Use Babel to Deobfuscate JavaScript Malware

malware-analysis, technology 2026-01-18
In this blob post, I will describe how I wrote a config extractor for obfuscated JavaScript-based GootLoader component. The hard part of automating the config extraction is the obfuscation: the C2 servers are just plain text in the last stage. All code is on Github if you are just interested in that. # Intro A fellow Cyberian struppigel recently released Samplepedia, a platform were people can drop SHA256 hashes of files with a description and an analysis goal and some other metadata. My understanding is that the goal is to finally have a place to find interesting malware to analyze, a question I get asked a lot when teaching reverse engineering. Naturally I picked a task myself and decided to do one involve JavaScript, something I don't have a lot of expose to as a reverse engineer (I do have some exposure to it as a forward engineer, but that's a different story). The sample in question is 1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f and the task is: > Create a static C2 extractor that uses abstract syntax tree transformations with Babel. You can use astexplorer.net as helper tool. I was particularly intrigued because I've recently seen other people be extremely successful leveraging "normal dev tooling" in the JavaScript ecosystem to tackle challenges with JavaScript-based malware. Would you like to know more?

WordPress, KaTeX and the Showdown

latex, technology 2017-06-23
We decided to use the javascript markdown engine [showdown](https://github.com/showdownjs/showdown) for the blawg, and [$\KaTeX$](https://khan.github.io/KaTeX/) for rendering latex. If you think that's a good way to go: Here is how to do it with wordpress.

The Exam Polynomial

mathematics, technology 2015-07-24
When students write exams, they want to know their score as fast as possible. However, the system that is supposed to deliver this information to the students is usually slow, for a lot of reasons that I will not go into. Where I work, it has become quite usual to publish a pdf on the course website that lists the student ID together with the number of points they scored. Since student IDs are usually anonymous, most people don't see it as a problem. However, the more this practice is used, the less anonymous a student ID actually is: Once there are enough of these lists public, this data might theoretically be used to connect a student to his or her student ID only by knowing which courses he or she attended. I propose a much better solution. I did not come up with this myself by the way, this is due to a brillian colleague of mine, but I still wanted to share it with the world. (more…)
Authors have copyrights. People say these things in footers.
All Hail the Great Yawgmoth, Father of Machines.