Update deps and code from upstream

enzok · Sep 3, 2024 · c5b0ffe · c5b0ffe
1 parent 1a66f02
commit c5b0ffe
Show file tree

Hide file tree

Showing 8 changed files with 67 additions and 10 deletions.
diff --git a/CAPEsolo/dll/capemon.dll b/CAPEsolo/dll/capemon.dll
diff --git a/CAPEsolo/dll/capemon_x64.dll b/CAPEsolo/dll/capemon_x64.dll
diff --git a/CAPEsolo/lib/core/packages.py b/CAPEsolo/lib/core/packages.py
@@ -44,7 +44,9 @@ def choose_package(file_type, file_name, exports, target):
         or "Microsoft Office Word" in file_type
         or "Microsoft OOXML" in file_type
         or "MIME entity" in file_type
-        or file_name.endswith((".doc", ".dot", ".docx", ".dotx", ".docm", ".dotm", ".docb", ".rtf", ".mht", ".mso", ".wbk", ".wiz"))
+        or file_name.endswith(
+            (".asd", ".doc", ".dot", ".docx", ".dotx", ".docm", ".dotm", ".docb", ".rtf", ".mht", ".mso", ".wbk", ".wiz")
+        )
     ):
         return "doc"
     elif (
@@ -67,10 +69,24 @@ def choose_package(file_type, file_name, exports, target):
         return "rar"
     elif "Macromedia Flash" in file_type or file_name.endswith((".swf", ".fws")):
         return "swf"
-    elif file_name.endswith((".py", ".pyc")) or "Python script" in file_type:
+    elif file_name.endswith((".py", ".pyc")) or "Python script" in file_type or b"import" in file_content:
         return "python"
     elif file_name.endswith(".ps1"):
         return "ps1"
+    elif file_name.endswith((".msg", ".rpmsg")) or "rpmsg Restricted Permission Message" in file_type:
+        return "msg"
+    elif file_name.endswith((".eml", ".ics")) or (
+        "RFC 822 mail" in file_type
+        or "old news" in file_type
+        or "mail forwarding" in file_type
+        or "smtp mail" in file_type
+        or "news" in file_type
+        or "news or mail" in file_type
+        or "saved news" in file_type
+        or "MIME entity" in file_type
+        or "vCalendar calendar" in file_type
+    ):
+        return "eml"
     elif file_name.endswith((".js", ".jse")):
         return "js"
     elif file_name.endswith(".hta"):
@@ -129,5 +145,7 @@ def choose_package(file_type, file_name, exports, target):
         return "archive"
     elif file_name.endswith(".a3x"):
         return "autoit"
+    elif file_name.endswith(("cmd", "bat")) or b"@echo off" in file_content:
+        return "batch"
     else:
         return "generic"
diff --git a/CAPEsolo/modules/packages/batch.py b/CAPEsolo/modules/packages/batch.py
@@ -0,0 +1,36 @@
+# Copyright (C) 2010-2015 Cuckoo Foundation.
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+from lib.common.abstracts import Package
+from lib.common.common import check_file_extension
+
+
+class Batch(Package):
+    """batch analysis package."""
+
+    PATHS = [
+        ("SystemRoot", "system32", "cmd.exe"),
+    ]
+    summary = "Executes the batch scripts with cmd.exe."
+    description = """Uses 'cmd.exe /c start /wait "" "path"' to execute sample files.
+    For context behind this command:
+    /C          Carries out the command specified by string and then terminates
+    START       Starts a separate window to run a specified program or command.
+    /WAIT       Start application and wait for it to terminate.
+    ""          The name of the separate window
+    "path"      The path of the uploaded batch file.
+    """
+
+    def start(self, path):
+        cmd_path = self.get_path("cmd.exe")
+        # For context behind this command:
+        # /C          Carries out the command specified by string and then terminates
+        # START       Starts a separate window to run a specified program or command.
+        # WAIT        Start application and wait for it to terminate.
+        # ""          The name of the separate window
+        # "{path}"    The name of the specific batch file
+
+        path = check_file_extension(path, ".bat")
+        cmd_args = f'/c start /wait "" "{path}"'
+        return self.execute(cmd_path, cmd_args, path)
diff --git a/CAPEsolo/modules/packages/python.py b/CAPEsolo/modules/packages/python.py
@@ -3,6 +3,7 @@
 # See the file 'docs/LICENSE' for copying permission.
 
 from lib.common.abstracts import Package
+from lib.common.common import check_file_extension
 from lib.common.constants import OPT_ARGUMENTS
 from lib.common.exceptions import CuckooPackageError
 
@@ -24,4 +25,6 @@ def start(self, path):
             python = self.get_path_glob("py.exe")
 
         arguments = self.options.get(OPT_ARGUMENTS, "")
+
+        path = check_file_extension(path, ".py")
         return self.execute(python, f"{path} {arguments}", path)
diff --git a/CAPEsolo/parsers/Remcos.py b/CAPEsolo/parsers/Remcos.py
@@ -145,7 +145,7 @@ def check_version(filedata):
 
     # find and extract version string e.g. "2.0.5 Pro", "1.7 Free" or "1.7 Light"
     for s in slist:
-        if bool(re.search(r"^\d+\.\d+\.\d+\s+\w+$", s)):
+        if bool(re.search(r"^\d+\.\d+(\.\d+)?\s+\w+$", s)):
             return s
     return ""
 

diff --git a/CAPEsolo/yara/CAPE/Latrodectus.yar b/CAPEsolo/yara/CAPE/Latrodectus.yar
@@ -28,7 +28,7 @@ rule Latrodectus_AES
 		$key =  {C6 44 2? ?? ?? [150] C6 44 2? ?? ?? B8 02}
 		$aes_ctr_1 = {8B 44 24 ?? FF C8 89 44 24 ?? 83 7C 24 ?? 00 7C ?? 4? 63 44 24 ?? 4? 8B 4C 24 ?? 0F B6 84 01 F0 00 00 00 3D FF 00 00 00}
 		$aes_ctr_2 = {48 03 C8 48 8B C1 0F B6 ?? 48 63 4C 24 ?? 0F B6 4C 0C ?? 33 C1 48 8B 4C 24 ?? 48 8B 54 24 ?? 48 03 D1 48 8B CA 88 01}
-		$version_1_4 = {C7 44 2? ?? 0? 00 00 00 C7 44 2? ?? 0? 00 00 00 C7 44 2? ?? 01 00 00 00 8B}
+		$version = {C7 44 2? ?? 0? 00 00 00 C7 44 2? ?? 0? 00 00 00 C7 44 2? ?? 01 00 00 00 8B}
     condition:
         all of them
 }
diff --git a/poetry.lock b/poetry.lock