Merge remote-tracking branch 'origin/master'
# Conflicts:
#	README.md
#	loki.py
Florian Roth committed Dec 10, 2016
2 parents 04c7cd0 + 57eb2b5 commit 11b4401
Showing 2 changed files with 43 additions and 0 deletions.
42 changes: 42 additions & 0 deletions README.md
Expand Up @@ -46,6 +46,48 @@ The Windows binary is compiled with PyInstaller 2.1 and should run as x86 applic

## Included IOCs

Loki currently includes the following IOCs:

- Equation Group Malware (Hashes, Yara Rules [by Kaspersky](http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) and [10 custom rules](http://pastebin.com/P0Fb9DPb) generated by us)
- Carbanak APT - [Kaspersky Report](http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) (Hashes, Filename IOCs - no service detection and Yara rules)
- Arid Viper APT - [Trendmicro](http://blog.trendmicro.com/trendlabs-security-intelligence/arid-viper-gaza-vs-israel-cyber-conflict/) (Hashes)
- Anthem APT Deep Panda Signatures (not officialy confirmed) (krebsonsecurity.com - see [Blog Post](http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/))
- Regin Malware (GCHQ / NSA / FiveEyes) (incl. Legspin and Hopscotch)
- Five Eyes QUERTY Malware (Regin Keylogger Module - see: [Kaspesky Report](https://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/))
- Skeleton Key Malware (other state-sponsored Malware) - Source: [Dell SecureWorks Counter Threat Unit(TM)](http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/)
- WoolenGoldfish - (SHA1 hashes, Yara rules) [Trendmicro Report](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-woolen-goldfish-when-kittens-go-phishing/)
- OpCleaver (Iranian APT campaign) - Source: [Cylance](http://www.cylance.com/operation-cleaver/)
- More than 180 hack tool Yara rules - Source: [APT Scanner THOR](http://www.bsk-consulting.de/apt-scanner-thor/)
- More than 600 web shell Yara rules - Source: [APT Scanner THOR](http://www.bsk-consulting.de/apt-scanner-thor/)
- Numerous suspicious file name regex signatures - Source: [APT Scanner THOR](http://www.bsk-consulting.de/apt-scanner-thor/)
- Much more ... (cannot update the list as fast as I include new signatures)

=======
### Download

You find precompiled versions of LOKI in the [releases](https://github.com/Neo23x0/loki/releases) section.

## How-To Run LOKI and Analyse the Reports

### Run

- Download the latest release from the [releases](https://github.com/Neo23x0/loki/releases) section
- Run it once to download and initialize the signature-base repository
- Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
- Right-click on loki.exe and select "Run as Administrator" or open a command line "cmd.exe" as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)

### Reports

- The resulting report will show a GREEN, YELLOW or RED result line.
- Please analyse the findings yourself by:
1. uploading non-confidential samples to Virustotal.com
2. Search the web for the filename
3. Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for "Equation Group")
4. Search the web for the MD5 hash of the sample
- Please report back false positives via the "Issues" section, which is accessible via the right sidebar (mention the false positive indicator like a hash and/or filename and the rule name that triggered)

## Included IOCs

Loki currently includes the following IOCs:

- Equation Group Malware (Hashes, Yara Rules [by Kaspersky](http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) and [10 custom rules](http://pastebin.com/P0Fb9DPb) generated by us)
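Review bot: the bare `=======` line between the "Much more ..." bullet and the `### Download` heading is a leftover merge-conflict marker that this merge commits into README.md, and the same hunk adds a second `## Included IOCs` heading with the identical intro sentence and the identical Equation Group bullet that already open the hunk, so the conflict resolution duplicated the section instead of merging it. Suggest dropping the `=======` line and one of the two `## Included IOCs` blocks so the README carries a single IOC list. Minor: "officialy" and "Kaspesky" in the bullet list are misspelled, and the QWERTY keylogger bullet spells it "QUERTY" while its link says "qwerty".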
1 change: 1 addition & 0 deletions loki.py
Expand Up @@ -23,6 +23,7 @@
DISCLAIMER - USE AT YOUR OWN RISK.
"""

__version__ = '0.18.1'

import os
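Review bot: the version bump to `__version__ = '0.18.1'` is the only change to loki.py in this merge and nothing in the merge records what changed, so the bump is not traceable from the repository; suggest pairing it with a release note or a line in the README's release section. Since the commit message lists loki.py as a conflicted file, it is also worth confirming that the resolved version string matches the one intended for the release, given that README.md on the same merge still carries an unresolved `=======` marker.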
