PyTriage

I’ve been reading the Malware Analyst’s Cookbook for the past few days and I got inspired by the programming recipes shown in the book to create an integrated malware analysis framework. I’ve created a bare-bones version of it and I intend to add more functionality to it. My intention was to create a program that would allow an analyst to obtain all the information about a file on one screen instead of using multiple tools and pooling the data. As of now only static analysis and signature generation for Yara and ClamAV are implemented. I hope to add dynamic analysis and some disassembly functionality later on.

You can get PyTriage from:

https://github.com/Sp3ctr3/PyTriage

There are some dependencies that you will need to satisfy first: simplejson, python-magic and pefile.

For simplejson refer to my earlier post. For python-magic:
sudo apt-get install python-magic

and pefile can be obtained by:
sudo pip install pefile

Once you have the requirements for the script satisfied, you might need to install clamAV and Yara for trying out the signatures that are automatically generated by the application:
sudo apt-get install clamav

Yara can be downloaded from https://code.google.com/p/yara-project/.

The program has a curses GUI and can be launched by typing:
python pytriage.py

The initial screen that you get should look something like this:

[Screenshot: pytriage1]

Each red letter is a hotkey. We have to choose a file first, so we press F:

[Screenshot: pytriage2]

and then O.

[Screenshot: pytriage3]

A listing of the files in the current folder will appear. Type the number of the file that you want to analyse and press Enter.

[Screenshot: pytriage4]

To see a basic overview of the file's properties press I. The Info tab will open up:

[Screenshot: pytriage5]

As you can see, it shows the key information: the MD5 and SHA1 hashes of the file, the sections present in the PE along with their hashes and sizes, and the type of file.

The imported DLLs and the exported functions can be seen by pressing A, which switches over to the Advanced tab:

[Screenshot: pytriage6]

The program can also submit the hashes of the file to VirusTotal and check whether it is known to be malicious. To use this, press S. The script will switch to the Submit tab. You have to wait a few seconds while it queries the VirusTotal database. Since I was using the Stuxnet sample, the following will be the result.

[Screenshot: pytriage7]

Now that we know the file is malicious, we can generate signatures for it in the Generate tab. Press G:

[Screenshot: pytriage8]

PyTriage will allow you to generate signatures for Yara and ClamAV. To generate a Yara signature press Y; for ClamAV press C.

The ClamAV signature will be written to clam.hdb and the Yara signature to sig.yara.
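The static checks and signature outputs described above, as an added Python example that is not PyTriage's own code: it parses the section table of a constructed minimal PE, hashes each section the way the Info tab reports them, and emits a ClamAV .hdb line (MD5:FileSize:MalwareName) plus a Yara rule keyed on the file's MD5. The hash-based Yara rule, the constructed sample and the family name are assumptions; the page does not show the exact contents PyTriage writes to sig.yara.

```python
import hashlib
import struct

def build_sample_pe():
    """Constructed sample: minimal PE image with two sections (parseable headers, not a program)."""
    text = b"\x90" * 16 + b"\xc3"
    data = b"hello triage\x00"
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, no optional header
    raw_off = 64 + 24 + 2 * 40                                   # first byte after the section table
    table = b""
    for name, blob in ((b".text", text), (b".data", data)):
        table += struct.pack("<8sIIIIIIHHI", name, len(blob), 0x1000, len(blob), raw_off, 0, 0, 0, 0, 0)
        raw_off += len(blob)
    return dos + coff + table + text + data

def pe_sections(buf):
    """Return [(name, raw_size, md5)] for each entry in the PE section table."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", buf, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", buf, table + i * 40)
        if raw_off + raw_size > len(buf):          # header points outside the file: truncated or malformed
            raise ValueError("section %r points outside the file" % name)
        digest = hashlib.md5(buf[raw_off:raw_off + raw_size]).hexdigest()
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), raw_size, digest))
    return sections

def triage(buf, family):
    """Static triage: file hashes, section hashes, ClamAV .hdb line and a Yara rule."""
    md5 = hashlib.md5(buf).hexdigest()
    hdb = "%s:%d:%s" % (md5, len(buf), family)     # ClamAV .hdb format: MD5:FileSize:MalwareName
    yara = ('import "hash"\n\nrule %s\n{\n    condition:\n'
            '        filesize == %d and hash.md5(0, filesize) == "%s"\n}\n' % (family, len(buf), md5))
    return {"md5": md5, "sha1": hashlib.sha1(buf).hexdigest(), "size": len(buf),
            "sections": pe_sections(buf), "hdb": hdb, "yara": yara}

if __name__ == "__main__":
    result = triage(build_sample_pe(), "Stuxnet_sample")   # hypothetical family name, constructed sample
    for name, size, digest in result["sections"]:
        print("%-8s %5d %s" % (name, size, digest))
    print(result["hdb"])
```

The bounds check on PointerToRawData is the part worth keeping: a malformed or truncated section table is common in samples, and hashing past the end of the buffer would silently produce wrong section hashes.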


Yashin Mehaboobe
