I’ve been reading the Malware Analyst’s Cookbook for the past few days, and the programming recipes in the book inspired me to create an integrated malware analysis framework. I’ve created a bare-bones version of it and intend to add more functionality. My intention was to create a program that lets an analyst obtain all the information about a file on one screen instead of running multiple tools and pooling the data. As of now only static analysis and signature generation for Yara and ClamAV are implemented. I hope to add dynamic analysis and some disassembly functionality later on.
You can get PyTriage from:
There are some dependencies that you will need to satisfy first: simplejson, python-magic and pefile.
For simplejson, refer to my earlier post. python-magic can be installed with:
sudo apt-get install python-magic
and pefile can be obtained by:
sudo pip install pefile
Once the script’s requirements are satisfied, you will also want ClamAV and Yara installed so you can try out the signatures that the application generates automatically:
sudo apt-get install clamav
Yara can be downloaded from https://code.google.com/p/yara-project/.
The program has a curses GUI and can be launched by typing:
The initial screen that you get should look something like this:
and then O.
A listing of the files in the current folder will appear. Type the number of the file that you want to analyse and press Enter.
To see a basic overview of the file’s properties, press I. The Info tab will open up:
As you can see, it shows important information such as the MD5 and SHA1 hashes of the file, the sections present in the PE along with their hashes and sizes, and the type of file.
The imported DLLs as well as the exported functions can be seen by pressing A. This switches over to the Advanced tab, showing:
The program can submit the file’s hashes to VirusTotal and check if it’s malicious. To use this, press S. The script will switch to the Submit tab. You have to wait a few seconds while it queries the VirusTotal database. Since I was using the Stuxnet sample, the following will be the result.
Now that we know the file is malicious, we can generate signatures for it in the Generate tab. Press G:
PyTriage will allow you to generate signatures for Yara and ClamAV. To generate a Yara signature, press Y; for ClamAV, press C.
The ClamAV signature will be written to clam.hdb and the Yara signature to sig.yara.
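To show what the Info and Generate tabs compute, here is an added stand-alone example (my own code, not PyTriage’s): it hashes a file, walks the PE section table by hand in place of pefile, and emits a ClamAV .hdb entry plus a Yara rule keyed to the file’s MD5 through Yara’s hash module. The malware name, rule name and the PE-shaped sample blob are placeholders I constructed; the page does not say what form PyTriage’s own sig.yara takes.

```python
import hashlib
import struct

def file_hashes(data):
    """MD5 and SHA1 of the whole file, as shown in the Info tab."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def pe_sections(data):
    """Walk the PE section table: name, raw size and MD5 of each section ([] if not PE-shaped)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # section headers follow the optional header
    out = []
    for i in range(nsec):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        if len(hdr) < 40:
            break                           # truncated section table
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        raw = data[raw_ptr:raw_ptr + raw_size]
        out.append({"name": name, "size": raw_size, "md5": hashlib.md5(raw).hexdigest()})
    return out

def clam_hdb_line(data, name):
    """ClamAV .hdb entry: MD5:FileSize:MalwareName."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)

def yara_rule(data, rule_name):
    """Yara rule that matches the whole-file MD5 through Yara's hash module."""
    return ('import "hash"\nrule %s {\n    condition:\n        hash.md5(0, filesize) == "%s"\n}'
            % (rule_name, hashlib.md5(data).hexdigest()))

def build_sample_pe():
    """Constructed PE-shaped blob (not a runnable program): one 16-byte .text section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)    # 1 section, no optional header
    raw_ptr = 0x40 + 24 + 40                                                    # section data follows the headers
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 16, 0x1000, 16, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + b"\x90" * 16

if __name__ == "__main__":
    sample = build_sample_pe()
    print(file_hashes(sample), pe_sections(sample))
    print(clam_hdb_line(sample, "PyTriage.Sample"), yara_rule(sample, "pytriage_sample"), sep="\n")
```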