From 0671f93724e75d584a1ac9ca94f6e272663e5cd3 Mon Sep 17 00:00:00 2001
From: chrisr3d <chris.studer.68@gmail.com>
Date: Wed, 18 Mar 2020 18:05:57 +0100
Subject: [PATCH] new: Expansion module to query MALWAREbazaar API with some
 hash attribute

---
 misp_modules/modules/expansion/__init__.py    |  2 +-
 .../modules/expansion/malwarebazaar.py        | 53 +++++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 misp_modules/modules/expansion/malwarebazaar.py

diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index 2a99050..a8e35db 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -15,5 +15,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
            'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
            'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
            'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
-           'assemblyline_submit', 'assemblyline_query', 'ransomcoindb',
+           'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
            'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion']
diff --git a/misp_modules/modules/expansion/malwarebazaar.py b/misp_modules/modules/expansion/malwarebazaar.py
new file mode 100644
index 0000000..4930fd6
--- /dev/null
+++ b/misp_modules/modules/expansion/malwarebazaar.py
@@ -0,0 +1,53 @@
+import json
+import requests
+from pymisp import MISPEvent, MISPObject
+
+mispattributes = {'input': ['md5', 'sha1', 'sha256'],
+                  'format': 'misp_standard'}
+moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
+              'description': 'Query Malware Bazaar to get additional information about the input hash.',
+              'module-type': ['expansion', 'hover']}
+moduleconfig = []
+
+
+
+def parse_response(response):
+    mapping = {'file_name': {'type': 'filename', 'object_relation': 'filename'},
+               'file_size': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'},
+               'file_type_mime': {'type': 'mime-type', 'object_relation': 'mimetype'},
+               'md5_hash': {'type': 'md5', 'object_relation': 'md5'},
+               'sha1_hash': {'type': 'sha1', 'object_relation': 'sha1'},
+               'sha256_hash': {'type': 'sha256', 'object_relation': 'sha256'},
+               'ssdeep': {'type': 'ssdeep', 'object_relation': 'ssdeep'}}
+    misp_event = MISPEvent()
+    for data in response:
+        misp_object = MISPObject('file')
+        for feature, attribute in mapping.items():
+            if feature in data:
+                misp_attribute = {'value': data[feature]}
+                misp_attribute.update(attribute)
+                misp_object.add_attribute(**misp_attribute)
+        misp_event.add_object(**misp_object)
+    return {'results': {'Object': [json.loads(misp_object.to_json()) for misp_object in misp_event.objects]}}
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    attribute = request['attribute']
+    url = 'https://mb-api.abuse.ch/api/v1/'
+    response = requests.post(url, data={'query': 'get_info', 'hash': attribute['value']}).json()
+    query_status = response['query_status']
+    if query_status == 'ok':
+        return parse_response(response['data'])
+    return {'error': 'Hash not found on MALWAREbazzar' if query_status == 'hash_not_found' else f'Problem encountered during the query: {query_status}'}
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo