style: Automatic code formatting
actions-user committed Mar 7, 2024
1 parent 1d5e2cd commit 98d36e3
Showing 12 changed files with 153 additions and 136 deletions.
7 changes: 4 additions & 3 deletions modules/signatures/binary_yara.py
Expand Up @@ -15,6 +15,7 @@

from lib.cuckoo.common.abstracts import Signature


class BinaryTriggeredYARA(Signature):
name = "binary_yara"
description = "Binary file triggered YARA rule"
Expand All @@ -23,7 +24,7 @@ class BinaryTriggeredYARA(Signature):
weight = 1
enabled = True
categories = ["static"]
authors = ["Yasin Tas", "Eye Security"]
authors = ["Yasin Tas", "Eye Security"]
minimum = "1.3"

def run(self):
Expand All @@ -37,7 +38,7 @@ def run(self):
if count > 1:
self.description = "Binary file triggered multiple YARA rules"
elif count > 3:
self.weight = 3
self.weight = 3
return True
else:
return False
return False
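Review bot: The `elif count > 3:` branch in BinaryTriggeredYARA.run can never execute, because any count greater than 3 already satisfies the preceding `if count > 1:`, so `self.weight = 3` and the `return True` under it are dead code that the formatter preserved as-is. Reordering the tests so the stricter one comes first — `if count > 3:` with the weight bump and `return True`, then `elif count > 1:` for the multiple-rules description — makes the weight adjustment reachable. As rendered (indentation is not visible here), the `count > 1` branch also appears to set only the description and fall out of the chain without returning True, which would leave the signature returning None for two or three matches; worth confirming against the file. run()'s body begins outside this hunk.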
68 changes: 34 additions & 34 deletions modules/signatures/credential_access_phishingkit.py
Expand Up @@ -13,29 +13,29 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

from lib.cuckoo.common.abstracts import Signature

import re

from lib.cuckoo.common.abstracts import Signature

try:
from chepy import Chepy
except ImportError:
raise ImportError("Please install chepy")

import base64


class HTMLPhisher_0(Signature):
name = "phishing_kit_detected"
description = "Phishing Kit Detected, sample is trying to harvest credentials"
severity = 3
confidence = 100
categories = ["credential_access","evasion","infostealer","phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
categories = ["credential_access", "evasion", "infostealer", "phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
references = [
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/"
"https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
]
"https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files",
]
enabled = True
minimum = "1.2"
ttps = ["T1111", "T1193", "T1140"] # MITRE v6
Expand All @@ -47,20 +47,20 @@ def run(self):
if self.results["info"]["package"] == "edge" or self.results["info"]["package"] == "html":
if "strings" not in self.results["target"]["file"] or self.results["target"]["file"]["strings"] == []:
return False
strings = self.results["target"]["file"]["strings"]
strings = self.results["target"]["file"]["strings"]
regex_decodedURL = r"unescape\( \'([^&]+?)\' \) \);</script>"
data = ''.join(strings)
decodeString = re.search(regex_decodedURL,data)
data = "".join(strings)
decodeString = re.search(regex_decodedURL, data)
if decodeString:
self.description = "File obfuscation detected, with url encoding"
decodeString = decodeString.group(1)
decoded_string = Chepy(decodeString).url_decode().url_decode().o
regex_user = r'var encoded_string = "([^&]+?)"'
regex_url = r"var url = window.atob\('([^&]+?)'\)"
regex_post_url = r'window\.location\.href="([^&]+.*)";'
user = re.search(regex_user,decoded_string)
url = re.search(regex_url,decoded_string)
post_url = re.search(regex_post_url,decoded_string)
user = re.search(regex_user, decoded_string)
url = re.search(regex_url, decoded_string)
post_url = re.search(regex_post_url, decoded_string)
if user and url and post_url:
self.weight = 3
self.families = ["HTMLPhisher_2023"]
Expand All @@ -71,17 +71,17 @@ def run(self):
return True
return False


class HTMLPhisher_1(Signature):
name = "phishing_kit_detected"
description = "Phishing Kit Detected, sample is trying to harvest credentials"
severity = 3
confidence = 100
categories = ["credential_access","evasion","infostealer","phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
categories = ["credential_access", "evasion", "infostealer", "phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
references = [
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/"
"https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files",
]
enabled = True
minimum = "1.2"
Expand All @@ -95,23 +95,23 @@ def run(self):
if "strings" not in self.results["target"]["file"] or self.results["target"]["file"]["strings"] == []:
return False
strings = self.results["target"]["file"]["strings"]
data = ''.join(strings)
regex_decoded = [
data = "".join(strings)
regex_decoded = [
r"unescape\(\'([^&]+?)\'\)\); </script>",
r"unescape\( \'([^&]+?)\' \) \);</script>",
r"unescape\(\'([^&]+?)\'\) \);</script>",
r"unescape\( \'([^&]+?)\'\) \);</script>",
]
for regex in regex_decoded:
decodeString = re.search(regex,data)
decodeString = re.search(regex, data)
if decodeString:
decodeString = decodeString.group(1)
decoded_string = Chepy(decodeString).url_decode().url_decode().o
self.description = "File obfuscation detected, with url encoding"
regex_user = r'value="([^&]+?)"'
regex_url = r"url: '([^&]+?)',"
user = re.search(regex_user,decoded_string)
url = re.search(regex_url,decoded_string)
user = re.search(regex_user, decoded_string)
url = re.search(regex_url, decoded_string)
if user and url:
self.weight = 3
self.families = ["HTMLPhisher_2023"]
Expand All @@ -120,18 +120,18 @@ def run(self):
self.data.append({"user": user.group(1)})
return True
return False



class HTMLPhisher_2(Signature):
name = "phishing_kit_detected"
description = "Phishing Kit Detected, sample is trying to harvest credentials"
severity = 3
confidence = 100
categories = ["credential_access","evasion","infostealer","phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
categories = ["credential_access", "evasion", "infostealer", "phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
references = [
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/"
"https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files",
]
enabled = True
minimum = "1.2"
Expand All @@ -145,17 +145,17 @@ def run(self):
if "strings" not in self.results["target"]["file"] or self.results["target"]["file"]["strings"] == []:
return False
strings = self.results["target"]["file"]["strings"]
data = ''.join(strings)
data = "".join(strings)

regex_user = r"<input name=\"login\" type=\"email\" value=\"([^&]+?)\" disabled>"
regex_url = r"<form method=\"post\" action=\"([^&]+?)\">"
user = re.search(regex_user,data)
url = re.search(regex_url,data)
user = re.search(regex_user, data)
url = re.search(regex_url, data)
if user and url:
self.weight = 3
self.families = ["HTMLPhisher_2023"]
self.description = "Phishing kit detected, extracted config from sample"
self.data.append({"url": url.group(1)})
self.data.append({"user": user.group(1)})
return True
return False
return False
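Review bot: The `references` entry `"https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files",` is two adjacent string literals with no comma between them, so Python concatenates them into one bogus URL and the list holds two entries instead of the three the original layout intended; the formatter only exposed the pre-existing missing comma by joining the lines. The same slip appears in all three `HTMLPhisher_*` classes in this file and in the three classes of modules/signatures/suspicious_html.py. Splitting it back into `"https://socradar.io/what-is-a-phishing-kit/",` and `"https://github.com/SteveD3/kit_hunter/tree/master/tag_files",` on separate lines fixes it. Enabling an implicit-string-concatenation lint (ruff ISC001) would flag this class of defect before a formatter hides it.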
113 changes: 55 additions & 58 deletions modules/signatures/suspicious_html.py
Expand Up @@ -13,48 +13,47 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

from lib.cuckoo.common.abstracts import Signature

import re

from lib.cuckoo.common.abstracts import Signature


class suspiciousHRML_Body(Signature):
name = "suspicious_html_body"
description = "Sample contains suspicious HTML body"
severity = 1
confidence = 100
categories = ["phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
authors = ["Yasin Tas", "Eye Security"]
references = [
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/"
"https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files",
]
enabled = True
evented = True
minimum = "1.2"
ttps = ["T1566.001"] # MITRE v6,7,8
mbcs = ["C0029.003"] # micro-behaviour

def run(self):
packages = ['html', 'edge', 'chrome', 'firefox']
packages = ["html", "edge", "chrome", "firefox"]
indicators = [
'password',
'email',
'username',
'encoded_string',
'url',
'// remove email, and put ur mailer code',
'headers'
'tokenName',
'headers',
]
"password",
"email",
"username",
"encoded_string",
"url",
"// remove email, and put ur mailer code",
"headers" "tokenName",
"headers",
]
if self.results["info"]["package"] in packages:
if "strings" in self.results["target"]["file"]:
strings = self.results["target"]["file"]["strings"]
data = ''.join(strings)
data = "".join(strings)
for indicator in indicators:
if indicator in data:
self.add_match(None, 'string', f'Found {indicator} in HTML body')
self.add_match(None, "string", f"Found {indicator} in HTML body")
return self.has_matches()


Expand All @@ -64,79 +63,77 @@ class suspiciousHTML_Title(Signature):
severity = 1
confidence = 100
categories = ["phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
authors = ["Yasin Tas", "Eye Security"]
references = [
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/"
"https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files",
]
enabled = True
minimum = "1.2"
ttps = ["T1566.001"] # MITRE v6,7,8
mbcs = ["C0029.003"] # micro-behaviour

def run(self):
packages = ['html', 'edge', 'chrome', 'firefox']

packages = ["html", "edge", "chrome", "firefox"]
indicators = [
'Please wait',
'Sign in',
'<title></title>', # Empty title
'Redirecting',
]
title_regex = re.compile(r'<\s*title[^>]*>(.*?)<\/\s*title\s*>')
"Please wait",
"Sign in",
"<title></title>", # Empty title
"Redirecting",
]

title_regex = re.compile(r"<\s*title[^>]*>(.*?)<\/\s*title\s*>")

if self.results["info"]["package"] in packages:
if "strings" in self.results["target"]["file"]:
strings = self.results["target"]["file"]["strings"]
data = ''.join(strings)
data = "".join(strings)
title = title_regex.search(data)
if not title:
self.description = "Sample contains empty HTML title"
self.add_match(None, 'string', 'Empty HTML title')
self.add_match(None, "string", "Empty HTML title")
else:
for indicator in indicators:
if indicator in title.group(1):
self.add_match(None, 'string', f'Found {indicator} in HTML title')
self.add_match(None, "string", f"Found {indicator} in HTML title")

return self.has_matches()


class suspiciousHTML_Filename(Signature):
name = "suspicious_html_name"
description = "Sample contains suspicious HTML name"
severity = 1
confidence = 80
categories = ["phishing", "static"]
authors = ["Yasin Tas", "Eye Security"]
authors = ["Yasin Tas", "Eye Security"]
references = [
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/"
"https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
"https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
"https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files",
]
enabled = True
enabled = True
minimum = "1.2"
ttps = ["T1566.001"] # MITRE v6,7,8
mbcs = ["C0029.003"] # micro-behaviour

def run(self):
packages = ['html', 'edge', 'chrome', 'firefox']
packages = ["html", "edge", "chrome", "firefox"]
indicators = [
'payment',
'remittence',
'remmitance '
'invoice',
'inv',
'voicemail',
'remit',
'voice',
'statement',
]

"payment",
"remittence",
"remmitance " "invoice",
"inv",
"voicemail",
"remit",
"voice",
"statement",
]

if self.results["info"]["package"] in packages:
name = self.results["target"]["file"]["name"]
lower = name.lower()
for indicator in indicators:
if indicator in lower:
self.add_match(None, 'string', f'Found {indicator} in HTML name')
return self.has_matches()
self.add_match(None, "string", f"Found {indicator} in HTML name")
return self.has_matches()
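Review bot: The `indicators` entry `"headers" "tokenName",` in suspiciousHRML_Body.run is an implicit concatenation, so the list contains the never-matching string `headerstokenName` and `tokenName` is silently dropped as a detection indicator (the separate `"headers"` entry on the next line is the only reason `headers` still matches). The same slip in suspiciousHTML_Filename.run yields `"remmitance invoice"` in place of two indicators, and the `references` lists of all three classes carry it as well. Restoring the missing commas — `"headers",` / `"tokenName",` and `"remmitance ",` / `"invoice",` — returns the lists to what the original layout intended. Separately, `"remittence"` and `"remmitance "` both look like misspellings of "remittance", which would mean neither entry matches a correctly spelled filename; confirm whether the misspellings are deliberate lures. The class name `suspiciousHRML_Body` also reads as a typo for HTML, though renaming is only safe if nothing references it by name.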