In [2]:
import pandas as pd
import pandasql as pdsql
from datetime import datetime
import matplotlib
import matplotlib.pyplot as plt

pysql = lambda q: pdsql.sqldf(q, globals())

data = pd.read_csv('data/amico-export.csv.gz', compression='gzip')
data['date'] = pd.to_datetime(data['date'])
data['vt_query'] = pd.to_datetime(data['vt_query'])

In [3]:
sql_query = """
    SELECT *
    FROM data 
    WHERE host LIKE 'com.%.app' 
        AND type = 'DMG'
    ORDER BY date;
    """

genieo = pysql(sql_query)
print "Number of malicious downloads =", len(genieo)
print "MIN(date) =", min(genieo['date'])
print "MAX(date) =", max(genieo['date'])

Number of malicious downloads = 370
MIN(date) = 2017-01-02 00:00:00.000000
MAX(date) = 2017-12-12 00:00:00.000000


In [4]:
sql_query = """
    SELECT host,
           COUNT(*) AS downloads, 
           COUNT(DISTINCT md5) AS md5s,
           COUNT(DISTINCT server) AS server_IPs
    FROM genieo 
    GROUP BY host
    ORDER BY downloads DESC, md5s DESC;
    """

genieo_stats = pysql(sql_query)
print "Number of host names =", len(genieo_stats)
genieo_stats[:20]

Number of host names = 54


Unnamed: 0,host,downloads,md5s,server_IPs
0,com.smokyashan.app,108,6,3
1,com.javeview.app,28,3,3
2,com.shroomcourt.app,19,11,1
3,com.epolife.app,15,11,3
4,com.manroling.app,14,4,3
5,com.kuklorest.app,13,10,2
6,com.arcahol.app,12,6,1
7,com.jangoram.app,12,6,1
8,com.progressgar.app,10,4,1
9,com.wharkike.app,8,4,1


In [5]:
sql_query = """
    SELECT server,
           COUNT(*) AS downloads, 
           COUNT(DISTINCT md5) AS md5s,
           COUNT(DISTINCT host) AS hosts
    FROM genieo 
    GROUP BY server
    ORDER BY downloads DESC, md5s DESC;
    """

genieo_stats = pysql(sql_query)
genieo_stats

Unnamed: 0,server,downloads,md5s,hosts
0,192.155.106.117,279,135,49
1,45.55.48.222,72,21,18
2,78.138.126.75,19,12,6


In [6]:
sql_query = """
    SELECT max_tavs AS tavs, 
           COUNT(*) AS downloads,
           COUNT(DISTINCT md5) AS md5s,
           AVG(score), MAX(score)
    FROM genieo 
    GROUP BY max_tavs
    ORDER BY max_tavs DESC;
    """

genieo_stats = pysql(sql_query)
genieo_stats

Unnamed: 0,tavs,downloads,md5s,AVG(score),MAX(score)
0,7.0,79,2,0.712291,0.961
1,6.0,20,1,0.755474,0.867
2,5.0,48,12,0.741936,0.983
3,4.0,13,8,0.752923,0.818
4,3.0,43,18,0.623116,0.847
5,2.0,11,4,0.647273,0.864
6,1.0,15,5,0.697667,0.867
7,0.0,5,1,0.4232,0.711
8,,136,113,0.629154,0.923


In [7]:
sql_query = """
    SELECT max_avs AS avs, 
           COUNT(*) AS downloads,
           COUNT(DISTINCT md5) AS md5s,
           AVG(score), MAX(score)
    FROM genieo 
    GROUP BY max_avs
    ORDER BY max_avs DESC;
    """

genieo_stats = pysql(sql_query)
genieo_stats

Unnamed: 0,avs,downloads,md5s,AVG(score),MAX(score)
0,22.0,28,1,0.773714,0.961
1,19.0,51,1,0.678569,0.828
2,17.0,1,1,0.761,0.761
3,16.0,24,4,0.74413,0.867
4,15.0,1,1,0.712,0.712
5,14.0,13,5,0.840538,0.983
6,13.0,5,4,0.639,0.678
7,12.0,5,3,0.681,0.776
8,11.0,27,6,0.722778,0.895
9,10.0,42,12,0.639439,0.878


In [8]:
sql_query = """
    SELECT *
    FROM genieo 
    WHERE max_tavs = 0
    ORDER BY date;
    """

genieo_stats = pysql(sql_query)
genieo_stats

Unnamed: 0,dump_id,date,md5,host,server,type,max_tavs,max_avs,score,vt_query
0,1527097,2017-10-18 00:00:00.000000,f15861f2bf56ce3285ad92ca2875eeed,com.progressgar.app,192.155.106.117,DMG,0.0,0.0,0.711,2017-10-19 00:00:00.000000
1,1532695,2017-10-19 00:00:00.000000,f15861f2bf56ce3285ad92ca2875eeed,com.progressgar.app,192.155.106.117,DMG,0.0,0.0,0.281,2017-10-19 00:00:00.000000
2,1532631,2017-10-19 00:00:00.000000,f15861f2bf56ce3285ad92ca2875eeed,com.progressgar.app,192.155.106.117,DMG,0.0,0.0,0.341,2017-10-19 00:00:00.000000
3,1529739,2017-10-19 00:00:00.000000,f15861f2bf56ce3285ad92ca2875eeed,com.progressgar.app,192.155.106.117,DMG,0.0,0.0,0.582,2017-10-19 00:00:00.000000
4,1533353,2017-10-20 00:00:00.000000,f15861f2bf56ce3285ad92ca2875eeed,com.progressgar.app,192.155.106.117,DMG,0.0,0.0,0.201,2017-10-19 00:00:00.000000


In [9]:
sql_query = """
    SELECT md5, COUNT(*) AS count
    FROM genieo 
    WHERE max_tavs IS NULL
    GROUP BY md5
    ORDER BY count DESC
    """

genieo_stats = pysql(sql_query)
genieo_stats[:10]

Unnamed: 0,md5,count
0,58fe8420f7bd0814f259f34fffa4eabb,4
1,b534bfc11469e3d6e4119fee8bf424b6,4
2,3a6b9d786be810a872eca8142c5238b6,3
3,e8b2192a87966290928bf502d8ede1a6,3
4,0a2ec5928edf4f6f2ec27cfb17fddd77,2
5,1341c8016f10b757c91df16747eb46e6,2
6,24c1ab4d85bf15c0dddf9ba7c4e967d5,2
7,4a9aa73b8bafe0a7f095ad253c9787b0,2
8,4ef73043c9d94f6a7c226801844f2138,2
9,5670e0ebb064ab598baa3d6a32f668e0,2


In [10]:
sql_query = """
    SELECT COUNT(*) AS detected_downloads, 
           COUNT(DISTINCT md5) AS detected_md5s
    FROM genieo 
    WHERE max_tavs IS NULL
        AND score > 0.5
    """

genieo_stats = pysql(sql_query)
genieo_stats

Unnamed: 0,detected_downloads,detected_md5s
0,115,98
