sync (#2761)

doomedraven · enzok · YungBinary · web-flow · commit 2e2391e5a68b · 2025-11-30T10:10:39.000+01:00
* Update AdaptixBeacon yara and add NitrogenBunnyDownloader yara * add missing hash * add missing update * Gemini nags * Additional Rhadamanthys patterns * Switch Suricata installation to version 7.0 Comment out the repository for Suricata 8 and use Suricata 7.0 instead. * Remove test_handle_process_invalid_data() from tests/test_analyzer.py * Tweak Rhadamanthys patterns - removed highly variable jump size in conditional jump (0x2e6 bytes code, size highly brittle) - replaced eax register in nice characteristic pattern as it can only be eax, since pattern contains the xor eax, eax instruction by which the code zeroes) * Rhadamanthys anti-anti detonation bypass * Rhadamanthys detection patterns * Enable protocol extended information to be generated without a TLS master secret (#2739) * Update NitroBunnyDownloader yara * Bump django from 5.1.13 to 5.1.14 (#2742) Bumps [django](https://github.com/django/django) from 5.1.13 to 5.1.14. - [Commits](django/django@5.1.13...5.1.14) --- updated-dependencies: - dependency-name: django dependency-version: 5.1.14 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update startup.py * Fix path handling for SHA256 calculation * Update startup.py * Monitor updates: see changelog for details * analyzer: remove obsolete 'suspended' parameter from CommandPipeHandler * Update routing.rst * Fix error list entry format in demux.py * prevent linux parsing errors (#2744) * Rhadamanthys unhook bypass * Add Suricata host (#2745) * Rename surihhost to surihost in search.html * Add 'surihost' key to Suricata alert mapping * Update lib/cuckoo/common/web_utils.py Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Monitor update: Add config option for monitor injection into supplied pid or "explorer" for shell: monitor=<pid/"explorer"> * SmokeLoader 2025 * Update installation step to include KnowledgeBaseBot Install dependencies from both requirements files. * Bump django from 5.1.13 to 5.1.14 (#2749) Bumps [django](https://github.com/django/django) from 5.1.13 to 5.1.14. - [Commits](django/django@5.1.13...5.1.14) --- updated-dependencies: - dependency-name: django dependency-version: 5.1.14 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: Update requirements.txt * Refactor auto_answer.yml to streamline dependency installation Updated the workflow to install dependencies using uv run with specified requirements files. * fix docs * Fix a bug that prevents terminal status from being reported by the agent (#2753) Updates the POST /status endpoint to unset the async subprocess if the new status is terminal. This makes GET /status report the final analysis state, rather than the child process state. * Fix 'machines' vars on Azure (#2755) * Monitor update: Fix issue with RESUME: monitor message from NtResumeProcess hook * Bump pypdf from 5.2.0 to 6.4.0 (#2757) Bumps [pypdf](https://github.com/py-pdf/pypdf) from 5.2.0 to 6.4.0. - [Release notes](https://github.com/py-pdf/pypdf/releases) - [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md) - [Commits](py-pdf/pypdf@5.2.0...6.4.0) --- updated-dependencies: - dependency-name: pypdf dependency-version: 6.4.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Prevent on_complete execution for matched signatures (#2758) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: enzok <7831008+enzok@users.noreply.github.com> Co-authored-by: Yung Binary <93540406+YungBinary@users.noreply.github.com> Co-authored-by: Kevin O'Reilly <kevoreilly@gmail.com> Co-authored-by: Fernando Domínguez <6620286+FernandoDoming@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: David Santos <44490090+dsecuma@users.noreply.github.com> Co-authored-by: Bart <3075118+bartblaze@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: GitHub Actions <action@github.com> Co-authored-by: Josh Feather <142008135+josh-feather@users.noreply.github.com> Co-authored-by: Lilian <86776930+Grand-Duc@users.noreply.github.com>
diff --git a/.github/workflows/auto_answer.yml b/.github/workflows/auto_answer.yml
@@ -22,14 +22,15 @@ jobs:
         with:
           enable-cache: true
 
-      - name: Install the project
-        run: uv run pip install -r requirements.txt
-
       - name: Run the answer bot with uv run
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           ISSUE_NUMBER: ${{ github.event.issue.number }}
           REPO_NAME: ${{ github.repository }}
-        # This single step installs dependencies (if needed) and runs the script
-        run: cd KnowledgeBaseBot && uv run python auto_answer_bot.py
+        run: |
+          cd KnowledgeBaseBot && \
+          uv run \
+          --with-requirements ../requirements.txt \
+          --with-requirements requirements.txt \
+          python auto_answer_bot.py
diff --git a/agent/agent.py b/agent/agent.py
@@ -92,6 +92,8 @@ def _missing_(cls, value):
         return None
 
 
+TERMINAL_STATUSES = [Status.COMPLETE, Status.FAILED, Status.EXCEPTION]
+
 AGENT_BROWSER_EXT_PATH = ""
 AGENT_BROWSER_LOCK = Lock()
 ANALYZER_FOLDER = ""
@@ -494,6 +496,11 @@ def put_status():
     except ValueError:
         return json_error(400, "No valid status has been provided")
 
+    # If the new status is terminal, unset the async subprocess so /status reports
+    # the final analysis state rather than the child process state.
+    if status in TERMINAL_STATUSES:
+        state["async_subprocess"] = None
+
     state["status"] = status
     state["description"] = request.form.get("description")
     return json_success("Analysis status updated")
diff --git a/agent/test_agent.py b/agent/test_agent.py
@@ -639,6 +639,34 @@ def test_async_failure(self):
         js = self.confirm_status(str(agent.Status.FAILED))
         assert "process_id" not in js
 
+    def test_async_manual_status_override(self):
+        """Test that a manual status update overrides an in-progress async process."""
+        # Upload a Python file that sleeps for a short period, to ensure the
+        # async subprocess is running while we override the status.
+        file_contents = (
+            "import time",
+            "time.sleep(10)",
+        )
+
+        filepath = self.store_file(file_contents)
+        form = {"filepath": filepath, "async": 1}
+
+        execpy_resp = self.post_form("execpy", form)
+        assert execpy_resp.get("message") == "Successfully spawned command"
+
+        # While the subprocess is running, the status should initially be RUNNING.
+        self.confirm_status(str(agent.Status.RUNNING))
+
+        # Manually override the status to COMPLETE via POST /status.
+        override_form = {
+            "status": str(agent.Status.COMPLETE),
+            "description": "beep boop"
+        }
+        status_resp = self.post_form("status", override_form)
+        assert status_resp.get("message") == "Analysis status updated"
+
+        self.confirm_status(str(agent.Status.COMPLETE))
+
     def test_execute(self):
         """Test executing the 'date' command."""
         if sys.platform == "win32":
diff --git a/analyzer/windows/analyzer.py b/analyzer/windows/analyzer.py
@@ -1332,7 +1332,6 @@ def _handle_process(self, data):
         """Request for injection into a process."""
         # Parse the process identifier.
         # PROCESS:1:1824,2856
-        suspended = False
         process_id = thread_id = None
         # We parse the process ID.
         pid_s, tid_s = data.split(b",", 1)
@@ -1352,7 +1351,6 @@ def _handle_process(self, data):
                         config=self.analyzer.config,
                         pid=process_id,
                         thread_id=thread_id,
-                        suspended=suspended,
                     )
                     filepath = proc.get_filepath()  # .encode('utf8', 'replace')
                     # if it's a URL analysis, provide the URL to all processes as
diff --git a/analyzer/windows/data/yara/Rhadamanthys.yar b/analyzer/windows/data/yara/Rhadamanthys.yar
@@ -11,3 +11,26 @@ rule Rhadamanthys
     condition:
         2 of them
 }
+
+rule RhadaAnti
+{
+    meta:
+        author = "kevoreilly"
+        cape_options = "bp0=$anti,action0=jmp,count=0,ntdll-protect=0,dump-limit=0"
+    strings:
+        $anti = {74 0E FF 75 ?? 8D 45 ?? 50 E8 [4] 59 59 8D 45 ?? 50 56 68 04 01 00 00}
+    condition:
+        all of them
+}
+
+rule RhadUnhook
+{
+    meta:
+        cape_options = "bp0=$scan*,action0=scan:rbx,count=0,patch=$target+21:9090"
+        packed = "dd4af0f1888977f6d9eb820b19f4afc2a73d1c494a132ab4261498328005dda7"
+    strings:
+        $scan = {48 85 DB 0F 84 E1 00 00 00 4C 8D 44 24 70 48 8D 54 24 40 48 8B CE 44 89 7C 24 50 4C 89 64 24 40 48 C7 44 24 48 00 00 00 00 C6 44 24 54 00 FF}
+        $target = {4D 85 C9 48 8B C6 4A 8D 0C 1E 74 15 48 2B D8 49 2B DB 8A 04 0B 88 01 48 83 C1 01 49 83 E9 01 75 F1 5F 5E 5D 5B C3}
+    condition:
+        any of them
+}
diff --git a/analyzer/windows/data/yara/SmokeLoader.yar b/analyzer/windows/data/yara/SmokeLoader.yar
@@ -1,11 +1,11 @@
-rule SmokeLoader
+rule SmokeInjector
 {
     meta:
         author = "kevoreilly"
-        description = "SmokeLoader Payload"
-        cape_options = "bp0=$gate+19,action0=DumpSectionViews,count=1"
+        cape_options = "monitor=explorer"
+        packed = "d38f9ab81a054203e5b5940e6d34f3c8766f4f4104b14840e4695df511feaa30"
     strings:
-        $gate = {68 [2] 00 00 50 E8 [4] 8B 45 ?? 89 F1 8B 55 ?? 9A [2] 40 00 33 00 89 F9 89 FA 81 C1 [2] 00 00 81 C2 [2] 00 00 89 0A 8B 46 ?? 03 45 ?? 8B 4D ?? 8B 55 ?? 9A [2] 40 00 33 00}
+        $dec1 = {80 04 08 [0-7] (49|83 E9 01) [0-7] 41 [0-7] 81 F1 [2] 00 00 [0-7] 01 D9 [0-7] FF E1}
     condition:
         uint16(0) == 0x5A4D and any of them
 }
diff --git a/analyzer/windows/dll/capemon.dll b/analyzer/windows/dll/capemon.dll
diff --git a/analyzer/windows/dll/capemon_x64.dll b/analyzer/windows/dll/capemon_x64.dll
diff --git a/analyzer/windows/tests/test_analyzer.py b/analyzer/windows/tests/test_analyzer.py
@@ -986,23 +986,3 @@ def test_handle_process(self, mock_process):
         self.assertIsNotNone(ana.LASTINJECT_TIME)
         mock_process.assert_called_once()
         self.assertEqual(1, ana.NUM_INJECTED)
-
-    @patch("analyzer.Process")
-    def test_handle_process_invalid_data(self, mock_process):
-        ana = self.analyzer
-        with self.assertRaises(ValueError):
-            data = bytes("does not have a colon".encode())
-            self.pipe_handler._handle_process(data=data)
-        with self.assertRaises(ValueError):
-            data = bytes("has:too:many:colons".encode())
-            self.pipe_handler._handle_process(data=data)
-
-        data = bytes("no_comma:non_digits".encode())
-        self.pipe_handler._handle_process(data=data)
-        self.assertIsNone(ana.LASTINJECT_TIME)
-        mock_process.assert_not_called()
-
-        data = bytes("with_comma:non_digits,non_digits".encode())
-        self.pipe_handler._handle_process(data=data)
-        self.assertIsNone(ana.LASTINJECT_TIME)
-        mock_process.assert_not_called()
diff --git a/changelog.md b/changelog.md
@@ -1,11 +1,29 @@
+### [24.11.2025]
+* Monitor update: Fix issue with RESUME: monitor message from NtResumeProcess hook
+
+### [17.11.2025]
+* Monitor update: Add config option for monitor injection into supplied pid or "explorer" for shell: monitor=<pid/"explorer">
+
+### [06.11.2025]
+* Monitor updates:
+    * path_from_object_attributes(): fix issue with memcpy from bad ObjectName->Buffer (e.g. 0a9d9b402fb39cf8df21ca4e68b84577c39b3ecf00415c999b28fcc92a695663)
+    * Fix/improve exception handling code which queries current SEH handler
+    * Harden our_stackwalk() against invalid stack pointers (hooking_64)
+    * Add exported function name logging to thread hooks: NtCreateThreadEx, CreateThread, NtQueueApcThread, NtQueueApcThreadEx
+
+### [03.11.2025]
+* Rhadamanthys:
+    * static config extraction - thanks @YungBinary
+    * anti-anti detonation bypass
+
 ### [22.10.2025]
+* Add monitor injection to previously unused RESUME: monitor message handler _handle_resume()
 * Remove obsolete 'suspended' parameter from PROCESS monitor message
 * Monitor updates:
     * WriteMemoryHandler: prevent analysis log spam for small PE writes
     * Cap per-process messages to prevent detonation slow-down & failure in e.g. 9f8333d81c13ea426953b758140836cff2cf7e7f32e36738f118c6257c6efd34
     * Experimental debugger action 'guard' to trap on guard violation
-    * (origin/capemon, origin/HEAD) YaraHarness: write rules canary detection to analysis log
-    * YaraHarness: simplify 'dump' option
+    * YaraHarness: write rules canary detection to analysis log & simplify 'dump' option
     * Deprecate Win7 wow64 breakpoint workaround
     * Implement Gemini suggestions from #111
     * Merge pull request #111 from StephanTLavavej/unordered_map
diff --git a/data/html/sections/behavior.html b/data/html/sections/behavior.html
@@ -100,7 +100,7 @@ <h4>{{process.process_name}} <small>PID: {{process.process_id}}, Parent PID: {{p
         <div>
             <h4><a href="javascript:showHide('process_{{process.process_id}}');">{{process.process_name}}</a>
                 <small>PID: {{process.process_id}}, Parent PID: {{process.parent_id}}, Full Path: <b>{{process.module_path}}</b>
-                    {% if process.environ.CommandLine %}
+                    {% if process.environ and process.environ.CommandLine %}
                     , Command Line: <b>{{ process.environ.CommandLine }}</b>
                     {% endif %}
                 </small>
@@ -158,6 +158,7 @@ <h4><a href="javascript:showHide('process_{{process.process_id}}');">{{process.p
         Nothing to display.
     {% endif %}
     {% endif %}
+    {% if results.behavior and results.behavior.summary %}
         <div class="card card-body">
             <b>Accessed Files</b>
             {% if results.behavior.summary.files %}
@@ -266,4 +267,5 @@ <h4><a href="javascript:showHide('process_{{process.process_id}}');">{{process.p
                 Nothing to display.
             {% endif %}
         </div>
+    {% endif %}
 </section>
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
@@ -6,11 +6,13 @@ rule AdaptixBeacon
         cape_type = "AdaptixBeacon Payload"
         hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
     strings:
-        $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04}
+        $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04 ?? E8}
         $conf_2 = {E8 [3] 00 48 8B 4C 24 ?? 48 89 43 78 E8 [3] 00 48 8B 4C 24 ?? 89 83 80 00 00 00 E8 [3] 00 03 83 80 00 00 00 48 8B 4C 24}
         $conf_3 = {E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 58 E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 60 E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 68}
-        $wininet_1 = {B9 77 00 00 00 4? 89 50 28 E8 [4] B9 69 00 00 00 88 44 24 ?? E8 [4] B9 6E 00 00 00 88 44 24}
-        $wininet_2 = {B9 69 00 00 00 88 44 24 ?? E8 [4] B9 6E 00 00 00 88 44 24 ?? E8 [4] B9 65 00 00 00 88 44 24}
+        $conf_4 = {8D ?? ?? 4? 89 ?? FF ?? 4? 89 ?? 4? 89 ?? 4? 8B ?? FF ?? ?? 4? 8B ?? 48 66 ?? 89 ?? ?? EB}
+        $conf_5 = {48 89 ?? 4? 89 ?? FF ?? 4? 89 ?? 4? 89 D9 4? 89 ?? ?? 4? 8B 03 FF ?? ?? 4? 89 ?? 4? 89 ?? 4? 89 ?? ?? 4? 8B 03 FF ?? ?? 4? 89}
+        $wininet_1 = {B9 77 00 00 00 [0-4] E8 [4] B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24}
+        $wininet_2 = {B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24 [0-4] E8 [4] B9 65 00 00 00 88 ?4 24}
     condition:
         1 of ($conf_*) and 1 of ($wininet_*)
-}
+}
diff --git a/data/yara/CAPE/NitroBunnyDownloader.yar b/data/yara/CAPE/NitroBunnyDownloader.yar
@@ -0,0 +1,18 @@
+rule NitroBunnyDownloader
+{
+    meta:
+        author = "enzok"
+        description = "NitroBunnyDownloader"
+        cape_type = "NitroBunnyDownloader Payload"
+        hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
+    strings:
+        $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $string1 = "X-Amz-User-Agent:" wide
+        $string2 = "Amz-Security-Flag:" wide
+        $string3 = "/cart" wide
+        $string4 = "Cookie: " wide
+        $string5 = "wishlist" wide
+    condition:
+        uint16(0) == 0x5A4D and 1 of ($config*) and 2 of ($string*)
+}
diff --git a/data/yara/CAPE/Rhadamanthys.yar b/data/yara/CAPE/Rhadamanthys.yar
@@ -1,14 +1,32 @@
 rule Rhadamanthys
+{
+    meta:
+        author = "kevoreilly, YungBinary"
+        description = "Rhadamanthys Payload"
+        cape_type = "Rhadamanthys Payload"
+    strings:
+        $rc4 = {88 4C 01 08 41 81 F9 00 01 00 00 7C F3 89 75 08 33 FF 8B 4D 08 3B 4D 10 72 04 83 65 08 00}
+        $code = {8B 4D FC 3B CF 8B C1 74 0D 83 78 04 02 74 1C 8B 40 1C 3B C7 75 F3 3B CF 8B C1 74 57 83 78 04 17 74 09 8B 40 1C 3B C7 75 F3 EB}
+        $conf_1 = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08}
+        $conf_2 = {0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 45 F8 89 45 FC 89 45 08 8B C1}
+        $beef = {57 8D 44 33 FC 53 83 C6 FC 50 56 E8 [4] 83 C4 10 66 81 3F EF BE 0F 85}
+        $anti = {50 68 [4] 68 [4] E8 [4] 83 C4 0C A3 [4] 85 C0 74}
+        $dnr = {99 52 50 8D 45 ?? 99 52 50 8B C7 99 52 50 8B C3 99 52 50}
+        $sys = {83 E4 F0 6A 33 E8 00 00 00 00 83 04 24 05 CB}
+    condition:
+        2 of them
+}
+
+rule RhadamanthysLoader
 {
     meta:
         author = "kevoreilly"
         description = "Rhadamanthys Loader"
         cape_type = "Rhadamanthys Loader"
     strings:
-        $rc4 = {88 4C 01 08 41 81 F9 00 01 00 00 7C F3 89 75 08 33 FF 8B 4D 08 3B 4D 10 72 04 83 65 08 00}
-        $code = {8B 4D FC 3B CF 8B C1 74 0D 83 78 04 02 74 1C 8B 40 1C 3B C7 75 F3 3B CF 8B C1 74 57 83 78 04 17 74 09 8B 40 1C 3B C7 75 F3 EB}
-        $conf = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08}
-        $cape_string = "cape_options"
+        $ref = {33 D2 B9 0B 00 00 00 F7 F1 B8 01 00 00 00 6B C8 00 8D 84 0D [4] 0F BE 0C 10 8B 95 [4] 03 95 [4] 0F B6 02 33 C1 8B 8D [4] 03 8D [4] 88 01}
+        $ntdll = {B9 6E 00 00 00 66 89 8D [4] BA 74 00 00 00 66 89 95 [4] B8 64 00 00 00 66 89 85 [4] B9 6C 00 00 00 66 89 8D [4] BA 6C 00 00 00 66 89 95}
+        $exit = {6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 8B 95 [4] 52 8B 85 [4] 50 6A 00 68 FF FF 1F 00}
     condition:
-        2 of them and not $cape_string
+        2 of them
 }
diff --git a/data/yara/CAPE/SmokeLoader.yar b/data/yara/CAPE/SmokeLoader.yar
@@ -5,10 +5,12 @@ rule SmokeLoader
         description = "SmokeLoader Payload"
         cape_type = "SmokeLoader Payload"
     strings:
-        $rc4_decrypt64 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
+        $rc4_decrypt64_1 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
+        $rc4_decrypt64_2 = {03 C8 8B C1 89 44 [2] 0F B6 8C [2] 01 00 00 33 D2 8B 04 24 F7 F1 8B C2 8B C0 48 8B 8C [2] 01 00 00 0F B6 04 01 8B 4C [2] 03 C8 8B C1 25 FF 00 00 00}
+        $rc4_decrypt64_3 = {8B 04 ?? FF C0 25 FF 00 00 00 89 04 ?? 8B 04 ?? 0F B6 44 [2] 8B 4C [2] 03 C8 8B C1 25 FF 00 00 00}
         $rc4_decrypt32 = {47 B9 FF 00 00 00 23 F9 8A 54 [2] 0F B6 C2 03 F0 23 F1 8A 44 [2] 88 44 [2] 88 54 [2] 0F B6 4C [2] 0F B6 C2 03 C8 81 E1 FF 00 00 00 8A 44 [2] 30 04 2B 43 3B 9C 24 [4] 72 C0}
-        $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0 [6-10] 48 8D 05}
+        $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF)}
         $fetch_c2_32 = {8B 96 [2] (00|01) 00 8B CE 5E 8B 14 95 [4] E9}
     condition:
-        2  of them
+        2 of them
 }
diff --git a/docs/book/src/installation/host/configuration.rst b/docs/book/src/installation/host/configuration.rst
@@ -53,16 +53,6 @@ want to pay more attention to are:
 .. _`SQLAlchemy`: http://www.sqlalchemy.org/
 .. _`Database Urls`: http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls
 
-.. warning:: Check your interface for resultserver IP! Some virtualization software (for example Virtualbox)
-    doesn't bring up the virtual networking interfaces until a virtual machine is started.
-    CAPE needs to have the interface where you bind the resultserver up before the start, so please
-    check your network setup. If you are not sure about how to get the interface up, a good trick is to manually start
-    and stop an analysis virtual machine, this will bring virtual networking up.
-    If you are using NAT/PAT in your network, you can set up the resultserver IP
-    to 0.0.0.0 to listen on all interfaces, then use the specific options `resultserver_ip` and `resultserver_port`
-    in *<machinery>.conf* to specify the address and port as every machine sees them. Note that if you set
-    resultserver IP to 0.0.0.0 in cuckoo.conf you have to set `resultserver_ip` for all your virtual machines.
-
 .. note:: Default freespace value is 50GB
     It is worth mentioning that the default ``freespace`` value in ``cuckoo.conf`` is 50000 MB aka 50 GB.
 
diff --git a/docs/book/src/installation/host/routing.rst b/docs/book/src/installation/host/routing.rst
@@ -574,9 +574,9 @@ Manually testing Internet connection
 ====================================
 You can manually test the Internet connection from inside the VMs without the need of performing any analysis. To do so, you have to use the . This utility allows you to enable or disable specific **routes** and debug them. It is a "Standalone script to debug VM problems that allows to enable routing on VM".
 
-First, **stop** the ``cape-rooter`` service with::
+First, **start** the ``cape-rooter`` service with::
 
-    $ sudo systemctl stop cape-rooter.service
+    $ sudo systemctl start cape-rooter.service
 
 Assuming you already have any VM running, to test the internet connection using ``router_manager.py`` you have to execute the following commands::
 
diff --git a/installer/cape2.sh b/installer/cape2.sh
@@ -690,7 +690,9 @@ EOL
 
 function install_suricata() {
     echo '[+] Installing Suricata'
-    sudo add-apt-repository -y ppa:oisf/suricata-stable
+    # Suricata 8 has many breaking changes. We don't have time to make it compatible
+    # sudo add-apt-repository -y ppa:oisf/suricata-stable
+    sudo add-apt-repository ppa:oisf/suricata-7.0
     sudo apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install -y suricata
     touch /etc/suricata/threshold.config
 
diff --git a/lib/cuckoo/common/demux.py b/lib/cuckoo/common/demux.py
@@ -340,7 +340,7 @@ def demux_sample(filename: bytes, package: str, options: str, use_sflock: bool =
     # original file
     if not retlist:
         if error_msg:
-            error_list.append({os.path.basename(filename).decode(), error_msg})
+            error_list.append({os.path.basename(filename).decode(): error_msg})
         new_retlist.append((filename, platform))
     else:
         for filename, platform, magic_type, file_size in retlist:
diff --git a/lib/cuckoo/common/web_utils.py b/lib/cuckoo/common/web_utils.py
@@ -1221,6 +1221,7 @@ def validate_task_by_path(tid):
     "suriurl": "suricata.http.uri",
     "suriua": "suricata.http.ua",
     "surireferrer": "suricata.http.referrer",
+    "surihost": "suricata.http.hostname",
     "suritlssubject": "suricata.tls.subject",
     "suritlsissuerdn": "suricata.tls.issuer",
     "suritlsfingerprint": "suricata.tls.fingerprint",
diff --git a/lib/cuckoo/core/plugins.py b/lib/cuckoo/core/plugins.py
@@ -683,6 +683,8 @@ def run(self, test_signature: str = False):
                             result = False
 
                         if result:
+                            if hasattr(sig, "on_complete"):
+                                log.debug("Signature: %s is matched! on_complete won't be executed!", sig.name)
                             sig.matched = True
 
             # Call the stop method on all remaining instances.
diff --git a/lib/cuckoo/core/startup.py b/lib/cuckoo/core/startup.py
@@ -350,9 +350,9 @@ def check_snapshot_state():
                 continue
 
             try:
-                domain = conn.lookupByName(machine_name)
                 machine_config = machinery_config.get(machine_name)
-
+                machine_name = machine_config.get("label")
+                domain = conn.lookupByName(machine_name)
                 # Check for valid architecture configuration.
                 arch = machine_config.get("arch")
                 if not arch:
diff --git a/modules/machinery/az.py b/modules/machinery/az.py
@@ -618,7 +618,7 @@ def get_first_machine(query: sqlalchemy.orm.Query) -> Optional[Machine]:
 
         machines = self.db.session.query(Machine).options(sqlalchemy.orm.joinedload(Machine.tags))
         filter_kwargs = {
-            "machines": machines,
+            "statement": machines,
             "label": task.machine,
             "tags": task_tags,
             "archs": task_archs,
diff --git a/modules/processing/network.py b/modules/processing/network.py
diff --git a/modules/processing/pcapng.py b/modules/processing/pcapng.py
diff --git a/poetry.lock b/poetry.lock
diff --git a/requirements.txt b/requirements.txt
diff --git a/web/templates/analysis/admin/index.html b/web/templates/analysis/admin/index.html
diff --git a/web/templates/analysis/search.html b/web/templates/analysis/search.html
