I’ve analyzed this JS dropper: https://www.hybrid-analysis.com/sample/d7abafd2d8a9fcbcc7da09cffa7006df80a42c1731287d59b2a1d71c4ee183a2?environmentId=100
The code is somewhat obfuscated; after running it through a good beautifier and decoding the hex-encoded strings, it is much easier to analyze.
The interesting part is at the end of the file:
The first part of the code checks whether C:\\ProgramData\\abc123 exists and creates it if it does not.
Then, with the function jXxzlCXaBCDBMIA06KMKC256D7M8JHI0CC40E0, it downloads two files:
The first file is 681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c.
It is a legitimate executable developed by VMware.
The second one is d3d7b56b3b97ff71d522df66bdb59fdd6ba8e630835167c3bc57288f8d5a88ef.
It is a DLL, and this file is malicious: a banker trojan.
The dropper JS then renames this file to shfolder.dll, like this:
var AKrmjVaCK6A6MKEK7FD4K7K0KNE2JJG1C99AHK = zAtCnlAvI5CJN52A0FK7LEFD1H63G522GE15KI(_0xf4b3);
If you check the import table of the legitimate executable, it imports SHGetFolderPathW from shfolder.dll:
Because the malicious DLL sits in the same folder as the legitimate executable and exports the same function, SHGetFolderPathW, the loader resolves shfolder.dll from the application directory (which Windows searches before System32) and the trojan is loaded instead of the Windows DLL.
This technique, DLL side-loading, is used by PlugX to bypass security products: since the host executable is legitimate, many security products do not verify the DLLs it loads. It’s a fail!
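One way to hunt for the condition this dropper sets up (a DLL next to an EXE that shadows a system DLL of the same name) is the script below. It is an added example and not part of this writeup or of the dropper; the directory layout it builds for the demo is constructed, the only real value in it is the SHA-256 of the banker DLL given above, and the default system directories are an assumption about a standard Windows install. Caveat: names listed under the KnownDLLs registry key always load from System32 and cannot be side-loaded this way, which this check does not account for.

```python
"""Find DLL side-loading candidates: DLLs that sit beside an EXE and shadow
a DLL of the same name in a system directory (DLL search-order hijack).
Added example for this writeup, not the dropper's code. The demo tree it
builds is constructed, not real malware."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# SHA-256 of the renamed banker DLL from the writeup (the only real IOC here).
KNOWN_BAD_SHA256 = {
    "d3d7b56b3b97ff71d522df66bdb59fdd6ba8e630835167c3bc57288f8d5a88ef":
        "banker DLL dropped as shfolder.dll next to a VMware executable",
}

# Assumed system directories of a standard Windows install.
DEFAULT_SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def index_system_dlls(system_dirs: Iterable[str]) -> Dict[str, Path]:
    """Map lower-cased DLL name -> first system copy found."""
    index: Dict[str, Path] = {}
    for d in system_dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in d.iterdir():
            if p.suffix.lower() == ".dll":
                index.setdefault(p.name.lower(), p)
    return index


def find_sideload_candidates(app_dir: str,
                             system_dirs: Iterable[str] = DEFAULT_SYSTEM_DIRS) -> List[Dict]:
    """Flag DLLs in app_dir whose name shadows a system DLL.

    The application directory is searched before System32, so such a DLL is
    what the loader returns for an EXE in that folder that imports the name.
    KnownDLLs are the exception (always System32) and are not handled here.
    """
    app = Path(app_dir)
    system = index_system_dlls(system_dirs)
    host_exe_present = any(p.suffix.lower() == ".exe" for p in app.iterdir())
    findings: List[Dict] = []
    for p in sorted(app.iterdir()):
        if p.suffix.lower() != ".dll":
            continue
        sys_copy = system.get(p.name.lower())
        if sys_copy is None:
            continue  # no system DLL of that name: not a search-order shadow
        digest = sha256_file(p)
        findings.append({
            "name": p.name,
            "app_path": str(p),
            "system_path": str(sys_copy),
            "host_exe_present": host_exe_present,   # side-loading needs a host
            "identical_to_system": digest == sha256_file(sys_copy),
            "known_bad": digest in KNOWN_BAD_SHA256,
        })
    return findings


def build_demo_tree(base: Path) -> Dict[str, Path]:
    """Constructed layout mirroring the writeup: a fake 'system32' holding the
    real shfolder.dll, and an app folder with a host EXE plus a look-alike DLL."""
    sysdir = base / "system32"
    appdir = base / "ProgramData" / "abc123"
    sysdir.mkdir(parents=True)
    appdir.mkdir(parents=True)
    (sysdir / "shfolder.dll").write_bytes(b"MZ-real-shfolder")
    (sysdir / "kernel32.dll").write_bytes(b"MZ-kernel32")
    (appdir / "vmware_tool.exe").write_bytes(b"MZ-legit-host")        # placeholder bytes
    (appdir / "shfolder.dll").write_bytes(b"MZ-fake-shfolder-trojan")  # placeholder bytes
    (appdir / "helper.dll").write_bytes(b"MZ-app-private")  # no system twin: not flagged
    return {"sys": sysdir, "app": appdir}


def demo() -> List[Dict]:
    """Run the check over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = build_demo_tree(Path(tmp))
        return find_sideload_candidates(str(tree["app"]), [str(tree["sys"])])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}: shadows {f['system_path']} "
              f"(identical={f['identical_to_system']}, "
              f"host_exe={f['host_exe_present']}, known_bad={f['known_bad']})")
```

On a real host you would call find_sideload_candidates(r"C:\ProgramData\abc123") with the default system directories; a hit whose content differs from the System32 copy, next to a signed executable that imports that DLL, is exactly the layout this dropper creates.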