Malware Configuration And Payload Extraction

Overview

CAPEv2 (Python3) has now been released

With the imminent end-of-life for Python 2 (January 1 2020), CAPEv1 will be phased out. Please upgrade to the Python 3 version as soon as possible.

CAPE: Malware Configuration And Payload Extraction

CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of malware analysis with the goal of extracting payloads and configuration from malware. This allows CAPE to detect malware based on payload signatures, as well as to automate many of the goals of malware reverse engineering and threat intelligence.

There is a community version online which is free for anyone to try:

https://cape.contextis.com/submit

CAPE can detect a number of malware techniques or behaviours, as well as specific malware families, from its initial run on a sample. This detection may then trigger a further run with a specific package, in order to extract the malware payload and possibly its configuration, for further analysis.

CAPE works by controlling malware via a bespoke debugger and API hooks. Detection that triggers a CAPE package can be based on API or Yara signatures. The debugger uses Yara signatures or API hooks to set breakpoints on individual instructions, memory regions or function calls. Once a region of interest is reached, it can be manipulated and dumped for processing and analysis, and possibly configuration parsing.

The techniques or behaviours that CAPE detects and has packages for include:

  • Process injection
    • Shellcode injection
    • DLL injection
    • Process hollowing
    • Process doppelgänging
  • Decompression of executable modules in memory
  • Extraction of executable modules or shellcode in memory

Packages for these behaviours will dump the payloads being injected, extracted or decompressed for further analysis. This is often the malware payload in unpacked form.

CAPE automatically creates a process dump for each process, or, in the case of a DLL, a dump of the DLL's module image in memory. This is useful for samples packed with simple packers, where the module image dump is often fully unpacked. Yara signatures may trigger on the process dumps, possibly resulting in resubmission with a specific package, or in configuration parsing.

CAPE also has a package which can dynamically unpack samples that use 'hacked' (modified) UPX, very popular with malware authors. These samples are run in CAPE's debugger until their OEP (original entry point), whereupon they are dumped, fixed and their imports are automatically reconstructed, ready for analysis.

Currently CAPE has specific packages dumping configuration and payloads for the following malware families:

  • PlugX
  • EvilGrab
  • Sedreco
  • Cerber
  • TrickBot
  • Hancitor
  • Ursnif
  • QakBot

CAPE has config parsers/decoders for the following malware families, whose payloads are automatically extracted by a behavioural package:

  • Emotet
  • RedLeaf
  • ChChes
  • HttpBrowser
  • Enfal
  • PoisonIvy
  • Screech
  • TSCookie
  • Dridex
  • SmokeLoader

Many other malware families have their payloads automatically extracted by behavioural packages, for which CAPE uses Yara signatures to detect the payloads. This list is growing, and includes:

  • Azorult, Formbook, Ryuk, Hermes, Shade, Remcos, Ramnit, Gootkit, QtBot, ZeroT, WanaCry, NetTraveler, Locky, BadRabbit, Magniber, Redsip, Kronos, PetrWrap, Kovter, Azer, Petya, Dreambot, Atlas, NanoLocker, Mole, Codoso, Cryptoshield, Loki, Jaff, IcedID, Scarab, Cutlet, RokRat, OlympicDestroyer, Gandcrab, Fareit, ZeusPanda, AgentTesla, Imminent, Arkei, Sorgu, tRat, T5000, TClient, TreasureHunter.

Configuration data may be output either by the family packages or within payloads produced by the behavioural packages. In both cases Yara-based detection identifies the payload and selects the parser; config parsing is then performed with either of CAPE's two config parsing frameworks: the RATDecoders framework from malwareconfig.com, and DC3-MWCP (Defense Cyber Crime Center - Malware Configuration Parser). The many parsers/decoders from malwareconfig.com are also included, comprising among many others Sakula, DarkComet, PredatorPain and PoisonIvy. Thanks to Kevin Breen/TechAnarchy for this framework and parsers (https://github.com/kevthehermit/RATDecoders), and to DC3 for their framework (https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP). Special thanks to Jason Reaves (@sysopfb) for the TrickBot parser and Fabien Perigaud for the PlugX parser.
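As an added example, not code from CAPE, its parsers or either framework, here is the shape of the step described above and in the process-dump paragraph: a signature hit on a dumped payload, followed by structured decoding of the config it contains. The family ("DemoRAT"), its marker bytes and its config layout are all constructed for illustration; a real parser would be written against the RATDecoders or DC3-MWCP API and would be selected by the Yara rule that matched the dump.

```python
"""Signature hit on a CAPE-style payload dump followed by structured config
decoding. 'DemoRAT' and its config layout are constructed for illustration;
a real parser would be written against RATDecoders or DC3-MWCP."""
import json
import struct
from typing import Dict, List, Optional

# Byte pattern the Yara rule would match on the dumped payload (constructed).
CONFIG_MARKER = b"CFG\x00"
MAX_CONFIG_LEN = 0x1000


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(dump: bytes) -> Optional[bytes]:
    """Locate and decode the blob: MARKER | key (u8) | len (u16 LE) | xor(key, config).
    Every marker hit is validated; decoys and truncated copies are skipped."""
    pos = dump.find(CONFIG_MARKER)
    while pos != -1:
        hdr = pos + len(CONFIG_MARKER)
        if hdr + 3 <= len(dump):
            key = dump[hdr]
            (length,) = struct.unpack_from("<H", dump, hdr + 1)
            start, end = hdr + 3, hdr + 3 + length
            if 0 < length <= MAX_CONFIG_LEN and end <= len(dump):
                blob = _xor(dump[start:end], key)
                if blob.startswith(b"DEMO|"):          # decode sanity check
                    return blob
        pos = dump.find(CONFIG_MARKER, pos + 1)
    return None


def parse_config(dump: bytes) -> Optional[Dict[str, object]]:
    """Config layout (constructed): DEMO|<campaign>|<mutex>|host:port|host:port..."""
    blob = find_config(dump)
    if blob is None:
        return None
    fields = blob.decode("ascii", errors="replace").split("|")
    if len(fields) < 4:
        return None
    c2: List[Dict[str, object]] = []
    for entry in fields[3:]:
        host, _, port = entry.rpartition(":")
        if host and port.isdigit() and 0 < int(port) < 65536:
            c2.append({"host": host, "port": int(port)})
    return {"family": "DemoRAT", "campaign": fields[1], "mutex": fields[2], "c2": c2}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a CAPE process dump: header bytes, a decoy marker
    with an impossible length, some code bytes, then the real encoded config."""
    cfg = b"DEMO|campaign-7|Global\\dm7|203.0.113.10:8443|c2.example.net:443"
    key = 0x5A
    decoy = CONFIG_MARKER + b"\x00" + struct.pack("<H", 0xFFFF)
    real = CONFIG_MARKER + bytes([key]) + struct.pack("<H", len(cfg)) + _xor(cfg, key)
    return b"MZ" + b"\x00" * 62 + decoy + b"\x90" * 32 + real + b"\x00" * 16


if __name__ == "__main__":
    print(json.dumps(parse_config(build_sample_dump()), indent=2))
```

The decoy marker in the constructed dump is deliberate: a process dump often contains several candidate hits (stale copies, unrelated strings, partially overwritten regions), so a parser should validate what it decoded rather than trust the first match and abort on it.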

Utility packages are also included. 'DumpOnAPI' dumps a module when it calls a specific API function, which can be specified in the web interface. 'DumpConfigRegion' dumps the memory region containing C2 information or other config data for commonly used API calls. These packages can be useful for quickly unpacking or dumping novel samples or configs. The 'Trace' package gives quick access to the debugger: it accepts four breakpoints (RVA values) to set on instructions, and outputs a short instruction trace when they are hit. An optional 'base-on-api' parameter allows the image base to be set by API call.

The CAPE debugger allows breakpoints to be set on read, write or execute of a memory address or region, as well as single-step mode. This allows fine control over malware execution until it is possible to dump the memory regions of interest, containing code or configuration data. Breakpoints can be set dynamically by package code, API hooks or Yara signatures. Thanks to the embedded distorm library the debugger can output the disassembly of instructions during single-step mode or when breakpoints are hit, resulting in instruction traces.

Processes, modules and memory regions can each be dumped by CAPE through a simple API. These dumps can then be scanned and parsed for configuration information. Executable modules are fixed on being dumped, and may also have their imports automatically reconstructed (based on Scylla: https://github.com/NtQuery/Scylla). Packages can be written based on API hooks, the CAPE debugger, or a combination of both. There are a number of other behavioural and malware family packages and parsers currently in the works, so watch this space.
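As an added example of what "fixing" a dumped module means in practice (illustrative Python, not capemon's code, which does this in C and additionally hands import reconstruction to Scylla): a module dumped from memory is laid out at SectionAlignment, but its section headers still describe the on-disk layout, so file-based tools read the wrong bytes until PointerToRawData/SizeOfRawData are rewritten to the virtual values and ImageBase is set to the address the module actually occupied. The PE32 image below is constructed inline; header field offsets follow the PE/COFF specification.

```python
"""Rewrite a memory-dumped PE so its section table describes the in-memory
layout. Illustrative 'dump fixing' only; capemon does this in C and also
hands import reconstruction to Scylla."""
import struct
from typing import Dict, List, Optional


def _nt_offsets(image):
    """Return (number_of_sections, optional_header_offset, first_section_header_offset)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    (nsections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24                         # optional header follows the 20-byte file header
    return nsections, opt, opt + opt_size


def parse_sections(image: bytes) -> List[Dict[str, object]]:
    """Section table as a file-based tool (pefile, a disassembler) reads it."""
    nsections, _, first = _nt_offsets(image)
    out: List[Dict[str, object]] = []
    for i in range(nsections):
        h = first + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, h + 8)
        out.append({"name": bytes(image[h:h + 8]).rstrip(b"\0").decode("ascii", "replace"),
                    "VirtualSize": vsize, "VirtualAddress": vaddr,
                    "SizeOfRawData": rawsize, "PointerToRawData": rawptr})
    return out


def section_bytes(image: bytes, name: str) -> bytes:
    """Read a section the way a file parser does: through PointerToRawData, not VirtualAddress."""
    for s in parse_sections(image):
        if s["name"] == name:
            start = s["PointerToRawData"]
            return bytes(image[start:start + s["SizeOfRawData"]])
    raise KeyError(name)


def image_base(image: bytes) -> int:
    _, opt, _ = _nt_offsets(image)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                          # PE32: ImageBase is a u32 at +28
        return struct.unpack_from("<I", image, opt + 28)[0]
    if magic == 0x20B:                          # PE32+: ImageBase is a u64 at +24
        return struct.unpack_from("<Q", image, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def fix_dumped_image(image: bytes, load_base: Optional[int] = None) -> bytes:
    """Set raw pointer/size of every section to its virtual address/size, and
    optionally record the base the module actually occupied in memory."""
    buf = bytearray(image)
    nsections, opt, first = _nt_offsets(buf)
    (magic,) = struct.unpack_from("<H", buf, opt)
    if load_base is not None:
        if magic == 0x10B:
            struct.pack_into("<I", buf, opt + 28, load_base)
        elif magic == 0x20B:
            struct.pack_into("<Q", buf, opt + 24, load_base)
    for i in range(nsections):
        h = first + i * 40
        vsize, vaddr = struct.unpack_from("<II", buf, h + 8)
        end = min(vaddr + vsize, len(buf))      # truncated dump: never point past the bytes we have
        struct.pack_into("<II", buf, h + 16, max(end - vaddr, 0), vaddr)  # SizeOfRawData, PointerToRawData
    return bytes(buf)


def build_dumped_image() -> bytes:
    """Constructed stand-in for a CAPE module-image dump: a PE32 mapped at
    SectionAlignment 0x1000 whose headers still carry the on-disk raw
    pointers (FileAlignment 0x200) of the original file."""
    sa, fa = 0x1000, 0x200
    # (name, VirtualAddress, VirtualSize, on-disk PointerToRawData, content)
    secs = [(b".text", 0x1000, 0x200, 0x400, b"\x55\x8b\xec\x90"),
            (b".data", 0x2000, 0x100, 0x600, b"cfg=example")]
    opt = bytearray(0xE0)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)            # ImageBase as linked
    struct.pack_into("<II", opt, 32, sa, fa)               # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, sa * 3, 0x400)        # SizeOfImage, SizeOfHeaders
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    sect_hdrs = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIII", vsize, rva, -(-vsize // fa) * fa, rawptr) + b"\0" * 16
        for name, rva, vsize, rawptr, _ in secs)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + bytes(opt) + sect_hdrs
    pages = [headers.ljust(sa, b"\0")] + [content.ljust(sa, b"\0") for *_, content in secs]
    return b"".join(pages)


if __name__ == "__main__":
    raw = build_dumped_image()
    print("before:", parse_sections(raw), section_bytes(raw, ".text")[:4].hex())
    fixed = fix_dumped_image(raw, load_base=0x10000000)
    print("after: ", parse_sections(fixed), section_bytes(fixed, ".text")[:4].hex())
```

Before the fix, reading .text through the section table returns header padding rather than code, which is exactly why an unfixed dump confuses disassemblers and signature scanners that work from file offsets. Import reconstruction is a separate step and is not shown here.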

The repository containing the code for the monitor DLLs which form the basis of these packages is a distinct one: https://github.com/ctxis/capemon. This repository is organised in branches for the various packages.

CAPE is derived from spender-sandbox (https://github.com/spender-sandbox), which is derived from Cuckoo Sandbox (https://github.com/cuckoosandbox), so thanks to Brad Spengler, Claudio Guarnieri, Jurriaan Bremer and the countless other Cuckoo contributors without whom this work would not be possible. It also depends on Yara (https://github.com/VirusTotal/yara) from VirusTotal. Thanks to Decalage (@decalage2) for oletools, Didier Stevens and peepdf (@peepdf) for the PDF tools, MalwareCantFly for Vba2Graph and Matt Holley (@mrmolley) for binGraph. A big thanks also to doomedraven (@D00m3dR4v3n), Sandor Nemes (@sandornemes), Kevin Ross and Enzo (@enzok) for their support and contributions.

Please contribute to this project by helping create new packages for further malware families, packers, techniques or configuration parsers. Alternatively contact @CapeSandbox or Kevin O'Reilly for further details of CAPE development.

Installation recommendations and scripts for optimal performance

  1. For best compatibility we strongly suggest installing on Ubuntu 18.04 LTS
  2. KVM is recommended as hypervisor:
     • sudo ./kvm-qemu.sh all <username>
  3. To install CAPE itself, run cuckoo.sh with all optimizations:
     • sudo ./cuckoo.sh all cape
  4. Reboot and enjoy

* All scripts accept -h for help, but please read the scripts to understand what they are doing.

Comments
  • Ursnif Config Extraction

    Ursnif Config Extraction

    Requesting config extraction for Ursnif. I am able to get the final Ursnif payload that's injected into Explorer.exe using CAPE extraction and a yara rule. I've done some RE and have the functions that build the comms strings prior to encryption. At this point, I'd like to dump the data along with the encryption key. Would this require a capemon dll to hook these functions? Thoughts?

    opened by enzok 82
  • KVM Analysis Never Starts

    KVM Analysis Never Starts

    2019-09-04 09:23:11,633 [root] INFO: Generating grammar tables from /usr/lib/python2.7/lib2to3/Grammar.txt
    2019-09-04 09:23:11,682 [root] INFO: Generating grammar tables from /usr/lib/python2.7/lib2to3/PatternGrammar.txt
    2019-09-04 09:23:15,710 [lib.cuckoo.core.scheduler] INFO: Using "kvm" machine manager with max_analysis_count=0, max_machines_count=2, and max_vmstartup_count=2
    2019-09-04 09:23:16,263 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
    2019-09-04 09:23:16,272 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
    

    Host: Debian 10
    VM: Windows 10 x64
    VM Config: UAC disabled, Firewall disabled, Defender disabled
    Machinery: KVM

    Not sure why, but when using KVM as my machinery, the analysis never starts. It just sits there waiting for analysis tasks, despite showing 1 pending task.

    Is there a way to enable debug logging so I can maybe see what isn't happening?

    opened by hackdefendr 61
  • VPN not selectable in Web Interface

    VPN not selectable in Web Interface

    Dear all,

    I am running CAPE with VirtualBox machinery and rooter to route traffic through tor if the need arises. The tor network is selectable as expected when I submit an analysis.

    To circumvent the geofencing of some malware, I thought it would make sense to buy a VPN (like NordVPN), create a VPN tunnel for every country I want to be able to use, and select this VPN in the web interface before submitting the task.

    Unfortunately I don't see the VPNs I added under conf/vpn.conf. As stated before, Tor is running fine through rooter and the OpenVPN tunnel itself is running fine also.

    Here is my vpn.conf:

    [vpn]
    vpns = vpn0
    
    [vpn0]
    name = vpn0
    description = openvpn_tunnel
    interface = tun0
    rt_table = tun0
    

    Here is my /etc/iproute2/rt_tables:

    255 local
    254 main
    253 default
    0 unspec
    
    400 eno1
    401 tun0
    

    (eno1 is my dirty/internet line)

    Here is the crucial part of my cuckoo.conf:

    [routing]
    route = internet
    internet = eno1
    rt_table = main
    auto_rt = yes
    
    tor = on
    tor_dnsport = 5353
    tor_proxyport = 9040
    tor_interface = eno1
    

    Please excuse me if I have understood the whole thing wrong and it isn't possible at all to display all VPN connections in the dropdown of the web interface.

    Every suggestion is highly appreciated!

    Thanks

    opened by hariomenkel 36
  • django web UI broken with postgresql

    django web UI broken with postgresql

    cc @kevoreilly

    @doomedraven's distributed changes a few commits back cause this error:

    python manage.py runserver
    Performing system checks...

    Unhandled exception in thread started by <function wrapper at 0x7fc63c059050>
    Traceback (most recent call last):
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/utils/autoreload.py", line 228, in wrapper
        fn(*args, **kwargs)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/management/commands/runserver.py", line 124, in inner_run
        self.check(display_num_errors=True)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/management/base.py", line 359, in check
        include_deployment_checks=include_deployment_checks,
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/management/base.py", line 346, in _run_checks
        return checks.run_checks(**kwargs)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/checks/registry.py", line 81, in run_checks
        new_errors = check(app_configs=app_configs)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/checks/urls.py", line 16, in check_url_config
        return check_resolver(resolver)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/checks/urls.py", line 26, in check_resolver
        return check_method()
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 256, in check
        for pattern in self.url_patterns:
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/utils/functional.py", line 35, in __get__
        res = instance.__dict__[self.name] = self.func(instance)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 407, in url_patterns
        patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/utils/functional.py", line 35, in __get__
        res = instance.__dict__[self.name] = self.func(instance)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 400, in urlconf_module
        return import_module(self.urlconf_name)
      File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
        __import__(name)
      File "/home/cuckoo/CAPE/web/web/urls.py", line 15, in <module>
        from submission import urls as submission
      File "/home/cuckoo/CAPE/web/submission/urls.py", line 6, in <module>
        from submission import views
      File "/home/cuckoo/CAPE/web/submission/views.py", line 83, in <module>
        session = create_session(repconf.distributed.db)
      File "/home/cuckoo/CAPE/web/../lib/cuckoo/common/dist_db.py", line 95, in create_session
        engine = create_engine(db_connectionn, pool_size=20, max_overflow=100)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/__init__.py", line 425, in create_engine
        return strategy.create(*args, **kwargs)
      File "/home/cuckoo/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/strategies.py", line 162, in create
        engineclass.__name__))
    TypeError: Invalid argument(s) 'pool_size','max_overflow' sent to create_engine(), using configuration SQLiteDialect_pysqlite/NullPool/Engine. Please check that the keyword arguments are appropriate for this combination of components.

    opened by seanthegeek 32
  • Powershell scripts not executing properly with Capemon enabled

    Powershell scripts not executing properly with Capemon enabled

    This Word doc has a macro that executes an encoded powershell script: 5bc978433646fa357d6b2c29ab45f6789b14379c224d2d3fc25d310cc7258733

    If I run with behavioral analysis either disabled or set disable_hook_content=1, the script will execute fully and attempt to download the next stage. However, if full hooking is left enabled the script is executed (shows up in executed_commands), but the network activity does not occur.

    opened by enzok 30
  • ERROR: Failed to run the processing module

    ERROR: Failed to run the processing module "Dropped":

    Hi, I'm having an issue with CAPE connecting to my guest VM. I have verified that networking is not the issue and am able to curl vmip:8000 and get code 501. I continually get

    2019-08-09 10:34:46,303 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
    2019-08-09 10:34:47,305 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
    2019-08-09 10:34:48,306 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
    2019-08-09 10:34:49,307 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
    2019-08-09 10:34:50,309 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
    2019-08-09 10:34:51,311 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
    2019-08-09 10:34:52,313 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
    2019-08-09 10:34:53,314 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet

    and no activity on my VM. After timeout I get the following error

    2019-08-09 10:35:02,698 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "Dropped":
    Traceback (most recent call last):
      File "/home/cuckoo/CAPE/lib/cuckoo/core/plugins.py", line 197, in process
        data = current.run()
      File "/home/cuckoo/CAPE/modules/processing/dropped.py", line 28, in run
        file_names = os.listdir(self.dropped_path)
    OSError: [Errno 2] No such file or directory: '/opt/CAPE/storage/analyses/6/files'

    After going to the dir I noticed the "files" dir doesn't exist. Any tips for resolving this issue?

    opened by YESIHACK 23
  • oletools and olefile should be dependencies

    oletools and olefile should be dependencies

    I just noticed that CAPE includes copies of the files olefile.py, olevba, oleid, etc. (which is great, I'm glad they are useful) As those tools are regularly updated to fix bugs and to support new formats and new obfuscation tricks, it would be better not to include old copies here, but to install the latest versions with pip. Is there a specific reason why they are copied rather than imported?

    opened by decalage2 23
  • Signature Errors with latest commits

    Signature Errors with latest commits

    I added the latest commits and am now getting the following errors. I've run multiple samples and get the same results.

    2018-07-09 22:00:36,972 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "CheckRemoteDebuggerPresent":
    Traceback (most recent call last):
      File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
        result = sig.on_call(call, proc)
      File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 558, in on_call
        ProcessInformationClass = int(self.get_raw_argument(call, "ProcessInformationClass"), 0)
    TypeError: int() can't convert non-string with explicit base
    2018-07-09 22:00:37,056 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "critical_process":
    Traceback (most recent call last):
      File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
        result = sig.on_call(call, proc)
      File "/opt/cuckoo/utils/../modules/signatures/critical_process.py", line 34, in on_call
        value = int(self.get_argument(call, "Value"))
    TypeError: int() argument must be a string or a number, not 'NoneType'
    2018-07-09 22:00:37,056 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "dep_disable":
    Traceback (most recent call last):
      File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
        result = sig.on_call(call, proc)
      File "/opt/cuckoo/utils/../modules/signatures/dep_disable.py", line 34, in on_call
        value = int(self.get_argument(call, "Value"))
    TypeError: int() argument must be a string or a number, not 'NoneType'
    2018-07-09 22:00:37,071 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "NtSetInformationThread":
    Traceback (most recent call last):
      File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
        result = sig.on_call(call, proc)
      File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 497, in on_call
        ThreadInformationClass = int(self.get_raw_argument(call, "ThreadInformationClass"), 0)
    TypeError: int() can't convert non-string with explicit base
    
    
    opened by enzok 23
  • Debugger doesn't work in KVM virtual machines.

    Debugger doesn't work in KVM virtual machines.

    It's been observed that CAPE's debugger does not work in KVM VMs. This is to do with the fact that KVM doesn't allow use of the debug registers by the guest, as discussed here:

    https://patchwork.kernel.org/patch/4717311/
    https://patchwork.kernel.org/patch/8436261/
    https://bugzilla.redhat.com/show_bug.cgi?id=1068627

    This means that several packages, most notably including the 'Extraction' behavioural package, will not work properly on these systems due to their dependence on the debugger.

    If anyone knows of a workaround to allow use of debug registers within guest VMs on KVM, please let me know.

    opened by kevoreilly 22
  • Help! Unable to passthrough root command

    Help! Unable to passthrough root command

    It starts with: No handlers could be found for logger "lib.cuckoo.common.abstracts"

    It works fine until I submit a file:

    CRITICAL: Unable to passthrough root command (drop_enable) as the rooter unix socket doesn't exist.

    and it got stuck at DEBUG: cuckoo1: waiting for status 0x0001

    opened by He1loC 21
  • alembic upgrade head

    alembic upgrade head

    Unable to go ahead after below step

    INFO [alembic.runtime.migration] Context impl SQLiteImpl.
    INFO [alembic.runtime.migration] Will assume non-transactional DDL.

    opened by DefenderLab 21
  • The PCAP file does not exist

    The PCAP file does not exist

    Hello, I have a problem with starting Suricata and the PCAP file. I followed similar errors, but I did not manage to solve it, and I need help to resolve the issue.

    2022-11-16 23:05:09,272 [Task 45] [modules.processing.behavior] INFO: Analysis results folder does not contain any file or injection was disabled
    2022-11-16 23:05:09,279 [Task 45] [modules.processing.network] WARNING: The PCAP file does not exist at path "/opt/CAPEv2/storage/analyses/45/dump.pcap"
    2022-11-16 23:05:09,280 [Task 45] [modules.processing.suricata] WARNING: Unable to Run Suricata: Pcap file /opt/CAPEv2/storage/analyses/45/dump.pcap does not exist

    opened by Loky85 0
  • Bump lief from 0.9.0 to 0.12.2 in /lib/cuckoo/common/graphs/binGraph

    Bump lief from 0.9.0 to 0.12.2 in /lib/cuckoo/common/graphs/binGraph

    Bumps lief from 0.9.0 to 0.12.2.

    Release notes

    Sourced from lief's releases.

    0.12.2

    No release notes provided.

    0.12.1

    See: https://lief-project.github.io/doc/stable/changelog.html#april-08-2022

    0.12.0

    Changelog is here: https://lief-project.github.io/doc/latest/changelog.html#march-25-2022

    0.11.5

    No release notes provided.

    0.11.4

    No release notes provided.

    0.11.3

    No release notes provided.

    0.11.2

    See: https://lief.quarkslab.com/doc/stable/changelog.html#february-22-2021

    0.11.1

    See: https://lief.quarkslab.com/blog/2021-02-22-lief-0-11-1/

    0.11.0

    See: https://lief.quarkslab.com/doc/stable/changelog.html#v0.11.0

    0.10.1

    No release notes provided.

    0.10.0

    No release notes provided.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies python 
    opened by dependabot[bot] 0
  • Bump numpy from 1.15.0 to 1.22.0

    Bump numpy from 1.15.0 to 1.22.0

    Bumps numpy from 1.15.0 to 1.22.0.

    Release notes

    Sourced from numpy's releases.

    v1.22.0

    NumPy 1.22.0 Release Notes

    NumPy 1.22.0 is a big release featuring the work of 153 contributors spread over 609 pull requests. There have been many improvements, highlights are:

    • Annotations of the main namespace are essentially complete. Upstream is a moving target, so there will likely be further improvements, but the major work is done. This is probably the most user visible enhancement in this release.
    • A preliminary version of the proposed Array-API is provided. This is a step in creating a standard collection of functions that can be used across application such as CuPy and JAX.
    • NumPy now has a DLPack backend. DLPack provides a common interchange format for array (tensor) data.
    • New methods for quantile, percentile, and related functions. The new methods provide a complete set of the methods commonly found in the literature.
    • A new configurable allocator for use by downstream projects.

    These are in addition to the ongoing work to provide SIMD support for commonly used functions, improvements to F2PY, and better documentation.

    The Python versions supported in this release are 3.8-3.10, Python 3.7 has been dropped. Note that 32 bit wheels are only provided for Python 3.8 and 3.9 on Windows, all other wheels are 64 bits on account of Ubuntu, Fedora, and other Linux distributions dropping 32 bit support. All 64 bit wheels are also linked with 64 bit integer OpenBLAS, which should fix the occasional problems encountered by folks using truly huge arrays.

    Expired deprecations

    Deprecated numeric style dtype strings have been removed

    Using the strings "Bytes0", "Datetime64", "Str0", "Uint32", and "Uint64" as a dtype will now raise a TypeError.

    (gh-19539)

    Expired deprecations for loads, ndfromtxt, and mafromtxt in npyio

    numpy.loads was deprecated in v1.15, with the recommendation that users use pickle.loads instead. ndfromtxt and mafromtxt were both deprecated in v1.17 - users should use numpy.genfromtxt instead with the appropriate value for the usemask parameter.

    (gh-19615)

    ... (truncated)


    dependencies python 
    opened by dependabot[bot] 0
  • Bump numpy from 1.15.0 to 1.22.0 in /lib/cuckoo/common/graphs/binGraph

    Bump numpy from 1.15.0 to 1.22.0 in /lib/cuckoo/common/graphs/binGraph

    Bumps numpy from 1.15.0 to 1.22.0.


    dependencies python 
    opened by dependabot[bot] 0
  • Memory Dump on proxmox

    When I enable the memory dump to integrate malconfscan functionality into an environment with proxmox, I notice that the memory dump does not work (memory dump not found), and in the machinery/proxmox source code I do not see the function for the dump. Am I doing something wrong?

    opened by vinceplayer 1
  • Invalid URL under C2Server

    In the CAPE report, inside CAPE.configs, in a Cobalt Strike sample, I found the following value under "C2Server": 185.150.119.33,/pixel

    There is a "," (comma) between the IP and the path which renders the URL invalid. Is this on purpose or is this a bug?

    The sample hash is 1b9309cc3159a8dc44bcde02642e559b65d1065f

    opened by CrimsonGlory 1
Owner
Context Information Security
A Feature Rich Modular Malware Configuration Extraction Utility for MalDuck

Malware Configuration Extractor A Malware Configuration Extraction Tool and Modules for MalDuck This project is FREE as in FREE, use it commercial

c3rb3ru5 103 Dec 18, 2022
Malware arcane - Scripts and notes on my malware analysis journey

Malware Arcane Repository of notes and scripts I use when doing malware analysis

null 9 Jun 1, 2022
Malware-analysis-writeups - Some of my Malware Analysis writeups

About This repo contains some malware analysis writeups i've created over time m

Itay Migdal 14 Jun 22, 2022
HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

EntySec 100 Dec 23, 2022
Extendable payload obfuscation and delivery framework

NSGenCS What Is? An extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. Installation Requirements Currently

null 123 Dec 19, 2022
macOS Initial Access Payload Generator

Mystikal macOS Initial Access Payload Generator Related Blog Post: https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 Usage: Install Xcode

Leo Pitt 206 Dec 31, 2022
Inject an MSF payload into an Android app and bypass the phone security manager.

520_APK_HOOK Introduction: inject a payload generated by msf into a normal apk file, repackage and harden it, and bypass detection by the phone security manager. Project address: https://github.com/cleverbao/520apkhook Author: BaoGuo Advantages: compared with the original msf remote control, this version ap

BaoGuo 368 Jan 2, 2023
Tool To generate Stable Undetected Payload

windowsPayload Tool To generate Stable Undetected Payload Don t Upload to Virus Total :) Follow on Social Media Platforms ScreenShots How to install +

youhacker55 117 Dec 30, 2022
proxyshell payload generate

Py Permutative Encoding https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd Generate proxyshell

Evi1cg 63 Nov 15, 2022
RCE 0-day for GhostScript 9.50 - Payload generator

RCE-0-day-for-GhostScript-9.50 PoC for RCE 0-day for GhostScript 9.50 - Payload generator The PoC in python generates payload when exploited for a 0-d

null 534 Dec 14, 2022
Ducky Script is the payload language of Hak5 gear.

Ducky Script is the payload language of Hak5 gear. Since its introduction with the USB Rubber Ducky in 2010, Ducky Script has grown in capability while maintaining simplicity. Aided by Bash for logic and conditional operations, Ducky Script provides multi-vector functions for all Hak5 payload platforms.

Abir Abedin Khan 6 Oct 7, 2022
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

elyesa 5 Nov 9, 2022
Dumps the payload.bin image found in Android update images.

payload dumper Dumps the payload.bin image found in Android update images. Has significant performance gains over other tools due to using multiproces

Rasmus 7 Nov 17, 2022
PyFUD - Fully Undetectable payload generator for metasploit

PyFUD fully Undetectable payload generator for metasploit Usage: pyfud.py --host

null 3 Mar 25, 2022
Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework)

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework) Yosh! If you are a django backend develo

Abram (^o^) 7 Sep 30, 2022
A way to analyse how malware and/or goodware samples vary from each other using Shannon Entropy, Hausdorff Distance and Jaro-Winkler Distance

A way to analyse how malware and/or goodware samples vary from each other using Shannon Entropy, Hausdorff Distance and Jaro-Winkler Distance

null 11 Nov 15, 2022
A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms

A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms. Change the Blackgound image of targets' computer. and decrypt the targets' encrypted files in our own computer

Li Ka Lok 2 Dec 2, 2022
A small utility to deal with malware embedded hashes.

Uchihash is a small utility that can save malware analysts the time of dealing with embedded hash values used for various things such as: Dyn

Abdallah Elshinbary 48 Dec 19, 2022
Android Malware Behavior Deleter

Android Malware Behavior Deleter UDcide UDcide is a tool that provides alternative way to deal with Android malware. We help you to detect and remove

null 27 Sep 23, 2022