Open kevross33 opened 7 years ago
@kevross33 I got this error:

```
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 398, in call_signature
    if not signature.matched and handler(*args, **kwargs):
  File "/home/socadmin/.cuckoo/signatures/windows/office.py", line 293, in on_complete
    for macro in office["macros"]:
TypeError: list indices must be integers, not str
```

misses: `if "macros" in office:`
@Nwinternights do you have an MD5 for a sample showing this?
EPS signature improvements. Sample tested:

- Name: Confirmation_letter.docx
- Exploit: CVE-2017-0261 (although AV detects the wrong CVE)
- MD5: 2abe3cc4bff46455a945d56c27e9fb45
- Reference: https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html

Note: for this I do have a version for the new monitor, where the filepath is available, that only shows the name of the EPS file rather than its content.
@kevross33 I need to search for it. As soon as I get it I'll send you the sample. Regards
@kevross33 cea5278394bce8713dc1f282619c0c44 https://malwr.com/analysis/M2VhNDNkNjc3NWJkNDAyOThhNzE1ZjYxYmUyZmMwNjk/
```
ERROR: Failed to run 'on_complete' of the office_macro signature
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 398, in call_signature
    if not signature.matched and handler(*args, **kwargs):
  File "/home/socadmin/.cuckoo/signatures/windows/office.py", line 343, in on_complete
    for macro in office["macros"]:
TypeError: list indices must be integers, not str
```
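The two tracebacks above (at `office.py` lines 293 and 343) both come from the same assumption: that the `office` entry in the static results is always a dict carrying a `macros` list. The `TypeError: list indices must be integers, not str` shows it can be a list. The following is an added, stand-alone example, not code from this pull request or from the Cuckoo project: it reproduces the failure and shows a handler that tolerates the dict, list and missing cases, then runs a VBA `Declare` scan of the kind the "VBA imports of APIs" signature in this thread performs. The `stream`/`orig_code` macro keys, the regex and the short API list are this example's own assumptions, and the sample macro code is constructed.

```python
"""Tolerant handling of Cuckoo's 'office' static result for macro signatures.

Assumptions (not taken from the PR): each macro is a dict with 'stream' and
'orig_code' keys; the watched API list below is illustrative only.
"""
import re

# Constructed list of Win32 APIs that document macros have no benign reason
# to import; a real signature would carry a fuller, curated list.
SUSPICIOUS_APIS = frozenset(
    ["URLDownloadToFileA", "ShellExecuteA", "WinExec", "CreateProcessA"]
)

# Matches 'Declare [PtrSafe] Function|Sub <name> Lib "<lib>" [Alias "<api>"]'.
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"(\w+)")?',
    re.IGNORECASE,
)


def buggy_macro_count(office):
    """The pattern from the traceback: indexes office by a string key, so a
    list-shaped result raises TypeError."""
    return len(office["macros"])


def iter_macros(office):
    """Yield macro dicts from an 'office' result of any shape seen in the thread.

    dict  -> use its 'macros' list (missing or None becomes empty)
    list  -> treat the list itself as the macro list
    other -> nothing
    """
    if isinstance(office, dict):
        macros = office.get("macros") or []
    elif isinstance(office, list):
        macros = office
    else:
        macros = []
    for macro in macros:
        if isinstance(macro, dict):
            yield macro


def find_api_imports(office):
    """Return sorted (stream, library, api) triples for every VBA Declare that
    imports a watched API. Uses the Alias name when present, else the declared
    name, since either is what the macro actually resolves at runtime."""
    found = set()
    for macro in iter_macros(office):
        stream = macro.get("stream", "?")
        code = macro.get("orig_code") or ""
        for name, lib, alias in DECLARE_RE.findall(code):
            api = alias or name
            if api in SUSPICIOUS_APIS:
                found.add((stream, lib.lower(), api))
    return sorted(found)


# Constructed sample: what a parsed document with two VBA streams might yield.
SAMPLE_DICT = {
    "macros": [
        {
            "stream": "ThisDocument",
            "orig_code": (
                'Private Declare Function URLDownloadToFile Lib "urlmon" '
                'Alias "URLDownloadToFileA" (ByVal a As Long) As Long\n'
                "Sub AutoOpen()\nEnd Sub\n"
            ),
        },
        {
            "stream": "Module1",
            "orig_code": 'Declare Function WinExec Lib "kernel32" '
                         "(ByVal s As String, ByVal n As Long) As Long\n",
        },
    ]
}
# The list-shaped variant that made office["macros"] blow up.
SAMPLE_LIST = SAMPLE_DICT["macros"]


def reproduces_type_error(office):
    """True if the original indexing pattern raises TypeError on this input."""
    try:
        buggy_macro_count(office)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print("buggy handler fails on list:", reproduces_type_error(SAMPLE_LIST))
    for shape in (SAMPLE_DICT, SAMPLE_LIST, {}, None):
        print(type(shape).__name__, "->", find_api_imports(shape))
```

The check the thread asks for, `if "macros" in office:`, guards the dict case only; `iter_macros` also covers the list shape the traceback proves exists, and the `isinstance(macro, dict)` filter keeps a stray string entry from raising a second, different error inside the loop.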
Added a signature to detect VBA imports of APIs, such as in sample 929fb9558479a5c1c33f71a7373c3962
Add in contains macro signature
Updated to include FernandoDoming's changes into 1 pull request #323 & https://github.com/cuckoosandbox/community/pull/317/files (mostly so I can pull it altogether easier in 1 go for my use)
Improved EPS signatures: extract more info & added an additional signature for creating EPS signatures which detects embedded EPS exploits that do not trigger static analysis. It is worth noting I do have an improved version of this sig for the new monitor where, instead of dumping the call in its entirety, I flag the EPS filename, as the call can have a lot of text and some exploits dump various EPS files, so it can sometimes get a little messy.