In [46]:
api_token = ''

# Using Malpedia REST API
- The goal of this repo is to describe an easy way to retrieve Malpedia data.
- [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) is "a collaborative platform for curating a malware corpus". "The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research."
- List of API calls: https://malpedia.caad.fkie.fraunhofer.de/usage/api

In [100]:
import urllib.error
import urllib.parse
import urllib.request
import json
import pandas as pd
pd.set_option('display.max_colwidth', None)
pd.set_option('display.max_columns', None)

In [115]:
def malpedia_api(api_token, api_call, parameter):
    """Call one Malpedia REST endpoint and return the JSON body as a flattened DataFrame."""
    url = "https://malpedia.caad.fkie.fraunhofer.de/api/" + api_call + urllib.parse.quote(parameter)
    # Malpedia authenticates with an "apitoken <token>" Authorization header
    req = urllib.request.Request(url, headers={'Authorization': "apitoken " + api_token})
    try:
        response = urllib.request.urlopen(req)
        json_response = json.loads(response.read())
        return pd.json_normalize(json_response)
    except urllib.error.HTTPError as e:
        # e.g. 401 for a missing or invalid token, 404 for an unknown name
        print("HTTP error", e.code, e.reason)
    except urllib.error.URLError as e:
        # DNS or connection failure
        print("connection error", e.reason)

## Note: after playing with the API, I recommend calling "find/actor" first and then "get/actor". The reason is that an actor may have multiple synonyms! "find/actor" returns the main name used for an actor; "get/actor" then shows the actual information for that actor (including its synonyms).

### Find/actor

In [116]:
api_call = "find/actor/"
parameter = "fancy BEAR"  # NOT case sensitive
malpedia_api(api_token, api_call, parameter)

Unnamed: 0,name,common_name,synonyms
0,apt28,APT28,"[Pawn Storm, FANCY BEAR, Sednit, SNAKEMACKEREL, Tsar Team, TG-4127, STRONTIUM, Swallowtail, IRON TWILIGHT, Group 74, SIG40, Grizzly Steppe, G0007, ATK5, Fighting Ursa, ITG05, Blue Athena, TA422, T-APT-12, APT-C-20, UAC-0028]"


### Get/actor is the most interesting API call 

In [118]:
api_call = "get/actor/"
parameter = "apt28"
malpedia_api(api_token, api_call, parameter)

Unnamed: 0,description,related,uuid,value,families.win.arguepatch.alt_names,families.win.arguepatch.attribution,families.win.arguepatch.common_name,families.win.arguepatch.description,families.win.arguepatch.library_entries,families.win.arguepatch.notes,families.win.arguepatch.sources,families.win.arguepatch.updated,families.win.arguepatch.urls,families.win.arguepatch.uuid,families.win.caddywiper.alt_names,families.win.caddywiper.attribution,families.win.caddywiper.common_name,families.win.caddywiper.description,families.win.caddywiper.library_entries,families.win.caddywiper.notes,families.win.caddywiper.sources,families.win.caddywiper.updated,families.win.caddywiper.urls,families.win.caddywiper.uuid,meta.attribution-confidence,meta.cfr-suspected-state-sponsor,meta.cfr-suspected-victims,meta.cfr-target-category,meta.cfr-type-of-incident,meta.country,meta.refs,meta.synonyms
0,"The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.","[{'dest-uuid': 'bef4c620-0787-42a8-a96d-b7eb6e85917c', 'tags': ['estimative-language:likelihood-probability=""likely""'], 'type': 'similar'}, {'dest-uuid': '213cdde9-c11a-4ea9-8ce0-c868e9826fec', 'tags': ['estimative-language:likelihood-probability=""likely""'], 'type': 'similar'}]",5b4ee3ea-eee3-4c8e-8323-85ae32658754,APT28,[],"[APT28, Sandworm]",ArguePatch,"During a campaign against a Ukrainian energy provider, a new loader of a new version of CaddyWiper called ""ArguePatch"" was observed by ESET researchers. ArguePatch is a modified version of Hex-Ray's Remote Debugger Server (win32_remote.exe).\r\nArguePatch expects a decryption key and the file of the CaddyWiper shellcode as command line parameters.","[intelligence:20220923:gru:511ea47, research:20220412:industroyer2:4d6c5f8]",[],[],2022-09-26,"[https://www.mandiant.com/resources/blog/gru-rise-telegram-minions, https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/]",e9b4bec3-ad18-49cc-b6af-c0ffcc283153,[KillDisk.NCX],[APT28],CaddyWiper,"CaddyWiper is another destructive malware believed to be deployed to target Ukraine.\r\n\r\nCaddyWiper wipes all files under C:\Users and all also all files under available drives from D: to Z: by overwriting the data with NULL value. 
If the target file is greater than 0xA00000 bytes in size (10MB), it will only wipe the first 0xA00000 bytes.\r\n\r\nIt also wipes disk partitions from \\.\PHYSICALDRIVE9 to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes with NULL.","[certua:20220412:cyberattack:5f28c75, cip:20220325:who:e75f0ac, cutler:20220412:analysis:561c2a2, dereviashkin:20220405:new:2f2f8a9, dsu:20220427:special:f1a2031, fierro:20220315:caddywiper:6504bd2, gatlan:20220314:new:b53c7a5, gurubaran:20220316:destructive:f915ddf, hacknpatch:20220315:exploring:5399622, iacob:20220812:anatomy:b13ce32, iacob:20220926:anatomy:248e6ff, intelligence:20220923:gru:511ea47, ireland:20220412:industroyer2:aa61be3, keijser:20220315:analysis:648df73, kersten:20220412:ghidra:4afe367, knapczyk:20220818:overview:a12950c, knapczyk:20220818:overview:bf3eca2, lab:20220317:analysis:90c9558, lakshmanan:20220315:caddywiper:f70771d, lapienyt:20220314:new:965eae1, martinez:20220502:analysis:e5d626b, mosajjal:20220326:analysis:b94c029, paganini:20220315:caddywiper:13b5403, research:20220314:caddywiper:ac25105, research:20220315:caddywiper:0edb827, research:20220412:industroyer2:4d6c5f8, revay:20220428:overview:0ac963f, talos:20220315:threat:67922cf, team:20220228:cyber:69efe8b, team:20220318:double:fde615f, team:20220401:threat:1955941, tru:20220331:esentire:287e4dd, vincent:20220324:ukrainian:74b1566, watts:20221203:preparing:139621a]",[],[],2022-12-05,"[https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/, https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/, https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine, https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html, https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/, https://cert.gov.ua/article/39518, 
https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya, https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/, https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works, https://cybersecuritynews.com/destructive-data-wiper-malware/, https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/, https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/, https://n0p.me/2022/03/2022-03-26-caddywiper/, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd, https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html, https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/, https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html, https://twitter.com/ESETresearch/status/1503436420886712321, https://twitter.com/HackPatch/status/1503538555611607042, https://twitter.com/silascutler/status/1513870210398363651, https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/, https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/, https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/, https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper, https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat, https://www.mandiant.com/resources/blog/gru-rise-telegram-minions, https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/, https://www.nioguard.com/2022/03/analysis-of-caddywiper.html, https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html, 
https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/, https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/, https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/]",c6053700-5f3b-48cc-8176-191393522fc3,50,Russian Federation,"[Georgia, France, Jordan, United States, Hungary, World Anti-Doping Agency, Armenia, Tajikistan, Japan, NATO, Ukraine, Belgium, Pakistan, Asia Pacific Economic Cooperation, International Association of Athletics Federations, Turkey, Mongolia, OSCE, United Kingdom, Germany, Poland, European Commission, Afghanistan, Kazakhstan, China]","[Government, Military]",Espionage,RU,"[https://attack.mitre.org/groups/G0007/, https://en.wikipedia.org/wiki/Fancy_Bear, https://en.wikipedia.org/wiki/Sofacy_Group, https://www.bbc.com/news/technology-37590375, https://www.bbc.co.uk/news/technology-45257081, https://www.cfr.org/interactive/cyber-operations/apt-28, https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f, https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html, https://securelist.com/a-slice-of-2017-sofacy-activity/83930/, https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630, https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/, https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/, https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html, https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf, https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff, https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf, 
https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware, https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/, https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/, https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/, https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/, https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny, https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/, https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/, https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/, https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/, https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/, https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/, https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/, https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf, https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/, https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/, https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament, https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/, 
https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508, https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/, https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected, https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf, https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN, https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/, https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/, https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae, https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1, https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf, https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/, https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/, https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/, https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/, https://unit42.paloaltonetworks.com/atoms/fighting-ursa/, https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag]","[Pawn Storm, FANCY BEAR, Sednit, SNAKEMACKEREL, Tsar Team, TG-4127, STRONTIUM, 
Swallowtail, IRON TWILIGHT, Group 74, SIG40, Grizzly Steppe, G0007, ATK5, Fighting Ursa, ITG05, Blue Athena, TA422, T-APT-12, APT-C-20, UAC-0028]"
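The two-step lookup recommended in the note above (find/actor to resolve a synonym to the canonical name, then get/actor for the record), as an added example that is not part of the original notebook. It assumes the response shapes shown above (find/actor: a list of actor hits; get/actor: a dict with `families` and `meta` keys); `fake_fetch` and its data are constructed stand-ins so the block runs offline, and `fetch_json` is the real client.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://malpedia.caad.fkie.fraunhofer.de/api/"

def fetch_json(api_token, api_call, parameter, opener=urllib.request.urlopen):
    """GET one Malpedia endpoint and return the decoded JSON body.
    HTTP errors (e.g. 401 for a bad token) propagate instead of being swallowed."""
    url = BASE_URL + api_call + urllib.parse.quote(parameter)
    req = urllib.request.Request(url, headers={"Authorization": "apitoken " + api_token})
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))

def _matches(hit, query):
    """True if query equals the hit's name, common_name or any synonym (case-insensitive)."""
    names = [hit.get("name", ""), hit.get("common_name", "")] + list(hit.get("synonyms", []))
    return query.lower() in (n.lower() for n in names)

def resolve_actor(api_token, query, fetch=fetch_json):
    """find/actor maps any synonym to the canonical name; get/actor fetches the full record.
    Returns None when find/actor has no hit; prefers an exact name/synonym match over the first hit."""
    hits = fetch(api_token, "find/actor/", query)
    if not hits:
        return None
    exact = [h for h in hits if _matches(h, query)]
    canonical = (exact or hits)[0]["name"]
    actor = fetch(api_token, "get/actor/", canonical)
    return {
        "name": canonical,
        "synonyms": actor.get("meta", {}).get("synonyms", []),
        "families": sorted(actor.get("families", {})),  # family ids, e.g. "win.caddywiper"
    }

# Constructed offline stand-in for fetch_json; values mirror the responses shown in this notebook.
_FAKE = {
    ("find/actor/", "fancy bear"): [{"name": "apt28", "common_name": "APT28",
                                     "synonyms": ["Pawn Storm", "FANCY BEAR", "Sednit"]}],
    ("find/actor/", "nosuchactor"): [],
    ("get/actor/", "apt28"): {"value": "APT28",
                              "families": {"win.caddywiper": {"common_name": "CaddyWiper"},
                                           "win.arguepatch": {"common_name": "ArguePatch"}},
                              "meta": {"synonyms": ["Pawn Storm", "FANCY BEAR", "Sednit"]}},
}

def fake_fetch(api_token, api_call, parameter):
    """Mimics find/actor's case-insensitive lookup against the constructed data."""
    return _FAKE[(api_call, parameter.lower())]
```

With a real token, `resolve_actor(api_token, "fancy BEAR")` performs the same two calls against Malpedia.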
