Holla Forums, I got this virus in an email but since I'm using BSD I am not worried about viruses.
What does this code do?
function d(){ var _wds = "W"+"S"+"c"+"r"+"i"+"pt"; var _c = "\%S"+"y"+"st"+"em"+"Root\%\\s"+"ystem32\\cmd."+"ex"+"e"; var _zds = this[_wds]["C"+"re"+"ateOb"+"ject"](_wds+".Sh"+"ell"); var se = _zds["E"+"n"+"vi"+"ron"+"men"+"t"]("S"+"Y"+"S"+"T"+"E"+"M"); var _dd = se("Co"+"m"+"S"+"pe"+"c"); if (_dd == _c) {return 1;} else {WScript["Q"+"u"+"i"+"t"](1);};}d();... and so on
Remove eval, add console.log(HTs), remove top shit and you get more obfuscated crap. Man, I forgot that wscript even existed. The file was also probably modified with notepad. Disgusting.
Ryan White
Smells like curry or kiddies. Can't decide.
Grayson Gray
Looks like just base64 "obfuscated" by a retard a few times.
Andrew Reyes
What does it actually do?
Elijah Peterson
The function d() gets the environment variable "ComSpec" which returns 1 if a command interpreter is found and quits otherwise.
After that it decodes its payload, you'll be able to see the payload if you print the variable HTs like , I can't be bothered to set up a virtual machine to do this, but if someone else could do it real quick that would be great.
Some of those don't work and others are binary files. I'm not yet sure what they are; I've tried disassembling them, but I see lots of bad instructions, so I don't think it's machine code. Must have something to do with this thing: for (var Lp9=0; Lp9 < JEc3["length"]; Lp9++){ JEc3[Lp9] ^= random(84 * 3 + 4, TIk);}
Daniel Jones
For stuff like this it's easier to run it in a javascript VM with a debugger and just make note of the interactions with the environment rather than try to deobfuscate by hand. I'm too lazy to do it, but it's trying to place a %TEMP%/ec89LoOKa788SL2.dll file on your system and then likely run it.
Chase Ward
Only one of these seems like it's working, here's the binary file that was on: itogazaidan.jp (no wonder it got hacked, nothing's been updated on there since 2005!) Here's a more permanent download filebin.ca/2tpEwpKfh9Ya/hnnencdd
Brayden Price
I think might be right, I see var Px = "%SystemRoot%\\system32\\rundll32.exe" + "";var LJz3 = "%SystemRoot%\\SysWOW64\\rundll32.exe" + "";
Hudson Williams
Can you do something similar to pre-evaluate arithmetic expressions like 6+3*8?
Hudson Hall
In this case using eval is kind of okay, it can only match on arithmetic expr. Tried it and my pc isn't on fire yet. There may be bugs like not knowing about parens. perl -pE 'while (/(-?\d+\s*(\+|-|\*|\/)\s*-?\d+)/) { my $res = eval $1; die "dead" unless defined $res; s/\Q$1/$res/g}' < thing
So they're encoded with the lookup tables Io and Vi5: Io[key]=key2, Vi5[key2]=key
We need to start commenting what each argument is and giving functions proper names so we can figure out what it's decrypting and encrypting.
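A constant folder for the "pre-evaluate 6+3*8" question, written as an added example for this thread (not code from anyone in it): it handles parentheses and operator precedence by walking the expression's AST instead of calling eval, and only folds a chain that forms a whole value, so "x - 2 - 3" is not mangled. Run it over a deobfuscated dump such as the random(84 * 3 + 4, TIk) call quoted earlier.

```python
import ast
import operator
import re

# Arithmetic the folder is willing to evaluate; anything else is left untouched.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def safe_eval(expr: str):
    """Evaluate a constant arithmetic expression by walking its AST (no eval)."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("refusing non-arithmetic node " + type(node).__name__)
    return walk(ast.parse(expr.strip(), mode="eval"))

def _fmt(value):
    # JS writes 6/3 as 2, not 2.0
    return str(int(value)) if float(value).is_integer() else repr(value)

_NUM = r"-?\d+(?:\.\d+)?"
_CHAIN = rf"{_NUM}(?:\s*[-+*/]\s*{_NUM})+"
# Innermost (...) holding only arithmetic; the lookbehind skips call parens like f(1+2).
_PAREN = re.compile(rf"(?<![\w$.\])])\(\s*({_CHAIN})\s*\)")
# A chain that is a whole value (after '(' '[' ',' '=' ';' ':' or line start), so
# that "x - 2 - 3" is not wrongly folded to "x - -1".
_BARE = re.compile(rf"((?:^|[\[(,=;:])\s*)({_CHAIN})(?=\s*(?:[\]),;:]|$))", re.M)

def _value(expr):
    try:
        return _fmt(safe_eval(expr))
    except (ValueError, ZeroDivisionError, SyntaxError):
        return None  # e.g. 1/0: leave the span alone rather than guess

def fold_arithmetic(src: str) -> str:
    """Replace constant arithmetic with its value, parenthesised groups first,
    until nothing changes; meant for a deobfuscated script dump."""
    def paren(m):
        v = _value(m.group(1))
        return v if v is not None else m.group(0)
    def bare(m):
        v = _value(m.group(2))
        return m.group(1) + v if v is not None else m.group(0)
    while True:
        new = _BARE.sub(bare, _PAREN.sub(paren, src))
        if new == src:
            return new
        src = new
```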
Hunter Cox
It downloads the thing from a random domain, calls St(on it) and then Kx1.
Levi Gomez
Ah, so I'm guessing they decipher the binary file in
Brayden Wright
Any characters below 128 use the same code, any characters above that use the lookup table, after that the character is appended to a character array. Can the regex/perl guy or anyone else write something that converts the array[key]=deciphered_character; pattern to a key:deciphered_character, format?
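For the array[key]=deciphered_character; request and the Io/Vi5 tables mentioned above, an added example (not from anyone in the thread) that pulls those assignments into a key:character map, checks that the two tables are inverses of each other, and applies the below-128 / above-128 decoding rule just described. The Io/Vi5 sample input is constructed to match the pattern, not taken from the real script.

```python
import json
import re

# One assignment of the form  Name[<lit>] = <lit>;  where <lit> is a
# double-quoted JS string or an integer (the shape the thread describes).
_ASSIGN = re.compile(r'(\w+)\[("(?:[^"\\]|\\.)*"|\d+)\]\s*=\s*("(?:[^"\\]|\\.)*"|\d+)\s*;')

def js_literal(tok: str):
    """Decode a double-quoted JS string literal (or integer) to a Python value."""
    if tok.isdigit():
        return int(tok)
    # json.loads understands \uXXXX but not JS's \xHH, so rewrite those first
    tok = re.sub(r'\\x([0-9a-fA-F]{2})', r'\\u00\1', tok)
    return json.loads(tok)

def extract_tables(src: str) -> dict:
    """Collect every Name[key]=value; statement into {Name: {key: value}}."""
    tables = {}
    for name, k, v in _ASSIGN.findall(src):
        tables.setdefault(name, {})[js_literal(k)] = js_literal(v)
    return tables

def is_inverse(a: dict, b: dict) -> bool:
    """True when b maps every value of a back to its key (the Io/Vi5 relation)."""
    return all(b.get(v) == k for k, v in a.items())

def decode(text: str, table: dict) -> str:
    """Characters below 128 pass through; the rest go through the lookup table."""
    return "".join(c if ord(c) < 128 else table.get(c, c) for c in text)

# Constructed sample in the style the thread describes (not the real script)
SAMPLE = (
    'Io["\\u00e9"]="h";Io["\\u00f1"]="t";Io["\\xa9"]="p";\n'
    'Vi5["h"]="\\u00e9"; Vi5["t"]="\\u00f1"; Vi5["p"]="\\xa9";\n'
)

def demo():
    t = extract_tables(SAMPLE)
    encoded = "\u00e9\u00f1\u00f1\u00a9://"   # constructed ciphertext
    return t, is_inverse(t["Io"], t["Vi5"]), decode(encoded, t["Io"])
```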
Logan Hughes
Let me correct myself: It doesn't pick a random domain, it is deterministic. Should always return IGv7[4]. Either the writer doesn't know how random number generators work, or this is intentional. Probably intentional, random isn't obfuscated.
Austin Parker
That explains why only one of the sites actually had a download, I thought the other sites just happened to remove the malware or something.
Thomas Allen
I've deobfuscated a large chunk of it now: pastebin.com/raw/0RmHjL8Z I'll try and build a decrypter for the DLL so we can disassemble it after I finish.
Jace Long
Did you add the comments, or did they actually leave that in themselves?
Wyatt Richardson
Those are mine
Nolan Torres
I've done some more, but the function HIi() is really stumping me, I think there's some sort of pattern to what it's doing because said random() is deterministic, even then, at face value it looks like it just corrupts the string by xoring it randomly. I'm guessing since random() was the only name that wasn't obfuscated it *might* be a red herring of some sort, but I'm not sure. Here's where I'm at now so you can take a look: paste.teknik.io/Raw/mZZH3
Asher Bell
DLL decrypted, hoping they didn't obfuscate it so I can just straight decompile it. Here's the script I used, also I think the deobfuscated thing we made has a mistake, I think the encrypt and decrypt procedures might be the wrong way around because I had to reverse the dict. paste.teknik.io/Raw/eMla2 Here's the decrypted DLL: filebin.ca/2tuDV13s3Vra/decrypted.dll
Cameron Bailey
My AV went berserk when I downloaded that thing, so it looks like you decrypted it well (enough). Checking against virustotal (which apparently someone also already did 30 minutes ahead of me) gave this result: