Another variant of TamperedChef?

 

**Update**

After a bit of analysis, it looks like I can force the deobfuscated code to run by "patching" the following bit:

    "return (await _0x324dc7(_0x26c49f.HKLM, "Software\\Microsoft\\Cryptography", "MachineGuid")).value;"

Once that is done, I can use --inspect-brk, use the dev view and set a breakpoint at the end, on the eval. In Process Hacker I can see the POST.


The payload can be decoded in CyberChef: Base64 decode, send to HEX, use the first 16 bytes as an XOR key, then take the remaining HEX (From HEX) and apply the XOR key.

You will get something like:

    {"Event":"heartbeat","MachineId":"f4f34c43-9bc1-4a9a-b55f-1d4dd97e0e88","SessionId":"125cc3b3-bc56-474d-817b-badc96d07202","Version":"0.0.2","OSVersion":"10.0.26100","args":""}

Since args doesn't return anything, it's hard to know what this does after the POST of this data.

I started looking at a sample of JustAskJacky.exe which caught my attention thanks to gdata.

I grabbed what appears to be a different version than what they have. I was looking at "aa017ac68f47ee8c8579135bb6af8604856e24f08ba2d89585434e454eb8a295".


This version is using a later version of Inno Setup, so I had to grab the following to extract it: InnoUnpacker



This allows me to look at the scheduled task that gets dropped, as well as the JS file, and some of the workings of this application.


This one is very heavily obfuscated, as can be seen in the screenshot below.


I attempted to play with it, but there are some protections in place I haven't fully gotten around or understood. I used the following to be able to use edge://inspect and step through things, but that wasn't very helpful.

    node.exe --inspect-brk "..\3787c0c1-90e8-4e8f-b66d-9979206b55ed.js"




I have had luck with https://obf-io.deobfuscate.io/ however.

From that I was able to get the following: 

    REQUEST_URL: "api[.]ckvlhijb4e8g0yatim[.]com"


Decoded JS file: 


While this has some vibes of TamperedChef, I haven't been able to get to the point on this particular sample to see much of the same behavior. I'll keep digging though.
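The decoding steps described in the update (Base64, first 16 bytes as a repeating XOR key, XOR the remainder) as a small Python decoder, added here as an example and not code from the original post; the sample beacon below is constructed with placeholder GUIDs and a made-up key, so that it can be checked offline against the expected JSON.

```python
import base64
import json

KEY_LEN = 16  # the post describes the first 16 decoded bytes as the XOR key


def decode_beacon(b64_payload: str) -> bytes:
    """Base64-decode the POST body, then XOR everything after the first
    16 bytes with those 16 bytes used as a repeating key (CyberChef-style)."""
    raw = base64.b64decode(b64_payload, validate=True)
    if len(raw) <= KEY_LEN:
        raise ValueError("payload too short to hold a key plus ciphertext")
    key, body = raw[:KEY_LEN], raw[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def parse_beacon(b64_payload: str) -> dict:
    """Decode and parse the beacon; a sanity check on the 'Event' field catches
    payloads that use a different key length or scheme than the post describes."""
    plain = decode_beacon(b64_payload)
    try:
        obj = json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("decoded bytes are not a JSON beacon") from exc
    if "Event" not in obj:
        raise ValueError("JSON lacks the expected 'Event' field")
    return obj


def encode_beacon(obj: dict, key: bytes) -> str:
    """Inverse of decode_beacon, used here only to build the constructed sample."""
    assert len(key) == KEY_LEN
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    ct = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))
    return base64.b64encode(key + ct).decode("ascii")


# Constructed sample (placeholder IDs, arbitrary key); field names mirror the post.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_BEACON = {
    "Event": "heartbeat",
    "MachineId": "00000000-0000-0000-0000-000000000000",
    "SessionId": "11111111-1111-1111-1111-111111111111",
    "Version": "0.0.2",
    "OSVersion": "10.0.26100",
    "args": "",
}
SAMPLE_B64 = encode_beacon(SAMPLE_BEACON, SAMPLE_KEY)

if __name__ == "__main__":
    print(json.dumps(parse_beacon(SAMPLE_B64), indent=2))
```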



