Deciphering Obfuscated JavaScript Malware
Рет қаралды 60,809
Күн бұрынDo you like solving programming puzzles? Want to uncover what a malicious attacker is actually trying to do with their code?
In this video, we manually deobfuscate and Reverse Engineer an obfuscated JavaScript file. We look at a malicious loader file that downloads and executes a secondary AsyncRAT payload. You can follow along yourself with the video, by using the hash listed below!
---
File Hash: 978bf1471b3536dfdea854dd1c5d8ee63bdfbc8223c0254a92b183a711699a3a
---
Timestamps:
00:00 Intro to JavaScript Deobfuscation
06:03 Deeper Deobfuscation Techniques
12:02 Decoding Variables
18:00 Analyzing Obfuscated JS Function Calls
24:00 Uncovering Hidden Functionality
30:00 Reconstructing the Malicious Payload
---
LaurieWired Socials:
linktr.ee/lauriewired
---
Intro Music Courtesy of Analog Summer:
• Cloud Reverie by Analo...
@bartekklusek5242 Ай бұрын
This is not really my area of interest specifically, although i follow various computer related content. What actually shocked me, after watching several videos, is how orderly mind this lady has. Absolutely smooth speaking about complicated topics. I envy that talent so much.
@digitalradiohacker Ай бұрын
I'm a complete code mong, so I'm trying to "hang around" with smart people to soak up as much as I can - hence, why I'm here. Just to prove I was paying attention: 28:30 It looks like the integer returned was "1". You went back to the code and typed "0". Thanks for the walkthrough of what you're doing - Picked up a couple of tricks here.
@angelortiz-vk8ez 4 күн бұрын
yep, saw that as well
@christopher8641 Ай бұрын
I'm a backend dev and have never dug into malware analysis, but this video made the process look pretty fun and rewarding. I guess it is just a big dangerous puzzle
@cusematt23 Ай бұрын
holy effing sht. I literally just came across some heavily obfuscated js code that i am dying to reverse engineer and this vid came up. there is a god.
@adityadas5835 Ай бұрын
Or maybe Big Brother is tracking you. Who knows? 😕
@corp-por Ай бұрын
wtf, almost the same here. A client just called me because a js file was triggering a virus alert in windows defender. And here I am 🥸
@Katchi_ Ай бұрын
Liar.
@cusematt23 Ай бұрын
@@Katchi_ Not even kidding. I am using a complex optimization app and instead of it doing work on the server it just sends a giant minified obfuscated js bundle. And I am curious although not as smart as Laurie and will prob never fully reverse engineer it. So far the only thing I am getting is that the code using the glpk javascript library. I didn't even know this existed so that's a bonus at least. I am guessing there will soon be a day where most of the python AI/ML library functionalities are in javascript and running in your browser without (most people) you being aware. I am unsure if i should be excited or petrified.
@cusematt23 Ай бұрын
@@adityadas5835 certainly possible.
@NatteeSetobol Ай бұрын
Nice, I was looking for a nice detailed video that goes through such an annoying obfuscation in JavaScript. Thanks!
@VincentGroenewold Ай бұрын
The quality of these videos is just great, I'm not into JS at all, but it's well explained to follow along, nice! It all feels very much like security through obscurity, I predict this can be automated in the near future.
@iss9280 Ай бұрын
One of my new favorite channels! I love the old school Tech Tv/G4 vibe of your set.
@shady4tv Ай бұрын
The theme is from Serial Experiments Lain. great anime - only like 13 episodes. Would recommend watching if you have the time. I will warn you tho - it's a trip.
@Desmaad Ай бұрын
Not to mention the Classic Mac (Copland/OS 8-9.2) theming.
@TheChugnut Ай бұрын
Wow, just found your channel and I love it. Your presentation style is amazing!
@ArjanvanVught Ай бұрын
@28:29 a little error here ;-) pasting 0 instead of the 1
@swenic Ай бұрын
^ 28:41
@sonyarianto 28 күн бұрын
yeah this is a bug in this video
@OfficialiGamer 29 күн бұрын
I don't deal with programming much (or js) as I'm a hardware guy, but I found this super interesting to watch, and I understood most of it! Keep up the good work pretty lady!
@thediskostarz Ай бұрын
Awesome video Laurie, I learned a lot by watching your well explained videos. Thank you.
@svampius2448 Ай бұрын
I love the content and aesthetics of your videos, definitely my favourite channel at the moment! Also, for some reason you make me think of squirrels, which is fantastic - a vaporwave squirrel.
@DotDager Ай бұрын
A lot of interesting insights, great job as usual!
@sshiiden Ай бұрын
You did a really good job with the style of your videos
@leoroux4712 Ай бұрын
I did't need this but the explanation was so clear I kept watching
@plato4ek Ай бұрын
20:39 and other places: you don't need to write the "console.log", just expression itself is okay.
@drwhitewash Ай бұрын
Exactly, the console will output the result of that expression, instead of those "undefined"s.
@kxmode Ай бұрын
I think she's being extra careful to isolate the output to the console
@plato4ek Ай бұрын
@@kxmode this won't help isolate anything. Everything inside the "console.log()" is being evaluated anyway.
@DavidLindes Ай бұрын
@@kxmode the thing is, she's _in_ the "console" (in other languages, it might get called the REPL -- Read, Evaluate, Print (in a Loop)), so, as plato4ek says, it's not really isolating anything in this context. What she's doing isn't harming anything, of course, it's just also not buying much when done interactively. (But it would be very useful if recording it to a file and running it with node, say, so, perhaps it's a habit born from such intentions in prior work.)
@kxmode Ай бұрын
@@DavidLindes hmm... good to know. always thought console.log was a way to sandbox the code. A good note to self.
@UliTroyo Ай бұрын
This was a lot of fun! What a cool breakdown.
@mr.bulldops7692 Ай бұрын
Clear, concise, and cool as hell. You picked a great code example!
@enthusi Ай бұрын
Obfuscated code is fun.. JavaScript not so much my cup of tea 😊 Thanks for presenting these topics!
@dodgecoates8760 Ай бұрын
How can you like obfuscated code but not love javascript?
@dudemcperson3582 Ай бұрын
I absolutely love the way you break this down. Thank you!
@menegatmarcelo Ай бұрын
Laurie, your voice and way to explain is gorgeous!! New favorite channel! Im a simple FE developer who loves non FE content :) Thank you for exists!
@Emerson1 Ай бұрын
Great video, and great production value
@jefflucas_life Ай бұрын
I like the way how this was video instructed , thumbs up!!
@hitmongg Ай бұрын
I've never looked at malware before; it's super interesting. Thanks for sharing!
@tysonbenson Ай бұрын
Thanks, Laurie! Awesome video!
@OneAndOnlyMe Ай бұрын
This was a great tutorial, Laurie!
@shockinho Ай бұрын
This is so good I can't believe it exists, let alone such good content being free on KZfaq. Amazing work
@syth-1 Ай бұрын
Great video - these are all tricks I've used to deobfuscate API's I probs shouldn't be using .-. If you know the code is safe to run, and have a bit more complex code that jumps thru many different libraries, executing and walking thru the code line by line helps a tone, What you maybe reverse engineering maybe just one file, but seeing the external lib calls and filling in the values returned just like in the video rlly helps put the puzzle together, (of course gotta give props to browser Dev tools - when walking thru code can just hover over any variable to see the current value inside)
@kelliaa Ай бұрын
really sick video, gonna try to learn more about this, and your set is so sick
@dblanque Ай бұрын
Super neat video, really high level of production (also, 28:37, oopsie daisies the 1!) :P Really awesome content, learnt a lot Laurie! Subbed :)
@ronen124 Ай бұрын
28:37 aquí escribiste '0' en lugar de '1' por error . Esta fue una ingeniería inversa interesante y fascinante para dicho malware, muchas gracias por compartir tu análisis.
@Plagueheart Ай бұрын
I like the channel, it has a 90's style vibe from PBS after school tv educational shows which gives me that nostalgic vibe
@vapaspen Ай бұрын
My team has been fighting this thing for months now. When we got our first Sig it we though it was a FP cause of how many hits we got but no its just hitting that many people. Its a nasty little bugger. Thanks for the really cool breakdown on this! :)
@zzord Ай бұрын
Well done! Quick tip: You don't need to use console.log to evaluate expressions. You can just paste the expression and evaluate it directly. Also, at 22:56, you could evaluate the whole object in one step, instead of doing one function call at a time.
@Anthony-vb7sj 7 күн бұрын
impressive work !!! This channel is very Under-rated 😯👍🏻
@jhonm6347 Ай бұрын
Damn, this is very informative. I can't quite keep up with everything yet because I'm new to coding but it is very interesting, great video.
@Slycooper2456 Ай бұрын
Such great videos! (Love the Burnout clips at the end of each videos such a fun a game!)
@LuisGarcia1992_ 20 күн бұрын
LOVE the effect of a tape fast-forward 😂
@nceban2136 17 күн бұрын
Not a big fan of Lain, but still can appreciate the committment to the intros
@rafaelskt4ever Ай бұрын
Love your Serial Experiments: Lain theme
@robertivaneinarsson5868 Ай бұрын
Fantastic! I would love a video from you breaking down the XZ backdoor thing.
@Ron55O Ай бұрын
That's what I thought at first too😅
@Futureretrobix Ай бұрын
I love your videos Laurie!!!!
@JosephSaintClair Ай бұрын
Thank you for covering IOCCC. Something I always encourage aspiring programmers to try for themselves first the personal challenge and discipline. 🙏
@hgeldenhuys Ай бұрын
Laurie, your channel is genius
@zhanezar Ай бұрын
this was so good to watch, the quality of production is amazing
@trex6142 Ай бұрын
Well done and super interesting!
@Sasha-Good Ай бұрын
Amazing ReveЯsive design on channel 💯
@giamagg4602 Ай бұрын
Thanks, Laurie! You are awesome
@giamagg4602 Ай бұрын
In line 75 of your js code, the console log response is 1 and you put 0. Anyway you have obtained the IP and completely gutted the malware. I love it 28:42 console. log(0x1b9 * 0x9 + 0x2354 + 0x1 *-0x32d4) 1
@ShannonWare Ай бұрын
JS tools tip for NPP won you a subscriber! Thanks a million, my favourite app just got better XD
@thefrub Ай бұрын
Your production value is through the roof, you've got the whole room setup, the multiple cameras, the old Mac aesthetic. And you're great at this! This is amazing
@marshallgraphic Ай бұрын
Excellent work!
@No0Vad Ай бұрын
Sometimes you get lucky with Auto-play enabled, that's how I found this video which I enjoyed. Love the retro feeling!
@GerbenWijnja Ай бұрын
Nice work, Laurie. Of course there are many shortcuts possible all over the place, but that also increases the risk of errors. Refactoring piece by piece provides more confidence that you're on the right track. Is the original code available somewhere? I couldn't find it with just the hash.
@Kakerate2 29 күн бұрын
i love seeing this done in n++!
@ZioYuri78 Ай бұрын
This is so fascinating, thanks for sharing your competence!
@davidburns8113 Ай бұрын
I'm ecstatic I just found this channel! TYSM for sharing skills and methods like this on the Internet for free! Also the little corgi made my day!!
@Montegasppa 12 күн бұрын
This is the first (maybe second) os your videos I watch, and I got the reference. シリアルエクスペリメンツレイン
@BillyC Ай бұрын
This was sick to watch!
@yanniammari1491 Ай бұрын
how much did you spend on your setup/room it looks cool af
@Dorff_Meister Ай бұрын
That was a lot of fun. Thanks!
@ceruleanserpent387 19 сағат бұрын
I love the Copland OS interface
@justinmiller3349 Ай бұрын
Incredibly educational, and great production value. You're killing it. Keep it up!
@BlackHermit Ай бұрын
A true gem for anyone passionate about unraveling the mysteries! This step-by-step approach to deobfuscating and reverse engineering an obfuscated JavaScript file is not just informative, but downright thrilling. I love how Laurie invites viewers to follow along with the truth provided. Simply invaluable! 💻🔍✨
@timolff9239 Ай бұрын
what's the point of using chatgpt to comment on a youtube video?
@BlackHermit Ай бұрын
@@timolff9239 ChatGPT's English is better than mine. I couldn't have possibly articulated my feelings towards this video better than it did!
@AEONIC_MUSIC Ай бұрын
But everyone can tell it's AI so we think it's fake. Also I think claude opus has more natural speaking
@BlackHermit Ай бұрын
@@AEONIC_MUSIC Well, it is fake in the sense that I was not the one who worded everything, but I did tell ChatGPT what I felt!
@shpleemcgert Ай бұрын
At 23:06... If your ultimate goal was to get the _0x502708 map object, couldn't you have executed that block in your dev tools and just printed it out? Especially since you know the method was just outputting string characters and was not inherently malicious. Please correct me if there is something I'm overlooking here. Just a gut reaction at a potential time save Also this video was beautiful and I love your editing style. This is incredibly educational and I have subscribed. Looking forward to seeing more of your thought process.
@thmo_ Ай бұрын
yeah, would have been a time save to let it write the commands up to the last two map entries actually using the activexobject.
@epiphaner Ай бұрын
I'm guessing she did it this way to keep it safe and accessible for the viewers. A viewer might not be savvy enough to distinguish which parts of the code are safe to execute and which are not. That would also explain why she would go through de-obfuscating the first two methods before using them even though they, to me, obviously had no code that could do harm. A viewer following the workflow in this video will not get their system infected.
@thmo_ Ай бұрын
True, also in general the way she did it was very verbose to follow along and replicate with other code, so this will be more helpful to viewers.
@penguin_m1rage Ай бұрын
This video is so awesome omg 🤯
@jcKobeh Ай бұрын
The horizontally flipped front face camera has had me wondering exactly what you were doing for a couple of videos. Did you decide to do it to have your face "looking into" the direction of the code? Now that I'm commenting, I'll just say: I love the graphic overlays and design you use. And the way you present these videos, just clear voice, no music, well prepared, and sitting still and straight throughout the whole thing, My respects. I know how all of these kind of things are invisible to most when done correctly, but cheers, it doesn't go un-appreciated.
@Hwyadylaw 20 күн бұрын
Webcams and front-facing phone cameras tend to mirror the image to emulate.. well, a mirror, since that's how most people are used to seeing themselves.
@jcKobeh 20 күн бұрын
@@Hwyadylaw but that footage looks like a real camera, not a webcam, which is why it seems to me like it must be an active decision and not just the default thing the camera does.
@Hidamarisketchfan5 Ай бұрын
Interesting video. Whenever I hear about Javascript malware, I'm glad and fortified in my use, of Noscript. Sure, Noscript isn't 100% secure, but it's far better than executing everything that may come with some random website.
@ewasteredux Ай бұрын
Hi @LaurieWired! Dumb question(s) here from a total novice... In your opinion, was the initial obfuscation done via a program/script or was it done by a human? Is there an easy way to tell or is this an educated guess?
@TheSnero3 Ай бұрын
where do you get all of those wonderful backgrounds?
@g2D1 Ай бұрын
Which OS are you using Laurie? it looks very retro. I have been looking for a KDE look alike for SOlaris 2.6 but have not been able to. But this one has a similar feel and looks like a Mac OS Retro
@timewarptrio11 Ай бұрын
Well explained!
@pdelong42 Ай бұрын
It's been a few decades since I've done anything serious on Windows, so I was frankly surprised to learn that ActiveX is still a thing. We all thought it was a gaping security hole from day one, and I thought Microsoft was at-least disabling it by default now. Glad to see that it's deprecated (according to Wikipedia).
@canetabisturi Ай бұрын
Laurie are you planning on making a video on the xz backdoor? Would love to hear your thoughts!!
@damien__j Ай бұрын
I see LaurieWired and I click
@JenByte Ай бұрын
Now I would like to know what the malware that would be downloaded form that server is actually doing when executed.
@martin1b Ай бұрын
I love this. It's amazing how obfuscation can make it look so much more complex than it really is.
@mendodsoregonbackroads6632 Ай бұрын
Yea the way it all boiled down at the end to just a few lines of code was pretty cool.
@ab-tu5wc Ай бұрын
5:07 I saw this kind of code where a function is wrapped in parenthesis while it's being defined in a TamperMonkey user script but I didn't know what is was called so thanks for clearing that up. It's a weird way to call a function ngl. Is there an advantage to executing a function like this in terms of memory that I'm not seeing or is it just the malware person being petty and obfuscating the call to the function?
@rickgray Ай бұрын
It's called an IIFE. Not common these days because ES6 fixed a lot of weirdness that necessitated them.
@caerphoto Ай бұрын
It's often used for initialisation code, where a bunch of stuff needs doing, but you don't want to create global variables - it keeps that portion of code contained. This: (function (root, sel) { let selected = root.querySelector(sel); selected.classList.add('loaded'); }(window.document, 'body')); Is basically the same as this: function markAsLoaded(root, sel) { let selected = root.querySelector(sel); selected.classList.add('loaded'); } markAsLoaded(window.document, 'body'); except the first one doesn't create a global 'markAsLoaded' function. Obviously the function bodies in this example are pretty trivial, so you wouldn't actually use it in this case, but for more complex code it's useful.
@pulserudeus7968 24 күн бұрын
love it!
@zetronman Ай бұрын
I'm stupid but why are you able to find + replace-all? Doesn't that risk renaming variables that are locally scoped that use the same name as other locally scoped variables in another function? edit: like obviously it'd still work, I just feel like it'd mess with me a lot and it seems like it'd be better if the find-replace was scoped but idk, I don't RE malware.
@vlk.charles Ай бұрын
Yeah, I too thought that was a little "reckless". Turned out this code didn't use the same name in different scopes but it could have, just to mess with reverse engineers.
@ancestrall794 Ай бұрын
Really interesting. I wonder if the ActiveXObject function can be used for XSS in pentesting / CTFs
@astropgn Ай бұрын
Would it be an alternative to obfuscating your malware to use web assembly? I am assuming, since it is a compiled, it would require a lot more effort to reverse engineer it. Yet it would work relatively fine on modern browsers.
@rne1223 Ай бұрын
Editing is amazing, but the content is off the charts. Amazing work 👏👏👏
@maelstrom57 Ай бұрын
To rename variables, it's much safer to do it in VSCode using the F2 shortcut. With a string replace, you risk modifying any piece of code (like a string) that happens to contain the variable name without being a reference to it.
@climatechangedoesntbargain9140 Ай бұрын
just any JS Editor with variable rename functionality
@iro4201 Ай бұрын
I see you are no fan of probability.
@maelstrom57 Ай бұрын
@@iro4201 Nah I ain't a simp for it.
@iro4201 Ай бұрын
@@maelstrom57 Better simp for speed, than for fear of making a mistake though.
@DanielRodriguez-ff5cs Ай бұрын
great video! The corgi app ❤
@Taaz2 Ай бұрын
Awesome stuff! May I kindly request any links to the desktop wallpaper you use? I need it haha
@onlymyrailgununknown2960 28 күн бұрын
Your kind is rare. I am working on a C decompiler, and will soon deal with optimized binaries and later with static obfuscation methods and I am thinking on how to automate deobfuscation. For JS it looks quite possible. You are basically doing some kind of constant propagation (with the help of runtime logs) and give sensible names. If someone would write a high-level JS optimizer, you could also get rid of unneccessary/pointless dead code, control flow, ... then its done. Basically adapting the GCC/CLANG optimization tricks to JS would make no JS secure.
@dungeonman.fromyoutube Ай бұрын
Awesome video
@angelortiz-vk8ez 4 күн бұрын
¡Gracias!
@Saru-Dono 19 күн бұрын
Notepad ++ and MS Edge is such a based combo for development
@pavloburyanov5842 Ай бұрын
For "repetitive" part: you can grep needed invocations and process them in the loop. PS: I believe notepad++ supports macros to make life easier.
@waffen9894 Ай бұрын
28:41. Were you supposed to put 1 there instead of 0?
@tommyhuffman7499 Ай бұрын
very cool channel!
@Skatche Ай бұрын
23:30 Quicker way to do this: just copy and paste the definition of the variable _0x502708 into your console and then console.log the result.
@user-jx7cv2td4y Ай бұрын
Also, instead of concatenating strings in a loop, we can just replace activeX calls to console.log, run it and see what commands are executed
@BlitzkriegHD Ай бұрын
Your background / set is a trip dude. Is all that retro gear real or are you using a greenscreen of some sort? If it’s real then you’ve got a really cool collection of… old computer stuff hahah
@lauriewired Ай бұрын
It's all real :)
@DinMamma002 Ай бұрын
Interesting! How well does a LLM deobfuscate?
@jackbarrett3599 Ай бұрын
my guess would be terribly.
@prima_ballerina Ай бұрын
Interesting. But why console.log each call individually instead of copying the whole object and logging that? Also: I'd use node with an actual temp js file instead of copying to a browser dev console to make it easier to correct if I made a mistake.
@markdempsey1088 Ай бұрын
Interesting video.
@stacksmasherninja7266 Ай бұрын
not even sure whether that's an actual linux distro but it looks 10/10
@levonschaftin3676 Ай бұрын
anyone know what keyboard she's using? sounds like topre
@LuisGarcia1992_ 20 күн бұрын
I'm on my Android tablet, so can't directly verify, but I'm pretty sure that CTRL+H brings you directly to the "replace" dialog. You don't have to ctrl+f and then click. It's just ctrl+h.
Oscar's Funny World
Рет қаралды 131 МЛН
Low Level Learning
Рет қаралды 1,2 МЛН
Strange Loop Conference
Рет қаралды 9 М.
spline
Рет қаралды 166 М.
Myphoneacc
Рет қаралды 8 МЛН
Kasim Tech
Рет қаралды 63 МЛН