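    def run(self, results):
        """Enrich *results* with MISP context and optionally push the IOCs to MISP.

        Reads ``url``, ``apikey``, ``threads``, ``extend_context``,
        ``upload_iocs``, ``min_malscore``, ``tag`` and the new ``verify_ssl``
        option from ``self.options``, plus the optional ``whitelist`` /
        ``whitelist_ua`` lists from ``conf/misp.conf``.

        With ``extend_context`` set, the MD5 of every dropped PE32 file, the
        target file's MD5 and the IP/hostname of every contacted host are
        queued on ``self.iocs`` and processed by ``self.threads`` worker
        threads running ``self.misper_thread``.  Any hits collected in
        ``self.misper`` are attached to ``results["misp"]`` (newest event
        first) and the full report is written to ``<reports_path>/misp.json``.

        With ``upload_iocs`` set and ``results["malscore"]`` at least
        ``min_malscore``, ``self.cuckoo2misp`` is invoked to create the event.

        @param results: the analysis results dict (mutated in place).
        @return: None; lookup results are attached to ``results``.
        """
        if not PYMISP:
            log.error("pyMISP dependency is missing.")
            return

        url = self.options.get("url", "")
        apikey = self.options.get("apikey", "")
        if not url or not apikey:
            log.error("MISP URL or API key not configured.")
            return

        # Number of lookup workers; an unset or empty option means 5.
        self.threads = self.options.get("threads", "") or 5

        # The third positional argument of PyMISP is ``ssl`` (certificate
        # verification).  It used to be hard-wired to False, so the API key was
        # sent to whatever host answered at ``url``.  The default is kept so
        # deployments with self-signed certificates keep working, but it is now
        # configurable and loudly logged.
        verify_ssl = self.options.get("verify_ssl", False)
        if not verify_ssl:
            log.warning("MISP TLS certificate verification is disabled; set verify_ssl=yes in the reporting config to enable it.")

        self.iocs = deque()
        self.misper = dict()
        self.misp_full_report = dict()
        self.lock = threading.Lock()
        # Presumably shared with misper_thread (not visible here).
        self.master_obj = None
        self.slaves_id = deque()

        try:
            whitelist, whitelist_ua = self._load_whitelists()

            self.misp = PyMISP(url, apikey, verify_ssl, "json")

            if self.options.get("extend_context", ""):
                self._queue_iocs(results, whitelist)
                if not self.iocs:
                    return

                self._run_lookup_threads(url)

                if self.misper:
                    results["misp"] = sorted(
                        self.misper.values(),
                        key=lambda x: datetime.strptime(x["date"], "%Y-%m-%d"),
                        reverse=True,
                    )
                    self._write_full_report()

            tag_ids = self.options.get("tag", None)
            if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
                self.cuckoo2misp(results, whitelist, whitelist_ua, tag_ids)

        except Exception as e:
            # Message used to say "JSON report", which hid where the failure was.
            log.error("Failed to generate MISP report: %s", e, exc_info=True)

    def _load_whitelists(self):
        """Return ``(whitelist, whitelist_ua)`` read from ``conf/misp.conf``.

        Each is a list of stripped, comma-separated entries, or an empty list
        when the file or the option is absent.
        """
        whitelist = list()
        whitelist_ua = list()
        if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
            section = Config("misp").whitelist
            if section.whitelist:
                whitelist = [ioc.strip() for ioc in section.whitelist.split(",")]
            if section.whitelist_ua:
                whitelist_ua = [ioc.strip() for ioc in section.whitelist_ua.split(",")]
        return whitelist, whitelist_ua

    def _queue_iocs(self, results, whitelist):
        """Queue the lookup candidates of *results* on ``self.iocs``.

        Candidates are the MD5 of each dropped file whose type contains
        "PE32", the target file's MD5, and the IP and hostname of every
        contacted host.  Empty, whitelisted and already-queued values are
        skipped.
        """
        blocked = set(whitelist)

        def enqueue(value):
            if value and value not in blocked and value not in self.iocs:
                self.iocs.append(value)

        for drop in results.get("dropped", []):
            # "type" may be missing for a dropped file; indexing it directly
            # used to raise KeyError and abort the whole report.
            if "PE32" in drop.get("type", ""):
                enqueue(drop.get("md5", ""))

        enqueue(results.get("target", {}).get("file", {}).get("md5", ""))

        for host in results.get("network", {}).get("hosts", []):
            enqueue(host.get("ip", ""))
            enqueue(host.get("hostname", ""))

    def _run_lookup_threads(self, url):
        """Start ``self.threads`` ``misper_thread`` workers and wait for all of them.

        The workers are expected to consume ``self.iocs`` (their body is not
        part of this block).
        """
        workers = []
        for _ in range(int(self.threads)):
            worker = threading.Thread(target=self.misper_thread, args=(url,))
            worker.daemon = True
            worker.start()
            workers.append(worker)
        for worker in workers:
            worker.join()

    def _write_full_report(self):
        """Dump ``self.misp_full_report`` as JSON to ``<reports_path>/misp.json``."""
        misp_report_path = os.path.join(self.reports_path, "misp.json")
        # Text mode: json.dump produces str, so "wb" breaks on Python 3.
        with open(misp_report_path, "w") as report_fh:
            json.dump(self.misp_full_report, report_fh)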
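# MITRE ATT&CK technique data, keyed as shipped in data/mitre_attack.json.
ttps_json = {}
mitre_json_path = os.path.join(CUCKOO_ROOT, "data", "mitre_attack.json")
if os.path.exists(mitre_json_path):
    # Close the handle explicitly; ``json.load(open(...))`` left it to the GC.
    with open(mitre_json_path) as mitre_fh:
        ttps_json = json.load(mitre_fh)

# Malpedia family data; False (not {}) when the file is absent, preserving the
# original sentinel value that the rest of the module may test against.
malpedia_json_path = os.path.join(CUCKOO_ROOT, "data", "malpedia.json")
malpedia_json = False
if os.path.exists(malpedia_json_path):
    with open(malpedia_json_path) as malpedia_fh:
        malpedia_json = json.load(malpedia_fh)

# Whitelist of IOCs never to look up or upload, from conf/misp.conf
# (comma-separated); empty when the file or option is missing.
whitelist = list()
if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
    whitelist = Config("misp").whitelist.whitelist
    if whitelist:
        whitelist = [ioc.strip() for ioc in whitelist.split(",")]

# Maps CAPE family names to the names Malpedia uses.  The identifier (a typo
# of "schema") is kept because other code references it.
name_update_shema = {
    "Agenttesla": "Agent Tesla",
    "AgentTeslaV2": "Agent Tesla",
    "WarzoneRAT": "Ave Maria",
}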


class MISP(Report):
    """MISP Analyzer."""

    order = 1

    def malpedia(self, results, event, malfamily):
        if malfamily in name_update_shema:
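    def run(self, results):
        """Enrich *results* with MISP context and optionally push the IOCs to MISP.

        Reads ``url``, ``apikey``, ``threads``, ``extend_context``,
        ``upload_iocs``, ``min_malscore`` and the new ``verify_ssl`` option
        from ``self.options``, plus the optional ``whitelist`` from
        ``conf/misp.conf``.

        With ``extend_context`` set, the MD5 of every dropped file, the target
        file's MD5 and the IP/hostname of every contacted host are queued on
        ``self.iocs`` and processed by ``self.threads`` worker threads running
        ``self.misper_thread``.  Hits collected in ``self.misper`` are attached
        to ``results["misp"]`` (newest event first) and the full report is
        written to ``<reports_path>/misp.json``.

        With ``upload_iocs`` set and ``results["malscore"]`` at least
        ``min_malscore``, ``self.cuckoo2misp`` is invoked to create the event.

        @param results: the analysis results dict (mutated in place).
        @return: None; lookup results are attached to ``results``.
        """
        if not PYMISP:
            log.error("pyMISP dependency is missing.")
            return

        url = self.options.get("url", "")
        apikey = self.options.get("apikey", "")
        if not url or not apikey:
            log.error("MISP URL or API key not configured.")
            return

        # Number of lookup workers; an unset or empty option means 5.
        self.threads = self.options.get("threads", "") or 5

        # The third positional argument of PyMISP is ``ssl`` (certificate
        # verification).  It used to be hard-wired to False, so the API key was
        # sent to whatever host answered at ``url``.  The default is kept so
        # deployments with self-signed certificates keep working, but it is now
        # configurable and loudly logged.
        verify_ssl = self.options.get("verify_ssl", False)
        if not verify_ssl:
            log.warning("MISP TLS certificate verification is disabled; set verify_ssl=yes in the reporting config to enable it.")

        self.iocs = deque()
        self.misper = dict()
        self.misp_full_report = dict()
        self.lock = threading.Lock()

        try:
            whitelist = self._load_whitelist()

            self.misp = PyMISP(url, apikey, verify_ssl, "json")

            if self.options.get("extend_context", ""):
                self._queue_iocs(results, whitelist)
                if not self.iocs:
                    return

                self._run_lookup_threads(url)

                if self.misper:
                    results["misp"] = sorted(
                        self.misper.values(),
                        key=lambda x: datetime.strptime(x["date"], "%Y-%m-%d"),
                        reverse=True,
                    )
                    self._write_full_report()

            if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
                self.cuckoo2misp(results, whitelist)

        except Exception as e:
            # Message used to say "JSON report", which hid where the failure was.
            log.error("Failed to generate MISP report: %s", e, exc_info=True)

    def _load_whitelist(self):
        """Return the ``whitelist`` from ``conf/misp.conf`` as a list of stripped entries.

        Empty when the file or the option is absent.
        """
        whitelist = list()
        if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
            raw = Config("misp").whitelist.whitelist
            if raw:
                whitelist = [ioc.strip() for ioc in raw.split(",")]
        return whitelist

    def _queue_iocs(self, results, whitelist):
        """Queue the lookup candidates of *results* on ``self.iocs``.

        Candidates are the MD5 of each dropped file, the target file's MD5,
        and the IP and hostname of every contacted host.  Empty, whitelisted
        and already-queued values are skipped.
        """
        blocked = set(whitelist)

        def enqueue(value):
            if value and value not in blocked and value not in self.iocs:
                self.iocs.append(value)

        for drop in results.get("dropped", []):
            enqueue(drop.get("md5", ""))

        enqueue(results.get("target", {}).get("file", {}).get("md5", ""))

        for host in results.get("network", {}).get("hosts", []):
            enqueue(host.get("ip", ""))
            enqueue(host.get("hostname", ""))

    def _run_lookup_threads(self, url):
        """Start ``self.threads`` ``misper_thread`` workers and wait for all of them.

        The workers are expected to consume ``self.iocs`` (their body is not
        part of this block).
        """
        workers = []
        for _ in range(int(self.threads)):
            worker = threading.Thread(target=self.misper_thread, args=(url,))
            worker.daemon = True
            worker.start()
            workers.append(worker)
        for worker in workers:
            worker.join()

    def _write_full_report(self):
        """Dump ``self.misp_full_report`` as JSON to ``<reports_path>/misp.json``."""
        misp_report_path = os.path.join(self.reports_path, "misp.json")
        # Text mode: json.dump produces str, so "wb" breaks on Python 3.
        with open(misp_report_path, "w") as report_fh:
            json.dump(self.misp_full_report, report_fh)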
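    def run(self, results):
        """Create a MISP event for this analysis when it scores high enough.

        Requires ``url`` and ``apikey`` in ``self.options``.  When
        ``upload_iocs`` is set and ``results["malscore"]`` is at least
        ``min_malscore``, a new event is created (``distribution``,
        ``threat_level_id``, ``analysis``, ``title`` and ``tag`` come from the
        options), then sample hashes, network indicators and dropped files are
        attached through ``self.sample_hashes`` / ``self.all_network`` /
        ``self.dropped_files``, followed by mutexes and read registry keys
        when the ``mutexes`` / ``registry`` options are enabled.  Values in
        the ``whitelist`` of ``conf/misp.conf`` are skipped.

        @param results: the analysis results dict.
        @return: None.
        """
        url = self.options.get("url", "")
        apikey = self.options.get("apikey", "")
        if not url or not apikey:
            log.error("MISP URL or API key not configured.")
            return

        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            import pymisp

        # The third positional argument of PyMISP is ``ssl`` (certificate
        # verification).  It used to be hard-wired to False, so the API key was
        # sent to whatever host answered at ``url``.  The default is kept so
        # deployments with self-signed certificates keep working, but it is now
        # configurable and loudly logged.
        verify_ssl = self.options.get("verify_ssl", False)
        if not verify_ssl:
            log.warning("MISP TLS certificate verification is disabled; set verify_ssl=yes in the reporting config to enable it.")

        # Number of workers; an unset or empty option means 5.
        self.threads = self.options.get("threads", "") or 5

        self.iocs = deque()
        self.misper = dict()
        self.misp_full_report = dict()
        self.lock = threading.Lock()

        try:
            # Built inside the try so a bad URL or key is logged like any other
            # MISP failure instead of escaping run().
            self.misp = pymisp.PyMISP(url, apikey, verify_ssl, "json")

            whitelist = self._load_whitelist()

            if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
                event = self._create_event(results)

                # TODO: signature-based attributes (self.signature) not wired up.
                self.sample_hashes(results, event)
                self.all_network(results, event, whitelist)
                self.dropped_files(results, event, whitelist)

                # TODO: uploading the sample itself (``upload_sample`` option)
                # is not implemented; the target URL and Suricata extracted
                # files are likewise not pushed yet.
                self.misper.setdefault("iocs", list())

                self._add_behavior_attributes(results, event, whitelist)

        except Exception as e:
            # Message used to say "JSON report", which hid where the failure was.
            log.error("Failed to generate MISP report: %s", e, exc_info=True)

    def _load_whitelist(self):
        """Return the ``whitelist`` from ``conf/misp.conf`` as a list of stripped entries.

        Empty when the file or the option is absent.
        """
        whitelist = list()
        if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
            raw = Config("misp").whitelist.whitelist
            if raw:
                whitelist = [ioc.strip() for ioc in raw.split(",")]
        return whitelist

    def _create_event(self, results):
        """Create and tag the MISP event for *results*; return the event dict.

        The title is ``"<title option> <malfamily> - <analysis id>"``; the tag
        defaults to ``CAPEv2`` so CAPE-created events can be told apart.
        """
        distribution = int(self.options.get("distribution", 0))
        threat_level_id = int(self.options.get("threat_level_id", 4))
        analysis = int(self.options.get("analysis", 0))
        tag = self.options.get("tag") or "CAPEv2"
        info = self.options.get("title", "")
        malfamily = results.get("malfamily", "") or ""

        event = self.misp.new_event(
            distribution=distribution,
            threat_level_id=threat_level_id,
            analysis=analysis,
            info="{} {} - {}".format(info, malfamily, results.get("info", {}).get("id")),
        )

        # ``dict.has_key`` is Python 2 only; ``in`` behaves the same on a dict.
        mispresult = self.misp.tag(event["Event"]["uuid"], tag)
        if "message" in mispresult:
            log.debug("tag event: %s", mispresult["message"])
        return event

    def _add_behavior_attributes(self, results, event, whitelist):
        """Attach mutexes and read registry keys from the behaviour summary to *event*.

        Governed by the ``mutexes`` and ``registry`` options; whitelisted
        values are skipped in both cases.
        """
        summary = results.get("behavior", {}).get("summary", {}) or {}
        blocked = set(whitelist)

        if self.options.get("mutexes", False):
            for mutex in summary.get("mutexes", []):
                if mutex not in blocked:
                    self.misp.add_mutex(event, mutex)

        if self.options.get("registry", False):
            # The whitelist was honoured for mutexes but not for registry keys,
            # so configured-benign keys leaked into the shared instance.
            for regkey in summary.get("read_keys", []):
                if regkey not in blocked:
                    self.misp.add_regkey(event, regkey)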