Anti-Analysis in JavaScript Executed by Windows Script Host (WSH)

It’s common to see malicious Office documents drop a JavaScript (JS) file to be executed by the Windows Script Host (WSH). The JS can then instantiate the objects it needs to make HTTP requests that retrieve and execute the next-stage payload. For example, here is a document that drops the JS and executes it via CMD -> WSCRIPT (you can also see the use of CSCRIPT):

Process activity of malicious document

What caught my eye with this sample was that there was no associated network traffic. While that doesn’t guarantee that the document didn’t achieve its objectives, I felt it was worth investigating further.

No HTTP traffic observed in a sandbox

Digging into the JavaScript

Upon digging into the JS file, which was heavily obfuscated, I observed that it was generating a process list from the host as a string. It would then compare the length of that string to a hard-coded value; if the string is too short, it assumes a sandbox and causes the program to terminate.

Malware checking length of process listing string

In the above screenshot, the variable ntKqtbonnet97 contains the process list. This variable is used in the if statement, along with a series of functions that each simply return a string; concatenated, they build a string character by character. The string returned here is "length", which is then used as a property name on the string object through bracket notation (i.e. [ and ] ).

Process listing variable

Finally, if the length of the string is less than 3181, the code enters the if statement.

Comparison of string length to hard-coded value
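
One way to undo this indirection statically, added here as an example and not taken from the sample or the original post: it folds helper functions that return a constant string back into a plain property access, then reports any length comparison against a number. The SAMPLE snippet and the helper names (a1 to a6, zz9) are constructed for illustration; only ntKqtbonnet97 and 3181 come from the analysis above.

```javascript
// Added example: static folding of char-by-char string helpers in WSH JScript.
// SAMPLE is constructed; only ntKqtbonnet97 and 3181 come from the article.
// The helper names a1..a6 and zz9 are hypothetical.
const SAMPLE = `
function a1(){return "l";} function a2(){return "e";} function a3(){return "n";}
function a4(){return "g";} function a5(){return "t";} function a6(){return "h";}
if (ntKqtbonnet97[a1()+a2()+a3()+a4()+a5()+a6()] < 3181) { this.zz9(); }
`;

// Map every function whose whole body is `return "<literal>";` to that literal.
function collectConstHelpers(src) {
  const helpers = new Map();
  const re = /function\s+([A-Za-z_$][\w$]*)\s*\(\s*\)\s*\{\s*return\s+(["'])([^"'\\]*)\2\s*;?\s*\}/g;
  for (const m of src.matchAll(re)) helpers.set(m[1], m[3]);
  return helpers;
}

// Rewrite obj[h1()+h2()+...] as obj.<name> when every term is a known helper
// or a string literal; anything that cannot be resolved is left untouched.
function foldBracketAccess(src) {
  const helpers = collectConstHelpers(src);
  const term = String.raw`(?:[A-Za-z_$][\w$]*\s*\(\s*\)|"[^"\\]*"|'[^'\\]*')`;
  const re = new RegExp(String.raw`\[\s*(${term}(?:\s*\+\s*${term})*)\s*\]`, "g");
  return src.replace(re, (whole, expr) => {
    let out = "";
    for (const t of expr.match(new RegExp(term, "g"))) {
      if (/^["']/.test(t)) out += t.slice(1, -1);
      else {
        const name = t.replace(/\s*\(\s*\)$/, "");
        if (!helpers.has(name)) return whole; // unknown call: not a constant
        out += helpers.get(name);
      }
    }
    return /^[A-Za-z_$][\w$]*$/.test(out) ? "." + out : `[${JSON.stringify(out)}]`;
  });
}

// Report comparisons of a .length property against a numeric constant.
function findLengthGates(src) {
  const re = /([A-Za-z_$][\w$]*)\.length\s*(<=?|>=?)\s*(\d+)/g;
  return [...foldBracketAccess(src).matchAll(re)].map((m) => ({
    variable: m[1], operator: m[2], threshold: Number(m[3]),
  }));
}

console.log(findLengthGates(SAMPLE));
```

A reported gate is a lead for manual review: a small threshold on an ordinary string is usually benign, while a large one on a variable fed by a process query matches the check described here.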

Finding the VM

Inside this if statement, the code simply references an invalid property/method on the this object, causing the script to fail. If the code does not enter this statement, it goes on to make an HTTP request for the next stage, then downloads and executes it.

Strings used for HTTP request

Anti-Anti-Analysis

What’s somewhat unique about this approach is that instead of looking for specific processes, it simply looks for a large number of processes running on the system. One way around this technique is to have a larger number of arbitrary processes running, or to create processes with longer names…

References

https://app.any.run/tasks/b64fd2da-42fc-407a-9aa5-f070a0281c11