Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/lubyruffy/malware-catalog


https://github.com/lubyruffy/malware-catalog

Last synced: 2 months ago
JSON representation

Awesome Lists containing this project

README 

        



	Set of tools that is easy to use and modify



	this repo has:

		

		setup/ (for getting all your shitware files ready!)

			sfile.sh - generate hash for versioning file

			multi-sfile.sh - my multi-infile adaptation

			sd7z.sh - autoextract archives (use this after sfile)

			sha1dir.sh - sfile for directories



		exploits/ folder -

			source files for each exploit

				(file names are referenced in the exploit yaml entries)

			

		scripts/

			makeyaml.py - establish yaml for each of the provided variants

			test.py (main) - everything else

			y2j.py - convert yaml to json



			scripts/input/

				yara.txt - output from running yara against everything

				all the exploits.yml

				exploits.txt - each exploit name 

				mirai.txt - mirai variant names

				qbot.txt - qbot variant names

			scripts/output/

				examples/

					json output example

					exploits-by-variant and vice versa - populated structure output (just print the return values)



		yara/

			template.yar

			each rule file



	script details-

	### makeyaml.py

	contains the function for establishing YAML scaffolding - uses provided variant list (.txt, one name per line)



	### test.py - main

	load_exploits: heavy lifter - reads yaml entries for all exploits (currently being used as a single sequential file)



	Functions for auto-generating lists:

		Uses yara output to scrape exploit names and the bot variant whose directory they're appearing in to map out relationships.

		

		There are two structures:

	

			Key: Exploit name

			Value: List of bot variants that use it



				and



			Key: Variant name

			Value: List of exploits it uses



		These are used for generating other aspects of the structure, and I plan to use the (key:exploit/value:variants that use it) one

		to populate the used_by field throughout my exploit yaml entries - it is currently lacking.



	Establishing these tools means every aspect of this is automated - all you need to provide is a few text files to read names from

	This makes the whole thing easy to expand to any sort of file. All that would need to be written in is consideration for any new relevant fields



	Currently perfectly easy to dump yaml then convert directly to json.



	Flow:

		Run full set of yara rules recursively in parent bot directory. Use (quite robust) output as input for this script - it scrapes

		unique pairings of exploit and variant, mapping them accurately, and leaving you with a complete set of exploits-by-variant and variants-by-exploit

		

		Use YAML auto-scaffolding functionality w/ list of variant names to auto-generate yaml structure + designated fields for each variant

		

		run function to populate "exploits" field for each variant with whatever exploits are relevant to them (again, the inverse will work for populating exploits.yaml's "used_by" field)



		the outermost data structure can be dumped directly via yaml.dump(), and even passed right into the yaml to json function - 



		run just python3 test.py, w/ resources in place as intended, and you will have console output of accurate json for all of your variants (or exploits, or anything else you've constructed.)



	Todo:

	Handling for dicts/better handling of nested data. Haven't specialized it enough for all cases.



	Write a quick loop for splitting yaml or json entries into individual files w/ hashed or timestamped name

	

	Specify outstanding fields for YAML auto-scaffolding  (identify which variants have external creds or other stuff - easy to do w/ diff)



	Finish yara rules

	

	Replace yara.txt with new output from running complete set of rules

	

	Update any other word lists