The original code of a malware sample must be scanned with YARA rules after it has been processed with a debugger (or other means), so that obfuscated malware binaries are covered. This is a complicated process and requires an extensive malware analysis environment. tknk_scanner is a community-based integrated malware identification system which aims to make identifying malware families easy by automating this process with an integration of open-source community tools and freeware. The original malware code can be scanned with your own YARA rules simply by submitting the malware in PE format to the scanner. tknk_scanner can thus support the surface analysis performed by SOC operators, CSIRT members, and malware analysts.
- Automatic identification and classification of malware
  - Scans the original code of malware with YARA.
- Dumps the original code of malware
  - You can easily get the original code.
- Integrates multiple open-source software and free tools
- User-friendly Web UI
  - Users can submit malware and check scan results using the Web UI.
- Ubuntu 18.04 (Host OS)
- Windows10 (Guest OS)
- python 3.5 or later
- yara-python 3.7.0
Preparing the Host
- git clone --recursive repository_url
- Edit tknk.conf
- Virtual Machine name
- URL of
- URL of
- Set to 1 to use VirusTotal (VT)
- Your VirusTotal API key
- Download Malware characterization tools
$ git submodule update
- Detect It Easy
- Download zip from https://ntinfo.biz/
- Extract the zip (Linux Ubuntu 64-bit (x64)) to
- Rename the folder
- Download and copy dump tools to
- Set YARA rules
Save your YARA rules in the "rules" folder. Each rule file must be added to index.yar, because that is the file the scanner loads.
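As an added illustration of that layout (not a file from the tknk_scanner repository; the included file name and every string in the rule are assumed), index.yar could look like this:

```yara
// rules/index.yar, shown as an added example (not a file from the tknk_scanner repository).
// tknk_scanner compiles only index.yar, so every rule file you drop into rules/
// must be pulled in here; include paths are relative to index.yar.
include "example_family.yar"   // hypothetical rule file placed next to index.yar

// A rule can also live directly in index.yar. This one is written for the
// dumped original code, so it may use strings that are invisible in the packed
// sample on disk; the marker string is a constructed placeholder, not a real IoC.
rule Example_Unpacked_Family
{
    meta:
        description = "Constructed example: unpacked PE carrying a hypothetical config marker"
        author      = "added example"
    strings:
        $mz     = { 4D 5A }                           // "MZ" DOS header of the dumped PE
        $marker = "EXAMPLE_CONFIG_MARKER" ascii wide  // placeholder, replace with family-specific strings
        $api    = "InternetOpenUrlA" ascii            // import name visible in the unpacked code
    condition:
        $mz at 0 and filesize < 5MB and $marker and $api
}
```

Rules that match only the packed sample on disk add little here; write them against what the dump tools produce.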
Preparing the Guest
- Install Windows on
- Turn off
- Install Python 3.6
- Set to the IP address described in
- Copy and run xmlrpc_server.py (recommended: run the script as Administrator)
- Make a snapshot
$ cd frontend/
$ npm install
$ npm run generate
$ sudo mkdir -p /usr/share/nginx/tknk/
$ sudo cp -rf dist/* /usr/share/nginx/tknk/
$ cd ../
$ sudo cp -f tknk-scanner.nginx.conf /etc/nginx/sites-available/default
$ sudo systemctl restart nginx
$ cd tknk_scanner/
$ ./tknk.py
In another terminal:
$ cd tknk_scanner/
$ rq worker
Upload the file to be scanned.
Sets the delay before the dump tools start running. The default is 120 seconds.
Dumps the newly created process while it is running, using procdump.
tknk_scanner is open-source software licensed under the MIT License.