KevinEL-Dev/malware-analysis-pipeline
malware-analysis-pipeline

An AI-driven automated sandbox for analyzing obfuscated JavaScript malware. Built for the USF/NextEra Cybersecurity Challenge.

Overview

This project implements a host-guest architecture for "safe" malware analysis:

  • Host (Ubuntu): Orchestrates analysis, generates LLM hints, and summarizes results using Groq.

  • Guest (Windows 10 VM): Performs static + dynamic analysis by executing the sample with cscript.exe and monitoring behavior.

Key features:

  • Polling-based shared folder communication
  • Static obfuscation detection (IMLRHNEGAR marker, Unicode junk, string concatenation)
  • Dynamic execution with file change monitoring
  • LLM-powered report generation
  • Designed for obfuscated JS droppers

Architecture

Architecture Diagram

Observed Malware Behavior

  • Heavy obfuscation using repeated IMLHNEGAR marker + Unicode characters
  • Runtime string reconstruction via multiple += operations
  • Spawns powershell.exe after decoding payload (fileless execution)
  • Windows Defender detects as Trojan
  • Typical of JS droppers leading to AsyncRAT or similar RATs
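As an added example (not code from this repository), the static checks listed under Key features, run over a constructed JS fragment shaped like the behavior described above: it counts marker repetitions, non-ASCII characters and `+=` string appends, and statically replays the `+=` chains to show the string the script would build at runtime without executing it. The marker spelling, the thresholds, and the assumption that the marker and non-ASCII characters are junk stripped before use are all assumptions of this example.

```python
import re

# Constructed sample, not a real dropper: shaped like the pattern described
# above (repeated marker, non-ASCII junk, += chains rebuilding a string).
SAMPLE_JS = (
    'var s = "";\n'
    's += "WS\u0641IMLHNEGARc";\n'
    's += "ript.\u0431IMLHNEGARShell";\n'
    's += "IMLHNEGAR";\n'
    'var o = s.replace(/IMLHNEGAR/g, "");\n'
)

MARKER = "IMLHNEGAR"  # marker string named in this README (spelling assumed)
# `name += "literal"` with a double-quoted JS string literal on the right
CONCAT_RE = re.compile(r'(\w+)\s*\+=\s*"((?:[^"\\]|\\.)*)"')


def static_indicators(js: str, marker: str = MARKER) -> dict:
    """Count the three static indicators the pipeline flags."""
    return {
        "marker_hits": js.count(marker),
        "non_ascii_chars": sum(1 for ch in js if ord(ch) > 127),
        "concat_ops": len(CONCAT_RE.findall(js)),
    }


def is_suspicious(ind: dict, marker_min: int = 3,
                  non_ascii_min: int = 2, concat_min: int = 3) -> bool:
    """Thresholds are assumptions; tune them against a benign JS corpus."""
    return (ind["marker_hits"] >= marker_min
            and ind["non_ascii_chars"] >= non_ascii_min
            and ind["concat_ops"] >= concat_min)


def reconstruct_strings(js: str, marker: str = MARKER) -> dict:
    """Replay each `var += "literal"` chain statically, dropping the marker
    and non-ASCII junk, so the analyst sees the rebuilt string without
    running the sample."""
    rebuilt: dict = {}
    for var, literal in CONCAT_RE.findall(js):
        cleaned = "".join(ch for ch in literal.replace(marker, "")
                          if ord(ch) < 128)
        rebuilt[var] = rebuilt.get(var, "") + cleaned
    return rebuilt
```

Running `reconstruct_strings(SAMPLE_JS)` on the constructed sample yields `{"s": "WScript.Shell"}`, the kind of string a dynamic run would otherwise only reveal at execution time.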

These observations offer potential answers for blue/red team analysis.

Setup

  1. Create a Windows 10 VM in VirtualBox with shared folder
  2. Install dependencies on host and guest
  3. Run sandbox_agent.py on guest (as Administrator)
  4. Trigger analysis from host: python host/sandbox_analyze.py <sample.js>

What I learned

  • Difficulty of analyzing heavily obfuscated malware
  • Importance of dynamic analysis vs static
  • Safety of communication between host and guest for sandboxing

Screenshots
