
box-js's People

Contributors

capacitorset, cidem, conitrade-as, connorshride, daviesjamie, dependabot[bot], digitalsleuth, doomedraven, gaelmuller, hub2, hynekpetrak, kirk-sayre-work, kratacoa, psrok1


box-js's Issues

Checking if NaN exists, returning true

Hi all,
I came across this sample (6acf3abf8e68d97b02f0b3502b1ca58c)
https://malwr.com/analysis/NjhmZGQ4YzU5ZmViNDhhNzljMmI3ODZjN2YwNTY0NWQ/
Executing it in a sandbox I got some outputs like URLs, downloading a PE file and so on.
When I use run.js I get this output:
Analyzing ../sample/js/32264.js
The file seems to be encoded with ascii.
Rewriting code...
Rewritten successfully.
Reading registry key HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS\COMMON DOCUMENTS
Unknown registry key!
Checking if exists, returning true
Checking if NaN exists, returning true
Checking if exists, returning true
Checking if NaN exists, returning true
Checking if exists, returning true
Checking if NaN exists, returning true
Checking if exists, returning true
Checking if NaN exists, returning true
Checking if exists, returning true
Checking if NaN exists, returning true
..... .... ....
Rewriting code...
Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
Rewriting typeof calls (use --no-typeof-rewrite to skip)...
Rewriting eval calls (use --no-eval-rewrite to skip)...
Rewriting try/catch statements (use --no-catch-rewrite to skip)...
Rewritten successfully.
@CapacitorSet do you have any idea?
Best regards
PS: I'm using v1.8.0

Implement Function variable scope quirk

In JavaScript, "Functions created with the Function constructor do not create closures to their creation contexts; they always are created in the global scope. When running them, they will only be able to access their own local variables and global ones, not the ones from the scope in which the Function constructor was called", per MDN. This is not true in JavaScript, and this inconsistency is being exploited "in the wild" as seen in this sample.

MDN reports that this does not happen for eval with code for a function expression, so it's worth looking into as a possible way to implement this quirk in a rather clean way.
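As an added example (not code from box-js or from the issue author), the standards behaviour quoted above next to the eval-based rewrite the issue suggests for emulating the quirk; `runSample`, `rewriteFunctionCtor` and the sample snippet are constructed for this illustration, and the rewrite only handles a single string-literal body:

```javascript
// Constructed sample of the pattern: a Function-constructed function that
// refers to a variable of the scope in which the constructor was called.
// (Constructed for illustration, not a real malware fragment.)
const SAMPLE = 'var key = 42; var f = new Function("return typeof key"); return f();';

// Run a snippet as the body of a wrapper function, so `key` is a local of the
// wrapper rather than a global.
function runSample(src) {
  return new Function(src)();
}

// Standards-compliant engines create the inner function in the global scope,
// so it cannot see the wrapper's local `key`.
function compliantResult() {
  return runSample(SAMPLE); // "undefined"
}

// Hypothetical source-level rewrite: turn `new Function("<body>")` into a
// direct eval of a function expression. A direct eval *does* close over the
// caller's scope, which reproduces the non-compliant behaviour the issue
// describes. Only a single string-literal argument is handled here.
function rewriteFunctionCtor(src) {
  return src.replace(
    /new\s+Function\s*\(\s*(["'])((?:\\.|(?!\1).)*)\1\s*\)/g,
    (_match, quote, body) => `eval(${quote}(function(){${body}})${quote})`
  );
}

// After the rewrite the inner function sees `key`, as the quirk requires.
function quirkResult() {
  return runSample(rewriteFunctionCtor(SAMPLE)); // "number"
}

// The MDN point the issue relies on, stated directly: a Function-constructed
// function cannot see an enclosing local, an eval'd function expression can.
function scopeComparison() {
  const local = "only visible here";
  const viaCtor = new Function("return typeof local;");
  const viaEval = eval("(function () { return typeof local; })");
  return { ctor: viaCtor(), eval: viaEval() }; // { ctor: "undefined", eval: "string" }
}
```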

Error: Unknown ActiveXObject msxml2.serverxmlhttp

Hello,
I have this issue with Msxml2.ServerXMLHTTP ActiveXObject.
--no-kill option not working.

Output:
```
Analyzing x.jse
New ActiveXObject: WScript.Shell
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: ADODB.Stream
New ActiveXObject: Shell.Application
New ActiveXObject: Msxml2.ServerXMLHTTP
C:\Users\xxx\Desktop\x\box-js-master_controller.js:32
throw new Error(message);
^

Error: Unknown ActiveXObject msxml2.serverxmlhttp
at Object.kill (C:\Users\xxx\Desktop\x\box-js-master_controller.js:32:10)
at new ActiveXObject (C:\Users\xxx\Desktop\x\box-js-master\analyze.js:326:15)
at sample.js:97:13
at ContextifyScript.Script.runInContext (vm.js:35:29)
at ContextifyScript.Script.runInNewContext (vm.js:41:15)
at Object.exports.runInNewContext (vm.js:72:17)
at Object.<anonymous> (C:\Users\xxx\Desktop\x\box-js-master\analyze.js:282:4)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)

  • If you see garbled text, try emulating Windows XP with --windows-xp.
  • If the error is about a weird "Unknown ActiveXObject", try --no-kill.
  • If the error is about a legitimate "Unknown ActiveXObject", report a bug at https://github.com/CapacitorSet/box-js/issues/ .
```

Box-JS was integrated in Intel Owl - easy to use GUI

Hi. We at Intel Owl recently added support for Box-JS.

Intel Owl is a completely free and open source threat intelligence gathering tool that integrates a lot of external services and analyzers. If someone wants to request scans through Box-JS (and many other analyzers) they can do so easily with our web GUI - get the result from all the files such as resources.json, IOC.json, urls.json, etc all together in a prettified format which can be filtered/sorted/searched through and is saved into the DB.

This is NOT meant to be an "advertisement" for Intel Owl nor a replacement to Box-JS - We support Box-JS. I decided to drop some info about this here because these could be some really nice features for Box-JS users to speed up their threat intelligence operations.

I hope you don't mind and thank you for creating this amazing tool!

EDIT: Added link to Box-JS's LICENSE to the project's README.

Error: WScript.version not implemented!

Hi,
I got a JSE that I decoded with the box-js decoder, then I ran the JS with the --preprocess --no-kill parameters and I get this error (the URLs to download the sample are at the bottom):
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
/home/boxjs/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^

Error: WScript.version not implemented!
at Object.kill (/home//boxjs/lib.js:24:9)
at Object.get (/home//boxjs/analyze.js:344:10)
at Object.get (/home//boxjs/node_modules/vm2/lib/contextify.js:330:37)
at vm.js:947:67
at ContextifyScript.Script.runInContext (vm.js:53:29)
at VM.run (/home//boxjs/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/home//boxjs/analyze.js:356:4)
at Module._compile (module.js:569:30)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:503:32)

JS URL (https://malwr.com/analysis/ZWQxZWI0NTk1N2IyNDgyYTgyOGQ0NzA5NDBmMjdmNjE/)
JSE URL (https://malwr.com/analysis/MTliMTA4ZGUzYWJkNDM3ZDhkN2Q0NGRlYTI1NTFmNjA/)

Trace: Table win32_service not implemented!

Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Script read environment variable userprofile
Trace: Table win32_service not implemented!
at Object.kill (/usr/local/lib/node_modules/box-js/lib.js:29:10)
at getTable (/usr/local/lib/node_modules/box-js/emulator/WMI.js:66:7)
at Proxy.ExecQuery (/usr/local/lib/node_modules/box-js/emulator/WMI.js:101:11)
at Object.apply (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/contextify.js:288:34)
at ccerkvkjkxyyirdz (eval at Function (vm.js:103:41), <anonymous>:38:40)
at eval (eval at Function (vm.js:103:41), <anonymous>:58:5)
at ceyuzm (vm.js:125:23)
at vm.js:127:1
at Script.runInContext (vm.js:74:29)
at VM.run (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:204:72)
Exiting (use --no-kill to just simulate a runtime error).

Sample: https://www.reverse.it/sample/a00c774dc807919c5b7d97ff949cf004cd00d8ee17970639527aba415a823542?environmentId=100
Best regards

Syntax Error

Hey, I went to try your box-js tool and got the following error:

/home/zach/Tools/box-js-master/run.js:8
let timeout = argv.timeout || 10;
^^^

SyntaxError: Block-scoped declarations (let, const, function, class) not yet supported outside strict mode
at exports.runInThisContext (vm.js:53:16)
at Module._compile (module.js:374:25)
at Object.Module._extensions..js (module.js:417:10)
at Module.load (module.js:344:32)
at Function.Module._load (module.js:301:12)
at Function.Module.runMain (module.js:442:10)
at startup (node.js:136:18)
at node.js:966:3

SyntaxError regarding 'import' when running box.js

I'm attempting to run box.js on a sample piece of malware, and it seems to be having an issue with the sample file importing different libraries.
This is the error I receive when attempting to run box.js:

Command:
» box-js sample-malware.js --no-rewrite

Output:

Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/transformer.js:82
   	throw e;
   	^

vm.js:110
import u from "path";
^^^^^^

SyntaxError: 'import' and 'export' may appear only with 'sourceType: module'
   at makeNiceSyntaxError (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/transformer.js:41:16)
   at transformer (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/transformer.js:80:8)
   at VM.run (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:491:16)
   at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:529:8)
   at Module._compile (node:internal/modules/cjs/loader:1099:14)
   at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
   at Module.load (node:internal/modules/cjs/loader:975:32)
   at Function.Module._load (node:internal/modules/cjs/loader:822:12)
   at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
   at node:internal/main/run_main_module:17:47

Node.js v17.7.2

* If the error is about a weird "Unknown ActiveXObject", try --no-kill.
* Otherwise, report a bug at https://github.com/CapacitorSet/box-js/issues/ .

If I run box.js without the --no-rewrite flag, I get the following output:

[error] Couldn't parse with Acorn:
[error] SyntaxError: 'import' and 'export' may appear only with 'sourceType: module' (1:0)
[error] 
[error] Decode JSE. 'cc decoder.c -o decoder'. './decoder $(unknown) $(unknown).js'

The beginning of the malware file contains the following imports:

import u from "path";
import a from "fs";
import o from "https";

Appreciate the support. Thank you!

Unexpected token *

After a fresh git pull, box-js no longer analyses any files. Every time I run box-js the following error is shown:

/usr/local/lib/node_modules/box-js/emulator/WMI.js:5
const diskSize = Math.floor(Math.random() * (10 ** 11));
                                                 ^
SyntaxError: Unexpected token *
    at Object.exports.runInThisContext (vm.js:76:16)
    at Module._compile (module.js:542:28)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)
    at Module.require (module.js:497:17)
    at require (internal/module.js:20:19)
    at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:322:13)
    at Module._compile (module.js:570:32)

I'm running Ubuntu 14.04.5 LTS.

Help with makeProcList.js

Hello, after executing gwmi -Query "SELECT * FROM Win32_Process" > a.txt in Win7
and moving it to a VM with box-js and node 8.10.0 it returns an error. I tried to fix it by myself but I'm new to node.

  • error, it looks like for some reason it adds that to the end of the dictionary
nodejs makeProcList.js
undefined:2
"": undefined},
    ^

From what I googled, JSON.stringify should clean it, but the real failure happens here: JSON.parse(jsonString)

Would appreciate any help.
Best regards

Can't evaluate IIFEs in the top scope

This example crashes with code.match is not a function, because the Function patch is called with a Function object rather than with text:

(function() {
    console.log(1);
})

Add Reg_key on WScriptShell.js

"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS\COMMONMUSIC": "C:\Users\Public\Music",
Got some samples that search for that key/folder.
Regards

Not a Function/Unexpected Token

Hello,

Having a few issues with this sample: jssample.zip (password:infected). When I run it with the default options I see:

[debug] Analysis launched: ["/usr/bin/nodejs","/opt/box-js/analyze","jssample.js","jssample.js.results/","--loglevel","debug","--timeout=10"]
[verb] Analyzing jssample.js
[debug] Using detected encoding
[debug] jschardet (v1.5.1) detected encoding ascii
[verb] Rewriting code...
[verb]     Replacing `function A.prototype.B()` (use --no-rewrite-prototype to skip)...
[verb]     Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[verb]     Rewriting eval calls (use --no-eval-rewrite to skip)...
[verb]     Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[verb] Rewritten successfully.
[verb] Code saved to 87e6db80-a18f-4365-9f46-fcd3d3b2aed2.js
[debug] Analyzing with vm2 v3.4.6

/opt/box-js/node_modules/vm2/lib/main.js:213
			throw this._internal.Decontextify.value(e);
			^
TypeError: "457870616EcTxqapTV6445zo hXdZ6E76Gz q69726Fwpt6E6DtqNp65acSG ywzpnq6EttwvVVfLaW7453afqskt7472npeRwg696Esmvc p6773".w is not a function
    at vm.js:42:130
    at ContextifyScript.Script.runInContext (vm.js:35:29)
    at VM.run (/opt/box-js/node_modules/vm2/lib/main.js:207:72)
    at Object.<anonymous> (/opt/box-js/analyze.js:380:5)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)
    at Module.runMain (module.js:604:10)

 * If the error is about a weird "Unknown ActiveXObject", try --no-kill.
 * If the error is about a legitimate "Unknown ActiveXObject", report a bug at https://github.com/CapacitorSet/box-js/issues/ .

If I try it with --no-rewrite I get the following:

[debug] Analysis launched: ["/usr/bin/nodejs","/opt/box-js/analyze","jssample.js","jssample.js.1.results/","--loglevel","debug","--no-rewrite","--timeout=10"]
[verb] Analyzing jssample.js
[debug] Using detected encoding
[debug] jschardet (v1.5.1) detected encoding ascii
[verb] Code saved to ee238066-3abf-41cd-a922-477f3c641d3b.js
[debug] Analyzing with vm2 v3.4.6

/opt/box-js/node_modules/vm2/lib/main.js:213
			throw this._internal.Decontextify.value(e);
			^
SyntaxError: Unexpected token .
    at VMScript.compile (/opt/box-js/node_modules/vm2/lib/main.js:74:20)
    at VM.run (/opt/box-js/node_modules/vm2/lib/main.js:207:52)
    at Object.<anonymous> (/opt/box-js/analyze.js:380:5)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)
    at Module.runMain (module.js:604:10)
    at run (bootstrap_node.js:389:7)

 * If the error is about a weird "Unknown ActiveXObject", try --no-kill.
 * If the error is about a legitimate "Unknown ActiveXObject", report a bug at https://github.com/CapacitorSet/box-js/issues/ .

I didn't see anything in the other issues that seemed applicable to this one but I'd love to know what's going on.

ReferenceError [Error]: navigator is not defined

Just installed on Kali Linux with
sudo npm install box-js --global
then tried to run a script.
Got this as the result:
C:\home\kali> sudo box-js index.html.1.js
[sudo] Passwort für kali:
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds

/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:287
throw bridge.from(e);
^
ReferenceError [Error]: navigator is not defined
at eval (eval at apply (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/setup-sandbox.js:371:10), <anonymous>:2:21)
at eval (<anonymous>)
at Object.apply (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/setup-sandbox.js:371:10)
at vm.js:139:1
at Script.runInContext (vm.js:130:18)
at VM.runScript (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:285:18)
at /usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:507:16
at timeout_bridge.js:1:1
at Script.runInContext (vm.js:130:18)
at doWithTimeout (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:132:29)

I will attach the file I wanted to check. PLEASE be aware: THIS IS MALICIOUS CODE LEADING TO A PHISHING SITE!!!
index.html.1.js.txt

Any help available?

Unable to run on Ubuntu 16.04.2

main@dev:~$ box-js test.js
/usr/local/lib/node_modules/box-js/_run.js:49
let timeout = argv.timeout;
^^^

SyntaxError: Block-scoped declarations (let, const, function, class) not yet supported outside strict mode

Any solution?

Error: WMI.GetObject.Get not implemented!

Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
/usr/local/lib/node_modules/box-js/lib.js:28
		throw new Error(message);
		^

Error: WMI.GetObject.Get not implemented!
    at Object.kill (/usr/local/lib/node_modules/box-js/lib.js:28:9)
    at Object.get (/usr/local/lib/node_modules/box-js/emulator/WMI.js:82:8)
    at eval (eval at <anonymous> (sample.js:272:1), <anonymous>:1:35)
    at sample.js:272:1
    at ContextifyScript.Script.runInContext (vm.js:59:29)
    at ContextifyScript.Script.runInNewContext (vm.js:65:15)
    at Object.runInNewContext (vm.js:135:38)
    at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:428:5)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)

 * If the error is about a weird "Unknown ActiveXObject", try --no-kill.
 * Otherwise, report a bug at https://github.com/CapacitorSet/box-js/issues/ .

Fix stripping of XML tags

Needs a compliant parser to extract the JScript code from WSF files (with <job>, <script> and so on).

Array Product Not Defined... How does Box.JS Get there?

Hello! We've spoken before via email.

You pointed me to node.js after I answered a thread on reddit wanting to build another program. I wasn't experienced enough to help you though.

I know you've already spoken about how to get something to be defined in your readme, but I am confused. I do not know if it's simply because I'm inexperienced or what.

Basically both firebug and node.js have one issue in common: they can puzzle out information from recursive arrays, but they do NOT show how they arrived at it!

So this malware I have is pretty much one giant array, with two smaller arrays. And somehow, it builds an entire program and config file out of them! I cannot seem to, no matter how much I try, figure this out!

Your program (and firebug) both output this function: _87867t67t6gt (but say it isn't defined) which is great, but I cannot seem to figure out HOW that function was generated from a set of random array stuff.

What I was hoping for, was that your program would allow me to build the entire program from the array, THEN I could attempt to run it and see what it does via your software.

Is this a total misunderstanding of what the software does? If not, how can I see what it took from each array (and the calculations) to build the function and the rest of the program? Can I have it build EVERYTHING without attempting to run it (and thus stop it from running into the _____ not defined issue?).

Does this make any sense? Feel free to drop me a line at theoryofscience @ gmail . com, which we've talked through before!

Error -- Unexpected token ;

I got the following error when running box-js against malicious JavaScript under REMnux (latest version):

Analyzing test.js
{ Error: Line 22: Unexpected token ;
at constructError (/opt/box-js/node_modules/esprima/esprima.js:2406:21)
at createError (/opt/box-js/node_modules/esprima/esprima.js:2425:17)
at unexpectedTokenError (/opt/box-js/node_modules/esprima/esprima.js:2499:13)
at throwUnexpectedToken (/opt/box-js/node_modules/esprima/esprima.js:2504:15)
at expect (/opt/box-js/node_modules/esprima/esprima.js:2522:13)
at parseForStatement (/opt/box-js/node_modules/esprima/esprima.js:4426:9)
at parseStatement (/opt/box-js/node_modules/esprima/esprima.js:4774:24)
at parseStatementListItem (/opt/box-js/node_modules/esprima/esprima.js:3988:16)
at parseFunctionSourceElements (/opt/box-js/node_modules/esprima/esprima.js:4868:23)
at parseFunctionDeclaration (/opt/box-js/node_modules/esprima/esprima.js:5016:16) lineNumber: 22, description: 'Unexpected token ;', index: 486 }

And around line 22, I do not see any ";" token and the code is js-beautified, so pretty formatted. Let me know if you need the original malicious JS file. Thanks.

Download option does not work

Hi,

There are some issues with the download function.
It does not work completely.

I believe you need to fix this issue in the following way.

  • Change doDownload to argv.download in lib.js file
    or
  • Define doDownload variable in argv.js file

Thanks,

Wsf file correct handling

Hi,
analyze.js handles WSF files which are <script>..</script><script>..</script>.
Some WSF have <script language=JScript>.......</script> .
Of course if I add the right tags box.js runs smoothly.
Below is a sample I submitted:
(https://malwr.com/analysis/Yjc0MmFkY2JiNjIwNDMxMmE2YmJmZGIzNzU1MGVhZGU/)
Before:
node run.js ../sample/wsf/00.wsf --debug
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
Analyzing ../sample/wsf/00.wsf
Using detected encoding
The file seems to be encoded with ascii.

After tag modification:

node run.js ../sample/wsf/00.wsf --download --no-shell-error
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
Analyzing ../sample/wsf/00.wsf
Using detected encoding
The file seems to be encoded with ascii.
New ActiveXObject: Msxml2.XMLHTTP
GET hxxp://actual-clinic.ru/counter/?rRP-8RCu_V6K4KpmizObebi7BQzTwk79mvZzsY-T-tBYheL-okeQKIl0pHkFCOJKdORQ_ffv9tYJ3iBR7UNBPQKY5i1vHS481
Downloading...
Downloaded 377344 bytes.
New ActiveXObject: Msxml2.XMLHTTP
GET hxxp://pvo-taganrog.ru/counter/?rRP-8RCu_V6K4KpmizObebi7BQzTwk79mvZzsY-T-tBYheL-okeQKIl0pHkFCOJKdORQ_ffv9tYJ3iBR7UNBPQKY5i1vHS481
Downloading...
An error occurred while emulating a GET request to hxxp://pvo-taganrog.ru/counter/?rRP-8RCu_V6K4KpmizObebi7BQzTwk79mvZzsY-T-tBYheL-okeQKIl0pHkFCOJKdORQ_ffv9tYJ3iBR7UNBPQKY5i1vHS481.
{ Error: getaddrinfo ENOTFOUND pvo-taganrog.ru pvo-taganrog.ru:80
at doRequestWith (/home/socadmin/boxjs/node_modules/sync-request/index.js:87:17)
at doRequest (/home/socadmin/boxjs/node_modules/sync-request/index.js:20:10)
at Object.fetchUrl (/home/socadmin/boxjs/controller.js:53:17)
at Proxy.XMLHTTP.send (/home/socadmin/boxjs/emulator/XMLHTTP.js:24:26)
at Object.apply (/home/socadmin/boxjs/node_modules/vm2/lib/contextify.js:288:34)
at vm.js:20:15
at ContextifyScript.Script.runInContext (vm.js:53:29)
at VM.run (/home/socadmin/boxjs/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/home/socadmin/boxjs/analyze.js:294:4)
at Module._compile (module.js:569:30) code: 'ENOTFOUND' }
PS: ok, the URL was not reachable :-)

best regards


I edited the issue to remove malicious URLs. - CapacitorSet

ReferenceError [Error]: CollectGarbage is not defined

Running into:
ReferenceError [Error]: CollectGarbage is not defined
at vm.js:3430:1
at Script.runInContext (vm.js:131:20)
at C:\Users\zashraf\AppData\Roaming\npm\node_modules\box-js\node_modules\vm2\lib\main.js:851:53
at timeout_bridge.js:1:1
at Script.runInContext (vm.js:131:20)
at doWithTimeout (C:\Users\zashraf\AppData\Roaming\npm\node_modules\box-js\node_modules\vm2\lib\main.js:467:17)
at VM.run (C:\Users\zashraf\AppData\Roaming\npm\node_modules\box-js\node_modules\vm2\lib\main.js:849:10)
at Object.<anonymous> (C:\Users\zashraf\AppData\Roaming\npm\node_modules\box-js\analyze.js:442:5)
at Module._compile (internal/modules/cjs/loader.js:1138:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1158:10)

Unable to decode JS

img.txt
I guess this is very obfuscated JS and even uglify raises some errors:
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[error] Couldn't preprocess with uglify-js: {"message":"'return' outside of function","filename":"0","line":4,"col":4,"pos":337}
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[error] Error: Line 4: Illegal return statement
[error]
[error] This doesn't seem to be a JavaScript/WScript file.
If this is a JSE file (JScript.Encode), compile
decoder.c and run it on the file, like this:

cc decoder.c -o decoder
./decoder ../sample/js/img.js ../sample/js/img.js.

cc decoder.c -o decoder warning

Hi all
If I try to execute cc decoder.c -o decoder I get this warning:
decoder.c: In function ‘ScriptDecoder’:
decoder.c:391:53: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘long unsigned int’ [-Wformat=]
printf ("Msg: Found encoded block containing %d characters.\n", len);
^
Can someone help me?
regards

Add support for multi-process

At the moment, the script will run the analyses sequentially. Users who run batch analyses might want to run them in parallel, so it would be nice to have something like a --threads flag.

Catch non-existing flags

argv.js will ignore unknown flags, because they may refer to either "run" or "export". This is undesirable behaviour, and the previous behaviour should be restored (non-existing flags result in an error).

If anyone is reading this issue: note that this refers to code that hasn't been pushed to GitHub at the time of writing.

Unknown ActiveXObject adodb.connection

This is an unknown ActiveXObject where --no-kill does not work. The sample is:
https://www.virustotal.com/gui/file/12298dfb14f426e2c5191dc22e54832df6bdfde374032b2264faadbf898b9e9f/detection

# box-js --timeout 60 --no-kill sample.js
/root/box-js-master/node_modules/vm2/lib/main.js:218
			throw this._internal.Decontextify.value(e);
			^

Error: Unknown ActiveXObject adodb.connection
    at Object.kill (/root/box-js-master/lib.js:28:9)
    at new ActiveXObject (/root/box-js-master/analyze.js:488:8)
    at Object.construct (/root/box-js-master/node_modules/vm2/lib/contextify.js:300:33)
    at gxO (vm.js:189:15)
    at vm.js:347:8
    at Script.runInContext (vm.js:137:20)
    at VM.run (/root/box-js-master/node_modules/vm2/lib/main.js:212:72)
    at Object.<anonymous> (/root/box-js-master/analyze.js:451:5)
    at Module._compile (internal/modules/cjs/loader.js:936:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:947:10)

 * If the error is about a weird "Unknown ActiveXObject", try --no-kill.
 * Otherwise, report a bug at https://github.com/CapacitorSet/box-js/issues/ .

Write regression tests

Some ideas:

  • Testing on a blank file to make sure that everything works
  • Testing for frequent mistakes, like simplifying "foo" + "bar".decode() to "foobar".decode()
  • Testing that XML tags and @cc_on are stripped correctly
  • Testing for rewrites inside eval
  • Use various pieces of existing malware (that for some reason at one point or another were not emulated correctly by box-js), deactivate it (e.g. replace the payload URLs with https://google.com/robots.txt), and test that they are analysed correctly
  • Test for samples based on codepage-437 encoding, downloading the samples from a local webserver, and verifying that the result is decoded correctly (requires one to study one such sample and "craft" a payload correctly, i.e. so that it can be decoded - obviously can't use real-life payloads)
  • Test for individual components - WScriptShell, XMLHTTP, etc.

Error: Script execution timed out.

Hi all,
I was trying to decode a jse (d7afb22d8c35874bdbb3227a57948b8b) (https://www.reverse.it/sample/dffa67c8f7c807c9ded265b5706eff1e64a2c836f4af0342fb34aa1bed8bce44?environmentId=100)
After compiling the decoder I ran box.js and even if I set a long timeout I still get the error below:
node run.js ../sample/jse/fatturaN0567.js --timeout=10000 --no-echo

Analyzing ../sample/jse/fatturaN0567.js
Using detected encoding
The file seems to be encoded with ascii.
New ActiveXObject: WScript.Shell
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: ADODB.Stream
New ActiveXObject: Shell.Application
New ActiveXObject: Msxml2.ServerXMLHTTP
FSObject[bufferarray] = ;

/boxjs/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^
Error: Script execution timed out.
at ContextifyScript.Script.runInContext (vm.js:53:29)
at VM.run (/home/....../boxjs/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/home/......./boxjs/analyze.js:294:4)
at Module._compile (module.js:569:30)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:503:32)
at tryModuleLoad (module.js:466:12)
at Function.Module._load (module.js:458:3)
at Function.Module.runMain (module.js:605:10)
@CapacitorSet do you have an idea?
regards and thanks for the support!!

TypeError: lib.warn is not a function

Hi @CapacitorSet ,
This is what I get when running the attached JS NIC423523.js.TXT:
node run.js ../sample/js/NIC423523.js --unsafe-preprocess --no-kill
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] Rewriting code...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
/home/...../boxjs/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^

TypeError: lib.warn is not a function
at Proxy.WScriptShell.regread (/home/...../boxjs/emulator/WScriptShell.js:67:7)
at Object.apply (/home/....../boxjs/node_modules/vm2/lib/contextify.js:288:34)
at eval (eval at (vm.js:30:19), :2:39)
at vm.js:30:19
at ContextifyScript.Script.runInContext (vm.js:53:29)
at VM.run (/home/....../boxjs/node_modules/vm2/lib/main.js:207:72)
at Object. (/home/--/boxjs/analyze.js:358:4)
at Module._compile (module.js:569:30)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:503:32)

Thanks for your support

Navigator is not Defined error

I am getting this error:

/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:297
			throw this._internal.Decontextify.value(e);
			^
ReferenceError: navigator is not defined
    at vm.js:111:17
    at vm.js:143:6
    at ContextifyScript.Script.runInContext (vm.js:59:29)
    at VM.run (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:291:64)
    at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:442:5)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)
    at Module.load (module.js:565:32)
    at tryModuleLoad (module.js:505:12)
    at Function.Module._load (module.js:497:3)

And I am wondering if this is just because navigator is not defined as a value or ?

Automatically upload .exe samples on Virustotal

Hi,
Could it be a good idea to automatically upload samples to VirusTotal via the public API after the dropper has downloaded the .exe file? (or Malwr, but I don't see any APIs, so that would be more tricky)

A guy from ESC2k17

ReferenceError: document is not defined

Here's the error I get when trying to run a sample:

# box-js --timeout 300 sample.js

/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:297
			throw this._internal.Decontextify.value(e);
			^
ReferenceError: document is not defined
    at vm.js:108:1
    at Script.runInContext (vm.js:107:20)
    at VM.run (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:291:64)
    at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:442:5)
    at Module._compile (internal/modules/cjs/loader.js:689:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:700:10)
    at Module.load (internal/modules/cjs/loader.js:599:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
    at Function.Module._load (internal/modules/cjs/loader.js:530:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:742:12)

 * If the error is about a weird "Unknown ActiveXObject", try --no-kill.
 * Otherwise, report a bug at https://github.com/CapacitorSet/box-js/issues/ .

Done some Googling and can't find a solution to this

[error] Couldn't preprocess with uglify-es ..

Hi, got this sample to analyze "https://www.reverse.it/sample/31641b7e48cf51ec19fc9c006f9ee1ecc8988b5c728f9a1386d2927c32718189?environmentId=100" MD5:6f6067cacbc94d2019a7e2643645c60e
but I get this error:
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[error] Couldn't preprocess with uglify-es: {"message":"cascade is not a supported option","defs":{"arrows":true,"booleans":true,"collapse_vars":true,"comparisons":true,"computed_props":true,"conditionals":true,"dead_code":true,"drop_console":false,"drop_debugger":true,"ecma":5,"evaluate":true,"expression":false,"global_defs":{},"hoist_funs":false,"hoist_props":true,"hoist_vars":false,"ie8":false,"if_return":true,"inline":true,"join_vars":true,"keep_classnames":false,"keep_fargs":true,"keep_fnames":false,"keep_infinity":false,"loops":true,"negate_iife":true,"passes":1,"properties":true,"pure_getters":"strict","pure_funcs":null,"reduce_funcs":true,"reduce_vars":true,"sequences":true,"side_effects":true,"switches":true,"top_retain":null,"toplevel":false,"typeofs":true,"unsafe":false,"unsafe_arrows":false,"unsafe_comps":false,"unsafe_Function":false,"unsafe_math":false,"unsafe_methods":false,"unsafe_proto":false,"unsafe_regexp":false,"unsafe_undefined":false,"unused":true,"warnings":false}}

Any ideas @CapacitorSet ?
regards
