Update/box js args #671

wants to merge 26 commits into
base: main
bdd9c43
Adding commented out Box-js args to test
cccs-kevin Jan 16, 2024
ca92ad1
Pass sample name to Box-js; update tests
cccs-kevin Jan 16, 2024
37217de
Fake a download in box-js; update tests
cccs-kevin Jan 16, 2024
6bdb8eb
Removing box-js args that do not add value
cccs-kevin Jan 16, 2024
f7d2841
Extracting more useful info from Box-js results
cccs-kevin Jan 18, 2024
2cda53a
Sort Box-js IOCs; Bugfix in registry key output; update tests
cccs-kevin Jan 18, 2024
242e6f3
Check versions of npm packages
cccs-kevin Jan 18, 2024
02fa816
Updating tests+packages
cccs-kevin Jan 18, 2024
052c071
Bug fixes in gootloader, updating results
cccs-kevin Jan 19, 2024
dc7e4c7
Updating test
cccs-kevin Feb 5, 2024
b55efe3
Bugfix in local variable access
cccs-kevin Feb 5, 2024
0887b71
Manually updating test to confirm issue
cccs-kevin Feb 5, 2024
1fc5d92
Debug test for sample, related to boxjs analysis
cccs-kevin Feb 5, 2024
1c80e81
Adding log fix for boxjs supplementary; Printing all boxjs file output
cccs-kevin Feb 5, 2024
5fb24cd
Are the boxjs args affecting the ability to find the boxjs file somehow?
cccs-kevin Feb 5, 2024
20c1943
Using fake-download since it is required for 1415...
cccs-kevin Feb 6, 2024
d327e04
Print file paths and file sizes
cccs-kevin Feb 6, 2024
99f5633
List all dependencies of npm modules
cccs-kevin Feb 6, 2024
ff26a76
Use fork for debugging
cccs-kevin Feb 6, 2024
e7ab1a0
Attempting another way to npm install a git repo
cccs-kevin Feb 6, 2024
64f0eab
Install git
cccs-kevin Feb 6, 2024
7c4ee13
Install git as sudo
cccs-kevin Feb 6, 2024
b63c410
Just use apt instead of apt-get
cccs-kevin Feb 6, 2024
3f87def
No sudo, just apt
cccs-kevin Feb 6, 2024
1c233fa
Updating nightly Dockerfile to install git
cccs-kevin Feb 6, 2024
41e9941
Install fork on nightly build
cccs-kevin Feb 6, 2024
Sort Box-js IOCs; Bugfix in registry key output; update tests
cccs-kevin committed Feb 5, 2024

commit 2cda53a22f78fa6fa0794869183776911692a120
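--- a/jsjaws.py
+++ b/jsjaws.py
@@ -3671,78 +3671,85 @@ def _extract_boxjs_iocs(self, result: Result) -> None:
             file_writes_result_section = ResultTextSection(
                 "The script wrote the following files", parent=ioc_result_section
             )
-            file_writes_result_section.add_lines(list(file_writes))
+            sorted_file_writes = sorted(file_writes)
+            file_writes_result_section.add_lines(sorted_file_writes)
             [
                 file_writes_result_section.add_tag("dynamic.process.file_name", file_write)
-                for file_write in list(file_writes)
+                for file_write in sorted_file_writes
             ]
 
         if file_reads:
             file_reads_result_section = ResultTextSection(
                 "The script read the following files", parent=ioc_result_section
             )
-            file_reads_result_section.add_lines(list(file_reads))
+            sorted_file_reads = sorted(file_reads)
+            file_reads_result_section.add_lines(sorted_file_reads)
             [
                 file_reads_result_section.add_tag("dynamic.process.file_name", file_read)
-                for file_read in list(file_reads)
+                for file_read in sorted_file_reads
             ]
 
         if file_folder_exists:
             file_folder_exists_result_section = ResultTextSection(
                 "The script checked if the following files/folders existed", parent=ioc_result_section
             )
-            file_folder_exists_result_section.add_lines(list(file_folder_exists))
+            sorted_file_folder_exists = sorted(file_folder_exists)
+            file_folder_exists_result_section.add_lines(sorted_file_folder_exists)
             [
                 file_folder_exists_result_section.add_tag("dynamic.process.file_name", file_folder_exist)
-                for file_folder_exist in list(file_folder_exists)
+                for file_folder_exist in sorted_file_folder_exists
             ]
 
         if remote_scripts:
             remote_scripts_result_section = ResultTextSection(
                 "The script contains the following remote scripts", parent=ioc_result_section
             )
-            remote_scripts_result_section.add_lines(list(remote_scripts))
+            sorted_remote_scripts = sorted(remote_scripts)
+            remote_scripts_result_section.add_lines(sorted_remote_scripts)
             [
                 add_tag(remote_scripts_result_section, "network.dynamic.uri", remote_script)
-                for remote_script in list(remote_scripts)
+                for remote_script in sorted_remote_scripts
             ]
 
         if windows_installers:
             windows_installers_result_section = ResultTextSection(
                 "The script contains the following Windows Installers", parent=ioc_result_section
             )
-            windows_installers_result_section.add_lines(list(windows_installers))
+            sorted_windows_installers = sorted(windows_installers)
+            windows_installers_result_section.add_lines(sorted_windows_installers)
             [
                 add_tag(windows_installers_result_section, "network.dynamic.uri", windows_installer)
-                for windows_installer in list(windows_installers)
+                for windows_installer in sorted_windows_installers
             ]
 
         if regkey_reads:
             regkey_reads_result_section = ResultTextSection(
                 "The script read the following registry keys", parent=ioc_result_section
             )
-            regkey_reads_result_section.add_lines(list(windows_installers))
+            sorted_regkey_reads = sorted(regkey_reads)
+            regkey_reads_result_section.add_lines(sorted_regkey_reads)
             [
                 regkey_reads_result_section.add_tag("dynamic.registry_key", regkey_read)
-                for regkey_read in list(regkey_reads)
+                for regkey_read in sorted_regkey_reads
             ]
 
         if regkey_writes:
             regkey_writes_result_section = ResultTextSection(
                 "The script wrote the following registry keys", parent=ioc_result_section
             )
-            regkey_writes_result_section.add_lines(list(windows_installers))
+            sorted_regkey_writes = sorted(regkey_writes)
+            regkey_writes_result_section.add_lines(sorted_regkey_writes)
             [
                 regkey_writes_result_section.add_tag("dynamic.registry_key", regkey_write)
-                for regkey_write in list(regkey_writes)
+                for regkey_write in sorted_regkey_writes
             ]
 
         if new_resources_associated_with_url:
             new_resources_associated_with_url_result_section = ResultMultiSection(
                 "The script created the following resources associated with a URL", parent=ioc_result_section
             )
 
-            for new_resource in list(new_resources_associated_with_url):
+            for new_resource in sorted(new_resources_associated_with_url):
                 nr = loads(new_resource)
                 new_resources_associated_with_url_result_section.add_tag("dynamic.process.file_name", nr["path"])
                 add_tag(new_resources_associated_with_url_result_section, "network.dynamic.uri", nr["url"])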
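Review bot: The seven bracketed `[ ... add_tag(...) for x in sorted_... ]` blocks that this commit retargets at the new `sorted_*` lists are list comprehensions evaluated purely for their side effect; each builds and throws away a list of `None`, and the shape suggests a data transformation where none happens. A plain loop states the intent and is what linters expect, e.g. `for file_write in sorted_file_writes:` followed by `file_writes_result_section.add_tag("dynamic.process.file_name", file_write)`, applied to every tag block in the hunk. On the last loop, which now iterates `sorted(new_resources_associated_with_url)`, the entries are JSON strings produced from Box-js's analysis of the sample and are indexed directly as `nr["path"]` / `nr["url"]`; an entry missing either key will raise `KeyError` and abort the whole IOC extraction, so a `nr.get("path")` / `nr.get("url")` guard with a skip for absent values would be safer even though that line predates this change. `_extract_boxjs_iocs` begins before this hunk and its body continues after it.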
@@ -279,36 +279,6 @@
"title_text": "The script wrote the following files",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": [
[
"KEY_VALUE",
{
"description": "The script created a resource.",
"type": "NewResource",
"value": {
"latestUrl": "",
"md5": "c7f02b93dd5d6fd8bb467b870e958b70",
"path": "URL_Blob_file_0",
"sha1": "65fdb009507f70cce46f07c7dc22d180117c6a5a",
"sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc",
"type": "Zip archive data, at least v1.0 to extract, compression method=store"
}
},
{}
]
],
"body_config": {},
"body_format": "MULTI",
"classification": "TLP:C",
"depth": 1,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "The script did the following other interesting things",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "\t\tObfuscated code was found that was obfuscated by: obfuscator.io",
@@ -342,7 +342,7 @@
},
{
"auto_collapse": false,
"body": null,
"body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -361,7 +361,7 @@
},
{
"auto_collapse": false,
"body": null,
"body": "HKCU\\SOFTWARE\\Andysoftware\\pdf2html\\register",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -177,7 +177,7 @@
},
{
"auto_collapse": false,
"body": "https://tapasyaevents.com/fmu/fmu.php?55724\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://dealsontrainers.org/tete/tete.php?85434",
"body": "https://dealsontrainers.org/tete/tete.php?85434\nhttps://iscast.com.br/udit/udit.php?68977\nhttps://tapasyaevents.com/fmu/fmu.php?55724",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -188,19 +188,19 @@
"network": {
"dynamic": {
"domain": [
"tapasyaevents.com",
"dealsontrainers.org",
"iscast.com.br",
"dealsontrainers.org"
"tapasyaevents.com"
],
"uri": [
"https://tapasyaevents.com/fmu/fmu.php?55724",
"https://dealsontrainers.org/tete/tete.php?85434",
"https://iscast.com.br/udit/udit.php?68977",
"https://dealsontrainers.org/tete/tete.php?85434"
"https://tapasyaevents.com/fmu/fmu.php?55724"
],
"uri_path": [
"/fmu/fmu.php?55724",
"/tete/tete.php?85434",
"/udit/udit.php?68977",
"/tete/tete.php?85434"
"/fmu/fmu.php?55724"
]
}
}
@@ -342,7 +342,7 @@
},
{
"auto_collapse": false,
"body": null,
"body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -361,7 +361,7 @@
},
{
"auto_collapse": false,
"body": null,
"body": "HKCU\\SOFTWARE\\Xeonitox\\MP3Conv\\Cfg",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -342,7 +342,7 @@
},
{
"auto_collapse": false,
"body": null,
"body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -361,7 +361,7 @@
},
{
"auto_collapse": false,
"body": null,
"body": "HKCU\\SOFTWARE\\Firm\\Soft\\Name",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -342,7 +342,7 @@
},
{
"auto_collapse": false,
"body": null,
"body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -361,7 +361,7 @@
},
{
"auto_collapse": false,
"body": null,
"body": "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",