tknk_scanner v1.2 BHEU Edition Releases: Community-based integrated malware identification system


The original code of a malware must be scanned using YARA rules after processing with a debugger (or other means) to account for obfuscated malware binaries. This is a complicated process and requires an extensive malware analysis environment. The tknk_scanner is a community-based integrated malware identification system, which aims to easily identify malware families by automating this process using an integration of open source community-based tools and freeware. The original malware code can be scanned with your own YARA rules by submitting the malware in PE format to the scanner. tknk_scanner can thus support surface analysis performed by SOC operators, CSIRT members, and malware analysts.



  • Automatic identification and classification of malware
    • Scan the original code of malware with yara.
  • Dumps original code of malware
    • You can easily get the original code.
  • Community-based
    • Integrates multiple Open Source Software and free tools
  • User-friendly Web-UI
    • Users can submit malware and check scan results using the Web-UI.

Changelog v1.2.0

  • add swagger


Preparing the Host

  1. git clone –recursive
  2. sudo setup/
  3. Edit tknk.conf
  • vm_name
    • Virtual Machine name
  • vm_url
    • URL of
    • e.g.
  • virus_total
    • If VT use, set to 1
  • vt_key
    • Your VT API KEY
  1. Download Malware characterization tools
  • avclass
$ git submodule update
  • Detect It Easy
    • Download zip from
    • Extract zip(Linux Ubuntu 64-bit(x64)) to tknk_scanner/
    • Rename folder name die
  1. Download and copy dump tools to tools/
  2. Set yara rules
    Save yara rules in “rules” folder. You need to add the rule to index.yar.

Preparing the Guest

  1. Install Windows on KVM
  2. Turn off Windows Defender and Windows SmartScreen
  3. Install Python 3.6
  4. Set to the IP address described in vm_url.
  5. Copy and run
  6. Make snapshot

Setting Web-UI

cd frontend/
npm install
npm run generate
sudo cp -rf dist/* /usr/share/nginx/html/
cd ../
sudo cp -f tknk-scanner.nginx.conf /etc/nginx/sites-available/default
sudo systemctl restart nginx





Run ./
Access to http://localhost:80

  • File upload
    Upload the file to be scanned.
  • time
    Sets the time to start running dump tools. The default is 120 seconds.
  • mode
    • hollows_hunter
      Using hollows_hunter.
    • prodump
      Using procdump.
    • scylla
      Using Scylla.
    • diff(procdump)

Copyright (c) 2018 nao-sec