Undetected JScript Dropper Installs Sage Ransomware
April 20, 2017 | Malware AnalysisA popular method to distribute malware (especially ransomware) is to send a JScript file (*.js) by E-Mail or prompt a user surfing the web to execute a file. The goal of this type of attack is to bypass filtering systems that warn users trying to open attachments with certain file extensions (e.g. .exe) or disallow those attachments altogether. In response, Google issued a ban on *.js file attachments in Gmail in February.
In most cases, JScript files are not the actual malware. They are a dropper, designed to “install” malware on the target system. This technique is difficult to detect through a signature-based approach because there are endless variations and custom obfuscations.
We recently saw an example of this technique used by a JScript dropper containing the Sage Ransomware 2.2 (you can read an overview of Sage Ransomware 2.0 here). The JScript Dropper was completely undetected by 0/55 AntiVirus products in VirusTotal at the time of our analysis.
Figure 1: JScript Dropper Undetected in VirusTotal Analysis
This is not unusual. Whenever a new kind of malware appears in the wild, the first few hours are quite dangerous for users relying solely on traditional Antivirus products (demonstrated in Figure 1). Through VMRay Analyzer’s dynamic analysis we are able to see the malware’s full behavior. Malicious behavior is always malicious behavior, even if you add obfuscation on top of it.
We can already see suspicious behavior from the JScript dropper in Figure 2:
Figure 2: JScript Dropper Exhibiting Suspicious Behavior
The JScript dropper uses Scripting.FilesystemObject to work on local files, Wscript.Shell to execute other applications, and finally, an eval() function to execute a JScript payload. Pay attention to how lower and upper case characters were used randomly to evade weak detection systems. These behaviors are all red flags.
In Figure 3, we see the first eval() resolves to:
Figure 3: JS-Dropper First Eval()
Figure 4 shows the second eval() resolving to another eval():
Figure 4: JS-Dropper Resolving to another Eval()
After unescaping the payload we get (Figure 5):
Figure 5: Unescaping Payload
Executing the sample in VMRay Analyzer, we can see that the final payload is the latest version of Sage ransomware. Figure 6 shows Sage ransomware encrypting files on the system and demanding ransom to restore the files.
Figure 6: Sage Ransomware encrypting files and demanding ransom
Figure 7 shows VMRay Analyzer identifying malicious activity such as: modifying user files, overwriting the master boot record (MBR), and installing system service. As a result, this generates a high VTI score, indicating this is very malicious behavior.
Figure 7: VMRay Analyzer determines the JS Dropper as malicious with a VTI score of 100/100
Watch our video analysis where we outline the malicious behavior carried out by the JScript Dropper:
Access the Full Analysis Report
References
- https://gsuiteupdates.googleblog.com/2017/01/gmail-will-restrict-js-file-attachments.html
- https://support.google.com/mail/answer/6590?hl=en
- https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/
- https://www.virustotal.com/en/file/11c5f1f77e3f46fa466a24013e72fe6a9a2c6a9f3da04706c2f7a93e9cb6c3ba/analysis/
- https://www.vmray.com/analyses/5539928/report/overview.html
- https://www.youtube.com/watch?v=XRdczwG1p0s
