Have you ever wondered what goes on under the hood when unpacking a malicious JavaScript? Well, I certainly did when I saw Joe Sandbox unpack GootLoader with Microsoft's Antimalware Scan Interface (AMSI) during an investigation.
I present to you WSHooker, a tool I wrote (inspired by OALabs' frida-wshook and this blog post) that aims to do just as well as AMSI, if not better. WSHooker is written in Python and relies heavily on Frida, a dynamic binary instrumentation framework that lets developers, malware analysts, and security researchers take full control of a piece of software, including malware, through function or API hooking. WSHooker uses Frida to trace and intercept Windows Script Host (WSH) as it executes the malicious script. As such, it supports the analysis of script types such as .js/.jse (JScript) and .vbs/.vbe (VBScript), and even script containers like .wsf (Windows Script File).
In theory, you should be able to use WSHooker to analyze and unpack malicious scripts targeted at Windows. I've tested WSHooker against malicious scripts associated with the following malware families:
- AdWind
- AgentTesla
- AsyncRAT
- AveMariaRAT
- Azorult
- BabylonRAT
- Emotet
- Formbook
- GootLoader
- GuLoader
- IcedID
- JSOutProx
- Loki
- Magniber
- NanoCore
- NetSupport
- NetWire
- NjRAT
- PureCrypter
- QNodeService
- Qbot/Qakbot/Quakbot
- RedLineStealer
- RemcosRAT
- SocGholish
- STRRAT
- Vjw0rm
- WSHRAT
- YoungLotus
WSHooker has several advantages over AMSI when it comes to analyzing and unpacking malicious scripts:
- Unpacks the malicious script on the fly and writes the unpacked code to a file for further analysis and/or IOC extraction
- Prevents child processes from spawning when the malicious script tries to run a command or program in a new process
- Sinkholes DNS queries and terminates network sockets
- Prevents file copy/move/write
- Prevents Windows Registry key/value writes
- Terminates dangerous and evasive COM objects: InternetExplorer.Application, Schedule.Service, WindowsInstaller.Installer
- Time skipping in WScript.Sleep()
- Timestamps in the output trace — useful for measuring the time between function calls
- Traces functions dynamically as they are called
- Tracks COM object creation and WMI queries, and stops Win32_Process creation
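To show how the interception described above works in practice, here is an added Frida agent script (written for this post, not WSHooker's own code) that hooks three Win32 APIs: it fails known-bad ProgIDs at ole32!CLSIDFromProgID, sinkholes DNS lookups at ws2_32!GetAddrInfoW, and blocks child processes at kernel32!CreateProcessW, each gated by a flag mirroring the --allow-* options. It assumes that WSH reaches those APIs for CreateObject(), name resolution, and process creation; the hook wiring only runs inside Frida, while the policy helpers run anywhere.

```javascript
// Policy mirrors the --allow-* switches: dangerous operations are blocked unless allowed.
const policy = { allowProc: false, allowNet: false, allowBadProgId: false };
const BAD_PROGIDS = ['InternetExplorer.Application', 'Schedule.Service', 'WindowsInstaller.Installer'];

// Pure decision helpers (no Frida dependency, so they can be unit-tested under node).
function isBadProgId(progId) {
  const wanted = String(progId).trim().toLowerCase();
  return BAD_PROGIDS.some(p => p.toLowerCase() === wanted);
}
function shouldBlockProgId(progId) { return isBadProgId(progId) && !policy.allowBadProgId; }

// Trace record: sent to the Python side via send() under Frida, printed to stdout otherwise.
function trace(event) {
  const rec = Object.assign({ ts: new Date().toISOString() }, event);
  if (typeof send === 'function') send(rec); else console.log(JSON.stringify(rec));
  return rec;
}

function installHooks() {
  const keepAlive = [];   // hold NativeCallbacks so they are not garbage-collected
  const exp = (mod, name) => Process.getModuleByName(mod).getExportByName(name);

  // 1. COM creation (assumed path: CreateObject -> CLSIDFromProgID): fail known-bad ProgIDs.
  Interceptor.attach(exp('ole32.dll', 'CLSIDFromProgID'), {
    onEnter(args) { this.progId = args[0].isNull() ? '' : args[0].readUtf16String(); },
    onLeave(retval) {
      trace({ api: 'CLSIDFromProgID', progid: this.progId, blocked: shouldBlockProgId(this.progId) });
      if (shouldBlockProgId(this.progId)) retval.replace(0x800401f3); // CO_E_CLASSSTRING
    }
  });

  // 2. DNS sinkhole: swap the queried host name for loopback unless --allow-net is set.
  Interceptor.attach(exp('ws2_32.dll', 'GetAddrInfoW'), {
    onEnter(args) {
      trace({ api: 'GetAddrInfoW', host: args[0].isNull() ? null : args[0].readUtf16String() });
      if (!policy.allowNet) { this.sink = Memory.allocUtf16String('127.0.0.1'); args[0] = this.sink; }
    }
  });

  // 3. Child processes: replace CreateProcessW; log the command line and fail unless allowed.
  const SIG = ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'uint', 'pointer', 'pointer', 'pointer', 'pointer'];
  const abi = Process.arch === 'x64' ? 'win64' : 'stdcall';
  const cpw = exp('kernel32.dll', 'CreateProcessW');
  const origCreateProcessW = new NativeFunction(cpw, 'int', SIG, abi);
  const stub = new NativeCallback(function (app, cmd, pa, ta, inh, flags, env, cwd, si, pi) {
    trace({ api: 'CreateProcessW', cmdline: cmd.isNull() ? null : cmd.readUtf16String(), allowed: policy.allowProc });
    return policy.allowProc ? origCreateProcessW(app, cmd, pa, ta, inh, flags, env, cwd, si, pi) : 0;
  }, 'int', SIG, abi);
  keepAlive.push(stub);
  Interceptor.replace(cpw, stub);
  return keepAlive;
}

// Wire the hooks only when running inside Frida, where the Interceptor API exists.
if (typeof Interceptor !== 'undefined') installHooks();
```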
To use WSHooker, you need Python 3 and Frida:
```
pip install frida-tools
```
WSHooker downloads debug symbols from the Microsoft symbol server. To set c:\symbols as the local symbol cache, use the following:
```
setx _NT_SYMBOL_PATH SRV*c:\symbols*https://msdl.microsoft.com/downloads/symbols
```
WSHooker may appear unresponsive on the first run while it downloads the required debug symbols. This is normal.
WSHooker supports a number of options that allow certain dangerous operations to continue during analysis, in order to reveal behaviors of the malicious script that would otherwise be blocked.
```
python wshooker.py --help
usage: wshooker.py [-h] [-p PID | -s SCRIPT] [-a ARGS] [-d DIR] [-o TRACE] [--allow-bad-progid] [--allow-file] [--allow-net]
                   [--allow-proc] [--allow-reg-write] [--allow-shell-exec] [--allow-sleep] [--debug] [--dynamic] [--fun] [--json]
                   [--no-banner] [--timestamp] [--wscript]

WSHooker - Windows Script Hooking with Frida

options:
  -h, --help            show this help message and exit
  -p PID, --pid PID     process id (reserved for future release)
  -s SCRIPT, --script SCRIPT
                        path to malicious script
  -a ARGS, --args ARGS  arguments to malicious script, e.g., -a "arg1 arg2 arg3 ..."
  -d DIR, --directory DIR
                        directory or folder for output traces
  -o TRACE, --output TRACE
                        write output trace to file (default is "trace.log")
  --allow-bad-progid    (dangerous) allow known bad ProgID
  --allow-file          (dangerous) allow file copy/move/write
  --allow-net           (dangerous) allow network requests
  --allow-proc          (dangerous) allow Win32_Process
  --allow-reg-write     (dangerous) allow Registry write
  --allow-shell-exec    (dangerous) allow shell execution as current user
  --allow-sleep         (slow-down) allow WScript.Sleep()
  --debug               (verbose) display debug message
  --dynamic             (verbose) enable dynamic tracing
  --fun                 add some fun to life
  --json                output trace in JSON (default is "trace.json")
  --no-banner           remove banner in output trace
  --timestamp           show timestamp in output trace
  --wscript             use "wscript.exe" (default is "cscript.exe")
```
WSHooker has been tested on Windows 10.
If you have ideas or suggestions on how to make WSHooker better, please DM me (@limbernie) on Twitter. Thank you!