Anatomy of a Javascript Downloader

So one of your users got an email from a supposed vendor with an attached invoice.  The invoice wasn’t a PDF, Word doc, or even an Excel sheet.  It was a zip file, and the user opened it as well as the “.js” attachment inside.  Now they have called you explaining that they can no longer open any files on their computer or their network share.  The files have all been renamed and the user has no idea what the heck happened.  You already have a good idea that they downloaded some type of crypto ransomware.  But how did it get through?  You thought you had adequate protection with antivirus as well as web/email filtering.  After chatting with the user, you were able to obtain the original email that she opened; unfortunately there wasn’t much you could get from it.  The email address it came from was most likely compromised, so you added it to your anti-spam blacklist.  You noticed a bunch of files in the zip, but when you tried to look at them in Notepad it was just a big blob of code that didn’t make sense.

Fig. 1 raw javascript file

There are only a few areas that might look like readable code, but most of the file is what we call “obfuscated”.  The malware author encoded most of the code, which helps prevent typical anti-virus software from picking up on the malicious parts.  This is also JavaScript, which is widely used for legitimate purposes, so the file type alone does not give it away.  At this point you could submit the samples to your AV vendor so they can update their definitions and protect the rest of your users from infection.  You can also upload them to VirusTotal.com.  But what does this file really do?  It is obfuscated, so most online analysis tools may not be able to pick up on the actual instructions.  These JavaScript files are usually just the delivery method for the cryptoware, and that is where REMnux comes in to help.

REMnux is a Linux toolkit for reverse engineering and analyzing malware.  It has a number of different analysis tools to assist in malware analysis.  One of my favorites for handling these types of files is JSDetox.  This is a Docker-based app that will analyze the messy JavaScript code seen in Fig. 1.  To start it up, just type JSDetox in a terminal window.  It will then instruct you on how to start the Docker image (See Fig. 2).  Once it starts up you will be able to connect to http://localhost:3000.

Fig. 2 JSDetox Startup

Fig. 3 JSDetox Dashboard

Open the browser in REMnux and connect to http://localhost:3000.  You will then need to upload the obfuscated JavaScript file in order to complete the analysis.  Simply click the “Upload” button and choose the bad JS file.  If you click the “Reformat” button, it will organize the JavaScript code into a more structured layout.  Unfortunately this will not deobfuscate the code (See Fig. 4).

Fig. 4 Reformatted

Fig. 5 Detoxed Javascript Code

Now let’s make some sense of it!  Click on “Analyze” and then scroll down to look at the deobfuscated JavaScript code (See Fig. 5).  It begins to make a little more sense, right?  The code builds out a number of string fragments in variables that are then concatenated further down by the instructions.  What it eventually does is call out to a URL using a GET request.  It downloads and runs an executable in the computer’s default TEMP directory (See Fig. 6).

Fig 6. Instructions
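The pattern JSDetox exposes in Fig. 5 and Fig. 6 (string fragments assigned to variables, concatenated, then used to build the COM object name, the HTTP verb, the download URL and the drop path) can also be triaged statically without ever executing the script.  The script below is an added example written for this post; it is not part of JSDetox, REMnux or the original article.  It applies a few reversible transformations (decoding \xNN and \uNNNN escapes, folding "a" + "b" concatenations, and substituting earlier variables into later ones) and then pulls out the indicators a defender needs: the URL for the web filter block list, the file name to hunt for in TEMP directories, and the keywords that mark a Windows script-host downloader.  The sample JavaScript, variable names and indicator list are all constructed for the example; the URL uses the reserved .invalid TLD so it can never resolve.

```python
"""Static triage of an obfuscated JavaScript downloader (added example, not
from the original post or from the JSDetox/REMnux projects).  Nothing here
runs the JavaScript; it only undoes a few common obfuscation layers and
reports indicators of compromise found in the recovered strings."""
import re
from typing import Any, Dict, List

# Constructed sample in the shape the post describes: fragments in variables,
# joined later.  Host is under the reserved .invalid TLD (never resolves).
SAMPLE_JS = r'''
var q1 = "\x4d\x53\x58\x4d\x4c\x32"; var q2 = ".XMLHTTP";
var obj = q1 + q2;
var verb = "G" + "E" + "T";
var where = "http://" + "invoice-host" + ".invalid/" + "doc" + "/inv" + ".exe";
var drop = "%TE" + "MP%" + "\\" + "upd" + "ate" + ".exe";
var sh = "WScri" + "pt.Sh" + "ell";
'''

# Keywords typical of a script-host downloader (constructed list, extend as needed).
INDICATORS: List[str] = [
    "XMLHTTP", "WScript.Shell", "ActiveXObject", "ADODB.Stream",
    "%TEMP%", ".exe", "GET", "Run(", "eval(",
]

STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
CONCAT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*([^;]+);')
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
DROP_RE = re.compile(r'\.(?:exe|dll|scr|js|vbs|bat|cmd)$', re.IGNORECASE)


def decode_escapes(s: str) -> str:
    """Turn \\xNN, \\uNNNN and simple backslash escapes into the characters they hide."""
    def repl(m: "re.Match[str]") -> str:
        e = m.group(1)
        if e[0] in "xu" and len(e) > 1:
            return chr(int(e[1:], 16))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(e, e)
    return ESCAPE_RE.sub(repl, s)


def fold_concats(expr: str) -> str:
    """Repeatedly rewrite "a" + "b" as "ab" until nothing changes (escapes kept as-is)."""
    while True:
        new = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', expr, count=1)
        if new == expr:
            return expr
        expr = new


def resolve_vars(js: str) -> Dict[str, str]:
    """Walk var assignments in source order, substituting variables already
    known to hold a string literal.  Values are returned still escaped.
    Limitation (deliberate, keeps it simple): a variable name that also occurs
    inside a string literal would be substituted there too."""
    env: Dict[str, str] = {}
    for name, rhs in ASSIGN_RE.findall(js):
        expr = rhs.strip()
        for var, val in env.items():
            expr = re.sub(r"\b%s\b" % re.escape(var), lambda m, v=val: '"' + v + '"', expr)
        expr = fold_concats(expr)
        m = STRING_RE.fullmatch(expr)
        if m:  # only keep what folded down to a single literal
            env[name] = m.group(1)
    return env


def extract_iocs(js: str) -> Dict[str, Any]:
    """Recover the strings and report URLs, dropped-file names and indicator keywords."""
    values = {k: decode_escapes(v) for k, v in resolve_vars(js).items()}
    urls = sorted({u for v in values.values() for u in URL_RE.findall(v)})
    drops = sorted(v for v in values.values()
                   if DROP_RE.search(v) and not v.lower().startswith("http"))
    hits = sorted(i for i in INDICATORS if any(i in v for v in values.values()))
    return {"variables": values, "urls": urls, "drops": drops, "indicators": hits}


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_JS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, the report lists the URL (block it on the web filter), the drop path %TEMP%\update.exe (hunt for it on other hosts) and the keywords XMLHTTP, WScript.Shell, GET, %TEMP% and .exe that together mark a download-and-execute script.  Real samples layer more tricks on top (string reversal, array lookups, eval of decoded blobs), which is why a tool like JSDetox is still the first stop; this script is the quick pass you run over a whole mailbox's worth of attachments before deciding which ones deserve the full treatment.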

At this point you can examine other systems for possible infection by looking for the executable file in the TEMP directory.  You can also take the URL and add it to your web filter block list.  You should also check your email service to ensure you can block such files from reaching your users.  Google Apps does a pretty good job at blocking these types of messages.  Microsoft Exchange requires a bit of magic with transport rules, as its default Exchange Online Protection service doesn’t block .js files, nor does it look inside zip files.  If you have some form of anti-spam or email gateway security solution in place, it should prevent these as well.  But if you are a small business, you may not be so lucky as to have a budget for such things.  Good luck and happy hunting!