Thursday, October 5, 2017

Generic JS Instrumentation

Attackers are constantly changing their tactics and procedures in order to find new containers for delivering and executing code on endpoints. Besides VBA in Microsoft Office documents, Javascript files are a very popular infection vector.

Why? In contrast to VBA, Javascript offers many constructs for advanced obfuscation.

Obfuscation often ends in an eval() of a string that holds the real code, assembled through computations that are extremely hard to follow statically. Because Javascript also runs in the browser, endpoint protection solutions have to be careful: each false positive (FP) could have a big impact. Given this complexity, it is hard to reliably detect malicious JS files.

Javascript files are often just droppers that download a second-stage malware. However, we have recently seen an increase in evasive Javascript files, crafted to prevent analysis and execution in sandboxes.

JS Instrumentation

To better fight this type of evasion, we have added JS instrumentation to Joe Sandbox v20 (our upcoming release). What is instrumentation? Instrumentation is a technique that modifies a program before runtime by inserting logging and trace code.

Instrumentation is extremely powerful since it offers the following benefits:

  • Trace of any variable such as strings, integers etc.
  • Trace of any function call, including full parameters
  • Trace of any API call, including full parameters
  • Modification of any variable, function call or function arguments

Finally, this allows us to detect and bypass evasions! Please note that neither full system emulation nor inter-modular call tracing is able to provide such insights. Only instrumentation offers this fine-grained access and tracing.

So how does Javascript instrumentation work internally? We have developed a full Javascript parser (a complex undertaking). The parser understands the complete semantics of the code and generates an abstract syntax tree (AST). Inserting the new code at the AST level, rather than into the raw text, ensures that the instrumented program still runs correctly.
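The parse-and-insert idea at its smallest, as an added example that is not Joe Sandbox's code: a script is rewritten before it runs so that every named function reports its arguments on entry and every eval() reports the decoded string it is about to execute. Instead of a full parser and AST it uses a regular expression plus a parenthesis scanner, which is enough for the constructed dropper-style sample below; the hook names (`__hooks.enter`, `__hooks.beforeEval`), the helper names and the sample itself are assumptions made for this example.

```javascript
// Added example (not Joe Sandbox code): a miniature source-to-source
// instrumentation pass. Before the script runs, it inserts a trace call at
// the entry of every named function and routes every eval() argument
// through a hook, so decoded strings are logged before they execute.
// Joe Sandbox works on an AST; this toy uses a regular expression plus a
// parenthesis scanner, which is enough for the constructed sample below.

const trace = [];

// Hooks the instrumented code calls. They are passed in explicitly so the
// sample only reaches them through the `__hooks` parameter.
const hooks = {
  enter(name, args) { trace.push({ kind: 'call', name, args: Array.from(args) }); },
  beforeEval(src) { trace.push({ kind: 'eval', src }); return src; }, // return so eval still runs
};

// Replace each `callee(<args>)` with `<open><args><close>`, scanning to the
// matching ')' (the constructed sample has no parentheses inside strings).
function wrapCalls(source, callee, open, close) {
  const re = new RegExp('\\b' + callee + '\\s*\\(', 'g');
  let out = '', last = 0, m;
  while ((m = re.exec(source)) !== null) {
    const start = m.index + m[0].length;
    let depth = 1, j = start;
    while (j < source.length && depth > 0) {
      if (source[j] === '(') depth++;
      else if (source[j] === ')') depth--;
      j++;
    }
    out += source.slice(last, m.index) + open + source.slice(start, j - 1) + close;
    last = j;
    re.lastIndex = j;
  }
  return out + source.slice(last);
}

function instrument(source) {
  // 1. `function name(...) {` becomes `function name(...) { __hooks.enter("name", arguments);`
  const withEntry = source.replace(
    /function\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)\s*\{/g,
    (m, name) => `${m} __hooks.enter(${JSON.stringify(name)}, arguments);`);
  // 2. `eval(x)` becomes `eval(__hooks.beforeEval(x))`; direct eval keeps the local scope
  return wrapCalls(withEntry, 'eval', 'eval(__hooks.beforeEval(', '))');
}

// Run a script under instrumentation and return the collected trace.
function run(source) {
  trace.length = 0;
  new Function('__hooks', instrument(source))(hooks);
  return trace.slice();
}

// Pull URLs out of whatever the trace captured (arguments, eval strings).
function findUrls(events) {
  const found = JSON.stringify(events).match(/https?:\/\/[^\s'")\\]+/g) || [];
  return [...new Set(found)];
}

// Constructed dropper-style sample: the URL only exists after k() shifts
// every character of `enc` back by 3, and the result is handed to eval().
const DROPPER_SAMPLE = `
function k(s) { var o = ''; for (var i = 0; i < s.length; i++) o += String.fromCharCode(s.charCodeAt(i) - 3); return o; }
function go(u) { return 'fetch ' + u; }
var enc = 'jr+*kwws=22h{dpsoh1lqydolg2v*,';
eval(k(enc));
`;

// Demo run; an analysis pipeline would call run() and findUrls() directly.
const demoEvents = run(DROPPER_SAMPLE);
demoEvents.forEach(e => console.log(JSON.stringify(e)));
console.log('URLs:', findUrls(demoEvents));
```

Static inspection of the sample shows only a shifted string; the trace shows the call to k() with its argument, the decoded `go('http://example.invalid/s')` handed to eval, and then the entry of go() with the plain URL as its argument.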

The Javascript instrumentation can easily be enabled or disabled on Joe Sandbox's submission page.

Detecting Dropper Behavior

Let us have a look at the sample 12PO #927476.js (MD5: b5b90ef6266f34b0eb4f9d3a9878a21e, full report).

In the report, you find the Javascript instrumentation data in the Disassembly section.

An annotated call graph visualizes which code parts have been executed.

Right below, you find the Javascript code on the left side and the dynamic data on the right side.

The main purpose of the anonymous function on line 10 is to return the string Wscrip.Shell. With the traced values visible, URLs, domains and IPs are easy to find in the output.

The sample checks whether vbc.exe (the Visual Basic command-line compiler) is installed, as well as which antivirus software is installed.

Additionally, it checks the serial number of the primary disk.

Finally, the Javascript file is copied to the user's startup directory, so the payload is executed each time the system reboots.

Detecting Evasive Behavior

Let us have a look at the sample mal.js (SHA256: 206a351c718ae5e7737f6cc3866505e5de3cf10b44636a451b1506b0742d75d8, full report).

Mal3.js was uploaded to Joe Sandbox Cloud Basic and analyzed without Javascript instrumentation. The verdict was "clean" and no interesting behavior was found.

Let's turn on Javascript instrumentation and analyze the sample again (full analysis report).

The sample is now detected as malicious. Navigating to "Malware Analysis System Evasion" shows a detection for time-based evasion.

The execution coverage is very low (orange = executed).

For each signature, we can easily navigate to the data that triggered it, which jumps straight to the instrumentation output.

This sample executes its payload only before 2017-09-28 09:52:05.
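The time check just described, reproduced as an added example that is not Joe Sandbox's code: the script runs under a shadowing Date class that logs each clock read and each hard-coded time, with "now" chosen by the analyst. Re-running with the clock set just before and just after each hard-coded time shows whether the executed path depends on the date and recovers the threshold. The function names, the `__hooks.mark` coverage marker and the constructed sample (modelled on the deadline quoted above) are assumptions made for this example.

```javascript
// Added example (not Joe Sandbox code): detecting a time-based evasion by
// instrumenting the clock. The sample runs under a shadowing Date class that
// (a) logs every clock read, (b) logs every hard-coded time the script
// constructs, and (c) lets the analyst decide what "now" is. Re-running the
// script with the clock set just before and just after each hard-coded time
// reveals whether behaviour depends on the date, and what the threshold is.

// Execute `source` with the clock frozen at `clockMs`; return the event log.
function analyze(source, clockMs) {
  const events = [];
  const hooks = { mark: (name) => events.push({ kind: 'exec', name }) }; // coverage marker
  class TracedDate extends Date {
    constructor(...args) {
      if (args.length === 0) {           // `new Date()`: a clock read, served from clockMs
        super(clockMs);
        events.push({ kind: 'clock', ms: clockMs });
      } else {                           // `new Date('2017-...')`: a hard-coded time
        super(...args);
        events.push({ kind: 'fixed', ms: this.getTime() });
      }
    }
    static now() { events.push({ kind: 'clock', ms: clockMs }); return clockMs; }
  }
  // `Date` is a parameter of the wrapper, so the script's `Date` resolves to the traced one.
  new Function('Date', '__hooks', source)(TracedDate, hooks);
  return events;
}

// The executed path as a string, e.g. "drop" or "idle", for easy comparison.
const execPath = (events) => events.filter(e => e.kind === 'exec').map(e => e.name).join(',');

// Baseline run at the real clock, then probe each hard-coded time from both sides.
function detectTimeEvasion(source, realClockMs) {
  const baseline = analyze(source, realClockMs);
  const clockReads = baseline.filter(e => e.kind === 'clock').length;
  const fixedTimes = [...new Set(baseline.filter(e => e.kind === 'fixed').map(e => e.ms))];
  const findings = [];
  if (clockReads > 0) {                  // no clock read, no time-based decision possible
    for (const t of fixedTimes) {
      const before = execPath(analyze(source, t - 1000));
      const after = execPath(analyze(source, t + 1000));
      if (before !== after) findings.push({ thresholdIso: new Date(t).toISOString(), before, after });
    }
  }
  return { clockReads, baseline: execPath(baseline), findings };
}

// Constructed sample modelled on the behaviour described above: the payload
// only runs while the clock is before a hard-coded deadline.
const TIMED_SAMPLE = `
var deadline = new Date('2017-09-28T09:52:05Z');
function drop() { __hooks.mark('drop'); }
function idle() { __hooks.mark('idle'); }
if (new Date() < deadline) { drop(); } else { idle(); }
`;

console.log(JSON.stringify(detectTimeEvasion(TIMED_SAMPLE, Date.now()), null, 2));
```

Run today, the baseline path is "idle" and coverage looks as empty as in the uninstrumented analysis; the probes show "drop" one second before the deadline and "idle" one second after, which both flags the evasion and names the date, and setting the clock back lets the payload path be traced in full.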

Final Words

With Javascript instrumentation, security analysts and incident responders get a unique and powerful technology for deeply analyzing malicious Javascript. In addition, it enables Joe Sandbox to detect and circumvent evasions that other platforms miss. Javascript instrumentation offers fine-grained tracing and access that full system emulation and inter-modular tracing cannot provide.

Did you know that we also have instrumentation for Macro / VBA code in Microsoft Office documents? If not, check out our blog post about Generic VBA Instrumentation.

Looking to test Javascript instrumentation? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!