#!/usr/bin/env python3
import json
import os
import sys

import requests
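def get_reports(file_name, API_KEY):
    """Look up one sample on VirusTotal and act on the verdict.

    ``file_name`` is used verbatim as the VirusTotal file identifier (the
    ``/files/{id}`` endpoint accepts a hash), so the samples in
    Safe_Binaries are presumably named ``<hash>.exe`` -- TODO confirm with
    whoever populates that directory.

    Side effects, in order:
      * samples already listed in safe.txt are skipped;
      * a 404 from VT means the file is unknown: its name is appended to
        Uploads.txt, it is uploaded via ``post_sample`` and the analysis
        link is appended to Links.txt;
      * otherwise the report's ``last_analysis_stats`` are fed to
        ``is_sus_greater``: a flagged sample is deleted from
        Safe_Binaries, an unflagged one is appended to safe.txt.

    Security notes for whoever runs this:
      * Uploading sends the binary to VirusTotal; do not point this at
        anything confidential.
      * ``is_sus_greater`` tolerates a small share of malicious verdicts,
        so a sample with a few detections can still land in safe.txt.

    Raises ``requests.HTTPError`` for any non-404 error status (bad key,
    exhausted quota, ...) instead of failing with a KeyError while parsing
    an error body, and propagates ``requests`` exceptions from the network.
    """
    base_dir = "/home/cape/Desktop/Malware-Early-Detection"
    safe_list_path = os.path.join(base_dir, "safe.txt")
    with open(safe_list_path, "r") as file:
        safe_samples = {line.strip("\n") for line in file}
    if file_name in safe_samples:
        print(f"The sample {file_name} is safe")
        return

    url = "https://www.virustotal.com/api/v3/files/" + file_name
    headers = {
        "accept": "application/json",
        "x-apikey": API_KEY
    }
    # A single GET: the original issued the same request twice, which
    # doubled the quota cost per sample. requests has no default timeout,
    # so give it one rather than hang the sweep on a stalled connection.
    response = requests.get(url, headers=headers, timeout=60)

    if response.status_code == 404:
        print("This file doesn't exists on VirusTotal Database; so it will be uploaded for analysis...")
        with open(os.path.join(base_dir, "Uploads.txt"), "a") as file:
            file.write(f"{file_name}\n")
        # Upload first, then record the link, so a failed upload never
        # leaves a half-written line in Links.txt.
        link = post_sample(file_name, API_KEY)
        with open(os.path.join(base_dir, "Links.txt"), "a") as file:
            file.write(f"{link}\n")
        return

    # 401/403/429/5xx bodies are not reports; fail loudly instead of
    # tripping over a missing 'data' key.
    response.raise_for_status()
    stats = response.json()['data']['attributes']['last_analysis_stats']

    if is_sus_greater(stats):
        sample_path = os.path.join("/media/cape/Malware/Nico/Safe_Binaries/", file_name + ".exe")
        print(f"Removing {file_name} because it can't be considered safe.")
        try:
            os.remove(sample_path)
        except OSError as ex:
            # Best effort, as before: a sample that is already gone or
            # not writable is reported, not fatal.
            print(str(ex))
    else:
        with open(safe_list_path, "a") as file:
            file.write(f"{file_name}\n")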
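def is_sus_greater(stats, *, threshold_pct=5):
    """Return True when the sample cannot be considered clean.

    A sample is flagged when ``suspicious + malicious`` verdicts exceed
    ``threshold_pct`` percent of the ``undetected + harmless`` verdicts.
    The default of 5 matches the previously hard-coded THRESHOLD, so
    existing callers see no change.

    Args:
        stats: VirusTotal ``last_analysis_stats`` mapping; missing keys
            count as 0.
        threshold_pct: tolerated share of flagged verdicts, in percent.

    Caveats a reviewer should keep in mind:
      * A few "malicious" verdicts below the threshold still yield False,
        and the caller then records the sample as safe.
      * If no engine has reported at all (every counter 0 or missing, e.g.
        an analysis still queued), the result is also False -- absence of
        evidence is treated as clean. Callers that need fail-closed
        behaviour must inspect the counters themselves.
    """
    clean = stats.get('undetected', 0) + stats.get('harmless', 0)
    flagged = stats.get('suspicious', 0) + stats.get('malicious', 0)
    # Integer form of ``flagged > (threshold_pct / 100) * clean``: same
    # decision, no float rounding at the boundary.
    return 100 * flagged > threshold_pct * clean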
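def post_sample(file_name, API_KEY):
    """Upload ``<file_name>.exe`` from Safe_Binaries to VirusTotal.

    Files under 32 MB go to the plain ``/files`` endpoint; larger ones use
    the dedicated URL returned by ``get_large_url`` (the original code
    documented that split). Returns the ``data.links.self`` URL of the
    resulting analysis object.

    Security note: this ships the binary to a third party. The upload
    filename is the basename only, so the local directory layout is not
    disclosed along with the sample.

    Raises ``requests.HTTPError`` on a non-2xx response and ``OSError`` if
    the sample cannot be opened.
    """
    sample_path = os.path.join("/media/cape/Malware/Nico/Safe_Binaries/", file_name + ".exe")
    print(sample_path)
    if get_file_size_mb(sample_path) < 32:
        url = "https://www.virustotal.com/api/v3/files"
    else:
        url = get_large_url(API_KEY)
    return _upload(url, sample_path, API_KEY)


def _upload(url, sample_path, api_key):
    """POST ``sample_path`` as multipart form data to ``url``; return the analysis link."""
    headers = {
        "accept": "application/json",
        "x-apikey": api_key
    }
    # The original opened the file inline and never closed it, leaking one
    # descriptor per upload; the context manager closes it after the POST.
    with open(sample_path, "rb") as sample:
        files = {
            "file": (os.path.basename(sample_path), sample, "application/x-ms-dos-executable")
        }
        # Generous timeout: uploads of tens of MB legitimately take a while,
        # but a dead connection must not hang the sweep forever.
        response = requests.post(url, headers=headers, files=files, timeout=600)
    response.raise_for_status()
    return response.json()['data']['links']['self']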
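def get_large_url(API_KEY):
    """Return a dedicated upload URL for samples too large for ``/files``.

    Calls ``/files/upload_url`` with the API key and returns the ``data``
    field of the JSON response (the URL string).

    Raises ``requests.HTTPError`` on a non-2xx response instead of failing
    later with a KeyError on an error body.
    """
    url = "https://www.virustotal.com/api/v3/files/upload_url"
    headers = {
        "accept": "application/json",
        "x-apikey": API_KEY
    }
    # Explicit timeout: requests would otherwise wait indefinitely.
    response = requests.get(url, headers=headers, timeout=60)
    response.raise_for_status()
    return response.json()['data']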
def get_file_size_mb(file_path):
    """Return the size of ``file_path`` in mebibytes (1024 * 1024 bytes) as a float.

    Raises ``OSError`` (via ``os.path.getsize``) if the path does not exist.
    """
    bytes_per_mib = 1024 * 1024
    return os.path.getsize(file_path) / bytes_per_mib
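if __name__ == "__main__":
    # Accept the key on the command line as before, or from VT_API_KEY:
    # an argv secret is visible to every local user via `ps` and ends up
    # in shell history, so the environment variable is the safer option.
    if len(sys.argv) == 2:
        api_key = sys.argv[1]
    elif len(sys.argv) == 1 and os.environ.get("VT_API_KEY"):
        api_key = os.environ["VT_API_KEY"]
    else:
        # The original message named a different script (VT_Analyzer.py);
        # derive the name from argv[0] so it cannot drift again.
        print(f"Usage: python {os.path.basename(sys.argv[0])} <API_KEY>  (or set VT_API_KEY)")
        sys.exit(1)

    sample_dir = "/media/cape/Malware/Nico/Safe_Binaries"
    # os.listdir() returns a list, so get_reports() deleting a file mid-sweep
    # does not disturb the iteration. Only the stem is passed: the helpers
    # append ".exe" themselves.
    for entry in os.listdir(sample_dir):
        stem = os.path.splitext(entry)[0]
        try:
            get_reports(stem, api_key)
        except (requests.RequestException, KeyError, ValueError) as ex:
            # A transient API error or an unexpected response for one sample
            # should not abort the whole sweep; report it and move on.
            print(f"Skipping {entry}: {ex}")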