INSTALLATION:
Required dependencies (all of them ship with the jsunpack-n package, in the folder named depends):
1) Build and install pynids (nids) from ./depends/pynids-0.6.1.tar.gz
To compile pynids, you may need the following (ubuntu) packages:
libpcap-dev pkg-config python-dev libgtk2.0-dev libnet1-dev
To install these packages, either use the Software Center or run: apt-get install PackageName
$ cd depends
$ tar xvfz pynids-0.6.1.tar.gz
$ cd pynids-0.6.1/
$ python setup.py build
$ sudo python setup.py install
2) Build SpiderMonkey 'js' from ./depends/js-1.8.0-rc1-src.tar.gz
This package has modifications to the spidermonkey source code; therefore, it is not recommended you use default smjs packages. (Details of the modifications are in INSTALL.spidermonkey.shellcode and INSTALL.spidermonkey, for historical purposes)
$ cd depends/
$ tar xvfz js-1.8.0-rc1-src.tar.gz
$ cd js-1.8.0-rc1-src
$ make BUILD_OPT=1 -f Makefile.ref
Then, make the 'js' binary available within your path.
$ echo $PATH    # check which directories are on your PATH; JS_DIST below must put 'js' into one of them
$ sudo make BUILD_OPT=1 JS_DIST=/usr/local -f Makefile.ref export
3) Build and install YARA from ./depends/yara-1.6.tar.gz
(For Ubuntu or other systems, these packages may be required: libpcre3 libpcre3-dev)
$ cd depends
$ tar xvfz yara-1.6.tar.gz
$ cd yara-1.6
$ ./configure
$ make
$ sudo make install
On Ubuntu 12.04 and some other systems the dynamic linker does not search /usr/local/lib by default, so libyara is not found after building; add the path and refresh the linker cache (note that "sudo echo ... >> file" does not work, because the redirection is done by your unprivileged shell):
$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
$ sudo ldconfig
4) Build and install YARA Python from ./depends/yara-python-1.6.tar.gz
$ cd depends
$ tar xvfz yara-python-1.6.tar.gz
$ cd yara-python-1.6
$ python setup.py build
$ sudo python setup.py install
5) Build and install BeautifulSoup from ./depends/BeautifulSoup-3.2.0.tar.gz
(alternatively from the pypi http://pypi.python.org/pypi/BeautifulSoup/3.2.0)
$ cd depends
$ tar xvfz BeautifulSoup-3.2.0.tar.gz
$ cd BeautifulSoup-3.2.0/
$ python setup.py build
$ sudo python setup.py install
6) Install pycrypto (for encrypted PDFs) from ./depends/pycrypto-2.4.1.tar.gz
(alternatively from the pypi http://pypi.python.org/pypi/pycrypto/2.4.1)
$ cd depends
$ tar xvfz pycrypto-2.4.1.tar.gz
$ cd pycrypto-2.4.1
$ python setup.py build
$ sudo python setup.py install
Optional:
a) To use the -g / --graph option, install the "python-yapgvb" package.
b) Filetype identification: Magic (optional)
If you use Ubuntu, you can install the python-magic package using apt-get install python-magic.
To define your local magic data use file /etc/magic.
Using Jsunpack-n
Now unpack samples.tgz; it contains many documents on which you can test jsunpack-n.
1: Identify the file type first, since the files in the samples folder have had their extensions renamed, and then run jsunpack-n on the file:
$ file NameofFile
$ ./jsunpackn.py -V /home/alt/Desktop/Analyze-Mal-doc/jsunpack-n/jsunpack-n/samples/pdf.file
[Screenshot: Jsunpack-n]
2: Read the decoded file that was extracted in the previous step.
$ cat ./temp/files/original_c34022681fa89171fc803baeb2b120400bc1775f
[Screenshot: Jsunpack decoded file]
3: jsunpack-n also ships a pdf.py tool that can be used to decompress the JavaScript embedded in a PDF.
$ ./pdf.py -V /home/alt/Desktop/Analyze-Mal-doc/jsunpack-n/jsunpack-n/samples/pdf-thisCreator.file
The command above writes the JavaScript to a ".out" file:
$ cat samples/pdf-thisCreator.file.out
[Screenshot: pdf.py tool in jsunpack-n]
4: Produce a graph with the -g option; pass the name of an image file with a proper extension, e.g. -g nameofpicfile.png
$ ./jsunpackn.py -g unamed.png /home/alt/Desktop/Analyze-Mal-doc/jsunpack-n/jsunpack-n/samples/pdf.file
[Screenshot: Jsunpack graph]