Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Storing your Collection of Malware Samples with Malwarehouse

Published: 2012-09-21
Last Updated: 2012-09-22 10:05:58 UTC
by Guy Bruneau (Version: 1)
3 comment(s)

Scott Roberts released a simple yet easy to use Python script to store and query your collection of malware samples into a SQLite database. The process is simple; it allows storage (indexing basic sample metadata) and retrieval of your samples. The database allows for query by filename, MD5 and SHA256 hashes. The malwarehouse package can be downloaded here.

I changed my database location from the malwarehouse.py script option_base_dir = os.path.expanduser("~/Desktop/malwarehouse/") to option_base_dir = os.path.expanduser("~/malwarehouse/") because this server doesn't have X-Windows running.

  • First a simple menu:

  • Entering a malware sample into the SQLite database:

guy@seeker:~/malwarehouse$ ./malwarehouse.py -s zz87lhfda88.com -t PWS-LegMir.dll -n "Low detection" 1.exe

  • Result when malware sample 1.exe is processed:

guy@seeker:~/malwarehouse$ ./malwarehouse.py -s zz87lhfda88.com -t PWS-LegMir.dll -n "Low detection" 1.exe
Parsing Malware
Analysis complete. Loading.
Sample 1.exe loaded...
Loading Malware 1.exe
Creating /home/guy/malwarehouse/41f5e475e086c991873a35c58234213fc01331d655f3f39a2f1a6d2f0e0ed6b8

  • Reviewing the last record with the 3 available methods:

guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 41f5e475e086c991873a35c58234213fc01331d655f3f39a2f1a6d2f0e0ed6b8
guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 4f871a6b9f17c0923963e7dfc73efa58
guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 1.exe

  • Reviewing the last 3 recorded inserted into the malwarehouse database:

If you are looking for a simple and yet effective way of tracking your malware samples, malwarehouse is probably for you. I'm sure Scott Robert is open to suggestions to improve this project . His contact information is listed on the Github download page.


[1] blog.thevigilant.com
[2] https://github.com/sroberts/malwarehouse

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

3 comment(s)
Diary Archives