
pombredanne / malice-shadow-server


This project forked from malice-plugins/shadow-server


Malice ShadowServer Hash Lookup Plugin

License: MIT License

Go 100.00%


malice-shadow-server


Malice ShadowServer Hash Lookup Plugin

This repository contains a Dockerfile of the ShadowServer malice plugin malice/shadow-server.

Dependencies

Installation

  1. Install Docker.
  2. Download trusted build from public DockerHub: docker pull malice/shadow-server

Usage

docker run --rm malice/shadow-server MD5/SHA1
Usage: shadow-server [OPTIONS] COMMAND [arg...]

Malice ShadowServer Hash Lookup Plugin

Version: v0.1.0, BuildTime: 20160219

Author:
  blacktop - <https://github.com/blacktop>

Options:
  --verbose, -V      verbose output
  --rethinkdb value  rethinkdb address for Malice to store results [$MALICE_RETHINKDB]
  --post, -p         POST results to Malice webhook [$MALICE_ENDPOINT]
  --proxy, -x        proxy settings for Malice webhook endpoint [$MALICE_PROXY]
  --table, -t        output as Markdown table
  --help, -h         show help
  --version, -v      print the version

Commands:
  help	Shows a list of commands or help for one command

Run 'shadow-server COMMAND --help' for more information on a command.

This prints the results to stdout and POSTs them to the Malice results API webhook endpoint.

Sample Output sandbox JSON:

{
  "shadow-server": {
    "found": true,
    "sandbox": {
      "md5": "aca4aad254280d25e74c82d440b76f79",
      "sha1": "6fe80e56ad4de610304bab1675ce84d16ab6988e",
      "first_seen": "2010-06-15 03:09:41",
      "last_seen": "2010-06-15 03:09:41",
      "type": "exe",
      "ssdeep": "12288:gOqOB0v2eZJys73dOvXDpNjNe8NuMpX4aBaa48L/93zKnP6ppgg2HFZlxVPbZX:sOA2eZJ8NI8Nah8L/4PqmTVPlX",
      "antivirus": {
        "AVG7": "Downloader.Generic9.URM",
        "AntiVir": "WORM/VB.NVA",
        "Avast-Commercial": "Win32:Zbot-LRA",
        "Clam": "Trojan.Downloader-50691",
        "DrWeb": "Win32.HLLW.Autoruner.6014",
        "F-Prot6": "W32/Worm.BAOX",
        "F-Secure": "Worm:W32/Revois.gen!A",
        "G-Data": "Trojan.Generic.2609117",
        "Ikarus": "Trojan-Downloader.Win32.VB",
        "Kaspersky": "Trojan.Win32.Cosmu.nyl",
        "McAfee": "Generic",
        "NOD32": "Win32/AutoRun.VB.JP",
        "Norman": "Suspicious_Gen2.SKLJ",
        "Panda": "W32/OverDoom.A",
        "QuickHeal": "Worm.VB.at",
        "Sophos": "Troj/DwnLdr-HQY",
        "TrendMicro": "TROJ_DLOADR.SMM",
        "VBA32": "Trojan.VBO.011858",
        "Vexira": "Trojan.DL.VB.EEDT",
        "VirusBuster": "Worm.VB.FMYJ"
      }
    },
    "whitelist": null
  }
}

Sample Output whitelist JSON:

{
  "shadow-server": {
    "found": true,
    "sandbox": {
      "md5": "5e28284f9b5f9097640d58a73d38ad4c",
      "sha1": "7a90f8b051bc82cc9cadbcc9ba345ced02891a6c",
      "first_seen": "2009-07-24 02:09:53",
      "last_seen": "2009-07-24 02:09:53",
      "type": "exe",
      "ssdeep": "1536:bwOnbNQKLjWDyy1o5I0foMJUEbooPRrKKReFX3:RNQKPWDyDI0fFJltZrpReFX3",
      "antivirus": {}
    },
    "whitelist": {
      "application_type": "exe",
      "binary": "1",
      "bit": "32",
      "crc32": "877EA041",
      "description": "Notepad",
      "dirname": "c:\\WINDOWS\\system32",
      "filename": "notepad.exe",
      "filesize": "69120",
      "filetimestamp": "04/14/2008 12:00:00",
      "fileversion": "5.1.2600.5512",
      "language": "English",
      "language_code": "1033",
      "md5": "5E28284F9B5F9097640D58A73D38AD4C",
      "media_source": "http://www.microsoft.com/",
      "mfg_name": "Microsoft Corporation",
      "os_mfg": "Microsoft Corporation",
      "os_name": "Microsoft Windows XP Professional Service Pack 3 (build 2600)",
      "os_version": "5.1",
      "product_name": "Microsoft Windows Operating System",
      "product_version": "5.1.2600.5512",
      "reference": "os_patches_all",
      "sha1": "7A90F8B051BC82CC9CADBCC9BA345CED02891A6C",
      "sha256": "865F34FE7BA81E9622DDBDFC511547D190367BBF3DAD21CEB6DA3EEC621044F5",
      "sha512": "CB7218CFEA8813AE8C7ACF6F7511AECBEB9D697986E0EB8538065BF9E3E9C6CED9C29270EB677F5ACF08D2E94B21018D8C4A376AA646FA73CE831FC87D448934",
      "sig_timestamp": "04/14/2008 02:07:47",
      "sig_trustfile": "C:\\WINDOWS\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\NT5.CAT",
      "signer": "Microsoft Windows Component Publisher",
      "source": "AppInfo",
      "source_version": "1.8",
      "strongname_signed": "0",
      "trusted_signature": "1"
    }
  }
}

Sample Output whitelist (Markdown Table):

shadow-server

WhiteList

| Found | Filename    | Description | ProductName                        |
|-------|-------------|-------------|------------------------------------|
| true  | notepad.exe | Notepad     | Microsoft Windows Operating System |

Sample Output sandbox (Markdown Table):

shadow-server

AntiVirus
  • FirstSeen: 6/15/2010 3:09AM
  • LastSeen: 6/15/2010 3:09AM

| Vendor           | Signature                    |
|------------------|------------------------------|
| F-Prot6          | W32/Worm.BAOX                |
| G-Data           | Trojan.Generic.2609117       |
| NOD32            | Win32/AutoRun.VB.JP          |
| Avast-Commercial | Win32:Zbot-LRA               |
| DrWeb            | Win32.HLLW.Autoruner.6014    |
| Norman           | Suspicious_Gen2.SKLJ         |
| Panda            | W32/OverDoom.A               |
| Vexira           | Trojan.DL.VB.EEDT            |
| VirusBuster      | Worm.VB.FMYJ                 |
| AntiVir          | WORM/VB.NVA                  |
| Clam             | Trojan.Downloader-50691      |
| Ikarus           | Trojan-Downloader.Win32.VB   |
| Kaspersky        | Trojan.Win32.Cosmu.nyl       |
| QuickHeal        | Worm.VB.at                   |
| VBA32            | Trojan.VBO.011858            |
| AVG7             | Downloader.Generic9.URM      |
| McAfee           | Generic                      |
| Sophos           | Troj/DwnLdr-HQY              |
| TrendMicro       | TROJ_DLOADR.SMM              |
| F-Secure         | Worm:W32/Revois.gen!A        |
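The JSON and Markdown-table outputs above are two views of the same plugin result, and a consumer of the webhook has to decide which of the two branches (sandbox detections vs. whitelist hit) it is looking at. The following Go program is an added example, not part of the malice/shadow-server plugin: it decodes a report into typed structs, derives a verdict, and renders the same table layout the plugin prints with -t. The two embedded JSON documents are constructed from the README samples (trimmed to a few vendors); the struct names, the Verdict labels and the Markdown helper are this example's own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample: the README's sandbox result, trimmed to two AV vendors.
const sampleSandbox = `{"shadow-server":{"found":true,"sandbox":{"md5":"aca4aad254280d25e74c82d440b76f79","sha1":"6fe80e56ad4de610304bab1675ce84d16ab6988e","first_seen":"2010-06-15 03:09:41","last_seen":"2010-06-15 03:09:41","type":"exe","antivirus":{"Kaspersky":"Trojan.Win32.Cosmu.nyl","Clam":"Trojan.Downloader-50691"}},"whitelist":null}}`

// Constructed sample: the README's whitelist result, trimmed to the fields used below.
const sampleWhitelist = `{"shadow-server":{"found":true,"sandbox":{"md5":"5e28284f9b5f9097640d58a73d38ad4c","sha1":"7a90f8b051bc82cc9cadbcc9ba345ced02891a6c","first_seen":"2009-07-24 02:09:53","last_seen":"2009-07-24 02:09:53","type":"exe","antivirus":{}},"whitelist":{"filename":"notepad.exe","description":"Notepad","product_name":"Microsoft Windows Operating System","trusted_signature":"1"}}}`

// Sandbox mirrors the "sandbox" object: hashes, sighting times and vendor -> signature.
type Sandbox struct {
	MD5       string            `json:"md5"`
	SHA1      string            `json:"sha1"`
	FirstSeen string            `json:"first_seen"`
	LastSeen  string            `json:"last_seen"`
	Type      string            `json:"type"`
	Antivirus map[string]string `json:"antivirus"`
}

// Whitelist mirrors the subset of the "whitelist" object the table needs.
type Whitelist struct {
	Filename         string `json:"filename"`
	Description      string `json:"description"`
	ProductName      string `json:"product_name"`
	TrustedSignature string `json:"trusted_signature"`
}

// Result is the value under the "shadow-server" key; both branches are pointers so
// a JSON null (as in the sandbox sample's "whitelist": null) decodes cleanly.
type Result struct {
	Found     bool       `json:"found"`
	Sandbox   *Sandbox   `json:"sandbox"`
	Whitelist *Whitelist `json:"whitelist"`
}

type report struct {
	ShadowServer Result `json:"shadow-server"`
}

// Parse decodes a full plugin report and returns the "shadow-server" result.
func Parse(raw string) (Result, error) {
	var rep report
	if err := json.Unmarshal([]byte(raw), &rep); err != nil {
		return Result{}, fmt.Errorf("decode shadow-server report: %w", err)
	}
	return rep.ShadowServer, nil
}

// Verdict classifies a result. The whitelist is checked first because a whitelisted
// hash also carries a (detection-free) sandbox block, as the notepad.exe sample shows.
func Verdict(r Result) string {
	switch {
	case r.Whitelist != nil:
		return "whitelisted"
	case r.Sandbox != nil && len(r.Sandbox.Antivirus) > 0:
		return "malicious"
	case r.Found:
		return "seen-no-detections"
	default:
		return "unknown"
	}
}

// prettyTime turns "2010-06-15 03:09:41" into the "6/15/2010 3:09AM" form the table uses.
func prettyTime(s string) string {
	t, err := time.Parse("2006-01-02 15:04:05", s)
	if err != nil {
		return s // leave unparseable values untouched rather than dropping them
	}
	return t.Format("1/2/2006 3:04PM")
}

// Markdown renders the result in the plugin's -t table layout; vendors are sorted
// here for stable output, whereas the plugin prints them in map order.
func Markdown(r Result) string {
	var b strings.Builder
	b.WriteString("#### shadow-server\n\n")
	switch {
	case r.Whitelist != nil:
		b.WriteString("#### WhiteList\n| Found | Filename | Description | ProductName |\n|---|---|---|---|\n")
		fmt.Fprintf(&b, "| %t | %s | %s | %s |\n", r.Found, r.Whitelist.Filename, r.Whitelist.Description, r.Whitelist.ProductName)
	case r.Sandbox != nil:
		fmt.Fprintf(&b, "#### AntiVirus\n - FirstSeen: %s\n - LastSeen: %s\n\n", prettyTime(r.Sandbox.FirstSeen), prettyTime(r.Sandbox.LastSeen))
		b.WriteString("| Vendor | Signature |\n|---|---|\n")
		vendors := make([]string, 0, len(r.Sandbox.Antivirus))
		for v := range r.Sandbox.Antivirus {
			vendors = append(vendors, v)
		}
		sort.Strings(vendors)
		for _, v := range vendors {
			fmt.Fprintf(&b, "| %s | %s |\n", v, r.Sandbox.Antivirus[v])
		}
	default:
		b.WriteString("Hash not found.\n")
	}
	return b.String()
}

func main() {
	for _, raw := range []string{sampleSandbox, sampleWhitelist} {
		r, err := Parse(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("verdict: %s\n%s\n", Verdict(r), Markdown(r))
	}
}
```

The pointer fields matter in practice: decoding "whitelist": null into a non-pointer struct would silently yield an empty Whitelist and a false "whitelisted" verdict, so the nil check is what keeps the two branches distinguishable.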

To write results to RethinkDB

$ docker volume create --name malice
$ docker run -d -p 28015:28015 -p 8080:8080 -v malice:/data --name rethink rethinkdb
$ docker run --rm -v /path/to/malware:/malware:ro --link rethink:rethink malice/shadow-server -t MD5/SHA1

To Run on OSX

$ brew install caskroom/cask/brew-cask
$ brew cask install virtualbox
$ brew install docker
$ brew install docker-machine
$ docker-machine create --driver virtualbox malice
$ eval $(docker-machine env malice)

Documentation

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.

Credits

License

MIT Copyright (c) 2016 blacktop
