elfen

ELFEN: Automated Linux Malware Analysis Sandbox

https://github.com/nikhilh-20/elfen

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (11.5%) to scientific vocabulary

Repository

ELFEN: Automated Linux Malware Analysis Sandbox

Basic Info
  • Host: GitHub
  • Owner: nikhilh-20
  • License: gpl-3.0
  • Language: Python
  • Default Branch: main
  • Homepage:
  • Size: 1.52 MB
Statistics
  • Stars: 122
  • Watchers: 3
  • Forks: 15
  • Open Issues: 0
  • Releases: 0
Created about 3 years ago · Last pushed almost 2 years ago

README.md

ELFEN: Linux Malware Analysis Sandbox

ELFEN is a dockerized sandbox for analyzing Linux (file type: ELF) malware. It leverages an array of open-source technologies to perform both static and dynamic analysis. Results are available through both the GUI and API.

Currently, ELFEN supports the analysis of ELF binaries for the following architectures:

  • x86-64
  • MIPS 32-bit big/little-endian
  • PowerPC 32-bit big-endian
  • ARMv5 32-bit little-endian

Getting Started

Prerequisite

Install Docker Engine and the Docker Compose plugin (the `docker compose` subcommand used below) following https://docs.docker.com/engine/install/ubuntu/

Setup

  1. Clone the ELFEN repository (with submodules).

```bash
$ git clone --recursive git@github.com:nikhilh-20/ELFEN.git
```

  2. Modify the Django secret key in ELFEN/settings.py#L30. Django uses SECRET_KEY for cryptographic signing (sessions, CSRF tokens, password-reset tokens and similar), so it must be generated randomly and kept out of version control. It can be generated in the following manner, for example:

```python
import secrets

# ASCII characters range: 33-126
ascii_chars = [chr(i) for i in range(33, 127)]

# Length of SECRET_KEY must be 50 characters minimum
keylen = 60
key = ''.join(secrets.choice(ascii_chars) for i in range(keylen))

# The key may contain quotes and backslashes; repr() prints it as a valid
# Python string literal that can be pasted into settings.py as-is.
print(repr(key))
```

  3. ELFEN ships with fixed default credentials for the following services. The defaults are public in the repository, so change them before bringing the system up, and keep the settings.py copies in sync with the Docker files.

    • MySQL. Refer to docker/mysql/Dockerfile.
      • Ensure changes, if any, are also mirrored to ELFEN/settings.py#L101-L103
    • PostgreSQL. Refer to docker/postgres/Dockerfile and docker/postgres/init.sql.
      • Ensure changes, if any, are also mirrored to ELFEN/settings.py#L115-L117 and ELFEN/settings.py#L136
    • RabbitMQ. Refer to docker/rabbitmq/Dockerfile.
      • Ensure changes, if any, are also mirrored to ELFEN/settings.py#L134
  4. ELFEN requires the following ports to be free on the host:

    • 5555 (Flower service)
    • 8000 (ELFEN web service)
  5. Create the required directories in the ELFEN root directory:

    • Databases and RabbitMQ data storage
    • ELFEN task data storage (sample binary, dynamic analysis artifacts)

```bash
$ mkdir data && cd data && mkdir mysql postgres rabbitmq && cd ..

$ ls -1q data/
mysql
postgres
rabbitmq

$ mkdir -p media/web
```

  6. Modify docker-compose.user.yml to contain your UID and GID. By default, both are set to 1000:1000. Find yours with:

```bash
# UID
$ id -u
1000

# GID
$ id -g
1000
```

  7. Build the ELFEN docker system.

```bash
$ docker compose build
```

  8. Bring up the ELFEN services.

```bash
$ docker compose -f docker-compose.yml -f docker-compose.user.yml up
...
...
elfen-web-1  | Performing system checks...
elfen-web-1  |
elfen-web-1  |
elfen-web-1  | System check identified no issues (0 silenced).
elfen-web-1  | August 31, 2023 - 10:46:41
elfen-web-1  | Django version 4.1.7, using settings 'ELFEN.settings'
elfen-web-1  | Starting development server at http://0.0.0.0:8000/
elfen-web-1  | Quit the server with CONTROL-C.
```

A Django superuser, admin, is also created with password admin. ELFEN should now be available on the host at http://127.0.0.1:8000 in debug mode. Note that this is Django's development server running with DEBUG enabled and a well-known superuser password: keep port 8000 reachable only from a trusted analysis network, and change the admin password (for example with Django's `changepassword` management command) before exposing it any further.

Note: ELFEN has only been tested on an Ubuntu 22.04.2 LTS host.

```bash
$ docker --version
Docker version 24.0.4, build 3713ee1

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy

$ uname -a
Linux oni 6.2.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 16:27:29 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
```

Troubleshooting

See the troubleshooting document for known issues.

API

ELFEN provides an API to submit samples and retrieve analysis reports. Ready-to-use scripts are available under the scripts directory.

API Token

GUI

To retrieve your API token, visit http://127.0.0.1:8000/api/token/ and log in with your username and password. If you're using the default Django superuser, the credentials are admin:admin.

You should now see two values: the access and refresh tokens. The access token is valid for 7 days, after which a new one must be obtained (visit http://127.0.0.1:8000/api/token/refresh/) using the refresh token, which is valid for 30 days. Both tokens grant API access as your user, so handle them like passwords.

IPython

To retrieve your API token, send a POST request to http://127.0.0.1:8000/api/token/ with your username and password. If you're using the default Django superuser, the credentials are admin:admin.

```python
import requests

username, pwd = "admin", "admin"
r = requests.post("http://127.0.0.1:8000/api/token/",
                  json={"username": username, "password": pwd})

print(r.json())
# {'refresh': '...', 'access': '...'}
```
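Since an access token expires after 7 days, a client that runs unattended should hold the refresh token and rotate the access token itself rather than pasting a fresh token into the scripts every week. The helper below is an added example for this README, not code from the ELFEN project or its scripts directory. It relies on what the README states (POST /api/token/ returns `access` and `refresh`; /api/token/refresh/ issues a new access token from the refresh token) plus three assumptions marked in the code: ELFEN's tokens are JWTs carrying the standard `exp` claim (djangorestframework-simplejwt, which the project pins, issues such tokens), the refresh endpoint takes `{"refresh": ...}` and returns `{"access": ...}` (simplejwt's default), and the API expects `Authorization: Bearer <access>` (also the simplejwt default). The `transport` parameter is a hypothetical seam so the logic can run without a server; in practice pass a `requests.Session`.

```python
import base64
import json
import time


def jwt_exp(token):
    """Return the 'exp' claim (Unix time) of a JWT without verifying it.

    Not verifying is acceptable here: the client only uses 'exp' to decide
    when to refresh. The server still verifies the signature of every token
    it receives, so nothing trusts this value for authorization.
    ASSUMPTION: ELFEN's tokens are JWTs with an 'exp' claim (simplejwt default).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return int(payload["exp"])


def needs_refresh(token, now=None, margin=300):
    """True if the token expires within `margin` seconds (default 5 minutes)."""
    now = time.time() if now is None else now
    return jwt_exp(token) - now <= margin


class ElfenTokens:
    """Holds a JWT pair for the ELFEN API and keeps the access token fresh."""

    def __init__(self, transport, username, password, base="http://127.0.0.1:8000"):
        # transport: anything with .post(url, json=...) -> response with .json()
        # and .raise_for_status(), e.g. requests.Session()
        self.t = transport
        self.base = base.rstrip("/")
        self.username, self.password = username, password
        self.access = self.refresh = None

    def login(self):
        r = self.t.post(self.base + "/api/token/",
                        json={"username": self.username, "password": self.password})
        r.raise_for_status()
        body = r.json()
        self.access, self.refresh = body["access"], body["refresh"]
        return self.access

    def refresh_access(self):
        # ASSUMPTION: simplejwt's default refresh contract ({"refresh"} in, {"access"} out)
        r = self.t.post(self.base + "/api/token/refresh/", json={"refresh": self.refresh})
        r.raise_for_status()
        self.access = r.json()["access"]
        return self.access

    def bearer(self, now=None):
        """Authorization header value, refreshing or re-logging in as needed."""
        if self.access is None:
            self.login()
        elif needs_refresh(self.access, now):
            if needs_refresh(self.refresh, now, margin=0):
                self.login()            # 30-day refresh token is gone too
            else:
                self.refresh_access()
        # ASSUMPTION: 'Bearer' header type (simplejwt default)
        return "Bearer " + self.access


if __name__ == "__main__":
    import requests
    tokens = ElfenTokens(requests.Session(), "admin", "admin")
    print(tokens.bearer())
```

Keep the refresh token out of the repository and out of shell history; with it anyone can mint access tokens for 30 days.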

Submitting Samples

Copy the access token into scripts/submit_samples.py. Given a file containing newline-separated full paths to samples, this script submits them to ELFEN. The output JSON maps each submitted sample path to its ELFEN task UUID.

```bash
$ cat demo_submit
/full/path/to/1af85af86c92c06dd2d127e0b462679f60d085cfc28cf13c79988b7ef50b95fe

$ python submit_samples.py -f demo_submit -o output.json
Submitted /full/path/to/1af85af86c92c06dd2d127e0b462679f60d085cfc28cf13c79988b7ef50b95fe successfully.

$ cat output.json
{
    "/full/path/to/1af85af86c92c06dd2d127e0b462679f60d085cfc28cf13c79988b7ef50b95fe": "4122f552-1897-48d0-b906-bb144c6e4010"
}
```

Retrieving Full Analysis Report

Copy the access token into scripts/get_report_task.py. Given a task UUID, it retrieves the full analysis JSON report.

```bash
$ python3 get_report_task.py -u 4122f552-1897-48d0-b906-bb144c6e4010 -o report.json
Report retrieved successfully for 4122f552-1897-48d0-b906-bb144c6e4010.

$ du -h report.json
56K     report.json
```

Retrieving Analysis Report for Given Backend

ELFEN leverages multiple backends to conduct analysis. Some backends, like elfheader and capa, are associated with static analysis, whereas others, such as fileops and c2config, are associated with dynamic analysis. Reports can be retrieved for a given backend using scripts/get_report_backend.py. Copy the access token into the script.

```bash
$ python3 get_report_backend.py -u 4122f552-1897-48d0-b906-bb144c6e4010 -b procops -o report.json
Report retrieved successfully for procops for 4122f552-1897-48d0-b906-bb144c6e4010.

$ cat report.json | jq
{
  "submission_uuid": "4122f552-1897-48d0-b906-bb144c6e4010",
  "backend": "procops",
  "report": {
    "errors": false,
    "error_msg": [],
    "data": [
      {
        "ts": "05:10:03.360807 UTC",
        "pid": 130,
        "procname": "Ba9iedKN",
        "func": "getpid",
        "args": "",
        "ret": 130
      },
      {
        "ts": "05:10:03.361229 UTC",
        "pid": 130,
        "procname": "Ba9iedKN",
        "func": "getpid",
        "args": "",
        "ret": 130
      },
      {
        "ts": "05:10:03.363962 UTC",
        "pid": 130,
        "procname": "Ba9iedKN",
        "func": "fork",
        "args": "",
        "ret": 132
      },
      {
        "ts": "05:10:03.388397 UTC",
        "pid": 132,
        "procname": "Ba9iedKN",
        "func": "fork",
        "args": "",
        "ret": 133
      }
    ]
  }
}
```

Conferences

  1. Nullcon Goa 2023
    1. Slides: https://github.com/nikhilh-20/ELFEN/blob/main/docs/NullconGoa2023_Slides.pdf
    2. Talk: https://www.youtube.com/watch?v=opfwbNlijSg

Owner

  • Name: Nikhil Hegde
  • Login: nikhilh-20
  • Kind: user
  • Location: Maryland, USA

Citation (CITATION.cff)

cff-version: 1.2.0
title: "ELFEN: Linux Malware Analysis Sandbox"
message: "If you use this software, please cite it as below."
type: software
authors:
- given-names: "Nikhil Ashok"
  family-names: "Hegde"
url: "https://github.com/nikhilh-20/ELFEN"
repository-code: "https://github.com/nikhilh-20/ELFEN"
version: 1
license: GPL-3.0

GitHub Events

Total
  • Watch event: 11
  • Fork event: 5
Last Year
  • Watch event: 11
  • Fork event: 5

Dependencies

docker/elfen/Dockerfile docker
  • python 3.8.16-bullseye build
docker/mysql/Dockerfile docker
  • mysql 8 build
docker/postgres/Dockerfile docker
  • postgres 15.2-bullseye build
docker/rabbitmq/Dockerfile docker
  • rabbitmq 3.11 build
docker-compose.yml docker
  • elfen_image latest
requirements.txt pypi
  • Django ==4.1.7
  • Pillow ==9.4.0
  • PyYAML ==6.0
  • Pygments ==2.14.0
  • SQLAlchemy ==2.0.0
  • SecretStorage ==3.3.3
  • amqp ==5.1.1
  • antlr4-python3-runtime ==4.11.1
  • asciimatics ==1.14.0
  • asgiref ==3.6.0
  • asttokens ==2.2.1
  • attrs ==22.2.0
  • backcall ==0.2.0
  • backports.zoneinfo ==0.2.1
  • beautifulsoup4 ==4.11.1
  • billiard ==3.6.4.0
  • binary2strings ==0.1.9
  • bintropy ==1.4.3
  • bleach ==6.0.0
  • capstone ==4.0.2
  • celery ==5.2.7
  • certifi ==2022.12.7
  • cffi ==1.15.1
  • charset-normalizer ==3.0.1
  • click ==8.1.3
  • click-didyoumean ==0.3.0
  • click-plugins ==1.1.1
  • click-repl ==0.2.0
  • colorama >=0.4.5
  • commonmark ==0.9.1
  • contourpy ==1.0.7
  • coverage ==7.1.0
  • cryptography ==39.0.0
  • cxxfilt ==0.2.2
  • cycler ==0.11.0
  • dacite ==1.8.0
  • decorator ==4.4.2
  • dill ==0.3.6
  • django-bootstrap-v5 ==1.0.11
  • django-extensions ==3.2.1
  • django-ranged-response ==0.2.0
  • django-simple-captcha ==0.5.17
  • djangorestframework ==3.14.0
  • djangorestframework-simplejwt ==5.2.2
  • dncil ==1.0.2
  • dnfile ==0.13.0
  • docutils ==0.19
  • elflepton ==2.0.2
  • enum-compat ==0.0.3
  • exceptiongroup ==1.1.0
  • executing ==1.2.0
  • first ==2.0.2
  • flake8 ==6.0.0
  • flare-capa ==5.1.0
  • flower ==1.2.0
  • fonttools ==4.38.0
  • funcy >=1.17
  • future ==0.18.3
  • gevent ==22.10.2
  • greenlet ==2.0.2
  • halo ==0.0.31
  • humanize ==4.5.0
  • ida-netnode ==3.0
  • ida-settings ==2.1.0
  • idna ==3.4
  • importlib-metadata ==6.0.0
  • importlib-resources ==5.10.2
  • iniconfig ==2.0.0
  • intervaltree ==3.1.0
  • ipython ==8.11.0
  • jaraco.classes ==3.2.3
  • jedi ==0.18.2
  • jeepney ==0.8.0
  • jsonpath-ng ==1.5.3
  • keyring ==23.13.1
  • keystone-engine ==0.9.2
  • kiwisolver ==1.4.4
  • kombu ==5.2.4
  • lief >=0.12.3
  • log-symbols ==0.0.14
  • loguru ==0.6.0
  • markdown-it-py ==2.2.0
  • matplotlib ==3.6.3
  • matplotlib-inline ==0.1.6
  • mccabe ==0.7.0
  • mdurl ==0.1.2
  • mock ==5.0.1
  • more-itertools ==9.0.0
  • msgpack ==1.0.4
  • multiprocess ==0.70.14
  • mysqlclient ==2.1.1
  • networkx >=2.5.1
  • nose ==1.3.7
  • numpy ==1.24.1
  • overrides ==7.3.1
  • packaging ==23.0
  • parso ==0.8.3
  • pefile >=2022.5.30
  • pexpect ==4.8.0
  • pickleshare ==0.7.5
  • pip-licenses ==4.0.3
  • pipdeptree ==2.3.3
  • pkginfo ==1.9.6
  • plac ==1.3.5
  • pluggy ==1.0.0
  • ply ==3.11
  • prettytable ==3.6.0
  • prompt-toolkit ==3.0.36
  • psycopg2 ==2.9.5
  • ptyprocess ==0.7.0
  • pure-eval ==0.2.2
  • pyasn1 ==0.4.8
  • pyasn1-modules ==0.2.8
  • pycodestyle ==2.10.0
  • pycparser ==2.21
  • pycryptodome ==3.17
  • pydantic >=1.10.4
  • pyelftools ==0.29
  • pyfiglet ==0.8.post1
  • pyflakes ==3.0.1
  • pygraphviz >=1.10
  • pykerberos ==1.2.4
  • pyparsing ==3.0.9
  • pyperclip ==1.8.2
  • pytest ==7.2.1
  • python-dateutil ==2.8.2
  • python-flirt ==0.8.6
  • python-magic ==0.4.27
  • python-registry ==1.3.1
  • python-snappy ==0.6.1
  • python-tlsh ==4.5.0
  • pytz ==2022.7.1
  • qiling ==1.4.4
  • questionary ==1.10.0
  • readme-renderer ==37.3
  • requests ==2.28.2
  • requests-toolbelt ==0.10.1
  • rfc3986 ==2.0.0
  • rich ==13.3.1
  • ruamel.yaml >=0.17.21
  • ruamel.yaml.clib ==0.2.7
  • six ==1.16.0
  • smda ==1.8.4
  • sortedcontainers ==2.4.0
  • soupsieve ==2.3.2.post1
  • spinners ==0.0.24
  • sqlparse ==0.4.3
  • stack-data ==0.6.2
  • tabulate ==0.9.0
  • termcolor >=2.2.0
  • tomli ==2.0.1
  • tqdm >=4.64.1
  • traitlets ==5.9.0
  • twine ==4.0.2
  • typing_extensions >=4.2.0
  • unicodecsv ==0.14.1
  • unicorn ==2.0.1.post1
  • urllib3 ==1.26.14
  • urwid ==2.1.2
  • vine ==5.0.0
  • viv-utils >=0.7.7
  • vivisect >=1.0.8
  • wcwidth ==0.2.6
  • webencodings ==0.5.1
  • yamale ==4.0.4
  • yara-python ==4.2.3
  • zipp ==3.12.0
  • zope.event ==4.6
  • zope.interface ==5.5.2
.github/workflows/main.yml actions
  • actions/checkout v4 composite
docker-compose.user.yml docker