From 10a8bd4edbfdab5bb39c46cacebb9779b0a80dfe Mon Sep 17 00:00:00 2001
From: Davide Arcuri <dadokkio@gmail.com>
Date: Tue, 24 Mar 2020 17:33:46 +0100
Subject: [PATCH 1/4] malwarebazaar hash search

---
 analyzers/MalwareBazaar/MalwareBazaar.json    | 19 ++++++
 .../MalwareBazaar/MalwareBazaar_analyzer.py   | 62 ++++++++++++++++++
 analyzers/MalwareBazaar/requirements.txt      |  2 +
 thehive-templates/MalwareBazaar_1_0/long.html | 64 +++++++++++++++++++
 .../MalwareBazaar_1_0/short.html              |  3 +
 5 files changed, 150 insertions(+)
 create mode 100644 analyzers/MalwareBazaar/MalwareBazaar.json
 create mode 100755 analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
 create mode 100644 analyzers/MalwareBazaar/requirements.txt
 create mode 100644 thehive-templates/MalwareBazaar_1_0/long.html
 create mode 100644 thehive-templates/MalwareBazaar_1_0/short.html

diff --git a/analyzers/MalwareBazaar/MalwareBazaar.json b/analyzers/MalwareBazaar/MalwareBazaar.json
new file mode 100644
index 000000000..13b4329b3
--- /dev/null
+++ b/analyzers/MalwareBazaar/MalwareBazaar.json
@@ -0,0 +1,19 @@
+{
+  "name": "MalwareBazaar",
+  "author": "Andrea Garavaglia, Davide Arcuri - LDO-CERT",
+  "license": "AGPL-V3",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0",
+  "baseConfig": "MalwareBazaar",
+  "description": "Search hashes on MalwareBazaar.",
+  "dataTypeList": ["domain", "fqdn", "url", "hash", "ip"],
+  "command": "MalwareBazaar/MalwareBazaar_analyzer.py",
+  "configurationItems": [    {
+      "name": "api_key",
+      "description": "MalwareBazaar api key",
+      "multi": false,
+      "required": true,
+      "type": "string"
+    }
+  ]
+}
diff --git a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
new file mode 100755
index 000000000..0744e61eb
--- /dev/null
+++ b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+import requests
+from cortexutils.analyzer import Analyzer
+
+BASEURL = 'https://mb-api.abuse.ch/api/v1/'
+
+class MalwareBazaarnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.api_key = self.get_param("config.api_key", None)
+
+    def run(self):
+        data = self.get_data()
+        if not data:
+            self.error('No observable or file given.')
+
+        results = {}
+        if self.data_type == 'hash':
+            if len(data) in [32, 40, 64]:
+                headers = { 'API-KEY': self.api_key }
+                data = {
+                    'query': 'get_info',
+                    'hash': data,
+                }
+                results = requests.post(BASEURL, data=data, timeout=15, headers=headers)
+
+                if results.status_code == 200:
+                    results = results.json()
+                    if results['query_status'] in ['http_post_expected', 'illegal_hash', 'no_hash_provided']:
+                        self.error('MalwareBazaar returned error: %s' % results['query_status'])
+                    else:
+                        results['data'] = results['data'][0]
+            else:
+                self.error('Only sha256, sha1 and md5 supported by MalwareBazaar.')
+        else:
+            self.error('Datatype not supported.')
+
+        self.report(results)
+
+    def summary(self, raw):
+        taxonomies = []
+        namespace = "MalwareBazaar"
+
+        if raw['query_status'] == 'hash_not_found':
+            taxonomies.append(self.build_taxonomy(
+                'info',
+                namespace,
+                'Search',
+                'No results'
+            ))
+        else:
+            taxonomies.append(self.build_taxonomy(
+                'malicious',
+                namespace,
+                'Signature',
+                raw['data'].get('signature', 'Unknown')
+            ))
+        return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+    MalwareBazaarnalyzer().run()
diff --git a/analyzers/MalwareBazaar/requirements.txt b/analyzers/MalwareBazaar/requirements.txt
new file mode 100644
index 000000000..6aabc3cfa
--- /dev/null
+++ b/analyzers/MalwareBazaar/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/thehive-templates/MalwareBazaar_1_0/long.html b/thehive-templates/MalwareBazaar_1_0/long.html
new file mode 100644
index 000000000..5f04575f0
--- /dev/null
+++ b/thehive-templates/MalwareBazaar_1_0/long.html
@@ -0,0 +1,64 @@
+<div class="panel panel-info" ng-if="success && content.query_status == 'ok'">
+    <div class="panel-heading">
+        MalwareBazaar search results for
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <div>
+            <dl class="dl-horizontal">
+                <dt>Hashes</dt>
+                <dd class="wrap">
+                    md5: {{content.data.md5_hash}}<br />
+                    sha256: {{content.data.sha256_hash}}<br />
+                    sha1: {{content.data.sha1_hash}}<br />
+                    imphash: {{content.data.imphash}}<br />
+                    ssdeep: {{content.data.ssdeep}}
+                </dd>
+                <dt>First seen (UTC)</dt>
+                <dd>{{content.data.first_seen}}</dd>
+                <dt>Last seen (UTC)</dt>
+                <dd>{{content.data.last_seen}}</dd>
+                <dt>Filename</dt>
+                <dd>{{content.data.file_name}}</dd>
+                <dt>Filetype</dt>
+                <dd>{{content.data.file_type}} {{content.data.file_type_mime}}</dd>                
+                <dt>Filetype</dt>
+                <dd>{{content.data.file_type}}</dd>
+                <dt>Signature</dt>
+                <dd><span class="label label-primary">{{content.data.signature}}</span></dd>                
+                <dt>Tags</dt>
+                <dd><span ng-repeat="tag in content.data.tags" class="label label-info">{{tag}}</span></dd>
+            </dl>
+        </div>
+    </div>
+</div>
+
+<!-- No results -->
+<div class="panel panel-danger" ng-if="content.query_status == 'hash_not_found'">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal">
+            <dt>
+                <i class="fa fa-warning"></i> MalwareBazaar:
+            </dt>
+            <dd class="wrap">No results</dd>
+        </dl>
+    </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal" ng-if="content.errorMessage">
+            <dt>
+                <i class="fa fa-warning"></i> MalwareBazaar:
+            </dt>
+            <dd class="wrap">{{content.errorMessage}}</dd>
+        </dl>
+    </div>
+</div>
diff --git a/thehive-templates/MalwareBazaar_1_0/short.html b/thehive-templates/MalwareBazaar_1_0/short.html
new file mode 100644
index 000000000..3d711c221
--- /dev/null
+++ b/thehive-templates/MalwareBazaar_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+  {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>

From 0c3e4fc73c684830284bd0371c99ae03e01e7790 Mon Sep 17 00:00:00 2001
From: Arcuri Davide <dadokkio@gmail.com>
Date: Mon, 30 Mar 2020 19:12:32 +0200
Subject: [PATCH 2/4] Added more info in long template

---
 thehive-templates/MalwareBazaar_1_0/long.html | 65 +++++++++++++++++--
 1 file changed, 58 insertions(+), 7 deletions(-)

diff --git a/thehive-templates/MalwareBazaar_1_0/long.html b/thehive-templates/MalwareBazaar_1_0/long.html
index 5f04575f0..67bef6048 100644
--- a/thehive-templates/MalwareBazaar_1_0/long.html
+++ b/thehive-templates/MalwareBazaar_1_0/long.html
@@ -14,20 +14,71 @@
                     imphash: {{content.data.imphash}}<br />
                     ssdeep: {{content.data.ssdeep}}
                 </dd>
+                <dt>Reporter</dt>
+                <dd>{{content.data.reporter}}</dd>
                 <dt>First seen (UTC)</dt>
                 <dd>{{content.data.first_seen}}</dd>
-                <dt>Last seen (UTC)</dt>
-                <dd>{{content.data.last_seen}}</dd>
+                <dt ng-if="content.data.last_seen">Last seen (UTC)</dt>
+                <dd ng-if="content.data.last_seen">{{content.data.last_seen}}</dd>
                 <dt>Filename</dt>
                 <dd>{{content.data.file_name}}</dd>
                 <dt>Filetype</dt>
-                <dd>{{content.data.file_type}} {{content.data.file_type_mime}}</dd>                
-                <dt>Filetype</dt>
-                <dd>{{content.data.file_type}}</dd>
+                <dd>{{content.data.file_type}} {{content.data.file_type_mime}}</dd>
+                <dt ng-if="content.data.delivery_method">Delivery Method</dt>
+                <dd ng-if="content.data.delivery_method">{{content.data.delivery_method}}</dd>
                 <dt>Signature</dt>
-                <dd><span class="label label-primary">{{content.data.signature}}</span></dd>                
+                <dd><span class="label label-primary">{{content.data.signature}}</span></dd>
                 <dt>Tags</dt>
-                <dd><span ng-repeat="tag in content.data.tags" class="label label-info">{{tag}}</span></dd>
+                <dd><span ng-repeat="tag in content.data.tags" class="label label-info">{{tag}}</span></dd>               
+            </dl>
+        </div>
+    </div>
+</div>
+<div class="panel panel-info" ng-if="success && content.data.intelligence">
+    <div class="panel-heading">Intelligence</div>
+    <div class="panel-body">
+        <div>
+            <dl class="dl-horizontal">
+                <dt ng-if="content.data.intelligence.clamav">Clamav</dt>
+                <dd ng-if="content.data.intelligence.clamav">{{content.data.intelligence.clamav}}</dd>
+
+                <dt ng-if="content.data.intelligence.downloads">Downloads</dt>
+                <dd ng-if="content.data.intelligence.downloads">{{content.data.intelligence.downloads}}</dd>
+
+                <dt ng-if="content.data.intelligence.uploads">Uploads</dt>
+                <dd ng-if="content.data.intelligence.uploads">{{content.data.intelligence.uploads}}</dd>
+
+                <dt ng-if="content.data.intelligence.mail">Mail</dt>
+                <dd ng-if="content.data.intelligence.mail">
+                    <span ng-repeat="(k,v) in content.data.intelligence.mail">
+                        {{k}} > {{v}}<br/>
+                    </span>
+                </dd>
+            </dl>
+        </div>
+    </div>
+</div>
+
+<div class="panel panel-info" ng-if="success && content.data.file_information">
+    <div class="panel-heading">File Information</div>
+    <div class="panel-body">
+        <p ng-repeat="info in content.data.file_information">
+            {{info.context}}: {{info.value}}
+        </p>
+    </div>
+</div>
+
+<div class="panel panel-info" ng-if="success && content.data.comments">
+    <div class="panel-heading">Comments</div>
+    <div class="panel-body">
+        <div>
+            <dl class="dl-horizontal">
+                <dt ng-repeat-start="comment in content.data.comments">{{comment.display_name}} - {{comment.date_added}}</dt>
+                <dd ng-repeat-end>{{comment.comment}}</dd>  
+                <hr/>   
+                <hr/>   
+                <dt ng-if="content.data.comment">Comment</dt>
+                <dd ng-if="content.data.comment">{{content.data.comment}}</dd>                           
             </dl>
         </div>
     </div>

From 6d826e0d5d7bdf24433f1e8a4ff2bddbb1161b6e Mon Sep 17 00:00:00 2001
From: Arcuri Davide <dadokkio@gmail.com>
Date: Tue, 31 Mar 2020 08:31:42 +0200
Subject: [PATCH 3/4] hash_not_found error

---
 analyzers/MalwareBazaar/MalwareBazaar_analyzer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
index 0744e61eb..126e422f8 100755
--- a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
+++ b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
@@ -28,7 +28,7 @@ def run(self):
                     results = results.json()
                     if results['query_status'] in ['http_post_expected', 'illegal_hash', 'no_hash_provided']:
                         self.error('MalwareBazaar returned error: %s' % results['query_status'])
-                    else:
+                    elif results['query_status'] != 'hash_not_found':
                         results['data'] = results['data'][0]
             else:
                 self.error('Only sha256, sha1 and md5 supported by MalwareBazaar.')

From 06cf81ed79f09475d1f3261126133611e608f24e Mon Sep 17 00:00:00 2001
From: Arcuri Davide <dadokkio@gmail.com>
Date: Tue, 14 Apr 2020 15:41:31 +0200
Subject: [PATCH 4/4] fix class name

---
 analyzers/MalwareBazaar/MalwareBazaar_analyzer.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
index 126e422f8..cb6a5f307 100755
--- a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
+++ b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
@@ -4,7 +4,7 @@
 
 BASEURL = 'https://mb-api.abuse.ch/api/v1/'
 
-class MalwareBazaarnalyzer(Analyzer):
+class MalwareBazaarAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
         self.api_key = self.get_param("config.api_key", None)
@@ -59,4 +59,4 @@ def summary(self, raw):
 
 
 if __name__ == '__main__':
-    MalwareBazaarnalyzer().run()
+    MalwareBazaarAnalyzer().run()