From 2a171ac3d20d37951d2340bd6cb2dc057b2bc353 Mon Sep 17 00:00:00 2001
From: Christopher Talib
Date: Fri, 14 Apr 2023 13:08:23 +0200
Subject: [PATCH 1/2] Adding code view in the similarity search for func searchA #144

Nice to have, preventing to have to do back and forth
---
 bazaar/core/utils.py | 14 ++++++++------
 bazaar/front/view.py | 5 +++--
 bazaar/templates/front/m_similarities.html | 9 +++++++++
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/bazaar/core/utils.py b/bazaar/core/utils.py
index 4348a0b..dda3c4f 100644
--- a/bazaar/core/utils.py
+++ b/bazaar/core/utils.py
@@ -237,8 +237,7 @@ def get_matching_items_by_ssdeep(ssdeep_value, threshold_grade, index, sha256):
 if ssdeep_grade >= threshold_grade:
 sha256_list_to_return.append((record['_source']['sha256'], ssdeep_grade))
- return sha256_list_to_return
-
+ return (sha256_list_to_return, None)
 def get_matching_items_by_ssdeep_func(ssdeep_value, threshold_grade, index, sha256):
 chunksize, chunk, double_chunk = ssdeep_value.split(':')
@@ -281,6 +280,7 @@ def get_matching_items_by_ssdeep_func(ssdeep_value, threshold_grade, index, sha2
 results = es.search(index=index, body=query)
 sha256_list_to_return = []
+ ssdeep_struct = None
 for record in results['hits']['hits']:
 for rule in record['_source']['andro_cfg']['rules']:
@@ -291,8 +291,11 @@ def get_matching_items_by_ssdeep_func(ssdeep_value, threshold_grade, index, sha2
 if ssdeep_grade >= threshold_grade:
 sha256_list_to_return.append((record['_source']['sha256'], ssdeep_grade))
-
- return sha256_list_to_return
+
+ if f["dexofuzzy_hash"] == ssdeep_value:
+ ssdeep_struct = f
+
+ return (sha256_list_to_return, ssdeep_struct)
 def get_matching_items_by_dexofuzzy(dexofuzzy_value, threshold_grade, index, sha256):
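Review bot: The return value of `get_matching_items_by_ssdeep` changes from a list to a 2-tuple, so any caller that still iterates the result directly now iterates `(list, None)` and unpacks a list where it expects a `(sha256, grade)` pair; the same change is made to `get_matching_items_by_dexofuzzy` in the `@@ -350` hunk below, and the second patch already had to repair one such caller in `bazaar/front/view.py`. Other call sites are not visible in this diff and need the same `matches, _ = ...` update. A docstring stating the new contract on each function would help, e.g. `"""Return (list of (sha256, grade) pairs at or above threshold_grade, None)."""`. The enclosing function starts outside the hunk.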
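Review bot: `ssdeep_struct = f` is reassigned for every function whose `dexofuzzy_hash` equals the searched value, so the struct returned is the last matching record seen, which may belong to a different sample than the one the user is looking at if the query does not exclude other hits; if the first match is the intended one, `if ssdeep_struct is None and f.get("dexofuzzy_hash") == ssdeep_value:` keeps it and also tolerates records without the key (unless the grade computation above already reads `f["dexofuzzy_hash"]`, in which case the KeyError is not new). The struct is the raw Elasticsearch function record derived from an analysed sample and is passed as-is to the template, so it should only be rendered through auto-escaped `{{ }}` output, never with `|safe`. The loop variable `f` and the function header are outside the hunk, so I could not confirm the record's shape.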
@@ -350,8 +353,7 @@ def get_matching_items_by_dexofuzzy(dexofuzzy_value, threshold_grade, index, sha
 sha256_list_to_return.append(
 (record['_source']['sha256'], dexofuzzy_grade))
- return sha256_list_to_return
-
+ return (sha256_list_to_return, None)
 def compute_genetic_analysis(results):
 try:
diff --git a/bazaar/front/view.py b/bazaar/front/view.py
index da619fe..f85dddf 100644
--- a/bazaar/front/view.py
+++ b/bazaar/front/view.py
@@ -236,8 +236,9 @@ def similarity_search_view(request, sha256=''):
 form = SimilaritySearchForm(request.GET)
 results = None
 res = []
+ ssdeep_struct = None
 if form.is_valid():
- results = form.do_search(sha256)
+ results, ssdeep_struct = form.do_search(sha256)
 for sha256, score in results:
 apk = get_sample_light(sha256)
 try:
@@ -249,7 +250,7 @@ def similarity_search_view(request, sha256=''):
 results = res
- return render(request, 'front/similarity_search.html', {'form': form, 'results': results})
+ return render(request, 'front/similarity_search.html', {'form': form, 'results': results, 'andro_cfg': ssdeep_struct})
 def download_sample_view(request, sha256):
diff --git a/bazaar/templates/front/m_similarities.html b/bazaar/templates/front/m_similarities.html
index 25dc9c3..3b9bd3e 100644
--- a/bazaar/templates/front/m_similarities.html
+++ b/bazaar/templates/front/m_similarities.html
@@ -1,3 +1,4 @@
+
@@ -6,6 +7,9 @@
+ {% if andro_cfg %}
+
+ {% endif %}
@@ -39,6 +43,11 @@
+ {% if andro_cfg %}
+
+ {% endif%}
 {% endif %}
 {% endfor %}

From b77de39737e9d2916dd20d5a5f7f8f1811956eb7 Mon Sep 17 00:00:00 2001
From: Christopher Talib
Date: Fri, 14 Apr 2023 23:01:08 +0200
Subject: [PATCH 2/2] Fix + adding genetic analysis when possible to similar samples

---
 bazaar/front/view.py | 8 +++++---
 bazaar/templates/front/m_similarities.html | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/bazaar/front/view.py b/bazaar/front/view.py
index f85dddf..c26e332 100644
--- a/bazaar/front/view.py
+++ b/bazaar/front/view.py
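Review bot: `results, ssdeep_struct = form.do_search(sha256)` assumes `SimilaritySearchForm.do_search` now returns a 2-tuple for every search mode, but that method is not part of this diff; if any branch still returns a plain list the unpack raises `ValueError`, or silently mis-assigns when the list happens to hold exactly two matches. Please include the form change in this PR or confirm it is already in place. The context key `'andro_cfg'` holds a single matched function struct rather than the sample's full `andro_cfg` block, so a name such as `'matched_function'` would describe it more accurately in the template. `similarity_search_view` continues outside the hunk.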
@@ -29,7 +29,7 @@ from bazaar.core.models import Yara
 from bazaar.core.tasks import analyze, retrohunt
-from bazaar.core.utils import get_sha256_of_file, get_matching_items_by_dexofuzzy
+from bazaar.core.utils import get_sha256_of_file, get_matching_items_by_dexofuzzy, compute_genetic_analysis
 from bazaar.front.forms import SearchForm, BasicUploadForm, SimilaritySearchForm, BasicUrlDownloadForm
 from bazaar.front.og import generate_og_card
 from bazaar.front.utils import transform_results, get_similarity_matrix, compute_status, generate_world_map, \
@@ -124,7 +124,7 @@ def get(self, request, *args, **kwargs):
 try:
 dexofuzzy_hash = result['dexofuzzy']['apk']
 if dexofuzzy_hash:
- similar_samples = get_matching_items_by_dexofuzzy(
+ similar_samples, _ = get_matching_items_by_dexofuzzy(
 dexofuzzy_hash, 25, settings.ELASTICSEARCH_DEXOFUZZY_APK_INDEX, sha)
@@ -237,6 +237,7 @@ def similarity_search_view(request, sha256=''):
 results = None
 res = []
 ssdeep_struct = None
+ genetic_analysis = None
 if form.is_valid():
 results, ssdeep_struct = form.do_search(sha256)
 for sha256, score in results:
@@ -249,8 +250,9 @@ def similarity_search_view(request, sha256=''):
 res.append((apk[0]['source']['app_name'], apk[0]['source']['handle'], sha256, vt, score))
 results = res
+ genetic_analysis = compute_genetic_analysis(results)
- return render(request, 'front/similarity_search.html', {'form': form, 'results': results, 'andro_cfg': ssdeep_struct})
+ return render(request, 'front/similarity_search.html', {'form': form, 'results': results, 'andro_cfg': ssdeep_struct, 'genetic_analysis': genetic_analysis})
 def download_sample_view(request, sha256):
diff --git a/bazaar/templates/front/m_similarities.html b/bazaar/templates/front/m_similarities.html
index 3b9bd3e..48b1b9e 100644
--- a/bazaar/templates/front/m_similarities.html
+++ b/bazaar/templates/front/m_similarities.html
@@ -1,4 +1,4 @@
-
+{% include "front/m_dendrogram.html" %}
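Review bot: `compute_genetic_analysis(results)` is handed `res`, the list of `(app_name, handle, sha256, vt, score)` tuples this view builds, while the helper's only visible line in `bazaar/core/utils.py` is `try:` and gives no hint of the shape it expects; a mismatch may therefore be swallowed and surface only as an empty dendrogram, so please confirm the input contract, and consider `genetic_analysis = compute_genetic_analysis(results) if results else None` so an empty match list skips the call. `genetic_analysis` stays `None` when the form is invalid and is still passed to the template, which the now unconditional `{% include "front/m_dendrogram.html" %}` has to tolerate. The import line lengthened in the `@@ -29` hunk should be wrapped in parentheses like the `bazaar.front.utils` import below it. The view's body continues outside the hunk.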
SHA256 VirusTotal Score SimilarityCode
+ {{andro_cfg.call_by}} +