Friday, August 6, 2021

There Is More Than Meets The Eye - Analyzing Obfuscated WSHRAT Script

Nowadays it is very common for malware to use a crypter, a packer, obfuscation and encryption to hide its code from analysts, evade AV detection, bypass emulation and so on. Aside from compiled binary malware, another interesting file type that is easy to obfuscate is script code such as JScript, VBScript, AutoIt, PowerShell, Python, Go and many more.

I know there are many ways to de-obfuscate or analyze a malicious script: using the browser as a debugger, using AMSI, running wscript.exe with the "/X" switch to start the target script in debug mode, or a deep-dive analysis where you work with some tools or write a script of your own.

Today I will share some tips on how I analyzed the obfuscation technique of the WSHRAT JS script with the help of a Python script, to make the code clearer and to see how it keeps several payload files inside its code body.


Let's Start!! :)

First Stager - The Initial loader

The first stage of the WSHRAT script shows an interesting obfuscation that it also uses in its second stage. As we can see in figure 1, it starts with a "squrr3L" function which de-obfuscates each initialized string within the code; the result is then executed with an EVAL() call.

The "squrr3L" function replaces each "{}" placeholder that contains an index number with the parameter at that index in the list of strings passed to it. So in figure 1 we can see that "Array.prototype.tp_l1nk" is a big string containing "{}" placeholders, namely {0}, {1} and {2}, which refer to the parameters "F", "P" and "x" passed to it, so we can say that {0} = "F", {1} = "P" and {2} = "x".


Figure 1 - First Stager The Loader

Once we have replaced all the needed strings, especially in the variable "Array.prototype.tp_l1nk", which is the base64-encoded string of the next stager, we can decode it with our tool of choice.

Second Stager - The Payload Executioner

After decoding the base64-encoded string, the code really is a mess at first glance, but don't worry: as you work out how it operates little by little, it is not as hard as expected. At the start of the code you will notice right away a big array of hex string values named "dKEW_qS[]". This big chunk of hex-encoded strings is the gem of this script once converted to readable strings and placed in the right spots. Below is the code snippet of the hex string array.

Figure 2 - Hex-encoded string array

And as we expected, the array "dKEW_qS" is used as a lookup table: the code references a hex-encoded string by index whenever it needs to initialize, process or execute something.

Figure 3 - Referencing the hex-encoded string array

Attacking The Problem - De-Obfuscation

Now we know the problem and how the obfuscation works. We can start analyzing it either manually, checking or referencing the hex-encoded string as we go through the code, or, "if you're lazy like me", with a simple script.

So the goal of my script is the following:
1. Read each line of the WSHRAT script and check whether it contains a reference to the array "dKEW_qS[]".
2. If yes, grab the index number, locate the hex-encoded string and normalize it.
3. Copy that line into the output file and create a comment below the original code line.
4. If not, just copy the original line.
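The following is an added Python example implementing these four steps; it is not the author's script. It assumes the array is declared as `var dKEW_qS = ["...", ...]` with plain or `\x`-style hex strings, and the sample text embedded below is constructed to have that shape, not the real malware.

```python
import re

# Constructed sample in the shape the post describes (not the real WSHRAT
# code): a hex-string array named dKEW_qS and code that indexes into it.
SAMPLE = r'''var dKEW_qS = ["57536372697074", "5368656c6c", "52756e"];
var a = WScript.CreateObject(dKEW_qS[0] + "." + dKEW_qS[1]);
a[dKEW_qS[2]]("calc.exe");
var plain = "no reference here";
'''

ARRAY_RE = re.compile(r'var\s+(\w+)\s*=\s*\[([^\]]*)\]')   # var NAME = [ ... ]
REF_RE = re.compile(r'(\w+)\[(\d+)\]')                      # NAME[index]


def decode_hex(h: str) -> str:
    """Turn "48656c6c6f" or "\\x48\\x65..." into readable text."""
    return bytes.fromhex(h.replace("\\x", "")).decode("latin-1")


def load_table(script: str, name: str) -> list:
    """Find the array `name` in the script and decode every element."""
    for m in ARRAY_RE.finditer(script):
        if m.group(1) == name:
            items = re.findall(r'"([^"]*)"', m.group(2))
            return [decode_hex(h) for h in items]
    raise ValueError(f"array {name} not found")


def annotate(script: str, name: str) -> str:
    """Steps 1-4: copy each line; below lines that index `name`, add a
    JS comment giving the decoded string for every referenced index."""
    table = load_table(script, name)
    out = []
    for line in script.splitlines():
        out.append(line)                                   # step 3/4: keep line
        refs = [int(i) for n, i in REF_RE.findall(line) if n == name]
        if refs:                                           # step 1/2: resolve
            notes = ", ".join(f"{name}[{i}] = {table[i]!r}" for i in refs)
            out.append(f"// {notes}")
    return "\n".join(out)


if __name__ == "__main__":
    print(annotate(SAMPLE, "dKEW_qS"))
```

To use it on a real file, read the script text from disk and write `annotate(...)` to the output file.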


Below is the example console output of the script I created, showing how it replaces every array index with its normalized string.

Figure 4 - Console output of the script

Below is the output file generated by the script I created, where it creates a comment for each line that references the array, with the normalized string counterpart. Now it is easier to read, right! ;)

Figure 5 - Before and after the execution of the script

I know the script is not fancy, but the help it gives for analysis is really worth it. After having the output of my script I understood some of its feature functions, like RDP(), keylogger() and reverseproxy(), better. I thought all those functions would be done within the script, but nope: it decodes a base64-encoded .NET executable file for each of those payloads and runs it :).

Figure 6 - getRDP function before and after the execution of the script

Figure 7 - getKeyLogger function before and after the execution of the script

Figure 8 - getReverseProxy function before and after the execution of the script

And some noteworthy behavior can easily be seen now after normalizing it.

Figure 9 - UAC bypass and defense evasion technique

Conclusion:

In this blog we learned that sometimes, if you have the time, it is really worth doing a deep dive on some technique used by malware, especially obfuscation, because at the end of the day you will learn something new.

Hashes:

