Undetected JScript Dropper Installs Sage Ransomware
April 20, 2017 | Malware Analysis

A popular method to distribute malware (especially ransomware) is to send a JScript file (*.js) by email or to prompt a user surfing the web to execute such a file. The goal of this type of attack is to bypass filtering systems that warn users before they open attachments with certain file extensions (e.g. .exe) or block those attachments altogether. In response, Google issued a ban on *.js file attachments in Gmail in February.
In most cases, JScript files are not the actual malware. They are a dropper, designed to “install” malware on the target system. This technique is difficult to detect through a signature-based approach because there are endless variations and custom obfuscations.
We recently saw an example of this technique used by a JScript dropper containing Sage Ransomware 2.2 (you can read an overview of Sage Ransomware 2.0 here). The JScript dropper was detected by 0 of 55 AntiVirus products on VirusTotal at the time of our analysis, i.e. it was completely undetected.
This is not unusual. Whenever a new kind of malware appears in the wild, the first few hours are quite dangerous for users relying solely on traditional Antivirus products (demonstrated in Figure 1). Through VMRay Analyzer’s dynamic analysis we are able to see the malware’s full behavior. Malicious behavior is always malicious behavior, even if you add obfuscation on top of it.
We can already see suspicious behavior from the JScript dropper in Figure 2:
The JScript dropper uses Scripting.FilesystemObject to work on local files, Wscript.Shell to execute other applications, and finally eval() to execute a JScript payload. Note how upper- and lower-case characters are mixed randomly to evade weak detection systems. These behaviors are all red flags.
In Figure 3, we see the first eval() resolves to:
Figure 4 shows the second eval() resolving to another eval():
After unescaping the payload we get (Figure 5):
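The indicators described above (file-system and shell automation objects, randomised case in the ProgID strings, and eval()/unescape() staging) can be turned into a simple static triage check. The following Python script is an added example written for this post, not code from the original analysis or from VMRay; the sample script it scans is constructed and harmless, and the weights and the "suspicious" threshold are assumptions.

```python
import re

# Indicators taken from the dropper behaviour described in the post:
# file-system and shell automation objects, plus eval()/unescape() staging.
# ProgID strings passed to ActiveXObject are matched case-insensitively
# because COM resolves them that way, which is what lets an author randomise
# their case; JScript function names are case-sensitive, so eval/unescape
# are matched exactly.
PROGIDS = ["Scripting.FileSystemObject", "WScript.Shell"]
FUNCS = ["eval", "unescape"]

def _mixed_case(token, canonical):
    """True when token equals canonical ignoring case but not exactly,
    e.g. 'wSCript.SHell', a sign of case-randomising obfuscation."""
    return token.lower() == canonical.lower() and token != canonical

def triage_script(text):
    """Return indicator counts, a weighted score and a verdict for one script."""
    r = {"progids": {}, "funcs": {}, "mixed_case": [], "eval_unescape": 0}
    for pid in PROGIDS:
        hits = re.findall(re.escape(pid), text, flags=re.IGNORECASE)
        if hits:
            r["progids"][pid] = len(hits)
            r["mixed_case"] += [h for h in hits if _mixed_case(h, pid)]
    for fn in FUNCS:
        n = len(re.findall(r"\b%s\s*\(" % fn, text))
        if n:
            r["funcs"][fn] = n
    # eval(unescape(...)) is the staging pattern shown in Figures 3 to 5.
    r["eval_unescape"] = len(re.findall(r"\beval\s*\(\s*unescape\s*\(", text))
    # Weights and threshold are assumptions chosen for this example.
    score = (2 * len(r["progids"]) + 2 * len(r["funcs"])
             + 2 * len(r["mixed_case"]) + 3 * r["eval_unescape"])
    if r["funcs"].get("eval", 0) >= 2:   # more than one eval stage
        score += 1
    r["score"] = score
    r["verdict"] = "suspicious" if score >= 8 else "clean"
    return r

# Constructed sample (not the real dropper): harmless statements written in the
# style the post describes. The escaped strings decode to "var x=1;" and 'eval("1")'.
SAMPLE = r'''
var fSo = new ActiveXObject("scRIPting.fILEsystemObJECT");
var sH = new ActiveXObject("wSCript.SHell");
var stage = unescape("%76%61%72%20%78%3d%31%3b");
eval(stage);
eval(unescape("%65%76%61%6c%28%22%31%22%29"));
'''

if __name__ == "__main__":
    print(triage_script(SAMPLE))
```

Such a check is only a triage aid for prioritising samples for dynamic analysis; the post's point stands that behaviour observed at runtime, not string patterns, is what reliably identifies the dropper.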
Executing the sample in VMRay Analyzer, we can see that the final payload is the latest version of Sage ransomware. Figure 6 shows Sage ransomware encrypting files on the system and demanding ransom to restore the files.
Figure 7 shows VMRay Analyzer identifying malicious activity such as modifying user files, overwriting the master boot record (MBR), and installing a system service. Together these generate a high VTI score, indicating very malicious behavior.
Watch our video analysis where we outline the malicious behavior carried out by the JScript Dropper:
Access the Full Analysis Report
References
- https://gsuiteupdates.googleblog.com/2017/01/gmail-will-restrict-js-file-attachments.html
- https://support.google.com/mail/answer/6590?hl=en
- https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/
- https://www.virustotal.com/en/file/11c5f1f77e3f46fa466a24013e72fe6a9a2c6a9f3da04706c2f7a93e9cb6c3ba/analysis/
- https://www.vmray.com/analyses/5539928/report/overview.html
- https://www.youtube.com/watch?v=XRdczwG1p0s