Method to identify an incomplete CAPE report #2035

@Iroxious

Description

Hello, thank you for reading this issue.
I am currently using an unofficial version of CAPE, which seems to cause some fields to be missing in the CAPE reports. CAPA is unable to recognize these reports, resulting in the following error message:

```text
D:\Study\capa-v7.0.1-windows>capa D:\Study\analyses\jsons\2496_reports_report.json -d
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa: Using default embedded rules.
DEBUG:capa: To provide your own rules, use the form capa.exe -r ./path/to/rules/ /path/to/mal.exe.
DEBUG:capa: You can see the current default rule set here:
DEBUG:capa: https://github.com/mandiant/capa-rules
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa: Using default embedded signatures.
DEBUG:capa: To provide your own signatures, use the form capa.exe --signature ./path/to/signatures/ /path/to/mal.exe.
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa.rules:reading rules from directory C:\Users\DavidLee\AppData\Local\Temp_MEI336362\rules
DEBUG:capa.rules.cache:loading rule set from cache: C:\Users\DavidLee\AppData\Local\Temp_MEI336362\cache\capa-d2f2a22b.cache
DEBUG:capa:successfully loaded 866 rules
Traceback (most recent call last):
  File "main.py", line 944, in <module>
  File "main.py", line 806, in main
  File "main.py", line 643, in get_file_extractors_from_cli
  File "loader.py", line 291, in get_file_extractors
  File "features\extractors\cape\extractor.py", line 126, in from_report
  File "pydantic\main.py", line 503, in model_validate
pydantic_core._pydantic_core.ValidationError: 3 validation errors for CapeReport
target.file.sha3_384
  Field required [type=missing, input_value={'name': '5ceb25d26af3df6...: '2008-07-28 08:11:35'}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.4/v/missing
CAPE
  Input should be a valid dictionary or instance of Cape [type=model_type, input_value=[], input_type=list]
    For further information visit https://errors.pydantic.dev/2.4/v/model_type
dropped.0.sha3_384
  Field required [type=missing, input_value={'name': 'msupdate.exe', ...al\Temp\msupdate.exe'}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.4/v/missing
[28876] Failed to execute script 'main' due to unhandled exception!
```

Could you kindly suggest a method for batch processing these reports to ensure compatibility with capa?
The JSON report generated by CAPE is attached:
2496_reports_report.json
Thank you for your attention.
