def main(): args = docopt(__doc__, version='0.1') debug = args["--debug"] verbose = args["--verbose"] if not os.path.exists("log"): os.makedirs("log") configure_logging("log/lama_api.log", debug=debug, verbose=verbose) cmd_line = "COMMAND : "+" ".join(sys.argv) logging.info(cmd_line) try: Lamadb.create_db() LamaFtp.create_ftp() run_api(debug=debug) except KeyboardInterrupt: Analyzer.stop_analyzer()
def parse_result(self): """ Main function to parse results Add indicator in malware. """ # download full archive tar_url = "{}/tasks/report/{}/all".format(self._cuckoo_url, self._task_id) folder_path = File.download_to_tmp(tar_url, "all.tar.gz") # send archive to FTP server tar_path = LamaFtp.upload_from_module(folder_path + "/all.tar.gz", self._malware.analysis_uid, self._malware.uid, self._module_cls_name, remote_path=str(self._task_id) + "/all") # add indicator indicator = Indicator.factory(module_cls_name=self._module_cls_name, name="all", content_type=Type.FILE, content=tar_path, score=0, option=self._task_id) self._ms.add_indicator(indicator) # untar and analyze report.json tar = tarfile.open(folder_path + "/all.tar.gz") extract_path = folder_path + "/extract" os.mkdir(extract_path) tar.extractall(extract_path) json_report_file = open(extract_path + "/reports/report.json", "r") self._json_input = json_report_file.read() self._json_cuckoo = self.json_decoder.decode(self._json_input) # TODO move on submodule JSON ? if "info" in self._json_cuckoo: self.parse_info() if "target" in self._json_cuckoo: self.parse_target() if "strings" in self._json_cuckoo: self.parse_strings() if "signatures" in self._json_cuckoo: self.parse_signatures() if "buffer" in self._json_cuckoo: self.parse_buffer() if "network" in self._json_cuckoo: self.parse_network() if "behavior" in self._json_cuckoo: self.parse_process() # upload screenshots/pcap to FTP server self._get_screenshots(extract_path) self._get_files(extract_path) self._get_pcap(extract_path) # remove extracts files File.remove_tmp_dir(folder_path)
def _get_files(self, extract_path): """ Retreive files and upload it on FTP server """ files = os.path.join(extract_path, "files") files_path = [] for f in os.listdir(files): file_path = files + "/" + f # send ftp_file_path = LamaFtp.upload_from_module( file_path, self._malware.analysis_uid, self._malware.uid, self._module_cls_name, remote_path=("{}/files").format(self._task_id)) files_path.append(ftp_file_path) extract_file = self._malware.add_extract_malware_path( self._module_cls_name, file_path, f) Input.analyse_malware(extract_file) indicator = Indicator.factory(module_cls_name=self._module_cls_name, name="files", content_type=Type.FILE, content=",".join(files_path), score=0, option=self._task_id) self._ms.add_indicator(indicator)
def _get_screenshots(self, extract_path): """ Retreive snapshot and upload it on FTP server """ shots_path = os.path.join(extract_path, "shots") screenshots_path = [] for f in os.listdir(shots_path): img_path = shots_path + "/" + f # resize img = Image.open(img_path) basewidth = 500 wpercent = (basewidth / float(img.size[0])) hsize = int((float(img.size[1]) * float(wpercent))) img = img.resize((basewidth, hsize), Image.ANTIALIAS) img.save(img_path) # send path = LamaFtp.upload_from_module( img_path, self._malware.analysis_uid, self._malware.uid, self._module_cls_name, remote_path=("{}/screenshots").format(self._task_id)) screenshots_path.append(path) indicator = Indicator.factory(module_cls_name=self._module_cls_name, name="screenshots", content_type=Type.FILE, content=",".join(screenshots_path), score=0, option=self._task_id) self._ms.add_indicator(indicator)
def download(self): """ Download the malware on local machine. """ local_path, _ = LamaFtp.download_to_tmp( str(self.analysis_uid) + "/" + str(self.uid) + "/" + self.name) return local_path
def add_extract_malware_path(self, module_cls_name, path, name, malware_type=None): """ Add a extracted malware to a malware with his path. It's for binary exctact. Args : **module_cls_name** (Sting) : Class name of the analysis module. **path** (String) : Path of the extracted malware. **name** (String) : Name of the extracted malware. """ # create empty malware to have his uid m = Malware.empty_malware() # set link child/parent m._parent_uid = self.uid m.analysis_uid = self.analysis_uid # define the remote dir remote_dir = "{}/{}".format(str(m.analysis_uid), str(m.uid)) # create the malware with other informations new_name = m.factory(path, remote_dir, name) if malware_type: m.mime = malware_type res = m.persist() if not res: # TODO handle error logging.debug("Error persist malware") # send to FTp server LamaFtp.upload(path, remote_dir, new_name) # add the extracted malware to the list of extracted malware self._extract_malware.append(m) return m
def parse_result(self): """ Abstract parse_result method. It calls when analyze is finished. It uptade malware with indicators. """ # save all scipts script_dir = os.path.join(self._out_tmp_path, "extract", "scripts") for path, subdirs, files in os.walk(script_dir): for name in files: script_path = os.path.join(path, name) with open(script_path, 'r') as script_file: script_content = script_file.read() # convert script to b64 codeb64 = base64.b64encode(bytes(script_content, "utf-8")).decode('utf-8') script_dict = dict() script_dict['filename'] = script_path.replace(script_dir, "")[1:] script_dict['code'] = codeb64 indicator = Indicator.factory(module_cls_name=self.module_cls_name, name="script", content_type=Type.BASE64, content=json.dumps(script_dict), score=0) self._malware.get_module_status(self.module_cls_name ).add_indicator(indicator) tar_path = os.path.join(self._out_tmp_path, "out.tar.gz") remote_tar_path = LamaFtp.upload_from_module(tar_path, self.malware.analysis_uid, self.malware.uid, self.module_cls_name) indicator = Indicator.factory(module_cls_name=self.module_cls_name, name="tar", content_type=Type.FILE, content=remote_tar_path, score=0) self._malware.get_module_status(self.module_cls_name ).add_indicator(indicator)
def _get_pcap(self, extract_path): """ Retreive PCAP and upload it on FTP server """ if os.path.isfile(extract_path + "/dump.pcap"): pcap_path = LamaFtp.upload_from_module( extract_path + "/dump.pcap", self._malware.analysis_uid, self._malware.uid, self._module_cls_name, remote_path=str(self._task_id) + "/pcap") indicator = Indicator.factory( module_cls_name=self._module_cls_name, name="pcap", content_type=Type.FILE, content=pcap_path, score=0, option=self._task_id) self._ms.add_indicator(indicator)
def parse_result(self): """ Abstract parse_result method. It calls when analyze is finished. It uptade malware with indicators. """ if not self._result: return json_pe = self.json_decode(self._result) if not json_pe: return tmp_result_file = File.create_tmp_file("peframe.txt", self._result) remote_path = LamaFtp.upload_from_module( local_path=tmp_result_file + "/peframe.txt", analysis_uid=self.malware.analysis_uid, malware_uid=self.malware.uid, module_cls_name=self.module_cls_name, remote_path="", remote_name="peframe.txt") indicator = Indicator.factory(module_cls_name=self.module_cls_name, name="result_json", content_type=Type.FILE, content=remote_path, score=0) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # ip_found if "ip_found" in json_pe: for ip in json_pe['ip_found']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="ip", content_type=Type.IP, content=ip, score=3) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # url_found if "url_found" in json_pe: for url in json_pe['url_found']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="url", content_type=Type.URL, content=url, score=2) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # url_found if "file_found" in json_pe: file_found = json_pe['file_found'] # file_found->WebPage if "Web Page" in file_found: for webpage in file_found['Web Page']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="webpage", content_type=Type.URL, content=webpage, score=1) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # pe_info if "pe_info" in json_pe and json_pe['pe_info']: pe_info = json_pe['pe_info'] # pe_info->sections_info if "sections_info" in pe_info: for section in pe_info['sections_info']: score = 3 if section['suspicious'] else 0 indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="section_info", content_type=Type.STRING, content=section['name'], score=score) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # pe_info->detected if "detected" in pe_info: for detected in pe_info['detected']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="detected", content_type=Type.STRING, content=detected, score=4) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # pe_info->packer_info if "packer_info" in pe_info: for pack_info in pe_info['packer_info']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="packer_info", content_type=Type.STRING, content=pack_info, score=0) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # pe_info->directories if "directories" in pe_info: for directorie in pe_info['directories']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="directories", content_type=Type.STRING, content=directorie, score=0) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # pe_info->apialert_info if "apialert_info" in pe_info: for api in pe_info['apialert_info']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="apialert_info", content_type=Type.STRING, content=api, score=0) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # pe_info->antidbg_info if "antidbg_info" in pe_info: for antidbg in pe_info['antidbg_info']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="antidbg_info", content_type=Type.STRING, content=antidbg, score=3) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator) # pe_info->antivm_info if "antivm_info" in pe_info: for antidbg in pe_info['antivm_info']: indicator = Indicator.factory( module_cls_name=self.module_cls_name, name="antivm_info", content_type=Type.STRING, content=antidbg, score=4) self._malware.get_module_status( self.module_cls_name).add_indicator(indicator)