OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

[Malware Bazaar] Error on some ZIP files #611

Open labtest06 opened 2 years ago

labtest06 commented 2 years ago

Description

The malware bazaar integration shows some errors while downloading the new additions.

Environment

  1. OS (where OpenCTI server runs): Ubuntu
  2. OpenCTI version: 5.1.3

Reproducible Steps

Enable the malware bazaar connector; the below error gets logged:

INFO:root:Processing: {'sha256_hash': '93a23e10c740e6728c6e4b94062389b80876b69e3e005c54fefe6a74102c4132', 'sha3_384_hash': '2763ee52f47eee2565788381d847fb421598c771a67a8804c011bc4f1d8c0d7f2fb6ed437358376e07c61e41a68ec911', 'sha1_hash': 'ebc963319161f46fb1d49a5652e6310a56be45e9', 'md5_hash': '9a808944a4b050dd37748c238f63e88f', 'first_seen': '2022-02-02 16:15:05', 'last_seen': None, 'file_name': '2022-2-3-9a808944a4b050dd37748c238f63e88f.bin', 'file_size': 70572, 'file_type_mime': 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'file_type': 'xlsx', 'reporter': 'Cryptolaemus1', 'origin_country': 'FR', 'anonymous': 0, 'signature': None, 'imphash': None, 'tlsh': 'T1A963BE2C9331944ED29F9939D1780BD31B7B4340D28B2679F015F6CA1BA3392378AD9D', 'telfhash': None, 'ssdeep': '1536:fkrrXjBNXcQJ7daX5Ie48VAC4JdUxVVGCp:fkHjBNJ7dapIH8GCqd4yc', 'dhash_icon': None, 'tags': ['doc', 'Emotet', 'epoch5', 'xlsx'], 'code_sign': [], 'intelligence': {'clamav': None, 'downloads': '24', 'uploads': '1', 'mail': None}}

INFO:root:Listing StixCyberObservables with filters [{"key": "hashes_SHA256", "values": ["93a23e10c740e6728c6e4b94062389b80876b69e3e005c54fefe6a74102c4132"]}].

INFO:root:Creating Stix-Cyber-Observable {artifact}} with indicator at False.

INFO:root:Creating External Reference {MalwareBazaar Recent Additions}.

INFO:root:Reading StixCyberObservable {fb08333f-b185-4045-a823-fc9829e4ea6a}.

INFO:root:Adding External-Reference {1e638a5a-5bc1-4ba6-ac85-9b36deda0a48} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {f4bc4b8e-bd1e-4b1d-8bd4-464ad3e0ec98} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {b6d9068e-5c12-4e78-b8e6-67c92072334d} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {0f7ae074-03e7-43e8-922e-8fae7bebea58} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {0ef291fb-a6f5-4d05-89b6-c240d7fdca0c} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Adding label {a3ed5122-719a-46fb-9353-01b2c4d2e9ba} to Stix-Cyber-Observable {fb08333f-b185-4045-a823-fc9829e4ea6a}

INFO:root:Processing: {'sha256_hash': 'ea8682b7592508b8050b5a23f345bf932fe18b43cec27537b97ec8f16ba70540', 'sha3_384_hash': 'f9019c6c568b7ab928ec43313a5513d7203a49ad1a01988551c9f59f7537015d19a67b92e3f0ae3aca536f880a9a366b', 'sha1_hash': '01f9f83dcff81a257ca823849c8197a3aed95d13', 'md5_hash': '7d0103c1ba70c1660f898bd6cbf3b830', 'first_seen': '2022-02-02 16:14:31', 'last_seen': None, 'file_name': '2022-2-3-7d0103c1ba70c1660f898bd6cbf3b830.bin', 'file_size': 70594, 'file_type_mime': 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'file_type': 'xlsx', 'reporter': 'Cryptolaemus1', 'origin_country': 'FR', 'anonymous': 0, 'signature': None, 'imphash': None, 'tlsh': 'T1B563CE2D9331944EC19F9939D1780BD31B7B4340D28B267AF015F6DA1AB3391378ADAD', 'telfhash': None, 'ssdeep': '1536:hCkrrXjpFcQJ7daX5Ie48VAC4JdUxVVG9z:hCkHjpFJ7dapIH8GCqd4yd', 'dhash_icon': None, 'tags': ['doc', 'Emotet', 'epoch5', 'xlsx'], 'code_sign': [], 'intelligence': {'clamav': None, 'downloads': '21', 'uploads': '1', 'mail': None}}

INFO:root:Listing StixCyberObservables with filters [{"key": "hashes_SHA256", "values": ["ea8682b7592508b8050b5a23f345bf932fe18b43cec27537b97ec8f16ba70540"]}].

**ERROR:root:File is not a zip file

an integer is required (got type str)**

nor3th commented 2 years ago

Hey @labtest06

Thank you for raising this issue. It seems to me that the malware bazaar API responds with something else than a ZIP file here https://github.com/OpenCTI-Platform/connectors/blob/568d9263132a32cef1ebe77c968d9fcca61a8b56/external-import/malwarebazaar-recent-additions/src/malwarebazaar-recent-additions.py#L126

I did a manual check with wget --post-data "query=get_file&sha256_hash=ea8682b7592508b8050b5a23f345bf932fe18b43cec27537b97ec8f16ba70540" https://mb-api.abuse.ch/api/v1/ verifying that the reply is a ZIP file. Since the connector code doesn't do any error checking before extracting the zip file, it is possible that the reply was a temporary 503 and hence the connector didn't receive the ZIP file. Running the connector again for the selected time period might do the trick (or better error handling on the connector's side...).

Regards
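The checks nor3th describes as missing, written out as an added example; this is not code from the thread or from the connector itself. Only the API URL and the `query=get_file&sha256_hash=...` POST form come from the thread. The `post` callable standing in for the HTTP client, the `Response` dataclass, the `FakeMalwareBazaar` test double, `make_zip` and `run_demo` are all constructed here so the block runs offline; the fake server first answers 503 and then a ZIP, which is exactly the sequence the unchecked connector mishandles.

```python
import hashlib
import io
import time
import zipfile
from dataclasses import dataclass
from typing import Callable, Dict

MB_API_URL = "https://mb-api.abuse.ch/api/v1/"  # from the thread


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus raw body (constructed)."""
    status_code: int
    content: bytes


class NotAZipError(Exception):
    """Body was not a ZIP archive (JSON error, HTML 503 page, ...)."""


class HashMismatchError(Exception):
    """Extracted member does not hash to the SHA-256 that was requested."""


def fetch_sample(sha256: str, post: Callable[[str, Dict[str, str]], Response],
                 retries: int = 3, backoff: float = 0.0) -> bytes:
    """Download one sample by SHA-256 and return its bytes.

    The three checks the connector in the thread skips before calling ZipFile:
      1. retry on 5xx instead of feeding an error page to the ZIP parser,
      2. refuse any body that is not a ZIP archive,
      3. verify the extracted member hashes to the SHA-256 we asked for.
    """
    last_status = None
    for attempt in range(retries):
        resp = post(MB_API_URL, {"query": "get_file", "sha256_hash": sha256})
        if resp.status_code >= 500:  # transient server error: back off and retry
            last_status = resp.status_code
            time.sleep(backoff * (2 ** attempt))
            continue
        if resp.status_code != 200:
            raise RuntimeError(f"HTTP {resp.status_code} fetching {sha256}")
        body = resp.content
        if not zipfile.is_zipfile(io.BytesIO(body)):  # e.g. JSON for an unknown hash
            raise NotAZipError(body[:80].decode("utf-8", "replace"))
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                raise NotAZipError(f"expected exactly one member, got {names}")
            # Real MalwareBazaar archives are AES-encrypted (password "infected") and
            # need pyzipper; the constructed archive below is plain, so stdlib suffices.
            data = zf.read(names[0])
        digest = hashlib.sha256(data).hexdigest()
        if digest != sha256.lower():
            raise HashMismatchError(f"got {digest}, wanted {sha256}")
        return data
    raise RuntimeError(f"gave up after {retries} attempts (last status {last_status})")


# ---- constructed test double, not the real API ----------------------------------
SAMPLE = b"constructed dummy payload, not malware"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def make_zip(member_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


class FakeMalwareBazaar:
    """Answers 503 for the first `flaky` calls, then a ZIP for SAMPLE_SHA256
    (optionally with tampered contents) and a JSON error for anything else."""

    def __init__(self, flaky: int = 0, tampered: bool = False):
        self.flaky, self.tampered, self.calls = flaky, tampered, 0

    def __call__(self, url: str, data: Dict[str, str]) -> Response:
        self.calls += 1
        if self.calls <= self.flaky:
            return Response(503, b"<html>Service Unavailable</html>")
        if data["sha256_hash"] == SAMPLE_SHA256:
            payload = b"something else" if self.tampered else SAMPLE
            return Response(200, make_zip(SAMPLE_SHA256, payload))
        return Response(200, b'{"query_status": "file_not_found"}')


def _raises(exc, fn) -> bool:
    try:
        fn()
    except exc:
        return True
    return False


def run_demo() -> Dict[str, bool]:
    """Exercise the paths the unchecked connector mishandles."""
    return {
        "ok_after_503": fetch_sample(SAMPLE_SHA256, FakeMalwareBazaar(flaky=1)) == SAMPLE,
        "json_rejected": _raises(NotAZipError, lambda: fetch_sample("0" * 64, FakeMalwareBazaar())),
        "tamper_rejected": _raises(HashMismatchError,
                                   lambda: fetch_sample(SAMPLE_SHA256, FakeMalwareBazaar(tampered=True))),
        "gave_up": _raises(RuntimeError, lambda: fetch_sample(SAMPLE_SHA256, FakeMalwareBazaar(flaky=5))),
    }
```

The hash re-check after extraction is cheap and catches a truncated or wrong archive before the sample is attached as an Artifact; the ZIP magic check is what turns the opaque "File is not a zip file" traceback into a message that shows the first bytes of what the API actually returned.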

SamuelHassine commented 2 years ago

Hello @nor3th,

Can you please try something to work around this one?

Thanks a lot.

Kind regards, Samuel