add: Parsing processes called by the file analyzed in the joe sandbox report

chrisr3d · chrisr3d · commit 29e681ef81ce · 2019-05-13T17:30:01.000+02:00
diff --git a/misp_modules/modules/import_mod/joe_import.py b/misp_modules/modules/import_mod/joe_import.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 from collections import defaultdict
+from datetime import datetime
 from pymisp import MISPEvent, MISPObject
 import json
 import base64
@@ -25,6 +26,9 @@
                      'LegalCopyright': 'legal-copyright', 'OriginalFilename': 'original-filename',
                      'ProductName': 'product-filename', 'ProductVersion': 'product-version',
                      'Translation': 'lang-id'}
+process_object_fields = {'cmdline': 'command-line', 'name': 'name',
+                         'parentpid': 'parent-pid', 'pid': 'pid',
+                         'path': 'current-directory'}
 section_object_mapping = {'characteristics': ('text', 'characteristic'),
                           'entropy': ('float', 'entropy'),
                           'name': ('text', 'name'), 'rawaddr': ('hex', 'offset'),
@@ -43,6 +47,7 @@ def __init__(self, data):
 
     def parse_joe(self):
         self.parse_fileinfo()
+        self.parse_behavior()
         if self.references:
             self.build_references()
         self.finalize_results()
@@ -54,6 +59,24 @@ def build_references(self):
                 for reference in self.references[object_uuid]:
                     misp_object.add_reference(reference['idref'], reference['relationship'])
 
+    def parse_behavior(self):
+        self.parse_behavior_system()
+        self.parse_behavior_network()
+
+    def parse_behavior_network(self):
+        network = self.data['behavior']['network']
+
+    def parse_behavior_system(self):
+        processes = self.data['behavior']['system']['processes']['process'][0]
+        general = processes['general']
+        process_object = MISPObject('process')
+        for feature, relation in process_object_fields.items():
+            process_object.add_attribute(relation, **{'type': 'text', 'value': general[feature]})
+        start_time = datetime.strptime('{} {}'.format(general['date'], general['time']), '%d/%m/%Y %H:%M:%S')
+        process_object.add_attribute('start-time', **{'type': 'datetime', 'value': start_time})
+        self.misp_event.add_object(**process_object)
+        self.references[self.fileinfo_uuid].append({'idref': process_object.uuid, 'relationship': 'calls'})
+
     def parse_fileinfo(self):
         fileinfo = self.data['fileinfo']
         file_object = MISPObject('file')
