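def run(self):
    """Run analysis.
    @return: analysis results dict or None.

    Returns None when the target does not exist on disk or pefile rejects it
    with PEFormatError.  The file under analysis is an untrusted sample, so
    the parsed object is only as trustworthy as pefile's own validation.
    Timing of the PEiD scan and of the config decoders is recorded through
    add_statistic() as wall-clock seconds with millisecond precision.
    """
    if not os.path.exists(self.file_path):
        return None

    try:
        self.pe = pefile.PE(self.file_path)
    except pefile.PEFormatError:
        # Not a PE, or too damaged to parse: nothing to report.
        # NOTE(review): pefile may raise other exception types on hostile or
        # truncated input; those propagate to the caller unchanged -- confirm
        # that is the intended contract.
        return None

    def elapsed_seconds(start, end):
        """Seconds between two datetimes, truncated to milliseconds.

        Whole days are folded into the seconds value: ``timedelta.seconds``
        on its own is only the 0-86399 component and silently drops days.
        Integer division keeps the ``%d`` formatting exact on Python 3,
        where ``microseconds / 1000`` would otherwise be a float.
        """
        delta = end - start
        whole_seconds = delta.days * 86400 + delta.seconds
        return float("%d.%03d" % (whole_seconds, delta.microseconds // 1000))

    results = {}

    # PEiD signature matching is scanned separately because it is the
    # most expensive static step.
    pretime = datetime.now()
    results["peid_signatures"] = self._get_peid_signatures()
    self.add_statistic("peid", "time", elapsed_seconds(pretime, datetime.now()))

    results["pe_imagebase"] = self._get_imagebase()
    results["pe_entrypoint"] = self._get_entrypoint()
    results["pe_reported_checksum"] = self._get_reported_checksum()
    results["pe_actual_checksum"] = self._get_actual_checksum()
    results["pe_osversion"] = self._get_osversion()
    results["pe_pdbpath"] = self._get_pdb_path()
    results["pe_imports"] = self._get_imported_symbols()
    results["pe_exported_dll_name"] = self._get_exported_dll_name()
    results["pe_exports"] = self._get_exported_symbols()
    results["pe_dirents"] = self._get_directory_entries()
    results["pe_sections"] = self._get_sections()
    results["pe_overlay"] = self._get_overlay()
    results["pe_resources"] = self._get_resources()
    results["pe_icon"], results["pe_icon_hash"], results["pe_icon_fuzzy"] = \
        self._get_icon_info()
    results["pe_versioninfo"] = self._get_versioninfo()
    results["pe_imphash"] = self._get_imphash()
    results["pe_timestamp"] = self._get_timestamp()
    results["digital_signers"] = self._get_digital_signers()

    # Only import entries that actually name a DLL count; entries with an
    # empty/missing "dll" key are skipped.
    results["imported_dll_count"] = len(
        [x for x in results["pe_imports"] if x.get("dll")])

    # RAT configuration decoders run against the raw sample; a decoder that
    # finds nothing returns a falsy value and adds no key.
    pretime = datetime.now()
    darkcomet_config = darkcomet.extract_config(self.file_path, self.pe)
    if darkcomet_config:
        results["darkcomet_config"] = darkcomet_config

    njrat_config = njrat.extract_config(self.file_path)
    if njrat_config:
        results["njrat_config"] = njrat_config
    self.add_statistic(
        "config_decoder", "time", elapsed_seconds(pretime, datetime.now()))

    return results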
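def run(self):
    """Run analysis.
    @return: analysis results dict or None.

    None is returned when the sample is missing from disk or pefile raises
    PEFormatError for it.  The sample is untrusted input; everything below
    relies on pefile to bound what it parses.  Two timings are reported via
    add_statistic(): the PEiD scan and the RAT config decoders.
    """
    if not os.path.exists(self.file_path):
        return None

    try:
        self.pe = pefile.PE(self.file_path)
    except pefile.PEFormatError:
        # NOTE(review): only PEFormatError is treated as "not a PE"; any other
        # exception raised while parsing a malformed sample propagates.
        return None

    def elapsed_seconds(start, end):
        """Seconds from start to end, truncated to millisecond precision.

        ``timedelta.seconds`` is the 0-86399 component only, so days are
        added back explicitly; ``//`` keeps the millisecond field an int
        so ``%03d`` formats it exactly.
        """
        delta = end - start
        return float("%d.%03d" % (
            delta.days * 86400 + delta.seconds, delta.microseconds // 1000))

    results = {}

    pretime = datetime.now()
    results["peid_signatures"] = self._get_peid_signatures()
    self.add_statistic("peid", "time", elapsed_seconds(pretime, datetime.now()))

    results["pe_imagebase"] = self._get_imagebase()
    results["pe_entrypoint"] = self._get_entrypoint()
    results["pe_reported_checksum"] = self._get_reported_checksum()
    results["pe_actual_checksum"] = self._get_actual_checksum()
    results["pe_osversion"] = self._get_osversion()
    results["pe_pdbpath"] = self._get_pdb_path()
    results["pe_imports"] = self._get_imported_symbols()
    results["pe_exported_dll_name"] = self._get_exported_dll_name()
    results["pe_exports"] = self._get_exported_symbols()
    results["pe_dirents"] = self._get_directory_entries()
    results["pe_sections"] = self._get_sections()
    results["pe_overlay"] = self._get_overlay()
    results["pe_resources"] = self._get_resources()
    results["pe_icon"], results["pe_icon_hash"], results["pe_icon_fuzzy"] = \
        self._get_icon_info()
    results["pe_versioninfo"] = self._get_versioninfo()
    results["pe_imphash"] = self._get_imphash()
    results["pe_timestamp"] = self._get_timestamp()
    results["digital_signers"] = self._get_digital_signers()

    # Count only import entries carrying a non-empty "dll" name.
    results["imported_dll_count"] = len(
        [x for x in results["pe_imports"] if x.get("dll")])

    # Config decoders: a decoder returning a falsy value adds no key.
    pretime = datetime.now()
    darkcomet_config = darkcomet.extract_config(self.file_path, self.pe)
    if darkcomet_config:
        results["darkcomet_config"] = darkcomet_config

    njrat_config = njrat.extract_config(self.file_path)
    if njrat_config:
        results["njrat_config"] = njrat_config
    self.add_statistic(
        "config_decoder", "time", elapsed_seconds(pretime, datetime.now()))

    return results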
def run(self):
    """Run analysis.
    @return: analysis results dict or None.

    None means the sample is absent from disk or pefile raised
    PEFormatError for it.  Only that exception is mapped to None; any
    other failure while parsing the (untrusted) sample propagates.
    """
    if not os.path.exists(self.file_path):
        return None

    try:
        self.pe = pefile.PE(self.file_path)
    except pefile.PEFormatError:
        return None

    # Key order is preserved from the original sequence of assignments so
    # serialised reports keep the same layout.
    extractors = (
        ("peid_signatures", self._get_peid_signatures),
        ("pe_imagebase", self._get_imagebase),
        ("pe_entrypoint", self._get_entrypoint),
        ("pe_osversion", self._get_osversion),
        ("pe_pdbpath", self._get_pdb_path),
        ("pe_imports", self._get_imported_symbols),
        ("pe_exports", self._get_exported_symbols),
        ("pe_dirents", self._get_directory_entries),
        ("pe_sections", self._get_sections),
        ("pe_overlay", self._get_overlay),
        ("pe_resources", self._get_resources),
        ("pe_icon", self._get_icon),
        ("pe_versioninfo", self._get_versioninfo),
        ("pe_imphash", self._get_imphash),
        ("pe_timestamp", self._get_timestamp),
        ("digital_signers", self._get_digital_signers),
    )
    report = {}
    for key, extractor in extractors:
        report[key] = extractor()

    # Import entries with an empty or missing "dll" name are not counted.
    report["imported_dll_count"] = sum(
        1 for entry in report["pe_imports"] if entry.get("dll"))

    # RAT config decoders only add a key when they actually recover something.
    for key, config in (
        ("darkcomet_config", darkcomet.extract_config(self.file_path, self.pe)),
        ("njrat_config", njrat.extract_config(self.file_path)),
    ):
        if config:
            report[key] = config

    return report
def run(self):
    """Run analysis.
    @return: analysis results dict or None.

    Yields None for a missing file or one pefile cannot parse
    (PEFormatError).  Icon extraction is intentionally not performed in
    this revision.
    """
    if not os.path.exists(self.file_path):
        return None

    try:
        self.pe = pefile.PE(self.file_path)
    except pefile.PEFormatError:
        # Other exceptions from parsing a hostile sample are not caught here.
        return None

    out = {}
    out["peid_signatures"] = self._get_peid_signatures()
    out["pe_imagebase"] = self._get_imagebase()
    out["pe_entrypoint"] = self._get_entrypoint()
    out["pe_imports"] = self._get_imported_symbols()
    out["pe_exports"] = self._get_exported_symbols()
    out["pe_dirents"] = self._get_directory_entries()
    out["pe_sections"] = self._get_sections()
    out["pe_overlay"] = self._get_overlay()
    out["pe_resources"] = self._get_resources()
    out["pe_versioninfo"] = self._get_versioninfo()
    out["pe_imphash"] = self._get_imphash()
    out["pe_timestamp"] = self._get_timestamp()
    out["digital_signers"] = self._get_digital_signers()

    # Only entries naming a DLL contribute to the count.
    named_dlls = [entry for entry in out["pe_imports"] if entry.get("dll")]
    out["imported_dll_count"] = len(named_dlls)

    # Each decoder contributes a key only when it recovers a config.
    darkcomet_cfg = darkcomet.extract_config(self.file_path, self.pe)
    if darkcomet_cfg:
        out["darkcomet_config"] = darkcomet_cfg
    njrat_cfg = njrat.extract_config(self.file_path)
    if njrat_cfg:
        out["njrat_config"] = njrat_cfg

    return out