Esempio n. 1
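	def virus_total_obj(api_key, indicators):
		'''Build our VirusTotal report object, File object, and AV signature objects
		   and link them appropriately.

		   api_key: config mapping; the VirusTotal key is read from
		            api_key["virustotal"]["key"]
		   indicators: hash (or URL) to search in VT for; passed straight to
		               VTReportObject, which also decides the resource type
		   returns: list of MISP objects -- the VT report first, then the
		            file/url object (if VT classified the resource as one), then
		            one av-signature object per engine with a detection
		'''
		vtr_report = VTReportObject(api_key["virustotal"]["key"], indicators)
		report_objects = [vtr_report]
		# The raw VT response and the resource type only exist as private
		# attributes of the pymisp object; there is no public accessor here.
		av_report = vtr_report._report
		resource_type = vtr_report._resource_type
		if resource_type == 'file':
			file_object = pymisp.MISPObject(name="file")
			# Hashes are read from av_report (the original referenced an
			# undefined `raw_report`).
			file_object.add_attribute("md5", value=av_report["md5"])
			file_object.add_attribute("sha1", value=av_report["sha1"])
			file_object.add_attribute("sha256", value=av_report["sha256"])
			vtr_report.add_reference(referenced_uuid=file_object.uuid, relationship_type="report of")
			report_objects.append(file_object)
		elif resource_type == "url":
			# Split the parameter `indicators` (the original used an undefined
			# `indicator`).
			parsed = urlsplit(indicators)
			url_object = pymisp.MISPObject(name="url")
			url_object.add_attribute("url", value=parsed.geturl())
			url_object.add_attribute("host", value=parsed.hostname)
			url_object.add_attribute("scheme", value=parsed.scheme)
			# NOTE(review): urlsplit's .port raises ValueError for a non-numeric
			# port; VT already accepted the URL, so it is not guarded here.
			url_object.add_attribute("port", value=parsed.port)
			vtr_report.add_reference(referenced_uuid=url_object.uuid, relationship_type="report of")
			report_objects.append(url_object)
		for antivirus, scan in av_report["scans"].items():
			if not scan["detected"]:
				continue
			av_object = pymisp.MISPObject(name="av-signature")
			av_object.add_attribute("software", value=antivirus)
			# disable_correlation stops MISP from correlating events on the
			# free-text engine signature name.
			av_object.add_attribute("signature", value=scan["result"], disable_correlation=True)
			vtr_report.add_reference(referenced_uuid=av_object.uuid, relationship_type="included-in")
			report_objects.append(av_object)
		# The original built the list but never returned it.
		return report_objects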
Esempio n. 2
def _make_VT_object(self, to_search, default_attributes_paramaters):
    """Wrap *to_search* in a VTReportObject, or return None on a known failure.

    The VT key and proxies are taken from the module-level ``cfg``. When
    ``self.args.populate`` is set, the new object inherits the distribution
    level of *default_attributes_paramaters*. A connection failure and an
    InvalidMISPObject (the lookup produced no usable report) are logged
    through ``self.log`` and yield ``None``; anything else propagates.
    """
    try:
        report = VTReportObject(
            cfg.virustotal.virustotal_key,
            to_search,
            vt_proxies=cfg.virustotal.proxies,
            standalone=False,
            default_attributes_paramaters=default_attributes_paramaters,
        )
    except requests.exceptions.ConnectionError:
        self.log('error', 'Failed to connect to VT for {}'.format(to_search))
        return None
    except InvalidMISPObject as e:
        self.log('error', e)
        return None
    else:
        if self.args.populate:
            report.distribution = default_attributes_paramaters.distribution
        return report
Esempio n. 3
def generate_report(indicator, apikey):
    """Return the VT report object for *indicator* together with a linked file object.

    The file object carries the md5/sha1/sha256 taken from the raw VT
    response (read from VTReportObject's private ``_report``) and is
    referenced from the report with relationship "report of". The response
    is assumed to be a file report -- a lookup that returns no hash keys
    fails on the key access.
    """
    vt_report = VTReportObject(apikey, indicator)
    raw_report = vt_report._report

    file_object = MISPObject(name="file")
    for algo in ("md5", "sha1", "sha256"):
        file_object.add_attribute(algo, value=raw_report[algo])
    vt_report.add_reference(referenced_uuid=file_object.uuid,
                            relationship_type="report of")

    return [vt_report, file_object]
Esempio n. 4
def _make_VT_object(self, to_search, default_attributes_parameters):
    """Build a VTReportObject for *to_search*; None when the lookup cannot be made.

    Key and proxies come from the module-level ``cfg``. With
    ``self.args.populate`` set, the object's distribution is copied from
    *default_attributes_parameters*. Connection errors and InvalidMISPObject
    are reported via ``self.log('error', ...)`` and turn into ``None``.
    """
    options = dict(
        vt_proxies=cfg.virustotal.proxies,
        standalone=False,
        default_attributes_parameters=default_attributes_parameters,
    )
    try:
        vt_object = VTReportObject(cfg.virustotal.virustotal_key, to_search, **options)
        if self.args.populate:
            vt_object.distribution = default_attributes_parameters.distribution
    except requests.exceptions.ConnectionError:
        self.log('error', 'Failed to connect to VT for {}'.format(to_search))
    except InvalidMISPObject as e:
        self.log('error', e)
    else:
        return vt_object
    return None
Esempio n. 5
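 def forwarded_email(self, pseudofile: BytesIO):
     '''Extracts all possible indicators out of an email and create a MISP event out of it.
     * Gets all relevant Headers
     * Attach the body
     * Create MISP file objects (uses lief if possible)
     * Set all references

     :param pseudofile: the raw email wrapped in a BytesIO
     :return: the EMailObject; it is added to ``self.misp_event`` only when
              spamtrap / attach_original_mail is enabled in the config or
              requested through the ``attach_original_mail`` body directive
     '''
     email_object = EMailObject(pseudofile=pseudofile,
                                attach_original_mail=True,
                                standalone=False)
     if email_object.attachments:
         # Create file objects for the attachments
         for attachment_name, attachment in email_object.attachments:
             # Zero-byte attachments are skipped only when configured to.
             if (self.ignore_nullsize_attachments
                     and attachment.getbuffer().nbytes == 0):
                 continue
             if not attachment_name:
                 attachment_name = 'NameMissing.txt'
             benign = (self.config_from_email_body.get('attachment')
                       == self.config.m2m_benign_attachment_keyword)
             if benign:
                 # The sender flagged the attachment as benign in the body:
                 # keep it as a plain attachment attribute, no binary parsing.
                 a = self.misp_event.add_attribute(
                     'attachment',
                     value=attachment_name,
                     data=attachment)
                 email_object.add_reference(a.uuid, 'related-to',
                                            'Email attachment')
                 continue
             f_object, main_object, sections = make_binary_objects(
                 pseudofile=attachment,
                 filename=attachment_name,
                 standalone=False)
             if self.config.vt_key:
                 # VirusTotal is queried by sha256 only: the hash, not the
                 # attachment content, leaves the instance. Leaving vt_key
                 # unset disables the lookup entirely.
                 try:
                     vt_object = VTReportObject(
                         self.config.vt_key,
                         f_object.get_attributes_by_relation('sha256')[0].value,
                         standalone=False)
                     self.misp_event.add_object(vt_object)
                     f_object.add_reference(vt_object.uuid, 'analysed-with')
                 except InvalidMISPObject as e:
                     # The lookup produced no usable report; the file object
                     # is still added below. (Dead `pass` removed.)
                     print(e)
             self.misp_event.add_object(f_object)
             if main_object:
                 self.misp_event.add_object(main_object)
                 for section in sections:
                     self.misp_event.add_object(section)
             email_object.add_reference(f_object.uuid, 'related-to',
                                        'Email attachment')
     self.process_body_iocs(email_object)
     if (self.config.spamtrap or self.config.attach_original_mail
             or self.config_from_email_body.get('attach_original_mail')):
         self.misp_event.add_object(email_object)
     return email_object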
Esempio n. 6
def generate_report(indicator, apikey):
    '''
    Build our VirusTotal report object, File object, and AV signature objects
    and link them appropriately

    :indicator: Indicator hash (or URL) to search in VT for
    :apikey: VirusTotal API key handed to VTReportObject
    :return: list of MISP objects -- the VT report first, then the file/url
             object when VT classified the resource as one, then one
             av-signature object per engine that reported a detection
    '''
    vt_report = VTReportObject(apikey, indicator)
    # Raw VT response and resource type live on private attributes of the
    # pymisp object; there is no public accessor for them.
    raw_report = vt_report._report
    resource_type = vt_report._resource_type
    report_objects = [vt_report]

    def link(obj, relationship):
        # Reference the object from the report, then collect it.
        vt_report.add_reference(referenced_uuid=obj.uuid, relationship_type=relationship)
        report_objects.append(obj)

    if resource_type == "file":
        file_object = pymisp.MISPObject(name="file")
        for algo in ("md5", "sha1", "sha256"):
            file_object.add_attribute(algo, value=raw_report[algo])
        link(file_object, "report of")
    elif resource_type == "url":
        parsed = urlsplit(indicator)
        url_object = pymisp.MISPObject(name="url")
        url_object.add_attribute("url", value=parsed.geturl())
        url_object.add_attribute("host", value=parsed.hostname)
        url_object.add_attribute("scheme", value=parsed.scheme)
        url_object.add_attribute("port", value=parsed.port)
        link(url_object, "report of")

    for engine, scan in raw_report["scans"].items():
        if not scan["detected"]:
            continue
        av_object = pymisp.MISPObject(name="av-signature")
        av_object.add_attribute("software", value=engine)
        # disable_correlation keeps MISP from correlating events on the
        # free-text engine signature name.
        av_object.add_attribute("signature", value=scan["result"], disable_correlation=True)
        link(av_object, "included-in")
    return report_objects