Box.js

A tool for studying JavaScript malware

Box-js is a JScript emulator aimed at analyzing JavaScript droppers typically found in malicious e-mails. It is meant to be significantly faster than virtual machine-based analysis, cutting analysis times down to 10-20 seconds per sample using a fraction of the memory; however, it is also flexible enough to assist a malware researcher in reverse engineering a single sample.

For a general overview of box-js, see the presentation Automating malware analysis with Node.js, Docker and RabbitMQ (also available in Italian).

Main features

ActiveX emulation

The strength of box-js lies in ActiveX emulation: it creates stubs of ActiveX plugins that from the sample's point of view work exactly like their Windows counterparts, but "behind the scenes" record every interaction. It supports all major plugins (MSXML2.XMLHTTP, WScript.Shell, ADODB.Stream, Scripting.FileSystemObject) and some minor ones: here is the full list.

Suitable for integration

Although box-js can be used on its own, it can also integrate with various tools in an analysis pipeline.

At the most basic level, box-js exports the list of files and URLs in JSON, which can be easily read by both humans and tools, as well as manipulated with grep/sed/awk.
After the analysis, it can submit the results to a Cuckoo instance, Malwr, or VirusTotal with their respective APIs.
It features a Cuckoo processing module, enabling box-js to be used as part of a complex toolchain. The module itself relies on a REST API to upload samples and retrieve results.

Secure

The malicious sample is isolated from the analysis module via a V8 sandbox which doesn't expose system APIs to the malicious sample, which is further hardened to prevent escaping. Most importantly, every analysis should be run in a Docker container with limited host filesystem access, meaning that an attack on box-js can only compromise one analysis, not the entire system.

Installation

Requires Node 6.x or greater.

$ npm install --global box-js

Usage

Warning

This section is a work in progress. While the example still works, the features have expanded a lot.

$ box-js sample.js --download --no-kill --timeout=60
Analyzing sample.js
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: WScript.Shell
New ActiveXObject: MSXML2.XMLHTTP
New ActiveXObject: ADODB.Stream
Header set for http://foo.bar/admin.php?f=1.dat: User-Agent Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Emulating a get request to http://foo.bar/admin.php?f=1.dat
Downloaded 198353 bytes.
Saved sample.js.results/fa9870f9-c3f9-4c06-bcf7-2472d9ebae4f (198353 bytes)
sample.js.results/fa9870f9-c3f9-4c06-bcf7-2472d9ebae4f has been detected as PE32 executable (GUI) Intel 80386, for MS Windows.
Active URL detected: http://foo.bar/admin.php?f=1.dat
Executing sample.js.results/9539b473-c62d-4b99-a659-5aa28842aacc in the WScript shell

$ cat sample.js.results/9539b473-c62d-4b99-a659-5aa28842aacc
cmd.exe /c (Temporary folder)(Temporary file) 0