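def main() -> None:
    """Fetch one MWDB config, parse its IoCs and push them to MISP as one event.

    Positional CLI arguments: MWDB username and password, the config id to
    parse, the MISP URL and the MISP API key.  Note that values given on
    argv are visible to other local users through the process list; for
    unattended use prefer an environment variable or secret store.

    Returns nothing.  Exits early (without creating an event) when the
    family has no parser yet or when the parser found nothing actionable.
    """
    parser = argparse.ArgumentParser(description="Test of adding event to MISP")
    parser.add_argument("mwdb_user", help="Mwdb username")
    parser.add_argument("mwdb_pass", help="Mwdb password")
    parser.add_argument("config", help="Config")
    parser.add_argument("misp_url", help="Misp url")
    parser.add_argument("misp_key", help="Misp key")
    parser.add_argument(
        "--insecure",
        action="store_true",
        help="Disable TLS certificate verification for the MISP connection",
    )
    args = parser.parse_args()

    mwdb = Malwarecage()
    mwdb.login(args.mwdb_user, args.mwdb_pass)

    # query_config is kept outside the try: the except branch logs cfg.family,
    # which would be unbound if the lookup itself raised.
    cfg = mwdb.query_config(args.config)
    try:
        iocs = parse(cfg.family, cfg.cfg)
    except FamilyNotSupportedYetError:
        logging.info("Family %s not supported yet...", cfg.family)
        return
    if not iocs:
        # Nothing actionable found - skip the config
        return

    event = MISPEvent()
    event.add_tag(f"mwdb:family:{cfg.family}")
    event.info = f"Malware configuration ({cfg.family})"
    for misp_object in iocs.to_misp():
        event.add_object(misp_object)

    # Certificate verification stays on unless --insecure is given: the MISP
    # API key is sent with every request, so an unverified TLS connection
    # would expose it to an on-path attacker.
    misp = PyMISP(args.misp_url, args.misp_key, ssl=not args.insecure)
    misp.add_event(event)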
def main():
    """Print the parsed IoCs of every recent static config in MWDB (smoke test).

    Positional CLI arguments: MWDB username and password.  For each static
    config the config id is printed, followed by the pretty-printed parser
    output.  Nothing is returned.
    """
    parser = argparse.ArgumentParser(
        description="Test parser on the top mwdb configs"
    )
    parser.add_argument("mwdb_user", help="Mwdb username")
    parser.add_argument("mwdb_pass", help="Mwdb password")
    args = parser.parse_args()

    mwdb = Malwarecage()
    mwdb.login(args.mwdb_user, args.mwdb_pass)

    # Only static configs are handled here; everything else is skipped.
    static_configs = (c for c in mwdb.recent_configs() if c.type == "static")
    for config in static_configs:
        print(config.id)
        result = parse(config.family, config.cfg)
        print(result.prettyprint())
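class MalwarecageUploadsMetadata(Metadata):
    """Resolve mquery matches under the Malwarecage '/uploads' tree to sample metadata.

    :param mwdb_api_token: API key for 'mquery' user in Malwarecage
    :param mwdb_api_url: API URL accessible from mquery daemon
    :param mwdb_url: Malwarecage URL accessible for mquery users
    """

    __depends_on__: List[Any] = []

    def __init__(
        self, mwdb_api_token: str, mwdb_api_url: str, mwdb_url: str
    ) -> None:
        super().__init__()
        self.mwdb = Malwarecage(api_url=mwdb_api_url, api_key=mwdb_api_token)
        self.mwdb_url = mwdb_url

    def extract(self, matched_fname, current_meta):
        """Return Malwarecage metadata for the matched file.

        :param matched_fname: path of the matched file; only paths laid out
            as ``.../<h1>/<h2>/<h3>/<h4>/<h1h2h3h4...hex>`` are recognised
        :param current_meta: metadata gathered so far; ``current_meta["job"]``
            is read (KeyError if absent) and recorded on the sample as the
            ``mquery`` metakey
        :return: dict of metadata entries (``mwdb_tag_<tag>`` and
            ``mwdb_analysis``), ``{}`` when the path does not match
        """
        # '/uploads' Malwarecage directory format
        # /mnt/samples/9/d/c/5/9dc571ae13a62954155999cae9cecc4f0689e2ba9a8940f81d1e564271507a3e
        m = re.search(
            r"/([a-f0-9])/([a-f0-9])/([a-f0-9])/([a-f0-9])/(\1\2\3\4[a-f0-9]+)$",
            matched_fname,
        )
        if not m:
            return {}
        # Group 5 is limited to hex digits by the regex, so it can be placed
        # in the URL below without further escaping.
        binary_hash = m.group(5)

        cached = self.cache_fetch(binary_hash)
        if cached:
            return cached

        metadata = {}
        sample = self.mwdb.query(binary_hash, raise_not_found=False)
        if sample:
            # Tag names come from the Malwarecage instance and are used both
            # as part of the metadata key and as display_text; the consumer
            # rendering display_text is expected to escape it.
            for tag in sample.tags:
                query = urllib.parse.urlencode({"q": f'tag:"{tag}"'})
                # Add queryable metadata for each tag from Malwarecage
                metadata[f"mwdb_tag_{tag}"] = {
                    "display_text": tag,
                    "url": f"{self.mwdb_url}/?{query}",
                }
            # Add metadata with link to sample in Malwarecage instance
            metadata["mwdb_analysis"] = {
                "display_text": "mwdb",
                "url": f"{self.mwdb_url}/sample/{binary_hash}",
            }
            job_id = current_meta["job"]
            # Add metakey with job identifier
            sample.add_metakey("mquery", job_id)
        # NOTE(review): an unknown sample stores an empty dict, which is falsy
        # on cache_fetch and so is re-queried on every match — confirm intended.
        self.cache_store(binary_hash, metadata)
        return metadata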
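class MalwarecageUploadsMetadata(MetadataPlugin):
    """Metadata plugin that maps matches in the '/uploads' tree to Malwarecage samples.

    Configuration keys are described in ``config_fields``; the plugin keeps
    an API client built from ``mwdb_api_url``/``mwdb_api_token`` and uses
    ``mwdb_url`` only to build user-facing links.
    """

    cacheable = False
    is_extractor = True
    config_fields = {
        "mwdb_url": "URL to the Malwarecage instance (e.g. https://mwdb.cert.pl/)",
        "mwdb_api_url": "API URL to the Malwarecage instance (e.g. https://mwdb.cert.pl/api/)",
        "mwdb_api_token": "API key for 'mquery' user in Malwarecage (base64-encoded, starts with ey...)",
    }

    def __init__(self, db: Database, config: MetadataPluginConfig) -> None:
        super().__init__(db, config)
        self.mwdb = Malwarecage(
            api_url=config["mwdb_api_url"], api_key=config["mwdb_api_token"]
        )
        self.mwdb_url = config["mwdb_url"]

    def identify(self, matched_fname: str) -> Optional[str]:
        """Return the sample hash encoded in *matched_fname*, or None.

        Only paths laid out as ``.../<h1>/<h2>/<h3>/<h4>/<h1h2h3h4...hex>``
        are recognised; the returned value is therefore always lowercase hex.
        """
        m = re.search(
            r"/([a-f0-9])/([a-f0-9])/([a-f0-9])/([a-f0-9])/(\1\2\3\4[a-f0-9]+)$",
            matched_fname,
        )
        if not m:
            return None
        return m.group(5)

    def extract(self, identifier: str, matched_fname: str, current_meta: Metadata) -> Metadata:
        """Return Malwarecage metadata for the sample with hash *identifier*.

        :param identifier: sample hash as produced by :meth:`identify`
        :param matched_fname: matched path (unused here, kept for the plugin interface)
        :param current_meta: metadata gathered so far; ``current_meta["job"]``
            is read (KeyError if absent) and recorded on the sample as the
            ``mquery`` metakey
        :return: dict with ``mwdb_tag_<tag>`` and ``mwdb_analysis`` entries,
            empty when the sample is unknown to Malwarecage
        """
        # '/uploads' Malwarecage directory format
        # /mnt/samples/9/d/c/5/9dc571ae13a62954155999cae9cecc4f0689e2ba9a8940f81d1e564271507a3e
        metadata = {}
        sample = self.mwdb.query(identifier, raise_not_found=False)
        if sample:
            # Links are built relative to mwdb_url; normalise to exactly one
            # trailing slash so a config value without it still yields valid URLs.
            base_url = self.mwdb_url.rstrip("/") + "/"
            # Tag names come from the Malwarecage instance and are used both
            # as part of the metadata key and as display_text; the consumer
            # rendering display_text is expected to escape it.
            for tag in sample.tags:
                query = urllib.parse.urlencode({"q": f'tag:"{tag}"'})
                # Add queryable metadata for each tag from Malwarecage
                metadata[f"mwdb_tag_{tag}"] = {
                    "display_text": tag,
                    "url": f"{base_url}?{query}",
                }
            # Add metadata with link to sample in Malwarecage instance;
            # identifier is hex-only (see identify) so no escaping is needed.
            metadata["mwdb_analysis"] = {
                "display_text": "mwdb",
                "url": f"{base_url}sample/{identifier}",
            }
            job_id = current_meta["job"]
            # Add metakey with job identifier
            sample.add_metakey("mquery", job_id)
        return metadata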
def main():
    """Pretty-print parsed IoCs for one config id, or for all recent static configs.

    Positional CLI arguments: MWDB username and password, and an optional
    config id.  With a config id only that config is parsed and printed;
    without one every recent static config is printed (id, then parser
    output).  Nothing is returned.
    """
    parser = argparse.ArgumentParser(
        description="Test parser on the top mwdb configs"
    )
    parser.add_argument("mwdb_user", help="Mwdb username")
    parser.add_argument("mwdb_pass", help="Mwdb password")
    parser.add_argument("config_id", help="Config to parse", default=None, nargs="?")
    args = parser.parse_args()

    mwdb = Malwarecage()
    mwdb.login(args.mwdb_user, args.mwdb_pass)

    def show(config):
        # Shared output path for the single-config and the bulk branch.
        result = parse(config.family, config.cfg)
        print(result.prettyprint())

    if args.config_id is not None:
        show(mwdb.query_config(args.config_id))
        return

    # Only static configs are handled here; everything else is skipped.
    for config in mwdb.recent_configs():
        if config.type == "static":
            print(config.id)
            show(config)
def main() -> None:
    """Download MWDB configs into ``testdata/`` next to this file as JSON fixtures.

    Positional CLI arguments: MWDB username and password, and an optional
    config id.  With a config id a single ``<family>_<id>.json`` fixture is
    written; without one, the first recent static config of each family is
    written.  Nothing is returned.
    """
    parser = argparse.ArgumentParser(
        description="Downloading test data from MWDB"
    )
    parser.add_argument("mwdb_user", help="Mwdb username")
    parser.add_argument("mwdb_pass", help="Mwdb password")
    parser.add_argument(
        "mwdb_config_id", nargs="?", help="Config Id", default=""
    )
    args = parser.parse_args()

    script_dir = os.path.abspath(os.path.dirname(__file__))
    testdir = script_dir + "/testdata/"

    mwdb = Malwarecage()
    mwdb.login(args.mwdb_user, args.mwdb_pass)

    config_id = args.mwdb_config_id
    if config_id:
        cfg = mwdb.query_config(config_id)
        generate_config_json_file(testdir, f"{cfg.family}_{config_id}.json", cfg)
        return

    # One fixture per family: later configs of an already-seen family are skipped.
    seen_families = set()
    for cfg in mwdb.recent_configs():
        if cfg.type != "static" or cfg.family in seen_families:
            continue
        generate_config_json_file(testdir, f"{cfg.family}_{cfg.id}.json", cfg)
        seen_families.add(cfg.family)
def __init__(self, db: Database, config: MetadataPluginConfig) -> None:
    """Initialise the plugin and build the Malwarecage API client.

    Reads ``mwdb_api_url``, ``mwdb_api_token`` and ``mwdb_url`` from
    *config* (KeyError if one is missing); the first two configure the
    API client, the last is kept for building user-facing links.
    """
    super().__init__(db, config)
    api_url = config["mwdb_api_url"]
    api_token = config["mwdb_api_token"]
    self.mwdb = Malwarecage(api_url=api_url, api_key=api_token)
    self.mwdb_url = config["mwdb_url"]
def __init__(
    self, mwdb_api_token: str, mwdb_api_url: str, mwdb_url: str
) -> None:
    """Initialise the plugin and build the Malwarecage API client.

    :param mwdb_api_token: API key used to authenticate the client
    :param mwdb_api_url: API endpoint the client talks to
    :param mwdb_url: instance URL kept for building user-facing links
    """
    super().__init__()
    client = Malwarecage(api_url=mwdb_api_url, api_key=mwdb_api_token)
    self.mwdb = client
    self.mwdb_url = mwdb_url