Skip to content

grepstrength/malsnitch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
detector
detector
 
 
engine
engine
 
 
input
input
 
 
output
output
 
 
scripts
scripts
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
image.png
image.png
 
 
main.go
main.go
 
 
malsnitch.png
malsnitch.png
 
 
results.csv
results.csv
 
 

Repository files navigation

alt text

malsnitch

  • Reversing some malware?
  • Tired of eyeballing string dumps for hardcoded creds?
  • Short on time?

Look no further!

malsnitch is a CLI tool meant to assist RE workflows by scanning artifacts like string dumps, FLOSS output, or Binja exports. It extracts embedded secrets malware authors put in their binaries.

  • C2 creds
  • crypto keys
  • API tokens
  • exfil channel configs
  • more!

TO BE CLEAR - this is not another developer secrets scanner. Tools like TruffleHog or Gitleaks catch API keys being committed to legitimate repos. malsnitch gets the RC4 key buried in .rdata or the SFTP password to a random C2 server.

(Also, I'm proud of myself for not shoehorning in "Go" anywhere in the title.)

Features

  • Detects embedded crypto keys (AES-128, AES-256, RC4)
  • Detects C2 infrastructure
  • Detects exfil channel creds (Discord webhooks, Telegram bot tokens)
  • Detects hardcoded credentials (SMTP, FTP, HTTP, etc)
  • Auto deduplication and substring suppression
  • Structured JSON output to stdout
  • Supports multiple input formats:
    • text: raw strings dump (e.g. strings.exe or FLOSS raw output)
    • floss: FLOSS JSON output
    • binja: Binary Ninja export JSON (via the included bn_export.py)

Usage

  1. Clone the repo:
git clone https://github.com/grepstrength/malsnitch.git
cd malsnitch
  1. Build:
go build -o malsnitch.exe .
  1. Run against a strings dump:
.\malsnitch.exe -file strings_output.txt -type text
  1. Run against FLOSS JSON output:
.\malsnitch.exe -file floss_report.json -type floss
  1. Run against a Binary Ninja export:
.\malsnitch.exe -file bn_export.json -type binja
  1. Pipe JSON output to a file:
.\malsnitch.exe -file sample_strings.txt > results.json

Example Output

alt text

Binary Ninja Plugin

A python export script is included in scripts/bn_export.py. You can run this inside Binja's script console or headless:

python bn_export.py sample.exe output.json

This produces the JSON format that malsnitch consumes with -type binja.

Exit Codes

Code Meaning
0 Secrets found
1 Error (bad input, missing file, etc.)
2 Clean scan, no secrets detected

Future Roadmap

Sooner

  1. API key detector DONE
  2. CSV output DONE

Later

  1. Memory dump scanner
  2. PCAP input
  3. MITRE ATT&CK mapping

License

MIT license. No restrictions.

About

Secrets scanner with a twist... this is for getting threat actor credentials from analyzed malware samples. Acquire threat actor credentials from Binary Ninja exports, etc. to get C2 credentials, embedded API keys, crypto material, or hardcoded passwords.

grepstrength.com

Topics

cli golang incident-response reverse-engineering cybersecurity infosec malware-analysis binary-analysis malware-research threat-intelligence secrets-scanner

Resources

Readme

License

MIT license
Activity

Stars

7 stars

Watchers

1 watching

Forks

0 forks
Report repository

Contributors

Languages