From 0671f93724e75d584a1ac9ca94f6e272663e5cd3 Mon Sep 17 00:00:00 2001
From: chrisr3d <chris.studer.68@gmail.com>
Date: Wed, 18 Mar 2020 18:05:57 +0100
Subject: [PATCH 1/3] new: Expansion module to query MALWAREbazaar API with
 some hash attribute

---
 misp_modules/modules/expansion/__init__.py    |  2 +-
 .../modules/expansion/malwarebazaar.py        | 53 +++++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 misp_modules/modules/expansion/malwarebazaar.py

diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index 2a99050..a8e35db 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -15,5 +15,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
            'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
            'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
            'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
-           'assemblyline_submit', 'assemblyline_query', 'ransomcoindb',
+           'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
            'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion']
diff --git a/misp_modules/modules/expansion/malwarebazaar.py b/misp_modules/modules/expansion/malwarebazaar.py
new file mode 100644
index 0000000..4930fd6
--- /dev/null
+++ b/misp_modules/modules/expansion/malwarebazaar.py
@@ -0,0 +1,53 @@
+import json
+import requests
+from pymisp import MISPEvent, MISPObject
+
+mispattributes = {'input': ['md5', 'sha1', 'sha256'],
+                  'format': 'misp_standard'}
+moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
+              'description': 'Query Malware Bazaar to get additional information about the input hash.',
+              'module-type': ['expansion', 'hover']}
+moduleconfig = []
+
+
+
+def parse_response(response):
+    mapping = {'file_name': {'type': 'filename', 'object_relation': 'filename'},
+               'file_size': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'},
+               'file_type_mime': {'type': 'mime-type', 'object_relation': 'mimetype'},
+               'md5_hash': {'type': 'md5', 'object_relation': 'md5'},
+               'sha1_hash': {'type': 'sha1', 'object_relation': 'sha1'},
+               'sha256_hash': {'type': 'sha256', 'object_relation': 'sha256'},
+               'ssdeep': {'type': 'ssdeep', 'object_relation': 'ssdeep'}}
+    misp_event = MISPEvent()
+    for data in response:
+        misp_object = MISPObject('file')
+        for feature, attribute in mapping.items():
+            if feature in data:
+                misp_attribute = {'value': data[feature]}
+                misp_attribute.update(attribute)
+                misp_object.add_attribute(**misp_attribute)
+        misp_event.add_object(**misp_object)
+    return {'results': {'Object': [json.loads(misp_object.to_json()) for misp_object in misp_event.objects]}}
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    attribute = request['attribute']
+    url = 'https://mb-api.abuse.ch/api/v1/'
+    response = requests.post(url, data={'query': 'get_info', 'hash': attribute['value']}).json()
+    query_status = response['query_status']
+    if query_status == 'ok':
+        return parse_response(response['data'])
+    return {'error': 'Hash not found on MALWAREbazzar' if query_status == 'hash_not_found' else f'Problem encountered during the query: {query_status}'}
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo

From 8805bd86492aac6531fe64610e7d7706c2b632c1 Mon Sep 17 00:00:00 2001
From: chrisr3d <chris.studer.68@gmail.com>
Date: Wed, 18 Mar 2020 18:42:26 +0100
Subject: [PATCH 2/3] add: Added documentation for the latest new modules

---
 README.md                        |  1 +
 doc/README.md                    | 34 ++++++++++++++++++++++++++++++++
 doc/expansion/malwarebazaar.json |  8 ++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 doc/expansion/malwarebazaar.json

diff --git a/README.md b/README.md
index fe37cd5..165f3c5 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [Lastline query](misp_modules/modules/expansion/lastline_query.py) - Query Lastline with the link to an analysis and parse the report.
 * [macaddress.io](misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module).
 * [macvendors](misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information.
+* [MALWAREbazaar](misp_modules/modules/expansion/malwarebazaar.py) - an expansion module to query MALWAREbazaar with some payload.
 * [ocr-enrich](misp_modules/modules/expansion/ocr_enrich.py) - an enrichment module to get OCRized data from images into MISP.
 * [ods-enrich](misp_modules/modules/expansion/ods_enrich.py) - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).
 * [odt-enrich](misp_modules/modules/expansion/odt_enrich.py) - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).
diff --git a/doc/README.md b/doc/README.md
index 7e6bee3..9f221bd 100644
--- a/doc/README.md
+++ b/doc/README.md
@@ -295,6 +295,24 @@ An expansion hover module to expand information about CVE id.
 
 -----
 
+#### [cytomic_orion.py](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cytomic_orion.py.py)
+
+<img src=logos/cytomic_orion.png height=60>
+
+An expansion module to enrich attributes in MISP by quering the Cytomic Orion API
+- **features**:
+>This module takes an MD5 hash and searches for occurrences of this hash in the Cytomic Orion database. Returns observed files and machines.
+- **input**:
+>MD5, hash of the sample / malware to search for.
+- **output**:
+>MISP objects with sightings of the hash in Cytomic Orion. Includes files and machines.
+- **references**:
+>https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/, https://www.cytomicmodel.com/solutions/
+- **requirements**:
+>Access (license) to Cytomic Orion
+
+-----
+
 #### [dbl_spamhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dbl_spamhaus.py)
 
 <img src=logos/spamhaus.jpg height=60>
@@ -681,6 +699,22 @@ Module to access Macvendors API.
 
 -----
 
+#### [malwarebazaar](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/malwarebazaar.py)
+
+Query the MALWAREbazaar API to get additional information about the input hash attribute.
+- **features**:
+>The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.
+>
+>The module is using the new format of modules able to return object since the result is one or multiple MISP object(s).
+- **input**:
+>A hash attribute (md5, sha1 or sha256).
+- **output**:
+>File object(s) related to the input attribute found on MALWAREbazaar databases.
+- **references**:
+>https://bazaar.abuse.ch/
+
+-----
+
 #### [ocr-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr-enrich.py)
 
 Module to process some optical character recognition on pictures.
diff --git a/doc/expansion/malwarebazaar.json b/doc/expansion/malwarebazaar.json
new file mode 100644
index 0000000..2db6ad5
--- /dev/null
+++ b/doc/expansion/malwarebazaar.json
@@ -0,0 +1,8 @@
+{
+    "description": "Query the MALWAREbazaar API to get additional information about the input hash attribute.",
+    "requirements": [],
+    "input": "A hash attribute (md5, sha1 or sha256).",
+    "output": "File object(s) related to the input attribute found on MALWAREbazaar databases.",
+    "references": ["https://bazaar.abuse.ch/"],
+    "features": "The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.\n\nThe module is using the new format of modules able to return object since the result is one or multiple MISP object(s)."
+}

From 48b381d704ac9c1a1efcaccd9d8758f715d771dd Mon Sep 17 00:00:00 2001
From: chrisr3d <chris.studer.68@gmail.com>
Date: Wed, 18 Mar 2020 18:58:11 +0100
Subject: [PATCH 3/3] fix: Making pep8 happy

---
 misp_modules/modules/expansion/malwarebazaar.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/misp_modules/modules/expansion/malwarebazaar.py b/misp_modules/modules/expansion/malwarebazaar.py
index 4930fd6..4574b75 100644
--- a/misp_modules/modules/expansion/malwarebazaar.py
+++ b/misp_modules/modules/expansion/malwarebazaar.py
@@ -10,7 +10,6 @@ moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
 moduleconfig = []
 
 
-
 def parse_response(response):
     mapping = {'file_name': {'type': 'filename', 'object_relation': 'filename'},
                'file_size': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'},