def init(self, parameters, resources):
    """Actor start-up: wire the deployment manager, the VirusTotal client, the modeling actor handle and the report cache.

    Reads ``_key``, ``qpm``, ``ttl`` and ``cache_size`` from ``parameters`` and the
    ``deployment`` / ``modeling`` actor names from ``resources``.
    """
    self.deploymentManager = CreateOnAccess(self.getActorHandle,
                                            resources['deployment'],
                                            nRetries=3,
                                            timeout=30)
    self.key = parameters.get('_key', None)
    # Maximum number of queries per minute, handed to the client as its rate limit
    self.qpm = parameters.get('qpm', 4)
    # Report lifetime defaults to one week, in seconds
    self.ttl = parameters.get('ttl', (60 * 60 * 24 * 7))
    if self.key is not None:
        self.log('got virustotal key from parameters')
    else:
        # No key in parameters: poll the deployment manager for one later.
        # NOTE(review): the log line below is written before any key has actually been fetched.
        self.schedule(60, self.refreshCredentials)
        self.log('got virustotal key from deployment manager')
    # The client is built unconditionally, even with a None key; presumably
    # refreshCredentials rebuilds it once a key arrives.
    self.vt = virustotal.VirusTotal(self.key, limit_per_min=self.qpm)
    if self.key is None:
        self.logCritical('missing API key')
    self.vtMutex = Mutex()
    self.Model = self.getActorHandle(resources['modeling'], timeout=10, nRetries=5)
    # Cache size
    self.cache_size = parameters.get('cache_size', 5000)
    self.cache = RingCache(maxEntries=self.cache_size, isAutoAdd=False)
    self.handle('get_report', self.getReport)
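def scan_files(filelist, apikey):
    """Send files for scanning and collect their reports.

    Each entry of ``filelist`` is submitted with ``VirusTotal.scan``, which returns
    immediately with an existing report when VirusTotal already knows the file's
    hash. The function then waits for the report, joining in 60-second steps, until
    ``options.TIME_OUT`` seconds have elapsed since this function started (per the
    original note: 1200 s by default, or whatever was passed with the ``-t``
    option); on timeout it logs a warning and exits the process.

    :param filelist: objects exposing a ``filename`` attribute (zip entries)
    :param apikey: VirusTotal API key
    :return: list of report objects, one per file, in input order
    """
    log.info("Sending files and retrieving reports...")
    v = virustotal.VirusTotal(apikey)
    startscantime = time.time()
    reports = []
    log.info("Sending files to be scanned...\n")
    for zfile in filelist:
        # submit the files
        basename = os.path.basename(zfile.filename)
        log.debug("Sending %s for scan...", basename)
        report = v.scan(zfile.filename)
        log.debug("File sent. Report pending: %r", report)
        log.info(" Waiting for report...")
        while not report.done:
            # Recompute the elapsed time on every pass: the original computed it once
            # before the loop, so the timeout branch could never be reached once waiting began.
            timedelta = time.time() - startscantime
            if timedelta <= options.TIME_OUT:
                log.info(".")
                report.join(60)
            else:
                log.warn("Timeout reached in vtscanner.scan_files.")
                log.warn("VIRUS SCAN NOT COMPLETE.")
                sys.exit(0)
        log.info("Report recieved for %s\n", basename)
        reports.append(report)
    log.info("All reports recieved.\n")
    return reports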
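def each(self, target):
    """Submit ``target`` to VirusTotal, wait for the report and store a summary in ``self.results``.

    Every flagged malware name is also registered as an IOC via ``self.add_ioc``.

    :param target: path of the file to scan
    :return: True once the report has been processed
    """
    # NOTE(review): the API key is hard-coded in source; load it from configuration or
    # the environment and treat the committed value as exposed.
    v = virustotal.VirusTotal(
        "572739f1adea8d064a8e7c6ca63a3d0bd53e9b65894b2817f164da15a81a7cef")
    vt_report = v.scan(target)
    vt_report.join()
    assert vt_report.done is True
    results = {}
    results["sha256"] = vt_report.sha256
    # Fraction of engines flagging the sample. Use true division: with integer
    # counts the original expression truncated to 0 or 1 under Python 2, and a
    # report listing no engines would raise ZeroDivisionError.
    total = vt_report.total
    results["hit_ratio"] = float(vt_report.positives) / total if total else 0.0
    results["vt_scan_uid"] = vt_report.scan_id
    print()
    positive_avs = []
    negative_avs = []
    for antivirus, malware in vt_report:
        # list(...) keeps the fields indexable on Python 3 too, where map() is lazy
        antivirus = list(map(
            lambda x: x.encode("ascii", "ignore") if x is not None else None,
            antivirus))
        details = {"av_name": antivirus[0], "version": antivirus[1]}
        if malware is not None:
            # NOTE(review): strict ascii encode here — a non-ASCII detection name would raise
            details["malware_name"] = malware.encode("ascii")
            positive_avs.append(details)
            self.add_ioc(malware.encode("ascii"), "Malware")
        else:
            negative_avs.append(details)
    results["avs_reporting_positive"] = positive_avs
    results["avs_reporting_negative"] = negative_avs
    if HAVE_PPRINT:
        pprint(results)
    else:
        print(results)
    self.results = results
    return True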
def main():
    """Entry point: pull new file hashes from Tanium, check them against WildFire and/or VirusTotal (per config), and emit the results."""
    if debug:
        print("\nMODULE TANFIRE")
        print("FUNCTION main")
    stats = {
        'computers_total': 0,
        'computers_hashes': 0,
        'total': 0,
        'excluded': 0,
        'unique': 0,
        'wf_cache': 0,
        'wf_new': 0,
        'wf_uploaded': 0,
        'vt_cache': 0,
        'vt_new': 0,
        'vt_uploaded': 0,
        'malware': 0,
    }
    # Per-service result dicts stay empty when that service is disabled in config
    wf_hashes = {}
    vt_hashes = {}
    # Connect to Tanium and import list of new hashes in the environment
    user, password = Credentials()
    tanium_handler = Tanium_Connect(user, password)
    hashes_list, hashes_unique, stats = Import_Index(tanium_handler, stats)
    for label, stat_key in (('computers total: ', 'computers_total'),
                            ('computers hashes: ', 'computers_hashes'),
                            ('hashes total: ', 'total'),
                            ('hashes excluded: ', 'excluded'),
                            ('hashes unique: ', 'unique')):
        print label + str(stats[stat_key])
    # Check dictionary of all the unique hashes with WildFire cache, directly, and upload if necessary.
    if config.get('config', 'wildfire') == 'yes':
        wf_hashes, wf_stats = wildfire.WildFire(hashes_list, hashes_unique, tanium_handler)
        stats.update(wf_stats)
    # Check dictionary of all the unique hashes with VirusTotal cache and directly if necessary.
    if config.get('config', 'virustotal') == 'yes':
        vt_hashes, vt_stats = virustotal.VirusTotal(hashes_list, hashes_unique)
        stats.update(vt_stats)
    # Update list of hashes with results of WildFire and VirusTotal checks
    hashes_list = Check(hashes_list, wf_hashes, vt_hashes)
    # Output results
    output.Output(hashes_list, stats)
    if debug:
        print(
            "\n----------------------------------END----------------------------------------------\n\n\n"
        )
def refreshCredentials(self):
    """Fetch the VirusTotal key from the deployment manager's global config and rebuild the client when it changed."""
    resp = self.deploymentManager.request('get_global_config', {})
    if not resp.isSuccess:
        return
    previous = self.key
    fetched = resp.data['global/virustotalkey']
    # An empty string means "no key configured".
    # NOTE(review): in that case the existing client is left as-is rather than rebuilt.
    if fetched == '':
        self.key = None
        return
    self.key = fetched
    if previous != fetched:
        self.log('new credentials')
        self.vt = virustotal.VirusTotal(self.key, limit_per_min=self.qpm)
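def test_vt_api(apikey):
    """Send up a test "scan" request to the VT api to make sure it's listening.

    Looks up the EICAR test string; exits the process with status 1 when the
    lookup fails or the returned report shows no positives.

    :param apikey: VirusTotal API key
    """
    log.debug("Testing VirusTotal API server...")
    v = virustotal.VirusTotal(apikey)
    try:
        report = v.get(StringIO.StringIO("X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"))
        if report.positives:
            log.debug("VirusTotal API seems alive. LET'S DO THIS!")
        else:
            # The original used a bare `raise` with no active exception, which only reached
            # the handler because re-raising nothing is itself an error. Raise explicitly.
            raise RuntimeError("EICAR lookup returned no positives")
    except Exception as e:
        log.error("VirustTotal API is not repsonding. Virus scan cannot be completed:\n %s", e)
        sys.exit(1)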
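def main():
    """Scan every stored APK not yet marked as scanned: fan the work out over worker threads, then sweep the remainder serially."""
    start = time.time()
    try:
        db = DB()
    except Exception:
        # Narrowed from a bare except so Ctrl-C / SystemExit propagate untouched.
        logging.error("DB error")
        raise
    number_of_key = 8
    # get all data whose scan flag is False
    doc = db.get_all_vt_False()
    lock = threading.Lock()  # thread lock
    thread_data = spilt(doc, doc.count(), number_of_key)
    # NOTE(review): `api_key` is not defined in this function; it has to come from the
    # module. The original carried a commented-out list of keys here — keys belong in
    # configuration, not in source or comments, and committed ones should be rotated.
    thread_pool = []
    # deal apk with md5
    for i in range(0, number_of_key):
        p = Thread_mongo(lock, api_key[i], thread_data[i])
        thread_pool.append(p)
    for i in thread_pool:
        i.start()
    for i in thread_pool:
        i.join()
    # get the remaining data
    doc = db.get_all_vt_False()
    # NOTE(review): hard-coded API key; load it from configuration and rotate the committed value.
    v = virustotal.VirusTotal('51d63dc8b2860fbd889ea73d564e361e1ec795ce2daadb1046771272336cdadf')
    # send the remaining apk data one at a time in this process
    for i in doc:
        print i['name']
        time.sleep(20)
        # Write the apk to disk so it can be submitted. The name comes from the database
        # record; NOTE(review): a fixed, predictable /tmp path — tempfile.mkstemp would avoid
        # collisions between runs.
        filename = '/tmp/' + i['pgname'] + '.apk'
        with open(filename, 'wb') as f:
            f.write(db.get_apk_file(i['apkdata']))
        try:
            av_result = submit_sample(v, filename)
        finally:
            # Remove the temp file even when submission fails (the original leaked it on error).
            os.remove(filename)
        db.update_av_report(i['_id'], av_result)
    end = time.time()
    print 'total used:', end - start, ' s'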
def main():
    """Script entry point: read URLs from the configured file, fetch their VirusTotal reports, log each one, then open the log."""
    logging.basicConfig(filename=settings.LOG_FILE_NAME,
                        level=logging.INFO,
                        format='%(levelname)s %(asctime)s %(message)s',
                        datefmt='%m/%d/%Y %I:%M:%S %p')
    started = time.time()
    logging.info('Started')
    urls = get_urls_from_file(settings.URL_FILE_NAME)
    reports = virustotal.VirusTotal().retrive_url_reports(urls)
    for report in reports:
        log_and_report(report)
    elapsed = round(time.time() - started, 2)
    logging.info('Finished: ' + 'Time spent: ' + str(elapsed))
    input('Press ENTER to exit')
    # os.startfile is Windows-only: opens the log file in its associated application
    os.startfile(settings.LOG_FILE_NAME)
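def scan(fname):
    """Scan one file from ``args.directory`` with VirusTotal and store its report as JSON in the SQLite database.

    The submission is retried up to five times with a 15 s pause (this is how the
    public API's rate limit surfaces). On success ``(fname, json)`` is inserted into
    the ``Apps`` table, retrying while the database is locked.

    :param fname: file name relative to ``args.directory``
    """
    print("[" + fname + "] Scanning.")
    # NOTE(review): hard-coded API key; load it from configuration and rotate the committed value.
    v = virustotal.VirusTotal(
        '8488f4b84e9c2010c95b17df236466a42f46e6762a2739da4caa6cf1c9178ad3')
    report = None
    attempts = 0
    while report is None and attempts < 5:
        try:
            report = v.scan(args.directory + "/" + fname)
            report.join()
        except Exception:
            # Narrowed from a bare except so KeyboardInterrupt can still stop the script.
            print("[" + fname + "] Limit reached (or other error). Waiting 15s.")
            time.sleep(15)  # Seconds.
            attempts = attempts + 1
            report = None
    if not report:
        return
    classifications = {}
    for antivirus, malware in report:
        classifications[antivirus[0]] = [antivirus[1], antivirus[2], malware]
    jsonStr = json.dumps({
        "total": report.total,
        "malware-positives": report.positives,
        "uid": report.id,
        "scan uid": report.scan_id,
        "md5": report.md5,
        "status": report.status,
        "classifications": classifications,
    })
    while True:
        # Connection errs when the database is locked.
        # Keep trying until we get the lock. Only OperationalError (the "database is
        # locked" error) is retried; the original's bare except spun forever on any
        # other failure, e.g. a missing table.
        try:
            con = lite.connect(args.directory + '.db3', timeout=15)
        except lite.OperationalError:
            continue
        try:
            # `with con` commits on success and rolls back on error
            with con:
                cur = con.cursor()
                cur.execute("INSERT INTO Apps VALUES(?, ?)", (fname, jsonStr))
            return
        except lite.OperationalError:
            continue
        finally:
            # the connection context manager does not close the connection itself
            con.close()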
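def main(directory):
    """Submit every file in ``directory`` to VirusTotal and persist a per-file summary via ``save_results``.

    Files already present in ``load_results()`` are skipped. Results are checkpointed
    every ten files and once more at the end.

    :param directory: directory whose entries are scanned
    """
    # NOTE(review): hard-coded API key; load it from configuration and rotate the committed value.
    v = virustotal.VirusTotal(
        '2309e69bc73268e3d124e2168c639033a818ff05d36f8593c52b811ebb6ea1fe')
    results = load_results()
    num = 0
    for i in os.listdir(directory):
        num += 1
        filename = directory + '/' + i
        # If we already have results for this, skip it
        if i in results:
            print "skipping", i
            continue
        print "scanning", i
        report = v.scan(filename)
        # e3b0c442... is the SHA-256 of empty input, so a scan id containing it means an
        # empty upload. NOTE(review): this drops into an interactive debugger — replace
        # with logging before running unattended.
        if 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' in report.scan_id:
            print "EMPTY WTF!"
            import pdb
            pdb.set_trace()
        if not report.done:
            report.join()
        print report.permalink
        to_save = {
            'id': report.id,
            'scan_id': report.scan_id,
            'permalink': report.permalink,
            'status': report.status,
            'total': report.total,
            'positives': report.positives,
            'avs': [],
        }
        num_malware = 0
        for av, malware in report:
            to_save['avs'].append({
                'name': av[0],
                'version': av[1],
                'update': av[2],
                'malware': malware,
            })
            if malware:
                num_malware += 1
        print "num_malware", num_malware
        results[i] = to_save
        # Checkpoint every ten files so a crash mid-run loses little work
        if num % 10 == 0:
            save_results(results)
    # Final flush: the original only saved on every tenth file, so the tail of a run
    # whose file count was not a multiple of ten was never written.
    save_results(results)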
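def retrieve_report(task):
    """Fetch the VirusTotal report for ``task['scan_id']`` and record the verdict on the task.

    Sets ``task['ismalware']`` to MALWARE_NEGATIVE / MALWARE_POSITIVE when the report
    is complete and MALWARE_PENDING otherwise; any failure is recorded as
    ``task['error'] = ERROR_VIRUSTOTAL_REPORT`` instead of propagating.

    :param task: mutable dict describing the task; mutated in place
    :return: the same ``task``
    """
    try:
        v = virustotal.VirusTotal(API_KEY)
        report = v.get(task['scan_id'])
        if not report.done:
            task['ismalware'] = MALWARE_PENDING
        elif report.positives == 0:
            task['ismalware'] = MALWARE_NEGATIVE
        else:
            task['ismalware'] = MALWARE_POSITIVE
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit are not recorded as a VT error
        task['error'] = ERROR_VIRUSTOTAL_REPORT
    return task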
def init(self, parameters):
    """Actor start-up: read the API key and rate limit, build the VirusTotal client (when a key is present) and the report cache."""
    key = parameters.get('_key', None)
    self.key = key
    if key is None:
        self.logCritical('missing API key')
    # Maximum number of queries per minute
    self.qpm = parameters.get('qpm', 4)
    # Without a key no client is built; the critical log above is the only signal
    if key is not None:
        self.vt = virustotal.VirusTotal(key, limit_per_min=self.qpm)
    # Cache size
    self.cache_size = parameters.get('cache_size', 1000)
    self.cache = RingCache(maxEntries=self.cache_size, isAutoAdd=False)
    self.handle('get_report', self.getReport)
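def buildResult(apkFingerprint, db, apkPath):
    """Scan ``apkPath`` with VirusTotal, store the per-engine results on the APK's MongoDB record and return the enriched record with a threat score.

    :param apkFingerprint: SHA-256 of the APK (``file_sha256`` in AnalyzeSuccessResults)
    :param db: pymongo database handle
    :param apkPath: path of the APK to submit
    :return: the AnalyzeSuccessResults document (as a plain dict) with ``threatQ`` added
    :raises IndexError: when no document matches ``apkFingerprint``
    """
    # permission list from user
    userPreferenceArr = ["android.permission.INTERNET"]
    # NOTE(review): the API key is hard-coded (the original also repeated it in a comment,
    # next to a commented-out MongoDB connection string); move both to configuration or
    # the environment and rotate the committed key.
    v = virustotal.VirusTotal(
        '1adad59c01c25eaf3b3f2435c09c3ae253c9b81f2f156682c1fe81790223c584')
    # Get scan results from Virus total public API
    virusTotalReportJSON = v.scan(apkPath)
    # `_report` is a private attribute of the client library's report object — fragile across versions
    scanCompareResults = virusTotalReportJSON._report['scans']
    # update the virus total scan results in database
    db.AnalyzeSuccessResults.update_one(
        {"file_sha256": apkFingerprint},
        {"$set": {"scanCompareResults": scanCompareResults}})
    # fetch scan result from mongoDB
    analyzeSuccessResultsCollection = db.AnalyzeSuccessResults.find(
        {'file_sha256': apkFingerprint})
    json_docs = [
        json.dumps(doc, default=json_util.default)
        for doc in analyzeSuccessResultsCollection
    ]
    # Round-trip through JSON (bson types -> plain JSON types) before scoring
    jsonObject = json.loads(json_docs[0])
    jsonObject['threatQ'] = calculateThreatQ(jsonObject, userPreferenceArr)
    return jsonObject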
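def upload_to_scan(task):
    """Submit ``task['name']`` to VirusTotal, store the scan id and record the verdict on the task.

    Sets ``task['scan_id']`` and ``task['ismalware']`` (MALWARE_NEGATIVE /
    MALWARE_POSITIVE when the report is already complete, MALWARE_PENDING
    otherwise); any failure is recorded as ``task['error'] = ERROR_VIRUSTOTAL_SCAN``
    instead of propagating.

    :param task: mutable dict describing the task; mutated in place
    :return: the same ``task``
    """
    try:
        v = virustotal.VirusTotal(API_KEY)
        report = v.scan(task['name'])
        task['scan_id'] = report.scan_id
        if not report.done:
            task['ismalware'] = MALWARE_PENDING
        elif report.positives == 0:
            task['ismalware'] = MALWARE_NEGATIVE
        else:
            task['ismalware'] = MALWARE_POSITIVE
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit are not recorded as a VT error
        task['error'] = ERROR_VIRUSTOTAL_SCAN
    return task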
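def _main():
    """Scan every file under the malfind sample directory and record, per path, how many engines flagged it in ``ratio_dict``.

    ``key`` (the API key) and ``ratio_dict`` are module globals.
    """
    # renamed from `dir`, which shadowed the builtin
    sample_dir = "./samples/malfind/be2/"
    for name in os.listdir(sample_dir):
        count = 0
        path = sample_dir + name
        v = virustotal.VirusTotal(key)
        report = v.scan(path)
        try:
            for antivirus, malware in report:
                if malware is not None:
                    count += 1
        except TypeError:
            # scan() returned something that cannot be iterated (presumably a
            # rate-limit response); back off. NOTE(review): the file is still
            # recorded with count 0 below and is not retried.
            print "Program is going to sleep for two minutes"
            time.sleep(120)
        ratio_dict[path] = count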
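def get_report(self, in_file):
    """
    Submit dumped PE to VT and return report object
    :param in_file: Path to dumped PE
    :return: VT report object
    :raises RuntimeError: if the report is still incomplete after join()
    """
    if self._config.APIKEY is None:
        debug.error('Please provide a VirusTotal API Key')
    vt = virustotal.VirusTotal(self._config.APIKEY)
    try:
        report = vt.scan(in_file)
    except Exception as e:
        debug.error(e)
    else:
        # wait for VT to scan the file
        report.join()
        # Explicit check instead of `assert`: asserts are stripped under -O, so the
        # post-condition silently vanished in optimized runs.
        if not report.done:
            raise RuntimeError('VirusTotal report for %s is not complete after join()' % in_file)
        return report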
def init(self, parameters):
    """Initialise the actor: base-class init, then API key, rate limit, detection threshold and report cache."""
    super(VirusTotal, self).init(parameters)
    key = parameters.get('key', None)
    self.key = key
    if key is None:
        raise Exception('missing API key')
    # Maximum number of queries per minute
    self.qpm = parameters.get('qpm', 4)
    self.vt = virustotal.VirusTotal(key, limit_per_min=self.qpm)
    # Minimum number of AVs saying it's a hit before we flag it
    self.threshold = parameters.get('min_av', 5)
    # Cache size
    self.cache_size = parameters.get('cache_size', 200)
    self.cache = RingCache(maxEntries=self.cache_size, isAutoAdd=False)
def virus_total_report(md5):
    """Fetch the VirusTotal report for ``md5`` and print its summary plus every engine that flagged it.

    :param md5: hash to look up (``VT_API_KEY`` is a module global)
    """
    report = virustotal.VirusTotal(VT_API_KEY).get(md5)
    print "Report"
    summary = (
        ("- Resource's UID:", report.id),
        ("- Scan's UID:", report.scan_id),
        ("- Permalink:", report.permalink),
        ("- Resource's SHA1:", report.sha1),
        ("- Resource's SHA256:", report.sha256),
        ("- Resource's MD5:", report.md5),
        ("- Resource's status:", report.status),
        ("- Antivirus' total:", report.total),
        ("- Antivirus's positives:", report.positives),
    )
    for label, value in summary:
        print label, value
    # Only engines that reported a detection are listed
    for antivirus, malware in report:
        if malware is None:
            continue
        print
        print "Antivirus:", antivirus[0]
        print "Antivirus' version:", antivirus[1]
        print "Antivirus' update:", antivirus[2]
        print "Malware:", malware
def init(self, parameters, resources):
    """Actor start-up: API key, rate limit, report TTL, the VirusTotal client (only with a key), the modeling actor handle and the report cache."""
    key = parameters.get('_key', None)
    self.key = key
    if key is None:
        self.logCritical('missing API key')
    # Maximum number of queries per minute
    self.qpm = parameters.get('qpm', 4)
    # Report lifetime defaults to one week, in seconds
    self.ttl = parameters.get('ttl', (60 * 60 * 24 * 7))
    if key is not None:
        self.vt = virustotal.VirusTotal(key, limit_per_min=self.qpm)
    self.Model = self.getActorHandle(resources['modeling'], timeout=3, nRetries=0)
    # Cache size
    self.cache_size = parameters.get('cache_size', 5000)
    self.cache = RingCache(maxEntries=self.cache_size, isAutoAdd=False)
    self.handle('get_report', self.getReport)
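def checkSavedListOnVT(VTAPIToken, unknownList):
    """Re-check previously unknown hashes against VirusTotal and rewrite unknownlist.txt with those still unknown.

    A hash is dropped from the list only when a complete report is obtained for it;
    any failure during lookup keeps it on the list.

    :param VTAPIToken: VirusTotal API key
    :param unknownList: iterable of hashes that had no VirusTotal report last time
    """
    newCheckedHashList = list()
    printLog("Updating Unknown list to see if Virus Total has their hash now...")
    v = virustotal.VirusTotal(VTAPIToken)
    for i in unknownList:
        try:
            # Read id (presumably None for a hash VirusTotal has not seen, which
            # fails on the join below and keeps the hash on the list)
            report = v.get(i)
            # wait for report to finish
            report.join()
            # Explicit check rather than assert (stripped under -O); the failure
            # path is the same as before: the hash stays on the unknown list.
            if not report.done:
                raise RuntimeError('report for %s not complete' % i)
            printWarning('Hash: ' + i + ' is now in VirusTotal and will be removed from unknownlist.txt')
        except Exception:
            # Narrowed from a bare except: KeyboardInterrupt now propagates
            newCheckedHashList.append(i)
            continue
    # The context manager guarantees the rewritten list is flushed and closed
    with open("unknownlist.txt", "w") as newUnknownTextFile:
        for j in newCheckedHashList:
            newUnknownTextFile.write(j + '\n')
    printSuccess("unknownlist.txt has been successfully updated!")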
#!/usr/bin/env python
# Script: take the last 100 (uuid, md5) rows of the `samples` table and fetch each
# md5's VirusTotal report into <basedir>/logs/vt/<uuid>.json.
# NOTE: this listing is truncated after `rep.join()`; the part of the loop body that
# writes the report into `f` is not visible here.
import os
import json
import sys
import virustotal
import ConfigParser
import sqlite3

# the config file path is the first command-line argument
conf = ConfigParser.ConfigParser()
conf.read(sys.argv[1])
# NOTE(review): hard-coded API key in source; move it to the config file and rotate the committed value.
vt = virustotal.VirusTotal(
    '798e91925a52e4f2c16a5a4e83337a0ff392c8f44d4d1bde9824e2dc4a378af3')
database = conf.get('Main', 'db')
conn = sqlite3.connect(database)
cur = conn.cursor()
basedir = conf.get('Main', 'basedir')
logdir = os.path.join(basedir, 'logs')
cur.execute('SELECT uuid,md5 FROM samples')
# fetchall()[-100:] loads the whole table just to keep the last 100 rows
for uuid, md5 in cur.fetchall()[-100:]:
    print uuid, md5
    rep = vt.get(md5)
    fname = os.path.join(logdir, 'vt', uuid + '.json')
    # NOTE(review): opened without `with`; whether it is closed happens outside the visible part
    f = open(fname, 'w')
    if rep:
        rep.join()
__author__ = "Raoul Endresl"
__copyright__ = "Copyright 2016"
__license__ = "BSD"
__version__ = "0.1"
__status__ = "Prototype"
# Get of my damn API_KEY. Free API, register at virustotal.com
# Placeholder: the real key has to be supplied here (better: read it from an
# environment variable or config file so it never lands in source control).
API_KEY = "[KEY GOES HERE]"
parser = argparse.ArgumentParser(description='Searches a given file for hashes and checks these against VirusTotal.')
parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true", default=False)
# argparse opens the file for us; `args.filename` is a readable file object
parser.add_argument("filename", type=argparse.FileType('r'), help="file to search for MD5 hashes")
args = parser.parse_args()
# the second positional argument is passed as 0 here; its meaning is not visible in this listing
v = virustotal.VirusTotal(API_KEY,0)
if args.verbose:
    # ASCII-art banner; its line breaks were flattened in this listing
    print """ _ _ ________ __ __| || |_\_____ \___ ___/ |_ \ __ // ____/\ \/ /\ __\\ | || |/ \ \ / | | /_ ~~ _\_______ \ \_/ |__| |_||_| \/ """
    print "[+] parsing " + args.filename.name
# assumed to sit at module level (outside the verbose branch); the listing's
# indentation was lost. NOTE: the listing is truncated here — the hash search over
# `data` follows in the original file.
data = args.filename.read()
# Placeholders: fill in before running (better: load them from the environment/config
# so they never land in source control)
VIRUSTOTALKEY = ''
EMAIL = ''
#-------------------------------------------------------------------------------------------
# Variables
#-------------------------------------------------------------------------------------------
buffer = 65536  # read chunk size used when hashing (shadows the Python 2 builtin `buffer`)
localfile = None  # path of the file under test; set elsewhere, not visible in this listing
check = False
notify = False
md5 = hashlib.md5()
sha1 = hashlib.sha1()
sha256 = hashlib.sha256()
sha512 = hashlib.sha512()
# Client is built at import time with whatever VIRUSTOTALKEY holds (empty by default)
v = virustotal.VirusTotal(VIRUSTOTALKEY)


def checkFile():
    """Verify that `localfile` exists, then read it in `buffer`-sized chunks.

    NOTE: the listing is truncated inside the `try` body — the except clause and the
    code that feeds the chunks to the hashers are not visible here.
    """
    try:
        if os.path.isfile(localfile) is False:
            # NOTE(review): `file` here is not assigned anywhere visible (in Python 2 it is
            # the builtin type), so this concatenation would fail — presumably `localfile` was meant
            print bcolors.WARNING, '[?] Does: ' + file + ' Exist?', bcolors.ENDC
            print bcolors.FAIL, '[!] Error: File not found...\n', bcolors.ENDC
            # exits with status 0 even though this is an error path
            exit(0)
        print bcolors.OKBLUE, ('[+] Checking File: ' + localfile + '\n'), bcolors.ENDC
        with open(localfile, 'rb') as f:
            while True:
                data = f.read(buffer)
                if not data:
                    break
#!/usr/bin/python
# This is a simple python script writtern to find the reputation of files on virustotal,this script will help us in scanning all the files
# in a directory and its subdirectories,we can also scan single files and hashes
# Sign into VirusTotal,you will be provided with an api_key,paste the api_key between the double quotes in the field mentioned below and you are good to go
# this script is a property of Arnold Anthony
import os
import virustotal
import sys
import argparse

# The client is built at import time; the placeholder below must be replaced with a
# real key (better: read it from an environment variable so it never lands in source control).
virus = virustotal.VirusTotal(
    "Paste your API_KEY here")  # <--------paste your api_key
# Raw argv, used by directory() below alongside argparse (two different argument conventions)
upload = sys.argv
parser = argparse.ArgumentParser(
    description=
    'Virustotal is a great source to find the reputation of suspicious files.We generally upload a single file and check for its reputation,Assume if we have a Directory having many subdirectories and files,it would be difficult to upload files one by one and check for its reputation.Hence to overcome this issue i have writtern a small python script that will give the reputation of all the files in a directory.We can also upload a single file or a hash.This script is cross platform it can run on both windows and linux. '
)
parser.add_argument("-d", "--directory", help="Scan files in a directory ")
parser.add_argument("-f", "--file", help="Scan a file or a hash")
args = parser.parse_args()


def directory():
    """Walk the directory named by the second command-line argument and scan every file found.

    NOTE: the listing is truncated inside the inner loop; the per-file scan code is not visible here.
    NOTE(review): reads `upload[2]` (raw argv) rather than `args.directory`, so the two
    disagree whenever the flag is not the first argument.
    """
    path = upload[2]
    for root, dirs, files in os.walk(path):
        for filename in files:
import virustotal  # Importing the VirusTotal API module

# NOTE(review): the API key is hard-coded at import time; load it from the
# environment/config and treat the committed value as exposed.
scanner = virustotal.VirusTotal("ae67d0d09984da22e86e5df95e4a9c183b9db2ae3b52a07a37e556b3161074c5")  # Initializing the VirusTotal API Key


def banner():
    """Print the ASCII-art banner and author credit."""
    print "\n\n"
    print "\t\t _ ___ _ _ _ _ "
    print "\t\t | |/ _ \| | | | \ | |"
    print "\t\t _ | | | | | |_| | \| |"
    print "\t\t| |_| | |_| | _ | |\ |"
    print "\t\t \___/ \___/|_| |_|_| \_|"
    print "\t\t "
    print "\t\tAutomated VirusTotal-powered Malware Scanner\n\n"
    print "[#] Developed By John Chakauya"


# banner is printed at import time
banner()


def malware_scan(scan_file):
    """Submit ``scan_file`` to VirusTotal and print the per-engine results when the report is complete.

    NOTE: the listing is truncated after the "REPORT SUMMARY" heading; the summary
    output (and any handling of an incomplete report) is not visible here. The
    nesting of the trailing prints under the `if` is assumed; the listing lost its indentation.
    """
    scan_report = scanner.scan(scan_file)  # Scanning the user entered file
    if scan_report.done:
        print(scan_report)
        print "\nFULL SCAN REPORT:"
        for av, malware in scan_report:  # Output full scan report
            print "- %s (%s, %s):\t%s" % (av[0], av[1], av[2], malware, )
        print
        print("\n*** REPORT SUMMARY ***:")
import sys
import virustotal

# NOTE(review): hard-coded API key in source; read it from the environment and treat the committed value as exposed.
v = virustotal.VirusTotal("a264d77db499762fa7de5cf0372c2129a288ff38e02a81e8a4a736ec3667f214")
# Submit the file named on the command line and print its report
report = v.scan(sys.argv[1])
print "Report"
summary = (
    ("- Resource's UID:", report.id),
    ("- Scan's UID:", report.scan_id),
    ("- Permalink:", report.permalink),
    ("- Resource's SHA1:", report.sha1),
    ("- Resource's SHA256:", report.sha256),
    ("- Resource's MD5:", report.md5),
    ("- Resource's status:", report.status),
    ("- Antivirus' total:", report.total),
    ("- Antivirus's positives:", report.positives),
)
for label, value in summary:
    print label, value
# Only engines that reported a detection are listed
for antivirus, malware in report:
    if malware is None:
        continue
    print
    print "Antivirus:", antivirus[0]
    print "Antivirus' version:", antivirus[1]
    print "Antivirus' update:", antivirus[2]
    print "Malware:", malware
#!/usr/bin/env python2 import argparse import json import time import virustotal import os v = virustotal.VirusTotal( '8488f4b84e9c2010c95b17df236466a42f46e6762a2739da4caa6cf1c9178ad3') parser = argparse.ArgumentParser( description='Scan a directory with VirusTotal.') parser.add_argument('directory', type=str) parser.add_argument('output_json', type=str) args = parser.parse_args() if not os.path.isfile(args.output_json): db = {} else: f = open(args.output_json) db = json.load(f) f.close() for fname in os.listdir(args.directory): if os.path.getsize(args.directory + "/" + fname) > 32000000: continue if fname not in db: print(" + Scanning: '" + args.directory + "/" + fname + "'.") report = None attempts = 0
import virustotal

# Placeholders: replace with a real key and the resource to look up (reading the key
# from the environment keeps it out of source control)
v = virustotal.VirusTotal("Enter your API key")
report = v.get("path for suspicious files")
print "Report"
summary = [
    ("- Resource's UID:", report.id),
    ("- Scan's UID:", report.scan_id),
    ("- Permalink:", report.permalink),
    ("- Resource's SHA1:", report.sha1),
    ("- Resource's SHA256:", report.sha256),
    ("- Resource's MD5:", report.md5),
    ("- Resource's status:", report.status),
    ("- Antivirus' total:", str(report.total)),
    ("- Antivirus's positives:", str(report.positives)),
]
for label, value in summary:
    print label + value
# Only engines that reported a detection are listed
for antivirus, malware in report:
    if malware is None:
        continue
    print
    print "Antivirus:" + antivirus[0]
    print "Antivirus' version:" + antivirus[1]
    print "Antivirus' update:" + antivirus[2]
    print "Malware:" + malware
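def buildResult(apkFingerprint, db, apkPath, preference):
    """Scan ``apkPath`` with VirusTotal (when it is small enough), store the per-engine results on the APK's MongoDB record and return the enriched record with preference results and a threat score.

    :param apkFingerprint: SHA-256 of the APK (``file_sha256`` in AnalyzeSuccessResults)
    :param db: pymongo database handle
    :param apkPath: path of the APK on disk
    :param preference: user preference object handed to ``addPreferenceResults``
    :return: the AnalyzeSuccessResults document (as a plain dict) with ``threatQ`` added
    :raises IndexError: when no document matches ``apkFingerprint``
    """
    # permission list from user
    userPreferences = preference
    userPreferenceArr = ["android.permission.INTERNET"]
    # Only files under 25165824 bytes (24 MiB) are submitted — presumably the upload
    # limit of the API in use.
    file_size = os.stat(apkPath).st_size
    is_file_virus_scan_enable = file_size < 25165824
    # logging takes printf-style arguments: the original passed the value without a
    # placeholder, which logging reports as a formatting error instead of logging it.
    logging.info("File enabled for virus scan %s", is_file_virus_scan_enable)
    if is_file_virus_scan_enable:
        # NOTE(review): the API key is hard-coded (the original also repeated it in a comment,
        # next to a commented-out MongoDB connection string); move both to configuration or
        # the environment and rotate the committed key.
        v = virustotal.VirusTotal(
            '1adad59c01c25eaf3b3f2435c09c3ae253c9b81f2f156682c1fe81790223c584')
        logging.info("Getting virus total information of apk from apk path" + apkPath)
        print apkPath
        # Get scan results from Virus total public API
        virusTotalReportJSON = v.scan(apkPath)
        # `_report` is a private attribute of the client library's report object — fragile across versions
        scanCompareResults = virusTotalReportJSON._report['scans']
        # update the virus total scan results in database
        db.AnalyzeSuccessResults.update_one(
            {"file_sha256": apkFingerprint},
            {"$set": {"scanCompareResults": scanCompareResults}})
    # fetch scan result from mongoDB
    logging.info("Fetch results from mongoDB with fingerprint" + apkFingerprint)
    analyzeSuccessResultsCollection = db.AnalyzeSuccessResults.find(
        {'file_sha256': apkFingerprint})
    # same placeholder fix as above
    logging.info("Count of result retrieved from mongodb is: %s",
                 analyzeSuccessResultsCollection.count())
    json_docs = [
        json.dumps(doc, default=json_util.default)
        for doc in analyzeSuccessResultsCollection
    ]
    # Round-trip through JSON (bson types -> plain JSON types) before scoring
    jsonObject = json.loads(json_docs[0])
    # add preference results and the threat score to the main result object
    jsonObject = addPreferenceResults(jsonObject, userPreferences)
    jsonObject['threatQ'] = calculateThreatQ(jsonObject, userPreferenceArr)
    return jsonObject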
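def scan_vt():
    """Submit every file in ./carved_files to VirusTotal (by MD5 hash or by upload) and write per-file and consolidated reports under ./reports.

    The user is prompted for the submission mode and the API key. When a request
    fails or the mode is invalid, the user is re-prompted through a recursive call
    and this invocation returns — the original fell through after re-prompting and
    carried on with a stale or unbound ``report``.
    """
    # Give the user of choosing to submit the suspicious files or simply their hashes
    user_selection = raw_input(
        "You indicated to submit suspicious files to VirusTotal, do you wish to send"
        " the hash or actual file? \nNote: Submitting the file may reveal sensitive information to the VirusTotal service "
        " and can take considerable time if a large number of files are submitted.\nPlease enter 'hash' or 'file':"
    )
    # Have the user input their VirusTotal API key and initiate a session to VirusTotal
    api_key = raw_input("Please enter your VirusTotal API key:")
    vt_handler = virustotal.VirusTotal(api_key)
    reports_dir = os.getcwd() + "/reports"
    if not os.path.exists(reports_dir):
        os.makedirs(reports_dir)
    carved_dir = os.getcwd() + "/carved_files/"
    # Create a CSV which will serve as a consolidated report of VirusTotal results.
    # The `with` flushes and closes it on every exit path (the original never closed it).
    with open(reports_dir + "/virustotal_consolidated_report.csv", 'w') as csv_file:
        consolidated_report = csv.writer(csv_file, dialect=csv.excel, delimiter=',')
        headers = [
            "Filename", "MD5 Hash", "SHA1 Hash", "SHA256 Hash", "Total A/V", "Positive Hits"
        ]
        consolidated_report.writerow(headers)
        # For each file in the carved_files directory either look up its MD5 hash or
        # upload the file. If the request fails let the user know and re-prompt.
        for fname in os.listdir(carved_dir):
            if user_selection == 'hash':
                try:
                    report = _lookup_by_hash(vt_handler, carved_dir + fname)
                except HTTPError as error:
                    print "Unable to obtain successful connection to VirusTotal API.\n%s " % error
                    print "Service may be down or perhaps you entered the wrong API key."
                    scan_vt()
                    return
                print "Waiting for VirusTotal results of %s to return..." % fname
                # If the hash returns no results inform the user and continue searching the
                # remaining hashes (the original `break` stopped at the first unknown hash).
                if report is None:
                    print "No report based on hash of %s is available." % fname
                    continue
            elif user_selection == 'file':
                # Submit the suspicious file to VirusTotal. As with the hash search
                # let the user know if there were problems connecting to VirusTotal.
                try:
                    report = vt_handler.scan(carved_dir + fname, reanalyze=True)
                    print "Waiting for VirusTotal results of %s to return..." % fname
                except HTTPError as error:
                    print "Unable to obtain successful connection to VirusTotal API. %s " % error
                    print "Service may be down or perhaps you entered the wrong API key."
                    scan_vt()
                    return
            else:
                # Make sure the user is inputting the correct option
                print "Incorrect input, please enter 'hash' or 'file' without quotations."
                scan_vt()
                return
            # Check if the VirusTotal search is done, if not wait and try again. If done,
            # grab and compile the report.
            _wait_for_report(report)
            _write_file_report(reports_dir, fname, report)
            # Write the consolidated information to the overall VirusTotal CSV report
            row = [
                fname, report.md5, report.sha1, report.sha256, report.total, report.positives
            ]
            consolidated_report.writerow(row)


def _lookup_by_hash(vt_handler, path):
    """Return the VirusTotal report for the MD5 of the file at ``path`` (None when VirusTotal has no report); HTTPError propagates."""
    file_hash = hashlib.md5()
    with open(path, "rb") as open_file:
        file_hash.update(open_file.read())
    return vt_handler.get(str(file_hash.hexdigest()))


def _wait_for_report(report):
    """Block until ``report.done``; as in the original, any failure of join() is retried every 3 seconds."""
    while True:
        try:
            report.join()
            # explicit check instead of `assert`, which is stripped under -O
            if not report.done:
                raise RuntimeError("report not complete")
            return
        except Exception:
            print "Still waiting for VirusTotal results to return..."
            time.sleep(3)


def _write_file_report(reports_dir, fname, report):
    """Write the per-file text report: identifiers, hashes, counts and every engine that flagged the file."""
    # Will include all antivirus vendors that reported positive for malicious activity and
    # what type of malware the file may have been as well as basic analysis
    # to include hashes and a link to the report on the VirusTotal website.
    with open(reports_dir + '/%s_virustotal_report.txt' % fname, 'w') as outfile:
        outfile.write("File ID: " + report.id + "\n")
        outfile.write("Scan ID: " + report.scan_id + "\n")
        outfile.write("Permalink: " + report.permalink + "\n")
        outfile.write("SHA1 Hash: " + report.sha1 + "\n")
        outfile.write("SHA256 Hash: " + report.sha256 + "\n")
        outfile.write("MD5 Hash: " + report.md5 + "\n")
        outfile.write("Total antivirus products which scanned the file: " + str(report.total) + "\n")
        outfile.write("Total positive malicious/malware hits by antivirus: " + str(report.positives) + "\n")
        for antivirus, malware in report:
            if malware is not None:
                outfile.write("Antivirus: " + antivirus[0] + "\n")
                outfile.write("Antivirus version: " + antivirus[1] + "\n")
                outfile.write("Antivirus update: " + antivirus[2] + "\n")
                outfile.write("Malware: " + malware + "\n")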