Thursday, 7 July 2016

, , , ,

JS Dropper Galaxy

The wonderful ways to obfuscate JavaScript Dropper




Malware Analysis and Code Reverse Engineering is one of my passion in security field.

Today I'd like to show two wonderful ways to offuscate a JavaScript file in order to get complicated code analysis.

I analyzed the same phishing campaign (based on e-mail's Object) that spreads two different JavaScript dropper. 

As usual the author try to lure the user using double file extensions. 


The first is the following:

This file is well obfuscated and only a dynamic analysis help you to understand which actions it will perform during its execution.

The second is the following:

JavaScript Obfuscated Code - Part  1
JavaScript Obfuscated Code - Part 2
This JavaScript give me the evidence that who create it is not a very expert in code development and obfuscating field.

The trick used to obfuscate this file is to create a lot of functions that have an array filled with random number and only one position with text or one char, the function will return when invoked a specific position that is the only char present into the array. (Look Part 1)

The second part shows as who created this file, invoked more than one function within specified array position in order to rebuild URL and other objects ("Scripting.FileSystemObject", "ADODB.Stream", "MSXML2.XMLHTTP") used for evil purpose.

Below I am reporting two images that show the JavaScript code de-obfuscated. Reading it you can see which Objects will invoked in your OS when the JS file will be executed, which URL will be contacted and in which folder the evil files will be stored in your computer. 

No dynamic analysis is necessary to understand which actions this JavaScript will be performed and which URL will be requested.

JavaScript De-obfuscated Code - Part 1
JavaScript De-obfuscated Code - Part 2

 The same Campaign, two different file...?!?! 
Reazioni:

0 commenti:

Post a Comment