sync

CAPESandbox · Oct 30, 2024 · 28aa28e · 28aa28e
1 parent f539f6b
commit 28aa28e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 10 deletions.
diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py
@@ -205,11 +205,11 @@ class UACBypassCMSTPCOM(Signature):
 
     def run(self):
         # CMSTPLUA, CMLUAUTIL, Connection Manager LUA Host Object
-        indicators = [
-            ".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?3E5FC7F9-9A51-4367-9063-A120244FBEC7(\})?",
-            ".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?3E000D72-A845-4CD9-BD83-80C07C3B881F(\})?",
-            ".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?BA126F01-2166-11D1-B1D0-00805FC1270E(\})?",
-        ]
+        indicators = (
+            r".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?3E5FC7F9-9A51-4367-9063-A120244FBEC7(\})?",
+            r".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?3E000D72-A845-4CD9-BD83-80C07C3B881F(\})?",
+            r".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?BA126F01-2166-11D1-B1D0-00805FC1270E(\})?",
+        )
 
         for indicator in indicators:
             match = self.check_executed_command(pattern=indicator, regex=True)
@@ -253,3 +253,4 @@ def on_complete(self):
             if "sdclt.exe" in lower and "/kickoffelev" in lower:
                 return True
         return False
+
diff --git a/modules/signatures/windows/misc.py b/modules/signatures/windows/misc.py
@@ -257,17 +257,17 @@ def __init__(self, *args, **kwargs):
         self.detected = False
 
     def on_call(self, call, process):
-        if process["name"] in ("wscript.exe", "cscript.exe") and call["api"] == "CreateProcessInternalW":
+        if process["process_name"] in ("wscript.exe", "cscript.exe") and call["api"] == "CreateProcessInternalW":
             cmdline = self.get_argument(call, "CommandLine")
             lower = cmdline.lower()
             if (
-                "jave.exe" in lower
+                "java.exe" in lower
                 and "-jar" in lower
                 and any(arg in lower for arg in ("\\appdata\\", "\\public\\", "\\programdata\\"))
             ):
                 self.detected = True
 
     def on_complete(self):
-        if self.detected:
-            return True
-        return False
+        return self.detected
+
+