diff --git a/tests/__init__.py b/tests/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json
index 654a8827..0f197a75 100644
--- a/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json
+++ b/tests/results/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/result.json
@@ -330,10 +330,6 @@
 {
 "name": "1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0.cleaned",
 "sha256": "a14f37dd914b4185314f4b9e53df2a22029d4d9db2d90c1e4b093e759c7f18a8"
- },
- {
- "name": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc",
- "sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc"
 }
 ],
 "supplementary": [
diff --git a/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json b/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json
index 5395d619..be07370a 100644
--- a/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json
+++ b/tests/results/2b26cd43aee8e79e808add3cebaa4902731b529274ef697c5ff9486c71a91b4d/result.json
@@ -231,10 +231,6 @@
 },
 "files": {
 "extracted": [
- {
- "name": "3fb5f6db21abb181956aeaf5bdeabfe8c711874d37ff77b20d8689318d3f9d7e",
- "sha256": "3fb5f6db21abb181956aeaf5bdeabfe8c711874d37ff77b20d8689318d3f9d7e"
- },
 {
 "name": "Blob[80]",
 "sha256": "d303c8ff0303b9f86867615e9e3d77323f9ba65c26d2856086bd3df4587fbf55"
diff --git a/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json b/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json
index 40d1175c..01090691 100644
--- a/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json
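Review bot: Both hunks here remove an entry from the `extracted` list of an expected-output fixture (the `dc7a6e43…` entry in the 1b61b16d… fixture and the `3fb5f6db…` entry in the 2b26cd43… fixture), which lowers what the service is checked to extract from these samples, and nothing on the page says why. In each case the removed entry's `name` equals its `sha256`, so this looks like a hash-named extracted blob that the new code no longer emits; that may be intended, but the same commit also drops findings in the 59eaf90e… and b2a12d57… fixtures further down, which is the profile of a blanket fixture regeneration absorbing regressions. If the drop is deliberate, state the reason in the commit description (e.g. `hash-named extracted blobs are no longer reported as extracted files`); otherwise keep the old expected output and treat the regenerated one as a failing test to investigate.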
+++ b/tests/results/40c70ac063d55e6fa83fd4fcb80f079b6a30e1cc1d91e030c4c8347ba3d978de/result.json @@ -254,27 +254,27 @@ "ioc_type": "domain" }, { - "ioc": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581", + "ioc": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581", "ioc_type": "uri" }, { - "ioc": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581", + "ioc": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581", "ioc_type": "uri" }, { - "ioc": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581", + "ioc": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581", "ioc_type": "uri" }, { - "ioc": "/test.php?eqhwvautjqdnpp=402536143433771534173581", + "ioc": "/test.php?eqhwvautjqdnpp=0180094100052510254173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?eqhwvautjqdnpp=88927095034910674173581", + "ioc": "/test.php?eqhwvautjqdnpp=148353615178769664173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?eqhwvautjqdnpp=92260338581876324173581", + "ioc": "/test.php?eqhwvautjqdnpp=186103112418377854173581", "ioc_type": "uri_path" } ], 
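Review bot: Every changed line in this hunk replaces only the leading digits of the `eqhwvautjqdnpp` query value while the trailing `4173581` survives in each URL, which suggests the URL carrying the `gootloader_url` signature is built from a nondeterministic component and this fixture will churn on every regeneration without any detection change behind it. The same substitution repeats through the remaining hunks of this file and in the 67eb5b14… and e826df2f… fixtures (`mhsctaxsmkzg` and `axkhpbmxwhmjuwt` respectively). Consider pinning whatever source of randomness the emulated script reaches under test, or normalising the variable part of the query before it is written into `tags` and `ioc` entries, so that a fixture diff only ever reflects a real change in what is extracted.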
@@ -306,14 +306,14 @@ "www.maghrebassurance.fr" ], "uri": [ - "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581", - "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581", - "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581" + "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581", + "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581", + "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581" ], "uri_path": [ - "/test.php?eqhwvautjqdnpp=402536143433771534173581", - "/test.php?eqhwvautjqdnpp=88927095034910674173581", - "/test.php?eqhwvautjqdnpp=92260338581876324173581" + "/test.php?eqhwvautjqdnpp=0180094100052510254173581", + "/test.php?eqhwvautjqdnpp=148353615178769664173581", + "/test.php?eqhwvautjqdnpp=186103112418377854173581" ] } } @@ -326,15 +326,15 @@ "body": [ { "method": "GET", - "url": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581" + "url": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581" }, { "method": "GET", - "url": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581" + "url": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581" }, { "method": "GET", - "url": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581" + "url": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581" } ], "body_config": { 
@@ -368,14 +368,14 @@ "www.macromixenlinea.com" ], "uri": [ - "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581", - "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581", - "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581" + "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581", + "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581", + "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581" ], "uri_path": [ - "/test.php?eqhwvautjqdnpp=402536143433771534173581", - "/test.php?eqhwvautjqdnpp=92260338581876324173581", - "/test.php?eqhwvautjqdnpp=88927095034910674173581" + "/test.php?eqhwvautjqdnpp=0180094100052510254173581", + "/test.php?eqhwvautjqdnpp=148353615178769664173581", + "/test.php?eqhwvautjqdnpp=186103112418377854173581" ] } } @@ -520,21 +520,21 @@ "signatures": [ "gootloader_url" ], - "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581" + "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581" + "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581" + "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581" } ], "network.dynamic.uri_path": [ 
@@ -543,21 +543,21 @@ "signatures": [ "gootloader_url" ], - "value": "/test.php?eqhwvautjqdnpp=402536143433771534173581" + "value": "/test.php?eqhwvautjqdnpp=0180094100052510254173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?eqhwvautjqdnpp=88927095034910674173581" + "value": "/test.php?eqhwvautjqdnpp=148353615178769664173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?eqhwvautjqdnpp=92260338581876324173581" + "value": "/test.php?eqhwvautjqdnpp=186103112418377854173581" } ], "network.static.domain": [ @@ -586,34 +586,34 @@ { "heur_id": 2, "signatures": [], - "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=92260338581876324173581" + "value": "https://www.ls1969.fr/test.php?eqhwvautjqdnpp=148353615178769664173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=88927095034910674173581" + "value": "https://www.macromixenlinea.com/test.php?eqhwvautjqdnpp=186103112418377854173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=402536143433771534173581" + "value": "https://www.maghrebassurance.fr/test.php?eqhwvautjqdnpp=0180094100052510254173581" } ], "network.static.uri_path": [ { "heur_id": 2, "signatures": [], - "value": "/test.php?eqhwvautjqdnpp=402536143433771534173581" + "value": "/test.php?eqhwvautjqdnpp=0180094100052510254173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?eqhwvautjqdnpp=88927095034910674173581" + "value": "/test.php?eqhwvautjqdnpp=148353615178769664173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?eqhwvautjqdnpp=92260338581876324173581" + "value": "/test.php?eqhwvautjqdnpp=186103112418377854173581" } ] }, 
diff --git a/tests/results/59eaf90e91b13fcb16f228d304ff863edab9665579c80b9a870447d476195d6c/result.json b/tests/results/59eaf90e91b13fcb16f228d304ff863edab9665579c80b9a870447d476195d6c/result.json
index 06014692..c71baac6 100644
--- a/tests/results/59eaf90e91b13fcb16f228d304ff863edab9665579c80b9a870447d476195d6c/result.json
+++ b/tests/results/59eaf90e91b13fcb16f228d304ff863edab9665579c80b9a870447d476195d6c/result.json
@@ -1,7 +1,7 @@
 {
 "extra": {
 "drop_file": false,
- "score": 1563,
+ "score": 1562,
 "sections": [
 {
 "auto_collapse": false,
@@ -62,7 +62,7 @@
 },
 {
 "auto_collapse": false,
- "body": "JavaScript creates an ActiveXObject\n\t\tActiveXObject(MSXML2.XMLHTTP)\n\t\tvar a0_0x56e24b=new ActiveXObject(a0_0x32782b('Vm^C',0x443)+a0_0x32782b('dPAd',0x43c))",
+ "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: MSXML2.XMLHTTP\n\t\tActiveXObject(MSXML2.XMLHTTP)\n\t\tvar a0_0x56e24b=new ActiveXObject(a0_0x32782b('Vm^C',0x443)+a0_0x32782b('dPAd',0x43c))",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
@@ -284,26 +284,6 @@
 "title_text": "URLs",
 "zeroize_on_tag_safe": false
 },
- {
- "auto_collapse": false,
- "body": "\t\tAn unsafe statement was found: Function",
- "body_config": {},
- "body_format": "TEXT",
- "classification": "TLP:C",
- "depth": 0,
- "heuristic": {
- "attack_ids": [],
- "frequency": 1,
- "heur_id": 2,
- "score": 1,
- "score_map": {},
- "signatures": {}
- },
- "promote_to": null,
- "tags": {},
- "title_text": "JS-X-Ray IOCs Detected",
- "zeroize_on_tag_safe": false
- },
 {
 "auto_collapse": false,
 "body": "View extracted file 59eaf90e91b13fcb16f228d304ff863edab9665579c80b9a870447d476195d6c.cleaned for details.",
@@ -353,11 +333,6 @@
 "heur_id": 2,
 "signatures": []
 },
- {
- "attack_ids": [],
- "heur_id": 2,
- "signatures": []
- },
 {
 "attack_ids": [],
 "heur_id": 3,
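Review bot: The new `body` in the `@@ -62,7` hunk reports the same object twice, once as `New ActiveXObject: MSXML2.XMLHTTP` and again as `ActiveXObject(MSXML2.XMLHTTP)` on the very next line, so the section now states one finding in two formats and the fixture is locking that duplication in. If both emitters are meant to remain, the section body should be de-duplicated at the source rather than accepted as expected output. Separately, the `@@ -284,26` hunk drops the JS-X-Ray `An unsafe statement was found: Function` section together with its heuristic entry in `@@ -353,11` (score 1563 → 1562), and nothing on the page says that finding is no longer expected for this sample; confirm this is an intended change and not a regression captured by regenerating fixtures.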
diff --git a/tests/results/67eb5b143270f50973f89cc44204c74497ed59a68ece5edb4300e05329f2fdfc/result.json b/tests/results/67eb5b143270f50973f89cc44204c74497ed59a68ece5edb4300e05329f2fdfc/result.json index 49c41b99..4cb00efb 100644 --- a/tests/results/67eb5b143270f50973f89cc44204c74497ed59a68ece5edb4300e05329f2fdfc/result.json +++ b/tests/results/67eb5b143270f50973f89cc44204c74497ed59a68ece5edb4300e05329f2fdfc/result.json @@ -254,27 +254,27 @@ "ioc_type": "domain" }, { - "ioc": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=62322887284989544173581", + "ioc": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=439833284187109544173581", "ioc_type": "uri" }, { - "ioc": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=37804277527256084173581", + "ioc": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=077161677580135594173581", "ioc_type": "uri" }, { - "ioc": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=34925214178245014173581", + "ioc": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=45122065224627144173581", "ioc_type": "uri" }, { - "ioc": "/test.php?mhsctaxsmkzg=34925214178245014173581", + "ioc": "/test.php?mhsctaxsmkzg=077161677580135594173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?mhsctaxsmkzg=37804277527256084173581", + "ioc": "/test.php?mhsctaxsmkzg=439833284187109544173581", "ioc_type": "uri_path" }, { - "ioc": "/test.php?mhsctaxsmkzg=62322887284989544173581", + "ioc": "/test.php?mhsctaxsmkzg=45122065224627144173581", "ioc_type": "uri_path" } ], 
@@ -306,14 +306,14 @@ "www.lohevisto.com" ], "uri": [ - "https://www.liparicasa.it/test.php?mhsctaxsmkzg=62322887284989544173581", - "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=37804277527256084173581", - "https://www.lohevisto.com/test.php?mhsctaxsmkzg=34925214178245014173581" + "https://www.liparicasa.it/test.php?mhsctaxsmkzg=439833284187109544173581", + "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=077161677580135594173581", + "https://www.lohevisto.com/test.php?mhsctaxsmkzg=45122065224627144173581" ], "uri_path": [ - "/test.php?mhsctaxsmkzg=34925214178245014173581", - "/test.php?mhsctaxsmkzg=37804277527256084173581", - "/test.php?mhsctaxsmkzg=62322887284989544173581" + "/test.php?mhsctaxsmkzg=077161677580135594173581", + "/test.php?mhsctaxsmkzg=439833284187109544173581", + "/test.php?mhsctaxsmkzg=45122065224627144173581" ] } } @@ -326,15 +326,15 @@ "body": [ { "method": "GET", - "url": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=34925214178245014173581" + "url": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=45122065224627144173581" }, { "method": "GET", - "url": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=62322887284989544173581" + "url": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=439833284187109544173581" }, { "method": "GET", - "url": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=37804277527256084173581" + "url": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=077161677580135594173581" } ], "body_config": { 
@@ -368,14 +368,14 @@ "www.location-atelier-garage.com" ], "uri": [ - "https://www.lohevisto.com/test.php?mhsctaxsmkzg=34925214178245014173581", - "https://www.liparicasa.it/test.php?mhsctaxsmkzg=62322887284989544173581", - "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=37804277527256084173581" + "https://www.lohevisto.com/test.php?mhsctaxsmkzg=45122065224627144173581", + "https://www.liparicasa.it/test.php?mhsctaxsmkzg=439833284187109544173581", + "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=077161677580135594173581" ], "uri_path": [ - "/test.php?mhsctaxsmkzg=34925214178245014173581", - "/test.php?mhsctaxsmkzg=62322887284989544173581", - "/test.php?mhsctaxsmkzg=37804277527256084173581" + "/test.php?mhsctaxsmkzg=45122065224627144173581", + "/test.php?mhsctaxsmkzg=439833284187109544173581", + "/test.php?mhsctaxsmkzg=077161677580135594173581" ] } } @@ -520,21 +520,21 @@ "signatures": [ "gootloader_url" ], - "value": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=62322887284989544173581" + "value": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=439833284187109544173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=37804277527256084173581" + "value": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=077161677580135594173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=34925214178245014173581" + "value": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=45122065224627144173581" } ], "network.dynamic.uri_path": [ 
@@ -543,21 +543,21 @@ "signatures": [ "gootloader_url" ], - "value": "/test.php?mhsctaxsmkzg=34925214178245014173581" + "value": "/test.php?mhsctaxsmkzg=077161677580135594173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?mhsctaxsmkzg=37804277527256084173581" + "value": "/test.php?mhsctaxsmkzg=439833284187109544173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "/test.php?mhsctaxsmkzg=62322887284989544173581" + "value": "/test.php?mhsctaxsmkzg=45122065224627144173581" } ], "network.static.domain": [ @@ -586,34 +586,34 @@ { "heur_id": 2, "signatures": [], - "value": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=62322887284989544173581" + "value": "https://www.liparicasa.it/test.php?mhsctaxsmkzg=439833284187109544173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=37804277527256084173581" + "value": "https://www.location-atelier-garage.com/test.php?mhsctaxsmkzg=077161677580135594173581" }, { "heur_id": 2, "signatures": [], - "value": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=34925214178245014173581" + "value": "https://www.lohevisto.com/test.php?mhsctaxsmkzg=45122065224627144173581" } ], "network.static.uri_path": [ { "heur_id": 2, "signatures": [], - "value": "/test.php?mhsctaxsmkzg=34925214178245014173581" + "value": "/test.php?mhsctaxsmkzg=077161677580135594173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?mhsctaxsmkzg=37804277527256084173581" + "value": "/test.php?mhsctaxsmkzg=439833284187109544173581" }, { "heur_id": 2, "signatures": [], - "value": "/test.php?mhsctaxsmkzg=62322887284989544173581" + "value": "/test.php?mhsctaxsmkzg=45122065224627144173581" } ] }, diff --git a/tests/results/b2a12d57e3eae64cfa1e628036f3b62fcb76bbb4ec0e337adc37d70d2130ab28/result.json b/tests/results/b2a12d57e3eae64cfa1e628036f3b62fcb76bbb4ec0e337adc37d70d2130ab28/result.json index 486c6c2d..70d84b04 100644 
--- a/tests/results/b2a12d57e3eae64cfa1e628036f3b62fcb76bbb4ec0e337adc37d70d2130ab28/result.json
+++ b/tests/results/b2a12d57e3eae64cfa1e628036f3b62fcb76bbb4ec0e337adc37d70d2130ab28/result.json
@@ -1,7 +1,7 @@
 {
 "extra": {
 "drop_file": false,
- "score": 563,
+ "score": 540,
 "sections": [
 {
 "auto_collapse": false,
@@ -16,30 +16,6 @@
 "title_text": "Signatures",
 "zeroize_on_tag_safe": false
 },
- {
- "auto_collapse": false,
- "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: MSXML2.XMLHTTP\n\t\tNew ActiveXObject: WScript.Shell\n\t\tNew ActiveXObject: ADODB.Stream\n\t\tNew ActiveXObject: Shell.Application",
- "body_config": {},
- "body_format": "TEXT",
- "classification": "TLP:C",
- "depth": 1,
- "heuristic": {
- "attack_ids": [],
- "frequency": 1,
- "heur_id": 3,
- "score": 10,
- "score_map": {
- "active_x_object": 10
- },
- "signatures": {
- "active_x_object": 1
- }
- },
- "promote_to": null,
- "tags": {},
- "title_text": "Signature: ActiveXObject",
- "zeroize_on_tag_safe": false
- },
 {
 "auto_collapse": false,
 "body": "JavaScript encodes a Uniform Resource Identifier\n\t\treturn window.btoa(unescape(encodeURIComponent(str)))",
@@ -88,30 +64,6 @@
 "title_text": "Signature: ParseIntUsage",
 "zeroize_on_tag_safe": false
 },
- {
- "auto_collapse": false,
- "body": "JavaScript writes data to disk\n\t\tScript called ADODBStream.savetofile",
- "body_config": {},
- "body_format": "TEXT",
- "classification": "TLP:C",
- "depth": 1,
- "heuristic": {
- "attack_ids": [],
- "frequency": 1,
- "heur_id": 3,
- "score": 10,
- "score_map": {
- "save_to_file": 10
- },
- "signatures": {
- "save_to_file": 1
- }
- },
- "promote_to": null,
- "tags": {},
- "title_text": "Signature: SaveToFile",
- "zeroize_on_tag_safe": false
- },
 {
 "auto_collapse": false,
 "body": "JavaScript uses charCodeAt/fromCharCode to obfuscate/de-obfuscate characters\n\t\tvar char = String.fromCharCode(i + 32)\n\t\tvar size = (mapStr.charCodeAt(i) - OFFSET) / SCALE",
@@ -183,115 +135,6 @@ "tags": {}, "title_text": "Signature: Unescape", "zeroize_on_tag_safe": false - }, - { - "auto_collapse": false, - "body": null, - "body_config": {}, - "body_format": "TEXT", - "classification": "TLP:C", - "depth": 0, - "heuristic": { - "attack_ids": [], - "frequency": 1, - "heur_id": 2, - "score": 1, - "score_map": {}, - "signatures": {} - }, - "promote_to": null, - "tags": {}, - "title_text": "IOCs extracted by Box.js", - "zeroize_on_tag_safe": false - }, - { - "auto_collapse": false, - "body": "C://ProgramData//CCleaner1.zip", - "body_config": {}, - "body_format": "TEXT", - "classification": "TLP:C", - "depth": 1, - "heuristic": null, - "promote_to": null, - "tags": { - "dynamic": { - "process": { - "file_name": [ - "C://ProgramData//CCleaner1.zip" - ] - } - } - }, - "title_text": "The script wrote the following files", - "zeroize_on_tag_safe": false - }, - { - "auto_collapse": false, - "body": [ - { - "method": [ - "GET" - ], - "request_headers": {}, - "url": "https://lilygovert91.top/CCleaner2.zip" - } - ], - "body_config": { - "column_order": [ - "url", - "method", - "request_headers" - ] - }, - "body_format": "TABLE", - "classification": "TLP:C", - "depth": 0, - "heuristic": { - "attack_ids": [], - "frequency": 1, - "heur_id": 1, - "score": 1, - "score_map": {}, - "signatures": {} - }, - "promote_to": null, - "tags": { - "network": { - "dynamic": { - "domain": [ - "lilygovert91.top" - ], - "uri": [ - "https://lilygovert91.top/CCleaner2.zip" - ], - "uri_path": [ - "/CCleaner2.zip" - ] - } - } - }, - "title_text": "URLs", - "zeroize_on_tag_safe": false - }, - { - "auto_collapse": false, - "body": "\t\tObfuscated code was found that was obfuscated by: morse", - "body_config": {}, - "body_format": "TEXT", - "classification": "TLP:C", - "depth": 0, - "heuristic": { - "attack_ids": [], - "frequency": 1, - "heur_id": 2, - "score": 1, - "score_map": {}, - "signatures": {} - }, - "promote_to": null, - "tags": {}, - "title_text": "JS-X-Ray IOCs 
Detected",
- "zeroize_on_tag_safe": false
 }
 ]
 },
@@ -301,28 +144,6 @@
 },
 "results": {
 "heuristics": [
- {
- "attack_ids": [],
- "heur_id": 1,
- "signatures": []
- },
- {
- "attack_ids": [],
- "heur_id": 2,
- "signatures": []
- },
- {
- "attack_ids": [],
- "heur_id": 2,
- "signatures": []
- },
- {
- "attack_ids": [],
- "heur_id": 3,
- "signatures": [
- "active_x_object"
- ]
- },
 {
 "attack_ids": [],
 "heur_id": 3,
@@ -337,13 +158,6 @@
 "parseint_usage"
 ]
 },
- {
- "attack_ids": [],
- "heur_id": 3,
- "signatures": [
- "save_to_file"
- ]
- },
 {
 "attack_ids": [],
 "heur_id": 3,
@@ -366,36 +180,7 @@
 ]
 }
 ],
- "tags": {
- "dynamic.process.file_name": [
- {
- "heur_id": null,
- "signatures": [],
- "value": "C://ProgramData//CCleaner1.zip"
- }
- ],
- "network.dynamic.domain": [
- {
- "heur_id": 1,
- "signatures": [],
- "value": "lilygovert91.top"
- }
- ],
- "network.dynamic.uri": [
- {
- "heur_id": 1,
- "signatures": [],
- "value": "https://lilygovert91.top/CCleaner2.zip"
- }
- ],
- "network.dynamic.uri_path": [
- {
- "heur_id": 1,
- "signatures": [],
- "value": "/CCleaner2.zip"
- }
- ]
- },
+ "tags": {},
 "temp_submission_data": {}
 }
 }
\ No newline at end of file
diff --git a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json
index 60f2d4e5..55c8b8ce 100644
--- a/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json
+++ b/tests/results/b86808fa91902548e429018297f01d9ae76b319fb192fc095e8d40e6aaed71c4/result.json
@@ -471,6 +471,19 @@
 "084a8a9aa8cced9175bd07bc44998e75"
 ]
 }
+ },
+ "network": {
+ "static": {
+ "ip": [
+ "139.99.117.17"
+ ],
+ "uri": [
+ "http://139.99.117.17/68597.dat"
+ ],
+ "uri_path": [
+ "/68597.dat"
+ ]
+ }
 }
 },
 "title_text": "JS-X-Ray IOCs Detected",
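Review bot: This fixture now expects none of the sample's dynamic findings: the `@@ -183,115` hunk removes the Box.js IOC section, the `C://ProgramData//CCleaner1.zip` file write, the `https://lilygovert91.top/CCleaner2.zip` request table and the morse-obfuscation note, the `@@ -16,30` and `@@ -88,30` hunks drop the ActiveXObject and SaveToFile signatures, and the `@@ -366,36` hunk collapses `tags` to `{}` with the score falling from 563 to 540. A script that previously wrote a file, fetched a second payload and instantiated `ADODB.Stream`/`WScript.Shell` and now produces no dynamic evidence at all looks like a sample that has stopped executing under emulation rather than a detection improvement, and nothing on the page explains the change. Unless the commit description states that this sample is meant to stop running (a tool or emulator change, for instance), keep the previous expected output and treat the regenerated one as a failing test to investigate before merging.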
@@ -635,6 +648,11 @@
 ],
 "value": "139.99.117.17"
 },
+ {
+ "heur_id": 2,
+ "signatures": [],
+ "value": "139.99.117.17"
+ },
 {
 "heur_id": 2,
 "signatures": [],
@@ -654,6 +672,11 @@
 "signatures": [],
 "value": "http://139.99.117.17/68597.dat"
 },
+ {
+ "heur_id": 2,
+ "signatures": [],
+ "value": "http://139.99.117.17/68597.dat"
+ },
 {
 "heur_id": 2,
 "signatures": [],
@@ -668,6 +691,11 @@
 ],
 "value": "/68597.dat"
 },
+ {
+ "heur_id": 2,
+ "signatures": [],
+ "value": "/68597.dat"
+ },
 {
 "heur_id": 2,
 "signatures": [],
diff --git a/tests/results/b96949f50cf1cf7e6abe4c3e1d77902e694b1098a57619e68bfe7afb5aa1c19d/result.json b/tests/results/b96949f50cf1cf7e6abe4c3e1d77902e694b1098a57619e68bfe7afb5aa1c19d/result.json
index 38274b9f..fe18930b 100644
--- a/tests/results/b96949f50cf1cf7e6abe4c3e1d77902e694b1098a57619e68bfe7afb5aa1c19d/result.json
+++ b/tests/results/b96949f50cf1cf7e6abe4c3e1d77902e694b1098a57619e68bfe7afb5aa1c19d/result.json
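Review bot: Each of the three hunks here inserts a tag entry (`"heur_id": 2`, `"signatures": []`, same `value`) directly before a context entry that, as far as the visible lines show, has the same `heur_id` and empty `signatures`, so `network.static.ip`, `network.static.uri` and `network.static.uri_path` each appear to carry `139.99.117.17`, `http://139.99.117.17/68597.dat` and `/68597.dat` twice under the same heuristic. Read together with the `@@ -471` hunk, which adds the same three values to the JS-X-Ray section's own `tags`, this looks like the new code tagging one IOC from two places without de-duplicating, which would inflate tag counts downstream. Tag values should be collapsed per heuristic before they are written out, and this fixture regenerated from that, rather than accepting the duplicates as expected output.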
@@ -281,7 +281,7 @@ }, { "auto_collapse": false, - "body": "The prefix '_0x' in names of variables and functions suggests that obfuscated code exists\n\t\t_0x270c40[_0x4b1197(...)] is not a function\n\t\tHTMLFormElement[18].innerText = (string) 'Payment-notice.xls Microsoft Excel File This document...\n\t\tconst _0x4b1197=_0x5dbe75;function _0x303a0c(){function _0x53811e(_0x38f68c,_0x2d883e){return _0x31b...\n\t\tdocument[6].addEventListener(click, _0x186426)\n\t\tRunning function _0x186426([object Object])\n\t\tlogin_form6vstsa7g7dnohpt5hszsc4_jsjaws.innerText = \"Payment-notice.xls Microsoft Excel File Th...\n\t\tfunction _0x303a0c(){function _0x53811e(_0x38f68c,_0x2d883e){return _0x31bf(_0x38f68c-'0x2e6',_0x2d8...\n\t\t}function _0x1ae974(_0x277982,_0x3f26cb){return _0x49e1(_0x3f26cb-'0x1b1',_0x277982)\n\t\t}const _0x4de4bd=[_0x501dfe('B$lB',-'0x26'),_0x501dfe('6YpM',-'0xa'),_0x53811e('0x50d','0x520'),_0x5...\n\t\t_0x303a0c=function(){function _0x7d723c(_0x74702d,_0x460db6){return _0x501dfe(_0x460db6,_0x74702d-'0...\n\t\t[102 Mark(s) Truncated]", + "body": "The prefix '_0x' in names of variables and functions suggests that obfuscated code exists\n\t\t_0x3f6b1e[_0xf4f74d(...)] is not a function\n\t\tHTMLFormElement[18].innerText = (string) 'Payment-notice.xls Microsoft Excel File This document...\n\t\tconst _0x4b1197=_0x5dbe75;function _0x303a0c(){function _0x53811e(_0x38f68c,_0x2d883e){return _0x31b...\n\t\tdocument[6].addEventListener(click, _0x186426)\n\t\tRunning function _0x186426([object Object])\n\t\tlogin_form6vstsa7g7dnohpt5hszsc4_jsjaws.innerText = \"Payment-notice.xls Microsoft Excel File Th...\n\t\tfunction _0x303a0c(){function _0x53811e(_0x38f68c,_0x2d883e){return _0x31bf(_0x38f68c-'0x2e6',_0x2d8...\n\t\t}function _0x1ae974(_0x277982,_0x3f26cb){return _0x49e1(_0x3f26cb-'0x1b1',_0x277982)\n\t\t}const _0x4de4bd=[_0x501dfe('B$lB',-'0x26'),_0x501dfe('6YpM',-'0xa'),_0x53811e('0x50d','0x520'),_0x5...\n\t\t_0x303a0c=function(){function 
_0x7d723c(_0x74702d,_0x460db6){return _0x501dfe(_0x460db6,_0x74702d-'0...\n\t\t[102 Mark(s) Truncated]", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/e826df2ff2104f8fe4e968ce85ea3530f03236d28e3af0efe6f3dd4e28b4fb85/result.json b/tests/results/e826df2ff2104f8fe4e968ce85ea3530f03236d28e3af0efe6f3dd4e28b4fb85/result.json index b782fd14..a00e85e8 100644 --- a/tests/results/e826df2ff2104f8fe4e968ce85ea3530f03236d28e3af0efe6f3dd4e28b4fb85/result.json +++ b/tests/results/e826df2ff2104f8fe4e968ce85ea3530f03236d28e3af0efe6f3dd4e28b4fb85/result.json @@ -254,27 +254,27 @@ "ioc_type": "domain" }, { - "ioc": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581", + "ioc": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=9251403045648554173581", "ioc_type": "uri" }, { - "ioc": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=83015716210956714173581", + "ioc": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=85992707432009694173581", "ioc_type": "uri" }, { - "ioc": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=68216817063525744173581", + "ioc": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=425188798706796164173581", "ioc_type": "uri" }, { - "ioc": "/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581", + "ioc": "/xml.php?axkhpbmxwhmjuwt=425188798706796164173581", "ioc_type": "uri_path" }, { - "ioc": "/xml.php?axkhpbmxwhmjuwt=68216817063525744173581", + "ioc": "/xml.php?axkhpbmxwhmjuwt=85992707432009694173581", "ioc_type": "uri_path" }, { - "ioc": "/xml.php?axkhpbmxwhmjuwt=83015716210956714173581", + "ioc": "/xml.php?axkhpbmxwhmjuwt=9251403045648554173581", "ioc_type": "uri_path" } ], 
@@ -306,14 +306,14 @@ "www.travelettes.net" ], "uri": [ - "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581", - "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=83015716210956714173581", - "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=68216817063525744173581" + "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=9251403045648554173581", + "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=85992707432009694173581", + "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=425188798706796164173581" ], "uri_path": [ - "/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581", - "/xml.php?axkhpbmxwhmjuwt=68216817063525744173581", - "/xml.php?axkhpbmxwhmjuwt=83015716210956714173581" + "/xml.php?axkhpbmxwhmjuwt=425188798706796164173581", + "/xml.php?axkhpbmxwhmjuwt=85992707432009694173581", + "/xml.php?axkhpbmxwhmjuwt=9251403045648554173581" ] } } @@ -326,15 +326,15 @@ "body": [ { "method": "GET", - "url": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=68216817063525744173581" + "url": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=425188798706796164173581" }, { "method": "GET", - "url": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=83015716210956714173581" + "url": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=85992707432009694173581" }, { "method": "GET", - "url": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581" + "url": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=9251403045648554173581" } ], "body_config": { 
@@ -368,14 +368,14 @@ "www.thomadaneau.com" ], "uri": [ - "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=68216817063525744173581", - "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=83015716210956714173581", - "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581" + "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=425188798706796164173581", + "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=85992707432009694173581", + "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=9251403045648554173581" ], "uri_path": [ - "/xml.php?axkhpbmxwhmjuwt=68216817063525744173581", - "/xml.php?axkhpbmxwhmjuwt=83015716210956714173581", - "/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581" + "/xml.php?axkhpbmxwhmjuwt=425188798706796164173581", + "/xml.php?axkhpbmxwhmjuwt=85992707432009694173581", + "/xml.php?axkhpbmxwhmjuwt=9251403045648554173581" ] } } @@ -520,21 +520,21 @@ "signatures": [ "gootloader_url" ], - "value": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581" + "value": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=9251403045648554173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=83015716210956714173581" + "value": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=85992707432009694173581" }, { "heur_id": 1, "signatures": [ "gootloader_url" ], - "value": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=68216817063525744173581" + "value": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=425188798706796164173581" } ], "network.dynamic.uri_path": [ 
@@ -543,21 +543,21 @@
 "signatures": [
 "gootloader_url"
 ],
- "value": "/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581"
+ "value": "/xml.php?axkhpbmxwhmjuwt=425188798706796164173581"
 },
 {
 "heur_id": 1,
 "signatures": [
 "gootloader_url"
 ],
- "value": "/xml.php?axkhpbmxwhmjuwt=68216817063525744173581"
+ "value": "/xml.php?axkhpbmxwhmjuwt=85992707432009694173581"
 },
 {
 "heur_id": 1,
 "signatures": [
 "gootloader_url"
 ],
- "value": "/xml.php?axkhpbmxwhmjuwt=83015716210956714173581"
+ "value": "/xml.php?axkhpbmxwhmjuwt=9251403045648554173581"
 }
 ],
 "network.static.domain": [
@@ -586,34 +586,34 @@
 {
 "heur_id": 2,
 "signatures": [],
- "value": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581"
+ "value": "https://www.thomadaneau.com/xml.php?axkhpbmxwhmjuwt=9251403045648554173581"
 },
 {
 "heur_id": 2,
 "signatures": [],
- "value": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=83015716210956714173581"
+ "value": "https://www.tokyo-hi-vision.com/xml.php?axkhpbmxwhmjuwt=85992707432009694173581"
 },
 {
 "heur_id": 2,
 "signatures": [],
- "value": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=68216817063525744173581"
+ "value": "https://www.travelettes.net/xml.php?axkhpbmxwhmjuwt=425188798706796164173581"
 }
 ],
 "network.static.uri_path": [
 {
 "heur_id": 2,
 "signatures": [],
- "value": "/xml.php?axkhpbmxwhmjuwt=0599240611494411554173581"
+ "value": "/xml.php?axkhpbmxwhmjuwt=425188798706796164173581"
 },
 {
 "heur_id": 2,
 "signatures": [],
- "value": "/xml.php?axkhpbmxwhmjuwt=68216817063525744173581"
+ "value": "/xml.php?axkhpbmxwhmjuwt=85992707432009694173581"
 },
 {
 "heur_id": 2,
 "signatures": [],
- "value": "/xml.php?axkhpbmxwhmjuwt=83015716210956714173581"
+ "value": "/xml.php?axkhpbmxwhmjuwt=9251403045648554173581"
 }
 ]
 },
diff --git a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json
index d5f4d1dc..6d3b447f 100644
--- a/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json
+++ b/tests/results/f0a00d22892a3885f4c041e919ee872a3da5d84fe04700e1c3507f22af70ab3d/result.json
@@ -471,6 +471,19 @@
 "5cd5058bca53951ffa7801bcdf421651"
 ]
 }
+ },
+ "network": {
+ "static": {
+ "ip": [
+ "103.214.71.45"
+ ],
+ "uri": [
+ "http://103.214.71.45/86204.dat"
+ ],
+ "uri_path": [
+ "/86204.dat"
+ ]
+ }
 }
 },
 "title_text": "JS-X-Ray IOCs Detected",
@@ -635,6 +648,11 @@
 ],
 "value": "103.214.71.45"
 },
+ {
+ "heur_id": 2,
+ "signatures": [],
+ "value": "103.214.71.45"
+ },
 {
 "heur_id": 2,
 "signatures": [],
@@ -654,6 +672,11 @@
 "signatures": [],
 "value": "http://103.214.71.45/86204.dat"
 },
+ {
+ "heur_id": 2,
+ "signatures": [],
+ "value": "http://103.214.71.45/86204.dat"
+ },
 {
 "heur_id": 2,
 "signatures": [],
@@ -668,6 +691,11 @@
 ],
 "value": "/86204.dat"
 },
+ {
+ "heur_id": 2,
+ "signatures": [],
+ "value": "/86204.dat"
+ },
 {
 "heur_id": 2,
 "signatures": [],
diff --git a/tests/results/f4d25238bce7b3f1718dbe2c1ec73a9b56b221b2aeff2fb9c96afa98fa67ee1e/result.json b/tests/results/f4d25238bce7b3f1718dbe2c1ec73a9b56b221b2aeff2fb9c96afa98fa67ee1e/result.json
index f564f442..a4d1dc57 100644
--- a/tests/results/f4d25238bce7b3f1718dbe2c1ec73a9b56b221b2aeff2fb9c96afa98fa67ee1e/result.json
+++ b/tests/results/f4d25238bce7b3f1718dbe2c1ec73a9b56b221b2aeff2fb9c96afa98fa67ee1e/result.json
@@ -38,7 +38,7 @@
 },
 {
 "auto_collapse": false,
- "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: WScript.Shell\n\t\tNew ActiveXObject: System.IO.MemoryStream\n\t\tUnknown ActiveXObject system.io.memorystream\n\t\tActiveXObject(WScript.Shell)\n\t\tActiveXObject(System.IO.MemoryStream)\n\t\tActiveXObject(System.Runtime.Serialization.Formatters.Binary.BinaryFormatter)\n\t\tActiveXObject(System.Collections.ArrayList)",
+ "body": "JavaScript creates an ActiveXObject\n\t\tNew ActiveXObject: WScript.Shell\n\t\tNew ActiveXObject: System.IO.MemoryStream\n\t\tActiveXObject(WScript.Shell)\n\t\tActiveXObject(System.IO.MemoryStream)\n\t\tActiveXObject(System.Runtime.Serialization.Formatters.Binary.BinaryFormatter)\n\t\tActiveXObject(System.Collections.ArrayList)",
 "body_config": {},
 "body_format": "TEXT",
 "classification": "TLP:C",
@@ -110,7 +110,7 @@ }, { "auto_collapse": false, - "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\tNew ActiveXObject: System.IO.MemoryStream\n\t\tUnknown ActiveXObject system.io.memorystream\n\t\tActiveXObject(System.IO.MemoryStream)\n\t\tWScript.CreateObject(\"System.IO.MemoryStream\")\n\t\tnew System.IO.MemoryStream[13]()\n\t\tSystem.IO.MemoryStream[13].WriteByte()\n\t\tSystem.IO.MemoryStream[13].Position = 0\n\t\tSystem.IO.MemoryStream[13].toString()\n\t\t> System.IO.MemoryStream[13]\n\t\tSystem.Runtime.Serialization.Formatters.Binary.BinaryFormatter[14].Deserialize_2(System.IO.MemoryStr...\n\t\tnew Delegate[16](System.IO.MemoryStream[13], undefined)(System.IO.MemoryStream[13])\n\t\tDelegate[16](System.IO.MemoryStream[13], undefined).toString()\n\t\t> Delegate[16](System.IO.MemoryStream[13], undefined)\n\t\tDelegate[16](System.IO.MemoryStream[13], undefined).0 => [0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 0...\n\t\tDelegate[16](System.IO.MemoryStream[13], undefined).DynamicInvoke([0, 1, 0, 0, 0, 255, 255, 255, 255...", + "body": "JavaScript uses a MemoryStream object to manipulate memory\n\t\tNew ActiveXObject: System.IO.MemoryStream\n\t\tSystem.IO.MemoryStream.WriteByte not implemented!\n\t\tActiveXObject(System.IO.MemoryStream)\n\t\tWScript.CreateObject(\"System.IO.MemoryStream\")\n\t\tnew System.IO.MemoryStream[13]()\n\t\tSystem.IO.MemoryStream[13].WriteByte()\n\t\tSystem.IO.MemoryStream[13].Position = 0\n\t\tSystem.IO.MemoryStream[13].toString()\n\t\t> System.IO.MemoryStream[13]\n\t\tSystem.Runtime.Serialization.Formatters.Binary.BinaryFormatter[14].Deserialize_2(System.IO.MemoryStr...\n\t\tnew Delegate[16](System.IO.MemoryStream[13], undefined)(System.IO.MemoryStream[13])\n\t\tDelegate[16](System.IO.MemoryStream[13], undefined).toString()\n\t\t> Delegate[16](System.IO.MemoryStream[13], undefined)\n\t\tDelegate[16](System.IO.MemoryStream[13], undefined).0 => [0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 
0...\n\t\tDelegate[16](System.IO.MemoryStream[13], undefined).DynamicInvoke([0, 1, 0, 0, 0, 255, 255, 255, 255...", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/fdb599ee616fa643820cfaeb9afe561fe5915447ccc80f7d63d85573f0440237/result.json b/tests/results/fdb599ee616fa643820cfaeb9afe561fe5915447ccc80f7d63d85573f0440237/result.json index 1d3b8e1b..642fc000 100644 --- a/tests/results/fdb599ee616fa643820cfaeb9afe561fe5915447ccc80f7d63d85573f0440237/result.json +++ b/tests/results/fdb599ee616fa643820cfaeb9afe561fe5915447ccc80f7d63d85573f0440237/result.json @@ -272,10 +272,6 @@ { "name": "fdb599ee616fa643820cfaeb9afe561fe5915447ccc80f7d63d85573f0440237.cleaned", "sha256": "153b3e0785599c169f576625125bd4a21f19eb140744241ca5e4998becff3ed0" - }, - { - "name": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc", - "sha256": "dc7a6e43134675e424d383d96caa04a04e20e1501fbaefb97cfb8580602eeccc" } ], "supplementary": [] diff --git a/tests/results/fe988f34d74e1f975a872876f002b85ab55181e58d15de7a5d93e01adcf4b62f/result.json b/tests/results/fe988f34d74e1f975a872876f002b85ab55181e58d15de7a5d93e01adcf4b62f/result.json index 8210df56..b8090e27 100644 --- a/tests/results/fe988f34d74e1f975a872876f002b85ab55181e58d15de7a5d93e01adcf4b62f/result.json +++ b/tests/results/fe988f34d74e1f975a872876f002b85ab55181e58d15de7a5d93e01adcf4b62f/result.json 
@@ -254,27 +254,27 @@
 "ioc_type": "domain"
 },
 {
- "ioc": "https://www.lovlr.com/test.php?tfognzsagssntu=476607271236990654173581",
+ "ioc": "https://www.lovlr.com/test.php?tfognzsagssntu=62017306330001044173581",
 "ioc_type": "uri"
 },
 {
- "ioc": "https://www.lukeamiller.net/test.php?tfognzsagssntu=18680958474488344173581",
+ "ioc": "https://www.lukeamiller.net/test.php?tfognzsagssntu=8365680894171074173581",
 "ioc_type": "uri"
 },
 {
- "ioc": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=20836692376602554173581",
+ "ioc": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=54926734707489064173581",
 "ioc_type": "uri"
 },
 {
- "ioc": "/test.php?tfognzsagssntu=18680958474488344173581",
+ "ioc": "/test.php?tfognzsagssntu=54926734707489064173581",
 "ioc_type": "uri_path"
 },
 {
- "ioc": "/test.php?tfognzsagssntu=20836692376602554173581",
+ "ioc": "/test.php?tfognzsagssntu=62017306330001044173581",
 "ioc_type": "uri_path"
 },
 {
- "ioc": "/test.php?tfognzsagssntu=476607271236990654173581",
+ "ioc": "/test.php?tfognzsagssntu=8365680894171074173581",
 "ioc_type": "uri_path"
 }
 ],
@@ -306,14 +306,14 @@
 "www.macromixenlinea.com"
 ],
 "uri": [
- "https://www.lovlr.com/test.php?tfognzsagssntu=476607271236990654173581",
- "https://www.lukeamiller.net/test.php?tfognzsagssntu=18680958474488344173581",
- "https://www.macromixenlinea.com/test.php?tfognzsagssntu=20836692376602554173581"
+ "https://www.lovlr.com/test.php?tfognzsagssntu=62017306330001044173581",
+ "https://www.lukeamiller.net/test.php?tfognzsagssntu=8365680894171074173581",
+ "https://www.macromixenlinea.com/test.php?tfognzsagssntu=54926734707489064173581"
 ],
 "uri_path": [
- "/test.php?tfognzsagssntu=18680958474488344173581",
- "/test.php?tfognzsagssntu=20836692376602554173581",
- "/test.php?tfognzsagssntu=476607271236990654173581"
+ "/test.php?tfognzsagssntu=54926734707489064173581",
+ "/test.php?tfognzsagssntu=62017306330001044173581",
+ "/test.php?tfognzsagssntu=8365680894171074173581"
 ]
 }
 }
@@ -326,15 +326,15 @@
 "body": [
 {
 "method": "GET",
- "url": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=20836692376602554173581"
+ "url": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=54926734707489064173581"
 },
 {
 "method": "GET",
- "url": "https://www.lovlr.com/test.php?tfognzsagssntu=476607271236990654173581"
+ "url": "https://www.lovlr.com/test.php?tfognzsagssntu=62017306330001044173581"
 },
 {
 "method": "GET",
- "url": "https://www.lukeamiller.net/test.php?tfognzsagssntu=18680958474488344173581"
+ "url": "https://www.lukeamiller.net/test.php?tfognzsagssntu=8365680894171074173581"
 }
 ],
 "body_config": {
@@ -368,14 +368,14 @@
 "www.lukeamiller.net"
 ],
 "uri": [
- "https://www.macromixenlinea.com/test.php?tfognzsagssntu=20836692376602554173581",
- "https://www.lovlr.com/test.php?tfognzsagssntu=476607271236990654173581",
- "https://www.lukeamiller.net/test.php?tfognzsagssntu=18680958474488344173581"
+ "https://www.macromixenlinea.com/test.php?tfognzsagssntu=54926734707489064173581",
+ "https://www.lovlr.com/test.php?tfognzsagssntu=62017306330001044173581",
+ "https://www.lukeamiller.net/test.php?tfognzsagssntu=8365680894171074173581"
 ],
 "uri_path": [
- "/test.php?tfognzsagssntu=20836692376602554173581",
- "/test.php?tfognzsagssntu=476607271236990654173581",
- "/test.php?tfognzsagssntu=18680958474488344173581"
+ "/test.php?tfognzsagssntu=54926734707489064173581",
+ "/test.php?tfognzsagssntu=62017306330001044173581",
+ "/test.php?tfognzsagssntu=8365680894171074173581"
 ]
 }
 }
@@ -520,21 +520,21 @@
 "signatures": [
 "gootloader_url"
 ],
- "value": "https://www.lovlr.com/test.php?tfognzsagssntu=476607271236990654173581"
+ "value": "https://www.lovlr.com/test.php?tfognzsagssntu=62017306330001044173581"
 },
 {
 "heur_id": 1,
 "signatures": [
 "gootloader_url"
 ],
- "value": "https://www.lukeamiller.net/test.php?tfognzsagssntu=18680958474488344173581"
+ "value": "https://www.lukeamiller.net/test.php?tfognzsagssntu=8365680894171074173581"
 },
 {
 "heur_id": 1,
 "signatures": [
 "gootloader_url"
 ],
- "value": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=20836692376602554173581"
+ "value": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=54926734707489064173581"
 }
 ],
 "network.dynamic.uri_path": [
@@ -543,21 +543,21 @@
 "signatures": [
 "gootloader_url"
 ],
- "value": "/test.php?tfognzsagssntu=18680958474488344173581"
+ "value": "/test.php?tfognzsagssntu=54926734707489064173581"
 },
 {
 "heur_id": 1,
 "signatures": [
 "gootloader_url"
 ],
- "value": "/test.php?tfognzsagssntu=20836692376602554173581"
+ "value": "/test.php?tfognzsagssntu=62017306330001044173581"
 },
 {
 "heur_id": 1,
 "signatures": [
 "gootloader_url"
 ],
- "value": "/test.php?tfognzsagssntu=476607271236990654173581"
+ "value": "/test.php?tfognzsagssntu=8365680894171074173581"
 }
 ],
 "network.static.domain": [
@@ -586,34 +586,34 @@
 {
 "heur_id": 2,
 "signatures": [],
- "value": "https://www.lovlr.com/test.php?tfognzsagssntu=476607271236990654173581"
+ "value": "https://www.lovlr.com/test.php?tfognzsagssntu=62017306330001044173581"
 },
 {
 "heur_id": 2,
 "signatures": [],
- "value": "https://www.lukeamiller.net/test.php?tfognzsagssntu=18680958474488344173581"
+ "value": "https://www.lukeamiller.net/test.php?tfognzsagssntu=8365680894171074173581"
 },
 {
 "heur_id": 2,
 "signatures": [],
- "value": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=20836692376602554173581"
+ "value": "https://www.macromixenlinea.com/test.php?tfognzsagssntu=54926734707489064173581"
 }
 ],
 "network.static.uri_path": [
 {
 "heur_id": 2,
 "signatures": [],
- "value": "/test.php?tfognzsagssntu=18680958474488344173581"
+ "value": "/test.php?tfognzsagssntu=54926734707489064173581"
 },
 {
 "heur_id": 2,
 "signatures": [],
- "value": "/test.php?tfognzsagssntu=20836692376602554173581"
+ "value": "/test.php?tfognzsagssntu=62017306330001044173581"
 },
 {
 "heur_id": 2,
 "signatures": [],
- "value": "/test.php?tfognzsagssntu=476607271236990654173581"
+ "value": "/test.php?tfognzsagssntu=8365680894171074173581"
 }
 ]
 },
diff --git a/tools/js-x-ray-run.js b/tools/js-x-ray-run.js
index 78cd8ed3..c1f86711 100644
--- a/tools/js-x-ray-run.js
+++ b/tools/js-x-ray-run.js
@@ -1,4 +1,4 @@
-import { runASTAnalysis } from "@nodesecure/js-x-ray";
+import { AstAnalyser } from "@nodesecure/js-x-ray";
 import { readFileSync } from "fs";
 
 const dividing_comment = process.argv[2];
@@ -14,6 +14,8 @@ if (split_script.length == 2) {
 var actual_script = split_script[0];
 }
 
+const scanner = new AstAnalyser();
+
 const options = { "removeHTMLComments": true };
-const { warnings } = runASTAnalysis(actual_script, options);
+const { warnings, dependencies } = scanner.analyse(actual_script, options);
 console.log(JSON.stringify({"warnings": warnings}));
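Review bot: In the second hunk of tools/js-x-ray-run.js, `dependencies` is destructured from `scanner.analyse(actual_script, options)` but never used, since the unchanged `console.log` still emits only `{"warnings": warnings}`. Either drop the dead binding, `const { warnings } = scanner.analyse(actual_script, options);`, or emit it alongside the warnings if the Python side is meant to consume the required-module list (that is a useful supply-chain signal for a script under analysis). If it is emitted, be aware that recent js-x-ray versions return `dependencies` as a Map, which `JSON.stringify` would serialise as `{}`; it would need to be converted with `Object.fromEntries(dependencies)` first — please confirm against the pinned package version. The `if (split_script.length == 2)` block named in the hunk header starts above the hunk and only its closing brace is visible here.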