def analyze(self, line):
    """Extract the first URL from one line of feed text.

    Only the start of the method is visible in this listing; ``url`` is
    presumably consumed by the lines that follow.  ``line`` is untrusted feed
    text; nothing here interprets it beyond ``toolbox.find_urls``.
    """
    # Skip comment lines and blank lines (a blank line read from a file is "\n").
    if line.startswith('#') or line.startswith('\n'):
        return
    try:
        url = toolbox.find_urls(line)[0]
    except Exception, e:
        # find_urls returned no match, so the [0] raised IndexError: nothing to
        # extract from this line.  NOTE(review): the broad ``Exception`` also
        # hides any genuine failure inside find_urls (and the old comment
        # referred to "find_ip"); catching IndexError would be more precise.
        return
    # NOTE(review): method body truncated in this listing at this point.
def analyze(self, dict):
    """Start building a Url element from one MDLTracker feed entry.

    Only the start of the method is visible in this listing.  ``dict`` is the
    parsed feed entry (the parameter name shadows the builtin; it is kept as
    the callers see it).  The only key read here is ``description``.
    """
    # Despite the template comment carried over from other feed parsers, this
    # feed stores a Url element (Malcom's datatype for URLs), not an Evil one.
    # Remember that you can create your own datatypes, if need be.
    mdl = Url()
    # Populate the element's attributes from the parsed entry.
    mdl['feed'] = "MDLTracker"
    try:
        # First URL found in the (untrusted) description text becomes the
        # element's unique value.
        mdl['value'] = toolbox.find_urls(dict['description'])[0]
    except Exception,e:
        # No URL in the description (IndexError on [0]) - skip the entry.
        # NOTE(review): the broad ``Exception`` also hides real errors in
        # find_urls; catching IndexError would be more precise.
        return
    # NOTE(review): method body truncated in this listing at this point.
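def analyze(self, dict):
    """Store one SpyEyeConfigs feed entry as an Evil element linked to a Url element.

    Parameters
    ----------
    dict : mapping
        Parsed feed entry; the keys read are ``description``, ``link`` and
        ``guid``.  The parameter name shadows the builtin ``dict`` and is kept
        only so existing keyword callers keep working.

    Side effects
    ------------
    Saves an Evil and a Url element via ``self.analytics.save_element`` and
    connects them with a ``hosting`` edge.  ``self.elements_fetched`` is
    incremented once per element that did not already exist in the DB.
    Entries without a URL are skipped; previously ``find_urls(...)[0]`` raised
    IndexError and aborted the whole feed run on such an entry.
    """
    entry = dict  # local alias so the builtin name is not used below
    description = entry["description"]

    # Every entry of this feed is expected to carry a URL; without one there is
    # nothing to link, so skip the entry instead of crashing the feed.
    urls = toolbox.find_urls(description)
    if not urls:
        return

    # Evil objects are what Malcom uses to store anything it considers evil
    # (malware, spam sources, ...).  Custom datatypes can be added if needed.
    evil = Evil()
    evil["feed"] = "SpyEyeConfigs"
    evil["url"] = urls[0]
    # Feed text is untrusted and stored verbatim; whatever renders it later is
    # responsible for escaping it.
    evil["description"] = entry["link"] + " " + description
    evil["status"] = "offline" if "offline" in description else "online"

    # The tracker writes the sample hash as "MD5 hash: <32 lowercase hex chars>".
    md5 = re.search("MD5 hash: (?P<md5>[0-9a-f]{32,32})", description)
    evil["md5"] = md5.group("md5") if md5 is not None else "No MD5"
    evil["source"] = entry["guid"]  # linkback to the feed item
    evil["type"] = "evil"
    evil["tags"] += ["spyeye", "malware", "SpyEyeConfigs"]  # assumes Evil() seeds tags with a list
    evil["date_retreived"] = datetime.datetime.utcnow()  # key spelling is part of the stored schema

    # "value" is the unique key Malcom uses to identify the element in the DB:
    # prefer the MD5 and fall back to the URL.  Not ideal, but it will do for now.
    if md5 is not None:
        evil["value"] = "SpyEye Config (MD5: %s)" % evil["md5"]
    else:
        evil["value"] = "SpyEye Config (URL: %s)" % evil["url"]

    # save_element reports whether the element already existed in the DB.
    evil, status = self.analytics.save_element(evil, with_status=True)
    if not status["updatedExisting"]:
        self.elements_fetched += 1

    # The hosting URL gets its own element, connected to the Evil element.
    url = Url(evil["url"], ["evil", "SpyEyeConfigs"])
    url, status = self.analytics.save_element(url, with_status=True)
    if not status["updatedExisting"]:
        self.elements_fetched += 1

    self.analytics.data.connect(url, evil, ["hosting"])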
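def analyze(self, dict):
    """Store one SpyEyeDropzones feed entry as an Evil element linked to a Url element.

    Parameters
    ----------
    dict : mapping
        Parsed feed entry; the keys read are ``description``, ``link`` and
        ``guid``.  The parameter name shadows the builtin ``dict`` and is kept
        only so existing keyword callers keep working.

    Side effects
    ------------
    Saves an Evil and a Url element via ``self.analytics.save_element`` and
    connects them with a ``hosting`` edge.  ``self.elements_fetched`` is
    incremented once per element that did not already exist in the DB.
    Entries without a URL are skipped; previously ``find_urls(...)[0]`` raised
    IndexError and aborted the whole feed run on such an entry.
    """
    entry = dict  # local alias so the builtin name is not used below
    description = entry['description']

    # A dropzone entry without a URL has nothing to link; skip it rather than
    # crash the feed.
    urls = toolbox.find_urls(description)
    if not urls:
        return

    # Evil objects are what Malcom uses to store anything it considers evil
    # (malware, spam sources, ...).  Custom datatypes can be added if needed.
    evil = Evil()
    evil['feed'] = "SpyEyeDropzones"
    evil['url'] = urls[0]
    # Feed text is untrusted and stored verbatim; whatever renders it later is
    # responsible for escaping it.
    evil['description'] = entry['link'] + " " + description
    evil['status'] = "offline" if "offline" in description else "online"

    # The tracker writes the hash as "MD5 hash: <32 lowercase hex chars>"; it
    # is stored here but does not take part in the unique value below.
    md5 = re.search("MD5 hash: (?P<md5>[0-9a-f]{32,32})", description)
    evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"
    evil['source'] = entry['guid']  # linkback to the feed item
    evil['type'] = 'evil'
    evil['tags'] += ['spyeye', 'malware', 'SpyEyeDropzones']  # assumes Evil() seeds tags with a list
    evil['date_retreived'] = datetime.datetime.utcnow()  # key spelling is part of the stored schema

    # "value" is the unique key Malcom uses to identify the element in the DB.
    # Not ideal, but it will do for now.
    evil['value'] = "SpyEye Dropzone (%s)" % evil['url']

    # save_element reports whether the element already existed in the DB.
    evil, status = self.analytics.save_element(evil, with_status=True)
    if not status['updatedExisting']:
        self.elements_fetched += 1

    # The hosting URL gets its own element, connected to the Evil element.
    url = Url(evil['url'], ['evil', 'SpyEyeDropzones'])
    url, status = self.analytics.save_element(url, with_status=True)
    if not status['updatedExisting']:
        self.elements_fetched += 1

    # NOTE(review): the sibling feed parsers pass ['hosting'] (a list) here;
    # confirm which form connect() expects and align the two.
    self.analytics.data.connect(url, evil, 'hosting')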
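def analyze(self, dict):
    """Store one ZeusTrackerBinaries feed entry as an Evil element linked to a Url element.

    Parameters
    ----------
    dict : mapping
        Parsed feed entry; the keys read are ``description``, ``link`` and
        ``guid``.  The parameter name shadows the builtin ``dict`` and is kept
        only so existing keyword callers keep working.

    Side effects
    ------------
    Saves an Evil and a Url element via ``self.analytics.save_element`` and
    connects them with a ``hosting`` edge.  ``self.elements_fetched`` is
    incremented once per element that did not already exist in the DB.
    Entries without a URL are skipped; previously ``find_urls(...)[0]`` raised
    IndexError and aborted the whole feed run on such an entry.
    """
    entry = dict  # local alias so the builtin name is not used below
    description = entry['description']

    # A binary entry without a URL has nothing to link; skip it rather than
    # crash the feed.
    urls = toolbox.find_urls(description)
    if not urls:
        return

    # Evil objects are what Malcom uses to store anything it considers evil
    # (malware, spam sources, ...).  Custom datatypes can be added if needed.
    evil = Evil()
    evil['feed'] = "ZeusTrackerBinaries"
    evil['url'] = urls[0]
    # Feed text is untrusted and stored verbatim; whatever renders it later is
    # responsible for escaping it.
    evil['description'] = entry['link'] + " " + description
    evil['status'] = "offline" if "offline" in description else "online"

    # The tracker writes the sample hash as "MD5 hash: <32 lowercase hex chars>".
    md5 = re.search("MD5 hash: (?P<md5>[0-9a-f]{32,32})", description)
    evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"
    evil['source'] = entry['guid']  # linkback to the feed item
    evil['type'] = 'evil'
    evil['context'] += ['zeus', 'malware', 'ZeusTrackerBinaries']  # assumes Evil() seeds context with a list
    evil['date_retreived'] = datetime.datetime.utcnow()  # key spelling is part of the stored schema

    # "value" is the unique key Malcom uses to identify the element in the DB:
    # prefer the MD5 and fall back to the URL.  Not ideal, but it will do for now.
    if md5 is not None:
        evil['value'] = "ZeuS bot (MD5: %s)" % evil['md5']
    else:
        evil['value'] = "ZeuS bot (URL: %s)" % evil['url']

    # save_element reports whether the element already existed in the DB.
    evil, status = self.analytics.save_element(evil, with_status=True)
    if not status['updatedExisting']:
        self.elements_fetched += 1

    # The hosting URL gets its own element, connected to the Evil element.
    url = Url(evil['url'], ['evil', 'ZeusTrackerBinaries'])
    url, status = self.analytics.save_element(url, with_status=True)
    if not status['updatedExisting']:
        self.elements_fetched += 1

    self.analytics.data.connect(url, evil, ['hosting'])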
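def analytics(self, analytics):
    """Push every parsed ZeusTrackerBinaries entry into the analytics DB.

    Parameters
    ----------
    analytics
        The Malcom analytics object; ``save_element``, ``data.connect`` and
        ``process`` are called on it.

    Side effects
    ------------
    Iterates ``self.parsed``, saves an Evil and a Url element per entry and
    connects them with a ``hosting`` edge.  ``self.elements_fetched`` is reset
    to 0 and then incremented for each saved element whose ``is_recent()`` is
    true.  Finally ``analytics.process()`` is called.  Entries without a URL
    are skipped; previously ``find_urls(...)[0]`` raised IndexError on such an
    entry and aborted the rest of the feed.
    """
    self.elements_fetched = 0
    # Compiled once; the loop runs it for every feed entry.  The tracker writes
    # the sample hash as "MD5 hash: <32 lowercase hex chars>".
    md5_re = re.compile("MD5 hash: (?P<md5>[0-9a-f]{32,32})")

    for entry in self.parsed:
        description = entry['description']

        # One malformed entry must not abort the whole feed run.
        urls = toolbox.find_urls(description)
        if not urls:
            continue

        # Evil element describing the tracked binary.
        evil = Evil()
        evil['feed'] = "ZeusTrackerBinaries"
        evil['url'] = urls[0]
        # Feed text is untrusted and stored verbatim; whatever renders it
        # later is responsible for escaping it.
        evil['description'] = entry['link'] + " " + description
        evil['status'] = "offline" if "offline" in description else "online"

        md5 = md5_re.search(description)
        evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"
        evil['source'] = entry['guid']  # linkback to the feed item
        evil['type'] = 'evil'
        evil['context'] += ['zeus', 'malware']  # assumes Evil() seeds context with a list
        evil['date_retreived'] = datetime.datetime.utcnow()  # key spelling is part of the stored schema

        # "value" is the element's unique key in the DB: prefer the MD5, fall
        # back to the URL.
        if md5 is not None:
            evil['value'] = "ZeuS bot (MD5: %s)" % evil['md5']
        else:
            evil['value'] = "ZeuS bot (URL: %s)" % evil['url']

        # Commit the Evil element, then the hosting URL, then link them.
        evil = analytics.save_element(evil, ['ZeusTrackerBinaries'])
        url = Url(evil['url'], ['evil', 'ZeusTrackerBinaries'])
        url = analytics.save_element(url)
        analytics.data.connect(url, evil, ['hosting'])

        # Count only elements the DB reports as newly seen.
        if evil.is_recent():
            self.elements_fetched += 1
        if url.is_recent():
            self.elements_fetched += 1

    analytics.process()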