How do you decode this?

Hello, community.

I’ve been playing with some educational traffic captures from malware-traffic-analysis, and I wanted to get a bit deeper than just analyzing the pcap itself and answering the training questions. I’ve exported some file samples used during the attack and need some help to recover the kill chain.
So here is the contents of interest.

Entropy analysis shows it is not encrypted (it falls into the “regular English text” range), so I presume it is some JS script. And the data itself kind of seems to be some variation of a “kid’s secret language”. But anyway, I could not figure out how to crack such a thing. I need advice on what the general approach is to such cases.


Heh. As it usually happens, once you have asked someone, you magically figure out some key thing about the subject.

I have noticed that the symbols were not obfuscated: dots, semicolons, slashes, etc. So I decided to try just removing some repeating sequences, particularly “f3t_542”. CyberChef helped with this, and in a second I had something much more readable. Next I did the code-beautify magic and found an interesting chunk of data, obviously Base64 encoded. Several more mouse clicks and I see VBScript with the exact URL I saw during the PCAP analysis hardcoded right into the script!

Why didn’t I notice all this immediately?
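The three steps described in the post above (strip the repeating junk sequence, find the Base64 chunk, decode it and pull out the hardcoded URL) can be scripted so the same approach works on the next sample without clicking through CyberChef. The following is an added example, not the poster's file or code: the junk token "f3t_542" is the one named in the post, but the VBScript body and the URL are placeholders constructed here so the script runs offline.

```python
import base64
import re
import string

# ---- Constructed sample (not the file from the post) ------------------------
# The junk token "f3t_542" is the one the post names. The VBScript text and the
# URL below are placeholders made up for this example, not data from the capture.
JUNK_TOKEN = "f3t_542"
PLACEHOLDER_VBS = (
    'url = "http://placeholder.invalid/sample.txt"\n'
    'MsgBox "placeholder payload"\n'
)
B64_BLOB = base64.b64encode(PLACEHOLDER_VBS.encode()).decode()
CLEAN_JS = 'var p = "' + B64_BLOB + '"; eval(atob(p));'


def inject_junk(text, token, every=3):
    """Simulate the obfuscator: insert the junk token between every `every` characters."""
    return token.join(text[i:i + every] for i in range(0, len(text), every))


OBFUSCATED_JS = inject_junk(CLEAN_JS, JUNK_TOKEN)

# ---- Analysis steps, in the order the post describes -------------------------
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def strip_junk(text, token):
    """Step 1: remove every occurrence of the repeating junk sequence (CyberChef Find/Replace)."""
    return text.replace(token, "")


def find_base64_blobs(text):
    """Step 2: pull out long runs of the Base64 alphabet; some may be false positives."""
    return B64_RE.findall(text)


def decode_if_text(blob):
    """Step 3: decode a candidate and keep it only if the result is printable text."""
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    if not all(c in string.printable for c in decoded):
        return None
    return decoded


def extract_urls(text):
    """Step 4: list hardcoded URLs in the recovered script, to match against the PCAP."""
    return URL_RE.findall(text)


def analyze(obfuscated, token):
    """Run the whole chain and return what an analyst would compare with the pcap."""
    cleaned = strip_junk(obfuscated, token)
    decoded = [d for d in (decode_if_text(b) for b in find_base64_blobs(cleaned)) if d]
    urls = [u for d in decoded for u in extract_urls(d)]
    return {"cleaned": cleaned, "decoded": decoded, "urls": urls}


if __name__ == "__main__":
    result = analyze(OBFUSCATED_JS, JUNK_TOKEN)
    print("cleaned script:", result["cleaned"][:60], "...")
    for payload in result["decoded"]:
        print("decoded payload:\n" + payload)
    print("URLs:", result["urls"])
```

The printable-text filter in `decode_if_text` is what keeps the Base64 regex usable on real scripts, where long identifiers and hex strings also match the alphabet; anything that decodes to binary garbage is dropped rather than shown. The URLs recovered at the end are the indicators to cross-check against the HTTP requests in the capture.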


Looks like you did not need help from anyone for this :slight_smile:. Nobody answering your post gave you the push required, I guess. Don’t feel sad if there aren’t many people involved in your post, and the question you just posted is better off on the Discord channel (all the fun is there, just hop in).


I love when that happens! Awesome revelation.