from OTXv2 import OTXv2
# API key for the demo user api_example (a shared account; swap in your own key)
# Pulses will appear at https://otx.alienvault.com/user/api_example/pulses
otx = OTXv2("766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad")
name = 'Test Pulse'
# Indicators in the form the pulse API expects: the value plus its OTX type name
indicators = [
{'indicator': '69.73.130.198', 'type': 'IPv4'},
{'indicator': 'aoldaily.com', 'type': 'Domain'}
]
# Submit the pulse; create_pulse takes the pulse fields as keyword arguments
response = otx.create_pulse(name=name, public=True, indicators=indicators, tags=[], references=[])
print(response)
= Examples of how OTX API calls relate different indicator types =
Official documentation is available at https://otx.alienvault.com/api but may be missing a couple of the newer calls.
These are some unofficial notes.
The API key used in these notes belongs to a dummy demo account (api_example). It should work, but I would suggest using your own.
Some of the JSON responses are quite nested, and an editor such as http://jsoneditoronline.org/ may be useful.
== Input: Hostname / Domain ==
The following calls can be made for both domains and hostnames, i.e. you can swap 'hostname' for 'domain' in the URL paths below.
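An added example (not part of the original notes) showing how a hostname/domain lookup feeds indicators of other types: it builds the v1 section URL with the indicator type swapped in, and maps a passive_dns answer to pulse-style indicator dicts. The response shape and the section list are assumptions from the v1 API as I know it; the sample answer is constructed from documentation addresses, not real OTX data.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import quote

OTX_BASE = "https://otx.alienvault.com/api/v1/indicators"
# Sections accepted under both /hostname/ and /domain/ (assumed set)
SECTIONS = ("general", "geo", "malware", "url_list", "passive_dns", "whois")


def section_url(indicator_type, indicator, section):
    """Build the v1 URL for one section of a hostname or domain indicator."""
    if indicator_type not in ("hostname", "domain"):
        raise ValueError("helper covers hostname/domain lookups only: %r" % indicator_type)
    if section not in SECTIONS:
        raise ValueError("unknown section %r" % section)
    # quote() stops a '/' or '?' inside the indicator from rewriting the path
    return "%s/%s/%s/%s" % (OTX_BASE, indicator_type, quote(indicator, safe=""), section)


def fetch_section(api_key, indicator_type, indicator, section):
    """Network call (not exercised offline); OTX authenticates via X-OTX-API-KEY."""
    req = urllib.request.Request(section_url(indicator_type, indicator, section),
                                 headers={"X-OTX-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def related_indicators(passive_dns_json, queried):
    """Map a passive_dns answer to pulse-style indicators of other types.

    Assumed shape: {"passive_dns": [{"address": ..., "hostname": ...,
    "record_type": ...}, ...]}. Addresses become IPv4/IPv6 indicators, any
    hostname other than the queried one becomes a hostname indicator, and
    duplicates are dropped while keeping first-seen order.
    """
    found = {}  # (indicator, type) -> None; dict preserves insertion order
    for rec in passive_dns_json.get("passive_dns", []):
        addr = rec.get("address") or ""
        try:
            ip = ipaddress.ip_address(addr)
            found.setdefault((str(ip), "IPv4" if ip.version == 4 else "IPv6"), None)
        except ValueError:
            pass  # CNAME-style records carry a name in 'address'; not an IP indicator
        host = rec.get("hostname") or ""
        if host and host != queried:
            found.setdefault((host, "hostname"), None)
    return [{"indicator": i, "type": t} for (i, t) in found]


# Constructed sample answer (TEST-NET and documentation addresses, not real OTX data)
SAMPLE_PASSIVE_DNS = json.loads("""
{"count": 4, "passive_dns": [
 {"address": "192.0.2.10",  "hostname": "example.com",     "record_type": "A",    "first": "2018-01-01T00:00:00", "last": "2018-03-01T00:00:00"},
 {"address": "2001:db8::1", "hostname": "example.com",     "record_type": "AAAA", "first": "2018-01-01T00:00:00", "last": "2018-03-01T00:00:00"},
 {"address": "192.0.2.10",  "hostname": "www.example.com", "record_type": "A",    "first": "2018-02-01T00:00:00", "last": "2018-03-01T00:00:00"},
 {"address": "192.0.2.11",  "hostname": "example.com",     "record_type": "A",    "first": "2018-03-01T00:00:00", "last": "2018-04-01T00:00:00"}
]}
""")

if __name__ == "__main__":
    print(section_url("hostname", "www.example.com", "passive_dns"))
    for ind in related_indicators(SAMPLE_PASSIVE_DNS, "example.com"):
        print(ind)
```

The output of related_indicators is in the same dict layout the pulse-creation snippet above uses for its indicators list, so a passive_dns pivot can be pushed straight back into a pulse.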
@chrisdoman
chrisdoman / getBitly.py
Created December 26, 2017 14:59
Get stats on bitly urls
# Script to enumerate bit.ly data - suffers from strict rate limits
import requests, base62
# bit.ly hashes are base62 strings; the integer form lets us step through neighbouring hashes
#start = "1dstjX5"
start = 93340621247  # same value as base62.decode("1dstjX5")
def getUrl(url):
try:
r = requests.get(url)
return r
except requests.exceptions.RequestException as e:
# Rate limiting and connection errors end up here; the caller gets None
print("Request failed for %s: %s" % (url, e))
return None
@chrisdoman
chrisdoman / families.csv
Created March 8, 2018 17:11
Malware families in OTX
#Trojan:Win32/AgentBypass,92bc9fe6a053916317d1ea78aa342265e32c0c8e70f51e9af0028e6fcc7f917a|,Trojan.Win32.Demp.cxoswz|TrojanDropper.Demp.aao|Trojan[Dropper]/Win32.Injector|
:FileSizeLE10000,34575189df0d1e5a1c7f1d505cc6eb0c41ac9e8a7edcb72eae2298d25cb4e6f2|,Android.Shedun.E|Android.Trojan-Dropper.Shedun.b|Other:Android.Reputation.2|A.L.Rog.SexVideo.EI|Trojan.Android.MLW.ebzlbe|Android.DownLoader.329.origin|Trojan[Dropper]/Android.Shedun.v|Android-PUP/SmsPay.72a8b|a.gray.tatic|Trojan-Dropper.AndroidOS.Shedun|Android/Piom.JO!tr|Win32/Trojan.ecf|
Backdoor:MSIL/Lizarbot,fb3a52e70eedcc6cab0ddde2fe47b5729a6c96f83fecf0b06b3b8ee9942eef2f|40c95b2afb8d7e4e4252968d5234f24c71181c0252819d850694b4489a43ca28|c80d3e483e423b271a2fd7dc89ffa7612409f13ed66dc3faa5b40d0bcf725f72|177cd95dcc500338d433455461d8ce0a2c159657a287baae01de8ffc77155291|,Backdoor.Lizarbot.FC.2716|Backdoor.IRCBot|BKDR_LIZARBOT.SMVJ18|Win32.Trojan.WisdomEyes.16070401.9500.9998|W32/Trojan.QJOG-5659|Backdoor.IRC.Bot|BKDR_LIZARBOT.SMVJ18|Win.Trojan.Lizarbot-1|MSIL.T
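An added example (not part of the gist) of parsing the families.csv layout visible above. The column semantics are my inference from the rows shown: family name, then a pipe-separated SHA-256 list ending in "|", then a pipe-separated list of vendor detection names; the sample rows are constructed, not taken from the file.

```python
import re

SHA256 = re.compile(r"^[0-9a-f]{64}$")


def parse_family_line(line):
    """Parse one families.csv row (layout inferred from the visible rows):
    family,<sha256>|<sha256>|...|,<av name>|<av name>|...|
    The trailing '|' leaves an empty last element, so empties are dropped;
    hashes are lower-cased and anything that is not 64 hex chars is rejected
    rather than becoming a lookup key."""
    parts = line.rstrip("\r\n").split(",", 2)
    if len(parts) != 3:
        raise ValueError("expected 3 comma-separated fields: %r" % line[:60])
    family, hash_field, name_field = parts
    hashes, bad = [], []
    for h in hash_field.split("|"):
        h = h.strip().lower()
        if not h:
            continue
        (hashes if SHA256.match(h) else bad).append(h)
    if bad:
        raise ValueError("non-SHA-256 value in hash field: %r" % bad[0])
    names = [n.strip() for n in name_field.split("|") if n.strip()]
    return family.strip(), hashes, names


def hash_index(lines):
    """Map sha256 -> set of family names, so a sample hash can be looked up directly.
    A set is used because the same hash can be listed under more than one family."""
    index = {}
    for line in lines:
        if not line.strip():
            continue
        family, hashes, _names = parse_family_line(line)
        for h in hashes:
            index.setdefault(h, set()).add(family)
    return index


# Constructed rows in the same layout (fake hashes; not real samples)
SAMPLE_LINES = [
    "Backdoor:MSIL/ExampleBot," + ("ab" * 32) + "|" + ("cd" * 32)
    + "|,Backdoor.ExampleBot.A|BKDR_EXAMPLE.SM|W32/Trojan.EXMP-0001|",
    "Trojan:Win32/ExampleDropper," + ("cd" * 32)
    + "|,Trojan.Win32.Example.a|TrojanDropper.Example.b|",
]

if __name__ == "__main__":
    for h, fams in hash_index(SAMPLE_LINES).items():
        print(h, sorted(fams))
```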
# -*- coding: utf-8 -*-
# Script to convert openioc to csv
# Forked from PyMisp
import os
try:
from bs4 import BeautifulSoup
has_bs4 = True
except ImportError:
# bs4 is optional; the flag lets the rest of the script choose another parser
has_bs4 = False
@chrisdoman
chrisdoman / getReports.py
Last active August 6, 2018 14:46
Quick example to pull reports from OTX with tagged Adversaries (i.e. probably APT)
'''
Quick example to pull reports with tagged Adversaries (i.e. probably APT)
'''
from OTXv2 import OTXv2, IndicatorTypes
# This is the API key for the user "api_example" (a shared demo account; use your own)
otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad')
# getall() pages through every pulse the key can see and returns a list of pulse dicts
pulses = otx.getall()
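An added example (not the gist's code) of the reduction step that turns the pulse list into rows with the title,reference,created header used by Reports.csv. The pulse keys ('name', 'adversary', 'references', 'created') are assumed from the OTX pulse JSON, and the sample pulses are constructed, not pulled from OTX.

```python
import csv
import io


def adversary_reports(pulses):
    """Reduce OTX pulse dicts to (title, reference, created) rows for pulses that
    carry an adversary tag. Assumed pulse keys (as returned by OTXv2.getall()):
    'name', 'adversary', 'references' (list of URLs), 'created' (ISO timestamp).
    One row per reference; a pulse without references keeps one row with an empty
    reference so the report is not silently lost; duplicate rows are dropped."""
    rows, seen = [], set()
    for pulse in pulses:
        adversary = (pulse.get("adversary") or "").strip()
        if not adversary:
            continue  # untagged pulse: not an attributed (APT-style) report
        title = (pulse.get("name") or "").strip()
        created = (pulse.get("created") or "")[:10]  # keep the YYYY-MM-DD part only
        for ref in (pulse.get("references") or [""]):
            row = (title, ref.strip(), created)
            if row not in seen:
                seen.add(row)
                rows.append(row)
    return rows


def to_csv(rows):
    """Render rows under the Reports.csv header; csv.writer handles quoting."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(("title", "reference", "created"))
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample pulses (shape assumed from the OTX pulse JSON; not real data)
SAMPLE_PULSES = [
    {"name": "Example Report A", "adversary": "Example Group",
     "references": ["https://example.com/report-a"], "created": "2018-08-06T09:12:33.000000"},
    {"name": "Untagged commodity malware", "adversary": "",
     "references": ["https://example.com/untagged"], "created": "2018-08-05T10:00:00.000000"},
    {"name": "Campaign X, part 2", "adversary": "Example Group",
     "references": ["https://example.com/x-2", "https://example.org/mirror/x-2"],
     "created": "2018-07-18T08:00:00.000000"},
    {"name": "Report without a link", "adversary": "Other Group",
     "references": [], "created": "2018-07-11T00:00:00.000000"},
]

if __name__ == "__main__":
    print(to_csv(adversary_reports(SAMPLE_PULSES)), end="")
```

With a live key, the list returned by otx.getall() in the snippet above is what adversary_reports() consumes; titles containing commas are quoted by the csv module, which is what keeps the file readable as three columns.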
@chrisdoman
chrisdoman / Reports.csv
Last active April 18, 2024 10:48
Example APT Reports Pulled from OTX
title,reference,created
Continued PassCV Malware,https://drive.google.com/file/d/1pzZT7Stig6i8hTqjxUUgxDSmGEJ7W9ak/view,2018-08-06
Blackgear Cyberespionage Campaign Resurfaces Abuses Social Media for C and C Communication,https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/,2018-07-18
Golden Rat long-term espionage campaign in Syria is still ongoing,http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf,2018-07-23
Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally,https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html,2018-07-11
Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign,https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/,2018-07-09
NavRAT Uses US-North Korea Summit As Decoy
@chrisdoman
chrisdoman / malware.rules
Created October 1, 2018 19:20
Autogenerated Rules
/*
Yara rules to identify malware families, made by Yabin
Auto-generated - plenty of these rules won't work as they rely on looking for compiled code
*/
rule BackdoorAndroidOSCoca_51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 {
strings:
'''
Gets possible Great Cannon injections from UrlScan
'''
import requests
import json
# Insert your urlscan API Key (urlscan expects it in the 'API-Key' request header)
api_key = ''
@chrisdoman
chrisdoman / cannon_samples.js
Created September 2, 2019 17:22
Samples from the Great Cannon
var _a="(,& vXh)C;sf<H8O1J|iRY9dj?G%m4}n_M'pQZkFyaEP=Ko2/\\x]!cquSV.57B^lW*Utr{z+N-ADg>[we0b\"I6:TL3",_b="^JL,qMP(*IjReDE<xiQYo{tp>8!-[W&hOcbv12Fn\".%4Ks=5 Z]Cl'uXfAHrdGaN/9}zg\\+U6|kSV:;wmyB7T)_03?",_c="DjOx.}S=Q's_\"I:]c[E(g/JG)k!2yY,zBV4>PFu9rp;N1i<%ZUM*?0K5^nX 8td{LAmH6hbolv&\\a7-ReCq|fw+3TW";eval(function(_,b,a,c,n,r){if(n=function(_){return(_<62?"":n(parseInt(_/62)))+((_%=62)>35?String[_a[11]+_c[40]+_b[20]+_c[66]+_b[51]+_a[6]+_b[62]+_c[40]+_b[51]+_b[20]+_c[62]+_b[12]](_+29):_[_c[61]+_c[71]+_a[56]+_c[61]+_a[68]+_a[19]+_c[57]+_b[68]](36))},0==_a[81][_a[68]+_b[12]+_b[23]+_b[52]+_b[62]+_a[53]+_c[80]](0,n)){for(;a--;)r[n(a)]=c[a];c=[function(_){return r[_]||_}],n=function(){return _c[17]+_c[27]+_b[27]+_a[22]+_a[82]+_b[33]+_c[80]+_a[73]+_a[10]+_a[55]+_c[78]+_a[70]+_a[74]+_c[78]+_a[37]+_c[15]},a=1}for(;a--;)c[a]&&(_=_[_c[40]+_a[80]+_b[23]+_b[52]+_b[62]+_a[53]+_b[12]](new RegExp(_a[49]+_a[82]+n(a)+(_b[69]+_a[82]),_a[76]),c[a]));return _}(_c[27]+_c[59]+_b[84]+_c[65]+_b[75]+_a[45]+_b[9]+_c[0]+_a[44]+_a[89]+_b[88]
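An added example (not part of the gist) for reading the sample above: the script hides every string as a chain of single-character lookups into the three alphabets _a, _b and _c, so a short resolver that evaluates those chains recovers the method names ("fromCharCode", "toString", "replace") and the regex class the unpacker uses. The alphabets are copied verbatim from the sample; the excerpt fed to it is a constructed fragment of that same string-building code, not the full payload.

```python
import json
import re

# The three lookup alphabets from cannon_samples.js, copied verbatim (same escapes
# as the JS source: \\ is one backslash, \" is one double quote).
ALPHABETS = {
    "a": "(,& vXh)C;sf<H8O1J|iRY9dj?G%m4}n_M'pQZkFyaEP=Ko2/\\x]!cquSV.57B^lW*Utr{z+N-ADg>[we0b\"I6:TL3",
    "b": "^JL,qMP(*IjReDE<xiQYo{tp>8!-[W&hOcbv12Fn\".%4Ks=5 Z]Cl'uXfAHrdGaN/9}zg\\+U6|kSV:;wmyB7T)_03?",
    "c": "DjOx.}S=Q's_\"I:]c[E(g/JG)k!2yY,zBV4>PFu9rp;N1i<%ZUM*?0K5^nX 8td{LAmH6hbolv&\\a7-ReCq|fw+3TW",
}

LOOKUP = re.compile(r"_([abc])\[(\d+)\]")
# A maximal run of lookups joined with '+' is one obfuscated string literal
RUN = re.compile(r"_[abc]\[\d+\](?:\+_[abc]\[\d+\])*")


def resolve(expr):
    """Turn '_a[11]+_c[40]+...' into the string it evaluates to."""
    out = []
    for table, idx in LOOKUP.findall(expr):
        out.append(ALPHABETS[table][int(idx)])
    return "".join(out)


def deobfuscate(source):
    """Replace every lookup run in JS source with an equivalent quoted literal,
    so String[...](x) reads as String["fromCharCode"](x). json.dumps produces a
    JS-compatible literal, including escapes for backslashes and quotes."""
    return RUN.sub(lambda m: json.dumps(resolve(m.group(0))), source)


# Constructed excerpt of the sample's own string building (not the full payload)
EXCERPT = ("String[_a[11]+_c[40]+_b[20]+_c[66]+_b[51]+_a[6]+_b[62]+_c[40]+_b[51]+_b[20]+_c[62]+_b[12]](_+29)"
           ":_[_c[61]+_c[71]+_a[56]+_c[61]+_a[68]+_a[19]+_c[57]+_b[68]](36)")

if __name__ == "__main__":
    print(deobfuscate(EXCERPT))
```

Running deobfuscate over the whole sample is safe because it is pure text substitution; nothing in the script is executed, which is the property you want when the artefact comes from an injection campaign.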