From aldeid
Jump to navigation Jump to search


Jsunpack-n is a command-line Javascript unpacker that has more or less the same features as the Web version of Jsunpack (http://jsunpack.jeek.org/).


Download jsunpackn

$ cd /data/src/
$ svn checkout http://jsunpack-n.googlecode.com/svn/trunk/ jsunpack-n-read-only
$ cd jsunpack-n-read-only/

Install dependencies


$ sudo aptitude install libpcap-dev


$ cd depends/pynids/
$ tar xzvf pynids-0.6.1.tar.gz
$ cd pynids-0.6.1/
$ python setup.py build
$ sudo python setup.py install


$ cd depends/
$ tar xzvf js-1.8.0-rc1-src.tar.gz
$ cd js-1.8.0-rc1-src/
$ make BUILD_OPT=1 -f Makefile.ref

Then, make the 'js' binary available within your path:

$ echo 'export PATH="$PATH:/data/src/jsunpack-n-read-only/depends/js-1.8.0-rc1-src/Linux_All_OPT.OBJ/";' >> ~/.bashrc
$ . ~/.bashrc
For more information about SpiderMonkey, refer to this page.


$ sudo aptitude install libpcre3 libpcre3-dev
$ cd depends/
$ tar xvfz yara-1.6.tar.gz
$ cd yara-1.6/
$ ./configure
$ make
$ sudo make install
$ sudo -s
# echo "/usr/local/lib" >> /etc/ld.so.conf
# exit
$ sudo ldconfig

Yara python

$ cd depends/
$ tar xvfz yara-python-1.6.tar.gz
$ cd  yara-python-1.6/
$ python setup.py build
$ sudo python setup.py install


$ cd depends/
$ tar xvfz BeautifulSoup-3.2.0.tar.gz
$ cd BeautifulSoup-3.2.0/
$ python setup.py build
$ sudo python setup.py install


$ cd depends/
$ tar xvfz pycrypto-2.4.1.tar.gz
$ cd pycrypto-2.4.1/
$ python setup.py build
$ sudo python setup.py install


$ sudo aptitude install python-yapgvb


$ sudo aptitude install python-magic



./jsunpackn.py [fileName]
./jsunpackn.py -i [interfaceName]


-h, --help
show this help message and exit
-t TIMEOUT, --timeout=TIMEOUT
limit on number of seconds to evaluate JavaScript
maximium evaluation time to allow processing of alternative version strings
maximum running time (seconds; cumulative total). If exceeded, raise an alert (default: no limit)
-f, --fast-evaluation
disables (multiversion HTML,shellcode XOR) to improve performance
actively fetch specified URL (for fully active fetch use with -a)
-d OUTDIR, --destination-directory=OUTDIR
output directory for all suspicious/malicious content
configuration filepath (default options.config)
-s, --save-all
save ALL original streams/files in output dir
-e, --save-exes
save ALL executable files in output dir
-a, --active
actively fetch URLs (only for use with pcap/file/url as input)
-p PROXY, --proxy=PROXY
use a random proxy from this list (comma separated)
use this proxy and ignore proxy list from --proxy
-q, --quiet
limited output to stdout
-v, --verbose
verbose mode displays status for all files and decoding stages, without this option reports only detection
-V, --very-verbose
shows all decoding errors (noisy)
-g GRAPHFILE, --graph-urlfile=GRAPHFILE
filename for URL relationship graph, 60 URLs maximium due to library limitations
live capture mode, use at your own risk (example eth0)
-D, --debug
(experimental) debugging option, do not delete temporary files
-J, --javascript-decode-disable
(experimental) dont decode anything, if you want to just use the original contents


Example 1

Given a malicious PDF file:

$ file /mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514 
/mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514: PDF document, version 1.3

This PDF is known to be malicious (Exploit:Win32/Pdfjsc.CR):

Let's analyze the file with jsunpackn:

$ ./jsunpackn.py -V /mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514 
[suspicious:3] [PDF] /mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514
          info: [decodingLevel=0] JavaScript in PDF 201 bytes, with 87 bytes headers
          suspicious: getAnnots CVE-2009-1492 detected  
          info: [decodingLevel=1] found JavaScript
          error: undefined variable p
          info: file: saved /mnt/hgfs/malware/application-pdf/aa0485b8619c4d2d9268cf40babd4514 to (./temp/files/original_d4fad5f994283e3c514dc7da19a38fe4dc173858)
          file: decoding_c688ebdc3219475eec714eec111e2a24604a599d: 288 bytes
          file: original_d4fad5f994283e3c514dc7da19a38fe4dc173858: 9607 bytes

Decoded files:

$ cat temp/files/original_d4fad5f994283e3c514dc7da19a38fe4dc173858 
1 0 obj<</Type/Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 6 0 R>>endobj
2 0 obj<</Type/Outlines/Count 0>>endobj
3 0 obj<</Type/Pages/Kids[4 0 R]/Count 1>>endobj
4 0 obj<</Type/Page /Annots[ 5 0 R ]/Parent 3 0 R/MediaBox [0 0 612 792]>>endobj
5 0 obj<</Type/Annot /Subtype /Text /Name /Comment/Rect[25 100 60 115] /Subj 8 0 R>>endobj
6 0 obj<</Type/Action/S/JavaScript/JS 7 0 R>>endobj
7 0 obj<</Length 158/Filter/FlateDecode>>
     ?0^L???W???????? x???????`??]?!??}?%3H?9???pƒ?C0??vU?[B?d?????~?Y?Ш???V{X????Q??+wrB?o??
$ cat temp/files/decoding_c688ebdc3219475eec714eec111e2a24604a599d | indent
c =[];
zzzpages.push (c);
this.numPages = zzzpages.length;

//jsunpack End PDF headers
var z;
var y;
z = y = app.doc;
y = 0;
z.syncAnnotScan ();
y = z;
var p = y.getAnnots ({ nPage:0 }

var s = p[0].subject;
var l = s.replace (/z / g, '%');
s = unescape (l);
eval (s);
s = ;
z = 1;

Example 2

The Jsunpack-n tool also comes with a pdf.py script that is capable of decompressing JavaScript contained in PDF files. Here is an example.

$ tar xzvf samples.tgz
$ ./pdf.py samples/pdf-thisCreator.file 
parsing samples/pdf-thisCreator.file
obj 1 0: 
       tag Type                                          (TAG)
       tag Catalog                                       (TAG)
       tag Pages = 2 0 R                                 (TAGVAL)
       tag Names = 3 0 R                                 (ENDTAG)
obj 2 0: 
       tag Type                                          (TAG)
       tag Pages                                         (TAG)
       tag Count = 1                                     (TAGVAL)
       tag Kids = 4 0 R ]                                (ENDTAG)
Found JavaScript in 111611 0 (697 bytes)
       children []
       tags [['TAG', 'Filter', "], ['TAG', 'FlateDecode', "], ['ENDTAG', 'Length', '142']]
       indata = <</Filter/FlateDecode/Length 142>>streamxJ*MI+6qN3PwsNI*JKSN.LKJ/K,RH'M-K22RKIr_"WZXA>RMT%(r=IzE9@3
Found JavaScript in 3 0 (0 bytes)
       children [['JavaScript', '5 0']]
       tags [['ENDTAG', 'JavaScript', '5 0 R ']]
       indata = <</JavaScript 5 0 R >>
Wrote JavaScript (9289 bytes -- 8592 headers / 697 code) to file samples/pdf-thisCreator.file.out
$ cat samples/pdf-thisCreator.file.out 
info.creator = String('z6ez6fz70[REMOVED]6z22z2cz20z6ez75z6dz29z3b');
this.creator = info.creator;

//jsunpack End PDF headers
/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/
var b/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/=/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/this.creator;
/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/
var a/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/=/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/unescape(/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/b/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/);
/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/
eval(/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/unescape(/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/this.creator.replace(/z/igm,'%')/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/)/*fjudfs4FSf4ZX <POFRNFSdfnjrfnc> SaKsonifbdh*/);