Analyze JavaScript Malware


-A Case Study of Vjw0rm

About:

Vjw0rm is a worm that spreads via USB drives and has RAT capabilities: it implements a set of commands sent by the C2 server. It establishes persistence by copying itself to the Startup folder and creating a Run registry entry. The malware also drops a Java-based RAT called STRRAT, which it runs with a Java executable found on the local computer or, failing that, with one downloaded from a remote URL.

Analysis and findings:

SHA256: 2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e

JavaScript malware is a common infection vector that can lead to more serious threats such as ransomware and spyware. This post presents a general approach that can be applied to any malicious JavaScript script.

As we can see in figure 1, the initial script is obfuscated, and we need to find a way to extract the relevant information:

Figure 1

We used js-beautify to beautify the JavaScript file and identified a string that appears to be Base64-encoded (see figure 2).

Figure 2

The malware replaces every “_!” sequence in the above string with “m”:

Figure 3

Box-js is a tool that executes a JavaScript file in an emulated Windows Script Host environment and records what the script does. Figure 4 shows that the malware creates a script called “KeunXSGcHu.js” in the “%AppData%” directory and runs it:

Figure 4

The transformed string is Base64-decoded, and the script then executes the resulting code.

As we’ve already seen, the malware creates a file called “KeunXSGcHu.js”, which is populated with a variable that is Base64-decoded, as highlighted below:

Figure 5
Figure 6

Another variable named “longText” is decoded by replacing every “_!” sequence with “A” (see figure 7).

Figure 7

The script generates a random name of at most 10 characters using the “Math.random()” function. The “longText” variable is Base64-decoded, and its content is written to a “.txt” file under that name. Despite the extension, the resulting file is a malicious JAR, the STRRAT payload, with the following hash: 0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a.

Figure 8

The malware tries to locate the Java executable on the machine by querying the following registry keys:

Figure 9

If Java is found on the computer, the malicious JAR file is executed with it; otherwise, the “GrabJreFromNet” function is called:

Figure 10

The function mentioned above downloads an archive called “jre.zip” from “https[:]//aash[.]com.pk/jre.zip”. The archive is extracted into a folder called “jre7” in the “%AppData%” directory so that a Java runtime is available to run the JAR. A registry Run entry called “ntfsmgr” is used as a persistence mechanism to run the malicious JAR:

Figure 11

The implementation of the “UnZip” function is shown in figure 12:

Figure 12

The “KeunXSGcHu.js” file implements a decoding function similar to the one in the initial script:

Figure 13
Figure 14

Finally, after decoding the Base64-encoded string, we can identify the malware as vjw0rm (see figure 15).

Figure 15

The script checks whether the “HKCU\vjw0rm” registry value exists on the system, which would indicate a previous infection. If it does not, the value is created and set to “TRUE” or “FALSE”:

Figure 16

The malicious script copies itself to the Startup folder using the CopyFile function, as shown below:

Figure 17

The malware sends a POST request to the C2 server “http[:]//javaautorun.duia[.]ro:5465/Vre” with a custom User-Agent header:

Figure 18

The User-Agent header carries a fingerprint of the victim: computer name, username, serial numbers of all logical disks, operating system version, and the name of the installed antivirus software (see figure 19).

Figure 19

The worm implements the following commands:

Figure 20

Cl command:

The command is used to terminate the script execution.

Sc command:

The process creates a temporary file, populates it with code sent by the C2 server, and executes it using the run function.

Ex command:

The command is used to execute JavaScript code transmitted by the C2 server.

Rn command:

The malware modifies the current script and executes the new file using wscript.exe.

Up command:

The malicious process creates a temporary file, fills it with code sent by the C2 server, and executes it via wscript.exe.

Un command:

The command runs additional JavaScript code that might be used to uninstall the worm.

RF command:

Same execution flow as the Sc command.

We used Recaf to analyze the malicious JAR file. As shown in figure 21, the decompiled code is obfuscated.

Figure 21

We used the java-deobfuscator tool to detect which obfuscator was applied. Figure 22 shows that the Allatori Java obfuscator was identified:

Figure 22

After deobfuscating the file, many differences become visible (figure 23). For example, we can now see that the RAT creates a scheduled task called “Skype”.

Figure 23

We decrypted the STRRAT configuration using the following script:

Figure 24

Two C2 servers stand out, nneewwllooggzz.mefound[.]com and windowsupdatelogz.onedumb[.]com, along with the http[:]//jbfrost[.]live URL that hosts the STRRAT plugins. STRRAT provides functionality such as keylogging, uninstalling itself, updating the malware, and downloading and executing files via cmd or PowerShell:

Figure 25

SHA256:

2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e

0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

Files created:

%AppData%\KeunXSGcHu.js

%AppData%\<random name>.txt

%AppData%\jre.zip

%AppData%\jre7

Registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr

HKCU\vjw0rm

C2 servers/URLs:

https[:]//aash[.]com.pk/jre.zip

http[:]//javaautorun.duia[.]ro:5465

http[:]//jbfrost[.]live

nneewwllooggzz.mefound[.]com

windowsupdatelogz.onedumb[.]com
