def main():
args = docopt(__doc__, version='0.1')
debug = args["--debug"]
verbose = args["--verbose"]
if not os.path.exists("log"):
os.makedirs("log")
configure_logging("log/lama_api.log", debug=debug, verbose=verbose)
cmd_line = "COMMAND : "+" ".join(sys.argv)
logging.info(cmd_line)
try:
Lamadb.create_db()
LamaFtp.create_ftp()
run_api(debug=debug)
except KeyboardInterrupt:
Analyzer.stop_analyzer()
def parse_result(self):
"""
Main function to parse results
Add indicator in malware.
"""
# download full archive
tar_url = "{}/tasks/report/{}/all".format(self._cuckoo_url,
self._task_id)
folder_path = File.download_to_tmp(tar_url, "all.tar.gz")
# send archive to FTP server
tar_path = LamaFtp.upload_from_module(folder_path + "/all.tar.gz",
self._malware.analysis_uid,
self._malware.uid,
self._module_cls_name,
remote_path=str(self._task_id) +
"/all")
# add indicator
indicator = Indicator.factory(module_cls_name=self._module_cls_name,
name="all",
content_type=Type.FILE,
content=tar_path,
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
# untar and analyze report.json
tar = tarfile.open(folder_path + "/all.tar.gz")
extract_path = folder_path + "/extract"
os.mkdir(extract_path)
tar.extractall(extract_path)
json_report_file = open(extract_path + "/reports/report.json", "r")
self._json_input = json_report_file.read()
self._json_cuckoo = self.json_decoder.decode(self._json_input)
# TODO move on submodule JSON ?
if "info" in self._json_cuckoo:
self.parse_info()
if "target" in self._json_cuckoo:
self.parse_target()
if "strings" in self._json_cuckoo:
self.parse_strings()
if "signatures" in self._json_cuckoo:
self.parse_signatures()
if "buffer" in self._json_cuckoo:
self.parse_buffer()
if "network" in self._json_cuckoo:
self.parse_network()
if "behavior" in self._json_cuckoo:
self.parse_process()
# upload screenshots/pcap to FTP server
self._get_screenshots(extract_path)
self._get_files(extract_path)
self._get_pcap(extract_path)
# remove extracts files
File.remove_tmp_dir(folder_path)
def _get_files(self, extract_path):
"""
Retreive files and upload it on FTP server
"""
files = os.path.join(extract_path, "files")
files_path = []
for f in os.listdir(files):
file_path = files + "/" + f
# send
ftp_file_path = LamaFtp.upload_from_module(
file_path,
self._malware.analysis_uid,
self._malware.uid,
self._module_cls_name,
remote_path=("{}/files").format(self._task_id))
files_path.append(ftp_file_path)
extract_file = self._malware.add_extract_malware_path(
self._module_cls_name, file_path, f)
Input.analyse_malware(extract_file)
indicator = Indicator.factory(module_cls_name=self._module_cls_name,
name="files",
content_type=Type.FILE,
content=",".join(files_path),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def _get_screenshots(self, extract_path):
"""
Retreive snapshot and upload it on FTP server
"""
shots_path = os.path.join(extract_path, "shots")
screenshots_path = []
for f in os.listdir(shots_path):
img_path = shots_path + "/" + f
# resize
img = Image.open(img_path)
basewidth = 500
wpercent = (basewidth / float(img.size[0]))
hsize = int((float(img.size[1]) * float(wpercent)))
img = img.resize((basewidth, hsize), Image.ANTIALIAS)
img.save(img_path)
# send
path = LamaFtp.upload_from_module(
img_path,
self._malware.analysis_uid,
self._malware.uid,
self._module_cls_name,
remote_path=("{}/screenshots").format(self._task_id))
screenshots_path.append(path)
indicator = Indicator.factory(module_cls_name=self._module_cls_name,
name="screenshots",
content_type=Type.FILE,
content=",".join(screenshots_path),
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def download(self):
"""
Download the malware on local machine.
"""
local_path, _ = LamaFtp.download_to_tmp(
str(self.analysis_uid) + "/" + str(self.uid) + "/" + self.name)
return local_path
def add_extract_malware_path(self,
module_cls_name,
path,
name,
malware_type=None):
"""
Add a extracted malware to a malware with his path.
It's for binary exctact.
Args :
**module_cls_name** (Sting) : Class name of the analysis module.
**path** (String) : Path of the extracted malware.
**name** (String) : Name of the extracted malware.
"""
# create empty malware to have his uid
m = Malware.empty_malware()
# set link child/parent
m._parent_uid = self.uid
m.analysis_uid = self.analysis_uid
# define the remote dir
remote_dir = "{}/{}".format(str(m.analysis_uid), str(m.uid))
# create the malware with other informations
new_name = m.factory(path, remote_dir, name)
if malware_type:
m.mime = malware_type
res = m.persist()
if not res:
# TODO handle error
logging.debug("Error persist malware")
# send to FTp server
LamaFtp.upload(path, remote_dir, new_name)
# add the extracted malware to the list of extracted malware
self._extract_malware.append(m)
return m
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
# save all scipts
script_dir = os.path.join(self._out_tmp_path, "extract", "scripts")
for path, subdirs, files in os.walk(script_dir):
for name in files:
script_path = os.path.join(path, name)
with open(script_path, 'r') as script_file:
script_content = script_file.read()
# convert script to b64
codeb64 = base64.b64encode(bytes(script_content,
"utf-8")).decode('utf-8')
script_dict = dict()
script_dict['filename'] = script_path.replace(script_dir,
"")[1:]
script_dict['code'] = codeb64
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="script",
content_type=Type.BASE64,
content=json.dumps(script_dict),
score=0)
self._malware.get_module_status(self.module_cls_name
).add_indicator(indicator)
tar_path = os.path.join(self._out_tmp_path, "out.tar.gz")
remote_tar_path = LamaFtp.upload_from_module(tar_path,
self.malware.analysis_uid,
self.malware.uid,
self.module_cls_name)
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="tar",
content_type=Type.FILE,
content=remote_tar_path,
score=0)
self._malware.get_module_status(self.module_cls_name
).add_indicator(indicator)
def _get_pcap(self, extract_path):
"""
Retreive PCAP and upload it on FTP server
"""
if os.path.isfile(extract_path + "/dump.pcap"):
pcap_path = LamaFtp.upload_from_module(
extract_path + "/dump.pcap",
self._malware.analysis_uid,
self._malware.uid,
self._module_cls_name,
remote_path=str(self._task_id) + "/pcap")
indicator = Indicator.factory(
module_cls_name=self._module_cls_name,
name="pcap",
content_type=Type.FILE,
content=pcap_path,
score=0,
option=self._task_id)
self._ms.add_indicator(indicator)
def parse_result(self):
"""
Abstract parse_result method.
It calls when analyze is finished.
It uptade malware with indicators.
"""
if not self._result:
return
json_pe = self.json_decode(self._result)
if not json_pe:
return
tmp_result_file = File.create_tmp_file("peframe.txt", self._result)
remote_path = LamaFtp.upload_from_module(
local_path=tmp_result_file + "/peframe.txt",
analysis_uid=self.malware.analysis_uid,
malware_uid=self.malware.uid,
module_cls_name=self.module_cls_name,
remote_path="",
remote_name="peframe.txt")
indicator = Indicator.factory(module_cls_name=self.module_cls_name,
name="result_json",
content_type=Type.FILE,
content=remote_path,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# ip_found
if "ip_found" in json_pe:
for ip in json_pe['ip_found']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="ip",
content_type=Type.IP,
content=ip,
score=3)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# url_found
if "url_found" in json_pe:
for url in json_pe['url_found']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="url",
content_type=Type.URL,
content=url,
score=2)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# url_found
if "file_found" in json_pe:
file_found = json_pe['file_found']
# file_found->WebPage
if "Web Page" in file_found:
for webpage in file_found['Web Page']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="webpage",
content_type=Type.URL,
content=webpage,
score=1)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info
if "pe_info" in json_pe and json_pe['pe_info']:
pe_info = json_pe['pe_info']
# pe_info->sections_info
if "sections_info" in pe_info:
for section in pe_info['sections_info']:
score = 3 if section['suspicious'] else 0
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="section_info",
content_type=Type.STRING,
content=section['name'],
score=score)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->detected
if "detected" in pe_info:
for detected in pe_info['detected']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="detected",
content_type=Type.STRING,
content=detected,
score=4)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->packer_info
if "packer_info" in pe_info:
for pack_info in pe_info['packer_info']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="packer_info",
content_type=Type.STRING,
content=pack_info,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->directories
if "directories" in pe_info:
for directorie in pe_info['directories']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="directories",
content_type=Type.STRING,
content=directorie,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->apialert_info
if "apialert_info" in pe_info:
for api in pe_info['apialert_info']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="apialert_info",
content_type=Type.STRING,
content=api,
score=0)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->antidbg_info
if "antidbg_info" in pe_info:
for antidbg in pe_info['antidbg_info']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="antidbg_info",
content_type=Type.STRING,
content=antidbg,
score=3)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)
# pe_info->antivm_info
if "antivm_info" in pe_info:
for antidbg in pe_info['antivm_info']:
indicator = Indicator.factory(
module_cls_name=self.module_cls_name,
name="antivm_info",
content_type=Type.STRING,
content=antidbg,
score=4)
self._malware.get_module_status(
self.module_cls_name).add_indicator(indicator)