kevoreilly · doomedraven · Apr 7, 2025 · Apr 7, 2025 · Apr 7, 2025 · Apr 7, 2025
diff --git a/conf/default/web.conf.default b/conf/default/web.conf.default
@@ -46,6 +46,8 @@ anon_viewable = no
 existent_tasks = no
 top_detections = yes
 top_asn = yes
+# Enable checking for samples in MongoDB before fetching from external sources. Disable to reduce MongoDB load when the database is large.
+check_sample_in_mongodb = no
 # hostname of the cape instance
 hostname = 127.0.0.1
 ;hostname = www.capesandbox.com

diff --git a/data/yara/CAPE/CobaltStrikeBeacon.yar b/data/yara/CAPE/CobaltStrikeBeacon.yar
@@ -17,9 +17,9 @@ rule CobaltStrikeBeacon
         $pwsh1 = "IEX (New-Object Net.Webclient).DownloadString('http" ascii
         $pwsh2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
         $ver3a = {69 68 69 68 69 6b ?? ?? 69}
-        $ver3b = {69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69}
+        $ver3b = "iiiiiiiiiiiiiiii"
         $ver4a = {2e 2f 2e 2f 2e 2c ?? ?? 2e}
-        $ver4b = {2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e}
+        $ver4b = "................"
         $a1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x00-0xff)
         $a2 = "Started service %s on %s" xor(0x00-0xff)
         $a3 = "%s as %s\\%s: %d" xor(0x00-0xff)

diff --git a/data/yara/CAPE/NetTraveler.yar b/data/yara/CAPE/NetTraveler.yar
@@ -5,7 +5,7 @@ rule NetTraveler
         description = "NetTraveler Payload"
         cape_type = "NetTraveler Payload"
     strings:
-        $string1 = {4E 61 6D 65 3A 09 25 73 0D 0A 54 79 70 65 3A 09 25 73 0D 0A 53 65 72 76 65 72 3A 09 25 73 0D 0A} // "Name: %s  Type: %s  Server: %s "
+        $string1 = "Name:\t%s\r\nType:\t%s\r\nServer:\t%s\r\n"
         $string2 = "Password Expiried Time:"
         $string3 = "Memory: Total:%dMB,Left:%dMB (for %.2f%s)"
 

diff --git a/data/yara/CAPE/Zloader.yar b/data/yara/CAPE/Zloader.yar
@@ -8,7 +8,7 @@ rule Zloader
     strings:
         $rc4_init = {31 [1-3] 66 C7 8? 00 01 00 00 00 00 90 90 [0-5] 8? [5-90] 00 01 00 00 [0-15] (74|75)}
         $decrypt_conf = {83 C4 04 84 C0 74 5? E8 [4] E8 [4] E8 [4] E8 [4] ?8 [4] ?8 [4] ?8}
-        $decrypt_conf_1 = {48 8d [5] [0-6] e8 [4] 48 [3-4] 48 [3-4] 48 [6] E8}
+        $decrypt_conf_1 = {48 8d [5-11] e8 [4] 48 [3-4] 48 [3-4] 48 [6] E8}
         $decrypt_conf_2 = {48 8d [5] 4? [5] e8 [4] 48 [3-4] 48 8d [5] E8 [4] 48}
         $decrypt_key_1 = {66 89 C2 4? 8D 0D [3] 00 4? B? FC 03 00 00 E8 [4] 4? 83 C4 [1-2] C3}
         $decrypt_key_2 = {48 8d 0d [3] 00 66 89 ?? 4? 89 F0 4? [2-5] E8 [4-5] 4? 83 C4}

diff --git a/lib/cuckoo/core/database.py b/lib/cuckoo/core/database.py
@@ -2352,7 +2352,9 @@ def sample_path_by_hash(self, sample_hash: str = False, task_id: int = False):
                 if path_exists(path):
                     sample = [path]
 
-            if not sample:
+
+            if not sample and web_conf.general.check_sample_in_mongodb:
+                tasks = []
                 if repconf.mongodb.enabled:
                     tasks = mongo_find(
                         "analysis",
@@ -2368,8 +2370,6 @@ def sample_path_by_hash(self, sample_hash: str = False, task_id: int = False):
                             _source=["CAPE.payloads", "info.id"],
                         )["hits"]["hits"]
                     ]
-                else:
-                    tasks = []
 
                 if tasks:
                     for task in tasks:
@@ -2443,7 +2443,7 @@ def sample_path_by_hash(self, sample_hash: str = False, task_id: int = False):
                                 sample = [path]
                                 break
 
-            if not sample:
+            if not sample and web_conf.general.check_sample_in_mongodb:
                 # search in Suricata files folder
                 if repconf.mongodb.enabled:
                     tasks = mongo_find(