Jsunpack-n Tutorial (Analyzing Malicious Documents)

INSTALLATION:

Required Dependencies(all these dependencies are present in jsunpack-n package in a folder named depend):
1) Build and install pynids (nids) from ./depends/pynids-0.6.1.tar.gz
To compile pynids, you may need the following (ubuntu) packages:
libpcap-dev pkg-config python-dev libgtk2.0-dev libnet1-dev
        To install these package either use software center or command apt-get install PackageName

    $ cd depends
    $ tar xvfz pynids-0.6.1.tar.gz
$ cd pynids-0.6.1/ directory
$ python setup.py build
$ sudo python setup.py install

2) Build SpiderMonkey 'js' from ./depends/js-1.8.0-rc1-src.tar.gz

    This package has modifications to the spidermonkey source code; therefore, it is not recommended you use default smjs packages. (Details of the modifications are in INSTALL.spidermonkey.shellcode and INSTALL.spidermonkey, for historical purposes)

    $ cd depends/
    $ tar xvfz js-1.8.0-rc1-src.tar.gz
    $ cd js-1.8.0-rc1-src
    $ make BUILD_OPT=1 -f Makefile.ref
    Then, make the 'js' binary available within your path.
    $ echo "export $PATH="     //to find your env var value...which will be used in JS_DIST
    $sudo make BUILD_OPT=1 JS_DIST=/usr/local -f Makefile.ref export

3) Build and install YARA from ./depends/yara-1.6.tar.gz
    (For Ubuntu or other systems, these packages may be required: libpcre3 libpcre3-dev)

    $ cd depends
    $ .
    $ cd yara-1.6
    $ ./configure
    $ make
    $ sudo make install

For Ubuntu12.04 or other systems, you may need to add the following path after building:

$ sudo echo "/usr/local/lib" >> /etc/ld.so.conf
$ sudo ldconfig

4) Build and install YARA Python from ./depends/yara-python-1.6.tar.gz

    $ cd depends
    $ tar xvfz yara-python-1.6.tar.gz
    $ cd  yara-python-1.6
    $ python setup.py build
    $ sudo python setup.py install
   

5) Build and install BeautifulSoup from ./depends/BeautifulSoup-3.2.0.tar.gz
    (alternatively from the pypi http://pypi.python.org/pypi/BeautifulSoup/3.2.0)

    $ cd depends
    $ tar xvfz BeautifulSoup-3.2.0.tar.gz
    $ cd BeautifulSoup-3.2.0/
    $ python setup.py build
    $ sudo python setup.py install

6) Install pycrypto (for encrypted PDFs) from ./depends/pycrypto-2.4.1.tar.gz
    (alternatively from the pypi http://pypi.python.org/pypi/pycrypto/2.4.1)

    $ cd depends
    $ tar xvfz pycrypto-2.4.1.tar.gz
    $ cd pycrypto-2.4.1
    $ python setup.py build
    $ sudo python setup.py install

Optional:
a) To use the -g --graph option, you should install the "python-yapgvb" package.

b) Filetype identification: Magic (optional)
    If you use Ubuntu, you can install the python-magic package using apt-get install python-magic.
   To define your local magic data use file /etc/magic.

Using Jsunpack-n
Now unzip the samples.tgz,it contain many document on which you can test jsunpack
1:Run following command to find file type first as in sample folder file extension are renamed:
$file NameofFile 
$./jsunpackn.py -V /home/alt/Desktop/Analyze-Mal-doc/jsunpack-n/jsunpack-n/samples/pdf.file

Jsunpack-n

2:Read the decoded  file which is extracted in last step.
$cat ./temp/files/original_c34022681fa89171fc803baeb2b120400bc1775f 

Jsunpack decoded file

3:jsunpack-n also contain pdf.py  tools that can be used to decompress javascripts.
$ ./pdf.py -V /home/alt/Desktop/Analyze-Mal-doc/jsunpack-n/jsunpack-n/samples/pdf-thisCreator.file
Above command will otput javascript in a ".out" file
$cat samples/pdf-thisCreator.file.out

pdf.py tool in jsunpack-n

4:Produce a graph using -g option,give name of a picture file with proper extension like uname.png with -g option ex: -g nameofpicfile.png
$./jsunpackn.py -g unamed.png /home/alt/Desktop/Analyze-Mal-doc/jsunpack-n/jsunpack-n/samples/pdf.file

Jsunpack graph