GitHub - TomYang9/analyzer: [Offline Threat Intelligence Analyzer] for extracting features, artifacts and IoCs from classified/unclassified Windows, Linux, Android, iPhone, Blackberry, macOS binaries, emails and more

Offline Threat Intelligence Analyzer for extracting features, artifacts and IoCs from data into readable and visualized format. This project was developed for analyzing classified data and training some AI locally without internet/external resources interaction

New Dark Interface

Output

APT-Malware JSON\HTML reports (+190 sample)

General Features

Runs locally (Offline)
Analyze buffer, file or full folder
Intime analysis (Session is saved)
2 modes (Interactive and silent)
Generates HTML or JSON as output
Dump output file with details to mongodb
Save raw json result to mongodb
Basic file information MD5, charset, mime, ssdeep
Different string/patterns analysis methods
NL English words detection
OCR words detection
IPS hints and countries description
Ports hints
World IPS world image and flags
DNS servers description (Top servers)
Websites similarity detection (Top 10000)
Artifacts force directed image
Cross references force directed image and table
MITRE att&ck tools and patterns detection (could be FP)
Similarity image divided to classes
YARA module and YARA rules included (Downloaded a copy from yara-rules-github)
YARA module includes conditions
Yara tags by index
URL/EMAIL/TEL/Tags patterns extraction
Credit Cards patterns extraction
Credential patterns extraction
Encryption patterns (base64, md5, sha1..) extraction
DGA (Domain Generation Algorithm) patterns extraction
BOM (Byte Order Mark) detection
URL shorteners extraction
ASCII extraction from UNICODE
Whitelist implemented (Windows7, 8 and 10 files)
Check WAF and bypass proxy
Free/Fake email extraction
Spelling and punctuation check
Top phishing words included
Snort support
Web interface
Supports threat intelligence platform feeds

Other Features

Linux (wrapper)
- ELF information
- API functions descriptions
- System commands descriptions
- Sections descriptions
- Lib descriptions
- Encrypted section detection
- Symbols extraction
- MITRE artifacts mapped to detection
- Cross references detection
- Behavior detection
macOS (wrapper)
- DMG extraction
- Shell code detection
- PLIST information
- MITRE artifacts mapped to detection
- macOS information
Windows (wrapper)
- PE information
- Encrypted section detection
- Sections descriptions
- DLL descriptions
- Symbols extraction
- Signature extraction and validation
- API descriptions
- PE ASLR, DEP, SEH and CFG detection
- MITRE artifacts mapped to detection
- API Behavior detection (DLL injection, Process Hollowing, Process Doppelganging etc..)
- Cross references detection
- Icon extraction
- Extract String file info (FileDescription, FileDescription etc..)
Android (wrapper)
- APK information
- DEX information
- Manifest descriptions
- Intent descriptions
- Resources extraction
- Symbols extraction
- Classes extraction
- Big functions identification
- Cross references detection
- API Behavior detection
IPhone (built-in)
- IPA information
BlackBerry (COD) (built-in)
- COD information
- Functions extraction
- Strings extraction
PCAP (wrapper)
- Frame filter
- HTTP filter
- DNS filter
- ARP filter
- WAF detection
- DGA detection
- Snort parsing
PDF (built-in)
- Objects enumeration
- Keys (javascript, js, OpenAction) extraction
- Streams parsing
- String analysis
Office (built-in and wrapper)
- Meta info extraction
- Hyper and target links extraction
- Bin printable parser
- Extract Text
- Extract DDE
- Macros extraction
OLE (wrapper)
- Number of objects
- Object extraction
- Macros extraction
EMAIL (built-in and wrapper)
- Header information
- Attachment extraction and parsing
- Extract body
- Phishing patterns check
Archives (wrapper)
- Extract mimes and guess by extensions
- Finding patterns in all unpacked files
- Encrypted archives detection
HTML (wrapper)
- Extract scripts, iframes, links and forms
- Decode/analyze links
- Script entropy
Online TIPs (Required tokens, Moving to different project)
- HybridAnalysis
- MalShare
- MetaDefender
- VirusTotal
- AlienVault
- PulseDive

Roadmap

☑ ~~Reduce file I/O~~
☑ ~~PDF module~~
☑ ~~RTF module~~
☑ Fix htmlmaker (return concat(self.root_render_func(self.new_context(vars))) MemoryError) due to rendering large objects.. this happened due to yara module appending too many results that caused htmlmaker to hang . Solved by grouping yara results into one
☑ ~~HTML module~~
☑ ~~Refactoring modules v2~~
☑ ~~Converting some yara rules into individual modules (Requested by users)~~
☑ ~~Whitelist (Requested by users)~~
☑ ~~Switching to mongodb (Requested by users)~~
☑ ~~Phishing module~~
☑ ~~Web service and API~~
☑ ~~Web interface (Requested by users)~~
☑ ~~Curling some TIPs (Requested by users)~~
☑ ~~MS office module~~
☑ ~~Snort wrapper (Requested by users)~~
☑ ~~Machine learning modules - Moving to different project~~
☑ ~~Offline multiscanner - Moving to different project~~
Java analysis (Requested by users)
Web detection
Adding username and password wrappers to databases
Adding more creds pattern (Requested by users)
CSS clean up

Running

One click auto-configure

git clone https://github.com/qeeqbox/analyzer.git
cd analyzer
chmod +x run.sh
./run.sh auto_configure

The project interface http://127.0.0.1:8000/login/ will open automatically after finishing the initialization process

Or, if you already have docker-compose

docker-compose -f docker-compose-dev.yml up --build

Then open http://127.0.0.1:8000/login/

Prerequisites

apt-get install -y python3 python3-pip curl libfuzzy-dev yara libmagic-dev libjansson-dev libssl-dev libffi-dev tesseract-ocr libtesseract-dev libssl-dev swig p7zip-full radare2 dmg2img mongodb redis

pip3 install pyelftools macholib python-magic nltk Pillow jinja2 ssdeep pefile scapy r2pipe pytesseract M2Crypto requests tld tldextract bs4 psutil pymongo flask pyOpenSSL oletools extract_msg

Prerequisites packages are required for some modules (If you are having issues using those packages, I might be able to share with you my own alternatives that I developed in the past in C#\C)

Resources

Linux documentation
MacOS documentation
Windows documentation
Android documentation
software77
MITRE ATT&CK™
sc0ty
hexacorn
PEID
cisco umbrella
yara rules community
TONS OF RESEARCHES.. (Please let me know if i missed a resource or dependency)

Other Licenses

By using this framework, you are accepting the license terms of each package listed below:

Disclaimer\Notes

Do not deploy without proper configuration
Setup some security group rules and remove default credentials
This project is NOT an anti malware project and does not quarantine or delete malicious files

Name		Name	Last commit message	Last commit date
Latest commit History 532 Commits
connections		connections
databases		databases
intell		intell
logger		logger
mics		mics
mitre		mitre
modules		modules
qbdetect		qbdetect
readme		readme
redisqueue		redisqueue
report		report
snort		snort
static		static
templates		templates
yara		yara
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
__init__.py		__init__.py
analyzer-Dockerfile		analyzer-Dockerfile
analyzer_.py		analyzer_.py
before_committing_to_github.sh		before_committing_to_github.sh
changes.md		changes.md
cli.py		cli.py
docker-compose-dev.yml		docker-compose-dev.yml
info		info
initdb.sh		initdb.sh
initializer.py		initializer.py
mongodb-Dockerfile		mongodb-Dockerfile
old-backup-yara-rules-github.zip		old-backup-yara-rules-github.zip
run.sh		run.sh
settings.py		settings.py
web.py		web.py
webinterface-Dockerfile		webinterface-Dockerfile

License

TomYang9/analyzer

Folders and files

Latest commit

History

Repository files navigation

New Dark Interface

Output

General Features

Other Features

Roadmap

Running

One click auto-configure

Or, if you already have docker-compose

Prerequisites

Resources

Other Licenses

Disclaimer\Notes

About

Resources

License

Stars

Watchers

Forks

Languages