Cuckoo sandbox modules

VXvault module some love and bugfix
conix-security · Mar 3, 2017 · f870dbb · f870dbb
1 parent 1f56f14
commit f870dbb
Show file tree

Hide file tree

Showing 7 changed files with 186 additions and 37 deletions.
diff --git a/BTG.py b/BTG.py
@@ -1,6 +1,7 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 # Copyright (c) 2016-2017 Conix Cybersecurity
+# Copyright (c) 2016-2017 Lancelot Bogard
 # Copyright (c) 2016-2017 Robin Marsollier
 #
 # This file is part of BTG.
@@ -19,7 +20,7 @@
 # along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 
-version = "1.0" # BTG version
+version = "1.1" # BTG version
 
 # Import python modules
 try:

diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ Thus CERT-Conix created a tool allowing analysts to qualify such elements search
 
 
 #### Module list:
+    Cuckoo sandbox
     DShield
     Lehigh
     Malekal
@@ -29,6 +30,7 @@ Thus CERT-Conix created a tool allowing analysts to qualify such elements search
     OpenPhish
     Palevo
     VirusTotal
+    Vxvault
     ZeusTracker
 
 #### Installation

diff --git a/config.py.editme b/config.py.editme
@@ -6,13 +6,22 @@
 # BTG CONFIGURATION PARAMETERS
 ################################################################
 
+# Display output as debug
 debug = False
+
+# Disable motd without using --silent option
 display_motd = True
-offline = False # Force to use offline modules
+
+# Force to use offline modules
+offline = False
+
+# Enable or disable color in terminal output
+terminal_color = True
 
 # Specify modules folder
 modules_folder = "./modules/"
 
+# Output logs file
 log_found_file = "./log.txt"
 log_search_file = "./search.txt"
 
@@ -35,6 +44,36 @@ sqlite_path = "/tmp/"
 # Specify maximum child process for BTG
 max_process = 4
 
+################################################################
+# Malekal - MD5/SHA1/SHA256/SHA512/URL/IPv4/IPv6/domain
+################################################################
+malekal_enabled = False
+malekal_local = False
+malekal_remote = False
+malekal_files_path = ""
+
+################################################################
+# MISP - MD5/SHA1/SHA256/URL/IPv4/domain/IPv6/SHA512
+################################################################
+misp_enabled = False
+misp_url = ""
+misp_key = ""
+misp_verifycert = False
+#this settings allows to display tags from the tlp namespace
+misp_tag_display = "tlp"
+
+################################################################
+# VirusTotal - MD5/SHA1/SHA256/URL/IPv4/domain
+################################################################
+virustotal_enabled = False
+virustotal_API_keys = [
+        ''
+]
+
+################################################################
+# TOR exits nodes - 
+################################################################
+tor_enabled = False
 
 ################################################################
 # Dshield - domains
@@ -47,17 +86,19 @@ dshield_enabled = False
 lehigh_enabled = False
 
 ################################################################
-# Malekal - MD5/SHA1/SHA256/SHA512/URL/IPv4/IPv6/domain
+# Malwaredomains - domains
 ################################################################
-malekal_enabled = False
-malekal_local = False
-malekal_remote = False
-malekal_files_path = ""
+malwaredomains_enabled = False
 
 ################################################################
-# Malwaredomains - domains
+# Palevo - domains
 ################################################################
-malwaredomains_enabled = False
+palevo_enabled = False
+
+################################################################
+# Zeustracker - domains
+################################################################
+zeustracker_enabled = False
 
 ################################################################
 # Malwaredomainlist - domains
@@ -71,39 +112,23 @@ malwaredomainlist_enabled = False
 malwareteks_enabled = False
 
 ################################################################
-# MISP - MD5/SHA1/SHA256/URL/IPv4/domain/IPv6/SHA512
+# Cybercrimetracker - domains/URL/domains
 ################################################################
-misp_enabled = False
-misp_url = ""
-misp_key = ""
-misp_verifycert = True
-#this settings allows to display tags from the tlp namespace
-misp_tag_display = "tlp"  
-
-################################################################
-# TOR exits nodes - 
-################################################################
-tor_enabled = False
+cybercrimetracker_enabled = False
 
 ################################################################
 # Openphish - URL
 ################################################################
 openphish_enabled = False
 
 ################################################################
-# Palevo - domains
+# CuckooSandbox - MD5/SHA256
 ################################################################
-palevo_enabled = False
+cuckoosandbox_enabled = False
+cuckoosandbox_API_url = "" # Example: http://127.0.0.1:8090
+cuckoosandbox_WEB_url = ""
 
 ################################################################
-# VirusTotal - MD5/SHA1/SHA256/URL/IPv4/domain
-################################################################
-virustotal_enabled = False
-virustotal_API_keys = [
-        ''
-]
-
-################################################################
-# Zeustracker - domains
-################################################################
-zeustracker_enabled = False
+# vxvault
+###############################################################
+vxvault_enabled = False
diff --git a/lib/io.py b/lib/io.py
@@ -62,7 +62,7 @@ def __init__(self, iocs):
 
 
 class colors:
-    if system() == "Windows":
+    if system() == "Windows" or config.terminal_color == False:
         DEBUG = ''
         INFO = ''
         FOUND = ''

diff --git a/modules/cuckoosandbox.py b/modules/cuckoosandbox.py
@@ -0,0 +1,68 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2016-2017 Conix Cybersecurity
+#
+# This file is part of BTG.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+from BTG import BTG
+from lib.io import display
+from requests import get
+from re import findall
+import json
+import config
+from platform import system
+if system() != "Windows":
+    import requests_cache 
+    requests_cache.install_cache('%sBTG'%config.sqlite_path)
+
+class Cuckoosandbox:
+    """
+        This module allow you to search IOC in CuckooSandbox database
+    """
+    def __init__(self, ioc, type):
+        if config.cuckoosandbox_enabled:
+            self.module_name = __name__.split(".")[1]
+            self.types = [
+                "MD5", "SHA256"
+            ]
+            self.search_method = "Online"
+            self.description = "Search IOC in CuckooSandbox database"
+            self.author = "Conix"
+            self.creation_date = "02-03-2017"
+            self.type = type
+            self.ioc = ioc
+            if type in self.types:
+                self.search()
+
+    def search(self):
+        display(self.module_name, self.ioc, "INFO", "Searching...")
+        if BTG.allowedToSearch(self.search_method):
+	        if self.type in ["MD5"]:
+	            url = "%s/files/view/md5/%s"%(config.cuckoosandbox_API_url, self.ioc)
+	        elif self.type in ["SHA256"]:
+	            url = "%s/files/view/sha256/%s"%(config.cuckoosandbox_API_url, self.ioc)
+	        page = get(
+	            url, 
+	            headers=config.user_agent,
+	            proxies=config.proxy_host,
+	            timeout=config.requests_timeout
+	        ).text
+	        if not "Error: 404 Not Found" in page:
+	        	id_analysis = json.loads(page)["sample"]["id"]
+	        	display("%s_remote"%self.module_name, self.ioc, "FOUND", "%s/view/%s"%(config.cuckoosandbox_WEB_url, id_analysis))
+	        #except:
+	        #    display("%s"%self.module_name, self.ioc, "INFO", "MalekalTimeout")
+
diff --git a/modules/virustotal.py b/modules/virustotal.py
@@ -62,11 +62,15 @@ def __init__(self, ioc, type):
     def searchReport(self):
         self.url = "https://www.virustotal.com/vtapi/v2/file/report"
         parameters = {"resource": self.ioc,
-                      "apikey": self.key}
+                      "apikey": self.key,
+                      "allinfo":1}
         data = urllib.urlencode(parameters)
         req = urllib2.Request(self.url, data)
         response = urllib2.urlopen(req)
-        json_content = loads(response.read())
+        try:
+            json_content = loads(response.read())
+        except:
+            display(self.module_name, self.ioc, "ERROR", "VirusTotal API seems to be down.")
         try:
             display(self.module_name, self.ioc, "FOUND", json_content["permalink"])
         except:

diff --git a/modules/vxvault.py b/modules/vxvault.py
@@ -0,0 +1,49 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2016-2017 Conix Cybersecurity
+#
+# This file is part of BTG.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+import config
+from lib.cache import Cache
+from lib.io import display
+
+class Vxvault:
+    def __init__(self, ioc, type):
+        if config.vxvault_enabled:
+            self.module_name = __name__.split(".")[1]
+            self.types = ["IPv4", "domain", "URL"]
+            self.search_method = "Offline"
+            self.description = "Search domain in Dshield feeds"
+            self.author = "Conix"
+            self.creation_date = "15-09-2016"
+            self.type = type
+            self.ioc = ioc
+            if type in self.types:
+                self.search()
+
+    def search(self):
+        display(self.module_name, self.ioc, "INFO", "Searching...")
+        url = "http://vxvault.net/"
+        paths = [
+            "URL_List.php"
+        ]
+        for path in paths:
+            content = Cache(self.module_name, url, path, self.search_method).content
+            for line in content.split("\n"):
+                if self.ioc in  line:
+                    display(self.module_name, self.ioc, "FOUND", "%s%s"%(url, path))
+                    return