# Daily dose of malware

DDOM (Daily Dose of Malware) gathers malware samples and C&C indicators from open-source intelligence feeds. It can display the results, export them to a text file or download the malicious files themselves.

The aim is to keep the data as fresh as possible, so every feed is limited to samples dated within the last few days: Cymon returns its last ten records, Google only the first results page and Malc0de only its main page. The Malshare API is updated whenever a new sample appears.
## Installation

First clone this repo.

For Google dorks you need Selenium and pyvirtualdisplay:

```
pip install selenium
pip install pyvirtualdisplay
```

plus Mozilla's Geckodriver: https://github.com/mozilla/geckodriver/releases

All sources need BeautifulSoup:

```
pip install bs4
```
## Usage

You can run the tool with:

```
usage: ddom.py [-h] [-s [[...]]] [-cs [[...]]] [-d | -o | -e]

Daily dose of malware

optional arguments:
  -h, --help            show this help message and exit
  -s [ [ ...]], --source [ [ ...]]
                        source of feed. Allowed values are cymon, malshare, malcode, google
  -cs [ [ ...]], --cymonsource [ [ ...]]
                        Additional source for Cymon. Allowed values are vxvault,malcode,cct,ponyc2
  -d, --download        download malware
  -o, --output          print to console
  -e, --export          export to text file
```
### Display info from malcode and malshare

```
ddom.py -s malcode malshare --output
```

```
++++++++++++++++++++++++++++++++++++
Brought to you by Malc0de
https://twitter.com/malc0de
http://malc0de.com
++++++++++++++++++++++++++++++++++++
------------------
2018-01-10 aba2d86ed17f587eb6d57e6c75f64f05 xxx.xxx.xxx.xxx/Photo.scr
-----------------
2018-01-10 6c29b80a61ff5ca7f5d8db8b002e9631 xxx.xxx/32nP30h187Z
[...]
++++++++++++++++++++++++++++++++++++
Brought to you by Malshare
A free Malware repository providing researchers access to samples, malicous feeds, and Yara results.
http://malshare.com
++++++++++++++++++++++++++++++++++++
http://xxx.xxx/kjdfhg874
http://xxx.xxx/error/error/tc.exe
http://xxx.xxx/images/rn.php
http://xxx.xxx.xxx.xxx/bprocess.exe
http://xxx.xxx.xxx.xxx/64Kilences.exe
[..]
```
### Download files from vxvault and malcode

`--download` works for malshare, malcode and vxvault. It connects to the malicious hosts directly, so be careful.

```
ddom.py -s cymon -cs vxvault malcode --download
```

```
Cymon is the largest open tracker of malware, phishing, botnets, spam, and more. Brought to you by eSentire.
Downloading file http://xxx.xxx/rn.php
Downloaded malcode2018-01-13/rn.php
---------------------------
Downloading file http://xxx.xxx.xxx.xxx/32Kilences.exe
Downloaded malcode2018-01-13/32Kilences.exe
---------------------------
Downloading file http://xxx.xxx/dfjkgy7
Downloaded malcode2018-01-13/dfjkgy7
```

It creates a directory named `source + timestamp` (for example `malcode2018-01-13`) and downloads the malware into it.
### Export results from Google dorks

```
ddom.py -s google --export
```

```
++++++++++++++++++++++++++++++++++
Google dorks
++++++++++++++++++++++++++++++++++
Exported to google2018-01-13.txt
```

It creates a text file named `source + timestamp` (for example `google2018-01-13.txt`) with the results inside.
## Notes

- You are dealing with real malware, which may harm your computer badly. I'm not responsible for any damage caused. Be careful and think.
- For Google dorks, make sure you use the newest Firefox and Geckodriver. The tool simulates a browser, so it may sometimes fail because of Google's captcha. My advice is to disconnect and reconnect your VPN.
- To use Malshare you have to register and obtain an API key, then paste it into `modules/malshare.py` at line 21.
- If you know more public, open-source platforms for retrieving malware, let me know.
- If this script violates the terms of service of any service it uses, let me know and I will delete it.
- Not all of the Google dorks are perfect; you may encounter some false positives.
Do whatever you want with this tool.

If you want to help develop it or have an idea, let me know.