About half of a year ago, my girlfriend got e-mail from post office saying that the the package was ready to pickup, with a quick note saying that more information is available in the attachment. I was asked to look at it, as she found it suspicious - mail was written very poorly - definitely not what official mail would sound like. Firstly I took a look at the domain, from where this mail was sent, and as I excepted, it was not connected to domains of our post service. But what I really wanted to know was, what's the goal of the attachment?
But after some time I noticed a pattern - in last 30 lines of code, there were only references to the variables, and after connecting them together what I got, was much more readable than before. In example, if you take this piece of code and connect to the variables in the beggining, what you'll get is something more likely looking like this.
Great, now to make it clearer to read I have to do the same. Unfortunately I'm not completely sure that it's 'translated' 100% correctly, but it still gives me insight into how this script may work.
Finally, after around 3 hours, I got the full translation. But I've got still a few questions, what is WScript and how it works?
Okay, as far as I can understand, it downloads the file from url (not shown in this code), and somehow executes it, maybe using cmd? But for better insight I had to dig for references showing the use of the WScript and other functions show in this code.
Script uses these WScript calls:
- WScript.CreateObject(WScript.Shell) - provides access to shell methods of operating system.
- WScript.CreateObject(MSXML2.XMLHTTP) - XML request using HTTP.
- WScript.CreateObject(ADODB.Stream) - is used to represent a stream of data or text.
GetSpecialFolder(2) will get the %TEMP% folder.
Then the script creates the XML request to get the data from specified URL and, then it sends the request.
After that script creates a series of commands to:
- Get the response body of the request.
- Write it to a file in tmp directory.
- Save and close the file.
- Execute through CMD
- Lastly, it will delete the file.
Unfortunately, .exe file was not available, while I got to check, and I couldn't find as much info about it as I wanted. The only information I could find were:
Author of this malware did a lot, to try and obfuscate this script, as I spent a lot of time trying to make it readable, but still it wasn't as complicated as I thought at first. To stay protected from these kinds of attacks, remember to tell explorer to open .js files through the Notepad by default, as well as show files with their extensions. That way you will see if it's really a text document or .txt.js malware. And the most important step, don't download files that you're unsure about. Simply, don't trust anyone ;)
I had great fun, trying to understand the concept, and even though you may think, that it was very simple, I still learned a lot from this.