buffer / thug

Python low-interaction honeyclient
GNU General Public License v2.0

Sample: `1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0` #368

Closed. cccs-kevin closed this issue 8 months ago.

cccs-kevin commented 8 months ago

Hi @buffer,

I'm ramping up the inclusion of the Thug tool in the Assemblyline project (specifically in the JsJaws service), but I'm noticing a lack of detection / payload extraction for samples such as the one mentioned. The de-obfuscated JavaScript, as produced by the Synchrony project, contains the following (stray empty statements left behind by the de-obfuscation removed):

// Legacy IE/Edge path: hand the Blob straight to the browser's download prompt.
if (window.navigator.msSaveOrOpenBlob) {
    window.navigator.msSaveOrOpenBlob(blob, 'Document5934.zip');
} else {
    // Everyone else: mint a blob: URL for the in-memory payload and "click" a
    // hidden <a download> pointing at it, which triggers a file download.
    var url = URL.createObjectURL(blob), a = document.createElement('a');
    a.href = url;
    a.download = 'Document5934.zip';
    document.body.appendChild(a);
    a.click();
    // Clean up on the next tick, after the click has been dispatched.
    setTimeout(function () {
        document.body.removeChild(a);
        window.URL.revokeObjectURL(url);
    }, 0);
}

When I run the sample in Thug using the osx10chrome97 user agent, I see that no file is added to the "files" key of the analysis.json, and I suspect that this is due to the lack of URL.createObjectURL/URL.revokeObjectURL in the context?

Let me know if I'm on the right track!

cccs-kevin commented 8 months ago

Another sample that depends on this functionality is 1e98af662c337468274d2a20e1f5eb66645c8fff55269ee09fa9ba6e0733ce98

From the logs: [MIMEHANDLER (SVG+XML)][ERROR] TypeError: URL.createObjectURL is not a function ( @ 30 : 41 ) -> let IV7XsVbK = URL["createObjectURL"](JkT5zYmW);

buffer commented 8 months ago

@cccs-kevin I confirm your analysis. Thug currently lacks the implementation of the URL methods createObjectURL and revokeObjectURL. I have created just two placeholders at the moment, but I think having at least a sample handy could be really beneficial in order to figure out how the methods are used. And I realized I cannot download them from VirusTotal. Would you mind sharing them (even privately if you prefer)? Thanks!

cccs-kevin commented 8 months ago

Sure thing, here is the MalwareBazaar link:

https://bazaar.abuse.ch/sample/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/

buffer commented 8 months ago

Thanks! Really appreciate it!

buffer commented 8 months ago

FYI it seems like I fixed both this issue and the issue https://github.com/buffer/thug/issues/369. As you can see from the attached output, the (base64 encoded) encrypted ZIP file is now correctly stored in the JSON report. I am going to open a PR later today and perform some additional tests before merging. Please expect a new Thug release soon.

~ $ thug -u osx10chrome97 -l -F -Z 1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0.html
[2024-01-30 12:11:34] [window open redirection] about:blank -> blob://about:blank/90113783-fa43-4aea-866a-43a0eedf1b7d
[2024-01-30 12:11:34] [MIMEHANDLER (ZIP)][ERROR] File 'doc/Valid445.lnk' is encrypted, password required for extraction
[2024-01-30 12:11:34] Thug analysis logs saved at /tmp/thug/logs/3f21298a46011be141bcc21e9179a706/20240130121134

~ $ jq '.files' < /tmp/thug/logs/3f21298a46011be141bcc21e9179a706/20240130121134/analysis/json/analysis.json
[
  {
    "type": "ZIP",
    "md5": "9782d065f715729a10ec754610bb3f91",
    "sha1": "4f8fb3d85523183cccd5570ae004357e86907858",
    "sha256": "05b8f8346baf3d7f50bc4315cd3d66e716916e716cc5ef3d3942dd7c2b71e933",
    "ssdeep": "24:DMh1C78O/ymafE1GKf7u5u+EL9dL0hTCLa4tC5:DqnpmkERwu+EL9dBu",
    "url": "about:blank",
    "data": "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"
  }
]