A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #30198  by waffles2.0
 Tue Apr 04, 2017 11:50 am
I am looking into ransomware that isn't an executable, mainly file types you can attach to emails. Am I correct in assuming that all the JavaScript and documents relating to ransomware are just downloading executables from URLs?

Or is there any ransomware that is contained completely within JavaScript and doesn't need to pull down from a website?
 #30200  by zerosum0x0
 Tue Apr 04, 2017 1:48 pm
MS JScript does not have direct access to the Windows API (although it is possible in indirect ways). It generally requires COM (ActiveXObjects) to do anything interesting.

There is a "Scripting.FileSystemObject" (FSO) ActiveXObject. I don't know if there is a COM object for direct crypto, but there are implementations of crypto libraries written in JavaScript, including asymmetric public key cryptography.

So with a little creativity, yes, it is possible. FSO is off limits in the default IE security zone, but if someone double-clicks a .js email attachment it will run.

In the wild, however, most of the .js malware I've come across is just droppers to download normal binaries. I can't personally name a pure JS ransomware strain.
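
Added example, not part of either post: a static triage sketch (Node.js) that lists the COM ProgIDs a .js attachment instantiates and separates the "downloader" pattern from scripts that only touch local files, which is the distinction discussed in this thread. Only `Scripting.FileSystemObject` comes from the thread; the other ProgIDs, the capability map, the verdict names and the sample inputs are assumptions of this example, and a "local-file-access" verdict only means the script needs a manual look.

```javascript
// Added example: static triage of a .js attachment by the COM ProgIDs it creates.
// The capability map is this example's assumption and is not exhaustive.
const CAPABILITIES = {
  "scripting.filesystemobject": "filesystem",
  "adodb.stream": "filesystem",
  "msxml2.xmlhttp": "network",
  "msxml2.serverxmlhttp": "network",
  "winhttp.winhttprequest": "network",
  "wscript.shell": "execute",
  "shell.application": "execute",
};
const CREATE_RE = /(?:new\s+ActiveXObject|CreateObject)\s*\(\s*["']([^"']+)["']/gi;

// Fold adjacent string literals ("Scripting." + "FileSystemObject") so a split
// ProgID can be matched as a single literal.
function foldConcats(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(/(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3/g, '"$2$4"');
  } while (src !== prev);
  return src;
}

// Map a ProgID to a capability, accepting versioned forms such as "MSXML2.XMLHTTP.6.0".
function capabilityOf(id) {
  const key = Object.keys(CAPABILITIES).find(k => id === k || id.startsWith(k + "."));
  return key ? CAPABILITIES[key] : null;
}

function triage(src) {
  const ids = [...foldConcats(src).matchAll(CREATE_RE)].map(m => m[1].toLowerCase());
  const caps = new Set(ids.map(capabilityOf).filter(Boolean));
  let verdict = "no-known-com-use";
  if (caps.has("network") && (caps.has("filesystem") || caps.has("execute"))) verdict = "dropper-like";
  else if (caps.has("filesystem")) verdict = "local-file-access";
  else if (caps.size) verdict = "other-com-use";
  return { progIds: [...new Set(ids)].sort(), capabilities: [...caps].sort(), verdict };
}

// Constructed sample inputs: object-creation lines only, no working payload.
const SAMPLE_DROPPER = [
  'var h = new ActiveXObject("MSXML2" + ".XMLHTTP");',
  'var s = new ActiveXObject("ADODB.Stream");',
  'var w = WScript.CreateObject("WScript.Shell");',
].join("\n");
const SAMPLE_LOCAL = "var fso = new ActiveXObject('Scripting.' + 'FileSystem' + 'Object');";
console.log(triage(SAMPLE_DROPPER), triage(SAMPLE_LOCAL));
```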