JavaScript Deobfuscation Update

It didn't take long for the Internet Storm Center to post another article on JavaScript deobfuscation, this one by Didier Stevens. This time the previous deobfuscation techniques failed,so Didier uses python to do static analysis.Nice work. The article is here.

Angler Exploit Kit to TeslaCrypt

There's an excellent write up by Brad Duncan in the Internet Storm Center's Handler Diaries on analyzing a compromise that used the Angler Exploit Kit to deliver TeslaCrypt.

From the article:

On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events.

The chain started with a compromised website that generated an admedia gate.

The gate led to Angler EK.

Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.

·         178.62.122.211 - img.belayamorda.info - admedia gate
·         185.46.11.113 - ssd.summerspellman.com - Angler EK
·         192.185.39.64 - clothdiapersexpert.com - TeslaCrypt callback traffic

 Full write up is here.

Some of the obfuscation may seem daunting, but there's a wealth of information on techniques to deobfuscate Javascript and other code. A lot of that information is in the Handlers Diaries itself. Here's some other write ups from the ISC:

1. Decoding Javascript

2. Deobfuscating VB Script

3. Advanced Obfuscated Javascript Analysis

4. Javascript Traps For Analysts

5. Mixed (VBScript and JavaScript) Obfuscation

6. Browser *does* matter, not only for vulnerabilities - a story on JavaScript deobfuscation

7. V8 as an Alternative to SpiderMonkey for JavaScript Deobfuscation

8. Decoding Common XOR Obfuscation in Malicious Code

9. Javascript decoding round-up

And from other sites:

1. JavaScript Obfuscation - Manual Armor - Malware at Stake

2. Javascript Deobfuscation Tools (Part 1) - Kahu Security

3. Javascript Deobfucation Tools (Part 2) - Kahu Security

Surcuri Labs Hex Decoder

Sucuri has a nice decoder page at http://ddecode.com/hexdecoder/ that might help if you're having trouble figuring mixed forms of obfuscation. Even if it can't completely decode the segment, it may be able to deobfuscate it enough to give you a sense of what the code is doing.