2016-12-07 17:36:31 +01:00
|
|
|
import json
|
2018-12-11 15:29:09 +01:00
|
|
|
import base64
|
2016-12-07 17:36:31 +01:00
|
|
|
|
|
|
|
|
misperrors = {'error': 'Error'}
|
|
|
|
|
userConfig = {}
|
|
|
|
|
inputSource = ['file']
|
|
|
|
|
|
|
|
|
|
moduleinfo = {'version': '0.1', 'author': 'Victor van der Stoep',
|
|
|
|
|
'description': 'Cuckoo JSON import',
|
|
|
|
|
'module-type': ['import']}
|
|
|
|
|
|
|
|
|
|
moduleconfig = []
|
|
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
def handler(q=False):
|
|
|
|
|
# Just in case we have no data
|
|
|
|
|
if q is False:
|
|
|
|
|
return False
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# The return value
|
|
|
|
|
r = {'results': []}
|
|
|
|
|
|
|
|
|
|
# Load up that JSON
|
2018-12-11 15:29:09 +01:00
|
|
|
q = json.loads(q)
|
2016-12-07 17:36:31 +01:00
|
|
|
data = base64.b64decode(q.get("data")).decode('utf-8')
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# If something really weird happened
|
|
|
|
|
if not data:
|
|
|
|
|
return json.dumps({"success": 0})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
data = json.loads(data)
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
# Get characteristics of file
|
2016-12-07 17:36:31 +01:00
|
|
|
targetFile = data['target']['file']
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# Process the inital binary
|
2018-12-11 15:29:09 +01:00
|
|
|
processBinary(r, targetFile, initial=True)
|
|
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# Get binary information for dropped files
|
|
|
|
|
if(data.get('dropped')):
|
|
|
|
|
for droppedFile in data['dropped']:
|
2018-12-11 15:29:09 +01:00
|
|
|
processBinary(r, droppedFile, dropped=True)
|
|
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# Add malscore to results
|
2018-12-11 15:29:09 +01:00
|
|
|
r["results"].append({
|
|
|
|
|
"values": "Malscore: {} ".format(data['malscore']),
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "comment",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": "Payload delivery",
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": "Cuckoo analysis: MalScore"
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# Add virustotal data, if exists
|
|
|
|
|
if(data.get('virustotal')):
|
|
|
|
|
processVT(r, data['virustotal'])
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# Add network information, should be improved
|
|
|
|
|
processNetwork(r, data['network'])
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# Add behavioral information
|
|
|
|
|
processSummary(r, data['behavior']['summary'])
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
# Return
|
2016-12-07 17:36:31 +01:00
|
|
|
return r
|
|
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
def processSummary(r, summary):
|
2018-12-11 15:29:09 +01:00
|
|
|
r["results"].append({
|
|
|
|
|
"values": summary['mutexes'],
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "mutex",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": "Artifacts dropped",
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": "Cuckoo analysis: Observed mutexes"
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
def processVT(r, virustotal):
|
|
|
|
|
category = "Antivirus detection"
|
2018-12-11 15:29:09 +01:00
|
|
|
comment = "VirusTotal analysis"
|
|
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
if(virustotal.get('permalink')):
|
2018-12-11 15:29:09 +01:00
|
|
|
r["results"].append({
|
|
|
|
|
"values": virustotal['permalink'],
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "link",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comments": comment + " - Permalink"
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
if(virustotal.get('total')):
|
2018-12-11 15:29:09 +01:00
|
|
|
r["results"].append({
|
2016-12-07 17:36:31 +01:00
|
|
|
"values": "VirusTotal detection rate {}/{}".format(
|
|
|
|
|
virustotal['positives'],
|
|
|
|
|
virustotal['total']
|
2018-12-11 15:29:09 +01:00
|
|
|
),
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "comment",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": comment
|
2018-12-11 15:29:09 +01:00
|
|
|
})
|
|
|
|
|
else:
|
|
|
|
|
r["results"].append({
|
|
|
|
|
"values": "Sample not detected on VirusTotal",
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "comment",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": comment
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
|
|
|
|
|
def processNetwork(r, network):
|
|
|
|
|
category = "Network activity"
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
for host in network['hosts']:
|
2018-12-11 15:29:09 +01:00
|
|
|
r["results"].append({
|
|
|
|
|
"values": host['ip'],
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "ip-dst",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": "Cuckoo analysis: Observed network traffic"
|
|
|
|
|
})
|
|
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
def processBinary(r, target, initial=False, dropped=False):
|
|
|
|
|
if(initial):
|
2016-12-07 17:36:31 +01:00
|
|
|
comment = "Cuckoo analysis: Initial file"
|
|
|
|
|
category = "Payload delivery"
|
|
|
|
|
elif(dropped):
|
|
|
|
|
category = "Artifacts dropped"
|
|
|
|
|
comment = "Cuckoo analysis: Dropped file"
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
r["results"].append({
|
|
|
|
|
"values": target['name'],
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "filename",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": comment
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
r["results"].append({
|
|
|
|
|
"values": target['md5'],
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "md5",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": comment
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
r["results"].append({
|
|
|
|
|
"values": target['sha1'],
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "sha1",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": comment
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
r["results"].append({
|
|
|
|
|
"values": target['sha256'],
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "sha256",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": comment
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
|
|
|
|
r["results"].append({
|
|
|
|
|
"values": target['sha512'],
|
2016-12-07 17:36:31 +01:00
|
|
|
"types": "sha512",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": category,
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": comment
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
# todo : add file size?
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
if(target.get('guest_paths')):
|
2018-12-11 15:29:09 +01:00
|
|
|
r["results"].append({
|
2016-12-07 17:36:31 +01:00
|
|
|
"values": target['guest_paths'],
|
|
|
|
|
"types": "filename",
|
2018-12-11 15:29:09 +01:00
|
|
|
"categories": "Payload installation",
|
2016-12-07 17:36:31 +01:00
|
|
|
"comment": comment + " - Path"
|
|
|
|
|
})
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
|
|
|
|
|
def introspection():
|
|
|
|
|
modulesetup = {}
|
|
|
|
|
try:
|
|
|
|
|
userConfig
|
|
|
|
|
modulesetup['userConfig'] = userConfig
|
|
|
|
|
except NameError:
|
|
|
|
|
pass
|
|
|
|
|
try:
|
|
|
|
|
inputSource
|
|
|
|
|
modulesetup['inputSource'] = inputSource
|
|
|
|
|
except NameError:
|
|
|
|
|
pass
|
|
|
|
|
return modulesetup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def version():
|
|
|
|
|
moduleinfo['config'] = moduleconfig
|
|
|
|
|
return moduleinfo
|
|
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
if __name__ == '__main__':
|
|
|
|
|
x = open('test.json', 'r')
|
|
|
|
|
q = []
|
|
|
|
|
q['data'] = x.read()
|
|
|
|
|
q = base64.base64encode(q)
|
2018-12-11 15:29:09 +01:00
|
|
|
|
2016-12-07 17:36:31 +01:00
|
|
|
handler(q)
|
