• Blog/JS Dropper Galaxy

JS Dropper Galaxy - The wonderful ways to obfuscate JavaScript Dropper

Malware Analysis and Code Reverse Engineering is one of my passion in security field.

Today I'd like to show two wonderful ways, used by bad actor, to offuscate a JavaScript file in order to get complicated code analysis. I analyzed the same phishing campaign (based on e-mail's Object) that spreads two different JavaScript droppers.

Bad Actor used double file extension to lure the target.

The first one:

That file is well obfuscated and only a dynamic analysis help you to understand which actions it will perform during its execution.

The second one:

JavaScript Obfuscated Code - Part 1

JavaScript Obfuscated Code - Part 2

This JavaScript gives me the evidence that who create it is not very expert in code development and obfuscation field. The trick used to obfuscate that file has been to create a lot of functions that have an array filled with random number and only one position with text or one char, the function will return when invoked a specific position that is the only char present into the array. (Look Part 1).
The second part shows as who created this file, invoked more than one function within specified array position in order to rebuild URL and other objects ("Scripting.FileSystemObject", "ADODB.Stream", "MSXML2.XMLHTTP") used for evil purpose. Below I am reporting two images that show the JavaScript code de-obfuscated.
Reading it you can see which Objects will invoked in your OS when the JS file will be executed, which URL will be contacted and in which folder the evil files will be stored in your computer. No dynamic analysis is necessary to understand which actions this JavaScript will be performed and which URL will be requested.

JavaScript De-Obfuscated Code - Part 1

JavaScript De-Obfuscated Code - Part 2

The same Campaign, two different file...?!?!

Next post