diff --git a/doc/README.md b/doc/README.md
index c32a8c4..02506ab 100644
--- a/doc/README.md
+++ b/doc/README.md
@@ -178,6 +178,25 @@ Module to query Crowdstrike Falcon.
-----
+#### [cuckoo_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cuckoo_submit.py)
+
+
+
+An expansion module to submit files and URLs to Cuckoo Sandbox.
+- **features**:
+>The module takes a malware-sample, attachment, url or domain and submits it to Cuckoo Sandbox.
+> The returned task id can be used to retrieve results when the analysis completed.
+- **input**:
+>A malware-sample or attachment for files. A url or domain for URLs.
+- **output**:
+>A text field containing 'Cuckoo task id: '
+- **references**:
+>https://cuckoosandbox.org/, https://cuckoo.sh/docs/
+- **requirements**:
+>Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key)
+
+-----
+
#### [cve](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve.py)
@@ -1081,7 +1100,13 @@ OSQuery export of a MISP event.
Simple export of a MISP event to PDF.
- **features**:
->The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of asciidoctor, used to create the file, there is no special feature concerning the Event.
+>The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of reportlab, used to create the file, there is no special feature concerning the Event. Some parameters can be given through the config dict. 'MISP_base_url_for_dynamic_link' is your MISP URL, to attach an hyperlink to your event on your MISP instance from the PDF. Keep it clear to avoid hyperlinks in the generated pdf.
+> 'MISP_name_for_metadata' is your CERT or MISP instance name. Used as text in the PDF' metadata
+> 'Activate_textual_description' is a boolean (True or void) to activate the textual description/header abstract of an event
+> 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.
+> 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !
+> 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.
+> 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option
- **input**:
>MISP Event
- **output**:
@@ -1089,7 +1114,7 @@ Simple export of a MISP event to PDF.
- **references**:
>https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html
- **requirements**:
->PyMISP, asciidoctor
+>PyMISP, reportlab
-----
diff --git a/doc/expansion/cuckoo_submit.json b/doc/expansion/cuckoo_submit.json
new file mode 100644
index 0000000..7fe8067
--- /dev/null
+++ b/doc/expansion/cuckoo_submit.json
@@ -0,0 +1,9 @@
+{
+ "description": "An expansion module to submit files and URLs to Cuckoo Sandbox.",
+ "logo": "logos/cuckoo.png",
+ "requirements": ["Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key)"],
+ "input": "A malware-sample or attachment for files. A url or domain for URLs.",
+ "output": "A text field containing 'Cuckoo task id: '",
+ "references": ["https://cuckoosandbox.org/", "https://cuckoo.sh/docs/"],
+ "features": "The module takes a malware-sample, attachment, url or domain and submits it to Cuckoo Sandbox.\n The returned task id can be used to retrieve results when the analysis completed."
+}
diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index ff847a4..994b289 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -1,6 +1,6 @@
from . import _vmray # noqa
-__all__ = ['vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
+__all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
'countrycode', 'cve', 'dns', 'btc_steroids', 'domaintools', 'eupi',
'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal',
'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep',
diff --git a/misp_modules/modules/expansion/cuckoo_submit.py b/misp_modules/modules/expansion/cuckoo_submit.py
new file mode 100644
index 0000000..c1ded90
--- /dev/null
+++ b/misp_modules/modules/expansion/cuckoo_submit.py
@@ -0,0 +1,153 @@
+import base64
+import io
+import json
+import logging
+import requests
+import sys
+import urllib.parse
+import zipfile
+
+from requests.exceptions import RequestException
+
+log = logging.getLogger("cuckoo_submit")
+log.setLevel(logging.DEBUG)
+sh = logging.StreamHandler(sys.stdout)
+sh.setLevel(logging.DEBUG)
+fmt = logging.Formatter(
+ "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+)
+sh.setFormatter(fmt)
+log.addHandler(sh)
+
+moduleinfo = {
+ "version": "0.1", "author": "Evert Kors",
+ "description": "Submit files and URLs to Cuckoo Sandbox",
+ "module-type": ["expansion", "hover"]
+}
+misperrors = {"error": "Error"}
+moduleconfig = ["api_url", "api_key"]
+mispattributes = {
+ "input": ["attachment", "malware-sample", "url", "domain"],
+ "output": ["text"]
+}
+
+
+class APIKeyError(RequestException):
+ """Raised if the Cuckoo API returns a 401. This means no or an invalid
+ bearer token was supplied."""
+ pass
+
+
+class CuckooAPI(object):
+
+ def __init__(self, api_url, api_key=""):
+ self.api_key = api_key
+ if not api_url.startswith("http"):
+ api_url = "https://{}".format(api_url)
+
+ self.api_url = api_url
+
+ def _post_api(self, endpoint, files=None, data={}):
+ data.update({
+ "owner": "MISP"
+ })
+
+ try:
+ response = requests.post(
+ urllib.parse.urljoin(self.api_url, endpoint),
+ files=files, data=data,
+ headers={"Authorization": "Bearer {}".format(self.api_key)}
+ )
+ except RequestException as e:
+ log.error("Failed to submit sample to Cuckoo Sandbox. %s", e)
+ return None
+
+ if response.status_code == 401:
+ raise APIKeyError("Invalid or no Cuckoo Sandbox API key provided")
+
+ if response.status_code != 200:
+ log.error("Invalid Cuckoo API response")
+ return None
+
+ return response.json()
+
+ def create_task(self, filename, fp):
+ response = self._post_api(
+ "/tasks/create/file", files={"file": (filename, fp)}
+ )
+ if not response:
+ return False
+
+ return response["task_id"]
+
+ def create_url(self, url):
+ response = self._post_api(
+ "/tasks/create/url", data={"url": url}
+ )
+ if not response:
+ return False
+
+ return response["task_id"]
+
+
+def handler(q=False):
+ if q is False:
+ return False
+
+ request = json.loads(q)
+
+ # See if the API URL was provided. The API key is optional, as it can
+ # be disabled in the Cuckoo API settings.
+ api_url = request["config"].get("api_url")
+ api_key = request["config"].get("api_key", "")
+ if not api_url:
+ misperrors["error"] = "No Cuckoo API URL provided"
+ return misperrors
+
+ url = request.get("url") or request.get("domain")
+ data = request.get("data")
+ filename = None
+ if data:
+ data = base64.b64decode(data)
+
+ if "malware-sample" in request:
+ filename = request.get("malware-sample").split("|", 1)[0]
+ with zipfile.ZipFile(io.BytesIO(data)) as zipf:
+ data = zipf.read(zipf.namelist()[0], pwd=b"infected")
+
+ elif "attachment" in request:
+ filename = request.get("attachment")
+
+ cuckoo_api = CuckooAPI(api_url=api_url, api_key=api_key)
+ task_id = None
+ try:
+ if url:
+ log.debug("Submitting URL to Cuckoo Sandbox %s", api_url)
+ task_id = cuckoo_api.create_url(url)
+ elif data and filename:
+ log.debug("Submitting file to Cuckoo Sandbox %s", api_url)
+ task_id = cuckoo_api.create_task(
+ filename=filename, fp=io.BytesIO(data)
+ )
+ except APIKeyError as e:
+ misperrors["error"] = "Failed to submit to Cuckoo: {}".format(e)
+ return misperrors
+
+ if not task_id:
+ misperrors["error"] = "File or URL submission failed"
+ return misperrors
+
+ return {
+ "results": [
+ {"types": "text", "values": "Cuckoo task id: {}".format(task_id)}
+ ]
+ }
+
+
+def introspection():
+ return mispattributes
+
+
+def version():
+ moduleinfo["config"] = moduleconfig
+ return moduleinfo