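├── FileLookup.py
├── Readme.md
├── av_multiscan.py
└── example_output.txt
/FileLookup.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

# FileLookup.py was created by Glenn P. Edwards Jr.
# http://hiddenillusion.blogspot.com
# @hiddenillusion
# Date: 10-23-2012
# version = 0.3.1

# Requirements:
# - Internet Access :)
# - VirusTotal API key if you want prettier reports with more information from the JSON object
#   (set it in vt_key below, or preferably export VT_API_KEY so the key is not stored in the script)
# Optional:
# - SimpleJson module (the stdlib json module is used when it is not installed)
# To-Do:
# - Bit9 File Advisor
# - OpenMalware (http://oc.gtisc.gatech.edu:8080/search.cgi?search=)
# - Threading
# - Pretty up the code
# - This really would be easier if I used BS4 in the beginning :/

import os
import sys
from datetime import datetime
import argparse
import binascii
import re
import hashlib
import socket
import urllib
import urllib2
from time import localtime, strftime
try:
    # simplejson is used when present; the stdlib module is a drop-in
    # replacement, so the "pretty" report no longer depends on it.
    import simplejson as json
    sjson = True
except ImportError:
    import json
    sjson = False

# Configure some user-specific info
# Leave vt_key empty and export VT_API_KEY instead so the secret does not get
# committed along with the script; a non-empty vt_key still wins.
vt_key = ""
vt_key = vt_key or os.environ.get("VT_API_KEY", "")
if not vt_key:
    print("[!] You must configure your VirusTotal API key")
    sys.exit(1)

# Seconds to wait on any single network call; without a bound a stalled
# remote service hangs the whole scan.
NET_TIMEOUT = 30

# A complete 32-hex-digit MD5 and nothing else: the value is placed straight
# into query strings for the remote services, so anything else is rejected.
MD5_RE = re.compile(r"^[a-fA-F\d]{32}$")


def main():
    """Parse the command line and look up every file or hash it names."""
    # Get program args
    parser = argparse.ArgumentParser(description='Searches various online resources to try and get as much info about a file as possible without submitting it, requiring third party modules or performing any analysis on the file.')
    parser.add_argument('-f', '--file', help='Path to directory/file(s) to be scanned')
    parser.add_argument('-H', '--hash', help='MD5 hash to be queried')

    args = vars(parser.parse_args())

    def do_work(obj):
        """Query every service for one item and print the combined report.

        obj is a path to a regular file (when -f was given) or the MD5
        string itself (when -H was given).
        """
        if args['hash']:
            md5 = args['hash']
        else:
            # hash the item itself, not the top-level path: when walking a
            # directory the two differ and hashing the directory fails
            md5 = md5sum(obj)
            if md5 is None:
                # md5sum already reported the read error; nothing to query
                return
        results = []
        results.append(("#" * 80) + "\nFile:\t %s\n" % obj + ("#" * 80))
        results.append("MD5:\t\t\t%s" % md5)
        if args['file']:
            results.append("Sha256:\t\t\t%s" % sha256sum(obj))
        results.append("VirusTotal:\t\t%s" % virustotal(md5))
        results.append("Cymru:\t\t\t%s" % cymru(md5))
        results.append("ShadowServer A/V:\t%s" % ss_av(md5))
        results.append("ShadowServer Known:\t%s" % ss_known(md5))
        results.append("ThreatExpert Known:\t%s" % threatexpert(md5))
        results.append("")

        print('\n'.join(results))

    # Verify we have something to do
    if not args['file'] and not args['hash']:
        print("[!] I need something to do")
        sys.exit(1)

    # Verify supplied path exists or die
    if args['file']:
        path = args['file']
        if not os.path.exists(path):
            print("[!] The supplied path does not exist")
            sys.exit(1)
        if os.path.isdir(path):
            # Recursively walk the supplied path and process files accordingly
            for root, dirs, files in os.walk(path):
                for name in files:
                    do_work(os.path.join(root, name))
        elif os.path.isfile(path):
            do_work(path)

    # Verify the hash is legit: a whole MD5, not a string that merely contains one
    if args['hash']:
        if not MD5_RE.match(args['hash']):
            print("[!] The supplied hash is not a valid MD5")
            sys.exit(1)
        do_work(args['hash'])


def _hash_file(path, algo):
    """Return the hex digest of the file at *path* using hashlib algorithm *algo*.

    Reads in fixed-size chunks so large samples are not loaded whole.  On a
    read error the message is printed and None is returned (the original
    printed the error and then failed on an unbound name).
    """
    digest = hashlib.new(algo)
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1024 * 1024), b''):
                digest.update(chunk)
    except (IOError, OSError) as msg:
        print(msg)
        return None
    return digest.hexdigest()


def md5sum(file):
    """Return the MD5 hex digest of *file*, or None when it cannot be read."""
    return _hash_file(file, "md5")


def sha256sum(file):
    """Return the SHA-256 hex digest of *file*, or None when it cannot be read."""
    return _hash_file(file, "sha256")


def _fetch(url, data=None):
    """GET (or POST when *data* is given) *url* and return the body, or None.

    Transport failures span several exception families (URLError, socket
    errors, malformed HTTP responses), so the catch is deliberately broad
    but confined to this single call.
    """
    try:
        return urllib2.urlopen(urllib2.Request(url, data), timeout=NET_TIMEOUT).read()
    except Exception:
        return None


def virustotal(hash):
    """
    Return a summary of the VirusTotal scan report for *hash*.

    Uses the v2 file/report endpoint over HTTPS.  Returns "Error" when the
    service cannot be reached and "No Match" when the response lacks the
    report fields (the way an unknown resource shows up here).
    """
    url = "https://www.virustotal.com/vtapi/v2/file/report"
    parameters = {"resource": hash, "apikey": vt_key}
    data = urllib.urlencode(parameters)
    result = _fetch(url, data)
    if result is None:
        return "Error"

    try:
        rpt = json.loads(result)
        date = rpt["scan_date"].split(' ')[0]
        new_date = datetime.strptime(date, "%Y-%m-%d").strftime("%b %d %Y")
        out = ['']
        out.append("\tScan Date:\t %s" % new_date)
        out.append("\tTotal Engines:\t %s" % rpt["total"])
        out.append("\tDetected:\t %s" % rpt["positives"])
        out.append('')
        out.append("\tA/V Results:")
        scans = rpt.get("scans", {})
        # Each engine is looked up under its own name (the original showed the
        # Microsoft verdict on the ClamAV line) and may be absent from a given
        # report, in which case N/A is shown instead of discarding the whole report.
        for label, engine in (("ClamAV:\t\t", "ClamAV"),
                              ("Kaspersky:\t", "Kaspersky"),
                              ("McAfee:\t\t", "McAfee"),
                              ("Microsoft:\t", "Microsoft"),
                              ("Sophos:\t\t", "Sophos"),
                              ("Symantec:\t", "Symantec")):
            verdict = scans.get(engine, {}).get("result", "N/A")
            out.append("\t\t\t%s %s" % (label, verdict))
        out.append("\tLink: %s" % rpt["permalink"])
        return '\n'.join(out)
    except (KeyError, ValueError, TypeError, AttributeError):
        # not JSON, or JSON without a report in it
        return "No Match"


def ss_known(hash):
    """
    Based off original by: Jose Nazario (jose@arbor.net)
    site : http://bin-test.shadowserver.org

    Response lines of the form "<hash> <json>" are treated as hits (that is
    the shape the original parser assumed) and the JSON object is printed one
    key per line; any other line is ignored.  Note the query travels over
    plain HTTP.
    """
    url = "http://bin-test.shadowserver.org/api"
    url_vals = urllib.urlencode({'md5': hash})
    result = _fetch(url + '?' + url_vals)
    if result is None:
        return "Error"

    matches = {}
    for line in result.splitlines():
        parts = line.split(' ', 1)
        if len(parts) != 2:
            continue
        try:
            matches[parts[0]] = json.loads(parts[1])
        except ValueError:
            # not JSON after all; skip the line rather than abort the lookup
            continue

    if not matches:
        return "No Match"
    out = ['']
    for key in sorted(matches):
        info = matches[key]
        if isinstance(info, dict):
            for field in sorted(info):
                out.append("\t%s:\t%s" % (field, info[field]))
        else:
            out.append("\t%s" % info)
    return '\n'.join(out)


def ss_av(hash):
    """
    Based off original by: Jose Nazario (jose@arbor.net)
    site : http://innocuous.shadowserver.org/api/?query=#md5-or-sha1#

    The first response line is read as a comma separated record whose third
    field holds a "YYYY-MM-DD ..." timestamp, the second line as a
    brace-wrapped, comma separated list of engine results.  Note the query
    travels over plain HTTP.
    """
    url = "http://innocuous.shadowserver.org/api/"
    url_vals = urllib.urlencode({'query': hash})
    result = _fetch(url + '?' + url_vals)
    if result is None:
        return "Error"

    if "No match" in result:
        return "No Match"
    # NOTE(review): the service's spelling of this marker could not be
    # confirmed from here; it is compared exactly as the original did.
    if "Whitlisted" in result:
        return "Whitelisted"

    lines = result.split('\n')
    if len(lines) < 2:
        # neither a known marker nor the two-line record parsed below
        return "Error"
    col = lines[0].split(',')
    av = lines[1].split(',')
    out = ['']
    try:
        seen = col[2].replace('\"', '').split(' ')[0]
        seen_date = datetime.strptime(seen, "%Y-%m-%d").strftime("%b %d %Y")
    except (IndexError, ValueError):
        return "Error"
    out.append("\tFirst Seen:\t%s" % seen_date)
    # NOTE(review): the original read "Last Seen" from the same field as
    # "First Seen", so the two always agree; the correct column could not be
    # confirmed from here, so that behaviour is kept.
    out.append("\tLast Seen:\t%s" % seen_date)
    out.append('')
    out.append("\tA/V Results:")
    if len(av) > 1:
        for entry in av:
            out.append("\t\t\t%s" % entry.replace('\"', '').replace('{', '').replace('}', ''))
    else:
        out.append("\t\t\tN/A")

    return '\n'.join(out)


def cymru(hash):
    """
    Return Team Cymru Malware Hash Database results.
    source: http://code.google.com/p/malwarecookbook/
    site : http://www.team-cymru.org/Services/MHR/

    Speaks the whois-style protocol on port 43 ("begin", one hash per line,
    "end") and expects a reply line "<hash> <unix-timestamp> <verdict>".
    Returns "Error" on connection trouble and "No Match" when the reply is
    empty or not in that shape (the original raised on both).
    """
    request = '%s\r\n' % hash
    resp_re = re.compile(r'\S+ (\d+) (\S+)')
    try:
        s = socket.create_connection(('hash.cymru.com', 43), NET_TIMEOUT)
    except socket.error:
        return "Error"
    try:
        s.sendall('begin\r\n')
        s.recv(1024)
        s.sendall(request)
        response = s.recv(1024)
        s.sendall('end\r\n')
    except socket.error:
        return "Error"
    finally:
        # release the socket even when the exchange fails midway
        s.close()

    match = resp_re.match(response) if response else None
    if match is None:
        return "No Match"
    last_seen = strftime("%b %d %Y", localtime(int(match.group(1))))
    return "\n\tLast Seen:\t%s\n\tDetected:\t%s" % (last_seen, match.group(2))


def threatexpert(hash):
    """
    Return existence of report in ThreatExpert database.
    site : http://www.threatexpert.com
    credit : Added 11/29/2012 by Keith Gilbert - @digital4rensics
    note : Greatly increases time required

    Note the query travels over plain HTTP.
    """
    url = 'http://threatexpert.com/report.aspx?md5=' + urllib.quote(hash)
    page = _fetch(url)
    if page is None:
        return "Error"
    # str.find() returns -1 when the text is absent, which is truthy, so the
    # original test reported "Report Found" for nearly every page; use a real
    # membership test instead.
    if 'Submission Summary:' in page:
        return '\n'.join(["Report Found", "\tLink: %s" % url])
    return "No Match"


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
FileLookup.py
=============

Searches various online resources to try and get as much info about a file as possible without submitting it, requiring third party modules or performing any analysis on the file.

Requirements
------------
* Internet Access :)
* VirusTotal API key if you want prettier reports with more information from the JSON object (export it as `VT_API_KEY`, or set `vt_key` in the script)

Optional
--------
* SimpleJson module to print the pretty reports (the standard-library json module is used when it is not installed)

Usage
-----
usage: FileLookup.py [-h] [-f FILE] [-H HASH]

Searches various online resources to try and get as much info about a file as
possible without submitting it, requiring third party modules or performing
any analysis on the file.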
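
optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Path to directory/file(s) to be scanned
  -H HASH, --hash HASH  MD5 hash to be queried
--------------------------------------------------------------------------------
/av_multiscan.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
#
# This program is intended to run on a Linux machine, but you could
# easily use it on Windows (remove the Wine stuff and run exe's directly)
#
"""
av_multi_scanner.py

Created by Matthew Richard on 2010-01-1.
Copyright (c) 2010. All rights reserved.

original source: http://malwarecookbook.googlecode.com/svn/trunk/3/7/av_multiscan.py
"""

# Modified by Glenn P. Edwards Jr.
# http://hiddenillusion.blogspot.com
# @hiddenillusion
# Changelog:
# =========
# Date: 12-05-2012
# - changed some formatting
# - added McAfee local scan (http://malware-hunters.net/2011/06/23/mcafee-command-line-scanner-project-mclsp-v-1-2-released/)
# - added the ability to import some functions from my FileLookup script
# - added 'online' switch to enable this
# - https://github.com/hiddenillusion/FileLookup
#
# To-do:
# =====
# - add AVG & suppress AVG out of date engine warning
# - suppress f-prot's scanning bar
# - suppress ssdeep's too short of file warning
# - add option to update sigs/dats?
# - add engine/DAT info since sometimes different sources show different sig names based on when they were scanned?
# - something better than subprocess & wine?
# - eicar test: ~16/17 seconds
# - eicar test w/ online: ~17/20 seconds

import sys
import os
import yara
from hashlib import md5, sha1, sha256
import subprocess
import socket
from time import localtime, strftime
import re
from optparse import OptionParser
try:
    # To find other REMnux scripts to import, you can disregard otherwise.
    # Appended rather than inserted at the front: a directory at the head of
    # sys.path lets any .py file in it shadow standard-library modules that
    # FileLookup imports next (hashlib, urllib2, ...).
    sys.path.append('/usr/local/bin')
    import FileLookup
    looky = True
except ImportError:
    print("Couldn't import FileLookup")
    looky = False

"""
configuration information to use when processing the various AV products
mentioned files are available at:
http://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
http://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
http://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/2/clam_shellcode.ndb
http://www.f-prot.com/download/home_user/download_fplinux.html
http://www.reconstructer.org/code.html
http://free.avg.com/us-en/download.prd-alf
ftp://ftp.mcafee.com/commonupdater/
"""

yara_include_file = "/path/to/include.yara"  # I use this as an index to 'include' other rule files
yara_magic_file = "/path/to/magic.yara"
yara_packer_file = "/path/to/packer.yara"
clam_conf_file = "/path/to/clam_shellcode.ndb"
path_to_ssdeep = "/path/to/ssdeep"
path_to_clamscan = "/path/to/clamscan"
path_to_fpscan = "/path/to/fpscan"
path_to_officemalscanner = "/path/to/OfficeMalScanner.exe"
path_to_avg = "/path/to/avgscan"
path_to_mcafee = "/path/to/scan.exe"

# add new functions by invoking the scanner and returning a
# "label:\t...\t<result>" line, where the label names the scanner
# and <result> is a string representing the results


def _run(argv, env=None):
    """Run *argv* (argv[0] is the scanner binary) and return its stdout.

    The command is always passed as a list, never through a shell, so the
    scanned file name reaches the scanner verbatim even when it contains
    shell metacharacters.  stderr is inherited, as in the original.
    """
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, env=env)
    return proc.communicate()[0]


def _first_line_verdict(output):
    """Return the text after ': ' on the first line of *output*, or None.

    The clamscan-style scanners print "<file>: <verdict>" on their first
    line; None signals that the output was not in that shape.
    """
    first = output.split('\n')[0]
    parts = first.split(': ', 1)
    if len(parts) != 2:
        return None
    return parts[1]


def md5sum(data):
    """Return the labelled MD5 hex digest of the in-memory file *data*."""
    return 'md5:\t\t\t%s' % md5(data).hexdigest()


def sha1sum(data):
    """Return the labelled SHA-1 hex digest of the in-memory file *data*."""
    return 'sha1:\t\t\t%s' % sha1(data).hexdigest()


def sha256sum(data):
    """Return the labelled SHA-256 hex digest of the in-memory file *data*."""
    return 'sha256:\t\t\t%s' % sha256(data).hexdigest()


def ssdeep(fname):
    """Return the labelled ssdeep fuzzy hash of *fname* via the external binary."""
    if not os.path.isfile(path_to_ssdeep):
        return 'ssdeep:\t\t\t%s' % 'ERROR - SSDEEP NOT FOUND'
    output = _run([path_to_ssdeep, "-l", fname])
    try:
        # second whitespace token is "<hash>,<filename>"; as in the original
        # this misreads file names that themselves contain whitespace
        response = output.split()[1].split(',')[0]
    except IndexError:
        response = 'ERROR - unexpected ssdeep output'
    return 'ssdeep:\t\t\t%s' % response


def _yara_match(rule_file, data, label):
    """Match *data* against *rule_file* and return it formatted with *label*.

    Shared by yarascan/yara_magic/yara_packer, which differ only in the rule
    file and label.  Matching rule names are quoted and space separated;
    no match gives "No Match"; a missing rule file gives an error marker.
    """
    if not os.path.isfile(rule_file):
        response = "ERROR - YARA Config Missing"
    else:
        rules = yara.compile(rule_file)
        matches = rules.match(data=data)
        if matches:
            response = ''.join("'%s' " % m for m in matches)
        else:
            response = "No Match"
    return label % response


def yarascan(data2):
    """Match *data2* against the include/index rule file."""
    return _yara_match(yara_include_file, data2, 'yara:\t\t\t%s')


def yara_magic(data2):
    """Match *data2* against the file-type (magic) rules."""
    return _yara_match(yara_magic_file, data2, 'yara_magic:\t\t%s')


def yara_packer(data2):
    """Match *data2* against the packer-detection rules."""
    return _yara_match(yara_packer_file, data2, 'yara_packer:\t\t%s')


def clam_custom(fname):
    """Scan *fname* with clamscan using only the custom signature database."""
    if not os.path.isfile(path_to_clamscan):
        result = 'ERROR - %s not found' % path_to_clamscan
    elif not os.path.isfile(clam_conf_file):
        # name the file that is actually missing instead of blaming clamscan
        result = 'ERROR - %s not found' % clam_conf_file
    else:
        output = _run([path_to_clamscan, "-d", clam_conf_file, fname])
        result = _first_line_verdict(output)
        if result is None:
            result = 'ERROR - unexpected clamscan output'
    return 'clam_custom:\t\t%s' % result


def clamscan(fname):
    """Scan *fname* with clamscan and its default signature database."""
    if os.path.isfile(path_to_clamscan):
        output = _run([path_to_clamscan, fname])
        result = _first_line_verdict(output)
        if result is None:
            result = 'ERROR - unexpected clamscan output'
    else:
        result = 'ERROR - %s not found' % path_to_clamscan
    return 'clamav:\t\t\t%s' % result


def fpscan(fname):
    """ Depending on the version of FPROT you use, you may need
    to adjust the RESULTLINE number. """
    RESULTLINE = 10
    if os.path.isfile(path_to_fpscan):
        output = _run([path_to_fpscan, "--report", fname])
        lines = output.split('\n')
        if len(lines) > RESULTLINE:
            # verdict is the first tab-separated field of the report line
            result = lines[RESULTLINE].split('\t')[0]
            if not result:
                result = "No Match"
        else:
            result = 'ERROR - unexpected f-prot output'
    else:
        result = 'ERROR - %s not found' % path_to_fpscan
    return 'f-prot:\t\t\t%s' % result


def mcafee(fname):
    """Scan *fname* with the McAfee command-line scanner under wine."""
    if os.path.isfile(path_to_mcafee):
        output = _run(["wine", path_to_mcafee, fname])
        lines = output.split('\n')
        # the verdict is read from the twelfth output line; "Found: <name>"
        # marks a detection (line position depends on the scanner version)
        if len(lines) > 11:
            line = lines[11]
            if "Found: " in line:
                result = line.split('Found: ', 1)[1]
            else:
                result = "No Match"
        else:
            result = 'ERROR - unexpected mcafee output'
    else:
        result = 'ERROR - %s not found' % path_to_mcafee
    return 'mcafee:\t\t\t%s' % result


def officemalscanner(fname):
    """Run OfficeMalScanner (under wine) on *fname* in brute scan mode."""
    if os.path.isfile(path_to_officemalscanner):
        env = os.environ.copy()
        env['WINEDEBUG'] = '-all'  # silence wine's own diagnostics
        output = _run(["wine", path_to_officemalscanner, fname, "scan", "brute"], env=env)
        if "Analysis finished" in output:
            lines = output.split('\r\n')
            # the result sits three lines below the "Analysis finished" marker
            start = next(i for i, line in enumerate(lines) if "Analysis finished" in line)
            try:
                result = lines[start + 3]
            except IndexError:
                result = 'ERROR - unexpected officemalscanner output'
        else:
            result = "Not an MS Office file"
    else:
        result = 'ERROR - %s not found' % path_to_officemalscanner
    return 'officemalscanner:\t%s' % result


def avg(fname):
    """Scan *fname* with avgscan (currently disabled in main, see To-do)."""
    if os.path.isfile(path_to_avg):
        output = _run([path_to_avg, fname])
        result = _first_line_verdict(output)
        if result is None:
            result = 'ERROR - unexpected avg output'
    else:
        result = 'ERROR - %s not found' % path_to_avg
    # label laid out like every other scanner line ("name:" then tabs)
    return 'avg:\t\t\t%s' % result


def filesize(data):
    """Return the labelled size in bytes of the in-memory file *data*."""
    return 'filesize:\t\t%s bytes' % str(len(data))


def filename(filename):
    """Return the labelled file name."""
    return 'filename:\t%s' % filename


def lookup(filename):
    """Query the online services from FileLookup for the MD5 of *filename*.

    Every FileLookup function takes a hash, so the file is hashed here first;
    passing the file name itself (as the original did) queried the services
    for a string that is not a hash.
    """
    with open(filename, 'rb') as fh:
        digest = md5(fh.read()).hexdigest()
    ret = []
    ret.append('ShadowServer AV:\t%s' % FileLookup.ss_av(digest))
    ret.append('ShadowServer Known:\t%s' % FileLookup.ss_known(digest))
    ret.append('Cymru: %s' % FileLookup.cymru(digest))
    ret.append('VirusTotal: %s' % FileLookup.virustotal(digest))

    return '\n'.join(ret)


def main():
    """Parse options, run every local scanner on the file, then the online
    lookups when -o was given and FileLookup could be imported."""
    parser = OptionParser()
    parser.add_option("-f", "--file", action="store", dest="filename",
                      type="string", help="scanned FILENAME")
    parser.add_option("-o", "--online", action="store_true", dest="online",
                      help="Enable querying the file(s) hash to online resourses")

    (opts, args) = parser.parse_args()

    if opts.filename is None:
        parser.print_help()
        parser.error("You must supply a filename!")
    if not os.path.isfile(opts.filename):
        parser.error("%s does not exist" % opts.filename)

    # read once: the in-memory copy feeds the hashers and yara, the path
    # feeds the external scanners
    with open(opts.filename, 'rb') as fh:
        data = fh.read()
    results = [
        ("#" * 80) + "\nFile:\t %s\n" % opts.filename + ("#" * 80),
        filesize(data),
        md5sum(data),
        sha1sum(data),
        sha256sum(data),
        ssdeep(opts.filename),
        clamscan(opts.filename),
        clam_custom(opts.filename),
        yarascan(data),
        yara_magic(data),
        yara_packer(data),
        officemalscanner(opts.filename),
        fpscan(opts.filename),
        # avg(opts.filename) is left out until its engine warning is handled (see To-do)
        mcafee(opts.filename),
    ]

    print('\n'.join(results))
    if opts.online and looky:
        print(lookup(opts.filename))


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/example_output.txt:
--------------------------------------------------------------------------------
(1) SimpleJson installed, VT results but no Cymru or SS results
---------------------------------------------------------------

remnux@remnux:~/Desktop$ python FileLookup.py 8d1243db6fedbebf96cf446e278e5c155e8d57c98f213f5cd5e5629841178037
################################################################################
File:    8d1243db6fedbebf96cf446e278e5c155e8d57c98f213f5cd5e5629841178037
################################################################################
MD5:                6c81e843b52181a05cf5639dc42ddaf3
Sha256:             8d1243db6fedbebf96cf446e278e5c155e8d57c98f213f5cd5e5629841178037
VirusTotal:
    Scan Date:      Nov 19 2012
    Total Engines:  43
    Detected:       15

    A/V Results:
            ClamAV:     TrojanDownloader:Java/Agent.J
            Kaspersky:  None
            McAfee:     Generic Downloader.x!gm3
            Microsoft:  TrojanDownloader:Java/Agent.J
            Sophos:     Troj/JavaDl-SI
            Symantec:   Trojan.Maljava
    Link: https://www.virustotal.com/file/8d1243db6fedbebf96cf446e278e5c155e8d57c98f213f5cd5e5629841178037/analysis/1353343783/
Cymru:
    Last Seen:  Nov 20 2012
    Detected:   NO_DATA
ShadowServer A/V:   No Match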
ShadowServer Known: No Match 28 | 29 | ------------------------------------------------ 30 | (2) SimpleJson installed, VT, Cymru & SS results 31 | ------------------------------------------------ 32 | 33 | remnux@remnux:~/Desktop$ python FileLookup.py 7E3770351AED43FD6C5CAB8E06DC0300_doc 34 | ################################################################################ 35 | File: 7E3770351AED43FD6C5CAB8E06DC0300_doc 36 | ################################################################################ 37 | MD5: 7e3770351aed43fd6c5cab8e06dc0300 38 | Sha256: 742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3 39 | VirusTotal: 40 | Scan Date: Oct 21 2012 41 | Total Engines: 44 42 | Detected: 29 43 | 44 | A/V Results: 45 | ClamAV: Exploit:SWF/CVE-2012-1535.A 46 | Kaspersky: Exploit.SWF.Agent.gq 47 | McAfee: Exploit-CVE2012-1535 48 | Microsoft: Exploit:SWF/CVE-2012-1535.A 49 | Sophos: Troj/SwfExp-BB 50 | Symantec: Trojan.Mdropper 51 | Link: https://www.virustotal.com/file/742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3/analysis/1350797932/ 52 | Cymru: 53 | Last Seen: Aug 16 2012 54 | Detected: 27 55 | ShadowServer A/V: 56 | First Seen: Aug 18 2012 57 | Last Seen: Aug 18 2012 58 | 59 | A/V Results: 60 | N/A 61 | ShadowServer Known: No Match 62 | 63 | --------------------------------------------------- 64 | (3) No SimpleJson installed, VT, Cymru & SS results 65 | --------------------------------------------------- 66 | C:\tools\>python FileLookup.py 3770351AED43FD6C5CAB8E06DC0300_doc 67 | ################################################################################ 68 | File: 7E3770351AED43FD6C5CAB8E06DC0300_doc 69 | ################################################################################ 70 | MD5: 7e3770351aed43fd6c5cab8e06dc0300 71 | Sha256: 742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3 72 | VirusTotal: 73 | Scan Date: Oct 21 2012 74 | Total Engines: 44 75 | Detected: 29 76 | Cymru: 77 | Last Seen: Aug 16 
2012 78 | Detected: 27 79 | ShadowServer A/V: 80 | First Seen: Aug 18 2012 81 | Last Seen: Aug 18 2012 82 | 83 | A/V Results: 84 | N/A 85 | ShadowServer Known: No Match 86 | 87 | ------------------------------------------------------------- 88 | (4) av_mutliscan with out lookup integration of FileLookup 89 | ------------------------------------------------------------- 90 | 91 | remnux@remnux:~/Desktop$ av_multiscan.py -f file.exe 92 | Scanning: / 93 | ################################################################################ 94 | File: file.exe 95 | ################################################################################ 96 | filesize: 91296 bytes 97 | md5: 2d29ce731221bedfebc9f352b7bb7c5d 98 | sha1: 6fd78a30ecff3b7198352cfd0ed6943c64de6bce 99 | sha256: 9f1e0410f3bcc260cbc4bcbd9c9b4c8268181e81b7a1a34973f013cf3cd92800 100 | ssdeep: 1536:6CxUICz7AzOPArbISP7l7VIMRm4Oh+ljTzjLjTzjsjTzj1jTzjDEKQWCqT:f60SPArbDPxqMRbOhGTfXTfATfhTfDEW 101 | clamav: OK 102 | clam_custom: OK 103 | yara: 'suspicious' 'Keylogger' 'shellcode_at_EP' 104 | yara_magic: 'mz_executable' 105 | yara_packer: No Match 106 | officemalscanner: Not an MS Office file 107 | f-prot: No Match 108 | mcafee: No Match 109 | 110 | ------------------------------------------------------------- 111 | (5) av_mutliscan with online lookup integration of FileLookup 112 | ------------------------------------------------------------- 113 | remnux@remnux:~/Desktop$ av_multiscan.py -o -f file.exe 114 | Scanning: / 115 | ################################################################################ 116 | File: file.exe 117 | ################################################################################ 118 | filesize: 91296 bytes 119 | md5: 2d29ce731221bedfebc9f352b7bb7c5d 120 | sha1: 6fd78a30ecff3b7198352cfd0ed6943c64de6bce 121 | sha256: 9f1e0410f3bcc260cbc4bcbd9c9b4c8268181e81b7a1a34973f013cf3cd92800 122 | ssdeep: 
1536:6CxUICz7AzOPArbISP7l7VIMRm4Oh+ljTzjLjTzjsjTzj1jTzjDEKQWCqT:f60SPArbDPxqMRbOhGTfXTfATfhTfDEW 123 | clamav: OK 124 | clam_custom: OK 125 | yara: 'suspicious' 'Keylogger' 'shellcode_at_EP' 126 | yara_magic: 'mz_executable' 127 | yara_packer: No Match 128 | officemalscanner: Not an MS Office file 129 | f-prot: No Match 130 | mcafee: No Match 131 | ShadowServer AV: No Match 132 | ShadowServer Known: No Match 133 | Cymru: 134 | Last Seen: Dec 28 2012 135 | Detected: NO_DATA 136 | VirusTotal: 137 | Scan Date: Dec 20 2012 138 | Total Engines: 43 139 | Detected: 3 140 | 141 | A/V Results: 142 | ClamAV: None 143 | Kaspersky: None 144 | McAfee: None 145 | Microsoft: None 146 | Sophos: None 147 | Symantec: None 148 | Link: https://www.virustotal.com/file/9f1e0410f3bcc260cbc4bcbd9c9b4c8268181e81b7a1a34973f013cf3cd92800/analysis/1356010834/ 149 | --------------------------------------------------------------------------------