polyswarm · sbneto · Oct 27, 2023 · Oct 30, 2023 · Nov 6, 2023 · Nov 6, 2023
diff --git a/analyzer/windows/modules/packages/edge.py b/analyzer/windows/modules/packages/edge.py
@@ -6,10 +6,20 @@ class Edge(Package):
 
     PATHS = [
         ("ProgramFiles", "Microsoft", "Edge", "Application", "msedge.exe"),
+        ("ProgramFiles(x86)", "Microsoft", "EdgeCore", "*", "msedge.exe"),
     ]
     summary = "Opens the URL in Microsoft Edge."
     description = """Uses msedge.exe to open the supplied url."""
 
     def start(self, url):
-        edge = self.get_path("msedge.exe")
-        return self.execute(edge, f'"{url}"', url)
+        edge = self.get_path_glob("msedge.exe")
+        args = [
+            "--disable-features=RendererCodeIntegrity",
+            "--disable-extensions",
+            "--no-first-run",
+            "--no-default-browser-check",
+            "--profile-directory=maxine",
+        ]
+        args.append('"{}"'.format(url))
+        args = " ".join(args)
+        return self.execute(edge, args, url)
diff --git a/analyzer/windows/modules/packages/firefox.py b/analyzer/windows/modules/packages/firefox.py
@@ -10,6 +10,7 @@ class Firefox(Package):
 
     PATHS = [
         ("ProgramFiles", "Mozilla Firefox", "firefox.exe"),
+        ("ProgramFiles(x86)", "Mozilla Firefox", "firefox.exe")
     ]
     summary = "Opens the URL in firefox."
     description = """Uses firefox.exe to open the supplied url."""

diff --git a/extra/yara_installer.sh b/extra/yara_installer.sh
@@ -8,9 +8,16 @@ if [ ! -d /tmp/yara-python ]; then
     git clone --recursive https://github.com/VirusTotal/yara-python /tmp/yara-python
 fi
 
-/etc/poetry/bin/poetry --directory /opt/CAPEv2 run bash -c "cd /tmp/yara-python && python setup.py build --enable-cuckoo --enable-magic --enable-profiling"
-/etc/poetry/bin/poetry --directory /opt/CAPEv2 run pip install /tmp/yara-python
+cd /tmp/yara-python
+git checkout ${YARA_PYTHON_GITHUB_SHA}
+
+poetry --directory /opt/CAPEv2 run python setup.py build --enable-cuckoo --enable-magic --enable-profiling
+poetry --directory /opt/CAPEv2 run pip install .
 
 if [ -d /tmp/yara-python ]; then
     rm -rf /tmp/yara-python
 fi
+
+if [ -d yara-python ]; then
+    rm -rf yara-python
+fi
diff --git a/installer/cape2.sh b/installer/cape2.sh
@@ -56,7 +56,7 @@ librenms_mdadm_enable=0
 librenms_megaraid_enable=0
 
 # disabling this will result in the web interface being disabled
-MONGO_ENABLE=1
+MONGO_ENABLE=0
 
 DIE_VERSION="3.10"
 
@@ -739,9 +739,9 @@ EOF
     sed -i '$a include:\n  - cape.yaml\n' /etc/suricata/suricata.yaml
     usermod -aG pcap suricata
     usermod -aG suricata "${USER}"
-    # sudo chmod -R g+w /var/log/suricata/
-    # sudo chmod -R g+w /var/run/suricata/
-    # sudo chmod -R g+w /etc/suricata
+
+#    chown ${USER}:${USER} -R /etc/suricata
+#    chown ${USER}:${USER} -R /var/log/suricata
     systemctl restart suricata
 
     # How to verify config options
@@ -797,7 +797,7 @@ function install_yara() {
     ldconfig
 
     # Run yara installer script
-    sudo -u ${USER} /etc/poetry/bin/poetry --directory /opt/CAPEv2 run extra/yara_installer.sh
+    sudo -u ${USER} bash -c "YARA_PYTHON_GITHUB_SHA=${YARA_PYTHON_GITHUB_SHA} poetry --directory /opt/CAPEv2/ run /opt/CAPEv2/extra/yara_installer.sh"
 
     if [ -d yara-python ]; then
         sudo rm -rf yara-python
@@ -846,8 +846,8 @@ function install_mongo(){
             systemctl stop mongod.service
             systemctl disable mongod.service
             rm /lib/systemd/system/mongod.service
-            rm /lib/systemd/system/mongod.service
-            systemctl daemon-reload
+#            rm /lib/systemd/system/mongod.service
+#            systemctl daemon-reload
         fi
 
         if [ ! -f /lib/systemd/system/mongodb.service ]; then
@@ -880,8 +880,8 @@ EOF
         sudo mkdir -p /data/{config,}db
         sudo chown mongodb:mongodb /data/ -R
         systemctl unmask mongodb.service
-        systemctl enable mongodb.service
-        systemctl restart mongodb.service
+#        systemctl enable mongodb.service
+#        systemctl restart mongodb.service
 
         if ! crontab -l | grep -q -F 'delete-unused-file-data-in-mongo'; then
             crontab -l | { cat; echo "30 1 * * 0 cd /opt/CAPEv2 && sudo -u ${USER} /etc/poetry/bin/poetry run python ./utils/cleaners.py --delete-unused-file-data-in-mongo"; } | crontab -
@@ -1259,16 +1259,15 @@ function install_CAPE() {
     # Adapting owner permissions to the ${USER} path folder
     cd "/opt/CAPEv2/" || return
     sudo -u ${USER} bash -c 'export PYTHON_KEYRING_BACKEND=keyring.backends.null.Keyring; CRYPTOGRAPHY_DONT_BUILD_RUST=1 /etc/poetry/bin/poetry install'
-
     if [ "$DISABLE_LIBVIRT" -eq 0 ]; then
-        sudo -u ${USER} bash -c 'export PYTHON_KEYRING_BACKEND=keyring.backends.null.Keyring; /etc/poetry/bin/poetry run extra/libvirt_installer.sh'
+        sudo -u ${USER} bash -c 'export PYTHON_KEYRING_BACKEND=keyring.backends.null.Keyring; poetry run /opt/CAPEv2/extra/libvirt_installer.sh'
         sudo usermod -aG kvm ${USER}
         sudo usermod -aG libvirt ${USER}
     fi
 
     #packages are needed for build options in extra/yara_installer.sh
-    sudo apt-get install -y libjansson-dev libmagic1 libmagic-dev
-    sudo -u ${USER} bash -c '/etc/poetry/bin/poetry run /opt/CAPEv2/extra/yara_installer.sh'
+    apt-get install libjansson-dev libmagic1 libmagic-dev -y
+    sudo -u ${USER} bash -c "YARA_PYTHON_GITHUB_SHA=${YARA_PYTHON_GITHUB_SHA} poetry run /opt/CAPEv2/extra/yara_installer.sh"
 
     if [ -d /tmp/yara-python ]; then
         sudo rm -rf /tmp/yara-python
@@ -1285,6 +1284,8 @@ function install_CAPE() {
 
     chown ${USER}:${USER} -R "/opt/CAPEv2/"
 
+    sudo -u ${USER} bash -c '/etc/poetry/bin/poetry --directory /opt/CAPEv2/ run pip install -U git+https://github.com/polyswarm/httpreplay'
+
     if [ "$MONGO_ENABLE" -ge 1 ]; then
         crudini --set conf/reporting.conf mongodb enabled yes
     fi
@@ -1320,6 +1321,8 @@ exec $@
 EOF
     chmod +x /opt/mitmproxy/mitmdump_wrapper.sh
 fi
+    sed -i 's/security_driver = "apparmor"/security_driver = "none"/g' /etc/libvirt/qemu.conf
+
 }
 
 function install_systemd() {
@@ -1332,7 +1335,7 @@ function install_systemd() {
     systemctl daemon-reload
     cape_web_enable_string=''
     if [ "$MONGO_ENABLE" -ge 1 ]; then
-        cape_web_enable_string="cape-web"
+      cape_web_enable_string="cape-web"
     fi
 
     systemctl enable cape cape-rooter cape-processor "$cape_web_enable_string" suricata
@@ -1392,9 +1395,9 @@ function install_node_exporter() {
 
 function install_volatility3() {
     echo "[+] Installing volatility3"
-    sudo apt-get install -y unzip
-    sudo -u ${USER} /etc/poetry/bin/poetry run pip3 install git+https://github.com/volatilityfoundation/volatility3
-    vol_path=$(sudo -u ${USER} /etc/poetry/bin/poetry run python3 -c "import volatility3.plugins;print(volatility3.__file__.replace('__init__.py', 'symbols/'))")
+    sudo apt-get install unzip
+    sudo -u ${USER} poetry --directory /opt/CAPEv2/ run pip3 install git+https://github.com/volatilityfoundation/volatility3
+    vol_path=$(sudo -u ${USER} poetry --directory /opt/CAPEv2/ run python3 -c "import volatility3.plugins;print(volatility3.__file__.replace('__init__.py', 'symbols/'))")
     cd $vol_path || return
     wget https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip -O windows.zip
     unzip -o windows.zip