VirusTotal Graph is a visualization tool built on top of VirusTotal data set. It understands the relationship between files, urls, domains and ip addresses and it provides an easy interface to pivot and navigate over them.
Files Tutorial 1 - https://youtu.be/QEqHXU04IkI
Domain Tutorial 2 - https://youtu.be/xe2busIlkP4
Here are the key elements of the VirusTotal Graph UI
1) Search box. VirusTotal Graph allows you to initiate an investigation using a file/url/domain/ip address as a starting point. If you have more than one IOC and you wish to perform an investigation using all of them you can also do so by pasting them in the search box, check "Multi-entity search" section for more information.
2) Node summary section. It summarizes the more relevant information about a particular entity.
3) Node expansion section. Graph investigations are useful because it allows to correlate information from more than one entity. We expand the graph by adding new nodes that are connected to the nodes/entities we know. This section shows the available expansions for the selected node; by clicking on them, it will expand the connections. In the case of the screenshot, we could expand the "Network location" of the url that is currently selected and it will generate "1" new node.
4) Node action menu. It contains the actions that can be perform on a node. A detailed description of each of them can be found in the "Action" section.
5) Detection dropdown. It shows the number of AV detections versus total number of engines. The individual detections per engine are available after clicking in the arrow.
6) Zoom in/out buttons.
7) Node list. It shows the list of all nodes in the panel. It also allows to center the graph to any given node or to delete it.
8) Save the graph. It saves the current representation of the graph, maintaining also the position of the nodes. The generated permalink can be shared publicly and it will be immutable. If somebody access the tool and it modifies it, the modifications will not be visible in the original graph. The modified graph can be saved and a new permalink will be generated.
The information of the nodes in the graph will be fetched live every time the graph is loaded. This assures that we display the latest information for the entities in the graph.
The tab url also gets updated when clicking in the save button.
9) Help. It opens this documentation.
10) API requests counter. It displays the number of API requests that were sent in the current investigation.
Each node in the graph represents an entity. There are 5 entity types.
- Files are represented as a rectangular shape with a representation of the file type inside.
- Domains are represented by this icon.
- Urls are represented by this icon.
- Ip Addresses are represented using the flag for its country. If we can't detect the country from which the ip address is from, we'll represent it as a black rectangle.
- Relationship nodes are represented with a circle containing a representative icon inside. For example if there is a connection of contacted ip between hash abcde1234 and ip address 188.8.131.52 the representation will be this.
If a more than one ip address was related to "abcde1234" file, it'll be represented as this:
Color coding of nodes and edges
We use color coding to represent extra information about the nodes and their connections. VirusTotal contains verdicts for files and urls, we use the color red to represent files/urls which have more than 3 detections. We use the color black otherwise (less than 3 detections). We use the color blue to represent when a node is selected, the edges of their direct connections are also represented in blue.
Nodes that has not been expanded yet are represented with a grey circle as background.
Double clicking on the "Unexpanded node" will automatically trigger an auto-expansion on that node.
These are the actions which can be perform in the node of type file/url/domain/ip address.
- Add new node: it opens a new panel which guides you to add a node connected to the selected node:
Links connecting nodes that have been manually added are represented with a dotted line.
- Add/Del label: it allows to add a label next to the node in the graph. This is particularly useful for big graphs. By default the initial node will be labelled as "Root node". To delete the label simply leave the text box empty.
- Full expansion: it expands by all the available expansions for the selected node. It performs the same action as clicking individually in each expansion in the expansion section. By default the first node in the investigation will be expanded using all their available expansions.
- Delete node: it removes the node and their edges from the graph.
- Pin node: it removes the animation or gravity from the graph. By defaults the nodes can be dragged but they'll return to an stable graph representation after the click. When we pin the node, it will stick to the position where we drag it. If we want the node to recover their default behavior we can "remove pin" from the node.
- Highlight: big graphs contains a lot of nodes and edges and they are complicated to understand. To help with this problem we can highlight a node, this will hide the nodes that are not directly connected to the highlighted node. You can remove the highlight by clicking somewhere else in the graph.
- Public report: it opens VirusTotal public report for the selected entity.
- VT Intelligence: it opens VirusTotal Intelligence report for the selected entity.
These are the actions that can be performed in the relationship nodes.
- Download CSV. It opens a menu with all the entity ids of the children of this relationship node.
- Expand 5 child nodes. Sometimes we'll want to quickly expand the graph in each possible expansion. We can go one node at a time and "Full expand" it. If we want to move faster we can use this action in the relationship node. It will "Full expand" 5 child nodes at a time. We only expand 5 at a time because some expansions will generate dozens of new nodes and it will be complicated to keep track of where the new nodes are coming from.
- More XXX. Each relationship node represents the connection between the root node and the children of that relations. We only explore up to 20 child nodes at a time, to get more child nodes you can double click on the relationship node or you can click on the "More XXX" button in the side panel.
- Delete nodes deletes all the child nodes that don't have any other connection to another node and the relationship node itself.
When right clicking over a node the context menu shows up. You get quick access to the actions that can be performed in a node.
You can close the context menu by clicking outside the menu.
By hovering over the nodes in the graph we can see a snippet with relevant information about a each node.
For more detailed information you can click in the node, this will trigger the left side panel to display extra information for it.
You can select multiple nodes at the same time to perform an action on them like remove the nodes, pin the nodes, download CSV, …
There are two ways you can select multiple nodes, the first one is by clicking and pressing the Shift key in your keyboard. The selected nodes will appear in blue color.
As you can see in the previous image, a few domain nodes are selected and the left panel gets updated with their information.
The second way to select multiple items is by using the drag select functionality, to enable drag select right click somewhere in the graph to get the following context menu:
Now click and drag the mouse to select multiple nodes at the same time. The left menu also gets updated in real time with the information of the selected nodes.
When you want to perform a search for multiple items (e.g. to see if they are connected through some intermediate node), add the entities one by one and click in the plus button so they are added to the search box.
And click on the magnifying glass button when you are done.
Alternatively, add all the entity ids to the search box (in CSV format) and click on the magnifying glass button.
The entities for which VirusTotal have information will be added to the graph along with a label with the node number. Example searching for "https://virustotal.com" and "80.190.148[.]70":
You can see the node with label "Node 0" this correspond to "https://virustotal.com", "Node 1" correspond to the ip "80.190.148[.]70". If we expand a few nodes in each side we come to this graph.
- Node 0 (https://virustotal.com) is connected to Hop 1
- Hop 1 is connected to Hop 2
- Hop 2 is connected to Node 1 ("80.190.148[.]70")
We have found the connection through two intermediate nodes.