I'm stuck at below two questionsQ6: Which variable does the initial script try to return?Q8: The exploit kit contains a large block of hex encoded shellcode stored in a variable. This shellcode is also XOR encoded. What is the single byte xor key? (In the format 0xNN e.g. 0x11.)So far I downloaded the HTTP objects via Wireshark, extracted the script to JSDetox then decoded base64 strings which resolves to other 2 scripts. With these steps I was able to answer other questions but I can't go any further, any guidance? Thanks in advance

I was able to complete the lab however I think lab needs some improvementFor Q3, you need to look into the obfuscated code, before applying applying any deobfuscating stepsFor Q8, the data analyze tool in the lab does not work. Use CyberChef or something else, it is very misleading if you assume it works and you are missing something.JSDetox error

Reverse Engineering (Offensive) JavaScript Analysis: JSDetox

10 Replies

KieranRowley
Community Manager
6 months ago
Hi AtakanBal!

Thanks for the question, let me ask the lab author and come back to you.

In the meantime, if anyone else has any ideas please drop a comment below 👇
- ChrisKershaw
  Community Support
  6 months ago
  Hey AtakanBal
  
  Can you take a few screenshots to show where you are in the lab, and we can help to get some guidance to you?
  
  Kindest regards,
  Chris
  - AtakanBal
    Bronze III
    6 months ago
    ChrisKershawcan you be more specific on what screenshots do you want?
KieranRowley
Community Manager
6 months ago
Thanks for the feedback netcat and AtakanBal - I will ensure that it gets passed to the correct people.
netcat
Silver I
6 months ago
I think this tool is both overrated and abandoned, and at first I thought it would do some magic. I waited dozens of minutes for "Analyze" to do something, before I aborted these attempts. It's much easier to load the HTML file into the browser and then "Copy -> Inner HTML" to get the decoded scripts (JSDETOX has a nice formatter, but that's it). Not a single edit needed.

I couldn't understand Q4: "Which packet number corresponds to the site that is 302 redirected to (and which hosts the malware where you start analysis)?", it's not clear what you want. And since it's not a Wireshark lab, it might be just written as: "Identify the server where the malware is downloaded from, and as answer enter the number of the first frame with a http response code from that server."
- KieranRowley
  Community Manager
  6 months ago
  Hey netcat we have discussed your feedback internally and are in agreement with many of your comments. This is an older lab that no longer meets our quality standards and we are therefore going to uplift this lab and change some of the wording to make it clearer.
  
  You may be interested in the Introduction to Malware Analysis lab which uses more modern tooling.
netcat
Silver I
6 months ago
Oh yeah...just the last question in "Practical Malware Analysis: Static Analysis" is a little bit confusing: "What native Microsoft service is this malware trying to masquerade as with a legitimate seeming name and a reference to a file path that can be used for persistence? (Hint: Review the briefing panel for information on how to override a function signature.)".
"file path"...turns out to be a "file name"
- nehachawla
  Bronze I
  3 months ago
  What is the answer for this I am stuck with this question and question 12th of this lab.