From bdd9c43384090d8f119e0634393f43e4596b27f7 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 16 Jan 2024 19:41:30 +0000
Subject: [PATCH 01/26] Adding commented out Box-js args to test
---
 jsjaws.py | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/jsjaws.py b/jsjaws.py
index 488ada2b..bdec8397 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -1045,21 +1045,33 @@ def _setup_boxjs_args(self, request: ServiceRequest, tool_timeout: int) -> List[
 :param tool_timeout: The time that the tool with run for
 :return: A list of arguments used for running Box.js
 """
- # --no-kill Do not kill the application when runtime errors occur
- # --no-rewrite Do not rewrite the source code at all, other than for `@cc_on` support
- # --loglevel Logging level (debug, verbose, info, warning, error - default "info")
- # --output-dir The location on disk to write the results files and folders to (defaults to the
- # current directory)
- # --timeout The script will timeout after this many seconds (default 10)
- # --prepended-code Prepend the JavaScript in the given file to the sample prior to sandboxing
 boxjs_args = [
 self.path_to_boxjs,
+ # Do not kill the application when runtime errors occur
 "--no-kill",
+ # Do not rewrite the source code at all, other than for `@cc_on` support
 "--no-rewrite",
+ # Logging level (debug, verbose, info, warning, error - default "info")
 "--loglevel=debug",
+ # The location on disk to write the results files and folders to (defaults to the current directory)
 f"--output-dir={self.working_directory}",
+ # The script will timeout after this many seconds (default 10)
 f"--timeout={tool_timeout}",
+ # Prepend the JavaScript in the given file to the sample prior to sandboxing
 f"--prepended-code={self.path_to_boxjs_boilerplate}",
+ # Fake file name to use for the sample being analyzed. Can be a full path or just
+ # the file name to use. If you have '\' in the path escape them as '\\' in this
+ # command line argument value (ex. --fake-sample-name=C:\\foo\\bar.js).
+ # f"--fake-sample-name={path.basename(request.task.file_name)}",
+ # Fake that HTTP requests work and have them return a fake payload
+ # "--fake-download",
+ # Throttle reporting and data tracking of file writes that write a LOT of data
+ # "--throttle-writes",
+ # Rewrite == checks so that comparisons of the current script name to a hard coded
+ # script name always return true.
+ # "--loose-script-name",
+ # Ignore calls to WSCript.Quit() and continue execution.
+ # "--ignore-wscript-quit",
 ]
 
 no_shell_error = request.get_param("no_shell_error")
From ca92ad105423a2c1e87bd587fc2edef8084e8a29 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 16 Jan 2024 19:42:03 +0000
Subject: [PATCH 02/26] Pass sample name to Box-js; update tests
---
 jsjaws.py | 2 +-
 .../result.json | 8 +-
 .../result.json | 90 ++++++++++++++++++-
 3 files changed, 94 insertions(+), 6 deletions(-)
diff --git a/jsjaws.py b/jsjaws.py
index bdec8397..0963db50 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -1062,7 +1062,7 @@ def _setup_boxjs_args(self, request: ServiceRequest, tool_timeout: int) -> List[
 # Fake file name to use for the sample being analyzed. Can be a full path or just
 # the file name to use. If you have '\' in the path escape them as '\\' in this
 # command line argument value (ex. --fake-sample-name=C:\\foo\\bar.js).
- # f"--fake-sample-name={path.basename(request.task.file_name)}",
+ f"--fake-sample-name={path.basename(request.task.file_name)}",
 # Fake that HTTP requests work and have them return a fake payload
 # "--fake-download",
 # Throttle reporting and data tracking of file writes that write a LOT of data
diff --git a/tests/results/5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f/result.json b/tests/results/5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f/result.json
index fd61fba2..7db3123c 100644
--- a/tests/results/5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f/result.json
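Review bot: The newly enabled `f"--fake-sample-name={path.basename(request.task.file_name)}"` passes the submitted file name to Box.js without the backslash escaping that the comment directly above says the option requires, and `path.basename` (presumably `os.path` on a POSIX host) does not split on `\`, so a Windows-style submission name such as `C:\foo\bar.js` reaches Box.js with single backslashes that it will read as escapes. The name comes from the submission rather than from this service; because it sits after `=` inside one argv element it cannot turn into an extra Box.js flag, but how Box.js decodes it still depends on that escaping. Unless names are normalised upstream, escape it first, e.g. `fake_name = path.basename(request.task.file_name).replace("\\", "\\\\")` and then `f"--fake-sample-name={fake_name}"`. `_setup_boxjs_args` begins and ends outside this hunk.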
+++ b/tests/results/5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f/result.json @@ -134,7 +134,7 @@ }, { "auto_collapse": false, - "body": "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\CURRENT_SCRIPT_IN_FAKED_DIR.js\" argentometry petalledPneumonoparesis Kankedort acknowledger", + "body": "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f\" argentometry petalledPneumonoparesis Kankedort acknowledger", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -145,7 +145,7 @@ "dynamic": { "process": { "command_line": [ - "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\CURRENT_SCRIPT_IN_FAKED_DIR.js\" argentometry petalledPneumonoparesis Kankedort acknowledger" + "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f\" argentometry petalledPneumonoparesis Kankedort acknowledger" ] } } @@ -183,7 +183,7 @@ }, { "name": "boxjs_cmds.bat", - "sha256": "9b64b7d8cee577d55fe9008941646643c052a22607e92bf7cd0ca0452b5a1cb4" + "sha256": "a23ec6fe003760833455c6e87781d3b6779d338baa5d3bc3637d6219783646cb" }, { "name": "5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f.cleaned", @@ -238,7 +238,7 @@ { "heur_id": null, "signatures": [], - "value": "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\CURRENT_SCRIPT_IN_FAKED_DIR.js\" argentometry petalledPneumonoparesis Kankedort acknowledger" + "value": "wscript \"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\5fbf446e062e0bf1e7cf57fb2b9c1a6257e9c288744e2d35deda0fb18ce2cf6f\" argentometry petalledPneumonoparesis Kankedort acknowledger" } ] }, 
diff --git a/tests/results/a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e/result.json b/tests/results/a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e/result.json index 0f17aba9..fb53825d 100644 --- a/tests/results/a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e/result.json +++ b/tests/results/a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1131, + "score": 1142, "sections": [ { "auto_collapse": false, @@ -16,6 +16,30 @@ "title_text": "Signatures", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: shell.application", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "active_x_object": 10 + }, + "signatures": { + "active_x_object": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ActiveXObject", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript decodes a Uniform Resource Identifier\n\t\treturn decodeURIComponent(spatterdock)\n\t\treturn decodeURIComponent(unediblyknotberry)", 
@@ -112,6 +136,47 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "reg add HKCU\\SOFTWARE\\overcarelesslyEnjoins /v TheoremsUniridescently /d qwkpoOQavfDtuJpiIGvlQQUsrqHKIraZiVPmfLOOSllIcYXwYQbfKekUPCfZlfjTJoZLxENPyctMporxEleWgHlKGlShkUNSwrKrQyITvoMgVJNwqmgrYTxliZzeRUUekXIDpUlxMoGPQdogntnFAKOxswviEHWqXgqAepSXUdpQZHnedntgANtfmRGruyfVbdUFlKyefXVOdIbEYciQpnhPKFAGhcIzFdIzPONVVsYlkNaLkxGBFwzWgaOTapGNvWobNtZHsZEBeulRazmjuHmNaxrDYFbGAVEjJHAxYxgRyYWjLQsRDHfKSlaFFxksKdaBBLtiwmmbYGgXXUvrdDpDUKvgdtnxwTkBSBvzwAVpCEWswyHvbHDnQqiiHKvwcXFizIardqLQVgHXtSx", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "command_line": [ + "reg add HKCU\\SOFTWARE\\overcarelesslyEnjoins /v TheoremsUniridescently /d qwkpoOQavfDtuJpiIGvlQQUsrqHKIraZiVPmfLOOSllIcYXwYQbfKekUPCfZlfjTJoZLxENPyctMporxEleWgHlKGlShkUNSwrKrQyITvoMgVJNwqmgrYTxliZzeRUUekXIDpUlxMoGPQdogntnFAKOxswviEHWqXgqAepSXUdpQZHnedntgANtfmRGruyfVbdUFlKyefXVOdIbEYciQpnhPKFAGhcIzFdIzPONVVsYlkNaLkxGBFwzWgaOTapGNvWobNtZHsZEBeulRazmjuHmNaxrDYFbGAVEjJHAxYxgRyYWjLQsRDHfKSlaFFxksKdaBBLtiwmmbYGgXXUvrdDpDUKvgdtnxwTkBSBvzwAVpCEWswyHvbHDnQqiiHKvwcXFizIardqLQVgHXtSx" + ] + } + } + }, + "title_text": "The script ran the following commands", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ 
@@ -199,6 +264,10 @@ { "name": "a26c892d61bdab5b9032882bce4c26991252d412e7fde33eccaa3f6bd0a0c27e.cleaned", "sha256": "369c60837a3cd55697de80a4f0d09aae6026da2be89c8d617b8d581bcad19b10" + }, + { + "name": "boxjs_cmds.bat", + "sha256": "a3eda370b58b3bb21be402bbdebd57b0329dcdf71903e1882cbf31923c52efb2" } ], "supplementary": [] @@ -210,6 +279,18 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "active_x_object" + ] + }, { "attack_ids": [], "heur_id": 3, @@ -245,6 +326,13 @@ } ], "tags": { + "dynamic.process.command_line": [ + { + "heur_id": null, + "signatures": [], + "value": "reg add HKCU\\SOFTWARE\\overcarelesslyEnjoins /v TheoremsUniridescently /d qwkpoOQavfDtuJpiIGvlQQUsrqHKIraZiVPmfLOOSllIcYXwYQbfKekUPCfZlfjTJoZLxENPyctMporxEleWgHlKGlShkUNSwrKrQyITvoMgVJNwqmgrYTxliZzeRUUekXIDpUlxMoGPQdogntnFAKOxswviEHWqXgqAepSXUdpQZHnedntgANtfmRGruyfVbdUFlKyefXVOdIbEYciQpnhPKFAGhcIzFdIzPONVVsYlkNaLkxGBFwzWgaOTapGNvWobNtZHsZEBeulRazmjuHmNaxrDYFbGAVEjJHAxYxgRyYWjLQsRDHfKSlaFFxksKdaBBLtiwmmbYGgXXUvrdDpDUKvgdtnxwTkBSBvzwAVpCEWswyHvbHDnQqiiHKvwcXFizIardqLQVgHXtSx" + } + ], "network.static.domain": [ { "heur_id": 2, From 37217dea7768e55715f1dc089699bce90a553a71 Mon Sep 17 00:00:00 2001 From: cccs-kevin Date: Tue, 16 Jan 2024 19:55:40 +0000 Subject: [PATCH 03/26] Fake a download in box-js; update tests --- jsjaws.py | 2 +- .../result.json | 33 ++++- .../result.json | 124 +++++++++++++++++- .../result.json | 31 +++++ .../result.json | 40 +++++- 5 files changed, 222 insertions(+), 8 deletions(-) diff --git a/jsjaws.py b/jsjaws.py index 0963db50..d9f17e7a 100755 --- a/jsjaws.py +++ b/jsjaws.py 
@@ -1064,7 +1064,7 @@ def _setup_boxjs_args(self, request: ServiceRequest, tool_timeout: int) -> List[ # command line argument value (ex. --fake-sample-name=C:\\foo\\bar.js). f"--fake-sample-name={path.basename(request.task.file_name)}", # Fake that HTTP requests work and have them return a fake payload - # "--fake-download", + "--fake-download", # Throttle reporting and data tracking of file writes that write a LOT of data # "--throttle-writes", # Rewrite == checks so that comparisons of the current script name to a hard coded diff --git a/tests/results/123bda1a6cedf72acd51a01f40ed32ea1e61d610ff46a05a6a7166c0777f6a8c/result.json b/tests/results/123bda1a6cedf72acd51a01f40ed32ea1e61d610ff46a05a6a7166c0777f6a8c/result.json index 36dd8ea5..69c74145 100644 --- a/tests/results/123bda1a6cedf72acd51a01f40ed32ea1e61d610ff46a05a6a7166c0777f6a8c/result.json +++ b/tests/results/123bda1a6cedf72acd51a01f40ed32ea1e61d610ff46a05a6a7166c0777f6a8c/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 23, + "score": 33, "sections": [ { "auto_collapse": false, @@ -40,6 +40,30 @@ "title_text": "Signature: ActiveXObject", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript writes data to the console\n\t\tReturning HTTP 200 (Success) with fake response payload 'console.log(\"EXECUTED DOWNLOADED PAYLOAD\");...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "console_output": 10 + }, + "signatures": { + "console_output": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ConsoleOutput", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript sends a network request\n\t\tWinHTTP.WinHTTPRequest[13].send()", 
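Review bot: Enabling `"--fake-download"` makes Box.js answer every HTTP request with its own payload, and the fixtures updated in this same commit show that payload being scored as sample behaviour: each affected result.json gains a `Signature: ConsoleOutput` section whose body is Box.js's own message `Returning HTTP 200 (Success) with fake response payload 'console.log("EXECUTED DOWNLOADED PAYLOAD");...`, and the scores rise by 10 (23 to 33, 83 to 93). That is sandbox instrumentation, not console output produced by the sample, so the `console_output` signature should skip that marker, or at least the flag should carry a comment recording the side effect: `# NOTE: the fake payload itself prints "EXECUTED DOWNLOADED PAYLOAD", which currently trips the ConsoleOutput signature`. The signature matching lives outside this hunk, so I cannot point at the line to filter. `_setup_boxjs_args` begins and ends outside this hunk.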
@@ -225,6 +249,13 @@ "active_x_object" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "console_output" + ] + }, { "attack_ids": [], "heur_id": 3, diff --git a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json index a014350c..24667bd0 100644 --- a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json +++ b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 921, + "score": 932, "sections": [ { "auto_collapse": false, @@ -42,7 +42,7 @@ }, { "auto_collapse": false, - "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: Scripting.FileSystemObject\n\t\tNew ActiveXObject: WinHttp.WinHttpRequest.5.1\n\t\tNew ActiveXObject: WScript.Shell\n\t\tActiveXObject(Scripting.FileSystemObject)\n\t\tActiveXObject(WinHttp.WinHttpRequest.5.1)\n\t\tActiveXObject(WScript.Shell)\n\t\tActiveXObject(ADODB.Stream)\n\t\tvar _a = new ActiveXObject(_0x4b[1])\n\t\tvar _b = new ActiveXObject(_0x4b[2])\n\t\tvar _c = new ActiveXObject(_0x4b[3])\n\t\tvar _g = new ActiveXObject(_0x4b[9])", + "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: Scripting.FileSystemObject\n\t\tNew ActiveXObject: WinHttp.WinHttpRequest.5.1\n\t\tNew ActiveXObject: WScript.Shell\n\t\tNew ActiveXObject: ADODB.Stream\n\t\tActiveXObject(Scripting.FileSystemObject)\n\t\tActiveXObject(WinHttp.WinHttpRequest.5.1)\n\t\tActiveXObject(WScript.Shell)\n\t\tActiveXObject(ADODB.Stream)\n\t\tvar _a = new ActiveXObject(_0x4b[1])\n\t\tvar _b = new ActiveXObject(_0x4b[2])\n\t\tvar _c = new ActiveXObject(_0x4b[3])\n\t\tvar _g = new ActiveXObject(_0x4b[9])", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -64,6 +64,30 @@ "title_text": "Signature: ActiveXObject", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript writes data to the console\n\t\tReturning HTTP 200 (Success) with fake response payload 'console.log(\"EXECUTED DOWNLOADED PAYLOAD\");...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "console_output": 10 + }, + "signatures": { + "console_output": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ConsoleOutput", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript creates a new Windows Scripting Host Shell Object\n\t\tnew WScript.Shell[14]()", @@ -162,7 +186,7 @@ }, { "auto_collapse": false, - "body": "JavaScript writes data to disk\n\t\tADODB.Stream[16].SaveToFile(\"C:\\ProgramData\\Trdce\\desired.dll\")\n\t\tvar _0x4b = [\"\\\\ProgramData\\\\\", \"Scripting.FileSystemObject\", \"WinHttp.WinHttpRequest.5.1\", \"WScript...", + "body": "JavaScript writes data to disk\n\t\tScript called ADODBStream.savetofile\n\t\tADODB.Stream[16].SaveToFile(\"C:\\ProgramData\\Trdce\\desired.dll\")\n\t\tvar _0x4b = [\"\\\\ProgramData\\\\\", \"Scripting.FileSystemObject\", \"WinHttp.WinHttpRequest.5.1\", \"WScript...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -232,6 +256,68 @@ "title_text": "Signature: WritesExecutable", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "rundll32 C:\\ProgramData\\Trdce\\desired.dll, HUF_inc_var", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "command_line": [ + "rundll32 C:\\ProgramData\\Trdce\\desired.dll, HUF_inc_var" + ] + } + } + }, + "title_text": "The script ran the following commands", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "C:\\ProgramData\\Trdce\\desired.dll", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\ProgramData\\Trdce\\desired.dll" + ] + } + } + }, + "title_text": "The script wrote the following files", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -337,7 +423,11 @@ "files": { "extracted": [ { - "name": "extracted_wscript.bat", + "name": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a", + "sha256": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a" + }, + { + "name": "boxjs_cmds.bat", "sha256": "b20d210cb0e10059d191871493db534e3b2b95eb3d8ecb109734de2cb3446935" } ], @@ -357,6 +447,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, 
@@ -371,6 +466,13 @@ "active_x_object" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "console_output" + ] + }, { "attack_ids": [], "heur_id": 3, @@ -422,6 +524,20 @@ } ], "tags": { + "dynamic.process.command_line": [ + { + "heur_id": null, + "signatures": [], + "value": "rundll32 C:\\ProgramData\\Trdce\\desired.dll, HUF_inc_var" + } + ], + "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:\\ProgramData\\Trdce\\desired.dll" + } + ], "network.dynamic.domain": [ { "heur_id": 1, diff --git a/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json b/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json index e15e8fea..f709506c 100644 --- a/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json +++ b/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json @@ -40,6 +40,30 @@ "title_text": "Signature: ActiveXObject", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript writes data to the console\n\t\tReturning HTTP 200 (Success) with fake response payload 'console.log(\"EXECUTED DOWNLOADED PAYLOAD\");...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "console_output": 10 + }, + "signatures": { + "console_output": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ConsoleOutput", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript sends a network request\n\t\tMSXML2.XMLHTTP[12].send()\n\t\to.send()", @@ -239,6 +263,13 @@ "active_x_object" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "console_output" + ] + }, { "attack_ids": [], "heur_id": 3, 
diff --git a/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json b/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json index a9af3634..7a2457d3 100644 --- a/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json +++ b/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 83, + "score": 93, "sections": [ { "auto_collapse": true, @@ -130,6 +130,30 @@ "title_text": "Signature: WinMgmtsAutoObject", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript writes data to the console\n\t\tReturning HTTP 200 (Success) with fake response payload 'console.log(\"EXECUTED DOWNLOADED PAYLOAD\");...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "console_output": 10 + }, + "signatures": { + "console_output": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: ConsoleOutput", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "JavaScript returns a reference to an object provided by an ActiveX component\n\t\tGetObject(winmgmts:{impersonationLevel=impersonate}!Win32_Process, undefined)", @@ -390,7 +414,12 @@ ] }, "files": { - "extracted": [], + "extracted": [ + { + "name": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a", + "sha256": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a" + } + ], "supplementary": [ { "name": "temp_javascript.js", @@ -436,6 +465,13 @@ "auto_object_winmgmts" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "console_output" + ] + }, { "attack_ids": [], "heur_id": 3, From 6bdb8eb089bca5c34cbefb0d9488a80a2fd2dd32 Mon Sep 17 00:00:00 2001 
From: cccs-kevin
Date: Tue, 16 Jan 2024 20:12:12 +0000
Subject: [PATCH 04/26] Removing box-js args that do not add value
---
 jsjaws.py | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/jsjaws.py b/jsjaws.py
index d9f17e7a..7a3a210d 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -1065,13 +1065,6 @@ def _setup_boxjs_args(self, request: ServiceRequest, tool_timeout: int) -> List[
 f"--fake-sample-name={path.basename(request.task.file_name)}",
 # Fake that HTTP requests work and have them return a fake payload
 "--fake-download",
- # Throttle reporting and data tracking of file writes that write a LOT of data
- # "--throttle-writes",
- # Rewrite == checks so that comparisons of the current script name to a hard coded
- # script name always return true.
- # "--loose-script-name",
- # Ignore calls to WSCript.Quit() and continue execution.
- # "--ignore-wscript-quit",
 ]
 
 no_shell_error = request.get_param("no_shell_error")
From f7d28412a1ebd95499ba158d48ba27906fbe65f3 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Thu, 18 Jan 2024 16:28:18 +0000
Subject: [PATCH 05/26] Extracting more useful info from Box-js results
---
 jsjaws.py | 131 ++++++++++++++++--
 .../result.json | 89 ++++++++++++
 .../result.json | 30 ++++
 .../result.json | 55 +++++++-
 .../result.json | 77 +++++++++-
 .../result.json | 103 ++++++++++++++
 .../result.json | 55 +++++++-
 .../result.json | 62 +++++++++
 .../result.json | 77 +++++++++-
 .../result.json | 77 +++++++++-
 .../result.json | 77 +++++++++-
 .../result.json | 95 +++++++++++++
 12 files changed, 911 insertions(+), 17 deletions(-)
diff --git a/jsjaws.py b/jsjaws.py
index 7a3a210d..a38fc52c 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -3326,7 +3326,7 @@ def _extract_urls(self, request: ServiceRequest) -> None:
 ioc_json = loads(file_contents)
 for ioc in ioc_json:
 value = ioc.get("value", "")
- if ioc["type"] == "UrlFetch":
+ if ioc["type"] in ["UrlFetch", "XMLHttpRequest"]:
 if any(value["url"] == url["url"] for url in urls_rows):
 continue
 elif not add_tag(urls_result_section, "network.dynamic.uri", value["url"], self.safelist):
@@ -3559,19 +3559,31 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
 commands_to_display = list()
 file_writes = set()
 file_reads = set()
+ file_folder_exists = set()
+ remote_scripts = set()
+ windows_installers = set()
+ regkey_reads = set()
+ regkey_writes = set()
+ new_resources_associated_with_url = set()
+ other = list()
 cmd_count = 0
 for ioc in ioc_json:
- type = ioc["type"]
+ ioc_type = ioc["type"]
 value = ioc.get("value", "")
- if type == "Run" and "command" in value:
- if value["command"] not in commands:
- commands.add(value["command"].strip())
+ if ioc_type in ["Run", "WMI.GetObject.Create"]:
+ command = None
+ if ioc_type == "Run":
+ command = value["command"]
+ commands.add(command.strip())
+ else:
+ command = value
+ commands.add(command.strip())
 # We want to extract powershell commands to a powershell file, which can be confirmed using multidecoder
 try:
- matches = find_powershell_strings(value["command"].encode())
+ matches = find_powershell_strings(command.encode())
 except BinasciiError as e:
- self.log.debug(f"Could not base64-decode encoded command value '{value['command']}' due to '{e}'")
+ self.log.debug(f"Could not base64-decode encoded command value '{command}' due to '{e}'")
 matches = []
 if matches:
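Review bot: The widened condition `if ioc["type"] in ["UrlFetch", "XMLHttpRequest"]:` treats an `XMLHttpRequest` IOC exactly like `UrlFetch` and immediately indexes `value["url"]`, yet `value` defaults to `""` on the line above, so an `XMLHttpRequest` entry whose value is not a dict would raise `TypeError` (and one without `url` a `KeyError`) and abort the loop for every remaining URL. I cannot see the Box.js output shape for that IOC type from here; if it is not guaranteed, `if ioc["type"] in ["UrlFetch", "XMLHttpRequest"] and isinstance(value, dict) and value.get("url"):` keeps one malformed entry from losing the rest. `_extract_urls` begins and ends outside this hunk.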
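Review bot: `command = value["command"]` on the new `Run` branch drops the `"command" in value` guard that the removed condition carried, so a `Run` IOC without that key now raises `KeyError` and abandons every remaining IOC, and the `else` branch calls `.strip()` on `value` assuming the `WMI.GetObject.Create` value is a plain string. The removed `if value["command"] not in commands:` also de-duplicated; from the collapsed hunk I cannot tell whether the `try` block was nested under it, but if it was, a repeated command will now be written to the batch file once per occurrence. `command = None` is dead since both branches assign it. Something like `command = value.get("command") if ioc_type == "Run" else value`, then `if not isinstance(command, str) or not command.strip(): continue`, then `commands.add(command.strip())` keeps one malformed entry from stopping extraction. `_extract_boxjs_iocs` begins and ends outside this hunk.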
@@ -3583,15 +3595,44 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
 ps1_cmd_spotted = True
 else:
 # Write non-ps1 to file
- commands_to_display.append(value["command"].strip())
- boxjs_batch_extraction.write(value["command"].strip() + "\n")
+ commands_to_display.append(command.strip())
+ boxjs_batch_extraction.write(command.strip() + "\n")
 batch_cmd_spotted = True
 cmd_count += 1
- elif type == "FileWrite" and "file" in value:
+ elif ioc_type == "FileWrite" and value.get("file"):
 file_writes.add(value["file"])
- elif type == "FileRead" and "file" in value:
+ elif ioc_type == "FileRead" and value.get("file"):
 file_reads.add(value["file"])
+ elif ioc_type == "Remote Script" and value.get("url"):
+ remote_scripts.add(value["url"])
+ elif ioc_type in ["FileExists", "FolderExists"]:
+ file_folder_exists.add(value)
+ elif ioc_type == "WindowsInstaller" and value.get("url"):
+ windows_installers.add(value["url"])
+ elif ioc_type == "RegRead" and value.get("key"):
+ regkey_reads.add(value["key"])
+ elif ioc_type == "RegWrite" and value.get("key"):
+ regkey_writes.add(value["key"])
+ elif ioc_type == "NewResource":
+ if not value.get("latestUrl"):
+ continue
+ new_resources_associated_with_url.add(dumps({"path": value["path"], "url": value["latestUrl"]}))
+
+ # Sample Name, DOM Writes, PayloadExec, Environ, ADODBStream are not interesting
+ # UrlFetch, XMLHttpRequest are handled somewhere else in the code
+ elif ioc_type in [
+ "Sample Name",
+ "UrlFetch",
+ "DOM Write",
+ "PayloadExec",
+ "Environ",
+ "XMLHttpRequest",
+ "ADODBStream",
+ ]:
+ continue
+ else:
+ other.append(ioc)
 boxjs_ps1_extraction.close()
 boxjs_batch_extraction.close()
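Review bot: The `NewResource` branch indexes `value["path"]` without a guard while every sibling branch in this hunk checks its key with `value.get(...)` in the `elif` condition, so a resource entry without `path` raises `KeyError` and stops the loop. Serialising the pair with `dumps` only to make it hashable, and `loads`-ing each entry back when the section is built, is also heavier than needed: `new_resources_associated_with_url.add((value["path"], value["latestUrl"]))` de-duplicates the same way and the consumer can unpack the tuple. I would write the condition as `elif ioc_type == "NewResource" and value.get("latestUrl") and value.get("path"):` and drop the inner `continue`. `_extract_boxjs_iocs` begins and ends outside this hunk.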
@@ -3646,6 +3687,74 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
 for file_read in list(file_reads)
 ]
+ if file_folder_exists:
+ file_folder_exists_result_section = ResultTextSection(
+ "The script checked if the following files/folders existed", parent=ioc_result_section
+ )
+ file_folder_exists_result_section.add_lines(list(file_folder_exists))
+ [
+ file_folder_exists_result_section.add_tag("dynamic.process.file_name", file_folder_exist)
+ for file_folder_exist in list(file_folder_exists)
+ ]
+
+ if remote_scripts:
+ remote_scripts_result_section = ResultTextSection(
+ "The script contains the following remote scripts", parent=ioc_result_section
+ )
+ remote_scripts_result_section.add_lines(list(remote_scripts))
+ [
+ add_tag(remote_scripts_result_section, "network.dynamic.uri", remote_script)
+ for remote_script in list(remote_scripts)
+ ]
+
+ if windows_installers:
+ windows_installers_result_section = ResultTextSection(
+ "The script contains the following Windows Installers", parent=ioc_result_section
+ )
+ windows_installers_result_section.add_lines(list(windows_installers))
+ [
+ add_tag(windows_installers_result_section, "network.dynamic.uri", windows_installer)
+ for windows_installer in list(windows_installers)
+ ]
+
+ if regkey_reads:
+ regkey_reads_result_section = ResultTextSection(
+ "The script read the following registry keys", parent=ioc_result_section
+ )
+ regkey_reads_result_section.add_lines(list(windows_installers))
+ [
+ regkey_reads_result_section.add_tag("dynamic.registry_key", regkey_read)
+ for regkey_read in list(regkey_reads)
+ ]
+
+ if regkey_writes:
+ regkey_writes_result_section = ResultTextSection(
+ "The script wrote the following registry keys", parent=ioc_result_section
+ )
+ regkey_writes_result_section.add_lines(list(windows_installers))
+ [
+ regkey_writes_result_section.add_tag("dynamic.registry_key", regkey_write)
+ for regkey_write in list(regkey_writes)
+ ]
+
+ if new_resources_associated_with_url:
+ new_resources_associated_with_url_result_section = ResultMultiSection(
+ "The script created the following resources associated with a URL", parent=ioc_result_section
+ )
+
+ for new_resource in list(new_resources_associated_with_url):
+ nr = loads(new_resource)
+ new_resources_associated_with_url_result_section.add_tag("dynamic.process.file_name", nr["path"])
+ add_tag(new_resources_associated_with_url_result_section, "network.dynamic.uri", nr["url"])
+ new_resources_associated_with_url_result_section.add_section_part(KVSectionBody(**nr))
+
+ if other:
+ other_result_section = ResultMultiSection(
+ "The script did the following other interesting things", parent=ioc_result_section
+ )
+ for other_item in other:
+ other_result_section.add_section_part(KVSectionBody(**other_item))
+
 if ioc_result_section.subsections:
 ioc_result_section.set_heuristic(2)
 result.add_section(ioc_result_section)
diff --git a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
index 24667bd0..9c62810a 100644
--- a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
+++ b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
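Review bot: The two registry-key sections are filled from the wrong collection: `regkey_reads_result_section.add_lines(list(windows_installers))` and `regkey_writes_result_section.add_lines(list(windows_installers))` should read `regkey_reads_result_section.add_lines(list(regkey_reads))` and `regkey_writes_result_section.add_lines(list(regkey_writes))`. The fixture updated in this same commit shows the effect: in `tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json` both registry-key sections have `"body": null` while their tags carry the key. Separately, the `add_tag(..., "network.dynamic.uri", ...)` calls for remote scripts, Windows installers and the `NewResource` URL omit the `self.safelist` argument that the `add_tag(urls_result_section, "network.dynamic.uri", value["url"], self.safelist)` call in `_extract_urls` passes; if that argument is what applies the safelist, URIs this service is configured to ignore would be tagged here. `_extract_boxjs_iocs` begins outside this hunk.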
@@ -318,6 +318,70 @@ "title_text": "The script wrote the following files", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "C:\\ProgramData\\Trdce", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\ProgramData\\Trdce" + ] + } + } + }, + "title_text": "The script checked if the following files/folders existed", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": [ + [ + "KEY_VALUE", + { + "path": "C:\\ProgramData\\Trdce\\desired.dll", + "url": "https://orthodentrics.com/8GE/fdsfdsfewwwe23" + }, + {} + ] + ], + "body_config": {}, + "body_format": "MULTI", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\ProgramData\\Trdce\\desired.dll" + ] + } + }, + "network": { + "dynamic": { + "domain": [ + "orthodentrics.com" + ], + "uri": [ + "https://orthodentrics.com/8GE/fdsfdsfewwwe23" + ], + "uri_path": [ + "/8GE/fdsfdsfewwwe23" + ] + } + } + }, + "title_text": "The script created the following resources associated with a URL", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -532,6 +596,16 @@ } ], "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:\\ProgramData\\Trdce" + }, + { + "heur_id": null, + "signatures": [], + "value": "C:\\ProgramData\\Trdce\\desired.dll" + }, { "heur_id": null, "signatures": [], @@ -539,6 +613,11 @@ } ], "network.dynamic.domain": [ + { + "heur_id": null, + "signatures": [], + "value": "orthodentrics.com" + }, { "heur_id": 1, "signatures": [ @@ -548,6 +627,11 @@ } ], "network.dynamic.uri": [ + { + "heur_id": null, + "signatures": [], + "value": "https://orthodentrics.com/8GE/fdsfdsfewwwe23" + }, { "heur_id": 1, "signatures": [ 
@@ -557,6 +641,11 @@ } ], "network.dynamic.uri_path": [ + { + "heur_id": null, + "signatures": [], + "value": "/8GE/fdsfdsfewwwe23" + }, { "heur_id": 1, "signatures": [ diff --git a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json index 31ac3eb5..d92f02a8 100644 --- a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json +++ b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json @@ -279,6 +279,36 @@ "title_text": "The script wrote the following files", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": [ + [ + "KEY_VALUE", + { + "description": "The script created a resource.", + "type": "NewResource", + "value": { + "latestUrl": "", + "md5": "c7f02b93dd5d6fd8bb467b870e958b70", + "path": "URL_Blob_file_0", + "sha1": "65fdb009507f70cce46f07c7dc22d180117c6a5a", + "sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc", + "type": "Zip archive data, at least v1.0 to extract, compression method=store" + } + }, + {} + ] + ], + "body_config": {}, + "body_format": "MULTI", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": {}, + "title_text": "The script did the following other interesting things", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "\t\tObfuscated code was found that was obfuscated by: obfuscator.io", diff --git a/tests/results/3a46bbf49dd8b5bac190ca05b7c6ba26c99b6c7f1c0d56f9639be42fe0362504/result.json b/tests/results/3a46bbf49dd8b5bac190ca05b7c6ba26c99b6c7f1c0d56f9639be42fe0362504/result.json index f1dde867..d2894fe3 100644 --- a/tests/results/3a46bbf49dd8b5bac190ca05b7c6ba26c99b6c7f1c0d56f9639be42fe0362504/result.json +++ b/tests/results/3a46bbf49dd8b5bac190ca05b7c6ba26c99b6c7f1c0d56f9639be42fe0362504/result.json 
@@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1663, + "score": 1664, "sections": [ { "auto_collapse": true, @@ -362,6 +362,47 @@ "title_text": "Signature: WritesExecutable", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "C:\\Users\\SYSOP1~1\\AppData\\Local\\Temp\\a.txt", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\Users\\SYSOP1~1\\AppData\\Local\\Temp\\a.txt" + ] + } + } + }, + "title_text": "The script checked if the following files/folders existed", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -669,6 +710,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -746,6 +792,13 @@ } ], "tags": { + "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:\\Users\\SYSOP1~1\\AppData\\Local\\Temp\\a.txt" + } + ], "network.dynamic.domain": [ { "heur_id": 1, diff --git a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json index 93d66dff..0f4e0ccb 100644 --- a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json +++ b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json 
@@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1632, + "score": 1633, "sections": [ { "auto_collapse": false, @@ -320,6 +320,64 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register" + ] + } + }, + "title_text": "The script read the following registry keys", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register" + ] + } + }, + "title_text": "The script wrote the following registry keys", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -511,6 +569,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -585,6 +648,18 @@ "value": "taskkill /f /im mshta.exe" } ], + "dynamic.registry_key": [ + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register" + }, + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register" + } + ], "file.behavior": [ { "heur_id": null, 
diff --git a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json index 6ed63114..29b3341e 100644 --- a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json +++ b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json @@ -155,6 +155,59 @@ "title_text": "document.write usage found in HTML", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "https://tapasyaevents.com/fmu/fmu.php?55724\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://dealsontrainers.org/tete/tete.php?85434", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "network": { + "dynamic": { + "domain": [ + "tapasyaevents.com", + "iscast.com.br", + "dealsontrainers.org" + ], + "uri": [ + "https://tapasyaevents.com/fmu/fmu.php?55724", + "https://iscast.com.br/udit/udit.php?68977", + "https://dealsontrainers.org/tete/tete.php?85434" + ], + "uri_path": [ + "/fmu/fmu.php?55724", + "/udit/udit.php?68977", + "/tete/tete.php?85434" + ] + } + } + }, + "title_text": "The script contains the following remote scripts", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -434,6 +487,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, 
@@ -478,6 +536,11 @@ ], "tags": { "network.dynamic.domain": [ + { + "heur_id": null, + "signatures": [], + "value": "dealsontrainers.org" + }, { "heur_id": 18, "signatures": [], @@ -491,6 +554,11 @@ ], "value": "dealsontrainers.org" }, + { + "heur_id": null, + "signatures": [], + "value": "iscast.com.br" + }, { "heur_id": 18, "signatures": [], @@ -504,6 +572,11 @@ ], "value": "iscast.com.br" }, + { + "heur_id": null, + "signatures": [], + "value": "tapasyaevents.com" + }, { "heur_id": 18, "signatures": [], @@ -519,6 +592,11 @@ } ], "network.dynamic.uri": [ + { + "heur_id": null, + "signatures": [], + "value": "https://dealsontrainers.org/tete/tete.php?85434" + }, { "heur_id": 18, "signatures": [], @@ -532,6 +610,11 @@ ], "value": "https://dealsontrainers.org/tete/tete.php?85434" }, + { + "heur_id": null, + "signatures": [], + "value": "https://iscast.com.br/udit/udit.php?68977" + }, { "heur_id": 18, "signatures": [], @@ -545,6 +628,11 @@ ], "value": "https://iscast.com.br/udit/udit.php?68977" }, + { + "heur_id": null, + "signatures": [], + "value": "https://tapasyaevents.com/fmu/fmu.php?55724" + }, { "heur_id": 18, "signatures": [], @@ -560,6 +648,11 @@ } ], "network.dynamic.uri_path": [ + { + "heur_id": null, + "signatures": [], + "value": "/fmu/fmu.php?55724" + }, { "heur_id": 18, "signatures": [], @@ -573,6 +666,11 @@ ], "value": "/fmu/fmu.php?55724" }, + { + "heur_id": null, + "signatures": [], + "value": "/tete/tete.php?85434" + }, { "heur_id": 18, "signatures": [], @@ -586,6 +684,11 @@ ], "value": "/tete/tete.php?85434" }, + { + "heur_id": null, + "signatures": [], + "value": "/udit/udit.php?68977" + }, { "heur_id": 18, "signatures": [], diff --git a/tests/results/850f1ee027d86cd61921195e5fd41a39edaf9a44261dfdce37dc0bff535c526e/result.json b/tests/results/850f1ee027d86cd61921195e5fd41a39edaf9a44261dfdce37dc0bff535c526e/result.json index a48f8fbf..c9bb2c7f 100644 --- a/tests/results/850f1ee027d86cd61921195e5fd41a39edaf9a44261dfdce37dc0bff535c526e/result.json 
+++ b/tests/results/850f1ee027d86cd61921195e5fd41a39edaf9a44261dfdce37dc0bff535c526e/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 652, + "score": 653, "sections": [ { "auto_collapse": true, @@ -270,6 +270,47 @@ "title_text": "Signature: SuspiciousUseOfCharCodes", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "C:\\Users\\Public\\po", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:\\Users\\Public\\po" + ] + } + } + }, + "title_text": "The script checked if the following files/folders existed", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -535,6 +576,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -653,6 +699,13 @@ "value": "colorcpl.exe C:\\\\Windows\\\\System32\\\\bitsadmin.exe" } ], + "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:\\Users\\Public\\po" + } + ], "network.dynamic.domain": [ { "heur_id": 13, diff --git a/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json b/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json index 1730afbc..bdd9f11a 100644 --- a/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json +++ b/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json 
@@ -64,6 +64,53 @@ "title_text": "Signature: NetworkRequest", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "https://acehphonnajaya.com/css/ke.msi", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "network": { + "dynamic": { + "domain": [ + "acehphonnajaya.com" + ], + "uri": [ + "https://acehphonnajaya.com/css/ke.msi" + ], + "uri_path": [ + "/css/ke.msi" + ] + } + } + }, + "title_text": "The script contains the following Windows Installers", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -294,6 +341,11 @@ } ], "network.dynamic.domain": [ + { + "heur_id": null, + "signatures": [], + "value": "acehphonnajaya.com" + }, { "heur_id": 1, "signatures": [], @@ -306,6 +358,11 @@ } ], "network.dynamic.uri": [ + { + "heur_id": null, + "signatures": [], + "value": "https://acehphonnajaya.com/css/ke.msi" + }, { "heur_id": 1, "signatures": [], @@ -318,6 +375,11 @@ } ], "network.dynamic.uri_path": [ + { + "heur_id": null, + "signatures": [], + "value": "/css/ke.msi" + }, { "heur_id": 1, "signatures": [], diff --git a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json index 60f2d4e5..a29643af 100644 --- a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json +++ b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json 
@@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1632, + "score": 1633, "sections": [ { "auto_collapse": false, @@ -320,6 +320,64 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg" + ] + } + }, + "title_text": "The script read the following registry keys", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg" + ] + } + }, + "title_text": "The script wrote the following registry keys", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -512,6 +570,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -579,6 +642,18 @@ "value": "rundll32 C:\\ProgramData\\index1.png,Wind " } ], + "dynamic.registry_key": [ + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg" + }, + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg" + } + ], "file.behavior": [ { "heur_id": null, 
diff --git a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json index d5f4d1dc..45692534 100644 --- a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json +++ b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1632, + "score": 1633, "sections": [ { "auto_collapse": false, @@ -320,6 +320,64 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Firm\\Soft\\Name" + ] + } + }, + "title_text": "The script read the following registry keys", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\Firm\\Soft\\Name" + ] + } + }, + "title_text": "The script wrote the following registry keys", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -512,6 +570,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, 
@@ -579,6 +642,18 @@ "value": "rundll32 C:\\ProgramData\\121.png,Wind " } ], + "dynamic.registry_key": [ + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Firm\\Soft\\Name" + }, + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\Firm\\Soft\\Name" + } + ], "file.behavior": [ { "heur_id": null, diff --git a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json index 56094cba..a7107aba 100644 --- a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json +++ b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1632, + "score": 1633, "sections": [ { "auto_collapse": false, 
@@ -320,6 +320,64 @@ "title_text": "Signature: RunsShellApplication", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 0, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 2, + "score": 1, + "score_map": {}, + "signatures": {} + }, + "promote_to": null, + "tags": {}, + "title_text": "IOCs extracted by Box.js", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy" + ] + } + }, + "title_text": "The script read the following registry keys", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": null, + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "registry_key": [ + "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy" + ] + } + }, + "title_text": "The script wrote the following registry keys", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -511,6 +569,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, @@ -585,6 +648,18 @@ "value": "taskkill /f /im mshta.exe" } ], + "dynamic.registry_key": [ + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy" + }, + { + "heur_id": null, + "signatures": [], + "value": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy" + } + ], "file.behavior": [ { "heur_id": null, diff --git a/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json b/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json index 7a2457d3..760f4ba3 100644 
--- a/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json +++ b/tests/results/fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458/result.json @@ -294,6 +294,27 @@ "title_text": "IOCs extracted by Box.js", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "rundll32 C:\\ProgramData\\wJPBCKy.HoGKdJI,Wind", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "command_line": [ + "rundll32 C:\\ProgramData\\wJPBCKy.HoGKdJI,Wind" + ] + } + } + }, + "title_text": "The script ran the following commands", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "C:/ProgramData/wJPBCKy.HoGKdJI", @@ -315,6 +336,49 @@ "title_text": "The script wrote the following files", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": [ + [ + "KEY_VALUE", + { + "path": "C:/ProgramData/wJPBCKy.HoGKdJI", + "url": "http://gkjdepok.org/crtfc/TsCw3rCG.dll" + }, + {} + ] + ], + "body_config": {}, + "body_format": "MULTI", + "classification": "TLP:C", + "depth": 1, + "heuristic": null, + "promote_to": null, + "tags": { + "dynamic": { + "process": { + "file_name": [ + "C:/ProgramData/wJPBCKy.HoGKdJI" + ] + } + }, + "network": { + "dynamic": { + "domain": [ + "gkjdepok.org" + ], + "uri": [ + "http://gkjdepok.org/crtfc/TsCw3rCG.dll" + ], + "uri_path": [ + "/crtfc/TsCw3rCG.dll" + ] + } + } + }, + "title_text": "The script created the following resources associated with a URL", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -415,6 +479,10 @@ }, "files": { "extracted": [ + { + "name": "boxjs_cmds.bat", + "sha256": "371c59b411db032c8668d9324a40e50a135d574cd34a24989d5c0548d32b7053" + }, { "name": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a", "sha256": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a" 
@@ -509,7 +577,19 @@ } ], "tags": { + "dynamic.process.command_line": [ + { + "heur_id": null, + "signatures": [], + "value": "rundll32 C:\\ProgramData\\wJPBCKy.HoGKdJI,Wind" + } + ], "dynamic.process.file_name": [ + { + "heur_id": null, + "signatures": [], + "value": "C:/ProgramData/wJPBCKy.HoGKdJI" + }, { "heur_id": null, "signatures": [], @@ -517,6 +597,11 @@ } ], "network.dynamic.domain": [ + { + "heur_id": null, + "signatures": [], + "value": "gkjdepok.org" + }, { "heur_id": 1, "signatures": [], @@ -524,6 +609,11 @@ } ], "network.dynamic.uri": [ + { + "heur_id": null, + "signatures": [], + "value": "http://gkjdepok.org/crtfc/TsCw3rCG.dll" + }, { "heur_id": 1, "signatures": [], @@ -531,6 +621,11 @@ } ], "network.dynamic.uri_path": [ + { + "heur_id": null, + "signatures": [], + "value": "/crtfc/TsCw3rCG.dll" + }, { "heur_id": 1, "signatures": [], From 2cda53a22f78fa6fa0794869183776911692a120 Mon Sep 17 00:00:00 2001 From: cccs-kevin Date: Thu, 18 Jan 2024 16:47:59 +0000 Subject: [PATCH 06/26] Sort Box-js IOCs; Bugfix in registry key output; update tests --- jsjaws.py | 37 +++++++++++-------- .../result.json | 30 --------------- .../result.json | 4 +- .../result.json | 14 +++---- .../result.json | 4 +- .../result.json | 4 +- .../result.json | 4 +- 7 files changed, 37 insertions(+), 60 deletions(-) diff --git a/jsjaws.py b/jsjaws.py index a38fc52c..37f5bd48 100755 --- a/jsjaws.py +++ b/jsjaws.py 
@@ -3671,70 +3671,77 @@ def _extract_boxjs_iocs(self, result: Result) -> None: file_writes_result_section = ResultTextSection( "The script wrote the following files", parent=ioc_result_section ) - file_writes_result_section.add_lines(list(file_writes)) + sorted_file_writes = sorted(file_writes) + file_writes_result_section.add_lines(sorted_file_writes) [ file_writes_result_section.add_tag("dynamic.process.file_name", file_write) - for file_write in list(file_writes) + for file_write in sorted_file_writes ] if file_reads: file_reads_result_section = ResultTextSection( "The script read the following files", parent=ioc_result_section ) - file_reads_result_section.add_lines(list(file_reads)) + sorted_file_reads = sorted(file_reads) + file_reads_result_section.add_lines(sorted_file_reads) [ file_reads_result_section.add_tag("dynamic.process.file_name", file_read) - for file_read in list(file_reads) + for file_read in sorted_file_reads ] if file_folder_exists: file_folder_exists_result_section = ResultTextSection( "The script checked if the following files/folders existed", parent=ioc_result_section ) - file_folder_exists_result_section.add_lines(list(file_folder_exists)) + sorted_file_folder_exists = sorted(file_folder_exists) + file_folder_exists_result_section.add_lines(sorted_file_folder_exists) [ file_folder_exists_result_section.add_tag("dynamic.process.file_name", file_folder_exist) - for file_folder_exist in list(file_folder_exists) + for file_folder_exist in sorted_file_folder_exists ] if remote_scripts: remote_scripts_result_section = ResultTextSection( "The script contains the following remote scripts", parent=ioc_result_section ) - remote_scripts_result_section.add_lines(list(remote_scripts)) + sorted_remote_scripts = sorted(remote_scripts) + remote_scripts_result_section.add_lines(sorted_remote_scripts) [ add_tag(remote_scripts_result_section, "network.dynamic.uri", remote_script) - for remote_script in list(remote_scripts) + for remote_script in 
sorted_remote_scripts ] if windows_installers: windows_installers_result_section = ResultTextSection( "The script contains the following Windows Installers", parent=ioc_result_section ) - windows_installers_result_section.add_lines(list(windows_installers)) + sorted_windows_installers = sorted(windows_installers) + windows_installers_result_section.add_lines(sorted_windows_installers) [ add_tag(windows_installers_result_section, "network.dynamic.uri", windows_installer) - for windows_installer in list(windows_installers) + for windows_installer in sorted_windows_installers ] if regkey_reads: regkey_reads_result_section = ResultTextSection( "The script read the following registry keys", parent=ioc_result_section ) - regkey_reads_result_section.add_lines(list(windows_installers)) + sorted_regkey_reads = sorted(regkey_reads) + regkey_reads_result_section.add_lines(sorted_regkey_reads) [ regkey_reads_result_section.add_tag("dynamic.registry_key", regkey_read) - for regkey_read in list(regkey_reads) + for regkey_read in sorted_regkey_reads ] if regkey_writes: regkey_writes_result_section = ResultTextSection( "The script wrote the following registry keys", parent=ioc_result_section ) - regkey_writes_result_section.add_lines(list(windows_installers)) + sorted_regkey_writes = sorted(regkey_writes) + regkey_writes_result_section.add_lines(sorted_regkey_writes) [ regkey_writes_result_section.add_tag("dynamic.registry_key", regkey_write) - for regkey_write in list(regkey_writes) + for regkey_write in sorted_regkey_writes ] if new_resources_associated_with_url: 
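Review bot: Each of the seven tag loops in this hunk is a list comprehension evaluated only for its side effect, e.g. `[ file_writes_result_section.add_tag("dynamic.process.file_name", file_write) for file_write in sorted_file_writes ]`, which builds and discards a list of `None`s and reads as if the result mattered; a plain loop says what is meant, `for file_write in sorted_file_writes:` / `    file_writes_result_section.add_tag("dynamic.process.file_name", file_write)`, and the same applies to the file_reads, file_folder_exists, remote_scripts, windows_installers, regkey_reads and regkey_writes blocks. Replacing `list(...)` with `sorted(...)` also changes failure behaviour: `sorted()` raises TypeError if a collection ever holds a non-string entry (for example a None from a Box.js record missing a field) where `list()` did not, so it is worth confirming that the code building these collections only ever adds strings, or stating that as an assumption in a comment. The registry-key body fix (`add_lines(sorted_regkey_reads)` / `add_lines(sorted_regkey_writes)`) is correct and the updated fixtures confirm it. _extract_boxjs_iocs starts before this hunk and continues past it.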
@@ -3742,7 +3749,7 @@ def _extract_boxjs_iocs(self, result: Result) -> None: "The script created the following resources associated with a URL", parent=ioc_result_section ) - for new_resource in list(new_resources_associated_with_url): + for new_resource in sorted(new_resources_associated_with_url): nr = loads(new_resource) new_resources_associated_with_url_result_section.add_tag("dynamic.process.file_name", nr["path"]) add_tag(new_resources_associated_with_url_result_section, "network.dynamic.uri", nr["url"]) diff --git a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json index d92f02a8..31ac3eb5 100644 --- a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json +++ b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json @@ -279,36 +279,6 @@ "title_text": "The script wrote the following files", "zeroize_on_tag_safe": false }, - { - "auto_collapse": false, - "body": [ - [ - "KEY_VALUE", - { - "description": "The script created a resource.", - "type": "NewResource", - "value": { - "latestUrl": "", - "md5": "c7f02b93dd5d6fd8bb467b870e958b70", - "path": "URL_Blob_file_0", - "sha1": "65fdb009507f70cce46f07c7dc22d180117c6a5a", - "sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc", - "type": "Zip archive data, at least v1.0 to extract, compression method=store" - } - }, - {} - ] - ], - "body_config": {}, - "body_format": "MULTI", - "classification": "TLP:C", - "depth": 1, - "heuristic": null, - "promote_to": null, - "tags": {}, - "title_text": "The script did the following other interesting things", - "zeroize_on_tag_safe": false - }, { "auto_collapse": false, "body": "\t\tObfuscated code was found that was obfuscated by: obfuscator.io", 
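Review bot: `sorted(new_resources_associated_with_url)` orders the serialized JSON strings rather than the resources, so the resulting order depends on the key order the dicts were dumped with, not on anything an analyst reads; if a stable, meaningful order is the goal, decode first and sort on the path, `for nr in sorted((loads(r) for r in new_resources_associated_with_url), key=lambda d: d["path"]):`, and drop the `nr = loads(new_resource)` line. `nr["path"]` and `nr["url"]` raise KeyError on an entry lacking either key; that is pre-existing, but since both values come from the analysed sample's behaviour it deserves either a guard or a comment stating that the code building this collection (outside the hunk) always sets both. The loop body continues past the end of the hunk, and _extract_boxjs_iocs starts before it.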
diff --git a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json index 0f4e0ccb..eab5e3e0 100644 --- a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json +++ b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json @@ -342,7 +342,7 @@ }, { "auto_collapse": false, - "body": null, + "body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -361,7 +361,7 @@ }, { "auto_collapse": false, - "body": null, + "body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json index 29b3341e..fffdec11 100644 --- a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json +++ b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json @@ -177,7 +177,7 @@ }, { "auto_collapse": false, - "body": "https://tapasyaevents.com/fmu/fmu.php?55724\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://dealsontrainers.org/tete/tete.php?85434", + "body": "https://dealsontrainers.org/tete/tete.php?85434\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://tapasyaevents.com/fmu/fmu.php?55724", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -188,19 +188,19 @@ "network": { "dynamic": { "domain": [ - "tapasyaevents.com", + "dealsontrainers.org", "iscast.com.br", - "dealsontrainers.org" + "tapasyaevents.com" ], "uri": [ - "https://tapasyaevents.com/fmu/fmu.php?55724", + "https://dealsontrainers.org/tete/tete.php?85434", "https://iscast.com.br/udit/udit.php?68977", - "https://dealsontrainers.org/tete/tete.php?85434" + "https://tapasyaevents.com/fmu/fmu.php?55724" ], "uri_path": [ - "/fmu/fmu.php?55724", + "/tete/tete.php?85434", "/udit/udit.php?68977", - "/tete/tete.php?85434" + "/fmu/fmu.php?55724" ] } } diff --git a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json index a29643af..01e7a2d7 100644 --- a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json +++ b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json @@ -342,7 +342,7 @@ }, { "auto_collapse": false, - "body": null, + "body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -361,7 +361,7 @@ }, { "auto_collapse": false, - "body": null, + "body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json index 45692534..a21e7518 100644 --- a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json +++ b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json @@ -342,7 +342,7 @@ }, { "auto_collapse": false, - "body": null, + "body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -361,7 +361,7 @@ }, { "auto_collapse": false, - "body": null, + "body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json index a7107aba..4a04668a 100644 --- a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json +++ b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json @@ -342,7 +342,7 @@ }, { "auto_collapse": false, - "body": null, + "body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -361,7 +361,7 @@ }, { "auto_collapse": false, - "body": null, + "body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", From 242e6f38846be10b391f067e3349b8cc9a9d2889 Mon Sep 17 00:00:00 2001 From: cccs-kevin Date: Thu, 18 Jan 2024 19:48:40 +0000 Subject: [PATCH 07/26] Check versions of npm packages --- pipelines/azure-tests.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml index a9541d21..8bc5dd78 100755 --- a/pipelines/azure-tests.yaml +++ b/pipelines/azure-tests.yaml @@ -69,6 +69,7 @@ jobs: # Install Node packages cd tools npm install + npm list displayName: Setup environment - script: | set -x # echo on From 02fa81679d04e3194728dc7798aa8cd7d55d5c60 Mon Sep 17 00:00:00 2001 From: cccs-kevin Date: Thu, 18 Jan 2024 20:01:27 +0000 Subject: [PATCH 08/26] Updating tests+packages --- .../result.json | 2 +- .../result.json | 2 +- tools/package.json | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json index fffdec11..4b0cbe63 100644 --- a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json +++ b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 2622, + "score": 2623, "sections": [ { "auto_collapse": false, diff --git a/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json b/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json index f709506c..06fe3bc0 100644 --- a/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json +++ b/tests/results/babb776566afc06cab8b4bc1d21a89a670e803e8995cdd7107860017ad9f3b05/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 541, + "score": 551, "sections": [ { "auto_collapse": false, diff --git a/tools/package.json b/tools/package.json index 3aa166f7..182652ae 100644 --- a/tools/package.json +++ b/tools/package.json @@ -14,10 +14,10 @@ "node": ">=6.0.0" }, "dependencies": { - "@nodesecure/js-x-ray": ">=6.1.1", + "@nodesecure/js-x-ray": ">=6.3.0", "box-js": ">=1.9.25", "crypto-js": ">=4.2.0", - "deobfuscator": ">=2.4.4", + "deobfuscator": ">=2.4.5", "entities": ">=4.5.0", "iconv-lite": ">=0.6.3", "log-timestamp": ">=0.3.0", From 052c071c084086c6b355ebf6e3ea340680345e6c Mon Sep 17 00:00:00 2001 From: cccs-kevin Date: Fri, 19 Jan 2024 15:32:05 +0000 Subject: [PATCH 09/26] Bug fixes in gootloader, updating results --- .../result.json | 7 ++- tools/gootloader/GootLoaderAutoJsDecode.py | 44 +++++++++++-------- tools/gootloader/utils/variables.py | 5 ++- 3 files changed, 35 insertions(+), 21 deletions(-) 
diff --git a/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json b/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json index bdd9f11a..0241ea9c 100644 --- a/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json +++ b/tests/results/85ec3b750424e1f63ec881010106efa480f15f29b794a7a6c70daaa9098da8e1/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 24, + "score": 25, "sections": [ { "auto_collapse": false, @@ -317,6 +317,11 @@ "heur_id": 2, "signatures": [] }, + { + "attack_ids": [], + "heur_id": 2, + "signatures": [] + }, { "attack_ids": [], "heur_id": 3, diff --git a/tools/gootloader/GootLoaderAutoJsDecode.py b/tools/gootloader/GootLoaderAutoJsDecode.py index 2c3a8a04..eed29876 100644 --- a/tools/gootloader/GootLoaderAutoJsDecode.py +++ b/tools/gootloader/GootLoaderAutoJsDecode.py @@ -122,6 +122,8 @@ def convertConcatToString(inputConcatMatches, inputVarsDict, noEquals=False): def decodeString(scripttext): # Gootloader decode function ans = "" + if not scripttext: + return ans for i in range(0, len(scripttext)): if i % 2 == 1: ans += scripttext[i] 
@@ -179,17 +181,17 @@ def getGootVersion(topFileData, log: Logger = print): gloader21sample = False if re.search(r"jQuery JavaScript Library v\d{1,}\.\d{1,}\.\d{1,}$", topFileData): - log("\nGootLoader Obfuscation Variant 2.0 detected") + log("GootLoader Obfuscation Variant 2.0 detected") gloader21sample = False elif goot3linesPattern.match(topFileData): log( - '\nGootLoader Obfuscation Variant 3.0 detected\n\nIf this fails try using CyberChef "JavaScript Beautify" against the file first.' + 'GootLoader Obfuscation Variant 3.0 detected\n\nIf this fails try using CyberChef "JavaScript Beautify" against the file first.' ) gloader3sample = True # 3 and 2 have some overlap so enabling both flags for simplicity gloader21sample = True else: - log("\nGootLoader Obfuscation Variant 2.1 or higher detected") + log("Attempting default option for GootLoader Obfuscation Variant 2.1 or higher") gloader21sample = True return gloader21sample, gloader3sample @@ -317,9 +319,11 @@ def findCodeMatchInRound1Result(inputStr): # Find code text in the result of the first decode round findCodeinQuotePattern = re.compile(r"(? 0: + return results[0] + else: + return "" def getVariableAndConcatPatterns(isGloader21Sample): @@ -398,8 +402,8 @@ def parseRound2Data( else: outputFileName = payload_path - log("\nScript output Saved to: %s\n" % outputFileName) - log("\nThe script will new attempt to deobfuscate the %s file." % outputFileName) + log("Script output Saved to: %s\n" % outputFileName) + log("The script will new attempt to deobfuscate the %s file." % outputFileName) else: if isGootloader3sample: outputCode = round2InputStr.replace("'+'", "").replace("')+('", "").replace("+()+", "").replace("?+?", "") 
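Review bot: The rewritten log line in the last hunk keeps the typo "new" for "now": `log("The script will now attempt to deobfuscate the %s file." % outputFileName)`. This sentence is what an analyst reads in the service output, so fixing it while the line is already being touched costs nothing. The `findCodeMatchInRound1Result` hunk above it appears garbled in this rendering (the regex and the removed lines are missing), so its `results[0]` guard cannot be reviewed here. `parseRound2Data` starts and ends outside the hunk.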
@@ -416,15 +420,16 @@ def parseRound2Data(
 outputCode = round2InputStr
 v2DomainRegex = re.compile(r"(.*)(\[\".*?\"\])(.*)")
- domainsMatch = v2DomainRegex.search(round2InputStr)[2]
- maliciousDomains = (
- domainsMatch.replace("[", "")
- .replace("]", "")
- .replace('"', "")
- .replace("+(", "")
- .replace(")+", "")
- .split(",")
- )
+ if round2InputStr:
+ domainsMatch = v2DomainRegex.search(round2InputStr)[2]
+ maliciousDomains = (
+ domainsMatch.replace("[", "")
+ .replace("]", "")
+ .replace('"', "")
+ .replace("+(", "")
+ .replace(")+", "")
+ .split(",")
+ )
 # Store the malicious domains and return the list.s
 for domain in maliciousDomains:
@@ -435,11 +440,12 @@ def parseRound2Data(
 outputFileName = "DecodedJsPayload.js_"
 # Print to screen
- log("\nScript output Saved to: %s\n" % outputFileName)
+ log("Script output Saved to: %s\n" % outputFileName)
 outputDomains = ""
 for dom in maliciousDomains:
 outputDomains += defang(dom) + "\n"
- log("\nMalicious Domains: \n\n%s" % outputDomains)
+ if outputDomains:
+ log("\nMalicious Domains: \n\n%s" % outputDomains)
 return outputCode, outputFileName, output_domains, persistence
diff --git a/tools/gootloader/utils/variables.py b/tools/gootloader/utils/variables.py
index 511c6cce..da4b6ab4 100644
--- a/tools/gootloader/utils/variables.py
+++ b/tools/gootloader/utils/variables.py
@@ -129,7 +129,10 @@ def run(self, file_data: str) -> str:
 self.__parse_concat_variable_definition(file_data)
 self.__assign_strings()
 self.__assign_concats()
- return max(self.__get_all_blocks(), key=len)
+ blocks = self.__get_all_blocks()
+ if not blocks:
+ return None
+ return max(blocks, key=len)
 def grab_longest_string(content: str):
From dc7e4c764518ab8377f9471c4fecc67f9793c17c Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Mon, 5 Feb 2024 16:52:52 +0000
Subject: [PATCH 10/26] Updating test
---
 .../result.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
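Review bot: `v2DomainRegex.search(round2InputStr)[2]` still subscripts the result of `re.search` without checking it, so the new `if round2InputStr:` guard only covers the empty-string case; a non-empty sample that does not match `(.*)(\[\".*?\"\])(.*)` raises `TypeError: 'NoneType' object is not subscriptable` and aborts the whole decode. Bind the match first: `match = v2DomainRegex.search(round2InputStr)` / `if match:` / `domainsMatch = match[2]`. When the guard is false, `maliciousDomains` is never assigned before the `for domain in maliciousDomains:` loop that follows (patch 11 in this series initialises it away); a `log(...)` in the unmatched branch would keep that failure visible to the analyst instead of producing a silent empty domain list. `parseRound2Data` starts and ends outside the hunk.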
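Review bot: `run` now returns `None` when `__get_all_blocks()` comes back empty, but its signature still says `-> str`, so type-checked callers will not expect the `None`. Change the annotation to `-> Optional[str]` (or `str | None` if the project targets 3.10+) and add a one-line docstring such as `"""Return the longest assembled block, or None when no block could be built."""`. The callers of `run` are outside this hunk, so whether they handle a `None` return cannot be confirmed here.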
diff --git a/tests/results/2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0/result.json b/tests/results/2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0/result.json index 76f2d854..96540e35 100644 --- a/tests/results/2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0/result.json +++ b/tests/results/2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0/result.json @@ -252,7 +252,7 @@ }, { "auto_collapse": false, - "body": "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"CURRENT_SCRIPT_IN_FAKED_DIR.js\"", + "body": "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0\"", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -263,7 +263,7 @@ "dynamic": { "process": { "command_line": [ - "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"CURRENT_SCRIPT_IN_FAKED_DIR.js\"" + "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0\"" ] } } @@ -277,7 +277,7 @@ "extracted": [ { "name": "boxjs_cmds.bat", - "sha256": "f8cc51983cf9a74f49d3dee2ca65f933cfa27152e61c58b2fa24a2be1f762fc4" + "sha256": "de0cabd9595cf2419dc88b738f121534c43e82463c7b2a91575cd0caca5dd1a0" } ], "supplementary": [ @@ -352,7 +352,7 @@ { "heur_id": null, "signatures": [], - "value": "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"CURRENT_SCRIPT_IN_FAKED_DIR.js\"" + "value": "\"C:Users\\Sysop12\\AppData\\Roaming\\Microsoft\\Templates\\\"cscript.exe \"2e5cc91b03fc9292a400d0cc480bfaa806d57d18425965014041edb38abf3ac0\"" } ], "file.name.extracted": [ From b55efe3ff4485de55bc68e76cc1a5666032b3a7f Mon Sep 17 00:00:00 2001 
From: cccs-kevin
Date: Mon, 5 Feb 2024 20:15:47 +0000
Subject: [PATCH 11/26] Bugfix in local variable access
---
 tools/gootloader/GootLoaderAutoJsDecode.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tools/gootloader/GootLoaderAutoJsDecode.py b/tools/gootloader/GootLoaderAutoJsDecode.py
index eed29876..8109aeb2 100644
--- a/tools/gootloader/GootLoaderAutoJsDecode.py
+++ b/tools/gootloader/GootLoaderAutoJsDecode.py
@@ -381,6 +381,7 @@ def parseRound2Data(
 ):
 output_domains = list()
 persistence = None
+ maliciousDomains = list()
 if round2InputStr.startswith("function"):
 log("GootLoader Obfuscation Variant 3.0 sample detected.")
From 0887b715daf689be710263d89c965216416a244e Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Mon, 5 Feb 2024 20:16:19 +0000
Subject: [PATCH 12/26] Manually updating test to confirm issue
---
 .../result.json | 30 +------------------
 1 file changed, 1 insertion(+), 29 deletions(-)
diff --git a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
index 9c62810a..e3862ae7 100644
--- a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
+++ b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
@@ -276,27 +276,6 @@
 "title_text": "IOCs extracted by Box.js",
 "zeroize_on_tag_safe": false
 },
- {
- "auto_collapse": false,
- "body": "rundll32 C:\\ProgramData\\Trdce\\desired.dll, HUF_inc_var",
- "body_config": {},
- "body_format": "TEXT",
- "classification": "TLP:C",
- "depth": 1,
- "heuristic": null,
- "promote_to": null,
- "tags": {
- "dynamic": {
- "process": {
- "command_line": [
- "rundll32 C:\\ProgramData\\Trdce\\desired.dll, HUF_inc_var"
- ]
- }
- }
- },
- "title_text": "The script ran the following commands",
- "zeroize_on_tag_safe": false
- },
 {
 "auto_collapse": false,
 "body": "C:\\ProgramData\\Trdce\\desired.dll",
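Review bot: Initialising `maliciousDomains = list()` removes the `UnboundLocalError` for inputs the domain regex does not match, but it also makes that failure indistinguishable from a sample that genuinely has no domains, so extraction can now fail silently. A short `log(...)` in the branch where the regex is not applied (later in this function, outside the hunk) would keep the difference visible in the analyst-facing output. `[]` is the idiomatic literal, though `list()` is at least consistent with the neighbouring `output_domains = list()`. `parseRound2Data` continues outside the hunk.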
@@ -491,7 +470,7 @@
 "sha256": "4af7e12ad0e9238529121a173c6577a819f10a8c3c82226f372720fd04b04c8a"
 },
 {
- "name": "boxjs_cmds.bat",
+ "name": "extracted_wscript.bat",
 "sha256": "b20d210cb0e10059d191871493db534e3b2b95eb3d8ecb109734de2cb3446935"
 }
 ],
@@ -588,13 +567,6 @@
 }
 ],
 "tags": {
- "dynamic.process.command_line": [
- {
- "heur_id": null,
- "signatures": [],
- "value": "rundll32 C:\\ProgramData\\Trdce\\desired.dll, HUF_inc_var"
- }
- ],
 "dynamic.process.file_name": [
 {
 "heur_id": null,
From 1fc5d92787047631966a0f8412049a9bf39b4ab1 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Mon, 5 Feb 2024 20:54:07 +0000
Subject: [PATCH 13/26] Debug test for sample, related to boxjs analysis
---
 jsjaws.py | 1 +
 pipelines/azure-tests.yaml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/jsjaws.py b/jsjaws.py
index 37f5bd48..3d512d66 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -1310,6 +1310,7 @@ def _handle_boxjs_output(self, responses: Dict[str, List[str]], boxjs_args: List
 if line.startswith("[verb] Code saved to"):
 continue
 else:
+ print(line)
 boxjs_output.append(line)
 return boxjs_output
diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml
index 8bc5dd78..7ec43044 100755
--- a/pipelines/azure-tests.yaml
+++ b/pipelines/azure-tests.yaml
@@ -79,5 +79,5 @@ jobs:
 # Override the path to make sure Azure doesn't interfere
 export PATH="/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 export REPO_NAME=${BUILD_REPOSITORY_NAME##*/}
- python -m pytest -p no:cacheprovider --durations=10 -rsx -xsvvv --disable-warnings
+ python -m pytest -p no:cacheprovider --durations=10 -rsx -xsvvv --disable-warnings -k 14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116
 displayName: Test
From 1c80e81041199978f1eb6923b879d0ff45bd6e96 Mon Sep 17 00:00:00 2001
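Review bot: `print(line)` writes the raw Box.js output to the service's stdout rather than the service logger, so it bypasses the log levels and log collection the rest of the file uses (`self.log.debug` in the `_extract_supplementary` hunk of patch 14); if the output is wanted, `self.log.debug(line)` keeps it in the same channel. The same stdout `print` calls are added in the `_extract_payloads` hunks of patches 14 and 17. All three read as debugging aids that should be removed before the series is merged. `_handle_boxjs_output` starts outside the hunk.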
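Review bot: `-k 14158b01…` restricts the CI run to a single sample, so every other regression fixture under `tests/results` is skipped for as long as it stays in the pipeline, and a green run no longer says anything about the other samples. If the selector is meant to be temporary, a `# TEMP: debugging 14158b01…, remove before merge` comment on the line makes that explicit; otherwise restore the unfiltered `python -m pytest ...` invocation.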
From: cccs-kevin
Date: Mon, 5 Feb 2024 21:13:18 +0000
Subject: [PATCH 14/26] Adding log fix for boxjs supplementary; Printing all boxjs file output
---
 jsjaws.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jsjaws.py b/jsjaws.py
index 3d512d66..079045ab 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -3089,6 +3089,7 @@ def _extract_payloads(self, sample_sha256: str, deep_scan: bool) -> None:
 box_js_payloads = []
 for file in sorted(listdir(boxjs_output_dir)):
+ print(file)
 if file not in snippet_keys:
 box_js_payloads.append((file, path.join(boxjs_output_dir, file)))
@@ -3417,7 +3418,7 @@ def _extract_supplementary(self, output: List[str]) -> None:
 "description": f"{BOX_JS} Output",
 "to_be_extracted": False,
 }
- self.log.debug(f"Adding supplementary file: {boxjs_analysis_log}")
+ self.log.debug(f"Adding supplementary file: {boxjs_analysis_log['path']}")
 self.artifact_list.append(boxjs_analysis_log)
 def _run_signatures(self, output: List[str], result: Result, display_iocs: bool = False) -> None:
From 5fb24cd13a7e1c10d20d277bd957cad77430b752 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Mon, 5 Feb 2024 21:20:55 +0000
Subject: [PATCH 15/26] Are the boxjs args affecting the ability to find the boxjs file somehow?
---
 jsjaws.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jsjaws.py b/jsjaws.py
index 079045ab..59560732 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -1062,9 +1062,9 @@ def _setup_boxjs_args(self, request: ServiceRequest, tool_timeout: int) -> List[
 # Fake file name to use for the sample being analyzed. Can be a full path or just
 # the file name to use. If you have '\' in the path escape them as '\\' in this
 # command line argument value (ex. --fake-sample-name=C:\\foo\\bar.js).
- f"--fake-sample-name={path.basename(request.task.file_name)}",
+ # f"--fake-sample-name={path.basename(request.task.file_name)}",
 # Fake that HTTP requests work and have them return a fake payload
- "--fake-download",
+ # "--fake-download",
 ]
 no_shell_error = request.get_param("no_shell_error")
From 20c1943d5a8922002992381aa0eac0a24a03dccf Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 13:42:15 +0000
Subject: [PATCH 16/26] Using fake-download since it is required for 1415...
---
 jsjaws.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jsjaws.py b/jsjaws.py
index 59560732..c75f2a9d 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -1064,7 +1064,7 @@ def _setup_boxjs_args(self, request: ServiceRequest, tool_timeout: int) -> List[
 # command line argument value (ex. --fake-sample-name=C:\\foo\\bar.js).
 # f"--fake-sample-name={path.basename(request.task.file_name)}",
 # Fake that HTTP requests work and have them return a fake payload
- # "--fake-download",
+ "--fake-download",
 ]
 no_shell_error = request.get_param("no_shell_error")
From d327e0489cf1f3da14205d781789955e02f3f514 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 13:55:54 +0000
Subject: [PATCH 17/26] Print file paths and file sizes
---
 jsjaws.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jsjaws.py b/jsjaws.py
index c75f2a9d..3c67d4d8 100755
--- a/jsjaws.py
+++ b/jsjaws.py
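Review bot: After patch 16 re-enables `--fake-download`, `# f"--fake-sample-name=…"` is still commented out at the end of this series, so the Box.js argument list carries a dead line whose intent a later reader cannot tell apart from a deliberate removal. Either delete it or restore it, and record the decision in the comment block above it, e.g. `# --fake-sample-name is intentionally not passed: <reason>`. Dropping the flag presumably also changes the script name Box.js reports in captured command lines, which the fixture updated in patch 10 expects to be the real file name, so that fixture would change again. `_setup_boxjs_args` starts outside the hunk.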
@@ -3089,7 +3089,8 @@ def _extract_payloads(self, sample_sha256: str, deep_scan: bool) -> None:
 box_js_payloads = []
 for file in sorted(listdir(boxjs_output_dir)):
- print(file)
+ print(path.join(boxjs_output_dir, file))
+ print(path.getsize(path.join(boxjs_output_dir, file)))
 if file not in snippet_keys:
 box_js_payloads.append((file, path.join(boxjs_output_dir, file)))
From 99f5633e7e8c7218c2498f43d5a3e2bcf6ee9c57 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 14:11:23 +0000
Subject: [PATCH 18/26] List all dependencies of npm modules
---
 pipelines/azure-tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml
index 7ec43044..8c7b5124 100755
--- a/pipelines/azure-tests.yaml
+++ b/pipelines/azure-tests.yaml
@@ -69,7 +69,7 @@ jobs:
 # Install Node packages
 cd tools
 npm install
- npm list
+ npm list --all
 displayName: Setup environment
 - script: |
 set -x # echo on
From ff26a76a87ead6118be45fddc0a7047955faf81d Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 14:33:42 +0000
Subject: [PATCH 19/26] Use fork for debugging
---
 tools/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/package.json b/tools/package.json
index 182652ae..9008bf27 100644
--- a/tools/package.json
+++ b/tools/package.json
@@ -15,7 +15,7 @@
 },
 "dependencies": {
 "@nodesecure/js-x-ray": ">=6.3.0",
- "box-js": ">=1.9.25",
+ "box-js": "github:cccs-kevin/box-js",
 "crypto-js": ">=4.2.0",
 "deobfuscator": ">=2.4.5",
 "entities": ">=4.5.0",
From e7ab1a05878596d5651564ba3eab990e246964fd Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 14:51:48 +0000
Subject: [PATCH 20/26] Attempting another way to npm install a git repo
---
 tools/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/package.json b/tools/package.json
index 9008bf27..f8f95abc 100644
--- a/tools/package.json
+++ b/tools/package.json
@@ -15,7 +15,7 @@
 },
 "dependencies": {
 "@nodesecure/js-x-ray": ">=6.3.0",
- "box-js": "github:cccs-kevin/box-js",
+ "box-js": "git://github.com/cccs-kevin/box-js.git#13440fe",
 "crypto-js": ">=4.2.0",
 "deobfuscator": ">=2.4.5",
 "entities": ">=4.5.0",
From 64f0eabbb9a4e24e5854944900791f5978ddbcec Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 14:59:59 +0000
Subject: [PATCH 21/26] Install git
---
 pipelines/azure-tests.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml
index 8c7b5124..c08d911e 100755
--- a/pipelines/azure-tests.yaml
+++ b/pipelines/azure-tests.yaml
@@ -52,6 +52,7 @@ jobs:
 - script: |
 set -exv # echo on
 cd assemblyline-service-jsjaws
+ apt-get install git
 [ ! -d "$(pwd)/tests" ] && echo "No tests found" && exit
 # Override the path to make sure Azure doesn't interfere
From 7c4ee132908e4196eb5309e1d128d6d56b4d0ead Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 15:03:14 +0000
Subject: [PATCH 22/26] Install git as sudo
---
 pipelines/azure-tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml
index c08d911e..414750eb 100755
--- a/pipelines/azure-tests.yaml
+++ b/pipelines/azure-tests.yaml
@@ -52,7 +52,7 @@ jobs:
 - script: |
 set -exv # echo on
 cd assemblyline-service-jsjaws
- apt-get install git
+ sudo apt-get install git
 [ ! -d "$(pwd)/tests" ] && echo "No tests found" && exit
 # Override the path to make sure Azure doesn't interfere
From b63c4102653e47739079426ca0e9df1d427d7965 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 15:07:38 +0000
Subject: [PATCH 23/26] Just use apt instead of apt-get
---
 pipelines/azure-tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml
index 414750eb..2b6e35fd 100755
--- a/pipelines/azure-tests.yaml
+++ b/pipelines/azure-tests.yaml
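Review bot: `git://github.com/cccs-kevin/box-js.git#13440fe` uses the unauthenticated git protocol, which provides no transport integrity and which GitHub stopped serving in 2022, so `npm install` cannot resolve it and, even where a `git://` mirror answered, nothing would verify who served the code. Use the HTTPS form with the full commit id so the lockfile pins an unambiguous revision: `"box-js": "git+https://github.com/cccs-kevin/box-js.git#<full-40-char-commit>"`. The abbreviated `13440fe` resolves today but can become ambiguous as the fork's history grows.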
@@ -52,7 +52,7 @@ jobs:
 - script: |
 set -exv # echo on
 cd assemblyline-service-jsjaws
- sudo apt-get install git
+ sudo apt install git
 [ ! -d "$(pwd)/tests" ] && echo "No tests found" && exit
 # Override the path to make sure Azure doesn't interfere
From 3f87defee0388cdfbd40679e2b45d9c1a906711d Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 15:15:30 +0000
Subject: [PATCH 24/26] No sudo, just apt
---
 pipelines/azure-tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml
index 2b6e35fd..24a40c6b 100755
--- a/pipelines/azure-tests.yaml
+++ b/pipelines/azure-tests.yaml
@@ -52,7 +52,7 @@ jobs:
 - script: |
 set -exv # echo on
 cd assemblyline-service-jsjaws
- sudo apt install git
+ apt install git
 [ ! -d "$(pwd)/tests" ] && echo "No tests found" && exit
 # Override the path to make sure Azure doesn't interfere
From 1c233fac5194cf44a297a897c2f02a1ac30917c2 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 15:21:04 +0000
Subject: [PATCH 25/26] Updating nightly Dockerfile to install git
---
 pipelines/azure-tests.yaml | 1 -
 pipelines/nightly.Dockerfile | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/pipelines/azure-tests.yaml b/pipelines/azure-tests.yaml
index 24a40c6b..8c7b5124 100755
--- a/pipelines/azure-tests.yaml
+++ b/pipelines/azure-tests.yaml
@@ -52,7 +52,6 @@ jobs:
 - script: |
 set -exv # echo on
 cd assemblyline-service-jsjaws
- apt install git
 [ ! -d "$(pwd)/tests" ] && echo "No tests found" && exit
 # Override the path to make sure Azure doesn't interfere
diff --git a/pipelines/nightly.Dockerfile b/pipelines/nightly.Dockerfile
index b1b2bda9..3f1c236d 100644
--- a/pipelines/nightly.Dockerfile
+++ b/pipelines/nightly.Dockerfile
@@ -2,7 +2,7 @@ FROM cccstemp.azurecr.io/assemblyline-root-build:stable AS base
 # Install necessary packages for service testing
 RUN apt-get update
-RUN apt-get install -y libfuzzy-dev libfuzzy2 curl
+RUN apt-get install -y libfuzzy-dev libfuzzy2 curl git
 # Pinning to this version of Node
 ENV NODE_VERSION=19.7.0
From 41e99416f9c177101c761e8d5bc4106069fd143c Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 6 Feb 2024 15:33:48 +0000
Subject: [PATCH 26/26] Install fork on nightly build
---
 pipelines/nightly.Dockerfile | 7 ++++++-
 tools/package.json | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/pipelines/nightly.Dockerfile b/pipelines/nightly.Dockerfile
index 3f1c236d..caf8d539 100644
--- a/pipelines/nightly.Dockerfile
+++ b/pipelines/nightly.Dockerfile
@@ -2,7 +2,7 @@ FROM cccstemp.azurecr.io/assemblyline-root-build:stable AS base
 # Install necessary packages for service testing
 RUN apt-get update
-RUN apt-get install -y libfuzzy-dev libfuzzy2 curl git
+RUN apt-get install -y libfuzzy-dev libfuzzy2 curl wget unzip
 # Pinning to this version of Node
 ENV NODE_VERSION=19.7.0
@@ -12,6 +12,11 @@ WORKDIR /usr/local
 RUN curl https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz --output node-v${NODE_VERSION}-linux-x64.tar.xz
 RUN tar -xJf node-v${NODE_VERSION}-linux-x64.tar.xz --strip 1
+RUN echo "Installing Box-JS"
+RUN mkdir /opt/al_support/
+RUN wget https://github.com/cccs-kevin/box-js/archive/refs/heads/master.zip -O /opt/al_support/box-js.zip
+RUN unzip /opt/al_support/box-js.zip -d /opt/al_support/box-js
+
 # Check the version of node and npm, just to be sure
 RUN node --version
 RUN npm --version
diff --git a/tools/package.json b/tools/package.json
index f8f95abc..559c62b3 100644
--- a/tools/package.json
+++ b/tools/package.json
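Review bot: `wget https://github.com/cccs-kevin/box-js/archive/refs/heads/master.zip` fetches the moving head of a personal fork with no commit pin and no checksum, replacing the `#13440fe` pin from patch 20, so each nightly build ships whatever that branch holds at build time and a force-push to, or compromise of, that branch lands directly in the sandbox image. Pin the archive to a commit and verify its digest before unpacking, and use `mkdir -p` so a rebuilt layer does not fail when the directory already exists. The extracted directory is then named after the commit rather than `box-js-master`, so the `file:` path in `tools/package.json` has to follow. Both values in the fence are placeholders to be filled in from the fork.
```dockerfile
RUN echo "Installing Box-JS"
# Immutable commit archive plus digest check: the image must not change when the fork's branch moves.
ARG BOXJS_COMMIT=<full-40-char-commit-sha>
ARG BOXJS_SHA256=<sha256-of-that-archive>
RUN mkdir -p /opt/al_support/ \
    && wget "https://github.com/cccs-kevin/box-js/archive/${BOXJS_COMMIT}.zip" -O /opt/al_support/box-js.zip \
    && echo "${BOXJS_SHA256}  /opt/al_support/box-js.zip" | sha256sum -c - \
    && unzip /opt/al_support/box-js.zip -d /opt/al_support/box-js
# … unchanged: node and npm version checks …
```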
@@ -15,7 +15,7 @@
 },
 "dependencies": {
 "@nodesecure/js-x-ray": ">=6.3.0",
- "box-js": "git://github.com/cccs-kevin/box-js.git#13440fe",
+ "box-js": "file:/opt/al_support/box-js/box-js-master",
 "crypto-js": ">=4.2.0",
 "deobfuscator": ">=2.4.5",
 "entities": ">=4.5.0",
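Review bot: `file:/opt/al_support/box-js/box-js-master` hard-codes a path that only exists inside the image built by `pipelines/nightly.Dockerfile`, so `npm install` in `tools/` fails in any other environment (a developer checkout, or a service image that does not run the same download step), and the directory name is coupled to the branch archive being unpacked there. If the fork is needed only for the nightly debugging build, keep a registry or `git+https://…#<commit>` spec in `package.json` and have the Dockerfile install the local copy explicitly (`npm install /opt/al_support/box-js/box-js-master`) after unpacking; otherwise document the expected layout in the README, since `package.json` cannot carry a comment.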