Merge pull request #2457 from kevoreilly/yara_detect_fix

yara_detect
kevoreilly · Jan 10, 2025 · 724b2b1 · 724b2b1
2 parents bb5cc07 + 11de9d8
commit 724b2b1
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 18 deletions.
diff --git a/lib/cuckoo/common/abstracts.py b/lib/cuckoo/common/abstracts.py
@@ -842,24 +842,28 @@ def yara_detected(self, name):
                     if re.findall(name, yara_block["name"], re.I):
                         yield "sample", self.results["target"]["file"]["path"], yara_block, self.results["target"]["file"]
 
-            for block in target["file"].get("extracted_files", []):
-                for keyword in ("cape_yara", "yara"):
-                    for yara_block in block[keyword]:
-                        if re.findall(name, yara_block["name"], re.I):
-                            # we can't use here values from set_path
-                            yield "sample", block["path"], yara_block, block
+            if target["file"].get("selfextract"):
+                for _, toolsblock in target["file"]["selfextract"].items():
+                    for block in toolsblock.get("extracted_files", []):
+                        for keyword in ("cape_yara", "yara"):
+                            for yara_block in block[keyword]:
+                                if re.findall(name, yara_block["name"], re.I):
+                                    # we can't use here values from set_path
+                                    yield "sample", block["path"], yara_block, block
 
         for block in self.results.get("CAPE", {}).get("payloads", []) or []:
             for sub_keyword in ("cape_yara", "yara"):
                 for yara_block in block.get(sub_keyword, []):
                     if re.findall(name, yara_block["name"], re.I):
                         yield sub_keyword, block["path"], yara_block, block
 
-            for subblock in block.get("extracted_files", []):
-                for keyword in ("cape_yara", "yara"):
-                    for yara_block in subblock[keyword]:
-                        if re.findall(name, yara_block["name"], re.I):
-                            yield "sample", subblock["path"], yara_block, block
+            if block.get("selfextract", {}):
+                for _, toolsblock in block["selfextract"].items():
+                    for subblock in toolsblock.get("extracted_files", []):
+                        for keyword in ("cape_yara", "yara"):
+                            for yara_block in subblock[keyword]:
+                                if re.findall(name, yara_block["name"], re.I):
+                                    yield "sample", subblock["path"], yara_block, block
 
         for keyword in ("procdump", "procmemory", "extracted", "dropped"):
             if self.results.get(keyword) is not None:
@@ -879,11 +883,13 @@ def yara_detected(self, name):
                                     if re.findall(name, yara_block["name"], re.I):
                                         yield "extracted_pe", pe["path"], yara_block, block
 
-                    for subblock in block.get("extracted_files", []):
-                        for keyword in ("cape_yara", "yara"):
-                            for yara_block in subblock[keyword]:
-                                if re.findall(name, yara_block["name"], re.I):
-                                    yield "sample", subblock["path"], yara_block, block
+                    if block.get("selfextract", {}):
+                        for _, toolsblock in block["selfextract"].items():
+                            for subblock in toolsblock.get("extracted_files", []):
+                                for keyword in ("cape_yara", "yara"):
+                                    for yara_block in subblock[keyword]:
+                                        if re.findall(name, yara_block["name"], re.I):
+                                            yield "sample", subblock["path"], yara_block, block
 
         macro_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(self.results["info"]["id"]), "macros")
         for macroname in self.results.get("static", {}).get("office", {}).get("Macro", {}).get("info", []) or []:

diff --git a/modules/processing/CAPE.py b/modules/processing/CAPE.py
@@ -163,6 +163,7 @@ def process_file(self, file_path, append_file, metadata: dict, *, category: str,
         """
 
         if not path_exists(file_path):
+            log.debug("file doesn't exist: %s", file_path)
             return
 
         cape_names = set()
@@ -206,7 +207,7 @@ def process_file(self, file_path, append_file, metadata: dict, *, category: str,
 
         type_string, append_file = self._metadata_processing(metadata, file_info, append_file)
 
-        if processing_conf.CAPE.targetinfo and category in ("static", "file"):
+        if category in ("static", "file"):
             if MISP_HASH_LOOKUP:
                 misp_hash_lookup(file_info["sha256"], str(self.task["id"]), file_info)
 
@@ -256,7 +257,7 @@ def process_file(self, file_path, append_file, metadata: dict, *, category: str,
         # Process CAPE Yara hits
         # Prefilter extracted data + beauty is better than oneliner:
         all_files = []
-        for key, value in file_info.get("selfextract", {}).items():
+        for _, value in file_info.get("selfextract", {}).items():
             for file in value.get("extracted_files", []):
                 if not file.get("cape_yara", []):
                     continue

diff --git a/modules/processing/pcapng.py b/modules/processing/pcapng.py
@@ -80,6 +80,7 @@ def append_file_contents_to_file(self, file_with_contents, append_to_file):
             dst.write(src.read())
 
     def generate_pcapng(self, sslkeylogfile_path):
+        # ToDo bail if file is empty
         cmd = [EDITCAP, "--inject-secrets", "tls," + sslkeylogfile_path, self.pcap_path, self.pcapng_path]
         log.debug("generating pcapng with command '%s", cmd)
         subprocess.check_call(cmd, timeout=EDITCAP_TIMEOUT)