
MalwareCMDMonitor

Shows command lines used by latest instances analyzed on Hybrid-Analysis

Install / Use

/learn @DissectMalware/MalwareCMDMonitor
About this skill

Quality Score

0/100

Supported Platforms

Zed

README

Introduction

With this Python script, you can observe the command lines of the latest malware samples executed in the hybrid-analysis.com sandbox. In a nutshell, it downloads the Hybrid Analysis (HA) feed and then retrieves the command lines of unseen instances, i.e. those that did not appear in previously retrieved feeds.

Requirements

You need Python 3 on your system. To install the required Python libraries, run:

pip install -r requirements.txt

Running the script

To run the script once:

python hybrid_analysis.py

To run the script on a regular basis instead, use the --daemon (or -d for short) switch:

python hybrid_analysis.py --daemon

The above command retrieves the feed every hour. To change the interval, use --cycle (or -c) and specify the number of minutes the script waits before retrieving the feed again:

python hybrid_analysis.py --daemon --cycle 120

In the above example, the script sleeps for 2 hours between feed retrievals. You can also use --outputdir (or -o) to specify the directory in which to store the results; output.log will be generated in that directory. By default, the output is written to the console:

python hybrid_analysis.py --daemon --cycle 120 --outputdir "c:\test"

To save the output as an HTML document:

python hybrid_analysis.py --type html --outputdir test

The generated HTML documents and all related files are stored in the specified output directory. Last but not least, you can list all the switches with --help (or -h):

python hybrid_analysis.py -h
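The core of the behaviour described above is the diff against earlier feeds: an instance is reported only the first time its hash appears. The following is an added illustration of that logic, not code from the MalwareCMDMonitor project; the feed entries are constructed, and the field names "sha256" and "command_line" are assumptions rather than the real Hybrid Analysis feed schema.

```python
import json
import os

# Constructed sample feeds standing in for two consecutive downloads of the
# feed. The keys "sha256" and "command_line" are assumptions for this example,
# not the real Hybrid Analysis feed schema.
SAMPLE_FEEDS = [
    [{"sha256": "11" * 32, "command_line": "cmd.exe /c echo first"},
     {"sha256": "22" * 32, "command_line": "powershell.exe -File update.ps1"}],
    [{"sha256": "22" * 32, "command_line": "powershell.exe -File update.ps1"},
     {"sha256": "33" * 32, "command_line": "rundll32.exe sample.dll,Start"}],
]

def load_seen(state_path):
    """Hashes recorded by earlier runs; empty on the very first run."""
    if not os.path.exists(state_path):
        return set()
    with open(state_path) as fh:
        return set(json.load(fh))

def new_commands(feed, seen):
    """Return (sha256, command_line) for entries not in `seen`, marking them seen."""
    fresh = []
    for entry in feed:
        if entry["sha256"] not in seen:
            seen.add(entry["sha256"])
            fresh.append((entry["sha256"], entry["command_line"]))
    return fresh

def process_feed(feed, state_path, outputdir=None):
    """One retrieval cycle: diff the feed against stored state, persist, emit."""
    seen = load_seen(state_path)
    fresh = new_commands(feed, seen)
    with open(state_path, "w") as fh:
        json.dump(sorted(seen), fh)  # state survives across runs and daemon cycles
    lines = [f"{sha[:12]}  {cmd}" for sha, cmd in fresh]
    if outputdir:  # like --outputdir: append to output.log instead of the console
        os.makedirs(outputdir, exist_ok=True)
        with open(os.path.join(outputdir, "output.log"), "a") as fh:
            fh.write("\n".join(lines) + "\n")
    else:
        print("\n".join(lines))
    return fresh

if __name__ == "__main__":
    # The second round reports only the rundll32 entry; the other hash was already seen.
    for feed in SAMPLE_FEEDS:
        process_feed(feed, "seen_state.json")
```

In daemon mode the real script repeats such a cycle every --cycle minutes; here the two constructed feeds stand in for two consecutive downloads.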
View on GitHub
GitHub Stars: 43
Category: Education
Updated: 1mo ago
Forks: 16

Languages

Python

Security Score

95/100

Audited on Feb 14, 2026

No findings