Merge branch 'master' into staging

kevoreilly · Mar 5, 2024 · f9c49bf · f9c49bf
2 parents c5205b9 + 76754ee
commit f9c49bf
Show file tree

Hide file tree

Showing 43 changed files with 1,010 additions and 411 deletions.
diff --git a/.actrc b/.actrc
@@ -0,0 +1,5 @@
+ # Nektos act runs tests as root. Without this environment variable
+ # being set, CAPE exits at line 10 of web/web/settings.py,
+ # and no tests are run.
+
+ --env CAPE_AS_ROOT=1
diff --git a/.github/actions/python-setup/action.yml b/.github/actions/python-setup/action.yml
@@ -0,0 +1,30 @@
+name: 'Python setup steps that can be reused'
+description: 'Install dependencies, poetry, requirements'
+inputs:
+  python-version:
+    required: true
+    description: The python version
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install dependencies
+      if: ${{ runner.os == 'Linux' }}
+      shell: bash
+      run: |
+        sudo apt update && sudo apt-get install -y --no-install-recommends libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev p7zip-full innoextract unrar upx
+
+    - name: Install poetry
+      shell: bash
+      run: pip install poetry
+
+    - name: Set up Python ${{ inputs.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+        cache: 'poetry'
+
+    - name: Install requirements
+      shell: bash
+      run: |
+        poetry install --no-interaction --no-root
diff --git a/.github/workflows/export-requirements.yml b/.github/workflows/export-requirements.yml
@@ -9,6 +9,7 @@ on:
 
 jobs:
   update:
+    if: ${{ !github.event.act }} # skip during local actions testing
     runs-on: ubuntu-latest
     timeout-minutes: 5
     strategy:
@@ -17,13 +18,13 @@ jobs:
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install poetry
         run: pip install poetry
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           # check-latest: true
           python-version: ${{ matrix.python-version }}
@@ -33,6 +34,8 @@ jobs:
         run: poetry export --format requirements.txt --output requirements.txt
 
       - name: Commit changes if any
+        # Skip this step if being run by nektos/act
+        if: ${{ !env.ACT }}
         run: |
           git config user.name "GitHub Actions"
           git config user.email "[email protected]"

diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml
@@ -14,8 +14,8 @@ jobs:
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - uses: pypa/[email protected]
         with:
-          inputs: .
+          inputs: requirements.txt
diff --git a/.github/workflows/python-package-windows.yml b/.github/workflows/python-package-windows.yml
@@ -0,0 +1,36 @@
+name: Python tests on windows
+
+env:
+  COLUMNS: 120
+
+on:
+  push:
+    branches: [ master, staging ]
+  pull_request:
+    branches: [ master, staging ]
+
+jobs:
+  test:
+    runs-on: windows-latest
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11"]
+
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+
+      - name: Install pytest
+        run: pip install pytest
+
+      - name: Run unit tests
+        run: |
+          cd analyzer/windows
+          pytest -v .
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -16,37 +16,21 @@ jobs:
     strategy:
       matrix:
         python-version: ["3.10", "3.11"]
-
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
       - name: Checkout test files repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: CAPESandbox/CAPE-TestFiles
           path: tests/data/
 
-      - name: Install dependencies
-        run: |
-          sudo apt update && sudo apt-get install libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev p7zip-full innoextract unrar upx
-
-      - name: Install poetry
-        run: pip install poetry
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+      - uses: ./.github/actions/python-setup/
         with:
-          # check-latest: true
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-
-      - name: Install requirements
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
-        run: |
-          poetry install --no-interaction --no-root
 
       - name: Install pyattck
         run: |
@@ -58,18 +42,18 @@ jobs:
       - name: Run unit tests
         run: poetry run python -m pytest --import-mode=append
 
-      # Test parsers only if any parser changed
-      - uses: dorny/paths-filter@v2
+      - name: See if any parser changed
+        uses: dorny/paths-filter@v3
         id: changes
         with:
           filters: |
             src:
               - 'modules/processing/parsers/CAPE/*.py'
 
-      - if: steps.changes.outputs.src == 'true'
+      - name: Test parsers only if any parser changed
+        if: steps.changes.outputs.src == 'true'
         run: poetry run python -m pytest tests_parsers -s --import-mode=append
 
-  # Todo unify in future
   format:
     runs-on: ubuntu-latest
     timeout-minutes: 20
@@ -80,25 +64,12 @@ jobs:
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
-
-      - name: Install dependencies
-        run: |
-          sudo apt-get install libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev
+        uses: actions/checkout@v4
 
-      - name: Install poetry
-        run: pip install poetry
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+      - name: Set up python
+        uses: ./.github/actions/python-setup
         with:
-          check-latest: true
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-      - name: Install requirements
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
-        run: |
-          poetry install --no-interaction --no-root
 
       - name: Format with black
         run: poetry run black .
@@ -108,6 +79,8 @@ jobs:
         run: poetry run isort .
 
       - name: Commit changes if any
+        # Skip this step if being run by nektos/act
+        if: ${{ !env.ACT }}
         run: |
           git config user.name "GitHub Actions"
           git config user.email "[email protected]"

diff --git a/.github/workflows/yara-audit.yml b/.github/workflows/yara-audit.yml
@@ -14,31 +14,17 @@ jobs:
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Checkout test files repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: CAPESandbox/CAPE-TestFiles
           path: tests/data/
 
-      - name: Install dependencies
-        run: |
-          sudo apt-get install libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev
-
-      - name: Install poetry
-        run: pip install poetry
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+      - uses: ./.github/actions/python-setup/
         with:
-          # check-latest: true
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-      - name: Install requirements
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
-        run: |
-          poetry install --no-interaction --no-root
 
       - name: Install dependencies
         run: |

diff --git a/analyzer/windows/analyzer.py b/analyzer/windows/analyzer.py
@@ -34,7 +34,16 @@
     SHUTDOWN_MUTEX,
     TERMINATE_EVENT,
 )
-from lib.common.defines import ADVAPI32, EVENT_MODIFY_STATE, KERNEL32, MAX_PATH, PROCESS_QUERY_LIMITED_INFORMATION, PSAPI, SHELL32
+from lib.common.defines import (
+    ADVAPI32,
+    EVENT_MODIFY_STATE,
+    KERNEL32,
+    MAX_PATH,
+    PROCESS_QUERY_LIMITED_INFORMATION,
+    PSAPI,
+    SHELL32,
+    USER32,
+)
 from lib.common.exceptions import CuckooError, CuckooPackageError
 from lib.common.hashing import hash_file
 from lib.common.results import upload_to_host
@@ -81,6 +90,12 @@ def pid_from_service_name(servicename):
     return thepid
 
 
+def get_explorer_pid():
+    explorer_pid = c_int(0)
+    USER32.GetWindowThreadProcessId(USER32.GetShellWindow(), byref(explorer_pid))
+    return explorer_pid.value
+
+
 def pids_from_image_names(suffixlist):
     """Get PIDs for processes whose image name ends with one of the given suffixes.
 
@@ -1000,6 +1015,17 @@ def _handle_ksubvert(self, data):
             log.info("Process with pid %s has terminated", pid)
             self.analyzer.process_list.remove_pid(pid)
 
+    def _handle_shell(self, data):
+        explorer_pid = get_explorer_pid()
+        if explorer_pid:
+            explorer = Process(options=self.analyzer.options, config=self.analyzer.config, pid=explorer_pid)
+            self.analyzer.CRITICAL_PROCESS_LIST.append(int(explorer_pid))
+            filepath = explorer.get_filepath()
+            explorer.inject(interest=filepath, nosleepskip=True)
+            self.analyzer.LASTINJECT_TIME = timeit.default_timer()
+            explorer.close()
+            KERNEL32.Sleep(2000)
+
     def _handle_interop(self, data):
         if not self.analyzer.MONITORED_DCOM:
             self.analyzer.MONITORED_DCOM = True

diff --git a/analyzer/windows/data/yara/AgentTesla.yar b/analyzer/windows/data/yara/AgentTesla.yar
@@ -3,7 +3,7 @@ rule AgentTeslaV4JIT
     meta:
         author = "kevoreilly"
         description = "AgentTesla V4 JIT native config extractor"
-        cape_options = "bp0=$decode1+8,count=0,hc0=30,action0=string:ecx,typestring=AgentTesla Config,no-logs=2"
+        cape_options = "bp0=$decode1+8,count=0,action0=string:ecx,typestring=AgentTesla Strings,no-logs=2"
         packed = "7f8a95173e17256698324886bb138b7936b9e8c5b9ab8fffbfe01080f02f286c"
     strings:
         $decode1 = {8B 01 8B 40 3C FF 50 10 8B C8 E8 [4] 89 45 CC B8 1A 00 00 00}
@@ -12,3 +12,15 @@ rule AgentTeslaV4JIT
     condition:
         2 of them
 }
+
+rule AgentTeslaV3JIT
+{
+    meta:
+        author = "ClaudioWayne"
+        description = "AgentTesla V3 JIT native string decryption"
+        cape_options = "bp0=$decode+20,count=0,action0=string:eax+8,typestring=AgentTesla Strings,no-logs=2"
+    strings:
+        $decode = {8B C8 57 FF 75 08 8B [5] 8B 01 8B 40 3C FF [2] 8B F0 B8 03 00 00 00}
+    condition:
+        all of them
+}
diff --git a/analyzer/windows/data/yara/DarkGate.yar b/analyzer/windows/data/yara/DarkGate.yar
@@ -0,0 +1,17 @@
+rule DarkGate
+{
+    meta:
+        author = "enzok"
+        description = "DarkGate config"
+        cape_options = "bp0=$config2+3,action0=dump:edx::1025,count=0,typestring=DarkGate Config"
+        hash = "c1d35921f4fc3bac681a3d5148f517dc0ec90ab8c51e267c8c6cd5b1ca3dc085"
+    strings:
+        $part1 = {8B 55 ?? 8A 4D ?? 80 E1 3F C1 E1 02 8A 5D ?? 80 E3 30 81 E3 FF [3] C1 EB 04 02 CB 88 4C 10 FF FF 45 ?? 80 7D ?? 40}
+        $part2 = {8B 55 ?? 8A 4D ?? 80 E1 0F C1 E1 04 8A 5D ?? 80 E3 3C 81 E3 FF [3] C1 EB 02 02 CB 88 4C 10 FF FF 45 ?? 80 7D ?? 40}
+        $part3 = {8B 55 ?? 8A 4D ?? 80 E1 03 C1 E1 06 8A 5D ?? 80 E3 3F 02 CB 88 4C 10 FF FF 45}
+        $alphabet = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
+        $config1 = {B9 01 04 00 00 E8 [4] 8D 45}
+        $config2 = {8B 55 ?? 8D 45 ?? E8 [4] 8D 45 ?? 5? B? 06 00 00 00 B? 01 00 00 00 8B 45 ?? E8 [4] 8B 45 ?? B? [4] E8 [4] 75}
+    condition:
+        ($alphabet) and (any of ($part*) or all of ($config*))
+}
diff --git a/analyzer/windows/data/yara/Latrodectus.yar b/analyzer/windows/data/yara/Latrodectus.yar
@@ -0,0 +1,12 @@
+rule Latrodectus
+{
+    meta:
+        author = "kevoreilly"
+        description = "Latrodectus export selection"
+        cape_options = "export=$export"
+        hash = "378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05"
+    strings:
+        $export = {48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 EC 30 4C 8B 05 [4] 33 D2 C7 40 [5] 88 50 ?? 49 63 40 3C 42 8B 8C 00 88 00 00 00 85 C9 0F 84}
+    condition:
+        uint16(0) == 0x5A4D and all of them
+}
diff --git a/analyzer/windows/data/yara/Lumma.yar b/analyzer/windows/data/yara/Lumma.yar
@@ -10,3 +10,16 @@ rule Lumma
     condition:
         uint16(0) == 0x5a4d and any of them
 }
+
+rule LummaRemap
+{
+    meta:
+        author = "kevoreilly"
+        description = "Lumma ntdll-remap bypass"
+        cape_options = "ntdll-remap=0"
+        packed = "7972cbf2c143cea3f90f4d8a9ed3d39ac13980adfdcf8ff766b574e2bbcef1b4"
+    strings:
+        $remap = {C6 44 24 20 00 C7 44 24 1C C2 00 00 90 C7 44 24 18 00 00 FF D2 C7 44 24 14 00 BA 00 00 C7 44 24 10 B8 00 00 00 8B 01 89 44 24 11}
+    condition:
+        uint16(0) == 0x5a4d and any of them
+}
diff --git a/analyzer/windows/dll/capemon.dll b/analyzer/windows/dll/capemon.dll
diff --git a/analyzer/windows/dll/capemon_x64.dll b/analyzer/windows/dll/capemon_x64.dll
diff --git a/analyzer/windows/pytest.ini b/analyzer/windows/pytest.ini
@@ -0,0 +1,2 @@
+[pytest]
+pythonpath = .