malwarehunter's Introduction

MalwareHunter

What is MalwareHunter

In three words, MalwareHunter is a malware analysis application. What does that mean? It simply means that you can throw any suspicious file at it and it will provide you back some static information as well as a detailed results outlining what such file did when executed inside an isolated environment..

Install Requirements

Install the latest version of VirtualBox

$ sudo apt-get install virtualbox virtualbox-guest-additions

Create a VM running Windows, named 'winxp'
Create a read-only shared folder (You can do this using the VirtualBox GUI interface).

$ VBoxManage sharedfolder add “winxp” \
--name “malware” \
--hostpath “/Users/<user>/Desktop/vbox/malware” \
--readonly

Map the shared folder to a drive, Log on to the VM and add a static mapping to associate the shared folder with a drive letter.

C:\> net use X: \\vboxsvr\malware /PERSISTENT:YES

Take a snapshot

$ VBoxManage snapshot “winxp” take “cleanimg”

Install Volatility

$ svn checkout http://volatility.googlecode.com/svn/trunk Volatility

Install Snort, Inetsim and tshark

$ apt-get install snort inetsim tshark

Install and Run

$ git clone https://github.com/abdesslem/malwareHunter.git
$ cd malwareHunter

Run the tools in command line or web application

$ python main.py or python mainGui.py

Purpose

The purpose of the malwareHunter is to determine:

Static information (packers, strings, URL,...)
The nature and purpose of the malware
Interaction with file system
Interaction with the registry
Interaction with the network

And these functionalities are achieved as follow:

Takes sample as input
Perform statis analysis
Reverts VM to clean snapshot
Starts the VM
Transfers the malware to VM
Runs the monitorings tools
Executes the malware for the specified time
Stops the monitorings tools
Suspends The VM
Acquires the memory image
Performs memory analysis using Volatility framework
Stores the results (Final reports, pcaps and malicious artifacts for later analysis)

Components

Modules

To get some information about the file, such as URL, strings, packers, anti-debug ... we used the peframe modules. This directory contain the code responsible for the static analysis.

Web

The project's web interface is built with Bottle. Bottle is a fast, simple and lightweight WSGI micro web-framework for Python. It isdistributed as a single file module and has no dependencies other than the Python Standard Library.

Sandbox

To be able to collect valuable data, it's important to run the sample in an isolated environement and automate the process of dynamic analysis.

malwarehunter's People

Contributors

Stargazers

Watchers

malwarehunter's Issues

Not able to run automated dynamic analysis.

I am getting this error whenever I am trying to run the sandbox.

Executing '\vboxsvr\malware\lsmkk2.exe' with args ''
[INFO] If this set fails, set up autologin for your user.
XPCOM component '' has no attribute 'executeProcess'

Can you help me with this issue?

Thanks in advance.

Check the file format ( PE )

Static>> peid
Traceback (most recent call last):
File "main.py", line 75, in
static(filename)
File "main.py", line 56, in static
peframe.analyse(filename,"--peid")
File "/home/ask3m/malwareAnalysis/malwareHunter/peframe.py", line 388, in analyse
show_packer(filename)
File "/home/ask3m/malwareAnalysis/malwareHunter/peframe.py", line 73, in show_packer
peid = pecore.check_peid(filename)
File "modules/pecore.py", line 168, in check_peid
pe = pefile.PE(filename)
File "modules/pefile.py", line 1754, in init
self.parse(name, data, fast_load)
File "modules/pefile.py", line 1826, in parse
raise PEFormatError('DOS Header magic not found.')
pefile.PEFormatError: 'DOS Header magic not found.'

abdesslem / malwarehunter Goto Github PK