mirror of https://github.com/MISP/misp-modules
new: Expansion module to query MALWAREbazaar API with some hash attribute
parent
6417421d76
commit
0671f93724
|
@ -15,5 +15,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
|
|||
'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
|
||||
'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
|
||||
'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
|
||||
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb',
|
||||
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
|
||||
'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion']
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
import json
|
||||
import requests
|
||||
from pymisp import MISPEvent, MISPObject
|
||||
|
||||
mispattributes = {'input': ['md5', 'sha1', 'sha256'],
|
||||
'format': 'misp_standard'}
|
||||
moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
|
||||
'description': 'Query Malware Bazaar to get additional information about the input hash.',
|
||||
'module-type': ['expansion', 'hover']}
|
||||
moduleconfig = []
|
||||
|
||||
|
||||
|
||||
def parse_response(response):
|
||||
mapping = {'file_name': {'type': 'filename', 'object_relation': 'filename'},
|
||||
'file_size': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'},
|
||||
'file_type_mime': {'type': 'mime-type', 'object_relation': 'mimetype'},
|
||||
'md5_hash': {'type': 'md5', 'object_relation': 'md5'},
|
||||
'sha1_hash': {'type': 'sha1', 'object_relation': 'sha1'},
|
||||
'sha256_hash': {'type': 'sha256', 'object_relation': 'sha256'},
|
||||
'ssdeep': {'type': 'ssdeep', 'object_relation': 'ssdeep'}}
|
||||
misp_event = MISPEvent()
|
||||
for data in response:
|
||||
misp_object = MISPObject('file')
|
||||
for feature, attribute in mapping.items():
|
||||
if feature in data:
|
||||
misp_attribute = {'value': data[feature]}
|
||||
misp_attribute.update(attribute)
|
||||
misp_object.add_attribute(**misp_attribute)
|
||||
misp_event.add_object(**misp_object)
|
||||
return {'results': {'Object': [json.loads(misp_object.to_json()) for misp_object in misp_event.objects]}}
|
||||
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
request = json.loads(q)
|
||||
attribute = request['attribute']
|
||||
url = 'https://mb-api.abuse.ch/api/v1/'
|
||||
response = requests.post(url, data={'query': 'get_info', 'hash': attribute['value']}).json()
|
||||
query_status = response['query_status']
|
||||
if query_status == 'ok':
|
||||
return parse_response(response['data'])
|
||||
return {'error': 'Hash not found on MALWAREbazzar' if query_status == 'hash_not_found' else f'Problem encountered during the query: {query_status}'}
|
||||
|
||||
|
||||
def introspection():
|
||||
return mispattributes
|
||||
|
||||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleinfo
|
Loading…
Reference in New Issue