MHATOD is a Python script that gathers information about malware by searching online databases such as VirusTotal and Malware Bazaar and by using libraries such as AVClass.
This project was developed during my dissertation "Behavioural Analysis of Current Evolution Ransomware Attack Exfiltration Methods" in the MSc Advanced Security & Digital Forensics at Edinburgh Napier University. Further information can be found on my personal web page alessandro.ravizzotti.dev and in my dissertation listed above.
The following image shows an example of output.
- collections
- csv
- datetime
- json
- pathlib
- requests
- subprocess
- sys
The external dependencies are invoked by spawning subprocesses from the MHATOD script.
- avclass-malicialab AVClass GitHub repository
API key currently required to run the script:
API key required in future versions (it is recommended to request the API key now):
python MHATOD.py hash-list.txt -nOutputFolder
A text file with one SHA-256 hash per line; no commas or other characters are needed.
All data gathered from the databases and information collected from the analysis are saved inside a folder which is divided as follows:
- A "JSON" folder containing three .json files with the fields gathered during the whole investigation: one for VirusTotal, one for Malware Bazaar and one with their results combined.
- A "MalwareBazaar" folder and a "VirusTotal" folder which contain a list of .json files, one for each hash analysed, with the respective responses to the requests made to the online databases.
- Three .csv files with the analysis carried out by the script: one for VirusTotal, one for Malware Bazaar and one with the combined results of the two.
The main limitation of MHATOD is that its output depends on the information found in the databases and in AVClass, so the results are not guaranteed to be correct. If no data is found for a hash in the online sources, no data is generated for that hash in the output.
Discrepancies between the different sources are possible, which is why it is important to analyse more than one database when building datasets.
Depending on the API key you have, the number of daily requests may be limited.
Flags:
- -b: show banner
- -h: help
- -i: developer information
- -l [N]: start at line [N] of the input SHA-256 file
- -n [NAME]: [NAME] is going to be the folder's name
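As an added illustration (not code from the MHATOD project), the following Python snippet shows the two input/output rules described above: it parses a hash list in the format the script expects, honouring the -l [N] offset, and merges per-hash results from two sources the way the combined output is described, dropping hashes for which neither source returned data and flagging hashes on which the sources disagree. The vt/mb dictionaries and their "family" field are assumptions standing in for the real VirusTotal and Malware Bazaar responses.

```python
import re

# Input format from the README: one SHA-256 per line, nothing else.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_hash_lines(lines, start_line=1):
    """Return normalised SHA-256 hashes from an iterable of lines, starting
    at line `start_line` (the -l [N] flag). Blank lines are skipped;
    anything that is not a 64-hex-digit hash raises, so a stray comma or
    a truncated hash is caught before any API quota is spent on it."""
    hashes = []
    for lineno, raw in enumerate(lines, start=1):
        if lineno < start_line:
            continue
        line = raw.strip()
        if not line:
            continue
        if not SHA256_RE.match(line):
            raise ValueError(f"line {lineno}: not a SHA-256 hash: {line!r}")
        hashes.append(line.lower())
    return hashes


def load_hash_list(path, start_line=1):
    with open(path, encoding="utf-8") as fh:
        return parse_hash_lines(fh, start_line)


def combine_results(hashes, vt, mb):
    """Merge per-hash results from two sources. `vt` and `mb` are
    hypothetical dicts mapping hash -> {"family": ...}; a hash missing
    from a dict means that source returned no data. A hash absent from
    both sources yields no row (as the README states); a hash whose
    sources disagree is flagged for manual review."""
    rows = []
    for h in hashes:
        v, m = vt.get(h), mb.get(h)
        if v is None and m is None:
            continue
        fam_v = v.get("family", "") if v else ""
        fam_m = m.get("family", "") if m else ""
        rows.append({"sha256": h, "vt_family": fam_v, "mb_family": fam_m,
                     "discrepancy": bool(fam_v and fam_m and fam_v != fam_m)})
    return rows
```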
To run the script you need a list of hashes to check. If you are doing research and want to build such lists, you can use the following semi-automatic steps, which rely on retrive-hashes.js and clean.html, before executing the MHATOD.py script.
- Search on Triage or Malware Bazaar for the category of malware you are looking for.
- Paste retrive-hashes.js code into the browser's console.
- Paste the output into clean.html inputbox.
- Clean the text and save it to a file.
All tools listed below are released under the MIT license.
- MHATOD
- retrive-hashes.js
- clean.html
Future developments concern integration with the Triage API for searching for information about malware. Other databases will be taken into consideration for the analysis and further fields will be investigated. Furthermore, usability improvements will be made in the next version.
- new API
- ...