def vm_conf(request):
cfg = Config()
machinery_name = cfg.cuckoo.machinery
vm_conf = Config(os.path.join(CUCKOO_ROOT, "conf", "%s.conf" % machinery_name))
options = vm_conf.get(machinery_name)
machines = []
#pprint.pprint(options)
if options.get("machines"):
for machine_id in options.get("machines").strip().split(","):
machine_opts = vm_conf.get(machine_id.strip())
machine = Dictionary()
machine.id = machine_id.strip()
machine.label = machine_opts["label"]
machine.platform = machine_opts["platform"]
machine.tags = machine_opts.get("tags", None)
machine.ip = machine_opts["ip"]
machine.snapshot = machine_opts.get("snapshot", None)
machines.append(machine)
else:
machines = None
return render_to_response("analysis/vm_conf.html",
{"machines": machines,
"options": options,
"machinery": machinery_name},
context_instance=RequestContext(request))
def init_routing():
"""Initialize and check whether the routing information is correct."""
cuckoo = Config()
vpn = Config("vpn")
# Check whether all VPNs exist if configured and make their configuration
# available through the vpns variable. Also enable NAT on each interface.
if vpn.vpn.enabled:
for name in vpn.vpn.vpns.split(","):
name = name.strip()
if not name:
continue
if not hasattr(vpn, name):
raise CuckooStartupError(
"Could not find VPN configuration for %s" % name
)
entry = vpn.get(name)
if not rooter("nic_available", entry.interface):
raise CuckooStartupError(
"The network interface that has been configured for "
"VPN %s is not available." % entry.name
)
vpns[entry.name] = entry
# Disable & enable NAT on this network interface. Disable it just
# in case we still had the same rule from a previous run.
rooter("disable_nat", entry.interface)
rooter("enable_nat", entry.interface)
# Check whether the default VPN exists if specified.
if cuckoo.routing.route not in ("none", "internet"):
if not vpn.vpn.enabled:
raise CuckooStartupError(
"A VPN has been configured as default routing interface for "
"VMs, but VPNs have not been enabled in vpn.conf"
)
if cuckoo.routing.route not in vpns:
raise CuckooStartupError(
"The VPN defined as default routing target has not been "
"configured in vpn.conf."
)
# Check whether the dirty line exists if it has been defined.
if cuckoo.routing.internet != "none":
if not rooter("nic_available", cuckoo.routing.internet):
raise CuckooStartupError(
"The network interface that has been configured as dirty "
"line is not available."
)
# Enable NAT for this network interface.
rooter("enable_nat", cuckoo.routing.internet)
def main():
def checkConfigs():
'''check for config file and define variables'''
config = os.path.join(CUCKOO_ROOT,"cuckooinbox","cuckooinbox.conf")
if not os.path.exists(config):
raise CuckooStartupError("Config file does not exist at path: %s" % config)
checkConfigs()
config = Config(cfg=os.path.join(CUCKOO_ROOT,"cuckooinbox","cuckooinbox.conf"))
config = config.get('cuckooinbox')
username = config['username']
passwd = config['passwd']
imap = config['imap']
imap_ssl = config['imap_ssl']
email_whitelist = config['email_whitelist']
interval = config['interval']
'''welcome screen'''
print '\n\n'
print '\t\t@\tsend your malware to %s !\n' % (username)
welcome_message = ' _,\n ((\')\n /\'--)\n | _.\'\n / |`=\n \'^\''
print welcome_message
'''thread main function'''
def analyze(message):
request = CuckooRequest(message)
request.fetch(message)
request.sendReport()
'''define imap connection'''
server = IMAPClient(imap, use_uid=True, ssl=imap_ssl)
'''connect, login'''
server.login(username, passwd)
while True:
try:
'''set retrieve folder'''
select_info = server.select_folder('INBOX')
'''search for new message from email whitelist'''
for account in email_whitelist.split(','):
messages = server.search('UNSEEN FROM "%s"' % account)
'''analyze emails from one account at a time'''
if messages:
for message in messages:
thread = threading.Thread( target = analyze, args = (message,))
thread.daemon = True
thread.start()
time.sleep(interval)
except:
'''reconnect to mail account'''
server = IMAPClient(imap, use_uid=True, ssl=imap_ssl)
server.login(username, passwd)
pass
def render_index(request, kwargs={}):
files = os.listdir(os.path.join(settings.CUCKOO_PATH, "analyzer", "windows", "modules", "packages"))
cfg_docker = Config()
cfg_docker.__init__("docker-mach")
#docker_section = cfg_docker.docker.images
docker_section = cfg_docker.get("docker-mach").get("images")
docker_images = []
docker_images = re.split('\s*,\s*', docker_section)
packages = []
for name in files:
name = os.path.splitext(name)[0]
if name == "__init__":
continue
packages.append(name)
# Prepare a list of VM names, description label based on tags.
machines = []
for machine in Database().list_machines():
tags = []
for tag in machine.tags:
tags.append(tag.name)
if tags:
label = machine.label + ": " + ", ".join(tags)
else:
label = machine.label
machines.append((machine.label, label))
# Prepend ALL/ANY options.
machines.insert(0, ("", "First available"))
machines.insert(1, ("all", "All"))
values = {
"packages": sorted(packages),
"machines": machines,
"vpns": vpns.values(),
"route": cfg.routing.route,
"internet": cfg.routing.internet,
"docker_images": docker_images,
}
values.update(kwargs)
return render_to_response("submission/index.html", values,
context_instance=RequestContext(request))
def __init__(self, task_id, results):
"""@param task_id: ID of the analyses to process."""
self.task = Database().view_task(task_id).to_dict()
self.task_id = task_id
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task_id))
self.cfg = Config("processing")
self.results = results
def __init__(self, task, machine, guest_manager):
self.task = task
self.machine = machine
self.guest_manager = guest_manager
self.cfg = Config("auxiliary")
self.enabled = []
class RunAuxiliary(object):
"""Auxiliary modules manager."""
def __init__(self, task, machine):
self.task = task
self.machine = machine
self.cfg = Config("auxiliary")
self.enabled = []
def start(self):
for module in list_plugins(group="auxiliary"):
try:
current = module()
except:
log.exception("Failed to load the auxiliary module "
"\"{0}\":".format(module))
return
module_name = inspect.getmodule(current).__name__
if "." in module_name:
module_name = module_name.rsplit(".", 1)[1]
try:
options = self.cfg.get(module_name)
except CuckooOperationalError:
log.debug("Auxiliary module %s not found in "
"configuration file", module_name)
continue
if not options.enabled:
continue
current.set_task(self.task)
current.set_machine(self.machine)
current.set_options(options)
try:
current.start()
except NotImplementedError:
pass
except Exception as e:
log.warning("Unable to start auxiliary module %s: %s",
module_name, e)
else:
log.debug("Started auxiliary module: %s",
current.__class__.__name__)
self.enabled.append(current)
def stop(self):
for module in self.enabled:
try:
module.stop()
except NotImplementedError:
pass
except Exception as e:
log.warning("Unable to stop auxiliary module: %s", e)
else:
log.debug("Stopped auxiliary module: %s",
module.__class__.__name__)
def __init__(self, analysis_path, custom=""):
"""@param analysis_path: analysis folder path.
@param custom: custom options.
"""
self.analysis_path = analysis_path
self.custom = custom
self.cfg = Config(cfg=os.path.join(CUCKOO_ROOT, "conf", "reporting.conf"))
self.__populate(plugins)
def __init__(self, task, results):
"""@param analysis_path: analysis folder path."""
self.task = task
self.results = results
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task["id"]))
self.cfg = Config("reporting")
self.task["options"] = parse_options(self.task["options"])
def __init__(self, message):
self.message = message
'''cuckooinbox config variables'''
config = Config(cfg=os.path.join(CUCKOO_ROOT,"cuckooinbox","cuckooinbox.conf"))
config = config.get('cuckooinbox')
self.username = config['username']
self.passwd = config['passwd']
self.imap = config['imap']
self.imap_ssl = config['imap_ssl']
self.smtp_server = config['smtp']
self.interval = config['interval']
self.archive_folder = config['archive_folder']
self.email_whitelist = config['email_whitelist']
self.url_limit = config['url_limit']
self.attachment_limit = config['attachment_limit']
self.zip_reports = config['zip_reports']
self.zip_password = config['zip_password']
self.url_blacklist = config['url_blacklist']
self.url_file_backlist = config['url_file_backlist']
self.machine = config['machine']
'''imap variables'''
self.server = IMAPClient(self.imap, use_uid=True, ssl=self.imap_ssl)
self.server.login(self.username, self.passwd)
self.attachment_counter = 0
'''message variables'''
self.msg = MIMEMultipart()
self.response_msg = MIMEMultipart()
self.response_urls = []
self.response_attachments = []
self.sender = ''
self.subject = ''
self.cc_list = []
'''logging object'''
self.log_entry = Logger('cuckooinbox.log')
'''cuckoo variables'''
self.taskids = []
self.db = Database()
self.url_counter = 0 # tracks url count to not exceed url_limit
def __init__(self, task, results):
"""@param analysis_path: analysis folder path."""
self.task = task
# remove unwanted/duplicate information from reporting
for process in results["behavior"]["processes"]:
process["calls"].begin_reporting()
self.results = results
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task["id"]))
self.cfg = Config("reporting")
def init_modules():
"""Initializes plugins."""
log.debug("Importing modules...")
# Import all processing modules.
import_package(modules.processing)
# Import all signatures.
import_package(modules.signatures)
# Import only enabled reporting modules.
report_cfg = Config(cfg=os.path.join(CUCKOO_ROOT,
"conf",
"reporting.conf"))
prefix = modules.reporting.__name__ + "."
for loader, name, ispkg in pkgutil.iter_modules(modules.reporting.__path__):
if ispkg:
continue
try:
options = report_cfg.get(name)
except AttributeError:
log.debug("Reporting module %s not found in "
"configuration file" % module_name)
if not options.enabled:
continue
import_plugin("%s.%s" % (modules.reporting.__name__, name))
# Import machine manager.
import_plugin("modules.machinemanagers.%s"
% Config().cuckoo.machine_manager)
for category, mods in list_plugins().items():
log.debug("Imported \"%s\" modules:" % category)
for mod in mods:
if mod == mods[-1]:
log.debug("\t `-- %s" % mod.__name__)
else:
log.debug("\t |-- %s" % mod.__name__)
def __init__(self, task_id):
"""@param analysis_path: analysis folder path.
"""
self.task = Database().view_task(task_id).to_dict()
self.analysis_path = os.path.join(CUCKOO_ROOT,
"storage",
"analyses",
str(task_id))
self.cfg = Config(cfg=os.path.join(CUCKOO_ROOT,
"conf",
"reporting.conf"))
def __init__(self, task_id):
"""@param task_id: ID of the analyses to process."""
self.task = Database().view_task(task_id).to_dict()
self.task_id = task_id
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task_id))
self.cfg = Config("processing")
# This is the results container. It's what will be used by all the
# reporting modules to make it consumable by humans and machines.
# It will contain all the results generated by every processing
# module available. Its structure can be observed through the JSON
# dump in the analysis' reports folder. (If jsondump is enabled.)
# We friendly call this "fat dict".
self.results = { }
def __init__(self, task_id, interaction=0):
"""@param task_id: ID of the analyses to process."""
self.task = Database().view_task(task_id).to_dict()
self.analysis_path = os.path.join(CUCKOO_ROOT,
"storage",
"analyses",
str(task_id))
self.cfg = Config(cfg=os.path.join(CUCKOO_ROOT,
"conf",
"processing.conf"))
### JG: added interaction variable
self.interaction = interaction
def setExternalParameters(self):
'''
Configures the plugin ratings and any other parameters which were passed.
Uses two sources - the ratings.conf file and the tasks custom field (dictionary dumped as a json).
'''
try:
self.analysisConfig = CuckooConfig(self.conf_path)
ratingsConf = CuckooConfig(os.path.join(self.rulePath, "ratings.conf"))
for rating in ratingsConf.get("ratings").iteritems():
self.params[rating[0]] = rating[1]
except Exception as e:
log.warning("Preconfigure - %s" % str(e))
return False
try:
params = json.loads(self.analysisConfig.get("analysis").get("custom"))
for param in params.iteritems():
self.params[param[0]] = param[1]
except ValueError as e:
if self.analysisConfig.get("analysis").get("custom") != "None":
log.warning("Couldn't load json object from custom, skip")
return False
return True
class TestConfig:
CONF_EXAMPLE = """
[cuckoo]
debug = off
analysis_timeout = 120
critical_timeout = 600
delete_original = off
machine_manager = kvm
use_sniffer = no
tcpdump = /usr/sbin/tcpdump
interface = vboxnet0
"""
def setUp(self):
self.file = tempfile.mkstemp()[1]
self._load_conf(self.CONF_EXAMPLE)
self.c = Config(self.file)
def _load_conf(self, conf):
"""Loads a configuration from a string.
@param conf: configuration string.
"""
f = open(self.file, "w")
f.write(conf)
f.close()
def test_get_option_exist(self):
"""Fetch an option of each type from default config file."""
assert_equals(self.c.get("cuckoo")["debug"], False)
assert_equals(self.c.get("cuckoo")["tcpdump"], "/usr/sbin/tcpdump")
assert_equals(self.c.get("cuckoo")["critical_timeout"], 600)
def test_config_file_not_found(self):
assert Config("foo")
@raises(CuckooOperationalError)
def test_get_option_not_found(self):
self.c.get("foo")
@raises(CuckooOperationalError)
def test_get_option_not_found_in_file_not_found(self):
self.c = Config("bar")
self.c.get("foo")
def __init__(self, memfile, osprofile=None):
self.mask_pid = []
self.taint_pid = set()
self.memfile = memfile
conf_path = os.path.join(CUCKOO_ROOT, "conf", "memory.conf")
if not os.path.exists(conf_path):
log.error("Configuration file volatility.conf not found".format(conf_path))
self.voptions = False
return
self.voptions = Config("memory")
for pid in self.voptions.mask.pid_generic.split(","):
pid = pid.strip()
if pid:
self.mask_pid.append(int(pid))
self.no_filter = not self.voptions.mask.enabled
if self.voptions.basic.guest_profile:
self.osprofile = self.voptions.basic.guest_profile
else:
self.osprofile = osprofile or self.get_osprofile()
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
from __future__ import absolute_import
import os
import json
from datetime import datetime
from lib.cuckoo.common.abstracts import Processing
from lib.cuckoo.common.objects import File
from lib.cuckoo.common.config import Config
from lib.cuckoo.common.utils import convert_to_printable
from lib.cuckoo.common.cape_utils import flare_capa_details
processing_conf = Config("processing")
class ProcDump(Processing):
"""ProcDump files analysis."""
def run(self):
"""Run analysis.
@return: list of process dumps with related information.
"""
self.key = "procdump"
procdump_files = []
buf = self.options.get("buffer", 8192)
if not os.path.exists(self.procdump_path):
return None
meta = dict()
if os.path.exists(self.files_metadata):
# Copyright (C) 2010-2013 Claudio Guarnieri.
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import pymongo
import sys
# Cuckoo path.
CUCKOO_PATH = os.path.join(os.getcwd(), "..")
sys.path.append(CUCKOO_PATH)
from lib.cuckoo.common.config import Config
cfg = Config("reporting")
# Checks if mongo reporting is enabled in Cuckoo.
if not cfg.mongodb.get("enabled"):
raise Exception(
"Mongo reporting module is not enabled in cuckoo, aborting!")
# Get connection options from reporting.conf.
MONGO_HOST = cfg.mongodb.get("host", "127.0.0.1")
MONGO_PORT = cfg.mongodb.get("port", 27017)
MONGO_DB = cfg.mongodb.get("db", "cuckoo")
try:
MONGO = pymongo.MongoClient(MONGO_HOST, MONGO_PORT)[MONGO_DB]
except Exception as e:
raise Exception("Unable to connect to Mongo: %s" % e)
class RunReporting:
"""Reporting Engine.
This class handles the loading and execution of the enabled reporting
modules. It receives the analysis results dictionary from the Processing
Engine and pass it over to the reporting modules before executing them.
"""
def __init__(self, task_id, results):
"""@param analysis_path: analysis folder path."""
self.task = Database().view_task(task_id).to_dict()
self.results = results
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task_id))
self.cfg = Config("reporting")
def process(self, module):
"""Run a single reporting module.
@param module: reporting module.
@param results: results results from analysis.
"""
# Initialize current reporting module.
try:
current = module()
except:
log.exception("Failed to load the reporting module \"{0}\":".format(module))
return
# Extract the module name.
module_name = inspect.getmodule(current).__name__
if "." in module_name:
module_name = module_name.rsplit(".", 1)[1]
try:
options = self.cfg.get(module_name)
except CuckooOperationalError:
log.debug("Reporting module %s not found in configuration file", module_name)
return
# If the reporting module is disabled in the config, skip it.
if not options.enabled:
return
# Give it the path to the analysis results folder.
current.set_path(self.analysis_path)
# Give it the analysis task object.
current.set_task(self.task)
# Give it the the relevant reporting.conf section.
current.set_options(options)
# Load the content of the analysis.conf file.
current.cfg = Config(cfg=current.conf_path)
try:
current.run(self.results)
log.debug("Executed reporting module \"%s\"", current.__class__.__name__)
except CuckooDependencyError as e:
log.warning("The reporting module \"%s\" has missing dependencies: %s", current.__class__.__name__, e)
except CuckooReportError as e:
log.warning("The reporting module \"%s\" returned the following error: %s", current.__class__.__name__, e)
except:
log.exception("Failed to run the reporting module \"%s\":", current.__class__.__name__)
def run(self):
"""Generates all reports.
@raise CuckooReportError: if a report module fails.
"""
# In every reporting module you can specify a numeric value that
# represents at which position that module should be executed among
# all the available ones. It can be used in the case where a
# module requires another one to be already executed beforehand.
reporting_list = list_plugins(group="reporting")
# Return if no reporting modules are loaded.
if reporting_list:
reporting_list.sort(key=lambda module: module.order)
# Run every loaded reporting module.
for module in reporting_list:
self.process(module)
else:
log.info("No reporting modules loaded")
def run(self, results):
"""Run analysis.
@return: MISP results dict.
"""
if not PYMISP:
log.error("pyMISP dependency is missing.")
return
url = self.options.get("url", "")
apikey = self.options.get("apikey", "")
if not url or not apikey:
log.error("MISP URL or API key not configured.")
return
self.threads = self.options.get("threads", "")
if not self.threads:
self.threads = 5
whitelist = list()
self.iocs = deque()
self.misper = dict()
threads_list = list()
self.misp_full_report = dict()
self.lock = threading.Lock()
try:
# load whitelist if exists
if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
whitelist = Config("misp").whitelist.whitelist
if whitelist:
whitelist = [ioc.strip() for ioc in whitelist.split(",")]
self.misp = PyMISP(url, apikey, False, "json")
if self.options.get("extend_context", ""):
for drop in results.get("dropped", []):
if drop.get("md5", "") and drop["md5"] not in self.iocs and drop["md5"] not in whitelist:
self.iocs.append(drop["md5"])
if results.get("target", {}).get("file", {}).get("md5", "") and results["target"]["file"]["md5"] not in whitelist:
self.iocs.append(results["target"]["file"]["md5"])
for block in results.get("network", {}).get("hosts", []):
if block.get("ip", "") and block["ip"] not in self.iocs and block["ip"] not in whitelist:
self.iocs.append(block["ip"])
if block.get("hostname", "") and block["hostname"] not in self.iocs and block["hostname"] not in whitelist:
self.iocs.append(block["hostname"])
if not self.iocs:
return
for thread_id in xrange(int(self.threads)):
thread = threading.Thread(target=self.misper_thread, args=(url,))
thread.daemon = True
thread.start()
threads_list.append(thread)
for thread in threads_list:
thread.join()
if self.misper:
results["misp"] = sorted(self.misper.values(), key=lambda x: datetime.strptime(x["date"], "%Y-%m-%d"), reverse=True)
misp_report_path = os.path.join(self.reports_path, "misp.json")
full_report = open(misp_report_path, "wb")
full_report.write(json.dumps(self.misp_full_report))
full_report.close()
if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
self.cuckoo2misp(results, whitelist)
except Exception as e:
log.error("Failed to generate JSON report: %s" % e)
class RunAuxiliary(object):
"""Auxiliary modules manager."""
def __init__(self, task, machine):
self.task = task
self.machine = machine
self.cfg = Config("auxiliary")
self.enabled = []
def start(self):
auxiliary_list = list_plugins(group="auxiliary")
if auxiliary_list:
for module in auxiliary_list:
try:
current = module()
except:
log.exception("Failed to load the auxiliary module "
'"{0}":'.format(module))
return
module_name = inspect.getmodule(current).__name__
if "." in module_name:
module_name = module_name.rsplit(".", 1)[1]
try:
options = self.cfg.get(module_name)
except CuckooOperationalError:
log.debug(
"Auxiliary module %s not found in "
"configuration file", module_name)
continue
if not options.enabled:
continue
current.set_task(self.task)
current.set_machine(self.machine)
current.set_options(options)
try:
current.start()
except NotImplementedError:
pass
except Exception as e:
log.warning("Unable to start auxiliary module %s: %s",
module_name, e)
else:
log.debug("Started auxiliary module: %s",
current.__class__.__name__)
self.enabled.append(current)
def callback(self, name, *args, **kwargs):
def default(*args, **kwargs):
pass
enabled = []
for module in self.enabled:
try:
getattr(module, "cb_%s" % name, default)(*args, **kwargs)
except NotImplementedError:
pass
except CuckooDisableModule:
continue
except:
log.exception(
"Error performing callback %r on auxiliary module %r",
name,
module.__class__.__name__,
extra={"task_id": self.task["id"]})
enabled.append(module)
self.enabled = enabled
def stop(self):
for module in self.enabled:
try:
module.stop()
except NotImplementedError:
pass
except Exception as e:
log.warning("Unable to stop auxiliary module: %s", e)
else:
log.debug("Stopped auxiliary module: %s",
module.__class__.__name__)
class RunProcessing(object):
"""Analysis Results Processing Engine.
This class handles the loading and execution of the processing modules.
It executes the enabled ones sequentially and generates a dictionary which
is then passed over the reporting engine.
"""
def __init__(self, task, results):
"""@param task: task dictionary of the analysis to process."""
self.task = task
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses",
str(task["id"]))
self.cfg = Config("processing")
self.cuckoo_cfg = Config()
self.results = results
def process(self, module):
"""Run a processing module.
@param module: processing module to run.
@return: results generated by module.
"""
# Initialize the specified processing module.
try:
current = module(self.results)
except:
log.exception("Failed to load the processing module "
'"{0}":'.format(module))
return
# Extract the module name.
module_name = inspect.getmodule(current).__name__
if "." in module_name:
module_name = module_name.rsplit(".", 1)[1]
try:
options = self.cfg.get(module_name)
except CuckooOperationalError:
log.debug("Processing module %s not found in configuration file",
module_name)
return None
# If the processing module is disabled in the config, skip it.
if not options.enabled:
return None
# Give it path to the analysis results.
current.set_path(self.analysis_path)
# Give it the analysis task object.
current.set_task(self.task)
# Give it the options from the relevant processing.conf section.
current.set_options(options)
try:
# Run the processing module and retrieve the generated data to be
# appended to the general results container.
log.debug(
'Executing processing module "%s" on analysis at '
'"%s"', current.__class__.__name__, self.analysis_path)
pretime = datetime.now()
data = current.run()
posttime = datetime.now()
timediff = posttime - pretime
self.results["statistics"]["processing"].append({
"name":
current.__class__.__name__,
"time":
float("%d.%03d" %
(timediff.seconds, timediff.microseconds / 1000)),
})
# If succeeded, return they module's key name and the data to be
# appended to it.
return {current.key: data}
except CuckooDependencyError as e:
log.warning(
'The processing module "%s" has missing dependencies: %s',
current.__class__.__name__, e)
except CuckooProcessingError as e:
log.warning(
'The processing module "%s" returned the following '
"error: %s", current.__class__.__name__, e)
except:
log.exception('Failed to run the processing module "%s":',
current.__class__.__name__)
return None
def run(self):
"""Run all processing modules and all signatures.
@return: processing results.
"""
# Order modules using the user-defined sequence number.
# If none is specified for the modules, they are selected in
# alphabetical order.
processing_list = list_plugins(group="processing")
# If no modules are loaded, return an empty dictionary.
if processing_list:
processing_list.sort(key=lambda module: module.order)
# Run every loaded processing module.
for module in processing_list:
result = self.process(module)
# If it provided some results, append it to the big results
# container.
if result:
self.results.update(result)
else:
log.info("No processing modules loaded")
# For correct error log on webgui
logs = os.path.join(self.analysis_path, "logs")
if os.path.exists(logs):
for file_name in os.listdir(logs):
file_path = os.path.join(logs, file_name)
if os.path.isdir(file_path):
continue
# Skipping the current log file if it's too big.
if os.stat(
file_path
).st_size > self.cuckoo_cfg.processing.analysis_size_limit:
if not hasattr(self.results, "debug"):
self.results.setdefault("debug", dict()).setdefault(
"errors", list())
self.results["debug"]["errors"].append(
"Behavioral log {0} too big to be processed, skipped. Increase analysis_size_limit in cuckoo.conf"
.format(file_name))
continue
else:
log.info(
"Logs folder doesn't exist, maybe something with with analyzer folder, any change?"
)
family = ""
self.results["malfamily_tag"] = ""
if self.cfg.detections.enabled:
if self.results.get("detections",
False) and self.cfg.detections.yara:
family = self.results["detections"]
self.results["malfamily_tag"] = "Yara"
elif self.cfg.detections.suricata and not family and "suricata" in self.results and "alerts" in self.results[
"suricata"] and self.results["suricata"]["alerts"]:
for alert in self.results["suricata"]["alerts"]:
if alert.get("signature",
"") and alert["signature"].startswith(
(et_categories)):
family = get_suricata_family(alert["signature"])
if family:
self.results["malfamily_tag"] = "Suricata"
self.results["detections"] = family
elif (self.cfg.detections.virustotal and not family
and self.results["info"]["category"] == "file"
and "virustotal" in self.results
and "results" in self.results["virustotal"]
and self.results["virustotal"]["results"]):
detectnames = []
for res in self.results["virustotal"]["results"]:
if res["sig"] and "Trojan.Heur." not in res["sig"]:
# weight Microsoft's detection, they seem to be more accurate than the rest
if res["vendor"] == "Microsoft":
detectnames.append(res["sig"])
detectnames.append(res["sig"])
family = get_vt_consensus(detectnames)
self.results["malfamily_tag"] = "VirusTotal"
# fall back to ClamAV detection
elif (self.cfg.detections.clamav and not family
and self.results["info"]["category"] == "file"
and "clamav" in self.results.get("target", {}).get(
"file", {})
and self.results["target"]["file"]["clamav"]):
for detection in self.results["target"]["file"]["clamav"]:
if detection.startswith("Win.Trojan."):
words = re.findall(r"[A-Za-z0-9]+", detection)
family = words[2]
self.results["malfamily_tag"] = "ClamAV"
if family:
self.results["detections"] = family
return self.results
def __init__(self, task, results):
self.task = task
self.results = results
self.ttps = dict()
self.cfg_processing = Config("processing")
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import sys
import os
# Cuckoo path.
CUCKOO_PATH = os.path.join(os.getcwd(), "..")
sys.path.append(CUCKOO_PATH)
from lib.cuckoo.common.config import Config
cfg = Config("reporting").mongodb
# Checks if mongo reporting is enabled in Cuckoo.
if not cfg.get("enabled"):
raise Exception("Mongo reporting module is not enabled in cuckoo, aborting!")
# Get connection options from reporting.conf.
MONGO_HOST = cfg.get("host", "127.0.0.1")
MONGO_PORT = cfg.get("port", 27017)
MONGO_DB = cfg.get("db", "cuckoo")
moloch_cfg = Config("reporting").moloch
aux_cfg = Config("auxiliary")
vtdl_cfg = Config("auxiliary").virustotaldl
MOLOCH_BASE = moloch_cfg.get("base", None)
MOLOCH_NODE = moloch_cfg.get("node", None)
MOLOCH_ENABLED = moloch_cfg.get("enabled", False)
def submit_url(request):
if request.method == "POST":
package = request.POST.get("package", "")
timeout = min(force_int(request.POST.get("timeout")), 60 * 60 * 24)
options = request.POST.get("options", "")
priority = force_int(request.POST.get("priority"))
machine = request.POST.get("machine", "")
gateway = request.POST.get("gateway", None)
clock = request.POST.get("clock", None)
custom = request.POST.get("custom", "")
memory = bool(request.POST.get("memory", False))
enforce_timeout = bool(request.POST.get("enforce_timeout", False))
status = bool(request.POST.get("user_status", False))
if not status:
user_status=0
else:
user_status=1
if request.user.id==None:
user_id = 1
else:
user_id = request.user.id
tags = request.POST.get("tags", None)
if request.POST.get("free"):
if options:
options += ","
options += "free=yes"
if request.POST.get("nohuman"):
if options:
options += ","
options += "nohuman=yes"
if request.POST.get("tor"):
if options:
options += ","
options += "tor=yes"
if request.POST.get("process_memory"):
if options:
options += ","
options += "procmemdump=yes"
if request.POST.get("kernel_analysis"):
if options:
options += ","
options += "kernel_analysis=yes"
if gateway and gateway in settings.GATEWAYS:
if "," in settings.GATEWAYS[gateway]:
tgateway = random.choice(settings.GATEWAYS[gateway].split(","))
ngateway = settings.GATEWAYS[tgateway]
else:
ngateway = settings.GATEWAYS[gateway]
if options:
options += ","
options += "setgw=%s" % (ngateway)
db = Database()
task_ids = []
task_machines = []
if machine.lower() == "all":
for entry in db.list_machines():
task_machines.append(entry.label)
else:
task_machines.append(machine)
if "url" in request.POST and request.POST.get("url").strip():
url = request.POST.get("url").strip()
if not url:
return render_to_response("error.html",
{"error": "You specified an invalid URL!"},
context_instance=RequestContext(request))
provious_analysis = results_db.analysis.find({"target.url": url}).sort([["_id", -1]])
task = []
for single in provious_analysis:
#pp.pprint(single)
single["info"]["base64"] = until.encrpt(single["info"]["id"])
single["info"]["url"] = single["target"]["url"]
pp.pprint(single["info"])
task.append(single["info"])
second_post = json.dumps({"url":url,"package":package,"timeout":timeout,"options":options,"priority":priority,"custom":custom,"memory":memory,"enforce_timeout":enforce_timeout,"tags":tags,"clock":clock,"user_status":user_status,"user_id":user_id},sort_keys=True)
if provious_analysis.count()>=1:
return render_to_response("submission/ShowSimilarUrl.html",
{"tasks" : task, "params" : second_post},
context_instance=RequestContext(request))
url = url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")
for entry in task_machines:
task_id = db.add_url(url=url,
package=package,
timeout=timeout,
options=options,
priority=priority,
machine=entry,
custom=custom,
memory=memory,
enforce_timeout=enforce_timeout,
tags=tags,
clock=clock,
user_status=user_status,
user_id=user_id)
if task_id:
#pp.pprint(task_id)
task_ids.append(until.encrpt(task_id))
tasks_count = len(task_ids)
if tasks_count > 0:
return render_to_response("submission/complete.html",
{"tasks" : task_ids,
"tasks_count" : tasks_count},
context_instance=RequestContext(request))
else:
return render_to_response("error.html",
{"error": "Error adding task to Cuckoo's database."},
context_instance=RequestContext(request))
else:
enabledconf = dict()
enabledconf["vt"] = settings.VTDL_ENABLED
enabledconf["kernel"] = settings.OPT_ZER0M0N
enabledconf["memory"] = Config("processing").memory.get("enabled")
enabledconf["procmemory"] = Config("processing").procmemory.get("enabled")
enabledconf["tor"] = Config("auxiliary").tor.get("enabled")
if Config("auxiliary").gateways:
enabledconf["gateways"] = True
else:
enabledconf["gateways"] = False
enabledconf["tags"] = False
# Get enabled machinery
machinery = Config("cuckoo").cuckoo.get("machinery")
# Get VM names for machinery config elements
vms = [x.strip() for x in getattr(Config(machinery), machinery).get("machines").split(",")]
# Check each VM config element for tags
for vmtag in vms:
if "tags" in getattr(Config(machinery), vmtag).keys():
enabledconf["tags"] = True
files = os.listdir(os.path.join(settings.CUCKOO_PATH, "analyzer", "windows", "modules", "packages"))
packages = []
for name in files:
name = os.path.splitext(name)[0]
if name == "__init__":
continue
packages.append(name)
# Prepare a list of VM names, description label based on tags.
machines = []
for machine in Database().list_machines():
tags = []
for tag in machine.tags:
tags.append(tag.name)
if tags:
label = machine.label + ": " + ", ".join(tags)
else:
label = machine.label
machines.append((machine.label, label))
# Prepend ALL/ANY options.
machines.insert(0, ("", "First available"))
machines.insert(1, ("all", "All"))
return render_to_response("submission/submit_url.html",
{"packages": sorted(packages),
"machines": machines,
"gateways": settings.GATEWAYS,
"config": enabledconf},
context_instance=RequestContext(request))
def __init__(self, maxcount=None):
self.running = True
self.cfg = Config()
self.db = Database()
self.maxcount = maxcount
self.total_analysis_count = 0
from lib.cuckoo.common.exceptions import CuckooCriticalError
from lib.cuckoo.common.objects import File, HAVE_PEFILE, pefile
from lib.cuckoo.common.utils import create_folder, get_memdump_path, free_space_monitor
from lib.cuckoo.core.database import Database, TASK_COMPLETED
from lib.cuckoo.core.guest import GuestManager
from lib.cuckoo.core.plugins import list_plugins, RunAuxiliary
from lib.cuckoo.core.resultserver import ResultServer
from lib.cuckoo.core.rooter import rooter, vpns, _load_socks5_operational
from lib.cuckoo.common.utils import convert_to_printable, get_options
log = logging.getLogger(__name__)
machinery = None
machine_lock = None
latest_symlink_lock = threading.Lock()
routing = Config("routing")
active_analysis_count = 0
class CuckooDeadMachine(Exception):
"""Exception thrown when a machine turns dead.
When this exception has been thrown, the analysis task will start again,
and will try to use another machine, when available.
"""
pass
class AnalysisManager(threading.Thread):
IS_DPKT = False
# Imports for the batch sort.
# http://stackoverflow.com/questions/10665925/how-to-sort-huge-files-with-python
# http://code.activestate.com/recipes/576755/
import heapq
from itertools import islice
from collections import namedtuple
TLS_HANDSHAKE = 22
Keyed = namedtuple("Keyed", ["key", "obj"])
Packet = namedtuple("Packet", ["raw", "ts"])
log = logging.getLogger(__name__)
cfg = Config()
proc_cfg = Config("processing")
enabled_whitelist = proc_cfg.network.dnswhitelist
whitelist_file = proc_cfg.network.dnswhitelist_file
enabled_ip_whitelist = proc_cfg.network.ipwhitelist
ip_whitelist_file = proc_cfg.network.ipwhitelist_file
class Pcap:
"""Reads network data from PCAP file."""
def __init__(self, filepath, ja3_fprints):
"""Creates a new instance.
@param filepath: path to PCAP file
"""
self.filepath = filepath
def process(self, module):
"""Run a single reporting module.
@param module: reporting module.
@param results: results results from analysis.
"""
# Initialize current reporting module.
try:
current = module()
except:
log.exception(
'Failed to load the reporting module "{0}":'.format(module))
return
# Extract the module name.
module_name = inspect.getmodule(current).__name__
if "." in module_name:
module_name = module_name.rsplit(".", 1)[1]
try:
options = self.cfg.get(module_name)
except CuckooOperationalError:
log.info("Reporting module %s not found in configuration file",
module_name)
return
# If the reporting module is disabled in the config, skip it.
if not options.enabled:
return
# Give it the path to the analysis results folder.
current.set_path(self.analysis_path)
# Give it the analysis task object.
current.set_task(self.task)
# Give it the the relevant reporting.conf section.
current.set_options(options)
# Load the content of the analysis.conf file.
current.cfg = Config(cfg=current.conf_path)
try:
log.debug('Executing reporting module "%s"',
current.__class__.__name__)
pretime = datetime.now()
if module_name == "submitCAPE" and self.reprocess:
tasks = db.list_parents(self.task["id"])
if tasks:
self.results["CAPE_children"] = tasks
return
else:
current.run(self.results)
posttime = datetime.now()
timediff = posttime - pretime
self.results["statistics"]["reporting"].append({
"name":
current.__class__.__name__,
"time":
float("%d.%03d" %
(timediff.seconds, timediff.microseconds / 1000)),
})
except CuckooDependencyError as e:
log.warning(
'The reporting module "%s" has missing dependencies: %s',
current.__class__.__name__, e)
except CuckooReportError as e:
log.warning(
'The reporting module "%s" returned the following error: %s',
current.__class__.__name__, e)
except:
log.exception('Failed to run the reporting module "%s":',
current.__class__.__name__)
class RunReporting:
"""Reporting Engine.
This class handles the loading and execution of the enabled reporting
modules. It receives the analysis results dictionary from the Processing
Engine and pass it over to the reporting modules before executing them.
"""
def __init__(self, task, results, reprocess=False):
"""@param analysis_path: analysis folder path."""
self.task = task
# remove unwanted/duplicate information from reporting
for process in results["behavior"]["processes"]:
process["calls"].begin_reporting()
# required to convert object to list
process["calls"] = list(process["calls"])
self.results = results
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses",
str(task["id"]))
self.cfg = Config("reporting")
self.reprocess = reprocess
def process(self, module):
"""Run a single reporting module.
@param module: reporting module.
@param results: results results from analysis.
"""
# Initialize current reporting module.
try:
current = module()
except:
log.exception(
'Failed to load the reporting module "{0}":'.format(module))
return
# Extract the module name.
module_name = inspect.getmodule(current).__name__
if "." in module_name:
module_name = module_name.rsplit(".", 1)[1]
try:
options = self.cfg.get(module_name)
except CuckooOperationalError:
log.info("Reporting module %s not found in configuration file",
module_name)
return
# If the reporting module is disabled in the config, skip it.
if not options.enabled:
return
# Give it the path to the analysis results folder.
current.set_path(self.analysis_path)
# Give it the analysis task object.
current.set_task(self.task)
# Give it the the relevant reporting.conf section.
current.set_options(options)
# Load the content of the analysis.conf file.
current.cfg = Config(cfg=current.conf_path)
try:
log.debug('Executing reporting module "%s"',
current.__class__.__name__)
pretime = datetime.now()
if module_name == "submitCAPE" and self.reprocess:
tasks = db.list_parents(self.task["id"])
if tasks:
self.results["CAPE_children"] = tasks
return
else:
current.run(self.results)
posttime = datetime.now()
timediff = posttime - pretime
self.results["statistics"]["reporting"].append({
"name":
current.__class__.__name__,
"time":
float("%d.%03d" %
(timediff.seconds, timediff.microseconds / 1000)),
})
except CuckooDependencyError as e:
log.warning(
'The reporting module "%s" has missing dependencies: %s',
current.__class__.__name__, e)
except CuckooReportError as e:
log.warning(
'The reporting module "%s" returned the following error: %s',
current.__class__.__name__, e)
except:
log.exception('Failed to run the reporting module "%s":',
current.__class__.__name__)
def run(self):
"""Generates all reports.
@raise CuckooReportError: if a report module fails.
"""
# In every reporting module you can specify a numeric value that
# represents at which position that module should be executed among
# all the available ones. It can be used in the case where a
# module requires another one to be already executed beforehand.
reporting_list = list_plugins(group="reporting")
# Return if no reporting modules are loaded.
if reporting_list:
reporting_list.sort(key=lambda module: module.order)
# Run every loaded reporting module.
for module in reporting_list:
self.process(module)
else:
log.info("No reporting modules loaded")
from lib.cuckoo.common.utils import create_folder, get_memdump_path, free_space_monitor
from lib.cuckoo.core.database import Database, TASK_COMPLETED
from lib.cuckoo.core.guest import GuestManager
from lib.cuckoo.core.plugins import list_plugins, RunAuxiliary
from lib.cuckoo.core.resultserver import ResultServer
from lib.cuckoo.core.rooter import rooter, vpns, _load_socks5_operational
from lib.cuckoo.common.utils import convert_to_printable
log = logging.getLogger(__name__)
machinery = None
machine_lock = None
latest_symlink_lock = threading.Lock()
active_analysis_count = 0
routing_cfg = Config("routing")
class CuckooDeadMachine(Exception):
"""Exception thrown when a machine turns dead.
When this exception has been thrown, the analysis task will start again,
and will try to use another machine, when available.
"""
pass
class AnalysisManager(threading.Thread):
"""Analysis Manager.
This class handles the full analysis process for a given task. It takes
def __init__(self, task, machine):
self.task = task
self.machine = machine
self.cfg = Config("auxiliary")
self.enabled = []
def __init__(self, filepath, ja3_fprints):
"""Creates a new instance.
@param filepath: path to PCAP file
"""
self.filepath = filepath
self.ja3_fprints = ja3_fprints
# List of all hosts.
self.hosts = []
# List containing all non-private IP addresses.
self.unique_hosts = []
# List of unique domains.
self.unique_domains = []
# List containing all TCP packets.
self.tcp_connections = []
self.tcp_connections_seen = set()
# List containing all UDP packets.
self.udp_connections = []
self.udp_connections_seen = set()
# List containing all ICMP requests.
self.icmp_requests = []
# List containing all HTTP requests.
self.http_requests = OrderedDict()
# List containing all DNS requests.
self.dns_requests = OrderedDict()
self.dns_answers = set()
# List containing all SMTP requests.
self.smtp_requests = []
# Reconstruncted SMTP flow.
self.smtp_flow = {}
# List containing all IRC requests.
self.irc_requests = []
# List containing all JA3 hashes.
self.ja3_records = []
# Dictionary containing all the results of this processing.
self.results = {}
# Config
self.config = Config()
# DNS Whitelist
self.domain_whitelist = [
# Certificate Trust Update domains
"^ocsp\.usertrust\.com$",
"\.windows\.com$",
"^ocsp\.comodoca\.com$",
"^ctldl\.windowsupdate\.com$",
"^crl\.microsoft\.com$",
"\.microsoft\.com$",
"\.skype\.com$",
"\.live\.com$",
"\clients[0-9]+\.google\.com$",
"\.googleapis\.com$",
"\.gvt1\.com$",
"\.msedge\.net$",
"\.msftncsi\.com$",
"^apps\.identrust\.com$",
"^isrg\.trustid\.ocsp\.identrust\.com$",
"^urs\.microsoft\.com$",
"^config\.edge\.skype\.com$",
"^client-office365-tas\.msedge\.net$",
"^files\.acrobat\.com$",
"^acroipm2\.adobe\.com$",
"^acroipm\.adobe\.com$",
"^ocsp\.trust-provider\.com$",
"^ocsp\.comodoca4\.com$",
"^ocsp\.pki\.goog$",
]
if enabled_whitelist and whitelist_file:
with open(os.path.join(CUCKOO_ROOT, whitelist_file), 'r') as f:
self.domain_whitelist += self.domain_whitelist + f.read(
).split("\n")
self.domain_whitelist = list(set(self.domain_whitelist))
self.ip_whitelist = set()
def __init__(self, dsn=None, schema_check=True):
"""@param dsn: database connection string.
@param schema_check: disable or enable the db schema version check
"""
self._lock = SuperLock()
cfg = Config()
if dsn:
self._connect_database(dsn)
elif cfg.database.connection:
self._connect_database(cfg.database.connection)
else:
db_file = os.path.join(CUCKOO_ROOT, "db", "cuckoo.db")
if not os.path.exists(db_file):
db_dir = os.path.dirname(db_file)
if not os.path.exists(db_dir):
try:
create_folder(folder=db_dir)
except CuckooOperationalError as e:
raise CuckooDatabaseError(
"Unable to create database directory: {0}".format(
e))
self._connect_database("sqlite:///%s" % db_file)
# Disable SQL logging. Turn it on for debugging.
self.engine.echo = False
# Connection timeout.
if cfg.database.timeout:
self.engine.pool_timeout = cfg.database.timeout
else:
self.engine.pool_timeout = 60
# Create schema.
try:
Base.metadata.create_all(self.engine)
except SQLAlchemyError as e:
raise CuckooDatabaseError(
"Unable to create or connect to database: {0}".format(e))
# Get db session.
self.Session = sessionmaker(bind=self.engine)
# Deal with schema versioning.
# TODO: it's a little bit dirty, needs refactoring.
tmp_session = self.Session()
if not tmp_session.query(AlembicVersion).count():
# Set database schema version.
tmp_session.add(AlembicVersion(version_num=SCHEMA_VERSION))
try:
tmp_session.commit()
except SQLAlchemyError as e:
raise CuckooDatabaseError(
"Unable to set schema version: {0}".format(e))
tmp_session.rollback()
finally:
tmp_session.close()
else:
# Check if db version is the expected one.
last = tmp_session.query(AlembicVersion).first()
tmp_session.close()
if last.version_num != SCHEMA_VERSION and schema_check:
raise CuckooDatabaseError(
"DB schema version mismatch: found {0}, expected {1}. "
"Try to apply all migrations (cd utils/db_migration/ && "
"alembic upgrade head).".format(last.version_num,
SCHEMA_VERSION))
import sys
import os
try:
import re2 as re
except ImportError:
import re
# Cuckoo path.
CUCKOO_PATH = os.path.join(os.getcwd(), "..")
sys.path.append(CUCKOO_PATH)
from lib.cuckoo.common.config import Config
# Build a list of VPN endpoints for display in the submission page
vpn = Config("vpn")
if vpn.vpn.enabled:
for name in vpn.vpn.vpns.split(","):
name = name.strip()
if not name:
continue
entry = vpn.get(name)
vpn.vpn[entry.name] = entry
cuckoo_cfg = Config()
repconf = Config("reporting")
aux_cfg = Config("auxiliary")
vtdl_cfg = aux_cfg.virustotaldl
zip_cfg = aux_cfg.zipped_download
# Error handling for database backends
def run(self, results):
"""Run analysis.
@return: MISP results dict.
"""
if not PYMISP:
log.error("pyMISP dependency is missing.")
return
url = self.options.get("url", "")
apikey = self.options.get("apikey", "")
if not url or not apikey:
log.error("MISP URL or API key not configured.")
return
self.threads = self.options.get("threads", "")
if not self.threads:
self.threads = 5
whitelist = list()
whitelist_ua = list()
self.iocs = deque()
self.misper = dict()
threads_list = list()
self.misp_full_report = dict()
self.lock = threading.Lock()
self.master_obj = None
self.slaves_id = deque()
try:
# load whitelist if exists
if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
whitelist = Config("misp").whitelist.whitelist
if whitelist:
whitelist = [ioc.strip() for ioc in whitelist.split(",")]
whitelist_ua = Config("misp").whitelist.whitelist_ua
if whitelist_ua:
whitelist_ua = [ioc.strip() for ioc in whitelist_ua.split(",")]
self.misp = PyMISP(url, apikey, False, "json")
if self.options.get("extend_context", ""):
for drop in results.get("dropped", []):
if drop.get("md5", "") and drop["md5"] not in self.iocs and drop["md5"] not in whitelist and "PE32" in drop["type"] :
self.iocs.append(drop["md5"])
if results.get("target", {}).get("file", {}).get("md5", "") and results["target"]["file"]["md5"] not in whitelist:
self.iocs.append(results["target"]["file"]["md5"])
for block in results.get("network", {}).get("hosts", []):
if block.get("ip", "") and block["ip"] not in self.iocs and block["ip"] not in whitelist:
self.iocs.append(block["ip"])
if block.get("hostname", "") and block["hostname"] not in self.iocs and block["hostname"] not in whitelist:
self.iocs.append(block["hostname"])
if not self.iocs:
return
for thread_id in xrange(int(self.threads)):
thread = threading.Thread(target=self.misper_thread, args=(url,))
thread.daemon = True
thread.start()
threads_list.append(thread)
for thread in threads_list:
thread.join()
if self.misper:
results["misp"] = sorted(self.misper.values(), key=lambda x: datetime.strptime(x["date"], "%Y-%m-%d"), reverse=True)
misp_report_path = os.path.join(self.reports_path, "misp.json")
full_report = open(misp_report_path, "wb")
full_report.write(json.dumps(self.misp_full_report))
full_report.close()
tag_ids = self.options.get("tag", None)
if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
self.cuckoo2misp(results, whitelist, whitelist_ua, tag_ids)
except Exception as e:
log.error("Failed to generate JSON report: %s" % e)
def __init__(self, logs_path):
"""@param logs_path: logs path."""
self._logs_path = logs_path
self.cfg = Config()
def submit_file(request):
if request.method == "POST":
package = request.POST.get("package", "")
timeout = min(force_int(request.POST.get("timeout")), 60 * 60 * 24)
options = request.POST.get("options", "")
priority = force_int(request.POST.get("priority"))
machine = request.POST.get("machine", "")
gateway = request.POST.get("gateway", None)
clock = request.POST.get("clock", None)
custom = request.POST.get("custom", "")
memory = bool(request.POST.get("memory", False))
enforce_timeout = bool(request.POST.get("enforce_timeout", False))
status = bool(request.POST.get("user_status", False))
if not status:
user_status=0
else:
user_status=1
if request.user.id==None:
user_id = 1
else:
user_id = request.user.id
tags = request.POST.get("tags", None)
if request.POST.get("free"):
if options:
options += ","
options += "free=yes"
if request.POST.get("nohuman"):
if options:
options += ","
options += "nohuman=yes"
if request.POST.get("tor"):
if options:
options += ","
options += "tor=yes"
if request.POST.get("process_memory"):
if options:
options += ","
options += "procmemdump=yes"
if request.POST.get("kernel_analysis"):
if options:
options += ","
options += "kernel_analysis=yes"
if gateway and gateway in settings.GATEWAYS:
if "," in settings.GATEWAYS[gateway]:
tgateway = random.choice(settings.GATEWAYS[gateway].split(","))
ngateway = settings.GATEWAYS[tgateway]
else:
ngateway = settings.GATEWAYS[gateway]
if options:
options += ","
options += "setgw=%s" % (ngateway)
db = Database()
task_ids = []
task_machines = []
if machine.lower() == "all":
for entry in db.list_machines():
task_machines.append(entry.label)
else:
task_machines.append(machine)
if "sample" in request.FILES:
for sample in request.FILES.getlist("sample"):
if sample.size == 0:
return render_to_response("error.html",
{"error": "You uploaded an empty file."},
context_instance=RequestContext(request))
elif sample.size > settings.MAX_UPLOAD_SIZE:
return render_to_response("error.html",
{"error": "You uploaded a file that exceeds that maximum allowed upload size."},
context_instance=RequestContext(request))
# Moving sample from django temporary file to Cuckoo temporary storage to
# let it persist between reboot (if user like to configure it in that way).
path = store_temp_file(sample.read(),
sample.name)
pp.pprint("\nFile Path is %s\n" % path)
currentMD5 = until.getBigFileMD5(path)
provious_analysis = results_db.analysis.find({"target.file.md5": currentMD5}).sort([["_id", -1]])
task = []
for single in provious_analysis:
#pp.pprint(single)
single["info"]["base64"] = until.encrpt(single["info"]["id"])
single["info"]["filename"] = single["target"]["file"]["name"]
pp.pprint(single["info"])
task.append(single["info"])
second_post = json.dumps({"file_path":path,"package":package,"timeout":timeout,"options":options,"machine":machine,"priority":priority,"custom":custom,"memory":memory,"enforce_timeout":enforce_timeout,"tags":tags,"clock":clock,"user_status":user_status,"user_id":user_id}, sort_keys=True)
pp.pprint(second_post)
if provious_analysis.count()>=1:
return render_to_response("submission/ShowSimilar.html",
{"tasks" : task, "params" : second_post},
context_instance=RequestContext(request))
else:
#tempfilePath = request.POST.get("file_path", "")
for entry in task_machines:
task_ids_new = db.demux_sample_and_add_to_db(file_path=path, package=package, timeout=timeout, options=options, priority=priority,
machine=entry, custom=custom, memory=memory, enforce_timeout=enforce_timeout, tags=tags, clock=clock, user_status=user_status, user_id=user_id)
pp.pprint(task_ids_new)
final_task_ids=[]
for taskId in task_ids_new:
final_task_ids.append(until.encrpt(taskId))
task_ids.extend(final_task_ids)
tasks_count = len(task_ids)
pp.pprint(task_ids)
if tasks_count > 0:
return render_to_response("submission/complete.html",
{"tasks" : task_ids,
"tasks_count" : tasks_count},
context_instance=RequestContext(request))
else:
return render_to_response("error.html",
{"error": "Error adding task to Cuckoo's database."},
context_instance=RequestContext(request))
else:
enabledconf = dict()
enabledconf["vt"] = settings.VTDL_ENABLED
enabledconf["kernel"] = settings.OPT_ZER0M0N
enabledconf["memory"] = Config("processing").memory.get("enabled")
enabledconf["procmemory"] = Config("processing").procmemory.get("enabled")
enabledconf["tor"] = Config("auxiliary").tor.get("enabled")
if Config("auxiliary").gateways:
enabledconf["gateways"] = True
else:
enabledconf["gateways"] = False
enabledconf["tags"] = False
# Get enabled machinery
machinery = Config("cuckoo").cuckoo.get("machinery")
# Get VM names for machinery config elements
vms = [x.strip() for x in getattr(Config(machinery), machinery).get("machines").split(",")]
# Check each VM config element for tags
for vmtag in vms:
if "tags" in getattr(Config(machinery), vmtag).keys():
enabledconf["tags"] = True
files = os.listdir(os.path.join(settings.CUCKOO_PATH, "analyzer", "windows", "modules", "packages"))
packages = []
for name in files:
name = os.path.splitext(name)[0]
if name == "__init__":
continue
packages.append(name)
# Prepare a list of VM names, description label based on tags.
machines = []
for machine in Database().list_machines():
tags = []
for tag in machine.tags:
tags.append(tag.name)
if tags:
label = machine.label + ": " + ", ".join(tags)
else:
label = machine.label
machines.append((machine.label, label))
# Prepend ALL/ANY options.
machines.insert(0, ("", "First available"))
machines.insert(1, ("all", "All"))
return render_to_response("submission/submit_file.html",
{"packages": sorted(packages),
"machines": machines,
"gateways": settings.GATEWAYS,
"config": enabledconf},
context_instance=RequestContext(request))
from django.core.exceptions import PermissionDenied
from urllib import quote
sys.path.append(settings.CUCKOO_PATH)
from lib.cuckoo.core.database import Database, TASK_PENDING
from lib.cuckoo.common.config import Config
from lib.cuckoo.common.constants import CUCKOO_ROOT
import modules.processing.network as network
TASK_LIMIT = 25
# Used for displaying enabled config options in Django UI
enabledconf = dict()
for cfile in ["reporting", "processing"]:
curconf = Config(cfile)
confdata = curconf.get_config()
for item in confdata:
if confdata[item]["enabled"] == "yes":
enabledconf[item] = True
else:
enabledconf[item] = False
if enabledconf["mongodb"]:
import pymongo
from bson.objectid import ObjectId
from gridfs import GridFS
results_db = pymongo.MongoClient(settings.MONGO_HOST, settings.MONGO_PORT)[settings.MONGO_DB]
fs = GridFS(results_db)
def __init__(self):
self.running = True
self.cfg = Config()
self.db = Database()
def initialize(self):
"""Initialize the machine manager."""
global machinery, machine_lock
machinery_name = self.cfg.cuckoo.machinery
max_vmstartup_count = self.cfg.cuckoo.max_vmstartup_count
if max_vmstartup_count:
machine_lock = threading.Semaphore(max_vmstartup_count)
else:
machine_lock = threading.Lock()
log.info(
'Using "%s" machine manager with max_analysis_count=%d, '
"max_machines_count=%d, and max_vmstartup_count=%d",
machinery_name,
self.cfg.cuckoo.max_analysis_count,
self.cfg.cuckoo.max_machines_count,
self.cfg.cuckoo.max_vmstartup_count,
)
# Get registered class name. Only one machine manager is imported,
# therefore there should be only one class in the list.
plugin = list_plugins("machinery")[0]
# Initialize the machine manager.
machinery = plugin()
# Find its configuration file.
conf = os.path.join(CUCKOO_ROOT, "conf", "%s.conf" % machinery_name)
if not os.path.exists(conf):
raise CuckooCriticalError("The configuration file for machine "
'manager "{0}" does not exist at path:'
" {1}".format(machinery_name, conf))
# Provide a dictionary with the configuration options to the
# machine manager instance.
machinery.set_options(Config(machinery_name))
# Initialize the machine manager.
try:
machinery.initialize(machinery_name)
except CuckooMachineError as e:
raise CuckooCriticalError("Error initializing machines: %s" % e)
# At this point all the available machines should have been identified
# and added to the list. If none were found, Cuckoo needs to abort the
# execution.
if not len(machinery.machines()):
raise CuckooCriticalError("No machines available.")
else:
log.info("Loaded %s machine/s", len(machinery.machines()))
if len(machinery.machines()) > 1 and self.db.engine.name == "sqlite":
log.warning("As you've configured Cuckoo to execute parallel "
"analyses, we recommend you to switch to a MySQL "
"a PostgreSQL database as SQLite might cause some "
"issues.")
# Drop all existing packet forwarding rules for each VM. Just in case
# Cuckoo was terminated for some reason and various forwarding rules
# have thus not been dropped yet.
for machine in machinery.machines():
if not machine.interface:
log.info(
"Unable to determine the network interface for VM "
"with name %s, Cuckoo will not be able to give it "
"full internet access or route it through a VPN! "
"Please define a default network interface for the "
"machinery or define a network interface for each "
"VM.",
machine.name,
)
continue
# Drop forwarding rule to each VPN.
for vpn in vpns.values():
rooter("forward_disable", machine.interface, vpn.interface,
machine.ip)
# Drop forwarding rule to the internet / dirty line.
if routing.routing.internet != "none":
rooter("forward_disable", machine.interface,
routing.routing.internet, machine.ip)
# Imports for the batch sort.
# http://stackoverflow.com/questions/10665925/how-to-sort-huge-files-with-python
# http://code.activestate.com/recipes/576755/
import heapq
from itertools import islice
from collections import namedtuple
TLS_HANDSHAKE = 22
Keyed = namedtuple("Keyed", ["key", "obj"])
Packet = namedtuple("Packet", ["raw", "ts"])
log = logging.getLogger(__name__)
enabled_whitelist = Config("processing").network.dnswhitelist
whitelist_file = Config("processing").network.dnswhitelist_file
class Pcap:
"""Reads network data from PCAP file."""
def __init__(self, filepath, ja3_fprints):
"""Creates a new instance.
@param filepath: path to PCAP file
"""
self.filepath = filepath
self.ja3_fprints = ja3_fprints
# List of all hosts.
self.hosts = []
# List containing all non-private IP addresses.
# Copyright (C) 2010-2014 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import sys
import os
import json
from django.conf import settings
sys.path.append(settings.CUCKOO_PATH)
from lib.cuckoo.common.constants import CUCKOO_ROOT
from lib.cuckoo.common.config import Config
cfg = Config(cfg=os.path.join(CUCKOO_ROOT, "conf", "reporting.conf")).mongodb
moloch_cfg = Config(cfg=os.path.join(CUCKOO_ROOT, "conf", "reporting.conf")).moloch
aux_cfg = Config(cfg=os.path.join(CUCKOO_ROOT, "conf", "auxiliary.conf"))
vtdl_cfg = Config(cfg=os.path.join(CUCKOO_ROOT, "conf", "auxiliary.conf")).virustotaldl
# Checks if mongo reporting is enabled in Cuckoo.
if not cfg.get("enabled"):
raise Exception("Mongo reporting module is not enabled in cuckoo, aborting!")
# Get connection options from reporting.conf.
settings.MONGO_HOST = cfg.get("host", "127.0.0.1")
settings.MONGO_PORT = cfg.get("port", 27017)
settings.MONGO_PORT = cfg.get("port", 27017)
settings.MOLOCH_BASE = moloch_cfg.get("base", None)
settings.MOLOCH_NODE = moloch_cfg.get("node", None)
settings.MOLOCH_ENABLED = moloch_cfg.get("enabled", False)
import hashlib
import subprocess
from io import BytesIO
from collections import Mapping, Iterable
from lib.cuckoo.common.config import Config
from lib.cuckoo.common.constants import CUCKOO_ROOT
from lib.cuckoo.common.objects import File
log = logging.getLogger(__name__)
malware_parsers = dict()
cape_malware_parsers = dict()
# Config variables
repconf = Config("reporting")
if repconf.mongodb.enabled:
import pymongo
results_db = pymongo.MongoClient(
repconf.mongodb.host,
port=repconf.mongodb.port,
username=repconf.mongodb.get("username", None),
password=repconf.mongodb.get("password", None),
authSource=repconf.mongodb.db)[repconf.mongodb.db]
try:
import pefile
HAVE_PEFILE = True
except ImportError:
print("Missed pefile library. Install it with: pip3 install pefile")
class RunProcessing(object):
"""Analysis Results Processing Engine.
This class handles the loading and execution of the processing modules.
It executes the enabled ones sequentially and generates a dictionary which
is then passed over the reporting engine.
"""
def __init__(self, task, results):
"""@param task: task dictionary of the analysis to process."""
self.task = task
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task["id"]))
self.cfg = Config("processing")
self.results = results
def process(self, module):
"""Run a processing module.
@param module: processing module to run.
@return: results generated by module.
"""
# Initialize the specified processing module.
try:
current = module(self.results)
except:
log.exception("Failed to load the processing module "
"\"{0}\":".format(module))
return
# Extract the module name.
module_name = inspect.getmodule(current).__name__
if "." in module_name:
module_name = module_name.rsplit(".", 1)[1]
try:
options = self.cfg.get(module_name)
except CuckooOperationalError:
log.debug("Processing module %s not found in configuration file",
module_name)
return None
# If the processing module is disabled in the config, skip it.
if not options.enabled:
return None
# Give it path to the analysis results.
current.set_path(self.analysis_path)
# Give it the analysis task object.
current.set_task(self.task)
# Give it the options from the relevant processing.conf section.
current.set_options(options)
try:
# Run the processing module and retrieve the generated data to be
# appended to the general results container.
log.debug("Executing processing module \"%s\" on analysis at "
"\"%s\"", current.__class__.__name__, self.analysis_path)
pretime = datetime.now()
data = current.run()
posttime = datetime.now()
timediff = posttime - pretime
self.results["statistics"]["processing"].append({
"name": current.__class__.__name__,
"time": float("%d.%03d" % (timediff.seconds,
timediff.microseconds / 1000)),
})
# If succeeded, return they module's key name and the data to be
# appended to it.
return {current.key: data}
except CuckooDependencyError as e:
log.warning("The processing module \"%s\" has missing dependencies: %s", current.__class__.__name__, e)
except CuckooProcessingError as e:
log.warning("The processing module \"%s\" returned the following "
"error: %s", current.__class__.__name__, e)
except:
log.exception("Failed to run the processing module \"%s\":",
current.__class__.__name__)
return None
def run(self):
"""Run all processing modules and all signatures.
@return: processing results.
"""
# Order modules using the user-defined sequence number.
# If none is specified for the modules, they are selected in
# alphabetical order.
processing_list = list_plugins(group="processing")
# If no modules are loaded, return an empty dictionary.
if processing_list:
processing_list.sort(key=lambda module: module.order)
# Run every loaded processing module.
for module in processing_list:
result = self.process(module)
# If it provided some results, append it to the big results
# container.
if result:
self.results.update(result)
else:
log.info("No processing modules loaded")
return self.results
def demux_zip(filename, options):
retlist = []
try:
# only extract from files with no extension or with .bin (downloaded from us) or .zip extensions
ext = os.path.splitext(filename)[1]
if ext != "" and ext != ".zip" and ext != ".bin":
return retlist
extracted = []
password = "******"
fields = options.split(",")
for field in fields:
try:
key, value = field.split("=", 1)
if key == "password":
password = value
break
except:
pass
with ZipFile(filename, "r") as archive:
infolist = archive.infolist()
for info in infolist:
# avoid obvious bombs
if info.file_size > 100 * 1024 * 1024 or not info.file_size:
continue
# ignore empty filenames
if not info.filename:
continue
# ignore directories
if info.filename.endswith("/"):
continue
base, ext = os.path.splitext(info.filename)
basename = os.path.basename(info.filename)
ext = ext.lower()
if ext == "" and len(basename) and basename[0] == ".":
continue
for theext in demux_extensions_list:
if ext == theext:
extracted.append(info.filename)
break
if extracted:
options = Config()
tmp_path = options.cuckoo.get("tmppath", "/tmp")
target_path = os.path.join(tmp_path, "cuckoo-zip-tmp")
if not os.path.exists(target_path):
os.mkdir(target_path)
tmp_dir = tempfile.mkdtemp(prefix='cuckoozip_',
dir=target_path)
for extfile in extracted:
try:
retlist.append(
archive.extract(extfile,
path=tmp_dir,
pwd=password))
except:
retlist.append(archive.extract(extfile, path=tmp_dir))
except:
pass
return retlist
def run(self, manager=None, vm=None):
results = {}
# Exit if options were not loaded.
if not self.voptions:
return
# Check if theres a memory profile configured in the machinery config.
profile = Config(manager).get(vm).get("mem_profile")
if profile == None:
profile = self.osprofile
vol = VolatilityAPI(self.memfile, profile)
# TODO: improve the load of volatility functions.
if self.voptions.pslist.enabled:
results["pslist"] = vol.pslist()
if self.voptions.psxview.enabled:
results["psxview"] = vol.psxview()
if self.voptions.callbacks.enabled:
results["callbacks"] = vol.callbacks()
if self.voptions.idt.enabled:
try:
results["idt"] = vol.idt()
except:
pass
if self.voptions.ssdt.enabled:
results["ssdt"] = vol.ssdt()
if self.voptions.gdt.enabled:
try:
results["gdt"] = vol.gdt()
except:
pass
if self.voptions.timers.enabled:
results["timers"] = vol.timers()
if self.voptions.messagehooks.enabled:
results["messagehooks"] = vol.messagehooks()
if self.voptions.getsids.enabled:
results["getsids"] = vol.getsids()
if self.voptions.privs.enabled:
results["privs"] = vol.privs()
if self.voptions.malfind.enabled:
results["malfind"] = vol.malfind()
if self.voptions.apihooks.enabled:
results["apihooks"] = vol.apihooks()
if self.voptions.dlllist.enabled:
results["dlllist"] = vol.dlllist()
if self.voptions.handles.enabled:
results["handles"] = vol.handles()
if self.voptions.ldrmodules.enabled:
results["ldrmodules"] = vol.ldrmodules()
if self.voptions.mutantscan.enabled:
results["mutantscan"] = vol.mutantscan()
if self.voptions.devicetree.enabled:
results["devicetree"] = vol.devicetree()
if self.voptions.svcscan.enabled:
results["svcscan"] = vol.svcscan()
if self.voptions.modscan.enabled:
results["modscan"] = vol.modscan()
if self.voptions.yarascan.enabled:
results["yarascan"] = vol.yarascan()
if self.voptions.sockscan.enabled and profile.lower().startswith("winxp"):
results["sockscan"] = vol.sockscan()
if self.voptions.netscan.enabled and (
profile.lower().startswith("win7") or profile.lower().startswith("vista")):
results["netscan"] = vol.netscan()
self.find_taint(results)
self.do_strings()
self.zipdump()
self.cleanup()
return self.mask_filter(results)
def demux_rar(filename, options):
retlist = []
if not HAS_RARFILE:
return retlist
try:
extracted = []
password = "******"
fields = options.split(",")
for field in fields:
try:
key, value = field.split("=", 1)
if key == "password":
password = value
break
except:
pass
with RarFile(filename, "r") as archive:
infolist = archive.infolist()
for info in infolist:
# avoid obvious bombs
if info.file_size > 100 * 1024 * 1024 or not info.file_size:
continue
# ignore empty filenames
if not info.filename:
continue
# ignore directories
if info.filename.endswith("\\"):
continue
# add some more sanity checking since RarFile invokes an external handler
if "..\\" in info.filename:
continue
base, ext = os.path.splitext(info.filename)
basename = os.path.basename(info.filename)
ext = ext.lower()
if ext == "" and len(basename) and basename[0] == ".":
continue
for theext in demux_extensions_list:
if ext == theext:
extracted.append(info.filename)
break
if extracted:
options = Config()
tmp_path = options.cuckoo.get("tmppath", "/tmp")
target_path = os.path.join(tmp_path, "cuckoo-rar-tmp")
if not os.path.exists(target_path):
os.mkdir(target_path)
tmp_dir = tempfile.mkdtemp(prefix='cuckoorar_',
dir=target_path)
for extfile in extracted:
# RarFile differs from ZipFile in that extract() doesn't return the path of the extracted file
# so we have to make it up ourselves
try:
archive.extract(extfile, path=tmp_dir, pwd=password)
retlist.append(
os.path.join(tmp_dir, extfile.replace("\\", "/")))
except:
archive.extract(extfile, path=tmp_dir)
retlist.append(
os.path.join(tmp_dir, extfile.replace("\\", "/")))
except:
pass
return retlist
'django.contrib.staticfiles',
'bootstrap3',
'home',
#'south',
'taggit',
'analysis',
'bootstrap3',
'alerts',
#'debug_toolbar'
)
SESSION_ENGINE = 'django.contrib.sessions.backends.file'
if CUCKOO_FOUND:
sys.path.append(CUCKOO_PATH)
from lib.cuckoo.common.constants import CUCKOO_ROOT
from lib.cuckoo.common.config import Config
cfg = Config(cfg=os.path.join(CUCKOO_PATH,"conf", "reporting.conf")).mongodb
# Checks if mongo reporting is enabled in Cuckoo.
if not cfg.get("enabled"):
raise Exception("Mongo reporting module is not enabled in cuckoo, aborting!")
# Get connection options from reporting.conf.
MONGO_HOST = cfg.get("host", "127.0.0.1")
MONGO_PORT = cfg.get("port", 27017)
def demux_tar(filename, options):
retlist = []
ext = ""
try:
# only extract from files with no extension or with .bin (downloaded from us) or .tar/tarball extensions
ext = os.path.splitext(filename)[1]
if ext != "" and ext != ".tar" and ext != ".gz" and ext != ".tgz" and ext != ".bz2" and ext != ".tbz2" and ext != ".bin":
return retlist
extracted = []
with tarfile.open(filename, "r") as archive:
infolist = archive.getmembers()
for info in infolist:
# avoid obvious bombs
if info.size > 100 * 1024 * 1024 or not info.size:
continue
# ignore non-regular files
if not info.isreg():
continue
base, ext = os.path.splitext(info.name)
basename = os.path.basename(info.name)
ext = ext.lower()
if ext == "" and len(basename) and basename[0] == ".":
continue
for theext in demux_extensions_list:
if ext == theext:
extracted.append(info)
break
if extracted:
options = Config()
tmp_path = options.cuckoo.get("tmppath", "/tmp")
target_path = os.path.join(tmp_path, "cuckoo-tar-tmp")
if not os.path.exists(target_path):
os.mkdir(target_path)
tmp_dir = tempfile.mkdtemp(prefix='cuckootar_',
dir=target_path)
for extfile in extracted:
fobj = archive.extractfile(extfile)
outpath = os.path.join(tmp_dir, extfile.name)
outfile = open(outpath, "wb")
outfile.write(fobj.read())
fobj.close()
outfile.close()
retlist.append(outpath)
except:
if ext == ".tgz" or ext == ".tbz2" or ext == ".tar":
return retlist
# handle gzip
try:
gzfinal = os.path.basename(os.path.splitext(filename)[0])
with gzip.open(filename, "rb") as fobj:
options = Config()
tmp_path = options.cuckoo.get("tmppath", "/tmp")
target_path = os.path.join(tmp_path, "cuckoo-tar-tmp")
if not os.path.exists(target_path):
os.mkdir(target_path)
tmp_dir = tempfile.mkdtemp(prefix='cuckootar_',
dir=target_path)
outpath = os.path.join(tmp_dir, gzfinal)
outfile = open(outpath, "wb")
outfile.write(fobj.read())
outfile.close()
retlist.append(outpath)
except:
pass
# handle bzip2
try:
gzfinal = os.path.basename(os.path.splitext(filename)[0])
with BZ2File(filename, "rb") as fobj:
options = Config()
tmp_path = options.cuckoo.get("tmppath", "/tmp")
target_path = os.path.join(tmp_path, "cuckoo-tar-tmp")
if not os.path.exists(target_path):
os.mkdir(target_path)
tmp_dir = tempfile.mkdtemp(prefix='cuckootar_',
dir=target_path)
outpath = os.path.join(tmp_dir, gzfinal)
outfile = open(outpath, "wb")
outfile.write(fobj.read())
outfile.close()
retlist.append(outpath)
except:
pass
return retlist
def __init__(self, task):
"""@param task: task dictionary of the analysis to process."""
self.task = task
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task["id"]))
self.baseline_path = os.path.join(CUCKOO_ROOT, "storage", "baseline")
self.cfg = Config("processing")
def run(self, manager=None, vm=None):
results = {}
# Exit if options were not loaded.
if not self.voptions:
return
# Check if theres a memory profile configured in the machinery config.
profile = Config(manager).get(vm).get("mem_profile")
if profile == None:
vol = VolatilityAPI(self.memfile, self.osprofile)
else:
vol = VolatilityAPI(self.memfile, profile)
# TODO: improve the load of volatility functions.
if self.voptions.pslist.enabled:
results["pslist"] = vol.pslist()
if self.voptions.psxview.enabled:
results["psxview"] = vol.psxview()
if self.voptions.callbacks.enabled:
results["callbacks"] = vol.callbacks()
if self.voptions.idt.enabled:
try:
results["idt"] = vol.idt()
except:
pass
if self.voptions.ssdt.enabled:
results["ssdt"] = vol.ssdt()
if self.voptions.gdt.enabled:
try:
results["gdt"] = vol.gdt()
except:
pass
if self.voptions.timers.enabled:
results["timers"] = vol.timers()
if self.voptions.messagehooks.enabled:
results["messagehooks"] = vol.messagehooks()
if self.voptions.getsids.enabled:
results["getsids"] = vol.getsids()
if self.voptions.privs.enabled:
results["privs"] = vol.privs()
if self.voptions.malfind.enabled:
results["malfind"] = vol.malfind()
if self.voptions.apihooks.enabled:
results["apihooks"] = vol.apihooks()
if self.voptions.dlllist.enabled:
results["dlllist"] = vol.dlllist()
if self.voptions.handles.enabled:
results["handles"] = vol.handles()
if self.voptions.ldrmodules.enabled:
results["ldrmodules"] = vol.ldrmodules()
if self.voptions.mutantscan.enabled:
results["mutantscan"] = vol.mutantscan()
if self.voptions.devicetree.enabled:
results["devicetree"] = vol.devicetree()
if self.voptions.svcscan.enabled:
results["svcscan"] = vol.svcscan()
if self.voptions.modscan.enabled:
results["modscan"] = vol.modscan()
if self.voptions.yarascan.enabled:
results["yarascan"] = vol.yarascan()
if self.voptions.sockscan.enabled and profile.lower().startswith(
"winxp"):
results["sockscan"] = vol.sockscan()
if self.voptions.netscan.enabled and (
profile.lower().startswith("win7")
or profile.lower().startswith("vista")):
results["netscan"] = vol.netscan()
self.find_taint(results)
self.cleanup()
return self.mask_filter(results)
class VolatilityManager(object):
"""Handle several volatility results."""
PLUGINS = [
"pslist",
"psxview",
"callbacks",
"idt",
"ssdt",
"gdt",
"timers",
"messagehooks",
"getsids",
"privs",
"malfind",
"apihooks",
"dlllist",
"handles",
"ldrmodules",
"mutantscan",
"devicetree",
"svcscan",
"modscan",
"yarascan",
["sockscan", "winxp"],
["netscan", "vista", "win7"],
]
def __init__(self, memfile, osprofile=None):
self.mask_pid = []
self.taint_pid = set()
self.memfile = memfile
conf_path = os.path.join(CUCKOO_ROOT, "conf", "memory.conf")
if not os.path.exists(conf_path):
log.error("Configuration file volatility.conf not found".format(conf_path))
self.voptions = False
return
self.voptions = Config("memory")
for pid in self.voptions.mask.pid_generic.split(","):
pid = pid.strip()
if pid:
self.mask_pid.append(int(pid))
self.no_filter = not self.voptions.mask.enabled
if self.voptions.basic.guest_profile:
self.osprofile = self.voptions.basic.guest_profile
else:
self.osprofile = osprofile or self.get_osprofile()
def get_osprofile(self):
"""Get the OS profile"""
return VolatilityAPI(self.memfile).imageinfo()["data"][0]["osprofile"]
def run(self):
results = {}
# Exit if options were not loaded.
if not self.voptions:
return
vol = VolatilityAPI(self.memfile, self.osprofile)
for plugin_name in self.PLUGINS:
if isinstance(plugin_name, list):
plugin_name, profiles = plugin_name[0], plugin_name[1:]
else:
profiles = []
# Some plugins can only run in certain profiles.
for profile in profiles:
if self.osprofile.lower().startswith(profile):
break
else:
if profiles:
continue
plugin = self.voptions.get(plugin_name)
if not plugin or not plugin.enabled:
log.debug("Skipping '%s' volatility module", plugin_name)
continue
if plugin_name in vol.plugins:
log.debug("Executing volatility '%s' module.", plugin_name)
results[plugin_name] = getattr(vol, plugin_name)()
self.find_taint(results)
self.cleanup()
return self.mask_filter(results)
def mask_filter(self, old):
"""Filter out masked stuff. Keep tainted stuff."""
new = {}
for akey in old.keys():
new[akey] = {"config": old[akey]["config"], "data": []}
conf = getattr(self.voptions, akey, None)
new[akey]["config"]["filter"] = conf.filter
for item in old[akey]["data"]:
# TODO: need to improve this logic.
if not conf.filter:
new[akey]["data"].append(item)
elif "process_id" in item and \
item["process_id"] in self.mask_pid and \
item["process_id"] not in self.taint_pid:
pass
else:
new[akey]["data"].append(item)
return new
def find_taint(self, res):
"""Find tainted items."""
if "malfind" in res:
for item in res["malfind"]["data"]:
self.taint_pid.add(item["process_id"])
def cleanup(self):
"""Delete the memory dump (if configured to do so)."""
if self.voptions.basic.delete_memdump:
try:
os.remove(self.memfile)
except OSError:
log.error("Unable to delete memory dump file at path \"%s\" ", self.memfile)
from __future__ import absolute_import
import os
import shutil
import logging
from lib.cuckoo.common.config import Config
from lib.cuckoo.common.abstracts import Report
from lib.cuckoo.common.utils import get_memdump_path
log = logging.getLogger(__name__)
reporting_conf = Config("reporting")
class RAMFSCLEAN(Report):
"Remove/save memdump"
order = 9998
def run(self, results):
action = "delete"
src = get_memdump_path(results["info"]["id"])
if reporting_conf.ramfsclean.key in results:
if any(["checkme" in block for block in results[reporting_conf.ramfsclean.key]]):
action = "store"
if action == "delete":
log.debug("Deleting memdump: {}".format(src))
if os.path.exists(src):
os.remove(src)
else:
dest = get_memdump_path(results["info"]["id"], analysis_folder=True)
log.debug("Storing memdump: {}".format(dest))
class RunProcessing(object):
"""Analysis Results Processing Engine.
This class handles the loading and execution of the processing modules.
It executes the enabled ones sequentially and generates a dictionary which
is then passed over the reporting engine.
"""
def __init__(self, task_id):
"""@param task_id: ID of the analyses to process."""
self.task = Database().view_task(task_id).to_dict()
self.analysis_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task_id))
self.cfg = Config("processing")
def process(self, module):
"""Run a processing module.
@param module: processing module to run.
@param results: results dict.
@return: results generated by module.
"""
# Initialize the specified processing module.
try:
current = module()
except:
log.exception("Failed to load the processing module "
"\"{0}\":".format(module))
return
# Extract the module name.
module_name = inspect.getmodule(current).__name__
if "." in module_name:
module_name = module_name.rsplit(".", 1)[1]
try:
options = self.cfg.get(module_name)
except CuckooOperationalError:
log.debug("Processing module %s not found in configuration file",
module_name)
return None
# If the processing module is disabled in the config, skip it.
if not options.enabled:
return None
# Give it path to the analysis results.
current.set_path(self.analysis_path)
# Give it the analysis task object.
current.set_task(self.task)
# Give it the options from the relevant processing.conf section.
current.set_options(options)
try:
# Run the processing module and retrieve the generated data to be
# appended to the general results container.
data = current.run()
log.debug("Executed processing module \"%s\" on analysis at "
"\"%s\"", current.__class__.__name__, self.analysis_path)
# If succeeded, return they module's key name and the data to be
# appended to it.
return {current.key: data}
except CuckooDependencyError as e:
log.warning("The processing module \"%s\" has missing dependencies: %s", current.__class__.__name__, e)
except CuckooProcessingError as e:
log.warning("The processing module \"%s\" returned the following "
"error: %s", current.__class__.__name__, e)
except:
log.exception("Failed to run the processing module \"%s\":",
current.__class__.__name__)
return None
def run(self):
"""Run all processing modules and all signatures.
@return: processing results.
"""
# This is the results container. It's what will be used by all the
# reporting modules to make it consumable by humans and machines.
# It will contain all the results generated by every processing
# module available. Its structure can be observed through the JSON
# dump in the analysis' reports folder. (If jsondump is enabled.)
# We friendly call this "fat dict".
results = {}
# Order modules using the user-defined sequence number.
# If none is specified for the modules, they are selected in
# alphabetical order.
processing_list = list_plugins(group="processing")
# If no modules are loaded, return an empty dictionary.
if processing_list:
processing_list.sort(key=lambda module: module.order)
# Run every loaded processing module.
for module in processing_list:
result = self.process(module)
# If it provided some results, append it to the big results
# container.
if result:
results.update(result)
else:
log.info("No processing modules loaded")
# Return the fat dict.
return results
def index(request):
if request.method == "POST":
package = request.POST.get("package", "")
timeout = min(force_int(request.POST.get("timeout")), 60 * 60 * 24)
options = request.POST.get("options", "")
priority = force_int(request.POST.get("priority"))
machine = request.POST.get("machine", "")
gateway = request.POST.get("gateway", None)
clock = request.POST.get("clock", None)
custom = request.POST.get("custom", "")
memory = bool(request.POST.get("memory", False))
enforce_timeout = bool(request.POST.get("enforce_timeout", False))
tags = request.POST.get("tags", None)
if request.POST.get("free"):
if options:
options += ","
options += "free=yes"
if request.POST.get("nohuman"):
if options:
options += ","
options += "nohuman=yes"
if request.POST.get("tor"):
if options:
options += ","
options += "tor=yes"
if request.POST.get("process_memory"):
if options:
options += ","
options += "procmemdump=yes"
if request.POST.get("kernel_analysis"):
if options:
options += ","
options += "kernel_analysis=yes"
if gateway and gateway in settings.GATEWAYS:
if "," in settings.GATEWAYS[gateway]:
tgateway = random.choice(settings.GATEWAYS[gateway].split(","))
ngateway = settings.GATEWAYS[tgateway]
else:
ngateway = settings.GATEWAYS[gateway]
if options:
options += ","
options += "setgw=%s" % (ngateway)
db = Database()
task_ids = []
task_machines = []
if machine.lower() == "all":
for entry in db.list_machines():
task_machines.append(entry.label)
else:
task_machines.append(machine)
if "sample" in request.FILES:
for sample in request.FILES.getlist("sample"):
if sample.size == 0:
return render_to_response(
"error.html", {"error": "You uploaded an empty file."},
context_instance=RequestContext(request))
elif sample.size > settings.MAX_UPLOAD_SIZE:
return render_to_response("error.html", {
"error":
"You uploaded a file that exceeds that maximum allowed upload size."
},
context_instance=RequestContext(
request))
# Moving sample from django temporary file to Cuckoo temporary storage to
# let it persist between reboot (if user like to configure it in that way).
path = store_temp_file(sample.read(), sample.name)
for entry in task_machines:
task_ids_new = db.demux_sample_and_add_to_db(
file_path=path,
package=package,
timeout=timeout,
options=options,
priority=priority,
machine=entry,
custom=custom,
memory=memory,
enforce_timeout=enforce_timeout,
tags=tags,
clock=clock)
task_ids.extend(task_ids_new)
elif "quarantine" in request.FILES:
for sample in request.FILES.getlist("quarantine"):
if sample.size == 0:
return render_to_response(
"error.html",
{"error": "You uploaded an empty quarantine file."},
context_instance=RequestContext(request))
elif sample.size > settings.MAX_UPLOAD_SIZE:
return render_to_response("error.html", {
"error":
"You uploaded a quarantine file that exceeds that maximum allowed upload size."
},
context_instance=RequestContext(
request))
# Moving sample from django temporary file to Cuckoo temporary storage to
# let it persist between reboot (if user like to configure it in that way).
tmp_path = store_temp_file(sample.read(), sample.name)
path = unquarantine(tmp_path)
try:
os.remove(tmp_path)
except:
pass
if not path:
return render_to_response(
"error.html", {
"error":
"You uploaded an unsupported quarantine file."
},
context_instance=RequestContext(request))
for entry in task_machines:
task_ids_new = db.demux_sample_and_add_to_db(
file_path=path,
package=package,
timeout=timeout,
options=options,
priority=priority,
machine=entry,
custom=custom,
memory=memory,
enforce_timeout=enforce_timeout,
tags=tags,
clock=clock)
task_ids.extend(task_ids_new)
elif "url" in request.POST and request.POST.get("url").strip():
url = request.POST.get("url").strip()
if not url:
return render_to_response(
"error.html", {"error": "You specified an invalid URL!"},
context_instance=RequestContext(request))
url = url.replace("hxxps://", "https://").replace(
"hxxp://", "http://").replace("[.]", ".")
for entry in task_machines:
task_id = db.add_url(url=url,
package=package,
timeout=timeout,
options=options,
priority=priority,
machine=entry,
custom=custom,
memory=memory,
enforce_timeout=enforce_timeout,
tags=tags,
clock=clock)
if task_id:
task_ids.append(task_id)
elif settings.VTDL_ENABLED and "vtdl" in request.POST:
vtdl = request.POST.get("vtdl").strip()
if (not settings.VTDL_PRIV_KEY
and not settings.VTDL_INTEL_KEY) or not settings.VTDL_PATH:
return render_to_response("error.html", {
"error":
"You specified VirusTotal but must edit the file and specify your VTDL_PRIV_KEY or VTDL_INTEL_KEY variable and VTDL_PATH base directory"
},
context_instance=RequestContext(
request))
else:
base_dir = tempfile.mkdtemp(prefix='cuckoovtdl',
dir=settings.VTDL_PATH)
hashlist = []
if "," in vtdl:
hashlist = vtdl.split(",")
else:
hashlist.append(vtdl)
onesuccess = False
for h in hashlist:
filename = base_dir + "/" + h
if settings.VTDL_PRIV_KEY:
url = 'https://www.virustotal.com/vtapi/v2/file/download'
params = {'apikey': settings.VTDL_PRIV_KEY, 'hash': h}
else:
url = 'https://www.virustotal.com/intelligence/download/'
params = {'apikey': settings.VTDL_INTEL_KEY, 'hash': h}
try:
r = requests.get(url, params=params, verify=True)
except requests.exceptions.RequestException as e:
return render_to_response(
"error.html", {
"error":
"Error completing connection to VirusTotal: {0}"
.format(e)
},
context_instance=RequestContext(request))
if r.status_code == 200:
try:
f = open(filename, 'wb')
f.write(r.content)
f.close()
except:
return render_to_response("error.html", {
"error":
"Error writing VirusTotal download file to temporary path"
},
context_instance=
RequestContext(request))
onesuccess = True
for entry in task_machines:
task_ids_new = db.demux_sample_and_add_to_db(
file_path=filename,
package=package,
timeout=timeout,
options=options,
priority=priority,
machine=entry,
custom=custom,
memory=memory,
enforce_timeout=enforce_timeout,
tags=tags,
clock=clock)
task_ids.extend(task_ids_new)
elif r.status_code == 403:
return render_to_response("error.html", {
"error":
"API key provided is not a valid VirusTotal key or is not authorized for VirusTotal downloads"
},
context_instance=
RequestContext(request))
if not onesuccess:
return render_to_response(
"error.html",
{"error": "Provided hash not found on VirusTotal"},
context_instance=RequestContext(request))
tasks_count = len(task_ids)
if tasks_count > 0:
return render_to_response("submission/complete.html", {
"tasks": task_ids,
"tasks_count": tasks_count
},
context_instance=RequestContext(request))
else:
return render_to_response(
"error.html",
{"error": "Error adding task to Cuckoo's database."},
context_instance=RequestContext(request))
else:
enabledconf = dict()
enabledconf["vt"] = settings.VTDL_ENABLED
enabledconf["kernel"] = settings.OPT_ZER0M0N
enabledconf["memory"] = Config("processing").memory.get("enabled")
enabledconf["procmemory"] = Config("processing").procmemory.get(
"enabled")
enabledconf["tor"] = Config("auxiliary").tor.get("enabled")
if Config("auxiliary").gateways:
enabledconf["gateways"] = True
else:
enabledconf["gateways"] = False
enabledconf["tags"] = False
# Get enabled machinery
machinery = Config("cuckoo").cuckoo.get("machinery")
# Get VM names for machinery config elements
vms = [
x.strip() for x in getattr(Config(machinery), machinery).get(
"machines").split(",")
]
# Check each VM config element for tags
for vmtag in vms:
if "tags" in getattr(Config(machinery), vmtag).keys():
enabledconf["tags"] = True
files = os.listdir(
os.path.join(settings.CUCKOO_PATH, "analyzer", "windows",
"modules", "packages"))
packages = []
for name in files:
name = os.path.splitext(name)[0]
if name == "__init__":
continue
packages.append(name)
# Prepare a list of VM names, description label based on tags.
machines = []
for machine in Database().list_machines():
tags = []
for tag in machine.tags:
tags.append(tag.name)
if tags:
label = machine.label + ": " + ", ".join(tags)
else:
label = machine.label
machines.append((machine.label, label))
# Prepend ALL/ANY options.
machines.insert(0, ("", "First available"))
machines.insert(1, ("all", "All"))
return render_to_response("submission/index.html", {
"packages": sorted(packages),
"machines": machines,
"gateways": settings.GATEWAYS,
"config": enabledconf
},
context_instance=RequestContext(request))
def __init__(self, task, machine):
self.task = task
self.machine = machine
self.cfg = Config("auxiliary")
self.enabled = []
def submit_url(request):
enabledconf = dict()
enabledconf["vt"] = settings.VTDL_ENABLED
enabledconf["kernel"] = settings.OPT_ZER0M0N
enabledconf["memory"] = Config("processing").memory.get("enabled")
enabledconf["procmemory"] = Config("processing").procmemory.get("enabled")
enabledconf["tor"] = Config("auxiliary").tor.get("enabled")
if Config("auxiliary").gateways:
enabledconf["gateways"] = True
else:
enabledconf["gateways"] = False
enabledconf["tags"] = False
# Get enabled machinery
machinery = Config("cuckoo").cuckoo.get("machinery")
# Get VM names for machinery config elements
vms = [
x.strip() for x in getattr(Config(machinery), machinery).get(
"machines").split(",")
]
# Check each VM config element for tags
for vmtag in vms:
if "tags" in getattr(Config(machinery), vmtag).keys():
enabledconf["tags"] = True
files = os.listdir(
os.path.join(settings.CUCKOO_PATH, "analyzer", "windows", "modules",
"packages"))
packages = []
for name in files:
name = os.path.splitext(name)[0]
if name == "__init__":
continue
packages.append(name)
# Prepare a list of VM names, description label based on tags.
machines = []
for machine in Database().list_machines():
tags = []
for tag in machine.tags:
tags.append(tag.name)
if tags:
label = machine.label + ": " + ", ".join(tags)
else:
label = machine.label
machines.append((machine.label, label))
# Prepend ALL/ANY options.
machines.insert(0, ("", "First available"))
machines.insert(1, ("all", "All"))
return render_to_response("submission/submit_url.html", {
"packages": sorted(packages),
"machines": machines,
"gateways": settings.GATEWAYS,
"config": enabledconf
},
context_instance=RequestContext(request))
