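    def _malwarebazaar(self, sha256_digest, cache=True):
        """Return the MalwareBazaar record for *sha256_digest*, querying the API on a cache miss.

        Args:
            sha256_digest: hash of the sample to look up; sent unchanged as the
                'hash' field of the query body.
            cache: when True, a 'malwarebazaar' entry already stored in the
                file document is returned without contacting the API.

        Returns:
            The object stored under 'malwarebazaar' in the file document (the
            parsed JSON MalwareBazaar returned for the hash).

        Raises:
            error.InterfaceWarning: on a transport failure, a non-JSON response,
                a hash unknown to MalwareBazaar, or any query_status other
                than 'ok'.
            error.MongoError: if the result could not be written back to the
                file document.
        """
        params = {'query': 'get_info', 'hash': sha256_digest}

        document = db.file_collection.select(sha256_digest)
        # select() can return a falsy document (the post-update check below
        # relies on that); treat it as a cache miss instead of letting the
        # 'in' test raise TypeError.
        if not cache or not document or 'malwarebazaar' not in document:
            try:
                response = requests.post(API_ENDPOINT,
                                         data=params,
                                         headers=HEADERS,
                                         proxies=PROXIES,
                                         timeout=10)
            except requests.exceptions.RequestException:
                # Only transport-level failures are translated into the
                # warning; programming errors keep propagating unmasked.
                raise error.InterfaceWarning(
                    'failed to connect to MalwareBazaar')
            # A missing content-type header must not crash the check.
            content_type = response.headers.get('content-type', '')
            if 'application/json' not in content_type:
                raise error.InterfaceWarning(
                    'invalid response received from MalwareBazaar')
            try:
                payload = response.json()
            except ValueError:
                # Header claimed JSON but the body does not decode.
                raise error.InterfaceWarning(
                    'invalid response received from MalwareBazaar')
            db.file_collection.update(sha256_digest, {'malwarebazaar': payload})
            document = db.file_collection.select(sha256_digest)
            if not document or 'malwarebazaar' not in document:
                raise error.MongoError(
                    'error adding malwarebazaar into file document %s' %
                    sha256_digest)

        # .get() so a malformed cached record yields the generic warning
        # below rather than a KeyError.
        query_status = str(document['malwarebazaar'].get('query_status'))
        if query_status == 'hash_not_found':
            raise error.InterfaceWarning('File not present in MalwareBazaar')
        if query_status != 'ok':
            raise error.InterfaceWarning('An unexpected error occured')

        return document['malwarebazaar']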
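    def info(self, args, file, opts):
        """Summarise Cuckoo analyses of *file*: score and machine name per fetched report.

        Args:
            args, opts: unused here; part of the common command signature.
            file: object exposing ``sha256_digest``, used to look the sample up.

        Returns:
            ``{'info': [{'score': ..., 'name': ...}, ...]}`` with one entry per
            task of this sample whose report was retrieved, or the
            ``("No reports, ...", "pending")`` pair when the task list itself
            cannot be fetched.

        Raises:
            error.InterfaceError: a Cuckoo request failed at the transport level.
            error.InterfaceWarning: the sample is unknown to Cuckoo, Cuckoo
                returned a non-JSON body, or no report yielded information.
        """
        def _get(path):
            # Every Cuckoo call shares the same TLS setting and transport
            # error translation; previously only the first call was guarded.
            # VERIFY comes from module config: a False value disables
            # certificate checking for all of these requests.
            try:
                return requests.get(CUCKOO_API + path, verify=VERIFY)
            except requests.exceptions.RequestException:
                raise error.InterfaceError("failed to connect to Cuckoo")

        # Assumes sha256_digest is a plain hex string; no URL escaping is
        # applied here — TODO confirm it is validated upstream.
        try:
            j = _get('/files/view/sha256/' + file.sha256_digest).json()
        except ValueError:
            # e.g. an HTML error page instead of the JSON document
            raise error.InterfaceWarning("invalid response received from Cuckoo")

        if 'sample' not in j:
            raise error.InterfaceWarning(
                "file has never been submitted to Cuckoo")
        s_id = j['sample']['id']

        r = _get('/tasks/list')
        if r.status_code != requests.codes.ok:  # pylint: disable=no-member
            return "No reports, sample must be pending/running", "pending"

        output = []
        for t in r.json().get('tasks', []):
            if t['sample_id'] != s_id:
                continue
            report = _get('/tasks/report/' + str(t['id']))
            if report.status_code != requests.codes.ok:  # pylint: disable=no-member
                # Report not (yet) available for this task; skip it.
                continue
            j = report.json()
            output.append({
                'score': j['info']['score'],
                'name': j['info']['machine']['name']
            })
        if not output:
            # Raised, not returned: callers already handle InterfaceWarning
            # from the 'never submitted' path above, and returning an
            # exception instance would be silently treated as a result.
            raise error.InterfaceWarning("no information available!")
        return {'info': output}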
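    def _vt_scan(self, sha256_digest, cache=True):
        """Return the VirusTotal v2 file report for *sha256_digest*, querying VT on a cache miss.

        Args:
            sha256_digest: hash of the sample; sent as the 'resource' parameter.
            cache: when True, a 'vt' entry already stored in the file document
                is returned without contacting VirusTotal.

        Returns:
            The object stored under 'vt' in the file document (the parsed JSON
            report).

        Raises:
            error.InterfaceWarning: on a transport failure, a non-JSON or
                unrecognised response, a hash unknown to VirusTotal, or a
                cached entry lacking private-API fields while IS_PRIVATE is set.
            error.MongoError: if the report could not be written back to the
                file document.
        """
        # NOTE: the v2 API takes the key as a query parameter, so it is part
        # of the request URL and will appear in proxy / access logs.
        params = {
            'apikey': API_KEY,
            'resource': sha256_digest,
            'allinfo': 1
        }

        document = db.file_collection.select(sha256_digest)
        # A falsy document (see the post-update check) counts as a cache miss
        # rather than raising TypeError on the 'in' test.
        if not cache or not document or 'vt' not in document:
            try:
                response = requests.get('https://www.virustotal.com/vtapi/v2/file/report',
                                        params=params,
                                        headers=HEADERS,
                                        proxies=PROXIES,
                                        timeout=10)
            except requests.exceptions.RequestException:
                # Only transport failures become the warning; programming
                # errors keep propagating unmasked.
                raise error.InterfaceWarning("failed to connect to VirusTotal")
            # A missing content-type header must not crash the check.
            content_type = response.headers.get('content-type', '')
            if 'application/json' not in content_type:
                raise error.InterfaceWarning("invalid response received from VirusTotal")
            try:
                report = response.json()   # parsed once, reused below
            except ValueError:
                raise error.InterfaceWarning("invalid response received from VirusTotal")
            if 'response_code' not in report:
                raise error.InterfaceWarning("unknown response from VirusTotal")
            db.file_collection.update(sha256_digest, {'vt': report})
            document = db.file_collection.select(sha256_digest)
            if not document or 'vt' not in document:
                raise error.MongoError('error adding vt into file document %s' % sha256_digest)

        vt = document['vt']
        # '== 0', not 'is 0': identity against an int literal is
        # implementation-dependent (and a SyntaxWarning on Python 3.8+).
        if vt.get('response_code') == 0:
            raise error.InterfaceWarning("file is not present on VirusTotal")

        # A public-key result may have been cached before the key was switched
        # to a private one; the private API adds 'first_seen', so its absence
        # means the cached entry is stale and must be flushed.
        if IS_PRIVATE and 'first_seen' not in vt:
            raise error.InterfaceWarning("private key specified but no private api data in cache, please flush vt cache for sample")

        return vt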
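    def reports(self, args, file, opts):
        """List every Cuckoo task recorded for *file* with its id, URL, timestamp and status.

        Args:
            args, opts: unused here; part of the common command signature.
            file: object exposing ``sha256_digest``, used to look the sample up.

        Returns:
            ``{'reports': [{'id', 'url', 'timestamp', 'status'}, ...]}`` (all
            values stringified; the list may be empty), or the
            ``("No reports, ...", "pending")`` pair when the task list cannot
            be fetched.

        Raises:
            error.InterfaceError: a Cuckoo request failed at the transport level.
            error.InterfaceWarning: the sample is unknown to Cuckoo or Cuckoo
                returned a non-JSON body.
        """
        def _get(path):
            # Both Cuckoo calls share the TLS setting and the transport error
            # translation; previously only the first call was guarded.
            # VERIFY comes from module config: a False value disables
            # certificate checking for these requests.
            try:
                return requests.get(CUCKOO_API + path, verify=VERIFY)
            except requests.exceptions.RequestException:
                raise error.InterfaceError("failed to connect to Cuckoo")

        # Assumes sha256_digest is a plain hex string; no URL escaping is
        # applied here — TODO confirm it is validated upstream.
        try:
            j = _get('/files/view/sha256/' + file.sha256_digest).json()
        except ValueError:
            # e.g. an HTML error page instead of the JSON document
            raise error.InterfaceWarning("invalid response received from Cuckoo")

        if 'sample' not in j:
            raise error.InterfaceWarning(
                "file has never been submitted to Cuckoo")
        s_id = j['sample']['id']

        r = _get('/tasks/list')
        if r.status_code != requests.codes.ok:  # pylint: disable=no-member
            return "No reports, sample must be pending/running", "pending"

        # Loop-invariant: the base URL is the same for every task entry.
        cuckoo_url = config.scale_configs['cuckoo']['cuckoo_url']
        reports = [
            {
                'id': str(t['id']),
                'url': cuckoo_url + str(t['id']),
                'timestamp': str(t['added_on']),
                'status': str(t['status']),
            }
            for t in r.json().get('tasks', [])
            if t['sample_id'] == s_id
        ]
        return {'reports': reports}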