diff --git a/bazaar/core/utils.py b/bazaar/core/utils.py index 4348a0b..0c1dbf0 100644 --- a/bazaar/core/utils.py +++ b/bazaar/core/utils.py @@ -22,7 +22,6 @@ from scipy.spatial.distance import pdist import pandas as pd - def get_sha256_of_file_path(file_path): sha256_hash = hashlib.sha256() with open(file_path, "rb") as f: @@ -240,7 +239,7 @@ def get_matching_items_by_ssdeep(ssdeep_value, threshold_grade, index, sha256): return sha256_list_to_return -def get_matching_items_by_ssdeep_func(ssdeep_value, threshold_grade, index, sha256): +def get_matching_items_by_ssdeep_func(ssdeep_value, threshold_grade, index): chunksize, chunk, double_chunk = ssdeep_value.split(':') chunksize = int(chunksize) es = Elasticsearch(settings.ELASTICSEARCH_HOSTS) diff --git a/bazaar/front/forms.py b/bazaar/front/forms.py index 60f8e6b..76cd29f 100644 --- a/bazaar/front/forms.py +++ b/bazaar/front/forms.py @@ -48,7 +48,7 @@ def do_search(self, sha=''): if algorithm == 'ssdeep': results = get_matching_items_by_ssdeep(hash, 25, settings.ELASTICSEARCH_SSDEEP_APK_INDEX, sha) if algorithm == 'func_hash': - results = get_matching_items_by_ssdeep_func(hash, 25, settings.ELASTICSEARCH_APK_INDEX, sha) + results = get_matching_items_by_ssdeep_func(hash, 25, settings.ELASTICSEARCH_APK_INDEX) except Exception as e: print(e) 
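Review bot: The new signature drops `sha256` while the neighbouring `get_matching_items_by_ssdeep` keeps it, and nothing records why the two variants differ; a docstring under the new `def` line, e.g. `"""Look up samples in ``index`` by function-hash ssdeep similarity to ``ssdeep_value`` (threshold ``threshold_grade``); unlike get_matching_items_by_ssdeep no caller hash is needed."""`, would make the intent visible. `ssdeep_value` is passed straight from the search form in forms.py, and `chunksize, chunk, double_chunk = ssdeep_value.split(':')` on the next line unpacks exactly three fields, so a value with any other number of colons raises an unhandled ValueError that only the caller's blanket `except Exception` stops; a guard such as `if ssdeep_value.count(':') != 2: return []` would fail cleanly. The function body continues outside the hunk.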
@@ -114,3 +114,85 @@ class YaraCreateForm(ModelForm): class Meta: model = Yara fields = ['title', 'content', 'is_private'] + + +class CompareSearchForm(forms.Form): + left_sha = forms.CharField() + right_sha = forms.CharField() + + def do_search(self): + shas = [] + shas.append(self['left_sha'].value()) + shas.append(self['right_sha'].value()) + + results = [] + for sha in shas: + query = { + "query": { + "query_string": { + "default_field": "sha256", + "query": sha, + } + }, + "highlight": { + "fields": { + "*": {"pre_tags": [""], "post_tags": [""]} + } + }, + "aggs": { + "permissions": { + "terms": {"field": "permissions.keyword"} + }, + "domains": { + "terms": {"field": "domains_analysis._name.keyword"} + }, + "android_features": { + "terms": {"field": "features.keyword"} + } + }, + "sort": {"analysis_date": "desc"}, + "_source": [ + "uaid", + "signatures", + "is_signed", + "is_signed_v1", + "is_signed_v2", + "is_signed_v3", + "certificates", + "dexofuzzy", + "apkid", + "manifest_analysis", + "browsable_activities", + "niap_analysis", + "code_analysis", + "detailed_permissions", + "trackers", + "quark.crimes", + "android_api_analysis", + "ssdeep", + "version_name", + "apk_hash", + "app_name", + "dexofuzzy.apk", + "features" + "frosting_data.is_frosted", + "handle", + "is_signed", + "md5", + "quark.threat_level", + "sha1", + "sha256", + "size", + "uploaded_at", + "version_code", + ], + "size": 1, + } + es = Elasticsearch(settings.ELASTICSEARCH_HOSTS) + try: + raw_results = es.search(index=settings.ELASTICSEARCH_APK_INDEX, body=query) + results.append(transform_hl_results(raw_results)) + except Exception as e: + return [] + + return results diff --git a/bazaar/front/urls.py b/bazaar/front/urls.py index 57a67ef..e772ce0 100644 --- a/bazaar/front/urls.py +++ b/bazaar/front/urls.py 
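Review bot: The `_source` list in `CompareSearchForm.do_search` is missing a comma after `"features"`, so Python concatenates it with the next literal into the single field name `"featuresfrosting_data.is_frosted"` and neither `features` nor `frosting_data.is_frosted` is actually requested; change the line to `"features",`. The two sha values are inserted unchanged into a `query_string` query, whose syntax (field prefixes, wildcards, boolean operators) Elasticsearch interprets, so a non-hash value can produce a query error or match on fields other than `sha256`; either validate both fields, e.g. `left_sha = forms.CharField(validators=[RegexValidator(r'^[0-9a-fA-F]{64}$')])`, or use an exact lookup such as `"query": {"term": {"sha256": sha}}` if `sha256` is mapped as a keyword. `except Exception as e: return []` discards the error (`e` is unused) together with any result already collected, so a failed second lookup looks identical to an unknown sha; log it (the file currently uses `print(e)` for the same situation in `do_search` above) before returning. `"is_signed"` appears twice in `_source`, and building `shas` with two `append` calls can be the literal `shas = [self['left_sha'].value(), self['right_sha'].value()]`.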
@@ -3,7 +3,7 @@ from bazaar.front.view import HomeView, ReportView, basic_upload_view, similarity_search_view, export_report_view, \ download_sample_view, my_rules_view, my_rule_edit_view, my_rule_create_view, my_rule_delete_view, og_card_view, \ - my_retrohunt_view, get_andgrocfg_code, get_genom, basic_url_download_view + my_retrohunt_view, get_andgrocfg_code, get_genom, basic_url_download_view, compare_analysis_view app_name = "front" urlpatterns = [ @@ -23,5 +23,6 @@ path("rules//delete", view=my_rule_delete_view, name="my_rule_delete"), path("rules//retro", view=my_retrohunt_view, name="my_rule_retro"), path("androcfg//", view=get_andgrocfg_code, name="get_andgrocfg_code"), - path("androcfg/all", view=get_genom, name="get_genom") + path("androcfg/all", view=get_genom, name="get_genom"), + path("compare/", view=compare_analysis_view, name="compare_analysis") ] diff --git a/bazaar/front/view.py b/bazaar/front/view.py index da619fe..61a3a14 100644 --- a/bazaar/front/view.py +++ b/bazaar/front/view.py @@ -30,7 +30,7 @@ from bazaar.core.models import Yara from bazaar.core.tasks import analyze, retrohunt from bazaar.core.utils import get_sha256_of_file, get_matching_items_by_dexofuzzy -from bazaar.front.forms import SearchForm, BasicUploadForm, SimilaritySearchForm, BasicUrlDownloadForm +from bazaar.front.forms import SearchForm, BasicUploadForm, SimilaritySearchForm, BasicUrlDownloadForm, CompareSearchForm from bazaar.front.og import generate_og_card from bazaar.front.utils import transform_results, get_similarity_matrix, compute_status, generate_world_map, \ transform_hl_results, get_sample_timeline, get_andro_cfg_storage_path 
@@ -511,3 +511,22 @@ def get_genom(request): response = HttpResponse('\n'.join(entire_genom), content_type='text/csv') response['Content-Disposition'] = f'inline; filename=pithus_genom.csv' return response + +def compare_analysis_view(request, *args, **kwargs): + if request.method == 'GET': + f = CompareSearchForm(request.GET) + + res = [] + left_res = None + right_res = None + if f.is_valid: + res = f.do_search() + if res: + left_res = res[0][0]['source'] + right_res = res[1][0]['source'] + else: + return render(request, 'front/compare_analysis.html') + + print(res) + return render(request, 'front/compare_analysis.html', context={'left_analysis': left_res, 'right_analysis': right_res}) + diff --git a/bazaar/templates/front/compare_analysis.html b/bazaar/templates/front/compare_analysis.html new file mode 100644 index 0000000..a042d17 --- /dev/null +++ b/bazaar/templates/front/compare_analysis.html @@ -0,0 +1,273 @@ +{% extends "base.html" %} +{% load static %} +{% load crispy_forms_tags %} +{% load get %} +{% load comma_to_br %} + +{% block whole_content %} +
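Review bot: `if f.is_valid:` in `compare_analysis_view` tests the bound method object, which is always truthy, so the form is never validated and the `else` branch that renders the empty page is unreachable; it should be `if f.is_valid():`. `print(res)` writes both full analysis documents to stdout on every request — drop it or route it through a module logger at debug level. `res[0][0]['source']` and `res[1][0]['source']` index the first hit of each search unconditionally; if `transform_hl_results` yields an empty list for a sha that is not in the index this raises IndexError, so the `if res:` guard presumably needs to check that both entries are non-empty. Indentation is not recoverable from the collapsed hunk, but if the `res`/`left_res`/`right_res` initialisations sit inside the `if request.method == 'GET'` block, a non-GET request reaches `print(res)` with those names unbound.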
+
+
+
+

Compare two analysis

+
+ +
+
+
+
+
+ +
+
+
+
+ +
+
+
+ +
+
+
+
+
+
+ + {% if left_analysis and right_analysis %} +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + {% if left_analysis.manifest_analysis or right_analysis.manifest_analysis %} + + + + + + {% endif %} + + {% if left_analysis.browsable_activities and right_analysis.browsable_activities %} + + + + + + {% endif %} + + + {% if left_analysis.niap_analysis and right_analysis.niap_analysis %} + + + + + + {% endif %} + + {% if left_analysis.code_analysis and right_analysis.code_analysis %} + + + + + + {% endif %} + + {% if left_analysis.detailed_permissions and right_analysis.detailed_permissions %} + + + + + + {% endif %} + + {% if left_analysis.trackers and right_analysis.trackers %} + + + + + + {% endif %} + + {% if left_analysis.quark.crimes and right_analysis.quark.crimes %} + + + + + + {% endif %} + + {% if left_analysis.android_api_analysis and right_analysis.android_api_analysis %} + + + + + + {% endif %} + + +
{{left_analysis.sha256}}{{right_analysis.sha256}} +
+

File sums

+
+ {% include "front/report/m_file.html" with d=left_analysis %} + + {% include "front/report/m_file.html" with d=right_analysis %} +
+

APKiD

+

Information computed with APKiD. +

+
+ {% include "front/report/m_apkid.html" with d=left_analysis %} + + {% include "front/report/m_apkid.html" with d=right_analysis %} +
+

SSdeep

+

Information computed with ssdeep. +

+
+ {% include "front/report/m_ssdeep.html" with d=left_analysis %} + + {% include "front/report/m_ssdeep.html" with d=right_analysis %} +
+

Dexofuzzy

+
+ {% include "front/report/m_dexofuzzy.html" with d=left_analysis %} + + {% include "front/report/m_dexofuzzy.html" with d=right_analysis %} +
+

APK details

+

Information computed with AndroGuard + and Pithus. +

+
+ {% include "front/report/m_apk.html" with d=left_analysis %} + + {% include "front/report/m_apk.html" with d=right_analysis %} +
+

Certificate

+

Information computed with AndroGuard. +

+
+ {% include "front/report/m_certificate.html" with d=left_analysis %} + + {% include "front/report/m_certificate.html" with d=left_analysis %} +
+

Manifest

+

Information computed with MobSF. +

+
+ {% include "front/report/m_manifest.html" with d=left_analysis %} + + {% include "front/report/m_manifest.html" with d=right_analysis %} +
+

Browsable activities

+

Information computed with MobSF. +

+
+ {% include "front/report/m_browsable_activities.html" with d=left_analysis %} + + {% include "front/report/m_browsable_activities.html" with d=right_analysis %} +
+

NIAP analysis

+

Information computed with MobSF. +

+
+ {% include "front/report/m_niap.html" with d=left_analysis %} + + {% include "front/report/m_niap.html" with d=right_analysis %} +
+

Code analysis

+

Information computed with MobSF. +

+
+ {% include "front/report/m_code.html" with d=left_analysis %} + + {% include "front/report/m_code.html" with d=right_analysis %} +
+

Permissions analysis

+

Information computed with MobSF. +

+
+ {% include "front/report/m_permissions.html" with d=left_analysis %} + + {% include "front/report/m_permissions.html" with d=right_analysis %} +
+

Tracking analysis

+

Information computed with Exodus-core. +

+
+ {% include "front/report/m_trackers.html" with d=left_analysis %} + + {% include "front/report/m_trackers.html" with d=right_analysis %} +
+

Threat analysis

+

Information computed with Quark-Engine. +

+
+ {% include "front/report/m_quark.html" with d=left_analysis %} + + {% include "front/report/m_quark.html" with d=right_analysis %} +
+

Behavior analysis

+

Information computed with MobSF. +

+
+ {% include "front/report/m_api.html" with d=left_analysis %} + + {% include "front/report/m_api.html" with d=right_analysis %} +
+ {% endif %} +
+
+{% endblock whole_content %} \ No newline at end of file diff --git a/bazaar/templates/front/m_similarities.html b/bazaar/templates/front/m_similarities.html index 25dc9c3..41aad5b 100644 --- a/bazaar/templates/front/m_similarities.html +++ b/bazaar/templates/front/m_similarities.html @@ -39,6 +39,11 @@ + +
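Review bot: The Certificate row of compare_analysis.html includes `front/report/m_certificate.html` with `d=left_analysis` for both columns, so the right-hand sample's certificate is never shown; the second include should read `{% include "front/report/m_certificate.html" with d=right_analysis %}`. The Manifest section is guarded with `left_analysis.manifest_analysis or right_analysis.manifest_analysis` while every other section uses `and`, so that one include can run for a side that lacks the key — presumably unintended. The heading `Compare two analysis` should read `Compare two analyses`, and the file ends without a trailing newline. The HTML tags are not visible in this view of the hunk, so the table structure itself was not checked.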
+ Compare +
+ {% endif %} {% endfor %} diff --git a/bazaar/templates/front/report/m_androcfg.html b/bazaar/templates/front/report/m_androcfg.html index b48c406..1248df3 100644 --- a/bazaar/templates/front/report/m_androcfg.html +++ b/bazaar/templates/front/report/m_androcfg.html @@ -14,9 +14,9 @@

{{ r.rule.title }}

{% for f in r.findings %}
  • {{f.call_by}} - - + href="{% url "front:get_andgrocfg_code" sha256 f.evidence_file %}">{{f.call_by}} + +
  • {% endfor %} diff --git a/bazaar/templates/front/report/m_file.html b/bazaar/templates/front/report/m_file.html index 25be16d..bc58e7d 100644 --- a/bazaar/templates/front/report/m_file.html +++ b/bazaar/templates/front/report/m_file.html @@ -32,4 +32,4 @@ {% endif %} - + \ No newline at end of file