Merge pull request #102 from kirk-sayre-work/master

Version 1.9.27

Author: kirk-sayre-work

analyze.js

@@ -122,6 +122,8 @@ function hideStrs(s) {
     var resetSlashes = false;
     var justStartedRegex = false;
     var inSquareBrackets = false;
+    var skippedSpace = false;
+    
     s = stripSingleLineComments(s);
     // For debugging.
     var window = "               ";
@@ -186,7 +188,7 @@ function hideStrs(s) {
 	    // Dropping /* */ comments, so don't save current char.
 
             // Out of comment?
-            if ((prevChar == "*") && (currChar == "/")) {
+            if ((prevChar == "*") && (currChar == "/") && !skippedSpace) {
                 inComment = false;
                 // Handle FP single line comment detection for things
                 // like '/* comm1 *//* comm2 */'.
@@ -199,6 +201,10 @@ function hideStrs(s) {
             if (currChar != " ") {
                 prevPrevChar = prevChar;
                 prevChar = currChar;
+                skippedSpace = false;
+            }
+            else {
+                skippedSpace = true;
             }
             continue;
         }
@@ -419,10 +425,22 @@ function extractCode(code) {
     //
     // /*@cc_on
     // @if(1) ... @end@*/
+    //
+    // /*@cc_on @*//*@if (1)    
+    // ... @end @*/
     const commentPat = /\/\*(?:@cc_on\s+)?@if\s*\([^\)]+\)(.+?)@(else|end)\s*@\s*\*\//s
-    const codeMatch = code.match(commentPat);
+    var codeMatch = code.match(commentPat);
     if (!codeMatch) {
-        return code;
+        const commentPat1 = /\/\*\s*@cc_on\s*@\*\/\s*\/\*\s*@if\s*\([^\)]+\)(.+?)@(else|end)\s*@\s*\*\//s;
+        codeMatch = code.match(commentPat1);
+        if (!codeMatch) {
+            // /*@cc_on\n...@*/
+            const commentPat2 = /\/\*\s*@cc_on *\r?\n(.+?)\r?\n@\*\//;
+            codeMatch = code.match(commentPat2);
+            if (!codeMatch) {
+                return code;
+            }
+        }
     }
     var r = codeMatch[1];
     lib.info("Extracted code to analyze from conditional JScript comment.");

boilerplate.js

@@ -50,6 +50,12 @@ const dummyEvent = {
     key: 97, // "a"
 
     stopPropagation: function() {},
+    preventDefault: function() {},
+    composedPath: function() {
+        return {
+            includes: function() { return false; },
+        };
+    },
 };
 
 // Handle Blobs. All Blob methods in the real Blob class for dumping
@@ -451,6 +457,22 @@ function __createElement(tag) {
             // Call the onerror handler.
             func();
         },
+        set value(txt) {
+            this.val = txt;
+        },
+        get value() {
+            return this.val;
+        },
+        get href() {
+            if (typeof(this._href) === "undefined") this._href = 'http://mylegitdomain.com:2112/and/i/have/a/path.php#tag?var1=12&ref=otherlegitdomain.moe';
+            return this._href;
+        },
+        set href(url) {
+	    url = url.replace(/\r?\n/g, "");
+            this._href = url;
+            logIOC('HREF Location', {url}, "The script changed location.href.");
+	    logUrl('HREF Location', url);
+        },
         // Not ideal or close to correct, but sometimes needs a parentNode field.
         parentNode: __fakeParentElem,
         log: [],
@@ -567,7 +589,10 @@ __fakeParentElem = __createElement("FakeParentElem");
 // Stubbed global navigator object.
 const navigator = {
     userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0; InfoPath.3)',
-    clipboard: {        
+    clipboard: {
+        writeText : function(txt) {
+            logIOC('Clipboard', txt, "The script pasted text into the clipboard.");
+        },
     },
     connection: {
     },
@@ -589,8 +614,7 @@ const navigator = {
     },
     keyboard: {
     },
-    language: {
-    },
+    language: "english",
     languages: {
     },
     locks: {
@@ -728,6 +752,7 @@ var document = {
         // got nothing to return. Make up some fake element and hope for the best.
         var r = __createElement(id);
         r.val = jqueryVals[id];
+        if (typeof(r.val) == "undefined") r.val = "";
         return r;
     },
     documentElement: {
@@ -762,6 +787,7 @@ var document = {
         eval(extractJSFromHTA(node));
     },
     getElementsByTagName: __getElementsByTagName,
+    getElementsByName: __getElementsByTagName,
     getElementsByClassName: __getElementsByTagName,
     createDocumentFragment: function() {
         return __createElement("__doc_fragment__");
@@ -1216,6 +1242,10 @@ var exports = {};
 function fetch(url, data) {
     lib.logIOC("fetch", {url: url, data: data}, "The script fetch()ed a URL.");
     lib.logUrl("fetch", url);
+    return {
+	ok : true,
+	json : function() { return "1"; },
+    };
 };
 
 // Image class stub.
@@ -1310,3 +1340,8 @@ var history = {
     pushState: function() {},
 };
 
+// Fake sessionStorage object.
+var sessionStorage = {
+    getItem: function() {},
+    setItem: function() {},
+};

emulator/FileSystemObject.js

@@ -226,6 +226,14 @@ function FileSystemObject() {
         var r = new ProxiedFile(filename);
         return r;
     };
+    this.getfilename = function(filename) {
+        filename = "" + filename;
+        const i = filename.lastIndexOf("\\");
+        if (i > 0) {
+            filename = filename.slice(i + 1);
+        }
+        return filename;
+    };
     this.getfileversion = () => "";
     this.getfolder = (str) => new ProxiedFolder(str);
     this.getspecialfolder = function(id) {

emulator/WBEMScriptingSWBEMLocator.js

@@ -1,5 +1,25 @@
 const lib = require("../lib");
 const enumerator = require("./Enumerator");
+const argv = require("../argv.js").run;
+
+// Fake OS language can be set with the --fake-language option.
+// Default language is English.
+var langCode = 1033;
+if (argv["fake-language"]) {
+
+    // Were we given a supported language?
+    const langStr = argv["fake-language"];
+    const langs = {
+        'spanish' : 2058,
+        'english' : 1033,
+        'portuguese' : 1046,
+    };
+    langCode = langs[langStr];
+    if (!langCode) {
+        lib.error("Language '" + langStr + "' not supported.");
+        process.exit(4);
+    };
+}
 
 // Fake SWBEMService.instancesof results.
 
@@ -51,7 +71,15 @@ _fake_win32_operatingsystem = {
     "OperatingSystemSKU" : "4",
     "Organization" : "USERS",
     "OSArchitecture" : "64-bit",
-    "OSLanguage" : "1033",
+    // US English
+    //"OSLanguage" : "1033",
+    // Mexican Spanish
+    get OSLanguage() {
+        lib.logIOC("SWBEMService", langCode, "Read Win32_OperatingSystem.OSLanguage.");
+        return langCode;
+    },
+    // International Spanish
+    //"OSLanguage" : "3082",
     "OSProductSuite" : "256",
     "PAEEnabled" : "",
     "PlusProductID" : "",
@@ -89,6 +117,12 @@ function VirtualSWBEMServices() {
         };
     };
 
+    this.execquery = function(query) {
+        lib.logIOC("SWBEMService", query, "Executed SWBEMService query '" + query + "'.");
+        if (query.indexOf("Win32_OperatingSystem") > -1) return [_fake_win32_operatingsystem];
+        return [];
+    };
+    
     this.get = function(item) {
         return {
             spawninstance_ : function() {

emulator/WScriptNetwork.js

@@ -1,4 +1,10 @@
 const lib = require("../lib");
+const argv = require("../argv.js").run;
+
+var fakeUserDomain = "";
+if (argv["fake-domain"]) {
+    fakeUserDomain = argv["fake-domain"];
+}
 
 class DriveInfo {
     constructor(driveLetters) {
@@ -17,7 +23,8 @@ function WScriptNetwork() {
     this.enumprinterconnections = () => [{
 	foo: "bar",
     }];
-    this.userdomain = "";
+    this.userdomain = fakeUserDomain;
+    this.username = "harvey_danger";
     this.mapnetworkdrive = function(letter, path) {
         lib.info(`Script maps network drive ${letter} to path ${path}`);
         lib.logUrl("map", ("https:" + path).replace("@", ":").replace(/\\/g, "/"));

emulator/XMLHTTP.js

@@ -1,6 +1,8 @@
 const lib = require("../lib");
 const argv = require("../argv.js").run;
 
+var _fileCheckCount = 0;
+var _lastUrl = "";
 function XMLHTTP() {
     this.headers = {};
     this.onreadystatechange = () => {};
@@ -20,7 +22,21 @@ function XMLHTTP() {
 	this.method = method;
 	this.readystate = 1;
 	this.statustext = "OPENED";
+        lib.logUrl('XMLHTTP', url);
+        lib.logIOC("XMLHTTP", {url: url}, "The script opened URL " + url + " with XMLHTTP");
+
+        // Try to break infinite network loops by exiting if we do
+        // many open()s.
+        _fileCheckCount++;
+        if (argv["limit-file-checks"]) {
+            if ((_fileCheckCount > 100) && (url == _lastUrl)) {
+                lib.info("Possible infinite network loop detected. Exiting.");
+                process.exit(0);
+            }
+        }
+        _lastUrl = url;
     };
+    this.responsetext = "console.log('The script executed JS returned from a C2 server.')";
     this.setrequestheader = function(key, val) {
 	key = key.replace(/:$/, ""); // Replace a trailing ":" if present
 	this.headers[key] = val;

flags.json

@@ -82,6 +82,16 @@
             "type": "String",
             "description": "Fake file name to use for the sample being analyzed. Can be a full path or just the file name to use. If you have '\\' in the path escape them as '\\\\' in this command line argument value (ex. --fake-sample-name=C:\\\\foo\\\\bar.js)."
         },
+        {
+            "name": "fake-language",
+            "type": "String",
+            "description": "Specify the language code to return for Win32_OperatingSystem.OSLanguage. Supported values are 'spanish', 'english', and 'portuguese'."
+        },
+        {
+            "name": "fake-domain",
+            "type": "String",
+            "description": "Specify the user domain to return for WScript.Network.UserDomain."
+        },
         {
             "name": "fake-download",
             "type": "Boolean",

lib.js

@@ -414,6 +414,7 @@ module.exports = {
         }
 
 	const filename = getUUID();
+        command = "" + command;
 	logIOC("Run", {command}, "The script ran the command '" + command + "'.");
 	logSnippet(filename, {as: "WScript code"}, command);
 	process.send("expect-shell-error");

package-lock.json

@@ -1,6 +1,6 @@
 {
     "name": "box-js",
-    "version": "1.9.26",
+    "version": "1.9.27",
     "description": "A tool for studying JavaScript malware.",
     "dependencies": {
         "acorn": ">=8.8.0",