Merge pull request #1965 from kevoreilly/vnc_port_2_options

expose VNC port via options in task info
kevoreilly · Feb 15, 2024 · 6b944b5 · 6b944b5
2 parents 017d2c4 + 3cb46ca
commit 6b944b5
Show file tree

Hide file tree

Showing 37 changed files with 1,662 additions and 1,137 deletions.
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -42,11 +42,16 @@ jobs:
           # check-latest: true
           python-version: ${{ matrix.python-version }}
           cache: 'poetry'
+
       - name: Install requirements
         if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
         run: |
           poetry install --no-interaction --no-root
 
+      - name: Install pyattck
+        run: |
+          poetry run pip install pyattck==7.1.2
+
       - name: Run Ruff
         run: poetry run ruff . --line-length 132 --ignore E501,E402
 

diff --git a/analyzer/windows/dll/capemon.dll b/analyzer/windows/dll/capemon.dll
diff --git a/analyzer/windows/dll/capemon_x64.dll b/analyzer/windows/dll/capemon_x64.dll
diff --git a/changelog.md b/changelog.md
@@ -1,3 +1,16 @@
+### [14.02.2024]
+* Monitor update: Protect NtFreeVirtualMemory hook against spurious pointer values (e.g. f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2)
+
+### [08.02.2024] CAPA 7 + CAPE
+* [CAPA](https://github.com/mandiant/capa) allows to generate a summary of CAPE's analysis. This gives quick abstract summary of analysis. More details [CAPA v7 blogpost](https://www.mandiant.com/resources/blog/dynamic-capa-executable-behavior-cape-sandbox)
+* Monitor update: Fix logging bug causing rare buffer overflows (e.g. 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3)
+
+### [05.02.2024]
+* PhemedroneStealer config extractor - thanks @tccontre18 - Br3akp0int
+
+### [31.01.2024]
+* Monitor update: Protect 64-bit hooks against unaligned stack (e.g. 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3)
+
 ### [24.01.2024]
 * Monitor update: Improve handling of irregularly mapped PE images (e.g. from 7911e39e07995e3afb97ac0e5a4608c10c2e278bef29924ecc3924edfcc495ca)
 
@@ -26,7 +39,7 @@
 * Monitor update: fix bug in dumping malformed PEs
 
 ### [05.12.2023]
-* Monitor updates: 
+* Monitor updates:
     * Process dump filter enhancements & fix
     * Enhanced checks (parent process path) for service hookset assignment
     * Misc fixes

diff --git a/conf/cuckoo.conf.default b/conf/cuckoo.conf.default
@@ -177,6 +177,9 @@ psql_ssl_mode = disable
 # If empty, default is set to 60 seconds.
 timeout =
 
+# Log all SQL statements issued to the database.
+log_statements = off
+
 [timeouts]
 # Set the default analysis timeout expressed in seconds. This value will be
 # used to define after how many seconds the analysis will terminate unless
@@ -210,3 +213,13 @@ path = /mnt/tmpfs/
 # in mb
 freespace = 2000
 
+[cleaner]
+# Invoke cleanup if <= of free space detected. see/set freespace/freespace_processing
+enabled = no
+# set any value to 0 to disable it. In days
+binaries_days = 5
+tmp_days = 5
+# Remove analysis folder
+analysis_days = 5
+# Delete mongo data
+mongo = no
diff --git a/conf/reporting.conf.default b/conf/reporting.conf.default
@@ -4,6 +4,11 @@
 # You can also add additional options under the section of your module and
 # they will be available in your Python class.
 
+# Generate CAPE's analysis summary by FLARE/Mandiant's CAPA
+[flare_capa_summary]
+enabled = yes
+on_demand= no
+
 # Community
 [cents]
 enabled = no

diff --git a/extra/optional_dependencies.txt b/extra/optional_dependencies.txt
@@ -23,3 +23,4 @@ urlextract==1.5.0
 pdfminer==20191125
 pg_activity
 python-tlsh
+pyattck = "7.1.2"
diff --git a/installer/cape2.sh b/installer/cape2.sh
@@ -959,6 +959,7 @@ function dependencies() {
 
 
     sudo apt update 2>/dev/null
+    sudo systemctl stop [email protected] && sudo systemctl disable [email protected]
     apt install tor deb.torproject.org-keyring libzstd1 -y
 
     sed -i 's/#RunAsDaemon 1/RunAsDaemon 1/g' /etc/tor/torrc
@@ -1345,6 +1346,13 @@ function install_DIE() {
     wget "https://github.com/horsicq/DIE-engine/releases/download/${DIE_VERSION}/die_${DIE_VERSION}_Ubuntu_${UBUNTU_VERSION}_amd64.deb" -O DIE.deb && dpkg -i DIE.deb
 }
 
+function install_fluentd() {
+    curl -sSO https://dl.google.com/cloudagents/add-logging-agent-repo.sh && sudo bash add-logging-agent-repo.sh
+    sudo apt-get update && sudo apt-get install google-fluentd
+    sudo apt-get install -y google-fluentd-catch-all-config-structured
+    sudo service google-fluentd start && sudo service google-fluentd status
+}
+
 # Doesn't work ${$1,,}
 COMMAND=$(echo "$1"|tr "{A-Z}" "{a-z}")
 
@@ -1477,6 +1485,8 @@ case "$COMMAND" in
     install_crowdsecurity;;
 'die')
     install_DIE;;
+'fluentd')
+    install_fluentd;;
 *)
     usage;;
 esac
diff --git a/lib/cuckoo/common/abstracts.py b/lib/cuckoo/common/abstracts.py
@@ -844,6 +844,7 @@ def set_path(self, analysis_path):
         # self.memory_path = os.path.join(self.analysis_path, "memory.dmp")
         self.memory_path = get_memdump_path(analysis_path.rsplit("/", 1)[-1])
         self.self_extracted = os.path.join(self.analysis_path, "selfextracted")
+        self.files_metadata = os.path.join(self.analysis_path, "files.json")
 
         try:
             create_folder(folder=self.reports_path)