Merge branch 'master' into staging

doomedraven · doomedraven · commit 746be3ff9c01 · 2025-07-10T22:39:14.000+02:00
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,58 @@
+# Copilot Instructions for CAPEv2
+
+## General Architecture
+- CAPEv2 is an automated malware analysis platform, based on Cuckoo Sandbox, with extensions for dynamic, static, and network analysis.
+- The backend is mainly Python, using SQLAlchemy for the database and Django/DRF for the web API.
+- Main components include:
+  - `lib/cuckoo/core/database.py`: database logic and ORM.
+  - `web/apiv2/views.py`: REST API endpoints (Django REST Framework).
+  - `lib/cuckoo/common/`: shared utilities, configuration, helpers.
+  - `storage/`: analysis results and temporary files.
+- Typical flow: sample upload → DB registration → VM assignment → analysis → result storage → API query.
+
+## Conventions and Patterns
+- Heavy use of SQLAlchemy 2.0 ORM, with explicit sessions and nested transactions (`begin_nested`).
+- Database models (Sample, Task, Machine, etc.) are always managed via `Database` object methods.
+- API endpoints always return a dict with `error`, `data`, and, if applicable, `error_value` keys.
+- Validation and request argument parsing are centralized in helpers (`parse_request_arguments`, etc.).
+- Integrity errors (e.g., duplicates) are handled with `try/except IntegrityError` and recovery of the existing object.
+- Tags are managed as comma-separated strings and normalized before being associated with models.
+- Code avoids mutable global variables; configuration is accessed via `Config` objects.
+
+## Developer Workflows
+- No Makefile or standard build scripts; dependency management is usually via `poetry` or `pip`.
+- For testing, use virtual environments and run scripts manually.
+- Typical backend startup is via Django (`manage.py runserver`), and analysis workers are launched separately.
+- Database changes require manual migrations (see Alembic comments in `database.py`).
+
+## Integrations and Dependencies
+- Optional integration with MongoDB and Elasticsearch, controlled by configuration (`reporting.conf`).
+- The system can use different compression tools (zlib, 7zip) depending on config.
+- Sample analysis may invoke external utilities (e.g., Sflock, PE parsers).
+
+## Key Pattern Examples
+- IntegrityError handling example:
+  ```python
+  try:
+      with self.session.begin_nested():
+          self.session.add(sample)
+  except IntegrityError:
+      sample = self.session.scalar(select(Sample).where(Sample.md5 == file_md5))
+  ```
+- API response example:
+  ```python
+  return Response({"error": False, "data": result})
+  ```
+- Tag assignment example:
+  ```python
+  tags = ",".join(set(_tags))
+  ```
+
+## Key Files
+- `lib/cuckoo/core/database.py`: database logic, sample/task registration, machine management.
+- `web/apiv2/views.py`: REST endpoints, validation, high-level business logic.
+- `lib/cuckoo/common/`: utilities, helpers, configuration.
+
+---
+
+If you introduce new endpoints, helpers, or models, follow the validation, error handling, and standard response patterns. See the files above for implementation examples.
diff --git a/data/yara/CAPE/Lumma.yar b/data/yara/CAPE/Lumma.yar
@@ -10,6 +10,7 @@ rule Lumma
         $decode1 = {C1 (E9|EA) 02 [0-3] 0F B6 (44|4C) ?? FF 83 (F8|F9) 3D 74 05 83 (F8|F9) 2E 75 01 (49|4A) [0-30] 2E 75}
         $decode2 = {B0 40 C3 B0 3F C3 89 C8 04 D0 3C 09 77 06 80 C1 04 89 C8 C3 89 C8 04 BF 3C}
         $decode3 = {B0 40 C3 B0 3F C3 80 F9 30 72 ?? 80 F9 39 77 06 80 C1 04 89 C8 C3}
+        $decode4 = {89 C8 04 D0 3C 09 77 ?? [3-11] 89 C8 [0-1] C3 89 C8 04 BF 3C 1A 72 ?? 89 C8 04 9F 3C}
     condition:
         uint16(0) == 0x5a4d and any of them
 }
diff --git a/docs/book/src/installation/guest/requirements.rst b/docs/book/src/installation/guest/requirements.rst
@@ -18,7 +18,7 @@ Python is a strict requirement for the CAPE guest component (*analyzer*) to run
     version of Python can be 64-bit (x64).
 
 You can download the proper `Windows`_ / `Linux`_ installer from the `official website`_.
-Python versions > 3.6 are preferred.
+Python versions >= 3.10 and < 3.13 are preferred.
 
 .. important::
     When installing Python, it is recommended to select the `Add Python <version> to PATH` option. And remove from that PATH `%USERPROFILE%\AppData\Local\Microsoft\WindowsApps`
diff --git a/installer/cape2.sh b/installer/cape2.sh
@@ -691,7 +691,7 @@ EOL
 function install_suricata() {
     echo '[+] Installing Suricata'
     sudo add-apt-repository -y ppa:oisf/suricata-stable
-    sudo apt-get install -y suricata suricata-update
+    sudo apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install -y suricata suricata-update
     touch /etc/suricata/threshold.config
 
     # Download etupdate to update Emerging Threats Open IDS rules:
diff --git a/installer/kvm-qemu.sh b/installer/kvm-qemu.sh
@@ -1202,6 +1202,10 @@ function cloning() {
     <dnsmasq:option value='dhcp-option=46,8'/>
     <!--Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.-->
     <dnsmasq:option value='dhcp-option=252,"\n"'/>
+    <!--Prevent DNS rebinding to internal hosts.-->
+    <dnsmasq:option value='stop-dns-rebind'/>
+    <!-- To allow rebinding for specific domains, uncomment and modify the following line. -->
+    <!-- <dnsmasq:option value='rebind-domain-ok=/example.com/'/> -->
   </dnsmasq:options>
 </network>
 EOF
diff --git a/modules/machinery/az.py b/modules/machinery/az.py
@@ -1215,7 +1215,7 @@ def _get_relevant_machines(self, tag):
         """
         # The number of relevant machines are those from the list of locked and unlocked machines
         # that have the correct tag in their name
-        return [machine for machine in self.db.list_machines([tag])]
+        return self.db.list_machines(tags=[tag])
 
     @staticmethod
     def _wait_for_concurrent_operations_to_complete(timeout=AZURE_TIMEOUT):
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -29,7 +29,7 @@ requests-file = ">=1.5.1"
 orjson = ">=3.9.15"
 # maec = "4.1.0.17"
 # regex = "2021.7.6"
-SFlock2 = {version = ">=0.3.66", extras = ["shellcode","linux"]}
+SFlock2 = {version = ">=0.3.76", extras = ["shellcode","linux"]}
 # volatility3 = "2.11.0"
 # XLMMacroDeobfuscator = "0.2.7"
 pyzipper = "0.3.6"
diff --git a/requirements.txt b/requirements.txt
@@ -1816,9 +1816,9 @@ setproctitle==1.3.2 ; python_version >= "3.10" and python_version < "4.0" \
 setuptools==78.1.1 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:c3a9c4211ff4c309edb8b8c4f1cbfa7ae324c4ba9f91ff254e3d305b9fd54561 \
     --hash=sha256:fcc17fd9cd898242f6b4adfaca46137a9edef687f43e6f78469692a5e70d851d
-sflock2==0.3.69 ; python_version >= "3.10" and python_version < "4.0" \
-    --hash=sha256:3f140ad380a51eb9f3ff5e436fa17c50daf365d845a5a40339896522291ef935 \
-    --hash=sha256:fb1ecbe635c776a15de92817c002a2fbc9c06d84168a0bde8e96f16fe5c81fb2
+sflock2==0.3.76 ; python_version >= "3.10" and python_version < "4.0" \
+    --hash=sha256:3d989d142fc49ebd049f75eb8d402451fcd20148cf27aaa20c540ac95a9c81ff \
+    --hash=sha256:eed75b32adf3c82a60d9339fda63a151355f9be7639d7d583de8f43ea6604e4c
 six==1.17.0 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \
     --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ rule Lumma`
`10`	`10`	`$decode1 = {C1 (E9\|EA) 02 [0-3] 0F B6 (44\|4C) ?? FF 83 (F8\|F9) 3D 74 05 83 (F8\|F9) 2E 75 01 (49\|4A) [0-30] 2E 75}`
`11`	`11`	`$decode2 = {B0 40 C3 B0 3F C3 89 C8 04 D0 3C 09 77 06 80 C1 04 89 C8 C3 89 C8 04 BF 3C}`
`12`	`12`	`$decode3 = {B0 40 C3 B0 3F C3 80 F9 30 72 ?? 80 F9 39 77 06 80 C1 04 89 C8 C3}`
	`13`	`+ $decode4 = {89 C8 04 D0 3C 09 77 ?? [3-11] 89 C8 [0-1] C3 89 C8 04 BF 3C 1A 72 ?? 89 C8 04 9F 3C}`
`13`	`14`	`condition:`
`14`	`15`	`uint16(0) == 0x5a4d and any of them`
`15`	`16`	`}`