From 62c8992497b37ef424ee8ffc6cf08b785ecc21df Mon Sep 17 00:00:00 2001 From: digital4rensics Date: Thu, 29 Nov 2012 15:55:40 -0500 Subject: [PATCH 1/2] Added Malwr.com Check --- FileLookup.py | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/FileLookup.py b/FileLookup.py index b01acdd..fb24517 100644 --- a/FileLookup.py +++ b/FileLookup.py @@ -49,12 +49,7 @@ def main(): # Verify supplied path exists or die if not os.path.exists(args['Path']): print "[!] The supplied path does not exist" - sys.exit() - - # Verify supplied path exists or die - if not os.path.exists(args['Path']): - print "[!] The supplied path does not exist" - sys.exit() + sys.exit() def doWork(file): results = [] @@ -64,7 +59,8 @@ def doWork(file): results.append("VirusTotal:\t\t%s" % virustotal(file)) results.append("Cymru:\t\t\t%s" % cymru(file)) results.append("ShadowServer A/V:\t%s" % ss_av(file)) - results.append("ShadowServer Known:\t%s" % ss_known(file)) + results.append("ShadowServer Known:\t%s" % ss_known(file)) + results.append("Malwr Known:\t\t%s" % malwr(file)) results.append("") print '\n'.join(results) @@ -246,7 +242,25 @@ def cymru(file): except socket.error: result = "Error" - return result + return result + +# Added 11/29/2012 by Keith Gilbert - @digital4rensics +def malwr(file): + """ + Return existence of file in Malwr database. + site : http://www.malwr.com + """ + hash = md5(file) + url = 'http://malwr.com/analysis/' + hash + '/' + try: + present = urllib2.urlopen(url).read() + for line in present.split('\n'): + if line.find("Malwr - Analysis") == 1: + return "Matching Report" + else: + return "No Match" + except: + return "Error" if __name__ == "__main__": main() From 997f885c2d113785dc22cc01200d46f7a3239533 Mon Sep 17 00:00:00 2001 
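Review bot: The match test `if line.find("Malwr - Analysis") == 1:` in the new malwr() can only succeed when the marker starts at column 1 of a line, because str.find returns the match index or -1; `if "Malwr - Analysis" in line:` is what was meant. The `else: return "No Match"` is paired with that `if`, not with the `for`, so the function returns after inspecting only the first line of the response, and the bare `except:` also swallows SystemExit and KeyboardInterrupt. The same three problems are repeated in threatexpert() in the second patch of this series. A rewrite of the lookup body follows; urllib2.URLError and socket.error are the failures the fetch is expected to raise here, and socket is already in scope since cymru() catches socket.error.
```python
def malwr(file):
    # … unchanged: docstring, hash and url construction …
    try:
        page = urllib2.urlopen(url).read()
    except (urllib2.URLError, socket.error):
        return "Error"
    if "Malwr - Analysis" in page:
        return "Matching Report"
    return "No Match"
```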
From: digital4rensics Date: Thu, 29 Nov 2012 21:35:44 -0500 Subject: [PATCH 2/2] Added ThreatExpert Detection --- FileLookup.py | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/FileLookup.py b/FileLookup.py index fb24517..1b254c1 100644 --- a/FileLookup.py +++ b/FileLookup.py @@ -60,7 +60,8 @@ def doWork(file): results.append("Cymru:\t\t\t%s" % cymru(file)) results.append("ShadowServer A/V:\t%s" % ss_av(file)) results.append("ShadowServer Known:\t%s" % ss_known(file)) - results.append("Malwr Known:\t\t%s" % malwr(file)) + results.append("Malwr Known:\t\t%s" % malwr(file)) + results.append("ThreatExpert Known:\t%s" % threatexpert(file)) results.append("") print '\n'.join(results) @@ -247,7 +248,7 @@ def cymru(file): # Added 11/29/2012 by Keith Gilbert - @digital4rensics def malwr(file): """ - Return existence of file in Malwr database. + Return existence of Report in Malwr database. site : http://www.malwr.com """ hash = md5(file) @@ -260,7 +261,25 @@ def malwr(file): else: return "No Match" except: - return "Error" + return "Error" + +# Added 11/29/2012 by Keith Gilbert - @digital4rensics Note: Greatly increases time required +def threatexpert(file): + """ + Return existence of report in ThreatExpert database. + site : http://www.threatexpert.com + """ + hash = md5(file) + url = 'http://threatexpert.com/report.aspx?md5=' + hash + try: + page = urllib2.urlopen(url).read() + for line in page.split('\n'): + if line.find("Submission Summary:") == 1: + return "Matching Report" + else: + return "No Match" + except: + return "Error" if __name__ == "__main__": main()
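Review bot: The `# Added ... Note: Greatly increases time required` comment above threatexpert() warns about latency, yet the `urllib2.urlopen(url)` call in it has no timeout, so a stalled connection blocks the whole doWork() run indefinitely; `page = urllib2.urlopen(url, timeout=30).read()` bounds it (30 s is an example value, pick one that suits the deployment), and the same applies to the malwr() fetch. That latency remark belongs in the function's docstring rather than in a comment above it, e.g. `Note: this lookup is slow and noticeably lengthens a doWork() run.`, so callers see it in help(). The hunk's leading context lines (`else:` through `return "Error"`) belong to malwr(), whose start is outside this hunk.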