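def test_extract_scripts(self):
    """Scripts passed on a process command line are written out as artifacts.

    Feeds two synthetic process events to ExtractScripts: a ``cmd.exe /c``
    invocation and a ``powershell.exe -e`` invocation whose argument is the
    base64 form of ``echo "Recursive"`` (PowerShell's encoded-command
    syntax). The Extracted module must then report both as ``script``
    entries, with the decoded payload stored under ``extracted/0.bat`` and
    ``extracted/1.ps1`` of the analysis directory and no yara matches.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_yara()
    mkdir(cwd(analysis=1))

    ba = BehaviorAnalysis()
    ba.set_path(cwd(analysis=1))
    ba.set_task({
        "id": 1,
    })

    es = ExtractScripts(ba)
    es.handle_event({
        "command_line": "cmd.exe /c ping 1.2.3.4",
        "first_seen": 1,
        "pid": 1234,
    })
    es.handle_event({
        "command_line": (
            "powershell.exe -e "
            "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA="
        ),
        "first_seen": 2,
        "pid": 1235,
    })
    assert es.run() is None

    e = Extracted()
    e.set_task(Dictionary({
        "id": 1,
    }))
    out = e.run()
    assert out == [{
        "category": "script",
        "first_seen": 1,
        "pid": 1234,
        "program": "cmd",
        "raw": cwd("extracted", "0.bat", analysis=1),
        "yara": [],
        "info": {},
    }, {
        "category": "script",
        "first_seen": 2,
        "pid": 1235,
        "program": "powershell",
        "raw": cwd("extracted", "1.ps1", analysis=1),
        "yara": [],
        "info": {},
    }]

    # Close the files deterministically instead of leaving the handles to
    # the garbage collector.
    with open(out[0]["raw"], "rb") as f:
        assert f.read() == "ping 1.2.3.4"
    with open(out[1]["raw"], "rb") as f:
        assert f.read() == 'echo "Recursive"'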
def test_bson_limit(self):
    """An oversized behavior log is skipped while a small one is still used.

    Writes a 256 MiB and a 1 MiB log into the task's ``logs`` directory.
    BehaviorAnalysis.run() must then yield an empty result and
    ``_enum_logs()`` must list only the 1 MiB file; the size threshold
    itself presumably lives in BehaviorAnalysis.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    ba = BehaviorAnalysis()
    ba.set_path(cwd(analysis=1))
    ba.set_task({
        "id": 1,
    })

    mkdir(cwd(analysis=1))
    mkdir(cwd("logs", analysis=1))

    # One oversized log and one comfortably small one.
    logs = [
        ("1.txt", 256 * 1024 * 1024),
        ("2.txt", 1024 * 1024),
    ]
    for filename, size in logs:
        with open(cwd("logs", filename, analysis=1), "wb") as fp:
            fp.write("A" * size)

    assert ba.run() == {}
    assert sorted(ba._enum_logs()) == [
        cwd("logs", "2.txt", analysis=1),
    ]
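def test_extract_scripts(self):
    """Scripts passed on a process command line are written out as artifacts.

    Feeds two synthetic process events to ExtractScripts: a ``cmd.exe /c``
    invocation and a ``powershell.exe -e`` invocation whose argument is the
    base64 form of ``echo "Recursive"`` (PowerShell's encoded-command
    syntax). The Extracted module must then report both as ``script``
    entries, with the decoded payload stored under ``extracted/0.bat`` and
    ``extracted/1.ps1`` of the analysis directory and no yara matches.
    """
    set_cwd(self.mkdtemp())
    cuckoo_create()
    init_yara()
    mkdir(cwd(analysis=1))

    ba = BehaviorAnalysis()
    ba.set_path(cwd(analysis=1))
    ba.set_task({
        "id": 1,
    })

    es = ExtractScripts(ba)
    es.handle_event({
        "command_line": "cmd.exe /c ping 1.2.3.4",
        "first_seen": 1,
        "pid": 1234,
    })
    es.handle_event({
        "command_line": (
            "powershell.exe -e "
            "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA="
        ),
        "first_seen": 2,
        "pid": 1235,
    })
    assert es.run() is None

    e = Extracted()
    e.set_task(Dictionary({
        "id": 1,
    }))
    out = e.run()
    assert out == [{
        "category": "script",
        "first_seen": 1,
        "pid": 1234,
        "program": "cmd",
        "raw": cwd("extracted", "0.bat", analysis=1),
        "yara": [],
        "info": {},
    }, {
        "category": "script",
        "first_seen": 2,
        "pid": 1235,
        "program": "powershell",
        "raw": cwd("extracted", "1.ps1", analysis=1),
        "yara": [],
        "info": {},
    }]

    # Close the files deterministically instead of leaving the handles to
    # the garbage collector.
    with open(out[0]["raw"], "rb") as f:
        assert f.read() == "ping 1.2.3.4"
    with open(out[1]["raw"], "rb") as f:
        assert f.read() == 'echo "Recursive"'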
def test_stap_log(self):
    """A SystemTap log is parsed into generic, processes and processtree.

    Copies the fixture ``tests/files/log_full.stap`` into the task's
    ``logs`` directory as ``all.stap`` and checks the complete
    BehaviorAnalysis output for the three-process chain sh -> bash -> ls
    recorded in it.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_yara()
    mkdir(cwd(analysis=1))
    mkdir(cwd("logs", analysis=1))
    shutil.copy(
        "tests/files/log_full.stap",
        cwd("logs", "all.stap", analysis=1)
    )

    ba = BehaviorAnalysis()
    ba.set_path(cwd(analysis=1))
    ba.set_task({
        "id": 1,
    })

    # The three processes of the fixture, parent before child:
    # (pid, ppid, process_name, command_line, first_seen).
    cmd_bash = (
        "/bin/bash -c python -c 'import subprocess; "
        "subprocess.call([\"/bin/ls\", \"/hax\"])'"
    )
    procs = [
        (820, 819, "sh", "/bin/sh /tmp/execve.sh",
         datetime.datetime(2017, 8, 28, 14, 29, 32, 618541)),
        (821, 820, "bash", cmd_bash,
         datetime.datetime(2017, 8, 28, 14, 29, 32, 619135)),
        (822, 821, "ls", "/bin/ls /hax",
         datetime.datetime(2017, 8, 28, 14, 29, 32, 646318)),
    ]

    generic = [{
        "first_seen": first_seen,
        "pid": pid,
        "ppid": ppid,
        "process_name": name,
        "process_path": None,
        "summary": {},
    } for pid, ppid, name, _, first_seen in procs]

    processes = [{
        "calls": [],
        "command_line": command_line,
        "first_seen": first_seen,
        "pid": pid,
        "ppid": ppid,
        "process_name": name,
        "type": "process",
    } for pid, ppid, name, command_line, first_seen in procs]

    # processtree nests every process under its parent, so build it from
    # the innermost child outwards.
    tree = []
    for pid, ppid, name, command_line, first_seen in reversed(procs):
        tree = [{
            "children": tree,
            "command_line": command_line,
            "first_seen": first_seen,
            "pid": pid,
            "ppid": ppid,
            "process_name": name,
            "track": True,
        }]

    assert ba.run() == {
        "generic": generic,
        "processes": processes,
        "processtree": tree,
    }