bamfdetect

Identifies and extracts information from bots and other malware. Information is returned in a readable json format. bamfdetect works by reading files into RAM, applying any applicable preprocessors, then applying Yara signatures from modules to determine which module it matches. After a match is located, the module can then extract the configuration from the file.

Currently, only a preprocessor for UPX files is supported. This preprocessor writes the file data to a temporary file, calls upx -d on that temporary file, and then rereads the decompressed data from it.
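As an added illustration (not the project's own code), the following stdlib-only sketch mirrors that pipeline: a PE section-table check for UPX packing, the temp-file upx -d preprocessor, and a hypothetical ExampleBot module whose byte-pattern signature stands in for a Yara rule. The PE bytes, the module and its config layout are constructed for the example.

```python
import os, re, shutil, struct, subprocess, tempfile

def pe_section_names(data):
    # Walk the IMAGE_SECTION_HEADER table; return [] for anything that is not a PE.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    base = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]  # + SizeOfOptionalHeader
    names = []
    for off in range(base, base + 40 * nsec, 40):
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names

def is_upx_packed(data):
    return any(n.startswith("UPX") for n in pe_section_names(data))

def upx_preprocess(data):
    # Mirrors the README: write to a temp file, run `upx -d`, read the result back.
    if not is_upx_packed(data) or shutil.which("upx") is None:
        return data                                        # not packed, or no upx binary
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        subprocess.run(["upx", "-d", "-q", tmp.name], capture_output=True)
        with open(tmp.name, "rb") as fh:
            return fh.read()                               # unchanged if upx refused it
    finally:
        os.remove(tmp.name)

# Hypothetical module: a byte pattern stands in for the module's Yara rule.
MODULES = {"ExampleBot": {
    "signature": re.compile(rb"C2HOST=([^\0]+)\0PORT=(\d+)\0"),
    "extract": lambda m: {"c2": m.group(1).decode(), "port": int(m.group(2))},
}}

def scan(data):
    data = upx_preprocess(data)
    return {name: mod["extract"](m) for name, mod in MODULES.items()
            if (m := mod["signature"].search(data))}

# Constructed sample: minimal PE with UPX0/UPX1 sections and an embedded config.
SAMPLE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
          + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
          + b"UPX0".ljust(40, b"\0") + b"UPX1".ljust(40, b"\0")
          + b"C2HOST=198.51.100.7\0PORT=4444\0")
```

json.dumps(scan(SAMPLE), indent=2) renders the extracted configuration in the readable JSON form the tool produces; on a host without the upx binary the preprocessor is a no-op and the scan still runs on the raw bytes.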

Currently Supported Malware

  • Abaddon
  • Alina
  • Andromeda
  • Backoff
  • BlackShades
  • BlackWorm
  • Bozok
  • CyberGate
  • Cythosia
  • DarkComet
  • Dendroid
  • Dexter
  • DiamondFox
  • Easter JackPOS
  • Elise
  • Evora
  • Genome
  • GlassRAT
  • Herpesnet
  • JackPOS
  • Maazben
  • MadnessPro
  • Nanocore
  • njRat
  • pBot
  • PoisonIvy
  • Pony
  • ProjectHook
  • Solar
  • VertexNet
  • vSkimmer
  • XtremeRAT

Module Development

Until I have time to write a guide for writing modules, please use existing modules as a means of writing your own.

Usage

$ bamfdetect -h
usage: bamfdetect [-h] [-v] [-d] [-r] [-l] [-m MODULE] [-t THREADS]
                  [path [path ...]]

Identifies and extracts information from bots

positional arguments:
  path                  Paths to files or directories to scan

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -d, --detect          Only detect files
  -r, --recursive       Scan paths recursively
  -l, --list            List available modules
  -m MODULE, --module MODULE
                        Modules to use, if not definedall modules are used
  -t THREADS, --threads THREADS
                        Number of threads to use

bamfdetect v1.6.15 by Brian Wallace (@botnet_hunter)

Requirements

  • pefile (python module)
  • yara (python module)
  • rarfile
  • upx (binary)
  • pycrypto
  • pbkdf2

Notes

PE files are checked for UPX compression before being scanned. If they are compressed, they are written to a temporary file and decompressed with the UPX utility. Yara rules and extraction are then applied to the resulting data.

This project has been moved from https://github.com/bwall/bamf
