Malware Analysis – Javascript Deobfuscation
Intro
I recently started conducting some malware analysis, and I found myself particularly intrigued by a section focused on JavaScript code analysis. I thought it would be the perfect opportunity to dive deeper and sharpen my skills by working with real-world examples. So, here’s a quick and straightforward analysis to get started!
Lab setup
- REMnux - Linux
- Ghost Windows 10 (contains my own malware tools)
Static Analysis
Hash: 58d9dfb6906f5d06e85773461bd8ecc23f836a73dc0ef98a537e2385faeaaf43cbf5c548e7564bf7c3a09fcbc01259a2 (the post labels this SHA-256, but the value is 96 hex digits, the length of a SHA-384 digest, not the 64 of SHA-256; recompute it with sha256sum before pivoting on it)
Well, let's give it a first look in Notepad++.
Observations
- The actual code that executes is at the beginning of the script.
- Many variables are used to obfuscate the code; each variable holds a long string of characters. Our mission is to find the pattern the obfuscation is built from.
Deobfuscation with SpiderMonkey
Let's try to deobfuscate it with the SpiderMonkey tool in REMnux.
It didn't work well for deobfuscation, but it gave us one clue: an eval function at line 21.
So, I tried box-js, as it emulates run-time components (for example, faking the URLs the malware tries to reach).
When checking IOC.json and the rest of the output files, it only observed a registry key being written; the other files contain weird scripts that are not related to the malware :XD.
Manual Deobfuscation
I will replace each variable with a readable "charX", where X is a number that increases, just to make it more readable.
Example: the final one will be much easier to parse.
Now, there are many variables, each 28-45 characters long, and we need to find which character of each one is actually used, without running the script.
So, I started looking for something the script must include, http://, and I found this.
Then I started looking at the values of each char; they are in sequence, I mean this:
And I figured out that the script uses the last char of each variable.
So, now we only need to replace each variable reference with its last char.
After replacement:
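The manual steps above (rename the junk variables to charX, resolve every "last character of the variable" reference, then concatenate the pieces) can be automated. The following is an added example, not the sample from the post: a constructed obfuscated stub in the same style, with a small regex-based deobfuscator. The variable names, the junk string contents and the exact access forms it handles (x[x.length-1], x.charAt(x.length-1), x.slice(-1), x.substr(-1)) are assumptions for illustration.

```javascript
// Added example, not the sample from the post. The stub below is constructed
// to mimic the pattern described above: long junk strings where only the
// final character is used, joined into a string that is fed to eval.
// Names, contents and access forms are assumptions for illustration.

// Constructed sample: every string is junk except its final character.
const SAMPLE = [
  'var kq = "ZxPqLmNoRtYuVbWsAeDfGhJkLzXcVbNmQwErTyh";',
  'var zp = "PoIuYtReWqAsDfGhJkLzXcVbNmQwErTyUiOpAt";',
  'var mw = "QwErTyUiOpAsDfGhJkLzXcVbNmQwErTyUiOpAt";',
  'var rt = "XcVbNmQwErTyUiOpAsDfGhJkLzXcVbNmQwErTp";',
  'var yl = "AsDfGhJkLzXcVbNmQwErTyUiOpAsDfGhJkLz:";',
  'var ob = "LzXcVbNmQwErTyUiOpAsDfGhJkLzXcVbNmQw/";',
  'var u = kq[kq.length - 1] + zp.charAt(zp.length - 1) + mw[mw.length-1]',
  '      + rt.slice(-1) + yl[yl.length - 1] + ob.substr(-1) + ob[ob.length - 1];',
  'eval(u);',
].join('\n');

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Step 1: collect `var NAME = "...";` declarations (name -> raw string value).
// Escape sequences inside the string are not decoded.
function collectStrings(src) {
  const vars = new Map();
  const re = /\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])((?:\\.|(?!\2)[^\\])*)\2\s*;/g;
  let m;
  while ((m = re.exec(src)) !== null) vars.set(m[1], m[3]);
  return vars;
}

// Step 2: rename the junk variables to char1, char2, ... as done by hand above.
function renameVars(src, vars) {
  const names = new Map();
  let i = 1;
  for (const name of vars.keys()) names.set(name, `char${i++}`);
  let out = src;
  for (const [oldName, newName] of names) {
    out = out.replace(new RegExp(`\\b${escapeRe(oldName)}\\b`, 'g'), newName);
  }
  return { code: out, names };
}

// Step 3: replace every "last character of NAME" expression with a literal.
function resolveLastChar(src, vars) {
  let out = src;
  for (const [name, value] of vars) {
    const n = escapeRe(name);
    const forms = [
      `${n}\\s*\\[\\s*${n}\\.length\\s*-\\s*1\\s*\\]`,
      `${n}\\.charAt\\(\\s*${n}\\.length\\s*-\\s*1\\s*\\)`,
      `${n}\\.slice\\(\\s*-\\s*1\\s*\\)`,
      `${n}\\.substr\\(\\s*-\\s*1\\s*\\)`,
    ];
    const lit = JSON.stringify(value.slice(-1));
    out = out.replace(new RegExp(forms.join('|'), 'g'), () => lit);
  }
  return out;
}

// Step 4: fold "a" + "b" into "ab" until nothing changes, so the recovered
// string reads as one literal.
function foldConcats(src) {
  const re = /"((?:\\.|[^"\\])*)"\s*\+\s*"((?:\\.|[^"\\])*)"/g;
  let prev;
  do {
    prev = src;
    src = src.replace(re, (_, a, b) => `"${a}${b}"`);
  } while (src !== prev);
  return src;
}

// Step 5: drop junk declarations that nothing references any more.
function dropUnusedVars(src, vars) {
  let out = src;
  for (const name of vars.keys()) {
    const n = escapeRe(name);
    const uses = out.match(new RegExp(`\\b${n}\\b`, 'g')) || [];
    if (uses.length === 1) { // only its own declaration is left
      out = out.replace(new RegExp(`^[ \\t]*var\\s+${n}\\s*=\\s*(["']).*?\\1\\s*;[ \\t]*\\n?`, 'm'), '');
    }
  }
  return out;
}

function deobfuscate(src) {
  const renamed = renameVars(src, collectStrings(src)).code;
  const vars = collectStrings(renamed); // same values under the new names
  return dropUnusedVars(foldConcats(resolveLastChar(renamed, vars)), vars);
}

console.log(deobfuscate(SAMPLE));
```

On the constructed stub this prints the script reduced to the recovered literal and the eval that consumes it. The output is still attacker code that ends in eval, so it is something to read, not to run; and the regex approach only covers the access forms listed above, so for a sample that mixes in other tricks an AST-based rewrite is the safer route.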
IOCs
Behavioural Analysis
Let's ping the C2 to see if it is active (from an isolated analysis network, not a production host, since this contacts attacker infrastructure).
Yes, it is. Now let's download invoice.php, which the script saves as %tmp%\\invoice.pdf.
It is a PDF; when I parsed it with pdf-parser.py, it didn't contain any JavaScript. I confirmed that with VirusTotal.
So, let's look further and try to download the DLL 100758775027.dll.
But the server was off.
So, our analysis concludes here.
See you! 🚀