VirusTotal + Maltego = Visualizing Actionable Malware IOCs

– by Steven Weinstein

Setting up your own malware zoo and collecting all indicators of compromise related to those samples of malware can be time consuming and expensive. While there’s a long list of benefits to doing this on your own, it doesn’t make sense for every organization. All other arguments aside, some companies may decide that while it’s more expensive in the long run, it’s simpler and faster to leverage a malware repository such as VirusTotal.

Having access to the VirusTotal Private API adds immediate value to teams looking to mine data via custom scripts. With tens of millions of samples of malware and hundreds of millions of IOCs, the data a simple script can return can be vast. While incredibly useful, comprehending and making sense of this large amount of data is very difficult.

Fortunately, Maltego helps us visualize data to easily grasp correlations otherwise missed due to the flat nature of a large data set. Using Maltego also allows us to run scripts (transforms) to visualize the data that we are interested in, and then pivot to new queries and results, or even different data sets.

To better serve the threat intelligence community, we are announcing the public availability of 26 Maltego transforms that we’ve authored, designed to mine the data available from the VirusTotal Private API. These transforms enable security professionals to quickly find actionable intelligence for an incident, or find interesting overlaps or clusters while doing research. With these transforms, among a number of other capabilities, you will be able to:

  • Find hashes which have been downloaded from or have communicated with a domain or IP address
  • Get domains and IP addresses which a hash has communicated with
  • Locate hashes associated with a specific IOC (string, reg key, mutex, filename, command, etc)
  • Find IOCs (reg keys, file names, mutexes, commands run, etc) associated with a hash
  • Find hashes of which have a specific import hash or PE section hash
  • Find hashes which have been detected as a certain threat or specific CVE
  • Get scan information and detection ratios for hashes and URLs
  • Get Passive DNS for a domain or IP

These transforms don’t require any frameworks, and only need Python 2.7.x and the Requests library to run properly. Be sure to check out the documentation and download the transforms on GitHub:https://github.com/Lookingglass/Maltego

See below for some quick examples of what’s possible with these transforms:

Figure1

Example 1: Retrieve details about a hash that has communicated with a given domain, and then pivot to other hashes also communicating with the same IP addresses.

Figure2

Example 2: Retrieve details about a hash including the commands executed via the CreateProcessInternalW API call.

Please contact us if you’re interested in learning how the Lookingglass data set can enrich what you discover with these transforms.

Acknowledgement:

Thanks to Keith Gilbert for his effort on the Malformity project, which includes some great public API VirusTotal transforms. Malformity, which is a “Maltego project based on the Canari framework for malicious binary and infrastructure research”, can be found here:

https://github.com/digital4rensics/Malformity

Additional Posts

Is TrueCrypt No More?

By Robert Simmons Late Wednesday night (and as has now been reported by Brian Krebs and others), ...

No Silver Bullets: Insuring Against Cyber Threats

by Tobias Losch, GLEG The information age has long outgrown its infancy, and the widespread ...