def analyze(self, line): if line.startswith('#') or line.startswith('\n'): return try: url = toolbox.find_urls(line)[0] except Exception, e: # if find_urls raises an exception, it means no ip was found in the line, so we return return
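def analyze(self, dict):
    """Turn one parsed SpyEye tracker feed item into Malcom elements.

    Args:
        dict: the parsed feed item; the keys read here are ``'link'``,
            ``'description'`` and ``'guid'``. (The parameter name shadows the
            builtin; it is kept for interface compatibility.)

    Returns:
        A ``(url, evil)`` tuple: the ``Url`` element found in the item's
        description and the ``Evil`` element describing the SpyEye bot. Saving
        them is left to the caller; the save status then tells whether the
        element already existed in the DB.

    Raises:
        IndexError: when the description carries no URL and ``find_urls``
            returns an empty sequence -- assumes a sequence is returned; confirm.
    """
    description = dict['description']

    # Evil objects are Malcom's container for anything it considers evil
    # (malware, spam sources, ...). Custom datatypes can be created if needed.
    evil = Evil()

    # Keep the link alongside the description so the origin stays traceable.
    evil['description'] = dict['link'] + " " + description

    # The tracker marks dead hosts with the literal word "offline".
    evil['status'] = "offline" if "offline" in description else "online"

    # The tracker embeds the sample hash as "MD5 hash: <32 lowercase hex>".
    # NOTE(review): uppercase hex would not match and falls through to "No MD5".
    md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
    evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"

    # Linkback to the feed item.
    evil['guid'] = dict['guid']

    # Assumes Evil() initialises 'tags' as a list -- confirm in Evil.
    evil['tags'] += ['spyeye', 'malware']

    url = Url(toolbox.find_urls(description)[0], tags=['spyeye', 'malware', 'exe'])

    # Values must be unique: Malcom identifies elements by them in the
    # database. Prefer the MD5 when the feed gave one, otherwise fall back to
    # the hosting URL. Not the best scheme, but it will do for now.
    evil['value'] = "SpyEye bot"
    if md5:
        evil['value'] += " (MD5: %s)" % evil['md5']
    else:
        evil['value'] += " (URL: %s)" % url['value']

    return url, evil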
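def analyze(self, dict):
    """Turn one parsed ZeuS Tracker dropzone feed item into Malcom elements.

    Args:
        dict: the parsed feed item; the keys read here are ``'description'``
            and ``'guid'``. (The parameter name shadows the builtin; it is
            kept for interface compatibility.)

    Returns:
        A ``(url, evil)`` tuple: the ``Url`` element found in the item's
        description and the ``Evil`` element describing the dropzone. Saving
        them is left to the caller; the save status then tells whether the
        element already existed in the DB.

    Raises:
        IndexError: when the description carries no URL and ``find_urls``
            returns an empty sequence -- assumes a sequence is returned; confirm.
    """
    description = dict['description']

    # Evil objects are Malcom's container for anything it considers evil
    # (malware, spam sources, ...). Custom datatypes can be created if needed.
    evil = Evil()
    evil['description'] = description

    # The tracker marks dead hosts with the literal word "offline".
    evil['status'] = "offline" if "offline" in description else "online"

    # The tracker embeds the sample hash as "MD5 hash: <32 lowercase hex>".
    # NOTE(review): uppercase hex would not match and falls through to "No MD5".
    md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
    evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"

    # Linkback to the feed item.
    evil['guid'] = dict['guid']

    # Assumes Evil() initialises 'tags' as a list -- confirm in Evil.
    evil['tags'] += ['zeus', 'malware', 'ZeusTrackerDropzones']

    # The URL element for the dropzone host.
    url = Url(toolbox.find_urls(description)[0], ['evil', 'ZeusTrackerDropzones'])

    # Values must be unique: Malcom identifies elements by them in the
    # database. Prefer the MD5 when the feed gave one, otherwise fall back to
    # the dropzone URL. Not the best scheme, but it will do for now.
    evil['value'] = "ZeuS Dropzone"
    if md5:
        evil['value'] += " (MD5: %s)" % evil['md5']
    else:
        evil['value'] += " (URL: %s)" % url['value']

    return url, evil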
def analyze(self, dict):
    """Record one parsed feed item: extract its URL, attach an Evil entry, persist.

    Args:
        dict: the parsed feed item; reads ``'title'`` (searched for the URL),
            ``'description'`` (used lower-cased as tag and C&C description)
            and ``'pubDate'`` in ``DD-MM-YYYY`` form. (The parameter name
            shadows the builtin; kept for interface compatibility.)

    Returns:
        None. Returns early, with no side effects, when no URL is found in the
        title; otherwise the ``Url`` element is handed to ``self.commit_to_db``.
    """
    try:
        raw_url = toolbox.find_urls(dict["title"])[0]
    except Exception:
        # No URL in the title: nothing to record for this item.
        return

    kind = dict["description"].lower()
    url = Url(url=raw_url, tags=[kind])

    first_seen = datetime.datetime.strptime(dict["pubDate"], "%d-%m-%Y")
    # The md5 is only a stable identifier for de-duplication, not an
    # integrity check. NOTE(review): the fields are concatenated without a
    # separator, so two distinct items could in principle share an id.
    entry_id = md5.new(dict["title"] + dict["pubDate"] + dict["description"]).hexdigest()

    evil = {
        "description": "%s CC" % kind,
        "date_added": first_seen,
        "id": entry_id,
        "source": self.name,
    }

    url.seen(first=first_seen)
    url.add_evil(evil)
    self.commit_to_db(url)
def analyze(self, dict): # We create an Evil object. Evil objects are what Malcom uses # to store anything it considers evil. Malware, spam sources, etc. # Remember that you can create your own datatypes, if need be. #print dict #return mdl = Url() # We start populating the Evil() object's attributes with # information from the dict we parsed earlier mdl['feed'] = "MDLTracker" try: mdl['value'] = toolbox.find_urls(dict['description'])[0] except Exception, e: return
def analyze(self, dict): # We create an Evil object. Evil objects are what Malcom uses # to store anything it considers evil. Malware, spam sources, etc. # Remember that you can create your own datatypes, if need be. #print dict #return mdl = Url() # We start populating the Evil() object's attributes with # information from the dict we parsed earlier mdl['feed'] = "MDLTracker" try: mdl['value'] = toolbox.find_urls(dict['description'])[0] except Exception,e: return
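def analyze(self, dict):
    """Record one parsed feed item: extract its URL, attach an Evil entry, persist.

    Args:
        dict: the parsed feed item; reads ``'title'`` (searched for the URL),
            ``'description'`` (used lower-cased as the C&C description) and
            ``'pubDate'`` in RFC-822 style ``"Mon, 01 Jan 2014 12:00:00 +0000"``
            form (constructed example). The item is no longer modified in place.

    Returns:
        None. Returns early, with no side effects, when no URL is found in the
        title; otherwise the ``Url`` element is handed to ``self.commit_to_db``.
    """
    try:
        raw_url = toolbox.find_urls(dict['title'])[0]
    except Exception:
        # NOTE(review): the broad catch is this feed's "no URL, bail"
        # convention, but it also hides unrelated failures inside find_urls;
        # narrow it to the exception find_urls actually raises once confirmed.
        return

    url = Url(url=raw_url, tags=['evil'])

    # Drop the "+HHMM" offset: the strptime format has no zone field, and its
    # trailing space consumes the blank that preceded the offset. Kept in a
    # local instead of being written back into the caller's dict.
    pub_date = dict['pubDate'].split('+')[0]
    date_added = datetime.datetime.strptime(pub_date, "%a, %d %b %Y %X ")

    evil = {}
    evil['description'] = "%s CC" % (dict['description'].lower())
    evil['date_added'] = date_added
    # Stable id for de-duplication only (not integrity). Hashed over the
    # offset-stripped date so ids match records created by the previous code,
    # which hashed the modified 'pubDate'.
    evil['id'] = md5.new(dict['title'] + pub_date + dict['description']).hexdigest()
    evil['source'] = self.name

    url.seen(first=date_added)
    url.add_evil(evil)
    self.commit_to_db(url)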
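def analyze(self, dict):
    """Turn one SpyEye configs tracker feed item into Evil and Url elements and save them.

    Args:
        dict: the parsed feed item; reads ``'description'`` (expected to hold
            the hosting URL and, optionally, ``"MD5 hash: <hex>"``), ``'link'``
            and ``'guid'``. (The parameter name shadows the builtin; kept for
            interface compatibility.)

    Returns:
        None. Items whose description holds no URL are skipped. Otherwise the
        Evil and Url elements are saved through ``self.analytics.save_element``,
        ``self.elements_fetched`` is incremented for each element that did not
        exist yet, and the two are linked with a ``'hosting'`` relation.
    """
    description = dict['description']

    # Without a hosting URL there is nothing to link the config to, so skip
    # the item instead of failing the whole feed run. Indexing an empty
    # result raises IndexError -- assumes find_urls returns a sequence; confirm.
    try:
        hosting_url = toolbox.find_urls(description)[0]
    except IndexError:
        return

    def _save(element):
        # Persist the element; save_element's status reports whether an
        # existing record was updated, so only genuinely new elements count.
        saved, status = self.analytics.save_element(element, with_status=True)
        if not status['updatedExisting']:
            self.elements_fetched += 1
        return saved

    # Evil objects are Malcom's container for anything it considers evil
    # (malware, spam sources, ...). Custom datatypes can be created if needed.
    evil = Evil()
    evil['feed'] = "SpyEyeConfigs"
    evil['url'] = hosting_url
    # Keep the link alongside the description so the origin stays traceable.
    evil['description'] = dict['link'] + " " + description
    # The tracker marks dead hosts with the literal word "offline".
    evil['status'] = "offline" if "offline" in description else "online"

    # The tracker embeds the sample hash as "MD5 hash: <32 lowercase hex>".
    # NOTE(review): uppercase hex would not match and falls through to "No MD5".
    md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
    evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"

    # Linkback to the feed item.
    evil['source'] = dict['guid']
    evil['type'] = 'evil'
    # Assumes Evil() initialises 'tags' as a list -- confirm in Evil.
    evil['tags'] += ['spyeye', 'malware', 'SpyEyeConfigs']
    # The key's spelling is a stored field name and is deliberately kept.
    evil['date_retreived'] = datetime.datetime.utcnow()

    # Values must be unique: Malcom identifies elements by them in the
    # database. Prefer the MD5 when the feed gave one, otherwise fall back to
    # the hosting URL. Not the best scheme, but it will do for now.
    evil['value'] = "SpyEye Config"
    if md5:
        evil['value'] += " (MD5: %s)" % evil['md5']
    else:
        evil['value'] += " (URL: %s)" % evil['url']

    evil = _save(evil)
    url = _save(Url(evil['url'], ['evil', 'SpyEyeConfigs']))

    # Connect the URL element to the Evil element it hosts.
    self.analytics.data.connect(url, evil, 'hosting')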
def analyze(self, dict, testing=False): try: url = toolbox.find_urls(dict['title'])[0] except Exception, e: return # if no URL is found, bail
def analyze(self, dict): try: url = toolbox.find_urls(dict['title'])[0] except Exception, e: return # if no URL is found, bail
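def analyze(self, dict):
    """Turn one SpyEye binaries tracker feed item into Evil and Url elements and save them.

    Args:
        dict: the parsed feed item; reads ``'description'`` (expected to hold
            the hosting URL and, optionally, ``"MD5 hash: <hex>"``), ``'link'``
            and ``'guid'``. (The parameter name shadows the builtin; kept for
            interface compatibility.)

    Returns:
        None. Items whose description holds no URL are skipped. Otherwise the
        Evil and Url elements are saved through ``self.analytics.save_element``,
        ``self.elements_fetched`` is incremented for each element that did not
        exist yet, and the two are linked with a ``'hosting'`` relation.
    """
    description = dict['description']

    # Without a hosting URL there is nothing to link the binary to, so skip
    # the item instead of failing the whole feed run. Indexing an empty
    # result raises IndexError -- assumes find_urls returns a sequence; confirm.
    try:
        hosting_url = toolbox.find_urls(description)[0]
    except IndexError:
        return

    def _save(element):
        # Persist the element; save_element's status reports whether an
        # existing record was updated, so only genuinely new elements count.
        saved, status = self.analytics.save_element(element, with_status=True)
        if not status['updatedExisting']:
            self.elements_fetched += 1
        return saved

    # Evil objects are Malcom's container for anything it considers evil
    # (malware, spam sources, ...). Custom datatypes can be created if needed.
    evil = Evil()
    evil['feed'] = "SpyEyeBinaries"
    evil['url'] = hosting_url
    # Keep the link alongside the description so the origin stays traceable.
    evil['description'] = dict['link'] + " " + description
    # The tracker marks dead hosts with the literal word "offline".
    evil['status'] = "offline" if "offline" in description else "online"

    # The tracker embeds the sample hash as "MD5 hash: <32 lowercase hex>".
    # NOTE(review): uppercase hex would not match and falls through to "No MD5".
    md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
    evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"

    # Linkback to the feed item.
    evil['source'] = dict['guid']
    evil['type'] = 'evil'
    # Assumes Evil() initialises 'tags' as a list -- confirm in Evil.
    evil['tags'] += ['spyeye', 'malware', 'SpyEyeBinaries']
    # The key's spelling is a stored field name and is deliberately kept.
    evil['date_retreived'] = datetime.datetime.utcnow()

    # Values must be unique: Malcom identifies elements by them in the
    # database. Prefer the MD5 when the feed gave one, otherwise fall back to
    # the hosting URL. Not the best scheme, but it will do for now.
    evil['value'] = "SpyEye bot"
    if md5:
        evil['value'] += " (MD5: %s)" % evil['md5']
    else:
        evil['value'] += " (URL: %s)" % evil['url']

    evil = _save(evil)
    url = _save(Url(evil['url'], ['evil', 'SpyEyeBinaries']))

    # Connect the URL element to the Evil element it hosts.
    self.analytics.data.connect(url, evil, 'hosting')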
def analyze(self, dict): try: url = toolbox.find_urls(dict['link'])[0] except Exception, e: return
def analyze(self, dict): try: url = toolbox.find_urls(dict['description'])[0] except Exception, e: return # no URL found, bail