-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.txt
154 lines (113 loc) · 5.78 KB
/
README.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
## README.txt
## for MalProfile (version 1.0.0-beta)
CONTENTS OF THIS FILE
---------------------
(1) Introduction
(2) History
(3) Requirements
(4) Package Files
(5) Installation
(6) Configuration
(7) Usage
(8) License
(9) Maintainers
(1) INTRODUCTION
----------------
MalProfile is a set of tools to:
i. Fetch useful data from different sources include malware samples, suspicious IP/Domain being used, passive DNS records, md5 hash and save to a database at different time slot for behaviour and/or timeline analysis
ii. Present in Maltego the relationship of malware, current and passive domain/IP/Email/Telephone etc to get the origin of the source. And elaborate the relationship to get suspected IP/Domain for proactive prevention and detection.
(2) HISTORY
-----------
Please refer to CHANGELOG.txt
(3) REQUIREMENTS
----------------
i. Kali Linux 1.0.7 or later (for illustration purpose only, for advance users, just use the tool per your preference, in my case, I install it on my Mac)
ii. Maltego Edition 3.4.0 or later (If community version is used, only 12 records will be randomly displayed)
iii. Virustotal registration and API key
iv. Maltego Basic Python Library - https://www.paterva.com/web6/documentation/developer-local.php
(Other system with Python 2.7 and Maltego may work but never tried :) )
(4) PACKAGE FILES
-----------------
The following files are included in the MalProfile package.
MalProfile/MalProfile.py # MalProfile main script
MalProfile/MalProfile.ini # MalProfile configuration file
MalProfile/README.txt # this file
MalProfile/c2_PittyTiger # Sample database file (not included in the code email [email protected])
MalProfile/c2_Xsecu # Sample database file (not included in the code email [email protected])
MalProfile/Maltego/MyEntities.mtz # Maltego Input Entities
MalProfile/Maltego/* # Maltego Transform scripts, Refer to ReadMe/Transform_Readme for more info
MalProfile/Utils/* # Libraries and plugins for MalProfile
ReadMe/* # Documentation of MalProfile design and usage
Samples/* # Samples for demonstration (not included in the code email [email protected])
(5) INSTALLATION
----------------
MalProfile script:
1. unzip the MalProfile.zip to /Root/MalProfile
2. apt-get install python-setuptools
3. easy_install pip
4. pip install python-whois
5. pip install hashlib
6. pip install mechanize
7. pip install ConfigParser
8. pip install python-nmap
9. copy ./ReadMe/PyWhois/parser.py to /usr/local/lib/python2.7/dist-packages/whois/
10. unzip MaltegoTransform-Python and copy MaltegoTransform.py to MalProfile directory
(6) CONFIGURATION
-----------------
MalProfile script:
i. edit the MalProfile.ini file and fill in the DBNAME (Database file path) and VT_APIKEY (Virustotal API key)
ii. If you have an APT sample, put it in the ./files subdirectory (take risk to put unzipped APT sample here)
Maltego transforms (refer to screenshot for more details):
i. import the input entities MyEntities through manage -> import entities
ii. create transform sets through manage -> manage transform -> Transform Sets -> Create "MalProfile"
iii. create local transform for each Maltego Transform script,input entity base on package file description
iv. command fill in the full filename with path, working directory /root/MalProfile
v. create a new maltego graph, add a SampleDB object, change the properties to database filename and have fun! :)
(7) USAGE
---------
i. Change to directory /Root/MalProfile
ii. Run the script ./MalProfile.py
Usage: MalProfile.py [options]
Options:
-h, --help show this help message and exit
-i initialize c2 database [c2_dev.db]
-f FILENAME Provide a FILENAME of the sample to check
--md5=MD5 Provide a MD5 of the sample to check
-d DNS Provide a DNSNAME to check
-c rescanning c2 to update all subsequent tables
-o rescanning owner table to update all subsequent tables
-p rescanning passive tables to update ip table
-q rescanning ip table to update domains & whois tables
-r rescanning domains table to update passive_ip table
-s rescanning ip table to update passive_domains & passive_whois tables
-t rescanning and update domains table from malicious hostnames
from c2
-w rescanning and update domains table to update whois
-x rescanning and update whois table from passive_whois
Usage: MalProfile.py [options]
For different usage scenario:
1. Check db_ReadMe.txt to understand how to grab intelligence with different known sources
2. Check Transform_ReadMe to understand which Maltego Transform is available to analysis collected intelligence
3. Check Installation_ReadMe if you need help to setup MaltegoTransform (note: Community ver only display 12 items)
4. Check PittyTiger_ReadMe if you want to test a sample
(8) LICENSE
-----------
Copyright (C) 2014 Malware Domain Profiling Research Team
MalProfile is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 3 of the License, or (at your option) any later
version.
MalProfile is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program. If not, see <http://www.gnu.org/licenses/>.
(9) CONTRIBUTORS
----------------
Current contributors:
* Frankie Li
* Kenneth Tse
Date: 31st Jul 2014
-----------------
End of README.txt
-----------------