예제 #1
0
    def parse_signatures(self):
        """
        Parse signatures part
        """
        if self._all:
            indicator = Indicator.factory(
                module_cls_name=self._module_cls_name,
                name="_signatures",
                content_type=Type.JSON,
                content=json.dumps(self._json_cuckoo["signatures"]),
                score=0,
                option=self._task_id)
            self._ms.add_indicator(indicator)

        for sign in self._json_cuckoo['signatures']:

            signature = {
                "description": sign['description'],
                "severity": sign['severity'],
                "name": sign['name']
            }

            indicator = Indicator.factory(
                module_cls_name=self._module_cls_name,
                name="signature",
                content_type=Type.STRING,
                content=json.dumps(signature),
                score=0,
                option=self._task_id)
            self._ms.add_indicator(indicator)
예제 #2
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """
        if not self._result:
            return

        json_jsbeautify = self.json_decode(self._result)
        if not json_jsbeautify:
            return

        if 'code' in json_jsbeautify:
            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="code",
                                          content_type=Type.BASE64,
                                          content=json_jsbeautify["code"],
                                          score=0)
            self._malware.get_module_status(
                self.module_cls_name).add_indicator(indicator)
        if 'error' in json_jsbeautify:
            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="error",
                                          content_type=Type.BASE64,
                                          content=json_jsbeautify["error"],
                                          score=-1)
            self._malware.get_module_status(
                self.module_cls_name).add_indicator(indicator)
예제 #3
0
 def parse_info(self):
     """
     Parse info part
     """
     if self._all:
         indicator = Indicator.factory(
             module_cls_name=self._module_cls_name,
             name="_info",
             content_type=Type.JSON,
             content=json.dumps(self._json_cuckoo["info"]),
             score=0,
             option=self._task_id)
         self._ms.add_indicator(indicator)
     # SCORE
     indicator = Indicator.factory(module_cls_name=self._module_cls_name,
                                   name="score",
                                   content_type=Type.INTEGER,
                                   content=str(
                                       self._json_cuckoo["info"]['score']),
                                   score=self._json_cuckoo['info']['score'],
                                   option=self._task_id)
     self._ms.add_indicator(indicator)
     # MACHINE LABEL
     indicator = Indicator.factory(
         module_cls_name=self._module_cls_name,
         name="machine_label",
         content_type=Type.INTEGER,
         content=str(self._json_cuckoo["info"]['machine']['label']),
         score=0,
         option=self._task_id)
     self._ms.add_indicator(indicator)
     self._ms.add_indicator(indicator)
예제 #4
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """
        if not self._result:
            return

        json_ole = self.json_decode(self._result)
        if not json_ole:
            return

        for item in json_ole:
            if 'type' in item and (item['type'] == 'MHTML'
                                   or item['type'] == 'OLE'):
                if 'analysis' in item and item['analysis']:
                    for analyse in item['analysis']:
                        if "IOC" in analyse["type"]:
                            score = 7
                        elif "AutoExec" in analyse["type"]:
                            score = 7
                        elif "Suspicious" in analyse["type"]:
                            score = 5
                        elif "VBA string" in analyse["type"]:
                            score = 3
                        elif "Hex String" in analyse["type"]:
                            score = 1
                        else:
                            score = -1

                        indicator = Indicator.factory(
                            module_cls_name=self.module_cls_name,
                            name="analysis",
                            content_type=Type.JSON,
                            content=json.dumps(analyse),
                            score=score)
                        self._malware.get_module_status(
                            self.module_cls_name).add_indicator(indicator)
                if 'macros' in item:
                    for analyse in item['macros']:
                        indicator = Indicator.factory(
                            module_cls_name=self.module_cls_name,
                            name="macros",
                            content_type=Type.JSON,
                            content=json.dumps(analyse),
                            score=3)
                        self._malware.get_module_status(
                            self.module_cls_name).add_indicator(indicator)
                        extract_malware = self.malware.add_extract_malware(
                            self.module_cls_name, analyse['code'])
                        Input.analyse_malware(extract_malware)
예제 #5
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """

        if not self._result:
            return

        json_ole = self.json_decode(self._result)
        if not json_ole:
            return

        if 'returncode' in json_ole:
            returncode = json_ole['returncode']
            if returncode == 0:
                # No macro
                score = 1
            elif returncode == 1:
                # Not MS Office
                score = 0
            elif returncode == 2:
                # Macro OK
                score = 1
            elif returncode == 10:
                # error
                score = 0
            elif returncode == 20:
                # SUSPICIOUS
                score = 5
            else:
                # Other ???
                score = 0

            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="returncode",
                                          content_type=Type.INTEGER,
                                          content=returncode,
                                          score=score)
            self._malware.get_module_status(
                self.module_cls_name).add_indicator(indicator)

        if 'out' in json_ole:
            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="out",
                                          content_type=Type.JSON,
                                          content=json_ole['out'],
                                          score=0)
            self._malware.get_module_status(
                self.module_cls_name).add_indicator(indicator)
예제 #6
0
    def _get_files(self, extract_path):
        """
        Retreive files and upload it on FTP server
        """
        files = os.path.join(extract_path, "files")
        files_path = []
        for f in os.listdir(files):
            file_path = files + "/" + f
            # send
            ftp_file_path = LamaFtp.upload_from_module(
                file_path,
                self._malware.analysis_uid,
                self._malware.uid,
                self._module_cls_name,
                remote_path=("{}/files").format(self._task_id))
            files_path.append(ftp_file_path)
            extract_file = self._malware.add_extract_malware_path(
                self._module_cls_name, file_path, f)
            Input.analyse_malware(extract_file)

        indicator = Indicator.factory(module_cls_name=self._module_cls_name,
                                      name="files",
                                      content_type=Type.FILE,
                                      content=",".join(files_path),
                                      score=0,
                                      option=self._task_id)
        self._ms.add_indicator(indicator)
예제 #7
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """
        if not self._result:
            return

        json_res = self.json_decode(self._result)
        if not json_res:
            return

        if "file" in json_res:
            name = "file"
            path = json_res['file']
            file_path = os.path.join(path, name)
            extract_file = self.malware.add_extract_malware_path(
                self.module_cls_name, file_path, name)
            Input.analyse_malware(extract_file)

        if "key1" in json_res:
            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="key1",
                                          content_type=Type.STRING,
                                          content=json_res["key1"],
                                          score=0)
            self._malware.get_module_status(
                self.module_cls_name).add_indicator(indicator)
예제 #8
0
    def parse_result(self):
        """
        Main function to parse results
        Add indicator in malware.
        """
        # download full archive
        tar_url = "{}/tasks/report/{}/all".format(self._cuckoo_url,
                                                  self._task_id)
        folder_path = File.download_to_tmp(tar_url, "all.tar.gz")

        # send archive to FTP server
        tar_path = LamaFtp.upload_from_module(folder_path + "/all.tar.gz",
                                              self._malware.analysis_uid,
                                              self._malware.uid,
                                              self._module_cls_name,
                                              remote_path=str(self._task_id) +
                                              "/all")

        # add indicator
        indicator = Indicator.factory(module_cls_name=self._module_cls_name,
                                      name="all",
                                      content_type=Type.FILE,
                                      content=tar_path,
                                      score=0,
                                      option=self._task_id)
        self._ms.add_indicator(indicator)

        # untar and analyze report.json
        tar = tarfile.open(folder_path + "/all.tar.gz")
        extract_path = folder_path + "/extract"
        os.mkdir(extract_path)
        tar.extractall(extract_path)
        json_report_file = open(extract_path + "/reports/report.json", "r")
        self._json_input = json_report_file.read()

        self._json_cuckoo = self.json_decoder.decode(self._json_input)

        # TODO move on submodule JSON ?
        if "info" in self._json_cuckoo:
            self.parse_info()
        if "target" in self._json_cuckoo:
            self.parse_target()
        if "strings" in self._json_cuckoo:
            self.parse_strings()
        if "signatures" in self._json_cuckoo:
            self.parse_signatures()
        if "buffer" in self._json_cuckoo:
            self.parse_buffer()
        if "network" in self._json_cuckoo:
            self.parse_network()
        if "behavior" in self._json_cuckoo:
            self.parse_process()

        # upload screenshots/pcap to FTP server
        self._get_screenshots(extract_path)
        self._get_files(extract_path)
        self._get_pcap(extract_path)

        # remove extracts files
        File.remove_tmp_dir(folder_path)
예제 #9
0
 def parse_result(self):
     """
     Abstract parse_result method.
     It calls when analyze is finished.
     It uptade malware with indicators.
     """
     # get results
     request_str = "{}/results/{}".format(IrmaModule.URL,
                                          self._result_id)
     logging.debug(request_str)
     headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}
     request = requests.get(request_str, headers=headers)
     json_res = IrmaModule.json_decoder.decode(request.text)
     for res in json_res['probe_results']:
         # add result for each probe
         if res['status'] == 1:
             score = 10
         elif res['status'] == 0:
             score = 0
         else:
             score = -1
         indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                       name="probe_results",
                                       content_type=Type.JSON,
                                       content=json.dumps(res),
                                       score=score)
         self._malware.get_module_status(self.module_cls_name
                                         ).add_indicator(indicator)
예제 #10
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """
        if not self._result:
            return

        json_unpack = self.json_decode(self._result)
        if not json_unpack:
            return

        if "res" in json_unpack and json_unpack["res"] == "ok":
            for path, subdirs, files in os.walk(self._out_tmp_path):
                for name in files:
                    file_path = os.path.join(path, name)
                    extract_malware = self.malware.add_extract_malware_path(
                        self.module_cls_name, file_path, name)
                    Input.analyse_malware(extract_malware)

        if "error" in json_unpack:
            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="error",
                                          content_type=Type.BASE64,
                                          content=json_unpack["error"],
                                          score=-1)
            self._malware.get_module_status(
                self.module_cls_name).add_indicator(indicator)
예제 #11
0
    def _get_screenshots(self, extract_path):
        """
        Retreive snapshot and upload it on FTP server
        """
        shots_path = os.path.join(extract_path, "shots")
        screenshots_path = []
        for f in os.listdir(shots_path):
            img_path = shots_path + "/" + f
            # resize
            img = Image.open(img_path)
            basewidth = 500
            wpercent = (basewidth / float(img.size[0]))
            hsize = int((float(img.size[1]) * float(wpercent)))
            img = img.resize((basewidth, hsize), Image.ANTIALIAS)
            img.save(img_path)
            # send
            path = LamaFtp.upload_from_module(
                img_path,
                self._malware.analysis_uid,
                self._malware.uid,
                self._module_cls_name,
                remote_path=("{}/screenshots").format(self._task_id))
            screenshots_path.append(path)

        indicator = Indicator.factory(module_cls_name=self._module_cls_name,
                                      name="screenshots",
                                      content_type=Type.FILE,
                                      content=",".join(screenshots_path),
                                      score=0,
                                      option=self._task_id)
        self._ms.add_indicator(indicator)
예제 #12
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """
        if not self._result:
            return

        json_urls = self.json_decode(self._result)
        if not json_urls:
            return

        if 'urls' in json_urls:
            for url in json_urls['urls']:
                if 'path' in json_urls['urls'][url]:
                    path = json_urls['urls'][url]['path']
                    if path.startswith("/lama/out/"):
                        path = path[10:]
                    file_path = os.path.join(self._out_tmp_path, path)
                    path, name = os.path.split(file_path)
                    extract_malware = self.malware.add_extract_malware_path(
                        self.module_cls_name, file_path, name)
                    Input.analyse_malware(extract_malware)
                if 'error' in json_urls['urls'][url]:
                    content = "{} : {}".format(url,
                                               json_urls['urls'][url]['error'])
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="error",
                        content_type=Type.STRING,
                        content=content,
                        score=-1)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

        if 'error' in json_urls:
            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="error",
                                          content_type=Type.STRING,
                                          content=json_urls["error"],
                                          score=-1)
            self._malware.get_module_status(
                self.module_cls_name).add_indicator(indicator)
예제 #13
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """
        if not self._result:
            return

        json_jsunpackn = self.json_decode(self._result)
        if not json_jsunpackn:
            return

        if 'info' in json_jsunpackn:
            info = json_jsunpackn['info']
            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="info",
                                          content_type=Type.STRING,
                                          content=info,
                                          score=0)
            self._malware.get_module_status(self.module_cls_name
                                            ).add_indicator(indicator)
        if 'sources' in json_jsunpackn:
            for source in json_jsunpackn['sources']:
                indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                              name="source",
                                              content_type=Type.BASE64,
                                              content=source,
                                              score=4)
                self._malware.get_module_status(self.module_cls_name
                                                ).add_indicator(indicator)
                extract_malware = self.malware.add_extract_malware(self.module_cls_name,
                                                                   base64.b64decode(source))
                Input.analyse_malware(extract_malware)

        if 'error' in json_jsunpackn:
            indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                          name="error",
                                          content_type=Type.STRING,
                                          content=json_jsunpackn["error"],
                                          score=-1)
            self._malware.get_module_status(self.module_cls_name
                                            ).add_indicator(indicator)
예제 #14
0
 def test_attrs(self):
     ind = Indicator.factory(module_cls_name="test_module",
                             name="test_name", content_type=Type.STRING,
                             content="content", score=4, option="option")
     self.assertEqual(ind.module_cls_name, "test_module")
     self.assertEqual(ind.name, "test_name")
     self.assertEqual(ind.content_type, Type.STRING)
     self.assertEqual(ind.content, "content")
     self.assertEqual(ind.score, 4)
     self.assertEqual(ind.option, "option")
예제 #15
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """
        if not self._result:
            return

        json_jsextract = self.json_decode(self._result)
        if not json_jsextract:
            return

        if 'code' in json_jsextract:
            for i, c in enumerate(json_jsextract['code']):
                if bool(c[0] and c[0].strip()):
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="code_header",
                        content_type=Type.BASE64,
                        content=base64.b64encode(bytes(
                            c[0], "utf-8")).decode('utf-8'),
                        option=i,
                        score=0)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

                if bool(c[1] and c[1].strip()):
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="code_body",
                        content_type=Type.BASE64,
                        content=base64.b64encode(bytes(
                            c[1], "utf-8")).decode('utf-8'),
                        option=i,
                        score=0)
                    extract_malware = self.malware.add_extract_malware(
                        self.module_cls_name, c[1])
                    Input.analyse_malware(extract_malware)

                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)
예제 #16
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """

        # save all scipts
        script_dir = os.path.join(self._out_tmp_path, "extract", "scripts")
        for path, subdirs, files in os.walk(script_dir):
            for name in files:
                script_path = os.path.join(path, name)
                with open(script_path, 'r') as script_file:
                    script_content = script_file.read()
                    # convert script to b64
                    codeb64 = base64.b64encode(bytes(script_content,
                                                     "utf-8")).decode('utf-8')
                    script_dict = dict()
                    script_dict['filename'] = script_path.replace(script_dir,
                                                                  "")[1:]
                    script_dict['code'] = codeb64
                    indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                                  name="script",
                                                  content_type=Type.BASE64,
                                                  content=json.dumps(script_dict),
                                                  score=0)
                    self._malware.get_module_status(self.module_cls_name
                                                    ).add_indicator(indicator)

        tar_path = os.path.join(self._out_tmp_path, "out.tar.gz")
        remote_tar_path = LamaFtp.upload_from_module(tar_path,
                                                     self.malware.analysis_uid,
                                                     self.malware.uid,
                                                     self.module_cls_name)

        indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                      name="tar",
                                      content_type=Type.FILE,
                                      content=remote_tar_path,
                                      score=0)
        self._malware.get_module_status(self.module_cls_name
                                        ).add_indicator(indicator)
예제 #17
0
 def parse_process(self):
     if 'processtree' in self._json_cuckoo['behavior']:
         proc = self._json_cuckoo['behavior']['processtree']
         indicator = Indicator.factory(
             module_cls_name=self._module_cls_name,
             name="process",
             content_type=Type.STRING,
             content=json.dumps(proc),
             score=0,
             option=self._task_id)
         self._ms.add_indicator(indicator)
예제 #18
0
 def parse_network(self):
     """
     Parse network part
     """
     indicator = Indicator.factory(module_cls_name=self._module_cls_name,
                                   name="network",
                                   content_type=Type.JSON,
                                   content=json.dumps(
                                       self._json_cuckoo["network"]),
                                   score=0,
                                   option=self._task_id)
     self._ms.add_indicator(indicator)
예제 #19
0
 def parse_result(self):
     """
     Abstract parse_result method.
     It calls when analyze is finished.
     It uptade malware with indicators.
     """
     indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                   name="name1",
                                   content_type=Type.STRING,
                                   content="content1",
                                   score=0)
     self._malware.get_module_status(
         self.module_cls_name).add_indicator(indicator)
예제 #20
0
 def parse_strings(self):
     """
     Parse string part
     """
     if self._all:
         indicator = Indicator.factory(
             module_cls_name=self._module_cls_name,
             name="_strings",
             content_type=Type.JSON,
             content=json.dumps(self._json_cuckoo["strings"]),
             score=0,
             option=self._task_id)
         self._ms.add_indicator(indicator)
예제 #21
0
    def parse_buffer(self):
        """
        Parse buffer part
        """
        if self._all:
            indicator = Indicator.factory(
                module_cls_name=self._module_cls_name,
                name="_buffer",
                content_type=Type.JSON,
                content=json.dumps(self._json_cuckoo["buffer"]),
                score=0,
                option=self._task_id)
            self._ms.add_indicator(indicator)

        for buff in self._json_cuckoo['buffer']:
            if len(buff['yara']):
                indicator = Indicator.factory(
                    module_cls_name=self._module_cls_name,
                    name="buff_yara",
                    content_type=Type.JSON,
                    content=json.dumps(buff['yara']),
                    score=0,
                    option=self._task_id)
                self._ms.add_indicator(indicator)
예제 #22
0
    def test_case_2(self):
        a = Analysis.factory()

        for i in range(1, 4):
            m = Malware.empty_malware()
            m.factory(local_path=TestModels.TEST_FILE,
                      remote_path="remote_path",
                      name="malware_filte_test.txt_" + str(i))
            a.add_malware(m)

            self.assertEqual(len(a.malwares), i)
            self.assertEqual(m.nb_module, 0)
            self.assertEqual(len(m.module_status), 0)
            self.assertEqual(a.is_finish(), False)

        for m in a.malwares:
            for i in range(1, 4):
                ms_name = "test_module_" + str(i)
                m.set_module_status(ms_name, ModuleStatus.MODULE_IN_PROGRESS)
                m.add_nb_module()

                self.assertEqual(m.nb_module, i)
                self.assertEqual(len(m.module_status), i)
                self.assertEqual(a.is_finish(), False)

                m.set_module_status(ms_name, ModuleStatus.MODULE_FINISH)
                ms = m.get_module_status(ms_name)

                self.assertEqual(len(ms.indicators), 0)

                for j in range(1, 4):
                    ind = Indicator.factory(module_cls_name=ms_name,
                                            name="test_name_" + str(i),
                                            content_type=Type.STRING,
                                            content="content",
                                            score=4,
                                            option="option" + str(i))
                    ms.add_indicator(ind)

                    self.assertEqual(len(ms.indicators), j)
                    self.assertEqual(a.is_finish(), False)

                m.set_module_status(ms_name, ModuleStatus.MODULE_REPORTED)

        self.assertEqual(a.is_finish(), True)
예제 #23
0
    def test_case_1(self):
        a = Analysis.factory()

        self.assertEqual(len(a.malwares), 0)
        self.assertEqual(a.is_finish(), False)

        m = Malware.empty_malware()
        m.factory(local_path=TestModels.TEST_FILE,
                  remote_path="remote_path",
                  name="malware_filte_test.txt")
        a.add_malware(m)

        self.assertEqual(len(a.malwares), 1)
        self.assertEqual(m.nb_module, 0)
        self.assertEqual(len(m.module_status), 0)
        self.assertEqual(a.is_finish(), False)

        m.set_module_status("test_module", ModuleStatus.MODULE_IN_PROGRESS)
        m.add_nb_module()

        self.assertEqual(m.nb_module, 1)
        self.assertEqual(len(m.module_status), 1)
        self.assertEqual(a.is_finish(), False)

        m.set_module_status("test_module", ModuleStatus.MODULE_FINISH)
        ms = m.get_module_status("test_module")

        self.assertEqual(len(ms.indicators), 0)

        ind = Indicator.factory(module_cls_name="test_module",
                                name="test_name",
                                content_type=Type.STRING,
                                content="content",
                                score=4,
                                option="option")
        ms.add_indicator(ind)

        self.assertEqual(len(ms.indicators), 1)
        self.assertEqual(a.is_finish(), False)

        m.set_module_status("test_module", ModuleStatus.MODULE_REPORTED)

        self.assertEqual(a.is_finish(), True)
예제 #24
0
    def _get_pcap(self, extract_path):
        """
        Retreive PCAP and upload it on FTP server
        """
        if os.path.isfile(extract_path + "/dump.pcap"):
            pcap_path = LamaFtp.upload_from_module(
                extract_path + "/dump.pcap",
                self._malware.analysis_uid,
                self._malware.uid,
                self._module_cls_name,
                remote_path=str(self._task_id) + "/pcap")

            indicator = Indicator.factory(
                module_cls_name=self._module_cls_name,
                name="pcap",
                content_type=Type.FILE,
                content=pcap_path,
                score=0,
                option=self._task_id)
            self._ms.add_indicator(indicator)
예제 #25
0
    def parse_result(self):
        """
        Abstract parse_result method.
        It calls when analyze is finished.
        It uptade malware with indicators.
        """
        if not self._result:
            return

        json_pe = self.json_decode(self._result)
        if not json_pe:
            return

        tmp_result_file = File.create_tmp_file("peframe.txt", self._result)
        remote_path = LamaFtp.upload_from_module(
            local_path=tmp_result_file + "/peframe.txt",
            analysis_uid=self.malware.analysis_uid,
            malware_uid=self.malware.uid,
            module_cls_name=self.module_cls_name,
            remote_path="",
            remote_name="peframe.txt")

        indicator = Indicator.factory(module_cls_name=self.module_cls_name,
                                      name="result_json",
                                      content_type=Type.FILE,
                                      content=remote_path,
                                      score=0)
        self._malware.get_module_status(
            self.module_cls_name).add_indicator(indicator)

        # ip_found
        if "ip_found" in json_pe:
            for ip in json_pe['ip_found']:
                indicator = Indicator.factory(
                    module_cls_name=self.module_cls_name,
                    name="ip",
                    content_type=Type.IP,
                    content=ip,
                    score=3)
                self._malware.get_module_status(
                    self.module_cls_name).add_indicator(indicator)

        # url_found
        if "url_found" in json_pe:
            for url in json_pe['url_found']:
                indicator = Indicator.factory(
                    module_cls_name=self.module_cls_name,
                    name="url",
                    content_type=Type.URL,
                    content=url,
                    score=2)
                self._malware.get_module_status(
                    self.module_cls_name).add_indicator(indicator)

        # url_found
        if "file_found" in json_pe:
            file_found = json_pe['file_found']

            # file_found->WebPage
            if "Web Page" in file_found:
                for webpage in file_found['Web Page']:
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="webpage",
                        content_type=Type.URL,
                        content=webpage,
                        score=1)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

        # pe_info
        if "pe_info" in json_pe and json_pe['pe_info']:
            pe_info = json_pe['pe_info']

            # pe_info->sections_info
            if "sections_info" in pe_info:
                for section in pe_info['sections_info']:
                    score = 3 if section['suspicious'] else 0
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="section_info",
                        content_type=Type.STRING,
                        content=section['name'],
                        score=score)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

            # pe_info->detected
            if "detected" in pe_info:
                for detected in pe_info['detected']:
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="detected",
                        content_type=Type.STRING,
                        content=detected,
                        score=4)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

            # pe_info->packer_info
            if "packer_info" in pe_info:
                for pack_info in pe_info['packer_info']:
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="packer_info",
                        content_type=Type.STRING,
                        content=pack_info,
                        score=0)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

            # pe_info->directories
            if "directories" in pe_info:
                for directorie in pe_info['directories']:
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="directories",
                        content_type=Type.STRING,
                        content=directorie,
                        score=0)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

            # pe_info->apialert_info
            if "apialert_info" in pe_info:
                for api in pe_info['apialert_info']:
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="apialert_info",
                        content_type=Type.STRING,
                        content=api,
                        score=0)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

            # pe_info->antidbg_info
            if "antidbg_info" in pe_info:
                for antidbg in pe_info['antidbg_info']:
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="antidbg_info",
                        content_type=Type.STRING,
                        content=antidbg,
                        score=3)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)

            # pe_info->antivm_info
            if "antivm_info" in pe_info:
                for antidbg in pe_info['antivm_info']:
                    indicator = Indicator.factory(
                        module_cls_name=self.module_cls_name,
                        name="antivm_info",
                        content_type=Type.STRING,
                        content=antidbg,
                        score=4)
                    self._malware.get_module_status(
                        self.module_cls_name).add_indicator(indicator)