Malware-Jail – Tool For Javascript Malware Analysis, Deobfuscation and Payload Extraction


Malware-Jail is a sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. It is written for Node.js.

It runs on any operating system; it was developed and tested on Linux with Node.js v6.6.0.

Note: because it uses some ES6 features, you’ll need Node.js >= 6.x.

Malware-Jail is built on Node’s ‘vm’ sandbox. It currently implements the WScript (Windows Scripting Host) context in env/wscript.js, at least the part frequently used by malware. The Internet browser context is partially implemented in env/browser.js.

How To Install Malware-Jail

You’ll need Node.js and npm installed, because malware-jail is built on top of minimist, iconv-lite and entities.

Pull from GitHub

Pull the source with git:

Then install all the dependencies (minimist, entities, iconv-lite) with:

Usage

In the examples folder you may find a deactivated malware file. Run the analysis with:

Internet-browser-based malware can be tested with:

At the end of the analysis the complete sandbox context is dumped into a ‘sandbox_dump_after.json’ file.

You may want to examine the following entries of ‘sandbox_dump_after.json’:

  • eval_calls – array of the arguments of all eval() calls. Useful if eval() is used for deobfuscation.
  • wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved into the output/ directory too.
  • wscript_urls – all URLs that the malware intended to GET or POST.
  • wscript_objects – WScript or ActiveX objects created.

‘sandbox_dump_after.json’ uses JSONPath, as implemented by JSON-js/cycle.js, to save duplicated or cyclic references to the same object.

Sample Output

In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf.

Examples

The malware folder contains real-world malware samples, most of them downloaded from https://malwr.com.

Example: Analysing Wileen.js

Take the malicious script from malwr.com: Wileen.js
Apparently the malware does not execute if run from within a browser:

Therefore you may want to use an alternate config file which does not load browser/DOM components:

Interesting use of PowerShell:

Example: Analysing ORDER-10455.js

Take the malicious JavaScript from malwr.com: ORDER-10455.js

First run without interaction with remote servers:

You get something like:

This seems to be the “standard” deobfuscation behaviour: the script unpacks itself in stages in order to finally download an exe binary and execute it.

If we want to get the real payload, run it with ‘--down=y’:

Example: Analysing Norri.js

Take the malicious JavaScript from malwr.com: Norri.js

Run:

You get:

The behaviour is obvious from the log. The payload has been extracted into the output/TemporaryFolder_TempFile[15] file.

Example: Analysing Angler EK

Download and extract the Angler EK from the pcap file at ANGLER EK SENDS CRYPTOWALL into malware/angler/angler_full.html.

Strip the non-Angler part and save it as malware/angler/angler_stripped.html.

Remove 


AndroL4b – A Virtual Machine For Assessing Android Applications, Reverse Engineering and Malware Analysis


AndroL4b is an Android security virtual machine based on Ubuntu MATE that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.

Tools:

  • Radare2: Unix-like reverse engineering framework and command-line tools
  • Frida: Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX
  • ByteCodeViewer: Android APK reverse engineering suite (decompiler, editor, debugger)
  • Mobile Security Framework (MobSF): Automated (Android/iOS) pentesting framework (just static analysis in this VM)
  • Drozer: Security assessment framework for Android applications
  • APKtool: Reverse engineering Android APKs
  • AndroidStudio: IDE for Android application development
  • BurpSuite: Assessing application security
  • Wireshark: Network protocol analyzer
  • MARA: Mobile Application Reverse engineering and Analysis framework
  • FindBugs-IDEA: Static byte code analysis to look for bugs in Java code
  • AndroBugs Framework: Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications
  • Qark: Tool to look for several security-related Android application vulnerabilities

Labs:

  • Damn Insecure and vulnerable App for Android (DIVA): Vulnerable Android application
  • InsecureBankv2: Vulnerable Android application
  • Android Security Sandbox: An app showcase of some techniques to improve Android app security
  • GoatDroid: A fully functional and self-contained training environment for educating developers and testers on Android security
  • Sieve: A password manager app, showcasing some common Android vulnerabilities


      Sandboxed Execution Environment – A Framework for Building Test Automation In Secured Environments


      Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.

The sandboxes, provided via libvirt, are customizable, allowing a high degree of flexibility. Different types of hypervisor (QEMU, VirtualBox, LXC) can be employed to run the test environments.

Plugins can be added to a test environment; an event mechanism synchronises their interaction. Users can enable and configure the plugins through a JSON configuration file.

      Audience

SEE is for automating tests against unknown, dangerous or unstable software, tracking its activity during execution.

      SEE is well suited for building modular test platforms or managing executable code with a good degree of isolation.

SEE allows you to write sandboxed tests both for quick prototyping and for running in production environments.

      Installation

SEE is available as a Python package on the Python Package Index (PyPI).

It is the user’s responsibility to install and set up the hypervisors intended to be controlled with SEE, as well as any dependencies and subsystems used by the selected image providers.

      Please refer to the documentation to see how to setup and configure each hypervisor.

      Supported hypervisors

SEE is built on top of libvirt’s APIs, therefore all hypervisors supported by libvirt can be controlled through SEE.

SEE comes with basic support for QEMU, VirtualBox and LXC; to add more hypervisors or customize the basic ones, see the code contained in see/context.

      Image providers

      SEE uses a system of pluggable providers to retrieve disk images from arbitrary sources and make them available to SEE.

SEE bundles providers for libvirt storage pools and OpenStack Glance, as well as a dummy provider implementation; to add more providers, see the code contained in see/image_providers.

      Principles

      SEE is an event-driven, plugin-based sandbox provider for synchronous and asynchronous test flow control.

A SEE Environment encapsulates all the required resources, acting as a handle for the user. The Sandbox is controlled by Hooks, which act as plugins; Hooks communicate and coordinate with each other through Events.

Each Hook has direct access to the Sandbox, which exposes a simple API for its control, and to libvirt’s APIs for more fine-grained control.



      Mobile Security Framework (MobSF) – An All-In-One Mobile Application Security Assessment Framework


      Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.


      Requirements:

      • Mac:
        • Install Git
        • Install Python 3.6 – 3.7 (3.8 is not supported)
        • macOS Catalina users must uninstall existing python3 and install the one from Python.org. After installation, go to /Applications/Python 3.7/ and run Install Certificates.command and Update Shell Profile.command
        • Install JDK 8+
  • Install command line tools: xcode-select --install
        • Download & Install wkhtmltopdf as per the wiki instructions
        • macOS Mojave users, install headers if available: 

      • Ubuntu/Debian based Linux:
  • Install Git: sudo apt-get install git
  • Install Python 3.6 – 3.7: sudo apt-get install python3
  • Install JDK 8+: sudo apt-get install openjdk-8-jdk
  • Install the following dependencies:

If you are running MobSF on a Windows host, you do not have to configure anything, apart from interacting with the automated installation script the first time you run MobSF. However, if you are using a different host OS, you need to configure a Windows VM. Sadly binskim is only available on Windows, so even for static analysis a Windows VM is required.
Steps on the Windows VM:

      • Install the following requirements on the VM
        • Python 3
        • rsa (via python -m pip install rsa)
      • Download the setup.py script and run it
      • There is some manual interaction, but if there are no errors, everything is good and the RPC-Server should be running.

      Remember: Use separate Windows-VM for MobSF and don’t expose it to a network range where an attack might be coming from. The best solution is to set it to host-only mode.

• To integrate a Windows VM into MobSF, please follow these steps.
  • Get the IP of your VM and set it in the MobSF/settings.py file (search for WINDOWS_VM_IP)
  • (If not yet done:) Copy the private RSA key from the VM to MobSF

      If you see errors like this:

The MobSF setup script assumes that your VM or host Windows box has a C: drive and that you have all the permissions to perform read/write operations in C:\MobSF. This error occurs if you don’t have proper read/write permissions.

      IMPORTANT:

      • Set JAVA_HOME environment variable.
      • iOS IPA Analysis works only on Mac, Linux and Docker containers.

      Dynamic Analysis:

      • Dynamic Analysis will not work if you use MobSF docker container or setup MobSF inside a Virtual Machine.
      • Install Genymotion

      Installation:

Tested on Windows 10, Ubuntu (18.04, 19.04), macOS Catalina

      IMPORTANT: Windows users, before running setup.bat close any opened folders of MobSF or text editors with MobSF opened. Either of these can interrupt the setup by causing permission errors.

      Running MobSF

      • For Linux and Mac: ./run.sh
      • For Windows: run.bat

      You can navigate to http://localhost:8000/ to access MobSF web interface.

      Configuring Dynamic Analyzer

      Dynamic analysis using a real mobile phone is not supported.

      Run a Genymotion Android VM before starting MobSF. Everything will be configured automatically at runtime. MobSF requires Genymotion Android x86 VMs version 4.1 to 9.0 for dynamic analysis. We recommend using Android 7.0 and above.

      Android versions 5 and above are automatically MobSFyed on first run. For Android versions less than 5, you must MobSFy the Android Runtime prior to Dynamic Analysis for the first time. Click MobSFy Android Runtime button in Dynamic Analysis page to MobSFy the android runtime environment.


      HTTPS Proxy

      • For Android versions 4.4 – 9.0, global proxy settings are automatically applied at runtime.
      • For Android version 4.1 – 4.3, set Android VM proxy as displayed in Dynamic Analysis page.

If the Dynamic Analyzer doesn’t detect your Android device, you need to manually configure ANALYZER_IDENTIFIER in MobSF/settings.py. Example: ANALYZER_IDENTIFIER = ‘192.168.56.101:5555’. You can find the Android device IP in the Genymotion title bar; the default port is 5555.

      MobSF Docker Container

Lazy to set up MobSF? Use the latest MobSF docker image (Dynamic Analysis is not supported).

      MobSF e-Learning Courses & Certification

We have two self-paced e-learning courses that cover MobSF and other Android security tools.

      • OpSecX – Automated Mobile Application Security Assessment with MobSF – MAS (Currently being updated)
      • OpSecX – Android Security Tools Expert – ATX

      Updating MobSF

If you are updating MobSF, in most cases you might have to perform database migrations, or you will see errors such as

Run the command below to migrate your DB

If the above changes didn’t work, you might have to run setup.sh or setup.bat again, which will delete your previous scan results.

      APKiD

      APKiD is enabled by default. To disable it, set APKID_ENABLED to False in MobSF/settings.py.

      VirusTotal Scan

      VirusTotal Scan is disabled by default. You need to add your VirusTotal API Key before enabling it.

      AppMonsta Android Play Store Information

We use the AppMonsta API to fetch details from the Google Play Store as a fail-safe for our primary implementation. It is disabled by default. To enable it, you need an AppMonsta API key.

      • Get AppMonsta API Key from: AppMonsta API Key
      • In MobSF/settings.py, add your API Key to APPMONSTA_KEY and restart MobSF.

      Mass Static Analysis

      MobSF supports mass static analysis. Here is how to run a mass static analysis:

      • Run mass_static_analysis.py

      Example: python mass_static_analysis.py -s 127.0.0.1:8000 -d /home/files/ 

      Using Postgres DB instead of SQLite:

      Install psycopg2: pip3 install psycopg2-binary

Go to MobSF/settings.py

      Comment the following:

      Now uncomment the following:

      Create a database in Postgres named mobsf and configure the above settings with correct username, password and other details.

      Apply Migrations:

      Now you can start MobSF server and you have successfully configured Postgres as your database.

If you want all user uploads, downloads and user configurations to be created in the home directory, enable home directory support:

To provide a personalized version of MobSF to multiple users on one OS, or to bundle MobSF with a pentesting distro, you might need home directory support enabled.

      To enable Home Directory support, go to settings.py and set USE_HOME to True.

