Deobfuscating JavaScript: A Malware Analyst's Guide

Malware authors often use obfuscation to hide their code's functionality. In this post, we'll explore common JavaScript obfuscation techniques and how to reverse them.

Common Obfuscation Techniques

One common technique is string array encoding. The script holds a large array of strings and references them by index.

var _0xabc123 = ['log', 'Hello, World!', 'console'];
(function(c, d) {
    var e = function(f) {
        while (--f) {
            c['push'](c['shift']());
        }
    };
    e(++d);
}(_0xabc123, 0x123));
var _0x456def = function(a, b) {
    a = a - 0x0;
    var c = _0xabc123[a];
    return c;
};
console[_0x456def('0x0')](_0x456def('0x1'));
      

By analyzing the wrapper functions, we can write a simple script to replace the function calls with the actual string values, making the code readable.

Dynamic Analysis with a Sandbox

Running the script in a controlled environment or browser debugger allows us to observe its behavior, such as network requests or DOM manipulation, without risking our system.

# Using a simple Node.js sandbox
node -e "const vm = require('vm'); const sandbox = { console: console }; vm.runInNewContext('console.log(\'sandboxed\')', sandbox);"
      

Static and dynamic analysis together provide a comprehensive view of the malware's capabilities.