This is an ongoing project that will be delivered in multiple phases. The goal is not just to tell the analyst whether an IP address or domain is malicious, but to provide as much information as possible so that a contextual view of the threat can be built up.
In this phase the scripts only collect information from the sources.
Sources Include:
1. whois (for meta information about IP address/domain)
2. threatminer (for APT notes)
3. botscout (Check if the IP has been associated with bot behaviour)
4. cymon (Check reputation, and threat activities through time)
5. hybrid (Check if the domain, IP or hash has been associated with malware)
6. malshare (Check if the domain or IP has been used as a delivery method for malware)
7. threatcrowd (Check status)
8. shodan (Get information about hosts such as open ports and services; also check if the host has been associated with C2C)
9. urlhaus (Check if the domain or IP has been attributed to malware distribution)
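As an added example (not the project's own code), the skeleton below shows how a collection script can classify an indicator, pick the listed sources that can enrich that indicator type, and merge per-source results into a single contextual report rather than a yes/no verdict. The capability table, the function names and the sample responses are assumptions; capabilities the list above does not state (threatminer, cymon, threatcrowd) are guessed, and the responses are constructed offline stand-ins, not live API output.

```python
import re

# Which indicator types each listed source can enrich. Entries for threatminer,
# cymon and threatcrowd are assumptions; the others follow the source list above.
SOURCE_CAPABILITIES = {
    "whois": {"ip", "domain"}, "threatminer": {"ip", "domain", "hash"},
    "botscout": {"ip"}, "cymon": {"ip", "domain"},
    "hybrid": {"ip", "domain", "hash"}, "malshare": {"ip", "domain"},
    "threatcrowd": {"ip", "domain"}, "shodan": {"ip"}, "urlhaus": {"ip", "domain"},
}

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5/SHA1/SHA256
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$")

def classify_indicator(value):
    """Return 'ip', 'hash' or 'domain'; reject anything that is none of these."""
    value = value.strip()
    if IPV4.match(value):
        return "ip"
    if HASH.match(value):
        return "hash"
    if DOMAIN.match(value):
        return "domain"
    raise ValueError(f"unrecognised indicator: {value!r}")

def select_sources(indicator):
    """Sources worth querying for this indicator, in a stable order."""
    kind = classify_indicator(indicator)
    return sorted(s for s, kinds in SOURCE_CAPABILITIES.items() if kind in kinds)

def build_context(indicator, results):
    """Merge per-source results ({source: {'hit': bool, ...}}) into one report."""
    kind = classify_indicator(indicator)
    planned = set(select_sources(indicator))
    unexpected = set(results) - planned
    if unexpected:  # a result from a source that cannot handle this type is a bug
        raise ValueError(f"sources that cannot enrich a {kind}: {sorted(unexpected)}")
    hits = {s: {k: v for k, v in r.items() if k != "hit"}
            for s, r in results.items() if r.get("hit")}
    return {"indicator": indicator, "type": kind, "sources_queried": sorted(results),
            "sources_missing": sorted(planned - set(results)),
            "sources_with_hits": sorted(hits), "findings": hits}

# Constructed sample responses for a TEST-NET-2 address (not real API output).
SAMPLE_RESULTS = {
    "whois": {"hit": True, "asn": "AS64496", "country": "ZZ"},
    "shodan": {"hit": True, "open_ports": [22, 443], "tags": ["c2"]},
    "botscout": {"hit": False},
    "urlhaus": {"hit": True, "url_count": 3, "threat": "malware_download"},
}
```

Running `build_context("198.51.100.23", SAMPLE_RESULTS)` lists the sources that returned hits, the ones still to query (cymon, hybrid, malshare, threatcrowd, threatminer) and the merged findings, which is the shape the later presentation phase can work from.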
Obtain meaningful, relevant and useful information from the gathered data, and present it in a more understandable way.
Focus on using the reports published on various APTs in this project.