Forum Discussion
Reverse Engineering (Offensive) JavaScript Analysis: JSDetox
I'm stuck on the two questions below
Q6: Which variable does the initial script try to return?
Q8: The exploit kit contains a large block of hex encoded shellcode stored in a variable. This shellcode is also XOR encoded. What is the single byte xor key? (In the format 0xNN e.g. 0x11.)
So far I downloaded the HTTP objects via Wireshark, extracted the script to JSDetox, then decoded the base64 strings, which resolve to two other scripts. With these steps I was able to answer the other questions but I can't go any further, any guidance?
Thanks in advance
I was able to complete the lab, however I think the lab needs some improvement
JSDetox error
For Q3, you need to look into the obfuscated code before applying any deobfuscating steps
For Q8, the data analyze tool in the lab does not work. Use CyberChef or something else, it is very misleading if you assume it works and you are missing something.
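As an added example (not part of the lab, JSDetox, or this post), here is the single-byte XOR brute force that CyberChef's XOR tooling performs for Q8, in Python. The hex blob is constructed in the script itself (an ASCII sentence XOR'd with key 0x2a); the key name, scoring weights and the "most common byte" shortcut are assumptions of this example, not the lab's.

```python
"""Single-byte XOR key recovery for a hex-encoded blob.

Added example for the Q8 thread above; not part of the lab or JSDetox.
The sample blob is constructed in this file (an ASCII sentence XOR'd
with a constructed key), so the scoring below is a fair test of the method.
"""
from collections import Counter
from typing import List, Tuple

def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte in 0..255."""
    return bytes(b ^ key for b in data)

def text_score(buf: bytes) -> int:
    """Reward letters and spaces, heavily penalise non-printable bytes."""
    total = 0
    for b in buf:
        if b == 0x20:
            total += 2
        elif 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            total += 1
        elif not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)):
            total -= 10
    return total

def rank_keys(hex_blob: str, top: int = 5) -> List[Tuple[int, int]]:
    """Try all 256 keys; return the best (key, score) pairs, best first."""
    data = bytes.fromhex("".join(hex_blob.split()))
    scored = [(k, text_score(xor_single(data, k))) for k in range(256)]
    scored.sort(key=lambda ks: ks[1], reverse=True)
    return scored[:top]

def recover_key(hex_blob: str) -> str:
    """Best text-like key in the lab's answer format, e.g. '0x2a'."""
    return f"0x{rank_keys(hex_blob, 1)[0][0]:02x}"

def key_from_most_common(hex_blob: str, expected: int) -> str:
    """Alternative for non-text payloads: assume the most frequent
    ciphertext byte decodes to `expected` (0x00 is a common guess for
    binary shellcode, 0x20 for text)."""
    data = bytes.fromhex("".join(hex_blob.split()))
    most, _ = Counter(data).most_common(1)[0]
    return f"0x{most ^ expected:02x}"

# Constructed sample: a plain sentence XOR'd with key 0x2a, then hex-encoded.
SAMPLE_PLAINTEXT = b"this is a constructed sample for the xor key example and not real shellcode"
SAMPLE_HEX = xor_single(SAMPLE_PLAINTEXT, 0x2A).hex()

if __name__ == "__main__":
    print(rank_keys(SAMPLE_HEX))
    print(recover_key(SAMPLE_HEX), key_from_most_common(SAMPLE_HEX, 0x20))
```

For real shellcode the text heuristic is weak; paste the lab's hex into `rank_keys` and inspect the top candidates for x86 prologue bytes, or try `key_from_most_common` with `expected=0x00`.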
10 Replies
- KieranRowley
Community Manager
Hi AtakanBal!
Thanks for the question, let me ask the lab author and come back to you.
In the meantime, if anyone else has any ideas please drop a comment below 👇
- ChrisKershaw
Community Support
Hey AtakanBal
Can you take a few screenshots to show where you are in the lab, and we can help to get some guidance to you?
Kindest regards,
Chris
- AtakanBal
Bronze III
ChrisKershaw can you be more specific on what screenshots you want?
- KieranRowley
Community Manager
- netcat
Silver III
I think this tool is both overrated and abandoned, and at first I thought it would do some magic. I waited dozens of minutes for "Analyze" to do something, before I aborted these attempts. It's much easier to load the HTML file into the browser and then "Copy -> Inner HTML" to get the decoded scripts (JSDETOX has a nice formatter, but that's it). Not a single edit needed.
I couldn't understand Q4: "Which packet number corresponds to the site that is 302 redirected to (and which hosts the malware where you start analysis)?", it's not clear what you want. And since it's not a Wireshark lab, it might be just written as: "Identify the server where the malware is downloaded from, and as answer enter the number of the first frame with a http response code from that server."
- KieranRowley
Community Manager
Hey netcat we have discussed your feedback internally and are in agreement with many of your comments. This is an older lab that no longer meets our quality standards and we are therefore going to uplift this lab and change some of the wording to make it clearer.
You may be interested in the Introduction to Malware Analysis lab which uses more modern tooling.
- netcat
Silver III
Oh yeah...just the last question in "Practical Malware Analysis: Static Analysis" is a little bit confusing: "What native Microsoft service is this malware trying to masquerade as with a legitimate seeming name and a reference to a file path that can be used for persistence? (Hint: Review the briefing panel for information on how to override a function signature.)".
"file path"...turns out to be a "file name"
- nehachawla
Bronze I
What is the answer for this? I am stuck with this question and question 12 of this lab.