Merge pull request #746 from CybercentreCanada/ast_analyzer

Switch from runASTAnalysis to AstAnalyser for js-x-ray
CybercentreCanada · Sep 13, 2024 · 2dabe42 · 2dabe42
2 parents da935bc + 8cc6c01
commit 2dabe42
Show file tree

Hide file tree

Showing 15 changed files with 199 additions and 393 deletions.
diff --git a/tests/__init__.py b/tests/__init__.py
diff --git a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json
@@ -330,10 +330,6 @@
       {
         "name": "1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0.cleaned",
         "sha256": "a14f37dd914b4185314f4b9e53df2a22029d4d9db2d90c1e4b093e759c7f18a8"
-      },
-      {
-        "name": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc",
-        "sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc"
       }
     ],
     "supplementary": [

diff --git a/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json b/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json
@@ -231,10 +231,6 @@
   },
   "files": {
     "extracted": [
-      {
-        "name": "3fb5f6db21abb181956aeaf5bdeabfe8c711874d37ff77b20d8689318d3f9d7e",
-        "sha256": "3fb5f6db21abb181956aeaf5bdeabfe8c711874d37ff77b20d8689318d3f9d7e"
-      },
       {
         "name": "Blob[80]",
         "sha256": "d303c8ff0303b9f86867615e9e3d77323f9ba65c26d2856086bd3df4587fbf55"

diff --git a/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json b/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json
@@ -254,27 +254,27 @@
             "ioc_type": "domain"
           },
           {
-            "ioc": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581",
+            "ioc": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581",
             "ioc_type": "uri"
           },
           {
-            "ioc": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581",
+            "ioc": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581",
             "ioc_type": "uri"
           },
           {
-            "ioc": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581",
+            "ioc": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581",
             "ioc_type": "uri"
           },
           {
-            "ioc": "/test.php?eqhwvautjqdnpp=402536143433771534173581",
+            "ioc": "/test.php?eqhwvautjqdnpp=0180094100052510254173581",
             "ioc_type": "uri_path"
           },
           {
-            "ioc": "/test.php?eqhwvautjqdnpp=88927095034910674173581",
+            "ioc": "/test.php?eqhwvautjqdnpp=148353615178769664173581",
             "ioc_type": "uri_path"
           },
           {
-            "ioc": "/test.php?eqhwvautjqdnpp=92260338581876324173581",
+            "ioc": "/test.php?eqhwvautjqdnpp=186103112418377854173581",
             "ioc_type": "uri_path"
           }
         ],
@@ -306,14 +306,14 @@
                 "www.maghrebassurance.fr"
               ],
               "uri": [
-                "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581",
-                "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581",
-                "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581"
+                "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581",
+                "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581",
+                "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581"
               ],
               "uri_path": [
-                "/test.php?eqhwvautjqdnpp=402536143433771534173581",
-                "/test.php?eqhwvautjqdnpp=88927095034910674173581",
-                "/test.php?eqhwvautjqdnpp=92260338581876324173581"
+                "/test.php?eqhwvautjqdnpp=0180094100052510254173581",
+                "/test.php?eqhwvautjqdnpp=148353615178769664173581",
+                "/test.php?eqhwvautjqdnpp=186103112418377854173581"
               ]
             }
           }
@@ -326,15 +326,15 @@
         "body": [
           {
             "method": "GET",
-            "url": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581"
+            "url": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581"
           },
           {
             "method": "GET",
-            "url": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581"
+            "url": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581"
           },
           {
             "method": "GET",
-            "url": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581"
+            "url": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581"
           }
         ],
         "body_config": {
@@ -368,14 +368,14 @@
                 "www.macromixenlinea.com"
               ],
               "uri": [
-                "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581",
-                "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581",
-                "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581"
+                "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581",
+                "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581",
+                "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581"
               ],
               "uri_path": [
-                "/test.php?eqhwvautjqdnpp=402536143433771534173581",
-                "/test.php?eqhwvautjqdnpp=92260338581876324173581",
-                "/test.php?eqhwvautjqdnpp=88927095034910674173581"
+                "/test.php?eqhwvautjqdnpp=0180094100052510254173581",
+                "/test.php?eqhwvautjqdnpp=148353615178769664173581",
+                "/test.php?eqhwvautjqdnpp=186103112418377854173581"
               ]
             }
           }
@@ -520,21 +520,21 @@
           "signatures": [
             "gootloader_url"
           ],
-          "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581"
+          "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581"
         },
         {
           "heur_id": 1,
           "signatures": [
             "gootloader_url"
           ],
-          "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581"
+          "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581"
         },
         {
           "heur_id": 1,
           "signatures": [
             "gootloader_url"
           ],
-          "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581"
+          "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581"
         }
       ],
       "network.dynamic.uri_path": [
@@ -543,21 +543,21 @@
           "signatures": [
             "gootloader_url"
           ],
-          "value": "/test.php?eqhwvautjqdnpp=402536143433771534173581"
+          "value": "/test.php?eqhwvautjqdnpp=0180094100052510254173581"
         },
         {
           "heur_id": 1,
           "signatures": [
             "gootloader_url"
           ],
-          "value": "/test.php?eqhwvautjqdnpp=88927095034910674173581"
+          "value": "/test.php?eqhwvautjqdnpp=148353615178769664173581"
         },
         {
           "heur_id": 1,
           "signatures": [
             "gootloader_url"
           ],
-          "value": "/test.php?eqhwvautjqdnpp=92260338581876324173581"
+          "value": "/test.php?eqhwvautjqdnpp=186103112418377854173581"
         }
       ],
       "network.static.domain": [
@@ -586,34 +586,34 @@
         {
           "heur_id": 2,
           "signatures": [],
-          "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581"
+          "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581"
         },
         {
           "heur_id": 2,
           "signatures": [],
-          "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581"
+          "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581"
         },
         {
           "heur_id": 2,
           "signatures": [],
-          "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581"
+          "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581"
         }
       ],
       "network.static.uri_path": [
         {
           "heur_id": 2,
           "signatures": [],
-          "value": "/test.php?eqhwvautjqdnpp=402536143433771534173581"
+          "value": "/test.php?eqhwvautjqdnpp=0180094100052510254173581"
         },
         {
           "heur_id": 2,
           "signatures": [],
-          "value": "/test.php?eqhwvautjqdnpp=88927095034910674173581"
+          "value": "/test.php?eqhwvautjqdnpp=148353615178769664173581"
         },
         {
           "heur_id": 2,
           "signatures": [],
-          "value": "/test.php?eqhwvautjqdnpp=92260338581876324173581"
+          "value": "/test.php?eqhwvautjqdnpp=186103112418377854173581"
         }
       ]
     },

diff --git a/tests/results/59eaf90e91b13fcb16f228d304ff863edab9665579c80b9a870447d476195d6c/result.json b/tests/results/59eaf90e91b13fcb16f228d304ff863edab9665579c80b9a870447d476195d6c/result.json
@@ -1,7 +1,7 @@
 {
   "extra": {
     "drop_file": false,
-    "score": 1563,
+    "score": 1562,
     "sections": [
       {
         "auto_collapse": false,
@@ -62,7 +62,7 @@
       },
       {
         "auto_collapse": false,
-        "body": "JavaScript creates an ActiveXObject\n\t\tActiveXObject(MSXML2.XMLHTTP)\n\t\tvar a0_0x56e24b=new ActiveXObject(a0_0x32782b('Vm^C',0x443)+a0_0x32782b('dPAd',0x43c))",
+        "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: MSXML2.XMLHTTP\n\t\tActiveXObject(MSXML2.XMLHTTP)\n\t\tvar a0_0x56e24b=new ActiveXObject(a0_0x32782b('Vm^C',0x443)+a0_0x32782b('dPAd',0x43c))",
         "body_config": {},
         "body_format": "TEXT",
         "classification": "TLP:C",
@@ -284,26 +284,6 @@
         "title_text": "URLs",
         "zeroize_on_tag_safe": false
       },
-      {
-        "auto_collapse": false,
-        "body": "\t\tAn unsafe statement was found: Function",
-        "body_config": {},
-        "body_format": "TEXT",
-        "classification": "TLP:C",
-        "depth": 0,
-        "heuristic": {
-          "attack_ids": [],
-          "frequency": 1,
-          "heur_id": 2,
-          "score": 1,
-          "score_map": {},
-          "signatures": {}
-        },
-        "promote_to": null,
-        "tags": {},
-        "title_text": "JS-X-Ray IOCs Detected",
-        "zeroize_on_tag_safe": false
-      },
       {
         "auto_collapse": false,
         "body": "View extracted file 59eaf90e91b13fcb16f228d304ff863edab9665579c80b9a870447d476195d6c.cleaned for details.",
@@ -353,11 +333,6 @@
         "heur_id": 2,
         "signatures": []
       },
-      {
-        "attack_ids": [],
-        "heur_id": 2,
-        "signatures": []
-      },
       {
         "attack_ids": [],
         "heur_id": 3,