capacitorset / box-js
A tool for studying JavaScript malware.
License: MIT License
Some droppers rely on a technique similar to this:
new ActiveXObject((WScript.Now + 'Shell.Application').substr(9, 17))
The code is only valid if WScript.Now returns undefined.
Because of this, box-js must have a list of all WScript properties, and replace the Proxy with a simple object that will return undefined for unknown properties.
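The behaviour described above, as an added example that is not box-js code: a WScript emulation whose unknown members read as undefined (as they do in a real WSH host, where WScript.Now does not exist) while still being logged, next to a strict emulation that throws. The member list and the log format are constructed for the demo.

```javascript
// Added example, not box-js code: a WScript emulation that behaves like a real
// WSH host for members it does not know, returning undefined instead of
// throwing, while still recording the access for the analyst.

// Members a real WScript object exposes. This list is constructed for the demo
// and deliberately short; a production emulator needs the complete set.
const KNOWN_WSCRIPT_MEMBERS = {
  Name: "Windows Script Host",
  Version: "5.8",
  FullName: "C:\\Windows\\System32\\wscript.exe",
  ScriptFullName: "C:\\Users\\user\\Desktop\\dropper.js",
  ScriptName: "dropper.js",
  Echo(...args) { /* swallowed in the sandbox */ },
  Sleep(ms) { /* no-op; a real emulator would fast-forward its clock */ },
  Quit(code) { throw new Error(`WScript.Quit(${code}) called`); },
};

// Permissive host: unknown members read as undefined, as in WSH, and the
// read is logged so the analyst sees which members the sample probes.
function makeWScript(log) {
  return new Proxy(KNOWN_WSCRIPT_MEMBERS, {
    get(target, prop) {
      if (typeof prop === "symbol") return undefined;
      if (prop in target) return target[prop];
      log.push(`WScript.${prop} read (unknown member, returning undefined)`);
      return undefined;
    },
  });
}

// Strict host: throws on anything it does not implement. A dropper that relies
// on the "undefined" concatenation trick dies here before revealing the ProgID.
function makeStrictWScript() {
  return new Proxy(KNOWN_WSCRIPT_MEMBERS, {
    get(target, prop) {
      if (typeof prop === "symbol") return undefined;
      if (prop in target) return target[prop];
      throw new Error(`WScript.${String(prop)} not implemented!`);
    },
  });
}

// The dropper idiom from the issue: String(undefined) is 9 characters long, so
// ("undefined" + "Shell.Application").substr(9, 17) is "Shell.Application".
function resolveDropperProgId(WScript) {
  return (WScript.Now + "Shell.Application").substr(9, 17);
}

function demo() {
  const log = [];
  const progId = resolveDropperProgId(makeWScript(log));
  let strictError = null;
  try {
    resolveDropperProgId(makeStrictWScript());
  } catch (e) {
    strictError = e.message;
  }
  return { progId, log, strictError };
}
```

The permissive host is the one an emulator wants by default: the sample keeps running and the real ProgID shows up in the ActiveXObject log, while the recorded "unknown member" line tells the analyst which WScript members the sample relies on.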
Hi all,
I came across this sample (6acf3abf8e68d97b02f0b3502b1ca58c)
https://malwr.com/analysis/NjhmZGQ4YzU5ZmViNDhhNzljMmI3ODZjN2YwNTY0NWQ/
Executing it in a sandbox I got some outputs like URLs, a downloaded PE file and so on.
When I use run.js I get this output:
Analyzing ../sample/js/32264.js
The file seems to be encoded with ascii.
Rewriting code...
Rewritten successfully.
Reading registry key HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS\COMMON DOCUMENTS
Unknown registry key!
Checking if exists, returning true
Checking if NaN exists, returning true
Checking if exists, returning true
Checking if NaN exists, returning true
Checking if exists, returning true
Checking if NaN exists, returning true
Checking if exists, returning true
Checking if NaN exists, returning true
Checking if exists, returning true
Checking if NaN exists, returning true
..... .... ....
Rewriting code...
Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
Rewriting typeof calls (use --no-typeof-rewrite to skip)...
Rewriting eval calls (use --no-eval-rewrite to skip)...
Rewriting try/catch statements (use --no-catch-rewrite to skip)...
Rewritten successfully.
@CapacitorSet do you have any idea?
best regards
PS: I'm using v1.8.0.
In JavaScript, "Functions created with the Function constructor do not create closures to their creation contexts; they always are created in the global scope. When running them, they will only be able to access their own local variables and global ones, not the ones from the scope in which the Function constructor was called", per MDN. This is not true in JavaScript, and this inconsistency is being exploited "in the wild" as seen in this sample.
MDN reports that this does not happen for eval with code for a function expression, so it's worth looking into as a possible way to implement this quirk in a rather clean way.
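The scope difference described in this issue, and the eval-based rewrite it suggests, as an added example that is not box-js code. The local `secret` and the helper `functionCtorToFunctionExpr` are constructed for the demonstration; box-js's own rewriter works on an AST, not on strings like this.

```javascript
// Added example, not box-js code: Function() compiles in the global scope,
// while a function expression passed to a direct eval closes over the scope
// where the eval is written. The third variant shows the rewrite idea.

// Build the source of a function expression from Function()-style arguments:
// all but the last argument are parameter names, the last is the body.
function functionCtorToFunctionExpr(args) {
  const parts = args.map(String);
  const body = parts.length ? parts[parts.length - 1] : "";
  const params = parts.slice(0, -1).join(", ");
  return `(function anonymous(${params}) {\n${body}\n})`;
}

function demonstrateScopes() {
  var secret = "local value"; // visible only inside demonstrateScopes

  // Standard JavaScript: Function() compiles in the global scope and cannot
  // see `secret`, so typeof yields "undefined".
  var viaFunction = new Function("return typeof secret");

  // Direct eval of a function expression keeps a closure over this scope
  // (the MDN point referenced above), so the function sees `secret`.
  var viaEval = eval("(function () { return typeof secret; })");

  // The rewrite idea: turn `new Function(a, b, body)` into a direct eval of
  // the equivalent function expression at the same call site. The `eval`
  // must stay literally written at the call site; passing eval around as a
  // value makes it an indirect eval, which runs in the global scope again.
  var viaRewrite = eval(functionCtorToFunctionExpr(["prefix", "return prefix + typeof secret"]));

  return {
    viaFunction: viaFunction(),       // "undefined"
    viaEval: viaEval(),               // "string"
    viaRewrite: viaRewrite("seen: "), // "seen: string"
  };
}
```

The rewrite only reproduces the JScript behaviour when the transformed `eval(...)` ends up in the same lexical position as the original `new Function(...)`, which is why this has to be a source-to-source transformation and cannot be done by simply replacing the global `Function` object at run time.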
Hello,
I have this issue with the Msxml2.ServerXMLHTTP ActiveXObject.
The --no-kill option is not working.
Output:
Analyzing x.jse
New ActiveXObject: WScript.Shell
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: ADODB.Stream
New ActiveXObject: Shell.Application
New ActiveXObject: Msxml2.ServerXMLHTTP
C:\Users\xxx\Desktop\x\box-js-master_controller.js:32
throw new Error(message);
^
Error: Unknown ActiveXObject msxml2.serverxmlhttp
at Object.kill (C:\Users\xxx\Desktop\x\box-js-master_controller.js:32:10)
at new ActiveXObject (C:\Users\xxx\Desktop\x\box-js-master\analyze.js:326:15)
at sample.js:97:13
at ContextifyScript.Script.runInContext (vm.js:35:29)
at ContextifyScript.Script.runInNewContext (vm.js:41:15)
at Object.exports.runInNewContext (vm.js:72:17)
at Object.<anonymous> (C:\Users\xxx\Desktop\x\box-js-master\analyze.js:282:4)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
This is an issue for internal use.
Investigate the sample sent by Nwinternights today (12 October).
Move the flag documentation to a new JSON file; use that for generating both the usage text (node run --help) and the documentation in README.md.
Hi. We at Intel Owl recently added support for Box-JS.
Intel Owl is a completely free and open source threat intelligence gathering tool that integrates a lot of external services and analyzers. If someone wants to request scans through Box-JS (and many other analyzers) they can do so easily with our web GUI, and get the results from all the files such as resources.json, IOC.json, urls.json, etc. all together in a prettified format which can be filtered/sorted/searched through and is saved into the DB.
This is NOT meant to be an "advertisement" for Intel Owl nor a replacement to Box-JS - We support Box-JS. I decided to drop some info about this here because these could be some really nice features for Box-JS users to speed up their threat intelligence operations.
I hope you don't mind and thank you for creating this amazing tool!
EDIT: Added link to Box-JS's LICENSE to the project's README.
Hi,
I got a JSE that I decoded with the box-js decoder, then I ran the JS with the --preprocess --no-kill parameters and I get this error (the URLs for downloading the sample are at the bottom):
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
/home/boxjs/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^
Error: WScript.version not implemented!
at Object.kill (/home//boxjs/lib.js:24:9)
at Object.get (/home//boxjs/analyze.js:344:10)
at Object.get (/home//boxjs/node_modules/vm2/lib/contextify.js:330:37)
at vm.js:947:67
at ContextifyScript.Script.runInContext (vm.js:53:29)
at VM.run (/home//boxjs/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/home//boxjs/analyze.js:356:4)
at Module._compile (module.js:569:30)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:503:32)
JS URL (https://malwr.com/analysis/ZWQxZWI0NTk1N2IyNDgyYTgyOGQ0NzA5NDBmMjdmNjE/)
JSE URL(https://malwr.com/analysis/MTliMTA4ZGUzYWJkNDM3ZDhkN2Q0NGRlYTI1NTFmNjA/)
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Script read environment variable userprofile
Trace: Table win32_service not implemented!
at Object.kill (/usr/local/lib/node_modules/box-js/lib.js:29:10)
at getTable (/usr/local/lib/node_modules/box-js/emulator/WMI.js:66:7)
at Proxy.ExecQuery (/usr/local/lib/node_modules/box-js/emulator/WMI.js:101:11)
at Object.apply (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/contextify.js:288:34)
at ccerkvkjkxyyirdz (eval at Function (vm.js:103:41), <anonymous>:38:40)
at eval (eval at Function (vm.js:103:41), <anonymous>:58:5)
at ceyuzm (vm.js:125:23)
at vm.js:127:1
at Script.runInContext (vm.js:74:29)
at VM.run (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:204:72)
Exiting (use --no-kill to just simulate a runtime error).
Sample : https://www.reverse.it/sample/a00c774dc807919c5b7d97ff949cf004cd00d8ee17970639527aba415a823542?environmentId=100
Best regards
Hey I went to try your box-js tool and got the following error:
/home/zach/Tools/box-js-master/run.js:8
let timeout = argv.timeout || 10;
^^^
SyntaxError: Block-scoped declarations (let, const, function, class) not yet supported outside strict mode
at exports.runInThisContext (vm.js:53:16)
at Module._compile (module.js:374:25)
at Object.Module._extensions..js (module.js:417:10)
at Module.load (module.js:344:32)
at Function.Module._load (module.js:301:12)
at Function.Module.runMain (module.js:442:10)
at startup (node.js:136:18)
at node.js:966:3
I'm attempting to run box.js on a sample piece of malware, and it seems to be having an issue with the sample file importing different libraries.
This is the error I receive when attempting to run box.js:
Command:
» box-js sample-malware.js --no-rewrite
Output:
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/transformer.js:82
throw e;
^
vm.js:110
import u from "path";
^^^^^^
SyntaxError: 'import' and 'export' may appear only with 'sourceType: module'
at makeNiceSyntaxError (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/transformer.js:41:16)
at transformer (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/transformer.js:80:8)
at VM.run (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:491:16)
at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:529:8)
at Module._compile (node:internal/modules/cjs/loader:1099:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
at Module.load (node:internal/modules/cjs/loader:975:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
at node:internal/main/run_main_module:17:47
Node.js v17.7.2
* If the error is about a weird "Unknown ActiveXObject", try --no-kill.
* Otherwise, report a bug at https://github.com/CapacitorSet/box-js/issues/ .
If I run box.js without the --no-rewrite flag, I get the following output:
[error] Couldn't parse with Acorn:
[error] SyntaxError: 'import' and 'export' may appear only with 'sourceType: module' (1:0)
[error]
[error] Decode JSE. 'cc decoder.c -o decoder'. './decoder $(unknown) $(unknown).js'
The beginning of the malware file contains the following imports:
import u from "path";
import a from "fs";
import o from "https";
Appreciate the support. Thank you!
I get FileSystemObject.GetParentFolderName not implemented when running a particularly brainy js code that has some pretty good anti-sandbox evasion builtin... Any suggestions?
After a fresh git pull box-js no longer analyses any files. Every time I run box-js the following error is shown:
/usr/local/lib/node_modules/box-js/emulator/WMI.js:5
const diskSize = Math.floor(Math.random() * (10 ** 11));
^
SyntaxError: Unexpected token *
at Object.exports.runInThisContext (vm.js:76:16)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)
at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:322:13)
at Module._compile (module.js:570:32)
I'm running Ubuntu 14.04.5 LTS.
Hello, after executing gwmi -Query "SELECT * FROM Win32_Process" > a.txt in Win7 and moving it to a VM with box-js and node 8.10.0 it returns an error. I tried to fix it myself but I'm new to node.
nodejs makeProcList.js
undefined:2
"": undefined},
^
From what I googled, JSON.stringify should clean it, but the real failure happens here: JSON.parse(jsonString).
Would appreciate any help.
Best regards
This example crashes with code.match is not a function, because the Function patch is called with a Function object rather than with text:
(function() {
console.log(1);
})
"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS\COMMONMUSIC": "C:\Users\Public\Music",
got some samples that search for that Key/folder.
regards
Hello,
Having a few issues with this sample: jssample.zip (password:infected). When I run it with the default options I see:
[debug] Analysis launched: ["/usr/bin/nodejs","/opt/box-js/analyze","jssample.js","jssample.js.results/","--loglevel","debug","--timeout=10"]
[verb] Analyzing jssample.js
[debug] Using detected encoding
[debug] jschardet (v1.5.1) detected encoding ascii
[verb] Rewriting code...
[verb] Replacing `function A.prototype.B()` (use --no-rewrite-prototype to skip)...
[verb] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[verb] Rewriting eval calls (use --no-eval-rewrite to skip)...
[verb] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[verb] Rewritten successfully.
[verb] Code saved to 87e6db80-a18f-4365-9f46-fcd3d3b2aed2.js
[debug] Analyzing with vm2 v3.4.6
/opt/box-js/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^
TypeError: "457870616EcTxqapTV6445zo hXdZ6E76Gz q69726Fwpt6E6DtqNp65acSG ywzpnq6EttwvVVfLaW7453afqskt7472npeRwg696Esmvc p6773".w is not a function
at vm.js:42:130
at ContextifyScript.Script.runInContext (vm.js:35:29)
at VM.run (/opt/box-js/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/opt/box-js/analyze.js:380:5)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.runMain (module.js:604:10)
* If the error is about a weird "Unknown ActiveXObject", try --no-kill.
* If the error is about a legitimate "Unknown ActiveXObject", report a bug at https://github.com/CapacitorSet/box-js/issues/ .
If I try it with --no-rewrite I get the following:
[debug] Analysis launched: ["/usr/bin/nodejs","/opt/box-js/analyze","jssample.js","jssample.js.1.results/","--loglevel","debug","--no-rewrite","--timeout=10"]
[verb] Analyzing jssample.js
[debug] Using detected encoding
[debug] jschardet (v1.5.1) detected encoding ascii
[verb] Code saved to ee238066-3abf-41cd-a922-477f3c641d3b.js
[debug] Analyzing with vm2 v3.4.6
/opt/box-js/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^
SyntaxError: Unexpected token .
at VMScript.compile (/opt/box-js/node_modules/vm2/lib/main.js:74:20)
at VM.run (/opt/box-js/node_modules/vm2/lib/main.js:207:52)
at Object.<anonymous> (/opt/box-js/analyze.js:380:5)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.runMain (module.js:604:10)
at run (bootstrap_node.js:389:7)
* If the error is about a weird "Unknown ActiveXObject", try --no-kill.
* If the error is about a legitimate "Unknown ActiveXObject", report a bug at https://github.com/CapacitorSet/box-js/issues/ .
I didn't see anything in the other issues that seemed applicable to this one but I'd love to know what's going on.
Just installed on Kali Linux with
sudo npm install box-js --global
then tried to run a script.
Got this as the result:
C:\home\kali> sudo box-js index.html.1.js
[sudo] password for kali:
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:287
throw bridge.from(e);
^
ReferenceError [Error]: navigator is not defined
at eval (eval at apply (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/setup-sandbox.js:371:10), <anonymous>:2:21)
at eval (<anonymous>)
at Object.apply (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/setup-sandbox.js:371:10)
at vm.js:139:1
at Script.runInContext (vm.js:130:18)
at VM.runScript (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:285:18)
at /usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:507:16
at timeout_bridge.js:1:1
at Script.runInContext (vm.js:130:18)
at doWithTimeout (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/vm.js:132:29)
I will attach the file I wanted to check. PLEASE be aware: THIS IS MALICIOUS CODE LEADING TO A PHISHING SITE!!!
index.html.1.js.txt
Any help available?
main@dev:~$ box-js test.js
/usr/local/lib/node_modules/box-js/_run.js:49
let timeout = argv.timeout;
^^^
SyntaxError: Block-scoped declarations (let, const, function, class) not yet supported outside strict mode
Any solution?
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
/usr/local/lib/node_modules/box-js/lib.js:28
throw new Error(message);
^
Error: WMI.GetObject.Get not implemented!
at Object.kill (/usr/local/lib/node_modules/box-js/lib.js:28:9)
at Object.get (/usr/local/lib/node_modules/box-js/emulator/WMI.js:82:8)
at eval (eval at <anonymous> (sample.js:272:1), <anonymous>:1:35)
at sample.js:272:1
at ContextifyScript.Script.runInContext (vm.js:59:29)
at ContextifyScript.Script.runInNewContext (vm.js:65:15)
at Object.runInNewContext (vm.js:135:38)
at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:428:5)
at Module._compile (module.js:652:30)
at Object.Module._extensions..js (module.js:663:10)
* If the error is about a weird "Unknown ActiveXObject", try --no-kill.
* Otherwise, report a bug at https://github.com/CapacitorSet/box-js/issues/ .
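The two WMI failures above (Table win32_service not implemented, WMI.GetObject.Get not implemented) both come from the emulator aborting on a query it has no data for. Below is an added example, not box-js code, of a small WMI ExecQuery emulator: it parses the subset of WQL droppers actually use (SELECT fields FROM table, optionally WHERE field = 'value'), serves rows from constructed tables, and answers unknown tables with an empty, logged result set instead of killing the run. The table contents, the log format and the makeWmiService wrapper are assumptions for the demo.

```javascript
// Added example, not box-js code: a WMI ExecQuery emulator that degrades
// gracefully. Unknown tables return an empty collection and a log line rather
// than an exception, so the sample keeps running and its next action is seen.

// Constructed sample data; a real emulator ships far larger tables so that
// "how many processes / how much RAM" sandbox checks look like a workstation.
const WMI_TABLES = {
  win32_process: [
    { Name: "explorer.exe", ProcessId: 1234, CommandLine: "C:\\Windows\\explorer.exe" },
    { Name: "wscript.exe", ProcessId: 4321, CommandLine: "wscript.exe dropper.js" },
  ],
  win32_computersystem: [
    { Name: "DESKTOP-01", TotalPhysicalMemory: 8589934592, NumberOfLogicalProcessors: 4 },
  ],
};

// Supports: SELECT <fields|*> FROM <table> [WHERE <field> = '<value>']
// Anything else is reported as unsupported so the analyst can extend it.
function parseWql(query) {
  const m = /^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(\w+)\s*=\s*'([^']*)')?\s*$/i.exec(query);
  if (!m) throw new Error(`Unsupported WQL: ${query}`);
  const fields = m[1].trim() === "*" ? null : m[1].split(",").map(f => f.trim());
  return {
    fields,
    table: m[2].toLowerCase(),              // WMI class names are case-insensitive
    where: m[3] ? { field: m[3], value: m[4] } : null,
  };
}

function execQuery(query, log = []) {
  const { fields, table, where } = parseWql(query);
  const rows = WMI_TABLES[table];
  if (!rows) {
    // The failure mode from the issues above, handled: warn and continue.
    log.push(`Table ${table} not implemented, returning empty result set`);
    return [];
  }
  let result = rows;
  if (where) result = result.filter(r => String(r[where.field]) === where.value);
  if (fields) result = result.map(r => Object.fromEntries(fields.map(f => [f, r[f]])));
  log.push(`WMI query "${query}" returned ${result.length} row(s)`);
  return result;
}

// Shape a script sees after GetObject("winmgmts:") (constructed wrapper).
function makeWmiService(log = []) {
  return {
    ExecQuery(query) {
      const rows = execQuery(query, log);
      rows.Count = rows.length;   // JScript code commonly reads .Count
      return rows;
    },
  };
}
```

A dropper that does `GetObject("winmgmts:").ExecQuery("SELECT * FROM Win32_Process")` and bails out when fewer than N processes are running is the usual consumer of this; populating the process table with a realistic set is what makes the check pass, and the log line tells the analyst which WMI classes the sample inspected.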
Needs a compliant parser to extract the JScript code from WSF files (with <job>, <script> and so on).
Hello! We've spoken before via email.
You pointed me to node.js after I answered a thread on reddit wanting to build another program. I wasn't experienced enough to help you though.
I know you've already spoken about how to get something to be defined in your readme, but I am confused. I do not know if it's simply because I'm inexperienced or what.
Basically both Firebug and node.js have one issue in common: they can puzzle out information from recursive arrays, but they do NOT show how they arrived at it!
So this malware I have is pretty much one giant array, with two smaller arrays. And somehow, it builds an entire program and config file out of them! I cannot seem to, no matter how much I try, figure this out!
Your program (and firebug) both output this function: _87867t67t6gt (but say it isn't defined) which is great, but I cannot seem to figure out HOW that function was generated from a set of random array stuff.
What I was hoping for, was that your program would allow me to build the entire program from the array, THEN I could attempt to run it and see what it does via your software.
Is this a total misunderstanding of what the software does? If not, how can I see what it took from each array (and the calculations) to build the function and the rest of the program? Can I have it build EVERYTHING without attempting to run it (and thus stop it from running into the _____ not defined issue)?
Does this make any sense? Feel free to drop me a line at theoryofscience @ gmail . com, which we've talked through before!
I got the following error when running box-js against malicious JavaScript under REMnux (latest version):
Analyzing test.js
{ Error: Line 22: Unexpected token ;
at constructError (/opt/box-js/node_modules/esprima/esprima.js:2406:21)
at createError (/opt/box-js/node_modules/esprima/esprima.js:2425:17)
at unexpectedTokenError (/opt/box-js/node_modules/esprima/esprima.js:2499:13)
at throwUnexpectedToken (/opt/box-js/node_modules/esprima/esprima.js:2504:15)
at expect (/opt/box-js/node_modules/esprima/esprima.js:2522:13)
at parseForStatement (/opt/box-js/node_modules/esprima/esprima.js:4426:9)
at parseStatement (/opt/box-js/node_modules/esprima/esprima.js:4774:24)
at parseStatementListItem (/opt/box-js/node_modules/esprima/esprima.js:3988:16)
at parseFunctionSourceElements (/opt/box-js/node_modules/esprima/esprima.js:4868:23)
at parseFunctionDeclaration (/opt/box-js/node_modules/esprima/esprima.js:5016:16) lineNumber: 22, description: 'Unexpected token ;', index: 486 }
And around line 22, I do not see any ";" token and the code is js-beautified, so pretty formatted. Let me know if you need the original malicious JS file. Thanks.
Hi,
There are some issues with the download function.
It does not work completely.
I believe you need to fix this issue in the following way.
Thanks,
Hi,
analyze.js handles WSF files of the form <script>..</script><script>..</script>.
Some WSF files have <script language=JScript>.......</script>.
Of course if I add the right tags box.js runs smoothly.
Below is a sample I submitted:
(https://malwr.com/analysis/Yjc0MmFkY2JiNjIwNDMxMmE2YmJmZGIzNzU1MGVhZGU/)
before:
node run.js ../sample/wsf/00.wsf --debug
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
Analyzing ../sample/wsf/00.wsf
Using detected encoding
The file seems to be encoded with ascii.
After tag modification:
node run.js ../sample/wsf/00.wsf --download --no-shell-error
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
Analyzing ../sample/wsf/00.wsf
Using detected encoding
The file seems to be encoded with ascii.
New ActiveXObject: Msxml2.XMLHTTP
GET hxxp://actual-clinic.ru/counter/?rRP-8RCu_V6K4KpmizObebi7BQzTwk79mvZzsY-T-tBYheL-okeQKIl0pHkFCOJKdORQ_ffv9tYJ3iBR7UNBPQKY5i1vHS481
Downloading...
Downloaded 377344 bytes.
New ActiveXObject: Msxml2.XMLHTTP
GET hxxp://pvo-taganrog.ru/counter/?rRP-8RCu_V6K4KpmizObebi7BQzTwk79mvZzsY-T-tBYheL-okeQKIl0pHkFCOJKdORQ_ffv9tYJ3iBR7UNBPQKY5i1vHS481
Downloading...
An error occurred while emulating a GET request to hxxp://pvo-taganrog.ru/counter/?rRP-8RCu_V6K4KpmizObebi7BQzTwk79mvZzsY-T-tBYheL-okeQKIl0pHkFCOJKdORQ_ffv9tYJ3iBR7UNBPQKY5i1vHS481.
{ Error: getaddrinfo ENOTFOUND pvo-taganrog.ru pvo-taganrog.ru:80
at doRequestWith (/home/socadmin/boxjs/node_modules/sync-request/index.js:87:17)
at doRequest (/home/socadmin/boxjs/node_modules/sync-request/index.js:20:10)
at Object.fetchUrl (/home/socadmin/boxjs/controller.js:53:17)
at Proxy.XMLHTTP.send (/home/socadmin/boxjs/emulator/XMLHTTP.js:24:26)
at Object.apply (/home/socadmin/boxjs/node_modules/vm2/lib/contextify.js:288:34)
at vm.js:20:15
at ContextifyScript.Script.runInContext (vm.js:53:29)
at VM.run (/home/socadmin/boxjs/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/home/socadmin/boxjs/analyze.js:294:4)
at Module._compile (module.js:569:30) code: 'ENOTFOUND' }
PS ok the URL was not reachable :-)
best regards
I edited the issue to remove malicious URLs. - CapacitorSet
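The WSF handling requested in the "compliant parser" issue and hit in the report above (a <script language=JScript> tag with an unquoted attribute), as an added example that is not box-js code. It extracts the script bodies a WSH host would run, tolerating a <job> wrapper, quoted or unquoted language attributes, mixed case, CDATA sections and HTML-comment wrappers, and skips VBScript blocks. Treating a <script> with no language attribute as JScript and ignoring external src= scripts are assumptions made for this demo.

```javascript
// Added example, not box-js code: pull the JScript blocks out of a .wsf file.

function extractJScript(wsf) {
  const scripts = [];
  // Tag names and attributes are case-insensitive in WSF; attribute values
  // may be double-quoted, single-quoted or bare (language=JScript).
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const langRe = /\blanguage\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = scriptRe.exec(wsf)) !== null) {
    const attrs = m[1];
    const lm = langRe.exec(attrs);
    // Assumption: no language attribute means JScript.
    const lang = (lm ? (lm[1] || lm[2] || lm[3] || "jscript") : "jscript").toLowerCase();
    if (!/^(jscript|javascript)$/.test(lang)) continue; // e.g. VBScript blocks
    if (/\bsrc\s*=/i.test(attrs) && m[2].trim() === "") continue; // external script, not fetched here
    let body = m[2];
    body = body.replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g, "$1");       // unwrap CDATA
    body = body.replace(/^\s*<!--/, "").replace(/-->\s*$/, "");      // unwrap <!-- ... -->
    scripts.push(body.trim());
  }
  return scripts;
}

// Cheap sniff used to decide whether a file should go through the extractor
// at all (a plain .js sample has no <job> / <script> markup).
function looksLikeWsf(text) {
  return /<job\b/i.test(text) || /<script\b/i.test(text);
}

// Joining the blocks with a newline matches how the host runs them: all
// JScript blocks of one <job> share a single global scope, in document order.
function wsfToJs(wsf) {
  return extractJScript(wsf).join("\n");
}
```

Running the joined output through the normal JS analysis path, rather than the individual blocks in isolation, matters for samples that define a function in one <script> block and call it from a later one.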
Document the REST API with Swagger.
Running into.
ReferenceError [Error]: CollectGarbage is not defined
at vm.js:3430:1
at Script.runInContext (vm.js:131:20)
at C:\Users\zashraf\AppData\Roaming\npm\node_modules\box-js\node_modules\vm2\lib\main.js:851:53
at timeout_bridge.js:1:1
at Script.runInContext (vm.js:131:20)
at doWithTimeout (C:\Users\zashraf\AppData\Roaming\npm\node_modules\box-js\node_modules\vm2\lib\main.js:467:17)
at VM.run (C:\Users\zashraf\AppData\Roaming\npm\node_modules\box-js\node_modules\vm2\lib\main.js:849:10)
at Object.<anonymous> (C:\Users\zashraf\AppData\Roaming\npm\node_modules\box-js\analyze.js:442:5)
at Module._compile (internal/modules/cjs/loader.js:1138:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1158:10)
As of now, the content of eval calls is rewritten, but this doesn't happen for new Function(source)().
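An added example, not box-js code, that addresses both this issue and the earlier "code.match is not a function" crash: a replacement Function constructor a sandbox can install. It stringifies every argument before any text processing (so a Function object, an array or a number passed as source cannot crash the rewriter), hands the reconstructed source to a rewrite callback, and only then compiles with the native constructor. The `onSource` and `rewrite` callbacks and the demo rewrite are placeholders for the sandbox's own logging and rewriting.

```javascript
// Added example, not box-js code: hook the Function constructor so that
// dynamically built functions are (1) never mishandled because the "source"
// is not a string and (2) routed through the same rewriter as eval.
const NativeFunction = Function;

function makeFunctionHook({ onSource = () => {}, rewrite = body => body } = {}) {
  function HookedFunction(...args) {
    // Native Function() applies ToString to each argument: Function(fnObj)
    // gets fnObj's source text, Function(["return 1"]) gets "return 1".
    // Doing the same here is what keeps .match/.replace on the body safe.
    const parts = args.map(a => String(a));
    const body = parts.length ? parts[parts.length - 1] : "";
    const params = parts.slice(0, -1);
    const source = `(function anonymous(${params.join(", ")}) {\n${body}\n})`;
    onSource(source);              // dump for the analyst before anything runs
    const newBody = rewrite(body); // same pass the sandbox applies to eval bodies
    return NativeFunction(...params, newBody);
  }
  // Keep `instanceof Function` and Function.prototype methods working.
  HookedFunction.prototype = NativeFunction.prototype;
  return HookedFunction;
}

function demo() {
  const seen = [];
  const Hooked = makeFunctionHook({
    onSource: src => seen.push(src),
    // Constructed rewrite for the demo; a real one would instrument eval,
    // ActiveXObject and friends inside the body.
    rewrite: body => `/* rewritten */ ${body}`,
  });
  const fromArray = Hooked(["return 6 * 7"]);          // non-string source
  const withParams = new Hooked("a", "b", "return a * b");
  // A Function object as source: the hook no longer throws a TypeError; the
  // native constructor rejects the anonymous declaration with a SyntaxError,
  // exactly as a real engine would, after the source has been captured.
  let fromFnObject;
  try {
    Hooked(function () { return 1; });
    fromFnObject = "compiled";
  } catch (e) {
    fromFnObject = e.constructor.name;
  }
  return {
    fromArray: fromArray(),
    withParams: withParams(6, 7),
    seen,
    fromFnObject,
    isFunction: fromArray instanceof Function,
  };
}
```

Installing it is a matter of exposing `makeFunctionHook(...)` as `Function` inside the sandbox context; because the hook reconstructs the full function-expression source, the captured text can be saved next to the rewritten eval bodies and deobfuscated offline.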
As of now, ADODB.RecordSet.AddNew is a no-op. It should be managed appropriately, in order to implement MoveFirst correctly.
img.txt
I guess this is very obfuscated JS and even uglify raises some errors:
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] Rewriting code...
[info] Preprocessing with uglify-js v3.0.24 (remove --preprocess to skip)...
[error] Couldn't preprocess with uglify-js: {"message":"'return' outside of function","filename":"0","line":4,"col":4,"pos":337}
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[error] Error: Line 4: Illegal return statement
[error]
[error] This doesn't seem to be a JavaScript/WScript file.
If this is a JSE file (JScript.Encode), compile
decoder.c and run it on the file, like this:
cc decoder.c -o decoder
./decoder ../sample/js/img.js ../sample/js/img.js.
Hi all,
If I try to execute cc decoder.c -o decoder I get this warning:
decoder.c: In function ‘ScriptDecoder’:
decoder.c:391:53: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘long unsigned int’ [-Wformat=]
printf ("Msg: Found encoded block containing %d characters.\n", len);
^
Can someone help me?
regards
Implemented by @ALange here: https://github.com/ALange/box-js/commit/1555a6c40a1f407be2b205566e96d7a86a4aa0b9
Syntax: CopyFile(src, dest), returning true.
See #21 for details.
At the moment, the script will run the analyses sequentially. Users who run batch analyses might want to run them in parallel, so it would be nice to have something like a --threads flag.
argv.js will ignore unknown flags, because they may refer to either "run" or "export". This is undesirable behaviour, and the previous behaviour should be restored (non-existing flags result in an error).
If anyone is reading this issue: note that this refers to code that hasn't been pushed to GitHub at the time of writing.
This is an unknown ActiveXObject where --no-kill does not work. The sample is:
https://www.virustotal.com/gui/file/12298dfb14f426e2c5191dc22e54832df6bdfde374032b2264faadbf898b9e9f/detection
# box-js --timeout 60 --no-kill sample.js
/root/box-js-master/node_modules/vm2/lib/main.js:218
throw this._internal.Decontextify.value(e);
^
Error: Unknown ActiveXObject adodb.connection
at Object.kill (/root/box-js-master/lib.js:28:9)
at new ActiveXObject (/root/box-js-master/analyze.js:488:8)
at Object.construct (/root/box-js-master/node_modules/vm2/lib/contextify.js:300:33)
at gxO (vm.js:189:15)
at vm.js:347:8
at Script.runInContext (vm.js:137:20)
at VM.run (/root/box-js-master/node_modules/vm2/lib/main.js:212:72)
at Object.<anonymous> (/root/box-js-master/analyze.js:451:5)
at Module._compile (internal/modules/cjs/loader.js:936:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:947:10)
* If the error is about a weird "Unknown ActiveXObject", try --no-kill.
* Otherwise, report a bug at https://github.com/CapacitorSet/box-js/issues/ .
Some ideas:
"foo" + "bar".decode() to "foobar".decode()
@cc_on are stripped correctly
eval
https://google.com/robots.txt ), and test that they are analysed correctly
Hi all,
I was trying to decode a JSE (d7afb22d8c35874bdbb3227a57948b8b) (https://www.reverse.it/sample/dffa67c8f7c807c9ded265b5706eff1e64a2c836f4af0342fb34aa1bed8bce44?environmentId=100)
After compiling the decoder I ran box.js and even if I set a long timeout I still get the error below:
node run.js ../sample/jse/fatturaN0567.js --timeout=10000 --no-echo
Analyzing ../sample/jse/fatturaN0567.js
Using detected encoding
The file seems to be encoded with ascii.
New ActiveXObject: WScript.Shell
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: ADODB.Stream
New ActiveXObject: Shell.Application
New ActiveXObject: Msxml2.ServerXMLHTTP
FSObject[bufferarray] = ;
/boxjs/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^
Error: Script execution timed out.
at ContextifyScript.Script.runInContext (vm.js:53:29)
at VM.run (/home/....../boxjs/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/home/......./boxjs/analyze.js:294:4)
at Module._compile (module.js:569:30)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:503:32)
at tryModuleLoad (module.js:466:12)
at Function.Module._load (module.js:458:3)
at Function.Module.runMain (module.js:605:10)
@CapacitorSet do you have an idea?
regards and thanks for the support!!
In a specific case uglify-js did a very good job of deobfuscating samples. It is worth investigating as an improvement over the current, "manual" rewriting in analyze.js.
Cuckoo exposes a REST API documented here, it would be nice to integrate with it.
Hi @CapacitorSet ,
This is what I get when running the attached JS NIC423523.js.TXT:
node run.js ../sample/js/NIC423523.js --unsafe-preprocess --no-kill
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
[info] Rewriting code...
[info] Replacing function A.prototype.B() (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
/home/...../boxjs/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^
TypeError: lib.warn is not a function
at Proxy.WScriptShell.regread (/home/...../boxjs/emulator/WScriptShell.js:67:7)
at Object.apply (/home/....../boxjs/node_modules/vm2/lib/contextify.js:288:34)
at eval (eval at <anonymous> (vm.js:30:19), <anonymous>:2:39)
at vm.js:30:19
at ContextifyScript.Script.runInContext (vm.js:53:29)
at VM.run (/home/....../boxjs/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/home/--/boxjs/analyze.js:358:4)
at Module._compile (module.js:569:30)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:503:32)
Thanks for your support.
I am getting this error:
/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:297
throw this._internal.Decontextify.value(e);
^
ReferenceError: navigator is not defined
at vm.js:111:17
at vm.js:143:6
at ContextifyScript.Script.runInContext (vm.js:59:29)
at VM.run (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:291:64)
at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:442:5)
at Module._compile (module.js:652:30)
at Object.Module._extensions..js (module.js:663:10)
at Module.load (module.js:565:32)
at tryModuleLoad (module.js:505:12)
at Function.Module._load (module.js:497:3)
And I am wondering if this is just because navigator is not defined as a value or ?
Hi,
It could be a good idea to automatically upload samples to VirusTotal via the public API after the dropper has downloaded the .exe file (or to Malwr, but I don't see an API, so that would be trickier).
A guy from ESC2k17
Here's the error I get when trying to run a sample:
# box-js --timeout 300 sample.js
/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:297
throw this._internal.Decontextify.value(e);
^
ReferenceError: document is not defined
at vm.js:108:1
at Script.runInContext (vm.js:107:20)
at VM.run (/usr/local/lib/node_modules/box-js/node_modules/vm2/lib/main.js:291:64)
at Object.<anonymous> (/usr/local/lib/node_modules/box-js/analyze.js:442:5)
at Module._compile (internal/modules/cjs/loader.js:689:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:700:10)
at Module.load (internal/modules/cjs/loader.js:599:32)
at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
at Function.Module._load (internal/modules/cjs/loader.js:530:3)
at Function.Module.runMain (internal/modules/cjs/loader.js:742:12)
* If the error is about a weird "Unknown ActiveXObject", try --no-kill.
* Otherwise, report a bug at https://github.com/CapacitorSet/box-js/issues/ .
Done some Googling and can't find a solution to this
Hi, got this sample to analyze "https://www.reverse.it/sample/31641b7e48cf51ec19fc9c006f9ee1ecc8988b5c728f9a1386d2927c32718189?environmentId=100" MD5:6f6067cacbc94d2019a7e2643645c60e
but I get this error:
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[error] Couldn't preprocess with uglify-es: {"message":"cascade is not a supported option","defs":{"arrows":true,"booleans":true,"collapse_vars":true,"comparisons":true,"computed_props":true,"conditionals":true,"dead_code":true,"drop_console":false,"drop_debugger":true,"ecma":5,"evaluate":true,"expression":false,"global_defs":{},"hoist_funs":false,"hoist_props":true,"hoist_vars":false,"ie8":false,"if_return":true,"inline":true,"join_vars":true,"keep_classnames":false,"keep_fargs":true,"keep_fnames":false,"keep_infinity":false,"loops":true,"negate_iife":true,"passes":1,"properties":true,"pure_getters":"strict","pure_funcs":null,"reduce_funcs":true,"reduce_vars":true,"sequences":true,"side_effects":true,"switches":true,"top_retain":null,"toplevel":false,"typeofs":true,"unsafe":false,"unsafe_arrows":false,"unsafe_comps":false,"unsafe_Function":false,"unsafe_math":false,"unsafe_methods":false,"unsafe_proto":false,"unsafe_regexp":false,"unsafe_undefined":false,"unused":true,"warnings":false}}
Any Ideas @CapacitorSet ?
regards
Sample 25f50092c0a90d13302987b8d3e21401 throws syntax errors when --preprocess is used. Look into this.
Hi @CapacitorSet, when I'm trying to download the payload of this JS
https://malwr.com/analysis/ZTRlNmM3ZjZmODNiNGEyN2I1MTI3MWM5MDQzZTJlODI/
I get this error:
throw this._internal.Decontextify.value(e);
^
TypeError: Function is not a constructor
Can you help me?
best regards