Static analysis of malware can now be easily automated and scaled with Inhale. This tool allows the user to automatically separate malware into different categories depending on their characteristics and see the different properties of the malware being analyzed.
Inhale: Malware Inhaler
Inhale allows the user to rapidly find, classify and store information of a large number of malware files. The user can setup a custom database of malware and add to it easily while also giving them different classifications depending on their properties. Malware can easily be downloaded from internet directories and be included in the database. Inhale extracts a large information from the malware resulting in more than 30 unique properties such as binary format, target OS and the language of the source code.
- Collect malware from diverse sources
- Analyze malware and extract more than 30 unique properties
- Easy to set up and use on a range of systems from research servers to Raspberry Pi
- Currently the beta version is available
– Additional binary analysis features – pulling import/export tables, hashing of specific structures in the header, logging all strings etc.
– Checking if the file is the database before adding. This feature was removed previously due to specific issues with older versions of ES.
– Configuration options for requests such as: user agent, timeout, proxy etc.
– Dockerization of this entire project.
- Python 3+
Install ElasticSearch (Debian)
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - $ sudo apt-get install apt-transport-https $ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list $ sudo apt-get update && sudo apt-get install elasticsearch $ sudo service elasticsearch start
$ git clone https://github.com/radare/radare2 $ cd radare2 $ sys/install.sh
binwalk basic installation
$ git clone https://github.com/ReFirmLabs/binwalk $ cd binwalk $ sudo python3 setup.py install
$ sudo apt-get install automake libtool make gcc $ wget https://github.com/VirusTotal/yara/archive/v3.10.0.tar.gz $ tar xvzf v3.10.0.tar.gz $ cd yara-3.10.0/ $ ./bootstrap.sh $ ./configure $ make $ sudo make install
After installing the prerequisites tools/software, clone the GitHub repo:
$ git clone https://github.com/netspooky/inhale.git
Navigate to the working directory and install the requirements:
$ cd inhale
$ python3 -m pip install -r requirements.txt
Enter the following command:
$ python3 inhale.py
-f infile -d directory -u url -r recursive url -t TAGS Additional Tags -b Turn off binwalk signatures with this flag -y YARARULES Custom Yara Rules -o OUTDIR Store scraped files in specific output dir (default:./files//) -i Just print info, don't add files to database
Click on the “documentation” button below for more information on usage examples.