Misc Tech Notes

Monday 28 March 2016

AFAR - Automatic File Analyze and Reporting

Posted by Peter Reuterås in Tips

I've now added AFAR (Automatic File Analyze and Reporting) to GitHub. The project started a couple of weeks ago when I automated the collection of viruses stopped by anti-virus. That was a very simple script, since I could reuse a tool written by a colleague. Then I had a couple of zip files with viruses in a database format. That didn't make me any happier, so I wrote another simple tool to extract the malware files (my colleague has since updated his script to do this). I still wasn't happier: I had only gone from having lists of stopped malware to a bunch of malware files on my computer. What to do with them?

Since there are so many new malware files every day, the anti-virus companies can no longer write detailed technical information about each virus. I wanted to know more about the viruses and also be able to analyze unknown files. I started with a script that submitted files to a virtual Cuckoo on my Mac. This simple start then evolved into AFAR, which submits the file to Cuckoo and can also run tests in virtual machines with Windows and REMnux.

Now I should have been a happy analyst who had gone from only having a list of stopped malware to having reports of their actions. Right? The problem now was that after the first run I had over 30 report directories, each with a report from Cuckoo plus reports from other tools. To handle this information overload I continued on my bash/sed/grep journey and took the file and signatures parts from all Cuckoo Sandbox reports and put them in one file modelled on the regular Cuckoo report page (more sed...).

This was a great beginning, and since then I've included code to parse matches from Yara-Rules and include them in the summary report. In the future I'll look at adding more information to the summary page.
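The two steps above, pulling the file and signatures sections out of every Cuckoo report and folding the Yara-Rules matches into one summary page, can be sketched in a few dozen lines. The script below is an added example and not AFAR's own code (AFAR does this with bash/sed/grep). It assumes a directory layout of one run directory per sample containing reports/report.json, plus an assumed yara.txt with one rule name per line from the separate Yara-Rules scan, and it assumes the target/signatures key names of a Cuckoo 2.x report.json; adjust those to your Cuckoo version. The fixture it builds is constructed, not real malware reports. One thing worth noticing for a page you open in a browser: every string in the table came from the sample, so it is HTML-escaped before rendering, and the rows are sorted so the highest-severity samples come first.

```python
"""Merge per-sample Cuckoo Sandbox JSON reports into one summary page.
Added example, not AFAR's own code. Assumed layout (Cuckoo versions differ, so
adjust the keys to your own report.json): <root>/<sample>/reports/report.json is
the Cuckoo report; <root>/<sample>/yara.txt (assumed) lists Yara-Rules hits."""
import html
import json
import os
import tempfile

SEVERITY_LABEL = {3: "high", 2: "medium", 1: "low"}


def extract_summary(report, extra_yara=()):
    """Pull the file and signature sections out of one Cuckoo report dict."""
    target = report.get("target", {}).get("file", {})
    sigs = sorted(({"name": s.get("name", ""), "severity": int(s.get("severity", 1)),
                    "description": s.get("description", "")}
                   for s in report.get("signatures", [])), key=lambda s: -s["severity"])
    # Yara hits Cuckoo recorded on the target file, plus the external scan.
    yara = [m.get("name", "") for m in target.get("yara", [])]
    yara += [r.strip() for r in extra_yara if r.strip()]
    return {"name": target.get("name", "?"), "sha256": target.get("sha256", ""),
            "type": target.get("type", ""), "signatures": sigs, "yara": sorted(set(yara)),
            "max_severity": max((s["severity"] for s in sigs), default=0)}


def summarize_directory(root):
    """Walk <root>/<sample>/ and return one row per sample, most suspicious first."""
    rows = []
    for sample in sorted(os.listdir(root)):
        report_path = os.path.join(root, sample, "reports", "report.json")
        if not os.path.isfile(report_path):
            continue  # not a finished run directory
        with open(report_path, encoding="utf-8") as fh:
            report = json.load(fh)
        extra = []
        yara_path = os.path.join(root, sample, "yara.txt")
        if os.path.isfile(yara_path):
            with open(yara_path, encoding="utf-8") as fh:
                extra = fh.readlines()
        row = extract_summary(report, extra)
        row["dir"] = sample
        rows.append(row)
    rows.sort(key=lambda r: (-r["max_severity"], -len(r["signatures"]),
                             -len(r["yara"]), r["dir"]))
    return rows


def render_html(rows):
    """Build the page. Every field came from the sample, so escape it: a crafted
    file name or Yara meta string must not run in the browser opening the report."""
    e = html.escape
    parts = ["<html><body><h1>AFAR summary</h1><table border='1'><tr><th>Dir</th>"
             "<th>File</th><th>Type</th><th>Severity</th><th>Signatures</th><th>Yara</th></tr>"]
    for r in rows:
        sigs = "<br>".join(f"[{SEVERITY_LABEL.get(s['severity'], s['severity'])}] "
                           f"{e(s['name'])}: {e(s['description'])}" for s in r["signatures"])
        parts.append(f"<tr><td>{e(r['dir'])}</td><td>{e(r['name'])}<br><small>{e(r['sha256'])}"
                     f"</small></td><td>{e(r['type'])}</td>"
                     f"<td>{SEVERITY_LABEL.get(r['max_severity'], 'none')}</td>"
                     f"<td>{sigs}</td><td>{e(', '.join(r['yara']))}</td></tr>")
    parts.append("</table></body></html>")
    return "\n".join(parts)


def build_sample_tree(root):
    """Constructed fixture: two fake run directories plus a stray directory."""
    runs = {
        "run01": ({"target": {"file": {"name": "invoice.exe", "sha256": "a" * 64,
                                        "type": "PE32 executable",
                                        "yara": [{"name": "embedded_pe"}]}},
                   "signatures": [{"name": "persistence_autorun", "severity": 3,
                                   "description": "Installs itself for autorun at startup"},
                                  {"name": "antivm_generic", "severity": 2,
                                   "description": "Checks for VM artifacts"}]},
                  ["Win_Trojan_Generic\n", "\n"]),
        "run02": ({"target": {"file": {"name": "<script>alert(1)</script>.doc",
                                        "sha256": "b" * 64, "type": "Composite Document"}},
                   "signatures": [{"name": "office_macro", "severity": 1,
                                   "description": "Document contains a macro"}]}, []),
    }
    for name, (report, yara_lines) in runs.items():
        os.makedirs(os.path.join(root, name, "reports"))
        with open(os.path.join(root, name, "reports", "report.json"), "w") as fh:
            json.dump(report, fh)
        if yara_lines:
            with open(os.path.join(root, name, "yara.txt"), "w") as fh:
                fh.writelines(yara_lines)
    os.makedirs(os.path.join(root, "notes"))  # no report.json: must be skipped
    return root


def run_demo():
    """Build the fixture in a temp dir, summarize it and write summary.html there."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="afar-"))
    rows = summarize_directory(root)
    page = render_html(rows)
    with open(os.path.join(root, "summary.html"), "w", encoding="utf-8") as fh:
        fh.write(page)
    return rows, page
```

Calling run_demo() builds the constructed tree under a temporary directory, writes summary.html next to it and returns the rows and the page; pointing summarize_directory() at a real AFAR output directory instead is the only change needed for actual reports, apart from matching the key names to your Cuckoo version.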

To give you a hint of what the tool does, see the screenshots below. The virtual machines start with the nogui flag, so the user never sees them.

The command output is verbose, to tell the user about the progress, since a run takes time.

Screenshot: Command line output from afar.sh

The -o switch opens a summary HTML page when the analysis is complete.

Screenshot: Summary page for an afar.sh run

If a file looks interesting in the summary, you can look in the directory structure for more automated output.

The goal is to save time: automate 80% of the job and get more time to look at the 20% (or less) of files that are interesting.