First Commit

Signed-off-by: Pin <wf6DJd8a3xSSCZbn@protonmail.com>
2021-04-29 15:20:18 -04:00
commit 1d30645893
4 changed files with 433 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
 *.iso
 ansible.cfg
 .ansible.hosts.yml
--- a/analysis.sh
+++ b/analysis.sh
@@ -0,0 +1,238 @@
 #!/bin/bash
 function EchoStatus {
 printf "\033[33;5m$1\033[0m\n"
 }
 function EchoWarn {
 printf "\033[31;5m$1\033[0m\n"
 }
 if [[ "$EUID" -ne 0 ]]; then
  EchoWarn "Please run as root... exiting"
  exit 1
 fi
 if [[ ! $(pwd | grep -E ".cuckoo/storage/analyses/[0-9]{1,}") ]] && [[ -z "$SKIP_CHECKS" ]]; then
  echo "This script is intended to be called while you are in
 ~/.cuckoo/storage/analyses/{n}"
  exit 1
 fi
 if ! command -v docker >/dev/null; then
  EchoWarn "Please ensure Docker is installed"
 fi
 EchoStatus "Creating /opt/latex-gen"
 mkdir -p /opt/latex-gen
 EchoStatus "Generating Memory Profile"
 mem_profile=${mem_profile:-$(volatility -f $1 imageinfo 2>/dev/null | grep "Suggested Profile(s)" | tr -s " " | cut -d " " -f 5 | sed 's/,$//')}
 ## Psxview Section
 EchoStatus "Generating psxview report"
 psxview_report=$(volatility -f "$1" --profile="$mem_profile" psxview 2>/dev/null | tail -n +3 | tr -s " " | sed 's/ / \& /g;s/$/ \\\\/g')
 ## Svcscan Section
 EchoStatus "Generating svcscan report"
 svcscan_scan=$(volatility -f "$1" --profile="$mem_profile" svcscan 2>/dev/null)
 declare -a svcscan_array=()
 x=0
 while IFS= read -r line; do
 	if [[ -z $line ]]; then
 		x=$(( $x + 1 ))
 	else
 		svcscan_array[$x]="${svcscan_array[$x]}$line "
 	fi
 done <<< $svcscan_scan
 ## Dlllist Section
 EchoStatus "Generating dlllist report"
 dlllist_scan=$(volatility -f "$1" --profile="$mem_profile" dlllist 2>/dev/null)
 declare -a dlllist_array=()
 x=0
 while IFS= read -r line; do
 	if [[ $line == "************************************************************************" ]]; then
 		x=$(( $x + 1 ))
 	else
 		dlllist_array[$x]="${dlllist_array[$x]}$line|"
 	fi
 done <<< $dlllist_scan
 ## Hash Dump Section
 EchoStatus "Generating hashdump report"
 hashdump_scan=$(volatility -f "$1" --profile="$mem_profile" hashdump 2>/dev/null)
 ## Envars Section
 EchoStatus "Generating envars report"
 envars_scan=$(volatility -f "$1" --profile="$mem_profile" envars 2>/dev/null | tail -n +3 | sed -E 's|[ ]{2,}| \& |g;s|(.*)(0x[0-9a-fA-F]{1,})(.*)|\1\2 \&\3|;s|( \& [0-9]{1,})|\1 \&|;s|\\|\\textbackslash{}|g;s/^ \& //g;s/$/ \\\\/g;s|\$|\\\$|g;s|_|\\_|g')
 ## Json Report Data
 EchoStatus "Generating general run information"
 report_started=$(date -d@$(jq .info.started reports/report.json))
 run_options=$(jq .info.options reports/report.json)
 run_score=$(jq .info.score reports/report.json)
 run_log=$(jq -r .debug.log reports/report.json | tail -n +2 | head -n -1 | sed -E 's/[ ]{1,}"//g;s/\\n"[,]{0,1}$//g')
 # Set file var
 EchoStatus "Generating /opt/latex-gen/main.tex"
 tex_file="/opt/latex-gen/main.tex"
 EchoStatus "Generating LaTeX Doc"
 # Empty Temp File
 echo "" > $tex_file 
 # Generate file header
 echo "\documentclass[12pt]{article}
 \usepackage[margin=1in]{geometry} % Set margin to 1in
 \usepackage{tgtermes} % Times Font
 \usepackage{setspace} % Set spacing to 1.5
 \onehalfspacing
 \usepackage{graphicx} % Include Graphicx
 \graphicspath{{./images}}
 \usepackage{hyperref}
 \usepackage{float}
 \usepackage{listings}
 \usepackage{tabularx}
 \usepackage{ltablex}
 \usepackage{multicol}
 \newcolumntype{s}{>{\hsize=.45\hsize}X}
 \newcolumntype{m}{>{\hsize=.95\hsize}X}
 \newcolumntype{b}{>{\hsize=1.5\hsize}X}
 \lstset{
 basicstyle=\small\ttfamily,
 columns=flexible,
 breaklines=true
 }
 \title{Cuckoo Report for: $(basename $(jq -r .target task.json))}
 \author{Report generated with analysis.sh}
 \date{\today}
 \begin{document}
 \maketitle
 \newpage
 \tableofcontents
 \newpage
 " >> $tex_file 
 # Basic info section
 echo "\section{Basic Information}" >> $tex_file
 echo "\begin{lstlisting}[
    basicstyle=\small
 ]
 Run Started: $report_started
 Memory Profile Used: $mem_profile
 Run Options: $run_options
 Run Score: $run_score
 Executable Name: $(basename $(jq -r .target task.json))
 Cuckoo Run ID: $(jq -r .id task.json)
 \end{lstlisting}
 " >> $tex_file
 # Generate psxview section
 echo "
 \section{Psxview Log}
 \tiny
 \begin{tabularx}{\linewidth}{ |b|m|s|s|s|s|s|s|s|s|s|s|s| } 
 \hline
 Offset & Name & PID & pslist & psscan & thrdproc & pspcid & csrss & session & deskthrd & Exit Date & Exit Time & Exit Zone \\\\ 
 \hline" >> $tex_file
 echo "$psxview_report" >> $tex_file
 echo " \hline
 \end{tabularx}
 " >> $tex_file
 # Svcscan Section
 echo "\section{Svcscan Section}" >> $tex_file
 echo "\begin{multicols}{2}
 \begin{lstlisting}[
    basicstyle=\tiny
 ]
 " >> $tex_file
 echo "$svcscan_scan" >> $tex_file
 echo "\end{lstlisting}
 \end{multicols}" >> $tex_file
 # Generate run log section
 echo "\section{Run Log}
 " >> $tex_file
 echo "\begin{lstlisting}[
    basicstyle=\tiny
 ]
 " >> $tex_file
 echo "$run_log" >> $tex_file
 echo "\end{lstlisting}
 " >> $tex_file
 # User HashDump Section
 echo "\section{Hash Dump}
 \begin{lstlisting}[
    basicstyle=\small
 ]
 " >> $tex_file
 echo "$hashdump_scan" >> $tex_file
 echo "\end{lstlisting}
 " >> $tex_file
 # Envar Section
 echo "
 \section{Envars}
 \tiny
 \begin{tabularx}{\linewidth}{ |s|s|m|m|b| } 
 \hline
 Pid & Process Name & Offset & Var & Value \\\\ 
 \hline" >> $tex_file
 echo "$envars_scan" >> $tex_file
 echo " \hline
 \end{tabularx}
 " >> $tex_file
 # Dlllist Section
 echo "\section{Dlllist}
 \begin{lstlisting}[
    basicstyle=\tiny
 ]
 " >> $tex_file
 echo "$dlllist_scan" >> $tex_file
 echo "\end{lstlisting}
 " >> $tex_file
 # Generate file end
 echo "\end{document}
 " >> $tex_file
 ## Docker Setup
 EchoStatus "Ensureing docker image is present"
 docker pull blang/latex >/dev/null
 EchoStatus "Typesetting LaTeX Doc"
 docker run -it --rm -v /opt/latex-gen:/mnt blang/latex pdflatex -halt-on-error -output-directory=/mnt /mnt/main.tex >/dev/null && EchoStatus "/opt/latex-gen/main.pdf has been created" || EchoWarn "There was an issue generating main.pdf"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,185 @@
 ---
 - name:
  package:
    name: "{{ package_name }}"
    state: present
  loop:
    - python
    - python-pip
    - python-dev
    - libffi-dev
    - libssl-dev
    - python-virtualenv
    - python-setuptools
    - libjpeg-dev
    - zlib1g-dev
    - swig
    - postgresql
    - libpq-dev
    - qemu-kvm
    - libvirt-bin
    - bridge-utils
    - python-libvirt
    - ubuntu-vm-builder
    - tcpdump
    - apparmor-utils
    - volatility
    - mongodb
    - virt-manager
    - inetsim
    - curl
  loop_control:
    loop_var: package_name
 - name: Disable AppArmor for Tcpdump
  shell: aa-disable /usr/sbin/tcpdump || echo "Disabled"
 - name: Create groups
  group:
    name: "{{ group_name }}"
    state: present
  loop:
    - pcap
    - cuckoo
  loop_control:
    loop_var: group_name
 - name: Create the Cuckoo user
  user:
    name: cuckoo
    comment: "Cuckoo user"
    group: cuckoo
    shell: /bin/bash
 - name: Add groups to Cuckoo user
  user:
    name: cuckoo
    groups: pcap,libvirt,libvirt-qemu
    append: yes
 - name: Change tcpdump to pcap group
  file:
    path: /usr/sbin/tcpdump
    group: pcap
    mode: "2755"
 - name: Set cap for tcpdump binary
  community.general.capabilities:
    path: /usr/sbin/tcpdump
    capability: cap_net_admin,cap_net_raw+eip
    state: present
 - name: Create Cuckoo Python Virt Env
  file:
    path: /opt/cuckoo-env
    state: directory
    owner: root
    group: root
    mode: "0744"
 - name: Upgrade Pip
  pip:
    name:
      - pip
      - setuptools
    virtualenv: /opt/cuckoo-env
    virtualenv_python: python2
 - name: Install m2crypto & Cuckoo
  pip:
    name:
      - m2crypto
      - cuckoo
    virtualenv: /opt/cuckoo-env
    virtualenv_python: python2
 - name: Setting Activate Binary to executable
  file:
    path: /opt/cuckoo-env/bin/activate
    mode: u+x,g+x
 - name:
  shell: /opt/cuckoo-env/bin/activate && /opt/cuckoo-env/bin/cuckoo init || echo "Created"
 - name: Enabling MongoDB
  ini_file:
    path: /root/.cuckoo/conf/reporting.conf
    section: mongodb
    option: enabled
    value: 'yes'
 - name: Setting qemu as virtual machine provider
  lineinfile:
    path: /root/.cuckoo/conf/cuckoo.conf
    state: present
    regexp: '^machinery'
    line: machinery = qemu
 - name: Enabling memory dump
  lineinfile:
    path: /root/.cuckoo/conf/cuckoo.conf
    state: present
    regexp: '^memory_dump'
    line: memory_dump = yes
 - name: Configuring Cuckoo kvm
  ini_file:
    path: /root/.cuckoo/conf/qemu.conf
    section: "{{ kvm_conf.section }}"
    option: "{{ kvm_conf.option }}"
    value: "{{ kvm_conf.value }}"
  loop:
    - option: label
      value: win7
      section: win7
    - option: image
      value: /var/lib/libvirt/images/win7.qcow2
      section: win7
    - option: snapshot
      value: 1619566313
      section: win7
    - option: enable_kvm
      value: 'no'
      section: win7
    - option: platform
      value: linux
      section: win7
    - option: ip
      value: 192.168.24.200
      section: win7
    - option: machines
      value: win7
      section: qemu
    - option: interface
      value: virbr1
      section: qemu
  loop_control:
    loop_var: kvm_conf
  tags:
    - never
    - conf_kvm
 - name: Set correct listening IP address
  lineinfile:
    path: /root/.cuckoo/conf/cuckoo.conf
    state: present
    regexp: '^ip ='
    line: "ip = {{ ansible_default_ipv4.address }}"
 - name: Create ISO Folder
  file:
    path: /root/iso
    state: directory
    owner: root
    group: root
    mode: '0640'
 - name: Copy Win10 ISO to host
  copy:
    src: ./Win10_20H2_v2_English_x64.iso
    dest: /root/iso/Win10.iso
    owner: root
    group: root
    mode: '0640'
 ...
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -0,0 +1,7 @@
 ---
 - hosts: all
  become: true
  roles:
    - src
 ...