def peChecks(info, infos):
"""
Check for duplicate imphashes
:param info:
:param infos:
:return:
"""
# Some static values
SIGNER_WHITELIST = ["Microsoft Windows", "Microsoft Corporation"]
# Imphash check
imphash_count = 0
for i in infos:
if 'imphash' in i and 'imphash' in info:
if i['imphash'] != "-" and i['imphash'] == info['imphash']:
imphash_count += 1
if imphash_count > 1:
printHighlighted("[!] Imphash - appeared %d times in this batch %s" %
(imphash_count, info['imphash']))
# Signed Appeared multiple times
try:
signer_count = 0
for s in infos:
if 'signer' in s and 'signer' in info:
if s['signer'] != "-" and s['signer'] and s['signer'] == info['signer'] and \
not any(s in info['signer'] for s in SIGNER_WHITELIST):
signer_count += 1
if signer_count > 1:
printHighlighted("[!] Signer - appeared %d times in this batch %s" %
(signer_count, info['signer'].encode('raw-unicode-escape')))
except KeyError as e:
if args.debug:
traceback.print_exc()
def processLines(lines, resultFile, nocsv=False, debug=False):
"""
Process the input file line by line
"""
# Infos of the current batch
infos = []
printHighlighted("[+] Processing %d lines ..." % len(lines))
# Sorted
if args.sort:
lines = sorted(lines)
for i, line in enumerate(lines):
# Measure time (used for VT request throttling)
start_time = time.time()
# Process the line
info, cooldown_time = processLine(line, debug)
# Empty result
if not info or (info['md5'] == "-" and info['sha1'] == "-"
and info['sha256'] == "-"):
continue
# Print result
printResult(info, i, len(lines))
# Comment on Sample
if args.comment and info['sha256'] != "-":
munin_vt.commentVTSample(info['sha256'],
"%s %s" % (args.p, info['comment']))
# Download Samples
if args.download and 'sha256' in info:
downloadHybridAnalysisSample(info['sha256'])
downloadMalwareBazarSample(info['sha256'])
elif args.debug and args.download:
print("[D] Didn't start download: No sha256 hash found!")
# Print to CSV
if not nocsv:
writeCSV(info, resultFile)
# Add to infos list
infos.append(info)
# Comparison Checks
peChecks(info, infos)
# Platform Checks
platformChecks(info)
# Wait the remaining cooldown time
time.sleep(cooldown_time)
return infos
def platformChecks(info):
"""
Performs certain comparison checks on the given info object compared to past
evaluations from the current batch and cache
:param info:
:return:
"""
try:
# MISP results
if 'misp_available' in info:
if info['misp_available']:
for e in info['misp_info']:
printHighlighted("[!] MISP event found EVENT_ID: {0} EVENT_INFO: {1} URL: {2}".format(
e['event_id'], e['event_info'], e['url'])
)
except KeyError as e:
if args.debug:
traceback.print_exc()
try:
# Malware Share availability
if 'malshare_available' in info:
if info['malshare_available']:
printHighlighted("[!] Sample is available on malshare.com")
except KeyError as e:
if args.debug:
traceback.print_exc()
try:
# Hybrid Analysis availability
if 'hybrid_available' in info:
if info['hybrid_available']:
printHighlighted("[!] Sample is on hybrid-analysis.com SCORE: {0} URL: {1}/{2}".format(
info["hybrid_score"], URL_HA, info['sha256']))
except KeyError as e:
if args.debug:
traceback.print_exc()
try:
# URLhaus availability
if 'urlhaus_available' in info:
if info['urlhaus_available']:
printHighlighted("[!] Sample on URLHaus URL: %s" % info['urlhaus_download'])
printHighlighted("[!] URLHaus info TYPE: %s FIRST_SEEN: %s LAST_SEEN: %s URL_COUNT: %s" % (
info['urlhaus_type'],
info['urlhaus_first'],
info['urlhaus_last'],
info['urlhaus_url_count']
))
c = 0
for url in info['urlhaus_urls']:
printHighlighted("[!] URLHaus STATUS: %s URL: %s" % (url['url_status'], url['url']))
c += 1
if c > URL_HAUS_MAX_URLS:
break
except KeyError as e:
if args.debug:
traceback.print_exc()
try:
# AnyRun availability
if 'anyrun_available' in info:
if info['anyrun_available']:
printHighlighted("[!] Sample on ANY.RUN URL: %s" % (URL_ANYRUN % info['sha256']))
except KeyError as e:
if args.debug:
traceback.print_exc()
try:
# CAPE availability
if 'cape_available' in info:
if info['cape_available']:
c = 0
for r in info['cape_reports']:
printHighlighted("[!] Sample on CAPE sandbox URL: https://cape.contextis.com/analysis/%s/" % r)
c += 1
if c > CAPE_MAX_REPORTS:
break
except KeyError as e:
if args.debug:
traceback.print_exc()
# # Totalhash availability
# if info['totalhash_available']:
# printHighlighted("[!] Sample is available on https://totalhash.cymru.com")
try:
# VirusBay availability
if info['virusbay_available']:
printHighlighted("[!] Sample is on VirusBay "
"URL: %s TAGS: %s" % (info['vb_link'], ", ".join(info['vb_tags'])))
except KeyError as e:
if args.debug:
traceback.print_exc()
try:
# Valhalla availability
if info['valhalla_match']:
for m in info['valhalla_matches']:
# Public Rule or Nextron Commercial Feed
feed = "commercial feed only"
if 'DEMO' in m['tags']:
feed = "public rule LINK: https://github.com/Neo23x0/signature-base/search?q=%s" % m['rulename']
printHighlighted("[!] VALHALLA YARA rule match "
"RULE: %s TYPE: %s AV: %s / %s TS: %s" %
(m['rulename'], feed, m['positives'], m['total'], m['timestamp']))
except KeyError as e:
if args.debug:
traceback.print_exc()
print("[+] Results will be written to: %s" % resultFile)
print("Exit with CTRL+C")
while True:
printKeyLine("PASTE CONTENT & PROCESS WITH CTRL+D:")
contents = []
while True:
try:
line = input()
except EOFError:
break
contents.append(line)
# Process the input
printKeyLine("END OF CONTENT")
infos = processLines(contents, resultFile, nocsv=args.nocsv, debug=args.debug)
if len(infos) == 0:
printHighlighted("[!] Content needs at least 1 hash value in it")
# Web Service -------------------------------------------------------------
if args.web:
if 'flask' in deactivated_features:
print("[E] Flask module has not been loaded. Try to install it with 'pip3 install flask' before using "
"this feature")
sys.exit(1)
print("")
print("Web Service Mode")
print("")
alreadyExists, resultFile = generateResultFilename(args.f)
print("Send your requests to http://server:%d/value" % int(args.w))
printKeyLine("STARTING FLASK")
app.run(port=int(args.w))