MalwareSimilarityGraph

Performs shared code analysis on malware samples and outputs a graph.

USAGE:

usage: mal_sim_graph.py [-h] [--jaccard_index_threshold THRESHOLD]
                   target_directory output_dot_file

Find similarity between malware and graph it.

positional arguments:
  target_directory      Directory containing malware
  output_dot_file       Where to save the output graph DOT file

optional arguments:
  -h, --help            show this help message and exit
  --jaccard_index_threshold THRESHOLD, -j THRESHOLD
                        Threshold above which to create an 'edge' between
                        samples

OUTPUT (after conversion to png): similarity graph of APT28 malware samples (image: apt28_graph.png)

How's it work?

  • Takes in a directory
  • Finds the PE files in it
  • Extracts the Import Address Table from each sample (falls back to PE strings if a sample has no imports)
  • Calculates the Jaccard index between pairs of malware samples
  • Creates a .dot file (similarity graph) with an edge for each pair above the threshold
    • Convert the .dot file to png using:
      fdp -Tpng simgraph.dot -o simgraph.png
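As an added illustration of the steps above (not the project's own mal_sim_graph.py), the core in Python: a per-sample feature set that uses the imported API names and falls back to strings when the import table is empty, the Jaccard index over those sets, and DOT output with an edge only where the score exceeds the threshold. The sample names and feature values are constructed for the demo, not real samples.

```python
from itertools import combinations

# Constructed per-sample features standing in for what a PE parser would return:
# the imported API names (Import Address Table) and, for the packed sample with
# an empty IAT, its printable strings. Names and values are made up for the demo.
SAMPLES = {
    "sample_a.exe": {"imports": {"CreateFileW", "WriteFile", "InternetOpenA", "HttpSendRequestA", "VirtualAlloc"}},
    "sample_b.exe": {"imports": {"CreateFileW", "WriteFile", "InternetOpenA", "HttpSendRequestA", "CreateThread"}},
    "sample_c.exe": {"imports": {"MessageBoxA", "GetModuleHandleA", "ExitProcess"}},
    # packed sample: empty IAT, so its printable strings are used instead
    "sample_d.exe": {"imports": set(), "strings": {"kernel32.dll", "LoadLibraryA", "GetProcAddress", "cmd.exe /c"}},
}

def feature_set(sample):
    """Imported API names, falling back to extracted strings when the IAT is empty."""
    return sample["imports"] or sample.get("strings", set())

def jaccard_index(a, b):
    """|A ∩ B| / |A ∪ B|, defined as 0.0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)

def similarity_edges(samples, threshold):
    """Pairs whose Jaccard index exceeds the threshold, as (name1, name2, score)."""
    edges = []
    for (n1, s1), (n2, s2) in combinations(sorted(samples.items()), 2):
        score = jaccard_index(feature_set(s1), feature_set(s2))
        if score > threshold:
            edges.append((n1, n2, score))
    return edges

def to_dot(samples, threshold):
    """Undirected DOT graph: one node per sample, one edge per pair above the threshold."""
    lines = ["graph malware_similarity {"]
    lines += [f'    "{name}";' for name in sorted(samples)]
    for n1, n2, score in similarity_edges(samples, threshold):
        lines.append(f'    "{n1}" -- "{n2}" [label="{score:.2f}"];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dot(SAMPLES, 0.5))  # one edge: sample_a.exe -- sample_b.exe (0.67)
```

The printed graph can be rendered with the same fdp command shown above.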

Requirements:
