35th Annual Computer Security Applications Conference (ACSAC 2019)


My Script Engines Know What You Did In The Dark: Converting Engines into Script API Tracers

Malicious scripts have been crucial attack vectors in recent attacks such as malware spam (malspam) and fileless malware. Since malicious scripts are generally obfuscated, analyzing them statically is difficult because of their use of reflection. Therefore, dynamic analysis, which is not affected by obfuscation, is used for malicious script analysis. However, despite its wide adoption, some problems remain unsolved. Existing designs of script analysis tools do not fulfill the following three requirements, which are important for malicious script analysis:
1. Universal applicability to various script languages.
2. The capability to output analysis logs from which the behavior of malicious scripts can be precisely recovered.
3. Applicability to proprietary script engines.

In this paper, we propose a method for automatically generating script API tracers by analyzing the binaries of the target script engine. The method mines the knowledge of script engine internals that is required to append behavior analysis capability. This makes it possible to add analysis functionality to arbitrary script engines and to generate script API tracers that fulfill the three requirements. Experimental results showed that this method can be applied to build malicious script analysis tools.

Toshinori Usui
NTT Secure Platform Laboratories / Institute of Industrial Science, The University of Tokyo

Yuto Otsuki
NTT Secure Platform Laboratories

Yuhei Kawakoya
NTT Secure Platform Laboratories

Makoto Iwamura
NTT Secure Platform Laboratories

Jun Miyoshi
NTT Secure Platform Laboratories

Kanta Matsuura
Institute of Industrial Science, The University of Tokyo
