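def _malwarebazaar(self, sha256_digest, cache=True):
    """Return the MalwareBazaar ``get_info`` record for a sample, caching it in Mongo.

    The sample document is read from ``db.file_collection``; when it has no
    ``malwarebazaar`` entry (or ``cache`` is False) ``API_ENDPOINT`` is queried
    with ``{'query': 'get_info', 'hash': sha256_digest}`` and the JSON reply is
    stored under the ``malwarebazaar`` key before being returned.

    Args:
        sha256_digest: SHA-256 hex digest of the sample to look up.
        cache: when True (default) an already cached entry is returned without
            contacting MalwareBazaar.

    Returns:
        The stored MalwareBazaar reply (a dict) whose ``query_status`` is ``'ok'``.

    Raises:
        error.InterfaceWarning: the request failed, the reply was not JSON, the
            hash is unknown to MalwareBazaar, or ``query_status`` is not ``'ok'``.
        error.MongoError: the entry could not be read back after the update.
    """
    params = {'query': 'get_info', 'hash': sha256_digest}
    document = db.file_collection.select(sha256_digest)
    # `select` may return nothing for an unknown hash; treat that as a cache
    # miss instead of failing on `'malwarebazaar' in None`.
    if not cache or not document or 'malwarebazaar' not in document:
        try:
            response = requests.post(API_ENDPOINT, data=params, headers=HEADERS,
                                     proxies=PROXIES, timeout=10)
        except requests.exceptions.RequestException as exc:
            raise error.InterfaceWarning(
                'failed to connect to MalwareBazaar') from exc
        # The header can be absent; default to '' so the membership test
        # cannot raise TypeError on None.
        if 'application/json' not in response.headers.get('content-type', ''):
            raise error.InterfaceWarning(
                'invalid response received from MalwareBazaar')
        try:
            payload = response.json()
        except ValueError as exc:
            # Content-type claimed JSON but the body did not parse.
            raise error.InterfaceWarning(
                'invalid response received from MalwareBazaar') from exc
        # The raw API reply is cached verbatim; only `query_status` is
        # inspected below, nothing else in it is validated here.
        db.file_collection.update(sha256_digest, {'malwarebazaar': payload})
        document = db.file_collection.select(sha256_digest)
        if not document or 'malwarebazaar' not in document:
            raise error.MongoError(
                'error adding malwarebazaar into file document %s' % sha256_digest)
    # A reply without `query_status` falls through to the generic failure
    # instead of raising KeyError.
    status = str(document['malwarebazaar'].get('query_status'))
    if status == 'hash_not_found':
        raise error.InterfaceWarning('File not present in MalwareBazaar')
    if status != 'ok':
        raise error.InterfaceWarning('An unexpected error occured')
    return document['malwarebazaar']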
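def info(self, args, file, opts):
    """Summarise the Cuckoo analyses of *file* as a list of score/machine pairs.

    Resolves the sample id via ``/files/view/sha256/<digest>``, lists the
    tasks via ``/tasks/list`` and, for every task belonging to the sample,
    fetches ``/tasks/report/<id>`` and records ``info.score`` and
    ``info.machine.name`` from the report.

    Args:
        args: unused here.
        file: object exposing ``sha256_digest``.
        opts: unused here.

    Returns:
        ``{'info': [{'score': ..., 'name': ...}, ...]}``, or the tuple
        ``("No reports, sample must be pending/running", "pending")`` when the
        task listing does not answer with HTTP 200.

    Raises:
        error.InterfaceError: Cuckoo could not be reached.
        error.InterfaceWarning: a reply was not valid JSON, the file was never
            submitted, or no report could be collected.
    """

    def _get(path):
        # VERIFY decides whether the Cuckoo server certificate is checked;
        # a False value leaves the connection unauthenticated.
        try:
            return requests.get(CUCKOO_API + path, verify=VERIFY, timeout=10)
        except requests.exceptions.RequestException as exc:
            raise error.InterfaceError("failed to connect to Cuckoo") from exc

    def _json(response):
        # `.json()` raises ValueError on a non-JSON body, which
        # RequestException does not cover.
        try:
            return response.json()
        except ValueError as exc:
            raise error.InterfaceWarning(
                "invalid response received from Cuckoo") from exc

    # assumes file.sha256_digest is a validated hex digest — it is inserted
    # into the URL path unescaped; confirm at the caller.
    j = _json(_get('/files/view/sha256/' + file.sha256_digest))
    if 'sample' not in j:
        raise error.InterfaceWarning(
            "file has never been submitted to Cuckoo")
    s_id = j['sample']['id']

    r = _get('/tasks/list')
    if r.status_code != requests.codes.ok:  # pylint: disable=no-member
        return "No reports, sample must be pending/running", "pending"

    output = []
    for t in _json(r)['tasks']:
        if t['sample_id'] != s_id:
            continue
        report = _get('/tasks/report/' + str(t['id']))
        # Reports that are not (yet) available are skipped silently.
        if report.status_code != requests.codes.ok:  # pylint: disable=no-member
            continue
        report_json = _json(report)
        output.append({
            'score': report_json['info']['score'],
            'name': report_json['info']['machine']['name'],
        })
    if not output:
        # Raised rather than returned: every other failure path here raises
        # InterfaceWarning, so returning the instance was almost certainly a typo.
        raise error.InterfaceWarning("no information available!")
    return {'info': output}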
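def _vt_scan(self, sha256_digest, cache=True):
    """Return the VirusTotal v2 file report for a sample, caching it in Mongo.

    The sample document is read from ``db.file_collection``; when it has no
    ``vt`` entry (or ``cache`` is False) the v2 ``file/report`` endpoint is
    queried with ``apikey``/``resource``/``allinfo`` parameters and the JSON
    reply is stored under the ``vt`` key before being returned.

    Args:
        sha256_digest: SHA-256 hex digest of the sample to look up.
        cache: when True (default) an already cached report is returned without
            contacting VirusTotal.

    Returns:
        The stored VirusTotal reply (a dict) with a non-zero ``response_code``.

    Raises:
        error.InterfaceWarning: the request failed, the reply was not JSON or
            lacked ``response_code``, the file is unknown to VirusTotal, or a
            private key is configured but the cached report has no private data.
        error.MongoError: the entry could not be read back after the update.
    """
    # NOTE: the API key travels as a query parameter (v2 API design), so it
    # will appear in any proxy or server access log of this URL.
    params = {
        'apikey': API_KEY,
        'resource': sha256_digest,
        'allinfo': 1,
    }
    document = db.file_collection.select(sha256_digest)
    # `select` may return nothing for an unknown hash; treat that as a cache
    # miss instead of failing on `'vt' in None`.
    if not cache or not document or 'vt' not in document:
        try:
            response = requests.get('https://www.virustotal.com/vtapi/v2/file/report',
                                    params=params, headers=HEADERS,
                                    proxies=PROXIES, timeout=10)
        except requests.exceptions.RequestException as exc:
            raise error.InterfaceWarning("failed to connect to VirusTotal") from exc
        # The header can be absent; default to '' so the membership test
        # cannot raise TypeError on None.
        if 'application/json' not in response.headers.get('content-type', ''):
            raise error.InterfaceWarning("invalid response received from VirusTotal")
        # Parse once; the original decoded the body twice.
        try:
            payload = response.json()
        except ValueError as exc:
            raise error.InterfaceWarning("invalid response received from VirusTotal") from exc
        if 'response_code' not in payload:
            raise error.InterfaceWarning("unknown response from VirusTotal")
        db.file_collection.update(sha256_digest, {'vt': payload})
        document = db.file_collection.select(sha256_digest)
        if not document or 'vt' not in document:
            raise error.MongoError('error adding vt into file document %s' % sha256_digest)
    # `== 0`, not `is 0`: identity comparison with an int literal is not
    # guaranteed and is a SyntaxWarning on current CPython.
    if document['vt']["response_code"] == 0:
        raise error.InterfaceWarning("file is not present on VirusTotal")
    # Check if we had public key but now its private, if so warn that cache is out of date
    # NOTE: we just check for missing info variable
    if IS_PRIVATE and 'first_seen' not in document['vt']:
        raise error.InterfaceWarning("private key specified but no private api data in cache, please flush vt cache for sample")
    return document['vt']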
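def reports(self, args, file, opts):
    """List the Cuckoo tasks recorded for *file*.

    Resolves the sample id via ``/files/view/sha256/<digest>``, then filters
    ``/tasks/list`` down to the tasks whose ``sample_id`` matches and returns
    their id, web URL (``cuckoo_url`` + id), ``added_on`` timestamp and status.

    Args:
        args: unused here.
        file: object exposing ``sha256_digest``.
        opts: unused here.

    Returns:
        ``{'reports': [{'id', 'url', 'timestamp', 'status'}, ...]}`` (the list
        may be empty), or the tuple
        ``("No reports, sample must be pending/running", "pending")`` when the
        task listing does not answer with HTTP 200.

    Raises:
        error.InterfaceError: Cuckoo could not be reached.
        error.InterfaceWarning: a reply was not valid JSON or the file was
            never submitted.
    """

    def _get(path):
        # VERIFY decides whether the Cuckoo server certificate is checked;
        # a False value leaves the connection unauthenticated.
        try:
            return requests.get(CUCKOO_API + path, verify=VERIFY, timeout=10)
        except requests.exceptions.RequestException as exc:
            raise error.InterfaceError("failed to connect to Cuckoo") from exc

    def _json(response):
        # `.json()` raises ValueError on a non-JSON body, which
        # RequestException does not cover.
        try:
            return response.json()
        except ValueError as exc:
            raise error.InterfaceWarning(
                "invalid response received from Cuckoo") from exc

    # assumes file.sha256_digest is a validated hex digest — it is inserted
    # into the URL path unescaped; confirm at the caller.
    j = _json(_get('/files/view/sha256/' + file.sha256_digest))
    if 'sample' not in j:
        raise error.InterfaceWarning(
            "file has never been submitted to Cuckoo")
    s_id = j['sample']['id']

    r = _get('/tasks/list')
    if r.status_code != requests.codes.ok:  # pylint: disable=no-member
        return "No reports, sample must be pending/running", "pending"

    base_url = config.scale_configs['cuckoo']['cuckoo_url']
    output = {'reports': []}
    for t in _json(r)['tasks']:
        if t['sample_id'] != s_id:
            continue
        task_id = str(t['id'])
        output['reports'].append({
            'id': task_id,
            'url': base_url + task_id,
            'timestamp': str(t['added_on']),
            'status': str(t['status']),
        })
    return output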