Deobfuscating the Nemucod Downloader Script

Matt Decker from sent me this script he received via email and asked for help deobfuscating this so here we go…

Here’s the WSF file he sent me:


About half-way down the script, I come across this. Two variables should have caught your eye.


Doing a search for the first variable name, I end up at the variable “vista” which references that blob and then the function is immediately called.


To view the value of “vista”, I do this. I don’t want the script to run any further so I do a quit right after the popup.


And this is what I get. It shows several functions like reading and writing to a file and three conversion functions. This decrypts the download file which I’ll get to in a bit.


Searching for the other variable, brings us here. It’s inside of a for-loop and the variable “efioppocsonny5HORDA6” appears to be building up URLs then calling a function named “efioppocsonny5_a2”. Notice that the URLs are being passed in the first argument.


Now let’s search for this function. It’s going back up to here. Based on what’s in the function, it looks like it’s preparing and making AJAX calls.


So our goal is to see the URLs and block the HTTP request for now. Here’s the changes I make.


When I run it, I get the URLs one at a time.


If you want to pull down the payload then search for “.Run” and comment out that line so the payload won’t execute and interrupt our analysis.


Based on the script, it will download and save a file into the Temp folder, read it in, decode it, write it out to a DLL file, then execute it. However, this particular script doesn’t seem to have domains that answer so I have to find another script with live domains.

Here’s another one I got from VirusTotal Intelligence:


And make the same change.


This time I get the payload, the script decodes it then writes it out to a DLL file which turns out to be Locky/Odin.


Let’s have a look at the original downloaded file and the DLL file from the Temp folder. I wrote this program to analyze the files. I load up the binary files into each input box (only the first 1,024 bytes are read to save time).


Then I choose the “XOR” method as my first guess.


I get this result. Do you see a pattern in the output box?


How about now?


I can use Converter to XOR the original file using the same XOR pattern (converted to hex).


And get the same result as the original.


Now let’s see if we can find this in the script. Near the bottom there’s a long string that gets sent to the function VGRA3 (that function is from the blob we deobfuscated earlier). Then later when the payload is downloaded, the variable holding this key is used to XOR the file. It’s the same string.


We’re done!

But I did want to show you another related script I found. It’s basically the same as the one above, however, the JScript is inside of an HTML file. This is an important distinction because we have to deobfuscate this differently.


At the bottom of the script, we see that it’s functionally similar to the script we just looked at. Do you see that function call at the “if” statement? Let’s search for that. By the way, the blue arrow is pointing to the XOR key.


Here’s the function that takes in some arguments passed from the call at the bottom. The first argument is the URLs just like the previous script.


If I search for the variable name, we see that there’s two other variables prepending it.


Let’s see what these three variables are by adding the following line then have it stop running the rest of the script. Notice I have to use “alert” and “stop” instead of “WScript.Echo” and “WScript.Quit”.


Now I can execute the script by running it in IE. You can’t use another browser because this script uses an ActiveX control.


You can continue to alert on variables to better understand what it’s doing but you’ll find that it’s doing the same thing as the WSF script from above.

Good luck!

Posted in Malscript, Tools | Tagged , , , , , , | Comments Off on Deobfuscating the Nemucod Downloader Script

Deobfuscating a Malicious PHP Downloader

A PHP script was sent to me by reader Nuno who got this from a hacked Joomla website and wanted to know what this was. He said this script was prepended to several legitimate PHP files. Looking into this a bit, I found that this is related to WordPress hacks via MailPoet back in 2014 according to Sucuri (here and here).

The original script from 2014 is pretty much the same as this one after you deobfuscate it so it appears that its creator updated the obfuscation layer since then. Here’s what the 2014 script looks like:


And then it was modified some time later.


This is what the PHP script looks like today.


At the bottom is the code that deobfuscates the above. I make the following change as you can see.


And I get the deobfuscated result.


However, the result gets truncated. It’s probably because there’s HTML-looking tags in there so I have to modify my change to this:


Now I can get the entire script.


After I unescape it, I can see at the bottom a call to the deobfuscation function. I repeat the same step as above.


To get this:


I keep doing this for two more rounds and I end up with this. The for-loop at the bottom deobfuscates the last remaining blobs by passing it to the “oo1” and “oo2” functions above.


I grab functions from the previous rounds and put them all here. Finally you can see what this does.


The script gets some HTTP info, randomly selects a domain (33db9538 .com, 9507c4e8 .com, e5b57288 .com, or 54dfa1cb .com), and makes a request to its C&C using one of five methods until one works. The HTTP GET requests look something like this:

hxxp://54dfa1cb .com/743373?nBcDCJtttnWOB7AFwE6JSD2%252 B9FWohBE48s54engkXvlo7MmPmabcMTRfK5tqJyYRYA4xsNOviBQDEFq2uGAIfWs%253 D.vxcX.60JI.vXyZAJNtdCnP.%252FkaXEZd1

hxxp://33db9538 .com/941577?cqzyJtttwfqjfH%252FwfN8k7f%252 FSpz9SnXR016abcKoeOzkdP9zUs2oUlKyoGy6DqbbxOPukqZ5y%252FDEFLjNyQU2GGmY%253 D.Uazm.Bfm5.UXyZLzR9z6bi.EPWaPjBl

None of the sites were responding with anything useful at the time of this writing so I don’t know what the payload is but if it’s the same as it was back in 2014 then backdoors are created on the site and overwrites legitimate files in the process.

This is what all of the C&C websites look like:


If you get hit by this then you would probably need to do a fair amount of cleanup, restore from backups, or rebuild your site to ensure no backdoors are left behind.

File: 1.php
MD5: 3ED6699CE373F6BEED22F490B1D93219
VT: 2 / 54

File: 2.php
MD5: 69A1CDF5E389D6388ABB3E6DA198D998
VT: 8 / 54

File: 3.php
MD5: 733C0DD3099C514A7D067D0A20657650
VT: 4 / 54

Posted in Malscript | Tagged , , , | Comments Off on Deobfuscating a Malicious PHP Downloader

Javascript Leads to Browser Hijacking

I came across this nasty-looking script that hijacks your browser. It appears to have been around in some shape or form since 2014 but this latest version deploys an aggressive tactic I’ve not seen before. Here’s what this script looks like:


The script is composed of variables and functions but finding the beginning and ending of one is made difficult because of the lack of whitespace. This script uses tricks like encoded characters, regex search/replace, unusual base conversions, and conditional statements.

Here’s an example of how the author obfuscated his/her script. I’ve highlighted one variable that gives you no clue as what it contains.


If you unescape the script, it becomes more readable but not by a lot.


If you evaluate it, you find that all that nonsense code does is build a string of letters and numbers. This is used to generate random strings later.


Here’s how the obfuscation works. Look at the following statement:

And focus on this part first:

This becomes:
5 + 38 * 932840649 = 35447944667

Then we look at this part:

Which becomes:
116 * 0 + 33 = 33

When you combine the two statements above, you are essentially converting the long number from base33 to text which yields the word “replace”:

So in short, the original statement can be distilled down to the following which returns “a”:
"ca"[replace](/[c]/g, "");


Here’s some of the more interesting things this script does.

The script makes a copy of wscript.exe, renames it to something random, and saves it to a new folder in the user’s AppData\Roaming directory. It then makes a copy of itself. The copy of wscript.exe is used to run the script. The script then sets the following registry keys to hide the folder.


It then creates a shortcut to the script called “Start” and saves it to the user’s startup folder. The shortcut has a folder icon to trick the user. If the user double-clicks on the “folder”, he/she ends up running the script.


The script will check if it can get access to Microsoft, Google, or Bing. If so then it will continue and then proceed to send data about the computer to urchintelemetry .com and downloads an encrypted file from 95.153.31 .22 .


The downloaded file is another script. The highlighted section shows the attempt to change IE, Firefox, and Chrome’s start page to login.hhtxnet .com .


If you open your browser, you will end up redirected to portalne .ws .


What’s interesting is that if you visit the CnC website, it looks broken.


However, when a correct POST is made, you get a response but it’s not visible. Here you can see the HTML source contains a response hidden in the body tag.


The script makes use of WMI to ensure security software won’t interfere with its tasks. Here’s an excerpt that shows you the security-related software it’s tracking.


If any of the following programs are run, the process is terminated in an unusual way. Here we see that the script creates a fake error message to make the user think the program is not working.


Let’s see this in action. Here I run Autoruns and the program quits and I get this on the screen.


There’s one more trick up its sleeve. Here’s the excerpt from the script.


This gem executes if you terminate the WScript process associated with the script. In other words, if you stop the script, your computer shuts down immediately.

If you end up with this script on your computer, you can easily get rid of it by restarting in Safe Mode (or logging into another account) then removing the startup link and roaming folder. If you wish to analyze the script while it’s running then simply rename your security tool to something benign.

File: sample1.js
MD5: C8B5A9FB9D573B00E1B5E957BD294C11
VT: 7 / 54

File: sample2.js
MD5: 8EA3EE6DF8CF28ABB220CD8615CC654B
VT: 18 / 54

Posted in Malscript | Tagged , , , | Comments Off on Javascript Leads to Browser Hijacking

Tools Update

Several programs have been updated. You can find them on the Tools page.

Notable changes since the last version:
– Changed textbox font to Courier to improve readability
– Added reverse file option
– Added compare files option
– Consolidated extract and swap functions
– Added count of rows
– Added keep and strip differences to filter menu
– Replaced Hex Format %00 option with %u00
– Replaced Toggle Case format to separate lower/upper case
– Improved Mixed CHR() to Text function
– Added additional options to count delimiters
– Fixed hex-to-text function to better handle nulls


Registry Dumper
I was asked by a reader to suppress the multiple error popups that occur when scanning certain keys with SYSTEM privileges. In this release, only one error will appear then it won’t show up again.


Text Decoder Toolkit
This release is almost a complete re-write of the original version. A lot of things were moved around and included to make it more useful for CTF challenges. The startup takes a bit longer than usual because of the number of textboxes it has to render on the character substitution table form.


URL Revealer
This version now includes the ability to show headers instead of just the URLs. Here’s two examples, a Locky downloader and script (thank you to Malware-Traffic-Analysis and VirusTotal Intelligence for samples). By default, only the URLs are displayed but you can enable the switch to show the headers.


Posted in Tools | Tagged , , , , , | Comments Off on Tools Update

Locky JS and URL Revealer

From various reports, it appears that the malicious Javascript files sent via email that pull Locky down is back.

Let’s see what these scripts look like:


At the bottom of the script, is this function that reverses the string above, joins the characters, then evaluates it:


Since we’re dealing with JScript, we can just do this and capture the result instead of executing it:


Now we get this:


This script employs a lot of nonsense functions that just returns exactly what gets sent to it in an attempt to make it harder to figure out what’s going on.

After I beautify the script and scan through everything, I come across the main function that downloads a file from the Internet. It’s using the familiar AJAX method.


I echo out the URL array to see where the requests are going. There’s three URLs it’s attempting to connect to. If the site is up then Locky gets downloaded and executed.


This round of scripts are similar to the ones that were sent before the Locky gang took a break. If you’ve been tracking their scripts, you know that they make a lot of changes to bypass filters but they are essentially all AJAX downloaders.

Instead of trying to keep up with their constant script variations, why not use a web proxy I thought? You just run the script in a VM and catch the URLs being called. There’s Fiddler, Paros, Burp, etc I could use but I thought I would try to make something more lightweight and portable.

URL Revealer
Here’s my take on a web proxy. This program will capture the request from these scripts and drop it so it won’t download the malware from the Internet. This way you can see the URLs and take the necessary action quickly and without having to deobfuscate the script.

When you run URL Revealer (in a VM!), it will automatically set up a proxy server on port 8080 and write the captured URLs to a text file to the app path. You should open up your browser and test it to make sure it’s working properly before executing the script you want to analyze. You should also set your VM’s network adapter to “host-only” while doing this just to be safe.

Here’s what it looks like when I run four recent Locky scripts plus two from the past two weeks:


I killed the wscript process in between runs otherwise the script would just keep going. URL Revealer will ignore repeated hits to the same URL as long as it’s exactly the same as the one before.

When you are done, press to quit so that URL Revealer can disable the proxy server. If you forget, just run URL Revealer and hit enter a couple of times until it quits.

If you run the program from an elevated command line, you can change the proxy port as well as the capture filename.


Over the past several months, I saw four methods used by various scripts to download malware from the Internet – ajax, winhttp, bitsadmin, and powershell. URLRevealer should detect and block the requests for all of these methods. If you encounter a new method, please let me know.

You can get the program here.

Posted in Malicious Email, Malscript, Tools | Tagged , , , , | Comments Off on Locky JS and URL Revealer