From b220ed9ff07f3ea5d4eb10104cf1773e00610e87 Mon Sep 17 00:00:00 2001
From: Kevin Hardy-Cooper
Date: Wed, 22 Sep 2021 11:20:35 -0400
Subject: [PATCH] Changing name of config that displays marks, setting all scores to 0
---
 README.md | 2 ++
 jsjaws.py | 10 +++++-----
 service_manifest.yml | 12 ++++++------
 signatures/active_x_object.py | 4 ++--
 signatures/automation_object.py | 4 ++--
 signatures/decode.py | 2 +-
 signatures/network.py | 4 ++--
 signatures/reconnaissance.py | 6 +++---
 signatures/runs_shell.py | 14 +++++++-------
 signatures/save_to_file.py | 2 +-
 signatures/script_control.py | 4 ++--
 signatures/sleep.py | 4 ++--
 signatures/suspicious_process.py | 2 +-
 signatures/wmi.py | 2 +-
 test/test_jsjaws.py | 4 ++--
 15 files changed, 39 insertions(+), 37 deletions(-)
diff --git a/README.md b/README.md
index cbb7dea1..f361c1bf 100755
--- a/README.md
+++ b/README.md
@@ -1,4 +1,6 @@
 # JsJaws Service
+**[NOTE: THIS SERVICE IS UNDER HEAVY DEVELOPMENT]**
+
 This Assemblyline service integrates components from two open-source projects:
 * [Malware Jail](https://github.com/HynekPetrak/malware-jail), which provides a sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction.
diff --git a/jsjaws.py b/jsjaws.py
index 1fcc1fd3..0d6dbf5d 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -148,7 +148,7 @@ def execute(self, request: ServiceRequest) -> None:
 add_supplementary = request.get_param("add_supplementary")
 static_signatures = request.get_param("static_signatures")
 no_shell_error = request.get_param("no_shell_error")
- display_sig_marks = request.get_param("display_sig_marks")
+ display_iocs = request.get_param("display_iocs")
 # --loglevel Logging level (debug, verbose, info, warning, error - default "info")
 # --no-kill Do not kill the application when runtime errors occur
@@ -258,7 +258,7 @@ def execute(self, request: ServiceRequest) -> None:
 total_output = boxjs_output + malware_jail_output + static_file_lines
 else:
 total_output = boxjs_output + malware_jail_output
- self._run_signatures(total_output, request.result, display_sig_marks)
+ self._run_signatures(total_output, request.result, display_iocs)
 self._extract_boxjs_iocs(request.result)
 self._extract_malware_jail_iocs(malware_jail_output, request.result)
@@ -527,13 +527,13 @@ def _extract_iocs_from_text_blob(self, blob: str, result_section: ResultSection,
 if ioc_extracted and result_section.heuristic is None:
 result_section.set_heuristic(2)
- def _run_signatures(self, output: List[str], result: Result, display_sig_marks: bool = False) -> None:
+ def _run_signatures(self, output: List[str], result: Result, display_iocs: bool = False) -> None:
 """
 This method sets up the parallelized signature engine and runs each signature against the stdout from MalwareJail
 :param output: A list of strings where each string is a line of stdout from the MalwareJail tool
 :param result: A Result object containing the service results
- :param display_sig_marks: A boolean indicating if we are going to include the signature marks in the
+ :param display_iocs: A boolean indicating if we are going to include the signature marks in the
 ResultSection
 :return: None
 """
@@ -578,7 +578,7 @@ def _run_signatures(self, output: List[str], result: Result, display_sig_marks:
 sig_res_sec.set_heuristic(sig_that_hit.heuristic_id)
 translated_score = TRANSLATED_SCORE[sig_that_hit.severity]
 sig_res_sec.heuristic.add_signature_id(sig_that_hit.name, score=translated_score)
- if display_sig_marks:
+ if display_iocs:
 for mark in sig_that_hit.marks:
 sig_res_sec.add_line(f"\t\t{truncate(mark)}")
diff --git a/service_manifest.yml b/service_manifest.yml
index 0e65cfa7..24def87b 100755
--- a/service_manifest.yml
+++ b/service_manifest.yml
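Review bot: In the `@@ -527` hunk the renamed parameter `display_iocs` is still documented as deciding whether "the signature marks" are included, and the code it gates in the `@@ -578` hunk still appends `sig_that_hit.marks`, so the new name and the documented contract no longer agree. Either keep the wording honest about what is emitted or say how marks relate to IOCs, e.g. `:param display_iocs: A boolean indicating if the signature marks (reported as IOCs) are included in the` with `ResultSection` staying on the following line. Note also that the manifest changes this parameter's default from false to true, so `request.get_param("display_iocs")` in the `@@ -148` hunk now yields true for every submission that does not set it explicitly; the docstring default of `False` on the method is then only the in-code fallback. The bodies of `execute` and `_run_signatures` continue outside these hunks.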
@@ -40,10 +40,10 @@ submission_params:
 type: bool
 value: true
- - default: false
- name: display_sig_marks
+ - default: true
+ name: display_iocs
 type: bool
- value: false
+ value: true
 # Box.js parameters
 - default: false
@@ -86,19 +86,19 @@ submission_params:
 heuristics:
 - heur_id: 1
 name: Network Traffic Detected
- score: 500
+ score: 1
 filetype: '*'
 description: Malware Sandbox Tool(s) detected network traffic.
 - heur_id: 2
 name: IOC(s) Extracted
- score: 250
+ score: 1
 filetype: '*'
 description: At least one IOC has been extracted.
 - heur_id: 3
 name: Suspicious Activity Detected
- score: 250
+ score: 1
 filetype: '*'
 description: Suspicious activity was detected during execution.
diff --git a/signatures/active_x_object.py b/signatures/active_x_object.py
index e2c7fc7a..11d6fd55 100644
--- a/signatures/active_x_object.py
+++ b/signatures/active_x_object.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="active_x_object",
 description="JavaScript creates an ActiveXObject",
 indicators=["ActiveXObject"],
- severity=1
+ severity=0
 )
 def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
 name="xml_http",
 description="JavaScript creates an ActiveXObject to perform XML HTTP requests",
 indicators=["ActiveXObject", "Microsoft.XMLHTTP"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/automation_object.py b/signatures/automation_object.py
index e0139cde..324bd880 100644
--- a/signatures/automation_object.py
+++ b/signatures/automation_object.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="auto_object",
 description="JavaScript creates an AutomationObject",
 indicators=["AutomationObject"],
- severity=1
+ severity=0
 )
 def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
 name="auto_object_winmgmts",
 description="JavaScript creates an AutomationObject that uses winmgmts",
 indicators=["AutomationObject", "winmgmts"],
- severity=3
+ severity=0
 )
 def process_output(self, output):
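Review bot: The commit subject says "setting all scores to 0", but the `@@ -86` hunk sets each heuristic `score` to 1 (down from 500/250/250), so the manifest and the message disagree and a reader cannot tell which value was intended. With all three heuristics at the same score the service verdict no longer distinguishes "Network Traffic Detected" from a generic IOC extraction or "Suspicious Activity Detected", which removes the only weighting a downstream consumer could rely on. If the flattening is deliberate while the service is under heavy development (per the README hunk), a comment beside the first changed value such as `score: 1  # temporarily flattened; restore per-heuristic weights before release` would stop a later maintainer from treating 1 as the tuned figure. The `@@ -40` hunk also flips the `display_iocs` default and value from false to true, which changes the output of every submission that does not set the parameter explicitly and deserves a line in the commit description.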
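Review bot: Both constructors in this file now pass `severity=0`, and the same change is made in automation_object.py, decode.py, network.py, reconnaissance.py, runs_shell.py, save_to_file.py, script_control.py, sleep.py, suspicious_process.py and wmi.py; `_run_signatures` in jsjaws.py (the `@@ -578` hunk) looks that value up as `TRANSLATED_SCORE[sig_that_hit.severity]`, and the table is not visible in this diff, so please confirm it has a key for 0 or every signature hit will fail with a KeyError at scoring time. The change also discards the ranking the old values carried (for example `wmi` and `auto_object_winmgmts` at 3 and the PowerShell `runs_*` signatures at 2 against `sleep` at 1), so a PowerShell execution-policy bypass and a plain `setTimeout` now contribute identically. If that is a temporary state, recording it once on a constructor as `severity=0  # TODO: restore severity ranking once scoring is re-tuned` would keep the intent with the code. Each `__init__` begins before its hunk.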
diff --git a/signatures/decode.py b/signatures/decode.py
index 1185794d..eca75df5 100644
--- a/signatures/decode.py
+++ b/signatures/decode.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="unescape",
 description="JavaScript uses unescape() to decode an encoded string",
 indicators=["unescape"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/network.py b/signatures/network.py
index 599ce341..9744ce99 100644
--- a/signatures/network.py
+++ b/signatures/network.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="prepare_network_request",
 description="JavaScript prepares a network request",
 indicators=[".setRequestHeader(", "User-Agent", "XMLHttpRequest("],
- severity=1
+ severity=0
 )
 def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
 name="network_request",
 description="JavaScript sends a network request",
 indicators=[".send()"],
- severity=1
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/reconnaissance.py b/signatures/reconnaissance.py
index 32059883..a9f1861b 100644
--- a/signatures/reconnaissance.py
+++ b/signatures/reconnaissance.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="env_str_recon",
 description="JavaScript looks at the environment strings",
 indicators=[".ExpandEnvironmentStrings"],
- severity=1
+ severity=0
 )
 def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
 name="drive_object",
 description="JavaScript creates an object representing a hard drive",
 indicators=["DriveObject"],
- severity=1
+ severity=0
 )
 def process_output(self, output):
@@ -39,7 +39,7 @@ def __init__(self):
 name="file_system_object",
 description="JavaScript creates an ActiveXObject to gain access to the computer's file system",
 indicators=["Scripting.FileSystemObject"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/runs_shell.py b/signatures/runs_shell.py
index 3066d930..aa3bb149 100755
--- a/signatures/runs_shell.py
+++ b/signatures/runs_shell.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="runs_shell",
 description="JavaScript runs code via shell",
 indicators=["WScript.Shell", ".Run"],
- severity=1
+ severity=0
 )
 def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
 name="runs_executable",
 description="JavaScript runs dropped executable",
 indicators=["WScript.Shell", ".Run", ".exe"],
- severity=2,
+ severity=0,
 safelist=["cmd.exe"]
 )
@@ -40,7 +40,7 @@ def __init__(self):
 name="runs_cmd_prompt",
 description="JavaScript runs Command Prompt via cmd.exe",
 indicators=["WScript.Shell", ".Run", "cmd.exe"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
@@ -54,7 +54,7 @@ def __init__(self):
 name="runs_ps1",
 description="JavaScript runs PowerShell via powershell.exe",
 indicators=["WScript.Shell", ".Run", "powershell.exe"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
@@ -68,7 +68,7 @@ def __init__(self):
 name="runs_elevated_ps1",
 description="JavaScript runs elevated PowerShell via powershell.exe",
 indicators=["powershell.exe", "-ExecutionPolicy", "bypass"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
@@ -82,7 +82,7 @@ def __init__(self):
 name="runs_hidden_ps1",
 description="JavaScript runs PowerShell via powershell.exe in a hidden window",
 indicators=["powershell.exe", "-windowstype", "hidden"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
@@ -96,7 +96,7 @@ def __init__(self):
 name="runs_ps1_no_profile",
 description="JavaScript runs PowerShell via powershell.exe with no profile",
 indicators=["powershell.exe", "-noprofile"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/save_to_file.py b/signatures/save_to_file.py
index fbe460f9..43cffe8d 100755
--- a/signatures/save_to_file.py
+++ b/signatures/save_to_file.py
@@ -25,7 +25,7 @@ def __init__(self):
 name="writes_executable",
 description="JavaScript writes executable file to disk",
 indicators=["SaveToFile", ".exe"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/script_control.py b/signatures/script_control.py
index 829402ab..b4fced4e 100755
--- a/signatures/script_control.py
+++ b/signatures/script_control.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="script_control",
 description="JavaScript uses MSScriptControl to run a script",
 indicators=["WScript.CreateObject", "MSScriptControl.ScriptControl"],
- severity=1
+ severity=0
 )
 def process_output(self, output):
@@ -25,7 +25,7 @@ def __init__(self):
 name="script_control_vbs",
 description="JavaScript uses MSScriptControl to write and run a VBScript",
 indicators=["MSScriptControl.ScriptControl", ".Language", "VBScript"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/sleep.py b/signatures/sleep.py
index 43e46e6d..4bb907e3 100755
--- a/signatures/sleep.py
+++ b/signatures/sleep.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="sleep",
 description="JavaScript attempts to sleep",
 indicators=["WScript.Sleep", ".setTimeout("],
- severity=1
+ severity=0
 )
 def process_output(self, output):
@@ -27,7 +27,7 @@ def __init__(self):
 name="antisandbox_timeout",
 description="JavaScript file managed to delay execution until the sandbox timed out",
 indicators=["Script execution timed out after"],
- severity=2
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/suspicious_process.py b/signatures/suspicious_process.py
index b0d26e10..360ca4df 100644
--- a/signatures/suspicious_process.py
+++ b/signatures/suspicious_process.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="suspicious_process",
 description="JavaScript uses a suspicious process",
 indicators=["winmgmts", "eval(", "uneval("],
- severity=2
+ severity=0
 )
 def process_output(self, output):
diff --git a/signatures/wmi.py b/signatures/wmi.py
index b83d640f..f0f7e38e 100644
--- a/signatures/wmi.py
+++ b/signatures/wmi.py
@@ -11,7 +11,7 @@ def __init__(self):
 name="wmi",
 description="JavaScript use Window Management Instrumentation",
 indicators=[".ExecQuery"],
- severity=3
+ severity=0
 )
 def process_output(self, output):
diff --git a/test/test_jsjaws.py b/test/test_jsjaws.py
index 029750c3..57a66683 100755
--- a/test/test_jsjaws.py
+++ b/test/test_jsjaws.py
@@ -204,7 +204,7 @@ def test_execute(sample, jsjaws_class_instance, dummy_completed_process_instance
 "add_supplementary": False,
 "static_signatures": True,
 "no_shell_error": False,
- "display_sig_marks": False
+ "display_iocs": False
 }
 jsjaws_class_instance._task = task
 service_request = ServiceRequest(task)
@@ -503,7 +503,7 @@ def test_run_signatures(jsjaws_class_instance):
 correct_subsection.set_heuristic(3)
 correct_subsection.heuristic.add_signature_id("save_to_file", score=10)
 jsjaws_class_instance._run_signatures(output, result)
- jsjaws_class_instance._run_signatures(output, result, display_sig_marks=True)
+ jsjaws_class_instance._run_signatures(output, result, display_iocs=True)
 assert check_section_equality(result.sections[0], correct_section)
 correct_subsection.add_line("\t\tSaveToFile")
 assert check_section_equality(result.sections[1], correct_section)