Malzilla

From aldeid

Description

Malzilla is a malware hunting tool. It uses the SpiderMonkey engine to analyze scripts. Among other things, it is able to deobfuscate JavaScript and has several decoders and other utilities.

It currently supports Windows exclusively.

Installation

Download link: http://sourceforge.net/projects/malzilla/files/Malzilla%20Win32%20Binary%20package/Malzilla%201.2.0/malzilla_1.2.0.zip

Usage

Contextual menu

By right clicking on a panel, you can see the following contextual menu. Notice that this menu can differ a little depending on the tab that is selected.

Malzilla-contextual-menu.png

The options are:

  • Undo / Redo: undo or redo the previous action
  • Cut / Copy / Paste / Delete: the usual cut, copy, paste and delete operations
  • Select all / Clear: select the whole content or clear the current selection
  • Load from file: load a local file into the tab
  • Save to file: save the content of the tab to a file
  • Run script: advanced options to run a script
  • Load from buffer / Save to buffer: save code to one of the buffer slots, or load code back from a slot
  • Word wrap: wrap long lines of code
  • Log actions: log the actions so that they appear in the Log tab

Tabs

Download

Open a new tab

You can open a new tab to browse another URL by right clicking on the first tab and selecting "New tab":

Malzilla-new-tab.png

Load a URL

Use the URL field to enter a URL to browse and click the "Get" button to load the content in the top frame.

Malzilla-download-tab.png

  • Notice that you have several options to fake the user-agent, the referrer and the cookies.
  • There are also options to change the browser's behavior (use user-agent, use cookies, use proxy, use referrer, auto-set referrer, auto redirect).
  • If you prefer to load an HTML page that you have locally, click on the "Get to file" button.

Actions

Once your page has been sent to the Text tab, you can perform different actions:

  • Send script to decoder: sends the selected script (use the "Find objects" button first) to the Decoder tab
  • Find objects: finds the scripts in the page.

Malzilla-download-find-objects.png

  • Send all scripts to decoder: sends all scripts to the Decoder tab
  • Append selection to decoder: appends your selection to the Decoder tab
  • Send to links parser: automatically detects the links contained in the code

Malzilla-send-to-link-parser.png

  • Mini HTML view: mini browser to see what the page looks like

Views

You can switch between other views:

  • hex: hexadecimal view
  • Cookies: list of detected cookies
  • Link parser: list of detected links (will be filled once you have clicked the "Send to links parser" option).

Decoder

Load sample into Malzilla

To load the sample JavaScript into Malzilla, go to the "Decoder" tab and right click in the pane. Select "load from file" in the menu, and select your script.

Malzilla-load-js.png

Run script

Your script will appear in the center panel. Click on the "Run" button to start your script:

Malzilla-run-script.png

Misc Decoders

Malzilla-misc-decoders-tab.png

Kalimero Processor

Malzilla-kalimero-processor-tab.png

Shellcode analyzer

Malzilla-shellcode-analyzer-tab.jpg

Log

Malzilla-log-tab.png

Clipboard Monitor

The clipboard monitor keeps track of your clipboard. You can select an entry and:

  • send it to the Download tab
  • send it to the Download tab and get it
  • download all entries

Malzilla-clipboard-monitor.png

Notes

This tab enables you to take notes.

Hex view

This tab is a hex editor that comes with a disassembler and an XOR search feature:

Malzilla-hex-view-tab.png

PScript

This section is incomplete.

Tools

Malzilla-tools-tab.png

Settings

Malzilla-settings-tab.png
