Deepviz += python | Deepviz SDK lands on PyPI

Today is another wonderful day here at our office, as it’s finally time to release our Python SDK library to provide users with a quick way to include our Deepviz technologies into already existing projects and platforms.

Since we went live in public beta with Deepviz in the last November, we mainly focused on the infrastructure to make it stable and able to handle peak loads. We are now able to successfully process 150.000 samples / day and the infrastructure is designed to scale as needed – the sky is the limit!

But this is not the only thing we worked on. We have now experimental support for 64bit PE files! You can upload 64bit PE files and they will be processed along with 32bit PE files.

One more thing: we worked hard to cleanup, refactor, optimize our set of REST APIs which allow everyone to quickly interact with Deepviz services and integrate our Threat Intelligence and Malware Analyzer services into existing platforms. Yet it is not enough, we want to make Deepviz integration as straightforward and painless as possible. Today we’re landing on the Python world with our python-deepviz library.

Python-deepviz is a free library released under MIT license and hosted on the PyPi repository. The library is still in beta – more functionalities will be added soon – but it will allow you to easily upload and download samples as well as retrieve analysis reports and, last but not least, play with our threat intelligence platform!

It is as simple as registering a free Deepviz account and installing the library using pip:

 

pip install python-deepviz

 

Once done, and once you have retrieved your API key from your account profile, you’re ready to go! While we’re in beta, all API keys have unlimited access to Threat Intel APIs, unlimited access to Sandbox analysis reports APIs, 500 sample submissions and 20 sample downloads per month.

Below are some examples of what you can do with our python SDK.

  • Upload a sample and wait for the scan to complete, then retrieve the report analysis:

from deepviz import sandbox
import hashlib
import time

API = "0000000000000";
sbx = sandbox.Sandbox()

_hash = hashlib.md5(open("malware.exe", 'rb').read()).hexdigest()

sbx.upload_sample(path="malware.exe", api_key=API)
result = sbx.sample_result(md5=_hash, api_key=API)

if result.status != 'success':
    print result.msg
else:
    while "No result found" in result.msg:
        print "not ready"
        time.sleep(30)
        result = sbx.sample_result(md5=_hash, api_key=API)

    print "Detection: %s" % result.msg['classification']['result']
    print "Accuracy:  %s" % result.msg['classification']['accuracy']

 

  • Or you may want to retrieve our full scan report:

from deepviz import sandbox

API = "0000000000000"

sbx = sandbox.Sandbox()
result = sbx.sample_report(md5="00000000000000000000000000000000",
                           api_key=API)
f = open("report.txt", "wb")
f.write(str(result.msg))
f.close()

 

  • But you can also download parts of the report, in this case you can use our filters:
"network_ip",
"network_ip_tcp",
"network_ip_udp",
"rules",
"classification",
"created_process",
"hook_usermode",
"strings",
"created_files",
"hash",
"info",
"code_injection"

And run the following query (just an example if we want to retrieve rules matched, network connections and classification):


API = "0000000000000"
sbx = sandbox.Sandbox()

_hash = "00000000000000000000000000"
result = sbx.sample_report(md5=_hash,
                           api_key=API,
                           filters=["rules", "network_ip", "classification"])
print result.msg

returning

{
	u'rules': [u'dropExe',
	u'badConnection',
	u'badIpUrlInStrings',
	u'dropDll',
	u'runDroppedExe',
	u'loadDll',
	u'loadImage',
	u'invalidPEChecksum',
	u'IESettings'],
	u'network_ip': {
		u'UDP': [],
		u'TCP': [u'183.61.19.194',
		u'42.120.226.92']
	},
	u'classification': {
		u'result': u'Malware',
		u'accuracy': 95.5
	}
}

About our Threat Intelligence SDK, you can query our database for domains, IP data as well as run generic and more detailed searches.

  • Let’s retrieve details for a specific IP and a specific domain:

 


from deepviz import intel
ThreatIntel = intel.Intel()
result = ThreatIntel.ip_info(api_key=API, ip=["1.22.28.94", "1.23.214.1"])
print result.msg


from deepviz import intel
ThreatIntel = intel.Intel()
result = ThreatIntel.domain_info(api_key=API, domain=["google.com"])
print result

 

  • However you can also retrieve the new domains registered in a specific time window and used by malware (in the last 3 days, in the following scenario):

from deepviz import intel
ThreatIntel = intel.Intel()
result = ThreatIntel.domain_info(api_key=API, time_delta="3d")

for domain in result.msg:
    print domain

giving back the following result:

avsystemcare.com
nlj.vc
ypx.uz
xgrhuccfyyyv.com
qbc.vc

 

  • You can also run a generic search based on strings, to retrieve all samples, IPs, domains related to a specific keyword:

from deepviz import intel
ThreatIntel = intel.Intel()
# Let's retrieve only 5 elements per category instead of all of them
result = ThreatIntel.search(api_key=API,
                            search_string="justfacebook.net",
                            start_offset=0, elements=5)
print result.msg

This results in:

{
	u'IP': [],
	u'MD5': [u'de14ac3e52078cc63d0cf565eda8e9ef',
	u'b1300a5a9967a36e33642be94a907679',
	u'4989f1a03b87890ac9378453cae841cb',
	u'8cc5eec871cf13ff815c9e6731b16874',
	u'a2a848fe914fd99b5d4da9cd5fed6b5f'],
	u'TLD': [u'net.net',
	u'thoughtarticle.net',
	u'justfacebook.net',
	u'memberarticle.net',
	u'stickagree.net']
}

 

  • Or let’s run an advanced search using parameters! Let’s search all samples connecting to the domain justfacebook[.]net and determined by our Malware Analyzer as malicious:

from deepviz import intel
ThreatIntel = intel.Intel()
ThreatIntel.advanced_search(api_key=API,
                            domain=["justfacebook.net"],
                            classification="M")
print result.msg

These are just quick examples about how you can use our Deepviz APIs. A more complete and complex example is the following:

  • let’s retrieve all domains registered in the last 7 days, then for each one of them let’s retrieve all the samples’s MD5s connecting to them and for each sample retrieve the matched behavioral rules:

from deepviz import intel, sandbox
API="0000000000"
ThreatIntel = intel.Intel()
ThreatSbx = sandbox.Sandbox()
result_domains = ThreatIntel.domain_info(api_key=API, time_delta="7d")
domains = result_domains.msg
for domain in domains.keys():
    result_listsamples = ThreatIntel.advanced_search(api_key=API, domain=[domain], classification="M")
    if isinstance(result_listsamples.msg, list):
        if len(domains[domain]['tag']):
            print "DOMAIN: %s ==> %s samples [TAG: %s]" % (domain, len(result_listsamples.msg), ", ".join((tag['key'] for tag in domains[domain]['tag'])))
        else:
            print "DOMAIN: %s ==> %s samples" % (domain, len(result_listsamples.msg))
        for sample in result_listsamples.msg:
            result_report = ThreatSbx.sample_report(md5=sample, api_key=API, filters=["rules"])
            print "%s => [%s]" % (sample, ", ".join((rule for rule in result_report.msg['rules'])))
    else:
        print "DOMAIN: %s ==> No samples found" % domain

this will return:

DOMAIN: ypx.uz ==> 1 samples [TAG: adware.downware, kazy]
a971afcbb74c30dd2d5832523c9d795f => [recentlyRegisteredDomainStrings, unknownHook, loadDll, dropDll, suspiciousSectionName, highEntropy, antiDebugging, invalidSizeOfCode, antiVM, invalidPEChecksum, sleep, IESettings]

DOMAIN: qbc.vc ==> 1 samples
2d711a1d8f25fb40120ceb38f4d41a98 => [recentlyRegisteredDomainStrings, suspiciousSectionName, highEntropy, antiDebugging, invalidSizeOfCode, antiVM, epLastSection, writeExeSections]

DOMAIN: avsystemcare.com ==> 8 samples [TAG: trojan.qhost, trojan.rbot, trojan.noupd]
000dde6029443950c8553469887eef9e => [badIpUrlInStrings, suspiciousSectionName, highEntropy, invalidSizeOfCode, invalidPEChecksum, writeExeSections]
aba074b2373e8ea5661fdafb159c263a => [epOutOfSections, badIpUrlInStrings, invalidSizeOfCode, invalidPEChecksum, epLastSection, writeExeSections]

With this blog post we wanted to provide you with some introduction to the library, so that you can start playing with it and transform your Deepviz experience in a yet more productive and efficient experience. Please note that the Python SDK as well as the APIs are still in beta and we’re working hard to make them even better and with better performance.

Now it’s up to you: try it out, play around and let us know your feedback through our Support PageAnd, of course, keep an eye open here on our blog post and our Twitter channel …more cool stuff is on its way 🙂