File hunting: Writing YARA rules for Livehunt

Livehunt uses an up-to-date version of YARA, which means that the latest YARA documentation is usually the place to go for a detailed description of the language and its features. However, there are a few things that you need to know while creating YARA rules specifically tailored for Livehunt.

  • Rules for which YARA raise performance warnings are not accepted by Livehunt. Such rules are usually very slow and degrade the service both for you and the rest of the users.

  • You can not use include statements in your rules.

  • Standard modules currently supported are: pe, elf, math, magic, hash, cuckoo, and dotnet.

  • In addition to the standard modules enumerated above, you can also the vt module, which was specifically created for Livehunt and exposes additional information about the file being scanned. Keep reading for more information about this module.

Using file's metadata in your rules

The vt module

Creating rules based on file behavior

HTTP Methods

Network Protocols

Behaviour traits

Behaviour verdicts

File types

Legacy variables

Using file's metadata in your rules

Most YARA rules are based in patterns found inside the files themselves, however this is not always enough. Sometimes you may need to create rules that leverage additional information that Google Threat Intelligence has about the file. For example, you may want to create a rule that only applies to a certain file type, or files that are detected by at least one antivirus, or perhaps you are only interested in files that are submitted to Google Threat Intelligence for the first time or from a given country. All these cases, and many more, can be expressed in your YARA rules.

In order to expose all the information that Google Threat Intelligence have about the file being scanned we have created a custom YARA module named vt. This module contains metadata like antivirus signatures, file type, file behavior, submitter, etc. The vt module replaces the previous mechanism for exposing file's metadata based in custom variables like signatures, positives, file_name, and so on. These variables have been deprecated, but they will continue to work and are still documented in the Legacy variables section.

The vt module

⚠️

The vt module always matches the last submission, i.e. the one that generated the YARA matching event.

The vt module exposes all the metadata that Google Threat Intelligence has about a file to YARA, so that you can create Livehunt rules based on that metadata. Let's see some examples:

import "vt"  
  
rule infected_pe {  
  condition:  
    vt.metadata.analysis_stats.malicious > 1 and vt.metadata.file_type == vt.FileType.PE_EXE  
}
import "vt"  
  
rule new_file_from_china {  
  condition:  
    vt.metadata.new_file and vt.metadata.submitter.country == "CN"  
}
import "vt"  
  
rule zbot {  
  condition:  
    for any engine, signature in vt.metadata.signatures : (  
      signature contains "zbot"  
    )  
}

From the examples above you probably already got the idea. The vt module has a lot of information about the file being scanned, and that information can be used in your Livehunt rules for filtering unwanted files and focusing in what you are really looking for. You are not limited to creating rules based on file content alone, there is a lot of metadata at your disposal as you can see in the table below.

FieldTypeDescriptionExample
vt.metadata.analysis_stats.maliciousintegerNumber of antivirus engines that detected the file as malicious.vt.metadata.analysis_stats.malicious < 10
vt.metadata.analysis_stats.undetectedintegerNumber of antivirus engines that didn't detected the file.vt.metadata.analysis_stats.undetected > 20
vt.metadata.analysis_stats.failureintegerNumber of antivirus engines that failed scanning the file.vt.metadata.analysis_stats.failure > 0
vt.metadata.analysis_stats.type_unsupportedintegerNumber of antivirus engines that don't support the file's type.vt.metadata.analysis_stats.type_unsupported > 0
vt.metadata.exiftooldictionaryDictionary that contains the information generated by ExifTool for the file being scanned. Both keys and values are strings. ExifTool generates numeric values for some properties, but values in YARA dictionaries must have the same time, therefore they are converted to strings.vt.metadata.exiftool["MIMEType"] == "application/pdf" andvt.metadata.exiftool["PageCount"] == "37"
vt.metadata.first_submission_dateintegerDate on which the file was submitted to Google Threat Intelligence for the first time, as a UNIX timestamp.vt.metadata.first_submission_date < 1582934400 // 2020-02-29
vt.metadata.file_namestringFile's name as it was last submitted to Google Threat Intelligence.vt.metadata.file_name contains "foobar"
vt.metadata.file_sizeintegerFile size in bytes.vt.metadata.file_size > 100KB
vt.metadata.file_typeintegerOne of the types listed in the file types table.vt.metadata.file_type == vt.FileType.PE_DLL
vt.metadata.file_type_tagsarray of stringsTags associated to the file's type, as listed in the file types tablefor any tag in vt.metadata.file_type_tags : ( tag == "pedll")
vt.metadata.goresym.versionstringVersion of the Golang compiler usedvt.metadata.goresym.version == "1.18.7"
vt.metadata.goresym.archstringTarget architecture for a Golang binaryvt.metadata.goresym.arch == "386"
vt.metadata.goresym.osstringTarget OS for a Golang binaryvt.metadata.goresym.os == "windows"
vt.metadata.goresym.build_idstringBuild ID of Golang binaryvt.metadata.goresym.build_id == "A_l09FDsHNuaJaKZ8MRU/H38D...HwLHCg-V/oTM-3A-yDyJSq4LWt0fu"
vt.metadata.goresym.build_info.depsarray of structsGolang binary's dependenciesfor any dep in vt.metadata.goresym.build_info.deps : ( dep.path == "github.com/mattn/go-isatty" and dep.version == "v0.0.14")
vt.metadata.goresym.build_info.pathstringGolang package pathvt.metadata.goresym.build_info.path == "github.com/portapps/discord-portable"
vt.metadata.goresym.build_info.settingsdictionaryDictionary where keys are setting names and values are the setting value.vt.metadata.goresym.build_info.settings["vcs.revision"] startswith "2f0e4453eec4"
vt.metadata.goresym.summary.num_dependenciesintegerTotal number of dependencies for a Golang binary
vt.metadata.goresym.summary.num_interfacesintegerTotal number of interfaces in a Golang binary
vt.metadata.goresym.summary.num_typesintegerTotal number of types in a Golang binary
vt.metadata.goresym.summary.num_std_functionsintegerNumber of functions from standard library used by a Golang binary.
vt.metadata.goresym.summary.num_user_functionsintegerNumber of user-defined functions in a Golang binary.
vt.metadata.gti_assessment.severity.valuestringSeverity of the file provided by Google Threat Intelligence. One of the values defined on the Google TI assessment severity types table.vt.metadata.gti_assessment.severity.value == vt.GtiSeverity.SEVERITY_MEDIUM
vt.metadata.gti_assessment.threat_score.valueintegerThreat score of the file provided by Google Threat Intelligence. This is a value between 1 and 100.vt.metadata.gti_assessment.threat_score.value > 0
vt.metadata.gti_assessment.verdict.valuestringVerdict of the file provided by Google Threat Intelligence. One of the values defined on the Google TI assessment verdicts table.vt.metadata.gti_assessment.verdict.value == vt.GtiVerdict.VERDICT_SUSPICIOUS
vt.metadata.imphashstringFile's import hash.vt.metadata.imphash == "9129bdbc18cfd1aba498c94e809567d5"
vt.metadata.new_filebooleanTrue if the file is being submitted to Google Threat Intelligence for the first time.not vt.metadata.new_file
vt.metadata.magicstringFile's type as returned by Linux's file_ command.vt.metadata.magic contains "Audio"
vt.metadata.main_icon.dhashstringHash that clusters together files with similar icons or thumbnails.vt.metadata.main_icon.dhash == "00ccc4d0c4fc7c02"
vt.metadata.main_icon.raw_md5stringMD5 of the icon associated to the file.vt.metadata.main_icon.raw_md5 == "997382cd5338048b70dbfbcd9b125552"
vt.metadata.malware_familiesarray of stringsList of family names produced from a malware config extraction process. Samples with malware configs can be obtained searching have:malware_config, family names will be displayed in the detections tab under "Malware config detection" or in the details tab under "Malware configuration file" where there is the full report.for any family_name in vt.metadata.malware_families : ( family_name == "redline")
vt.metadata.md5stringFile's MD5.vt.metadata.md5 == "44d88612fea8a8f36de82e1278abb02f"
vt.metadata.sha256stringFile's SHA-256.vt.metadata.sha256 == "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
vt.metadata.sha1stringFile's SHA-1.vt.metadata.sha1 == "3395856ce81f2b7382dee72602f798b642f14140"
vt.metadata.signaturesdictionaryDictionary where keys are antivirus names and values are malware signatures. The casing for both antivirus names and signatures is exactly as they appear in the web reports or API responses.for any engine, signature in vt.metadata.signatures : ( engine == "Kaspersky" and signature contains "")
vt.metadata.ssdeepstringFile's ssdeep hash.vt.metadata.ssdeep == "3:a+JraNvsgzsVqSwHq9:tJuOgzsko"
vt.metadata.subfilebooleanTrue if the file being scanned is not the one submitted to Google Threat Intelligence but one derived from it. For example, when a PE file packed with UPX is submitted to Google Threat Intelligence, both the original file and the unpacked file are scanned. This is true for the unpacked file and false for the original packed one.
vt.metadata.submitter.citystringCity from where the file was submitted, referred to the last submission. All lowercases.vt.metadata.submitter.city == "madrid"
vt.metadata.submitter.countrystringCountry from where the file was submitted, referred to the last submission. This is a two-letter ISO 3166 country code, in uppercase.vt.metadata.submitter.country == "ES"
vt.metadata.tagsarray of stringsFile's tags.for any tag in vt.metadata.tags : ( tag == "signed" )
vt.metadata.telfhashstringFile's telfhash.vt.metadata.telfhash == "t1992121a2ba6509a0f1fbf561b304d0450d200a1416fa36f2c275b9fadba5b820f78c37"
vt.metadata.tlshstringFile's tlsh hash.vt.metadata.tlsh == "T1BA45332537E1A552EB728E3053E65759CDB8B2379D66C32F3E5A100E1F72BA07D32A10"
vt.metadata.times_submittedintegerNumber of times the file has been submitted to Google Threat Intelligence. This is 1 for the first submission.vt.metadata.times_submitted > 5
vt.metadata.unique_sourcesintegerNumber of unique sources that have submitted this file.vt.metadata.unique_sources > 3
vt.metadata.vhashstringFile's vhash.

Back to top

Creating rules based on file behavior

The vt module not only exposes information about the file itself and how it was detected by antivirus engines, it also exposes information about how the file behaves. In Google Threat Intelligence we run executable files through multiple sandboxes, which include our own in-house developed sandbox called Jujubox, and some third-party sandboxes. The behavioral information generated by all those sandboxes is normalized into a common format, and mixed together as if it was generated by a single sandbox. This aggregated behavior report is what the vt module exposes to your rule. Here you have a few examples:

import "vt"  
  
rule drops_foo_exe {  
  condition:  
    for any file_dropped in vt.behaviour.files_dropped : (  
      file_dropped.path contains "foo.exe"  
    )  
}
import "vt"  
  
rule mutex_hgl345 {  
  condition:  
    for any mutex in vt.behaviour.mutexes_created : (  
       mutex == "HGL345"  
    )  
}
import "vt"  
  
rule persistence_and_self_deletion {  
  condition:  
    for any trait in vt.behaviour.traits : ( trait == vt.BehaviourTrait.PERSISTENCE ) and  
    for any trait in vt.behaviour.traits : ( trait == vt.BehaviourTrait.SELF_DELETE )  
}

The list below describes all the existing behaviour-related fields:

VariableTypeDescriptionExample
vt.behaviour.calls_highlightedarray of stringsAPI calls that are worth remarking because they are suspicious (e.g. "android.media.AudioRecord.startRecording", "GetTickCount"
vt.behaviour.text_highlightedarray of stringsText that can provide further context about the file, this might be windows titles, dialogs, outputs streams, etc.
vt.behaviour.text_decodedarray of stringsStrings that are either encoded or decoded during the observed time frame, we just record the decoded strings in plain form.
vt.behaviour.traitsarray of integersList that contains a subset of the values listed in the behaviour traits table.for any t in vt.behaviour.traits : ( t == vt.BehaviourTrait.LONG_SLEEPS)
vt.behaviour.invokesarray of strings
vt.behaviour.verdictsarray of integersSome sandboxes produce a verdict based on the file behaviour. This list contains one or more of the values listed in the behaviour verdicts table.for any t in vt.behaviour.verdicts : ( t == vt.BehaviourVerdict.RANSOM)
vt.behaviour.verdicts_labelsstringList that contains the verdicts labels based on the file behaviour sandboxes.for any lable in vt.behaviour.verdicts_lables : ( label contains "PDFPhish")
vt.behaviour.mitre_attack_techniquesstringString containing the mitre attack techniques.for any technique in vt.behaviour.mitre_attack_techniques : ( technique.id == "t1012")
Files
vt.behaviour.files_attribute_changedarray of stringsPaths of the files whose attributes have changed.for any f in vt.behaviour.files_attribute_changed : ( f contains ".exe")
vt.behaviour.files_copiedarray of structsStructures with information about files that have been copied.for any f in vt.behaviours.files_copied : ( f.source contains ".exe" and f.destination contains "system32")
vt.behaviour.files_copied[x].sourcestringPath where the file was copied from.
vt.behaviour.files_copied[x].destinationstringPath where the file was copied to.
vt.behaviour.files_deletedarray of stringsPaths of the files that have been deleted.
vt.behaviour.files_droppedarray of structsStructures with information about files that have been dropped.
vt.behaviour.files_dropped[x].pathstringPath of the dropped file.
vt.behaviour.files_dropped[x].sha256stringSHA-256 of the dropped file.
vt.behaviour.files_dropped[x].typeintegerType of the dropped file.
vt.behaviour.files_openedarray of stringsPaths of the files that have been opened.
vt.behaviour.files_writtenarray of stringsPaths of the files that have been written.
Network
vt.behaviour.dns_lookupsarray of structsList of DNS resolutions performed.
vt.behaviour.dns_lookups[x].hostnamestringHostname in the DNS lookup request.
vt.behaviour.dns_lookups[x].resolved_ipsarray of stringsList of IP address returned for the requested hostname.
vt.behaviour.hosts_filestringContent of the "hosts" file.
vt.behaviour.ip_trafficarray of structsList of established IP connections.
vt.behaviour.ip_traffic[x].destination_ipstringDestination IP address.
vt.behaviour.ip_traffic[x].destination_ip_as_intintegerDestination IP address dotless decimal number notation.for any t in vt.behaviour.ip_traffic : ( t.destination_ip_as_int == 3941835776)
vt.behaviour.ip_traffic[x].destination_ip_asnintegerDestination IP Autonomous System Number.for any t in vt.behaviour.ip_traffic : ( t.destination_ip_asn == 74838)
vt.behaviour.ip_traffic[x].destination_portintegerDestination port.
vt.behaviour.ip_traffic[x].transport_layer_protocolintegerOne of the constants listed in network protocols
vt.behaviour.http_conversationsarray of structsList of HTTP requests performed.
vt.behaviour.http_conversations[x].urlstringRequested URL.
vt.behaviour.http_conversations[x].request_methodintegerOne of the constants listed in HTTP methodsfor any c in vt.behaviour.http_conversations : ( c.request_method == vt.Http.Method.GET)
vt.behaviour.http_conversations[x].request_headersdictionaryHTTP request headers. Notice that dictionary keys are case-sensitive and therefore request_headers["user-agent"] is not the same than request_headers["User-Agent"]. The header name appears as reported by the sandbox.for any c in vt.behaviour.http_conversations : ( c.request_headers["user-agent"] == "Moxilla")
vt.behaviour.http_conversations[x].response_headersdictionaryHTTP response headers.
vt.behaviour.http_conversations[x].response_status_codeintegerHTTP status code returned by the server.
vt.behaviour.http_conversations[x].response_body_filetypeintegerType of the response's body, if it was one of the recognizable file types.
vt.behaviour.smtp_conversations[x].hostnamestringHost name of the SMTP server
vt.behaviour.smtp_conversations[x].destination_ipintegerIP address of the SMTP server
vt.behaviour.smtp_conversations[x].destination_portintegerPort number of the SMTP server (usually 25)
vt.behaviour.smtp_conversations[x].smtp_fromstringMAIL FROM: field in the SMTP protocol
vt.behaviour.smtp_conversations[x].smtp_toarray of stringsMAIL TO: field in the SMTP protocol
vt.behaviour.smtp_conversations[x].message_fromarray of strings"from" field in message header
vt.behaviour.smtp_conversations[x].message_toarray of strings"to" field in message header
vt.behaviour.smtp_conversations[x].message_ccarray of strings"cc" field in message header
vt.behaviour.smtp_conversations[x].message_bccarray of strings"bcc" field in message header
vt.behaviour.smtp_conversations[x].timestampstringMessage timestamp. Example: "Thu, 16 Jul 2020 6:1:58 GMT"
vt.behaviour.smtp_conversations[x].subjectstringMessage subject
vt.behaviour.smtp_conversations[x].html_bodystringMessage body in HTML form
vt.behaviour.smtp_conversations[x].txt_bodystringMessage body in text form
vt.behaviour.smtp_conversations[x].x_mailerstringProgram used for sending the email. Same than "X-Mailer" header.
vt.behaviour.tlsarray of stringsTLS attributes
Permissions
vt.behaviour.permissions_checkedarray of structsPermissions checked by the application.
vt.behaviour.permissions_checked[x].permissionstringPermission checked, example: "android.permission.INTERNET"
vt.behaviour.permissions_checked[x].ownerstring
vt.behaviour.permissions_requestedarray of stringsPermissions requested by the application.for any p in vt.behaviour.permissions_requested : ( p == "android.permission.BLUETOOTH")
Processes
vt.behaviour.command_executionsarray of stringsCommands executed, including their command-line arguments.for any cmd in vt.behaviour.command_executions : ( cmd contains "cmd.exe /Q /c")
vt.behaviour.modules_loadedarray of stringsModules or libraries dynamically loaded (e.g. DLLs loaded with LoadLibrary in Windows, DEX and .class files dynamically loaded in Android)
for any lib in vt.behaviour.modules_loaded : ( lib == "zlib.dll")
vt.behaviour.mutexes_createdarray of stringsMutexes created.for any mutex in vt.behaviour.mutexes_created : ( mutex contains "HGL345")
vt.behaviour.mutexes_openedarray of stringsMutexes opened.
vt.behaviour.processes_createdarray of stringsProcesses created.
vt.behaviour.processes_injectedarray of stringsProcesses in which some kind of code was injected. For instance, in Window this is commonly done using CreateRemoteThread.
vt.behaviour.processes_killedarray of stringsProcesses that were explicitly killed.
vt.behaviour.processes_terminatedarray of stringsProcesses that terminated during the observed time, not necessarily killed.
vt.behaviour.signals_hookedarray of stringsSignals hooked. In Windows this includes the windows messages hooked with SetWindowsHook and the string contains both the hook type and the function used (i.e "WH_KEYBOARD - SetWindowsHook")
In Android registered receivers are considered hooks.Windows: for any s in vt.behaviour.signals_hooked : ( s contains "WH_KEYBOARD") Android: for any s in vt.behaviour.signals_hooked : ( s == "android.intent.action.PROXY_CHANGE")
vt.behaviour.signals_observedarray of stringsFrom the signals hooked which were actually observed.
Services
vt.behaviour.services_boundarray of stringsService binding applies only to Android. A bind operation takes a component, an action, and potentially multiple extras. These are represented as: \n\nfor any svc in vt.behaviour.services_bound : ( svc contains "gms.analytics.service.START")
vt.behaviour.services_createdarray of stringsServices created. In some OSes services are simply any program that runs in the background without user interaction.for any svc in vt.behaviour.services_created : ( svc == "eckwIIMB")
vt.behaviour.services_openedarray of stringsServices opened.
vt.behaviour.services_startedarray of stringsServices started.
vt.behaviour.services_stoppedarray of stringsServices stopped.
Registry
vt.behaviour.registry_keys_deletedarray of stringsDeleted registry keys.for any key in vt.behaviour.registry_key_deleted : ( key contains "")
vt.behaviour.registry_keys_openedarray of stringsOpened registry keys.
vt.behaviour.registry_keys_setarray of structsModified registry keys and their new values.for any r in vt.behaviour.registry_keys_set : ( r.key matches /\windows\currentversion\run/i and r.value contains "VMIntel386.exe")
vt.behaviour.registry_keys_set[x].keystringRegistry key.
vt.behaviour.registry_keys_set[x].valuestringNew value for registry key.
Android-specific
vt.behaviour.shared_preferences_lookupsarray of stringsShared preferences that have been read.
vt.behaviour.shared_preferences_setsarray of structsShared preferences that have been modified.
vt.behaviour.shared_preferences_sets[x].keystringShared preference key.
vt.behaviour.shared_preferences_sets[x].valuestringNew value for preference.
vt.behaviour.system_property_lookupsarray of stringsSystem properties that have been read.
vt.behaviour.system_property_setsarray of structsSystem properties that have been modified.
vt.behaviour.system_property_sets[x].keystringProperty key.
vt.behaviour.system_property_sets[x].valuestringNew value for property.
Windows
vt.behaviour.windows_hiddenarray of stringsInformation about windows that have been hidden. The string contains the caption of the hidden Window and the name of the process owning the window.for any w in vt.behaviour.windows_hidden : ( w contains "cmd.exe /C")
vt.behaviour.windows_searchedarray of stringsWindows that have been searched for (e.g. using FindWindow). The strings can contain the window's name, the window's class name, or both.for any w in vt.behaviour.windows_searched : ( w contains "BANCO REAL")

Back to top

HTTP methods

vt.Http.Method.GET
vt.Http.Method.HEAD
vt.Http.Method.PATCH
vt.Http.Method.POST
vt.Http.Method.PUT
vt.Http.Method.DELETE
vt.Http.Method.TRACE
vt.Http.Method.OPTIONS
vt.Http.Method.CONNECT

Network protocols

vt.Net.Protocol.ICMP
vt.Net.Protocol.IGMP
vt.Net.Protocol.TCP
vt.Net.Protocol.UDP
vt.Net.Protocol.ESP
vt.Net.Protocol.AH
vt.Net.Protocol.L2TP
vt.Net.Protoco.SCTP

Behaviour traits

vt.BehaviourTrait.BIG_UPSTREAM
vt.BehaviourTrait.CHECKS_BIOS
vt.BehaviourTrait.CHECKS_CPU_NAME
vt.BehaviourTrait.CHECKS_DISK_SPACE
vt.BehaviourTrait.CHECKS_GPS
vt.BehaviourTrait.CHECKS_HOSTNAME
vt.BehaviourTrait.CHECKS_MEMORY_AVAILABLE
vt.BehaviourTrait.CHECKS_NETWORK_ADAPTERS
vt.BehaviourTrait.CHECKS_PCI_BUS
vt.BehaviourTrait.CHECKS_USB_BUS
vt.BehaviourTrait.CLIPBOARD
vt.BehaviourTrait.CRYPTO
vt.BehaviourTrait.DECRYPTS_EXE
vt.BehaviourTrait.DETECT_DEBUG_ENVIRONMENT
vt.BehaviourTrait.DIRECT_CPU_CLOCK_ACCESS
vt.BehaviourTrait.EXECUTES_DROPPED_FILE
vt.BehaviourTrait.FTP_COMMUNICATION
vt.BehaviourTrait.HOSTS_MODIFIER
vt.BehaviourTrait.INSTALLS_BROWSER_EXTENSION
vt.BehaviourTrait.IRC_COMMUNICATION
vt.BehaviourTrait.LONG_SLEEPS
vt.BehaviourTrait.MACRO_ANTI_ANALYSIS
vt.BehaviourTrait.MACRO_COPY_FILE
vt.BehaviourTrait.MACRO_CREATE_DIR
vt.BehaviourTrait.MACRO_CREATE_FILE
vt.BehaviourTrait.MACRO_CREATE_OLE
vt.BehaviourTrait.MACRO_DOWNLOAD_URL
vt.BehaviourTrait.MACRO_ENUM_WINDOWS
vt.BehaviourTrait.MACRO_ENVIRON
vt.BehaviourTrait.MACRO_HANDLE_FILE
vt.BehaviourTrait.MACRO_HIDE_APP
vt.BehaviourTrait.MACRO_OPEN_FILE
vt.BehaviourTrait.MACRO_POWERSHELL
vt.BehaviourTrait.MACRO_REGISTRY
vt.BehaviourTrait.MACRO_RUN_DLL
vt.BehaviourTrait.MACRO_RUN_FILE
vt.BehaviourTrait.MACRO_SAVE_WORKBOOK
vt.BehaviourTrait.MACRO_SEND_KEYS
vt.BehaviourTrait.MACRO_WRITE_FILE
vt.BehaviourTrait.MYSQL_COMMUNICATION
vt.BehaviourTrait.OBFUSCATED
vt.BehaviourTrait.PASSWORD_DIALOG
vt.BehaviourTrait.PERSISTENCE
vt.BehaviourTrait.REFLECTION
vt.BehaviourTrait.RUNTIME_MODULES
vt.BehaviourTrait.SELF_DELETE
vt.BehaviourTrait.SENDS_SMS
vt.BehaviourTrait.SMTP_COMMUNICATION
vt.BehaviourTrait.SSH_COMMUNICATION
vt.BehaviourTrait.SUDO
vt.BehaviourTrait.SUSPICIOUS_DNS
vt.BehaviourTrait.SUSPICIOUS_UDP
vt.BehaviourTrait.TELEPHONY
vt.BehaviourTrait.TELNET_COMMUNICATION
vt.BehaviourTrait.TUNNELING

Behaviour verdicts

vt.BehaviourVerdict.ADWARE
vt.BehaviourVerdict.BANKER
vt.BehaviourVerdict.CLEAN
vt.BehaviourVerdict.EVADER
vt.BehaviourVerdict.EXPLOIT
vt.BehaviourVerdict.GREYWARE
vt.BehaviourVerdict.MALWARE
vt.BehaviourVerdict.PHISHING
vt.BehaviourVerdict.RANSOM
vt.BehaviourVerdict.RAT
vt.BehaviourVerdict.SPREADER
vt.BehaviourVerdict.TROJAN
vt.BehaviourVerdict.UNKNOWN_VERDICT

Back to top

File types

TypeType tags
vt.FileType.ACEcompressed ace
vt.FileType.ANDROIDexecutable mobile android apk
vt.FileType.APPLEapple apple-gen
vt.FileType.APPLE_PLISTapple appleplist
vt.FileType.APPLEDOUBLEapple appledouble
vt.FileType.APPLESINGLEapple applesingle
vt.FileType.ARCcompressed arc
vt.FileType.ARJcompressed arj
vt.FileType.ASDcompressed asd
vt.FileType.ASFmultimedia video asf
vt.FileType.AVImultimedia video avi
vt.FileType.AWKsource awk
vt.FileType.BMPmultimedia image bmp
vt.FileType.BZIPcompressed bzip
vt.FileType.Csource c
vt.FileType.CABcompressed cab
vt.FileType.CAPinternet cap pcap
vt.FileType.CHMhelp chm
vt.FileType.COFFexecutable coff
vt.FileType.COOKIEinternet iecookie
vt.FileType.CPPsource cpp
vt.FileType.CRXcrx chrome extension browser
vt.FileType.DEBexecutable linux deb
vt.FileType.DIBmultimedia image dib
vt.FileType.DIVXmultimedia video divx
vt.FileType.DMGexecutable mac dmg
vt.FileType.DOCdocument msoffice text word doc
vt.FileType.DOCXdocument msoffice text word docx
vt.FileType.DOS_COMexecutable dos com
vt.FileType.DOS_EXEexecutable dos mz
vt.FileType.DYALOGsource dyalog
vt.FileType.DZIPcompressed dzip
vt.FileType.EBOOKdocument ebook epub
vt.FileType.ELFexecutable linux elf
vt.FileType.EMAILinternet email
vt.FileType.EMFmultimedia image emf
vt.FileType.EOTfont opentype eof
vt.FileType.FLACmultimedia audio flac
vt.FileType.FLCmultimedia animation flc
vt.FileType.FLImultimedia animation fli
vt.FileType.FLVmultimedia video flv
vt.FileType.FORTRANsource fortran
vt.FileType.FPXmultimedia image fpx
vt.FileType.GIFmultimedia image gif
vt.FileType.GIMPmultimedia image gimp
vt.FileType.GULdocument samsungdoc text gul
vt.FileType.GZIPcompressed gzip
vt.FileType.HTMLinternet html
vt.FileType.HWPdocument hangul text hwp
vt.FileType.ICOmultimedia image ico
vt.FileType.IN_DESIGNmultimedia image indesign
vt.FileType.IPHONEexecutable mobile iphone ios
vt.FileType.ISOIMAGEcompressed isoimage
vt.FileType.JARcompressed jar
vt.FileType.JAVAsource java
vt.FileType.JAVA_BYTECODEexecutable java-bytecode class
vt.FileType.JAVASCRIPTsource javascript
vt.FileType.JNGmultimedia image jng
vt.FileType.JPEGmultimedia image jpeg jpg
vt.FileType.KGBcompressed kgb
vt.FileType.LATEXdocument latex
vt.FileType.LINUXlinux
vt.FileType.LINUX_KERNELlinux
vt.FileType.LNKwindows lnk
vt.FileType.MACH_Oexecutable mac macho
vt.FileType.MACINTOSHapple macintosh mac macintosh-gen
vt.FileType.MACINTOSH_HFSapple macintosh mac machfs
vt.FileType.MACINTOSH_LIBapple mac maclib
vt.FileType.MIDImultimedia audio midi
vt.FileType.MOVmultimedia video mov
vt.FileType.MP3multimedia audio mp3
vt.FileType.MP4multimedia audio mp4
vt.FileType.MPEGmultimedia video mpeg
vt.FileType.MSCOMPRESScompressed mscompress
vt.FileType.MSIinstaller windows msi
vt.FileType.NE_DLLexecutable windows win16 ne nedll
vt.FileType.NE_EXEexecutable windows win16 ne neexe
vt.FileType.ODFdocument openoffice math odf
vt.FileType.ODGdocument openoffice draw odg
vt.FileType.ODPdocument openoffice presentation odp
vt.FileType.ODSdocument openoffice spreadsheet ods
vt.FileType.ODTdocument openoffice text odt
vt.FileType.OGGmultimedia video ogg
vt.FileType.OUTLOOKinternet email outlook
vt.FileType.PALMOSexecutable mobile palmos
vt.FileType.PASCALsource pascal
vt.FileType.PDFdocument pdf
vt.FileType.PE_DLLexecutable windows win32 pe pedll
vt.FileType.PE_EXEexecutable windows win32 pe peexe
vt.FileType.PERLsource perl
vt.FileType.PHPsource php
vt.FileType.PKGexecutable mac pkg
vt.FileType.PNGmultimedia image png
vt.FileType.PPSXdocument msoffice presentation powerpoint slideshow ppsx
vt.FileType.PPTdocument msoffice presentation powerpoint ppt
vt.FileType.PPTXdocument msoffice presentation powerpoint pptx
vt.FileType.PSdocument ps postscript
vt.FileType.PSDmultimedia image photoshop psd
vt.FileType.PYTHONsource python
vt.FileType.QUICKTIMEmultimedia video quicktime qt
vt.FileType.RARcompressed rar
vt.FileType.RMmultimedia video realmedia rm
vt.FileType.ROMrom bios firmware
vt.FileType.RPMlinux rpm
vt.FileType.RTFdocument msoffice text word rtf
vt.FileType.RUBYsource ruby
vt.FileType.RZIPcompressed rzip
vt.FileType.SCRIPTscript
vt.FileType.SEVENZIPcompressed 7zip
vt.FileType.SHELLSCRIPTscript shell
vt.FileType.SVGmultimedia image svg
vt.FileType.SWFinternet flash swf
vt.FileType.SYMBIANexecutable mobile symbian
vt.FileType.T3GPmultimedia video 3gp
vt.FileType.TARcompressed tar
vt.FileType.TARGAmultimedia image targa
vt.FileType.TEXTtext
vt.FileType.TIFFmultimedia image tiff
vt.FileType.TORRENTlink internet bittorrent
vt.FileType.TTFfont truetype ttf
vt.FileType.WAVmultimedia audio wav
vt.FileType.WINCEexecutable mobile wince
vt.FileType.WMAmultimedia audio wma
vt.FileType.WMVmultimedia video wmv
vt.FileType.WOFFfont openfont woff
vt.FileType.XLSdocument msoffice spreadsheet excel xls
vt.FileType.XLSXdocument msoffice spreadsheet excel xlsx
vt.FileType.XMLinternet xml
vt.FileType.XPIbrowser extension firefox xpi
vt.FileType.XWDmultimedia image xwd
vt.FileType.ZIPcompressed zip
vt.FileType.ZLIBcompressed zlib

Back to top

Legacy variables

YARA offers a mechanism for defining custom variables that has been used in Livehunt for providing additional information about the file being scanned. These variables are now deprecated in favor of our vt module, but they will continue to work as always for backward compatibility. You can find list of variables defined by Livehunt below, but we highly encourage you to start using the vt module instead.

VariableTypeDescription
file_namestringFile's name as it was last submitted to Google Threat Intelligence.
file_typestringString that contains information about the file type. The string contains a serie of type tags as described in the Type tags column in File types
imphashstringFile's import hash
md5stringFile's MD5
new_filebooleanTrue if this is the first time the file is submitted to Google Threat Intelligence.
positivesintegerNumber of antivirus engines detecting the file
sha256stringFile's SHA-256
sha1stringFile's SHA-1
signaturesstringDetection signatures from all antivirus engines concatenated together and separated by spaces. This variable is normally used with contains or matches operators
submissionsintegerNumber of times the file has been submitted to Google Threat Intelligence. The value is 1 for the first submission.
ssdeepstringFile's ssdeep hash
tagsstringFile's tags concatenated together and separated by spaces.
vhashstringFile's vhash

Back to top

Google TI assessment severity types

vt.GtiSeverity.SEVERITY_UNKNOWN
vt.GtiSeverity.SEVERITY_NONE
vt.GtiSeverity.SEVERITY_LOW
vt.GtiSeverity.SEVERITY_MEDIUM
vt.GtiSeverity.SEVERITY_HIGH

Back to top

Google TI assessment verdicts

vt.GtiVerdict.VERDICT_UNKNOWN
vt.GtiVerdict.VERDICT_BENIGN
vt.GtiVerdict.VERDICT_UNDETECTED
vt.GtiVerdict.VERDICT_SUSPICIOUS
vt.GtiVerdict.VERDICT_MALICIOUS

Back to top