Here I demonstrate how to reverse engineer packed JavaScript, which is VERY noisy and difficult to analyse at first glance. I show you how to very quickly peel back the layers so you can get to the true logic that the bad-guy is implementing, and from there extract all the key IOCs from the file, including file and network indicators.
I use Sublime Text to analyse the file statically, and use the "Prettify" plugin to make life super-easy as it makes JavaScript much more readable.
I also show you a "Matching Bracket Method" which cuts through the noise by finding the end of pointless and junk functions defined in the sample. This is SUPER useful for quick analysis and will save you reverse engineering code that is never called.
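The "Matching Bracket Method" above is done by hand in Sublime Text; the script below is an added example (not from the video or its author) that automates the same idea on a constructed, packed-looking snippet: it finds the closing brace of each function declaration while ignoring braces inside string literals and comments, flags declared functions that are never called anywhere else (the junk you can skip), and then lists the string literals that survive outside that junk as the first place to look for file and network indicators. The sample JavaScript, the function names and the domain `example.invalid` are all made up for the demo.

```python
import re

# Constructed sample modelled on packer noise: two junk functions that are never
# called, one real function that is.  junk2 deliberately puts braces inside
# string literals, which a naive brace counter would trip over.
SAMPLE_JS = r'''
function junk1(a, b) { var x = {k: [1, 2, {z: 3}]}; return x.k[2].z + a; }
function junk2(s) { var t = "}"; if (s) { t = '{' + s; } return t; }
function real(u) { return "http://" + u + "/x.bin"; }
var url = real("example.invalid");
'''

FUNC_DECL = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")
STRING_LIT = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")


def find_matching_brace(src, open_idx):
    """Return the index of the '}' that matches the '{' at src[open_idx].
    Braces inside '...' / "..." strings and // or /* */ comments are skipped.
    (Template literals and regex literals are not handled; a limitation.)"""
    assert src[open_idx] == "{"
    depth, i, n = 0, open_idx, len(src)
    while i < n:
        c = src[i]
        if c in ("'", '"'):                      # skip a string literal
            i += 1
            while i < n and src[i] != c:
                if src[i] == "\\":
                    i += 1                       # skip escaped char
                i += 1
        elif src.startswith("//", i):            # skip a line comment
            i = src.find("\n", i)
            if i == -1:
                break
        elif src.startswith("/*", i):            # skip a block comment
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 1
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced braces")


def function_spans(src):
    """Map each declared function name to the (start, end) slice of its whole
    declaration, using the bracket matcher instead of reading the body."""
    spans = {}
    for m in FUNC_DECL.finditer(src):
        close = find_matching_brace(src, m.end() - 1)
        spans[m.group(1)] = (m.start(), close + 1)
    return spans


def uncalled_functions(src):
    """Declared functions never referenced outside their own declaration:
    junk candidates that need not be reversed.  (Single pass: a junk function
    called only by another junk function is not pruned transitively.)"""
    dead = []
    for name, (start, end) in function_spans(src).items():
        outside = src[:start] + src[end:]
        if not re.search(r"\b%s\s*\(" % re.escape(name), outside):
            dead.append(name)
    return sorted(dead)


def live_string_literals(src):
    """String literals outside the uncalled functions: the constants worth
    reading first when hunting for file and network indicators."""
    spans = function_spans(src)
    cut = sorted(spans[name] for name in uncalled_functions(src))
    kept, last = [], 0
    for s, e in cut:
        kept.append(src[last:s])
        last = max(last, e)
    kept.append(src[last:])
    return [m.group(0)[1:-1] for m in STRING_LIT.finditer("".join(kept))]


if __name__ == "__main__":
    print("never called:", uncalled_functions(SAMPLE_JS))
    print("live strings:", live_string_literals(SAMPLE_JS))
```

On the constructed sample this reports `junk1` and `junk2` as never called and leaves `http://`, `/x.bin` and `example.invalid` as the live strings. On a real sample the string list is only a starting point: packers also build indicators from concatenation, `String.fromCharCode` and `eval`, so the remaining live code still has to be read.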
Sample Reviewed:
zixmail15.js
MD5: e3decc9aa0d96ac5eb89b54b668e1f91
https://www.virustotal.com/#/file/36076945c5524a2a906ff13f210619f590762939195444878da2de6c7f764e8e/detection
Tools:
Sublime Text: https://www.sublimetext.com/
Prettify Plugin: https://packagecontrol.io/pa...