Merge branch 'kevoreilly:master' into master

Author: dsecuma

.github/actions/python-setup/action.yml

@@ -16,7 +16,7 @@ runs:
 
     - name: Install poetry
       shell: bash
-      run: PIP_BREAK_SYSTEM_PACKAGES=1 pip install poetry
+      run: PIP_BREAK_SYSTEM_PACKAGES=1 pip install poetry poetry-plugin-export
 
     - name: Set up Python ${{ inputs.python-version }}
       uses: actions/setup-python@v5

.github/workflows/python-package-windows.yml

@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: ["3.10", "3.11"]
+        python-version: ["3.10"]
 
     steps:
       - name: Check out repository code

.github/workflows/python-package.yml

@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: ["3.10", "3.11"]
+        python-version: ["3.10"]
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -37,23 +37,11 @@ jobs:
           poetry run pip install pyattck==7.1.2 maco
 
       - name: Run Ruff
-        run: poetry run ruff . --line-length 132 --ignore E501,E402
+        run: poetry run ruff check . --line-length 132 --ignore E501,E402
 
       - name: Run unit tests
         run: poetry run python -m pytest --import-mode=append
 
-      - name: See if any parser changed
-        uses: dorny/paths-filter@v3
-        id: changes
-        with:
-          filters: |
-            src:
-              - 'modules/processing/parsers/CAPE/*.py'
-
-      - name: Test parsers only if any parser changed
-        if: steps.changes.outputs.src == 'true'
-        run: poetry run python -m pytest tests_parsers -s --import-mode=append
-
   format:
     runs-on: ubuntu-latest
     timeout-minutes: 20

analyzer/windows/data/yara/Al-khaser.yar

@@ -38,4 +38,17 @@ rule NitrogenLoaderBypass
 		$exit = {33 C9 E8 [4] E8 [4] 48 8D 84 24 [4] 48 89 44 24 ?? 4? B? E4 00 00 00 4? 8B 05 [4] B? 03 00 00 00 48 8D}
 	condition:
         all of them
-}
+}
+
+rule NitrogenLoaderConfig
+{
+    meta:
+        author = "enzok"
+        description = "NitrogenLoader Config Extraction"
+        cape_options = "bp0=$decrypt1*+6,hc0=1,count=0,action0=string:rcx,typestring=NitrogenLoader Config"
+    strings:
+        $decrypt1 = {48 8B 8C 24 [4] 0F B6 04 01 89 ?? 24 [1-4] 48 63 4C 24 ?? 33 D2 48 8B C1 48 F7 B4 24 [4] 48 8B C2 48 8B 8C}
+        $decrypt2 = {8B ?? 24 [1-4] 33 C8 8B C1 48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A}
+    condition:
+        all of them
+}

analyzer/windows/data/yara/NitrogenLoader.yar

@@ -147,5 +147,7 @@ def choose_package(file_type, file_name, exports, target):
         return "autoit"
     elif file_name.endswith(("cmd", "bat")) or b"@echo off" in file_content:
         return "batch"
+    elif file_name.endswith(".rdp"):
+        return "rdp"
     else:
         return "generic"

analyzer/windows/data/yara/Pafish.yar

@@ -1002,7 +1002,7 @@ def _unpackSimpleType(self, record, info, event_property):
 
         data = formatted_data.value
         # Convert the formatted data if necessary
-        if out_type in TDH_CONVERTER_LOOKUP and type(data) != TDH_CONVERTER_LOOKUP[out_type]:
+        if out_type in TDH_CONVERTER_LOOKUP and type(data) is TDH_CONVERTER_LOOKUP[out_type]:
             data = TDH_CONVERTER_LOOKUP[out_type](data)
 
         return {name_field: data}

analyzer/windows/lib/core/packages.py

@@ -30,7 +30,6 @@
 from lib.common.rand import random_integer, random_string
 
 log = logging.getLogger(__name__)
-PERSISTENT_ROUTE_GATEWAY = "192.168.1.1"
 si = subprocess.STARTUPINFO()
 si.dwFlags |= subprocess.STARTF_USESHOWWINDOW
 
@@ -243,18 +242,14 @@ def randomizeUUID(self):
             # Replace the UUID with the new UUID
             SetValueEx(key, "MachineGuid", 0, REG_SZ, createdUUID)
 
-    def add_persistent_route(self):
-        self.run_as_system(
-            ["C:\\Windows\\System32\\ROUTE.exe", "-p", "add", "0.0.0.0", "mask", "0.0.0.0", PERSISTENT_ROUTE_GATEWAY]
-        )
-        self.run_as_system(
-            ["C:\\Windows\\System32\\ROUTE.exe", "-p", "change", "0.0.0.0", "mask", "0.0.0.0", PERSISTENT_ROUTE_GATEWAY]
-        )
+    def add_persistent_route(self, gateway: str):
+        self.run_as_system(["C:\\Windows\\System32\\ROUTE.exe", "-p", "add", "0.0.0.0", "mask", "0.0.0.0", gateway])
+        self.run_as_system(["C:\\Windows\\System32\\ROUTE.exe", "-p", "change", "0.0.0.0", "mask", "0.0.0.0", gateway])
 
     def start(self):
         if self.config.windows_static_route:
             log.info(f"Config for route is: {str(self.config.windows_static_route)}")
-            self.add_persistent_route()
+            self.add_persistent_route(self.config.windows_static_route_gateway)
         self.change_productid()
         self.set_office_mrus()
         self.ramnit()

analyzer/windows/modules/auxiliary/amsi.py

@@ -71,6 +71,7 @@
     "don't send",
     "don't save",
     "continue",
+    "connect",
     "unzip",
     "open",
     "close the program",
@@ -115,6 +116,7 @@
 DONT_CLICK_BUTTONS = (
     # english
     "check online for a solution",
+    "don't ask me again for remote connections from this publisher",
     "don't run",
     "do not ask again until the next update is available",
     "cancel",