Malwarehouse is a warehouse for your malware. Malwarehouse is a command line utility for storing, tagging, and searching malware samples. It is intended to help analysts manage their workflow by conducting basic triage and making it easy to look up past samples.
Requirements:
- Python 2.7

Author:
- Scott J Roberts - @sroberts

License: See LICENSE for more information

Contributors:
- Jonathan Hencinski
- Chris St.Myers
Xen0ph0n's fork of Malwarehouse is described below this point. Let me know if stuff is broken: chris@xenosec.org
Additional requirements for this fork:
- ssdeep / pydeep
- exiftool / pyexiftool
- yara / python yara bindings
- VirusTotal API key (free is fine)
Changes in this fork:
- Moved directory settings, VT API key and Yara rule file settings to malwarehouse.cfg
- Added ssdeep fuzzy hashing
- Added extraction and search feature for metadata
- Added full-file Yara scanning and search feature
- Added VirusTotal hit ratio / scan date lookup (much more is possible with a paid API)
- Increased breadth of sample search to cover tags / source / name (no longer needs an exact match)
- Redid various other things to make the above work
Install the prerequisites, then edit the following settings in the malwarehouse.cfg file:

```ini
# Config file for Malwarehouse
# Turn options on or off here
[options]
vtcheck: Off
metadata: On
yara: On
ssdeep: On

[settings]
# This is where you want the malware and the DB to live
basedir: /Path/to/Malwarehouse/MWH/
# This is the full path to your yara rules file
yararules: /Path/To/yararules/yararules.yar
# This is your free VirusTotal API key; max lookups is 4 per minute IIRC. Make a VT account, then click Profile > API in the upper right corner; it's free.
vtapikey: VTAPI KEY GOES HERE
```
```
Usage: malwarehouse.py [options] filepath

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -s SOURCE, --source=SOURCE
                        Source of file
  -t TAGS, --tags=TAGS  Any characteristics of the malware
  -n NOTES, --notes=NOTES
                        Notes about file
  -f FIND, --find=FIND  Find a sample by name, tags, source, md5, or sha256
  -m MFIND, --metadata=MFIND
                        Find a sample by searching extracted metadata
  -y YFIND, --yara=YFIND
                        Find a sample by searching Yara matches
  -r QUANTITY, --recent=QUANTITY
                        Find the most recent # samples
```
Example search output:

```
Results for "Virus Total Intel API":
-> record.doc (2568615875525003688839cb8950aeae) Source: Virus Total Intel API
   VirusTotal: 25/45 on 2013-02-13 01:25:41 Tags: Document Carrier File, Flash 0 Day, poop
   Notes: Found on OSI, targeted defense first, january
   Yara: [TestYara_Hit, TestYara_HitNumber2, More_Of_Yara]
-> Sample Location: /Users/cclark/Desktop/MWH/26fae6918bb8c9e48fda95b96accf3fb0145183055dfba917bb3b6de84c7f7a7
-> 3a861b8526e397b3684a99f363ec145b-cupsd (3a861b8526e397b3684a99f363ec145b) Source: Virus Total Intel API
   VirusTotal: 10/46 on 2013-02-21 06:22:37 Tags: OSX, Plist, Facebook, WateringHole
   Notes: OSX Malware from FB/Twitter/Apple Pop referenced on PasteBin
   Yara: [TestYara_Hit]
-> Sample Location: /Users/cclark/Desktop/MWH/a610bb3396a2eb6186a135de5d0a5d29e16525fb7c069e853d0ce2bb90ca4921
```
Example stored record:

```
datetime: 2013-02-24 14:49:30.553211
name: record.doc
source: Virus Total Intel API
tags: Document Carrier File, Flash 0 Day
notes: Published on Contagio, targeted DIB first, january
mimetype: application/msword
size: 563200
md5: 2568615875525003688839cb8950aeae
sha256: 26fae6918bb8c9e48fda95b96accf3fb0145183055dfba917bb3b6de84c7f7a7
ssdeep: 3072:jXkvs80OQiRNfzaR8Yun8ZzTVedcnR6BY2LT+MAAKxrYzaR8Yun8ZzTVedcn9VW1:jks8vzaRLaod0Y2LTpAazaRLaodDV0
virustotal: 25/45 on 2013-02-13 01:25:41
yara: [TestYara_Hit, TestYara_HitNumber2, More_Of_Yara]
metadata:
    Subject:
    ScaleCrop: 0
    FileAccessDate: 2013:02:24 16:59:17-05:00
    CompObjUserTypeLen: 35
    Words: 821
    FileModifyDate: 2013:02:24 16:59:17-05:00
    TotalEditTime: 0
    Security: 0
    Characters: 4683
    HyperlinksChanged: 0
    FileSize: 563200
    Template: Normal.dotm
    Hyperlinks: [u'https://portal.adp.com/']
    AppVersion: 12.0
    Paragraphs: 10
    Lines: 39
    FileType: DOC
    FileName: record.doc
    Keywords:
    SharedDoc: 0
    CharCountWithSpaces: 5494
    CreateDate: 2013:02:05 09:36:00
    Pages: 1
    RevisionNumber: 2
    Author: Admin
    Company:
    CodePage: 936
    FileInodeChangeDate: 2013:02:24 16:59:17-05:00
    Software: Microsoft Office Word
    LinksUpToDate: 0
    ModifyDate: 2013:02:05 09:36:00
    Title:
    LastModifiedBy: smith
```
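As an added example (not Malwarehouse's own code), the following shows how the config above is read, how the hash fields of a stored record are derived with the sample placed under its sha256 in `basedir`, and how the fork's broadened `-f` search matches a substring across name, tags, source, md5 and sha256. It assumes Python 3 (the project itself targets 2.7) and leaves out the ssdeep, exiftool, yara and VirusTotal steps; the config text and sample bytes are constructed.

```python
import hashlib
import configparser  # malwarehouse.cfg is INI-style "key: value", which ConfigParser reads
from datetime import datetime

# Constructed config fragment mirroring the [options]/[settings] layout of malwarehouse.cfg.
SAMPLE_CFG = """
[options]
vtcheck: Off
metadata: On
yara: On
ssdeep: On
[settings]
basedir: /tmp/MWH/
"""

def load_config(text):
    """Return ({option: bool}, basedir); getboolean understands the On/Off values."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    options = {k: cp.getboolean("options", k) for k in cp["options"]}
    return options, cp.get("settings", "basedir")

def build_record(name, data, basedir, source="", tags="", notes=""):
    """Hash-based fields of a record; the sample file is stored at basedir/<sha256>."""
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "datetime": datetime.now().strftime("%Y-%m-%d %H:%M:%S.%f"),
        "name": name, "source": source,
        "tags": [t.strip() for t in tags.split(",") if t.strip()],
        "notes": notes, "size": len(data),
        "md5": hashlib.md5(data).hexdigest(), "sha256": sha256,
        "location": basedir.rstrip("/") + "/" + sha256,
    }

def find(records, needle):
    """Fork behaviour of -f: case-insensitive substring match, no exact match needed."""
    n = needle.lower()
    return [r for r in records
            if any(n in f.lower() for f in [r["name"], r["source"], r["md5"], r["sha256"]] + r["tags"])]

if __name__ == "__main__":
    opts, basedir = load_config(SAMPLE_CFG)
    # Constructed sample bytes standing in for real files.
    db = [build_record("record.doc", b"constructed doc bytes", basedir,
                       source="Virus Total Intel API", tags="Document Carrier File, Flash 0 Day"),
          build_record("cupsd", b"constructed mach-o bytes", basedir, source="PasteBin", tags="OSX, Plist")]
    for hit in find(db, "flash"):
        print(hit["name"], hit["md5"], "->", hit["location"])
```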