From 917c95cad5a7b5b1c1e42113e8e6f4a8cd3bcf93 Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 17:40:00 +0100
Subject: [PATCH] Added countrycode, working on virustotal

---
 misp_modules/modules/expansion/countrycode.py |   3 +-
 misp_modules/modules/expansion/virustotal.py  | 125 ++++++++++++++++++
 2 files changed, 126 insertions(+), 2 deletions(-)
 create mode 100755 misp_modules/modules/expansion/virustotal.py

diff --git a/misp_modules/modules/expansion/countrycode.py b/misp_modules/modules/expansion/countrycode.py
index 9fc0bfd..df43a88 100755
--- a/misp_modules/modules/expansion/countrycode.py
+++ b/misp_modules/modules/expansion/countrycode.py
@@ -2,8 +2,7 @@ import json
 import requests
 
 misperrors = {'error': 'Error'}
-mispattributes = {'input': ['hostname', 'domain'], 'output': ['ip-src',
-                                                              'ip-dst']}
+mispattributes = {'input': ['hostname', 'domain']}
 
 # possible module-types: 'expansion', 'hover' or both
 moduleinfo = {'version': '1', 'author': 'Hannah Ward',
diff --git a/misp_modules/modules/expansion/virustotal.py b/misp_modules/modules/expansion/virustotal.py
new file mode 100755
index 0000000..fcbf4f6
--- /dev/null
+++ b/misp_modules/modules/expansion/virustotal.py
@@ -0,0 +1,125 @@
+import json
+import requests
+import hashlib
+import re
+import base64
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['domain', "ip-src", "ip-dst"],
+                  'output':['domain', "ip-src", "ip-dst", "text"]
+                  }
+
+# possible module-types: 'expansion', 'hover' or both
+moduleinfo = {'version': '1', 'author': 'Hannah Ward',
+              'description': 'Get information from virustotal',
+              'module-type': ['expansion', 'hover']}
+
+# config fields that your code expects from the site admin
+moduleconfig = ["apikey"]
+
+
+def handler(q=False):
+    if q is False:
+        return False
+
+    q = json.loads(q)
+
+    key = q["config"]["apikey"]
+
+    r = {"results": []}
+    
+    if "ip-src" in q:
+      r["results"] += getIP(q["ip-src"], key)
+    if "ip-dst" in q:
+      r["results"] += getIP(q["ip-dst"], key)
+    if "domain" in q:
+      r["results"] += getDomain(q["domain"], key)
+
+  
+    return r
+
+def getIP(ip, key):
+    toReturn = []
+    req = requests.get("https://www.virustotal.com/vtapi/v2/ip-address/report", 
+                       params = {"ip":ip, "apikey":key}
+                      ).json()
+    if req["response_code"] == 0:
+      #Nothing found
+      return []
+    
+    if "resolutions" in req:
+      for res in req["resolutions"]:
+        toReturn.append( {"types":["domain"], "values":[res["hostname"]]})
+
+    toReturn += getMoreInfo(req, key)
+    return toReturn
+    
+def getDomain(ip, key):
+    toReturn = []
+    req = requests.get("https://www.virustotal.com/vtapi/v2/domain/report", 
+                       params = {"domain":ip, "apikey":key}
+                      ).json()
+    if req["response_code"] == 0:
+      #Nothing found
+      return []
+    
+    if "resolutions" in req:
+      for res in req["resolutions"]:
+        toReturn.append( {"types":["ip-dst", "ip-src"], "values":[res["ip_address"]]})
+
+    toReturn += getMoreInfo(req, key)
+
+    return toReturn
+
+def findAll(data, keys):
+  a = []
+  if isinstance(data, dict):
+    for key in data.keys():
+      if key in keys:
+        a.append(data[key])
+      else:
+        if isinstance(data[key], (dict, list)):
+          a += findAll(data[key], keys)
+  if isinstance(data, list):
+    for i in data:
+      a += findAll(i, keys)  
+    
+  return a 
+
+def getMoreInfo(req, key):
+    r = []
+    #Get all hashes first
+    hashes = []
+    hashes = findAll(req, ["md5", "sha1", "sha256", "sha512"])
+    r.append({"types":["md5", "sha1", "sha256", "sha512"], "values":hashes})
+    for hsh in hashes:
+      #Search VT for some juicy info
+      data = requests.get("http://www.virustotal.com/vtapi/v2/file/report",
+                          params={"allinfo":1, "apikey":key, "resource":hsh}
+                         ).json()
+      if "submission_names" in data:
+        r.append({'types':["filename"], "values":data["submission_names"]})
+
+      if "ssdeep" in data:
+        r.append({'types':["ssdeep"], "values":[data["ssdeep"]]})
+
+      if "authentihash" in data:
+        r.append({"types":["authentihash"], "values":[data["authentihash"]]})
+
+      if "ITW_urls" in data:
+        r.append({"types":["url"], "values":data["ITW_urls"]})
+
+      #Get the malware sample
+      sample = requests.get("https://www.virustotal.com/vtapi/v2/file/download",
+                            params = {"hash":hsh, "apikey":key})
+      r.append({'types':['malware-sample'], 'values':[str(base64.b64encode(sample.content), 'utf-8')]})
+    return r
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo
+