Closed cccs-kevin closed 8 months ago
Another sample that depends on this functionality is 1e98af662c337468274d2a20e1f5eb66645c8fff55269ee09fa9ba6e0733ce98
From the logs:
[MIMEHANDLER (SVG+XML)][ERROR] TypeError: URL.createObjectURL is not a function ( @ 30 : 41 ) -> let IV7XsVbK = URL["createObjectURL"](JkT5zYmW);
@cccs-kevin I confirm your analysis. Thug currently lacks the implementation of the URL methods createObjectURL and revokeObjectURL. I created just two placeholders at the moment but I think having at least a sample handy could be really beneficial in order to figure out how the methods are used. And I realized I can not download them from VirusTotal. Would you mind sharing them (even privately if you prefer)? Thanks!
Sure thing, here is the MalwareBazaar link:
https://bazaar.abuse.ch/sample/1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0/
Thanks! Really appreciate!
FYI it seems like I fixed both this issue and the issue https://github.com/buffer/thug/issues/369. As you can see from the attached output, the (base64 encoded) encrypted ZIP file is now correctly stored in the JSON report. I am going to open a PR later today and perform some additional tests before merging. Please expect a new Thug release soon.
~ $ thug -u osx10chrome97 -l -F -Z 1b61b16dd4b7f6203d742b47411ca679f1f5734ed01534a37a126263f84396c0.html
[2024-01-30 12:11:34] [window open redirection] about:blank -> blob://about:blank/90113783-fa43-4aea-866a-43a0eedf1b7d
[2024-01-30 12:11:34] [MIMEHANDLER (ZIP)][ERROR] File 'doc/Valid445.lnk' is encrypted, password required for extraction
[2024-01-30 12:11:34] Thug analysis logs saved at /tmp/thug/logs/3f21298a46011be141bcc21e9179a706/20240130121134
~ $ jq '.files' < /tmp/thug/logs/3f21298a46011be141bcc21e9179a706/20240130121134/analysis/json/analysis.json
[
{
"type": "ZIP",
"md5": "9782d065f715729a10ec754610bb3f91",
"sha1": "4f8fb3d85523183cccd5570ae004357e86907858",
"sha256": "05b8f8346baf3d7f50bc4315cd3d66e716916e716cc5ef3d3942dd7c2b71e933",
"ssdeep": "24:DMh1C78O/ymafE1GKf7u5u+EL9dL0hTCLa4tC5:DqnpmkERwu+EL9dBu",
"url": "about:blank",
"data": "<base64-encoded ZIP, omitted here>"
}
]
Hi @buffer,
I'm ramping up the inclusion of the Thug tool in the Assemblyline project (specifically in the JsJaws service), but I'm noticing a lack of detection / payload extraction for samples such as the one mentioned. The de-obfuscated JavaScript as per the Synchrony project contains the following:
When I run the sample in Thug using the osx10chrome97 user agent, I see that no file is added to the "files" key of the analysis.json and I suspect that this is due to lack of URL.createObjectURL / URL.revokeObjectURL in the context? Let me know if I'm on the right track!