Published on January 25th, 2018 | 8035 Views

Analyze JavaScript and VBScript Malware With x64dbg Debugger and API Hooking




Open Analysis Live! The fastest way to analyze JavaScript and VBScript malware is to run it under a debugger and hook the API calls the script host makes. In this tutorial we demonstrate this technique with the x64dbg debugger and then demo frida-wshook, a tool that automates the whole process.

NOTE: as Duncan Ogilvie pointed out, I made a mistake when describing the DLL breakpoints; they actually just break when a DLL is loaded and after that on the DLL entry point. Thanks Duncan!

The malicious JavaScript can be downloaded here:
http://malshare.com/sample.php?action=detail&hash=77996383ebb12476d1896eeb8dedf70b

Our other tutorial on manually deobfuscating wscript can be watched here:

You can find x64dbg here:
https://x64dbg.com/#start

The automated deobfuscation tool frida-wshook can be found on our GitHub here:
https://github.com/OALabs/frida-wshook

Here are some links to other excellent wscript analysis tools:
Macros
https://github.com/egaus/maliciousmacrobot

Windbg JavaScript analysis
https://github.com/szimeus/evalyzer
Online JS WScript analyzer
https://mrpapercut.com/sites/wscript/

Another JS sandbox
https://github.com/HynekPetrak/malware-jail

JStillery an automated JS deobfuscator
https://github.com/mindedsecurity/JStillery/

Feedback, questions, and suggestions are always welcome : )

Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw

As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
