FAME: Automates Malware Evaluation
FAME is a recursive acronym meaning “FAME Automates Malware Evaluation”.
It is meant to facilitate analysis of malicious files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.
Best case scenario: the analyst drops a sample, waits for a few minutes, and FAME is able to determine the malware family and extract its configuration and IOCs.
FAME should be seen as a framework that will empower your malware analysis development efforts.
FAME also relies on MongoDB as a database. You should not install MongoDB using apt because it is using an old version that will not work. Instead, follow installation guidelines available on MongoDB’s website: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-ubuntu/
Note: MongoDB does not have to be on the same system as FAME’s web server.
If needed, you should make sure to make MongoDB start when the system boots:
Make sure that MongoDB is started:
By default, MongoDB only listens on localhost. If your MongoDB instance is on a different server than FAME, or if you plan to use remote workers, you should change this setting in the configuration file (/etc/mongod.conf) by commenting the bindIp directive:
It is also recommended to enable authentication on the MongoDB server. In order to do this, start by creating an admin user, as well as a user of FAME:
Then, you have to enable RBAC in the configuration file (/etc/mongod.conf):
All these modifications will only be effective once mongod is restarted:
Start by cloning the repository:
Run the install script, and answer the questions (choose ‘1’ for installation type):
Every FAME command has to be run with utils/run.sh. This makes sure that everything takes place in FAME’s virtualenv and will create it if it does not exists.On Windows, you have to use utils/run.cmd.