    def submit_file(self, file: File):
        """Upload *file* for scanning and return the converted JSON reply.

        Files larger than 32 MiB are not posted to the default scan endpoint:
        a one-off upload URL is fetched first and the multipart upload is
        redirected there, without the API-key form field.

        Args:
            file: sample to submit; ``file.name``, ``file.fd()`` and
                ``file.len`` are read.

        Returns:
            The scan response after ``frmt.jsontree`` and ``frmt.jsonvert``.
        """
        large_file_limit = 32 * 1024 * 1024
        spec = self.api_subf
        spec.data = self.get_apikey()
        spec.file = {"file": (file.name, file.fd())}

        if file.len > large_file_limit:
            # The API key is sent as a query parameter here, so it ends up in
            # the request URL (and in any proxy or server log of it).
            upload_url_spec = APISpec("GET", "https://www.virustotal.com",
                                      "/vtapi/v2/file/scan/upload_url")
            upload_url_spec.param = {**self.get_apikey()}
            reply, _ = request(upload_url_spec)
            reply = frmt.jsontree(reply)
            spec.fulluri = reply["upload_url"]
            spec.data = None
        else:
            # Presumably restores the default endpoint after an earlier
            # large-file submission overrode ``fulluri`` -- TODO confirm in APISpec.
            spec.default()

        reply, _ = request(spec)
        reply = frmt.jsontree(reply)
        # Opening reply["permalink"] in a browser was left disabled by the author.
        return frmt.jsonvert(reply)
class PDFExaminer(Service):
    """PDF Examiner: hash lookup and PDF submission over its JSON API.

    Only ``report_file`` and ``submit_file`` are implemented; every other
    operation is marked ``Service.unsupported``.
    """

    name = "PDF Examiner"
    sname = "pe"
    api_keyl = 32

    desc = (f"{name} is an in-depth, automated PDF analysis service with\n"
            "obfuscation, encryption and stream analysis and exploit detection")
    subs = "public/private"
    url = "https://www.pdfexaminer.com/"

    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://www.pdfexaminer.com", "/pdfapirep.php")
    api_subf = APISpec("POST", "https://www.pdfexaminer.com", "/pdfapi.php")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://www.pdfexaminer.com/
    # https://github.com/mwtracker/pdfexaminer_tools

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    def report_file(self, hash: Hash):
        """Look up *hash* and return the pretty-printed JSON report.

        The algorithm name (``hash.alg``) is used as the form-field name, so
        the service receives e.g. ``<alg>=<digest>``.
        """
        spec = self.api_repf
        spec.data = {"type": "json", hash.alg: hash.hash}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    def submit_file(self, file: File):
        """Upload *file* for analysis and return the pretty-printed report.

        When the upload is not a PDF the service answers with a plain-text
        message instead of JSON; that case is detected by a substring match
        on the raw body, which breaks if the service ever rewords it.
        """
        spec = self.api_subf
        spec.file = {"sample[]": file.fd()}
        spec.data = {"type": "json", "message": "", "email": ""}
        reply, _ = request(spec)
        not_pdf_marker = " is not a PDF file. Not processed."
        if not_pdf_marker in reply:
            return f"{file} is not a PDF file"
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
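class VxStream(Service):
    """VxStream Sandbox: state/report/result lookup and sample/URL submission.

    File and URL results are keyed by the SHA-256 of the submission and are
    only fetched once ``api_stat`` reports the run for ``environment_id`` as
    ``SUCCESS``; the read-only methods therefore call ``state`` first.
    Two hosts (demo11 / demo12) are hard-coded into the specs below.

    Note that ``get_apikey()`` is sent as query parameters by most methods,
    so the key appears in request URLs and in whatever logs those URLs reach.
    """

    name = "VxStream"
    sname = "vs"
    api_keyl = 25

    desc = (f"{name} features in-depth static and dynamic analysis techniques\n"
            "within sanboxed environments and is a malware repository created by\n"
            "Payload Security")
    subs = "private"
    url = "https://www.vxstream-sandbox.com/"

    api_stat = APISpec("GET", "https://demo11.vxstream-sandbox.com",
                       "/api/state/%s")

    api_dowf = APISpec("GET", "https://demo11.vxstream-sandbox.com",
                       "/api/result/%s")
    api_repf = APISpec("GET", "https://demo11.vxstream-sandbox.com",
                       "/api/scan/%s")
    api_subf = APISpec("POST", "https://demo11.vxstream-sandbox.com",
                       "/api/submit")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec("GET", "https://demo12.vxstream-sandbox.com",
                       "/api/result/%s")
    api_subu = APISpec("POST", "https://demo12.vxstream-sandbox.com",
                       "/api/submiturl")

    api_srch = APISpec("GET", "https://demo12.vxstream-sandbox.com",
                       "/api/search")
    api_quot = APISpec("GET", "https://demo12.vxstream-sandbox.com",
                       "/api/quota")

    # https://www.vxstream-sandbox.com/apikeys/info

    #   1: Windows 7 32 bit - Usermode Monitor
    #   2: Windows 7 64 bit - Usermode Monitor
    #   3: Windows 8.1 32 bit - Usermode Monitor
    #   4: Windows 7 32 bit - Kernelmode Monitor
    #   5: unused
    #   6: Windows XP (Only PE/Scripts)
    #   7: Windows XP Kernelmode Monitor (Only PE/Scripts)
    #   8: unused
    #   9: Windows 8.1 32 bit - Kernelmode Monitor
    #  10: Android Static Analysis
    # 100: Windows 7 32 bit (Kernelmode Monitor)
    # 110: Windows 7 64 bit (Kernelmode Monitor, cloud service only)
    # 200: Android Static Analysis

    # Analysis environment used by every call (see the table above).
    environment_id = 100

    def _env_params(self, output_type: str):
        """Return the query parameters shared by the read-only endpoints.

        Args:
            output_type: value of the ``type`` parameter (``"json"`` or ``"bin"``).
        """
        return {
            "environmentId": self.environment_id,
            "type": output_type,
            **self.get_apikey(),
        }

    def state(self, hash: Hash):
        """Query the analysis state for a SHA-256 *hash*.

        Returns:
            ``(data, True)`` when the reply has ``response_code == 0`` and
            state ``SUCCESS``, ``(data, False)`` for any other reply, and a
            bare ``False`` (not a tuple) when ``hash.alg`` is not SHA-256.
            Callers that unpack the result must check the algorithm first,
            as the other methods of this class do.
        """
        if hash.alg != HASH_SHA256:
            return False
        spec = self.api_stat
        spec.fulluri = spec.fullurl % hash.hash
        spec.param = self._env_params("json")
        data, _ = request(spec, json=True)
        finished = (data["response_code"] == 0
                    and data["response"]["state"] == "SUCCESS")
        return data, finished

    def download_file(self, hash: Hash):
        """Download the result archive for a finished SHA-256 *hash*.

        The archive is written to ``<sha256>.gz`` in the working directory via
        ``rw.writef``; the returned message names that file.
        """
        if hash.alg != HASH_SHA256:
            return f"{hash.alg} is not SHA-256"
        data, finished = self.state(hash)
        if not finished:
            return f"sample \"{hash}\" private or not found"
        spec = self.api_dowf
        spec.fulluri = spec.fullurl % hash.hash
        spec.param = self._env_params("bin")
        filename = hash.hash + ".gz"
        data, _ = request(spec, bin=True)
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the scan report for a SHA-256 *hash*.

        If the analysis has not finished, the raw state reply is returned
        instead so the caller can see why.
        """
        if hash.alg != HASH_SHA256:
            return f"{hash.alg} is not SHA-256"
        data, finished = self.state(hash)
        if finished:
            spec = self.api_repf
            spec.fulluri = spec.fullurl % hash.hash
            spec.param = self._env_params("json")
            data, _ = request(spec)
        return data

    def submit_file(self, file: File):
        """Upload *file* for analysis in ``environment_id`` and return the raw reply.

        Authentication uses ``get_apikey(key=True, user=True)`` via ``auth``
        rather than query parameters.
        """
        spec = self.api_subf
        spec.auth = self.get_apikey(key=True, user=True)
        # The author left a "nosharevt": "true" form field commented out here.
        spec.data = {"environmentId": self.environment_id}
        spec.file = {"file": file.fd()}
        data, _ = request(spec)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    def report_url(self, url: str):
        """Return the analysis result for a submitted URL.

        Despite the parameter name, *url* must be the SHA-256 that was
        returned when the URL was submitted: VxStream keys URL reports by
        that digest. The state check is the same one ``state`` performs.
        """
        digest = Hash(url)
        if digest.alg != HASH_SHA256:
            return f"{digest.alg} is not SHA-256"
        data, finished = self.state(digest)
        if finished:
            spec = self.api_repu
            spec.fulluri = spec.fullurl % digest.hash
            spec.param = self._env_params("json")
            data, _ = request(spec)
        return data

    def submit_url(self, url: str):
        """Submit *url* for analysis in ``environment_id`` and return the raw reply.

        The API key is sent twice here: through ``auth`` and again as query
        parameters, so it also lands in the request URL.
        """
        spec = self.api_subu
        spec.auth = self.get_apikey(key=True, user=True)
        spec.data = {"analyzeurl": url, "environmentId": self.environment_id}
        spec.param = self.get_apikey()
        data, _ = request(spec)
        return data

    def search(self, srch: str):
        """Run a free-text search *srch* and return the raw reply."""
        spec = self.api_srch
        spec.param = {"query": srch, **self.get_apikey()}
        data, _ = request(spec)
        return data

    def quota(self):
        """Return the raw quota reply for the configured API key."""
        spec = self.api_quot
        spec.param = self.get_apikey()
        data, _ = request(spec)
        return data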
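class Metadefender(Service):
    """OPSWAT Metadefender: hash reports, file submission, app-info and IP lookups.

    Two authentication styles are used against two hosts: ``api_repf`` and
    ``api_subf`` send the ``get_apikey()`` pair as a raw header, while the v3
    endpoints expect an ``Authorization`` header built by ``_auth_header``.
    """

    name = "Metadefender"
    sname = "md"
    api_keyl = 32

    desc = (f"{name} is a proprietary multi-scanning engine for malware,\n"
            "applications and IP addresses belonging to OPSWAT")
    subs = "public/private"
    url = "https://www.metadefender.com/"

    api_dowf = APISpec()
    # api_repf = APISpec("GET", "https://api.metadefender.com", "/v2/file/")
    api_repf = APISpec("GET", "https://api.metadefender.com", "/v2/hash/")
    api_subf = APISpec("POST", "https://scan.metadefender.com", "/v2/file")

    api_repa = APISpec("GET", "https://api.metadefender.com", "/v3/appinfo/")
    api_repd = APISpec()
    api_repi = APISpec("GET", "https://api.metadefender.com", "/v3/ip/")

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://www.metadefender.com/public-api

    def _auth_header(self):
        """Build the ``Authorization`` header used by the v3 endpoints.

        Every ``name: value`` pair from ``get_apikey()`` is rendered as
        ``"<name> <value>"`` and the pieces are space-joined; the pair name is
        whatever ``get_apikey()`` yields (see ``Service``).
        """
        token = " ".join(f"{kn} {k}" for kn, k in self.get_apikey().items())
        return {"Authorization": token}

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    def report_file(self, hash: Hash):
        """Look up *hash* and return the pretty-printed reply.

        The ``get_apikey()`` pair is sent as-is as a request header, and the
        digest is appended to the endpoint path. The reply is not run through
        ``frmt.jsontree`` (the author disabled that step).
        """
        spec = self.api_repf
        spec.header = self.get_apikey()
        spec.fulluri = spec.fullurl + hash.hash
        data, _ = request(spec)
        return out.pformat(data)

    def submit_file(self, file: File):
        """Upload *file* for scanning and return the pretty-printed JSON reply."""
        spec = self.api_subf
        spec.header = self.get_apikey()
        spec.file = {"file": file.fd()}
        data, _ = request(spec)
        return out.pformat(frmt.jsontree(data))

    def report_app(self, hash: Hash):
        """Return the pretty-printed application-info report for *hash*."""
        spec = self.api_repa
        spec.header = self._auth_header()
        spec.fulluri = spec.fullurl + hash.hash
        data, _ = request(spec)
        return out.pformat(frmt.jsontree(data))

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    def report_ip(self, ip: str):
        """Return the pretty-printed IP reputation report for *ip*.

        *ip* is appended to the path verbatim; no validation is done here.
        """
        spec = self.api_repi
        spec.header = self._auth_header()
        spec.fulluri = spec.fullurl + ip
        data, _ = request(spec)
        return out.pformat(frmt.jsontree(data))

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""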
class SafeBrowsing(Service):
    """Google Safe Browsing v4: URL threat lookup and threat-list listing.

    Only ``report_url`` and ``search`` are implemented; the API key is passed
    as a query parameter on both calls, so it appears in the request URL.
    """

    name = "Safe Browsing"
    sname = "sb"
    api_keyl = 39

    desc = (f"{name} is an online database of malicious URLs updated in real-time\n"
            "by Google")
    subs = "public"
    url = "https://safebrowsing.google.com/"

    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec("POST", "https://safebrowsing.googleapis.com",
                       "/v4/threatMatches:find")
    api_subu = APISpec()

    api_srch = APISpec("GET", "https://safebrowsing.googleapis.com",
                       "/v4/threatLists")
    api_quot = APISpec()

    # https://developers.google.com/safe-browsing/

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def submit_file(self, file: File):
        """Not offered by this service."""

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    def report_url(self, url: str):
        """Check *url* against the MALWARE and SOCIAL_ENGINEERING lists.

        Builds a ``threatMatches:find`` request identifying this client by
        ``MALSUB_NAME``/``MALSUB_VERSION`` and returns the pretty-printed reply.
        """
        client = {"clientId": MALSUB_NAME, "clientVersion": MALSUB_VERSION}
        # Further threatTypes values the author listed but did not request:
        # "POTENTIALLY_HARMFUL_APPLICATION", "THREAT_TYPE_UNSPECIFIED",
        # "UNWANTED_SOFTWARE".
        threat_info = {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
            "platformTypes": ["ALL_PLATFORMS"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": url}],
        }
        spec = self.api_repu
        spec.param = self.get_apikey()
        spec.header = {'Content-Type': 'application/json'}
        spec.json = {"client": client, "threatInfo": threat_info}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    def search(self, srch: str):
        """List the available threat lists; *srch* is not sent to the service."""
        spec = self.api_srch
        spec.param = self.get_apikey()
        spec.header = {'Content-Type': 'application/json'}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
class QuickSand(Service):
    """QuickSand: hash lookup and document submission via its PHP endpoints.

    Only ``report_file`` and ``submit_file`` are implemented; the API key is
    sent as a POST form field on both.
    """

    name = "QuickSand"
    sname = "qs"
    api_keyl = 32

    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://www.quicksand.io", "/api.php")
    api_subf = APISpec("POST", "https://www.quicksand.io", "/upload.php")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://www.quicksand.io/
    # https://github.com/tylabs/quicksand_tools

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    def report_file(self, hash: Hash):
        """Query the report for *hash* and return it pretty-printed."""
        spec = self.api_repf
        spec.data = {**self.get_apikey(), "query": hash.hash}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    def submit_file(self, file: File):
        """Upload *file* with ``QUICKSAND_RERUN`` set and return the pretty-printed reply.

        The author noted two further form flags, ``QUICKSAND_BRUTE`` and
        ``QUICKSAND_LOOKAHEAD`` (both ``1``), which are not sent.
        """
        spec = self.api_subf
        spec.file = {"file[]": file.fd()}
        spec.data = {**self.get_apikey(), "QUICKSAND_RERUN": 1}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
class VirusTotal(Service):
    """VirusTotal API v2: file and URL reports/submissions, domain and IP lookups.

    The API key is sent as a form field (``data``) on the POST endpoints and
    as a query parameter (``param``) on the GET ones; in the latter case it
    becomes part of the request URL.
    """

    name = "VirusTotal"
    sname = "vt"
    api_keyl = 64

    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://www.virustotal.com",
                       "/vtapi/v2/file/report")
    api_subf = APISpec("POST", "https://www.virustotal.com",
                       "/vtapi/v2/file/scan")

    api_repa = APISpec()
    api_repd = APISpec("GET", "https://www.virustotal.com",
                       "/vtapi/v2/domain/report")
    api_repi = APISpec("GET", "https://www.virustotal.com",
                       "/vtapi/v2/ip-address/report")

    api_repu = APISpec("POST", "https://www.virustotal.com",
                       "/vtapi/v2/url/report")
    api_subu = APISpec("POST", "https://www.virustotal.com",
                       "/vtapi/v2/url/scan")

    api_srch = APISpec()
    api_quot = APISpec()

    # https://www.virustotal.com/en/documentation/public-api/
    # https://www.virustotal.com/en/documentation/private-api/

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    def report_file(self, hash: Hash):
        """Fetch the file report for *hash* and return it pretty-printed.

        Unlike the other lookups the reply is not passed through
        ``frmt.jsontree``; the author disabled that and the permalink step.
        """
        spec = self.api_repf
        spec.data = {**self.get_apikey(), "resource": hash.hash}
        reply, _ = request(spec)
        return out.pformat(reply)

    def submit_file(self, file: File):
        """Upload *file* for scanning and return the converted JSON reply."""
        spec = self.api_subf
        spec.data = self.get_apikey()
        spec.file = {"file": (file.name, file.fd())}
        reply, _ = request(spec)
        reply = frmt.jsontree(reply)
        # Opening reply["permalink"] in a browser was left disabled by the author.
        return frmt.jsonvert(reply)

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    def report_dom(self, dom: str):
        """Return the pretty-printed domain report for *dom*."""
        spec = self.api_repd
        spec.param = {**self.get_apikey(), "domain": dom}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    def report_ip(self, ip: str):
        """Return the pretty-printed IP address report for *ip*."""
        spec = self.api_repi
        spec.param = {**self.get_apikey(), "ip": ip}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    def report_url(self, url: str):
        """Return the pretty-printed URL report for *url*."""
        spec = self.api_repu
        spec.data = {**self.get_apikey(), "resource": url}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    def submit_url(self, url: str):
        """Submit *url* for scanning and return the pretty-printed reply."""
        spec = self.api_subu
        spec.data = {**self.get_apikey(), "url": url}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
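class AVCaesar(Service):
    """AVCaesar (malware.lu): sample download, report, upload and quota.

    Authentication is done by sending ``get_apikey()`` as cookies on every
    call; nothing here enforces the hash algorithm, the service decides.
    """

    name = "AVCaesar"
    sname = "avc"
    api_keyl = 64

    desc = (f"{name} is an online sandbox and malware repository developed under\n"
            "a project from European Comission and maintained by a CERT in\n"
            "Luxembourg")
    subs = "public"
    url = "https://avcaesar.malware.lu/"

    api_dowf = APISpec("GET", "https://avcaesar.malware.lu",
                       "/api/v1/sample/%s/download")
    api_repf = APISpec("GET", "https://avcaesar.malware.lu", "/api/v1/sample/")
    api_subf = APISpec("POST", "https://avcaesar.malware.lu",
                       "/api/v1/sample/upload")

    api_repa = APISpec()
    api_repi = APISpec()
    api_repd = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec("GET", "https://avcaesar.malware.lu",
                       "/api/v1/user/quota")

    # https://avcaesar.malware.lu/docs/api

    def download_file(self, hash: Hash):
        """Download the sample identified by *hash*.

        The file name comes from the service (second value returned by
        ``request(..., bin=True)``); when none is supplied nothing is written
        and ``"unsuccess"`` is returned. On success the message names the
        file that was written.
        """
        spec = self.api_dowf
        spec.fulluri = spec.fullurl % hash.hash
        spec.cookie = self.get_apikey()
        data, filename = request(spec, bin=True)
        if not filename:
            return "unsuccess"
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed JSON report for *hash*.

        The author noted that ``?overview=false&section=pe`` can be appended
        to the digest to narrow the report; it is not sent here.
        """
        spec = self.api_repf
        spec.fulluri = spec.fullurl + hash.hash
        spec.cookie = self.get_apikey()
        data, _ = request(spec)
        return out.pformat(frmt.jsontree(data))

    def submit_file(self, file: File):
        """Upload *file* and return the pretty-printed JSON reply."""
        spec = self.api_subf
        spec.cookie = self.get_apikey()
        spec.file = {"file": file.fd()}
        data, _ = request(spec)
        return out.pformat(frmt.jsontree(data))

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""

    def quota(self):
        """Return the pretty-printed quota information for the configured key."""
        spec = self.api_quot
        spec.cookie = self.get_apikey()
        res, _ = request(spec)
        return out.pformat(frmt.jsontree(res))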
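class MalShare(Service):
    """MalShare: sample download and detail lookup through ``api.php``.

    Both specs are created with ``cert=False``. NOTE(review): this appears to
    disable TLS certificate verification for these calls (the commented-out
    line shows a pinned ``malshare-bundle.pem`` was tried instead); since the
    API key travels as a query parameter, an on-path attacker could read it
    and tamper with the downloaded sample. Prefer a working CA bundle.
    """

    name = "MalShare"
    sname = "ms"
    api_keyl = 64

    # api_dowf = APISpec("GET", "https://malshare.com", "/api.php", "malshare-bundle.pem")
    api_dowf = APISpec("GET", "https://malshare.com", "/api.php", cert=False)
    api_repf = APISpec("GET", "https://malshare.com", "/api.php", cert=False)
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://malshare.com/doc.php

    def download_file(self, hash: Hash):
        """Download the sample for *hash* and write it to disk.

        A "not found" condition is signalled by the service as a text body
        rather than an error status, so it is detected by prefix match on the
        raw bytes. The file name comes from the service when provided and
        falls back to the digest; the returned message names the file written.
        """
        spec = self.api_dowf
        spec.param = {
            **self.get_apikey(), "action": "getfile",
            "hash": hash.hash
        }
        data, filename = request(spec, bin=True)
        if data.startswith(b"Sample not found by hash"):
            return f"sample \"{hash.hash}\" not found"
        filename = filename or hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed details for *hash*.

        The reply is not passed through ``frmt.jsontree`` (the author
        disabled that step).
        """
        spec = self.api_repf
        spec.param = {
            **self.get_apikey(), "action": "details",
            "hash": hash.hash
        }
        data, _ = request(spec)
        return out.pformat(data)

    @Service.unsupported
    def submit_file(self, file: File):
        """Not offered by this service."""

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""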
class Malwr(Service):
    """malwr.com: sample submission only.

    Everything except ``submit_file`` is marked ``Service.unsupported``, and
    the author recorded that the submission endpoint itself answered with
    HTTP 405 Method Not Allowed.
    """

    name = "malwr"
    sname = "mw"
    api_keyl = 32

    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec("POST", "https://malwr.com", "/api/analysis/add")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://malwr.com/
    # https://www.malwareviz.com/

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not offered by this service."""

    def submit_file(self, file: File):
        """Upload *file* as a shared analysis and return the pretty-printed reply.

        Observed by the author to fail with HTTP 405 Method Not Allowed.
        """
        spec = self.api_subf
        spec.data = {**self.get_apikey(), "shared": "yes"}
        spec.file = {"file": (file.name, file.fd())}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
class HybridAnalysis(Service):
    """Hybrid Analysis: scan report lookup, search and quota.

    The API key is sent as query parameters on every implemented call, so it
    becomes part of the request URL.
    """

    name = "Hybrid Analysis"
    sname = "ha"
    api_keyl = 25

    api_dowf = APISpec()
    api_repf = APISpec("GET", "https://www.hybrid-analysis.com",
                       "/api/scan/%s")
    api_subf = APISpec("POST", "https://www.hybrid-analysis.com",
                       "/api/submit")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec("GET", "https://www.hybrid-analysis.com", "/api/search")
    api_quot = APISpec("GET", "https://www.hybrid-analysis.com", "/api/quota")

    # https://www.hybrid-analysis.com/apikeys/info

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    def report_file(self, hash: Hash):
        """Return the raw scan report for *hash* (no algorithm check is done)."""
        spec = self.api_repf
        spec.fulluri = spec.fullurl % hash.hash
        spec.param = self.get_apikey()
        reply, _ = request(spec)
        return reply

    @Service.unsupported
    def submit_file(self, file: File):
        """Marked unsupported; the body is kept as the author wrote it.

        NOTE(review): the file descriptor is placed in ``data`` (form fields)
        rather than ``file``, unlike every other ``submit_file`` on this page;
        presumably the decorator short-circuits before this runs -- confirm
        against ``Service.unsupported``.
        """
        spec = self.api_subf
        spec.data = {"file": file.fd(), **self.get_apikey()}
        reply, _ = request(spec)
        return reply

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    def search(self, srch: str):
        """Run the free-text query *srch* and return the raw reply."""
        spec = self.api_srch
        spec.param = {"query": srch, **self.get_apikey()}
        reply, _ = request(spec)
        return reply

    def quota(self):
        """Return the raw quota reply for the configured key."""
        spec = self.api_quot
        spec.param = self.get_apikey()
        reply, _ = request(spec)
        return reply
class ThreatStream(Service):
    """Anomali ThreatStream: intelligence lookups by hash, domain, IP, URL and regex.

    Every implemented method queries the same ``/api/v2/intelligence``
    endpoint with the API key as query parameters (so the key is part of the
    request URL) and ``limit`` bounding the result set.
    """

    name = "ThreatStream"
    sname = "ts"
    api_keyl = 40

    desc = (f"Anomali {name} is a threat intelligence platform that aggregates\n"
            "several threat feeds")
    subs = "private"
    url = "https://www.anomali.com/platform/threatstream"

    api_stat = APISpec()

    api_dowf = APISpec()
    api_repf = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_repi = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")

    api_repu = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_subu = APISpec()

    api_srch = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_quot = APISpec()

    # https://github.com/threatstream/threatstream-api

    limit = 0  # '0' means 1000

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Marked unsupported; the body is kept as the author wrote it.

        NOTE(review): SHA-1 digests are accepted but always sent with
        ``"type": "md5"`` (the inline comment says "MD5 or SHA-1"); verify
        the expected type value before enabling this method.
        """
        if hash.alg not in (HASH_MD5, HASH_SHA1):
            return f"{hash.alg} is not MD5 or SHA1"
        spec = self.api_repf
        spec.param = {**self.get_apikey(),
                      "type": "md5",  # MD5 or SHA-1
                      "value": hash.hash,
                      "limit": self.limit}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def submit_file(self, file: File):
        """Not offered by this service."""

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    def report_dom(self, dom: str):
        """Return pretty-printed intelligence records whose value is domain *dom*."""
        spec = self.api_repd
        spec.param = {**self.get_apikey(),
                      "limit": self.limit,
                      "type": "domain",
                      "value": dom}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    def report_ip(self, ip: str):
        """Return pretty-printed intelligence records for *ip*.

        Unlike the other lookups this filters on ``ip`` directly rather than
        on a ``type``/``value`` pair.
        """
        spec = self.api_repi
        spec.param = {**self.get_apikey(),
                      "ip": ip,
                      "limit": self.limit}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    def report_url(self, url: str):
        """Return pretty-printed intelligence records whose value is *url*."""
        spec = self.api_repu
        spec.param = {**self.get_apikey(),
                      "limit": self.limit,
                      "type": "url",
                      "value": url}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def submit_url(self, url: str):
        """Marked unsupported; the body is kept as the author wrote it.

        Targets ``api_subu``, which is an empty ``APISpec()`` on this class.
        """
        spec = self.api_subu
        spec.data = {**self.get_apikey(),
                     "report_radio-platform": "WINDOWS7",
                     "report_radio-url": url}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    def search(self, srch: str):
        """Substring search over intelligence values via ``value__regexp``.

        *srch* is regex-escaped before being embedded in ``.*<srch>.*`` so
        that user input cannot alter the pattern evaluated server-side.
        (The author also left an exact ``value`` match variant disabled.)
        """
        import re
        pattern = f".*{re.escape(srch)}.*"
        spec = self.api_srch
        spec.param = {**self.get_apikey(),
                      "limit": self.limit,
                      "value__regexp": pattern}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
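class VxStream(Service):
    """VxStream Sandbox (demo12 host): scan/result lookup and sample/URL submission.

    File and URL results are keyed by the SHA-256 of the submission and are
    only fetched once ``api_stat`` reports the run for ``environment_id`` as
    ``SUCCESS``; ``report_file`` and ``report_url`` share that check through
    ``_analysis_state``. The API key is sent as query parameters on the
    read-only calls, so it appears in the request URL.
    """

    name = "VxStream"
    sname = "vs"
    api_keyl = 25

    api_stat = APISpec("GET", "https://demo12.vxstream-sandbox.com",
                       "/api/state/%s")

    api_dowf = APISpec()
    api_repf = APISpec("GET", "https://demo12.vxstream-sandbox.com",
                       "/api/scan/%s")
    api_subf = APISpec("POST", "https://demo12.vxstream-sandbox.com",
                       "/api/submit")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec("GET", "https://demo12.vxstream-sandbox.com",
                       "/api/result/%s")
    api_subu = APISpec("POST", "https://demo12.vxstream-sandbox.com",
                       "/api/submiturl")

    api_srch = APISpec("GET", "https://demo12.vxstream-sandbox.com",
                       "/api/search")
    api_quot = APISpec("GET", "https://demo12.vxstream-sandbox.com",
                       "/api/quota")

    # https://www.vxstream-sandbox.com/apikeys/info

    #   1: Windows 7 32 bit - Usermode Monitor
    #   2: Windows 7 64 bit - Usermode Monitor
    #   3: Windows 8.1 32 bit - Usermode Monitor
    #   4: Windows 7 32 bit - Kernelmode Monitor
    #   5: unused
    #   6: Windows XP (Only PE/Scripts)
    #   7: Windows XP Kernelmode Monitor (Only PE/Scripts)
    #   8: unused
    #   9: Windows 8.1 32 bit - Kernelmode Monitor
    #  10: Android Static Analysis
    # 100: Windows 7 32 bit (Kernelmode Monitor)
    # 110: Windows 7 64 bit (Kernelmode Monitor, cloud service only)
    # 200: Android Static Analysis

    # Analysis environment used by every call (see the table above).
    environment_id = 100

    def _env_params(self):
        """Return the JSON-report query parameters: environment, type and API key."""
        return {
            "environmentId": self.environment_id,
            "type": "json",
            **self.get_apikey(),
        }

    def _analysis_state(self, sha256: str):
        """Query ``api_stat`` for *sha256* and return ``(reply, finished)``.

        ``finished`` is true when the reply has ``response_code == 0`` and
        ``response.state == "SUCCESS"``.
        """
        spec = self.api_stat
        spec.fulluri = spec.fullurl % sha256
        spec.param = self._env_params()
        reply, _ = request(spec, json=True)
        finished = (reply["response_code"] == 0
                    and reply["response"]["state"] == "SUCCESS")
        return reply, finished

    def _fetch_report(self, spec, sha256: str):
        """Fetch the JSON report for *sha256* from *spec* and return the raw reply."""
        spec.fulluri = spec.fullurl % sha256
        spec.param = self._env_params()
        reply, _ = request(spec)
        return reply

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    def report_file(self, hash: Hash):
        """Return the scan report for a SHA-256 *hash*.

        If the analysis has not finished, the raw state reply is returned
        instead so the caller can see why.
        """
        if hash.alg != HASH_SHA256:
            return f"{hash.alg} is not SHA-256"
        data, finished = self._analysis_state(hash.hash)
        if finished:
            data = self._fetch_report(self.api_repf, hash.hash)
        return data

    def submit_file(self, file: File):
        """Upload *file* for analysis in ``environment_id`` and return the raw reply.

        Authentication uses ``get_apikey(key=True, user=True)`` via ``auth``.
        """
        spec = self.api_subf
        spec.auth = self.get_apikey(key=True, user=True)
        spec.data = {"environmentId": self.environment_id}
        spec.file = {"file": file.fd()}
        data, _ = request(spec)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""

    def report_url(self, url: str):
        """Return the analysis result for a submitted URL.

        Despite the parameter name, *url* must be the SHA-256 that was
        returned when the URL was submitted: VxStream keys URL reports by
        that digest.
        """
        digest = Hash(url)
        if digest.alg != HASH_SHA256:
            return f"{digest.alg} is not SHA-256"
        data, finished = self._analysis_state(digest.hash)
        if finished:
            data = self._fetch_report(self.api_repu, digest.hash)
        return data

    def submit_url(self, url: str):
        """Submit *url* for analysis in ``environment_id`` and return the raw reply.

        The API key is sent twice here: through ``auth`` and again as query
        parameters, so it also lands in the request URL.
        """
        spec = self.api_subu
        spec.auth = self.get_apikey(key=True, user=True)
        spec.data = {"analyzeurl": url, "environmentId": self.environment_id}
        spec.param = self.get_apikey()
        data, _ = request(spec)
        return data

    def search(self, srch: str):
        """Run a free-text search *srch* and return the raw reply."""
        spec = self.api_srch
        spec.param = {"query": srch, **self.get_apikey()}
        data, _ = request(spec)
        return data

    def quota(self):
        """Return the raw quota reply for the configured API key."""
        spec = self.api_quot
        spec.param = self.get_apikey()
        data, _ = request(spec)
        return data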
class QuickSand(Service):
    """Client for the QuickSand office-document analysis service.

    Only hash lookups and file submission are exposed here; every other
    Service hook is flagged as unsupported.  The API key is sent as POST
    form data over HTTPS.
    """
    name = "QuickSand"
    sname = "qs"
    api_keyl = 32

    desc = f"{name} is a dynamic and static analysis framework for office\n" \
           f"documents with obfuscation and encryption analysis"
    subs = "public/private"
    url = "https://quicksand.io/"

    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://www.quicksand.io", "/api.php")
    api_subf = APISpec("POST", "https://www.quicksand.io", "/upload.php")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://www.quicksand.io/
    # https://github.com/tylabs/quicksand_tools

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not implemented for this backend."""

    def report_file(self, hash: Hash):
        """Look up an existing analysis by hash; return it pretty-printed."""
        payload = dict(self.get_apikey())
        payload["query"] = hash.hash
        self.api_repf.data = payload
        raw, _ = request(self.api_repf)
        return out.pformat(frmt.jsontree(raw))

    def submit_file(self, file: File):
        """Upload ``file`` and return the pretty-printed analysis result.

        QUICKSAND_RERUN presumably asks for a fresh run of an already known
        sample.  QUICKSAND_BRUTE / QUICKSAND_LOOKAHEAD are further optional
        flags that are deliberately not enabled here.
        """
        payload = dict(self.get_apikey())
        payload["QUICKSAND_RERUN"] = 1
        self.api_subf.file = {"file[]": file.fd()}
        self.api_subf.data = payload
        raw, _ = request(self.api_subf)
        return out.pformat(frmt.jsontree(raw))

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def search(self, srch: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def quota(self):
        """Not implemented for this backend."""
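class APIVoid(Service):
    """Client for the APIVoid domain/IP blacklist API (pay-as-you-go plan).

    NOTE(security): the vendor API takes the key as a query-string parameter,
    so it is part of every request URL and will show up wherever URLs are
    logged (proxies, HTTP debugging tools).  Transport is HTTPS.
    """
    name = "APIVoid"
    sname = "av"
    api_keyl = 40

    desc = f"{name} is a pay-as-you-go blacklist and reputation-based scanning engine\n" \
           f"for URLs"
    subs = "private"
    url = "https://www.apivoid.com/"

    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec("GET", "https://endpoint.apivoid.com",
                       "/domainbl/v1/pay-as-you-go/?key=%s&host=%s")
    api_repi = APISpec("GET", "https://endpoint.apivoid.com",
                       "/domainbl/v1/pay-as-you-go/?key=%s&ip=%s")

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec("GET", "https://endpoint.apivoid.com",
                       "/domainbl/v1/pay-as-you-go/?key=%s&stats")

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_file(self, file: File):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    def _lookup(self, spec, value: str):
        """Fill ``spec``'s URL template with the key and ``value``; return a JSON dump.

        ``value`` is user input spliced straight into the query string, so it
        is percent-encoded first: a stray '&' or '#' must not be able to add
        or cut off query parameters.
        """
        from urllib.parse import quote
        spec.fulluri = spec.fullurl % (self.get_apikey(key=True),
                                       quote(value, safe=""))
        data, _ = request(spec)
        return frmt.jsondump(data)

    def report_dom(self, dom: str):
        """Return the blacklist report for domain ``dom`` (``host=`` endpoint)."""
        return self._lookup(self.api_repd, dom)

    def report_ip(self, ip: str):
        """Return the blacklist report for address ``ip``.

        Must use api_repi (``&ip=``): building the URL from api_repd would
        send the address as ``&host=`` and query the wrong thing.
        """
        return self._lookup(self.api_repi, ip)

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def search(self, srch: str):
        """Not implemented for this backend."""

    def quota(self):
        """Return the account usage statistics as a JSON dump."""
        self.api_quot.fulluri = self.api_quot.fullurl % (
            self.get_apikey(key=True))
        data, _ = request(self.api_quot)
        return frmt.jsondump(data)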
class URLVoid(Service):
    """Client for the URLVoid host-reputation API (XML responses).

    NOTE(security): every endpoint below is plain ``http://`` and the account
    identifier and API key are embedded in the URL path, so both travel in
    cleartext and land in proxy and server access logs.  Switch the base
    URLs to HTTPS if the service accepts it.
    """
    name = "URLVoid"
    sname = "uv"
    api_keyl = 40

    desc = f"{name} is a free blacklist- and reputation-based scanning engine\n" \
           f"for URLs"
    subs = "public"
    url = "http://www.urlvoid.com/"

    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec("GET", "http://api.urlvoid.com", "/%s/%s/host/%s/")
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec("GET", "http://api.urlvoid.com", "/%s/%s/host/%s/scan/")
    # api_subu = APISpec("GET", "http://api.urlvoid.com", "/%s/%s/host/%s/rescan/")

    api_srch = APISpec()
    api_quot = APISpec("GET", "http://api.urlvoid.com", "/%s/%s/stats/remained/")

    # http://www.urlvoid.com/
    # http://www.urlvoid.com/api/
    # http://api.urlvoid.com/

    def _creds(self):
        """Return the (identifier, apikey) pair that prefixes every URLVoid path."""
        keys = self.get_apikey()
        return keys["identifier"], keys["apikey"]

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_file(self, file: File):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    def report_dom(self, dom: str):
        """Return the parsed XML host report for ``dom``."""
        ident, key = self._creds()
        self.api_repd.fulluri = self.api_repd.fullurl % (ident, key, dom)
        raw, _ = request(self.api_repd)
        return frmt.xmlparse(raw)

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    def submit_url(self, url: str):
        """Request a scan of ``url`` and return the parsed XML response.

        The endpoint takes a host, so a leading ``http://`` or ``https://``
        is stripped.  Nothing else is normalised: a path or query string
        left in ``url`` is spliced into the request path as-is.
        """
        for scheme in ("http://", "https://"):
            if url.startswith(scheme):
                url = url[len(scheme):]
                break
        ident, key = self._creds()
        self.api_subu.fulluri = self.api_subu.fullurl % (ident, key, url)
        raw, _ = request(self.api_subu)
        return frmt.xmlparse(raw)

    @Service.unsupported
    def search(self, srch: str):
        """Not implemented for this backend."""

    def quota(self):
        """Return the remaining-query statistics as parsed XML."""
        ident, key = self._creds()
        self.api_quot.fulluri = self.api_quot.fullurl % (ident, key)
        raw, _ = request(self.api_quot)
        return frmt.xmlparse(raw)
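class AVCaesar(Service):
    """Client for the AVCaesar (malware.lu) sample repository.

    Authentication is a cookie carrying the API key; it must never be
    written to stdout or logs.
    """
    name = "AVCaesar"
    sname = "avc"
    api_keyl = 64

    api_dowf = APISpec("GET", "https://avcaesar.malware.lu",
                       "/api/v1/sample/%s/download")
    api_repf = APISpec("GET", "https://avcaesar.malware.lu", "/api/v1/sample/")
    api_subf = APISpec("POST", "https://avcaesar.malware.lu", "/api/v1/upload")

    api_repa = APISpec()
    api_repi = APISpec()
    api_repd = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec("GET", "https://avcaesar.malware.lu",
                       "/api/v1/user/quota")

    # https://avcaesar.malware.lu/docs/api

    def download_file(self, hash: Hash):
        """Download the sample identified by ``hash`` into the working directory.

        Returns a status message naming the written file, or "unsuccess"
        when the service did not hand back a file name.
        """
        import os.path
        self.api_dowf.fulluri = self.api_dowf.fullurl % hash.hash
        # The credential cookie is deliberately not printed: an earlier
        # revision echoed it here, leaking the API key into terminal
        # scroll-back and any captured output.
        self.api_dowf.cookie = self.get_apikey()
        data, filename = request(self.api_dowf, bin=True)
        # out.debug(util.hexdump(data))
        if not filename:
            return "unsuccess"
        # The name presumably comes from the response headers; keep only the
        # basename so a hostile value cannot escape the working directory.
        filename = os.path.basename(filename) or hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed sample report for ``hash``."""
        # hash.hash + "?overview=false&section=pe"
        self.api_repf.fulluri = self.api_repf.fullurl + hash.hash
        self.api_repf.cookie = self.get_apikey()
        data, _ = request(self.api_repf)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def submit_file(self, file: File):
        """Upload ``file``; currently disabled because the endpoint answers 404."""
        # HTTP 404 Not Found
        self.api_subf.cookie = self.get_apikey()
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        data = frmt.jsonvert(data)
        return out.pformat(data)

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def search(self, srch: str):
        """Not implemented for this backend."""

    def quota(self):
        """Return the pretty-printed quota information for the current user."""
        self.api_quot.cookie = self.get_apikey()
        res, _ = request(self.api_quot)
        res = frmt.jsontree(res)
        return out.pformat(res)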
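class VirusTotal(Service):
    """Client for the VirusTotal API v2 (public and private keys).

    The API key is sent as a form or query parameter over HTTPS.  Files
    larger than 32 MiB go through a per-request upload URL fetched from the
    ``upload_url`` endpoint instead of the regular scan endpoint.
    """
    name = "VirusTotal"
    sname = "vt"
    api_keyl = [32, 48, 64]

    desc = f"{name} is a well-known online repository by Google of malware and\n" \
           f"malicious URLs with on-demand scanning features using a number of\n" \
           f"selected antivirus engines"
    subs = "public/private"
    # frmt = "closed"
    url = "https://www.virustotal.com"

    api_dowf = APISpec("GET", "https://www.virustotal.com",
                       "/vtapi/v2/file/download")
    api_repf = APISpec("POST", "https://www.virustotal.com",
                       "/vtapi/v2/file/report")
    api_subf = APISpec("POST", "https://www.virustotal.com",
                       "/vtapi/v2/file/scan")

    api_repa = APISpec()
    api_repd = APISpec("GET", "https://www.virustotal.com",
                       "/vtapi/v2/domain/report")
    api_repi = APISpec("GET", "https://www.virustotal.com",
                       "/vtapi/v2/ip-address/report")

    api_repu = APISpec("POST", "https://www.virustotal.com",
                       "/vtapi/v2/url/report")
    api_subu = APISpec("POST", "https://www.virustotal.com",
                       "/vtapi/v2/url/scan")

    api_srch = APISpec("GET", "https://www.virustotal.com",
                       "/vtapi/v2/file/search")
    api_quot = APISpec()

    # https://developers.virustotal.com/v2.0/

    # https://www.virustotal.com/en/documentation/public-api/
    # https://www.virustotal.com/en/documentation/private-api/

    def download_file(self, hash: Hash):
        """Download the sample for ``hash`` into the working directory.

        Returns a status message.  A 404 from the service is reported as
        "not found"; any other HTTP error propagates unchanged.
        """
        import os.path
        from requests.exceptions import HTTPError
        self.api_dowf.param = {**self.get_apikey(), "hash": hash.hash}
        try:
            data, filename = request(self.api_dowf, bin=True)
        except HTTPError as e:
            if e.response.status_code == 404:
                return f"sample \"{hash}\" not found"
            # Re-raise as-is: wrapping in a fresh HTTPError(e) would discard
            # the response object and the original traceback.
            raise
        # The name presumably comes from the response headers; keep only the
        # basename so a hostile value cannot write outside the working
        # directory, and fall back to the hash when none was supplied.
        filename = os.path.basename(filename or "") or hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the scan report for ``hash``, pretty-printed one level deep.

        ``allinfo`` requests the extended report variant.
        """
        self.api_repf.param = {
            **self.get_apikey(), "allinfo": "true",
            "resource": hash.hash
        }
        data, _ = request(self.api_repf)
        data = frmt.jsontree(data, depth=1)
        # data = frmt.jsonvert(data["scans"])
        # openurl(data["permalink"])
        return out.pformat(data)

    def submit_file(self, file: File):
        """Upload ``file`` for scanning and return the converted response.

        Files above 32 MiB cannot go to the regular scan endpoint; a one-off
        upload URL is fetched first and the form-data key is dropped for that
        request (the upload URL presumably already identifies the caller).
        """
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": (file.name, file.fd())}
        if file.len > 32 * 1024 * 1024:
            api_subfl = APISpec("GET", "https://www.virustotal.com",
                                "/vtapi/v2/file/scan/upload_url")
            api_subfl.param = {**self.get_apikey()}

            data, _ = request(api_subfl)
            data = frmt.jsontree(data)
            self.api_subf.fulluri = data["upload_url"]
            self.api_subf.data = None
        else:
            # Reset to the regular scan endpoint in case a previous call
            # pointed the spec at an upload URL.
            self.api_subf.default()

        data, _ = request(self.api_subf)
        data = frmt.jsontree(data)
        # web.openurl(data["permalink"])
        data = frmt.jsonvert(data)
        # return out.pformat(data)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    def report_dom(self, dom: str):
        """Return the pretty-printed domain report for ``dom``."""
        self.api_repd.param = {**self.get_apikey(), "domain": dom}
        data, _ = request(self.api_repd)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def report_ip(self, ip: str):
        """Return the pretty-printed IP address report for ``ip``."""
        self.api_repi.param = {**self.get_apikey(), "ip": ip}
        data, _ = request(self.api_repi)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def report_url(self, url: str):
        """Return the pretty-printed URL scan report for ``url``."""
        self.api_repu.data = {**self.get_apikey(), "resource": url}
        data, _ = request(self.api_repu)
        data = frmt.jsontree(data)
        # web.openurl(data["permalink"])
        return out.pformat(data)

    def submit_url(self, url: str):
        """Queue ``url`` for scanning and return the pretty-printed response."""
        self.api_subu.data = {**self.get_apikey(), "url": url}
        data, _ = request(self.api_subu)
        data = frmt.jsontree(data)
        # web.openurl(data["permalink"])
        return out.pformat(data)

    def search(self, srch: str):
        """Run a file search with query ``srch``; return it pretty-printed."""
        self.api_srch.param = {**self.get_apikey(), "query": srch}
        data, _ = request(self.api_srch)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def quota(self):
        """Not implemented for this backend."""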
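class HaveIbeenpwned(Service):
    """Client for the Have I Been Pwned breach API (v2, no API key).

    Exposes the per-domain breach list and the breached-account lookup.
    """
    name = "Have I been pwned?"
    sname = "pwn"
    api_keyl = 0

    desc = f"{name} is a repository of database dumps created by Troy Hunt"
    subs = "public"
    url = "https://haveibeenpwned.com/"

    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec("GET", "https://haveibeenpwned.com", "/api/v2/breaches")
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec("GET", "https://haveibeenpwned.com", "/api/v2/%s/%s")
    api_quot = APISpec()

    # https://haveibeenpwned.com/API/v2
    # ?truncateResponse=true

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_file(self, file: File):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    def report_dom(self, dom: str):
        """Return the breaches recorded for ``dom``, or a "not found" message
        when the service answers with an empty list."""
        self.api_repd.param = {"domain": dom}
        data, _ = request(self.api_repd)
        data = frmt.jsontree(data)
        if data == []:
            return f"domain \"{dom}\" not found"
        return out.pformat(data)

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    def search(self, srch: str):
        """Look up the breaches for account ``srch`` (typically an e-mail).

        A 404 means the account is unknown and yields a "not found" message;
        other HTTP errors propagate unchanged.
        """
        from urllib.parse import quote
        from requests.exceptions import HTTPError
        # The account is spliced into the URL path, so it must be
        # percent-encoded: a '/', '?' or '#' in it would otherwise be read
        # as URL structure.
        self.api_srch.fulluri = self.api_srch.fullurl % \
                                ("breachedaccount", quote(srch, safe=""))
        try:
            data, _ = request(self.api_srch)
        except HTTPError as e:
            if e.response.status_code == 404:
                return f"account \"{srch}\" not found"
            # Re-raise as-is; HTTPError(e) would lose the response object.
            raise
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def quota(self):
        """Not implemented for this backend."""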
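class Deepviz(Service):
    """Client for the deepviz sandbox and threat-intelligence API.

    Every call POSTs the API key as form data over HTTPS.  Each method must
    use its own APISpec: several of them previously reused ``api_repd`` and
    therefore hit the domain endpoint with IP / search payloads.
    """
    name = "deepviz"
    sname = "dv"
    api_keyl = 64

    desc = f"{name}"
    subs = "private"
    url = ""


    api_dowf = APISpec("POST", "https://api.deepviz.com", "/sandbox/sample")
    api_repf = APISpec("POST", "https://api.deepviz.com", "/general/report")
    api_subf = APISpec("POST", "https://api.deepviz.com", "/sandbox/submit")

    api_repa = APISpec()
    api_repd = APISpec("POST", "https://api.deepviz.com", "/intel/network/domain")
    api_repi = APISpec("POST", "https://api.deepviz.com", "/intel/network/ip")

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec("POST", "https://api.deepviz.com", "/intel/search")
    api_quot = APISpec()

    # https://api.deepviz.com/
    # https://www.deepviz.com/apidocs
    # https://github.com/saferbytes/python-deepviz

    def download_file(self, hash: Hash):
        """Download the sample for ``hash`` into the working directory.

        Returns a status message naming the written file, or "unsuccess"
        when the service did not hand back a file name.
        """
        import os.path
        self.api_dowf.data = {hash.alg: hash.hash, **self.get_apikey()}
        data, filename = request(self.api_dowf, bin=True)
        # out.debug(util.hexdump(data))
        if not filename:
            return "unsuccess"
        # The name presumably comes from the response headers; keep only the
        # basename so a hostile value cannot escape the working directory.
        filename = os.path.basename(filename) or hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed general report for ``hash``."""
        self.api_repf.data = {hash.alg: hash.hash, **self.get_apikey()}
        data, _ = request(self.api_repf)
        # data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def submit_file(self, file: File):
        """Upload ``file`` to the sandbox (currently flagged unsupported).

        Sends the request to api_subf; the earlier code posted the upload
        to api_repf, the report endpoint.
        """
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        # data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    def report_dom(self, dom: str):
        """Return the pretty-printed network intel for domain ``dom``."""
        self.api_repd.data = {"domain": dom, **self.get_apikey()}
        data, _ = request(self.api_repd)
        # data = frmt.jsontree(data)
        return out.pformat(data)

    def report_ip(self, ip: str):
        """Return the pretty-printed network intel for address ``ip``.

        Uses api_repi (``/intel/network/ip``), not the domain spec.
        """
        self.api_repi.data = {"ip": ip, **self.get_apikey()}
        data, _ = request(self.api_repi)
        # data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    def search(self, srch: str):
        """Run an intel search for ``srch``; return it pretty-printed.

        Uses api_srch (``/intel/search``), not the domain spec.
        """
        self.api_srch.data = {"string": srch, **self.get_apikey()}
        data, _ = request(self.api_srch)
        # data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def quota(self):
        """Not implemented for this backend."""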
class Malwr(Service):
    """Placeholder client for malwr.com.

    Only the endpoint specs are defined; every operation is flagged
    unsupported while the service is offline for maintenance.
    """
    name = "malwr"
    sname = "mw"
    api_keyl = 32

    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://malwr.com", "/api/analysis/status")
    api_subf = APISpec("POST", "https://malwr.com", "/api/analysis/add")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://malwr.com/
    # waiting to come back from maintenance

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_file(self, file: File):
        """Not implemented for this backend."""
        # https://www.malwareviz.com/

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def search(self, srch: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def quota(self):
        """Not implemented for this backend."""
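class HybridAnalysis(Service):
    """Client for the Hybrid Analysis (Payload Security) API.

    The API key is passed as query parameters over HTTPS; responses are
    returned raw.
    """
    name = "Hybrid Analysis"
    sname = "ha"
    api_keyl = 25

    desc = f"{name} features in-depth static and dynamic analysis techniques\n" \
           f"within sanboxed environments and is a malware repository created by\n" \
           f"Payload Security"
    subs = "public/private"
    url = "https://www.hybrid-analysis.com/"

    api_dowf = APISpec()
    api_repf = APISpec("GET", "https://www.hybrid-analysis.com",
                       "/api/scan/%s")
    api_subf = APISpec("POST", "https://www.hybrid-analysis.com",
                       "/api/submit")

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec("GET", "https://www.hybrid-analysis.com", "/api/search")
    api_quot = APISpec("GET", "https://www.hybrid-analysis.com", "/api/quota")

    # https://www.hybrid-analysis.com/apikeys/info

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not implemented for this backend."""

    def report_file(self, hash: Hash):
        """Return the raw scan report for ``hash``."""
        self.api_repf.fulluri = self.api_repf.fullurl % hash.hash
        self.api_repf.param = self.get_apikey()
        data, _ = request(self.api_repf)
        return data

    @Service.unsupported
    def submit_file(self, file: File):
        """Upload ``file`` for analysis (currently flagged unsupported).

        The file object goes in ``.file`` as a multipart upload, like every
        other backend in this module; placing it in ``.data`` would form-
        encode the object's string representation instead of its contents.
        """
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    def search(self, srch: str):
        """Run a search with query ``srch``; return the raw response."""
        self.api_srch.param = {"query": srch, **self.get_apikey()}
        data, _ = request(self.api_srch)
        return data

    def quota(self):
        """Return the raw quota response for the configured key."""
        self.api_quot.param = self.get_apikey()
        data, _ = request(self.api_quot)
        return data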
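class Maltracker(Service):
    """Client for the AnubisNetworks maltracker sandbox API.

    NOTE(security): all endpoints are plain ``http://`` on port 4700 and the
    API key is sent as a query parameter, so the key and every submitted
    sample travel in cleartext.  Use only over a trusted network or switch
    the base URLs to HTTPS if the service offers it.
    """
    name = "maltracker"
    sname = "mt"
    api_keyl = 64

    desc = f"{name} is a proprietary sanboxed environment created by\n" \
           f"AnubisNetworks for dynamic analysis incorporating threat\n" \
           f"intelligence"
    subs = "public"
    url = "https://maltracker.net/"

    api_dowf = APISpec("GET", "http://api.maltracker.net:4700", "/sample/get/")
    # /report/min/get/ # /sample/info/
    api_repf = APISpec("GET", "http://api.maltracker.net:4700", "/report/get/")
    api_subf = APISpec("POST", "http://api.maltracker.net:4700",
                       "/task/submit/file/")

    api_repa = APISpec()
    api_repd = APISpec("GET", "http://api.maltracker.net:4700", "/c2/domain/")
    api_repi = APISpec("GET", "http://api.maltracker.net:4700", "/c2/ip/")

    api_repu = APISpec("GET", "http://api.maltracker.net:4700", "/report/get/")
    api_subu = APISpec("POST", "http://api.maltracker.net:4700",
                       "/task/submit/url/")

    api_srch = APISpec()
    api_quot = APISpec()

    # https://maltracker.net/static/docs/usage/api.html

    def download_file(self, hash: Hash):
        """Download the sample for ``hash`` into the working directory.

        A 404 is reported as "sample not found"; authentication, quota and
        transport failures propagate instead of being mislabelled as a
        missing sample (the previous catch-all did that).
        """
        import os.path
        from requests.exceptions import HTTPError
        self.api_dowf.fulluri = self.api_dowf.fullurl + hash.hash
        self.api_dowf.param = self.get_apikey()
        try:
            data, filename = request(self.api_dowf, bin=True)
        except HTTPError as e:
            if e.response is not None and e.response.status_code == 404:
                return f"sample not found: {e}"
            raise
        # out.debug(util.hexdump(data))
        # The name presumably comes from the response headers; keep only the
        # basename so a hostile value cannot write outside the working
        # directory, and fall back to the hash when none was supplied.
        filename = os.path.basename(filename or "") or hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed analysis report for ``hash``."""
        self.api_repf.fulluri = self.api_repf.fullurl + hash.hash
        self.api_repf.param = self.get_apikey()
        data, _ = request(self.api_repf)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def submit_file(self, file: File):
        """Upload ``file`` as a new analysis task; return the pretty-printed response."""
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": (file.name, file.fd())}
        data, _ = request(self.api_subf)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    def report_dom(self, dom: str):
        """Return the pretty-printed C2 information for domain ``dom``."""
        self.api_repd.fulluri = self.api_repd.fullurl + dom
        self.api_repd.param = self.get_apikey()
        data, _ = request(self.api_repd)
        data = frmt.jsontree(data)
        # web.openurl(data["permalink"])
        return out.pformat(data)

    def report_ip(self, ip: str):
        """Return the pretty-printed C2 information for address ``ip``."""
        self.api_repi.fulluri = self.api_repi.fullurl + ip
        self.api_repi.param = self.get_apikey()
        data, _ = request(self.api_repi)
        data = frmt.jsontree(data)
        # web.openurl(data["permalink"])
        return out.pformat(data)

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented: URL reports are keyed by hash, so use report_file."""
        # URL report works with hash values
        # use 'report_file'
        # or... compute the hash value of the URL here
        # and make the request

    def submit_url(self, url: str):
        """Submit ``url`` as a new analysis task; return the pretty-printed response."""
        self.api_subu.data = {"url": url, **self.get_apikey()}
        data, _ = request(self.api_subu)
        data = frmt.jsontree(data)
        # web.openurl(data["permalink"])
        return out.pformat(data)

    @Service.unsupported
    def search(self, srch: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def quota(self):
        """Not implemented for this backend."""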
class JoeSandbox(Service):
    """Client for the Joe Sandbox Cloud API v2.

    All calls POST the API key as form data over HTTPS and return the
    ``data`` member of the JSON envelope.  ``self._accept_tac`` (set
    elsewhere) controls the ``accept-tac`` submission flag, presumably the
    vendor's terms-and-conditions acknowledgement.
    """
    name = "Joe Sandbox"
    sname = "js"
    api_keyl = 64

    desc = f"{name} is an advanced sandbox for analyzing executables, files and URLs."
    subs = "private"
    url = "https://www.joesecurity.org/"

    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec("POST", "https://jbxcloud.joesecurity.org",
                       "/api/v2/submission/new")

    api_repa = APISpec("POST", "https://jbxcloud.joesecurity.org",
                       "/api/v2/analysis/download")
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec("POST", "https://jbxcloud.joesecurity.org",
                       "/api/v2/submission/new")

    api_srch = APISpec("POST", "https://jbxcloud.joesecurity.org",
                       "/api/v2/analysis/search")
    api_quot = APISpec("POST", "https://jbxcloud.joesecurity.org",
                       "/api/v2/account/info")

    def _tac_flag(self) -> str:
        """Return the ``accept-tac`` form value: "1" when accepted, else "0"."""
        return "1" if self._accept_tac else "0"

    def _with_key(self, **fields):
        """Build a form payload from ``fields`` plus the API key."""
        payload = dict(fields)
        payload.update(self.get_apikey())
        return payload

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not implemented for this backend."""

    def report_file(self, hash: Hash):
        """Return the pretty-printed report for ``hash``, or None if no analysis matches.

        Several analyses may exist for one sample; the last search hit is used.
        """
        hits = self.search(hash.hash)
        if not hits:
            return None

        chosen = hits[-1]["webid"]
        self.api_repa.data = self._with_key(webid=chosen, type="irjsonfixed")
        report, _ = request(self.api_repa, json=True)
        return out.pformat(report["analysis"])

    def submit_file(self, file: File):
        """Submit ``file`` for analysis; return the ``data`` part of the response."""
        self.api_subf.data = {"accept-tac": self._tac_flag()}
        self.api_subf.data.update(self.get_apikey())
        self.api_subf.file = {"sample": file.fd()}
        resp, _ = request(self.api_subf, json=True)
        return resp["data"]

    def submit_url(self, url: str):
        """Submit ``url`` for analysis; return the ``data`` part of the response."""
        self.api_subu.data = {"url": url, "accept-tac": self._tac_flag()}
        self.api_subu.data.update(self.get_apikey())
        resp, _ = request(self.api_subu, json=True)
        return resp["data"]

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    def search(self, srch: str):
        """Search analyses for ``srch``; return the list in the ``data`` member."""
        self.api_srch.data = self._with_key(q=srch)
        resp, _ = request(self.api_srch, json=True)
        return resp["data"]

    def quota(self):
        """Return the ``quota`` section of the account information."""
        self.api_quot.data = self.get_apikey()
        resp, _ = request(self.api_quot, json=True)
        return resp["data"]["quota"]
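class OpenPhish(Service):
    """Client for the OpenPhish community feed.

    The only supported operation downloads the public feed; no API key is
    involved.  Every other hook is flagged unsupported.
    """
    name = "OpenPhish"
    sname = "op"
    api_keyl = 0

    desc = f"{name} is a proprietary phishing threat intelligence source that\n" \
           f"uses artificial intelligence for automated classification"
    subs = "public/private"
    url = "https://openphish.com/"

    # api_dowf = APISpec("GET", "https://openphish.com", "/prvt-intell/")
    api_dowf = APISpec("GET", "https://openphish.com", "/feed.txt")
    api_repf = APISpec()
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://openphish.com/

    def download_file(self, hash: Hash):
        """Fetch the community feed and save it as openphish-community.txt.

        ``hash`` is ignored: the feed is one fixed resource, not a
        per-sample download.
        """
        # self.api_dowf.fulluri = self.api_dowf.url + "/feed.txt"
        data, _ = request(self.api_dowf)
        rw.writef("openphish-community.txt", data)
        return "downloaded \"openphish-community.txt\""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_file(self, file: File):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    # Flagged unsupported like the other stubs: without the decorator the
    # empty body silently returned None and looked like a supported lookup.
    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def search(self, srch: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def quota(self):
        """Not implemented for this backend."""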
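class MalShare(Service):
    """Client for the MalShare community malware repository.

    Requests go over HTTPS with certificate pinning (``cert=True``).
    NOTE(security): the upload and details endpoints carry the API key in
    the query string, so it appears in any URL logging along the path.
    """
    name = "MalShare"
    sname = "ms"
    api_keyl = 64

    desc = f"{name} is a community-driven malware repository"
    subs = "public"
    url = "http://malshare.com/"

    # api_dowf = APISpec("GET", "https://malshare.com", "/api.php", "malshare-bundle.pem")
    api_dowf = APISpec("GET", "https://malshare.com", "/api.php", cert=True)
    api_repf = APISpec("GET", "https://malshare.com", "/api.php", cert=True)
    api_subf = APISpec("POST", "https://malshare.com", "/api.php?action=upload&api_key=%s", cert=True)

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec("GET", "https://malshare.com", "/api.php?api_key=%s&action=details&hash=%s", cert=True)
    api_quot = APISpec()

    # https://malshare.com/doc.php

    def download_file(self, hash: Hash):
        """Download the sample for ``hash`` into the working directory.

        MalShare answers a missing sample with HTTP 200 and a text body, so
        the body is inspected rather than the status code.
        """
        import os.path
        self.api_dowf.param = {**self.get_apikey(), "action": "getfile",
                               "hash": hash.hash}
        data, filename = request(self.api_dowf, bin=True)
        # out.debug(util.hexdump(data))
        if data.startswith(b"Sample not found by hash"):
            return f"sample \"{hash}\" not found"
        # The name presumably comes from the response headers; keep only the
        # basename so a hostile value cannot write outside the working
        # directory, and fall back to the hash when none was supplied.
        filename = os.path.basename(filename or "") or hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the sample details for ``hash`` as a JSON dump."""
        self.api_repf.param = {**self.get_apikey(), "action": "details",
                               "hash": hash.hash}
        data, _ = request(self.api_repf)
        #data = frmt.jsontree(data)
        data = frmt.jsondump(data)
        return data


    def submit_file(self, file: File):
        """Upload ``file``; return the raw response."""
        self.api_subf.fulluri = self.api_subf.fullurl % (self.get_apikey(key=True))
        self.api_subf.file = {
            "upload": file.fd()
        }
        data, _ = request(self.api_subf)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def report_url(self, url: str):
        """Not implemented for this backend."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not implemented for this backend."""

    def search(self, srch: str):
        """Return the details for hash ``srch`` as a JSON dump.

        ``srch`` is user input spliced into the query string, so it is
        percent-encoded to keep a stray '&' or '#' from altering the query.
        """
        from urllib.parse import quote
        self.api_srch.fulluri = self.api_srch.fullurl % (
            self.get_apikey(key=True), quote(srch, safe=""))
        data, _ = request(self.api_srch)
        #data = frmt.jsontree(data)
        data = frmt.jsondump(data)
        return data

    @Service.unsupported
    def quota(self):
        """Not implemented for this backend."""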
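class PhishTank(Service):
    """PhishTank community phishing database.

    Implements the online-valid feed download and single-URL check; every
    other Service operation is marked unsupported.
    """
    name = "PhishTank"
    sname = "pt"
    api_keyl = 64

    desc = f"{name} is a community-based phishing database"
    subs = "public"
    url = "https://www.phishtank.com/"

    # Feed download. The API key is substituted into the path, so it is
    # part of the request URL. Both endpoints below are plain http, so the
    # key and the responses travel unencrypted; treat the data as untrusted.
    api_dowf = APISpec("GET", "http://data.phishtank.com",
                       "/data/%s/online-valid.json.gz")
    api_repf = APISpec()
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec("POST", "http://checkurl.phishtank.com", "/checkurl/")
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # http://www.phishtank.com/developer_info.php

    def download_file(self, hash: Hash):
        """Download the online-valid feed and write it as ``phishtank-<name>``.

        ``hash`` is accepted for interface compatibility only; the feed is
        a single fixed file. Returns the name written, or "unsuccess" when
        the response carried no filename.
        """
        import os

        self.api_dowf.fulluri = self.api_dowf.fullurl % self.get_apikey(
            key=True)
        data, filename = request(self.api_dowf, bin=True)
        if not filename:
            return "unsuccess"
        # Keep only the final path component of the server-supplied name so
        # a crafted name cannot escape the target directory.
        outname = "phishtank-" + os.path.basename(filename)
        rw.writef(outname, data)
        # Report the name actually written (previously a hard-coded "(unknown)").
        return f"downloaded \"{outname}\""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""
        pass

    def report_url(self, url: str):
        """Check ``url`` against PhishTank and return the pretty-printed JSON result.

        The URL is passed through ``quoteurl`` before it is placed in the
        form body alongside the API key.
        """
        self.api_repu.data = {
            "url": quoteurl(url),
            "format": "json",
            **self.get_apikey()
        }
        data, _ = request(self.api_repu)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
        pass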
class ThreatCrowd(Service):
    """Threat Crowd (AlienVault OTX ApiV2) lookups for domains, IPs and AV names.

    Only the domain report, IP report and antivirus search endpoints are
    wired up; the remaining Service operations are marked unsupported.
    """
    name = "Threat Crowd"
    sname = "tc"
    api_keyl = 32

    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()

    api_repa = APISpec()
    # NOTE: these endpoints are plain http, so responses are not protected
    # in transit; treat the returned data as untrusted input downstream.
    api_repd = APISpec("GET", "http://www.threatcrowd.org",
                       "/searchApi/v2/domain/report/")
    api_repi = APISpec("GET", "http://www.threatcrowd.org",
                       "/searchApi/v2/ip/report/")

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec("GET", "http://www.threatcrowd.org",
                       "/searchApi/v2/antivirus/report/")
    api_quot = APISpec()

    # https://www.threatcrowd.org/
    # https://github.com/AlienVault-OTX/ApiV2

    def _fetch_pretty(self, spec, params):
        """Set ``params`` on ``spec``, issue the request and pretty-print the JSON body."""
        spec.param = params
        raw, _ = request(spec)
        tree = frmt.jsontree(raw)
        return out.pformat(tree)

    @Service.unsupported
    def download_file(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not offered by this service."""

    @Service.unsupported
    def submit_file(self, file: File):
        """Not offered by this service."""

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""

    def report_dom(self, dom: str):
        """Return the pretty-printed domain report for ``dom``."""
        return self._fetch_pretty(self.api_repd, {"domain": dom})

    def report_ip(self, ip: str):
        """Return the pretty-printed IP report for ``ip``."""
        return self._fetch_pretty(self.api_repi, {"ip": ip})

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service."""

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""

    def search(self, srch: str):
        """Return the pretty-printed antivirus report for the AV name ``srch``."""
        return self._fetch_pretty(self.api_srch, {"antivirus": srch})

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
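class OpenPhish(Service):
    """OpenPhish community feed.

    Only the community feed download is implemented; every other Service
    operation is marked unsupported.
    """
    name = "OpenPhish"
    sname = "op"
    api_keyl = 15

    # api_dowf = APISpec("GET", "https://openphish.com", "/prvt-intell/")
    api_dowf = APISpec("GET", "https://openphish.com", "/feed.txt")
    api_repf = APISpec()
    api_subf = APISpec()

    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()

    api_repu = APISpec()
    api_subu = APISpec()

    api_srch = APISpec()
    api_quot = APISpec()

    # https://openphish.com/

    def download_file(self, hash: Hash):
        """Download the community feed to ``openphish-community.txt``.

        ``hash`` is accepted for interface compatibility only; the feed is a
        single fixed file and no API key is sent for it.
        """
        # self.api_dowf.fulluri = self.api_dowf.url + "/feed.txt"
        # The server-provided filename is ignored: the output name is fixed.
        data, _ = request(self.api_dowf)
        rw.writef("openphish-community.txt", data)
        return "downloaded \"openphish-community.txt\""

    @Service.unsupported
    def report_file(self, hash: Hash):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def report_url(self, url: str):
        """Not offered by this service.

        Marked unsupported for consistency with the other stubs: api_repu is
        an empty APISpec and the method body did nothing, so a bare call
        silently returned None, which a caller could mistake for success.
        """
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def search(self, srch: str):
        """Not offered by this service."""
        pass

    @Service.unsupported
    def quota(self):
        """Not offered by this service."""
        pass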