Windows hack script

pgm554 asked:
Got this in an email that was suspicious.
Looks like a windows script file that does something not so good.

Could anybody analyze and tell me what it does?
(attachment: hack.txt)
Hmm. It appears to run a script that drops a back door and some other goodies.

https://www.hybrid-analysis.com/sample/c190dca2a054af240e1dda64c128049517d696a863b082de2ea11499c594670b?environmentId=100

It came in a zip file and passed at least 3 virus scans.
John, Business Consultant (Owner), Most Valuable Expert 2012, Expert of the Year 2018, commented:
It came in a zip file and passed at least 3 virus scans.

That is how CryptoLocker viruses come.
From what I gather it appears to launch IE so that it can drop a backdoor downloader on top of the other commands.
I ran M$ Essentials, Malwarebytes and AVG and all seem clean.
Any virus scanners that look for script files in compressed formats?
John, Business Consultant (Owner), commented:
I would be inclined to delete the email right away.
That's been done.
It's perfectly harmless unless the extension is changed.
John, Business Consultant (Owner), commented:
I looked through the script briefly and cannot really see what it would do. So maybe just forget it until and unless you get another one.
David Johnson, Top Expert 2016, commented:
It is a JavaScript downloader. My antivirus scanned it immediately: JS/Downloader.Agent.42_W
I did a document.write on one of the variables and removed the job entries
https://www.virustotal.com/en/file/a44a54cb12cd530229b1124af437127150c3e91785160a3aca212b7a43b98474/analysis/1469777981/
Sophos UTM picks this up as Troj/JSDldr-QU

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSDldr-QU.aspx

Interesting that the VirusTotal page reckons Sophos does not pick it up as a threat when it definitely does. UTM runs Sophos and Avira for virus detection. Avast Business also picks this up though VirusTotal says no...

As David Johnson says, it's a JavaScript downloader. The code is all obfuscated using character encoding. If you would like the raw JavaScript I can provide it to you in a text file, decoded. They basically use a series of variables for text and a series of joins to bring the code together to execute. I know the code is malicious so I have not gone beyond that in, say, trying to debug and watch exactly what happens.
Nice to know that there are so many ineffective virus scanners.
Just for the heck of it, I sent it to an Exchange server I manage and it got right through.

5 engines and it gets through.
(attachment: ff.PNG)
As an FYI, M$ Security Essentials scanned one of my laptops the other day and quarantined the text file of the hack as Downloader.JS.Nemucod.FJ.

So two weeks to update the signature.
