# SANS ISC: Houdini is Back Delivered Through a JavaScript Dropper - SANS Internet Storm Center SANS Site Network Current Site SANS Internet Storm Center Other SANS Sites Help Graduate Degree Programs Security Training Security Certification Security Awareness Training Penetration Testing Industrial Control Systems Cyber Defense Foundations DFIR Software Security Government OnSite Training SANS ISC InfoSec Forums **[isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/](https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/)** Houdini is Back Delivered Through a JavaScript Dropper Houdini is a very old RAT that was discovered years ago. The first mention I found back is from 2013! Houdini is a simple remote access tool writt The RAT implements the following commands: ----- Nothing really fancy here. What’s more interesting is the way it is delivered to the victim. A classic technique is used: a phishing email with a ZIP a The JavaScript is pretty well obfuscated but, once you check deeper, you quickly realize that most of the code is not used. The main function is kk ----- The technique used is simple: A variable is defined and set to false (example: __p_0015805216). Then code blocks are executed if the variable is JavaScript is a very beautiful/ugly language (select your best feeling) that is very permissive with the code. So, another technique is the creation o ----- When I'm teaching FOR610, I like to say to students that they must find their way and go straight to the point to find what the script being analyze ``` $ awk '{print length, $0}' New-Order.js | sort -rn|head -1 78396 return 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gImZpZ2hRWEp5WVhrdWNISnZkRzkwZVhCbExtWnZja1ZoWTJnZ1B5QkJjbkpoZVM1d2NtOTBiM1I1Y0dVdVptOXlSV0ZqYUNBOUlHWjFib FF... (Remaining characters removed) ``` Now, you can search for this string and find that it is just returned, again, by a simple function: This looks like a Base64-encoded string but it won't decode "as is". The attacker added some bad characters that must be replaced first: ----- The script drops two other samples on the file system: ``` C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\HUAqCSmCDP.js C:\Windows\System32\wscript.exe" "C:\Users\admin\AppData\Local\Temp\hworm.vbs ``` An interesting point: Persistence is implemented via two techniques in parallel, via the registry (HKEY_CURRENT_USER\Software\Microsoft\Win [1] [https://www.virustotal.com/gui/file/402a722d58368018ffb78eda78280a3f1e6346dd8996b4e4cd442f30e429a5cf/detection](https://www.virustotal.com/gui/file/402a722d58368018ffb78eda78280a3f1e6346dd8996b4e4cd442f30e429a5cf/detection) Xavier Mertens (@xme) Xameco Senior ISC Handler - Freelance Cyber Security Consultant [PGP Key](https://keybase.io/xme/key.asc) [I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Amsterdam August 2022](https://www.sans.org/event/amsterdam-august-2022/course/reverse-engineering-malware-malware-analysis-tools-techniques) -----