Merge branch 'master' of https://github.com/MISP/misp-galaxy

2024-11-22 23:07:19 +00:00 · 2018-10-05 16:06:25 +02:00 · 2018-10-05 16:06:25 +02:00 · 655b1619e4
commit 655b1619e4
parent 58a86e4e26 8149960aa3
4 changed files with 13397 additions and 0 deletions
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -4209,6 +4209,16 @@
      "uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd",
      "value": "KONNI"
    },
+    {
+      "value": "NOKKI",
+      "uuid": "9e4fd0d3-9736-421c-b1e1-96c1d3665c80",
+      "description": "Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’. The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks.  Because of code overlap found within both malware families, as well as infrastructure overlap, we believe the threat actors responsible for KONNI are very likely also responsible for NOKKI. Previous reports stated it was likely KONNI had been in use for over three years in multiple campaigns with a heavy interest in the Korean peninsula and surrounding areas. As of this writing, it is not certain if the KONNI or NOKKI operators are related to known adversary groups operating in the regions of interest, although there is evidence of a tenuous relationship with a group known as Reaper.",
+      "meta": {
+        "refs": [
+          "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"
+        ]
+      }
+    },
    {
      "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.",
      "meta": {
--- a/galaxies/malpedia.json
+++ b/galaxies/malpedia.json
@ -0,0 +1,9 @@
+{
+  "description": "Malware galaxy based on Malpedia archive.",
+  "type": "malpedia",
+  "version": 1,
+  "name": "Malpedia",
+  "icon": "shield",
+  "uuid": "1d1c9af9-37fa-4deb-a928-f9b0abc7354a",
+  "namespace": "misp"
+}
--- a/tools/gen_malpedia.py
+++ b/tools/gen_malpedia.py
@ -0,0 +1,78 @@
+import os
+import json
+import sys
+import fnmatch
+import uuid
+import inspect
+
+class ObjectEncoder(json.JSONEncoder):
+
+    def default(self, obj):
+        if hasattr(obj, "to_json"):
+            return self.default(obj.to_json())
+        elif hasattr(obj, "__dict__"):
+            d = dict(
+                (key, value)
+                for key, value in inspect.getmembers(obj)
+                if not key.startswith("__")
+                and not inspect.isabstract(value)
+                and not inspect.isbuiltin(value)
+                and not inspect.isfunction(value)
+                and not inspect.isgenerator(value)
+                and not inspect.isgeneratorfunction(value)
+                and not inspect.ismethod(value)
+                and not inspect.ismethoddescriptor(value)
+                and not inspect.isroutine(value)
+            )
+            return self.default(d)
+        return obj
+
+class Malpedia(object):
+
+    def __init__(self, authors, description, name, source, type, folder_path, version=1):
+        self.authors = authors
+        self.description = description
+        self.name = name
+        self.source = source
+        self.type = type
+        self.uuid = str(uuid.uuid4())
+        self.version = version
+        self.values = self.get_files(folder_path)
+
+    def get_files(self, folder_path):
+        galaxies = []
+        for root, dirnames, filenames in os.walk(folder_path):
+            for filename in fnmatch.filter(filenames, '*.json'):
+                with open(os.path.join(root, filename), 'r') as f:
+                    json_dict = json.loads(
+                        "".join([str(x) for x in f.readlines()]))
+                    galaxies.append(
+                        Galaxy(
+                            description = json_dict.get("description", None),
+                            value = json_dict.get("common_name", None),
+                            synonyms = json_dict.get("alt_names", []),
+                            refs = json_dict.get("urls", [])
+                        ))
+        return galaxies
+
+class Galaxy(object):
+    def __init__(self, description, value, synonyms=[], refs=[], type=[]):
+        self.description = description
+        self.value = value
+        self.uuid = str(uuid.uuid4())
+        self.meta = {}
+        # duplicate item in array generate errors
+        self.meta['refs'] = list(set(refs)) 
+        self.meta['synonyms'] = list(set(synonyms))
+        self.meta['type'] = type
+
+a = Malpedia(authors=['Daniel Plohmann', 'Andrea Garavaglia', 'Davide Arcuri'], 
+    description='Malware galaxy based on Malpedia archive.', 
+    name='Malpedia', 
+    source='Malpedia', 
+    type='malpedia', 
+    folder_path=os.environ['malpedia_path'], # this require cloned malpedia repository
+    version=1) 
+
+with open('../clusters/malpedia.json', 'w') as fp:
+    json.dump(a, fp, cls=ObjectEncoder, indent=4)