├── .canari ├── .gitignore ├── MANIFEST.in ├── README.md ├── maltego └── entities.mtz ├── setup.py └── src └── cuckooforcanari ├── __init__.py ├── resources ├── __init__.py ├── etc │ ├── __init__.py │ └── cuckooforcanari.conf ├── external │ └── __init__.py ├── images │ └── __init__.py └── maltego │ ├── __init__.py │ └── entities.mtz └── transforms ├── __init__.py ├── common ├── __init__.py ├── cuckooapi.py ├── cuckooparse.py └── entities.py ├── cuckoosigs.py ├── dropped2md5.py ├── dropped2sha1.py ├── dropped2sha256.py ├── dropped2type.py ├── submitfile.py ├── submiturl.py ├── to_peid.py ├── to_pesections.py ├── tobehavior_section.py ├── todnsreq.py ├── todomainips.py ├── todomains.py ├── todropped_section.py ├── todroppedfiles.py ├── tofiledetails_section.py ├── tofilename.py ├── tohosts.py ├── tohttpurl.py ├── tomd5.py ├── tomutexes.py ├── tonetworkanalysis_section.py ├── toopenfiles.py ├── toprocesses.py ├── toprocesses_section.py ├── toregentries.py ├── tosha1.py ├── tosha256.py ├── tosiganalysis_section.py ├── tostaticanalysis_section.py ├── virustotal.py └── yarasigs.py /.canari: -------------------------------------------------------------------------------- 1 | [metadata] 2 | 3 | author = bostonlink 4 | project = Cuckooforcanari 5 | maintainer = bostonlink 6 | email = bostonlink@pentest-labs.org 7 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.py[co] 2 | *.mtz 3 | 4 | # Packages 5 | *.egg 6 | *.egg-info 7 | dist 8 | build 9 | eggs 10 | parts 11 | bin 12 | var 13 | sdist 14 | develop-eggs 15 | .installed.cfg 16 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include *.md 2 | recursive-include src *.py *.conf *.gif *.png *.mtz *.machine 3 | recursive-include maltego *.mtz 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Cuckooforcanari - Cuckoo Sandbox Local Maltego Transforms 2 | 3 | Author : David Bressler (@bostonlink) 4 | 5 | Demo Video: http://www.youtube.com/watch?v=1GGArfEijgE 6 | 7 | ## About 8 | 9 | Cuckooforcanari is a Maltego local transform project, built within the Canari Framework that integrates the Cuckoo Sandbox API into maltego entity output. The main goal of this project is to allow security analysts, researchers, investigators, and teams to graphically display a Cuckoo Sandbox file or URL analysis. 10 | 11 | Directory Structure: 12 | 13 | * `src/cuckooforcanari` directory is where all the magic stuff goes and happens. 14 | * `src/cuckooforcanari/transforms` directory is where all the transform modules are located. 15 | * `src/cuckooforcanari/transforms/common` directory is where common code for all transforms are stored. 16 | * `src/cuckooforcanari/transforms/common/entities.py` is where custom entities are defined. 17 | * `maltego/` is where the Maltego entity exports are stored. 18 | * `src/cuckooforcanari/resources/maltego` directory is where the `entities.mtz` and `*.machine` files are stored for auto install and uninstall. 19 | 20 | ## 2.0 - Installation 21 | 22 | ### 2.1 - Supported Platforms 23 | cuckooforcanari has currently been tested on Mac OS X and Linux. 24 | 25 | ### 2.2 - Requirements 26 | cuckooforcanari is supported and tested on Python 2.7.3 27 | 28 | The canari framework must be installed to use this package 29 | See: https://github.com/allfro/canari 30 | 31 | A Cuckoo Sandbox v0.5 or later local network or host installation and have the Cuckoo API running. 32 | See: http://docs.cuckoosandbox.org/en/latest/usage/api/#starting-the-api-server 33 | 34 | This package depends on the python requests package added requirement to setup.py will automatically download and install the requests package if needed. 35 | 36 | ### 2.3 - How to install 37 | Once you have the Canari framework installed and working, follow the directions below to install cuckooforcanari 38 | 39 | Install the package: 40 | 41 | ```bash 42 | $ cd cuckooforcanari 43 | $ python setup.py install 44 | ``` 45 | Then install the canari package by issuing the following: 46 | 47 | ```bash 48 | $ canari create-profile cuckooforcanari 49 | ``` 50 | Then do the following (thanks to Nadeem Douba @ndouba): 51 | 52 | INSTRUCTIONS: 53 | ------------- 54 | 1. Open Maltego. 55 | 2. Click on the home button (Maltego icon, top-left corner). 56 | 3. Click on 'Import'. 57 | 4. Click on 'Import Configuration'. 58 | 5. Follow prompts. 59 | 6. Enjoy! 60 | 61 | Once installed you must edit the cuckooforcanari.conf file with local environment settings. 62 | 63 | ```bash 64 | $ vim ~/.canari/cuckooforcanari.conf 65 | ``` 66 | All Done!! Have fun! 67 | 68 | ## Special Thanks! 69 | 70 | Rich Popson (@Rastafari0728) 71 | Nadeem Douba (@ndouba) 72 | Paterva (@Paterva) 73 | Cuckoo Sandbox (@cuckoosandbox) 74 | MassHackers (@MassHackers) 75 | -------------------------------------------------------------------------------- /maltego/entities.mtz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bostonlink/cuckooforcanari/0ae8a046540cfdc5e091d3e0b3b457cc79517832/maltego/entities.mtz -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup, find_packages 2 | 3 | setup( 4 | name='cuckooforcanari', 5 | author='bostonlink', 6 | version='1.1', 7 | author_email='bostonlink@pentest-labs.org', 8 | description='Cuckoo Sandbox Local Maltego Transforms Project', 9 | license='GPL', 10 | packages=find_packages('src'), 11 | package_dir={ '' : 'src' }, 12 | zip_safe=False, 13 | package_data={ 14 | '' : [ '*.gif', '*.png', '*.conf', '*.mtz', '*.machine' ] # list of resources 15 | }, 16 | install_requires=[ 17 | 'requests', 18 | 'canari' 19 | # Name of packages required for easy_install 20 | ], 21 | dependency_links=[ 22 | # custom links for the install_requires 23 | ] 24 | ) -------------------------------------------------------------------------------- /src/cuckooforcanari/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __author__ = 'bostonlink' 4 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 5 | __credits__ = [] 6 | 7 | __license__ = 'GPL' 8 | __version__ = '1.1' 9 | __maintainer__ = 'bostonlink' 10 | __email__ = 'bostonlink@pentest-labs.org' 11 | __status__ = 'Development' 12 | __all__ = [ 13 | 'resources', 14 | 'transforms' 15 | ] -------------------------------------------------------------------------------- /src/cuckooforcanari/resources/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __author__ = 'bostonlink' 4 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 5 | __credits__ = [] 6 | 7 | __license__ = 'GPL' 8 | __version__ = '1.1' 9 | __maintainer__ = 'bostonlink' 10 | __email__ = 'bostonlink@pentest-labs.org' 11 | __status__ = 'Development' 12 | __all__ = [ 13 | 'etc', 14 | 'images', 15 | 'maltego', 16 | 'external' 17 | ] -------------------------------------------------------------------------------- /src/cuckooforcanari/resources/etc/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __author__ = 'bostonlink' 4 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 5 | __credits__ = [] 6 | 7 | __license__ = 'GPL' 8 | __version__ = '1.1' 9 | __maintainer__ = 'bostonlink' 10 | __email__ = 'bostonlink@pentest-labs.org' 11 | __status__ = 'Development' -------------------------------------------------------------------------------- /src/cuckooforcanari/resources/etc/cuckooforcanari.conf: -------------------------------------------------------------------------------- 1 | # Configuration files for Cuckoo Maltego Transforms 2 | 3 | [cuckoo] 4 | 5 | # Cuckoo Hostname or IP address 6 | host=host 7 | 8 | # Cuckoo API port only change if you changed the API port while starting the API. 8090 is the default 9 | port=8090 10 | 11 | # Malware directory - specify a directory that holds all malware samples to be analyzed 12 | malware_dir=malware directory -------------------------------------------------------------------------------- /src/cuckooforcanari/resources/external/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __author__ = 'bostonlink' 4 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 5 | __credits__ = [] 6 | 7 | __license__ = 'GPL' 8 | __version__ = '1.1' 9 | __maintainer__ = 'bostonlink' 10 | __email__ = 'bostonlink@pentest-labs.org' 11 | __status__ = 'Development' -------------------------------------------------------------------------------- /src/cuckooforcanari/resources/images/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __author__ = 'bostonlink' 4 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 5 | __credits__ = [] 6 | 7 | __license__ = 'GPL' 8 | __version__ = '1.1' 9 | __maintainer__ = 'bostonlink' 10 | __email__ = 'bostonlink@pentest-labs.org' 11 | __status__ = 'Development' -------------------------------------------------------------------------------- /src/cuckooforcanari/resources/maltego/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __author__ = 'bostonlink' 4 | __copyright__ = 'Copyright 2013, Cuckooforcanari Project' 5 | __credits__ = [] 6 | 7 | __license__ = 'GPL' 8 | __version__ = '0.1' 9 | __maintainer__ = 'bostonlink' 10 | __email__ = 'bostonlink@pentest-labs.org' 11 | __status__ = 'Development' -------------------------------------------------------------------------------- /src/cuckooforcanari/resources/maltego/entities.mtz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bostonlink/cuckooforcanari/0ae8a046540cfdc5e091d3e0b3b457cc79517832/src/cuckooforcanari/resources/maltego/entities.mtz -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __author__ = 'bostonlink' 4 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 5 | __credits__ = [] 6 | 7 | __license__ = 'GPL' 8 | __version__ = '1.1' 9 | __maintainer__ = 'bostonlink' 10 | __email__ = 'bostonlink@pentest-labs.org' 11 | __status__ = 'Development' 12 | __all__ = [ 13 | 'common', 14 | 'yarasigs', 15 | 'virustotal', 16 | 'tofilename', 17 | 'tohosts', 18 | 'tomd5', 19 | 'tosha1', 20 | 'tosha256', 21 | 'todroppedfiles', 22 | 'dropped2type', 23 | 'dropped2md5', 24 | 'dropped2sha1', 25 | 'dropped2sha256', 26 | 'todomains', 27 | 'todomainips', 28 | 'todnsreq', 29 | 'tohttpurl', 30 | 'cuckoosigs', 31 | 'tomutexes', 32 | 'toopenfiles', 33 | 'toregentries', 34 | 'toprocesses', 35 | 'submitfile', 36 | 'submiturl', 37 | 'to_pesections', 38 | 'to_peid', 39 | 'tofiledetails_section', 40 | 'tosiganalysis_section', 41 | 'tonetworkanalysis_section', 42 | 'tostaticanalysis_section', 43 | 'todropped_section', 44 | 'tobehavior_section', 45 | 'toprocesses_section' 46 | ] -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/common/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __author__ = 'bostonlink' 4 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 5 | __credits__ = [] 6 | 7 | __license__ = 'GPL' 8 | __version__ = '1.1' 9 | __maintainer__ = 'bostonlink' 10 | __email__ = 'bostonlink@pentest-labs.org' 11 | __status__ = 'Development' 12 | __all__ = [ 13 | 'entities' 14 | 'cuckooapi' 15 | 'cuckooparse' 16 | ] -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/common/cuckooapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Cuckoo API python module for maltego transforms 4 | # Author: David Bressler (@bostonlink) 5 | 6 | # Cuckoo API Documentation http://docs.cuckoosandbox.org/en/latest/usage/api/ 7 | 8 | import requests 9 | from canari.config import config 10 | from canari.maltego.message import MaltegoException 11 | 12 | # Submit file for analysis 13 | def submit_file(sample): 14 | url = 'http://%s:%s/tasks/create/file' % (config['cuckoo/host'], config['cuckoo/port']) 15 | samples = {'file': open(sample, 'rb')} 16 | try: 17 | r = requests.post(url, files=samples) 18 | return r.json() 19 | except Exception as e: 20 | raise MaltegoException("The Transform has returned: %s" % e) 21 | 22 | # Submit URL for analysis 23 | def submit_url(analysis_url): 24 | url = 'http://%s:%s/tasks/create/url' % (config['cuckoo/host'], config['cuckoo/port']) 25 | if analysis_url.startswith('http://') or analysis_url.startswith('https://'): 26 | data = {'url': analysis_url} 27 | else: 28 | analysis_url = 'http://' + analysis_url 29 | data = {'url': analysis_url} 30 | 31 | try: 32 | r = requests.post(url, data=data) 33 | return r.json() 34 | except Exception as e: 35 | raise MaltegoException("The Transform has returned: %s" % e) 36 | 37 | # Return task list 38 | def task_list(): 39 | url = 'http://%s:%s/tasks/list' % (config['cuckoo/host'], config['cuckoo/port']) 40 | try: 41 | r = requests.get(url) 42 | return r.json() 43 | except Exception as e: 44 | raise MaltegoException("The Transform has returned: %s" % e) 45 | 46 | # Returns task status 47 | def task_view(task_id): 48 | url = 'http://%s:%s/tasks/view/%s' % (config['cuckoo/host'], config['cuckoo/port'], task_id) 49 | try: 50 | r = requests.get(url) 51 | return r.json() 52 | except Exception as e: 53 | raise MaltegoException("The Transform has returned: %s" % e) 54 | 55 | # Returns full report 56 | def report(task_id): 57 | url = 'http://%s:%s/tasks/report/%s' % (config['cuckoo/host'], config['cuckoo/port'], task_id) 58 | try: 59 | r = requests.get(url) 60 | return r.json() 61 | except Exception as e: 62 | raise MaltegoException("The Transform has returned: %s" % e) 63 | 64 | # Returns file details from a task id 65 | def file_search_id(task_id): 66 | url = 'http://%s:%s/files/view/id/%s' % (config['cuckoo/host'], config['cuckoo/port'], task_id) 67 | try: 68 | r = requests.get(url) 69 | return r.json() 70 | except Exception as e: 71 | raise MaltegoException("The Transform has returned: %s" % e) 72 | 73 | # Returns file details from a sha256 hash 74 | def file_search_sha256(sha256): 75 | url = 'http://%s:%s/files/view/sha256/%s' % (config['cuckoo/host'], config['cuckoo/port'], sha256) 76 | try: 77 | r = requests.get(url) 78 | return r.json() 79 | except Exception as e: 80 | raise MaltegoException("The Transform has returned: %s" % e) 81 | 82 | # Returns file details from a md5 hash 83 | def file_search_md5(md5): 84 | url = 'http://%s:%s/files/view/md5/%s' % (config['cuckoo/host'], config['cuckoo/port'], md5) 85 | try: 86 | r = requests.get(url) 87 | return r.json() 88 | except Exception as e: 89 | raise MaltegoException("The Transform has returned: %s" % e) -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/common/cuckooparse.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Cuckoo report parser python module for maltego transforms 4 | # Author: David Bressler (@bostonlink) 5 | 6 | # Returns dic of analysis information 7 | def analysis_info(report): 8 | return report['info'] 9 | 10 | # Returns list of yara signatures 11 | def yara_sigs(report): 12 | return report['target']['file']['yara'] 13 | 14 | # Returns list of cuckoo signatures 15 | def cuckoo_sigs(report): 16 | return report['signatures'] 17 | 18 | # Returns dic of VT results 19 | def vt_results(report): 20 | return report['virustotal'] 21 | 22 | # Returns dic of networking results 23 | def network(report): 24 | return report['network'] 25 | 26 | # Returns dic of static analysis results 27 | def static_results(report): 28 | return report['static'] 29 | 30 | # Returns list of dropped files 31 | def dropped_files(report): 32 | return report['dropped'] 33 | 34 | # Returns dic of behavior results 35 | def behavior(report): 36 | return report['behavior'] 37 | 38 | # Returns dic of debug logs for analysis 39 | def debug_logs(report): 40 | return report['debug'] 41 | 42 | # Returns list of strings from sample 43 | def strings(report): 44 | return report['strings'] 45 | 46 | # Returns dic of target file results 47 | def target_info(report): 48 | return report['target'] -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/common/entities.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.maltego.message import Entity, EntityField 4 | 5 | __author__ = 'bostonlink' 6 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 7 | __credits__ = [] 8 | 9 | __license__ = 'GPL' 10 | __version__ = '1.1' 11 | __maintainer__ = 'bostonlink' 12 | __email__ = 'bostonlink@pentest-labs.org' 13 | __status__ = 'Development' 14 | 15 | __all__ = [ 16 | 'CuckooEntity', 17 | 'CuckooTaskID', 18 | 'CuckooSig', 19 | 'CuckooDropped', 20 | 'CuckooMalwareFilename', 21 | 'CuckooHash', 22 | 'CuckooVT', 23 | 'CuckooYara', 24 | 'CuckooMutex', 25 | 'CuckooProcess', 26 | 'CuckooMalwareSample', 27 | 'FileDetails', 28 | 'SignatureAnalysis', 29 | 'NetworkAnalysis', 30 | 'StaticAnalysis', 31 | 'DroppedFiles', 32 | 'BehaviorAnalysis', 33 | 'Processes' 34 | 35 | ] 36 | 37 | 38 | @EntityField(name='taskid', propname='taskid', displayname='Task ID') 39 | class CuckooEntity(Entity): 40 | _namespace_ = 'cuckoo' 41 | 42 | 43 | @EntityField(name='filename', propname='filename', displayname='Filename') 44 | @EntityField(name='status', propname='status', displayname='Status') 45 | class CuckooTaskID(CuckooEntity): 46 | pass 47 | 48 | 49 | class CuckooSig(CuckooEntity): 50 | pass 51 | 52 | 53 | @EntityField(name='ftype', propname='ftype', displayname='File Type') 54 | class CuckooDropped(CuckooEntity): 55 | pass 56 | 57 | 58 | class CuckooOpenFile(CuckooEntity): 59 | pass 60 | 61 | 62 | class CuckooMalwareFilename(CuckooEntity): 63 | pass 64 | 65 | 66 | @EntityField(name='hashtype', propname='hashtype', displayname='Hash Type') 67 | class CuckooHash(CuckooEntity): 68 | pass 69 | 70 | 71 | @EntityField(name='vtlink', propname='vtlink', displayname='VT Link') 72 | class CuckooVT(CuckooEntity): 73 | pass 74 | 75 | 76 | class CuckooYara(CuckooEntity): 77 | pass 78 | 79 | 80 | class CuckooMalwareSample(CuckooEntity): 81 | pass 82 | 83 | 84 | class CuckooMutex(CuckooEntity): 85 | pass 86 | 87 | 88 | class CuckooProcess(CuckooEntity): 89 | pass 90 | 91 | 92 | class FileDetails(CuckooEntity): 93 | pass 94 | 95 | 96 | class SignatureAnalysis(CuckooEntity): 97 | pass 98 | 99 | 100 | class NetworkAnalysis(CuckooEntity): 101 | pass 102 | 103 | 104 | class StaticAnalysis(CuckooEntity): 105 | pass 106 | 107 | 108 | class DroppedFiles(CuckooEntity): 109 | pass 110 | 111 | 112 | class BehaviorAnalysis(CuckooEntity): 113 | pass 114 | 115 | 116 | class Processes(CuckooEntity): 117 | pass 118 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/cuckoosigs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooSig, SignatureAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | from common.cuckooapi import report 6 | from common.cuckooparse import cuckoo_sigs 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Cuckoo Community Signatures [Cuckoo Sandbox]', 25 | description='Returns Cuckoo signature names hit during the Cuckoo file analysis.', 26 | uuids=[ 'cuckooforcanari.v2.IDToCuckooSigs_Cuckoo', 27 | 'cuckooforcanari.v2.FileToCuckooSigs_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToCuckooSigs_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', SignatureAnalysis )], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | csigz = cuckoo_sigs(report(task)) 43 | for d in csigz: 44 | response += CuckooSig( 45 | d['description'].decode('ascii'), 46 | taskid = task, 47 | ) 48 | 49 | return response 50 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/dropped2md5.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooDropped, CuckooHash 5 | from common.cuckooapi import report 6 | from common.cuckooparse import dropped_files 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Dropped MD5 [Cuckoo Sandbox]', 25 | description='Returns dropped file MD5 hash', 26 | uuids=[ 'cuckooforcanari.v2.ToDroppedMD5_Cuckoo' ], 27 | inputs=[ ( 'Cuckoo Sandbox', CuckooDropped ) ], 28 | remote=False, 29 | debug=False 30 | ) 31 | def dotransform(request, response, config): 32 | fname = request.value 33 | if 'taskid' in request.fields: 34 | task = request.fields['taskid'] 35 | else: 36 | task = request.value 37 | 38 | dropped = dropped_files(report(task)) 39 | for d in dropped: 40 | if d['name'] == fname: 41 | response += CuckooHash(d['md5'].decode('ascii')) 42 | 43 | return response 44 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/dropped2sha1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooDropped, CuckooHash 5 | from common.cuckooapi import report 6 | from common.cuckooparse import dropped_files 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Dropped SHA1 [Cuckoo Sandbox]', 25 | description='Returns dropped file SHA1 hash', 26 | uuids=[ 'cuckooforcanari.v2.ToDroppedSHA1_Cuckoo' ], 27 | inputs=[ ( 'Cuckoo Sandbox', CuckooDropped ) ], 28 | remote=False, 29 | debug=False 30 | ) 31 | def dotransform(request, response, config): 32 | fname = request.value 33 | 34 | if 'taskid' in request.fields: 35 | task = request.fields['taskid'] 36 | else: 37 | task = request.value 38 | 39 | dropped = dropped_files(report(task)) 40 | for d in dropped: 41 | if d['name'] == fname: 42 | response += CuckooHash(d['sha1'].decode('ascii')) 43 | 44 | return response 45 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/dropped2sha256.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooDropped, CuckooHash 5 | from common.cuckooapi import report 6 | from common.cuckooparse import dropped_files 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Dropped SHA256 [Cuckoo Sandbox]', 25 | description='Returns dropped file SHA256 hash', 26 | uuids=[ 'cuckooforcanari.v2.ToDroppedSHA256_Cuckoo' ], 27 | inputs=[ ( 'Cuckoo Sandbox', CuckooDropped ) ], 28 | remote=False, 29 | debug=False 30 | ) 31 | def dotransform(request, response, config): 32 | fname = request.value 33 | 34 | if 'taskid' in request.fields: 35 | task = request.fields['taskid'] 36 | else: 37 | task = request.value 38 | 39 | dropped = dropped_files(report(task)) 40 | for d in dropped: 41 | if d['name'] == fname: 42 | response += CuckooHash(d['sha256'].decode('ascii')) 43 | 44 | return response 45 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/dropped2type.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import Phrase 5 | from common.entities import CuckooDropped 6 | from common.cuckooapi import report 7 | from common.cuckooparse import dropped_files 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To Dropped File Type [Cuckoo Sandbox]', 26 | description='Returns dropped file types during the Cuckoo file analysis.', 27 | uuids=[ 'cuckooforcanari.v2.IDToDroppedType_Cuckoo' ], 28 | inputs=[ ( 'Cuckoo Sandbox', CuckooDropped ) ], 29 | remote=False, 30 | debug=False 31 | ) 32 | def dotransform(request, response, config): 33 | fname = request.value 34 | 35 | if 'taskid' in request.fields: 36 | task = request.fields['taskid'] 37 | else: 38 | task = request.value 39 | 40 | dropped = dropped_files(report(task)) 41 | for d in dropped: 42 | if d['name'] == fname: 43 | response += Phrase(d['type'].decode('ascii')) 44 | 45 | return response 46 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/submitfile.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os.path 4 | from time import sleep 5 | from canari.easygui import fileopenbox 6 | from canari.framework import configure 7 | from canari.config import config 8 | from common.entities import CuckooMalwareSample, CuckooTaskID 9 | from common.cuckooapi import submit_file, task_view 10 | 11 | __author__ = 'bostonlink' 12 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 13 | __credits__ = [] 14 | 15 | __license__ = 'GPL' 16 | __version__ = '1.1' 17 | __maintainer__ = 'bostonlink' 18 | __email__ = 'bostonlink@pentest-labs.org' 19 | __status__ = 'Development' 20 | 21 | __all__ = [ 22 | 'dotransform' 23 | ] 24 | 25 | 26 | @configure( 27 | label='Submit File for Analysis [Cuckoo Sandbox]', 28 | description='Submits a File to Cuckoo and returns the analysis task id after analysis is complete.', 29 | uuids=[ 'cuckooforcanari.v2.SubmitFile_Cuckoo' ], 30 | inputs=[ ( 'Cuckoo Sandbox', CuckooMalwareSample ) ], 31 | remote=False, 32 | debug=False 33 | ) 34 | def dotransform(request, response, config): 35 | 36 | if request.value == "Sample Filename": 37 | msg = 'Please select the sample to submit.' 38 | title = 'Cuckoo Sandbox File Submission' 39 | default = os.path.join(config['cuckoo/malware_dir'], '*.*') 40 | # if other filetypes need to be submitted add them to the list or just submit via specific filename 41 | filetypes = ["*.exe", "*.dll", "*.pdf", "*.jar", "*.zip"] 42 | sample = fileopenbox(msg, title, default, filetypes) 43 | else: 44 | sample = os.path.join(config['cuckoo/malware_dir'], request.value) 45 | 46 | task = submit_file(sample)['task_id'] 47 | status = task_view(task)['task']['status'] 48 | 49 | # loop to check status of analysis 50 | while status == 'pending' or status == 'processing': 51 | sleep(20) 52 | status = task_view(task)['task']['status'] 53 | 54 | response += CuckooTaskID( 55 | task, 56 | status = status, 57 | filename = sample 58 | ) 59 | 60 | return response 61 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/submiturl.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from time import sleep 4 | from canari.framework import configure 5 | from canari.maltego.entities import URL 6 | from common.entities import CuckooTaskID 7 | from common.cuckooapi import submit_url, task_view 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='Submit URL for Analysis [Cuckoo Sandbox]', 26 | description='Submits a url to Cuckoo and returns the analysis task id after analysis is complete.', 27 | uuids=[ 'cuckooforcanari.v2.SubmitURL_Cuckoo' ], 28 | inputs=[ ( 'Cuckoo Sandbox', URL ) ], 29 | remote=False, 30 | debug=False 31 | ) 32 | def dotransform(request, response, config): 33 | 34 | url = request.value 35 | task = submit_url(url)['task_id'] 36 | status = task_view(task)['task']['status'] 37 | 38 | # loop to check status of analysis 39 | while status == 'pending' or status == 'processing': 40 | sleep(20) 41 | status = task_view(task)['task']['status'] 42 | 43 | response += CuckooTaskID( 44 | task, 45 | status = status, 46 | url = url 47 | ) 48 | 49 | return response 50 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/to_peid.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import Phrase 5 | from common.entities import StaticAnalysis, CuckooTaskID, CuckooMalwareFilename 6 | from common.cuckooapi import report 7 | from common.cuckooparse import static_results 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To PEID Signature [Cuckoo Sandbox]', 26 | description='Returns PEID signature of the malware sample.', 27 | uuids=[ 'cuckooforcanari.v2.IDToCuckooPEIDSig_Cuckoo', 28 | 'cuckooforcanari.v2.FileToCuckooPEIDSig_Cuckoo', 29 | 'cuckooforcanari.v2.SectionToCuckooPEIDSig_Cuckoo' ], 30 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 31 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 32 | ( 'Cuckoo Sandbox', StaticAnalysis ) ], 33 | remote=False, 34 | debug=False 35 | ) 36 | def dotransform(request, response, config): 37 | 38 | if 'taskid' in request.fields: 39 | task = request.fields['taskid'] 40 | else: 41 | task = request.value 42 | 43 | secs = static_results(report(task))['peid_signatures'] 44 | if secs is None: 45 | pass 46 | else: 47 | for i in secs: 48 | response += Phrase(i) 49 | 50 | return response 51 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/to_pesections.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import Phrase 5 | from common.entities import StaticAnalysis, CuckooTaskID, CuckooMalwareFilename 6 | from common.cuckooapi import report 7 | from common.cuckooparse import static_results 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To PE Sections [Cuckoo Sandbox]', 26 | description='Returns PE sections of the malware sample.', 27 | uuids=[ 'cuckooforcanari.v2.IDToCuckooPESec_Cuckoo', 28 | 'cuckooforcanari.v2.FileToCuckooPESec_Cuckoo', 29 | 'cuckooforcanari.v2.SectionToCuckooPESec_Cuckoo' ], 30 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 31 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 32 | ( 'Cuckoo Sandbox', StaticAnalysis ) ], 33 | remote=False, 34 | debug=False 35 | ) 36 | def dotransform(request, response, config): 37 | 38 | if 'taskid' in request.fields: 39 | task = request.fields['taskid'] 40 | else: 41 | task = request.value 42 | 43 | secs = static_results(report(task))['pe_sections'] 44 | for d in secs: 45 | response += Phrase(d['name'].decode('ascii')) 46 | 47 | return response 48 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tobehavior_section.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import BehaviorAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | 6 | __author__ = 'bostonlink' 7 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 8 | __credits__ = [] 9 | 10 | __license__ = 'GPL' 11 | __version__ = '1.1' 12 | __maintainer__ = 'bostonlink' 13 | __email__ = 'bostonlink@pentest-labs.org' 14 | __status__ = 'Development' 15 | 16 | __all__ = [ 17 | 'dotransform' 18 | ] 19 | 20 | 21 | @configure( 22 | label='To Behavior Analysis Section [Cuckoo Sandbox]', 23 | description='Returns behavior analysis section entity, used to separate analysis sections.', 24 | uuids=[ 'cuckooforcanari.v2.IDToBehaviorssection_Cuckoo', 'cuckooforcanari.v2.FileToBehaviorSection_Cuckoo' ], 25 | inputs=[ ( 'Cuckoo Sandbox Analysis Sections', CuckooTaskID ), ( 'Cuckoo Sandbox Analysis Sections', CuckooMalwareFilename ) ], 26 | remote=False, 27 | debug=False 28 | ) 29 | def dotransform(request, response, config): 30 | 31 | if 'taskid' in request.fields: 32 | task = request.fields['taskid'] 33 | else: 34 | task = request.value 35 | response += BehaviorAnalysis('Behavior Analysis', taskid = task) 36 | return response 37 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/todnsreq.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import NSRecord 5 | from common.entities import CuckooTaskID, NetworkAnalysis, CuckooMalwareFilename 6 | from common.cuckooapi import report 7 | from common.cuckooparse import network 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To DNS Request [Cuckoo Sandbox]', 26 | description='Returns DNS requests made during the Cuckoo file analysis.', 27 | uuids=[ 'cuckooforcanari.v2.IDToDNSReq_Cuckoo', 28 | 'cuckooforcanari.v2.FileToDNSReq_Cuckoo', 29 | 'cuckooforcanari.v2.SectionToDNSReq_Cuckoo' ], 30 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 31 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 32 | ( 'Cuckoo Sandbox', NetworkAnalysis ) ], 33 | remote=False, 34 | debug=False 35 | ) 36 | def dotransform(request, response, config): 37 | 38 | if 'taskid' in request.fields: 39 | task = request.fields['taskid'] 40 | else: 41 | task = request.value 42 | 43 | netw = network(report(task)) 44 | dns_lst = [] 45 | for d in netw['dns']: 46 | if d['request'] not in dns_lst: 47 | response += NSRecord( 48 | d['request'].decode('ascii'), 49 | taskid = task ) 50 | dns_lst.append(d['request']) 51 | 52 | return response 53 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/todomainips.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import IPv4Address, Domain 5 | from common.entities import CuckooTaskID, NetworkAnalysis, CuckooMalwareFilename 6 | from common.cuckooapi import report 7 | from common.cuckooparse import network 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To Domain IP [Cuckoo Sandbox]', 26 | description='Returns domain resolved IP address at the time of the Cuckoo file analysis.', 27 | uuids=[ 'cuckooforcanari.v2.IDToDomainIP_Cuckoo', 28 | 'cuckooforcanari.v2.FileToDomainIP_Cuckoo', 29 | 'cuckooforcanari.v2.DomainToDomainIP_Cuckoo', 30 | 'cuckooforcanari.v2.SectionToDomainIP_Cuckoo' ], 31 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 32 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 33 | ( 'Cuckoo Sandbox', Domain), 34 | ( 'Cuckoo Sandbox', NetworkAnalysis) ], 35 | remote=False, 36 | debug=False 37 | ) 38 | def dotransform(request, response, config): 39 | 40 | if 'taskid' in request.fields: 41 | task = request.fields['taskid'] 42 | else: 43 | task = request.value 44 | 45 | netw = network(report(task)) 46 | for d in netw['domains']: 47 | response += IPv4Address( 48 | d['ip'].decode('ascii'), 49 | taskid=task) 50 | 51 | return response 52 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/todomains.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import Domain 5 | from common.entities import CuckooTaskID, NetworkAnalysis, CuckooMalwareFilename 6 | from common.cuckooapi import report 7 | from common.cuckooparse import network 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To Domain [Cuckoo Sandbox]', 26 | description='Returns domains communicated with during the Cuckoo file analysis.', 27 | uuids=[ 'cuckooforcanari.v2.IDToDomain_Cuckoo', 28 | 'cuckooforcanari.v2.FileToDomain_Cuckoo', 29 | 'cuckooforcanari.v2.SectionToDomain_Cuckoo' ], 30 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 31 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 32 | ( 'Cuckoo Sandbox', NetworkAnalysis ) ], 33 | remote=False, 34 | debug=False 35 | ) 36 | def dotransform(request, response, config): 37 | 38 | if 'taskid' in request.fields: 39 | task = request.fields['taskid'] 40 | else: 41 | task = request.value 42 | 43 | netw = network(report(task)) 44 | for d in netw['domains']: 45 | response += Domain( 46 | d['domain'].decode('ascii'), 47 | taskid=task) 48 | 49 | return response 50 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/todropped_section.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import DroppedFiles, CuckooTaskID, CuckooMalwareFilename 5 | 6 | __author__ = 'bostonlink' 7 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 8 | __credits__ = [] 9 | 10 | __license__ = 'GPL' 11 | __version__ = '1.1' 12 | __maintainer__ = 'bostonlink' 13 | __email__ = 'bostonlink@pentest-labs.org' 14 | __status__ = 'Development' 15 | 16 | __all__ = [ 17 | 'dotransform' 18 | ] 19 | 20 | 21 | @configure( 22 | label='To Dropped Files Section [Cuckoo Sandbox]', 23 | description='Returns dropped files section entity, used to separate analysis sections.', 24 | uuids=[ 'cuckooforcanari.v2.IDToDroppedFilessection_Cuckoo', 'cuckooforcanari.v2.FileToDroppedFilesSection_Cuckoo' ], 25 | inputs=[ ( 'Cuckoo Sandbox Analysis Sections', CuckooTaskID ), ( 'Cuckoo Sandbox Analysis Sections', CuckooMalwareFilename ) ], 26 | remote=False, 27 | debug=False 28 | ) 29 | def dotransform(request, response, config): 30 | 31 | if 'taskid' in request.fields: 32 | task = request.fields['taskid'] 33 | else: 34 | task = request.value 35 | response += DroppedFiles('Dropped Files', taskid=task) 36 | return response 37 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/todroppedfiles.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooDropped, DroppedFiles, CuckooTaskID, CuckooMalwareFilename 5 | from common.cuckooapi import report 6 | from common.cuckooparse import dropped_files 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Dropped Files [Cuckoo Sandbox]', 25 | description='Returns dropped files during the Cuckoo file analysis.', 26 | uuids=[ 'cuckooforcanari.v2.IDToDropped_Cuckoo', 27 | 'cuckooforcanari.v2.FileToDropped_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToDropped_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', DroppedFiles ) ], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | dropped = dropped_files(report(task)) 43 | for d in dropped: 44 | response += CuckooDropped( 45 | d['name'].decode('ascii'), 46 | taskid=task, 47 | ftype=d['type']) 48 | 49 | return response 50 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tofiledetails_section.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import FileDetails, CuckooTaskID, CuckooMalwareFilename 5 | 6 | __author__ = 'bostonlink' 7 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 8 | __credits__ = [] 9 | 10 | __license__ = 'GPL' 11 | __version__ = '1.1' 12 | __maintainer__ = 'bostonlink' 13 | __email__ = 'bostonlink@pentest-labs.org' 14 | __status__ = 'Development' 15 | 16 | __all__ = [ 17 | 'dotransform' 18 | ] 19 | 20 | 21 | @configure( 22 | label='To File Details Section [Cuckoo Sandbox]', 23 | description='Returns file details section entity, to separate analysis sections.', 24 | uuids=[ 'cuckooforcanari.v2.IDToFileDetailsSection_Cuckoo', 'cuckooforcanari.v2.FileToFileDetailsSection_Cuckoo' ], 25 | inputs=[ ( 'Cuckoo Sandbox Analysis Sections', CuckooTaskID ), ( 'Cuckoo Sandbox Analysis Sections', CuckooMalwareFilename ) ], 26 | remote=False, 27 | debug=False 28 | ) 29 | def dotransform(request, response, config): 30 | 31 | if 'taskid' in request.fields: 32 | task = request.fields['taskid'] 33 | else: 34 | task = request.value 35 | response += FileDetails('File Details', taskid = task) 36 | return response 37 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tofilename.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooMalwareFilename, FileDetails, CuckooTaskID 5 | from common.cuckooapi import report 6 | from common.cuckooparse import target_info 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Filename [Cuckoo Sandbox]', 25 | description='Returns filename of the initial file analyzed.', 26 | uuids=[ 'cuckooforcanari.v2.IDToFilename_Cuckoo', 'cuckooforcanari.v2.SectionToFilename_Cuckoo' ], 27 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), ( 'Cuckoo Sandbox', FileDetails ) ], 28 | remote=False, 29 | debug=False 30 | ) 31 | def dotransform(request, response, config): 32 | 33 | if 'taskid' in request.fields: 34 | task = request.fields['taskid'] 35 | else: 36 | task = request.value 37 | 38 | target = target_info(report(task)) 39 | 40 | response += CuckooMalwareFilename( 41 | target['file']['name'].decode('ascii'), 42 | taskid=task) 43 | 44 | return response 45 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tohosts.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import IPv4Address 5 | from common.entities import CuckooTaskID, NetworkAnalysis, CuckooMalwareFilename 6 | from common.cuckooapi import report 7 | from common.cuckooparse import network 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To Hosts [Cuckoo Sandbox]', 26 | description='Returns host IP addresses associated with the Cuckoo analysis task id.', 27 | uuids=[ 'cuckooforcanari.v2.IDToHosts_Cuckoo', 28 | 'cuckooforcanari.v2.FileToHosts_Cuckoo', 29 | 'cuckooforcanari.v2.SectionToHosts_Cuckoo' ], 30 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 31 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 32 | ( 'Cuckoo Sandbox', NetworkAnalysis ) ], 33 | remote=False, 34 | debug=False 35 | ) 36 | def dotransform(request, response, config): 37 | 38 | if 'taskid' in request.fields: 39 | task = request.fields['taskid'] 40 | else: 41 | task = request.value 42 | 43 | netw = network(report(task)) 44 | for d in netw['hosts']: 45 | response += IPv4Address( 46 | d.decode('ascii'), 47 | taskid=task) 48 | 49 | return response 50 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tohttpurl.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import Website 5 | from common.entities import CuckooTaskID, NetworkAnalysis, CuckooMalwareFilename 6 | from common.cuckooapi import report 7 | from common.cuckooparse import network 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To HTTP Request URL [Cuckoo Sandbox]', 26 | description='Returns URLs communicated with at the time of the Cuckoo file analysis.', 27 | uuids=[ 'cuckooforcanari.v2.IDToURL_Cuckoo', 28 | 'cuckooforcanari.v2.FileToURL_Cuckoo', 29 | 'cuckooforcanari.v2.SectionToURL_Cuckoo' ], 30 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 31 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 32 | ( 'Cuckoo Sandbox', NetworkAnalysis) ], 33 | remote=False, 34 | debug=False 35 | ) 36 | def dotransform(request, response, config): 37 | 38 | if 'taskid' in request.fields: 39 | task = request.fields['taskid'] 40 | else: 41 | task = request.value 42 | 43 | netw = network(report(task)) 44 | for d in netw['http']: 45 | response += Website( 46 | d['uri'].decode('ascii'), 47 | taskid=task) 48 | 49 | return response 50 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tomd5.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooHash, FileDetails, CuckooMalwareFilename, CuckooTaskID 5 | from common.cuckooapi import report 6 | from common.cuckooparse import target_info 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To MD5 [Cuckoo Sandbox]', 25 | description='Returns filename of the initial file analyzed.', 26 | uuids=[ 'cuckooforcanari.v2.IDToMD5_Cuckoo', 27 | 'cuckooforcanari.v2.FileToMD5_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToMD5_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', FileDetails ) ], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | target = target_info(report(task))['file'] 43 | response += CuckooHash( 44 | target['md5'].decode('ascii'), 45 | taskid=task) 46 | 47 | return response 48 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tomutexes.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooMutex, BehaviorAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | from common.cuckooapi import report 6 | from common.cuckooparse import behavior 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Mutexes [Cuckoo Sandbox]', 25 | description='Returns mutexes created during the Cuckoo analysis.', 26 | uuids=[ 'cuckooforcanari.v2.IDToCuckooMutex_Cuckoo', 27 | 'cuckooforcanari.v2.FileToCuckooMutex_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToCuckooMutex_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', BehaviorAnalysis ) ], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | mutexes = behavior(report(task))['summary']['mutexes'] 43 | for d in mutexes: 44 | response += CuckooMutex( 45 | d.decode('ascii'), 46 | taskid=task) 47 | 48 | return response 49 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tonetworkanalysis_section.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import NetworkAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | 6 | __author__ = 'bostonlink' 7 | __copyright__ = 'Copyright 2013, Cuckooforcanari Project' 8 | __credits__ = [] 9 | 10 | __license__ = 'GPL' 11 | __version__ = '1.1' 12 | __maintainer__ = 'bostonlink' 13 | __email__ = 'bostonlink@pentest-labs.org' 14 | __status__ = 'Development' 15 | 16 | __all__ = [ 17 | 'dotransform' 18 | ] 19 | 20 | 21 | @configure( 22 | label='To Network Analysis Section [Cuckoo Sandbox]', 23 | description='Returns network analysis section entity, used to separate analysis sections.', 24 | uuids=[ 'cuckooforcanari.v2.IDToNetAnalysisSection_Cuckoo', 'cuckooforcanari.v2.FileToNetAnalysisSection_Cuckoo' ], 25 | inputs=[ ( 'Cuckoo Sandbox Analysis Sections', CuckooTaskID ), ( 'Cuckoo Sandbox Analysis Sections', CuckooMalwareFilename ) ], 26 | remote=False, 27 | debug=False 28 | ) 29 | def dotransform(request, response, config): 30 | 31 | if 'taskid' in request.fields: 32 | task = request.fields['taskid'] 33 | else: 34 | task = request.value 35 | response += NetworkAnalysis('Network Analysis', taskid=task) 36 | return response 37 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/toopenfiles.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooOpenFile, BehaviorAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | from common.cuckooapi import report 6 | from common.cuckooparse import behavior 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Files Opened [Cuckoo Sandbox]', 25 | description='Returns opened and created files during the Cuckoo analysis.', 26 | uuids=[ 'cuckooforcanari.v2.IDToCuckooFOpen_Cuckoo', 27 | 'cuckooforcanari.v2.FileToCuckooFOpen_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToCuckooFOpen_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', BehaviorAnalysis ) ], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | files = behavior(report(task))['summary']['files'] 43 | for d in files: 44 | response += CuckooOpenFile(d.decode('ascii'), 45 | taskid=task) 46 | 47 | return response 48 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/toprocesses.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooProcess, Processes, CuckooTaskID, CuckooMalwareFilename 5 | from common.cuckooapi import report 6 | from common.cuckooparse import behavior 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Processes [Cuckoo Sandbox]', 25 | description='Returns processes created during the Cuckoo analysis.', 26 | uuids=[ 'cuckooforcanari.v2.IDToCuckooProcess_Cuckoo', 27 | 'cuckooforcanari.v2.FileToCuckooProcess_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToCuckooProcess_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', Processes ) ], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | processes = behavior(report(task))['processes'] 43 | for d in processes: 44 | response += CuckooProcess( 45 | d['process_name'].decode('ascii'), 46 | taskid=task) 47 | 48 | return response 49 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/toprocesses_section.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import Processes, CuckooTaskID, CuckooMalwareFilename 5 | 6 | __author__ = 'bostonlink' 7 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 8 | __credits__ = [] 9 | 10 | __license__ = 'GPL' 11 | __version__ = '1.1' 12 | __maintainer__ = 'bostonlink' 13 | __email__ = 'bostonlink@pentest-labs.org' 14 | __status__ = 'Development' 15 | 16 | __all__ = [ 17 | 'dotransform' 18 | ] 19 | 20 | 21 | @configure( 22 | label='To Process Analysis Section [Cuckoo Sandbox]', 23 | description='Returns process analysis section entity, used to separate analysis sections.', 24 | uuids=[ 'cuckooforcanari.v2.IDToProcessSection_Cuckoo', 'cuckooforcanari.v2.FileToProcessSection_Cuckoo' ], 25 | inputs=[ ( 'Cuckoo Sandbox Analysis Sections', CuckooTaskID ), ( 'Cuckoo Sandbox Analysis Sections', CuckooMalwareFilename ) ], 26 | remote=False, 27 | debug=False 28 | ) 29 | def dotransform(request, response, config): 30 | 31 | if 'taskid' in request.fields: 32 | task = request.fields['taskid'] 33 | else: 34 | task = request.value 35 | response += Processes('Process Analysis', taskid=task) 36 | return response 37 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/toregentries.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from canari.maltego.entities import Phrase 5 | from common.entities import BehaviorAnalysis, CuckooTaskID, CuckooMalwareFilename 6 | from common.cuckooapi import report 7 | from common.cuckooparse import behavior 8 | 9 | __author__ = 'bostonlink' 10 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 11 | __credits__ = [] 12 | 13 | __license__ = 'GPL' 14 | __version__ = '1.1' 15 | __maintainer__ = 'bostonlink' 16 | __email__ = 'bostonlink@pentest-labs.org' 17 | __status__ = 'Development' 18 | 19 | __all__ = [ 20 | 'dotransform' 21 | ] 22 | 23 | 24 | @configure( 25 | label='To Registry Keys [Cuckoo Sandbox]', 26 | description='Returns registry keys created during the Cuckoo analysis.', 27 | uuids=[ 'cuckooforcanari.v2.IDToCuckooRegKeys_Cuckoo', 28 | 'cuckooforcanari.v2.FileToCuckooRegKeys_Cuckoo', 29 | 'cuckooforcanari.v2.SectionToCuckooRegKeys_Cuckoo' ], 30 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 31 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 32 | ( 'Cuckoo Sandbox', BehaviorAnalysis ) ], 33 | remote=False, 34 | debug=False 35 | ) 36 | def dotransform(request, response, config): 37 | 38 | if 'taskid' in request.fields: 39 | task = request.fields['taskid'] 40 | else: 41 | task = request.value 42 | 43 | reg = behavior(report(task))['summary']['keys'] 44 | for d in reg: 45 | response += Phrase(d.decode('ascii')) 46 | 47 | return response 48 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tosha1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooHash, FileDetails, CuckooMalwareFilename, CuckooTaskID 5 | from common.cuckooapi import report 6 | from common.cuckooparse import target_info 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To SHA1 [Cuckoo Sandbox]', 25 | description='Returns filename of the initial file analyzed.', 26 | uuids=[ 'cuckooforcanari.v2.IDToSHA1_Cuckoo', 27 | 'cuckooforcanari.v2.FileToSHA1_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToSHA1_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', FileDetails ) ], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | target = target_info(report(task))['file'] 43 | response += CuckooHash(target['sha1'].decode('ascii'), 44 | taskid=task) 45 | 46 | return response 47 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tosha256.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooHash, FileDetails, CuckooMalwareFilename, CuckooTaskID 5 | from common.cuckooapi import report 6 | from common.cuckooparse import target_info 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To SHA256 [Cuckoo Sandbox]', 25 | description='Returns filename of the initial file analyzed.', 26 | uuids=[ 'cuckooforcanari.v2.IDToSHA256_Cuckoo', 27 | 'cuckooforcanari.v2.FileToSHA256_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToSHA256_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', FileDetails ) ], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | target = target_info(report(task))['file'] 43 | response += CuckooHash(target['sha256'].decode('ascii'), 44 | taskid=task) 45 | 46 | return response 47 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tosiganalysis_section.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import SignatureAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | 6 | __author__ = 'bostonlink' 7 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 8 | __credits__ = [] 9 | 10 | __license__ = 'GPL' 11 | __version__ = '1.1' 12 | __maintainer__ = 'bostonlink' 13 | __email__ = 'bostonlink@pentest-labs.org' 14 | __status__ = 'Development' 15 | 16 | __all__ = [ 17 | 'dotransform' 18 | ] 19 | 20 | 21 | @configure( 22 | label='To Signature Analysis Section [Cuckoo Sandbox]', 23 | description='Returns signature analysis section entity, used to separate analysis sections.', 24 | uuids=[ 'cuckooforcanari.v2.IDToSigAnalysisSection_Cuckoo', 'cuckooforcanari.v2.FileToSigAnalysisSection_Cuckoo' ], 25 | inputs=[ ( 'Cuckoo Sandbox Analysis Sections', CuckooTaskID ), ( 'Cuckoo Sandbox Analysis Sections', CuckooMalwareFilename ) ], 26 | remote=False, 27 | debug=False 28 | ) 29 | def dotransform(request, response, config): 30 | 31 | if 'taskid' in request.fields: 32 | task = request.fields['taskid'] 33 | else: 34 | task = request.value 35 | response += SignatureAnalysis('Signature Analysis', taskid=task) 36 | return response 37 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/tostaticanalysis_section.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import StaticAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | 6 | __author__ = 'bostonlink' 7 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 8 | __credits__ = [] 9 | 10 | __license__ = 'GPL' 11 | __version__ = '1.1' 12 | __maintainer__ = 'bostonlink' 13 | __email__ = 'bostonlink@pentest-labs.org' 14 | __status__ = 'Development' 15 | 16 | __all__ = [ 17 | 'dotransform' 18 | ] 19 | 20 | 21 | @configure( 22 | label='To Static Analysis Section [Cuckoo Sandbox]', 23 | description='Returns static analysis section entity, used to separate analysis sections.', 24 | uuids=[ 'cuckooforcanari.v2.IDToStaticAnalysisSection_Cuckoo', 'cuckooforcanari.v2.FileToStaticAnalysisSection_Cuckoo' ], 25 | inputs=[ ( 'Cuckoo Sandbox Analysis Sections', CuckooTaskID ), ( 'Cuckoo Sandbox Analysis Sections', CuckooMalwareFilename ) ], 26 | remote=False, 27 | debug=False 28 | ) 29 | def dotransform(request, response, config): 30 | 31 | if 'taskid' in request.fields: 32 | task = request.fields['taskid'] 33 | else: 34 | task = request.value 35 | response += StaticAnalysis('Static Analysis', taskid=task) 36 | return response 37 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/virustotal.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooVT, SignatureAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | from common.cuckooapi import report 6 | from common.cuckooparse import vt_results 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To VirusTotal Results [Cuckoo Sandbox]', 25 | description='Returns Yara signature names associated with the Cuckoo analysis task id.', 26 | uuids=[ 'cuckooforcanari.v2.IDToVTresults_Cuckoo', 27 | 'cuckooforcanari.v2.FileToVTResults_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToVTResults_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', SignatureAnalysis )], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | vt = vt_results(report(task)) 43 | if vt['response_code'] == 1: 44 | for k, v in vt['scans'].iteritems(): 45 | if None != v['result']: 46 | value = k + ' - ' + v['result'] 47 | response += CuckooVT( 48 | value.decode('ascii'), 49 | taskid=task, 50 | vtlink=vt['permalink'] 51 | ) 52 | else: 53 | pass 54 | 55 | return response 56 | -------------------------------------------------------------------------------- /src/cuckooforcanari/transforms/yarasigs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from canari.framework import configure 4 | from common.entities import CuckooYara, SignatureAnalysis, CuckooTaskID, CuckooMalwareFilename 5 | from common.cuckooapi import report 6 | from common.cuckooparse import yara_sigs 7 | 8 | __author__ = 'bostonlink' 9 | __copyright__ = 'Copyright 2014, Cuckooforcanari Project' 10 | __credits__ = [] 11 | 12 | __license__ = 'GPL' 13 | __version__ = '1.1' 14 | __maintainer__ = 'bostonlink' 15 | __email__ = 'bostonlink@pentest-labs.org' 16 | __status__ = 'Development' 17 | 18 | __all__ = [ 19 | 'dotransform' 20 | ] 21 | 22 | 23 | @configure( 24 | label='To Yara Signatures [Cuckoo Sandbox]', 25 | description='Returns Yara signature names associated with the Cuckoo analysis task id.', 26 | uuids=[ 'cuckooforcanari.v2.IDToYaraSigs_Cuckoo', 27 | 'cuckooforcanari.v2.FileToYaraSigs_Cuckoo', 28 | 'cuckooforcanari.v2.SectionToYaraSigs_Cuckoo' ], 29 | inputs=[ ( 'Cuckoo Sandbox', CuckooTaskID ), 30 | ( 'Cuckoo Sandbox', CuckooMalwareFilename ), 31 | ( 'Cuckoo Sandbox', SignatureAnalysis ) ], 32 | remote=False, 33 | debug=False 34 | ) 35 | def dotransform(request, response, config): 36 | 37 | if 'taskid' in request.fields: 38 | task = request.fields['taskid'] 39 | else: 40 | task = request.value 41 | 42 | ysigz = yara_sigs(report(task)) 43 | for d in ysigz: 44 | for k, v in d.iteritems(): 45 | if 'meta' in k: 46 | response += CuckooYara( 47 | v['description'].decode('ascii'), 48 | taskid=task, 49 | ) 50 | 51 | return response 52 | --------------------------------------------------------------------------------