Pentest Tools

Published on August 28th, 2015

Maltelligence — Malware Threat Analyst Desktop


Maltelligence is a tool developed by the Maltelligence Research Group to automatically and RECURSIVELY collect malicious network infrastructure information and malware samples from various open source intelligence (OSINT) sources, including VirusTotal, whois, passive DNS, IP subnets, AS numbers and geolocation information.

You may run Maltelligence PERIODICALLY to capture and profile the behaviour of a malicious group of domains, IP addresses, whois records and HTML content across the different stages and times of an APT attack.

Malware Threat Analyst Desktop: Maltelligence is a project that grew out of the insights gained from MalProfile.

 

Installation

If you want to run your instance of Maltelligence locally on your machine, be sure you have the following requirements installed:


Requirements

The procedure below was tested on Ubuntu 14.04.

  • MySQL installation (the root password configured here will be used in MalProfile.ini)
  sudo apt-get install mysql-client-core-5.6
  sudo apt-get install mysql-server-5.6
  • Install dependencies
   sudo apt-get install git
   sudo apt-get install python-setuptools
   sudo apt-get install build-essential python-dev libmysqlclient-dev
   sudo apt-get install libfuzzy-dev
   sudo easy_install pip

   mkdir download
   cd download

   wget https://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download 
   tar xvfz download
   cd ssdeep-2.13/
   ./configure
   make
   make check
   sudo make install

   cd ..
   git clone https://github.com/kbandla/pydeep.git
   cd pydeep
   python setup.py build
   sudo python setup.py install
  • Install python modules
   sudo pip install MySQL-python
   sudo pip install ipaddress
   sudo pip install pyprind
   sudo pip install mechanize
   sudo pip install dnspython
   sudo pip install pythonwhois
   sudo pip install ipwhois
   sudo pip install beautifulsoup4
   sudo pip install simplejson
   sudo pip install prettytable
   sudo pip install geoip2
   sudo pip install wget

 

Installation

Assuming you use ~/Malyzer/maltelligence as the program folder:

   mkdir Malyzer
   cd Malyzer
   git clone git://github.com/maltelligence/maltelligence.git
   cd maltelligence
   mkdir log
   mkdir repo
   cd ..

 

Configuration

  • Prepare the MySQL database (ONLY drop the “maltelligence” database if it already exists)
   mysql -u root -p -e "drop database maltelligence"

Create the schema and import the database:

   mysql -u root -p -e "create schema maltelligence default character set utf8"
   mysql -u root -p maltelligence < ./db/maltelligence.sql
  • MalProfile.ini: obtain a public API key from VirusTotal and put it here (THIS IS COMPULSORY; NO single or double quotes are needed)
   VT_APIKEY=

If you have an API key for passivedns.mnemonic.no, used for passive DNS queries:

   MN_APIKEY=

VTLIMIT=True means Maltelligence stops querying once VTDEPTH is reached:

   VTLIMIT=True

If one domain query to VirusTotal returns 4 IP addresses, then VTDEPTH = 1 (domain) + 4 (IPs) = 5. If VTDEPTH is too large (100 or more), the query time may be extremely long and the API key may be blocked.

   VTDEPTH=15

If you have a subscription to a tcpiputils.com Premium account for AS number queries, use Firefox to sign in to the website with your account, copy the cookies.sqlite file from Firefox into the Maltelligence folder, then set the parameter below.
   ASN=True

If you want to add geolocation based on IP addresses:

   GEOIP=True

If you want to display the Maltelligence logo:

   LOGO=True

If you want to disable collection of non-routable IP addresses (e.g. 127.0.0.1, 192.168.0.0/24):

   EXCLUDE_NONROUTABLE=True

If you want to add additional top-level domains:

   TLD=

Fill in the MySQL database information under the [MALTELLIGENCE] section:

   DB_HOST=localhost
   DB_ID=root
   DB_PW=password
   DB=maltelligence
  • Sample MalProfile.ini config:
---------------------------------------------------------------------------------   
[API_KEYS]
VT_APIKEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
MN_APIKEY=

[VT_4]
VTLIMIT=True
VTDEPTH=15

[MALTELLIGENCE]
ASN=False
GEOIP=True
LOGO=True
EXCLUDE_NONROUTABLE=True
DB_HOST=localhost
DB_ID=root
DB_PW=password
DB=maltelligence
TLD=AC,ACADEMY,ACTOR,AD,AE,AERO,AF,AG,AGENCY,AI,AL,AM,AN,AO,AQ,AR,ARPA,AS,ASIA,...
----------------------------------------------------------------------------------
   ~/Malyzer/maltelligence/GeoLite2-City.mmdb
  • Set up the shell to include the Maltelligence path by adding this line at the bottom of the .profile file
   vi ~/.profile
   export PATH=$PATH:$HOME/Malyzer/maltelligence
  • Database clean-up: Maltelligence comes with a sample case from the Xecure incident; if you want to remove this case or start from scratch, run
   ./utils/clean_up.sh

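The VTLIMIT/VTDEPTH budget and the EXCLUDE_NONROUTABLE filter described above, shown as an added example that is not Maltelligence's own code: a recursive domain → IP → domain pivot that counts the seed plus every collected indicator against VTDEPTH, as the README's 1 + 4 = 5 illustration does. The passive-DNS answers are constructed in-memory data standing in for VirusTotal responses; the key names come from the sample MalProfile.ini.

```python
"""Added example (not Maltelligence's own code): a VTDEPTH budget under VTLIMIT,
plus EXCLUDE_NONROUTABLE, bounding a recursive domain -> IP -> domain pivot."""
import configparser
import ipaddress
from collections import deque

# Constructed MalProfile.ini fragment using the keys the README documents.
SAMPLE_INI = "[VT_4]\nVTLIMIT=True\nVTDEPTH=5\n[MALTELLIGENCE]\nEXCLUDE_NONROUTABLE=True\n"
# Constructed passive-DNS data standing in for VirusTotal answers
# (RFC 5737 documentation addresses and .example names, not real indicators).
DOMAIN_TO_IPS = {
    "evil.example": ["203.0.113.10", "192.168.1.5", "203.0.113.11"],
    "shared.example": ["203.0.113.11"],
    "third.example": ["198.51.100.7"],
}
IP_TO_DOMAINS = {
    "203.0.113.10": ["shared.example"],
    "203.0.113.11": ["third.example", "evil.example"],
    "198.51.100.7": [],
}
# Ranges dropped by EXCLUDE_NONROUTABLE (the README cites 127.0.0.1 and 192.168.x).
NONROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_ip(node):
    return node.replace(".", "").isdigit()  # enough for dotted-quad IPv4 strings

def routable(ip):
    return not any(ipaddress.ip_address(ip) in net for net in NONROUTABLE)

def load_limits(ini_text):
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return (cfg.getboolean("VT_4", "VTLIMIT"), cfg.getint("VT_4", "VTDEPTH"),
            cfg.getboolean("MALTELLIGENCE", "EXCLUDE_NONROUTABLE"))

def collect(seed, ini_text):
    """Breadth-first pivot from a seed domain; the seed counts toward VTDEPTH."""
    limit, depth, exclude = load_limits(ini_text)
    order, queue = {seed: None}, deque([seed])  # dict keeps discovery order
    while queue and not (limit and len(order) >= depth):
        node = queue.popleft()
        lookup = IP_TO_DOMAINS if is_ip(node) else DOMAIN_TO_IPS
        for n in lookup.get(node, []):
            if n in order or (exclude and is_ip(n) and not routable(n)):
                continue  # already collected, or a non-routable IP filtered out
            order[n] = None
            queue.append(n)
            if limit and len(order) >= depth:
                break  # budget spent: no further VirusTotal queries would be issued
    return list(order)
```

Run with VTLIMIT=False to see the whole constructed graph collected, and with EXCLUDE_NONROUTABLE=False to see 192.168.1.5 slip into the case data.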

Usage

Maltelligence consists of two main Python scripts: Maltelligence.py and report.py.

Maltelligence.py – script for OSINT collection
report.py – script for basic reporting

Maltelligence groups all data belonging to a case under a tag. For each case, you need to provide at least one sample, one domain and one IP address. If you don’t have a sample, you can still collect the domain and IP address information.


Maltelligence.py

  • To get help:
   python Maltelligence.py -h
   python report.py -h

 

Source && Download


