Published on August 28th, 2015
Maltelligence — Malware Threat Analyst Desktop
Maltelligence is a tool developed by the Maltelligence Research Group to automatically collect malicious network infrastructure information and malware samples RECURSIVELY from various open source intelligence (OSINT) sources, including VirusTotal, whois, passive DNS, IP subnets, AS numbers and geolocation information.
You may run Maltelligence PERIODICALLY to capture and profile the behaviour of a malicious group of domains, IPs, whois records and HTML content across the different stages/times of an APT attack.
Malware Threat Analyst Desktop: Maltelligence is a project that grew out of the insights of MalProfile.
Installation
If you want to run your instance of Maltelligence locally on your machine, be sure you have the following requirements installed:
Requirements
The procedure below was tested on Ubuntu 14.04.
- MySQL installation: the root password you configure here will be used in MalProfile.ini
    sudo apt-get install mysql-client-core-5.6
    sudo apt-get install mysql-server-5.6
- Install dependencies
    sudo apt-get install git
    sudo apt-get install python-setuptools
    sudo apt-get install build-essential python-dev libmysqlclient-dev
    sudo apt-get install libfuzzy-dev
    sudo easy_install pip
    mkdir download
    cd download
    wget https://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download
    tar xvfz download
    cd ssdeep-2.13/
    ./configure
    make
    make check
    sudo make install
    cd ..
    git clone https://github.com/kbandla/pydeep.git
    cd pydeep
    python setup.py build
    sudo python setup.py install
- Install Python modules
    sudo pip install MySQL-python
    sudo pip install ipaddress
    sudo pip install pyprind
    sudo pip install mechanize
    sudo pip install dnspython
    sudo pip install pythonwhois
    sudo pip install ipwhois
    sudo pip install beautifulsoup4
    sudo pip install simplejson
    sudo pip install prettytable
    sudo pip install geoip2
    sudo pip install wget
Installation
Assume you use ~/Malyzer/maltelligence as the program folder
    mkdir Malyzer
    cd Malyzer
    git clone git://github.com/maltelligence/maltelligence.git
    cd maltelligence
    mkdir log
    mkdir repo
    cd ..
Configuration
- Prepare the MySQL database. ONLY drop the "maltelligence" database if it already exists:
    mysql -u root -p -e "drop database maltelligence"
Create the schema and import the database
    mysql -u root -p -e "create schema maltelligence default character set utf8"
    mysql -u root -p maltelligence < ./db/maltelligence.sql
- MalProfile.ini: obtain a public API key from VirusTotal and put it here (THIS IS COMPULSORY!!! Do NOT wrap the key in single or double quotes!!!)
VT_APIKEY=
If you have an API key for passivedns.mnemonic.no for passive DNS queries,
MN_APIKEY=
VTLIMIT=True means Maltelligence will stop querying once VTDEPTH is reached
VTLIMIT=True
If one domain query to VirusTotal returns 4 IP addresses, VTDEPTH = 1 (domain) + 4 (IPs) = 5. (If VTDEPTH is too large, 100 or more, the query time may be extremely long and the API key may be blocked!)
VTDEPTH=15
If you have a subscription to a tcpiputils.com Premium account for AS Number queries, use Firefox to sign in to the website with your account, then copy the cookie.sqlite file from Firefox into the Maltelligence folder and set the parameter below.
ASN=True
If you want to add geolocation based on IP addresses
GEOIP=True
If you want to display the Maltelligence logo
LOGO=True
If you want to disable collection of non-routable IP addresses (e.g. 127.0.0.1, 192.168.0.0/24)
EXCLUDE_NONROUTABLE=True
If you want to add additional Top Level Domains
TLD=
Fill in the MySQL database information under the [MALTELLIGENCE] section
    DB_HOST=localhost
    DB_ID=root
    DB_PW=password
    DB=maltelligence
- Sample MalProfile.ini config:
    [API_KEYS]
    VT_APIKEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    MN_APITKEY=
    [VT_4]
    VTLIMIT=True
    VTDEPTH=15
    [MALTELLIGENCE]
    ASN=False
    GEOIP=True
    LOGO=True
    EXCLUDE_NONROUTABLE=True
    DB_HOST=localhost
    DB_ID=root
    DB_PW=password
    DB=maltelligence
    TLD=AC,ACADEMY,ACTOR,AD,AE,AERO,AF,AG,AGENCY,AI,AL,AM,AN,AO,AQ,AR,ARPA,AS,ASIA,...
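As an added example (not code from the Maltelligence project), the following Python 3 script shows what the VTLIMIT/VTDEPTH budget and the EXCLUDE_NONROUTABLE switch described above amount to in practice. It parses a constructed MalProfile.ini with the same sections as the sample, rejects the two mistakes the page warns about (a missing or quoted VT_APIKEY), and then runs a breadth-first domain/IP pivot in which every indicator kept consumes one unit of VTDEPTH, over a constructed lookup table that stands in for VirusTotal and passive-DNS answers so it runs offline. The exclusion ranges, the lookup data and all function names are assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used only as sample data and are deliberately left out of the exclusion list.

```python
# Added example, not part of Maltelligence: validate MalProfile.ini settings and
# simulate the VTDEPTH-bounded pivot with non-routable IPs excluded. All data below
# is constructed; the lookup table stands in for VirusTotal/passive-DNS answers.
import configparser
import ipaddress
from collections import deque

# Constructed MalProfile.ini mirroring the [API_KEYS], [VT_4] and [MALTELLIGENCE] sections.
SAMPLE_INI = """\
[API_KEYS]
VT_APIKEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
MN_APIKEY=

[VT_4]
VTLIMIT=True
VTDEPTH=5

[MALTELLIGENCE]
EXCLUDE_NONROUTABLE=True
DB_HOST=localhost
DB_ID=root
DB_PW=password
DB=maltelligence
"""

# Assumed non-routable ranges (RFC 1918, loopback, link-local, CGNAT, multicast, reserved).
# The page does not list the exact ranges Maltelligence itself excludes.
NONROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed pivot data: domain -> resolved IPs, IP -> domains seen on it.
FAKE_LOOKUP = {
    "bad.example": ["203.0.113.10", "203.0.113.11", "127.0.0.1", "192.168.0.5"],
    "203.0.113.10": ["bad.example", "mirror.example"],
    "203.0.113.11": ["bad.example"],
    "mirror.example": ["198.51.100.7"],
    "198.51.100.7": ["mirror.example", "third.example"],
    "third.example": ["198.51.100.8"],
}


def load_config(text):
    """Parse ini text and return the settings used here; reject a missing or quoted VT_APIKEY."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    key = cp.get("API_KEYS", "VT_APIKEY", fallback="").strip()
    if not key:
        raise ValueError("VT_APIKEY is compulsory")
    if key[0] in "'\"" or key[-1] in "'\"":
        raise ValueError("VT_APIKEY must not be wrapped in quotes")
    return {
        "vt_apikey": key,
        "vtlimit": cp.getboolean("VT_4", "VTLIMIT"),
        "vtdepth": cp.getint("VT_4", "VTDEPTH"),
        "exclude_nonroutable": cp.getboolean("MALTELLIGENCE", "EXCLUDE_NONROUTABLE"),
    }


def is_ip(value):
    """True if value parses as an IPv4/IPv6 address (anything else is treated as a domain)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_nonroutable(ip):
    """True if the address falls inside one of the assumed non-routable ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NONROUTABLE)


def collect(seed, cfg, lookup=FAKE_LOOKUP.get):
    """Breadth-first domain<->IP pivot. Every indicator kept counts one unit of VTDEPTH
    (the page's example: 1 domain + 4 IPs = 5); with VTLIMIT=True the walk stops there."""
    kept = []
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if node in kept:
            continue
        if cfg["exclude_nonroutable"] and is_ip(node) and is_nonroutable(node):
            continue  # dropped before it costs any of the budget
        if cfg["vtlimit"] and len(kept) >= cfg["vtdepth"]:
            break  # VTDEPTH reached: stop querying
        kept.append(node)
        queue.extend(n for n in (lookup(node) or []) if n not in kept)
    return kept


if __name__ == "__main__":
    config = load_config(SAMPLE_INI)
    for indicator in collect("bad.example", config):
        print(indicator)
```

With VTDEPTH=5 the walk keeps the seed domain, the two routable IPs, the domain found on the first IP and that domain's IP, then stops; the loopback and RFC 1918 addresses are discarded before they consume budget. Setting VTLIMIT=False lets the same walk run to exhaustion, which is the situation the page warns about when VTDEPTH is very large.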
- Geolocation database setup: download (and unzip) the GeoLite2 City database from MaxMind (https://dev.maxmind.com/geoip/geoip2/geolite2/ ; direct download https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz) and put it under the Maltelligence folder ~/Malyzer/maltelligence/ as
~/Malyzer/maltelligence/GeoLite2-City.mmdb
- Set up the shell to include the Maltelligence path by adding the export line at the bottom of your .profile file
    vi ~/.profile
    export PATH=$PATH:$HOME/Malyzer/maltelligence
- Database clean up: Maltelligence comes with a sample case from the Xecure incident; if you want to remove this case or start from scratch, run
    ./utils/clean_up.sh
Usage
Maltelligence consists of two main Python scripts: Maltelligence.py and report.py
Maltelligence.py – script for OSINT collection
report.py – script for basic reporting
Maltelligence groups all data in a case under a tag. For each case, you need to provide at least one sample, one domain and one IP address. If you don't have a sample, you can still collect the domain and IP address information.
Maltelligence.py
- To get help
    python Maltelligence.py -h
    python report.py -h
Gloss