def get_VT_name(hashes):
try:
vt = PrivateApi(api_key = os.environ["VIRUSTOTAL_API_KEY"])
generator = ComputeVtUniqueName()
names = [generator.build_unique_name(vt.get_file_report(hash_) or "") for hash_ in hashes]
if len(names) >= 2 and all(names[0] == name for name in names[1:]):
name = names[0]
if name["pup"]:
log.error("PUA signatures are not implemented yet. Excpected name was: %s", str(name))
pass
else:
return "{}.{}.{}".format(name["platform"], name["category"], name["unique_name"])
except KeyError:
log.warn("No VIRUSTOTAL_API_KEY specified. Falling back to generic name.")
except Exception:
log.exception("White trying to compute VT name. Falling back to generic name.")
return GENERIC_CLAMAV_MALWARE_NAME
def run(self):
vt_logger = logging.getLogger('vtmonitor')
self.banner()
# Perform some sanity checks
try:
self.checkenv()
except Exception as error:
vt_logger.critical(error)
return
self.check_updates()
vt_logger.debug('==================================================')
vt_logger.debug('Application restart')
vt_logger.debug('==================================================')
if self.private_api:
vt = VirusTotalPrivateApi(self.api_key)
else:
vt = VirusTotalPublicApi(self.api_key)
# Create baseline of processes
vt_logger.info('Creating base list of allowed process')
wmic = subprocess.check_output("wmic process get ExecutablePath", shell=True)
wmic = wmic.replace('\r', '\n')
base_list = set([])
for process in wmic.split('\n'):
process = process.strip()
if not process:
continue
base_list.add(process)
vt_logger.info("Starting main loop to watch for new processes")
while True:
sleep(1)
wmic = subprocess.check_output("wmic process get ExecutablePath", shell=True)
wmic = wmic.replace('\r', '\n')
for process in wmic.split('\n'):
process = process.strip()
if not process:
continue
if process in base_list:
continue
vt_logger.debug("Unknown process %s, checking the hash on Virus Total" % process)
# New process, let's submit to VT for details
with open(process, 'rb') as handle:
data = handle.read()
signature = hashlib.md5(data).hexdigest()
response = vt.get_file_report(signature)
if response['results'].get('response_code') == 0:
vt_logger.warn("Process %s is unknown on Virus Total" % process)
else:
vt_logger.info("Process %s has a known signature on Virus Total" % process)
# and add it to the base list, otherwise it will keep pinging VT all the time
base_list.add(process)
def run(self, args):
config_path = os.path.join(os.path.expanduser("~"), ".vtapi")
if hasattr(args, 'subcommand'):
if args.subcommand in ('check', 'similar'):
if not os.path.isfile(config_path):
print(
"Invalid configuration file, please use pe vt config to configure your VT account"
)
sys.exit(1)
cf = self.read_config(config_path)
if cf['type'] == 'private':
vt = PrivateApi(cf['apikey'])
else:
vt = PublicApi(cf['apikey'])
if args.subcommand == 'check':
with open(args.PEFILE, 'rb') as f:
data = f.read()
m = hashlib.sha256()
m.update(data)
sha256 = m.hexdigest()
response = vt.get_file_report(sha256)
if args.raw:
print(json.dumps(response, sort_keys=False, indent=4))
else:
if response["response_code"] != 200:
print("Error with the request (reponse code %i)" %
response["response_code"])
sys.exit(1)
if response["results"]["response_code"] == 0:
print("File not found")
else:
print("[+] Detection: %i / %i" %
(response["results"]["positives"],
response["results"]["total"]))
print("[+] MD5: %s" % response["results"]["md5"])
print("[+] SHA1: %s" % response["results"]["sha1"])
print("[+] SHA256: %s" %
response["results"]["sha256"])
if "first_seen" in response['results']:
print("[+] First Seen: %s" %
response["results"]["first_seen"])
if "last_seen" in response['results']:
print("[+] Last Seen: %s" %
response["results"]["last_seen"])
print("[+] Link: %s" %
response["results"]["permalink"])
elif args.subcommand == 'similar':
if cf['type'] != 'private':
print(
'I am sorry, you need a private VT access to do that'
)
sys.exit(1)
with open(args.PEFILE, 'rb') as f:
data = f.read()
m = hashlib.sha256()
m.update(data)
sha256 = m.hexdigest()
# Check if this PE file is in VT first
response = vt.get_file_report(sha256)
if response["results"]["response_code"] == 0:
print("File not in VT, computing imphash, ssdeep only")
pe = pefile.PE(data=data)
imphash = pe.get_imphash()
ssd = ssdeep.hash(data)
vhash = None
authentihash = None
dbg_filename = debug_filename(pe)
dbg_guid = debug_guid(pe)
if is_dot_net_assembly(pe):
res = get_guid(pe, data)
dotnet_mvid = res["mvid"]
dotnet_typelib = res["typelib_id"]
else:
dotnet_mvid = None
dotnet_typelib = None
else:
print("File identified in VT: {}".format(
response['results']['permalink']))
vhash = response['results']['vhash']
ssd = response['results']['ssdeep']
authentihash = response['results']['authentihash']
imphash = response['results']['additional_info'][
"pe-imphash"]
dbg_guid = None
dbg_filename = None
if "pe-debug" in response['results'][
'additional_info']:
if "codeview" in response['results'][
'additional_info']["pe-debug"][0]:
if "guid" in response['results'][
'additional_info']["pe-debug"][0][
"codeview"]:
dbg_guid = response['results'][
'additional_info']["pe-debug"][0][
"codeview"]["guid"]
if "name" in response['results'][
'additional_info']["pe-debug"][0][
"codeview"]:
dbg_filename = response['results'][
'additional_info']['pe-debug'][0][
'codeview']['name']
if "netguids" in response['results'][
'additional_info']:
dotnet_mvid = response['results'][
'additional_info']['netguids']['mvid']
dotnet_typelib = response['results'][
'additional_info']['netguids']['typelib_id']
else:
dotnet_mvid = None
dotnet_typelib = None
# Start with imphash
print("# Searching for imphash: {}".format(imphash))
res = vt.file_search('imphash:"{}"'.format(imphash))
self.print_results(res, sha256)
# ssdeep
print("# Searching for ssdeep: {}".format(ssd))
res = vt.file_search('ssdeep:"{}"'.format(ssd))
self.print_results(res, sha256)
# authentihash
if authentihash:
print("# Searching for authentihash: {}".format(
authentihash))
res = vt.file_search(
'authentihash:"{}"'.format(authentihash))
self.print_results(res, sha256)
# vhash
if vhash:
print("# Searching for vhash: {}".format(vhash))
res = vt.file_search('vhash:"{}"'.format(vhash))
self.print_results(res, sha256)
# .NET GUIDs
if dotnet_mvid:
print("# Searching for .NET Module Version id: {}".
format(dotnet_mvid))
res = vt.file_search(
'netguid:"{}"'.format(dotnet_mvid))
self.print_results(res, sha256)
if dotnet_typelib:
print("# Searching for .NET TypeLib id: {}".format(
dotnet_typelib))
res = vt.file_search(
'netguid:"{}"'.format(dotnet_typelib))
self.print_results(res, sha256)
# Debug
if dbg_filename:
print("# Searching for Debug Filename: {}".format(
dbg_filename))
res = vt.file_search('"{}"'.format(dbg_filename))
self.print_results(res, sha256)
if dbg_guid:
print(
"# Searching for Debug GUID: {}".format(dbg_guid))
res = vt.file_search('"{}"'.format(dbg_guid))
self.print_results(res, sha256)
elif args.subcommand == 'config':
config = configparser.ConfigParser()
if args.type == 'public':
config['vt'] = {
'intelligence': False,
'engines': '',
'timeout': 60,
'apikey': args.APIKEY,
'type': 'public'
}
else:
config['vt'] = {
'intelligence': True,
'engines': '',
'timeout': 60,
'apikey': args.APIKEY,
'type': 'private'
}
with open(config_path, 'w') as configfile:
config.write(configfile)
print("Config file {} updated".format(config_path))
else:
self.parser.print_help()
else:
self.parser.print_help()
def intel(self, type, query, data, conf):
if type == "domain":
if conf["VirusTotal"]["type"] != "public":
print("[+] Checking VirusTotal....")
vt = PrivateApi(conf["VirusTotal"]["key"])
res = vt.get_domain_report(query)
if "results" in res:
if "resolutions" in res["results"]:
for r in res["results"]["resolutions"]:
try:
data["passive_dns"].append({
"first":
parse(r["last_resolved"]).astimezone(
pytz.utc),
"last":
parse(r["last_resolved"]).astimezone(
pytz.utc),
"ip":
r["ip_address"],
"source":
"VT",
})
except TypeError:
# Error with the date
pass
if "undetected_downloaded_samples" in res["results"]:
for r in res["results"][
"undetected_downloaded_samples"]:
data["files"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc)
if "date" in r else "",
"source":
"VT",
})
if "undetected_referrer_samples" in res["results"]:
for r in res["results"]["undetected_referrer_samples"]:
data["files"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc)
if "date" in r else "",
"source":
"VT",
})
if "undetected_communicating_samples" in res["results"]:
for r in res["results"][
"undetected_communicating_samples"]:
data["malware"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc),
"source":
"VT"
})
if "detected_communicating_samples" in res["results"]:
for r in res["results"][
"detected_communicating_samples"]:
data["malware"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc),
"source":
"VT"
})
if "detected_downloaded_samples" in res["results"]:
for r in res["results"]["detected_downloaded_samples"]:
data["malware"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc),
"source":
"VT",
})
if "detected_referrer_samples" in res["results"]:
for r in res["results"]["detected_referrer_samples"]:
if "date" in r:
data["malware"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc),
"source":
"VT",
})
if "detected_urls" in res["results"]:
for r in res["results"]["detected_urls"]:
data["urls"].append({
"date":
parse(r["scan_date"]).astimezone(pytz.utc),
"url":
r["url"],
"ip":
"",
"source":
"VT",
})
elif type == "ip":
if conf["VirusTotal"]["type"] != "public":
print("[+] Checking VirusTotal...")
vt = PrivateApi(conf["VirusTotal"]["key"])
res = vt.get_ip_report(query)
if "results" in res:
if "resolutions" in res["results"]:
for r in res["results"]["resolutions"]:
try:
data["passive_dns"].append({
"first":
parse(r["last_resolved"]).astimezone(
pytz.utc),
"last":
parse(r["last_resolved"]).astimezone(
pytz.utc),
"domain":
r["hostname"],
"source":
"VT",
})
except TypeError:
# Error with the date
pass
if "undetected_downloaded_samples" in res["results"]:
for r in res["results"][
"undetected_downloaded_samples"]:
data["files"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc)
if "date" in r else "",
"source":
"VT",
})
if "undetected_referrer_samples" in res["results"]:
for r in res["results"]["undetected_referrer_samples"]:
data["files"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc)
if "date" in r else "",
"source":
"VT",
})
if "undetected_communicating_samples" in res["results"]:
for r in res["results"][
"undetected_communicating_samples"]:
data["malware"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc),
"source":
"VT",
})
if "detected_communicating_samples" in res["results"]:
for r in res["results"][
"detected_communicating_samples"]:
data["malware"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc),
"source":
"VT",
})
if "detected_downloaded_samples" in res["results"]:
for r in res["results"]["detected_downloaded_samples"]:
data["malware"].append({
"hash":
r["sha256"],
"date":
parse(r["date"]).astimezone(pytz.utc),
"source":
"VT"
})
if "detected_urls" in res["results"]:
for r in res["results"]["detected_urls"]:
data["urls"].append({
"date":
parse(r["scan_date"]).astimezone(pytz.utc),
"url":
r["url"],
"ip":
"",
"source":
"VT",
})
elif type == "hash":
if conf["VirusTotal"]["type"] != "public":
print("[+] Checking VirusTotal...")
vt = PrivateApi(conf["VirusTotal"]["key"])
res = vt.get_file_report(query)
if res["results"]["response_code"] == 1:
# Found
data["samples"].append({
"date":
parse(res['results']['scan_date']).astimezone(
pytz.utc),
"source":
"VT",
"url":
res['results']['permalink'],
"infos": {
"AV Result":
"{} / {}".format(res['results']['positives'],
res['results']['total']),
"First Seen":
res['results']["first_seen"],
"File Names":
", ".join(res['results']["submission_names"][:5])
}
})
if "ITW_urls" in res["results"]:
for url in res['results']["ITW_urls"]:
data["urls"].append({
"url":
url,
"source":
"VT",
"link":
res['results']['permalink']
})
if "additional_info" in res["results"]:
if "behaviour-v1" in res["results"]["additional_info"]:
if "network" in res['results']['additional_info'][
'behaviour-v1']:
for d in res['results']['additional_info'][
'behaviour-v1']["network"]["dns"]:
data["network"].append({
"source":
"VT",
"url":
res['results']['permalink'],
"host":
d["hostname"],
"ip":
d["ip"]
})
def run(self, conf, args, plugins):
if 'subcommand' in args:
if conf["VirusTotal"]["type"] != "public":
vt = PrivateApi(conf["VirusTotal"]["key"])
if args.subcommand == "hash":
response = vt.get_file_report(args.HASH)
if args.raw:
print(json.dumps(response, sort_keys=False, indent=4))
if args.extended:
response = vt.get_network_traffic(args.HASH)
print(
json.dumps(response, sort_keys=False,
indent=4))
response = vt.get_file_behaviour(args.HASH)
print(
json.dumps(response, sort_keys=False,
indent=4))
else:
self.print_file(response)
elif args.subcommand == "dl":
if os.path.isfile(args.HASH):
print("File %s already exists" % args.HASH)
sys.exit(0)
data = vt.get_file(args.HASH)
if isinstance(data, dict):
if 'results' in data:
with open(args.HASH, "wb") as f:
f.write(data['results'])
print("File downloaded as %s" % args.HASH)
else:
print('Invalid answer format')
sys.exit(1)
else:
with open(args.HASH, "wb") as f:
f.write(data)
print("File downloaded as %s" % args.HASH)
elif args.subcommand == "file":
with open(args.FILE, "rb") as f:
# FIXME : could be more efficient
data = f.read()
m = hashlib.sha256()
m.update(data)
h = m.hexdigest()
response = vt.get_file_report(h)
if args.raw:
print(json.dumps(response, sort_keys=False, indent=4))
else:
self.print_file(response)
elif args.subcommand == "hashlist":
with open(args.FILE, 'r') as infile:
data = infile.read().split()
hash_list = list(set([a.strip() for a in data]))
print(
"Hash;Found;Detection;Total AV;First Seen;Last Seen;Link"
)
for h in hash_list:
response = vt.get_file_report(h)
if response["response_code"] != 200:
print("Error with the request (reponse code %i)" %
response["response_code"])
print(
json.dumps(response, sort_keys=False,
indent=4))
print("Quitting...")
sys.exit(1)
if "response_code" in response["results"]:
if response["results"]["response_code"] == 0:
print("%s;Not found;;;;;" % h)
else:
print("%s;Found;%i;%i;%s;%s;%s" %
(h, response["results"]["positives"],
response["results"]["total"],
response["results"]["first_seen"],
response["results"]["last_seen"],
response["results"]["permalink"]))
else:
print("%s;Not found;;;;;" % h)
elif args.subcommand == "domainlist":
with open(args.FILE, 'r') as infile:
data = infile.read().split()
for d in data:
print("################ Domain %s" % d.strip())
res = vt.get_domain_report(d.strip())
self.print_domaininfo(res)
elif args.subcommand == "iplist":
with open(args.FILE, 'r') as infile:
data = infile.read().split()
for d in data:
print("################ IP %s" % d.strip())
res = vt.get_ip_report(unbracket(d.strip()))
print(json.dumps(res, sort_keys=False, indent=4))
elif args.subcommand == "domain":
res = vt.get_domain_report(unbracket(args.DOMAIN))
if args.json:
print(json.dumps(res, sort_keys=False, indent=4))
else:
self.print_domaininfo(res)
elif args.subcommand == "ip":
res = vt.get_ip_report(unbracket(args.IP))
print(json.dumps(res, sort_keys=False, indent=4))
elif args.subcommand == "url":
res = vt.get_url_report(args.URL)
print(json.dumps(res, sort_keys=False, indent=4))
else:
self.parser.print_help()
else:
vt = PublicApi(conf["VirusTotal"]["key"])
if args.subcommand == "hash":
response = vt.get_file_report(args.HASH)
if args.raw:
print(json.dumps(response, sort_keys=False, indent=4))
else:
self.print_file(response)
elif args.subcommand == "file":
with open(args.FILE, "rb") as f:
# FIXME : could be more efficient
data = f.read()
m = hashlib.sha256()
m.update(data)
response = vt.get_file_report(m.hexdigest())
if args.raw:
print(json.dumps(response, sort_keys=False, indent=4))
else:
self.print_file(response)
elif args.subcommand == "hashlist":
with open(args.FILE, 'r') as infile:
data = infile.read().split()
hash_list = list(set([a.strip() for a in data]))
print("Hash;Found;Detection;Total AV;Link")
for h in hash_list:
response = vt.get_file_report(h)
if response["response_code"] != 200:
print("Error with the request (reponse code %i)" %
response["response_code"])
print(
json.dumps(response, sort_keys=False,
indent=4))
print("Quitting...")
sys.exit(1)
if "response_code" in response["results"]:
if response["results"]["response_code"] == 0:
print("%s;Not found;;;" % h)
else:
print("%s;Found;%i;%i;%s" %
(h, response["results"]["positives"],
response["results"]["total"],
response["results"]["permalink"]))
else:
print("%s;Not found;;;" % h)
elif args.subcommand == "domain":
res = vt.get_domain_report(unbracket(args.DOMAIN))
if args.json:
print(json.dumps(res, sort_keys=False, indent=4))
else:
self.print_domaininfo(res)
elif args.subcommand == "ip":
res = vt.get_ip_report(unbracket(args.IP))
print(json.dumps(res, sort_keys=False, indent=4))
elif args.subcommand == "url":
res = vt.get_url_report(args.URL)
print(json.dumps(res, sort_keys=False, indent=4))
elif args.subcommand == "domainlist":
print(
"Not implemented yet with public access, please propose PR if you need it"
)
elif args.subcommand == "dl":
print(
"VirusTotal does not allow downloading files with a public feed, sorry"
)
sys.exit(0)
else:
self.parser.print_help()
else:
self.parser.print_help()
while True:
data = f.read(8192)
if not data:
break
m.update(data)
return m.hexdigest()
API_KEY = '0d8a7ee919ee20042cc31d7565986da4b995703d4089f2cee967ae10a5462b91'
file = "/srv/jathushan/data/apk/top1000/upload_manual/za.co.vodacom.android.app.apk"
EICAR_MD5 = "671793b66a4d6130e22c9fd101b122ea2b55ecb423bf061ddc91e65be51ffc0d"
vt = VirusTotalPrivateApi(API_KEY)
response = vt.get_file_report(EICAR_MD5)
# print(json.dumps(response, sort_keys=False, indent=4))
s = int(sys.argv[1])
# aa = np.load("/home/jathushan/2018/app_analysis/data/uploaded.npy")
# c = 0
aa = os.listdir("/srv/jathushan/data/apk/top1000/main/top1000/")
c = 0
if ((s + 1) * 100 > 950):
aa = aa[s * 100:-1]
else:
aa = aa[s * 100:(s + 1) * 100]
for i in aa:
from __future__ import print_function
import json
import hashlib
import pymysql
from virus_total_apis import PrivateApi as VirusTotalPrivateApi
from datetime import datetime
API_KEY = 'APIKEY'
vt = VirusTotalPrivateApi(API_KEY)
resobj = []
with open ('sha.txt', 'r', encoding='utf-8') as istr:
for line in istr:
mysha = line
print(line)
response = vt.get_file_report(mysha)
resobj.append(response)
timestamp=datetime.now()
variable="C:\\VT_Query_Automation\\data_"
cur_day_format = timestamp.strftime("%Y-%m-%d_%H")
with open(variable+cur_day_format+".json", "w", encoding='utf-8') as write_file:
json.dump(resobj, write_file, ensure_ascii=False)
class VirusTotal(Processor):
name = "virustotal"
category = "sandbox"
default_options = {
"report_sleep": 60,
"retry_count": 10,
"send_files": True,
"enabled": False,
}
required_options = ["api_key"]
filetypes_exclude = FILETYPES_ARCHIVE + ["text/url"]
def setup(self):
self.vt_key = self.options.get("api_key")
self.vt_type = self.options.get("key_type", "")
if self.vt_type == "public":
self.vt = PublicApi(key=self.vt_key)
elif self.vt_type == "":
self.vt = PublicApi(key=self.vt_key)
elif self.vt_type == "private":
self.vt = PrivateApi(key=self.vt_key)
def get(self, file_hash):
result = self.vt.get_file_report(file_hash)
if result["response_code"] is not VT_RESPONSE_OK:
return None
report = result["results"]
if report["response_code"] is not VT_SCAN_OK:
return None
return report
def scan(self, sample_data):
retry_count = 0
scan_request = self.vt.scan_file(sample_data, from_disk=False)
file_hash = scan_request["results"]["sha256"]
while retry_count <= self.options.get("retry_count"):
sleep(self.options.get("report_sleep"))
report = self.get(file_hash)
if report:
return report
retry_count += 1
raise RuntimeError("Maximum retries waiting for scan result for %s" %
file_hash)
def process(self, sample):
file_hash = hash_data(sample["data"])
report = self.get(file_hash)
if not report:
self.logger.info("Sample %s not found on VirusTotal" % file_hash)
if not self.options.get("send_files"):
return {"scan_id": "not found"}
self.logger.info("Sending %s to VirusTotal" % file_hash)
report = self.scan(sample["data"])
detections = []
for av, res in report["scans"].items():
if res["detected"]:
self.parse_av_tags(res["result"])
detections.append({
"av": av,
"version": res["version"],
"result": res["result"]
})
if report["positives"] > 0:
self.add_tag("malware")
if self.key_type == "private":
if len(report["tags"]) > 1:
self.parse_tags(report["tags"])
if len(report["ITW_urls"]):
# add ITW urls as URL indicator
for url in report["ITW_urls"]:
self.add_ioc("urls", url)
return {
"scan_id": report["scan_id"],
"positives": report["positives"],
"scan_date": report["scan_date"],
"detections": sorted(detections, key=itemgetter("av")),
}
def parse_av_tags(self, malware_name):
if in_string(["banker", "banload"], malware_name):
self.add_tag("malware-banker")
if in_string(["trojan"], malware_name):
self.add_tag("malware-trojan")
if in_string(["bot"], malware_name):
self.add_tag("malware-botnet")
if in_string(["rat"], malware_name):
self.add_tag("malware-rat")
def parse_tags_malware(self, tag):
if tag in ["upx", "asprox", "themida"]:
self.add_tag("malware-packed")
def parse_tags_documents(self, tag):
if tag == "macros":
self.add_tag("document-contains-macros")
if tag.startswith("auto-"):
self.add_tag("document-contains-{0}".format(tag))
if tag.endswith("-file"):
self.add_tag("document-contains-{0}".format(tag))
if tag == "powershell":
self.add_tag("document-contains-powershell")
def parse_tags_pdf(self, tag):
if tag == "js-embedded":
self.add_tag("pdf-contains-javascript")
if tag == "flash-embedded":
self.add_tag("pdf-contains-flash")
if tag == "autoaction":
self.add_tag("pdf-contains-autoaction")
if tag == "acroform":
self.add_tag("pdf-contains-acroform")
if tag == "launch-action":
self.add_tag("pdf-contains-launchaction")
if tag == "file-embedded":
self.add_tag("pdf-contains-embeddedfiles")
def parse_tags_flash(self, tag):
if tag == "obfuscated":
self.add_tag("flash-obfuscated")
if tag == "javascript":
self.add_tag("flash-contains-javascript")
ignore_tags = ["flash-embedded", "js-embedded", "file-embedded"]
if tag.endswith("-embedded") and tag not in ignore_tags:
# swap $type-embedded. i.e., converts to 'flash-contains-embedded-exe', etc.
tag = tag.split("-")
self.add_tag("flash-contains-{0}-".format(tag[1], tag[0]))
def parse_tags(self, sample_tags):
for tag in sample_tags:
# malware packer specific
self.parse_tags_malware(tag)
# osx specific
if tag == "dropper":
self.add_tag("malware-dropper")
# Tags to be captured as-is
as_is_tags = ["encrypted", "exploit"]
if tag in as_is_tags:
self.add_tag(tag)
# cves
if "cve" in tag:
self.add_tag(tag.lower())
# document specific tags
self.parse_tags_documents(tag)
# pdf specific tags
self.parse_tags_pdf(tag)
# flash specific tags
self.parse_tags_flash(tag)
val2 = 'fs:' + cur_day_format
url = 'https://www.virustotal.com/vtapi/v2/file/search'
params = {
'apikey': 'APIKEY',
'query': val2 + '+'
' engines:lnk tag:lnk avira:clean'
}
response = requests.get(url, params=params)
data = response.json()
with open(val1 + cur_day_format + '.json', 'w', encoding='utf-8') as outfile:
json.dump(data, outfile, ensure_ascii=False)
### file read ###
with open(val1 + cur_day_format + ".json", "rb") as myfile:
data1 = myfile.read()
obj = json.loads(data1)
### full report generate ###
API_KEY = 'APIKEY'
vt = VirusTotalPrivateApi(API_KEY)
resobj = []
if 'hashes' in obj:
sha256_hash = obj['hashes']
for x in sha256_hash:
response = vt.get_file_report(x)
resobj.append(response)
with open("data_" + cur_day_format + ".json", "w",
encoding='utf-8') as write_file:
json.dump(resobj, write_file, ensure_ascii=False)
