
Help on Deobfuscating a Java script

3 replies to this topic

#1 lavangam


Posted 05 October 2016 - 11:19 PM

Hi Guys,

I have come across an email with an attachment that infects the computer with ransomware upon execution.

I've been trying to de-obfuscate it for the past 2 days, but the script is highly obfuscated. Have tried all the possible tools, but no luck.

If we have experts in this forum, I need your help in de-obfuscating this JS file.

Code can be found here:

http://pastebin.com/WKxcfMWc




#2 quietman7

Posted 06 October 2016 - 05:40 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful for analysis and investigation by our crypto experts.

#3 lavangam

Posted 06 October 2016 - 06:58 PM

Sorry, I thought my query was clear. Let me give more details on it.

I'm not a victim of this ransomware.

One of our customers received an email with this Java script. The script is so highly obfuscated that I can't understand the code in it.

So, I need the help of someone who is good at de-obfuscating the script.

From a dynamic analysis perspective I can see that as soon as I execute the script it downloads the actual piece of malware to encrypt the files.

But from a static analysis perspective I'm trying to de-obfuscate that code to see what type of functions the threat actors are relying on.

Hope this is clear. :rolleyes:



#4 Demonslay335

Posted 09 October 2016 - 08:37 PM

One trick I use is to copy all of the code piece by piece, and execute it (in a sandbox or VM is safest in case you miss something!). Usually, I try to let it build whatever strings it is going to stuff into something like eval(), but don't actually eval() it. In your example code, I let it run all of the functions that return strings, and then let it build the string inside the "new Function" call (but didn't let it execute as a function). It ends up trying to execute this.

/* Original code
ewabasixqi4() + qdexed3() + xetta9() + wvybjubavfe5() + ucfydogci4() + wgocemivu2() + yzwucysol6() + hezovvug8() + vtifte6() + tiwne0() + ywcubgomi4() + oxcolcir4() + enbybnape8() + epsaco3() + wcuqifhyzoqd7() + itykcocurg2() + ykbyjoqqeza5() + ihidpu6() + yftifu0() + orqohxinr5() + upxobbi2() + rakybavfitr3() + nofylyks5() + qywji2() + cuppukcezv5() + ifvermyg0() + ebisluwluhcy1() + pebpilahj0() + fikzubvy5() + amavimuqdi7() + pasrog0() + acnuthysyw0() + ocodtawos7() + fojtetihdond0() + nzymittibzam8() + myhbaf2() + oxixyvatu9() + ybforkojh8() + lojimijk9() + apnefago4() + umnobi2() + yvexgij5() + olity9()
*/

var ilibasp = WScript.CreateObject('WScript.Shell'); var webu4 = ilibasp.CreateShortcut('\qvertyd.lnk'); return webu4.TargetPath;

Combining this function with the following logic of the switch case, it is basically checking if the shortcut "qvertyd.lnk" exists already; if so, it doesn't run again.

 

You can then systematically go through the rest, executing just enough to build the function name, but not actually execute it. Here's an example of the first one.

/* Original code
abyxjablu6 = ukbumwyhku3[ltobxyqqefme4() + sekulqeqez0() + apaz3() + mode3()];
*/

// Execute just the string building
> ltobxyqqefme4() + sekulqeqez0() + apaz3() + mode3();
WScript

/* ukbumwyhku3 = this, or the window in global scope, so this call is actually
window['WScript'];
*/

I don't have the time to go through the rest, so I'll leave it up to you as an exercise. Also, to note, since this is calling WScript, it is actually a JScript file, not JavaScript. It will only execute on Windows (from double-clicking the script) or IE, not outright in any other browser.


Edited by Demonslay335, 09 October 2016 - 08:40 PM.

