-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathservice_manifest.yml
137 lines (117 loc) · 4.13 KB
/
service_manifest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Espresso
version: $SERVICE_TAG
description: This Assemblyline service analyzes Java JAR files. All classes are extracted, decompiled and analyzed for malicious behavior.
# Regex defining the types of files the service accepts and rejects
accepts: java/jar
rejects: empty|metadata/.*
# At which stage the service should run (one of FILTER, EXTRACT, CORE, SECONDARY, POST, REVIEW)
# NOTE: Stages are executed in the order defined in the list
stage: CORE
# Which category the service is part of (one of Antivirus, Dynamic Analysis, External, Extraction, Filtering, Internet Connected, Networking, Static Analysis)
category: Static Analysis
# Does the service require access to the file to perform its task
# If set to false, the service will only have access to the file metadata (e.g. Hashes, size, type, ...)
file_required: true
# Maximum execution time the service has before it's considered to be timed out
timeout: 180
# is the service enabled by default
enabled: true
privileged: true
heuristics:
- heur_id: 1
name: Embedded PE, mz in applet
score: 500
filetype: java/jar
description: If the first two bytes of the JAR file are MZ there is an embedded executable detected.
- heur_id: 2
name: Embedded PE
score: 100
filetype: java/jar
description: If the first two bytes of the JAR file are MZ there is an embedded executable detected.
- heur_id: 3
name: Launchable File in JAR, mz in applet
score: 500
filetype: java/jar
description: >-
If the file path has any of the following extensions:
'BAT' - DOS/Windows batch file
'CMD' - Windows Command
'COM' - DOS Command
'EXE' - DOS/Windows executable
'DLL' - Windows library
'LNK' - Windows shortcut
'SCR' - Windows screensaver
then there is a launchable file found inside the JAR.
- heur_id: 4
name: Launchable File in JAR,
score: 100
filetype: java/jar
description: >-
If the file path has any of the following extensions:
'BAT' - DOS/Windows batch file
'CMD' - Windows Command
'COM' - DOS Command
'EXE' - DOS/Windows executable
'DLL' - Windows library
'LNK' - Windows shortcut
'SCR' - Windows screensaver
then there is a launchable file found inside the JAR.
- heur_id: 5
name: Encoding and Magic Bytes
score: 500
filetype: java/jar
description: The file doesnt have the normal class file magic bytes.
- heur_id: 6
name: java/applet/Applet
score: 50
filetype: java/jar
description: Looking for the string "java/applet/Applet" in the file
- heur_id: 7
name: ClassLoader
score: 10
filetype: java/jar
description: Looking for the string "ClassLoader" in the file
- heur_id: 8
name: /security/
score: 10
filetype: java/jar
description: Looking for the string "/security/" in the file
- heur_id: 9
name: net/URL
score: 10
filetype: java/jar
description: Looking for the string "net/URL" in the file
- heur_id: 10
name: java/lang/Runtime
score: 50
filetype: java/jar
description: Looking for the string "java/lang/Runtime" in the file
- heur_id: 11
name: Self-signed certificate
score: 1
filetype: java/jar
description: This JAR is self-signed.
- heur_id: 12
name: No country in certificate owner
score: 100
filetype: java/jar
description: This JAR's certificate has no country in the owner field.
- heur_id: 13
name: Certificate valid for more than 30 years
score: 100
filetype: java/jar
description: JAR's certificate is valid for more than 30 years. This is highly unlikely.
- heur_id: 14
name: Invalid country code in certificate owner
score: 10
filetype: java/jar
description: JAR's certificate has an invalid country code.
- heur_id: 15
name: Certificate expires before validity date starts
score: 500
filetype: java/jar
description: JAR's certificate is expiring before the certificate validity date.
docker_config:
image: ${REGISTRY}cccs/assemblyline-service-espresso:$SERVICE_TAG
cpu_cores: 1.0
ram_mb: 2048