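---
# Assemblyline service manifest for JsJaws (JavaScript sandboxing service).
# `$SERVICE_TAG` and `${REGISTRY}` are placeholders; presumably substituted by
# the build/deploy pipeline rather than read literally — confirm against the
# service build scripts.
name: JsJaws
version: $SERVICE_TAG
description: >
  Provides sandboxing for JavaScript.

# Regexes over Assemblyline file-type tags that route files to / away from
# this service.
accepts: code/javascript|code/html|code/hta|code/jscript|code/wsf|code/wsc|image/svg
rejects: empty|metadata/.*

stage: CORE
category: Static Analysis
file_required: true
# Per-task wall-clock limit, in seconds.
timeout: 300
disable_cache: false
enabled: true
is_external: false
licence_count: 0
uses_temp_submission_data: true

# Service-level (operator) configuration.
config:
  # Note that the Docker container must be allowed Internet access as well
  # (see docker_config.allow_internet_access); this flag alone does not grant
  # egress. Leaving it false keeps a detonated sample from fetching payloads.
  allow_download_from_internet: false
  # Maximum payload files extracted if deep scan is turned off
  max_payloads_extracted: 50
  # Raise a noisy exception if the MalwareJail tool errors, rather than silently letting the other tools output.
  raise_malware_jail_exc: false
  # The limit to number of stdout lines analyzed that were captured from tools
  # (bounds memory/CPU spent on very chatty or looping samples).
  total_stdout_limit: 10000
  # If you don't want your STDERR clogging up your terminal, set to true
  send_tool_stderr_to_pipe: false
  # The maximum number of times that the gauntlet should be run
  max_gauntlet_runs: 30

# Per-submission (user-selectable) parameters. Each entry carries the
# parameter name, its type, the default and the current value.
submission_params:
  # Service-wide parameters
  - default: 30
    name: tool_timeout
    type: int
    value: 30
  - default: false
    name: add_supplementary
    type: bool
    value: false
  - default: true
    name: static_signatures
    type: bool
    value: true
  - default: true
    name: display_iocs
    type: bool
    value: true
  # Set to "true" if you do not want the file to be executed via Box.js and MalwareJail
  - default: false
    name: static_analysis_only
    type: bool
    value: false
  # Lifts config.total_stdout_limit for this submission.
  - default: false
    name: ignore_stdout_limit
    type: bool
    value: false
  # Box.js parameters
  - default: false
    name: no_shell_error
    type: bool
    value: false
  # MalwareJail parameters
  # Browser profile emulated during execution; must be one of `list`.
  - default: "IE8"
    name: browser
    type: list
    value: "IE8"
    list: ["IE8", "IE11_W10", "IE7", "iPhone", "Firefox", "Chrome"]
  - default: false
    name: wscript_only
    type: bool
    value: false
  - default: false
    name: throw_http_exc
    type: bool
    value: false
  # Presumably only honoured when config.allow_download_from_internet is true
  # and the container has egress — verify in the service code.
  - default: false
    name: download_payload
    type: bool
    value: false
  - default: false
    name: extract_function_calls
    type: bool
    value: false
  - default: false
    name: extract_eval_calls
    type: bool
    value: false
  - default: false
    name: log_errors
    type: bool
    value: false
  - default: false
    name: override_eval
    type: bool
    value: false
  - default: false
    name: file_always_exists
    type: bool
    value: false
  # Synchrony parameters
  - default: false
    name: enable_synchrony
    type: bool
    value: false

# Heuristics the service can raise. `score` feeds the submission verdict
# (higher weighs more toward malicious); `filetype` is a regex restricting
# which file types the heuristic may fire on.
heuristics:
  - heur_id: 1
    name: Network Traffic Detected
    score: 1
    filetype: '.*'
    description: Malware Sandbox Tool(s) detected network traffic.
  - heur_id: 2
    name: IOC(s) Extracted
    score: 1
    filetype: '.*'
    description: At least one IOC has been extracted.
  - heur_id: 3
    name: Suspicious Activity Detected
    score: 1
    filetype: '.*'
    description: Suspicious activity was detected during execution.
  - heur_id: 4
    name: Embedded Code in Common Library
    score: 1000
    filetype: '.*'
    description: Embedded code was discovered in a file posing as a common library. Seen frequently in Gootloader.
  - heur_id: 5
    name: Microsoft Support Diagnostic Tool found in location redirection
    score: 500
    filetype: '.*'
    description: This technique was widely seen as part of the Follina exploit
  - heur_id: 6
    name: Automatic location redirection
    score: 10
    filetype: '.*'
    description: Automatic redirection to another resource
  - heur_id: 7
    name: Suspicious CSS Usage
    score: 10
    filetype: '.*'
    description: Suspicious declarations were detected in HTML stylesheets
  - heur_id: 8
    name: Obfuscated with Obfuscator.io
    score: 1000
    filetype: '.*'
    description: Sample was obfuscated with Obfuscator.io
  - heur_id: 9
    name: ShortCut usage
    score: 100
    filetype: '.*'
    description: Sample uses unusual ShortCut objects
  - heur_id: 10
    name: Long One-Liner
    score: 1
    filetype: '.*'
    description: Sample consists of a long single line of code
  - heur_id: 11
    name: Time Waster
    score: 1000
    filetype: '.*'
    description: Sample uses common time-wasting techniques. Seen frequently in Gootloader.
  - heur_id: 12
    name: Visual Basic and JavaScript
    score: 1
    filetype: '.*'
    description: Sample uses a combination of both Visual Basic and JavaScript
  - heur_id: 13
    name: WScript Shell uses IOCs
    score: 1
    filetype: '.*'
    description: Sample uses a WScript Shell to manipulate network calls
  # Heuristics 14 and 20 are restricted to HTML/HTA-like types.
  - heur_id: 14
    name: Single script writes suspicious value
    score: 500
    filetype: 'code/ht.*'
    description: Single script tag with unescaped value written to DOM
  - heur_id: 15
    name: Nested document.write calls
    score: 250
    filetype: '.*'
    description: Multiple rounds of tool runs were required due to nested document.write calls
  - heur_id: 16
    name: Third-party script(s) required
    score: 1
    filetype: '.*'
    description: Reference error caused by requirement of suspicious third party script(s)
  - heur_id: 17
    name: Malformed JavaScript found in visible text
    score: 1
    filetype: '.*'
    description: JavaScript code is found in the visible text of an HTML document, indicating malformation
  - heur_id: 18
    name: Programmatically created script(s) with external source
    score: 1
    filetype: '.*'
    description: Script(s) with an external source were programmatically created by the sample.
  - heur_id: 19
    name: Function inception
    score: 500
    filetype: '.*'
    description: Script uses function inception
  - heur_id: 20
    name: Multiple script writes with suspicious values
    score: 500
    filetype: 'code/ht.*'
    description: Multiple script tags with unescaped values written to DOM
  # Score 0: informational only, surfaces the finding without affecting verdict.
  - heur_id: 21
    name: Script contains leading garbage characters
    score: 0
    filetype: '.*'
    description: A script contains leading characters meant to obfuscate / mis-identify the file.
  - heur_id: 22
    name: Detected JavaScript Redirector / Loader
    score: 100
    filetype: '.*'
    description: Low number of body elements.
  # Heuristics 23-27 only apply to code/html.
  - heur_id: 23
    name: document.write usage found in HTML
    score: 100
    filetype: 'code/html'
    description: Suspicious JavaScript code found in HTML file
  - heur_id: 24
    name: HTML document with suspicious title
    score: 100
    filetype: 'code/html'
    description: HTML document has title containing common phishing terms
  - heur_id: 25
    name: HTML document queries sensitive user data
    score: 100
    filetype: 'code/html'
    description: HTML document has password / email / username input fields
  - heur_id: 26
    name: HTML document contains password input but no form action
    score: 100
    filetype: 'code/html'
    description: <input type="password"/> found but no <form action="..."/>
  - heur_id: 27
    name: Suspicious form URL found
    score: 0
    filetype: 'code/html'
    description: Form action is suspicious because form was created in suspicious way

docker_config:
  # Container egress. Needed (together with config.allow_download_from_internet)
  # for payload downloads. When downloads are not required, setting this to
  # false keeps a detonated sample from contacting external hosts at all.
  # NOTE(review): confirm none of the bundled tools need network access before
  # turning it off.
  allow_internet_access: true
  image: ${REGISTRY}cccs/assemblyline-service-jsjaws:$SERVICE_TAG
  cpu_cores: 1
  # Presumably memory request (minimum) and limit, in MB — verify against the
  # Assemblyline scheduler docs.
  ram_mb_min: 1536
  ram_mb: 4096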