# Malware Analysis & Triage Kit
This notebook performs the initial stages of immediate malware triage.

## How To
Take your malware specimen and drop it into the `dropbox` directory. The notebook will walk you through the stages of initial analysis.

At the end of this process, you will have a triage report in the `saved-specimens` diretory. This report includes findings from initial triage, including the defanged specimen in a password-proteced Zip file and static analysis artifacts.

# Imports and Setup

In [None]:
# Imports
from hashlib import *
import sys
import os
from getpass import getpass
from virus_total_apis import PublicApi as VirusTotalPublicApi
import json
from MalwareSample import *
from pprint import pprint
import os.path
from time import sleep

import pefile
import requests
import bs4

### Check Dropbox and Saved-Specimens

In [None]:
MalwareSample.check_dir("dropbox")
MalwareSample.check_dir("saved-specimens")
empty = MalwareSample.is_dir_empty("dropbox")
if empty:
    print(r"  \\--> " + recc + "Put some samples in the dropbox!")

### Enumerate Samples in the Dropbox

In [None]:
samples=!ls dropbox/*
for s in samples:
    print(info + "Sample: " + s)

In [None]:
sample_obj = [MalwareSample(s) for s in samples]

### Create a Saved Specimen directory for the specimen(s)

In [None]:
for obj in sample_obj:
    saved_sample_name = MalwareSample.create_specimen_dirs(obj.sample_name)
    obj.saved_sample_name = saved_sample_name

### Defang Sample

In [None]:
for obj in sample_obj:
    sample_path = MalwareSample.move_and_defang(obj.sample_name, obj.saved_sample_name)
    obj.sample_path = sample_path

---

## File Hashes

### SHA256 Sum

In [None]:
for obj in sample_obj:
    hash = MalwareSample.get_sha256sum(obj.sample_path, obj.saved_sample_name)
    obj.sha256sum = hash
    print(info + obj.sample_name + ": " + obj.sha256sum)

---

## String Analysis

### StringSifter
StringSifter is a FLARE developed tool that uses an ML model to rank a binary's strings by relevance to malware analysis.

In [None]:
length = int(input(recc + "Input your desired minimum string length [default is 4, 6-8 is recommended] > "))

In [None]:
for obj in sample_obj:
    MalwareSample.pull_strings(length, obj.saved_sample_name, obj.sample_path)

## VT Analysis
Submit samples to Virus Total and generate a malicious confidence level.

In [None]:
VT_API_KEY = getpass("Enter VirusTotal API Key (blank if none): ")

In [None]:
if VT_API_KEY:
    vt = VirusTotalPublicApi(VT_API_KEY)
else:
    print(info + "No VT API Key. Skipping...")

Note: If there are more than 4 samples in the dropbox, hashes are submitted with a sleep of 16 seconds to remain under the public API rate limit. So hit go, grab a beverage of choice, stretch out and relax. This could be a while depending on how many samples you're submitting.

In [None]:
if VT_API_KEY:
    for obj in sample_obj:
        print(info + obj.sample_name + ":")
        print(r"  \\--> " + info + "SHA256sum: " + obj.sha256sum)
        res = vt.get_file_report(obj.sha256sum)
        conf = malicious_confidence(res)
        print(r"  \\--> " + info + "Confidence level: " + str(conf))
        crit_level =  determine_criticality(conf)
        obj.criticality = crit_level
        

        if len(sample_obj) >= 5:
            sleep(16)
        
else:
    print(info + "No VT API Key. Skipping...")

## Identify PE Sample and Parse IAT
Original Code: Squiblydoo [MalAPIReader](https://github.com/Squiblydoo/MalAPIReader)

In [None]:
# MalAPI.io currently does not have an actual API
def apiCheck(api):
    APItoCheck = api
    APICheck = requests.get("https://malapi.io/winapi/" + APItoCheck)
    APICheck.raise_for_status()
    APISoup = bs4.BeautifulSoup(APICheck.text, 'html.parser')
    
    details = APISoup.select('.detail-container .content')
    ApiInfo = details[1].getText().lstrip().rstrip()
    return ApiInfo

In [None]:
for obj in sample_obj:
    try:
        # If not a valid PE file, line below should throw a PEFormatError
        pe = pefile.PE("./dropbox/"+obj.sample_name, fast_load=True)

        print(good + f"{obj.sample_name} is a valid PE file. Examining...")
        pe.parse_data_directories()
        for entry in pe.DIRECTORY_ENTRY_IMPORT:
            for imp in entry.imports:
                api = imp.name.decode("utf-8") # Not necessarily an API call
                try:
                    details = apiCheck(api)
                    # Replacement is necessary to allow the csv to be functional
                    obj.winapi_imports.append((api, details.replace(",",""), True))
                except:
                    if api[0] != "_": # Primitive way to filter out non-API strings
                        obj.winapi_imports.append((api, None, False))

        MalwareSample.save_imports(obj.sample_path, obj.saved_sample_name, obj.winapi_imports)

    except pefile.PEFormatError:
        print(info + f"{obj.sample_name} is not a valid PE file. Skipping...")

    except Exception as err:
        print(printError + f"Something went wrong, skipping {obj.sample_name}. Error: {err}")
    
print(important + "If a WINAPI was used maliciously, consider contributing information to MalAPI.io.")
print(r"  \\--> " + info + "Note that an API will be marked as \"True\" (malicious) only if it is an exact match to MalAPI\'s table")
    

## Zip and Password Protect

In [None]:
for obj in sample_obj:
    zip_file = MalwareSample.zip_and_password_protect(obj.sample_path, obj.saved_sample_name)
    MalwareSample.delete_unzipped_sample(obj.sample_path, zip_file)

---

### Debug Object Vars

In [None]:
for obj in sample_obj:
    pprint(vars(obj))