Пример #1
0
def helper_percentages_mongo(tid1,
                             tid2,
                             ignore_categories: set = None) -> dict:
    if ignore_categories is None:
        ignore_categories = {"misc"}
    counts = {}

    for tid in (tid1, tid2):
        counts[tid] = {}

        pids_calls = mongo_find_one("analysis", {"info.id": int(tid)}, {
            "behavior.processes.process_id": 1,
            "behavior.processes.calls": 1
        })

        if not pids_calls:
            continue

        for pdoc in pids_calls["behavior"]["processes"]:
            pid = pdoc["process_id"]
            counts[tid][pid] = {}

            for coid in pdoc["calls"]:
                chunk = mongo_find_one("calls", {"_id": coid},
                                       {"calls.category": 1})
                category_counts = behavior_categories_percent(chunk["calls"])
                for cat, count in category_counts.items():
                    if cat in ignore_categories:
                        continue
                    counts[tid][pid][cat] = counts[tid][pid].get(cat,
                                                                 0) + count

    return combine_behavior_percentages(counts)
Пример #2
0
def helper_summary_mongo(tid1, tid2):
    left_sum, right_sum = None, None
    left_sum = mongo_find_one("analysis", {"info.id": int(tid1)},
                              {"behavior.summary": 1})
    right_sum = mongo_find_one("analysis", {"info.id": int(tid2)},
                               {"behavior.summary": 1})
    return get_similar_summary(left_sum,
                               right_sum) if left_sum and right_sum else {}
Пример #3
0
def static_config_lookup(file_path, sha256=False):
    if not sha256:
        sha256 = hashlib.sha256(open(file_path, "rb").read()).hexdigest()

    if repconf.mongodb.enabled:
        document_dict = mongo_find_one("analysis",
                                       {"target.file.sha256": sha256}, {
                                           "CAPE.configs": 1,
                                           "info.id": 1,
                                           "_id": 0
                                       },
                                       sort=[("_id", -1)])
    elif repconf.elasticsearchdb.enabled:
        document_dict = es.search(
            index=get_analysis_index(),
            body={"query": {
                "match": {
                    "target.file.sha256": sha256
                }
            }},
            _source=["CAPE.configs", "info.id"],
            sort={"_id": {
                "order": "desc"
            }},
        )["hits"]["hits"][0]["_source"]
    else:
        document_dict = None

    if not document_dict:
        return

    has_config = document_dict.get("CAPE", {}).get("configs", [])
    if has_config:
        return document_dict["info"]
Пример #4
0
def category_all_files(task_id, category, base_path):
    analysis = False
    query_category = category
    if category == "CAPE":
        category = "CAPE.payloads"
    if repconf.mongodb.enabled:
        analysis = mongo_find_one("analysis", {"info.id": int(task_id)}, {
            f"{category}.sha256": 1,
            "_id": 0
        },
                                  sort=[("_id", -1)])
    # if es_as_db:
    #    # ToDo missed category
    #    analysis = es.search(index=get_analysis_index(), query=get_query_by_info_id(task_id))["hits"]["hits"][0]["_source"]

    if analysis:
        if query_category == "CAPE":
            return [
                os.path.join(base_path, block["sha256"])
                for block in analysis.get(query_category, {}).get(
                    "payloads", [])
            ]
        else:
            return [
                os.path.join(base_path, block["sha256"])
                for block in analysis.get(category, [])
            ]
Пример #5
0
def both(request, left_id, right_id):
    if enabledconf["mongodb"]:
        left = mongo_find_one("analysis", {"info.id": int(left_id)}, {
            "target": 1,
            "info": 1,
            "summary": 1
        })
        right = mongo_find_one("analysis", {"info.id": int(right_id)}, {
            "target": 1,
            "info": 1,
            "summary": 1
        })
        # Execute comparison.
        counts = compare.helper_percentages_mongo(left_id, right_id)
        summary_compare = compare.helper_summary_mongo(left_id, right_id)
    elif es_as_db:
        left = es.search(index=get_analysis_index(),
                         query=get_query_by_info_id(left_id),
                         _source=["target",
                                  "info"])["hits"]["hits"][-1]["_source"]
        right = es.search(index=get_analysis_index(),
                          query=get_query_by_info_id(right_id),
                          _source=["target",
                                   "info"])["hits"]["hits"][-1]["_source"]
        counts = compare.helper_percentages_elastic(es, left_id, right_id)
        summary_compare = compare.helper_summary_elastic(es, left_id, right_id)

    return render(
        request,
        "compare/both.html",
        {
            "left": left,
            "right": right,
            "left_counts": counts[left_id],
            "right_counts": counts[right_id],
            "summary": summary_compare,
        },
    )
Пример #6
0
def _load_report(task_id: int, return_one: bool = False):

    if repconf.mongodb.enabled:
        if return_one:
            analysis = mongo_find_one("analysis", {"info.id": int(task_id)},
                                      sort=[("_id", -1)])
            for process in analysis.get("behavior", {}).get("processes", []):
                calls = []
                for call in process["calls"]:
                    calls.append(ObjectId(call))
                process["calls"] = []
                for call in mongo_find("calls", {"_id": {
                        "$in": calls
                }},
                                       sort=[("_id", 1)]) or []:
                    process["calls"] += call["calls"]
            return analysis

        else:
            return mongo_find("analysis", {"info.id": int(task_id)})

    if repconf.elasticsearchdb.enabled and not repconf.elasticsearchdb.searchonly:
        try:
            analyses = (es.search(index=get_analysis_index(),
                                  query=get_query_by_info_id(task_id),
                                  sort={
                                      "info.id": {
                                          "order": "desc"
                                      }
                                  }).get("hits", {}).get("hits", []))
            if analyses:
                if return_one:
                    return analyses[0]
                else:
                    return analyses
        except ESRequestError as e:
            print(e)

    return False
Пример #7
0
def left(request, left_id):
    if enabledconf["mongodb"]:
        left = mongo_find_one("analysis", {"info.id": int(left_id)}, {
            "target": 1,
            "info": 1
        })
    if es_as_db:
        hits = es.search(index=get_analysis_index(),
                         query=get_query_by_info_id(left_id))["hits"]["hits"]
        if hits:
            left = hits[-1]["_source"]
        else:
            left = None
    if not left:
        return render(request, "error.html",
                      {"error": "No analysis found with specified ID"})

    # Select all analyses with same file hash.
    if enabledconf["mongodb"]:
        records = mongo_find(
            "analysis",
            {
                "$and": [{
                    "target.file.md5": left["target"]["file"]["md5"]
                }, {
                    "info.id": {
                        "$ne": int(left_id)
                    }
                }]
            },
            {
                "target": 1,
                "info": 1
            },
        )
    if es_as_db:
        records = []
        q = {
            "query": {
                "bool": {
                    "must": [{
                        "match": {
                            "target.file.md5": left["target"]["file"]["md5"]
                        }
                    }],
                    "must_not": [{
                        "match": {
                            "info.id": left_id
                        }
                    }],
                }
            }
        }
        results = es.search(index=get_analysis_index(), body=q)["hits"]["hits"]
        for item in results:
            records.append(item["_source"])

    return render(request, "compare/left.html", {
        "left": left,
        "records": records
    })