function Ransomware.HeaderComparison()

in ransomware/artifact.lua [2894:2957]


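--- Compare a file's leading bytes with the magic-byte signatures known for
-- its extension and record a per-process HEADER_MISMATCH indicator.
--
-- A header that matches none of the expected signatures (nor the generic
-- null/xml signatures) is treated as a mismatch: the file alert metric is
-- raised and the owning process's mismatching-extension bookkeeping is
-- updated in place.
--
-- @tparam table eventData file event; reads headerBytes, fileExtension,
--   filePreviousExtension and currentExtensionData
-- @tparam table processData per-process state; headerMismatchExtensions and
--   numHeaderMismatchExtensions are modified
-- @tparam table|nil extensionData extension record carrying a magicBytes
--   list (each entry a sequence of byte values); nil means nothing to check
-- @treturn boolean true when the header matched no signature
function Ransomware.HeaderComparison(eventData, processData, extensionData)
    local headerMismatch = false

    -- No extension record: nothing to compare, so not a mismatch.
    if nil == extensionData then
        return headerMismatch
    end

    -- No known signatures for this extension: cannot judge, not a mismatch.
    if #extensionData.magicBytes == 0 then
        return headerMismatch
    end

    -- Work on a private copy. Appending the generic signatures directly to
    -- extensionData.magicBytes grew the shared extension record by two
    -- entries on every call and, once grown, defeated the empty-list check
    -- above for extensions that have no signatures of their own.
    local knownSignatures = extensionData.magicBytes
    local magicBytesTable = table.move(knownSignatures, 1, #knownSignatures, 1, {})
    -- Generic signatures accepted for any extension.
    magicBytesTable[#magicBytesTable + 1] = globals.t_null_1
    magicBytesTable[#magicBytesTable + 1] = globals.t_xml_1

    for _, signature in ipairs(magicBytesTable) do
        headerMismatch = false
        -- Only the first 16 signature bytes are kept (the original comparison
        -- window). A signature longer than 16 bytes has nil beyond index 16
        -- and therefore can never match. NOTE(review): presumably headerBytes
        -- holds 16 bytes; confirm against the event producer.
        local expected = table.move(signature, 1, 16, 1, {})
        -- Header prefix of the signature's length. NOTE(review): when
        -- headerBytes is shorter than the signature, only the bytes present are
        -- compared, so a truncated header cannot yield a mismatch.
        local actual = table.move(eventData.headerBytes, 1, #signature, 1, {})

        for idx, byte in pairs(actual) do
            if byte ~= expected[idx] then
                headerMismatch = true
                break
            end
        end

        -- The first matching signature settles the check.
        if not headerMismatch then
            break
        end
    end

    if headerMismatch then
        alert.RaiseFileAlertMetric(eventData, 'HEADER_MISMATCH')
    end

    -- The check may run against the current or the previous extension record;
    -- attribute the mismatch to whichever extension it belongs to.
    local fileExtension = ''
    if extensionData == eventData.currentExtensionData then
        fileExtension = eventData.fileExtension
    else
        fileExtension = eventData.filePreviousExtension
    end

    if headerMismatch then
        local mismatches = processData.headerMismatchExtensions
        if not utils.TableHasKey(mismatches, fileExtension) then
            -- First mismatch seen for this extension on this process.
            mismatches[fileExtension] = 0
            utils.DebugLog('NEW EXTENSION HEADER MISMATCH: ' .. fileExtension)
            processData.numHeaderMismatchExtensions = processData.numHeaderMismatchExtensions + 1
        end
        mismatches[fileExtension] = mismatches[fileExtension] + 1
    end

    return headerMismatch
end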