VxCage
VxCage is a WSGI Python application for managing a malware samples repository with a REST API interface.
The successor of VxCage is Viper and is also available on github
Requirements
In order to install VxCage you need to have Python (2.7) installed. Following are the required libraries.
- bottle.py --
pip install bottle
- sqlalchemy --
pip install sqlalchemy
If you want to enable the fuzzy hash, you need to install ssdeep and the Python bindings, pydeep.
VxCage also requires any database engine from the ones supported. Depending to which one you pick, you'll need the required Python API. For example, in the case of MySQL you'll also need MySQLdb (pip install mysqldb
).
If you plan to run VxCage with Apache, you'll need to have mod_wsgi installed. On Ubuntu/Debian systems apt-get install libapache2-mod-wsgi
.
Installation
First thing first, extract VxCage to your selected location and open api.conf
and configure the path to the local folder you want to use as a storage.
You also need to configure the connection string for your database. For example:
MySQL:
mysql://user:pass@host/database
SQLite:
sqlite:///database.db
PostgreSQL:
postgresql://user:pass@host/database
Refer to SQLAlchemy's documentation for additional details.
Now proceeds installing Apache and required modes:
# apt-get install apache2 libapache2-mod-wsgi
Enable the mod:
# a2enmod wsgi
If you want to enable SSL, you need to generate a certificate with OpenSSL or buy one from a certified authority.
You can also use the make-ssl-cert
utility as following:
# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/apache.pem
Now create a virtual host for the domain you want to host the application on. We'll enable WSGI, SSL and a basic authentication. A valid template is the following:
<VirtualHost *:443>
ServerName yourwebsite.tld
WSGIDaemonProcess yourapp user=www-data group=www-data processes=1 threads=5
WSGIScriptAlias / /path/to/app.wsgi
<Directory /path/to/app.wsgi>
WSGIProcessGroup yourgroup
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
<Location />
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/path/to/users"
Require valid-user
</Location>
SSLEngine on
SSLCertificateFile /path/to/apache.pem
ErrorLog /path/to/error.log
LogLevel warn
CustomLog /path/to/access.log combined
ServerSignature Off
</VirtualHost>
Now add your user:
# htpasswd -c /path/to/users username
You should be ready to go. Make sure to restart Apache afterwards:
# /etc/init.d/apache2 restart
For testing purposes, you can also run it with the Bottle.py server just doing:
$ python api.py
Usage
You can interact with your repository with the provided REST API.
Submit a sample:
$ curl -F [email protected] -F tags="tag1 tag2" http://yourdomain.tld/malware/add
Retrieve a sample:
$ curl http://yourdomain.tld/malware/get/<sha256> > sample.exe
Find a sample by MD5:
$ curl -F md5=<md5> http://yourdomain.tld/malware/find
Find a sample by SHA-256:
$ curl -F sha256=<sha256> http://yourdomain.tld/malware/find
Find a sample by Ssdeep (can also search for a substring of the ssdeep hash):
$ curl -F ssdeep=<pattern> http://yourdomain.tld/malware/find
Find a sample by Tag:
$ curl -F tag=<tag> http://yourdomain.tld/malware/find
List existing tags:
$ curl http://yourdomain.tld/tags/list
In case you added a basic authentication, you will need to add --basic -u "user:pass"
. In case you added SSL support with a generated certificate, you will need to add --insecure
and obviously make the requests to https://yourdomain.tld.
Console
You can also easily interact with your VxCage server using the provided console interface. In order to run it, you'll need the following dependencies:
- requests --
pip install requests
- prettytable --
pip install prettytable
- progressbar --
pip install progressbar
This is the help message:
usage: vxcage.py [-h] [-H HOST] [-p PORT] [-s] [-a]
optional arguments:
-h, --help show this help message and exit
-H HOST, --host HOST Host of VxCage server
-p PORT, --port PORT Port of VxCage server
-s, --ssl Enable if the server is running over SSL
-a, --auth Enable if the server is prompting an HTTP
authentication
As you can see, you can specify the host
, the port
and enable SSL and HTTP authentication.
For example, you can launch it simply with:
$ python vxcage.py --host yourserver.com --port 443 --ssl --auth
You will be prompted with:
`o O o O .oOo .oOoO' .oOoO .oOo.
O o OoO O O o o O OooO'
o O o o o o O O o O
`o' O O `OoO' `OoO'o `OoOo `OoO'
O
OoO' by nex
Username: nex
Password:
vxcage>
Now you can start typing commands, you can start with:
vxcage> help
Available commands:
help Show this help
tags Retrieve list of tags
find Find a file by md5, sha256, ssdeep, tag or date
get Retrieve a file by sha256
add Upload a file to the server
You can retrieve the list of available tags:
vxcage> tags
+------------------------+
| tag |
+------------------------+
| banker |
| bot |
| carberp |
| citadel |
| zeus |
+------------------------+
Total: 5
You can search for all samples matching a specific tag:
vxcage> find tag carberp
+----------------------------------+------------------------------------------------------------------+--------------+---------------------------------------------------+-----------+
| md5 | sha256 | file_name | file_type | file_size |
+----------------------------------+------------------------------------------------------------------+--------------+---------------------------------------------------+-----------+
| 719354b4b7b182b30e1de8ce7b417d2f | 689a35928f71848fab346b50811c6c0aab95da01b9293c60d74c7be1357dc029 | carberp1.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 132096 |
| 63d8fd55ebe6e2fa6cc9523df942a9a5 | a6d77a5ba2b5b46a0ad85fe7f7f01063fe7267344c0cecec47985cd1e46fa7a4 | carberp2.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 192512 |
| ccf43cdc957d09ea2c60c6f57e4600f0 | b998233b85af152596f5087e64c2cadb1466e4f6da62f416ac3126f87c364276 | carberp3.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 186880 |
+----------------------------------+------------------------------------------------------------------+--------------+---------------------------------------------------+-----------+
Total: 3
You can view details on a specific sample:
vxcage> find md5 719354b4b7b182b30e1de8ce7b417d2f
sha1: 091fcf7378bfc4baec61bc5708e9a64128c5c7e4
tags: banker,carberp
file_type: PE32 executable (GUI) Intel 80386, for MS Windows
file_name: carberp1.exe
created_at: 2012-12-25 00:37:16
file_size: 132096
crc32: 05AF53DC
ssdeep: 3072:fQAsBL+tnecg1OS+x/+SSQSBX8MxaQhJwox:fQAsBoecg1UM3c
sha256: 689a35928f71848fab346b50811c6c0aab95da01b9293c60d74c7be1357dc029
sha512: 844e0010e23571e2bc6a44405a012bca4f01955348db26320d6a95e54e6afc85a81bef574ee65de9d67cdf6e2cf80fd4d1b2c559902596943b1e4ebeb5641650
id: 41
md5: 719354b4b7b182b30e1de8ce7b417d2f
You can download the sample:
vxcage> get 689a35928f71848fab346b50811c6c0aab95da01b9293c60d74c7be1357dc029 /tmp
Download: 100% |:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::| Time: 00:00:00 223.63 K/s
File downloaded at path: /tmp/689a35928f71848fab346b50811c6c0aab95da01b9293c60d74c7be1357dc029
Or upload a new one:
vxcage> add /tmp/malware.exe windows,trojan,something
File uploaded successfully
Copying
VxCage is licensed under BSD 2-Clause and is copyrighted to Claudio Guarnieri.
Contacts
Twitter: @botherder