import utils
import os, pwd, shutil
import magic
import hashlib
import datetime
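def get_md5(malware_path):
    """Return the hex MD5 digest of the file at *malware_path*.

    The file is opened in binary mode and hashed in fixed-size chunks, so a
    large sample is never loaded into memory whole and the handle is always
    closed (the original used the Python 2 only ``file()`` builtin, read the
    whole file at once and never closed it). MD5 is kept because sample
    records carry an ``md5`` field; it is not collision resistant, so use
    ``get_sha256`` for anything that decides identity.
    """
    digest = hashlib.md5()
    with open(malware_path, 'rb') as handle:
        for chunk in iter(lambda: handle.read(1024 * 1024), b''):
            digest.update(chunk)
    return digest.hexdigest()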
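def get_sha256(malware_path):
    """Return the hex SHA-256 digest of the file at *malware_path*.

    The file is opened in binary mode and hashed in fixed-size chunks, so a
    large sample is never loaded into memory whole and the handle is always
    closed (the original used the Python 2 only ``file()`` builtin, read the
    whole file at once and never closed it). This digest names the sample's
    storage directory, so it must be computed over the exact bytes on disk.
    """
    digest = hashlib.sha256()
    with open(malware_path, 'rb') as handle:
        for chunk in iter(lambda: handle.read(1024 * 1024), b''):
            digest.update(chunk)
    return digest.hexdigest()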
def get_ssdeep(malware_path):
    """Placeholder for the pyssdeep fuzzy-hash wrapper.

    No fuzzy hash is computed yet; a fixed marker string is returned for
    every *malware_path* so callers that store the value keep working.
    """
    placeholder = "Not yet implimented"
    return placeholder
def get_mimetype(malware_path):
    """Return the MIME type name libmagic detects for the file at *malware_path*."""
    detector = magic.Magic(mime=True)
    mimetype = detector.from_file(malware_path)
    return mimetype
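def get_yara(malware_path, yara_rules):
    """Check a sample against a YARA ruleset and return the matched rule names.

    Args:
        malware_path: path of the file to scan.
        yara_rules: path of the rules file; ``include`` directives are honoured.

    Returns:
        A list of matched rule names as strings, or an empty list when the
        rules cannot be compiled or the scan fails (a ``yara.Error``). The
        reason is printed, naming the rules path, because the original
        message ("signature file doesn't exist") was also shown for rule
        syntax errors and scan failures and sent people looking at the
        wrong thing.

    Raises:
        ImportError: if the optional ``yara`` module is not installed; this
            is deliberately not swallowed so the missing dependency is visible.
    """
    import yara  # optional dependency; ImportError propagates to the caller

    try:
        rules = yara.compile(filepath=yara_rules, includes=True)
        matches = rules.match(malware_path)
    except yara.Error as err:
        print("Yara rules could not be applied (%s): %s" % (yara_rules, err))
        return []
    return [str(match) for match in matches]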
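class MalwareSample(object):
    """A piece of malware stored in Malwarehouse.

    Constructing an instance hashes the sample, runs the YARA ruleset over
    it and copies the file into a per-sample directory under the configured
    ``settings/basedir`` (see ``initialize_sample_environment``).

    Attributes set here: ``malware_path``, ``filename``, ``config``,
    ``yara_rules``, ``hash_md5``, ``hash_sha256``, ``meta_tags``,
    ``meta_source``, ``meta_notes`` and the ``analysis_*`` attributes.
    ``details`` additionally reads ``self.malware_definition``, which nothing
    in this class assigns; presumably the caller that loads a stored record
    attaches it -- verify against the callers.
    """

    def __init__(self, malware_path, config, sample_source="", sample_notes="", yara_rules=None):
        """Register a sample and set up its on-disk environment.

        Args:
            malware_path: path of the file to ingest.
            config: object exposing ``get(section, option)``; the
                ``settings/yararules`` and ``settings/basedir`` options are read.
            sample_source: free-text origin of the sample.
            sample_notes: comma-separated notes, stored as a list.
            yara_rules: rules file path; falls back to ``settings/yararules``.
        """
        super(MalwareSample, self).__init__()
        self.malware_path = malware_path
        self.filename = os.path.basename(malware_path)
        self.config = config
        self.yara_rules = yara_rules if yara_rules else self.config.get('settings', 'yararules')
        # Hash characteristics
        self.hash_md5 = get_md5(malware_path)
        self.hash_sha256 = get_sha256(malware_path)
        # Meta characteristics. Scan with the resolved rules path: the
        # original passed the raw argument, so the configured default was
        # never used when yara_rules was omitted.
        self.meta_tags = get_yara(malware_path, self.yara_rules)
        self.meta_source = sample_source
        # An empty notes string yields no notes rather than [''].
        self.meta_notes = [note for note in sample_notes.split(',') if note]
        self.initialize_sample_environment()

    def initialize_sample_environment(self):
        """Create the per-sample directory tree and copy the sample into it.

        Layout: ``<basedir>/<sha256>/bin/<filename>`` holds the sample and
        ``<basedir>/<sha256>/report`` holds analysis output. Directories that
        already exist are reused, so re-ingesting a known sample no longer
        fails on ``makedirs``. Sets the ``analysis_*`` attributes.
        """
        base_dir = os.path.expanduser(self.config.get('settings', 'basedir'))
        sample_dir = os.path.join(base_dir, self.hash_sha256)
        bin_dir = os.path.join(sample_dir, "bin")
        report_dir = os.path.join(sample_dir, "report")
        # Create the sample root and analysis directories, tolerating any
        # that already exist (the sample may have been ingested before).
        for path in (sample_dir, bin_dir, report_dir):
            if not os.path.isdir(path):
                os.makedirs(path)
        # Analysis characteristics
        self.analysis_datetime = str(datetime.datetime.now())  # local, naive time
        self.analysis_user = pwd.getpwuid(os.getuid()).pw_name
        self.analysis_sample_directory = sample_dir
        # Malware binary location
        self.analysis_sample_location = os.path.join(bin_dir, self.filename)
        # Reports location
        self.analysis_report_directory = report_dir
        # Copy the file contents only: unlike shutil.copy, copyfile does not
        # carry the source's mode bits across, so a stored sample never
        # inherits an execute bit from wherever it was picked up.
        print("Copying sample to %s" % self.analysis_sample_location)
        shutil.copyfile(self.malware_path, self.analysis_sample_location)

    @staticmethod
    def summary(malware_definition):
        """Return a one-line ``- name (source) - md5`` summary of a stored record.

        Args:
            malware_definition: mapping with at least the ``name``, ``source``
                and ``md5`` keys.
        """
        return "- %s (%s) - %s" % (
            malware_definition['name'],
            malware_definition['source'],
            malware_definition['md5'],
        )

    @staticmethod
    def _row(label, value):
        """Return one report line: *label* padded to a fixed column, then *value*."""
        return label.ljust(25) + "%s" % (value,)

    def details(self):
        """Return a multi-line, human-readable report of ``self.malware_definition``.

        Every label is padded to the same column (the original mixed widths
        of 24 to 26). Returns ``None``, after printing the reason, when the
        record is missing or lacks an expected key; the original caught every
        exception and then crashed while formatting the message because
        ``Exception.message`` is not an instance attribute.
        """
        try:
            record = self.malware_definition
            lines = [
                " Analysis ".center(50, "="),
                self._row("datetime:", record['datetime']),
                " File ".center(50, "="),
                self._row("sample name:", record['name']),
                self._row("mimetype:", record['mimetype']),
                self._row("size:", record['size']),
                " Hashes ".center(50, "="),
                self._row("md5:", record['md5']),
                self._row("sha256:", record['sha256']),
                " Meta ".center(50, "="),
                self._row("tags:", record['tags']),
                self._row("source:", record['source']),
                " Meta ".center(50, "="),
                self._row("notes:", record["notes"]),
                "sample directory: %s" % record["sample_dir"],
            ]
        except (AttributeError, KeyError) as err:
            print("%s - %s" % (type(err).__name__, err))
            return None
        return "\n".join(lines)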