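# Print the filesystem API calls recorded in a VirusTotal sandbox behaviour
# report for a single sample, identified by the hash given on the command line.
#
# Sample hashes can be found on VirusTotal with a search query such as:
# >>> {RANSOMWARE_FAMILY} and sandbox_name:virustotal_cuckoofork and engines:ransom
import os
import sys

import requests

if len(sys.argv) != 2:
    print(f"usage: {sys.argv[0]} <sample_hash>  (by aaaddress1)\n")
    sys.exit(-1)

url = 'https://www.virustotal.com/vtapi/v2/file/behaviour'

# Prefer a key taken from the environment so the secret does not live in the
# source file or its version history. VT_API_KEY is this script's own variable
# name; if it is unset, the original edit-in-place placeholder is used.
api_key = os.environ.get('VT_API_KEY', '{YOUR_VT_KEY}')

# NOTE: the key is sent as a query-string parameter, so it can show up in
# proxy logs and in any error text that echoes the full request URL.
params = {'apikey': api_key, 'hash': sys.argv[1]}

try:
    # A timeout keeps the script from hanging forever on a stalled connection.
    response = requests.get(url, params=params, timeout=30)
except requests.RequestException as err:
    # Report only the exception class: the exception message may embed the
    # request URL, which contains the API key.
    print(f"request failed: {type(err).__name__}", file=sys.stderr)
    sys.exit(1)

try:
    jSandbox = response.json()
except ValueError:
    # An empty or non-JSON body cannot be parsed as a report; show the HTTP
    # status instead of an unhandled traceback.
    print(
        f"unexpected non-JSON response (HTTP {response.status_code})",
        file=sys.stderr,
    )
    sys.exit(1)

try:
    for currProcInfo in jSandbox['behavior']['processes']:
        for eCall in currProcInfo['calls']:
            if eCall['category'] != 'filesystem':
                continue
            # Argument values describe what the analysed sample did and are
            # untrusted data: treat the printed lines as text only.
            callArgs = [str(a['value']) for a in eCall['arguments']]
            print(f"{eCall['api']}({', '.join(callArgs)})")
except (KeyError, TypeError):
    # The JSON does not have the expected report layout (for example an error
    # or "not found" answer); dump it so the operator can see what came back.
    print(jSandbox)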