A utility to analyze malicious JavaScript.

Installation

Simply install box-js from npm:

    npm install box-js --global

Usage

Looking to use box-js with Cuckoo? Use cuckoo-package.py as an analysis package.

Let's say you have a sample called sample.js: to analyze it, simply run

    box-js sample.js

Chances are you will also want to download any payloads; use the flag --download to enable downloading. Otherwise, the engine will simulate a 404 error, so that the script will be tricked into thinking the distribution site is down and contacting any fallback sites.

Box.js will emulate a Windows JScript environment, print a summary of the emulation to the console, and create a folder called sample.js.results (if it already exists, it will create sample.js.1.results and so on). This folder will contain:

- analysis.log, a log of the analysis as it was printed on screen;
- a series of files identified by UUIDs;
- snippets.json, a list of pieces of code executed by the sample (JavaScript, shell commands, etc.);
- urls.json, a list of URLs contacted;
- active_urls.json, a list of URLs that seem to drop active malware;
- resources.json, the ADODB streams (i.e. the files that the script wrote to disk) with file types and hashes;
- IOC.json, a list of behaviours identified as IOCs (Indicators of Compromise). These include registry accesses, written files, HTTP requests and so on.

You can analyze these by yourself, or you can automatically submit them to Malwr, …
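A triage sketch for the results folder described above, as an added example that is not part of box-js: it picks the newest sample.js[.N].results folder and groups the URLs from urls.json by host, flagging those also listed in active_urls.json and defanging them for a report. It assumes both files are JSON arrays of URL strings; the function names and the sample URLs are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


def latest_results_dir(sample):
    """Newest results folder: sample.js.results, sample.js.1.results, ..."""
    pattern = re.compile(re.escape(sample.name) + r"(?:\.(\d+))?\.results")
    found = [(int(m.group(1) or 0), d) for d in sample.parent.iterdir()
             if d.is_dir() and (m := pattern.fullmatch(d.name))]
    return max(found, key=lambda f: f[0])[1] if found else None


def load_list(path):
    """Read a JSON array of strings (assumed schema); missing file = empty."""
    data = json.loads(path.read_text(encoding="utf-8")) if path.is_file() else []
    return [u for u in data if isinstance(u, str)] if isinstance(data, list) else []


def defang(text):
    """Make a URL or host non-clickable before it goes into a report."""
    return text.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(results_dir):
    """Group contacted URLs by host; flag hosts present in active_urls.json."""
    active = set(load_list(results_dir / "active_urls.json"))
    hosts = {}
    for url in dict.fromkeys(load_list(results_dir / "urls.json")):  # dedupe
        try:
            host = urlsplit(url).hostname or "(no host)"
        except ValueError:  # malformed URL emitted by the sample
            host = "(unparsed)"
        rec = hosts.setdefault(defang(host), {"active": False, "urls": []})
        rec["active"] = rec["active"] or url in active
        rec["urls"].append(defang(url))
    return hosts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data
        out = Path(tmp) / "sample.js.1.results"
        out.mkdir()
        (out / "urls.json").write_text('["http://a.example.test/x", "http://b.example.test/x"]')
        (out / "active_urls.json").write_text('["http://b.example.test/x"]')
        for host, rec in triage(latest_results_dir(Path(tmp) / "sample.js")).items():
            print("ACTIVE" if rec["active"] else "seen  ", host, rec["urls"])
```

The folder number is compared numerically, so sample.js.10.results is chosen over sample.js.2.results.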