
Joe Security's Blog

Deep JavaScript Tracing: Unleashing Advanced Phishing Detection

Published on: 31.01.2024



In this blog post, we are introducing JavaScript tracing, a new technology we recently added to Joe Sandbox Cloud, that makes our platform even better at spotting and analyzing complex phishing attacks.




Joe Sandbox already has a rich set of technologies for phishing detection, including image recognition, OCR, DOM-based signatures and many more. What has been missing, however, is the capability for deep analysis of the JavaScript executed within the web browser. Most phishing pages use JavaScript for obfuscation and for hiding key elements, so JavaScript traces are a gold mine for detection artifacts.


Enhancing Web Page Inspection: The Power of JavaScript Tracing 


With Joe Sandbox v39 Ruby we have implemented stealth JavaScript tracing within the Chrome web browser. Cloud Pro customers can enable JavaScript Tracing in the Code Analysis section of the submission page:



With tracing enabled, Joe Sandbox can now log function calls with their parameters, as well as object getters, setters and instantiations.

 




Malware analysts can download the full JavaScript trace from the report overview page and dig into all the tracing details:




Why It's a Game-Changer: From Obfuscation to Clarity


JavaScript Tracing also significantly boosts Joe Sandbox's capacity to analyze phishing attacks in depth. Phishing sites often employ complex obfuscation techniques to conceal their malicious intent. With this technology, analysts can uncover and understand these tactics, such as dynamic HTML content decoding and script injection. This capability not only improves detection rates but also provides analysts with detailed, human-readable reports for further analysis.

Let's take a recent HTML file which is sent to victims as an e-mail attachment. The content is hard to understand because it uses atob-array obfuscation: the page is stored as an array of base64 chunks that are decoded with atob() and joined at runtime.






Antivirus detection is very low:






If we run that HTML sample in Joe Sandbox with JavaScript tracing enabled, however, we get several interesting signature hits:





The signature overview shows the data passed to document.write(). Thanks to the trace log we can take a closer look at that data:
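To illustrate what such a trace captures for the atob-array sample above, here is an added example (written for this post, not Joe Sandbox's own tracer, which runs stealthily inside Chrome): it hooks atob() and document.write() on stand-in window/document objects, runs a constructed atob-array sample under Node.js, and applies a decode-then-write signature over the resulting trace log.

```javascript
// Added example (not Joe Sandbox's tracer): a minimal call tracer in the
// spirit of the JavaScript tracing described above, run against a
// constructed atob-array sample under Node.js (v16+ for the global atob).
const trace = []; // the trace log: one entry per hooked call

// Replace target[name] with a wrapper that records the arguments and the
// return value of every call, then forwards to the original function.
function hook(target, name, label) {
  const original = target[name];
  target[name] = function (...args) {
    const result = original.apply(this, args);
    trace.push({ fn: label, args: args.map(String), result: String(result) });
    return result;
  };
}

// Constructed stand-ins for the browser's document and window objects; the
// sample only needs document.write() and atob(). In a browser the hooks
// would wrap the real ones (Buffer fallback covers older Node versions).
const doc = { html: '', write(s) { this.html += s; } };
const win = { atob: globalThis.atob || (b => Buffer.from(b, 'base64').toString('binary')) };

hook(win, 'atob', 'window.atob');
hook(doc, 'write', 'document.write');

// Constructed sample imitating atob-array obfuscation: the page is split
// into base64 chunks that are decoded and joined at runtime, then written.
const chunks = [
  'PGh0bWw+PGhlYWQ+',                   // "<html><head>"
  'PHRpdGxlPlNpZ24gaW48L3RpdGxlPg==',   // "<title>Sign in</title>"
  'PC9oZWFkPjwvaHRtbD4=',               // "</head></html>"
];
function runSample() {
  doc.write(chunks.map(c => win.atob(c)).join(''));
  return doc.html; // what the browser would actually render
}

// Signature over the trace: document.write() received data that was
// produced by atob() earlier in the same trace (decode-then-write).
function signatureAtobToWrite(log) {
  const decoded = log.filter(e => e.fn === 'window.atob').map(e => e.result);
  return log.some(e => e.fn === 'document.write' &&
                       decoded.some(d => d.length > 0 && e.args[0].includes(d)));
}

// Rendering the trace as text (as the downloadable log does) exposes the
// decoded page in clear, even though the sample itself only holds base64.
function dumpTrace() {
  return trace.map(e => `${e.fn}(${e.args.join(', ')}) -> ${e.result}`).join('\n');
}
```

Calling runSample() and then dumpTrace() prints the three atob() results followed by the full decoded HTML handed to document.write(), which is exactly the artifact the signature above keys on.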




Based on this finding, we see that the final page is most likely phishing for Microsoft credentials, since it loads the favicon from Microsoft. This is confirmed by the image recognition engine:






Conclusion



Thanks to JavaScript tracing, analysts get a very deep view into the execution of JavaScript running in a web browser. The tracing boosts detection precision and provides additional insights, such as which obfuscations are used, which evasion tactics are employed, and the general behavior of malicious JavaScript code.

Analysts can enable JavaScript tracing in the Code Analysis section of the submission page. The tracing log can be downloaded from the analysis detail page.

JavaScript tracing is available in Joe Sandbox Cloud v39 Ruby. 

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!