An AI-driven automated sandbox for analyzing obfuscated JavaScript malware. Built for the USF/NextEra Cybersecurity Challenge.
This project implements a host-guest architecture for "safe" malware analysis:

- Host (Ubuntu): Orchestrates analysis, generates LLM hints, and summarizes results using Groq.
- Guest (Windows 10 VM): Performs static + dynamic analysis by executing the sample with `cscript.exe` and monitoring its behavior.

Key features:
- Polling-based shared folder communication between host and guest
- Static obfuscation detection (IMLRHNEGAR marker, Unicode junk, string concatenation)
- Dynamic execution with file change monitoring
- LLM-powered report generation
- Designed for obfuscated JS droppers

Analyzed sample:
- Heavy obfuscation using a repeated `IMLHNEGAR` marker + Unicode characters
- Runtime string reconstruction via multiple `+=` operations
- Spawns `powershell.exe` after decoding the payload (fileless execution)
- Windows Defender detects it as a Trojan
- Typical of JS droppers leading to AsyncRAT or similar RATs

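The static checks listed under key features, applied to the traits of the sample above, as an added example (not the project's own `sandbox_agent.py` code). It scores a JS file on three signals without executing it: repeated all-caps junk markers, non-ASCII character density, and the number of `+=` string-rebuilding operations. The thresholds and the inert sample fragment are constructed assumptions.

```python
import re
from collections import Counter

# Constructed JS fragment in the style described above (junk Unicode,
# a repeated uppercase marker, and += string rebuilding). It is inert:
# it only assembles a string, and exists solely to exercise the checks.
SAMPLE_JS = (
    "var IMLHNEGAR = '\u200b\u200b\ufeff\u3164';\n"
    "var s = '';\n"
    "s += 'WS'; /*IMLHNEGAR*/ s += 'cri'; s += 'pt.'; /*IMLHNEGAR*/ s += 'Sh'; s += 'ell';\n"
    "var IMLHNEGAR_2 = 'x';\n"
)

MARKER_RE = re.compile(r"[A-Z]{8,}")   # long all-caps runs used as junk markers
CONCAT_RE = re.compile(r"\+=")         # runtime string reconstruction


def static_indicators(js: str, min_repeats: int = 3) -> dict:
    """Count the three static signals without executing the sample."""
    non_ascii = sum(1 for ch in js if ord(ch) > 127)
    runs = Counter(MARKER_RE.findall(js))
    return {
        "repeated_markers": {m: n for m, n in runs.items() if n >= min_repeats},
        "non_ascii_chars": non_ascii,
        "non_ascii_ratio": non_ascii / max(len(js), 1),
        "concat_ops": len(CONCAT_RE.findall(js)),
    }


def obfuscation_score(ind: dict) -> int:
    """Crude 0-4 score; the thresholds are assumptions, tune them on a real corpus."""
    score = 2 if ind["repeated_markers"] else 0   # a repeated marker weighs most
    score += ind["non_ascii_ratio"] > 0.01        # Unicode junk
    score += ind["concat_ops"] >= 5               # heavy += reconstruction
    return int(score)


def is_suspicious(js: str) -> bool:
    """Flag a file for dynamic analysis in the guest when it scores 3 or more."""
    return obfuscation_score(static_indicators(js)) >= 3


if __name__ == "__main__":
    ind = static_indicators(SAMPLE_JS)
    print(ind, "score:", obfuscation_score(ind), "suspicious:", is_suspicious(SAMPLE_JS))
```

A file flagged here is a candidate for the dynamic run; a low score does not clear it, since the reconstruction can hide every string of interest from static inspection.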
Setup:
- Create a Windows 10 VM in VirtualBox with a shared folder
- Install dependencies on host and guest
- Run `sandbox_agent.py` on the guest (as Administrator)
- Trigger analysis from the host: `python host/sandbox_analyze.py <sample.js>`

Lessons learned:
- Difficulty of analyzing heavily obfuscated malware
- Importance of dynamic analysis vs static
- Safety of communication between host and guest for sandboxing
