CAPE model errors - CapeReport.procmemory

[ChrisThibodeaux]

Possibly related issue: #2466

Description

CAPA fails to process CAPE reports. Issue seems to be the structure of procmemory in the report does not conform to what CAPA expects.

Expected behavior:

CAPA able to process CAPE reports.

Actual behavior:

[Task 36] [lib.cuckoo.common.integrations.capa] ERROR: CAPA ValidationError 6 validation errors for CapeReport
procmemory.0
Input should be None [type=none_required, input_value={'path': '/opt/CAPEv2/sto...9a3a271d6c3492402ee9'}]}, input_type=dict]
For further information visit https://errors.pydantic.dev/2.10/v/none_required

Versions

8.0.1

Additional Information

Example of the structure that procmemory currently takes:

  "procmemory": [
    {
      "path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp",
      "sha256": "8d752b624cc955ecf2d9970b6447ec2a373e4c3e6866853bb8bd7b71b30a4dbe",
      "pid": 7980,
      "name": "rundll32.exe",
      "proc_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
      "yara": [
        {
          "name": "shellcode_get_eip",
          "meta": {
            "author": "William Ballenthin",
            "email": "[email protected]",
            "license": "Apache 2.0",
            "copyright": "FireEye, Inc",
            "description": "Match x86 that appears to fetch $PC."
          },
          "strings": [
            "{ E8 00 00 00 00 58 }"
          ],
          "addresses": {
            "x86": 36632923
          }
        }
      ],
      "cape_yara": [],
      "address_space": [
        {
          "start": "0x00010000",
          "end": "0x00022000",
          "size": "0x00012000",
          "prot": "RW",
          "PE": false,
          "chunks": [
            {
              "start": "0x00010000",
              "end": "0x00020000",
              "size": "0x00010000",
              "prot": "RW",
              "state": 4096,
              "type": 262144,
              "offset": 24,
              "PE": false
            }
          ]
        },
      ],
      "strings_path": "/opt/CAPEv2/storage/analyses/36/memory/7980.dmp.strings",
      "extracted_pe": [
        {
          "name": "7980_0x73510000",
          "path": "/opt/CAPEv2/storage/analyses/36/memory/7980_0x73510000",
          "guest_paths": null,
          "size": 2805760,
          "crc32": "692101BD",
          "md5": "3191...a4e8",
          "sha1": "20e3...53a5",
          "sha256": "507f...2b69",
          "sha512": "ba01...bea9",
          "rh_hash": null,
          "ssdeep": "4915...xz7h",
          "type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
          "yara": [
            {
              "name": "HeavensGate",
              "meta": {
                "author": "kevoreilly",
                "description": "Heaven's Gate: Switch from 32-bit to 64-mode",
                "cape_type": "Heaven's Gate"
              },
              "strings": [
                "{ 6A 33 E8 00 00 00 00 83 04 24 05 CB }"
              ],
              "addresses": {
                "gate_v1": 121034
              }
            }
          ],
          "cape_yara": [],
          "clamav": [],
          "tlsh": "T160...E36E",
          "sha3_384": "cf87...6eb4"
        },
      ]
    },
  ]

[mr-tz]

Thanks! We haven't seen/modeled procmemory yet and these details are helpful for that.

[ChrisThibodeaux]

@mr-tz No worries. If there is anything I can lend a hand with or give extra information on, please let me know.

[mr-tz]

If you want to contribute (parts of) the model and/or submit a PR that could speed a solution up :)

[ChrisThibodeaux]

Sounds good to me. I will be able to really get after this in about a week or so when things slow down work wise.