A Python threat-hunting malware scanner that locates a file by its SHA-256 hash
This tool is designed to hunt for specific malware dropped by an attacker or spawned by a malicious payload. These threats often attempt to establish persistence on a system to reconnect to the attacker's Command and Control (C2) server upon reboot. By inputting the target malware's SHA-256 hash value, the script scans the entire file system to locate the file. Once a match is found, the script outputs the exact file path so the incident responder can take immediate remediation action.
The malware scanner runs on a Unix-like system. Make sure the system is up to date and that Python 3 with the venv module is installed.

System update and installation of Python:

1. Update the system and install the Python venv package: `sudo apt update && sudo apt install -y python3.12-venv`

Installation of the scanner:

1. Clone the repo: `git clone https://github.com/abc1230940/malware_scanner.git`
2. Navigate into the folder: `cd malware_scanner`
3. Set up the virtual environment: `python3 -m venv env`
4. Activate the virtual environment: `source env/bin/activate`
5. Deactivate the virtual environment when finished: `deactivate`

Using the scanner:

1. Edit the Python script and then save it.
The script was designed to scan the root directory ("/"). The directories /proc, /sys, /dev, /snap and /run must be excluded from the scan: they are virtual filesystems (kernel process information, device nodes and runtime state) that are not backed by the physical disk, and reading through them would otherwise cause the program to hang, freeze, or crash.
You can also restrict the scan to the directories where an attacker commonly drops malware:
- /tmp
- /var/tmp
- /dev/shm
- /etc/cron.*
- /etc/bin
2. Launch the malware scanner script: `python3 malware_scanner.py`
3. Input the SHA-256 hash value and press Enter. I entered the SHA-256 of "Malware": a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
4. Result: the targeted "malware" was found! The path is "/tmp/malware/real_malware/hello_world.txt"
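The hunt described above, written out as an added example (not the repository's own `malware_scanner.py`): the walk prunes the excluded pseudo-filesystems before descending, hashes files in chunks so a large file never has to be read into memory at once, skips entries that are not regular files, and tolerates files that vanish or are unreadable mid-scan. The function and constant names are this example's own.

```python
import hashlib
import os
import stat
from typing import List, Optional

# Pseudo-filesystems with no backing on disk; walking them can hang the scan.
EXCLUDED_DIRS = ("/proc", "/sys", "/dev", "/snap", "/run")
CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so large files are not read whole


def sha256_of_file(path: str) -> Optional[str]:
    """Return the hex SHA-256 of a file, or None if it cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
                digest.update(chunk)
    except OSError:  # permission denied, file vanished mid-scan, etc.
        return None
    return digest.hexdigest()


def find_by_sha256(target_hash: str, root: str = "/",
                   excluded=EXCLUDED_DIRS) -> List[str]:
    """Walk `root` and return every regular file whose SHA-256 is `target_hash`.

    Excluded directories are pruned before os.walk descends, so nothing beneath
    them is ever opened. os.walk does not follow symlinked directories, and
    non-regular entries (symlinks, sockets, device nodes) are skipped.
    """
    target_hash = target_hash.strip().lower()
    matches: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Edit dirnames in place: os.walk honours the change before descending.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in excluded]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue
            except OSError:
                continue
            if sha256_of_file(path) == target_hash:
                matches.append(path)
    return matches


if __name__ == "__main__":
    for hit in find_by_sha256(input("SHA-256 to hunt for: ")):
        print(f"Match found: {hit}")
```

Pass a narrower `root` (for example `/tmp`) to limit the scan to one of the drop directories listed above.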
LetsDefend - Python for Blue Team
