Hunting maliciousness

Often, during the installation phase of malware, and later when it drops or downloads the next-stage malicious code from the internet, the malicious code is placed in the Downloads folder or under users/<userid>/appdata/* and executed from there.

Let's say you get hold of the MD5s of all binaries either located in these locations or executed from these locations, using a tool like GRR, some live forensic collection tool, or your own script to fetch the MD5s. You might want to perform some initial triage on these MD5s using VT scores etc.

You can place these MD5 hashes in a text file, one per line, and use the following Python script to iterate through them and check the VT score for each. The script uses the VT API 2.0 and requires you to sign up for a free public API key, which allows 4 queries per minute. That is why I am using time.sleep(15) to limit the queries to 4 a minute.

The response format from VT is documented at the link below; you can parse any information you want from the JSON response with this script and display, store or analyze it further.

VT public API doc link: "https://www.virustotal.com/en/documentation/public-api/"

--------------------------------Script start-------------------------------------

import time
import requests

API_KEY = '<your VT API Key Goes here>'
headers = {
  "Accept-Encoding": "gzip, deflate",
  "User-Agent": "gzip,  My Python requests library example client or username"
  }

with open('hashes.txt') as hashfile:
    for line in hashfile:
        md5 = line.strip()   # drop the newline, otherwise it is sent as part of the resource
        if not md5:
            continue
        try:
            time.sleep(15)   # public API allows 4 requests per minute
            params = {'apikey': API_KEY, 'resource': md5}
            response = requests.get('https://www.virustotal.com/vtapi/v2/file/report', params=params, headers=headers)
            response.raise_for_status()
            json_response = response.json()
            # print(json_response)   # uncomment to see the full report
            if json_response.get("response_code") != 1:
                # response_code 0 means VT has never seen the hash, -2 means it is queued
                print(md5 + "-" + "No info found on VT")
            elif json_response["positives"] > 0:
                print(json_response["md5"] + "-" + str(json_response["positives"]))
        except KeyError:
            print(md5 + "-" + "No info found on VT")
        except (requests.RequestException, ValueError) as err:
            print(md5 + "-" + "some other error happened: " + str(err))

--------------------------------Script ends-------------------------------------
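The script above only prints the positives count. The following is an added example, not part of the original post, showing what a fuller triage of the v2 JSON response looks like: it distinguishes a hash VT has never seen (response_code 0) from one still queued (response_code -2) and from a finished report, pulls the distinct detection names out of the "scans" map so the analyst sees the family and not just a number, and replaces the fixed time.sleep(15) with a sliding-window limiter that enforces the 4-per-minute quota only when needed. The sample reports are constructed to match the documented v2 field names (response_code, positives, total, scans, md5, scan_date); the hash values and engine names are made up. The fetch_vt helper, the RateLimiter class and the triage_* functions are names chosen here and are not part of the VT API.

```python
import time
from collections import deque

# Constructed sample responses in the shape of the VT v2 file/report endpoint.
# Hashes, engine names and dates are made up for the demonstration.
SAMPLE_HIT = {
    "response_code": 1,
    "verbose_msg": "Scan finished, information embedded",
    "md5": "0123456789abcdef0123456789abcdef",
    "scan_date": "2016-01-01 00:00:00",
    "positives": 3,
    "total": 57,
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": True, "result": "Downloader.Agent"},
        "EngineC": {"detected": False, "result": None},
        "EngineD": {"detected": True, "result": "Trojan.Generic"},
    },
}
SAMPLE_UNKNOWN = {"response_code": 0, "resource": "ffffffffffffffffffffffffffffffff",
                  "verbose_msg": "The requested resource is not among the finished, queued or pending scans"}
SAMPLE_QUEUED = {"response_code": -2, "resource": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
                 "verbose_msg": "Your resource is queued for analysis"}


def triage_report(report):
    """Reduce one v2 report dict to a verdict: hit, clean, unknown, queued or error."""
    code = report.get("response_code")
    if code == 0:
        return {"status": "unknown", "positives": 0, "total": 0, "families": []}
    if code == -2:
        return {"status": "queued", "positives": 0, "total": 0, "families": []}
    if code != 1:
        return {"status": "error", "positives": 0, "total": 0, "families": []}
    positives = int(report.get("positives", 0))
    total = int(report.get("total", 0))
    # Distinct detection names across engines that flagged the file.
    families = sorted({s["result"] for s in report.get("scans", {}).values()
                       if s.get("detected") and s.get("result")})
    return {"status": "hit" if positives > 0 else "clean",
            "positives": positives, "total": total, "families": families}


class RateLimiter:
    """Sliding window: at most `limit` calls in any `period` seconds (4/minute for the public API)."""

    def __init__(self, limit=4, period=60.0, sleeper=time.sleep):
        self.limit, self.period, self.sleeper = limit, period, sleeper
        self.calls = deque()   # timestamps of the calls still inside the window

    def wait(self, now=None):
        """Block until a call is permitted; returns the seconds waited (0.0 if none)."""
        if now is None:
            now = time.monotonic()
        while self.calls and now - self.calls[0] >= self.period:
            self.calls.popleft()
        delay = 0.0
        if len(self.calls) >= self.limit:
            delay = self.period - (now - self.calls[0])
            self.sleeper(delay)
            now += delay
            self.calls.popleft()
        self.calls.append(now)
        return delay


def fetch_vt(md5, api_key):
    """Real lookup against the v2 endpoint; not exercised offline. Assumes `requests` is installed."""
    import requests
    r = requests.get("https://www.virustotal.com/vtapi/v2/file/report",
                     params={"apikey": api_key, "resource": md5}, timeout=30)
    r.raise_for_status()
    return r.json()


def triage_hashes(hashes, fetch, limiter):
    """Run every hash through `fetch` under the limiter; transport errors become an 'error' verdict."""
    results = []
    for raw in hashes:
        md5 = raw.strip().lower()
        if not md5:
            continue
        limiter.wait()
        try:
            report = fetch(md5)
        except Exception as exc:
            results.append((md5, {"status": "error", "positives": 0, "total": 0,
                                  "families": [], "detail": str(exc)}))
            continue
        results.append((md5, triage_report(report)))
    return results


if __name__ == "__main__":
    # Offline run against the constructed samples; swap in
    # lambda h: fetch_vt(h, API_KEY) to query VT for real.
    offline = {SAMPLE_HIT["md5"]: SAMPLE_HIT, SAMPLE_UNKNOWN["resource"]: SAMPLE_UNKNOWN}
    for md5, verdict in triage_hashes(list(offline), offline.__getitem__, RateLimiter()):
        print(md5, verdict["status"], verdict["positives"], "/", verdict["total"], verdict["families"])
```

Because the fetch function is injected, the same loop runs against a saved set of reports for testing and against fetch_vt for a real triage; the limiter only sleeps when the last four calls fall inside the same minute, so a short hash list finishes in seconds instead of 15 seconds per line.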
