nilsonsangy/MalwareInside

GitHub: nilsonsangy/MalwareInside

Stars: 0 | Forks: 0

# 🛡️ Malware Inside

**A comprehensive collection of scripts and tools for malware analysis and threat detection**

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Python 3.x](https://img.shields.io/badge/python-3.x-blue.svg)](https://www.python.org/downloads/) [![Platform](https://img.shields.io/badge/platform-Linux%20%7C%20Windows-lightgrey)](https://github.com/nilsonsangy/MalwareInside)

*Empowering security researchers, analysts, and enthusiasts with automated tools for malware analysis*

## 📋 Table of Contents

- [📊 Tools Overview](#tools-overview)
- [🚀 Quick Start](#quick-start)
- [🔧 Installation](#installation)
- [📖 Detailed Usage](#detailed-usage)
  - [YARA Rules](#yara-rules)
  - [INetSim DNS Fix](#inetsim-dns-fix)
  - [Hexdump to Hex Converter](#hexdump-to-hex-converter)
  - [Hex to Binary Converter](#hex-to-binary-converter)
  - [VirusTotal API Tools](#virustotal-api-tools)
  - [Malware Verifier](#malware-verifier)
- [⚙️ Requirements](#requirements)
- [📄 License & Support](#license--support)
- [⚠️ Disclaimer](#disclaimer)
- [📞 Contact](#contact)

## Tools Overview

| Tool | Description | Input | Output | Use Case |
|------|-------------|-------|--------|----------|
| **YARA Rules** | Detection rules for malware families | Files/Memory | Matches | Threat identification |
| **VirusTotal API** | Complete VT API integration | Hash/Files | JSON reports | File analysis & upload |
| **fix_inetsim_dns.sh** | DNS service fix for INetSim | - | Fixed service | Lab setup |
| **hexdump2hex.py** | Extract hex bytes from Wireshark dumps | `.txt` hexdump | `.hex` file | Network analysis |
| **hex2bin.py** | Convert hex strings to binary | `.hex` file | `.bin` file | Sample reconstruction |
| **malware-verifier.py** | VirusTotal batch scanner | Directory | Detection scores | Sample verification |

## Quick Start

```bash
# Clone the repository
git clone https://github.com/nilsonsangy/MalwareInside.git
cd MalwareInside

# Install dependencies
pip install -r requirements.txt

# Configure VirusTotal API key
# Edit .env file and add your API key

# Validate VirusTotal API key
cd VT_API
python validate_api_key.py

# Get file report from VirusTotal
python get_file_report.py 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad

# Example workflow: Wireshark hexdump → binary extraction
python scripts/hexdump2hex.py wireshark_dump.txt   # Creates wireshark_dump.hex
python scripts/hex2bin.py wireshark_dump.hex       # Creates wireshark_dump.bin

# Verify samples with VirusTotal
python scripts/malware-verifier.py /path/to/samples

# Apply INetSim fix (Kali Linux)
sudo bash scripts/fix_inetsim_dns.sh
```

## Installation

### Prerequisites

- **Python 3.x** - For running Python scripts
- **YARA** - For using detection rules
- **VirusTotal API Key** - For malware verification
- **Kali Linux** - For INetSim DNS fix

### Setup

1. Clone this repository:

   ```bash
   git clone https://github.com/nilsonsangy/MalwareInside.git
   cd MalwareInside
   ```

2. Install Python dependencies:

   ```bash
   pip install -r requirements.txt
   ```

3. Set up your VirusTotal API key:
   - Copy the example environment file: `cp .env.example .env`
   - Get your API key from: https://www.virustotal.com/gui/my-apikey
   - Edit the `.env` file and replace `your_virustotal_api_key_here` with your actual API key
   - Optionally, set `MALWARE_SAMPLES_PATH` to specify a custom folder for malware samples (defaults to the Downloads folder)

4. Validate your API configuration:

   ```bash
   cd VT_API
   python validate_api_key.py
   ```

## Detailed Usage

### YARA Rules

The `YARA` directory contains detection rules for known malware families, including ransomware and other threats.

**Usage:**

```bash
# Scan a single file
yara YARA/lockbit3.yar suspicious_file.exe

# Scan a directory recursively
yara -r YARA/ /path/to/scan/

# Output matches with metadata
yara -m YARA/conti.yar malware_sample.bin
```

### INetSim DNS Fix

Fixes DNS service issues with INetSim on recent Kali Linux versions caused by Perl compatibility problems.
**Usage:**

```bash
# Apply the fix (requires root privileges)
sudo bash scripts/fix_inetsim_dns.sh

# Verify INetSim service status
sudo systemctl status inetsim
```

### Hexdump to Hex Converter

**Usage:**

```bash
# Convert Wireshark hexdump to clean hex string
python scripts/hexdump2hex.py network_capture.txt
# Output: network_capture.hex
```

**Input format example:**

```
00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.|
00000010 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1|
```

### Hex to Binary Converter

Converts hex string files to binary format for analysis or execution.

**Usage:**

```bash
# Convert hex file to binary
python scripts/hex2bin.py payload.hex
# Output: payload.bin
```

**Input format:**

```
4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000
```

### VirusTotal API Tools

Collection of scripts to interact with the VirusTotal API for malware analysis.

#### API Key Validation

Validates that your VirusTotal API key is working correctly.

**Usage:**

```bash
cd VT_API
python validate_api_key.py
```

**Example output:**

```
✅ API key is valid!
User ID: your_username
```

#### File Report Analysis

Get a detailed analysis report for a file using its hash.

**Usage:**

```bash
cd VT_API
python get_file_report.py <hash>
```

**Supported hash types:**

- MD5 (32 characters)
- SHA-1 (40 characters)
- SHA-256 (64 characters)

**Example:**

```bash
python get_file_report.py 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad
```

#### File Upload & Analysis

Upload files to VirusTotal for analysis (max 32MB).

**Usage:**

```bash
cd VT_API
python upload_file.py <file_path> [password]
```

**Examples:**

```bash
# Upload a file
python upload_file.py malware_sample.exe

# Upload a password-protected ZIP
python upload_file.py protected.zip mypassword
```

#### Analysis Status Check

Check the status of a file analysis using the analysis ID.
**Usage:**

```bash
cd VT_API
python get_analysis.py <analysis_id>
```

**Example:**

```bash
python get_analysis.py NjY0MjRlOTFjMDIyYTkyNWM0NjU2NWQxYjdiZWIxM2I6MTQ4ODU0NjU3Mw==
```

### Malware Verifier

Batch verification of malware samples using the VirusTotal API, with detection score reporting.

**Usage:**

```bash
# Verify all samples in a directory
python scripts/malware-verifier.py /path/to/samples/

# Example output:
# sample1.exe: 45/67 detections
# sample2.dll: 12/67 detections
```

## Requirements

### System Requirements

- **Operating System**: Linux (preferred), Windows, macOS
- **Python**: 3.6 or higher
- **YARA**: Latest stable version for rule scanning
- **Kali Linux**: For INetSim DNS fix script

### API Requirements

- **VirusTotal API Key**: Required for VirusTotal API scripts and `malware-verifier.py`
  - Sign up at [VirusTotal](https://www.virustotal.com/)
  - Get your API key from: https://www.virustotal.com/gui/my-apikey
  - Configure it in the `.env` file

### Optional Tools

- **Wireshark**: For generating hexdump files
- **INetSim**: For malware analysis lab setup

## Disclaimer

This toolkit is designed for **educational and research purposes only**. Users are responsible for ensuring compliance with applicable laws and regulations when analyzing malware samples.

### Important Notes

- Only analyze malware in isolated, controlled environments
- Ensure proper authorization before testing on any systems
- The authors are not responsible for any misuse of these tools
- Always follow responsible disclosure practices

## Contact

For questions, suggestions, or collaboration opportunities:

- 📧 **Email**: [Open an issue](https://github.com/nilsonsangy/MalwareInside/issues) for fastest response
- 🐛 **Bug Reports**: [GitHub Issues](https://github.com/nilsonsangy/MalwareInside/issues)
- 💡 **Feature Requests**: [GitHub Discussions](https://github.com/nilsonsangy/MalwareInside/discussions)
- 🔗 **GitHub**: [@nilsonsangy](https://github.com/nilsonsangy)
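The hexdump and hex-string formats described under "Hexdump to Hex Converter" and "Hex to Binary Converter", parsed as an added example that is not the repository's own `hexdump2hex.py` or `hex2bin.py` code: it keeps only the byte columns of each row (offset and ASCII columns are dropped, so ASCII text that happens to look like hex digits cannot corrupt the output), tolerates a short last row and the offset-only trailer that `hexdump -C` emits, and rejects an odd digit count instead of padding it. `SAMPLE_DUMP` is a constructed input built from the README's two rows.

```python
import re

# One hexdump row: 4-8 digit hex offset, byte columns, then an optional
# ASCII column (|...| in hexdump -C output, bare text in Wireshark's).
_OFFSET_RE = re.compile(r"^\s*[0-9A-Fa-f]{4,8}(?:[:\s]|$)")
_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
ROW_BYTES = 16  # bytes per row in both tools' default layout


def hexdump_to_hex(text: str) -> str:
    """Return the data bytes of a hexdump as one lowercase hex string.
    Offset and ASCII columns are discarded, so printable text that looks
    like hex digits never leaks into the output. Rows may be short (last
    line) or empty (hexdump's trailing offset-only line)."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _OFFSET_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: expected a hex offset, got {line!r}")
        # Everything from the first '|' is the ASCII column, never data.
        row = []
        for tok in line[m.end():].split("|", 1)[0].split():
            if len(row) == ROW_BYTES or not _BYTE_RE.match(tok):
                break  # full row, or a bare (pipe-less) ASCII column began
            row.append(tok.lower())
        out.extend(row)
    return "".join(out)


def hex_to_bytes(hexstr: str) -> bytes:
    """Convert a hex string (what hex2bin.py consumes) to raw bytes.
    Whitespace is tolerated; an odd digit count is corrupt input and is
    rejected rather than silently padded."""
    digits = "".join(hexstr.split())
    if len(digits) % 2:
        raise ValueError(f"odd number of hex digits ({len(digits)})")
    return bytes.fromhex(digits)


# Constructed sample: the README's two rows plus a short final row and
# hexdump's trailing offset-only line.
SAMPLE_DUMP = """\
00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.|
00000010 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1|
00000020 2e 32 0d 0a                                     |.2..|
00000024
"""
```

With a pipe-less Wireshark export, a short row whose ASCII text begins with two hex-looking characters is ambiguous to any column-agnostic parser; the `|...|` form has no such ambiguity.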