Script Deobfuscator Updated

Continuing from my last blog post, I updated the program to handle the latest obfuscated JavaScript technique. I made the logic generic so that it can cope with future versions and variants, which means the results may come out a bit weird (e.g. stray tick marks). The main thing is that you’ll be able to see what these scripts are doing.

I also broke out the concatenation option by script type (PHP, JavaScript, VBA/VBS use different concatenation operators), which should improve the results over the previous version.

2016-02-22_01

2016-02-22_02

2016-02-22_03

I hope this works for most of the scripts you encounter. And thank you for your continued support!

Posted in Malscript, Tools

Deobfuscating a Hideous-Looking JS Downloader

One of my readers, Stefano from zanna.it (thanks!), sent me this little gem:

2016-02-21_01

In the midst of seemingly random strings there are clues to its structure, but there’s very little to go on. I started off by grabbing a portion of the script and having it show me what the variable contains.

2016-02-21_02

The string of gibberish is laid out as an array, but only the last value is collected. Here you can see the individual characters that make up the call to the URL.

2016-02-21_03

I found another script that employs the same method. In this version, the values outside of the elements between parentheses are collected. The first section spells out “ActiveXObject”.

2016-02-21_04

Here’s yet another script that uses the same method and then takes it up another level. The first section also spells out “ActiveXObject”, but this time it makes use of an interesting behavior where only the first character of the string attached to the “.e()” property is collected. Note: you need to unescape the script first to convert the escaped decimal values into characters.

2016-02-21_05

Writing a program to extract the correct value is a little tricky but doable. I’ll need to test this further before releasing the program but it seems to work.

Example #1

2016-02-21_06

Example #2

2016-02-21_07

Example #3…for this one, I had to unescape the script first.

2016-02-21_08

Each of these three scripts downloads an executable, saves it to the temp folder, then executes it.

Posted in Malicious Email, Malscript

Script Deobfuscator Released

The purpose of this tool is to help you perform static analysis on obfuscated scripts. It’s often easier to dynamically analyze scripts but there are times when you just don’t know where to start or you just want a high-level view of what’s going on with the script. This tool may be able to help you.

I already wrote a tool called PHP Script Decoder, but this new version has been rewritten in .NET with new functionality and flexibility in order to handle PHP, JavaScript, VBA, and VBS scripts.

To explain how to use this tool, let me show you how to tackle seven different obfuscated scripts.

Example #1 (unphp)

Here’s what the script looks like. Looking at the script, you’ll see an array of base64-encoded strings at the top. Following that are references to specific elements from the array.

2016-02-15_01

Paste in the script sections like so: the script you are trying to deobfuscate goes at the top, and the array of base64-encoded strings, separated by commas, goes in the middle section. I enter the search string value of “_705650624(#)” since that’s how the script at the top references the elements from the array (note: the pound sign is a wildcard for the index and must be present). I select the “Array” method and click on the “Convert” button.

2016-02-15_02

The results still show encoded strings so now I check the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options and try again.

2016-02-15_03

The script has been deobfuscated and is much easier to read. It won’t execute though, because the strings are now quoted (or unquoted) incorrectly.

Example #2 (ddecode)

Here’s the script we’ll be working on:

2016-02-15_04

First we need to unescape it so click on the “Unescape” button. If you right-click on the Output box, there’s an option to save the results to a text file. (You can right-click on the Input box and read in a file too.)

2016-02-15_05

Click on “Copy Output to Input” to move the result to the top. This script uses randomized variable names and assigns a value to each; the later portion of the script references those values.

The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value.

Choose the “Random Vars 1” method. The delimiter for this script is a semi-colon, and for the search string I enter ${"GLOBALS"}["#"]="*"; The pound sign is the placeholder for the variable name and the asterisk is the placeholder for the value.

Here’s the result:

2016-02-15_06

Example #3 (unphp)

This script also uses random variable names but in this version, the strings are base64-encoded. The top portion defines the global variables while the lower section, beginning at “session_start()”, references them.

2016-02-15_07

Paste the script sections in the tool as follows then choose the “Random Vars 2” method and the “Base64 Decode” and “Keep Quotes” options. Note the search string has spaces in between so that it matches the script at the top.

2016-02-15_08

Example #4 (unphp)

Here’s what the script looks like (I highlighted the key):

2016-02-15_09

This script references elements of an array to build the values for its variables; each index is a character position in the key, so the array lookup is really a character lookup.

The first step is to paste the entire script into the input box and choose the key lookup option. I use $f9[#] as the search string. In the Lookup Key box, paste the key and remove the starting and ending quotes; also make sure the key you paste in has been properly escaped. You can see there’s concatenation going on, so check the “Concatenate” option.

2016-02-15_10

Example #5 (ddecode)

In this example, we’re just interested in decoding the base64 strings.

2016-02-15_11

Copy the entire script to the Input box, choose the “Base64” method, and check the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options. Make sure the delimiter and search string match those used in the script.

2016-02-15_12

Example #6 (pastebin)

This script uses a Joomla exploit and is built entirely from decimal character values, making it tough to see immediately what it does.

2016-02-15_13

Paste the script into the Input box and choose the “ASCII” method.

2016-02-15_14

Almost, but it’s not concatenated. Choosing the “Concatenate” option won’t clean up everything here. In the “Output Options” section there’s a “Remove Chars” box; enter a period and try again.

2016-02-15_15

Example #7 (pastebin)

This last example is a VBA script. It does a simple math calculation, then the result is converted to its ASCII character equivalent.

2016-02-15_16

Paste the script in and choose the “Math” method.

2016-02-15_17

The result shows decimal values but not the text equivalent. 🙁 So enter “chr(” into the “Pre Str” box and a closing parenthesis in the “Post Str” box.

2016-02-15_18

Look familiar? Now we can use the “ASCII” method to get the characters. I also entered an ampersand and space character in the “Remove Chars” box.

2016-02-15_19

The resulting deobfuscated script will probably error out if you try executing it. Again, all this tool will do is try to make the script readable so you can better understand it. You may need to use this tool on parts of the script then put them back together yourself to figure things out.
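To make the seven methods above concrete, here is an added Python example (not the tool’s own .NET code) that implements the same passes as small functions: the “#”/“*” search-string wildcards, the Array, Random Vars, key lookup, ASCII and Math methods, and the per-script-type Concatenate option. Every sample script inside demo() is constructed for illustration rather than copied from the screenshots, and the function names are my own.

```python
"""Static deobfuscation passes mirroring the Script Deobfuscator methods used in
the seven examples above. Added, stand-alone example; not the tool's own code.
All sample scripts in demo() are constructed for illustration."""
import ast
import base64
import re

# "Concatenate" is split by script type: PHP uses ".", JavaScript "+", VBA/VBS "&".
CONCAT_OPS = {"php": ".", "js": "+", "vba": "&"}


def pattern_to_regex(pattern, index_re=r"(\d+)", value_re=r"(.*?)"):
    """Compile a search string such as _705650624(#) or ${"GLOBALS"}["#"]="*";
    where '#' is the index/name wildcard and '*' the value wildcard."""
    parts = []
    for ch in pattern:
        parts.append(index_re if ch == "#" else value_re if ch == "*" else re.escape(ch))
    return re.compile("".join(parts))


def quote(value, keep_quotes=True):
    """The "Keep Quotes" option: emit the value as a double-quoted literal."""
    return '"%s"' % value.replace('"', '\\"') if keep_quotes else value


def concatenate(script, script_type="php"):
    """Fold "a" . "b" (or + / &) into "ab" until nothing changes."""
    rx = re.compile(r'"([^"]*)"\s*' + re.escape(CONCAT_OPS[script_type]) + r'\s*"([^"]*)"')
    while True:
        folded = rx.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), script)
        if folded == script:
            return script
        script = folded


def array_method(script, array_src, pattern, b64=False, keep_quotes=True):
    """Example #1: replace each _name(#) reference with the #-th array element."""
    elems = [m.group(2) for m in re.finditer(r"""(['"])(.*?)\1""", array_src)]
    if b64:
        elems = [base64.b64decode(e).decode("utf-8", "replace") for e in elems]
    return pattern_to_regex(pattern).sub(
        lambda m: quote(elems[int(m.group(1))], keep_quotes), script)


def random_vars_method(script, pattern, keep_quotes=True):
    """Examples #2/#3: collect name=value definitions, strip them, then replace
    every later reference (the part of the pattern before '=') with its value."""
    defn = pattern_to_regex(pattern, index_re=r"(\w+)")
    values = dict(defn.findall(script))
    script = defn.sub("", script)
    ref = pattern.split("=")[0]
    for name, value in values.items():
        script = script.replace(ref.replace("#", name), quote(value, keep_quotes))
    return script


def key_lookup_method(script, pattern, key, keep_quotes=True):
    """Example #4: $f9[#] selects the character at position # of the key."""
    return pattern_to_regex(pattern).sub(
        lambda m: quote(key[int(m.group(1))], keep_quotes), script)


def safe_arith(expr):
    """Example #7 helper: evaluate an integer + - * / expression without eval()."""
    ops = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
           ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a // b}

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in ops:
            return ops[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression: %r" % expr)
    return walk(ast.parse(expr.strip(), mode="eval").body)


def math_method(script, pre="Chr(", post=")"):
    """Example #7: reduce Chr(50+54) to Chr(104) so the ASCII method can finish it."""
    rx = re.compile(re.escape(pre) + r"([0-9+\-*/ ]+)" + re.escape(post))
    return rx.sub(lambda m: "%s%d%s" % (pre, safe_arith(m.group(1)), post), script)


def ascii_method(script, pre="chr(", post=")", keep_quotes=True, remove_chars=""):
    """Examples #6/#7: turn chr(104) into "h", then drop any "Remove Chars"."""
    rx = re.compile(re.escape(pre) + r"(\d+)" + re.escape(post), re.IGNORECASE)
    script = rx.sub(lambda m: quote(chr(int(m.group(1))), keep_quotes), script)
    return "".join(ch for ch in script if ch not in remove_chars)


def demo():
    """Run each pass over a constructed sample; returns the readable results."""
    out = {}
    s = array_method('echo _705650624(0) . _705650624(1);',
                     '"aGVsbG8=", "IHdvcmxk"', "_705650624(#)", b64=True)
    out["array"] = concatenate(s, "php")
    out["random_vars"] = random_vars_method(
        '${"GLOBALS"}["k1"]="dir";${"GLOBALS"}["k2"]="cmd";echo ${"GLOBALS"}["k1"];',
        '${"GLOBALS"}["#"]="*";')
    s = key_lookup_method('echo $f9[0].$f9[4].$f9[6];', "$f9[#]", "hello world")
    out["key"] = concatenate(s, "php")
    s = ascii_method(math_method('x = Chr(50+54) & Chr(55+50)'), pre="Chr(")
    out["math"] = concatenate(s, "vba")
    return out


if __name__ == "__main__":
    for name, text in demo().items():
        print("%-12s %s" % (name, text))
```

As with the tool, the output is meant to be readable rather than executable: Keep Quotes wraps every recovered value in double quotes regardless of how the original script quoted it, and the arithmetic evaluator deliberately walks the AST instead of calling eval(), so an unexpected token in a Chr() argument raises rather than runs.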

I tried to make the functions in this tool flexible and generic enough to handle whatever scripts come your way. However, if you encounter something new, please let me know. You can get the tool here.

Happy reversing!

Posted in Malscript, Tools

Packing/Unpacking Javascript from DOS

Here’s one way to pack and unpack JavaScript from the Windows command line. For this we use PhantomJS and Dean Edwards’ JavaScript Compressor (the “p,a,c,k,e,d” packer).

1. Download PhantomJS from here.

2. Download the JSPacker.js file from here.

3. Put everything in a folder or on your desktop then in DOS type the following:

C:\> phantomjs jspacker.js pack in.txt out.txt

-or-

C:\> phantomjs jspacker.js unpack in.txt out.txt

2016-02-06_01
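If you would rather not stand up PhantomJS just to read a packed sample, the unpacking side is simple enough to reimplement. The following is an added Python example, not part of the post or of Dean Edwards’ package: it parses the eval(function(p,a,c,k,e,d){…}(…)) wrapper, rebuilds the packer’s word-index encoding (digits, then a–z, then A–Z for base 62), and replays the replacement loop from the highest index down exactly as the JavaScript stub does. The packed blob in SAMPLE is constructed by hand for the test.

```python
"""Unpacker for Dean Edwards-style p,a,c,k,e,d JavaScript. Added example, not
the packer's own code; SAMPLE below is a hand-built blob, not from the page."""
import re

# Matches the stub header up to the packed arguments: payload, base, count, words.
PACKED_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,[dr]\)\{.*?\}\('(?P<p>(?:[^'\\]|\\.)*)',"
    r"(?P<a>\d+),(?P<c>\d+),'(?P<k>[^']*)'\.split\('\|'\)",
    re.DOTALL)

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode_base(n, base):
    """The packer's e(c): base-`base` digits using 0-9, a-z, then A-Z."""
    out = ""
    while True:
        n, r = divmod(n, base)
        out = DIGITS[r] + out
        if n == 0:
            return out


def unpack(packed):
    """Replay the stub's replacement loop and return the original source."""
    m = PACKED_RE.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k,e,d blob")
    payload, base, count = m.group("p"), int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")
    # Undo the single-quote escaping the packer applied to the payload literal.
    payload = payload.replace("\\'", "'").replace("\\\\", "\\")
    # Same order as the stub: while(c--) if(k[c]) p = p.replace(/\b<e(c)>\b/g, k[c])
    for i in range(count - 1, -1, -1):
        if i < len(words) and words[i]:
            token = r"\b%s\b" % re.escape(encode_base(i, base))
            payload = re.sub(token, lambda _m, w=words[i]: w, payload)
    return payload


# Constructed sample: "var alert=x('hi');" packed with base 62 and 3 words.
SAMPLE = ("eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace("
          "new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}"
          "('0 1=2(\\'hi\\');',62,3,'var|alert|x'.split('|'),0,{}))")

if __name__ == "__main__":
    print(unpack(SAMPLE))
```

Real packed scripts often wrap the stub differently (a `;` instead of a trailing `))`, or `r` instead of `d` as the last parameter), so treat PACKED_RE as a starting point and widen it if a sample is not recognised. Nothing here evaluates the script; the output is plain text for reading.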

Posted in Tools

Javascript Deobfuscator Updated

This program was originally written as a proof of concept, but it turned out to work pretty well, so I’ve added several new features to make it more robust and helpful. It still can’t handle sophisticated scripts; for those, use Revelo.

To show you what’s been added, I’ll go through a few live examples taken from Dynamoo’s pastebin (Conrad has a great site documenting malicious emails — check it out!).

Example #1 (pastebin)
In this latest version, you can click on the “Clues” button and the program will highlight text that will give clues on how to deobfuscate the script. If the script is long, it may take awhile.

You can see that “eval” is highlighted. If I try deobfuscating just on “eval”, it won’t work because of the way the script is written. I now need to find out what’s calling the function “szkmYVRfAFZYusP”.

2016-01-09_01

I click on the “Reset” button to clear the highlights. I type in “szkmYVRfAFZYusP” then click on the “Highlight” button to find all instances of this string. Scroll down to the bottom and you can see what’s calling it.

2016-01-09_02

I double-click on the string “szkmYVRfAFZYusP” and click on “Convert”. The script is now deobfuscated.

2016-01-09_03

Example #2 (pastebin)
This script is somewhat painful to deal with. You need to find out where the eval is called. Let me try searching for “eval”. No luck. Let me try “this”. I find it near the top.

2016-01-09_04

Now let me search for the variable name “mek”. I find that about 2/3rds of the way down.

2016-01-09_05

Finally I search for “wozv”. Going back up, I find it calling the variable “mhnW”.

2016-01-09_06

My guess is that “wozv” will evaluate the concatenated script held in “mhnW” (which it does). Highlighting just the verb “wozv” won’t work, so let me highlight the function name and the variable together. To use this method, the variable name must be enclosed in a single set of parentheses.

2016-01-09_07

Since the input textbox is actually a richtext box, selecting the text can be tricky. Hold down ALT while you use your mouse to select the text. Or click on the first letter, hold down the SHIFT key and use the arrow keys to select the text.

Example #3 (pastebin)
For this script, I just searched for “eval” which is found about 1/5th down.

2016-01-09_08

Deobfuscating on “eval” won’t work for this script. But let me try it on the variable name which it’s evaluating. Done.

2016-01-09_09

You can get the updated tool here. And remember to use this in a VM; there are absolutely no safeguards built in!

Posted in Tools