From b66b7b2ce754fed2be680b3838a4896708e476ee Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Tue, 11 Feb 2025 14:55:18 +0100
Subject: [PATCH] selfextract conf renamed to integrations conf

---
 changelog.md | 6 ++-
 ...conf.default => integrations.conf.default} | 13 +++++-
 conf/default/processing.conf.default | 11 -----
 lib/cuckoo/common/abstracts.py | 6 +--
 .../common/integrations/file_extra_info.py | 46 +++++++++----------
 .../common/integrations/mandiant_intel.py | 8 ++--
 lib/cuckoo/common/load_extra_modules.py | 6 +--
 7 files changed, 50 insertions(+), 46 deletions(-)
 rename conf/default/{selfextract.conf.default => integrations.conf.default} (89%)

diff --git a/changelog.md b/changelog.md
index b1c8352fd0e..d1ddc612643 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,3 +1,7 @@
+### [11.02.2025]
+* `selfextract.conf` renamed to `integrations.conf`.
+ * Please rename your config file.
+
 ### [10.02.2025]
 * We are now on `Poetry v2`. If you see next message, you need to upgrade your `poetry` version.
 * This one might be tricky as depends if your `poetry` was installed with `apt` or script. But something like this should works:
@@ -534,7 +538,7 @@ rule X_cryptor {
 * You need to download version for your CPU and extract it to `data/NETReactorSlayer.CLI`
 * In case if you are on x64 host, then just run: `poetry run python utils/community.py -waf`
 * Add execution permission with `chmod a+x data/NETReactorSlayer.CLI`
-* Now each section inside of `selfextract.conf` has timeout value. Default is 60 seconds
+* Now each section inside of `integrations.conf` has timeout value. Default is 60 seconds

 ### [24.12.2022]
 * Monitor updates: Fix NtAllocateVirtualMemoryEx & NtMapViewOfSectionEx hooks and rebuild with Visual Studio 2022
diff --git a/conf/default/selfextract.conf.default b/conf/default/integrations.conf.default
similarity index 89%
rename from conf/default/selfextract.conf.default
rename to conf/default/integrations.conf.default
index 3bae1bdae21..de155518039 100644
--- a/conf/default/selfextract.conf.default
+++ b/conf/default/integrations.conf.default
@@ -1,4 +1,4 @@
-# This config is to be able to enable/disable things like MSI/NSIS/UnAutoIt etc
+# This config is to be able to enable/disable things like MSI/NSIS/UnAutoIt, 3rd part services integraitons, etc

 [general]
 pefiles = yes
@@ -14,6 +14,17 @@ hwp = yes
 # Number of workers for pool to run them in parallel
 max_workers = 6

+[mandiant_intel]
+enabled = no
+api_access =
+api_secret =
+
+# Create your apikey: https://threatfox.abuse.ch/api/#auth_key
+[threatfox]
+enabled = no
+apikey =
+
+
 # sudo apt install msitools
 [msi_extract]
 enabled = yes
diff --git a/conf/default/processing.conf.default b/conf/default/processing.conf.default
index 930076063bf..218582ca280 100644
--- a/conf/default/processing.conf.default
+++ b/conf/default/processing.conf.default
@@ -340,14 +340,3 @@ sigs_path = data/flare-signatures

 [html_scraper]
 enabled = no
-
-[mandiant_intel]
-enabled = no
-api_access =
-api_secret =
-
-### Signature utility
-# Create your apikey: https://threatfox.abuse.ch/api/#auth_key
-[threatfox]
-enabled = no
-apikey =
diff --git a/lib/cuckoo/common/abstracts.py b/lib/cuckoo/common/abstracts.py
index 38d49a68154..ea90282f8c7 100644
--- a/lib/cuckoo/common/abstracts.py
+++ b/lib/cuckoo/common/abstracts.py
@@ -63,7 +63,7 @@
 HAVE_TLDEXTRACT = False

 repconf = Config("reporting")
-procconf = Config("processing")
+integrations_conf = Config("integrations")
 _, categories_need_VM = load_categories()
 mitre, HAVE_MITRE, _ = mitre_load(repconf.mitre.enabled)

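Review bot: The new header comment in `integrations.conf.default` misspells two words, `3rd part services integraitons`; suggest `# This config is to be able to enable/disable things like MSI/NSIS/UnAutoIt, 3rd party services integrations, etc`. Since the `[mandiant_intel]` and `[threatfox]` sections moved here carry API credentials (`api_access`, `api_secret`, `apikey`), the header is also the natural place to state that an operator's copy of this file holds secrets and should be permissioned accordingly. The `### Signature utility` comment that preceded `[threatfox]` in processing.conf was dropped in the move and could be carried over.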
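Review bot: Renaming `procconf` to `integrations_conf` in the module header also changes which file that object reads, `Config("integrations")` instead of `Config("processing")`; if abstracts.py reads any other section through `procconf` outside the two hunks in this diff, those references now fail with NameError, and any processing-only section looked up through the new name would resolve against integrations.conf instead. The diffstat for abstracts.py (3 insertions, 3 deletions) is consistent with only these lines changing, but a search for remaining `procconf` uses in the rest of the file is worth doing before merge.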
@@ -1361,13 +1361,13 @@ def check_argument(self, pattern, name=None, api=None, category=None, process=No
 return None

 def check_threatfox(self, searchterm: str):
- if not procconf.threatfox.enabled or not procconf.threatfox.apikey:
+ if not integrations_conf.threatfox.enabled or not integrations_conf.threatfox.apikey:
 return
 try:
 response = requests.post(
 "https://threatfox-api.abuse.ch/api/v1/",
 data={"query": "search_ioc", "search_term": searchterm},
- headers={"Auth-Key": procconf.threatfox.apikey, "User-Agent": "CAPE Sandbox"},
+ headers={"Auth-Key": integrations_conf.threatfox.apikey, "User-Agent": "CAPE Sandbox"},
 )
 return response.json()
 except Exception as e:
diff --git a/lib/cuckoo/common/integrations/file_extra_info.py b/lib/cuckoo/common/integrations/file_extra_info.py
index 72128427fc8..2daeb1c24fa 100644
--- a/lib/cuckoo/common/integrations/file_extra_info.py
+++ b/lib/cuckoo/common/integrations/file_extra_info.py
@@ -65,7 +65,7 @@

 cfg = Config()
 processing_conf = Config("processing")
-selfextract_conf = Config("selfextract")
+integration_conf = Config("integrations")

 try:
 from modules.signatures.recon_checkip import dns_indicators
@@ -108,9 +108,9 @@
 HAVE_BAT_DECODER = False
 print("OPTIONAL! Missed dependency: poetry run pip install -U git+https://github.com/DissectMalware/batch_deobfuscator")

-unautoit_binary = os.path.join(CUCKOO_ROOT, selfextract_conf.UnAutoIt_extract.binary)
-innoextact_binary = os.path.join(CUCKOO_ROOT, selfextract_conf.Inno_extract.binary)
-sevenzip_binary = os.path.join(CUCKOO_ROOT, selfextract_conf.SevenZip_unpack.binary)
+unautoit_binary = os.path.join(CUCKOO_ROOT, integration_conf.UnAutoIt_extract.binary)
+innoextact_binary = os.path.join(CUCKOO_ROOT, integration_conf.Inno_extract.binary)
+sevenzip_binary = os.path.join(CUCKOO_ROOT, integration_conf.SevenZip_unpack.binary)
 if not path_exists(sevenzip_binary):
 sevenzip_binary = "/usr/bin/7z"

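Review bot: The module-level name introduced at `@@ -65` is `integration_conf` (singular), while abstracts.py and load_extra_modules.py in this same commit use `integrations_conf` and mandiant_intel.py uses `integragrations_conf`; three spellings for the same `Config("integrations")` object make cross-file searches and the next refactor error-prone. Suggest `integrations_conf = Config("integrations")` here and at each use site in file_extra_info.py so every file shares one name.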
@@ -136,7 +136,7 @@
 HAVE_VIRUSTOTAL = True

 HAVE_MANDIANT_INTEL = False
-if processing_conf.mandiant_intel.enabled:
+if integration_conf.mandiant_intel.enabled:
 from lib.cuckoo.common.integrations.mandiant_intel import mandiant_lookup

 HAVE_MANDIANT_INTEL = True
@@ -186,40 +186,40 @@ def static_file_info(
 data_dictionary["floss"] = floss_strings

 if "Mono" in data_dictionary["type"]:
- if selfextract_conf.general.dotnet:
+ if integration_conf.general.dotnet:
 data_dictionary["dotnet"] = DotNETExecutable(file_path).run()
 if processing_conf.strings.dotnet:
 dotnet_strings = dotnet_user_strings(file_path)
 if dotnet_strings:
 data_dictionary.setdefault("dotnet_strings", dotnet_strings)
- elif HAVE_OLETOOLS and package in {"doc", "ppt", "xls", "pub"} and selfextract_conf.general.office:
+ elif HAVE_OLETOOLS and package in {"doc", "ppt", "xls", "pub"} and integration_conf.general.office:
 # options is dict where we need to get pass get_options
 data_dictionary["office"] = Office(file_path, task_id, data_dictionary["sha256"], options_dict).run()
- elif ("PDF" in data_dictionary["type"] or file_path.endswith(".pdf")) and selfextract_conf.general.pdf:
+ elif ("PDF" in data_dictionary["type"] or file_path.endswith(".pdf")) and integration_conf.general.pdf:
 data_dictionary["pdf"] = PDF(file_path).run()
 elif (
 package in {"wsf", "hta"} or data_dictionary["type"] == "XML document text" or file_path.endswith(".wsf")
- ) and selfextract_conf.general.windows_script:
+ ) and integration_conf.general.windows_script:
 data_dictionary["wsf"] = WindowsScriptFile(file_path).run()
 # elif package in {"js", "vbs"}:
 # data_dictionary["js"] = EncodedScriptFile(file_path).run()
- elif (package == "lnk" or "MS Windows shortcut" in data_dictionary["type"]) and selfextract_conf.general.lnk:
+ elif (package == "lnk" or "MS Windows shortcut" in data_dictionary["type"]) and integration_conf.general.lnk:
 data_dictionary["lnk"] = LnkShortcut(file_path).run()
- elif ("Java Jar" in data_dictionary["type"] or file_path.endswith(".jar")) and selfextract_conf.general.java:
- if selfextract_conf.procyon.binary and not path_exists(selfextract_conf.procyon.binary):
+ elif ("Java Jar" in data_dictionary["type"] or file_path.endswith(".jar")) and integration_conf.general.java:
+ if integration_conf.procyon.binary and not path_exists(integration_conf.procyon.binary):
 log.error("procyon_path specified in processing.conf but the file does not exist")
 else:
- data_dictionary["java"] = Java(file_path, selfextract_conf.procyon.binary).run()
+ data_dictionary["java"] = Java(file_path, integration_conf.procyon.binary).run()
 elif file_path.endswith(".rdp") or data_dictionary.get("name", {}).endswith(".rdp"):
 data_dictionary["rdp"] = parse_rdp_file(file_path)
 # It's possible to fool libmagic into thinking our 2007+ file is a zip.
 # So until we have static analysis for zip files, we can use oleid to fail us out silently,
 # yeilding no static analysis results for actual zip files.
- # elif ("ELF" in data_dictionary["type"] or file_path.endswith(".elf")) and selfextract_conf.general.elf:
+ # elif ("ELF" in data_dictionary["type"] or file_path.endswith(".elf")) and integration_conf.general.elf:
 # data_dictionary["elf"] = ELF(file_path).run()
 # data_dictionary["keys"] = f.get_keys()
- # elif HAVE_OLETOOLS and package == "hwp" and selfextract_conf.general.hwp:
+ # elif HAVE_OLETOOLS and package == "hwp" and integration_conf.general.hwp:
 # data_dictionary["hwp"] = HwpDocument(file_path).run()

 data = path_read_file(file_path)
@@ -467,7 +467,7 @@ def generic_file_extractors(
 ]
 futures = {}

- with pebble.ProcessPool(max_workers=int(selfextract_conf.general.max_workers)) as pool:
+ with pebble.ProcessPool(max_workers=int(integration_conf.general.max_workers)) as pool:
 # Prefer custom modules over the built-in ones, since only 1 is allowed
 # to be the extracted_files_tool.
 if extra_info_modules:
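Review bot: The `log.error` context line directly below the changed `if integration_conf.procyon.binary and not path_exists(...)` still says `procyon_path specified in processing.conf`, but the value it reports on is now read from `integration_conf.procyon.binary`, i.e. integrations.conf, so the message sends operators to the wrong file and names a key that does not exist there. Suggest `log.error("procyon.binary specified in integrations.conf but the file does not exist")`. static_file_info starts and ends outside this hunk.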
@@ -479,12 +479,12 @@ def generic_file_extractors(
 for extraction_func in file_info_funcs:
 funcname = extraction_func.__name__.split(".")[-1]
 if (
- not getattr(selfextract_conf, funcname, {}).get("enabled", False)
+ not getattr(integration_conf, funcname, {}).get("enabled", False)
 and getattr(extraction_func, "enabled", False) is False
 ):
 continue
- func_timeout = int(getattr(selfextract_conf, funcname, {}).get("timeout", 60))
+ func_timeout = int(getattr(integration_conf, funcname, {}).get("timeout", 60))
 futures[funcname] = pool.schedule(extraction_func, args=args, kwargs=kwargs, timeout=func_timeout)

 pool.join()
@@ -602,7 +602,7 @@ def eziriz_deobfuscate(file: str, *, data_dictionary: dict, **_) -> ExtractorRet
 if all(".NET Reactor" not in string for string in data_dictionary.get("die", [])):
 return

- binary = shlex.split(selfextract_conf.eziriz_deobfuscate.binary.strip())[0]
+ binary = shlex.split(integration_conf.eziriz_deobfuscate.binary.strip())[0]
 binary = os.path.join(CUCKOO_ROOT, binary)
 if not binary:
 log.warning("eziriz_deobfuscate.binary is not defined in the configuration.")
@@ -625,7 +625,7 @@ def eziriz_deobfuscate(file: str, *, data_dictionary: dict, **_) -> ExtractorRet
 _ = run_tool(
 [
 os.path.join(CUCKOO_ROOT, binary),
- *shlex.split(selfextract_conf.eziriz_deobfuscate.extra_args.strip()),
+ *shlex.split(integration_conf.eziriz_deobfuscate.extra_args.strip()),
 file,
 ],
 universal_newlines=True,
@@ -644,7 +644,7 @@ def de4dot_deobfuscate(file: str, *, filetype: str, **_) -> ExtractorReturnType:
 if "Mono" not in filetype:
 return

- binary = shlex.split(selfextract_conf.de4dot_deobfuscate.binary.strip())[0]
+ binary = shlex.split(integration_conf.de4dot_deobfuscate.binary.strip())[0]
 if not binary:
 log.warning("de4dot_deobfuscate.binary is not defined in the configuration.")
 return
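Review bot: In the `@@ -602` hunk, `binary = shlex.split(integration_conf.eziriz_deobfuscate.binary.strip())[0]` raises IndexError when the setting is empty or whitespace-only, so the `if not binary:` guard two lines below is never reached for exactly the case it is meant to catch; and because `binary` is first passed through `os.path.join(CUCKOO_ROOT, binary)`, that guard is also never true for a non-empty value, leaving the "not defined" warning unreachable. The same `shlex.split(...)[0]` pattern is in the `de4dot_deobfuscate` hunk at `@@ -644` on this line. Testing the split result before indexing keeps the existing warning meaningful; the body of eziriz_deobfuscate starts and ends outside the hunk.
```python
    parts = shlex.split(integration_conf.eziriz_deobfuscate.binary.strip())
    if not parts:
        log.warning("eziriz_deobfuscate.binary is not defined in the configuration.")
        return
    binary = os.path.join(CUCKOO_ROOT, parts[0])
    # … unchanged: rest of eziriz_deobfuscate …
```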
@@ -658,7 +658,7 @@ def de4dot_deobfuscate(file: str, *, filetype: str, **_) -> ExtractorReturnType:
 _ = run_tool(
 [
 binary,
- *shlex.split(selfextract_conf.de4dot_deobfuscate.extra_args.strip()),
+ *shlex.split(integration_conf.de4dot_deobfuscate.extra_args.strip()),
 "-f",
 file,
 "-o",
@@ -687,7 +687,7 @@ def msi_extract(file: str, *, filetype: str, **kwargs) -> ExtractorReturnType:
 if not kwargs.get("tests"):
 # msiextract in different way that 7z, we need to add subfolder support
 output = run_tool(
- [selfextract_conf.msi_extract.binary, file, "--directory", tempdir],
+ [integration_conf.msi_extract.binary, file, "--directory", tempdir],
 universal_newlines=True,
 stderr=subprocess.PIPE,
 )
diff --git a/lib/cuckoo/common/integrations/mandiant_intel.py b/lib/cuckoo/common/integrations/mandiant_intel.py
index f14f6033406..53f4fca393f 100644
--- a/lib/cuckoo/common/integrations/mandiant_intel.py
+++ b/lib/cuckoo/common/integrations/mandiant_intel.py
@@ -17,10 +17,10 @@
 MANDIANT_AUTH_URL = "https://api.intelligence.mandiant.com/token"
 MANDIANT_SEARCH_URL = "https://api.intelligence.mandiant.com/v4/search"

-processing_conf = Config("processing")
+integragrations_conf = Config("integrations")

-api_access = processing_conf.mandiant_intel.api_access
-api_secret = processing_conf.mandiant_intel.api_secret
+api_access = integragrations_conf.mandiant_intel.api_access
+api_secret = integragrations_conf.mandiant_intel.api_secret


 class MandiantAPIClient:
@@ -116,7 +116,7 @@ def parse_response(self, response):


 def mandiant_lookup(category: str, target: str, results: dict = {}):
- if not processing_conf.mandiant_intel.enabled:
+ if not integragrations_conf.mandiant_intel.enabled:
 return results

 mandiant_intel = {}
diff --git a/lib/cuckoo/common/load_extra_modules.py b/lib/cuckoo/common/load_extra_modules.py
index a3d02ad76b5..d9320de928c 100644
--- a/lib/cuckoo/common/load_extra_modules.py
+++ b/lib/cuckoo/common/load_extra_modules.py
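Review bot: The new module-level name at `@@ -17` in mandiant_intel.py is misspelled, `integragrations_conf`, and the misspelling is repeated in the `mandiant_lookup` hunk at `@@ -116` on this line; abstracts.py and load_extra_modules.py in this commit spell the same object `integrations_conf`. Suggest `integrations_conf = Config("integrations")`, `api_access = integrations_conf.mandiant_intel.api_access`, `api_secret = integrations_conf.mandiant_intel.api_secret`, with the matching rename in the `enabled` check.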
@@ -7,7 +7,7 @@

 from lib.cuckoo.common.config import Config

-selfextract_conf = Config("selfextract")
+integrations_conf = Config("integrations")


 def ratdecodedr_load_decoders(path: str):
@@ -146,7 +146,7 @@ def file_extra_info_load_modules(CUCKOO_ROOT: str):
 This function searches for Python modules in the "file_extra_info_modules" directory within the given CUCKOO_ROOT path. It imports and returns a list of modules that are
- enabled based on their internal configuration or the selfextract_conf settings.
+ enabled based on their internal configuration or the integrations_conf settings.

 Args:
 CUCKOO_ROOT (str): The root directory of the CUCKOO installation.
@@ -170,7 +170,7 @@ def file_extra_info_load_modules(CUCKOO_ROOT: str):
 for name in EXTRA_MODULES:
 try:
 module = importlib.import_module(f"lib.cuckoo.common.integrations.file_extra_info_modules.{name}")
- if not getattr(module, "enabled", False) and not selfextract_conf.__dict__.get(name, {}).get("enabled", False):
+ if not getattr(module, "enabled", False) and not integrations_conf.__dict__.get(name, {}).get("enabled", False):
 continue
 file_extra_modules.append(module)
 except (ImportError, IndexError, AttributeError) as e:
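Review bot: `integrations_conf.__dict__.get(name, {})` in the `@@ -170` hunk reaches into the Config object's instance dict, whereas file_extra_info.py in this same commit does the equivalent lookup as `getattr(integration_conf, funcname, {})`; if Config resolves sections through `__getattr__` or a property rather than plain instance attributes, the two loaders would disagree on whether a module is enabled. Suggest `getattr(integrations_conf, name, {}).get("enabled", False)` so both code paths use the same access. file_extra_info_load_modules starts and ends outside this hunk.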