Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Using JSDetox to Analyze and Deobfuscate Javascript - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Using JSDetox to Analyze and Deobfuscate Javascript

Last week Daniel published the diary Run, Forest! If you are using Snort IDS and running some of the Blackhole signatures from Emerging Threats, you most likely noticed they trigger on Blackhole regularly. Using JSDetox, you can finally view the content of these scripts. All you need is a copy of the script and install JSDetox on a Linux system (mine is running on Slackware).

Steps to Decode Java Obfuscated Script

1- Copy the code into the Code Analysis window and select Analyze.


2- The script will then be formatted in the Code Formatted window.



3- Select Execute, then select Show Code and Send to Analyze to show the script in its actual deobfuscated form.


The final result is quite similar to the Wepawet report in Daniel's diary.



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


522 Posts
ISC Handler
Jun 25th 2012

I think that's the code I submitted.

Also, thanks for introducing me to JSDetox, this will come in handy.

12 Posts
Guy on our team wrote this about two weeks ago, does all of this for you on a web page:
4 Posts

Sign Up for Free or Log In to start participating in the conversation!