various signature improvements and bugfixes

Rename the mark() function to be more distinct - mark_call(). There is no longer an add_match() function, just match(). One of the on_ functions has to return True for the signature to really match. Forgot to filter API names in the recon_systeminfo signature.
cuckoosandbox · Aug 23, 2015 · 73a132e · 73a132e
1 parent 3f934eb
commit 73a132e
Show file tree

Hide file tree

Showing 32 changed files with 47 additions and 45 deletions.
diff --git a/modules/signatures/windows/antidbg_windows.py b/modules/signatures/windows/antidbg_windows.py
@@ -45,5 +45,5 @@ def on_call(self, call, process):
             class_name = call["arguments"].get("class_name", "").lower()
 
             if indicator == window_name or indicator == class_name:
-                self.mark()
+                self.mark_call()
                 return True
diff --git a/modules/signatures/windows/antisandbox_mouse_hook.py b/modules/signatures/windows/antisandbox_mouse_hook.py
@@ -29,5 +29,5 @@ class HookMouse(Signature):
     def on_call(self, call, process):
         if call["arguments"]["hook_identifier"] in [7, 14]:
             if not call["arguments"]["thread_identifier"]:
-                self.mark()
+                self.mark_call()
                 return True
diff --git a/modules/signatures/windows/antisandbox_productid.py b/modules/signatures/windows/antisandbox_productid.py
@@ -29,5 +29,5 @@ class GetProductID(Signature):
     def on_call(self, call, process):
         regkey = call["arguments"].get("regkey", "").lower()
         if regkey.endswith("productid"):
-            self.mark()
+            self.mark_call()
             return True
diff --git a/modules/signatures/windows/antisandbox_unhook.py b/modules/signatures/windows/antisandbox_unhook.py
@@ -26,5 +26,5 @@ class Unhook(Signature):
     filter_apinames = "__anomaly__",
 
     def on_call(self, call, process):
-        self.mark()
+        self.mark_call()
         return True
diff --git a/modules/signatures/windows/antivm_generic_bios.py b/modules/signatures/windows/antivm_generic_bios.py
@@ -28,4 +28,5 @@ class AntiVMBios(Signature):
     def on_call(self, call, process):
         regkey = call["arguments"].get("regkey", "").lower()
         if regkey.endswith(("systembiosversion", "videobiosversion")):
-            self.mark()
+            self.mark_call()
+            return True
diff --git a/modules/signatures/windows/antivm_generic_disk.py b/modules/signatures/windows/antivm_generic_disk.py
@@ -44,9 +44,9 @@ def on_call(self, call, process):
         if call["api"] == "NtCreateFile":
             filepath = call["arguments"]["filepath"].lower()
             if "scsi0" in filepath or "physicaldrive0" in filepath:
-                self.mark()
+                self.mark_call()
 
         if call["api"] in ["DeviceIoControl", "NtDeviceIoControlFile"]:
             if self.marked and call["arguments"]["control_code"] in self.ioctls:
-                self.mark()
+                self.mark_call()
                 return True
diff --git a/modules/signatures/windows/antivm_generic_services.py b/modules/signatures/windows/antivm_generic_services.py
@@ -26,7 +26,7 @@ class AntiVMServices(Signature):
     filter_apinames = "EnumServicesStatusA", "EnumServicesStatusW"
 
     def on_call(self, call, process):
-        self.mark()
+        self.mark_call()
         return True
 
     def on_complete(self):

diff --git a/modules/signatures/windows/antivm_vbox_files.py b/modules/signatures/windows/antivm_vbox_files.py
@@ -50,4 +50,4 @@ def on_complete(self):
         for indicator in self.indicators:
             filepath = self.check_file(pattern=indicator, regex=True)
             if filepath:
-                self.add_match(None, "file", filepath=filepath)
+                self.match(None, "file", filepath=filepath)
diff --git a/modules/signatures/windows/antivm_vbox_keys.py b/modules/signatures/windows/antivm_vbox_keys.py
@@ -28,4 +28,4 @@ class VBoxDetectKeys(Signature):
     def on_complete(self):
         regkey = self.check_key(pattern=self.indicator, regex=True)
         if regkey:
-            self.add_match(None, "registry", regkey=regkey)
+            self.match(None, "registry", regkey=regkey)
diff --git a/modules/signatures/windows/antivm_vbox_window.py b/modules/signatures/windows/antivm_vbox_window.py
@@ -35,5 +35,5 @@ def on_call(self, call, process):
             class_name = call["arguments"].get("class_name", "").lower()
 
             if indicator == window_name or indicator == class_name:
-                self.mark()
+                self.mark_call()
                 return True
diff --git a/modules/signatures/windows/apt_turlacarbon.py b/modules/signatures/windows/apt_turlacarbon.py
@@ -52,7 +52,7 @@ def on_call(self, call, process):
                 break
         else:
             self.wrote = True
-            self.mark()
+            self.mark_call()
             return True
 
     def on_complete(self):

diff --git a/modules/signatures/windows/banker_prinimalka.py b/modules/signatures/windows/banker_prinimalka.py
@@ -29,5 +29,5 @@ class Prinimalka(Signature):
     def on_call(self, call, process):
         regkey = call["arguments"]["regkey"].lower()
         if regkey.endswith("_opt_server1"):
-            self.mark(c2=call["arguments"]["value"])
+            self.mark_call(c2=call["arguments"]["value"])
             return True
diff --git a/modules/signatures/windows/banker_spyeye_mutex.py b/modules/signatures/windows/banker_spyeye_mutex.py
@@ -36,4 +36,4 @@ def on_complete(self):
         for indicator in self.indicators:
             mutex = self.check_mutex(pattern=indicator, regex=True)
             if mutex:
-                self.add_match(None, "mutex", mutex=mutex)
+                self.match(None, "mutex", mutex=mutex)
diff --git a/modules/signatures/windows/banker_zeus_url.py b/modules/signatures/windows/banker_zeus_url.py
@@ -37,4 +37,4 @@ def on_complete(self):
         for indicator in self.indicators:
             url = self.check_url(pattern=indicator, regex=True)
             if url:
-                self.add_match(None, "url", url=url)
+                self.match(None, "url", url=url)
diff --git a/modules/signatures/windows/bitcoin_opencl.py b/modules/signatures/windows/bitcoin_opencl.py
@@ -26,4 +26,4 @@ class BitcoinOpenCL(Signature):
     def on_complete(self):
         filepath = self.check_file(pattern=".*OpenCL\.dll$", regex=True)
         if filepath:
-            self.add_match(None, "file", filepath=filepath)
+            self.match(None, "file", filepath=filepath)
diff --git a/modules/signatures/windows/bot_russkill.py b/modules/signatures/windows/bot_russkill.py
@@ -27,4 +27,4 @@ class Ruskill(Signature):
     def on_complete(self):
         mutex = self.check_mutex(pattern="FvLQ49IlzIyLjj6m")
         if mutex:
-            self.add_match(None, "mutex", mutex=mutex)
+            self.match(None, "mutex", mutex=mutex)
diff --git a/modules/signatures/windows/downloader_cabby.py b/modules/signatures/windows/downloader_cabby.py
@@ -52,5 +52,4 @@ def on_complete(self):
         else:
             return False
 
-        self.add_match(None, 'cabby_ioc', signs)
-        return True
+        self.match(None, 'cabby_ioc', signs)
diff --git a/modules/signatures/windows/exec_crash.py b/modules/signatures/windows/exec_crash.py
@@ -27,4 +27,5 @@ class Crash(Signature):
 
     def on_call(self, call, process):
         if "faultrep.dll" in call["arguments"]["module_name"].lower():
-            self.mark()
+            self.mark_call()
+            return True
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
@@ -43,4 +43,4 @@ def on_complete(self):
         for indicator in self.indicators:
             filepath = self.check_file(pattern=indicator, regex=True)
             if filepath:
-                self.add_match(None, "file", filepath=filepath)
+                self.match(None, "file", filepath=filepath)
diff --git a/modules/signatures/windows/infostealer_keylogger.py b/modules/signatures/windows/infostealer_keylogger.py
@@ -29,5 +29,5 @@ class Keylogger(Signature):
     def on_call(self, call, process):
         if call["arguments"]["hook_identifier"] in [2, 13]:
             if not call["arguments"]["thread_identifier"]:
-                self.mark()
+                self.mark_call()
                 return True
diff --git a/modules/signatures/windows/injection_runpe.py b/modules/signatures/windows/injection_runpe.py
@@ -46,12 +46,10 @@ def on_process(self, process):
 
     def on_call(self, call, process):
         self.functions[process["pid"]].add(call["api"])
-        self.mark()
+        self.mark_call()
 
     def on_complete(self):
-        # Only mark this signature if one or more of the following matches.
-        self.marked = False
-
         for pid, functions in self.functions.items():
             if len(functions) >= len(self.filter_apinames)-2:
                 self.match(None, "injection", pid=pid)
+                return True
diff --git a/modules/signatures/windows/injection_thread.py b/modules/signatures/windows/injection_thread.py
@@ -45,12 +45,10 @@ def on_process(self, process):
 
     def on_call(self, call, process):
         self.functions[process["pid"]].add(call["api"])
-        self.mark()
+        self.mark_call()
 
     def on_complete(self):
-        # Only mark this signature if one or more of the following matches.
-        self.marked = False
-
         for pid, functions in self.functions.items():
             if len(functions) >= len(self.filter_apinames)-2:
                 self.match(None, "injection", pid=pid)
+                return True
diff --git a/modules/signatures/windows/network_tor.py b/modules/signatures/windows/network_tor.py
@@ -41,10 +41,12 @@ def on_call(self, call, process):
 
         if service_name == "Tor Win32 Service" or \
                 display_name == "Tor Win32 Service":
-            self.mark()
+            self.mark_call()
+            return True
 
     def on_complete(self):
         for indicator in self.indicators:
             filepath = self.check_file(pattern=indicator, regex=True)
             if filepath:
                 self.match(None, "file", filepath=filepath)
+                return True
diff --git a/modules/signatures/windows/packer_entropy.py b/modules/signatures/windows/packer_entropy.py
@@ -34,7 +34,7 @@ def on_complete(self):
             total_pe_data += int(section["size_of_data"], 16)
 
             if float(section["entropy"]) > 6.8:
-                self.add_match(None, "section", section)
+                self.match(None, "section", section)
                 total_compressed += int(section["size_of_data"], 16)
 
         if total_pe_data and float(total_compressed) / total_pe_data > .2:

diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py
@@ -58,9 +58,9 @@ def on_complete(self):
         for indicator in self.indicators:
             regkey = self.check_key(pattern=indicator, regex=True)
             if regkey:
-                self.add_match(None, "autorun", regkey=regkey)
+                self.match(None, "autorun", regkey=regkey)
 
         for indicator in self.indicators2:
             filepath = self.check_file(pattern=indicator, regex=True)
             if filepath:
-                self.add_match(None, "autorun", filepath=filepath)
+                self.match(None, "autorun", filepath=filepath)
diff --git a/modules/signatures/windows/rat_comRAT.py b/modules/signatures/windows/rat_comRAT.py
@@ -63,19 +63,19 @@ def on_call(self, call, process):
                                          subject=oldfilepath,
                                          regex=True):
                         self.move_count += 1
-                        self.mark()
+                        self.mark_call()
 
         if call["api"] == "CreateProcessInternalW":
             # start rundll32.exe Install?
             if "rundll32.exe" in call["arguments"]["command_line"] and \
                     "Install" in call["arguments"]["command_line"]:
                 self.created_process = True
-                self.mark()
+                self.mark_call()
 
         if call["api"] == "NtWriteFile" and \
                 call["arguments"]["buffer"][:2] == "MZ":
             self.wrote_pe_file = True
-            self.mark()
+            self.mark_call()
 
     def on_complete(self):
         if not self.check_key(pattern=registry_indicator, regex=True):

diff --git a/modules/signatures/windows/rat_fynloski_mutex.py b/modules/signatures/windows/rat_fynloski_mutex.py
@@ -36,4 +36,4 @@ def on_complete(self):
         for indicator in self.indicators:
             mutex = self.check_mutex(pattern=indicator, regex=True)
             if mutex:
-                self.add_match(None, "mutex", mutex=mutex)
+                self.match(None, "mutex", mutex=mutex)
diff --git a/modules/signatures/windows/rat_pcclient.py b/modules/signatures/windows/rat_pcclient.py
@@ -41,9 +41,9 @@ def on_complete(self):
         for indicator in self.indicators:
             mutex = self.check_mutex(pattern=indicator, regex=True)
             if mutex:
-                self.add_match(None, "mutex", mutex=mutex)
+                self.match(None, "mutex", mutex=mutex)
 
         for indicator in self.indicators2:
             filepath = self.check_file(pattern=indicator, regex=True)
             if filepath:
-                self.add_match(None, "file", filepath=filepath)
+                self.match(None, "file", filepath=filepath)
diff --git a/modules/signatures/windows/rat_spynet.py b/modules/signatures/windows/rat_spynet.py
@@ -49,9 +49,9 @@ def on_complete(self):
         for indicator in self.indicators:
             mutex = self.check_mutex(pattern=indicator, regex=True)
             if mutex:
-                self.add_match(None, "mutex", mutex=mutex)
+                self.match(None, "mutex", mutex=mutex)
 
         for indicator in self.indicators2:
             regkey = self.check_key(pattern=indicator, regex=True)
             if regkey:
-                self.add_match(None, "registry", regkey)
+                self.match(None, "registry", regkey)
diff --git a/modules/signatures/windows/rat_xtreme_mutex.py b/modules/signatures/windows/rat_xtreme_mutex.py
@@ -38,4 +38,4 @@ def on_complete(self):
         for indicator in self.indicators:
             mutex = self.check_mutex(pattern=indicator, regex=True)
             if mutex:
-                self.add_match(None, "mutex", mutex=mutex)
+                self.match(None, "mutex", mutex=mutex)
diff --git a/modules/signatures/windows/recon_checkip.py b/modules/signatures/windows/recon_checkip.py
@@ -43,4 +43,4 @@ def on_complete(self):
         for indicator in self.indicators:
             domain = self.check_domain(pattern=indicator)
             if domain:
-                self.add_match(None, "domain", domain=domain)
+                self.match(None, "domain", domain=domain)
diff --git a/modules/signatures/windows/recon_systeminfo.py b/modules/signatures/windows/recon_systeminfo.py
@@ -23,8 +23,11 @@ class SystemInfo(Signature):
     authors = ["nex"]
     minimum = "2.0"
 
+    filter_apinames = "CreateProcessInternalW",
+
     def on_call(self, call, process):
         if self._check_value(pattern="^cmd\.exe.*(systeminfo|ipconfig|netstat)",
                              subject=call["arguments"]["command_line"],
                              regex=True):
-            self.mark()
+            self.mark_call()
+            return True