Monday, February 22, 2016

JavaScript Deobfuscation Update

It didn't take long for the Internet Storm Center to post another article on JavaScript deobfuscation, this one by Didier Stevens. This time the previous deobfuscation techniques failed, so Didier uses Python to do static analysis. Nice work. The article is here.

Thursday, February 18, 2016

Angler Exploit Kit to TeslaCrypt

There's an excellent write up by Brad Duncan in the Internet Storm Center's Handler Diaries on analyzing a compromise that used the Angler Exploit Kit to deliver TeslaCrypt.

From the article:

On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events.

The chain started with a compromised website that generated an admedia gate.

The gate led to Angler EK.

Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.

- 178.62.122.211 - img.belayamorda.info - admedia gate
- 185.46.11.113 - ssd.summerspellman.com - Angler EK
- 192.185.39.64 - clothdiapersexpert.com - TeslaCrypt callback traffic

Full write-up is here.
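As an added example (not part of Brad's write-up or any ISC tooling), the following Python maps the three indicators listed above onto the stages of the chain and replays a constructed proxy log to find clients that traversed the whole gate-to-callback sequence. The log format, the client addresses and the compromised-site hostname are assumptions made up for the example; only the three IP/hostname pairs come from the post.

```python
import re

# Indicators quoted in the post, each mapped to the stage of the chain it belongs to.
INDICATORS = {
    "178.62.122.211": ("img.belayamorda.info", "admedia gate"),
    "185.46.11.113": ("ssd.summerspellman.com", "Angler EK"),
    "192.185.39.64": ("clothdiapersexpert.com", "TeslaCrypt callback traffic"),
}
HOST_TO_IP = {host: ip for ip, (host, _) in INDICATORS.items()}
STAGE_ORDER = ["admedia gate", "Angler EK", "TeslaCrypt callback traffic"]

# Constructed proxy log in a hypothetical space-separated format:
#   timestamp client_ip dest_ip host path status
# Client addresses and the compromised site are invented; this is not real traffic.
SAMPLE_LOG = """\
2016-02-17T18:14:02Z 10.0.0.23 203.0.113.10 compromised-site.example /index.html 200
2016-02-17T18:14:03Z 10.0.0.23 178.62.122.211 img.belayamorda.info /ad.js 200
2016-02-17T18:14:05Z 10.0.0.23 185.46.11.113 ssd.summerspellman.com /landing 200
2016-02-17T18:14:09Z 10.0.0.23 185.46.11.113 ssd.summerspellman.com /payload 200
2016-02-17T18:15:31Z 10.0.0.23 192.185.39.64 clothdiapersexpert.com /cb.php 200
2016-02-17T18:16:00Z 10.0.0.45 203.0.113.10 compromised-site.example /index.html 200
2016-02-17T18:16:01Z 10.0.0.45 178.62.122.211 img.belayamorda.info /ad.js 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dst, host, path, status = m.groups()
    return {"ts": ts, "client": client, "dst": dst, "host": host,
            "path": path, "status": int(status)}


def match_stage(dst_ip, host):
    """Return the chain stage an IP/hostname pair maps to, or None.

    Matching on either field catches a listed domain that has moved to a
    new address, or a listed address now serving a different name."""
    if dst_ip in INDICATORS:
        return INDICATORS[dst_ip][1]
    if host in HOST_TO_IP:
        return INDICATORS[HOST_TO_IP[host]][1]
    return None


def reconstruct_chains(log_text):
    """Group indicator hits per client, in log order, collapsing repeated
    requests to the same stage (e.g. landing page followed by payload)."""
    chains = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = match_stage(rec["dst"], rec["host"])
        if stage is None:
            continue
        hits = chains.setdefault(rec["client"], [])
        if hits and hits[-1][1] == stage:
            continue
        hits.append((rec["ts"], stage))
    return chains


def is_full_chain(hits):
    """True if the stages appear as an ordered subsequence gate -> EK -> callback."""
    stages = iter(s for _, s in hits)
    return all(want in stages for want in STAGE_ORDER)


def full_chain_clients(log_text):
    """Clients for which every stage of the chain was observed, in order."""
    chains = reconstruct_chains(log_text)
    return sorted(c for c, hits in chains.items() if is_full_chain(hits))


if __name__ == "__main__":
    for client, hits in reconstruct_chains(SAMPLE_LOG).items():
        print(client, "->", " -> ".join(s for _, s in hits))
    print("full chain:", full_chain_clients(SAMPLE_LOG))
```

A client that only reached the gate (10.0.0.45 in the sample) is still reported by reconstruct_chains, which is the case a responder wants to see separately: the exploit kit was not reached, so the host likely needs no cleanup but the gate contact is worth noting.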

Some of the obfuscation may seem daunting, but there's a wealth of information on techniques to deobfuscate JavaScript and other code. A lot of that information is in the Handler Diaries itself. Here are some other write-ups from the ISC:


And from other sites:



Monday, February 15, 2016

Sucuri Labs Hex Decoder

Sucuri has a nice decoder page at http://ddecode.com/hexdecoder/ that might help if you're having trouble figuring out mixed forms of obfuscation. Even if it can't completely decode a segment, it may be able to deobfuscate it enough to give you a sense of what the code is doing.
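The same idea of static, non-executing decoding can be scripted. The Python below is an added example (not Sucuri's decoder and not Didier's script from the post above): it repeatedly rewrites the common string encodings that get stacked in obfuscated JavaScript (\xNN and \uNNNN escapes, String.fromCharCode, unescape("%XX"), and literal concatenation) until nothing changes, then lists the decoded string literals that mention functions or tags typical of drive-by loaders. The sample fragment and the SUSPICIOUS list are constructed for the example.

```python
import re

# Constructed sample mixing several encodings; not taken from any real malware.
SAMPLE_JS = r'''
var a = "\x64\x6f\x63\x75\x6d\x65\x6e\x74";
var b = String.fromCharCode(119, 114, 105, 116, 101);
var c = unescape("%3C%73%63%72%69%70%74%3E");
var d = "ev" + "al";
'''

HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')
UNI_ESC = re.compile(r'\\u([0-9a-fA-F]{4})')
FROM_CHAR_CODE = re.compile(r'String\.fromCharCode\(\s*([0-9,\s]+)\)')
UNESCAPE = re.compile(r'unescape\(\s*"((?:%[0-9a-fA-F]{2}|[^"%])*)"\s*\)')
PCT_ESC = re.compile(r'%([0-9a-fA-F]{2})')
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _chr_safe(code):
    """Decode one code point, re-escaping quote and backslash so the decoded
    character cannot break the string literal that contains it."""
    ch = chr(code)
    return '\\' + ch if ch in '"\\' else ch


def decode_escapes(js):
    """Replace \\xNN and \\uNNNN escapes inside literals with the characters."""
    js = HEX_ESC.sub(lambda m: _chr_safe(int(m.group(1), 16)), js)
    return UNI_ESC.sub(lambda m: _chr_safe(int(m.group(1), 16)), js)


def decode_from_char_code(js):
    """Rewrite String.fromCharCode(110, 111, ...) calls into string literals."""
    def repl(m):
        codes = [int(x) for x in m.group(1).split(',') if x.strip()]
        return '"' + ''.join(_chr_safe(c) for c in codes) + '"'
    return FROM_CHAR_CODE.sub(repl, js)


def decode_unescape(js):
    """Rewrite unescape("%XX%XX") calls into string literals."""
    def repl(m):
        inner = PCT_ESC.sub(lambda h: _chr_safe(int(h.group(1), 16)), m.group(1))
        return '"' + inner + '"'
    return UNESCAPE.sub(repl, js)


def fold_concat(js):
    """Fold "a" + "b" into "ab" (one adjacent pair per call)."""
    return CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)


def deobfuscate(js, max_passes=20):
    """Apply the rewrite rules until a fixed point; each pass can expose
    another layer (e.g. concatenation that only folds after hex decoding)."""
    for _ in range(max_passes):
        new = fold_concat(decode_unescape(decode_from_char_code(decode_escapes(js))))
        if new == js:
            break
        js = new
    return js


def string_literals(js):
    """All double-quoted string literals in the (decoded) source."""
    return STRING_LIT.findall(js)


# Constructed watch list of names that commonly show up once loaders are decoded.
SUSPICIOUS = ("eval", "document", "write", "unescape", "ActiveXObject", "<script", "iframe")


def flag_suspicious(js):
    """Decode statically and return the literals that mention a watched name."""
    lits = string_literals(deobfuscate(js))
    return sorted({lit for lit in lits if any(s in lit for s in SUSPICIOUS)})


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
    print(flag_suspicious(SAMPLE_JS))
```

Because nothing is executed, the script is safe to run on untrusted input; the trade-off is that it only undoes encodings it knows about, so arithmetic on character codes or custom decoder functions still need manual work or a sandboxed run.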
