DYSC

Docker YARA Signature Checker

Disclaimer

This is a research application that works on live malware, so use caution when running it.

We are not responsible for any damages that occur when using this program.

Installing

  1. Requires Python 3 and Docker
  2. Download and extract the zip, or git clone it to your testing environment
  3. Run python3 run.py build in the directory to build the scanner image

How to use

Run python3 run.py run <file> to start the scanner on the specified target. The target can be a local file path, a directory, or a URL.

Arguments:

-h, --help        Shows the argparse help menu
-p, --password    Password for password-protected archives
-l=, --level=     Control the level of information printed
                  One of {debug,info,quiet}
                  quiet prints only the JSON result object (no log lines), which makes it the mode to use when scripting around the tool

Examples

$ python3 run.py run https://secure.eicar.org/eicar.com --level=quiet
{"file": "eicar.com", "matches": ["EicarTest"]}
$ python3 run.py run '~/samples/l4j_pw.zip' -p infected
2023-04-12 03:32:59 11fbc6b3ec51 root[1] INFO Starting malware scanner
2023-04-12 03:32:59 11fbc6b3ec51 root[1] INFO Opening /app/mount/l4j_pw.zip
2023-04-12 03:32:59 11fbc6b3ec51 root[1] INFO Scanning /app/extracted/8abaa521a014cdbda2afe77042f21947b147197d274bf801de2df55b1e01c904.exe
2023-04-12 03:32:59 11fbc6b3ec51 root[1] INFO Scan complete
2023-04-12 03:32:59 11fbc6b3ec51 root[1] INFO Results:
{"file": "/app/extracted/8abaa521a014cdbda2afe77042f21947b147197d274bf801de2df55b1e01c904.exe", "matches": ["tellyouthepass_log4j"]}
$ python3 run.py run '~/samples/safe.txt' -l=debug
2023-04-12 03:35:18 850f84b7f94a root[1] INFO Starting malware scanner
2023-04-12 03:35:18 850f84b7f94a root[1] DEBUG Compiled rules
2023-04-12 03:35:18 850f84b7f94a root[1] DEBUG checking if /app/mount/safe.txt is an archive
2023-04-12 03:35:18 850f84b7f94a root[1] DEBUG txt
2023-04-12 03:35:18 850f84b7f94a root[1] INFO Scanning /app/mount/safe.txt
2023-04-12 03:35:18 850f84b7f94a root[1] INFO Scan complete
2023-04-12 03:35:18 850f84b7f94a root[1] INFO Results:
{"file": "/app/mount/safe.txt", "matches": []}
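The quiet mode above is what you want when driving DYSC from another script. The following wrapper is an added example and is not part of DYSC: it invokes run.py run once per file with --level=quiet, parses the {"file": ..., "matches": [...]} object that quiet mode prints, and reports hits versus clean files. It assumes run.py sits in the current directory and that the image has already been built with python3 run.py build; the sample output used for the parser is constructed from the examples on this page.

```python
"""Batch-scan files with DYSC and summarise the YARA matches.

Added example, not part of DYSC. Assumes run.py is in the current
directory and the scanner image is already built.
"""
import json
import subprocess
import sys
from pathlib import Path

# Assumed location of DYSC's runner; adjust if run.py lives elsewhere.
RUNNER = ["python3", "run.py", "run"]


def parse_quiet_output(text):
    """Return the result objects found in quiet-mode output.

    Quiet mode prints one JSON object per scan of the form
    {"file": "...", "matches": ["rule", ...]}. Lines that are not such
    an object (a stray warning, an empty line) are skipped so one odd
    line does not abort a whole batch.
    """
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "file" in obj and isinstance(obj.get("matches"), list):
            results.append({"file": obj["file"], "matches": list(obj["matches"])})
    return results


def summarise(results):
    """Split results into {file: sorted rule names} for hits and a sorted list of clean files."""
    hits = {r["file"]: sorted(r["matches"]) for r in results if r["matches"]}
    clean = sorted(r["file"] for r in results if not r["matches"])
    return hits, clean


def scan_path(path, password=None):
    """Run DYSC on one file or URL and return its parsed results.

    The scanner is invoked once per target so every invocation yields
    exactly one JSON object, as documented for --level=quiet. For archives
    DYSC reports the extracted member path, so the submitted path is kept
    alongside it under "source".
    """
    cmd = RUNNER + [str(path), "--level=quiet"]
    if password:
        cmd += ["-p", password]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    results = parse_quiet_output(proc.stdout)
    for r in results:
        r["source"] = str(path)
    return results


def scan_directory(directory, password=None):
    """Scan every regular file directly inside a directory."""
    results = []
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            results.extend(scan_path(p, password))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    archive_password = sys.argv[2] if len(sys.argv) > 2 else None
    hits, clean = summarise(scan_directory(target, archive_password))
    for f, rules in hits.items():
        print(f"HIT   {f}: {', '.join(rules)}")
    for f in clean:
        print(f"clean {f}")
    # Non-zero exit when anything matched, so the wrapper composes with CI or cron.
    sys.exit(1 if hits else 0)
```

Run it as python3 batch_scan.py ~/samples infected (the second argument is the archive password and is optional). Because each file is a separate scanner run, one malformed archive only loses that file's result rather than the whole batch.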

Notes

  • The runner copies the given sample into the Docker container and analyzes it there, so the sample is never opened or extracted directly on the host. Keep in mind that a container is a containment layer, not a full sandbox: it shares the host kernel, so run DYSC with its default, unprivileged configuration and do not add extra bind mounts or capabilities.
  • If you want to add or modify any rules, you will need to rebuild the image (python3 run.py build) for the change to take effect.

Credits