def run(self):
self.key = "tia"
if self.task["category"] != "file":
return None
dictTIA = {'BitDefender': None, 'TrendMicro': None, 'Symantec': None, 'F-Secure': None, 'ESET-NOD32': None, 'DrWeb': None, 'Avira': None, 'AntiVir': None, 'Microsoft': None, 'Sophos': None, 'Panda': None, 'BitDefender': None, 'McAfee': None, 'ClamAV': None}
key = self.options.get("key", None)
if not key:
raise CuckooProcessingError("TIA API key not configured, skip")
response_data = ""
queryStringPart = ""
#print self.results["virustotal"]["results"]
if "results" in self.results["virustotal"]:
for entry in self.results["virustotal"]["results"]:
if entry["sig"] != None:
if entry["vendor"] in dictTIA:
queryStringPart = combineTIAresults(queryStringPart, entry["vendor"], entry["sig"])
#print r.content
if "ClamAV=" not in queryStringPart and self.results["target"]["file"].has_key("clamav") and self.results["target"]["file"]["clamav"]:
queryStringPart = combineTIAresults(queryStringPart,"ClamAV",self.results["target"]["file"]["clamav"])
if queryStringPart != "":
response_data = tia_request(queryStringPart, key)
json_object = []
try:
json_object = json.loads(response_data)
except ValueError, e:
raise CuckooProcessingError("TIA error processing combined JSON: " + response_data)
def run(self):
"""Run Google play unofficial python api the get the google play information
@return: list of google play features
"""
self.key = "googleplay"
googleplay = {}
if ("file" not in self.task["category"]):
return
if ("apk" in choose_package(
File(self.task["target"]).get_type(),
File(self.task["target"]).get_name())):
if not os.path.exists(self.file_path):
raise CuckooProcessingError(
"Sample file doesn't exist: \"%s\"" % self.file_path)
android_id = self.options.get("android_id", None)
google_login = self.options.get("google_login", None)
google_password = self.options.get("google_password", None)
#auth_token = self.options.get("auth_token", None)
if not (android_id or google_login or google_password):
raise CuckooProcessingError(
"Google Play Credentials not configured, skip")
try:
a = apk.APK(self.file_path)
if a.is_valid_APK():
package = a.get_package()
# Connect
api = GooglePlayAPI(android_id)
api.login(google_login, google_password, None)
# Get the version code and the offer type from the app details
app_data = api.details(package)
app_detail = app_data.docV2.details.appDetails
if (app_detail.installationSize == 0):
return googleplay
googleplay["title"] = app_detail.title
googleplay["app_category"] = app_detail.appCategory._values
googleplay["version_code"] = app_detail.versionCode
googleplay["app_type"] = app_detail.appType
googleplay["content_rating"] = app_detail.contentRating
googleplay["developer_email"] = app_detail.developerEmail
googleplay["developer_name"] = app_detail.developerName
googleplay[
"developer_website"] = app_detail.developerWebsite
googleplay[
"installation_size"] = app_detail.installationSize
googleplay["num_downloads"] = app_detail.numDownloads
googleplay["upload_date"] = app_detail.uploadDate
googleplay["permissions"] = app_detail.permission._values
except (IOError, OSError, BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return googleplay
def run(self):
"""Runs VirusTotal processing
@return: full VirusTotal report.
"""
self.key = "virustotal"
if not key:
raise CuckooProcessingError(
"VirusTotal API key not configured, skip")
if processing_conf.virustotal.get("on_demand", False):
log.debug("VT on_demand enabled, returning")
return dict()
target = False
if self.task["category"] == "file" and do_file_lookup:
target = self.file_path
elif self.task["category"] == "url" and do_url_lookup:
target = self.task["target"]
else:
# Not supported type, exit.
return dict()
vt_response = vt_lookup(self.task["category"], target)
if "error" in vt_response:
raise CuckooProcessingError(vt_response["msg"])
return vt_response
def run(self):
"""Runs VirusTotal processing
@return: full VirusTotal report.
"""
self.key = "virustotal"
apikey = self.options.get("key")
timeout = int(self.options.get("timeout", 60))
self.scan = int(self.options.get("scan", 0))
if not apikey:
raise CuckooProcessingError("VirusTotal API key not "
"configured, skipping VirusTotal "
"processing module.")
self.vt = VirusTotalAPI(apikey, timeout)
# Scan the original sample or URL.
if self.task["category"] == "file":
results = self.scan_file(self.file_path)
elif self.task["category"] == "url":
results = self.scan_url(self.task["target"])
else:
raise CuckooProcessingError("Unsupported task category: %s" %
self.task["category"])
# Scan any dropped files that have an interesting filetype.
for row in self.results.get("dropped", []):
if not self.should_scan_file(row["type"]):
continue
row["virustotal"] = self.scan_file(row["path"], summary=True)
return results
def process_pcap_binary(self):
"""Process a PCAP file with Suricata by running Suricata.
Using the socket mode is preferred as the plain binary mode requires
Suricata to load all its rules for every PCAP file and thus takes a
couple of performance heavy seconds to set itself up.
"""
if not os.path.isfile(self.suricata):
raise CuckooProcessingError("Unable to locate Suricata binary")
if not os.path.isfile(self.config_path):
raise CuckooProcessingError(
"Unable to locate Suricata configuration")
args = [
self.suricata,
"-c", self.config_path,
"-k", "none",
"-l", self.suricata_path,
"-r", self.pcap_path,
]
try:
subprocess.check_call(args)
except subprocess.CalledProcessError as e:
raise CuckooProcessingError(
"Suricata returned an error processing this pcap: %s" % e)
def run(self):
"""Run debug analysis.
@return: debug information dict.
"""
self.key = "debug"
debug = {"log": [], "cuckoo": [], "errors": []}
if os.path.exists(self.log_path):
try:
f = codecs.open(self.log_path, "rb", "utf-8")
debug["log"] = f.readlines()
except ValueError as e:
raise CuckooProcessingError("Error decoding %s: %s" %
(self.log_path, e))
except (IOError, OSError) as e:
raise CuckooProcessingError("Error opening %s: %s" %
(self.log_path, e))
if os.path.exists(self.cuckoolog_path):
debug["cuckoo"] = Logfile(self.cuckoolog_path)
for error in Database().view_errors(int(self.task["id"])):
debug["errors"].append(error.message)
if os.path.exists(self.mitmerr_path):
mitmerr = open(self.mitmerr_path, "rb").read()
if mitmerr:
debug["errors"].append(mitmerr)
return debug
def run(self):
"""Run extract of printable strings.
@return: list of printable strings.
"""
self.key = "strings"
strings = []
if self.task["category"] in ("file", "static"):
if not os.path.exists(self.file_path):
raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" % self.file_path)
try:
data = open(self.file_path, "rb").read()
except (IOError, OSError) as e:
raise CuckooProcessingError("Error opening file %s" % e)
nulltermonly = self.options.get("nullterminated_only", True)
minchars = self.options.get("minchars", 5)
endlimit = b""
if not HAVE_RE2:
endlimit = b"8192"
if nulltermonly:
apat = b"([\x20-\x7e]{" + str(minchars).encode("utf-8") + b"," + endlimit + b"})\x00"
upat = b"((?:[\x20-\x7e][\x00]){" + str(minchars).encode("utf-8") + b"," + endlimit + b"})\x00\x00"
else:
apat = b"[\x20-\x7e]{" + str(minchars).encode("utf-8") + b"," + endlimit + b"}"
upat = b"(?:[\x20-\x7e][\x00]){" + str(minchars).encode("utf-8") + b"," + endlimit + b"}"
strings = [bytes2str(string) for string in re.findall(apat, data)]
for ws in re.findall(upat, data):
strings.append(str(ws.decode("utf-16le")))
return strings
def run(self):
"""Run extract of printable strings.
@return: list of printable strings.
"""
self.key = "strings"
strings = []
if self.task["category"] == "file":
if not os.path.exists(self.file_path):
raise CuckooProcessingError(
"Sample file doesn't exist: \"%s\"" % self.file_path)
try:
data = open(self.file_path, "rb").read()
except (IOError, OSError) as e:
raise CuckooProcessingError("Error opening file %s" % e)
nulltermonly = self.options.get("nullterminated_only", True)
minchars = self.options.get("minchars", 5)
if nulltermonly:
apat = "([\x20-\x7e]{" + str(minchars) + ",})\x00"
upat = "((?:[\x20-\x7e][\x00]){" + str(
minchars) + ",})\x00\x00"
else:
apat = "[\x20-\x7e]{" + str(minchars) + ",}"
upat = "(?:[\x20-\x7e][\x00]){" + str(minchars) + ",}"
strings = re.findall(apat, data)
for ws in re.findall(upat, data):
strings.append(str(ws.decode("utf-16le")))
return strings
def run(self):
"""Run androguard to extract static android information
@return: list of static features
"""
self.key = "apkinfo"
apkinfo = {}
if "file" not in self.task["category"] or not HAVE_ANDROGUARD:
return
f = File(self.task["target"])
if f.get_name().endswith((".zip", ".apk")) or "zip" in f.get_type():
if not os.path.exists(self.file_path):
raise CuckooProcessingError(
"Sample file doesn't exist: \"%s\"" % self.file_path)
try:
a = APK(self.file_path)
if a.is_valid_APK():
manifest = {}
apkinfo["files"] = self._apk_files(a)
manifest["package"] = a.get_package()
# manifest["permissions"]=a.get_details_permissions_new()
manifest["main_activity"] = a.get_main_activity()
manifest["activities"] = a.get_activities()
manifest["services"] = a.get_services()
manifest["receivers"] = a.get_receivers()
# manifest["receivers_actions"]=a.get__extended_receivers()
manifest["providers"] = a.get_providers()
manifest["libraries"] = a.get_libraries()
apkinfo["manifest"] = manifest
# apkinfo["certificate"] = a.get_certificate()
static_calls = {}
if self.check_size(apkinfo["files"]):
vm = DalvikVMFormat(a.get_dex())
vmx = uVMAnalysis(vm)
static_calls["all_methods"] = self.get_methods(vmx)
static_calls[
"is_native_code"] = analysis.is_native_code(vmx)
static_calls["is_dynamic_code"] = analysis.is_dyn_code(
vmx)
static_calls[
"is_reflection_code"] = analysis.is_reflection_code(
vmx)
# static_calls["dynamic_method_calls"]= analysis.get_show_DynCode(vmx)
# static_calls["reflection_method_calls"]= analysis.get_show_ReflectionCode(vmx)
# static_calls["permissions_method_calls"]= analysis.get_show_Permissions(vmx)
# static_calls["crypto_method_calls"]= analysis.get_show_CryptoCode(vmx)
# static_calls["native_method_calls"]= analysis.get_show_NativeMethods(vmx)
else:
log.warning("Dex size bigger than: %s",
self.options.decompilation_threshold)
apkinfo["static_method_calls"] = static_calls
except (IOError, OSError, BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return apkinfo
def run(self):
"""Runs VirusTotal processing
@return: full VirusTotal report.
"""
self.key = "virustotal"
virustotal = []
key = self.options.get("key", None)
timeout = self.options.get("timeout", 60)
if not key:
raise CuckooProcessingError("VirusTotal API key not "
"configured, skip")
if self.task["category"] == "file":
if not os.path.exists(self.file_path):
raise CuckooProcessingError(
"File {0} not found, skipping it".format(self.file_path))
resource = File(self.file_path).get_md5()
url = VIRUSTOTAL_FILE_URL
elif self.task["category"] == "url":
resource = self.task["target"]
url = VIRUSTOTAL_URL_URL
else:
# Not supported type, exit.
return virustotal
data = urllib.urlencode({"resource": resource, "apikey": key})
try:
request = urllib2.Request(url, data)
response = urllib2.urlopen(request, timeout=int(timeout))
response_data = response.read()
except urllib2.URLError as e:
raise CuckooProcessingError("Unable to establish connection "
"to VirusTotal: {0}".format(e))
except urllib2.HTTPError as e:
raise CuckooProcessingError("Unable to perform HTTP request to "
"VirusTotal "
"(http code={0})".format(e.code))
try:
virustotal = json.loads(response_data)
except ValueError as e:
raise CuckooProcessingError("Unable to convert response to "
"JSON: {0}".format(e))
if "scans" in virustotal:
items = virustotal["scans"].items()
virustotal["scans"] = dict((engine.replace(".", "_"), signature)
for engine, signature in items)
return virustotal
def run(self, results):
self.moloch_capture = \
self.options.get("moloch_capture", "/data/moloch/bin/moloch-capture")
self.config_path = self.options.get("conf",
"/data/moloch/etc/config.ini")
self.instance = self.options.get("instance", "cuckoo")
if not os.path.isfile(self.pcap_path):
log.warning("Unable to run Moloch as no pcap is available")
return
if not os.path.isfile(self.moloch_capture):
raise CuckooProcessingError("Unable to locate Moloch binary")
if not os.path.isfile(self.config_path):
raise CuckooProcessingError(
"Unable to locate Moloch configuration")
args = [
self.moloch_capture,
"-c",
self.config_path,
"-r",
self.pcap_path,
"-n",
self.instance,
"-q",
]
tags = {}
tags[self.instance] = self.task["id"]
if self.task["category"] == "file":
# Tag file hashes.
f = results.get("target", {}).get("file", {})
for field in ("md5", "sha1", "sha256", "sha512"):
if field in f:
tags[field] = f[field]
# Tag normalized VirusTotal results.
for variant in results.get("virustotal", {}).get("normalized", []):
tags["virustotal"] = variant
for key, value in tags.items():
args += [
"-t",
"%s:%s" % (key, value),
]
try:
subprocess.check_call(args)
except subprocess.CalledProcessError as e:
raise CuckooProcessingError("Error submitting PCAP to Moloch: %s" %
e)
def had_timeout(self):
""" Test if the analysis had a timeout
"""
if os.path.exists(self.log_path):
try:
analysis_log = codecs.open(self.log_path, "rb", "utf-8").read()
except ValueError as e:
raise CuckooProcessingError("Error decoding %s: %s" % (self.log_path, e))
except (IOError, OSError) as e:
raise CuckooProcessingError("Error opening %s: %s" % (self.log_path, e))
else:
if "INFO: Analysis timeout hit, terminating analysis" in analysis_log:
return True
return False
def run(self):
self.key = "reversinglabs"
if not processing_conf.reversinglabs.key:
raise CuckooProcessingError(
"ReversingLabs API key not configured, skipping")
if self.task["category"] not in ("file", "static"):
return {}
target = self.task["target"]
log.debug(f"Looking up: {target}")
reversing_labs_response = reversing_labs_lookup(target)
if "error" in reversing_labs_response:
raise CuckooProcessingError(reversing_labs_response["msg"])
return reversing_labs_response
def had_timeout(self):
"""Test if the analysis had a timeout"""
if os.path.exists(self.log_path):
try:
with codecs.open(self.log_path, "rb", "utf-8") as f:
analysis_log = f.read()
if "INFO: Analysis timeout hit, terminating analysis" in analysis_log:
return True
except ValueError as e:
raise CuckooProcessingError(
f"Error decoding {self.log_path}: {e}") from e
except (IOError, OSError) as e:
raise CuckooProcessingError(
f"Error opening {self.log_path}: {e}") from e
return False
def run(self):
"""Run extract of printable strings.
@return: list of printable strings.
"""
self.key = "droidmon"
if ("file" not in self.task["category"]):
return self.droidmon
#if not("apk" in choose_package(File(self.task["target"]).get_type(),File(self.task["target"]).get_name())):
# return api_calls_map
results = {}
log_path = self.logs_path + "/droidmon.log"
if not os.path.exists(log_path):
return results
try:
with open(log_path) as log_file:
for line in log_file:
try:
api_call = json.loads(line)
self.droidmon["raw"].append(self.keyCleaner(api_call))
call = api_call["class"] + "_" + api_call["method"]
call = call.replace(".", "_")
call = call.replace("$", "_")
try:
func = getattr(self, call)
func(api_call)
except Exception as e:
self.droidmon["error"].append(e.message + " " +
line)
except Exception as e:
log.error(
CuckooProcessingError(
"error parsing json line: %s" % line +
" error" + e.message))
except Exception as e:
raise CuckooProcessingError("Error opening file %s" % e)
for key in self.droidmon.keys():
if len(self.droidmon[key]) > 0:
if type(self.droidmon[key]) is list:
results[key] = self.droidmon[key]
else:
results[key] = list(self.droidmon[key])
return results
def run(self):
"""Run analysis.
@return: the number of engines that detected as a malware.
"""
self.key = "teamcymru"
response = 'NO_DATA'
if self.task["category"] == "file":
if not os.path.exists(self.file_path):
raise CuckooProcessingError("File {0} not found, skip".format(self.file_path))
md5_hash = File(self.file_path).get_md5()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("hash.cymru.com", 43))
sock.send(md5_hash + "\r\n")
while True:
d = sock.recv(4096)
response += d
if d == '':
break
sock.close()
response = response.split(" ")[2].split("\n")[0]
if response != "NO_DATA":
return "%s%%" % response
else:
return response
def run(self):
self.key = "sysmon"
# Determine oldest sysmon log and remove the rest
lastlog = os.listdir("%s/sysmon/" % self.analysis_path)
lastlog.sort()
lastlog = lastlog[-1]
# Leave only the most recent file
for f in os.listdir("%s/sysmon/" % self.analysis_path):
if f != lastlog:
try:
os.remove("%s/sysmon/%s" % (self.analysis_path, f))
except:
log.error("Failed to remove sysmon file log %s" % f)
os.rename("%s/sysmon/%s" % (self.analysis_path, lastlog),
"%s/sysmon/sysmon.xml" % self.analysis_path)
data = None
try:
xml = open("%s/sysmon/sysmon.xml" % self.analysis_path).read()
xml = xml.decode("latin1").encode("utf8")
data = xmltodict.parse(xml)["Events"]["Event"]
except Exception as e:
raise CuckooProcessingError("Failed parsing sysmon.xml: %s" %
e.message)
return self.remove_noise(data)
def run(self):
self.key = "sysmon"
# Determine oldest sysmon log and remove the rest
lastlog = os.listdir("%s/sysmon/" % self.analysis_path)
lastlog.sort()
lastlog = lastlog[-1]
# Leave only the most recent file
for f in os.listdir("%s/sysmon/" % self.analysis_path):
if f != lastlog:
try:
os.remove("%s/sysmon/%s" % (self.analysis_path, f))
except:
log.error("Failed to remove sysmon file log %s" % f)
os.rename("%s/sysmon/%s" % (self.analysis_path, lastlog),
"%s/sysmon/sysmon.xml" % self.analysis_path)
data = None
try:
tree = ET.parse("%s/sysmon/sysmon.xml" % self.analysis_path)
root = tree.getroot()
data = parseXmlToJson(root.attrib)
except Exception as e:
raise CuckooProcessingError(
"Failed parsing sysmon.xml with ET: %s" % e.message)
if root is False:
return
data = self.remove_noise(data)
log.debug(data)
return data
def do_strings(self):
if self.voptions.basic.dostrings:
try:
data = open(self.memfile, "rb").read()
except (IOError, OSError, MemoryError) as e:
raise CuckooProcessingError(f"Error opening file {e}")
nulltermonly = self.voptions.basic.get(
"strings_nullterminated_only", True)
minchars = str(self.voptions.basic.get("strings_minchars",
5)).encode()
if nulltermonly:
apat = b"([\x20-\x7e]{" + minchars + b",})\x00"
upat = b"((?:[\x20-\x7e][\x00]){" + minchars + b",})\x00\x00"
else:
apat = b"[\x20-\x7e]{" + minchars + b",}"
upat = b"(?:[\x20-\x7e][\x00]){" + minchars + b",}"
strings = re.findall(apat, data)
for ws in re.findall(upat, data):
strings.append(ws.decode("utf-16le").encode())
f = open(f"{self.memfile}.strings", "wb")
f.write(b"\n".join(strings))
f.close()
return f"{self.memfile}.strings"
return None
def run(self):
"""Run extract of trid output.
@return: list of trid output.
"""
self.key = "trid"
strings = []
if self.task["category"] in ("file", "static"):
if not os.path.exists(self.file_path):
raise CuckooProcessingError(
"Sample file doesn't exist: {}".format(self.file_path))
trid_binary = os.path.join(CUCKOO_ROOT,
self.options.get("identifier", "trid/trid"))
definitions = os.path.join(
CUCKOO_ROOT, self.options.get("definitions", "trid/triddefs.trd"))
try:
output = subprocess.check_output(
[trid_binary,
"-d:%s" % definitions, self.file_path],
stderr=subprocess.STDOUT,
universal_newlines=True)
strings = output.split("\n")
# trim data
strings = strings[6:-1]
except subprocess.CalledProcessError:
log.warning(
"You need to configure your server to make TrID work properly")
log.warning(
"sudo rm -f /usr/lib/locale/locale-archive && sudo locale-gen --no-archive"
)
return strings
def run(self):
"""Run extract of trid output.
@return: list of trid output.
"""
self.key = "trid"
strings = []
if self.task["category"] in ("file", "static"):
if not os.path.exists(self.file_path):
raise CuckooProcessingError(
"Sample file doesn't exist: {}".format(self.file_path))
trid_binary = os.path.join(
CUCKOO_ROOT, self.options.get("identifier", "trid/trid"))
definitions = os.path.join(
CUCKOO_ROOT,
self.options.get("definitions", "trid/triddefs.trd"))
output = subprocess.check_output(
[trid_binary, "-d:%s" % definitions, self.file_path],
stderr=subprocess.STDOUT)
strings = output.split('\n')
# trim data
strings = strings[6:-1]
return strings
def run(self):
"""Run extract of trid output.
@return: list of trid output.
"""
self.key = "trid"
strings = []
if self.task["category"] == "file":
if not os.path.exists(self.file_path):
raise CuckooProcessingError(
"Sample file doesn't exist: \"%s\"" % self.file_path)
trid_binary = self.options.get("identifier",
"/home/cuckoo/trid/trid")
definitions = self.options.get("definitions",
"/home/cuckoo/trid/triddefs.trd")
output = subprocess.check_output(
[trid_binary,
"-d:%s" % definitions, self.file_path],
stderr=subprocess.STDOUT)
strings = output.split('\n')
# trim data
strings = strings[6:-1]
return strings
def extract_strings(path, nulltermonly, minchars):
strings = []
try:
data = open(path, "rb").read()
except (IOError, OSError) as e:
raise CuckooProcessingError(f"Error opening file {e}")
endlimit = b""
if not HAVE_RE2:
endlimit = b"8192"
if nulltermonly:
apat = b"([\x20-\x7e]{" + str(
minchars).encode() + b"," + endlimit + b"})\x00"
upat = b"((?:[\x20-\x7e][\x00]){" + str(
minchars).encode() + b"," + endlimit + b"})\x00\x00"
else:
apat = b"[\x20-\x7e]{" + str(
minchars).encode() + b"," + endlimit + b"}"
upat = b"(?:[\x20-\x7e][\x00]){" + str(
minchars).encode() + b"," + endlimit + b"}"
strings = [bytes2str(string) for string in re.findall(apat, data)]
for ws in re.findall(upat, data):
strings.append(str(ws.decode("utf-16le")))
return strings
def do_strings(self):
strings_path = None
if self.voptions.basic.dostrings:
try:
data = open(self.memfile, "rb").read()
except (IOError, OSError) as e:
raise CuckooProcessingError("Error opening file %s" % e)
nulltermonly = self.voptions.basic.get(
"strings_nullterminated_only", True)
minchars = self.voptions.basic.get("strings_minchars", 5)
if nulltermonly:
apat = "([\x20-\x7e]{" + str(minchars) + ",})\x00"
upat = "((?:[\x20-\x7e][\x00]){" + str(
minchars) + ",})\x00\x00"
else:
apat = "[\x20-\x7e]{" + str(minchars) + ",}"
upat = "(?:[\x20-\x7e][\x00]){" + str(minchars) + ",}"
strings = re.findall(apat, data)
for ws in re.findall(upat, data):
strings.append(str(ws.decode("utf-16le")))
data = None
f = open(self.memfile + ".strings", "w")
f.write("\n".join(strings))
f.close()
def get_package(self):
""" Get the actually used package name
"""
package = self.task["package"]
if not package and os.path.exists(self.log_path):
try:
analysis_log = codecs.open(self.log_path, "rb", "utf-8").read()
except ValueError as e:
raise CuckooProcessingError("Error decoding %s: %s" % (self.log_path, e))
except (IOError, OSError) as e:
raise CuckooProcessingError("Error opening %s: %s" % (self.log_path, e))
else:
try:
idx = analysis_log.index('INFO: Automatically selected analysis package "')
package = analysis_log[idx + 47 :].split('"', 1)[0]
except:
pass
return package
def combineTIAresults(responsedata, tmpString):
if is_json(tmpString):
if responsedata == "":
responsedata = "[" + tmpString
else:
responsedata = responsedata + "," + tmpString
else:
CuckooProcessingError("TIA error processing JSON: " + tmpString)
return responsedata
def process_pcap_socket(self):
"""Process a PCAP file with Suricata in socket mode."""
if not HAVE_SURICATASC:
raise CuckooProcessingError(
"Suricata has been configured to run in socket mode but "
"suricatasc has not been installed, please re-install "
"Suricata or SuricataSC")
if not os.path.exists(self.socket):
raise CuckooProcessingError(
"Suricata has been configured to run in socket mode "
"but the socket is unavailable")
suri = suricatasc.SuricataSC(self.socket)
try:
suri.connect()
except suricatasc.SuricataException as e:
raise CuckooProcessingError("Error connecting to Suricata in "
"socket mode: %s" % e)
# Submit the PCAP file.
ret = suri.send_command("pcap-file", {
"filename": self.pcap_path,
"output-dir": self.suricata_path,
})
if not ret or ret["return"] != "OK":
raise CuckooProcessingError(
"Error submitting PCAP file to Suricata in socket mode, "
"return value: %s" % ret)
# TODO Should we add a timeout here? If we do so we should also add
# timeout logic to the binary mode.
while True:
ret = suri.send_command("pcap-current")
# When the pcap file has been processed the "current pcap" file
# will be none.
if ret and ret["message"] == "None":
break
time.sleep(1)
def tia_request(vendorQueryString, apikey): #performs HTTP GET against TIA API and returns results
url = "https://threatintelligenceaggregator.org/api/v1/MultipleRequests/?" + vendorQueryString
data = {"ApiKey": apikey}
timeout = 60
try:
r = requests.get(url, params=data, verify=True, timeout=timeout) #set verify=False to bypass certificate verification
except requests.exceptions.RequestException as e:
raise CuckooProcessingError("Unable to complete connection to TIA: {0}".format(e))
return r.content
def run(self):
"""Run extract of printable strings.
@return: list of printable strings.
"""
self.key = "strings"
strings = []
if self.task["category"] == "file":
if not os.path.exists(self.file_path):
raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" % self.file_path)
try:
data = open(self.file_path, "r").read()
except (IOError, OSError) as e:
raise CuckooProcessingError("Error opening file %s" % e)
strings = re.findall("[\x1f-\x7e]{6,}", data)
strings += [str(ws.decode("utf-16le")) for ws in re.findall("(?:[\x1f-\x7e][\x00]){6,}", data)]
return strings
def run(self):
"""Run debug analysis.
@return: debug information dict.
"""
self.key = "debug"
debug = {"log": "", "errors": []}
if os.path.exists(self.log_path):
try:
debug["log"] = codecs.open(self.log_path, "rb", "utf-8").read()
except ValueError as e:
raise CuckooProcessingError(f"Error decoding {self.log_path}: {e}")
except (IOError, OSError) as e:
raise CuckooProcessingError(f"Error opening {self.log_path}: {e}")
for error in Database().view_errors(int(self.task["id"])):
debug["errors"].append(error.message)
return debug
