At first look at the JavaScript we can already say that it is obfuscated. A few notable strings are visible within the code, but as it stands it is still too hard to understand.
fig. 1 - JavaScript code snippet 1
fig. 1b - JavaScript code snippet 2
We could try to de-obfuscate this manually with some reverse-engineering scripting in JS or Python, or with a JS emulator such as JSUnpack, the Firebug add-on for Firefox, and many others. In this case, though, I used a debugger to show the de-obfuscated script. Since the JS is executed by wscript.exe, I attached the debugger to wscript.exe with our JS file as the parameter and did some reverse engineering, setting API breakpoints that may trigger during execution of the script. Because the sample actually runs under the debugger, this has to be done in an isolated analysis VM.
After debugging, the de-obfuscated script looks like this:
We can see that the malicious JavaScript file executes a cmd shell that runs a PowerShell command to download the payload from the malicious URL, then calls Invoke-WmiMethod to execute the downloaded file as a process named CNH67.exe. One detection caveat: because the final binary is started through the WMI process-creation method rather than directly by PowerShell, the new process does not appear as a child of powershell.exe in the wscript.exe -> cmd.exe -> powershell.exe chain, so a parent-child rule alone will miss the CNH67.exe launch.