    def init(self, parameters, resources):
        """Configure the actor: deployment handle, VT credentials, model handle, cache.

        Reads '_key', 'qpm', 'ttl' and 'cache_size' from ``parameters`` and
        'deployment' / 'modeling' from ``resources``.  Without a static key
        the credential refresh is scheduled instead of building the client,
        so ``self.vt`` stays unset until ``refreshCredentials`` succeeds.
        """
        self.deploymentManager = CreateOnAccess(self.getActorHandle,
                                                resources['deployment'],
                                                nRetries=3,
                                                timeout=30)
        self.key = parameters.get('_key', None)

        # Maximum number of queries per minute
        self.qpm = parameters.get('qpm', 4)
        # Time-to-live in seconds, one week by default (what it applies to
        # is decided by the code that reads it, not here)
        self.ttl = parameters.get('ttl', (60 * 60 * 24 * 7))

        if self.key is not None:
            self.log('got virustotal key from parameters')
            self.vt = virustotal.VirusTotal(self.key, limit_per_min=self.qpm)
        else:
            # No static key: poll the deployment manager for one every minute
            self.schedule(60, self.refreshCredentials)
            self.log('got virustotal key from deployment manager')
            self.logCritical('missing API key')

        self.vtMutex = Mutex()

        self.Model = self.getActorHandle(resources['modeling'],
                                         timeout=10,
                                         nRetries=5)

        # Cache size
        self.cache_size = parameters.get('cache_size', 5000)
        self.cache = RingCache(maxEntries=self.cache_size, isAutoAdd=False)

        self.handle('get_report', self.getReport)
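def scan_files(filelist, apikey):
    """Send files for scanning and collect their reports.

    Submits each entry of ``filelist`` (objects with a ``filename``
    attribute) to VirusTotal with ``apikey`` and waits for its report,
    polling once a minute.  VT answers immediately for a file whose hash
    it already knows.  If the wall clock since the first submission exceeds
    ``options.TIME_OUT`` seconds the process exits.

    Returns the list of report objects in ``filelist`` order.
    """
    log.info("Sending files and retrieving reports...")
    v = virustotal.VirusTotal(apikey)
    startscantime = time.time()
    reports = []
    log.info("Sending files to be scanned...\n")
    for zfile in filelist:
        # submit the file
        basename = os.path.basename(zfile.filename)
        log.debug("Sending %s for scan...", basename)
        report = v.scan(zfile.filename)
        log.debug("File sent.  Report pending: %r", report)
        log.info("   Waiting for report...")
        while not report.done:
            # Re-read the clock on every pass: the elapsed time used to be
            # computed once before the loop, so once waiting began the
            # timeout could never trigger.
            if time.time() - startscantime > options.TIME_OUT:
                log.warning("Timeout reached in vtscanner.scan_files.")
                log.warning("VIRUS SCAN NOT COMPLETE.")
                sys.exit(0)
            log.info(".")
            report.join(60)
        log.info("Report recieved for %s\n", basename)
        reports.append(report)
    log.info("All reports recieved.\n")
    return reports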
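    def each(self, target):
        """Scan ``target`` on VirusTotal and store the per-engine verdicts.

        Fills ``self.results`` with the sample's sha256, the share of engines
        flagging it, the scan id and the lists of engines reporting positive
        and negative, and registers every malware name as a "Malware" IoC.
        Returns True once the report is complete.

        The API key is read from the VT_API_KEY environment variable (name
        chosen here; adapt to the project's configuration) instead of being
        embedded in the source.
        """
        import os
        api_key = os.environ.get("VT_API_KEY")
        if not api_key:
            raise RuntimeError("VT_API_KEY is not set")
        v = virustotal.VirusTotal(api_key)
        vt_report = v.scan(target)
        vt_report.join()
        if not vt_report.done:
            # Explicit check instead of assert, which disappears under -O
            raise RuntimeError("VirusTotal report for %r is not complete" % (target,))

        total = vt_report.total
        results = {}
        results["sha256"] = vt_report.sha256
        # float(): under Python 2 a plain `/` on two ints truncated every
        # ratio below 1.0 to 0; also guard the no-engines case
        results["hit_ratio"] = float(vt_report.positives) / total if total else 0.0
        results["vt_scan_uid"] = vt_report.scan_id
        print()
        positive_avs = []
        negative_avs = []
        for antivirus, malware in vt_report:
            fields = [x.encode("ascii", "ignore") if x is not None else None
                      for x in antivirus]
            details = {"av_name": fields[0], "version": fields[1]}
            if malware is not None:
                name = malware.encode("ascii")
                details["malware_name"] = name
                positive_avs.append(details)
                self.add_ioc(name, "Malware")
            else:
                negative_avs.append(details)
        results["avs_reporting_positive"] = positive_avs
        results["avs_reporting_negative"] = negative_avs
        if HAVE_PPRINT:
            pprint(results)
        else:
            print(results)
        self.results = results

        return True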
def main():
    """Entry point: pull new hashes from Tanium, vet them, print the results.

    Imports the hash index from Tanium, optionally checks it against
    WildFire and/or VirusTotal (per the 'wildfire' / 'virustotal' flags in
    the 'config' section of ``config``), folds the verdicts back into the
    hash list and hands everything to ``output.Output``.
    """
    if debug:
        print("\nMODULE TANFIRE")
        print("FUNCTION main")

    stats = dict.fromkeys(
        ['computers_total', 'computers_hashes', 'total', 'excluded', 'unique',
         'wf_cache', 'wf_new', 'wf_uploaded',
         'vt_cache', 'vt_new', 'vt_uploaded', 'malware'], 0)
    # Empty unless the corresponding service is enabled below
    wf_hashes = {}
    vt_hashes = {}

    # Connect to Tanium and import the list of new hashes in the environment
    user, password = Credentials()
    tanium_handler = Tanium_Connect(user, password)
    hashes_list, hashes_unique, stats = Import_Index(tanium_handler, stats)

    for label, field in (('computers total', 'computers_total'),
                         ('computers hashes', 'computers_hashes'),
                         ('hashes total', 'total'),
                         ('hashes excluded', 'excluded'),
                         ('hashes unique', 'unique')):
        print label + ': ' + str(stats[field])

    # Check the unique hashes against WildFire (cache, then live; upload if necessary)
    if config.get('config', 'wildfire') == 'yes':
        wf_hashes, wf_stats = wildfire.WildFire(hashes_list, hashes_unique,
                                                tanium_handler)
        stats.update(wf_stats)

    # Check the unique hashes against VirusTotal (cache, then live if necessary)
    if config.get('config', 'virustotal') == 'yes':
        vt_hashes, vt_stats = virustotal.VirusTotal(hashes_list, hashes_unique)
        stats.update(vt_stats)

    # Update the hash list with the WildFire and VirusTotal verdicts
    hashes_list = Check(hashes_list, wf_hashes, vt_hashes)

    # Output results
    output.Output(hashes_list, stats)

    if debug:
        print(
            "\n----------------------------------END----------------------------------------------\n\n\n"
        )
 def refreshCredentials(self):
     """Pull the VirusTotal key from the deployment manager's global config.

     Requests 'get_global_config'; on success reads 'global/virustotalkey',
     treats the empty string as "no key", and rebuilds the VT client only
     when the key actually changed.  A failed request leaves ``self.key``
     and ``self.vt`` untouched.
     """
     resp = self.deploymentManager.request('get_global_config', {})
     if not resp.isSuccess:
         return
     previous = self.key
     fetched = resp.data['global/virustotalkey']
     self.key = fetched
     if fetched == '':
         self.key = None
     elif fetched != previous:
         self.log('new credentials')
         self.vt = virustotal.VirusTotal(self.key,
                                         limit_per_min=self.qpm)
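def test_vt_api(apikey):
    """Send up a test "scan" request to the VT api to make sure it's listening.

    Looks up the EICAR test string with ``apikey``; a report with at least
    one positive means the service answers.  Anything else (no positives,
    a transport error, a rejected key) is logged and the process exits 1.
    """
    log.debug("Testing VirusTotal API server...")
    v = virustotal.VirusTotal(apikey)
    try:
        report = v.get(StringIO.StringIO("X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"))
        if not report.positives:
            # A bare `raise` here had no active exception to re-raise and
            # only "worked" because the broad handler below caught the
            # resulting error; say what actually went wrong instead.
            raise RuntimeError("EICAR lookup returned no positives: %r" % (report,))
        log.debug("VirusTotal API seems alive.  LET'S DO THIS!")
    except Exception as e:
        log.error("VirustTotal API is not repsonding.  Virus scan cannot be completed:\n %s", e)
        sys.exit(1)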
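def main():
    """Entry point: push every un-scanned APK in the DB through VirusTotal.

    Fans the pending documents out over ``number_of_key`` worker threads
    (one API key each, taken from the module-level ``api_key`` list), then
    sweeps whatever is still pending from this thread with a single key,
    writing each APK to disk just long enough to submit it.

    The key for the final sweep comes from the VT_API_KEY environment
    variable (name chosen here); the list of keys that used to sit in a
    comment in this function has been removed — keys do not belong in
    source, and any that were committed should be rotated.
    """
    start = time.time()
    try:
        db = DB()
    except Exception:
        logging.error("DB error")
        raise

    number_of_key = 8
    # all documents whose VT scan flag is still False
    doc = db.get_all_vt_False()
    lock = threading.Lock()  # shared by the worker threads
    thread_data = spilt(doc, doc.count(), number_of_key)

    # one worker per API key, each with its own slice of the documents
    # (api_key must be defined at module level)
    thread_pool = [Thread_mongo(lock, api_key[i], thread_data[i])
                   for i in range(number_of_key)]
    for worker in thread_pool:
        worker.start()
    for worker in thread_pool:
        worker.join()

    # get the remaining data the workers did not finish
    doc = db.get_all_vt_False()

    sweep_key = os.environ.get('VT_API_KEY')
    if not sweep_key:
        raise RuntimeError('VT_API_KEY is not set')
    v = virustotal.VirusTotal(sweep_key)
    # send the leftovers one at a time from this thread
    for i in doc:
        print i['name']
        time.sleep(20)
        # basename(): the package name comes from the database, so it must
        # not be able to steer the write outside /tmp
        filename = os.path.join('/tmp', os.path.basename(i['pgname']) + '.apk')
        with open(filename, 'wb') as f:
            f.write(db.get_apk_file(i['apkdata']))

        try:
            av_result = submit_sample(v, filename)
        finally:
            # always remove the temporary copy, even if the submission fails
            os.remove(filename)
        db.update_av_report(i['_id'], av_result)

    end = time.time()

    print 'total used:', end - start, ' s'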
def main():
    """Entry point: look up every URL from the input file on VirusTotal.

    Configures file logging, fetches the URL reports, logs/reports each
    one, then waits for ENTER and opens the log file.
    """
    logging.basicConfig(filename=settings.LOG_FILE_NAME,
                        level=logging.INFO,
                        format='%(levelname)s %(asctime)s %(message)s',
                        datefmt='%m/%d/%Y %I:%M:%S %p')
    started = time.time()
    logging.info('Started')

    urls = get_urls_from_file(settings.URL_FILE_NAME)
    reports = virustotal.VirusTotal().retrive_url_reports(urls)
    for report in reports:
        log_and_report(report)

    elapsed = round(time.time() - started, 2)
    logging.info('Finished: ' + 'Time spent: ' + str(elapsed))
    input('Press ENTER to exit')
    # Windows-only: hands the log file to its default viewer
    os.startfile(settings.LOG_FILE_NAME)
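def scan(fname):
    """Scan ``args.directory/fname`` on VirusTotal and record the verdicts.

    Retries the submission up to 5 times (15 s apart) on any error, then
    stores the report as JSON in the ``Apps`` table of ``args.directory``
    + '.db3', retrying while the database is locked.  A file that never
    yields a report is skipped.

    The API key comes from the VT_API_KEY environment variable (name chosen
    here) rather than from the source file.
    """
    import os
    print("[" + fname + "] Scanning.")
    key = os.environ.get('VT_API_KEY')
    if not key:
        raise RuntimeError('VT_API_KEY is not set')
    v = virustotal.VirusTotal(key)
    report = None
    attempts = 0
    while report is None and attempts < 5:
        try:
            report = v.scan(args.directory + "/" + fname)
            report.join()
        except Exception:
            # usually the public-API rate limit: back off and try again
            print("[" + fname +
                  "] Limit reached (or other error). Waiting 15s.")
            time.sleep(15)  # Seconds.
            attempts += 1
            report = None

    if not report:
        return

    # engine name -> [version, update, detection]; a repeated name keeps
    # the last entry, as the original loop did
    classifications = {antivirus[0]: [antivirus[1], antivirus[2], malware]
                       for antivirus, malware in report}

    jsonStr = json.dumps({
        "total": report.total,
        "malware-positives": report.positives,
        "uid": report.id,
        "scan uid": report.scan_id,
        "md5": report.md5,
        "status": report.status,
        "classifications": classifications
    })

    while True:
        # sqlite raises OperationalError ("database is locked") while
        # another writer holds the lock; keep retrying only for that and
        # let every other error surface instead of looping forever.
        # (assumes `lite` is the sqlite3 module)
        try:
            con = lite.connect(args.directory + '.db3', timeout=15)
            try:
                with con:
                    con.execute("INSERT INTO Apps VALUES(?, ?)",
                                (fname, jsonStr))
            finally:
                con.close()
            return
        except lite.OperationalError:
            pass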
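def main(directory):
    """Scan every file in ``directory`` on VirusTotal and persist the verdicts.

    Loads previously saved results, skips files already present, saves a
    checkpoint after every 10 files and once more at the end so the tail of
    a run is no longer lost.  The API key is read from the VT_API_KEY
    environment variable (name chosen here) instead of the source.
    """
    key = os.environ.get('VT_API_KEY')
    if not key:
        raise RuntimeError('VT_API_KEY is not set')
    v = virustotal.VirusTotal(key)

    results = load_results()
    num = 0
    for i in os.listdir(directory):
        num += 1
        filename = directory + '/' + i
        # If we already have results for this, skip it
        if i in results:
            print "skipping", i
            continue
        print "scanning", i
        report = v.scan(filename)
        if 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' in report.scan_id:
            # That digest is SHA-256 of zero bytes, i.e. VT received an empty
            # upload.  This used to drop into pdb; flag it and carry on.
            print "EMPTY WTF!", i
        if not report.done:
            report.join()
        print report.permalink
        to_save = {
            'id': report.id,
            'scan_id': report.scan_id,
            'permalink': report.permalink,
            'status': report.status,
            'total': report.total,
            'positives': report.positives,
            'avs': []
        }

        num_malware = 0
        for av, malware in report:
            to_save['avs'].append({
                'name': av[0],
                'version': av[1],
                'update': av[2],
                'malware': malware
            })
            if malware:
                num_malware += 1

        print "num_malware", num_malware

        results[i] = to_save
        # checkpoint so a crash mid-run loses at most 10 files of work
        if num % 10 == 0:
            save_results(results)
    # ... and once more for the last partial batch
    save_results(results)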
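def retrieve_report(task):
    """Fetch the VirusTotal report for ``task['scan_id']`` and classify it.

    Sets ``task['ismalware']`` to MALWARE_NEGATIVE / MALWARE_POSITIVE when
    the report is finished and MALWARE_PENDING otherwise; on any error from
    the client (including a missing report) sets ``task['error']`` to
    ERROR_VIRUSTOTAL_REPORT instead.  Returns the same, mutated, task dict.
    """
    try:
        v = virustotal.VirusTotal(API_KEY)
        report = v.get(task['scan_id'])

        if not report.done:
            task['ismalware'] = MALWARE_PENDING
        elif report.positives == 0:
            task['ismalware'] = MALWARE_NEGATIVE
        else:
            task['ismalware'] = MALWARE_POSITIVE
    except Exception:
        # narrowed from a bare except so KeyboardInterrupt/SystemExit propagate
        task['error'] = ERROR_VIRUSTOTAL_REPORT

    return task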
    def init(self, parameters):
        """Configure the actor from ``parameters``: API key, rate limit, cache.

        A missing '_key' is logged as critical and leaves ``self.vt`` unset.
        """
        self.key = parameters.get('_key', None)
        # Maximum number of queries per minute
        self.qpm = parameters.get('qpm', 4)
        # Cache size
        self.cache_size = parameters.get('cache_size', 1000)

        if self.key is None:
            self.logCritical('missing API key')
        else:
            self.vt = virustotal.VirusTotal(self.key, limit_per_min=self.qpm)

        self.cache = RingCache(maxEntries=self.cache_size, isAutoAdd=False)
        self.handle('get_report', self.getReport)
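def buildResult(apkFingerprint, db, apkPath):
    """Scan ``apkPath`` on VirusTotal and return the enriched result document.

    Writes the per-engine results onto the AnalyzeSuccessResults document
    whose ``file_sha256`` equals ``apkFingerprint``, reads that document
    back and returns it as a dict with a computed ``threatQ`` added.
    Raises IndexError when no document matches the fingerprint.

    The VT API key is read from the VT_API_KEY environment variable (name
    chosen here); the key that used to sit in this function, in a comment
    and in the call, has been removed and should be rotated.
    """
    import os
    # permission list from user
    userPreferenceArr = ["android.permission.INTERNET"]

    # Get scan results from Virus total public API
    key = os.environ.get('VT_API_KEY')
    if not key:
        raise RuntimeError('VT_API_KEY is not set')
    v = virustotal.VirusTotal(key)
    virusTotalReportJSON = v.scan(apkPath)

    # Private attribute of the client's report object: the wrapper exposes
    # no public per-engine dict, so this is coupled to the library internals
    scanCompareResults = virusTotalReportJSON._report['scans']

    # update the virus total scan results in database
    db.AnalyzeSuccessResults.update_one(
        {"file_sha256": apkFingerprint},
        {"$set": {
            "scanCompareResults": scanCompareResults
        }})

    # fetch scan result from mongoDB
    analyzeSuccessResultsCollection = db.AnalyzeSuccessResults.find(
        {'file_sha256': apkFingerprint})

    json_docs = [
        json.dumps(doc, default=json_util.default)
        for doc in analyzeSuccessResultsCollection
    ]
    if not json_docs:
        raise IndexError("no AnalyzeSuccessResults document for " + apkFingerprint)
    jsonObject = json.loads(json_docs[0])

    # add the threat score to the main result object
    jsonObject['threatQ'] = calculateThreatQ(jsonObject, userPreferenceArr)
    return jsonObject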
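def upload_to_scan(task):
    """Upload ``task['name']`` to VirusTotal and record the outcome on the task.

    Stores the scan id in ``task['scan_id']`` and sets ``task['ismalware']``
    to MALWARE_NEGATIVE / MALWARE_POSITIVE when the report is already
    finished, MALWARE_PENDING otherwise.  On any error from the client sets
    ``task['error']`` to ERROR_VIRUSTOTAL_SCAN.  Returns the mutated task.
    """
    try:
        v = virustotal.VirusTotal(API_KEY)
        report = v.scan(task['name'])

        task['scan_id'] = report.scan_id
        if not report.done:
            task['ismalware'] = MALWARE_PENDING
        elif report.positives == 0:
            task['ismalware'] = MALWARE_NEGATIVE
        else:
            task['ismalware'] = MALWARE_POSITIVE
    except Exception:
        # narrowed from a bare except so KeyboardInterrupt/SystemExit propagate
        task['error'] = ERROR_VIRUSTOTAL_SCAN

    return task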
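def _main():
    """Count, per sample under ./samples/malfind/be2/, how many engines flag it.

    Submits each file with the module-level ``key`` and stores the number
    of engines reporting a detection in the module-level ``ratio_dict``,
    keyed by path.  A TypeError while reading the report (treated here as a
    transient failure) triggers a two-minute pause and one retry; a sample
    that still fails is reported and left out instead of being recorded
    with a bogus count of 0.
    """
    sample_dir = "./samples/malfind/be2/"
    # one client for the whole run so its per-minute limit is shared
    v = virustotal.VirusTotal(key)
    for name in os.listdir(sample_dir):
        path = sample_dir + name
        count = None
        for _attempt in range(2):
            try:
                report = v.scan(path)
                count = sum(1 for antivirus, malware in report
                            if malware is not None)
                break
            except TypeError:
                print "Program is going to sleep for two minutes"
                time.sleep(120)
        if count is None:
            print "Giving up on " + path
            continue
        ratio_dict[path] = count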
 def get_report(self, in_file):
     """
     Submit dumped PE to VT and return report object
     :param in_file: Path to dumped PE
     :return: VT report object, or None if the submission failed and
              debug.error() returned rather than aborting
     """
     if self._config.APIKEY is None:
         debug.error('Please provide a VirusTotal API Key')
     client = virustotal.VirusTotal(self._config.APIKEY)
     try:
         report = client.scan(in_file)
     except Exception as exc:
         debug.error(exc)
         return None
     # wait for VT to scan the file
     report.join()
     assert report.done is True
     return report
    def init(self, parameters):
        """Configure the module: 'key' is required; 'qpm', 'min_av' and
        'cache_size' fall back to 4, 5 and 200.

        Raises Exception when no key is given.
        """
        super(VirusTotal, self).init(parameters)

        self.key = parameters.get('key', None)
        if self.key is None:
            raise Exception('missing API key')

        # Maximum number of queries per minute
        self.qpm = parameters.get('qpm', 4)
        # Minimum number of AVs saying it's a hit before we flag it
        self.threshold = parameters.get('min_av', 5)
        # Cache size
        self.cache_size = parameters.get('cache_size', 200)

        self.vt = virustotal.VirusTotal(self.key, limit_per_min=self.qpm)
        self.cache = RingCache(maxEntries=self.cache_size, isAutoAdd=False)
def virus_total_report(md5):
	"""Print the VirusTotal report for the resource identified by ``md5``.

	Fetches the existing report with the module-level VT_API_KEY and
	prints its identifiers, hashes, status and totals, then one block per
	engine that returned a detection.
	"""
	report = virustotal.VirusTotal(VT_API_KEY).get(md5)
	print "Report"
	print "- Resource's UID:", report.id
	print "- Scan's UID:", report.scan_id
	print "- Permalink:", report.permalink
	print "- Resource's SHA1:", report.sha1
	print "- Resource's SHA256:", report.sha256
	print "- Resource's MD5:", report.md5
	print "- Resource's status:", report.status
	print "- Antivirus' total:", report.total
	print "- Antivirus's positives:", report.positives
	for antivirus, malware in report:
		if malware is None:
			continue
		engine, version, update = antivirus[0], antivirus[1], antivirus[2]
		print
		print "Antivirus:", engine
		print "Antivirus' version:", version
		print "Antivirus' update:", update
		print "Malware:", malware
    def init(self, parameters, resources):
        """Configure the actor: VT credentials, rate limit, TTL, model handle, cache.

        A missing '_key' is logged as critical and leaves ``self.vt`` unset.
        """
        self.key = parameters.get('_key', None)
        # Maximum number of queries per minute
        self.qpm = parameters.get('qpm', 4)
        # Time-to-live in seconds, one week by default (consumed elsewhere)
        self.ttl = parameters.get('ttl', (60 * 60 * 24 * 7))
        # Cache size
        self.cache_size = parameters.get('cache_size', 5000)

        if self.key is None:
            self.logCritical('missing API key')
        else:
            self.vt = virustotal.VirusTotal(self.key, limit_per_min=self.qpm)

        self.Model = self.getActorHandle(resources['modeling'],
                                         timeout=3,
                                         nRetries=0)
        self.cache = RingCache(maxEntries=self.cache_size, isAutoAdd=False)
        self.handle('get_report', self.getReport)
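def checkSavedListOnVT(VTAPIToken, unknownList):
	"""Re-check hashes VirusTotal did not know and rewrite unknownlist.txt.

	Every hash in ``unknownList`` that now yields a completed VT report is
	announced and dropped; the rest are written back to unknownlist.txt,
	one per line.  Any failure while querying a hash (no report, transport
	error, rejected key) keeps that hash on the list rather than losing it.
	"""
	stillUnknown = []
	printLog("Updating Unknown list to see if Virus Total has their hash now...")
	v = virustotal.VirusTotal(VTAPIToken)
	for h in unknownList:
		try:
			# v.get() returns None for an unknown hash; the .join() on it
			# then raises and the hash stays on the list
			report = v.get(h)
			# wait for report to finish
			report.join()
			if not report.done:
				# explicit check instead of assert, which vanishes under -O
				raise RuntimeError('report for ' + h + ' not complete')
		except Exception:
			# best effort: an unreachable API must not shrink the list
			stillUnknown.append(h)
			continue
		printWarning('Hash: ' + h + ' is now in VirusTotal and will be removed from unknownlist.txt')

	with open("unknownlist.txt", "w") as out:
		for h in stillUnknown:
			out.write(h + '\n')
	printSuccess("unknownlist.txt has been successfully updated!")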
#!/usr/bin/env python

import os
import json
import sys
import virustotal
import ConfigParser
import sqlite3

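conf = ConfigParser.ConfigParser()
conf.read(sys.argv[1])

# VT API key from the environment (variable name chosen here), never a
# literal in the source; the key that used to be here should be rotated
_vt_key = os.environ.get('VT_API_KEY')
if not _vt_key:
    sys.exit('VT_API_KEY is not set')
vt = virustotal.VirusTotal(_vt_key)

database = conf.get('Main', 'db')

conn = sqlite3.connect(database)
cur = conn.cursor()

basedir = conf.get('Main', 'basedir')
logdir = os.path.join(basedir, 'logs')

cur.execute('SELECT uuid,md5 FROM samples')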
for uuid, md5 in cur.fetchall()[-100:]:
    print uuid, md5
    rep = vt.get(md5)
    fname = os.path.join(logdir, 'vt', uuid + '.json')
    f = open(fname, 'w')
    if rep:
        rep.join()
__author__ = "Raoul Endresl"
__copyright__ = "Copyright 2016"
__license__ = "BSD"
__version__ = "0.1"
__status__ = "Prototype"

# Get of my damn API_KEY. Free API, register at virustotal.com
# Keep the real key out of the source: read it from a config file or an
# environment variable at run time (and rotate any key that was committed).
API_KEY = "[KEY GOES HERE]"

parser = argparse.ArgumentParser(description='Searches a given file for hashes and checks these against VirusTotal.')
parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true", default=False)
# argparse opens the file itself; nothing in view closes the handle
parser.add_argument("filename", type=argparse.FileType('r'), help="file to search for MD5 hashes")

args = parser.parse_args()

# NOTE(review): the second argument 0 is presumably the client-side
# per-minute limit (i.e. none) — confirm against the virustotal module
v = virustotal.VirusTotal(API_KEY,0)

if args.verbose:
    print """
   _  _  ________          __   
__| || |_\_____  \___  ___/  |_ 
\   __   //  ____/\  \/ /\   __\\
 |  ||  |/       \ \   /  |  |  
/_  ~~  _\_______ \ \_/   |__|  
  |_||_|         \/             

"""

    print "[+] parsing " + args.filename.name

# whole input read into memory; the hash search happens further down
data = args.filename.read()
# VT API key; fill in from config or the environment at run time and never
# commit a real value into this literal
VIRUSTOTALKEY = ''
# NOTE(review): presumably the notification address used when `notify` is
# set — its consumer is not in view
EMAIL = ''

#-------------------------------------------------------------------------------------------
# Variables
#-------------------------------------------------------------------------------------------
buffer = 65536      # read chunk size in bytes (shadows the Python 2 builtin `buffer`)
localfile = None    # path of the file to check; assigned elsewhere
check = False
notify = False
# One module-level hasher per algorithm: they accumulate across every
# update() call, so hashing more than one file per run would mix digests
md5 = hashlib.md5()
sha1 = hashlib.sha1()
sha256 = hashlib.sha256()
sha512 = hashlib.sha512()
# client built at import time with whatever VIRUSTOTALKEY holds
v = virustotal.VirusTotal(VIRUSTOTALKEY)


def checkFile():
    try:
        if os.path.isfile(localfile) is False:
            print bcolors.WARNING, '[?] Does: ' + file + ' Exist?', bcolors.ENDC
            print bcolors.FAIL, '[!] Error: File not found...\n', bcolors.ENDC
            exit(0)
        print bcolors.OKBLUE, ('[+] Checking File:   ' + localfile +
                               '\n'), bcolors.ENDC
        with open(localfile, 'rb') as f:
            while True:
                data = f.read(buffer)
                if not data:
                    break
#!/usr/bin/python
# This is a simple python script writtern to find the reputation of files on virustotal,this script will help us in scanning all the files
# in a directory and its subdirectories,we can also scan single files and hashes
# Sign into VirusTotal,you will be provided with an api_key,paste the api_key between the double quotes in the field mentioned below and you are good to go
# this script is a property of Arnold Anthony

import os
import virustotal
import sys
import argparse

# Placeholder only: load the real key from config or the environment rather
# than pasting it into this literal and committing it
virus = virustotal.VirusTotal(
    "Paste your API_KEY here")  # <--------paste your api_key
upload = sys.argv  # raw argv; directory() below indexes it positionally (upload[2])
parser = argparse.ArgumentParser(
    description=
    'Virustotal is a great source to find the reputation of suspicious files.We generally upload a single file and check for its reputation,Assume if we have a Directory having many subdirectories and files,it would be difficult to upload files one by one and check for its reputation.Hence to overcome this issue i have writtern a small python script that will give the reputation of all the files in a directory.We can also upload a single file or a hash.This script is cross platform it can run on both windows and linux. '
)
parser.add_argument("-d", "--directory", help="Scan files in a directory ")
parser.add_argument("-f", "--file", help="Scan a file or a hash")
# NOTE(review): parsed but the code in view reads sys.argv directly — confirm
# which of the two the rest of the file relies on
args = parser.parse_args()


def directory():

    path = upload[2]

    for root, dirs, files in os.walk(path):

        for filename in files:
import os

import virustotal #Importing the VirusTotal API module

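# API key from the environment (variable name chosen here) instead of a
# literal in the source; the key that used to be here should be rotated
_vt_key = os.environ.get("VT_API_KEY")
if not _vt_key:
    raise SystemExit("VT_API_KEY is not set")
scanner = virustotal.VirusTotal(_vt_key) #Initializing the VirusTotal API Key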

def banner():
	"""Print the JOHN logo and credits (Python 2 print statements)."""
	lines = [
		"\n\n",
		"\t\t     _  ___  _   _ _   _ ",
		"\t\t    | |/ _ \| | | | \ | |",
		"\t\t _  | | | | | |_| |  \| |",
		"\t\t| |_| | |_| |  _  | |\  |",
		"\t\t \___/ \___/|_| |_|_| \_|",
		"\t\t                         ",
		"\t\tAutomated VirusTotal-powered Malware Scanner\n\n",
		"[#] Developed By John Chakauya",
	]
	for line in lines:
		print line

banner()  # logo printed at import time, before any scan is requested

def malware_scan(scan_file):

	scan_report = scanner.scan(scan_file) #Scanning the user entered file

	if scan_report.done:
		print(scan_report)

	print "\nFULL SCAN REPORT:"
	for av, malware in scan_report:                    #Output full scan report
		print "- %s (%s, %s):\t%s" % (av[0], av[1], av[2], malware, )

	        print

	print("\n*** REPORT SUMMARY ***:")
import os
import sys

import virustotal

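# API key from the environment (variable name chosen here); keep it out of
# the source — the key that used to be here should be rotated
_vt_key = os.environ.get("VT_API_KEY")
if not _vt_key:
    sys.exit("VT_API_KEY is not set")
v = virustotal.VirusTotal(_vt_key)
# first command-line argument is the file to submit
report = v.scan(sys.argv[1])

print "Report"
print "- Resource's UID:", report.id
print "- Scan's UID:", report.scan_id
print "- Permalink:", report.permalink
print "- Resource's SHA1:", report.sha1
print "- Resource's SHA256:", report.sha256
print "- Resource's MD5:", report.md5
print "- Resource's status:", report.status
print "- Antivirus' total:", report.total
print "- Antivirus's positives:", report.positives
# one block per engine that returned a detection
for antivirus, malware in report:
    if malware is not None:
        print
        print "Antivirus:", antivirus[0]
        print "Antivirus' version:", antivirus[1]
        print "Antivirus' update:", antivirus[2]
        print "Malware:", malware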
#!/usr/bin/env python2

import argparse
import json
import time
import virustotal
import os

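# API key from the environment (variable name chosen here), never a literal
# in the source; the key that used to be here should be rotated
_vt_key = os.environ.get('VT_API_KEY')
if not _vt_key:
    raise SystemExit('VT_API_KEY is not set')
v = virustotal.VirusTotal(_vt_key)

parser = argparse.ArgumentParser(
    description='Scan a directory with VirusTotal.')
parser.add_argument('directory', type=str)
parser.add_argument('output_json', type=str)
args = parser.parse_args()

# resume from a previous run: the output file doubles as the result store
if not os.path.isfile(args.output_json):
    db = {}
else:
    with open(args.output_json) as f:
        db = json.load(f)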

for fname in os.listdir(args.directory):
    if os.path.getsize(args.directory + "/" + fname) > 32000000:
        continue
    if fname not in db:
        print(" + Scanning: '" + args.directory + "/" + fname + "'.")
        report = None
        attempts = 0
import virustotal

# placeholder: supply the real key via config or the environment, not by
# editing (and committing) this literal
v = virustotal.VirusTotal("Enter your API key")
# NOTE(review): get() is called with a hash / resource id elsewhere; verify
# what the library expects before passing a path here
report = v.get("path for suspicious files")

print "Report"
# `+` rather than `,`: every field must already be a str — a None value
# raises TypeError here instead of printing "None"
print "- Resource's UID:" + report.id
print "- Scan's UID:" + report.scan_id
print "- Permalink:" + report.permalink
print "- Resource's SHA1:" + report.sha1
print "- Resource's SHA256:" + report.sha256
print "- Resource's MD5:" + report.md5
print "- Resource's status:" + report.status
print "- Antivirus' total:" + str(report.total)
print "- Antivirus's positives:" + str(report.positives)
# one block per engine that returned a detection
for antivirus, malware in report:
    if malware is not None:
        print
        print "Antivirus:" + antivirus[0]
        print "Antivirus' version:" + antivirus[1]
        print "Antivirus' update:" + antivirus[2]
        print "Malware:" + malware
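def buildResult(apkFingerprint, db, apkPath, preference):
    """Build the analysis result document for one APK.

    When the file at ``apkPath`` is under the size gate it is submitted to
    VirusTotal and the per-engine results are written onto the
    AnalyzeSuccessResults document whose ``file_sha256`` equals
    ``apkFingerprint``.  The document is then read back, enriched with the
    user's ``preference`` results and a ``threatQ`` score, and returned as
    a dict.  Raises IndexError when no document matches the fingerprint.

    The VT API key is read from the VT_API_KEY environment variable (name
    chosen here); the key that used to sit in this function, in a comment
    and in the call, has been removed and should be rotated.
    """
    # permission list from user
    userPreferenceArr = ["android.permission.INTERNET"]

    # 24 MiB gate (NOTE(review): presumably the VT upload limit — confirm)
    is_file_virus_scan_enable = os.stat(apkPath).st_size < 25165824
    # %s placeholder: passing the flag as a bare extra argument made logging
    # report "not all arguments converted" instead of emitting the message
    logging.info("File enabled for virus scan %s", is_file_virus_scan_enable)

    if is_file_virus_scan_enable:
        key = os.environ.get('VT_API_KEY')
        if not key:
            raise RuntimeError('VT_API_KEY is not set')
        # Get scan results from Virus total public API
        v = virustotal.VirusTotal(key)
        logging.info("Getting virus total information of apk from apk path %s",
                     apkPath)
        virusTotalReportJSON = v.scan(apkPath)

        # Private attribute of the client's report object: the wrapper
        # exposes no public per-engine dict
        scanCompareResults = virusTotalReportJSON._report['scans']

        # update the virus total scan results in database
        db.AnalyzeSuccessResults.update_one(
            {"file_sha256": apkFingerprint},
            {"$set": {
                "scanCompareResults": scanCompareResults
            }})

    # fetch scan result from mongoDB
    logging.info("Fetch results from mongoDB with fingerprint %s",
                 apkFingerprint)
    analyzeSuccessResultsCollection = db.AnalyzeSuccessResults.find(
        {'file_sha256': apkFingerprint})

    json_docs = [
        json.dumps(doc, default=json_util.default)
        for doc in analyzeSuccessResultsCollection
    ]
    logging.info("Count of result retrieved from mongodb is: %d",
                 len(json_docs))
    if not json_docs:
        raise IndexError("no AnalyzeSuccessResults document for " + apkFingerprint)
    jsonObject = json.loads(json_docs[0])

    # add the preference results and the threat score to the main result object
    jsonObject = addPreferenceResults(jsonObject, preference)
    jsonObject['threatQ'] = calculateThreatQ(jsonObject, userPreferenceArr)

    return jsonObject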
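def scan_vt():
    """Interactively submit the carved files (or their MD5s) to VirusTotal.

    Asks whether to send hashes or whole files and for the API key, then
    for every file in ./carved_files writes
    reports/<name>_virustotal_report.txt and appends a row to
    reports/virustotal_consolidated_report.csv.  A hash VT does not know is
    reported and skipped; a failed connection re-runs the prompt from the
    top and then returns, instead of carrying on with a stale or undefined
    report as the previous version did.
    """
    # Give the user the choice of submitting the suspicious files or simply their hashes
    user_selection = raw_input(
        "You indicated to submit suspicious files to VirusTotal, do you wish to send"
        " the hash or actual file? \nNote: Submitting the file may reveal sensitive information to the VirusTotal service "
        " and can take considerable time if a large number of files are submitted.\nPlease enter 'hash' or 'file':"
    )
    # Validate once, up front: the old per-file check recursed and then fell
    # through to the report-writing code without a report.
    if user_selection not in ('hash', 'file'):
        print "Incorrect input, please enter 'hash' or 'file' without quotations."
        return scan_vt()

    # Have the user input their VirusTotal API key and initiate a session to VirusTotal
    api_key = raw_input("Please enter your VirusTotal API key:")
    vt_handler = virustotal.VirusTotal(api_key)

    reports_dir = os.path.join(os.getcwd(), "reports")
    carved_dir = os.path.join(os.getcwd(), "carved_files")
    if not os.path.exists(reports_dir):
        os.makedirs(reports_dir)

    # Create a CSV which will serve as a consolidated report of VirusTotal
    # results; the `with` closes the handle the old code leaked
    with open(os.path.join(reports_dir, "virustotal_consolidated_report.csv"),
              'w') as csv_file:
        consolidated_report = csv.writer(csv_file, dialect=csv.excel,
                                         delimiter=',')
        consolidated_report.writerow([
            "Filename", "MD5 Hash", "SHA1 Hash", "SHA256 Hash", "Total A/V",
            "Positive Hits"
        ])

        for name in os.listdir(carved_dir):
            path = os.path.join(carved_dir, name)
            if user_selection == 'hash':
                # Look the file's MD5 up without uploading anything
                file_hash = hashlib.md5()
                with open(path, "rb") as open_file:
                    file_hash.update(open_file.read())
                try:
                    report = vt_handler.get(file_hash.hexdigest())
                except HTTPError as error:
                    print "Unable to obtain successful connection to VirusTotal API.\n%s " % error
                    print "Service may be down or perhaps you entered the wrong API key."
                    return scan_vt()

                print "Waiting for VirusTotal results of %s to return..." % name

                # An unknown hash has no report: say so and move on to the
                # next file (the old `break` abandoned the rest of the list)
                if report is None:
                    print "No report based on hash of %s is available." % name
                    continue
            else:
                # Upload the file itself; same connection handling as above
                try:
                    report = vt_handler.scan(path, reanalyze=True)
                    print "Waiting for VirusTotal results of %s to return..." % name
                except HTTPError as error:
                    print "Unable to obtain successful connection to VirusTotal API. %s " % error
                    print "Service may be down or perhaps you entered the wrong API key."
                    return scan_vt()

            # Poll until VirusTotal has finished analysing the resource
            while True:
                try:
                    report.join()
                    if not report.done:
                        raise RuntimeError("report not complete")
                    break
                except Exception:
                    print "Still waiting for VirusTotal results to return..."
                    time.sleep(3)

            # Per-file report: identifiers, hashes, permalink, totals and
            # every engine that flagged the file
            report_path = os.path.join(reports_dir,
                                       '%s_virustotal_report.txt' % name)
            with open(report_path, 'w') as outfile:
                outfile.write("File ID: " + report.id + "\n")
                outfile.write("Scan ID: " + report.scan_id + "\n")
                outfile.write("Permalink: " + report.permalink + "\n")
                outfile.write("SHA1 Hash: " + report.sha1 + "\n")
                outfile.write("SHA256 Hash: " + report.sha256 + "\n")
                outfile.write("MD5 Hash: " + report.md5 + "\n")
                outfile.write("Total antivirus products which scanned the file: " +
                              str(report.total) + "\n")
                outfile.write("Total positive malicious/malware hits by antivirus: " +
                              str(report.positives) + "\n")

                for antivirus, malware in report:
                    if malware is not None:
                        outfile.write("Antivirus: " + antivirus[0] + "\n")
                        outfile.write("Antivirus version: " + antivirus[1] + "\n")
                        outfile.write("Antivirus update: " + antivirus[2] + "\n")
                        outfile.write("Malware: " + malware + "\n")

            # Write the consolidated information to the overall VirusTotal CSV report
            consolidated_report.writerow([
                name, report.md5, report.sha1, report.sha256, report.total,
                report.positives
            ])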