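def peChecks(info, infos):
    """
    Flag PE attributes of *info* that recur across the current batch.

    Two signals are compared against every entry already collected in
    *infos*.  The caller appends *info* to *infos* before calling, so a
    count of 1 is the sample matching itself; only counts above 1 are
    reported.

    * imphash - the same import hash on several samples of a batch
    * signer  - the same code-signing subject on several samples, unless
      the subject contains one of the well-known Microsoft signer names

    :param info: result dict of the sample just processed; 'imphash' and
                 'signer' are optional and "-" means "unknown"
    :param infos: list of result dicts for the whole batch so far
    :return: None - findings are reported via printHighlighted()
    """
    # Signer names whose recurrence is expected and not worth an alert.
    # NOTE(review): the match is a substring match, so any signer string
    # that merely contains one of these names is suppressed as well.
    SIGNER_WHITELIST = ["Microsoft Windows", "Microsoft Corporation"]

    # Imphash check: how many batch entries carry the same known imphash
    imphash_count = 0
    if 'imphash' in info:
        for entry in infos:
            if 'imphash' in entry and entry['imphash'] != "-" \
                    and entry['imphash'] == info['imphash']:
                imphash_count += 1
    if imphash_count > 1:
        printHighlighted("[!] Imphash - appeared %d times in this batch %s"
                         % (imphash_count, info['imphash']))

    # Signer check: same non-empty, non-"-" signer seen more than once
    try:
        signer_count = 0
        if 'signer' in info and info['signer'] and info['signer'] != "-":
            # Allow-list test depends only on info, so evaluate it once
            whitelisted = any(name in info['signer'] for name in SIGNER_WHITELIST)
            if not whitelisted:
                for entry in infos:
                    if 'signer' in entry and entry['signer'] != "-" \
                            and entry['signer'] and entry['signer'] == info['signer']:
                        signer_count += 1
        if signer_count > 1:
            # NOTE(review): on Python 3 the encode() yields a bytes object, so
            # the printed signer appears as b'...'; kept for output compatibility
            printHighlighted("[!] Signer - appeared %d times in this batch %s"
                             % (signer_count, info['signer'].encode('raw-unicode-escape')))
    except KeyError:
        if args.debug:
            traceback.print_exc()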
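def processLines(lines, resultFile, nocsv=False, debug=False):
    """
    Process the input lines of one batch and return the collected results.

    Every line is handed to processLine(); samples without a single usable
    hash are skipped.  For each remaining sample the result is printed, the
    optional actions selected via the global CLI ``args`` are run (VT
    comment, sample download, CSV output), the batch-level PE checks and
    the platform checks are performed, and the cooldown returned by
    processLine() is honoured before the next line (VT request throttling).

    :param lines: list of raw input lines (hashes, file names, ...)
    :param resultFile: path of the CSV file that writeCSV() writes to
    :param nocsv: skip CSV output when True
    :param debug: passed through to processLine() for verbose output
    :return: list of info dicts for every sample that yielded a hash
    """
    # Results of the current batch; peChecks() compares against this list
    infos = []
    printHighlighted("[+] Processing %d lines ..." % len(lines))
    if args.sort:
        lines = sorted(lines)
    total = len(lines)

    for i, line in enumerate(lines):
        # Throttling relies solely on the cooldown returned by processLine()
        info, cooldown_time = processLine(line, debug)

        # Skip results that carry no hash at all
        if not info or (info['md5'] == "-" and info['sha1'] == "-" and info['sha256'] == "-"):
            continue

        printResult(info, i, total)
        sha256 = info.get('sha256', "-")

        # Comment on the VT sample
        if args.comment and sha256 != "-":
            munin_vt.commentVTSample(sha256, "%s %s" % (args.p, info['comment']))

        # Download samples - only with a real sha256, "-" is the "unknown" marker
        if args.download and sha256 != "-":
            downloadHybridAnalysisSample(sha256)
            downloadMalwareBazarSample(sha256)
        elif args.debug and args.download:
            print("[D] Didn't start download: No sha256 hash found!")

        if not nocsv:
            writeCSV(info, resultFile)

        # Append before the comparison checks: peChecks() expects the current
        # sample to be part of the batch list (a count of 1 is the sample itself)
        infos.append(info)
        peChecks(info, infos)
        platformChecks(info)

        # Wait the remaining cooldown time
        time.sleep(cooldown_time)

    return infos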
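def platformChecks(info):
    """
    Report third-party platform findings attached to the given info object.

    Each platform (MISP, malshare, Hybrid Analysis, URLhaus, ANY.RUN, CAPE,
    VirusBay, Valhalla) is evaluated in its own try/except so that an
    incomplete result from one service cannot suppress the output of the
    others.  A missing availability flag is treated as "not available"
    instead of raising a KeyError.

    :param info: result dict for one sample as assembled by processLine()
    :return: None - findings are reported via printHighlighted()
    """
    # NOTE(review): every value printed below (event titles, URLs, rule
    # names, tags) originates from an external service and is echoed to the
    # terminal unmodified; strip control characters if this output is ever
    # shown by a component that interprets them.

    # MISP events
    try:
        if info.get('misp_available'):
            for e in info['misp_info']:
                printHighlighted("[!] MISP event found EVENT_ID: {0} EVENT_INFO: {1} URL: {2}".format(
                    e['event_id'], e['event_info'], e['url'])
                )
    except KeyError:
        if args.debug:
            traceback.print_exc()

    # Malware Share availability (flag only, no further keys needed)
    if info.get('malshare_available'):
        printHighlighted("[!] Sample is available on malshare.com")

    # Hybrid Analysis availability
    try:
        if info.get('hybrid_available'):
            printHighlighted("[!] Sample is on hybrid-analysis.com SCORE: {0} URL: {1}/{2}".format(
                info["hybrid_score"], URL_HA, info['sha256']))
    except KeyError:
        if args.debug:
            traceback.print_exc()

    # URLhaus availability
    try:
        if info.get('urlhaus_available'):
            printHighlighted("[!] Sample on URLHaus URL: %s" % info['urlhaus_download'])
            printHighlighted("[!] URLHaus info TYPE: %s FIRST_SEEN: %s LAST_SEEN: %s URL_COUNT: %s" % (
                info['urlhaus_type'], info['urlhaus_first'], info['urlhaus_last'], info['urlhaus_url_count']
            ))
            # Show at most URL_HAUS_MAX_URLS entries (the post-increment check
            # previously let one extra URL through)
            for shown, url in enumerate(info['urlhaus_urls']):
                if shown >= URL_HAUS_MAX_URLS:
                    break
                printHighlighted("[!] URLHaus STATUS: %s URL: %s" % (url['url_status'], url['url']))
    except KeyError:
        if args.debug:
            traceback.print_exc()

    # AnyRun availability
    try:
        if info.get('anyrun_available'):
            printHighlighted("[!] Sample on ANY.RUN URL: %s" % (URL_ANYRUN % info['sha256']))
    except KeyError:
        if args.debug:
            traceback.print_exc()

    # CAPE availability - at most CAPE_MAX_REPORTS report links
    try:
        if info.get('cape_available'):
            for shown, r in enumerate(info['cape_reports']):
                if shown >= CAPE_MAX_REPORTS:
                    break
                printHighlighted("[!] Sample on CAPE sandbox URL: https://cape.contextis.com/analysis/%s/" % r)
    except KeyError:
        if args.debug:
            traceback.print_exc()

    # VirusBay availability
    try:
        if info.get('virusbay_available'):
            printHighlighted("[!] Sample is on VirusBay "
                             "URL: %s TAGS: %s" % (info['vb_link'], ", ".join(info['vb_tags'])))
    except KeyError:
        if args.debug:
            traceback.print_exc()

    # Valhalla YARA rule matches
    try:
        if info.get('valhalla_match'):
            for m in info['valhalla_matches']:
                # Public rule (tagged DEMO) or Nextron commercial feed only
                feed = "commercial feed only"
                if 'DEMO' in m['tags']:
                    # NOTE(review): the rule name is inserted into the query
                    # string without URL-encoding; names with reserved
                    # characters would produce a broken link
                    feed = "public rule LINK: https://github.com/Neo23x0/signature-base/search?q=%s" % m['rulename']
                printHighlighted("[!] VALHALLA YARA rule match "
                                 "RULE: %s TYPE: %s AV: %s / %s TS: %s" % (
                                     m['rulename'], feed, m['positives'], m['total'], m['timestamp']))
    except KeyError:
        if args.debug:
            traceback.print_exc()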
print("[+] Results will be written to: %s" % resultFile) print("Exit with CTRL+C") while True: printKeyLine("PASTE CONTENT & PROCESS WITH CTRL+D:") contents = [] while True: try: line = input() except EOFError: break contents.append(line) # Process the input printKeyLine("END OF CONTENT") infos = processLines(contents, resultFile, nocsv=args.nocsv, debug=args.debug) if len(infos) == 0: printHighlighted("[!] Content needs at least 1 hash value in it") # Web Service ------------------------------------------------------------- if args.web: if 'flask' in deactivated_features: print("[E] Flask module has not been loaded. Try to install it with 'pip3 install flask' before using " "this feature") sys.exit(1) print("") print("Web Service Mode") print("") alreadyExists, resultFile = generateResultFilename(args.f) print("Send your requests to http://server:%d/value" % int(args.w)) printKeyLine("STARTING FLASK") app.run(port=int(args.w))