Skip to content

Commit

Permalink
Merge pull request #408 from kevross33/patch-39
Browse files Browse the repository at this point in the history
Create flarecapa_antianalysis.py
  • Loading branch information
doomedraven authored Apr 7, 2024
2 parents 344532b + 2c36697 commit df4ed6d
Showing 1 changed file with 69 additions and 0 deletions.
69 changes: 69 additions & 0 deletions modules/signatures/all/flarecapa_antianalysis.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
# Copyright (C) 2024 Kevin Ross
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

from lib.cuckoo.common.abstracts import Signature

class FlareCAPAAntiAnalysis(Signature):
name = "flare_capa_antianalysis"
description = "CAPA detected anti-analysis capabilities"
severity = 3
categories = ["anti-analysis"]
authors = ["Kevin Ross"]
minimum = "1.3"
evented = True
ttps = ["T1497"]

def run(self):
ret = False

target = self.results.get("target", {})
if target.get("category") in ("file", "static") and target.get("file"):
capa = self.results["target"]["file"].get("flare_capa", [])
if capa:
samplesha256 = capa["sha256"]
capabilities = capa["CAPABILITY"]
for namespace, capability in capabilities.items():
if "anti-analysis" in namespace:
ret = True
joined = ', '.join(capability)
self.data.append({"target": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})

for block in self.results.get("CAPE", {}).get("payloads", []) or []:
capa = block.get("flare_capa", [])
if capa:
samplesha256 = capa["sha256"]
capabilities = capa["CAPABILITY"]
for namespace, capability in capabilities.items():
if "anti-analysis" in namespace:
ret = True
joined = ', '.join(capability)
self.data.append({"payload": "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})

for keyword in ("procdump", "procmemory", "extracted", "dropped"):
if self.results.get(keyword) is not None:
for block in self.results.get(keyword, []):
if not isinstance(block, dict):
continue
capa = block.get("flare_capa", [])
if capa:
samplesha256 = capa["sha256"]
capabilities = capa["CAPABILITY"]
for namespace, capability in capabilities.items():
if "anti-analysis" in namespace:
ret = True
joined = ', '.join(capability)
self.data.append({keyword: "SHA256 %s - %s %s" % (samplesha256, namespace, joined)})

return ret

0 comments on commit df4ed6d

Please sign in to comment.