From 06f2843a393e5710cdf4bfbb1fabee4e29e6ab92 Mon Sep 17 00:00:00 2001
From: Mark Manning
Date: Wed, 7 May 2025 14:36:25 -0400
Subject: [PATCH 1/5] fix(js): Reducing severity of javascript issues to reduce false positive blockers
---
 rules/anti-static/obfuscation/js.yara | 20 ++++++++++----------
 rules/anti-static/obfuscation/reverse.yara | 2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara
index 54570de07..053cbc1ba 100644
--- a/rules/anti-static/obfuscation/js.yara
+++ b/rules/anti-static/obfuscation/js.yara
@@ -70,7 +70,7 @@ rule character_obfuscation: medium {
 obfs_probably_js and filesize < 4MB and all of them
 }
-rule js_char_code_at_substitution: high {
+rule js_char_code_at_substitution: low {
 meta:
 description = "converts integers into strings and contains a substitution map"
 filetypes = "javascript"
@@ -83,7 +83,7 @@ rule js_char_code_at_substitution: high {
 obfs_probably_js and filesize < 256KB and all of them
 }
-rule child_process: critical {
+rule child_process: medium {
 meta:
 description = "obfuscated javascript that calls external programs"
@@ -101,7 +101,7 @@ rule child_process: critical {
 obfs_probably_js and filesize < 1MB and all of them and math.entropy(1, filesize) >= 6
 }
-rule ebe: critical {
+rule ebe: medium {
 meta:
 description = "highly obfuscated javascript (eBe)"
 filetypes = "javascript"
@@ -116,7 +116,7 @@ rule ebe: critical {
 obfs_probably_js and filesize < 5MB and $function and $charCodeAt and #ref > 10
 }
-rule ebe_generic: high {
+rule ebe_generic: low {
 meta:
 description = "highly obfuscated javascript"
 filetypes = "javascript"
@@ -168,7 +168,7 @@ rule js_hex_eval_obfuscation: critical {
 obfs_probably_js and filesize < 128KB and any of them
 }
-rule js_hex_obfuscation: critical {
+rule js_hex_obfuscation: medium {
 meta:
 description = "javascript function obfuscation (hex)"
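Review bot: Lowering `child_process` from critical to medium in the `@@ -83` hunk takes the blocking verdict off the one rule here that already requires three corroborating signals — `obfs_probably_js`, every declared string (`all of them`), and `math.entropy(1, filesize) >= 6`, as its condition shows in the next hunk's context — so it is an unlikely false-positive source compared with the single-signal entropy rules, and the commit does not say which benign package tripped it. Obfuscated JavaScript that spawns external programs is the classic npm install-hook payload; if the rule is noisy on a concrete sample, tighten the condition or record the sample in a `meta` line (e.g. `false_positive = "<package@version>"`) so the downgrade can be revisited, rather than relabel the verdict. The rule's condition lies outside this hunk.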
@@ -180,7 +180,7 @@ rule js_hex_obfuscation: critical {
 obfs_probably_js and filesize < 1MB and any of them
 }
-rule high_entropy: medium {
+rule high_entropy: low {
 meta:
 description = "high entropy javascript (>6)"
@@ -188,7 +188,7 @@ rule high_entropy: medium {
 obfs_probably_js and math.entropy(1, filesize) >= 6
 }
-rule very_high_entropy: critical {
+rule very_high_entropy: medium {
 meta:
 description = "very high entropy javascript (>7)"
@@ -209,7 +209,7 @@ rule charCodeAtIncrement: medium {
 obfs_probably_js and filesize < 4MB and $function and #increment > 1
 }
-rule js_many_parseInt: high {
+rule js_many_parseInt: medium {
 meta:
 description = "javascript obfuscation (integer parsing)"
 filetypes = "javascript"
@@ -261,7 +261,7 @@ rule unicode_prototype: critical {
 obfs_probably_js and any of them
 }
-rule var_filler: high {
+rule var_filler: medium {
 meta:
 description = "header is filled with excessive variable declarations"
@@ -327,7 +327,7 @@ rule obfuscated_map_to_array_conversions: high {
 obfs_probably_js and #ref > 32
 }
-rule large_obfuscated_array: high {
+rule large_obfuscated_array: medium {
 meta:
 description = "contains large obfuscated arrays"
diff --git a/rules/anti-static/obfuscation/reverse.yara b/rules/anti-static/obfuscation/reverse.yara
index abc8c211a..35652a647 100644
--- a/rules/anti-static/obfuscation/reverse.yara
+++ b/rules/anti-static/obfuscation/reverse.yara
@@ -57,7 +57,7 @@ rule string_reversal: medium {
 any of them
 }
-rule function_reversal: high {
+rule function_reversal: medium {
 meta:
 description = "reversed function definition"
From b8a0b8e2d49f232a52be6f3a6a6370ccc2b8361e Mon Sep 17 00:00:00 2001
From: Mark Manning
Date: Wed, 7 May 2025 15:57:04 -0400
Subject: [PATCH 2/5] Fix: Dropping scope to only the most common false positive issues
---
 rules/anti-static/obfuscation/js.yara | 20 ++++++++++----------
 rules/anti-static/obfuscation/reverse.yara | 2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)
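Review bot: The entropy rules are relabelled without touching the condition that makes them noisy: `high_entropy` is `obfs_probably_js and math.entropy(1, filesize) >= 6` (visible as context in the `@@ -188` hunk) with no `filesize <` bound, unlike every sibling rule on this page (128KB to 5MB), and whole-file Shannon entropy over a large minified or bundled file will plausibly sit above 6 with no obfuscation involved. Dropping it to `low` and `very_high_entropy` to `medium` silences those bundles but equally silences a genuinely packed loader. A bound mirroring the other rules, `obfs_probably_js and filesize < 1MB and math.entropy(1, filesize) >= 6`, would address the cause; `very_high_entropy`'s own condition is outside the hunk, so I cannot tell whether it is bounded.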
diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara
index 053cbc1ba..8a73fd0e2 100644
--- a/rules/anti-static/obfuscation/js.yara
+++ b/rules/anti-static/obfuscation/js.yara
@@ -70,7 +70,7 @@ rule character_obfuscation: medium {
 obfs_probably_js and filesize < 4MB and all of them
 }
-rule js_char_code_at_substitution: low {
+rule js_char_code_at_substitution: high {
 meta:
 description = "converts integers into strings and contains a substitution map"
 filetypes = "javascript"
@@ -83,7 +83,7 @@ rule js_char_code_at_substitution: low {
 obfs_probably_js and filesize < 256KB and all of them
 }
-rule child_process: medium {
+rule child_process: high {
 meta:
 description = "obfuscated javascript that calls external programs"
@@ -101,7 +101,7 @@ rule child_process: medium {
 obfs_probably_js and filesize < 1MB and all of them and math.entropy(1, filesize) >= 6
 }
-rule ebe: medium {
+rule ebe: high {
 meta:
 description = "highly obfuscated javascript (eBe)"
 filetypes = "javascript"
@@ -116,7 +116,7 @@ rule ebe: medium {
 obfs_probably_js and filesize < 5MB and $function and $charCodeAt and #ref > 10
 }
-rule ebe_generic: low {
+rule ebe_generic: high {
 meta:
 description = "highly obfuscated javascript"
 filetypes = "javascript"
@@ -168,7 +168,7 @@ rule js_hex_eval_obfuscation: critical {
 obfs_probably_js and filesize < 128KB and any of them
 }
-rule js_hex_obfuscation: medium {
+rule js_hex_obfuscation: high {
 meta:
 description = "javascript function obfuscation (hex)"
@@ -180,7 +180,7 @@ rule js_hex_obfuscation: medium {
 obfs_probably_js and filesize < 1MB and any of them
 }
-rule high_entropy: low {
+rule high_entropy: medium {
 meta:
 description = "high entropy javascript (>6)"
@@ -188,7 +188,7 @@ rule high_entropy: low {
 obfs_probably_js and math.entropy(1, filesize) >= 6
 }
-rule very_high_entropy: medium {
+rule very_high_entropy: high {
 meta:
 description = "very high entropy javascript (>7)"
@@ -209,7 +209,7 @@ rule charCodeAtIncrement: medium {
 obfs_probably_js and filesize < 4MB and $function and #increment > 1
 }
-rule js_many_parseInt: medium {
+rule js_many_parseInt: high {
 meta:
 description = "javascript obfuscation (integer parsing)"
 filetypes = "javascript"
@@ -261,7 +261,7 @@ rule unicode_prototype: critical {
 obfs_probably_js and any of them
 }
-rule var_filler: medium {
+rule var_filler: high {
 meta:
 description = "header is filled with excessive variable declarations"
@@ -327,7 +327,7 @@ rule obfuscated_map_to_array_conversions: high {
 obfs_probably_js and #ref > 32
 }
-rule large_obfuscated_array: medium {
+rule large_obfuscated_array: high {
 meta:
 description = "contains large obfuscated arrays"
diff --git a/rules/anti-static/obfuscation/reverse.yara b/rules/anti-static/obfuscation/reverse.yara
index 35652a647..abc8c211a 100644
--- a/rules/anti-static/obfuscation/reverse.yara
+++ b/rules/anti-static/obfuscation/reverse.yara
@@ -57,7 +57,7 @@ rule string_reversal: medium {
 any of them
 }
-rule function_reversal: medium {
+rule function_reversal: high {
 meta:
 description = "reversed function definition"
From 982f71d6ca76d83d49abca728e3446663034eb33 Mon Sep 17 00:00:00 2001
From: Mark Manning
Date: Wed, 7 May 2025 15:57:04 -0400
Subject: [PATCH 3/5] fix: Updating test cases to reflect new scores
---
 ...aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple | 2 +-
 tests/javascript/2024.xmlrpc/validator.js.simple | 2 +-
 tests/npm/2024.discord-api-ts/postinstall.js.simple | 2 +-
 tests/npm/2024.nvmfix/config.js.simple | 2 +-
 tests/npm/2024.testerrrrrrrrrr/init.js.simple | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple b/tests/javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple
index 2aabdae9f..cff891a6a 100644
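Review bot: This hunk puts `function_reversal` back to `high`, the exact value patch 1 removed — the blob returns to `abc8c211a` — so reverse.yara is a no-op across the series, and in js.yara this patch restores seven of the ten rules, leaving only `child_process`, `ebe`, `js_hex_obfuscation` and `very_high_entropy` one step below their original critical. Neither the subject ("Dropping scope to only the most common false positive issues") nor any rule `meta` records which of those four actually produced the false positives. Squash patches 1 and 2 so history shows only the intended change, and add a `meta` line to each of the four rules naming the sample or package that motivated its downgrade.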
--- a/tests/javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple
+++ b/tests/javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple
@@ -1,5 +1,5 @@
 # javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js: critical
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 data/embedded/base64_terms: medium
 exec/remote_commands/code_eval: medium
 process/chdir: low
diff --git a/tests/javascript/2024.xmlrpc/validator.js.simple b/tests/javascript/2024.xmlrpc/validator.js.simple
index 5c1104b04..ecf454380 100644
--- a/tests/javascript/2024.xmlrpc/validator.js.simple
+++ b/tests/javascript/2024.xmlrpc/validator.js.simple
@@ -1,7 +1,7 @@
 # javascript/2024.xmlrpc/validator.js: critical
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 anti-static/obfuscation/strtoi: medium
 c2/addr/url: medium
 c2/client: medium
diff --git a/tests/npm/2024.discord-api-ts/postinstall.js.simple b/tests/npm/2024.discord-api-ts/postinstall.js.simple
index 2f227b487..742c7b541 100644
--- a/tests/npm/2024.discord-api-ts/postinstall.js.simple
+++ b/tests/npm/2024.discord-api-ts/postinstall.js.simple
@@ -2,7 +2,7 @@
 anti-behavior/random_behavior: low
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 anti-static/obfuscation/strtoi: medium
 c2/addr/url: medium
 data/encoding/int: medium
diff --git a/tests/npm/2024.nvmfix/config.js.simple b/tests/npm/2024.nvmfix/config.js.simple
index 0c84fab92..0b095708c 100644
--- a/tests/npm/2024.nvmfix/config.js.simple
+++ b/tests/npm/2024.nvmfix/config.js.simple
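Review bot: The js group for this sample is lowered to `high` while line 1 of the fixture still declares the file verdict `critical`, and patch 4 later in this series puts `critical` back on exactly this line, which suggests the `.simple` file was edited by hand rather than regenerated from a scan. Patch 1 leaves `js_hex_eval_obfuscation` and `unicode_prototype` at critical (see their hunk-header context), so this sample presumably still reaches critical through one of them; the validator.js, postinstall.js and config.js fixtures likewise show no remaining critical line inside their hunks and deserve the same check. Regenerate the fixtures with the scanner and state in the commit body which critical rule still fires, rather than editing expectation lines by hand.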
@@ -1,6 +1,6 @@
 # npm/2024.nvmfix/config.js: critical
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 c2/addr/url: medium
 data/encoding/utf16: medium
 process/create: medium
diff --git a/tests/npm/2024.testerrrrrrrrrr/init.js.simple b/tests/npm/2024.testerrrrrrrrrr/init.js.simple
index b045a6a80..a0595c44c 100644
--- a/tests/npm/2024.testerrrrrrrrrr/init.js.simple
+++ b/tests/npm/2024.testerrrrrrrrrr/init.js.simple
@@ -1,7 +1,7 @@
 # npm/2024.testerrrrrrrrrr/init.js: critical
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 anti-static/obfuscation/url: critical
 c2/addr/server: medium
 c2/addr/url: medium
From fec6535e0236b39862d5758b71596fa2700f5636 Mon Sep 17 00:00:00 2001
From: antitree
Date: Wed, 7 May 2025 16:27:09 -0400
Subject: [PATCH 4/5] Update 002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple
Signed-off-by: antitree
---
 ...aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple b/tests/javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple
index cff891a6a..2aabdae9f 100644
--- a/tests/javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple
+++ b/tests/javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple
@@ -1,5 +1,5 @@
 # javascript/2024.obfuscated/002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js: critical
-anti-static/obfuscation/js: high
+anti-static/obfuscation/js: critical
 data/embedded/base64_terms: medium
 exec/remote_commands/code_eval: medium
 process/chdir: low
From 75818512be3731efb850b0001013e1c5f2170cac Mon Sep 17 00:00:00 2001
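Review bot: Every fixture touched by this patch is a known-malicious sample whose expectation is merely lowered, so the suite never asserts the false-positive reduction the series is named for — no benign JavaScript that previously scored critical is added with a `.simple` expectation showing the new lower verdict, and nothing stops a later edit from raising these severities again (the subject of patch 5 below shows the whole change being reverted). Add at least one clean sample, e.g. a minified bundle that hit `very_high_entropy` or `child_process`, with a fixture asserting its verdict is below critical, so the change is regression-tested in both directions.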
From: antitree
Date: Thu, 8 May 2025 09:20:44 -0400
Subject: [PATCH 5/5] Revert "fix: Reduce Malcontent JS False Positives (#904)"