Malware-Jail is a sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. It is written for Node.js.
It runs on any operating system. Developed and tested on Linux, Node.js v6.6.0.
Note: Due to use of some ES6 features, you’ll need Node.js >= 6.x.
How To Install Malware-Jail
You'll need Node.js and npm installed, because malware-jail is built on top of minimist, iconv-lite and entities.
Pull from GitHub
Pull the source with git:
Then install all the dependencies (minimist, entities, iconv-lite) with:
Usage
In the examples folder you may find a deactivated malware file. Run the analysis with:
Browser-based malware you may test with:
At the end of the analysis the complete sandbox context is dumped into a `sandbox_dump_after.json` file.
You may want to examine the following entries of `sandbox_dump_after.json`:
- eval_calls – array of the arguments of all eval() calls. Useful if eval() is used for deobfuscation.
- wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved into the output/ directory too.
- wscript_urls – all URLs that the malware intended to GET or POST.
- wscript_objects – WScript or ActiveX objects created.
`sandbox_dump_after.json` uses JSONPath, implemented by JSON-js/cycle.js, to save duplicated or cyclic references to the same object.
Sample Output
In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf
Examples
Example: Analysing Wileen.js
Therefore you may want to use an alternate config file, which does not load browser/DOM components:
Interesting use of Powershell:
Example: Analysing ORDER-10455.js
Taking malicious JavaScript from malwr.com: ORDER-10455.js
First run without interaction with remote servers:
You get something like:
If we want to get the real payload, run it with `--down=y`:
Example: Analysing Norri.js
Behaviour is obvious from the log. Payload has been extracted into the output/TemporaryFolder_TempFile[15] file.
Example: Analysing Angler EK
Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into malware/angler/angler_full.html.
Strip the non-Angler part and save it as malware/angler/angler_stripped.html.
Remove