Analyzing JavaScript in HTML

1. Analyzing re_texrjs.html:

  • Initial Inspection with Notepad++:

    • atob() Function:

      • This is a base64 decoding function.

      • Decodes the data passed to the document.write() function.

      • document.write() expects HTML, indicating the decoded data is another HTML code.

  • Using CyberChef for Decoding:

    • Step 1: Copy the base64 data from the HTML file.

    • Step 2: Use CyberChef to decode the base64 string.

    • Decoded Output: Reveals another stage of JavaScript within <script> tags.

2. Analyzing the Decoded JavaScript:

  • Inspecting with Notepad++:

    • The JavaScript begins with an eval() function.

    • Key Functions to Look For:

      • document.write(): Dynamically writes its string arguments into the HTML document; the arguments are expected to be in HTML format.

      • eval(): Executes the passed string as JavaScript code; often used by threat actors for executing obfuscated code.

  • Modifying the Code:

    • Replace the eval() function by storing its argument in a new variable, two_eval.

    • Modify the script to include HTML tags for debugging.

    • Save the modified file as decoded.html.
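
An added example (not code from the original notes) that scripts sections 1 and 2 in Node.js: it decodes the base64 passed to document.write(atob(...)) and rewrites the leading eval( into a two_eval assignment, without executing the sample. The three stages and all helper names are constructed for illustration, and the loop goes beyond the notes by peeling repeated base64 layers.

```javascript
// Constructed, harmless three-stage sample (not the page's re_texrjs.html).
const stage3 = "console.log('constructed final stage');";
const stage2 = "<script>eval(" + JSON.stringify(stage3) + ".split('').join(''));</script>";
const stage1 = '<html><body><script>document.write(atob("' +
  Buffer.from(stage2).toString("base64") + '"));</script></body></html>';

// Statically peel each document.write(atob("...")) layer; nothing is executed.
function peelBase64Layers(html, maxLayers = 10) {
  const pattern = /document\.write\(\s*atob\(\s*["']([A-Za-z0-9+\/=\s]+)["']\s*\)\s*\)/;
  let current = html;
  let layers = 0;
  for (; layers < maxLayers; layers++) {
    const match = pattern.exec(current);
    if (!match) break;
    // atob() yields a binary string, so decode as latin1 to match it.
    current = Buffer.from(match[1], "base64").toString("latin1");
  }
  return { html: current, layers };
}

// Pull the first inline <script> body out of a decoded stage.
function firstScriptBody(html) {
  const match = /<script[^>]*>([\s\S]*?)<\/script>/i.exec(html);
  return match ? match[1].trim() : null;
}

// Swap a leading eval( for an assignment so the argument is stored, not run.
// The opening parenthesis is kept, so the original closing one still balances.
function replaceEvalWithVariable(js, varName = "two_eval") {
  if (!/^eval\s*\(/.test(js)) throw new Error("stage does not start with eval(");
  return js.replace(/^eval\s*\(/, "var " + varName + " = (");
}

// Wrap the rewritten script in HTML tags, ready to save as decoded.html.
function buildDebugPage(js) {
  return "<html>\n<body>\n<script>\n" + js + "\n</script>\n</body>\n</html>\n";
}

function unwrapSample(html) {
  const { html: decoded, layers } = peelBase64Layers(html);
  const body = firstScriptBody(decoded);
  if (body === null) throw new Error("no <script> found in decoded stage");
  const rewritten = replaceEvalWithVariable(body);
  return { layers, rewritten, page: buildDebugPage(rewritten) };
}

console.log(unwrapSample(stage1).page);
```

The printed page is what gets saved as decoded.html; the argument expression is only evaluated later, when the file is opened in the browser inside the analysis VM.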

3. Debugging with Google Chrome:

  • Loading the Modified HTML File:

    • Drag and drop decoded.html into Chrome.

    • Expectation: The code executes, resulting in a string stored in two_eval.

  • Using Developer Tools:

    • Press F12 to open Developer Tools.

    • Navigate to the Sources tab and locate the decoded.html file.

    • Inspect Variable Contents:

      • Enter the two_eval variable name in the Console tab to view its content, revealing more JavaScript code.

  • Behavior Analysis:

    • The final stage displays a message and redirects to a potentially malicious domain, thisbadsite.com.

4. Debugging JavaScript with Visual Studio Code (VS Code):

  • Installation Issues:

    • If issues arise with VS Code on Flare VM, reinstall it using the Chocolatey package manager.

    • Disable Internet: Avoid conflicts with loopback addresses during debugging.

  • Setting Up Debugging in VS Code:

    • Open the HTML sample in VS Code.

    • Add a new line before the JavaScript code to enable breakpoint setting.

    • Set a breakpoint by pressing F9 or clicking next to the line number.

    • Click the Debug icon and select Run and Debug using Chrome.

  • Debugging Process:

    • Breakpoint Hit: VS Code opens Chrome and stops at the breakpoint.

    • Using Step Functions:

      • F11 (Step Into): For functions like document.write() or eval().

      • Shift + F11 (Step Out): To exit loops or functions.

    • Final Stage Analysis: Continuously pressing F11 shows the obfuscated text, followed by the final JavaScript stage.

5. Key Takeaways:

  • Understanding Functions:

    • Familiarize yourself with functions like document.write() and eval() for effective JavaScript analysis.

  • Obfuscation Awareness:

    • Be cautious of obfuscated JavaScript code, often used by threat actors to hide malicious activity.

  • Tool Utilization:

    • Use CyberChef for decoding and Notepad++ or VS Code for detailed inspection and debugging.

  • Practical Debugging:

    • Visual Studio Code offers advanced debugging features, allowing you to control the execution flow and analyze each stage of JavaScript code in detail.
