14 changes: 8 additions & 6 deletions bazaar/core/utils.py
Expand Up @@ -237,8 +237,7 @@ def get_matching_items_by_ssdeep(ssdeep_value, threshold_grade, index, sha256):
if ssdeep_grade >= threshold_grade:
sha256_list_to_return.append((record['_source']['sha256'], ssdeep_grade))

return sha256_list_to_return

return (sha256_list_to_return, None)

def get_matching_items_by_ssdeep_func(ssdeep_value, threshold_grade, index, sha256):
chunksize, chunk, double_chunk = ssdeep_value.split(':')
Expand Down Expand Up @@ -281,6 +280,7 @@ def get_matching_items_by_ssdeep_func(ssdeep_value, threshold_grade, index, sha2

results = es.search(index=index, body=query)
sha256_list_to_return = []
ssdeep_struct = None

for record in results['hits']['hits']:
for rule in record['_source']['andro_cfg']['rules']:
Expand All @@ -291,8 +291,11 @@ def get_matching_items_by_ssdeep_func(ssdeep_value, threshold_grade, index, sha2

if ssdeep_grade >= threshold_grade:
sha256_list_to_return.append((record['_source']['sha256'], ssdeep_grade))

return sha256_list_to_return

if f["dexofuzzy_hash"] == ssdeep_value:
ssdeep_struct = f

return (sha256_list_to_return, ssdeep_struct)


def get_matching_items_by_dexofuzzy(dexofuzzy_value, threshold_grade, index, sha256):
Expand Down Expand Up @@ -350,8 +353,7 @@ def get_matching_items_by_dexofuzzy(dexofuzzy_value, threshold_grade, index, sha
sha256_list_to_return.append(
(record['_source']['sha256'], dexofuzzy_grade))

return sha256_list_to_return

return (sha256_list_to_return, None)

def compute_genetic_analysis(results):
try:
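Review bot: In the `get_matching_items_by_ssdeep_func` hunk, `ssdeep_struct = f` is executed for every rule file of every hit whose `dexofuzzy_hash` equals the query, so the struct returned is whichever match the loop visited last and carries no indication of which `sha256` it was found in; if the intent is to pick one definite record, a `break` after the assignment (or returning the owning sha256 alongside it) would make that explicit. The return-shape change to a 2-tuple applies to all three functions in this file, but only the dexofuzzy caller in `bazaar/front/view.py` is updated in this diff, so any other caller of `get_matching_items_by_ssdeep` or `get_matching_items_by_ssdeep_func` outside these files (not visible here) would now receive a tuple where it expects a list. Each function should document the new contract, e.g. a docstring line `Return (list of (sha256, grade) pairs, matching andro_cfg rule file or None).` for the ssdeep_func variant and the same wording with an always-`None` second element for the other two. As a point of style, the parenthesised `return (sha256_list_to_return, None)` can be written `return sha256_list_to_return, None`. The bodies of all three functions start above their hunks.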
11 changes: 7 additions & 4 deletions bazaar/front/view.py
Expand Up @@ -29,7 +29,7 @@

from bazaar.core.models import Yara
from bazaar.core.tasks import analyze, retrohunt
from bazaar.core.utils import get_sha256_of_file, get_matching_items_by_dexofuzzy
from bazaar.core.utils import get_sha256_of_file, get_matching_items_by_dexofuzzy, compute_genetic_analysis
from bazaar.front.forms import SearchForm, BasicUploadForm, SimilaritySearchForm, BasicUrlDownloadForm
from bazaar.front.og import generate_og_card
from bazaar.front.utils import transform_results, get_similarity_matrix, compute_status, generate_world_map, \
Expand Down Expand Up @@ -124,7 +124,7 @@ def get(self, request, *args, **kwargs):
try:
dexofuzzy_hash = result['dexofuzzy']['apk']
if dexofuzzy_hash:
similar_samples = get_matching_items_by_dexofuzzy(
similar_samples, _ = get_matching_items_by_dexofuzzy(
dexofuzzy_hash,
25,
settings.ELASTICSEARCH_DEXOFUZZY_APK_INDEX, sha)
Expand Down Expand Up @@ -236,8 +236,10 @@ def similarity_search_view(request, sha256=''):
form = SimilaritySearchForm(request.GET)
results = None
res = []
ssdeep_struct = None
genetic_analysis = None
if form.is_valid():
results = form.do_search(sha256)
results, ssdeep_struct = form.do_search(sha256)
for sha256, score in results:
apk = get_sample_light(sha256)
try:
Expand All @@ -248,8 +250,9 @@ def similarity_search_view(request, sha256=''):
res.append((apk[0]['source']['app_name'], apk[0]['source']['handle'], sha256, vt, score))

results = res
genetic_analysis = compute_genetic_analysis(results)

return render(request, 'front/similarity_search.html', {'form': form, 'results': results})
return render(request, 'front/similarity_search.html', {'form': form, 'results': results, 'andro_cfg': ssdeep_struct, 'genetic_analysis': genetic_analysis})


def download_sample_view(request, sha256):
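Review bot: `results, ssdeep_struct = form.do_search(sha256)` in the `similarity_search_view` hunk only works if `SimilaritySearchForm.do_search` now returns a 2-tuple, and `bazaar/front/forms.py` is not part of this diff; unless it was changed in another commit, the unpack raises at request time for every valid search. The same line also assumes `do_search` never returns `None` or an empty result for a query with no hits, which is not visible here and worth confirming. Since the value is reused as `results` below and passed to `compute_genetic_analysis`, I would name the contract where it is consumed, e.g. `# do_search returns (list of (sha256, score), matching andro_cfg rule file or None)` above the unpack. The `render` call's context dict has grown to one long line; splitting it into a `context = {...}` literal over several lines would keep it readable. `similarity_search_view` continues outside this hunk.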
9 changes: 9 additions & 0 deletions bazaar/templates/front/m_similarities.html
@@ -1,3 +1,4 @@
{% include "front/m_dendrogram.html" %}
<table class="table table-condensed">
<thead>
<tr>
Expand All @@ -6,6 +7,9 @@
<th>SHA256</th>
<th>VirusTotal Score</th>
<th>Similarity</th>
{% if andro_cfg %}
<th>Code</th>
{% endif %}
</tr>
</thead>
<tbody>
Expand Down Expand Up @@ -39,6 +43,11 @@
</div>
</div>
</td>
{% if andro_cfg %}
<td>
<a class="btn btn-sm btn-link p-0 text-decoration-none" target="_blank" href="{% url "front:get_andgrocfg_code" hash andro_cfg.evidence_file %}">{{andro_cfg.call_by}}</a>
</td>
{% endif%}
</tr>
{% endif %}
{% endfor %}
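Review bot: The new `<a ... target="_blank" ...>` in the table row opens the code view in a new tab without `rel="noopener noreferrer"`; add it so the opened page gets no handle on this window. `andro_cfg.evidence_file` and `andro_cfg.call_by` come from the Elasticsearch `andro_cfg` record rather than from the request, but `evidence_file` is placed into a URL that the `front:get_andgrocfg_code` view (not in this diff) will presumably use to locate a file, so that view should constrain the value to the expected directory before reading anything. The single `andro_cfg` context value is rendered in every row while `hash` differs per row, so if the struct belongs to one sample only (the view in this diff cannot tell), the link text and target are misleading for the other rows. For consistency with the rest of the template, `{% endif%}` should be `{% endif %}`.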