Merge pull request #731 from CybercentreCanada/AL-3231-js-jaws-possib…

…le-heuristics-signatures Al 3231 js jaws possible heuristics signatures [dev]
CybercentreCanada · Jun 14, 2024 · ed62560 · ed62560
2 parents a2d37ef + 1497e1a
commit ed62560
Show file tree

Hide file tree

Showing 10 changed files with 209 additions and 54 deletions.
diff --git a/jsjaws.py b/jsjaws.py
diff --git a/signatures/active_x_object.py b/signatures/active_x_object.py
@@ -1,10 +1,12 @@
 """
 These are all of the signatures related to using ActiveXObjects
 """
+
 from signatures.abstracts import Signature
 
 
 class ActiveXObject(Signature):
+    # Supported by https://github.com/target/strelka/blob/3439953e6aa2dafb68ea73c3977da11f87aeacdf/src/python/strelka/scanners/scan_javascript.py#L35
     def __init__(self):
         super().__init__(
             heuristic_id=3,

diff --git a/signatures/decode.py b/signatures/decode.py
@@ -7,6 +7,7 @@
 
 class Unescape(Signature):
     # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/ad3105ab9d3363df013ff95bae218f5c374a93fb/Systems/Multiple/malicious_html_codes.json#L27
+    # Supported by https://github.com/target/strelka/blob/3439953e6aa2dafb68ea73c3977da11f87aeacdf/src/python/strelka/scanners/scan_javascript.py#L33
     # https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/unescape
     def __init__(self):
         super().__init__(
@@ -101,6 +102,7 @@ def process_output(self, output):
 
 
 class CryptoJSObfuscation(Signature):
+    # Supported by https://github.com/target/strelka/blob/3439953e6aa2dafb68ea73c3977da11f87aeacdf/src/python/strelka/scanners/scan_javascript.py#L41
     def __init__(self):
         super().__init__(
             heuristic_id=3,

diff --git a/signatures/network.py b/signatures/network.py
@@ -1,11 +1,13 @@
 """
 These are all of the signatures related to making network requests
 """
+
 from signatures.abstracts import ALL, Signature
 
 
 class PrepareNetworkRequest(Signature):
     # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/ad3105ab9d3363df013ff95bae218f5c374a93fb/Systems/Multiple/malicious_html_codes.json#L47
+    # Supported by https://github.com/target/strelka/blob/3439953e6aa2dafb68ea73c3977da11f87aeacdf/src/python/strelka/scanners/scan_javascript.py#L36
     def __init__(self):
         super().__init__(
             heuristic_id=3,
@@ -90,3 +92,19 @@ def process_output(self, output):
             {"method": ALL, "indicators": self.indicators},
         ]
         self.check_multiple_indicators_in_list(output, indicator_list)
+
+
+class WebSocketUsage(Signature):
+    # Inspired by https://github.com/target/strelka/blob/3439953e6aa2dafb68ea73c3977da11f87aeacdf/src/python/strelka/scanners/scan_javascript.py#L40
+    # https://developer.mozilla.org/en-US/docs/Web/API/WebSocket
+    def __init__(self):
+        super().__init__(
+            heuristic_id=3,
+            name="websocket_usage",
+            description="WebSocket object was used for communicating with a server",
+            indicators=["WebSocket("],
+            severity=0,
+        )
+
+    def process_output(self, output):
+        self.check_indicators_in_list(output)
diff --git a/signatures/suspicious_function_call.py b/signatures/suspicious_function_call.py
@@ -1,6 +1,7 @@
 """
 These are all of the signatures related to using suspicious function calls
 """
+
 from signatures.abstracts import Signature
 
 
@@ -39,3 +40,19 @@ def __init__(self):
 
     def process_output(self, output):
         self.check_indicators_in_list(output, match_all=True)
+
+
+class ExecCommandUsage(Signature):
+    # Inspired by https://github.com/target/strelka/blob/3439953e6aa2dafb68ea73c3977da11f87aeacdf/src/python/strelka/scanners/scan_javascript.py#L34
+    # https://developer.mozilla.org/en-US/docs/Web/API/document/execCommand
+    def __init__(self):
+        super().__init__(
+            heuristic_id=3,
+            name="execcommand_usage",
+            description="Executes command, possibly related to clipboard access, or editing forms and documents.",
+            indicators=["execCommand("],
+            severity=0,
+        )
+
+    def process_output(self, output):
+        self.check_indicators_in_list(output, match_all=True)
diff --git a/signatures/suspicious_process.py b/signatures/suspicious_process.py
@@ -1,10 +1,12 @@
 """
 These are all of the signatures related to the presence of suspicious processes
 """
+
 from signatures.abstracts import Signature
 
 
 class SuspiciousProcess(Signature):
+    # Supported by https://github.com/target/strelka/blob/3439953e6aa2dafb68ea73c3977da11f87aeacdf/src/python/strelka/scanners/scan_javascript.py#L42
     def __init__(self):
         super().__init__(
             heuristic_id=3,
@@ -20,6 +22,7 @@ def process_output(self, output):
 
 class EvalUsage(Signature):
     # Inspired by https://github.com/CYB3RMX/Qu1cksc0pe/blob/ad3105ab9d3363df013ff95bae218f5c374a93fb/Systems/Multiple/malicious_html_codes.json#L7
+    # Supported by https://github.com/target/strelka/blob/3439953e6aa2dafb68ea73c3977da11f87aeacdf/src/python/strelka/scanners/scan_javascript.py#L31
     # https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
     # https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
     def __init__(self):

diff --git a/tests/results/a822a0ad8bdf6afe197ae4eb4d375f988e30224c4af13e04110e6dcdcd77c836/result.json b/tests/results/a822a0ad8bdf6afe197ae4eb4d375f988e30224c4af13e04110e6dcdcd77c836/result.json
@@ -36,7 +36,9 @@
           "heur_id": 25,
           "score": 100,
           "score_map": {},
-          "signatures": {}
+          "signatures": {
+            "short_form": 1
+          }
         },
         "promote_to": null,
         "tags": {},
@@ -986,7 +988,9 @@
       {
         "attack_ids": [],
         "heur_id": 25,
-        "signatures": []
+        "signatures": [
+          "short_form"
+        ]
       },
       {
         "attack_ids": [],

diff --git a/tests/results/b96949f50cf1cf7e6abe4c3e1d77902e694b1098a57619e68bfe7afb5aa1c19d/result.json b/tests/results/b96949f50cf1cf7e6abe4c3e1d77902e694b1098a57619e68bfe7afb5aa1c19d/result.json
@@ -56,7 +56,9 @@
           "heur_id": 25,
           "score": 100,
           "score_map": {},
-          "signatures": {}
+          "signatures": {
+            "short_form": 1
+          }
         },
         "promote_to": null,
         "tags": {},
@@ -856,7 +858,9 @@
       {
         "attack_ids": [],
         "heur_id": 25,
-        "signatures": []
+        "signatures": [
+          "short_form"
+        ]
       },
       {
         "attack_ids": [],

diff --git a/tools/malwarejail/env/web/web.js b/tools/malwarejail/env/web/web.js
@@ -6318,10 +6318,6 @@ URLPattern = function () {
     util_log(">>> FIXME: URLPattern used");
     return URLPattern;
 }
-URLSearchParams = function () {
-    util_log(">>> FIXME: URLSearchParams used");
-    return URLSearchParams;
-}
 USB = function () {
     util_log(">>> FIXME: USB used");
     return USB;

diff --git a/tools/malwarejail/jailme.js b/tools/malwarejail/jailme.js
@@ -283,6 +283,7 @@ sandbox.TextDecoder = TextDecoder;
 sandbox.TextDecoderStream = TextDecoderStream;
 sandbox.TextEncoder = TextEncoder;
 sandbox.TextEncoderStream = TextEncoderStream;
+sandbox.URLSearchParams = URLSearchParams;
 
 process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";