
[Malware Bazaar] Error on some ZIP files

Open labtest06 opened this issue 3 years ago • 2 comments

Description

The malware bazaar integration shows some errors while downloading the new additions.

Environment

  1. OS (where OpenCTI server runs): Ubuntu
  2. OpenCTI version: 5.1.3

Reproducible Steps

Enable the malware bazaar connector; the error below gets logged:

INFO:root:Processing: {'sha256_hash': '93a23e10c740e6728c6e4b94062389b80876b69e3e005c54fefe6a74102c4132', 'sha3_384_hash': '2763ee52f47eee2565788381d847fb421598c771a67a8804c011bc4f1d8c0d7f2fb6ed437358376e07c61e41a68ec911', 'sha1_hash': 'ebc963319161f46fb1d49a5652e6310a56be45e9', 'md5_hash': '9a808944a4b050dd37748c238f63e88f', 'first_seen': '2022-02-02 16:15:05', 'last_seen': None, 'file_name': '2022-2-3-9a808944a4b050dd37748c238f63e88f.bin', 'file_size': 70572, 'file_type_mime': 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'file_type': 'xlsx', 'reporter': 'Cryptolaemus1', 'origin_country': 'FR', 'anonymous': 0, 'signature': None, 'imphash': None, 'tlsh': 'T1A963BE2C9331944ED29F9939D1780BD31B7B4340D28B2679F015F6CA1BA3392378AD9D', 'telfhash': None, 'ssdeep': '1536:fkrrXjBNXcQJ7daX5Ie48VAC4JdUxVVGCp:fkHjBNJ7dapIH8GCqd4yc', 'dhash_icon': None, 'tags': ['doc', 'Emotet', 'epoch5', 'xlsx'], 'code_sign': [], 'intelligence': {'clamav': None, 'downloads': '24', 'uploads': '1', 'mail': None}}

INFO:root:Listing StixCyberObservables with filters [{"key": "hashes_SHA256", "values": ["93a23e10c740e6728c6e4b94062389b80876b69e3e005c54fefe6a74102c4132"]}].

INFO:root:Creating Stix-Cyber-Observable {artifact}} with indicator at False.

INFO:root:Creating External Reference {MalwareBazaar Recent Additions}.

INFO:root:Reading StixCyberObservable {fb08333f-b185-4045-a823-fc9829e4ea6a}.

INFO:root:Adding External-Reference {1e638a5a-5bc1-4ba6-ac85-9b36deda0a48} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {f4bc4b8e-bd1e-4b1d-8bd4-464ad3e0ec98} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {b6d9068e-5c12-4e78-b8e6-67c92072334d} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {0f7ae074-03e7-43e8-922e-8fae7bebea58} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {0ef291fb-a6f5-4d05-89b6-c240d7fdca0c} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {a3ed5122-719a-46fb-9353-01b2c4d2e9ba} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Processing: {'sha256_hash': 'ea8682b7592508b8050b5a23f345bf932fe18b43cec27537b97ec8f16ba70540', 'sha3_384_hash': 'f9019c6c568b7ab928ec43313a5513d7203a49ad1a01988551c9f59f7537015d19a67b92e3f0ae3aca536f880a9a366b', 'sha1_hash': '01f9f83dcff81a257ca823849c8197a3aed95d13', 'md5_hash': '7d0103c1ba70c1660f898bd6cbf3b830', 'first_seen': '2022-02-02 16:14:31', 'last_seen': None, 'file_name': '2022-2-3-7d0103c1ba70c1660f898bd6cbf3b830.bin', 'file_size': 70594, 'file_type_mime': 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'file_type': 'xlsx', 'reporter': 'Cryptolaemus1', 'origin_country': 'FR', 'anonymous': 0, 'signature': None, 'imphash': None, 'tlsh': 'T1B563CE2D9331944EC19F9939D1780BD31B7B4340D28B267AF015F6DA1AB3391378ADAD', 'telfhash': None, 'ssdeep': '1536:hCkrrXjpFcQJ7daX5Ie48VAC4JdUxVVG9z:hCkHjpFJ7dapIH8GCqd4yd', 'dhash_icon': None, 'tags': ['doc', 'Emotet', 'epoch5', 'xlsx'], 'code_sign': [], 'intelligence': {'clamav': None, 'downloads': '21', 'uploads': '1', 'mail': None}}

INFO:root:Listing StixCyberObservables with filters [{"key": "hashes_SHA256", "values": ["ea8682b7592508b8050b5a23f345bf932fe18b43cec27537b97ec8f16ba70540"]}].

**ERROR:root:File is not a zip file**
**an integer is required (got type str)**

labtest06 avatar Feb 02 '22 16:02 labtest06

Hey @labtest06

Thank you for raising this issue. It seems to me that the malware bazaar API responds with something other than a ZIP file here: https://github.com/OpenCTI-Platform/connectors/blob/568d9263132a32cef1ebe77c968d9fcca61a8b56/external-import/malwarebazaar-recent-additions/src/malwarebazaar-recent-additions.py#L126

I did a manual check with wget --post-data "query=get_file&sha256_hash=ea8682b7592508b8050b5a23f345bf932fe18b43cec27537b97ec8f16ba70540" https://mb-api.abuse.ch/api/v1/ verifying that the reply is a ZIP file. Since the connector code doesn't do any error checking before extracting the zip file, it is possible that the reply was a temporary 503 and hence the connector didn't receive the ZIP file. Running the connector again for the selected time period might do the trick (or better error handling on the connector's side...).

Regards

nor3th avatar Feb 12 '22 20:02 nor3th
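The kind of pre-extraction check nor3th's comment asks for, added here as an example that is not the connector's own code: it verifies the HTTP status and the ZIP magic before handing the body to `zipfile`, and returns a result the caller can log and skip instead of letting `BadZipFile` abort the run. The API replies are replaced by constructed in-memory stand-ins, and the `infected` archive password is an assumption.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumed archive password. zipfile wants bytes here, not str.
ZIP_PASSWORD = b"infected"


@dataclass
class FetchResult:
    ok: bool
    reason: str
    members: tuple = ()


def validate_zip_reply(status: int, body: bytes, pwd: bytes = ZIP_PASSWORD) -> FetchResult:
    """Vet an HTTP reply before extracting it as a sample archive."""
    if status != 200:
        # e.g. a transient 503 from the API front end: retry later, do not extract
        return FetchResult(False, f"HTTP {status}, retry later")
    # Every non-empty ZIP starts with a local-file-header signature.
    if not body.startswith(b"PK\x03\x04"):
        preview = body[:60].decode("utf-8", "replace")
        return FetchResult(False, f"reply is not a ZIP file: {preview!r}")
    buf = io.BytesIO(body)
    if not zipfile.is_zipfile(buf):
        return FetchResult(False, "ZIP magic present but central directory is invalid")
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        zf.setpassword(pwd)
        bad = zf.testzip()  # CRC-check every member before anything is written out
        if bad is not None:
            return FetchResult(False, f"corrupt member {bad}")
        return FetchResult(True, "ok", tuple(zf.namelist()))


def make_sample_zip(name: str, payload: bytes) -> bytes:
    """Constructed stand-in for a downloaded archive (unencrypted, harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed replies: a good download, a 503 HTML page, and a 200 with a text body.
GOOD_REPLY = (200, make_sample_zip("sample.xlsx", b"placeholder bytes, not malware"))
BAD_REPLY = (503, b"<html><body><h1>503 Service Unavailable</h1></body></html>")
TEXT_REPLY = (200, b'{"status": "error"}')
```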

Hello @nor3th,

Can you please try something to workaround this one?

Thanks a lot.

Kind regards, Samuel

SamuelHassine avatar Aug 26 '22 14:08 SamuelHassine