Skip to content
/ malzoo_serverless Public

Serverless implementation of the Malzoo static malware analyzer

License

Apache-2.0 license
1 star 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nheijmans/malzoo_serverless

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
distributor
distributor
 
 
doc_worker
doc_worker
 
 
exe_worker
exe_worker
 
 
images
images
 
 
layers
layers
 
 
other_worker
other_worker
 
 
return_analysis
return_analysis
 
 
yara_worker
yara_worker
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
automate.sh
automate.sh
 
 
sample_put.json
sample_put.json
 
 
template.yaml
template.yaml
 
 

Repository files navigation

Malzoo Serverless

Overview

Serverless implementation of the Malzoo static file analyzer project

The goal is to have a deployment-ready application template for mass static file analysis that everyone can use. The architecture is kept simple and similar to the original Malzoo project, with a distributor and workers dedicated to a certain filetype.

Malzoo Architecture

Getting started

Prerequisites

  • AWS SAM installed
  • AWS CLI configured
  • Role in AWS can create IAM roles
  • ECR repository created
  • Docker installed

Preparation and deployment

1 First create a ECR repository in AWS in case you don't have that

aws ecr create-repository --repository-name malzoo \
--image-tag-mutability IMMUTABLE --image-scanning-configuration scanOnPush=true

2 To deploy the serverless stack in your own AWS account, clone this repository and enter the folder. In the repository folder, build Malzoo Serverless locally with SAM

sam build --use-container --skip-pull-image --parallel

3 Deploy the stack, use --guided on the first time.

sam deploy --guided

Using Malzoo Serverless

Now we have Malzoo deployed, lets submit a sample to it. You will need to know the AWS account number (ARN), because this is used in the S3 bucketname. To submit a sample for analysis, simply copy or move the binary to the buckets root. Check the buckets name or copy the command below and replace YOURAWSACCOUNTARN with your ARN.

aws s3 cp binary.exe s3://malzoo-serverless-v1-YOURAWSACCOUNTARN-malware

To submit a sample for analysis with tag, copy or move the binary to the bucket with a subfolder (the subfolder becomes the label/tag in the DB)

aws s3 cp binary.exe s3://malzoo-serverless-v1-YOURAWSACCOUNTARN-malware/case-123/

To submit a folder of samples, use the following example command

cd malware_folder/

# Submission without tag
aws s3 cp --recursive * s3://malzoo-serverless-v1-YOURAWSACCOUNTARN-malware/

# Submission with tag
aws s3 cp --recursive * s3://malzoo-serverless-v1-YOURAWSACCOUNTARN-malware/case-234/

Submissions can also be done obviously via other ways, as long as you copy the binary to analyze, to the S3 bucket.

Getting analysis results is easy with the deployed API gateway, which you can find via the AWS console, or via the output when the stack is deployed with AWS SAM. With curl, getting a result is easy. Replace APIGWID, REGION, MD5HASH with the values that correlate with your environment and the sample you want to get the data from.

curl -X GET https://APIGWID.execute-api.REGION.amazonaws.com/analysis/results/MD5HASH

Credits

Thanks at @marekq for working together on the SAM deployment template!

Contribute

If you have a cool feature build for one of the workers or a new worker, feel free to submit a PR! Please include a good description on what is been added and how it benefits the platform :)

About

Serverless implementation of the Malzoo static malware analyzer

Topics

aws serverless malware malware-research aws-sam

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 2

  •  
  •  

Languages