-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsubmit_some_malware.sh
137 lines (115 loc) · 4.81 KB
/
submit_some_malware.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#!/bin/bash
# arguments
if [ "$1" -gt "0" ]; then
MAX_ANALYSIS=$1
else
echo "give a number greater than 0 of malware to analyse as argument"
exit
fi
#Detects if script are not running as root...
#if [ "$UID" != "0" ]; then
# if whereis sudo &>/dev/null; then
# sudo $0 $*
# else
# echo "Sudo not found. You will need to run this script as root."
# fi
# exit
#fi
# parameters to change if needed
BATCH_SIZE=15
FOLDER_SHARED="shared_with_docker"
FOLDER_TO_ANALYSE="malwares/todo"
FOLDER_MONITOR="monitor"
FOLDER_RESULTS="results"
FOLDER_SCRIPTS="scripts"
FOLDER_CUCKOO="cuckoo_default"
CUCKOO_LOG_FILE="cuckoo.log"
ALREADY_DONE_FILE="malware_done.txt"
ERROR_FILE="malware_error.txt"
CONTAINER_NAME="cuckooVB"
# end parameters; don't change what follows!
ANALYSIS_NOT_DONE=$MAX_ANALYSIS
TOTAL_ANALYSIS=$MAX_ANALYSIS
RED='\033[1;31m'
GREEN='\033[1;32m'
BLUE='\033[1;34m'
NC='\033[0m'
# get directory of the script
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )
"$DIR/docker/create_container.sh" $CONTAINER_NAME $FOLDER_CUCKOO
"$DIR/docker/stop_all.sh"
"$DIR/docker/start_container.sh" $CONTAINER_NAME
# create directory of result
if [ ! -e "$DIR/$FOLDER_RESULTS" ]; then
mkdir "$DIR/$FOLDER_RESULTS"
fi
if [ ! -e "$DIR/$FOLDER_RESULTS/$ALREADY_DONE_FILE" ]; then
touch "$DIR/$FOLDER_RESULTS/$ALREADY_DONE_FILE"
fi
if [ ! -e "$DIR/$FOLDER_RESULTS/$ERROR_FILE" ]; then
touch "$DIR/$FOLDER_RESULTS/$ERROR_FILE"
fi
# clean cuckoo to be sure
echo "cleaning cuckoo! It will delete all folder still in cuckoo storage."
docker exec -it $CONTAINER_NAME cuckoo clean
# iterate over all monitor
echo -e "Analyzing $BLUE$TOTAL_ANALYSIS$NC malwares by batch of $BLUE$BATCH_SIZE$NC"
for monitor in $(find "$FOLDER_SHARED/$FOLDER_MONITOR" -maxdepth 1 -print | tail -n +2); do
if [ $MAX_ANALYSIS -le 0 ]; then # if there is nothing more to analyse finish script
break
fi
#echo "Using monitor: $monitor"
monitor_name="$(echo "$monitor" | rev | cut -d '/' -f 1 | rev)"
# create symbolic link
if [ ! -e "$DIR/$FOLDER_CUCKOO/monitor/$monitor_name" ]; then
docker exec -it $CONTAINER_NAME ln -sd "/home/cuckoo/mymonitor/$monitor_name" "/root/.cuckoo/monitor/$monitor_name"
fi
echo "Submitting analysis...."
tmp=$MAX_ANALYSIS
for malware in $(find "$FOLDER_SHARED/$FOLDER_TO_ANALYSE" -print | tail -n +2); do
if [ $MAX_ANALYSIS -le 0 ]; then # if there is nothing more to analyse finish script
break
fi
malware_name="$(echo "$malware" | rev | cut -d '/' -f 1 | rev)"
if grep --quiet -P "$malware_name\t$monitor_name" "$DIR/$FOLDER_RESULTS/$ALREADY_DONE_FILE" || grep --quiet -P "$malware_name\t$monitor_name" "$DIR/$FOLDER_RESULTS/$ERROR_FILE"; then :
else
# submit with the monitor
docker exec -it $CONTAINER_NAME cuckoo submit "/home/cuckoo/$FOLDER_TO_ANALYSE/$malware_name" --options="monitor=$monitor_name" >> "$DIR/$FOLDER_RESULTS/$CUCKOO_LOG_FILE"
#echo "Submitting malware: $malware"
MAX_ANALYSIS=$((MAX_ANALYSIS-1))
fi
done
echo -e "$GREEN$((tmp-MAX_ANALYSIS))$NC malwares submitted"
# iterate to execute all malwares and get the report
while [ $ANALYSIS_NOT_DONE -gt $MAX_ANALYSIS ]; do
# restart mongodb if needed
ismongoup=$(service mongod status | grep "Active")
if echo $imongoup | grep "running" --quiet; then :
else sudo service mongod restart; fi
max=$((diff = ANALYSIS_NOT_DONE-MAX_ANALYSIS, diff>BATCH_SIZE?BATCH_SIZE:diff))
echo -e "Running $BLUE$max$NC malwares..."
docker exec -it $CONTAINER_NAME cuckoo -m $max >> "$DIR/$FOLDER_RESULTS/$CUCKOO_LOG_FILE"
if tail -n 2 "$DIR/$FOLDER_RESULTS/$CUCKOO_LOG_FILE" | grep --quiet "CuckooCriticalError: Unable to bind ResultServer"; then
# reconnect the network
echo "Restarting network...."
vboxmanage hostonlyif remove vboxnet0
vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
sudo ip link set vboxnet0 up
else
ANALYSIS_NOT_DONE=$((ANALYSIS_NOT_DONE-max))
# remove the results of cuckoo to clean memory and store in db
"$DIR/$FOLDER_SCRIPTS/store_in_db.py"
echo -e "$BLUE$ANALYSIS_NOT_DONE$NC analysis left"
fi
done
# remove symbolic link
rm "$DIR/$FOLDER_SHARED/$FOLDER_CUCKOO/monitor/$monitor_name"
done
"$DIR/docker/stop_container.sh" $CONTAINER_NAME
if [ $ANALYSIS_NOT_DONE -eq 0 ]; then
echo -e "$GREEN$TOTAL_ANALYSIS analysis were done.$NC"
else
echo -e "There is still $RED$ANALYSIS_NOT_DONE not done$NC. All analysis have already been done, there is no more malware neither monitor."
fi
echo "Script finished!"