
John Hammond Analyzes Malware Sample from Email
In this video, John Hammond analyzes a malware sample he received via an email titled "malwarejs et exe" from romsf.fun.com, redirected through Discord's CDN. The email describes a drive-by download of a malicious file that occurred while downloading ROMs for Xbox 360 games on a modified console. The file in question, named "less one an Mia Khalif, and all that.zip," is hosted on MediaFire as a password-protected archive.

Hammond begins his analysis in a Windows 11 virtual machine to isolate the environment. He extracts the archive and finds a .js file and an executable disguised as a Firefox installer. The .js file contains JScript, Microsoft's native scripting language for Windows. Examining the code, Hammond finds comments and utility functions written in ECMAScript 5, along with obfuscated code intended to evade antivirus detection. The JScript uses ActiveX objects to execute commands and perform web requests. It checks the arguments passed to the script and, if none are present, runs a command to re-execute itself. The script also contains encoded strings that are decoded to perform further actions. Hammond uses the browser console to deobfuscate these strings and discovers that the script downloads another payload from a Pastebin link.

The second payload, also JScript, contains functions that query the system for information such as the public IP address, environment variables, and unique identifiers. The script uses this information to build commands and execute a further payload via PowerShell. Hammond decodes the PowerShell payload and finds that it downloads a JPEG image from archive.org, extracts hidden data from the RGB pixel values of the image, and executes a .NET assembly. The .NET assembly, disguised as the Microsoft Win32 Task Scheduler, is analyzed with tools such as dnSpy. Hammond determines that the final payload is AsyncRAT, a well-known Remote Access Trojan (RAT).

The RAT connects to a command and control (C&C) server to receive instructions and exfiltrate data. In conclusion, although the malware uses interesting techniques to hide its payloads in image files and obfuscate its code, it turns out to be a commoditized and widely used RAT. Hammond notes that the executable disguised as a Firefox installer does not appear to be part of the main attack chain. To see the full analysis and technical details, watch the video at the following address: https://www.youtube.com/watch?v=LwKOS10lblk
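The image-based stage described above (a loader that reads a file's RGB pixel values and executes the .NET assembly hidden in them) is something an analyst wants to be able to triage without running the loader. The following Python script is an added example, not code from the video or from Hammond; it carves a PE/.NET header out of an image's RGB byte stream and reports whether one is present. It assumes the simplest layout, in which the loader treats the RGB channels in row-major order as the embedded file; a real loader may use a different pixel order or a length prefix, so that layout is an assumption to verify against the decoded PowerShell. The image is parsed as binary PPM (P6) purely so the example needs no third-party library; the carving logic works on any RGB byte stream, and the sample image, the fake PE stub inside it and the helper names are all constructed for this example.

```python
"""Triage helper: find a PE/.NET image hidden in an image's RGB byte stream.

Added example (not code from the video). Assumption: the loader reads the
RGB channels in row-major order and treats that byte stream as the file.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
CLR_METADATA_SIG = b"BSJB"  # magic at the start of the .NET metadata header


def parse_ppm_p6(data: bytes):
    """Parse a binary PPM (P6) image; return (width, height, rgb_bytes).

    Used only so the example runs with the standard library alone.
    """
    tokens, pos = [], 0
    while len(tokens) < 4:
        while data[pos:pos + 1].isspace():  # skip header whitespace
            pos += 1
        if data[pos:pos + 1] == b"#":  # skip a header comment line
            while data[pos:pos + 1] not in (b"\n", b""):
                pos += 1
            continue
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace():
            pos += 1
        tokens.append(data[start:pos])
    if tokens[0] != b"P6":
        raise ValueError("not a P6 PPM")
    width, height, maxval = (int(t) for t in tokens[1:])
    if maxval != 255:
        raise ValueError("only 8-bit PPM supported")
    pos += 1  # exactly one whitespace byte separates maxval from pixel data
    rgb = data[pos:pos + width * height * 3]
    if len(rgb) != width * height * 3:
        raise ValueError("truncated pixel data")
    return width, height, rgb


def find_embedded_pe(stream: bytes):
    """Return (offset, is_dotnet) for the first plausible PE in `stream`, else None.

    A hit needs an 'MZ' stub whose e_lfanew (at +0x3C) points at 'PE\\0\\0';
    a bare 'MZ' in pixel noise is not enough, which keeps false positives low.
    """
    pos = stream.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(stream):
            (e_lfanew,) = struct.unpack_from("<I", stream, pos + 0x3C)
            pe_off = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and stream[pe_off:pe_off + 4] == PE_SIG:
                is_dotnet = stream.find(CLR_METADATA_SIG, pe_off) != -1
                return pos, is_dotnet
        pos = stream.find(MZ, pos + 1)
    return None


def carve_pe(stream: bytes):
    """Return the bytes from the PE header to the end of the stream, or None."""
    hit = find_embedded_pe(stream)
    return None if hit is None else stream[hit[0]:]


def scan_ppm_for_payload(data: bytes):
    """Parse a PPM and report (offset, is_dotnet) of any embedded PE, or None."""
    _, _, rgb = parse_ppm_p6(data)
    return find_embedded_pe(rgb)


def build_constructed_sample() -> bytes:
    """Constructed 8x8 PPM whose RGB stream hides a fake PE stub (only the
    DOS/PE signatures and a .NET metadata marker, no executable code)."""
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3A)  # 0x3C bytes of DOS header
    fake_pe += struct.pack("<I", 0x40)           # e_lfanew -> offset 0x40
    fake_pe += PE_SIG + b"\x00" * 12 + CLR_METADATA_SIG
    cover = bytes((i * 37) % 256 for i in range(6))  # two innocent pixels first
    rgb = cover + bytes(fake_pe)
    rgb += bytes(8 * 8 * 3 - len(rgb))           # pad to the full pixel count
    return b"P6\n# constructed sample\n8 8\n255\n" + rgb


if __name__ == "__main__":
    print(scan_ppm_for_payload(build_constructed_sample()))  # (6, True)
```

Running the script on the constructed sample reports the PE stub at RGB offset 6 and flags it as .NET because the CLR metadata signature follows the PE header; on a real capture, the carved bytes from `carve_pe` are what you would hand to dnSpy, as Hammond does with the extracted assembly.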