From 1745d33ee42b37ff52477262588c50a765f52b29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Georg=20Sch=C3=B6lly?= <georg.schoelly@joesecurity.org>
Date: Tue, 21 May 2019 21:14:21 +0200
Subject: [PATCH] add expansion for joe sandbox

---
 REQUIREMENTS                                  |   1 +
 misp_modules/modules/expansion/__init__.py    |   2 +-
 .../modules/expansion/joesandbox_submit.py    | 140 ++++++++++++++++++
 3 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 misp_modules/modules/expansion/joesandbox_submit.py

diff --git a/REQUIREMENTS b/REQUIREMENTS
index 9447c47..1d17946 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -30,6 +30,7 @@ httplib2==0.12.3
 idna-ssl==1.1.0 ; python_version < '3.7'
 idna==2.8
 isodate==0.6.0
+jbxapi==3.1.3
 jsonschema==3.0.1
 lxml==4.3.3
 maclookup==1.0.3
diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index 70aca68..e5d17c1 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -10,4 +10,4 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
            'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query', 'macaddress_io',
            'intel471', 'backscatter_io', 'btc_scam_check', 'hibp', 'greynoise', 'macvendors',
            'qrcode', 'ocr-enrich', 'pdf-enrich', 'docx-enrich', 'xlsx-enrich', 'pptx-enrich',
-           'ods-enrich', 'odt-enrich']
+           'ods-enrich', 'odt-enrich', 'joesandbox_submit']
diff --git a/misp_modules/modules/expansion/joesandbox_submit.py b/misp_modules/modules/expansion/joesandbox_submit.py
new file mode 100644
index 0000000..39b140e
--- /dev/null
+++ b/misp_modules/modules/expansion/joesandbox_submit.py
@@ -0,0 +1,140 @@
+import jbxapi
+import base64
+import io
+import json
+import logging
+import sys
+import zipfile
+import re
+
+from urllib.parse import urljoin
+
+
+log = logging.getLogger(__name__)
+log.setLevel(logging.DEBUG)
+sh = logging.StreamHandler(sys.stdout)
+sh.setLevel(logging.DEBUG)
+fmt = logging.Formatter(
+    "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+)
+sh.setFormatter(fmt)
+log.addHandler(sh)
+
+moduleinfo = {
+    "version": "1.0",
+    "author": "Joe Security LLC",
+    "description": "Submit files and URLs to Joe Sandbox",
+    "module-type": ["expansion", "hover"]
+}
+moduleconfig = [
+    "apiurl",
+    "apikey",
+    "accept-tac",
+    "report-cache",
+    "systems",
+]
+
+mispattributes = {
+    "input": ["attachment", "malware-sample", "url", "domain"],
+    "output": ["link"],
+}
+
+
+def handler(q=False):
+    if q is False:
+        return False
+
+    request = json.loads(q)
+
+    apiurl = request["config"].get("apiurl") or "https://jbxcloud.joesecurity.org/api"
+    apikey = request["config"].get("apikey")
+
+    # systems
+    systems = request["config"].get("systems") or ""
+    systems = [s.strip() for s in re.split(r"[\s,;]", systems) if s.strip()]
+
+    try:
+        accept_tac = _parse_bool(request["config"].get("accept-tac"), "accept-tac")
+        report_cache = _parse_bool(request["config"].get("report-cache"), "report-cache")
+    except _ParseError as e:
+        return {"error": str(e)}
+
+    params = {
+        "report-cache": report_cache,
+        "systems": systems,
+    }
+
+    if not apikey:
+        return {"error": "No API key provided"}
+
+    joe = jbxapi.JoeSandbox(apiurl=apiurl, apikey=apikey, user_agent="MISP joesandbox_submit", accept_tac=accept_tac)
+
+    try:
+        is_url_submission = "url" in request or "domain" in request
+
+        if is_url_submission:
+            url = request.get("url") or request.get("domain")
+
+            log.info("Submitting URL: %s", url)
+            result = joe.submit_url(url, params=params)
+        else:
+            if "malware-sample" in request:
+                filename = request.get("malware-sample").split("|", 1)[0]
+                data = _decode_malware(request["data"], True)
+            elif "attachment" in request:
+                filename = request["attachment"]
+                data = _decode_malware(request["data"], False)
+
+            data_fp = io.BytesIO(data)
+            log.info("Submitting sample: %s", filename)
+            result = joe.submit_sample((filename, data_fp), params=params)
+
+        assert "submission_id" in result
+    except jbxapi.JoeException as e:
+        return {"error": str(e)}
+
+    link_to_analysis = urljoin(apiurl, "../submissions/{}".format(result["submission_id"]))
+
+    return {
+        "results": [{
+            "types": "link",
+            "categories": "External analysis",
+            "values": link_to_analysis,
+        }]
+    }
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo["config"] = moduleconfig
+    return moduleinfo
+
+
+def _decode_malware(data, is_encrypted):
+    data = base64.b64decode(data)
+
+    if is_encrypted:
+        with zipfile.ZipFile(io.BytesIO(data)) as zipf:
+            data = zipf.read(zipf.namelist()[0], pwd=b"infected")
+
+    return data
+
+
+class _ParseError(Exception):
+    pass
+
+
+def _parse_bool(value, name="bool"):
+    if value is None or value == "":
+        return None
+
+    if value == "true":
+        return True
+
+    if value == "false":
+        return False
+
+    raise _ParseError("Cannot parse {}. Must be 'true' or 'false'".format(name))