API: Malware Research
These methods are here to allow trusted partners to query information about malware, networks, and trusted programs.
The following are enabled with research group access:
- research/asn
- research/malware-download
- research/malware-info
- research/tagging
- research/tagging-source
- research/trusted-program
The following require additional group membership:
- research/cidr-to-range
- research/geo-asn
- research/gethostbyaddr
- research/gethostbyname
- research/location
- research/malware-domain
- research/regex-query
- research/reverse-ip
- research/rpz-export
- research/rule-query
- research/rule-download
- research/sandbox-dns-anomaly
- research/site-ranking
- research/site-ranking-export
- research/tno-export
- research/whois
- research/whois-record
research/malware-info
Returns a JSON response containing static details about the requested sample as well as antivirus vendor and signature details.
Fields:
apikey : string : your api key
sample : string : MD5, SHA1, SHA256, and SHA512 hash
Response:
JSON object
Sample query:
freed0@pit:~$ ./call-api.py research/malware-info '{"sample":"dfe1832e02888422f48d6896dc8e8f73"}' pretty
Up to 1,000 samples can be queried in a single call:
freed0@pit:~$ ./call-api.py research/malware-info '{"sample":["dfe1832e02888422f48d6896dc8e8f73","d41d8cd98f00b204e9800998ecf8427e"]}' pretty
Example:
freed0@pit:~$ ./call-api.py research/malware-info '{"sample":"dfe1832e02888422f48d6896dc8e8f73"}' pretty
[
{
"sha1": "c56ba498d41caa7be3c1eb5588cec27c413eb208",
"last_seen": "2016-08-25 02:44:39",
"tlsh": "c1b52a5273fa0254f2f35f75a8b7a3944939fea11d22e08e1164314d88b6f808e75bb7",
"sha256": "d8d395f8744335fba53b0a4308e7b380a0aca86bfc8939ded9f4c8c5cb1e838a",
"md5": "dfe1832e02888422f48d6896dc8e8f73",
"filesize": "2438340",
"magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
"first_seen": "2016-08-25 02:44:39",
"sha512": "7ca1fdfe537913b8854227efc1f11b00d405f2d21e416e7023c4ebed2bfa887d2bc4d4d553ce41667c99def47ea05e6ce4a773c4ee7173927f1d263e724c16c2",
"timestamp": "2016-08-25 02:44:39",
"anti_virus": [
{
"md5": "dfe1832e02888422f48d6896dc8e8f73",
"signature": "W32/Lamer.CQ",
"vendor": "Fortinet",
"timestamp": "2017-04-11 03:14:49Z"
},
{
"vendor": "Avast",
"signature": "Win32:Lamer-A",
"timestamp": "2018-07-05 00:01:07Z",
"md5": "dfe1832e02888422f48d6896dc8e8f73"
},
{
"md5": "dfe1832e02888422f48d6896dc8e8f73",
"timestamp": "2018-10-17 20:33:19Z",
"signature": "Win32/Zatoxp.C",
"vendor": "Eset"
},
{
"timestamp": "2016-08-25 07:45:52Z",
"signature": "Virus ( 004d554e1 )",
"vendor": "K7",
"md5": "dfe1832e02888422f48d6896dc8e8f73"
},
{
"md5": "dfe1832e02888422f48d6896dc8e8f73",
"signature": "PUA.Win.Packer.Purebasic-2",
"vendor": "Clam",
"timestamp": "2017-01-14 06:23:13Z"
}
],
"adobe_malware_classifier": "malicious",
"type": "exe",
"import_hash": "33f98db5bdb6a7013d52f0120248df35",
"entropic": "5.952427",
"pehash": "243c35935ecc9829f30b30c45839cbf6"
}
]
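The documented per-call limit of 1,000 samples and the four accepted digest types are easy to get wrong in a batch client, so here is an added helper (not part of the wiki or of call-api.py) that validates hashes, splits them into request bodies of at most 1,000, and summarises the anti_virus entries of a response; the sample response is a trimmed copy of the example above.

```python
"""Added example (not part of the Shadowserver wiki or call-api.py): validate
hashes for the sample field, split them into research/malware-info requests of
at most 1,000 samples each, and summarise the anti_virus entries of a response."""
import re
from collections import Counter

# Digest lengths (hex digits) accepted by the sample field: MD5, SHA1, SHA256, SHA512
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MAX_SAMPLES_PER_CALL = 1000  # documented per-call limit


def hash_kind(value):
    """Return 'md5', 'sha1', 'sha256' or 'sha512', or None for anything else."""
    if not HEX_RE.match(value):
        return None
    return HASH_LENGTHS.get(len(value))


def build_requests(samples):
    """Yield request bodies for research/malware-info, each with <= 1,000 valid,
    lower-cased, de-duplicated hashes. Strings that are not digests are dropped."""
    seen, ordered = set(), []
    for s in samples:
        h = s.strip().lower()
        if hash_kind(h) and h not in seen:
            seen.add(h)
            ordered.append(h)
    for i in range(0, len(ordered), MAX_SAMPLES_PER_CALL):
        yield {"sample": ordered[i:i + MAX_SAMPLES_PER_CALL]}


def summarise(response):
    """Per returned sample (keyed by md5): signature counts, vendors, classifier."""
    out = {}
    for entry in response:
        avs = entry.get("anti_virus", [])
        out[entry["md5"]] = {
            "signatures": Counter(av["signature"] for av in avs),
            "vendors": sorted({av["vendor"] for av in avs}),
            "classifier": entry.get("adobe_malware_classifier"),
        }
    return out


def unanswered(requested, response):
    """Requested hashes matching none of the digest fields of any returned entry,
    i.e. samples the service did not know about."""
    known = set()
    for entry in response:
        for key in ("md5", "sha1", "sha256", "sha512"):
            if entry.get(key):
                known.add(entry[key].lower())
    return [h for h in requested if h.lower() not in known]


# Constructed response, trimmed from the wiki's malware-info example above.
SAMPLE_RESPONSE = [{
    "md5": "dfe1832e02888422f48d6896dc8e8f73",
    "sha1": "c56ba498d41caa7be3c1eb5588cec27c413eb208",
    "adobe_malware_classifier": "malicious",
    "anti_virus": [
        {"vendor": "Fortinet", "signature": "W32/Lamer.CQ"},
        {"vendor": "Avast", "signature": "Win32:Lamer-A"},
        {"vendor": "Eset", "signature": "Win32/Zatoxp.C"},
    ],
}]
```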
research/malware-download
Downloads the requested binary.
Fields:
apikey : string : your api key
sample : string : hash
Response:
binary file contents
Example:
freed0@pit:~$ ./call-api.py research/malware-download '{"sample":"dfe1832e02888422f48d6896dc8e8f73"}' binary > /tmp/dfe1832e02888422f48d6896dc8e8f73
freed0@pit:~$ ls -la /tmp/dfe1832e02888422f48d6896dc8e8f73
-rw-rw-r-- 1 freed0 freed0 2438340 Mar 12 00:24 /tmp/dfe1832e02888422f48d6896dc8e8f73
research/asn
Query different aspects of ASN information.
Fields:
apikey : string : your api key
one of the following:
- query : integer : ASN
- peer : ip : IP address
- origin : integer : ASN
- prefix : integer : ASN
Response:
JSON object
Report back any information about the ASN
Example:
freed0@pit:~$ ./call-api.py research/asn '{"query":109}' pretty
{
"nic": "arin",
"asn": "109",
"date": "19870506",
"asname_long": "CISCOSYSTEMS",
"geo": "US",
"asname_short": "CISCOSYSTEMS"
}
Report back all the BGP peers for a specific CIDR
Example:
freed0@pit:~$ ./call-api.py research/asn '{ "peer": "8.8.8.8" }' pretty
[
{
"geo": "US",
"asn": "15169",
"prefix": "8.8.8.0/24",
"asname_long": "GOOGLE",
"asname_short": "GOOGLE",
"peer": "1101 6696 47605 51088"
}
]
Up to 1,000 items can be queried in one call:
freed0@pit:~$ ./call-api.py research/asn '{ "peer": [ "8.8.8.8", "8.8.4.4" ] }' pretty
Report back the originating ASN and ASN name for the specific CIDR.
Example:
freed0@pit:~$ ./call-api.py research/asn '{ "origin": "8.8.8.8" }' pretty
[
{
"geo": "US",
"prefix": "8.8.8.0/24",
"asn": "15169",
"asname_long": "GOOGLE",
"asname_short": "GOOGLE"
}
]
Up to 1,000 items can be queried in one call:
freed0@pit:~$ ./call-api.py research/asn '{ "origin": [ "8.8.8.8", "8.8.4.4" ] }' pretty
Given an ASN, report back all the routed CIDRs.
Example:
freed0@pit:~$ ./call-api.py research/asn '{ "prefix": 22414 }' pretty
[
"208.82.236.0/22"
]
research/geo-asn
Returns a list of ASNs by geographic registration.
Requires research and research_net group access.
Fields:
apikey : string : your api key
geo : string or list : country code
Response:
JSON list
Example request:
{ "apikey": "0123456789", "geo": "gb", "limit": 3 }
Example response:
[
{
"asname_long" : "Jisc Services Limited",
"geo" : "GB",
"asname_short" : "JANET",
"asn" : 786
},
{
"asname_long" : "T",
"geo" : "GB",
"asname_short" : "CELLNE",
"asn" : 2113
},
{
"asname_long" : "HP-EUROPE-AS-TRADE",
"geo" : "GB",
"asname_short" : "HP-EUROPE-AS-TRADE",
"asn" : 2129
}
]
research/location
Returns the geographic location details for an IP address.
Requires research and research_net group access.
Fields:
apikey : string : your api key
query : string : ip address
Response:
JSON object
Example request:
{ "apikey": "0123456789", "query": "8.8.8.8" }
Example response:
{"longitude":"-122.082","geo":"US","ip":"8.8.8.8","ip4":134744072,"naics":"516110","region":"CALIFORNIA","sic":"737418","asn_name":"GOOGLE INC.","asn":"15169","city":"MOUNTAIN VIEW","latitude":"37.3805"}
research/reverse-ip
Query the reverse IP DNS scan dataset.
Requires research and research_net group access.
Fields:
apikey : string : your api key
query : dictionary : search fields
Response:
JSON object
Example Request:
{ "apikey": "0123456789", "query": {"ip": "8.8.8.8"} }
Example Response:
[
{
"tld" : "google",
"domain" : "dns.google",
"timestamp" : "2021-02-04 10:38:57Z",
"ip" : "8.8.8.8",
"tag" : []
}
]
research/whois
Perform a WHOIS query.
Requires research and research_net group access.
Fields:
apikey : string : your api key
query : dictionary : search fields [ domain, nameserver, email, phone, fax, ip ]
sort : string : ascending | descending | none (default is descending)
date : string : date (YYYY-MM-DD) or range (YYYY-MM-DD:YYYY-MM-DD)
page : number : default is 1; used to obtain additional pages of results
limit : number : limit number of results (1 - 1000) default is 1000
Response:
array of up to 1,000 matching records
Example request data:
{ "apikey": "0123456789", "email": "*@google.com" }
Example response:
[{"domain":"togetherforgirls.org","revision":"2013-03-12 00:13:12"},{"domain":"apps-jp.com","revision":"2013-03-12 00:00:00"},{"domain":"attorneymaier.com","revision":"2013-03-12 00:00:00"},{"domain":"my-deja.net","revision":"2013-03-12 00:00:00"},{"domain":"videostitial.net","revision":"2013-03-12 00:00:00"},{"domain":"answers-google.com","revision":"2013-03-12 00:00:00"},{"domain":"calendargoogle.net","revision":"2013-03-12 00:00:00"},{"domain":"gserviceaccounts.com","revision":"2013-03-12 00:00:00"},{"domain":"sb-consulting.net","revision":"2013-03-12 00:00:00"},{"domain":"djflahko.com","revision":"2013-03-12 00:00:00"},{"domain":"google-server01.com","revision":"2013-03-12 00:00:00"},{"domain":"solarongrid.net","revision":"2013-03-12 00:00:00"},{"domain":"barbieoyunlari.net","revision":"2013-03-12 00:00:00"},{"domain":"answer-google.com","revision":"2013-03-12 00:00:00"},{"domain":"blancdenoirsilver.info","revision":"2013-03-11 22:18:56"},...]
research/whois-record
Obtain details of a specific WHOIS record.
Requires research and research_net group access.
Fields:
apikey : string : your api key
domain : string : domain name
timestamp : string : timestamp of record to return (optional)
Response:
whois record object
Example request data:
{ "apikey": "0123456789", "domain": "apple.com", "timestamp": "2013-11-27 09:36:25" }
Example response:
{
  "Domain": {
    "Status": "clientTransferProhibited",
    "Handle": "1225976_DOMAIN_COM-VRSN",
    "Name": "apple.com",
    "DatabaseUpdatedDate": "2013-11-27 04:36:25 -0500",
    "ExpiresDate": "2021-02-20 00:00:00 -0500",
    "UpdatedDate": "2013-11-27 04:36:25 -0500",
    "CreatedDate": "1987-02-19 00:00:00 -0500",
    "NameServer": ["nserver5.apple.com", "ADNS1.APPLE.COM", "nserver3.apple.com", "nserver4.apple.com", "ADNS2.APPLE.COM", "nserver2.apple.com", "nserver6.apple.com", "nserver.apple.com"]
  },
  "DatabaseUpdatedDate": "2013-11-27T09:36:25Z",
  "AdminContact": {
    "City": "Cupertino",
    "Fax": "+1.4089741560",
    "Name": "Domain Administrator",
    "CountryCode": "US",
    "Country": "US",
    "StateProvince": "CA",
    "Phone": "+1.4089961010",
    "Address": "1 Infinite Loop",
    "PostalCode": "95014",
    "Organization": "Apple Inc.",
    "Email": "[email protected]"
  },
  "ExpiresDate": "2021-02-20T05:00:00Z",
  "TechContact": {
    "City": "Cupertino",
    "Fax": "+1.4089741560",
    "Name": "Domain Administrator",
    "CountryCode": "US",
    "Country": "US",
    "StateProvince": "CA",
    "Phone": "+1.4089961010",
    "Address": "1 Infinite Loop",
    "PostalCode": "95014",
    "Organization": "Apple Inc.",
    "Email": "[email protected]"
  },
  "UpdatedDate": "2013-11-27T09:36:25Z",
  "Registrar": {
    "WhoisServer": "whois.corporatedomains.com",
    "Handle": "299",
    "Name": "CSC CORPORATE DOMAINS, INC.",
    "Phone": "+1.8887802723",
    "HomePage": "www.cscprotectsbrands.com",
    "Email": "[email protected]"
  },
  "CreatedDate": "1987-02-19T05:00:00Z",
  "Registrant": {
    "City": "Cupertino",
    "Fax": "+1.4089741560",
    "Name": "Domain Administrator",
    "CountryCode": "US",
    "Country": "US",
    "StateProvince": "CA",
    "Phone": "+1.4089961010",
    "Address": "1 Infinite Loop",
    "PostalCode": "95014",
    "Organization": "Apple Inc.",
    "Email": "[email protected]"
  }
}
research/cidr-to-range
Returns the starting and ending addresses for a CIDR block.
Requires research and research_net group access.
Fields:
apikey : string : your api key
query : cidr
Response:
JSON object
Example request:
{ "apikey": "0123456789", "query": "192.168.1.0/24" }
Example response:
{"last_address":"192.168.1.255","first_address":"192.168.1.0"}
research/gethostbyname
Perform a DNS lookup by name.
Requires research and research_net group access.
Fields:
apikey : string : your api key
name : string : hostname
version : string : { ipv4, ipv6, all } default is ipv4
Response:
JSON object
Example request:
{ "apikey": "0123456789", "name": "apple.com" }
Example response:
{"ip":["17.178.96.59","17.172.224.47","17.142.160.59"],"name":"apple.com"}
research/gethostbyaddr
Perform a DNS lookup by address.
Requires research and research_net group access.
Fields:
apikey : string : your api key
ip : string : IPv4 or IPv6 address
Response:
JSON object
Example request:
{ "apikey": "0123456789", "ip": "8.8.8.8" }
Example response:
{"ip":"8.8.8.8","name":"google-public-dns-a.google.com"}
research/site-ranking
Obtain the site ranking of a given domain name.
Requires research and research_net group access.
Fields:
apikey : string : your api key
domain : string : domain name
date : string : date (YYYY-MM-DD) or range (YYYY-MM-DD:YYYY-MM-DD); 'now' may be used in place of a date
Response:
array containing one entry per ranking source
Example request:
{ "apikey": "0123456789", "domain": "facebook.com" }
Example response:
[
{
"source" : "quantcast",
"domain" : "facebook.com",
"timestamp" : "2016-03-01 00:00:00",
"position" : "3"
},
{
"source" : "alexa",
"domain" : "facebook.com",
"timestamp" : "2016-03-01 00:00:00",
"position" : "2"
}
]
research/trusted-program
Returns a JSON response containing the details for the requested program.
Fields:
apikey : string : your api key
sample : string : MD5, SHA1, SHA256, or SHA512 hash
Help:
freed0@pit:~$ ./call-api.py research/trusted-program '{"help":true}' pretty
[
"application_type",
"binary",
"bit",
"crc32",
"description",
"dirname",
"filename",
"filesize",
"filetimestamp",
"fileversion",
"language",
"language_code",
"md5",
"media_source",
"mfg_name",
"os_mfg",
"os_name",
"os_version",
"product_name",
"product_version",
"reference",
"scan_time",
"sha1",
"sha256",
"sha512",
"sig_timestamp",
"sig_trustfile",
"signer",
"source",
"source_version",
"ssdeep",
"strongname_signed",
"trusted_signature"
]
Response:
JSON object
Example:
freed0@pit:~$ ./call-api.py research/trusted-program '{ "sample": "7fe2248de77813ce850053ed0ce8a474" }' pretty
{
"filetimestamp": "07/14/2009 01:14:16",
"reference": "os_patches_wsus",
"sha256": "289691E10A1564DD515CD128A9BCFD3AEF32E6BF4E5A1E3B1673026E1346283B",
"bit": "32",
"signer": "Microsoft Windows",
"crc32": "23897C4C",
"sha1": "E6927051249E27AD5D1F5F2F52B1CAF8A1605AE2",
"binary": "1",
"language": "Portuguese",
"source_version": "1.8",
"fileversion": "6.1.7600.16385",
"source": "AppInfo",
"os_version": "6.1",
"product_version": "6.1.7600.16385",
"trusted_signature": "1",
"product_name": "Microsoft Windows Operating System",
"os_name": "Microsoft Windows Server 2008 R2 Standard Service Pack 1 (build 7601), 64-bit",
"language_code": "1046",
"md5": "7FE2248DE77813CE850053ED0CE8A474",
"scan_time": "2020-06-18 22:56:14",
"filename": "ddodiag.exe",
"dirname": "c:\\Windows\\winsxs\\x86_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_362ce835fe42421b",
"strongname_signed": "0",
"filesize": "36864",
"description": "DDODiag is a tool that collects Device Display Object (DDO) information from the system and logs it",
"os_mfg": "Microsoft Corporation",
"media_source": "http://www.microsoft.com/",
"application_type": "exe",
"sha512": "F61BEA0DC281B56B563ED32331938EFC9BF6D7A3C9CAB3273103D2FD95A73C2492E31F2C64119651E5ABFE8F3A881317C3D3B81BAA2229B3CF01E4991EBFE8FC",
"ssdeep": "768:09iqlZu4aMwcWrkZKXshfN469R9B3DpWNsZSs:09iqlZu4aMwcWrkZKXshfNT9RZBSs",
"sig_timestamp": "07/14/2009 03:17:39",
"mfg_name": "Microsoft Corporation",
"sig_trustfile": "C:\\Windows\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\ntexe.cat"
}
research/malware-domain
Returns a JSON response containing static details about matching samples as well as antivirus vendor and signature details.
Requires research and research_malware-domain group access.
Because this method runs recursively, the number of samples returned is bounded by the maximum response time.
Required Fields:
apikey : string : your api key
domain : string or list : domain to query
Optional Fields:
limit : integer : maximum number of samples to return per domain (1..1000); default 100
Response:
JSON object
Example request:
{ "domain": "nhnrqmpwnr.us" }
Example response:
{
"nhnrqmpwnr.us": {
"family": "mydoom",
"tag": "tno-dga-tagged",
"samples": [
{
"md5": "fda0344324c77ea2c2c954489de3e0e4",
"sha1": "6ded10575668deee9b79a2777346b7c7597db7d0",
"sha256": "78e9f9133488c96c2933fea15e04a4c981c957029dfa7e5f9bce214a843624a2",
"anti-virus": [
{
"vendor": "Avast",
"signature": "Win32:Mydoom-BJ"
}
]
},
{
"md5": "e62bf32812837d88e465d8ec69f5999d",
"sha1": "820176d8d38369b4b903ebeca08287179c7c6de8",
"sha256": "5d1a2b219abbcd0fbff629979c7f15d4688bb7a7211e0e1bfdbe6ce0d650831f",
"anti-virus": [
{
"vendor": "Avast",
"signature": "Win32:Mydoom-BJ"
}
]
},
{
"md5": "6d4a323ef1a1519d816d445ae478cb29",
"sha1": "fb4b3c46e2c829cb326f7d43b09a2f1a28c92f4d",
"sha256": "782ab8682dfdc432064523e36d2f731ec92f7758f5ee677926b27cd2b9822fce",
"anti-virus": [
{
"vendor": "Avast",
"signature": "Win32:Mydoom-BJ"
}
]
}
]
}
}
research/tno-export
List all domains classified as DGAs by the TNO classifier from Sandbox events in the past day.
Requires research and research_tno-export group access.
Required Field:
apikey : string : your api key
Optional Field:
tld : string : top level domain filter
family : string : family filter ; when supported by TNO
limit : integer : maximum number of responses to return
skip : string : exclude results with a matching tag
format : string : set to "snort" for snort rules
Skip options:
rpz-dga : domains from the RPZ-DGA feed
noise : domains like /^www\.[a-z0-9]{10}\.com$/
family : domains that have a known family
Response:
JSON lines
Example response:
{ "domain": "nhnrqmpwnr.us" }
{ "domain": "mmnewhaarn.in" }
{ "domain": "grhjgewfewf.com" }
research/rpz-export
Returns the list of active RPZ domains valid for the next five days.
Requires research and research_rpz-export group access.
Required Field:
apikey : string : your api key
Optional Fields:
date : string : date or date range ; must begin within the past 10 days
tld : string : top level domain filter
family : string : family filter
limit : integer : maximum number of responses to return
Response:
JSON lines
Example response:
{"tag":["rpz-dga"],"timestamp":"2021-04-20 00:00:00","family":"bazarloader","tld":"bazar","timeend":"2021-04-20 00:00:00","domain":"cabaudwy.bazar","rule":"bazarloader_dga_3","source":"Fraunhofer FKIE DGArchive"}
{"source":"Fraunhofer FKIE DGArchive","rule":"bazarloader_dga_3","timeend":"2021-04-20 00:00:00","domain":"caeqtoek.bazar","tld":"bazar","family":"bazarloader","timestamp":"2021-04-20 00:00:00","tag":["rpz-dga"]}
{"timestamp":"2021-04-20 00:00:00","family":"bazarloader","tag":["rpz-dga"],"timeend":"2021-04-20 00:00:00","domain":"caynibwy.bazar","rule":"bazarloader_dga_3","source":"Fraunhofer FKIE DGArchive","tld":"bazar"}
{"tag":["rpz-dga"],"timestamp":"2021-04-20 00:00:00","family":"bazarloader","tld":"bazar","rule":"bazarloader_dga_3","source":"Fraunhofer FKIE DGArchive","timeend":"2021-04-20 00:00:00","domain":"cakitoid.bazar"}
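Both the tno-export and rpz-export methods above return JSON lines rather than one JSON document, and the tno-export "skip" options (rpz-dga, noise, family) are applied server-side. The following added example (not from the wiki or from call-api.py) parses a saved export line by line without aborting on a malformed line, re-applies the documented skip rules client-side using the noise pattern the wiki gives, and groups rpz-export records by family; the sample lines are constructed in the shape of the examples above.

```python
"""Added example (not from the Shadowserver wiki or call-api.py): consume the
JSON-lines output of research/tno-export and research/rpz-export and apply the
documented "skip" options client-side, e.g. on a saved export."""
import json
import re
from collections import defaultdict

# The wiki documents the "noise" skip as domains matching this pattern.
NOISE_RE = re.compile(r"^www\.[a-z0-9]{10}\.com$")


def parse_jsonl(text):
    """Parse JSON lines; blank lines are ignored and malformed lines are
    collected with their line number instead of aborting the whole export."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append((lineno, line))
    return records, bad


def skip_record(rec, skip):
    """Mirror the documented skip options: rpz-dga (tagged records), noise
    (pattern above) and family (records that carry a known family)."""
    if "noise" in skip and NOISE_RE.match(rec.get("domain", "")):
        return True
    if "family" in skip and rec.get("family"):
        return True
    if "rpz-dga" in skip and "rpz-dga" in (rec.get("tag") or []):
        return True
    return False


def filter_export(text, skip=()):
    """Parsed records from the export with the selected skip options applied."""
    records, _ = parse_jsonl(text)
    return [r for r in records if not skip_record(r, set(skip))]


def by_family(records):
    """Group rpz-export style records by family, keeping only the domains."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("family") or "unknown"].append(r["domain"])
    return dict(groups)


# Constructed sample export: shape follows the wiki examples, values are made up
# (one noise domain, one rpz-dga record with a family, one malformed line).
SAMPLE_EXPORT = """\
{"domain": "nhnrqmpwnr.us"}
{"domain": "www.abcdefghij.com"}
{"tag":["rpz-dga"],"timestamp":"2021-04-20 00:00:00","family":"bazarloader","tld":"bazar","domain":"cabaudwy.bazar","rule":"bazarloader_dga_3"}

{"domain": "grhjgewfewf.com", "family": ""}
not json at all
"""

if __name__ == "__main__":
    kept = filter_export(SAMPLE_EXPORT, skip=("noise", "family"))
    print([r["domain"] for r in kept])
```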
research/site-ranking-export
Provides domain name ranking details compiled from a number of public sources.
Requires research and research_site-ranking-export group access.
Required Field:
apikey : string : your api key
Optional Fields:
tld : string : top level domain filter
source : string : source filter
position : integer : minimum position filter
limit : integer : maximum number of responses to return
Response:
JSON lines
Example response:
{ "domain": "window2baku.com", "source": "domcop", "position": 209119 }
{ "domain": "lexique-du-net.com", "source": "domcop", "position": 209182 }
{ "domain": "dashboards.trefis.com", "source": "domcop", "position": 209207 }
research/sandbox-dns-anomaly
Provides sandbox DNS alert details for one or more types.
Requires research and research_sandbox-dns-anomaly group access.
Required Field:
apikey : string : your api key
type : string or list : [ "crypto", "registrar", "tld" ]
Optional Fields:
limit : integer : maximum number of responses to return
date : string : date or date range
Response:
JSON object
Example Request:
{ "type": [ "tld", "registrar" ] }
Example Response:
{
"tld": [
{ "timestamp": "2021-05-02", "tld": "ua", "resolv": "no", "type": "ccTLD", "queries": 6, "avg7": 2, "percent": 272, "avg14": 1, "avg30": 1, "avg90": 2, "avg120": 2, "avg180": 2, "avg365": 2 }
],
"registrar": [
{ "timestamp": "2021-05-02", "registrar": "Akamai Technologies, Inc.", "queries": 547, "avg7": 233, "percent": 234, "avg14": 202, "avg30": 287, "avg90": 1472, "avg120": 1472, "avg180": 1472, "avg365": 1472 }
]
}
research/tagging
Obtain details about a family or tag. Each query field can be a single string or a list of up to 100 entries.
Required Fields:
apikey : string : your api key
query : string or list : [ "family", "tag" ]
Response:
JSON list
Sample request:
{ "query": { "tag": "10kblaze" } }
Sample response:
[
{
"aliases" : [],
"description" : "\"10KBLAZE is the name that Onapsis uses to refer to a set of publicly-released SAP exploits. The name was chosen given the high risk that these exploits carry to potentially affect critical business information and processes. The criticality of these business risks can lead to disclosure requirements to the U.S. Securities and Exchange Commission (SEC) in the annual financial reporting: the Form 10-K\" [[1]](https://www.onapsis.com/resources/10kblaze)\r\n\r\nReferences:\r\n\r\n[[1] https://www.onapsis.com/resources/10kblaze](https://www.onapsis.com/resources/10kblaze)",
"tag" : "10kblaze"
}
]
research/tagging-source
Obtain source details for a family or tag.
Required Fields:
apikey : string : your api key
query : string : [ "family", "tag" ]
Optional Fields:
page : integer : page of results to return
limit : integer : number of results per page (maximum 100)
Response:
JSON object
Sample request:
{ "family": "aes-ni", "page": 1 }
Sample response:
{
"count" : 2,
"sources" : [
{
"data" : "83e824c998f321a9179efc5c2cd0a118",
"family" : "aes-ni",
"source_date" : "2017-04-23",
"source_name" : "@PolarToffee",
"source_url" : "https://twitter.com/PolarToffee/status/856209014828531713",
"tag" : "ransomware"
},
{
"data" : "[email protected]\r\[email protected]\r\[email protected]",
"family" : "aes-ni",
"source_date" : "2017-04-23",
"source_name" : "@PolarToffee",
"source_url" : "https://twitter.com/PolarToffee/status/856209014828531713",
"tag" : "ransomware"
}
]
}
research/rule-query
Returns details about rules of a specified type.
Requires research and research_rule group access.
Fields:
type : string : required; one of [ yara, snort, suricata, sigma, zeek ]
family : string : optional
tag : list : optional
Response:
JSON list of up to 10,000 matching records
Example request:
python3 call-api.py research/rule-query '{"type":"snort","limit":3,"family":"3cx-backdoor"}' pretty
Example response:
[
{
"create_date" : "2023-05-26 02:15:46",
"description" : "Possible malicious 3CXDesktopApp Identified",
"family" : "3cx-backdoor",
"id" : "912",
"name" : "Possible malicious 3CXDesktopApp Identified",
"source_date" : "2023-05-26 00:00:00",
"source_url" : "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
"tag" : "3cx-campaign,lazarus-group"
},
{
"create_date" : "2023-05-26 02:15:46",
"description" : "Possible malicious 3CXDesktopApp Identified",
"family" : "3cx-backdoor",
"id" : "913",
"name" : "Possible malicious 3CXDesktopApp Identified",
"source_date" : "2023-05-26 00:00:00",
"source_url" : "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
"tag" : "3cx-campaign,lazarus-group"
},
{
"create_date" : "2023-05-26 02:15:46",
"description" : "Possible malicious 3CXDesktopApp Identified",
"family" : "3cx-backdoor",
"id" : "914",
"name" : "Possible malicious 3CXDesktopApp Identified",
"source_date" : "2023-05-26 00:00:00",
"source_url" : "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
"tag" : "3cx-campaign,lazarus-group"
}
]
research/rule-download
Download the contents of a rule.
Requires research and research_rule group access.
Fields:
type : string : required; one of [ yara, snort, suricata, sigma, zeek ]
id : integer : required
Response:
JSON object
Example request:
python3 call-api.py research/rule-download '{"type":"snort","id":914}' pretty
Example response:
{
"id" : "914",
"name" : "Possible malicious 3CXDesktopApp Identified",
"rule" : "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutma\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 1000279; rev:1;)"
}
research/regex-query
Returns details about regular expressions of a specified type.
Requires research and research_regex group access.
Fields:
type : string : required; one of [ anti-virus, domain, file system, http, mutex, registry, semaphore ]
family : string : optional
tag : list : optional
name : string : optional
Response:
JSON list of up to 10,000 matching records
Example request:
python3 call-api.py research/regex-query '{"type":"anti-virus","limit":3,"family":"mirai"}' pretty
Example response:
[
{
"create_date" : "2018-12-20 19:32:06",
"description" : "Mirai Antivirus Signature Regular Expression",
"family" : "mirai",
"name" : "mirai-av-regex",
"regex" : "/Backdoor\\.Linux\\.MIRAI\\.[A-Z]/",
"source_url" : "https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/",
"tag" : "iot",
"vendor" : "TrendMicro"
}
]