Late last week, I received a spam email with an attachment. For some reason, this particular campaign wasn’t well reported (unless I somehow missed it).
The flow of events went like this:
~ The email attachment was an .html file which claimed to be an invoice named:
~ This .html file contained only the following single line:
<meta http-equiv=”refresh” content=”1; url=http://bit[.]ly/2rsvZN4″>
~ The Bitly-shortened link ended up downloading a file named:
~ Within the .zip file was a .js file named:
As I started to look through the script, the first thing I noticed was that, while there was some obfuscation, it was not nearly as cryptic as most scripts that I encounter. As I dug more deeply, I realized that this is a great script to use for study or as a training example. The techniques presented here are pretty basic but, hopefully, will still benefit someone.
Generally speaking, my primary goal in evaluating potentially malicious scripts is to try to answer a few “W” questions:
- What is the script trying to do?
- What is it dropping?
- Where is it going?
- What is it downloading?, etc.
Basically, I’m just trying to move to the next level of the cat and mouse game. The reason I mention this is that I typically only spend as much time analyzing scripts as is necessary to move to the next level. In this case, I tried to look more deeply at the “H” question as well:
- How is the script trying to accomplish its objective?
If you want to follow along, you can download the original script from here.
(yes, it’s a malicious script – handle with caution)
One thing is usually do right away is check the length of the file. This one has just about 860 lines.
For the most part, this script is quite readable. It also has a few comments in it.
A LOT of variables are declared.
Clue! This would lead me to ask – are all of these variables being used? If not then we can reduce the length of the script by removing variables that are declared but never used.
While there are 29 functions, they basically do 3 things:
- decrypt (7 functions)
- download (11 functions)
- run (11 functions)
Clue! We should also take a quick look at the functions to see if there are any functions that are defined but never used. As with variables, if this is the case, we can thin down the script even further.
Triage / Script Cleanup:
I should state at the outset that I do not, by any means, consider myself an expert coder. It’s entirely possible that this method could result in analysis omissions. So far though, I’ve found it to be reliable.
For this task, it’s important to use an editor that will:
1. Allow you to select the filetype and color the script based on its programming language.
2. Highlight all instances of a selected word.
The reasons for this will soon become clear, if they aren’t already.
I used Geany as my editor. The first thing I did was to look at the variables that are declared.
Double-click to select the variable name and either scroll through the script looking for any other instances of the variable or use your editor’s “Find” feature and search for other instances.
If there are no other instances of the variable (in other words, if the variable is declared but never used) then delete the variable declaration.
Continue until you’ve gone through all of the variables.
Note: As you go through this process, try to get a feel for the overall flow of the script.
Because of the lack of obfuscation in this script, it was pretty easy to see that the functions in each category (decrypt, download and run) were the same. The only thing that remained was to figure out which function (in each category) do we need to keep.
We can use the same procedure as we did for variables – select each function name and look to see if it is called. If it isn’t called then also delete it.
After doing this, the script became very manageable at only around 145 lines. We were left with a handful of variables and 3 functions – one to decrypt, one to download and one to run the downloaded file.
Note: As I mentioned earlier, my primary goal with a script like this is to find out how to move to the next step. You don’t need eagle eyes to notice the URL that is barely hidden in the script. Under most circumstances, I would simply grab the URL and move on.
Once you cut out the extraneous information, the script is fairly readable. I went through it from top to bottom and added (excessive!) comments to narrate the program flow.
since it references ActiveXObject, etc.
The script is nicely broken into just a handful of small code segments. Try to go through and manually figure out the flow and purpose of each line of the script.
The code snippet in the image above is from the very start of the script. Right after the variables are declared, the program execution starts and a long string of capital letters (shown above as the variable s1) is passed to the decryption function. It would be possible but pretty tedious to manually run through the decryption loop. With a few tweaks to the code, you can replicate the code snippet in the editor then run it to get the final value.
From here, it’s just a question of navigating the script and figuring it out section by section.
All in all, it’s a pretty straightforward script with a pretty straightforward purpose. Oddly, however, the Bit.ly-shortened link that was found in the script ends up downloading an .mp3 file named chainsmokers02.mp3.
VirusTotal results for the file chainsmokers02.mp3 can be found here.
Perhaps this malspam isn’t as simplistic as it seems. If I find anything noteworthy, I’ll take a look at it in a future blog entry.
Article Link: https://executemalware.com/?p=496