Merge pull request #4 from mboman/8479df2e0b20afada0a73e407f580c782e1…

…88350

Created signature to look for the creation of empty files
commit 980e5030a4ba606810674177c3d90977f7f9c37a 2 parents 10e8c1a + 8479df2
@botherder botherder authored
32 modules/signatures/empty_file.py
@@ -0,0 +1,32 @@
+# Copyright (C) 2012 Michael Boman (@mboman)
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from lib.cuckoo.common.abstracts import Signature
+
+class EmptyFile(Signature):
+ name = "empty_file"
+ description = "Creates a empty file"
+ severity = 2
+ categories = ["generic"]
+ authors = ["Michael Boman"]
+ minimum = "0.4"
+
+ def run(self, results):
+ for dropped_files in results["dropped"]:
+ if dropped_files["size"] == 0:
+ self.data.append({"dropped_files" : dropped_files})
+ return True
+
+ return False
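Review bot: The `return True` directly under `if dropped_files["size"] == 0:` exits the loop on the first empty dropped file, so `self.data` records at most one match even when the sample created several; use a flag instead — `matched = False` before the loop, `matched = True` in place of the early `return True`, and `return matched` at the end. The loop also indexes `results["dropped"]` directly, so if the results dict carries no `dropped` entry (presumably when nothing was dropped or that processing module was disabled — worth confirming against the Cuckoo results schema) the signature raises KeyError during report processing instead of returning False; `results.get("dropped", [])` avoids that. The user-facing `description` reads "Creates a empty file" and should be `description = "Creates an empty file"`. A one-line docstring on `run` stating that it matches every dropped file whose `size` is 0 would document the contract.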
29 modules/signatures/known_virustotal.py
@@ -0,0 +1,29 @@
+from lib.cuckoo.common.abstracts import Signature
+
+class KnownVirustotal(Signature):
+ name = "known_virustotal"
+ description = "File has been identified by AV on virustotal as malicious"
+ severity = 3
+ categories = ["generic"]
+ authors = ["Michael Boman"]
+
+ def run(self, results):
+ try:
+ results["virustotal"]
+ #if results["virustotal"]["positives"] != None:
+ # print "results['virustotal']['positives'] = " + str(results["virustotal"]["positives"])
+ # print "results['virustotal']['total'] = " + str(results["virustotal"]["total"])
+ # percent_f = (float(results["virustotal"]["positives"]) / float(results["virustotal"]["total"])) * 100.0
+ # percent_i = int(percent_f)
+ # print "Detection rate: " + str(percent_f) + "%"
+ # print "Detection rate: " + str(percent_i) + "%"
+ except NameError:
+ return False
+ else:
+ percent_f = (float(results["virustotal"]["positives"]) / float(results["virustotal"]["total"])) * 100.0
+ percent_i = int(percent_f)
+ if results["virustotal"]["positives"] > 0:
+ self.data.append({"virus_total" : results["virustotal"]})
+ return True
+
+ return False
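Review bot: The `except NameError:` around `results["virustotal"]` can never catch the case it is written for — a missing dict key raises KeyError, not NameError — so whenever no VirusTotal data is present (lookup disabled or failed, as far as can be told from here) the signature crashes report processing instead of returning False; the handler should read `except KeyError:`. In the `else` branch `percent_f` and `percent_i` are computed but never used, and the division raises ZeroDivisionError when `total` is 0, so those two lines and the commented-out print block above them should be removed (or the ratio guarded and actually reported). The `positives`/`total` lookups also assume the `virustotal` entry always holds those keys; if the VT processing module can store an error marker there instead, that shape needs handling too. Unlike empty_file.py in the same commit this file has no license header or docstring; a one-line docstring such as `"""Flag samples that at least one VirusTotal engine reported as malicious."""` on the class would state the contract.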