Dionaea: Malwr Module

We have noticed the following tweet from malwr:

As we use the Dionaea honeypot as our sensors, we decided to make it easy for our analysts to work with. So, we have created a module to automate malware submission to malwr.

The following is the code for the malwr module, followed by step-by-step installation instructions.

Create the file modules/python/scripts/malwr.py with the following code:

Available on gist

from dionaea.core import ihandler, incident, g_dionaea
import logging
import json
import uuid
import time
import sqlite3

# Module-level logger for the malwr handler; DEBUG so submission bookkeeping
# is visible in dionaea's log output.
logger = logging.getLogger('malwr')
logger.setLevel(level=logging.DEBUG)

class malwrreport:
	"""Bookkeeping record for one pending malwr submission.

	Holds the sample's local md5, its on-disk path and the submission
	timestamp so the upload callback can write them to the database.
	"""
	def __init__(self, md5, path, timestamp):
		# Attribute names are read back by the handler: md5, path, ts.
		self.md5, self.path, self.ts = md5, path, timestamp

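class handler(ihandler):
	"""Submit each unique download to the malwr API and record the result.

	Listens for ``dionaea.download.complete.unique`` incidents, uploads the
	sample via a ``dionaea.upload.request`` incident and, when the upload
	callback fires, stores malwr's ``uuid``/``sha256`` alongside the local
	path and md5 in a small sqlite table. Finally it raises a
	``dionaea.modules.python.malwr.uuid`` incident for downstream handlers.
	"""

	def __init__(self, path):
		logger.info("%s ready!" % (self.__class__.__name__))
		ihandler.__init__(self, path)
		# Module configuration from the running dionaea instance.
		self.vconfig = g_dionaea.config()['modules']['python']['malwr']
		self.submit_url = self.vconfig['submit_url']
		# Credential for the malwr account; the config file holding it is sensitive.
		self.api_key = self.vconfig['apikey']
		# Forwarded as the upload's "shared" field. NOTE(review): presumably
		# controls visibility of the submission on malwr — confirm with the API docs.
		self.share = self.vconfig['shared']
		# Pending submissions keyed by a random cookie; an entry is removed when
		# the upload callback is processed. NOTE(review): an upload whose
		# callback never fires leaves its entry behind.
		self.cookies = {}
		dbpath = self.vconfig['dbfile']
		# sqlite3 connections are bound to the creating thread; this assumes the
		# callback runs on the same thread as __init__ — TODO confirm.
		self.dbh = sqlite3.connect(dbpath)
		self.cursor = self.dbh.cursor()
		self.cursor.execute("""
			CREATE TABLE IF NOT EXISTS submit (
				id INTEGER PRIMARY KEY,
				uuid TEXT NOT NULL,
				path TEXT NOT NULL,
				md5 TEXT NOT NULL,
				sha256 TEXT NOT NULL,
				submit_time TEXT NOT NULL
			);""")

	def handle_incident(self, icd):
		"""Generic catch-all; this handler only reacts to the specific incidents below."""
		pass

	def handle_incident_dionaea_download_complete_unique(self, icd):
		"""Queue a newly stored unique sample for upload to malwr.

		``icd`` is expected to carry ``md5hash`` and ``path`` (the sample on
		disk). A random cookie ties the later upload callback to this report.
		"""
		cookie = str(uuid.uuid4())
		# NOTE(review): the " :" separator looks like a typo for " ", but the
		# value is persisted to the database, so the format is kept as-is.
		submitted_at = time.strftime("%Y-%m-%d :%H:%M:%S", time.localtime())
		self.cookies[cookie] = malwrreport(icd.md5hash, icd.path, submitted_at)

		i = incident('dionaea.upload.request')
		i._url = self.submit_url
		i.shared = self.share
		i.api_key = self.api_key
		i.set('file://file', icd.path)
		# The upload module reports this incident name back to us with _userdata.
		i._callback = "dionaea.modules.python.malwr.file_submitted"
		i._userdata = cookie
		i.report()

	def handle_incident_dionaea_modules_python_malwr_file_submitted(self, icd):
		"""Record malwr's response for a completed upload.

		``icd.path`` points at the JSON body returned by malwr and
		``icd._userdata`` is the cookie handed out in the upload request.
		The response is untrusted input: a malformed body or missing keys
		are logged and skipped instead of raising inside the dispatcher.
		"""
		cookie = icd._userdata
		# Drop the pending entry up front so a bad response cannot leak it.
		mreport = self.cookies.pop(cookie, None)
		if mreport is None:
			logger.warning("malwr callback for unknown cookie %s", cookie)
			return

		try:
			# Context manager closes the response file once parsed.
			with open(icd.path, mode='r') as f:
				j = json.load(f)
			malwr_uuid = j['uuid']
			sha256 = j['sha256']
		except (ValueError, KeyError, TypeError) as err:
			logger.warning("unexpected malwr response for %s: %s", mreport.path, err)
			return

		# Parameterized statement: response values never reach the SQL text.
		self.cursor.execute("""INSERT INTO submit (uuid, path, md5, sha256, submit_time) VALUES (?, ?, ?, ?, ?);""", (malwr_uuid, mreport.path, mreport.md5, sha256, mreport.ts))
		self.dbh.commit()

		i = incident("dionaea.modules.python.malwr.uuid")
		i.md5hash = mreport.md5
		i.uuid = malwr_uuid
		i.report()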

Open the file modules/python/scripts/ihandler.py and find the following code:

	if "fail2ban" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
		import dionaea.fail2ban
		g_handlers.append(dionaea.fail2ban.fail2banhandler())

Then add this code directly after it:

	if "malwr" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
		import dionaea.malwr
		g_handlers.append(dionaea.malwr.handler('*'))

The result should look like the following:

	if "fail2ban" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
		import dionaea.fail2ban
		g_handlers.append(dionaea.fail2ban.fail2banhandler())

	if "malwr" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
		import dionaea.malwr
		g_handlers.append(dionaea.malwr.handler('*'))

Open the file conf/dionaea.conf and find the following code:

		imports	= [	"log",
					"services",
					"ihandlers"]

Add the malwr configuration after the above code, so that it looks like this:

		imports	= [	"log",
					"services",
					"ihandlers"]
		// apikey is a live credential for the malwr account: keep this file
		// readable only by the user dionaea runs as.
		// dbfile is relative; presumably resolved against dionaea's working
		// directory — confirm before relying on the path.
		malwr = {
			submit_url = "https://malwr.com/api/analysis/add/"
			apikey = "..." // get yours @ https://malwr.com/account/profile/
			shared = "yes"
			dbfile = "var/dionaea/malwr.sqlite"
		}

Within the same file, find the following code:

		ihandlers = {
			handlers = ["ftpdownload", "tftpdownload", "emuprofile", "cmdshell", "store", "uniquedownload", 
			"logsql",
//			"virustotal",
//			"mwserv",
//			"submit_http",
//			"logxmpp",
//			"nfq",
//			"p0f",
//			"surfids",
//			"fail2ban"
			]
		}

Add “malwr” after “logsql” so that it looks like below, and save. Entries prefixed with // are commented out and therefore disabled, so make sure the new "malwr" line is not prefixed with //.

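		ihandlers = {
			handlers = ["ftpdownload", "tftpdownload", "emuprofile", "cmdshell", "store", "uniquedownload", 
			"logsql",
			"malwr",
//			"virustotal",
//			"mwserv",
//			"submit_http",
//			"logxmpp",
//			"nfq",
//			"p0f",
//			"surfids",
//			"fail2ban"
			]
		}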

One thought on “Dionaea: Malwr Module”

  1. Fikri Fadzil says:

    This is interesting. Thanks.
