  • Language: Python
  • License: BSD 3-Clause "New...
  • Created over 4 years ago
  • Updated 2 months ago


Karton

Distributed malware processing framework based on Python, Redis and S3.

The idea

Karton is a robust framework for creating flexible and lightweight malware analysis backends. It can be used to connect malware* analysis systems into a robust pipeline with very little effort.

We've been in the automation business for a long time. We're dealing with more and more threats, and we have to automate everything to keep up with incidents. Because of this, we often end up with many scripts stuck together with duct tape and WD-40. These scripts are written by analysts in the heat of the moment, fragile and ugly - but they work, and produce intel that must be stored, processed further, sent to other systems or shared with other organisations.

We needed a way to take our PoC scripts and easily insert them into our analysis pipeline. We also wanted to monitor their execution, centralise logging, improve robustness, reduce development inertia... For this exact purpose, we created Karton.

* while Karton was designed with malware analysis in mind, it works nicely in every microservice-oriented project.

Installation

Installation is as easy as a single pip install command:

pip3 install karton-core

In order to set up the whole backend environment you will also need S3-compatible storage and Redis; see the docs for details.

Example usage

To use Karton you have to provide a class that inherits from Karton.

from karton.core import Karton, Task, Resource

class GenericUnpacker(Karton):
    """
    Performs sample unpacking
    """
    identity = "karton.generic-unpacker"
    filters = [
        {
            "type": "sample",
            "kind": "runnable",
            "platform": "win32"
        }
    ]

    def process(self, task: Task) -> None:
        # Get sample object
        packed_sample = task.get_resource('sample')
        # Log with self.log
        self.log.info(f"Hi {packed_sample.name}, let me analyze you!")
        ...
        # The unpacking logic elided above is expected to produce the
        # output file name and its bytes in `filename` and `unpacked`
        # Send our results for further processing or reporting
        task = Task(
            {
                "type": "sample",
                "kind": "raw"
            },
            payload={
                "parent": packed_sample,
                "sample": Resource(filename, unpacked)
            }
        )
        self.send_task(task)

if __name__ == "__main__":
    # Here comes the main loop
    GenericUnpacker().loop()
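To see how the filters declared on a class like the one above decide which service receives a task, here is an added toy model of Karton's header matching (example code written for this page, not karton's own routing implementation; the header values assumed for the archive extractor and yaramatcher are constructed, not taken from those projects):

```python
from dataclasses import dataclass
from typing import Dict, List

Headers = Dict[str, str]


@dataclass
class Consumer:
    """A registered Karton service: its identity and the filters it listens on."""
    identity: str
    filters: List[Headers]


def filter_matches(flt: Headers, headers: Headers) -> bool:
    """One filter dict is an AND: every key must be present in the task headers with the same value."""
    return all(headers.get(key) == value for key, value in flt.items())


def consumer_accepts(consumer: Consumer, headers: Headers) -> bool:
    """The filters list is an OR: one matching dict is enough for the task to be queued."""
    return any(filter_matches(flt, headers) for flt in consumer.filters)


def route(consumers: List[Consumer], headers: Headers) -> List[str]:
    """Identities of every consumer that would receive a task carrying these headers."""
    return [c.identity for c in consumers if consumer_accepts(c, headers)]


# Constructed registry mirroring the systems named on this page. The unpacker's
# filter is the one from the README; the other two header sets are assumptions.
CONSUMERS = [
    Consumer("karton.generic-unpacker",
             [{"type": "sample", "kind": "runnable", "platform": "win32"}]),
    Consumer("karton.archive-extractor",
             [{"type": "sample", "kind": "archive"}]),
    Consumer("karton.yaramatcher",
             [{"type": "sample"}]),  # any sample, whatever its kind or platform
]


def unpacker_output_headers() -> Headers:
    """Headers of the Task that GenericUnpacker on this page sends downstream."""
    return {"type": "sample", "kind": "raw"}


if __name__ == "__main__":
    classified = {"type": "sample", "kind": "runnable", "platform": "win32"}
    print("classifier output ->", route(CONSUMERS, classified))   # unpacker + yaramatcher
    print("unpacker output   ->", route(CONSUMERS, unpacker_output_headers()))  # yaramatcher only
```

Note that in this model an empty filter dict matches every task, so a consumer with `filters = [{}]` would receive the whole pipeline's traffic; keep filters as narrow as the service's input format allows.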

Karton systems

Some Karton systems are universal and useful to everyone. We decided to share them with the community.

karton

This repository. It contains the karton.system service - main service, responsible for dispatching tasks within the system. It also contains the karton.core module, that is used as a library by other systems.

karton-dashboard

A small Flask dashboard for task and queue management and monitoring.

karton-classifier

The "router". It recognises samples/files and produces various task types depending on the file format. Thanks to this, other systems may only listen for tasks with a specific format (for example, only zip archives).

karton-archive-extractor

Generic archive unpacker. Archives uploaded into the system will be extracted, and every file will be processed individually.

karton-config-extractor

Malware extractor. It uses Yara rules and Python modules to extract static configuration from malware samples and analyses. It's a fishing rod, not a fish - we don't share the modules themselves. But it's easy to write your own!

karton-mwdb-reporter

A very important part of the pipeline. Reporter submits all files, tags, comments and other intel produced during the analysis to MWDB. If you don't use MWDB yet or just prefer other backends, it's easy to write your own reporter.

karton-yaramatcher

Automatically runs Yara rules on all files in the pipeline, and tags samples appropriately. Rules not included ;).

karton-asciimagic

Karton system that decodes files encoded with common methods, like hex, base64, etc. (You wouldn't believe how common it is).

karton-autoit-ripper

A small wrapper around AutoIt-Ripper that extracts embedded AutoIt scripts and resources from compiled AutoIt executables.

DRAKVUF Sandbox

Automated black-box malware analysis system with DRAKVUF engine under the hood, which does not require an agent on guest OS.


This is how these systems can be used to form a basic malware analysis pipeline:

Community projects that incorporate the Karton framework

c3rb3ru5d3d53c/karton-unpacker

A modular Karton Framework service that unpacks common packers like UPX and others using the Qiling Framework.

c3rb3ru5d3d53c/mwcfg / c3rb3ru5d3d53c/mwcfg-modules

A Feature Rich Modular Malware Configuration Extraction Utility for MalDuck

raw-data/karton-die-classifier

Detect-It-Easy classifier for the Karton framework

raw-data/karton-retdec-unpacker

RetDec unpacker module for the Karton framework

W3ndige/aurora / W3ndige/karton-similarity

Malware similarity platform with modularity in mind.

Co-financed by the Connecting Europe Facility of the European Union
