diff --git a/jsjaws.py b/jsjaws.py
index b96eb663..dd3316a6 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -3667,70 +3667,77 @@ def _extract_boxjs_iocs(self, result: Result) -> None: file_writes_result_section = ResultTextSection( "The script wrote the following files", parent=ioc_result_section ) - file_writes_result_section.add_lines(list(file_writes)) + sorted_file_writes = sorted(file_writes) + file_writes_result_section.add_lines(sorted_file_writes) [ file_writes_result_section.add_tag("dynamic.process.file_name", file_write) - for file_write in list(file_writes) + for file_write in sorted_file_writes ] if file_reads: file_reads_result_section = ResultTextSection( "The script read the following files", parent=ioc_result_section ) - file_reads_result_section.add_lines(list(file_reads)) + sorted_file_reads = sorted(file_reads) + file_reads_result_section.add_lines(sorted_file_reads) [ file_reads_result_section.add_tag("dynamic.process.file_name", file_read) - for file_read in list(file_reads) + for file_read in sorted_file_reads ] if file_folder_exists: file_folder_exists_result_section = ResultTextSection( "The script checked if the following files/folders existed", parent=ioc_result_section ) - file_folder_exists_result_section.add_lines(list(file_folder_exists)) + sorted_file_folder_exists = sorted(file_folder_exists) + file_folder_exists_result_section.add_lines(sorted_file_folder_exists) [ file_folder_exists_result_section.add_tag("dynamic.process.file_name", file_folder_exist) - for file_folder_exist in list(file_folder_exists) + for file_folder_exist in sorted_file_folder_exists ] if remote_scripts: remote_scripts_result_section = ResultTextSection( "The script contains the following remote scripts", parent=ioc_result_section ) - remote_scripts_result_section.add_lines(list(remote_scripts)) + sorted_remote_scripts = sorted(remote_scripts) + remote_scripts_result_section.add_lines(sorted_remote_scripts) [ add_tag(remote_scripts_result_section, "network.dynamic.uri", remote_script) - for remote_script in list(remote_scripts) + for remote_script in 
sorted_remote_scripts ] if windows_installers: windows_installers_result_section = ResultTextSection( "The script contains the following Windows Installers", parent=ioc_result_section ) - windows_installers_result_section.add_lines(list(windows_installers)) + sorted_windows_installers = sorted(windows_installers) + windows_installers_result_section.add_lines(sorted_windows_installers) [ add_tag(windows_installers_result_section, "network.dynamic.uri", windows_installer) - for windows_installer in list(windows_installers) + for windows_installer in sorted_windows_installers ] if regkey_reads: regkey_reads_result_section = ResultTextSection( "The script read the following registry keys", parent=ioc_result_section ) - regkey_reads_result_section.add_lines(list(windows_installers)) + sorted_regkey_reads = sorted(regkey_reads) + regkey_reads_result_section.add_lines(sorted_regkey_reads) [ regkey_reads_result_section.add_tag("dynamic.registry_key", regkey_read) - for regkey_read in list(regkey_reads) + for regkey_read in sorted_regkey_reads ] if regkey_writes: regkey_writes_result_section = ResultTextSection( "The script wrote the following registry keys", parent=ioc_result_section ) - regkey_writes_result_section.add_lines(list(windows_installers)) + sorted_regkey_writes = sorted(regkey_writes) + regkey_writes_result_section.add_lines(sorted_regkey_writes) [ regkey_writes_result_section.add_tag("dynamic.registry_key", regkey_write) - for regkey_write in list(regkey_writes) + for regkey_write in sorted_regkey_writes ] if new_resources_associated_with_url: 
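Review bot: Every block in this hunk still tags through a list comprehension evaluated only for its side effect (`[ file_writes_result_section.add_tag("dynamic.process.file_name", file_write) for file_write in sorted_file_writes ]` and the six parallel ones for reads, folder checks, remote scripts, installers and both registry sections), which builds and throws away a list of `None`s; with the new `sorted_*` locals in place a plain loop states the intent: `for file_write in sorted_file_writes:` / `    file_writes_result_section.add_tag("dynamic.process.file_name", file_write)`. The second hunk of this file already uses a `for` loop for the same pattern, so this would also make the function self-consistent. The switch to `sorted()` makes section bodies and tag order deterministic, which the updated fixtures depend on, but it will raise TypeError if any of these collections ever holds a non-string (for example a None where the sandbox left a field empty), so it is worth confirming at the point they are populated that only strings are added. `_extract_boxjs_iocs` begins before and ends after this hunk.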
@@ -3738,7 +3745,7 @@ def _extract_boxjs_iocs(self, result: Result) -> None: "The script created the following resources associated with a URL", parent=ioc_result_section ) - for new_resource in list(new_resources_associated_with_url): + for new_resource in sorted(new_resources_associated_with_url): nr = loads(new_resource) new_resources_associated_with_url_result_section.add_tag("dynamic.process.file_name", nr["path"]) add_tag(new_resources_associated_with_url_result_section, "network.dynamic.uri", nr["url"]) diff --git a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json index d92f02a8..31ac3eb5 100644 --- a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json +++ b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json @@ -279,36 +279,6 @@ "title_text": "The script wrote the following files", "zeroize_on_tag_safe": false }, - { - "auto_collapse": false, - "body": [ - [ - "KEY_VALUE", - { - "description": "The script created a resource.", - "type": "NewResource", - "value": { - "latestUrl": "", - "md5": "c7f02b93dd5d6fd8bb467b870e958b70", - "path": "URL_Blob_file_0", - "sha1": "65fdb009507f70cce46f07c7dc22d180117c6a5a", - "sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc", - "type": "Zip archive data, at least v1.0 to extract, compression method=store" - } - }, - {} - ] - ], - "body_config": {}, - "body_format": "MULTI", - "classification": "TLP:C", - "depth": 1, - "heuristic": null, - "promote_to": null, - "tags": {}, - "title_text": "The script did the following other interesting things", - "zeroize_on_tag_safe": false - }, { "auto_collapse": false, "body": "\t\tObfuscated code was found that was obfuscated by: obfuscator.io", 
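Review bot: The loop body still calls `loads(new_resource)` and then indexes `nr["path"]` and `nr["url"]` with no guard, so one entry that is not valid JSON or is missing either key raises out of `_extract_boxjs_iocs` and loses every IOC section for the sample. If these strings are serialized by this service itself that may be acceptable, but if they are taken straight from the Box-JS output it is safer to skip a malformed entry than to abort the whole extraction; the rewrite below narrows the `try` to the parse and lookups only. Sorting the serialized JSON text gives a stable order, though not one meaningful to an analyst, so sorting on the parsed path is an option if the fixtures are being regenerated anyway. The `for` body and the enclosing function both continue outside this hunk.
```python
for new_resource in sorted(new_resources_associated_with_url):
    try:
        nr = loads(new_resource)
        path, url = nr["path"], nr["url"]
    except (ValueError, KeyError, TypeError):
        # Skip an entry the sandbox emitted in an unexpected shape rather than abort IOC extraction.
        continue
    new_resources_associated_with_url_result_section.add_tag("dynamic.process.file_name", path)
    add_tag(new_resources_associated_with_url_result_section, "network.dynamic.uri", url)
    # … unchanged: rest of the loop body …
```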
diff --git a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json
index 0f4e0ccb..eab5e3e0 100644
--- a/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json
+++ b/tests/results/3eadb018d45336f73e6c0f620de84057eb2ffb214f0deb699434aaa01e64a28d/result.json
@@ -342,7 +342,7 @@
 },
 {
 "auto_collapse": false,
- "body": null,
+ "body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
@@ -361,7 +361,7 @@
 },
 {
 "auto_collapse": false,
- "body": null,
+ "body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
diff --git a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json
index 3dd5e350..b3f796f2 100644
--- a/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json
+++ b/tests/results/75a35b91e6295c6287dbd858663b9f126bfd6e29a278e435ab9c17c2eda25ee1/result.json
@@ -177,7 +177,7 @@
 },
 {
 "auto_collapse": false,
- "body": "https://tapasyaevents.com/fmu/fmu.php?55724\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://dealsontrainers.org/tete/tete.php?85434",
+ "body": "https://dealsontrainers.org/tete/tete.php?85434\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://tapasyaevents.com/fmu/fmu.php?55724",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
@@ -188,19 +188,19 @@
 "network": {
 "dynamic": {
 "domain": [
- "tapasyaevents.com",
+ "dealsontrainers.org",
 "iscast.com.br",
- "dealsontrainers.org"
+ "tapasyaevents.com"
 ],
 "uri": [
- "https://tapasyaevents.com/fmu/fmu.php?55724",
+ "https://dealsontrainers.org/tete/tete.php?85434",
 "https://iscast.com.br/udit/udit.php?68977",
- "https://dealsontrainers.org/tete/tete.php?85434"
+ "https://tapasyaevents.com/fmu/fmu.php?55724"
 ],
 "uri_path": [
- "/fmu/fmu.php?55724",
+ "/tete/tete.php?85434",
 "/udit/udit.php?68977",
- "/tete/tete.php?85434"
+ "/fmu/fmu.php?55724"
 ]
 }
 }
diff --git a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json
index a29643af..01e7a2d7 100644
--- a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json
+++ b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json
@@ -342,7 +342,7 @@
 },
 {
 "auto_collapse": false,
- "body": null,
+ "body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
@@ -361,7 +361,7 @@
 },
 {
 "auto_collapse": false,
- "body": null,
+ "body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
diff --git a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json
index 45692534..a21e7518 100644
--- a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json
+++ b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json
@@ -342,7 +342,7 @@
 },
 {
 "auto_collapse": false,
- "body": null,
+ "body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
@@ -361,7 +361,7 @@
 },
 {
 "auto_collapse": false,
- "body": null,
+ "body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
diff --git a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json
index a7107aba..4a04668a 100644
--- a/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json
+++ b/tests/results/f1b65c29b1d37c4360e92d429613d9b7f3a17bbf34cee8032a5df597685bb358/result.json
@@ -342,7 +342,7 @@
 },
 {
 "auto_collapse": false,
- "body": null,
+ "body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
@@ -361,7 +361,7 @@
 },
 {
 "auto_collapse": false,
- "body": null,
+ "body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",