From 7dbe67f1dd59409b84c29d82893811d407b4acae Mon Sep 17 00:00:00 2001
From: acd62081
Date: Sat, 3 Aug 2019 17:16:32 -0400
Subject: [PATCH 1/3] Uses domain.txt as whitelist in memdump_urls.py.
---
 modules/signatures/windows/memdump_urls.py | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py
index 309d97a60..73b484f90 100644
--- a/modules/signatures/windows/memdump_urls.py
+++ b/modules/signatures/windows/memdump_urls.py
@@ -1,6 +1,9 @@
 # Copyright (C) 2010-2015 Cuckoo Foundation.
 # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 # See the file 'docs/LICENSE' for copying permission.
+from cuckoo.misc import cwd
+import os
+from urlparse import urlsplit
 try:
 import re2 as re
@@ -17,10 +20,26 @@ class ProcMemDumpURLs(Signature):
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ whitelist_file = cwd("whitelist", "domain.txt")
+ whitelist = open(whitelist_file, "r")
+
+
 def on_complete(self):
 for procmem in self.get_results("procmemory", []):
 for url in procmem.get("urls", []):
- self.mark_ioc("url", url)
+ #Extract top level domain from Procmem results
+ parts = urlsplit(url)
+ if parts[1]:
+ url = parts[1]
+ else:
+ pass
+ is_whitelisted = False
+ for white in ProcMemDumpURLs.whitelist:
+ if re.match(white, url, re.IGNORECASE):
+ is_whitelisted = True
+ break
+ if not is_whitelisted:
+ self.mark_ioc("url", url)
 return self.has_marks()
@@ -60,7 +79,6 @@ def on_complete(self):
 ".vivavtpaymaster.com",
 ".fraspartypay.com",
 ]
-
 for procmem in self.get_results("procmemory", []):
 for url in procmem.get("urls", []):
 for indicator in indicators:
From d97c0c69061513abe9c8896566586636177302a0 Mon Sep 17 00:00:00 2001
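Review bot: `whitelist = open(whitelist_file, "r")` in the class body binds a file object rather than its entries, so the `for white in ProcMemDumpURLs.whitelist` loop consumes it on the first URL (exhausted unless a match breaks early) and every later URL is compared against few or no entries; the handle is also opened at import time, never closed, and a missing `domain.txt` raises while the signature module is being loaded. Each `white` keeps its trailing newline, so `re.match(white, url, re.IGNORECASE)` cannot match a netloc except for a final line without one, and because the entries are used as regexes anchored only at the start, an entry also exempts any host that merely begins with it. Rebinding `url = parts[1]` before `self.mark_ioc("url", url)` changes the recorded IOC from the full URL to its netloc, which looks unintended, and the `else: pass` branch is dead. Below is a version that reads and strips the entries once per run inside `on_complete` (a missing file is treated as an empty whitelist), anchors them at both ends, and keeps the full URL in the mark.
```python
    whitelist_file = cwd("whitelist", "domain.txt")

    def _load_whitelist(self):
        # Read the entries fresh per run; strip newlines so they can match a
        # netloc, and anchor at the end since re.match only anchors the start.
        try:
            with open(self.whitelist_file, "r") as fh:
                lines = [line.strip() for line in fh]
        except IOError:
            return []
        return [re.compile(line + r"$", re.IGNORECASE) for line in lines if line]

    def on_complete(self):
        whitelist = self._load_whitelist()
        for procmem in self.get_results("procmemory", []):
            for url in procmem.get("urls", []):
                # Compare the whitelist against the host part only, but keep
                # the full URL as the recorded indicator.
                netloc = urlsplit(url)[1] or url
                if any(entry.match(netloc) for entry in whitelist):
                    continue
                self.mark_ioc("url", url)
        return self.has_marks()
```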
From: acd62081
Date: Sat, 3 Aug 2019 18:10:59 -0400
Subject: [PATCH 2/3] Use cwd whitelist for memdump_urls.py signature
This allows users an easy way to whitelist domains using the domain.txt file located in cwd/whitelist/. This signature caused misleading "hits "that require the analyst to spend large amounts of time sifting through legitimate URL's in order to find a malicious URL.
---
 modules/signatures/windows/memdump_urls.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py
index 73b484f90..9b2056d1a 100644
--- a/modules/signatures/windows/memdump_urls.py
+++ b/modules/signatures/windows/memdump_urls.py
@@ -1,9 +1,6 @@
 # Copyright (C) 2010-2015 Cuckoo Foundation.
 # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 # See the file 'docs/LICENSE' for copying permission.
-from cuckoo.misc import cwd
-import os
-from urlparse import urlsplit
 try:
 import re2 as re
@@ -11,6 +8,8 @@
 import re
 from lib.cuckoo.common.abstracts import Signature
+from cuckoo.misc import cwd
+from urlparse import urlsplit
 class ProcMemDumpURLs(Signature):
 name = "memdump_urls"
From fe6e407c7819d0047ca7eea3f96e00e12c15abd9 Mon Sep 17 00:00:00 2001
From: acd62081
Date: Sat, 10 Aug 2019 23:28:01 -0400
Subject: [PATCH 3/3] Whitelisting the Microsoft Temporary Owner Files
Microsoft states that: "Owner File (Same Directory as Source File) When a previously saved file is opened for editing, for printing, or for review, Word creates a temporary file that has a .doc file name extension. This file name extension begins with a tilde (~) that is followed by a dollar sign ($) that is followed by the remainder of the original file name." https://support.microsoft.com/en-us/help/211632/description-of-how-word-creates-temporary-files
---
 modules/signatures/windows/creates_doc.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/modules/signatures/windows/creates_doc.py b/modules/signatures/windows/creates_doc.py
index e08e25b61..1005154e7 100644
--- a/modules/signatures/windows/creates_doc.py
+++ b/modules/signatures/windows/creates_doc.py
@@ -2,6 +2,9 @@
 # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 # See the file 'docs/LICENSE' for copying permission.
+import ntpath
+import logging
+
 from lib.cuckoo.common.abstracts import Signature
 class CreatesDocument(Signature):
@@ -15,7 +18,18 @@ class CreatesDocument(Signature):
 pattern = ".*\\.(doc|docm|dotm|docx|ppt|pptm|pptx|potm|ppam|ppsm|xls|xlsm|xlsx|pdf)$"
 def on_complete(self):
+ log = logging.getLogger(__name__)
+ for fileopened in self.check_file(pattern=self.pattern, actions=["file_opened"], regex=True, all=True):
+ opened_dirpath, opened_files = ntpath.split(fileopened)
 for filepath in self.check_file(pattern=self.pattern, actions=["file_written"], regex=True, all=True):
- self.mark_ioc("file", filepath)
-
+ file_dirpath, filepath_files = ntpath.split(filepath)
+ if opened_dirpath == file_dirpath and filepath_files[2:] in opened_files and filepath_files[0:2] == "~$":
+ if opened_dirpath == file_dirpath:
+ log.debug("Parameter 1 of 3: {} is equal to {}...Passed...".format(opened_dirpath, file_dirpath))
+ if filepath_files[2:] in opened_files:
+ log.debug("Parameter 2 of 3: {} is in {}...Passed...".format(filepath_files[2:], opened_files))
+ if filepath_files[0:2] == "~$":
+ log.debug("Parameter 3 of 3: {} is equal to ~$...Passed...Whitelisted...".format(filepath_files[0:2]))
+ else:
+ self.mark_ioc("file", filepath)
 return self.has_marks()
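Review bot: `opened_dirpath` and `opened_files` are assigned only inside the added `for fileopened` loop, and since the context line `for filepath in self.check_file(... "file_written" ...)` keeps its original indentation the two loops appear to be siblings, so every written document is compared against just the last opened document, and when no matching document was opened at all the first written file raises `NameError`. The test `filepath_files[2:] in opened_files` is a substring check on the name, so a written `~$a.docx` would be exempted by an opened `data.docx`; given the owner-file description quoted in the commit message, `endswith` on the opened name is the relation actually intended, and the guard should also reject a bare `~$` whose remainder is empty. The three nested `if`s re-test parts of a condition already known to be true just to emit debug lines and can be dropped. A rewrite that collects the opened documents once and then classifies each written file is below; whether the directory comparison should be case-insensitive (Windows paths usually are) is for the author to confirm.
```python
    def on_complete(self):
        # Gather every opened document once so each written file is compared
        # against all of them, not only the last one seen.
        opened = [
            ntpath.split(f) for f in
            self.check_file(pattern=self.pattern, actions=["file_opened"], regex=True, all=True)
        ]
        for filepath in self.check_file(pattern=self.pattern, actions=["file_written"], regex=True, all=True):
            dirpath, filename = ntpath.split(filepath)
            # Word's owner file is "~$" + the tail of the opened document's
            # name, written to the same directory; that is not a new document.
            remainder = filename[2:]
            is_owner_file = filename.startswith("~$") and remainder and any(
                dirpath == odir and oname.endswith(remainder)
                for odir, oname in opened
            )
            if not is_owner_file:
                self.mark_ioc("file", filepath)
        return self.has_marks()
```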