To account for obfuscated malware binaries, the original code of a malware sample must first be recovered with a debugger (or other means) and only then scanned with YARA rules. This is a complicated process and requires an extensive malware analysis environment. tknk_scanner is a community-based, integrated malware identification system that aims to make malware families easy to identify by automating this process with a combination of open source, community-based tools and freeware. Submit malware in PE format to the scanner and its original code is scanned with your own YARA rules. tknk_scanner can thus support the surface analysis performed by SOC operators, CSIRT members, and malware analysts.
- Automatic identification and classification of malware
  - Scans the original code of the malware with YARA.
- Dumps the original code of the malware
  - You can easily obtain the original code.
- Integrates multiple open source and free tools
- User-friendly Web-UI
  - Users can submit malware and check scan results using the Web-UI.
- Swagger support added
Preparing the Host
- git clone --recursive https://github.com/nao-sec/tknk_scanner.git
- sudo setup/setup.sh
- Edit tknk.conf
  - Virtual machine name
  - URL of xmlrpc_server.py
    - e.g. http://192.168.122.2:8000/
  - Set to 1 to use VirusTotal (VT)
  - Your VT API key
- Download the malware characterization tools
$ git submodule update
  - Detect It Easy
    - Download the zip from https://ntinfo.biz/
    - Extract the zip (Linux Ubuntu 64-bit (x64)) into tknk_scanner/
    - Rename the extracted folder to die
  - Download the dump tools and copy them to tools/
- Set YARA rules
Save your YARA rules in the "rules" folder. Each rule file must also be added to index.yar, otherwise it is not loaded.
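As an added illustration (not a file from the tknk_scanner repository), this is what an index.yar entry and the rule file it includes could look like. The file name, rule name, strings, byte pattern and size limit are constructed placeholders, and the rule assumes the dump is a PE image; it is written for the dumped original code, so it keys on plaintext strings and resolved imports that the obfuscated binary on disk would not expose:

```yara
// rules/index.yar: one include line per rule file (constructed example; the file name is assumed)
include "example_family.yar"

// rules/example_family.yar (constructed example; not a signature for any real family)
import "pe"

rule example_family_unpacked
{
    meta:
        description = "Constructed example: matches artefacts visible only after unpacking"
        scope       = "dumped original code, as produced by the scanner's dump tools"
    strings:
        // plaintext strings that obfuscation would hide on disk (placeholder values)
        $cfg  = "EXAMPLE_CONFIG_MARKER" ascii wide
        $uri  = "/example/beacon" ascii
        // placeholder opcode pattern: push 0; push imm32; call rel32
        $code = { 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? }
    condition:
        uint16(0) == 0x5A4D and                        // the dump starts with an MZ header (assumed)
        filesize < 5MB and                             // assumed upper bound for a dumped image
        pe.imports("wininet.dll", "InternetOpenA") and // resolved import table, not an unpacking stub
        (all of ($cfg, $uri) or ($code and 1 of ($cfg, $uri)))
}
```

Because the scanner runs the rules against the dumped code rather than the submitted file, rules like this one can rely on strings and imports that a scan of the original binary would miss.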
Preparing the Guest
- Install Windows on KVM
- Turn off Windows Defender and Windows SmartScreen
- Install Python 3.6
- Set the guest's IP address to the one specified in vm_url.
- Copy and run xmlrpc_server.py
- Take a snapshot
Access http://localhost:80
- File upload
Upload the file to be scanned.
Set the time after which the dump tools start running. The default is 120 seconds.
Copyright (c) 2018 nao-sec