In three words, MalwareHunter is a malware analysis application. What does that mean? It simply means that you can throw any suspicious file at it and it will give you back some static information as well as a detailed report outlining what the file did when executed inside an isolated environment.
- Install the latest version of VirtualBox
$ sudo apt-get install virtualbox virtualbox-guest-additions
- Create a VM running Windows, named 'winxp'
- Create a read-only shared folder (you can also do this from the VirtualBox GUI).
$ VBoxManage sharedfolder add "winxp" \
--name "malware" \
--hostpath "/Users/<user>/Desktop/vbox/malware" \
--readonly
- Map the shared folder to a drive: log on to the VM and add a persistent mapping that associates the shared folder with a drive letter.
C:\> net use X: \\vboxsvr\malware /PERSISTENT:YES
- Take a snapshot
$ VBoxManage snapshot "winxp" take "cleanimg"
- Install Volatility
$ svn checkout http://volatility.googlecode.com/svn/trunk Volatility
- Install Snort, Inetsim and tshark
$ apt-get install snort inetsim tshark
$ git clone https://github.com/abdesslem/malwareHunter.git
$ cd malwareHunter
- Run the tool from the command line (main.py) or as a web application (mainGui.py)
$ python main.py
$ python mainGui.py
The purpose of the malwareHunter is to determine:
- Static information (packers, strings, URLs, ...)
- The nature and purpose of the malware
- Interaction with file system
- Interaction with the registry
- Interaction with the network
And these functionalities are achieved as follows:
- Takes a sample as input
- Performs static analysis
- Reverts the VM to the clean snapshot
- Starts the VM
- Transfers the malware to the VM
- Runs the monitoring tools
- Executes the malware for the specified time
- Stops the monitoring tools
- Suspends the VM
- Acquires the memory image
- Performs memory analysis using the Volatility framework
- Stores the results (final reports, pcaps and malicious artifacts for later analysis)
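The VM side of that loop, written out as a hypothetical orchestrator. This is an added example and not malwareHunter's own code; it assumes the VM "winxp" has a snapshot "cleanimg" taken with the guest additions running, that the read-only shared folder is mapped to X: in the guest as set up above, that the host-only interface is vboxnet0, that VBoxManage accepts the "guestcontrol ... start" syntax of VirtualBox 5.x and later, and that the guest credentials, output directory and runtime are placeholders you replace. The plan is built separately from its execution so it can be reviewed or dry-run without a hypervisor.

```python
# Added example (not malwareHunter's code): hypothetical VBoxManage orchestrator for the
# dynamic-analysis loop described above. VM name, snapshot, drive letter, interface,
# credentials and guestcontrol syntax are assumptions documented in the lead-in.
import shutil
import subprocess
import time
from pathlib import Path


def build_plan(vm, snapshot, guest_sample, memdump, pcap, iface, user, password, runtime):
    """Return the workflow as ordered (description, kind, payload) steps.

    kind is "vbox" (a VBoxManage argv), "monitor_start" / "monitor_stop" (a tshark
    capture on the host side) or "wait" (seconds to let the sample run).
    """
    return [
        ("revert VM to clean snapshot", "vbox", ["VBoxManage", "snapshot", vm, "restore", snapshot]),
        ("start VM", "vbox", ["VBoxManage", "startvm", vm, "--type", "headless"]),
        ("start network monitoring", "monitor_start", ["tshark", "-i", iface, "-w", pcap]),
        ("execute sample in guest", "vbox", ["VBoxManage", "guestcontrol", vm, "start",
                                              "--username", user, "--password", password,
                                              "--exe", guest_sample]),
        ("let the sample run", "wait", runtime),
        ("stop network monitoring", "monitor_stop", None),
        ("suspend VM", "vbox", ["VBoxManage", "controlvm", vm, "pause"]),
        ("acquire memory image", "vbox", ["VBoxManage", "debugvm", vm, "dumpvmcore",
                                           "--filename", memdump]),
        ("power off VM", "vbox", ["VBoxManage", "controlvm", vm, "poweroff"]),
    ]


def run_sandbox(sample, shared_dir, out_dir, vm="winxp", snapshot="cleanimg", drive="X:",
                runtime=60, iface="vboxnet0", user="Administrator", password="",
                run=subprocess.run, popen=subprocess.Popen, sleep=time.sleep, copy=shutil.copy):
    """Execute the plan. run/popen/sleep/copy are injectable so the loop can be dry-run."""
    sample = Path(sample)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    # Transfer: the guest already sees the read-only shared folder as X:, so placing the
    # file in the host directory is the whole transfer step (the guest cannot alter it).
    copy(sample, Path(shared_dir) / sample.name)
    guest_sample = f"{drive}\\{sample.name}"
    memdump = str(out / f"{sample.stem}.elf")   # VirtualBox writes an ELF core dump
    pcap = str(out / f"{sample.stem}.pcap")
    done, capture = [], None
    for desc, kind, payload in build_plan(vm, snapshot, guest_sample, memdump, pcap,
                                          iface, user, password, runtime):
        if kind == "vbox":
            run(payload, check=True)
        elif kind == "monitor_start":
            capture = popen(payload)
        elif kind == "monitor_stop" and capture is not None:
            capture.terminate()
            capture.wait()
        elif kind == "wait":
            sleep(payload)
        done.append(desc)
    # Volatility 2 reads VirtualBox core dumps directly; the profile must match the guest
    # (WinXPSP2x86 is assumed here for the 'winxp' VM).
    volatility = ["vol.py", "-f", memdump, "--profile=WinXPSP2x86", "pslist"]
    return {"steps": done, "memdump": memdump, "pcap": pcap, "volatility": volatility}


if __name__ == "__main__":
    import sys
    # usage: python orchestrate.py <sample> <host shared folder dir>
    print(run_sandbox(sys.argv[1], sys.argv[2], "results"))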
To get some information about the file, such as URLs, strings, packers, anti-debug tricks, etc., we used the peframe modules. This directory contains the code responsible for the static analysis.
The project's web interface is built with Bottle. Bottle is a fast, simple and lightweight WSGI micro web-framework for Python. It is distributed as a single file module and has no dependencies other than the Python Standard Library.
To be able to collect valuable data, it's important to run the sample in an isolated environment and automate the process of dynamic analysis.
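A small static triage routine in the spirit of the peframe checks just mentioned, added here as an example; it is neither malwareHunter's nor peframe's code. It walks the DOS and PE headers to list section names, guesses a UPX packer from those names, and pulls printable strings, URLs and well-known anti-debug API names out of the file. The sample PE buffer it builds is constructed for the example and is not a real executable; the anti-debug API list is an assumed, deliberately short one.

```python
# Added example (not malwareHunter's or peframe's code): minimal static triage of a PE
# file. build_sample_pe() constructs a fake buffer so the example runs offline.
import re
import struct

# Assumed short list of APIs commonly consulted when looking for anti-debug behaviour.
ANTI_DEBUG_APIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess", "OutputDebugStringA",
}


def build_sample_pe():
    """Constructed buffer: DOS header, PE signature, COFF header, two UPX sections, strings."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature starts at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here, so sections follow directly), Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in (b"UPX0", b"UPX1"))
    body = (b"\0\0http://example.invalid/payload.exe\0IsDebuggerPresent\0"
            b"kernel32.dll\0ab\0\x01\x02")
    return bytes(dos) + b"PE\0\0" + coff + sections + body


def section_names(data):
    """Follow DOS header -> PE signature -> COFF header -> section table; return names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    table = coff_off + 20 + opt_size            # section headers are 40 bytes each
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def printable_strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like the classic 'strings' tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def static_report(data):
    sections = section_names(data)
    strings = printable_strings(data)
    return {
        "sections": sections,
        # UPX names its sections UPX0/UPX1; a guess from names alone is only a heuristic
        "packer": "UPX" if any(n.startswith("UPX") for n in sections) else None,
        "strings": strings,
        "urls": [u.decode("ascii") for u in re.findall(rb"https?://[^\s\"'<>\x00]+", data)],
        "anti_debug": sorted(ANTI_DEBUG_APIS.intersection(strings)),
    }


if __name__ == "__main__":
    for key, value in static_report(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real file, read it in binary mode and pass the bytes to static_report(); the ValueError paths cover inputs that are not PE files at all, which a sandbox front end should reject before spending a VM run on them.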