Yeti and Pandas love VirusTotal Hunting

This article is a bit different of the others. The goal is to show how to follow your virustotal hunting with Yeti and Pandas.

With Virustotal Hunting, you can follow samples submitted by the users with yara rules. If a sample matches with a rule, you receive a notification and you can follow the notifications in the virus total console.

For this example, i use a rule to catch backdoor Chinoxy. In a first post, I have linked this backdoor with WINNTI.

and a second post, I have link this backdoor with Vicious Panda. https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746

and I have done a chronology of this backdoor.

The first step, it’s to configure yeti to have to the notification in the application.

In the yeti.conf file, set the key.

After, in setting/dataflow, the feed has to be launched.

The rule yara name is “Backdoor_Winnti”. So now in the console yeti, the notifications can be viewed.

Now we can make a timeline of the backdoor chinoxy.

Pyeti, pandas, jupyter lab and matplotlib must be installed.

The first step is to import libraries.

import pyeti
import pandas as pd
import json
from matplotlib import pyplot

In the second step, it’s the connection to the API.

api = pyeti.YetiApi(“https://yourserv:5000/api/", api_key=“<your_key>”)

now, it’s possible to search the observables with the tag “ Backdoor_Winnti”

r=api.observable_search(tags=’backdoor_winnti’)

the result is the list with all observable.

{'description': None,
'created': '2020-04-10T02:50:50.929000',
'last_analyses': {},
'tags': [{'fresh': True,
'first_seen': '2020-04-10T02:50:51.049000',
'name': 'backdoor_winnti',
'last_seen': '2020-04-14T14:07:33.175000'},
{'fresh': True,
'first_seen': '2020-04-10T02:50:51.070000',
'name': 'win32_dll',
'last_seen': '2020-04-14T14:07:33.190000'}],
'value': 'FILE:a6255e42640aac5d24f96bb7169cffcd6f0af8c90348dd1978c101459ff2ca3a',
'filenames': [],
'human_url': 'http://51.15.205.170:5000/observable/5e8fdf0a081a5f5dfcdd2552',
'sources': [],
'url': 'http://51.15.205.170:5000/api/observable/5e8fdf0a081a5f5dfcdd2552',
'context': [{'raw': '{"size": 1140992, "sha256": "a6255e42640aac5d24f96bb7169cffcd6f0af8c90348dd1978c101459ff2ca3a", "ruleset_name": "Backdoor_Winnti", "subject": "Backdoor_Winnti", "last_seen": "2020-04-10 01:45:33", "sha1": "56ca949480c39401efc108a687c8af05126c02b5", "match": "10 8B 44 24 38 85 C0 8B 44 24 28 0F 84 04 01 00 ..D$8...D$(.....\\n00 83 F8 01 0F 85 8D 00 00 00 *begin_highlight*56 E8 30 02 00 00*end_highlight* ..........*begin_highlight*V.0...*end_highlight*\\n*begin_highlight*50 FF 15 48 B1 01 10 8B 4C 24 24 8B 54 24 22 50*end_highlight* *begin_highlight*P..H....L$$.T$\\"P*end_highlight*\\n*begin_highlight*8B 44 24 24 81 E1 FF FF 00 00 81 E2 FF FF 00 00*end_highlight* *begin_highlight*.D$$............*end_highlight*\\n*begin_highlight*51 8B 4C 24 26 25 FF FF 00 00 52 8B 54 24 26 50*end_highlight* *begin_highlight*Q.L$&%....R.T$&P*end_highlight*\\n*begin_highlight*8B 44 24 28 81 E1 FF FF 00 00 81 E2 FF FF 00 00*end_highlight* *begin_highlight*.D$(............*end_highlight*\\n*begin_highlight*51 25 FF FF 00 00 52 50 FF 15 04 B1 01 10 50 FF*end_highlight* *begin_highlight*Q%....RP......P.*end_highlight*\\n*begin_highlight*15 44 B1 01 10 50 53 56 68 98 17 02 10 68 58 17*end_highlight* *begin_highlight*.D...PSVh....hX.*end_highlight*\\n*begin_highlight*02 10 68 70 C6 01 10 57 FF 15 E8 B1 01 10 8B 4C*end_highlight* *begin_highlight*..hp...W.......L*end_highlight*\\n*begin_highlight*24 68 83 C4 44 8B F0 56 E8 83 E7 FF FF 8B C6 5F*end_highlight* *begin_highlight*$h..D..V......._*end_highlight*\\n*begin_highlight*5E 5D 5B 83 C4 10 *end_highlight*C3 8B 4C 24 34 55 51 56 E8 9D *begin_highlight*^][...*end_highlight*..L$4UQV..", "date": "2020-04-10 02:47:23", "positives": 34, "first_seen": "2020-04-10 01:45:33", "total": 71, "type": "Win32 DLL", "id": "1101102217065565-6004783127658496-772358537ab6f13823d1b62bc2e0a24b", "md5": "e0fe9e5fce336462d408537bda56acd4", "scans": {"Bkav": null, "DrWeb": null, "MicroWorld-eScan": "Generic.Trojan.Chinoxy.AD3F79C0", "FireEye": "Generic.mg.e0fe9e5fce336462", "CAT-QuickHeal": null, "McAfee": "Artemis!E0FE9E5FCE33", "Cylance": "Unsafe", "VIPRE": null, "AegisLab": null, "K7AntiVirus": null, "BitDefender": "Generic.Trojan.Chinoxy.AD3F79C0", "K7GW": "Trojan ( 00562eca1 )", "CrowdStrike": "win/malicious_confidence_100% (D)", "TrendMicro": null, "BitDefenderTheta": "Gen:NN.ZedlaF.34106.f9@@auJu3Bhb", "F-Prot": null, "Symantec": "Trojan.Shannel", "TotalDefense": null, "Zoner": null, "TrendMicro-HouseCall": null, "Avast": "Win32:CrypterX-gen [Trj]", "ClamAV": null, "GData": "Generic.Trojan.Chinoxy.AD3F79C0", "Kaspersky": "UDS:DangerousObject.Multi.Generic", "Alibaba": null, "NANO-Antivirus": null, "ViRobot": null, "Rising": "Backdoor.Gh0st!1.C40A (CLASSIC)", "Endgame": "malicious (high confidence)", "Emsisoft": "Generic.Trojan.Chinoxy.AD3F79C0 (B)", "Comodo": null, "F-Secure": null, "Baidu": null, "Zillya": null, "Invincea": "heuristic", "McAfee-GW-Edition": "BehavesLike.Win32.Obfuscated.tc", "Trapmine": "malicious.high.ml.score", "CMC": null, "Sophos": "Mal/Generic-S", "Ikarus": "Backdoor.Win32.Inject", "Cyren": null, "Jiangmin": "TrojanSpy.Agent.aduw", "MaxSecure": null, "Avira": null, "MAX": "malware (ai score=81)", "Antiy-AVL": null, "Kingsoft": null, "Microsoft": null, "Arcabit": "Generic.Trojan.Chinoxy.AD3F79C0", "SUPERAntiSpyware": null, "ZoneAlarm": "UDS:DangerousObject.Multi.Generic", "Avast-Mobile": null, "AhnLab-V3": null, "Acronis": "suspicious", "VBA32": null, "ALYac": "Generic.Trojan.Chinoxy.AD3F79C0", "TACHYON": null, "Ad-Aware": "Generic.Trojan.Chinoxy.AD3F79C0", "Malwarebytes": null, "Panda": "Trj/GdSda.A", "APEX": "Malicious", "ESET-NOD32": "a variant of Win32/Chinoxy.AO", "Tencent": null, "Yandex": null, "SentinelOne": "DFI - Malicious PE", "eGambit": "PE.Heur.InvalidSig", "Fortinet": null, "Webroot": null, "AVG": "Win32:CrypterX-gen [Trj]", "Paloalto": null, "Qihoo-360": "Win32/Trojan.cfe"}}',
'size': 1140992,
'score vt': '34/71',
'source': 'VirusTotalHunting'}],
'hashes': [],
'type': 'File',
'id': '5e8fdf0a081a5f5dfcdd2552',
'mime_type': None}

We filter of the field of first_seen of the tags.

tags = [ (tag[‘first_seen’],t[‘value’]) for t in r for tag in t[‘tags’] if tag[‘name’]==’backdoor_winnti’]

And we put this in a dataframe.

pd.DataFrame(tags, columns=[‘first_seen’,’hash’])

We transform the dates in other format.

pd.to_datetime(_[‘first_seen’])

_.dt.strftime(‘%Y-%m-%d’)

And now we can draw the histogram.

You can download the notebook here.

Links:

https://pandas.pydata.org/

Malwarist,Threat Huntist and pythonist / core dev of #yeti/ member of @ProjectHoneynet / co-organizer #BotConf / researcher