• Stars
    star
    137
  • Rank 266,121 (Top 6 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created almost 7 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Minimal, consistent Python API for building integrations with malware sandboxes.

sandboxapi

Developed by InQuest Build Status Build Status (GitHub Workflow) Build Status - Dev (GitHub Workflow) Documentation Status Code Health Test Coverage PyPi Version

A minimal, consistent API for building integrations with malware sandboxes.

This library currently supports the following sandbox systems:

It provides at least the following methods for each sandbox:

  • is_available(): Check if the sandbox is operable and reachable; returns a boolean
  • analyze(handle, filename): Submit a file for analysis; returns an item_id
  • check(item_id): Check if analysis has completed for a file; returns a boolean
  • report(item_id, report_format='json'): Retrieve the report for a submitted file
  • score(report): Parse out and return an integer score from the report object

Some sandbox classes may have additional methods implemented. See inline documentation for more details.

Note that the value returned from the score method may be on the range 0-10, or 0-100, depending on the sandbox in question, so you should refer to the specific sandbox's documentation when interpreting this value.

Installation

Install through pip:

pip install sandboxapi

Supports Python 2.7+.

Usage

Basic usage is as follows:

import sys
import time
import pprint

from sandboxapi import cuckoo

# connect to the sandbox
sandbox = cuckoo.CuckooAPI('http://192.168.0.20:8090/')

# verify connectivity
if not sandbox.is_available():
    print("sandbox is down, exiting")
    sys.exit(1)

# submit a file
with open('myfile.exe', "rb") as handle:
    file_id = sandbox.analyze(handle, 'myfile.exe')
    print("file {f} submitted for analysis, id {i}".format(f=filename, i=file_id))

# wait for the analysis to complete
while not sandbox.check(file_id):
    print("not done yet, sleeping 10 seconds...")
    time.sleep(10)

# print the report
print("analysis complete. fetching report...")
report = sandbox.report(file_id)
pprint.pprint(report)
print("Score: {score}".format(score=sandbox.score(report)))

Since the library provides a consistent API, you can treat all sandoxes the same way:

import sys
import time
import pprint

from sandboxapi import cuckoo, fireeye, joe

# connect to the sandbox
sandboxes = [
    cuckoo.CuckooAPI('http://192.168.0.20:8090/'),
    fireeye.FireEyeAPI('myusername', 'mypassword', 'https://192.168.0.21', 'winxp-sp3'),
    joe.JoeAPI('mykey', 'https://jbxcloud.joesecurity.org/api', True)
]

for sandbox in sandboxes:
    # verify connectivity
    if not sandbox.is_available():
        print("sandbox is down, exiting")
        sys.exit(1)

    # submit a file
    with open('myfile.exe', "rb") as handle:
        file_id = sandbox.analyze(handle, 'myfile.exe')
        print("file {f} submitted for analysis, id {i}".format(f=filename, i=file_id))

    # wait for the analysis to complete
    while not sandbox.check(file_id):
        print("not done yet, sleeping 10 seconds...")
        time.sleep(10)

    # print the report
    print("analysis complete. fetching report...")
    report = sandbox.report(file_id)
    pprint.pprint(report)
    print("Score: {score}".format(score=sandbox.score(report)))

Cuckoo Sandbox

Constructor signature:

CuckooAPI(url, verify_ssl=False)

Example:

CuckooAPI('http://192.168.0.20:8090/')

This library attempts to support any Cuckoo-like API, including older 1.x installations (though those without a score won't be able to use the .score method), compatible forks like spender-sandbox and CAPE, and the latest 2.x Cuckoo releases. If you find a version that doesn't work, let us know.

There is an unofficial Cuckoo library written by @keithjjones with much more functionality. For more information on the Cuckoo API, see the Cuckoo API documentation.

FireEye AX

Constructor signature:

FireEyeAPI(username, password, url, profile, legacy_api=False, verify_ssl=True)

Example:

FireEyeAPI('myusername', 'mypassword', 'https://192.168.0.20', 'winxp-sp3')

By default, the FireEyeAPI class uses v1.2.0 of the FireEye API, which is available on v8.x FireEye AX series appliances. The v1.1.0 API, which is available on v7.x appliances, is also supported - just set legacy_api=True to use the older version.

There is some limited FireEye API documentation on their blog. For more information on FireEye's sandbox systems, see the AX Series product page. FireEye customers have access to more API documentation.

Joe Sandbox

Constructor signature:

JoeAPI(apikey, apiurl, accept_tac, timeout=None, verify_ssl=True, retries=3)

Example:

JoeAPI('mykey', 'https://jbxcloud.joesecurity.org/api', True)

There is an official Joe Sandbox library with much more functionality. This library is installed as a dependency of sandboxapi, and wrapped by the sandboxapi.joe.JoeSandbox class.

VMRay Analyzer

Constructor signature:

VMRayAPI(api_key, url='https://cloud.vmray.com', verify_ssl=True)

Example:

VMRayAPI('mykey')

VMRay customers have access to a Python library with much more functionality. Check your VMRay documentation for more details.

Falcon Sandbox

Constructor signature:

FalconAPI(key, url='https://www.reverse.it/api/v2', env=100)

Example:

FalconAPI('mykey')

This class only supports version 2.0+ of the Falcon API, which is available in version 8.0.0+ of the Falcon Sandbox.

There is an official Falcon library with much more functionality, that supports the current and older versions of the Falcon API. Note that the official library only supports Python 3.4+.

WildFire Sandbox

Constructor signature:

WildFireAPI(api_key, url='https://wildfire.paloaltonetworks.com/publicapi')

Example:

WildFireAPI('mykey')

Currently, only the WildFire cloud sandbox is supported and not the WildFire appliance.

OPSWAT Sandbox

Constructor signature:

OpswatAPI(apikey, profile, verify_ssl=True)

Example:

OpswatAPI(apikey, 'windows7')

OPSWAT sandbox on MetaDefender Cloud. Please create an account on OPSWAT portal to receive a free MetaDefender Cloud apikey.

More details in the OPSWAT API documentation.

Hatching Triage

Constructor signature:

TriageAPI(api_key, url='https://api.tria.ge', api_path='/v0')

Example:

TriageAPI("ApiKeyHere")

You're able to use this class with both the Triage public cloud and the private Triage instances. Look up the documentation for the right host and api path for your specific instance.

For more information on what is returned from the API you can look up the official Triage API documentation.

Notes

You may also be interested in malsub, a similar project with support for a number of online analysis services.

More Repositories

1

awesome-yara

A curated list of awesome YARA rules, tools, and people.
3,504
star
2

malware-samples

A collection of malware samples and relevant dissection information, most probably referenced from http://blog.inquest.net
ActionScript
882
star
3

ThreatIngestor

Extract and aggregate threat intelligence.
Python
823
star
4

iocextract

Defanged Indicator of Compromise (IOC) Extractor.
Python
498
star
5

yara-rules

A collection of YARA rules we wish to share with the world, most probably referenced from http://blog.inquest.net.
Python
363
star
6

omnibus

The OSINT Omnibus (beta release)
Python
327
star
7

ThreatKB

Knowledge base workflow management for YARA rules and C2 artifacts (IP, DNS, SSL) (ALPHA STATE AT THE MOMENT)
JavaScript
95
star
8

yara-rules-vt

Collection of YARA rules designed for usage through VirusTotal.com.
YARA
64
star
9

python-inquestlabs

A Pythonic interface and command line tool for interacting with the InQuest Labs API.
Python
34
star
10

microsoft-office-macro-clustering

Jupyter Notebook
17
star
11

labs-experiments

A collection of experiments overtop the InQuest Labs open data portal (https://labs.inquest.net).
Python
3
star
12

splunk-inquest

Splunk Addon for InQuest.
Python
3
star
13

iqui-icons

2
star
14

iqui-ngx

Angular CDK based, Bootstrap styled components library
TypeScript
2
star
15

python-threatkb

Python library and command-line tool for InQuest ThreatKB. (pre-release)
Python
2
star
16

iq-cli

InQuest Platform v3 CLI and Python Library
Python
1
star
17

ipython-notebooks

A collection of iPython notebooks probably referenced from https://inquest.net/blog
Jupyter Notebook
1
star
18

RFIQ-Card

Recorded Future InQuest Labs Integration
Python
1
star