Readers will recall that in my “Man In The Proxy” blog post, a malicious JScript file (Flash-2017.js) was used to download and execute banking malware on the target system. In that article, I mentioned that this obfuscated (encoded) JScript file could not easily be analyzed in a web browser using the approach outlined in my “Malicious JavaScript Analysis” post. The reason was that the JScript file depends on ActiveX and WScript objects that a browser does not provide (“WScript is not defined”, “ActiveXObject is not defined”). In cases where a JScript file cannot be analyzed in a browser, you can use Visual Studio, or its free edition, Visual Studio Express, for the analysis instead.
According to Wikipedia, Microsoft Windows Script Host (WSH) (formerly known as Windows Scripting Host) is a scripting automation technology for the Microsoft Windows operating system that offers far more features than BATCH files. One of its key advantages is its support for multiple scripting languages (JScript, VBScript). As a side note, for debugging VBScript you can also use a tool called VbsEdit, which is worth mentioning.
In such cases, to quickly analyze a JScript file, you should first define the debugging parameters specified by Microsoft under the Tools -> External Tools menu in Visual Studio. Afterward, open the JScript file you want to analyze in Visual Studio, and then select the WScript you defined earlier from the Tools menu to easily begin analyzing the JScript file.
When we begin step-by-step debugging and analyzing the JScript file named Flash-2017.js, we can observe that the code removes the characters /* and */ that mark the beginning and end of comment lines.
Next, the functions ddfddfdcccbcaf() and acfabbfabdd(), which sequentially decode the hidden data within the script, will immediately catch our attention. If our goal is to quickly reach the decoded version of the hidden data, we can place a breakpoint at the return statement at the end of the acfabbfabdd() function. This allows us to easily and quickly access the decoded data.
Those who don’t want to deal with Visual Studio and debugging can instead write a small JScript program that calls the script’s own decoding functions to recover the hidden data quickly, as shown in the screenshot below.
As we approach the end of the analysis, we can see that the JScript file sends a request to the address http://highetave.xyz/gete14.php?ff1, and that the response from the web server is different each time (server-side polymorphism). After learning that the numeric value before the ||| delimiter is also used to decode the hidden data, we observe that the data decoded by the functions mentioned earlier is saved to disk under the name 0c03.exe (md5: dcfb9cab318417d3c71bc25e717221c2) and then executed. In short, where web browsers fall short for analysis, malicious JScript and VBScript can be analyzed quickly with Visual Studio debugging, helping you find answers to the questions you have in mind.