diff --git a/jsjaws.py b/jsjaws.py
index 167b4201..3c67d4d8 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -871,7 +871,11 @@ def log_and_replace(match) -> bytes:
 self.log.debug(f"Replaced VBScript Env variable: ({truncate(property_name)}) = {truncate(property_value)};")
 # Since we are looking for the character prior to this assignment, we need to add it again
 leading_char_index = match.regs[0][0]
- leading_char = match.string.decode()[leading_char_index]
+ try:
+ decoded_match_string = match.string.decode()
+ except UnicodeDecodeError:
+ return
+ leading_char = decoded_match_string[leading_char_index]
 return f"{leading_char}[{property_name}] = {property_value};".encode()
 new_content = re.sub(VBSCRIPT_ENV_SETTING_REGEX, log_and_replace, file_content)
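Review bot: The bare `return` in the new `except UnicodeDecodeError` branch hands `None` back to `re.sub`, which CPython treats as an empty replacement, so the matched VBScript env assignment is silently deleted from the rewritten content and the `-> bytes` annotation no longer holds. Returning the original match keeps the content intact while still skipping the rewrite: `except UnicodeDecodeError:` / `self.log.debug("Could not decode content around VBScript Env variable; leaving match as-is")` / `return match.group(0)`. Note also that `match.string.decode()` decodes the entire file content once per match, and that `match.regs[0][0]` is a byte offset being used to index the decoded str, which only lines up while everything before the match is single-byte; decoding once outside the callback (or indexing `match.string` as bytes) would address both. `log_and_replace` and its enclosing method both extend beyond the hunk.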
@@ -1041,21 +1045,26 @@ def _setup_boxjs_args(self, request: ServiceRequest, tool_timeout: int) -> List[
 :param tool_timeout: The time that the tool with run for
 :return: A list of arguments used for running Box.js
 """
- # --no-kill Do not kill the application when runtime errors occur
- # --no-rewrite Do not rewrite the source code at all, other than for `@cc_on` support
- # --loglevel Logging level (debug, verbose, info, warning, error - default "info")
- # --output-dir The location on disk to write the results files and folders to (defaults to the
- # current directory)
- # --timeout The script will timeout after this many seconds (default 10)
- # --prepended-code Prepend the JavaScript in the given file to the sample prior to sandboxing
 boxjs_args = [
 self.path_to_boxjs,
+ # Do not kill the application when runtime errors occur
 "--no-kill",
+ # Do not rewrite the source code at all, other than for `@cc_on` support
 "--no-rewrite",
+ # Logging level (debug, verbose, info, warning, error - default "info")
 "--loglevel=debug",
+ # The location on disk to write the results files and folders to (defaults to the current directory)
 f"--output-dir={self.working_directory}",
+ # The script will timeout after this many seconds (default 10)
 f"--timeout={tool_timeout}",
+ # Prepend the JavaScript in the given file to the sample prior to sandboxing
 f"--prepended-code={self.path_to_boxjs_boilerplate}",
+ # Fake file name to use for the sample being analyzed. Can be a full path or just
+ # the file name to use. If you have '\' in the path escape them as '\\' in this
+ # command line argument value (ex. --fake-sample-name=C:\\foo\\bar.js).
+ # f"--fake-sample-name={path.basename(request.task.file_name)}",
+ # Fake that HTTP requests work and have them return a fake payload
+ "--fake-download",
 ]
 no_shell_error = request.get_param("no_shell_error")
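Review bot: `--fake-download` makes Box.js answer every HTTP request with a canned payload, and the fixtures updated in this same commit show that payload surfacing as a scored finding: the `ConsoleOutput` signature now fires on `Returning HTTP 200 (Success) with fake response payload 'console.log("EXECUTED DOWNLOADED PAYLOAD");...` and adds 10 to each affected sample's score, which attributes sandbox scaffolding to the sample. Consider dropping that known sandbox line in `_handle_boxjs_output` (next to the existing `[verb] Code saved to` filter) or excluding it from the signature input. The commented-out `# f"--fake-sample-name=..."` entry is dead code; either remove it or replace it with a one-line comment stating why it is disabled. `_setup_boxjs_args` continues past the end of the hunk.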
@@ -1301,6 +1310,7 @@ def _handle_boxjs_output(self, responses: Dict[str, List[str]], boxjs_args: List
 if line.startswith("[verb] Code saved to"):
 continue
 else:
+ print(line)
 boxjs_output.append(line)
 return boxjs_output
@@ -3079,6 +3089,8 @@ def _extract_payloads(self, sample_sha256: str, deep_scan: bool) -> None:
 box_js_payloads = []
 for file in sorted(listdir(boxjs_output_dir)):
+ print(path.join(boxjs_output_dir, file))
+ print(path.getsize(path.join(boxjs_output_dir, file)))
 if file not in snippet_keys:
 box_js_payloads.append((file, path.join(boxjs_output_dir, file)))
@@ -3317,7 +3329,7 @@ def _extract_urls(self, request: ServiceRequest) -> None:
 ioc_json = loads(file_contents)
 for ioc in ioc_json:
 value = ioc.get("value", "")
- if ioc["type"] == "UrlFetch":
+ if ioc["type"] in ["UrlFetch", "XMLHttpRequest"]:
 if any(value["url"] == url["url"] for url in urls_rows):
 continue
 elif not add_tag(urls_result_section, "network.dynamic.uri", value["url"], self.safelist):
@@ -3407,7 +3419,7 @@ def _extract_supplementary(self, output: List[str]) -> None:
 "description": f"{BOX_JS} Output",
 "to_be_extracted": False,
 }
- self.log.debug(f"Adding supplementary file: {boxjs_analysis_log}")
+ self.log.debug(f"Adding supplementary file: {boxjs_analysis_log['path']}")
 self.artifact_list.append(boxjs_analysis_log)
 def _run_signatures(self, output: List[str], result: Result, display_iocs: bool = False) -> None:
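Review bot: `print(line)` in `_handle_boxjs_output` looks like a debugging leftover that writes every Box.js output line to the service's stdout; the same applies to the two `print(...)` calls added to `_extract_payloads` in the `@@ -3079` hunk. Either remove them or route them through the logger, e.g. `self.log.debug("Box.js output line: %s", line)` and `self.log.debug("Box.js payload %s (%d bytes)", path.join(boxjs_output_dir, file), path.getsize(path.join(boxjs_output_dir, file)))`. Both enclosing methods start before their hunks.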
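Review bot: Widening the condition to `XMLHttpRequest` keeps the unguarded `value["url"]` on the following line while `value` defaults to `""` two lines above, so an `XMLHttpRequest` IOC without a `url` key (or with a plain-string value) raises and aborts URL extraction for the whole sample; I cannot confirm the XMLHttpRequest value shape from here. The `_extract_boxjs_iocs` hunk in this commit already uses the safer `value.get("url")` form; matching it here would be `if ioc["type"] in ["UrlFetch", "XMLHttpRequest"] and isinstance(value, dict) and value.get("url"):`. `_extract_urls` starts and ends outside the hunk.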
@@ -3550,19 +3562,31 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
 commands_to_display = list()
 file_writes = set()
 file_reads = set()
+ file_folder_exists = set()
+ remote_scripts = set()
+ windows_installers = set()
+ regkey_reads = set()
+ regkey_writes = set()
+ new_resources_associated_with_url = set()
+ other = list()
 cmd_count = 0
 for ioc in ioc_json:
- type = ioc["type"]
+ ioc_type = ioc["type"]
 value = ioc.get("value", "")
- if type == "Run" and "command" in value:
- if value["command"] not in commands:
- commands.add(value["command"].strip())
+ if ioc_type in ["Run", "WMI.GetObject.Create"]:
+ command = None
+ if ioc_type == "Run":
+ command = value["command"]
+ commands.add(command.strip())
+ else:
+ command = value
+ commands.add(command.strip())
 # We want to extract powershell commands to a powershell file, which can be confirmed using multidecoder
 try:
- matches = find_powershell_strings(value["command"].encode())
+ matches = find_powershell_strings(command.encode())
 except BinasciiError as e:
- self.log.debug(f"Could not base64-decode encoded command value '{value['command']}' due to '{e}'")
+ self.log.debug(f"Could not base64-decode encoded command value '{command}' due to '{e}'")
 matches = []
 if matches:
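Review bot: `command = value["command"]` drops the `"command" in value` guard the removed line had, so a `Run` IOC without that key now raises `KeyError` and aborts IOC extraction for the sample, and the `WMI.GetObject.Create` branch assumes `value` is already a string before calling `.strip()`. The `command = None` seed and the duplicated `commands.add(command.strip())` can go at the same time: `command = value.get("command") if ioc_type == "Run" else value` / `if not isinstance(command, str) or not command.strip(): continue` / `commands.add(command.strip())`. The removed `if value["command"] not in commands:` dedupe is not reinstated, so, as far as the collapsed indentation lets me tell, a repeated command is now re-extracted and counted in `cmd_count` every time it appears. `_extract_boxjs_iocs` continues beyond the hunk in both directions.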
@@ -3574,15 +3598,44 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
 ps1_cmd_spotted = True
 else:
 # Write non-ps1 to file
- commands_to_display.append(value["command"].strip())
- boxjs_batch_extraction.write(value["command"].strip() + "\n")
+ commands_to_display.append(command.strip())
+ boxjs_batch_extraction.write(command.strip() + "\n")
 batch_cmd_spotted = True
 cmd_count += 1
- elif type == "FileWrite" and "file" in value:
+ elif ioc_type == "FileWrite" and value.get("file"):
 file_writes.add(value["file"])
- elif type == "FileRead" and "file" in value:
+ elif ioc_type == "FileRead" and value.get("file"):
 file_reads.add(value["file"])
+ elif ioc_type == "Remote Script" and value.get("url"):
+ remote_scripts.add(value["url"])
+ elif ioc_type in ["FileExists", "FolderExists"]:
+ file_folder_exists.add(value)
+ elif ioc_type == "WindowsInstaller" and value.get("url"):
+ windows_installers.add(value["url"])
+ elif ioc_type == "RegRead" and value.get("key"):
+ regkey_reads.add(value["key"])
+ elif ioc_type == "RegWrite" and value.get("key"):
+ regkey_writes.add(value["key"])
+ elif ioc_type == "NewResource":
+ if not value.get("latestUrl"):
+ continue
+ new_resources_associated_with_url.add(dumps({"path": value["path"], "url": value["latestUrl"]}))
+
+ # Sample Name, DOM Writes, PayloadExec, Environ, ADODBStream are not interesting
+ # UrlFetch, XMLHttpRequest are handled somewhere else in the code
+ elif ioc_type in [
+ "Sample Name",
+ "UrlFetch",
+ "DOM Write",
+ "PayloadExec",
+ "Environ",
+ "XMLHttpRequest",
+ "ADODBStream",
+ ]:
+ continue
+ else:
+ other.append(ioc)
 boxjs_ps1_extraction.close()
 boxjs_batch_extraction.close()
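Review bot: `file_folder_exists.add(value)` is the only new branch that adds `value` without checking its shape, so a `FileExists`/`FolderExists` IOC whose value is absent (the `""` default) records an empty line, and one whose value is a dict rather than a string raises `TypeError: unhashable type`; appending `and isinstance(value, str) and value` to that `elif` would match the guards on the neighbouring branches. In the `NewResource` branch `value["path"]` is unguarded while `latestUrl` is, and the `dumps(...)` round trip exists only to make the pair hashable — a tuple `(value["path"], value["latestUrl"])` does that without re-parsing in the reporting code. The `_extract_boxjs_iocs` body continues outside the hunk.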
@@ -3621,22 +3674,97 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
 file_writes_result_section = ResultTextSection(
 "The script wrote the following files", parent=ioc_result_section
 )
- file_writes_result_section.add_lines(list(file_writes))
+ sorted_file_writes = sorted(file_writes)
+ file_writes_result_section.add_lines(sorted_file_writes)
 [
 file_writes_result_section.add_tag("dynamic.process.file_name", file_write)
- for file_write in list(file_writes)
+ for file_write in sorted_file_writes
 ]
 if file_reads:
 file_reads_result_section = ResultTextSection(
 "The script read the following files", parent=ioc_result_section
 )
- file_reads_result_section.add_lines(list(file_reads))
+ sorted_file_reads = sorted(file_reads)
+ file_reads_result_section.add_lines(sorted_file_reads)
 [
 file_reads_result_section.add_tag("dynamic.process.file_name", file_read)
- for file_read in list(file_reads)
+ for file_read in sorted_file_reads
 ]
+
+ if file_folder_exists:
+ file_folder_exists_result_section = ResultTextSection(
+ "The script checked if the following files/folders existed", parent=ioc_result_section
+ )
+ sorted_file_folder_exists = sorted(file_folder_exists)
+ file_folder_exists_result_section.add_lines(sorted_file_folder_exists)
+ [
+ file_folder_exists_result_section.add_tag("dynamic.process.file_name", file_folder_exist)
+ for file_folder_exist in sorted_file_folder_exists
+ ]
+
+ if remote_scripts:
+ remote_scripts_result_section = ResultTextSection(
+ "The script contains the following remote scripts", parent=ioc_result_section
+ )
+ sorted_remote_scripts = sorted(remote_scripts)
+ remote_scripts_result_section.add_lines(sorted_remote_scripts)
+ [
+ add_tag(remote_scripts_result_section, "network.dynamic.uri", remote_script)
+ for remote_script in sorted_remote_scripts
+ ]
+
+ if windows_installers:
+ windows_installers_result_section = ResultTextSection(
+ "The script contains the following Windows Installers", parent=ioc_result_section
+ )
+ sorted_windows_installers = sorted(windows_installers)
+ windows_installers_result_section.add_lines(sorted_windows_installers)
+ [
+ add_tag(windows_installers_result_section, "network.dynamic.uri", windows_installer)
+ for windows_installer in sorted_windows_installers
+ ]
+
+ if regkey_reads:
+ regkey_reads_result_section = ResultTextSection(
+ "The script read the following registry keys", parent=ioc_result_section
+ )
+ sorted_regkey_reads = sorted(regkey_reads)
+ regkey_reads_result_section.add_lines(sorted_regkey_reads)
+ [
+ regkey_reads_result_section.add_tag("dynamic.registry_key", regkey_read)
+ for regkey_read in sorted_regkey_reads
+ ]
+
+ if regkey_writes:
+ regkey_writes_result_section = ResultTextSection(
+ "The script wrote the following registry keys", parent=ioc_result_section
+ )
+ sorted_regkey_writes = sorted(regkey_writes)
+ regkey_writes_result_section.add_lines(sorted_regkey_writes)
+ [
+ regkey_writes_result_section.add_tag("dynamic.registry_key", regkey_write)
+ for regkey_write in sorted_regkey_writes
+ ]
+
+ if new_resources_associated_with_url:
+ new_resources_associated_with_url_result_section = ResultMultiSection(
+ "The script created the following resources associated with a URL", parent=ioc_result_section
+ )
+
+ for new_resource in sorted(new_resources_associated_with_url):
+ nr = loads(new_resource)
+ new_resources_associated_with_url_result_section.add_tag("dynamic.process.file_name", nr["path"])
+ add_tag(new_resources_associated_with_url_result_section, "network.dynamic.uri", nr["url"])
+ new_resources_associated_with_url_result_section.add_section_part(KVSectionBody(**nr))
+
+ if other:
+ other_result_section = ResultMultiSection(
+ "The script did the following other interesting things", parent=ioc_result_section
+ )
+ for other_item in other:
+ other_result_section.add_section_part(KVSectionBody(**other_item))
+
 if ioc_result_section.subsections:
 ioc_result_section.set_heuristic(2)
 result.add_section(ioc_result_section)
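Review bot: The new `add_tag(remote_scripts_result_section, "network.dynamic.uri", remote_script)` call — and the matching ones for `windows_installers` and `new_resources_associated_with_url` — omit the `self.safelist` argument that `_extract_urls` passes to `add_tag` elsewhere in this commit, so Box.js-sourced URLs are presumably tagged and counted even when their host is safelisted; pass `self.safelist` here as well. The six `if <set>:` blocks are the same ten lines with different titles and tag types, and each drives its side effects through a list comprehension whose result is discarded; a small helper with a plain `for` loop keeps the categories consistent and makes the safelist decision explicit per call (sketched below). `KVSectionBody(**other_item)` spreads whatever keys Box.js emitted in an IOC as keyword arguments, which only works while every key is a valid identifier that `KVSectionBody` accepts — I cannot confirm that from here. `_extract_boxjs_iocs` starts before the hunk.

```python
def _add_boxjs_ioc_section(self, title: str, values: set, tag_type: str, parent, *, use_safelist: bool = False) -> None:
    # Shared reporting for one Box.js IOC category: sorted lines plus one tag per value.
    section = ResultTextSection(title, parent=parent)
    sorted_values = sorted(values)
    section.add_lines(sorted_values)
    for value in sorted_values:
        if use_safelist:
            add_tag(section, tag_type, value, self.safelist)
        else:
            section.add_tag(tag_type, value)

# … unchanged: file_writes / file_reads sections …
if remote_scripts:
    self._add_boxjs_ioc_section(
        "The script contains the following remote scripts",
        remote_scripts,
        "network.dynamic.uri",
        ioc_result_section,
        use_safelist=True,
    )
# … unchanged: remaining categories follow the same call shape …
```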
diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml
index a9541d21..8c7b5124 100755
--- a/pipelines/azure-tests.yaml
+++ b/pipelines/azure-tests.yaml
@@ -69,6 +69,7 @@ jobs:
 # Install Node packages
 cd tools
 npm install
+ npm list --all
 displayName: Setup environment
 - script: |
 set -x # echo on
@@ -78,5 +79,5 @@ jobs:
 # Override the path to make sure Azure doesn't interfere
 export PATH="/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 export REPO_NAME=${BUILD_REPOSITORY_NAME##*/}
- python -m pytest -p no:cacheprovider --durations=10 -rsx -xsvvv --disable-warnings
+ python -m pytest -p no:cacheprovider --durations=10 -rsx -xsvvv --disable-warnings -k 14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116
 displayName: Test
diff --git a/pipelines/nightly.Dockerfile b/pipelines/nightly.Dockerfile
index b1b2bda9..caf8d539 100644
--- a/pipelines/nightly.Dockerfile
+++ b/pipelines/nightly.Dockerfile
@@ -2,7 +2,7 @@ FROM cccstemp.azurecr.io/assemblyline-root-build:stable AS base
 # Install necessary packages for service testing
 RUN apt-get update
-RUN apt-get install -y libfuzzy-dev libfuzzy2 curl
+RUN apt-get install -y libfuzzy-dev libfuzzy2 curl wget unzip
 # Pinning to this version of Node
 ENV NODE_VERSION=19.7.0
@@ -12,6 +12,11 @@ WORKDIR /usr/local
 RUN curl https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz --output node-v${NODE_VERSION}-linux-x64.tar.xz
 RUN tar -xJf node-v${NODE_VERSION}-linux-x64.tar.xz --strip 1
+RUN echo "Installing Box-JS"
+RUN mkdir /opt/al_support/
+RUN wget https://github.com/cccs-kevin/box-js/archive/refs/heads/master.zip -O /opt/al_support/box-js.zip
+RUN unzip /opt/al_support/box-js.zip -d /opt/al_support/box-js
+
 # Check the version of node and npm, just to be sure
 RUN node --version
 RUN npm --version
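Review bot: The `-k 14158b01…` appended to the pytest command restricts the Azure test job to the single sample whose fixture changed most in this commit, so CI no longer exercises the other `tests/results/*` fixtures this same commit also rewrites; it reads as a local debugging flag that should be dropped before merge, restoring `python -m pytest -p no:cacheprovider --durations=10 -rsx -xsvvv --disable-warnings`. `npm list --all` in the earlier hunk is harmless but only adds diagnostic output to the setup step.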
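Review bot: `wget https://github.com/cccs-kevin/box-js/archive/refs/heads/master.zip` fetches the moving head of a personal fork with no integrity check, so the nightly image's sandbox engine is whatever that branch contains on build day — unreproducible, and replaced silently by anyone who can push to that branch. Pin the archive to a tag or full commit (`…/archive/<COMMIT_SHA>.zip`, placeholder) and verify it after download, e.g. `RUN echo "<EXPECTED_SHA256>  /opt/al_support/box-js.zip" | sha256sum -c`, and consider collapsing the download, check and `unzip` into one `RUN` so the zip does not persist as an image layer. The `wget unzip` addition in the first hunk exists only to serve this download, so it should move with it if the install method changes.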
diff --git a/tests/results/123bda1a6cedf72acd51a01f40ed32ea1e61d610ff46a05a6a7166c0777f6a8c/result.json b/tests/results/123bda1a6cedf72acd51a01f40ed32ea1e61d610ff46a05a6a7166c0777f6a8c/result.json index 36dd8ea5..69c74145 100644 --- a/tests/results/123bda1a6cedf72acd51a01f40ed32ea1e61d610ff46a05a6a7166c0777f6a8c/result.json +++ b/tests/results/123bda1a6cedf72acd51a01f40ed32ea1e61d610ff46a05a6a7166c0777f6a8c/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 23, + "score": 33, "sections": [ { "auto_collapse": false, @@ -40,6 +40,30 @@ "title_text": "Signature: ActiveXObject", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript writes data to the console\n\t\tReturning HTTP 200 (Success) with fake response payload 'console.log(\"EXECUTED DOWNLOADED PAYLOAD\");...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "console_output": 10 + }, + "signatures": { + "console_output": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ConsoleOutput", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript sends a network request\n\t\tWinHTTP.WinHTTPRequest[13].send()", @@ -225,6 +249,13 @@ "active_x_object" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "console_output" + ] + }, { "attack_ids": [], "heur_id": 3, diff --git a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json index a014350c..e3862ae7 100644 --- a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json +++ b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json 
@@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 921, + "score": 932, "sections": [ { "auto_collapse": false, @@ -42,7 +42,7 @@ }, { "auto_collapse": false, - "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: Scripting.FileSystemObject\n\t\tNew ActiveXObject: WinHttp.WinHttpRequest.5.1\n\t\tNew ActiveXObject: WScript.Shell\n\t\tActiveXObject(Scripting.FileSystemObject)\n\t\tActiveXObject(WinHttp.WinHttpRequest.5.1)\n\t\tActiveXObject(WScript.Shell)\n\t\tActiveXObject(ADODB.Stream)\n\t\tvar _a = new ActiveXObject(_0x4b[1])\n\t\tvar _b = new ActiveXObject(_0x4b[2])\n\t\tvar _c = new ActiveXObject(_0x4b[3])\n\t\tvar _g = new ActiveXObject(_0x4b[9])", + "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: Scripting.FileSystemObject\n\t\tNew ActiveXObject: WinHttp.WinHttpRequest.5.1\n\t\tNew ActiveXObject: WScript.Shell\n\t\tNew ActiveXObject: ADODB.Stream\n\t\tActiveXObject(Scripting.FileSystemObject)\n\t\tActiveXObject(WinHttp.WinHttpRequest.5.1)\n\t\tActiveXObject(WScript.Shell)\n\t\tActiveXObject(ADODB.Stream)\n\t\tvar _a = new ActiveXObject(_0x4b[1])\n\t\tvar _b = new ActiveXObject(_0x4b[2])\n\t\tvar _c = new ActiveXObject(_0x4b[3])\n\t\tvar _g = new ActiveXObject(_0x4b[9])", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -64,6 +64,30 @@ "title_text": "Signature: ActiveXObject", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript writes data to the console\n\t\tReturning HTTP 200 (Success) with fake response payload 'console.log(\"EXECUTED DOWNLOADED PAYLOAD\");...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "console_output": 10 + }, + "signatures": { + "console_output": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ConsoleOutput", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript creates a new Windows Scripting Host Shell Object\n\t\tnew WScript.Shell[14]()", @@ -162,7 +186,7 @@ }, { "auto_collapse": false, - "body": "JavaScript writes data to disk\n\t\tADODB.Stream[16].SaveToFile(\"C:\\ProgramData\\Trdce\\desired.dll\")\n\t\tvar _0x4b = [\"\\\\ProgramData\\\\\", \"Scripting.FileSystemObject\", \"WinHttp.WinHttpRequest.5.1\", \"WScript...", + "body": "JavaScript writes data to disk\n\t\tScript called ADODBStream.savetofile\n\t\tADODB.Stream[16].SaveToFile(\"C:\\ProgramData\\Trdce\\desired.dll\")\n\t\tvar _0x4b = [\"\\\\ProgramData\\\\\", \"Scripting.FileSystemObject\", \"WinHttp.WinHttpRequest.5.1\", \"WScript...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -232,6 +256,111 @@ "title_text": "Signature: WritesExecutable", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "C:\\ProgramData\\Trdce\\desired.dll", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\ProgramData\\Trdce\\desired.dll" + ] + } + } + }, + "title_text": "The script wrote the following files", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "C:\\ProgramData\\Trdce", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\ProgramData\\Trdce" + ] + } + } + }, + "title_text": "The script checked if the following files/folders existed", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": [ + [ + "KEY_VALUE", + { + "path": "C:\\ProgramData\\Trdce\\desired.dll", + "url": "https://orthodentrics.com/8GE/fdsfdsfewwwe23" + }, + {} + ] + ], + "body_config": {}, + "body_format": "MULTI", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\ProgramData\\Trdce\\desired.dll" + ] + } + }, + "network": { + "dynamic": { + "domain": [ + "orthodentrics.com" + ], + "uri": [ + "https://orthodentrics.com/8GE/fdsfdsfewwwe23" + ], + "uri_path": [ + "/8GE/fdsfdsfewwwe23" + ] + } + } + }, + "title_text": "The script created the following resources 
associated with a URL", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -336,6 +465,10 @@ }, "files": { "extracted": [ + { + "name": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a", + "sha256": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a" + }, { "name": "extracted_wscript.bat", "sha256": "b20d210cb0e10059d191871493db534e3b2b95eb3d8ecb109734de2cb3446935" @@ -357,6 +490,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -371,6 +509,13 @@ "active_x_object" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "console_output" + ] + }, { "attack_ids": [], "heur_id": 3, @@ -422,7 +567,29 @@ } ], "tags": { + "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:\\ProgramData\\Trdce" + }, + { + "heur_id": null, + "signatures": [], + "value": "C:\\ProgramData\\Trdce\\desired.dll" + }, + { + "heur_id": null, + "signatures": [], + "value": "C:\\ProgramData\\Trdce\\desired.dll" + } + ], "network.dynamic.domain": [ + { + "heur_id": null, + "signatures": [], + "value": "orthodentrics.com" + }, { "heur_id": 1, "signatures": [ @@ -432,6 +599,11 @@ } ], "network.dynamic.uri": [ + { + "heur_id": null, + "signatures": [], + "value": "https://orthodentrics.com/8GE/fdsfdsfewwwe23" + }, { "heur_id": 1, "signatures": [ @@ -441,6 +613,11 @@ } ], "network.dynamic.uri_path": [ + { + "heur_id": null, + "signatures": [], + "value": "/8GE/fdsfdsfewwwe23" + }, { "heur_id": 1, "signatures": [ diff --git a/tests/results/2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0/result.json b/tests/results/2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0/result.json index 76f2d854..96540e35 100644 --- a/tests/results/2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0/result.json 
+++ b/tests/results/2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0/result.json @@ -252,7 +252,7 @@ }, { "auto_collapse": false, - "body": "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"CURRENT_SCRIPT_IN_FAKED_DIR.js\"", + "body": "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0\"", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -263,7 +263,7 @@ "dynamic": { "process": { "command_line": [ - "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"CURRENT_SCRIPT_IN_FAKED_DIR.js\"" + "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0\"" ] } } @@ -277,7 +277,7 @@ "extracted": [ { "name": "boxjs_cmds.bat", - "sha256": "f8cc51983cf9a74f49d3dee2ca65f933cfa27152e61c58b2fa24a2be1f762fc4" + "sha256": "de0cabd9595cf2419dc88b738f121534c43e82463c7b2a91575cd0caca5dd1a0" } ], "supplementary": [ @@ -352,7 +352,7 @@ { "heur_id": null, "signatures": [], - "value": "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"CURRENT_SCRIPT_IN_FAKED_DIR.js\"" + "value": "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0\"" } ], "file.name.extracted": [ diff --git a/tests/results/3a46bbf49dd8b5bac190ca05b7c6ba26c99b6c7f1c0d56f9639be42fe0362504/result.json b/tests/results/3a46bbf49dd8b5bac190ca05b7c6ba26c99b6c7f1c0d56f9639be42fe0362504/result.json index f1dde867..d2894fe3 100644 --- a/tests/results/3a46bbf49dd8b5bac190ca05b7c6ba26c99b6c7f1c0d56f9639be42fe0362504/result.json +++ b/tests/results/3a46bbf49dd8b5bac190ca05b7c6ba26c99b6c7f1c0d56f9639be42fe0362504/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1663, + "score": 1664, "sections": [ { "auto_collapse": true, 
@@ -362,6 +362,47 @@ "title_text": "Signature: WritesExecutable", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "C:\\Users\\SYSOP1~1\\AppData\\Local\\Temp\\a.txt", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\Users\\SYSOP1~1\\AppData\\Local\\Temp\\a.txt" + ] + } + } + }, + "title_text": "The script checked if the following files/folders existed", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -669,6 +710,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -746,6 +792,13 @@ } ], "tags": { + "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:\\Users\\SYSOP1~1\\AppData\\Local\\Temp\\a.txt" + } + ], "network.dynamic.domain": [ { "heur_id": 1, diff --git a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json index 93d66dff..eab5e3e0 100644 --- a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json +++ b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1632, + "score": 1633, "sections": [ { "auto_collapse": false, 
@@ -320,6 +320,64 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register" + ] + } + }, + "title_text": "The script read the following registry keys", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register" + ] + } + }, + "title_text": "The script wrote the following registry keys", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -511,6 +569,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -585,6 +648,18 @@ "value": "taskkill /f /im mshta.exe" } ], + "dynamic.registry_key": [ + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register" + }, + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register" + } + ], "file.behavior": [ { "heur_id": null, 
diff --git a/tests/results/5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f/result.json b/tests/results/5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f/result.json index fd61fba2..7db3123c 100644 --- a/tests/results/5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f/result.json +++ b/tests/results/5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f/result.json @@ -134,7 +134,7 @@ }, { "auto_collapse": false, - "body": "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\CURRENT_SCRIPT_IN_FAKED_DIR.js\" argentometry petalledPneumonoparesis Kankedort acknowledger", + "body": "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f\" argentometry petalledPneumonoparesis Kankedort acknowledger", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -145,7 +145,7 @@ "dynamic": { "process": { "command_line": [ - "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\CURRENT_SCRIPT_IN_FAKED_DIR.js\" argentometry petalledPneumonoparesis Kankedort acknowledger" + "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f\" argentometry petalledPneumonoparesis Kankedort acknowledger" ] } } @@ -183,7 +183,7 @@ }, { "name": "boxjs_cmds.bat", - "sha256": "9b64b7d8cee577d55fe9008941646643c052a22607e92bf7cd0ca0452b5a1cb4" + "sha256": "a23ec6fe003760833455c6e87781d3b6779d338baa5d3bc3637d6219783646cb" }, { "name": "5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f.cleaned", 
@@ -238,7 +238,7 @@ { "heur_id": null, "signatures": [], - "value": "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\CURRENT_SCRIPT_IN_FAKED_DIR.js\" argentometry petalledPneumonoparesis Kankedort acknowledger" + "value": "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f\" argentometry petalledPneumonoparesis Kankedort acknowledger" } ] }, diff --git a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json index 6ed63114..4b0cbe63 100644 --- a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json +++ b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 2622, + "score": 2623, "sections": [ { "auto_collapse": false, 
@@ -155,6 +155,59 @@ "title_text": "document.write usage found in HTML", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "https://dealsontrainers.org/tete/tete.php?85434\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://tapasyaevents.com/fmu/fmu.php?55724", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "network": { + "dynamic": { + "domain": [ + "dealsontrainers.org", + "iscast.com.br", + "tapasyaevents.com" + ], + "uri": [ + "https://dealsontrainers.org/tete/tete.php?85434", + "https://iscast.com.br/udit/udit.php?68977", + "https://tapasyaevents.com/fmu/fmu.php?55724" + ], + "uri_path": [ + "/tete/tete.php?85434", + "/udit/udit.php?68977", + "/fmu/fmu.php?55724" + ] + } + } + }, + "title_text": "The script contains the following remote scripts", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -434,6 +487,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -478,6 +536,11 @@ ], "tags": { "network.dynamic.domain": [ + { + "heur_id": null, + "signatures": [], + "value": "dealsontrainers.org" + }, { "heur_id": 18, "signatures": [], @@ -491,6 +554,11 @@ ], "value": "dealsontrainers.org" }, + { + "heur_id": null, + "signatures": [], + "value": "iscast.com.br" + }, { "heur_id": 18, "signatures": [], @@ -504,6 +572,11 @@ ], "value": "iscast.com.br" }, + { + "heur_id": null, + "signatures": [], + "value": "tapasyaevents.com" + }, { "heur_id": 18, "signatures": [], 
@@ -519,6 +592,11 @@ } ], "network.dynamic.uri": [ + { + "heur_id": null, + "signatures": [], + "value": "https://dealsontrainers.org/tete/tete.php?85434" + }, { "heur_id": 18, "signatures": [], @@ -532,6 +610,11 @@ ], "value": "https://dealsontrainers.org/tete/tete.php?85434" }, + { + "heur_id": null, + "signatures": [], + "value": "https://iscast.com.br/udit/udit.php?68977" + }, { "heur_id": 18, "signatures": [], @@ -545,6 +628,11 @@ ], "value": "https://iscast.com.br/udit/udit.php?68977" }, + { + "heur_id": null, + "signatures": [], + "value": "https://tapasyaevents.com/fmu/fmu.php?55724" + }, { "heur_id": 18, "signatures": [], @@ -560,6 +648,11 @@ } ], "network.dynamic.uri_path": [ + { + "heur_id": null, + "signatures": [], + "value": "/fmu/fmu.php?55724" + }, { "heur_id": 18, "signatures": [], @@ -573,6 +666,11 @@ ], "value": "/fmu/fmu.php?55724" }, + { + "heur_id": null, + "signatures": [], + "value": "/tete/tete.php?85434" + }, { "heur_id": 18, "signatures": [], @@ -586,6 +684,11 @@ ], "value": "/tete/tete.php?85434" }, + { + "heur_id": null, + "signatures": [], + "value": "/udit/udit.php?68977" + }, { "heur_id": 18, "signatures": [], diff --git a/tests/results/850f1ee027d86cd61921195e5fd41a39edaf9a44261dfdce37dc0bff535c526e/result.json b/tests/results/850f1ee027d86cd61921195e5fd41a39edaf9a44261dfdce37dc0bff535c526e/result.json index a48f8fbf..c9bb2c7f 100644 --- a/tests/results/850f1ee027d86cd61921195e5fd41a39edaf9a44261dfdce37dc0bff535c526e/result.json +++ b/tests/results/850f1ee027d86cd61921195e5fd41a39edaf9a44261dfdce37dc0bff535c526e/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 652, + "score": 653, "sections": [ { "auto_collapse": true, 
@@ -270,6 +270,47 @@ "title_text": "Signature: SuspiciousUseOfCharCodes", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "C:\\Users\\Public\\po", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\Users\\Public\\po" + ] + } + } + }, + "title_text": "The script checked if the following files/folders existed", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -535,6 +576,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -653,6 +699,13 @@ "value": "colorcpl.exe C:\\\\Windows\\\\System32\\\\bitsadmin.exe" } ], + "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:\\Users\\Public\\po" + } + ], "network.dynamic.domain": [ { "heur_id": 13, diff --git a/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json b/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json index 1730afbc..0241ea9c 100644 --- a/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json +++ b/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 24, + "score": 25, "sections": [ { "auto_collapse": false, 
@@ -64,6 +64,53 @@ "title_text": "Signature: NetworkRequest", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "https://acehphonnajaya.com/css/ke.msi", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "network": { + "dynamic": { + "domain": [ + "acehphonnajaya.com" + ], + "uri": [ + "https://acehphonnajaya.com/css/ke.msi" + ], + "uri_path": [ + "/css/ke.msi" + ] + } + } + }, + "title_text": "The script contains the following Windows Installers", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -270,6 +317,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -294,6 +346,11 @@ } ], "network.dynamic.domain": [ + { + "heur_id": null, + "signatures": [], + "value": "acehphonnajaya.com" + }, { "heur_id": 1, "signatures": [], @@ -306,6 +363,11 @@ } ], "network.dynamic.uri": [ + { + "heur_id": null, + "signatures": [], + "value": "https://acehphonnajaya.com/css/ke.msi" + }, { "heur_id": 1, "signatures": [], @@ -318,6 +380,11 @@ } ], "network.dynamic.uri_path": [ + { + "heur_id": null, + "signatures": [], + "value": "/css/ke.msi" + }, { "heur_id": 1, "signatures": [], diff --git a/tests/results/a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e/result.json b/tests/results/a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e/result.json index 0f17aba9..fb53825d 100644 
--- a/tests/results/a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e/result.json +++ b/tests/results/a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1131, + "score": 1142, "sections": [ { "auto_collapse": false, @@ -16,6 +16,30 @@ "title_text": "Signatures", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: shell.application", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "active_x_object": 10 + }, + "signatures": { + "active_x_object": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ActiveXObject", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript decodes a Uniform Resource Identifier\n\t\treturn decodeURIComponent(spatterdock)\n\t\treturn decodeURIComponent(unediblyknotberry)", 
@@ -112,6 +136,47 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "reg add HKCU\\SOFTWARE\\overcarelesslyEnjoins /v TheoremsUniridescently /d qwkpoOQavfDtuJpiIGvlQQUsrqHKIraZiVPmfLOOSllIcYXwYQbfKekUPCfZlfjTJoZLxENPyctMporxEleWgHlKGlShkUNSwrKrQyITvoMgVJNwqmgrYTxliZzeRUUekXIDpUlxMoGPQdogntnFAKOxswviEHWqXgqAepSXUdpQZHnedntgANtfmRGruyfVbdUFlKyefXVOdIbEYciQpnhPKFAGhcIzFdIzPONVVsYlkNaLkxGBFwzWgaOTapGNvWobNtZHsZEBeulRazmjuHmNaxrDYFbGAVEjJHAxYxgRyYWjLQsRDHfKSlaFFxksKdaBBLtiwmmbYGgXXUvrdDpDUKvgdtnxwTkBSBvzwAVpCEWswyHvbHDnQqiiHKvwcXFizIardqLQVgHXtSx", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "command_line": [ + "reg add HKCU\\SOFTWARE\\overcarelesslyEnjoins /v TheoremsUniridescently /d qwkpoOQavfDtuJpiIGvlQQUsrqHKIraZiVPmfLOOSllIcYXwYQbfKekUPCfZlfjTJoZLxENPyctMporxEleWgHlKGlShkUNSwrKrQyITvoMgVJNwqmgrYTxliZzeRUUekXIDpUlxMoGPQdogntnFAKOxswviEHWqXgqAepSXUdpQZHnedntgANtfmRGruyfVbdUFlKyefXVOdIbEYciQpnhPKFAGhcIzFdIzPONVVsYlkNaLkxGBFwzWgaOTapGNvWobNtZHsZEBeulRazmjuHmNaxrDYFbGAVEjJHAxYxgRyYWjLQsRDHfKSlaFFxksKdaBBLtiwmmbYGgXXUvrdDpDUKvgdtnxwTkBSBvzwAVpCEWswyHvbHDnQqiiHKvwcXFizIardqLQVgHXtSx" + ] + } + } + }, + "title_text": "The script ran the following commands", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ 
@@ -199,6 +264,10 @@ { "name": "a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e.cleaned", "sha256": "369c60837a3cd55697de80a4f0d09aae6026da2be89c8d617b8d581bcad19b10" + }, + { + "name": "boxjs_cmds.bat", + "sha256": "a3eda370b58b3bb21be402bbdebd57b0329dcdf71903e1882cbf31923c52efb2" } ], "supplementary": [] @@ -210,6 +279,18 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "active_x_object" + ] + }, { "attack_ids": [], "heur_id": 3, @@ -245,6 +326,13 @@ } ], "tags": { + "dynamic.process.command_line": [ + { + "heur_id": null, + "signatures": [], + "value": "reg add HKCU\\SOFTWARE\\overcarelesslyEnjoins /v TheoremsUniridescently /d qwkpoOQavfDtuJpiIGvlQQUsrqHKIraZiVPmfLOOSllIcYXwYQbfKekUPCfZlfjTJoZLxENPyctMporxEleWgHlKGlShkUNSwrKrQyITvoMgVJNwqmgrYTxliZzeRUUekXIDpUlxMoGPQdogntnFAKOxswviEHWqXgqAepSXUdpQZHnedntgANtfmRGruyfVbdUFlKyefXVOdIbEYciQpnhPKFAGhcIzFdIzPONVVsYlkNaLkxGBFwzWgaOTapGNvWobNtZHsZEBeulRazmjuHmNaxrDYFbGAVEjJHAxYxgRyYWjLQsRDHfKSlaFFxksKdaBBLtiwmmbYGgXXUvrdDpDUKvgdtnxwTkBSBvzwAVpCEWswyHvbHDnQqiiHKvwcXFizIardqLQVgHXtSx" + } + ], "network.static.domain": [ { "heur_id": 2, diff --git a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json index 60f2d4e5..01e7a2d7 100644 --- a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json +++ b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1632, + "score": 1633, "sections": [ { "auto_collapse": false, 
@@ -320,6 +320,64 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg" + ] + } + }, + "title_text": "The script read the following registry keys", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg" + ] + } + }, + "title_text": "The script wrote the following registry keys", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -512,6 +570,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -579,6 +642,18 @@ "value": "rundll32 C:\\ProgramData\\index1.png,Wind " } ], + "dynamic.registry_key": [ + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg" + }, + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg" + } + ], "file.behavior": [ { "heur_id": null, 
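Review bot: The new `dynamic.registry_key` tag list in this fixture carries the same value `HKCU\SOFTWARE\Xeonitox\MP3Conv\Cfg` twice, once contributed by the "read the following registry keys" section and once by the "wrote the following registry keys" section, so the expected output locks in a duplicated tag. If tags are meant to be a set, the code that aggregates them should deduplicate before this fixture is committed; if reads and writes are deliberately tracked as separate entries, a short comment at the aggregation point saying so would stop the next reader from filing it as a bug. The same duplication appears in the f0a00d… and f1b65c… result fixtures further down.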
diff --git a/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json b/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json index e15e8fea..06fe3bc0 100644 --- a/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json +++ b/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 541, + "score": 551, "sections": [ { "auto_collapse": false, @@ -40,6 +40,30 @@ "title_text": "Signature: ActiveXObject", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript writes data to the console\n\t\tReturning HTTP 200 (Success) with fake response payload 'console.log(\"EXECUTED DOWNLOADED PAYLOAD\");...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "console_output": 10 + }, + "signatures": { + "console_output": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ConsoleOutput", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript sends a network request\n\t\tMSXML2.XMLHTTP[12].send()\n\t\to.send()", @@ -239,6 +263,13 @@ "active_x_object" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "console_output" + ] + }, { "attack_ids": [], "heur_id": 3, diff --git a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json index d5f4d1dc..a21e7518 100644 --- a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json +++ b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json 
@@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1632, + "score": 1633, "sections": [ { "auto_collapse": false, @@ -320,6 +320,64 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Firm\\Soft\\Name" + ] + } + }, + "title_text": "The script read the following registry keys", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Firm\\Soft\\Name" + ] + } + }, + "title_text": "The script wrote the following registry keys", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -512,6 +570,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -579,6 +642,18 @@ "value": "rundll32 C:\\ProgramData\\121.png,Wind " } ], + "dynamic.registry_key": [ + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Firm\\Soft\\Name" + }, + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Firm\\Soft\\Name" + } + ], "file.behavior": [ { "heur_id": null, 
diff --git a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json index 56094cba..4a04668a 100644 --- a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json +++ b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1632, + "score": 1633, "sections": [ { "auto_collapse": false, @@ -320,6 +320,64 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy" + ] + } + }, + "title_text": "The script read the following registry keys", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy" + ] + } + }, + "title_text": "The script wrote the following registry keys", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ 
@@ -511,6 +569,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -585,6 +648,18 @@ "value": "taskkill /f /im mshta.exe" } ], + "dynamic.registry_key": [ + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy" + }, + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy" + } + ], "file.behavior": [ { "heur_id": null, diff --git a/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json b/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json index a9af3634..760f4ba3 100644 --- a/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json +++ b/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 83, + "score": 93, "sections": [ { "auto_collapse": true, @@ -130,6 +130,30 @@ "title_text": "Signature: WinMgmtsAutoObject", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript writes data to the console\n\t\tReturning HTTP 200 (Success) with fake response payload 'console.log(\"EXECUTED DOWNLOADED PAYLOAD\");...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "console_output": 10 + }, + "signatures": { + "console_output": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ConsoleOutput", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript returns a reference to an object provided by an ActiveX component\n\t\tGetObject(winmgmts:{impersonationLevel=impersonate}!Win32_Process, undefined)", 
@@ -270,6 +294,27 @@ "title_text": "IOCs extracted by Box.js", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "rundll32 C:\\ProgramData\\wJPBCKy.HoGKdJI,Wind", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "command_line": [ + "rundll32 C:\\ProgramData\\wJPBCKy.HoGKdJI,Wind" + ] + } + } + }, + "title_text": "The script ran the following commands", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "C:/ProgramData/wJPBCKy.HoGKdJI", @@ -291,6 +336,49 @@ "title_text": "The script wrote the following files", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": [ + [ + "KEY_VALUE", + { + "path": "C:/ProgramData/wJPBCKy.HoGKdJI", + "url": "http://gkjdepok.org/crtfc/TsCw3rCG.dll" + }, + {} + ] + ], + "body_config": {}, + "body_format": "MULTI", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:/ProgramData/wJPBCKy.HoGKdJI" + ] + } + }, + "network": { + "dynamic": { + "domain": [ + "gkjdepok.org" + ], + "uri": [ + "http://gkjdepok.org/crtfc/TsCw3rCG.dll" + ], + "uri_path": [ + "/crtfc/TsCw3rCG.dll" + ] + } + } + }, + "title_text": "The script created the following resources associated with a URL", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -390,7 +478,16 @@ ] }, "files": { - "extracted": [], + "extracted": [ + { + "name": "boxjs_cmds.bat", + "sha256": "371c59b411db032c8668d9324a40e50a135d574cd34a24989d5c0548d32b7053" + }, + { + "name": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a", + "sha256": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a" + } + ], "supplementary": [ { "name": "temp_javascript.js", 
@@ -436,6 +533,13 @@ "auto_object_winmgmts" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "console_output" + ] + }, { "attack_ids": [], "heur_id": 3, @@ -473,7 +577,19 @@ } ], "tags": { + "dynamic.process.command_line": [ + { + "heur_id": null, + "signatures": [], + "value": "rundll32 C:\\ProgramData\\wJPBCKy.HoGKdJI,Wind" + } + ], "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:/ProgramData/wJPBCKy.HoGKdJI" + }, { "heur_id": null, "signatures": [], @@ -481,6 +597,11 @@ } ], "network.dynamic.domain": [ + { + "heur_id": null, + "signatures": [], + "value": "gkjdepok.org" + }, { "heur_id": 1, "signatures": [], @@ -488,6 +609,11 @@ } ], "network.dynamic.uri": [ + { + "heur_id": null, + "signatures": [], + "value": "http://gkjdepok.org/crtfc/TsCw3rCG.dll" + }, { "heur_id": 1, "signatures": [], @@ -495,6 +621,11 @@ } ], "network.dynamic.uri_path": [ + { + "heur_id": null, + "signatures": [], + "value": "/crtfc/TsCw3rCG.dll" + }, { "heur_id": 1, "signatures": [], diff --git a/tools/gootloader/GootLoaderAutoJsDecode.py b/tools/gootloader/GootLoaderAutoJsDecode.py index 2c3a8a04..8109aeb2 100644 --- a/tools/gootloader/GootLoaderAutoJsDecode.py +++ b/tools/gootloader/GootLoaderAutoJsDecode.py @@ -122,6 +122,8 @@ def convertConcatToString(inputConcatMatches, inputVarsDict, noEquals=False): def decodeString(scripttext): # Gootloader decode function ans = "" + if not scripttext: + return ans for i in range(0, len(scripttext)): if i % 2 == 1: ans += scripttext[i] 
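Review bot: The guard `if not scripttext: return ans` added to `decodeString` is redundant for the empty-string case — `range(0, len(""))` yields nothing, so the loop already returns `""` — and it only changes behaviour when `scripttext` is `None`, where a `TypeError` now becomes a silent empty result. If `None` from a failed earlier decode round is the case being handled, state that on the guard, e.g. `if not scripttext:  # None/empty from a failed earlier round: nothing to decode`, so the fallback reads as deliberate. The odd-index loop that follows is `scripttext[1::2]` unless the rest of the function, which is outside this hunk, builds on `ans` incrementally.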
@@ -179,17 +181,17 @@ def getGootVersion(topFileData, log: Logger = print): gloader21sample = False if re.search(r"jQuery JavaScript Library v\d{1,}\.\d{1,}\.\d{1,}$", topFileData): - log("\nGootLoader Obfuscation Variant 2.0 detected") + log("GootLoader Obfuscation Variant 2.0 detected") gloader21sample = False elif goot3linesPattern.match(topFileData): log( - '\nGootLoader Obfuscation Variant 3.0 detected\n\nIf this fails try using CyberChef "JavaScript Beautify" against the file first.' + 'GootLoader Obfuscation Variant 3.0 detected\n\nIf this fails try using CyberChef "JavaScript Beautify" against the file first.' ) gloader3sample = True # 3 and 2 have some overlap so enabling both flags for simplicity gloader21sample = True else: - log("\nGootLoader Obfuscation Variant 2.1 or higher detected") + log("Attempting default option for GootLoader Obfuscation Variant 2.1 or higher") gloader21sample = True return gloader21sample, gloader3sample @@ -317,9 +319,11 @@ def findCodeMatchInRound1Result(inputStr): # Find code text in the result of the first decode round findCodeinQuotePattern = re.compile(r"(? 0: + return results[0] + else: + return "" def getVariableAndConcatPatterns(isGloader21Sample): @@ -377,6 +381,7 @@ def parseRound2Data( ): output_domains = list() persistence = None + maliciousDomains = list() if round2InputStr.startswith("function"): log("GootLoader Obfuscation Variant 3.0 sample detected.") @@ -398,8 +403,8 @@ def parseRound2Data( else: outputFileName = payload_path - log("\nScript output Saved to: %s\n" % outputFileName) - log("\nThe script will new attempt to deobfuscate the %s file." % outputFileName) + log("Script output Saved to: %s\n" % outputFileName) + log("The script will new attempt to deobfuscate the %s file." % outputFileName) else: if isGootloader3sample: outputCode = round2InputStr.replace("'+'", "").replace("')+('", "").replace("+()+", "").replace("?+?", "") 
@@ -416,15 +421,16 @@ def parseRound2Data(
 outputCode = round2InputStr
 
 v2DomainRegex = re.compile(r"(.*)(\[\".*?\"\])(.*)")
- domainsMatch = v2DomainRegex.search(round2InputStr)[2]
- maliciousDomains = (
- domainsMatch.replace("[", "")
- .replace("]", "")
- .replace('"', "")
- .replace("+(", "")
- .replace(")+", "")
- .split(",")
- )
+ if round2InputStr:
+ domainsMatch = v2DomainRegex.search(round2InputStr)[2]
+ maliciousDomains = (
+ domainsMatch.replace("[", "")
+ .replace("]", "")
+ .replace('"', "")
+ .replace("+(", "")
+ .replace(")+", "")
+ .split(",")
+ )
 
 # Store the malicious domains and return the list.s
 for domain in maliciousDomains:
@@ -435,11 +441,12 @@ def parseRound2Data(
 outputFileName = "DecodedJsPayload.js_"
 
 # Print to screen
- log("\nScript output Saved to: %s\n" % outputFileName)
+ log("Script output Saved to: %s\n" % outputFileName)
 outputDomains = ""
 for dom in maliciousDomains:
 outputDomains += defang(dom) + "\n"
- log("\nMalicious Domains: \n\n%s" % outputDomains)
+ if outputDomains:
+ log("\nMalicious Domains: \n\n%s" % outputDomains)
 
 return outputCode, outputFileName, output_domains, persistence
 
diff --git a/tools/gootloader/utils/variables.py b/tools/gootloader/utils/variables.py
index 511c6cce..da4b6ab4 100644
--- a/tools/gootloader/utils/variables.py
+++ b/tools/gootloader/utils/variables.py
@@ -129,7 +129,10 @@ def run(self, file_data: str) -> str:
 self.__parse_concat_variable_definition(file_data)
 self.__assign_strings()
 self.__assign_concats()
- return max(self.__get_all_blocks(), key=len)
+ blocks = self.__get_all_blocks()
+ if not blocks:
+ return None
+ return max(blocks, key=len)
 
 
 def grab_longest_string(content: str):
diff --git a/tools/package.json b/tools/package.json
index 3aa166f7..559c62b3 100644
--- a/tools/package.json
+++ b/tools/package.json
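Review bot: The new `if round2InputStr:` guard does not cover the failure that actually crashes this branch — `v2DomainRegex.search(round2InputStr)` returns `None` whenever the input is non-empty but contains no `["..."]` domain array, and indexing that with `[2]` raises `TypeError`. Bind the match and test it rather than the input: `match = v2DomainRegex.search(round2InputStr) if round2InputStr else None`, `if match:`, `domainsMatch = match[2]`; `maliciousDomains` then keeps the empty list initialised earlier in the function, and the `if outputDomains:` guard in the second hunk already handles the no-domain case. parseRound2Data's body starts and ends outside these hunks, so how `output_domains` is filled from `maliciousDomains` is not visible here.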
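Review bot: `run` now returns `None` when `__get_all_blocks()` is empty, but the signature shown in the hunk header still declares `-> str`, so readers and type checkers will not expect `None`, and a caller that does string operations on the result will fail with `TypeError` where `max` on an empty sequence previously raised `ValueError`. Change the annotation to `def run(self, file_data: str) -> Optional[str]:` (`Optional` from `typing`, or `str | None` if the file targets 3.10+) and add a why-comment on the early return, e.g. `# No string/concat blocks were recovered; let the caller decide how to report it`. Whether the callers already handle `None` cannot be seen from this hunk.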
@@ -14,10 +14,10 @@
 "node": ">=6.0.0"
 },
 "dependencies": {
- "@nodesecure/js-x-ray": ">=6.1.1",
- "box-js": ">=1.9.25",
+ "@nodesecure/js-x-ray": ">=6.3.0",
+ "box-js": "file:/opt/al_support/box-js/box-js-master",
 "crypto-js": ">=4.2.0",
- "deobfuscator": ">=2.4.4",
+ "deobfuscator": ">=2.4.5",
 "entities": ">=4.5.0",
 "iconv-lite": ">=0.6.3",
 "log-timestamp": ">=0.3.0",
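Review bot: Replacing the `box-js` version range with `"file:/opt/al_support/box-js/box-js-master"` removes every version and integrity signal npm had for this dependency — a `file:` path resolves to no registry version and no `integrity` hash in the lockfile, so the installed sandbox code is whatever happens to sit at that path on the build host. Record, in the build step that populates that directory, which upstream commit it corresponds to, or point the dependency at a `git+` URL with an explicit commit hash so the revision that runs untrusted samples is auditable and reproducible. The other two bumps in this hunk are plain version-range changes and need nothing further.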