#!/bin/bash
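#######################################
# Print a status line in blinking yellow.
# Arguments: $1 - message text; passed as a printf argument, never as the
#                 format string, so "%" or "\" in the text is printed literally
# Outputs:   the coloured message followed by a newline on stdout
#######################################
EchoStatus() {
  printf '\033[33;5m%s\033[0m\n' "$1"
}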
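#######################################
# Print a warning line in blinking red.
# Arguments: $1 - message text; passed as a printf argument, never as the
#                 format string, so "%" or "\" in the text is printed literally
# Outputs:   the coloured message followed by a newline on stderr (diagnostics
#            are kept off stdout so they do not mix with report data)
#######################################
EchoWarn() {
  printf '\033[31;5m%s\033[0m\n' "$1" >&2
}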
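# --- Preflight checks -------------------------------------------------------
# The script needs root (volatility/docker), is meant to run from inside a
# Cuckoo analysis directory (task.json and reports/report.json are read
# relative to $PWD), and takes the memory image path as $1.
if [[ "$EUID" -ne 0 ]]; then
  EchoWarn "Please run as root... exiting"
  exit 1
fi
# Regex kept in a variable so [[ =~ ]] needs no subshell; the dot in ".cuckoo"
# is escaped (the original `pwd | grep -E ".cuckoo..."` matched any character).
analyses_dir_re='\.cuckoo/storage/analyses/[0-9]+'
if [[ ! "$PWD" =~ $analyses_dir_re ]] && [[ -z "${SKIP_CHECKS:-}" ]]; then
  printf '%s\n' "This script is intended to be called while you are in" \
    "~/.cuckoo/storage/analyses/{n}"
  exit 1
fi
# Every volatility call below uses "$1" as the image; fail early instead of
# producing an empty report when it is missing or unreadable.
if [[ $# -lt 1 || ! -r "$1" ]]; then
  EchoWarn "Usage: ${0##*/} <memory image>  (the image must exist and be readable)"
  exit 1
fi
# Docker is a hard requirement (typesetting runs in a container); warning and
# continuing only postpones the failure to the `docker pull` at the end.
if ! command -v docker >/dev/null; then
  EchoWarn "Please ensure Docker is installed... exiting"
  exit 1
fi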
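## Output directory and memory profile
EchoStatus "Creating /opt/latex-gen"
# NOTE(review): this directory ends up holding the hashdump output (account
# password hashes from the image) and the rendered PDF. Its permissions are
# left untouched here because the user the typesetting container runs as is
# not known from this script — confirm and tighten (e.g. mode 700) if it is root.
mkdir -p /opt/latex-gen || { EchoWarn "Could not create /opt/latex-gen... exiting"; exit 1; }
EchoStatus "Generating Memory Profile"
# Honour a caller-supplied $mem_profile; otherwise take the first entry of
# volatility's "Suggested Profile(s)" line (field 5, trailing comma stripped).
if [[ -z "${mem_profile:-}" ]]; then
  mem_profile=$(volatility -f "$1" imageinfo 2>/dev/null \
    | grep -F "Suggested Profile(s)" | tr -s " " | cut -d " " -f 5 | sed 's/,$//')
fi
# Without a profile every plugin below would silently produce nothing.
if [[ -z "$mem_profile" ]]; then
  EchoWarn "Could not determine a memory profile for $1 (set mem_profile=<profile> to override)"
  exit 1
fi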
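## Psxview Section
EchoStatus "Generating psxview report"
# Drop the two header lines, collapse runs of spaces, then turn each line into
# a tabularx row: underscores escaped (as the envars section already does, so a
# process name such as foo_bar.exe cannot abort pdflatex), columns joined with
# " & " and the row terminated by "\\".
psxview_report=$(volatility -f "$1" --profile="$mem_profile" psxview 2>/dev/null \
  | tail -n +3 | tr -s " " | sed 's/_/\\_/g;s/ / \& /g;s/$/ \\\\/g')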
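## Svcscan Section
EchoStatus "Generating svcscan report"
svcscan_scan=$(volatility -f "$1" --profile="$mem_profile" svcscan 2>/dev/null)
# svcscan prints blank-line separated records; fold each record into one
# space-joined element of svcscan_array. Only $svcscan_scan is written into the
# report in this file; the array is not consumed here but is left in place.
declare -a svcscan_array=()
x=0
while IFS= read -r line; do
  if [[ -z "$line" ]]; then
    x=$((x + 1))
  else
    svcscan_array[x]+="$line "
  fi
done <<< "$svcscan_scan"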
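## Dlllist Section
EchoStatus "Generating dlllist report"
dlllist_scan=$(volatility -f "$1" --profile="$mem_profile" dlllist 2>/dev/null)
# volatility separates processes with a line of asterisks; collect each
# process's lines into one "|"-joined element of dlllist_array. Only
# $dlllist_scan is written into the report in this file; the array is not
# consumed here but is left in place.
dlllist_separator="************************************************************************"
declare -a dlllist_array=()
x=0
while IFS= read -r line; do
  if [[ "$line" == "$dlllist_separator" ]]; then
    x=$((x + 1))
  else
    dlllist_array[x]+="$line|"
  fi
done <<< "$dlllist_scan"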
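## Hash Dump Section
EchoStatus "Generating hashdump report"
# This output holds account password hashes recovered from the image and is
# rendered verbatim into the PDF — treat the report directory as sensitive.
hashdump_scan=$(volatility -f "$1" --profile="$mem_profile" hashdump 2>/dev/null)
## Envars Section
EchoStatus "Generating envars report"
# Turn envars output into tabularx rows (header lines dropped). The sed steps:
# runs of 2+ spaces become " & "; a separator is inserted after the (last)
# 0x... offset and after a " & <digits>" run; backslashes become
# \textbackslash{}; a leading " & " is dropped; rows end in "\\"; "$" and "_"
# are escaped so variable values cannot break the table.
envars_scan=$(volatility -f "$1" --profile="$mem_profile" envars 2>/dev/null \
  | tail -n +3 \
  | sed -E 's|[ ]{2,}| \& |g;s|(.*)(0x[0-9a-fA-F]{1,})(.*)|\1\2 \&\3|;s|( \& [0-9]{1,})|\1 \&|;s|\\|\\textbackslash{}|g;s/^ \& //g;s/$/ \\\\/g;s|\$|\\\$|g;s|_|\\_|g')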
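## Json Report Data
EchoStatus "Generating general run information"
report_json="reports/report.json"
# Missing report only degrades the "Basic Information" section; say so instead
# of letting jq/date errors scroll past.
if [[ ! -r "$report_json" ]]; then
  EchoWarn "Cannot read $report_json in $PWD; run information will be incomplete"
fi
# .info.started is an epoch timestamp; `date -d@...` is GNU date syntax.
report_started=$(date -d "@$(jq .info.started "$report_json")")
run_options=$(jq .info.options "$report_json")
run_score=$(jq .info.score "$report_json")
# .debug.log is printed by jq as a JSON array, one string per line: drop the
# bracket lines (first/last; `head -n -1` is GNU-only), then strip the leading
# indent+quote and the trailing \n" (with optional comma) from each entry.
run_log=$(jq -r .debug.log "$report_json" | tail -n +2 | head -n -1 \
  | sed -E 's/[ ]{1,}"//g;s/\\n"[,]{0,1}$//g')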
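# Set file var
EchoStatus "Generating /opt/latex-gen/main.tex"
tex_file="/opt/latex-gen/main.tex"
EchoStatus "Generating LaTeX Doc"
# The sample name goes into \title{}, which is not a verbatim context: escape
# the LaTeX specials that would otherwise abort pdflatex (a "_" as in
# sample_x.exe is enough). Backslashes are not handled here.
sample_name=$(basename "$(jq -r .target task.json)")
sample_title=$(printf '%s' "$sample_name" | sed 's/[&%$#_{}]/\\&/g')
# Empty Temp File
printf '\n' > "$tex_file"
# Generate file header. Unquoted heredoc: $(...) and $vars expand, backslashes
# are kept as written — the same treatment the original double-quoted echo gave
# this text.
cat >> "$tex_file" <<EOF
\documentclass[12pt]{article}
\usepackage[margin=1in]{geometry} % Set margin to 1in
\usepackage{tgtermes} % Times Font
\usepackage{setspace} % Set spacing to 1.5
\onehalfspacing
\usepackage{graphicx} % Include Graphicx
\graphicspath{{./images}}
\usepackage{hyperref}
\usepackage{float}
\usepackage{listings}
\usepackage{tabularx}
\usepackage{ltablex}
\usepackage{multicol}
\newcolumntype{s}{>{\hsize=.45\hsize}X}
\newcolumntype{m}{>{\hsize=.95\hsize}X}
\newcolumntype{b}{>{\hsize=1.5\hsize}X}
\lstset{
basicstyle=\small\ttfamily,
columns=flexible,
breaklines=true
}
\title{Cuckoo Report for: $sample_title}
\author{Report generated with analysis.sh}
\date{\today}
\begin{document}
\maketitle
\newpage
\tableofcontents
\newpage

EOF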
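# --- Report body ------------------------------------------------------------
# Plugin output is written into lstlisting environments, which are verbatim,
# so LaTeX specials in the data are harmless there; only a data line that is
# exactly "\end{lstlisting}" would end a listing early. The psxview and envars
# tables are not verbatim and rely on the escaping done when those variables
# were built. Data is written with printf '%s' so a value beginning with "-"
# or containing backslashes is never reinterpreted by echo.
# Basic info section
cat >> "$tex_file" <<EOF
\section{Basic Information}
\begin{lstlisting}[
basicstyle=\small
]
Run Started: $report_started
Memory Profile Used: $mem_profile
Run Options: $run_options
Run Score: $run_score
Executable Name: $(basename "$(jq -r .target task.json)")
Cuckoo Run ID: $(jq -r .id task.json)
\end{lstlisting}

EOF
# Generate psxview section
cat >> "$tex_file" <<EOF

\section{Psxview Log}
\tiny
\begin{tabularx}{\linewidth}{ |b|m|s|s|s|s|s|s|s|s|s|s|s| }
\hline
Offset & Name & PID & pslist & psscan & thrdproc & pspcid & csrss & session & deskthrd & Exit Date & Exit Time & Exit Zone \\\\
\hline
EOF
printf '%s\n' "$psxview_report" >> "$tex_file"
cat >> "$tex_file" <<EOF
 \hline
\end{tabularx}

EOF
# Svcscan Section
cat >> "$tex_file" <<EOF
\section{Svcscan Section}
\begin{multicols}{2}
\begin{lstlisting}[
basicstyle=\tiny
]

EOF
printf '%s\n' "$svcscan_scan" >> "$tex_file"
cat >> "$tex_file" <<EOF
\end{lstlisting}
\end{multicols}
EOF
# Generate run log section
cat >> "$tex_file" <<EOF
\section{Run Log}

\begin{lstlisting}[
basicstyle=\tiny
]

EOF
printf '%s\n' "$run_log" >> "$tex_file"
cat >> "$tex_file" <<EOF
\end{lstlisting}

EOF
# User HashDump Section (credential hashes — see note where hashdump_scan is built)
cat >> "$tex_file" <<EOF
\section{Hash Dump}
\begin{lstlisting}[
basicstyle=\small
]

EOF
printf '%s\n' "$hashdump_scan" >> "$tex_file"
cat >> "$tex_file" <<EOF
\end{lstlisting}

EOF
# Envar Section
cat >> "$tex_file" <<EOF

\section{Envars}
\tiny
\begin{tabularx}{\linewidth}{ |s|s|m|m|b| }
\hline
Pid & Process Name & Offset & Var & Value \\\\
\hline
EOF
printf '%s\n' "$envars_scan" >> "$tex_file"
cat >> "$tex_file" <<EOF
 \hline
\end{tabularx}

EOF
# Dlllist Section
cat >> "$tex_file" <<EOF
\section{Dlllist}
\begin{lstlisting}[
basicstyle=\tiny
]

EOF
printf '%s\n' "$dlllist_scan" >> "$tex_file"
cat >> "$tex_file" <<EOF
\end{lstlisting}

EOF
# Generate file end
cat >> "$tex_file" <<EOF
\end{document}

EOF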
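## Docker Setup
EchoStatus "Ensureing docker image is present"
# NOTE(review): the image is pulled by floating tag, so the typesetting
# toolchain can change underneath this script; pin it by digest
# (blang/latex@sha256:<digest-placeholder>) once a known-good one is chosen.
latex_image="blang/latex"
# A failed pull is not fatal: a previously pulled copy may still be present.
if ! docker pull "$latex_image" >/dev/null; then
  EchoWarn "Could not pull $latex_image; trying a locally cached image"
fi
EchoStatus "Typesetting LaTeX Doc"
# No -it: a TTY is not needed with -halt-on-error, and the original `-it`
# makes docker refuse to start when there is no terminal (cron, CI).
# -no-shell-escape: the document embeds data taken from the memory image, so
# \write18 stays disabled regardless of the image's TeX defaults.
if docker run --rm -v /opt/latex-gen:/mnt "$latex_image" \
    pdflatex -no-shell-escape -halt-on-error -output-directory=/mnt /mnt/main.tex >/dev/null; then
  EchoStatus "/opt/latex-gen/main.pdf has been created"
else
  EchoWarn "There was an issue generating main.pdf (see /opt/latex-gen/main.log)"
  exit 1
fi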