def dns_requests(self, dns_requests):
self._dns_requests = []
try:
for request in dns_requests:
if isinstance(request, DnsRequest):
if not self.whitelister.is_domain_whitelisted(request.request):
if RegexHelpers.is_ip(request.answer):
if not self.whitelister.is_ip_whitelisted(request.answer):
self._dns_requests.append(request)
elif RegexHelpers.is_domain(request.answer):
if not self.whitelister.is_domain_whitelisted(request.answer):
self._dns_requests.append(request)
else:
self._dns_requests.append(request)
except TypeError:
pass
def extract_indicators(self, check_whitelist=True):
# Make an Indicator for the sample's MD5 hash.
if RegexHelpers.is_md5(self.md5):
try:
ind = Indicator.Indicator(self.md5, "Hash - MD5")
ind.add_tags("sandboxed_sample")
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the sample's SHA1 hash.
if RegexHelpers.is_sha1(self.sha1):
try:
ind = Indicator.Indicator(self.sha1, "Hash - SHA1")
ind.add_tags("sandboxed_sample")
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the sample's SHA256 hash.
if RegexHelpers.is_sha256(self.sha256):
try:
ind = Indicator.Indicator(self.sha256, "Hash - SHA256")
ind.add_tags("sandboxed_sample")
self.iocs.append(ind)
except ValueError:
pass
# Make Indicators for any contacted hosts.
for host in self.contacted_hosts:
# Make an Indicator for the IP itself.
if RegexHelpers.is_ip(host.ipv4):
try:
ind = Indicator.Indicator(host.ipv4, "Address - ipv4-addr")
ind.add_tags("contacted_host")
if host.protocol and host.port:
ind.add_tags(host.protocol + " " + host.port)
elif host.protocol and not host.port:
indicator.add_tag(host.protocol)
self.iocs.append(ind)
except ValueError:
pass
# Make Indicators for any associated domains.
for domain in host.associated_domains:
if RegexHelpers.is_domain(domain["domain"]):
try:
ind = Indicator.Indicator(domain["domain"], "URI - Domain Name")
ind.add_tags("associated_to_" + host.ipv4)
ind.add_relationships(host.ipv4)
self.iocs.append(ind)
except ValueError:
pass
# Make Indicators for any DNS requests.
for request in self.dns_requests:
# Make an Indicator for the requested domain.
if RegexHelpers.is_domain(request.request):
try:
ind = Indicator.Indicator(request.request, "URI - Domain Name")
ind.add_tags("dns_request")
# If the DNS answer is an IP, add a tag for it and
# also create an Indicator for it.
if RegexHelpers.is_ip(request.answer):
ind.add_tags(request.answer)
try:
ip_ind = Indicator.Indicator(request.answer, "Address - ipv4-addr")
ip_ind.add_tags(["dns_response", request.request])
self.iocs.append(ip_ind)
except ValueError:
pass
self.iocs.append(ind)
except ValueError:
pass
# Make Indicators for any dropped files.
# TODO: Add back in the ability to only make Indicators for "interesting"
# dropped files, based on file type or file extension.
for file in self.dropped_files:
# Make an Indicator for the file path.
try:
ind = Indicator.Indicator(file.path, "Windows - FilePath")
ind.add_tags("dropped_file")
ind.add_relationships(file.filename)
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the file name.
try:
ind = Indicator.Indicator(file.filename, "Windows - FileName")
ind.add_tags("dropped_file")
ind.add_relationships([file.path, file.md5, file.sha1, file.sha256])
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the MD5 hash.
if RegexHelpers.is_md5(file.md5):
try:
ind = Indicator.Indicator(file.md5, "Hash - MD5")
ind.add_tags([file.filename, "dropped_file"])
ind.add_relationships([file.filename, file.path, file.sha1, file.sha256])
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the SHA1 hash.
if RegexHelpers.is_sha1(file.sha1):
try:
ind = Indicator.Indicator(file.sha1, "Hash - SHA1")
ind.add_tags([file.filename, "dropped_file"])
ind.add_relationships([file.filename, file.path, file.md5, file.sha256])
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the SHA256 hash.
if RegexHelpers.is_sha256(file.sha256):
try:
ind = Indicator.Indicator(file.sha256, "Hash - SHA256")
ind.add_tags([file.filename, "dropped_file"])
ind.add_relationships([file.filename, file.path, file.md5, file.sha1])
self.iocs.append(ind)
except ValueError:
pass
# Make Indicators for any HTTP requests.
for request in self.http_requests:
# Check if the host is a domain or IP.
if RegexHelpers.is_ip(request.host):
indicator_type = "Address - ipv4-addr"
# Otherwise it must be a domain.
else:
indicator_type = "URI - Domain Name"
# Make an Indicator for the host.
try:
ind = Indicator.Indicator(request.host, indicator_type)
ind.add_tags(["http_request", request.method])
if request.method == "POST":
ind.add_tags("c2")
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the URI path.
if request.uri != "/":
try:
ind = Indicator.Indicator(request.uri, "URI - Path")
ind.add_tags(["http_request", request.method, request.host])
if request.method == "POST":
ind.add_tags("c2")
ind.add_relationships(request.host)
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the full URL.
try:
url = "http://" + request.host + request.uri
ind = Indicator.Indicator(url, "URI - URL")
ind.add_tags(["http_request", request.method])
if request.method == "POST":
ind.add_tags("c2")
ind.add_relationships([request.host, request.uri])
self.iocs.append(ind)
except ValueError:
pass
# Make an Indicator for the User-Agent.
try:
ind = Indicator.Indicator(request.user_agent, "URI - HTTP - UserAgent")
ind.add_tags(["http_request", request.method, request.host])
if request.method == "POST":
ind.add_tags("c2")
ind.add_relationships([request.host, request.uri])
self.iocs.append(ind)
except ValueError:
pass
# Make Indicators for any memory URLs. Currently, only VxStream
# has this memory URL feature.
indicator_list = Indicator.generate_url_indicators(self.memory_urls)
# Add some extra tags to the generated indicators and
# then add them to our main IOC list.
for ind in indicator_list:
ind.add_tags("url_in_memory")
self.iocs.append(ind)
# Make Indicators for any URLs found in the sample's strings.
indicator_list = Indicator.generate_url_indicators(self.strings_urls)
# Add some extra tags to the generated indicators and
# then add them to our main IOC list.
for ind in indicator_list:
ind.add_tags("url_in_strings")
self.iocs.append(ind)
# Make Indicators for any URLs found in the sample's process tree.
indicator_list = Indicator.generate_url_indicators(self.process_tree_urls)
# Add some extra tags to the generated indicators and
# then add them to our main IOC list.
for ind in indicator_list:
ind.add_tags("url_in_process_tree")
self.iocs.append(ind)
# Make Indicators for any mutexes.
for mutex in self.mutexes:
try:
ind = Indicator.Indicator(mutex, "Windows - Mutex")
ind.add_tags("mutex_created")
self.iocs.append(ind)
except ValueError:
pass
# Run the IOCs through the whitelists if requested.
if check_whitelist:
self.iocs = Indicator.run_whitelist(self.iocs)
# Finally merge the IOCs so we don't have any duplicates.
self.iocs = Indicator.merge_duplicate_indicators(self.iocs)