
emails with suspicious .js files


24 replies to this topic

#1 Cobra11Murderer


Posted 02 March 2016 - 12:46 PM

OK, I'm not infected by this or anything, but I've been getting some emails recently with a .rar attached to them. Scanned it and it was fine, so I opened it and found a .js file. Opened it with Notepad++ and found that it could be a new infection of some type; I can't honestly understand it. Anyone wanna check it out? Avast couldn't detect it and I kinda wonder what it is. I think I might just have to make a virtual machine just to see, lol. The file is named invoice_scan_ then just random numbers and lettering. I won't post the code right here unless it's OK.

Edited by quietman7, 02 March 2016 - 04:46 PM.
Moved from Gen Chat to Gen Security - Hamluis.



#2 neuronic


Posted 02 March 2016 - 01:41 PM

Upload it to https://www.virustotal.com/ and post the results. I'm curious. 

 

Also, it sounds like you need email security and spam protection - just saying. :D



#3 Cobra11Murderer


Posted 02 March 2016 - 01:49 PM

lol, will do, and I do have one with Avast, but eh, it didn't detect it. Of course I'm not gonna open a random invoice that I know isn't real, lol. And thanks for that, I forgot about VirusTotal, and sure enough, here we go. I guess a downloader:

 

https://www.virustotal.com/en/file/1bb39593a9803629649f724830d9a822fd54afa9f488743b8307d1bc83fd3250/analysis/


Edited by Cobra11Murderer, 02 March 2016 - 01:50 PM.


#4 neuronic


Posted 02 March 2016 - 02:06 PM

I use email protection at the server level. It catches a lot, and web protection catches mostly everything that's left -> then A/V, and if all that fails = bare-metal cloud backup and recovery. lol



#5 Cobra11Murderer


Posted 02 March 2016 - 03:04 PM

I got a server that I have yet to figure out... bought it a few years ago and it has 12 hard drives; unfortunately I can't figure out how to set them to RAID again since all were taken out and put in, in a different order. It's an IBM eServer x255, lol. Should have never bought it 'cause it's got me stumped. I think I need a disk, yet I can't figure out what could set them all up.



#6 Aura


Posted 02 March 2016 - 03:09 PM

It's a .js file, probably a downloader for ransomware or another trojan. Now that you uploaded it to VirusTotal, some of our security developers here (like Fabian Wosar from Emsisoft) will be able to download and analyze it. If it's a .js file, simply editing it and de-obfuscating the code (if it's obfuscated) could tell us what it does, and we could download the payload from it and analyze it.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 Cobra11Murderer


Posted 02 March 2016 - 03:18 PM

It's a .js file, probably a downloader for ransomware or another trojan. Now that you uploaded it to VirusTotal, some of our security developers here (like Fabian Wosar from Emsisoft) will be able to download and analyze it. If it's a .js file, simply editing it and de-obfuscating the code (if it's obfuscated) could tell us what it does, and we could download the payload from it and analyze it.

 

Gotcha, I'll remember that for the next time I get another one :). I looked through it and it was a bit more detailed than I know. I have done web development in the past with basic .js editing involved, but that's way past what I know. I kind of figured it was carrying something.



#8 quietman7


Posted 02 March 2016 - 04:41 PM

CryptoWall has been found to use malicious .js files...see here.

The developers of TeslaCrypt have increased their use of malicious .js files...

Since late November 2015, malicious spam (malspam) distributing TeslaCrypt ransomware has surged in a recent attack offensive. This offensive is on-going. Criminal groups are sending out massive amounts of emails containing attachments with zipped .js files. These zipped .js...download and install the TeslaCrypt ransomware.

TeslaCrypt ransomware sent using malicious spam

We've seen TeslaCrypt being spread via spam emails that contain malicious zip attachments. Inside the zip file, there is a .js file which, when unzipped, retrieves TeslaCrypt from several compromised web pages.

TeslaCrypt Infections Rise as Spam Campaign Hits Companies in Europe

A new blackmailer variant email with new transmission characters was captured by Antiy Threat Situational Awareness System on December 2, 2015, which was guided by a JS script in a compressed package rather than spread by sending a binary file load directly... A zip file attached to the mail is unzipped to a JS script. After the JS script is executed, it will download TeslaCrypt 2.x...

An Analysis Report of TeslaCrypt spread by emailing JS Script
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
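The posts above describe the same delivery pattern every time: a zip attachment whose only payload is a script that Windows runs on double-click. The check below, added here as an example and not code from the thread or any product it mentions, flags such members in an archive held in memory, including one level of nested zip; the sample archive and its file names are constructed.

```python
import io
import zipfile

# Extensions Windows Script Host or the shell executes directly on double-click;
# a zipped "invoice" whose only member is one of these is the malspam pattern
# discussed in the thread.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

def script_members(zip_bytes, depth=0, max_depth=2):
    """Return (path, reason) pairs for archive members that are directly
    executable scripts, descending into nested zip files up to max_depth."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            # Judge by the final suffix only: "scan.pdf.js" is still a .js file.
            suffix = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if suffix in SCRIPT_EXTENSIONS:
                findings.append((name, "script attachment " + suffix))
            elif suffix == ".zip" and depth < max_depth:
                try:
                    inner = script_members(zf.read(info), depth + 1, max_depth)
                    findings += [(name + "!" + p, r) for p, r in inner]
                except zipfile.BadZipFile:
                    findings.append((name, "unreadable nested zip"))
    return findings

def build_sample():
    """Constructed sample: an archive shaped like the thread's attachment
    (a .js named invoice_scan_<random>) plus a harmless file and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan.pdf.js", "// placeholder text, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_scan_AB12CD.js", "// placeholder text\n")
        z.writestr("readme.txt", "not a script\n")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, reason in script_members(build_sample()):
        print(path, "->", reason)
```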

#9 Didier Stevens


Posted 05 March 2016 - 05:11 PM

It tries to download an exe from 2 URLs and then executes it. Only the second URL works.

Here is the downloaded EXE: https://www.virustotal.com/en/file/3c82be68f43f6c0a0dc4712002903240263bc82087c17c867911a232789c99d5/analysis/


Edited by Didier Stevens, 05 March 2016 - 05:12 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#10 Demonslay335


Posted 05 March 2016 - 05:26 PM

Opened Files
C:\Documents and Settings\<USER>\My Documents\recover_file_gnqwboqja.txt
C:\bimbazo\_ReCoVeRy_+ctkkt.png

Moved Files
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.mp3 (successful)

HTTP Requests
http://conspec.us/wp-content/plugins/nextgen-galleryOLD/products/photocrati_nextgen/modules/i18n/wstr.php

 
Definitely a dropper for TeslaCrypt 3.0.0a. Good thing you dodged the bullet on opening that one.


Edited by Demonslay335, 05 March 2016 - 05:28 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
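The sandbox output above carries the three indicators that let the poster call this a TeslaCrypt dropper: ransom notes being opened, a sample file renamed with an extra extension, and the callback URL. The triage script below, added here as an example and not part of the original post or any tool named in the thread, parses a report in that exact layout and extracts those indicators; the embedded report is constructed from the post's file names, with a placeholder host in place of the real URL.

```python
import re

# Constructed sample in the layout posted in the thread; the request host is a placeholder.
SAMPLE_REPORT = r"""Opened Files
C:\Documents and Settings\<USER>\My Documents\recover_file_gnqwboqja.txt
C:\bimbazo\_ReCoVeRy_+ctkkt.png
Moved Files
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.mp3 (successful)
HTTP Requests
http://example.invalid/wp-content/plugins/old-plugin/wstr.php
"""

SECTIONS = ("Opened Files", "Moved Files", "HTTP Requests")
# Ransom-note names seen in the report: recover_file_<random>.txt and _ReCoVeRy_+<random>.<ext>
RANSOM_NOTE = re.compile(r"(recover_file_\w+\.txt|_recovery_\+\w+\.\w+)$", re.I)

def parse_report(text):
    """Split the plain-text report into {section name: [lines]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line in SECTIONS:
            current = sections.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return sections

def appended_extension(src, dst):
    """Extension appended to src to form dst (e.g. '.mp3'), else None; trailing '(status)' ignored."""
    dst = re.sub(r"\s*\(\w+\)$", "", dst)
    tail = dst[len(src):] if dst.startswith(src) else ""
    return tail if tail.startswith(".") else None

def triage(text):
    """Ransom notes opened, extensions appended on rename, and .php URLs under wp-content."""
    sec = parse_report(text)
    found = {"ransom_notes": [], "renamed_extensions": set(), "download_urls": []}
    for path in sec.get("Opened Files", []):
        if RANSOM_NOTE.search(path.rsplit("\\", 1)[-1]):
            found["ransom_notes"].append(path)
    moved = sec.get("Moved Files", [])
    pairs = zip([l for l in moved if l.startswith("SRC:")], [l for l in moved if l.startswith("DST:")])
    for src, dst in pairs:
        ext = appended_extension(src[4:].strip(), dst[4:].strip())
        if ext:
            found["renamed_extensions"].add(ext)
    found["download_urls"] = [u for u in sec.get("HTTP Requests", []) if re.search(r"/wp-content/.*\.php$", u, re.I)]
    return found
```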


#11 Smsec


Posted 05 March 2016 - 06:05 PM

Another good place to upload suspicious files is Malwr.com. It runs the file in a sandbox. It grabs screenshots of malware like ransomware if it can. It shows dropped files and what websites it connects to, and more. I generally upload to both VirusTotal and Malwr.com.



#12 quietman7


Posted 05 March 2016 - 06:12 PM

Yes. Malwr.com is good but there are others.

Comprehensive List of Online File analyzers & services

#13 LeroyCalloway


Posted 06 March 2016 - 02:57 AM

Check that on the VirusTotal website.



#14 quietman7


Posted 06 March 2016 - 07:20 AM

It was already checked at VirusTotal and our experts have replied.

#15 powermax


Posted 08 March 2016 - 05:25 AM

lol, will do, and I do have one with Avast, but eh, it didn't detect it. Of course I'm not gonna open a random invoice that I know isn't real, lol. And thanks for that, I forgot about VirusTotal, and sure enough, here we go. I guess a downloader:

 

https://www.virustotal.com/en/file/1bb39593a9803629649f724830d9a822fd54afa9f488743b8307d1bc83fd3250/analysis/

Can you ZIP that .JS file and upload a copy to sendspace.com? It can be useful to know how that JavaScript works. Thanks.

