hynekpetrak / malware-jail Goto Github PK

hi ,
i have a script from the latest ransomware that appear can you please check it why dont run on your sandbox.

ps: this sandbox is awesome

RLbPRgWrsX.zip

this script is a ransomware downloader so is zipped with the same password as always

best regards
joao azevedo

Is it possible to define different browser plugin versions, such as Flash, Java?

Hey @HynekPetrak, great project! 👍

This is more of a doubt, rather than an issue and would like to hear your thoughts on the same. I have seen syntax which is non-compliant to the ECMAScript standard supported by JScript. For example:

function a () {
} 

function a.prototype.b () {
}

c = new a();

c.b();

How do you think is a proper way to handle such files in the jail?

mailware-jail, a malware sandbox ver. 0.12

Is this a typo? s/mailware-jail/malware-jail

I came across this project when I was looking for malicious html/javascript detection, this project works perfectly when processing javascript files, but for javascripts in html files, it needs many manual things to do and sometimes it could not work properly due to the DOM interactive.
Any plan for you to support html scanning in the future?

For all of those looking at this repository, @CybercentreCanada has "forked" this tool into its JsJaws service for Assemblyline and will be providing support and maintenance for their version of the tool: https://github.com/CybercentreCanada/assemblyline-service-jsjaws/tree/main/tools/malwarejail

Thank you @HynekPetrak for your work on this tool!

🇨🇦

Topic says it:

[13:30:22 j:~/build/malware-jail$] nodejs jailme.js
/build/malware-jail/jailme.js:95
var _proxy = function(o, verbose = false, what = undefined) {
                                 ^

SyntaxError: Unexpected token =
    at exports.runInThisContext (vm.js:53:16)
    at Module._compile (module.js:373:25)
    at Object.Module._extensions..js (module.js:416:10)
    at Module.load (module.js:343:32)
    at Function.Module._load (module.js:300:12)
    at Function.Module.runMain (module.js:441:10)
    at startup (node.js:139:18)
    at node.js:990:3

installed via Ubuntu apt which installed node.js 4.7.2. There is no "node" command, but "nodejs".

Sample : http://pastebin.com/dTvva02n

Error

13 Dec 18:45:47 - mailware-jail, a malware sandbox ver. 0.10
...
13 Dec 18:45:47 - new Function(, lesleyA = new Function('','return  \"TVM=\".extractAll();' ) ;) => Function[10]
13 Dec 18:45:47 - Exception occured: object ReferenceError: WSH is not defined
    at /samples/31cc.jse:182:4
    at ContextifyScript.Script.runInContext (vm.js:35:29)
    at Object.exports.runInContext (vm.js:67:17)
    at run_in_ctx (/malware-jail/jailme.js:261:16)
    at Object.<anonymous> (/malware-jail/jailme.js:291:1)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)
13 Dec 18:45:47 - ==> Cleaning up sandbox.

Changing WSH at (Line:182) to 1 and the script ran as expected.

if(WSH)
{
    lesleyA2();
}

Hi, how can we get all URLS inside the JS (

pdf.js.zip

this is one of the lately JS that downloads locky and encrypts files with .ykcol from multiple URLS

$node jailme.js -h -b list
/home/alfonso/malware-jail/jailme.js:95
var _proxy = function(o, verbose = false, what = undefined) {
^

SyntaxError: Unexpected token =
at exports.runInThisContext (vm.js:53:16)
at Module._compile (module.js:373:25)
at Object.Module._extensions..js (module.js:416:10)
at Module.load (module.js:343:32)
at Function.Module._load (module.js:300:12)
at Function.Module.runMain (module.js:441:10)
at startup (node.js:140:18)
at node.js:1043:3

Hello :)

When I was dealing with one of the JScript malwares, I got the following error:
- Exception occured: object TypeError: AB$D[((("e" + "nvironmen") + (intermediate value)(intermediate value)(intermediate value)) + "")] is not a function at eval (eval at <anonymous> (C:\Users\Sandbox\Desktop\original.js:3:29), <anonymous>:2:802) at Object.eval [as toString] (eval at <anonymous> (C:\Users\Sandbox\Desktop\original.js:3:29), <anonymous>:2:63571) at C:\Users\Sandbox\Desktop\original.js:4:25 at ContextifyScript.Script.runInContext (vm.js:35:29) at Object.exports.runInContext (vm.js:67:17) at run_in_ctx (C:\tools\malware-jail\jailme.js:145:16) at Object.<anonymous> (C:\tools\malware-jail\jailme.js:168:1) at Module._compile (module.js:570:32) at Object.Module._extensions..js (module.js:579:10) at Module.load (module.js:487:32)

I runned malware-jail with config_wscript_only config. (download sample: https://ufile.io/31a14)
Thank a lot, awesome tool.

When emulate the following file I get the error: TypeError: Array.prototype.sort called on null or undefined

File is malware, be careful !
Password is infected
4dc67aaa7133c5245da8234b2dadbf88-info_141926248.zip

This is my eval.js
eval.zip