JavaScript is a programming language commonly used in web browsers. Due to its use in web browsers, it is often employed by security researchers and malicious actors to identify and exploit security vulnerabilities in browsers (e.g., the Aurora Operation).
Additionally, JavaScript is also used by exploit kits to gain control over target systems and deliver malware. Examples of this include the Blackhole exploit kit, which caused significant trouble for both end users and corporate users, and the Angler exploit kit, which took over the exploit kit market after its developer was arrested.
Recently, it was revealed by Heimdal Security that the Angler exploit kit had been used to deliver Cryptowall malware to the targeted systems it compromised.
Looking at both cyberattacks on organizations and exploit kits, it is evident that JavaScript plays a significant role. As a result, the ability for security experts to analyze malicious JavaScript code has become even more crucial.
It is not feasible to analyze JavaScript step-by-step using debugger tools like OllyDbg, Immunity Debugger, or IDA Pro. Instead, you can benefit from the free Firebug extension, which has JavaScript debugging capabilities and can be installed as an add-on in both Chrome and Firefox browsers.
Let’s assume you have a “traffic file” (PCAP) from the Angler exploit kit to analyze. Your first step would be to use the HTTP filter and Follow TCP Stream in Wireshark to detect the suspicious JavaScript found within the HTML file.
Once you successfully identify the JavaScript, removing the HTML code and leaving only the JavaScript code in the file, formatting it, and placing the debugger; keyword at the point where you want to begin debugging will simplify your analysis. (However, you can also use different methods instead of using the debugger; keyword.) However, in cases like the Angler exploit kit, where JavaScript may require HTML code during execution, removing the HTML code could make your analysis more difficult instead.
To begin debugging, open the Firefox browser, and by clicking on the Firefox icon in the upper-right corner, you will see that Firebug becomes active. Then, when you open the HTML file containing the JavaScript code in Firefox, you will notice that Firebug’s debugger is waiting for a command at the debugger; keyword. If you are used to using debuggers like OllyDbg, Immunity Debugger, etc., you can use Firebug in a similar way with the buttons or keyboard shortcuts (F8 – Continue, F11 – Step Into, F10 – Step Over) located in the lower section, at the top right corner.
When you begin debugging, you will see that the Firebug tool is focused on the eval() function. On the right, you will be able to view the JavaScript code contained in the H4BA5 variable, which will be interpreted and executed by the eval() function. This clearly indicates that the JavaScript code was hidden within the HTML code, and during runtime, it is decoded (revealed) by the browser and passed to the eval() function to be executed.
You can access the JavaScript code within the variables at any time from the console screen. To do this, simply type console.log(variable) in the Console window.
Besides the Firebug extension, you can also use the Developer Tools built into the Chrome browser to analyze and debug JavaScript code. To do this, simply open the relevant HTML file and press the F12 key on your keyboard.
Let’s say you have an HTML file from the Angler exploit kit, extracted from a PCAP file as mentioned at the beginning of the article, and when you run this file in Chrome, you notice that the browser is attempting to go to the address doodveeantoviar.kyderby.org. You want to find out exactly where this address is located in the HTML file and analyze the function, but you searched for the address and couldn’t find it. What would you do in this case?
In this case, the first thing you should do is copy all the JavaScript code that was revealed by the eval() function into the Angler HTML file and execute it. When you run it, as shown in the screenshot below, you will see that the HTTP address comes from the getKolaio() function. Looking at the getKolaio() function, you will see that the value returned by this function comes from the NhxUAmwU(xlAEe1xlAEe3); function. When you examine the xlAEe1xlAEe3 variable, you will realize that it holds an obfuscated value. Upon reviewing the NhxUAmwU function, it will become clear that it is the main function for decoding the obfuscated data.
To dynamically analyze the NhxUAmwU function with a debugger, you can copy the function into a separate HTML file, pass the obfuscated data to this function, and step through the process to understand how the obfuscated data is being decoded. Good luck with your analysis! 🙂
