diff --git a/.github/workflows/auto_answer.yml b/.github/workflows/auto_answer.yml index 21223dfb5e4..650358392be 100644 --- a/.github/workflows/auto_answer.yml +++ b/.github/workflows/auto_answer.yml @@ -22,14 +22,15 @@ jobs: with: enable-cache: true - - name: Install the project - run: uv run pip install -r requirements.txt - - name: Run the answer bot with uv run env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} ISSUE_NUMBER: ${{ github.event.issue.number }} REPO_NAME: ${{ github.repository }} - # This single step installs dependencies (if needed) and runs the script - run: cd KnowledgeBaseBot && uv run python auto_answer_bot.py + run: | + cd KnowledgeBaseBot && \ + uv run \ + --with-requirements ../requirements.txt \ + --with-requirements requirements.txt \ + python auto_answer_bot.py diff --git a/analyzer/windows/data/yara/SmokeLoader.yar b/analyzer/windows/data/yara/SmokeLoader.yar index c49bb22a99a..eb7902c3cae 100644 --- a/analyzer/windows/data/yara/SmokeLoader.yar +++ b/analyzer/windows/data/yara/SmokeLoader.yar @@ -1,11 +1,11 @@ -rule SmokeLoader +rule SmokeInjector { meta: author = "kevoreilly" - description = "SmokeLoader Payload" - cape_options = "bp0=$gate+19,action0=DumpSectionViews,count=1" + cape_options = "monitor=explorer" + packed = "d38f9ab81a054203e5b5940e6d34f3c8766f4f4104b14840e4695df511feaa30" strings: - $gate = {68 [2] 00 00 50 E8 [4] 8B 45 ?? 89 F1 8B 55 ?? 9A [2] 40 00 33 00 89 F9 89 FA 81 C1 [2] 00 00 81 C2 [2] 00 00 89 0A 8B 46 ?? 03 45 ?? 8B 4D ?? 8B 55 ?? 9A [2] 40 00 33 00} + $dec1 = {80 04 08 [0-7] (49|83 E9 01) [0-7] 41 [0-7] 81 F1 [2] 00 00 [0-7] 01 D9 [0-7] FF E1} condition: uint16(0) == 0x5A4D and any of them } diff --git a/data/yara/CAPE/NitroBunnyDownloader.yar b/data/yara/CAPE/NitroBunnyDownloader.yar index 733efe3a41a..53ebcbba24d 100644 --- a/data/yara/CAPE/NitroBunnyDownloader.yar +++ b/data/yara/CAPE/NitroBunnyDownloader.yar 
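Review bot: The new `run` block resolves dependencies from two requirements files on every workflow run, and the root `requirements.txt` is hash-pinned (its `--hash=sha256:` lines appear later in this diff) while `KnowledgeBaseBot/requirements.txt` is not visible here; confirm that uv enforces those `--hash` pins when the file is supplied through `--with-requirements`, because an unverified install path lets a changed package on the index alter what runs with `GITHUB_TOKEN` and `GEMINI_API_KEY` in its environment. As a point of style, the `cd KnowledgeBaseBot && \` chaining can be replaced by a step-level `working-directory: KnowledgeBaseBot`, which keeps the relative `../requirements.txt` path meaningful and leaves the `run` block as a single `uv run ...` command. The `steps` list and the enclosing job start outside the hunk.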
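Review bot: The rewritten rule drops the `description` meta while keeping `author`, `cape_options` and `packed`, so unlike the CAPE-side `SmokeLoader` rule in this same diff it no longer states what it detects; add `description = "SmokeInjector Payload"` (adjusting the wording to the actual stage) to follow the convention the other rules use. The rule is also renamed to `SmokeInjector` while the file remains `SmokeLoader.yar`, which is harmless if the analyzer loads rules per file rather than by rule name, but that is worth confirming. `$dec1` is built from one- and two-byte fragments (`41`, `01 D9`, `FF E1`) separated by `[0-7]` jumps around an alternation, a shape YARA may report as a slow pattern; if the compiler warns, anchoring on the longer `81 F1 [2] 00 00` fragment or narrowing the jump ranges would help scan time without loosening the match.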
@@ -6,12 +6,13 @@ rule NitroBunnyDownloader
 cape_type = "NitroBunnyDownloader Payload"
 hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
 strings:
- $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+ $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+ $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}
 $string1 = "X-Amz-User-Agent:" wide
 $string2 = "Amz-Security-Flag:" wide
 $string3 = "/cart" wide
 $string4 = "Cookie: " wide
 $string5 = "wishlist" wide
 condition:
- uint16(0) == 0x5A4D and $config and 2 of ($string*)
+ uint16(0) == 0x5A4D and 1 of ($config*) and 2 of ($string*)
 }
diff --git a/data/yara/CAPE/SmokeLoader.yar b/data/yara/CAPE/SmokeLoader.yar
index 988425e5421..8447a546a48 100644
--- a/data/yara/CAPE/SmokeLoader.yar
+++ b/data/yara/CAPE/SmokeLoader.yar
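Review bot: `$config2` is added without any provenance in `meta`: the single `hash = "960e5920..."` entry predates this change and presumably covers the `$config1` operand order only, so the sample that motivated the swapped `48 8D 15` / `41 B8` variant is not recorded. YARA meta accepts repeated keys, so a second entry such as `hash = "<sha256 of the sample matching $config2>"` (placeholder) would let the next maintainer re-validate both variants. The `1 of ($config*)` change itself is consistent with the renamed strings, and the rule header lies outside the hunk.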
@@ -5,10 +5,12 @@ rule SmokeLoader description = "SmokeLoader Payload" cape_type = "SmokeLoader Payload" strings: - $rc4_decrypt64 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75} + $rc4_decrypt64_1 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75} + $rc4_decrypt64_2 = {03 C8 8B C1 89 44 [2] 0F B6 8C [2] 01 00 00 33 D2 8B 04 24 F7 F1 8B C2 8B C0 48 8B 8C [2] 01 00 00 0F B6 04 01 8B 4C [2] 03 C8 8B C1 25 FF 00 00 00} + $rc4_decrypt64_3 = {8B 04 ?? FF C0 25 FF 00 00 00 89 04 ?? 8B 04 ?? 0F B6 44 [2] 8B 4C [2] 03 C8 8B C1 25 FF 00 00 00} $rc4_decrypt32 = {47 B9 FF 00 00 00 23 F9 8A 54 [2] 0F B6 C2 03 F0 23 F1 8A 44 [2] 88 44 [2] 88 54 [2] 0F B6 4C [2] 0F B6 C2 03 C8 81 E1 FF 00 00 00 8A 44 [2] 30 04 2B 43 3B 9C 24 [4] 72 C0} - $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0 [6-10] 48 8D 05} + $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF)} $fetch_c2_32 = {8B 96 [2] (00|01) 00 8B CE 5E 8B 14 95 [4] E9} condition: - 2 of them + 2 of them } diff --git a/poetry.lock b/poetry.lock index 0a3c6ee0a0c..4f635467a40 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 2.2.0 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand. [[package]] name = "alembic" 
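Review bot: With three `$rc4_decrypt64_*` strings now present, `2 of them` can be satisfied by RC4 code alone: `$rc4_decrypt64_2` and `$rc4_decrypt64_3` both describe the generic `and eax, 0xFF` (`25 FF 00 00 00`) index wrapping of an RC4 loop and look likely to co-occur in unrelated binaries that embed an unoptimised RC4, so the rule no longer needs any family-specific evidence to fire. If the C2-fetch routine is meant to anchor the verdict, a condition such as `1 of ($fetch_c2*) and 1 of ($rc4_decrypt*)` keeps the two-string strength while tying it to SmokeLoader; at minimum the three 64-bit decrypt variants should count as one unit rather than three. The `$fetch_c2_64` rewrite also drops the trailing `[6-10] 48 8D 05` anchor, which widens that string, so a false-positive sweep over the corpus would be worthwhile. The rule header and the rest of the file are outside the hunk.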
@@ -912,14 +912,14 @@ files = [ [[package]] name = "django" -version = "5.1.13" +version = "5.1.14" description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design." optional = false python-versions = ">=3.10" groups = ["main"] files = [ - {file = "django-5.1.13-py3-none-any.whl", hash = "sha256:06f257f79dc4c17f3f9e23b106a4c5ed1335abecbe731e83c598c941d14fbeed"}, - {file = "django-5.1.13.tar.gz", hash = "sha256:543ff21679f15e80edfc01fe7ea35f8291b6d4ea589433882913626a7c1cf929"}, + {file = "django-5.1.14-py3-none-any.whl", hash = "sha256:2a4b9c20404fd1bf50aaaa5542a19d860594cba1354f688f642feb271b91df27"}, + {file = "django-5.1.14.tar.gz", hash = "sha256:b98409fb31fdd6e8c3a6ba2eef3415cc5c0020057b43b21ba7af6eff5f014831"}, ] [package.dependencies] 
@@ -4381,6 +4381,9 @@ files = [
 {file = "stpyv8-13.1.201.22-cp313-cp313-macosx_14_0_arm64.whl", hash = "sha256:6cb5e8751aee2487cc3b5f21eac6d459041a7180a779941b64db5736e27276ee"},
 {file = "stpyv8-13.1.201.22-cp313-cp313-manylinux_2_31_x86_64.whl", hash = "sha256:834b9761bb7f49da8b887847c7647495a2cf6c45f69e2124ae0e3f024493bc15"},
 {file = "stpyv8-13.1.201.22-cp313-cp313-win_amd64.whl", hash = "sha256:c8189b8c4d87579f353705441757f11e2f2260578b82000925dadf0ed59a47e3"},
+ {file = "stpyv8-13.1.201.22-cp314-cp314-macosx_13_0_x86_64.whl", hash = "sha256:c4bf3048c96a6a1561861da0c74be842c79a71373d3bec0d53c4e8f6eaa7b6e8"},
+ {file = "stpyv8-13.1.201.22-cp314-cp314-macosx_14_0_arm64.whl", hash = "sha256:6fdbc3a8b1aa941064ec0976a5a85761f50e9090468ce275c22d0774293d2668"},
+ {file = "stpyv8-13.1.201.22-cp314-cp314-manylinux_2_35_x86_64.whl", hash = "sha256:c0b258c7c5a79c5f19e636b93eece90d3cf9109af9a11c5394bdb807ed68e04a"},
 {file = "stpyv8-13.1.201.22-cp39-cp39-macosx_13_0_x86_64.whl", hash = "sha256:05c3ecaaf2dd8dbe06bdb70f3192b7e6161337ee04e6830a57b58eb4be7c70bd"},
 {file = "stpyv8-13.1.201.22-cp39-cp39-manylinux_2_31_x86_64.whl", hash = "sha256:bf51578ec84dba6519d75ca81a154a070910e638da0ec384f4bf6d535f9b5218"},
 {file = "stpyv8-13.1.201.22-cp39-cp39-win_amd64.whl", hash = "sha256:d00a220268d63d68490682b571d082d5b197de1f19d6f478a88357c61da94f7a"},
diff --git a/requirements.txt b/requirements.txt
index 19cd2edf13a..e87680e82f2 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1908,6 +1908,7 @@ stpyv8==13.1.201.22 ; python_version >= "3.10" and python_version < "4.0" \
 --hash=sha256:4d737935167c52ed72e5a78264d9adfeaf089bf54693b88f12cbdb439a36a102 \
 --hash=sha256:6cb5e8751aee2487cc3b5f21eac6d459041a7180a779941b64db5736e27276ee \
 --hash=sha256:6dc40b656cea7fe541f6bdbad83b6b4ed51e5ead985b54c139319a731253a55e \
+ --hash=sha256:6fdbc3a8b1aa941064ec0976a5a85761f50e9090468ce275c22d0774293d2668 \
 --hash=sha256:8019f19b29621ccde85125d86f60f5814175b17670f5949d2671cf22cf453ea6 \
 --hash=sha256:834b9761bb7f49da8b887847c7647495a2cf6c45f69e2124ae0e3f024493bc15 \
 --hash=sha256:90568ff08dfaf0ebd3bf1c79f7d21db06d82eada412a6e914b995bead7c78666 \
@@ -1915,8 +1916,10 @@ stpyv8==13.1.201.22 ; python_version >= "3.10" and python_version < "4.0" \
 --hash=sha256:b53df6114a88698ee6f3820cf46476e83ee09c9a67dd9f7cf58ca6a2928238b0 \
 --hash=sha256:b9d9499ed2007cc097a5d2ae0cb18226b2bf3ca429301811b2e12a787a8f137e \
 --hash=sha256:bf51578ec84dba6519d75ca81a154a070910e638da0ec384f4bf6d535f9b5218 \
+ --hash=sha256:c0b258c7c5a79c5f19e636b93eece90d3cf9109af9a11c5394bdb807ed68e04a \
 --hash=sha256:c24aa4215c64db7d67fc6c42c0d7731cabcf300596bf9c826ae74f426fe3b771 \
 --hash=sha256:c4292843c8133fc99833aceef25925a97edf01031e186335582deb077b99d2bf \
+ --hash=sha256:c4bf3048c96a6a1561861da0c74be842c79a71373d3bec0d53c4e8f6eaa7b6e8 \
 --hash=sha256:c8189b8c4d87579f353705441757f11e2f2260578b82000925dadf0ed59a47e3 \
 --hash=sha256:d00a220268d63d68490682b571d082d5b197de1f19d6f478a88357c61da94f7a \
 --hash=sha256:da6d8f2945bd057057c64bc93ea3c064cc848b75f55d6d651120ee5d115e0761 \