Threat intelligence framework for extracting artifacts and IoCs from a file or dump into a readable format
- putty-clean
- Linux-Xorddos
- Android-BrazilianRAT
- Android-Ransom
- macOS-DMG-BundloreAdware
- Windows-GoziBankerISFB
- PDF-TrojanDownloader
- PCAP-dump
- Office-JSDropper
- RTF-Downloader
- EMAIL-Shademalspam
- Runs locally (offline)
- Analyze a buffer, a file or a full folder
- In-time analysis (session is saved)
- 2 modes (interactive and silent)
- Generates HTML or JSON as output
- Dump output file with details to MongoDB
- Save raw JSON result to MongoDB
- Basic file information: MD5, charset, MIME type, ssdeep
- Different string/pattern analysis methods
- Natural-language (English) word detection
- OCR word detection
- IP hints and country descriptions
- Port hints
- World IP map image and flags
- DNS server descriptions (top servers)
- Website similarity detection (top 10000)
- Artifacts force-directed image
- Cross-references force-directed image and table
- MITRE ATT&CK tools and pattern detection (could be FP)
- Similarity image divided into classes
- YARA module and YARA rules included
- YARA module includes conditions
- URL/EMAIL/TEL/Tags pattern extraction
- Credit card pattern extraction
- Credential pattern extraction
- Encryption pattern (base64, md5, sha1, ...) extraction
- DGA (Domain Generation Algorithm) pattern extraction
- BOM (Byte Order Mark) detection
- URL shortener extraction
- ASCII extraction from UNICODE
- Whitelist implemented (Windows 7, 8 and 10 files)
- Check WAF and bypass proxy
- Free/fake email extraction
- Spelling and punctuation check
- Top phishing words included
- Linux (wrapper)
  - ELF information
  - API function descriptions
  - System command descriptions
  - Section descriptions
  - Library descriptions
  - Encrypted section detection
  - Symbols extraction
  - MITRE artifacts mapped to detection
  - Cross-references detection
  - Behavior detection
- macOS (wrapper)
  - DMG extraction
  - Shellcode detection
  - PLIST information
  - MITRE artifacts mapped to detection
  - macOS information
- Windows (wrapper)
  - PE information
  - Encrypted section detection
  - Section descriptions
  - DLL descriptions
  - Symbols extraction
  - Signature extraction and validation
  - API descriptions
  - PE ASLR, DEP, SEH and CFG detection
  - MITRE artifacts mapped to detection
  - API behavior detection (DLL injection, Process Hollowing, Process Doppelganging etc.)
  - Cross-references detection
  - Icon extraction
  - String file info extraction (FileDescription etc.)
- Android (wrapper)
  - APK information
  - DEX information
  - Manifest descriptions
  - Intent descriptions
  - Resources extraction
  - Symbols extraction
  - Classes extraction
  - Big function identification
  - Cross-references detection
  - API behavior detection
- iPhone (built-in)
  - IPA information
- BlackBerry (COD) (built-in)
  - COD information
  - Functions extraction
  - Strings extraction
- PCAP (wrapper)
  - Frame filter
  - HTTP filter
  - DNS filter
  - ARP filter
  - WAF detection
  - DGA detection
- PDF (built-in)
  - Objects enumeration
  - Keys (javascript, js, OpenAction) extraction
  - Streams parsing
  - String analysis
- Office (built-in and wrapper)
  - Meta info extraction
  - Hyperlinks and target links extraction
  - Bin printable parser
  - Text extraction
  - DDE extraction
  - Macros extraction
- MS (built-in and wrapper)
  - Number of objects
  - Object extraction
  - Macros extraction
- EMAIL (built-in)
  - Header information
  - Attachment extraction and parsing
  - Phishing patterns check
- Archives (wrapper)
  - Extract MIME types and guess by extensions
  - Finding patterns in all unpacked files
  - Encrypted archives detection
- HTML (wrapper)
  - Extract scripts, iframes, links and forms
  - Decode/analyze links
  - Script entropy
- Testing or researching only
- Track tasks by uuid
- https (auto-generated self-signed certificate)
- Dump JSON or HTML from the MongoDB database
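As an added illustration of the string/pattern analysis features listed above (BOM detection, ASCII extraction from UNICODE, hash pattern extraction and URL/URL shortener extraction), the following minimal extractor is example code written for this page, not the project's own modules; the shortener list and the sample buffer are constructed for the example.

```python
import re
from typing import Dict, List

# Byte Order Mark signatures, longest first so UTF-32LE is not reported as UTF-16LE.
BOMS = [(b"\xff\xfe\x00\x00", "UTF-32LE"), (b"\xef\xbb\xbf", "UTF-8"),
        (b"\xff\xfe", "UTF-16LE"), (b"\xfe\xff", "UTF-16BE")]
# Constructed shortener list standing in for the tool's own (not taken from the project).
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")
# Hex runs of 32-64 chars bounded by non-hex characters; the length decides md5/sha1/sha256.
HEX_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{32,64}(?![0-9a-fA-F])")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def detect_bom(buf: bytes) -> str:
    for sig, name in BOMS:
        if buf.startswith(sig):
            return name
    return "none"


def wide_to_ascii(buf: bytes, min_len: int = 4) -> List[str]:
    """Recover printable ASCII stored as UTF-16LE (each char followed by 0x00)."""
    return [r.decode("utf-16-le") for r in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf)]


def extract_hashes(text: bytes) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {"md5": [], "sha1": [], "sha256": []}
    for m in HEX_RE.findall(text):
        kind = HASH_LENGTHS.get(len(m))
        if kind:  # skip hex runs of other lengths (e.g. a 48-char run)
            out[kind].append(m.decode())
    return out


def extract_urls(text: bytes) -> Dict[str, List[str]]:
    urls, short = [], []
    for m in URL_RE.findall(text):
        url = m.decode()
        urls.append(url)
        if url.split("/")[2].lower() in SHORTENERS:
            short.append(url)
    return {"urls": urls, "shorteners": short}


def analyze(buf: bytes) -> dict:
    # Scan the raw bytes plus the text recovered from wide strings, so UTF-16 URLs are found too.
    wide = wide_to_ascii(buf)
    text = buf + b"\n" + "\n".join(wide).encode()
    return {"bom": detect_bom(buf), "wide_strings": wide,
            "hashes": extract_hashes(text), **extract_urls(text)}


# Constructed sample: UTF-16LE BOM, a wide-string shortener URL, an ASCII SHA-1 and a plain URL.
SAMPLE = (b"\xff\xfe" + "http://bit.ly/xyz12".encode("utf-16-le") + b"\x00\x00"
          + b"cfg sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709 from https://example.com/update.bin")
```

Calling analyze(SAMPLE) reports the UTF-16LE BOM, the recovered wide string, the SHA-1 and both URLs, with the bit.ly one also listed under shorteners.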
- Reduce file I/O
- PDF module
- RTF module
- Fix htmlmaker (return concat(self.root_render_func(self.new_context(vars))) MemoryError) due to rendering large objects. This happened because the YARA module appended too many results, which caused htmlmaker to hang; solved by grouping the YARA results into one
- HTML module
- Refactoring modules v2
- Converting some YARA rules into individual modules (requested by users)
- Whitelist (requested by users)
- Switching to MongoDB (requested by users)
- Phishing module
- Web service and API
- Web interface (requested by users)
- Curling some TIPs (requested by users)
- MS Office module
- Web detection
- Machine learning modules (maybe commercial)
apt-get install -y python3 python3-pip curl libfuzzy-dev yara libmagic-dev libjansson-dev libssl-dev libffi-dev tesseract-ocr libtesseract-dev libssl-dev swig p7zip-full radare2 dmg2img mongodb
pip3 install pyelftools macholib python-magic nltk Pillow jinja2 ssdeep pefile scapy r2pipe pytesseract M2Crypto requests tld tldextract bs4 psutil pymongo flask pyOpenSSL oletools
git clone https://github.com/qeeqbox/analyzer.git
cd analyzer
docker-compose up --build
Then open https://127.0.0.1:8000/login/

git clone https://github.com/qeeqbox/analyzer.git
cd analyzer
chmod +x initdb.sh
chmod +x install.sh
./install.sh ubuntu
service mongodb start
./initdb.sh
cd ..
python3 -m analyzer.cli --interactive --local
If you are interested in adopting some features in your project, please mention this source somewhere in your project.
Linux, macOS, Windows and Android documentation, software77, MITRE ATT&CK™, sc0ty, hexacorn, PEiD, Cisco Umbrella and tons of research (if I missed a resource or dependency, please let me know!)
- This project is NOT an anti-malware project and does not quarantine or delete malicious files
- Prerequisite packages are required for some modules (if you are having issues using those packages, I might be able to share my own alternatives, which I developed in the past in C#/C)