Malware Analysis 3 ways to deobfuscate JScript and JavaScript malware


Thread author
Staff Member
Malware Hunter
Jul 27, 2015

We use abstract syntax tree manipulation, regex search and replace and dynamic analysis to deobfuscate and unpack GootLoader. Each method has its own pros and cons. GootLoader is an initial infector written in JScript. Current samples feature up to five layers of packed and obfuscated code.

Malware Analysis course:
extract called functions:
gootloader unpacker:
Follow me on Twitter: / struppigel
00:00 Introduction
00:26 First Layer - extract relevant functions
07:24 Regex deobfuscation
14:05 Abstract syntax tree transformations with babel
30:57 Dynamic deobfuscation
40:46 Deobfuscation method overview
41:43 GootLoader unpacker

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.