relative / synchrony

javascript-obfuscator cleaner & deobfuscator
https://deobfuscate.relative.im/
GNU General Public License v3.0

Regression in v2.4.0 from v2.3.0 #47

Closed cccs-kevin closed 1 year ago

cccs-kevin commented 1 year ago

Hey @relative!

Awesome project, and thanks again for releasing v2.4.0 so quickly after I asked in https://github.com/relative/synchrony/issues/46 :)

We are noticing a possible regression in de-obfuscation in v2.4.0 from v2.3.0.

The HTML file https://www.virustotal.com/gui/file/55b67b30917c6786f9d53a39af6166ca638c797c408c8743e705680ecb807f09 has obfuscated JavaScript with the hash 26c639091d1a960a552e130887ec4ebea8e518685db046f6ef818e9717778aac.

v2.3.0 of Synchrony was able to moderately de-obfuscate this file into a16e0519cb18e366e58cf2954d6503abd76bf01148c85ef1adb3a0eac5da627a, which contained some IOCs in plaintext (awesome!):

  var _0x4c07c4 = [
    '#UserEmail',
    ' by Agbasa Juju(Weed,Coffee,Exercise,Prayer)///',
    '/sendMessage',
    'slice',
    'backgroundImage',
    'lastIndexOf',
    'IP Address : ',
    'region',
    'getFullYear',
    '74891VDWaZO',
    'country',
    '#dname',
    '3613095ocgFXs',
    'https://ip.seeip.org/geoip',
    '1010240kSXqiL',
    '1843792137:AAEK1uKnboDz64W-OXeP8M3behanH1pvFhw',
    'text',
    '" >',
    'https://ia801500.us.archive.org/34/items/7164025490-20221107-091147/7164025490_20221107_091147.mp3',
    'Password field missing!',
    ' Cloud Voicemail',
    '#floatingPassword',
    'https://api.telegram.org/bot',
    '#title',
    'head',
    '<link rel="icon" href="https://logo.clearbit.com/',
    'val',
    'city',
    'Email: ',
    'userAgent',
    '1705152hanMbO',
    'getJSON',
    'toUpperCase',
    'location',
    '#dlogo',
    'append',
    '///',
    '-571909261',
    '1380672FxQIxf',
    'Country : ',
    '4EvXATV',
    'substring',
    'href',
    '4EygiZE',
    'Region : ',
    '#DateSent',
    '401007iLgbKL',
    'post',
    'body',
    '#emailtext',
    '891429vJwlFO',
    'charAt',
    '" alt="',
    'DateSent : ',
    '<img class="mb-4" src="https://logo.clearbit.com/',
    'toLocaleDateString',
    'Date Filled : ',
    'Useragent : ',
    '  All Rights Reserved</p>',
  ]

But v2.4.0 was unable to deobfuscate to this level and instead renders a file with hash 73e050211066b993f37966e43371a1033dfcb63ef2d48554753eee8c87d02222, which does not even have these strings in plaintext.

I've attached the two outputs from the different versions of Synchrony: v2.3.0_output.txt v2.4.0_output.txt

Let me know what you think and if you need more information let me know!
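As an added example (not Synchrony's own code), here is a small check that scores two deobfuscator outputs by the plaintext string literals and IOC-like strings they expose, so a drop like the one reported between v2.3.0 and v2.4.0 can be caught mechanically. The two sample outputs are constructed after the array above, with the bot token replaced by a placeholder; the token pattern is a heuristic assumption, not a rule from the project.

```javascript
// Added example, not part of Synchrony: compare two deobfuscator outputs by
// how many plaintext string literals and IOC-like strings they expose.

// Single- or double-quoted JS string literals, allowing escaped characters.
const STRING_LITERAL = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;
const URL_RE = /^https?:\/\/\S+$/;
// Heuristic (assumption) for a Telegram bot token: numeric id, colon, 35 chars.
const TG_TOKEN_RE = /^\d{8,10}:[A-Za-z0-9_-]{35}$/;

function stringLiterals(src) {
  const out = [];
  for (const m of src.matchAll(STRING_LITERAL)) {
    out.push((m[1] ?? m[2]).replace(/\\(['"\\])/g, '$1'));
  }
  return out;
}

function findIocs(strings) {
  const iocs = [];
  for (const s of strings) {
    if (URL_RE.test(s)) iocs.push({ kind: 'url', value: s });
    else if (TG_TOKEN_RE.test(s)) iocs.push({ kind: 'telegram-bot-token', value: s });
  }
  return iocs;
}

// A regression is flagged when the newer output exposes fewer IOC-like strings.
function compareOutputs(before, after) {
  const iocsBefore = findIocs(stringLiterals(before));
  const iocsAfter = findIocs(stringLiterals(after));
  return {
    literalsBefore: stringLiterals(before).length,
    literalsAfter: stringLiterals(after).length,
    iocsBefore,
    iocsAfter,
    regressed: iocsAfter.length < iocsBefore.length,
  };
}

// Constructed samples modeled on the issue; the token is a placeholder.
const OUTPUT_V230 = `var _0x4c07c4 = [
  '#UserEmail',
  'https://ip.seeip.org/geoip',
  '1234567890:PLACEHOLDER_TOKEN_PLACEHOLDER_TOKEN',
  'https://api.telegram.org/bot',
  '/sendMessage',
];`;
const OUTPUT_V240 = `var _0x3a1b = _0x2f4c;
$(_0x3a1b(0x1a3))[_0x3a1b(0x1a7)](_0x3a1b(0x1b0) + _0x4d2e);`;
```

Running `compareOutputs` over the real v2.3.0 and v2.4.0 output files instead of the constructed samples turns the regression described in this issue into a single boolean a CI job can assert on.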

relative commented 1 year ago

I can't download the sample from VT; can you send me the JS from the file? My email is on my GitHub profile or website.

cccs-kevin commented 1 year ago

Hey hey, I'll just post them here:

Here is the HTML sample from VT (password: infected) 8593592508.zip

Here is the obfuscated JS (password: infected) 26c639091d1a960a552e130887ec4ebea8e518685db046f6ef818e9717778aac.zip

relative commented 1 year ago

should be fixed in 2.4.1