def submit_file(self, file: File):
    """Submit ``file`` to VirusTotal for scanning and return the converted reply.

    Samples above the 32 MiB direct-upload limit are not posted to
    ``/vtapi/v2/file/scan``: an upload URL is first fetched from
    ``/vtapi/v2/file/scan/upload_url`` (key in the query string) and the
    sample is posted there with ``data`` cleared, i.e. without the key in the
    body (presumably the returned URL is already authorised). Smaller samples
    go through ``api_subf`` after ``default()`` is called on it, which looks
    intended to undo a ``fulluri`` left over from an earlier large upload,
    since the spec object is shared between calls.

    Returns the response after ``frmt.jsontree`` and ``frmt.jsonvert``.
    """
    direct_upload_limit = 32 * 1024 * 1024  # bytes; the regular /file/scan cap

    self.api_subf.data = self.get_apikey()
    self.api_subf.file = {"file": (file.name, file.fd())}

    if file.len > direct_upload_limit:
        upload_spec = APISpec("GET", "https://www.virustotal.com",
                              "/vtapi/v2/file/scan/upload_url")
        upload_spec.param = {**self.get_apikey()}
        reply, _ = request(upload_spec)
        reply = frmt.jsontree(reply)
        # Post straight to the handed-out URL; the key is dropped from the body.
        self.api_subf.fulluri = reply["upload_url"]
        self.api_subf.data = None
    else:
        self.api_subf.default()

    reply, _ = request(self.api_subf)
    return frmt.jsonvert(frmt.jsontree(reply))
class PDFExaminer(Service):
    """Client for the PDF Examiner analysis service.

    Reports are fetched by hash from ``/pdfapirep.php`` and samples are
    posted to ``/pdfapi.php``. Neither call attaches the API key
    (``get_apikey`` is never used here); ``api_keyl`` is only declared for
    the framework. Every other operation is marked unsupported.
    """

    name = "PDF Examiner"
    sname = "pe"
    api_keyl = 32
    desc = f"{name} is an in-depth, automated PDF analysis service with\n" \
           f"obfuscation, encryption and stream analysis and exploit detection"
    subs = "public/private"
    url = "https://www.pdfexaminer.com/"
    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://www.pdfexaminer.com", "/pdfapirep.php")
    api_subf = APISpec("POST", "https://www.pdfexaminer.com", "/pdfapi.php")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://www.pdfexaminer.com/
    # https://github.com/mwtracker/pdfexaminer_tools

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Return the pretty-printed JSON report for ``hash``.

        The hash algorithm name (``hash.alg``) is used directly as the form
        field carrying the digest.
        """
        self.api_repf.data = {"type": "json", hash.alg: hash.hash}
        reply, _ = request(self.api_repf)
        return out.pformat(frmt.jsontree(reply))

    def submit_file(self, file: File):
        """Upload ``file`` and return its pretty-printed JSON report.

        Non-PDF input is answered with a plain-text notice instead of JSON,
        so that case is recognised by substring before any parsing.
        """
        self.api_subf.file = {"sample[]": file.fd()}
        self.api_subf.data = {"type": "json", "message": "", "email": ""}
        reply, _ = request(self.api_subf)
        if " is not a PDF file. Not processed." in reply:
            return f"{file} is not a PDF file"
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass
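class VxStream(Service):
    """Client for the VxStream Sandbox (Payload Security) REST API.

    Hash-addressed operations (``state``, ``download_file``, ``report_file``,
    ``report_url``) accept SHA-256 only, and a result is fetched only after
    ``/api/state/<sha256>`` reports ``response_code`` 0 with state
    ``SUCCESS``. All calls are pinned to one analysis environment, exposed as
    the ``environment_id`` class attribute (100: Windows 7 32 bit,
    kernel-mode monitor, per the table below).

    NOTE(review): the file specs target ``demo11`` while the URL, search and
    quota specs target ``demo12`` — confirm both hosts are intended. The
    commented-out ``nosharevt`` flag in ``submit_file`` suggests uploads are
    shared with VirusTotal by default; confirm before submitting sensitive
    samples.
    """

    name = "VxStream"
    sname = "vs"
    api_keyl = 25
    desc = f"{name} features in-depth static and dynamic analysis techniques\n" \
           f"within sanboxed environments and is a malware repository created by\n" \
           f"Payload Security"
    subs = "private"
    url = "https://www.vxstream-sandbox.com/"
    # Analysis environment sent as ``environmentId`` on every request.
    environment_id = 100
    api_stat = APISpec("GET", "https://demo11.vxstream-sandbox.com", "/api/state/%s")
    api_dowf = APISpec("GET", "https://demo11.vxstream-sandbox.com", "/api/result/%s")
    api_repf = APISpec("GET", "https://demo11.vxstream-sandbox.com", "/api/scan/%s")
    api_subf = APISpec("POST", "https://demo11.vxstream-sandbox.com", "/api/submit")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec("GET", "https://demo12.vxstream-sandbox.com", "/api/result/%s")
    api_subu = APISpec("POST", "https://demo12.vxstream-sandbox.com", "/api/submiturl")
    api_srch = APISpec("GET", "https://demo12.vxstream-sandbox.com", "/api/search")
    api_quot = APISpec("GET", "https://demo12.vxstream-sandbox.com", "/api/quota")
    # https://www.vxstream-sandbox.com/apikeys/info
    # 1: Windows 7 32 bit - Usermode Monitor
    # 2: Windows 7 64 bit - Usermode Monitor
    # 3: Windows 8.1 32 bit - Usermode Monitor
    # 4: Windows 7 32 bit - Kernelmode Monitor
    # 5: unused
    # 6: Windows XP (Only PE/Scripts)
    # 7: Windows XP Kernelmode Monitor (Only PE/Scripts)
    # 8: unused
    # 9: Windows 8.1 32 bit - Kernelmode Monitor
    # 10: Android Static Analysis
    # 100: Windows 7 32 bit (Kernelmode Monitor)
    # 110: Windows 7 64 bit (Kernelmode Monitor, cloud service only)
    # 200: Android Static Analysis

    def _env_params(self, type_: str) -> dict:
        """Query parameters every hash-based GET sends: environment, response type, API key."""
        return {"environmentId": self.environment_id, "type": type_, **self.get_apikey()}

    def state(self, hash: Hash):
        """Query the analysis state of ``hash``.

        Returns ``(data, True)`` when the API answers ``response_code`` 0 and
        state ``SUCCESS``, ``(data, False)`` for any other answer, and the
        bare ``False`` when ``hash`` is not SHA-256 (callers in this class
        check the algorithm first, so they never unpack that case).
        """
        if hash.alg != HASH_SHA256:
            return False
        self.api_stat.fulluri = self.api_stat.fullurl % hash.hash
        self.api_stat.param = self._env_params("json")
        data, _ = request(self.api_stat, json=True)
        done = data["response_code"] == 0 and data["response"]["state"] == "SUCCESS"
        return data, done

    def download_file(self, hash: Hash):
        """Download the result archive for ``hash`` and write it as ``<sha256>.gz`` via ``rw.writef``.

        Returns a status string in every case; nothing is written unless the
        analysis has reached ``SUCCESS``.
        """
        if hash.alg != HASH_SHA256:
            return f"{hash.alg} is not SHA-256"
        _, ready = self.state(hash)
        if not ready:
            return f"sample \"{hash}\" private or not found"
        self.api_dowf.fulluri = self.api_dowf.fullurl % hash.hash
        self.api_dowf.param = self._env_params("bin")
        filename = hash.hash + ".gz"
        data, _ = request(self.api_dowf, bin=True)
        rw.writef(filename, data)
        # Report the file that was actually written rather than a placeholder.
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the raw scan report for ``hash`` once its analysis has succeeded."""
        if hash.alg != HASH_SHA256:
            return f"{hash.alg} is not SHA-256"
        _, ready = self.state(hash)
        if not ready:
            # Used to fall through and return None; mirror download_file's message.
            return f"sample \"{hash}\" private or not found"
        self.api_repf.fulluri = self.api_repf.fullurl % hash.hash
        self.api_repf.param = self._env_params("json")
        data, _ = request(self.api_repf)
        return data

    def submit_file(self, file: File):
        """Upload ``file`` for analysis in ``environment_id``.

        Credentials go on ``auth`` as the (key, user) pair from
        ``get_apikey`` — presumably HTTP basic auth.
        """
        self.api_subf.auth = self.get_apikey(key=True, user=True)
        self.api_subf.data = {
            "environmentId": self.environment_id
            # "nosharevt": "true"
        }
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    def report_url(self, url: str):
        """Return the report for a URL submission.

        VxStream URL reports are addressed by the SHA-256 handed back at
        submission time, so ``url`` must actually be that digest.
        """
        hash = Hash(url)
        if hash.alg != HASH_SHA256:
            return f"{hash.alg} is not SHA-256"
        _, ready = self.state(hash)
        if not ready:
            # Used to fall through and return None; give an explicit status.
            return f"sample \"{hash}\" private or not found"
        self.api_repu.fulluri = self.api_repu.fullurl % hash.hash
        self.api_repu.param = self._env_params("json")
        data, _ = request(self.api_repu)
        return data

    def submit_url(self, url: str):
        """Submit ``url`` for analysis in ``environment_id``.

        NOTE(review): the key is sent both on ``auth`` and again as a query
        parameter, so it also lands in request URLs and logs; one of the two
        is probably redundant — confirm against the API.
        """
        self.api_subu.auth = self.get_apikey(key=True, user=True)
        self.api_subu.data = {"analyzeurl": url, "environmentId": self.environment_id}
        self.api_subu.param = self.get_apikey()
        data, _ = request(self.api_subu)
        return data

    def search(self, srch: str):
        """Run a free-text ``query`` search and return the raw response."""
        self.api_srch.param = {"query": srch, **self.get_apikey()}
        data, _ = request(self.api_srch)
        return data

    def quota(self):
        """Return the raw quota response for the configured key."""
        self.api_quot.param = self.get_apikey()
        data, _ = request(self.api_quot)
        return data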
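class Metadefender(Service):
    """Client for OPSWAT Metadefender: hash lookups, file scans, app-info and IP reports.

    Two authentication styles are used. The v2 endpoints (``report_file``,
    ``submit_file``) receive ``get_apikey()`` directly as request headers,
    while the v3 endpoints (``report_app``, ``report_ip``) take a single
    ``Authorization: <keyname> <key>`` header, built once in
    ``_authorization_header`` instead of being duplicated per method.
    """

    name = "Metadefender"
    sname = "md"
    api_keyl = 32
    desc = f"{name} is a proprietary multi-scanning engine for malware,\n" \
           f"applications and IP addresses belonging to OPSWAT"
    subs = "public/private"
    url = "https://www.metadefender.com/"
    api_dowf = APISpec()
    # api_repf = APISpec("GET", "https://api.metadefender.com", "/v2/file/")
    api_repf = APISpec("GET", "https://api.metadefender.com", "/v2/hash/")
    api_subf = APISpec("POST", "https://scan.metadefender.com", "/v2/file")
    api_repa = APISpec("GET", "https://api.metadefender.com", "/v3/appinfo/")
    api_repd = APISpec()
    api_repi = APISpec("GET", "https://api.metadefender.com", "/v3/ip/")
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://www.metadefender.com/public-api

    def _authorization_header(self) -> dict:
        """Fold the (name, key) pairs from ``get_apikey`` into one ``Authorization`` header."""
        value = " ".join(f"{kn} {k}" for kn, k in self.get_apikey().items())
        return {"Authorization": value}

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Return the pretty-printed v2 hash lookup for ``hash`` (raw reply, not tree-formatted)."""
        self.api_repf.header = self.get_apikey()
        self.api_repf.fulluri = self.api_repf.fullurl + hash.hash
        data, _ = request(self.api_repf)
        # data = frmt.jsontree(data)
        return out.pformat(data)

    def submit_file(self, file: File):
        """Upload ``file`` to the v2 scan endpoint and return the pretty-printed JSON reply."""
        self.api_subf.header = self.get_apikey()
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        return out.pformat(frmt.jsontree(data))

    def report_app(self, hash: Hash):
        """Return the pretty-printed v3 application-info report for ``hash``."""
        self.api_repa.header = self._authorization_header()
        self.api_repa.fulluri = self.api_repa.fullurl + hash.hash
        data, _ = request(self.api_repa)
        return out.pformat(frmt.jsontree(data))

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    def report_ip(self, ip: str):
        """Return the pretty-printed v3 reputation report for ``ip``."""
        self.api_repi.header = self._authorization_header()
        self.api_repi.fulluri = self.api_repi.fullurl + ip
        data, _ = request(self.api_repi)
        return out.pformat(frmt.jsontree(data))

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass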
class SafeBrowsing(Service):
    """Client for the Google Safe Browsing v4 Lookup API.

    ``report_url`` posts a ``threatMatches:find`` request for one URL;
    ``search`` lists the available threat lists. The API key is a query
    parameter on both calls. Only the ``MALWARE`` and ``SOCIAL_ENGINEERING``
    threat types are queried — the other types are listed in comments but not
    sent, so unwanted-software / PHA hits are not reported by this client.
    """

    name = "Safe Browsing"
    sname = "sb"
    api_keyl = 39
    desc = f"{name} is an online database of malicious URLs updated in real-time\n" \
           f"by Google"
    subs = "public"
    url = "https://safebrowsing.google.com/"
    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec("POST", "https://safebrowsing.googleapis.com", "/v4/threatMatches:find")
    api_subu = APISpec()
    api_srch = APISpec("GET", "https://safebrowsing.googleapis.com", "/v4/threatLists")
    api_quot = APISpec()
    # https://developers.google.com/safe-browsing/

    def _json_call(self, spec):
        """Attach the key and JSON content type to ``spec``, call it, and pretty-print the JSON reply."""
        spec.param = self.get_apikey()
        spec.header = {'Content-Type': 'application/json'}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    def report_url(self, url: str):
        """Look ``url`` up against the malware and social-engineering lists for all platforms."""
        client = {"clientId": MALSUB_NAME, "clientVersion": MALSUB_VERSION}
        threat_info = {
            # "POTENTIALLY_HARMFUL_APPLICATION"
            # "THREAT_TYPE_UNSPECIFIED"
            # "UNWANTED_SOFTWARE"
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
            "platformTypes": ["ALL_PLATFORMS"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": url}],
        }
        self.api_repu.json = {"client": client, "threatInfo": threat_info}
        return self._json_call(self.api_repu)

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    def search(self, srch: str):
        """List the threat lists the API currently serves (``srch`` is not sent)."""
        return self._json_call(self.api_srch)

    @Service.unsupported
    def quota(self):
        pass
class QuickSand(Service):
    """Client for QuickSand: hash lookups on ``/api.php`` and uploads to ``/upload.php``.

    The API key is carried in the POST body of both calls. Only hash reports
    and file submission are implemented; everything else is unsupported.
    """

    name = "QuickSand"
    sname = "qs"
    api_keyl = 32
    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://www.quicksand.io", "/api.php")
    api_subf = APISpec("POST", "https://www.quicksand.io", "/upload.php")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://www.quicksand.io/
    # https://github.com/tylabs/quicksand_tools

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Query ``hash`` and return the pretty-printed JSON report."""
        self.api_repf.data = dict(self.get_apikey(), query=hash.hash)
        reply, _ = request(self.api_repf)
        return out.pformat(frmt.jsontree(reply))

    def submit_file(self, file: File):
        """Upload ``file`` with ``QUICKSAND_RERUN`` set (presumably forcing re-analysis of a known sample)."""
        self.api_subf.file = {"file[]": file.fd()}
        self.api_subf.data = dict(self.get_apikey(), QUICKSAND_RERUN=1)
        # {"QUICKSAND_BRUTE": 1, "QUICKSAND_LOOKAHEAD": 1}
        reply, _ = request(self.api_subf)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass
class VirusTotal(Service):
    """Client for the VirusTotal v2 API: file, URL, domain and IP reports plus file/URL scans.

    The API key travels in the POST body for ``report_file``, ``submit_file``,
    ``report_url`` and ``submit_url``, and in the query string for the GET
    ``report_dom`` / ``report_ip`` calls. Download, app reports, search and
    quota are unsupported in this client.
    """

    name = "VirusTotal"
    sname = "vt"
    api_keyl = 64
    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://www.virustotal.com", "/vtapi/v2/file/report")
    api_subf = APISpec("POST", "https://www.virustotal.com", "/vtapi/v2/file/scan")
    api_repa = APISpec()
    api_repd = APISpec("GET", "https://www.virustotal.com", "/vtapi/v2/domain/report")
    api_repi = APISpec("GET", "https://www.virustotal.com", "/vtapi/v2/ip-address/report")
    api_repu = APISpec("POST", "https://www.virustotal.com", "/vtapi/v2/url/report")
    api_subu = APISpec("POST", "https://www.virustotal.com", "/vtapi/v2/url/scan")
    api_srch = APISpec()
    api_quot = APISpec()
    # https://www.virustotal.com/en/documentation/public-api/
    # https://www.virustotal.com/en/documentation/private-api/

    def _pretty_tree(self, spec):
        """Call ``spec`` and return its reply tree-formatted and pretty-printed."""
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Return the pretty-printed file report for ``hash`` (raw reply, not tree-formatted)."""
        self.api_repf.data = dict(self.get_apikey(), resource=hash.hash)
        reply, _ = request(self.api_repf)
        return out.pformat(reply)

    def submit_file(self, file: File):
        """Upload ``file`` for scanning and return the reply converted with ``frmt.jsonvert``."""
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": (file.name, file.fd())}
        reply, _ = request(self.api_subf)
        return frmt.jsonvert(frmt.jsontree(reply))

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the pretty-printed domain report for ``dom``."""
        self.api_repd.param = dict(self.get_apikey(), domain=dom)
        return self._pretty_tree(self.api_repd)

    def report_ip(self, ip: str):
        """Return the pretty-printed IP-address report for ``ip``."""
        self.api_repi.param = dict(self.get_apikey(), ip=ip)
        return self._pretty_tree(self.api_repi)

    def report_url(self, url: str):
        """Return the pretty-printed URL report for ``url``."""
        self.api_repu.data = dict(self.get_apikey(), resource=url)
        return self._pretty_tree(self.api_repu)

    def submit_url(self, url: str):
        """Queue ``url`` for scanning and return the pretty-printed reply."""
        self.api_subu.data = dict(self.get_apikey(), url=url)
        return self._pretty_tree(self.api_subu)

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass
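class AVCaesar(Service):
    """Client for the AVCaesar (malware.lu) sample repository API v1.

    The API key is sent as a cookie on every call. Sample download, sample
    report, upload and quota are implemented; the rest is unsupported.
    """

    name = "AVCaesar"
    sname = "avc"
    api_keyl = 64
    desc = f"{name} is an online sandbox and malware repository developed under\n" \
           f"a project from European Comission and maintained by a CERT in\n" \
           f"Luxembourg"
    subs = "public"
    url = "https://avcaesar.malware.lu/"
    api_dowf = APISpec("GET", "https://avcaesar.malware.lu", "/api/v1/sample/%s/download")
    api_repf = APISpec("GET", "https://avcaesar.malware.lu", "/api/v1/sample/")
    api_subf = APISpec("POST", "https://avcaesar.malware.lu", "/api/v1/sample/upload")
    api_repa = APISpec()
    api_repi = APISpec()
    api_repd = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec("GET", "https://avcaesar.malware.lu", "/api/v1/user/quota")
    # https://avcaesar.malware.lu/docs/api

    def download_file(self, hash: Hash):
        """Download sample ``hash`` and write it under the filename the server returns.

        Returns ``downloaded "<filename>"`` on success and ``"unsuccess"`` when
        the reply carries no filename (nothing is written in that case).
        NOTE(review): the filename comes from the server and is handed to
        ``rw.writef`` unchanged — confirm it is sanitised (no path separators)
        somewhere on that path before trusting it.
        """
        self.api_dowf.fulluri = self.api_dowf.fullurl % hash.hash
        self.api_dowf.cookie = self.get_apikey()
        data, filename = request(self.api_dowf, bin=True)
        if not filename:
            return "unsuccess"
        rw.writef(filename, data)
        # Report the file that was actually written rather than a placeholder.
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed JSON sample report for ``hash``."""
        # hash.hash + "?overview=false&section=pe"
        self.api_repf.fulluri = self.api_repf.fullurl + hash.hash
        self.api_repf.cookie = self.get_apikey()
        data, _ = request(self.api_repf)
        return out.pformat(frmt.jsontree(data))

    def submit_file(self, file: File):
        """Upload ``file`` and return the pretty-printed JSON reply."""
        self.api_subf.cookie = self.get_apikey()
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        return out.pformat(frmt.jsontree(data))

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    def quota(self):
        """Return the pretty-printed quota for the key's user."""
        self.api_quot.cookie = self.get_apikey()
        res, _ = request(self.api_quot)
        return out.pformat(frmt.jsontree(res))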
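class MalShare(Service):
    """Client for the MalShare sample repository (``/api.php`` driven by an ``action`` verb).

    Only sample download and hash details are implemented. The API key is a
    query-string parameter on every call, so it shows up in request URLs and
    in any proxy or server log.

    NOTE(review): both specs are built with ``cert=False``. If that maps to
    ``verify=False`` on the HTTP layer it disables TLS certificate checking,
    leaving the key exposed to — and downloaded samples tamperable by —
    anyone on path. The commented-out ``malshare-bundle.pem`` line suggests a
    pinned CA bundle was tried; restoring verification (with that bundle if
    the site's chain is unusual) is the right fix.
    """

    name = "MalShare"
    sname = "ms"
    api_keyl = 64
    # api_dowf = APISpec("GET", "https://malshare.com", "/api.php", "malshare-bundle.pem")
    api_dowf = APISpec("GET", "https://malshare.com", "/api.php", cert=False)
    api_repf = APISpec("GET", "https://malshare.com", "/api.php", cert=False)
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://malshare.com/doc.php

    def download_file(self, hash: Hash):
        """Fetch sample ``hash`` (``action=getfile``) and write it via ``rw.writef``.

        A "not found" reply body is reported without writing anything. When
        the server supplies no filename the hash itself is used.
        NOTE(review): a server-supplied filename is passed to ``rw.writef``
        unchanged — confirm it is sanitised before being used as a path.
        Returns a human-readable status string.
        """
        self.api_dowf.param = {**self.get_apikey(), "action": "getfile", "hash": hash.hash}
        data, filename = request(self.api_dowf, bin=True)
        if data.startswith(b"Sample not found by hash"):
            return f"sample \"{hash.hash}\" not found"
        filename = filename or hash.hash
        rw.writef(filename, data)
        # Report the file that was actually written rather than a placeholder.
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed ``action=details`` reply for ``hash`` (raw, not tree-formatted)."""
        self.api_repf.param = {**self.get_apikey(), "action": "details", "hash": hash.hash}
        data, _ = request(self.api_repf)
        # data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass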
class Malwr(Service):
    """Client for malwr.com; only file submission is wired up.

    ``submit_file`` posts with ``shared`` set to ``"yes"``, i.e. the sample
    is submitted as a shared (non-private) analysis — keep that in mind for
    sensitive samples. The original author recorded an ``HTTP 405`` answer
    from the endpoint, so the call may not work as-is.
    """

    name = "malwr"
    sname = "mw"
    api_keyl = 32
    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec("POST", "https://malwr.com", "/api/analysis/add")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://malwr.com/
    # https://www.malwareviz.com/

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    def submit_file(self, file: File):
        """Upload ``file`` as a shared analysis and return the pretty-printed JSON reply."""
        # HTTP 405 Method Not Allowed
        self.api_subf.data = dict(self.get_apikey(), shared="yes")
        self.api_subf.file = {"file": (file.name, file.fd())}
        reply, _ = request(self.api_subf)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass
class HybridAnalysis(Service):
    """Client for the Hybrid Analysis API (scan report by hash, search, quota).

    The API key is sent as query parameters on every implemented call and the
    raw response is returned unformatted. ``submit_file`` is present but
    marked unsupported.
    """

    name = "Hybrid Analysis"
    sname = "ha"
    api_keyl = 25
    api_dowf = APISpec()
    api_repf = APISpec("GET", "https://www.hybrid-analysis.com", "/api/scan/%s")
    api_subf = APISpec("POST", "https://www.hybrid-analysis.com", "/api/submit")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec("GET", "https://www.hybrid-analysis.com", "/api/search")
    api_quot = APISpec("GET", "https://www.hybrid-analysis.com", "/api/quota")
    # https://www.hybrid-analysis.com/apikeys/info

    def _raw(self, spec):
        """Call ``spec`` and return the raw reply."""
        reply, _ = request(spec)
        return reply

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Return the raw scan report for ``hash``."""
        self.api_repf.fulluri = self.api_repf.fullurl % hash.hash
        self.api_repf.param = self.get_apikey()
        return self._raw(self.api_repf)

    @Service.unsupported
    def submit_file(self, file: File):
        # NOTE(review): the file handle is placed in ``data`` instead of ``file``,
        # unlike every other service's submit_file in this module — likely why
        # this is marked unsupported.
        self.api_subf.data = {"file": file.fd(), **self.get_apikey()}
        return self._raw(self.api_subf)

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    def search(self, srch: str):
        """Run a free-text ``query`` search and return the raw reply."""
        self.api_srch.param = {"query": srch, **self.get_apikey()}
        return self._raw(self.api_srch)

    def quota(self):
        """Return the raw quota reply for the configured key."""
        self.api_quot.param = self.get_apikey()
        return self._raw(self.api_quot)
class ThreatStream(Service):
    """Client for the Anomali ThreatStream v2 intelligence API.

    Every lookup hits the same ``/api/v2/intelligence`` endpoint with
    different filter parameters; ``limit`` is sent on each (``0`` is noted
    to mean 1000). The key goes in the query string. ``report_file`` and
    ``submit_url`` have bodies but are marked unsupported.
    """

    name = "ThreatStream"
    sname = "ts"
    api_keyl = 40
    desc = f"Anomali {name} is a threat intelligence platform that aggregates\n" \
           f"several threat feeds"
    subs = "private"
    url = "https://www.anomali.com/platform/threatstream"
    api_stat = APISpec()
    api_dowf = APISpec()
    api_repf = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_repi = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_repu = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_subu = APISpec()
    api_srch = APISpec("GET", "https://api.threatstream.com", "/api/v2/intelligence")
    api_quot = APISpec()
    # https://github.com/threatstream/threatstream-api
    limit = 0  # '0' means 1000

    def _lookup(self, spec, **filters):
        """Send ``filters`` (after the key) as query parameters to ``spec`` and pretty-print the JSON reply."""
        spec.param = {**self.get_apikey(), **filters}
        reply, _ = request(spec)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    @Service.unsupported
    def report_file(self, hash: Hash):
        if hash.alg != HASH_MD5 and hash.alg != HASH_SHA1:
            return f"{hash.alg} is not MD5 or SHA1"
        return self._lookup(self.api_repf,
                            type="md5",  # MD5 or SHA-1
                            value=hash.hash,
                            limit=self.limit)

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the pretty-printed intelligence records whose value is the domain ``dom``."""
        return self._lookup(self.api_repd, limit=self.limit, type="domain", value=dom)

    def report_ip(self, ip: str):
        """Return the pretty-printed intelligence records matching the ``ip`` filter."""
        return self._lookup(self.api_repi, ip=ip, limit=self.limit)

    def report_url(self, url: str):
        """Return the pretty-printed intelligence records whose value is the URL ``url``."""
        return self._lookup(self.api_repu, limit=self.limit, type="url", value=url)

    @Service.unsupported
    def submit_url(self, url: str):
        self.api_subu.data = {**self.get_apikey(),
                              "report_radio-platform": "WINDOWS7",
                              "report_radio-url": url}
        reply, _ = request(self.api_subu)
        return out.pformat(frmt.jsontree(reply))

    def search(self, srch: str):
        """Substring search via ``value__regexp``; ``srch`` is regex-escaped so it is matched literally."""
        import re
        pattern = f".*{re.escape(srch)}.*"
        # self.api_srch.param = {**self.get_apikey(), "value": srch}
        return self._lookup(self.api_srch, limit=self.limit, value__regexp=pattern)

    @Service.unsupported
    def quota(self):
        pass
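class VxStream(Service):
    """Client for the VxStream Sandbox REST API on the ``demo12`` host.

    ``report_file`` and ``report_url`` accept SHA-256 only and fetch a result
    only after ``/api/state/<sha256>`` reports ``response_code`` 0 with state
    ``SUCCESS`` (``_analysis_succeeded``). Every call is pinned to one
    analysis environment, exposed as the ``environment_id`` class attribute
    (100: Windows 7 32 bit, kernel-mode monitor, per the table below).
    """

    name = "VxStream"
    sname = "vs"
    api_keyl = 25
    # Analysis environment sent as ``environmentId`` on every request.
    environment_id = 100
    api_stat = APISpec("GET", "https://demo12.vxstream-sandbox.com", "/api/state/%s")
    api_dowf = APISpec()
    api_repf = APISpec("GET", "https://demo12.vxstream-sandbox.com", "/api/scan/%s")
    api_subf = APISpec("POST", "https://demo12.vxstream-sandbox.com", "/api/submit")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec("GET", "https://demo12.vxstream-sandbox.com", "/api/result/%s")
    api_subu = APISpec("POST", "https://demo12.vxstream-sandbox.com", "/api/submiturl")
    api_srch = APISpec("GET", "https://demo12.vxstream-sandbox.com", "/api/search")
    api_quot = APISpec("GET", "https://demo12.vxstream-sandbox.com", "/api/quota")
    # https://www.vxstream-sandbox.com/apikeys/info
    # 1: Windows 7 32 bit - Usermode Monitor
    # 2: Windows 7 64 bit - Usermode Monitor
    # 3: Windows 8.1 32 bit - Usermode Monitor
    # 4: Windows 7 32 bit - Kernelmode Monitor
    # 5: unused
    # 6: Windows XP (Only PE/Scripts)
    # 7: Windows XP Kernelmode Monitor (Only PE/Scripts)
    # 8: unused
    # 9: Windows 8.1 32 bit - Kernelmode Monitor
    # 10: Android Static Analysis
    # 100: Windows 7 32 bit (Kernelmode Monitor)
    # 110: Windows 7 64 bit (Kernelmode Monitor, cloud service only)
    # 200: Android Static Analysis

    def _env_params(self, type_: str) -> dict:
        """Query parameters every hash-based GET sends: environment, response type, API key."""
        return {"environmentId": self.environment_id, "type": type_, **self.get_apikey()}

    def _analysis_succeeded(self, hash: Hash) -> bool:
        """True when ``/api/state`` reports ``response_code`` 0 and state ``SUCCESS`` for ``hash``."""
        self.api_stat.fulluri = self.api_stat.fullurl % hash.hash
        self.api_stat.param = self._env_params("json")
        data, _ = request(self.api_stat, json=True)
        return data["response_code"] == 0 and data["response"]["state"] == "SUCCESS"

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Return the raw scan report for ``hash`` once its analysis has succeeded.

        Returns a status string for non-SHA-256 input and for analyses that
        have not reached ``SUCCESS`` (the latter used to return ``None``).
        """
        if hash.alg != HASH_SHA256:
            return f"{hash.alg} is not SHA-256"
        if not self._analysis_succeeded(hash):
            return f"sample \"{hash}\" private or not found"
        self.api_repf.fulluri = self.api_repf.fullurl % hash.hash
        self.api_repf.param = self._env_params("json")
        data, _ = request(self.api_repf)
        return data

    def submit_file(self, file: File):
        """Upload ``file`` for analysis in ``environment_id``.

        Credentials go on ``auth`` as the (key, user) pair from
        ``get_apikey`` — presumably HTTP basic auth.
        """
        self.api_subf.auth = self.get_apikey(key=True, user=True)
        self.api_subf.data = {"environmentId": self.environment_id}
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    def report_url(self, url: str):
        """Return the report for a URL submission.

        VxStream URL reports are addressed by the SHA-256 handed back at
        submission time, so ``url`` must actually be that digest. Returns a
        status string when the analysis has not reached ``SUCCESS`` (used to
        return ``None``).
        """
        hash = Hash(url)
        if hash.alg != HASH_SHA256:
            return f"{hash.alg} is not SHA-256"
        if not self._analysis_succeeded(hash):
            return f"sample \"{hash}\" private or not found"
        self.api_repu.fulluri = self.api_repu.fullurl % hash.hash
        self.api_repu.param = self._env_params("json")
        data, _ = request(self.api_repu)
        return data

    def submit_url(self, url: str):
        """Submit ``url`` for analysis in ``environment_id``.

        NOTE(review): the key is sent both on ``auth`` and again as a query
        parameter, so it also lands in request URLs and logs; one of the two
        is probably redundant — confirm against the API.
        """
        self.api_subu.auth = self.get_apikey(key=True, user=True)
        self.api_subu.data = {"analyzeurl": url, "environmentId": self.environment_id}
        self.api_subu.param = self.get_apikey()
        data, _ = request(self.api_subu)
        return data

    def search(self, srch: str):
        """Run a free-text ``query`` search and return the raw response."""
        self.api_srch.param = {"query": srch, **self.get_apikey()}
        data, _ = request(self.api_srch)
        return data

    def quota(self):
        """Return the raw quota response for the configured key."""
        self.api_quot.param = self.get_apikey()
        data, _ = request(self.api_quot)
        return data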
class QuickSand(Service):
    """Client for QuickSand: hash lookups on ``/api.php`` and uploads to ``/upload.php``.

    The API key is carried in the POST body of both calls. Only hash reports
    and file submission are implemented; everything else is unsupported.
    """

    name = "QuickSand"
    sname = "qs"
    api_keyl = 32
    desc = f"{name} is a dynamic and static analysis framework for office\n" \
           f"documents with obfuscation and encryption analysis"
    subs = "public/private"
    url = "https://quicksand.io/"
    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://www.quicksand.io", "/api.php")
    api_subf = APISpec("POST", "https://www.quicksand.io", "/upload.php")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://www.quicksand.io/
    # https://github.com/tylabs/quicksand_tools

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Query ``hash`` and return the pretty-printed JSON report."""
        self.api_repf.data = dict(self.get_apikey(), query=hash.hash)
        reply, _ = request(self.api_repf)
        return out.pformat(frmt.jsontree(reply))

    def submit_file(self, file: File):
        """Upload ``file`` with ``QUICKSAND_RERUN`` set (presumably forcing re-analysis of a known sample)."""
        self.api_subf.file = {"file[]": file.fd()}
        self.api_subf.data = dict(self.get_apikey(), QUICKSAND_RERUN=1)
        # {"QUICKSAND_BRUTE": 1, "QUICKSAND_LOOKAHEAD": 1}
        reply, _ = request(self.api_subf)
        return out.pformat(frmt.jsontree(reply))

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass
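class APIVoid(Service):
    """Client for APIVoid's pay-as-you-go domain blacklist endpoint.

    The endpoints take the API key as a ``?key=`` query parameter, so it ends
    up in request URLs and any intermediary logs. Domain and IP reputation
    plus the usage ``stats`` (``quota``) are implemented; the rest is
    unsupported.
    """

    name = "APIVoid"
    sname = "av"
    api_keyl = 40
    desc = f"{name} is a pay-as-you-go blacklist and reputation-based scanning engine\n" \
           f"for URLs"
    subs = "private"
    url = "https://www.apivoid.com/"
    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec("GET", "https://endpoint.apivoid.com", "/domainbl/v1/pay-as-you-go/?key=%s&host=%s")
    api_repi = APISpec("GET", "https://endpoint.apivoid.com", "/domainbl/v1/pay-as-you-go/?key=%s&ip=%s")
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec("GET", "https://endpoint.apivoid.com", "/domainbl/v1/pay-as-you-go/?key=%s&stats")

    def _call(self, spec, *args):
        """Fill ``spec.fullurl`` with the key followed by ``args``, call it, and return the dumped JSON."""
        spec.fulluri = spec.fullurl % (self.get_apikey(key=True), *args)
        data, _ = request(spec)
        return frmt.jsondump(data)

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the blacklist report for the domain ``dom``."""
        return self._call(self.api_repd, dom)

    def report_ip(self, ip: str):
        """Return the blacklist report for the address ``ip``.

        Now formats ``api_repi``'s own URL template; it previously reused the
        domain spec's template, so the address was sent as ``host=`` rather
        than ``ip=``.
        """
        return self._call(self.api_repi, ip)

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    def quota(self):
        """Return the usage statistics for the configured key."""
        return self._call(self.api_quot)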
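class URLVoid(Service):
    """Client for the URLVoid host reputation API (XML responses).

    Every request embeds the ``identifier`` and ``apikey`` from
    ``get_apikey`` in the URL path. NOTE(review): all specs use plain
    ``http://``, so those credentials travel in cleartext and are readable
    by anyone on path; switch to ``https://`` if the API serves it.
    Domain report, host scan and remaining-quota are implemented.
    """

    name = "URLVoid"
    sname = "uv"
    api_keyl = 40
    desc = f"{name} is a free blacklist- and reputation-based scanning engine\n" \
           f"for URLs"
    subs = "public"
    url = "http://www.urlvoid.com/"
    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec("GET", "http://api.urlvoid.com", "/%s/%s/host/%s/")
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec("GET", "http://api.urlvoid.com", "/%s/%s/host/%s/scan/")
    # api_subu = APISpec("GET", "http://api.urlvoid.com", "/%s/%s/host/%s/rescan/")
    api_srch = APISpec()
    api_quot = APISpec("GET", "http://api.urlvoid.com", "/%s/%s/stats/remained/")
    # http://www.urlvoid.com/
    # http://www.urlvoid.com/api/
    # http://api.urlvoid.com/

    def _credentials(self):
        """Return ``(identifier, apikey)`` from one ``get_apikey`` call instead of two."""
        key = self.get_apikey()
        return key["identifier"], key["apikey"]

    def _xml_call(self, spec, *args):
        """Fill ``spec.fullurl`` with the credentials followed by ``args`` and return the parsed XML reply."""
        spec.fulluri = spec.fullurl % (*self._credentials(), *args)
        data, _ = request(spec)
        return frmt.xmlparse(data)

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the parsed host report for ``dom``."""
        return self._xml_call(self.api_repd, dom)

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    def submit_url(self, url: str):
        """Trigger a scan of ``url`` and return the parsed reply.

        The API addresses hosts, so a leading ``http://`` or ``https://`` is
        stripped before the value is placed in the path.
        """
        for scheme in ("http://", "https://"):
            if url.startswith(scheme):
                url = url[len(scheme):]
                break
        return self._xml_call(self.api_subu, url)

    @Service.unsupported
    def search(self, srch: str):
        pass

    def quota(self):
        """Return the parsed remaining-queries statistics."""
        return self._xml_call(self.api_quot)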
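class AVCaesar(Service):
    """Client for the AVCaesar (malware.lu) sample repository API v1.

    The API key is sent as a cookie on every call. Sample download, sample
    report and quota are implemented; ``submit_file`` is kept but marked
    unsupported (the author recorded an ``HTTP 404`` from ``/api/v1/upload``).
    """

    name = "AVCaesar"
    sname = "avc"
    api_keyl = 64
    api_dowf = APISpec("GET", "https://avcaesar.malware.lu", "/api/v1/sample/%s/download")
    api_repf = APISpec("GET", "https://avcaesar.malware.lu", "/api/v1/sample/")
    api_subf = APISpec("POST", "https://avcaesar.malware.lu", "/api/v1/upload")
    api_repa = APISpec()
    api_repi = APISpec()
    api_repd = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec("GET", "https://avcaesar.malware.lu", "/api/v1/user/quota")
    # https://avcaesar.malware.lu/docs/api

    def download_file(self, hash: Hash):
        """Download sample ``hash`` and write it under the filename the server returns.

        Returns ``downloaded "<filename>"`` on success and ``"unsuccess"`` when
        the reply carries no filename (nothing is written in that case).
        The previous debug ``print`` of the cookie is gone: the cookie holds
        the API key, and printing it leaked the secret to stdout/logs.
        NOTE(review): the filename comes from the server and is handed to
        ``rw.writef`` unchanged — confirm it is sanitised (no path separators)
        somewhere on that path before trusting it.
        """
        self.api_dowf.fulluri = self.api_dowf.fullurl % hash.hash
        self.api_dowf.cookie = self.get_apikey()
        data, filename = request(self.api_dowf, bin=True)
        if not filename:
            return "unsuccess"
        rw.writef(filename, data)
        # Report the file that was actually written rather than a placeholder.
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed JSON sample report for ``hash``."""
        # hash.hash + "?overview=false&section=pe"
        self.api_repf.fulluri = self.api_repf.fullurl + hash.hash
        self.api_repf.cookie = self.get_apikey()
        data, _ = request(self.api_repf)
        return out.pformat(frmt.jsontree(data))

    @Service.unsupported
    def submit_file(self, file: File):
        # HTTP 404 Not Found
        self.api_subf.cookie = self.get_apikey()
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        return out.pformat(frmt.jsonvert(data))

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    def quota(self):
        """Return the pretty-printed quota for the key's user."""
        self.api_quot.cookie = self.get_apikey()
        res, _ = request(self.api_quot)
        return out.pformat(frmt.jsontree(res))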
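class VirusTotal(Service):
    """VirusTotal public/private API v2 client.

    The API key is sent as a form field (POST endpoints) or query parameter
    (GET endpoints) over HTTPS, as the v2 API requires; on GET requests it
    is therefore part of the URL and may appear in proxy/server logs.
    """
    name = "VirusTotal"
    sname = "vt"
    api_keyl = [32, 48, 64]
    desc = f"{name} is a well-known online repository by Google of malware and\n" \
        f"malicious URLs with on-demand scanning features using a number of\n" \
        f"selected antivirus engines"
    subs = "public/private"
    url = "https://www.virustotal.com"
    api_dowf = APISpec("GET", "https://www.virustotal.com", "/vtapi/v2/file/download")
    api_repf = APISpec("POST", "https://www.virustotal.com", "/vtapi/v2/file/report")
    api_subf = APISpec("POST", "https://www.virustotal.com", "/vtapi/v2/file/scan")
    api_repa = APISpec()
    api_repd = APISpec("GET", "https://www.virustotal.com", "/vtapi/v2/domain/report")
    api_repi = APISpec("GET", "https://www.virustotal.com", "/vtapi/v2/ip-address/report")
    api_repu = APISpec("POST", "https://www.virustotal.com", "/vtapi/v2/url/report")
    api_subu = APISpec("POST", "https://www.virustotal.com", "/vtapi/v2/url/scan")
    api_srch = APISpec("GET", "https://www.virustotal.com", "/vtapi/v2/file/search")
    api_quot = APISpec()
    # https://developers.virustotal.com/v2.0/
    # https://www.virustotal.com/en/documentation/public-api/
    # https://www.virustotal.com/en/documentation/private-api/

    def download_file(self, hash: Hash):
        """Download the sample ``hash`` (private API) and write it to disk.

        Returns ``sample "<hash>" not found`` on HTTP 404, otherwise
        ``downloaded "<filename>"``; the hash is used as filename when the
        response carries none. Any other HTTPError propagates unchanged.
        """
        from requests.exceptions import HTTPError
        self.api_dowf.param = {**self.get_apikey(), "hash": hash.hash}
        try:
            data, filename = request(self.api_dowf, bin=True)
        except HTTPError as e:
            # ``response`` may be None for some transport-level failures.
            if e.response is not None and e.response.status_code == 404:
                return f"sample \"{hash}\" not found"
            # Re-raise the original: wrapping it in a new HTTPError(e) dropped
            # ``.response`` and the traceback context callers rely on.
            raise
        if not filename:
            filename = hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed (depth-1) file report for ``hash``."""
        self.api_repf.param = {
            **self.get_apikey(),
            "allinfo": "true",
            "resource": hash.hash
        }
        data, _ = request(self.api_repf)
        data = frmt.jsontree(data, depth=1)
        return out.pformat(data)

    def submit_file(self, file: File):
        """Submit ``file`` for scanning and return the converted JSON response.

        Files above 32 MiB go through a one-off upload URL obtained with the
        API key; that URL is then used verbatim and no form data is sent
        with the upload.
        """
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": (file.name, file.fd())}
        if file.len > 32 * 1024 * 1024:
            api_subfl = APISpec("GET", "https://www.virustotal.com", "/vtapi/v2/file/scan/upload_url")
            api_subfl.param = {**self.get_apikey()}
            data, _ = request(api_subfl)
            data = frmt.jsontree(data)
            self.api_subf.fulluri = data["upload_url"]
            self.api_subf.data = None
        else:
            # Presumably restores the spec after an earlier large upload
            # overrode ``fulluri`` -- see APISpec.default().
            self.api_subf.default()
        data, _ = request(self.api_subf)
        data = frmt.jsontree(data)
        return frmt.jsonvert(data)

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the pretty-printed domain report for ``dom``."""
        self.api_repd.param = {**self.get_apikey(), "domain": dom}
        data, _ = request(self.api_repd)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def report_ip(self, ip: str):
        """Return the pretty-printed IP address report for ``ip``."""
        self.api_repi.param = {**self.get_apikey(), "ip": ip}
        data, _ = request(self.api_repi)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def report_url(self, url: str):
        """Return the pretty-printed URL report for ``url``."""
        self.api_repu.data = {**self.get_apikey(), "resource": url}
        data, _ = request(self.api_repu)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def submit_url(self, url: str):
        """Queue ``url`` for scanning and return the pretty-printed response."""
        self.api_subu.data = {**self.get_apikey(), "url": url}
        data, _ = request(self.api_subu)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def search(self, srch: str):
        """Run a file search query (private API) and return it pretty-printed."""
        self.api_srch.param = {**self.get_apikey(), "query": srch}
        data, _ = request(self.api_srch)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def quota(self):
        pass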
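class HaveIbeenpwned(Service):
    """Have I Been Pwned breach lookups by domain or account.

    No API key is sent (``api_keyl = 0``); the v2 endpoints used here are
    unauthenticated. Confirm they are still served before relying on this.
    """
    name = "Have I been pwned?"
    sname = "pwn"
    api_keyl = 0
    desc = f"{name} is a repository of database dumps created by Troy Hunt"
    subs = "public"
    url = "https://haveibeenpwned.com/"
    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec("GET", "https://haveibeenpwned.com", "/api/v2/breaches")
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec("GET", "https://haveibeenpwned.com", "/api/v2/%s/%s")
    api_quot = APISpec()
    # https://haveibeenpwned.com/API/v2
    # ?truncateResponse=true

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the breaches recorded for ``dom``, or a not-found message."""
        self.api_repd.param = {"domain": dom}
        data, _ = request(self.api_repd)
        data = frmt.jsontree(data)
        if data == []:
            return f"domain \"{dom}\" not found"
        return out.pformat(data)

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    def search(self, srch: str):
        """Look up the breaches for the account ``srch``.

        Returns ``account "<srch>" not found`` on HTTP 404; any other
        HTTPError propagates unchanged.
        """
        from urllib.parse import quote
        from requests.exceptions import HTTPError
        # The account becomes a path segment; percent-encode it so that a
        # value containing "/" or "?" cannot rewrite the request path.
        self.api_srch.fulluri = self.api_srch.fullurl % \
            ("breachedaccount", quote(srch, safe=""))
        try:
            data, _ = request(self.api_srch)
        except HTTPError as e:
            if e.response is not None and e.response.status_code == 404:
                return f"account \"{srch}\" not found"
            # Re-raise the original; HTTPError(e) would lose ``.response``.
            raise
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def quota(self):
        pass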
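class Deepviz(Service):
    """Deepviz sandbox/intel client (private API, key sent in the POST body).

    Fixes three copy-paste mix-ups from the original: ``report_ip`` and
    ``search`` posted to the domain endpoint, and ``submit_file`` sent its
    request to the report endpoint.
    """
    name = "deepviz"
    sname = "dv"
    api_keyl = 64
    desc = f"{name}"
    subs = "private"
    url = ""
    api_dowf = APISpec("POST", "https://api.deepviz.com", "/sandbox/sample")
    api_repf = APISpec("POST", "https://api.deepviz.com", "/general/report")
    api_subf = APISpec("POST", "https://api.deepviz.com", "/sandbox/submit")
    api_repa = APISpec()
    api_repd = APISpec("POST", "https://api.deepviz.com", "/intel/network/domain")
    api_repi = APISpec("POST", "https://api.deepviz.com", "/intel/network/ip")
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec("POST", "https://api.deepviz.com", "/intel/search")
    api_quot = APISpec()
    # https://api.deepviz.com/
    # https://www.deepviz.com/apidocs
    # https://github.com/saferbytes/python-deepviz

    def download_file(self, hash: Hash):
        """Download the sample ``hash`` and write it to disk.

        Returns ``downloaded "<filename>"`` or ``"unsuccess"`` when the
        response carried no filename.
        """
        self.api_dowf.data = {hash.alg: hash.hash, **self.get_apikey()}
        data, filename = request(self.api_dowf, bin=True)
        if not filename:
            return "unsuccess"
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed report for ``hash`` (raw response body)."""
        self.api_repf.data = {hash.alg: hash.hash, **self.get_apikey()}
        data, _ = request(self.api_repf)
        return out.pformat(data)

    @Service.unsupported
    def submit_file(self, file: File):
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": file.fd()}
        # Must hit the submit spec, not the report spec.
        data, _ = request(self.api_subf)
        return out.pformat(data)

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the pretty-printed network intel for the domain ``dom``."""
        self.api_repd.data = {"domain": dom, **self.get_apikey()}
        data, _ = request(self.api_repd)
        return out.pformat(data)

    def report_ip(self, ip: str):
        """Return the pretty-printed network intel for the address ``ip``."""
        # Uses the IP spec; the original posted to the domain endpoint.
        self.api_repi.data = {"ip": ip, **self.get_apikey()}
        data, _ = request(self.api_repi)
        return out.pformat(data)

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    def search(self, srch: str):
        """Run an intel search for ``srch`` and return it pretty-printed."""
        # Uses the search spec; the original posted to the domain endpoint.
        self.api_srch.data = {"string": srch, **self.get_apikey()}
        data, _ = request(self.api_srch)
        return out.pformat(data)

    @Service.unsupported
    def quota(self):
        pass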
class Malwr(Service):
    """Placeholder for malwr.com: endpoints are declared, but every operation
    is marked unsupported while the service is offline for maintenance.

    Only ``api_repf`` (analysis status) and ``api_subf`` (analysis add) are
    filled in; nothing sends the key yet.
    """
    name = "malwr"
    sname = "mw"
    api_keyl = 32
    api_dowf = APISpec()
    api_repf = APISpec("POST", "https://malwr.com", "/api/analysis/status")
    api_subf = APISpec("POST", "https://malwr.com", "/api/analysis/add")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://malwr.com/
    # waiting to come back from maintenance

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        # Candidate alternative while malwr.com is down:
        # https://www.malwareviz.com/
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass
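class HybridAnalysis(Service):
    """Hybrid Analysis (Payload Security) report, search and quota lookups.

    The key dict from ``get_apikey()`` is sent as query parameters on the
    GET endpoints, so it is part of the request URL and can surface in
    proxy/server access logs. Responses are returned as received, without
    the JSON formatting the other services apply.
    """
    name = "Hybrid Analysis"
    sname = "ha"
    api_keyl = 25
    desc = f"{name} features in-depth static and dynamic analysis techniques\n" \
        f"within sanboxed environments and is a malware repository created by\n" \
        f"Payload Security"
    subs = "public/private"
    url = "https://www.hybrid-analysis.com/"
    api_dowf = APISpec()
    api_repf = APISpec("GET", "https://www.hybrid-analysis.com", "/api/scan/%s")
    api_subf = APISpec("POST", "https://www.hybrid-analysis.com", "/api/submit")
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec("GET", "https://www.hybrid-analysis.com", "/api/search")
    api_quot = APISpec("GET", "https://www.hybrid-analysis.com", "/api/quota")
    # https://www.hybrid-analysis.com/apikeys/info

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Return the raw scan report for ``hash``."""
        self.api_repf.fulluri = self.api_repf.fullurl % hash.hash
        self.api_repf.param = self.get_apikey()
        data, _ = request(self.api_repf)
        return data

    @Service.unsupported
    def submit_file(self, file: File):
        # Still unsupported, but shaped like the other submit_file methods:
        # the key rides in the form data and the sample goes in the multipart
        # file field rather than being stuffed into the form data.
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": file.fd()}
        data, _ = request(self.api_subf)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    def search(self, srch: str):
        """Return the raw result of the search query ``srch``."""
        self.api_srch.param = {"query": srch, **self.get_apikey()}
        data, _ = request(self.api_srch)
        return data

    def quota(self):
        """Return the raw quota information for this key."""
        self.api_quot.param = self.get_apikey()
        data, _ = request(self.api_quot)
        return data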
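class Maltracker(Service):
    """Maltracker (AnubisNetworks) sandbox submissions and C2 lookups.

    Every endpoint is plain ``http://`` on port 4700 and the key dict from
    ``get_apikey()`` is sent as query parameters (or form data for the POST
    submissions). The key, the submitted samples/URLs and the queried
    indicators therefore travel unencrypted. Whether the API is reachable
    over TLS is not established here.
    """
    name = "maltracker"
    sname = "mt"
    api_keyl = 64
    desc = f"{name} is a proprietary sanboxed environment created by\n" \
        f"AnubisNetworks for dynamic analysis incorporating threat\n" \
        f"intelligence"
    subs = "public"
    url = "https://maltracker.net/"
    api_dowf = APISpec("GET", "http://api.maltracker.net:4700", "/sample/get/")
    # Other sample endpoints upstream: /report/min/get/ and /sample/info/
    api_repf = APISpec("GET", "http://api.maltracker.net:4700", "/report/get/")
    api_subf = APISpec("POST", "http://api.maltracker.net:4700", "/task/submit/file/")
    api_repa = APISpec()
    api_repd = APISpec("GET", "http://api.maltracker.net:4700", "/c2/domain/")
    api_repi = APISpec("GET", "http://api.maltracker.net:4700", "/c2/ip/")
    api_repu = APISpec("GET", "http://api.maltracker.net:4700", "/report/get/")
    api_subu = APISpec("POST", "http://api.maltracker.net:4700", "/task/submit/url/")
    api_srch = APISpec()
    api_quot = APISpec()
    # https://maltracker.net/static/docs/usage/api.html

    def download_file(self, hash: Hash):
        """Download the sample ``hash`` and write it to disk.

        Returns ``sample not found: <error>`` when the service answers with
        an HTTP error, otherwise ``downloaded "<filename>"`` (the hash is
        used as filename when the response carries none). Network and disk
        errors propagate instead of being reported as "not found".
        """
        from requests.exceptions import HTTPError
        self.api_dowf.fulluri = self.api_dowf.fullurl + hash.hash
        self.api_dowf.param = self.get_apikey()
        try:
            data, filename = request(self.api_dowf, bin=True)
        except HTTPError as e:
            # Only an HTTP-level failure from the API is treated as "absent";
            # the previous bare ``except Exception`` also swallowed write and
            # connection errors under the same message.
            return f"sample not found: {e}"
        if not filename:
            filename = hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the pretty-printed analysis report for ``hash``."""
        self.api_repf.fulluri = self.api_repf.fullurl + hash.hash
        self.api_repf.param = self.get_apikey()
        data, _ = request(self.api_repf)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def submit_file(self, file: File):
        """Submit ``file`` for analysis and return the pretty-printed response."""
        self.api_subf.data = self.get_apikey()
        self.api_subf.file = {"file": (file.name, file.fd())}
        data, _ = request(self.api_subf)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the pretty-printed C2 intel for the domain ``dom``."""
        self.api_repd.fulluri = self.api_repd.fullurl + dom
        self.api_repd.param = self.get_apikey()
        data, _ = request(self.api_repd)
        data = frmt.jsontree(data)
        return out.pformat(data)

    def report_ip(self, ip: str):
        """Return the pretty-printed C2 intel for the address ``ip``."""
        self.api_repi.fulluri = self.api_repi.fullurl + ip
        self.api_repi.param = self.get_apikey()
        data, _ = request(self.api_repi)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def report_url(self, url: str):
        # URL reports are keyed by hash value upstream; use report_file with
        # the hash, or compute the URL's hash here before requesting.
        pass

    def submit_url(self, url: str):
        """Submit ``url`` for analysis and return the pretty-printed response."""
        self.api_subu.data = {"url": url, **self.get_apikey()}
        data, _ = request(self.api_subu)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass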
class JoeSandbox(Service):
    """Joe Sandbox Cloud v2 client: submissions, analysis download, search, quota.

    All calls are POSTs over HTTPS with the key dict from ``get_apikey()``
    merged into the form data. Submissions carry an ``accept-tac`` flag
    derived from ``self._accept_tac`` (set elsewhere on the instance).
    """
    name = "Joe Sandbox"
    sname = "js"
    api_keyl = 64
    desc = f"{name} is an advanced sandbox for analyzing executables, files and URLs."
    subs = "private"
    url = "https://www.joesecurity.org/"
    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec("POST", "https://jbxcloud.joesecurity.org", "/api/v2/submission/new")
    api_repa = APISpec("POST", "https://jbxcloud.joesecurity.org", "/api/v2/analysis/download")
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec("POST", "https://jbxcloud.joesecurity.org", "/api/v2/submission/new")
    api_srch = APISpec("POST", "https://jbxcloud.joesecurity.org", "/api/v2/analysis/search")
    api_quot = APISpec("POST", "https://jbxcloud.joesecurity.org", "/api/v2/account/info")

    def _tac_flag(self) -> str:
        """Return the terms-and-conditions form value ("1" accepted, else "0")."""
        return "1" if self._accept_tac else "0"

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    def report_file(self, hash: Hash):
        """Return the pretty-printed ``irjsonfixed`` analysis for ``hash``.

        Searches for the hash first and uses the last matching analysis;
        returns ``None`` when nothing matches.
        """
        matches = self.search(hash.hash)
        if not matches:
            return None
        chosen = matches[-1]
        self.api_repa.data = {
            "webid": chosen["webid"],
            "type": "irjsonfixed",
            **self.get_apikey()
        }
        report, _ = request(self.api_repa, json=True)
        return out.pformat(report["analysis"])

    def submit_file(self, file: File):
        """Submit ``file`` as a new analysis and return the response ``data``."""
        self.api_subf.data = {"accept-tac": self._tac_flag(), **self.get_apikey()}
        self.api_subf.file = {"sample": file.fd()}
        resp, _ = request(self.api_subf, json=True)
        return resp["data"]

    def submit_url(self, url: str):
        """Submit ``url`` as a new analysis and return the response ``data``."""
        self.api_subu.data = {
            "url": url,
            "accept-tac": self._tac_flag(),
            **self.get_apikey()
        }
        resp, _ = request(self.api_subu, json=True)
        return resp["data"]

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    def search(self, srch: str):
        """Return the list of analyses matching the query ``srch``."""
        self.api_srch.data = {"q": srch, **self.get_apikey()}
        resp, _ = request(self.api_srch, json=True)
        return resp["data"]

    def quota(self):
        """Return the ``quota`` section of the account information."""
        self.api_quot.data = self.get_apikey()
        resp, _ = request(self.api_quot, json=True)
        return resp["data"]["quota"]
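class OpenPhish(Service):
    """OpenPhish community feed download.

    Only ``download_file`` does anything: it fetches the public feed without
    any key and writes it to a fixed filename, ignoring the ``hash`` argument.

    NOTE(review): this file defines ``OpenPhish`` a second time further down
    (different ``api_keyl``, no ``desc``/``subs``/``url``); the later
    definition shadows this one at import time. One of them should go.
    """
    name = "OpenPhish"
    sname = "op"
    api_keyl = 0
    desc = f"{name} is a proprietary phishing threat intelligence source that\n" \
        f"uses artificial intelligence for automated classification"
    subs = "public/private"
    url = "https://openphish.com/"
    # Private feed endpoint: "/prvt-intell/" (not wired in).
    api_dowf = APISpec("GET", "https://openphish.com", "/feed.txt")
    api_repf = APISpec()
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://openphish.com/

    def download_file(self, hash: Hash):
        """Fetch the community feed and save it as ``openphish-community.txt``.

        ``hash`` is accepted for interface symmetry only and is not used.
        """
        data, _ = request(self.api_dowf)
        rw.writef("openphish-community.txt", data)
        return "downloaded \"openphish-community.txt\""

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    # Was a bare ``pass`` without the decorator, so callers got a silent
    # ``None`` instead of the unsupported marker every other stub returns.
    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass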
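class MalShare(Service):
    """MalShare sample download, details lookup and upload.

    The API key is always part of the request URL: as an ``api_key`` query
    parameter built by ``request`` from ``param`` (download/report), or
    interpolated into the URL template (``api_subf``, ``api_srch``). Treat
    proxy/server access logs as key-bearing. ``cert=True`` on the specs
    presumably selects the bundled certificate (see the commented-out
    ``malshare-bundle.pem`` variant) -- confirm in APISpec.
    """
    name = "MalShare"
    sname = "ms"
    api_keyl = 64
    desc = f"{name} is a community-driven malware repository"
    subs = "public"
    url = "http://malshare.com/"
    # api_dowf = APISpec("GET", "https://malshare.com", "/api.php", "malshare-bundle.pem")
    api_dowf = APISpec("GET", "https://malshare.com", "/api.php", cert=True)
    api_repf = APISpec("GET", "https://malshare.com", "/api.php", cert=True)
    api_subf = APISpec("POST", "https://malshare.com", "/api.php?action=upload&api_key=%s", cert=True)
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec("GET", "https://malshare.com", "/api.php?api_key=%s&action=details&hash=%s", cert=True)
    api_quot = APISpec()
    # https://malshare.com/doc.php

    def download_file(self, hash: Hash):
        """Download the sample ``hash`` and write it to disk.

        Returns ``sample "<hash>" not found`` when the body starts with the
        service's not-found marker, otherwise ``downloaded "<filename>"``
        (the hash is used as filename when the response carries none).
        """
        self.api_dowf.param = {**self.get_apikey(), "action": "getfile", "hash": hash.hash}
        data, filename = request(self.api_dowf, bin=True)
        # MalShare answers 200 with a text body for unknown hashes.
        if data.startswith(b"Sample not found by hash"):
            return f"sample \"{hash}\" not found"
        if not filename:
            filename = hash.hash
        rw.writef(filename, data)
        return f"downloaded \"{filename}\""

    def report_file(self, hash: Hash):
        """Return the JSON details for ``hash`` as a dumped string."""
        self.api_repf.param = {**self.get_apikey(), "action": "details", "hash": hash.hash}
        data, _ = request(self.api_repf)
        return frmt.jsondump(data)

    def submit_file(self, file: File):
        """Upload ``file`` and return the raw response body."""
        self.api_subf.fulluri = self.api_subf.fullurl % (self.get_apikey(key=True))
        self.api_subf.file = {
            "upload": file.fd()
        }
        data, _ = request(self.api_subf)
        return data

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    def search(self, srch: str):
        """Return the JSON details for the hash string ``srch`` as a dumped string.

        Same endpoint and action as ``report_file``, but takes a plain string.
        """
        from urllib.parse import quote
        # ``srch`` is spliced into the query string by template; encode it so
        # a value containing "&" or "#" cannot add or truncate parameters.
        self.api_srch.fulluri = self.api_srch.fullurl % \
            (self.get_apikey(key=True), quote(srch, safe=""))
        data, _ = request(self.api_srch)
        return frmt.jsondump(data)

    @Service.unsupported
    def quota(self):
        pass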
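class PhishTank(Service):
    """PhishTank feed download and URL checks.

    Both live endpoints are plain ``http://``: the feed URL embeds the API
    key in its path and ``report_url`` posts the key dict in the form body,
    so the key and every checked URL are visible on the wire. Whether the
    service also answers over TLS is not established here.
    """
    name = "PhishTank"
    sname = "pt"
    api_keyl = 64
    desc = f"{name} is a community-based phishing database"
    subs = "public"
    url = "https://www.phishtank.com/"
    api_dowf = APISpec("GET", "http://data.phishtank.com", "/data/%s/online-valid.json.gz")
    api_repf = APISpec()
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec("POST", "http://checkurl.phishtank.com", "/checkurl/")
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # http://www.phishtank.com/developer_info.php

    def download_file(self, hash: Hash):
        """Fetch the verified-online feed and save it with a ``phishtank-`` prefix.

        ``hash`` is accepted for interface symmetry only. Returns
        ``downloaded "phishtank-<filename>"`` or ``"unsuccess"`` when the
        response carried no filename.
        """
        self.api_dowf.fulluri = self.api_dowf.fullurl % self.get_apikey(key=True)
        data, filename = request(self.api_dowf, bin=True)
        if not filename:
            return "unsuccess"
        outname = "phishtank-" + filename
        rw.writef(outname, data)
        # Report the real filename rather than a fixed placeholder.
        return f"downloaded \"{outname}\""

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    def report_url(self, url: str):
        """Check ``url`` against PhishTank and return the pretty-printed JSON."""
        self.api_repu.data = {
            "url": quoteurl(url),
            "format": "json",
            **self.get_apikey()
        }
        data, _ = request(self.api_repu)
        data = frmt.jsontree(data)
        return out.pformat(data)

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass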
class ThreatCrowd(Service):
    """ThreatCrowd (AlienVault) domain, IP and antivirus-name lookups.

    No key is sent despite ``api_keyl = 32``. All endpoints are plain
    ``http://``, so the indicators being investigated are visible on the
    wire; whether the API is also served over TLS is not established here.
    """
    name = "Threat Crowd"
    sname = "tc"
    api_keyl = 32
    api_dowf = APISpec()
    api_repf = APISpec()
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec("GET", "http://www.threatcrowd.org", "/searchApi/v2/domain/report/")
    api_repi = APISpec("GET", "http://www.threatcrowd.org", "/searchApi/v2/ip/report/")
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec("GET", "http://www.threatcrowd.org", "/searchApi/v2/antivirus/report/")
    api_quot = APISpec()
    # https://www.threatcrowd.org/
    # https://github.com/AlienVault-OTX/ApiV2

    def _lookup(self, spec, query: dict):
        """GET ``spec`` with ``query`` as parameters; return the pretty-printed JSON."""
        spec.param = query
        body, _ = request(spec)
        return out.pformat(frmt.jsontree(body))

    @Service.unsupported
    def download_file(self, hash: Hash):
        pass

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    def report_dom(self, dom: str):
        """Return the pretty-printed domain report for ``dom``."""
        return self._lookup(self.api_repd, {"domain": dom})

    def report_ip(self, ip: str):
        """Return the pretty-printed IP report for ``ip``."""
        return self._lookup(self.api_repi, {"ip": ip})

    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    def search(self, srch: str):
        """Return the pretty-printed report for the antivirus detection name ``srch``."""
        return self._lookup(self.api_srch, {"antivirus": srch})

    @Service.unsupported
    def quota(self):
        pass
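class OpenPhish(Service):
    """OpenPhish community feed download (second definition).

    NOTE(review): ``OpenPhish`` is already defined earlier in this file with
    ``api_keyl = 0`` and ``desc``/``subs``/``url`` attributes; this later
    definition (``api_keyl = 15``, none of those attributes) shadows it at
    import time. One of the two should be removed.

    Only ``download_file`` does anything: it fetches the public feed without
    any key and writes it to a fixed filename, ignoring the ``hash`` argument.
    """
    name = "OpenPhish"
    sname = "op"
    api_keyl = 15
    # Private feed endpoint: "/prvt-intell/" (not wired in).
    api_dowf = APISpec("GET", "https://openphish.com", "/feed.txt")
    api_repf = APISpec()
    api_subf = APISpec()
    api_repa = APISpec()
    api_repd = APISpec()
    api_repi = APISpec()
    api_repu = APISpec()
    api_subu = APISpec()
    api_srch = APISpec()
    api_quot = APISpec()
    # https://openphish.com/

    def download_file(self, hash: Hash):
        """Fetch the community feed and save it as ``openphish-community.txt``.

        ``hash`` is accepted for interface symmetry only and is not used.
        """
        data, _ = request(self.api_dowf)
        rw.writef("openphish-community.txt", data)
        return "downloaded \"openphish-community.txt\""

    @Service.unsupported
    def report_file(self, hash: Hash):
        pass

    @Service.unsupported
    def submit_file(self, file: File):
        pass

    @Service.unsupported
    def report_app(self, hash: Hash):
        pass

    @Service.unsupported
    def report_dom(self, dom: str):
        pass

    @Service.unsupported
    def report_ip(self, ip: str):
        pass

    # Was a bare ``pass`` without the decorator, so callers got a silent
    # ``None`` instead of the unsupported marker every other stub returns.
    @Service.unsupported
    def report_url(self, url: str):
        pass

    @Service.unsupported
    def submit_url(self, url: str):
        pass

    @Service.unsupported
    def search(self, srch: str):
        pass

    @Service.unsupported
    def quota(self):
        pass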