Locky JS and URL Revealer

From various reports, it appears that the malicious Javascript files sent via email that pull Locky down is back.

Let’s see what these scripts look like:


At the bottom of the script, is this function that reverses the string above, joins the characters, then evaluates it:


Since we’re dealing with JScript, we can just do this and capture the result instead of executing it:


Now we get this:


This script employs a lot of nonsense functions that just returns exactly what gets sent to it in an attempt to make it harder to figure out what’s going on.

After I beautify the script and scan through everything, I come across the main function that downloads a file from the Internet. It’s using the familiar AJAX method.


I echo out the URL array to see where the requests are going. There’s three URLs it’s attempting to connect to. If the site is up then Locky gets downloaded and executed.


This round of scripts are similar to the ones that were sent before the Locky gang took a break. If you’ve been tracking their scripts, you know that they make a lot of changes to bypass filters but they are essentially all AJAX downloaders.

Instead of trying to keep up with their constant script variations, why not use a web proxy I thought? You just run the script in a VM and catch the URLs being called. There’s Fiddler, Paros, Burp, etc I could use but I thought I would try to make something more lightweight and portable.

URL Revealer
Here’s my take on a web proxy. This program will capture the request from these scripts and drop it so it won’t download the malware from the Internet. This way you can see the URLs and take the necessary action quickly and without having to deobfuscate the script.

When you run URL Revealer (in a VM!), it will automatically set up a proxy server on port 8080 and write the captured URLs to a text file to the app path. You should open up your browser and test it to make sure it’s working properly before executing the script you want to analyze. You should also set your VM’s network adapter to “host-only” while doing this just to be safe.

Here’s what it looks like when I run four recent Locky scripts plus two from the past two weeks:


I killed the wscript process in between runs otherwise the script would just keep going. URL Revealer will ignore repeated hits to the same URL as long as it’s exactly the same as the one before.

When you are done, press to quit so that URL Revealer can disable the proxy server. If you forget, just run URL Revealer and hit enter a couple of times until it quits.

If you run the program from an elevated command line, you can change the proxy port as well as the capture filename.


Over the past several months, I saw four methods used by various scripts to download malware from the Internet – ajax, winhttp, bitsadmin, and powershell. URLRevealer should detect and block the requests for all of these methods. If you encounter a new method, please let me know.

You can get the program here.

Posted in Malicious Email, Malscript, Tools | Tagged , , , , | Comments Off on Locky JS and URL Revealer

Script Deobfuscator Updated

Continuing from my last blog post, I updated the program to handle the latest obfuscated Javascript technique. I made the logic generic in order to handle future versions and variants so the results may come out a bit weird (e.g. stray tick marks). But the main thing is that you’ll be able to see what these scripts are doing.

I broke out the concatenation option by script type so this should improve the results somewhat better than before.




I hope this works for most of the scripts you encounter. And thank you for your continued support!

Posted in Malscript, Tools | Tagged , , , | Comments Off on Script Deobfuscator Updated

Deobfuscating a Hideous-Looking JS Downloader

One of my readers, Stefano from zanna.it (thanks!), sent me this little gem:


In the midst of seemingly random strings, there are clues to its structure but there’s very little to go on. I started off by grabbing a portion of the script and having it show me what the variable contains.


The string of gibberish is lined up in an array but only the last value is collected. Here, you can see the individual characters that make up the call to the URL.


I found another script that employs the same method. In this version, the values outside of the elements between parenthesis are collected. The first section spells out “ActiveXObject”.


Here’s yet another script that uses the same method and then takes it up another level. The first section also spells out “ActiveXObject” but this time, it makes use of an interesting behavior where the first character of the string attached to the “.e()” property is collected. Note: You need to unescape the script to convert the decimal values to a single character.


Writing a program to extract the correct value is a little tricky but doable. I’ll need to test this further before releasing the program but it seems to work.

Example #1


Example #2


Example #3…for this one, I had to unescape the script first.


In these three example scripts, it downloads an executable, saves it to the temp folder then executes it.

Posted in Malicious Email, Malscript | Tagged , | Comments Off on Deobfuscating a Hideous-Looking JS Downloader

Script Deobfuscator Released

The purpose of this tool is to help you perform static analysis on obfuscated scripts. It’s often easier to dynamically analyze scripts but there are times when you just don’t know where to start or you just want a high-level view of what’s going on with the script. This tool may be able to help you.

I already wrote a tool called PHP Script Decoder but this new version has been re-written in .NET with new functionality and flexibility in order to handle PHP, Javascript, VBA, and VBS scripts.

To explain how to use this tool, let me show you how to tackle seven different obfuscated scripts.

Example #1 (unphp)

Here’s what the script looks like. Looking at the script, you’ll see an array of base64-encoded strings at the top. Following that are references to specific elements from the array.


Paste in the script sections like so. The script you are trying to deobfuscate is at the top. The array of base64-encoded strings separated by commas in the middle section. I enter the search string value of “_705650624(#)” since that’s how the script at the top references the elements from the array (note: the pound sign is a wildcard and must be present). I select the “Array” method and click on the “Convert” button.


The results still show encoded strings so now I check the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options and try again.


The script has been deobfuscated and much easier to read. The script won’t execute though because the strings are quoted (or unquoted) incorrectly.

Example #2 (ddecode)

Here’s the script we’ll be working on:


First we need to unescape it so click on the “Unescape” button. If you right-click on the Output box, there’s an option to save the results to a text file. (You can right-click on the Input box and read in a file too.)


Click on “Copy Output to Input” to move the result to the top. This script uses randomize variable names and assigns a value to it. The later portion references the value.

The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value.

Choose the “Random Vars 1” method. The delimiter for this script is a semi-colon and for the search string I enter ${“GLOBALS”}[“#”]=”*”; The pound sign is a placeholder for the variable name and the asterisk is the placeholder for the value.

Here’s the result:


Example #3 (unphp)

This script also uses random variable names but in this version, the strings are base64-encoded. The top portion defines the global variables while the lower section, beginning at “session_start()”, references them.


Paste the script sections in the tool as follows then choose the “Random Vars 2” method and the “Base64 Decode” and “Keep Quotes” options. Note the search string has spaces in between so that it matches the script at the top.


Example #4 (unphp)

Here’s what the script looks like (I highlighted the key):


This script references an element in an array to build the values for its variables. The elements are based on the character position in the key.

The first step is to paste the entire script in the input box and choose the key lookup option. I use $f9[#] as the search string. In the Lookup Key box, paste the key and remove the starting and ending quotes. Also make sure the key you paste in has been properly escaped. You can see there’s concatenation going on so check the “Concatenate” option.


Example #5 (ddecode)

In this example, we’re just interested in decoding the base64 strings.


Copy the entire script to the Input box, choose the “Base64” method as well as the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options. Make sure the delimiter and search string matches that of the script.


Example #6 (pastebin)

This script is uses the Joomla exploit and contains decimal values making it tough to see immediately what this does.


Paste the script into the Input box and choose the “ASCII” method.


Almost but it’s not concatenated. If you choose the “Concatenate” option, it won’t clean up everything. In the “Output Options” section, there’s a “Remove Chars” box. Enter a period and try again.


Example #7 (pastebin)

This last example is a VBA script. It does a simple math calculation then the result is convert to its ASCII character equivalent.


Paste the script in and choose the “Math” method.


The result shows decimal values but not the text equivalent. 🙁 So enter “chr(” into the “Pre Str” box and a closing parenthesis in the “Post Str” box.


Look familiar? Now we can use the “ASCII” method to get the characters. I also entered an ampersand and space character in the “Remove Chars” box.


The resulting deobfuscated script will probably error out if you try executing it. Again, all this tool will do is try to make the script readable so you can better understand it. You may need to use this tool on parts of the script then put them back together yourself to figure things out.

I tried to make the functions in this tool flexible and generic enough to handle whatever scripts come your way. However, if you encounter something new, please let me know. You can get the tool here.

Happy reversing!

Posted in Malscript, Tools | Tagged , , , , , | Comments Off on Script Deobfuscator Released

Packing/Unpacking Javascript from DOS

Here’s one way to pack and unpack Javascript from the Windows’ command line. For this we use PhantomJS and Dean Edwards’ Javascript Compressor.

1. Download PhantomJS from here.

2. Download the JSPacker.js file from here.

3. Put everything in a folder or on your desktop then in DOS type the following:

C:\> phantomjs jspacker.js pack in.txt out.txt


C:\> phantomjs jspacker.js unpack in.txt out.txt


Posted in Tools | Tagged , , , | Comments Off on Packing/Unpacking Javascript from DOS