Skip to content

abdesslem/malwareHunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits

modules

modules

 
 

web

web

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

analysis.py

analysis.py

 
 

config.ini

config.ini

 
 

dynamic.py

dynamic.py

 
 

main.py

main.py

 
 

mainGui.py

mainGui.py

 
 

parser.py

parser.py

 
 

peframe.py

peframe.py

 
 

utils.py

utils.py

 
 

Repository files navigation

MalwareHunter

What is MalwareHunter

In three words, MalwareHunter is a malware analysis application. What does that mean? It simply means that you can throw any suspicious file at it and it will provide you back some static information as well as a detailed results outlining what such file did when executed inside an isolated environment..

Install Requirements

  • Install the latest version of VirtualBox
$ sudo apt-get install virtualbox virtualbox-guest-additions
  • Create a VM running Windows, named 'winxp'
  • Create a read-only shared folder (You can do this using the VirtualBox GUI interface).
$ VBoxManage sharedfolder add “winxp” \
--name “malware” \
--hostpath “/Users/<user>/Desktop/vbox/malware” \
--readonly
  • Map the shared folder to a drive, Log on to the VM and add a static mapping to associate the shared folder with a drive letter.
C:\> net use X: \\vboxsvr\malware /PERSISTENT:YES
  • Take a snapshot
$ VBoxManage snapshot “winxp” take “cleanimg”
  • Install Volatility
$ svn checkout http://volatility.googlecode.com/svn/trunk Volatility
  • Install Snort, Inetsim and tshark
$ apt-get install snort inetsim tshark

Install and Run

$ git clone https://github.com/abdesslem/malwareHunter.git
$ cd malwareHunter

Run the tools in command line or web application

$ python main.py or python mainGui.py

Purpose

The purpose of the malwareHunter is to determine:

  • Static information (packers, strings, URL,...)
  • The nature and purpose of the malware
  • Interaction with file system
  • Interaction with the registry
  • Interaction with the network

And these functionalities are achieved as follow:

  • Takes sample as input
  • Perform statis analysis
  • Reverts VM to clean snapshot
  • Starts the VM
  • Transfers the malware to VM
  • Runs the monitorings tools
  • Executes the malware for the specified time
  • Stops the monitorings tools
  • Suspends The VM
  • Acquires the memory image
  • Performs memory analysis using Volatility framework
  • Stores the results (Final reports, pcaps and malicious artifacts for later analysis)

Components

Modules

To get some information about the file, such as URL, strings, packers, anti-debug ... we used the peframe modules. This directory contain the code responsible for the static analysis.

Web

The project's web interface is built with Bottle. Bottle is a fast, simple and lightweight WSGI micro web-framework for Python. It isdistributed as a single file module and has no dependencies other than the Python Standard Library.

Sandbox

To be able to collect valuable data, it's important to run the sample in an isolated environement and automate the process of dynamic analysis.

Bitdeli Badge

About

Static and automated/dynamic malware analysis

abdesslem.github.io/malwareHunter/

Resources

Readme

License

GPL-2.0 license
Activity

Stars

47 stars

Watchers

11 watching

Forks

16 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages