20
Lor-inc
45d

Any malware specialists here?
Yesterday I started dismantling the virus that is spreading on facebook messenger these days.
What techniques do you use? Any special trick that doesn't require years of practice and could make my job easier? I have already familiarized myself with the nicifier and Function.ToString() traps. Now I have an 850 line JS file full of weird code and I have deciphered like 70 lines so far so I'm looking for some tool, strategy or algorithm to make my job easier.

Comments
  • 2
    What Kind of Virus are we talking about?
  • 1
    Cause if it was a normal executable, .elf, .exe, etc. You could have looked a ghidra, tho I got no idea how it is with JS.
  • 4
    Here's my code if anybody cares.

    https://github.com/theitsloth/...
  • 3
    @Ranchu No clue. Since it's not even a thousand lines, I figured that trying to observe what it does would be more difficult than reading the code.
  • 1
    @Lor-inc Well you could setup a VM and let have it's fun
  • 1
    @Lor-inc Shellcode Looks painfully similar to metasploit.
  • 5
    @Ranchu Nah, I already have a little over a hundred lines deciphered and I'm starting to get an intuition for it.

    Really, the uglifier just basically applies a few pre-programmed isomorphic transformations to the AST at random. And it isn't even that good. All locally defined functions are either pure or interact with globals only in a sensible manner. Basically it's just shuffling lines and adding round-trips, but it doesn't change behavior significantly.
  • 1
    Pretty interesting
  • 0
  • 1
    Yea it's actually an incredibly dumb phishing thing. However it submits the loot to lsddgroup.host, if anyone wishes to do a little pentesting I'd suggest testing the shit out of them.
Add Comment