Looking at sample: da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0
AppSuites-PDF-1.0.28
Specifically, looking at the malicious JS file that gets loaded: pdfeditor.js (b3ef2e11c855f4812e64230632f125db5e7da1df3e9e34fdb2f088ebe5e16603). Once it has been deobfuscated using https://obf-io.deobfuscate.io/, I can launch it with node.exe --inspect-brk and then open edge://inspect to step through the JS.
This write-up is a work in progress; findings are added as I go. Here are some of the interesting screenshots so far (the deobfuscated string table is transcribed below):
A4FDDP7: "ew-key"
A6C2XCU: "id"
A6C7C7N: "add"
A43AUWU: "0.0.0.0"
A64CEBI: "usid"
A6882RQ: "Url"
B4CB2TX: "split"
B5D13XX: "https://sdk.appsuites.ai"
B5D95P7: "Item2"
B5E9U50: "api/s3/event"
B40DLY6: "process"
B48EZW2: "detached"
C3F0UN5: "ShiftLaunchTask"
C5C7K1A: "pref"
C4241FD: "initialization"
C64201Q: "aes256"
D4E3EHU: "wde"
D6B7K5N: "searchdata"
D6BCGWT: "api/s3/remove"
D427OI7: "mkdirSync"
D574YX7: "GetIDFailed"
D609ZVD: "better-sqlite3"
D632I7Z: "join"
E4ABLV4: "TimeZone"
E67CJ69: "ol"
E556U2O: "Proc"
E651U56: "LOCALAPPDATA"
E5658K4: "reg"
E6550M3: "pdfeditor"
F58B61E: "size"
F69D16U: "status"
F512AD8: "WaveBrowser-StartAtLogin"
F674T0O: "Session"
F5346T5: "profile"
G4BB3M9: "createCipheriv"
G4BCEWR: "slice"
G41BG0Z: "run_in_background_enabled"
G48D9K5: "pipe"
G54BYCQ: "update"
G488AV7: "bak"
G650IE3: "startsWith"
G5627UH: "undefined"
H3FFJL0: "/ping"
H4DA17M: "writeFileSync"
H5C67AR: "wc"
H5E1M22: "Software"
H4832PH: "getTimezoneOffset"
I5F48GK: "Action"
I50FLEB: "fs"
I51CUEF: "Value"
I64DIO0: "aes-256-cbc"
I446D33: "endsWith"
I603IDV: "basename"
I697ZHR: "isDirectory"
J4A3LS0: "final"
J461QQ9: "ReadFileError"
J480N8H: "env"
J577HX1: "getRandomValues"
K5D5X77: "win32"
K5F23B9: "spref"
K6BE1WP: "platform"
K66ASXK: "toString"
K67EYCX: "--check"
K437LR8: "dirname"
K511ZAD: "keywords"
L4F0IKZ: "File"
L5B97FE: "Wavesor"
L6B5VHK: "os_crypt"
L6BFF7Y: "state"
L53AS0L: "query"
M43BSAP: "exit"
M50ASNP: "uid"
M452QLK: "recursive"
M514ZKV: "api/s3/validate"
M570Z6T: "LoadPageFailed"
N40FP3T: "node-fetch"
N66FSQQ: "homedir"
N568FHP: "entries"
O5C8THW: "api/s3/options"
O6CBOE4: "reglist"
O49C14T: "/d"
O49DK17: "error"
O52E8MA: "prepare"
O442CZN: "GetRtcFailed"
O605FNJ: "pas-key"
O4756TR: "hasBLFile"
P4BF6IH: "includes"
P4EAG90: "LOG1"
P5AA6AT: "exceptions"
P44ASG7: "close"
P68BP92: "https://appsuites.ai"
P593R8H: "PrepareRtcFailed"
P61985Q: "AppData"
Q508XTZ: "sid"
R4A7QBI: "readFileSync"
R47BBLY: "existsSync"
R60BYB2: "OK"
R685UDI: "os"
S62CQ99: "lastIndexOf"
S69BT6N: "hasBLReg"
S4262D0: "OneLaunchLaunchTask"
T4B6MTM: "indexOf"
T4D7GUJ: "PrepareRtcBlocked"
T5B2T2A: "sf"
T5F71B2: "pas"
T51EAGA: "isBuffer"
T408FQL: "Version"
T411DS8: "hex"
T4365UD: "https://on.appsuites.ai"
T62912R: "argv"
U4A126Z: "url"
U4DF304: "randomBytes"
U5690G0: "ip"
V4AE1EH: "POST"
V52BN6A: "encrypted_key"
V553WPU: "append"
V54518G: "sf_deep"
W627K9D: "/v"
X5A6GBU: "copyFileSync"
X6C1YRF: "all"
X42A9C5: "spawn"
X42CN81: "wv"
X502MRI: "message"
X68213H: "launch_on_login_enabled"
Y4B23HN: "wv_deep"
Y4DC6K9: "parse"
Y4FBON3: "ERROR"
Y5F5MNT: "mtime"
Y6A1ZDE: "ignore"
Y55B2P2: "version"
Y618TY6: "Activity"
Z5C4I10: "HKCU"
Z5D0QW2: "select"
Z48C9KB: "EmptyPath"
a5F00S3: "--install"
a6AFL0X: "wdc"
a407FSY: "api/s3/config"
a586DQ2: "ol_deep"
b621IQU: "wv-key"
b646868: "osCryptKey"
c4ED540: "supportWd"
c5DFM4G: "floor"
c6B0V36: "shift"
c45C9EF: "--cleanup"
c49BM9Y: "default"
c653OMW: "sf-key"
d6A3UEI: "Item1"
d6A6RWH: "wd"
d66C845: "destroy"
e3F2W58: "Exists"
e65FP1M: "util"
f4A8I6A: "method"
f4CAB17: "padStart"
f68DO0H: "/f"
f402NAA: "delete"
f457UTH: "application/x-www-form-urlencoded"
f467WZN: "--ping"
f526SUR: "--reboot"
f654CGU: "headers"
g4F60CC: "cid"
g5ABMVH: "pas_deep"
g42F2LS: "body"
g64B0OX: "browser"
g64EDO7: "webData"
g670KUY: "utf8"
g693SPT: "encoding"
h4FC0PT: "unlinkSync"
h5EDN66: "Data"
h448WSA: "https://log.appsuites.ai"
i4C7LKT: "fid"
i55DHT0: "run"
i60FDHX: "finish"
i63ACDR: "text"
i630JJT: "level"
j5D4IOV: "regdata"
j468TKC: "APPDATA"
k5FAGMS: "https"
k6C3VS6: "hasOwnProperty"
k54E6K3: "REG_SZ"
k61AQMQ: "wcpe"
k485NWM: "execSync"
k572475: "c-key"
l6A2N0J: "spawnSync"
l6BDYEV: "INFO"
l55A1OK: "lstatSync"
m3FEVWE: "Database"
m4D1PB1: "replace"
m5BCP18: "data"
m58FJB5: "start"
m589L0S: "length"
m665GTP: "launch_on_wake_enabled"
m54687J: "substring"
n5B332O: "wcpc"
n6A5YQF: "content_settings"
n52D1E5: "node"
n66EGZC: "stderr"
n412K1U: "wcs"
n540JB5: "fhkey"
n617DPW: "Local"
n677BRA: "e-key"
n6914FB: "NextUrl"
o4A67N2: "promisify"
o4D3GVJ: "charCodeAt"
o5BD58K: "ReadLocalStateFailed"
o5DA16G: "isSchedule"
o6AAXML: "EEXIST"
o6B6VEE: "filename"
o66BUYL: "get"
p66DK6L: "name"
p69FSD1: "stdio"
p583TJ7: "Key"
p620EBG: "createDecipheriv"
p6815G9: "Path"
q6A8CK2: "Roaming"
q60C7R2: "NotFound"
q429PA2: "trim"
q474LOF: "iid"
q530C8J: "/t"
q4153LW: "LOG0"
q4321GT: "PROFILE"
r5C3X15: "on"
r6A0FQ7: "USERPROFILE"
r50DQZA: "concat"
r55FZ1O: "MissingData"
r57F5NS: "end"
r529SB9: "from"
r549J3T: "api/s3/new"
s43DTJU: "exec"
s59BT06: "debug"
s409BKV: "info_cache"
s624CR1: "json"
s4050HQ: "keys"
t3FDTO2: "map"
t58ADZQ: "GetUSIDFailed"
t414EWV: "URLSearchParams"
t439G4Y: "getTime"
t533W41: "code"
t645BBQ: "statSync"
t43328G: "bid"
u5CA9C9: "Content-Type"
u57A32D: "State"
u4935WR: "cwd"
u5668OP: "bind"
u5858N8: "stdout"
v3EEPNQ: "StartProcessFailed"
v3FAAYS: "push"
v520GPQ: "path"
v612D37: "1.0.0.0"
w5B6FO4: "test"
w56BCIU: "createWriteStream"
w454GBH: "Preferences"
w649F9F: "ol-key"
w652AA7: "toUpperCase"
w673NYU: "crypto"
w5375A4: "Progress"
x4B9LDS: "cw-key"
x476T30: "site_engagement"
x648YIE: "iv"
x4734O6: "stringify"
y53DOXB: "child_process"
y403QMJ: "statusCode"
y658J60: "verbose"
z497QVV: "http"
z584DM2: "Reg"
UPDATE:
Screenshot of what appears to be an AES key: (Qxv8mnKZyGooR4LEH1BhQ1F9lnbBffhl). At 32 characters it matches the 32-byte key length that the "aes-256-cbc" cipher name in the string table above requires.
Full disclosure: I used AI to help me build a MockC2 listener and a Hook placed at the top of the original JS file. I pointed the domains to localhost in my HOSTS file. The Hook captures the key and the MockC2 shows the POST data. What we find is that the AES key is almost the same as the one I found while stepping through the code, but differs in the last few characters — see the screenshots.