Digital Forensics & Incident Response
Search
⌃K

VirusTotal & hash lists

We'll take UAC's md5 hash output and query VirusTotal's API to search for malicious binaries.
If you execute UAC and select an appropriate profile (like full, or ir_triage) you'll have a list of hashes of executables which were running at the time of acquisition. Within process folder within live_response, you'll hash_running_process.md5 and .sha1
Edit those and strip the first column. If you're using Notepad++, you can just open the file, press Alt + Shift and select the second column and delete it. Save this as a new file, called process.md5 (you need the original listing to identify the process and map it back to pstree/cmd).
  1. 1.
    Download VirusTotal search from Didier Stevens' website (https://blog.didierstevens.com/programs/virustotal-tools/)
  2. 2.
    Fetch an API key from VirusTotal (free for small volume queries)
  3. 3.
    Make sure you have Python2.7 installed
  4. 4.
    Execute the following command
$ python2.7 virustotal-search.py -k APIKEY hashes.md5
This will display the results via the console, as well as save it as a CSV file.
Previous
Linux / AVML
Next - Incident Response
Unix-like Artifacts Collector (UAC)
Last modified 1yr ago