What caught my eye with this sample was that there was no associated network traffic. While that doesn’t guarantee that the document didn’t achieve its objectives, I felt it was worth investigating further.
Upon digging into the JS file, which was heavily obfuscated, I observed that it was generating a process list from the host as a string. It would then compare the length of that string to a hard-coded value; if the string is too short, it assumes a sandbox and causes the program to terminate.
In the above screenshot, the variable ntKqtbonnet97 contains the process list. This variable is used in the if statement, along with a series of functions that simply return a string, one character at a time. The string assembled here is "length", which is then used as a property name on the string object through bracket notation (i.e. [ and ] ), so the obfuscated expression resolves to ntKqtbonnet97.length.
Finally, if the length of the string is less than 3181, the code enters the if statement.
Finding the VM
Inside this if statement, the code simply calls an invalid property/method on the this object, which throws an error and causes the script to fail. If the code does not enter this statement, it goes on to make an HTTP request for the next stage, then downloads and executes it.
What’s somewhat unique about this approach is that instead of looking for specific processes, it simply looks for a large number of processes running on the system. One way around this technique is to have a larger number of arbitrary processes running, or to create processes with longer names…
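To make the check concrete for anyone tuning an analysis VM, here is an added example (my own deobfuscated re-implementation, not code from the sample) that mirrors the length-based decision and estimates how much padding a sparse process list would need before the sample would proceed. The threshold 3181 is the value observed in the sample; the line-separated format of the process-list string, the constructed process names, and the helper names are assumptions.

```javascript
// Added example: deobfuscated form of the process-list length check, written
// from a sandbox-hardening perspective. Not the sample's own code.
const THRESHOLD = 3181; // hard-coded value observed in the sample

// The sample assembles the property name one character at a time so that
// "length" never appears as a literal; this mirrors that construction.
function lengthProp() {
  return ['l', 'e', 'n', 'g', 't', 'h'].join('');
}

// Build the process-list string. The sample's exact format is not known;
// one process name per line is an assumption.
function buildProcessListString(names) {
  return names.join('\r\n');
}

// True when the sample's check would conclude "sandbox" and abort.
// str[lengthProp()] is the bracket-notation access described above.
function wouldEvade(processListString, threshold = THRESHOLD) {
  return processListString[lengthProp()] < threshold;
}

// Characters the process-list string is short of the threshold (0 if it passes).
function paddingNeeded(processListString, threshold = THRESHOLD) {
  return Math.max(0, threshold - processListString.length);
}

// Number of additional processes, each with a name of nameLength characters,
// needed before the check passes. Each added entry also costs one separator
// (2 characters for "\r\n" under the assumed format).
function processesNeeded(processListString, nameLength, threshold = THRESHOLD) {
  const perProcess = nameLength + 2;
  return Math.ceil(paddingNeeded(processListString, threshold) / perProcess);
}

// Constructed sample: a minimal analysis VM process list (assumption).
const SPARSE_VM = [
  'System', 'smss.exe', 'csrss.exe', 'wininit.exe', 'services.exe',
  'lsass.exe', 'svchost.exe', 'explorer.exe', 'wscript.exe',
];

if (typeof require !== 'undefined' && require.main === module) {
  const s = buildProcessListString(SPARSE_VM);
  console.log(`process-list length: ${s.length}`);
  console.log(`sample would abort on this host: ${wouldEvade(s)}`);
  console.log(`padding needed: ${paddingNeeded(s)} chars, ` +
              `or ${processesNeeded(s, 'svchost.exe'.length)} more svchost.exe-sized entries`);
}
```

Running it against the constructed sparse VM list shows the check firing and reports how many additional entries would be needed, which is a quick way to sanity-check whether a lean sandbox image will even reach the download stage when detonating samples that use this trick.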