misp-modules/misp_modules/modules/expansion/vmray_submit.py

#!/usr/bin/env python3

'''
Submit sample to VMRay.

Requires "vmray_rest_api"

The expansion module vmray_submit and import module vmray_import are a two step
process to import data from VMRay.
You can automate this by setting the PyMISP example script 'vmray_automation'
as a cron job

'''

import json
import base64
from distutils.util import strtobool

import io
import zipfile

from _vmray.rest_api import VMRayRESTAPI

misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment', 'malware-sample'], 'output': ['text', 'sha1', 'sha256', 'md5', 'link']}
moduleinfo = {
    'version': '0.3',
    'author': 'Koen Van Impe',
    'description': 'Module to submit a sample to VMRay.',
    'module-type': ['expansion'],
    'name': 'VMRay Submit',
    'logo': 'vmray.png',
    'requirements': ['An access to the VMRay API (apikey & url)'],
    'features': 'This module takes an attachment or malware-sample attribute as input to query the VMRay API.\n\nThe sample contained within the attribute in then enriched with data from VMRay mapped into MISP attributes.',
    'references': ['https://www.vmray.com/'],
    'input': 'An attachment or malware-sample attribute.',
    'output': 'MISP attributes mapped from the result of the query on VMRay API, included in the following list:\n- text\n- sha1\n- sha256\n- md5\n- link',
}
moduleconfig = ['apikey', 'url', 'shareable', 'do_not_reanalyze', 'do_not_include_vmrayjobids']


include_vmrayjobids = False


def handler(q=False):
    global include_vmrayjobids

    if q is False:
        return False
    request = json.loads(q)

    try:
        data = request.get("data")
        if 'malware-sample' in request:
            # malicious samples are encrypted with zip (password infected) and then base64 encoded
            sample_filename = request.get("malware-sample").split("|", 1)[0]
            data = base64.b64decode(data)
            fl = io.BytesIO(data)
            zf = zipfile.ZipFile(fl)
            sample_hashname = zf.namelist()[0]
            data = zf.read(sample_hashname, b"infected")
            zf.close()
        elif 'attachment' in request:
            # All attachments get base64 encoded
            sample_filename = request.get("attachment")
            data = base64.b64decode(data)

        else:
            misperrors['error'] = "No malware sample or attachment supplied"
            return misperrors
    except Exception:
        misperrors['error'] = "Unable to process submited sample data"
        return misperrors

    if (request["config"].get("apikey") is None) or (request["config"].get("url") is None):
        misperrors["error"] = "Missing API key or server URL (hint: try cloud.vmray.com)"
        return misperrors

    api = VMRayRESTAPI(request["config"].get("url"), request["config"].get("apikey"), False)

    shareable = request["config"].get("shareable")
    do_not_reanalyze = request["config"].get("do_not_reanalyze")
    do_not_include_vmrayjobids = request["config"].get("do_not_include_vmrayjobids")

    try:
        shareable = bool(strtobool(shareable))                                 # Do we want the sample to be shared?
        reanalyze = not bool(strtobool(do_not_reanalyze))                      # Always reanalyze the sample?
        include_vmrayjobids = not bool(strtobool(do_not_include_vmrayjobids))  # Include the references to VMRay job IDs
    except ValueError:
        misperrors["error"] = "Error while processing settings. Please double-check your values."
        return misperrors

    if data and sample_filename:
        args = {}
        args["shareable"] = shareable
        args["sample_file"] = {'data': io.BytesIO(data), 'filename': sample_filename}
        args["reanalyze"] = reanalyze

        try:
            vmraydata = vmraySubmit(api, args)
            if vmraydata["errors"] and "Submission not stored" not in vmraydata["errors"][0]["error_msg"]:
                misperrors['error'] = "VMRay: %s" % vmraydata["errors"][0]["error_msg"]
                return misperrors
            else:
                return vmrayProcess(vmraydata)
        except Exception:
            misperrors['error'] = "Problem when calling API."
            return misperrors
    else:
        misperrors['error'] = "No sample data or filename."
        return misperrors


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo


def vmrayProcess(vmraydata):
    ''' Process the JSON file returned by vmray'''
    if vmraydata:
        try:
            sample = vmraydata["samples"][0]
            jobs = vmraydata["jobs"]

            # Result received?
            if sample:
                r = {'results': []}
                r['results'].append({'types': 'md5', 'values': sample['sample_md5hash']})
                r['results'].append({'types': 'sha1', 'values': sample['sample_sha1hash']})
                r['results'].append({'types': 'sha256', 'values': sample['sample_sha256hash']})
                r['results'].append({'types': 'text', 'values': 'VMRay Sample ID: %s' % sample['sample_id'], 'tags': 'workflow:state="incomplete"'})
                r['results'].append({'types': 'link', 'values': sample['sample_webif_url']})

                # Include data from different jobs
                if include_vmrayjobids and len(jobs) > 0:
                    for job in jobs:
                        job_id = job["job_id"]
                        job_vm_name = job["job_vm_name"]
                        job_configuration_name = job["job_configuration_name"]
                        r["results"].append({"types": "text", "values": "VMRay Job ID %s (%s - %s)" % (job_id, job_vm_name, job_configuration_name)})
                return r
            else:
                misperrors['error'] = "No valid results returned."
                return misperrors
        except Exception:
            misperrors['error'] = "No valid submission data returned."
            return misperrors
    else:
        misperrors['error'] = "Unable to parse results."
        return misperrors


def vmraySubmit(api, args):
    ''' Submit the sample to VMRay'''
    vmraydata = api.call("POST", "/rest/sample/submit", args)
    return vmraydata
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`#!/usr/bin/env python3`

			`'''`
Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`Submit sample to VMRay.`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00
New VMRay modules New JSON output format of VMRay Prepare for automation (via PyMISP) with workflow taxonomy tags 2019-05-01 22:44:24 +02:00			`Requires "vmray_rest_api"`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00
New VMRay modules New JSON output format of VMRay Prepare for automation (via PyMISP) with workflow taxonomy tags 2019-05-01 22:44:24 +02:00			`The expansion module vmray_submit and import module vmray_import are a two step`
			`process to import data from VMRay.`
			`You can automate this by setting the PyMISP example script 'vmray_automation'`
			`as a cron job`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00
			`'''`

			`import json`
			`import base64`
Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`from distutils.util import strtobool`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00
			`import io`
Submit malware samples _submit now includes malware samples (zipped content from misp) _import checks when no vti_results are returned + bugfix 2016-11-18 18:23:52 +01:00			`import zipfile`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00
Corrected VMray rest API import When loading misp-modules, the VMray module ```modules/expansion/vmray_submit.py ``` incorrectly imports the library. VMray's documentation and examples here: https://pypi.org/project/vmray-rest-api/#history also reflect this change as the correct import. 2021-01-04 22:27:47 +01:00			`from _vmray.rest_api import VMRayRESTAPI`
Multiple clanges in the vmray modules. * Generic fix to load modules requiring a local library * Fix python3 support * PEP8 related cleanups 2016-11-15 16:43:11 +01:00
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`misperrors = {'error': 'Error'}`
Submit malware samples _submit now includes malware samples (zipped content from misp) _import checks when no vti_results are returned + bugfix 2016-11-18 18:23:52 +01:00			`mispattributes = {'input': ['attachment', 'malware-sample'], 'output': ['text', 'sha1', 'sha256', 'md5', 'link']}`
chg: [doc] Big doc revamp #680 2024-08-12 11:23:10 +02:00			`moduleinfo = {`
			`'version': '0.3',`
			`'author': 'Koen Van Impe',`
			`'description': 'Module to submit a sample to VMRay.',`
			`'module-type': ['expansion'],`
			`'name': 'VMRay Submit',`
			`'logo': 'vmray.png',`
			`'requirements': ['An access to the VMRay API (apikey & url)'],`
			`'features': 'This module takes an attachment or malware-sample attribute as input to query the VMRay API.\n\nThe sample contained within the attribute in then enriched with data from VMRay mapped into MISP attributes.',`
			`'references': ['https://www.vmray.com/'],`
			`'input': 'An attachment or malware-sample attribute.',`
			`'output': 'MISP attributes mapped from the result of the query on VMRay API, included in the following list:\n- text\n- sha1\n- sha256\n- md5\n- link',`
			`}`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`moduleconfig = ['apikey', 'url', 'shareable', 'do_not_reanalyze', 'do_not_include_vmrayjobids']`


			`include_vmrayjobids = False`


			`def handler(q=False):`
			`global include_vmrayjobids`

			`if q is False:`
			`return False`
			`request = json.loads(q)`

			`try:`
			`data = request.get("data")`
Submit malware samples _submit now includes malware samples (zipped content from misp) _import checks when no vti_results are returned + bugfix 2016-11-18 18:23:52 +01:00			`if 'malware-sample' in request:`
			`# malicious samples are encrypted with zip (password infected) and then base64 encoded`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`sample_filename = request.get("malware-sample").split("\|", 1)[0]`
Submit malware samples _submit now includes malware samples (zipped content from misp) _import checks when no vti_results are returned + bugfix 2016-11-18 18:23:52 +01:00			`data = base64.b64decode(data)`
			`fl = io.BytesIO(data)`
			`zf = zipfile.ZipFile(fl)`
			`sample_hashname = zf.namelist()[0]`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`data = zf.read(sample_hashname, b"infected")`
Submit malware samples _submit now includes malware samples (zipped content from misp) _import checks when no vti_results are returned + bugfix 2016-11-18 18:23:52 +01:00			`zf.close()`
			`elif 'attachment' in request:`
			`# All attachments get base64 encoded`
			`sample_filename = request.get("attachment")`
			`data = base64.b64decode(data)`

			`else:`
			`misperrors['error'] = "No malware sample or attachment supplied"`
			`return misperrors`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`except Exception:`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`misperrors['error'] = "Unable to process submited sample data"`
			`return misperrors`

			`if (request["config"].get("apikey") is None) or (request["config"].get("url") is None):`
			`misperrors["error"] = "Missing API key or server URL (hint: try cloud.vmray.com)"`
			`return misperrors`

			`api = VMRayRESTAPI(request["config"].get("url"), request["config"].get("apikey"), False)`

			`shareable = request["config"].get("shareable")`
			`do_not_reanalyze = request["config"].get("do_not_reanalyze")`
			`do_not_include_vmrayjobids = request["config"].get("do_not_include_vmrayjobids")`

Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`try:`
fix: [pep] Comply to PEP E261 2020-05-01 05:12:33 +02:00			`shareable = bool(strtobool(shareable)) # Do we want the sample to be shared?`
			`reanalyze = not bool(strtobool(do_not_reanalyze)) # Always reanalyze the sample?`
			`include_vmrayjobids = not bool(strtobool(do_not_include_vmrayjobids)) # Include the references to VMRay job IDs`
Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`except ValueError:`
			`misperrors["error"] = "Error while processing settings. Please double-check your values."`
			`return misperrors`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00
Submit malware samples _submit now includes malware samples (zipped content from misp) _import checks when no vti_results are returned + bugfix 2016-11-18 18:23:52 +01:00			`if data and sample_filename:`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`args = {}`
			`args["shareable"] = shareable`
Submit malware samples _submit now includes malware samples (zipped content from misp) _import checks when no vti_results are returned + bugfix 2016-11-18 18:23:52 +01:00			`args["sample_file"] = {'data': io.BytesIO(data), 'filename': sample_filename}`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`args["reanalyze"] = reanalyze`

			`try:`
			`vmraydata = vmraySubmit(api, args)`
Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`if vmraydata["errors"] and "Submission not stored" not in vmraydata["errors"][0]["error_msg"]:`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`misperrors['error'] = "VMRay: %s" % vmraydata["errors"][0]["error_msg"]`
			`return misperrors`
			`else:`
			`return vmrayProcess(vmraydata)`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`except Exception:`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`misperrors['error'] = "Problem when calling API."`
			`return misperrors`
			`else:`
			`misperrors['error'] = "No sample data or filename."`
			`return misperrors`


			`def introspection():`
			`return mispattributes`


			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`


			`def vmrayProcess(vmraydata):`
			`''' Process the JSON file returned by vmray'''`
			`if vmraydata:`
			`try:`
Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`sample = vmraydata["samples"][0]`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`jobs = vmraydata["jobs"]`

			`# Result received?`
Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`if sample:`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`r = {'results': []}`
Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`r['results'].append({'types': 'md5', 'values': sample['sample_md5hash']})`
			`r['results'].append({'types': 'sha1', 'values': sample['sample_sha1hash']})`
			`r['results'].append({'types': 'sha256', 'values': sample['sample_sha256hash']})`
			`r['results'].append({'types': 'text', 'values': 'VMRay Sample ID: %s' % sample['sample_id'], 'tags': 'workflow:state="incomplete"'})`
			`r['results'].append({'types': 'link', 'values': sample['sample_webif_url']})`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00
			`# Include data from different jobs`
Update vmray_submit The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved. 2020-04-23 14:47:48 +02:00			`if include_vmrayjobids and len(jobs) > 0:`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`for job in jobs:`
			`job_id = job["job_id"]`
			`job_vm_name = job["job_vm_name"]`
			`job_configuration_name = job["job_configuration_name"]`
Multiple clanges in the vmray modules. * Generic fix to load modules requiring a local library * Fix python3 support * PEP8 related cleanups 2016-11-15 16:43:11 +01:00			`r["results"].append({"types": "text", "values": "VMRay Job ID %s (%s - %s)" % (job_id, job_vm_name, job_configuration_name)})`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`return r`
			`else:`
			`misperrors['error'] = "No valid results returned."`
			`return misperrors`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`except Exception:`
VMRay Import & Submit module * First commit * No support for archives (yet) submit 2016-11-13 21:43:59 +01:00			`misperrors['error'] = "No valid submission data returned."`
			`return misperrors`
			`else:`
			`misperrors['error'] = "Unable to parse results."`
			`return misperrors`


			`def vmraySubmit(api, args):`
			`''' Submit the sample to VMRay'''`
			`vmraydata = api.call("POST", "/rest/sample/submit", args)`
			`return vmraydata`