debster9755/malwareguard

# MalwareGuard **AI-Powered Malware Detection & Threat Hunting for Financial Services** Classify malware families targeting banking and fintech, map them to MITRE ATT&CK techniques, extract IOCs, and execute containment playbooks — all from a single dashboard built for financial services security teams. ## Why This Matters ### The Problem Banking malware is the #1 malware category by financial impact. Financial services firms face a relentless wave of banking trojans (TrickBot, Emotet, Dridex), credential stealers (RedLine, Raccoon), and ransomware (LockBit, BlackCat, Cl0p) specifically designed to steal credentials, hijack transactions, and encrypt critical infrastructure. **71% of all malware attacks target financial services** (Akamai). Yet SOC teams lack a unified view that connects malware classification with actionable threat intelligence specifically tuned for financial sector threats. ### Risk of NOT Solving | Risk | Impact | |---|---| | **Undetected banking trojans** | Credential theft leading to unauthorised fund transfers (avg $1.1M per incident) | | **Ransomware dwell time** | Average 21 days from initial compromise to deployment — early classification reduces this | | **95%+ false positive rate in AML** | Without malware-level context, transaction alerts lack the threat intelligence to prioritise | | **DORA non-compliance** | EU Digital Operational Resilience Act requires financial entities to detect and classify ICT threats | | **Incident response delays** | Without malware family identification, IR teams cannot apply the correct containment playbook | ### Business Impact - **$485B** global fraud losses in 2023 (Juniper Research) - **$4.88M** average cost of a data breach (IBM 2024) - **64% YoY increase** in ransomware targeting financial infrastructure (Chainalysis) - **EU AI Act (Aug 2026)** requires explainability for AI-based security decisions ## System Architecture ``` graph TB subgraph Frontend["MalwareGuard Dashboard"] A[Dashboard Tab] --> |Stats & Feed| B[Threat Data] C[Classifier Tab] --> |Query| D[Classification Engine] E[MITRE ATT&CK Tab] --> |Mapping| F[ATT&CK Database] G[IOC Analysis Tab] --> |Search| H[IOC Database] I[Containment Tab] --> |Actions| J[Playbook Engine] end subgraph Data["Threat Intelligence Layer"] B D F H J end subgraph Sources["Intelligence Sources"] K[abuse.ch URLhaus] L[MalwareBazaar] M[PhishTank] N[MITRE ATT&CK] O[Internal Sandbox] end Sources --> Data Data --> Frontend ``` ## Workflow Diagram ``` sequenceDiagram participant Analyst as SOC Analyst participant MG as MalwareGuard participant TI as Threat Intel participant MITRE as ATT&CK DB Analyst->>MG: Enter suspicious hash/domain/IP MG->>TI: Cross-reference threat feeds TI-->>MG: Match found: TrickBot (98% confidence) MG->>MITRE: Map to ATT&CK techniques MITRE-->>MG: 10 techniques across 8 tactics MG-->>Analyst: Classification + IOCs + MITRE mapping Analyst->>MG: View containment actions MG-->>Analyst: Prioritised playbook (Network → Endpoint → Identity → Communication) Analyst->>MG: Mark actions complete MG-->>Analyst: Generate incident report (copy-to-clipboard) ``` ## Component Architecture ``` graph LR subgraph Page["page.tsx (App Shell)"] Nav[Tab Navigation] end subgraph Tabs["5 Tab Components"] D[DashboardTab] CL[ClassifierTab] MA[MitreAttackTab] IOC[IocAnalysisTab] CT[ContainmentTab] end subgraph Data["Data Layer"] MD[malware-data.ts] end Nav --> D & CL & MA & IOC & CT D & CL & MA & IOC & CT --> MD CL -->|"onNavigate"| MA & IOC & CT D -->|"onNavigate"| CL ``` ## Features ### 1. Threat Dashboard - 4 animated stat cards (Active Families, IOCs Tracked, Financial Alerts, MITRE Techniques) - Severity distribution bars, malware type breakdown, top targeted sectors - Live threat feed with 15+ recent events and human-readable narratives ### 2. AI Malware Classifier - Enter SHA256 hash, domain, or IP address - 2-second scanning animation with progress bar and status messages - Result card: malware family, type, severity, confidence gauge (SVG radial), description, campaigns, target sectors - Quick-scan demo buttons for TrickBot, Emotet, LockBit, RedLine - Direct navigation to MITRE mapping, IOCs, and containment for classified malware ### 3. MITRE ATT&CK Matrix (Hero Feature) - Full 14-tactic interactive grid with 120+ real techniques - Technique cells coloured by usage intensity (grey → light red → deep crimson based on how many malware families use them) - Filter by malware family — highlights only that family's techniques - Click any technique to expand: description, associated malware families - Horizontally scrollable on mobile with tactic headers ### 4. IOC Analysis - Searchable/filterable table of all IOCs across 12 malware families - Filter by type (SHA256, Domain, IP, URL) and search by value - Confidence scores with visual bars - Active/Historical status indicators - CSV export (generates and downloads a file) ### 5. Containment Actions - Select any malware family to see prioritised containment playbook - Action cards with priority, category (Network/Endpoint/Identity/Communication), and detailed steps - Checkbox tracking with progress bar - **Incident Report Generator** — modal with complete incident report, copy-to-clipboard ## Malware Families Covered (12) | Family | Type | Severity | Key Threat | |---|---|---|---| | TrickBot | Trojan/Loader | Critical | Banking web injects, ransomware delivery | | Emotet | Loader/Dropper | Critical | Email thread hijacking, malware distribution | | Dridex | Banking Trojan | High | SWIFT/wire transfer credential theft (Evil Corp) | | QakBot/QBot | Trojan/Loader | Critical | Initial access broker for Black Basta ransomware | | IcedID/BokBot | Banking Trojan | High | SSL proxy MITB attacks on banking sessions | | LockBit 3.0 | Ransomware | Critical | Double extortion, fastest encryption speed | | BlackCat/ALPHV | Ransomware | Critical | Rust-based, triple extortion | | Cl0p | Ransomware | Critical | Zero-day exploitation of file transfer software | | RedLine Stealer | Info Stealer | High | Browser credentials, crypto wallets, session tokens | | Raccoon Stealer v2 | Info Stealer | High | MaaS credential theft ($200/month) | | AgentTesla | RAT/Stealer | High | Keylogging, screen capture, trade finance targeting | | FormBook/XLoader | Info Stealer | Medium | Form-grabbing, cross-platform (Windows + macOS) | ## Tech Stack | Layer | Technology | Why | |---|---|---| | **Framework** | Next.js 15 (App Router) | SSR, Vercel-native deployment | | **Language** | TypeScript | Type safety for complex data models | | **Styling** | Tailwind CSS | Rapid dark-theme styling, responsive | | **Animations** | Framer Motion | Smooth transitions, animated counters, card reveals | | **Icons** | Lucide React | Consistent cybersecurity iconography | | **Charts** | Pure SVG/CSS | Zero-dependency, fast rendering | | **State** | React useState/useMemo | Simple, no external state library needed | | **Deployment** | Vercel | Zero-config, edge network | ## Getting Started ``` git clone https://github.com/debster9755/malwareguard.git cd malwareguard npm install npm run dev ``` Open [http://localhost:3000](http://localhost:3000). ## Project Structure ``` src/ app/ page.tsx # App shell with 5-tab navigation layout.tsx # Root layout with metadata globals.css # Dark cybersecurity theme components/ DashboardTab.tsx # Stats, severity, threat feed ClassifierTab.tsx # Hash/domain classifier with scanning animation MitreAttackTab.tsx # Full 14-tactic interactive ATT&CK matrix IocAnalysisTab.tsx # Searchable IOC table with CSV export ContainmentTab.tsx # Per-family action playbooks + incident reports data/ malware-data.ts # 12 malware families, ATT&CK matrix, threat events ``` ## Business Benefits ### For Financial Services SOC Teams - **75% faster alert investigation** — malware family identification in seconds, not hours - **Unified threat view** — malware classification + MITRE mapping + IOCs + containment in one place - **Actionable intelligence** — not just "what" but "so what" and "now what" ### For Compliance (DORA/NIS2) - **ICT threat classification** — mandatory under DORA Article 17 - **Incident reporting** — auto-generated reports satisfy 24-hour notification requirements - **Audit trail** — containment action tracking with timestamps ### For the Portfolio - Demonstrates **deep cybersecurity knowledge** — real MITRE technique IDs, accurate malware descriptions - Shows **product thinking** — not just a dashboard, but a complete investigation workflow - Proves **technical execution** — full-stack TypeScript, animations, data architecture *Built by [Debayan Roy](https://github.com/debster9755) — Demonstrating AI-powered cybersecurity intelligence for financial services.*

标签：AI驱动, Apex, BlackCat, Cl0p, Cloudflare, Containment Playbook, CSV导出, DORA, Dridex, Emotet, EU AI Act, FinTech, IOC提取, LockBit, MITRE ATT&CK, Raccoon, RedLine, StruQ, TrickBot, 勒索软件防护, 合规, 安全仪表盘, 机器学习, 欺诈检测, 自动化攻击, 误报率, 金融交易监控, 金融安全, 银行安全, 银行木马