Skip to content

ScanJavascript

This scanner extracts various components from JavaScript files, such as tokens, keywords, strings, identifiers, and regular expressions. It also has the option to deobfuscate the JavaScript before scanning. URLs within the script are extracted and added as indicators of compromise (IOCs).

Options

beautify: Determines if JavaScript should be deobfuscated (default: True). max_strings: Maximum number of strings to extract from each category (default: 50).

Source code in strelka/src/python/strelka/scanners/scan_javascript.py 
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
class ScanJavascript(strelka.Scanner):
    """
    This scanner extracts various components from JavaScript files, such as tokens,
    keywords, strings, identifiers, and regular expressions. It also has the option
    to deobfuscate the JavaScript before scanning. URLs within the script are
    extracted and added as indicators of compromise (IOCs).

    Options:
        beautify: Determines if JavaScript should be deobfuscated (default: True).
        max_strings: Maximum number of strings to extract from each category
            (default: 50).
    """

    def init(self):
        # Regular expression to capture URLs, considering various schemes and TLDs.
        self.url_regex = re.compile(
            r'(?:\b[a-z\d.-]+://[^<>\s\(\)]+|\b(?:(?:(?:[^\s!@#$%^&*()_=+[\]{}\|;:\'",.<>/?]+)\.)+(?:aaa|aarp|abarth|abb|abbott|abbvie|abc|able|abogado|abudhabi|ac|academy|accenture|accountant|accountants|aco|active|actor|ad|adac|ads|adult|ae|aeg|aero|aetna|af|afamilycompany|afl|africa|ag|agakhan|agency|ai|aig|aigo|airbus|airforce|airtel|akdn|al|alfaromeo|alibaba|alipay|allfinanz|allstate|ally|alsace|alstom|am|americanexpress|americanfamily|amex|amfam|amica|amsterdam|analytics|android|anquan|anz|ao|aol|apartments|app|apple|aq|aquarelle|ar|arab|aramco|archi|army|arpa|art|arte|as|asda|asia|associates|at|athleta|attorney|au|auction|audi|audible|audio|auspost|author|auto|autos|avianca|aw|aws|ax|axa|az|azure|ba|baby|baidu|banamex|bananarepublic|band|bank|bar|barcelona|barclaycard|barclays|barefoot|bargains|baseball|basketball|bauhaus|bayern|bb|bbc|bbt|bbva|bcg|bcn|bd|be|beats|beauty|beer|bentley|berlin|best|bestbuy|bet|bf|bg|bh|bharti|bi|bible|bid|bike|bing|bingo|bio|biz|bj|black|blackfriday|blanco|blockbuster|blog|bloomberg|blue|bm|bms|bmw|bn|bnl|bnpparibas|bo|boats|boehringer|bofa|bom|bond|boo|book|booking|bosch|bostik|boston|bot|boutique|box|br|bradesco|bridgestone|broadway|broker|brother|brussels|bs|bt|budapest|bugatti|build|builders|business|buy|buzz|bv|bw|by|bz|bzh|ca|cab|cafe|cal|call|calvinklein|cam|camera|camp|cancerresearch|canon|capetown|capital|capitalone|car|caravan|cards|care|career|careers|cars|cartier|casa|case|caseih|cash|casino|cat|catering|catholic|cba|cbn|cbre|cbs|cc|cd|ceb|center|ceo|cern|cf|cfa|cfd|cg|ch|chanel|channel|charity|chase|chat|cheap|chintai|christmas|chrome|chrysler|church|ci|cipriani|circle|cisco|citadel|citi|citic|city|cityeats|ck|cl|claims|cleaning|click|clinic|clinique|clothing|cloud|club|clubmed|cm|cn|co|coach|codes|coffee|college|cologne|com|comcast|commbank|community|company|compare|computer|comsec|condos|construction|consulting|contact|contractors|cooking|cookingchannel|cool|coop|corsica|country|coupon|coupons|courses|cr|credit|creditcard|creditunion|cricket|crown|crs|cruise|cruises|csc|cu|cuisinella|cv|cw|cx|cy|cymru|cyou|cz|dabur|dad|dance|data|date|dating|datsun|day|dclk|dds|de|deal|dealer|deals|degree|delivery|dell|deloitte|delta|democrat|dental|dentist|desi|design|dev|dhl|diamonds|diet|digital|direct|directory|discount|discover|dish|diy|dj|dk|dm|dnp|do|docs|doctor|dodge|dog|doha|domains|dot|download|drive|dtv|dubai|duck|dunlop|duns|dupont|durban|dvag|dvr|dz|earth|eat|ec|eco|edeka|edu|education|ee|eg|email|emerck|energy|engineer|engineering|enterprises|epost|epson|equipment|er|ericsson|erni|es|esq|estate|esurance|et|etisalat|eu|eurovision|eus|events|everbank|exchange|expert|exposed|express|extraspace|fage|fail|fairwinds|faith|family|fan|fans|farm|farmers|fashion|fast|fedex|feedback|ferrari|ferrero|fi|fiat|fidelity|fido|film|final|finance|financial|fire|firestone|firmdale|fish|fishing|fit|fitness|fj|fk|flickr|flights|flir|florist|flowers|fly|fm|fo|foo|food|foodnetwork|football|ford|forex|forsale|forum|foundation|fox|fr|free|fresenius|frl|frogans|frontdoor|frontier|ftr|fujitsu|fujixerox|fun|fund|furniture|futbol|fyi|ga|gal|gallery|gallo|gallup|game|games|gap|garden|gb|gbiz|gd|gdn|ge|gea|gent|genting|george|gf|gg|ggee|gh|gi|gift|gifts|gives|giving|gl|glade|glass|gle|global|globo|gm|gmail|gmbh|gmo|gmx|gn|godaddy|gold|goldpoint|golf|goo|goodhands|goodyear|goog|google|gop|got|gov|gp|gq|gr|grainger|graphics|gratis|green|gripe|grocery|group|gs|gt|gu|guardian|gucci|guge|guide|guitars|guru|gw|gy|hair|hamburg|hangout|haus|hbo|hdfc|hdfcbank|health|healthcare|help|helsinki|here|hermes|hgtv|hiphop|hisamitsu|hitachi|hiv|hk|hkt|hm|hn|hockey|holdings|holiday|homedepot|homegoods|homes|homesense|honda|honeywell|horse|hospital|host|hosting|hot|hoteles|hotels|hotmail|house|how|hr|hsbc|ht|hu|hughes|hyatt|hyundai|ibm|icbc|ice|icu|id|ie|ieee|ifm|ikano|il|im|imamat|imdb|immo|immobilien|in|inc|industries|infiniti|info|ing|ink|institute|insurance|insure|int|intel|international|intuit|investments|io|ipiranga|iq|ir|irish|is|iselect|ismaili|ist|istanbul|it|itau|itv|iveco|jaguar|java|jcb|jcp|je|jeep|jetzt|jewelry|jio|jlc|jll|jm|jmp|jnj|jo|jobs|joburg|jot|joy|jp|jpmorgan|jprs|juegos|juniper|kaufen|kddi|ke|kerryhotels|kerrylogistics|kerryproperties|kfh|kg|kh|ki|kia|kim|kinder|kindle|kitchen|kiwi|km|kn|koeln|komatsu|kosher|kp|kpmg|kpn|kr|krd|kred|kuokgroup|kw|ky|kyoto|kz|la|lacaixa|ladbrokes|lamborghini|lamer|lancaster|lancia|lancome|land|landrover|lanxess|lasalle|lat|latino|latrobe|law|lawyer|lb|lc|lds|lease|leclerc|lefrak|legal|lego|lexus|lgbt|li|liaison|lidl|life|lifeinsurance|lifestyle|lighting|like|lilly|limited|limo|lincoln|linde|link|lipsy|live|living|lixil|lk|llc|loan|loans|locker|locus|loft|lol|london|lotte|lotto|love|lpl|lplfinancial|lr|ls|lt|ltd|ltda|lu|lundbeck|lupin|luxe|luxury|lv|ly|ma|macys|madrid|maif|maison|makeup|man|management|mango|map|market|marketing|markets|marriott|marshalls|maserati|mattel|mba|mc|mckinsey|md|me|med|media|meet|melbourne|meme|memorial|men|menu|merckmsd|metlife|mg|mh|miami|microsoft|mil|mini|mint|mit|mitsubishi|mk|ml|mlb|mls|mm|mma|mn|mo|mobi|mobile|mobily|moda|moe|moi|mom|monash|money|monster|mopar|mormon|mortgage|moscow|moto|motorcycles|mov|movie|movistar|mp|mq|mr|ms|msd|mt|mtn|mtr|mu|museum|mutual|mv|mw|mx|my|mz|na|nab|nadex|nagoya|name|nationwide|natura|navy|nba|nc|ne|nec|net|netbank|netflix|network|neustar|new|newholland|news|next|nextdirect|nexus|nf|nfl|ng|ngo|nhk|ni|nico|nike|nikon|ninja|nissan|nissay|nl|no|nokia|northwesternmutual|norton|now|nowruz|nowtv|np|nr|nra|nrw|ntt|nu|nyc|nz|obi|observer|off|office|okinawa|olayan|olayangroup|oldnavy|ollo|om|omega|one|ong|onl|online|onyourside|ooo|open|oracle|orange|org|organic|origins|osaka|otsuka|ott|ovh|pa|page|panasonic|panerai|paris|pars|partners|parts|party|passagens|pay|pccw|pe|pet|pf|pfizer|pg|ph|pharmacy|phd|philips|phone|photo|photography|photos|physio|piaget|pics|pictet|pictures|pid|pin|ping|pink|pioneer|pizza|pk|pl|place|play|playstation|plumbing|plus|pm|pn|pnc|pohl|poker|politie|porn|post|pr|pramerica|praxi|press|prime|pro|prod|productions|prof|progressive|promo|properties|property|protection|pru|prudential|ps|pt|pub|pw|pwc|py|qa|qpon|quebec|quest|qvc|racing|radio|raid|re|read|realestate|realtor|realty|recipes|red|redstone|redumbrella|rehab|reise|reisen|reit|reliance|ren|rent|rentals|repair|report|republican|rest|restaurant|review|reviews|rexroth|rich|richardli|ricoh|rightathome|ril|rio|rip|rmit|ro|rocher|rocks|rodeo|rogers|room|rs|rsvp|ru|rugby|ruhr|run|rw|rwe|ryukyu|sa|saarland|safe|safety|sakura|sale|salon|samsclub|samsung|sandvik|sandvikcoromant|sanofi|sap|sarl|sas|save|saxo|sb|sbi|sbs|sc|sca|scb|schaeffler|schmidt|scholarships|school|schule|schwarz|science|scjohnson|scor|scot|sd|se|search|seat|secure|security|seek|select|sener|services|ses|seven|sew|sex|sexy|sfr|sg|sh|shangrila|sharp|shaw|shell|shia|shiksha|shoes|shop|shopping|shouji|show|showtime|shriram|si|silk|sina|singles|site|sj|sk|ski|skin|sky|skype|sl|sling|sm|smart|smile|sn|sncf|so|soccer|social|softbank|software|sohu|solar|solutions|song|sony|soy|space|spiegel|sport|spot|spreadbetting|sr|srl|srt|st|stada|staples|star|starhub|statebank|statefarm|statoil|stc|stcgroup|stockholm|storage|store|stream|studio|study|style|su|sucks|supplies|supply|support|surf|surgery|suzuki|sv|swatch|swiftcover|swiss|sx|sy|sydney|symantec|systems|sz|tab|taipei|talk|taobao|target|tatamotors|tatar|tattoo|tax|taxi|tc|tci|td|tdk|team|tech|technology|tel|telefonica|temasek|tennis|teva|tf|tg|th|thd|theater|theatre|tiaa|tickets|tienda|tiffany|tips|tires|tirol|tj|tjmaxx|tjx|tk|tkmaxx|tl|tm|tmall|tn|to|today|tokyo|tools|top|toray|toshiba|total|tours|town|toyota|toys|tr|trade|trading|training|travel|travelchannel|travelers|travelersinsurance|trust|trv|tt|tube|tui|tunes|tushu|tv|tvs|tw|tz|ua|ubank|ubs|uconnect|ug|uk|unicom|university|uno|uol|ups|us|uy|uz|va|vacations|vana|vanguard|vc|ve|vegas|ventures|verisign|versicherung|vet|vg|vi|viajes|video|vig|viking|villas|vin|vip|virgin|visa|vision|vistaprint|viva|vivo|vlaanderen|vn|vodka|volkswagen|volvo|vote|voting|voto|voyage|vu|vuelos|wales|walmart|walter|wang|wanggou|warman|watch|watches|weather|weatherchannel|webcam|weber|website|wed|wedding|weibo|weir|wf|whoswho|wien|wiki|williamhill|win|windows|wine|winners|wme|wolterskluwer|woodside|work|works|world|wow|ws|wtc|wtf|xbox|xerox|xfinity|xihuan|xin|xn--11b4c3d|xn--1ck2e1b|xn--1qqw23a|xn--2scrj9c|xn--30rr7y|xn--3bst00m|xn--3ds443g|xn--3e0b707e|xn--3hcrj9c|xn--3oq18vl8pn36a|xn--3pxu8k|xn--42c2d9a|xn--45br5cyl|xn--45brj9c|xn--45q11c|xn--4gbrim|xn--54b7fta0cc|xn--55qw42g|xn--55qx5d|xn--5su34j936bgsg|xn--5tzm5g|xn--6frz82g|xn--6qq986b3xl|xn--80adxhks|xn--80ao21a|xn--80aqecdr1a|xn--80asehdb|xn--80aswg|xn--8y0a063a|xn--90a3ac|xn--90ae|xn--90ais|xn--9dbq2a|xn--9et52u|xn--9krt00a|xn--b4w605ferd|xn--bck1b9a5dre4c|xn--c1avg|xn--c2br7g|xn--cck2b3b|xn--cg4bki|xn--clchc0ea0b2g2a9gcd|xn--czr694b|xn--czrs0t|xn--czru2d|xn--d1acj3b|xn--d1alf|xn--e1a4c|xn--eckvdtc9d|xn--efvy88h|xn--estv75g|xn--fct429k|xn--fhbei|xn--fiq228c5hs|xn--fiq64b|xn--fiqs8s|xn--fiqz9s|xn--fjq720a|xn--flw351e|xn--fpcrj9c3d|xn--fzc2c9e2c|xn--fzys8d69uvgm|xn--g2xx48c|xn--gckr3f0f|xn--gecrj9c|xn--gk3at1e|xn--h2breg3eve|xn--h2brj9c|xn--h2brj9c8c|xn--hxt814e|xn--i1b6b1a6a2e|xn--imr513n|xn--io0a7i|xn--j1aef|xn--j1amh|xn--j6w193g|xn--jlq61u9w7b|xn--jvr189m|xn--kcrx77d1x4a|xn--kprw13d|xn--kpry57d|xn--kpu716f|xn--kput3i|xn--l1acc|xn--lgbbat1ad8j|xn--mgb9awbf|xn--mgba3a3ejt|xn--mgba3a4f16a|xn--mgba7c0bbn0a|xn--mgbaakc7dvf|xn--mgbaam7a8h|xn--mgbab2bd|xn--mgbai9azgqp6j|xn--mgbayh7gpa|xn--mgbb9fbpob|xn--mgbbh1a|xn--mgbbh1a71e|xn--mgbc0a9azcg|xn--mgbca7dzdo|xn--mgberp4a5d4ar|xn--mgbgu82a|xn--mgbi4ecexp|xn--mgbpl2fh|xn--mgbt3dhd|xn--mgbtx2b|xn--mgbx4cd0ab|xn--mix891f|xn--mk1bu44c|xn--mxtq1m|xn--ngbc5azd|xn--ngbe9e0a|xn--ngbrx|xn--node|xn--nqv7f|xn--nqv7fs00ema|xn--nyqy26a|xn--o3cw4h|xn--ogbpf8fl|xn--otu796d|xn--p1acf|xn--p1ai|xn--pbt977c|xn--pgbs0dh|xn--pssy2u|xn--q9jyb4c|xn--qcka1pmc|xn--qxam|xn--rhqv96g|xn--rovu88b|xn--rvc1e0am3e|xn--s9brj9c|xn--ses554g|xn--t60b56a|xn--tckwe|xn--tiq49xqyj|xn--unup4y|xn--vermgensberater-ctb|xn--vermgensberatung-pwb|xn--vhquv|xn--vuq861b|xn--w4r85el8fhu5dnra|xn--w4rs40l|xn--wgbh1c|xn--wgbl6a|xn--xhq521b|xn--xkc2al3hye2a|xn--xkc2dl3a5ee0h|xn--y9a3aq|xn--yfro4i67o|xn--ygbi2ammx|xn--zfr164b|xxx|xyz|yachts|yahoo|yamaxun|yandex|ye|yodobashi|yoga|yokohama|you|youtube|yt|yun|za|zappos|zara|zero|zip|zippo|zm|zone|zuerich|zw)|(?:(?:[0-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:[0-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]))(?:[;/][^#?<>\s]*)?(?:\?[^#<>\s]*)?(?:#[^<>\s\(\)]*)?(?!\w))',
            re.IGNORECASE,
        )

        # Set of suspicious keywords
        self.suspicious_keywords = {
            "eval",
            "Function",
            "unescape",
            "execCommand",
            "ActiveXObject",
            "XMLHttpRequest",
            "onerror",
            "onload",
            "onclick",
            "WebSocket",
            "crypto",
            "Worker",
        }

    def scan(self, data, file, options, expire_at):
        """
        Scans a Javascript file, tokenizes it, and extracts useful components.

        Args:
            data: Content of the file being scanned.
            file: File metadata.
            options: Scanner options.
            expire_at: Expiry timestamp of the scan task.
        """
        beautify = options.get("beautify", True)
        max_strings = options.get("max_strings", 50)

        self.event.setdefault("tokens", set())
        self.event.setdefault("keywords", set())
        self.event.setdefault("strings", set())
        self.event.setdefault("identifiers", set())
        self.event.setdefault("regular_expressions", set())
        self.event.setdefault("suspicious_keywords", set())
        self.event.setdefault("urls", set())
        self.event["beautified"] = False

        # Get script length
        self.event["script_length_bytes"] = len(data)

        if beautify:
            try:
                data = jsbeautifier.beautify(data.decode())
                self.event["beautified"] = True
            except Exception as e:
                self.flags.append(f"beautify_error: {str(e)[:50]}")

        try:
            tokens = esprima.tokenize(data, options={"comment": True, "tolerant": True})
            for t in tokens:
                self.process_token(t, max_strings)
        except Exception as e:
            self.flags.append(f"tokenization_error: {str(e)[:50]}")

        # Convert sets to lists and trim to max_strings
        try:
            self.trim_event_data(max_strings)
        except Exception as e:
            self.flags.append(f"output_error: {str(e)[:50]}")

        # Remove duplicates and add URLs as IOCs
        try:
            if self.event["urls"]:
                self.event["urls"] = list(set(self.event["urls"]))
                self.add_iocs(self.event["urls"])
        except Exception as e:
            self.flags.append(f"ioc_extraction_error: {str(e)[:50]}")

    def process_token(self, token, max_strings):
        """Processes each token, categorizing and storing relevant data."""
        self.event["tokens"].add(token.type)

        if token.type == "String":
            stripped_val = token.value.strip("\"'")
            self.event["strings"].add(stripped_val)
            self.extract_urls(stripped_val, max_strings)
        elif token.type == "Keyword":
            self.event["keywords"].add(token.value)
        elif token.type == "Identifier":
            if token.value in self.suspicious_keywords:
                self.event["suspicious_keywords"].add(token.value)
            self.event["identifiers"].add(token.value)
        elif token.type == "RegularExpression":
            self.event["regular_expressions"].add(token.value)

    def extract_urls(self, text, max_strings):
        """Extracts URLs from the provided text using regex matching."""
        urls = self.url_regex.findall(text)
        for url in urls:
            self.event["urls"].add(url)
            if len(self.event["urls"]) >= max_strings:
                break

    def trim_event_data(self, max_strings):
        """Trims the event data to the maximum number of strings specified."""
        for key in [
            "tokens",
            "keywords",
            "strings",
            "identifiers",
            "regular_expressions",
            "urls",
            "suspicious_keywords",
        ]:
            self.event[key] = list(self.event[key])[:max_strings]

scan(data, file, options, expire_at)

Scans a Javascript file, tokenizes it, and extracts useful components.

Parameters:

Name Type Description Default
data

Content of the file being scanned.

 required
file

File metadata.

 required
options

Scanner options.

 required
expire_at

Expiry timestamp of the scan task.

 required
Source code in strelka/src/python/strelka/scanners/scan_javascript.py 
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
def scan(self, data, file, options, expire_at):
    """
    Scans a Javascript file, tokenizes it, and extracts useful components.

    Args:
        data: Content of the file being scanned.
        file: File metadata.
        options: Scanner options.
        expire_at: Expiry timestamp of the scan task.
    """
    beautify = options.get("beautify", True)
    max_strings = options.get("max_strings", 50)

    self.event.setdefault("tokens", set())
    self.event.setdefault("keywords", set())
    self.event.setdefault("strings", set())
    self.event.setdefault("identifiers", set())
    self.event.setdefault("regular_expressions", set())
    self.event.setdefault("suspicious_keywords", set())
    self.event.setdefault("urls", set())
    self.event["beautified"] = False

    # Get script length
    self.event["script_length_bytes"] = len(data)

    if beautify:
        try:
            data = jsbeautifier.beautify(data.decode())
            self.event["beautified"] = True
        except Exception as e:
            self.flags.append(f"beautify_error: {str(e)[:50]}")

    try:
        tokens = esprima.tokenize(data, options={"comment": True, "tolerant": True})
        for t in tokens:
            self.process_token(t, max_strings)
    except Exception as e:
        self.flags.append(f"tokenization_error: {str(e)[:50]}")

    # Convert sets to lists and trim to max_strings
    try:
        self.trim_event_data(max_strings)
    except Exception as e:
        self.flags.append(f"output_error: {str(e)[:50]}")

    # Remove duplicates and add URLs as IOCs
    try:
        if self.event["urls"]:
            self.event["urls"] = list(set(self.event["urls"]))
            self.add_iocs(self.event["urls"])
    except Exception as e:
        self.flags.append(f"ioc_extraction_error: {str(e)[:50]}")

process_token(token, max_strings)

Processes each token, categorizing and storing relevant data.

Source code in strelka/src/python/strelka/scanners/scan_javascript.py 
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
def process_token(self, token, max_strings):
    """Processes each token, categorizing and storing relevant data."""
    self.event["tokens"].add(token.type)

    if token.type == "String":
        stripped_val = token.value.strip("\"'")
        self.event["strings"].add(stripped_val)
        self.extract_urls(stripped_val, max_strings)
    elif token.type == "Keyword":
        self.event["keywords"].add(token.value)
    elif token.type == "Identifier":
        if token.value in self.suspicious_keywords:
            self.event["suspicious_keywords"].add(token.value)
        self.event["identifiers"].add(token.value)
    elif token.type == "RegularExpression":
        self.event["regular_expressions"].add(token.value)

extract_urls(text, max_strings)

Extracts URLs from the provided text using regex matching.

Source code in strelka/src/python/strelka/scanners/scan_javascript.py 
115
116
117
118
119
120
121
def extract_urls(self, text, max_strings):
    """Extracts URLs from the provided text using regex matching."""
    urls = self.url_regex.findall(text)
    for url in urls:
        self.event["urls"].add(url)
        if len(self.event["urls"]) >= max_strings:
            break

trim_event_data(max_strings)

Trims the event data to the maximum number of strings specified.

Source code in strelka/src/python/strelka/scanners/scan_javascript.py 
123
124
125
126
127
128
129
130
131
132
133
134
def trim_event_data(self, max_strings):
    """Trims the event data to the maximum number of strings specified."""
    for key in [
        "tokens",
        "keywords",
        "strings",
        "identifiers",
        "regular_expressions",
        "urls",
        "suspicious_keywords",
    ]:
        self.event[key] = list(self.event[key])[:max_strings]

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature
Support
IOC Support
Emit Files
Extended Docs
Malware Scanner
Image Thumbnails

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype
Include / Exclude
javascript_file
text/javascript

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Field Name
Field Type
beautified
bool
elapsed
str
flags
list
identifiers
str
iocs
str
keywords
str
regular_expressions
str
script_length_bytes
int
strings
str
suspicious_keywords
str
tokens
str
urls
str

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

    test_scan_event = {
        "elapsed": 0.001,
        "flags": [],
        "tokens": unordered(
            [
                "LineComment",
                "String",
                "Identifier",
                "Punctuator",
                "RegularExpression",
                "Numeric",
                "BlockComment",
                "Keyword",
            ]
        ),
        "keywords": unordered(
            [
                "var",
                "in",
                "this",
                "typeof",
                "return",
                "function",
                "if",
                "else",
                "throw",
                "new",
                "for",
            ]
        ),
        "strings": unordered(
            [
                "",
                "ws",
                "open",
                "string",
                "ftp://suspicious-ftp-server.org",
                "Checking URL: ",
                "Fetching data from: ",
                "base64",
                "path",
                ".",
                "-",
                " (",
                "fs",
                "utf8",
                "package.json",
                "https://another-example-bad-site.net",
                "Found unknown type of partial ",
                "use strict",
                ") in Handlebars partial Array => ",
                "function",
                "Could not find partial with name ",
                "http://example-malicious-site.com",
                "http://example-malicious-site.com/data",
                "Connection established",
            ]
        ),
        "identifiers": unordered(
            [
                "compile",
                "Handlebars",
                "send",
                "urls",
                "partials",
                "JSON",
                "pkg",
                "open",
                "eval",
                "console",
                "params",
                "cwd",
                "register",
                "key",
                "replace",
                "suspiciousUrl",
                "toLowerCase",
                "hasOwnProperty",
                "WebSocket",
                "concat",
                "arguments",
                "ws",
                "partial",
                "Buffer",
                "helpers",
                "btoa",
                "dynamicEval",
                "opt",
                "slugify",
                "str",
                "jsonStringify",
                "process",
                "url",
                "stringify",
                "i",
                "fetchDataFromUrl",
                "context",
                "log",
                "SafeString",
                "on",
                "checkMultipleUrls",
                "code",
                "helper",
                "escape",
                "a",
                "Utils",
                "name",
                "atob",
                "fs",
                "obj",
                "join",
                "path",
                "module",
                "forEach",
                "length",
                "establishWebSocket",
                "arr",
                "b",
                "require",
                "readFileSync",
                "toString",
                "parse",
                "exports",
                "escapeExpression",
                "registerHelper",
            ]
        ),
        "regular_expressions": unordered(["/ +/g", "/[^\\w ]+/g"]),
        "suspicious_keywords": unordered(["WebSocket", "eval"]),
        "urls": unordered(
            [
                "https://another-example-bad-site.net",
                "http://example-malicious-site.com",
                "ftp://suspicious-ftp-server.org",
                "http://example-malicious-site.com/data",
            ]
        ),
        "beautified": True,
        "script_length_bytes": 3127,
        "iocs": unordered(
            [
                {
                    "ioc": "suspicious-ftp-server.org",
                    "ioc_type": "domain",
                    "scanner": "ScanJavascript",
                },
                {
                    "ioc": "ftp://suspicious-ftp-server.org",
                    "ioc_type": "url",
                    "scanner": "ScanJavascript",
                },
                {
                    "ioc": "example-malicious-site.com",
                    "ioc_type": "domain",
                    "scanner": "ScanJavascript",
                },
                {
                    "ioc": "http://example-malicious-site.com",
                    "ioc_type": "url",
                    "scanner": "ScanJavascript",
                },
                {
                    "ioc": "http://example-malicious-site.com/data",
                    "ioc_type": "url",
                    "scanner": "ScanJavascript",
                },
                {
                    "ioc": "another-example-bad-site.net",
                    "ioc_type": "domain",
                    "scanner": "ScanJavascript",
                },
                {
                    "ioc": "https://another-example-bad-site.net",
                    "ioc_type": "url",
                    "scanner": "ScanJavascript",
                },
            ]
        ),
    }