Malicious JavaScript Vjw0rm / STRRAT Analysis
I'll grab a JavaScript file from Malware Bazaar and take a look. There are several layers of obfuscated JavaScript, during which it drops and runs a Java Jar file (potentially STRRAT), and eventually we'll find vjw0rm and look at the different commands it can get from the C2 server. I'll make use of VSCode, CyberChef, VirusTotal, and Google along the way.

Sample: https://bazaar.abuse.ch/sample/0a19ba2af0a2c3b6bdb5c7265439185093c1f6e8128338b7d566e3a15cc8b193/

☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf

[00:00] Introduction
[01:12] Initial sample analysis
[02:10] Deobfuscating initial layer
[05:43] Decoding next layer
[06:45] Analysis of "layer1.js"
[10:10] Decoding next JavaScript layer
[10:53] Analysis of "layer2a.js"
[11:55] Decoding next JavaScript layer
[12:50] Analysis of "layer3.js" / vjw0rm
[18:36] Decoding Jar file
[20:30] Analysis of Jar, its files
[21:24] Search VT
[22:58] Searching Google for carLambo
[23:41] Conclusion