29 Sep 2015

Reverse Engineering Javascript Email Malware

So I was looking through my Spam folder in Gmail and I found this:

[Screenshot: the flagged email in the Gmail spam folder]

So five points to Gmailindoor. Definitely very suspicious, and not because his name is Vincent. Gmail has put flags all over this email, telling me it’s infected.

Now, some warnings. At this stage, delete the email. Do not even look at it for another second. You see this button?

[Screenshot: the delete button]

Click it. Click it now. You do not want to run whatever is inside this zip file. In fact, Gmail won’t even let you download it to your PC. If you value your files and data, don’t download any suspicious files such as this one.

But, I want to know what this will actually do. I am running Ubuntu Linux 15.04, inside a fresh VM in which I will disable network access once I have the zip. Gmail will actually let you download the zip file on your phone, so that’s what I did. I then copied it into the VM and cut off its networking.

Gmail lets us take a sneak peek into the zip:

[Screenshot: Gmail’s preview of the zip contents]

Oooooh! A JavaScript file! This means that we essentially have source code to look at! Way more fun than a silly exe file. Let’s open it up and see what we get:

[Screenshot: the scrambled JavaScript source]

They have scrambled the script. The code at the end rearranges the functions into their original order. Pathetic. Time for some Linux magic:

  • sed 's/function wp/\'$'\n/g' 0000140894.doc.js > linebreaks.txt
    This command replaces “function wp” with a line break, so that each function sits on its own line and can be sorted.
  • sort --version-sort linebreaks.txt > linesinorder.txt
    This command sorts all the lines into the right (numeric) order.
  • cut -d ' ' -f 4-100 linesinorder.txt | cut -c 2- > startscut.txt
    This command cuts the start of each line off, up to the code we want.
  • cat startscut.txt | rev | cut -c 7- | rev > final.js
    This command trims the excess characters from the end of each line, leaving just the code.

So the code is all extracted and in the right order now. Deleting all the line breaks would leave the code in one long line (which would work as code, but would not be very easy to read). I went through and used the delete and end keys to arrange the code into a logical layout, then re-added some code from the original file (the code that did the unscrambling):

[Screenshot: the unscrambled, reformatted JavaScript]

That’s the whole code as it would run from the scrambled js file. I have uploaded the code as an image for a very good reason: so you can’t simply copy and paste the code. It’s dangerous code that downloads extra files from the sites above, using some special strings that it generates in the program.

Here is my breakdown:

  • This code uses ActiveX. So if you’re running an older version of IE when you run this and allow this to run, gg.
  • It firstly connects to the three sites at the top, and downloads files with IDs 811, 7092 and 693. The stroke is probably a unique ID for this particular file that was sent to me, and sending a request to their sites with my ID will let them know that I ran this file.
  • The ActiveX portion of this is where it gets interesting. It creates an ActiveX object that runs every time IE is started. The downloaded EXE is written into the startup ActiveX object and it is given a random name (a pathetic attempt at avoiding antivirus detection). When IE is launched, the ActiveX object is called and the downloaded malicious EXE is run.

So this is essentially an EXE downloader that grabs an EXE and runs it every time you start IE.
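The unscrambling pipeline above and the static breakdown of the downloader can be done in one pass without ever executing the script. This is an added example, not code from the post: the real 0000140894.doc.js is only visible in the screenshots, so the sample below is constructed, and the ActiveX ProgIDs, hosts and loader tail in it are assumptions that stand in for whatever the real file used.

```python
"""Added example (not the post's own code): reassemble a JScript dropper whose
functions wpN() were shuffled, then pull static indicators from the result.
The real 0000140894.doc.js is only shown in screenshots, so SAMPLE is a
constructed stand-in; the ProgIDs, hosts and loader tail are assumptions."""
import re

# Constructed sample: chunks deliberately out of order. wp10 is there because a
# plain lexical sort puts it before wp2 (why the post used sort --version-sort).
SAMPLE = """\
function wp10(){return "sh.Run(path,0,0);";}
function wp3(){return "var sh=new ActiveXObject('WScript.Shell');";}
function wp1(){return "var urls=['http://a.example/get?id=811','http://b.example/get?id=7092','http://c.example/get?id=693'];";}
function wp2(){return "var xhr=new ActiveXObject('MSXML2.XMLHTTP');";}
var o="";for(var i=1;i<=10;i++){if(this["wp"+i])o+=this["wp"+i]();}eval(o);
"""

CHUNK = re.compile(r'function wp(\d+)\(\)\{return "([^"]*)";\}')
URL = re.compile(r"""https?://[^\s'"\]]+""")
PROGID = re.compile(r"""ActiveXObject\(\s*['"]([^'"]+)['"]\s*\)""")


def deobfuscate(scrambled):
    """Equivalent of the sed/sort/cut pipeline: extract each wpN body and
    join the bodies in numeric order of N. The loader tail is dropped."""
    chunks = sorted((int(n), body) for n, body in CHUNK.findall(scrambled))
    return "\n".join(body for _, body in chunks)


def triage(code):
    """Static indicators from the recovered script, without executing it:
    ActiveX ProgIDs created, download URLs and the per-victim IDs they carry."""
    urls = URL.findall(code)
    ids = [m.group(1) for m in (re.search(r"[?&]id=(\d+)", u) for u in urls) if m]
    progids = PROGID.findall(code)
    return {
        "activex": sorted(set(progids)),
        "urls": urls,
        "ids": ids,
        "spawns_process": "WScript.Shell" in progids,
    }


if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE)
    print(recovered)
    print(triage(recovered))
```

Because the indicators come out of the recovered text, the URLs and IDs can be blocked or hunted for in proxy logs without anyone fetching the payloads.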

We have all the information we need to download the EXEs in this here js file. Let’s see if we can grab them from the malicious sites. I won’t be sending back my ID – I don’t want them thinking I actually ran the file. Time for some wget:

I fired up Tor and used torsocks to set the shell to use Tor. The first site (crossfitrepscheme.com) did not seem to do anything, just a load of 404 errors. This was the output for the second site (ihaveavoice2.com):

[Screenshot: wget output for the second site]

Hmm. Looks like I might need that ID. I used another one and tried again, this time also specifying my User-Agent (as IE 7 teehee), and running it through Tor (and saving the file to RAM and not disk, can’t be too careful):

[Screenshot: wget output with an ID and IE 7 User-Agent]

Yeeep. It downloaded a ~300KB file (I renamed it to 811.exe to keep track). I downloaded the others as well:

[Screenshot: the three downloaded files]

I ran cat 693.exe:

[Screenshot: cat output of 693.exe]

See the highlighted text? This EXE does some dodgy memory management stuff. I’m not sure what it does, but if it’s messing with the memory space it cannot be good.

I’m not going to run these files. No no nope. Even if I did use a VM, they could well crash the host and cause damage that way too. I’ll send the files to VirusTotal and see what I get back:

693.exe I couldn’t get a lot of info on, so I just suspect it’s a BSOD timer.

811.exe is a new virus (as of now). I don’t know much about it, and neither do AV companies. I wonder what it does.

7092.exe, according to VirusTotal, seems to be Cryptolocker. Lovely!

Phew, that was a long post. I guess there’s a few things to be learned from this:

  1. Don’t be a ninny and click stuff in suspicious emails. If an email is marked as suspicious and comes from a friend or colleague, they could have had their email account compromised, or your email software is mistaken. In the latter case, email them back and ask them what the deal is.
  2. Don’t use outdated Internet Explorer and ActiveX stuff. Do you want ants? Because that is how you get ants.
  3. Run Linux. Sorry, had to sneak that one in for /r/linuxmasterrace.

Stay safe out there people!


One Response to “Reverse Engineering Javascript Email Malware”

  1. Great work! Fascinating read, really enjoyable and informative!
