Sort Box-js IOCs; Bugfix in registry key output; update tests

CybercentreCanada · Jan 18, 2024 · 670912f · 670912f
1 parent 2cc6092
commit 670912f
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 60 deletions.
diff --git a/jsjaws.py b/jsjaws.py
@@ -3667,78 +3667,85 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
             file_writes_result_section = ResultTextSection(
                 "The script wrote the following files", parent=ioc_result_section
             )
-            file_writes_result_section.add_lines(list(file_writes))
+            sorted_file_writes = sorted(file_writes)
+            file_writes_result_section.add_lines(sorted_file_writes)
             [
                 file_writes_result_section.add_tag("dynamic.process.file_name", file_write)
-                for file_write in list(file_writes)
+                for file_write in sorted_file_writes
             ]
 
         if file_reads:
             file_reads_result_section = ResultTextSection(
                 "The script read the following files", parent=ioc_result_section
             )
-            file_reads_result_section.add_lines(list(file_reads))
+            sorted_file_reads = sorted(file_reads)
+            file_reads_result_section.add_lines(sorted_file_reads)
             [
                 file_reads_result_section.add_tag("dynamic.process.file_name", file_read)
-                for file_read in list(file_reads)
+                for file_read in sorted_file_reads
             ]
 
         if file_folder_exists:
             file_folder_exists_result_section = ResultTextSection(
                 "The script checked if the following files/folders existed", parent=ioc_result_section
             )
-            file_folder_exists_result_section.add_lines(list(file_folder_exists))
+            sorted_file_folder_exists = sorted(file_folder_exists)
+            file_folder_exists_result_section.add_lines(sorted_file_folder_exists)
             [
                 file_folder_exists_result_section.add_tag("dynamic.process.file_name", file_folder_exist)
-                for file_folder_exist in list(file_folder_exists)
+                for file_folder_exist in sorted_file_folder_exists
             ]
 
         if remote_scripts:
             remote_scripts_result_section = ResultTextSection(
                 "The script contains the following remote scripts", parent=ioc_result_section
             )
-            remote_scripts_result_section.add_lines(list(remote_scripts))
+            sorted_remote_scripts = sorted(remote_scripts)
+            remote_scripts_result_section.add_lines(sorted_remote_scripts)
             [
                 add_tag(remote_scripts_result_section, "network.dynamic.uri", remote_script)
-                for remote_script in list(remote_scripts)
+                for remote_script in sorted_remote_scripts
             ]
 
         if windows_installers:
             windows_installers_result_section = ResultTextSection(
                 "The script contains the following Windows Installers", parent=ioc_result_section
             )
-            windows_installers_result_section.add_lines(list(windows_installers))
+            sorted_windows_installers = sorted(windows_installers)
+            windows_installers_result_section.add_lines(sorted_windows_installers)
             [
                 add_tag(windows_installers_result_section, "network.dynamic.uri", windows_installer)
-                for windows_installer in list(windows_installers)
+                for windows_installer in sorted_windows_installers
             ]
 
         if regkey_reads:
             regkey_reads_result_section = ResultTextSection(
                 "The script read the following registry keys", parent=ioc_result_section
             )
-            regkey_reads_result_section.add_lines(list(windows_installers))
+            sorted_regkey_reads = sorted(regkey_reads)
+            regkey_reads_result_section.add_lines(sorted_regkey_reads)
             [
                 regkey_reads_result_section.add_tag("dynamic.registry_key", regkey_read)
-                for regkey_read in list(regkey_reads)
+                for regkey_read in sorted_regkey_reads
             ]
 
         if regkey_writes:
             regkey_writes_result_section = ResultTextSection(
                 "The script wrote the following registry keys", parent=ioc_result_section
             )
-            regkey_writes_result_section.add_lines(list(windows_installers))
+            sorted_regkey_writes = sorted(regkey_writes)
+            regkey_writes_result_section.add_lines(sorted_regkey_writes)
             [
                 regkey_writes_result_section.add_tag("dynamic.registry_key", regkey_write)
-                for regkey_write in list(regkey_writes)
+                for regkey_write in sorted_regkey_writes
             ]
 
         if new_resources_associated_with_url:
             new_resources_associated_with_url_result_section = ResultMultiSection(
                 "The script created the following resources associated with a URL", parent=ioc_result_section
             )
 
-            for new_resource in list(new_resources_associated_with_url):
+            for new_resource in sorted(new_resources_associated_with_url):
                 nr = loads(new_resource)
                 new_resources_associated_with_url_result_section.add_tag("dynamic.process.file_name", nr["path"])
                 add_tag(new_resources_associated_with_url_result_section, "network.dynamic.uri", nr["url"])

diff --git a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json
@@ -279,36 +279,6 @@
         "title_text": "The script wrote the following files",
         "zeroize_on_tag_safe": false
       },
-      {
-        "auto_collapse": false,
-        "body": [
-          [
-            "KEY_VALUE",
-            {
-              "description": "The script created a resource.",
-              "type": "NewResource",
-              "value": {
-                "latestUrl": "",
-                "md5": "c7f02b93dd5d6fd8bb467b870e958b70",
-                "path": "URL_Blob_file_0",
-                "sha1": "65fdb009507f70cce46f07c7dc22d180117c6a5a",
-                "sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc",
-                "type": "Zip archive data, at least v1.0 to extract, compression method=store"
-              }
-            },
-            {}
-          ]
-        ],
-        "body_config": {},
-        "body_format": "MULTI",
-        "classification": "TLP:C",
-        "depth": 1,
-        "heuristic": null,
-        "promote_to": null,
-        "tags": {},
-        "title_text": "The script did the following other interesting things",
-        "zeroize_on_tag_safe": false
-      },
       {
         "auto_collapse": false,
         "body": "\t\tObfuscated code was found that was obfuscated by: obfuscator.io",

diff --git a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json
@@ -342,7 +342,7 @@
       },
       {
         "auto_collapse": false,
-        "body": null,
+        "body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",
@@ -361,7 +361,7 @@
       },
       {
         "auto_collapse": false,
-        "body": null,
+        "body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",

diff --git a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json
@@ -177,7 +177,7 @@
       },
       {
         "auto_collapse": false,
-        "body": "https://tapasyaevents.com/fmu/fmu.php?55724\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://dealsontrainers.org/tete/tete.php?85434",
+        "body": "https://dealsontrainers.org/tete/tete.php?85434\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://tapasyaevents.com/fmu/fmu.php?55724",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",
@@ -188,19 +188,19 @@
           "network": {
             "dynamic": {
               "domain": [
-                "tapasyaevents.com",
+                "dealsontrainers.org",
                 "iscast.com.br",
-                "dealsontrainers.org"
+                "tapasyaevents.com"
               ],
               "uri": [
-                "https://tapasyaevents.com/fmu/fmu.php?55724",
+                "https://dealsontrainers.org/tete/tete.php?85434",
                 "https://iscast.com.br/udit/udit.php?68977",
-                "https://dealsontrainers.org/tete/tete.php?85434"
+                "https://tapasyaevents.com/fmu/fmu.php?55724"
               ],
               "uri_path": [
-                "/fmu/fmu.php?55724",
+                "/tete/tete.php?85434",
                 "/udit/udit.php?68977",
-                "/tete/tete.php?85434"
+                "/fmu/fmu.php?55724"
               ]
             }
           }

diff --git a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json
@@ -342,7 +342,7 @@
       },
       {
         "auto_collapse": false,
-        "body": null,
+        "body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",
@@ -361,7 +361,7 @@
       },
       {
         "auto_collapse": false,
-        "body": null,
+        "body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",

diff --git a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json
@@ -342,7 +342,7 @@
       },
       {
         "auto_collapse": false,
-        "body": null,
+        "body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",
@@ -361,7 +361,7 @@
       },
       {
         "auto_collapse": false,
-        "body": null,
+        "body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",

diff --git a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json
@@ -342,7 +342,7 @@
       },
       {
         "auto_collapse": false,
-        "body": null,
+        "body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",
@@ -361,7 +361,7 @@
       },
       {
         "auto_collapse": false,
-        "body": null,
+        "body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",