GitHub: abc1230940/malware_scanner
Malware Scanner
A Python threat-hunting tool that scans the file system for the file matching a given SHA-256 hash
About the Project
This tool is designed to hunt for specific malware dropped by an attacker or spawned by a malicious payload. These threats often attempt to establish persistence on a system to reconnect to the attacker's Command and Control (C2) server upon reboot. By inputting the target malware's SHA-256 hash value, the script scans the entire file system to locate the file. Once a match is found, the script outputs the exact file path so the incident responder can take immediate remediation action.
Built With
Python
Getting Started
The malware scanner runs on Unix-like systems. Make sure the system is up to date and that Python with the venv module is installed.
Prerequisites
1. System Update and Installation of Python
sudo apt update && sudo apt install -y python3.12-venv
Installation
1. Clone the Repo
git clone https://github.com/abc1230940/malware_scanner.git
2. Navigate into the folder
cd malware_scanner
3. Set up the virtual environment
python3 -m venv env
4. Activate the virtual environment
source env/bin/activate
5. Deactivate the virtual environment when finished
deactivate
Usage
1. Edit the Python script, then save it
The script is designed to scan from the root directory ("/"), but it must exclude /proc, /sys, /dev, /snap and /run. These directories expose kernel process state, device nodes and runtime data that do not exist as regular files on the physical disk; reading them can block indefinitely and cause the program to hang, freeze or crash.
You can also limit the scan to the directories where an attacker commonly drops malware:
- /tmp
- /var/tmp
- /dev/shm
- /etc/cron.*
- /etc/bin
2. Launch the malware scanner script
python3 malware_scanner.py
3. Input SHA-256 hash value and press Enter
I entered the SHA-256 of "Malware": a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
4. Result
The targeted "malware" was found! The path is "/tmp/malware/real_malware/hello_world.txt"
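As an added illustration (not the repository's own malware_scanner.py), here is a minimal version of the scan the steps above describe: walk a tree, prune the pseudo-filesystem directories listed in step 1, hash regular files in chunks and return every path that matches. The demo() helper builds a constructed sample tree under a temporary directory and hunts for the hash quoted in step 3.

```python
import hashlib
import os
import tempfile

# Hash quoted in step 3 of Usage; it is the SHA-256 of the constructed sample content written by demo().
README_HASH = "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447"
# Pseudo-filesystems and mount points with no regular on-disk files; entering them hangs a naive scan.
EXCLUDED_DIRS = ("/proc", "/sys", "/dev", "/snap", "/run")

def sha256_of_file(path):
    """Hex SHA-256 of a file, or None if it cannot be read (permission denied, vanished, ...)."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(1 << 20), b""):  # 1 MiB chunks, bounded memory
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()

def find_by_hash(root, target_hash, excluded=EXCLUDED_DIRS):
    """Walk root and return the paths of regular files whose SHA-256 equals target_hash."""
    target_hash = target_hash.strip().lower()
    matches = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into an excluded tree.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in excluded]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks, sockets, FIFOs and device nodes are not on-disk files
            if sha256_of_file(path) == target_hash:
                matches.append(path)
    return matches

def demo():
    """Constructed sample tree: the hunted file, a benign file, and a copy inside a pruned directory."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    hit = os.path.join(root, "real_malware", "hello_world.txt")
    skipped = os.path.join(root, "skipped")
    for path in (hit, os.path.join(skipped, "hello_world.txt")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"hello world\n")  # constructed content whose SHA-256 is README_HASH
    with open(os.path.join(root, "benign.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    # The copy under "skipped" is never hashed because that directory is pruned.
    return find_by_hash(root, README_HASH, excluded=(skipped,)), hit
```

Running find_by_hash("/", some_hash) reproduces the whole-disk scan from step 2; passing one of the drop directories from step 1 as root narrows it.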
Acknowledgement
LetsDefend - Python for Blue Team