![]() So what I would like to do is replace each expression with the character it evaluates to. You can see that this script contains many expressions similar to the one I just reduced: this is the kind of string obfuscation used in this sample. When a list is evaluated in JavaScript, it evaluates to its last emelent. ![]() So the expression ('office', 'modal', 'dialect', '\u0074informer'.e()) can be replace with expression ('office', 'modal', 'dialect', '\u0074'), or ('office', 'modal', 'dialect', 't'). Method e() returns the first character of the string to which it is applied. This String method is defined farther down in the script: look at the function definition I labeled 2. The last string has a method call (e.()). The expression I labeled 1 is a list of strings. As I wrote in a previous diary, if malware malfunctions, you can still use static analysis. Xavier, handler on duty, analyzed the (malicious) JavaScript in his sandbox, but it failed with an error. Yesterday, Wayne Smith submitted a sample (MD5 F1F31B18259DC9768D8B6132E543E3EE) to the ISC.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |