diff --git a/modules/signatures/windows/antivm_bochs_keys.py b/modules/signatures/windows/antivm_bochs_keys.py
index 02153d248..fd819438d 100644
--- a/modules/signatures/windows/antivm_bochs_keys.py
+++ b/modules/signatures/windows/antivm_bochs_keys.py
@@ -16,7 +16,7 @@ from lib.cuckoo.common.abstracts import Signature
 class BochsDetectKeys(Signature):
- name = "antivm_xen_keys"
+ name = "antivm_bochs_keys"
 description = "Detects Bochs through the presence of a registry key"
 severity = 3
 categories = ["anti-vm"]
diff --git a/modules/signatures/windows/apt_uroburos_file.py b/modules/signatures/windows/apt_uroburos_file.py
index 80ab5a313..2d08891e6 100644
--- a/modules/signatures/windows/apt_uroburos_file.py
+++ b/modules/signatures/windows/apt_uroburos_file.py
@@ -14,13 +14,15 @@ class UroburosFile(Signature):
 authors = ["RedSocks"]
 minimum = "2.0"
- mutexes_re = [
- ".*turla10",
- ".*msdata\\\\.*",
- ".*1396695624",
+ files_re = [
+ ".*\\\\drivers\\\\wo2ifsl.sys",
+ ".*\\\\drivers\\\\acpied.sys",
+ ".*\\\\drivers\\\\atmarpd.sys",
+ ".*\\\\temp\\\\msmsgsmon.exe",
+ ".*\\\\temp\\\\msdattst.ocx",
 ]
 def on_complete(self):
- for mutex in self.mutexes_re:
- if self.check_mutex(pattern=mutex, regex=True):
+ for indicator in self.files_re:
+ if self.check_file(pattern=indicator, regex=True):
 return True
diff --git a/modules/signatures/windows/apt_uroburos_mutex.py b/modules/signatures/windows/apt_uroburos_mutex.py
index f3a3c9dce..e0a70a1f4 100644
--- a/modules/signatures/windows/apt_uroburos_mutex.py
+++ b/modules/signatures/windows/apt_uroburos_mutex.py
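Review bot: The new on_complete in apt_uroburos_file.py discards whatever check_file returns and answers with a bare True (falling through to an implicit None when nothing matches), so the report never records which driver or temp path actually hit; the trojan_pincav.py hunk in this same commit shows the intended shape (keep the return value, mark_ioc it, finish with `return self.has_marks()`), and apt_uroburos_mutex.py has the same gap with check_mutex. This assumes check_file hands back the matched path the way check_mutex is used in trojan_pincav.py; that is not visible here. The dots in the new patterns are also unescaped, so `wo2ifsl.sys` matches any character before `sys`; writing them as `wo2ifsl\\.sys` keeps them literal. The class header and its other attributes are outside the hunk.
```python
    def on_complete(self):
        for indicator in self.files_re:
            filepath = self.check_file(pattern=indicator, regex=True)
            if filepath:
                self.mark_ioc("file", filepath)

        return self.has_marks()
```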
@@ -14,18 +14,13 @@ class UroburosMutexes(Signature):
 authors = ["RedSocks"]
 minimum = "2.0"
- files_re = [
- ".*\\\\drivers\\\\wo2ifsl.sys",
- ".*\\\\drivers\\\\acpied.sys",
- ".*\\\\drivers\\\\atmarpd.sys",
- ".*\\\\temp\\\\msmsgsmon.exe",
- ".*\\\\temp\\\\msdattst.ocx",
+ mutexes_re = [
+ ".*turla10",
+ ".*msdata\\\\.*",
+ ".*1396695624",
 ]
 def on_complete(self):
- for indicator in self.files_re:
- if self.check_mutex(pattern=indicator, regex=True):
- return True
-
- if self.check_file(pattern=indicator, regex=True):
- return True
+ for mutex in self.mutexes_re:
+ if self.check_mutex(pattern=mutex, regex=True):
+ return True
\ No newline at end of file
diff --git a/modules/signatures/windows/bot_dirtjumper.py b/modules/signatures/windows/bot_dirtjumper.py
index ef49c0f37..58ce460b2 100644
--- a/modules/signatures/windows/bot_dirtjumper.py
+++ b/modules/signatures/windows/bot_dirtjumper.py
@@ -31,3 +31,5 @@ def on_complete(self):
 if http["method"] == "POST" and http["body"].startswith("k=") and \
 http.get("user-agent", "") == self.user_agent:
 self.mark_ioc("http", http)
+
+ return self.has_marks()
\ No newline at end of file
diff --git a/modules/signatures/windows/driver_load.py b/modules/signatures/windows/driver_load.py
index 282c1b7ec..296648d13 100644
--- a/modules/signatures/windows/driver_load.py
+++ b/modules/signatures/windows/driver_load.py
@@ -16,7 +16,7 @@ from lib.cuckoo.common.abstracts import Signature
 class DriverLoad(Signature):
- name = "shutdown_system"
+ name = "load_driver"
 description = "Loads a driver"
 severity = 3
 categories = ["stealth"]
diff --git a/modules/signatures/windows/trojan_pincav.py b/modules/signatures/windows/trojan_pincav.py
index f54d7c56f..da2268dc4 100644
--- a/modules/signatures/windows/trojan_pincav.py
+++ b/modules/signatures/windows/trojan_pincav.py
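Review bot: apt_uroburos_mutex.py is written back without a trailing newline (the `\ No newline at end of file` marker closing this hunk), and bot_dirtjumper.py and trojan_pincav.py in this same commit end the same way; finish each file with a newline so the next edit to any of them does not show up as a spurious change to its last line. The rewritten loop is otherwise a straight mirror of the old one, with the orphaned check_file branch gone, which is the right direction for a file named for mutexes.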
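Review bot: The added `return self.has_marks()` in bot_dirtjumper.py must sit at method-body level, outside the loop over `http` entries that begins above this hunk (only the loop body is visible, and on_complete itself starts outside it); the collapsed rendering here loses indentation, so that cannot be confirmed from the page, and if the return landed inside the loop only the first HTTP entry would ever be inspected. While here, the context line indexes `http["body"]` directly although the user-agent is read with `.get`, so an entry without a body would raise KeyError before the new return is reached; `http.get("body", "").startswith("k=")` would make the three lookups consistent.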
@@ -18,3 +18,11 @@ class TrojanLethic(Signature):
 ".*jK1dDfggS",
 ".*zBIYku2BMUdN9unB87sa2sa",
 ]
+
+ def on_complete(self):
+ for indicator in self.mutexes_re:
+ mutex = self.check_mutex(pattern=indicator, regex=True)
+ if mutex:
+ self.mark_ioc("mutex", mutex)
+
+ return self.has_marks()
\ No newline at end of file
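Review bot: The new on_complete has no docstring; a one-liner such as `"""Mark each mutex matching mutexes_re as an IoC; True if any matched."""` would state the contract (mark, then report through has_marks) that the other signatures touched by this commit should follow. Separately, the enclosing class is still named TrojanLethic while the module is trojan_pincav.py; if that is a leftover from copying another signature, renaming it in this change would keep the class and module names in step. The class header and the start of mutexes_re are outside the hunk, so whether the `name` attribute matches cannot be checked here.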