
Help on Deobfuscating a Java script

3 replies to this topic

#1 lavangam


  • Members
  • 5 posts
  • Local time:05:42 AM

Posted 05 October 2016 - 11:19 PM

Hi Guys,


I have come across an email with an attachment that infects the computer with ransomware upon execution.

I've been trying to de-obfuscate it for the past 2 days, but the script is highly obfuscated. I have tried all the possible tools, but no luck.

If we have experts in this forum, I need your help in de-obfuscating this JS file.

Code can be found here:





#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,904 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:42 PM

Posted 06 October 2016 - 05:40 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 lavangam

  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:42 AM

Posted 06 October 2016 - 06:58 PM

Sorry, I thought my query was clear. Let me give more details on it.

I'm not a victim of this ransomware.

One of our customers received an email with this JavaScript. The script is so highly obfuscated that I can't understand the code in it.

So, I need help from someone who is good at de-obfuscating the script.

From a dynamic analysis perspective I can see that as soon as I execute the script, it downloads the actual piece of malware to encrypt the files.

But from a static analysis perspective I'm trying to de-obfuscate that code to see what type of functions the threat actors are relying on.

Hope this is clear. :rolleyes:

#4 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:03:42 PM

Posted 09 October 2016 - 08:37 PM

One trick I use is to copy all of the code piece by piece, and execute it (in a sandbox or VM is safest in case you miss something!). Usually, I try to let it build whatever strings it is going to stuff into something like eval(), but don't actually eval() it. In your example code, I let it run all of the functions that return strings, and then let it build the string inside the "new Function" call (but didn't let it execute as a function). It ends up trying to execute this.

/* Original code:
ewabasixqi4() + qdexed3() + xetta9() + wvybjubavfe5() + ucfydogci4() + wgocemivu2() + yzwucysol6() + hezovvug8() + vtifte6() + tiwne0() + ywcubgomi4() + oxcolcir4() + enbybnape8() + epsaco3() + wcuqifhyzoqd7() + itykcocurg2() + ykbyjoqqeza5() + ihidpu6() + yftifu0() + orqohxinr5() + upxobbi2() + rakybavfitr3() + nofylyks5() + qywji2() + cuppukcezv5() + ifvermyg0() + ebisluwluhcy1() + pebpilahj0() + fikzubvy5() + amavimuqdi7() + pasrog0() + acnuthysyw0() + ocodtawos7() + fojtetihdond0() + nzymittibzam8() + myhbaf2() + oxixyvatu9() + ybforkojh8() + lojimijk9() + apnefago4() + umnobi2() + yvexgij5() + olity9()
*/
// String the above builds (the body handed to "new Function"), not executed:
var ilibasp = WScript.CreateObject('WScript.Shell'); var webu4 = ilibasp.CreateShortcut('\qvertyd.lnk'); return webu4.TargetPath;

Combining this function with the following logic of the switch case, it is basically checking if the shortcut "qvertyd.lnk" exists already; if so, it doesn't run again.


You can then systematically go through the rest, executing just enough to build the function name, but not actually execute it. Here's an example of the first one.

/* Original code:
abyxjablu6 = ukbumwyhku3[ltobxyqqefme4() + sekulqeqez0() + apaz3() + mode3()];
*/

// Execute just the string building
> ltobxyqqefme4() + sekulqeqez0() + apaz3() + mode3();

/* ukbumwyhku3 = this, or the window in global scope, so this call is actually

I don't have the time to go through the rest, so I'll leave it up to you as an exercise. Also, to note, since this is calling WScript, it is actually a JScript file, not JavaScript. It will only execute on Windows (from double-clicking the script) or IE, not outright in any other browser.

Edited by Demonslay335, 09 October 2016 - 08:40 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
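The "build the string but never compile it" trick from the post above, as an added example that is not code from this thread or from the sample: a constructed, harmless mock of the loader is run with Function and eval swapped for recorders, so the helper functions still assemble their strings but nothing dynamic executes. The names mockSample, captureDynamicCode and piece0..piece2 are assumed for illustration.

```javascript
// Added example, not code from this thread: a constructed, harmless mock of the
// string-building loader pattern, and a hook that records what reaches
// `new Function` / `eval` instead of compiling it. Run under Node.js in a VM.

// Constructed stand-ins for the sample's string-returning helper functions.
// The WScript calls exist only inside strings and are never executed.
function piece0() { return "var sh = WScript.CreateObject('WScript.Shell'); "; }
function piece1() { return "var lnk = sh.CreateShortcut('qvertyd.lnk'); "; }
function piece2() { return "return lnk.TargetPath;"; }

// Constructed mock of the obfuscated loader: stage 1 assembles source text and
// compiles it with `new Function`; stage 2 feeds a second built string to eval.
function mockSample() {
  var stage1 = new Function(piece0() + piece1() + piece2());
  var target = stage1();
  return eval("'" + target + "'" + " + '.exe'");
}

// Run `sample` with Function and eval swapped for recorders, so the helper
// functions still build their strings but nothing dynamic is compiled.
// Returns the list of captured sources in the order they were requested.
function captureDynamicCode(sample) {
  var log = [];
  var realFunction = globalThis.Function;
  var realEval = globalThis.eval;
  globalThis.Function = function () {
    var src = String(arguments[arguments.length - 1]); // last arg is the body
    log.push({ via: "Function", src: src });
    return function () { return "<stub>"; };          // inert stand-in
  };
  globalThis.eval = function (src) {
    log.push({ via: "eval", src: String(src) });
    return "<stub>";
  };
  try {
    sample();
  } finally {
    globalThis.Function = realFunction; // always restore the real built-ins
    globalThis.eval = realEval;
  }
  return log;
}

// Usage: print the recovered sources instead of running the sample.
captureDynamicCode(mockSample).forEach(function (entry) {
  console.log(entry.via + ": " + entry.src);
});
```

The same hook works on a real sample once its code is pasted in place of mockSample, because unqualified `Function` and `eval` resolve through the global object; wrappers that reach the built-ins another way (for example via a function's `.constructor`) need a separate hook.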
