Changing name of config that displays marks, setting all scores to 0

README.md

@@ -1,4 +1,6 @@
 # JsJaws Service
+**[NOTE: THIS SERVICE IS UNDER HEAVY DEVELOPMENT]**
+
 This Assemblyline service integrates components from two open-source projects:
 * [Malware Jail](https://github.com/HynekPetrak/malware-jail), which provides a sandbox for semi-automatic Javascript 
   malware analysis, deobfuscation and payload extraction.

jsjaws.py

@@ -148,7 +148,7 @@ def execute(self, request: ServiceRequest) -> None:
         add_supplementary = request.get_param("add_supplementary")
         static_signatures = request.get_param("static_signatures")
         no_shell_error = request.get_param("no_shell_error")
-        display_sig_marks = request.get_param("display_sig_marks")
+        display_iocs = request.get_param("display_iocs")
 
         # --loglevel             Logging level (debug, verbose, info, warning, error - default "info")
         # --no-kill              Do not kill the application when runtime errors occur
@@ -258,7 +258,7 @@ def execute(self, request: ServiceRequest) -> None:
             total_output = boxjs_output + malware_jail_output + static_file_lines
         else:
             total_output = boxjs_output + malware_jail_output
-        self._run_signatures(total_output, request.result, display_sig_marks)
+        self._run_signatures(total_output, request.result, display_iocs)
 
         self._extract_boxjs_iocs(request.result)
         self._extract_malware_jail_iocs(malware_jail_output, request.result)
@@ -527,13 +527,13 @@ def _extract_iocs_from_text_blob(self, blob: str, result_section: ResultSection,
         if ioc_extracted and result_section.heuristic is None:
             result_section.set_heuristic(2)
 
-    def _run_signatures(self, output: List[str], result: Result, display_sig_marks: bool = False) -> None:
+    def _run_signatures(self, output: List[str], result: Result, display_iocs: bool = False) -> None:
         """
         This method sets up the parallelized signature engine and runs each signature against the
         stdout from MalwareJail
         :param output: A list of strings where each string is a line of stdout from the MalwareJail tool
         :param result: A Result object containing the service results
-        :param display_sig_marks: A boolean indicating if we are going to include the signature marks in the
+        :param display_iocs: A boolean indicating if we are going to include the signature marks in the
         ResultSection
         :return: None
         """
@@ -578,7 +578,7 @@ def _run_signatures(self, output: List[str], result: Result, display_sig_marks:
                 sig_res_sec.set_heuristic(sig_that_hit.heuristic_id)
                 translated_score = TRANSLATED_SCORE[sig_that_hit.severity]
                 sig_res_sec.heuristic.add_signature_id(sig_that_hit.name, score=translated_score)
-                if display_sig_marks:
+                if display_iocs:
                     for mark in sig_that_hit.marks:
                         sig_res_sec.add_line(f"\t\t{truncate(mark)}")
 

service_manifest.yml

@@ -40,10 +40,10 @@ submission_params:
     type: bool
     value: true
 
-  - default: false
-    name: display_sig_marks
+  - default: true
+    name: display_iocs
     type: bool
-    value: false
+    value: true
 
   # Box.js parameters
   - default: false
@@ -86,19 +86,19 @@ submission_params:
 heuristics:
   - heur_id: 1
     name: Network Traffic Detected
-    score: 500
+    score: 1
     filetype: '*'
     description: Malware Sandbox Tool(s) detected network traffic.
 
   - heur_id: 2
     name: IOC(s) Extracted
-    score: 250
+    score: 1
     filetype: '*'
     description: At least one IOC has been extracted.
 
   - heur_id: 3
     name: Suspicious Activity Detected
-    score: 250
+    score: 1
     filetype: '*'
     description: Suspicious activity was detected during execution.
 

signatures/active_x_object.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="active_x_object",
             description="JavaScript creates an ActiveXObject",
             indicators=["ActiveXObject"],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
             name="xml_http",
             description="JavaScript creates an ActiveXObject to perform XML HTTP requests",
             indicators=["ActiveXObject", "Microsoft.XMLHTTP"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):

signatures/automation_object.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="auto_object",
             description="JavaScript creates an AutomationObject",
             indicators=["AutomationObject"],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
             name="auto_object_winmgmts",
             description="JavaScript creates an AutomationObject that uses winmgmts",
             indicators=["AutomationObject", "winmgmts"],
-            severity=3
+            severity=0
         )
 
     def process_output(self, output):

signatures/decode.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="unescape",
             description="JavaScript uses unescape() to decode an encoded string",
             indicators=["unescape"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):

signatures/network.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="prepare_network_request",
             description="JavaScript prepares a network request",
             indicators=[".setRequestHeader(", "User-Agent", "XMLHttpRequest("],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
             name="network_request",
             description="JavaScript sends a network request",
             indicators=[".send()"],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):

signatures/reconnaissance.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="env_str_recon",
             description="JavaScript looks at the environment strings",
             indicators=[".ExpandEnvironmentStrings"],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
             name="drive_object",
             description="JavaScript creates an object representing a hard drive",
             indicators=["DriveObject"],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):
@@ -39,7 +39,7 @@ def __init__(self):
             name="file_system_object",
             description="JavaScript creates an ActiveXObject to gain access to the computer's file system",
             indicators=["Scripting.FileSystemObject"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):

signatures/runs_shell.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="runs_shell",
             description="JavaScript runs code via shell",
             indicators=["WScript.Shell", ".Run"],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
             name="runs_executable",
             description="JavaScript runs dropped executable",
             indicators=["WScript.Shell", ".Run", ".exe"],
-            severity=2,
+            severity=0,
             safelist=["cmd.exe"]
         )
 
@@ -40,7 +40,7 @@ def __init__(self):
             name="runs_cmd_prompt",
             description="JavaScript runs Command Prompt via cmd.exe",
             indicators=["WScript.Shell", ".Run", "cmd.exe"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):
@@ -54,7 +54,7 @@ def __init__(self):
             name="runs_ps1",
             description="JavaScript runs PowerShell via powershell.exe",
             indicators=["WScript.Shell", ".Run", "powershell.exe"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):
@@ -68,7 +68,7 @@ def __init__(self):
             name="runs_elevated_ps1",
             description="JavaScript runs elevated PowerShell via powershell.exe",
             indicators=["powershell.exe", "-ExecutionPolicy", "bypass"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):
@@ -82,7 +82,7 @@ def __init__(self):
             name="runs_hidden_ps1",
             description="JavaScript runs PowerShell via powershell.exe in a hidden window",
             indicators=["powershell.exe", "-windowstype", "hidden"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):
@@ -96,7 +96,7 @@ def __init__(self):
             name="runs_ps1_no_profile",
             description="JavaScript runs PowerShell via powershell.exe with no profile",
             indicators=["powershell.exe", "-noprofile"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):

signatures/save_to_file.py

@@ -25,7 +25,7 @@ def __init__(self):
             name="writes_executable",
             description="JavaScript writes executable file to disk",
             indicators=["SaveToFile", ".exe"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):

signatures/script_control.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="script_control",
             description="JavaScript uses MSScriptControl to run a script",
             indicators=["WScript.CreateObject", "MSScriptControl.ScriptControl"],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
             name="script_control_vbs",
             description="JavaScript uses MSScriptControl to write and run a VBScript",
             indicators=["MSScriptControl.ScriptControl", ".Language", "VBScript"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):

signatures/sleep.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="sleep",
             description="JavaScript attempts to sleep",
             indicators=["WScript.Sleep", ".setTimeout("],
-            severity=1
+            severity=0
         )
 
     def process_output(self, output):
@@ -27,7 +27,7 @@ def __init__(self):
             name="antisandbox_timeout",
             description="JavaScript file managed to delay execution until the sandbox timed out",
             indicators=["Script execution timed out after"],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):

signatures/suspicious_process.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="suspicious_process",
             description="JavaScript uses a suspicious process",
             indicators=["winmgmts", "eval(", "uneval("],
-            severity=2
+            severity=0
         )
 
     def process_output(self, output):

signatures/wmi.py

@@ -11,7 +11,7 @@ def __init__(self):
             name="wmi",
             description="JavaScript use Window Management Instrumentation",
             indicators=[".ExecQuery"],
-            severity=3
+            severity=0
         )
 
     def process_output(self, output):

test/test_jsjaws.py

@@ -204,7 +204,7 @@ def test_execute(sample, jsjaws_class_instance, dummy_completed_process_instance
             "add_supplementary": False,
             "static_signatures": True,
             "no_shell_error": False,
-            "display_sig_marks": False
+            "display_iocs": False
         }
         jsjaws_class_instance._task = task
         service_request = ServiceRequest(task)
@@ -503,7 +503,7 @@ def test_run_signatures(jsjaws_class_instance):
         correct_subsection.set_heuristic(3)
         correct_subsection.heuristic.add_signature_id("save_to_file", score=10)
         jsjaws_class_instance._run_signatures(output, result)
-        jsjaws_class_instance._run_signatures(output, result, display_sig_marks=True)
+        jsjaws_class_instance._run_signatures(output, result, display_iocs=True)
         assert check_section_equality(result.sections[0], correct_section)
         correct_subsection.add_line("\t\tSaveToFile")
         assert check_section_equality(result.sections[1], correct_section)