commit 1d30645893e42daf8e32d02ad3efc69426de2ff9 Author: Pin Date: Thu Apr 29 15:20:18 2021 -0400 First Commit Signed-off-by: Pin
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f04ee45
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*.iso
+ansible.cfg
+.ansible.hosts.yml
diff --git a/analysis.sh b/analysis.sh
new file mode 100644
index 0000000..b365685
--- /dev/null
+++ b/analysis.sh
@@ -0,0 +1,238 @@
+#!/bin/bash
+
+function EchoStatus {
+printf "\033[33;5m$1\033[0m\n"
+}
+
+function EchoWarn {
+printf "\033[31;5m$1\033[0m\n"
+}
+
+if [[ "$EUID" -ne 0 ]]; then
+ EchoWarn "Please run as root... exiting"
+ exit 1
+fi
+
+if [[ ! $(pwd | grep -E ".cuckoo/storage/analyses/[0-9]{1,}") ]] && [[ -z "$SKIP_CHECKS" ]]; then
+ echo "This script is intended to be called while you are in
+~/.cuckoo/storage/analyses/{n}"
+ exit 1
+fi
+
+if ! command -v docker >/dev/null; then
+ EchoWarn "Please ensure Docker is installed"
+fi
+
+EchoStatus "Creating /opt/latex-gen"
+mkdir -p /opt/latex-gen
+
+EchoStatus "Generating Memory Profile"
+mem_profile=${mem_profile:-$(volatility -f $1 imageinfo 2>/dev/null | grep "Suggested Profile(s)" | tr -s " " | cut -d " " -f 5 | sed 's/,$//')}
+
+## Psxview Section
+EchoStatus "Generating psxview report"
+psxview_report=$(volatility -f "$1" --profile="$mem_profile" psxview 2>/dev/null | tail -n +3 | tr -s " " | sed 's/ / \& /g;s/$/ \\\\/g')
+
+## Svcscan Section
+EchoStatus "Generating svcscan report"
+svcscan_scan=$(volatility -f "$1" --profile="$mem_profile" svcscan 2>/dev/null)
+declare -a svcscan_array=()
+
+x=0
+while IFS= read -r line; do
+ if [[ -z $line ]]; then
+ x=$(( $x + 1 ))
+ else
+ svcscan_array[$x]="${svcscan_array[$x]}$line "
+ fi
+done <<< $svcscan_scan
+
+## Dlllist Section
+EchoStatus "Generating dlllist report"
+dlllist_scan=$(volatility -f "$1" --profile="$mem_profile" dlllist 2>/dev/null)
+declare -a dlllist_array=()
+
+x=0
+while IFS= read -r line; do
+ if [[ $line == "************************************************************************" ]]; then
+ x=$(( $x + 1 ))
+ else
+ dlllist_array[$x]="${dlllist_array[$x]}$line|"
+ fi
+done <<< $dlllist_scan
+
+## Hash Dump Section
+EchoStatus "Generating hashdump report"
+hashdump_scan=$(volatility -f "$1" --profile="$mem_profile" hashdump 2>/dev/null)
+
+## Envars Section
+EchoStatus "Generating envars report"
+envars_scan=$(volatility -f "$1" --profile="$mem_profile" envars 2>/dev/null | tail -n +3 | sed -E 's|[ ]{2,}| \& |g;s|(.*)(0x[0-9a-fA-F]{1,})(.*)|\1\2 \&\3|;s|( \& [0-9]{1,})|\1 \&|;s|\\|\\textbackslash{}|g;s/^ \& //g;s/$/ \\\\/g;s|\$|\\\$|g;s|_|\\_|g')
+
+## Json Report Data
+EchoStatus "Generating general run information"
+report_started=$(date -d@$(jq .info.started reports/report.json))
+run_options=$(jq .info.options reports/report.json)
+run_score=$(jq .info.score reports/report.json)
+run_log=$(jq -r .debug.log reports/report.json | tail -n +2 | head -n -1 | sed -E 's/[ ]{1,}"//g;s/\\n"[,]{0,1}$//g')
+
+# Set file var
+EchoStatus "Generating /opt/latex-gen/main.tex"
+tex_file="/opt/latex-gen/main.tex"
+
+EchoStatus "Generating LaTeX Doc"
+# Empty Temp File
+echo "" > $tex_file
+
+# Generate file header
+echo "\documentclass[12pt]{article}
+\usepackage[margin=1in]{geometry} % Set margin to 1in
+\usepackage{tgtermes} % Times Font
+\usepackage{setspace} % Set spacing to 1.5
+\onehalfspacing
+\usepackage{graphicx} % Include Graphicx
+\graphicspath{{./images}}
+\usepackage{hyperref}
+\usepackage{float}
+\usepackage{listings}
+\usepackage{tabularx}
+\usepackage{ltablex}
+\usepackage{multicol}
+\newcolumntype{s}{>{\hsize=.45\hsize}X}
+\newcolumntype{m}{>{\hsize=.95\hsize}X}
+\newcolumntype{b}{>{\hsize=1.5\hsize}X}
+\lstset{
+basicstyle=\small\ttfamily,
+columns=flexible,
+breaklines=true
+}
+
+\title{Cuckoo Report for: $(basename $(jq -r .target task.json))}
+\author{Report generated with analysis.sh}
+
+
+\date{\today}
+
+\begin{document}
+
+\maketitle
+
+\newpage
+
+\tableofcontents
+
+\newpage
+" >> $tex_file
+
+# Basic info section
+
+echo "\section{Basic Information}" >> $tex_file
+
+echo "\begin{lstlisting}[
+ basicstyle=\small
+]
+Run Started: $report_started
+Memory Profile Used: $mem_profile
+Run Options: $run_options
+Run Score: $run_score
+Executable Name: $(basename $(jq -r .target task.json))
+Cuckoo Run ID: $(jq -r .id task.json)
+\end{lstlisting}
+" >> $tex_file
+
+# Generate psxview section
+echo "
+\section{Psxview Log}
+\tiny
+\begin{tabularx}{\linewidth}{ |b|m|s|s|s|s|s|s|s|s|s|s|s| }
+ \hline
+ Offset & Name & PID & pslist & psscan & thrdproc & pspcid & csrss & session & deskthrd & Exit Date & Exit Time & Exit Zone \\\\
+ \hline" >> $tex_file
+
+echo "$psxview_report" >> $tex_file
+
+echo " \hline
+\end{tabularx}
+" >> $tex_file
+
+# Svcscan Section
+
+echo "\section{Svcscan Section}" >> $tex_file
+
+echo "\begin{multicols}{2}
+\begin{lstlisting}[
+ basicstyle=\tiny
+]
+" >> $tex_file
+
+echo "$svcscan_scan" >> $tex_file
+
+echo "\end{lstlisting}
+\end{multicols}" >> $tex_file
+
+# Generate run log section
+echo "\section{Run Log}
+" >> $tex_file
+
+echo "\begin{lstlisting}[
+ basicstyle=\tiny
+]
+" >> $tex_file
+
+echo "$run_log" >> $tex_file
+
+echo "\end{lstlisting}
+" >> $tex_file
+
+# User HashDump Section
+
+echo "\section{Hash Dump}
+\begin{lstlisting}[
+ basicstyle=\small
+]
+" >> $tex_file
+
+echo "$hashdump_scan" >> $tex_file
+
+echo "\end{lstlisting}
+" >> $tex_file
+
+# Envar Section
+echo "
+\section{Envars}
+\tiny
+\begin{tabularx}{\linewidth}{ |s|s|m|m|b| }
+ \hline
+ Pid & Process Name & Offset & Var & Value \\\\
+ \hline" >> $tex_file
+
+echo "$envars_scan" >> $tex_file
+
+echo " \hline
+\end{tabularx}
+" >> $tex_file
+
+# Dlllist Section
+
+echo "\section{Dlllist}
+\begin{lstlisting}[
+ basicstyle=\tiny
+]
+" >> $tex_file
+
+echo "$dlllist_scan" >> $tex_file
+
+echo "\end{lstlisting}
+" >> $tex_file
+
+# Generate file end
+
+echo "\end{document}
+" >> $tex_file
+
+## Docker Setup
+
+EchoStatus "Ensureing docker image is present"
+docker pull blang/latex >/dev/null
+EchoStatus "Typesetting LaTeX Doc"
+docker run -it --rm -v /opt/latex-gen:/mnt blang/latex pdflatex -halt-on-error -output-directory=/mnt /mnt/main.tex >/dev/null && EchoStatus "/opt/latex-gen/main.pdf has been created" || EchoWarn "There was an issue generating main.pdf"
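Review bot: The hashdump section writes the sandbox VM's account password hashes into /opt/latex-gen/main.tex and main.pdf, but `mkdir -p /opt/latex-gen` creates that directory with whatever root's umask allows, so create it restricted from the start, `mkdir -p -m 0700 /opt/latex-gen`, and treat the report as sensitive. The typesetting step then bind-mounts that directory into a `blang/latex` image pulled from Docker Hub by floating tag at run time, with a failed `docker pull` ignored and a missing docker binary only warned about; pin the image by digest, `exit 1` when the pull or the `command -v docker` check fails, and drop `-it`, which makes `docker run` fail when the script has no terminal attached. Process names in the psxview table, and the svcscan, dlllist and run-log listings, are copied from a memory image of a machine that has just executed a sample without the escaping the envars pipeline applies, so a crafted process or service name containing `&`, `_`, `$` or `\` (or an `\end{lstlisting}` line) will at least break the table rows and could hand arbitrary macros to pdflatex inside the container — apply the same sed escaping to `psxview_report` and guard the listings. Finally, if `volatility imageinfo` suggests no profile, `mem_profile` is empty and every later run fails silently behind `2>/dev/null`, yielding a report of empty sections; add `[[ -n "$mem_profile" ]] || { EchoWarn "Could not determine a memory profile for $1"; exit 1; }` after it is computed, and quote `$1` there as it is everywhere else.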
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..e026780
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,185 @@
+---
+- name:
+ package:
+ name: "{{ package_name }}"
+ state: present
+ loop:
+ - python
+ - python-pip
+ - python-dev
+ - libffi-dev
+ - libssl-dev
+ - python-virtualenv
+ - python-setuptools
+ - libjpeg-dev
+ - zlib1g-dev
+ - swig
+ - postgresql
+ - libpq-dev
+ - qemu-kvm
+ - libvirt-bin
+ - bridge-utils
+ - python-libvirt
+ - ubuntu-vm-builder
+ - tcpdump
+ - apparmor-utils
+ - volatility
+ - mongodb
+ - virt-manager
+ - inetsim
+ - curl
+ loop_control:
+ loop_var: package_name
+
+- name: Disable AppArmor for Tcpdump
+ shell: aa-disable /usr/sbin/tcpdump || echo "Disabled"
+
+- name: Create groups
+ group:
+ name: "{{ group_name }}"
+ state: present
+ loop:
+ - pcap
+ - cuckoo
+ loop_control:
+ loop_var: group_name
+
+- name: Create the Cuckoo user
+ user:
+ name: cuckoo
+ comment: "Cuckoo user"
+ group: cuckoo
+ shell: /bin/bash
+
+- name: Add groups to Cuckoo user
+ user:
+ name: cuckoo
+ groups: pcap,libvirt,libvirt-qemu
+ append: yes
+
+- name: Change tcpdump to pcap group
+ file:
+ path: /usr/sbin/tcpdump
+ group: pcap
+ mode: "2755"
+
+- name: Set cap for tcpdump binary
+ community.general.capabilities:
+ path: /usr/sbin/tcpdump
+ capability: cap_net_admin,cap_net_raw+eip
+ state: present
+
+- name: Create Cuckoo Python Virt Env
+ file:
+ path: /opt/cuckoo-env
+ state: directory
+ owner: root
+ group: root
+ mode: "0744"
+
+- name: Upgrade Pip
+ pip:
+ name:
+ - pip
+ - setuptools
+ virtualenv: /opt/cuckoo-env
+ virtualenv_python: python2
+
+- name: Install m2crypto & Cuckoo
+ pip:
+ name:
+ - m2crypto
+ - cuckoo
+ virtualenv: /opt/cuckoo-env
+ virtualenv_python: python2
+
+- name: Setting Activate Binary to executable
+ file:
+ path: /opt/cuckoo-env/bin/activate
+ mode: u+x,g+x
+
+- name:
+ shell: /opt/cuckoo-env/bin/activate && /opt/cuckoo-env/bin/cuckoo init || echo "Created"
+
+- name: Enabling MongoDB
+ ini_file:
+ path: /root/.cuckoo/conf/reporting.conf
+ section: mongodb
+ option: enabled
+ value: 'yes'
+
+- name: Setting qemu as virtual machine provider
+ lineinfile:
+ path: /root/.cuckoo/conf/cuckoo.conf
+ state: present
+ regexp: '^machinery'
+ line: machinery = qemu
+
+- name: Enabling memory dump
+ lineinfile:
+ path: /root/.cuckoo/conf/cuckoo.conf
+ state: present
+ regexp: '^memory_dump'
+ line: memory_dump = yes
+
+- name: Configuring Cuckoo kvm
+ ini_file:
+ path: /root/.cuckoo/conf/qemu.conf
+ section: "{{ kvm_conf.section }}"
+ option: "{{ kvm_conf.option }}"
+ value: "{{ kvm_conf.value }}"
+ loop:
+ - option: label
+ value: win7
+ section: win7
+ - option: image
+ value: /var/lib/libvirt/images/win7.qcow2
+ section: win7
+ - option: snapshot
+ value: 1619566313
+ section: win7
+ - option: enable_kvm
+ value: 'no'
+ section: win7
+ - option: platform
+ value: linux
+ section: win7
+ - option: ip
+ value: 192.168.24.200
+ section: win7
+ - option: machines
+ value: win7
+ section: qemu
+ - option: interface
+ value: virbr1
+ section: qemu
+ loop_control:
+ loop_var: kvm_conf
+ tags:
+ - never
+ - conf_kvm
+
+- name: Set correct listening IP address
+ lineinfile:
+ path: /root/.cuckoo/conf/cuckoo.conf
+ state: present
+ regexp: '^ip ='
+ line: "ip = {{ ansible_default_ipv4.address }}"
+
+- name: Create ISO Folder
+ file:
+ path: /root/iso
+ state: directory
+ owner: root
+ group: root
+ mode: '0640'
+
+- name: Copy Win10 ISO to host
+ copy:
+ src: ./Win10_20H2_v2_English_x64.iso
+ dest: /root/iso/Win10.iso
+ owner: root
+ group: root
+ mode: '0640'
+
+...
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..ea03e97
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,7 @@
+---
+- hosts: all
+ become: true
+ roles:
+ - src
+...
+
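Review bot: The tcpdump task sets `mode: "2755"` and the next task attaches `cap_net_admin,cap_net_raw+eip`, which leaves a capability-bearing tcpdump executable by every local account, so any user on the sandbox host can sniff every interface; the `pcap` group only restricts anything if others lose execute, i.e. `mode: "0750"` with `group: pcap`. The `cuckoo` user and its `pcap,libvirt,libvirt-qemu` membership are created but never used: `cuckoo init` runs as root and every config path is `/root/.cuckoo/...`, so the process that handles the samples will run as root unless a later play switches user — either run the init and conf tasks with `become_user: cuckoo` or state the root-only design in a comment. Running `/opt/cuckoo-env/bin/activate && ... || echo "Created"` does not activate anything (activate is meant to be sourced, so marking it executable is also pointless) and the `|| echo` masks a failed init, as `|| echo "Disabled"` does on the `aa-disable` task; prefer `command: /opt/cuckoo-env/bin/cuckoo init` with `args: { creates: /root/.cuckoo/conf/cuckoo.conf }` and let real failures fail. The win7 machine entry sets `platform: linux` and the role copies a Windows 10 ISO for what looks like a Windows 7 image, which reads as inconsistent — confirm which guest is intended.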