Static malware analysis: addition-6172.js

Recently, Gama forwarded me an e-mail containing a malicious JavaScript attachment to analyse. The sample, called addition-6172.js, is a dropper that downloads, decodes and runs a DOS MZ executable.

The content of the malicious JavaScript is the following:

I replaced the eval() call with var payload = afBqLXnu.split(..., embedded the script in an HTML page and ran it in a browser (in a lab VM). Then I opened the developer tools console and typed payload to get the following text:

After a pass through jsbeautifier and a few debugging runs in the browser, with the variables renamed, the code re-formatted and the obfuscated expressions executed and resolved, I had the following de-obfuscated code:
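The eval() replacement step above can be automated instead of editing the sample by hand. The following is an added example written for this post (Node.js code, not the original sample and not code from the post): the script is wrapped in a function whose eval parameter is a recording hook, so whatever the dropper would have executed is returned as text rather than run, one layer at a time. The sample script, the WScript stub and the ActiveXObject block are constructed for illustration; afBqLXnu is reused only as the variable name seen in the sample.

```javascript
// Added example: capture the argument of eval() instead of executing it.
// LAYER2 and SAMPLE are CONSTRUCTED stand-ins in the same split()/join()
// style as the dropper; they are not the real addition-6172.js.
const LAYER2 = "var s = 'WScxript.Echo(123)'.replace(/x/g, ''); eval(s);";
const SAMPLE =
  'var afBqLXnu = "' + LAYER2.split('').join('#') + '";\n' +
  'eval(afBqLXnu.split("#").join(""));';

// Run one layer with eval() bound to a recording hook. The script body is
// wrapped in new Function(...) with 'eval' as a parameter name, so its
// eval(...) calls resolve to the hook and never to the real (direct) eval.
// WScript is stubbed so a WSH dropper gets as far as its eval();
// ActiveXObject is the route to file, network and shell objects, so it is
// blocked outright (constructed lab harness, not part of the post).
function captureEvalArgs(script) {
  const captured = [];
  const hookedEval = (code) => { captured.push(String(code)); };
  const WScript = { Echo() {}, Sleep() {}, Quit() {}, ScriptFullName: 'C:\\lab\\sample.js' };
  const ActiveXObject = function () { throw new Error('ActiveXObject blocked by lab harness'); };
  const runner = new Function('eval', 'WScript', 'ActiveXObject', script);
  runner(hookedEval, WScript, ActiveXObject);
  return captured;
}

// Peel layers until the captured code no longer calls eval(). That final
// stage is returned as text and deliberately NOT executed: it is the payload.
function unpackLayers(script, maxDepth = 10) {
  const layers = [];
  let current = script;
  for (let depth = 0; depth < maxDepth; depth++) {
    if (!/\beval\s*\(/.test(current)) break;
    const next = captureEvalArgs(current);
    if (next.length === 0) break;
    const joined = next.join('\n');
    layers.push(joined);
    current = joined;
  }
  return layers;
}

unpackLayers(SAMPLE).forEach((layer, i) => console.log('layer ' + (i + 1) + ': ' + layer));
```

On the constructed sample this prints the split/join stage first and then the final WScript.Echo(123) string, which is exactly the text one would otherwise read out of the browser console after renaming eval() to an assignment.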

Here we can see that the dropper tries three different URLs in turn to download the malicious file:

  • http://xxxxxxxx.com/cqoanbzr
  • http://xxxxx.com/s5ibqz1
  • http://xxxx-xxx.com/awcigpa1

The file is downloaded to the %TEMP% folder as 8ILlhXLFKkib and its bytes are converted according to a translation table (in TransformOne). The script then checks that the result has a DOS MZ header and XORs it (in TransformTwo). The transformed data is converted once more according to a second translation table (in TransformThree) and finally saved as 8ILlhXLFKkib.exe.
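The decoding chain described above can be re-implemented offline so that the dropped file is recovered without ever running the dropper. The following is an added example written for this post (Node.js code, not the dropper's own code): a byte-translation stage, an XOR stage and a second translation stage, with a header check before anything is kept as an .exe. The two tables, the XOR key and the "downloaded" blob are constructed stand-ins; the real values have to be lifted from TransformOne, TransformTwo and TransformThree in the de-obfuscated script. The check here is applied to the final output and extended to the PE signature at e_lfanew, which goes beyond the MZ check the post mentions.

```javascript
// Added example: generic re-implementation of the translate / XOR / translate
// decoding chain described in the post, with an MZ/PE header check.
// TABLE_ONE, XOR_KEY, TABLE_THREE and the sample blob are CONSTRUCTED
// stand-ins, not the values used by addition-6172.js.

function makeTable(mul, add) {
  // 256-entry byte substitution table; an odd multiplier makes it a bijection
  const table = new Uint8Array(256);
  for (let i = 0; i < 256; i++) table[i] = (i * mul + add) & 0xff;
  return table;
}

function invertTable(table) {
  const inverse = new Uint8Array(256);
  for (let i = 0; i < 256; i++) inverse[table[i]] = i;
  return inverse;
}

function translate(buf, table) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = table[buf[i]];
  return out;
}

function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// 'MZ' at offset 0 and 'PE\0\0' at the offset stored in e_lfanew (0x3C).
function looksLikePe(buf) {
  if (buf.length < 0x40 || buf.readUInt16BE(0) !== 0x4d5a) return false;
  const eLfanew = buf.readUInt32LE(0x3c);
  if (eLfanew + 4 > buf.length) return false;
  return buf.readUInt32LE(eLfanew) === 0x00004550;
}

const TABLE_ONE = makeTable(7, 13);               // constructed stand-in for TransformOne
const XOR_KEY = Buffer.from([0x5a, 0xa5, 0x3c]);  // constructed stand-in for TransformTwo's key
const TABLE_THREE = makeTable(11, 5);             // constructed stand-in for TransformThree

// The dropper's chain, refusing to hand back anything that is not an MZ/PE image.
function decodeDropped(blob) {
  const stageOne = translate(blob, TABLE_ONE);
  const stageTwo = xorBytes(stageOne, XOR_KEY);
  const stageThree = translate(stageTwo, TABLE_THREE);
  if (!looksLikePe(stageThree)) throw new Error('decoded data is not an MZ/PE image');
  return stageThree;
}

// Inverse chain, used here only to manufacture a test blob.
function encodeForTest(exe) {
  const undoneThree = translate(exe, invertTable(TABLE_THREE));
  const undoneTwo = xorBytes(undoneThree, XOR_KEY);
  return translate(undoneTwo, invertTable(TABLE_ONE));
}

// Minimal constructed MZ/PE skeleton: DOS header, e_lfanew -> 0x40, PE signature.
function buildFakePe() {
  const exe = Buffer.alloc(0x50);
  exe.write('MZ', 0, 'latin1');
  exe.writeUInt32LE(0x40, 0x3c);
  exe.write('PE\0\0', 0x40, 'latin1');
  return exe;
}

const downloaded = encodeForTest(buildFakePe());
console.log('blob looks like a PE before decoding:', looksLikePe(downloaded));
console.log('decoded data looks like a PE:', looksLikePe(decodeDropped(downloaded)));
```

Because every stage is a bijection on bytes, a single corrupted byte in the download shows up as a broken header, so failing closed on the MZ/PE check is cheap and catches a truncated or wrong download before anything is written with an .exe extension.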

This new malicious executable is then executed with the argument 123.

In the next post, I will try to understand the 8ILlhXLFKkib.exe file a little better.
