RATDispenser – Stealthy JavaScript Loader Dispensing RATs

The initial JavaScript downloader is obfuscated and contains several eval calls.
One of the eval calls invokes a function that returns a long string, which is decoded by another function.
The function that decodes the string is located further down in the script.
At first sight it looks complicated, but it is a simple replacement function.
First, the passed arguments are stored in a new variable; this is done so that the function works correctly with an arbitrary number of arguments.
Next, the replacement operation runs on the initial string. The second argument of JavaScript's replace method is itself a function that returns the replacement string.
In this case, the second parameter of that inline function is the capturing group that matches the regular expression {\d+}, i.e. a decimal number enclosed in braces.
Since the captured value is a decimal number, it is used as an index into the arguments array, and the element found there is returned as the replacement string.
If the index is out of bounds (no argument exists at that position), the function returns the whole matching string instead, which was most likely implemented to handle mismatches.

To decode the string, three arguments (A, u, F) are passed to the function.
The decoded string is itself Base64 encoded and can simply be Base64-decoded to analyze it in more detail. By creating and writing an ActiveX Data Stream Object, this sequence is decoded and executed using an eval statement.
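The decoder described above, re-implemented as an added analysis helper (this is not the loader's own code) so the string can be decoded statically instead of running the sample's eval. The template, the three argument values and the Base64 content are constructed for illustration; the real loader's arguments (A, u, F) are not reproduced here.

```javascript
// Static re-implementation of the template-replacement decoder: every "{N}"
// in the template is replaced by the N-th argument, and an out-of-bounds
// index leaves the original "{N}" text in place, as the loader does.
function decodeTemplate(template, ...args) {
  // The loader copies its arguments into an array so any count works.
  const values = args;
  // The replace callback receives the full match and the capturing group
  // (the decimal index between the braces).
  return template.replace(/\{(\d+)\}/g, (match, index) => {
    const replacement = values[Number(index)];
    // No argument at that position: return the whole matching string.
    return replacement === undefined ? match : replacement;
  });
}

// The decoded string is itself Base64; decode it for further analysis.
function base64Decode(str) {
  return Buffer.from(str, "base64").toString("utf8");
}

// Constructed sample: a template with three placeholders and three
// argument chunks, mimicking the three-argument call in the loader.
const SAMPLE_TEMPLATE = "{0}{1}{2}";
const SAMPLE_ARGS = ["dmFy", "IHg9", "MTs="]; // "var x=1;" in Base64

// Runs both decoding layers on the constructed sample.
function decodeSample() {
  const joined = decodeTemplate(SAMPLE_TEMPLATE, ...SAMPLE_ARGS);
  return { joined, plain: base64Decode(joined) };
}

console.log(decodeSample()); // { joined: 'dmFyIHg9MTs=', plain: 'var x=1;' }
```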

The most notable part of this sequence is the set of hex characters stored in a nested array, which serves as another layer of obfuscation.
Using an ActiveX object, a shell application instance is created and passed a long, chained command line argument.
By simply adding line breaks after the & characters, the command line argument can be reformatted into a readable form.

The first parts of the command line argument write lines to a VBScript file using echo. This file is then executed, resulting in a download through an XMLHTTP object.
The response to the GET request, which is the malware payload, is written to a file called YVC.JAR.
The VBScript file is then deleted. Afterwards, the cmd.exe process waits 12 seconds before running the payload.
