Goldeneye Ransomware Uses COM to Execute Malicious JavaScript

A new ransomware family called Goldeneye, a variant of Petya, is spreading in Germany. It targets German-speaking users by email, posing as a job application (Bewerbung) whose "application" is attached as an Excel workbook (.xls).

When we started analyzing Goldeneye, the attachment scored 9/54 on VirusTotal, but the score varied between attachments, from as low as 7/54 to as high as 25/54:

Once the workbook is opened, Excel asks the user for permission to run its macro code.

If macros are enabled by default, or the user enables them just this once for this document, the macro extracts and drops an executable that is the actual ransomware (it writes to the master boot record, encrypts files and demands a ransom).
What is interesting about this approach is that the VBA macro does not do that work itself: it runs JScript (Microsoft's JavaScript dialect) through COM, and the code that extracts the malicious executable lives in that JScript.

' LQ3 holds the JScript source the macro wants to run
Set SP4 = CreateObject("MSScriptControl.ScriptControl")   ' Microsoft Script Control COM object
SP4.Language = "JScript"                                  ' select the JScript engine
If SP4.Eval(LQ3) Then                                     ' evaluate the hosted script; the empty If just discards its result
End If

MSScriptControl.ScriptControl is the ProgID of the Microsoft Script Control, a COM component that hosts a Windows Script engine in the calling process. Setting its Language property selects the engine, so the same object can run VBScript just as well as JScript. Two practical notes: the Script Control only ships as a 32-bit component (msscript.ocx), so this CreateObject call fails under 64-bit Office, and the hosted script runs with the full rights of the Excel process, not in any sandbox.
The JScript in LQ3 is itself unremarkable: it base64-decodes the embedded executable, writes it to disk with Scripting.FileSystemObject and finally launches it through WScript.Shell. Because the VBA never creates those objects itself, the dropper logic only becomes visible once the string in LQ3 is treated as code.
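To make the detection angle concrete, here is a small static triage script. It is an added example for this post, not the sandbox's code and not taken from the Goldeneye sample. It assumes the VBA source has already been extracted from the workbook (by olevba or similar), checks for the ScriptControl/Language/Eval chain, rebuilds the string variable handed to Eval, and scans that hosted JScript for the FileSystemObject and WScript.Shell calls and for a base64 run that decodes to an MZ header. The sample macro, every name other than SP4 and LQ3, and the base64-decoding indicators (MSXML2 bin.base64, ADODB.Stream) are constructed for the example.

```python
"""Triage helper for the VBA -> MSScriptControl -> JScript dropper chain."""
import base64
import re

# VBA side of the chain described in the article: the Script Control COM
# object, the engine selection and the call that runs the hosted script.
# All three together are the pattern; any one alone is weaker evidence.
VBA_CHAIN = {
    "scriptcontrol_create": re.compile(
        r'CreateObject\s*\(\s*"MSScriptControl\.ScriptControl"\s*\)', re.I),
    "engine_select": re.compile(r'\.Language\s*=\s*"(?:JScript|VBScript)"', re.I),
    "hosted_exec": re.compile(r"\.(?:Eval|ExecuteStatement|AddCode|Run)\s*\(", re.I),
}
# Name of the variable passed to the hosted-exec call (LQ3 in the article).
HOSTED_ARG = re.compile(r"\.(?:Eval|ExecuteStatement|AddCode|Run)\s*\(\s*(\w+)", re.I)

# Hosted-script side: the dropper behaviour the article describes (write via
# FileSystemObject, launch via WScript.Shell) plus common base64 decoding
# routes in JScript/VBScript. The decoding patterns are assumptions, not
# taken from the Goldeneye sample.
SCRIPT_INDICATORS = {
    "filesystem_write": re.compile(r"Scripting\.FileSystemObject", re.I),
    "shell_exec": re.compile(r"WScript\.Shell", re.I),
    "base64_decode": re.compile(r"bin\.base64|ADODB\.Stream|FromBase64", re.I),
}

VBA_STRING = re.compile(r'"((?:[^"]|"")*)"')       # VBA escapes a quote as ""
VBA_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)$")   # Name = <expression>
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking run


def reconstruct_strings(vba_src):
    """Rebuild string variables assembled by `X = "..."` / `X = X & "..."`."""
    values = {}
    for line in vba_src.splitlines():
        m = VBA_ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        # Self-reference (X = X & ...) appends; a plain assignment replaces.
        appends = re.search(rf"\b{re.escape(name)}\b", expr) is not None
        prefix = values.get(name, "") if appends else ""
        literals = [s.replace('""', '"') for s in VBA_STRING.findall(expr)]
        values[name] = prefix + "".join(literals)
    return values


def decodes_to_pe(blob):
    """True if a base64 run decodes to bytes starting with the PE 'MZ' magic."""
    try:
        return base64.b64decode(blob, validate=True).startswith(b"MZ")
    except ValueError:  # bad padding, or not base64 after all
        return False


def triage(vba_src):
    """Report the COM chain, the hosted script's indicators and any embedded PE."""
    chain = {k: bool(p.search(vba_src)) for k, p in VBA_CHAIN.items()}
    m = HOSTED_ARG.search(vba_src)
    payload_var = m.group(1) if m else None
    script = reconstruct_strings(vba_src).get(payload_var, "") if payload_var else ""
    return {
        "vba_chain": chain,
        "chain_complete": all(chain.values()),
        "payload_var": payload_var,
        "script_indicators": [k for k, p in SCRIPT_INDICATORS.items() if p.search(script)],
        "embedded_pe": any(decodes_to_pe(b) for b in B64_BLOB.findall(script)),
    }


# Constructed sample: mirrors the article's macro (ScriptControl + Eval of a
# variable named LQ3) with a stand-in payload. The "executable" is just an
# MZ header followed by zeros, base64-encoded; it is not a real PE.
_FAKE_PE = base64.b64encode(b"MZ" + b"\x00" * 46).decode()
SAMPLE_VBA = (
    "Sub Auto_Open()\n"
    "    Dim LQ3 As String\n"
    '    LQ3 = "var fso = new ActiveXObject(""Scripting.FileSystemObject"");"\n'
    '    LQ3 = LQ3 & "var sh = new ActiveXObject(""WScript.Shell"");"\n'
    '    LQ3 = LQ3 & "var blob = ""' + _FAKE_PE + '"";"\n'
    '    LQ3 = LQ3 & "var node = new ActiveXObject(""MSXML2.DOMDocument"").createElement(""b"");"\n'
    '    LQ3 = LQ3 & "node.dataType = ""bin.base64""; node.text = blob;"\n'
    '    Set SP4 = CreateObject("MSScriptControl.ScriptControl")\n'
    '    SP4.Language = "JScript"\n'
    "    If SP4.Eval(LQ3) Then\n"
    "    End If\n"
    "End Sub\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

This only reconstructs strings built from plain literals and `&` concatenation; a macro that assembles LQ3 from Chr() calls, array lookups or a cell value defeats it, which is exactly the case where watching the COM calls at run time, as the sandbox does, is the more reliable signal.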
But this technique cannot fool our system. We can inspect all calls to COM objects, even when they are hidden inside a JScript string, which is inside a VBA macro, which is inside an Excel document, by opening the "COM" information tab once the document has been analyzed by our system:

The Goldeneye malware scores 100/100 on our system:
