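def dotransform(request, response):
    """Emit one Hash entity per parent hash listed in request.fields['parents'].

    The field holds a repr()-style Python list; it is parsed with
    ast.literal_eval, which evaluates literals only and never executes code.
    Each element is stringified into a Hash entity linked as ``vt_rep->parents``.

    A missing field, a malformed literal, or a parsed value that is not a
    list/tuple leaves the response unchanged instead of raising (the former
    code propagated ValueError/SyntaxError and would have iterated the
    characters of a bare string).
    """
    # 'in' replaces dict.has_key(), which no longer exists on Python 3.
    if 'parents' not in request.fields:
        return response

    try:
        parents = ast.literal_eval(request.fields['parents'])
    except (ValueError, SyntaxError, TypeError):
        # Not a valid Python literal (or not a string at all).
        # NOTE: a pathologically nested literal can still exhaust memory or the
        # recursion limit inside literal_eval; the field comes from an entity.
        return response

    if not isinstance(parents, (list, tuple)):
        return response

    for parent in parents:
        r = Hash(str(parent))
        r.linklabel = "vt_rep->parents"
        response += r

    return response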
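def dotransform(request, response):
    """Find VirusTotal samples sharing the PE resource whose SHA-256 is request.fields['sha256'].

    Builds a ``peresource:"<sha256>"`` query, runs it through search_vt and
    emits one Hash entity per hit, each linked as ``resource->VT``.

    The field value is interpolated unescaped into a double-quoted query term,
    so it is first checked to be exactly 64 hex digits. A missing or malformed
    value (for instance one containing a ``"`` that would terminate the quoted
    term) produces no query and the response is returned unchanged.
    """
    sha256 = str(request.fields.get('sha256', ''))
    if len(sha256) != 64 or any(c not in '0123456789abcdefABCDEF' for c in sha256):
        return response

    hits = search_vt('peresource:"%s"' % sha256)
    for hsh in hits or []:
        r = Hash(str(hsh))
        r.linklabel = "resource->VT"
        response += r

    return response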
def dotransform(request, response):
    """Run a VirusTotal ``pets:`` search for request.value and emit each hit as a Hash.

    Every hash returned by search_vt becomes a Hash entity linked as
    ``pets->vt``. A falsy search result leaves the response unchanged.

    NOTE(review): request.value is interpolated unescaped into the query
    string; what the ``pets:`` modifier matches and how search_vt quotes the
    term is not visible here.
    """
    query = str("pets:%s" % request.value)

    for found in search_vt(query) or []:
        entity = Hash(str(found))
        entity.linklabel = "pets->vt"
        response += entity

    return response
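def dotransform(request, response):
    """Find VirusTotal samples containing a PE section whose MD5 is request.fields['md5'].

    Builds a ``sectionmd5:"<md5>"`` query, runs it through search_vt and emits
    one Hash entity per hit, each linked as ``section->VT``.

    The field value is interpolated unescaped into a double-quoted query term,
    so it is first checked to be exactly 32 hex digits. A missing or malformed
    value (e.g. one containing a ``"`` that would end the quoted term) produces
    no query and the response is returned unchanged.
    """
    md5 = str(request.fields.get('md5', ''))
    if len(md5) != 32 or any(c not in '0123456789abcdefABCDEF' for c in md5):
        return response

    hits = search_vt('sectionmd5:"%s"' % md5)
    for hsh in hits or []:
        r = Hash(str(hsh))
        r.linklabel = "section->VT"
        response += r

    return response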
def dotransform(request, response):
    """Run a VirusTotal ``itw:`` search for request.value and emit each hit as a Hash.

    Every hash returned by search_vt becomes a Hash entity linked as
    ``itw->VT``. A falsy search result leaves the response unchanged.

    NOTE(review): the value is interpolated unescaped into the double-quoted
    term; a value containing ``"`` would end the term early.
    """
    query = 'itw:"%s"' % str(request.value)

    for found in search_vt(query) or []:
        entity = Hash(str(found))
        entity.linklabel = "itw->VT"
        response += entity

    return response
def dotransform(request, response):
    """Run a VirusTotal ``ssdeep:`` search for request.value and emit each hit as a Hash.

    The value is passed through urllib.quote_plus before being placed in the
    quoted ``ssdeep:"..."`` term; the assembled query is echoed to debug().
    Each hash returned by search_vt becomes a Hash entity linked as
    ``ssdeep->VT``. A falsy search result leaves the response unchanged.

    NOTE(review): quote_plus percent-encodes ':' and '/' (both present in an
    ssdeep hash); whether search_vt URL-encodes the query a second time is not
    visible here — confirm there is no double encoding.
    """
    query = 'ssdeep:"%s"' % str(urllib.quote_plus(request.value))
    debug(query)

    for found in search_vt(query) or []:
        entity = Hash(str(found))
        entity.linklabel = "ssdeep->VT"
        response += entity

    return response
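def dotransform(request, response):
    """Look up request.value in Shadowserver's hash registry and attach the AV names.

    Fetches ``https://innocuous.shadowserver.org/api/?query=<hash>`` and stores
    the text between the first ``{`` and the first ``}`` of the reply (double
    quotes stripped, trailing comma appended) in an ``AV Name`` field on a Hash
    entity for the looked-up value. Network errors (IOError, which covers
    URLError and socket timeouts) are printed and leave the response untouched;
    progress is reported at 50 and 100 either way.
    """
    progress(50)
    sample_hash = request.value  # was 'hash', which shadowed the builtin

    try:
        entity = Hash(sample_hash)

        # The entity value is appended straight into the query string, so it
        # is percent-encoded first: an unencoded '&', '#' or space would
        # alter the request. (urllib2 re-exports urllib.quote on Python 2.)
        url = ('https://innocuous.shadowserver.org/api/?query='
               + urllib2.quote(sample_hash, safe=''))
        # A timeout keeps the transform from hanging on a stalled connection.
        resp = urllib2.urlopen(url, timeout=30).read()

        start_results = resp.find("{")
        end_results = resp.find("}")
        # find() returns -1 when a brace is missing; the old unconditional
        # slice then produced garbage. Only attach the field when the
        # delimited block is really there.
        if start_results != -1 and end_results > start_results:
            av_results = resp[start_results + 1:end_results].replace('"', '')
            entity += Field('AV Name', av_results + ',', displayname='AV Name')

        response += entity
    except IOError:
        print('IO Error')

    progress(100)

    # Return response for visualization
    return response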
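def dotransform(request, response):
    """Emit one Hash entity per dropped file in the report built for request.value.

    The report is fetched with ``build(request.value, 'hash')``. The paragraphs
    following the 'Dropped File' marker are walked; within the odd-numbered
    paragraphs, every second anchor is taken as a hash and the text three
    nodes before it as the file name (attached as a ``Filename`` field).
    The odd/even skipping presumably mirrors a label/value layout in the
    report HTML — confirm against the page before relying on it.

    Raises MaltegoException('No Dropped Files') when the marker is absent.
    The module-level ``count``/``count2`` globals are still written, as before.
    """
    page = build(request.value, 'hash')

    global count
    global count2
    count = 1

    # page.find() returns None when the marker is absent and the chained
    # .previous/.parent navigation then raises AttributeError. The former bare
    # except also reported any unrelated failure as "No Dropped Files".
    try:
        paragraphs = page.find(
            text='Dropped File').previous.previous.parent.findAll('p')
    except AttributeError:
        raise MaltegoException('No Dropped Files')

    for paragraph in paragraphs:
        count2 = 1
        # Only odd-numbered paragraphs are inspected.
        if count % 2 == 1:
            for anchor in paragraph.findAll('a'):
                # Only even-numbered anchors carry the hash.
                if count2 % 2 == 0:
                    entity = Hash(anchor.text)
                    entity += Field('Filename',
                                    anchor.previous.previous.previous.text)
                    response += entity
                count2 += 1
        count += 1

    return response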
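def dotransform(request, response):
    """Emit one Hash per entry of request.fields['detected_downloaded_samples'].

    The field holds a repr()-style list of dicts, each expected to carry a
    ``sha256`` and a ``date``; it is parsed with ast.literal_eval (literals
    only, no code execution). Every sample becomes a Hash entity whose link
    label is its date.

    A missing field, a malformed literal, or a value that is not a list/tuple
    leaves the response unchanged; entries that are not dicts or lack
    ``sha256`` are skipped rather than raising KeyError/TypeError.
    """
    try:
        items = ast.literal_eval(request.fields['detected_downloaded_samples'])
    except (KeyError, ValueError, SyntaxError, TypeError):
        # Narrowed from a bare except: these are the failures the two calls
        # above can raise for a missing or unparsable field.
        return response

    if not isinstance(items, (list, tuple)):
        return response

    for item in items:
        if not isinstance(item, dict) or 'sha256' not in item:
            continue

        r = Hash(item['sha256'])
        if 'date' in item:
            r.linklabel = item['date']
        response += r

    return response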
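def dotransform(request, response):
    """Search VirusTotal for samples flagged by the engine named in request.value.

    Builds an ``engines:"<value>"`` query, runs it through search_vt and emits
    one Hash entity per hit, linked as ``engines->VT``. The value is
    interpolated unescaped into the quoted term.

    The bare ``except:`` around the query build is narrowed to what that
    statement can actually raise: a missing ``value`` attribute
    (AttributeError) and, on Python 2, ``str()`` of a non-ASCII unicode value
    (UnicodeError). Either case logs via debug() and returns the response
    unchanged, as before.
    """
    try:
        search_param = 'engines:"%s"' % str(request.value)
    except (AttributeError, UnicodeError):
        debug("ripVT: Error - value not present in property.")
        return response

    for hsh in search_vt(search_param) or []:
        r = Hash(str(hsh))
        r.linklabel = "engines->VT"
        response += r

    return response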
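def dotransform(request, response):
    """Search VirusTotal for samples signed by the certificate issuer in request.fields['issuer'].

    Builds a ``sigcheck:"<issuer>"`` query, runs it through search_vt and emits
    one Hash entity per hit, linked as ``cert_issuer->VT``. The issuer string
    is interpolated unescaped into the quoted term; an embedded ``"`` would
    end it early.

    The bare ``except:`` around the query build is narrowed to what it can
    raise: a missing ``issuer`` field (KeyError), a missing ``fields``
    attribute (AttributeError) and, on Python 2, ``str()`` of a non-ASCII
    unicode issuer name (UnicodeError). Each case logs via debug() and returns
    the response unchanged, as before.
    """
    try:
        search_param = 'sigcheck:"%s"' % str(request.fields['issuer'])
    except (KeyError, AttributeError, UnicodeError):
        debug("ripVT: Error - value not present in property.")
        return response

    for hsh in search_vt(search_param) or []:
        r = Hash(str(hsh))
        r.linklabel = "cert_issuer->VT"
        response += r

    return response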
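def dotransform(request, response):
    """Emit one Hash entity per hash returned by bsearch(request.value).

    A reply with ``response_code == 1`` carries its matches in ``hashes``.
    When the reply lacks the expected keys (or is not a mapping at all), the
    service's ``verbose_msg`` — if present — is surfaced as a UIMessage.

    NOTE(review): a reply whose ``response_code`` is something other than 1
    currently adds nothing, not even verbose_msg; confirm that is intended.
    """
    data = bsearch(request.value)
    try:
        if data['response_code'] == 1:
            for result in data['hashes']:
                response += Hash(result)
    except (KeyError, TypeError):
        # Narrowed from a bare except. The fallback is guarded too: the old
        # handler re-indexed data['verbose_msg'] and could raise a second time.
        verbose = data.get('verbose_msg') if isinstance(data, dict) else None
        if verbose is not None:
            response += UIMessage(verbose)

    return response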
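def dotransform(request, response):
    """Query the Team Cymru Malware Hash Registry (hash.cymru.com) for request.value.

    The whois reply is consumed as three whitespace-separated fields:
    ``<hash> <unix-timestamp> <percent-detected|NO_DATA>``. For NO_DATA a Hash
    entity with a ``TeamCymru: Not Detected`` field is emitted; otherwise the
    Hash carries the detection percentage and, when the timestamp parses, the
    corresponding UTC date.

    A reply with fewer than three fields (empty or an error string) yields no
    entity instead of the IndexError the unguarded indexing used to raise.
    """
    sample_hash = request.value  # was 'hash', which shadowed the builtin
    host = 'hash.cymru.com'

    attribs = whois(sample_hash, host).split()
    if len(attribs) < 3:
        return response

    hsh, raw_time, percent = attribs[0], attribs[1], attribs[2]
    e = Hash(hsh)

    if percent == "NO_DATA":
        e += Field("TeamCymru", "Not Detected", displayname='TeamCymru')
    else:
        # The timestamp is only needed on the detected path; an unparsable
        # value drops the date field rather than aborting the transform.
        try:
            seen = datetime.utcfromtimestamp(float(raw_time))
        except ValueError:
            seen = None
        if seen is not None:
            e += Field("Cymru Date", seen, displayname='Cymru Date')
        e += Field("Percent Detected", percent, displayname='Percent Detected')

    response += e

    return response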
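def dotransform(request, response):
    """Emit one Hash per entry of request.fields['detected_referrer_samples'].

    The field holds a repr()-style list of dicts, each expected to carry a
    ``sha256``; it is parsed with ast.literal_eval (literals only, no code
    execution) and every sample becomes a Hash entity.

    A missing field, a malformed literal, or a value that is not a list/tuple
    leaves the response unchanged; entries that are not dicts or lack
    ``sha256`` are skipped rather than raising KeyError/TypeError.
    """
    try:
        items = ast.literal_eval(request.fields['detected_referrer_samples'])
    except (KeyError, ValueError, SyntaxError, TypeError):
        # Narrowed from a bare except: these are the failures the two calls
        # above can raise for a missing or unparsable field.
        return response

    if not isinstance(items, (list, tuple)):
        return response

    for item in items:
        if not isinstance(item, dict) or 'sha256' not in item:
            continue
        response += Hash(item['sha256'])

    return response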
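def dotransform(request, response):
    """Emit a Hash entity per MD5 row in the report's ``dropped_files`` section.

    The report is fetched with build(request.value). Each ``<tr>`` whose next
    ``<td>`` reads ``MD5:`` contributes one Hash built from the row text with
    the 4-character ``MD5:`` label stripped. A report without the section, or
    a row without a ``<td>``, returns the response as built so far.
    """
    page = build(request.value)

    # page.find()/findNext() return None when the section or cell is absent
    # and the attribute access that follows raises AttributeError. Nothing
    # else is expected here, so the former bare except is narrowed to that.
    try:
        rows = page.find("div", {"id": "dropped_files"}).findAll('tr')
        for row in rows:
            if row.findNext('td').text == "MD5:":
                response += Hash(row.text[4:])
    except AttributeError:
        return response

    return response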
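def dotransform(request, response):
    """Emit a Hash entity (with a Filename field) for every ``MD5:`` label in the report.

    The report is fetched with ``build(request.value, 'name')``. Each text node
    equal to ``MD5:`` is taken as a label: the hash is read two nodes ahead
    (``.next.next``) and the file name three nodes back. A label equal to
    ``'none'`` is skipped.

    Raises MaltegoException when the page cannot be searched.
    NOTE(review): the raised message says 'No DNS Queries' although this
    transform parses MD5 hashes — looks copy-pasted; confirm before changing.
    """
    page = build(request.value, 'name')

    # page.findAll() raises AttributeError when page is None; the former bare
    # except would also have reported any unrelated failure as "no results".
    try:
        labels = page.findAll(text='MD5:')
    except AttributeError:
        raise MaltegoException('No DNS Queries')

    for label in labels:
        if label != 'none':
            md5 = Hash(label.next.next)
            md5 += Field('Filename', label.previous.previous.previous)
            response += md5

    return response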
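def dotransform(request, response):
    """Emit a Hash entity per Malc0de result row for request.value.

    The page is fetched with build(request.value). A ``<span id="error">``
    means no matches and yields an unchanged response. Otherwise every
    ``<tr class="class1">`` row is read cell by cell; the cells consumed are
    date (index 0), URL (1), AS (4) and hash (6), attached to the Hash as
    fields. Rows with fewer than seven cells are skipped instead of raising
    IndexError.
    """
    page = build(request.value)

    if page.find('span', {'id': 'error'}):
        # No Matches in Malc0de
        return response

    for row in page.findAll('tr', {'class': 'class1'}):
        cells = [cell.text for cell in row.findAll('td')]
        if len(cells) < 7:
            continue

        e = Hash(cells[6])
        e += Field('URL', cells[1], displayname='URL')
        e += Field('AS', cells[4], displayname='AS')
        e += Field('Date', cells[0], displayname='Date')
        response += e

    return response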
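def dotransform(request, response):
    """Emit a Hash entity per MD5 listed in the report's created-files table.

    The report is fetched with build(request.value). The table following the
    text 'The following files were created in the system:' is located, each
    ``td.cell_1`` cell is scanned line by line, and the 32-hex-digit value
    after ``MD5:`` is extracted. A report without that section, or without a
    table after it, yields an unchanged response.
    """
    page = build(request.value)

    # page.find() returns None when the marker is absent and the chained
    # findNext() then raises AttributeError; nothing else is expected here.
    try:
        dfiles = page.find(text='The following files were created in the system:').findNext('table')
    except AttributeError:
        return response

    if dfiles is None:
        return response

    # Match the digest itself instead of slicing entry[7:39], which assumed a
    # fixed amount of whitespace between the label and the hash.
    md5_pattern = re.compile(r'MD5:\s*([0-9a-fA-F]{32})')
    for cell in dfiles.findAll("td", {"class": "cell_1"}):
        for entry in cell.text.splitlines():
            match = md5_pattern.search(entry)
            if match:
                response += Hash(match.group(1))

    return response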
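def dotransform(request, response):
    """Emit VirusTotal samples similar to request.value, excluding the sample itself.

    Runs a ``similar-to:"<value>"`` query through search_vt and emits one Hash
    entity per hit, linked as ``similar->VT``. When the input entity carries a
    ``sha256`` field, a hit equal to it (exact, case-sensitive comparison, as
    before) is skipped so the entity is not linked to itself.

    ``dict.has_key`` was Python 2-only; the lookup now uses ``get``. The two
    duplicated emit branches are folded into one loop. The value is
    interpolated unescaped into the quoted term, as in the sibling transforms.
    """
    hits = search_vt('similar-to:"%s"' % str(request.value))
    own_sha256 = request.fields.get('sha256')

    for hsh in hits or []:
        if own_sha256 is not None and hsh == own_sha256:
            continue
        r = Hash(str(hsh))
        r.linklabel = "similar->VT"
        response += r

    return response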