diff --git a/signatures/abstracts.py b/signatures/abstracts.py
index 4aba6850..dc3b4f11 100755
--- a/signatures/abstracts.py
+++ b/signatures/abstracts.py
@@ -1,4 +1,4 @@
-from re import findall
+import re
 from typing import Any, Dict, List, Optional, Union
 from assemblyline.common.str_utils import safe_str
@@ -15,14 +15,14 @@ class Signature:
 def __init__(
 self,
- heuristic_id: int = None,
- name: str = None,
- description: str = None,
- ttp: List[str] = None,
- families: List[str] = None,
- indicators: List[str] = None,
- severity: int = None,
- safelist: List[str] = None,
+ heuristic_id: int | None = None,
+ name: str | None = None,
+ description: str | None = None,
+ ttp: List[str] | None = None,
+ families: List[str] | None = None,
+ indicators: List[str] | None = None,
+ severity: int = 0,
+ safelist: List[str] | None = None,
 ):
 """
 This method instantiates the base Signature class and performs some validtion checks
@@ -51,11 +51,11 @@ def __init__(
 if severity is None:
 self.severity: int = 0
 elif severity < 0:
- self.severity: int = 0
+ self.severity = 0
 elif severity > 3:
- self.severity: int = 3
+ self.severity = 3
 else:
- self.severity: int = severity
+ self.severity = severity
 self.safelist: List[str] = [] if safelist is None else safelist
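Review bot: `severity: int = 0` now types severity as a plain int, but the body in the -51 hunk on this same line still opens with `if severity is None:`, so the annotation and the guard disagree — either keep `severity: int | None = None` to match the other parameters, or drop the now-dead `is None` branch. The `X | None` annotations are evaluated at definition time and need Python 3.10+ unless the module has `from __future__ import annotations`, which the import hunk does not show; worth confirming against the service's runtime image. `Optional` stays in the typing import although these annotations no longer use it; if nothing else in the module needs it, the name can be dropped from the import.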
@@ -69,28 +69,20 @@ def check_indicators_in_list(self, output: List[str], match_all: bool = False) -
 :param match_all: All indicators must be found in a single line for a mark to be added
 """
 for string in output:
- # For more lines of output, there is a datetime separated by a ]. We do not want the datetime.
- split_line = string.split("] ")
- if len(split_line) == 2:
- string = split_line[1]
- elif len(split_line) > 2:
- string = "] ".join(split_line[1:])
-
- # If we want to match all indicators in a line and nothing from the safelist is in that line, mark it!
- if (
- match_all
- and all(indicator.lower() in string.lower() for indicator in self.indicators)
- and not any(item.lower() in string.lower() for item in self.safelist)
- ):
+ string = self.remove_timestamp(string)
+ lower = string.lower()
+ any_all = all if match_all else any
+ # If we match indicators in a line and nothing from the safelist is in that line, mark it!
+ if any_all(indicator.lower() in lower for indicator in self.indicators) and not self.safelisted(lower):
 self.add_mark(string)
- # If we only want to match at least one indicator in a line, then mark it!
- if not match_all:
- for indicator in self.indicators:
- if indicator.lower() in string.lower() and not any(
- item.lower() in string.lower() for item in self.safelist
- ):
- self.add_mark(string)
+ def safelisted(self, string: str) -> bool:
+ """
+ This method checks if the string contains any safelisted terms
+ :param string: The string to check
+ """
+ string = string.lower()
+ return any(item.lower() in string for item in self.safelist)
 @staticmethod
 def check_regex(regex: str, string: str) -> List[str]:
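Review bot: `safelisted` lowercases its argument again, while both callers in this commit (here and in the -144 hunk) pass `lower`, a string that is already lowercased; either document that the method accepts any case and add the missing `:return: True if any safelist term is a case-insensitive substring of the string`, or drop the redundant `string = string.lower()`. In the same loop `indicator.lower()` is recomputed for every output line; hoisting `indicators = [i.lower() for i in self.indicators]` above `for string in output:` keeps the generator to the membership test. The safelist check is a substring test against the whole line, so a safelisted term appearing anywhere in a line suppresses the mark; that is a policy choice worth a one-line comment on `safelisted` rather than something a reader has to infer.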
@@ -99,11 +91,7 @@ def check_regex(regex: str, string: str) -> List[str]:
 :param regex: A regular expression to be applied to the string
 :param string: A line of output
 """
- result = findall(regex, string)
- if len(result) > 0:
- return result
- else:
- return []
+ return re.findall(regex, string)
 def process_output(self, output: List[str]):
 """
@@ -117,13 +105,25 @@ def add_mark(self, mark: Any) -> bool:
 :param mark: The mark to be added
 :return: A boolean indicating if the mark was added
 """
- if mark:
- if safe_str(mark).strip() not in self.marks:
- # Sometimes lines end with trailing semi-colons and sometimes they do not. These are not unique marks
- if safe_str(mark).strip() + ";" not in self.marks:
- self.marks.append(safe_str(mark).strip())
- else:
+ if not mark:
 return False
+ mark = safe_str(mark).strip()
+ if mark not in self.marks and mark + ";" not in self.marks:
+ # Sometimes lines end with trailing semi-colons and sometimes they do not. These are not unique marks
+ self.marks.append(mark)
+ return True
+ return False
+
+ @staticmethod
+ def remove_timestamp(line: str) -> str:
+ """
+ This method removes the timestamp from the start of an output line
+ :param line: The line to strip the timestamp from
+ """
+ if not line.startswith("["):
+ return line
+ # For more lines of output, there is a datetime separated by a ]. We do not want the datetime.
+ return line.split("] ", 1)[-1]
 def check_multiple_indicators_in_list(self, output: List[str], indicators: List[Dict[str, List[str]]]) -> None:
 """
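Review bot: The semicolon de-duplication in `add_mark` still only works in one direction: with `"x"` already in `self.marks`, a later `"x;"` passes both tests (`"x;"` and `"x;;"` are absent) and is appended, although the comment above says the two are not unique marks. A symmetric check fits on one line: `if mark not in self.marks and mark + ";" not in self.marks and mark.removesuffix(";") not in self.marks:`. In `remove_timestamp`, `split("] ", 1)[-1]` returns the line untouched when it starts with `[` but has no `"] "`, which is fine, but the docstring should say the strip is heuristic — any `[...] ` prefix is removed, not only a timestamp — and it lacks a `:return:` line.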
@@ -144,35 +144,22 @@ def check_multiple_indicators_in_list(self, output: List[str], indicators: List[
 for string in output:
 # For more lines of output, there is a datetime separated by a ]. We do not want the datetime.
- split_line = string.split("] ")
- if len(split_line) == 2:
- string = split_line[1]
-
- # If all_indicators
- are_indicators_matched = True
- for all_indicator in all_indicators:
- if are_indicators_matched and all(
- indicator.lower() in string.lower() for indicator in all_indicator["indicators"]
- ):
- for any_indicator in any_indicators:
- if are_indicators_matched and any(
- indicator.lower() in string.lower() for indicator in any_indicator["indicators"]
- ):
- pass
- else:
- are_indicators_matched = False
- else:
- are_indicators_matched = False
-
- # If no all_indicators
- if not all_indicators:
- for any_indicator in any_indicators:
- if are_indicators_matched and any(
- indicator.lower() in string.lower() for indicator in any_indicator["indicators"]
- ):
- pass
- else:
- are_indicators_matched = False
-
- if are_indicators_matched and not any(item.lower() in string.lower() for item in self.safelist):
+ string = self.remove_timestamp(string)
+ lower = string.lower()
+
+ # We want all of the indicators to match
+ if (
+ all(
+ # With all_indicators matching all of their indicators
+ all(indicator.lower() in lower for indicator in all_indicator["indicators"])
+ for all_indicator in all_indicators
+ )
+ and all(
+ # And any_indicators matching any of their indicators
+ any(indicator.lower() in lower for indicator in any_indicator["indicators"])
+ for any_indicator in any_indicators
+ )
+ # But nothing from the safelist
+ and not self.safelisted(lower)
+ ):
 self.add_mark(string)
diff --git a/signatures/save_to_file.py b/signatures/save_to_file.py
index 2b3eff52..27e88a20 100755
--- a/signatures/save_to_file.py
+++ b/signatures/save_to_file.py
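Review bot: The unchanged context comment `# For more lines of output, there is a datetime separated by a ]. We do not want the datetime.` now sits directly above `string = self.remove_timestamp(string)`, where it repeats the comment inside `remove_timestamp` and describes the inline split that this hunk removed; it can go. The inner `indicator.lower()` calls run once per line per indicator; lowering each group once before the loop, e.g. `all_groups = [[i.lower() for i in d["indicators"]] for d in all_indicators]` and likewise for `any_indicators`, keeps the nested comprehension to the membership test. The start of check_multiple_indicators_in_list, where `all_indicators` and `any_indicators` are built, is outside the hunk.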
@@ -2,7 +2,10 @@
 These are all of the signatures related to saving a file
 """
+import re
+
 from assemblyline.common.str_utils import safe_str
+
 from signatures.abstracts import ANY, Signature
 # List of commands used to save a file to disk
@@ -34,11 +37,13 @@ def __init__(self):
 )
 def process_output(self, output):
- indicator_list = [
- {"method": ANY, "indicators": save_commands},
- {"method": ANY, "indicators": self.indicators},
- ]
- self.check_multiple_indicators_in_list(output, indicator_list)
+ for line in output:
+ line = self.remove_timestamp(line)
+ lower = line.lower()
+ if re.search(r"[.](exe|dll)\b", lower) and any(
+ save_command.lower() in lower for save_command in save_commands
+ ):
+ self.add_mark(line)
 class WritesArchive(Signature):
@@ -48,7 +53,7 @@ def __init__(self):
 name="writes_archive",
 description="JavaScript writes archive file to disk",
 # File extensions based on https://github.com/CybercentreCanada/assemblyline-service-cape/blob/2412416fd8040897d25d00bdaba6356d514398f4/cape/cape_main.py#L1343
- indicators=["\\.zip", "\\.iso", "\\.rar", "\\.vhd", "\\.udf", "\\.7z"],
+ indicators=["zip", "iso", "rar", "vhd", "udf", "7z"],
 severity=3,
 )
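Review bot: `process_output` in the -34 hunk now hard-codes the `[.](exe|dll)\b` pattern and no longer reads `self.indicators`, so whatever `indicators=` this class passes in its `__init__` (outside the hunk) appears to be dead — either drop it or derive the pattern from it the way `WritesArchive` does in the -57 hunk. `save_command.lower()` is recomputed for every output line; `save_commands_lower = [c.lower() for c in save_commands]` once before the loop is enough, and naming the pattern as a module constant (`_EXE_RE = re.compile(r"[.](exe|dll)\b")`) puts the detection criterion next to `save_commands` where a reader looks for it. The enclosing class header is outside the hunk, so I cannot see which signature this is.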
@@ -57,21 +62,17 @@ def process_output(self, output):
 results = []
 # First look for file extensions
- extension_regex = f"(?i)({'|'.join(self.indicators)})\\b"
+ extension_regex = f"(?i)\\w[.]({'|'.join(self.indicators)})\\b"
 for line in output:
- split_line = line.split("] ")
- if len(split_line) == 2:
- string = split_line[1]
- else:
- string = line
- if self.check_regex(extension_regex, string.lower()):
+ string = self.remove_timestamp(line)
+ if re.search(extension_regex, string.lower()):
 extension_results.append(string)
 # Next look for the command
 escaped_save_commands = [save_command.replace("(", "\\(") for save_command in save_commands]
 commands_regex = f"({'|'.join(escaped_save_commands)})"
 for line in extension_results:
- if self.check_regex(commands_regex, line):
+ if re.search(commands_regex, line):
 results.append(line)
 results_set = sorted(set(results))
diff --git a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
index feef447b..1cdff94a 100644
--- a/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
+++ b/tests/results/14158b01bd923506175ac3398625464ce2ad91d2a7924237621280e27b49f116/result.json
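Review bot: `extension_regex` now interpolates the bare `self.indicators` tokens into a pattern without escaping; the list set in the -48 hunk (`zip`, `iso`, …) is safe, but the class takes `indicators` from its constructor, so `'|'.join(map(re.escape, self.indicators))` keeps the pattern correct if an entry ever contains a metacharacter. The `(?i)` flag is redundant with `string.lower()` on the search target; keep one of the two. The unchanged `escaped_save_commands` list escapes only `(`, and the new `re.search(commands_regex, line)` depends on that hand escaping; `re.escape(save_command)` covers every metacharacter in one call. The remainder of process_output after `results_set` is outside the hunk.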
@@ -18,7 +18,7 @@ }, { "auto_collapse": false, - "body": "The prefix '_0x' in names of variables and functions suggests that obfuscated code exists\n\t\tvar _0x4b = [\"\\\\ProgramData\\\\\", \"Scripting.FileSystemObject\", \"WinHttp.WinHttpRequest.5.1\", \"WScript...\n\t\tvar _a = new ActiveXObject(_0x4b[1])\n\t\tvar _b = new ActiveXObject(_0x4b[2])\n\t\tvar _c = new ActiveXObject(_0x4b[3])\n\t\tvar _d = _0x4b[18]\n\t\tvar _e = _0x4b[19]\n\t\tvar _f = _0x4b[20]\n\t\t_b[_0x4b[5]](_0x4b[4], _e, false)\n\t\t_b[_0x4b[6]]()\n\t\tvar _g = new ActiveXObject(_0x4b[9])\n\t\t[6 Mark(s) Truncated]", + "body": "The prefix '_0x' in names of variables and functions suggests that obfuscated code exists\n\t\tvar _0x4b = [\"\\\\ProgramData\\\\\", \"Scripting.FileSystemObject\", \"WinHttp.WinHttpRequest.5.1\", \"WScript...\n\t\tvar _a = new ActiveXObject(_0x4b[1])\n\t\tvar _b = new ActiveXObject(_0x4b[2])\n\t\tvar _c = new ActiveXObject(_0x4b[3])\n\t\tvar _d = _0x4b[18]\n\t\tvar _e = _0x4b[19]\n\t\tvar _f = _0x4b[20]\n\t\t_b[_0x4b[5]](_0x4b[4], _e, false)\n\t\t_b[_0x4b[6]]()\n\t\tif (_b[_0x4b[7]] == 200) {\n\t\t[9 Mark(s) Truncated]", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/1ea398a049ee180db192880d643faaa84b6904842c416d90f5afe16e58ff142a/result.json b/tests/results/1ea398a049ee180db192880d643faaa84b6904842c416d90f5afe16e58ff142a/result.json index d2b7b772..d8ed82a7 100644 --- a/tests/results/1ea398a049ee180db192880d643faaa84b6904842c416d90f5afe16e58ff142a/result.json +++ b/tests/results/1ea398a049ee180db192880d643faaa84b6904842c416d90f5afe16e58ff142a/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 2021, + "score": 2031, "sections": [ { "auto_collapse": false, 
@@ -136,7 +136,7 @@ }, { "auto_collapse": false, - "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\t\"function LtGEs($XGqbLJV){$xamrMR=\"A8AFCE8D37\";function szxwJG($PQNgWB){$JUxiC = [System.IO.MemorySt...\n\t\tTypeError: \"function LtGEs($XGqbLJV){$xamrMR=\"A8AFCE8D37\";function szxwJG($PQNgWB){$JUxiC = [System....\n\t\tfunction szxwJG($PQNgWB){$JUxiC = [System.IO.MemoryStream]::new()", + "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\t\"function LtGEs($XGqbLJV){$xamrMR=\"A8AFCE8D37\";function szxwJG($PQNgWB){$JUxiC = [System.IO.MemorySt...\n\t\tR= 'ShELLEXEcUtESTdinlastIndexOfcscriptWsCriPT.ShElLsLeepsCrIptFulLNAmeshell.APPLiCaTioNCrEAtEObJeCT...\n\t\tTypeError: \"function LtGEs($XGqbLJV){$xamrMR=\"A8AFCE8D37\";function szxwJG($PQNgWB){$JUxiC = [System....\n\t\tfunction szxwJG($PQNgWB){$JUxiC = [System.IO.MemoryStream]::new()", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -160,7 +160,7 @@ }, { "auto_collapse": false, - "body": "JavaScript runs PowerShell via powershell.exe\n\t\tR= 'ShELLEXEcUtESTdinlastIndexOfcscriptWsCriPT.ShElLsLeepsCrIptFulLNAmeshell.APPLiCaTioNCrEAtEObJeCT...", + "body": "JavaScript runs PowerShell via powershell.exe\n\t\tR= 'ShELLEXEcUtESTdinlastIndexOfcscriptWsCriPT.ShElLsLeepsCrIptFulLNAmeshell.APPLiCaTioNCrEAtEObJeCT...\n\t\tR= 'ShELLEXEcUtESTdinlastIndexOfcscriptWsCriPT.ShElLsLeepsCrIptFulLNAmeshell.APPLiCaTioNCrEAtEObJeCT...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -182,6 +182,30 @@ "title_text": "Signature: RunsPowerShell", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript runs PowerShell to call out to a URI\n\t\tR= 'ShELLEXEcUtESTdinlastIndexOfcscriptWsCriPT.ShElLsLeepsCrIptFulLNAmeshell.APPLiCaTioNCrEAtEObJeCT...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "runs_ps1_to_download": 10 + }, + "signatures": { + "runs_ps1_to_download": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: PowerShellDownloader", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -356,6 +380,13 @@ "runs_ps1" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "runs_ps1_to_download" + ] + }, { "attack_ids": [], "heur_id": 4, diff --git a/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json b/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json index be07370a..06d08a30 100644 --- a/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json +++ b/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json @@ -114,7 +114,7 @@ }, { "auto_collapse": false, - "body": "JavaScript uses charCodeAt/fromCharCode to obfuscate/de-obfuscate characters\n\t\t= jUVqAOisGJal[zWCwJfTxMEaZ].charCodeAt(0)", + "body": "JavaScript uses charCodeAt/fromCharCode to obfuscate/de-obfuscate characters\n\t\tGdxgkbZtlbkX[i] = jUVqAOisGJal[zWCwJfTxMEaZ].charCodeAt(0)", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json b/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json index 5ee47c40..d5a24796 100644 
--- a/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json +++ b/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json @@ -254,27 +254,27 @@ "ioc_type": "domain" }, { - "ioc": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=66137918200139924173581", + "ioc": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=62667339945301654173581", "ioc_type": "uri" }, { - "ioc": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=49712600883349284173581", + "ioc": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=42649572717666964173581", "ioc_type": "uri" }, { - "ioc": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=87848672891302514173581", + "ioc": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=70823198667204594173581", "ioc_type": "uri" }, { - "ioc": "/test.php?eqhwvautjqdnpp=49712600883349284173581", + "ioc": "/test.php?eqhwvautjqdnpp=42649572717666964173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?eqhwvautjqdnpp=66137918200139924173581", + "ioc": "/test.php?eqhwvautjqdnpp=62667339945301654173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?eqhwvautjqdnpp=87848672891302514173581", + "ioc": "/test.php?eqhwvautjqdnpp=70823198667204594173581", "ioc_type": "uri_path" } ], 
@@ -306,14 +306,14 @@ "www.maghrebassurance.fr" ], "uri": [ - "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=66137918200139924173581", - "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=49712600883349284173581", - "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=87848672891302514173581" + "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=62667339945301654173581", + "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=42649572717666964173581", + "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=70823198667204594173581" ], "uri_path": [ - "/test.php?eqhwvautjqdnpp=49712600883349284173581", - "/test.php?eqhwvautjqdnpp=66137918200139924173581", - "/test.php?eqhwvautjqdnpp=87848672891302514173581" + "/test.php?eqhwvautjqdnpp=42649572717666964173581", + "/test.php?eqhwvautjqdnpp=62667339945301654173581", + "/test.php?eqhwvautjqdnpp=70823198667204594173581" ] } } @@ -326,15 +326,15 @@ "body": [ { "method": "GET", - "url": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=87848672891302514173581" + "url": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=70823198667204594173581" }, { "method": "GET", - "url": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=66137918200139924173581" + "url": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=62667339945301654173581" }, { "method": "GET", - "url": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=49712600883349284173581" + "url": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=42649572717666964173581" } ], "body_config": { 
@@ -368,14 +368,14 @@ "www.macromixenlinea.com" ], "uri": [ - "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=87848672891302514173581", - "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=66137918200139924173581", - "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=49712600883349284173581" + "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=70823198667204594173581", + "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=62667339945301654173581", + "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=42649572717666964173581" ], "uri_path": [ - "/test.php?eqhwvautjqdnpp=87848672891302514173581", - "/test.php?eqhwvautjqdnpp=66137918200139924173581", - "/test.php?eqhwvautjqdnpp=49712600883349284173581" + "/test.php?eqhwvautjqdnpp=70823198667204594173581", + "/test.php?eqhwvautjqdnpp=62667339945301654173581", + "/test.php?eqhwvautjqdnpp=42649572717666964173581" ] } } 
@@ -540,76 +540,76 @@ { "heur_id": 2, "signatures": [], - "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=66137918200139924173581" + "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=62667339945301654173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=66137918200139924173581" + "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=62667339945301654173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=49712600883349284173581" + "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=42649572717666964173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=49712600883349284173581" + "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=42649572717666964173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=87848672891302514173581" + "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=70823198667204594173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=87848672891302514173581" + "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=70823198667204594173581" } ], "network.static.uri_path": [ { "heur_id": 2, "signatures": [], - "value": "/test.php?eqhwvautjqdnpp=49712600883349284173581" + "value": "/test.php?eqhwvautjqdnpp=42649572717666964173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?eqhwvautjqdnpp=49712600883349284173581" + "value": "/test.php?eqhwvautjqdnpp=42649572717666964173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?eqhwvautjqdnpp=66137918200139924173581" + "value": "/test.php?eqhwvautjqdnpp=62667339945301654173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": 
"/test.php?eqhwvautjqdnpp=66137918200139924173581" + "value": "/test.php?eqhwvautjqdnpp=62667339945301654173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?eqhwvautjqdnpp=87848672891302514173581" + "value": "/test.php?eqhwvautjqdnpp=70823198667204594173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?eqhwvautjqdnpp=87848672891302514173581" + "value": "/test.php?eqhwvautjqdnpp=70823198667204594173581" } ] }, diff --git a/tests/results/5c2a68774c1148a0c960e374049ae3452086cc32a74455b6dd149d5d54ae8790/result.json b/tests/results/5c2a68774c1148a0c960e374049ae3452086cc32a74455b6dd149d5d54ae8790/result.json index 3e911c5d..0d7271ec 100644 --- a/tests/results/5c2a68774c1148a0c960e374049ae3452086cc32a74455b6dd149d5d54ae8790/result.json +++ b/tests/results/5c2a68774c1148a0c960e374049ae3452086cc32a74455b6dd149d5d54ae8790/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 2021, + "score": 2031, "sections": [ { "auto_collapse": false, @@ -137,7 +137,7 @@ }, { "auto_collapse": false, - "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\tfunction kdTGa($raPRe){$qKbDpJ = [sYsTeM.Io.memOrYSTReAM]::NeW()", + "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\th=(WScript);d = ?fullNamEexEcwrITelINESLEepquit\\\\lastIndexOfcscRIPT.exesliceSheLL.APPLICaTIonSheLleX...\n\t\tfunction kdTGa($raPRe){$qKbDpJ = [sYsTeM.Io.memOrYSTReAM]::NeW()", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -161,7 +161,7 @@ }, { "auto_collapse": false, - "body": "JavaScript runs PowerShell via powershell.exe\n\t\td = ?fullNamEexEcwrITelINESLEepquit\\\\lastIndexOfcscRIPT.exesliceSheLL.APPLICaTIonSheLleXEcUtEsCrIpTf...", + "body": "JavaScript runs PowerShell via powershell.exe\n\t\th=(WScript);d = ?fullNamEexEcwrITelINESLEepquit\\\\lastIndexOfcscRIPT.exesliceSheLL.APPLICaTIonSheLleX...\n\t\td = ?fullNamEexEcwrITelINESLEepquit\\\\lastIndexOfcscRIPT.exesliceSheLL.APPLICaTIonSheLleXEcUtEsCrIpTf...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -183,6 +183,30 @@ "title_text": "Signature: RunsPowerShell", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript runs PowerShell to call out to a URI\n\t\th=(WScript);d = ?fullNamEexEcwrITelINESLEepquit\\\\lastIndexOfcscRIPT.exesliceSheLL.APPLICaTIonSheLleX...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "runs_ps1_to_download": 10 + }, + "signatures": { + "runs_ps1_to_download": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: PowerShellDownloader", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -362,6 +386,13 @@ "runs_ps1" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "runs_ps1_to_download" + ] + }, { "attack_ids": [], "heur_id": 4, diff --git a/tests/results/67eb5b143270f50973f89cc44204c74497ed59a68ece5edb4300e05329f2fdfc/result.json b/tests/results/67eb5b143270f50973f89cc44204c74497ed59a68ece5edb4300e05329f2fdfc/result.json index 57718670..62ed6427 100644 --- a/tests/results/67eb5b143270f50973f89cc44204c74497ed59a68ece5edb4300e05329f2fdfc/result.json +++ b/tests/results/67eb5b143270f50973f89cc44204c74497ed59a68ece5edb4300e05329f2fdfc/result.json 
@@ -254,27 +254,27 @@ "ioc_type": "domain" }, { - "ioc": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=0078605325243217284173581", + "ioc": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=479118856125003274173581", "ioc_type": "uri" }, { - "ioc": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=257095672739137364173581", + "ioc": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=63817139353586484173581", "ioc_type": "uri" }, { - "ioc": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=57421312233533084173581", + "ioc": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=44442601755626534173581", "ioc_type": "uri" }, { - "ioc": "/test.php?mhsctaxsmkzg=0078605325243217284173581", + "ioc": "/test.php?mhsctaxsmkzg=44442601755626534173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?mhsctaxsmkzg=257095672739137364173581", + "ioc": "/test.php?mhsctaxsmkzg=479118856125003274173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?mhsctaxsmkzg=57421312233533084173581", + "ioc": "/test.php?mhsctaxsmkzg=63817139353586484173581", "ioc_type": "uri_path" } ], @@ -306,14 +306,14 @@ "www.lohevisto.com" ], "uri": [ - "https://www.liparicasa.it/test.php?mhsctaxsmkzg=0078605325243217284173581", - "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=257095672739137364173581", - "https://www.lohevisto.com/test.php?mhsctaxsmkzg=57421312233533084173581" + "https://www.liparicasa.it/test.php?mhsctaxsmkzg=479118856125003274173581", + "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=63817139353586484173581", + "https://www.lohevisto.com/test.php?mhsctaxsmkzg=44442601755626534173581" ], "uri_path": [ - "/test.php?mhsctaxsmkzg=0078605325243217284173581", - "/test.php?mhsctaxsmkzg=257095672739137364173581", - "/test.php?mhsctaxsmkzg=57421312233533084173581" + "/test.php?mhsctaxsmkzg=44442601755626534173581", + "/test.php?mhsctaxsmkzg=479118856125003274173581", + "/test.php?mhsctaxsmkzg=63817139353586484173581" ] } } 
@@ -326,15 +326,15 @@ "body": [ { "method": "GET", - "url": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=57421312233533084173581" + "url": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=44442601755626534173581" }, { "method": "GET", - "url": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=0078605325243217284173581" + "url": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=479118856125003274173581" }, { "method": "GET", - "url": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=257095672739137364173581" + "url": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=63817139353586484173581" } ], "body_config": { @@ -368,14 +368,14 @@ "www.location-atelier-garage.com" ], "uri": [ - "https://www.lohevisto.com/test.php?mhsctaxsmkzg=57421312233533084173581", - "https://www.liparicasa.it/test.php?mhsctaxsmkzg=0078605325243217284173581", - "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=257095672739137364173581" + "https://www.lohevisto.com/test.php?mhsctaxsmkzg=44442601755626534173581", + "https://www.liparicasa.it/test.php?mhsctaxsmkzg=479118856125003274173581", + "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=63817139353586484173581" ], "uri_path": [ - "/test.php?mhsctaxsmkzg=57421312233533084173581", - "/test.php?mhsctaxsmkzg=0078605325243217284173581", - "/test.php?mhsctaxsmkzg=257095672739137364173581" + "/test.php?mhsctaxsmkzg=44442601755626534173581", + "/test.php?mhsctaxsmkzg=479118856125003274173581", + "/test.php?mhsctaxsmkzg=63817139353586484173581" ] } } 
@@ -540,76 +540,76 @@ { "heur_id": 2, "signatures": [], - "value": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=0078605325243217284173581" + "value": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=479118856125003274173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=0078605325243217284173581" + "value": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=479118856125003274173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=257095672739137364173581" + "value": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=63817139353586484173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=257095672739137364173581" + "value": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=63817139353586484173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=57421312233533084173581" + "value": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=44442601755626534173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=57421312233533084173581" + "value": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=44442601755626534173581" } ], "network.static.uri_path": [ { "heur_id": 2, "signatures": [], - "value": "/test.php?mhsctaxsmkzg=0078605325243217284173581" + "value": "/test.php?mhsctaxsmkzg=44442601755626534173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?mhsctaxsmkzg=0078605325243217284173581" + "value": "/test.php?mhsctaxsmkzg=44442601755626534173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?mhsctaxsmkzg=257095672739137364173581" + "value": "/test.php?mhsctaxsmkzg=479118856125003274173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": 
"/test.php?mhsctaxsmkzg=257095672739137364173581" + "value": "/test.php?mhsctaxsmkzg=479118856125003274173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?mhsctaxsmkzg=57421312233533084173581" + "value": "/test.php?mhsctaxsmkzg=63817139353586484173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?mhsctaxsmkzg=57421312233533084173581" + "value": "/test.php?mhsctaxsmkzg=63817139353586484173581" } ] }, diff --git a/tests/results/6f30d32889faed3d0f6e1d27ec3b19fee1be80c8c31562f6188fdd03f365d5ef/result.json b/tests/results/6f30d32889faed3d0f6e1d27ec3b19fee1be80c8c31562f6188fdd03f365d5ef/result.json index 5c5be23d..e97c0105 100644 --- a/tests/results/6f30d32889faed3d0f6e1d27ec3b19fee1be80c8c31562f6188fdd03f365d5ef/result.json +++ b/tests/results/6f30d32889faed3d0f6e1d27ec3b19fee1be80c8c31562f6188fdd03f365d5ef/result.json @@ -136,7 +136,7 @@ }, { "auto_collapse": false, - "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\tfunction pVsfJUP($zViavV){$iKxAK = [SyStEm.iO.memOrySTReaM]::nEW()", + "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\tn = ?function pxny($TlOIlxX){$HmsGlo=\"56139C9225\";function pVsfJUP($zViavV){$iKxAK = [SyStEm.iO.memO...\n\t\tfunction pVsfJUP($zViavV){$iKxAK = [SyStEm.iO.memOrySTReaM]::nEW()", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -160,7 +160,7 @@ }, { "auto_collapse": false, - "body": "JavaScript runs PowerShell via powershell.exe\n\t\t-rEpLaCE \"\\^\",\"\");}}whilE(1){trY{pxny(@(\"https://redshirtsalwaysdie.com/xmlrpc.php\",\"https://edelson...\n\t\tN=?sLeEpScriptfullNamEFuLLnaMEPowERsHeLL.EXelastIndexOfcscriptWSCRIPT.SHElLsearchCREATEOBjECT\\\\CsCrI...", + "body": "JavaScript runs PowerShell via powershell.exe\n\t\tn = ?function pxny($TlOIlxX){$HmsGlo=\"56139C9225\";function pVsfJUP($zViavV){$iKxAK = [SyStEm.iO.memO...\n\t\tN=?sLeEpScriptfullNamEFuLLnaMEPowERsHeLL.EXelastIndexOfcscriptWSCRIPT.SHElLsearchCREATEOBjECT\\\\CsCrI...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -184,7 +184,7 @@ }, { "auto_collapse": false, - "body": "JavaScript runs PowerShell to call out to a URI\n\t\t-rEpLaCE \"\\^\",\"\");}}whilE(1){trY{pxny(@(\"https://redshirtsalwaysdie.com/xmlrpc.php\",\"https://edelson...", + "body": "JavaScript runs PowerShell to call out to a URI\n\t\tn = ?function pxny($TlOIlxX){$HmsGlo=\"56139C9225\";function pVsfJUP($zViavV){$iKxAK = [SyStEm.iO.memO...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/9831464ab191b8fe30db4f437ff95d77f40bf692dff26dfd5b209b44b0c1c07c/result.json b/tests/results/9831464ab191b8fe30db4f437ff95d77f40bf692dff26dfd5b209b44b0c1c07c/result.json index 987f93ea..721bf0f4 100644 --- a/tests/results/9831464ab191b8fe30db4f437ff95d77f40bf692dff26dfd5b209b44b0c1c07c/result.json +++ b/tests/results/9831464ab191b8fe30db4f437ff95d77f40bf692dff26dfd5b209b44b0c1c07c/result.json 
@@ -104,7 +104,7 @@ }, { "auto_collapse": false, - "body": "The prefix '_0x' in names of variables and functions suggests that obfuscated code exists\n\t\tfunction _0x2f62(b, e) {\n\t\tvar f = _0x1f7f()\n\t\treturn _0x2f62 = function (g, h) {\n\t\t= k, b = arguments, _0x2f62[D(0x184, 'h1iX')] = !![]\n\t\t=== undefined && (_0x2f62[D(0x1bc, '^Hs8')] = !![]), i = _0x2f62[D(0x1f9, 'R04l')](i, h), b[m] = i) ...\n\t\t}, _0x2f62(b, e)\n\t\tvar _0x460ecf = _0x2f62\n\t\tvar E = d, f = _0x2f62, g = b()\n\t\t}(_0x1f7f, 0x7fb6c))\n\t\tvar _0xebf086 = (function () {\n\t\t[22 Mark(s) Truncated]", + "body": "The prefix '_0x' in names of variables and functions suggests that obfuscated code exists\n\t\tfunction _0x2f62(b, e) {\n\t\tvar f = _0x1f7f()\n\t\treturn _0x2f62 = function (g, h) {\n\t\tif (_0x2f62['DEcwLP'] === undefined) {\n\t\t_0x2f62[D(0x1c6, 'wmH4')] = k, b = arguments, _0x2f62[D(0x184, 'h1iX')] = !![]\n\t\treturn !n ? (_0x2f62[D(0x1c0, 'XU*R')] === undefined && (_0x2f62[D(0x1bc, '^Hs8')] = !![]), i = _0x2...\n\t\t}, _0x2f62(b, e)\n\t\tvar _0x460ecf = _0x2f62\n\t\tvar E = d, f = _0x2f62, g = b()\n\t\t}(_0x1f7f, 0x7fb6c))\n\t\t[24 Mark(s) Truncated]", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/a10250d42b15151c9bdbcfd08291527dc60e026f47138343ba1258214b3ec953/result.json b/tests/results/a10250d42b15151c9bdbcfd08291527dc60e026f47138343ba1258214b3ec953/result.json index fb033fcc..3b20ca06 100644 --- a/tests/results/a10250d42b15151c9bdbcfd08291527dc60e026f47138343ba1258214b3ec953/result.json +++ b/tests/results/a10250d42b15151c9bdbcfd08291527dc60e026f47138343ba1258214b3ec953/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 2021, + "score": 2031, "sections": [ { "auto_collapse": false, 
@@ -136,7 +136,7 @@ }, { "auto_collapse": false, - "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\t\"function pWmwhX($KaVEat){$QHDEzk=\"2588429F03\";function OmaZSQ($IkbSO){$uFwkyX = [System.IO.MemorySt...\n\t\tTypeError: \"function pWmwhX($KaVEat){$QHDEzk=\"2588429F03\";function OmaZSQ($IkbSO){$uFwkyX = [System....\n\t\tfunction OmaZSQ($IkbSO){$uFwkyX = [System.IO.MemoryStream]::new()", + "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\t\"function pWmwhX($KaVEat){$QHDEzk=\"2588429F03\";function OmaZSQ($IkbSO){$uFwkyX = [System.IO.MemorySt...\n\t\tn = WScript;z=('SlEEPcscript\\\\OPEnlastIndexOfsCRIpTfulLnAmEcReatEobjECtSHelL.appLIcAtIoNShEllexECUte...\n\t\tTypeError: \"function pWmwhX($KaVEat){$QHDEzk=\"2588429F03\";function OmaZSQ($IkbSO){$uFwkyX = [System....\n\t\tfunction OmaZSQ($IkbSO){$uFwkyX = [System.IO.MemoryStream]::new()", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -160,7 +160,7 @@ }, { "auto_collapse": false, - "body": "JavaScript runs PowerShell via powershell.exe\n\t\tz=('SlEEPcscript\\\\OPEnlastIndexOfsCRIpTfulLnAmEcReatEobjECtSHelL.appLIcAtIoNShEllexECUtePOWerSHELLEx...", + "body": "JavaScript runs PowerShell via powershell.exe\n\t\tn = WScript;z=('SlEEPcscript\\\\OPEnlastIndexOfsCRIpTfulLnAmEcReatEobjECtSHelL.appLIcAtIoNShEllexECUte...\n\t\tz=('SlEEPcscript\\\\OPEnlastIndexOfsCRIpTfulLnAmEcReatEobjECtSHelL.appLIcAtIoNShEllexECUtePOWerSHELLEx...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -182,6 +182,30 @@ "title_text": "Signature: RunsPowerShell", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript runs PowerShell to call out to a URI\n\t\tn = WScript;z=('SlEEPcscript\\\\OPEnlastIndexOfsCRIpTfulLnAmEcReatEobjECtSHelL.appLIcAtIoNShEllexECUte...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "runs_ps1_to_download": 10 + }, + "signatures": { + "runs_ps1_to_download": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: PowerShellDownloader", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -356,6 +380,13 @@ "runs_ps1" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "runs_ps1_to_download" + ] + }, { "attack_ids": [], "heur_id": 4, diff --git a/tests/results/a822a0ad8bdf6afe197ae4eb4d375f988e30224c4af13e04110e6dcdcd77c836/result.json b/tests/results/a822a0ad8bdf6afe197ae4eb4d375f988e30224c4af13e04110e6dcdcd77c836/result.json index 69ee3466..b120467e 100644 --- a/tests/results/a822a0ad8bdf6afe197ae4eb4d375f988e30224c4af13e04110e6dcdcd77c836/result.json +++ b/tests/results/a822a0ad8bdf6afe197ae4eb4d375f988e30224c4af13e04110e6dcdcd77c836/result.json 
@@ -661,7 +661,7 @@ }, { "auto_collapse": false, - "body": "JavaScript encodes a Uniform Resource Identifier\n\t\t= encodeURIComponent(this.value)\n\t\tb.push(c+\"=\"+encodeURIComponent(d))}var b=b.join\n\t\tG.n=function(a,b,c){var d=this.k,e=this.e||\"\",d=d+\"?module=\"+encodeURIComponent(e)\n\t\td=d+\"&type=\"+encodeURIComponent(a)\n\t\t+\"&msg=\"+encodeURIComponent(b)\n\t\ta++)d=d+\"&arg=\"+encodeURIComponent(c[a])\n\t\treturn a=0<=a.indexOf(\"?\")?a+\"&\"+encodeURIComponent(b)+\"=\"+encodeURIComponent(c):a\n\t\t+\"?\"+encodeURIComponent(b)+\"=\"+encodeURIComponent(c)}", + "body": "JavaScript encodes a Uniform Resource Identifier\n\t\tlangChooser_params['hl'] = encodeURIComponent(this.value)\n\t\tb.push(c+\"=\"+encodeURIComponent(d))}var b=b.join\n\t\tG.n=function(a,b,c){var d=this.k,e=this.e||\"\",d=d+\"?module=\"+encodeURIComponent(e)\n\t\td=d+\"&type=\"+encodeURIComponent(a)\n\t\t+\"&msg=\"+encodeURIComponent(b)\n\t\ta++)d=d+\"&arg=\"+encodeURIComponent(c[a])\n\t\treturn a=0<=a.indexOf(\"?\")?a+\"&\"+encodeURIComponent(b)+\"=\"+encodeURIComponent(c):a\n\t\t+\"?\"+encodeURIComponent(b)+\"=\"+encodeURIComponent(c)}", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/e826df2ff2104f8fe4e968ce85ea3530f03236d28e3af0efe6f3dd4e28b4fb85/result.json b/tests/results/e826df2ff2104f8fe4e968ce85ea3530f03236d28e3af0efe6f3dd4e28b4fb85/result.json index 0290d949..d6a3f15c 100644 --- a/tests/results/e826df2ff2104f8fe4e968ce85ea3530f03236d28e3af0efe6f3dd4e28b4fb85/result.json +++ b/tests/results/e826df2ff2104f8fe4e968ce85ea3530f03236d28e3af0efe6f3dd4e28b4fb85/result.json 
@@ -254,27 +254,27 @@ "ioc_type": "domain" }, { - "ioc": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=83225618111331714173581", + "ioc": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=184980817204321254173581", "ioc_type": "uri" }, { - "ioc": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=67170061695449034173581", + "ioc": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=36948072985515484173581", "ioc_type": "uri" }, { - "ioc": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=64491924747170474173581", + "ioc": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=8825554069874854173581", "ioc_type": "uri" }, { - "ioc": "/xml.php?axkhpbmxwhmjuwt=64491924747170474173581", + "ioc": "/xml.php?axkhpbmxwhmjuwt=184980817204321254173581", "ioc_type": "uri_path" }, { - "ioc": "/xml.php?axkhpbmxwhmjuwt=67170061695449034173581", + "ioc": "/xml.php?axkhpbmxwhmjuwt=36948072985515484173581", "ioc_type": "uri_path" }, { - "ioc": "/xml.php?axkhpbmxwhmjuwt=83225618111331714173581", + "ioc": "/xml.php?axkhpbmxwhmjuwt=8825554069874854173581", "ioc_type": "uri_path" } ], @@ -306,14 +306,14 @@ "www.travelettes.net" ], "uri": [ - "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=83225618111331714173581", - "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=67170061695449034173581", - "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=64491924747170474173581" + "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=184980817204321254173581", + "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=36948072985515484173581", + "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=8825554069874854173581" ], "uri_path": [ - "/xml.php?axkhpbmxwhmjuwt=64491924747170474173581", - "/xml.php?axkhpbmxwhmjuwt=67170061695449034173581", - "/xml.php?axkhpbmxwhmjuwt=83225618111331714173581" + "/xml.php?axkhpbmxwhmjuwt=184980817204321254173581", + "/xml.php?axkhpbmxwhmjuwt=36948072985515484173581", + "/xml.php?axkhpbmxwhmjuwt=8825554069874854173581" ] } } 
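Review bot: The expected IOCs in this hunk change only in the numeric query-string suffix (e.g. `axkhpbmxwhmjuwt=83225618111331714173581` becomes `axkhpbmxwhmjuwt=184980817204321254173581`) while nothing in the visible patch touches URL extraction, which suggests the sandboxed script derives that value from a clock or random source and this fixture will drift again on the next regeneration; the fe988f… fixture further down shows the same churn. If that is the case, pinning the emulator's time and random source in the test harness, or normalising the volatile suffix before comparison (assert on host and path, match the digits with a pattern), would keep the `gootloader_url` tags stable across runs. The domain and path components, which are what the signature actually keys on, are unchanged in every entry.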
@@ -326,15 +326,15 @@ "body": [ { "method": "GET", - "url": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=64491924747170474173581" + "url": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=8825554069874854173581" }, { "method": "GET", - "url": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=67170061695449034173581" + "url": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=36948072985515484173581" }, { "method": "GET", - "url": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=83225618111331714173581" + "url": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=184980817204321254173581" } ], "body_config": { @@ -368,14 +368,14 @@ "www.thomadaneau.com" ], "uri": [ - "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=64491924747170474173581", - "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=67170061695449034173581", - "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=83225618111331714173581" + "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=8825554069874854173581", + "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=36948072985515484173581", + "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=184980817204321254173581" ], "uri_path": [ - "/xml.php?axkhpbmxwhmjuwt=64491924747170474173581", - "/xml.php?axkhpbmxwhmjuwt=67170061695449034173581", - "/xml.php?axkhpbmxwhmjuwt=83225618111331714173581" + "/xml.php?axkhpbmxwhmjuwt=8825554069874854173581", + "/xml.php?axkhpbmxwhmjuwt=36948072985515484173581", + "/xml.php?axkhpbmxwhmjuwt=184980817204321254173581" ] } } 
@@ -540,76 +540,76 @@ { "heur_id": 2, "signatures": [], - "value": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=83225618111331714173581" + "value": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=184980817204321254173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=83225618111331714173581" + "value": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=184980817204321254173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=67170061695449034173581" + "value": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=36948072985515484173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=67170061695449034173581" + "value": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=36948072985515484173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=64491924747170474173581" + "value": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=8825554069874854173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=64491924747170474173581" + "value": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=8825554069874854173581" } ], "network.static.uri_path": [ { "heur_id": 2, "signatures": [], - "value": "/xml.php?axkhpbmxwhmjuwt=64491924747170474173581" + "value": "/xml.php?axkhpbmxwhmjuwt=184980817204321254173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/xml.php?axkhpbmxwhmjuwt=64491924747170474173581" + "value": "/xml.php?axkhpbmxwhmjuwt=184980817204321254173581" }, { "heur_id": 2, "signatures": [], - "value": "/xml.php?axkhpbmxwhmjuwt=67170061695449034173581" + "value": "/xml.php?axkhpbmxwhmjuwt=36948072985515484173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": 
"/xml.php?axkhpbmxwhmjuwt=67170061695449034173581" + "value": "/xml.php?axkhpbmxwhmjuwt=36948072985515484173581" }, { "heur_id": 2, "signatures": [], - "value": "/xml.php?axkhpbmxwhmjuwt=83225618111331714173581" + "value": "/xml.php?axkhpbmxwhmjuwt=8825554069874854173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/xml.php?axkhpbmxwhmjuwt=83225618111331714173581" + "value": "/xml.php?axkhpbmxwhmjuwt=8825554069874854173581" } ] }, diff --git a/tests/results/ec6f12f58df788e557db1a38aecff94f7e92eab09af3c84fe14ac6f07d521f27/result.json b/tests/results/ec6f12f58df788e557db1a38aecff94f7e92eab09af3c84fe14ac6f07d521f27/result.json index de045646..049a2200 100644 --- a/tests/results/ec6f12f58df788e557db1a38aecff94f7e92eab09af3c84fe14ac6f07d521f27/result.json +++ b/tests/results/ec6f12f58df788e557db1a38aecff94f7e92eab09af3c84fe14ac6f07d521f27/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 2021, + "score": 2031, "sections": [ { "auto_collapse": false, @@ -136,7 +136,7 @@ }, { "auto_collapse": false, - "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\t\"function JyOYc($ywVoR){$tMWkE=\"8AD00AC970\";function hmXLCut($unTuRCX){$lagYac = [System.IO.MemorySt...\n\t\tTypeError: \"function JyOYc($ywVoR){$tMWkE=\"8AD00AC970\";function hmXLCut($unTuRCX){$lagYac = [System....\n\t\tfunction hmXLCut($unTuRCX){$lagYac = [System.IO.MemoryStream]::new()", + "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\t\"function JyOYc($ywVoR){$tMWkE=\"8AD00AC970\";function hmXLCut($unTuRCX){$lagYac = [System.IO.MemorySt...\n\t\tp ='WriTeLiNeSLeeplastIndexOfshEllExECUtEsHeLL.APpLIcATIonexEcCREaTEobjectslicePOwErShELlwScrIpt.sHe...\n\t\tTypeError: \"function JyOYc($ywVoR){$tMWkE=\"8AD00AC970\";function hmXLCut($unTuRCX){$lagYac = [System....\n\t\tfunction hmXLCut($unTuRCX){$lagYac = [System.IO.MemoryStream]::new()", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -160,7 +160,7 @@ }, { "auto_collapse": false, - "body": "JavaScript runs PowerShell via powershell.exe\n\t\tp ='WriTeLiNeSLeeplastIndexOfshEllExECUtEsHeLL.APpLIcATIonexEcCREaTEobjectslicePOwErShELlwScrIpt.sHe...", + "body": "JavaScript runs PowerShell via powershell.exe\n\t\tp ='WriTeLiNeSLeeplastIndexOfshEllExECUtEsHeLL.APpLIcATIonexEcCREaTEobjectslicePOwErShELlwScrIpt.sHe...\n\t\tp ='WriTeLiNeSLeeplastIndexOfshEllExECUtEsHeLL.APpLIcATIonexEcCREaTEobjectslicePOwErShELlwScrIpt.sHe...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -182,6 +182,30 @@ "title_text": "Signature: RunsPowerShell", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "JavaScript runs PowerShell to call out to a URI\n\t\tp ='WriTeLiNeSLeeplastIndexOfshEllExECUtEsHeLL.APpLIcATIonexEcCREaTEobjectslicePOwErShELlwScrIpt.sHe...", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "runs_ps1_to_download": 10 + }, + "signatures": { + "runs_ps1_to_download": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: PowerShellDownloader", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -356,6 +380,13 @@ "runs_ps1" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "runs_ps1_to_download" + ] + }, { "attack_ids": [], "heur_id": 4, diff --git a/tests/results/f4f43bfabf8e410683a9ffaa7acd359fda0045b35d1eef7bd872ae2c4064382f/result.json b/tests/results/f4f43bfabf8e410683a9ffaa7acd359fda0045b35d1eef7bd872ae2c4064382f/result.json index 2e8a0f35..20b1227e 100644 --- a/tests/results/f4f43bfabf8e410683a9ffaa7acd359fda0045b35d1eef7bd872ae2c4064382f/result.json +++ b/tests/results/f4f43bfabf8e410683a9ffaa7acd359fda0045b35d1eef7bd872ae2c4064382f/result.json 
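Review bot: The RunsPowerShell section in the `@@ -160` hunk now lists the mark `p ='WriTeLiNeSLeeplastIndexOf…` twice with identical text, and the a10250… fixture above shows the same line marked both as `n = WScript;z=(…` and as `z=(…`. From the fixture alone I cannot tell whether the sandbox now reports that line twice or whether the rewritten indicator matching adds a mark more than once per line; if it is the latter, de-duplicating in `add_mark` (or keying marks on the timestamp-stripped line) would stop the section body from repeating. The new PowerShellDownloader section that accounts for the `2021` → `2031` score change is also scored off that same line, which appears to be a concatenation of method names rather than an observed download, so it is worth confirming that `runs_ps1_to_download` is meant to fire on a line that merely contains both indicator substrings before accepting the +10.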
@@ -200,7 +200,7 @@ }, { "auto_collapse": false, - "body": "JavaScript uses charCodeAt/fromCharCode to obfuscate/de-obfuscate characters\n\t\t= slice.charCodeAt(i)", + "body": "JavaScript uses charCodeAt/fromCharCode to obfuscate/de-obfuscate characters\n\t\tbyteNumbers[i] = slice.charCodeAt(i)", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/fe988f34d74e1f975a872876f002b85ab55181e58d15de7a5d93e01adcf4b62f/result.json b/tests/results/fe988f34d74e1f975a872876f002b85ab55181e58d15de7a5d93e01adcf4b62f/result.json index bbf526b3..ea33a86e 100644 --- a/tests/results/fe988f34d74e1f975a872876f002b85ab55181e58d15de7a5d93e01adcf4b62f/result.json +++ b/tests/results/fe988f34d74e1f975a872876f002b85ab55181e58d15de7a5d93e01adcf4b62f/result.json @@ -254,27 +254,27 @@ "ioc_type": "domain" }, { - "ioc": "https://www.lovlr.com/test.php?tfognzsagssntu=175109366876121664173581", + "ioc": "https://www.lovlr.com/test.php?tfognzsagssntu=8727009293490524173581", "ioc_type": "uri" }, { - "ioc": "https://www.lukeamiller.net/test.php?tfognzsagssntu=92907735917390034173581", + "ioc": "https://www.lukeamiller.net/test.php?tfognzsagssntu=2065242434389884173581", "ioc_type": "uri" }, { - "ioc": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=0215825558213542664173581", + "ioc": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=000070463760521111144173581", "ioc_type": "uri" }, { - "ioc": "/test.php?tfognzsagssntu=0215825558213542664173581", + "ioc": "/test.php?tfognzsagssntu=000070463760521111144173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?tfognzsagssntu=175109366876121664173581", + "ioc": "/test.php?tfognzsagssntu=2065242434389884173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?tfognzsagssntu=92907735917390034173581", + "ioc": "/test.php?tfognzsagssntu=8727009293490524173581", "ioc_type": "uri_path" } ], 
@@ -306,14 +306,14 @@ "www.macromixenlinea.com" ], "uri": [ - "https://www.lovlr.com/test.php?tfognzsagssntu=175109366876121664173581", - "https://www.lukeamiller.net/test.php?tfognzsagssntu=92907735917390034173581", - "https://www.macromixenlinea.com/test.php?tfognzsagssntu=0215825558213542664173581" + "https://www.lovlr.com/test.php?tfognzsagssntu=8727009293490524173581", + "https://www.lukeamiller.net/test.php?tfognzsagssntu=2065242434389884173581", + "https://www.macromixenlinea.com/test.php?tfognzsagssntu=000070463760521111144173581" ], "uri_path": [ - "/test.php?tfognzsagssntu=0215825558213542664173581", - "/test.php?tfognzsagssntu=175109366876121664173581", - "/test.php?tfognzsagssntu=92907735917390034173581" + "/test.php?tfognzsagssntu=000070463760521111144173581", + "/test.php?tfognzsagssntu=2065242434389884173581", + "/test.php?tfognzsagssntu=8727009293490524173581" ] } } @@ -326,15 +326,15 @@ "body": [ { "method": "GET", - "url": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=0215825558213542664173581" + "url": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=000070463760521111144173581" }, { "method": "GET", - "url": "https://www.lovlr.com/test.php?tfognzsagssntu=175109366876121664173581" + "url": "https://www.lovlr.com/test.php?tfognzsagssntu=8727009293490524173581" }, { "method": "GET", - "url": "https://www.lukeamiller.net/test.php?tfognzsagssntu=92907735917390034173581" + "url": "https://www.lukeamiller.net/test.php?tfognzsagssntu=2065242434389884173581" } ], "body_config": { 
@@ -368,14 +368,14 @@ "www.lukeamiller.net" ], "uri": [ - "https://www.macromixenlinea.com/test.php?tfognzsagssntu=0215825558213542664173581", - "https://www.lovlr.com/test.php?tfognzsagssntu=175109366876121664173581", - "https://www.lukeamiller.net/test.php?tfognzsagssntu=92907735917390034173581" + "https://www.macromixenlinea.com/test.php?tfognzsagssntu=000070463760521111144173581", + "https://www.lovlr.com/test.php?tfognzsagssntu=8727009293490524173581", + "https://www.lukeamiller.net/test.php?tfognzsagssntu=2065242434389884173581" ], "uri_path": [ - "/test.php?tfognzsagssntu=0215825558213542664173581", - "/test.php?tfognzsagssntu=175109366876121664173581", - "/test.php?tfognzsagssntu=92907735917390034173581" + "/test.php?tfognzsagssntu=000070463760521111144173581", + "/test.php?tfognzsagssntu=8727009293490524173581", + "/test.php?tfognzsagssntu=2065242434389884173581" ] } } 
@@ -540,76 +540,76 @@ { "heur_id": 2, "signatures": [], - "value": "https://www.lovlr.com/test.php?tfognzsagssntu=175109366876121664173581" + "value": "https://www.lovlr.com/test.php?tfognzsagssntu=8727009293490524173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.lovlr.com/test.php?tfognzsagssntu=175109366876121664173581" + "value": "https://www.lovlr.com/test.php?tfognzsagssntu=8727009293490524173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.lukeamiller.net/test.php?tfognzsagssntu=92907735917390034173581" + "value": "https://www.lukeamiller.net/test.php?tfognzsagssntu=2065242434389884173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.lukeamiller.net/test.php?tfognzsagssntu=92907735917390034173581" + "value": "https://www.lukeamiller.net/test.php?tfognzsagssntu=2065242434389884173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=0215825558213542664173581" + "value": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=000070463760521111144173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=0215825558213542664173581" + "value": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=000070463760521111144173581" } ], "network.static.uri_path": [ { "heur_id": 2, "signatures": [], - "value": "/test.php?tfognzsagssntu=0215825558213542664173581" + "value": "/test.php?tfognzsagssntu=000070463760521111144173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?tfognzsagssntu=0215825558213542664173581" + "value": "/test.php?tfognzsagssntu=000070463760521111144173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?tfognzsagssntu=175109366876121664173581" + "value": "/test.php?tfognzsagssntu=2065242434389884173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": 
"/test.php?tfognzsagssntu=175109366876121664173581" + "value": "/test.php?tfognzsagssntu=2065242434389884173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?tfognzsagssntu=92907735917390034173581" + "value": "/test.php?tfognzsagssntu=8727009293490524173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?tfognzsagssntu=92907735917390034173581" + "value": "/test.php?tfognzsagssntu=8727009293490524173581" } ] },