Fix on JSB analyzer

TheHive-Project · Aug 26, 2021 · 9933d90 · 9933d90
1 parent 86e5815
commit 9933d90
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 51 deletions.
diff --git a/analyzers/JoeSandbox/JoeSandbox_File_Analysis_Inet.json b/analyzers/JoeSandbox/JoeSandbox_File_Analysis_Inet.json
@@ -1,6 +1,6 @@
 {
   "name": "JoeSandbox_File_Analysis_Inet",
-  "version": "2.0",
+  "version": "3.0",
   "author": "CERT-BDF",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
@@ -41,6 +41,30 @@
       "multi": false,
       "required": true,
       "defaultValue": 30
-    }
+    },
+    {
+      "name": "HTML_report",
+      "description": "Download HTML report",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": false 
+    },
+	{
+      "name": "images",
+      "description": "Allow images in the report",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": false 
+    },
+	{
+	  "name": "observables",
+      "description": "Creat observables form report",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": false 
+	}
   ]
 }
diff --git a/analyzers/JoeSandbox/JoeSandbox_File_Analysis_Noinet.json b/analyzers/JoeSandbox/JoeSandbox_File_Analysis_Noinet.json
@@ -1,6 +1,6 @@
 {
   "name": "JoeSandbox_File_Analysis_Noinet",
-  "version": "2.0",
+  "version": "3.0",
   "author": "CERT-BDF",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
@@ -41,6 +41,30 @@
       "multi": false,
       "required": true,
       "defaultValue": 30
-    }
+    },
+    {
+      "name": "HTML_report",
+      "description": "Download HTML report",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": false 
+    },
+	{
+      "name": "images",
+      "description": "Allow images in the report",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": false 
+    },
+	{
+	  "name": "observables",
+      "description": "Creat observables form report",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": false 
+	}
   ]
 }
diff --git a/analyzers/JoeSandbox/joesandbox_analyzer.py b/analyzers/JoeSandbox/joesandbox_analyzer.py
@@ -43,6 +43,9 @@ def __init__(self):
         )
         self.analysistimeout = self.get_param("config.analysistimeout", 30 * 60, None)
         self.networktimeout = self.get_param("config.networktimeout", 30, None)
+        self.images = self.get_param("config.images", False, None)
+        self.HTML_report = self.get_param("config.HTML_report", False, None)
+        self.observables = self.get_param("config.observables", False, None)
         self.joe = JoeSandbox(apikey, self.url, verify_ssl=False, accept_tac=True)
 
     def summary(self, raw):
@@ -68,32 +71,46 @@ def summary(self, raw):
         return {"taxonomies": taxonomies}
 
     def artifacts(self, raw):
-        # this function get the html report as an observable in TH
         artifacts= []
-        myfile = [self.webid]
+
+        if self.observables:
+            #IP
+            if self.analysis['contacted']['ips']:
+                for i in self.analysis['contacted']['ips']['ip']:
+                    if(i['$']!='unknown'):
+                        #print('ip ',str(i['$']))
+                        artifacts.append(self.build_artifact('ip',str(i['$'])))       
+
+            #URL
+            if self.analysis['contacted']['domains']:
+                for i in self.analysis['contacted']['domains']['domain']:
+                    if(i['ip']!="unknown"):
+                        #print('ip ',str(i['ip']))
+                        artifacts.append(self.build_artifact('ip',str(i['ip'])))
+                    #print('url',str(i['name']))
+                    artifacts.append(self.build_artifact('url',str(i['name'])))
 
-        if self.service != "full_report_analysis_inet" and self.service != "full_report_analysis_noinet" : 
-            return 
-        if not myfile:
-            return
+        #HTML report
+        if self.HTML_report:
+            if self.webid:
+                webid = self.webid
+                response = self.joe.analysis_download(webid, "html", run=0)
+                with open('/tmp/'+str(response[0]), 'wb') as the_file:
+                    the_file.write(response[1])
+                artifacts.append(self.build_artifact('file',"/tmp/"+str(response[0])))
+                os.remove('/tmp/'+str(response[0]))
 
-        for webid in myfile:
-            response = self.joe.analysis_download(webid, "html", run=0)
-            with open('/tmp/'+str(response[0]), 'wb') as the_file:
-                the_file.write(response[1])
-            artifacts.append(self.build_artifact('file',"/tmp/"+str(response[0])))
-            os.remove('/tmp/'+str(response[0]))
         return artifacts
 
     def run(self):
         Analyzer.run(self)
 
         # file analysis with internet access
-        if self.service == "file_analysis_inet" or "full_report_analysis_inet":
+        if self.service == "file_analysis_inet":
             filename = self.get_param("filename", "")
             filepath = self.get_param("file", "")
             response = self.joe.submit_sample((filename, open(filepath, "rb")))
-        elif self.service == "file_analysis_noinet" or "full_report_analysis_noinet":
+        elif self.service == "file_analysis_noinet":
             filename = self.get_param("filename", "")
             filepath = self.get_param("file", "")
             response = self.joe.submit_sample(
@@ -123,45 +140,47 @@ def run(self):
             self.error("JoeSandbox analysis timed out")
         # Download the report
         response = self.joe.analysis_download(self.webid, "irjsonfixed", run=0)    
-        analysis = json.loads(response[1].decode("utf-8")).get("analysis", None)
-
-        # Download images
-        zip_images = self.joe.analysis_download(self.webid, "shoots", run=0)
-        zip_location = "/tmp/"+str(zip_images[0])
-        zip_folder = "/tmp/images/"+str(zip_images[0])
-        # write ziped images in /tmp
-        with open(zip_location, 'wb') as file:
-            file.write(zip_images[1])
-        if not os.path.exists("/tmp/images/"):
-            os.mkdir(path="/tmp/images/", mode = 0o744)
-        if not os.path.exists(zip_folder):
-            os.mkdir(path=zip_folder, mode = 0o744)
-        # unzip images
-        with zipfile.ZipFile(zip_location) as z:
-            z.extractall(path=zip_folder)
-        # remove ziped images (not needed anymore)
-        os.remove(zip_location) 
-        # put image in json
-        images=[]
-        for f in get_files(zip_folder):
-            with open(str(f), mode='rb') as file:
+        self.analysis = json.loads(response[1].decode("utf-8")).get("analysis", None)
+
+        if self.images: 
+            # Download images
+            zip_images = self.joe.analysis_download(self.webid, "shoots", run=0)
+            zip_location = "/tmp/"+str(zip_images[0])
+            zip_folder = "/tmp/images/"+str(zip_images[0])
+            # write ziped images in /tmp
+            with open(zip_location, 'wb') as file:
+                file.write(zip_images[1])
+            if not os.path.exists("/tmp/images/"):
+                os.mkdir(path="/tmp/images/", mode = 0o744)
+            if not os.path.exists(zip_folder):
+                os.mkdir(path=zip_folder, mode = 0o744)
+            # unzip images
+            with zipfile.ZipFile(zip_location) as z:
+                z.extractall(path=zip_folder)
+            # remove ziped images (not needed anymore)
+            os.remove(zip_location) 
+            # put image in json
+            images=[]
+            for f in get_files(zip_folder):
+                with open(str(f), mode='rb') as file:
                     images.append( base64.encodebytes(file.read()).decode('utf-8') )
-            os.remove(f) 
-        analysis["images"] = images
-        # remove not needed files
-        os.rmdir(zip_folder) 
-
-        if analysis:
-            analysis["htmlreport"] = (
-                self.url + "analysis/" + str(analysis["id"]) + "/0/html"
+                os.remove(f) 
+            self.analysis["images"] = images
+            # remove not needed files
+            os.rmdir(zip_folder) 
+
+        if self.analysis:
+            self.analysis["htmlreport"] = (
+                self.url + "analysis/" + str(self.analysis["id"]) + "/0/html"
             )
-            analysis["pdfreport"] = (
-                self.url + "analysis/" + str(analysis["id"]) + "/0/pdf"
+            self.analysis["pdfreport"] = (
+                self.url + "analysis/" + str(self.analysis["id"]) + "/0/pdf"
             )
-            self.report(analysis)
+            self.report(self.analysis)
         else:
             self.error("Invalid output")
 
 
 if __name__ == "__main__":
     JoeSandboxAnalyzer().run()
+