Amazing way to analyze jscript file. Love your vid
@MalwareAnalysisForHedgehogs 7 years ago
I never thought about analyzing JScript files this way. Thanks for the video! Good to have this technique in the back of my head. Btw, this is JScript, not JavaScript.
@OALABS 7 years ago
Ah you are right, I was lazy ... I should have been saying JScript. I wanted to say JavaScript in the title because a lot of people know this as "JavaScript" but I should have clarified in the video and used the right terminology : )
@ganeshkumargopinathan6375 6 years ago
Best video for script debugging ! You guys are awesome!!!
@ganeshkumargopinathan6375 6 years ago
Please can you tell me... how to find the APIs and DLLs used by WScript to run our .js file? Would procmon or API Monitor be helpful to trace this?
@mrexodia 7 years ago
Minor correction about DLL breakpoints, they actually just break when a DLL is loaded and after that on the DLL entry point (and TLS callbacks if they exist). Another tip, you can use gflags.exe (included with windbg) and change the ImageFlags to launch x96dbg.exe when mscript or powershell is started. That way it will automatically attach the debugger to it :) You can also use the address view in the dump for a quick overview of a struct with its strings if the struct is pointer aligned. It is also possible to use the struct view to display more complex structs but this isn’t a great workflow yet :)
@OALABS 7 years ago
Whoa cool, are you THE Duncan Ogilvie (mrexodia)??? If you are, then many, many thanks for all your work! These tips are great and thanks for the extra info on how the DLL breakpoints are set, I made a bad assumption due to the double break. I have recently been trying to force myself to use x64dbg so I can finally replace ollydbg but I'm still not super familiar with it. Keep those tips coming! : ))
@Ivo-- 6 years ago
Great video as always. I really enjoy these, keep it up!
@witoldawacz6818 6 years ago
Awesome video! Just a small comment, I agree with Ethereal X0R ... The analysts, especially those from IR, must be sure of any possible callbacks/additional fallback IPs/domains, which could be missed if we use hooking etc. The hooking technique is extremely useful though for fast triage. Thanks again for the valuable content that you are producing.
@OALABS 6 years ago
Thanks! And absolutely you guys are right. If you just want to quickly rip out the C2 hooking is great but if you need to do a more in-depth analysis you are going to have to start deobfuscating the code. Also great point about the fallback domains, that is something Sean has talked about in some of our other tutorials... just because you get one domain with a sandbox doesn't mean it's the only one : ) A really good lesson for anyone doing IR and probably something I should have mentioned in this vid! Thanks again!
@fade242black 6 years ago
Great video of a cool technique. Keep up the great work!
@mr_fearless 7 years ago
Nicely done. Also good and useful overview of using x64dbg for this.
@shans2408 6 years ago
You are one awesome guy. I have been looking all over the net for malware analysts until now. Love your videos, keep uploading. Btw what if I manually look for shellexecute in the scripts and replace them with print?
@OALABS 6 years ago
Thanks so much! Also, you are absolutely correct, replacing interesting calls with print statements is a great way to see what the malware is doing. However, it might be more time consuming if there are multiple layers of decoding because you will have to keep reading through each layer and adding the statements. For simpler scripts this will work but for more complex ones either using API hooks as we have shown, or overriding the actual method with your own code in the script, are the quickest ways.
@justinrogers8096 5 years ago
Awesome content, thank you.
@AnuragGawande 4 years ago
Thanks for this cool video. Definitely will try it out. :)
@kumanish75 2 years ago
amazing video
@kg1582 7 years ago
Thanks for sharing. How do I download the "malicious JavaScript"? I can't find a download button on malshare.
@OALABS 7 years ago
To download the sample you will first need to register for a free account here: malshare.com/register.php. They will provide you with an API key when you register that you can use to download the sample here: malshare.com/pull.php. Just enter your API key and the sample hash 7616fd825e223fb6f7bfdc0c025a2cf0196b8959cad69eda959c21a7d31e71d5
@kg1582 7 years ago
👍
@SoftDatCLS 6 years ago
Great Job!!! very nice video bro
@chaitanyaghorpade8092 4 years ago
Tried executing it on a 64-bit VM following the same steps, but at the breakpoint it got stuck at the sys32.dll entry point. Can anyone guide me regarding this issue?
@salemarsm 6 years ago
Amazing video... tnx!
@justreverseengineering836 1 year ago
I see you do a lot of static analysis. Maybe something like dynamic analysis featuring the x64dbg would be cool 😎. Thanks
@stevestef07 7 years ago
Great tutorial!
@artember1200 3 years ago
mind blown
@shell2673 6 years ago
thank you
@sathishds86ds 5 years ago
Thanks for these videos. I tried the same steps for a VBS script and it fails. Could you please share the steps for VBS?
@sathishds86ds 5 years ago
I mean the VBA macro.
@x-defenderlabs6101 5 years ago
thanks bro :")
@chinmay8954 7 years ago
Super helpful video, thanks a lot! :) How do you get around sleep-based evasions (using WScript.Sleep()) for example? Possible ways would be to hook into ws2_32.dll or using instrumentation to control those calls. Any other ideas which might be useful?
@OALABS 6 years ago
Thanks! This is a great question! So you are correct that the way I would proceed would be to maybe hook Kernel32 Sleep or maybe some other APIs used to delay execution and just return from the call immediately or change the sleep value to something smaller. I saw a good tip for this in another comment; in this video we show a very manual way of setting the hooks but if you just wanted to trace all the API calls to see if there was some sleep type call being made you could try API Monitor www.rohitab.com/apimonitor. This is a great tool for API tracing and once you have identified the APIs that you want to hook you could then go back to frida-wshook or your debugger and implement the hook code.
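The in-script alternative mentioned in two replies above (overriding the host's methods with your own code, and neutralising WScript.Sleep delays) as an added example that is not from the video, the comments or frida-wshook. It is a shim an analyst prepends to a JScript sample so that shell, file and sleep calls are logged instead of executed; the ActiveXObject/WScript stand-ins and the sample script are constructed for illustration, and the whole thing runs under Node for demonstration.

```javascript
// Added example: "method override" shim for JScript sample triage (constructed, not the video's code).
// Log of intercepted calls, consulted by the analyst after the script finishes.
const CALL_LOG = [];

function record(obj, method, args) {
  CALL_LOG.push({ obj, method, args: Array.from(args) });
}

// Stand-in for the script host's ActiveXObject constructor: every method on the
// returned stub records its arguments and returns a harmless value instead of acting.
function ActiveXObject(progId) {
  const name = String(progId).toLowerCase();
  const methods = {
    'wscript.shell': ['Run', 'Exec', 'ExpandEnvironmentStrings'],
    'shell.application': ['ShellExecute'],
    'scripting.filesystemobject': ['CreateTextFile', 'FileExists', 'DeleteFile'],
    'msxml2.xmlhttp': ['open', 'send', 'setRequestHeader'],
  };
  const stub = {};
  for (const m of methods[name] || []) {
    stub[m] = function () { record(name, m, arguments); return 0; };
  }
  return stub;
}

// Stand-in for the WScript host object: Sleep is recorded but never waits,
// so a delay-based evasion costs the analyst nothing.
const WScript = {
  Sleep() { record('wscript', 'Sleep', arguments); },
  Echo() { record('wscript', 'Echo', arguments); },
};

// Constructed sample script (not real malware): the shape of a typical dropper stub.
// Returns the sequence of intercepted method names so the result can be checked.
function runSample() {
  CALL_LOG.length = 0;
  const sh = new ActiveXObject('WScript.Shell');
  WScript.Sleep(60000);
  const tmp = sh.ExpandEnvironmentStrings('%TEMP%');
  sh.Run('cmd /c echo [constructed payload] > ' + tmp + '\\x.txt', 0, true);
  return CALL_LOG.map(e => e.method);
}
```

Prepending the shim to a real sample only works for the first layer; once a decoded layer re-creates ActiveXObject via eval, the same shim has to be re-applied to the decoded text, which is the layering cost the reply above describes.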
@chinmay8954 6 years ago
Ah, I see. Thanks ! :D
@taedopalleb1373 5 years ago
This is amazing, love the vid and the concept of YT channel that analyzes code #PapaBless