

ci: add pre-commit hooks
TheMythologist committed Jun 9, 2022
1 parent 5541cbc commit 329e98c
Showing 140 changed files with 350 additions and 333 deletions.
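--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,27 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v4.3.0
+hooks:
+- id: check-json
+- id: check-yaml
+- id: end-of-file-fixer
+- id: trailing-whitespace
+- id: fix-byte-order-marker
+- id: mixed-line-ending
+- id: debug-statements
+
+# - repo: https://github.com/csachs/pyproject-flake8
+# rev: v0.0.1a4
+# hooks:
+# - id: pyproject-flake8
+
+- repo: https://github.com/psf/black
+rev: 22.3.0
+hooks:
+- id: black
+
+- repo: https://github.com/pycqa/isort
+rev: 5.10.1
+hooks:
+- id: isort
+name: isort (python)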
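Review bot: The `rev: v4.3.0`, `rev: 22.3.0` and `rev: 5.10.1` lines pin each hook repository to a tag, which is a mutable reference; pre-commit clones these repositories on every fresh checkout, so the hook code that rewrites this working tree can change if a tag is moved, and pinning each `rev` to the full commit SHA behind the tag (for example `rev: <FULL-COMMIT-SHA-OF-v4.3.0>`) makes the hook code immutable and auditable. The rewriting hooks `end-of-file-fixer`, `trailing-whitespace` and `mixed-line-ending` also run over the vendored datasets this commit touches (`data/peutils/UserDB.TXT`, the `data/mitre/*.json` files and the `data/yara/CAPE` rules), so those files will keep drifting from their upstream copies and any byte-for-byte comparison against upstream breaks; a top-level `exclude: ^data/` (or a per-hook `exclude`) keeps the formatters on project source only. The commented-out `pyproject-flake8` block is dead configuration and should either be enabled or dropped. Indentation of the YAML is not visible on this rendered page, so the nesting of `rev:`/`hooks:` under each `- repo:` is assumed rather than verified here.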
2 changes: 1 addition & 1 deletion conf/aws.conf
Expand Up @@ -133,4 +133,4 @@ resultserver_port =
#tags =

# Mostly unused for now. Please don't fill it out.
#options =
#options =
2 changes: 1 addition & 1 deletion data/malpedia.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion data/mbc.json
Expand Up @@ -1006,5 +1006,5 @@
"B0040.002": {
"long": "Malware may store information in an image.",
"short": "Steganography"
},
}
}
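Review bot: The `},` / `}` pair at the end of the `"B0040.002"` entry looks like the removal of a trailing comma (assuming `},` is the old line), which is a syntax fix rather than whitespace normalization and is presumably what the new `check-json` hook surfaced. Buried in a 140-file formatting commit it is easy to overlook; naming it in the commit description, or landing it as its own change, would keep the data edit auditable separately from the whitespace churn.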
2 changes: 1 addition & 1 deletion data/mitre/enterprise_attck_json.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion data/mitre/generated_attck_json.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion data/mitre/generated_nist_json.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion data/mitre/ics_attck_json.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion data/mitre/mobile_attck_json.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion data/mitre/nist_controls_json.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion data/mitre/pre_attck_json.json

Large diffs are not rendered by default.

1 change: 0 additions & 1 deletion data/peutils/UserDB.TXT
Expand Up @@ -7321,4 +7321,3 @@ ep_only = true
[[MSLRH] v32a -> emadicius]
signature = EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31
ep_only = true

4 changes: 2 additions & 2 deletions data/yara/CAPE/AAR.yar
Expand Up @@ -6,7 +6,7 @@ rule AAR
maltype = "Remote Access Trojan"
filetype = "exe"
cape_type = "AAR Payload"

strings:
$a = "Hashtable"
$b = "get_IsDisposed"
Expand All @@ -18,4 +18,4 @@ rule AAR
condition:
all of them
}
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/Adfind.yar
Expand Up @@ -17,4 +17,4 @@ strings:
condition:
any of them
}
}
4 changes: 2 additions & 2 deletions data/yara/CAPE/Adzok.yar
Expand Up @@ -18,7 +18,7 @@ rule Adzok
$a6 = "inic$ShutdownHook.class"
$a7 = "Uninstall.jarPK"
$a8 = "resources/icono.pngPK"
condition:
7 of ($a*)
}
}
16 changes: 8 additions & 8 deletions data/yara/CAPE/AlienSpy.yar
Expand Up @@ -10,36 +10,36 @@ rule AlienSpy
strings:
$PK = "PK"
$MF = "META-INF/MANIFEST.MF"
$a1 = "a.txt"
$a2 = "b.txt"
$a3 = "Main.class"
$b1 = "ID"
$b2 = "Main.class"
$b3 = "plugins/Server.class"
$c1 = "resource/password.txt"
$c2 = "resource/server.dll"
$d1 = "java/stubcito.opp"
$d2 = "java/textito.isn"
$e1 = "java/textito.text"
$e2 = "java/resources.xsx"
$f1 = "amarillo/asdasd.asd"
$f2 = "amarillo/adqwdqwd.asdwf"
$g1 = "config/config.perl"
$g2 = "main/Start.class"
$o1 = "config/config.ini"
$o2 = "windows/windows.ini"
$o3 = "components/linux.plsk"
$o4 = "components/manifest.ini"
$o5 = "components/mac.hwid"
condition:
$PK at 0 and $MF and
12 changes: 6 additions & 6 deletions data/yara/CAPE/Andromeda.yar
Expand Up @@ -9,21 +9,21 @@ meta:

strings:
//IndexerVolumeGuid
$ = { 8d ?? dc fd ff ff 50 8d ?? d8 fd ff ff 50 e8 ?? ?? ?? ?? 8a 00 53 68 ?? ?? ?? ?? 56
ff b? ?? ?? ?? ?? a2 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 18 53 ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53
53 ff 15 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? a3 ?? ?? ?? ?? 83 f8
$ = { 8d ?? dc fd ff ff 50 8d ?? d8 fd ff ff 50 e8 ?? ?? ?? ?? 8a 00 53 68 ?? ?? ?? ?? 56
ff b? ?? ?? ?? ?? a2 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 18 53 ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53
53 ff 15 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? a3 ?? ?? ?? ?? 83 f8
ff 74 ?? 6a 01 50 ff 15 ?? ?? ?? ?? }
$ = { 83 c4 10 ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff b?
$ = { 83 c4 10 ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff b?
?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? }
/*
MOV DL ,byte ptr SS :[EAX + EBP *0x1 + 0xffffff00 ]
MOV DH ,byte ptr SS :[EBX + EBP *0x1 + 0xffffff00 ]
MOV byte ptr SS :[EAX + EBP *0x1 + 0xffffff00 ],DH
MOV byte ptr SS :[EBX + EBP *0x1 + 0xffffff00 ],DL
*/
$ = { 36 8a 94 28 00 ff ff ff 02 da 36 8a b4 2b 00 ff ff ff 36 88 b4 28 00 ff ff ff 36 88 94 2b 00 ff ff ff }
condition:
any of them
}
6 changes: 3 additions & 3 deletions data/yara/CAPE/Arcom.yar
Expand Up @@ -6,15 +6,15 @@ rule Arcom
maltype = "Remote Access Trojan"
filetype = "exe"
cape_type = "Arcom Payload"

strings:
$a1 = "CVu3388fnek3W(3ij3fkp0930di"
$a2 = "ZINGAWI2"
$a3 = "clWebLightGoldenrodYellow"
$a4 = "Ancestor for '%s' not found" wide
$a5 = "Control-C hit" wide
$a6 = {A3 24 25 21}
condition:
all of them
}
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/Avaddon.yar
Expand Up @@ -15,7 +15,7 @@ rule Avaddon {
$s9 = ".?AUANEventIsGetExternalIP@@" fullword ascii
$s10 = ".?AUANEventGetCpuMax@@" fullword ascii
$s11 = "\"hdd\":\"" fullword ascii
$s12 = "\"ext\":\"" fullword ascii wide
$s12 = "\"ext\":\"" fullword ascii wide
condition:
uint16(0) == 0x5a4d and 8 of them
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/Avalon.yar
Expand Up @@ -27,5 +27,5 @@ rule Avalon {
$p1 = "^(?!:\\/\\/)([a-zA-Z0-9-_]+\\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\\.[a-zA-Z]{2,11}?$" wide
$p2 = "^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$" wide
condition:
uint16(0) == 0x5a4d and 8 of them
uint16(0) == 0x5a4d and 8 of them
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/BackOffLoader.yar
Expand Up @@ -11,4 +11,4 @@ rule BackOffLoader
$str4 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
condition:
all of them
}
}
6 changes: 3 additions & 3 deletions data/yara/CAPE/Bandook.yar
Expand Up @@ -7,7 +7,7 @@ rule Bandook
maltype = "Remote Access Trojan"
filetype = "exe"
cape_type = "Bandook Payload"

strings:
$a = "aaaaaa1|"
$b = "aaaaaa2|"
Expand All @@ -19,9 +19,9 @@ rule Bandook
$h = "givemecache"
$i = "%s\\system32\\drivers\\blogs\\*"
$j = "bndk13me"
condition:
all of them
}
6 changes: 3 additions & 3 deletions data/yara/CAPE/BlackNix.yar
Expand Up @@ -6,15 +6,15 @@ rule BlackNix
maltype = "Remote Access Trojan"
filetype = "exe"
cape_type = "BlackNix Payload"

strings:
$a1 = "SETTINGS" wide
$a2 = "Mark Adler"
$a3 = "Random-Number-Here"
$a4 = "RemoteShell"
$a5 = "SystemInfo"
condition:
all of them
}
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/BlackShades.yar
Expand Up @@ -12,4 +12,4 @@ rule BlackShades
$string3 = "UDPFlood"
condition:
all of them
}
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/BlueBanana.yar
Expand Up @@ -15,7 +15,7 @@ rule BlueBanana
$c = "a/a/a/b/q.class"
$d = "a/a/a/b/v.class"
condition:
all of them
}
4 changes: 2 additions & 2 deletions data/yara/CAPE/Bozok.yar
Expand Up @@ -13,7 +13,7 @@ rule Bozok
$c = "SendCamList" nocase
$d = "untPlugin" nocase
$e = "gethostbyname" nocase
condition:
all of them
}
}
4 changes: 2 additions & 2 deletions data/yara/CAPE/Chuwi.yar
Expand Up @@ -12,7 +12,7 @@ rule Chuwi {
$cmd6 = "exe_link" fullword ascii
$cmd7 = "shellCommand" fullword ascii
$cmd8 = "R_CMMAND" fullword ascii
$cnc1 = "/check_command.php?HWID=" ascii
$cnc2 = "&act=get_command" ascii
$cnc3 = "/get_command.php?hwid=" ascii
Expand All @@ -21,7 +21,7 @@ rule Chuwi {
$cnc6 = "&command=open_link" ascii
$cnc7 = "&command=down_exec" ascii
$cnc8 = "&command=shell" ascii
$pdb = "\\Users\\CHUWI\\Documents\\CPROJ\\Downloader\\svchost" ascii
condition:
uint16(0) == 0x5a4d and ($pdb or 5 of ($cmd*) or 4 of ($cnc*) or 8 of them)
6 changes: 3 additions & 3 deletions data/yara/CAPE/Confucius_B.yar
Expand Up @@ -7,12 +7,12 @@ meta:
reference = "https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/"
tlp = "White"
cape_type = "Confucius_B Payload"

strings:
$ = "----BONE-79A8DE0E314C50503FF2378aEB126363-" ascii wide
$ = "----MUETA-%.08x%.04x%.04x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x-" ascii wide
$ = "C:\\Users\\DMITRY-PC\\Documents\\JKE-Agent-Win32\\JKE_Agent_DataCollectorPlugin\\output\\Debug\\JKE_Agent_DumbTestPlugin.dll" ascii wide
condition:
any of them
}
}
4 changes: 2 additions & 2 deletions data/yara/CAPE/CryLock.yar
Expand Up @@ -6,7 +6,7 @@ meta:
date = "2020-09"
tlp = "White"
cape_type = "CryLock payload"

strings:
$ = "///END ENCRYPT ONLY EXTENATIONS" ascii wide
$ = "///END UNENCRYPT EXTENATIONS" ascii wide
Expand All @@ -21,4 +21,4 @@ strings:
condition:
2 of them
}
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/CryptBot.yar
Expand Up @@ -23,7 +23,7 @@ rule CryptBot {
$f5 = "*pass*.txt" fullword wide
$f6 = "*bitcoin*.txt" fullword wide
$p1 = "%USERPROFILE%\\Desktop\\*.txt" fullword wide
$p2 = "%USERPROFILE%\\Desktop\\secret.txt" fullword wide
$p2 = "%USERPROFILE%\\Desktop\\secret.txt" fullword wide
$p3 = "%USERPROFILE%\\Desktop\\report.doc" fullword wide
$v2_1 = "%02d.%02d.%4d [%02d:%02d:%02d] UTC: %s%02d:%02d %wS" fullword wide
$v2_2 = "UserName [ComputerName]:" fullword wide
2 changes: 1 addition & 1 deletion data/yara/CAPE/DarkRAT.yar
Expand Up @@ -18,4 +18,4 @@ rule DarkRAT
condition:
all of them
}
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/Dharma.yara
Expand Up @@ -2,7 +2,7 @@ rule Dharma {
meta:
author = "ditekSHen"
description = "Detects Dharma ransomware"
cape_type = "Dharma Payload"
cape_type = "Dharma Payload"
strings:
$s1 = "C:\\crysis\\Release\\PDB\\payload.pdb" fullword ascii
condition:
6 changes: 3 additions & 3 deletions data/yara/CAPE/Dridex.yar
Expand Up @@ -11,12 +11,12 @@ rule Dridex
$crypt_32_v3 = {56 57 53 55 81 EC 08 02 00 00 8B E9 8B FA 85 ED 74 19 85 FF 74 15 83 BC 24 1C 02 00 00 00 74 0B 8B 9C 24 20 02 00 00 85 DB 75 0D}
$crypt_64_v1 = {41 54 41 55 41 56 41 57 48 81 EC 48 02 00 00 49 89 CE 45 89 CC 4D 89 C5 41 89 D7 4D 85 F6 0F 84 41 02 00 00 45 85 FF 0F 84 38 02 00 00 4D 85 ED 0F 84 2F 02 00 00 45 85 E4 0F 84 26 02 00}
condition:
//check for MZ Signature at offset 0
uint16(0) == 0x5A4D
uint16(0) == 0x5A4D
and
and
($crypt_32_v1 or $crypt_32_v2 or $crypt_32_v3 or $crypt_64_v1)
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/Duke.yar
Expand Up @@ -55,7 +55,7 @@ rule PolyglotDuke {
condition:
uint16(0) == 0x5a4d and (all of ($s*)) or
(
2 of them and
2 of them and
pe.exports("InitSvc")
)
}
2 changes: 1 addition & 1 deletion data/yara/CAPE/Egregor.yar
Expand Up @@ -28,7 +28,7 @@ rule Egregor {
condition:
(uint16(0) == 0x5a4d and pe.is_dll() and ((all of ($s*) and 1 of ($p*)) or
(
2 of them and filesize < 1000KB and
2 of them and filesize < 1000KB and
for any i in (0 .. pe.number_of_sections) : (
(
pe.sections[i].name == ".00cfg"
2 changes: 1 addition & 1 deletion data/yara/CAPE/EnigmaStub.yar
Expand Up @@ -6,7 +6,7 @@ meta:
date = "2020-03"
tlp = "White"

strings:
strings:
$ = "Enigma anti-emulators plugin - GetProcAddress" ascii wide
$ = "Enigma anti-debugger plugin - CheckRemoteDebuggerPresent" ascii wide
$ = "Enigma anti-debugger plugin - IsDebuggerPresent" ascii wide
4 changes: 2 additions & 2 deletions data/yara/CAPE/EvilGrab.yar
Expand Up @@ -11,9 +11,9 @@ rule EvilGrab
condition:
//check for MZ Signature at offset 0
uint16(0) == 0x5A4D
uint16(0) == 0x5A4D
and
and
$configure1 or $configure2 or $configure3
}

