### parseVTRep2CSV Example

Given a directory having virustotal's json report
Output a CSV table of detection name (column: anti-virus engine; row: malware)

In [1]:
import os
import json
import pandas as pd
from numpy import nan as NaN

In [2]:
# input
in_directory = "C:/Users/hsiao/Dropbox/notebook/data/w32_mal_report/"
in_tag = "357"
in_first_seen = True

# output
out_tag = in_tag

# outfiles
out_csvfile = 'output/VTRepo_'+ out_tag + '.csv' # original
out_wn_csvfile = 'output/VTRepo_wn_'+ out_tag + '.csv' # winnowed

In [3]:
# iter the directory
txt_list = next(os.walk(in_directory))[2]
hash_set = set(t.split('.')[0] for t in txt_list)

print("%d TXT files" % len(txt_list))
print("%d hashes" % len(hash_set))

357 TXT files
357 hashes


In [4]:
# find all anti-virus engines and corresponding detection strings

av_set = set() # set of all anti-virus engines
csv_dict = dict()

for h in hash_set:
    # open txt file and load it as json
    with open(os.path.join(in_directory, h + '.txt')) as txt_file:    
        json_report = json.load(txt_file)
        
    # create a dictionary _dict = {engine: "detection_name"}
    _dict = dict()
    for engine in json_report['scans'].keys(): 
        scan_result = json_report['scans'].get(engine)
        if scan_result.get("detected") == True:
            result = scan_result.get("result").encode('ascii', 'ignore')
            result = result.decode("ascii").replace(',', '') # special replacement for csv
            av_set.add(engine)
            
            _dict[engine] = result
    
    # if you don't need first_seen, set in_first_seen as Fasle
    if in_first_seen:
        _dict["first_seen"] = json_report['first_seen']
    
    # attach this dictioary to csv_dict = {hash: _dict}
    csv_dict[h] = _dict

In [5]:
df = pd.DataFrame(csv_dict).T

In [6]:
# You can print the df here
df.head()
#df['AVG']

Unnamed: 0,AVG,AVware,Ad-Aware,AegisLab,Agnitum,AhnLab-V3,AntiVir,Antiy-AVL,Avast,Avira,...,TheHacker,TotalDefense,TrendMicro,TrendMicro-HouseCall,VBA32,VIPRE,ViRobot,Zillya,first_seen,nProtect
0006dfb19193ff5910b3ffc94a29a7f6,MLoader,,,,,Trojan/Win32.Zbot,APPL/Downloader.Gen7,,,,...,,,,,Downware.LMN.gen,Trojan-Downloader.Win32.LoadMoney.u (v),,,2013-11-09 09:14:15,
005528c99846dfd84e7a29ae2cf18fd8,Win32/Heur,Trojan.Win32.Generic.pak!cobra,Gen:Variant.Kazy.307598,,,Trojan/Win32.LoadMoney,,,,,...,,,,,,Trojan.Win32.Generic.pak!cobra,,,2014-07-31 15:40:42,
010ac3a6f8c7dba927a2ca5d91fe224e,,,,,,,,,,,...,,,,,,,,,2014-04-07 12:03:03,
0172fef366185da8add30d714f346a35,,Trojan.Win32.Generic!BT,,,PUA.Soft32Downloader!,,,GrayWare[AdWare:not-a-virus]/Win32.DownloadWare,,APPL/Downloader.Gen,...,,,,,AdWare.DownloadWare.mz,Trojan.Win32.Generic!BT,,,2014-10-17 05:08:22,
0278192ce1aa7f8c4ae746eae73e6475,InstallRex.2ef,WebPI,,,PUA.Downloader!,PUP/Win32.ADownloader,,Trojan[Downloader:not-a-virus]/Win32.AdLoad,Win32:InstalleRex-AI [PUP],Adware/InstallRex.S,...,,,,TROJ_GEN.R047C0FJU14,Downware.TSU,WebPI,,Downloader.Adload.Win32.16910,2014-10-17 05:09:52,Trojan-Clicker/W32.Agent.311920.B


In [7]:
# output
df.to_csv(out_csvfile)

#### Winnowing

In [8]:
# MIKE: 20170731 some hacks for winnowing

In [9]:
# delimiter is used for spliting tokens
import re
delimiter = '\,|!|\(|\)|\[|\]|@|:|/|\.| '

# general_string to remove
general_string = ['win32','trojan','adware','generic','application','variant','downloader','not-a-virus','downware',
                 'unwanted-program','heur','troj','bundler','antifw','riskware','optional','malware','behaveslike',
                 'kcloud','agent','trojandownloader','appl','trojware','installer','trojan-downloader','virus',
                 'backdoor','injector','malware-cryptor','dropper','cryptor','bundleapp','suspicious','antifwk',
                 'adinstaller','crypt','bundleinstaller','xpack', 'hacktool','patcher','troj_gen','grayware',
                 'software','install','click','heuristic','packed','unknown','applicunwnt','dropped','trojan-clicker',
                 'net-worm','monitoringtool','worm','tool','toolbar','eldorado','autorun','hw32', 'trojan-dropper']

# short family strings that should be kept
short_family_string = ['kdz', 'ipz', 'lmn']

import string
def is_hex(s):
    return all(c in string.hexdigits for c in s)

def tk_winnow(t):
    if len(t) <= 3 and t not in short_family_string:
        return None
    elif t in general_string:
        return None
    elif is_hex(t):
        return None
    
    return t

def VT_winnow(s):
    if s is NaN: return NaN
    
    tokens = re.split(delimiter, s.lower())
    ret_tokens = list(filter(lambda x : x if x is not False else True, [tk_winnow(t) for t in tokens]))
    return ret_tokens if len(ret_tokens) != 0 else NaN

In [10]:
df_nw = df.copy().applymap(VT_winnow)

In [11]:
df_nw.head()

Unnamed: 0,AVG,AVware,Ad-Aware,AegisLab,Agnitum,AhnLab-V3,AntiVir,Antiy-AVL,Avast,Avira,...,TheHacker,TotalDefense,TrendMicro,TrendMicro-HouseCall,VBA32,VIPRE,ViRobot,Zillya,first_seen,nProtect
0006dfb19193ff5910b3ffc94a29a7f6,[mloader],,,,,[zbot],[gen7],,,,...,,,,,[lmn],[loadmoney],,,[2013-11-09],
005528c99846dfd84e7a29ae2cf18fd8,,[cobra],[kazy],,,[loadmoney],,,,,...,,,,,,[cobra],,,[2014-07-31],
010ac3a6f8c7dba927a2ca5d91fe224e,,,,,,,,,,,...,,,,,,,,,[2014-04-07],
0172fef366185da8add30d714f346a35,,,,,[soft32downloader],,,[downloadware],,,...,,,,,[downloadware],,,,[2014-10-17],
0278192ce1aa7f8c4ae746eae73e6475,[installrex],[webpi],,,,[adownloader],,[adload],[installerex-ai],[installrex],...,,,,[r047c0fju14],,[webpi],,[adload],[2014-10-17],


In [12]:
# output
df_nw.to_csv(out_wn_csvfile)