snake: malware storage zoo

by do son · June 6, 2018

Introduction

Snake is a malware storage zoo that was built out of the need for a centralized and unified storage solution for malicious samples that could seamlessly integrate into the investigation pipeline.

Snake is designed to provide just enough information to allow analysts to quickly and efficiently pivot to the most suitable tools for the task at hand. That being said there will be times where the information provided by Snake is more than sufficient. It is a Python-based application built on top of Tornado and MongoDB. Scales provide Snake with a variety of functionality from static analysis through to interact with external services.

Scales are a core part of Snake and are used to extend and enrich Snake’s capability. For these reasons, a careful amount of time and consideration have been invested to ensure that scales are easy to write while also being powerful. This page explains how each of the components works and provides examples. The folder and file structure for a feature complete scale are shown below:

<SCALE_ROOT>

|- <SCALE_NAME>

|  |- __init__.py

|  |- commands.py

|  |- interface.py

|  |- upload.py

|  `- <SCALE_NAME>.conf

`- setup.py

A brief description for each of the above is as follows:

scale_root – contains everything required to create a scale and install it, but should not include 3rd party data such as binaries.
- scale_name – the name of the scale and the actual scale module.
  - __init__.py – the metadata for the scale and used to instantiate it.
  - commands.py – the command component used to execute commands on a sample.
  - interface.py – the interface component used to interact with external services in accordance with the sample in question.
- upload.py – the upload component used to extend the supported upload methods provided by Snake.
- scale_name.conf – the scale’s configuration file used to provide the scale with configurable settings.
setup.py – part of setuptools used to enable easy installation of the scale.