From 98d36e3f78dbc8b43f6a09a3864e8860541b87db Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 7 Mar 2024 07:01:53 +0000 Subject: [PATCH] style: Automatic code formatting --- modules/signatures/binary_yara.py | 7 +- .../credential_access_phishingkit.py | 68 +++++------ modules/signatures/suspicious_html.py | 113 +++++++++--------- .../signatures/windows/antivm_generic_cpu.py | 16 +-- .../signatures/windows/antivm_generic_disk.py | 2 +- .../windows/antivm_generic_system.py | 21 ++-- modules/signatures/windows/browser_proxy.py | 2 +- modules/signatures/windows/http_request.py | 2 +- .../signatures/windows/infostealer_cookies.py | 27 +++-- .../windows/network_docfile_http.py | 5 +- .../windows/network_payload_download.py | 1 + .../signatures/windows/windows_utilities.py | 25 ++-- 12 files changed, 153 insertions(+), 136 deletions(-) diff --git a/modules/signatures/binary_yara.py b/modules/signatures/binary_yara.py index 5000e999..9da0df8a 100644 --- a/modules/signatures/binary_yara.py +++ b/modules/signatures/binary_yara.py @@ -15,6 +15,7 @@ from lib.cuckoo.common.abstracts import Signature + class BinaryTriggeredYARA(Signature): name = "binary_yara" description = "Binary file triggered YARA rule" @@ -23,7 +24,7 @@ class BinaryTriggeredYARA(Signature): weight = 1 enabled = True categories = ["static"] - authors = ["Yasin Tas", "Eye Security"] + authors = ["Yasin Tas", "Eye Security"] minimum = "1.3" def run(self): @@ -37,7 +38,7 @@ def run(self): if count > 1: self.description = "Binary file triggered multiple YARA rules" elif count > 3: - self.weight = 3 + self.weight = 3 return True else: - return False \ No newline at end of file + return False diff --git a/modules/signatures/credential_access_phishingkit.py b/modules/signatures/credential_access_phishingkit.py index 43097bc5..f408bfcf 100644 --- a/modules/signatures/credential_access_phishingkit.py +++ b/modules/signatures/credential_access_phishingkit.py @@ -13,10 +13,10 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -from lib.cuckoo.common.abstracts import Signature - import re +from lib.cuckoo.common.abstracts import Signature + try: from chepy import Chepy except ImportError: @@ -24,18 +24,18 @@ import base64 + class HTMLPhisher_0(Signature): name = "phishing_kit_detected" description = "Phishing Kit Detected, sample is trying to harvest credentials" severity = 3 confidence = 100 - categories = ["credential_access","evasion","infostealer","phishing", "static"] - authors = ["Yasin Tas", "Eye Security"] + categories = ["credential_access", "evasion", "infostealer", "phishing", "static"] + authors = ["Yasin Tas", "Eye Security"] references = [ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", - "https://socradar.io/what-is-a-phishing-kit/" - "https://github.com/SteveD3/kit_hunter/tree/master/tag_files" - ] + "https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files", + ] enabled = True minimum = "1.2" ttps = ["T1111", "T1193", "T1140"] # MITRE v6 @@ -47,10 +47,10 @@ def run(self): if self.results["info"]["package"] == "edge" or self.results["info"]["package"] == "html": if "strings" not in self.results["target"]["file"] or self.results["target"]["file"]["strings"] == []: return False - strings = self.results["target"]["file"]["strings"] + strings = self.results["target"]["file"]["strings"] regex_decodedURL = r"unescape\( \'([^&]+?)\' \) \);" - data = ''.join(strings) - decodeString = re.search(regex_decodedURL,data) + data = "".join(strings) + decodeString = re.search(regex_decodedURL, data) if decodeString: self.description = "File obfuscation detected, with url encoding" decodeString = decodeString.group(1) @@ -58,9 +58,9 @@ def run(self): regex_user = r'var encoded_string = "([^&]+?)"' regex_url = r"var url = window.atob\('([^&]+?)'\)" regex_post_url = r'window\.location\.href="([^&]+.*)";' - user = re.search(regex_user,decoded_string) - url = re.search(regex_url,decoded_string) - post_url = re.search(regex_post_url,decoded_string) + user = re.search(regex_user, decoded_string) + url = re.search(regex_url, decoded_string) + post_url = re.search(regex_post_url, decoded_string) if user and url and post_url: self.weight = 3 self.families = ["HTMLPhisher_2023"] @@ -71,17 +71,17 @@ def run(self): return True return False + class HTMLPhisher_1(Signature): name = "phishing_kit_detected" description = "Phishing Kit Detected, sample is trying to harvest credentials" severity = 3 confidence = 100 - categories = ["credential_access","evasion","infostealer","phishing", "static"] - authors = ["Yasin Tas", "Eye Security"] + categories = ["credential_access", "evasion", "infostealer", "phishing", "static"] + authors = ["Yasin Tas", "Eye Security"] references = [ - "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", - "https://socradar.io/what-is-a-phishing-kit/" - "https://github.com/SteveD3/kit_hunter/tree/master/tag_files" + "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", + "https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files", ] enabled = True minimum = "1.2" @@ -95,23 +95,23 @@ def run(self): if "strings" not in self.results["target"]["file"] or self.results["target"]["file"]["strings"] == []: return False strings = self.results["target"]["file"]["strings"] - data = ''.join(strings) - regex_decoded = [ + data = "".join(strings) + regex_decoded = [ r"unescape\(\'([^&]+?)\'\)\); ", r"unescape\( \'([^&]+?)\' \) \);", r"unescape\(\'([^&]+?)\'\) \);", r"unescape\( \'([^&]+?)\'\) \);", ] for regex in regex_decoded: - decodeString = re.search(regex,data) + decodeString = re.search(regex, data) if decodeString: decodeString = decodeString.group(1) decoded_string = Chepy(decodeString).url_decode().url_decode().o self.description = "File obfuscation detected, with url encoding" regex_user = r'value="([^&]+?)"' regex_url = r"url: '([^&]+?)'," - user = re.search(regex_user,decoded_string) - url = re.search(regex_url,decoded_string) + user = re.search(regex_user, decoded_string) + url = re.search(regex_url, decoded_string) if user and url: self.weight = 3 self.families = ["HTMLPhisher_2023"] @@ -120,18 +120,18 @@ def run(self): self.data.append({"user": user.group(1)}) return True return False - + + class HTMLPhisher_2(Signature): name = "phishing_kit_detected" description = "Phishing Kit Detected, sample is trying to harvest credentials" severity = 3 confidence = 100 - categories = ["credential_access","evasion","infostealer","phishing", "static"] - authors = ["Yasin Tas", "Eye Security"] + categories = ["credential_access", "evasion", "infostealer", "phishing", "static"] + authors = ["Yasin Tas", "Eye Security"] references = [ - "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", - "https://socradar.io/what-is-a-phishing-kit/" - "https://github.com/SteveD3/kit_hunter/tree/master/tag_files" + "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", + "https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files", ] enabled = True minimum = "1.2" @@ -145,12 +145,12 @@ def run(self): if "strings" not in self.results["target"]["file"] or self.results["target"]["file"]["strings"] == []: return False strings = self.results["target"]["file"]["strings"] - data = ''.join(strings) - + data = "".join(strings) + regex_user = r"" regex_url = r"
" - user = re.search(regex_user,data) - url = re.search(regex_url,data) + user = re.search(regex_user, data) + url = re.search(regex_url, data) if user and url: self.weight = 3 self.families = ["HTMLPhisher_2023"] @@ -158,4 +158,4 @@ def run(self): self.data.append({"url": url.group(1)}) self.data.append({"user": user.group(1)}) return True - return False \ No newline at end of file + return False diff --git a/modules/signatures/suspicious_html.py b/modules/signatures/suspicious_html.py index 18e91656..393d3f86 100644 --- a/modules/signatures/suspicious_html.py +++ b/modules/signatures/suspicious_html.py @@ -13,48 +13,47 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -from lib.cuckoo.common.abstracts import Signature - import re +from lib.cuckoo.common.abstracts import Signature + + class suspiciousHRML_Body(Signature): name = "suspicious_html_body" description = "Sample contains suspicious HTML body" severity = 1 confidence = 100 categories = ["phishing", "static"] - authors = ["Yasin Tas", "Eye Security"] + authors = ["Yasin Tas", "Eye Security"] references = [ - "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", - "https://socradar.io/what-is-a-phishing-kit/" - "https://github.com/SteveD3/kit_hunter/tree/master/tag_files" + "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", + "https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files", ] enabled = True evented = True minimum = "1.2" ttps = ["T1566.001"] # MITRE v6,7,8 mbcs = ["C0029.003"] # micro-behaviour - + def run(self): - packages = ['html', 'edge', 'chrome', 'firefox'] + packages = ["html", "edge", "chrome", "firefox"] indicators = [ - 'password', - 'email', - 'username', - 'encoded_string', - 'url', - '// remove email, and put ur mailer code', - 'headers' - 'tokenName', - 'headers', - ] + "password", + "email", + "username", + "encoded_string", + "url", + "// remove email, and put ur mailer code", + "headers" "tokenName", + "headers", + ] if self.results["info"]["package"] in packages: if "strings" in self.results["target"]["file"]: strings = self.results["target"]["file"]["strings"] - data = ''.join(strings) + data = "".join(strings) for indicator in indicators: if indicator in data: - self.add_match(None, 'string', f'Found {indicator} in HTML body') + self.add_match(None, "string", f"Found {indicator} in HTML body") return self.has_matches() @@ -64,79 +63,77 @@ class suspiciousHTML_Title(Signature): severity = 1 confidence = 100 categories = ["phishing", "static"] - authors = ["Yasin Tas", "Eye Security"] + authors = ["Yasin Tas", "Eye Security"] references = [ - "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", - "https://socradar.io/what-is-a-phishing-kit/" - "https://github.com/SteveD3/kit_hunter/tree/master/tag_files" + "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", + "https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files", ] enabled = True minimum = "1.2" ttps = ["T1566.001"] # MITRE v6,7,8 mbcs = ["C0029.003"] # micro-behaviour - + def run(self): - - packages = ['html', 'edge', 'chrome', 'firefox'] + + packages = ["html", "edge", "chrome", "firefox"] indicators = [ - 'Please wait', - 'Sign in', - '', # Empty title - 'Redirecting', - ] - - title_regex = re.compile(r'<\s*title[^>]*>(.*?)<\/\s*title\s*>') + "Please wait", + "Sign in", + "", # Empty title + "Redirecting", + ] + + title_regex = re.compile(r"<\s*title[^>]*>(.*?)<\/\s*title\s*>") if self.results["info"]["package"] in packages: if "strings" in self.results["target"]["file"]: strings = self.results["target"]["file"]["strings"] - data = ''.join(strings) + data = "".join(strings) title = title_regex.search(data) if not title: self.description = "Sample contains empty HTML title" - self.add_match(None, 'string', 'Empty HTML title') + self.add_match(None, "string", "Empty HTML title") else: for indicator in indicators: if indicator in title.group(1): - self.add_match(None, 'string', f'Found {indicator} in HTML title') - + self.add_match(None, "string", f"Found {indicator} in HTML title") + return self.has_matches() + class suspiciousHTML_Filename(Signature): name = "suspicious_html_name" description = "Sample contains suspicious HTML name" severity = 1 confidence = 80 categories = ["phishing", "static"] - authors = ["Yasin Tas", "Eye Security"] + authors = ["Yasin Tas", "Eye Security"] references = [ - "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", - "https://socradar.io/what-is-a-phishing-kit/" - "https://github.com/SteveD3/kit_hunter/tree/master/tag_files" + "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/", + "https://socradar.io/what-is-a-phishing-kit/" "https://github.com/SteveD3/kit_hunter/tree/master/tag_files", ] - enabled = True + enabled = True minimum = "1.2" ttps = ["T1566.001"] # MITRE v6,7,8 mbcs = ["C0029.003"] # micro-behaviour - + def run(self): - packages = ['html', 'edge', 'chrome', 'firefox'] + packages = ["html", "edge", "chrome", "firefox"] indicators = [ - 'payment', - 'remittence', - 'remmitance ' - 'invoice', - 'inv', - 'voicemail', - 'remit', - 'voice', - 'statement', - ] - + "payment", + "remittence", + "remmitance " "invoice", + "inv", + "voicemail", + "remit", + "voice", + "statement", + ] + if self.results["info"]["package"] in packages: name = self.results["target"]["file"]["name"] lower = name.lower() for indicator in indicators: if indicator in lower: - self.add_match(None, 'string', f'Found {indicator} in HTML name') - return self.has_matches() \ No newline at end of file + self.add_match(None, "string", f"Found {indicator} in HTML name") + return self.has_matches() diff --git a/modules/signatures/windows/antivm_generic_cpu.py b/modules/signatures/windows/antivm_generic_cpu.py index b7c84c5b..2902ec10 100644 --- a/modules/signatures/windows/antivm_generic_cpu.py +++ b/modules/signatures/windows/antivm_generic_cpu.py @@ -29,11 +29,13 @@ class AntiVMCPU(Signature): mbcs = ["OB0001", "B0009", "B0009.005", "B0009.024", "OB0007", "E1082"] mbcs += ["OC0008", "C0036", "C0036.005"] # micro-behaviour - filter_apinames = set([ - "RegQueryValueExW", - "RegQueryValueExA", - "NtQueryValueKey", - ]) + filter_apinames = set( + [ + "RegQueryValueExW", + "RegQueryValueExA", + "NtQueryValueKey", + ] + ) filter_categories = set(["registry"]) def __init__(self, *args, **kwargs): @@ -58,6 +60,6 @@ def on_call(self, call, process): ) if match: self.add_match(process, "registry", match) - + def on_complete(self): - return self.has_matches() \ No newline at end of file + return self.has_matches() diff --git a/modules/signatures/windows/antivm_generic_disk.py b/modules/signatures/windows/antivm_generic_disk.py index 23a2b1bf..3ddf0714 100644 --- a/modules/signatures/windows/antivm_generic_disk.py +++ b/modules/signatures/windows/antivm_generic_disk.py @@ -51,7 +51,7 @@ def __init__(self, *args, **kwargs): def on_call(self, call, process): if process["process_name"].lower() in self.office_proc_list: return False - + ioctls = [ 0x2D1400, # IOCTL_STORAGE_QUERY_PROPERTY 0x70000, # IOCTL_DISK_GET_DRIVE_GEOMETRY diff --git a/modules/signatures/windows/antivm_generic_system.py b/modules/signatures/windows/antivm_generic_system.py index 3e96b318..cba852de 100644 --- a/modules/signatures/windows/antivm_generic_system.py +++ b/modules/signatures/windows/antivm_generic_system.py @@ -30,9 +30,11 @@ class AntiVMSystem(Signature): mbcs += ["OC0008", "C0036", "C0036.005"] # micro-behaviour evented = True - filter_category = set([ - "registry", - ]) + filter_category = set( + [ + "registry", + ] + ) def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) @@ -45,17 +47,20 @@ def __init__(self, *args, **kwargs): "acrord32.exe", "acrord64.exe", ] + def on_call(self, call, process): pname = process["process_name"].lower() if pname in self.office_proc_list: return False else: - match = self.check_argument_call(call, - pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SystemInformation\\\\SystemManufacturer$", - category="registry", - regex=True) + match = self.check_argument_call( + call, + pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SystemInformation\\\\SystemManufacturer$", + category="registry", + regex=True, + ) if match: self.add_match(process, "registry", match) def on_complete(self): - return self.has_matches() \ No newline at end of file + return self.has_matches() diff --git a/modules/signatures/windows/browser_proxy.py b/modules/signatures/windows/browser_proxy.py index 5e0c17a1..f8ce530a 100644 --- a/modules/signatures/windows/browser_proxy.py +++ b/modules/signatures/windows/browser_proxy.py @@ -62,7 +62,7 @@ def __init__(self, *args, **kwargs): ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Wpad\\\\[^\\\\]*\\\\WpadDecision$", ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Wpad\\\\[^\\\\]*\\\\WpadNetworkName$", ] - + def on_call(self, call, process): if process["process_name"].lower() in self.proc_safelist: return False diff --git a/modules/signatures/windows/http_request.py b/modules/signatures/windows/http_request.py index 89fa1f52..e223e2a4 100644 --- a/modules/signatures/windows/http_request.py +++ b/modules/signatures/windows/http_request.py @@ -46,7 +46,7 @@ def on_call(self, call, process): host = self.get_argument(call, "ServerName") port = self.get_argument(call, "ServerPort") self.lasthost = host - if any(domain in host for domain in domain_passlist) : + if any(domain in host for domain in domain_passlist): return None if host not in self.request: self.request[host] = dict() diff --git a/modules/signatures/windows/infostealer_cookies.py b/modules/signatures/windows/infostealer_cookies.py index 4e7659ea..ffcdb7bb 100644 --- a/modules/signatures/windows/infostealer_cookies.py +++ b/modules/signatures/windows/infostealer_cookies.py @@ -44,24 +44,27 @@ def __init__(self, *args, **kwargs): ".*\\\\Opera Software\\\\Opera Stable\\\\Cookies$", ".*\\\\Brave-Browser\\\\User Data\\\\.*\\\\Cookies$", ] - self.safe_indicators = ["chrome.exe", - "firefox.exe", - "opera.exe", - "msedge.exe", - "acrobat.exe", - "excel.exe", - "winword.exe", - ] + self.safe_indicators = [ + "chrome.exe", + "firefox.exe", + "opera.exe", + "msedge.exe", + "acrobat.exe", + "excel.exe", + "winword.exe", + ] + def on_call(self, call, process): pname = process["process_name"].lower() if pname in self.safe_indicators: return False else: for indicator in self.indicators: - match = self.check_argument_call(call, pattern=indicator, api="NtQueryAttributesFile", category="filesystem", regex=True) + match = self.check_argument_call( + call, pattern=indicator, api="NtQueryAttributesFile", category="filesystem", regex=True + ) if match: - self.add_match(process, 'file', match) - + self.add_match(process, "file", match) def on_complete(self): - return self.has_matches() \ No newline at end of file + return self.has_matches() diff --git a/modules/signatures/windows/network_docfile_http.py b/modules/signatures/windows/network_docfile_http.py index 490fd020..af36851a 100644 --- a/modules/signatures/windows/network_docfile_http.py +++ b/modules/signatures/windows/network_docfile_http.py @@ -17,6 +17,7 @@ from data.safelist.domains import domain_passlist + class NetworkDocumentHTTP(Signature): name = "network_document_http" description = "A document file initiated network communications indicative of a potential exploit or payload download" @@ -89,10 +90,10 @@ def on_complete(self): len(self.data) == 1 and "http_request" in self.data[0] and self.data[0]["http_request"].startswith("acrord32.exe_WSASend_get /10/rdr/enu/win/nooem/none/message.zip") - and self.check_url("http://acroipm.adobe.com/10/rdr/ENU/win/nooem/none/message.zip") + and self.check_url("http://acroipm.adobe.com/10/rdr/ENU/win/nooem/none/message.zip") ): return False - + if self.data: return True diff --git a/modules/signatures/windows/network_payload_download.py b/modules/signatures/windows/network_payload_download.py index b339702d..c87f3a00 100644 --- a/modules/signatures/windows/network_payload_download.py +++ b/modules/signatures/windows/network_payload_download.py @@ -17,6 +17,7 @@ from data.safelist.domains import domain_passlist + class NetworkDocumentFile(Signature): name = "network_document_file" description = "A document or script file initiated network communications indicative of a potential exploit or payload download" diff --git a/modules/signatures/windows/windows_utilities.py b/modules/signatures/windows/windows_utilities.py index c3ce8601..98307c08 100644 --- a/modules/signatures/windows/windows_utilities.py +++ b/modules/signatures/windows/windows_utilities.py @@ -21,13 +21,15 @@ class UsesWindowsUtilitiesScheduler(Signature): evented = True - filter_processnames = set([ - "at ", - "at.exe", - "schtasks", - "schtasks.exe", - ]) - + filter_processnames = set( + [ + "at ", + "at.exe", + "schtasks", + "schtasks.exe", + ] + ) + def on_call(self, _, process): if process["process_name"].lower() in self.filter_processnames: self.ttps += ["T1053.005"] if process["process_name"].lower() == "schtasks" else ["T1053.002"] # MITRE v7,8 @@ -39,6 +41,7 @@ def on_call(self, _, process): return True return False + class UsesWindowsUtilities(Signature): name = "uses_windows_utilities" description = "Uses Windows utilities for basic functionality" @@ -118,12 +121,17 @@ def run(self): lower = cmdline.lower() for utility in utilities: if re.search(utility, lower): - if utility in lower and "-" + utility not in lower and not any(re.search(whitelist_regex, cmdline) for whitelist_regex in whitelist): + if ( + utility in lower + and "-" + utility not in lower + and not any(re.search(whitelist_regex, cmdline) for whitelist_regex in whitelist) + ): ret = True self.data.append({"command": cmdline}) return ret + GENERIC_CMD = '"c:\\windows\\system32\\cmd.exe" /c start /wait "" ' SUBSEQUENT_GENERIC_CMD = "c:\\windows\\system32\\cmd.exe /k " @@ -519,7 +527,6 @@ def run(self): return False - class UsesWindowsUtilitiesAppCmd(Signature): name = "uses_windows_utilities_appcmd" description = "Uses the IIS Command Line Tool, likely for installing a service or loading a file"