HaboMalHunter

(Please see the Chinese version here)

Tencent’s open source incentive program encourages developers’ participation and contributions, and looks forward to your joining.

HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system. The tool help security analyze extracting the static and dynamic features from malware effectively and efficiently. The generated report provides significant information about process, file I/O, network and system calls.

The tool can be used for the static and dynamic analysis of ELF files on the Linux x86/x64 platform.

1. Basic Information: md5, name, file type, size and SSDEEP.
2. SO Files Dependency: SO files information (only applied for dynamic linked files).
3. Strings Information.
4. ELF Header and Entry Point.
5. IP and PORTS
6. ELF Segment, Section and Hash.
7. Source File Names.

1. Starting and Termination: Time Stamps and Elapsed Time.
2. Processes Information: clone, execve and exit etc.
3. File I/O: open, read, write and delete etc.
4. Network: TCP, UDP, HTTP and HTTPS etc.
5. Typical Malicous Actions: self deletion, midification and lock.
6. API Information: getpid, system, dup and other libc functions.
7. syscall sequences.

1. The HTML report.

2. The JSON report.

The tool will run on the VirtualBox 5.1 with Ubuntu 14.04 LTS.

in order to install thrid party software, please execute the following command after obtaining the code:

root# cd ./util/update_image
root# bash update_image.sh

git clone https://github.com/Tencent/HaboMalHunter.git

Firstly, please upload the source code into the VM. Execute the following command with root permission under the /root directory.

cp -ra /media/sf_Source/ * .

The command will compile and package the source code, and then will generate two zip files.

bash package.sh

using ./test/bin/read.32.elf to make a test. The second command will copy report and log outside the VM.

 python AnalyzeControl.py -v -l ./test/bin/read.32.elf
cp ./log/output.zip /media/sf_Source/

Among the result, output.static is static analysis result, output.dynamic is dynamic analysis result, and system.log is runtime log. Users can also upload samples to the Habo Malware Analysis System (https://habo.qq.com) to get a brief report.

1. [done] Memory Analysis.
2. More YARA rules (./utils/yara/malware/)
3. [done] HTML output format

1. Malware Analysis should be done inside a Virtual Machine environment and Intel-VT should be enabled on the host's BIOS. We shall not be liable to the damage of the analyzed malware.
2. VirtualBox 5.1 is recommended.
3. The tool will also generate dynamic log, which contains one error message, for ELF files which can not be executed, such as so files.

HaboMalHunter is an open source sub-project of the Hubble Analysis System (https://habo.qq.com), an open source tool for automated analysis and file security detection under the Linux platform. Using this tool can help security analysts to obtain static and dynamic behavior characteristics of malicious samples in a concise and efficient manner. The analysis report provides key information such as processes, files, networks and system calls.

Open source code supports automated static dynamic analysis of ELF files on Linux x86/x64 platforms.

1. Basic information: including file md5, name, type, size and SSDEEP.
2. Dependency so information: For dynamically linked files, output dependent so information.
3. String information
4. ELF header information, entry point
5. IP and port information
6. ELF segment information, section information and hash value
7. Source file name

1. Dynamic operation start-up end information: time-consuming, etc.
2. Process information: clone system call, execve call, process creation end, etc.
3. File operation information: Open, read, modify, delete and other file IO operations
4. Network information: TCP, UDP, HTTP, HTTPS, SSL and other information
5. Typical malicious behavior: self-deletion, self-modification and self-locking, etc.
6. API information: getpid, system, dup and other libc function calls
7. syscall sequence information

Using Hubble Linux open source version for virus analysis requires first creating a virtual machine environment for running viruses. Never run and analyze viruses directly in real environments. The project uses VirtualBox 5.1 to run Ubuntu 14.04 LTS as the analytical environment by default.

Install relevant software and obtain the source code, please run the following command as root in the virtual machine:

root# cd ./util/update_image
root# bash update_image.sh

Use git tools to get the source code.

git clone https://github.com/Tencent/HaboMalHunter.git

Most of the source code is python, and some of the C code needs to be compiled and packaged. First upload the code to the virtual machine. Use root identity and use commands in the /root/ directory, as shown in the figure:

cp -ra /media/sf_Source/ * .

Run the command, compile and package, and output two files, AnalyzeControl_1129.zip and test_1129.zip, as shown in the figure:

bash package.sh

This time, we used the test file ./test/bin/read.32.elf for testing. Use the following command: The second command will copy the analysis results outside the virtual machine and be used by analysts to read.

 python AnalyzeControl.py -v -l ./test/bin/read.32.elf
cp ./log/output.zip /media/sf_Source/

In the analysis results, output.static is the static analysis result, output.dynamic is the dynamic analysis result, and system.log is the runtime log. At the same time, sample analysis can also be performed in combination with the results display in the Hubble Analysis System (https://habo.qq.com).

1. [Completed] Want to use volatile and LiME for memory analysis
2. Hope to add more virus rules (./util/yara/malware)
3. [Completed] I hope to convert the output json data format into HTML page for display

1. To analyze viruses, please perform them in a virtual machine environment and enable Intel-VT function in the BIOS settings. This project does not assume any responsibility for any software security issues caused by running viruses.
2. It is recommended to use VirtualBox 5.1 or above to run virtual machines.
3. For ELF files that cannot be run, such as so files, Hubble Analysis System will generate dynamic logs by default, but there are only error messages that cannot be run.