Merge pull request #453 from kevross33/patch-62

Update packer_yoda.py
CAPESandbox · Oct 5, 2024 · 5a6c536 · 5a6c536
2 parents 38cf48d + a3e4834
commit 5a6c536
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/modules/signatures/all/packer_yoda.py b/modules/signatures/all/packer_yoda.py
@@ -15,7 +15,6 @@
 
 from lib.cuckoo.common.abstracts import Signature
 
-
 class YodaPacked(Signature):
     name = "packer_yoda"
     description = "Executable file is packed/obfuscated with Y0da"
@@ -29,9 +28,15 @@ class YodaPacked(Signature):
     mbcs = ["OB0001", "OB0002", "OB0006", "F0001"]
 
     def run(self):
-        for section in self.results.get("static", {}).get("pe", {}).get("sections", []):
-            if section["name"].startswith(".yP") or section["name"].startswith(".y0da"):
-                self.data.append({"section": section})
-                return True
+        ret = False
+
+        target = self.results.get("target", {})
+        if target.get("category") in ("file", "static") and target.get("file"):
+            pe = self.results["target"]["file"].get("pe", [])
+            if pe:
+                for section in pe["sections"]:
+                    if section["name"].startswith(".yP") or section["name"].startswith(".y0da"):
+                        self.data.append({"section": section})
+                        ret = True         
 
-        return False
+        return ret