Ragpicker MongoDB queries (mongo shell JavaScript)
Get SHA256 keys (each parent object plus the unpacked and sibling objects recorded for it in the families collection)
// Accumulator for every SHA256 collected while walking ragpicker and families; it is
// deduplicated with uniques() before being printed. Declared with var so it survives as a
// shell global between statements.
var sha256 = []
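// Distinct values of arr in first-seen order.
// Empty strings, null and undefined are dropped: they come from documents that lack a
// digest and would otherwise show up as blank entries in the printed hash list.
// Membership is tracked in a prototype-less object (O(n) overall, instead of a linear
// indexOf scan per element). Keys are built from type + string form, so 1 and '1' stay
// distinct; this is meant for hex digest strings — object values would all collide on
// '[object Object]'.
// Non-prototype version (does not extend Array.prototype).
function uniques(arr) {
  var out = [];
  if (!arr) {
    return out;
  }
  var seen = Object.create(null);
  for (var i = 0, n = arr.length; i < n; i++) {
    var v = arr[i];
    if (v === undefined || v === null || v === '') {
      continue;
    }
    var key = typeof v + ':' + String(v);
    if (seen[key]) {
      continue;
    }
    seen[key] = true;
    out.push(v);
  }
  return out;
}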
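// Walk every ragpicker document: collect the parent object's SHA256, then every SHA256 the
// families collection records for that parent (the unpacked object and its siblings).
// Guards are explicit so one document without Info.file, or one families entry without a
// siblingObjectsSHA256 array, skips quietly instead of throwing and aborting the whole walk
// (the original dereferenced .length on a possibly-missing array).
db.ragpicker.find().forEach(function (parent) {
  if (!parent.Info || !parent.Info.file || !parent.Info.file.sha256) {
    return; // nothing hashable on this document; keep walking
  }
  var parentSha256 = parent.Info.file.sha256;
  sha256.push(parentSha256);
  db.families.find({ "parentObjectSHA256": parentSha256 }).forEach(function (family) {
    // Empty, null and undefined digests are all skipped (the original only skipped "").
    if (family.unpackedObjectSHA256) {
      sha256.push(family.unpackedObjectSHA256);
    }
    var siblings = family.siblingObjectsSHA256;
    if (Array.isArray(siblings)) {
      for (var i = 0; i < siblings.length; i++) {
        if (siblings[i]) {
          sha256.push(siblings[i]);
        }
      }
    }
  });
});
print(uniques(sha256));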
Get the SHA256, SHA1 and MD5 hash set as CSV
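// Emit the hash set as CSV: a header row, then one quoted "sha256","sha1","md5" row per
// ragpicker document. The projection limits the cursor to the three digests actually printed.
// csvField wraps a value in double quotes, doubling any embedded quote, and renders a missing
// value as an empty cell instead of the string "undefined", so downstream hash-set tools get
// a clean column rather than a bogus token.
function csvField(value) {
  if (value === undefined || value === null) {
    return '""';
  }
  return '"' + String(value).replace(/"/g, '""') + '"';
}
print("sha256,sha1,md5");
db.ragpicker
  .find({}, { "Info.file.sha256": 1, "Info.file.sha1": 1, "Info.file.md5": 1, _id: 0 })
  .forEach(function (doc) {
    var file = (doc.Info && doc.Info.file) || {};
    print([csvField(file.sha256), csvField(file.sha1), csvField(file.md5)].join(","));
  });
// Get driver SHA256-Keys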
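// Project a ragpicker document to its file SHA256; used as the cursor .map() callback below.
// Declared with var rather than as an implicit global (which strict mode rejects), and returns
// undefined for a document without Info.file instead of throwing mid-iteration.
var get_driver_sha256 = function (doc) {
  var file = doc && doc.Info && doc.Info.file;
  return file ? file.sha256 : undefined;
};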
// Driver-only selection: DRIVER flag set and DLL flag cleared, projected down to the digest
// and mapped to a plain array of SHA256 strings. Nothing is printed here; the array is the
// statement's value, which only an interactive shell echoes.
db.ragpicker
  .find(
    { "Info.file.DRIVER": true, "Info.file.DLL": false },
    { "Info.file.sha256": 1, _id: 0 }
  )
  .map(get_driver_sha256);
// Find a file by sha256
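// Look up a sample by its file SHA256. The digest lives in a variable so the query can be
// reused with another value. Keep it a plain string: MongoDB matches it exactly (and
// case-sensitively — lowercase hex here, so a differently-cased stored value would not match),
// and if this is ever adapted to take caller-supplied input, an object such as { $ne: "" }
// in this position would be interpreted as a query operator rather than a literal.
var lookupSha256 = "c029a3dc28c32075ed24ef7f441a4b33758aea4e9a2fd87afb4aee403ad404d6";
db.ragpicker.find({ "Info.file.sha256": lookupSha256 });
// Packer Statistics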
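// Packer statistics: number of samples per PEID value, most common first.
// The stages are passed as one pipeline array — the form accepted by every shell — instead
// of the variadic aggregate(stage, stage) spelling, which not all shells support.
// Samples without a PEID field are grouped together under _id: null.
db.ragpicker.aggregate([
  { $group: { _id: "$PEID", count: { $sum: 1 } } },
  { $sort: { count: -1 } }
]);
// Digital signatures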
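// Digital signatures: number of samples per (PublisherO, Issuer) pair, most common first.
// Pipeline passed as a single array so it runs under any shell version.
// NOTE(review): these are the name strings recorded in VerifySigs; a subject or issuer name
// is chosen by whoever made the certificate, so a familiar publisher here is not evidence
// that the signature verified — check whatever validity field the collector stored (not
// visible in this page) before treating a bucket as "signed by" that publisher.
db.ragpicker.aggregate([
  {
    $group: {
      _id: { PublisherO: "$VerifySigs.PublisherO", Issuer: "$VerifySigs.Issuer" },
      count: { $sum: 1 }
    }
  },
  { $sort: { count: -1 } }
]);
// EXE, DLL and DRIVER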
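// Sample counts per (EXE, DLL, DRIVER) flag combination, most common first.
// $ifNull folds a missing flag into false, so samples that never had the flag set land in
// the same bucket as samples where it is explicitly false rather than forming a null bucket.
// Pipeline passed as a single array so it runs under any shell version.
db.ragpicker.aggregate([
  {
    $group: {
      _id: {
        EXE: { $ifNull: ["$Info.file.EXE", false] },
        DLL: { $ifNull: ["$Info.file.DLL", false] },
        DRIVER: { $ifNull: ["$Info.file.DRIVER", false] }
      },
      count: { $sum: 1 }
    }
  },
  { $sort: { count: -1 } }
]);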