# Malice ShadowServer Hash Lookup Plugin

This repository contains a Dockerfile of the ShadowServer malice plugin `malice/shadow-server`.
## Installation

- Install Docker.
- Download the trusted build from the public DockerHub:

```shell
docker pull malice/shadow-server
```
## Usage

```shell
$ docker run --rm malice/shadow-server --help

Usage: shadow-server [OPTIONS] COMMAND [arg...]

Malice ShadowServer Hash Lookup Plugin

Version: v0.1.0, BuildTime: 20180902

Author:
  blacktop - <https://github.com/blacktop>

Options:
  --verbose, -V  verbose output
  --help, -h     show help
  --version, -v  print the version

Commands:
  web      Create a ShadowServer lookup web service
  lookup   Query ShadowServer for hash
  help     Shows a list of commands or help for one command

Run 'shadow-server COMMAND --help' for more information on a command.
```
```shell
$ docker run --rm malice/shadow-server lookup MD5|SHA1

NAME:
   shadow-server lookup - Query ShadowServer for hash

USAGE:
   shadow-server lookup [command options] MD5/SHA1 hash of file

OPTIONS:
   --elasticsearch value  elasticsearch url for Malice to store results [$MALICE_ELASTICSEARCH_URL]
   --post, -p             POST results to Malice webhook [$MALICE_ENDPOINT]
   --proxy, -x            proxy settings for Malice webhook endpoint [$MALICE_PROXY]
   --timeout value        malice plugin timeout (in seconds) (default: 10) [$MALICE_TIMEOUT]
   --table, -t            output as Markdown table
```

The `lookup` command writes its result to stdout and, with `--post`, POSTs it to the Malice results API webhook endpoint.
## Sample output

### sandbox JSON

```json
{
  "shadow-server": {
    "found": true,
    "sandbox": {
      "md5": "aca4aad254280d25e74c82d440b76f79",
      "sha1": "6fe80e56ad4de610304bab1675ce84d16ab6988e",
      "first_seen": "2010-06-15 03:09:41",
      "last_seen": "2010-06-15 03:09:41",
      "type": "exe",
      "ssdeep": "12288:gOqOB0v2eZJys73dOvXDpNjNe8NuMpX4aBaa48L/93zKnP6ppgg2HFZlxVPbZX:sOA2eZJ8NI8Nah8L/4PqmTVPlX",
      "antivirus": {
        "AVG7": "Downloader.Generic9.URM",
        "AntiVir": "WORM/VB.NVA",
        "Avast-Commercial": "Win32:Zbot-LRA",
        "Clam": "Trojan.Downloader-50691",
        "DrWeb": "Win32.HLLW.Autoruner.6014",
        "F-Prot6": "W32/Worm.BAOX",
        "F-Secure": "Worm:W32/Revois.gen!A",
        "G-Data": "Trojan.Generic.2609117",
        "Ikarus": "Trojan-Downloader.Win32.VB",
        "Kaspersky": "Trojan.Win32.Cosmu.nyl",
        "McAfee": "Generic",
        "NOD32": "Win32/AutoRun.VB.JP",
        "Norman": "Suspicious_Gen2.SKLJ",
        "Panda": "W32/OverDoom.A",
        "QuickHeal": "Worm.VB.at",
        "Sophos": "Troj/DwnLdr-HQY",
        "TrendMicro": "TROJ_DLOADR.SMM",
        "VBA32": "Trojan.VBO.011858",
        "Vexira": "Trojan.DL.VB.EEDT",
        "VirusBuster": "Worm.VB.FMYJ"
      }
    },
    "whitelist": null
  }
}
```
### whitelist JSON

```json
{
  "shadow-server": {
    "found": true,
    "sandbox": {
      "md5": "5e28284f9b5f9097640d58a73d38ad4c",
      "sha1": "7a90f8b051bc82cc9cadbcc9ba345ced02891a6c",
      "first_seen": "2009-07-24 02:09:53",
      "last_seen": "2009-07-24 02:09:53",
      "type": "exe",
      "ssdeep": "1536:bwOnbNQKLjWDyy1o5I0foMJUEbooPRrKKReFX3:RNQKPWDyDI0fFJltZrpReFX3",
      "antivirus": {}
    },
    "whitelist": {
      "application_type": "exe",
      "binary": "1",
      "bit": "32",
      "crc32": "877EA041",
      "description": "Notepad",
      "dirname": "c:\\WINDOWS\\system32",
      "filename": "notepad.exe",
      "filesize": "69120",
      "filetimestamp": "04/14/2008 12:00:00",
      "fileversion": "5.1.2600.5512",
      "language": "English",
      "language_code": "1033",
      "md5": "5E28284F9B5F9097640D58A73D38AD4C",
      "media_source": "http://www.microsoft.com/",
      "mfg_name": "Microsoft Corporation",
      "os_mfg": "Microsoft Corporation",
      "os_name": "Microsoft Windows XP Professional Service Pack 3 (build 2600)",
      "os_version": "5.1",
      "product_name": "Microsoft Windows Operating System",
      "product_version": "5.1.2600.5512",
      "reference": "os_patches_all",
      "sha1": "7A90F8B051BC82CC9CADBCC9BA345CED02891A6C",
      "sha256": "865F34FE7BA81E9622DDBDFC511547D190367BBF3DAD21CEB6DA3EEC621044F5",
      "sha512": "CB7218CFEA8813AE8C7ACF6F7511AECBEB9D697986E0EB8538065BF9E3E9C6CED9C29270EB677F5ACF08D2E94B21018D8C4A376AA646FA73CE831FC87D448934",
      "sig_timestamp": "04/14/2008 02:07:47",
      "sig_trustfile": "C:\\WINDOWS\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\NT5.CAT",
      "signer": "Microsoft Windows Component Publisher",
      "source": "AppInfo",
      "source_version": "1.8",
      "strongname_signed": "0",
      "trusted_signature": "1"
    }
  }
}
```
### Markdown table output (`--table`)

Found | Filename | Description | ProductName |
---|---|---|---|
true | notepad.exe | Notepad | Microsoft Windows Operating System |

- FirstSeen: 6/15/2010 3:09AM
- LastSeen: 6/15/2010 3:09AM

Vendor | Signature |
---|---|
F-Prot6 | W32/Worm.BAOX |
G-Data | Trojan.Generic.2609117 |
NOD32 | Win32/AutoRun.VB.JP |
Avast-Commercial | Win32:Zbot-LRA |
DrWeb | Win32.HLLW.Autoruner.6014 |
Norman | Suspicious_Gen2.SKLJ |
Panda | W32/OverDoom.A |
Vexira | Trojan.DL.VB.EEDT |
VirusBuster | Worm.VB.FMYJ |
AntiVir | WORM/VB.NVA |
Clam | Trojan.Downloader-50691 |
Ikarus | Trojan-Downloader.Win32.VB |
Kaspersky | Trojan.Win32.Cosmu.nyl |
QuickHeal | Worm.VB.at |
VBA32 | Trojan.VBO.011858 |
AVG7 | Downloader.Generic9.URM |
McAfee | Generic |
Sophos | Troj/DwnLdr-HQY |
TrendMicro | TROJ_DLOADR.SMM |
F-Secure | Worm:W32/Revois.gen!A |
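The JSON above and the `--table` rendering are what a caller of this plugin actually consumes. The following script is an added example and is not part of the malice/shadow-server project: it validates the hash argument before a `lookup` is issued (ShadowServer accepts MD5 or SHA1 only, so a SHA256 or a stray character is rejected up front), triages a result into whitelisted / detections / seen-clean / unknown, and renders the same Markdown tables the plugin prints. The result layout (`shadow-server.found`, `.sandbox`, `.whitelist`) is taken from the sample output on this page; `SANDBOX_SAMPLE`, `WHITELIST_SAMPLE` and `NOT_FOUND_SAMPLE` are trimmed copies of those samples constructed for the example, and the function names are this example's own.

```python
"""Added example, not project code: validate, triage and render malice/shadow-server results."""
import json
import re
from datetime import datetime

# ShadowServer's hash lookup takes MD5 (32 hex chars) or SHA1 (40 hex chars).
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}")


def is_md5_or_sha1(value: str) -> bool:
    """True only for a 32- or 40-character hex digest (case-insensitive)."""
    return HASH_RE.fullmatch(value.strip().lower()) is not None


def validate_hash(value: str) -> str:
    """Return the digest lower-cased, or raise if it is not MD5/SHA1.

    Rejecting anything else before calling `lookup` keeps shell metacharacters
    and unsupported digests (e.g. SHA256) out of the command line. The whitelist
    sample reports hashes upper-cased, so comparisons use the lower-cased form.
    """
    if not is_md5_or_sha1(value):
        raise ValueError(f"expected an MD5 or SHA1 hex digest, got {value!r}")
    return value.strip().lower()


def format_seen(ts: str) -> str:
    """'2010-06-15 03:09:41' -> '6/15/2010 3:09AM', the form used in the table."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return f"{dt.month}/{dt.day}/{dt.year} {dt.strftime('%I:%M%p').lstrip('0')}"


def classify(result: dict) -> str:
    """Triage label: 'whitelisted', 'detections', 'seen-clean' or 'unknown'."""
    ss = result["shadow-server"]
    if not ss.get("found"):
        return "unknown"        # ShadowServer has never seen this hash
    if ss.get("whitelist"):
        return "whitelisted"    # known-good file, e.g. a signed OS binary
    if (ss.get("sandbox") or {}).get("antivirus"):
        return "detections"     # at least one AV vendor flagged the sample
    return "seen-clean"         # seen in the sandbox, no vendor detections


def whitelist_matches_query(result: dict, queried_hash: str) -> bool:
    """Confirm the whitelist entry is for the hash that was queried (case-insensitive)."""
    wl = result["shadow-server"].get("whitelist") or {}
    known = {validate_hash(wl[k]) for k in ("md5", "sha1") if k in wl}
    return validate_hash(queried_hash) in known


def render_markdown(result: dict) -> str:
    """Render the --table form: whitelist row, first/last seen, AV vendor table."""
    ss = result["shadow-server"]
    if not ss.get("found"):
        return "Found |\n---|\nfalse |\n"
    lines = []
    wl = ss.get("whitelist")
    if wl:
        lines += ["Found | Filename | Description | ProductName |",
                  "---|---|---|---|",
                  f"true | {wl['filename']} | {wl['description']} | {wl['product_name']} |"]
    sb = ss.get("sandbox")
    if sb:
        lines += [f"- FirstSeen: {format_seen(sb['first_seen'])}",
                  f"- LastSeen: {format_seen(sb['last_seen'])}"]
        av = sb.get("antivirus") or {}
        if av:
            lines += ["Vendor | Signature |", "---|---|"]
            lines += [f"{vendor} | {sig} |" for vendor, sig in av.items()]
    return "\n".join(lines) + "\n"


# Constructed samples, trimmed from the sandbox and whitelist JSON shown on the page.
SANDBOX_SAMPLE = json.loads("""{"shadow-server": {"found": true,
  "sandbox": {"md5": "aca4aad254280d25e74c82d440b76f79",
              "sha1": "6fe80e56ad4de610304bab1675ce84d16ab6988e",
              "first_seen": "2010-06-15 03:09:41", "last_seen": "2010-06-15 03:09:41",
              "type": "exe",
              "antivirus": {"Kaspersky": "Trojan.Win32.Cosmu.nyl",
                            "Sophos": "Troj/DwnLdr-HQY"}},
  "whitelist": null}}""")

WHITELIST_SAMPLE = json.loads("""{"shadow-server": {"found": true,
  "sandbox": {"md5": "5e28284f9b5f9097640d58a73d38ad4c",
              "sha1": "7a90f8b051bc82cc9cadbcc9ba345ced02891a6c",
              "first_seen": "2009-07-24 02:09:53", "last_seen": "2009-07-24 02:09:53",
              "type": "exe", "antivirus": {}},
  "whitelist": {"filename": "notepad.exe", "description": "Notepad",
                "product_name": "Microsoft Windows Operating System",
                "md5": "5E28284F9B5F9097640D58A73D38AD4C",
                "signer": "Microsoft Windows Component Publisher",
                "trusted_signature": "1"}}}""")

NOT_FOUND_SAMPLE = {"shadow-server": {"found": False, "sandbox": None, "whitelist": None}}


if __name__ == "__main__":
    for sample in (SANDBOX_SAMPLE, WHITELIST_SAMPLE, NOT_FOUND_SAMPLE):
        print(classify(sample))
        print(render_markdown(sample))
```

`whitelist_matches_query` is the check worth keeping in any automation built on this plugin: a whitelist hit should only suppress an alert when the entry's own `md5`/`sha1` equals the hash that was submitted, which is why both sides are normalised to lower case before comparison.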
The plugin also supports, through the options and commands listed above:

- writing results to ElasticSearch (`--elasticsearch`)
- running as a shadow-server lookup micro-service (`web`)
- posting results to a webhook (`--post`)
## Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.

## Changelog

See `CHANGELOG.md`.

## Contributors

See all contributors on GitHub.

## Contributing

Please update the `CHANGELOG.md` and submit a Pull Request on GitHub.

## License

MIT Copyright (c) 2016 blacktop