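def malware_samples(self, indicator, source):
    """Collect malware samples tied to *indicator* and store each as an "MR" record.

    Args:
        indicator: The value handed to the collector (hash, domain, IP, ...).
        source: Short source tag. ``"VTO"`` calls ``VirusTotalScraper.get_malware``,
            ``"TEX"`` calls ``ThreatExpertScraper.run``; any other value stores
            nothing.

    Every entry returned by the collector is saved as an ``IndicatorRecord``
    whose ``info`` carries the md5/sha1/sha256 values, the C2 indicator and the
    report link. A failure to build or save one entry is logged with its
    traceback and the remaining entries are still processed.
    """
    import logging

    log = logging.getLogger(__name__)

    if source == "VTO":
        malware = VirusTotalScraper().get_malware(indicator)
    elif source == "TEX":
        malware = ThreatExpertScraper().run(indicator)
    else:
        # Unknown source tag: nothing to collect, nothing to save.
        malware = []

    for entry in malware:
        try:
            # NOTE(review): the values are stored exactly as the collector
            # returned them (presumably scraped third-party content); no format
            # check is applied to the hashes or the link here.
            record_entry = IndicatorRecord(
                record_type="MR",
                info_source=source,
                info_date=entry['date'],
                info=OrderedDict({"md5": entry['md5'],
                                  "sha1": entry['sha1'],
                                  "sha256": entry['sha256'],
                                  "indicator": entry['C2'],
                                  "link": entry['link']}),
            )
            record_entry.save()
        except Exception:
            # Best-effort per entry: keep the traceback (a bare print(e) lost it)
            # and move on to the next sample.
            log.exception("Error saving MR record from %s", source)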
def malware_samples(indicator, record_source):
    """Collect malware samples for *indicator* from *record_source* and save them as MR records.

    Args:
        indicator: The value passed to the collector.
        record_source: A ``RecordSource`` member. ``VTO`` uses
            ``VirusTotalScraper.get_malware``, ``TEX`` uses
            ``ThreatExpertScraper.run``; any other member yields no samples.

    Each sample is expected to be a mapping with ``date``, ``md5``, ``sha1``,
    ``sha256``, ``C2`` and ``link`` keys. A sample that cannot be read or saved
    is logged (with traceback) and skipped.
    """
    record_type = RecordType.MR

    # Choose the collector for this source; unknown sources produce nothing.
    if record_source is RecordSource.VTO:
        samples = VirusTotalScraper().get_malware(indicator)
    elif record_source is RecordSource.TEX:
        samples = ThreatExpertScraper().run(indicator)
    else:
        samples = []

    for sample in samples:
        try:
            when = sample['date']
            details = OrderedDict({
                "md5": sample['md5'],
                "sha1": sample['sha1'],
                "sha256": sample['sha256'],
                "indicator": sample['C2'],
                "link": sample['link'],
            })
            save_record(record_type, record_source, details, date=when)
        except Exception:
            # Best-effort per sample: record the failure and continue.
            logger.exception("Error saving %s (%s) record from %s",
                             record_type.name,
                             record_type.title,
                             record_source.title)
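def virustotal_passive(self, indicator, indicator_type):
    """Refresh the VirusTotal passive-DNS ``HostRecord`` rows for *indicator*.

    Args:
        indicator: The IP address or domain name to look up.
        indicator_type: ``"ip"`` stores each row as a domain seen for this IP,
            ``"domain"`` stores each row as an IP seen for this domain. Any
            other value leaves the database untouched.

    Existing rows for this indicator/source pair are deleted and replaced by
    the freshly parsed ones. Each ``record`` from ``parse_passive`` is read
    positionally — ``record[0]`` as the resolution date, ``record[1]`` as the
    paired domain or IP — the row layout is not visible here, confirm against
    ``VirusTotalScraper.parse_passive``.
    """
    current_time = datetime.datetime.utcnow()
    scraper = VirusTotalScraper()
    scraper.run(indicator)
    passive = scraper.parse_passive()
    source = "VirusTotal"

    if not passive:
        return

    if indicator_type == "ip":
        # The queried IP's location is the same for every row; look it up once.
        ip_location = geolocate_ip(indicator)
        new_records = [
            HostRecord(domain_name=record[1],
                       ip_address=indicator,
                       ip_location=ip_location,
                       resolution_date=record[0],
                       resolution_source=source,
                       query_keyword=indicator,
                       query_date=current_time) for record in passive
        ]
    elif indicator_type == "domain":
        new_records = [
            HostRecord(domain_name=indicator,
                       ip_address=record[1],
                       ip_location=geolocate_ip(record[1]),
                       resolution_date=record[0],
                       resolution_source=source,
                       query_keyword=indicator,
                       query_date=current_time) for record in passive
        ]
    else:
        # Unrecognised type: previously the old rows were deleted at this point
        # with nothing inserted in their place. Now nothing is touched.
        return

    # Delete old entries before inserting new ones - not ideal (the two steps
    # are not atomic, so a failing bulk_create leaves the old rows gone) but
    # will work for now. Building the new rows first at least keeps the old
    # data when parsing or geolocation raises.
    HostRecord.objects.filter(query_keyword=indicator, resolution_source=source).delete()
    HostRecord.objects.bulk_create(new_records)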
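def passive_hosts(indicator, record_source):
    """Collect passive-DNS rows for *indicator* from *record_source* and save each as an HR record.

    Args:
        indicator: The IP address or domain to query.
        record_source: A ``RecordSource`` member. ``IID`` uses
            ``InternetIdentityScraper.run``, ``PTO`` uses the PassiveTotal API
            (key taken from ``settings.PASSIVE_TOTAL_API``), ``VTO`` uses
            ``VirusTotalScraper.get_passive``. Any other member stores nothing.

    Each entry is expected to be a mapping with ``ip``, ``domain``, ``date``
    and ``ip_location`` keys (stated for the two scraper paths; the
    PassiveTotal path is assumed to match — TODO confirm). An entry that
    cannot be read or saved is logged with its traceback and skipped.
    """
    record_type = RecordType.HR
    if record_source is RecordSource.IID:
        scraper = InternetIdentityScraper()
        passive = scraper.run(indicator)  # returns table of data rows {ip, domain, date, ip_location}

    elif record_source is RecordSource.PTO:
        # The API key is a secret pulled from settings; it must not end up in
        # log output.
        api_key = settings.PASSIVE_TOTAL_API
        collector = PassiveTotal(api_key, api_version="v1")
        passive = collector.retrieve_data(indicator, "passive")

    elif record_source is RecordSource.VTO:
        scraper = VirusTotalScraper()
        passive = scraper.get_passive(indicator)  # returns table of data rows {ip, domain, date, ip_location}

    else:
        # No collector for this source. An empty list (not ``{}``) so the
        # fallthrough has the same list-of-rows shape as the other branches.
        passive = []

    for entry in passive:
        try:
            date = entry['date']
            info = OrderedDict({"geo_location": entry['ip_location'],
                                "ip": entry['ip'],
                                "domain": entry['domain']})
            save_record(record_type, record_source, info, date=date)
        except Exception:
            # Best-effort per entry: log and continue with the next row.
            logger.exception("Error saving %s (%s) record from %s",
                             record_type.name,
                             record_type.title,
                             record_source.title)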
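def virustotal_malware(self, indicator):
    """Refresh the VirusTotal ``MalwareRecord`` rows for *indicator*.

    Args:
        indicator: The value scraped from VirusTotal.

    Existing rows for this indicator/source pair are deleted and replaced by
    the freshly parsed ones. Each ``record`` from ``parse_malware`` is read
    positionally — ``record[0]`` as the submission date, ``record[1]`` as the
    SHA256 — the row layout is not visible here, confirm against
    ``VirusTotalScraper.parse_malware``.
    """
    current_time = datetime.datetime.utcnow()
    base_url = "https://www.virustotal.com/en/file/"
    scraper = VirusTotalScraper()
    scraper.run(indicator)
    malware = scraper.parse_malware()
    source = "VirusTotal"

    if not malware:
        return

    # Delete old entries before inserting new ones - not ideal (the two steps
    # are not atomic, so a failing bulk_create leaves the old rows gone) but
    # will work for now.
    MalwareRecord.objects.filter(query_keyword=indicator, report_source=source).delete()

    MalwareRecord.objects.bulk_create([
        MalwareRecord(submission_date=record[0],
                      SHA256_value=record[1],
                      # Coerce the hash itself, not the concatenation: the old
                      # str(record[1] + "/analysis") raised before str() could
                      # help whenever record[1] was not already a str. The link
                      # is built from scraped data as-is; nothing checks here
                      # that it is a well-formed hex digest.
                      report_link=base_url + str(record[1]) + "/analysis",
                      report_source=source,
                      query_keyword=indicator,
                      query_date=current_time) for record in malware
    ])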