akira.red - how to defeat aes-256-cbc with one console.log

initial analysis

The sample was first analyzed using Detect It Easy (DIE).

The result was unremarkable. No meaningful signatures, no obvious indicators, and nothing immediately useful.

At this point, suspicion only increased.


binwalk findings

Next, the sample was run through binwalk, which revealed something more interesting:

7-zip archive data detected

After extracting the contents and navigating the directory, the structure looked very familiar.

This was not a native binary. It was an Electron application.

And like most packaged Electron apps, it shipped its application code in an .asar archive, a plain uncompressed container that offers no protection at all.


inspecting the electron application

Once unpacked, several files stood out:

  • input.js
  • obf.js
  • jscrypter

The naming suggested an attempt at obfuscation rather than real protection.

As expected, obf.js was heavily obfuscated. However, input.js appeared far more readable and likely contained the attacker’s actual logic.


the critical mistake

While reviewing the code, a function named decrypt stood out, along with a constant called decrypted that held its result.

Given that the decryption key was hardcoded in the same file as the ciphertext it protected, the stub already contained everything needed to recover the payload. The next step was straightforward: log the decrypted output.

A single console.log(decrypted) was added.


it really was that simple

The obfuscation did not hold up.

The decrypted output revealed a poorly written JavaScript-based information stealer, masquerading as a Minecraft exploit tool. The attacker’s webhook had already been deleted the same day the sample was reverse engineered.


attribution

Further research and comparison suggest the malware aligns with Akira Stealer behavior.

reference:
https://www.cyfirma.com/research/akira-stealer-an-undetected-python-based-info-stealer/

While this sample was implemented in JavaScript rather than Python, the intent and behavior are consistent.


outcome

shortly after analysis, GitHub removed the malicious repository.

Credit where it's due: the response was fast.


closing thoughts

This sample is a reminder that:

  • many "undetectable" tools rely more on obfuscation than sophistication
  • Electron applications are often trivial to reverse when attackers are careless
  • sometimes reversing malware really is just one console.log() away