diff --git a/modules/signatures/all/flarecapa_lib.py b/modules/signatures/all/flarecapa_lib.py
index 83147cea..c11dc8d6 100644
--- a/modules/signatures/all/flarecapa_lib.py
+++ b/modules/signatures/all/flarecapa_lib.py
@@ -15,6 +15,7 @@ from lib.cuckoo.common.abstracts import Signature
+
 class FlareCAPALib(Signature):
 name = "flare_capa_lib"
 description = "CAPA detected interesting code functions"
@@ -26,20 +27,20 @@ class FlareCAPALib(Signature):
 def run(self):
 ret = False
-
+
 target = self.results.get("target", {})
 if target.get("category") in ("file", "static") and target.get("file"):
- capa = self.results["target"]["file"].get("flare_capa", [])
+ capa = self.results["target"]["file"].get("flare_capa", [])
 if capa:
 samplesha256 = capa["sha256"]
 capabilities = capa["CAPABILITY"]
 for namespace, capability in capabilities.items():
 if "lib" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({"target": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
-
- for block in self.results.get("CAPE", {}).get("payloads", []) or []:
+
+ for block in self.results.get("CAPE", {}).get("payloads", []) or []:
 capa = block.get("flare_capa", [])
 if capa:
 samplesha256 = capa["sha256"]
@@ -47,7 +48,7 @@ def run(self):
 for namespace, capability in capabilities.items():
 if "lib" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({"payload": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
 for keyword in ("procdump", "procmemory", "extracted", "dropped"):
@@ -62,7 +63,7 @@ def run(self):
 for namespace, capability in capabilities.items():
 if "lib" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({keyword: "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
-
+
 return ret
diff --git a/modules/signatures/all/flarecapa_persistence.py b/modules/signatures/all/flarecapa_persistence.py
index cf39a5ea..dffa0c88 100644
--- a/modules/signatures/all/flarecapa_persistence.py
+++ b/modules/signatures/all/flarecapa_persistence.py
@@ -15,6 +15,7 @@ from lib.cuckoo.common.abstracts import Signature
+
 class FlareCAPAPersistence(Signature):
 name = "flare_capa_persistence"
 description = "CAPA detected persistence capabilities"
@@ -27,20 +28,20 @@ class FlareCAPAPersistence(Signature):
 def run(self):
 ret = False
-
+
 target = self.results.get("target", {})
 if target.get("category") in ("file", "static") and target.get("file"):
- capa = self.results["target"]["file"].get("flare_capa", [])
+ capa = self.results["target"]["file"].get("flare_capa", [])
 if capa:
 samplesha256 = capa["sha256"]
 capabilities = capa["CAPABILITY"]
 for namespace, capability in capabilities.items():
 if "persistence" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({"target": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
-
- for block in self.results.get("CAPE", {}).get("payloads", []) or []:
+
+ for block in self.results.get("CAPE", {}).get("payloads", []) or []:
 capa = block.get("flare_capa", [])
 if capa:
 samplesha256 = capa["sha256"]
@@ -48,7 +49,7 @@ def run(self):
 for namespace, capability in capabilities.items():
 if "persistence" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({"payload": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
 for keyword in ("procdump", "procmemory", "extracted", "dropped"):
@@ -63,7 +64,7 @@ def run(self):
 for namespace, capability in capabilities.items():
 if "persistence" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({keyword: "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
-
+
 return ret
diff --git a/modules/signatures/all/flarecapa_runtime.py b/modules/signatures/all/flarecapa_runtime.py
index 2b0831e5..f5f50f33 100644
--- a/modules/signatures/all/flarecapa_runtime.py
+++ b/modules/signatures/all/flarecapa_runtime.py
@@ -15,6 +15,7 @@ from lib.cuckoo.common.abstracts import Signature
+
 class FlareCAPARuntime(Signature):
 name = "flare_capa_runtime"
 description = "CAPA detected runtime code"
@@ -27,20 +28,20 @@ class FlareCAPARuntime(Signature):
 def run(self):
 ret = False
-
+
 target = self.results.get("target", {})
 if target.get("category") in ("file", "static") and target.get("file"):
- capa = self.results["target"]["file"].get("flare_capa", [])
+ capa = self.results["target"]["file"].get("flare_capa", [])
 if capa:
 samplesha256 = capa["sha256"]
 capabilities = capa["CAPABILITY"]
 for namespace, capability in capabilities.items():
 if "runtime" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({"target": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
-
- for block in self.results.get("CAPE", {}).get("payloads", []) or []:
+
+ for block in self.results.get("CAPE", {}).get("payloads", []) or []:
 capa = block.get("flare_capa", [])
 if capa:
 samplesha256 = capa["sha256"]
@@ -48,7 +49,7 @@ def run(self):
 for namespace, capability in capabilities.items():
 if "runtime" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({"payload": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
 for keyword in ("procdump", "procmemory", "extracted", "dropped"):
@@ -63,7 +64,7 @@ def run(self):
 for namespace, capability in capabilities.items():
 if "runtime" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({keyword: "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
-
+
 return ret
diff --git a/modules/signatures/all/flarecapa_targeting.py b/modules/signatures/all/flarecapa_targeting.py
index e674b82f..b63ab723 100644
--- a/modules/signatures/all/flarecapa_targeting.py
+++ b/modules/signatures/all/flarecapa_targeting.py
@@ -15,6 +15,7 @@ from lib.cuckoo.common.abstracts import Signature
+
 class FlareCAPATargeting(Signature):
 name = "flare_capa_targeting"
 description = "CAPA detected specific system targeting capabilities"
@@ -27,20 +28,20 @@ class FlareCAPATargeting(Signature):
 def run(self):
 ret = False
-
+
 target = self.results.get("target", {})
 if target.get("category") in ("file", "static") and target.get("file"):
- capa = self.results["target"]["file"].get("flare_capa", [])
+ capa = self.results["target"]["file"].get("flare_capa", [])
 if capa:
 samplesha256 = capa["sha256"]
 capabilities = capa["CAPABILITY"]
 for namespace, capability in capabilities.items():
 if "targeting" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({"target": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
-
- for block in self.results.get("CAPE", {}).get("payloads", []) or []:
+
+ for block in self.results.get("CAPE", {}).get("payloads", []) or []:
 capa = block.get("flare_capa", [])
 if capa:
 samplesha256 = capa["sha256"]
@@ -48,7 +49,7 @@ def run(self):
 for namespace, capability in capabilities.items():
 if "targeting" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({"payload": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
 for keyword in ("procdump", "procmemory", "extracted", "dropped"):
@@ -63,7 +64,7 @@ def run(self):
 for namespace, capability in capabilities.items():
 if "targeting" in namespace:
 ret = True
- joined = ', '.join(capability)
+ joined = ", ".join(capability)
 self.data.append({keyword: "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})
-
+
 return ret