Deobfuscating the Nemucod Downloader Script

Matt Decker from hybrid-cloudblog.com sent me this script he received via email and asked for help deobfuscating it, so here we go…

Here’s the WSF file he sent me:

2016-10-22_01

About half-way down the script, I come across this. Two variables should have caught your eye.

2016-10-22_02

Searching for the first variable name takes me to the variable “vista”, which references that blob; the function is then called immediately.

2016-10-22_03

To view the value of “vista”, I do this. I don’t want the script to run any further so I do a quit right after the popup.

2016-10-22_04

And this is what I get. It shows several functions, such as reading from and writing to a file, and three conversion functions. These decrypt the downloaded file, which I’ll get to in a bit.

2016-10-22_05

Searching for the other variable brings us here. It’s inside a for-loop, and the variable “efioppocsonny5HORDA6” appears to be building up URLs and then calling a function named “efioppocsonny5_a2”. Notice that the URLs are passed as the first argument.

2016-10-22_06

Now let’s search for this function. It takes us back up to here. Based on what’s in the function, it looks like it’s preparing and making AJAX-style HTTP requests.

2016-10-22_07

So our goal is to see the URLs and block the HTTP requests for now. Here are the changes I make.

2016-10-22_08

When I run it, I get the URLs one at a time.

2016-10-22_09

If you want to pull down the payload, then search for “.Run” and comment out that line so the payload won’t execute and interrupt our analysis.

2016-10-22_10
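The three edits above (dump a variable and quit, echo the URLs, comment out “.Run”) are done by hand in the screenshots. The Python below, added here as an example and not part of the original post or its tooling, automates the first and third on a copy of the script: it inserts a dump-and-quit probe after a chosen variable’s assignment and comments out every “.Run(” call. It assumes the variable is assigned on a single line as `[var] name = …;` (multi-line string concatenations are not handled); the `SAMPLE_WSF` script is a constructed stand-in, not the Nemucod script, and the `host` values, `PROBES` table and `throw` used to halt the HTML variant are this example’s choices.

```python
"""Patch a copy of a WSF/JScript or HTML-hosted downloader for analysis: insert a
dump-and-quit probe after a chosen variable's assignment and comment out every
.Run( call. Added example, not the post's own tooling. Assumes the target variable
is assigned on one line as `[var] name = ...;` and that you edit a copy in a lab VM."""
import re

# Probe statements per host. WSF/.js runs under cscript/wscript; HTML runs in IE,
# where WScript is not available. Halting with `throw` is this example's choice.
PROBES = {
    "wsf":  "WScript.Echo({var}); WScript.Quit();",
    "html": "alert({var}); throw new Error('stop');",
}


def neuter_run(script: str) -> str:
    """Comment out each line containing a `.Run(` call so the payload never executes."""
    out = []
    for line in script.splitlines():
        if re.search(r"\.Run\s*\(", line) and not line.lstrip().startswith("//"):
            out.append("// " + line)
        else:
            out.append(line)
    return "\n".join(out)


def probe_variable(script: str, var: str, host: str = "wsf") -> str:
    """Insert the host's probe right after the first single-line assignment to `var`,
    keeping the assignment's indentation so the patched script still reads cleanly."""
    pattern = re.compile(
        r"^([ \t]*)(?:var[ \t]+)?" + re.escape(var) + r"[ \t]*=[^;\n]*;", re.M)
    m = pattern.search(script)
    if m is None:
        raise ValueError(f"no single-line assignment to {var!r} found")
    probe = "\n" + m.group(1) + PROBES[host].format(var=var)
    return script[:m.end()] + probe + script[m.end():]


# Constructed stand-in for the downloader; not the real Nemucod script.
SAMPLE_WSF = """\
var blob = "...obfuscated...";
function decode(s) { return s; }
var vista = decode(blob);
for (var i = 0; i < 3; i++) {
    var target = "http://" + "example.invalid/" + i;
    fetch_it(target);
}
var sh = new ActiveXObject("WScript.Shell");
sh.Run("rundll32 " + dll, 0, false);
"""


def patch_for_analysis(script: str, var: str, host: str = "wsf") -> str:
    """Neuter execution first, then add the probe, so the payload can never run
    even if the probe variable is assigned after the .Run( line."""
    return probe_variable(neuter_run(script), var, host)


if __name__ == "__main__":
    print(patch_for_analysis(SAMPLE_WSF, "vista"))
```

Run the patched copy with `cscript //nologo patched.wsf` (or open the patched HTML in IE for `host="html"`); the probe fires once, shows the variable, and the script stops before any request or execution.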

Based on the script, it will download and save a file into the Temp folder, read it in, decode it, write it out as a DLL file, then execute it. However, this particular script doesn’t seem to have any domains that still answer, so I have to find another script with live domains.

Here’s another one I got from VirusTotal Intelligence:

2016-10-22_11

And make the same change.

2016-10-22_12

This time I get the payload; the script decodes it, then writes it out as a DLL file, which turns out to be Locky/Odin.

2016-10-22_13

Let’s have a look at the original downloaded file and the DLL file from the Temp folder. I wrote this program to analyze the files. I load the two binary files into the input boxes (only the first 1,024 bytes are read to save time).

2016-10-22_14

Then I choose the “XOR” method as my first guess.

2016-10-22_15

I get this result. Do you see a pattern in the output box?

2016-10-22_16

How about now?

2016-10-22_17

I can use Converter to XOR the original file with the same XOR pattern (converted to hex).

2016-10-22_18

And get the same result as the decoded DLL.

2016-10-22_19

Now let’s see if we can find this key in the script. Near the bottom there’s a long string that gets passed to the function VGRA3 (that function is from the blob we deobfuscated earlier). Later, when the payload is downloaded, the variable holding this key is used to XOR the file. It’s the same string.

2016-10-22_20
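The XOR analysis above (downloaded file versus decoded DLL, spot the repeating pattern, feed it to Converter as hex) is a known-plaintext key recovery, and the same step covers the download/decode/write-DLL flow described earlier. The Python below, added here as an example and not the post’s own analysis program or Converter, XORs the first 1,024 bytes of the download against the DLL, finds the shortest repeating period of the result, and verifies that the recovered key turns the whole download back into a PE. The MZ/PE buffer, the key and the “download” are constructed inline (the key stands in for the string passed to VGRA3; it is not the real one), and the helper names are this example’s.

```python
"""Recover a repeating XOR key from a downloaded blob and its decoded DLL, then
check that the key decodes the whole blob to a valid PE. Added example; not the
post's analysis program or Converter. Assumes plain byte-wise XOR with the key
applied from offset 0 of the file, which is what the post's screenshots show."""
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key` repeated from offset 0 (the Converter step)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(encoded: bytes, decoded: bytes,
                    window: int = 1024, max_len: int = 256) -> Optional[bytes]:
    """Known-plaintext recovery: keystream = encoded ^ decoded over the first
    `window` bytes; return the shortest key that repeats to produce it.
    `window` must be well beyond the real key length or the period is not confirmed."""
    ks = bytes(c ^ p for c, p in zip(encoded[:window], decoded[:window]))
    for n in range(1, min(max_len, len(ks)) + 1):
        if all(ks[i] == ks[i % n] for i in range(len(ks))):
            return ks[:n]
    return None


def is_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded file: MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# --- constructed sample standing in for the two Temp-folder files ---
def build_fake_pe(size: int = 4096) -> bytes:
    """A minimal MZ/PE-shaped buffer; constructed, not a real Locky sample."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE signature at 0x80
    body = b"PE\0\0" + bytes((i * 7) & 0xFF for i in range(size - 0x84))
    return bytes(hdr) + body


SAMPLE_KEY = b"constructed-sample-key-32bytes!!"   # stand-in for the VGRA3 string
SAMPLE_DLL = build_fake_pe()                        # what the script writes to Temp
SAMPLE_DOWNLOAD = xor_bytes(SAMPLE_DLL, SAMPLE_KEY)  # what the URL actually served


def analyze(download: bytes, dll: bytes) -> dict:
    """Mirror the post's workflow: derive the key from the two files, report it as
    hex (what Converter takes), and confirm it turns the download into the DLL."""
    key = recover_xor_key(download, dll)
    if key is None:
        return {"key_hex": None, "verified": False}
    decoded = xor_bytes(download, key)
    return {"key_hex": key.hex(), "verified": decoded == dll and is_pe(decoded)}


if __name__ == "__main__":
    print(analyze(SAMPLE_DOWNLOAD, SAMPLE_DLL))
```

The period search is what replaces eyeballing the output box: once the keystream repeats, `key.hex()` is the value to paste into Converter, and `is_pe` is the check that the result is really the DLL rather than a partially decoded blob.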

We’re done!

But I did want to show you another related script I found. It’s basically the same as the one above; however, the JScript is inside an HTML file. This is an important distinction, because we have to deobfuscate it differently.

2016-10-22_21

At the bottom of the script, we see that it’s functionally similar to the script we just looked at. Do you see that function call in the “if” statement? Let’s search for it. By the way, the blue arrow is pointing to the XOR key.

2016-10-22_22

Here’s the function that takes in the arguments passed from the call at the bottom. The first argument is the URLs, just like in the previous script.

2016-10-22_23

If I search for the variable name, we see that there are two other variables prepended to it.

2016-10-22_24

Let’s see what these three variables are by adding the following line, then have it stop running the rest of the script. Notice I have to use “alert” and “stop” instead of “WScript.Echo” and “WScript.Quit”.

2016-10-22_25

Now I can execute the script by running it in IE. You can’t use another browser, because this script uses an ActiveX control. Do this in an isolated analysis VM: even with the probe in place, the script is still live malware.

2016-10-22_26

You can continue to alert on variables to better understand what it’s doing, but you’ll find that it’s doing the same thing as the WSF script above.

Good luck!
