
CAPE model errors - CapeReport.procmemory #2539

Open
ChrisThibodeaux opened this issue Dec 12, 2024 · 2 comments

Comments

@ChrisThibodeaux

Possibly related issue: #2466

Description

CAPA fails to process CAPE reports. The issue seems to be that the structure of procmemory in the report does not conform to what CAPA expects.

Expected behavior:

CAPA is able to process CAPE reports.

Actual behavior:

[Task 36] [lib.cuckoo.common.integrations.capa] ERROR: CAPA ValidationError 6 validation errors for CapeReport
procmemory.0
Input should be None [type=none_required, input_value={'path': '/opt/CAPEv2/sto...9a3a271d6c3492402ee9'}]}, input_type=dict]
For further information visit https://errors.pydantic.dev/2.10/v/none_required

Versions

8.0.1

Additional Information

Example of the structure that procmemory currently takes:

```json
  "procmemory": [
    {
      "path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp",
      "sha256": "8d752b624cc955ecf2d9970b6447ec2a373e4c3e6866853bb8bd7b71b30a4dbe",
      "pid": 7980,
      "name": "rundll32.exe",
      "proc_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
      "yara": [
        {
          "name": "shellcode_get_eip",
          "meta": {
            "author": "William Ballenthin",
            "email": "[email protected]",
            "license": "Apache 2.0",
            "copyright": "FireEye, Inc",
            "description": "Match x86 that appears to fetch $PC."
          },
          "strings": [
            "{ E8 00 00 00 00 58 }"
          ],
          "addresses": {
            "x86": 36632923
          }
        }
      ],
      "cape_yara": [],
      "address_space": [
        {
          "start": "0x00010000",
          "end": "0x00022000",
          "size": "0x00012000",
          "prot": "RW",
          "PE": false,
          "chunks": [
            {
              "start": "0x00010000",
              "end": "0x00020000",
              "size": "0x00010000",
              "prot": "RW",
              "state": 4096,
              "type": 262144,
              "offset": 24,
              "PE": false
            }
          ]
        }
      ],
      "strings_path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp.strings",
      "extracted_pe": [
        {
          "name": "7980_0x73510000",
          "path": "/opt/CAPEv2/storage/analyses/36/memory/7980_0x73510000",
          "guest_paths": null,
          "size": 2805760,
          "crc32": "692101BD",
          "md5": "3191...a4e8",
          "sha1": "20e3...53a5",
          "sha256": "507f...2b69",
          "sha512": "ba01...bea9",
          "rh_hash": null,
          "ssdeep": "4915...xz7h",
          "type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
          "yara": [
            {
              "name": "HeavensGate",
              "meta": {
                "author": "kevoreilly",
                "description": "Heaven's Gate: Switch from 32-bit to 64-mode",
                "cape_type": "Heaven's Gate"
              },
              "strings": [
                "{ 6A 33 E8 00 00 00 00 83 04 24 05 CB }"
              ],
              "addresses": {
                "gate_v1": 121034
              }
            }
          ],
          "cape_yara": [],
          "clamav": [],
          "tlsh": "T160...E36E",
          "sha3_384": "cf87...6eb4"
        }
      ]
    }
  ]
```
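The pydantic error in the report (`Input should be None [type=none_required]` at `procmemory.0`) is what you get when a model declares the elements of `procmemory` as `None` but the CAPE report carries real dump descriptors. The following is an added, stdlib-only sketch (not capa's actual `CapeReport` model and not part of this issue) of the shape such a model would need, mirroring the field set in the sample above. It reports failures with pydantic-style dotted locations, and a `require_none` switch reproduces the none-only behaviour the issue describes so the two outcomes can be compared on the same input. The sample report is a trimmed copy of the structure quoted in the issue; the key names are taken from it, the regular expressions and error strings are assumptions.

```python
"""Structural check of a CAPE report's ``procmemory`` entries (added example).

Not capa's own CapeReport model: a stdlib-only validator that mirrors the shape
quoted in the issue and reports failures with pydantic-style dotted locations
such as ``procmemory.0.address_space.0.start``.
"""
import json
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{8}$")   # "0x00010000" style values (assumed format)
SHA256 = re.compile(r"^[0-9a-f]{64}$")


def _expect(cond, loc, msg, errors):
    """Append 'loc: msg' when cond is false; loc is the dotted field path."""
    if not cond:
        errors.append(f"{loc}: {msg}")


def _check_chunk(chunk, loc, errors):
    """start/end/size/prot/PE keys shared by regions and their chunks."""
    _expect(isinstance(chunk, dict), loc, "Input should be a dict", errors)
    if not isinstance(chunk, dict):
        return
    for key in ("start", "end", "size"):
        _expect(HEX_ADDR.match(str(chunk.get(key, ""))) is not None,
                f"{loc}.{key}", "expected 0x-prefixed 8-digit hex string", errors)
    _expect(isinstance(chunk.get("prot"), str), f"{loc}.prot", "expected str", errors)
    _expect(isinstance(chunk.get("PE"), bool), f"{loc}.PE", "expected bool", errors)


def _check_region(region, loc, errors):
    """An address_space region is a chunk-like record plus a list of chunks."""
    _check_chunk(region, loc, errors)
    if isinstance(region, dict):
        chunks = region.get("chunks", [])
        _expect(isinstance(chunks, list), f"{loc}.chunks", "expected list", errors)
        if isinstance(chunks, list):
            for i, c in enumerate(chunks):
                _check_chunk(c, f"{loc}.chunks.{i}", errors)


def _check_procmem_entry(entry, loc, errors):
    """One process memory dump descriptor, fields as in the issue's sample."""
    _expect(isinstance(entry, dict), loc, "Input should be a dict", errors)
    if not isinstance(entry, dict):
        return
    _expect(isinstance(entry.get("path"), str), f"{loc}.path", "expected str", errors)
    _expect(SHA256.match(str(entry.get("sha256", ""))) is not None,
            f"{loc}.sha256", "expected 64 hex chars", errors)
    pid = entry.get("pid")
    _expect(isinstance(pid, int) and not isinstance(pid, bool), f"{loc}.pid", "expected int", errors)
    for key in ("name", "proc_path"):
        _expect(isinstance(entry.get(key), str), f"{loc}.{key}", "expected str", errors)
    for key in ("yara", "cape_yara", "address_space", "extracted_pe"):
        _expect(isinstance(entry.get(key), list), f"{loc}.{key}", "expected list", errors)
    if isinstance(entry.get("address_space"), list):
        for i, region in enumerate(entry["address_space"]):
            _check_region(region, f"{loc}.address_space.{i}", errors)
    if isinstance(entry.get("yara"), list):
        for i, rule in enumerate(entry["yara"]):
            _expect(isinstance(rule, dict) and isinstance(rule.get("name"), str),
                    f"{loc}.yara.{i}.name", "expected str", errors)


def validate_procmemory(report, require_none=False):
    """Return a list of 'location: message' strings; empty means the report passes.

    require_none=True reproduces what the issue reports: a model that declares
    every procmemory element as None rejects real entries at procmemory.<index>.
    """
    errors = []
    pm = report.get("procmemory")
    if pm is None:                       # a report with no dumps is fine either way
        return errors
    _expect(isinstance(pm, list), "procmemory", "expected list", errors)
    if not isinstance(pm, list):
        return errors
    for i, entry in enumerate(pm):
        loc = f"procmemory.{i}"
        if require_none:
            _expect(entry is None, loc, "Input should be None [type=none_required]", errors)
            continue
        _check_procmem_entry(entry, loc, errors)
    return errors


# Constructed sample: a trimmed copy of the structure quoted in the issue.
SAMPLE_REPORT = json.loads(r'''
{
  "procmemory": [
    {
      "path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp",
      "sha256": "8d752b624cc955ecf2d9970b6447ec2a373e4c3e6866853bb8bd7b71b30a4dbe",
      "pid": 7980,
      "name": "rundll32.exe",
      "proc_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
      "yara": [{"name": "shellcode_get_eip", "meta": {},
                "strings": ["{ E8 00 00 00 00 58 }"], "addresses": {"x86": 36632923}}],
      "cape_yara": [],
      "address_space": [
        {"start": "0x00010000", "end": "0x00022000", "size": "0x00012000", "prot": "RW", "PE": false,
         "chunks": [{"start": "0x00010000", "end": "0x00020000", "size": "0x00010000", "prot": "RW",
                     "state": 4096, "type": 262144, "offset": 24, "PE": false}]}
      ],
      "strings_path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp.strings",
      "extracted_pe": []
    }
  ]
}
''')

if __name__ == "__main__":
    for msg in validate_procmemory(SAMPLE_REPORT, require_none=True):
        print("none-only model:", msg)          # fails at procmemory.0, as in the issue
    print("structural model errors:", validate_procmemory(SAMPLE_REPORT))   # []
```

Run stand-alone, the none-only mode produces the same `procmemory.0` location as the error in the issue while the structural check passes the sample cleanly; feeding it a region whose `start` is not a `0x`-prefixed hex string yields a single `procmemory.0.address_space.0.start` entry, which is the level of detail a real model for this field would want to surface.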
@mr-tz (Collaborator)

mr-tz commented Dec 13, 2024

Thanks! We haven't seen/modeled procmemory yet and these details are helpful for that.

@mr-tz mr-tz changed the title CAPE model errors CAPE model errors - CapeReport.procmemory Dec 13, 2024
@ChrisThibodeaux (Author)

@mr-tz No worries. If there is anything I can lend a hand with or give extra information on, please let me know.
