Solved

Windows hack script

Posted on 2016-07-28
11
86 Views
Last Modified: 2016-08-13
Got this in an email that was suspicious.
Looks like a windows script file that does something not so good.

Could anybody analyze and tell me what it does?
hack.txt
0
Comment
Question by:pgm554
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 30

Author Comment

by:pgm554
ID: 41733755
Hmm.it appears to run a script that drops a back door and some other goodies.

https://www.hybrid-analysis.com/sample/c190dca2a054af240e1dda64c128049517d696a863b082de2ea11499c594670b?environmentId=100

It came in a zip file and passed at least 3 virus scans.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 41733916
It came in a zip file and passed at least 3 virus scans.

That is how Crypto Lock viruses come.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41733921
From what I gather it appears to launch IE so that it can drop a backdoor downloader on top of the other commands .
I ran M$ essentials ,malwarebytes and avg and all seem clean.
Any virus scanners that look for script files in in compressed formats?
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 
LVL 96

Expert Comment

by:Experienced Member
ID: 41733925
I would be inclined to delete the email right away.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41733980
That's been done.
It's perfectly harmless unless the extension is changed.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 41733985
I looked through the script briefly and cannot really see what it would do. So maybe just forget it until and unless you get another one.
0
 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 41734259
it is a javascript downloader.. my antivirus scanned it immediately
JS/Downloader.Agent.42_W
I did a document.write on one of the variables and removed the job entries
https://www.virustotal.com/en/file/a44a54cb12cd530229b1124af437127150c3e91785160a3aca212b7a43b98474/analysis/1469777981/
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41734536
Sophos UTM picks this up as Troj/JSDldr-QU

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSDldr-QU.aspx

Interesting that the VirusTotal page reckons Sophos does not pick it up as a threat when it definitely does. UTM runs Sophos and Avira for virus detection. Avast Business also picks this up though VirusTotal says no...

As David Johnson says, its a JavaScript downloader. The code is all obfuscated using character encoding. If you would like the raw javascript I can provide it to you in a text file decoded. They basically use a series of variables for text and a series of joins to bring the code together to execute. I know the code is malicious so I have not gone beyond that in say trying to debug and watch exactly what happens.
1
 
LVL 30

Author Closing Comment

by:pgm554
ID: 41734884
Nice to know that there are so many ineffective virus scanners.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41734920
Just for the heck of it ,I sent it to an Exchange server I manage and it got right through.

5 engines and it gets through.
ff.PNG
0
 
LVL 30

Author Comment

by:pgm554
ID: 41755159
As a FYI, M$ Security Essentials scanned one of my laptops the other and quarantined the text file of the hack Downloader.JS.Nemucod.FJ

So two weeks to update the signature.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question