Trojan - JS downloader

I downloaded a JS trojan downloader from VirusSign to analyze the behavior of this malware. It was a zip file, and after extracting it I got a .js file.

On opening the JS file in Notepad, I saw a base64-obfuscated string. After deobfuscating the JS script, I found that this file has multiple sources/URLs to download from. SHA256: d6798b62cef08c4f61a30dfa346faf5aa29f9d03e4599ebe5ae910a193087b86
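The static triage step described above (decode base64 literals in the script, pull out the download URLs, defang them for the report), as an added example that is not the post's own code. The script it scans is a constructed stand-in with placeholder domains, not the real indicators.

```python
import base64
import binascii
import re

# Constructed sample that mimics a JS downloader hiding its fallback URLs in a
# base64 string; the domains are placeholders, not the indicators from the post.
_HIDDEN = b"http://dl-a.example.invalid/payload.exe|http://dl-b.example.invalid/payload.exe"
SAMPLE_JS = (
    'var cfg = "' + base64.b64encode(_HIDDEN).decode("ascii") + '";\n'
    'var urls = cfg.split("|");\n'
    'var fallback = "http://dl-c.example.invalid/x.exe";\n'
)

# Quoted literal made only of base64 alphabet characters, 16+ chars, optional padding.
B64_TOKEN = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
URL = re.compile(r"https?://[^\s'\"|<>]+")


def decode_base64_strings(js: str) -> list[str]:
    """Return the printable text of every quoted base64-looking literal in js."""
    out = []
    for tok in B64_TOKEN.findall(js):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or a binary blob rather than text
        if text.isprintable():
            out.append(text)
    return out


def defang(url: str) -> str:
    """Make a URL non-clickable for a report (hxxp, [.])."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage(js: str) -> list[str]:
    """Collect URLs from the script body and from decoded literals, defanged and deduplicated."""
    found = set(URL.findall(js))
    for text in decode_base64_strings(js):
        found.update(URL.findall(text))
    return sorted(defang(u) for u in found)


if __name__ == "__main__":
    for u in triage(SAMPLE_JS):
        print(u)
```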

Below are the URLs used in the JS to download malicious executable files.


Below is the JS code where it goes to a URL to check whether it is up; if not, it checks the next URL to get the malware downloaded onto the user's machine.


I tried to access all four URLs used in the JS script and was able to download malicious .exe files from three of them. One URL was inaccessible.


Below are the executable files downloaded from the URLs.


When I checked the version and hash of all three files, they were all the same.


Behavior of executable file:

On execution, a file gets created under the C:\Windows\SysWow64 directory with the name sourcematrix.exe.


It also adds itself to the Windows services (services.msc).


The Wireshark log shows this malware executable connects to IP address 5[.]230[.]147[.]179.


Below is the malicious executable file hash:

SHA256: D6798B62CEF08C4F61A30DFA346FAF5AA29F9D03E4599EBE5AE910A193087B86

Thank you.
