Revelo Updated

A colleague of mine received the following email in their Gmail in-box and wondered how it got past their filters and what it does.

2015-02-15_01

What almost tricked him was the fact that it called out his name. Only after looking at the originating email address did it make him pause. Good thing they didn’t spoof that. Let’s have a look at the attachment.

2015-02-15_02

It’s a Javascript file. Malicious scripts are hard to detect because it’s so easy to modify and customize. By the looks of this, it concatenates a value to the variable ‘a’ then jumps to another function. It keeps doing this until the very end then evals it. The problem is trying to find the “end”. Can you find it?

2015-02-15_03

First let’s deobfuscate this manually. You will need to find the end of all of the concatenation it’s doing then replace the eval with alert. After spending about a minute of eyeballing the script, I gave up. I did a search for “(a)” and found in the middle.

2015-02-15_04

Just change that to “alert(a)” and execute the file with your browser and you’ll see what it does.

2015-02-15_05

An easier way is just to append the short script at the end like this. When you run the script, you get the same result as above.

2015-02-15_06

The deobfuscated script, by the way, makes an AJAX call to a website at tripenjoy.com, downloads a unique file which poses as a JPEG image, renames it as an executable, then runs it.

2015-02-15_07

The downloaded file is definitely not a JPEG image.

2015-02-15_08

The payload keeps changing and the latest one I got was a nearly FUD malware according to VirusTotal.

2015-02-15_09

I’ve been meaning to update Revelo and this script prompted me to do it. The latest version allows you to deobfuscate these types of scripts quicker now by doing the same method we used above.

Run Revelo and paste in the Javascript (or open the file). Revelo needs the “<script></script>” tags so just click on Options > Add Script Tags and it will do so automatically.

2015-02-15_10

Choose the “Append Variable to End” method, type in “a” (the name of the variable we want to view) and click on Execute. Done!

2015-02-15_11

The second method I added is called “Intercept Return and Variable”. What this will do is intercept a user-specified variable that’s being returned from a function back to the caller.

Here’s an example. The script below passes a series of numbers to “CRYPT.obfuscate” then onto a “CRYPT.decode” function. The decode function decodes the values, converts it to a string then returns the deobfuscated result which has been highlighted in red.

2015-02-15_12

All you need to do is select the new method and enter “return output” and click on Execute. Done!

2015-02-15_13

I also added three more options to the menu:

2015-02-15_14

    * “Send Results to Prompt when Possible” – will try to display the results in this way: prompt(1,variable).
    * “Use Double Quote” – when trying various methods to deobfuscate a script, inserting single quotes into the script may mess things up so if this option is selected, double quotes will be used instead.
    * “Convert Object to Text” – simply appends “.text” to objects in order to convert them to text where appropriate.

The latest version of Revelo is available on the Tools page.

This entry was posted in Malicious Email, Malscript, Tools and tagged , , . Bookmark the permalink.