combine capa detection with tool detection to attempt to alleviate fns
1 parent
c7eed5d
commit fa0ec0c
Showing
12 changed files
with
421 additions
and
84 deletions.
@@ -0,0 +1,97 @@ | ||
import sys | ||
import os | ||
import argparse | ||
import json | ||
import numpy as np | ||
|
||
def get_data(capaFN, drFN): | ||
# Load CAPA results | ||
content = json.loads(open(capaFN,'r').read()) | ||
|
||
capa_result = dict() | ||
|
||
for rule_name in content['rules']: | ||
|
||
# Skip rule if... (from: https://github.com/fireeye/capa/blob/8510f0465122ef11c1d259e47eadc0b0f6946f6c/capa/render/utils.py#L31) | ||
rule = content['rules'][rule_name] | ||
if rule["meta"].get("lib"): | ||
continue | ||
if rule["meta"].get("capa/subscope"): | ||
continue | ||
if rule["meta"].get("maec/analysis-conclusion"): | ||
continue | ||
if rule["meta"].get("maec/analysis-conclusion-ov"): | ||
continue | ||
if rule["meta"].get("maec/malware-category"): | ||
continue | ||
if rule["meta"].get("maec/malware-category-ov"): | ||
continue | ||
|
||
scope = content['rules'][rule_name]['meta']['scope'] | ||
|
||
for addr in content['rules'][rule_name]['matches']: | ||
success = content['rules'][rule_name]['matches'][addr]['success'] | ||
|
||
if success is True: | ||
capa_result[int(addr)] = '{0}: {1}'.format(rule_name,scope) | ||
|
||
# Load DeepReflect results | ||
deepreflect_result = np.load(drFN) | ||
dr_addr = deepreflect_result['addr'] | ||
dr_y = deepreflect_result['y'] | ||
dr_score = deepreflect_result['score'] | ||
|
||
|
||
addr = list() | ||
score = list() | ||
label = list() | ||
|
||
# For each DeepReflect address, determine if CAPA flagged it | ||
for e,a in enumerate(dr_addr): | ||
l = dr_y[e] | ||
|
||
# If address in capa results, it means CAPA has flagged this function | ||
if a in capa_result.keys(): | ||
s = 1.0 | ||
# Else, score is DR score | ||
else: | ||
s = dr_score[e] | ||
|
||
addr.append(a) | ||
score.append(s) | ||
label.append(l) | ||
|
||
return addr,score,label | ||
|
||
def _main(): | ||
# Each argument comes in pairs [CAPA json, DR npz] | ||
length = len(sys.argv) - 2 | ||
if length % 2 != 0: | ||
sys.stderr.write('Error, arguments incorrect\n') | ||
sys.exit(2) | ||
|
||
# Last argument is output numpy file | ||
outFN = sys.argv[-1] | ||
|
||
addr = list() | ||
score = list() | ||
label = list() | ||
|
||
# For each file pair | ||
for i in range(1,length,2): | ||
capaFN = sys.argv[i] | ||
drFN = sys.argv[i+1] | ||
|
||
a,s,l = get_data(capaFN,drFN) | ||
addr.extend(a) | ||
score.extend(s) | ||
label.extend(l) | ||
|
||
# Output data file | ||
np.savez(outFN, | ||
y=np.asarray(label), | ||
score=np.asarray(score), | ||
addr=np.asarray(addr)) | ||
|
||
if __name__ == '__main__': | ||
_main() |
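Review bot: get_data reads the CAPA report with `json.loads(open(capaFN,'r').read())`, which never closes the file handle; `with open(capaFN, 'r') as f: content = json.load(f)` keeps the same behaviour and releases the descriptor on every iteration of the pair loop in _main. The assignment `capa_result[int(addr)] = '{0}: {1}'.format(rule_name,scope)` silently overwrites the stored rule name when several rules match the same address, which is harmless for the membership test in the scoring loop but deserves a comment such as `# only membership is used below; the last matching rule wins for the label string`. `int(addr)` will raise ValueError if a report ever carries a non-decimal match key, so a clearer failure message naming the file would help when many reports are processed in one run. Minor: `os` and `argparse` are imported but unused, and `a in capa_result.keys()` can simply be `a in capa_result`.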
@@ -1,56 +1,43 @@ | ||
#!/bin/bash | ||
|
||
function capa() { | ||
target="${1}/${2}" | ||
output="${3}_${2}.json" | ||
target="${1}" | ||
output="${2}.json" | ||
|
||
# Extract CAPA data | ||
./capa -j "$target" > "$output" | ||
} | ||
|
||
# Rbot | ||
echo "Rbot" | ||
root="../../malware-gt/old/" | ||
root="../malware/" | ||
family="rbot" | ||
name="rbot.exe" | ||
capa $root $name $family | ||
python output_data.py "${family}_${name}.json" "../rbot_final_corrected/rbot_ae_acfg_plus_roc_data_func.npz" \ | ||
"${family}_capa_data_func.npz" | ||
base="${root}/${family}/" | ||
mkdir -p "${family}" | ||
capa "${base}/rbot.exe" "${family}/rbot" | ||
|
||
# Pegasus | ||
echo "Pegasus" | ||
root="../../malware-gt/new/pegasus/binres" | ||
root="../malware/" | ||
family="pegasus" | ||
capa $root "idd.x32" $family | ||
capa $root "mod_CmdExec.x32" $family | ||
capa $root "mod_DomainReplication.x32" $family | ||
capa $root "mod_LogonPasswords.x32" $family | ||
capa $root "mod_NetworkConnectivity.x32" $family | ||
capa $root "rse.x32" $family | ||
python output_data.py "${family}_idd.x32.json" "../pegasus_final/pegasus_ae_acfg_plus_roc_pegasus_idd_data_func.npz" \ | ||
"${family}_mod_CmdExec.x32.json" "../pegasus_final/pegasus_ae_acfg_plus_roc_pegasus_mod_cmdexec_data_func.npz" \ | ||
"${family}_mod_DomainReplication.x32.json" "../pegasus_final/pegasus_ae_acfg_plus_roc_pegasus_mod_domainreplication_data_func.npz" \ | ||
"${family}_mod_LogonPasswords.x32.json" "../pegasus_final/pegasus_ae_acfg_plus_roc_pegasus_mod_logonpasswords_data_func.npz" \ | ||
"${family}_mod_NetworkConnectivity.x32.json" "../pegasus_final/pegasus_ae_acfg_plus_roc_pegasus_mod_networkconnectivity_data_func.npz" \ | ||
"${family}_rse.x32.json" "../pegasus_final/pegasus_ae_acfg_plus_roc_pegasus_rse_data_func.npz" \ | ||
"${family}_capa_data_func.npz" | ||
base="${root}/${family}/" | ||
mkdir -p "${family}" | ||
capa "${root}/${family}/idd.x32" "${family}/idd" | ||
capa "${root}/${family}/mod_CmdExec.x32" "${family}/mod_CmdExec" | ||
capa "${root}/${family}/mod_DomainReplication.x32" "${family}/mod_DomainReplication" | ||
capa "${root}/${family}/mod_LogonPasswords.x32" "${family}/mod_LogonPasswords" | ||
capa "${root}/${family}/mod_NetworkConnectivity.x32" "${family}/mod_NetworkConnectivity" | ||
capa "${root}/${family}/rse.x32" "${family}/rse" | ||
|
||
# Carbanak | ||
echo "Carbanak" | ||
root="../../malware-gt/new/carbanak/bin/Release" | ||
root="../malware/" | ||
family="carbanak" | ||
capa $root "bot.exe" $family | ||
capa $root "botcmd.exe" $family | ||
capa $root "downloader.exe" $family | ||
root2="../../malware-gt/new/carbanak/bin/Release simple/plugins/" | ||
capa "$root2" "AutorunSidebar.dll" $family | ||
capa "$root2" "cve2014-4113.dll" $family | ||
capa "$root2" "rdpwrap.dll" $family | ||
python output_data.py "${family}_bot.exe.json" "../carbanak_final/carbanak_ae_acfg_plus_roc_carbanak_bot_data_func.npz" \ | ||
"${family}_botcmd.exe.json" "../carbanak_final/carbanak_ae_acfg_plus_roc_carbanak_botcmd_data_func.npz" \ | ||
"${family}_downloader.exe.json" "../carbanak_final/carbanak_ae_acfg_plus_roc_carbanak_downloader_data_func.npz" \ | ||
"${family}_AutorunSidebar.dll.json" "../carbanak_final/carbanak_ae_acfg_plus_roc_carbanak_autorunsidebar_data_func.npz" \ | ||
"${family}_cve2014-4113.dll.json" "../carbanak_final/carbanak_ae_acfg_plus_roc_carbanak_cve2014-4113_data_func.npz" \ | ||
"${family}_rdpwrap.dll.json" "../carbanak_final/carbanak_ae_acfg_plus_roc_carbanak_rdpwrap_data_func.npz" \ | ||
"${family}_capa_data_func.npz" | ||
|
||
base="${root}/${family}/" | ||
mkdir -p "${family}" | ||
capa "${root}/${family}/bot.exe" "${family}/bot" | ||
capa "${root}/${family}/botcmd.exe" "${family}/botcmd" | ||
capa "${root}/${family}/downloader.exe" "${family}/downloader" | ||
capa "${root}/${family}/AutorunSidebar.dll" "${family}/AutorunSidebar" | ||
capa "${root}/${family}/cve2014-4113.dll" "${family}/cve2014-4113" | ||
capa "${root}/${family}/rdpwrap.dll" "${family}/rdpwrap" |
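Review bot: `base="${root}/${family}/"` is assigned in all three family blocks but only the Rbot block uses it; the Pegasus and Carbanak calls spell out `${root}/${family}/...` again, so either drop the unused `base` there or use `capa "${base}/idd.x32" "${family}/idd"` for consistency. In the rewritten helper `./capa -j "$target" > "$output"` the redirection truncates the output file before capa's exit status is known, so a failed run leaves an empty or partial JSON that a downstream consumer will try to parse; adding `set -euo pipefail` after the shebang, or checking the exit status inside `capa()` and removing the output on failure, makes a failed extraction stop the script instead of producing a bad file. The old and new forms of the `target`/`output` assignments appear as adjacent pairs without markers on this page, so which line is on which side is inferred from the hunk counts.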