Redo the static analysis code, namespace each kind of static analysis…
… to avoid django clutter. Add the basic code needed for the to-be-added Java static analysis. Remove RAT config clutter, pull in an AlienSpy decoder from Kevin Breen and add iconfuzzy/iconhash search to the normal web interface (it was only in the API before).
brad-sp committed Oct 28, 2015
1 parent f54cad8 commit 4b8f2aa
Showing 12 changed files with 335 additions and 241 deletions.
4 changes: 4 additions & 0 deletions cuckoo.pyproj
Expand Up @@ -129,6 +129,9 @@
<Compile Include="analyzer\windows\modules\packages\swf.py" />
<Compile Include="cuckoo.py" />
<Compile Include="agent\agent.py" />
<Compile Include="lib\cuckoo\common\decoders\alienspy.py">
<SubType>Code</SubType>
</Compile>
<Compile Include="lib\cuckoo\common\decoders\darkcomet.py">
<SubType>Code</SubType>
</Compile>
Expand Down Expand Up @@ -397,6 +400,7 @@
<Content Include="web\templates\analysis\comments\index.html" />
<Content Include="web\templates\analysis\network\_smtp.html" />
<Content Include="web\templates\analysis\static\_dotnet.html" />
<Content Include="web\templates\analysis\static\_java.html" />
<Content Include="web\templates\analysis\statistics\index.html" />
<Content Include="web\templates\analysis\similar\index.html" />
<Content Include="web\templates\analysis\network\_cif.html" />
88 changes: 42 additions & 46 deletions data/html/sections/static.html
Expand Up @@ -2,9 +2,7 @@
<div class="section-title">
<h4>Static Analysis</h4>
</div>
{% if results.static or results.strings %}
{% if results.static %}
{% if results.static.pe_imagebase or results.static.pe_entrypoint or results.static.pe_osversion or results.static.pe_pdbpath or results.static.pe_timestamp or results.static.pe_imphash or results.static.pe_icon %}
{% if results.static and results.static.pe %}
<div>
{% if summary_report %}
<h4>PE Information</h4>
Expand All @@ -14,85 +12,84 @@ <h4><a href="javascript:showHide('pe_information');">PE Information</a></h4>
<div id="pe_information" style="display: none;">
{% endif %}
<table class="table table-striped table-bordered" style="table-layout: fixed;">
{% if results.static.pe_imagebase %}
{% if results.static.pe.imagebase %}
<tr>
<th style="width: 15%;">Image Base</th>
<td>{{results.static.pe_imagebase}}</td>
<td>{{results.static.pe.imagebase}}</td>
</tr>
{% endif %}
{% if results.static.pe_entrypoint %}
{% if results.static.pe.entrypoint %}
<tr>
<th style="width: 15%;">Entry Point</th>
<td>{{results.static.pe_entrypoint}}</td>
<td>{{results.static.pe.entrypoint}}</td>
</tr>
{% endif %}
{% if results.static.pe_reported_checksum %}
{% if results.static.pe.reported_checksum %}
<tr>
<th style="width: 15%;">Reported Checksum</th>
<td>{{results.static.pe_reported_checksum}}</td>
<td>{{results.static.pe.reported_checksum}}</td>
</tr>
{% endif %}
{% if results.static.pe_actual_checksum %}
{% if results.static.pe.actual_checksum %}
<tr>
<th style="width: 15%;">Actual Checksum</th>
<td>{{results.static.pe_actual_checksum}}</td>
<td>{{results.static.pe.actual_checksum}}</td>
</tr>
{% endif %}
{% if results.static.pe_osversion %}
{% if results.static.pe.osversion %}
<tr>
<th style="width: 15%;">Minimum OS Version</th>
<td>{{results.static.pe_osversion}}</td>
<td>{{results.static.pe.osversion}}</td>
</tr>
{% endif %}
{% if results.static.pe_pdbpath %}
{% if results.static.pe.pdbpath %}
<tr>
<th style="width: 15%;">PDB Path</th>
<td>{{results.static.pe_pdbpath}}</td>
<td>{{results.static.pe.pdbpath}}</td>
</tr>
{% endif %}
{% if results.static.pe_timestamp %}
{% if results.static.pe.timestamp %}
<tr>
<th style="width: 15%;">Compile Time</th>
<td>{{results.static.pe_timestamp}}</td>
<td>{{results.static.pe.timestamp}}</td>
</tr>
{% endif %}
{% if results.static.pe_imphash %}
{% if results.static.pe.imphash %}
<tr>
<th style="width: 15%;">Import Hash</th>
<td>{{results.static.pe_imphash}}</td>
<td>{{results.static.pe.imphash}}</td>
</tr>
{% endif %}
{% if results.static.pe_icon %}
{% if results.static.pe.icon %}
<tr>
<th style="width: 15%;">Icon</th>
<td><img src="data:image/jpeg;base64,{{results.static.pe_icon}}"/></td>
<td><img src="data:image/jpeg;base64,{{results.static.pe.icon}}"/></td>
</tr>
{% endif %}
{% if results.static.pe_icon_hash %}
{% if results.static.pe.icon_hash %}
<tr>
<th style="width: 15%;">Icon Exact Hash</th>
<td>{{results.static.pe_icon_hash}}</td>
<td>{{results.static.pe.icon_hash}}</td>
</tr>
{% endif %}
{% if results.static.pe_icon_fuzzy %}
{% if results.static.pe.icon_fuzzy %}
<tr>
<th style="width: 15%;">Icon Similarity Hash</th>
<td>{{results.static.pe_icon_fuzzy}}</td>
<td>{{results.static.pe.icon_fuzzy}}</td>
</tr>
{% endif %}
{% if results.static.pe_exported_dll_name %}
{% if results.static.pe.exported_dll_name %}
<tr>
<th style="width: 15%;">Exported DLL Name</th>
<td>{{results.static.pe_exported_dll_name}}</td>
<td>{{results.static.pe.exported_dll_name}}</td>
</tr>
{% endif %}
</table>
</div>
</div>
<hr />
{% endif %}

{% if results.static.pe_versioninfo %}
{% if results.static.pe.versioninfo %}
<div>
{% if summary_report %}
<h4>Version Infos</h4>
Expand All @@ -106,7 +103,7 @@ <h4><a href="javascript:showHide('pe_versioninfo');">Version Infos</a></h4>
<col width="150" />
<col width="*" />
</colgroup>
{% for info in results.static.pe_versioninfo %}
{% for info in results.static.pe.versioninfo %}
{% if info.name %}
<tr>
<td><strong>{{info.name}}</strong>:</td>
Expand All @@ -119,7 +116,7 @@ <h4><a href="javascript:showHide('pe_versioninfo');">Version Infos</a></h4>
</div>
{% endif %}

{% if results.static.pe_sections %}
{% if results.static.pe.sections %}
<div>
{% if summary_report %}
<h4>Sections</h4>
Expand All @@ -137,7 +134,7 @@ <h4><a href="javascript:showHide('pe_sections');">Sections</a></h4>
<th>Characteristics</th>
<th>Entropy</th>
</tr>
{% for section in results.static.pe_sections %}
{% for section in results.static.pe.sections %}
<tr>
<td>{{section.name}}</td>
<td>{{section.virtual_address}}</td>
Expand All @@ -152,7 +149,7 @@ <h4><a href="javascript:showHide('pe_sections');">Sections</a></h4>
</div>
{% endif %}

{% if results.static.pe_overlay %}
{% if results.static.pe.overlay %}
<div>
{% if summary_report %}
<h4>Overlay</h4>
Expand All @@ -168,18 +165,18 @@ <h4><a href="javascript:showHide('pe_overlay');">Overlay</a></h4>
</colgroup>
<tr>
<td><strong>Offset</strong>:</td>
<td>{{results.static.pe_overlay.offset}}</td>
<td>{{results.static.pe.overlay.offset}}</td>
</tr>
<tr>
<td><strong>Size</strong>:</td>
<td>{{results.static.pe_overlay.size}}</td>
<td>{{results.static.pe.overlay.size}}</td>
</tr>
</table>
</div>
</div>
{% endif %}

{% if results.static.pe_resources %}
{% if results.static.pe.resources %}
<div>
{% if summary_report %}
<h4>Resources</h4>
Expand All @@ -198,7 +195,7 @@ <h4><a href="javascript:showHide('pe_resources');">Resources</a></h4>
<th>Entropy</th>
<th>File type</th>
</tr>
{% for section in results.static.pe_resources %}
{% for section in results.static.pe.resources %}
<tr>
<td>{{section.name}}</td>
<td>{{section.offset}}</td>
Expand All @@ -214,7 +211,7 @@ <h4><a href="javascript:showHide('pe_resources');">Resources</a></h4>
</div>
{% endif %}

{% if results.static.pe_imports %}
{% if results.static.pe.imports %}
<div>
{% if summary_report %}
<h4>Imports</h4>
Expand All @@ -223,7 +220,7 @@ <h4>Imports</h4>
<h4><a href="javascript:showHide('pe_imports');">Imports</a></h4>
<div id="pe_imports" style="display: none;">
{% endif %}
{% for library in results.static.pe_imports %}
{% for library in results.static.pe.imports %}
<div class="well">
<div><strong>Library {{library.dll}}</strong>:</div>
{% for function in library.imports %}
Expand All @@ -235,7 +232,7 @@ <h4><a href="javascript:showHide('pe_imports');">Imports</a></h4>
</div>
{% endif %}

{% if results.static.pe_exports %}
{% if results.static.pe.exports %}
<div>
{% if summary_report %}
<h4>Exports</h4>
Expand All @@ -250,7 +247,7 @@ <h4><a href="javascript:showHide('pe_exports');">Exports</a></h4>
<th>Address</th>
<th>Name</th>
</tr>
{% for export in results.static.pe_exports %}
{% for export in results.static.pe.exports %}
<tr>
<td>{{export.ordinal}}</td>
<td>{{export.address}}</td>
Expand All @@ -261,9 +258,9 @@ <h4><a href="javascript:showHide('pe_exports');">Exports</a></h4>
</div>
</div>
{% endif %}
{% endif %}
{% endif %}

{% if results.strings and not summary_report %}
{% if results.strings and not summary_report %}
<div>
<h4><a href="javascript:showHide('strings');">Strings</a></h4>
<div id="strings" style="display: none;">
Expand All @@ -272,10 +269,9 @@ <h4><a href="javascript:showHide('strings');">Strings</a></h4>
{% endfor %}
</div>
</div>
{% endif %}

{% endif %}

{% else %}
{% if not results.strings and not results.static %}
Nothing to display.
{% endif %}
</section>
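Review bot: The "Nothing to display" fallback at the bottom of the section no longer mirrors the guard that opens it: the PE block is now gated on `{% if results.static and results.static.pe %}`, but the fallback fires only when `results.static` itself is empty, so a static result that has no `pe` sub-dict (the namespaced layout this commit introduces for other file kinds) and no strings renders an empty section with no message at all. Changing the fallback to `{% if not results.static.pe and not results.strings %}` keeps the two conditions in step. The strings block is additionally suppressed under `summary_report`, so a summary report whose only static output is strings also shows nothing; whether that is intended is not visible from this hunk.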
72 changes: 72 additions & 0 deletions lib/cuckoo/common/decoders/alienspy.py
@@ -0,0 +1,72 @@
# Copyright (C) 2014-2015 Kevin Breen (http://techanarchy.net)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

import os
import re
import sys
import json
import string
from zipfile import ZipFile
from cStringIO import StringIO

#Non Standard Imports
from Crypto.Cipher import ARC4

#Helper Functions Go Here

def string_print(line):
try:
return filter(lambda x: x in string.printable, str(line))
except:
return line

####RC4 Cipher ####
def decrypt_RC4(enckey, data):
cipher = ARC4.new(enckey) # set the ciper
return cipher.decrypt(data) # decrypt the data

def parse_config(raw_config):
config_dict = {}
if 'JSocket' in raw_config:
config = json.loads(raw_config)
for k, v in config.iteritems():
config_dict[k] = v
else:
for line in raw_config.split('\n'):
if line.startswith('<entry key'):
config_dict[re.findall('key="(.*?)"', line)[0]] = re.findall('>(.*?)</entry', line)[0]
return config_dict

def extract_config(file_name):
enckey = coded_jar = False
config = None
try:
with ZipFile(file_name, 'r') as zip:
for name in zip.namelist():
if name == 'ID':
pre_key = zip.read(name)
enckey = '{0}H3SUW7E82IKQK2J2J2IISIS'.format(pre_key)
elif name == 'a.txt':
pre_key = zip.read(name)
enckey = '{0}{1}{0}{1}a'.format('plowkmsssssPosq34r', pre_key)
if name == 'MANIFEST.MF':
coded_jar = zip.read(name)
elif name == 'b.txt':
coded_jar = zip.read(name)

if enckey and coded_jar:
decoded_data = decrypt_RC4(enckey, coded_jar)
decoded_jar = StringIO(decoded_data)
else:
return

with ZipFile(decoded_jar) as zip:
for name in zip.namelist():
if name in ['config.xml', 'org/jsocket/resources/config.json']:
raw_config = zip.read(name)
config = parse_config(raw_config)
except:
pass
return config
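Review bot: extract_config inflates attacker-controlled JAR members fully into memory — `zip.read(name)` on ID, a.txt, MANIFEST.MF and b.txt, and again on the RC4-decrypted inner archive — with no size bound, so a submitted sample carrying a deflate bomb in one of those members can exhaust the process running the decoders; the reads should be capped, and the cap should be enforced on the inflated bytes rather than on the declared `file_size`, because the central directory is part of the untrusted sample. The trailing bare `except: pass` then hides the resulting MemoryError together with every other failure (a wrong key raises BadZipfile on the inner `ZipFile(decoded_jar)`, a malformed `<entry key` line raises IndexError inside parse_config), so a broken decoder is indistinguishable from a non-AlienSpy sample; narrowing it to `except Exception as e:` and logging the exception at debug level costs nothing and keeps the best-effort contract. A bounded-read helper is sketched below; as a side note, `os`, `sys` and `string_print` are not used anywhere in this file and can be dropped.

```python
MAX_MEMBER_SIZE = 8 * 1024 * 1024  # largest JAR member we are willing to inflate

def _read_member(archive, name):
    """Return the inflated bytes of a member, or None if it exceeds MAX_MEMBER_SIZE.

    The limit is applied to the inflated output, not to the size declared in
    the central directory, since the sample controls both.
    """
    with archive.open(name) as member:
        data = member.read(MAX_MEMBER_SIZE + 1)
    if len(data) > MAX_MEMBER_SIZE:
        return None
    return data

# … unchanged: decrypt_RC4, parse_config …
# in extract_config each zip.read(name) becomes _read_member(zip, name),
# and a None result is treated exactly like a missing member.
```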
