Merge pull request #381 from MISP/new_module

New module for MALWAREbazaar
pull/411/head
Christian Studer 2020-06-30 17:39:47 +02:00 committed by GitHub
commit 9c55495e19
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 78 additions and 1 deletions

View File

@ -57,6 +57,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
* [Lastline query](misp_modules/modules/expansion/lastline_query.py) - Query Lastline with the link to an analysis and parse the report.
* [macaddress.io](misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module).
* [macvendors](misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information.
* [MALWAREbazaar](misp_modules/modules/expansion/malwarebazaar.py) - an expansion module to query MALWAREbazaar with some payload.
* [ocr-enrich](misp_modules/modules/expansion/ocr_enrich.py) - an enrichment module to get OCRized data from images into MISP.
* [ods-enrich](misp_modules/modules/expansion/ods_enrich.py) - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).
* [odt-enrich](misp_modules/modules/expansion/odt_enrich.py) - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).

View File

@ -715,6 +715,22 @@ Module to access Macvendors API.
-----
#### [malwarebazaar](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/malwarebazaar.py)
Query the MALWAREbazaar API to get additional information about the input hash attribute.
- **features**:
>The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.
>
>The module is using the new format of modules able to return object since the result is one or multiple MISP object(s).
- **input**:
>A hash attribute (md5, sha1 or sha256).
- **output**:
>File object(s) related to the input attribute found on MALWAREbazaar databases.
- **references**:
>https://bazaar.abuse.ch/
-----
#### [ocr-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr-enrich.py)
Module to process some optical character recognition on pictures.

View File

@ -0,0 +1,8 @@
{
"description": "Query the MALWAREbazaar API to get additional information about the input hash attribute.",
"requirements": [],
"input": "A hash attribute (md5, sha1 or sha256).",
"output": "File object(s) related to the input attribute found on MALWAREbazaar databases.",
"references": ["https://bazaar.abuse.ch/"],
"features": "The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.\n\nThe module is using the new format of modules able to return object since the result is one or multiple MISP object(s)."
}

View File

@ -15,5 +15,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb',
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich']

View File

@ -0,0 +1,52 @@
import json
import requests
from pymisp import MISPEvent, MISPObject
mispattributes = {'input': ['md5', 'sha1', 'sha256'],
'format': 'misp_standard'}
moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
'description': 'Query Malware Bazaar to get additional information about the input hash.',
'module-type': ['expansion', 'hover']}
moduleconfig = []
def parse_response(response):
mapping = {'file_name': {'type': 'filename', 'object_relation': 'filename'},
'file_size': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'},
'file_type_mime': {'type': 'mime-type', 'object_relation': 'mimetype'},
'md5_hash': {'type': 'md5', 'object_relation': 'md5'},
'sha1_hash': {'type': 'sha1', 'object_relation': 'sha1'},
'sha256_hash': {'type': 'sha256', 'object_relation': 'sha256'},
'ssdeep': {'type': 'ssdeep', 'object_relation': 'ssdeep'}}
misp_event = MISPEvent()
for data in response:
misp_object = MISPObject('file')
for feature, attribute in mapping.items():
if feature in data:
misp_attribute = {'value': data[feature]}
misp_attribute.update(attribute)
misp_object.add_attribute(**misp_attribute)
misp_event.add_object(**misp_object)
return {'results': {'Object': [json.loads(misp_object.to_json()) for misp_object in misp_event.objects]}}
def handler(q=False):
if q is False:
return False
request = json.loads(q)
attribute = request['attribute']
url = 'https://mb-api.abuse.ch/api/v1/'
response = requests.post(url, data={'query': 'get_info', 'hash': attribute['value']}).json()
query_status = response['query_status']
if query_status == 'ok':
return parse_response(response['data'])
return {'error': 'Hash not found on MALWAREbazzar' if query_status == 'hash_not_found' else f'Problem encountered during the query: {query_status}'}
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo