Now we will analyze some noteworthy code on the landing page that contains obfuscated VBScript.
I saved the packet into a text file and found three variables that are fully encrypted; we will name them scriptA, scriptB and scriptC.
Image: 1st encrypted script - scriptA
Image: 2nd encrypted script - scriptB
Image: 3rd encrypted script - scriptC
After decrypting these scripts we can see right away how this exploit kit infects the compromised machine.
1st Decrypted Script:
The noteworthy code I found in decrypted scriptA is the function below, which contains the RC4 decryption routine and the actual RC4 key.
Image: RC4 decryption routine
I wrote a simple VBScript around this function to decrypt the blob the EK server sends back to the infected machine. In decrypted scriptB there is a call to a function with two parameters: the URL of the payload and a string that looks like the RC4 key. I took that key and put it into my VBScript together with the encrypted blob; the blob decrypted cleanly and was verified to be ransomware.
The script also drops a fake executable on the infected machine as part of its installation, perhaps to distract the analyst from its actual behavior.
Image: creating fake win32 file
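The decryptor described above, rewritten here as an added example in Python rather than the post's VBScript (this is not the exploit kit's code and not the author's script): it implements the same RC4 algorithm, decrypts a blob with a key, and then sniffs the result's magic bytes to confirm it is a Win32 PE before the sample goes anywhere near a sandbox. The key, the blob and the tiny fake PE image are constructed for the demo; in the real case the key is the string passed in scriptB's function call and the blob is what the EK server returned.

```python
"""Added example (not from the original post): RC4 decryption of an EK payload blob.

The post's decryptor was a VBScript built around the RC4 routine lifted from
scriptA; this is the same idea in Python. DEMO_KEY and DEMO_BLOB below are
constructed for the demo, not the real key or payload.
"""
import struct


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def sniff_payload(data: bytes) -> str:
    """Magic-byte check on the decrypted blob.

    Returns 'pe' for a Win32 PE image (MZ header plus a 'PE\\0\\0' signature at
    e_lfanew), 'mz-only' for a DOS stub without a valid PE header, and
    'unknown' otherwise. A still-encrypted blob comes back 'unknown', so this
    also catches a wrong key.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "mz-only"


def decrypt_and_classify(key: bytes, blob: bytes):
    """Decrypt the blob with the given RC4 key and report what came out."""
    plain = rc4(key, blob)
    return plain, sniff_payload(plain)


# --- constructed sample data (assumption: not the real key or payload) ---
DEMO_KEY = b"ek-rc4-key-demo"


def build_fake_pe() -> bytes:
    """Minimal stand-in for the payload: MZ header, e_lfanew=0x80, PE signature."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    return bytes(img)


DEMO_BLOB = rc4(DEMO_KEY, build_fake_pe())   # what the EK server would hand back

if __name__ == "__main__":
    plain, kind = decrypt_and_classify(DEMO_KEY, DEMO_BLOB)
    print(kind, plain[:2])                                   # pe b'MZ'
    print(decrypt_and_classify(b"wrong-key", DEMO_BLOB)[1])  # unknown
```

Feed `rc4()` the key string from the scriptB call and the raw bytes of the server response; an `unknown` result after decryption is the quickest sign that the key (or the blob boundaries you cut from the capture) is wrong, while `pe` means you have a Win32 image worth hashing and submitting.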
2nd Decrypted Script:
Decrypted scriptB also contains shellcode that runs a JavaScript file through the CreateProcessA API. The JS file generates a random executable filename for the ransomware payload and executes it in a way that depends on the file type of the payload the EK server sends back.
Image: the shellcode
Image: the decrypted shellcode
Image: executing the payload depending on its file type
3rd Decrypted Script:
The last decrypted script, scriptC, sets up the execution of the exploit SWF file.