I have a list of sample hash values on hand, but there are too many to investigate manually, so I wrote a program that automatically retrieves the report for each one from VirusTotal. The program was written and confirmed to work with Python 3. There are many similar articles, but I decided to write this one because the existing ones are written for Python 2 or differ somewhat from the sample in the official documentation.
As described in the references, VirusTotal provides an API, so it is efficient to use it to retrieve the information. You can get a VirusTotal API key for free by creating an account. If you hard-code the key in the program, be careful when publishing or sharing it, since a key leaked to a third party can be misused. (If you only use the script yourself, hard-coding is fine, but if there is any chance of external disclosure it is safer to supply the key from outside the program.)
I wrote the following according to the official documentation. Put your own API key value in the apikey part. (As mentioned above, supplying it from outside the program is also fine.)
This program also reads the sample hash values from a separate text file, one per line. Implement this however is convenient for you, whether by hard-coding the hashes or by passing them as run-time arguments.
get_vt.py
import time
import requests

url = 'https://www.virustotal.com/vtapi/v2/file/report'
count = 0
with open('hash.txt', 'r') as file:
    for hash in file:
        hash = hash.strip()          # drop the trailing newline read from the file
        if not hash:
            continue                 # skip blank lines
        params = {'apikey': 'your api key value', 'resource': hash}
        response = requests.get(url, params=params)
        print(response.json())       # one report (Python dict repr) per hash
        count = count + 1
        if count % 4 == 0:           # public API quota: pause after every 4 lookups
            time.sleep(65)
As I often hear, access to the API may be restricted if you hit it too frequently, and for VirusTotal I have heard that you need to wait 60 seconds after every 4 requests. Just in case, I pause for 65 seconds after every fourth request.
It is just a Python script, so run it as follows. The result is returned in JSON format, so redirect the output to a .json file.
How to run get_vt.py
$ python3 get_vt.py > vt_result.json
The following is the result obtained when looking up the hash value a5a0420200af84fdb5674569f1a8eafe7ef7b41b. Under each anti-virus product name, the malware verdict appears as True or False in the detected field. The malware name can also be read from the result field, and as far as I can see it looks like Mirai.
Acquisition result
{'scans': {'Bkav': {'detected': False, 'version': '1.3.0.9899', 'result': None, 'update': '20200819'}, 'MicroWorld-eScan': {'detected': False, 'version': '14.0.409.0', 'result': None, 'update': '20200820'}, 'FireEye': {'detected': True, 'version': '32.36.1.0', 'result': 'Trojan.Linux.Mirai.1', 'update': '20200820'}, 'CAT-QuickHeal': {'detected': False, 'version': '14.00', 'result': None, 'update': '20200820'}, 'McAfee': {'detected': True, 'version': '6.0.6.653', 'result': 'RDN/Generic BackDoor', 'update': '20200820'}, 'Malwarebytes': {'detected': False, 'version': '3.6.4.335', 'result': None, 'update': '20200820'}, 'Zillya': {'detected': True, 'version': '2.0.0.4158', 'result': 'Backdoor.Mirai.Linux.91998', 'update': '20200820'}, 'SUPERAntiSpyware': {'detected': False, 'version': '5.6.0.1032', 'result': None, 'update': '20200814'}, 'Sangfor': {'detected': False, 'version': '1.0', 'result': None, 'update': '20200814'}, 'K7AntiVirus': {'detected': False, 'version': '11.131.35049', 'result': None, 'update': '20200820'}, 'K7GW': {'detected': False, 'version': '11.131.35050', 'result': None, 'update': '20200820'}, 'Baidu': {'detected': False, 'version': '1.0.0.2', 'result': None, 'update': '20190318'}, 'F-Prot': {'detected': False, 'version': '4.7.1.166', 'result': None, 'update': '20200820'}, 'Symantec': {'detected': True, 'version': '1.11.0.0', 'result': 'Trojan.Gen.NPE', 'update': '20200820'}, 'ESET-NOD32': {'detected': True, 'version': '21852', 'result': 'a variant of Linux/Mirai.OX', 'update': '20200820'}, 'TrendMicro-HouseCall': {'detected': False, 'version': '10.0.0.1040', 'result': None, 'update': '20200820'}, 'Avast': {'detected': True, 'version': '18.4.3895.0', 'result': 'Other:Malware-gen [Trj]', 'update': '20200820'}, 'ClamAV': {'detected': True, 'version': '0.102.4.0', 'result': 'Unix.Dropper.Mirai-7135870-0', 'update': '20200817'}, 'Kaspersky': {'detected': True, 'version': '15.0.1.13', 'result': 'HEUR:Backdoor.Linux.Mirai.b', 'update': '20200820'}, 
'BitDefender': {'detected': True, 'version': '7.2', 'result': 'Trojan.Linux.Mirai.1', 'update': '20200820'}, 'NANO-Antivirus': {'detected': True, 'version': '1.0.134.25140', 'result': 'Trojan.Mirai.hrbzkk', 'update': '20200820'}, 'ViRobot': {'detected': False, 'version': '2014.3.20.0', 'result': None, 'update': '20200820'}, 'Tencent': {'detected': True, 'version': '1.0.0.1', 'result': 'Backdoor.Linux.Mirai.wao', 'update': '20200820'}, 'Ad-Aware': {'detected': False, 'version': '3.0.16.117', 'result': None, 'update': '20200820'}, 'TACHYON': {'detected': False, 'version': '2020-08-20.02', 'result': None, 'update': '20200820'}, 'Comodo': {'detected': True, 'version': '32668', 'result': '.UnclassifiedMalware@0', 'update': '20200728'}, 'F-Secure': {'detected': True, 'version': '12.0.86.52', 'result': 'Malware.LINUX/Mirai.lpnjw', 'update': '20200820'}, 'DrWeb': {'detected': True, 'version': '7.0.46.3050', 'result': 'Linux.Mirai.671', 'update': '20200820'}, 'VIPRE': {'detected': False, 'version': '86068', 'result': None, 'update': '20200820'}, 'TrendMicro': {'detected': True, 'version': '11.0.0.1006', 'result': 'Backdoor.Linux.MIRAI.USELVH120', 'update': '20200820'}, 'CMC': {'detected': False, 'version': '2.7.2019.1', 'result': None, 'update': '20200820'}, 'Sophos': {'detected': True, 'version': '4.98.0', 'result': 'Linux/DDoS-CIA', 'update': '20200819'}, 'Cyren': {'detected': False, 'version': '6.3.0.2', 'result': None, 'update': '20200820'}, 'Jiangmin': {'detected': False, 'version': '16.0.100', 'result': None, 'update': '20200820'}, 'Avira': {'detected': True, 'version': '8.3.3.8', 'result': 'LINUX/Mirai.lpnjw', 'update': '20200820'}, 'Fortinet': {'detected': True, 'version': '6.2.142.0', 'result': 'ELF/DDoS.CIA!tr', 'update': '20200820'}, 'Antiy-AVL': {'detected': False, 'version': '3.0.0.1', 'result': None, 'update': '20200820'}, 'Kingsoft': {'detected': False, 'version': '2013.8.14.323', 'result': None, 'update': '20200820'}, 'Arcabit': {'detected': True, 'version': 
'1.0.0.877', 'result': 'Trojan.Linux.Mirai.1', 'update': '20200820'}, 'AegisLab': {'detected': True, 'version': '4.2', 'result': 'Trojan.Linux.Mirai.K!c', 'update': '20200820'}, 'AhnLab-V3': {'detected': False, 'version': '3.18.1.10026', 'result': None, 'update': '20200820'}, 'ZoneAlarm': {'detected': True, 'version': '1.0', 'result': 'HEUR:Backdoor.Linux.Mirai.b', 'update': '20200820'}, 'Avast-Mobile': {'detected': False, 'version': '200820-00', 'result': None, 'update': '20200820'}, 'Microsoft': {'detected': True, 'version': '1.1.17300.4', 'result': 'Trojan:Win32/Skeeyah.A!rfn', 'update': '20200820'}, 'Cynet': {'detected': True, 'version': '4.0.0.24', 'result': 'Malicious (score: 85)', 'update': '20200815'}, 'TotalDefense': {'detected': False, 'version': '37.1.62.1', 'result': None, 'update': '20200820'}, 'BitDefenderTheta': {'detected': False, 'version': '7.2.37796.0', 'result': None, 'update': '20200819'}, 'ALYac': {'detected': False, 'version': '1.1.1.5', 'result': None, 'update': '20200820'}, 'MAX': {'detected': True, 'version': '2019.9.16.1', 'result': 'malware (ai score=89)', 'update': '20200820'}, 'VBA32': {'detected': False, 'version': '4.4.1', 'result': None, 'update': '20200819'}, 'Zoner': {'detected': False, 'version': '0.0.0.0', 'result': None, 'update': '20200819'}, 'Rising': {'detected': True, 'version': '25.0.0.26', 'result': 'Backdoor.Mirai/Linux!1.BAF6 (CLASSIC)', 'update': '20200820'}, 'Yandex': {'detected': False, 'version': '5.5.2.24', 'result': None, 'update': '20200707'}, 'Ikarus': {'detected': True, 'version': '0.1.5.2', 'result': 'Trojan.Linux.Mirai', 'update': '20200820'}, 'MaxSecure': {'detected': False, 'version': '1.0.0.1', 'result': None, 'update': '20200819'}, 'GData': {'detected': True, 'version': 'A:25.26670B:27.19869', 'result': 'Trojan.Linux.Mirai.1', 'update': '20200820'}, 'AVG': {'detected': True, 'version': '18.4.3895.0', 'result': 'Other:Malware-gen [Trj]', 'update': '20200820'}, 'Panda': {'detected': False, 'version': 
'4.6.4.2', 'result': None, 'update': '20200819'}, 'Qihoo-360': {'detected': True, 'version': '1.0.0.1120', 'result': 'Linux/Backdoor.6f4', 'update': '20200820'}}, 'scan_id': '0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c-1597909074', 'sha1': 'a5a0420200af84fdb5674569f1a8eafe7ef7b41b', 'resource': '0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c', 'response_code': 1, 'scan_date': '2020-08-20 07:37:54', 'permalink': 'https://www.virustotal.com/gui/file/0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c/detection/f-0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c-1597909074', 'verbose_msg': 'Scan finished, information embedded', 'total': 59, 'positives': 29, 'sha256': '0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c', 'md5': '1e0621f530a9f1cb000d670c54a789c9'}
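To show how the pacing above and the fields of the result are used in practice, here is an added example that is not part of the original article's script. It normalizes the hash lines read from the file, paces lookups at four per minute with an injectable sleep so the logic can be exercised offline, reads the API key from an environment variable named VT_API_KEY (an assumed name, chosen to avoid hard-coding the key), and reduces each report to the detection count, the engines that flagged the file and a crude family hint taken from the vendor labels. SAMPLE_REPORT is a constructed six-engine subset of the report shown above with the same field layout; the v2 status semantics it checks (response_code 1/0/-2, HTTP 204 for quota exceeded) are those of the public v2 API.

```python
import os
import re
import time
from collections import Counter

VT_V2_FILE_REPORT = "https://www.virustotal.com/vtapi/v2/file/report"

# Generic words found in most vendor labels; they say nothing about the family.
LABEL_STOPWORDS = {"trojan", "linux", "win32", "backdoor", "variant",
                   "generic", "malware", "heur", "gen"}

# Constructed sample: a six-engine subset of the report shown in the article.
SAMPLE_REPORT = {
    "response_code": 1,
    "sha256": "0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c",
    "positives": 4,
    "total": 6,
    "scans": {
        "Bkav": {"detected": False, "result": None},
        "FireEye": {"detected": True, "result": "Trojan.Linux.Mirai.1"},
        "McAfee": {"detected": True, "result": "RDN/Generic BackDoor"},
        "ESET-NOD32": {"detected": True, "result": "a variant of Linux/Mirai.OX"},
        "Kaspersky": {"detected": True, "result": "HEUR:Backdoor.Linux.Mirai.b"},
        "Malwarebytes": {"detected": False, "result": None},
    },
}

_HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def normalize_hashes(lines):
    """Trim whitespace, drop blanks and '#' comments, keep only MD5/SHA-1/SHA-256."""
    out = []
    for line in lines:
        h = line.strip().lower()
        if h and not h.startswith("#") and _HEX_HASH.match(h):
            out.append(h)
    return out


def summarize_report(report):
    """Reduce one v2 file report to the fields an analyst triages on."""
    if report.get("response_code") != 1:
        # 0 = hash unknown to VirusTotal, -2 = analysis still queued
        return {"known": False, "response_code": report.get("response_code")}
    scans = report.get("scans", {})
    detections = {engine: entry.get("result")
                  for engine, entry in scans.items() if entry.get("detected")}
    # Crude family hint: most common non-generic word across the vendor labels
    families = Counter()
    for label in detections.values():
        for token in re.findall(r"[a-z]{3,}", (label or "").lower()):
            if token not in LABEL_STOPWORDS:
                families[token] += 1
    return {
        "known": True,
        "sha256": report.get("sha256"),
        "positives": report.get("positives", len(detections)),
        "total": report.get("total"),
        "detections": detections,
        "family_hint": families.most_common(1)[0][0] if families else None,
    }


def vt_fetch(resource):
    """Live v2 lookup; the key comes from the environment, not the source file.
    Assumes the `requests` package (imported here so the rest runs without it)."""
    import requests
    api_key = os.environ["VT_API_KEY"]  # assumed variable name
    r = requests.get(VT_V2_FILE_REPORT,
                     params={"apikey": api_key, "resource": resource}, timeout=30)
    if r.status_code == 204:
        # v2 answers an empty 204 when the public quota is exceeded
        raise RuntimeError("VirusTotal rate limit exceeded; back off before retrying")
    r.raise_for_status()
    return r.json()


def fetch_reports(hashes, fetch=vt_fetch, sleep=time.sleep, per_minute=4, pause=65):
    """Look up hashes one at a time, pausing after every `per_minute` requests
    (the same pacing as the article's script) except after the final one."""
    results = {}
    for i, h in enumerate(hashes, start=1):
        results[h] = summarize_report(fetch(h))
        if i % per_minute == 0 and i < len(hashes):
            sleep(pause)
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in vt_fetch for live use.
    print(summarize_report(SAMPLE_REPORT))
```

For a live run, read the file with `normalize_hashes(open("hash.txt"))`, pass the result to `fetch_reports`, and set VT_API_KEY in the environment; the summaries are plain dicts, so they can be written out with `json.dump` instead of the raw reports when only the verdicts are needed.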
I created a program that retrieves report information for hash values using the VirusTotal API. In the future, I will consider how to make use of the obtained output and how to use other APIs.