Florentino - Fast Static File Analysis Framework

Reader submission 653 2022-10-23

Florentino: Fast Static File Analysis Framework

Story

Florentino is named after a fictional warrior.

Florentino: "I'd wear a fedora but they haven't invented them yet"

As the sole heir to the House of Perfume, Florentino's romantic adventures were as well-known as his lavish balls ....

Florentino: "Ah... relationships are such a bother"

Introduction

Florentino is a cross-platform file analysis framework, useful for extracting static artifacts from malware and for analysing unknown files.

He can help malware analysts and security researchers get a quick first look at an unknown file. He can't win a big war alone, though, so he calls on his friends to help fight the bad guys. These friends (credits) are:

- Golang
- D.I.E
- iocextract
- VirusTotal
- Floss
- Strings

Without them, the war would have been lost from the beginning.

Motivation

Whenever we analyse an unknown file, there is a set of steps that is almost identical every time. Florentino aims to automate some of these tedious steps so an analyst can move on to manual and dynamic analysis faster.

Florentino: "Flowers, women – I desire all that is beautiful."

Features

Florentino is written in Go, and it's fast. You can run it before any other tool in your chain to get a good grasp of the target file. Often that first pass is enough to decide whether a file deserves deeper analysis as malicious.

1- File detection engine

Thanks to D.I.E, Florentino can detect hundreds of file types.

Number of com signatures: 200
Number of Text signatures: 14
Number of com signatures: 3
Number of MSDOS signatures: 306
Number of PE/PE+ signatures: 525
Number of DS signatures: 19
Number of EP signatures: 3
Number of ELF/ELF64 signatures: 16
Number of MACH/MACH64 signatures: 8
Total signatures: 1117

Besides file type detection, entropy calculation and packer detection are also performed.
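As an added example (not Florentino's own code, which delegates detection to D.I.E), here is the kind of first-pass check the two features above describe: classification into PE, ELF or Mach-O from magic bytes, including the e_lfanew follow-up that separates a real PE from a bare MZ stub, plus Shannon entropy with a packing hint. The 7.0 bits-per-byte threshold and the `MinimalPEStub` fixture are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"math"
	"os"
)

// Kind is the coarse executable container recognised from magic bytes.
type Kind string

const (
	KindPE      Kind = "PE"
	KindELF     Kind = "ELF"
	KindMachO   Kind = "Mach-O"
	KindUnknown Kind = "unknown"
)

// DetectKind classifies data by its leading bytes. "MZ" alone is not enough
// for PE: the e_lfanew field at 0x3c must point at a "PE\0\0" signature inside
// the buffer, otherwise the file is reported as unknown.
func DetectKind(data []byte) Kind {
	switch {
	case len(data) >= 4 && bytes.Equal(data[:4], []byte{0x7f, 'E', 'L', 'F'}):
		return KindELF
	case len(data) >= 4 && isMachOMagic(data[:4]):
		return KindMachO
	case len(data) >= 0x40 && data[0] == 'M' && data[1] == 'Z':
		off := int(binary.LittleEndian.Uint32(data[0x3c:0x40]))
		if off >= 0 && off+4 <= len(data) && bytes.Equal(data[off:off+4], []byte{'P', 'E', 0, 0}) {
			return KindPE
		}
	}
	return KindUnknown
}

// isMachOMagic matches thin Mach-O headers in both byte orders. The FAT magic
// 0xcafebabe is deliberately left out: Java class files start with the same
// four bytes, so accepting it needs further disambiguation.
func isMachOMagic(b []byte) bool {
	for _, m := range [][]byte{
		{0xfe, 0xed, 0xfa, 0xce}, {0xce, 0xfa, 0xed, 0xfe}, // MH_MAGIC / MH_CIGAM
		{0xfe, 0xed, 0xfa, 0xcf}, {0xcf, 0xfa, 0xed, 0xfe}, // MH_MAGIC_64 / MH_CIGAM_64
	} {
		if bytes.Equal(b, m) {
			return true
		}
	}
	return false
}

// Entropy returns the Shannon entropy of data in bits per byte (0 to 8).
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// PackedThreshold is an assumed cut-off: compressed or encrypted payloads sit
// close to 8 bits/byte, while plain compiled code (such as the 6.07 the Ryuk
// sample below reports) stays well under it. It is a hint, not a verdict.
const PackedThreshold = 7.0

// LooksPacked flags data whose entropy is at or above PackedThreshold.
func LooksPacked(data []byte) bool { return Entropy(data) >= PackedThreshold }

// MinimalPEStub is a constructed 68-byte buffer: a DOS header whose e_lfanew
// points at a PE signature. It exists only to exercise DetectKind.
func MinimalPEStub() []byte {
	buf := make([]byte, 0x44)
	buf[0], buf[1] = 'M', 'Z'
	binary.LittleEndian.PutUint32(buf[0x3c:], 0x40)
	copy(buf[0x40:], []byte{'P', 'E', 0, 0})
	return buf
}

func main() {
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("kind=%s entropy=%.5f packed=%v\n", DetectKind(data), Entropy(data), LooksPacked(data))
}
```

Run it as `go run triage.go <file>`. The entropy figure is comparable to the "entropy" field in the D.I.E-based report shown later on this page.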

2- Scan engine

Florentino can draw on several sources to analyse a file:

- VirusTotal: the file is checked for an existing report
- Strings and IOC scan: strings are extracted from the binary, scanned for indicators, and where possible deobfuscated
- Binary scan: PE x86/x64, Mach-O x86/x64 and ELF x86/x64 files are parsed to obtain imported symbols and libraries
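The binary scan step, as an added example that is not part of Florentino: parsing a file with Go's standard debug/pe, debug/elf and debug/macho packages to recover imported libraries and symbols. The function names are my own. One caveat in it is real and worth knowing before you build on the standard library: (*pe.File).ImportedLibraries is an unimplemented stub that returns nil, nil, so DLL names have to be split out of the "Symbol:Library.dll" strings that ImportedSymbols returns.

```go
package main

import (
	"bytes"
	"debug/elf"
	"debug/macho"
	"debug/pe"
	"errors"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Imports maps a library name to the sorted symbols imported from it.
type Imports map[string][]string

// GroupPEImports turns debug/pe's "Symbol:Library.dll" strings into a
// per-library map; debug/pe's ImportedLibraries returns nil, nil, so this is
// the only route to DLL names. Names are lower-cased because the Windows
// loader matches DLL names case-insensitively.
func GroupPEImports(symbols []string) Imports {
	out := Imports{}
	for _, s := range symbols {
		parts := strings.SplitN(s, ":", 2)
		if len(parts) != 2 {
			continue
		}
		lib := strings.ToLower(parts[1])
		out[lib] = append(out[lib], parts[0])
	}
	for _, v := range out {
		sort.Strings(v)
	}
	return out
}

// ParseImports tries the PE, ELF and Mach-O parsers in turn. Symbols whose
// providing library is unknown (all Mach-O symbols, since debug/macho does not
// expose two-level namespace binding; ELF symbols without version info) go under "*".
func ParseImports(data []byte) (format string, imports Imports, err error) {
	r := bytes.NewReader(data) // io.ReaderAt, so every parser starts at offset 0
	if f, e := pe.NewFile(r); e == nil {
		syms, e := f.ImportedSymbols()
		if e != nil {
			return "PE", nil, e
		}
		return "PE", GroupPEImports(syms), nil
	}
	if f, e := elf.NewFile(r); e == nil {
		out := Imports{}
		libs, e := f.ImportedLibraries() // DT_NEEDED entries
		if e != nil {
			return "ELF", nil, e
		}
		for _, l := range libs {
			out[l] = []string{}
		}
		syms, e := f.ImportedSymbols()
		if e != nil && !errors.Is(e, elf.ErrNoSymbols) { // static binaries have no .dynsym
			return "ELF", nil, e
		}
		for _, s := range syms {
			lib := s.Library
			if lib == "" {
				lib = "*"
			}
			out[lib] = append(out[lib], s.Name)
		}
		for _, v := range out {
			sort.Strings(v)
		}
		return "ELF", out, nil
	}
	if f, e := macho.NewFile(r); e == nil {
		out := Imports{}
		libs, e := f.ImportedLibraries() // LC_LOAD_DYLIB paths
		if e != nil {
			return "Mach-O", nil, e
		}
		for _, l := range libs {
			out[l] = []string{}
		}
		syms, e := f.ImportedSymbols()
		if e != nil {
			return "Mach-O", nil, e
		}
		sort.Strings(syms)
		out["*"] = syms
		return "Mach-O", out, nil
	}
	return "", nil, fmt.Errorf("not a PE, ELF or Mach-O image (%d bytes)", len(data))
}

func main() {
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(ParseImports(data))
}
```

Run it as `go run imports.go <file>`. Seeing, for instance, advapi32.dll's registry functions next to kernel32.dll's file APIs is the kind of quick signal the scan engine is meant to give before any dynamic analysis.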

3- Packer detection and unpacking

Currently only PE x86 files are supported.
Unpack engine: unpac.me

4- Report

All reports are stored as text files in the /data directory.

Please note that Florentino is not a reversing suite; its only aim is to speed up the first pass of analysis. Florentino is modular and easy to extend with your own tools.

Florentino: Fairest ladies, my lips are like whatever, I'll finish this later ...

Version

1.0.1-alpha

Installation and Usage

Florentino: "You have bad form my friend."

Check out the documentation at /docs/README.md

Action time: Florentino VS Ryuk Ransomware

Let's run Florentino against the much-talked-about, multi-million-dollar ransomware Ryuk.

Florentino -f 8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd7.exe

After a minute or so, we check the /data folder:

{
  "detects": [
    {
      "filetype": "PE+(64)",
      "name": "Microsoft Visual C/C++(2015 v.14.0)[-]",
      "type": "compiler"
    },
    {
      "filetype": "PE+(64)",
      "name": "Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE64]",
      "type": "linker"
    }
  ],
  "entropy": "6.07306",
  "filename": "/malwares/8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd7.exe"
}

/C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "

Gentlemen!Your business is at serious risk. BLAH BLAH BLAH15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj.....

Now, in under three minutes, we already know it's ransomware, that it's not packed, we've decrypted the first layer of obfuscated strings, and we've even extracted the persistence method.

Please consider that this is NOT ready for production; the main point of releasing it is to show how you can achieve similar results. The code can be greatly improved.
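As an added example, not code from the project: a minimal strings-plus-IOC pass of the kind that surfaced the Run-key persistence command and the payment address above. It extracts ASCII and UTF-16LE strings (Windows malware keeps many command lines and registry paths as wide strings, which a plain ASCII strings pass shreds into single characters) and runs shape-based regexes over them. `SampleBlob` is a constructed buffer that reuses the two strings from the report above; the pattern names, the patterns themselves and the 6-character minimum are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"unicode/utf16"
)

// ExtractStrings returns runs of at least minLen printable ASCII characters:
// first plain ASCII runs, then UTF-16LE runs at both byte alignments.
func ExtractStrings(data []byte, minLen int) []string {
	printable := func(b byte) bool { return b >= 0x20 && b <= 0x7e }
	var out []string

	start := -1
	for i := 0; i <= len(data); i++ {
		if i < len(data) && printable(data[i]) {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(data[start:i]))
		}
		start = -1
	}

	for align := 0; align < 2; align++ {
		var run []uint16
		for i := align; i <= len(data); i += 2 {
			if i+1 < len(data) && printable(data[i]) && data[i+1] == 0 {
				run = append(run, uint16(data[i]))
				continue
			}
			if len(run) >= minLen {
				out = append(out, string(utf16.Decode(run)))
			}
			run = run[:0]
		}
	}
	return out
}

// iocPatterns are shape checks. The Bitcoin pattern only tests base58 form and
// length, so other identifiers of the same shape fire too: hits are leads to verify.
var iocPatterns = map[string]*regexp.Regexp{
	"persistence_run_key": regexp.MustCompile(`(?i)\\CurrentVersion\\Run(?:Once)?\b`),
	"bitcoin_address":     regexp.MustCompile(`\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b`),
	"ipv4":                regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`),
	"url":                 regexp.MustCompile(`(?i)\bhttps?://[^\s"'<>]+`),
}

// ScanIOCs returns the distinct matches per pattern name, sorted.
func ScanIOCs(strs []string) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, s := range strs {
		for name, re := range iocPatterns {
			for _, m := range re.FindAllString(s, -1) {
				if seen[name] == nil {
					seen[name] = map[string]bool{}
				}
				seen[name][m] = true
			}
		}
	}
	out := map[string][]string{}
	for name, set := range seen {
		for m := range set {
			out[name] = append(out[name], m)
		}
		sort.Strings(out[name])
	}
	return out
}

// SampleBlob is a constructed stand-in for a slice of the Ryuk sample: the
// persistence command from the report above as ASCII, a few non-printable
// bytes, a UTF-16LE fragment of the ransom note, and the listed payment address.
func SampleBlob() []byte {
	b := []byte(`/C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "`)
	b = append(b, 0x00, 0x90, 0xff, 0x7f, 0x00)
	for _, c := range "Your business is at serious risk." {
		b = append(b, byte(c), 0)
	}
	b = append(b, 0x00, 0x01)
	return append(b, "Wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj"...)
}

func main() {
	for name, hits := range ScanIOCs(ExtractStrings(SampleBlob(), 6)) {
		fmt.Printf("%s: %v\n", name, hits)
	}
}
```

Swapping `SampleBlob()` for the bytes of a real file gives a first IOC list in seconds; on packed samples it will be nearly empty, which is itself a useful signal to hand over to the unpacking step.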

How to contribute

Florentino : "HaHa, A wonderful day for a duel among gentlemen."

Learn More

Malware fights back: the tale of Agent Tesla

Awesome Malware Analysis

Awesome Reversing

License

The project is licensed under the WTFPL.
