In [2]:
import os
import sys
import json

In [1]:
# Input directory: scanned for the per-sample report files to process.
# Relative path, so it is resolved against the kernel's working directory.
JSON_DIR = "2_compiled_json"

# Output directory: created on demand; receives one token-count file per input report.
TXT_DIR = "3_compiled_txt"

In [3]:
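# Names of the regular files directly inside JSON_DIR (sub-directories and other
# non-file entries are skipped). No extension filter is applied, so a stray
# non-JSON file in that directory will reach json.load() in the processing loop.
# The context manager releases the directory handle as soon as the listing is built.
with os.scandir(JSON_DIR) as entries:
    json_files = [entry.name for entry in entries if entry.is_file()]

# exist_ok=True makes the creation idempotent and removes the window between a
# separate os.path.exists() check and the os.makedirs() call.
os.makedirs(TXT_DIR, exist_ok=True)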

In [7]:
def count_if_exist(json_file, key):
    """Increment the occurrence counter stored under ``key``.

    Args:
        json_file: Mutable mapping of token -> count. Despite the name this is
            the in-memory counter dictionary, not a file object or file name.
        key: Token to count. A token seen for the first time starts at 1.

    Returns:
        None. ``json_file`` is updated in place.
    """
    # A missing key counts as zero occurrences so far.
    json_file[key] = json_file.get(key, 0) + 1

In [22]:
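# Flatten every report listed in json_files into a {token: count} dictionary and
# write it, under the same file name, to TXT_DIR.
#
# NOTE(review): all token kinds share one key space. Values that come from the
# analysed sample's own behaviour (command-line words, file paths, registry paths,
# host names) can therefore coincide with each other and with the synthetic
# 'is_injected' and '<action>-<effect>' keys, so a sample can influence counters
# that are meant to describe something else. Prefixing keys per source (for
# example 'cmd:' or 'host:') would separate them, but it changes the feature
# names that downstream consumers see, so it is not done here.
for json_file in json_files:
    print(f"Process {json_file}")

    # Read the whole report first so the input handle is closed before the
    # output file is opened. JSON is UTF-8 by specification; being explicit avoids
    # depending on the platform's default encoding.
    with open(os.path.join(JSON_DIR, json_file), 'r', encoding='utf-8') as f:
        data = json.load(f)

    txt = {}
    behaviours = data['behaviours']

    # PE imports: one token per DLL name and one per imported symbol (lower-cased).
    for pe_import in data['static']['pe_imports']:
        count_if_exist(txt, pe_import['dll'].lower())
        for import_ in pe_import['imports']:
            count_if_exist(txt, import_.lower())

    # Processes: one token per whitespace-separated word of the command line.
    for process in behaviours['processes']:
        for part in process['commandline'].lower().split():
            count_if_exist(txt, part)

        # Count if the process is injected.
        # Truthiness test: assumes 'injected' is a JSON boolean - TODO confirm.
        if process['injected']:
            count_if_exist(txt, 'is_injected')

    # Hosts resolved.
    # NOTE(review): unlike every other field these are not lower-cased; host
    # names are case-insensitive, so differently-cased duplicates count
    # separately. Left unchanged because the element type is not visible here.
    for host in behaviours['host_resolved']:
        count_if_exist(txt, host)

    # File interactions: '<src>[-<dst>]-<action>' plus '<action>-<effect>'.
    for file_event in behaviours['files']:
        src = file_event['srcpath'].lower()
        dst = file_event['dstpath'].lower()
        action = file_event['action'].lower()
        effect = file_event['effect'].lower()

        if dst == '':
            entry_file = f'{src}-{action}'
        else:
            entry_file = f'{src}-{dst}-{action}'

        count_if_exist(txt, entry_file)
        count_if_exist(txt, f'{action}-{effect}')

    # Registry interactions: '<path>[-<valuetype>]-<action>' plus '<action>-<effect>'.
    for reg in behaviours['registry']:
        key = reg['path'].lower()
        value = reg['valuetype'].lower()
        action = reg['action'].lower()
        effect = reg['effect'].lower()

        # Fix: the original tested `dst`, a variable left over from the file
        # loop above. That made the key format depend on the last file event
        # seen (possibly from a previous report) and raised NameError when no
        # file event had been processed yet. The value type is the optional
        # component here, mirroring the dst handling for files.
        if value == '':
            entry_key = f'{key}-{action}'
        else:
            entry_key = f'{key}-{value}-{action}'

        count_if_exist(txt, entry_key)
        count_if_exist(txt, f'{action}-{effect}')

    # json_file comes from the directory listing, so it is a bare file name and
    # the output stays inside TXT_DIR.
    with open(os.path.join(TXT_DIR, json_file), 'w', encoding='utf-8') as out:
        json.dump(txt, out, indent=2)

    print(f"TXT data file created: {TXT_DIR}/{json_file}")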

Process EPSN21.json
TXT data file created: 3_compiled_txt/EPSN21.json
Process FQ0GOW.json
TXT data file created: 3_compiled_txt/FQ0GOW.json
Process WVMWHB.json
TXT data file created: 3_compiled_txt/WVMWHB.json
Process LMS9JO.json
TXT data file created: 3_compiled_txt/LMS9JO.json
Process Y5GV4L.json
TXT data file created: 3_compiled_txt/Y5GV4L.json
Process LICI1N.json
TXT data file created: 3_compiled_txt/LICI1N.json
Process FCRATJ.json
TXT data file created: 3_compiled_txt/FCRATJ.json
Process 2ITDKB.json
TXT data file created: 3_compiled_txt/2ITDKB.json
Process BJBD1Y.json
TXT data file created: 3_compiled_txt/BJBD1Y.json
Process 23DLXF.json
TXT data file created: 3_compiled_txt/23DLXF.json
Process FOQFD6.json
TXT data file created: 3_compiled_txt/FOQFD6.json
Process DA3XA9.json
TXT data file created: 3_compiled_txt/DA3XA9.json
Process M6W7SH.json
TXT data file created: 3_compiled_txt/M6W7SH.json
Process GONV7I.json
TXT data file created: 3_compiled_txt/GONV7I.json
Process DJX1CV.json
