
CAPE model errors - CapeReport.procmemory #2539

Open
ChrisThibodeaux opened this issue Dec 12, 2024 · 9 comments

Comments

@ChrisThibodeaux

Possibly related issue: #2466

Description

CAPA fails to process CAPE reports. The issue seems to be that the structure of procmemory in the report does not conform to what CAPA expects.

Expected behavior:

CAPA able to process CAPE reports.

Actual behavior:

[Task 36] [lib.cuckoo.common.integrations.capa] ERROR: CAPA ValidationError 6 validation errors for CapeReport
procmemory.0
Input should be None [type=none_required, input_value={'path': '/opt/CAPEv2/sto...9a3a271d6c3492402ee9'}]}, input_type=dict]
For further information visit https://errors.pydantic.dev/2.10/v/none_required

Versions

8.0.1

Additional Information

Example of the structure that procmemory currently takes:

```json
{
  "procmemory": [
    {
      "path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp",
      "sha256": "8d752b624cc955ecf2d9970b6447ec2a373e4c3e6866853bb8bd7b71b30a4dbe",
      "pid": 7980,
      "name": "rundll32.exe",
      "proc_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
      "yara": [
        {
          "name": "shellcode_get_eip",
          "meta": {
            "author": "William Ballenthin",
            "email": "[email protected]",
            "license": "Apache 2.0",
            "copyright": "FireEye, Inc",
            "description": "Match x86 that appears to fetch $PC."
          },
          "strings": [
            "{ E8 00 00 00 00 58 }"
          ],
          "addresses": {
            "x86": 36632923
          }
        }
      ],
      "cape_yara": [],
      "address_space": [
        {
          "start": "0x00010000",
          "end": "0x00022000",
          "size": "0x00012000",
          "prot": "RW",
          "PE": false,
          "chunks": [
            {
              "start": "0x00010000",
              "end": "0x00020000",
              "size": "0x00010000",
              "prot": "RW",
              "state": 4096,
              "type": 262144,
              "offset": 24,
              "PE": false
            }
          ]
        }
      ],
      "strings_path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp.strings",
      "extracted_pe": [
        {
          "name": "7980_0x73510000",
          "path": "/opt/CAPEv2/storage/analyses/36/memory/7980_0x73510000",
          "guest_paths": null,
          "size": 2805760,
          "crc32": "692101BD",
          "md5": "3191...a4e8",
          "sha1": "20e3...53a5",
          "sha256": "507f...2b69",
          "sha512": "ba01...bea9",
          "rh_hash": null,
          "ssdeep": "4915...xz7h",
          "type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
          "yara": [
            {
              "name": "HeavensGate",
              "meta": {
                "author": "kevoreilly",
                "description": "Heaven's Gate: Switch from 32-bit to 64-mode",
                "cape_type": "Heaven's Gate"
              },
              "strings": [
                "{ 6A 33 E8 00 00 00 00 83 04 24 05 CB }"
              ],
              "addresses": {
                "gate_v1": 121034
              }
            }
          ],
          "cape_yara": [],
          "clamav": [],
          "tlsh": "T160...E36E",
          "sha3_384": "cf87...6eb4"
        }
      ]
    }
  ]
}
```
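As an added example (not CAPA's or CAPE's own code), the following stdlib-only model accepts the procmemory list shown above, treats a missing or null key as empty, and rejects any other type, which is the shape the `none_required` error says CAPA's current model does not allow; the dataclass fields and the trimmed sample report are assumptions made for the example.

```python
import json
from dataclasses import dataclass
from typing import Any
# Constructed, trimmed copy of the procmemory entry from the issue (hashes shortened).
SAMPLE_REPORT = json.loads(r"""{"procmemory": [{
  "path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp", "sha256": "8d75...4dbe",
  "pid": 7980, "name": "rundll32.exe", "proc_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
  "yara": [{"name": "shellcode_get_eip", "meta": {"author": "William Ballenthin"},
            "strings": ["{ E8 00 00 00 00 58 }"], "addresses": {"x86": 36632923}}],
  "cape_yara": [],
  "address_space": [{"start": "0x00010000", "end": "0x00022000", "size": "0x00012000",
                     "prot": "RW", "PE": false, "chunks": []}],
  "strings_path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp.strings", "extracted_pe": []}]}""")

@dataclass
class Region:          # one "address_space" entry, addresses decoded from CAPE's hex strings
    start: int
    end: int
    size: int
    prot: str
    pe: bool

@dataclass
class ProcMemory:      # one dumped process; assumed field set, not CAPA's CapeReport model
    path: str
    sha256: str
    pid: int
    name: str
    proc_path: str
    yara: list[dict[str, Any]]   # rule hits kept as-is: name, meta, strings, addresses
    address_space: list[Region]

def parse_region(r: dict[str, Any]) -> Region:
    # CAPE writes "0x..." strings; decode them and check that end - start matches size.
    start, end, size = (int(r[k], 16) for k in ("start", "end", "size"))
    if end - start != size:
        raise ValueError(f"address_space size mismatch: {r}")
    return Region(start, end, size, r["prot"], bool(r["PE"]))

def parse_procmemory(report: dict[str, Any]) -> list[ProcMemory]:
    """Accept the list CAPE emits, treat a missing or None key as empty, reject anything else."""
    entries = report.get("procmemory")
    if entries is None:
        return []
    if not isinstance(entries, list):
        raise TypeError(f"procmemory must be a list or None, got {type(entries).__name__}")
    return [ProcMemory(e["path"], e["sha256"], int(e["pid"]), e["name"], e["proc_path"],
                       e.get("yara", []) + e.get("cape_yara", []),
                       [parse_region(r) for r in e.get("address_space", [])])
            for e in entries]
```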
@mr-tz
Collaborator

mr-tz commented Dec 13, 2024

Thanks! We haven't seen/modeled procmemory yet and these details are helpful for that.

@mr-tz mr-tz changed the title CAPE model errors CAPE model errors - CapeReport.procmemory Dec 13, 2024
@ChrisThibodeaux
Author

@mr-tz No worries. If there is anything I can lend a hand with or give extra information on, please let me know.

@mr-tz
Collaborator

mr-tz commented Dec 14, 2024

If you want to contribute (parts of) the model and/or submit a PR that could speed a solution up :)

@ChrisThibodeaux
Author

Sounds good to me. I will be able to really get after this in about a week or so when things slow down work wise.

@nishantsaini55

Hi @ChrisThibodeaux, are you currently working on this issue? I would like to lend a hand, either by working on it individually or, if you are working on it, we can do this together.

@mr-tz
Collaborator

mr-tz commented Jan 2, 2025

I'd suggest you can go ahead for now and @ChrisThibodeaux can chime in with his progress or ideas so far.

@nishantsaini55

Okay @mr-tz. I'll go forward with the same. Thank you.

@ChrisThibodeaux
Author

@nishantsaini55 Thank you for working on this. Work has not slowed down for us, just the opposite... Not sure when I would be able to aid on this.

@nishantsaini55

@ChrisThibodeaux no problem pal, I'll continue working on this.
