Solved

Windows hack script

Posted on 2016-07-28
11
62 Views
Last Modified: 2016-08-13
Got this in an email that was suspicious.
Looks like a Windows script file that does something not so good.

Could anybody analyze and tell me what it does?
hack.txt
0
Comment
Question by:pgm554
11 Comments
 
LVL 30

Author Comment

by:pgm554
ID: 41733755
Hmm. It appears to run a script that drops a back door and some other goodies.

https://www.hybrid-analysis.com/sample/c190dca2a054af240e1dda64c128049517d696a863b082de2ea11499c594670b?environmentId=100

It came in a zip file and passed at least 3 virus scans.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41733916
It came in a zip file and passed at least 3 virus scans.

That is how Crypto Lock viruses come.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41733921
From what I gather it appears to launch IE so that it can drop a backdoor downloader on top of the other commands.
I ran M$ Essentials, Malwarebytes and AVG and all seem clean.
Any virus scanners that look for script files in compressed formats?
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41733925
I would be inclined to delete the email right away.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41733980
That's been done.
It's perfectly harmless unless the extension is changed.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41733985
I looked through the script briefly and cannot really see what it would do. So maybe just forget it until and unless you get another one.
0
 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 41734259
It is a JavaScript downloader. My antivirus scanned it immediately:
JS/Downloader.Agent.42_W
I did a document.write on one of the variables and removed the job entries
https://www.virustotal.com/en/file/a44a54cb12cd530229b1124af437127150c3e91785160a3aca212b7a43b98474/analysis/1469777981/
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41734536
Sophos UTM picks this up as Troj/JSDldr-QU

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSDldr-QU.aspx

Interesting that the VirusTotal page reckons Sophos does not pick it up as a threat when it definitely does. UTM runs Sophos and Avira for virus detection. Avast Business also picks this up though VirusTotal says no...

As David Johnson says, it's a JavaScript downloader. The code is all obfuscated using character encoding. If you would like the raw JavaScript I can provide it to you decoded in a text file. They basically use a series of variables for text and a series of joins to bring the code together to execute. I know the code is malicious so I have not gone beyond that in, say, trying to debug and watch exactly what happens.
1
 
LVL 30

Author Closing Comment

by:pgm554
ID: 41734884
Nice to know that there are so many ineffective virus scanners.
0
 
LVL 30

Author Comment

by:pgm554
ID: 41734920
Just for the heck of it, I sent it to an Exchange server I manage and it got right through.

5 engines and it gets through.
ff.PNG
0
 
LVL 30

Author Comment

by:pgm554
ID: 41755159
As an FYI, M$ Security Essentials scanned one of my laptops the other day and quarantined the text file of the hack: Downloader.JS.Nemucod.FJ

So two weeks to update the signature.
0