예제 #1
0
 def addAnalysis(self):
     """Adds analysis header."""
     analysis = maec.AnalysisType(
         id="%s:ana:1" % self.idMap['prefix'],
         analysis_method='Dynamic',
         start_datetime=datetime_to_iso(self.results["info"]["started"]),
         complete_datetime=datetime_to_iso(self.results["info"]["ended"]),
         lastupdate_datetime=datetime_to_iso(self.results["info"]["ended"]))
     # Add tool
     analysis.set_Tools_Used(self.createTools())
     # Add subject
     analysis.add_Subject(self.createSubject(self.results['file']))
     self.analyses.add_Analysis(analysis)
예제 #2
0
파일: maec11.py 프로젝트: BwRy/test-av
 def addAnalysis(self):
     """Adds analysis header."""
     analysis = maec.AnalysisType(
                             id = "%s:ana:1" % self.idMap['prefix'],
                             analysis_method = 'Dynamic',
                             start_datetime = datetime_to_iso(self.results["info"]["started"]),
                             complete_datetime = datetime_to_iso(self.results["info"]["ended"]),
                             lastupdate_datetime = datetime_to_iso(self.results["info"]["ended"])
                             )
     # Add tool
     analysis.set_Tools_Used(self.createTools())
     # Add subject
     analysis.add_Subject(self.createSubject(self.results['file']))
     self.analyses.add_Analysis(analysis)
예제 #3
0
    def addMetadata(self):
        """Generates header for MAEC xml and root components."""
        if self.results["target"]["category"] == "file":
            id = "cuckoo:%s" % self.results["target"]["file"]["md5"]
        elif self.results["target"]["category"] == "url":
            id = "cuckoo:%s" % hashlib.md5(
                self.results["target"]["url"]).hexdigest()
        else:
            raise CuckooReportError("Unknown target type")

        self.m = maec.malwareMetaData(
            version="1.1",
            id=id,
            author="Cuckoo Sandbox %s" % self.results["info"]["version"],
            comment=
            "Report created with Cuckoo Sandbox %s automated and open source malware sandbox: http://www.cuckoosandbox.org"
            % self.results["info"]["version"],
            timestamp=datetime_to_iso(self.results["info"]["started"]))
        # Objects
        self.objects = maec.objectsType()
        self.m.set_objects(self.objects)
        # Object Properties
        self.properties = maec.objectPropertiesType()
        self.m.set_objectProperties(self.properties)
        # Relationships
        self.relationships = maec.relationshipsType()
        self.m.set_relationships(self.relationships)
예제 #4
0
파일: mmdef.py 프로젝트: 1000rub/cuckoo
    def addMetadata(self):
        """Generates header for MAEC xml and root components."""
        if self.results["target"]["category"] == "file":
            id = "cuckoo:%s" % self.results["target"]["file"]["md5"]
        elif self.results["target"]["category"] == "url":
            id = "cuckoo:%s" % hashlib.md5(self.results["target"]["url"]).hexdigest()
        else:
            raise CuckooReportError("Unknown target type")

        self.m = maec.malwareMetaData(
            version="1.1",
            id=id,
            author="Cuckoo Sandbox %s" % self.results["info"]["version"],
            comment="Report created with Cuckoo Sandbox %s automated and open source malware sandbox: http://www.cuckoosandbox.org" % self.results["info"]["version"],
            timestamp=datetime_to_iso(self.results["info"]["started"])
        )
        # Objects
        self.objects = maec.objectsType()
        self.m.set_objects(self.objects)
        # Object Properties
        self.properties = maec.objectPropertiesType()
        self.m.set_objectProperties(self.properties)
        # Relationships
        self.relationships = maec.relationshipsType()
        self.m.set_relationships(self.relationships)
예제 #5
0
    def addWrapper(self):
        """Generates MMDEF malwareMetaData structure."""
        self.idMap['prefix'] = "mmdef:%s" % self.results['file']['md5']

        # Generate the outer xml container and add meta data
        self.m = mmdef.malwareMetaData(
                                id = "%s:bnd:1" % self.idMap['prefix'], 
                                version='1.2'
                                )
        self.m.set_author("Cuckoo Automated Analysis")
        self.m.set_comment("Cuckoo Automated Analysis from Cuckoo "+self.results['info']['version'])
        self.m.set_company("N/A")
        self.m.set_timestamp(datetime_to_iso(self.results["info"]["ended"]))

        # add all of the objects (registry keys, hosts, files, etc that were accessed)
        self.objects = mmdef.objectsType()
        self.m.set_objects(self.objects)
        
        #object properties
        self.objectProperties = mmdef.objectPropertiesType()
        self.m.set_objectProperties(self.objectProperties)
        
        
        # relationships
        self.addedRelationships = [] # use this to prevent duplicate relationships
        self.relationships = mmdef.relationshipsType()
        self.m.set_relationships(self.relationships)
예제 #6
0
 def addAnalysis(self):
     """Adds analysis header."""
     analysis = maec.AnalysisType(
                             id = "%s:ana:1" % self.idMap["prefix"],
                             analysis_method = "Dynamic",
                             start_datetime = datetime_to_iso(self.results["info"]["started"]),
                             complete_datetime = datetime_to_iso(self.results["info"]["ended"]),
                             lastupdate_datetime = datetime_to_iso(self.results["info"]["ended"])
                             )
     # Add tool
     analysis.set_Tools_Used(self.createTools())
     # Add subject
     if self.results["target"]["category"] == "file":
         analysis.add_Subject(self.createSubjectFile(self.results["target"]["file"]))
     elif self.results["target"]["category"] == "url":
         analysis.add_Subject(self.createSubjectUrl(self.results["target"]["url"]))
     
     self.analyses.add_Analysis(analysis)
예제 #7
0
파일: maec11.py 프로젝트: xarly/cuckoo
    def addAnalysis(self):
        """Adds analysis header."""
        analysis = maec.AnalysisType(
            id="%s:ana:1" % self.idMap["prefix"],
            analysis_method="Dynamic",
            start_datetime=datetime_to_iso(self.results["info"]["started"]),
            complete_datetime=datetime_to_iso(self.results["info"]["ended"]),
            lastupdate_datetime=datetime_to_iso(self.results["info"]["ended"]))
        # Add tool
        analysis.set_Tools_Used(self.createTools())
        # Add subject
        if self.results["target"]["category"] == "file":
            analysis.add_Subject(
                self.createSubjectFile(self.results["target"]["file"]))
        elif self.results["target"]["category"] == "url":
            analysis.add_Subject(
                self.createSubjectUrl(self.results["target"]["url"]))

        self.analyses.add_Analysis(analysis)
예제 #8
0
파일: metadata.py 프로젝트: BwRy/test-av
 def addMetadata(self):
     """Generates header for MAEC xml and root components."""
     self.m = maec.malwareMetaData(
         version = "1.1",
         id = "cuckoo:%s" % self.results['file']['md5'],
         author = "Cuckoo Sandbox %s" % self.results["info"]["version"],
         comment = "Report created with Cuckoo Sandbox %s automated and open source malware sandbox: http://www.cuckoosandbox.org" % self.results["info"]["version"],
         timestamp = datetime_to_iso(self.results["info"]["started"])
     )
     # Objects
     self.objects = maec.objectsType()
     self.m.set_objects(self.objects)
     # Object Properties
     self.properties = maec.objectPropertiesType()
     self.m.set_objectProperties(self.properties)
     # Relationships
     self.relationships = maec.relationshipsType()
     self.m.set_relationships(self.relationships)
예제 #9
0
 def addMetadata(self):
     """Generates header for MAEC xml and root components."""
     self.m = maec.malwareMetaData(
         version="1.1",
         id="cuckoo:%s" % self.results['file']['md5'],
         author="Cuckoo Sandbox %s" % self.results["info"]["version"],
         comment=
         "Report created with Cuckoo Sandbox %s automated and open source malware sandbox: http://www.cuckoosandbox.org"
         % self.results["info"]["version"],
         timestamp=datetime_to_iso(self.results["info"]["started"]))
     # Objects
     self.objects = maec.objectsType()
     self.m.set_objects(self.objects)
     # Object Properties
     self.properties = maec.objectPropertiesType()
     self.m.set_objectProperties(self.properties)
     # Relationships
     self.relationships = maec.relationshipsType()
     self.m.set_relationships(self.relationships)
예제 #10
0
    def run(self, results):
        """CENTS reporting module
        - checks if we have a extracted config
        - checks if we have a parser for the malware family
        - if yes it proceeds and tries to create Suricata rules for the malware family
        - writes a new rule file to the reports_path

        :param results: Cuckoo results dict.
        :type results: `dict`
        :raise CuckooReportError: if fails to write rules file.
        """
        rule_list = []
        md5 = results.get("target", {}).get("file",
                                            {}).get("md5",
                                                    "")  # md5 of the sample
        date = (datetime_to_iso(results.get("info", {}).get(
            "started",
            "")).split("T", 1)[0].replace("-",
                                          "_"))  # timestamp of the sample run
        task_id = int(results.get("info",
                                  {}).get("id",
                                          0))  # task id of the analysis run
        task_link = f"{self.hostname}/analysis/{task_id}/"
        if self.hostname.endswith("/"):
            task_link = f"{self.hostname}analysis/{task_id}/"
        configs = results.get("CAPE", {}).get("configs", [])
        results["info"]["has_cents_rules"] = False
        if not configs:
            # no config extracted, nothing to do for CENTS
            return

        # sometimes there is more than one extracted config that is identical
        configs_dedup = []
        for entry in configs:
            if entry in configs_dedup:
                continue
            configs_dedup.append(entry)

        for config in configs_dedup:
            if not config or not isinstance(config, dict):
                continue
            for config_name, config_dict in config.items():
                rules = None
                if config_name == "Remcos":
                    rules = cents_remcos(config_dict, self.sid_counter, md5,
                                         date, task_link)
                elif config_name == "SquirrelWaffle":
                    rules = cents_squirrelwaffle(config_dict, self.sid_counter,
                                                 md5, date, task_link)
                elif config_name == "TrickBot":
                    rules = cents_trickbot(config_dict,
                                           results.get("suricata",
                                                       {}), self.sid_counter,
                                           md5, date, task_link)
                else:
                    # config for this family not implemented yet
                    log.debug(
                        "[CENTS] Config for family %s not implemented yet",
                        config_name)
                    continue

                if rules:
                    log.debug("[CENTS] Created %d rule(s) for %s", len(rules),
                              config_name)
                    self.sid_counter += len(rules)
                    rule_list += rules
                else:
                    log.warning(
                        "[CENTS] Found config for %s, but couldn't create rules",
                        config_name)

        if not rule_list:
            # no rules have been created
            return

        try:
            with open(os.path.join(self.reports_path, "cents.rules"),
                      "w") as f:
                # header lines
                f.write("# This ruleset has been automatically generated\n")
                f.write("# CENTS\n")
                f.write(f"# Created {len(rule_list)} rules.\n")
                # rules
                for line in rule_list:
                    f.write(f"{line}\n")
                log.info("[CENTS] Wrote %d rule(s) to rule file at: %s",
                         len(rule_list), f.name)
                results["info"]["has_cents_rules"] = True
        except IOError as e:
            raise CuckooReportError(f"Failed to generate CENTS report: {e}")
예제 #11
0
 def test_convert_date(self):
     assert_equal("2000-01-01T11:43:35", utils.datetime_to_iso("2000-01-01 11:43:35"))
예제 #12
0
 def test_convert_date(self):
     assert_equal("2000-01-01T11:43:35", utils.datetime_to_iso("2000-01-01 11:43:35"))