We have noticed the following tweet from malwr:
We enabled the API to submit files to everyone, you can find it documented in you profile page. Let the madness begin.
— malwr (@malwr) April 16, 2014
As we use the Dionaea honeypot as our sensors, we decided to make it easy for our analysts to work with. So we have created a module that automates malware submission to malwr.
The following is the code for the malwr module, together with step-by-step installation instructions.
Create the file modules/python/scripts/malwr.py with the following code:
Available on gist
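from dionaea.core import ihandler, incident, g_dionaea
import logging
import json
import uuid
import time
import sqlite3

logger = logging.getLogger('malwr')
logger.setLevel(logging.DEBUG)


class malwrreport:
    """Bookkeeping record for one sample handed to the uploader.

    Kept in ``handler.cookies`` under a random cookie until the upload
    callback fires, so malwr's response can be matched back to the local
    file it belongs to.
    """

    def __init__(self, md5, path, timestamp):
        self.md5 = md5        # md5 of the sample as reported by dionaea (icd.md5hash)
        self.path = path      # local path of the sample on disk
        self.ts = timestamp   # submission timestamp string (local time)


class handler(ihandler):
    """Dionaea ihandler that submits every unique download to malwr.

    Configuration comes from ``modules.python.malwr`` in dionaea.conf:
    ``submit_url``, ``apikey``, ``shared`` and ``dbfile``.  Every answered
    submission is recorded in the ``submit`` table of the SQLite database
    at ``dbfile`` and re-announced as a ``dionaea.modules.python.malwr.uuid``
    incident.
    """

    def __init__(self, path):
        logger.info("%s ready!", self.__class__.__name__)
        ihandler.__init__(self, path)
        self.vconfig = g_dionaea.config()['modules']['python']['malwr']
        self.submit_url = self.vconfig['submit_url']
        # The API key is a credential read from dionaea.conf; keep that file
        # readable only by the dionaea user.
        self.api_key = self.vconfig['apikey']
        # Passed to the upload request unchanged; presumably tells malwr
        # whether the sample may be shared with other users -- confirm
        # against the malwr API documentation.
        self.share = self.vconfig['shared']
        # cookie -> malwrreport for uploads whose callback has not fired yet.
        # NOTE(review): entries are only released in the callback, so an
        # upload that never reports back leaves its entry behind -- confirm
        # the callback is also delivered on failed uploads.
        self.cookies = {}
        dbpath = self.vconfig['dbfile']
        self.dbh = sqlite3.connect(dbpath)
        self.cursor = self.dbh.cursor()
        self.cursor.execute("""
CREATE TABLE IF NOT EXISTS submit (
    id INTEGER PRIMARY KEY,
    uuid TEXT NOT NULL,
    path TEXT NOT NULL,
    md5 TEXT NOT NULL,
    sha256 TEXT NOT NULL,
    submit_time TEXT NOT NULL
);""")

    def handle_incident(self, icd):
        # Catch-all required by the ihandler interface; nothing to do here.
        pass

    def handle_incident_dionaea_download_complete_unique(self, icd):
        """Queue an upload of the freshly downloaded sample ``icd.path``.

        A random cookie ties the upload request to its malwrreport so the
        response can be matched in the ``file_submitted`` callback.
        """
        cookie = str(uuid.uuid4())
        # The " :" in the format is kept as-is: it is the format already
        # stored in existing submit tables.
        stamp = str(time.strftime("%Y-%m-%d :%H:%M:%S", time.localtime()))
        self.cookies[cookie] = malwrreport(icd.md5hash, icd.path, stamp)
        i = incident('dionaea.upload.request')
        i._url = self.submit_url
        i.shared = self.share
        i.api_key = self.api_key
        i.set('file://file', icd.path)
        i._callback = "dionaea.modules.python.malwr.file_submitted"
        i._userdata = cookie
        i.report()

    def handle_incident_dionaea_modules_python_malwr_file_submitted(self, icd):
        """Record malwr's answer for a finished upload.

        ``icd.path`` is the JSON body returned by malwr, expected to carry
        ``uuid`` and ``sha256``.  The submission is written to the ``submit``
        table (parameterised, so response content cannot alter the SQL) and
        re-announced as a ``dionaea.modules.python.malwr.uuid`` incident.
        An unusable response is logged and skipped instead of raising.
        """
        cookie = icd._userdata
        # pop() so the entry is released even when the response is unusable.
        mreport = self.cookies.pop(cookie, None)
        if mreport is None:
            logger.error("no pending submission for cookie %s", cookie)
            return
        try:
            # Context manager: the original left this file handle open.
            with open(icd.path, mode='r') as f:
                j = json.load(f)
            report_uuid = j['uuid']
            sha256 = j['sha256']
        except (ValueError, KeyError, TypeError):
            # Malformed JSON or a response without the expected fields
            # (e.g. an error reply); do not log the body itself.
            logger.exception("unusable malwr response for %s", mreport.path)
            return
        self.cursor.execute(
            """INSERT INTO submit (uuid, path, md5, sha256, submit_time)
               VALUES (?, ?, ?, ?, ?);""",
            (report_uuid, mreport.path, mreport.md5, sha256, mreport.ts))
        self.dbh.commit()
        i = incident("dionaea.modules.python.malwr.uuid")
        i.md5hash = mreport.md5
        i.uuid = report_uuid
        i.report()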
Open file modules/python/scripts/ihandler.py and find the following code:
# Existing fail2ban registration in ihandler.py: the handler is only
# instantiated when its name appears in the configured handler list.
if "fail2ban" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
    import dionaea.fail2ban
    g_handlers.append(dionaea.fail2ban.fail2banhandler())
Then add this code directly after it:
# Register the malwr handler the same way: only when "malwr" is listed
# (as an active, uncommented entry) under ihandlers.handlers in dionaea.conf.
if "malwr" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
    import dionaea.malwr
    g_handlers.append(dionaea.malwr.handler('*'))
and it should look like the following:
# Each optional ihandler is instantiated only when its name is listed under
# ihandlers.handlers in dionaea.conf.
if "fail2ban" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
    import dionaea.fail2ban
    g_handlers.append(dionaea.fail2ban.fail2banhandler())

# malwr submission handler; '*' is the ihandler path it subscribes to.
if "malwr" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
    import dionaea.malwr
    g_handlers.append(dionaea.malwr.handler('*'))
Open the file conf/dionaea.conf and find the following code:
// Python sub-configurations loaded by dionaea.
imports = [
    "log",
    "services",
    "ihandlers"
]
Add the malwr configuration after the above code, so that it looks like this:
// Python sub-configurations loaded by dionaea.
imports = [
    "log",
    "services",
    "ihandlers"
]

// Settings read by modules/python/scripts/malwr.py.
malwr = {
    submit_url = "https://malwr.com/api/analysis/add/"
    // get yours @ https://malwr.com/account/profile/
    // This key is a credential: keep dionaea.conf readable only by the
    // dionaea user.
    apikey = "..."
    // Sent to malwr unchanged with every upload.
    shared = "yes"
    // SQLite file where each submission (uuid, md5, sha256, time) is recorded.
    dbfile = "var/dionaea/malwr.sqlite"
}
Within the same file, find the following code:
// Incident handlers to load; entries prefixed with // are disabled.
ihandlers = {
    handlers = [
        "ftpdownload",
        "tftpdownload",
        "emuprofile",
        "cmdshell",
        "store",
        "uniquedownload",
        "logsql",
        // "virustotal",
        // "mwserv",
        // "submit_http",
        // "logxmpp",
        // "nfq",
        // "p0f",
        // "surfids",
        // "fail2ban"
    ]
}
Add “malwr” after “logsql” so that it looks like the snippet below, then save 😀
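// Incident handlers to load; entries prefixed with // are disabled.
ihandlers = {
    handlers = [
        "ftpdownload",
        "tftpdownload",
        "emuprofile",
        "cmdshell",
        "store",
        "uniquedownload",
        "logsql",
        // "malwr" must be an active entry (no leading //): ihandler.py only
        // instantiates the handler when the name is present in this list.
        "malwr",
        // "virustotal",
        // "mwserv",
        // "submit_http",
        // "logxmpp",
        // "nfq",
        // "p0f",
        // "surfids",
        // "fail2ban"
    ]
}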
This is interesting. Thanks.