A new version of
jsunpack-n is available 0.1e! This version makes some major improvements in the rule language (using Yara) and allows you to make pretty pictures like this:
One thing I think you will like is the new output ./files/ directory and command line options! Enjoy.
Here is it running with the sample files included in the archive:
$ ./jsunpack-n.py sample-http-exploit.pcap
[malicious:10] hifgejig.cn/nuc/
[impact=5] DecodedGenericCLSID detected F0E42D60-368C-11D0-AD81-00A0C90DC8D9
[impact=10] MSOfficeSnapshotViewer detected F0E42D60-368C-11D0-AD81-00A0C90DC8D9
[impact=5] ObfuscationPattern detected location eval
[impact=10] MSIENestedSpan detected CDATA[<image SRC=http:// DATAFORMATAS= <SPAN DATASRC= DATASRC= DATAFLD=
[info] find_urls: [javascript var] hifgejig.cn/nuc/exe.php
$ ./jsunpack-n.py sample-pdf.pcap
[suspicious:5] trughtsa.com/
[impact=5] DecodedIframe detected <iframe
[info] [iframe /] trughtsa.com/img/pfqa.php
[malicious:10] trughtsa.com/img/pfqa.php
[impact=10] PDFexploit detected util.printf Collab.getIcon getAnnots Collab.collectEmailInfo spell.customDictionaryOpen
[malicious] identified shellcode of length 1533 (./files/shellcode_9ac3a76f70caef94f2773abc1043e9511d2d0f09)
[info] XOR key [shellcode]: 33
[info] shellcode url [xor] trughtsa.com/img/uet.php
[impact=5] ObfuscationPattern detected eval String.fromCharCode
[malicious:10] trughtsa.com/img/uet.php
[incident:10] [0] requested by 192.168.203.60
[incident:10] [0] origin trughtsa.com/img/pfqa.php
[incident:10] [0] method=GET type=shellcode
[incident:10] [0] filetype MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
$ ./jsunpack-n.py sample-pdf.file
[malicious:10] sample-pdf.file
[impact=10] PDFexploit detected collab.getIcon
[suspicious] likely NOP sled shellcode variable of length 167
[malicious] identified shellcode of length 1526 (./files/shellcode_da344d16e814e40dec67592bdccdf3ad50e0069d)
[info] XOR key [shellcode]: 33
[info] shellcode url [xor] b35.info/w/who.exe
[suspicious] likely NOP sled shellcode variable of length 2048
[suspicious] likely NOP sled shellcode variable of length 1714
[suspicious] likely NOP sled shellcode variable of length 522574
More from the RELEASE notes:
RELEASE NOTES:
Updates 2009-09-02 version 0.1e
First and foremost, thanks to Victor! (for creating the Yara detection library)
Yara is now a required dependency and the supported format for the 'rules' file
1) improved URL tracking using 'urlattr' class and urls dictionary
1a) new command line option -g, to create a URL graph (only when pcap contains 10 or fewer URL requests)
2) bug fixes for stream reassembly and pdf parsing
2a) stream reassembly now handles all streams when processing a pcap file,
regardless of whether the nids state is in end_states
4) detection of NOP sled shellcode and performance improvements in shellcode processing
(this was one of the performance bottlenecks)
5) new output format with ./files/ directory or -d OUTDIR command line option
6) CVE references are available in the 'rules' file but are temporarily unavailable in alerts