fiddling with obfuscated javascript
Most malware authors automate the obfuscation of their javascript downloaders, making analysis difficult. Luckily, you rarely need to completely deobfuscate the javascript to progress with your analysis. If you can identify the primary function used to handle obfuscated strings you can then use a few quick tricks to obtain interesting data from the javascript file without having to run it.
Identifying the deobfuscation function at a glance:
Most of the deobf functions I see contain a lot of string and character manipulation functions & methods. Some to look for include:
parseInt()
toString()
substr()
String.fromCharCode()
charCodeAt()
UCHAR()
More info on common javascript obfuscation methods and the functions utilized can be found here: https://github.com/bl4de/research/blob/master/javascript-malware-obfuscation/Simple_JavaScript_malware_code_obfuscation_examples.md#basic-obfuscation-methods---expressions-comma-operator-parseint-and-tostring-method
Here is an example of a deobfuscation function from a recent javascript downloader for a Mekotio infection:
This is a bit frustrating to eyeball, and further down in the script there is a series of string vars that are clearly being resolved by the function, which is another good indicator that you've identified the deobf function:
In this case, the name of our deobf function is "kOyE4FeCQNNWM2lQrcsgV3i1O9x6YXJIPQyOsg2wubySsILC82D"
A few quick tricks:
Now that we have this function in hand, we can use a few tools to our advantage; primarily JSFiddle (https://jsfiddle.net/).
From here on I will be referring to this public fiddle: https://jsfiddle.net/08szah29/
The first step is to copy the entire function into your fiddle. Next you must add your obfuscated strings and a print function to generate output, like so:
function print_output(input) {
document.write(NAME_OF_DEOBFUSCATION_FUNCTION(input)+"<br>")
}
var obf_strings = [OBFUSCATED_STRINGS_LIST]
obf_strings.forEach(print_output);
Here is what it looks like with the function name and strings in place:
function print_output(input) {
document.write(kOyE4FeCQNNWM2lQrcsgV3i1O9x6YXJIPQyOsg2wubySsILC82D(input)+"<br>")
}
var obf_strings = ["1920E560E513EC3E29F9041E2BF222DE49CA5AF839E93456F363A2",
"33240467E660E55A8B848E83BD",
"5F9760E01C1F25372F243B1E015FD442085DE91622DD558AC16486C80C6DCA66E177C9033DF3",
"6EB5459C42E238CFB855DA2CD52F",
"F248D1719B47DE23D54200",
"92E73784BA66A06D947E809A4D1F3ED93BCD54F40B3BFD66B360E6",
"41C44482A65EB940EB2A3FE91EE70817E838CA071327E37AA74A88",
"EA17",
"196EDA1E26221939C868EA2BC25F87B066AF78DB28C1",
"91E626A142FC06082E2A",
"34045F96FB26F130E725223DC764F956",
"5A926BEB11CD63F164B146D10D14C664B0BA43936D8BD376A359BE5B8951C192EA481BBC669EED67C9BEB47188BB9EB6789B41FA0D2CCF77E92B0A5DF925E9342FC46B97",
"NULL",
"CF73B729D80C51F127EE3CC960AC64818892",
"37075AA984BE58DA0805421D271D2E020C151A0D0928E633030F64CB1D21032B4CC7658E9FACC151E51BD329CE65AF6FA86690A143EA32BAB06F8A9F40D72BED1EFD34D139C346AF42F57C9F6ECFC7",
"DA1EEA5485A07B91451C2ECCA1A34F2328F87F98AF",]
obf_strings.forEach(print_output);
**Note: This particular function utilized the string length of another var found elsewhere in the script as part of its input, which can be seen on line 45 of the fiddle.
Finally, of course, run the fiddle.
Quick Python Diversion
I wrote a simple python3 script that will take find the obfuscated strings in this particular javascript file (or whatever else you throw at it I suppose) and output them in a format that can easily be copied and pasted into jsfiddle:
# obfstr.py
import sys
import re
script_file = sys.argv[1]
with open(script_file, "r") as obfuscated_script:
text = obfuscated_script.readlines()
pattern = r"\('(\S+)'\)"
out_vars = re.findall(pattern, str(text))
print(out_vars)
usage:
python3 obfstr.py javascript_file.js
This matches strings that fall inside parentheses and single quotes, such as ('33240467E660E55A8B848E83BD'). The regex can be easily tweaked to fit whatever string pattern you identify (use regex101.com to test your regex).
Back to the js
At this point we have successfully deobfuscated several strings that indicate the functionality of this script:
WinHttp.WinHttpRequest.5.1
ADODB.Stream
http://3.87.129[.]127/vai/cL4p0L9l1.png
wscript.shell
%username%
%systemdrive%\Windows\Temp
Scripting.FileSystemObject
\
%HOMEPATH%\documents\
%comspec%
/C start /MAX
https://download.java.net/java/GA/jmc7/14/jmc-7_windows-x64_bin.zip
Shell.Application
/C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "
shutdown -r -f -t 00
We have the payload site (which I defanged), downloaded file locations, registry key changes, forced shutdown, and more - all without having to run the script.
Nice.
Identifying the deobfuscation function at a glance:
Most of the deobf functions I see contain a lot of string and character manipulation functions & methods. Some to look for include:
parseInt()
toString()
substr()
String.fromCharCode()
charCodeAt()
UCHAR()
More info on common javascript obfuscation methods and the functions utilized can be found here: https://github.com/bl4de/research/blob/master/javascript-malware-obfuscation/Simple_JavaScript_malware_code_obfuscation_examples.md#basic-obfuscation-methods---expressions-comma-operator-parseint-and-tostring-method
Here is an example of a deobfuscation function from a recent javascript downloader for a Mekotio infection:
This is a bit frustrating to eyeball, and further down in the script there is a series of string vars that are clearly being resolved by the function, which is another good indicator that you've identified the deobf function:
In this case, the name of our deobf function is "kOyE4FeCQNNWM2lQrcsgV3i1O9x6YXJIPQyOsg2wubySsILC82D"
A few quick tricks:
Now that we have this function in hand, we can use a few tools to our advantage; primarily JSFiddle (https://jsfiddle.net/).
From here on I will be referring to this public fiddle: https://jsfiddle.net/08szah29/
The first step is to copy the entire function into your fiddle. Next you must add your obfuscated strings and a print function to generate output, like so:
function print_output(input) {
document.write(NAME_OF_DEOBFUSCATION_FUNCTION(input)+"<br>")
}
var obf_strings = [OBFUSCATED_STRINGS_LIST]
obf_strings.forEach(print_output);
Here is what it looks like with the function name and strings in place:
function print_output(input) {
document.write(kOyE4FeCQNNWM2lQrcsgV3i1O9x6YXJIPQyOsg2wubySsILC82D(input)+"<br>")
}
var obf_strings = ["1920E560E513EC3E29F9041E2BF222DE49CA5AF839E93456F363A2",
"33240467E660E55A8B848E83BD",
"5F9760E01C1F25372F243B1E015FD442085DE91622DD558AC16486C80C6DCA66E177C9033DF3",
"6EB5459C42E238CFB855DA2CD52F",
"F248D1719B47DE23D54200",
"92E73784BA66A06D947E809A4D1F3ED93BCD54F40B3BFD66B360E6",
"41C44482A65EB940EB2A3FE91EE70817E838CA071327E37AA74A88",
"EA17",
"196EDA1E26221939C868EA2BC25F87B066AF78DB28C1",
"91E626A142FC06082E2A",
"34045F96FB26F130E725223DC764F956",
"5A926BEB11CD63F164B146D10D14C664B0BA43936D8BD376A359BE5B8951C192EA481BBC669EED67C9BEB47188BB9EB6789B41FA0D2CCF77E92B0A5DF925E9342FC46B97",
"NULL",
"CF73B729D80C51F127EE3CC960AC64818892",
"37075AA984BE58DA0805421D271D2E020C151A0D0928E633030F64CB1D21032B4CC7658E9FACC151E51BD329CE65AF6FA86690A143EA32BAB06F8A9F40D72BED1EFD34D139C346AF42F57C9F6ECFC7",
"DA1EEA5485A07B91451C2ECCA1A34F2328F87F98AF",]
obf_strings.forEach(print_output);
**Note: This particular function utilized the string length of another var found elsewhere in the script as part of its input, which can be seen on line 45 of the fiddle.
Finally, of course, run the fiddle.
Quick Python Diversion
I wrote a simple python3 script that will take find the obfuscated strings in this particular javascript file (or whatever else you throw at it I suppose) and output them in a format that can easily be copied and pasted into jsfiddle:
# obfstr.py
import sys
import re
script_file = sys.argv[1]
with open(script_file, "r") as obfuscated_script:
text = obfuscated_script.readlines()
pattern = r"\('(\S+)'\)"
out_vars = re.findall(pattern, str(text))
print(out_vars)
usage:
python3 obfstr.py javascript_file.js
This matches strings that fall inside parentheses and single quotes, such as ('33240467E660E55A8B848E83BD'). The regex can be easily tweaked to fit whatever string pattern you identify (use regex101.com to test your regex).
Back to the js
At this point we have successfully deobfuscated several strings that indicate the functionality of this script:
WinHttp.WinHttpRequest.5.1
ADODB.Stream
http://3.87.129[.]127/vai/cL4p0L9l1.png
wscript.shell
%username%
%systemdrive%\Windows\Temp
Scripting.FileSystemObject
\
%HOMEPATH%\documents\
%comspec%
/C start /MAX
https://download.java.net/java/GA/jmc7/14/jmc-7_windows-x64_bin.zip
Shell.Application
/C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "
shutdown -r -f -t 00
We have the payload site (which I defanged), downloaded file locations, registry key changes, forced shutdown, and more - all without having to run the script.
Nice.
Comments
Post a Comment