Analysis Modules¶
The analysis modules currently available in MultiScanner are listed by catagory below.
| AV Scans | |
|---|---|
| AVG 2014 | Scans sample with AVG 2014 anti-virus |
| ClamAVScan | Scans sample with ClamAV |
| McAfeeScan | Scans sample with McAfee AntiVirus Command Line |
| Microsoft Security Essentials | Scans sample with Microsoft Security Essentials |
| Metadefender | Interacts with OPSWAT Metadefender Core 4 Version 3.x, polling Metadefender for scan results. |
| vtsearch | Searches VirusTotal for sample’s hash and downloads the report if available |
| VFind | Runs the CyberSoft VFind anti-malware scanner, part of the VFind Security Toolkit. |
| Database | |
|---|---|
| NSRL | Looks up a hash in the National Software Reference Library. |
| Sandbox Detonation | |
|---|---|
| Cuckoo Sandbox | Submits a sample to Cuckoo Sandbox cluster for analysis. |
| FireEye API | Detonates the sample in FireEye AX via FireEye’s API. |
| VxStream | Submits a file to a VxStream Sandbox cluster for analysis. |
| Machine Learning | |
|---|---|
| MaliciousMacroBot | Triage office files with MaliciousMacroBot. |
| Metadata | |
|---|---|
| entropy | Calculates the Shannon entropy of a file. |
| ExifToolsScan | Scans sample with Exif tools and returns the results. |
| fileextensions | Determines possible file extensions for a file. |
| floss | FireEye Labs Obfuscated String Solver uses static analysis techniques to deobfuscate strings from malware binaries. |
| impfuzzy | Calculates a fuzzy hash using ssdeep on Windows PE imports. |
| libmagic | Runs libmagic against the files to identify filetype. |
| MD5 | Generates the MD5 hash of the sample. |
| officemeta | Extracts metadata from Microsoft Office documents. |
| pdfinfo | Extracts feature information from PDF files using pdf-parser. |
| PEFile | Extracts features from EXE files. |
| pehasher | Computes pehash values using a variety of algorithms: totalhase, anymaster, anymaster_v1_0_1, endgame, crits, and pehashng. |
| SHA1 | Generates the SHA1 hash of the sample. |
| SHA256 | Generates the SHA256 hash of the sample. |
| ssdeep | Generates context triggered piecewise hashes (CTPH) for files. More information can be found on the ssdeep website. |
| Tika | Extracts metadata from the sample using Tika. |
| TrID | Runs TrID against a file. |
| UAD | Runs the CyberSoft Universal Atomic Disintegrator (UAD) tool, part of the VFind Security Toolkit. |
| Signatures | |
|---|---|
| YaraScan | Scans the sample with Yara and returns the results. |
Configuration Options¶
Parameters common to all modules are listed in the next section, followed by notes and module-specific parameters for those that have them.
Common Parameters¶
The parameters below may be used by all modules.
| Parameter | Description |
|---|---|
| path | Location of the executable. |
| cmdline | An array of command line options to be passed to the executable. |
| host | The hostname, port, and username of the machine that will be SSH’d into to run the analytic if the executable is not present on the local machine. |
| key | The SSH key to be used to SSH into the host. |
| replacement path | If the main config is set to copy the scanned files this will be what it replaces the path with. It should be where the network share is mounted. |
| ENABLED | When set to false, the module will not run. |
[Cuckoo]¶
This module submits a file to a Cuckoo Sandbox cluster for analysis.
| Parameter | Description |
|---|---|
| API URL | The URL to the API server. |
| WEB URL | The URL to the Web server. |
| timeout | The maximum time a sample will run. |
| running timeout | An additional timeout, if a task is in the running state this many seconds past timeout, the task is considered failed. |
| delete tasks | When set to True, tasks will be deleted from Cuckoo after detonation. This is to prevent filling up the Cuckoo machine’s disk with reports. |
| maec | When set to True, a MAEC JSON-based report is added to Cuckoo JSON report. NOTE: Cuckoo needs MAEC reporting enabled to produce results. |
[ExifToolsScan]¶
This module scans the file with Exif tools and returns the results.
| Parameter | Description |
|---|---|
| remove-entry | A Python list of ExifTool results that should not be included in the report. File system level attributes are not useful and stripped out. |
[FireEyeAPI]¶
This module detonates the sample in FireEye AX via FireEye’s API. This “API” version replaces the “FireEye Scan” module.
| Parameter | Description |
|---|---|
| API URL | The URL to the API server. |
| fireeye images | A Python list of the VMs in fireeye. These are used to generate where to copy the files. |
| username | Username on the FireEye AX. |
| password | Password for the FireEye AX. |
| info level | Options are concise, normal, and extended. |
| timeout | The maximum time a sample will run. |
| force | If set to True, will rescan if the sample matches a previous scan. |
| analysis type | 0 = sandbox, 1 = live. |
| application id | For AX Series appliances (7.7 and higher) and CM Series appliances that manage AX Series appliances (7.7 and higher), setting the application value to -1 allows the AX Series appliance to choose the application. For other appliances, setting the application value to 0 allows the AX Series appliance to choose the application. |
[floss]¶
This module extracts ASCII, UTF-8, stack and obfuscated strings from executable files. More information about module configuration can be found at the flare-floss documentation.
[impfuzzy]¶
This module calculates a fuzzy hash using ssdeep where Windows PE imports is the input. This strategy was originally described in a blog post from JPCERT/CC.
[libmagic]¶
This module runs libmagic against the files.
| Parameter | Description |
|---|---|
| magicfile | The path to the compiled magic file you wish to use. If None it will use the default one. |
[Metadefender]¶
This module runs Metadefender against the files.
| Parameter | Description |
|---|---|
| timeout | The maximum time a sample will run. |
| running timeout | An additional timeout, if a task is in the running state this many seconds past timeout, the task is considered failed. |
| fetch delay seconds | The number of seconds for the module to wait between submitting all samples and polling for scan results. Increase this value if Metadefender is taking a long time to store the samples. |
| poll interval | The number of seconds between successive queries to Metadefender for scan results. Default is 5 seconds. |
| user agent | Metadefender user agent string, refer to your Metadefender server configuration for this value. Default is “user agent”. |
[NSRL]¶
This module looks up hashes in the NSRL database. These two parameters are automatically generated. Users must run nsrl_parse.py tool in the utils/ directory before using this module.
| Parameter | Description |
|---|---|
| hash_list | The path to the NSRL database on the local filesystem, containing the MD5 hash, SHA1 hash, and original file name. |
| offsets | A file that contains the pointers into hash_list file. This is necessary to speed up searching of the NSRL database file. |
[officemeta]¶
This module extracts metadata from Microsoft Office documents.
Note: This module does not support OOXML documents (e.g., docx, pptx, xlsx).
[pdfinfo]¶
This module extracts out feature information from PDF files. It uses pdf-parser.
[PEFile]¶
This module extracts out feature information from EXE files. It uses pefile which is currently not available for python 3.
[ssdeeper]¶
This module generates context triggered piecewise hashes (CTPH) for the files. More information can be found on the ssdeep website.
[Tika]¶
This module extracts metadata from the file using Tika. For configuration of the module see the tika-python documentation.
| Parameter | Description |
|---|---|
| remove-entry | A Python list of Tika results that should not be included in the report. |
[TrID]¶
This module runs TrID against the files. The definition file should be in the same folder as the executable.
[vtsearch]¶
This module searches virustotal for the files hash and download the report if available.
| Parameter | Description |
|---|---|
| apikey | Public/private api key. Can optionally make it a list and the requests will be distributed across them. This is useful when two groups with private api keys want to share the load and reports. |
[VxStream]¶
This module submits a file to a VxStream Sandbox cluster for analysis.
| Parameter | Description |
|---|---|
| BASE URL | The base URL of the VxStream server. |
| API URL | The URL to the API server (include the /api/ in this URL). |
| API Key | The user’s API key to the API server. |
| API Secret | The user’s secret to the API server. |
| Environment ID | The environment in which to execute the sample (if you have different sandboxes configured). |
| Verify | Set to false to ignore TLS certificate errors when querying the VxStream server. |
| timeout | The maximum time a sample will run |
| running timeout | An additional timeout, if a task is in the running state this many seconds past timeout, the task is considered failed. |
[YaraScan]¶
This module scans the files with yara and returns the results. You will need yara-python installed for this module.
| Parameter | Description |
|---|---|
| ruledir | The directory to look for rule files in. |
| fileextensions | A Python array of all valid rule file extensions. Files not ending in one of these will be ignored. |
| ignore-tags | A Python array of yara rule tags that will not be included in the report. |