
# MalwareClustering

## README

### Prerequisites

#### Required

- [neo4j db instance](https://neo4j.com/download/)
- `pip3 install -r requirements`

#### Optional

- bulk import known malware samples into the db from:
    - [cloned malpedia repo](https://malpedia.caad.fkie.fraunhofer.de/)
    - folder with some malicious samples, with an optional malpedia-like json definition

Example usage:

```python
from malwareclustering_api import Api
test = Api(host='127.0.0.1', port=7474, user='neo4j', password='password', threshold=40, folder_path='/home/user/malware_samples')
test.process()
```

Author: LDO-CERT
License: AGPL-V3
Version: 1.0
Supported observable types:
- file
- hash
Registration required: False
Subscription required: False
Free subscription: False
Third party service:

## Description

Uses ApiVectors (from ApiScout) to find similarities between malware samples; results are stored in the configured Neo4j instance.

## Configuration

| Name | Description | Default value if not configured | Type | Can contain multiple values | Required |
|---|---|---|---|---|---|
| n4j_host | Neo4j server host | N/A | string | False | True |
| n4j_port | Neo4j server port | N/A | number | False | True |
| n4j_user | Neo4j server user | N/A | string | False | True |
| n4j_pwd | Neo4j server password | N/A | string | False | True |
| threshold | ApiScout correlation threshold | N/A | string | False | True |
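As an added illustration of the Description and of the `threshold` configuration item (this is not code from the MalwareClustering project), the Python below shows what a correlation threshold does: samples whose imported-API sets overlap at or above the threshold are linked, linked samples form clusters, and each link is emitted as a parameterized Cypher MERGE so sample names never reach the query text. It assumes an ApiVector-style Jaccard percentage as the score; the `Sample` label, `SIMILAR_TO` relationship and property names are hypothetical, and the API sets are constructed.

```python
from itertools import combinations

# Constructed example data: imported-API sets standing in for each sample's ApiVector (ApiScout-style).
SAMPLES = {
    "sample_a": {"CreateFileW", "WriteFile", "ReadFile", "CloseHandle", "VirtualAlloc"},
    "sample_b": {"CreateFileW", "WriteFile", "ReadFile", "CloseHandle", "GetProcAddress"},
    "sample_c": {"VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA"},
    "sample_d": {"socket", "connect", "send", "recv", "closesocket"},
}


def jaccard_percent(a, b):
    """Similarity of two API sets in percent (assumed ApiVector-style Jaccard index)."""
    if not a and not b:
        return 0.0
    return 100.0 * len(a & b) / len(a | b)


def correlate(samples, threshold):
    """Return (x, y, score) for every pair scoring at or above `threshold` percent."""
    edges = []
    for x, y in combinations(sorted(samples), 2):
        score = jaccard_percent(samples[x], samples[y])
        if score >= threshold:
            edges.append((x, y, round(score, 1)))
    return edges


def clusters(samples, edges):
    """Group samples into connected components over the similarity edges (union-find)."""
    parent = {s: s for s in samples}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]  # path compression
            s = parent[s]
        return s

    for x, y, _ in edges:
        parent[find(x)] = find(y)
    groups = {}
    for s in samples:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())


def cypher_for_edges(edges):
    """Parameterized Cypher (hypothetical schema): names travel as parameters, not as query text."""
    query = ("MATCH (a:Sample {name: $x}), (b:Sample {name: $y}) "
             "MERGE (a)-[r:SIMILAR_TO]->(b) SET r.score = $score")
    return [(query, {"x": x, "y": y, "score": s}) for x, y, s in edges]
```

With the README's threshold of 40 only `sample_a` and `sample_b` are linked; lowering it to 10 also pulls in `sample_c` through its single shared import, which is why the threshold is the knob that decides how loose a cluster becomes.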

## Templates samples for TheHive

MalwareClustering long report sample