Memdump_urls.py use cwd whitelist #457

Open
wants to merge 3 commits into
base: master
18 changes: 16 additions & 2 deletions modules/signatures/windows/creates_doc.py
Expand Up @@ -2,6 +2,9 @@
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

import ntpath
import logging

from lib.cuckoo.common.abstracts import Signature

class CreatesDocument(Signature):
Expand All @@ -15,7 +18,18 @@ class CreatesDocument(Signature):
pattern = ".*\\.(doc|docm|dotm|docx|ppt|pptm|pptx|potm|ppam|ppsm|xls|xlsm|xlsx|pdf)$"

def on_complete(self):
log = logging.getLogger(__name__)
for fileopened in self.check_file(pattern=self.pattern, actions=["file_opened"], regex=True, all=True):
opened_dirpath, opened_files = ntpath.split(fileopened)
for filepath in self.check_file(pattern=self.pattern, actions=["file_written"], regex=True, all=True):
self.mark_ioc("file", filepath)

file_dirpath, filepath_files = ntpath.split(filepath)
if opened_dirpath == file_dirpath and filepath_files[2:] in opened_files and filepath_files[0:2] == "~$":
if opened_dirpath == file_dirpath:
log.debug("Parameter 1 of 3: {} is equal to {}...Passed...".format(opened_dirpath, file_dirpath))
if filepath_files[2:] in opened_files:
log.debug("Parameter 2 of 3: {} is in {}...Passed...".format(filepath_files[2:], opened_files))
if filepath_files[0:2] == "~$":
log.debug("Parameter 3 of 3: {} is equal to ~$...Passed...Whitelisted...".format(filepath_files[0:2]))
else:
self.mark_ioc("file", filepath)
return self.has_marks()
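Review bot: The `self.mark_ioc("file", filepath)` in the new `else` branch sits inside the loop over opened documents, so a written document is marked once per opened document it does not pair with — with two documents opened, the `~$` lock file of either one is still flagged by the other iteration — and when the sample opened no matching document at all the outer loop body never runs and nothing is marked, a regression from the unconditional mark this hunk removed. `filepath_files[2:] in opened_files` is a substring test, so `~$a.docx` is whitelisted by an opened `data.docx`; Office builds the owner file name by prefixing `~$` and dropping up to the first two characters of short names, so a suffix match bounded to a two-character difference is presumably what the check wants (worth confirming against samples). As far as the flattened rendering shows, the three nested `if`s under the combined condition on the first `if` re-test conditions that are already true, so the debug branches only add noise, and the inner `check_file` call is re-run for every opened file. Path comparisons are also case-sensitive while Windows paths are not; the sketch below collects the opened documents once, compares case-insensitively, and marks each written document exactly once.
```python
    def on_complete(self):
        log = logging.getLogger(__name__)
        opened = [
            ntpath.split(f) for f in self.check_file(
                pattern=self.pattern, actions=["file_opened"], regex=True, all=True
            )
        ]
        for filepath in self.check_file(pattern=self.pattern, actions=["file_written"], regex=True, all=True):
            dirpath, name = ntpath.split(filepath)
            if name.startswith("~$") and self._is_lock_file(dirpath, name[2:], opened):
                log.debug("Ignoring Office lock file %s for an opened document", filepath)
                continue
            self.mark_ioc("file", filepath)
        return self.has_marks()

    @staticmethod
    def _is_lock_file(dirpath, stem, opened):
        # Office names the owner file "~$" + the document name with up to its first
        # two characters dropped, so require the same directory (case-insensitive on
        # Windows) and a suffix match differing by at most two leading characters.
        dirpath, stem = dirpath.lower(), stem.lower()
        for odir, oname in opened:
            oname = oname.lower()
            if odir.lower() == dirpath and oname.endswith(stem) and len(oname) - len(stem) <= 2:
                return True
        return False
```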
21 changes: 19 additions & 2 deletions modules/signatures/windows/memdump_urls.py
Expand Up @@ -8,6 +8,8 @@
import re

from lib.cuckoo.common.abstracts import Signature
from cuckoo.misc import cwd
from urlparse import urlsplit

class ProcMemDumpURLs(Signature):
name = "memdump_urls"
Expand All @@ -17,10 +19,26 @@ class ProcMemDumpURLs(Signature):
authors = ["Cuckoo Technologies"]
minimum = "2.0"

whitelist_file = cwd("whitelist", "domain.txt")
whitelist = open(whitelist_file, "r")


def on_complete(self):
for procmem in self.get_results("procmemory", []):
for url in procmem.get("urls", []):
self.mark_ioc("url", url)
#Extract top level domain from Procmem results
parts = urlsplit(url)
if parts[1]:
url = parts[1]
else:
pass
is_whitelisted = False
for white in ProcMemDumpURLs.whitelist:
if re.match(white, url, re.IGNORECASE):
is_whitelisted = True
break
if not is_whitelisted:
self.mark_ioc("url", url)

return self.has_marks()

Expand Down Expand Up @@ -60,7 +78,6 @@ def on_complete(self):
".vivavtpaymaster.com",
".fraspartypay.com",
]

for procmem in self.get_results("procmemory", []):
for url in procmem.get("urls", []):
for indicator in indicators:
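Review bot: The whitelist file is opened once at class-definition time (`whitelist = open(whitelist_file, "r")`) and iterated per URL in `on_complete`, so after the first URL consumes the file iterator — fully on a miss, partially on a hit — every later URL is matched against whatever is left, usually nothing, and the whitelist silently stops applying; the handle is never closed either, and each line still carries its trailing newline, which `re.match` then requires the host to end with, so entries can hardly match at all. The comparison is made against `urlsplit(url)[1]`, the netloc, which also carries userinfo and port (`user@evil.com:8080`), and `re.match` anchors only the start, so an entry like `example.com` also admits `example.com.evil.net`; matching `.hostname` against an end-anchored pattern closes both gaps. Because `url` is overwritten with the netloc before `self.mark_ioc("url", url)`, the reported IOC is now only the host, dropping the path and query that were reported before this change. `#Extract top level domain` describes the netloc rather than a TLD and `else: pass` is dead; if `whitelist/domain.txt` is not shipped with this change (it is not in the diff), the `open()` at import time raises and the whole signature module fails to load, which is worth confirming. The sketch below loads the file once into compiled patterns and keeps marking the original URL; the hunk's `on_complete` continues with `return self.has_marks()`.
```python
    whitelist_file = cwd("whitelist", "domain.txt")
    # Read once at import: stripped, end-anchored, case-insensitive patterns.
    with open(whitelist_file, "r") as fp:
        whitelist = [
            re.compile(r"(?:%s)\Z" % line.strip(), re.IGNORECASE)
            for line in fp if line.strip() and not line.startswith("#")
        ]

    def on_complete(self):
        for procmem in self.get_results("procmemory", []):
            for url in procmem.get("urls", []):
                # Compare the host only; netloc would also carry userinfo and port.
                host = urlsplit(url).hostname or url
                if any(rx.match(host) for rx in self.whitelist):
                    continue
                self.mark_ioc("url", url)
        # … unchanged: return self.has_marks() …
```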