Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
malice
Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company.
Setup Docker (OSX)
Install Docker for Mac
-Or-
Install with homebrew.
$ brew install caskroom/cask/brew-cask
$ brew cask install virtualbox
$ brew install docker
$ brew install docker-machine
$ docker-machine create --driver virtualbox --engine-storage-driver overlay malice
$ eval $(docker-machine env malice)Getting Started (OSX)
Install
$ brew install maliceio/tap/maliceUsage: malice [OPTIONS] COMMAND [arg...]
Open Source Malware Analysis Framework
Version: 0.3.11
Author:
blacktop - <https://github.com/blacktop>
Options:
--debug, -D Enable debug mode [$MALICE_DEBUG]
--help, -h show help
--version, -v print the version
Commands:
scan Scan a file
watch Watch a folder
lookup Look up a file hash
elk Start an ELK docker container
plugin List, Install or Remove Plugins
help Shows a list of commands or help for one command
Run 'malice COMMAND --help' for more information on a command.
Scan some malware
$ malice scan evil.malwareNOTE: On the first run malice will download all of it's default plugins which can take a while to complete.
Malice will output the results as a markdown table that can be piped or copied into a results.md that will look great on Github see here
Start Malice's Web UI
$ malice elkYou can open the Kibana UI and look at the scan results here: http://localhost (assuming you are using Docker for Mac)
-
Type in malice as the
Index name or patternand click Create. -
Now click on the
Discover Taband behold!!!
Getting Started (Docker in Docker)
Install/Update all Plugins
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock malice/engine plugin update --allScan a file
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-v `pwd`:/malice/samples \
-e MALICE_VT_API=$MALICE_VT_API \
malice/engine scan SAMPLEDocumentation
Known Issues ⚠️
I have noticed when running the new 5.0+ version of malice/elasticsearch on a linux host you need to increase the memory map areas with the following command
sudo sysctl -w vm.max_map_count=262144Elasticsearch requires at least 4GB of RAM to run. You can lower it to 2GB by running the following (before running a scan):
$ docker run -d \
-p 9200:9200 \
-name malice-elastic \
-e ES_JAVA_OPTS="-Xms2g -Xmx2g" \
malice/elasticsearchIssues
Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue
CHANGELOG
See CHANGELOG.md
License
Apache License (Version 2.0)
Copyright (c) 2013 - 2017 blacktop Joshua Maine