Last active
February 1, 2023 05:29
-
-
Save aaaddress1/20148c440c47a404b8d6e90a0f42e3ab to your computer and use it in GitHub Desktop.
Real-Time Parse VirusTotal's Cuckoo Reports for the specific Sample by Hash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # can search sample's hash on virustotal by the following query: | |
| # >>> {RANSOMWARE_FAMILY} and sandbox_name:virustotal_cuckoofork and engines:ransom | |
| import sys | |
| import requests | |
| if len(sys.argv) != 2: | |
| print(f"usage: {sys.argv[0]} <sample-hash> by aaaddress1.\n") | |
| sys.exit(-1) | |
| url = 'https://www.virustotal.com/vtapi/v2/file/behaviour' | |
| params = { 'apikey':'{YOUR_VT_KEY}','hash': sys.argv[1] } | |
| response = requests.get(url, params=params) | |
| jSandbox = response.json() | |
| try: | |
| for currProcInfo in jSandbox['behavior']['processes']: | |
| for eCall in currProcInfo['calls']: | |
| type, ret, szApi, args = eCall['category'], eCall['return'], eCall['api'], eCall['arguments'] | |
| args = [a['value'] for a in args] | |
| if type == 'filesystem': | |
| print( f"{szApi}({', '.join(args)})" ) | |
| except: | |
| print(jSandbox) |
Author
aaaddress1
commented
Feb 1, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment