Driving the VirusTotal API with curl

This is a follow-up to "Installing VirusTotal/c-vtapi on ArchLinux".
Last time I scanned a file with VirusTotal/c-vtapi; this time I'll do it with plain curl. With c-vtapi I couldn't find a way to hide the progress output, so for use in scripts and the like I found curl the safer and easier tool.

file scan

  • Upload a file that was downloaded into cowrie to VirusTotal.
# curl --silent --form "file=@/home/cowrie/cowrie/dl/05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8" --form apikey=<My API Key> https://www.virustotal.com/vtapi/v2/file/scan | jq
{
  "scan_id": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8-1522555488",
  "sha1": "692e7dd86b8c6cce57cca220bcaa2b9cd80bb9a3",
  "resource": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
  "response_code": 1,
  "sha256": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
  "permalink": "https://www.virustotal.com/file/05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8/analysis/1522555488/",
  "md5": "859f5a1e2713594d670888852dd15123",
  "verbose_msg": "Scan request successfully queued, come back later for the report"
}

report

  • Check the analysis results for the uploaded file.
# curl --silent --form resource=05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8 --form apikey=<My API Key> https://www.virustotal.com/vtapi/v2/file/report | jq
{
  "scans": {
    "Bkav": {
      "detected": false,
      "version": "1.3.0.9466",
      "result": null,
      "update": "20180331"
    },
    "MicroWorld-eScan": {
      "detected": true,
      "version": "14.0.297.0",
      "result": "Trojan.Downloader.BashAgent.159",
      "update": "20180401"
    },
    "nProtect": {
      "detected": false,
      "version": "2018-03-31.02",
      "result": null,
      "update": "20180331"
    },
    "CMC": {
      "detected": false,
      "version": "1.1.0.977",
      "result": null,
      "update": "20180331"
    },
    "CAT-QuickHeal": {
      "detected": false,
      "version": "14.00",
      "result": null,
      "update": "20180331"
    },
    "McAfee": {
      "detected": false,
      "version": "6.0.6.653",
      "result": null,
      "update": "20180401"
    },
    "Malwarebytes": {
      "detected": false,
      "version": "2.1.1.1115",
      "result": null,
      "update": "20180401"
    },
    "Zillya": {
      "detected": false,
      "version": "2.0.0.3525",
      "result": null,
      "update": "20180330"
    },
    "SUPERAntiSpyware": {
      "detected": false,
      "version": "5.6.0.1032",
      "result": null,
      "update": "20180331"
    },
    "TheHacker": {
      "detected": false,
      "version": "6.8.0.5.2591",
      "result": null,
      "update": "20180330"
    },
    "K7GW": {
      "detected": false,
      "version": "10.43.26677",
      "result": null,
      "update": "20180401"
    },
    "K7AntiVirus": {
      "detected": false,
      "version": "10.43.26678",
      "result": null,
      "update": "20180401"
    },
    "Arcabit": {
      "detected": true,
      "version": "1.0.0.831",
      "result": "Trojan.Downloader.BashAgent.159",
      "update": "20180401"
    },
    "Baidu": {
      "detected": false,
      "version": "1.0.0.2",
      "result": null,
      "update": "20180330"
    },
    "Cyren": {
      "detected": true,
      "version": "5.4.30.7",
      "result": "Trojan.CSPG-6",
      "update": "20180401"
    },
    "Symantec": {
      "detected": false,
      "version": "1.5.0.0",
      "result": null,
      "update": "20180331"
    },
    "ESET-NOD32": {
      "detected": false,
      "version": "17148",
      "result": null,
      "update": "20180401"
    },
    "TrendMicro-HouseCall": {
      "detected": true,
      "version": "9.950.0.1006",
      "result": "Suspicious_GEN.F47V0329",
      "update": "20180401"
    },
    "Avast": {
      "detected": true,
      "version": "18.2.3827.0",
      "result": "BV:Downloader-KB [Drp]",
      "update": "20180401"
    },
    "ClamAV": {
      "detected": false,
      "version": "0.99.2.0",
      "result": null,
      "update": "20180331"
    },
    "Kaspersky": {
      "detected": false,
      "version": "15.0.1.13",
      "result": null,
      "update": "20180401"
    },
    "BitDefender": {
      "detected": true,
      "version": "7.2",
      "result": "Trojan.Downloader.BashAgent.159",
      "update": "20180401"
    },
    "NANO-Antivirus": {
      "detected": true,
      "version": "1.0.100.22043",
      "result": "Trojan.Script.Agent.ekbkzw",
      "update": "20180401"
    },
    "AegisLab": {
      "detected": true,
      "version": "4.2",
      "result": "Bv.Downloader.Kb!c",
      "update": "20180331"
    },
    "Tencent": {
      "detected": false,
      "version": "1.0.0.1",
      "result": null,
      "update": "20180401"
    },
    "Ad-Aware": {
      "detected": true,
      "version": "3.0.5.370",
      "result": "Trojan.Downloader.BashAgent.159",
      "update": "20180401"
    },
    "Emsisoft": {
      "detected": true,
      "version": "4.0.2.899",
      "result": "Trojan.Downloader.BashAgent.159 (B)",
      "update": "20180401"
    },
    "Comodo": {
      "detected": false,
      "version": "28783",
      "result": null,
      "update": "20180401"
    },
    "F-Secure": {
      "detected": true,
      "version": "11.0.19100.45",
      "result": "Trojan.Downloader.BashAgent.159",
      "update": "20180401"
    },
    "DrWeb": {
      "detected": true,
      "version": "7.0.28.2020",
      "result": "Linux.DownLoader.320",
      "update": "20180401"
    },
    "VIPRE": {
      "detected": false,
      "version": "65666",
      "result": null,
      "update": "20180401"
    },
    "TrendMicro": {
      "detected": false,
      "version": "9.862.0.1074",
      "result": null,
      "update": "20180401"
    },
    "McAfee-GW-Edition": {
      "detected": false,
      "version": "v2015",
      "result": null,
      "update": "20180401"
    },
    "Sophos": {
      "detected": false,
      "version": "4.98.0",
      "result": null,
      "update": "20180401"
    },
    "F-Prot": {
      "detected": false,
      "version": "4.7.1.166",
      "result": null,
      "update": "20180401"
    },
    "Jiangmin": {
      "detected": false,
      "version": "16.0.100",
      "result": null,
      "update": "20180401"
    },
    "Avira": {
      "detected": true,
      "version": "8.3.3.6",
      "result": "HTML/ExpKit.Gen2",
      "update": "20180331"
    },
    "Fortinet": {
      "detected": false,
      "version": "5.4.247.0",
      "result": null,
      "update": "20180401"
    },
    "Antiy-AVL": {
      "detected": false,
      "version": "3.0.0.1",
      "result": null,
      "update": "20180331"
    },
    "Kingsoft": {
      "detected": false,
      "version": "2013.8.14.323",
      "result": null,
      "update": "20180401"
    },
    "Microsoft": {
      "detected": false,
      "version": "1.1.14600.4",
      "result": null,
      "update": "20180401"
    },
    "ViRobot": {
      "detected": false,
      "version": "2014.3.20.0",
      "result": null,
      "update": "20180331"
    },
    "AhnLab-V3": {
      "detected": false,
      "version": "3.12.0.20130",
      "result": null,
      "update": "20180331"
    },
    "ZoneAlarm": {
      "detected": false,
      "version": "1.0",
      "result": null,
      "update": "20180401"
    },
    "Avast-Mobile": {
      "detected": false,
      "version": "180331-00",
      "result": null,
      "update": "20180331"
    },
    "TotalDefense": {
      "detected": false,
      "version": "37.1.62.1",
      "result": null,
      "update": "20180331"
    },
    "ALYac": {
      "detected": true,
      "version": "1.1.1.5",
      "result": "Trojan.Downloader.BashAgent.159",
      "update": "20180401"
    },
    "AVware": {
      "detected": false,
      "version": "1.5.0.42",
      "result": null,
      "update": "20180401"
    },
    "MAX": {
      "detected": true,
      "version": "2017.11.15.1",
      "result": "malware (ai score=80)",
      "update": "20180401"
    },
    "VBA32": {
      "detected": false,
      "version": "3.12.28.0",
      "result": null,
      "update": "20180330"
    },
    "WhiteArmor": {
      "detected": false,
      "version": null,
      "result": null,
      "update": "20180324"
    },
    "Zoner": {
      "detected": false,
      "version": "1.0",
      "result": null,
      "update": "20180331"
    },
    "Rising": {
      "detected": true,
      "version": "25.0.0.1",
      "result": "Trojan.Mirai!1.AD2B (CLASSIC)",
      "update": "20180401"
    },
    "Yandex": {
      "detected": false,
      "version": "5.5.1.3",
      "result": null,
      "update": "20180331"
    },
    "Ikarus": {
      "detected": true,
      "version": "0.1.5.2",
      "result": "HTML.ExploitKit",
      "update": "20180331"
    },
    "GData": {
      "detected": true,
      "version": "A:25.16570B:25.11926",
      "result": "Trojan.Downloader.BashAgent.159",
      "update": "20180401"
    },
    "AVG": {
      "detected": true,
      "version": "18.2.3827.0",
      "result": "BV:Downloader-KB [Drp]",
      "update": "20180401"
    },
    "Panda": {
      "detected": false,
      "version": "4.6.4.2",
      "result": null,
      "update": "20180331"
    },
    "Qihoo-360": {
      "detected": true,
      "version": "1.0.0.1120",
      "result": "virus.js.qexvmc.1",
      "update": "20180401"
    }
  },
  "scan_id": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8-1522555488",
  "sha1": "692e7dd86b8c6cce57cca220bcaa2b9cd80bb9a3",
  "resource": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
  "response_code": 1,
  "scan_date": "2018-04-01 04:04:48",
  "permalink": "https://www.virustotal.com/file/05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8/analysis/1522555488/",
  "verbose_msg": "Scan finished, information embedded",
  "total": 59,
  "positives": 20,
  "sha256": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
  "md5": "859f5a1e2713594d670888852dd15123"
}

comments

  • Add a comment to the uploaded file.
# curl --silent --form resource=05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8 --form apikey=<My API Key> --form "comment=captured by SSH honeypots(Cowrie)" https://www.virustotal.com/vtapi/v2/comments/put | jq
{
  "response_code": 1,
  "verbose_msg": "Your comment was successfully posted"
}
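As an added example (not from the original post), here is the same three-step procedure as a Python script that uses only the standard library: it builds the same multipart/form-data bodies that `curl --form` sends, submits the file to file/scan, polls file/report until the v2 response_code leaves -2 ("still queued"), checks that the report's sha256 matches the local file before trusting the verdict, and only then posts the comment. Assumptions: the API key is read from a VT_API_KEY environment variable (chosen so the key stays out of the shell history that `--form apikey=...` leaves behind), the sample report at the bottom is constructed with made-up engine names, and the 60-second poll interval is picked to stay inside the public API's 4-requests-per-minute quota.

```python
import hashlib
import json
import os
import sys
import time
import urllib.request
import uuid

VT_BASE = "https://www.virustotal.com/vtapi/v2"
API_KEY_ENV = "VT_API_KEY"  # assumption: the key is supplied via the environment, not argv


def sha256_of(path):
    """Hash the local file so the returned report can be tied to it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def multipart(fields, file_field=None):
    """Encode text fields plus an optional (name, path) file as multipart/form-data."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f'\r\n\r\n{value}\r\n'.encode())
    if file_field:
        name, path = file_field
        with open(path, "rb") as f:
            data = f.read()
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                     f'filename="{os.path.basename(path)}"\r\n'
                     f'Content-Type: application/octet-stream\r\n\r\n'.encode() + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def post(endpoint, fields, file_field=None):
    """POST to /vtapi/v2/<endpoint>; v2 answers an empty HTTP 204 when the quota is exceeded."""
    body, ctype = multipart(dict(fields, apikey=os.environ[API_KEY_ENV]), file_field)
    req = urllib.request.Request(f"{VT_BASE}/{endpoint}", data=body,
                                 headers={"Content-Type": ctype}, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        if resp.status == 204:
            raise RuntimeError("VirusTotal rate limit exceeded (HTTP 204)")
        return json.load(resp)


def summarize_report(report, expected_sha256=None):
    """Reduce a file/report response to a small dict, handling the v2 response codes:
    1 = report present, 0 = hash unknown to VirusTotal, -2 = scan still queued."""
    code = report.get("response_code")
    if code == -2:
        return {"status": "queued"}
    if code == 0:
        return {"status": "unknown"}
    if code != 1:
        return {"status": "error", "message": report.get("verbose_msg")}
    if expected_sha256 and report.get("sha256", "").lower() != expected_sha256.lower():
        raise ValueError("report sha256 does not match the local file")
    scans = report.get("scans", {})
    hits = {engine: s.get("result") for engine, s in scans.items() if s.get("detected")}
    return {"status": "scanned", "positives": report.get("positives", len(hits)),
            "total": report.get("total", len(scans)), "hits": hits,
            "scan_date": report.get("scan_date"), "permalink": report.get("permalink")}


def wait_for_report(resource, expected_sha256=None, attempts=10, delay=60):
    """Poll file/report until the scan finishes; 60 s between polls keeps a public key
    inside its 4 requests/minute quota."""
    for _ in range(attempts):
        summary = summarize_report(post("file/report", {"resource": resource}), expected_sha256)
        if summary["status"] != "queued":
            return summary
        time.sleep(delay)
    return {"status": "timeout"}


def scan_and_report(path, comment=None):
    """Upload, wait for the verdict, verify the hash, then comment: the three curl calls."""
    queued = post("file/scan", {}, ("file", path))
    summary = wait_for_report(queued["resource"], expected_sha256=sha256_of(path))
    if comment and summary["status"] == "scanned":
        post("comments/put", {"resource": queued["resource"], "comment": comment})
    return summary


# Constructed sample in the shape of a v2 file/report response; engine names are made up.
SAMPLE_SHA256 = "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8"
SAMPLE_REPORT = {
    "response_code": 1, "sha256": SAMPLE_SHA256, "positives": 2, "total": 3,
    "scan_date": "2018-04-01 04:04:48",
    "scans": {"EngineA": {"detected": True, "result": "Trojan.Downloader.BashAgent.159"},
              "EngineB": {"detected": True, "result": "Linux.DownLoader.320"},
              "EngineC": {"detected": False, "result": None}},
}

if __name__ == "__main__":
    print(json.dumps(scan_and_report(sys.argv[1], "captured by SSH honeypots(Cowrie)"), indent=2))
```

Run it as `VT_API_KEY=... python3 vt_scan.py /home/cowrie/cowrie/dl/<sha256>`. Because Cowrie names downloaded files by their sha256, the hash check in wait_for_report also catches a typo in the resource argument, and an empty HTTP 204 from the v2 API is raised as a quota error instead of being fed to the JSON parser.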

Ref.

Env.

$ inxi -SM
System:    Host: pisces.blackle0pard.net Kernel: 4.15.12-1-ARCH x86_64 bits: 64 Console: tty 1
           Distro: Arch Linux
Machine:   Type: Kvm System: QEMU product: Standard PC (i440FX + PIIX, 1996) v: pc-i440fx-2.11 serial: N/A
           Mobo: N/A model: N/A serial: N/A BIOS: SeaBIOS v: rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org
           date: 04/01/2014
# curl --version
curl 7.59.0 (x86_64-pc-linux-gnu) libcurl/7.59.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.20.1 (+libidn2/2.0.4) nghttp2/1.31.0
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL