#533 ehance report and add hashes of decrypted document

TheHive-Project · Sep 20, 2019 · 0cebd39 · 0cebd39
1 parent 51fb59b
commit 0cebd39
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 7 deletions.
diff --git a/analyzers/FileInfo/submodules/submodule_oletools.py b/analyzers/FileInfo/submodules/submodule_oletools.py
@@ -41,7 +41,24 @@ def check_file(self, **kwargs):
 
     def analyze_file(self, path):
         # Run the analyze functions
-        self.encypted = is_encrypted(path)
+        self.encrypted = {'encrypted': is_encrypted(path)}
+        if is_encrypted(path):
+            import io, hashlib
+
+            with io.open(path, 'rb') as fh:
+                buf = fh.read()
+                md5 = hashlib.md5()
+                md5.update(buf)
+                sha1 = hashlib.sha1()
+                sha1.update(buf)
+                sha256 = hashlib.sha256()
+                sha256.update(buf)
+
+            self.encrypted = {'encrypted': is_encrypted(path),
+                             'sha256': sha256.hexdigest(),
+                             'sha1': sha1.hexdigest(),
+                             'md5': md5.hexdigest()}
+
         self.analyze_vba(path)
         self.analyze_dde(path)
 
@@ -98,8 +115,7 @@ def module_summary(self):
         self.summary['taxonomies'] = taxonomies
         self.summary['Olevba'] = olevba_version
         self.summary['Msodde'] = msodde_version
-        self.summary['encrypted_file'] = self.encypted
-
+        self.summary['encrypted_file'] = self.encrypted
         return self.summary
 
     def analyze_vba(self, path):

diff --git a/thehive-templates/FileInfo_7_0/long.html b/thehive-templates/FileInfo_7_0/long.html
@@ -68,13 +68,23 @@ <h4 class="panel-title">Summary</h4>
                                     <dt>Encrypted document</dt>
                                     <dd class="wrap">
                                         <span class="label mr-xxxs"
-                                                  ng-class="{false: 'label-info', true: 'label-warning'}[result['summary']['encrypted_file']]">
-                                                {{result['summary']['encrypted_file']}}
+                                                  ng-class="{false: 'label-info', true: 'label-warning'}[result['summary']['encrypted_file']['encrypted']]">
+                                                {{result['summary']['encrypted_file']['encrypted']}}
                                         </span>
                                     </dd>
-
+                                    <dt ng-if="result['summary']['encrypted_file']['encrypted']"></dt>
+                                    <dd ng-if="result['summary']['encrypted_file']['encrypted']">
+                                        <b>Decrypted file information</b>
+                                        <dl>
+                                            <dt>SHA256</dt>
+                                            <dd>{{result['summary']['encrypted_file']['sha256']}}</dd>
+                                            <dt>SHA1</dt>
+                                            <dd>{{result['summary']['encrypted_file']['sha1']}}</dd>
+                                            <dt>MD5</dt>
+                                            <dd>{{result['summary']['encrypted_file']['md5']}}</dd>
+                                        </dl>
+                                    </dd>
                                 </dl>
-
                             </div>
 
                         </div>