Merge branch 'master' of https://github.com/CAPESandbox/community

CAPESandbox · Oct 28, 2024 · ee3ca89 · ee3ca89
2 parents 11adf0d + d2276cc
commit ee3ca89
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/modules/signatures/all/static_pe_anomaly.py b/modules/signatures/all/static_pe_anomaly.py
@@ -4,8 +4,10 @@
 
 import re
 from datetime import datetime
+
 from lib.cuckoo.common.abstracts import Signature
 
+
 class PEAnomaly(Signature):
     name = "static_pe_anomaly"
     description = "Anomalous binary characteristics"
@@ -40,7 +42,9 @@ def run(self):
                 osver = pe["osversion"]
                 osmajor = int(osver.split(".")[0], 10)
                 if osmajor < 4 and compiletime.year >= 2000:
-                    self.data.append({"anomaly": "Minimum OS version is older than NT4 yet the PE timestamp year is newer than 2000"})
+                    self.data.append(
+                        {"anomaly": "Minimum OS version is older than NT4 yet the PE timestamp year is newer than 2000"}
+                    )
                     self.ttps += ["T1099"]  # MITRE v6
                     self.ttps += ["T1070"]  # MITRE v6,7,8
                     self.ttps += ["T1070.006"]  # MITRE v7,8
@@ -53,7 +57,9 @@ def run(self):
                             compiletime.year == bad_date_map[osver][0] and compiletime.month < bad_date_map[osver][1]
                         ):
                             self.data.append(
-                                {"anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"}
+                                {
+                                    "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
+                                }
                             )
                             self.ttps += ["T1099"]  # MITRE v6
                             self.ttps += ["T1070", "T1070.006"]  # MITRE v7,8
@@ -123,8 +129,8 @@ def run(self):
                             and "DLL" not in self.results.get("target", {})["file"].get("type", "")
                         ):
                             self.data.append(
-                            {"anomaly": "OriginalFilename version info claims file is a DLL but binary is a main executable"}
-                        )
+                                {"anomaly": "OriginalFilename version info claims file is a DLL but binary is a main executable"}
+                            )
                             self.weight += 1
 
                 if "reported_checksum" in pe and "actual_checksum" in pe:
@@ -138,6 +144,7 @@ def run(self):
             return True
         return False
 
+
 class StaticPEPDBPath(Signature):
     name = "static_pe_pdbpath"
     description = "The PE file contains a PDB path"
@@ -191,7 +198,7 @@ def run(self):
             pe = self.results["target"]["file"].get("pe", [])
             if pe:
                 pdbpath = pe["pdbpath"]
-                if pdbpath:                 
+                if pdbpath:
                     for suspiciousname in suspiciousnames:
                         if suspiciousname in pdbpath.lower():
                             if self.severity != 3:
@@ -224,6 +231,7 @@ def run(self):
 
         return ret
 
+
 class PECompileTimeStomping(Signature):
     name = "pe_compile_timestomping"
     description = "Binary compilation timestomping detected"
@@ -240,7 +248,7 @@ def run(self):
         target = self.results.get("target", {})
         if target.get("category") in ("file", "static") and target.get("file"):
             pe = self.results["target"]["file"].get("pe", [])
-            if pe:              
+            if pe:
                 rawcompiletime = pe["timestamp"]
                 if rawcompiletime:
                     compiletime = datetime.strptime(rawcompiletime, "%Y-%m-%d %H:%M:%S")