fixes

Author: doomedraven

modules/signatures/windows/abuse_hvci.py

@@ -92,7 +92,7 @@ def __init__(self, *args, **kwargs):
         self.falseProcess = ("securityhealthservice", "ikernel.exe")
 
     def on_call(self, call, process):
-        if not process["process_name"].lower() in self.falseProcess:
+        if process["process_name"].lower() not in self.falseProcess:
             if call["api"] in ("RegSetValueExA", "RegSetValueExW"):
                 regKeyPath = self.get_argument(call, "FullName").lower()
                 buf = self.get_argument(call, "Buffer")

modules/signatures/windows/bootkit.py

@@ -122,7 +122,7 @@ class AccessesPrimaryPartition(Signature):
 
     def run(self):
         ret = False
-        match = self.check_write_file(pattern="^\\Device\\HarddiskVolume0\\DR0$", regex=True)
+        match = self.check_write_file(pattern=r"^\\Device\\HarddiskVolume0\\DR0$", regex=True)
         if match:
             self.data.append({"file": match})
             ret = True

modules/signatures/windows/bypass_uac.py

@@ -229,7 +229,7 @@ class ChecksUACStatus(Signature):
 
     def run(self):
         match = self.check_key(
-            pattern=r".*\SOFTWARE\(Wow6432Node\)?Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA$", regex=True
+            pattern=r".*\\SOFTWARE\(Wow6432Node\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", regex=True
         )
         if match:
             self.data.append({"regkey": match})
@@ -253,8 +253,6 @@ class UACBypassWindowsBackup(Signature):
     filter_apinames = set(["CreateProcessInternalW"])
 
     def on_call(self, call, process):
-        pname = process["process_name"].lower()
-
         # Checking parent process for false positives.
         if process["process_name"].lower() == "sdclt.exe" and call["api"] == "CreateProcessInternalW":
             cmdline = self.get_argument(call, "CommandLine")

modules/signatures/windows/disables_windefender.py

@@ -127,7 +127,7 @@ def run(self):
             r"HKEY_CLASSES_ROOT\\Directory\\shellex\\ContextMenuHandlers\\EPP$",
             r"HKEY_CLASSES_ROOT\\Drive\\shellex\\ContextMenuHandlers\\EPP$",
         )
-        pat = re.compile(".*\\shellex\\contextmenuhandlers\\epp")
+        pat = re.compile(r".*\\shellex\\contextmenuhandlers\\epp")
 
         for indicator in indicators:
             match = self.check_write_key(pattern=indicator, regex=True)

modules/signatures/windows/infostealer_mail.py

@@ -32,17 +32,17 @@ def run(self):
             r".*\\Thunderbird\\Profiles\\.*\.default$",
             r".*\\AppData\\Roaming\\Thunderbird\\profiles.ini$",
         )
-        registry_indicators = (
+        registry_indicators = [
             r".*\\Microsoft\\Windows\\ Messaging\\ Subsystem\\MSMapiApps.*",
             r".*\\Microsoft\\Windows\\ Messaging\\ Subsystem\\Profiles.*",
             r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Windows\\ Messaging\\ Subsystem\\Profiles.*",
             r".*\\Microsoft\\Office\\.*\\Outlook\\Profiles\\Outlook.*",
             r".*\\Microsoft\\Office\\Outlook\\OMI\\ Account\\ Manager\\Accounts.*",
             r".*\\Microsoft\\Internet\\ Account\\ Manager\\Accounts.*",
             r".*\\Software\\(Wow6432Node\\)?IncrediMail.*" r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\ Live\\ Mail.*",
-        )
+        ]
         if self.results.get("target", {}).get("category", "") == "file":
-            registry_indicators.append(".*\\Software\\(Wow6432Node\\)?Clients\\Mail.*")
+            registry_indicators.append(r".*\\Software\\(Wow6432Node\\)?Clients\\Mail.*")
 
         found_stealer = False
         for indicator in file_indicators:

modules/signatures/windows/office_dll_loading.py

@@ -34,10 +34,10 @@ class OfficeAddinLoading(Signature):
 
     def run(self):
         indicators = [
-            ".*\\AppData\\Roaming\\Microsoft\\Word\\startup\\*.wll",
-            ".*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*.xll",
-            ".*\\AppData\\Roaming\\Microsoft\\AddIns\\*.xlam",
-            ".*\\AppData\\Roaming\\Microsoft\\AddIns\\*.xla",
+            r".*\\AppData\\Roaming\\Microsoft\\Word\\startup\\*.wll",
+            r".*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*.xll",
+            r".*\\AppData\\Roaming\\Microsoft\\AddIns\\*.xlam",
+            r".*\\AppData\\Roaming\\Microsoft\\AddIns\\*.xla",
         ]
 
         for indicator in indicators:
@@ -61,7 +61,7 @@ class OfficePerfKey(Signature):
     mbcs += ["OC0008", "C0036"]  # micro-behaviour
 
     def run(self):
-        indicators = ["HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf$"]
+        indicators = [r"HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf$"]
 
         for indicator in indicators:
             match = self.check_write_key(pattern=indicator, regex=True)

modules/signatures/windows/rat_modi.py

@@ -28,8 +28,8 @@ class ModiRATBehavior(Signature):
 
     def run(self):
         reg_indicators = (
-            "HKEY_CURRENT_USER\\Software\\FFMPEG_URL.*",
-            "HKEY_CURRENT_USER\\Software\\Telegram_Notifier.*",
+            r"HKEY_CURRENT_USER\\Software\\FFMPEG_URL.*",
+            r"HKEY_CURRENT_USER\\Software\\Telegram_Notifier.*",
         )
         file_indicators = (
             r"[A-Z]:\\ProgramData\\ffmpeg\.exe$",

modules/signatures/windows/rat_nanocore.py

@@ -53,13 +53,13 @@ def on_call(self, call, process):
 
     def on_complete(self):
         badness = 0
-        guid = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}" "-[0-9a-fA-F]{12}"
+        guid = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}" "-[0-9a-fA-F]{12}"
         fileiocs = (
-            r".*\\" + guid + "\\run\.dat$",
-            r".*\\" + guid + "\\task\.dat$",
-            r".*\\" + guid + "\\catelog\.dat$",
-            r".*\\" + guid + "\\storage\.dat$",
-            r".*\\" + guid + "\\settings\.bin$",
+            r".*\\" + guid + r"\\run\.dat$",
+            r".*\\" + guid + r"\\task\.dat$",
+            r".*\\" + guid + r"\\catelog\.dat$",
+            r".*\\" + guid + r"\\storage\.dat$",
+            r".*\\" + guid + r"\\settings\.bin$",
         )
         for ioc in fileiocs:
             if self.check_write_file(pattern=ioc, regex=True):

modules/signatures/windows/stealth_webhistory.py

@@ -20,7 +20,7 @@ def run(self):
             r".*\\Temporary\\ Internet\\ Files\\Content\.IE5\\.*",
         ]
         if self.results.get("target", {}).get("category", "") == "file":
-            file_indicators.append(".*\\Cookies\\.*")
+            file_indicators.append(r".*\\Cookies\\.*")
         found_cleaner = False
         for indicator in file_indicators:
             file_match = self.check_delete_file(pattern=indicator, regex=True, all=True)

modules/signatures/windows/trojan_ursnif.py

@@ -43,7 +43,7 @@ def run(self):
         mutex_indicators = r"^Local\\\{[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\}$"
 
         for rkey in regkeys:
-            registry_indicators.append(regpath + "\\" + guid + "\\" + rkey + "$")
+            registry_indicators.append(regpath + r"\\" + guid + r"\\" + rkey + "$")
 
         registry_indicators.append(r".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableSPDY3_0$")