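def hash_lookup(args, query):
    """Collect the raw analysis lines of every sample matching a hash query.

    Args:
        args: parsed command-line options; only ``args.filter`` is read, the
            exclusive upper bound on ``benign_count + grayware_count +
            malware_count`` an analysis may have and still be kept.
        query: the hash value handed to ``af_query("hash", ...)``.

    Returns:
        The dict built by ``build_field_list()``, each section list extended
        with the ``_raw_line`` of every retained analysis, plus the samples'
        ``imphash`` and ``digital_signer`` values where present.
    """
    # Dictionary mapping the raw data for each type of sample analysis
    analysis_data = build_field_list()

    # Map analysis types to analysis_data keys. Lookup is by exact type
    # (type(analysis)), so subclasses are not matched.
    analysis_data_map = {
        AFServiceActivity: "service",
        AFRegistryActivity: "registry",
        AFProcessActivity: "process",
        AFJavaApiActivity: "japi",
        AFApiActivity: "misc",
        AFUserAgentFragment: "user_agent",
        AFMutexActivity: "mutex",
        AFHttpActivity: "http",
        AFDnsActivity: "dns",
        AFBehaviorAnalysis: "behavior_desc",
        AFBehaviorTypeAnalysis: "behavior_type",
        AFConnectionActivity: "connection",
        AFFileActivity: "file",
        AFApkActivityAnalysis: "apk_misc",
        AFApkIntentFilterAnalysis: "apk_filter",
        AFApkReceiverAnalysis: "apk_receiver",
        AFApkSensorAnalysis: "apk_sensor",
        AFApkServiceAnalysis: "apk_service",
        AFApkEmbededUrlAnalysis: "apk_embedurl",
        AFApkRequestedPermissionAnalysis: "apk_permission",
        AFApkSensitiveApiCallAnalysis: "apk_sensitiveapi",
        AFApkSuspiciousApiCallAnalysis: "apk_suspiciousapi",
        AFApkSuspiciousFileAnalysis: "apk_file",
        # Key kept as-is; presumably matches the section build_field_list()
        # creates -- verify that "apl_string" is not a typo for "apk_string".
        AFApkSuspiciousStringAnalysis: "apl_string",
    }
    # Behaviour analyses carry no benign/grayware/malware counts and are
    # always recorded, bypassing the count filter.
    unfiltered_types = (AFBehaviorTypeAnalysis, AFBehaviorAnalysis)

    for sample in AFSample.search(af_query("hash", query)):
        for analysis in sample.get_analyses():
            # Unmapped types land in the "default" section -- assumes
            # build_field_list() provides that key; TODO confirm.
            section = analysis_data_map.get(type(analysis), "default")

            # If there are no counts for the activity, ignore them for the filter.
            # Only the missing-/None-count cases are swallowed; anything else
            # (e.g. a missing section key) now surfaces instead of silently
            # dropping data.
            try:
                total = (analysis.benign_count
                         + analysis.grayware_count
                         + analysis.malware_count)
            except (AttributeError, TypeError):
                pass
            else:
                if total < args.filter:
                    analysis_data[section].append(analysis._raw_line)

            # Handle Behaviors which have no BGM values. Kept unconditional as
            # in the original: if a behaviour analysis ever does carry counts
            # below the filter it is appended twice -- TODO confirm intent.
            if type(analysis) in unfiltered_types:
                analysis_data[section].append(analysis._raw_line)

        if sample.imphash:
            analysis_data["imphash"].append(sample.imphash)
        if sample.digital_signer:
            analysis_data["digital_signer"].append(sample.digital_signer)

    return analysis_data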
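def do_search(self):
    """Run ``self.search`` against AutoFocus and serialize every hit.

    Returns:
        A dict with the original ``search`` and a ``records`` list holding,
        per sample, its serialized ``metadata`` and the serialized ``tags``
        attached to it.
    """
    # Plain attribute access replaces the original sample.__getattribute__('tags');
    # the two only differ if AFSample defines a __getattr__ fallback -- assumed not.
    records = [
        {
            'metadata': sample.serialize(),
            'tags': [tag.serialize() for tag in sample.tags],
        }
        for sample in AFSample.search(self.search)
    ]
    return {'search': self.search, 'records': records}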
def search_hash(hash):
    """Print sha256, md5 and verdict counts of the first sample whose sha256 is *hash*.

    Always returns None; the result is reported on stdout only.
    """
    print("Searching for {}".format(hash))
    # The query is a structured object handed to the client; the hash is a
    # plain dict value, never spliced into a query string.
    query = {
        "operator": "all",
        "children": [
            {"field": "sample.sha256", "operator": "is", "value": hash},
        ],
    }
    for sample in AFSample.search(query):
        summary = "sha256:{} md5:{} m:{} b:{} g:{}".format(
            sample.sha256, sample.md5, sample.malware, sample.benign, sample.grayware
        )
        print(summary)
        break  # only the first match is reported
    return None
def search_hash(hash):
    """Print sha256, md5 and verdict counts of the first sample whose sha256 is *hash*.

    Always returns None; the result is reported on stdout only.
    """
    print "Searching for {}".format(hash)
    # The query is a structured object handed to the client; the hash is a
    # plain dict value, never spliced into a query string.
    query = {
        "operator": "all",
        "children": [
            {"field": "sample.sha256", "operator": "is", "value": hash},
        ],
    }
    for sample in AFSample.search(query):
        summary = "sha256:{} md5:{} m:{} b:{} g:{}".format(
            sample.sha256, sample.md5, sample.malware, sample.benign, sample.grayware
        )
        print summary
        break  # only the first match is reported
    return None
for k, v in sample.__dict__.items(): print "\t{}={}".format(k, v) except AFSampleAbsent: pass # The sample isn't in AutoFocus ################################################ # Run an autofocus query (Exported via the UI) # ################################################ query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}' # * AFSample.search is a generator, so you have to iterate over the results, which is required since it's common # to search for large datasets # * The client library handles all paging for you, so you just need to pose a question # and parse the results for sample in AFSample.search(query): # sample is an instance of AFSample print sample.sha256 break ################################# # Searching for multiple hashes # ################################# # Get a list of hashes you're interested in looking for # IMPORTANT: The API currently has a 100 hash limit per query. You'll have to chunk hashes # if you want to run more than 100 hashes. hashes = [ "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c", "9906a8a55e5a50d2993408c7f1ba9cf97d8f38ca3fe68750bb62a8d0785b8c4b", "b25a964c954d386ab67df52d20dbf210e803f0ada2ed6feb38fc5dc93e31c873",
"09dd98c93cde02935f885a72a9789973e1e17b8a1d2b8e3bd34d5fc27db46fde") for analysis in sample.get_analyses(['process']): print analysis # Miscellaneous sample = AFSample.get( "09dd98c93cde02935f885a72a9789973e1e17b8a1d2b8e3bd34d5fc27db46fde") for analysis in sample.get_analyses(['misc']): print analysis # Mutex Analysis for sample in AFSample.search({ "field": "sample.tasks.mutex", "operator": "has any value", "value": "" }): for analysis in sample.get_analyses(['mutex']): print analysis.function_name break # Java API Analysis sample = AFSample.get( "2b69dcee474f802bab494983d1329d2dc3f7d7bb4c9f16836efc794284276c8e") for analysis in sample.get_analyses(['japi']): print type(analysis) # HTTP Analysis sample = AFSample.get(
print "\t{}={}".format(k, v) except AFSampleAbsent: pass # The sample isn't in AutoFocus ################################################ # Run an autofocus query (Exported via the UI) # ################################################ query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}' # * AFSample.search is a generator, so you have to iterate over the results, which is required since it's common # to search for large datasets # * The client library handles all paging for you, so you just need to pose a question # and parse the results for sample in AFSample.search(query): # sample is an instance of AFSample print sample.sha256 break ################################# # Searching for multiple hashes # ################################# # Get a list of hashes you're interested in looking for # IMPORTANT: The API currently has a 100 hash limit per query. You'll have to chunk hashes # if you want to run more than 100 hashes. hashes = [ "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c", "9906a8a55e5a50d2993408c7f1ba9cf97d8f38ca3fe68750bb62a8d0785b8c4b", "b25a964c954d386ab67df52d20dbf210e803f0ada2ed6feb38fc5dc93e31c873",
print analysis # process activity sample = AFSample.get("09dd98c93cde02935f885a72a9789973e1e17b8a1d2b8e3bd34d5fc27db46fde") for analysis in sample.get_analyses(['process']): print analysis # Miscellaneous sample = AFSample.get("09dd98c93cde02935f885a72a9789973e1e17b8a1d2b8e3bd34d5fc27db46fde") for analysis in sample.get_analyses(['misc']): print analysis # Mutex Analysis for sample in AFSample.search({ "field" : "sample.tasks.mutex", "operator" : "has any value", "value" : ""}): for analysis in sample.get_analyses(['mutex']): print analysis.function_name break # Java API Analysis sample = AFSample.get("2b69dcee474f802bab494983d1329d2dc3f7d7bb4c9f16836efc794284276c8e") for analysis in sample.get_analyses(['japi']): print type(analysis) # HTTP Analysis sample = AFSample.get("c1dc94d92c0ea361636d2f08b63059848ec1fb971678bfc34bcb4a960a120f7e") for analysis in sample.get_analyses(['http']): print type(analysis)