vsbca/malware-analysis

Jayesh Patel (jay.net.in@gmail.com)

This Malware Analysis project is a research project written in Python that automatically investigates any submitted file and generates a report stating whether the file is malware or clean. It is a client/server application: using the client application you submit a file to the server and get back the results and a report. The project uses many open source tools, and we also developed some parsers for analysing malware files. It covers both static analysis and dynamic analysis. In static analysis we use our parsers and open source tools to analyse the file. In dynamic analysis we run the file in a virtual operating system, take a memory dump, and analyse that dump to find malware activity.

The following applications are used in this project.

Application :

  1. Python

  2. Celery: Celery is a task queue built on an asynchronous message passing system. It can be used as a bucket into which programming tasks are dumped. The program that passed the task can continue to execute and stay responsive, and later poll Celery to see whether the computation is complete and retrieve the data.

  3. RabbitMQ: RabbitMQ is message-queueing software, also called a message broker or queue manager. Simply put, it is software in which queues can be defined; applications connect to a queue and transfer messages onto it.

  4. Redis: Redis is a lightweight database.

  5. VirtualBox: VirtualBox provides the virtual environment in which the guest operating systems (Windows and Linux) run.

Requirement :

-> Ubuntu 14.04
-> RAM 4 to 8 GB (depends on how many virtual instances are running)
-> HDD 1 TB (depends on the number of virtual instances)

Installation :

  1. Download the source archive “malware-analysis.tar.gz”
  2. Extract the source: “tar -xvf malware-analysis.tar.gz”
  3. cd malware-analysis

Open the “INSTALL.txt” file and follow the installation steps.

Malware Analysis Operation on Server/Client Side :

This Malware Analysis module is a client/server application. We start the server on the server system with the following commands and use the client Python script to submit a file to the server; the client script can be used on any platform. When we submit a file using the client script, the server starts the analysis (static / dynamic) and returns the result as one of the numbers “3”, “2” or “1”, and also sends a report file in “filename.json” format. (Note: in the result, 3 = Malware, 2 = Suspicious, 1 = Clean.)

-> In Server :

  1. Start the Celery task module
  2. python server_file.py (for the File Analysis server)
     python server_mac.py (for the MAC based analysis server)
  3. /etc/init.d/apache2 start

There are two server types: the file analysis server and the MAC analysis server. Each server has its own client. To the file analysis server we submit a file, and to the MAC analysis server we submit a MAC address.

Open the following URL to check the detailed reports of all submitted files:

http://server-ip/

Now the server is ready for requests.

-> In Client :

Upload a file using the following client script with the required arguments.

python static_client_file.py 192.168.1.32 60001 sample.pdf XP

Argument Details :

python static_client_file.py -h

usage: static_client_file.py [-h] sip port file_name source_type

positional arguments:
  sip          Enter File IP Address
  port         Enter Port Number
  file_name    Enter File Name
  source_type  Enter Source Type (Which type of OS use used XP/Linux/WIN7)

Here the client uploads the file and waits for the result.

In the result, the server sends a value: 3 means malware, 1 means clean, and 2 means suspicious. The server also sends a JSON format report file named after the submitted file. The report file is available in the same directory where you ran the client command.
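As an added illustration of the submit/verdict exchange described above (this is not code from the vsbca/malware-analysis project), the following Python client sends a file with the same four arguments as static_client_file.py, accepts only the three documented result codes, and writes the JSON report beside the client. The wire framing (a JSON header line followed by the file bytes, and a JSON reply line), the stub server, and the report name "<file>.json" are assumptions; the real server_file.py protocol is not documented in this README.

```python
import json
import os
import socket
import threading

VERDICTS = {3: "malware", 2: "suspicious", 1: "clean"}  # result codes from the README
SOURCE_TYPES = ("XP", "Linux", "WIN7")  # OS types listed by static_client_file.py -h


def submit_file(sip, port, file_name, source_type, out_dir="."):
    """Send a file to the analysis server and return (verdict_label, report_path).

    Assumed framing (not documented by the project): one JSON header line with
    file_name/source_type/size, then the raw file bytes; the server answers with
    one JSON line {"result": <1|2|3>, "report": {...}}.
    """
    if source_type not in SOURCE_TYPES:
        raise ValueError("source_type must be one of %s" % (SOURCE_TYPES,))
    with open(file_name, "rb") as fh:
        data = fh.read()
    header = {"file_name": os.path.basename(file_name),
              "source_type": source_type, "size": len(data)}
    with socket.create_connection((sip, port), timeout=30) as sock:
        sock.sendall((json.dumps(header) + "\n").encode() + data)
        reply = sock.makefile("rb").readline()
    answer = json.loads(reply)
    code = answer.get("result")
    if code not in VERDICTS:  # refuse anything but the three documented codes
        raise ValueError("unexpected result code %r" % (code,))
    # The report lands beside the client, named after the submitted file (assumed <name>.json).
    report_path = os.path.join(out_dir, header["file_name"] + ".json")
    with open(report_path, "w") as fh:
        json.dump(answer.get("report", {}), fh, indent=2)
    return VERDICTS[code], report_path


def stub_server(verdict_code, host="127.0.0.1"):
    """Constructed stand-in for server_file.py so the client runs offline.
    Binds a free port, serves exactly one request in a background thread, returns the port."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            f = conn.makefile("rb")
            header = json.loads(f.readline())
            body = f.read(header["size"])  # read exactly the announced file length
            report = {"file_name": header["file_name"], "os": header["source_type"],
                      "size": len(body), "result": verdict_code}
            conn.sendall((json.dumps({"result": verdict_code, "report": report}) + "\n").encode())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```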
