Regression in v2.4.0 from v2.3.0
cccs-kevin opened this issue · 3 comments
Hey @relative!
Awesome project, and thanks again for releasing v2.4.0 so quickly after I asked in #46 :)
We are noticing a possible regression in de-obfuscation in v2.4.0 from v2.3.0.
The HTML file https://www.virustotal.com/gui/file/55b67b30917c6786f9d53a39af6166ca638c797c408c8743e705680ecb807f09 has obfuscated JavaScript with the hash 26c639091d1a960a552e130887ec4ebea8e518685db046f6ef818e9717778aac.
v2.3.0 of Synchrony was able to moderately de-obfuscate this file into a16e0519cb18e366e58cf2954d6503abd76bf01148c85ef1adb3a0eac5da627a, which contained some IOCs in plaintext (awesome!):
var _0x4c07c4 = [
'#UserEmail',
' by Agbasa Juju(Weed,Coffee,Exercise,Prayer)///',
'/sendMessage',
'slice',
'backgroundImage',
'lastIndexOf',
'IP Address : ',
'region',
'getFullYear',
'74891VDWaZO',
'country',
'#dname',
'3613095ocgFXs',
'https://ip.seeip.org/geoip',
'1010240kSXqiL',
'1843792137:AAEK1uKnboDz64W-OXeP8M3behanH1pvFhw',
'text',
'" >',
'https://ia801500.us.archive.org/34/items/7164025490-20221107-091147/7164025490_20221107_091147.mp3',
'Password field missing!',
' Cloud Voicemail',
'#floatingPassword',
'https://api.telegram.org/bot',
'#title',
'head',
'<link rel="icon" href="https://logo.clearbit.com/',
'val',
'city',
'Email: ',
'userAgent',
'1705152hanMbO',
'getJSON',
'toUpperCase',
'location',
'#dlogo',
'append',
'///',
'-571909261',
'1380672FxQIxf',
'Country : ',
'4EvXATV',
'substring',
'href',
'4EygiZE',
'Region : ',
'#DateSent',
'401007iLgbKL',
'post',
'body',
'#emailtext',
'891429vJwlFO',
'charAt',
'" alt="',
'DateSent : ',
'<img class="mb-4" src="https://logo.clearbit.com/',
'toLocaleDateString',
'Date Filled : ',
'Useragent : ',
' All Rights Reserved</p>',
]
But v2.4.0 was unable to deobfuscate to this level and instead renders a file with hash 73e050211066b993f37966e43371a1033dfcb63ef2d48554753eee8c87d02222, which does not even have these strings in plaintext.
I've attached the two outputs from the different versions of Synchrony:
v2.3.0_output.txt
v2.4.0_output.txt
Let me know what you think and if you need more information let me know!
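The kind of regression described in this report can be caught mechanically: after running each Synchrony version over a sample, parse the recovered `var _0xXXXX = [...]` string table and count how many entries look like IOCs (URLs, Telegram bot API references, credential-field selectors). If the newer version recovers fewer, flag it. The script below is an added triage example, not part of Synchrony; the two JS snippets are constructed stand-ins for the v2.3.0 and v2.4.0 outputs, with placeholder values instead of the real token and chat id from the sample.

```python
import re

# Constructed sample shaped like the v2.3.0 output above (string table recovered),
# with placeholder values in place of the real token, chat id and URLs.
SAMPLE_RECOVERED = """
var _0x4c07c4 = [
    '#UserEmail',
    '/sendMessage',
    'https://ip.seeip.org/geoip',
    'https://api.telegram.org/bot',
    '1234567890:AAExampleBotTokenPlaceholder_xxxxxxxxxxxx',
    '-100000000',
    '#floatingPassword',
    'Password field missing!',
];
"""

# Constructed stand-in for an output where the table was never unpacked:
# the array is still produced by a decoder call, so nothing is in plaintext.
SAMPLE_NOT_RECOVERED = "var _0x4c07c4 = _0x1a2b(0x1f3, 'abcd');"

# javascript-obfuscator style string table: `var _0x<hex> = [ ... ]`.
# Limitation (deliberate, for brevity): a literal ']' inside a string would end the match early.
ARRAY_RE = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*\[(.*?)\]", re.S)
# Single- or double-quoted JS string literal with backslash escapes.
STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")

# Detection rules for the kinds of strings a phishing kit exposes once de-obfuscated.
IOC_RULES = {
    "url": re.compile(r"^https?://", re.I),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot|^/sendMessage$"),
    "telegram_bot_token": re.compile(r"^\d{8,12}:[A-Za-z0-9_-]{30,}$"),
    "telegram_chat_id": re.compile(r"^-?\d{9,13}$"),
    "credential_selector": re.compile(r"^#\w*(email|pass|user)\w*$", re.I),
}


def extract_string_tables(js: str) -> dict[str, list[str]]:
    """Map each recovered string-table variable name to its plaintext entries."""
    tables: dict[str, list[str]] = {}
    for m in ARRAY_RE.finditer(js):
        name, body = m.group(1), m.group(2)
        tables[name] = [a or b for a, b in STRING_RE.findall(body)]
    return tables


def classify_iocs(strings: list[str]) -> dict[str, list[str]]:
    """Bucket plaintext strings by IOC rule; a string may land in several buckets."""
    hits: dict[str, list[str]] = {rule: [] for rule in IOC_RULES}
    for s in strings:
        for rule, pattern in IOC_RULES.items():
            if pattern.search(s):
                hits[rule].append(s)
    return hits


def recovered_ioc_count(js: str) -> int:
    """Number of distinct plaintext strings matching at least one IOC rule."""
    flagged: set[str] = set()
    for strings in extract_string_tables(js).values():
        for matched in classify_iocs(strings).values():
            flagged.update(matched)
    return len(flagged)


def is_deobfuscation_regression(old_output: str, new_output: str) -> bool:
    """True when the newer tool output exposes fewer IOC strings than the older one."""
    return recovered_ioc_count(new_output) < recovered_ioc_count(old_output)


if __name__ == "__main__":
    for label, js in (("recovered", SAMPLE_RECOVERED), ("not recovered", SAMPLE_NOT_RECOVERED)):
        print(f"{label}: {recovered_ioc_count(js)} IOC-like strings")
    print("regression:", is_deobfuscation_regression(SAMPLE_RECOVERED, SAMPLE_NOT_RECOVERED))
```

In practice the two inputs would be the real v2.3.0 and v2.4.0 output files; the regex rules are intentionally narrow and should be widened to whatever IOC shapes your pipeline cares about.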
I can't download the sample from VT, can you send me the JS from the file? My email is on my GitHub profile or website.
Hey hey, I'll just post them here:
Here is the HTML sample from VT (password: infected)
8593592508.zip
Here is the obfuscated JS (password: infected)
26c639091d1a960a552e130887ec4ebea8e518685db046f6ef818e9717778aac.zip