def hash_lookup(args, query):
# Dictionary mapping the raw data for each type of sample analysis
analysis_data = build_field_list()
# Map analysis types to analysis_data keys
analysis_data_map = {
AFServiceActivity: "service",
AFRegistryActivity: "registry",
AFProcessActivity: "process",
AFJavaApiActivity: "japi",
AFApiActivity: "misc",
AFUserAgentFragment: "user_agent",
AFMutexActivity: "mutex",
AFHttpActivity: "http",
AFDnsActivity: "dns",
AFBehaviorAnalysis: "behavior_desc",
AFBehaviorTypeAnalysis: "behavior_type",
AFConnectionActivity: "connection",
AFFileActivity: "file",
AFApkActivityAnalysis: "apk_misc",
AFApkIntentFilterAnalysis: "apk_filter",
AFApkReceiverAnalysis: "apk_receiver",
AFApkSensorAnalysis: "apk_sensor",
AFApkServiceAnalysis: "apk_service",
AFApkEmbededUrlAnalysis: "apk_embedurl",
AFApkRequestedPermissionAnalysis: "apk_permission",
AFApkSensitiveApiCallAnalysis: "apk_sensitiveapi",
AFApkSuspiciousApiCallAnalysis: "apk_suspiciousapi",
AFApkSuspiciousFileAnalysis: "apk_file",
AFApkSuspiciousStringAnalysis: "apl_string"
}
# If there are no counts for the activity, ignore them for the filter
for sample in AFSample.search(af_query("hash", query)):
for analysis in sample.get_analyses():
analysis_data_section = analysis_data_map.get(
type(analysis), "default")
try:
if (analysis.benign_count + analysis.grayware_count +
analysis.malware_count) < args.filter:
analysis_data[analysis_data_section].append(
analysis._raw_line)
except:
pass
# Handle Behaviors which have no BGM values
if type(analysis) == AFBehaviorTypeAnalysis or type(
analysis) == AFBehaviorAnalysis:
analysis_data[analysis_data_section].append(analysis._raw_line)
if sample.imphash:
analysis_data["imphash"].append(sample.imphash)
if sample.digital_signer:
analysis_data["digital_signer"].append(sample.digital_signer)
return analysis_data
def do_search(self):
res = []
for sample in AFSample.search(self.search):
res.append({
'metadata':
sample.serialize(),
'tags':
[tag.serialize() for tag in sample.__getattribute__('tags')]
})
return {'search': self.search, 'records': res}
def execute_autofocus_service(self):
data = self.getData()
AutoFocusAPI.api_key = self.autofocus_key
if self.service == 'get_sample_analysis' and self.data_type in [
'hash'
]:
sample = AFSample.get(data)
res = {
'metadata':
sample.serialize(),
'tags':
[tag.serialize() for tag in sample.__getattribute__('tags')],
'analysis': {}
}
for analyse in sample.get_analyses():
analysis_type = analyse.__class__.__name__
if analysis_type not in res['analysis']:
res['analysis'][analysis_type] = []
res['analysis'][analysis_type].append(analyse.serialize())
return res
elif self.service == 'search_ioc' and self.data_type in ['ip']:
searchIP = SearchJson_IP(data)
return searchIP.do_search()
elif self.service == 'search_ioc' and self.data_type in [
'domain', 'fqdn'
]:
searchDomain = SearchJson_Domain(data)
return searchDomain.do_search()
elif self.service == 'search_ioc' and self.data_type in ['mutex']:
searchMutex = SearchJson_Mutex(data)
return searchMutex.do_search()
elif self.service == 'search_ioc' and self.data_type in ['imphash']:
searchImpash = SearchJson_Imphash(data)
return searchImpash.do_search()
elif self.service == 'search_ioc' and self.data_type in ['tag']:
searchTag = SearchJson_TAG(data)
return searchTag.do_search()
elif self.service == 'search_ioc' and self.data_type in ['url']:
searchURL = SearchJson_URL(data)
return searchURL.do_search()
elif self.service == 'search_ioc' and self.data_type in ['user-agent']:
searchUserAgent = SearchJson_UserAgent(data)
return searchUserAgent.do_search()
elif self.service == 'search_json' and self.data_type in ['other']:
search = SearchJson(data)
return search.do_search()
else:
self.error('Unknown AutoFocus service or invalid data type')
def search_hash(hash):
print("Searching for {}".format(hash))
query = {
"operator":
"all",
"children": [{
"field": "sample.sha256",
"operator": "is",
"value": None # Will be filled with a hash
}]
}
query['children'][0]['value'] = hash
for sample in AFSample.search(query):
print("sha256:{} md5:{} m:{} b:{} g:{}"\
.format(sample.sha256, sample.md5, sample.malware, sample.benign, sample.grayware))
break
return None
def search_hash(hash):
print "Searching for {}".format(hash)
query = {
"operator": "all",
"children": [
{
"field": "sample.sha256",
"operator": "is",
"value": None # Will be filled with a hash
}
]
}
query['children'][0]['value'] = hash
for sample in AFSample.search(query):
print "sha256:{} md5:{} m:{} b:{} g:{}"\
.format(sample.sha256, sample.md5, sample.malware, sample.benign, sample.grayware)
break
return None
from autofocus import AFSample, AFSampleAbsent
#AutoFocusAPI.api_key = "<my API key>"
###############################
# Searching for a single hash #
###############################
hash = "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c"
try:
# sample is instance of AFSample()
sample = AFSample.get(hash)
# Using instrospection, you can analyze the attributes of the AFSample instance
print "Pulled sample {} and got the follow attributes".format(hash)
for k, v in sample.__dict__.items():
print "\t{}={}".format(k, v)
except AFSampleAbsent:
pass # The sample isn't in AutoFocus
################################################
# Run an autofocus query (Exported via the UI) #
################################################
query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}'
# * AFSample.search is a generator, so you have to iterate over the results, which is required since it's common
# to search for large datasets
# * The client library handles all paging for you, so you just need to pose a question
# and parse the results
for sample in AFSample.search(query):
from autofocus import AFSample, AFConnectionActivity, AFUserAgentFragment, AFRelatedMacro
#AutoFocusAPI.api_key = "<my API key>"
sample = AFSample.get(
"8404e06ff383275462298e830bebe9540fab2092eca5523649d74e6e596ac23d")
for analysis in sample.get_analyses(AFConnectionActivity):
analysis
# user agent fragments
sample = AFSample.get(
"66ee855c9ea5dbad47c7da966dbdb7fef630c0421984f7eeb238f26fb45493f2")
# Can pull the user agent analyses in many different ways.
for analysis in sample.get_analyses(AFUserAgentFragment):
print analysis
for analysis in sample.get_analyses('user_agent'):
print analysis
for analysis in sample.get_analyses([AFUserAgentFragment]):
print analysis
for analysis in sample.get_analyses(['user_agent']):
print analysis
# service activity
sample = AFSample.get(
"652c70c144f0d2d177695c5dc47ed9fcc1606ebdf78a636cace91988f12185fa")
from autofocus import AFSample, AFSampleAbsent
#AutoFocusAPI.api_key = "<my API key>"
###############################
# Searching for a single hash #
###############################
hash = "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c"
try:
# sample is instance of AFSample()
sample = AFSample.get(hash)
# Using instrospection, you can analyze the attributes of the AFSample instance
print("Pulled sample {} and got the following attributes".format(hash))
for k, v in list(sample.serialize().items()):
print("\t{}={}".format(k, v))
except AFSampleAbsent:
pass # The sample isn't in AutoFocus
################################################
# Run an autofocus query (Exported via the UI) #
################################################
query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}'
# * AFSample.search is a generator, so you have to iterate over the results, which is required since it's common
# to search for large datasets
# * The client library handles all paging for you, so you just need to pose a question
# and parse the results
for sample in AFSample.search(query):
from autofocus import AFSample, AFSampleAbsent
#AutoFocusAPI.api_key = "<my API key>"
###############################
# Searching for a single hash #
###############################
hash = "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c"
try:
# sample is instance of AFSample()
sample = AFSample.get(hash)
# Using instrospection, you can analyze the attributes of the AFSample instance
print "Pulled sample {} and got the follow attributes".format(hash)
for k,v in sample.__dict__.items():
print "\t{}={}".format(k, v)
except AFSampleAbsent:
pass # The sample isn't in AutoFocus
################################################
# Run an autofocus query (Exported via the UI) #
################################################
query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}'
# * AFSample.search is a generator, so you have to iterate over the results, which is required since it's common
# to search for large datasets
# * The client library handles all paging for you, so you just need to pose a question
# and parse the results
from autofocus import AFSample, AFConnectionActivity, AFUserAgentFragment
#AutoFocusAPI.api_key = "<my API key>"
sample = AFSample.get("8404e06ff383275462298e830bebe9540fab2092eca5523649d74e6e596ac23d")
for analysis in sample.get_analyses(AFConnectionActivity):
analysis
# user agent fragments
sample = AFSample.get("66ee855c9ea5dbad47c7da966dbdb7fef630c0421984f7eeb238f26fb45493f2")
# Can pull the user agent analyses in many different ways.
for analysis in sample.get_analyses(AFUserAgentFragment):
print analysis
for analysis in sample.get_analyses('user_agent'):
print analysis
for analysis in sample.get_analyses([AFUserAgentFragment]):
print analysis
for analysis in sample.get_analyses(['user_agent']):
print analysis
# service activity
sample = AFSample.get("652c70c144f0d2d177695c5dc47ed9fcc1606ebdf78a636cace91988f12185fa")
for analysis in sample.get_analyses(['service']):
print analysis
