Gist peasead/5a9f846384ac2421e61f32b3bef1d80a, last active July 2, 2024 05:30
Download samples from Malware Bazaar based on tag.
#!/usr/bin/env bash
# Bash script to download Malware Bazaar samples based on tag
# Define tag and number of samples to download
TAG=insert-malware-bazaar-tag
DOWNLOAD_LIMIT=100
# Determine OS
OS=$(uname -s)
# Download hash values from tag, save the SHA256 hashes
curl -XPOST -d "query=get_taginfo&tag=${TAG}&limit=${DOWNLOAD_LIMIT}" https://mb-api.abuse.ch/api/v1/ | grep sha256_hash | awk '{print $2}' > ${TAG}.raw
# OS Loop
# If macOS, clean up the download to remove "'s and ,'s (BSD sed needs a backup suffix with -i)
if [ ${OS} == Darwin ]
then
    sed -i.bak 's/\"//g' ${TAG}.raw
    rm ${TAG}.raw.bak
    sed -i.bak 's/\,//' ${TAG}.raw
    rm ${TAG}.raw.bak
# If Linux, clean up the download to remove "'s and ,'s (GNU sed edits in place with a bare -i)
else
    if [ ${OS} == Linux ]
    then
        sed -i 's/\"//g' ${TAG}.raw
        sed -i 's/\,//' ${TAG}.raw
    # Exiting OS loop
    fi
fi
# Create the hash file from the raw file
mv ${TAG}.raw ${TAG}.hash
# Download the samples using their hash values
while read h; do curl -XPOST -d "query=get_file&sha256_hash=${h}" -o ${h} https://mb-api.abuse.ch/api/v1/; done < ${TAG}.hash
# Unarchive the malware samples
while read h; do 7z e ${h} -p"infected"; done < ${TAG}.hash
# Clean up by removing the hash list and the compressed archive files
# (the .raw.bak backup was already removed in the macOS branch and never exists on Linux)
while read h; do rm ${h}; done < ${TAG}.hash
rm ${TAG}.hash
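The grep/awk/sed chain above is what makes the script behave differently on macOS and Linux, and it also trusts whatever comes back from the download without checking it. The following is an added example, not the gist's own code: it pulls the hashes out of the JSON with a strict 64-hex pattern (so nothing has to be stripped afterwards and no `sed -i` variant is needed), and after unpacking each archive it compares the extracted sample's SHA-256 with the hash Malware Bazaar reported, discarding anything that does not match. The same `extract_sha256` function works for both the `get_taginfo` and the `get_file_type` queries discussed on this page. The endpoint, the `infected` archive password and the `7z`/`7zz` tool names come from the gist; the function names, the output layout (one directory per hash) and the sample JSON are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not the gist's code: pull SHA-256 values out of the Malware
# Bazaar JSON with a strict pattern (no quote/comma stripping, so no
# macOS-vs-Linux `sed -i` differences), then verify each unpacked sample
# against the hash the API reported before keeping it.

MB_API="https://mb-api.abuse.ch/api/v1/"                 # endpoint used by the gist
SEVENZIP=$(command -v 7zz || command -v 7z || echo 7z)   # gist uses 7z / 7zz

# Extract SHA-256 values from a get_taginfo or get_file_type JSON response.
# Reads JSON on stdin; prints one lowercase, de-duplicated hash per line.
# Only a 64-hex value after "sha256_hash" matches, so quotes and trailing
# commas never reach the output and truncated or malformed hashes are dropped.
extract_sha256() {
    grep -oE '"sha256_hash"[[:space:]]*:[[:space:]]*"[0-9a-fA-F]{64}"' \
        | grep -oE '[0-9a-fA-F]{64}' \
        | tr 'A-F' 'a-f' \
        | sort -u
}

# SHA-256 of a file, portable across coreutils (sha256sum) and BSD/macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only if the file's digest equals the expected hash (case-insensitive).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(file_sha256 "$1")" = "$expected" ]
}

# Succeeds if any regular file in the directory has the expected digest.
# Malware Bazaar reports the hash of the sample, not of the ZIP it ships in,
# so the check has to run on the unpacked contents.
verify_extracted() {
    for f in "$1"/*; do
        if [ -f "$f" ] && verify_sha256 "$f" "$2"; then
            return 0
        fi
    done
    return 1
}

# Fetch the hash list for a tag, download every sample archive into its own
# directory, unpack it (password "infected", as in the gist) and keep the
# directory only if one extracted file matches the reported hash.
# Needs network access, curl and 7z/7zz; not exercised by the offline checks.
# Usage: download_tag_samples <tag> <limit> <outdir>
download_tag_samples() {
    tag=$1; limit=$2; outdir=$3
    mkdir -p "$outdir"
    curl -sS -X POST -d "query=get_taginfo&tag=${tag}&limit=${limit}" "$MB_API" \
        | extract_sha256 > "$outdir/$tag.hash"
    while IFS= read -r h; do
        dir="$outdir/$h"
        mkdir -p "$dir"
        # </dev/null keeps curl and 7z from consuming the hash list on stdin
        curl -sS -X POST -d "query=get_file&sha256_hash=${h}" \
            -o "$dir/$h.zip" "$MB_API" </dev/null
        "$SEVENZIP" e -y -o"$dir" -p"infected" "$dir/$h.zip" >/dev/null </dev/null
        rm -f "$dir/$h.zip"
        if verify_extracted "$dir" "$h"; then
            echo "ok        $h"
        else
            echo "MISMATCH  $h (removed)" >&2
            rm -rf "$dir"
        fi
    done < "$outdir/$tag.hash"
}

# Constructed JSON in the shape of a get_taginfo reply (hashes are made up):
# two distinct hashes, one upper-case duplicate and one truncated value.
HASH_A=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
HASH_B=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
SAMPLE_JSON='{"query_status": "ok", "data": [
  {"sha256_hash": "'"$HASH_A"'", "file_type": "bat"},
  {"sha256_hash": "'"$HASH_B"'", "file_type": "bat"},
  {"sha256_hash": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"},
  {"sha256_hash": "deadbeef"}
]}'

# Only run the network workflow when invoked with arguments, e.g.
#   ./mb_fetch.sh <tag> 100 ./samples
# Without arguments, show what the parser makes of the constructed reply.
if [ "$#" -ge 3 ]; then
    download_tag_samples "$@"
else
    printf '%s\n' "$SAMPLE_JSON" | extract_sha256
fi
```

Because the pattern only ever emits a bare 64-hex string, the output file is a clean hash list on every platform, and the post-extraction check means a truncated download or an archive whose contents do not match the catalogue entry is removed rather than left in the sample set.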
If you wanted to ONLY get .bat files, you could use the file_type API endpoint instead of the tag API endpoint.
#!/usr/bin/env bash
# Bash script to download Malware Bazaar samples based on file type
# Define file type and number of samples to download
TYPE=Bat
DOWNLOAD_LIMIT=100
# Determine OS
OS=$(uname -s)
# Download hash values for the file type, save the SHA256 hashes
curl -XPOST -d "query=get_file_type&file_type=${TYPE}&limit=${DOWNLOAD_LIMIT}" https://mb-api.abuse.ch/api/v1/ | grep sha256_hash | awk '{print $2}' > ${TYPE}.raw
# OS Loop
# If macOS, clean up the download to remove "'s and ,'s (BSD sed needs a backup suffix with -i)
if [ ${OS} == Darwin ]
then
    sed -i.bak 's/\"//g' ${TYPE}.raw
    rm ${TYPE}.raw.bak
    sed -i.bak 's/\,//' ${TYPE}.raw
    rm ${TYPE}.raw.bak
# If Linux, clean up the download to remove "'s and ,'s (-i is required, otherwise sed only prints to stdout)
else
    if [ ${OS} == Linux ]
    then
        sed -i 's/\"//g' ${TYPE}.raw
        sed -i 's/\,//' ${TYPE}.raw
    # Exiting OS loop
    fi
fi
# Create the hash file from the raw file
mv ${TYPE}.raw ${TYPE}.hash
# Download the samples using their hash values
while read h; do curl -XPOST -d "query=get_file&sha256_hash=${h}" -o ${h} https://mb-api.abuse.ch/api/v1/; done < ${TYPE}.hash
# Unarchive the malware samples
while read h; do 7zz e ${h} -p"infected"; done < ${TYPE}.hash
# Clean up by removing the hash list and the compressed archive files
# (the .raw.bak backup was already removed in the macOS branch and never exists on Linux)
while read h; do rm ${h}; done < ${TYPE}.hash
rm ${TYPE}.hash
I had problems getting this script to work, but I just modified the two "sed" lines, and now it works perfectly 👍
sed -i 's/,//g' ${TAG}.raw
sed -i 's/"//g' ${TAG}.raw
Ah, yes. Sorry. I didn't test on Linux...just tried to do it from memory.
Yeah, -i is needed for inline replacement.
Thanks for the find, the comment, and the patience.
how to download .bat files?
I would assume you could use bat when defining the tag here:
[...]
TAG=bat
[...]
This is a valid tag, is it not working?