    def analyze(self, line):
        """Extract the first URL from one raw feed line.

        Comment lines (starting with '#') and blank lines (a bare newline)
        are skipped. NOTE(review): ``url`` is assigned but never used in
        this excerpt, so the rest of the method appears to be cut off here.
        """
        if line.startswith('#') or line.startswith('\n'):
            return

        try:
            url = toolbox.find_urls(line)[0]
        except Exception, e:
            # ``[0]`` on an empty result raises IndexError, which is the
            # "no URL in this line" case. The broad catch also swallows any
            # other error from find_urls, so a malformed line is dropped
            # silently rather than reported.
            return
	def analyze(self, line):
		"""Extract the first URL from one raw feed line.

		Comment lines (starting with '#') and blank lines (a bare newline)
		are skipped. NOTE(review): ``url`` is assigned but never used in
		this excerpt, so the rest of the method appears to be cut off here.
		"""
		if line.startswith('#') or line.startswith('\n'):
			return

		try:
			url = toolbox.find_urls(line)[0]
		except Exception, e:
			# ``[0]`` on an empty result raises IndexError, which is the
			# "no URL in this line" case. The broad catch also swallows any
			# other error from find_urls, so a malformed line is dropped
			# silently rather than reported.
			return
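    def analyze(self, dict):
        """Build a Url and an Evil element from one parsed SpyEye feed entry.

        Args:
            dict: one feed entry with (at least) the keys 'link',
                'description' and 'guid'. The name shadows the builtin;
                it is kept because callers may pass it by keyword.

        Returns:
            A ``(url, evil)`` tuple: the ``Url`` built from the first URL
            found in the description, and the populated ``Evil`` element.

        Raises:
            IndexError: if ``toolbox.find_urls`` finds no URL in the
                description (the ``[0]`` lookup is unguarded).
            KeyError: if one of the expected keys is missing.
        """
        description = dict['description']

        # Evil objects are Malcom's container for anything it considers
        # malicious (malware, spam sources, ...). Every field below is
        # copied verbatim from the feed; nothing is escaped here, so
        # whatever renders these values has to do its own escaping.
        evil = Evil()
        evil['description'] = dict['link'] + " " + description

        # The feed marks dead hosts with the word "offline" somewhere in the
        # description; everything else is taken as still online.
        evil['status'] = "offline" if "offline" in description else "online"

        # The feed embeds the sample hash as "MD5 hash: <32 hex chars>".
        # The local is named md5_match so it does not shadow the md5 module.
        md5_match = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
        if md5_match is not None:
            evil['md5'] = md5_match.group('md5')
        else:
            evil['md5'] = "No MD5"

        # linkback to the feed entry
        evil['guid'] = dict['guid']

        # Evil() is expected to start with a 'tags' list (the += relied on
        # that before this rewrite as well).
        evil['tags'] += ['spyeye', 'malware']

        # First URL in the description; IndexError propagates when there is none.
        url = Url(toolbox.find_urls(description)[0],
                  tags=['spyeye', 'malware', 'exe'])

        # 'value' is the key Malcom uses to identify the element in the
        # database, so it has to be unique: prefer the sample hash and fall
        # back to the URL when the entry carries no hash.
        evil['value'] = "SpyEye bot"
        if md5_match is not None:
            evil['value'] += " (MD5: %s)" % evil['md5']
        else:
            evil['value'] += " (URL: %s)" % url['value']

        return url, evil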
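	def analyze(self, dict):
		"""Build a Url and an Evil element from one ZeuS Tracker dropzone entry.

		Args:
			dict: one feed entry with (at least) the keys 'description'
				and 'guid'. The name shadows the builtin; it is kept
				because callers may pass it by keyword.

		Returns:
			A ``(url, evil)`` tuple: the ``Url`` built from the first URL
			found in the description, and the populated ``Evil`` element.

		Raises:
			IndexError: if ``toolbox.find_urls`` finds no URL in the
				description (the ``[0]`` lookup is unguarded).
			KeyError: if one of the expected keys is missing.
		"""
		description = dict['description']

		# Evil objects are Malcom's container for anything it considers
		# malicious (malware, spam sources, ...). Every field below is
		# copied verbatim from the feed; nothing is escaped here, so
		# whatever renders these values has to do its own escaping.
		evil = Evil()
		evil['description'] = description

		# The feed marks dead dropzones with the word "offline" somewhere in
		# the description; everything else is taken as still online.
		evil['status'] = "offline" if "offline" in description else "online"

		# The feed embeds the sample hash as "MD5 hash: <32 hex chars>".
		# The local is named md5_match so it does not shadow the md5 module.
		md5_match = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
		if md5_match is not None:
			evil['md5'] = md5_match.group('md5')
		else:
			evil['md5'] = "No MD5"

		# linkback to the feed entry
		evil['guid'] = dict['guid']

		# Evil() is expected to start with a 'tags' list (the += relied on
		# that before this rewrite as well).
		evil['tags'] += ['zeus', 'malware', 'ZeusTrackerDropzones']

		# First URL in the description; IndexError propagates when there is none.
		url = Url(toolbox.find_urls(description)[0], ['evil', 'ZeusTrackerDropzones'])

		# 'value' is the key Malcom uses to identify the element in the
		# database, so it has to be unique: prefer the sample hash and fall
		# back to the URL when the entry carries no hash.
		evil['value'] = "ZeuS Dropzone"
		if md5_match is not None:
			evil['value'] += " (MD5: %s)" % evil['md5']
		else:
			evil['value'] += " (URL: %s)" % url['value']

		return url, evil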
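    def analyze(self, dict):
        """Turn one parsed feed entry into a Url element and commit it.

        Args:
            dict: one feed entry with the keys 'title', 'description' and
                'pubDate' (day-month-year). The name shadows the builtin;
                it is kept so keyword callers keep working.

        Returns:
            None. Returns early, without touching the database, when no
            URL can be extracted from the title.

        Raises:
            ValueError: if 'pubDate' is not in ``%d-%m-%Y`` form.
            KeyError: if 'description' or 'pubDate' is missing.
        """
        import hashlib  # stdlib replacement for the removed ``md5`` module

        try:
            found = toolbox.find_urls(dict["title"])[0]
        except Exception:
            return  # no URL in the title (or no title at all): nothing to record

        # Feed text is stored verbatim as the tag; nothing is escaped here.
        url = Url(url=found, tags=[dict["description"].lower()])

        evil = {}
        evil["description"] = "%s CC" % (dict["description"].lower())
        evil["date_added"] = datetime.datetime.strptime(dict["pubDate"], "%d-%m-%Y")

        # hashlib needs bytes; feed text may be unicode (non-ASCII text made
        # md5.new() fail), so encode it. Bytes already in hand pass through.
        key = dict["title"] + dict["pubDate"] + dict["description"]
        if not isinstance(key, bytes):
            key = key.encode("utf-8")
        # Deterministic per-entry id: re-reading the same entry yields the
        # same id. MD5 is only a fingerprint here, not a security property.
        evil["id"] = hashlib.md5(key).hexdigest()
        evil["source"] = self.name

        url.seen(first=evil["date_added"])
        url.add_evil(evil)
        self.commit_to_db(url)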
    def analyze(self, dict):
        """Start building a Url element for one MDL Tracker feed entry.

        NOTE(review): the original template comment spoke of creating an
        ``Evil`` object, but the code builds a ``Url`` (``mdl``). ``mdl`` is
        never returned or saved in this excerpt, so the rest of the method
        appears to be cut off here.

        Args:
            dict: one feed entry; only the 'description' key is read here.
                The name shadows the builtin ``dict``.
        """
        mdl = Url()

        # Populate the element from the parsed feed entry.
        mdl['feed'] = "MDLTracker"
        try:
            # First URL found in the description, copied verbatim from the feed.
            mdl['value'] = toolbox.find_urls(dict['description'])[0]
        except Exception, e:
            # ``[0]`` raises IndexError when no URL is found; the broad catch
            # also hides a missing 'description' key or any find_urls failure.
            return
	def analyze(self, dict):
		"""Start building a Url element for one MDL Tracker feed entry.

		NOTE(review): the original template comment spoke of creating an
		``Evil`` object, but the code builds a ``Url`` (``mdl``). ``mdl`` is
		never returned or saved in this excerpt, so the rest of the method
		appears to be cut off here.

		Args:
			dict: one feed entry; only the 'description' key is read here.
				The name shadows the builtin ``dict``.
		"""
		mdl = Url()

		# Populate the element from the parsed feed entry.
		mdl['feed'] = "MDLTracker"
		try: 
			# First URL found in the description, copied verbatim from the feed.
			mdl['value'] = toolbox.find_urls(dict['description'])[0]
		except Exception,e:
			# ``[0]`` raises IndexError when no URL is found; the broad catch
			# also hides a missing 'description' key or any find_urls failure.
			return
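    def analyze(self, dict):
        """Turn one parsed feed entry into a Url element and commit it.

        Args:
            dict: one feed entry with the keys 'title', 'description' and
                'pubDate' (RFC 822 style date with a "+HHMM" offset, which
                is stripped before parsing). The name shadows the builtin;
                it is kept so keyword callers keep working. ``dict['pubDate']``
                is rewritten in place with the offset removed, as before.

        Returns:
            None. Returns early, without touching the database, when no
            URL can be extracted from the title.

        Raises:
            ValueError: if the stripped 'pubDate' does not match
                ``"%a, %d %b %Y %X "``. Note that ``%a``/``%b``/``%X`` are
                parsed in the current locale, so this relies on an
                English/C locale for the English day and month names.
            KeyError: if 'description' or 'pubDate' is missing.
        """
        import hashlib  # stdlib replacement for the removed ``md5`` module

        try:
            found = toolbox.find_urls(dict['title'])[0]
        except Exception:
            return  # no URL in the title (or no title at all): nothing to record

        url = Url(url=found, tags=['evil'])

        evil = {}
        # Strip the "+HHMM" timezone offset: the strptime format below has
        # no %z. The entry is updated in place (as before) because the
        # stripped form is also part of the id hash.
        dict['pubDate'] = dict['pubDate'].split('+')[0]
        evil['description'] = "%s CC" % (dict['description'].lower())
        evil['date_added'] = datetime.datetime.strptime(dict['pubDate'], "%a, %d %b %Y %X ")

        # hashlib needs bytes; feed text may be unicode (non-ASCII text made
        # md5.new() fail), so encode it. Bytes already in hand pass through.
        key = dict['title'] + dict['pubDate'] + dict['description']
        if not isinstance(key, bytes):
            key = key.encode('utf-8')
        # Deterministic per-entry id: re-reading the same entry yields the
        # same id. MD5 is only a fingerprint here, not a security property.
        evil['id'] = hashlib.md5(key).hexdigest()
        evil['source'] = self.name

        url.seen(first=evil['date_added'])
        url.add_evil(evil)
        self.commit_to_db(url)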
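    def analyze(self, dict):
        """Store one SpyEye config feed entry as linked Evil and Url elements.

        Args:
            dict: one feed entry with the keys 'description', 'link' and
                'guid'. The name shadows the builtin; it is kept because
                callers may pass it by keyword.

        Side effects:
            Saves an Evil element and a Url element through
            ``self.analytics.save_element``, bumps ``self.elements_fetched``
            for each one that did not already exist, and connects the two
            with a 'hosting' edge.

        Raises:
            IndexError: if ``toolbox.find_urls`` finds no URL in the
                description (the ``[0]`` lookup is unguarded).
            KeyError: if one of the expected keys is missing.
        """
        description = dict['description']

        # Evil objects are Malcom's container for anything it considers
        # malicious. Every field below is copied verbatim from the feed;
        # nothing is escaped here, so whatever renders these values has to
        # do its own escaping.
        evil = Evil()
        evil['feed'] = "SpyEyeConfigs"
        # First URL in the description; IndexError propagates when there is none.
        evil['url'] = toolbox.find_urls(description)[0]
        evil['description'] = dict['link'] + " " + description

        # The feed flags dead hosts with the word "offline" in the description.
        evil['status'] = "offline" if "offline" in description else "online"

        # The feed embeds the sample hash as "MD5 hash: <32 hex chars>".
        # The local is named md5_match so it does not shadow the md5 module.
        md5_match = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
        if md5_match is not None:
            evil['md5'] = md5_match.group('md5')
        else:
            evil['md5'] = "No MD5"

        # linkback to the feed entry
        evil['source'] = dict['guid']
        evil['type'] = 'evil'
        # Evil() is expected to start with a 'tags' list (the += relied on
        # that before this rewrite as well).
        evil['tags'] += ['spyeye', 'malware', 'SpyEyeConfigs']
        # Naive UTC timestamp; the key spelling ('retreived') is kept because
        # that is what is stored in the database.
        evil['date_retreived'] = datetime.datetime.utcnow()

        # 'value' is the key Malcom uses to identify the element in the
        # database, so it has to be unique: prefer the sample hash and fall
        # back to the URL when the entry carries no hash.
        evil['value'] = "SpyEye Config"
        if md5_match is not None:
            evil['value'] += " (MD5: %s)" % evil['md5']
        else:
            evil['value'] += " (URL: %s)" % evil['url']

        # save_element returns the stored element plus a status dict whose
        # 'updatedExisting' flag tells whether the element already existed.
        evil, status = self.analytics.save_element(evil, with_status=True)
        if not status['updatedExisting']:
            self.elements_fetched += 1

        url = Url(evil['url'], ['evil', 'SpyEyeConfigs'])
        url, status = self.analytics.save_element(url, with_status=True)
        if not status['updatedExisting']:
            self.elements_fetched += 1

        # Link the URL to the Evil element it hosts.
        self.analytics.data.connect(url, evil, 'hosting')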
	def analyze(self, dict, testing=False):
		"""Extract the first URL from a feed entry's title.

		Args:
			dict: one feed entry; only 'title' is read in this excerpt. The
				name shadows the builtin ``dict``.
			testing: not used in this excerpt.

		NOTE(review): ``url`` is assigned but never used here, so the rest
		of the method appears to be cut off.
		"""
		try:
			url = toolbox.find_urls(dict['title'])[0]
		except Exception, e:
			# ``[0]`` raises IndexError when no URL is found; the broad catch
			# also hides a missing 'title' key or any find_urls failure.
			return # if no URL is found, bail
	def analyze(self, dict):
		"""Extract the first URL from a feed entry's title.

		Args:
			dict: one feed entry; only 'title' is read in this excerpt. The
				name shadows the builtin ``dict``.

		NOTE(review): ``url`` is assigned but never used here, so the rest
		of the method appears to be cut off.
		"""
		try:
			url = toolbox.find_urls(dict['title'])[0]
		except Exception, e:
			# ``[0]`` raises IndexError when no URL is found; the broad catch
			# also hides a missing 'title' key or any find_urls failure.
			return # if no URL is found, bail
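	def analyze(self, dict):
		"""Store one SpyEye binary feed entry as linked Evil and Url elements.

		Args:
			dict: one feed entry with the keys 'description', 'link' and
				'guid'. The name shadows the builtin; it is kept because
				callers may pass it by keyword.

		Side effects:
			Saves an Evil element and a Url element through
			``self.analytics.save_element``, bumps ``self.elements_fetched``
			for each one that did not already exist, and connects the two
			with a 'hosting' edge.

		Raises:
			IndexError: if ``toolbox.find_urls`` finds no URL in the
				description (the ``[0]`` lookup is unguarded).
			KeyError: if one of the expected keys is missing.
		"""
		description = dict['description']

		# Evil objects are Malcom's container for anything it considers
		# malicious. Every field below is copied verbatim from the feed;
		# nothing is escaped here, so whatever renders these values has to
		# do its own escaping.
		evil = Evil()
		evil['feed'] = "SpyEyeBinaries"
		# First URL in the description; IndexError propagates when there is none.
		evil['url'] = toolbox.find_urls(description)[0]
		evil['description'] = dict['link'] + " " + description

		# The feed flags dead hosts with the word "offline" in the description.
		evil['status'] = "offline" if "offline" in description else "online"

		# The feed embeds the sample hash as "MD5 hash: <32 hex chars>".
		# The local is named md5_match so it does not shadow the md5 module.
		md5_match = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
		if md5_match is not None:
			evil['md5'] = md5_match.group('md5')
		else:
			evil['md5'] = "No MD5"

		# linkback to the feed entry
		evil['source'] = dict['guid']
		evil['type'] = 'evil'
		# Evil() is expected to start with a 'tags' list (the += relied on
		# that before this rewrite as well).
		evil['tags'] += ['spyeye', 'malware', 'SpyEyeBinaries']
		# Naive UTC timestamp; the key spelling ('retreived') is kept because
		# that is what is stored in the database.
		evil['date_retreived'] = datetime.datetime.utcnow()

		# 'value' is the key Malcom uses to identify the element in the
		# database, so it has to be unique: prefer the sample hash and fall
		# back to the URL when the entry carries no hash.
		evil['value'] = "SpyEye bot"
		if md5_match is not None:
			evil['value'] += " (MD5: %s)" % evil['md5']
		else:
			evil['value'] += " (URL: %s)" % evil['url']

		# save_element returns the stored element plus a status dict whose
		# 'updatedExisting' flag tells whether the element already existed.
		evil, status = self.analytics.save_element(evil, with_status=True)
		if not status['updatedExisting']:
			self.elements_fetched += 1

		url = Url(evil['url'], ['evil', 'SpyEyeBinaries'])
		url, status = self.analytics.save_element(url, with_status=True)
		if not status['updatedExisting']:
			self.elements_fetched += 1

		# Link the URL to the Evil element it hosts.
		self.analytics.data.connect(url, evil, 'hosting')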
 def analyze(self, dict):
     """Extract the first URL from a feed entry's link.

     Args:
         dict: one feed entry; only 'link' is read in this excerpt. The
             name shadows the builtin ``dict``.

     NOTE(review): ``url`` is assigned but never used here, so the rest
     of the method appears to be cut off.
     """
     try:
         url = toolbox.find_urls(dict['link'])[0]
     except Exception, e:
         # ``[0]`` raises IndexError when no URL is found; the broad catch
         # also hides a missing 'link' key or any find_urls failure.
         return
	def analyze(self, dict):
		"""Extract the first URL from a feed entry's link.

		Args:
			dict: one feed entry; only 'link' is read in this excerpt. The
				name shadows the builtin ``dict``.

		NOTE(review): ``url`` is assigned but never used here, so the rest
		of the method appears to be cut off.
		"""
		try:
			url = toolbox.find_urls(dict['link'])[0]
		except Exception, e:
			# ``[0]`` raises IndexError when no URL is found; the broad catch
			# also hides a missing 'link' key or any find_urls failure.
			return
    def analyze(self, dict):
        """Extract the first URL from a feed entry's description.

        Args:
            dict: one feed entry; only 'description' is read in this
                excerpt. The name shadows the builtin ``dict``.

        NOTE(review): ``url`` is assigned but never used here, so the rest
        of the method appears to be cut off.
        """

        try:
            url = toolbox.find_urls(dict['description'])[0]
        except Exception, e:
            # ``[0]`` raises IndexError when no URL is found; the broad catch
            # also hides a missing 'description' key or any find_urls failure.
            return  # no URL found, bail
	def analyze(self, dict):
		"""Extract the first URL from a feed entry's description.

		Args:
			dict: one feed entry; only 'description' is read in this
				excerpt. The name shadows the builtin ``dict``.

		NOTE(review): ``url`` is assigned but never used here, so the rest
		of the method appears to be cut off.
		"""

		try:
			url = toolbox.find_urls(dict['description'])[0]
		except Exception, e:
			# ``[0]`` raises IndexError when no URL is found; the broad catch
			# also hides a missing 'description' key or any find_urls failure.
			return # no URL found, bail