import json
from . import check_input_attribute , checking_error , standard_error_message
from . _ransomcoindb import ransomcoindb
from pymisp import MISPObject
copyright = """
Copyright 2019 ( C ) by Aaron Kaplan < aaron @lo - res . org > , all rights reserved .
This file is part of the ransomwarecoindDB project and licensed under the AGPL 3.0 license
"""
__version__ = 0.1
2019-11-26 11:15:47 +01:00
debug = False
2019-11-25 18:52:39 +01:00
misperrors = { ' error ' : ' Error ' }
# mispattributes = {'input': ['sha1', 'sha256', 'md5', 'btc', 'xmr', 'dash' ], 'output': ['btc', 'sha1', 'sha256', 'md5', 'freetext']}
2019-11-26 11:15:47 +01:00
mispattributes = { ' input ' : [ ' sha1 ' , ' sha256 ' , ' md5 ' , ' btc ' ] , ' output ' : [ ' btc ' , ' sha1 ' , ' sha256 ' , ' md5 ' , ' freetext ' ] , ' format ' : ' misp_standard ' }
2019-11-25 22:24:57 +01:00
moduleinfo = { ' version ' : __version__ , ' author ' : ' Aaron Kaplan ' , ' description ' : ' Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com) ' , ' module-type ' : [ ' expansion ' , ' hover ' ] }
2019-11-25 18:52:39 +01:00
moduleconfig = [ ' api-key ' ]
def handler(q=False):
    """Entry point called by MISP for this expansion/hover module.

    ``q`` is the JSON-encoded query sent by MISP. The function validates the
    API key and the attribute, queries ransomcoinDB and returns a
    ``{'results': ...}`` dict. It returns ``False`` when called without a
    query and an ``{'error': ...}`` dict when the input is unusable.
    """
    if q is False:
        return False

    query = json.loads(q)

    # The query is expected to look like
    #   {'config': {'api-key': '<api key here>'},
    #    'attribute': {'type': 'md5' | 'sha1' | 'sha256' | 'btc', 'value': '...'},
    #    'module': 'ransomcoindb', ...}
    # Only config['api-key'] and attribute['type'/'value'] are read here.
    if "config" not in query or "api-key" not in query["config"]:
        return {"error": "Ransomcoindb API key is missing"}

    attribute = query.get('attribute')
    if not attribute or not check_input_attribute(attribute, requirements=('type', 'value')):
        return {'error': f'{standard_error_message}, {checking_error}.'}

    lookup_type = attribute['type']
    if lookup_type not in mispattributes['input']:
        return {'error': 'Unsupported attribute type.'}

    # Credential taken from the MISP module config; it is only handed to the
    # backend client and must not end up in results or error messages.
    api_key = query["config"]["api-key"]
    answer = ransomcoindb.get_data_by('BTC', lookup_type, attribute['value'], api_key)

    results = {"results": []}
    if lookup_type in ('md5', 'sha1', 'sha256'):
        # Hash lookup: report every BTC address the backend associates with it.
        # NOTE(review): this branch returns the list-of-{types, values} shape
        # while mispattributes declares format 'misp_standard' and the btc
        # branch below returns an {'Object': [...]} dict - confirm MISP accepts
        # both shapes for this module.
        results['results'].append({'types': 'btc', 'values': [record['btc'] for record in answer]})
    elif lookup_type == 'btc':
        # Address lookup: one MISP 'file' object per record, carrying its hashes.
        file_objects = []
        for record in answer:
            file_obj = MISPObject('file')
            for hash_type in ('md5', 'sha1', 'sha256'):
                file_obj.add_attribute(hash_type, record[hash_type])
            file_objects.append(file_obj)
        results['results'] = {'Object': [json.loads(obj.to_json()) for obj in file_objects]}

    return results
def introspection():
    """Return the module's declared input/output attribute types and result format."""
    return mispattributes
def version():
    """Return the module metadata, with the required config keys attached.

    Mutates the module-level ``moduleinfo`` dict by setting its ``'config'``
    entry to ``moduleconfig`` before returning it.
    """
    moduleinfo.update({'config': moduleconfig})
    return moduleinfo