RecJS: a Multi-Component Malware hides behind JavaScript.

June 25, 2015

The Dell Sonicwall Threats Research team observed reports of a New Multi-Component family named GAV: RECJS.AB actively spreading in the wild. This time attackers used a Java Script .Js file dropped by an executable file. The malware uses Windows-based Script Host to run scripts on infected machine and hides behind a JavaScript file to avoid detection. One major component is responsible to take a Screenshot from infected machine and upload it to its own C&C server.

Infection Cycle:

The Malware uses the following icon:


  • 2a63b3a621d8e555734582d83b5e06a5 - Multi-Component Package


  • aecef77725f3ee0b84b6b8046efe5ac0 - 7z.dll

  • a1efcedc97c76b356f7ffa7cf909d733 - 7z.exe

  • f3c7fb3cabab9af2291d55da05ce10fe - ns3B2.tmp

  • e0c13aa81e0d5a2df8ecc98c969a6958 - nsExec.dll

  • ae182dc797cd9ad2c025066692fc041b - System.dll

  • 75fb0aecd2cfef2210495a4f3cab5bcf - windrv.exe

  • f1a7ea45ced96bec4ad093f5dbd53b29 - e4a65dca09558335391ff7233ec51084.js

The Malware adds the following files to the system:

  • Malware.exe

    • %Temp% nsb3AE.tmpSystem.dll

    • %Temp% nsb3AE.tmp nsExec.dll

    • %Temp% nsb3AE.tmp ns3B2.tmp

  • cmd.exe

    • %Userprofile%Application DataAppCache_3a879c0b9817492db842ebd53ca6a115

    • 7z.dll

    • 7z.exe

    • e4a65dca09558335391ff7233ec51084.js

    • svchost.exe

      • its a copy of Microsoft (R) Windows Based Script Host C:WINDOWSsystem32wscript.exe

    • taskhost.exe

      • its copy of Windows Command Processor C:WINDOWSsystem32cmd.exe

    • windrv.exe

      • It a app for capturing Screenshots from target system

The Malware adds the following files to the Windows startup folder to ensure persistence upon reboot:

  • %Userprofile%Application Dataappdata.lnk

  • %Userprofile%Start MenuProgramsStartupWindows Application Manager.lnk

    • C:WINDOWSsystem32wscript.exe /b /nologo /E:javascript "%Userprofile%Application data AppCache_3a879c0b9817492db842ebd53ca6a115 e4a65dca09558335391ff7233ec51084.js" startup

Once the computer is compromised, the malware copies of Windows Based Script Host wscript.exe and Windows Command Processor Cmd.exe to AppCache folder.

The Malware uses .JS script to grabbing information from the infected machine and uses legitimate windows apps to avoid the detection by AV Vendors.

In the background the Malware runs the following commands on the system:

  • Cmd.exe

    • Cmd /c cd C:Documents and SettingsAdministratorApplication DataAppCache_3a879c0b9817492db842ebd53ca6a115 & copy /b 34c227 + 34c227bb + 34c22 + 34c227b + bb4736 + bb473 7z.exe

  • %Temp% nsb3AE.tmp ns3B0.tmp

    • "%Userprofile%LOCALS~1Temp nsb3AE.tmp ns3B0.tmp" cmd /c cd %Userprofile%Application DataAppCache_3a879c0b9817492db842ebd53ca6a115 & copy /b 343b + 9398cde4 + 93 + 9398cd + 9398cde + 4c7d + 4c7d9ee9 7z.dll

The file e4a65dca09558335391ff7233ec51084.js is dropped after malware launches on the target system, the malware uses wscript.exe for grabbing information from the infected machine such as the version of installed Anti-Virus, here is an example:

The malware tries to retrieves the version of your Processor to create a unique ID from your system, here is an example:

When the Malware creates and unique ID from your system then its transfers information to its own C&C server with following format:

After a while malware starts to take screenshot from infected machine and save it into screenshot.png file and then upload it to its own C&C server.

Command and Control (C&C) Traffic

RECJS.AB performs C&C communication over 443 port. The malware sends your system information to its own C&C server via following format, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: