Merge pull request #766 from hariomenkel/master

jeromeleonard · web-flow · commit c2c993713d48 · 2020-06-26T17:31:41.000+02:00
Add new responder VirustotalDownloader #765
diff --git a/responders/VirustotalDownloader/VirustotalDownloader.json b/responders/VirustotalDownloader/VirustotalDownloader.json
@@ -0,0 +1,34 @@
+{
+  "name": "Virustotal Downloader",
+  "version": "0.1",
+  "author": "Mario Henkel @hariomenkel",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Download a file from Virustotal by its hash",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "VirustotalDownloader/VirustotalDownloader.py",
+  "baseConfig": "VirustotalDownloader",
+  "configurationItems": [
+    {
+      "name": "virustotal_apikey",
+      "description": "Virustotal API key which should be used to download files",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "thehive_url",
+      "description": "URL pointing to your TheHive installation, e.g. 'http://127.0.0.1:9000'",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "thehive_apikey",
+      "description": "TheHive API key which is used to add the downloaded file back to the alert/case",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}
diff --git a/responders/VirustotalDownloader/VirustotalDownloader.py b/responders/VirustotalDownloader/VirustotalDownloader.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+import os
+import magic
+import tempfile
+import mimetypes
+import filetype
+from thehive4py.api import TheHiveApi
+from thehive4py.models import Case, CaseObservable
+
+class VirustotalDownloader(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.virustotal_apikey = self.get_param('config.virustotal_apikey', None, "Virustotal API key missing!")
+        self.thehive_url = self.get_param('config.thehive_url', None, "TheHive URL missing!")
+        self.thehive_apikey = self.get_param('config.thehive_apikey', None, "TheHive API key missing!")
+
+    def run(self):
+        Responder.run(self)
+
+        data_type = self.get_param('data.dataType')
+        case_id = self.get_param('data._parent')
+        ioc_types = ["hash"]
+
+        if data_type in ioc_types:
+            url = 'https://www.virustotal.com/vtapi/v2/file/download'
+            params = {'apikey': self.virustotal_apikey, 'hash': self.get_param('data.data')}
+
+            response = requests.get(url, params=params)
+
+            if response.status_code == 200:
+                filename = ""
+                downloaded_file = response.content
+
+                tempdir = tempfile.gettempdir()
+                f = open(tempdir + "/" +  self.get_param('data.data'), 'wb')
+                f.write(downloaded_file)
+                f.close()
+                filename = f.name
+
+                kind = filetype.guess(f.name)
+
+                if kind.extension != None:
+                    os.rename(f.name, f.name + "." + kind.extension)
+                    filename = f.name + "." + kind.extension
+
+                api = TheHiveApi(self.thehive_url, self.thehive_apikey)
+
+                file_observable = CaseObservable(dataType='file',
+                        data=[filename],
+                        tlp=self.get_param('data.tlp'),
+                        ioc=True,
+                        tags=['src:VirusTotal', str(kind.mime), str(kind.extension), 'parent:' + self.get_param('data.data')],
+                        message=''
+                        )
+
+                response = api.create_case_observable(case_id, file_observable)
+
+                self.report({'message': str(response.status_code) + " " + response.text})
+            else:
+               self.report({'message': 'Virustotal returned the following error code: ' + str(response.status_code) + ". If you receive 403 this means that you are using a public API key but this responder needs a private Virustotal API key!"})
+        else:
+            self.error('Incorrect dataType. "Hash" expected.')
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='Virustotal:Downloaded')]
+
+
+if __name__ == '__main__':
+    VirustotalDownloader().run()
diff --git a/responders/VirustotalDownloader/requirements.txt b/responders/VirustotalDownloader/requirements.txt
@@ -0,0 +1,6 @@
+cortexutils
+datetime
+requests
+thehive4py
+python-magic
+filetype
