update cape #7

Added njrat parser

A bunch of fixes for a bunch of tests

Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.0 to 42.0.2. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@42.0.0...42.0.2) --- updated-dependencies: - dependency-name: cryptography dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

…ptography-42.0.2 Bump cryptography from 42.0.0 to 42.0.2

Fix zip_compound package

Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.2 to 42.0.4. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@42.0.2...42.0.4) --- updated-dependencies: - dependency-name: cryptography dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

…ptography-42.0.4 Bump cryptography from 42.0.2 to 42.0.4

Fixing AWS Deployment Bugs

Update Latrodectus parser

Update Latrodectus.py

Update DarkGate parser

Optimizing the wait_time_to_reimage parameter to a more realistic value

… deprecated

Update az.conf.default

Update github actions to new versions

Bumps [orjson](https://github.com/ijl/orjson) from 3.8.5 to 3.9.15. - [Release notes](https://github.com/ijl/orjson/releases) - [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md) - [Commits](ijl/orjson@3.8.5...3.9.15) --- updated-dependencies: - dependency-name: orjson dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

…son-3.9.15 Bump orjson from 3.8.5 to 3.9.15

AgentTesla Parser: Added: MailTo for smtp exfil #sha256: 893f4dc8f8a1dcee05a0840988cf90bc93c1cda5b414f35a6adb5e9f40678ce9 Added: ExternalIPCheck: ipify.org, ip-api.com Added: HTTP(S) exifl #sha256: 8907c9e3fdd73e8536cf04439b46137bc9fd52d3bb9774242e8ebd9df95c3c66 Fix: Discrod exfil AgentTesla yara update: Added V5 (no string encryption) Added V3 JIT native string decryption

AgentTesla update

…txt as input

Github action pip-audit needs requirements.txt as input

…SIs)

…and Lumma direct systenter unmap crash bypass

GitHub action refactoring

Oyster extractor

…mplify Better control of environment variable for nektos act

Update: XWorm Parser

…actions Run tests on the windows analyzer

Update XWorm parser: add more configs

Previous implementation of segregation defaulted all non-os-labelled signatures to windows. This feature defaulted important static sigantures to only be run on windows analyses. Segregation of signatures to the respective folders, windows, linux and all, allows static-type signatures to be run on all platforms and platform specific running of signaturization. I believe this would also help to improve the time for running signatures.

Fix file name

Description: - Sample executed via `strace` to capture api execution sequence - Strace logs output to linux guest machine - Filecollector to ignore strace log - Strace logs uploaded to host - Strace logs processed and output to CAPE report json

…ommit Run ruff during pre-commit checks

- removal of strace-process-tree dependencies - removal of strace folder in analysis output folder - changed output location of strace log files to match like behavior ("logs" folder) - extra clean up of previous systemtap implementations

Description: Some malware may not close file descriptors, relies on lazy cleanup. Fix is to assume that the file descriptor is closed after running, If encounter fd that is unclosed during processing, match the respective filename anyway, since most likely reach near end of file descriptor list

Previous implementation was referencing the `strace` syscall indexes in order to match the relevant syscalls and argument inputs. Turns out, this is not very reliable and causes a bug on the `open` syscall which is output by strace to be the index of 5. Upon matching with the linux syscall json, it incorrectly matches with `newfstat`. The fix to this was to just match via the same syscall name instead.

Signature segregation

- Added file test_agent.py - Tests will be run in Windows and Linux - Tests will be run in github actions - Test most existing functionality of the agent - In send_file open the file in binary mode (bug fix) - Updates to the agent to make it testable, including: - Pass a multiprocessing event to the run() method when under test, so the test knows when the agent process is ready - Tweaks to the shutdown method enabling testing - Let jsonify not crash if values cannot be serialized - Add a new command-line parameter, -v, useful when testing interactively - When -v is given, stdout and stderr will simply go to the console - Allow the 'date' command to be executed from localhost; for testing

- Use an enum for the status. Only accept expected values. - Check that we can read a file before trying to send it.

- Monitor async python process spawned in background - Be able to detect if background process completed ok or errored - Accurately report failure status on execution failures - The agent used to report RUNNING when the process actually FAILED - Add base64 encoding capability to send_file - Detect and log errors that occur during send_file - Allow json_success to have status codes - Allow json_error to accept kwargs, like json_success already does - More detailed error messages for certain kinds of failure - creating directory; storing file; extracting zip file

- This feature only available in Windows - This can serve a variety of purposes - Via a POST request, the agent will open the named mutex - If not immediately available, wait 500 ms - Via a DELETE request, the agent will release the named mutex - The mutex must already exist; the agent will not create a mutex

…for-agent Automated unit tests for agent; monitoring of async python process; input validation when setting status; added support for mutexes

Add dots for decimal separator

Resultserver msgs about process creation

… the file immediately

…oumis

…oumis

@nbargnesi

Log the image name as well as the process ID; added tests. Also, restore the process is_alive check, disabled 4 years ago. Consequently, commented out excessive logging. Credit: @nbargnesi

…ayload

It was setting the file length, which was the wrong length for the encoded data.

EVTX single endpoint added

…t-set-length Omit setting the length when in base64 transmission mode.

Linux support

(cherry picked from commit 67ee5b4b68ca8f48b071777bb5cb5af2ff389130)

Fix config length offset

PikaBot parser update

Add test

PikaBot ignore empty config

…para0x0dise

…para0x0dise

…ted .NET payloads to avoid missing interesting payloads

CAPE has an issue of extracting the shellcode from the binary and now, it's fixed @9616452

fixed unrecognized bytes encoding in remcos parser

…ests Improvement to process.py logging

Rozena/Swort (Metasploit) payload parser

for reporting

Use payload dump to decrypt

Carbanak update

Bumps [django](https://github.com/django/django) from 4.2.10 to 4.2.11. - [Commits](django/django@4.2.10...4.2.11) --- updated-dependencies: - dependency-name: django dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

…ngo-4.2.11 chore(deps): bump django from 4.2.10 to 4.2.11

Fix bug in sample_path_by_hash.

Bumps [black](https://github.com/psf/black) from 22.12.0 to 24.3.0. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](psf/black@22.12.0...24.3.0) --- updated-dependencies: - dependency-name: black dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]>

There might not be a conf/cuckoo.conf file, i.e. if the user has simply created custom/conf/cuckoo.conf to override the defaults.

…ile. Let the Config class handle raising those types of errors.

…ck-24.3.0 chore(deps-dev): bump black from 22.12.0 to 24.3.0

Fix issues with looking for specific config files

…longer invalid

Ask the agent to create a directory that already exists

…ed via de4dot. e.g. c8274e8e105104d68650a281fad995b46bf4e0a78f582058b3562fbcaa2c7c5b

AgentTesla tweaks

Update objects.py

Commits on Mar 2, 2024

fix kevoreilly#1591

doomedraven committed Mar 2, 2024

Configuration menu

View commit details

Copy full SHA for b877b1a

Browse repository at this point

Copy the full SHA

b877b1a View commit details

Browse the repository at this point in the history

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update cape #7

update cape #7

Commits on Feb 15, 2024

Commits on Feb 16, 2024

Commits on Feb 17, 2024

Commits on Feb 20, 2024

Commits on Feb 21, 2024

Commits on Feb 22, 2024

Commits on Feb 23, 2024

Commits on Feb 24, 2024

Commits on Feb 25, 2024

Commits on Feb 26, 2024

Commits on Feb 27, 2024

Commits on Feb 28, 2024

Commits on Feb 29, 2024

Commits on Mar 1, 2024

Commits on Mar 2, 2024

Commits on Mar 4, 2024

Commits on Mar 5, 2024

Commits on Mar 6, 2024

Commits on Mar 7, 2024

Commits on Mar 8, 2024

Commits on Mar 9, 2024

Commits on Mar 11, 2024

Commits on Mar 12, 2024

Commits on Mar 13, 2024

Commits on Mar 14, 2024

Commits on Mar 15, 2024

Commits on Mar 18, 2024

Commits on Mar 19, 2024

Commits on Mar 20, 2024

Commits on Mar 21, 2024

Commits on Mar 22, 2024

Commits on Mar 25, 2024

Commits on Mar 26, 2024

Commits on Mar 27, 2024