README
malice-floss
Malice FLOSS Plugin
This repository contains a Dockerfile of the FLOSS malice plugin malice/floss.
Dependencies
Installation
- Install Docker.
- Download trusted build from public DockerHub:
docker pull malice/floss
Usage
docker run --rm -v /path/to/file:/malware:ro malice/floss FILE
Usage: floss [OPTIONS] COMMAND [arg...]
Malice FLOSS Plugin
Version: v0.1.0, BuildTime: 20180903
Author:
blacktop - <https://github.com/blacktop>
Options:
--verbose, -V verbose output
--timeout value malice plugin timeout (in seconds) (default: 120) [$MALICE_TIMEOUT]
--elasticsearch value elasticsearch url for Malice to store results [$MALICE_ELASTICSEARCH_URL]
--callback, -c POST results to Malice webhook [$MALICE_ENDPOINT]
--proxy, -x proxy settings for Malice webhook endpoint [$MALICE_PROXY]
--table, -t output as Markdown table
--all, -a output ascii/utf-16 strings
--help, -h show help
--version, -v print the version
Commands:
web Create a FLOSS scan web service
help Shows a list of commands or help for one command
Run 'floss COMMAND --help' for more information on a command.
This will write the results to stdout and, when --callback is given, POST them to the Malice results API webhook endpoint.
Sample Output
JSON
{
"floss": {
"ascii": null,
"utf-16": null,
"decoded": [
{
"location": "0x401059",
"strings": [
"*lecnaC*",
"Software\\Microsoft\\CurrentNetInf",
"SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
"MicrosoftZj",
"LhbqnrnesDwhs",
"MicrosoftHaveExit",
"LhbqnrnesG`ud@bj",
"IEXPLORE.EXE",
"/ver.htm",
"/exe.htm",
"/app.htm",
"/myapp.htm",
"/hostlist.htm",
".a`j-gsl",
"/SomeUpList.htm",
"/SomeUpVer.htm",
"www.flyeagles.com",
"www.km-nyc.com",
"/restore",
"/dizhi.gif",
"/connect.gif",
"\\$NtUninstallKB900727$",
"\\netsvc.exe",
"\\netscv.exe",
"\\netsvcs.exe",
"System Idle Process",
"Program Files",
"\\Internet Exp1orer",
"forceguest",
"AudioPort",
"AudioPort.sys",
"SYSTEM\\CurrentControlSet\\Services",
"SYSTEM\\ControlSet001\\Services",
"SYSTEM\\ControlSet002\\Services",
"\\drivers\\",
"\\DriverNum.dat"
]
},
{
"location": "0x404DDE",
"strings": [
"SMBs",
"NTLMSSP",
"Windows 2000 2195",
"Windows 2000 5.0",
"SMBr",
"PC NETWORK PROGRAM 1.0",
"LANMAN1.0",
"Windows for Workgroups 3.1a",
"LM1.2X002",
"LANMAN2.1",
"NT LM 0.12"
]
},
{
"location": "0x401047",
"strings": ["Ie_nkokbpAtep", "+^]g*dpi", "Ie_nkokbpD]ra=_g"]
}
],
"stack": ["cmd.exe"]
}
}
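As an added example (not part of the plugin itself), the Go below parses the JSON structure shown above and performs a small triage pass: it counts every recovered string and pulls out the registry paths, since Run and Services keys like the ones in this sample are the persistence hints an analyst checks first. The `Report` field names are taken from the sample; the `sample` constant is a constructed, trimmed subset of it.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Report mirrors the "floss" object in the plugin's JSON output;
// field names come from the sample output in this README.
type Report struct {
	Floss struct {
		ASCII   []string `json:"ascii"`
		UTF16   []string `json:"utf-16"`
		Decoded []struct {
			Location string   `json:"location"`
			Strings  []string `json:"strings"`
		} `json:"decoded"`
		Stack []string `json:"stack"`
	} `json:"floss"`
}

// Parse decodes one JSON report as emitted by `floss FILE`.
func Parse(data []byte) (*Report, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	return &r, nil
}

// Triage counts every recovered string and collects registry paths (Run/
// Services keys like those in the sample are the usual persistence hints).
func Triage(r *Report) (total int, registry []string) {
	groups := [][]string{r.Floss.ASCII, r.Floss.UTF16, r.Floss.Stack}
	for _, g := range r.Floss.Decoded {
		groups = append(groups, g.Strings)
	}
	for _, g := range groups {
		for _, s := range g {
			total++
			if strings.HasPrefix(s, `Software\`) || strings.HasPrefix(s, `SYSTEM\`) {
				registry = append(registry, s)
			}
		}
	}
	return total, registry
}

// sample is a constructed, trimmed subset of the README's JSON output.
const sample = `{"floss":{"ascii":null,"utf-16":null,"decoded":[{"location":"0x401059","strings":["Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run","www.flyeagles.com","\\netsvc.exe"]},{"location":"0x401047","strings":["Ie_nkokbpAtep"]}],"stack":["cmd.exe"]}}`
```

The ascii and utf-16 arrays stay null unless the plugin was run with --all, so nil slices simply contribute nothing to the count.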
Markdown
Floss
Decoded Strings
Location: 0x401059
*lecnaC*
Software\Microsoft\CurrentNetInf
SYSTEM\CurrentControlSet\Control\Lsa
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
MicrosoftZj
LhbqnrnesDwhs
MicrosoftHaveExit
LhbqnrnesG`ud@bj
IEXPLORE.EXE
/ver.htm
/exe.htm
/app.htm
/myapp.htm
/hostlist.htm
.a`j-gsl
/SomeUpList.htm
/SomeUpVer.htm
www.flyeagles.com
www.km-nyc.com
/restore
/dizhi.gif
/connect.gif
\$NtUninstallKB900727$
\netsvc.exe
\netscv.exe
\netsvcs.exe
System Idle Process
Program Files
\Internet Exp1orer
forceguest
AudioPort
AudioPort.sys
SYSTEM\CurrentControlSet\Services
SYSTEM\ControlSet001\Services
SYSTEM\ControlSet002\Services
\drivers\
\DriverNum.dat
Location: 0x404DDE
SMBs
NTLMSSP
Windows 2000 2195
Windows 2000 5.0
SMBr
PC NETWORK PROGRAM 1.0
LANMAN1.0
Windows for Workgroups 3.1a
LM1.2X002
LANMAN2.1
NT LM 0.12
Location: 0x401047
Ie_nkokbpAtep
+^]g*dpi
Ie_nkokbpD]ra=_g
Stack Strings
cmd.exe
Documentation
Issues
Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue.
CHANGELOG
See CHANGELOG.md
Contributing
See all contributors on GitHub.
Please update the CHANGELOG.md and submit a Pull Request on GitHub.
TODO
- https://bitbucket.org/cse-assemblyline/alsvc_frankenstrings
- prevent URLs from being rendered as links in MarkDown ⚠
License
MIT Copyright (c) 2016 blacktop