mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

Method to identify an incomplete CAPE report #2035

Closed Iroxious closed 5 months ago

Iroxious commented 6 months ago

Hello, thank you for reading this issue. I am currently using an unofficial version of CAPE, which seems to cause some fields to be missing in the CAPE reports. CAPA is unable to recognize these reports, resulting in the following error message:

D:\Study\capa-v7.0.1-windows>capa D:\Study\analyses\jsons\2496_reports_report.json -d
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa: Using default embedded rules.
DEBUG:capa: To provide your own rules, use the form capa.exe -r ./path/to/rules/ /path/to/mal.exe.
DEBUG:capa: You can see the current default rule set here:
DEBUG:capa: https://github.com/mandiant/capa-rules
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa: Using default embedded signatures.
DEBUG:capa: To provide your own signatures, use the form capa.exe --signature ./path/to/signatures/ /path/to/mal.exe.
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa.rules:reading rules from directory C:\Users\DavidLee\AppData\Local\Temp_MEI336362\rules
DEBUG:capa.rules.cache:loading rule set from cache: C:\Users\DavidLee\AppData\Local\Temp_MEI336362\cache\capa-d2f2a22b.cache
DEBUG:capa:successfully loaded 866 rules
Traceback (most recent call last):
  File "main.py", line 944, in 
  File "main.py", line 806, in main
  File "main.py", line 643, in get_file_extractors_from_cli
  File "loader.py", line 291, in get_file_extractors
  File "features\extractors\cape\extractor.py", line 126, in from_report
  File "pydantic\main.py", line 503, in model_validate
pydantic_core._pydantic_core.ValidationError: 3 validation errors for CapeReport
target.file.sha3_384
  Field required [type=missing, input_value={'name': '5ceb25d26af3df6...: '2008-07-28 08:11:35'}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.4/v/missing
CAPE
  Input should be a valid dictionary or instance of Cape [type=model_type, input_value=[], input_type=list]
    For further information visit https://errors.pydantic.dev/2.4/v/model_type
dropped.0.sha3_384
  Field required [type=missing, input_value={'name': 'msupdate.exe', ...al\Temp\msupdate.exe'}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.4/v/missing
[28876] Failed to execute script 'main' due to unhandled exception!

Could you kindly suggest a method for batch processing these reports to ensure compatibility with CAPA? The JSON report generated by CAPE has been attached. 2496_reports_report.json Thank you for your attention.
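One way to batch-triage reports before feeding them to capa, as an added example that is not part of capa or of this issue thread: a small stdlib-only script that scans each CAPE JSON for exactly the three shapes the validation error above names (a missing target.file.sha3_384, a missing dropped[i].sha3_384, and a CAPE field that is an empty list instead of a dict) and prints which reports are incomplete. The field paths are taken from the traceback; the sample reports are constructed, and capa's real pydantic models enforce many more fields than this check does.

```python
"""Batch pre-check for CAPE reports before handing them to capa.

Added example, not capa's own code. It checks only the three shapes named in
the validation error in this issue; the real CapeReport model validates more.
"""
import json
from pathlib import Path


def find_report_problems(report: dict) -> list[str]:
    """Return human-readable problems for the fields capa complained about."""
    problems = []

    # target.file.sha3_384 is required by capa's CapeReport model
    target_file = report.get("target", {}).get("file", {})
    if "sha3_384" not in target_file:
        problems.append("target.file.sha3_384 missing")

    # every dropped file entry must carry a sha3_384 as well
    for idx, dropped in enumerate(report.get("dropped", [])):
        if "sha3_384" not in dropped:
            problems.append(f"dropped.{idx}.sha3_384 missing")

    # the CAPE section must be a dict; the unofficial build emitted an empty list
    cape = report.get("CAPE")
    if cape is not None and not isinstance(cape, dict):
        problems.append(f"CAPE should be a dict, got {type(cape).__name__}")

    return problems


def triage_reports(paths) -> dict[str, list[str]]:
    """Map each report path to its problem list; unreadable JSON counts as a problem."""
    results = {}
    for path in paths:
        try:
            report = json.loads(Path(path).read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            results[str(path)] = [f"unreadable: {exc}"]
            continue
        results[str(path)] = find_report_problems(report)
    return results


# Constructed sample reports (not real CAPE output): one complete, one with the
# same three gaps as the traceback in this issue.
COMPLETE_REPORT = {
    "target": {"file": {"name": "sample.exe", "sha3_384": "00" * 48}},
    "dropped": [{"name": "msupdate.exe", "sha3_384": "11" * 48}],
    "CAPE": {"payloads": []},
}

INCOMPLETE_REPORT = {
    "target": {"file": {"name": "sample.exe"}},
    "dropped": [{"name": "msupdate.exe"}],
    "CAPE": [],
}

if __name__ == "__main__":
    import sys

    # usage: python check_cape_reports.py report1.json report2.json ...
    for path, problems in triage_reports(sys.argv[1:]).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{path}: {status}")
```

Reports that come back with an empty problem list can go straight to capa; the others are the ones that need the model-side fix (or a regenerated report from an official CAPE build).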

mr-tz commented 6 months ago

You can try to mark sha3_384 optional here:

https://github.com/mandiant/capa/blob/7debc54dbd90372af8f4e3b1819fe632afdaa3fa/capa/features/extractors/cape/models.py#L233

I can take a closer look next week.

mr-tz commented 6 months ago

@Iroxious, please check if https://github.com/mandiant/capa/pull/2042 fixes this for you.

Iroxious commented 6 months ago

> @Iroxious, please check if #2042 fixes this for you.

It worked! Thank you very much for your assistance!

mr-tz commented 6 months ago

@Iroxious, can you provide an excerpt of what the CAPE data looks like when it's not an empty list?

Iroxious commented 5 months ago

I'm sorry, I cannot determine the type of the non-empty value of the CAPE field. Due to time constraints and configuration environment reasons, we are currently unable to directly use the official CAPE code. The previous speculation that the version of CAPE might affect the field values was somewhat arbitrary, as there is also a possibility that using the official CAPE code may result in such empty values, but we are temporarily unable to ascertain.