Merge branch 'release/3.5.13'

Author: nusantara-self

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [3.5.12](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.12) (2025-05-07)
+
+[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.11...3.5.12)
+
+**Merged pull requests:**
+
+- New Analyzer & Responders Watcher [\#1353](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1353) ([ygalnezri](https://github.com/ygalnezri))
+
 ## [3.5.11](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.11) (2025-04-17)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.10...3.5.11)

analyzers/Malwares/Malwares_Scan.json

@@ -5,7 +5,7 @@
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Use Malwares' API to scan a file or URL.",
-  "dataTypeList": ["file", "url"],
+  "dataTypeList": ["file"],
   "baseConfig": "Malwares",
   "config": {
     "check_tlp": true,

analyzers/Malwares/malwares.py

@@ -1,160 +1,109 @@
 #!/usr/bin/env python3
 # encoding: utf-8
+
 import time
 import hashlib
 
 from malwares_api import Api
 from cortexutils.analyzer import Analyzer
 
-from io import StringIO
-
 
 class MalwaresAnalyzer(Analyzer):
-
     def __init__(self):
         Analyzer.__init__(self)
-        self.service = self.get_param('config.service', None, 'Service parameter is missing')
-        self.key = self.get_param('config.key', None, 'Missing Malware API key')
-        self.polling_interval = self.get_param('config.polling_interval', 60)
+        self.service = self.get_param(
+            "config.service", None, "Service parameter is missing"
+        )
+        self.key = self.get_param("config.key", None, "Missing Malware API key")
+        self.polling_interval = self.get_param("config.polling_interval", 60)
         self.m_api = Api(self.key)
 
+    def check_response(self, response):
+        if type(response) is not dict:
+            self.error("Bad response : " + str(response))
+        status = response.get("response_code", 500)
+        if status == 429:
+            self.error("Malwares api rate limit exceeded.")
+        elif status >= 400:
+            self.error("Bad status : " + str(status))
+        return response.get("results", {})
+
     def wait_file_report(self, id):
-        results = self.check_response(self.m_api.get_file_report(id))
-        code = results.get('result_code', None)
-        if code == 1:
+        response = self.m_api.get_file_report(id)
+        results = self.check_response(response)
+        status = response.get("response_code", 500)
+        if status == 200:
             self.report(results)
         else:
             time.sleep(self.polling_interval)
             self.wait_file_report(id)
 
-    def wait_url_report(self, id):
-        results = self.check_response(self.m_api.get_url_report(id))
-        code = results.get('result_code', None)
-        if code == 1:
-            self.report(results)
-        else:
-            time.sleep(self.polling_interval)
-            self.wait_url_report(id)
-
-    def check_response(self, response):
-        if type(response) is not dict:
-            self.error('Bad response : ' + str(response))
-        status = response.get('response_code', -1)
-        if status in (-14, -15):
-            self.error('Malwares api rate limit exceeded.')
-        elif int(status) < 1:
-            self.error('Bad status : ' + str(status))
-        results = response.get('results', {})
-        return results
-
-        # 0 => not found
-        # -2 => in queue
-        # 1 => ready
-
     def read_scan_response(self, response, func):
         results = self.check_response(response)
-        code = results.get('result_code', None)
-        md5 = results.get('md5', None)
-        url = results.get('url', None)
-        if code in (1, 2) and md5 is not None:
-            func(md5)
-        elif code in (1, 2) and url is not None:
-            func(url)
+        status = response.get("response_code", 500)
+        sha256 = results.get("ctx_data", {}).get("sha256", None)
+
+        if status in (200, 202) and sha256 is not None:
+            func(sha256)
         else:
-            self.error('%d %s %s - Scan not found' % (code, md5, url))
+            self.error("%d %s - Scan not found" % (status, sha256))
 
     def summary(self, raw):
         taxonomies = []
         level = "info"
         namespace = "Malwares"
-        predicate = "Score"
-        value = "No info"
-        score = -1
-
-        result = {
-            "has_result": True
-        }
-
-        if "ai_score" in raw.keys():
-            score = raw["ai_score"]
-            if score < 10:
-                level = "safe"
-            elif 10 <= score < 30:
-                level = "suspicious"
-            else:
-                level = "malicious"
-
-            result['score'] = score
 
-            value = "{}/100".format(score)
+        ctx_data = raw.get("ctx_data", {})
+        detect = ctx_data.get("detect", "malicious")
+        tags = raw.get("ctx_data", {}).get("tags", [])
 
+        if detect == "normal":
+            level = "safe"
         else:
-            if "detected_communicating_file" in raw.keys() or "detected_url" in raw.keys() or "detected_downloaded_file" in raw.keys():
-                score = max(
-                    raw.get("detected_communicating_file", {}).get("total", 0),
-                    raw.get("detected_url", {}).get("total", 0),
-                    raw.get("detected_downloaded_file", {}).get("total", 0)
-                )
-                value = "{} results".format(score)
-
-            elif "virustotal" in raw.keys():
-                score = raw.get("virustotal", {}).get("positives", 0)
-                total = raw.get("virustotal", {}).get("total", 0)
-                value = "{}/{} positives".format(score, total)
-
-            if score == 0:
-                level = "safe"
-            elif 0 < score <= 5:
-                level = "suspicious"
-            elif score > 5:
-                level = "malicious"
-
-        taxonomies.append(self.build_taxonomy(
-            level, namespace, predicate, value))
+            level = "malicious"
+
+        taxonomies.append(self.build_taxonomy(level, namespace, "Detect", detect))
+        taxonomies.append(self.build_taxonomy(level, namespace, "Tags", tags))
+
         return {"taxonomies": taxonomies}
 
     def run(self):
-        if self.service == 'scan':
-            if self.data_type == 'file':
-                filename = self.get_param('filename', 'noname.ext')
-                filepath = self.get_param('file', None, 'File is missing')
-                self.read_scan_response(self.m_api.scan_file(
-                    open(filepath, 'rb'), filename), self.wait_file_report)
-            elif self.data_type == 'url':
-                data = self.get_param('data', None, 'Data is missing')
+        if self.service == "scan":
+            if self.data_type == "file":
+                filename = self.get_param("filename", "noname.ext")
+                filepath = self.get_param("file", None, "File is missing")
                 self.read_scan_response(
-                    self.m_api.scan_url(data), self.wait_url_report)
+                    self.m_api.scan_file(filepath, filename), self.wait_file_report
+                )
             else:
-                self.error('Invalid data type')
-        elif self.service == 'get':
-            if self.data_type == 'domain':
-                data = self.get_param('data', None, 'Data is missing')
-                self.report(self.check_response(
-                    self.m_api.get_domain_report(data)))
-            elif self.data_type == 'ip':
-                data = self.get_param('data', None, 'Data is missing')
+                self.error("Invalid data type")
+
+        elif self.service == "get":
+            if self.data_type == "domain":
+                data = self.get_param("data", None, "Data is missing")
+                self.report(self.check_response(self.m_api.get_domain_report(data)))
+            elif self.data_type == "ip":
+                data = self.get_param("data", None, "Data is missing")
                 self.report(self.check_response(self.m_api.get_ip_report(data)))
-            elif self.data_type == 'file':
-
-                hashes = self.get_param('attachment.hashes',
-                                       None)
+            elif self.data_type == "file":
+                hashes = self.get_param("attachment.hashes", None)
                 if hashes is None:
-                    filepath = self.get_param('file', None, 'File is missing')
-                    hash = hashlib.sha256(open(filepath, 'rb').read()).hexdigest();
+                    filepath = self.get_param("file", None, "File is missing")
+                    hash = hashlib.sha256(open(filepath, "rb").read()).hexdigest()
                 else:
                     # find SHA256 hash
                     hash = next(h for h in hashes if len(h) == 64)
 
                 self.report(self.check_response(self.m_api.get_file_report(hash)))
 
-            elif self.data_type == 'hash':
-                data = self.get_param('data', None, 'Data is missing')
+            elif self.data_type == "hash":
+                data = self.get_param("data", None, "Data is missing")
                 self.report(self.check_response(self.m_api.get_file_report(data)))
             else:
-                self.error('Invalid data type')
+                self.error("Invalid data type")
         else:
-            self.error('Invalid service')
+            self.error("Invalid service")
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     MalwaresAnalyzer().run()