Question 1

How to use box-js to download payloads from a malicious script?

Accepted Answer

Run box-js with the --download flag on your sample. This fetches payloads over the network, saves them with UUIDs in the results folder, and logs hashes and types in resources.json, as explained in the usage section.

Question 2

box-js or Any.run for JavaScript malware analysis?

Accepted Answer

box-js is open-source and focused on JScript emulation with local control, ideal for batch processing. Any.run is a commercial service with interactive, full-system emulation but less customization. box-js integrates with Any.run via third-party services, offering flexibility.

Question 3

How to handle missing 'document' object errors in box-js?

Accepted Answer

Use the --prepended-code=default option to include the default boilerplate.js file that stubs common browser objects. You can copy and modify this file to add custom stubs for more accurate emulation.

Question 4

Can box-js analyze highly obfuscated JavaScript samples?

Accepted Answer

Yes, it offers preprocessing flags like --preprocess and --unsafe-preprocess to deobfuscate code, though these can break on edge cases such as redefined prototypes, requiring careful tuning for each sample.

Question 5

How to set up box-js with Docker for safer isolation?

Accepted Answer

Check the integrations/README.md file for Docker instructions. Running analyses in a temporary Docker container is recommended to enhance isolation, as noted in the usage tips to prevent system risks.

Question 6

What to do if box-js encounters an unknown ActiveX object?

Accepted Answer

You must manually add a case in the ActiveXObject function in the source code, implement the required methods, and iterate until the analysis runs without errors, as described in the 'Expanding' guide.

box-js

What is box-js?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions