Py3 12 deprecations

analyzer/windows/modules/auxiliary/autoruns.py

@@ -4,6 +4,7 @@
 import platform
 import shlex
 import subprocess
+from contextlib import suppress
 from winreg import HKEY_CURRENT_USER, KEY_ALL_ACCESS, REG_DWORD, CreateKeyEx, SetValueEx
 
 from lib.common.abstracts import Auxiliary
@@ -34,11 +35,9 @@ def __init__(self, options, config):
         if not os.path.exists(self.output_dir):
             os.makedirs(self.output_dir)
             # reg.exe ADD "HKCU\Software\Sysinternals\Autoruns" /v EulaAccepted /t REG_DWORD /d 1 /f
-        try:
+        with suppress(OSError):
             with CreateKeyEx(HKEY_CURRENT_USER, "Software\Sysinternals\Autoruns", 0, KEY_ALL_ACCESS) as key:
                 SetValueEx(key, "EulaAccepted", 0, REG_DWORD, 1)
-        except OSError as e:
-            pass
 
         bin_path = os.path.join(os.getcwd(), "bin")
         # First figure out what architecture the system in running (64 or 86)
@@ -112,7 +111,7 @@ def stop(self):
                 else:
                     log.debug("Diff file is empty")
             except Exception as e:
-                log.debug("Diff file doesn't seem to exist")
+                log.debug("Diff file doesn't seem to exist: %s", str(e))
 
         # Upload the autoruns diff file to the host.
         log.debug(files_to_upload)

modules/signatures/all/banker_zeus_p2p.py

@@ -38,7 +38,7 @@ class ZeusP2P(Signature):
     def run(self):
         # Check zeus synchronization-mutex.
         count = 0
-        mutexes = self.check_mutex("^(Global|Local)\\\\\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}", regex=True, all=True)
+        mutexes = self.check_mutex(r"^(Global|Local)\\\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}", regex=True, all=True)
         if mutexes:
             count += len(mutexes)
 

modules/signatures/all/credential_access_phishingkit.py

@@ -20,7 +20,7 @@
 try:
     from chepy import Chepy
 except ImportError:
-    raise ImportError("Please install chepy")
+    raise ImportError("Optional! Missed dependency. Run: poetry run pip install chepy")
 
 import base64
 

modules/signatures/all/polymorphic.py

@@ -69,7 +69,7 @@ def run(self):
                         for path in drop["guest_paths"]:
                             self.data.append({"file": path})
                         self.data.append({"percent_match": percent})
-                except:
+                except Exception:
                     continue
 
         return found_polymorphic

modules/signatures/all/static_pe_anomaly.py

@@ -209,7 +209,7 @@ def run(self):
                     self.description = "The PE file contains a suspicious PDB path"
                     break
 
-            regex = re.compile("[a-zA-Z]:\\\\[\x00-\xFF]{0,500}[^\x00-\x7F]{1,}[\x00-\xFF]{0,500}\.pdb")
+            regex = re.compile(r"[a-zA-Z]:\\[\x00-\xFF]{0,500}[^\x00-\x7F]{1,}[\x00-\xFF]{0,500}\.pdb")
             if re.match(regex, pdbpath):
                 if self.severity != 2 and self.severity != 3:
                     self.severity = 2

modules/signatures/deprecated/betabot_apis.py

@@ -59,8 +59,8 @@ def on_complete(self):
         # Check for ADS deletion path (Always in hidden ProgramData)
         # TODO: make this use environ info
         ads_paths = [
-            "C:\\\\ProgramData\\\\.*:Zone\.Identifier$",
-            "C:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\\\.*:Zone\.Identifier$",
+            r"C:\\ProgramData\\.*:Zone\.Identifier$",
+            r"C:\\Program\\ Files\\Common\\ Files\\Microsoft\\.*:Zone\.Identifier$",
         ]
         for indicator in ads_paths:
             if self.check_delete_file(pattern=indicator, regex=True):
@@ -69,19 +69,19 @@ def on_complete(self):
         # Check for known filesystem behavior
         # TODO: make these use environ info
         file_paths = [
-            ".*\\\\jagexcache$",
-            ".*\\\\AppData\\\\Roaming\\\\\.minecraft$",
-            ".*\\\\Application\\ Data\\\\\.minecraft$",
-            ".*\\\\League\\ of\\ Legends$",
+            r".*\\jagexcache$",
+            r".*\\AppData\\Roaming\\\.minecraft$",
+            r".*\\Application\\ Data\\\.minecraft$",
+            r".*\\League\\ of\\ Legends$",
         ]
         for indicator in file_paths:
             if self.check_file(pattern=indicator, regex=True):
                 malscore += 1
 
         # Check for known registry behavior
         reg_paths = [
-            ".*\\\\SOFTWARE\\\\Classes\\\\origin$",
-            ".*\\\\SOFTWARE\\\\Blizzard\\ Entertainment$",
+            r".*\\SOFTWARE\\Classes\\origin$",
+            r".*\\SOFTWARE\\Blizzard\\ Entertainment$",
         ]
         for indicator in reg_paths:
             if self.check_key(pattern=indicator, regex=True):

modules/signatures/deprecated/codelux_apis.py

@@ -27,10 +27,10 @@ class CodeLux_APIs(Signature):
 
     def run(self):
         queryattribs = [
-            ".*\\\\CodeluxRunPE.resources.dll$",
-            ".*\\\\CodeluxRunPE.resources.exe$",
-            ".*\\\\CodeluxVisionStub.resources.exe$",
-            ".*\\\\CodeluxVisionStub.resources.dll$",
+            r".*\\CodeluxRunPE.resources.dll$",
+            r".*\\CodeluxRunPE.resources.exe$",
+            r".*\\CodeluxVisionStub.resources.exe$",
+            r".*\\CodeluxVisionStub.resources.dll$",
         ]
 
         for ioc in queryattribs:

modules/signatures/deprecated/dyre_apis.py

@@ -94,8 +94,8 @@ def on_complete(self):
         extract_c2s = True
 
         mutexs = [
-            "^(Global|Local)\\\\pen3j3832h$",
-            "^(Global|Local)\\\\u1nyj3rt20",
+            r"^(Global|Local)\\pen3j3832h$",
+            r"^(Global|Local)\\u1nyj3rt20",
         ]
         for mutex in mutexs:
             if self.check_mutex(pattern=mutex, regex=True):

modules/signatures/deprecated/hawkeye_apis.py

@@ -15,7 +15,7 @@
 
 try:
     import re2 as re
-except:
+except ImportError:
     import re
 
 from lib.cuckoo.common.abstracts import Signature
@@ -119,13 +119,13 @@ def on_call(self, call, process):
         self.lastcall = call["api"]
 
     def on_complete(self):
-        if self.check_file(pattern=".*\\\\pid.txt$", regex=True):
+        if self.check_file(pattern=r".*\\pid.txt$", regex=True):
             self.badness += 2
-        if self.check_file(pattern=".*\\\\pidloc.txt$", regex=True):
+        if self.check_file(pattern=r".*\\pidloc.txt$", regex=True):
             self.badness += 2
-        if self.check_file(pattern=".*\\\\holdermail.txt$", regex=True):
+        if self.check_file(pattern=r".*\\holdermail.txt$", regex=True):
             self.badness += 4
-        if self.check_file(pattern=".*\\\\holderwb.txt$", regex=True):
+        if self.check_file(pattern=r".*\\holderwb.txt$", regex=True):
             self.badness += 4
         if self.evmatch:
             self.badness += 5

modules/signatures/deprecated/kazybot_apis.py

@@ -58,10 +58,10 @@ def on_call(self, call, process):
 
     def on_complete(self):
         module_paths = [
-            ".*\\\\SharedCode\\\\SharedCode.dll$",
-            ".*\\\\SharedCode\\\\SharedCode.exe$",
-            ".*\\\\PluginServer\\\\PluginServer.dll$",
-            ".*\\\\PluginServer\\\\PluginServer.exe$",
+            r".*\\SharedCode\\SharedCode.dll$",
+            r".*\\SharedCode\\SharedCode.exe$",
+            r".*\\PluginServer\\PluginServer.dll$",
+            r".*\\PluginServer\\PluginServer.exe$",
         ]
         for indicator in module_paths:
             if self.check_file(pattern=indicator, regex=True):

modules/signatures/deprecated/kibex_apis.py

@@ -60,19 +60,19 @@ def on_call(self, call, process):
     def on_complete(self):
         bad_score = self.keylog_inits
         file_iocs = [
-            ".*\\\\ProgramData\\\\Browsers\.txt$",
-            ".*\\\\ProgramData\\\\Mails\.txt$",
-            ".*\\\\Temp\\\\\d{9,10}\.xml$",
+            r".*\\ProgramData\\Browsers\.txt$",
+            r".*\\ProgramData\\Mails\.txt$",
+            r".*\\Temp\\\d{9,10}\.xml$",
         ]
         for ioc in file_iocs:
             match = self.check_file(pattern=ioc, regex=True)
             if match:
                 bad_score += 3
 
         stealer_regkeys = [
-            ".*\\\\Google\\\\Google\\ Talk\\\\Accounts$",
-            ".*\\\\Google\\\\Google\\ Desktop\\\\Mailboxes$",
-            ".*\\\\Microsoft\\\\Internet\\ Account\\ Manager\\\\Accounts$",
+            r".*\\Google\\Google\\ Talk\\Accounts$",
+            r".*\\Google\\Google\\ Desktop\\Mailboxes$",
+            r".*\\Microsoft\\Internet\\ Account\\ Manager\\Accounts$",
         ]
         for ioc in stealer_regkeys:
             match = self.check_key(pattern=ioc, regex=True)

modules/signatures/deprecated/locker_regedit.py

@@ -31,7 +31,7 @@ class DisableRegedit(Signature):
 
     def run(self):
         if self.check_write_key(
-            pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools$",
+            pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools$",
             regex=True,
         ):
             return True

modules/signatures/deprecated/locker_taskmgr.py

@@ -31,7 +31,7 @@ class DisableTaskMgr(Signature):
 
     def run(self):
         if self.check_write_key(
-            pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr$",
+            pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr$",
             regex=True,
         ):
             return True

modules/signatures/deprecated/shifu_apis.py

@@ -68,18 +68,18 @@ def on_call(self, call, process):
 
     def on_complete(self):
         file_iocs = [
-            "^[A-Za-z]:\\\\sample\\\\pos.exe$",
-            "^[A-Za-z]:\\\\ProgramData\\\\ELBA5\\\\ELBA_data$",
-            "^[A-Za-z]:\\\\analysis$",
-            "^[A-Za-z]:\\\\tmp\\\\debug.txt$",
+            r"^[A-Za-z]:\\sample\\pos.exe$",
+            r"^[A-Za-z]:\\ProgramData\\ELBA5\\ELBA_data$",
+            r"^[A-Za-z]:\\analysis$",
+            r"^[A-Za-z]:\\tmp\\debug.txt$",
         ]
         for ioc in file_iocs:
             if self.check_file(pattern=ioc, regex=True):
                 self.mbcs += ["OC0001", "C0016"]  # micro-behaviour
                 self.malscore += 1
 
         mutex_iocs = [
-            "^(Global|Local)\\\\\{[0-9a-f]{20}\}$",
+            r"^(Global|Local)\\\{[0-9a-f]{20}\}$",
             "^[0-9a-f]{16}$",
         ]
         for ioc in mutex_iocs:

modules/signatures/deprecated/vawtrak_apis.py

@@ -15,7 +15,7 @@
 
 try:
     import re2 as re
-except:
+except ImportError:
     import re
 
 from lib.cuckoo.common.abstracts import Signature

modules/signatures/loader_alien.py

@@ -30,10 +30,10 @@ class AlienLoaderAPIs(Signature):
     # the downloaded payload in a new process after a sleeping time.
     ttps = [
         # Defense Evasion
-        "T1497.003",  # Virtualization/Sandbox Evasion – Time Based Evasion
-        "T1564"  # Hide Artefacts – Hidden Window
+        "T1497.003",  # Virtualization/Sandbox Evasion - Time Based Evasion
+        "T1564"  # Hide Artefacts - Hidden Window
         # Command and Control
-        "T1071.001",  # Application Layer Protocol – Web Protocols
+        "T1071.001",  # Application Layer Protocol - Web Protocols
     ]
     evented = True
 

modules/signatures/windows/accesses_netlogon.py

@@ -31,7 +31,7 @@ class AccessesMailslot(Signature):
 
     def run(self):
         indicators = [
-            "\\\\MAILSLOT\\\\NET\\\\NETLOGON$",
+            r"\\MAILSLOT\\NET\\NETLOGON$",
         ]
 
         for indicator in indicators:
@@ -57,7 +57,7 @@ class AccessesNetlogonRegkey(Signature):
     references = ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f"]
 
     def run(self):
-        indicators = ["HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\.*"]
+        indicators = [r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\.*"]
 
         for indicator in indicators:
             match = self.check_key(pattern=indicator, regex=True)

modules/signatures/windows/accesses_public_folder.py

@@ -26,9 +26,8 @@ class AccessesPublicFolder(Signature):
     evented = True
 
     def run(self):
-        file_indicator = "C:\\\\Users\\\\Public\\\\.*"
         found = False
-        file_match = self.check_file(pattern=file_indicator, regex=True, all=True)
+        file_match = self.check_file(pattern=r"C:\\Users\\Public\\.*", regex=True, all=True)
         if file_match:
             for match in file_match:
                 self.data.append({"file": match})

modules/signatures/windows/accesses_sysvol.py

@@ -30,7 +30,7 @@ class AccessesSysvol(Signature):
     mbcs += ["OC0001", "C0051"]  # micro-behaviour
 
     def run(self):
-        indicators = [".*\\\\Windows\\\\SYSVOL\\\\.*", "\\\\sysvol\\\\.*\\\\policies\\\\.*", "\\\\sysvol\\\\.*\\\\scripts\\\\.*"]
+        indicators = [r".*\\Windows\\SYSVOL\\.*", r"\\sysvol\\.*\\policies\\.*", r"\\sysvol\\.*\\scripts\\.*"]
 
         for indicator in indicators:
             match = self.check_file(pattern=indicator, regex=True)
@@ -53,7 +53,7 @@ class WritesSysvol(Signature):
     mbcs = ["OC0001", "C0052"]  # micro-behaviour
 
     def run(self):
-        indicators = [".*\\\\Windows\\\\SYSVOL\\\\.*", "\\\\sysvol\\\\.*\\\\policies\\\\.*", "\\\\sysvol\\\\.*\\\\scripts\\\\.*"]
+        indicators = [r".*\\Windows\\SYSVOL\\.*", r"\\sysvol\\.*\\policies\\.*", r"\\sysvol\\.*\\scripts\\.*"]
 
         for indicator in indicators:
             match = self.check_write_file(pattern=indicator, regex=True)

modules/signatures/windows/antianalysis_detectfile.py

@@ -21,43 +21,43 @@ class AntiAnalysisDetectFile(Signature):
 
     def run(self):
         file_indicators = [
-            "^[A-Za-z]:\\\\analysis",
-            "^[A-Za-z]:\\\\iDEFENSE",
-            "^[A-Za-z]:\\\\stuff\\\\odbg110",
-            "^[A-Za-z]:\\\\gnu\\bin",
-            "^[A-Za-z]:\\\\Virus\\ Analysis",
-            "^[A-Za-z]:\\\\popupkiller\.exe$",
-            "^[A-Za-z]:\\\\tools\\\\execute\.exe$",
-            "^[A-Za-z]:\\\\MDS\\\\WinDump\.exe$",
-            "^[A-Za-z]:\\\\MDS\\\\WinDump\.exe$",
-            "^[A-Za-z]:\\\\guest_tools\\\\start\.bat$",
-            "^[A-Za-z]:\\\\tools\\\\aswsnx",
-            "^[A-Za-z]:\\\\tools\\\\decodezeus",
-            "^[A-Za-z]:\\\\tool\\\\malmon",
-            "^[A-Za-z]:\\\\sandcastle\\\\tools",
-            "^[A-Za-z]:\\\\tsl\\\\raptorclient\.exe$",
-            "^[A-Za-z]:\\\\kit\\\\procexp\.exe$",
-            "^[A-Za-z]:\\\\winap\\\\ckmon\.pyw$",
-            "^[A-Za-z]:\\\\vmremote\\\\vmremoteguest\.exe$",
-            "^[A-Za-z]:\\\\Program\\ Files(\\ \(x86\))?\\\\Fiddler",
-            "^[A-Za-z]:\\\\ComboFix",
-            "^[A-Za-z]:\\\\Program\\ Files(\\ \(x86\))?\\\\FFDec",
-            "^[A-Za-z]:\\\\Program\\ Files(\\ \(x86\))?\\\\Wireshark",
-            "^[A-Za-z]:\\\\bin\\\\AHookMonitor\.dll$",
-            "^[A-Za-z]:\\\\bin\\\\hookanaapp\.exe$",
-            "^[A-Za-z]:\\\\bsa\\\\log_api",
-            "^[A-Za-z]:\\\\AVCTestSuite\\\\AVCTestSuite\.exe$",
-            "^[A-Za-z]:\\\\ipf\\\\BDCore_U\.dll$",
-            "^[A-Za-z]:\\\\Kit\\\\procexp\.exe$",
-            "^[A-Za-z]:\\\\manual\\\\grabme\.exe$",
-            "^[A-Za-z]:\\\\manual\\\\SilipTCPIP\.exe$",
-            "^[A-Za-z]:\\\\MWS\\\\bin\\\\agent",
-            "^[A-Za-z]:\\\\original\\\\AutoRepGui",
-            "^[A-Za-z]:\\\\totalcmd\\\\gfiles",
-            "^[A-Za-z]:\\\\tracer\\\\FortiTracer\.exe$",
-            "^[A-Za-z]:\\\\tracer\\\\mdare32_0\.sys$",
-            "^[A-Za-z]:\\\\plugins\\\\(import|process)\\\\.*\.dll$",
-            "^[A-Za-z]:\\\\sandbox_svc",
+            r"^[A-Za-z]:\\analysis",
+            r"^[A-Za-z]:\\iDEFENSE",
+            r"^[A-Za-z]:\\stuff\\odbg110",
+            r"^[A-Za-z]:\\gnu\\bin",
+            r"^[A-Za-z]:\\Virus\\ Analysis",
+            r"^[A-Za-z]:\\popupkiller\.exe$",
+            r"^[A-Za-z]:\\tools\\execute\.exe$",
+            r"^[A-Za-z]:\\MDS\\WinDump\.exe$",
+            r"^[A-Za-z]:\\MDS\\WinDump\.exe$",
+            r"^[A-Za-z]:\\guest_tools\\start\.bat$",
+            r"^[A-Za-z]:\\tools\\aswsnx",
+            r"^[A-Za-z]:\\tools\\decodezeus",
+            r"^[A-Za-z]:\\tool\\malmon",
+            r"^[A-Za-z]:\\sandcastle\\tools",
+            r"^[A-Za-z]:\\tsl\\raptorclient\.exe$",
+            r"^[A-Za-z]:\\kit\\procexp\.exe$",
+            r"^[A-Za-z]:\\winap\\ckmon\.pyw$",
+            r"^[A-Za-z]:\\vmremote\\vmremoteguest\.exe$",
+            r"^[A-Za-z]:\\Program\\ Files(\\ \(x86\))?\\Fiddler",
+            r"^[A-Za-z]:\\ComboFix",
+            r"^[A-Za-z]:\\Program\\ Files(\\ \(x86\))?\\FFDec",
+            r"^[A-Za-z]:\\Program\\ Files(\\ \(x86\))?\\Wireshark",
+            r"^[A-Za-z]:\\bin\\AHookMonitor\.dll$",
+            r"^[A-Za-z]:\\bin\\hookanaapp\.exe$",
+            r"^[A-Za-z]:\\bsa\\log_api",
+            r"^[A-Za-z]:\\AVCTestSuite\\AVCTestSuite\.exe$",
+            r"^[A-Za-z]:\\ipf\\BDCore_U\.dll$",
+            r"^[A-Za-z]:\\Kit\\procexp\.exe$",
+            r"^[A-Za-z]:\\manual\\grabme\.exe$",
+            r"^[A-Za-z]:\\manual\\SilipTCPIP\.exe$",
+            r"^[A-Za-z]:\\MWS\\bin\\agent",
+            r"^[A-Za-z]:\\original\\AutoRepGui",
+            r"^[A-Za-z]:\\totalcmd\\gfiles",
+            r"^[A-Za-z]:\\tracer\\FortiTracer\.exe$",
+            r"^[A-Za-z]:\\tracer\\mdare32_0\.sys$",
+            r"^[A-Za-z]:\\plugins\\(import|process)\\.*\.dll$",
+            r"^[A-Za-z]:\\sandbox_svc",
         ]
         ret = False
         for indicator in file_indicators: