
Wrong identification of Python code #284

Open
kam193 opened this issue Nov 8, 2024 · 2 comments
Assignees: gdesmar
Labels: assess (We still haven't decided if this will be worked on or not), bug (Something isn't working)

Comments


kam193 commented Nov 8, 2024

Describe the bug
As usual, there are a couple of Python code files that were not identified correctly :)

cc: @gdesmar

Password for all files: zippy. As usual, they can contain dangerous code.

The following files were identified as text/plain:

  1. BitForger.py.zip
    • possible characteristics: import urllib.request, subprocess.run, urllib.request.urlretrieve
  2. _deobfuscated_code_FINAL.py (kopia).zip
    • characteristic executor: exec(lzma.decompress(
  3. init.py.zip
    • quite similar to (1), but a little longer
  4. init.py(1).zip
    • import urllib.parse, import aiohttp
  5. init.py (kopia).zip
    • subprocess.Popen
  6. tools.py.zip
    • similar to (2), exec(lzma.decompress(base64.b64decode

The following files were identified as code/ps1. Those are more complicated, as they do contain PowerShell commands, but they are Python scripts:

  1. init.py.zip
  2. uidesign.py.zip

The same story, but with code/batch identification:

  1. 4a2353d4be195e06172985931534fe14dbe5746c452c7a27c1d4a5d51d516eb6.zip

To Reproduce
Steps to reproduce the behavior:

  1. Upload and see the wrong file type

Expected behavior
Identification as code/python.


Environment (please complete the following information if pertinent):

  • Assemblyline Version: 4.5.0.x - those files were collected for some time


kam193 added the assess and bug labels Nov 8, 2024
@gdesmar gdesmar self-assigned this Nov 8, 2024
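An added illustration of the code/ps1 and code/batch confusion described in the report (example code, not Assemblyline's identifier and not the reporter's files): a script whose only PowerShell content sits inside Python string literals should still be identified as Python. The approach below first asks whether the whole file parses as Python and only then falls back to per-language line hints; the sample scripts and regexes are constructed for this example.

```python
import ast
import re

# Constructed sample: a Python script that merely passes a PowerShell command
# through subprocess. Hints keyed on PowerShell verbs alone would tag it code/ps1.
PY_WITH_PS = '''import subprocess

def run_ps():
    return subprocess.run(["powershell", "-Command", "Get-Date | Out-String"],
                          capture_output=True, text=True).stdout
'''

# Constructed samples of genuine PowerShell and batch content.
PS_ONLY = '''$d = Get-Date
Write-Output ($d | Out-String)
'''

BATCH = '''@echo off
set X=1
echo %X%
'''

# Line-anchored hints per language; used only when Python parsing fails.
PY_HINTS = re.compile(r"^\s*(import|from)\s+[A-Za-z_]|^\s*def\s+\w+\(|^\s*class\s+\w+|\bexec\(|\bprint\(", re.M)
PS_HINTS = re.compile(r"^\s*\$\w+\s*=|^\s*(Write-Output|Get-Date|Invoke-\w+)\b", re.M)
BATCH_HINTS = re.compile(r"^\s*@echo\s+off|^\s*set\s+\w+=|%\w+%", re.M | re.I)

def identify(text: str) -> str:
    """Return code/python, code/ps1, code/batch or text/plain for a text file."""
    # Strongest evidence: the entire file is syntactically valid Python and shows
    # at least one Python construct. String literals holding PowerShell or batch
    # commands are invisible to the parser, so they cannot flip the verdict.
    try:
        ast.parse(text)
        if PY_HINTS.search(text):
            return "code/python"
    except (SyntaxError, ValueError):
        pass
    # Fallback: count hints for each language and take the best scorer.
    scores = {
        "code/python": len(PY_HINTS.findall(text)),
        "code/ps1": len(PS_HINTS.findall(text)),
        "code/batch": len(BATCH_HINTS.findall(text)),
    }
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "text/plain"
```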

kam193 commented Nov 9, 2024

And a little different case - wrongly identified JavaScript. Interestingly, the mime type was originally application/javascript, but the final one is unknown -> maybe even for untrusted mimes, it would be useful to fall back to them if there is nothing better?
9bc1e972b4c7e11256f817954f51c07963fd6f17161c0c2ce867f0c3ba4173d1.zip
3adf910188dc6f0df92eca9a835aac4b31e3232b57adf661c8cfef4992812ea2.zip


kam193 commented Nov 14, 2024

A new example - Python code identified as text, interesting as it's just a revshell: setup.py(4).zip
