RecJS: a Multi-Component Malware hides behind JavaScript.
The Dell SonicWALL Threats Research team observed reports of a new multi-component malware family, detected as GAV: RECJS.AB, actively spreading in the wild. This time the attackers used a JavaScript (.js) file dropped by an executable. The malware uses the Windows Based Script Host to run scripts on the infected machine and hides behind a JavaScript file to avoid detection. One major component is responsible for taking a screenshot of the infected machine and uploading it to the attackers' C&C server.
Infection Cycle:
The Malware uses the following icon:
MD5:
2a63b3a621d8e555734582d83b5e06a5 – Multi-Component Package
Droppers:
aecef77725f3ee0b84b6b8046efe5ac0 – 7z.dll
a1efcedc97c76b356f7ffa7cf909d733 – 7z.exe
f3c7fb3cabab9af2291d55da05ce10fe – ns3B2.tmp
e0c13aa81e0d5a2df8ecc98c969a6958 – nsExec.dll
ae182dc797cd9ad2c025066692fc041b – System.dll
75fb0aecd2cfef2210495a4f3cab5bcf – windrv.exe
f1a7ea45ced96bec4ad093f5dbd53b29 – e4a65dca09558335391ff7233ec51084.js
The malware adds the following files to the system:
Malware.exe
%Temp%\nsb3AE.tmp\System.dll
%Temp%\nsb3AE.tmp\nsExec.dll
%Temp%\nsb3AE.tmp\ns3B2.tmp
cmd.exe
%Userprofile%\Application Data\AppCache_3a879c0b9817492db842ebd53ca6a115
7z.dll
7z.exe
e4a65dca09558335391ff7233ec51084.js
svchost.exe
a copy of the Microsoft (R) Windows Based Script Host C:\WINDOWS\system32\wscript.exe
taskhost.exe
a copy of the Windows Command Processor C:\WINDOWS\system32\cmd.exe
windrv.exe
an application for capturing screenshots of the target system
The malware adds the following files to the Windows startup folder to ensure persistence across reboots:
%Userprofile%\Application Data\appdata.lnk
%Userprofile%\Start Menu\Programs\Startup\Windows Application Manager.lnk
C:\WINDOWS\system32\wscript.exe /b /nologo /E:javascript "%Userprofile%\Application data\AppCache_3a879c0b9817492db842ebd53ca6a115\e4a65dca09558335391ff7233ec51084.js" startup
Once the computer is compromised, the malware copies the Windows Based Script Host wscript.exe and the Windows Command Processor cmd.exe to the AppCache folder.
The malware uses the .js script to grab information from the infected machine and uses legitimate Windows applications to avoid detection by AV vendors.
In the background the malware runs the following commands on the system:
cmd.exe
cmd /c cd C:\Documents and Settings\Administrator\Application Data\AppCache_3a879c0b9817492db842ebd53ca6a115 & copy /b 34c227 + 34c227bb + 34c22 + 34c227b + bb4736 + bb473 7z.exe
%Temp%\nsb3AE.tmp\ns3B0.tmp
"%Userprofile%\LOCALS~1\Temp\nsb3AE.tmp\ns3B0.tmp" cmd /c cd %Userprofile%\Application Data\AppCache_3a879c0b9817492db842ebd53ca6a115 & copy /b 343b + 9398cde4 + 93 + 9398cd + 9398cde + 4c7d + 4c7d9ee9 7z.dll
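The behaviours described above (a script host launched with /E:javascript on a .js file under the user profile, copy /b reassembly of a payload from fragments, and system-binary names such as svchost.exe or taskhost.exe executing outside the system directories) can be turned into simple process-creation checks. The following Python is an added detection example, not part of the original advisory; the sample records and label names are constructed for illustration.

```python
import re

# Constructed process-creation records (image path, command line), modelled on the
# commands and file locations in the advisory; they are not captured telemetry.
SAMPLE_EVENTS = [
    (r"C:\WINDOWS\system32\wscript.exe",
     r'C:\WINDOWS\system32\wscript.exe /b /nologo /E:javascript '
     r'"%Userprofile%\Application data\AppCache_3a879c0b9817492db842ebd53ca6a115\e4a65dca09558335391ff7233ec51084.js" startup'),
    (r"C:\WINDOWS\system32\cmd.exe",
     r"cmd /c cd C:\Documents and Settings\Administrator\Application Data\AppCache_3a879c0b9817492db842ebd53ca6a115"
     r" & copy /b 34c227 + 34c227bb + 34c22 + 34c227b + bb4736 + bb473 7z.exe"),
    (r"C:\Documents and Settings\Administrator\Application Data\AppCache_3a879c0b9817492db842ebd53ca6a115\svchost.exe",
     r"svchost.exe /b /nologo /E:javascript stage2.js"),   # renamed wscript.exe copy
    (r"C:\WINDOWS\system32\svchost.exe", r"svchost.exe -k netsvcs"),          # benign
    (r"C:\WINDOWS\system32\cmd.exe", r"cmd /c copy /b a.txt + b.txt merged.txt"),  # benign
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MASQUERADE_NAMES = {"svchost.exe", "taskhost.exe", "wscript.exe", "cmd.exe"}
USER_DIR_RE = re.compile(r"(%userprofile%|\\application data\\|\\appdata\\)", re.I)
JS_HOST_RE = re.compile(r"/E:javascript\b.*\.js\b", re.I)
# copy /b joining three or more fragments with '+' (7z.exe and 7z.dll were rebuilt this way)
BINCAT_RE = re.compile(r"copy\s+/b\s+\S+(\s*\+\s*\S+){2,}\s+\S+", re.I)


def classify(image, cmdline):
    """Return the detection labels that fire for one process-creation record."""
    hits = []
    name = image.rsplit("\\", 1)[-1].lower()
    directory = image.rsplit("\\", 1)[0].lower()
    # 1. Script host executing a JavaScript file from a per-user data directory
    if JS_HOST_RE.search(cmdline) and USER_DIR_RE.search(cmdline):
        hits.append("js_host_from_user_profile")
    # 2. Binary reassembly of a payload from fragments inside the user profile
    if BINCAT_RE.search(cmdline) and USER_DIR_RE.search(cmdline):
        hits.append("copy_b_fragment_reassembly")
    # 3. A well-known system binary name running outside the system directories
    if name in MASQUERADE_NAMES and not directory.startswith(SYSTEM_DIRS):
        hits.append("system_name_outside_system_dir")
    return hits


def scan(events):
    """Return (index, labels) for every record that triggers at least one check."""
    return [(i, classify(img, cmd)) for i, (img, cmd) in enumerate(events)
            if classify(img, cmd)]


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels)
```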
The file e4a65dca09558335391ff7233ec51084.js is dropped after the malware launches on the target system. The malware uses wscript.exe to grab information from the infected machine, such as the version of the installed anti-virus; here is an example:
The malware tries to retrieve the processor version in order to create a unique ID for the system; here is an example:
Once the malware has created a unique ID for the system, it transfers information to its C&C server in the following format:
After a while the malware starts taking screenshots of the infected machine, saves them to a screenshot.png file and then uploads them to its C&C server.
Command and Control (C&C) Traffic
RECJS.AB performs C&C communication over port 443. The malware sends system information to its C&C server in the following format; here are some examples:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
GAV: RECJS.AB (Trojan)