file_object.add_attribute("size-in-bytes", value=raw_report["size"])

        if ("exiftool" in raw_report["additional_info"]):
            file_object.add_attribute(
                "mimetype",
                value=raw_report["additional_info"]["exiftool"]["MIMEType"])

        for filename in raw_report["submission_names"]:
            file_object.add_attribute("filename", value=filename)

        file_object.add_attribute("state",
                                  value="Malicious",
                                  to_ids=False,
                                  disable_correlation=True)

        vtreport.add_reference(referenced_uuid=file_object.uuid,
                               relationship_type="annotates")

        urls = []
        for url in raw_report["ITW_urls"]:
            parsed = urlsplit(url)
            url_object = GenericObjectGenerator('url')
            url_object.add_attribute("url", value=parsed.geturl())
            url_object.add_attribute("host", value=parsed.hostname)
            url_object.add_attribute("scheme", value=parsed.scheme)
            url_object.add_attribute("port", value=parsed.port)
            file_object.add_reference(referenced_uuid=url_object.uuid,
                                      relationship_type="downloaded-from")
            me.add_object(url_object)

        me.add_object(file_object)
        me.add_object(vtreport)
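def addSampleByHash(hashes, event):
    """Fetch a MalwareBazaar sample by hash and add it to *event* as a MISP ``file`` object.

    Args:
        hashes: either a single hash string, or a list whose first element is the
            hash to fetch. The remaining list elements are the hashes of the
            samples currently being processed further up the recursion; they are
            used to break ``drops`` / ``dropped_by`` cycles between samples.
        event: the MISP event the sample object and its related attributes are
            added to.

    Returns:
        The object returned by ``event.add_object`` for the new sample, or
        ``None`` when no usable hash was supplied or ``_getSampleJson`` returned
        nothing.

    Side effects:
        Registers the new object in the module-level ``samples`` dict (keyed by
        hash) and every new attribute in the module-level ``attributes`` dict
        (keyed by attribute value); recurses for referenced samples that are not
        yet represented in the event.

    Changes versus the previous version: a cross-reference (``drops`` /
    ``dropped-by``) is now also added when the referenced sample already exists
    in ``samples`` (previously it was only added when the recursion created it
    during this call), and an empty / unsupported ``hashes`` argument returns
    ``None`` instead of looking up an empty hash or raising ``IndexError``.
    """
    # Normalise the argument into (hash to fetch, ancestry list).
    if isinstance(hashes, str):
        sample_hash = hashes
        hashes = [sample_hash]
    elif isinstance(hashes, list) and hashes:
        sample_hash = hashes[0]
    else:
        return None

    sample_json = _getSampleJson(sample_hash)
    if sample_json is None:
        return None

    sampl = GenericObjectGenerator('file')

    # Hashes are the actionable indicators; everything else is descriptive only.
    sampl.add_attribute("md5", value=sample_json['md5_hash'], to_ids=True)
    sampl.add_attribute("filename", value=sample_json['file_name'], to_ids=False, disable_correlation=True)
    sampl.add_attribute("sha1", value=sample_json['sha1_hash'], to_ids=True)
    sampl.add_attribute("sha256", value=sample_json['sha256_hash'], to_ids=True)
    sampl.add_attribute("ssdeep", value=sample_json['ssdeep'], to_ids=True)
    sampl.add_attribute("size-in-bytes", value=sample_json['file_size'], to_ids=False, disable_correlation=True)
    sampl.add_attribute("state", value="Malicious", to_ids=False, disable_correlation=True)
    # The API escapes slashes in the MIME type; strip the backslashes.
    sampl.add_attribute("mimetype", value=sample_json['file_type_mime'].replace('\\', ''), to_ids=False, disable_correlation=True)

    # Submitter comment, if any: run it through the freetext importer and link
    # every extracted attribute to the sample.
    # NOTE(review): the comment is free text written by a third-party
    # submitter; the attributes extracted from it are added with whatever
    # to_ids default event.add_attribute applies. Consider passing
    # to_ids=False here if they must not end up in IDS exports — left
    # unchanged to preserve existing behaviour.
    comment = sample_json.get('comment')
    if comment:
        for commattr in pm.freetext(event, comment):
            attr = _getOrAddAttribute(event, commattr['type'], commattr['value'])
            sampl.add_reference(referenced_uuid=attr.uuid, relationship_type='related-to')

    # Cross-references: other samples (drops / dropped_by) and external links.
    for context_set in sample_json.get('file_information') or []:
        context = context_set['context']
        value = context_set['value']
        print("context: {}, value: {}".format(context, value))
        if context in API_REF_CONTEXTS:
            # Recurse for a referenced sample we have not seen yet, unless it
            # is an ancestor of this call (a drops/dropped_by cycle). An
            # ancestor is not yet in ``samples`` (it registers itself only
            # after returning), so no reference can be made to it from here.
            if value not in samples and value not in hashes:
                addSampleByHash([value] + hashes, event)
            related = samples.get(value)
            if related is not None:
                relationship = 'dropped-by' if context == "dropped_by_sha256" else 'drops'
                sampl.add_reference(referenced_uuid=related.uuid, relationship_type=relationship)
        elif context.casefold() in API_LINK_CONTEXTS:
            url_ref = value.replace('\\', '')
            attr = _getOrAddAttribute(event, 'url', url_ref, to_ids=False, disable_correlation=True)
            sampl.add_reference(referenced_uuid=attr.uuid, relationship_type='related-to')
        else:
            print("Lost context: {}".format(context))

    # Link back to the MalwareBazaar report page the object was derived from.
    # NOTE(review): sample_hash is interpolated into the URL without being
    # validated as a hex digest; it comes from the caller or from the API's
    # file_information values.
    report_url = "https://bazaar.abuse.ch/sample/{}/".format(sample_hash)
    report_attr = _getOrAddAttribute(event, "url", report_url, to_ids=False, disable_correlation=True)
    sampl.add_reference(referenced_uuid=report_attr.uuid, relationship_type='derived-from')

    sampl = event.add_object(sampl)
    samples[sample_hash] = sampl
    return sampl


def _getOrAddAttribute(event, attr_type, value, **kwargs):
    """Return the event attribute cached in ``attributes`` for *value*, adding it to *event* if missing.

    *kwargs* (e.g. ``to_ids``, ``disable_correlation``) are passed through to
    ``event.add_attribute`` only when a new attribute is created. The cache is
    keyed by the value looked up, so repeated values are never added twice.
    """
    attr = attributes.get(value)
    if attr is None:
        attr = event.add_attribute(attr_type, value, **kwargs)
        attributes[value] = attr
    return attr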
            #x509
            xfive = None
            if ("issuer" in data):
                if (len(data["issuer"]) > 2):
                    xfive = GenericObjectGenerator('x509')
                    xfive.add_attribute("issuer",
                                        value=data["issuer"],
                                        to_ids=True)
                    if (len(data["subject"]) > 0):
                        xfive.add_attribute("subject",
                                            value=data["subject"],
                                            to_ids=True)
                    xfive.first_seen = fseen
                    xfive.last_seen = lseen
                    xfive.add_reference(referenced_uuid=host.uuid,
                                        relationship_type='characterizes')

                    me.add_object(xfive)

            #credential
            useracc = None
            user = ""
            if (len(data["domain"]) > 1):
                if (re.match("^[\?|\_|\-|\~]+$|no_domain", data["domain"])):
                    user = data["username"]
                else:
                    user = data["domain"] + "\\" + data["username"]

            useracc = None
            if (len(user) > 0):
                useracc = GenericObjectGenerator('credential')