def addAnalysis(self):
"""Adds analysis header."""
analysis = maec.AnalysisType(
id="%s:ana:1" % self.idMap['prefix'],
analysis_method='Dynamic',
start_datetime=datetime_to_iso(self.results["info"]["started"]),
complete_datetime=datetime_to_iso(self.results["info"]["ended"]),
lastupdate_datetime=datetime_to_iso(self.results["info"]["ended"]))
# Add tool
analysis.set_Tools_Used(self.createTools())
# Add subject
analysis.add_Subject(self.createSubject(self.results['file']))
self.analyses.add_Analysis(analysis)
def addAnalysis(self):
"""Adds analysis header."""
analysis = maec.AnalysisType(
id = "%s:ana:1" % self.idMap['prefix'],
analysis_method = 'Dynamic',
start_datetime = datetime_to_iso(self.results["info"]["started"]),
complete_datetime = datetime_to_iso(self.results["info"]["ended"]),
lastupdate_datetime = datetime_to_iso(self.results["info"]["ended"])
)
# Add tool
analysis.set_Tools_Used(self.createTools())
# Add subject
analysis.add_Subject(self.createSubject(self.results['file']))
self.analyses.add_Analysis(analysis)
def addMetadata(self):
"""Generates header for MAEC xml and root components."""
if self.results["target"]["category"] == "file":
id = "cuckoo:%s" % self.results["target"]["file"]["md5"]
elif self.results["target"]["category"] == "url":
id = "cuckoo:%s" % hashlib.md5(
self.results["target"]["url"]).hexdigest()
else:
raise CuckooReportError("Unknown target type")
self.m = maec.malwareMetaData(
version="1.1",
id=id,
author="Cuckoo Sandbox %s" % self.results["info"]["version"],
comment=
"Report created with Cuckoo Sandbox %s automated and open source malware sandbox: http://www.cuckoosandbox.org"
% self.results["info"]["version"],
timestamp=datetime_to_iso(self.results["info"]["started"]))
# Objects
self.objects = maec.objectsType()
self.m.set_objects(self.objects)
# Object Properties
self.properties = maec.objectPropertiesType()
self.m.set_objectProperties(self.properties)
# Relationships
self.relationships = maec.relationshipsType()
self.m.set_relationships(self.relationships)
def addMetadata(self):
"""Generates header for MAEC xml and root components."""
if self.results["target"]["category"] == "file":
id = "cuckoo:%s" % self.results["target"]["file"]["md5"]
elif self.results["target"]["category"] == "url":
id = "cuckoo:%s" % hashlib.md5(self.results["target"]["url"]).hexdigest()
else:
raise CuckooReportError("Unknown target type")
self.m = maec.malwareMetaData(
version="1.1",
id=id,
author="Cuckoo Sandbox %s" % self.results["info"]["version"],
comment="Report created with Cuckoo Sandbox %s automated and open source malware sandbox: http://www.cuckoosandbox.org" % self.results["info"]["version"],
timestamp=datetime_to_iso(self.results["info"]["started"])
)
# Objects
self.objects = maec.objectsType()
self.m.set_objects(self.objects)
# Object Properties
self.properties = maec.objectPropertiesType()
self.m.set_objectProperties(self.properties)
# Relationships
self.relationships = maec.relationshipsType()
self.m.set_relationships(self.relationships)
def addWrapper(self):
"""Generates MMDEF malwareMetaData structure."""
self.idMap['prefix'] = "mmdef:%s" % self.results['file']['md5']
# Generate the outer xml container and add meta data
self.m = mmdef.malwareMetaData(
id = "%s:bnd:1" % self.idMap['prefix'],
version='1.2'
)
self.m.set_author("Cuckoo Automated Analysis")
self.m.set_comment("Cuckoo Automated Analysis from Cuckoo "+self.results['info']['version'])
self.m.set_company("N/A")
self.m.set_timestamp(datetime_to_iso(self.results["info"]["ended"]))
# add all of the objects (registry keys, hosts, files, etc that were accessed)
self.objects = mmdef.objectsType()
self.m.set_objects(self.objects)
#object properties
self.objectProperties = mmdef.objectPropertiesType()
self.m.set_objectProperties(self.objectProperties)
# relationships
self.addedRelationships = [] # use this to prevent duplicate relationships
self.relationships = mmdef.relationshipsType()
self.m.set_relationships(self.relationships)
def addAnalysis(self):
"""Adds analysis header."""
analysis = maec.AnalysisType(
id = "%s:ana:1" % self.idMap["prefix"],
analysis_method = "Dynamic",
start_datetime = datetime_to_iso(self.results["info"]["started"]),
complete_datetime = datetime_to_iso(self.results["info"]["ended"]),
lastupdate_datetime = datetime_to_iso(self.results["info"]["ended"])
)
# Add tool
analysis.set_Tools_Used(self.createTools())
# Add subject
if self.results["target"]["category"] == "file":
analysis.add_Subject(self.createSubjectFile(self.results["target"]["file"]))
elif self.results["target"]["category"] == "url":
analysis.add_Subject(self.createSubjectUrl(self.results["target"]["url"]))
self.analyses.add_Analysis(analysis)
def addAnalysis(self):
"""Adds analysis header."""
analysis = maec.AnalysisType(
id="%s:ana:1" % self.idMap["prefix"],
analysis_method="Dynamic",
start_datetime=datetime_to_iso(self.results["info"]["started"]),
complete_datetime=datetime_to_iso(self.results["info"]["ended"]),
lastupdate_datetime=datetime_to_iso(self.results["info"]["ended"]))
# Add tool
analysis.set_Tools_Used(self.createTools())
# Add subject
if self.results["target"]["category"] == "file":
analysis.add_Subject(
self.createSubjectFile(self.results["target"]["file"]))
elif self.results["target"]["category"] == "url":
analysis.add_Subject(
self.createSubjectUrl(self.results["target"]["url"]))
self.analyses.add_Analysis(analysis)
def addMetadata(self):
"""Generates header for MAEC xml and root components."""
self.m = maec.malwareMetaData(
version = "1.1",
id = "cuckoo:%s" % self.results['file']['md5'],
author = "Cuckoo Sandbox %s" % self.results["info"]["version"],
comment = "Report created with Cuckoo Sandbox %s automated and open source malware sandbox: http://www.cuckoosandbox.org" % self.results["info"]["version"],
timestamp = datetime_to_iso(self.results["info"]["started"])
)
# Objects
self.objects = maec.objectsType()
self.m.set_objects(self.objects)
# Object Properties
self.properties = maec.objectPropertiesType()
self.m.set_objectProperties(self.properties)
# Relationships
self.relationships = maec.relationshipsType()
self.m.set_relationships(self.relationships)
def addMetadata(self):
"""Generates header for MAEC xml and root components."""
self.m = maec.malwareMetaData(
version="1.1",
id="cuckoo:%s" % self.results['file']['md5'],
author="Cuckoo Sandbox %s" % self.results["info"]["version"],
comment=
"Report created with Cuckoo Sandbox %s automated and open source malware sandbox: http://www.cuckoosandbox.org"
% self.results["info"]["version"],
timestamp=datetime_to_iso(self.results["info"]["started"]))
# Objects
self.objects = maec.objectsType()
self.m.set_objects(self.objects)
# Object Properties
self.properties = maec.objectPropertiesType()
self.m.set_objectProperties(self.properties)
# Relationships
self.relationships = maec.relationshipsType()
self.m.set_relationships(self.relationships)
def run(self, results):
"""CENTS reporting module
- checks if we have a extracted config
- checks if we have a parser for the malware family
- if yes it proceeds and tries to create Suricata rules for the malware family
- writes a new rule file to the reports_path
:param results: Cuckoo results dict.
:type results: `dict`
:raise CuckooReportError: if fails to write rules file.
"""
rule_list = []
md5 = results.get("target", {}).get("file",
{}).get("md5",
"") # md5 of the sample
date = (datetime_to_iso(results.get("info", {}).get(
"started",
"")).split("T", 1)[0].replace("-",
"_")) # timestamp of the sample run
task_id = int(results.get("info",
{}).get("id",
0)) # task id of the analysis run
task_link = f"{self.hostname}/analysis/{task_id}/"
if self.hostname.endswith("/"):
task_link = f"{self.hostname}analysis/{task_id}/"
configs = results.get("CAPE", {}).get("configs", [])
results["info"]["has_cents_rules"] = False
if not configs:
# no config extracted, nothing to do for CENTS
return
# sometimes there is more than one extracted config that is identical
configs_dedup = []
for entry in configs:
if entry in configs_dedup:
continue
configs_dedup.append(entry)
for config in configs_dedup:
if not config or not isinstance(config, dict):
continue
for config_name, config_dict in config.items():
rules = None
if config_name == "Remcos":
rules = cents_remcos(config_dict, self.sid_counter, md5,
date, task_link)
elif config_name == "SquirrelWaffle":
rules = cents_squirrelwaffle(config_dict, self.sid_counter,
md5, date, task_link)
elif config_name == "TrickBot":
rules = cents_trickbot(config_dict,
results.get("suricata",
{}), self.sid_counter,
md5, date, task_link)
else:
# config for this family not implemented yet
log.debug(
"[CENTS] Config for family %s not implemented yet",
config_name)
continue
if rules:
log.debug("[CENTS] Created %d rule(s) for %s", len(rules),
config_name)
self.sid_counter += len(rules)
rule_list += rules
else:
log.warning(
"[CENTS] Found config for %s, but couldn't create rules",
config_name)
if not rule_list:
# no rules have been created
return
try:
with open(os.path.join(self.reports_path, "cents.rules"),
"w") as f:
# header lines
f.write("# This ruleset has been automatically generated\n")
f.write("# CENTS\n")
f.write(f"# Created {len(rule_list)} rules.\n")
# rules
for line in rule_list:
f.write(f"{line}\n")
log.info("[CENTS] Wrote %d rule(s) to rule file at: %s",
len(rule_list), f.name)
results["info"]["has_cents_rules"] = True
except IOError as e:
raise CuckooReportError(f"Failed to generate CENTS report: {e}")
def test_convert_date(self):
assert_equal("2000-01-01T11:43:35", utils.datetime_to_iso("2000-01-01 11:43:35"))
def test_convert_date(self):
assert_equal("2000-01-01T11:43:35", utils.datetime_to_iso("2000-01-01 11:43:35"))
