Forum Discussion

AtakanBal's avatar
AtakanBal
Icon for Bronze III rankBronze III
2 months ago

Reverse Engineering (Offensive) JavaScript Analysis: JSDetox

I'm stuck at below two questions

Q6: Which variable does the initial script try to return?
Q8: The exploit kit contains a large block of hex encoded shellcode stored in a variable. This shellcode is also XOR encoded. What is the single byte xor key? (In the format 0xNN e.g. 0x11.)

So far I downloaded the HTTP objects via Wireshark, extracted the script to JSDetox then decoded base64 strings which resolves to other 2 scripts. With these steps I was able to answer other questions but I can't go any further, any guidance? 

Thanks in advance

  • AtakanBal's avatar
    AtakanBal
    2 months ago

    I was able to complete the lab however I think lab needs some improvement

    For Q3, you need to look into the obfuscated code, before applying applying any deobfuscating steps
    For Q8, the data analyze tool in the lab does not work. Use CyberChef or something else, it is very misleading if you assume it works and you are missing something.

    JSDetox error

     

  • KieranRowley's avatar
    KieranRowley
    Icon for Community Manager rankCommunity Manager

    Hi AtakanBal!

    Thanks for the question, let me ask the lab author and come back to you.

    In the meantime, if anyone else has any ideas please drop a comment below 👇

    • ChrisKershaw's avatar
      ChrisKershaw
      Icon for Community Support rankCommunity Support

      Hey AtakanBal 

      Can you take a few screenshots to show where you are in the lab, and we can help to get some guidance to you?

      Kindest regards,
      Chris

  • I think this tool is both overrated and abandoned, and at first I thought it would do some magic. I waited dozens of minutes for "Analyze" to do something, before I aborted these attempts. It's much easier to load the HTML file into the browser and then "Copy -> Inner HTML" to get the decoded scripts (JSDETOX has a nice formatter, but that's it). Not a single edit needed.

    I couldn't understand Q4: "Which packet number corresponds to the site that is 302 redirected to (and which hosts the malware where you start analysis)?", it's not clear what you want. And since it's not a Wireshark lab, it might be just written as: "Identify the server where the malware is downloaded from, and as answer enter the number of the first frame with a http response code from that server."

    • KieranRowley's avatar
      KieranRowley
      Icon for Community Manager rankCommunity Manager

      Hey netcat we have discussed your feedback internally and are in agreement with many of your comments. This is an older lab that no longer meets our quality standards and we are therefore going to uplift this lab and change some of the wording to make it clearer.

      You may be interested in the Introduction to Malware Analysis lab which uses more modern tooling. 

  • Oh yeah...just the last question in "Practical Malware Analysis: Static Analysis" is a little bit confusing: "What native Microsoft service is this malware trying to masquerade as with a legitimate seeming name and a reference to a file path that can be used for persistence? (Hint: Review the briefing panel for information on how to override a function signature.)".
    "file path"...turns out to be a "file name"