Merge pull request #197 from intelowlproject/develop

v1.7.1

Author: mlodic

.env

@@ -5,7 +5,7 @@
 ### the COMPOSE_FILE variable each separated with ':'. If you are on windows, replace all ':' with ';'.
 ### Reference to Docker's official Docs: https://docs.docker.com/compose/reference/envvars/#compose_file#compose_file
 
-INTELOWL_TAG_VERSION=v1.7.0
+INTELOWL_TAG_VERSION=v1.7.1
 
 ###### Default (Production) ######
 

README.md

@@ -74,7 +74,7 @@ license terms.
 [APKiD](https://github.com/rednaga/APKiD/blob/master/LICENSE.COMMERCIAL),
 [Box-JS](https://github.com/CapacitorSet/box-js/blob/master/LICENSE),
 [Capa](https://github.com/fireeye/capa/blob/master/LICENSE.txt),
-[Quark-Engine](https://github.com/quark-engine/quark-engine)
+[Quark-Engine](https://github.com/quark-engine/quark-engine),
 [IntelX](https://intelx.io/terms-of-service)
 
 ## Acknowledgments

api_app/admin.py

@@ -51,7 +51,10 @@ class CustomOutstandingTokenAdmin(OutstandingTokenAdmin):
         (
             "Create API Token For",
             {
-                "fields": ("user", "token",),
+                "fields": (
+                    "user",
+                    "token",
+                ),
                 "description": f"""
                     <h3>Token will be auto-generated on save.</h3>
                     <h5>Please note that this token,</h5>

api_app/models.py

@@ -30,7 +30,12 @@ def __str__(self):
 class Job(models.Model):
     class Meta:
         indexes = [
-            models.Index(fields=["md5", "status",]),
+            models.Index(
+                fields=[
+                    "md5",
+                    "status",
+                ]
+            ),
         ]
 
     source = models.CharField(max_length=50, blank=False, default="none")

api_app/script_analyzers/file_analyzers/vt3_scan.py

@@ -40,7 +40,12 @@ def run(self):
 
 
 def vt_scan_file(
-    api_key, md5, job_id, rescan_instead=False, max_tries=100, poll_distance=5,
+    api_key,
+    md5,
+    job_id,
+    rescan_instead=False,
+    max_tries=100,
+    poll_distance=5,
 ):
     try:
         binary = get_binary(job_id)

api_app/script_analyzers/file_analyzers/xlm_macro_deobfuscator.py

@@ -0,0 +1,50 @@
+import logging
+from XLMMacroDeobfuscator.deobfuscator import process_file
+from api_app.script_analyzers.classes import FileAnalyzer
+from celery.exceptions import SoftTimeLimitExceeded
+
+logger = logging.getLogger(__name__)
+
+
+class XlmMacroDeobfuscator(FileAnalyzer):
+    def set_config(self, additional_config_params):
+        self.passwords_to_check = [""]
+        additional_passwords_to_check = additional_config_params.get(
+            "passwords_to_check", []
+        )
+        if isinstance(additional_passwords_to_check, list):
+            self.passwords_to_check.extend(additional_passwords_to_check)
+        elif isinstance(additional_passwords_to_check, str):
+            self.passwords_to_check.append(additional_passwords_to_check)
+
+    def run(self):
+        results = {}
+        try:
+            for password in self.passwords_to_check:
+                results = self.decrypt(password)
+                if results:
+                    break
+            if not results:
+                results["error"] = "Can't decrypt with current passwords"
+        except SoftTimeLimitExceeded:
+            self._handle_base_exception("Soft Time Limit Exceeded")
+        return results
+
+    def decrypt(self, xlmpassword=""):
+        args = {
+            "file": self.filepath,
+            "noindent": True,
+            "nointeractive": True,
+            "return_deobfuscated": True,
+            "output_level": 3,
+        }
+        if xlmpassword:
+            args["password"] = xlmpassword
+        try:
+            results = {"output": process_file(**args), "correct_password": xlmpassword}
+
+            return results
+        except Exception as e:
+            if "Failed to decrypt" in str(e):
+                return {}
+            return {"errors": str(e)}

api_app/script_analyzers/observable_analyzers/vt3_get.py

@@ -39,7 +39,11 @@ def run(self):
 
 
 def vt_get_report(
-    api_key, observable_name, obs_clfn, additional_config_params, job_id,
+    api_key,
+    observable_name,
+    obs_clfn,
+    additional_config_params,
+    job_id,
 ):
     headers = {"x-apikey": api_key}
 

configuration/analyzer_config.json

@@ -165,7 +165,8 @@
       "text/x-ms-iqy",
       "application/excel",
       "text/xml",
-      "application/xml"
+      "application/xml",
+      "application/zip"
     ],
     "decription": "static generic document analysis",
     "python_module": "docinfo_run"
@@ -938,6 +939,23 @@
       "directories_with_rules": ["/opt/deploy/yara/rules"]
     }
   },
+  "Xlm_Macro_Deobfuscator": {
+    "type": "file",
+    "supported_filetypes": [
+      "application/vnd.ms-excel.addin.macroEnabled",
+      "application/x-mspublisher",
+      "application/vnd.ms-excel",
+      "application/vnd.ms-excel.sheet.macroEnabled.12",
+      "application/excel",
+      "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+      "application/zip"
+    ],
+    "decription": "Xlm macro deobfuscator",
+    "python_module": "xlm_deobfuscator_run",
+    "additional_config_params": {
+        "passwords_to_check": ["agenzia", "inps", "coronavirus"]
+    }
+  },
   "Yara_Scan_Florian": {
     "type": "file",
     "description": "scan a file with Neo23x0 yara rules",

configuration/ldap_config.py

@@ -11,7 +11,9 @@
 AUTH_LDAP_BIND_DN = "cn=django-agent,dc=example,dc=com"
 AUTH_LDAP_BIND_PASSWORD = ""
 AUTH_LDAP_USER_SEARCH = LDAPSearch(
-    "ou=users,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)",
+    "ou=users,dc=example,dc=com",
+    ldap.SCOPE_SUBTREE,
+    "(uid=%(user)s)",
 )
 # Or:
 # AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=users,dc=example,dc=com'

docs/source/Contribute.md

@@ -83,7 +83,7 @@ $ flake8 . --show-source --statistics
 
 ```bash
 $ docker-compose -f docker-compose-for-tests.yml build
-$ docker-compose -f docker-compose-for-tests.yml up`
+$ docker-compose -f docker-compose-for-tests.yml up
 ```
 
 3. Here, we simulate the travis CI tests locally by running the following 3 tests,