A utility to analyze malicious JavaScript.
Installation
Simply install box-js from npm:
Code:
npm install box-js --global
Usage
Looking to use box-js with Cuckoo? Use cuckoo-package.py as an analysis package.
Let's say you have a sample called sample.js: to analyze it, simply run
Code:
box-js sample.js
Chances are you will also want to download any payloads; use the flag --download to enable downloading. Otherwise, the engine will simulate a 404 error, so that the script will be tricked into thinking the distribution site is down and contacting any fallback sites.
Box.js will emulate a Windows JScript environment, print a summary of the emulation to the console, and create a folder called sample.js.results (if it already exists, it will create sample.js.1.results and so on). This folder will contain:
- analysis.log, a log of the analysis as it was printed on screen;
- a series of files identified by UUIDs;
- snippets.json, a list of pieces of code executed by the sample (JavaScript, shell commands, etc.);
- urls.json, a list of URLs contacted;
- active_urls.json, a list of URLs that seem to drop active malware;
- resources.json, the ADODB streams (i.e. the files that the script wrote to disk) with file types and hashes;
- IOC.json, a list of behaviours identified as IOCs (Indicators of Compromise). These include registry accesses, written files, HTTP requests and so on.
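An added triage helper, not part of box-js itself, that locates the newest results folder using the naming rule above (sample.js.results, sample.js.1.results, ...) and reports which of the listed artifacts it contains. It assumes urls.json and active_urls.json hold a JSON array of strings, which the list above describes but does not pin down; the fixture it triages is constructed, not real box-js output.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Artifacts box-js writes into the results folder (from the list above).
EXPECTED = ["analysis.log", "snippets.json", "urls.json",
            "active_urls.json", "resources.json", "IOC.json"]


def latest_results_dir(sample: str, root: Path) -> Optional[Path]:
    """Return the newest <sample>[.N].results folder under `root`.

    The index N is compared numerically: a lexical sort would rank ".2" above ".10".
    """
    pattern = re.compile(rf"^{re.escape(sample)}(?:\.(\d+))?\.results$")
    best, best_idx = None, -1
    for entry in root.iterdir():
        m = pattern.match(entry.name)
        if m and entry.is_dir():
            idx = int(m.group(1)) if m.group(1) else 0  # no index == first run
            if idx > best_idx:
                best, best_idx = entry, idx
    return best


def summarize(results_dir: Path) -> dict:
    """Report missing artifacts and URL counts (assumes the URL files are JSON arrays)."""
    summary = {"missing": [f for f in EXPECTED if not (results_dir / f).exists()]}
    for name in ("urls.json", "active_urls.json"):
        path = results_dir / name
        if path.exists():
            data = json.loads(path.read_text())
            summary[name] = len(data) if isinstance(data, list) else None
    return summary


def demo() -> dict:
    """Triage a constructed fixture (not real box-js output) to show the flow."""
    root = Path(tempfile.mkdtemp())
    for suffix in (".results", ".1.results", ".2.results", ".10.results"):
        d = root / f"sample.js{suffix}"
        d.mkdir()
        (d / "analysis.log").write_text("constructed log\n")
    newest = root / "sample.js.10.results"
    (newest / "urls.json").write_text(json.dumps(["http://a.example", "http://b.example"]))
    (newest / "active_urls.json").write_text(json.dumps(["http://a.example"]))
    found = latest_results_dir("sample.js", root)
    return {"dir": found.name, **summarize(found)}
```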