File hunting

Creating rules based on file metadata

The vt.metadata module exposes all the metadata that Google Threat Intelligence has about a file to YARA, so that you can create Livehunt rules based on that metadata. Let's see some examples:

import "vt"

rule infected_pe {
  condition:
    vt.metadata.analysis_stats.malicious > 1 and vt.metadata.file_type == vt.FileType.PE_EXE
}

import "vt"

rule new_file_from_china {
  condition:
    vt.metadata.new_file and vt.metadata.submitter.country == "CN"
}

import "vt"

rule zbot {
  condition:
    for any engine, signature in vt.metadata.signatures : (
      signature contains "zbot"
    )
}

Using file's metadata in your rules

Most YARA rules are based on patterns found inside the files themselves; however, this is not always enough. Sometimes you may need to create rules that leverage additional information that Google Threat Intelligence has about the file. For example, you may want to create a rule that only applies to a certain file type, or to files that are detected by at least one antivirus, or perhaps you are only interested in files that are submitted to Google Threat Intelligence for the first time or from a given country. All these cases, and many more, can be expressed in your YARA rules.

Fields

Characteristics

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.metadata.exiftool | dictionary | Dictionary that contains the information generated by ExifTool for the file being scanned. Both keys and values are strings. ExifTool generates numeric values for some properties, but values in YARA dictionaries must all have the same type, therefore they are converted to strings. | vt.metadata.exiftool["MIMEType"] == "application/pdf" and vt.metadata.exiftool["PageCount"] == "37" |
| vt.metadata.file_name | string | File's name as it was last submitted to Google Threat Intelligence. | vt.metadata.file_name contains "foobar" |
| vt.metadata.file_size | integer | File size in bytes. | vt.metadata.file_size > 100KB |
| vt.metadata.file_type | integer | One of the types listed in the file types table. | vt.metadata.file_type == vt.FileType.PE_DLL |
| vt.metadata.file_type_tags | array of strings | Tags associated with the file's type, as listed in the file types table. | for any tag in vt.metadata.file_type_tags : ( tag == "pedll" ) |
| vt.metadata.imphash | string | File's import hash. | vt.metadata.imphash == "9129bdbc18cfd1aba498c94e809567d5" |
| vt.metadata.magic | string | File's type as returned by Linux's file command. | vt.metadata.magic contains "Audio" |
| vt.metadata.main_icon.dhash | string | Hash that clusters together files with similar icons or thumbnails. | vt.metadata.main_icon.dhash == "00ccc4d0c4fc7c02" |
| vt.metadata.main_icon.raw_md5 | string | MD5 of the icon associated with the file. | vt.metadata.main_icon.raw_md5 == "997382cd5338048b70dbfbcd9b125552" |
| vt.metadata.md5 | string | File's MD5. | vt.metadata.md5 == "44d88612fea8a8f36de82e1278abb02f" |
| vt.metadata.sha256 | string | File's SHA-256. | vt.metadata.sha256 == "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" |
| vt.metadata.sha1 | string | File's SHA-1. | vt.metadata.sha1 == "3395856ce81f2b7382dee72602f798b642f14140" |
| vt.metadata.signatures | dictionary | Dictionary where keys are antivirus names and values are malware signatures. The casing of both antivirus names and signatures is exactly as they appear in the web reports or API responses. | for any engine, signature in vt.metadata.signatures : ( engine == "Kaspersky" and signature contains "" ) |
| vt.metadata.ssdeep | string | File's ssdeep hash. | vt.metadata.ssdeep == "3:a+JraNvsgzsVqSwHq9:tJuOgzsko" |
| vt.metadata.subfile | boolean | True if the file being scanned is not the one submitted to Google Threat Intelligence but one derived from it. For example, when a PE file packed with UPX is submitted to Google Threat Intelligence, both the original file and the unpacked file are scanned. This is true for the unpacked file and false for the original packed one. | |
| vt.metadata.tags | array of strings | File's tags. | for any tag in vt.metadata.tags : ( tag == "signed" ) |
| vt.metadata.telfhash | string | File's telfhash. | vt.metadata.telfhash == "t1992121a2ba6509a0f1fbf561b304d0450d200a1416fa36f2c275b9fadba5b820f78c37" |
| vt.metadata.tlsh | string | File's TLSH hash. | vt.metadata.tlsh == "T1BA45332537E1A552EB728E3053E65759CDB8B2379D66C32F3E5A100E1F72BA07D32A10" |
| vt.metadata.vhash | string | File's vhash. | |

File analysis

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.metadata.analysis_stats.malicious | integer | Number of antivirus engines that detected the file as malicious. | vt.metadata.analysis_stats.malicious < 10 |
| vt.metadata.analysis_stats.undetected | integer | Number of antivirus engines that didn't detect the file. | vt.metadata.analysis_stats.undetected > 20 |
| vt.metadata.analysis_stats.failure | integer | Number of antivirus engines that failed to scan the file. | vt.metadata.analysis_stats.failure > 0 |
| vt.metadata.analysis_stats.type_unsupported | integer | Number of antivirus engines that don't support the file's type. | vt.metadata.analysis_stats.type_unsupported > 0 |
| vt.metadata.malware_families | array of strings | List of family names produced by the malware config extraction process. Samples with malware configs can be obtained by searching have:malware_config; family names are displayed in the detections tab under "Malware config detection" or in the details tab under "Malware configuration file", where the full report is shown. | for any family_name in vt.metadata.malware_families : ( family_name == "redline" ) |

GOresym

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.metadata.goresym.version | string | Version of the Golang compiler used. | vt.metadata.goresym.version == "1.18.7" |
| vt.metadata.goresym.arch | string | Target architecture for a Golang binary. | vt.metadata.goresym.arch == "386" |
| vt.metadata.goresym.os | string | Target OS for a Golang binary. | vt.metadata.goresym.os == "windows" |
| vt.metadata.goresym.build_id | string | Build ID of a Golang binary. | vt.metadata.goresym.build_id == "A_l09FDsHNuaJaKZ8MRU/H38D...HwLHCg-V/oTM-3A-yDyJSq4LWt0fu" |
| vt.metadata.goresym.build_info.deps | array of structs | Golang binary's dependencies. | for any dep in vt.metadata.goresym.build_info.deps : ( dep.path == "github.com/mattn/go-isatty" and dep.version == "v0.0.14" ) |
| vt.metadata.goresym.build_info.path | string | Golang package path. | vt.metadata.goresym.build_info.path == "github.com/portapps/discord-portable" |
| vt.metadata.goresym.build_info.settings | dictionary | Dictionary where keys are setting names and values are the setting values. | vt.metadata.goresym.build_info.settings["vcs.revision"] startswith "2f0e4453eec4" |
| vt.metadata.goresym.summary.num_dependencies | integer | Total number of dependencies for a Golang binary. | |
| vt.metadata.goresym.summary.num_interfaces | integer | Total number of interfaces in a Golang binary. | |
| vt.metadata.goresym.summary.num_types | integer | Total number of types in a Golang binary. | |
| vt.metadata.goresym.summary.num_std_functions | integer | Number of functions from the standard library used by a Golang binary. | |
| vt.metadata.goresym.summary.num_user_functions | integer | Number of user-defined functions in a Golang binary. | |

GTI assessment

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.metadata.gti_assessment.severity.value | string | Severity of the file as assessed by Google Threat Intelligence. One of the values defined in the Google TI assessment severity types table. | vt.metadata.gti_assessment.severity.value == vt.GtiSeverity.SEVERITY_MEDIUM |
| vt.metadata.gti_assessment.threat_score.value | integer | Threat score of the file as assessed by Google Threat Intelligence. This is a value between 1 and 100. | vt.metadata.gti_assessment.threat_score.value > 0 |
| vt.metadata.gti_assessment.verdict.value | string | Verdict on the file as assessed by Google Threat Intelligence. One of the values defined in the Google TI assessment verdicts table. | vt.metadata.gti_assessment.verdict.value == vt.GtiVerdict.VERDICT_SUSPICIOUS |

Submissions

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.metadata.first_submission_date | integer | Date on which the file was submitted to Google Threat Intelligence for the first time, as a UNIX timestamp. | vt.metadata.first_submission_date < 1582934400 // 2020-02-29 |
| vt.metadata.new_file | boolean | True if the file is being submitted to Google Threat Intelligence for the first time. | not vt.metadata.new_file |
| vt.metadata.submitter.city | string | City from which the file was submitted, referring to the last submission. All lowercase. | vt.metadata.submitter.city == "madrid" |
| vt.metadata.submitter.country | string | Country from which the file was submitted, referring to the last submission. This is a two-letter ISO 3166 country code, in uppercase. | vt.metadata.submitter.country == "ES" |
| vt.metadata.times_submitted | integer | Number of times the file has been submitted to Google Threat Intelligence. This is 1 for the first submission. | vt.metadata.times_submitted > 5 |
| vt.metadata.unique_sources | integer | Number of unique sources that have submitted this file. | vt.metadata.unique_sources > 3 |
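The following Livehunt rule is an added illustration, not part of the original documentation, of how the fields above combine with ordinary content patterns: the strings, the 20MB size cut-off, the detection-count window and the signature exclusions are all constructed assumptions chosen for the example.

```yara
import "vt"

rule new_go_pe_with_browser_artifacts_and_low_coverage
{
  meta:
    description = "Illustrative Livehunt rule combining file content with vt.metadata"
    author = "added example, not from the original documentation"

  strings:
    // Constructed content patterns (assumption): names of browser credential stores
    $s1 = "Login Data" ascii wide
    $s2 = "Cookies" ascii wide

  condition:
    // Content part: both patterns must be present in the file body
    all of ($s*)

    // Static characteristics: a Windows PE executable compiled from Go, under 20 MB
    and vt.metadata.file_type == vt.FileType.PE_EXE
    and vt.metadata.goresym.os == "windows"
    and vt.metadata.file_size < 20MB

    // Only the file as submitted, not an unpacked child derived from it
    and not vt.metadata.subfile

    // Low AV coverage so far: at least one engine flags it, but fewer than five
    and vt.metadata.analysis_stats.malicious >= 1
    and vt.metadata.analysis_stats.malicious < 5

    // GTI has not settled on a malicious verdict yet; these are the cases worth a look
    and vt.metadata.gti_assessment.verdict.value == vt.GtiVerdict.VERDICT_SUSPICIOUS

    // Submission context: first sighting, or seen by very few distinct sources
    and (vt.metadata.new_file or vt.metadata.unique_sources <= 2)

    // Skip anything an engine already labels as PUA rather than a trojan
    and not (
      for any engine, signature in vt.metadata.signatures : (
        signature icontains "PUA" or signature icontains "not-a-virus"
      )
    )
}
```

A field that does not exist for a given file (goresym on a binary not built with Go, for instance) evaluates as undefined in YARA, and a comparison against an undefined value is treated as false, so the rule simply fails to match instead of raising an error.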
