{ "cells": [ { "cell_type": "markdown", "source": [ "# VT Graphs in Jupyter Notebook\n", "\n", "In this notebook we will explore how to obtain attributes and relationships for different entities using VirusTotal API v3. Finally we can render all the relationships we have obtained using VTGraph." ], "metadata": {} }, { "cell_type": "markdown", "source": [ "## Import libraries" ], "metadata": {} }, { "cell_type": "code", "execution_count": 1, "source": [ "from msticpy.context.vtlookupv3 import VTLookupV3, VTEntityType\n", "\n", "import networkx as nx\n", "import matplotlib.pyplot as plt\n", "import os\n", "import pandas as pd\n", "\n", "pd.set_option('max_colwidth', 200)\n", "\n", "try:\n", " import nest_asyncio\n", "except ImportError as err:\n", " print(\"nest_asyncio is required for running VTLookup3 in notebooks.\")\n", " resp = input(\"Install now? (y/n)\")\n", " if resp.strip().lower().startswith(\"y\"):\n", " %pip install nest_asyncio\n", " import nest_asyncio\n", " else:\n", " raise err\n", "nest_asyncio.apply()" ], "outputs": [], "metadata": { "ExecuteTime": { "end_time": "2020-10-27T21:14:26.577974Z", "start_time": "2020-10-27T21:14:26.563976Z" } } }, { "cell_type": "markdown", "source": [ "## Create Lookup instance" ], "metadata": {} }, { "cell_type": "code", "execution_count": 2, "source": [ "from msticpy.common.provider_settings import get_provider_settings\r\n", "# Try to obtain the key from an environment variable\r\n", "vt_key = os.environ.get(\"VT_API_KEY\")\r\n", "if not vt_key:\r\n", " # if it is not set, fall back to the provider settings in msticpyconfig.yaml\r\n", " vt_key = get_provider_settings(\"TIProviders\")[\"VirusTotal\"].args[\"AuthKey\"]" ], "outputs": [], "metadata": { "ExecuteTime": { "end_time": "2020-10-27T21:31:33.176432Z", "start_time": "2020-10-27T21:31:33.159512Z" } } }, { "cell_type": "code", "execution_count": 3, "source": [ "# Instantiate vt_lookup object\n", "vt_lookup = VTLookupV3(vt_key)" ], "outputs": [], "metadata": { "ExecuteTime": { "end_time": 
"2020-10-27T21:31:46.681003Z", "start_time": "2020-10-27T21:31:46.663001Z" } } }, { "cell_type": "code", "execution_count": 5, "source": [ "# The ID (SHA256 hash) of the file to lookup\n", "FILE = 'ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa'" ], "outputs": [], "metadata": { "ExecuteTime": { "end_time": "2020-10-27T21:31:50.501013Z", "start_time": "2020-10-27T21:31:50.487012Z" } } }, { "cell_type": "code", "execution_count": 6, "source": [ "example_attribute_df = vt_lookup.lookup_ioc(observable=FILE, vt_type='file')\r\n", "example_attribute_df" ], "outputs": [ { "output_type": "execute_result", "data": { "text/plain": [ " last_submission_date \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 1605582797 \n", "\n", " size \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 3514368 \n", "\n", " times_submitted \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 1325 \n", "\n", " meaningful_name \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa diskpart.exe \n", "\n", " type_description \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa Win32 EXE \n", "\n", " first_submission_date \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 1494574270 \n", "\n", " detections \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 67 \n", "\n", " scans \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 76 \n", "\n", " first_submission \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 2017-05-12 07:31:10+00:00 \n", "\n", " last_submission \\\n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 2020-11-17 03:13:17+00:00 \n", "\n", " type \n", "id \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa file " ], "text/html": [ "
\n", " | last_submission_date | \n", "size | \n", "times_submitted | \n", "meaningful_name | \n", "type_description | \n", "first_submission_date | \n", "detections | \n", "scans | \n", "first_submission | \n", "last_submission | \n", "type | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|
id | \n", "\n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " |
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa | \n", "1605582797 | \n", "3514368 | \n", "1325 | \n", "diskpart.exe | \n", "Win32 EXE | \n", "1494574270 | \n", "67 | \n", "76 | \n", "2017-05-12 07:31:10+00:00 | \n", "2020-11-17 03:13:17+00:00 | \n", "file | \n", "
\n", " | attributes | \n", "
---|---|
authentihash | \n", "4b2c4c7f06f5ffaeea6efc537f0aa66b0a30c7ccd7979c86c7f4f996002b99fd | \n", "
autostart_locations | \n", "[{'entry': ' ', 'location': ' '}, {'entry': 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\\ProviderOrder', 'location': 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order'},... | \n", "
capabilities_tags | \n", "[win_registry, str_win32_winsock2_library, win_files_operation] | \n", "
creation_date | \n", "1290243905 | \n", "
crowdsourced_yara_results | \n", "[{'author': 'ReversingLabs', 'description': 'Yara rule that detects WannaCry ransomware.', 'rule_name': 'Win32_Ransomware_WannaCry', 'ruleset_id': '005e5fc7e3', 'ruleset_name': 'Win32.Ransomware.W... | \n", "
downloadable | \n", "True | \n", "
exiftool | \n", "{'CharacterSet': 'Unicode', 'CodeSize': '28672', 'CompanyName': 'Microsoft Corporation', 'EntryPoint': '0x77ba', 'FileDescription': 'DiskPart', 'FileFlagsMask': '0x003f', 'FileOS': 'Windows NT 32-... | \n", "
first_seen_itw_date | \n", "1578568742 | \n", "
first_submission_date | \n", "1494574270 | \n", "
last_analysis_date | \n", "1605638619 | \n", "
last_analysis_results | \n", "{'ALYac': {'category': 'malicious', 'engine_name': 'ALYac', 'engine_update': '20201117', 'engine_version': '1.1.1.5', 'method': 'blacklist', 'result': 'Trojan.Ransom.WannaCryptor'}, 'APEX': {'cate... | \n", "
last_analysis_stats | \n", "{'confirmed-timeout': 0, 'failure': 0, 'harmless': 0, 'malicious': 67, 'suspicious': 0, 'timeout': 1, 'type-unsupported': 4, 'undetected': 4} | \n", "
last_modification_date | \n", "1605645885 | \n", "
last_submission_date | \n", "1605582797 | \n", "
magic | \n", "PE32 executable for MS Windows (GUI) Intel 80386 32-bit | \n", "
md5 | \n", "84c82835a5d21bbcf75a61706d8ab549 | \n", "
meaningful_name | \n", "diskpart.exe | \n", "
names | \n", "[diskpart.exe, C:\\Users\\Work PC\\Downloads\\Test\\Ransomware\\Ransomware.WannaCry\\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6... | \n", "
packers | \n", "{'PEiD': 'Microsoft Visual C++'} | \n", "
pe_info | \n", "{'compiler_product_versions': ['id: 12, version: 7291 count=2', 'id: 11, version: 8047 count=1', 'id: 14, version: 7299 count=4', 'id: 10, version: 8047 count=11', 'id: 4, version: 8047 count=4', ... | \n", "
reputation | \n", "-2633 | \n", "
sha1 | \n", "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 | \n", "
sha256 | \n", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa | \n", "
sigma_analysis_stats | \n", "{'critical': 2, 'high': 0, 'low': 1, 'medium': 2} | \n", "
sigma_analysis_summary | \n", "{'Sigma Integrated Rule Set (GitHub)': {'critical': 2, 'high': 0, 'low': 1, 'medium': 2}} | \n", "
signature_info | \n", "{'copyright': '© Microsoft Corporation. All rights reserved.', 'description': 'DiskPart', 'file version': '6.1.7601.17514 (win7sp1_rtm.101119-1850)', 'internal name': 'diskpart.exe', 'original nam... | \n", "
size | \n", "3514368 | \n", "
ssdeep | \n", "98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB | \n", "
tags | \n", "[peexe, self-delete, overlay, runtime-modules, direct-cpu-clock-access, via-tor, executes-dropped-file] | \n", "
times_submitted | \n", "1325 | \n", "
tlsh | \n", "T173F533F4E221B7ACF2550EF64855C59B6A9724B2EBEF1E26DA8001A70D44F7F8FC0491 | \n", "
total_votes | \n", "{'harmless': 28, 'malicious': 292} | \n", "
trid | \n", "[{'file_type': 'Win32 Executable MS Visual C++ (generic)', 'probability': 38.5}, {'file_type': 'Microsoft Visual C++ compiled executable (generic)', 'probability': 20.4}, {'file_type': 'Win16 NE e... | \n", "
type_description | \n", "Win32 EXE | \n", "
type_extension | \n", "exe | \n", "
type_tag | \n", "peexe | \n", "
unique_sources | \n", "980 | \n", "
vhash | \n", "036046656d1570a8z3631lz1fz | \n", "
zemana_behaviour | \n", "[dll-injection] | \n", "
\n", " | \n", " | target_type | \n", "source_type | \n", "relationship_type | \n", "
---|---|---|---|---|
source | \n", "target | \n", "\n", " | \n", " | \n", " |
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa | \n", "018ac8f95d5e14b92011cdbfc8c48056ca4891161ed6bdd268770a5b56bb327f | \n", "file | \n", "file | \n", "execution_parents | \n", "
02a7977d1faf7bfc93a4b678a049c9495ea663e7065aa5a6caf0f69c5ff25dbd | \n", "file | \n", "file | \n", "execution_parents | \n", "|
06b020a3fd3296bc4c7bf53307fe7b40638e7f445bdd43fac1d04547a429fdaf | \n", "file | \n", "file | \n", "execution_parents | \n", "|
06c676bf8f5c6af99172c1cf63a84348628ae3f39df9e523c42447e2045e00ff | \n", "file | \n", "file | \n", "execution_parents | \n", "|
070f603e0443b1fae57425210fb3b27c2f77d8983cfefefb0ee185de572df33d | \n", "file | \n", "file | \n", "execution_parents | \n", "|
... | \n", "... | \n", "... | \n", "... | \n", "|
f1aa23299987eed2173e83d26b6078232051f885586ebba35699143b83bc68ad | \n", "file | \n", "file | \n", "execution_parents | \n", "|
f2916486e380d0c0bbd31694b05509b91f0f622478595eba89b30031f9f64c3c | \n", "file | \n", "file | \n", "execution_parents | \n", "|
fbf74ee5d011dfb0d6c3357446ea3999ef62b088c553d665847aece28a1d3e2b | \n", "file | \n", "file | \n", "execution_parents | \n", "|
ff6af3f113f61f823e422b7eb9e379495b81bdbb66a4e4e159b4caee8a79bada | \n", "file | \n", "file | \n", "execution_parents | \n", "|
0d592a8d7e13210140f106a897a211b839608c2e9e86f20419e30d4087b7ac03 | \n", "file | \n", "file | \n", "execution_parents | \n", "
106 rows × 3 columns
\n", "\n", " | last_submission_date | \n", "size | \n", "times_submitted | \n", "meaningful_name | \n", "type_description | \n", "first_submission_date | \n", "detections | \n", "scans | \n", "first_submission | \n", "last_submission | \n", "type | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|
id | \n", "\n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " | \n", " |
018ac8f95d5e14b92011cdbfc8c48056ca4891161ed6bdd268770a5b56bb327f | \n", "1526215996 | \n", "3723264 | \n", "6 | \n", "8479206ff1a47362199ddabebb7358d2.virus | \n", "Win32 EXE | \n", "1495139411 | \n", "67 | \n", "74 | \n", "2017-05-18 20:30:11+00:00 | \n", "2018-05-13 12:53:16+00:00 | \n", "file | \n", "
02a7977d1faf7bfc93a4b678a049c9495ea663e7065aa5a6caf0f69c5ff25dbd | \n", "1571387079 | \n", "9164800 | \n", "4 | \n", "=?UTF-8?B?572R5piT5bel5YW3566x56uv5ZCv5YqoLmV4ZQ==?= | \n", "Win32 EXE | \n", "1570020111 | \n", "52 | \n", "75 | \n", "2019-10-02 12:41:51+00:00 | \n", "2019-10-18 08:24:39+00:00 | \n", "file | \n", "
06b020a3fd3296bc4c7bf53307fe7b40638e7f445bdd43fac1d04547a429fdaf | \n", "1588342161 | \n", "3991221 | \n", "1 | \n", "Tender.pdf.exe | \n", "Win32 EXE | \n", "1588342161 | \n", "55 | \n", "75 | \n", "2020-05-01 14:09:21+00:00 | \n", "2020-05-01 14:09:21+00:00 | \n", "file | \n", "
06c676bf8f5c6af99172c1cf63a84348628ae3f39df9e523c42447e2045e00ff | \n", "1595479073 | \n", "4535704 | \n", "1 | \n", "car.exe | \n", "Win32 EXE | \n", "1595479073 | \n", "51 | \n", "76 | \n", "2020-07-23 04:37:53+00:00 | \n", "2020-07-23 04:37:53+00:00 | \n", "file | \n", "
070f603e0443b1fae57425210fb3b27c2f77d8983cfefefb0ee185de572df33d | \n", "1601363298 | \n", "3723264 | \n", "9 | \n", "lhdfrgui.exe | \n", "Win32 EXE | \n", "1504687270 | \n", "68 | \n", "74 | \n", "2017-09-06 08:41:10+00:00 | \n", "2020-09-29 07:08:18+00:00 | \n", "file | \n", "
... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "
f1aa23299987eed2173e83d26b6078232051f885586ebba35699143b83bc68ad | \n", "1563994865 | \n", "3723392 | \n", "1 | \n", "lhdfrgui.exe | \n", "Win32 EXE | \n", "1563994865 | \n", "64 | \n", "72 | \n", "2019-07-24 19:01:05+00:00 | \n", "2019-07-24 19:01:05+00:00 | \n", "file | \n", "
f2916486e380d0c0bbd31694b05509b91f0f622478595eba89b30031f9f64c3c | \n", "1518624409 | \n", "3676610 | \n", "5 | \n", "acdsee.ultimate.10.x.unipatch_WannaCry.exe | \n", "Win32 EXE | \n", "1498115823 | \n", "54 | \n", "69 | \n", "2017-06-22 07:17:03+00:00 | \n", "2018-02-14 16:06:49+00:00 | \n", "file | \n", "
fbf74ee5d011dfb0d6c3357446ea3999ef62b088c553d665847aece28a1d3e2b | \n", "1573073940 | \n", "3811580 | \n", "1 | \n", "Presentation.exe | \n", "Win32 EXE | \n", "1573073940 | \n", "28 | \n", "72 | \n", "2019-11-06 20:59:00+00:00 | \n", "2019-11-06 20:59:00+00:00 | \n", "file | \n", "
ff6af3f113f61f823e422b7eb9e379495b81bdbb66a4e4e159b4caee8a79bada | \n", "1576634480 | \n", "3597101 | \n", "1 | \n", "ShieldPassword.exe | \n", "Win32 EXE | \n", "1576634480 | \n", "22 | \n", "70 | \n", "2019-12-18 02:01:20+00:00 | \n", "2019-12-18 02:01:20+00:00 | \n", "file | \n", "
0d592a8d7e13210140f106a897a211b839608c2e9e86f20419e30d4087b7ac03 | \n", "1583318742 | \n", "3723264 | \n", "1 | \n", "lhdfrgui.exe | \n", "Win32 EXE | \n", "1583318742 | \n", "66 | \n", "75 | \n", "2020-03-04 10:45:42+00:00 | \n", "2020-03-04 10:45:42+00:00 | \n", "file | \n", "
106 rows × 11 columns
\n", "\n", " | \n", " | target_type | \n", "source_type | \n", "relationship_type | \n", "
---|---|---|---|---|
source | \n", "target | \n", "\n", " | \n", " | \n", " |
018ac8f95d5e14b92011cdbfc8c48056ca4891161ed6bdd268770a5b56bb327f | \n", "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | \n", "domain | \n", "file | \n", "contacted_domains | \n", "
02a7977d1faf7bfc93a4b678a049c9495ea663e7065aa5a6caf0f69c5ff25dbd | \n", "fkksjobnn43.org | \n", "domain | \n", "file | \n", "contacted_domains | \n", "
070f603e0443b1fae57425210fb3b27c2f77d8983cfefefb0ee185de572df33d | \n", "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | \n", "domain | \n", "file | \n", "contacted_domains | \n", "
76jdd2ir2embyv47.onion | \n", "domain | \n", "file | \n", "contacted_domains | \n", "|
xxlvbrloxvriy2c5.onion | \n", "domain | \n", "file | \n", "contacted_domains | \n", "|
... | \n", "... | \n", "... | \n", "... | \n", "... | \n", "
0d592a8d7e13210140f106a897a211b839608c2e9e86f20419e30d4087b7ac03 | \n", "76jdd2ir2embyv47.onion | \n", "domain | \n", "file | \n", "contacted_domains | \n", "
xxlvbrloxvriy2c5.onion | \n", "domain | \n", "file | \n", "contacted_domains | \n", "|
gx7ekbenv2riucmf.onion | \n", "domain | \n", "file | \n", "contacted_domains | \n", "|
57g7spgrzlojinas.onion | \n", "domain | \n", "file | \n", "contacted_domains | \n", "|
cwwnhwhlz52maqm7.onion | \n", "domain | \n", "file | \n", "contacted_domains | \n", "
202 rows × 3 columns
\n", "\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"
\\n\"+\n \"