Malware: Deobfuscating encoded Javascript
Introduction
During an incident response, the Intrinsec CERT encountered an obfuscated JavaScript file that, after initial analysis, appeared to be malicious. When the investigation began, this file was not known to VirusTotal, and we found no information about its behavior.
We therefore analyzed it in four phases:
- decoding,
- deobfuscation,
- behavioral analysis,
- extraction of indicators of compromise (IOCs).
Decoding
The ".jse" extension indicates a JScript file encoded with Microsoft's Script Encoder. The encoding and decoding algorithms have long since been publicly reverse-engineered, and a freely available decoder [1] (https://gist.github.com/bcse/1834878) allowed us to recover the clear-text script.
Deobfuscation
The script contained over 300,000 lines of code. A quick look revealed that it was obfuscated and that certain lines of code were regularly repeated. It therefore became worthwhile to focus on these repetitions to reduce the script's size.
We identified eight recurring constructs that could be rewritten in order to reverse the obfuscation.
1.

This construct appears nearly 4,000 times and evaluates to the first character of a function's source text: "function(pika666)" converted to a string begins with 'f'.
2.
Similarly, this construct returns 'F': the same letter, converted to uppercase with toUpperCase().
3.
This construct appears more than 36,000 times and always returns the value of "po9_0" (i.e. 'i'). The intermediate variable names are randomized, which makes automated replacement harder: a rewrite rule has to match any identifier rather than a fixed name.
4.
The fourth construct is equivalent to String['fromCharCode'](114), i.e. the letter 'r'.
5.

Here the returned letter is 'p': concatenating true with "Ap" yields the string "trueAp", whose 6th character (index 5) is 'p'.
6.

As in the previous case, the 4th character (index 3) of the string "false" is returned, i.e. 's'.
7.
Variable names are also obfuscated using Unicode escape sequences. For example, the identifier "hashhere" appears in the source as "\u0068\u0061\u0073\u0068\u0068\u0065\u0072\u0065".
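As an added illustration (not part of the original analysis and not the CERT's tooling), the following Node.js script collapses the seven idioms above into string literals and then folds the resulting 'a' + 'b' chains. The obfuscated input is constructed to resemble the described idioms; since the page does not reproduce the sample's exact syntax, the regular expressions, the identity-wrapper shape assumed for pattern 3, and the variable names are assumptions to be adapted to the real artefact. The boolean-index rule is written for the general (bool + "str")[i] form rather than only the two instances shown.

```javascript
// Added example (not the Intrinsec CERT's tooling): a regex-driven rewriter for
// the seven idioms described above. The INPUT BELOW IS CONSTRUCTED to mimic those
// idioms; the real sample's syntax is not reproduced on the page, so every regex
// here is an assumption. Nothing is eval()'d: each replacement is computed from
// the matched text alone, so attacker-controlled code is never executed.

// Emit a valid single-quoted JS string literal for one character.
function lit(ch) {
  return "'" + ch.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Pattern 7: identifiers written as \uXXXX escapes. Only escapes that decode to
// an identifier character are touched, so string contents stay as they were.
function unescapeIdentifiers(src) {
  return src.replace(/\\u([0-9a-fA-F]{4})/g, (m, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[A-Za-z0-9_$]/.test(ch) ? ch : m;
  });
}

// Patterns 1-6: value-producing idioms, each mapped to the literal it evaluates to.
const RULES = [
  // 1 and 2: first character of a function's source text, 'f' (or 'F').
  [/\(\s*function\s*\(\s*\w*\s*\)\s*\{\s*\}\s*\+\s*(['"])\1\s*\)\s*\[\s*0\s*\](\s*\.toUpperCase\(\))?/g,
   (m, q, upper) => lit(upper ? 'F' : 'f')],
  // 3 (assumed shape): identity wrapper around a variable; the parameter name is
  // random, so any identifier is matched.
  [/\(\s*function\s*\(\s*([\w$]+)\s*\)\s*\{\s*return\s+\1\s*;?\s*\}\s*\)\s*\(\s*([\w$]+)\s*\)/g,
   (m, param, arg) => arg],
  // 4: String['fromCharCode'](N) or String.fromCharCode(N).
  [/String\s*(?:\[\s*['"]fromCharCode['"]\s*\]|\.fromCharCode)\s*\(\s*(\d+)\s*\)/g,
   (m, code) => lit(String.fromCharCode(Number(code)))],
  // 5 and 6: (true+"Ap")[5], (false+"")[3] and the general (bool+"str")[i] form.
  [/\(\s*(true|false)\s*\+\s*(['"])([^'"\n]*)\2\s*\)\s*\[\s*(\d+)\s*\]/g,
   (m, bool, q, tail, idx) => {
     const s = bool + tail;               // String(true) + "Ap" === "trueAp"
     const i = Number(idx);
     return i < s.length ? lit(s[i]) : m; // out-of-range index is undefined: leave it
   }],
];

function foldPrimitives(src) {
  for (const [re, fn] of RULES) src = src.replace(re, fn);
  return src;
}

// Merge adjacent 'a' + 'b' into 'ab', repeating until nothing changes.
function foldConcatenations(src) {
  const pair = /'((?:[^'\\\n]|\\.)*)'\s*\+\s*'((?:[^'\\\n]|\\.)*)'/g;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (m, a, b) => "'" + a + b + "'");
  } while (src !== prev);
  return src;
}

// Replace uses of variables that hold a single string literal and are assigned
// exactly once. Declarations are kept: dead-code removal is a separate, later step.
function inlineConstants(src) {
  const decls = [...src.matchAll(/var\s+([A-Za-z_$][\w$]*)\s*=\s*('(?:[^'\\\n]|\\.)*')\s*;/g)];
  for (const [, name, value] of decls) {
    const esc = name.replace(/\$/g, '\\$');
    const assigns = src.match(new RegExp('(?<![\\w$.])' + esc + '\\s*=(?!=)', 'g')) || [];
    if (assigns.length !== 1) continue; // reassigned somewhere: inlining would be wrong
    src = src.replace(new RegExp('(?<!var\\s+)(?<![\\w$.])' + esc + '(?![\\w$])', 'g'), () => value);
  }
  return src;
}

function deobfuscate(src) {
  let out = unescapeIdentifiers(src);
  let prev;
  do {
    prev = out;
    out = foldConcatenations(inlineConstants(foldConcatenations(foldPrimitives(out))));
  } while (out !== prev);
  return out;
}

// Constructed sample in the style of the seven idioms (NOT the real malware).
const SAMPLE = [
  "var po9_0 = 'i';",
  "var \\u0068\\u0061\\u0073\\u0068\\u0068\\u0065\\u0072\\u0065 = String['fromCharCode'](83) + " +
    "String['fromCharCode'](99) + String['fromCharCode'](114) + (function(qq12){return qq12;})(po9_0) + " +
    "(true+'Ap')[5] + String['fromCharCode'](116) + (function(zz9){return zz9;})(po9_0) + " +
    "String['fromCharCode'](110) + String['fromCharCode'](103);",
  "var \\u0077\\u0068\\u0061\\u0074 = (function(pika666){}+'')[0] + (false+'')[3] + " +
    "(function(pika666){}+'')[0].toUpperCase();",
].join('\n');

console.log(deobfuscate(SAMPLE));
```

Run with node; it prints the rewritten sample, in which hashhere becomes the literal 'Scripting' and what becomes 'fsF'. Computing each replacement from the matched text, instead of calling eval() on the expression, means the rewriter never runs the malware's code. For a real 300,000-line sample, regexes remain fragile (the randomized wrapper names of pattern 3 already show why), and an AST-based rewriter is the more robust choice.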
After these rewrites the deobfuscated script is fewer than 300 lines long and becomes much easier to analyze.
Behavioral analysis
Analysis of the deobfuscated script quickly shows that its first 19 lines are declarations of variables that are never used (dead code).
Other variables of interest are the following:
- 'zoUobail89', the URL from which the active payload is downloaded;
- 'zoUoriches24', the absolute path of the running script;
- 'ext789', the list of file extensions used later by the propagation routine;
- 'list87656', the file in which the absolute paths of files matching one of those extensions are stored.
If the script is not named "adobeupd.jse" and is not located in the current user's Startup folder, it displays a decoy pop-up stating that the file is corrupted and cannot be repaired.

The variable "zoUowhich43" holds the current user's Startup folder, obtained through the shell special-folder interface documented by Microsoft [2] [3].
After replacing the relevant variables, the code becomes the following:

Since the variable "pills" does not exist, referencing it throws an exception, which is caught by the catch block. In that block the script saves its own source code in a variable that is used later for propagation.
The script then spins in a loop of four million iterations (presumably a crude delay against sandboxes with execution time-outs) before checking for the presence of a list of process names or user names on the infected machine.
The list is as follows:
- Wireshark
- Temp\iexplore.exe
- Process Hacker
- vmtoolsd
- VBoxService
- python
- Proxifier.exe
- Johnson-PC
- ImmunityDebugger.exe
- lordPE.exe
- ctfmon.exe*JOHN-PC

If any of these strings is found, the script references an undefined variable, which throws an exception and stops execution. This is a crude anti-analysis check intended to prevent the script from running in analysis environments.
Once these checks have passed, the script copies itself to 'adobeupd.jse' in the user's Startup folder, which gives it persistence at every logon.
It then retrieves the payload (in this case an executable) from "hxxps://185.130.104[.]178:4444". Note port 4444, which is the default listener port of the Metasploit framework but is also used by many Trojans. The payload is written to the temporary folder under a random number followed by the ".exe" extension; a base64-encoded copy may also be written to the same folder with the ".ioi" extension.
If the creation of the ".exe" file fails, the script instead attempts to spread to other hosts. To do this, it searches removable and network drives (FileSystemObject DriveType 1 and 3 respectively) for files whose extension is in the list held by the "ext789" variable. The extensions searched for are as follows:

The complete list of matching files is saved in "%TEMP%\yaper.txt". The script then overwrites each of these files with its own source code and renames them with the ".jse" extension, after which it deletes "yaper.txt".
Finally, the script executes the previously downloaded payload and attempts to remove its traces by deleting every file in the temporary folder with the extensions ".exe", ".ioi" and ".txt".
Impact and mitigation
An infection by this program can have two consequences: infection by the active payload, which we are currently analyzing, or the loss of all files on the network and removable drives reachable from the infected computer, since they are overwritten with the script and renamed to ".jse".
One possible mitigation is to monitor outgoing traffic to 185.130.104[.]178. It is also advisable to block outgoing connections to port 4444 in general and to alert on any use of it, since this port is very frequently used for illegitimate communications.
Furthermore, the default program associated with ".jse" files can be changed, for example to Notepad. If a user then double-clicks a malicious ".jse" script, it is opened in Notepad instead of being executed. More information on this method can be found in our ransomware protection guide [4].
Extraction of IOCs
- 185.130.104[.]178
- hxxps://185.130.104[.]178:4444/C/deerstalker[.]php
- C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\adobeupd.jse
- %TEMP%\yaper.txt
- %TEMP%\RANDOM_NUMBER.exe
- %TEMP%\RANDOM_NUMBER.ioi
- 643b3605c64901771759c1ed0bf735bf8dc9dbd56e63f603c5689c951f0e8c98 (SHA-256 of the .jse file)
- 2bcb14e7aafae7418dd7fa0ef26ec39af71b7094a84b6a4ba1c65a8abf287e31 (SHA-256 of the active payload)
Sources
[1] https://gist.github.com/bcse/1834878
[2] https://technet.microsoft.com/fr-fr/library/bb774085.aspx
[3] https://technet.microsoft.com/fr-fr/library/bb774096.aspx
[4] https://www.intrinsec.com/wp-content/uploads/2015/11/Intrinsec-CERT-Handbook-Anti-Ransomware-v2.pdf
