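def test_extract_scripts(self):
    """Round-trip two command lines through ExtractScripts and Extracted.

    Sets up a fresh Cuckoo working directory, feeds two process events to
    the ExtractScripts behavior handler (a ``cmd.exe /c`` inline command
    and a ``powershell.exe -e`` base64-encoded command) and then checks
    that the Extracted processing module reports one ``script`` entry per
    event, with the decoded script bodies written under the analysis'
    ``extracted/`` directory as ``0.bat`` and ``1.ps1``.
    """
    set_cwd(self.mkdtemp())
    cuckoo_create()
    init_yara()
    mkdir(cwd(analysis=1))

    ba = BehaviorAnalysis()
    ba.set_path(cwd(analysis=1))
    ba.set_task({
        "id": 1,
    })

    es = ExtractScripts(ba)
    es.handle_event({
        "command_line": "cmd.exe /c ping 1.2.3.4",
        "first_seen": 1,
        "pid": 1234,
    })
    # PowerShell's -e takes the UTF-16LE command as base64; this payload
    # decodes to the 'echo "Recursive"' asserted on below.
    es.handle_event({
        "command_line": (
            "powershell.exe -e "
            "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA="
        ),
        "first_seen": 2,
        "pid": 1235,
    })
    # run() persists the scripts to disk and reports nothing itself.
    assert es.run() is None

    e = Extracted()
    e.set_task(Dictionary({
        "id": 1,
    }))
    out = e.run()
    # Expected paths are resolved through cwd() so they follow the
    # temporary working directory chosen above.
    assert out == [{
        "category": "script",
        "first_seen": 1,
        "pid": 1234,
        "program": "cmd",
        "raw": cwd("extracted", "0.bat", analysis=1),
        "yara": [],
        "info": {},
    }, {
        "category": "script",
        "first_seen": 2,
        "pid": 1235,
        "program": "powershell",
        "raw": cwd("extracted", "1.ps1", analysis=1),
        "yara": [],
        "info": {},
    }]

    # Close the handles explicitly (the original left them to the GC) and
    # compare against bytes literals, which are str on Python 2 and bytes
    # on Python 3, matching the binary-mode read either way.
    with open(out[0]["raw"], "rb") as fp:
        assert fp.read() == b"ping 1.2.3.4"
    with open(out[1]["raw"], "rb") as fp:
        assert fp.read() == b'echo "Recursive"'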
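def test_extract_scripts(self):
    """Round-trip two command lines through ExtractScripts and Extracted.

    Sets up a fresh Cuckoo working directory, feeds two process events to
    the ExtractScripts behavior handler (a ``cmd.exe /c`` inline command
    and a ``powershell.exe -e`` base64-encoded command) and then checks
    that the Extracted processing module reports one ``script`` entry per
    event, with the decoded script bodies written under the analysis'
    ``extracted/`` directory as ``0.bat`` and ``1.ps1``.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_yara()
    mkdir(cwd(analysis=1))

    ba = BehaviorAnalysis()
    ba.set_path(cwd(analysis=1))
    ba.set_task({
        "id": 1,
    })

    es = ExtractScripts(ba)
    es.handle_event({
        "command_line": "cmd.exe /c ping 1.2.3.4",
        "first_seen": 1,
        "pid": 1234,
    })
    # PowerShell's -e takes the UTF-16LE command as base64; this payload
    # decodes to the 'echo "Recursive"' asserted on below.
    es.handle_event({
        "command_line": (
            "powershell.exe -e "
            "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA="
        ),
        "first_seen": 2,
        "pid": 1235,
    })
    # run() persists the scripts to disk and reports nothing itself.
    assert es.run() is None

    e = Extracted()
    e.set_task(Dictionary({
        "id": 1,
    }))
    out = e.run()
    # Expected paths are resolved through cwd() so they follow the
    # temporary working directory chosen above.
    assert out == [{
        "category": "script",
        "first_seen": 1,
        "pid": 1234,
        "program": "cmd",
        "raw": cwd("extracted", "0.bat", analysis=1),
        "yara": [],
        "info": {},
    }, {
        "category": "script",
        "first_seen": 2,
        "pid": 1235,
        "program": "powershell",
        "raw": cwd("extracted", "1.ps1", analysis=1),
        "yara": [],
        "info": {},
    }]

    # Close the handles explicitly (the original left them to the GC) and
    # compare against bytes literals, which are str on Python 2 and bytes
    # on Python 3, matching the binary-mode read either way.
    with open(out[0]["raw"], "rb") as fp:
        assert fp.read() == b"ping 1.2.3.4"
    with open(out[1]["raw"], "rb") as fp:
        assert fp.read() == b'echo "Recursive"'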