Static analysis of malware using Docker. This software allows you to scan a file with different antivirus engines. Also, it allows obtaining information from a file; such as imported libraries, PE, hashes, etc.
usage: thor.py [-h] [-d] [-j] [-s [FILE] | -p | -l | -u | -i [FILE]]
optional arguments:
-h, --help show this help message and exit
-d, --debug Enable debug mode
-j, --json Retrive response in JSON format
-s [FILE], --scan-file [FILE]
Scan a specific file
-p, --pull-dockers Pull all the images from the configuration file
-l, --list-avs List of available antivirus engines
-u, --update-avs Update antivirus databases
-i [FILE], --file-info [FILE]
Retrieve file information (File info, Portable Executable Info, Imported DLLs)
$ thor.py -s ../sample_files/bb7425b82141a1c0f7d60e5106676bb1
------------------------------------------------
AV Engine Detections (6/11)
------------------------------------------------
AVG AntiVirus: Trojan horse Agent5.CDE
Avira: HEUR/AGEN.1022518
ClamAV: Win.Malware.Agent-6342616-0
Comodo Internet Security: Malware
eScan Antivirus: Undetected
Dr. Web: Undetected
F-PROT Antivirus: Undetected
McAfee: RDN/Generic.grp
Sophos: Undetected
Windows Defender: Trojan:Win32/Aenjaris.CT!bit
ZONER AntiVirus: Undetected
$ python3 thor.py -i sample_files/file1.random
------------------------------
File info
------------------------------
Size: 16.0 KB
MD5: bb7425b82141a1c0f7d60e5106676bb1
SHA-1: 9dce39ac1bd36d877fdb0025ee88fdaff0627cdb
SHA-256: 58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47
Extension: exe
Mime: application/vnd.microsoft.portable-executable
File Type: executable
--------------------------------------------------
Portable Executable Info (PE)
--------------------------------------------------
Target Machine: Intel 386 or later processors and compatible processors
Compilation Timestamp: 2010-12-19 11:16:19
Entry Point: 6176
SECTIONS:
.text:
Virtual Address: 4096
Virtual Size: 2416
Raw Size: 4096
Characteristics: 1610612768
Entropy: 4.451
MD5: 7e39ebe7cdeda4c636d513a0fe140ff4
SHA-1: 150d709dcae7e0ae30ac6e5c76fda74ce168a62b
SHA-256: 44ab4d055abe09f315f217245f131fa4b9c162ffc992034b28ada7d2e8e8c87f
.rdata:
Virtual Address: 8192
Virtual Size: 690
Raw Size: 4096
Characteristics: 1073741888
Entropy: 1.132
MD5: 2de0f3a50219cb3d0dc891c4fbf6f02a
SHA-1: 9a80eabe5c64342b6bc9f4f31212ceb37b014055
SHA-256: c6c6d685937af139911a720a86a1d901e30d015c8bc4a0d27756141e231df5eb
.data:
Virtual Address: 12288
Virtual Size: 252
Raw Size: 4096
Characteristics: 3221225536
Entropy: 0.439
MD5: f5e2ba1465f131f57b0629e96bbe107e
SHA-1: 129de8d9c6bbe1ba01c6b0d5ce5781c61eb042dc
SHA-256: 86aa10f4f5e696b8953e0a639a9725869803d85c1642d3e86e9fc7574d2eedb3
----------------------------
Imports
----------------------------
- KERNEL32.dll
- MSVCRT.dll
- kerne132.dll
- C:\windows\system32\kerne132.dll
- Lab01-01.dll
- C:\Windows\System32\Kernel32.dll
$ python3 thor.py -i sample_files/file1.random -j
{
"file_info":{
"size":{
"size":16.0,
"unit":"KB"
},
"hashes":{
"MD5":"bb7425b82141a1c0f7d60e5106676bb1",
"SHA-1":"9dce39ac1bd36d877fdb0025ee88fdaff0627cdb",
"SHA-256":"58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47"
},
"magic_number":{
"type":[
"executable",
"system"
],
"extension":[
"exe",
"dll",
"drv",
"sys",
"com"
],
"mime":[
"application/vnd.microsoft.portable-executable",
"application/x-msdownload"
]
}
},
"pe_info":{
"sections":{
".text":{
"virtual_address":4096,
"virtual_size":2416,
"raw_size":4096,
"characteristics":1610612768,
"hashes":{
"MD5":"7e39ebe7cdeda4c636d513a0fe140ff4",
"SHA-1":"150d709dcae7e0ae30ac6e5c76fda74ce168a62b",
"SHA-256":"44ab4d055abe09f315f217245f131fa4b9c162ffc992034b28ada7d2e8e8c87f"
},
"entropy":4.451
},
".rdata":{
"virtual_address":8192,
"virtual_size":690,
"raw_size":4096,
"characteristics":1073741888,
"hashes":{
"MD5":"2de0f3a50219cb3d0dc891c4fbf6f02a",
"SHA-1":"9a80eabe5c64342b6bc9f4f31212ceb37b014055",
"SHA-256":"c6c6d685937af139911a720a86a1d901e30d015c8bc4a0d27756141e231df5eb"
},
"entropy":1.132
},
".data":{
"virtual_address":12288,
"virtual_size":252,
"raw_size":4096,
"characteristics":3221225536,
"hashes":{
"MD5":"f5e2ba1465f131f57b0629e96bbe107e",
"SHA-1":"129de8d9c6bbe1ba01c6b0d5ce5781c61eb042dc",
"SHA-256":"86aa10f4f5e696b8953e0a639a9725869803d85c1642d3e86e9fc7574d2eedb3"
},
"entropy":0.439
}
},
"entry_point":6176,
"target_machine":"Intel 386 or later processors and compatible processors",
"compilation_timestamp":"2010-12-19 11:16:19"
},
"imports":[
"KERNEL32.dll",
"MSVCRT.dll",
"kerne132.dll",
"C:\\windows\\system32\\kerne132.dll",
"Lab01-01.dll",
"C:\\Windows\\System32\\Kernel32.dll"
]
}
The web application will allow you to perform the same operations as the CLI, but with a friendlier interface. As a difference, it has a cache that will avoid having to scan the same file several times.
Run web application:
$ cd app
$ python3 index.py -h
usage: index.py [-h] [-d] [-i] [-p]
optional arguments:
-h, --help show this help message and exit
-d, --debug Enable debug mode
-i, --host Set host on which the web application runs. Default: 127.0.0.1.
-p, --port Set port on which the web application runs. Default: 5000.
$ python3 index.py
At the moment, the application uses Malice dockers images. But it can be configured to use any other image, as long as it returns the result in a similar JSON format.
This application uses a file in JSON format that indicates the Docker commands to be used for operations with each of the antivirus engines. Each object in the list represents an antivirus configured in a Docker container.
{
"name":"McAfee",
"image": "malice/mcafee"
}
The mandatory parameters are:
name: Antivirus name.image: Docker image to be used.
Optional parameters:
scan_command: Command to be used to scan a file.update_command: Command to be used to update the engine.license_command: Command to set license during a scan.license: License.
{
"name":"AVG AntiVirus",
"image": "malice/avg",
"scan_command": "--rm -v \"{File_path}:/malware/{File_name}\" {Image} {File_name} --timeout 150",
"update_command": "{Image} update",
"license": "\"`pwd`/../licenses/avg/hbedv.key:/opt/avg/hbedv.key\""
}
The commands are parameterized, you can use the following tokens:
File_path: This token will be replaced by the absolute path of the file to analyze.File_name: This token will be replaced by the name of the file to analyze.License: This token will be replaced by the license include in the configuration.
Defaults commands:
DEFAULT_UPDATE_COMMAND = "{Image} update"
DEFAULT_SCAN_COMMAND = "--rm -v \"{File_path}:/malware/{File_name}\" {Image} {File_name}"
DEFAULT_LICENSE_COMMAND = "-v {License}"
Antivirus included at the moment:
$ python3 thor.py -l
-------------------------------------------------------
List of available antivirus engines
-------------------------------------------------------
AVG AntiVirus
Avira
ClamAV
Comodo Internet Security
eScan Antivirus
Dr. Web
F-PROT Antivirus
McAfee
Sophos
Windows Defender
ZONER AntiVirus
View docker_configuration.json.
This project was carried out for a Master's Degree in Cyber Security at the University of Granada. Using Python 3 and Javascript, in addition to Quart, jQuery, and Bootstrap. Including some external libraries like Dropzone and fleep, and borrowing Malice's Docker images.
© 2020 Copyright: javierizquierdovera.com.
This program is free software, you can redistribute it and/or modify it under the terms of GPLv2.