From time to time I check the Bazaar website to download some samples and try to analyse them in my 'local lab'. This time I decided to download a file tagged as 'dropper'. Below you'll find the details. Here we go...
This time we'll start here:
I downloaded the malware sample and extracted it. Since the extension was 'unknown', I used the file command to check what kind of binary we had here. This is what I found:
So, it looks like we have a text file. Let's check it:
I decided to cut out the 'obfuscated' part and put it in a new file for further analysis. When I saw String.fromCharCode I decided to prepare a separate HTML file using the CharCode numbers I found in the file. An example is presented on the screenshot below:
Reading the sample JS file line by line, I was able to restore more names and variables. I also decided to check the function with Math.random():
After a while I was somewhere here, checking the function responsible for running bitsadmin. bitsadmin is used here to create a job that downloads a malicious executable and later stores it on the hard drive.
Checking line by line and trying to reverse it, below is the list of hostnames used by this dropper to download additional files:
Next, preparing the directory structure to save and run the downloaded file(s):
My next step was to start checking the hostnames I found in this sample, and that's how I landed at VirusTotal [1, 2]. Example of results:
I found more details about this malware here and here (thanks!).
The list of identified hosts is presented below:
---<cut>---
$ grep http: malware.js | sed -e 's/\./,/g'
urladdress = "http://15iokc,txtrxaa,top/";
urladdress = "http://1doubu,fpqaguo,cloud/";
urladdress = "http://50ioc4,lxgtmfq,top/";
urladdress = "http://a8eehw,iozwbfe,top/";
urladdress = "http://eraa61,jigxlxp,top/";
urladdress = "http://fhuayp,txtrxaa,top/";
urladdress = "http://hkaasu,lmmuwcq,top/";
urladdress = "http://ipua8l,fpqaguo,cloud/";
urladdress = "http://kcaww,urugpbb,cloud/";
urladdress = "http://lcaee,lxgtmfq,top/";
urladdress = "http://lniiew,ulletrb,cloud/";
urladdress = "http://miuu6k,urugpbb,cloud/";
urladdress = "http://n8io4h,tqdnnxg,top/";
urladdress = "http://rtaa1f,iozwbfe,top/";
urladdress = "http://twaibg,lmmuwcq,top/";
urladdress = "http://upuahx,jigxlxp,top/";
urladdress = "http://uwaevf,nluayiu,cloud/";
urladdress = "http://waea,tqdnnxg,top/";
urladdress = "http://wat8,ulletrb,cloud/";
urladdress = "http://wawe,nluayiu,cloud/";
---</cut>---
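As an added example (my own code, not the author's and not taken from the sample), here is how the String.fromCharCode decoding from the HTML-file step and the dot-to-comma defanging from the grep/sed step can be done statically in JavaScript, without executing anything from the dropper. The obfuscated input is constructed for this example and its hostname is a placeholder.

```javascript
// Added example, not the author's code: statically fold String.fromCharCode(...)
// calls in a JS dropper and pull out the URLs they hide, without ever running it.
// SAMPLE is constructed for this example; its URL is a placeholder (example.invalid).
const SAMPLE = [
  'urladdress = String.fromCharCode(104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47);',
  'var tool = String.fromCharCode(0x62, 0x69, 0x74, 0x73, 0x61, 0x64, 0x6d, 0x69, 0x6e);',
  'var k = String.fromCharCode(seed ^ 7); // not a literal list: must be left alone',
].join('\n');

// Matches String.fromCharCode( <list of decimal or 0x-hex integer literals> ).
const CHARCODE_CALL =
  /String\.fromCharCode\(\s*((?:(?:0x[0-9a-fA-F]+|\d+)\s*,\s*)*(?:0x[0-9a-fA-F]+|\d+))\s*\)/g;

// Replace each literal-only call with a quoted string literal. Calls whose
// arguments are variables or expressions do not match and stay as they are,
// so nothing from the sample is evaluated.
function decodeCharCodeCalls(src) {
  return src.replace(CHARCODE_CALL, (_, args) => {
    const codes = args.split(',').map((n) => Number(n.trim())); // Number() parses 0x.. as well
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Extract http(s) URLs from decoded source and defang them the way the
// author's sed command does (dots become commas), deduplicated and sorted.
function extractDefangedUrls(src) {
  const urls = src.match(/https?:\/\/[^\s"';)]+/g) || [];
  return [...new Set(urls)].sort().map((u) => u.replace(/\./g, ','));
}

const decoded = decodeCharCodeCalls(SAMPLE);
console.log(decoded);
console.log(extractDefangedUrls(decoded));
```

Run it on the cut-out obfuscated part instead of SAMPLE to get the same defanged list the grep/sed pipeline produced, plus any strings that were only visible after decoding.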
Maybe you'll find it useful.