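    def run(self):
        """Run the static PE analysis over ``self.file_path``.

        The file is a sample under analysis and therefore untrusted input.
        It is parsed with pefile; on success each ``_get_*`` extractor is
        called in a fixed order (kept as-is, since an extractor may rely on
        state set by an earlier one), then the DarkComet and njRAT config
        decoders are run. Elapsed time for the PEiD scan and for the config
        decoders is reported through ``add_statistic`` as seconds with
        millisecond resolution.

        @return: analysis results dict, or None when the file does not exist
            or pefile rejects it with PEFormatError.
        """
        # Function-scope import so this change is self-contained; ``time``
        # may not be imported at module level.
        import time

        if not os.path.exists(self.file_path):
            return None

        # NOTE(review): only PEFormatError is handled. A crafted sample may
        # make pefile raise something else; confirm the caller tolerates
        # that rather than aborting the whole static module.
        try:
            self.pe = pefile.PE(self.file_path)
        except pefile.PEFormatError:
            return None

        results = {}

        # Elapsed time must come from a monotonic clock. datetime.now() is
        # wall-clock time: an NTP step or DST change mid-scan yields a
        # negative timedelta whose .seconds normalises to ~86399, so the
        # recorded statistic would be nonsense.
        started = time.monotonic()
        results["peid_signatures"] = self._get_peid_signatures()
        self.add_statistic(
            "peid", "time", round(time.monotonic() - started, 3))

        results["pe_imagebase"] = self._get_imagebase()
        results["pe_entrypoint"] = self._get_entrypoint()
        results["pe_reported_checksum"] = self._get_reported_checksum()
        results["pe_actual_checksum"] = self._get_actual_checksum()
        results["pe_osversion"] = self._get_osversion()
        results["pe_pdbpath"] = self._get_pdb_path()
        results["pe_imports"] = self._get_imported_symbols()
        results["pe_exported_dll_name"] = self._get_exported_dll_name()
        results["pe_exports"] = self._get_exported_symbols()
        results["pe_dirents"] = self._get_directory_entries()
        results["pe_sections"] = self._get_sections()
        results["pe_overlay"] = self._get_overlay()
        results["pe_resources"] = self._get_resources()
        (results["pe_icon"],
         results["pe_icon_hash"],
         results["pe_icon_fuzzy"]) = self._get_icon_info()
        results["pe_versioninfo"] = self._get_versioninfo()
        results["pe_imphash"] = self._get_imphash()
        results["pe_timestamp"] = self._get_timestamp()
        results["digital_signers"] = self._get_digital_signers()
        # Number of import entries that actually name a DLL.
        results["imported_dll_count"] = sum(
            1 for entry in results["pe_imports"] if entry.get("dll"))

        # RAT configuration decoders. Whatever they return (C2 hosts, mutex
        # names, ...) is lifted verbatim from the sample; treat it as
        # untrusted wherever it is rendered or stored.
        started = time.monotonic()
        darkcomet_config = darkcomet.extract_config(self.file_path, self.pe)
        if darkcomet_config:
            results["darkcomet_config"] = darkcomet_config
        njrat_config = njrat.extract_config(self.file_path)
        if njrat_config:
            results["njrat_config"] = njrat_config
        self.add_statistic(
            "config_decoder", "time", round(time.monotonic() - started, 3))

        return results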
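    def run(self):
        """Extract static metadata from the PE image at ``self.file_path``.

        The sample is attacker-controlled input. pefile parses it; when that
        succeeds, the ``_get_*`` extractors run in a fixed order (an extractor
        may depend on state an earlier one set, so the order is preserved),
        followed by the DarkComet and njRAT configuration decoders. The time
        spent in the PEiD scan and in the config decoders is recorded via
        ``add_statistic`` in seconds at millisecond resolution.

        @return: analysis results dict, or None if the file is missing or
            pefile raises PEFormatError.
        """
        # Local import: ``time`` may not be imported at module level.
        import time

        def elapsed(since):
            # Seconds since ``since`` (a time.monotonic() reading), rounded
            # to milliseconds.
            return round(time.monotonic() - since, 3)

        if not os.path.exists(self.file_path):
            return None

        # NOTE(review): only PEFormatError is caught here. Malformed or
        # deliberately hostile samples may trigger other exceptions inside
        # pefile; confirm the caller handles those.
        try:
            self.pe = pefile.PE(self.file_path)
        except pefile.PEFormatError:
            return None

        results = {}

        # Durations are measured with a monotonic clock rather than
        # datetime.now(): wall-clock adjustments during the scan would
        # otherwise produce a negative timedelta and a bogus statistic.
        t0 = time.monotonic()
        results["peid_signatures"] = self._get_peid_signatures()
        self.add_statistic("peid", "time", elapsed(t0))

        results["pe_imagebase"] = self._get_imagebase()
        results["pe_entrypoint"] = self._get_entrypoint()
        results["pe_reported_checksum"] = self._get_reported_checksum()
        results["pe_actual_checksum"] = self._get_actual_checksum()
        results["pe_osversion"] = self._get_osversion()
        results["pe_pdbpath"] = self._get_pdb_path()
        results["pe_imports"] = self._get_imported_symbols()
        results["pe_exported_dll_name"] = self._get_exported_dll_name()
        results["pe_exports"] = self._get_exported_symbols()
        results["pe_dirents"] = self._get_directory_entries()
        results["pe_sections"] = self._get_sections()
        results["pe_overlay"] = self._get_overlay()
        results["pe_resources"] = self._get_resources()
        icon, icon_hash, icon_fuzzy = self._get_icon_info()
        results["pe_icon"] = icon
        results["pe_icon_hash"] = icon_hash
        results["pe_icon_fuzzy"] = icon_fuzzy
        results["pe_versioninfo"] = self._get_versioninfo()
        results["pe_imphash"] = self._get_imphash()
        results["pe_timestamp"] = self._get_timestamp()
        results["digital_signers"] = self._get_digital_signers()
        # Count only import entries that carry a DLL name.
        results["imported_dll_count"] = sum(
            1 for entry in results["pe_imports"] if entry.get("dll"))

        # Decoded RAT configs (C2 endpoints, campaign ids, ...) are copied
        # straight out of the sample: downstream consumers must escape them
        # before rendering and must not act on them blindly.
        t0 = time.monotonic()
        darkcomet_config = darkcomet.extract_config(self.file_path, self.pe)
        if darkcomet_config:
            results["darkcomet_config"] = darkcomet_config
        njrat_config = njrat.extract_config(self.file_path)
        if njrat_config:
            results["njrat_config"] = njrat_config
        self.add_statistic("config_decoder", "time", elapsed(t0))

        return results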
    def run(self):
        """Collect static PE metadata for ``self.file_path``.

        The file is an untrusted sample. It is parsed with pefile; on
        success every extractor listed below runs in the given order (kept
        fixed because an extractor may depend on state set by a previous
        one), and the DarkComet / njRAT configuration decoders are applied.

        @return: dict of extracted fields, or None when the path does not
            exist or pefile raises PEFormatError.
        """
        if not os.path.exists(self.file_path):
            return None

        # NOTE(review): only PEFormatError is handled; a crafted sample may
        # make pefile raise other exceptions - confirm the caller copes.
        try:
            self.pe = pefile.PE(self.file_path)
        except pefile.PEFormatError:
            return None

        # (result key, extractor) pairs in the order they must execute.
        extractors = (
            ("peid_signatures", self._get_peid_signatures),
            ("pe_imagebase", self._get_imagebase),
            ("pe_entrypoint", self._get_entrypoint),
            ("pe_osversion", self._get_osversion),
            ("pe_pdbpath", self._get_pdb_path),
            ("pe_imports", self._get_imported_symbols),
            ("pe_exports", self._get_exported_symbols),
            ("pe_dirents", self._get_directory_entries),
            ("pe_sections", self._get_sections),
            ("pe_overlay", self._get_overlay),
            ("pe_resources", self._get_resources),
            ("pe_icon", self._get_icon),
            ("pe_versioninfo", self._get_versioninfo),
            ("pe_imphash", self._get_imphash),
            ("pe_timestamp", self._get_timestamp),
            ("digital_signers", self._get_digital_signers),
        )
        report = {}
        for key, extract in extractors:
            report[key] = extract()

        # Import entries that carry a DLL name.
        report["imported_dll_count"] = sum(
            1 for entry in report["pe_imports"] if entry.get("dll"))

        # Decoded RAT configs are lifted verbatim from the sample (C2 hosts,
        # mutexes, ...): treat them as untrusted wherever they are shown.
        rat_config = darkcomet.extract_config(self.file_path, self.pe)
        if rat_config:
            report["darkcomet_config"] = rat_config
        rat_config = njrat.extract_config(self.file_path)
        if rat_config:
            report["njrat_config"] = rat_config

        return report
    def run(self):
        """Produce the static analysis results for ``self.file_path``.

        Parses the (untrusted) sample with pefile and, if that succeeds,
        runs each extractor in a fixed order - some may rely on state left
        behind by an earlier one - then the DarkComet and njRAT config
        decoders. ``_get_icon`` is commented out in this revision and is
        not run.

        @return: results dict, or None if the file is absent or pefile
            rejects it with PEFormatError.
        """
        if not os.path.exists(self.file_path):
            return None

        # NOTE(review): only PEFormatError is caught. Other exceptions from
        # pefile on a malformed sample propagate; confirm the caller handles
        # them.
        try:
            self.pe = pefile.PE(self.file_path)
        except pefile.PEFormatError:
            return None

        # Ordered (key, extractor) table; order is significant.
        extractors = (
            ("peid_signatures", self._get_peid_signatures),
            ("pe_imagebase", self._get_imagebase),
            ("pe_entrypoint", self._get_entrypoint),
            ("pe_imports", self._get_imported_symbols),
            ("pe_exports", self._get_exported_symbols),
            ("pe_dirents", self._get_directory_entries),
            ("pe_sections", self._get_sections),
            ("pe_overlay", self._get_overlay),
            ("pe_resources", self._get_resources),
            ("pe_versioninfo", self._get_versioninfo),
            ("pe_imphash", self._get_imphash),
            ("pe_timestamp", self._get_timestamp),
            ("digital_signers", self._get_digital_signers),
        )
        report = {}
        for key, extract in extractors:
            report[key] = extract()

        # How many import entries name a DLL.
        report["imported_dll_count"] = sum(
            1 for entry in report["pe_imports"] if entry.get("dll"))

        # Config decoder output comes straight from the sample; consumers
        # must treat the values (C2 addresses etc.) as hostile data.
        rat_config = darkcomet.extract_config(self.file_path, self.pe)
        if rat_config:
            report["darkcomet_config"] = rat_config
        rat_config = njrat.extract_config(self.file_path)
        if rat_config:
            report["njrat_config"] = rat_config

        return report