Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 128
  • Last Modified:

Windows hack script

Got this in an email that was suspicious.
Looks like a windows script file that does something not so good.

Could anybody analyze and tell me what it does?
hack.txt
0
pgm554
Asked:
pgm554
2 Solutions
 
pgm554Author Commented:
Hmm.it appears to run a script that drops a back door and some other goodies.

https://www.hybrid-analysis.com/sample/c190dca2a054af240e1dda64c128049517d696a863b082de2ea11499c594670b?environmentId=100

It came in a zip file and passed at least 3 virus scans.
0
 
JohnBusiness Consultant (Owner)Commented:
It came in a zip file and passed at least 3 virus scans.

That is how Crypto Lock viruses come.
0
 
pgm554Author Commented:
From what I gather it appears to launch IE so that it can drop a backdoor downloader on top of the other commands .
I ran M$ essentials ,malwarebytes and avg and all seem clean.
Any virus scanners that look for script files in in compressed formats?
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
JohnBusiness Consultant (Owner)Commented:
I would be inclined to delete the email right away.
0
 
pgm554Author Commented:
That's been done.
It's perfectly harmless unless the extension is changed.
0
 
JohnBusiness Consultant (Owner)Commented:
I looked through the script briefly and cannot really see what it would do. So maybe just forget it until and unless you get another one.
0
 
David Johnson, CD, MVPOwnerCommented:
it is a javascript downloader.. my antivirus scanned it immediately
JS/Downloader.Agent.42_W
I did a document.write on one of the variables and removed the job entries
https://www.virustotal.com/en/file/a44a54cb12cd530229b1124af437127150c3e91785160a3aca212b7a43b98474/analysis/1469777981/
0
 
LearnctxEngineerCommented:
Sophos UTM picks this up as Troj/JSDldr-QU

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSDldr-QU.aspx

Interesting that the VirusTotal page reckons Sophos does not pick it up as a threat when it definitely does. UTM runs Sophos and Avira for virus detection. Avast Business also picks this up though VirusTotal says no...

As David Johnson says, its a JavaScript downloader. The code is all obfuscated using character encoding. If you would like the raw javascript I can provide it to you in a text file decoded. They basically use a series of variables for text and a series of joins to bring the code together to execute. I know the code is malicious so I have not gone beyond that in say trying to debug and watch exactly what happens.
1
 
pgm554Author Commented:
Nice to know that there are so many ineffective virus scanners.
0
 
pgm554Author Commented:
Just for the heck of it ,I sent it to an Exchange server I manage and it got right through.

5 engines and it gets through.
ff.PNG
0
 
pgm554Author Commented:
As a FYI, M$ Security Essentials scanned one of my laptops the other and quarantined the text file of the hack Downloader.JS.Nemucod.FJ

So two weeks to update the signature.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Tackle projects and never again get stuck behind a technical roadblock.
Join Now