
[Hybrid Analysis Feed] Create the connector

Open IOTech17 opened this issue 3 years ago • 3 comments

Hi,

Could you please add a connector for the Hybrid Analysis feed : https://www.hybrid-analysis.com/feed?json

This will need to import the items tagged as malicious, compromised host, files de

example :

{
            "md5": "26f35208bcf56323c400a9f2724025bb",
            "sha1": "7037e7f3c83bfe84d40019c3e593cca72ea76e0b",
            "sha256": "8029da7105229f3a9624a0b3d68345a5ab419c306f5f4942a294559e499dab52",
            "isinteresting": true,
            "analysis_start_time": "2021-03-22 13:57:04",
            "threatscore": 76,
            "threatlevel": 2,
            "threatlevel_human": "malicious",
            "avdetect": 1,
            "isunknown": false,
            "vxfamily": "Phishing site",
            "submitname": "https:\/\/ainsactasadores.com\/wp-admin\/Office\/office\/voicemail\/",
            "isurlanalysis": true,
            "domains": [
                "ainsactasadores.com",
                "ajax.googleapis.com",
                "crl.identrust.com",
                "fonts.googleapis.com",
                "fonts.gstatic.com",
                "maxcdn.bootstrapcdn.com",
                "ocsp.pki.goog",
                "r3.o.lencr.org",
                "www.gstatic.com"
            ],
            "hosts": [
                "179.61.12.106",
                "104.18.10.207",
                "216.58.217.42",
                "142.250.69.202",
                "142.251.33.100",
                "172.217.3.163",
                "142.250.69.195",
                "216.58.193.67"
            ],
            "hosts_geo": [
                {
                    "ip": "179.61.12.106",
                    "lat": "25.7743",
                    "lon": "-80.1937",
                    "cc": "CHL"
                },
                {
                    "ip": "104.18.10.207",
                    "lat": "37.7621",
                    "lon": "-122.3971",
                    "cc": "USA"
                },
                {
                    "ip": "216.58.217.42",
                    "lat": "47.2343",
                    "lon": "-119.8525",
                    "cc": "USA"
                },
                {
                    "ip": "142.250.69.202",
                    "lat": "47.6062",
                    "lon": "-122.3321",
                    "cc": "USA"
                },
                {
                    "ip": "142.251.33.100",
                    "lat": "47.6062",
                    "lon": "-122.3321",
                    "cc": "USA"
                },
                {
                    "ip": "172.217.3.163",
                    "lat": "47.2529",
                    "lon": "-122.4443",
                    "cc": "USA"
                },
                {
                    "ip": "142.250.69.195",
                    "lat": "47.6062",
                    "lon": "-122.3321",
                    "cc": "USA"
                },
                {
                    "ip": "216.58.193.67",
                    "lat": "47.6062",
                    "lon": "-122.3321",
                    "cc": "USA"
                }
            ],
            "compromised_hosts": [
                "179.61.12.106"

In the item above we want the IP of the compromised host.

Example 2 :

{
            "md5": "919b465fc22d5919842c3a0eba650ef8",
            "sha1": "54609ae85d8893606b8c55cd2a1af9e89495efc9",
            "sha256": "bf3106984b3fd928c8a66fcc4dd7123a6709d6645253141db635a1cce62a8940",
            "isinteresting": false,
            "analysis_start_time": "2021-03-21 21:04:58",
            "threatscore": 70,
            "threatlevel": 0,
            "threatlevel_human": "no specific threat",
            "avdetect": 1,
            "isunknown": false,
            "vxfamily": "Trojan.Reconyc",
            "submitname": "setup_timeshift_2.0.0.3.exe",
            "isurlanalysis": false,
            "size": 29396528,
            "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
            "environmentId": "100",
            "environmentDescription": "Windows 7 32 bit",
            "sharedanalysis": false,
            "isreliable": true,
            "reporturl": "\/sample\/bf3106984b3fd928c8a66fcc4dd7123a6709d6645253141db635a1cce62a8940\/6057b4f3cb528c14c76b9fad",
            "vt_detect": 1,
            "ms_detect": 1,
            "process_list": [
                {
                    "uid": "00064666-00001924",
                    "name": "setup_timeshift_2.0.0.3.exe",
                    "normalizedpath": "C:\\setup_timeshift_2.0.0.3.exe",
                    "commandline": "",
                    "sha256": "bf3106984b3fd928c8a66fcc4dd7123a6709d6645253141db635a1cce62a8940",
                    "av_label": "Trojan.Reconyc",
                    "av_matched": 1,
                    "av_total": 68
                },
                {
                    "uid": "00064795-00003404",
                    "parentuid": "00064666-00001924",
                    "name": "setup_timeshift_2.0.0.3.tmp",
                    "normalizedpath": "%TEMP%\\is-HMICI.tmp\\setup_timeshift_2.0.0.3.tmp",
                    "commandline": "\/SL5=\"$500AA,28779505,242688,C:\\setup_timeshift_2.0.0.3.exe\"",
                    "sha256": "c086095ee4a93413b393c407a1c968e3ff03b911c1dc0039f50c9cdbb0efc89b",
                    "av_matched": 0,
                    "av_total": 57
                }
            ],
            "extracted_files": [
                {
                    "name": "unrar.dll",
                    "file_path": "%TEMP%\\is-HMMFD.tmp\\unrar.dll",
                    "file_size": "238592",
                    "sha1": "b8b8d6b66311eabd05dac2f0ff1f65819b2749d5",
                    "sha256": "3ac26f9079294522e89abca4efe3a3e84fd8fdad664eceb689d17d4615f3b0f1",
                    "md5": "aefa8492ed2130b050482d0febc39a86",
                    "type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
                    "type_tags": [
                        "pedll",
                        "executable"
                    ],
                    "threatlevel": 2,
                    "threatlevel_readable": "malicious",
                    "av_label": "Malware.Generic",
                    "av_matched": "1",
                    "av_total": "70",
                    "targetname": "setup_timeshift_2.0.0.3.tmp",
                    "targetpid": 3404
                },

The sha256 of the file with "threatlevel_readable": "malicious" should be sent to OpenCTI along with the label: "av_label": "Malware.Generic".

IOTech17 avatar Mar 22 '21 15:03 IOTech17
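An added example, not the connector discussed in this issue and not OpenCTI or pycti code: it applies the two extraction rules stated in the request to feed items shaped like the JSON above and emits STIX 2.1 patterns, which is what an OpenCTI Indicator would carry. The feed sample is constructed from the two items quoted above, trimmed to the fields the rules use; the `extract_indicators` name and output layout are my own.

```python
# Added example (not the issue's connector or OpenCTI code): apply the two
# extraction rules from the request to Hybrid Analysis feed items and emit
# STIX 2.1 patterns suitable for OpenCTI Indicator objects. No pycti used.
from typing import Any, Dict, List

# Constructed sample: the two items quoted in the issue, trimmed to the
# fields the rules need, plus one clean extracted file to show filtering.
SAMPLE_FEED: List[Dict[str, Any]] = [
    {
        "sha256": "8029da7105229f3a9624a0b3d68345a5ab419c306f5f4942a294559e499dab52",
        "threatlevel_human": "malicious",
        "vxfamily": "Phishing site",
        "compromised_hosts": ["179.61.12.106"],
    },
    {
        "sha256": "bf3106984b3fd928c8a66fcc4dd7123a6709d6645253141db635a1cce62a8940",
        "threatlevel_human": "no specific threat",
        "extracted_files": [
            {"sha256": "3ac26f9079294522e89abca4efe3a3e84fd8fdad664eceb689d17d4615f3b0f1",
             "threatlevel_readable": "malicious", "av_label": "Malware.Generic"},
            {"sha256": "0" * 64, "threatlevel_readable": "no specific threat"},
        ],
    },
]


def extract_indicators(feed: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """One dict per indicator: kind, value, label, STIX pattern, parent sha256."""
    out: List[Dict[str, str]] = []
    for item in feed:
        parent = item.get("sha256", "")
        # Rule 1: IPs under compromised_hosts when the analysis is malicious.
        if item.get("threatlevel_human") == "malicious":
            for ip in item.get("compromised_hosts", []):
                out.append({"kind": "ipv4-addr", "value": ip,
                            "label": item.get("vxfamily", ""),
                            "pattern": f"[ipv4-addr:value = '{ip}']",
                            "parent": parent})
        # Rule 2: extracted files rated malicious on their own, even when the
        # parent sample is "no specific threat" (example 2 in the issue).
        for f in item.get("extracted_files", []):
            h = f.get("sha256", "")
            if f.get("threatlevel_readable") != "malicious" or len(h) != 64:
                continue
            out.append({"kind": "file", "value": h,
                        "label": f.get("av_label", ""),
                        "pattern": f"[file:hashes.'SHA-256' = '{h}']",
                        "parent": parent})
    return out
```

Keeping the parent sha256 on each indicator lets a connector attach a relationship back to the analysed sample rather than emitting orphan indicators.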

@SamuelHassine I've made considerable efforts to develop the feed ingestion connector. Currently, it doesn't comply with the standards of other connectors, but I can showcase my efforts in a PR if something similar would be welcome.

SyeedHasan avatar Mar 30 '21 10:03 SyeedHasan

Hello @SyeedHasan,

Please do so! It will speed up the development of the connector!

SamuelHassine avatar Mar 30 '21 11:03 SamuelHassine

Sounds good, @SamuelHassine.

Let me give it a proper shape and pull a PR as soon as it's done.

Currently, it is also built to use the pycti library and doesn't go through the queues; would that be a problem? I can fix this via bundling, but it would require a bit more time.

SyeedHasan avatar Mar 30 '21 11:03 SyeedHasan