assemblyline 4.4.1.dev332__tar.gz → 4.4.1.dev336__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (169) hide show
  1. {assemblyline-4.4.1.dev332/assemblyline.egg-info → assemblyline-4.4.1.dev336}/PKG-INFO +1 -1
  2. assemblyline-4.4.1.dev336/assemblyline/VERSION +1 -0
  3. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/custom.yara +51 -3
  4. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/identify_defaults.py +5 -0
  5. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/str_utils.py +13 -4
  6. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/ontology.py +1 -1
  7. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/results/malware_config.py +1 -0
  8. assemblyline-4.4.1.dev336/assemblyline/run/__init__.py +0 -0
  9. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336/assemblyline.egg-info}/PKG-INFO +1 -1
  10. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline.egg-info/SOURCES.txt +1 -0
  11. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/setup.py +3 -2
  12. assemblyline-4.4.1.dev332/assemblyline/VERSION +0 -1
  13. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/LICENCE.md +0 -0
  14. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/MANIFEST.in +0 -0
  15. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/README.md +0 -0
  16. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/__init__.py +0 -0
  17. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/cachestore/__init__.py +0 -0
  18. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/__init__.py +0 -0
  19. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/archiving.py +0 -0
  20. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/attack_map.py +0 -0
  21. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/backupmanager.py +0 -0
  22. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/banner.py +0 -0
  23. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/bundling.py +0 -0
  24. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/caching.py +0 -0
  25. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/chunk.py +0 -0
  26. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/classification.py +0 -0
  27. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/classification.yml +0 -0
  28. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/cleanup_filestore.py +0 -0
  29. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/codec.py +0 -0
  30. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/comms.py +0 -0
  31. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/constants.py +0 -0
  32. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/custom.magic +0 -0
  33. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/dict_utils.py +0 -0
  34. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/digests.py +0 -0
  35. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/entropy.py +0 -0
  36. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/exceptions.py +0 -0
  37. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/file.py +0 -0
  38. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/forge.py +0 -0
  39. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/frequency.c +0 -0
  40. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/frequency.pyx +0 -0
  41. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/heuristics.py +0 -0
  42. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/hexdump.py +0 -0
  43. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/identify.py +0 -0
  44. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/importing.py +0 -0
  45. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/iprange.py +0 -0
  46. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/isotime.py +0 -0
  47. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/log.py +0 -0
  48. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/logformat.py +0 -0
  49. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/lucene.lark +0 -0
  50. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/memory_zip.py +0 -0
  51. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/metrics.py +0 -0
  52. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/net.py +0 -0
  53. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/net_static.py +0 -0
  54. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/null.py +0 -0
  55. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/path.py +0 -0
  56. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/postprocess.py +0 -0
  57. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/random_user.py +0 -0
  58. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/security.py +0 -0
  59. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/signaturing.py +0 -0
  60. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/tag_safelist.yml +0 -0
  61. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/tagging.py +0 -0
  62. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/uid.py +0 -0
  63. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/common/version.py +0 -0
  64. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datasource/__init__.py +0 -0
  65. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datasource/al.py +0 -0
  66. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datasource/alert.py +0 -0
  67. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datasource/common.py +0 -0
  68. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/__init__.py +0 -0
  69. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/bulk.py +0 -0
  70. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/collection.py +0 -0
  71. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/exceptions.py +0 -0
  72. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/helper.py +0 -0
  73. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/store.py +0 -0
  74. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/support/__init__.py +0 -0
  75. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/support/build.py +0 -0
  76. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/datastore/support/schemas.py +0 -0
  77. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/__init__.py +0 -0
  78. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/transport/__init__.py +0 -0
  79. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/transport/azure.py +0 -0
  80. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/transport/base.py +0 -0
  81. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/transport/ftp.py +0 -0
  82. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/transport/http.py +0 -0
  83. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/transport/local.py +0 -0
  84. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/transport/s3.py +0 -0
  85. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/filestore/transport/sftp.py +0 -0
  86. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/__init__.py +0 -0
  87. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/base.py +0 -0
  88. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/common.py +0 -0
  89. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/__init__.py +0 -0
  90. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/alert.py +0 -0
  91. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/alerter_heartbeat.py +0 -0
  92. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/archive_heartbeat.py +0 -0
  93. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/changes.py +0 -0
  94. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/dispatcher_heartbeat.py +0 -0
  95. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/dispatching.py +0 -0
  96. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/expiry_heartbeat.py +0 -0
  97. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/ingest_heartbeat.py +0 -0
  98. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/metrics.py +0 -0
  99. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/scaler_heartbeat.py +0 -0
  100. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/scaler_status_heartbeat.py +0 -0
  101. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/service_heartbeat.py +0 -0
  102. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/service_timing_heartbeat.py +0 -0
  103. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/submission.py +0 -0
  104. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/task.py +0 -0
  105. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/messages/vacuum_heartbeat.py +0 -0
  106. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/__init__.py +0 -0
  107. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/actions.py +0 -0
  108. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/alert.py +0 -0
  109. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/badlist.py +0 -0
  110. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/cached_file.py +0 -0
  111. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/config.py +0 -0
  112. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/emptyresult.py +0 -0
  113. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/error.py +0 -0
  114. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/file.py +0 -0
  115. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/filescore.py +0 -0
  116. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/heuristic.py +0 -0
  117. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/__init__.py +0 -0
  118. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/filetypes/__init__.py +0 -0
  119. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/filetypes/pe.py +0 -0
  120. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/results/__init__.py +0 -0
  121. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/results/antivirus.py +0 -0
  122. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/results/network.py +0 -0
  123. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/results/process.py +0 -0
  124. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/results/sandbox.py +0 -0
  125. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/ontology/results/signature.py +0 -0
  126. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/replay.py +0 -0
  127. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/result.py +0 -0
  128. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/retrohunt.py +0 -0
  129. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/safelist.py +0 -0
  130. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/service.py +0 -0
  131. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/service_delta.py +0 -0
  132. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/signature.py +0 -0
  133. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/statistics.py +0 -0
  134. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/submission.py +0 -0
  135. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/submission_summary.py +0 -0
  136. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/submission_tree.py +0 -0
  137. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/tagging.py +0 -0
  138. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/user.py +0 -0
  139. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/user_favorites.py +0 -0
  140. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/user_settings.py +0 -0
  141. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/models/workflow.py +0 -0
  142. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/random_data/__init__.py +0 -0
  143. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/random_data/create_test_data.py +0 -0
  144. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/random_data/sample_rules.yar +0 -0
  145. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/random_data/sample_suricata.rules +0 -0
  146. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/odm/randomizer.py +0 -0
  147. /assemblyline-4.4.1.dev332/assemblyline/remote/__init__.py → /assemblyline-4.4.1.dev336/assemblyline/py.typed +0 -0
  148. {assemblyline-4.4.1.dev332/assemblyline/remote/datatypes/queues → assemblyline-4.4.1.dev336/assemblyline/remote}/__init__.py +0 -0
  149. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/__init__.py +0 -0
  150. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/counters.py +0 -0
  151. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/events.py +0 -0
  152. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/exporting_counter.py +0 -0
  153. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/hash.py +0 -0
  154. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/lock.py +0 -0
  155. {assemblyline-4.4.1.dev332/assemblyline/run → assemblyline-4.4.1.dev336/assemblyline/remote/datatypes/queues}/__init__.py +0 -0
  156. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/queues/comms.py +0 -0
  157. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/queues/multi.py +0 -0
  158. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/queues/named.py +0 -0
  159. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/queues/priority.py +0 -0
  160. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/set.py +0 -0
  161. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/remote/datatypes/user_quota_tracker.py +0 -0
  162. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/run/cli.py +0 -0
  163. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/run/pubsub_reader.py +0 -0
  164. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/run/suricata_importer.py +0 -0
  165. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline/run/yara_importer.py +0 -0
  166. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline.egg-info/dependency_links.txt +0 -0
  167. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline.egg-info/requires.txt +0 -0
  168. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/assemblyline.egg-info/top_level.txt +0 -0
  169. {assemblyline-4.4.1.dev332 → assemblyline-4.4.1.dev336}/setup.cfg +0 -0
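--- a/assemblyline-4.4.1.dev332/assemblyline.egg-info/PKG-INFO
+++ b/assemblyline-4.4.1.dev336/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: assemblyline
-Version: 4.4.1.dev332
+Version: 4.4.1.dev336
 Summary: Assemblyline 4 - Automated malware analysis framework
 Home-page: https://github.com/CybercentreCanada/assemblyline-base
 Author: CCCS Assemblyline development team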
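--- /dev/null
+++ b/assemblyline-4.4.1.dev336/assemblyline/VERSION
@@ -0,0 +1 @@
+4.4.1.dev336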
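--- a/assemblyline-4.4.1.dev332/assemblyline/common/custom.yara
+++ b/assemblyline-4.4.1.dev336/assemblyline/common/custom.yara
@@ -10,9 +10,11 @@ rule code_javascript {
 strings:
 $not_html = /^\s*<\w/
 
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L431
 $strong_js2 = /\beval[ \t]*\(['"]/
 
 // jscript
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L659
 $strong_js3 = /new[ \t]+ActiveXObject\(/
 
 $strong_js4 = /Scripting\.Dictionary['"]/
@@ -21,6 +23,8 @@ rule code_javascript {
 $strong_js7 = /submitForm\(['"]/
 $strong_js8 = /\b(document|window)(\[['"a-zA-Z]|\.)\w+\b/
 $strong_js9 = "setTimeout("
+// Suported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L659
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L431
 $strong_js10 = /(^|;|\s)(var|let|const)[ \t]+\w+[ \t]*=/
 // If this is exactly in the sample, will trigger a second time because of strong_js10
 $strong_js11 = /(^|\n)window.location.href[ \t]*=/
@@ -31,13 +35,24 @@ rule code_javascript {
 // Firefox browser specific method
 $strong_js13 = /user_pref\("[\w.]+",\s*[\w"']+\)/
 
+// Inspired by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L431
+$strong_js14 = "alert("
+$strong_js15 = ".charAt("
+$strong_js16 = "decodeURIComponent("
+$strong_js17 = ".charCodeAt("
+$strong_js18 = ".toString("
+
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L659
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L431
 // This method of function declaration is shared with PowerShell, so it should be considered weak-ish
 $function_declaration = /(^|;|\s|\(|\*\/)function([ \t]*|[ \t]+[\w|_]+[ \t]*)\([\w_ \t,]*\)[ \t\n\r]*{/
 
 $weak_js2 = /String(\[['"]|\.)(fromCharCode|raw)(['"]\])?\(/
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L431
 $weak_js3 = /Math\.(round|pow|sin|cos)\(/
 $weak_js4 = /(isNaN|isFinite|parseInt|parseFloat|toLowerCase|toUpperCase)\(/
-$weak_js5 = /([^\w]|^)this\.[\w]+/
+// Supported and inspired by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L659
+$weak_js5 = /([^\w]|^)this[\.\[][\w'"]+/
 // This is shared in PowerShell (although in PowerShell it should be .Length)
 $weak_js6 = /([^\w]|^)[\w]+\.length/
 // This is shared in C++
@@ -134,20 +149,32 @@ rule code_vbs {
 strings:
 $multiline = " = @'\r\n" //powershell multiline string
 
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L650
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L485
 $strong_vbs1 = /(^|\n)On[ \t]+Error[ \t]+Resume[ \t]+Next/i ascii wide
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L650
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L485
 $strong_vbs2 = /(^|\n|\()(Private|Public)?[ \t]*(Sub|Function)[ \t]+\w+\([ \t]*((ByVal[ \t]+)?\w+([ \t]+As[ \t]+\w+)?,?)*\)[ \t]*[\)\r]/i ascii wide
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L650
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L485
 $strong_vbs3 = /(^|\n)[ \t]*End[ \t]+(Module|Function|Sub|If)/i ascii wide
 $strong_vbs4 = "\nExecuteGlobal" ascii wide
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L485
 $strong_vbs6 = /(^|\n|:)(Attribute|Set|const)[ \t]+\w+[ \t]+=/i ascii wide
 $strong_vbs7 = /(^|\n)[ \t]*Err.Raise[ \t]+\d+(,[ \t]+"[^"]+")+/i ascii wide
 $strong_vbs8 = /[ \t(=]replace\(/i ascii wide
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L650
 // CreateObject("blah")
 $strong_vbs9 = "CreateObject(" nocase ascii wide
 $strong_vbs10 = "GetObject(" nocase ascii wide
 $strong_vbs11 = "\nEval(" nocase ascii wide
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L650
 $strong_vbs12 = "Execute(" nocase ascii wide
 $strong_vbs13 = "\nMsgBox \"" nocase ascii wide
+// Inspired by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L650
+$strong_vbs14 = "Array(" nocase ascii wide
 // Dim blah
+// Supported by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L485
 $weak_vbs1 = /\bDim\b\s+\w+[\r:]/i ascii wide
 
 condition:
@@ -226,7 +253,9 @@ rule code_html_1 {
 score = 10
 
 strings:
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L670
 $html_doctype = /(^|\n|\>)[ \t]*<!doctype html>/i
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L670
 $html_start = /(^|\n|\>)[ \t]*<html/i
 $html_end = /(^|\n|\>)[ \t]*<\/html/i
 
@@ -303,6 +332,7 @@ rule code_html_component {
 strings:
 $component1 = "public:component " nocase
 $component2 = "/public:component" nocase
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L670
 $script = "<script" nocase
 $lang_js1 = "language=\"javascript\"" nocase
 $lang_js2 = "language=\"jscript\"" nocase
@@ -504,8 +534,11 @@ rule code_ps1 {
 score = 1
 
 strings:
-$strong_pwsh1 = /(IWR|Add-(MpPreference|Type)|Start-(BitsTransfer|Sleep)|Get-(ExecutionPolicy|Service|Process|Counter|WinEvent|ChildItem|Variable|Item)|Where-Object|ConvertTo-HTML|Select-Object|Clear-(History|Content)|ForEach-Object|Compare-Object|New-(ItemProperty|Object|WebServiceProxy)|Set-(Alias|Location|Item)|Wait-Job|Test-Path|Rename-Item|Stop-Process|Out-String|Write-Error|Invoke-(Expression|WebRequest))\b/i ascii wide
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L671
+// Supported and inspired by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L406
+$strong_pwsh1 = /(IWR|Add-(MpPreference|Type)|Start-(BitsTransfer|Sleep|Process)|Get-(ExecutionPolicy|Service|Process|Counter|WinEvent|ChildItem|Variable|Item|WmiObject)|Where-Object|ConvertTo-HTML|Select-Object|Clear-(History|Content)|ForEach-Object|Compare-Object|New-(ItemProperty|Object|WebServiceProxy)|Set-(Alias|Location|Item|ItemProperty|StringMode)|Wait-Job|Test-Path|Rename-Item|Stop-Process|Out-String|Write-Error|Invoke-(Expression|WebRequest)|Copy-Item)\b/i ascii wide
 $strong_pwsh2 = /(-ExclusionPath|-memberDefinition|-Name|-namespace|-passthru|-command|-TypeName|-join|-split|-sou|-dest|-property|-OutF(ile)?|-ExecutionPolicy Bypass|-uri|-AllowStartIfOnBatteries|-MultipleInstances|-TaskName|-Trigger)\b/i ascii wide
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L671
 $strong_pwsh3 = /(\.Get(String|Field|Type|Method)|FromBase64String)\(/i ascii wide
 $strong_pwsh4 = "System.Net.WebClient" nocase ascii wide
 $strong_pwsh5 = "Net.ServicePointManager" nocase ascii wide
@@ -517,6 +550,10 @@ rule code_ps1 {
 $strong_pwsh11 = /\[Microsoft\.VisualBasic\.(Interaction|CallType)\]/i ascii wide
 $strong_pwsh12 = /[ \t;\n]foreach[ \t]*\([ \t]*\$\w+[ \t]+in[ \t]+[^)]+\)[ \t;\n]*{/i ascii wide
 $strong_pwsh13 = /\[char\][ \t]*(\d\d|0x[0-9a-f]{1,2})/i ascii wide
+// Inspired by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L671
+$strong_pwsh14 = /\|[ \t]*iex\b/i ascii wide
+// Inspired by https://github.com/CAPESandbox/sflock/blob/1e0ed7e18ddfe723c2d2603875ca26d63887c189/sflock/ident.py#L406
+$strong_pwsh15 = "$PSHOME" nocase ascii wide
 $weak_pwsh1 = /\$\w+[ \t]*=[ \t]*[^;\n|]+[;\n|]/ ascii wide
 
 // https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comparison_operators?view=powershell-7.3
@@ -535,6 +572,7 @@ rule code_ps1 {
 $weak_pwsh7 = /[\s\(]\-(not)\s/ ascii wide
 $weak_pwsh8 = /\s\-(and|or|xor)\s/ ascii wide
 
+// Supported by https://github.com/CERT-Polska/karton-classifier/blob/4cf125296e3a0c1d6c1cb8c16f97d608054c7f19/karton/classifier/classifier.py#L659
 // This method of function declaration is shared with JavaScript, so it should be considered weak
 $weak_pwsh9 = /(^|;|\s|\(|\*\/)function([ \t]*|[ \t]+[\w|_]+[ \t]*)\([\w_ \t,]*\)[ \t\n\r]*{/
 
@@ -1083,11 +1121,21 @@ rule code_a3x {
 $ = "/AutoIt3ExecuteLine" ascii wide
 $ = "/AutoIt3ExecuteScript" ascii wide
 $ = "/AutoIt3OutputDebug" ascii wide
-$ = ">>>AUTOIT NO CMDEXECUTE<<<" ascii wide
 $ = ">>>AUTOIT SCRIPT<<<" ascii wide
+
+// Supported by https://github.com/CERT-Polska/karton-autoit-ripper/blob/9aef5046d012f4a14f0c12de7a682fad0202c19c/karton/autoit_ripper/autoit.yar
+$ = ">>>AUTOIT NO CMDEXECUTE<<<" ascii wide
 $ = "This is a third-party compiled AutoIt script." ascii wide
 $ = "AU3!EA06" ascii wide
 
+// Inspired by https://github.com/CERT-Polska/karton-autoit-ripper/blob/9aef5046d012f4a14f0c12de7a682fad0202c19c/karton/autoit_ripper/autoit.yar
+$ = "AutoIt v3" ascii wide
+$ = "AU3_GetPluginDetails" ascii wide
+$ = "AU3!EA05"
+$ = "AutoIt script files (*.au3, *.a3x)" wide
+$ = { A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D 41 55 33 21 45 41 30 36 }
+$ = { A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D 41 55 33 21 45 41 30 35 }
+
 condition:
 uint16(0) != 0x5A4D and any of them
 }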
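Review bot: The five new `code_javascript` strings `$strong_js14`–`$strong_js18` (`"alert("`, `".charAt("`, `"decodeURIComponent("`, `".charCodeAt("`, `".toString("`) are short case-sensitive substrings, and `.toString(`, `.charAt(` and `.charCodeAt(` occur just as routinely in Java, C# and TypeScript sources, so grading them as *strong* will raise the JavaScript score on files that are not JavaScript; the rule's `condition:` lies outside the hunk, so the exact weight they carry cannot be confirmed here. Consider naming them `$weak_js*` like the similarly generic `$weak_js4` group, or keeping only `decodeURIComponent(` and `alert(` as strong. In the `@@ -21,6 +23,8 @@` hunk the comment reads `// Suported by …` and should be `// Supported by …`. In `code_a3x`, the new `$ = "AU3!EA05"` is the only string in the rule without `ascii wide`, so unlike its sibling `"AU3!EA06"` it will not match the UTF-16 form; write `$ = "AU3!EA05" ascii wide` unless the omission is deliberate, in which case a comment saying so would help.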
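--- a/assemblyline-4.4.1.dev332/assemblyline/common/identify_defaults.py
+++ b/assemblyline-4.4.1.dev336/assemblyline/common/identify_defaults.py
@@ -367,6 +367,11 @@ trusted_mimes = {
 "application/vnd.ms-cab-compressed": "archive/cabinet",
 "application/zstd": "archive/zstd",
 "application/x-zstd": "archive/zstd",
+
+# Inspired by https://github.com/CAPESandbox/sflock/blob/1fe3cf32d01d66c4ad38696c609b13d4f4bc9ea3/sflock/ident.py#L116
+"application/x-7z-compressed": "archive/7-zip",
+"application/x-bzip2": "archive/bzip2",
+"application/java-archive": "java/jar",
 
 # JAVA Class
 "application/x-java-applet": "java/class",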
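Review bot: `"application/java-archive": "java/jar"` is added to the archive group under the sflock comment, while the `# JAVA Class` group that begins two lines later is where the table keeps its Java mappings; moving the line there keeps `trusted_mimes` grouped by target type, and the 7-zip and bzip2 entries can stay where they are. Because this table is named `trusted_mimes`, the reported MIME type is presumably accepted as the final type without the content checks that apply to untrusted types (the lookup code is outside the hunk); a JAR is a plain ZIP that libmagic labels by its manifest entry, so it is worth confirming that `java/jar` still goes through the same nested-archive handling as `archive/zip` before the mapping is relied on.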
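--- a/assemblyline-4.4.1.dev332/assemblyline/common/str_utils.py
+++ b/assemblyline-4.4.1.dev336/assemblyline/common/str_utils.py
@@ -1,7 +1,8 @@
-import chardet
 import re
 from copy import copy
-from typing import Union
+from typing import Literal, Union, overload
+
+import chardet
 
 
 def remove_bidir_unicode_controls(in_str):
@@ -108,6 +109,14 @@ def escape_str_strict(s: bytes, reversible=True) -> str:
 return escaped.decode('utf-8')
 
 
+@overload
+def safe_str(s: object, force_str: Literal[True]) -> str: ...
+
+
+@overload
+def safe_str(s: Union[str, bytes], force_str: Literal[False] = False) -> str: ...
+
+
 def safe_str(s, force_str=False):
 return escape_str(s, reversible=False, force_str=force_str)
 
@@ -117,7 +126,7 @@ def is_safe_str(s) -> bool:
 
 
 # noinspection PyBroadException
-def translate_str(s, min_confidence=0.7) -> dict:
+def translate_str(s: Union[str, bytes], min_confidence=0.7) -> dict:
 if not isinstance(s, (str, bytes)):
 raise TypeError(f'Expected str or bytes got {type(s)}')
 
@@ -131,7 +140,7 @@ def translate_str(s, min_confidence=0.7) -> dict:
 
 if r['confidence'] > 0 and r['confidence'] >= min_confidence:
 try:
-t = s.decode(r['encoding'])
+t: Union[bytes, str] = s.decode(r['encoding'])
 except Exception:
 t = s
 else: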
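Review bot: The two `@overload` stubs for `safe_str` leave no variant for a caller that passes `force_str` as an ordinary `bool` (a flag computed at runtime rather than written as a literal), so a checker such as mypy may report such calls as matching no overload even though the implementation `def safe_str(s, force_str=False)` accepts them. A third, catch-all stub after the two specific ones, `@overload` / `def safe_str(s: object, force_str: bool = False) -> str: ...`, closes that gap; alternatively annotate the implementation's parameters so the fallback is explicit. In `translate_str`, the new `s: Union[str, bytes]` annotation makes `s.decode(r['encoding'])` in the last hunk a type error on the `str` branch; presumably `s` has already been converted to `bytes` between the hunks (those lines are not visible), in which case narrowing the annotation at that point is cleaner than relying on the broad `except Exception` to mask it at runtime.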
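--- a/assemblyline-4.4.1.dev332/assemblyline/odm/models/ontology/ontology.py
+++ b/assemblyline-4.4.1.dev336/assemblyline/odm/models/ontology/ontology.py
@@ -5,7 +5,7 @@ from assemblyline.odm.models.ontology.results import Antivirus, Process, Sandbox
 from assemblyline.odm.models.ontology.filetypes import PE
 
 Classification = forge.get_classification()
-ODM_VERSION = "1.5"
+ODM_VERSION = "1.6"
 
 
 @odm.model(description="File Characteristics")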
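--- a/assemblyline-4.4.1.dev332/assemblyline/odm/models/ontology/results/malware_config.py
+++ b/assemblyline-4.4.1.dev336/assemblyline/odm/models/ontology/results/malware_config.py
@@ -161,6 +161,7 @@ class MalwareConfig(odm.Model):
 mutex = odm.Optional(odm.List(odm.Text()), description="Mutex")
 pipe = odm.Optional(odm.List(odm.Text()), description="Pipe")
 sleep_delay = odm.Optional(odm.Integer(), description="Sleep Delay")
+sleep_delay_jitter = odm.Optional(odm.Integer(), description="Sleep Delay Jitter")
 inject_exe = odm.Optional(odm.List(odm.Text()), description="Injected EXE")
 
 binaries = odm.Optional(odm.List(odm.Compound(Binary)), description="Binaries")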
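Review bot: The description of the new `sleep_delay_jitter` field states no unit, and jitter is recorded as a percentage of the base sleep by some families and as an absolute time span by others, so consumers of the ontology cannot normalize the value or combine it with `sleep_delay`, whose description has the same gap. Suggest `description="Sleep Delay Jitter (<unit>, same basis as sleep_delay)"` with the unit the ontology intends, and the matching unit on `sleep_delay` while the schema version is being bumped anyway. The `ODM_VERSION` change to `"1.6"` in ontology.py is the right companion to this addition.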
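--- a/assemblyline-4.4.1.dev332/PKG-INFO
+++ b/assemblyline-4.4.1.dev336/assemblyline.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: assemblyline
-Version: 4.4.1.dev332
+Version: 4.4.1.dev336
 Summary: Assemblyline 4 - Automated malware analysis framework
 Home-page: https://github.com/CybercentreCanada/assemblyline-base
 Author: CCCS Assemblyline development team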
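--- a/assemblyline-4.4.1.dev332/assemblyline.egg-info/SOURCES.txt
+++ b/assemblyline-4.4.1.dev336/assemblyline.egg-info/SOURCES.txt
@@ -5,6 +5,7 @@ setup.cfg
 setup.py
 assemblyline/VERSION
 assemblyline/__init__.py
+assemblyline/py.typed
 assemblyline.egg-info/PKG-INFO
 assemblyline.egg-info/SOURCES.txt
 assemblyline.egg-info/dependency_links.txt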
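--- a/assemblyline-4.4.1.dev332/setup.py
+++ b/assemblyline-4.4.1.dev336/setup.py
@@ -1,6 +1,6 @@
 import os
 
-from setuptools import setup, find_packages, Extension
+from setuptools import Extension, find_packages, setup
 
 try:
 # noinspection PyUnresolvedReferences,PyPackageRequirements
@@ -115,6 +115,7 @@ setup(
 "*.pxd",
 "*.lark",
 "VERSION",
-]
+],
+"assemblyline": ["py.typed"]
 }
 )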
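Review bot: The new `"assemblyline": ["py.typed"]` entry in `package_data` has no trailing comma, although the previous entry was just edited from `]` to `],` for exactly that purpose, so the next addition will have to touch this line again; write `"assemblyline": ["py.typed"],`. Shipping `py.typed` also declares the distribution as PEP 561-typed, which means downstream type checkers will start consuming this package's annotations; the `safe_str` overloads added in the same release are consistent with that, but any public function that is still unannotated will resolve to `Any` for dependents, so the marker is a commitment to keep annotating rather than a one-off.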
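--- a/assemblyline-4.4.1.dev332/assemblyline/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-4.4.1.dev332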