I downloaded a JS trojan downloader sample from VirusSign to analyze the behavior of this malware. It was a zip file, INC_0987155124US_Apr_19_2019.zip, and after extracting it I got a .js file.
On opening the JS file in Notepad, I saw a base64-obfuscated string. After deobfuscating the JS script, I found that this file has multiple sources/URLs to download from. SHA256: d6798b62cef08c4f61a30dfa346faf5aa29f9d03e4599ebe5ae910a193087b86
Below are the URLs used in the JS to download malicious executable files.
Below is the JS code where it goes to a URL to check whether it is up; otherwise it checks another URL to get the malware downloaded onto the user's machine.
I tried to access all four URLs used in the JS script and was able to download malicious .exe files from three of them. One URL was inaccessible.
Below are the executable files downloaded from the URLs.
When I checked the version and hash of all three files, they were all the same.
Behavior of executable file:
On execution, a file is created under the C:\Windows\SysWow64 directory with the name sourcematrix.exe, and it also adds itself to the Windows services (services.msc).
The Wireshark log shows this malware executable connects to IP address 5[.]230[.]147[.]179.
Below is the malicious executable file hash.
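To triage a sample like this one without running it, here is an added Python script (my own, not code from the post or from the sample) that decodes base64 literals in a downloader script, pulls out and defangs the download URLs, and then matches the behavioural IOCs reported above against Sysmon-style log lines. The JS text, the example.com/example.net URLs and the log lines are constructed stand-ins; only the dropped path and the C2 IP come from the write-up.

```python
import base64
import re
# Constructed stand-in for the downloader (placeholder domains): one base64 literal that decodes
# to a comma-separated URL list, mirroring the try-one-URL-then-the-next pattern described above.
SAMPLE_URLS = ["http://example.com/inc/update.exe", "http://example.net/dl/file.exe"]
SAMPLE_JS = (
    'var s = "' + base64.b64encode(",".join(SAMPLE_URLS).encode()).decode() + '";\n'
    'var u = atob(s).split(",");\n'
)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"',;)]+")

def decode_b64_blobs(js: str) -> list:
    """Decode every base64-looking literal in the script; invalid base64 is skipped."""
    out = []
    for blob in B64_RE.findall(js):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out

def extract_urls(js: str) -> list:
    """URLs from the script text plus its decoded blobs, de-duplicated in order of appearance."""
    found = []
    for text in [js] + decode_b64_blobs(js):
        for url in URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return found

def defang(url: str) -> str:
    """Make a URL safe to paste into a report: http -> hxxp and '.' -> '[.]' in the host."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path

# Behavioural IOCs from the write-up (dropped file path, C2 IP) checked against constructed
# Sysmon-style lines; the lines are not captured from the real sample.
IOC_PATH = r"c:\windows\syswow64\sourcematrix.exe"
IOC_IP = "5.230.147.179"
SAMPLE_LOGS = [
    r"EventID=11 Image=C:\Windows\System32\wscript.exe TargetFilename=C:\Windows\SysWOW64\sourcematrix.exe",
    r"EventID=3 Image=C:\Windows\SysWOW64\sourcematrix.exe DestinationIp=5.230.147.179 DestinationPort=80",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=93.184.216.34 DestinationPort=443",
]

def match_iocs(lines) -> list:
    # Return the log lines that mention the dropped path or the C2 IP (case-insensitive).
    return [ln for ln in lines if IOC_PATH in ln.lower() or IOC_IP in ln.lower()]
```

The substring match on the IP is deliberately loose; in a production rule you would tokenise the DestinationIp field rather than search the whole line.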