mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,196 @@
|
||||
---
|
||||
name: detecting-mobile-malware-behavior
|
||||
description: >
|
||||
Detects and analyzes malicious behavior in mobile applications through behavioral analysis,
|
||||
permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when
|
||||
analyzing suspicious mobile applications for data exfiltration, command-and-control communication,
|
||||
credential stealing, SMS interception, or other malware indicators. Activates for requests involving
|
||||
mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.
|
||||
domain: cybersecurity
|
||||
subdomain: mobile-security
|
||||
author: mahipal
|
||||
tags: [mobile-security, android, ios, malware-analysis, owasp-mobile, penetration-testing]
|
||||
version: 1.0.0
|
||||
license: MIT
|
||||
---
|
||||
# Detecting Mobile Malware Behavior
|
||||
|
||||
## When to Use
|
||||
|
||||
Use this skill when:
|
||||
- Analyzing suspicious mobile applications submitted by users or discovered during incident response
|
||||
- Monitoring enterprise mobile fleet for malicious app indicators
|
||||
- Performing malware triage on APK/IPA samples
|
||||
- Investigating data exfiltration or unauthorized device access from mobile apps
|
||||
|
||||
**Do not use** this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Isolated analysis environment (dedicated device or emulator, not connected to production networks)
|
||||
- MobSF for automated static+dynamic analysis
|
||||
- Frida/Objection for runtime behavior monitoring
|
||||
- Wireshark/tcpdump for network traffic capture
|
||||
- Android emulator (AVD) or Genymotion for safe execution
|
||||
- VirusTotal API key for hash lookups
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1: Static Indicator Analysis
|
||||
|
||||
```bash
|
||||
# Hash the sample
|
||||
sha256sum suspicious.apk
|
||||
|
||||
# Check VirusTotal
|
||||
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
|
||||
-H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'
|
||||
|
||||
# Extract permissions from AndroidManifest.xml
|
||||
aapt dump permissions suspicious.apk
|
||||
|
||||
# High-risk permission combinations:
|
||||
# READ_SMS + INTERNET = SMS stealer
|
||||
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
|
||||
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
|
||||
# CAMERA + RECORD_AUDIO + INTERNET = spyware
|
||||
# DEVICE_ADMIN + INTERNET = ransomware capability
|
||||
# READ_CONTACTS + INTERNET = contact exfiltration
|
||||
```
|
||||
|
||||
### Step 2: MobSF Automated Malware Scan
|
||||
|
||||
```bash
|
||||
# Upload to MobSF
|
||||
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
|
||||
-H "Authorization: <API_KEY>"
|
||||
|
||||
# Review malware indicators in report:
|
||||
# - Hardcoded C2 server addresses
|
||||
# - Dynamic code loading (DexClassLoader)
|
||||
# - Reflection-based API calls (to evade static analysis)
|
||||
# - Encrypted/obfuscated payloads
|
||||
# - Root detection (malware often checks for root)
|
||||
# - Anti-emulator checks (malware evades sandbox)
|
||||
```
|
||||
|
||||
### Step 3: Network Behavior Monitoring
|
||||
|
||||
```bash
|
||||
# Start packet capture on emulator
|
||||
tcpdump -i any -w malware_traffic.pcap
|
||||
|
||||
# Or use mitmproxy for HTTP/HTTPS
|
||||
mitmproxy --mode transparent
|
||||
|
||||
# Monitor for:
|
||||
# - DNS lookups to suspicious/newly registered domains
|
||||
# - Connections to known C2 infrastructure
|
||||
# - Data exfiltration patterns (large POST requests)
|
||||
# - Beaconing behavior (regular interval connections)
|
||||
# - Non-standard ports and protocols
|
||||
# - Domain Generation Algorithm (DGA) patterns
|
||||
```
|
||||
|
||||
### Step 4: Runtime Behavior Monitoring with Frida
|
||||
|
||||
```javascript
|
||||
// monitor_malware.js - Comprehensive behavior monitoring
|
||||
Java.perform(function() {
|
||||
// Monitor SMS access
|
||||
var SmsManager = Java.use("android.telephony.SmsManager");
|
||||
SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
|
||||
"java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
|
||||
.implementation = function(dest, sc, text, sent, delivery) {
|
||||
console.log("[SMS] Sending to: " + dest + " Text: " + text);
|
||||
// Allow or block based on analysis needs
|
||||
return this.sendTextMessage(dest, sc, text, sent, delivery);
|
||||
};
|
||||
|
||||
// Monitor file operations
|
||||
var FileOutputStream = Java.use("java.io.FileOutputStream");
|
||||
FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
|
||||
console.log("[FILE-WRITE] " + path);
|
||||
return this.$init(path);
|
||||
};
|
||||
|
||||
// Monitor network connections
|
||||
var URL = Java.use("java.net.URL");
|
||||
URL.openConnection.overload().implementation = function() {
|
||||
console.log("[NET] " + this.toString());
|
||||
return this.openConnection();
|
||||
};
|
||||
|
||||
// Monitor dynamic code loading
|
||||
var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
|
||||
DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
|
||||
console.log("[DEX-LOAD] Loading: " + dexPath);
|
||||
return this.$init(dexPath, optDir, libPath, parent);
|
||||
};
|
||||
|
||||
// Monitor command execution
|
||||
var Runtime = Java.use("java.lang.Runtime");
|
||||
Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
|
||||
console.log("[EXEC] " + cmd);
|
||||
return this.exec(cmd);
|
||||
};
|
||||
|
||||
// Monitor camera/audio access
|
||||
var Camera = Java.use("android.hardware.Camera");
|
||||
Camera.open.overload("int").implementation = function(id) {
|
||||
console.log("[CAMERA] Camera opened: " + id);
|
||||
return this.open(id);
|
||||
};
|
||||
|
||||
// Monitor content provider access (contacts, call log)
|
||||
var ContentResolver = Java.use("android.content.ContentResolver");
|
||||
ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
|
||||
"java.lang.String", "[Ljava.lang.String;", "java.lang.String")
|
||||
.implementation = function(uri, proj, sel, selArgs, sort) {
|
||||
console.log("[QUERY] " + uri.toString());
|
||||
return this.query(uri, proj, sel, selArgs, sort);
|
||||
};
|
||||
|
||||
console.log("[*] Malware behavior monitor active");
|
||||
});
|
||||
```
|
||||
|
||||
### Step 5: Classify Malware Type
|
||||
|
||||
Based on observed behaviors, classify the sample:
|
||||
|
||||
| Behavior Pattern | Malware Type |
|
||||
|-----------------|-------------|
|
||||
| SMS interception + C2 communication | Banking Trojan |
|
||||
| Camera/mic access + data upload | Spyware/Stalkerware |
|
||||
| File encryption + ransom note display | Mobile Ransomware |
|
||||
| Ad injection + click fraud traffic | Adware |
|
||||
| Root exploit + persistence | Rootkit |
|
||||
| Contact harvesting + SMS spam | Worm/SMS Spammer |
|
||||
| Overlay attacks + credential capture | Credential Stealer |
|
||||
| Crypto mining network activity | Cryptojacker |
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Term | Definition |
|
||||
|------|-----------|
|
||||
| **Dynamic Code Loading** | Loading executable code at runtime from external sources, commonly used by malware to evade static analysis |
|
||||
| **C2 Beacon** | Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns |
|
||||
| **DGA** | Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure |
|
||||
| **Overlay Attack** | Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission |
|
||||
| **Anti-Emulator** | Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior |
|
||||
|
||||
## Tools & Systems
|
||||
|
||||
- **MobSF**: Automated static and dynamic analysis for initial malware triage
|
||||
- **VirusTotal**: Multi-engine malware scanning and hash reputation lookup
|
||||
- **Frida**: Runtime behavior monitoring through method hooking
|
||||
- **Wireshark**: Network traffic analysis for C2 communication patterns
|
||||
- **Cuckoo Sandbox / CuckooDroid**: Automated malware analysis sandbox for Android samples
|
||||
|
||||
## Common Pitfalls
|
||||
|
||||
- **Anti-analysis evasion**: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
|
||||
- **Time-delayed payloads**: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
|
||||
- **Encrypted C2**: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
|
||||
- **Multi-stage payloads**: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.
|
||||
@@ -0,0 +1,35 @@
|
||||
# Mobile Malware Analysis Report
|
||||
|
||||
## Sample Information
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| File Name | [NAME] |
|
||||
| SHA256 | [HASH] |
|
||||
| File Size | [SIZE] |
|
||||
| Package Name | [PACKAGE] |
|
||||
| VirusTotal Detection | [N]/[TOTAL] engines |
|
||||
| Risk Level | [CRITICAL/HIGH/MEDIUM/LOW] |
|
||||
|
||||
## Permission Analysis
|
||||
| Permission | Risk | Malware Indicator |
|
||||
|-----------|------|-------------------|
|
||||
| [PERMISSION] | [LEVEL] | [DESCRIPTION] |
|
||||
|
||||
## Behavioral Indicators
|
||||
| Behavior | Detected | Malware Type |
|
||||
|----------|----------|-------------|
|
||||
| SMS Interception | [YES/NO] | Banking Trojan |
|
||||
| Camera/Audio | [YES/NO] | Spyware |
|
||||
| Dynamic DEX Loading | [YES/NO] | Dropper |
|
||||
| C2 Communication | [YES/NO] | General Malware |
|
||||
| File Encryption | [YES/NO] | Ransomware |
|
||||
|
||||
## IOCs
|
||||
| Type | Value | Context |
|
||||
|------|-------|---------|
|
||||
| Domain | [DOMAIN] | C2 Server |
|
||||
| IP | [IP] | C2 Infrastructure |
|
||||
| Hash | [HASH] | Payload |
|
||||
|
||||
## Recommendations
|
||||
1. [RECOMMENDATION]
|
||||
@@ -0,0 +1,20 @@
|
||||
# Standards Reference: Mobile Malware Detection
|
||||
|
||||
## OWASP Mobile Top 10 2024
|
||||
| ID | Risk | Malware Relevance |
|
||||
|----|------|-------------------|
|
||||
| M2 | Inadequate Supply Chain Security | Trojanized apps, repackaged malware |
|
||||
| M8 | Security Misconfiguration | Excessive permissions enabling malware |
|
||||
|
||||
## NIST SP 800-163 Rev 1
|
||||
- Section 5: Mobile app vetting for malware indicators
|
||||
- Section 6: Enterprise mobile device management for malware prevention
|
||||
|
||||
## MITRE ATT&CK Mobile Matrix
|
||||
| Tactic | Technique | Indicator |
|
||||
|--------|-----------|-----------|
|
||||
| Initial Access | T1444: Masquerade as Legitimate App | App name/icon spoofing |
|
||||
| Collection | T1412: Capture SMS Messages | SMS permission + network |
|
||||
| Exfiltration | T1437: Standard Application Layer Protocol | HTTP POST to C2 |
|
||||
| Command and Control | T1437.001: Web Protocols | HTTPS beaconing |
|
||||
| Impact | T1471: Data Encrypted for Impact | File encryption + ransom |
|
||||
@@ -0,0 +1,18 @@
|
||||
# Workflows: Mobile Malware Detection
|
||||
|
||||
## Workflow 1: Malware Triage Pipeline
|
||||
```
|
||||
[Receive sample] --> [Hash & VirusTotal check] --> [Known malware?]
|
||||
/ \
|
||||
[Yes: Report] [No: Continue]
|
||||
|
|
||||
[MobSF static scan] --> [Permission analysis]
|
||||
|
|
||||
[Dynamic execution in sandbox]
|
||||
[Network monitoring]
|
||||
[Behavior monitoring with Frida]
|
||||
|
|
||||
[Classify malware type]
|
||||
[Extract IOCs (domains, IPs, hashes)]
|
||||
[Generate report]
|
||||
```
|
||||
@@ -0,0 +1,235 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
Mobile Malware Behavior Analyzer
|
||||
|
||||
Performs static indicator analysis on Android APK files to detect malware behaviors.
|
||||
Checks permissions, code patterns, and VirusTotal reputation.
|
||||
|
||||
Usage:
|
||||
python process.py --apk suspicious.apk [--vt-key API_KEY] [--output report.json]
|
||||
"""
|
||||
|
||||
import argparse
|
||||
import hashlib
|
||||
import json
|
||||
import subprocess
|
||||
import sys
|
||||
import zipfile
|
||||
import re
|
||||
from datetime import datetime
|
||||
from pathlib import Path
|
||||
|
||||
try:
|
||||
import requests
|
||||
except ImportError:
|
||||
requests = None
|
||||
|
||||
DANGEROUS_PERMISSIONS = {
|
||||
"android.permission.READ_SMS": "SMS access - banking trojan indicator",
|
||||
"android.permission.RECEIVE_SMS": "SMS interception - banking trojan indicator",
|
||||
"android.permission.SEND_SMS": "SMS sending - premium SMS fraud indicator",
|
||||
"android.permission.CAMERA": "Camera access - spyware indicator",
|
||||
"android.permission.RECORD_AUDIO": "Microphone access - spyware indicator",
|
||||
"android.permission.READ_CONTACTS": "Contact harvesting - worm/spyware indicator",
|
||||
"android.permission.READ_CALL_LOG": "Call log access - spyware indicator",
|
||||
"android.permission.ACCESS_FINE_LOCATION": "Location tracking - stalkerware indicator",
|
||||
"android.permission.SYSTEM_ALERT_WINDOW": "Overlay capability - credential stealer indicator",
|
||||
"android.permission.BIND_DEVICE_ADMIN": "Device admin - ransomware indicator",
|
||||
"android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility abuse - overlay attacks",
|
||||
"android.permission.REQUEST_INSTALL_PACKAGES": "Silent app installation capability",
|
||||
"android.permission.WRITE_EXTERNAL_STORAGE": "External storage write - data staging",
|
||||
}
|
||||
|
||||
MALWARE_CODE_PATTERNS = {
|
||||
"dynamic_dex_loading": r"DexClassLoader|InMemoryDexClassLoader|PathClassLoader",
|
||||
"reflection": r"java\.lang\.reflect|Method\.invoke|Class\.forName",
|
||||
"native_code_loading": r"System\.loadLibrary|System\.load\(",
|
||||
"command_execution": r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder",
|
||||
"crypto_operations": r"javax\.crypto\.Cipher|javax\.crypto\.spec",
|
||||
"base64_encoding": r"android\.util\.Base64|java\.util\.Base64",
|
||||
"root_detection": r"\/system\/xbin\/su|\/system\/app\/Superuser|isRooted|RootBeer",
|
||||
"emulator_detection": r"Build\.FINGERPRINT.*generic|goldfish|ranchu|sdk_gphone",
|
||||
"keylogger": r"AccessibilityService|onAccessibilityEvent|TYPE_VIEW_TEXT_CHANGED",
|
||||
"screen_capture": r"MediaProjection|createVirtualDisplay|CAPTURE_SECURE",
|
||||
}
|
||||
|
||||
|
||||
def compute_hashes(file_path: str) -> dict:
|
||||
"""Compute file hashes."""
|
||||
with open(file_path, "rb") as f:
|
||||
data = f.read()
|
||||
return {
|
||||
"md5": hashlib.md5(data).hexdigest(),
|
||||
"sha1": hashlib.sha1(data).hexdigest(),
|
||||
"sha256": hashlib.sha256(data).hexdigest(),
|
||||
"size": len(data),
|
||||
}
|
||||
|
||||
|
||||
def extract_permissions(apk_path: str) -> list:
|
||||
"""Extract permissions from APK using aapt."""
|
||||
try:
|
||||
result = subprocess.run(
|
||||
["aapt", "dump", "permissions", apk_path],
|
||||
capture_output=True, text=True, timeout=30
|
||||
)
|
||||
perms = []
|
||||
for line in result.stdout.split("\n"):
|
||||
if "uses-permission:" in line:
|
||||
perm = line.split("name='")[1].split("'")[0] if "name='" in line else line.strip()
|
||||
perms.append(perm)
|
||||
return perms
|
||||
except (subprocess.TimeoutExpired, FileNotFoundError, IndexError):
|
||||
return []
|
||||
|
||||
|
||||
def scan_code_patterns(apk_path: str) -> dict:
|
||||
"""Scan DEX code for malware patterns."""
|
||||
findings = {}
|
||||
try:
|
||||
with zipfile.ZipFile(apk_path, "r") as z:
|
||||
for name in z.namelist():
|
||||
if name.endswith(".dex"):
|
||||
dex_data = z.read(name).decode("utf-8", errors="replace")
|
||||
for pattern_name, pattern in MALWARE_CODE_PATTERNS.items():
|
||||
matches = re.findall(pattern, dex_data)
|
||||
if matches:
|
||||
findings[pattern_name] = {
|
||||
"count": len(matches),
|
||||
"samples": list(set(matches))[:3],
|
||||
}
|
||||
except zipfile.BadZipFile:
|
||||
findings["error"] = "Invalid ZIP/APK file"
|
||||
return findings
|
||||
|
||||
|
||||
def check_virustotal(sha256: str, api_key: str) -> dict:
|
||||
"""Query VirusTotal for file reputation."""
|
||||
if not requests or not api_key:
|
||||
return {"skipped": True}
|
||||
try:
|
||||
resp = requests.get(
|
||||
f"https://www.virustotal.com/api/v3/files/{sha256}",
|
||||
headers={"x-apikey": api_key},
|
||||
timeout=15
|
||||
)
|
||||
if resp.status_code == 200:
|
||||
data = resp.json().get("data", {}).get("attributes", {})
|
||||
stats = data.get("last_analysis_stats", {})
|
||||
return {
|
||||
"malicious": stats.get("malicious", 0),
|
||||
"suspicious": stats.get("suspicious", 0),
|
||||
"undetected": stats.get("undetected", 0),
|
||||
"total_engines": sum(stats.values()),
|
||||
"detection_names": [
|
||||
f"{engine}: {result.get('result')}"
|
||||
for engine, result in data.get("last_analysis_results", {}).items()
|
||||
if result.get("category") == "malicious"
|
||||
][:10],
|
||||
}
|
||||
return {"status_code": resp.status_code}
|
||||
except Exception as e:
|
||||
return {"error": str(e)}
|
||||
|
||||
|
||||
def assess_risk(permissions: list, code_patterns: dict, vt_result: dict) -> dict:
|
||||
"""Calculate overall malware risk assessment."""
|
||||
risk_score = 0
|
||||
indicators = []
|
||||
|
||||
# Permission-based risk
|
||||
dangerous_found = [p for p in permissions if p in DANGEROUS_PERMISSIONS]
|
||||
risk_score += len(dangerous_found) * 10
|
||||
|
||||
# High-risk combinations
|
||||
perm_set = set(permissions)
|
||||
if {"android.permission.READ_SMS", "android.permission.INTERNET"} <= perm_set:
|
||||
indicators.append("SMS stealer pattern (READ_SMS + INTERNET)")
|
||||
risk_score += 30
|
||||
if {"android.permission.CAMERA", "android.permission.RECORD_AUDIO", "android.permission.INTERNET"} <= perm_set:
|
||||
indicators.append("Spyware pattern (CAMERA + AUDIO + INTERNET)")
|
||||
risk_score += 40
|
||||
if "android.permission.BIND_DEVICE_ADMIN" in perm_set:
|
||||
indicators.append("Device admin capability (ransomware indicator)")
|
||||
risk_score += 25
|
||||
|
||||
# Code pattern risk
|
||||
if "dynamic_dex_loading" in code_patterns:
|
||||
indicators.append("Dynamic DEX loading detected")
|
||||
risk_score += 20
|
||||
if "command_execution" in code_patterns:
|
||||
indicators.append("Command execution capability")
|
||||
risk_score += 15
|
||||
if "emulator_detection" in code_patterns:
|
||||
indicators.append("Anti-emulator checks (sandbox evasion)")
|
||||
risk_score += 15
|
||||
if "keylogger" in code_patterns:
|
||||
indicators.append("Accessibility service abuse (keylogger)")
|
||||
risk_score += 30
|
||||
|
||||
# VirusTotal
|
||||
if vt_result.get("malicious", 0) > 0:
|
||||
risk_score += min(vt_result["malicious"] * 5, 50)
|
||||
indicators.append(f"VirusTotal: {vt_result['malicious']} engines detected as malicious")
|
||||
|
||||
risk_level = "CRITICAL" if risk_score >= 80 else "HIGH" if risk_score >= 50 else "MEDIUM" if risk_score >= 25 else "LOW"
|
||||
|
||||
return {
|
||||
"risk_score": min(risk_score, 100),
|
||||
"risk_level": risk_level,
|
||||
"indicators": indicators,
|
||||
}
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="Mobile Malware Behavior Analyzer")
|
||||
parser.add_argument("--apk", required=True, help="Path to APK file")
|
||||
parser.add_argument("--vt-key", help="VirusTotal API key")
|
||||
parser.add_argument("--output", default="malware_report.json", help="Output report")
|
||||
args = parser.parse_args()
|
||||
|
||||
if not Path(args.apk).exists():
|
||||
print(f"[-] File not found: {args.apk}")
|
||||
sys.exit(1)
|
||||
|
||||
print("[*] Computing hashes...")
|
||||
hashes = compute_hashes(args.apk)
|
||||
|
||||
print("[*] Extracting permissions...")
|
||||
permissions = extract_permissions(args.apk)
|
||||
|
||||
print("[*] Scanning code patterns...")
|
||||
code_patterns = scan_code_patterns(args.apk)
|
||||
|
||||
print("[*] Checking VirusTotal...")
|
||||
vt_result = check_virustotal(hashes["sha256"], args.vt_key)
|
||||
|
||||
print("[*] Assessing risk...")
|
||||
risk = assess_risk(permissions, code_patterns, vt_result)
|
||||
|
||||
report = {
|
||||
"analysis": {
|
||||
"file": args.apk,
|
||||
"date": datetime.now().isoformat(),
|
||||
"hashes": hashes,
|
||||
},
|
||||
"permissions": {
|
||||
"total": len(permissions),
|
||||
"dangerous": {p: DANGEROUS_PERMISSIONS[p] for p in permissions if p in DANGEROUS_PERMISSIONS},
|
||||
},
|
||||
"code_patterns": code_patterns,
|
||||
"virustotal": vt_result,
|
||||
"risk_assessment": risk,
|
||||
}
|
||||
|
||||
with open(args.output, "w") as f:
|
||||
json.dump(report, f, indent=2)
|
||||
|
||||
print(f"\n[+] Report saved: {args.output}")
|
||||
print(f"[!] Risk Level: {risk['risk_level']} (Score: {risk['risk_score']}/100)")
|
||||
for ind in risk["indicators"]:
|
||||
print(f" - {ind}")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user