analyzer: Offline Threat Intelligence Analyzer for extracting artifacts and IoCs

by do son · September 14, 2020

analyzer

Offline Threat Intelligence Analyzer for extracting artifacts and IoCs from file/dump into a readable format

General Features

Runs locally (Offline)
Analyze buffer, file, or full folder
Intime analysis (Session is saved)
2 modes (Interactive and silent)
Generates HTML or JSON as output
Dump output file with details to mongodb
Save raw json result to mongodb
Basic file information MD5, charset, mime, ssdeep
Different string/patterns analysis methods
NL English words detection
OCR words detection
IPS hints and countries description
Ports hints
World IPS world image and flags
DNS servers description (Top servers)
Websites similarity detection (Top 10000)
Artifacts force directed image
Cross references force directed image and table
MITRE att&ck tools and patterns detection (could be FP)
Similarity image divided to classes
YARA module and YARA rules included (Downloaded a copy from yara-rules-github)
YARA module includes conditions
Yara tags by index
URL/EMAIL/TEL/Tags patterns extraction
Credit Cards patterns extraction
Credential patterns extraction
Encryption patterns (base64, md5, sha1..) extraction
DGA (Domain Generation Algorithm) patterns extraction
BOM (Byte Order Mark) detection
URL shorteners extraction
ASCII extraction from UNICODE
Whitelist implemented (Windows7, 8 and 10 files)
Check WAF and bypass proxy
Free/Fake email extraction
Spelling and punctuation check
Top phishing words included
Snort support
Web interface
Supports threat intelligence platform feeds

Other Features

Linux (wrapper)
- ELF information
- API functions descriptions
- System commands descriptions
- Sections descriptions
- Lib descriptions
- Encrypted section detection
- Symbols extraction
- MITRE artifacts mapped to detection
- Cross references detection
- Behavior detection
macOS (wrapper)
- DMG extraction
- Shell code detection
- PLIST information
- MITRE artifacts mapped to detection
- macOS information
Windows (wrapper)
- PE information
- Encrypted section detection
- Sections descriptions
- DLL descriptions
- Symbols extraction
- Signature extraction and validation
- API descriptions
- PE ASLR, DEP, SEH and CFG detection
- MITRE artifacts mapped to detection
- API Behavior detection (DLL injection, Process Hollowing, Process Doppelganging etc..)
- Cross references detection
- Icon extraction
- Extract String file info (FileDescription, FileDescription etc..)
Android (wrapper)
- APK information
- DEX information
- Manifest descriptions
- Intent descriptions
- Resources extraction
- Symbols extraction
- Classes extraction
- Big functions identification
- Cross references detection
- API Behavior detection
IPhone (built-in)
- IPA information
BlackBerry (COD) (built-in)
- COD information
- Functions extraction
- Strings extraction
PCAP (wrapper)
- Frame filter
- HTTP filter
- DNS filter
- ARP filter
- WAF detection
- DGA detection
- Snort parsing
PDF (built-in)
- Objects enumeration
- Keys (javascript, js, OpenAction) extraction
- Streams parsing
- String analysis
Office (built-in and wrapper)
- Meta info extraction
- Hyper and target links extraction
- Bin printable parser
- Extract Text
- Extract DDE
- Macros extraction
OLE (wrapper)
- Number of objects
- Object extraction
- Macros extraction
EMAIL (built-in and wrapper)
- Header information
- Attachment extraction and parsing
- Extract body
- Phishing patterns check
Archives (wrapper)
- Extract mimes and guess by extensions
- Finding patterns in all unpacked files
- Encrypted archives detection
HTML (wrapper)
- Extract scripts, iframes, links, and forms
- Decode/analyze links
- Script entropy
Online TIPs (Required tokens, Moving to a different project)
- HybridAnalysis
- MalShare
- MetaDefender
- VirusTotal
- AlienVault
- PulseDive