From 3c75dbd8e3a8086f683e5d3a463903b84bf34784 Mon Sep 17 00:00:00 2001
From: Andriy Brukhovetskyy
Date: Fri, 10 Jan 2025 14:48:33 +0100
Subject: [PATCH 1/2] yara_detect

---
 lib/cuckoo/common/abstracts.py | 38 ++++++++++++++++++++--------------
 modules/processing/CAPE.py | 6 ++++--
 modules/processing/pcapng.py | 1 +
 3 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/lib/cuckoo/common/abstracts.py b/lib/cuckoo/common/abstracts.py
index 567a53a6bd6..98bdd1782ab 100644
--- a/lib/cuckoo/common/abstracts.py
+++ b/lib/cuckoo/common/abstracts.py
@@ -842,12 +842,14 @@ def yara_detected(self, name):
 if re.findall(name, yara_block["name"], re.I):
 yield "sample", self.results["target"]["file"]["path"], yara_block, self.results["target"]["file"]

- for block in target["file"].get("extracted_files", []):
- for keyword in ("cape_yara", "yara"):
- for yara_block in block[keyword]:
- if re.findall(name, yara_block["name"], re.I):
- # we can't use here values from set_path
- yield "sample", block["path"], yara_block, block
+ if target["file"].get("selfextract"):
+ for _, toolsblock in target["file"]["selfextract"].items():
+ for block in toolsblock.get("extracted_files", []):
+ for keyword in ("cape_yara", "yara"):
+ for yara_block in block[keyword]:
+ if re.findall(name, yara_block["name"], re.I):
+ # we can't use here values from set_path
+ yield "sample", block["path"], yara_block, block

 for block in self.results.get("CAPE", {}).get("payloads", []) or []:
 for sub_keyword in ("cape_yara", "yara"):
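Review bot: The new selfextract walk keeps the direct `block[keyword]` index for both "cape_yara" and "yara", so a single extracted_files entry lacking one of those keys raises KeyError and aborts the generator, suppressing every later hit for the task; the CAPE.py hunk in this same patch treats `cape_yara` as optional on exactly these entries (`file.get("cape_yara", [])`), which suggests the key can be absent. I'd write `for yara_block in block.get(keyword, []) or []:` so one malformed entry does not hide the rest. The dict is also iterated with `for _, toolsblock in ....items()` while only the values are used; `for toolsblock in target["file"]["selfextract"].values():` says the same with less noise. yara_detected begins before and continues after this hunk.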
@@ -855,11 +857,13 @@ def yara_detected(self, name):
 if re.findall(name, yara_block["name"], re.I):
 yield sub_keyword, block["path"], yara_block, block

- for subblock in block.get("extracted_files", []):
- for keyword in ("cape_yara", "yara"):
- for yara_block in subblock[keyword]:
- if re.findall(name, yara_block["name"], re.I):
- yield "sample", subblock["path"], yara_block, block
+ if block.get("selfextract", {}):
+ for _, toolsblock in block["selfextract"].items():
+ for subblock in toolsblock.get("extracted_files", []):
+ for keyword in ("cape_yara", "yara"):
+ for yara_block in subblock[keyword]:
+ if re.findall(name, yara_block["name"], re.I):
+ yield "sample", subblock["path"], yara_block, block

 for keyword in ("procdump", "procmemory", "extracted", "dropped"):
 if self.results.get(keyword) is not None:
@@ -879,11 +883,13 @@ def yara_detected(self, name):
 if re.findall(name, yara_block["name"], re.I):
 yield "extracted_pe", pe["path"], yara_block, block

- for subblock in block.get("extracted_files", []):
- for keyword in ("cape_yara", "yara"):
- for yara_block in subblock[keyword]:
- if re.findall(name, yara_block["name"], re.I):
- yield "sample", subblock["path"], yara_block, block
+ if block.get("selfextract", {}):
+ for _, toolsblock in block["selfextract"].items():
+ for subblock in toolsblock.get("extracted_files", []):
+ for keyword in ("cape_yara", "yara"):
+ for yara_block in subblock[keyword]:
+ if re.findall(name, yara_block["name"], re.I):
+ yield "sample", subblock["path"], yara_block, block

 macro_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(self.results["info"]["id"]), "macros")
 for macroname in self.results.get("static", {}).get("office", {}).get("Macro", {}).get("info", []) or []:
diff --git a/modules/processing/CAPE.py b/modules/processing/CAPE.py
index 2170f9f4e07..f8ad8ba427e 100644
--- a/modules/processing/CAPE.py
+++ b/modules/processing/CAPE.py
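Review bot: The yield for an extracted file under a CAPE payload returns the parent `block` as its fourth element while the path comes from `subblock`, whereas the selfextract walk for the target file (hunk at line 842) yields the extracted file record itself; if consumers treat the fourth element as the record of the matched file, hits on payload-extracted files will carry the payload's metadata instead of the file's. Unless that is deliberate, `yield "sample", subblock["path"], yara_block, subblock` keeps the two walks consistent, and if it is deliberate a one-line comment saying why the payload record is returned would stop the next reader from "fixing" it. Minor: `block.get("selfextract", {})` under a truthiness test gains nothing from the `{}` default; `if block.get("selfextract"):` reads the same. yara_detected continues outside this hunk.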
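Review bot: In the procdump/procmemory/extracted/dropped walk the new nested loop still indexes `subblock[keyword]` for both "cape_yara" and "yara", so one extracted_files entry without a key raises KeyError from inside the generator and ends the whole enumeration for every remaining category; given the CAPE.py hunk in this patch guards the same entries with `file.get("cape_yara", [])`, the key is evidently not guaranteed. `for yara_block in subblock.get(keyword, []) or []:` makes the walk tolerant. The `for _, toolsblock in block["selfextract"].items():` line only uses values; `for toolsblock in block["selfextract"].values():` is the idiomatic form. The enclosing loop over keywords starts before this hunk and the method continues after it.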
@@ -163,6 +163,7 @@ def process_file(self, file_path, append_file, metadata: dict, *, category: str,
 """
 if not path_exists(file_path):
+ log.debug("file doesn't exist: %s", file_path)
 return

 cape_names = set()
@@ -206,7 +207,8 @@ def process_file(self, file_path, append_file, metadata: dict, *, category: str,
 type_string, append_file = self._metadata_processing(metadata, file_info, append_file)

- if processing_conf.CAPE.targetinfo and category in ("static", "file"):
+ # import code;code.interact(local=dict(locals(), **globals()))
+ if category in ("static", "file"):
 if MISP_HASH_LOOKUP:
 misp_hash_lookup(file_info["sha256"], str(self.task["id"]), file_info)

@@ -256,7 +258,7 @@ def process_file(self, file_path, append_file, metadata: dict, *, category: str,
 # Process CAPE Yara hits
 # Prefilter extracted data + beauty is better than oneliner:
 all_files = []
- for key, value in file_info.get("selfextract", {}).items():
+ for _, value in file_info.get("selfextract", {}).items():
 for file in value.get("extracted_files", []):
 if not file.get("cape_yara", []):
 continue
diff --git a/modules/processing/pcapng.py b/modules/processing/pcapng.py
index c1868a57acc..f41e288cb97 100644
--- a/modules/processing/pcapng.py
+++ b/modules/processing/pcapng.py
@@ -80,6 +80,7 @@ def append_file_contents_to_file(self, file_with_contents, append_to_file):
 dst.write(src.read())

 def generate_pcapng(self, sslkeylogfile_path):
+ # ToDo bail if file is empty
 cmd = [EDITCAP, "--inject-secrets", "tls," + sslkeylogfile_path, self.pcap_path, self.pcapng_path]
 log.debug("generating pcapng with command '%s", cmd)
 subprocess.check_call(cmd, timeout=EDITCAP_TIMEOUT)
From 11de9d8ed5a45810bdab1d941917e5741948ada7 Mon Sep 17 00:00:00 2001
From: Andriy Brukhovetskyy
Date: Fri, 10 Jan 2025 14:49:03 +0100
Subject: [PATCH 2/2] yara_detect

---
 modules/processing/CAPE.py | 1 -
 1 file changed, 1 deletion(-)
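Review bot: Dropping `processing_conf.CAPE.targetinfo and` from the condition at line 206 means the MISP hash lookup now runs for every static/file target whenever MISP_HASH_LOOKUP is set, with no per-config gate left; if operators relied on the targetinfo flag to keep sample hashes from leaving an isolated sandbox, this silently starts outbound queries to the configured MISP instance, and the commit message ("yara_detect") does not say that was intended. If the flag was only meant to control target-info enrichment and not the lookup, a comment such as `# MISP lookup is governed by MISP_HASH_LOOKUP alone, independent of CAPE.targetinfo` would stop the next reader from restoring it; otherwise keep the operator control with `if category in ("static", "file") and MISP_HASH_LOOKUP and processing_conf.CAPE.targetinfo:`. process_file starts before and continues after this hunk.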
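Review bot: `# ToDo bail if file is empty` leaves the guard unimplemented, so editcap is still launched with an empty or absent sslkeylogfile on the next line and the outcome depends on how editcap handles it; the check is small enough to land with the comment: `if not os.path.isfile(sslkeylogfile_path) or os.path.getsize(sslkeylogfile_path) == 0:` / `log.debug("sslkeylogfile %s is missing or empty, skipping pcapng generation", sslkeylogfile_path)` / `return`, assuming `os` is imported in this module (not visible here). Whether generate_pcapng continues past `subprocess.check_call` is outside the hunk.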
diff --git a/modules/processing/CAPE.py b/modules/processing/CAPE.py
index f8ad8ba427e..f1602605e5f 100644
--- a/modules/processing/CAPE.py
+++ b/modules/processing/CAPE.py
@@ -207,7 +207,6 @@ def process_file(self, file_path, append_file, metadata: dict, *, category: str,
 type_string, append_file = self._metadata_processing(metadata, file_info, append_file)

- # import code;code.interact(local=dict(locals(), **globals()))
 if category in ("static", "file"):
 if MISP_HASH_LOOKUP:
 misp_hash_lookup(file_info["sha256"], str(self.task["id"]), file_info)