Warning
This section is a work in progress. While the example still works, the features have expanded a lot.
A tool for studying JavaScript malware
Box-js is a JScript emulator aimed at analyzing JavaScript droppers typically found in malicious e-mails. It is meant to be significantly faster than virtual machine-based analysis, cutting analysis times down to 10-20 seconds per sample while using a fraction of the memory, yet it remains flexible enough to assist a malware researcher in reverse engineering a single sample.
For a general overview of box-js, see the presentation Automating malware analysis with Node.js, Docker and RabbitMQ (also available in Italian).
Requires Node 6.x or greater.
$ npm install --global box-js
$ box-js sample.js --download --no-kill --timeout=60
Analyzing sample.js
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: WScript.Shell
New ActiveXObject: MSXML2.XMLHTTP
New ActiveXObject: ADODB.Stream
Header set for http://foo.bar/admin.php?f=1.dat: User-Agent Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Emulating a get request to http://foo.bar/admin.php?f=1.dat
Downloaded 198353 bytes.
Saved sample.js.results/fa9870f9-c3f9-4c06-bcf7-2472d9ebae4f (198353 bytes)
sample.js.results/fa9870f9-c3f9-4c06-bcf7-2472d9ebae4f has been detected as PE32 executable (GUI) Intel 80386, for MS Windows.
Active URL detected: http://foo.bar/admin.php?f=1.dat
Executing sample.js.results/9539b473-c62d-4b99-a659-5aa28842aacc in the WScript shell
$ cat sample.js.results/9539b473-c62d-4b99-a659-5aa28842aacc
cmd.exe /c (Temporary folder)(Temporary file) 0