On July 1st 2016 I saw a tweet by Herbie Zimmerman (@HerbieZimmerman), where he had gotten a zip file from some malspam containing an obfuscated JavaScript file.
The infection chain is documented on his site here: https://www.herbiez.com/?p=550
He had posted that he had trouble reversing the script, so that is what I will cover here.
As we scroll down the script we first see this.
We see it starts by setting a variable, assigning a value, then tacking more onto the end of it. We next see another variable name with a value assigned to it.
If we look closely at the second variable name, it is the same variable name and the same value assigned many times.
So we scroll down until we see this.
Tacking more onto our initial value. Scroll down some more.
Hmm, a regular expression and a new array.
Looks like this is only supposed to work this year.
Hmm, if the date doesn’t match it returns an empty string, else ……
Let’s take a closer look at this.
This looks like it takes our first variable as a hex array and XORs each entry with the decimal value 68.
A close look at the second variable name shows it is never used, so let’s clean this up and see what is left.
Now that we have this cleaned up, what do we have?
At the top we see our initial variable as a string of hex chars.
Next our variable is reassigned as a hex array by using the regex to split the string into pieces of 2 hex chars each, i.e. one array entry per byte.
Then we start the while loop.
Next is a check for the year. The interesting thing about this is that the function used is deprecated in browser JavaScript and there returns 116 (the year minus 1900) instead of 2016. If you try to drop this script into an HTML page, the check will always be false.
If it succeeds in matching the date, it runs through the array of bytes and XORs each one with “decimal” 68 (that tripped me up for a few minutes), then finally outputs the string, which is the decoded script.
The final 2 lines take our decoded script, drop it into a new Function, then call it to run the decoded script.
And here is what it looks like.
The script itself calls out to “http[:]//220.181.87[.]80/ok.jpg” to download the file, uses a random name generator to create a 1-char name from the alphabet “1234567890abcdef”, saves the file to the temp folder, then launches the resulting .exe file.
That’s pretty much it for this one.
OK, so I rushed over the part about getting the variable values into a hex array.
We first copy all of the variable parts over to a new text window.
Next, in this case using Notepad++, select everything from the left single quote on the second variable to the right single quote on the first variable (the junk that sits between two pieces of our string), then hit the Find button.
Next choose the Replace tab.
Be sure the “Replace with” field is empty, then select Replace All, and we get:
Now take everything in between the 2 single quotes and run it through your favorite XOR tool.
Take the result of the XOR and drop it back into a new Notepad++ window and use the JavaScript format option.
And there we go.
I hope it helps.