Latest Changelog Malware-Jail v0.10:
+ env: Store new Function params under its ID.
+ Added new sample: SHOP_12907.js
+ jailme.js: Fixed new Function referencing ‘this’
+ Package_json: Added a _trace func. Switched over to sync-request.
malware-jail is written for Node's 'vm' sandbox. It currently implements the WScript (Windows Scripting Host) context in env/wscript.js, at least the part frequently used by malware. The Internet browser context is partially implemented in env/browser.js. It runs on any operating system and has been tested on all Linux distros with Node v4.2.1.
Be careful when working with real malware. Malware that is aware of this sandbox may try to escape it and harm your PC. It is recommended that you run it either from an unprivileged Linux account or from within a virtualized Windows.
Internet-browser-based malware you may test with:
malware/example.js is the default malware file configured in config.json.
After analysis the complete sandbox context is dumped to the file 'sandbox_dump_after.json'. There you may find:
+ _eval_calls – array of the arguments of all eval() calls. Useful if eval() is used for deobfuscation.
+ _wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved to the output/ directory too.
+ _wscript_urls – all URLs that the malware intended to GET or POST.
+ _wscript_objects – WScript or ActiveX objects created.
+ 'sandbox_dump_after.json' uses JSONPath, as implemented by JSON-js/cycle.js, to save duplicated or cyclic references to the same object.
Make sure Node.js has been installed on your computer, then:
git clone https://github.com/HynekPetrak/malware-jail && cd malware-jail
npm install minimist xmlhttprequest entities
node jailme.js -h
node jailme.js malware/example.js
git pull origin master