# import orjson
# import time
import json
import os
from pathlib import Path

import pandas as pd
dlls_list_top_100 = []
domains_list_top_100 = []
dlls_list_top_100_with_freq = [('kernel32.dll', 7335), ('advapi32.dll', 6780), ('oleaut32.dll', 5161), ('shell32.dll', 4893), ('comctl32.dll', 4791), ('dwmapi.dll', 4698), ('ole32.dll', 4122), ('user32.dll', 3643), ('rpcrt4.dll', 3476), ('c:\\windows\\system32\\ole32.dll', 3375), ('uxtheme.dll', 3239), ('kernel32', 3007), ('ws2_32.dll', 2570), ('wininet.dll', 2340), ('gdi32.dll', 2277), ('api-ms-win-security-sddl-l1-1-0.dll', 2256), ('shlwapi.dll', 2102), ('setupapi.dll', 2088), ('ntmarta.dll', 2032), ('imm32.dll', 2024), ('apphelp.dll', 2022), ('cryptsp.dll', 1941), ('c:\\windows\\system32\\uxtheme.dll', 1909), ('profapi.dll', 1874), ('dnsapi.dll', 1704), ('advapi32', 1550), ('iphlpapi.dll', 1492), ('api-ms-win-service-management-l1-1-0.dll', 1488), ('api-ms-win-core-localregistry-l1-1-0.dll', 1427), ('c:\\windows\\system32\\imm32.dll', 1427), ('api-ms-win-service-winsvc-l1-1-0.dll', 1406), ('comctl32', 1401), ('user32', 1340), ('sxs.dll', 1273), ('shell32', 1212), ('propsys.dll', 1207), ('psapi', 1109), ('version.dll', 1099), ('wintrust.dll', 964), ('msvbvm60.dll', 947), ('ntdll.dll', 940), ('c:\\windows\\system32\\kernel32.dll', 929), ('c:\\windows\\system32\\vb6chs.dll', 924), ('shfolder', 923), ('msvcrt.dll', 878), ('c:\\windows\\system32\\mswsock.dll', 834), ('psapi.dll', 834), ('windowscodecs.dll', 823), ('mpr.dll', 776), ('dhcpcsvc.dll', 738), ('rtutils.dll', 702), ('msvcp60.dll', 686), ('rasman.dll', 683), ('c:\\windows\\system32\\napinsp.dll', 674), ('c:\\windows\\system32\\pnrpnsp.dll', 673), ('c:\\windows\\system32\\winrnr.dll', 673), ('netapi32.dll', 630), ('c:\\windows\\system32\\oleaut32.dll', 614), ('urlmon.dll', 570), ('c:\\windows\\system32\\ntshrui.dll', 519), ('c:\\windows\\system32\\ehstorshell.dll', 515), ('rasapi32.dll', 513), ('c:\\windows\\system32\\cscui.dll', 512), ('c:\\windows\\system32\\shell32.dll', 500), ('c:\\windows\\system32\\nlaapi.dll', 498), ('c:\\windows\\system32\\odbcint.dll', 494), ('snmpapi.dll', 484), 
('c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll', 474), ('odbc32.dll', 469), ('netmsg', 468), ('api-ms-win-core-synch-l1-2-0', 445), ('api-ms-win-core-fibers-l1-1-1', 445), ('netutils.dll', 443), ('winhttp.dll', 438), ('sensapi.dll', 435), ('crypt32.dll', 434), ('comdlg32.dll', 422), ('api-ms-win-core-localization-l1-2-1', 405), ('c:\\windows\\system32\\version.dll', 405), ('wsock32.dll', 381), ('msimg32.dll', 375), ('winmm.dll', 374), ('c:\\windows\\system32\\bcryptprimitives.dll', 366), ('icmp.dll', 366), ('secur32.dll', 352), ('riched20.dll', 347), ('gdiplus.dll', 345), ('credssp.dll', 326), ('rasadhlp.dll', 320), ('msftedit.dll', 316), ('avicap32.dll', 313), ('c:\\windows\\system32\\dwmapi.dll', 306), ('api-ms-win-security-lsalookup-l1-1-0.dll', 298), ('c:\\windows\\system32\\userenv.dll', 295), ('c:\\windows\\system32\\setupapi.dll', 294), ('c:\\windows\\system32\\shlwapi.dll', 290), ('c:\\windows\\system32\\apphelp.dll', 290), ('shfolder.dll', 285), ('clbcatq.dll', 284), ('c:\\windows\\system32\\advapi32.dll', 284)]
domains_list_top_100_with_freq = [('cc.iitk.ac.in', 13098), ('iitk.ac.in', 13098), ('junta.iitk.ac.in', 13098), ('mirror5.internetdownloadmanager.com', 4961), ('secure.internetdownloadmanager.com', 4961), ('registeridm.com', 4961), ('mirror3.internetdownloadmanager.com', 4961), ('www.internetdownloadmanager.com', 4961), ('test.internetdownloadmanager.com', 4961), ('teredo.ipv6.microsoft.com', 4961), ('dns.msftncsi.com', 4956), ('_googlecast._tcp.local', 4948), ('clientservices.googleapis.com', 4713), ('www.google.com', 4691), ('www.google.co.in', 4505), ('wpad.cse.iitk.ac.in', 3013), ('wpad.openstacklocal', 1945), ('isatap.cse.iitk.ac.in', 1514), ('isatap.openstacklocal', 1067), ('zexhuvkamyrvm.cse.iitk.ac.in', 1018), ('aymwknwl.cse.iitk.ac.in', 1015), ('nylnoou.cse.iitk.ac.in', 1015), ('zexhuvkamyrvm.openstacklocal', 735), ('aymwknwl.openstacklocal', 731), ('nylnoou.openstacklocal', 731), ('amyrvmcgszqobp.cse.iitk.ac.in', 338), ('uasmzexh.cse.iitk.ac.in', 260), ('nwljtfnyl.cse.iitk.ac.in', 251), ('amyrvmcgszqobp.openstacklocal', 216), ('iobpfpratk.cse.iitk.ac.in', 214), ('akdvrzacozqw.cse.iitk.ac.in', 211), ('ztijowokk.cse.iitk.ac.in', 209), ('uasmzexh.openstacklocal', 171), ('nwljtfnyl.openstacklocal', 169), ('zqwkagzti.cse.iitk.ac.in', 154), ('okklrgb.cse.iitk.ac.in', 154), ('fpratklcvakdvrz.cse.iitk.ac.in', 154), ('iobpfpratk.openstacklocal', 152), ('tsziobplqsatk.cse.iitk.ac.in', 151), ('ztijowokk.openstacklocal', 151), ('akdvrzacozqw.openstacklocal', 151), ('irdvrza.cse.iitk.ac.in', 146), ('qwkageobjowokx.cse.iitk.ac.in', 145), ('smzexhuvkamyr.cse.iitk.ac.in', 144), ('gszqobphcsau.cse.iitk.ac.in', 144), ('tfnylno.cse.iitk.ac.in', 143), ('qwkageobjowokx.openstacklocal', 113), ('irdvrza.openstacklocal', 113), ('tsziobplqsatk.openstacklocal', 113), ('tinypic.com', 96), ('match.com', 96), ('daum.net', 96), ('smzexhuvkamyr.openstacklocal', 91), ('gszqobphcsau.openstacklocal', 91), ('tfnylno.openstacklocal', 89), ('dvrzadatqwka.cse.iitk.ac.in', 84), 
('bjowokx.cse.iitk.ac.in', 84), ('obplqsatklc.cse.iitk.ac.in', 84), ('asftbxh.cse.iitk.ac.in', 77), ('osjrvmcgtciobp.cse.iitk.ac.in', 77), ('jtfnrzi.cse.iitk.ac.in', 77), ('kosjrvmcgtciob.cse.iitk.ac.in', 70), ('mhtklcjrelvr.cse.iitk.ac.in', 70), ('rzioouasftbx.cse.iitk.ac.in', 70), ('ilikearts.com', 70), ('artsbizworld.com', 70), ('realquickmedia.com', 70), ('fpratklcvakdvrz.openstacklocal', 67), ('okklrgb.openstacklocal', 67), ('zqwkagzti.openstacklocal', 67), ('oouasmzexh.cse.iitk.ac.in', 67), ('qgszayip.cse.iitk.ac.in', 66), ('rtqicigvsbjjbik.cse.iitk.ac.in', 65), ('apwbcbrrdfu.cse.iitk.ac.in', 65), ('jtfnrzi.openstacklocal', 65), ('asftbxh.openstacklocal', 64), ('ymwknwljtfn.cse.iitk.ac.in', 64), ('osjrvmcgtciobp.openstacklocal', 63), ('sqgszqotdwcsau.cse.iitk.ac.in', 58), ('dvrzadatqwka.openstacklocal', 51), ('obplqsatklc.openstacklocal', 50), ('bjowokx.openstacklocal', 50), ('tvmqgszqobp.cse.iitk.ac.in', 49), ('rtqzmagvsbjdkok.cse.iitk.ac.in', 47), ('atylcbrrdqe.cse.iitk.ac.in', 47), ('igvsbjjbikzthg.cse.iitk.ac.in', 44), ('rrdfukagrt.cse.iitk.ac.in', 43), ('ayipwcsapw.cse.iitk.ac.in', 43), ('qgszayip.openstacklocal', 41), ('apwbcbrrdfu.openstacklocal', 40), ('rtqicigvsbjjbik.openstacklocal', 40), ('oouasmzexh.openstacklocal', 40), ('mediaartsplaza.com', 40), ('theheroarts.com', 40), ('superartsacademy.com', 40), ('ikea.com', 39), ('ymwknwljtfn.openstacklocal', 38), ('sitesell.com', 38), ('google.ae', 38), ('knwlpyhnyl.cse.iitk.ac.in', 36)]
for t in dlls_list_top_100_with_freq:
dlls_list_top_100.append(t[0])
for t in domains_list_top_100_with_freq:
domains_list_top_100.append(t[0])
# = = = = = = = = = = BENIGN = = = = = = = = = =
file_list = open("file_list_benign1.txt", "r").read()
os.chdir("./Dynamic_Analysis_Data_Part1/Benign")
file_list = file_list.split('\n')
dlls_dict_top_100_benign = {key: None for key in dlls_list_top_100}
list_of_dlls_dict_top_100_benign = []
hashes_list_benign = []
for file in file_list:
data = json.loads(open(file).read())
try:
dll_list = data["behavior"]["summary"]["dll_loaded"]
except:
dll_list = []
# convert list to lowercase
dll_list = [i.lower() for i in dll_list]
# 1. Dll Loaded
for key in dlls_list_top_100:
if key in dll_list:
dlls_dict_top_100_benign[key] = True
# print(True)
else:
dlls_dict_top_100_benign[key] = False
hashes_list_benign.append(file)
list_of_dlls_dict_top_100_benign.append((dlls_dict_top_100_benign.copy()))
# print(dlls_dict_top_100_benign)
# print(list_of_dlls_dict_top_100_benign)
# print(hashes_list_benign)
columns = {key : [] for key in dlls_list_top_100}
for i in list_of_dlls_dict_top_100_benign:
for key, value in i.items():
columns[key].append(value)
columns['legit'] = True
columns['hash'] = hashes_list_benign
df_benign = pd.DataFrame(columns)
# os.chdir("../../")
# df_benign.to_csv("benign_dynamic.csv")
print("benign done")
# = = = = = = = = = = MALWARE = = = = = = = = = =
os.chdir("../../")
file_list = open("file_list_malware1.txt", "r").read()
os.chdir("./Dynamic_Analysis_Data_Part1/Malware")
file_list = file_list.split('\n')
dlls_dict_top_100_malware = {key: None for key in dlls_list_top_100}
list_of_dlls_dict_top_100_malware = []
hashes_list_malware = []
for file in file_list:
data = json.loads(open(file).read())
try:
dll_list = data["behavior"]["summary"]["dll_loaded"]
except:
dll_list = []
# convert list to lowercase
dll_list = [i.lower() for i in dll_list]
# 1. Dll Loaded
for key in dlls_list_top_100:
if key in dll_list:
dlls_dict_top_100_malware[key] = True
else:
dlls_dict_top_100_malware[key] = False
list_of_dlls_dict_top_100_malware.append(dlls_dict_top_100_malware.copy())
hashes_list_malware.append(file)
columns = {key : [] for key in dlls_list_top_100}
for i in list_of_dlls_dict_top_100_malware:
for key, value in i.items():
columns[key].append(value)
columns['legit'] = False
columns['hash'] = hashes_list_malware
df_malware = pd.DataFrame(columns)
# os.chdir("../../")
# df_malware.to_csv("malware_dynamic.csv")
print("malware done")
# # = = = = = = = = = = COMBINED PROCESSING = = = = = = = = = =
df = [df_benign, df_malware]
df = pd.concat(df, ignore_index=True)
os.chdir("../../")
df.to_csv("final_data_dynamic.csv")