From 29e681ef81ceea22ec3b91936fb89957ec4e5c83 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 13 May 2019 17:30:01 +0200 Subject: [PATCH] add: Parsing processes called by the file analyzed in the joe sandbox report --- misp_modules/modules/import_mod/joe_import.py | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/misp_modules/modules/import_mod/joe_import.py b/misp_modules/modules/import_mod/joe_import.py index e378bc2..bae920f 100644 --- a/misp_modules/modules/import_mod/joe_import.py +++ b/misp_modules/modules/import_mod/joe_import.py @@ -1,5 +1,6 @@ # -*- coding: utf-8 -*- from collections import defaultdict +from datetime import datetime from pymisp import MISPEvent, MISPObject import json import base64 @@ -25,6 +26,9 @@ pe_object_mapping = {'CompanyName': 'company-name', 'FileDescription': 'file-des 'LegalCopyright': 'legal-copyright', 'OriginalFilename': 'original-filename', 'ProductName': 'product-filename', 'ProductVersion': 'product-version', 'Translation': 'lang-id'} +process_object_fields = {'cmdline': 'command-line', 'name': 'name', + 'parentpid': 'parent-pid', 'pid': 'pid', + 'path': 'current-directory'} section_object_mapping = {'characteristics': ('text', 'characteristic'), 'entropy': ('float', 'entropy'), 'name': ('text', 'name'), 'rawaddr': ('hex', 'offset'), @@ -43,6 +47,7 @@ class JoeParser(): def parse_joe(self): self.parse_fileinfo() + self.parse_behavior() if self.references: self.build_references() self.finalize_results() 
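Review bot: In the new `process_object_fields` mapping the Joe `path` field is tied to the `current-directory` relation, which reads as the process working directory; if `path` in the Joe report is the executable's location rather than the working directory, the imported attribute is mislabelled for anyone correlating on it. I cannot confirm the Joe field semantics from the hunk, so at least pin the assumption: `'path': 'current-directory'}  # NOTE: confirm Joe 'path' is the CWD, not the image path`. A one-line comment above the dict saying that keys are Joe report field names and values are MISP process-object relations would also make the table self-explanatory, matching the untitled `pe_object_mapping` it sits next to.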
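Review bot: `self.parse_behavior()` is now called unconditionally from `parse_joe`, and the parser code it reaches (in the later hunk) indexes `self.data['behavior']` directly, so a report with no behavior section — as far as I can tell, e.g. a sample that was only analysed statically — would abort the import with a KeyError after `parse_fileinfo` has already populated the event. A one-line guard keeps such reports importable: `if 'behavior' in self.data: self.parse_behavior()`. parse_joe appears complete in the hunk, but the class continues outside it.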
@@ -54,6 +59,24 @@ class JoeParser(): for reference in self.references[object_uuid]: misp_object.add_reference(reference['idref'], reference['relationship']) + def parse_behavior(self): + self.parse_behavior_system() + self.parse_behavior_network() + + def parse_behavior_network(self): + network = self.data['behavior']['network'] + + def parse_behavior_system(self): + processes = self.data['behavior']['system']['processes']['process'][0] + general = processes['general'] + process_object = MISPObject('process') + for feature, relation in process_object_fields.items(): + process_object.add_attribute(relation, **{'type': 'text', 'value': general[feature]}) + start_time = datetime.strptime('{} {}'.format(general['date'], general['time']), '%d/%m/%Y %H:%M:%S') + process_object.add_attribute('start-time', **{'type': 'datetime', 'value': start_time}) + self.misp_event.add_object(**process_object) + self.references[self.fileinfo_uuid].append({'idref': process_object.uuid, 'relationship': 'calls'}) + def parse_fileinfo(self): fileinfo = self.data['fileinfo'] file_object = MISPObject('file')
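Review bot: `parse_behavior_system` reads only `['process'][0]`, so despite the commit title just the first process of the report is imported, and an empty process list raises IndexError; every other lookup (`self.data['behavior']...`, `general[feature]`) is a hard index too, so a single absent field in a Joe report — output describing an attacker-chosen sample, so not something the importer should assume is well-formed — aborts the whole import. Iterating over all processes and skipping absent fields addresses both, as sketched below; the `strptime` pattern `%d/%m/%Y %H:%M:%S` is a further assumption about the report's date format that raises ValueError if it differs, which I cannot confirm from the hunk. `parse_behavior_network` assigns `network` and never uses it, so it should be a `pass` with a TODO (or dropped until the network parsing lands) rather than a dead lookup that can itself raise KeyError. The enclosing class starts before the hunk and `parse_fileinfo` continues after it.
```python
    def parse_behavior_system(self):
        try:
            processes = self.data['behavior']['system']['processes']['process']
        except KeyError:
            return  # report carries no system-behaviour section; nothing to import
        for process in processes:
            general = process['general']
            process_object = MISPObject('process')
            for feature, relation in process_object_fields.items():
                if feature in general:
                    process_object.add_attribute(relation, **{'type': 'text', 'value': general[feature]})
            # … unchanged (now per process): start-time attribute, add_object, 'calls' reference …
```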