Skip to content

Xen0ph0n/malwarehouse

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Malwarehouse is a warehouse for your malware. Malwarehouse is a useful command line utility for storing, tagging, storing, and searching for malware. This is intended to help analyst manage their workflow by conducting basic triage and making it easy to look up past samples.

Requirements

  • Python 2.7

Authors

License

See LICENSE for more information

Thanks

  • Jonathan Hencinski
  • Chris St.Myers

Xen0ph0ns Fork of Malwarehouse below this point: Let me know if stuff is broken chris@xenosec.org

New Requirements (Each Optional and Can Be Disabled)

  • ssdeep / pydeep
  • exiftool / pyexiftool
  • yara / python yara
  • VirusTotal API (Free is fine)

New Features

  • Moved directory settings / VT API Key / Yara Rule File Settings to malwarehouse.cfg
  • Added SSdeep Fuzzy Hashing
  • Added Extraction and Search Feature for Metadata
  • Added Full File Yara Scanning and Search Feature
  • Added VirusTotal Hit Ratio / Scan Date Lookup (can do much better stuff with a paid API)
  • Increased breadth of sample search to cover Tags / Source / Name (No longer needs exact match)
  • Redid other various things to make the above happy...

Instructions for set up

Install the prereqs.. then edit the following to the malwarehouse.cfg file:

#Config File for Malwarehouse
#Turn on or off options here
[options]
vtcheck: Off
metadata: On
yara: On
ssdeep: On

[settings]
#This is where you want the malware and DB to live
basedir: /Path/to/Malwarehouse/MWH/
#This is the path to your yara rules file full path please.
yararules: /Path/To/yararules/yararules.yar
#This is your free virus total API, max lookups is 4 per minute IIRC. Make a VT Account then click Profile API in the upper right corner, it's free. 
vtapikey: VTAPI KEY GOES HERE

Usage

Usage: malwarehouse.py [options] filepath

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -s SOURCE, --source=SOURCE
                        Source of file
  -t TAGS, --tags=TAGS  Any characteristics of the malware
  -n NOTES, --notes=NOTES
                        Notes about file
  -f FIND, --find=FIND  Find a sample by name, tags, source, md5, or sha256
  -m MFIND, --metadata=MFIND
                        Find a sample by searching Extracted Metadata
  -y YFIND, --yara=YFIND
                        Find a sample by searching Yara Matches
  -r QUANTITY, --recent=QUANTITY
                        Find the most recent # samples

Example Query Result

Results for "Virus Total Intel API":

-> record.doc (2568615875525003688839cb8950aeae) Source: Virus Total Intel API 
   VirusTotal: 25/45 on 2013-02-13 01:25:41  Tags: Document Carrier File, Flash 0 Day, poop 
   Notes: Found on OSI, targeted defense first, january 
   Yara: [TestYara_Hit, TestYara_HitNumber2, More_Of_Yara]
   -> Sample Location: /Users/cclark/Desktop/MWH/26fae6918bb8c9e48fda95b96accf3fb0145183055dfba917bb3b6de84c7f7a7

-> 3a861b8526e397b3684a99f363ec145b-cupsd (3a861b8526e397b3684a99f363ec145b) Source: Virus Total Intel API 
   VirusTotal: 10/46 on 2013-02-21 06:22:37  Tags: OSX, Plist, Facebook, WateringHole 
   Notes: OSX Malware from FB/Twitter/Apple Pop referenced on PasteBin
   Yara: [TestYara_Hit] 
   -> Sample Location: /Users/cclark/Desktop/MWH/a610bb3396a2eb6186a135de5d0a5d29e16525fb7c069e853d0ce2bb90ca4921 

Example Output Per File

datetime:      2013-02-24 14:49:30.553211
name:          record.doc
source:        Virus Total Intel API
tags:          Document Carrier File, Flash 0 Day
notes:         Published on Contagio, targeted DIB first, january
mimetype:      application/msword
size:          563200
md5:           2568615875525003688839cb8950aeae
sha256:        26fae6918bb8c9e48fda95b96accf3fb0145183055dfba917bb3b6de84c7f7a7
ssdeep:        3072:jXkvs80OQiRNfzaR8Yun8ZzTVedcnR6BY2LT+MAAKxrYzaR8Yun8ZzTVedcn9VW1:jks8vzaRLaod0Y2LTpAazaRLaodDV0
virustotal:    25/45 on 2013-02-13 01:25:41
yara:          [TestYara_Hit, TestYara_HitNumber2, More_Of_Yara]
metadata:            
		Subject: 
		ScaleCrop: 0
		FileAccessDate: 2013:02:24 16:59:17-05:00
		CompObjUserTypeLen: 35
		Words: 821
		FileModifyDate: 2013:02:24 16:59:17-05:00
		TotalEditTime: 0
		Security: 0
		Characters: 4683
		HyperlinksChanged: 0
		FileSize: 563200
		Template: Normal.dotm
		Hyperlinks: [u'https://portal.adp.com/']
		AppVersion: 12.0
		Paragraphs: 10
		Lines: 39
		FileType: DOC
		FileName: record.doc
		Keywords: 
		SharedDoc: 0
		CharCountWithSpaces: 5494
		CreateDate: 2013:02:05 09:36:00
		Pages: 1
		RevisionNumber: 2
		Author: Admin
		Company:  
		CodePage: 936
		FileInodeChangeDate: 2013:02:24 16:59:17-05:00
		Software: Microsoft Office Word
		LinksUpToDate: 0
		ModifyDate: 2013:02:05 09:36:00
		Title: 
		LastModifiedBy: smith

About

A warehouse for your malware

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%