Yeti and Pandas love VirusTotal Hunting

Sebdraven
5 min read · Apr 14, 2020

This article is a bit different from the others. The goal is to show how to follow up your VirusTotal Hunting notifications with Yeti and Pandas.

With VirusTotal Hunting, you can track samples submitted by users by matching them against your YARA rules. If a sample matches a rule, you receive a notification, and you can review the notifications in the VirusTotal console.

For this example, I use a rule to catch the Chinoxy backdoor. In a first post, I linked this backdoor to WINNTI.

In a second post, I linked this backdoor to Vicious Panda: https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746

I have also built a chronology of this backdoor.

The first step is to configure Yeti so that the notifications arrive in the application.

In the yeti.conf file, set the key.

Then, in Settings/Dataflow, launch the feed.

The YARA rule is named “Backdoor_Winnti”. The notifications can now be viewed in the Yeti console.

Now we can build a timeline of the Chinoxy backdoor.

pyeti, pandas, JupyterLab and matplotlib must be installed.

The first step is to import the libraries.

import pyeti
import pandas as pd
import json
from matplotlib import pyplot

The second step is the connection to the Yeti API.

api = pyeti.YetiApi("https://yourserv:5000/api/", api_key="<your_key>")

Now it is possible to search the observables carrying the tag “Backdoor_Winnti”.

r = api.observable_search(tags='backdoor_winnti')

The result is a list of all matching observables. One entry looks like this:

{'description': None,
'created': '2020-04-10T02:50:50.929000',
'last_analyses': {},
'tags': [{'fresh': True,
'first_seen': '2020-04-10T02:50:51.049000',
'name': 'backdoor_winnti',
'last_seen': '2020-04-14T14:07:33.175000'},
{'fresh': True,
'first_seen': '2020-04-10T02:50:51.070000',
'name': 'win32_dll',
'last_seen': '2020-04-14T14:07:33.190000'}],
'value': 'FILE:a6255e42640aac5d24f96bb7169cffcd6f0af8c90348dd1978c101459ff2ca3a',
'filenames': [],
'human_url': 'http://51.15.205.170:5000/observable/5e8fdf0a081a5f5dfcdd2552',
'sources': [],
'url': 'http://51.15.205.170:5000/api/observable/5e8fdf0a081a5f5dfcdd2552',
'context': [{'raw': '{"size": 1140992, "sha256": "a6255e42640aac5d24f96bb7169cffcd6f0af8c90348dd1978c101459ff2ca3a", "ruleset_name": "Backdoor_Winnti", "subject": "Backdoor_Winnti", "last_seen": "2020-04-10 01:45:33", "sha1": "56ca949480c39401efc108a687c8af05126c02b5", "match": "10 8B 44 24 38 85 C0 8B 44 24 28 0F 84 04 01 00 ..D$8...D$(.....\\n00 83 F8 01 0F 85 8D 00 00 00 *begin_highlight*56 E8 30 02 00 00*end_highlight* ..........*begin_highlight*V.0...*end_highlight*\\n*begin_highlight*50 FF 15 48 B1 01 10 8B 4C 24 24 8B 54 24 22 50*end_highlight* *begin_highlight*P..H....L$$.T$\\"P*end_highlight*\\n*begin_highlight*8B 44 24 24 81 E1 FF FF 00 00 81 E2 FF FF 00 00*end_highlight* *begin_highlight*.D$$............*end_highlight*\\n*begin_highlight*51 8B 4C 24 26 25 FF FF 00 00 52 8B 54 24 26 50*end_highlight* *begin_highlight*Q.L$&%....R.T$&P*end_highlight*\\n*begin_highlight*8B 44 24 28 81 E1 FF FF 00 00 81 E2 FF FF 00 00*end_highlight* *begin_highlight*.D$(............*end_highlight*\\n*begin_highlight*51 25 FF FF 00 00 52 50 FF 15 04 B1 01 10 50 FF*end_highlight* *begin_highlight*Q%....RP......P.*end_highlight*\\n*begin_highlight*15 44 B1 01 10 50 53 56 68 98 17 02 10 68 58 17*end_highlight* *begin_highlight*.D...PSVh....hX.*end_highlight*\\n*begin_highlight*02 10 68 70 C6 01 10 57 FF 15 E8 B1 01 10 8B 4C*end_highlight* *begin_highlight*..hp...W.......L*end_highlight*\\n*begin_highlight*24 68 83 C4 44 8B F0 56 E8 83 E7 FF FF 8B C6 5F*end_highlight* *begin_highlight*$h..D..V......._*end_highlight*\\n*begin_highlight*5E 5D 5B 83 C4 10 *end_highlight*C3 8B 4C 24 34 55 51 56 E8 9D *begin_highlight*^][...*end_highlight*..L$4UQV..", "date": "2020-04-10 02:47:23", "positives": 34, "first_seen": "2020-04-10 01:45:33", "total": 71, "type": "Win32 DLL", "id": "1101102217065565-6004783127658496-772358537ab6f13823d1b62bc2e0a24b", "md5": "e0fe9e5fce336462d408537bda56acd4", "scans": {"Bkav": null, "DrWeb": null, "MicroWorld-eScan": "Generic.Trojan.Chinoxy.AD3F79C0", 
"FireEye": "Generic.mg.e0fe9e5fce336462", "CAT-QuickHeal": null, "McAfee": "Artemis!E0FE9E5FCE33", "Cylance": "Unsafe", "VIPRE": null, "AegisLab": null, "K7AntiVirus": null, "BitDefender": "Generic.Trojan.Chinoxy.AD3F79C0", "K7GW": "Trojan ( 00562eca1 )", "CrowdStrike": "win/malicious_confidence_100% (D)", "TrendMicro": null, "BitDefenderTheta": "Gen:NN.ZedlaF.34106.f9@@auJu3Bhb", "F-Prot": null, "Symantec": "Trojan.Shannel", "TotalDefense": null, "Zoner": null, "TrendMicro-HouseCall": null, "Avast": "Win32:CrypterX-gen [Trj]", "ClamAV": null, "GData": "Generic.Trojan.Chinoxy.AD3F79C0", "Kaspersky": "UDS:DangerousObject.Multi.Generic", "Alibaba": null, "NANO-Antivirus": null, "ViRobot": null, "Rising": "Backdoor.Gh0st!1.C40A (CLASSIC)", "Endgame": "malicious (high confidence)", "Emsisoft": "Generic.Trojan.Chinoxy.AD3F79C0 (B)", "Comodo": null, "F-Secure": null, "Baidu": null, "Zillya": null, "Invincea": "heuristic", "McAfee-GW-Edition": "BehavesLike.Win32.Obfuscated.tc", "Trapmine": "malicious.high.ml.score", "CMC": null, "Sophos": "Mal/Generic-S", "Ikarus": "Backdoor.Win32.Inject", "Cyren": null, "Jiangmin": "TrojanSpy.Agent.aduw", "MaxSecure": null, "Avira": null, "MAX": "malware (ai score=81)", "Antiy-AVL": null, "Kingsoft": null, "Microsoft": null, "Arcabit": "Generic.Trojan.Chinoxy.AD3F79C0", "SUPERAntiSpyware": null, "ZoneAlarm": "UDS:DangerousObject.Multi.Generic", "Avast-Mobile": null, "AhnLab-V3": null, "Acronis": "suspicious", "VBA32": null, "ALYac": "Generic.Trojan.Chinoxy.AD3F79C0", "TACHYON": null, "Ad-Aware": "Generic.Trojan.Chinoxy.AD3F79C0", "Malwarebytes": null, "Panda": "Trj/GdSda.A", "APEX": "Malicious", "ESET-NOD32": "a variant of Win32/Chinoxy.AO", "Tencent": null, "Yandex": null, "SentinelOne": "DFI - Malicious PE", "eGambit": "PE.Heur.InvalidSig", "Fortinet": null, "Webroot": null, "AVG": "Win32:CrypterX-gen [Trj]", "Paloalto": null, "Qihoo-360": "Win32/Trojan.cfe"}}',
'size': 1140992,
'score vt': '34/71',
'source': 'VirusTotalHunting'}],
'hashes': [],
'type': 'File',
'id': '5e8fdf0a081a5f5dfcdd2552',
'mime_type': None}

We keep the first_seen field of the hunting tag, together with the value (the hash) of each observable.

tags = [(tag['first_seen'], t['value']) for t in r for tag in t['tags'] if tag['name'] == 'backdoor_winnti']

And we put this in a dataframe.

df = pd.DataFrame(tags, columns=['first_seen', 'hash'])

We convert the first_seen strings to real timestamps and keep only the day, so that samples seen on the same date fall into the same bucket.

df['first_seen'] = pd.to_datetime(df['first_seen'])
df['day'] = df['first_seen'].dt.strftime('%Y-%m-%d')

And now we can draw the histogram.
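As an added example (not code from the original post or the notebook), here is the same pipeline, tag filter, per-day buckets and histogram, run against constructed records that mimic the shape of the observable_search() output above; it uses only the standard library so it needs neither a Yeti server nor pandas, and the hashes and dates are made up.

```python
# Added example: the notebook's timeline pipeline without a live Yeti server.
# OBSERVABLES is a constructed sample with the same fields as the Yeti output
# shown above; the hashes are placeholders, not real samples.
from collections import Counter
from datetime import datetime

OBSERVABLES = [
    {"value": "FILE:" + "a" * 64,
     "tags": [{"name": "backdoor_winnti", "first_seen": "2020-04-10T02:50:51.049000"},
              {"name": "win32_dll", "first_seen": "2020-04-10T02:50:51.070000"}]},
    {"value": "FILE:" + "b" * 64,
     "tags": [{"name": "backdoor_winnti", "first_seen": "2020-04-10T23:59:59.000000"}]},
    {"value": "FILE:" + "c" * 64,
     "tags": [{"name": "backdoor_winnti", "first_seen": "2020-04-13T08:00:00.000000"}]},
    # Tagged by Yeti but never matched by the hunting rule: must be skipped.
    {"value": "FILE:" + "d" * 64,
     "tags": [{"name": "win32_dll", "first_seen": "2020-04-13T08:00:00.000000"}]},
]


def hunting_hits(observables, tag_name="backdoor_winnti"):
    """Return sorted (day, sha256) pairs, one per observable carrying the hunting tag.

    Same selection as the list comprehension in the post; the day comes from a
    parsed timestamp rather than a string slice, and the 'FILE:' prefix is removed.
    """
    hits = []
    for obs in observables:
        for tag in obs["tags"]:
            if tag["name"] != tag_name:
                continue
            day = datetime.fromisoformat(tag["first_seen"]).strftime("%Y-%m-%d")
            sha256 = obs["value"].split(":", 1)[1]
            hits.append((day, sha256))
    return sorted(hits)


def daily_counts(hits):
    """Histogram data: number of newly matched samples per day, in date order."""
    return dict(sorted(Counter(day for day, _ in hits).items()))


def ascii_histogram(counts):
    """Text rendering of the per-day counts, standing in for the matplotlib plot."""
    return "\n".join(f"{day} | {'#' * n} {n}" for day, n in counts.items())


if __name__ == "__main__":
    print(ascii_histogram(daily_counts(hunting_hits(OBSERVABLES))))
```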

You can download the notebook here.

Links:

https://pandas.pydata.org/


Malwarist,Threat Huntist and pythonist / core dev of #yeti/ member of @ProjectHoneynet / co-organizer #BotConf / researcher