MalwareSimilarityGraph
Performs shared code analysis on malware samples and outputs a graph.
USAGE:

    usage: mal_sim_graph.py [-h] [--jaccard_index_threshold THRESHOLD]
                            target_directory output_dot_file

    Find similarity between malware and graph it.

    positional arguments:
      target_directory      Directory containing malware
      output_dot_file       Where to save the output graph DOT file

    optional arguments:
      -h, --help            show this help message and exit
      --jaccard_index_threshold THRESHOLD, -j THRESHOLD
                            Threshold above which to create an 'edge' between
                            samples
OUTPUT (after conversion to png):

    [image: similarity graph of APT28 malware samples]
How does it work?
- Takes in a directory
- Finds the PE files in it
- Extracts the Import Address Table from each sample (falls back to PE strings if a sample has no imports)
- Calculates the Jaccard index for each pair of samples
- Creates a .dot file (the similarity graph), with an edge between two samples when their index is above the threshold
- Convert the .dot to PNG using:
      fdp -Tpng simgraph.dot -o simgraph.png
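The pipeline above, as an added stand-alone example (not the project's own mal_sim_graph.py): feature extraction from the IAT with a strings fallback, pairwise Jaccard index, and DOT output written directly with the standard library instead of networkx/pydot. The three sample feature sets are constructed; only extract_features needs pefile.

```python
import itertools
import re

def extract_features(path, min_len=5):
    """Feature set of one PE: 'dll.Func' import names, or printable strings if the IAT is empty."""
    import pefile  # third-party (see Requirements); imported lazily so the rest runs without it
    pe = pefile.PE(path)
    features = set()
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode(errors="ignore").lower()
        features |= {dll + "." + imp.name.decode(errors="ignore") for imp in entry.imports if imp.name}
    if not features:  # no imports (packed or stripped): fall back to ASCII strings, as the tool does
        with open(path, "rb") as f:
            features = {s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, f.read())}
    return features

def jaccard_index(a, b):
    """|A & B| / |A | B|; defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def similarity_edges(features, threshold):
    """(s1, s2, index) for every pair of samples whose Jaccard index exceeds the threshold."""
    edges = []
    for s1, s2 in itertools.combinations(sorted(features), 2):
        j = jaccard_index(features[s1], features[s2])
        if j > threshold:
            edges.append((s1, s2, j))
    return edges

def to_dot(features, threshold):
    """Undirected Graphviz DOT text: one node per sample, one labelled edge per similar pair."""
    lines = ["graph malware_similarity {"]
    lines += ['    "%s";' % name for name in sorted(features)]
    lines += ['    "%s" -- "%s" [label="%.2f"];' % e for e in similarity_edges(features, threshold)]
    lines.append("}")
    return "\n".join(lines)

# Constructed sample features (what extract_features would return for three hypothetical files).
SAMPLE_FEATURES = {
    "a.exe": {"kernel32.CreateFileA", "kernel32.WriteFile", "ws2_32.connect", "ws2_32.send"},
    "b.exe": {"kernel32.CreateFileA", "kernel32.WriteFile", "ws2_32.connect", "ws2_32.recv"},
    "c.exe": {"user32.MessageBoxA", "kernel32.ExitProcess"},
}

if __name__ == "__main__":
    # a.exe and b.exe share 3 of 5 imports (0.60) and get an edge at -j 0.5; c.exe stays isolated
    print(to_dot(SAMPLE_FEATURES, 0.5))
```

Pipe the printed DOT text through `fdp -Tpng` exactly as in the step above to get the picture.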
Requirements:
- pefile - https://github.com/erocarrera/pefile
- networkx == 2.0
- pydot == 1.2.4