Box.js

A tool for studying JavaScript malware

Box-js is a JScript emulator aimed at analyzing JavaScript droppers typically found in malicious e-mails. It is meant to be significantly faster than virtual machine-based analysis, cutting analysis times down to 10-20 seconds per sample using a fraction of the memory; however, it is also flexible enough to assist a malware researcher in reverse engineering a single sample.

For a general overview of box-js, see the presentation Automating malware analysis with Node.js, Docker and RabbitMQ (also available in Italian).

Main features

ActiveX emulation
The strength of box-js lies in ActiveX emulation: it creates stubs of ActiveX plugins that from the sample's point of view work exactly like their Windows counterparts, but "behind the scenes" record every interaction. It supports all major plugins (MSXML2.XMLHTTP, WScript.Shell, ADODB.Stream, Scripting.FileSystemObject) and some minor ones: here is the full list.

Suitable for integration

Although box-js can be used on its own, it can also integrate with various tools in an analysis pipeline.

Secure

The malicious sample is isolated from the analysis module via a V8 sandbox that exposes no system APIs to the sample and is further hardened to prevent escapes. Most importantly, every analysis should be run in a Docker container with limited host filesystem access, so that an attack on box-js can compromise only one analysis, not the entire system.

Installation

Requires Node 6.x or greater.

$ npm install --global box-js

Usage

Warning
This section is a work in progress. While the example still works, the features have expanded a lot.
$ box-js sample.js --download --no-kill --timeout=60
Analyzing sample.js
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: WScript.Shell
New ActiveXObject: MSXML2.XMLHTTP
New ActiveXObject: ADODB.Stream
Header set for http://foo.bar/admin.php?f=1.dat: User-Agent Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Emulating a get request to http://foo.bar/admin.php?f=1.dat
Downloaded 198353 bytes.
Saved sample.js.results/fa9870f9-c3f9-4c06-bcf7-2472d9ebae4f (198353 bytes)
sample.js.results/fa9870f9-c3f9-4c06-bcf7-2472d9ebae4f has been detected as PE32 executable (GUI) Intel 80386, for MS Windows.
Active URL detected: http://foo.bar/admin.php?f=1.dat
Executing sample.js.results/9539b473-c62d-4b99-a659-5aa28842aacc in the WScript shell

$ cat sample.js.results/9539b473-c62d-4b99-a659-5aa28842aacc
cmd.exe /c (Temporary folder)(Temporary file) 0