It runs on any operating system. Developed and tested on Linux, Node.js v6.6.0.
Note: Due to use of some ES6 features, you’ll need Node.js >= 6.x.
How To Install Malware-Jail
You’ll need Node.js and npm installed. Because malware-jail is built on top of minimist, iconv-lite and entities.
Pull from GitHub
Pull the source with git:
Then install all the dependecies (minimist, entities, iconv-lite) with:
In the examples folder you may find a deactivated malware file. Run the analysis with:
Internet browser based malware you may test with
At the end of the analysis the complete sandbox context is dumped into a ‘sandbox_dump_after.json‘ file.
You may want to examine following entries of ‘sandbox_dump_after.json‘:
- eval_calls – array of all eval() calls arguments. Useful if eval() is used for deobfucation.
- wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved into the output/ directory too.
- wscript_urls – all URLs that the malware intended to GET or POST.
- wscript_objects – WScript or ActiveX objects created.
‘sandbox_dump_after.json‘ uses JSONPath, implemented by JSON-js/cycle.js, to save duplicated or cyclic references to a same object.
In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf
Example: Analysing Wileen.js
Therefore you may want to use an alternate config filem which does not load browser/DOM components:
Interesting use of Powershell:
Example: Analysing ORDER-10455.js
First run without interaction with remote servers:
you get something like:
If we want to get the real payload, run it with ‘–down=y’:
Example: Analysing Norri.js
Behaviour is obvious from the log. Payload has been extracted into the output/TemporaryFolder_TempFile file.
Example: Analysing Angler EK
Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into a malware/angler/angler_full.html.
Strip the non Angler part and save as malware/angler/angler_stripped.html.
Remove tags and convert required
and save as malware/angler/angler.js.
Run the analysis:
Eventually capture the output into angler_output.txt:
Deobfuscating the final stage: