Improvements to Extraction package and MWCP integration.

ctxis · Jan 27, 2017 · f095398 · f095398
1 parent 2c77944
commit f095398
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,8 @@ The techniques or behaviours that CAPE detects and has packages for include:
     - Extraction of executable modules or shellcode in memory
 
 Packages for these behaviours will dump the payloads being injected, extracted or decompressed for further analysis. This is often the malware payload in unpacked form.    
+
+In addition to specific behaviour,s CAPE also automatically creates a process dump for each process' main executable, or, in the case of a DLL, the DLL's module image in memory. This is useful for samples packed with simple packers, where often the module image dump is fully unpacked.
 
 CAPE can also extract the payloads from 'hacked' (modified) packers derived from UPX, a favourite with malware authors.
 
@@ -27,9 +29,9 @@ There are a number of other malware family packages currently in the works, so w
 
 A number of other malware families have their payloads extracted by some of the behavioural packages, configuration parsing on the output of some of these is also currently being worked on.
 
-In addition, a number of malware families are covered by static configuration extraction based on malwareconfig.com (thanks to Kevin Breen/TechAnarchy for this).
+CAPE has two config parsing frameworks inbuilt. DC3-MWCP (Defense Cyber Crime Center - Malware Configuration Parser) and the RATDecoders parser from malwareconfig.com (Kevin Breen/TechAnarchy). The publicly available decoders from malwareconfig.com are also included in CAPE.
 
-Detection to trigger a CAPE package can be based from either 'Cuckoo' (API) or Yara signatures.
+Detection to trigger a CAPE package can be based from on 'Cuckoo' (API) or Yara signatures.
 
 Packages can be written based on API hooks, the CAPE debugger, or a combination of both.
 

diff --git a/analyzer/windows/dll/CAPE_Extraction.dll b/analyzer/windows/dll/CAPE_Extraction.dll
diff --git a/cuckoo.sln b/cuckoo.sln
@@ -1,8 +1,6 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 14
-VisualStudioVersion = 14.0.25420.1
-MinimumVisualStudioVersion = 10.0.40219.1
+# Visual Studio 2012
 Project("{888888A0-9F3D-457C-B088-3A5042F75D52}") = "cuckoo", "cuckoo.pyproj", "{365A3967-518E-457B-972A-3C90834F0F80}"
 EndProject
 Global

diff --git a/modules/processing/parsers/mwcp/malwareconfigreporter.py b/modules/processing/parsers/mwcp/malwareconfigreporter.py
@@ -79,7 +79,7 @@ class malwareconfigreporter(object):
     '''
 
     #changing this is not recommended
-    __parsernamepostfix = "_malwareconfigparser"
+    __parsernamepostfix = ""
 
     def __init__(self,
                  parserdir = None,

diff --git a/modules/reporting/submitCAPE.py b/modules/reporting/submitCAPE.py
@@ -219,11 +219,11 @@ def run(self, results):
         if 'CAPE_EvilGrab' in detections:
             package = 'CAPE_EvilGrab'	
 
-        if 'CAPE_Crossfire' in detections:
+        if 'CAPE_Azzy' in detections:
             if parent_package=='dll':
-                package = 'CAPE_Crossfire_dll'
+                package = 'CAPE_Azzy_dll'
             else:
-                package = 'CAPE_Crossfire'
+                package = 'CAPE_Azzy'
 
         if self.task_options_stack:
             self.task_options=','.join(self.task_options_stack)            

diff --git a/web/templates/analysis/CAPE/index.html b/web/templates/analysis/CAPE/index.html
@@ -16,7 +16,19 @@
                         <th style="border-top: 0; width: 15%;"><b>{{key}}</b></th>
                         <td style="border-top: 0; word-wrap: break-word;">
                         {% for subvalue in value %}
-                            <div>{{subvalue}}</div>
+                            {% if subvalue|length > 1 %}
+                                {% for subsubvalue in subvalue %}
+                                    {% if subsubvalue|length > 1 %}
+                                        <div>{{subsubvalue}}</div>
+                                    {% else %}
+                                        {% if forloop.first %}
+                                            <div>{{subvalue}}</div>
+                                        {% endif %}
+                                    {% endif %}
+                                {% endfor %}
+                            {% else %}
+                                <div>{{subvalue}}</div>
+                            {% endif %}
                         {% endfor %}
                         </td>
                     </tr>