A Node.js-based sandbox for semi-automatic JavaScript malware analysis, deobfuscation, and payload extraction.
Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction, written for Node.js.
malware-jail is designed for security researchers and analysts to safely analyze and deobfuscate JavaScript malware by simulating Windows Scripting Host and partial browser environments. It enables extraction of malicious payloads and enumeration of remote URLs, facilitating deeper understanding and investigation of JavaScript-based malware.
Exercise caution when analyzing real malware: it may attempt to escape the sandbox and harm the host system, so run malware-jail from an unprivileged Linux user account or within a virtualized Windows environment. The tool is not yet available as an npm package and requires manual installation. The included Angler exploit kit samples are not disarmed.
Ensure Node.js (version >= 6.x) and npm are installed
Clone the repository: git clone https://github.com/HynekPetrak/malware-jail.git
Change directory: cd malware-jail
Install dependencies using npm: npm install
node jailme.js -h -b list
Displays help and lists the supported browser environment types
node jailme.js [-e file1] [-e file2] .. [-c ./config.json] [-o ofile] [-b id] [-s odir] [--down] [malware1 [malware2] .. ]
Runs the sandbox with specified options including environment simulation files, config, output file, browser type, output directory, and malware scripts
--t404
Configures HTTP requests to always return HTTP/404 and throw exceptions, enabling enumeration of all remote URLs
--h404
Configures HTTP requests to always return HTTP/404 without throwing exceptions, enabling enumeration of all remote URLs
-t msecs
Limits malware execution time to specified milliseconds (default 60 seconds)
--trace
Prints stack trace with every log line for detailed debugging
--down
Allows downloading malware payloads from remote servers during analysis