From 798966a845953f7339b2637e6d8f5b4c5a8b0694 Mon Sep 17 00:00:00 2001
From: user
Date: Wed, 4 Apr 2018 22:27:59 +0200
Subject: [PATCH 1/6] cybercrime-tracker analyzer. TODO: tests, report templates.
---
.../CyberCrimeTracker/CyberCrimeTracker.json | 16 +++++
analyzers/CyberCrimeTracker/cct.py | 64 +++++++++++++++++++
analyzers/CyberCrimeTracker/requirements.txt | 2 +
3 files changed, 82 insertions(+)
create mode 100644 analyzers/CyberCrimeTracker/CyberCrimeTracker.json
create mode 100755 analyzers/CyberCrimeTracker/cct.py
create mode 100644 analyzers/CyberCrimeTracker/requirements.txt
diff --git a/analyzers/CyberCrimeTracker/CyberCrimeTracker.json b/analyzers/CyberCrimeTracker/CyberCrimeTracker.json
new file mode 100644
index 000000000..116c1796c
--- /dev/null
+++ b/analyzers/CyberCrimeTracker/CyberCrimeTracker.json
@@ -0,0 +1,16 @@
+{
+ "name": "CyberCrime-Tracker",
+ "author": "ph34tur3",
+ "license": "AGPL-V3",
+ "url": "https://github.com/ph34tur3/Cortex-Analyzers",
+ "version": "1.0",
+ "description": "Search cybercrime-tracker.net for c2 servers.",
+ "dataTypeList": ["domain", "fqdn", "ip", "url", "other"],
+ "command": "CyberCrimeTracker/cct.py",
+ "baseConfig": "CyberCrimeTracker",
+ "config": {
+ "check_tlp": true,
+ "max_tlp": 2
+ },
+ "configurationItems": []
+}
diff --git a/analyzers/CyberCrimeTracker/cct.py b/analyzers/CyberCrimeTracker/cct.py
new file mode 100755
index 000000000..86dc9aee8
--- /dev/null
+++ b/analyzers/CyberCrimeTracker/cct.py
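Review bot: The `description` does not say that the observable itself is sent to cybercrime-tracker.net as a search query, and `dataTypeList` admits the free-form `other` type, so an analyst choosing this analyzer cannot tell from the listing that AMBER-level data (permitted by `max_tlp: 2`) leaves the organisation; suggested text: `"description": "Search cybercrime-tracker.net for C2 servers; the observable is sent to the external site as a query."`. Whether TLP:AMBER is the right ceiling for an external lookup is for the maintainers to confirm — nothing in these files records that decision.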
@@ -0,0 +1,64 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +from cortexutils.analyzer import Analyzer +from cybercrimetracker.cybercrimeTrackerAPI import cybercrimeTrackerAPI + + +class CyberCrimeTrackerAnalyzer(Analyzer): + """ + This analyzer searches + http://cybercrime-tracker.net + for possible c2 servers. + """ + + def __init__(self): + Analyzer.__init__(self) + + def summary(self, raw): + level = 'info' + namespace = 'CCT' + predicate = 'C2 Search' + + hit_count = len(raw.get('results', [])) + value = "\"{} hits\"".format(hit_count) + if hit_count == 1: + value = value[:-2] + "\"" + + value = "\"{} hit{}\"".format(hit_count, "" if hit_count == 1 else "s") + + if count > 0: + level = 'malicious' + + taxonomies = [] + taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) + return { + "taxonomies": taxonomies + } + + def run(self): + observable = self.get_data() + limit = 40 + offset = 0 + + results = [] + + try: + while True: + new_results = cybercrimeTrackerAPI.search(query=observable, offset=offset, limit=limit) + results.extend(new_results) + + current_hit_count = len(new_results) + no_more_results = current_hit_count < limit + if no_more_results: + break + offset += limit + + self.report({ + 'results': results + }) + except Exception: + self.error('An error occured while scraping cybercrime-tracker.') + + +if __name__ == '__main__': + CyberCrimeTrackerAnalyzer().run() diff --git a/analyzers/CyberCrimeTracker/requirements.txt b/analyzers/CyberCrimeTracker/requirements.txt new file mode 100644 index 000000000..ba9686224 --- /dev/null +++ b/analyzers/CyberCrimeTracker/requirements.txt @@ -0,0 +1,2 @@ +cortexutils +cybercrimetracker From a1ad216e742d9ad2ce0095b79992c441a36c3be4 Mon Sep 17 00:00:00 2001 From: user Date: Fri, 6 Apr 2018 08:55:21 +0200 Subject: [PATCH 2/6] typo fixed --- analyzers/CyberCrimeTracker/cct.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
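Review bot: The pagination loop in `run()` has no ceiling: it only stops when a page returns fewer than `limit` rows, so if the scraped site keeps answering full pages (or the parser keeps re-reading the same page) the analyzer never terminates and `results` grows without bound; a fixed maximum page count should bound it. `self.report(...)` also sits inside the `try`, so a failure while writing the report is reported as a scraping error, and `except Exception:` drops the exception, leaving the operator with only the generic (and misspelled, `occured`) message to diagnose a third-party site change. The rewrite below bounds the loop, moves the report into an `else:` clause and includes the exception text in the error message; the `.search` call is left exactly as in the hunk.
```python
    def run(self):
        observable = self.get_data()
        limit = 40
        offset = 0
        max_pages = 25  # placeholder ceiling: a site that never returns a short page cannot loop forever
        results = []

        try:
            for _ in range(max_pages):
                new_results = cybercrimeTrackerAPI.search(query=observable, offset=offset, limit=limit)
                results.extend(new_results)
                if len(new_results) < limit:
                    break
                offset += limit
        except Exception as e:
            self.error('An error occurred while scraping cybercrime-tracker: {}'.format(e))
        else:
            self.report({'results': results})
```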
diff --git a/analyzers/CyberCrimeTracker/cct.py b/analyzers/CyberCrimeTracker/cct.py index 86dc9aee8..9a5680777 100755 --- a/analyzers/CyberCrimeTracker/cct.py +++ b/analyzers/CyberCrimeTracker/cct.py @@ -44,7 +44,7 @@ def run(self): try: while True: - new_results = cybercrimeTrackerAPI.search(query=observable, offset=offset, limit=limit) + new_results = cybercrimeTrackerAPI().search(query=observable, offset=offset, limit=limit) results.extend(new_results) current_hit_count = len(new_results) From 4a0e9110257f55e23cb21b101271ed0722d2a72a Mon Sep 17 00:00:00 2001 From: user Date: Fri, 6 Apr 2018 09:03:01 +0200 Subject: [PATCH 3/6] removed redundant line --- analyzers/CyberCrimeTracker/cct.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/analyzers/CyberCrimeTracker/cct.py b/analyzers/CyberCrimeTracker/cct.py index 9a5680777..e2ff4ab59 100755 --- a/analyzers/CyberCrimeTracker/cct.py +++ b/analyzers/CyberCrimeTracker/cct.py @@ -23,8 +23,6 @@ def summary(self, raw): value = "\"{} hits\"".format(hit_count) if hit_count == 1: value = value[:-2] + "\"" - - value = "\"{} hit{}\"".format(hit_count, "" if hit_count == 1 else "s") if count > 0: level = 'malicious' From 0ee7f415fdf360ebddd02a74d7a4b6208f22fbe1 Mon Sep 17 00:00:00 2001 From: user Date: Fri, 6 Apr 2018 09:04:41 +0200 Subject: [PATCH 4/6] typo fixed --- analyzers/CyberCrimeTracker/cct.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/CyberCrimeTracker/cct.py b/analyzers/CyberCrimeTracker/cct.py index e2ff4ab59..a146b7638 100755 --- a/analyzers/CyberCrimeTracker/cct.py +++ b/analyzers/CyberCrimeTracker/cct.py @@ -24,7 +24,7 @@ def summary(self, raw): if hit_count == 1: value = value[:-2] + "\"" - if count > 0: + if hit_count > 0: level = 'malicious' taxonomies = [] From f5f8a39dc23b151803ddab0b65690ddad3b5d059 Mon Sep 17 00:00:00 2001 
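Review bot: In the new line `cybercrimeTrackerAPI()` is constructed afresh on every pass of the `while True` loop, so a paginated query builds one client per page; instantiate it once before the loop, `api = cybercrimeTrackerAPI()`, and call `api.search(query=observable, offset=offset, limit=limit)` inside it. `run()` begins before this hunk, so the instantiation line would go in the lines not shown.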
From: user
Date: Fri, 6 Apr 2018 12:05:55 +0200
Subject: [PATCH 5/6] first try on report files. needs testing
---
.../CyberCrimeTracker_1_0/long.html | 44 +++++++++++++++++++
.../CyberCrimeTracker_1_0/short.html | 3 ++
2 files changed, 47 insertions(+)
create mode 100644 thehive-templates/CyberCrimeTracker_1_0/long.html
create mode 100644 thehive-templates/CyberCrimeTracker_1_0/short.html
diff --git a/thehive-templates/CyberCrimeTracker_1_0/long.html b/thehive-templates/CyberCrimeTracker_1_0/long.html
new file mode 100644
index 000000000..3ef4f9fcc
--- /dev/null
+++ b/thehive-templates/CyberCrimeTracker_1_0/long.html
@@ -0,0 +1,44 @@
+
+
+
+ CyberCrimeTracker C2 Search Report +
+
+
+
IP:
+
{{r.ip}}
+
URL:
+
{{r.url}}
+
Date:
+
{{r.date}}
+
Type:
+
{{r.type}}
+
VirusTotal (Latest Scan):
+
{{r.vt_latest_scan}}
+
VirusTotal (IP Information):
+
{{r.vt_ip}}
+
+
+
+ +
+
+ CyberCrimeTracker C2 Search Report +
+
+ No matches. +
+
+ + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+
+
CyberCrimeTracker:
+
{{content.errorMessage}}
+
+
+
diff --git a/thehive-templates/CyberCrimeTracker_1_0/short.html b/thehive-templates/CyberCrimeTracker_1_0/short.html new file mode 100644 index 000000000..3baac6a5a --- /dev/null +++ b/thehive-templates/CyberCrimeTracker_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}={{t.value}} + \ No newline at end of file From e4ed97ec00aac978aa6a201cbf37fabeb469736b Mon Sep 17 00:00:00 2001 From: user Date: Fri, 6 Apr 2018 12:56:19 +0200 Subject: [PATCH 6/6] Reporting is ok. --- thehive-templates/CyberCrimeTracker_1_0/long.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/thehive-templates/CyberCrimeTracker_1_0/long.html b/thehive-templates/CyberCrimeTracker_1_0/long.html index 3ef4f9fcc..d84f61645 100644 --- a/thehive-templates/CyberCrimeTracker_1_0/long.html +++ b/thehive-templates/CyberCrimeTracker_1_0/long.html @@ -3,8 +3,8 @@
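Review bot: The values interpolated in long.html (`{{r.ip}}`, `{{r.url}}`, `{{r.vt_latest_scan}}`, `{{r.vt_ip}}`, …) come straight from a scraped third-party site, so they must stay inside plain `{{ }}` interpolation (HTML-escaped by default) and not be bound with `ng-bind-html` or placed in an `href`; the tags have been stripped from this rendering, so the enclosing markup could not be checked. Since `r.url` is by definition a live C2 address, rendering it as inert text (or defanged) rather than a clickable link avoids an analyst navigating to it from the report. The keys `vt_latest_scan` and `vt_ip` are presumably fields returned by the `cybercrimetracker` package, which `cct.py` passes through unchanged — worth confirming against that library, as a renamed field would silently render empty.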
CyberCrimeTracker C2 Search Report
-
-
+
+
IP:
{{r.ip}}
URL:
@@ -15,7 +15,7 @@
{{r.type}}
VirusTotal (Latest Scan):
{{r.vt_latest_scan}}
-
VirusTotal (IP Information):
+
VirusTotal (IP Info):
{{r.vt_ip}}