Jsunpackn
Description
Jsunpack-n is a command-line Javascript unpacker that has more or less the same features as the Web version of Jsunpack (http://jsunpack.jeek.org/).
Installation
Download jsunpackn
$ cd /data/src/
$ svn checkout http://jsunpack-n.googlecode.com/svn/trunk/ jsunpack-n-read-only
$ cd jsunpack-n-read-only/
Install dependencies
Packages
$ sudo aptitude install libpcap-dev
pynids
$ cd depends/pynids/
$ tar xzvf pynids-0.6.1.tar.gz
$ cd pynids-0.6.1/
$ python setup.py build
$ sudo python setup.py install
spidermonkey
$ cd depends/
$ tar xzvf js-1.8.0-rc1-src.tar.gz
$ cd js-1.8.0-rc1-src/
$ make BUILD_OPT=1 -f Makefile.ref
Then, make the 'js' binary available within your path:
$ echo 'export PATH="$PATH:/data/src/jsunpack-n-read-only/depends/js-1.8.0-rc1-src/Linux_All_OPT.OBJ/";' >> ~/.bashrc
$ . ~/.bashrc
Note
For more information about SpiderMonkey, refer to this page.
Yara
$ sudo aptitude install libpcre3 libpcre3-dev
$ cd depends/
$ tar xvfz yara-1.6.tar.gz
$ cd yara-1.6/
$ ./configure
$ make
$ sudo make install
$ sudo -s
# echo "/usr/local/lib" >> /etc/ld.so.conf
# exit
$ sudo ldconfig
Yara python
$ cd depends/
$ tar xvfz yara-python-1.6.tar.gz
$ cd yara-python-1.6/
$ python setup.py build
$ sudo python setup.py install
BeautifulSoup
$ cd depends/
$ tar xvfz BeautifulSoup-3.2.0.tar.gz
$ cd BeautifulSoup-3.2.0/
$ python setup.py build
$ sudo python setup.py install
pycrypto
$ cd depends/
$ tar xvfz pycrypto-2.4.1.tar.gz
$ cd pycrypto-2.4.1/
$ python setup.py build
$ sudo python setup.py install
python-yapgvb
$ sudo aptitude install python-yapgvb
python-magic
$ sudo aptitude install python-magic
Usage
Syntax
./jsunpackn.py [fileName]
./jsunpackn.py -i [interfaceName]
Options
- -h, --help: show this help message and exit
- -t TIMEOUT, --timeout=TIMEOUT: limit on number of seconds to evaluate JavaScript
- -r REDOEVALTIME, --redoEvalLimit=REDOEVALTIME: maximum evaluation time to allow processing of alternative version strings
- -m MAXRUNTIME, --maxRunTime=MAXRUNTIME: maximum running time (seconds; cumulative total). If exceeded, raise an alert (default: no limit)
- -f, --fast-evaluation: disables multiversion HTML and shellcode XOR handling to improve performance
- -u URLFETCH, --urlFetch=URLFETCH: actively fetch the specified URL (for a fully active fetch, use together with -a)
- -d OUTDIR, --destination-directory=OUTDIR: output directory for all suspicious/malicious content
- -c CONFIGFILE, --config=CONFIGFILE: configuration file path (default: options.config)
- -s, --save-all: save ALL original streams/files in the output directory
- -e, --save-exes: save ALL executable files in the output directory
- -a, --active: actively fetch URLs (only for use with pcap/file/url as input)
- -p PROXY, --proxy=PROXY: use a random proxy from this list (comma separated)
- -P CURRENTPROXY, --currentproxy=CURRENTPROXY: use this proxy and ignore the proxy list from --proxy
- -q, --quiet: limited output to stdout
- -v, --verbose: verbose mode displays the status of all files and decoding stages; without this option only detections are reported
- -V, --very-verbose: shows all decoding errors (noisy)
- -g GRAPHFILE, --graph-urlfile=GRAPHFILE: filename for the URL relationship graph, 60 URLs maximum due to library limitations
- -i INTERFACE, --interface=INTERFACE: live capture mode, use at your own risk (example: eth0)
- -D, --debug: (experimental) debugging option, do not delete temporary files
- -J, --javascript-decode-disable: (experimental) don't decode anything, if you want to just use the original contents
Examples
Example 1
Given a malicious PDF file:
$ file /mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514
/mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514: PDF document, version 1.3
This PDF is known to be malicious (Exploit:Win32/Pdfjsc.CR):
- http://jsunpack.jeek.org/?report=95cc7261bba7932a793bafc8d02956536b00fc41
- http://wepawet.iseclab.org/view.php?hash=aa0485b8619c4d2d9268cf40babd4514&type=js
- https://www.virustotal.com/fr/file/56d1b18e1d026cc335189c73a5075ead71cfcf4121ff8262bb3962db930c5da6/analysis/1362815493/
Let's analyze the file with jsunpackn:
$ ./jsunpackn.py -V /mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514
[suspicious:3] [PDF] /mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514
    info: [decodingLevel=0] JavaScript in PDF 201 bytes, with 87 bytes headers
    suspicious: getAnnots CVE-2009-1492 detected
    info: [decodingLevel=1] found JavaScript
    error: undefined variable p
    info: file: saved /mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514 to (./temp/files/original_d4fad5f994283e3c514dc7da19a38fe4dc173858)
    file: decoding_c688ebdc3219475eec714eec111e2a24604a599d: 288 bytes
    file: original_d4fad5f994283e3c514dc7da19a38fe4dc173858: 9607 bytes
Decoded files:
$ cat temp/files/original_d4fad5f994283e3c514dc7da19a38fe4dc173858
%PDF-1.3
%?ȴ?
1 0 obj<</Type/Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 6 0 R>>endobj
2 0 obj<</Type/Outlines/Count 0>>endobj
3 0 obj<</Type/Pages/Kids[4 0 R]/Count 1>>endobj
4 0 obj<</Type/Page /Annots[ 5 0 R ]/Parent 3 0 R/MediaBox [0 0 612 792]>>endobj
5 0 obj<</Type/Annot /Subtype /Text /Name /Comment/Rect[25 100 60 115] /Subj 8 0 R>>endobj
6 0 obj<</Type/Action/S/JavaScript/JS 7 0 R>>endobj
7 0 obj<</Length 158/Filter/FlateDecode>>
stream
x?-?A ?0^L???W???????? x???????`??]?!??}?%3H?9???pƒ?C0??vU?[B?d?????~?Y?Ш???V{X????Q??+wrB?o?? ?{?0qz?Ŏ?e??? [?Mj??^?????%Z?r???t?kJmO?L?:
[REMOVED]
$ cat temp/files/decoding_c688ebdc3219475eec714eec111e2a24604a599d | indent
c =[];
zzzpages.push (c);
this.numPages = zzzpages.length;
//jsunpack End PDF headers
var z;
var y;
z = y = app.doc;
y = 0;
z.syncAnnotScan ();
y = z;
var p = y.getAnnots ({ nPage:0 } );
var s = p[0].subject;
var l = s.replace (/z / g, '%');
s = unescape (l);
eval (s);
s = ;
z = 1;
Example 2
The Jsunpack-n tool also ships a pdf.py script that extracts and decompresses the JavaScript contained in PDF files. Here is an example.
$ tar xzvf samples.tgz
$ ./pdf.py samples/pdf-thisCreator.file
parsing samples/pdf-thisCreator.file
obj 1 0:
    tag Type (TAG)
    tag Catalog (TAG)
    tag Pages = 2 0 R (TAGVAL)
    tag Names = 3 0 R (ENDTAG)
obj 2 0:
    tag Type (TAG)
    tag Pages (TAG)
    tag Count = 1 (TAGVAL)
    tag Kids = 4 0 R ] (ENDTAG)
[REMOVED]
Found JavaScript in 111611 0 (697 bytes)
    children []
    tags [['TAG', 'Filter', ''], ['TAG', 'FlateDecode', ''], ['ENDTAG', 'Length', '142']]
    indata = <</Filter/FlateDecode/Length 142>>streamxJ*MI+6qN3PwsNI*JKSN.LKJ/K,RH'M-K22RKIr_"WZXA>RMT%(r=IzE9@3
Found JavaScript in 3 0 (0 bytes)
    children [['JavaScript', '5 0']]
    tags [['ENDTAG', 'JavaScript', '5 0 R ']]
    indata = <</JavaScript 5 0 R >>
Wrote JavaScript (9289 bytes -- 8592 headers / 697 code) to file samples/pdf-thisCreator.file.out
$ cat samples/pdf-thisCreator.file.out
info.creator = String('z6ez6fz70[REMOVED]6z22z2cz20z6ez75z6dz29z3b');
this.creator = info.creator;
//jsunpack End PDF headers
/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/ var b/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/=/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/this.creator;
/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/ var a/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/=/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/unescape(/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/b/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/);
/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/ eval(/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/unescape(/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/this.creator.replace(/z/igm,'%')/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/)/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/);
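As an added example (not code from the Jsunpack-n project), the script below does in miniature what Example 1 and Example 2 show jsunpackn.py and pdf.py doing: it follows an indirect /JS reference in a PDF, inflates the FlateDecode stream, and then statically peels the z-for-% unescape layer that both samples use, without ever calling eval. The PDF, the object numbers and the benign payload are all constructed inline; the helper names are my own.

```python
import re
import zlib
from urllib.parse import unquote

# Constructed benign sample: FlateDecode /JS stream using the page's "z for %" trick.
INNER_JS = "app.alert('decoded');"
Z_ESCAPED = "".join("z%02x" % c for c in INNER_JS.encode("latin-1"))
OUTER_JS = "var s = '%s';\neval(unescape(s.replace(/z/igm,'%%')));" % Z_ESCAPED

def build_pdf(js: str) -> bytes:
    """Catalog -> /OpenAction -> /JavaScript action -> compressed /JS stream."""
    data = zlib.compress(js.encode("latin-1"))
    return (b"%PDF-1.3\n"
            b"1 0 obj<</Type/Catalog/OpenAction 6 0 R>>endobj\n"
            b"6 0 obj<</Type/Action/S/JavaScript/JS 7 0 R>>endobj\n"
            b"7 0 obj<</Length " + str(len(data)).encode() + b"/Filter/FlateDecode>>\n"
            b"stream\n" + data + b"\nendstream\nendobj\n%%EOF\n")

SAMPLE_PDF = build_pdf(OUTER_JS)
OBJ_RE = re.compile(rb"(\d+) \d+ obj(.*?)endobj", re.S)
JSREF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
ZSTR_RE = re.compile(r"'((?:[zZ][0-9a-fA-F]{2})+)'")

def extract_js(pdf: bytes) -> list:
    """Follow each indirect /JS reference (the form pdf.py reports) and inflate it."""
    objs = {m.group(1): m.group(2) for m in OBJ_RE.finditer(pdf)}
    scripts = []
    for body in objs.values():
        ref = JSREF_RE.search(body)
        target = objs.get(ref.group(1)) if ref else None
        stream = STREAM_RE.search(target) if target else None
        if not stream:
            continue
        raw = stream.group(1)
        if b"/FlateDecode" in target:
            raw = zlib.decompress(raw)
        scripts.append(raw.decode("latin-1"))
    return scripts

def decode_zescape(js: str, max_depth: int = 8) -> list:
    """Statically undo s.replace(/z/igm,'%') + unescape(), one layer per entry, no eval."""
    layers = [js]
    for _ in range(max_depth):
        m = ZSTR_RE.search(layers[-1])
        if not m:
            break
        # unescape() maps %XX to one byte; latin-1 keeps that for bytes above 0x7f
        layers.append(unquote(re.sub("[zZ]", "%", m.group(1)), encoding="latin-1"))
    return layers
```

Each entry of the list returned by decode_zescape corresponds to one decodingLevel in the jsunpackn.py output; the real samples differ only in where the z-escaped string is stored (an annotation subject, or the /Info /Creator field).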