Download samples from Malware Bazaar based on tag.
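#!/usr/bin/env bash
# Bash script to download Malware Bazaar samples based on tag.
#
# Flow: query the tag endpoint for up to DOWNLOAD_LIMIT SHA256 hashes, fetch
# each sample archive by hash, extract it with the archive password, then
# remove the archive and the hash list.  Extracted samples are left in the
# current working directory, so run this from a dedicated directory.
#
# Globals (override via the environment or edit the defaults):
#   TAG            - Malware Bazaar tag to query (edit the placeholder default)
#   DOWNLOAD_LIMIT - maximum number of hashes to request
set -euo pipefail

# Define tag and number of samples to download
TAG=${TAG:-insert-malware-bazaar-tag}
DOWNLOAD_LIMIT=${DOWNLOAD_LIMIT:-100}
readonly API_URL=https://mb-api.abuse.ch/api/v1/
readonly ARCHIVE_PASSWORD=infected
readonly HASH_FILE="${TAG}.hash"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail early on a missing tool, the unedited placeholder tag or a bad limit
# instead of after the API round trip.
command -v 7z >/dev/null || die "7z is required but not installed"
[[ "$TAG" != insert-malware-bazaar-tag ]] || die "set TAG to a Malware Bazaar tag"
[[ "$DOWNLOAD_LIMIT" =~ ^[0-9]+$ ]] || die "DOWNLOAD_LIMIT must be a number: ${DOWNLOAD_LIMIT}"

# Download hash values from tag, save the SHA256 hashes.
# The hashes are pulled out of the JSON response with a strict 64-hex-char
# match.  This replaces the OS-specific sed cleanup of quotes and commas and
# guarantees that only well-formed hashes reach the loop below: each hash is
# later used as a local filename, so nothing else from the response may get
# through.
# -f treats HTTP errors as failures, -sS is quiet except for errors, and
# --data-urlencode keeps a tag containing '&', '=' or spaces from being
# misread as extra form fields.
# NOTE(review): if the API requires an authentication header, pass it from an
# environment variable (curl -H "Auth-Key: ${MB_AUTH_KEY}") rather than
# hardcoding it — confirm against the current API documentation.
curl -sSf -XPOST -d query=get_taginfo --data-urlencode "tag=${TAG}" \
  -d "limit=${DOWNLOAD_LIMIT}" "$API_URL" \
  | grep -oE '"sha256_hash": *"[0-9a-fA-F]{64}"' \
  | grep -oE '[0-9a-fA-F]{64}' > "$HASH_FILE" \
  || die "no sha256 hashes returned for tag ${TAG}"

# Download, unarchive and remove each sample archive using its hash.
# The list is read on fd 3 rather than stdin so that 7z cannot consume the
# remaining hashes if it ever prompts; -y additionally suppresses its
# interactive overwrite questions.  A failure on one sample is reported and
# skipped rather than aborting the whole run.
while IFS= read -r h <&3; do
  # The hash file is local, but re-check anyway before using it as a filename.
  [[ "$h" =~ ^[0-9a-fA-F]{64}$ ]] || continue
  if ! curl -sSf -XPOST -d query=get_file -d "sha256_hash=${h}" -o "$h" "$API_URL"; then
    printf 'warn: download failed for %s\n' "$h" >&2
    rm -f -- "$h"
    continue
  fi
  # Unarchive the malware sample (archives are password protected)
  7z e -y "$h" -p"$ARCHIVE_PASSWORD" \
    || printf 'warn: extraction failed for %s\n' "$h" >&2
  # Clean up the compressed archive; the extracted sample stays
  rm -f -- "$h"
done 3< "$HASH_FILE"

# Clean up the hash list
rm -f -- "$HASH_FILE"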
If you wanted to ONLY get .bat files, you could use the file_type API endpoint instead of the tag API endpoint.
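#!/usr/bin/env bash
# Bash script to download Malware Bazaar samples based on file type.
#
# Flow: query the file_type endpoint for up to DOWNLOAD_LIMIT SHA256 hashes,
# fetch each sample archive by hash, extract it with the archive password,
# then remove the archive and the hash list.  Extracted samples are left in
# the current working directory, so run this from a dedicated directory.
#
# Globals (override via the environment or edit the defaults):
#   TYPE           - Malware Bazaar file type to query (e.g. Bat)
#   DOWNLOAD_LIMIT - maximum number of hashes to request
set -euo pipefail

# Define file type and number of samples to download
TYPE=${TYPE:-Bat}
DOWNLOAD_LIMIT=${DOWNLOAD_LIMIT:-100}
readonly API_URL=https://mb-api.abuse.ch/api/v1/
readonly ARCHIVE_PASSWORD=infected
readonly HASH_FILE="${TYPE}.hash"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail early on a missing tool, an empty type or a bad limit instead of
# after the API round trip.
command -v 7zz >/dev/null || die "7zz is required but not installed"
[[ -n "$TYPE" ]] || die "set TYPE to a Malware Bazaar file type"
[[ "$DOWNLOAD_LIMIT" =~ ^[0-9]+$ ]] || die "DOWNLOAD_LIMIT must be a number: ${DOWNLOAD_LIMIT}"

# Download hash values for the file type, save the SHA256 hashes.
# The hashes are pulled out of the JSON response with a strict 64-hex-char
# match.  This replaces the OS-specific sed cleanup of quotes and commas and
# guarantees that only well-formed hashes reach the loop below: each hash is
# later used as a local filename, so nothing else from the response may get
# through.
# -f treats HTTP errors as failures, -sS is quiet except for errors, and
# --data-urlencode keeps a type containing '&', '=' or spaces from being
# misread as extra form fields.
# NOTE(review): if the API requires an authentication header, pass it from an
# environment variable (curl -H "Auth-Key: ${MB_AUTH_KEY}") rather than
# hardcoding it — confirm against the current API documentation.
curl -sSf -XPOST -d query=get_file_type --data-urlencode "file_type=${TYPE}" \
  -d "limit=${DOWNLOAD_LIMIT}" "$API_URL" \
  | grep -oE '"sha256_hash": *"[0-9a-fA-F]{64}"' \
  | grep -oE '[0-9a-fA-F]{64}' > "$HASH_FILE" \
  || die "no sha256 hashes returned for file type ${TYPE}"

# Download, unarchive and remove each sample archive using its hash.
# The list is read on fd 3 rather than stdin so that 7zz cannot consume the
# remaining hashes if it ever prompts; -y additionally suppresses its
# interactive overwrite questions.  A failure on one sample is reported and
# skipped rather than aborting the whole run.
while IFS= read -r h <&3; do
  # The hash file is local, but re-check anyway before using it as a filename.
  [[ "$h" =~ ^[0-9a-fA-F]{64}$ ]] || continue
  if ! curl -sSf -XPOST -d query=get_file -d "sha256_hash=${h}" -o "$h" "$API_URL"; then
    printf 'warn: download failed for %s\n' "$h" >&2
    rm -f -- "$h"
    continue
  fi
  # Unarchive the malware sample (archives are password protected)
  7zz e -y "$h" -p"$ARCHIVE_PASSWORD" \
    || printf 'warn: extraction failed for %s\n' "$h" >&2
  # Clean up the compressed archive; the extracted sample stays
  rm -f -- "$h"
done 3< "$HASH_FILE"

# Clean up the hash list
rm -f -- "$HASH_FILE"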
I had problems getting this script to work, but I just modified the two "sed" lines, and now it works perfectly 👍
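# Strip the JSON commas and quotes left around each hash, in place.
# Quoted so a TAG with spaces cannot split the filename.  The bare -i is
# GNU sed syntax; BSD/macOS sed needs -i '' (or -i.bak) instead.
sed -i 's/[",]//g' "${TAG}.raw"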
How do I download .bat files?