Created
January 31, 2019 10:10
VirusTotal Warzone solutions
# VirusTotal Warzone challenge solutions:
# Additional help on VTi queries: https://www.virustotal.com/intelligence/help/
###############################################################################
- Search for files uploaded through the web portal from Brazil between the following dates:
==========================================================================================
submitter:BR submitter:web fs:2018-12-30+ fs:2019-01-30-
- Search for PE files with a subspan of at most 5 minutes (300 s between first and last submission), uploaded from Brazil through the web portal in the last month:
===================================================================================================================================================================
type:peexe subspan:300- submitter:BR submitter:web fs:2018-12-30+ fs:2019-01-30-
- Search sandbox behaviour reports for the mutex 8765-123rvr4:
==============================================================
behaviour:"8765-123rvr4"
- AhnLab V3 detects as Trojan/Win32.Teslacrypt, with at least 30 vendor detections:
===================================================================================
ahnlab_v3:"Trojan/Win32.Teslacrypt" p:30+
- Any vendor detection naming KeRangerRansom, DMG file type:
============================================================
engines:"KeRangerRansom" type:dmg
- Any DOCX whose metadata contains the following e-mail address:
================================================================
type:docx metadata:"ant1freezze@yandex.ru"
- Office documents that contain macros and may try to run other files, shell commands or applications:
======================================================================================================
type:doc tag:macros tag:run-file
- RTF files tagged cve-2012-0158 with at least 20 detections:
=============================================================
type:rtf tag:cve-2012-0158 p:20+
- Files seen in the wild at Google Drive URLs, with at least 20 detections:
===========================================================================
p:20+ itw:"drive.google.com"
- PCAPs tagged exploit-kit with at least 5 detections:
======================================================
type:pcap tag:"exploit-kit" p:5+
- PCAPs where the Snort or Suricata IDS alerts are tagged exploit-kit:
======================================================================
type:pcap AND (snort:"exploit-kit" OR suricata:"exploit-kit")
- PDFs tagged as exploit with embedded JavaScript and an AutoAction trigger:
============================================================================
type:pdf tag:exploit tag:autoaction tag:js-embedded
- Use VT's proprietary similarity hash to find samples similar to a given file (replace [HASH] with that file's hash):
=====================================================================================================================
similar-to:[HASH]
A couple of new modifiers as per the update on 2019/03/05:
https://blog.virustotal.com/2019/03/time-for-vt-enterprise-to-step-up.html
Use case examples:
behavior_network:"gate.php" - initiates search in HTTP communication
behavior_files:"Windows\svhost.exe" - changes related to the filesystem, svchost impersonation in C:\Windows
behavior_files:"wscript.exe" behavior_files:".vbs" - observations related to execution of processes, wscript executing .vbs files
behavior_registry:"Software\Microsoft\Windows\CurrentVersion\Run" - sample modifies Run key
behavior_services:"com.demo.malware/com.xdkj.demo.malware.MalService" - specific service was started
main_icon_dhash:e0dcc694d4e8f0b2 - file icon similarity search
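The queries in the gist and the behavior_* modifiers in the follow-up comment are all of the same shape: whitespace-separated `name:value` modifiers, `+`/`-` suffixes for lower and upper bounds, and double quotes around values that contain slashes, backslashes or spaces. The helper below is an added example, not code from the gist or from VirusTotal: it composes those query strings from Python values (so date windows and thresholds are computed rather than hand-typed), rebuilds several of the gist's queries from data, and can submit the result to the public VT API v3 intelligence search endpoint when a VT Enterprise key is supplied. The quoting rule (`_BARE_VALUE`), the function names and the refusal to escape embedded double quotes are this example's own choices; the `vt_search` call is not exercised offline.

```python
"""Compose VirusTotal Intelligence (VTI) search queries from Python values.

Added example; not part of the original gist or VirusTotal's tooling.
Nothing here touches the network unless vt_search() is called explicitly.
"""
from __future__ import annotations

import datetime as dt
import json
import re
import urllib.parse
import urllib.request
from typing import Any

# Public VT API v3 intelligence search endpoint (VT Enterprise key required).
VT_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"

# Assumption of this example: values made only of these characters are passed
# bare (the gist does this for tag:run-file, tag:cve-2012-0158); anything else
# (paths with backslashes, vendor names with '/', e-mail addresses) is wrapped
# in double quotes, as the gist's other queries do.
_BARE_VALUE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def quote(value: str) -> str:
    """Return VALUE in a form usable as a single VTI modifier argument."""
    if '"' in value:
        # VTI's escaping rules for embedded quotes are not shown in the gist,
        # so refuse rather than guess at a syntax.
        raise ValueError("double quotes are not allowed inside a VTI value")
    return value if _BARE_VALUE.match(value) else f'"{value}"'


def mod(name: str, value: str | int) -> str:
    """Build one 'name:value' modifier, e.g. mod('type', 'peexe')."""
    return f"{name}:{quote(str(value))}"


def first_seen_between(start: dt.date, end: dt.date) -> str:
    """fs: window in the gist's style: first seen from START up to END."""
    if end < start:
        raise ValueError("end date precedes start date")
    return f"fs:{start:%Y-%m-%d}+ fs:{end:%Y-%m-%d}-"


def first_seen_last_days(days: int, today: dt.date | None = None) -> str:
    """The same window anchored on TODAY (default: the real current date)."""
    today = today or dt.date.today()
    return first_seen_between(today - dt.timedelta(days=days), today)


def min_detections(n: int) -> str:
    """p:N+ : at least N antivirus engines flag the file."""
    return f"p:{n}+"


def max_subspan_seconds(seconds: int) -> str:
    """subspan:N- : first and last submission at most N seconds apart."""
    return f"subspan:{seconds}-"


def any_of(*terms: str) -> str:
    """Parenthesised OR group, e.g. (snort:exploit-kit OR suricata:exploit-kit)."""
    return "(" + " OR ".join(terms) + ")"


def query(*terms: str) -> str:
    """Join terms with whitespace, which VTI treats as an implicit AND."""
    return " ".join(t for t in terms if t)


# --- the gist's queries rebuilt from values ---------------------------------

def brazil_web_pe_uploads(start: dt.date, end: dt.date) -> str:
    """PE files from Brazilian web submitters, at most 5 min between uploads."""
    return query(mod("type", "peexe"), max_subspan_seconds(300),
                 mod("submitter", "BR"), mod("submitter", "web"),
                 first_seen_between(start, end))


def ids_exploit_kit_pcaps(label: str = "exploit-kit") -> str:
    """PCAPs whose Snort or Suricata alerts carry LABEL."""
    return query(mod("type", "pcap"), "AND",
                 any_of(mod("snort", label), mod("suricata", label)))


def run_key_persistence() -> str:
    """Run-key write plus svhost.exe drop, using the follow-up comment's modifiers."""
    return query(mod("behavior_registry", r"Software\Microsoft\Windows\CurrentVersion\Run"),
                 mod("behavior_files", r"Windows\svhost.exe"))


def vt_search(q: str, api_key: str, limit: int = 10) -> dict[str, Any]:
    """Run Q against VTI and return the decoded JSON (VT Enterprise key needed)."""
    url = VT_SEARCH_URL + "?" + urllib.parse.urlencode({"query": q, "limit": limit})
    req = urllib.request.Request(url, headers={"x-apikey": api_key,
                                               "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(brazil_web_pe_uploads(dt.date(2018, 12, 30), dt.date(2019, 1, 30)))
    print(query(mod("ahnlab_v3", "Trojan/Win32.Teslacrypt"), min_detections(30)))
    print(ids_exploit_kit_pcaps())
    print(run_key_persistence())
```

Running the module prints the rebuilt queries; pass any of them to `vt_search()` with an Enterprise API key to execute the search. Keeping the date arithmetic in `first_seen_last_days` avoids the classic hunting mistake of re-running a saved "last month" query with a stale fixed window.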