HoodyK5/CID-Malware-Intelligence-Tool

GitHub: HoodyK5/CID-Malware-Intelligence-Tool

Stars: 0 | Forks: 0

# CID Malware Intelligence Tool

Compact Incident Detection Malware Intelligence Tool.

## Overview

**CID Malware Intelligence Tool** is a professional, SOC-grade (Security Operations Center) malware analysis and threat intelligence platform built entirely in Python. It lets cybersecurity professionals, students, and researchers analyze suspicious URLs, domains, IP addresses, file hashes, and files against multiple threat intelligence engines simultaneously, all from a single desktop GUI application.

The tool integrates the **VirusTotal**, **Hybrid Analysis**, **Criminal IP**, and **URLScan.io** APIs to provide comprehensive, multi-source threat analysis. It also includes an IOC (Indicator of Compromise) extractor, professional PDF/CSV/JSON report generation, YARA-based local file scanning, APK malware analysis, OSINT intelligence gathering, and a real-time SOC console, making it suitable for real-world threat hunting and incident response workflows.

## Features

### Core Scan Modules

- **URL Scanner** — Analyze any URL against 90+ security vendors via VirusTotal
- **Domain Intelligence** — Full domain reputation check with WHOIS, DNS records, and SSL certificate analysis
- **File Analyzer** — Deep file inspection with VirusTotal + local YARA rule scanning + APK malware analysis
- **Hash Lookup** — Instant MD5 / SHA1 / SHA256 hash reputation check
- **IP Scanner** — IP address threat intelligence with geolocation data

### Advanced Scan

- Multi-source analysis combining VirusTotal + Criminal IP + URLScan.io + Security Analysis
- Detailed Anti-Virus results from 90+ vendors
- Criminal IP threat verdict and score
- URLScan.io scan results with direct report links
- SSL certificate validity check
- DNS record enumeration (A, MX, TXT, NS)
- WHOIS information retrieval
- IP Geolocation with ISP details

### Intelligence & Reporting

- **IOC Extractor** — Automatically extracts IPs, URLs, domains, MD5/SHA1/SHA256 hashes, emails, and CVE IDs from scan results
- **PDF Report** — Professional SOC-style PDF report with MITRE ATT&CK mapping, IOC table, risk timeline, and recommendations
- **CSV Report** — Spreadsheet-compatible export of all scan findings and IOCs
- **JSON Forensic Report** — Structured forensic output ready for SIEM integration

### Additional Features

- **OSINT Module** — Open source intelligence gathering
- **APK Analyzer** — Android APK static analysis for malware detection
- **YARA Engine** — Local YARA rule-based file scanning
- **Alert System** — Real-time malware alert notifications
- **Scan History** — Persistent scan history with delete and export options
- **Analytics Dashboard** — Threat statistics and distribution charts
- **Live SOC Console** — Real-time color-coded threat logging
- **Boot Animation** — Professional cyber startup sequence
- **Human Verification** — CAPTCHA-style security check for advanced scans
- **Network Monitor** — Network activity monitoring
- **Malware Family Tracker** — Track detected malware families

## Requirements

### System Requirements

- Operating System: Kali Linux / Ubuntu / Debian (Windows compatible)
- Python: 3.10 or higher
- Internet connection (required for API calls)
- Screen resolution: 1280x720 or higher (fullscreen application)

### Python Dependencies

```
requests
Pillow
reportlab
dnspython
yara-python
androguard
pandas
pygame
plyer
```

## Tech Stack

| Component | Technology |
| --- | --- |
| GUI Framework | Python Tkinter |
| Threat Intelligence | VirusTotal API v3 |
| Sandbox Analysis | Hybrid Analysis API v2 |
| IP/Domain Intel | Criminal IP API |
| URL Analysis | URLScan.io API |
| Local Scanning | YARA Rules Engine |
| APK Analysis | Androguard |
| Report Generation | ReportLab |
| Data Storage | JSON (local persistent storage) |
| Networking | Python Requests, SSL, Socket |
| DNS Analysis | dnspython |
| Notifications | Plyer, Pygame |

## ⚙ Installation

### ⚡ Quick Install (Recommended — Works for Any User)

```bash
git clone https://github.com/HoodyK5/CID-Malware-Intelligence-Tool.git
cd CID-Malware-Intelligence-Tool
bash install.sh
```

The installer will automatically:

- Install all Python dependencies
- Create the `cid` terminal command (launch from anywhere)
- Create a desktop application icon
- Create a desktop shortcut

After installation, launch the tool from anywhere:

```bash
cid
```

### 🔧 Manual Installation (Alternative)

#### Step 1 — Clone the repository

```bash
git clone https://github.com/HoodyK5/CID-Malware-Intelligence-Tool.git
cd CID-Malware-Intelligence-Tool
```

#### Step 2 — Install Python dependencies

```bash
sudo pip3 install -r requirements.txt --break-system-packages
```

#### Step 3 — Configure your API keys

Create a file named `cid.env` in the project folder:

```bash
nano cid.env
```

Add your API keys in this format:

```
VT_API_KEY=your_virustotal_api_key_here
HA_API_KEY=your_hybrid_analysis_api_key_here
CIP_API_KEY=your_criminal_ip_api_key_here
URLSCAN_API_KEY=your_urlscan_api_key_here
```

Save with Ctrl+X → Y → Enter. Keep `cid.env` out of version control; it holds your API keys.

#### Step 4 — Add background image

Place your background image named `CID.jpg` in the project folder. (You can use any dark cyberpunk-style JPG image.)

#### Step 5 — Run the tool

```bash
python3 main.py
```

or

```bash
python3 cid-malware.py
```

## 🔑 API Keys — Where to Get Them (All Free)

All required API keys are completely free to obtain.

| API Service | Registration Link |
| --- | --- |
| VirusTotal | https://www.virustotal.com/gui/join-us |
| Hybrid Analysis | https://www.hybrid-analysis.com/signup |
| Criminal IP | https://www.criminalip.io/register |
| URLScan.io | https://urlscan.io/user/signup |

### Where to add them

After registration, copy each API key and paste it into your `cid.env` file as shown in the Installation section above.

## 📖 How to Use — Each Module Explained

### 🌐 URL Scanner

1. Click **URL Scanner** from the dashboard or sidebar
2. Type or paste any URL starting with `http://` or `https://`
3. Click the **SCAN** button
4. Wait for results — 90+ security vendors will analyze the URL
5. Results show each vendor's detection status (Clean / Malicious / Suspicious)
6. Use the **IOC** button to extract indicators from results
7. Use the **REPORT** button to generate a PDF/CSV/JSON report
8. Use the **ADVANCED** button for deep multi-source analysis

### 🏠 Domain Intelligence

1. Click **Domain Intel** from the dashboard or sidebar
2. Enter a domain name (example: `google.com`)
3. Click **SCAN**
4. Results include vendor detections
5. Use the **ADVANCED** scan for SSL certificate, DNS records, WHOIS, Criminal IP, and URLScan.io analysis

### 📁 File Analyzer

1. Click **File Analyzer** from the dashboard or sidebar
2. Click **BROWSE** to select any file from your computer
3. Click **SCAN** to upload and analyze against VirusTotal (uploaded files are shared with the VirusTotal community; see the Disclaimer below, and prefer Hash Lookup for files that may be sensitive)
4. A YARA local scan also runs automatically for .exe, .dll, and .pdf files
5. For Android APK files, click **APK SCAN** for static analysis
6. Results show all vendor detections

### 🔐 Hash Lookup

1. Click **Hash Lookup** from the dashboard or sidebar
2. Paste any MD5, SHA1, or SHA256 hash
3. Click **SCAN**
4. Instantly retrieves the existing VirusTotal analysis for that file hash
5. No file upload needed — hash-based lookup is instant

### 📡 IP Scanner

1. Click **IP Scanner** from the dashboard or sidebar
2. Enter any IPv4 address
3. Click **SCAN**
4. Results include vendor reputation data
5. Use the **ADVANCED** scan for the full Criminal IP report and geolocation data

### ⚡ Advanced Scan

1. From any scan page, enter your target and click **ADVANCED**
2. Complete the human verification challenge
3. Click **GENERATE REPORT**
4. The tool runs simultaneous analysis across all sources
5. Navigate results using the sidebar:
   - **Anti-Virus Result** — Full vendor detection table
   - **CID Malware Overview** — Risk assessment and metadata
   - **Criminal IP** — Criminal IP verdict and score
   - **URLScan.io Analysis** — URLScan results with report link
   - **Security Analysis** — SSL, DNS, WHOIS, Geolocation
6. Use **IOC Extractor**, **Full Report**, and **Export PDF** from the sidebar

### 🔎 IOC Extractor

- Click the **IOC** button after any scan
- Automatically extracts all indicators from scan results:
  - IPv4 addresses
  - URLs
  - Domain names
  - MD5 hashes
  - SHA1 hashes
  - SHA256 hashes
  - Email addresses
  - CVE IDs
- Each IOC is tagged with severity (Critical / High / Medium / Low)
- Export extracted IOCs as JSON or CSV

### 📄 Report Generator

- Click the **REPORT** button after any scan
- Select report formats: PDF, CSV, JSON (any combination)
- Choose a save location
- Add optional analyst notes
- Click **GENERATE REPORTS**
- The PDF report includes:
  - Risk assessment badge
  - Detection statistics table
  - Malicious vendor detections
  - IOC table
  - MITRE ATT&CK technique mapping
  - Threat recommendations
  - Risk timeline
  - Analyst notes
  - Scan metadata and timestamp

### 🕵️ OSINT Module

- Click **OSINT Module** from the sidebar
- Perform open source intelligence gathering on targets
- Useful for reconnaissance and threat research

### 📈 Scan History

- Click **Scan History** from the sidebar
- View all past scans with timestamps, targets, and risk scores
- Delete individual records, all history, or filter by date
- Export history as CSV

### 📊 Analytics Dashboard

- Click **Analytics** from the sidebar
- View real-time statistics:
  - Total scans performed
  - Threats found
  - Malicious vs clean scan ratio
  - Recent high-risk scans
  - Threat distribution bar chart

## 💼 Use Cases

- **Malware Analysis** — Analyze suspicious files and URLs before opening them
- **Incident Response** — Quickly check IOCs during a security incident
- **Threat Hunting** — Proactively search for threats in your environment
- **Security Research** — Research malware families and threat actors
- **Phishing Investigation** — Verify suspicious URLs and domains
- **SOC Operations** — Automate first-level triage of security alerts
- **Penetration Testing** — Reconnaissance and target intelligence gathering
- **CTF Challenges** — Hash lookups and IOC extraction for competitions
- **Education** — Learn about cybersecurity threat intelligence concepts

## 📁 Project Structure

```
CID-Malware-Intelligence-Tool/
│
├── main.py                 # Main application — GUI and core logic
├── CIDV3_1_upgrade.py      # v3.1 sidebar features (network monitor, charts)
├── yara_engine.py          # YARA rules engine for local file scanning
├── alert_system.py         # Real-time malware alert notifications
├── apk_analyzer.py         # Android APK static analysis module
├── osint_module.py         # OSINT intelligence gathering module
├── ioc_extractor.py        # IOC extraction engine
├── report_engine.py        # PDF/CSV/JSON report generation engine
├── report_dialog.py        # Report generation UI dialog
├── boot_animation.py       # Startup boot animation
├── CID.jpg                 # Background image (add your own)
├── cid.env                 # API keys
├── cid_data.json           # Persistent scan history (auto-generated)
├── requirements.txt        # Python dependencies
└── README.md               # This file
```

## ⚠ Disclaimer

This tool is intended for **educational purposes, authorized security research, and legitimate cybersecurity work only**.

- Only use this tool against systems, URLs, IPs, and files you own or have **explicit written permission** to analyze
- The author is not responsible for any misuse, damage, or illegal activity conducted using this tool
- Submitting files to VirusTotal makes them available to the security community — do not submit sensitive or private files
- Always comply with the terms of service of all integrated APIs (VirusTotal, Hybrid Analysis, Criminal IP, URLScan.io)
- This tool is not a replacement for professional enterprise security solutions

**Use responsibly. Stay ethical.**

## 👤 Author

**Akku K5**

- GitHub: https://github.com/HoodyK5
- Tool: CID Malware Intelligence Platform v3.2
- Built with: Python, Tkinter, and multiple threat intelligence APIs

## 📄 License

This project is licensed under the MIT License. You are free to use, modify, and distribute this software for personal and educational purposes. Commercial use requires attribution to the original author.

## 🙏 Acknowledgements

- [VirusTotal](https://www.virustotal.com) — Multi-engine threat analysis
- [Hybrid Analysis](https://www.hybrid-analysis.com) — Malware sandbox
- [Criminal IP](https://www.criminalip.io) — IP and domain threat intelligence
- [URLScan.io](https://urlscan.io) — URL scanning and analysis
- [YARA](https://virustotal.github.io/yara/) — Malware pattern matching
- [Androguard](https://github.com/androguard/androguard) — APK analysis
- [ReportLab](https://www.reportlab.com) — PDF generation
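The IOC Extractor described above pulls IPv4 addresses, URLs, domains, MD5/SHA1/SHA256 hashes, emails and CVE IDs out of scan results and tags each with a severity. The following is an added example of that extraction in Python, not the project's own `ioc_extractor.py`; the severity mapping and the file-extension filter are assumptions, and the sample scan text is constructed.

```python
import re
from collections import defaultdict

# Regexes for the indicator types the IOC Extractor lists; \b stops a 40-hex
# SHA1 pattern from matching inside a 64-hex SHA256 (and MD5 inside SHA1).
PATTERNS = {
    "ipv4":   re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url":    re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "email":  re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "cve":    re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1":   re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5":    re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
# Assumed severity per indicator type; the README does not state the tool's own rule.
SEVERITY = {"sha256": "Critical", "sha1": "Critical", "md5": "Critical", "url": "High",
            "cve": "High", "ipv4": "Medium", "domain": "Medium", "email": "Low"}
# Heuristic: file names such as payload.exe look like domains to the domain regex.
FILE_EXT = {"exe", "dll", "pdf", "apk", "py", "txt", "json", "csv", "jpg", "zip"}

def refang(text):
    """Undo common defanging (hxxp://, [.], [@]) so shared indicators still match."""
    return (text.replace("hxxp", "http").replace("[.]", ".")
                .replace("[:]", ":").replace("[@]", "@"))

def extract_iocs(text):
    """Return {type: sorted unique indicators} found in a block of scan output."""
    found = defaultdict(set)
    text = refang(text)
    for kind, rx in PATTERNS.items():
        for m in rx.findall(text):
            if kind == "domain" and m.rsplit(".", 1)[-1].lower() in FILE_EXT:
                continue
            # Canonical form: CVEs upper-case, URLs untouched, everything else lower-case.
            found[kind].add(m.upper() if kind == "cve" else m if kind == "url" else m.lower())
    return {k: sorted(v) for k, v in found.items()}

def tag_iocs(text):
    """Flatten to rows carrying a severity tag, ready for the CSV/JSON export."""
    return [{"type": k, "value": v, "severity": SEVERITY[k]}
            for k, vals in extract_iocs(text).items() for v in vals]

# Constructed sample scan output (RFC 5737/2606 addresses, empty-file digests).
SAMPLE = """\
[VT] analysis for hxxp://malware-drop[.]example/payload.exe
file sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
md5 d41d8cd98f00b204e9800998ecf8427e contacted 203.0.113.45 and 203.0.113.45
exploits CVE-2021-44228; c2 beacon to c2.example.net, mail abuse@example.org
"""
```

Running `tag_iocs(SAMPLE)` yields one row per unique indicator with its type and severity, which is the shape a CSV or JSON export needs.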
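The Hash Lookup module queries VirusTotal by digest without uploading anything, and Step 3 of the installation keeps the API keys in `cid.env`. This added example (not the project's code) shows that flow with the standard library: it reads a key from cid.env-style text, validates the hash form, and reduces a VirusTotal API v3 file object to the Clean / Malicious / Suspicious vendor statuses the README describes. The overall risk thresholds are an assumption, and the sample env text and response are constructed.

```python
import json
import re
import urllib.error
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/"   # VirusTotal API v3 file object endpoint

def load_api_key(env_text, name="VT_API_KEY"):
    """Pull one key from cid.env-style KEY=value text (the format from Step 3)."""
    pairs = (line.split("=", 1) for line in env_text.splitlines()
             if "=" in line and not line.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}.get(name) or None

def hash_type(value):
    """Classify a digest as md5/sha1/sha256 by length, or None if it is not hex."""
    v = value.strip()
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v)) if re.fullmatch(r"[a-f0-9]+", v, re.I) else None

def vendor_status(entry):
    """Map one last_analysis_results entry to the Clean/Malicious/Suspicious labels."""
    cat = entry.get("category")
    return (cat.capitalize() if cat in ("malicious", "suspicious")
            else "Clean" if cat in ("harmless", "undetected") else "Unknown")  # timeout, unsupported

def summarize(report):
    """Reduce a VT v3 file object to per-vendor status plus an overall risk label."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    mal, sus = stats.get("malicious", 0), stats.get("suspicious", 0)
    risk = "Malicious" if mal >= 5 else "Suspicious" if mal or sus else "Clean"  # assumed thresholds
    vendors = {n: vendor_status(r) for n, r in attrs.get("last_analysis_results", {}).items()}
    return {"malicious": mal, "suspicious": sus, "risk": risk, "vendors": vendors}

def lookup_hash(value, api_key):
    """Hash-only lookup: nothing is uploaded. Returns None if VT has never seen the hash."""
    if hash_type(value) is None:
        raise ValueError("expected an MD5, SHA1 or SHA256 hex digest")
    req = urllib.request.Request(VT_FILES + value.strip().lower(), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

# Constructed sample cid.env text and VT v3 response; not real keys or data.
SAMPLE_ENV = "VT_API_KEY=vt_key_placeholder\nHA_API_KEY=ha_key_placeholder\n# CIP_API_KEY unset\n"
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"harmless": 0, "malicious": 7, "suspicious": 1, "undetected": 60, "timeout": 1},
    "last_analysis_results": {"EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                              "EngineB": {"category": "undetected", "result": None},
                              "EngineC": {"category": "type-unsupported", "result": None}}}}}
```

`lookup_hash(digest, load_api_key(open("cid.env").read()))` performs the live query; `summarize(SAMPLE_REPORT)` exercises the same reduction offline.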