def helper_percentages_mongo(tid1,
tid2,
ignore_categories: set = None) -> dict:
if ignore_categories is None:
ignore_categories = {"misc"}
counts = {}
for tid in (tid1, tid2):
counts[tid] = {}
pids_calls = mongo_find_one("analysis", {"info.id": int(tid)}, {
"behavior.processes.process_id": 1,
"behavior.processes.calls": 1
})
if not pids_calls:
continue
for pdoc in pids_calls["behavior"]["processes"]:
pid = pdoc["process_id"]
counts[tid][pid] = {}
for coid in pdoc["calls"]:
chunk = mongo_find_one("calls", {"_id": coid},
{"calls.category": 1})
category_counts = behavior_categories_percent(chunk["calls"])
for cat, count in category_counts.items():
if cat in ignore_categories:
continue
counts[tid][pid][cat] = counts[tid][pid].get(cat,
0) + count
return combine_behavior_percentages(counts)
def helper_summary_mongo(tid1, tid2):
left_sum, right_sum = None, None
left_sum = mongo_find_one("analysis", {"info.id": int(tid1)},
{"behavior.summary": 1})
right_sum = mongo_find_one("analysis", {"info.id": int(tid2)},
{"behavior.summary": 1})
return get_similar_summary(left_sum,
right_sum) if left_sum and right_sum else {}
def static_config_lookup(file_path, sha256=False):
if not sha256:
sha256 = hashlib.sha256(open(file_path, "rb").read()).hexdigest()
if repconf.mongodb.enabled:
document_dict = mongo_find_one("analysis",
{"target.file.sha256": sha256}, {
"CAPE.configs": 1,
"info.id": 1,
"_id": 0
},
sort=[("_id", -1)])
elif repconf.elasticsearchdb.enabled:
document_dict = es.search(
index=get_analysis_index(),
body={"query": {
"match": {
"target.file.sha256": sha256
}
}},
_source=["CAPE.configs", "info.id"],
sort={"_id": {
"order": "desc"
}},
)["hits"]["hits"][0]["_source"]
else:
document_dict = None
if not document_dict:
return
has_config = document_dict.get("CAPE", {}).get("configs", [])
if has_config:
return document_dict["info"]
def category_all_files(task_id, category, base_path):
analysis = False
query_category = category
if category == "CAPE":
category = "CAPE.payloads"
if repconf.mongodb.enabled:
analysis = mongo_find_one("analysis", {"info.id": int(task_id)}, {
f"{category}.sha256": 1,
"_id": 0
},
sort=[("_id", -1)])
# if es_as_db:
# # ToDo missed category
# analysis = es.search(index=get_analysis_index(), query=get_query_by_info_id(task_id))["hits"]["hits"][0]["_source"]
if analysis:
if query_category == "CAPE":
return [
os.path.join(base_path, block["sha256"])
for block in analysis.get(query_category, {}).get(
"payloads", [])
]
else:
return [
os.path.join(base_path, block["sha256"])
for block in analysis.get(category, [])
]
def both(request, left_id, right_id):
if enabledconf["mongodb"]:
left = mongo_find_one("analysis", {"info.id": int(left_id)}, {
"target": 1,
"info": 1,
"summary": 1
})
right = mongo_find_one("analysis", {"info.id": int(right_id)}, {
"target": 1,
"info": 1,
"summary": 1
})
# Execute comparison.
counts = compare.helper_percentages_mongo(left_id, right_id)
summary_compare = compare.helper_summary_mongo(left_id, right_id)
elif es_as_db:
left = es.search(index=get_analysis_index(),
query=get_query_by_info_id(left_id),
_source=["target",
"info"])["hits"]["hits"][-1]["_source"]
right = es.search(index=get_analysis_index(),
query=get_query_by_info_id(right_id),
_source=["target",
"info"])["hits"]["hits"][-1]["_source"]
counts = compare.helper_percentages_elastic(es, left_id, right_id)
summary_compare = compare.helper_summary_elastic(es, left_id, right_id)
return render(
request,
"compare/both.html",
{
"left": left,
"right": right,
"left_counts": counts[left_id],
"right_counts": counts[right_id],
"summary": summary_compare,
},
)
def _load_report(task_id: int, return_one: bool = False):
if repconf.mongodb.enabled:
if return_one:
analysis = mongo_find_one("analysis", {"info.id": int(task_id)},
sort=[("_id", -1)])
for process in analysis.get("behavior", {}).get("processes", []):
calls = []
for call in process["calls"]:
calls.append(ObjectId(call))
process["calls"] = []
for call in mongo_find("calls", {"_id": {
"$in": calls
}},
sort=[("_id", 1)]) or []:
process["calls"] += call["calls"]
return analysis
else:
return mongo_find("analysis", {"info.id": int(task_id)})
if repconf.elasticsearchdb.enabled and not repconf.elasticsearchdb.searchonly:
try:
analyses = (es.search(index=get_analysis_index(),
query=get_query_by_info_id(task_id),
sort={
"info.id": {
"order": "desc"
}
}).get("hits", {}).get("hits", []))
if analyses:
if return_one:
return analyses[0]
else:
return analyses
except ESRequestError as e:
print(e)
return False
def left(request, left_id):
if enabledconf["mongodb"]:
left = mongo_find_one("analysis", {"info.id": int(left_id)}, {
"target": 1,
"info": 1
})
if es_as_db:
hits = es.search(index=get_analysis_index(),
query=get_query_by_info_id(left_id))["hits"]["hits"]
if hits:
left = hits[-1]["_source"]
else:
left = None
if not left:
return render(request, "error.html",
{"error": "No analysis found with specified ID"})
# Select all analyses with same file hash.
if enabledconf["mongodb"]:
records = mongo_find(
"analysis",
{
"$and": [{
"target.file.md5": left["target"]["file"]["md5"]
}, {
"info.id": {
"$ne": int(left_id)
}
}]
},
{
"target": 1,
"info": 1
},
)
if es_as_db:
records = []
q = {
"query": {
"bool": {
"must": [{
"match": {
"target.file.md5": left["target"]["file"]["md5"]
}
}],
"must_not": [{
"match": {
"info.id": left_id
}
}],
}
}
}
results = es.search(index=get_analysis_index(), body=q)["hits"]["hits"]
for item in results:
records.append(item["_source"])
return render(request, "compare/left.html", {
"left": left,
"records": records
})