cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

[Improvement] New parser for the report.json file #2117

Open LetMeR00t opened 6 years ago

LetMeR00t commented 6 years ago

Hello, I would like to share with you an improvement concerning the parsing of the "report.json" file used by the API.

The generated report is produced by this part of Cuckoo's code: https://github.com/cuckoosandbox/cuckoo/blob/77448957ea9769ba8cca38eb63961baebdb91836/cuckoo/web/controllers/analysis/api.py#L251-L255

However, the result of this parsing is only a brief summary of the analysis. Here is an example:

{
  "file_type": "url",
  "signatures": [
    "Performs some HTTP requests",
    "Allocates read-write-execute memory (usually to unpack itself)",
    "File has been identified by 3 AntiVirus engines on VirusTotal as malicious",
    "One or more thread handles in other processes",
    "PEB modified to hide loaded modules. Dll very likely not loaded by LoadLibrary",
    "Malfind detects one or more injected processes",
    "Kernel module without a name",
    "Stopped Firewall service",
    "Stopped Application Layer Gateway service"
  ],
  "hosts": [
    "104.41.151.54",
    "2.22.112.131",
    "204.79.197.200",
    "40.68.222.212",
    "8.8.8.8",
    "93.184.220.29"
  ],
  "malfamily": null,
  "suricata_alerts": [],
  "malscore": 4.6,
  "yara": "http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
  "uri": [
    "http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
    "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0a7d655a2622f8ce",
    "http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D"
  ],
  "snort_alerts": []
}

It would be great to have more information in this report. What do you think about it?
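As an added illustration of the kind of richer summary the request above asks for (example code written for this page, not Cuckoo's own API handler, and not part of the original issue): the function below takes a parsed report.json and keeps signature names, severities and IOC marks, contacted domains, HTTP requests, dropped-file hashes and persistence registry keys, instead of only the description strings and IP list of the stock summary. The section and key names it reads (info, target, signatures with marks/families, network.hosts/domains/http, dropped, behavior.summary) are assumed to match the Cuckoo 2.x report.json layout; the sample report is constructed here, reusing the hosts and URLs quoted in the summary above plus a made-up dropped file, and every accessor is defensive because a processing module that was disabled or failed simply leaves its section out of the report.

```python
import json
from collections import Counter

# Constructed sample, not a real Cuckoo run. Key names follow the assumed
# Cuckoo 2.x report.json layout; values reuse the summary quoted in the issue.
SAMPLE_REPORT = {
    "info": {"id": 42, "score": 4.6, "category": "url"},
    "target": {"category": "url",
               "url": "http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"},
    "signatures": [
        {"name": "network_http", "description": "Performs some HTTP requests",
         "severity": 2, "families": [],
         "marks": [{"type": "ioc",
                    "ioc": "http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico"}]},
        {"name": "allocates_rwx",
         "description": "Allocates read-write-execute memory (usually to unpack itself)",
         "severity": 2, "families": [], "marks": []},
        {"name": "stops_service", "description": "Stopped Firewall service",
         "severity": 3, "families": [],
         "marks": [{"type": "generic", "service": "MpsSvc"}]},
    ],
    "network": {
        # Cuckoo 2.x emits host dicts; 1.x emitted bare strings. Both are accepted.
        "hosts": [{"ip": "104.41.151.54"}, {"ip": "8.8.8.8"}, "93.184.220.29"],
        "domains": [{"domain": "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
                     "ip": "93.184.220.29"}],
        "http": [
            {"method": "GET",
             "uri": "http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico"},
            {"method": "GET",
             "uri": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab"},
        ],
    },
    "dropped": [{"name": "update.exe", "sha256": "a" * 64, "type": "PE32 executable"}],
    "behavior": {"summary": {
        "file_written": ["C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"],
        "regkey_written": [
            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"],
        "dll_loaded": ["kernel32.dll", "ws2_32.dll"],
    }},
}


def summarize_report(report):
    """Build a richer summary than {file_type, signatures, hosts, malscore, ...}.

    Every section is read with .get() so a missing or empty section yields an
    empty field instead of a KeyError in the API handler.
    """
    info = report.get("info", {})
    target = report.get("target", {})
    network = report.get("network", {})
    behavior = report.get("behavior", {}).get("summary", {})

    # Keep name, severity and IOC-type marks for each signature, highest severity first.
    signatures, families = [], set()
    for sig in report.get("signatures", []):
        families.update(sig.get("families", []))
        signatures.append({
            "name": sig.get("name"),
            "description": sig.get("description"),
            "severity": sig.get("severity", 0),
            "iocs": sorted({m["ioc"] for m in sig.get("marks", [])
                            if m.get("type") == "ioc" and "ioc" in m}),
        })
    signatures.sort(key=lambda s: s["severity"], reverse=True)

    hosts = sorted({h.get("ip") if isinstance(h, dict) else h
                    for h in network.get("hosts", [])} - {None})
    domains = sorted({d.get("domain") for d in network.get("domains", []) if d.get("domain")})
    http = [{"method": r.get("method", "GET"), "uri": r["uri"]}
            for r in network.get("http", []) if r.get("uri")]
    dropped = [{"name": f.get("name"), "sha256": f.get("sha256"), "type": f.get("type")}
               for f in report.get("dropped", [])]

    return {
        "task_id": info.get("id"),
        "category": target.get("category") or info.get("category"),
        "target": target.get("url") or target.get("file", {}).get("name"),
        "malscore": info.get("score"),
        "malfamily": sorted(families) or None,
        "severity_counts": dict(Counter(s["severity"] for s in signatures)),
        "signatures": signatures,
        "hosts": hosts,
        "domains": domains,
        "http": http,
        "dropped": dropped,
        # Run-key writes are the usual persistence tell; surface them separately.
        "persistence_regkeys": [k for k in behavior.get("regkey_written", [])
                                if "\\run\\" in k.lower()],
        "files_written": behavior.get("file_written", []),
    }


def summarize_report_file(path):
    """Load a report.json from disk, as the API handler would, and summarise it."""
    with open(path) as fh:
        return summarize_report(json.load(fh))


if __name__ == "__main__":
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```

The output is still JSON-serialisable, so it can be returned from the same API view as the existing summary; pass `summarize_report({})` to see that a report with no sections at all degrades to empty fields rather than an error.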

doomedraven commented 6 years ago

Check the PRs; there should be /iocs, which gets kind of the same info.

LetMeR00t commented 6 years ago

Do you mean that we can ask for IOCs using "/api/task/report/"? I don't have access to the documentation (it seems that there is a certificate problem for now).

doomedraven commented 6 years ago

That isn't in the documentation, that is in the pull requests, and the docs are fine here: http://cuckoo.readthedocs.io/en/latest/