Closed Nwinternights closed 7 years ago
Hello,
it seems that box-js is timing out on this sample because it is heavily obfuscated, involving thousands of function calls and property accesses for every line of actual code. The engine relies on `vm2` rather than the native `vm` module for security reasons (see here for a simple exploit that breaks out of `vm`); `vm2` uses ES6 proxies, which have a certain overhead - I suspect the overhead keeps accumulating until it makes the analysis time out.
I tried deobfuscating it by hand, and after a few tricks I got this version, which doesn't time out but also reports a missing feature in WMI emulation (`GetObject(winmgmts:!\\.\root\cimv2) not implemented!`).
Thanks for the report. It's late now, but tomorrow I'll open an issue regarding the missing WMI feature and better investigate whether this was due to excessive obfuscation by trying it with the native `vm` module instead.
Best regards.
For the sake of it, I briefly tried to analyze the sample anyway. I removed the part that used WMI, replacing it with `processList = ""`, and found that the script makes a request to `https://<ip>/S/lafamilia.php?add=stayoutofmyterritory&u=704130568&o=0&v=20&<random>`.
Luckily, the distribution site is now down. However, what the script did was:
- verify that the host replied with HTTP 200
- save the payload to disk
- check the first two bytes of the payload to verify that it starts with the `MZ` magic number
- call `cmd /U /Q /C cd /D <drive letter here>: && dir /b/s/x <long list of file extensions> >>%TEMP%\\<long list of file extensions>` for each drive
- call `cmd \c start <filename here>` (which runs the dropped file)
- call `cmd /U /Q /C del /Q/F %TEMP%\\*.exe && del /Q/F %TEMP%\\*.gop && del /Q/F %TEMP%\\*.txt && del /Q/F %TEMP%\\*.log && del /Q/F %TEMP%\\*.jse open 0`.
Oh, one more thing - out of curiosity, how did you come across box-js?
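As an added example (not box-js code and not from anyone in this thread), a small detector that turns the command-line chain listed above into patterns and runs them over constructed process-creation records; the parent-process filter (wscript.exe/cscript.exe), the field layout and the sample file names are assumptions:

```python
"""Flag hosts whose process-creation log shows the dropper chain described
above: per-drive 'dir' listing into %TEMP%, start of the dropped file, and
wiping of %TEMP%. This is an added example; all log lines are constructed."""
import re
from collections import defaultdict
# Regexes reconstructed from the cmd lines quoted in the thread.
STAGES = {
    "drive_enum": re.compile(
        r"^cmd(\.exe)?\s+/U\s+/Q\s+/C\s+cd\s+/D\s+[A-Z]:\s*&&\s*"
        r"dir\s+/b/s/x\b.*>>\s*%TEMP%\\", re.I),
    "start_dropped": re.compile(r"^cmd(\.exe)?\s+[/\\]c\s+start\s+\S", re.I),
    "temp_cleanup": re.compile(
        r"^cmd(\.exe)?\s+/U\s+/Q\s+/C\s+del\s+/Q/F\s+%TEMP%\\\*\.exe\b"
        r".*%TEMP%\\\*\.jse", re.I),
}
# Assumption: the .jse runs under Windows Script Host, so cmd's parent is one of these.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Constructed "host | parent image | command line" records; the extension list
# and file names are placeholders, since the thread elides the real ones.
SAMPLE_LOG = [
    "ws01 | wscript.exe | cmd /U /Q /C cd /D C: && dir /b/s/x *.doc *.pdf >>%TEMP%\\list.txt",
    "ws01 | wscript.exe | cmd /U /Q /C cd /D D: && dir /b/s/x *.doc *.pdf >>%TEMP%\\list.txt",
    "ws01 | wscript.exe | cmd \\c start %TEMP%\\payload.exe",
    "ws01 | wscript.exe | cmd /U /Q /C del /Q/F %TEMP%\\*.exe && del /Q/F %TEMP%\\*.gop"
    " && del /Q/F %TEMP%\\*.txt && del /Q/F %TEMP%\\*.log && del /Q/F %TEMP%\\*.jse",
    "ws02 | explorer.exe | cmd /c start notepad.exe",          # benign: not from a script host
    "ws03 | cmd.exe | dir /b/s C:\\Users >>%TEMP%\\files.txt",  # benign: no cmd /U /Q /C wrapper
]

def match_stage(cmdline):
    """Return the name of the stage a command line matches, or None."""
    for name, rx in STAGES.items():
        if rx.search(cmdline):
            return name
    return None

def stages_per_host(lines):
    """Set of matched stages per host, counting only cmd spawned by a script host."""
    seen = defaultdict(set)
    for line in lines:
        host, parent, cmdline = (part.strip() for part in line.split("|", 2))
        stage = match_stage(cmdline)
        if stage and parent.lower() in SCRIPT_HOSTS:
            seen[host].add(stage)
    return dict(seen)

def suspicious_hosts(lines, min_stages=2):
    """Hosts showing at least min_stages of the chain (>=2 cuts single-command noise)."""
    return sorted(h for h, s in stages_per_host(lines).items() if len(s) >= min_stages)
```

Requiring two or more stages on the same host keeps a lone `cmd /c start` from an interactive user out of the alert.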
First of all, thanks for the quick answer and for the analysis. I came across boxjs because I was looking for a semi-automated tool that helps me analyze JavaScript without spending the whole day deobfuscating. I usually work with sandboxes (e.g. Cuckoo) and other manual tools (for PE), but I admit that boxjs is one of the best forensics tools for JS so far. I really hope that this community will grow. If you want I can "spread the word" about boxjs to other communities. Let me know. Best regards.
Thanks for the kind feedback! More publicity is always welcome - this project would greatly benefit from more bug reports and collaborators, as well as being "battle-tested".
With c7c5010d696dcd207ad7a5c0232d1b041c69a46f I made `vm2` respect the timeout given by the command line, and after trying it with a timeout of two minutes I got it to work successfully. I'm closing this issue for now.
Once again, thanks for the report, which helped find two issues in box-js and two more in other projects (beautify-web/js-beautify#1211 and babel/babili#618).
@CapacitorSet Perhaps you might find this useful:
https://github.com/mishoo/UglifyJS2/pull/2216#issuecomment-313856762
Thanks for the heads up, very useful!
Hi all, I was trying to decode a jse (d7afb22d8c35874bdbb3227a57948b8b) (https://www.reverse.it/sample/dffa67c8f7c807c9ded265b5706eff1e64a2c836f4af0342fb34aa1bed8bce44?environmentId=100). After compiling the decoder I ran box.js and even if I set a long timeout I still have the error below:

```
node run.js ../sample/jse/fatturaN0567.js --timeout=10000 --no-echo
Analyzing ../sample/jse/fatturaN0567.js
Using detected encoding
The file seems to be encoded with ascii.
New ActiveXObject: WScript.Shell
New ActiveXObject: Scripting.FileSystemObject
New ActiveXObject: ADODB.Stream
New ActiveXObject: Shell.Application
New ActiveXObject: Msxml2.ServerXMLHTTP
FSObject[bufferarray] = ;
/boxjs/node_modules/vm2/lib/main.js:213
    throw this._internal.Decontextify.value(e);
    ^

Error: Script execution timed out.
    at ContextifyScript.Script.runInContext (vm.js:53:29)
    at VM.run (/home/....../boxjs/node_modules/vm2/lib/main.js:207:72)
    at Object. (/home/......./boxjs/analyze.js:294:4)
    at Module._compile (module.js:569:30)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:503:32)
    at tryModuleLoad (module.js:466:12)
    at Function.Module._load (module.js:458:3)
    at Function.Module.runMain (module.js:605:10)
```
@CapacitorSet do you have an idea?
Regards and thanks for the support!!