A Small JavaScript Triage Tool

jsasst.py v1.0 (beta)

1. Introduction

Malicious JavaScript code that is obfuscated and large in size is difficult to read and understand. Sound deobfuscation practices and techniques make these scripts easier to read, but even after deobfuscation the malware author's intentional use of misleading statements, combined with long and oddly named variables, usually remains. The result is code littered with these constructs, whose purpose is to slow down the security analyst trying to understand the script's true intention.

To somewhat alleviate these hindrances put in place by malware authors, and to reduce the time taken to read and understand a script's capabilities, I decided to build a tool that automates a few of the manual tasks involved in reviewing malicious JavaScript code (i.e. after deobfuscation), such as scanning for script elements that can indicate the script's capabilities.

I am aware that there are several tools that assist in understanding a script's capabilities through script emulation and execution; with this tool, however, I am focusing purely on reading and analyzing code (no execution/emulation). This tool is meant to assist the reverse engineer/cyber security expert by adding to their array of tools and enabling them to get a quicker handle on the capabilities of the JavaScript file, thereby supporting their overall DFIR efforts.

Side note: I am sure that there are other tools that do what I tried to achieve (I must admit that I did not research it to find out); this is simply my attempt at assisting the broader community. In addition, I am still testing it, so there may be a few bugs. Back up the original script before using this tool, to be safe.

2. jsasst Overview

The following tasks are automated (based on your selected usage argument):

  • Rename weird variable names to a name that you specify (you provide the prefix and the tool will append an integer value to it)
  • Identify suspicious elements (the tool uses the lookup list to accomplish this, i.e. the se_list.txt file that you can edit/update)
  • Identify URLs and file names within the script
  • Identify misleading tuple structures in the script

The jsasst.py tool is run within a Linux terminal window.  The following arguments can be used with the tool:

A summarized list of each argument and how it can be used is displayed in the table below:

3. jsasst Setup/Installation

NOTE: This tool requires python3 to be installed.

Step 1:  Download the jsasst.py and se_list.txt files from github at https://github.com/nvzavi/jsasst

Step 2:  Copy jsasst.py to /usr/local/bin and make it executable (chmod +x jsasst.py)

Step 3:  Copy se_list.txt to /usr/share/remnux (I am testing on a REMnux VM). You can adjust this path in the code; simply find the comment that highlights this (see code snippet below).

Step 4:  Review/update the se_list.txt file to enable the tool to identify the elements that you deem noteworthy.  To do so, simply navigate to the folder in which the file is placed >> open the file and update it.  Note that the format for each entry is as follows:  keyword: short description

Below is a screenshot of the se_list.txt file.

4. jsasst Walkthrough

4.1 Help Window

Use the -h argument to display the help window

4.2 Update variable names

To rename the long or difficult to read variable names, simply use the -d and -v arguments as shown in the image below. Note the following:

-d specifies the file to which the updated contents will be saved,

-v specifies the variable name to which all of the script's variables will be renamed (an incremented integer value is added to the end of the variable name)

Below is a sample output (before and after running jsasst with -d and -v)

Before

After

Note that the new variable name will appear everywhere in the file wherever it is used.
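As an added illustration of the -d/-v behaviour (this is example code written for this post, not the jsasst.py source), the following Python snippet collects every name introduced by var/let/const or a named function, assigns each one your prefix plus a running integer in order of first declaration, and rewrites the name everywhere it is used. It goes slightly beyond a plain find-and-replace in that string literals and property names (obj.name) are left untouched, which avoids corrupting string payloads the script may carry. The sample script and the prefix are constructed for the example.

```python
import re

# Added example (not the jsasst.py code): rename every declared JavaScript
# variable or function to <prefix><n>, numbered in order of first declaration,
# and apply the new name everywhere it is used outside string literals.

# Names introduced by var/let/const declarations or named function statements.
DECL_RE = re.compile(r"\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)")

# One token at a time: a single- or double-quoted string literal (kept intact),
# an identifier (capture group 1), or any other single character.
TOKEN_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|([A-Za-z_$][\w$]*)|.""",
    re.DOTALL,
)


def build_rename_map(js_source, prefix):
    """Map each declared name to prefix + running integer, e.g. var_1, var_2."""
    mapping = {}
    for match in DECL_RE.finditer(js_source):
        name = match.group(1)
        if name not in mapping:
            mapping[name] = f"{prefix}{len(mapping) + 1}"
    return mapping


def rename_variables(js_source, prefix):
    """Return (renamed_source, mapping); the mapping lets you read old names back."""
    mapping = build_rename_map(js_source, prefix)

    def replace(match):
        ident = match.group(1)
        if ident is None:
            return match.group(0)          # string literal or punctuation: untouched
        if match.start() > 0 and js_source[match.start() - 1] == ".":
            return ident                   # property access (obj.name): not a variable
        return mapping.get(ident, ident)

    return TOKEN_RE.sub(replace, js_source), mapping


# Constructed sample with the kind of noisy names the post describes.
SAMPLE_JS = """var QqZxWwAbCd = "hello";
var pLmNoPqRsTu = QqZxWwAbCd.length;
function aBcDeFgHiJk(n) { return n + pLmNoPqRsTu; }
console.log(aBcDeFgHiJk(1), "QqZxWwAbCd stays inside this string");
"""

if __name__ == "__main__":
    renamed, mapping = rename_variables(SAMPLE_JS, "var_")
    for old, new in mapping.items():
        print(f"{old} -> {new}")
    print(renamed)
```

Keep the printed mapping alongside the rewritten file: once the names are var_1, var_2, ... you will want to trace a suspicious call back to the original identifier. The tokenizer is deliberately minimal (comments and regex literals are not recognised as such), so review the output rather than trusting it blindly.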

4.3 Identify suspicious elements

To identify any suspicious elements, simply use the -e argument (as shown in the image below). Note that the jsasst tool scans the JavaScript file for every element listed in the se_list.txt file.

Below is a sample output:

The output of the tool can also be sent to a text file using the > (greater than) symbol. See below image:
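To show how an se_list.txt-style lookup drives the -e scan, here is an added Python example (written for this post; it is not the jsasst.py code and its matching rules are an assumption about, not a description of, the tool). It parses the "keyword: short description" format from section 3, then reports every line of a script containing a keyword, matching whole tokens only so that "eval" does not fire on "retrieval". The lookup list and the sample script are constructed for the example.

```python
import re

# Added example (not the jsasst.py code): parse an se_list.txt-style lookup
# list ("keyword: short description" per line) and report every line of a
# script that contains one of the keywords as a whole token.

# Constructed lookup list in the se_list.txt format described in the post.
SE_LIST_TEXT = """
eval: executes a string as code
ActiveXObject: instantiates a COM object from script (Windows Script Host)
unescape: decodes %XX-encoded text, often used to unpack payloads
String.fromCharCode: builds a string from character codes
"""


def parse_se_list(text):
    """Return [(keyword, description), ...]; blank lines and lines without ':' are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        keyword, _, description = line.partition(":")
        entries.append((keyword.strip(), description.strip()))
    return entries


def find_suspicious_elements(js_source, entries):
    """Scan line by line; a keyword hits only as a whole token ('eval' does not hit 'retrieval')."""
    compiled = [
        (re.compile(r"(?<![\w$])" + re.escape(keyword) + r"(?![\w$])"), keyword, description)
        for keyword, description in entries
    ]
    hits = []
    for lineno, line in enumerate(js_source.splitlines(), 1):
        for pattern, keyword, description in compiled:
            if pattern.search(line):
                hits.append({"line": lineno, "keyword": keyword,
                             "description": description, "snippet": line.strip()})
    return hits


def count_by_keyword(hits):
    """Tally hits per keyword for a quick overview of the script."""
    counts = {}
    for hit in hits:
        counts[hit["keyword"]] = counts.get(hit["keyword"], 0) + 1
    return counts


# Constructed sample script (the %XX text decodes to "alert").
SAMPLE_JS = """var s = unescape("%61%6c%65%72%74");
var retrieval = 1;
var fso = new ActiveXObject("Scripting.FileSystemObject");
eval(s + "(1)");
"""

if __name__ == "__main__":
    entries = parse_se_list(SE_LIST_TEXT)
    hits = find_suspicious_elements(SAMPLE_JS, entries)
    for hit in hits:
        print(f"line {hit['line']:>3}  {hit['keyword']:<20} {hit['description']}")
        print(f"           {hit['snippet']}")
    print(count_by_keyword(hits))
```

The description column is what makes the lookup list worth curating: a hit on unescape next to a hit on eval tells you to look for a packed string that is decoded and then executed, which is exactly the pattern you want to spot in triage before spending time on the rest of the file.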

4.4 Identify URLs and Files

To identify any URLs or files that may be contained within the JavaScript file, simply use the -u argument (as shown in the image below). The jsasst tool will scan the JavaScript file and display the results in the terminal window.

Below is a sample output:

The output of the tool can also be sent to a text file using the > (greater than) symbol. See below image:

4.5 Misleading tuples

In JavaScript, if a parenthesised, comma-separated list of values (a "tuple") is assigned to a variable, the variable receives only the last value: JavaScript has no tuple type, and the comma operator evaluates each operand in turn and yields the last one. For example, if TempVar = (1,2,3,4,"eval"), then TempVar = "eval". The jsasst tool will scan the JavaScript file for assignments of this form and display the results in the terminal window. To identify the misleading tuples, use the -t argument (as shown in the image below).

Below is a sample output:

Note that the output has two columns, namely the Starting Position column, which indicates the starting character position of the structure in the file, and the Code Snippet column, which is an extract of the code depicting the structure that was found.

The output of the tool can also be sent to a text file using the > (greater than) symbol. See below image:
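The -u and -t scans of sections 4.4 and 4.5 are both pattern searches that report where in the file something was found. The added Python example below (written for this post; not the jsasst.py code, and the regular expressions are my own assumptions rather than the tool's) implements both: a URL and file-name scan, and a scan for name = (a, b, ..., z) assignments, each reported with the Starting Position and Code Snippet columns described above. It goes one step further than the post for tuples by also extracting the last operand, i.e. the value that the comma operator actually assigns. The sample script, the extension list and the URL (on the reserved .invalid domain) are constructed.

```python
import re

# Added example (not the jsasst.py code): regex scans for URLs, file names and
# comma-operator "tuples", each reported with its starting character position
# and the matched snippet, like the two-column output described in the post.

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)

# A bare file name with one of these extensions (constructed list; extend as needed).
FILE_RE = re.compile(
    r"\b[\w\-]+\.(?:exe|dll|js|vbs|ps1|bat|cmd|hta|zip|txt)\b", re.IGNORECASE)

# name = ( a, b, ..., z ): JavaScript's comma operator evaluates every operand
# and yields the last one, so only z is actually assigned.
TUPLE_RE = re.compile(r"(?<![\w$])[A-Za-z_$][\w$]*\s*=\s*\((?:[^()]*,)+[^()]*\)")


def scan(js_source, pattern, kind):
    """Every match of pattern as {kind, start (character offset), snippet}."""
    return [{"kind": kind, "start": m.start(), "snippet": m.group(0)}
            for m in pattern.finditer(js_source)]


def find_urls_and_files(js_source):
    return scan(js_source, URL_RE, "url") + scan(js_source, FILE_RE, "file")


def find_misleading_tuples(js_source):
    rows = []
    for row in scan(js_source, TUPLE_RE, "tuple"):
        snippet = row["snippet"]
        inner = snippet[snippet.index("(") + 1:-1]
        # Effective value: the last comma-separated operand (naive split; a
        # comma inside a quoted operand would need a real tokenizer).
        row["effective"] = inner.split(",")[-1].strip()
        rows.append(row)
    return rows


def summary_report(js_source):
    """Starting Position / Kind / Code Snippet table, ordered by position."""
    rows = find_urls_and_files(js_source) + find_misleading_tuples(js_source)
    rows.sort(key=lambda r: r["start"])
    lines = [f"{'Starting Position':>17}  {'Kind':<5}  Code Snippet"]
    for r in rows:
        extra = f"   -> assigns {r['effective']}" if r["kind"] == "tuple" else ""
        lines.append(f"{r['start']:>17}  {r['kind']:<5}  {r['snippet']}{extra}")
    return "\n".join(lines)


# Constructed sample script; example.invalid is a reserved, non-resolving domain.
SAMPLE_JS = """var TempVar = (1, 2, 3, 4, "eval");
var src = "http://example.invalid/update/payload.js";
var name = "dropped_file.exe";
var fn = (window, document, "unescape");
"""

if __name__ == "__main__":
    print(summary_report(SAMPLE_JS))
```

A file name that sits inside a URL (payload.js above) is reported twice, once as part of the URL and once on its own; that is intentional, since the bare name is what you would search for on disk during an investigation. The character offset, rather than a line number, is what lets you jump straight to a match in a deobfuscated file that may consist of a handful of very long lines.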

4.6 Element Summary

Instead of running the identification of URLs/files, suspicious elements and misleading tuples separately, you can simply use the -s argument to direct the jsasst tool to run all three, i.e. -u -e -t (URLs/files, suspicious elements and misleading tuples), at once and display the results in the terminal window (as shown in the image below).

Below is a sample output:

The output of the tool can also be sent to a text file using the > (greater than) symbol. See below image:

Below is an example of the summary report that was generated using the -s argument and sent to a text file using the > (greater than) symbol.

5. Conclusion

Note that I have kept the tool in beta for now, as I still want to run a few tests and there may be a few bugs. If you do use the tool, it is best to make a backup of your original script first, i.e. prior to using the tool. As mentioned previously, this is a small utility (that I created in my spare time) to assist in understanding the capabilities of malicious JavaScript files and enable a quicker triage of the script. I make no claims that it is going to help immensely in your daily tasks within the cybersecurity realm, but it can assist when used together with your broader array of tools.

Have an awesome day

nvzavi

Twitter: @nvzavi
