The Multi Faceted Ursnif Trojan

Tags: malware analysis, ursnif, trojan

Svchost.js is a malicious, obfuscated JavaScript dropper responsible for delivering the Ursnif Trojan (also known as Gozi). Ursnif is a sophisticated banking trojan that also operates as spyware, delivers ransomware, and maintains persistent backdoors.

Filename: svchost.js
MD5: 04691e4a9ad9f034a94714dd1ec8f114
Sample: Download via Reverse.it



Technical Analysis Walkthrough



The JavaScript Dropper

The infection begins with svchost.js, which is heavily minified and obfuscated. The script is written to be run by WScript (Windows Script Host), so it only does anything when executed through that host.

To analyze the script, we run it under cscript with the //X host switch, which launches the script in a Just-In-Time (JIT) debugger (cscript //X svchost.js).

Inside the debugger, we inspect the local variables. They show that the script is about to download S3BzHNmoZ.exe into the %TEMP% directory.



Anti-Sandbox: The "Process Count" Trick

The executable uses an anti-sandbox routine keyed on the number of running processes. It calls the FindWindow API for a non-existent window titled "gggg"; if the number of processes it walks while searching is too low (as in a sparsely populated sandbox), the malware enters an infinite loop instead of continuing.

By patching the comparison at address 0x0040198f with NOP instructions, we can force the malware to run even in a sandbox environment.
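The patching step above (disabling the comparison at 0x0040198f) is a routine reverse-engineering task: translate the virtual address the debugger shows into a file offset using the PE section table, then overwrite the branch bytes with NOPs. The script below is an added example, not tooling from the original writeup. It builds its own tiny PE32 fixture (a constructed header with a placeholder two-byte JNZ planted at 0x0040198f, not the real sample) so it runs offline; the number of bytes to NOP (2) is an assumption for a short conditional jump, and on a real binary you would read the instruction length from the disassembler and feed the sample's bytes to nop_patch instead of the fixture.

```python
import struct

NOP = 0x90  # x86 single-byte NOP


def build_minimal_pe(image_base=0x00400000, text_va=0x1000, text_raw=0x400, text_size=0x1000):
    """Constructed fixture (not the real sample): MZ stub, PE signature, COFF header,
    PE32 optional header and one .text section.  A placeholder short JNZ (75 10) is
    planted at VA 0x0040198f to stand in for the anti-sandbox comparison branch."""
    e_lfanew = 0x80
    mz = bytearray(e_lfanew)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)              # e_lfanew -> "PE\0\0"
    opt_size = 0xE0                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    section = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va,
                          text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    header = bytes(mz) + b"PE\0\0" + coff + bytes(opt) + section
    image = bytearray(text_raw + text_size)
    image[:len(header)] = header
    branch_off = text_raw + (0x198F - text_va)              # file offset of VA 0x0040198f
    image[branch_off:branch_off + 2] = b"\x75\x10"          # jnz short +0x10 (placeholder)
    return image


def va_to_file_offset(pe, va):
    """Map a virtual address to a raw file offset by walking the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    rva = va - image_base
    sections = opt + opt_size
    for i in range(nsections):
        s = sections + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, s + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            off = rva - vaddr
            if off >= rawsize:
                raise ValueError("address lies in the uninitialised tail of the section")
            return rawptr + off
    raise ValueError("address 0x%x is not inside any section" % va)


def nop_patch(pe, va, length):
    """Return (patched copy, original bytes) with `length` bytes at `va` replaced by NOPs."""
    buf = bytearray(pe)
    off = va_to_file_offset(buf, va)
    original = bytes(buf[off:off + length])
    buf[off:off + length] = bytes([NOP]) * length
    return buf, original


if __name__ == "__main__":
    image = build_minimal_pe()
    patched, original = nop_patch(image, 0x0040198F, 2)
    off = va_to_file_offset(image, 0x0040198F)
    print("file offset 0x%x: %s -> %s" % (off, original.hex(), patched[off:off + 2].hex()))
```

Keep the returned original bytes: writing them into the analysis notes lets another analyst confirm the patch site matches the disassembly before trusting any behaviour observed from the patched binary.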



C&C Beaconing

Once the check is bypassed, Ursnif injects code into svchost.exe and begins beaconing. It issues GET requests with pseudo-random URIs, frequently disguising the data it carries as .AVI video files.

The main controller identified during this session was 217.182.73.92 over port 443.
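To turn the beaconing behaviour above into something a SOC can hunt for, the script below scores proxy-log records for the traits described: a known controller address (217.182.73.92 from this writeup), a bare-IP host, a request for a .avi resource whose response is not actually video, and random-looking path segments. This is an added example, not code from the original post. The log lines and their seven-field format (client, method, host, port, path, status, response content type) are constructed for the example, and the scoring threshold and the "random-looking segment" heuristic are assumptions, not indicators published with the sample.

```python
import re

# Constructed proxy-log excerpt (sample data for this example, not captured traffic).
# Assumed format: client_ip method host port path status response_content_type
SAMPLE_LOG = """\
10.0.0.5 GET cdn.example.com 443 /static/app.js 200 application/javascript
10.0.0.5 GET 217.182.73.92 443 /images/Hq3kT8pZ/x9LmQ2/vid.avi 200 text/html
10.0.0.7 GET videos.example.com 443 /media/trailer.avi 200 video/x-msvideo
10.0.0.5 GET 217.182.73.92 443 /a7/Kz9wLpq2R/clip.avi 200 application/octet-stream
10.0.0.11 GET 203.0.113.8 443 /dl/Ab12cdEf/x.avi 200 video/x-msvideo
10.0.0.9 GET example.org 443 /index.html 200 text/html
"""

KNOWN_C2 = {"217.182.73.92"}  # controller named in the writeup
VIDEO_TYPES = {"video/x-msvideo", "video/avi", "video/msvideo"}
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Heuristic (assumption): 8+ alphanumerics mixing digits, lower and upper case.
RANDOM_SEG = re.compile(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,}")


def parse_line(line):
    """Split one log line into a record; return None for lines that do not fit the format."""
    fields = line.split()
    if len(fields) != 7:
        return None
    client, method, host, port, path, status, ctype = fields
    return {"client": client, "method": method, "host": host, "port": int(port),
            "path": path, "status": int(status), "ctype": ctype.lower()}


def reasons_for(rec):
    """List the Ursnif-like traits a record exhibits (empty list means nothing notable)."""
    reasons = []
    if rec["host"] in KNOWN_C2:
        reasons.append("known_c2")
    if BARE_IP.fullmatch(rec["host"]):
        reasons.append("bare_ip_host")
    # A .avi download whose response is not video is the "masked as AVI" pattern.
    if rec["method"] == "GET" and rec["path"].lower().endswith(".avi") \
            and rec["ctype"] not in VIDEO_TYPES:
        reasons.append("avi_mismatch")
    if any(RANDOM_SEG.fullmatch(seg) for seg in rec["path"].split("/")):
        reasons.append("random_looking_segment")
    return reasons


def find_suspicious(log_text, min_reasons=2):
    """Flag records that hit a known controller or accumulate min_reasons traits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if "known_c2" in reasons or len(reasons) >= min_reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("%s -> %s%s  [%s]" % (hit["client"], hit["host"], hit["path"],
                                    ", ".join(hit["reasons"])))
```

The legitimate trailer.avi request is left alone because its response really is video and its host and path look ordinary; the 203.0.113.8 request is flagged on two weaker traits, which is the kind of hit worth a second look rather than an automatic block.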



Conclusion

Ursnif's combination of simple script-based droppers and hand-written anti-analysis checks makes it a persistent threat. Automated tools may stall on these checks, but manual reverse engineering strips them away with little effort and reveals the true intent of the malware.



Happy hunting.