Home Security Tools Malware-Jail – Tool For Javascript Malware Analysis, Deobfuscation and Payload Extraction

Malware-Jail – Tool For Javascript Malware Analysis, Deobfuscation and Payload Extraction

by ethhack
Malware-Jail - Tool For Javascript Malware Analysis, Deobfuscation and Payload Extraction

Malware-Jail is a sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. It is written for Node.js.

It runs on any operating system. Developed and tested on Linux, Node.js v6.6.0.

Note: Due to use of some ES6 features, you’ll need Node.js >= 6.x.

Malware-Jail is written for Node’s ‘vm’ sandbox. Currently implements WScript (Windows Scripting Host) context  env/wscript.js , at least the part frequently used by malware. Internet browser context is partialy implemented  env/browser.js .

How To Install Malware-Jail

You’ll need Node.js and npm installed. Because malware-jail is built on top of minimist, iconv-lite and entities.

Pull from GitHub

Pull the source with git:

Then install all the dependecies (minimist, entities, iconv-lite) with:


In the examples folder you may find a deactivated malware file. Run the analysis with:

Internet browser based malware you may test with

At the end of the analysis the complete sandbox context is dumped into a ‘sandbox_dump_after.json‘ file.

You may want to examine following entries of ‘sandbox_dump_after.json‘:

  • eval_calls – array of all eval() calls arguments. Useful if eval() is used for deobfucation.
  • wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved into the output/ directory too.
  • wscript_urls – all URLs that the malware intended to GET or POST.
  • wscript_objects – WScript or ActiveX objects created.

sandbox_dump_after.json‘ uses JSONPath, implemented by JSON-js/cycle.js, to save duplicated or cyclic references to a same object.

Sample Output

In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf


The malware folder contains real-world malware samples. Most of them downloaded from https://malwr.com.

Example: Analysing Wileen.js

Taking malicious script from malwr.com: Wileen.js
Apparently the malware does not execute if run from within a browser:

Therefore you may want to use an alternate config filem which does not load browser/DOM components:

Interesting use of Powershell:

Example: Analysing ORDER-10455.js

Taking malicious JavaScript from malwr.com: ORDER-10455.js

First run without interaction with remote servers:

you get something like:

Seems to be a “standard” behaviour of deobfuscation in order to finally download an exe binary and execute it.

If we want to get the real payload, run it with ‘–down=y’:

Example: Analysing Norri.js

Taking malicious JavaScript from malwr.com: Norri.js


you get: 

Behaviour is obvious from the log. Payload has been extracted into the output/TemporaryFolder_TempFile[15] file.

Example: Analysing Angler EK

Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into a malware/angler/angler_full.html.

Strip the non Angler part and save as malware/angler/angler_stripped.html.


Source link

Related Articles

Leave a Comment