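def run(self, results):
    """Enrich an analysis with MISP lookups and optionally push it to MISP.

    Collects IoCs from ``results`` (MD5s of dropped PE32 files, the target
    file's MD5, contacted IPs and hostnames) into ``self.iocs``, skipping
    anything listed in the ``misp.conf`` whitelist, then looks them up with
    ``self.threads`` worker threads running ``self.misper_thread``.  Matches
    end up under ``results["misp"]`` (newest event first) and the raw lookup
    data is written to ``misp.json`` in the report folder.  When
    ``upload_iocs`` is set and the malscore reaches ``min_malscore`` the
    analysis is pushed to MISP through ``self.cuckoo2misp``.

    @param results: analysis results dict; mutated in place (``results["misp"]``).
    @return: None. Every failure after option validation is logged, not raised.
    """
    if not PYMISP:
        log.error("pyMISP dependency is missing.")
        return

    url = self.options.get("url", "")
    apikey = self.options.get("apikey", "")
    if not url or not apikey:
        log.error("MISP URL or API key not configured.")
        return

    # Unset/empty "threads" falls back to 5 workers.
    self.threads = self.options.get("threads", "") or 5

    whitelist = []
    whitelist_ua = []
    self.iocs = deque()
    self.misper = {}
    threads_list = []
    self.misp_full_report = {}
    self.lock = threading.Lock()
    self.master_obj = None
    self.slaves_id = deque()

    try:
        # Optional whitelist: comma-separated IoCs / user-agents that must never
        # be looked up or uploaded (e.g. the sandbox's own infrastructure).
        if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
            wl_section = Config("misp").whitelist
            if wl_section.whitelist:
                whitelist = [ioc.strip() for ioc in wl_section.whitelist.split(",")]
            if wl_section.whitelist_ua:
                whitelist_ua = [ua.strip() for ua in wl_section.whitelist_ua.split(",")]

        # NOTE(security): PyMISP's third positional argument is ``ssl``.  The
        # original hard-coded False, which turns off TLS certificate
        # verification and lets an on-path attacker read the API key.  The
        # insecure default is kept for compatibility; set the new reporting
        # option "verify_ssl" to true to enable verification.
        verify_ssl = self.options.get("verify_ssl", False)
        self.misp = PyMISP(url, apikey, verify_ssl, "json")

        if self.options.get("extend_context", ""):
            for drop in results.get("dropped", []):
                md5 = drop.get("md5", "")
                # .get() on "type": a dropped entry without it used to raise KeyError.
                if md5 and md5 not in self.iocs and md5 not in whitelist and "PE32" in drop.get("type", ""):
                    self.iocs.append(md5)

        target_md5 = results.get("target", {}).get("file", {}).get("md5", "")
        if target_md5 and target_md5 not in whitelist:
            self.iocs.append(target_md5)

        for block in results.get("network", {}).get("hosts", []):
            # Same order as before: the IP of a host, then its hostname.
            for key in ("ip", "hostname"):
                value = block.get(key, "")
                if value and value not in self.iocs and value not in whitelist:
                    self.iocs.append(value)

        if not self.iocs:
            return

        # range() works on both Python 2 and 3 (xrange does not).
        for _ in range(int(self.threads)):
            thread = threading.Thread(target=self.misper_thread, args=(url,))
            thread.daemon = True
            thread.start()
            threads_list.append(thread)
        for thread in threads_list:
            thread.join()

        if self.misper:
            results["misp"] = sorted(
                self.misper.values(),
                key=lambda x: datetime.strptime(x["date"], "%Y-%m-%d"),
                reverse=True,
            )

        # Text mode + context manager: json produces str, and the handle is
        # closed even if serialisation fails (the old open()/write() leaked it).
        misp_report_path = os.path.join(self.reports_path, "misp.json")
        with open(misp_report_path, "w") as full_report:
            json.dump(self.misp_full_report, full_report)

        tag_ids = self.options.get("tag", None)
        if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
            self.cuckoo2misp(results, whitelist, whitelist_ua, tag_ids)
    except Exception as e:
        log.error("Failed to generate JSON report: %s" % e, exc_info=True)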
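ttps_json = {}
mitre_json_path = os.path.join(CUCKOO_ROOT, "data", "mitre_attack.json")
if os.path.exists(mitre_json_path):
    # "with" closes the handle; json.load(open(...)) left it to the GC.
    with open(mitre_json_path) as fh:
        ttps_json = json.load(fh)

malpedia_json_path = os.path.join(CUCKOO_ROOT, "data", "malpedia.json")
if os.path.exists(malpedia_json_path):
    with open(malpedia_json_path) as fh:
        malpedia_json = json.load(fh)
else:
    # Kept as False (not {}) — that is the sentinel the rest of the module expects.
    malpedia_json = False

# Module-level whitelist of IoCs never sent to MISP, read from the
# comma-separated "whitelist" entry of conf/misp.conf when that file exists.
# Normalised to a list even when the entry is empty/None so that
# "x not in whitelist" never raises.
whitelist = []
if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
    raw_whitelist = Config("misp").whitelist.whitelist
    if raw_whitelist:
        whitelist = [ioc.strip() for ioc in raw_whitelist.split(",")]

# Family names as reported by CAPE -> names used by Malpedia.
# (Identifier spelling kept as-is: MISP.malpedia() references it.)
name_update_shema = {
    "Agenttesla": "Agent Tesla",
    "AgentTeslaV2": "Agent Tesla",
    "WarzoneRAT": "Ave Maria",
}


class MISP(Report):
    """MISP Analyzer."""

    order = 1

    # NOTE: the body of this method continues beyond this excerpt.
    def malpedia(self, results, event, malfamily):
        if malfamily in name_update_shema: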
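def run(self, results):
    """Enrich an analysis with MISP lookups and optionally push it to MISP.

    Collects IoCs from ``results`` (MD5s of dropped files, the target file's
    MD5, contacted IPs and hostnames) into ``self.iocs``, skipping anything
    listed in the ``misp.conf`` whitelist, then looks them up with
    ``self.threads`` worker threads running ``self.misper_thread``.  Matches
    end up under ``results["misp"]`` (newest event first) and the raw lookup
    data is written to ``misp.json`` in the report folder.  When
    ``upload_iocs`` is set and the malscore reaches ``min_malscore`` the
    analysis is pushed to MISP through ``self.cuckoo2misp``.

    @param results: analysis results dict; mutated in place (``results["misp"]``).
    @return: None. Every failure after option validation is logged, not raised.
    """
    if not PYMISP:
        log.error("pyMISP dependency is missing.")
        return

    url = self.options.get("url", "")
    apikey = self.options.get("apikey", "")
    if not url or not apikey:
        log.error("MISP URL or API key not configured.")
        return

    # Unset/empty "threads" falls back to 5 workers.
    self.threads = self.options.get("threads", "") or 5

    whitelist = []
    self.iocs = deque()
    self.misper = {}
    threads_list = []
    self.misp_full_report = {}
    self.lock = threading.Lock()

    try:
        # Optional whitelist: comma-separated IoCs that must never be looked
        # up or uploaded (e.g. the sandbox's own infrastructure).
        if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
            raw_whitelist = Config("misp").whitelist.whitelist
            if raw_whitelist:
                whitelist = [ioc.strip() for ioc in raw_whitelist.split(",")]

        # NOTE(security): PyMISP's third positional argument is ``ssl``.  The
        # original hard-coded False, which turns off TLS certificate
        # verification and lets an on-path attacker read the API key.  The
        # insecure default is kept for compatibility; set the new reporting
        # option "verify_ssl" to true to enable verification.
        verify_ssl = self.options.get("verify_ssl", False)
        self.misp = PyMISP(url, apikey, verify_ssl, "json")

        if self.options.get("extend_context", ""):
            for drop in results.get("dropped", []):
                md5 = drop.get("md5", "")
                if md5 and md5 not in self.iocs and md5 not in whitelist:
                    self.iocs.append(md5)

        target_md5 = results.get("target", {}).get("file", {}).get("md5", "")
        if target_md5 and target_md5 not in whitelist:
            self.iocs.append(target_md5)

        for block in results.get("network", {}).get("hosts", []):
            # Same order as before: the IP of a host, then its hostname.
            for key in ("ip", "hostname"):
                value = block.get(key, "")
                if value and value not in self.iocs and value not in whitelist:
                    self.iocs.append(value)

        if not self.iocs:
            return

        # range() works on both Python 2 and 3 (xrange does not).
        for _ in range(int(self.threads)):
            thread = threading.Thread(target=self.misper_thread, args=(url,))
            thread.daemon = True
            thread.start()
            threads_list.append(thread)
        for thread in threads_list:
            thread.join()

        if self.misper:
            results["misp"] = sorted(
                self.misper.values(),
                key=lambda x: datetime.strptime(x["date"], "%Y-%m-%d"),
                reverse=True,
            )

        # Text mode + context manager: json produces str, and the handle is
        # closed even if serialisation fails (the old open()/write() leaked it).
        misp_report_path = os.path.join(self.reports_path, "misp.json")
        with open(misp_report_path, "w") as full_report:
            json.dump(self.misp_full_report, full_report)

        if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
            self.cuckoo2misp(results, whitelist)
    except Exception as e:
        log.error("Failed to generate JSON report: %s" % e, exc_info=True)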
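def run(self, results):
    """Create a MISP event for this analysis when uploading is enabled.

    Connects to MISP with the configured URL/API key, loads the optional
    ``misp.conf`` whitelist and, if ``upload_iocs`` is set and the malscore
    reaches ``min_malscore``, creates a new event (distribution, threat
    level, analysis state and title taken from the options), tags it,
    then adds sample hashes, network indicators, dropped files, mutexes
    and read registry keys through the helper methods / PyMISP calls.

    @param results: analysis results dict (read only).
    @return: None. Failures after option validation are logged, not raised.
    """
    url = self.options.get("url", "")
    apikey = self.options.get("apikey", "")
    if not url or not apikey:
        log.error("MISP URL or API key not configured.")
        return

    # pymisp warns on import; keep the reporting log clean.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        import pymisp

        # NOTE(security): PyMISP's third positional argument is ``ssl``.  The
        # original hard-coded False, which turns off TLS certificate
        # verification and lets an on-path attacker read the API key.  The
        # insecure default is kept for compatibility; set the new reporting
        # option "verify_ssl" to true to enable verification.
        verify_ssl = self.options.get("verify_ssl", False)
        self.misp = pymisp.PyMISP(url, apikey, verify_ssl, "json")

    # Unset/empty "threads" falls back to 5.
    self.threads = self.options.get("threads", "") or 5

    whitelist = []
    self.iocs = deque()
    self.misper = {}
    self.misp_full_report = {}
    self.lock = threading.Lock()

    try:
        # Optional whitelist: comma-separated IoCs that must never be
        # uploaded (e.g. the sandbox's own infrastructure).
        if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
            raw_whitelist = Config("misp").whitelist.whitelist
            if raw_whitelist:
                whitelist = [ioc.strip() for ioc in raw_whitelist.split(",")]

        if not (self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0)):
            return

        distribution = int(self.options.get("distribution", 0))
        threat_level_id = int(self.options.get("threat_level_id", 4))
        analysis = int(self.options.get("analysis", 0))
        tag = self.options.get("tag") or "CAPEv2"
        info = self.options.get("title", "")
        malfamily = results.get("malfamily", "") or ""

        event = self.misp.new_event(
            distribution=distribution,
            threat_level_id=threat_level_id,
            analysis=analysis,
            info="{} {} - {}".format(info, malfamily, results.get("info", {}).get("id")),
        )

        # Tag the event so CAPE-generated events can be told apart in MISP.
        if tag:
            mispresult = self.misp.tag(event["Event"]["uuid"], tag)
            # dict.has_key() does not exist on Python 3; "in" works on both.
            if "message" in mispresult:
                log.debug("tag event: %s" % mispresult["message"])

        # TODO: self.signature(results, event)
        self.sample_hashes(results, event)
        self.all_network(results, event, whitelist)
        self.dropped_files(results, event, whitelist)

        # TODO: honour the "upload_sample" option.  The intended call for a
        # file target f = results["target"]["file"] was
        # self.misp.upload_sample(filename=os.path.basename(f["name"]),
        #     filepath_or_bytes=f["path"], event_id=event["Event"]["id"],
        #     category="Payload delivery", comment="Sample run").

        self.misper.setdefault("iocs", [])
        # TODO (might be outdated): the target URL and Suricata extracted-file
        # hashes (md5/sha1/sha256 from results["suricata"]["files"]) were once
        # appended to self.misper["iocs"]; left out until re-validated.

        summary = results.get("behavior", {}).get("summary", {})

        if self.options.get("mutexes", False):
            for mutex in summary.get("mutexes", []) or []:
                if mutex not in whitelist:
                    self.misp.add_mutex(event, mutex)

        if self.options.get("registry", False):
            # NOTE(review): unlike mutexes, registry keys are not filtered by
            # the whitelist before upload — confirm this is intended.
            for regkey in summary.get("read_keys", []) or []:
                self.misp.add_regkey(event, regkey)
    except Exception as e:
        log.error("Failed to generate JSON report: %s" % e, exc_info=True)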