In this blog post, we introduce JavaScript tracing, a new technology recently added to Joe Sandbox Cloud that makes our platform even better at spotting and analyzing complex phishing attacks.
Joe Sandbox already has a rich set of technologies for phishing detection, including image recognition, OCR, DOM-based signatures and many more. What has been missing, however, is the capability for deep analysis of the JavaScript executed within the web browser. Most phishing pages use JavaScript for obfuscation and for hiding key elements, so JavaScript traces are a gold mine for detection artifacts.
With Joe Sandbox v39 Ruby we have implemented stealth JavaScript tracing within the Chrome web browser. Cloud Pro customers can enable JavaScript Tracing in the Code Analysis section on the submission page:
With tracing enabled, Joe Sandbox can now log function calls with their parameters, as well as object getters, setters and instantiations.
Malware analysts can download the full JavaScript trace from the report overview page and dig into all the tracing details:
JavaScript tracing also significantly boosts Joe Sandbox’s capacity to deeply analyze phishing attacks. Phishing sites often employ complex obfuscation techniques to conceal their malicious intent. With this technology, analysts can uncover and understand these tactics, such as dynamic HTML content decoding and script injection. This capability not only improves detection rates but also provides analysts with detailed, human-readable reports for further analysis.
Let's take a recent HTML file that is sent to victims as an e-mail attachment. Its content is hard to understand because it uses atob-array obfuscation:
If we run that HTML sample in Joe Sandbox with JavaScript tracing enabled, however, we get several interesting signature hits:
The signature overview shows the data passed to document.write(). Thanks to the trace log, we can look at that data:
Based on this finding, we can see that the final page is likely phishing for Microsoft credentials, since it loads its favicon from Microsoft. This is confirmed by the image recognition engine:
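To make the mechanism above concrete, here is an added example that is not Joe Sandbox's tracer and not the sample from the attachment: a minimal Proxy-based call tracer that logs property reads and function calls (getters and calls only; setters and instantiations are left out), run under Node against a constructed atob-array obfuscated page. The `window`/`document` stand-ins, the page content and the favicon host `login.example.test` are all constructed placeholders, and the obfuscator's chunking step is reproduced so the sample is self-contained. The trace entries recorded for `window.atob` and `document.write` are then inspected the way a signature would inspect them, recovering the decoded HTML and the host the favicon is fetched from.

```javascript
// Added example (not Joe Sandbox's implementation): a Proxy-based JavaScript call
// tracer run against a constructed atob-array obfuscated sample. Page content,
// favicon URL and browser stand-ins are placeholders invented for this demo.

const trace = []; // one entry per observed property read or function call

// Wrap an object so every property read is logged and every function-valued
// property is replaced by a logging wrapper that forwards to the original.
function traceObject(name, target) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      const value = Reflect.get(obj, prop, receiver);
      const qualified = `${name}.${String(prop)}`;
      if (typeof value !== 'function') {
        trace.push({ kind: 'get', name: qualified, value });
        return value;
      }
      return function tracedCall(...args) {
        const result = value.apply(obj, args); // call the real function with the real `this`
        trace.push({ kind: 'call', name: qualified, args, result });
        return result;
      };
    },
  });
}

// Browser-style base64 decoder: Node >= 16 exposes atob globally; older runtimes fall back to Buffer.
const browserAtob = globalThis.atob ?? ((s) => Buffer.from(s, 'base64').toString('binary'));

// Constructed stand-ins for the browser globals, so the example runs under Node.
function makeEnvironment() {
  const doc = { html: '', write(s) { this.html += s; } };
  return {
    window: traceObject('window', { atob: browserAtob }),
    document: traceObject('document', doc),
  };
}

// Constructed phishing-style page (placeholder host). The obfuscator's
// preparation step, splitting the page into base64 chunks, is reproduced here.
const constructedPage =
  '<html><head><link rel="icon" href="https://login.example.test/favicon.ico">' +
  '</head><body><form action="https://login.example.test/post"><input name="password"></form></body></html>';
const chunks = constructedPage
  .match(/.{1,24}/g)
  .map((piece) => Buffer.from(piece, 'binary').toString('base64'));

// The obfuscated script as an analyst would see it in the attachment:
// an array of base64 strings, decoded with atob() and handed to document.write().
const sampleScript = `
  var _0xa = ${JSON.stringify(chunks)};
  var page = '';
  for (var i = 0; i < _0xa.length; i++) { page += window.atob(_0xa[i]); }
  document.write(page);
`;

// Execute a script inside the traced environment and return a copy of the trace.
function runTraced(script) {
  trace.length = 0;
  const env = makeEnvironment();
  new Function('window', 'document', script)(env.window, env.document);
  return trace.slice();
}

// Detection-side helpers over the trace, mirroring what a signature would look at.
function documentWritePayloads(entries) {
  return entries
    .filter((e) => e.kind === 'call' && e.name === 'document.write')
    .map((e) => e.args.join(''));
}

function atobCallCount(entries) {
  return entries.filter((e) => e.kind === 'call' && e.name === 'window.atob').length;
}

// Hostnames referenced by <link rel="icon" href="..."> elements in decoded HTML.
function linkedIconHosts(html) {
  const hosts = new Set();
  const re = /<link\b[^>]*\brel="icon"[^>]*\bhref="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) hosts.add(new URL(m[1]).hostname);
  return [...hosts];
}

// Run the constructed sample and summarize what the trace reveals.
function analyzeSample() {
  const entries = runTraced(sampleScript);
  const payloads = documentWritePayloads(entries);
  return {
    atobCalls: atobCallCount(entries),
    writtenPayload: payloads.join(''),
    iconHosts: payloads.flatMap(linkedIconHosts),
  };
}

console.log(JSON.stringify(analyzeSample(), null, 2));
```

Running the block prints the decoded page exactly as it was handed to `document.write()` together with the favicon host, which is the same information the trace log above exposes for the real attachment; a signature only needs the recorded `document.write` arguments, not the obfuscated source.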