def parse_signatures(self):
"""
Parse signatures part
"""
if self._all:
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="_signatures",
content_type=Type.JSON,
content=json.dumps(self._json_cuckoo["signatures"]),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
for sign in self._json_cuckoo['signatures']:
signature = {
"description": sign['description'],
"severity": sign['severity'],
"name": sign['name']
}
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="signature",
content_type=Type.STRING,
content=json.dumps(signature),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_jsbeautify = self.json_decode(self._result)
if not json_jsbeautify:
return
if 'code' in json_jsbeautify:
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="code",
content_type=Type.BASE64,
content=json_jsbeautify["code"],
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
if 'error' in json_jsbeautify:
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="error",
content_type=Type.BASE64,
content=json_jsbeautify["error"],
score=-1)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
def parse_info(self):
"""
Parse info part
"""
if self._all:
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="_info",
content_type=Type.JSON,
content=json.dumps(self._json_cuckoo["info"]),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
# SCORE
indicator = Indicator.factory(module_cls_name=self._module_cls_name,
name="score",
content_type=Type.INTEGER,
content=str(
self._json_cuckoo["info"]['score']),
score=self._json_cuckoo['info']['score'],
option=self._task_id)
self._ms.add_indicator(indicator)
# MACHINE LABEL
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="machine_label",
content_type=Type.INTEGER,
content=str(self._json_cuckoo["info"]['machine']['label']),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
self._ms.add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_ole = self.json_decode(self._result)
if not json_ole:
return
for item in json_ole:
if 'type' in item and (item['type'] == 'MHTML'
or item['type'] == 'OLE'):
if 'analysis' in item and item['analysis']:
for analyse in item['analysis']:
if "IOC" in analyse["type"]:
score = 7
elif "AutoExec" in analyse["type"]:
score = 7
elif "Suspicious" in analyse["type"]:
score = 5
elif "VBA string" in analyse["type"]:
score = 3
elif "Hex String" in analyse["type"]:
score = 1
else:
score = -1
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="analysis",
content_type=Type.JSON,
content=json.dumps(analyse),
score=score)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
if 'macros' in item:
for analyse in item['macros']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="macros",
content_type=Type.JSON,
content=json.dumps(analyse),
score=3)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
extract_malware = self.malware.add_extract_malware(
self.module_cls_name, analyse['code'])
Input.analyse_malware(extract_malware)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_ole = self.json_decode(self._result)
if not json_ole:
return
if 'returncode' in json_ole:
returncode = json_ole['returncode']
if returncode == 0:
# No macro
score = 1
elif returncode == 1:
# Not MS Office
score = 0
elif returncode == 2:
# Macro OK
score = 1
elif returncode == 10:
# error
score = 0
elif returncode == 20:
# SUSPICIOUS
score = 5
else:
# Other ???
score = 0
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="returncode",
content_type=Type.INTEGER,
content=returncode,
score=score)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
if 'out' in json_ole:
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="out",
content_type=Type.JSON,
content=json_ole['out'],
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
def _get_files(self, extract_path):
"""
Retreive files and upload it on FTP server
"""
files = os.path.join(extract_path, "files")
files_path = []
for f in os.listdir(files):
file_path = files + "/" + f
# send
ftp_file_path = LamaFtp.upload_from_module(
file_path,
self._malware.analysis_uid,
self._malware.uid,
self._module_cls_name,
remote_path=("{}/files").format(self._task_id))
files_path.append(ftp_file_path)
extract_file = self._malware.add_extract_malware_path(
self._module_cls_name, file_path, f)
Input.analyse_malware(extract_file)
indicator = Indicator.factory(module_cls_name=self._module_cls_name,
name="files",
content_type=Type.FILE,
content=",".join(files_path),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_res = self.json_decode(self._result)
if not json_res:
return
if "file" in json_res:
name = "file"
path = json_res['file']
file_path = os.path.join(path, name)
extract_file = self.malware.add_extract_malware_path(
self.module_cls_name, file_path, name)
Input.analyse_malware(extract_file)
if "key1" in json_res:
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="key1",
content_type=Type.STRING,
content=json_res["key1"],
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
def parse_result(self):
"""
Main function to parse results
Add indicator in malware.
"""
# download full archive
tar_url = "{}/tasks/report/{}/all".format(self._cuckoo_url,
self._task_id)
folder_path = File.download_to_tmp(tar_url, "all.tar.gz")
# send archive to FTP server
tar_path = LamaFtp.upload_from_module(folder_path + "/all.tar.gz",
self._malware.analysis_uid,
self._malware.uid,
self._module_cls_name,
remote_path=str(self._task_id) +
"/all")
# add indicator
indicator = Indicator.factory(module_cls_name=self._module_cls_name,
name="all",
content_type=Type.FILE,
content=tar_path,
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
# untar and analyze report.json
tar = tarfile.open(folder_path + "/all.tar.gz")
extract_path = folder_path + "/extract"
os.mkdir(extract_path)
tar.extractall(extract_path)
json_report_file = open(extract_path + "/reports/report.json", "r")
self._json_input = json_report_file.read()
self._json_cuckoo = self.json_decoder.decode(self._json_input)
# TODO move on submodule JSON ?
if "info" in self._json_cuckoo:
self.parse_info()
if "target" in self._json_cuckoo:
self.parse_target()
if "strings" in self._json_cuckoo:
self.parse_strings()
if "signatures" in self._json_cuckoo:
self.parse_signatures()
if "buffer" in self._json_cuckoo:
self.parse_buffer()
if "network" in self._json_cuckoo:
self.parse_network()
if "behavior" in self._json_cuckoo:
self.parse_process()
# upload screenshots/pcap to FTP server
self._get_screenshots(extract_path)
self._get_files(extract_path)
self._get_pcap(extract_path)
# remove extracts files
File.remove_tmp_dir(folder_path)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
# get results
request_str = "{}/results/{}".format(IrmaModule.URL,
self._result_id)
logging.debug(request_str)
headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}
request = requests.get(request_str, headers=headers)
json_res = IrmaModule.json_decoder.decode(request.text)
for res in json_res['probe_results']:
# add result for each probe
if res['status'] == 1:
score = 10
elif res['status'] == 0:
score = 0
else:
score = -1
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="probe_results",
content_type=Type.JSON,
content=json.dumps(res),
score=score)
self._malware.get_module_status(self.module_cls_name
).add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_unpack = self.json_decode(self._result)
if not json_unpack:
return
if "res" in json_unpack and json_unpack["res"] == "ok":
for path, subdirs, files in os.walk(self._out_tmp_path):
for name in files:
file_path = os.path.join(path, name)
extract_malware = self.malware.add_extract_malware_path(
self.module_cls_name, file_path, name)
Input.analyse_malware(extract_malware)
if "error" in json_unpack:
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="error",
content_type=Type.BASE64,
content=json_unpack["error"],
score=-1)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
def _get_screenshots(self, extract_path):
"""
Retreive snapshot and upload it on FTP server
"""
shots_path = os.path.join(extract_path, "shots")
screenshots_path = []
for f in os.listdir(shots_path):
img_path = shots_path + "/" + f
# resize
img = Image.open(img_path)
basewidth = 500
wpercent = (basewidth / float(img.size[0]))
hsize = int((float(img.size[1]) * float(wpercent)))
img = img.resize((basewidth, hsize), Image.ANTIALIAS)
img.save(img_path)
# send
path = LamaFtp.upload_from_module(
img_path,
self._malware.analysis_uid,
self._malware.uid,
self._module_cls_name,
remote_path=("{}/screenshots").format(self._task_id))
screenshots_path.append(path)
indicator = Indicator.factory(module_cls_name=self._module_cls_name,
name="screenshots",
content_type=Type.FILE,
content=",".join(screenshots_path),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_urls = self.json_decode(self._result)
if not json_urls:
return
if 'urls' in json_urls:
for url in json_urls['urls']:
if 'path' in json_urls['urls'][url]:
path = json_urls['urls'][url]['path']
if path.startswith("/lama/out/"):
path = path[10:]
file_path = os.path.join(self._out_tmp_path, path)
path, name = os.path.split(file_path)
extract_malware = self.malware.add_extract_malware_path(
self.module_cls_name, file_path, name)
Input.analyse_malware(extract_malware)
if 'error' in json_urls['urls'][url]:
content = "{} : {}".format(url,
json_urls['urls'][url]['error'])
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="error",
content_type=Type.STRING,
content=content,
score=-1)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
if 'error' in json_urls:
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="error",
content_type=Type.STRING,
content=json_urls["error"],
score=-1)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_jsunpackn = self.json_decode(self._result)
if not json_jsunpackn:
return
if 'info' in json_jsunpackn:
info = json_jsunpackn['info']
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="info",
content_type=Type.STRING,
content=info,
score=0)
self._malware.get_module_status(self.module_cls_name
).add_indicator(indicator)
if 'sources' in json_jsunpackn:
for source in json_jsunpackn['sources']:
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="source",
content_type=Type.BASE64,
content=source,
score=4)
self._malware.get_module_status(self.module_cls_name
).add_indicator(indicator)
extract_malware = self.malware.add_extract_malware(self.module_cls_name,
base64.b64decode(source))
Input.analyse_malware(extract_malware)
if 'error' in json_jsunpackn:
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="error",
content_type=Type.STRING,
content=json_jsunpackn["error"],
score=-1)
self._malware.get_module_status(self.module_cls_name
).add_indicator(indicator)
def test_attrs(self):
ind = Indicator.factory(module_cls_name="test_module",
name="test_name", content_type=Type.STRING,
content="content", score=4, option="option")
self.assertEqual(ind.module_cls_name, "test_module")
self.assertEqual(ind.name, "test_name")
self.assertEqual(ind.content_type, Type.STRING)
self.assertEqual(ind.content, "content")
self.assertEqual(ind.score, 4)
self.assertEqual(ind.option, "option")
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_jsextract = self.json_decode(self._result)
if not json_jsextract:
return
if 'code' in json_jsextract:
for i, c in enumerate(json_jsextract['code']):
if bool(c[0] and c[0].strip()):
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="code_header",
content_type=Type.BASE64,
content=base64.b64encode(bytes(
c[0], "utf-8")).decode('utf-8'),
option=i,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
if bool(c[1] and c[1].strip()):
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="code_body",
content_type=Type.BASE64,
content=base64.b64encode(bytes(
c[1], "utf-8")).decode('utf-8'),
option=i,
score=0)
extract_malware = self.malware.add_extract_malware(
self.module_cls_name, c[1])
Input.analyse_malware(extract_malware)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
# save all scipts
script_dir = os.path.join(self._out_tmp_path, "extract", "scripts")
for path, subdirs, files in os.walk(script_dir):
for name in files:
script_path = os.path.join(path, name)
with open(script_path, 'r') as script_file:
script_content = script_file.read()
# convert script to b64
codeb64 = base64.b64encode(bytes(script_content,
"utf-8")).decode('utf-8')
script_dict = dict()
script_dict['filename'] = script_path.replace(script_dir,
"")[1:]
script_dict['code'] = codeb64
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="script",
content_type=Type.BASE64,
content=json.dumps(script_dict),
score=0)
self._malware.get_module_status(self.module_cls_name
).add_indicator(indicator)
tar_path = os.path.join(self._out_tmp_path, "out.tar.gz")
remote_tar_path = LamaFtp.upload_from_module(tar_path,
self.malware.analysis_uid,
self.malware.uid,
self.module_cls_name)
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="tar",
content_type=Type.FILE,
content=remote_tar_path,
score=0)
self._malware.get_module_status(self.module_cls_name
).add_indicator(indicator)
def parse_process(self):
if 'processtree' in self._json_cuckoo['behavior']:
proc = self._json_cuckoo['behavior']['processtree']
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="process",
content_type=Type.STRING,
content=json.dumps(proc),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def parse_network(self):
"""
Parse network part
"""
indicator = Indicator.factory(module_cls_name=self._module_cls_name,
name="network",
content_type=Type.JSON,
content=json.dumps(
self._json_cuckoo["network"]),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="name1",
content_type=Type.STRING,
content="content1",
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
def parse_strings(self):
"""
Parse string part
"""
if self._all:
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="_strings",
content_type=Type.JSON,
content=json.dumps(self._json_cuckoo["strings"]),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def parse_buffer(self):
"""
Parse buffer part
"""
if self._all:
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="_buffer",
content_type=Type.JSON,
content=json.dumps(self._json_cuckoo["buffer"]),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
for buff in self._json_cuckoo['buffer']:
if len(buff['yara']):
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="buff_yara",
content_type=Type.JSON,
content=json.dumps(buff['yara']),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def test_case_2(self):
a = Analysis.factory()
for i in range(1, 4):
m = Malware.empty_malware()
m.factory(local_path=TestModels.TEST_FILE,
remote_path="remote_path",
name="malware_filte_test.txt_" + str(i))
a.add_malware(m)
self.assertEqual(len(a.malwares), i)
self.assertEqual(m.nb_module, 0)
self.assertEqual(len(m.module_status), 0)
self.assertEqual(a.is_finish(), False)
for m in a.malwares:
for i in range(1, 4):
ms_name = "test_module_" + str(i)
m.set_module_status(ms_name, ModuleStatus.MODULE_IN_PROGRESS)
m.add_nb_module()
self.assertEqual(m.nb_module, i)
self.assertEqual(len(m.module_status), i)
self.assertEqual(a.is_finish(), False)
m.set_module_status(ms_name, ModuleStatus.MODULE_FINISH)
ms = m.get_module_status(ms_name)
self.assertEqual(len(ms.indicators), 0)
for j in range(1, 4):
ind = Indicator.factory(module_cls_name=ms_name,
name="test_name_" + str(i),
content_type=Type.STRING,
content="content",
score=4,
option="option" + str(i))
ms.add_indicator(ind)
self.assertEqual(len(ms.indicators), j)
self.assertEqual(a.is_finish(), False)
m.set_module_status(ms_name, ModuleStatus.MODULE_REPORTED)
self.assertEqual(a.is_finish(), True)
def test_case_1(self):
a = Analysis.factory()
self.assertEqual(len(a.malwares), 0)
self.assertEqual(a.is_finish(), False)
m = Malware.empty_malware()
m.factory(local_path=TestModels.TEST_FILE,
remote_path="remote_path",
name="malware_filte_test.txt")
a.add_malware(m)
self.assertEqual(len(a.malwares), 1)
self.assertEqual(m.nb_module, 0)
self.assertEqual(len(m.module_status), 0)
self.assertEqual(a.is_finish(), False)
m.set_module_status("test_module", ModuleStatus.MODULE_IN_PROGRESS)
m.add_nb_module()
self.assertEqual(m.nb_module, 1)
self.assertEqual(len(m.module_status), 1)
self.assertEqual(a.is_finish(), False)
m.set_module_status("test_module", ModuleStatus.MODULE_FINISH)
ms = m.get_module_status("test_module")
self.assertEqual(len(ms.indicators), 0)
ind = Indicator.factory(module_cls_name="test_module",
name="test_name",
content_type=Type.STRING,
content="content",
score=4,
option="option")
ms.add_indicator(ind)
self.assertEqual(len(ms.indicators), 1)
self.assertEqual(a.is_finish(), False)
m.set_module_status("test_module", ModuleStatus.MODULE_REPORTED)
self.assertEqual(a.is_finish(), True)
def _get_pcap(self, extract_path):
"""
Retreive PCAP and upload it on FTP server
"""
if os.path.isfile(extract_path + "/dump.pcap"):
pcap_path = LamaFtp.upload_from_module(
extract_path + "/dump.pcap",
self._malware.analysis_uid,
self._malware.uid,
self._module_cls_name,
remote_path=str(self._task_id) + "/pcap")
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="pcap",
content_type=Type.FILE,
content=pcap_path,
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_pe = self.json_decode(self._result)
if not json_pe:
return
tmp_result_file = File.create_tmp_file("peframe.txt", self._result)
remote_path = LamaFtp.upload_from_module(
local_path=tmp_result_file + "/peframe.txt",
analysis_uid=self.malware.analysis_uid,
malware_uid=self.malware.uid,
module_cls_name=self.module_cls_name,
remote_path="",
remote_name="peframe.txt")
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="result_json",
content_type=Type.FILE,
content=remote_path,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# ip_found
if "ip_found" in json_pe:
for ip in json_pe['ip_found']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="ip",
content_type=Type.IP,
content=ip,
score=3)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# url_found
if "url_found" in json_pe:
for url in json_pe['url_found']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="url",
content_type=Type.URL,
content=url,
score=2)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# url_found
if "file_found" in json_pe:
file_found = json_pe['file_found']
# file_found->WebPage
if "Web Page" in file_found:
for webpage in file_found['Web Page']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="webpage",
content_type=Type.URL,
content=webpage,
score=1)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info
if "pe_info" in json_pe and json_pe['pe_info']:
pe_info = json_pe['pe_info']
# pe_info->sections_info
if "sections_info" in pe_info:
for section in pe_info['sections_info']:
score = 3 if section['suspicious'] else 0
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="section_info",
content_type=Type.STRING,
content=section['name'],
score=score)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->detected
if "detected" in pe_info:
for detected in pe_info['detected']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="detected",
content_type=Type.STRING,
content=detected,
score=4)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->packer_info
if "packer_info" in pe_info:
for pack_info in pe_info['packer_info']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="packer_info",
content_type=Type.STRING,
content=pack_info,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->directories
if "directories" in pe_info:
for directorie in pe_info['directories']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="directories",
content_type=Type.STRING,
content=directorie,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->apialert_info
if "apialert_info" in pe_info:
for api in pe_info['apialert_info']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="apialert_info",
content_type=Type.STRING,
content=api,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->antidbg_info
if "antidbg_info" in pe_info:
for antidbg in pe_info['antidbg_info']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="antidbg_info",
content_type=Type.STRING,
content=antidbg,
score=3)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->antivm_info
if "antivm_info" in pe_info:
for antidbg in pe_info['antivm_info']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="antivm_info",
content_type=Type.STRING,
content=antidbg,
score=4)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)