Update/box js args [dev] #670

9421528
Merge pull request #684 from CybercentreCanada/bugfix/decode-check
cccs-kevin Jan 30, 2024
9875c1e
Merge pull request #685 from CybercentreCanada/gootloader-validation
cccs-kevin Feb 1, 2024
bdd9c43
Adding commented out Box-js args to test
cccs-kevin Jan 16, 2024
ca92ad1
Pass sample name to Box-js; update tests
cccs-kevin Jan 16, 2024
37217de
Fake a download in box-js; update tests
cccs-kevin Jan 16, 2024
6bdb8eb
Removing box-js args that do not add value
cccs-kevin Jan 16, 2024
f7d2841
Extracting more useful info from Box-js results
cccs-kevin Jan 18, 2024
2cda53a
Sort Box-js IOCs; Bugfix in registry key output; update tests
cccs-kevin Jan 18, 2024
242e6f3
Check versions of npm packages
cccs-kevin Jan 18, 2024
02fa816
Updating tests+packages
cccs-kevin Jan 18, 2024
052c071
Bug fixes in gootloader, updating results
cccs-kevin Jan 19, 2024
dc7e4c7
Updating test
cccs-kevin Feb 5, 2024
b55efe3
Bugfix in local variable access
cccs-kevin Feb 5, 2024
0887b71
Manually updating test to confirm issue
cccs-kevin Feb 5, 2024
1fc5d92
Debug test for sample, related to boxjs analysis
cccs-kevin Feb 5, 2024
1c80e81
Adding log fix for boxjs supplementary; Printing all boxjs file output
cccs-kevin Feb 5, 2024
5fb24cd
Are the boxjs args affecting the ability to find the boxjs file somehow?
cccs-kevin Feb 5, 2024
20c1943
Using fake-download since it is required for 1415...
cccs-kevin Feb 6, 2024
d327e04
Print file paths and file sizes
cccs-kevin Feb 6, 2024
99f5633
List all dependencies of npm modules
cccs-kevin Feb 6, 2024
ff26a76
Use fork for debugging
cccs-kevin Feb 6, 2024
e7ab1a0
Attempting another way to npm install a git repo
cccs-kevin Feb 6, 2024
64f0eab
Install git
cccs-kevin Feb 6, 2024
7c4ee13
Install git as sudo
cccs-kevin Feb 6, 2024
b63c410
Just use apt instead of apt-get
cccs-kevin Feb 6, 2024
3f87def
No sudo, just apt
cccs-kevin Feb 6, 2024
1c233fa
Updating nightly Dockerfile to install git
cccs-kevin Feb 6, 2024
41e9941
Install fork on nightly build
cccs-kevin Feb 6, 2024
Extracting more useful info from Box-js results
cccs-kevin committed Feb 5, 2024
commit f7d28412a1ebd95499ba158d48ba27906fbe65f3
131 changes: 120 additions & 11 deletions jsjaws.py
@@ -3326,7 +3326,7 @@ def _extract_urls(self, request: ServiceRequest) -> None:
ioc_json = loads(file_contents)
for ioc in ioc_json:
value = ioc.get("value", "")
if ioc["type"] == "UrlFetch":
if ioc["type"] in ["UrlFetch", "XMLHttpRequest"]:
if any(value["url"] == url["url"] for url in urls_rows):
continue
elif not add_tag(urls_result_section, "network.dynamic.uri", value["url"], self.safelist):
@@ -3559,19 +3559,31 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
commands_to_display = list()
file_writes = set()
file_reads = set()
file_folder_exists = set()
remote_scripts = set()
windows_installers = set()
regkey_reads = set()
regkey_writes = set()
new_resources_associated_with_url = set()
other = list()
cmd_count = 0
for ioc in ioc_json:
type = ioc["type"]
ioc_type = ioc["type"]
value = ioc.get("value", "")
if type == "Run" and "command" in value:
if value["command"] not in commands:
commands.add(value["command"].strip())
if ioc_type in ["Run", "WMI.GetObject.Create"]:
command = None
if ioc_type == "Run":
command = value["command"]
commands.add(command.strip())
else:
command = value
commands.add(command.strip())

# We want to extract powershell commands to a powershell file, which can be confirmed using multidecoder
try:
matches = find_powershell_strings(value["command"].encode())
matches = find_powershell_strings(command.encode())
except BinasciiError as e:
self.log.debug(f"Could not base64-decode encoded command value '{value['command']}' due to '{e}'")
self.log.debug(f"Could not base64-decode encoded command value '{command}' due to '{e}'")
matches = []

if matches:
@@ -3583,15 +3595,44 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
ps1_cmd_spotted = True
else:
# Write non-ps1 to file
commands_to_display.append(value["command"].strip())
boxjs_batch_extraction.write(value["command"].strip() + "\n")
commands_to_display.append(command.strip())
boxjs_batch_extraction.write(command.strip() + "\n")
batch_cmd_spotted = True

cmd_count += 1
elif type == "FileWrite" and "file" in value:
elif ioc_type == "FileWrite" and value.get("file"):
file_writes.add(value["file"])
elif type == "FileRead" and "file" in value:
elif ioc_type == "FileRead" and value.get("file"):
file_reads.add(value["file"])
elif ioc_type == "Remote Script" and value.get("url"):
remote_scripts.add(value["url"])
elif ioc_type in ["FileExists", "FolderExists"]:
file_folder_exists.add(value)
elif ioc_type == "WindowsInstaller" and value.get("url"):
windows_installers.add(value["url"])
elif ioc_type == "RegRead" and value.get("key"):
regkey_reads.add(value["key"])
elif ioc_type == "RegWrite" and value.get("key"):
regkey_writes.add(value["key"])
elif ioc_type == "NewResource":
if not value.get("latestUrl"):
continue
new_resources_associated_with_url.add(dumps({"path": value["path"], "url": value["latestUrl"]}))

# Sample Name, DOM Writes, PayloadExec, Environ, ADODBStream are not interesting
# UrlFetch, XMLHttpRequest are handled somewhere else in the code
elif ioc_type in [
"Sample Name",
"UrlFetch",
"DOM Write",
"PayloadExec",
"Environ",
"XMLHttpRequest",
"ADODBStream",
]:
continue
else:
other.append(ioc)

boxjs_ps1_extraction.close()
boxjs_batch_extraction.close()
@@ -3646,6 +3687,74 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
for file_read in list(file_reads)
]

if file_folder_exists:
file_folder_exists_result_section = ResultTextSection(
"The script checked if the following files/folders existed", parent=ioc_result_section
)
file_folder_exists_result_section.add_lines(list(file_folder_exists))
[
file_folder_exists_result_section.add_tag("dynamic.process.file_name", file_folder_exist)
for file_folder_exist in list(file_folder_exists)
]

if remote_scripts:
remote_scripts_result_section = ResultTextSection(
"The script contains the following remote scripts", parent=ioc_result_section
)
remote_scripts_result_section.add_lines(list(remote_scripts))
[
add_tag(remote_scripts_result_section, "network.dynamic.uri", remote_script)
for remote_script in list(remote_scripts)
]

if windows_installers:
windows_installers_result_section = ResultTextSection(
"The script contains the following Windows Installers", parent=ioc_result_section
)
windows_installers_result_section.add_lines(list(windows_installers))
[
add_tag(windows_installers_result_section, "network.dynamic.uri", windows_installer)
for windows_installer in list(windows_installers)
]

if regkey_reads:
regkey_reads_result_section = ResultTextSection(
"The script read the following registry keys", parent=ioc_result_section
)
regkey_reads_result_section.add_lines(list(windows_installers))
[
regkey_reads_result_section.add_tag("dynamic.registry_key", regkey_read)
for regkey_read in list(regkey_reads)
]

if regkey_writes:
regkey_writes_result_section = ResultTextSection(
"The script wrote the following registry keys", parent=ioc_result_section
)
regkey_writes_result_section.add_lines(list(windows_installers))
[
regkey_writes_result_section.add_tag("dynamic.registry_key", regkey_write)
for regkey_write in list(regkey_writes)
]

if new_resources_associated_with_url:
new_resources_associated_with_url_result_section = ResultMultiSection(
"The script created the following resources associated with a URL", parent=ioc_result_section
)

for new_resource in list(new_resources_associated_with_url):
nr = loads(new_resource)
new_resources_associated_with_url_result_section.add_tag("dynamic.process.file_name", nr["path"])
add_tag(new_resources_associated_with_url_result_section, "network.dynamic.uri", nr["url"])
new_resources_associated_with_url_result_section.add_section_part(KVSectionBody(**nr))

if other:
other_result_section = ResultMultiSection(
"The script did the following other interesting things", parent=ioc_result_section
)
for other_item in other:
other_result_section.add_section_part(KVSectionBody(**other_item))

if ioc_result_section.subsections:
ioc_result_section.set_heuristic(2)
result.add_section(ioc_result_section)
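Review bot: The two registry-key sections display the wrong collection: `regkey_reads_result_section.add_lines(list(windows_installers))` and `regkey_writes_result_section.add_lines(list(windows_installers))` should be `regkey_reads_result_section.add_lines(list(regkey_reads))` and `regkey_writes_result_section.add_lines(list(regkey_writes))`, since the tags added right below each already use those sets, so the section body and its tags currently disagree. The new `network.dynamic.uri` tags for remote scripts, Windows installers and `NewResource` URLs call `add_tag(...)` without the `self.safelist` argument that the `UrlFetch` path in the first hunk passes; if that argument is what suppresses safelisted domains, these sections will tag (and via the heuristic, score) URLs the service has been told to ignore, so either pass `self.safelist` or add a comment saying the omission is intended. In the `Run` branch, `command = value["command"]` dropped the old `"command" in value` guard, so a `Run` entry without that key now raises `KeyError` instead of being skipped; `value.get("command")` with a guard, matching the `value.get("file")` pattern used on the `FileWrite`/`FileRead` branches, would keep the previous tolerance. `_extract_boxjs_iocs` starts before the second hunk and the file-write/file-read handling between the hunks is not visible here.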
@@ -318,6 +318,70 @@
"title_text": "The script wrote the following files",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "C:\\ProgramData\\Trdce",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": null,
"promote_to": null,
"tags": {
"dynamic": {
"process": {
"file_name": [
"C:\\ProgramData\\Trdce"
]
}
}
},
"title_text": "The script checked if the following files/folders existed",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": [
[
"KEY_VALUE",
{
"path": "C:\\ProgramData\\Trdce\\desired.dll",
"url": "https://orthodentrics.com/8GE/fdsfdsfewwwe23"
},
{}
]
],
"body_config": {},
"body_format": "MULTI",
"classification": "TLP:C",
"depth": 1,
"heuristic": null,
"promote_to": null,
"tags": {
"dynamic": {
"process": {
"file_name": [
"C:\\ProgramData\\Trdce\\desired.dll"
]
}
},
"network": {
"dynamic": {
"domain": [
"orthodentrics.com"
],
"uri": [
"https://orthodentrics.com/8GE/fdsfdsfewwwe23"
],
"uri_path": [
"/8GE/fdsfdsfewwwe23"
]
}
}
},
"title_text": "The script created the following resources associated with a URL",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": [
@@ -532,13 +596,28 @@
}
],
"dynamic.process.file_name": [
{
"heur_id": null,
"signatures": [],
"value": "C:\\ProgramData\\Trdce"
},
{
"heur_id": null,
"signatures": [],
"value": "C:\\ProgramData\\Trdce\\desired.dll"
},
{
"heur_id": null,
"signatures": [],
"value": "C:\\ProgramData\\Trdce\\desired.dll"
}
],
"network.dynamic.domain": [
{
"heur_id": null,
"signatures": [],
"value": "orthodentrics.com"
},
{
"heur_id": 1,
"signatures": [
@@ -548,6 +627,11 @@
}
],
"network.dynamic.uri": [
{
"heur_id": null,
"signatures": [],
"value": "https://orthodentrics.com/8GE/fdsfdsfewwwe23"
},
{
"heur_id": 1,
"signatures": [
@@ -557,6 +641,11 @@
}
],
"network.dynamic.uri_path": [
{
"heur_id": null,
"signatures": [],
"value": "/8GE/fdsfdsfewwwe23"
},
{
"heur_id": 1,
"signatures": [
@@ -279,6 +279,36 @@
"title_text": "The script wrote the following files",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": [
[
"KEY_VALUE",
{
"description": "The script created a resource.",
"type": "NewResource",
"value": {
"latestUrl": "",
"md5": "c7f02b93dd5d6fd8bb467b870e958b70",
"path": "URL_Blob_file_0",
"sha1": "65fdb009507f70cce46f07c7dc22d180117c6a5a",
"sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc",
"type": "Zip archive data, at least v1.0 to extract, compression method=store"
}
},
{}
]
],
"body_config": {},
"body_format": "MULTI",
"classification": "TLP:C",
"depth": 1,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "The script did the following other interesting things",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "\t\tObfuscated code was found that was obfuscated by: obfuscator.io",