Improve Javascript results, particularly for rand-user-agent (#925)

Author: tstromberg

rules/anti-static/obfuscation/js.yara

@@ -12,6 +12,8 @@ private rule obfs_probably_js {
     $f_false     = "false);"
     $f_function  = /function\(\w{0,32}\)/
     $f_function2 = "function()"
+    $f_function3 = "function ()"
+    $f_global    = "global["
     $f_method    = "@method"
     $f_namespace = "@namespace"
     $f_Object    = "Object."
@@ -48,6 +50,20 @@ private rule obfs_probably_js {
     filesize < 5MB and 4 of ($f*) and none of ($not*)
 }
 
+rule js_var_misdirection: medium {
+  meta:
+    description = "multiple layers of variable misdirection"
+
+  strings:
+    $short_mix_high = /var [a-z]{0,2}[A-Z]{1,2}[a-z]\w{1,2}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/
+    $empty          = /var [a-z]{1,3}[A-Z][a-z]{0,2}\s{0,2}=\s{0,2}"";/
+    $short_mix_low  = /var [a-z][A-Z]{1,6}\w{1,2}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/
+    $short_low      = /var [a-z]{1,3}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/
+
+  condition:
+    obfs_probably_js and filesize < 4MB and 3 of them
+}
+
 rule character_obfuscation: medium {
   meta:
     description = "obfuscated javascript that relies on character manipulation"
@@ -344,11 +360,59 @@ rule high_entropy_charAt: medium {
     description = "high entropy javascript (>5.37) that uses charAt/substr/join loops"
 
   strings:
-    $ = "charAt("
-    $ = "substr("
-    $ = "join("
-    $ = "function("
-    $ = "for("
+    $           = "charAt("
+    $           = "substr("
+    $           = "join("
+    $s_function = /function\s{0,2}\(/
+    $s_for      = /for\s{0,2}\(/
+
+  condition:
+    obfs_probably_js and math.entropy(1, filesize) >= 5.37 and all of them
+}
+
+rule charAt_long_string: medium {
+  meta:
+    description = "uses charAt/substr/join loops with a long variable"
+
+  strings:
+    $s_charAt   = "charAt("
+    $s_substr   = "substr("
+    $s_join     = "join("
+    $s_function = /function\s{0,2}\(/
+    $s_for      = /for\s{0,2}\(/
+
+    $long_string  = /\([\'\"]\w{32,1024}[\"\']\)/
+    $long_garbage = /['"][\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{16,256}[\s\%\$]{1,2}[\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{0,256}/
+
+  condition:
+    obfs_probably_js and all of ($s*) and any of ($long*)
+}
+
+rule charAt_long_vars: medium {
+  meta:
+    description = "uses charAt/substr/join loops with long variables"
+
+  strings:
+    $s_charAt   = "charAt("
+    $s_substr   = "substr("
+    $s_join     = "join("
+    $s_function = /function\s{0,2}\(/
+    $s_for      = /for\s{0,2}\(/
+
+    $long_string  = /\([\'\"]\w{32,1024}[\"\']\)/
+    $long_garbage = /['"][\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{16,256}[\s\%\$]{1,2}[\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{0,256}/
+
+  condition:
+    obfs_probably_js and all of ($s*) and (#long_string + #long_garbage) > 3
+}
+
+rule obfuscated_require: high {
+  meta:
+    description = "sets variable to the 'require' keyword"
+
+  strings:
+    $ = /global\[\"\w{1,16}\"\]\s{0,2}=\s{0,2}require;/
+    $ = /var \w{1,16}\s{0,2}=\s{0,2}require;/
 
   condition:
     obfs_probably_js and math.entropy(1, filesize) >= 5.37 and all of them

rules/anti-static/obfuscation/math.yara

@@ -1,31 +1,66 @@
-rule js_long_math: high {
-  meta:
-    description = "performs multiple rounds of long integer math"
-
+private rule math_probably_js {
   strings:
     $f_function = "function"
     $f_return   = "return"
     $f_local    = "local"
+    $f_var      = "var" fullword
+    $f_global   = "global["
     $f_end      = "end" fullword
 
+  condition:
+    filesize < 5MB and 3 of ($f*)
+}
+
+rule js_long_math: high {
+  meta:
+    description = "performs multiple rounds of long integer math"
+
+  strings:
     $d = /\d{6,14}[\+\-]\d{6,14}/ fullword
 
   condition:
-    3 of ($f*) and #d > 64
+    math_probably_js and #d > 64
 }
 
 rule js_long_dumb_math: critical {
   meta:
     description = "performs multiple rounds of long dumb integer math"
 
   strings:
-    $f_function = "function"
-    $f_return   = "return"
-    $f_local    = "local"
-    $f_end      = "end" fullword
-
     $d = /[-\+]\([-\+]\d{6,14}[-\+]\([-\+]\d{6,14}\)\)/
 
   condition:
-    2 of ($f*) and #d > 32
+    math_probably_js and #d > 32
+}
+
+rule js_junk_math: medium {
+  meta:
+    description = "suspicious junk math"
+
+  strings:
+    $charAt                     = "charAt"
+    $m_subtract_var             = /\s\w{1,16}\s{0,2}=\s{0,2}\d{0,8}\s{0,2}-\s{0,2}\d{1,8};/
+    $m_var_int                  = /var\s{1,16}\w{0,16}\s{0,2}=\s{0,2}\d{3,16};/
+    $m_paren_add                = /\(\w{0,8}\s{0,2}\+\s{0,2}\d{1,16}\)/
+    $m_paren_long_remainder     = /\(\w{0,8}\s{0,2}%\s{0,2}\d{4,16}\)/
+    $m_tiny_vars_long_remainder = /\w{0,2}\s{0,2}=\s{0,2}\(\w + \w\) % \d{4,16};/
+
+  condition:
+    math_probably_js and $charAt and 2 of ($m*)
+}
+
+rule js_junk_math_high: high {
+  meta:
+    description = "multiple examples of suspicious junk math"
+
+  strings:
+    $charAt                     = "charAt"
+    $m_subtract_var             = /\s\w{1,16}\s{0,2}=\s{0,2}\d{0,8}\s{0,2}-\s{0,2}\d{2,8};/
+    $m_var_int                  = /var\s{1,16}\w{0,16}\s{0,2}=\s{0,2}\d{3,16};/
+    $m_paren_add                = /\(\w{0,8}\s{0,2}\+\s{0,2}\d{2,16}\)/
+    $m_paren_long_remainder     = /\(\w{0,8}\s{0,2}%\s{0,2}\d{4,16}\)/
+    $m_tiny_vars_long_remainder = /\w{0,2}\s{0,2}=\s{0,2}\(\w + \w\) % \d{4,16};/
+
+  condition:
+    math_probably_js and $charAt and 3 of ($m*)
 }

rules/anti-static/obfuscation/python.yara

@@ -253,7 +253,7 @@ rule py_lib_alias_val: medium {
     $val
 }
 
-rule multi_decode_3: high {
+rule multi_decode_3: medium {
   meta:
     description = "multiple (3+) levels of decoding"
     filetypes   = "py"
@@ -266,6 +266,19 @@ rule multi_decode_3: high {
     obfs_probably_python and filesize < 10MB and all of them
 }
 
+rule multi_decode_3_smaller_file: high {
+  meta:
+    description = "multiple (3+) levels of decoding"
+    filetypes   = "py"
+
+  strings:
+    $return              = "return"
+    $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode/
+
+  condition:
+    obfs_probably_python and filesize < 256KB and all of them
+}
+
 rule multi_decode: medium {
   meta:
     description = "multiple (2) levels of decoding"

rules/c2/addr/url.yara

@@ -73,8 +73,7 @@ rule http_url_with_question: medium {
     $not_doku            = "/doku.php?"
 
   condition:
-    filesize < 256KB and any of them
-  // ($f*) and $ref and none of ($not*)
+    filesize < 256KB and any of ($f*) and $ref and none of ($not*)
 }
 
 rule binary_with_url: low {

rules/exec/remote_commands/code_eval.yara

@@ -12,6 +12,8 @@ private rule eval_probably_js {
     $f_false     = "false);"
     $f_function  = /function\(\w{0,32}\)/
     $f_function2 = "function()"
+    $f_function3 = "function ()"
+    $f_global    = "global["
     $f_method    = "@method"
     $f_namespace = "@namespace"
     $f_Object    = "Object."
@@ -133,6 +135,18 @@ rule js_eval_obfuscated_fromChar: critical {
     eval_probably_js and filesize < 5MB and all of them and math.abs(@exec - @ref) > 384
 }
 
+rule js_anonymous_function: medium {
+  meta:
+    description = "evaluates code using an anonymous function"
+
+  strings:
+    $func = /\n\s{0,8}\(function\s{0,8}\(\)\s{0,8}\{/
+    $run  = /\n\s{0,8}\}\)\(\);/
+
+  condition:
+    eval_probably_js and filesize < 5MB and all of them and (@run - @func) > 384
+}
+
 rule python_exec: medium {
   meta:
     description = "evaluate code dynamically using exec()"

tests/c/clean/falco/string_visitor.ut.cpp.simple

@@ -1,5 +1,4 @@
 # c/clean/falco/string_visitor.ut.cpp: medium
-c2/addr/url: medium
 credential/shell/bash_history: medium
 fs/path/etc: low
 fs/path/var: low

tests/c/clean/ruby_http_parser/test.c.simple

@@ -1,5 +1,4 @@
 # c/clean/ruby_http_parser/test.c: medium
-c2/addr/url: medium
 c2/tool_transfer/os: low
 crypto/openssl: medium
 data/compression/gzip: low

tests/does-nothing/does-nothing.go.simple

@@ -1,2 +0,0 @@
-# does-nothing/does-nothing.go: medium
-c2/addr/url: medium

tests/javascript/2022.an-instance.99.10.9/index.js.simple

@@ -1,6 +1,5 @@
 # javascript/2022.an-instance.99.10.9/index.js: critical
 anti-static/obfuscation/hex: medium
-c2/addr/url: medium
 data/encoding/int: low
 data/encoding/json_encode: low
 discover/network/interface_list: medium