To better fight this type of evasion, we have added JS instrumentation to Joe Sandbox v20 (our upcoming release). What is instrumentation? Instrumentation is a technique that modifies a program before it runs, by inserting logging and trace code:
Instrumentation is extremely powerful since it features the following benefits:
- Trace of any variable such as strings, integers, etc.
- Trace of any function call, including full parameters
- Trace of any API call, including full parameters
- Modification of any variable, function call or function arguments
Finally, this allows us to detect and bypass evasions! Please note that full system emulation or inter-modular call tracing is not able to provide such insights. Only instrumentation covers that fine-grained access and tracing.
Detecting Dropper Behavior
Let us have a look at the sample 12PO #927476.js (MD5: b5b90ef6266f34b0eb4f9d3a9878a21e, full report):
An annotated call graph visualizes what code parts have been executed:
The main purpose of the anonymous function on line 10 is to return the string Wscrip.Shell. We can easily find URLs, domains and IPs in the output:
The sample checks if vbc.exe (Visual Basic Command Line Compiler) is installed, as well as which Antivirus software is installed:
Additionally, it also checks the serial number of the primary disk:
Detecting Evasive Behavior
Let us have a look at sample mal.js (SHA256: 206a351c718ae5e7737f6cc3866505e5de3cf10b44636a451b1506b0742d75d8, full report):
The sample is now detected as malicious. If we navigate to "Malware Analysis System Evasion" we find a detection for time-based evasions:
The execution coverage is very low (orange = executed):
For each signature, we can easily navigate to the data which triggered the signature:
Which jumps to:
This sample executes its payload only before 2017-09-28 09:52:05.
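The instrumentation idea from the introduction (trace every call with its full parameters, and modify return values on demand) applied to the time-gated behaviour just described, as an added example that is not Joe Sandbox code: host objects the sample touches are wrapped in Proxies, the sample logic, the `WScript.Shell` stand-in and the cut-off check are all constructed here, and `looksTimeGated` is a simplified stand-in for a real evasion signature.

```javascript
// Added example, not Joe Sandbox code: a minimal instrumentation harness that
// wraps the host objects a JS sample calls (a constructed stand-in for
// WScript.Shell and the Date constructor) in Proxies, so every call is logged
// with its full arguments and selected return values can be overridden.
const trace = [];  // ordered log of observed calls: { callee, args }

// Return a Proxy of `obj` whose function members log each call under `name`.
// `overrides` maps a member name to a replacement implementation.
function instrument(name, obj, overrides = {}) {
  return new Proxy(obj, {
    get(target, prop) {
      const member = target[prop];
      if (typeof member !== 'function') return member;
      return function (...args) {
        trace.push({ callee: `${name}.${String(prop)}`, args: args.map(String) });
        if (prop in overrides) return overrides[prop](...args);
        return member.apply(target, args);
      };
    },
  });
}

// Constructed stand-in for WScript.Shell; nothing is actually executed.
const fakeShell = { Run: (cmd) => `would run: ${cmd}` };

// Constructed sample logic modelled on the time-gated dropper above: the
// payload branch is taken only while the clock is before the cut-off date.
function runSample(shell, DateCtor) {
  const cutoff = DateCtor.parse('2017-09-28T09:52:05Z');
  if (DateCtor.now() >= cutoff) return 'idle';   // evasion branch
  return shell.Run('cmd /c payload.exe');        // payload branch
}

// Run the sample under instrumentation. With `pinnedNow` undefined the real
// clock is used; otherwise Date.now() is overridden to that epoch-ms value.
function analyse(pinnedNow) {
  trace.length = 0;
  const overrides = pinnedNow === undefined ? {} : { now: () => pinnedNow };
  const result = runSample(instrument('WScript.Shell', fakeShell),
                           instrument('Date', Date, overrides));
  return { result, calls: trace.map((t) => t.callee), trace: trace.slice() };
}

// Simplified signature: the sample read the clock but never reached a shell
// call, which is the pattern a time-based evasion check leaves in the trace.
function looksTimeGated(report) {
  return report.calls.includes('Date.now') && !report.calls.includes('WScript.Shell.Run');
}

console.log(analyse());                                    // evasion branch, flagged
console.log(analyse(Date.parse('2017-09-01T00:00:00Z')));  // payload branch exposed
```

The second run pins the clock before the cut-off, so the trace now contains the shell call with its full argument, which is exactly the data a sandbox needs to report the dropped command.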
Did you know that we also have instrumentation for Macro / VBA code in Microsoft Office documents? If not, check out our blog post about Generic VBA Instrumentation.