Extracting IOCs from MalwareJail output

CybercentreCanada · Sep 8, 2021 · 180c28f · 180c28f
1 parent 7b600e2
commit 180c28f
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/jsjaws.py b/jsjaws.py
@@ -261,6 +261,7 @@ def execute(self, request: ServiceRequest) -> None:
         self._run_signatures(total_output, request.result, display_sig_marks)
 
         self._extract_boxjs_iocs(request.result)
+        self._extract_malware_jail_iocs(malware_jail_output, request.result)
         self._extract_wscript(total_output, request.result)
         self._extract_doc_writes(malware_jail_output)
         self._extract_payloads(request.sha256, request.deep_scan)
@@ -706,6 +707,13 @@ def _flag_jsxray_iocs(output: Dict[str, Any], result: Result) -> None:
             jsxray_iocs_result_section.set_heuristic(2)
             result.add_section(jsxray_iocs_result_section)
 
+    def _extract_malware_jail_iocs(self, output: List[str], result: Result) -> None:
+        malware_jail_res_sec = ResultSection("MalwareJail extracted the following IOCs")
+        for line in output:
+            self._extract_iocs_from_text_blob(line, malware_jail_res_sec, ".js")
+        if len(malware_jail_res_sec.tags) > 0:
+            result.add_section(malware_jail_res_sec)
+
     def _run_tool(self, tool_name: str, args: List[str], tool_timeout: int, resp: Dict[str, Any], get_stdout: bool = False, split: bool = False) -> None:
         self.log.debug(f"Running {tool_name}...")
         start_time = time()

diff --git a/test/test_jsjaws.py b/test/test_jsjaws.py
@@ -598,3 +598,18 @@ def test_get_id_from_data(data, expected_result):
             f.write(b"blah")
         assert get_id_from_data(some_file) == expected_result
         remove(some_file)
+
+    @staticmethod
+    def test_extract_malware_jail_iocs(jsjaws_class_instance):
+        from assemblyline_v4_service.common.result import Result, ResultSection
+        correct_res_sec = ResultSection("MalwareJail extracted the following IOCs")
+        correct_res_sec.set_heuristic(2)
+        correct_res_sec.tags = {
+            "network.dynamic.domain": ["blah.com"],
+            "network.dynamic.uri": ["https://blah.com/blah.exe"],
+            "network.dynamic.uri_path": ["/blah.exe"],
+        }
+        res = Result()
+        output = ["https://blah.com/blah.exe"]
+        jsjaws_class_instance._extract_malware_jail_iocs(output, res)
+        assert check_section_equality(res.sections[0], correct_res_sec)