capesandbox / community Goto Github PK

In sysmon.py, I read this:

       # First figure out what architecture the system in running (x64 or x86)
        bin_path = os.path.join(os.getcwd(), "bin")

        if "Windows" in platform.uname():
            if "AMD64" in platform.uname():
                sysmon = os.path.join(bin_path, "SMaster64.exe")
            else:
                sysmon = os.path.join(bin_path, "SMaster32.exe")
        # TODO: Platform is Linux, add support for https://github.com/Sysinternals/SysmonForLinux
        else:
            self.enabled = False
            return False

        config_file = os.path.join(bin_path, "sysmonconfig-export.xml")
        if not os.path.exists(sysmon) or not os.path.exists(config_file):
            raise CuckooPackageError(
                "In order to use the Sysmon functionality, it "
                "is required to have the SMaster(64|32).exe file and "
                "sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are "
                "just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques."
            )

Where do I need to store the files? os.getcwd() is based on the agent.py location on the guest?

A while ago, I tried to set up an account and verification failed miserably. I'm wondering if my ad blocker (Adgaurd Adblocker) or Bitdefender VPN had anything to do with it? My browser is Microsoft edge. Anyways. Here I am trying to set up an account, and it tells me that another account exists with my same email (probably the one that failed). I tried to reset the password associated with my email...

And this is what I got:

I also tried to connect my GitHub account as a last resort, but that did not work. Now I'm stuck with a 3rd party authorization which I'm not sure I should be revoking... permanently. Ughh.

I've been looking for places to reach out, and this seems like the best one. Is there anything that can be done on the developer side to fix this issue? Please redirect me elsewhere if this is not where I should be posting my issue.

When running the community.py file in utilities via the following command it will error out and not install the signatures;

python3 community.py -s --file master.tar.gz

It errors out on a missing t variable in the code.

t = tarfile.TarFile.open(fileobj=BytesIO(data), mode="r:gz")

By adding this variable to the code as shown below and in the pull request the error is fixed.

`
def install(enabled, force, rewrite, filepath):

if filepath and os.path.exists(filepath):

    data = open(filepath, "rb").read()
    t = tarfile.TarFile.open(fileobj=BytesIO(data), mode="r:gz")

else:

    print("Downloading modules from {0}".format(URL))

    try:

        http = urllib3.PoolManager()

        data = http.request("GET", URL).data

        t = tarfile.TarFile.open(fileobj=BytesIO(data), mode="r:gz")

    except Exception as e:

        print("ERROR: Unable to download archive: %s" % e)

        sys.exit(-1)



folders = {

    "feeds": "modules/feeds",

    "signatures": "modules/signatures",

    "processing": "modules/processing",

    "reporting": "modules/reporting",

    "machinery": "modules/machinery",

    "analyzer": "analyzer",

    "data": "data",

}



members = t.getmembers()

directory = members[0].name.split("/", 1)[0]



for category in enabled:

    folder = folders.get(category, False)

    if not folder:

        continue`

Hi, Will be thankful to help me with this issue.

I installed and configure capev2 using its documentation. The OS is ubuntu 20.04 LTS.

There are some "no module named ..." errors and one permission error for:
PermissionError: [Errno 13] Permission denied: '/opt/CAPEv2/log/cuckoo.log'

This is the output of running python3 cuckoo.py in /opt/CAPEv2/:
(As an example, I tried to install BumbleBee by pip3, but the error is not solved.)

CAPE parser: No module named BumbleBee - No module named 'regex'
CAPE parser: No module named CobaltStrikeBeacon - No module named 'netstruct'
CAPE parser: No module named Blister - No module named 'malduck'

.-----------------.
| Cuckoo Sandbox? |
| OH NOES! |\ '-.__.-'
'-----------------' \ /oo |--.--,--,--.
_.-'.i__i__i.'
"""""""""

Cuckoo Sandbox 2.2-CAPE
www.cuckoosandbox.org
Copyright (c) 2010-2015

CAPE: Config and Payload Extraction
github.com/kevoreilly/CAPEv2

Traceback (most recent call last):
File "cuckoo.py", line 118, in
cuckoo_init(quiet=args.quiet, debug=args.debug, artwork=args.artwork, test=args.test)
File "cuckoo.py", line 76, in cuckoo_init
init_logging(level)
File "/opt/CAPEv2/lib/cuckoo/core/startup.py", line 176, in init_logging
fh = logging.handlers.TimedRotatingFileHandler(
File "/usr/lib/python3.8/logging/handlers.py", line 200, in init
BaseRotatingHandler.init(self, filename, 'a', encoding, delay)
File "/usr/lib/python3.8/logging/handlers.py", line 55, in init
logging.FileHandler.init(self, filename, mode, encoding, delay)
File "/usr/lib/python3.8/logging/init.py", line 1147, in init
StreamHandler.init(self, self._open())
File "/usr/lib/python3.8/logging/init.py", line 1176, in _open
return open(self.baseFilename, self.mode, encoding=self.encoding)
PermissionError: [Errno 13] Permission denied: '/opt/CAPEv2/log/cuckoo.log'

Is it possible to push new features as well as a web/templates/example.html that comes with the feature?

I am curious, how open are y'alls to me starting to raid other Yara repos for stuff we don't currently have. Begun looking deeper into that dir and comparing it against https://github.com/Yara-Rules/rules/tree/master/malware .

One hit upon that was easily testable was Pony with 469a2bd68eec3b9262aae35bbdc51dba from https://samples.vx-underground.org/samples/Families/Pony/ .

That said it had plenty of other hits, but it was just one of I just happened to look at that we did not have direct coverage for already in there.

I am working on cape sandbox to add a guest linux machine, my agent in linux is working fine as it accessible through curl command but the analysis is lasting for a few seconds hence I am getting blank report. What could be the issue?

Hello!

Sorry if this is the wrong place, but this is the only place I could find to contact you.

I registered my account a while back, but I was on a VPN, and I think that got me flagged, as it said I needed to wait for the system admin to review my account or something. I couldn't find where to contact you (and I didn't think this would be the place to do so), and I never got anything back from you guys, so I just moved on.

Recently, I wanted to try CAPE out to look at some API calls, so I tried to reset my password, hoping that it was all sorted out and my account had been reviewed, but I get no password recovery e-mail

My e-mail is nordgarentv@gmail,com, and my username is nordgaren.

Edit: I finally got the e-mail, but it says there is no record of my account, but if I try to sign up again, it says a user is already registered at that address and that my username is already taken.

Thank you!
Nordgaren.

I noticed that while CAPE does have ~ 670 signatures, there is a large number of Cuckoo signatures (~400), at least by looking at their names alone, that did not make it to CAPE.

Obviously they could've been renamed when migrated, although I don't think that is the case. I'm wondering if there was a reason for a lot of signatures did not make it to CAPE?

A few examples of the signatures that did not make it:

• amsi_bypass
• antivm_parallels_window
• creates_null_reg_entry

I enabled the reporting module "malheur" and got this error:

2024-05-15 07:50:41,703 [Task 35] [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "Malheur": Strings must be encoded before hashing
Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 738, in process
    current.run(self.results)
  File "/opt/CAPEv2/utils/../modules/reporting/malheur.py", line 160, in run
    outputfile = os.path.join(basedir, f"malheur.txt.{hashlib.md5(str(random.random())).hexdigest()}")
TypeError: Strings must be encoded before hashing

Any idea how to fix this?

I've gone through most signatures in this repository, and noticed that there is a lack of consistency when it comes to naming "marks" or self.data entries. Below are the possible mark names that I've found across the signatures:

['<any virustotal vendor>', '<not a dictionary, just a file path>', '<sha1>', '<sha256>', 'Affid', 'Beacon', 'Buffer', 'C2', 'Campaign', 'ClassName', 'Copy', 'Creates', 'Decoy Document', 'DeletedFile', 'Domain:Port', 'DynamicLoader', 'Event', 'File Move on Reboot', 'HTTPMethod:URI', 'Injection', 'Interacts', 'KernelExploitAttempt', 'KernelExploitBase', 'Key', 'Likely to allow modification of', 'Lure', 'Note', 'Object', 'Payload', 'Payment', 'Process', 'Process executing suspicious JavaScript', 'Program', 'Redirect', 'Regkey', 'SMTP', 'Spam', 'SuspiciousDynamicFunction', 'URL', 'User-Agent', 'Version', 'Window', 'added', 'addit', 'anomalous_version', 'anomaly', 'appends_email', 'appends_new_extension', 'aslr bypass', 'attachment', 'authenticode error', 'author_format', 'begining_of_ransom_message', 'binary', 'browser_inject', 'cmdline', 'command', 'connectivity_check', 'content', 'content_anomaly', 'cookie', 'copy', 'country', 'created_process', 'creation_anomaly', 'cscript_exe', 'cve', 'cve2009_3459', 'cve_2012-0507', 'cve_2012-4681', 'cve_2012-5076', 'cve_2013-0422', 'cve_2013-0431', 'cve_2013-1493', 'cve_2013-2423', 'cve_2013-2460', 'cve_2013-2465', 'cve_2013-2471', 'data', 'data_after_eof', 'data_being_encrypted', 'decoded_base64_string', 'disables_system_recovery', 'disguised_executable', 'domain', 'driver_testsigning', 'drops_unknown_mimetypes', 'embedded content', 'encoded_pe', 'execute', 'fake_useragent', 'file', 'file name', 'file_modifications', 'flash load', 'handlename', 'heap spray', 'http', 'ie_martian', 'ignorefailures', 'injections', 'ioc', 'ip', 'ip address', 'javascript_object', 'jscript_exe', 'key', 'large_attribute', 'last_saved_format', 'lsass credential dumping', 'lsass read access', 'malicious_author', 'mass file_deletion', 'message', 'mimic_dest', 'mimic_source', 'mmbot', 'modified_drive', 'modified_name', 'modified_path', 'mshta_exe', 'mutex', 'mysterious_kernel_module', 'new_appended_file_extension', 'no_pages', 'numerical_author', 'numerical_last_saved', 'obfuscation_reflection', 'office file', 'office_cve_2021_40444', 'office_dl_write_exe', 'office_martian', 'open_action', 'original_name', 'original_path', 'parameter', 'path', 'pattern', 'payload', 'pdbpath', 'percent_match', 'physical drive access', 'pid', 'postscript', 'process', 'reg_query_name', 'regkey', 'regkeyval', 'request', 'section', 'security_permissions', 'self_read', 'serialized_object', 'service', 'servicename', 'short_author_format', 'short_last_saved_format', 'sign', 'signature', 'single_page', 'smtp_header', 'string_length', 'suspicious_deviceiocontrol_ioctl_use', 'system_event_object', 'task', 'unhook', 'unlinked', 'unnamed_driver', 'uri', 'url', 'user-agent', 'window', 'written_content', 'wscript_exe', 'xfa_object']

As you can see, there are a bunch of duplicates if the marks were case insensitive (I will work on fixing this), but in general since there is no standard for assigning marks, the naming has become unpredictable and this makes using CAPEv2 hard to automate.

I will also work on renaming obvious marks to a synonym that is used more often (cmdline -> command, etc).

If there could be some work done to standardize these mark names, whether it be through generalization, constants, or helper methods, I'd appreciate it :)

I also found that these were the most-often used names for marks for signatures:

• regkey x52
• file x81
• process x11
• domain x12
• ip x20
• data x16
• mutex x40
• request x31
• cmdline x17
• command x77
• anomaly x14
• section x12
• key x20

I am currently running CAPEv2 for doing malware analysis, I have been doing analysis on windows 10 guest machine but I want to enable a linux machine for analysis. I have tried a number of liunx OS like ubuntu 16.04, 18.04, 20.04 but as we know that agent of cape runs on 32 bit python so by running the commands given in cape documentation I seem to lose functionalities in the machines like loss of terminal or loss of internet etc , I can make the agent run but lose internet access in the machine due to changing python architecture.

Can you suggest me which ubuntu version or any other linux to use, and why am I getting these kind of problems even by following the commands on cape document.

Following are the commands I ran on x64 bit ubuntu linux:
$ sudo dpkg --add-architecture i386
$ sudo apt update
$ sudo apt install python3:i386 -y
$ sudo apt install systemtap-runtime -y
$ curl -sSL https://bootstrap.pypa.io/get-pip.py -o get-pip.py
$ python3 get-pip.py
$ python3 -m pip install pyinotify
$python3 /path/to/agent.py
And I used x86 ubuntu 16.04 which had older python version but even updating it disturbed the OS.

Following are the commands I used to in 32bit OS:
$ sudo apt update
$ sudo apt install python3-pip systemtap-runtime
$ pip3 install pyinotify
And also changed python version to 3.7.9 that is compatible with the agent.

Need guidance.
Regards

https://github.com/kevoreilly/community/blob/8ecef0aa052b459c73b4ff8afb3048e589b9a5bb/analyzer/windows/modules/auxiliary/procmon.py#L66-L94

The check for self.enabled should be moved to the beginning of the function. Just like in the run function.

def stop(self) -> bool: 
    if not self.enabled: 
        return return False
    ...
    return False 

Otherwise, procmon.exe /Terminate and procmon.exe /OpenLog ... will still be run, which is pointless?