How to analyze the script code from a phishing email?

P

Pavel2018-12-28 19:59:33

Phishing

Pavel, 2018-12-28 19:59:33

Hello.
The company I work for often has phishing emails. Users are warned, they try not to take unnecessary actions when a mailing occurs. All mailing cases are promptly eliminated, and generally do not cause any particular difficulties.
But not so long ago, a rather unusual thing happened. Letters began to arrive on behalf of one state body. It was real spoofing. Links in the letter led to the state website of Ukraine, from which a malicious archive was pulled. Those. people are well prepared. From the archive, I managed to pull out the code written in js. But well "encrypted". Those. visually, I could not read it, tk. variables are constantly created and reassigned, connected and separated.
Is there a software/service that can make it more readable? A lot of preparation has been done before the mailing, and it seems to me that there is something interesting in it for the security of the company in which I work.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

C

cssman, 2018-12-29
@psycat

According to the task - you need a deobfuscator. But not the fact that it will help (read below).
On the problem - everything is a little deeper, we need a normal mail filter with an antivirus function, we need an antivirus and minimization of permissions on endpoints in order to complicate the launch of malicious executable code as much as possible. If it's possible to put IDS/IPS on the network to track down or prevent further network attacks after the dropper is loaded and running, that would be great.
The malicious code itself needs to be analyzed in the sandbox, trying to deobfuscate and see where it "climbs", what modules it downloads, what commands it receives from the control server, etc.