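def remoteSearch(self):
    """Queue an HTTP lookup of ``self.ioc`` against malwaredb.malekal.com.

    The query parameter follows ``self.type``: hashes go in ``hash=``,
    URLs/domains in ``url=`` and IP addresses in ``domaine=`` (the
    parameter name that site uses).  The built URL is kept in ``self.url``
    and the request dict is JSON-serialised into ``self.queues`` through
    ``store_request``.

    Returns:
        None.  An IOC type this module does not handle is reported through
        ``mod.display`` and nothing is queued.
    """
    from urllib.parse import quote

    mod.display("%s_remote" % self.module_name, self.ioc, "INFO",
                string="Browsing in remote http")
    # NOTE: the lookup goes over cleartext HTTP, so the IOC is visible on the wire.
    url = "http://malwaredb.malekal.com/index.php?"
    if self.type in ["MD5", "SHA1", "SHA256", "SHA512"]:
        base = "hash="
    elif self.type in ["URL", "domain"]:
        base = "url="
    elif self.type in ["IPv4", "IPv6"]:
        base = "domaine="
    else:
        # Previously any other type fell through with `base` unbound
        # (UnboundLocalError on the concatenation below).
        mod.display("%s_remote" % self.module_name, self.ioc, "ERROR",
                    string="Unsupported IOC type for this module: %s" % self.type)
        return None
    # Percent-encode the IOC: a URL-typed IOC containing '&', '#' or '?'
    # would otherwise be split into extra query parameters by the server.
    # Hex hashes, IPs and plain domains are left unchanged by quote().
    self.url = url + base + quote(self.ioc, safe="")
    request = {
        'url': self.url,
        'headers': self.headers,
        'module': self.module_name,
        'ioc': self.ioc,
        'verbose': self.verbose,
        'proxy': self.proxy
    }
    json_request = json.dumps(request)
    store_request(self.queues, json_request)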
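def search(self):
    """Pick a VirusTotal API key and queue the lookup for ``self.ioc``.

    The key is chosen from ``self.config["virustotal_api_keys"]`` with a
    ``random.Random`` seeded by the IOC, so the same IOC always maps to the
    same key.  URL/domain/IPv4 IOCs are built by ``self.searchURL()``,
    every other type by ``self.searchReport()``; the result is handed to
    ``store_request``.

    Returns:
        None.  Missing or malformed key configuration is reported through
        ``mod.display`` and nothing is queued.
    """
    mod.display(self.module_name, "", "INFO", "Search in VirusTotal ...")
    try:
        has_keys = "virustotal_api_keys" in self.config
    except TypeError:
        # self.config is not a container (e.g. None); was a bare `except:`
        # that also swallowed KeyboardInterrupt/SystemExit.
        mod.display(self.module_name, self.ioc, "ERROR",
                    "Please provide your authkey.")
        return None
    if not has_keys:
        mod.display(self.module_name, self.ioc, message_type="ERROR",
                    string="Check if you have virustotal_api_keys field in btg.cfg")
        return None
    try:
        self.key = random.Random(self.ioc).choice(
            self.config["virustotal_api_keys"])
    except (IndexError, KeyError, TypeError, ValueError):
        # Empty key list, wrong container type, or an unhashable seed.
        mod.display(self.module_name, self.ioc, message_type="ERROR",
                    string="Check if you have filled virustotal_api_keys in btg.cfg")
        return None
    if self.type in ["URL", "domain", "IPv4"]:
        request = self.searchURL()
    else:
        request = self.searchReport()
    store_request(self.queues, request)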
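def search(self, api_url, web_url, indice):
    """Queue a Cuckoo Sandbox ``files/view`` lookup for an MD5 or SHA256 IOC.

    Args:
        api_url: base URL of the Cuckoo REST API; the path is appended
            directly, so no trailing slash is expected.
        web_url: Cuckoo web UI base URL; not used here, kept for the
            caller's signature.
        indice: server index stored as ``server_id`` in the queued request.

    Returns:
        None.  Missing config fields or an unsupported IOC type are reported
        through ``mod.display`` and nothing is queued.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    required = ("cuckoosandbox_api_url", "user_agent", "proxy_host",
                "requests_timeout")
    if not all(field in self.config for field in required):
        # Was `self.module` (most likely an AttributeError); the rest of this
        # block and the sibling modules use self.module_name.
        mod.display(self.module_name, self.ioc, "ERROR",
                    "Check if you have filled cuckoosandbox fields in btg.cfg")
        return None
    if self.type == "MD5":
        url = "%s/files/view/md5/%s" % (api_url, self.ioc)
    elif self.type == "SHA256":
        url = "%s/files/view/sha256/%s" % (api_url, self.ioc)
    else:
        # Previously `url` stayed unbound for any other IOC type.
        mod.display(self.module_name, self.ioc, "ERROR",
                    "Unsupported IOC type for cuckoosandbox: %s" % self.type)
        return None
    request = {
        'url': url,
        'headers': self.headers,
        'module': self.module_name,
        'ioc': self.ioc,
        'verbose': self.verbose,
        'proxy': self.proxy,
        'server_id': indice
    }
    json_request = json.dumps(request)
    store_request(self.queues, json_request)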
def search(self):
    """Queue a hash lookup of ``self.ioc`` against the iris-h search API.

    Stores the built URL in ``self.url`` and serialises the request dict
    into ``self.queues`` through ``store_request``.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    self.url = "https://iris-h.services/api/search?hash=" + self.ioc
    queued = dict(
        url=self.url,
        headers=self.headers,
        module=self.module_name,
        ioc=self.ioc,
        verbose=self.verbose,
        proxy=self.proxy,
    )
    store_request(self.queues, json.dumps(queued))
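def Search(self):
    """Pick a MetaDefender API key and queue a hash lookup for ``self.ioc``.

    The key is chosen from ``self.config['metadefender_api_keys']`` with a
    ``random.Random`` seeded by the IOC (same IOC -> same key) and placed in
    the ``apikey`` header.  The request dict -- headers included, so the key
    is serialised into the queue as well -- is passed to ``store_request``.

    Returns:
        None.  Missing or malformed key configuration is reported through
        ``mod.display`` and nothing is queued.
    """
    mod.display(self.module_name, "", "INFO", "Search in MetaDefender ...")
    try:
        has_keys = 'metadefender_api_keys' in self.config
    except TypeError:
        # self.config is not a container (e.g. None); was a bare `except:`.
        mod.display(self.module_name, self.ioc, "ERROR",
                    "Please provide your MetaDefender key")
        return None
    if not has_keys:
        mod.display(self.module_name, self.ioc, message_type="ERROR",
                    string="Check if you have metadefender_api_keys field in btg.cfg")
        return None
    try:
        api_key = random.Random(self.ioc).choice(
            self.config['metadefender_api_keys'])
        self.headers['apikey'] = api_key
    except (IndexError, KeyError, TypeError, ValueError):
        # Empty key list, wrong container type, or an unhashable seed.
        mod.display(self.module_name, self.ioc, message_type="ERROR",
                    string="Check if you have filled metadefender_api_keys in btg.cfg")
        return None
    # URL building
    self.url = "https://api.metadefender.com/v2/hash/" + self.ioc
    request = {
        'url': self.url,
        'headers': self.headers,
        'module': self.module_name,
        'ioc': self.ioc,
        'verbose': self.verbose,
        'proxy': self.proxy
    }
    json_request = json.dumps(request)
    store_request(self.queues, json_request)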
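def vxstream_api(self):
    """Queue a Hybrid Analysis (VxStream) v2 search for ``self.ioc``.

    One key from ``self.config['vxstream_api_keys']`` is selected with a
    ``random.Random`` seeded by the IOC (same IOC -> same key) and sent in
    the ``api-key`` header.  Hash IOCs use the ``/search/hash`` endpoint;
    everything else uses ``/search/terms`` with a ``host``, ``url`` or
    ``domain`` form field.  The request dict (headers included, so the key
    is serialised into the queue too) is passed to ``store_request``.

    Returns:
        None.  Missing or empty key configuration is reported through
        ``mod.display`` and nothing is queued.
    """
    from urllib.parse import urlencode

    # The error messages now name the config key this code actually reads
    # (they used to say `vxstream_api_keys_secret`).
    if 'vxstream_api_keys' not in self.config:
        mod.display(
            self.module_name, self.ioc, "ERROR",
            "Check if you have vxstream_api_keys field in btg.cfg")
        return None
    try:
        self.headers['api-key'] = random.Random(self.ioc).choice(
            self.config['vxstream_api_keys'])
    except (IndexError, KeyError, TypeError, ValueError):
        # Empty key list, wrong container type, or an unhashable seed;
        # was a bare `except:` that also swallowed KeyboardInterrupt.
        mod.display(
            self.module_name, self.ioc, "ERROR",
            "Check if you have filled vxstream_api_keys in btg.cfg")
        return None
    if self.type in ["MD5", "SHA1", "SHA256"]:
        self.url = "https://www.hybrid-analysis.com/api/v2/search/hash"
        field = "hash"
    else:
        self.url = "https://www.hybrid-analysis.com/api/v2/search/terms"
        if self.type in ["IPv4", "IPv6"]:
            field = "host"
        elif self.type == "URL":
            field = "url"
        else:
            field = "domain"
    # Form-encode the body: a raw '&' or '=' inside a URL IOC would
    # otherwise be parsed by the server as an extra form field.
    self.data = urlencode({field: self.ioc})
    request = {
        'url': self.url,
        'headers': self.headers,
        'data': self.data,
        'module': self.module_name,
        'ioc': self.ioc,
        'verbose': self.verbose,
        'proxy': self.proxy
    }
    json_request = json.dumps(request)
    store_request(self.queues, json_request)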
def Search(self, misp_url, misp_key, indice):
    """Queue a MISP ``attributes/restSearch/json`` lookup for ``self.ioc``.

    Args:
        misp_url: MISP base URL; the path is appended directly, so it is
            expected to end with '/'.
        misp_key: MISP auth key, written into the ``Authorization`` header
            (and therefore serialised into the queue with the request).
        indice: server index recorded as ``server_id`` in the queued request.

    The queued request also carries ``self.verify`` (TLS verification flag).
    """
    mod.display(self.module_name, "", "INFO", "Search in misp...")
    endpoint = "{}attributes/restSearch/json".format(misp_url)
    self.headers['Authorization'] = misp_key
    body = json.dumps({'value': self.ioc, 'searchall': 1})
    queued = {
        'url': endpoint,
        'headers': self.headers,
        'data': body,
        'module': self.module_name,
        'ioc': self.ioc,
        'verbose': self.verbose,
        'proxy': self.proxy,
        'verify': self.verify,
        'server_id': indice,
    }
    store_request(self.queues, json.dumps(queued))
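def lookup_API(self):
    """Queue a Google Safe Browsing v4 ``threatMatches:find`` lookup.

    One key from ``self.config['googlesb_api_keys']`` is chosen with a
    ``random.Random`` seeded by the IOC (same IOC -> same key) and appended
    to the URL as the ``key=`` query parameter -- so it sits in ``self.url``
    and in the queued request, not in a header.  The JSON payload lists the
    threat/platform types to match and one threat entry built from the IOC.

    Returns:
        None.  Missing or empty key configuration is reported through
        ``mod.display`` and nothing is queued.
    """
    mod.display(self.module_name, "", "INFO",
                "Search in Google Safe Browsing ...")
    if 'googlesb_api_keys' not in self.config:
        mod.display(
            self.module_name, self.ioc, message_type="ERROR",
            string="Check if you have googlesb_api_keys field in btg.cfg")
        return None
    try:
        api_key = random.Random(self.ioc).choice(
            self.config['googlesb_api_keys'])
    except (IndexError, KeyError, TypeError, ValueError):
        # Empty key list, wrong container type, or an unhashable seed;
        # was a bare `except:`.
        mod.display(
            self.module_name, self.ioc, message_type="ERROR",
            string="Check if you have filled googlesb_api_keys in btg.cfg")
        return None
    self.url = ("https://safebrowsing.googleapis.com/v4/threatMatches:find?key="
                + api_key)
    # TODO: the SHA256 and IP branches still get a 400 status_code from the
    # API.  The entry key per branch was computed before but never used
    # (threatTypeEntry); it is now the key of the threat entry.
    if self.type == "SHA256":
        threat_type, entry_key = "EXECUTABLE", "hash"
    elif self.type in ["IPv4", "IPv6"]:
        threat_type, entry_key = "IP_RANGE", "ip"
    else:
        threat_type, entry_key = "URL", "url"
    payload = {
        "threatInfo": {
            "threatTypes": [
                "MALWARE",
                "SOCIAL_ENGINEERING",
                "UNWANTED_SOFTWARE",
                "POTENTIALLY_HARMFUL_APPLICATION"
            ],
            "platformTypes": [
                "ANY_PLATFORM",
                "ALL_PLATFORMS",
                "WINDOWS",
                "LINUX",
                "OSX",
                "ANDROID",
                "IOS"
            ],
            "threatEntryTypes": [threat_type],
            "threatEntries": [{entry_key: str(self.ioc)}]
        }
    }
    self.data = json.dumps(payload)
    request = {
        'url': self.url,
        'headers': self.headers,
        'data': self.data,
        'module': self.module_name,
        'ioc': self.ioc,
        'verbose': self.verbose,
        'proxy': self.proxy
    }
    json_request = json.dumps(request)
    store_request(self.queues, json_request)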