MEGANUKE

Deobfuscating and Understanding a Malicious Javascript File

Hi everybody, Meganuke here! Today I'm going to show you my findings while deobfuscating a Javascript malware sample. There is a collection of almost 40,000 samples in a github repository by Hynek Petrak, which is a cool place to start if you are starting to get your hands on these kinds of projects.

You can find the repository here:
Ok, now that you have all the basic information. Let's dive in!!

First, we select a random sample. I didn't want to work on a really old sample, so I've decided to go with this one: 20170501_018edd4b581516682574e305c835c5c9.js, which tells us by its name that it was captured on 2017-05-01. As soon as I opened it I saw a lot of gibberish: a long string at first that seems like random characters, followed by lots of short strings being concatenated together. You can see the picture to see what I mean.

Well, the first place I would like to start is by getting rid of all the concatenation, I just want to have a single string. There are many ways to do this but for me, the easiest one is to simply start by commenting out everything but the variable I would like to clean and use console log to output the full string. Of course, I was careful enough to check if there were any EVAL functions or other stuff that could trigger anything. So, after cleaning all the variables we get something like this:

This is still quite confusing, but it makes more sense than before. There is a function with an odd name (RiYTWtZHfKGdkUyEx) whose purpose we can easily understand. It takes three arguments. The first argument is the string to process (the name of the variable in this case). The second argument is the pattern used to split the string, and the third argument is the character or string used to join the pieces back together. This is the function:

We now know what the function does, so it's time to start renaming the values so they make sense. After changing the names of the function's parameters, it's time to check how this function deobfuscates the variables. To do this, all I had to do was log the variable glDKwCjkWBtOiHbdXx and see the output. After doing that, we can see clearly what this sample wanted to do. It builds JScript as a string and then uses EVAL to call it. (So, now we know this was aimed at Windows.) Let's see what I believe it is trying to do:

It creates a variable which instantiates an ActiveXObject("Shell.Application") to get a shell object. Then it also creates a WScript.Shell to use the shell and a Scripting.FileSystemObject to be able to access the computer's file system. After that, it uses a function to check if a file exists, which at this point I believe is some kind of killswitch, or just a step to avoid trying to reinfect an already infected computer.

The next one is a little tricky because it involves a couple of steps to get there. It seemed there was not a single call to a specific variable, but that seemed odd, so I thought maybe it would be called later. So I proceeded to the next one and, oh, surprise: after deobfuscating that string we can see that the previous variable was indeed called, and it was used to access the Windows registry to get a specific character from it. Why that is, I don't know, but let's keep going.

After deobfuscation, it was indeed a registry key. Precisely, it was "HKLM\software\miCrosoft\windoWs nT\currentversIoN\SysTemROOT", which is read to get a single character. It uses the WScript.Shell object created before to access the registry and get the character; we will see which one it is in a moment. So far, it hasn't done anything other than that.

The last obfuscated variable is called only if the function created by the first variable returns false. Otherwise, it won't call it. This variable uses the deobfuscate function two times. Here is where we need the registry key character to continue the deobfuscation. After a lot of researching I found that the character it retrieves from that specific registry key is a colon ":", which gets replaced with a "%" sign to turn the string into a URL-encoded payload. OK, and check this out. We now have a completely deobfuscated script. Let's check what it does in the correct order.
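To make the two transforms described above concrete, here is an added analyst helper (my own example, not code from the sample) that reproduces the split/join function and the colon-to-percent step on constructed strings, then pulls the COM object names and URLs out of the recovered text for triage. The separator "~Q~", the ProgID string and the example.invalid URL are all constructed here, not taken from the malware.

```javascript
// Added analyst helper (not from the sample): reproduces the two transforms
// the post describes so an obfuscated string can be recovered offline.

// Mirrors RiYTWtZHfKGdkUyEx(str, pattern, joiner): split on the pattern and
// re-join with the joiner. With an empty joiner the pattern is simply removed.
function deobfuscate(str, pattern, joiner) {
  return str.split(pattern).join(joiner);
}

// Second stage from the post: the registry lookup yields ":"; the sample swaps
// it for "%" so the result becomes a normal percent-encoded string.
function decodePercentPayload(str, registryChar) {
  return decodeURIComponent(str.split(registryChar).join("%"));
}

// Constructed sample strings (NOT the real malware strings) built the same way:
// a junk separator "~Q~" inserted into an ActiveX ProgID, and a percent-encoded
// URL whose "%" signs were replaced by ":".
const OBF_PROGID = "WSc~Q~ript~Q~.Sh~Q~ell";
const OBF_URL = "http:3A:2F:2Fexample.invalid:2Fadmin.php:3Ff:3D404";

function recoverSample() {
  const progId = deobfuscate(OBF_PROGID, "~Q~", "");
  const url = decodePercentPayload(OBF_URL, ":");
  return { progId, url };
}

// Triage: list the COM objects and URLs present in recovered text, the same
// artefacts the post walks through (shell, filesystem, XMLHTTP, ADODB.Stream).
function extractIndicators(text) {
  const progIdRe = /(?:WScript\.Shell|Shell\.Application|Scripting\.FileSystemObject|MSXML2\.XMLHTTP|ADODB\.Stream)/gi;
  const progIds = text.match(progIdRe) || [];
  const urls = text.match(/https?:\/\/[^\s"']+/gi) || [];
  return { progIds: [...new Set(progIds)], urls };
}
```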

First, it will eval the FirstActiveXObjects variable, which will be used to instantiate the shell, provide shell access, and access the filesystem. It will then check whether a folder exists with a function returning either True or False. If it's true, the script will simply stop, but if it returns false it will create new ActiveXObjects: a new WScript.Shell, a Shell.Application and an MSXML2.XMLHTTP, which is used to make requests to websites. It will then create a file in the Templates directory, naming the retrieved file with a random number followed by .exe. It will make a request to "http://kingzoneg.top/admin.php?f=404" and, if the status code is 200, it will save the payload using "ADODB.Stream" as a stream of data. Then it will execute the downloaded file. As of today, the website no longer seems to exist, but a simple Google search suggests the downloaded file had something to do with ransomware.

Well, that is all for today! Hope you enjoyed it and maybe also learned something new. Cheers!

MEGANUKE!

Published on 24 November 2021
