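def _bgm_total(analysis):
    """Return the combined benign/grayware/malware count of *analysis*.

    Returns None when the analysis carries no such counts (some analysis
    types, e.g. the behavior ones, have no BGM attributes) or when the
    attributes are present but not addable.
    """
    try:
        return (analysis.benign_count + analysis.grayware_count +
                analysis.malware_count)
    except (AttributeError, TypeError):
        return None


def hash_lookup(args, query):
    """Collect raw analysis lines for every sample matching a hash query.

    Each sample returned by ``AFSample.search(af_query("hash", query))`` is
    walked analysis by analysis.  An analysis' ``_raw_line`` is appended to
    the ``analysis_data`` bucket its type maps to, but only when its
    combined benign/grayware/malware count is below ``args.filter``
    (i.e. artefacts seen in fewer samples than the threshold are kept).
    Behavior analyses carry no such counts and are always kept, exactly
    once.  The sample's ``imphash`` and ``digital_signer`` are recorded
    when present.

    Args:
        args: parsed options; only ``args.filter`` (a numeric threshold) is read.
        query: the hash value handed to ``af_query("hash", query)``.

    Returns:
        The dict produced by ``build_field_list()`` with matching raw lines
        appended to its per-type lists.  A ``"default"`` list is created on
        demand for analysis types that are not in the map below.
    """
    # Dictionary mapping the raw data for each type of sample analysis
    analysis_data = build_field_list()

    # Analysis class -> key of the analysis_data bucket that receives it
    analysis_data_map = {
        AFServiceActivity: "service",
        AFRegistryActivity: "registry",
        AFProcessActivity: "process",
        AFJavaApiActivity: "japi",
        AFApiActivity: "misc",
        AFUserAgentFragment: "user_agent",
        AFMutexActivity: "mutex",
        AFHttpActivity: "http",
        AFDnsActivity: "dns",
        AFBehaviorAnalysis: "behavior_desc",
        AFBehaviorTypeAnalysis: "behavior_type",
        AFConnectionActivity: "connection",
        AFFileActivity: "file",
        AFApkActivityAnalysis: "apk_misc",
        AFApkIntentFilterAnalysis: "apk_filter",
        AFApkReceiverAnalysis: "apk_receiver",
        AFApkSensorAnalysis: "apk_sensor",
        AFApkServiceAnalysis: "apk_service",
        AFApkEmbededUrlAnalysis: "apk_embedurl",
        AFApkRequestedPermissionAnalysis: "apk_permission",
        AFApkSensitiveApiCallAnalysis: "apk_sensitiveapi",
        AFApkSuspiciousApiCallAnalysis: "apk_suspiciousapi",
        AFApkSuspiciousFileAnalysis: "apk_file",
        # NOTE(review): "apl_string" looks like a typo for "apk_string";
        # confirm against the keys returned by build_field_list() before
        # changing it, as the bucket name must match that dict.
        AFApkSuspiciousStringAnalysis: "apl_string",
    }

    # Behavior analyses have no BGM values and bypass the count filter.
    # Exact type matching is used to stay consistent with the map lookup.
    behavior_types = (AFBehaviorTypeAnalysis, AFBehaviorAnalysis)

    for sample in AFSample.search(af_query("hash", query)):
        for analysis in sample.get_analyses():
            section = analysis_data_map.get(type(analysis), "default")
            # setdefault keeps unmapped ("default") analyses from being
            # dropped silently when build_field_list() has no such bucket.
            bucket = analysis_data.setdefault(section, [])

            if type(analysis) in behavior_types:
                bucket.append(analysis._raw_line)
                continue

            # If there are no counts for the activity, ignore them for the
            # filter; any other error now surfaces instead of being swallowed.
            total = _bgm_total(analysis)
            if total is not None and total < args.filter:
                bucket.append(analysis._raw_line)

        if sample.imphash:
            analysis_data["imphash"].append(sample.imphash)

        if sample.digital_signer:
            analysis_data["digital_signer"].append(sample.digital_signer)

    return analysis_data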
 def do_search(self):
     """Run ``self.search`` against AutoFocus and return the serialized hits.

     Returns a dict holding the original query under ``'search'`` and, under
     ``'records'``, one entry per returned sample with its serialized
     metadata and the serialized tags it carries.
     """
     # __getattribute__ is kept as in the original call site: unlike plain
     # attribute access it does not fall back to a __getattr__ hook, so the
     # two are not interchangeable if AFSample defines one.
     records = [
         {
             'metadata': sample.serialize(),
             'tags': [tag.serialize()
                      for tag in sample.__getattribute__('tags')],
         }
         for sample in AFSample.search(self.search)
     ]
     return {'search': self.search, 'records': records}
def search_hash(hash):
    """Print the first AutoFocus sample whose sha256 equals *hash*.

    Builds a ``sample.sha256 is <hash>`` query and prints the sha256, md5
    and malware/benign/grayware counts of the first sample returned; the
    search is abandoned after that first hit.  Only the banner line is
    printed when nothing matches.  Always returns None.

    The parameter is named ``hash`` by the existing callers even though it
    shadows the builtin; it is left unchanged for compatibility.
    """
    print("Searching for {}".format(hash))

    # Exact sha256 match; the value goes straight into the clause rather
    # than being patched in afterwards.
    sha256_clause = {
        "field": "sample.sha256",
        "operator": "is",
        "value": hash,
    }
    query = {"operator": "all", "children": [sha256_clause]}

    # Only the first result is reported; the paging generator is dropped
    # right after it.
    no_match = object()
    sample = next(iter(AFSample.search(query)), no_match)
    if sample is not no_match:
        print("sha256:{} md5:{} m:{} b:{} g:{}".format(
            sample.sha256, sample.md5, sample.malware, sample.benign,
            sample.grayware))

    return None
def search_hash(hash):
    """Print the first AutoFocus sample whose sha256 equals *hash*.

    Python 2 variant of the lookup: it issues a ``sample.sha256 is <hash>``
    query, prints the sha256, md5 and malware/benign/grayware counts of the
    first sample returned and then stops iterating.  When there is no match
    only the banner line is printed.  Always returns None.

    The single-argument ``print(...)`` form prints the same text under
    Python 2 and Python 3.
    """
    print("Searching for {}".format(hash))

    # The sha256 is inserted directly; no placeholder value is needed.
    query = {
        "operator": "all",
        "children": [
            {"field": "sample.sha256", "operator": "is", "value": hash},
        ],
    }

    # Report the first hit only and abandon the (paging) generator.
    for sample in AFSample.search(query):
        summary = "sha256:{} md5:{} m:{} b:{} g:{}".format(
            sample.sha256, sample.md5, sample.malware, sample.benign,
            sample.grayware)
        print(summary)
        break

    return None
    for k, v in sample.__dict__.items():
        print "\t{}={}".format(k, v)

except AFSampleAbsent:
    pass  # The sample isn't in AutoFocus

################################################
# Run an autofocus query (Exported via the UI) #
################################################
# A query exported from the AutoFocus UI is a JSON string; this one asks for
# samples whose malware verdict is 1.
query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}'

# * AFSample.search is a generator: results must be iterated, which suits the
#   usually large result sets of such a query.
# * Paging is handled inside the client library, so the caller only poses the
#   question and consumes the results.
# Only the first hit is printed; the loop leaves the generator after it.
results = AFSample.search(query)
for sample in results:
    # sample is an instance of AFSample
    print(sample.sha256)
    break

#################################
# Searching for multiple hashes #
#################################

# Get a list of hashes you're interested in looking for
# IMPORTANT: The API currently has a 100 hash limit per query. You'll have to chunk hashes
# if you want to run more than 100 hashes.
hashes = [
    "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c",
    "9906a8a55e5a50d2993408c7f1ba9cf97d8f38ca3fe68750bb62a8d0785b8c4b",
    "b25a964c954d386ab67df52d20dbf210e803f0ada2ed6feb38fc5dc93e31c873",
    "09dd98c93cde02935f885a72a9789973e1e17b8a1d2b8e3bd34d5fc27db46fde")

# Process activity of the sample fetched above (one analysis per line)
for analysis in sample.get_analyses(['process']):
    print(analysis)

# Miscellaneous
sample = AFSample.get(
    "09dd98c93cde02935f885a72a9789973e1e17b8a1d2b8e3bd34d5fc27db46fde")

for analysis in sample.get_analyses(['misc']):
    print(analysis)

# Mutex Analysis: any sample that recorded at least one mutex; only the
# first sample returned is inspected.
mutex_query = {
    "field": "sample.tasks.mutex",
    "operator": "has any value",
    "value": "",
}
for sample in AFSample.search(mutex_query):
    for analysis in sample.get_analyses(['mutex']):
        print(analysis.function_name)
    break

# Java API  Analysis
sample = AFSample.get(
    "2b69dcee474f802bab494983d1329d2dc3f7d7bb4c9f16836efc794284276c8e")

for analysis in sample.get_analyses(['japi']):
    print(type(analysis))

# HTTP Analysis
sample = AFSample.get(
        print "\t{}={}".format(k, v)

except AFSampleAbsent:
    pass # The sample isn't in AutoFocus


################################################
# Run an autofocus query (Exported via the UI) #
################################################
# A query exported from the AutoFocus UI is a JSON string; this one asks for
# samples whose malware verdict is 1.
query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}'

# * AFSample.search is a generator: results must be iterated, which suits the
#   usually large result sets of such a query.
# * Paging is handled inside the client library, so the caller only poses the
#   question and consumes the results.
# Only the first hit is printed; the loop leaves the generator after it.
results = AFSample.search(query)
for sample in results:
    # sample is an instance of AFSample
    print(sample.sha256)
    break

#################################
# Searching for multiple hashes #
#################################

# Get a list of hashes you're interested in looking for
# IMPORTANT: The API currently has a 100 hash limit per query. You'll have to chunk hashes
# if you want to run more than 100 hashes.
hashes = [
    "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c",
    "9906a8a55e5a50d2993408c7f1ba9cf97d8f38ca3fe68750bb62a8d0785b8c4b",
    "b25a964c954d386ab67df52d20dbf210e803f0ada2ed6feb38fc5dc93e31c873",
    print analysis

# process activity and miscellaneous analyses come from the same sample
example_sha256 = "09dd98c93cde02935f885a72a9789973e1e17b8a1d2b8e3bd34d5fc27db46fde"

sample = AFSample.get(example_sha256)

for analysis in sample.get_analyses(['process']):
    print(analysis)

# Miscellaneous
sample = AFSample.get(example_sha256)

for analysis in sample.get_analyses(['misc']):
    print(analysis)

# Mutex Analysis: any sample that recorded at least one mutex; only the
# first sample returned is inspected.
mutex_query = {
    "field": "sample.tasks.mutex",
    "operator": "has any value",
    "value": "",
}
for sample in AFSample.search(mutex_query):
    for analysis in sample.get_analyses(['mutex']):
        print(analysis.function_name)
    break

# Java API  Analysis
sample = AFSample.get(
    "2b69dcee474f802bab494983d1329d2dc3f7d7bb4c9f16836efc794284276c8e")

for analysis in sample.get_analyses(['japi']):
    print(type(analysis))

# HTTP Analysis
sample = AFSample.get(
    "c1dc94d92c0ea361636d2f08b63059848ec1fb971678bfc34bcb4a960a120f7e")

for analysis in sample.get_analyses(['http']):
    print(type(analysis))