mirror of https://github.com/MISP/misp-modules
Merge branch 'master' of github.com:MISP/misp-modules
commit
fdbbd0e138
@ -22,6 +22,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
|
||||||
* [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
|
* [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
|
||||||
* [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
|
* [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
|
||||||
* [DNS](misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
|
* [DNS](misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
|
||||||
|
* [DomainTools](misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois.
|
||||||
* [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
|
* [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
|
||||||
* [IPASN](misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
|
* [IPASN](misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
|
||||||
* [passivetotal](misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
|
* [passivetotal](misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
from . import _vmray
|
from . import _vmray
|
||||||
|
|
||||||
__all__ = ['vmray_import', 'testimport', 'ocr', 'stiximport']
|
__all__ = ['vmray_import', 'testimport', 'ocr', 'stiximport', 'cuckooimport']
|
||||||
|
|
|
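--- /dev/null
+++ b/PATH_NOT_ON_PAGE/cuckooimport.py
@@ -0,0 +1,196 @@
+import json
+import logging
+import sys
+import base64
+
+misperrors = {'error': 'Error'}
+userConfig = {}
+inputSource = ['file']
+
+moduleinfo = {'version': '0.1', 'author': 'Victor van der Stoep',
+              'description': 'Cuckoo JSON import',
+              'module-type': ['import']}
+
+moduleconfig = []
+
+def handler(q=False):
+    # Just in case we have no data
+    if q is False:
+        return False
+
+    # The return value
+    r = {'results': []}
+
+    # Load up that JSON
+    q = json.loads(q)
+    data = base64.b64decode(q.get("data")).decode('utf-8')
+
+    # If something really weird happened
+    if not data:
+        return json.dumps({"success": 0})
+
+    data = json.loads(data)
+
+    # Get characteristics of file
+    targetFile = data['target']['file']
+
+    # Process the inital binary
+    processBinary(r, targetFile, initial = True)
+
+    # Get binary information for dropped files
+    if(data.get('dropped')):
+        for droppedFile in data['dropped']:
+            processBinary(r, droppedFile, dropped = True)
+
+    # Add malscore to results
+    r["results"].append({
+        "values": "Malscore: {} ".format(data['malscore']),
+        "types": "comment",
+        "categories": "Payload delivery",
+        "comment": "Cuckoo analysis: MalScore"
+    })
+
+    # Add virustotal data, if exists
+    if(data.get('virustotal')):
+        processVT(r, data['virustotal'])
+
+    # Add network information, should be improved
+    processNetwork(r, data['network'])
+
+    # Add behavioral information
+    processSummary(r, data['behavior']['summary'])
+
+    # Return
+    return r
+
+def processSummary(r, summary):
+    r["results"].append({
+        "values": summary['mutexes'],
+        "types": "mutex",
+        "categories": "Artifacts dropped",
+        "comment": "Cuckoo analysis: Observed mutexes"
+    })
+
+def processVT(r, virustotal):
+    category = "Antivirus detection"
+    comment = "VirusTotal analysis"
+
+    if(virustotal.get('permalink')):
+        r["results"].append({
+            "values": virustotal['permalink'],
+            "types": "link",
+            "categories": category,
+            "comments": comment + " - Permalink"
+        })
+
+    if(virustotal.get('total')):
+        r["results"].append({
+            "values": "VirusTotal detection rate {}/{}".format(
+                virustotal['positives'],
+                virustotal['total']
+            ),
+            "types": "comment",
+            "categories": category,
+            "comment": comment
+        })
+    else:
+        r["results"].append({
+            "values": "Sample not detected on VirusTotal",
+            "types": "comment",
+            "categories": category,
+            "comment": comment
+        })
+
+
+def processNetwork(r, network):
+    category = "Network activity"
+
+    for host in network['hosts']:
+        r["results"].append({
+            "values": host['ip'],
+            "types": "ip-dst",
+            "categories": category,
+            "comment": "Cuckoo analysis: Observed network traffic"
+        })
+
+
+def processBinary(r, target, initial = False, dropped = False):
+    if(initial):
+        comment = "Cuckoo analysis: Initial file"
+        category = "Payload delivery"
+    elif(dropped):
+        category = "Artifacts dropped"
+        comment = "Cuckoo analysis: Dropped file"
+
+    r["results"].append({
+        "values": target['name'],
+        "types": "filename",
+        "categories": category,
+        "comment": comment
+    })
+
+    r["results"].append({
+        "values": target['md5'],
+        "types": "md5",
+        "categories": category,
+        "comment": comment
+    })
+
+    r["results"].append({
+        "values": target['sha1'],
+        "types": "sha1",
+        "categories": category,
+        "comment": comment
+    })
+
+    r["results"].append({
+        "values": target['sha256'],
+        "types": "sha256",
+        "categories": category,
+        "comment": comment
+    })
+
+    r["results"].append({
+        "values": target['sha512'],
+        "types": "sha512",
+        "categories": category,
+        "comment": comment
+    })
+
+    # todo : add file size?
+
+    if(target.get('guest_paths')):
+        r["results"].append({
+            "values": target['guest_paths'],
+            "types": "filename",
+            "categories": "Payload installation",
+            "comment": comment + " - Path"
+        })
+
+
+def introspection():
+    modulesetup = {}
+    try:
+        userConfig
+        modulesetup['userConfig'] = userConfig
+    except NameError:
+        pass
+    try:
+        inputSource
+        modulesetup['inputSource'] = inputSource
+    except NameError:
+        pass
+    return modulesetup
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo
+
+if __name__ == '__main__':
+    x = open('test.json', 'r')
+    q = []
+    q['data'] = x.read()
+    q = base64.base64encode(q)
+
+    handler(q)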
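Review bot: handler() indexes `data['target']['file']`, `data['malscore']`, `data['network']` and `data['behavior']['summary']` with no guard, so a truncated or non-Cuckoo report raises KeyError out of the module instead of returning the `misperrors` dict the file defines but never uses, and `base64.b64decode(q.get("data"))` raises TypeError when the `data` field is absent; since the values in a sandbox report originate from the analysed sample, the import path should treat the document as untrusted input and fail closed. The rewrite below wraps the decode and the lookups and reports the failure through `misperrors`. Two smaller defects elsewhere in the file: processVT stores the permalink entry under `"comments"` where every other entry uses `"comment"`, and processBinary leaves `comment` and `category` unbound when called with neither flag. The `__main__` block cannot run as written: `q = []` is then indexed like a dict, `base64.base64encode` does not exist (the function is `b64encode`), the file opened with `open('test.json', 'r')` is never closed, and handler() expects a JSON document carrying a base64 `data` field rather than a bare base64 string.
```python
def handler(q=False):
    # Just in case we have no data
    if q is False:
        return False

    # The return value
    r = {'results': []}

    # Load up that JSON; the report is untrusted input, so every
    # decode/lookup failure is reported through misperrors
    try:
        q = json.loads(q)
        data = base64.b64decode(q['data']).decode('utf-8')
        if not data:
            return json.dumps({"success": 0})
        data = json.loads(data)
        # … unchanged: processBinary / malscore / processVT / processNetwork / processSummary calls …
    except (KeyError, TypeError, ValueError) as e:
        misperrors['error'] = 'Malformed Cuckoo report: {}'.format(e)
        return misperrors

    # Return
    return r
```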