TheHive-Project#26 added VxStream Sandbox (Hybrid Analysis) Analyzer

According to data from official site [1], VxStream Sandbox Public API
allows you to analyze:

- hash (OK, it works)
- filename (OK, it works)
- host / ip (some problems on API side for now)
- domain / fqdn (some problems on API side for now)

[1] https://www.hybrid-analysis.com/apikeys/info

analyzers/VxStreamSandbox/VxStreamSandbox_Hash_Report_Publuc_API.json

@@ -0,0 +1,17 @@
+{
+    "name": "VxStreamSandbox_Hash_Report_Publuc_API",
+    "version": "1.0",
+    "author": "Daniil Yugoslavskiy, Tieto",
+    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "dataTypeList": ["hash", "file", "filename"],
+    "description": "VxStream Sandbox (Hybrid-Analysis) report for a Hash",
+    "baseConfig": "VxStreamSandbox_Public_API",
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 1,
+        "api_key": "2vvp0uyg8vcwokwws0ows8cgo",
+        "secret": "cc8c097e86f4d8d2b36278cfee56ebc46515993168babe61"
+    },
+    "command": "VxStreamSandbox/vxstreamsandbox_analyzer.py"
+}

analyzers/VxStreamSandbox/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

analyzers/VxStreamSandbox/vxstreamsandbox_analyzer.py

@@ -0,0 +1,113 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+"""
+According to data from official site [1], VxStream Sandbox Public API allows you to analyze:
+
+- hash
+- filename
+- host / ip (some problems on API side for now)
+- domain / fqdn (some problems on API side for now)
+
+[1] https://www.hybrid-analysis.com/apikeys/info
+"""
+
+import io
+import hashlib
+import requests
+import json
+import time
+
+from requests.auth import HTTPBasicAuth
+from cortexutils.analyzer import Analyzer
+
+
+class VxStreamSandboxAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.basic_url = 'https://www.hybrid-analysis.com/api/'
+        self.headers = {'User-Agent': 'VxStream'}
+
+        self.secret = self.getParam('config.secret', None, 'VxStream Sandbox secret key is missing')
+        self.api_key = self.getParam('config.api_key', None, 'VxStream Sandbox API key is missing')
+
+    def summary(self, raw_report):
+        taxonomies = []
+
+        # default values
+        level = "info"
+        namespace = "VxStreamSB"
+        predicate = "Threat level"
+        value = "\"No verdict\""
+
+        # define json keys to loop
+        if (self.data_type == 'hash') or (self.data_type == 'file'):
+            minireports = raw_report[u'results'][u'response']
+        elif self.data_type == 'filename':
+            minireports = raw_report[u'results'][u'response'][u'result']
+
+        # get first report with not Null verdict
+        for minireport in minireports:
+            if minireport[u'verdict'] is not None:
+                report_verdict = minireport[u'verdict']
+                break
+
+        # create shield badge for short.html
+        if report_verdict == 'malicious':
+            level = 'malicious'
+            value = "\"Malicious\""
+        elif report_verdict == 'suspicious':
+            level = 'suspicious'
+            value = "\"Suspicious\""
+        elif report_verdict == 'whitelisted':
+            level = 'safe'
+            value = "\"Whitelisted\""
+        elif report_verdict == 'no specific threat':
+            level = 'info'
+            value = "\"No Specific Threat\""
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+
+        try:
+            if self.data_type == 'hash':
+                query_url = 'scan/'
+                query_data = self.getParam('data', None, 'Hash is missing')
+
+            elif self.data_type == 'file':
+                query_url = 'scan/'
+                hashes = self.getParam('attachment.hashes', None)
+
+                if hashes is None:
+                    filepath = self.getParam('file', None, 'File is missing')
+                    query_data = hashlib.sha256(open(filepath, 'r').read()).hexdigest()
+                else:
+                    # find SHA256 hash
+                    query_data = next(h for h in hashes if len(h) == 64)
+
+            elif self.data_type == 'filename':
+                query_url = 'search?query=filename:'
+                query_data = self.getParam('data', None, 'Filename is missing')
+            else:
+                self.notSupported()
+
+            url = str(self.basic_url) + str(query_url) + str(query_data)
+
+            error = True
+            while error:
+                r = requests.get(url, headers=self.headers, auth=HTTPBasicAuth(self.api_key, self.secret))
+                if r.json()[u'response'][
+                    u'error'] == "Exceeded maximum API requests per minute(5). Please try again later.":
+                    time.sleep(60)
+                else:
+                    error = False
+
+            self.report({'results': r.json()})
+
+        except ValueError as e:
+            self.unexpectedError(e)
+
+
+if __name__ == '__main__':
+    VxStreamSandboxAnalyzer().run()

thehive-templates/VxStreamSandbox_Hash_Report_Publuc_API_1_0/long.html

@@ -0,0 +1,101 @@
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+  <div class="panel-heading">
+    <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+  </div>
+  <div class="panel-body">
+    {{results.errorMessage}}
+  </div>
+</div>
+
+<div class="panel panel-info" ng-if="success">
+  <div class="panel-heading">
+    <!-- VxStream Sandbox Hash Report Publuc API: Related Reports -->
+    Related Reports
+  </div>
+  <!-- Hash and File (also hash) -->
+  <div class="panel-body">
+    <div ng-repeat="r in ::content.results.response">
+      <dl class="dl-horizontal" ng-if="r.submitname">
+        <strong>Submitted filename: </strong> {{r.submitname}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.analysis_start_time">
+        <strong>Analysis Start Time: </strong> {{r.analysis_start_time}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.md5">
+        <strong>MD5: </strong> {{r.md5}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.sha1">
+        <strong>SHA1: </strong> {{r.sha1}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.sha256">
+        <strong>SHA256: </strong> {{r.sha256}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.type">
+        <strong>File Description: </strong> {{r.type}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.threatscore">
+        <strong>Threat Score: </strong> {{r.threatscore}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.avdetect">
+        <strong>AVdetect Score: </strong> {{r.avdetect}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.vxfamily">
+        <strong>VxFamily: </strong> {{r.vxfamily}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.total_signatures">
+        <strong>Total Signatures: </strong> {{r.total_signatures}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.environmentDescription">
+        <strong>Environment Description: </strong> {{r.environmentDescription}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.verdict">
+        <strong>Verdict: </strong>{{r.verdict}} <br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.domains.length > 0">
+        <strong>DNS requests:</strong><ul><li ng-repeat="domain in ::r.domains">{{domain}}</li></ul>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.hosts.length > 0">
+        <strong>Contacted Hosts:</strong><ul><li ng-repeat="host in ::r.hosts">{{host}}</li></ul>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.classification_tags.length > 0">
+        <strong>Tagged as:</strong><ul><li ng-repeat="tag in ::r.classification_tags">{{tag}}</li></ul>
+      </dl>
+      <hr>
+    </div>
+  </div>
+  <!-- Filename -->
+  <div class="panel-body">
+    <div ng-repeat="r in ::content.results.response.result">
+      <dl class="dl-horizontal" ng-if="r.submitname">
+        <strong>Submitted filename: </strong> {{r.submitname}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.sha256">
+        <strong>SHA256: </strong> {{r.sha256}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.type_short">
+        <strong>File type: </strong>{{r.type_short}} <br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.type">
+        <strong>File Description: </strong> {{r.type}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.threatscore">
+        <strong>Threat Score: </strong> {{r.threatscore}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.avdetect">
+        <strong>AVdetect Score: </strong> {{r.avdetect}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.vxfamily">
+        <strong>VxFamily: </strong> {{r.vxfamily}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.environmentDescription">
+        <strong>Environment Description: </strong> {{r.environmentDescription}}<br/>
+      </dl>
+      <dl class="dl-horizontal" ng-if="r.verdict">
+        <strong>Verdict: </strong>{{r.verdict}} <br/>
+      </dl>
+      <hr>
+    </div>
+  </div>
+
+</div>

thehive-templates/VxStreamSandbox_Hash_Report_Publuc_API_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>