Solved

Windows hack script

Posted on 2016-07-28
11
72 Views
Last Modified: 2016-08-13
Got this in an email that was suspicious.
Looks like a windows script file that does something not so good.

Could anybody analyze and tell me what it does?
hack.txt
0
Comment
Question by:pgm554
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 30

Author Comment

by:pgm554
ID: 41733755
Hmm.it appears to run a script that drops a back door and some other goodies.

https://www.hybrid-analysis.com/sample/c190dca2a054af240e1dda64c128049517d696a863b082de2ea11499c594670b?environmentId=100

It came in a zip file and passed at least 3 virus scans.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 41733916
It came in a zip file and passed at least 3 virus scans.

That is how Crypto Lock viruses come.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41733921
From what I gather it appears to launch IE so that it can drop a backdoor downloader on top of the other commands .
I ran M$ essentials ,malwarebytes and avg and all seem clean.
Any virus scanners that look for script files in in compressed formats?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 95

Expert Comment

by:John Hurst
ID: 41733925
I would be inclined to delete the email right away.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41733980
That's been done.
It's perfectly harmless unless the extension is changed.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 41733985
I looked through the script briefly and cannot really see what it would do. So maybe just forget it until and unless you get another one.
0
 
LVL 81

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 41734259
it is a javascript downloader.. my antivirus scanned it immediately
JS/Downloader.Agent.42_W
I did a document.write on one of the variables and removed the job entries
https://www.virustotal.com/en/file/a44a54cb12cd530229b1124af437127150c3e91785160a3aca212b7a43b98474/analysis/1469777981/
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41734536
Sophos UTM picks this up as Troj/JSDldr-QU

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSDldr-QU.aspx

Interesting that the VirusTotal page reckons Sophos does not pick it up as a threat when it definitely does. UTM runs Sophos and Avira for virus detection. Avast Business also picks this up though VirusTotal says no...

As David Johnson says, its a JavaScript downloader. The code is all obfuscated using character encoding. If you would like the raw javascript I can provide it to you in a text file decoded. They basically use a series of variables for text and a series of joins to bring the code together to execute. I know the code is malicious so I have not gone beyond that in say trying to debug and watch exactly what happens.
1
 
LVL 30

Author Closing Comment

by:pgm554
ID: 41734884
Nice to know that there are so many ineffective virus scanners.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41734920
Just for the heck of it ,I sent it to an Exchange server I manage and it got right through.

5 engines and it gets through.
ff.PNG
0
 
LVL 30

Author Comment

by:pgm554
ID: 41755159
As a FYI, M$ Security Essentials scanned one of my laptops the other and quarantined the text file of the hack Downloader.JS.Nemucod.FJ

So two weeks to update the signature.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SharePoint and CAML query help 4 26
Javascript: Range object 16 34
Windows Storage Server 2012 R2 Standard 2 81
Frequency of Windows Server updates 27 134
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question