Skip to content

/ MalwareSimilarityGraph

Performs shared code analysis on malware samples and outputs a graph.
malware data-science malware-research malware-analysis
Python
  1. Python 100.0%
Branch: master
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio

If nothing happens, download the GitHub extension for Visual Studio and try again.

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md
apt28_graph.png
mal_sim_graph.py

README.md

MalwareSimilarityGraph

Performs shared code analysis on malware samples and outputs a graph.

USAGE:

usage: mal_sim_graph.py [-h] [--jaccard_index_threshold THRESHOLD]
                   target_directory output_dot_file

Find similarity between malware and graph it.

positional arguments:
  target_directory      Directory containing malware
  output_dot_file       Where to save the output graph DOT file

optional arguments:
  -h, --help            show this help message and exit
  --jaccard_index_threshold THRESHOLD, -j THRESHOLD
                        Threshold above which to create an 'edge' between
                        samples

OUTPUT (after conversion to png) alt text APT28 Malware samples

How's it work?

  • Takes in directory
  • finds PE files
  • Extracts Import Address Table from samples (Fails over to pe strings if no imports)
  • Calculates Jaccard index of two malware samples
  • creates .dot file (similarity graph)
    • Convert .dot to png using: 
      fdp -Tpng simgraph.dot -o simgraph.png

Requirements:

You can’t perform that action at this time.