Simple Js deobfuscation 1
On hybrid-analysis:
hash: 0413a0c095230c5a1d9fd24c5526e381
(You need a free account on hybrid-analysis to be able to download the sample.) This website is really interesting if you are looking for samples to analyse :) Link to the Hybrid-analysis sample
Take care! This sample is real and can be dangerous if you handle it in a real environment; do the whole analysis inside an isolated VM that you can throw away afterwards :)
I'm going to do this analysis on a Linux system (SIFT workstation).
But you can do a big part of this exercise in Firefox, using the JavaScript console that opens when you press F12. First, check the file type:
… Nothing much: it's an ASCII text file, so we are safe to open it in any text editor (Vim, Emacs, Leafpad, nano …). Just by opening it you can see that the obfuscation used here is not advanced:
We can see several variable declarations, some of them really self-explanatory:
- x: contains some domain/subdomain names. You have already found your first IOC ;)
- t4: contains "http", presumably used to build the URL where the payload is stored :)
- g2: pretty easy to understand too, just a concatenation of strings and another variable.
- pi6dnz: more difficult, but when you look at the characters used you can see that they are hexadecimal values. If you look at your ASCII table …
You can see that the hexadecimal value 70 = p, 65 = e, 6E = n … "pen" … ok, it might be used somewhere else later ..
- m: this one is the hardest to understand, we will see it later.
Ok, let's use Rhino on these small parts.
If you don't have Rhino you can install it on an Ubuntu-based distro just by typing:
Then just start it:
Just take the variable you want and copy-paste it. I'm going to use t4 and pi6dnz and print them using the print() function (simple :p)
Ok, I think you understand the concept now. Let's continue with the other part of the JS.
First we enter a for loop with i incrementing.
Then a function declaration creating an ActiveXObject with the parameter g2. If you played a little bit with Rhino you will have found that:
Just after it, we can see the creation of an object called e.
So e is an ActiveXObject.
Here we enter a try block and then a new variable declaration:
We find pi6dnz again; 6F is the ASCII code for o, so o + pen = …? ;)
And then the big query:
If you try to print this with Rhino there are two little tricks. First you need to remove the e, because it's an object (Rhino has no ActiveX, so it cannot create it). You also need to change i to the number 0 (it's related to the domain name list that we saw earlier: it's an array, so incrementing i changes the domain name requested).
And there is also the false at the end to remove (for an XMLHTTP object, that false is the async flag of open).
If you go to msdn.microsoft.com for the function used here (open) you will find its signature.
In Rhino, add all the variables, or create a little JS script:
After this the script tries to receive what was requested.
To continue you will need to download the malicious script; a simple wget is enough to fetch the payload. Do it from the isolated analysis VM, and do not execute what you download.
If you open it with Vim you can see that we have more obfuscated JS.
Go back to your first JS and let's look at the operations done on the server's answer (the URL that you downloaded with wget).
We can see some kind of substitution on the m variable, with the third character of the variable zaima (that is, a) used as the replacement.
We can do the same substitution using Vim and sed, or any text editor that allows replacing one string by another :)
So we have to replace every occurrence of LRAf7gyufKYR4MwFaLGaGyC-AIyJR0x4H3WREwqTezLd5P35obsIzYt3pHkF6oEqDeW3A5bvDPm0e4k9RekqVS20SQTDNnIlK_k by a.
You will then have a JS with lots of string concatenations: var NXmef="…"; NXmef+="…"; lots of pieces are appended to the string. To easily see what is inside this long string, just check the end of the JS and change eval(NXmef) into a simple print(NXmef).
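As an added example (not code from the original post, nor from the analysed sample), here is a small Node.js script that automates the steps above: decoding the "\xHH" escapes like the ones in pi6dnz, replacing every occurrence of the long m token by "a", and rebuilding the string that eval(NXmef) would have executed, without running it. The token value, the variable name NXmef and the second-stage text below are constructed stand-ins, not the real sample's content.

```javascript
// Added example, not code from the original post nor from the analysed sample.
// It automates the three manual steps above: decode "\xHH" string escapes,
// replace EVERY occurrence of the long m token by "a" (sed 's/.../a/g'),
// and rebuild the string the second stage would pass to eval() without
// executing it. TOKEN, NAME and STAGE2_RAW below are constructed stand-ins.

// Decode the escapes inside a JS string literal body ("\x70\x65\x6E" -> "pen").
function unescapeJsString(body) {
  return body.replace(/\\(x[0-9a-fA-F]{2}|.)/g, (_, e) => {
    if (e[0] === 'x') return String.fromCharCode(parseInt(e.slice(1), 16));
    const simple = { n: '\n', r: '\r', t: '\t' };
    return e in simple ? simple[e] : e; // \" -> ", \\ -> \
  });
}

// Global replacement of the token. String.prototype.replace with a string
// pattern only touches the first match, so split/join is used instead.
function substituteToken(text, token, replacement) {
  return text.split(token).join(replacement);
}

// Statically follow `var NAME = "..."; NAME += "..."; ...` and return the
// assembled string, i.e. what eval(NAME) would have run. Only double-quoted
// literals are handled, which matches the shape described above.
function rebuildConcatenation(script, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(escaped + '\\s*(\\+?=)\\s*"((?:[^"\\\\\\n]|\\\\.)*)"', 'g');
  let out = '';
  for (const hit of script.matchAll(re)) {
    const piece = unescapeJsString(hit[2]);
    out = hit[1] === '=' ? piece : out + piece; // "=" restarts, "+=" appends
  }
  return out;
}

// Whole pipeline: substitute the token, then recover the eval() argument.
function deobfuscateStage2(raw, token, name) {
  return rebuildConcatenation(substituteToken(raw, token, 'a'), name);
}

// ---- constructed sample input (NOT the real second stage) ----
const TOKEN = 'LRAf7Qz_STANDIN_TOKEN_Qz';
const NAME = 'NXmef';
const STAGE2_RAW = [
  `var ${NAME}="v${TOKEN}r u = \\"http://ex${TOKEN}mple.invalid/st${TOKEN}ge3.bin\\";";`,
  `${NAME}+=" v${TOKEN}r w = \\"\\x70\\x65\\x6E\\";";`,
  `ev${TOKEN}l(${NAME});`,
].join('\n');

console.log(unescapeJsString('\\x70\\x65\\x6E')); // pen
console.log(deobfuscateStage2(STAGE2_RAW, TOKEN, NAME));
```

The split/join detail matters: in JavaScript, "str".replace(token, "a") only replaces the first hit, and in sed you need the trailing g in s/token/a/g, otherwise the first occurrence on each line is the only one changed and the result will not parse. Unlike changing eval into print in Rhino, the static rebuild never executes the second stage at all; if a sample assembles its string in a way the regex does not cover, fall back to the Rhino method, still inside the isolated VM.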