MalwareSimilarityGraph

Performs shared code analysis on malware samples and outputs a graph.

USAGE:

usage: mal_sim_graph.py [-h] [--jaccard_index_threshold THRESHOLD]
                   target_directory output_dot_file

Find similarity between malware and graph it.

positional arguments:
  target_directory      Directory containing malware
  output_dot_file       Where to save the output graph DOT file

optional arguments:
  -h, --help            show this help message and exit
  --jaccard_index_threshold THRESHOLD, -j THRESHOLD
                        Threshold above which to create an 'edge' between
                        samples

OUTPUT (after conversion to png) APT28 Malware samples

How's it work?

• Takes in directory
• finds PE files
• Extracts Import Address Table from samples (Fails over to pe strings if no imports)
• Calculates Jaccard index of two malware samples
• creates .dot file (similarity graph)
  • Convert .dot to png using:

    fdp -Tpng simgraph.dot -o simgraph.png
    
    

Requirements:

• pefile - https://github.com/erocarrera/pefile
• networkx == 2.0
• pydot == 1.2.4