mandiant/flashmingo mandiant/flashmingo

  • This repository has been archived on 16/Sep/2021
  • Stars
    star
    118
  • Rank 299,923 (Top 6 %)
  • Language
    Python
  • License
    Other
  • Created over 5 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
mandiant/flashmingo
github

mandiant

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Automatic analysis of SWF files based on some heuristics. Extensible via plugins.

FLASHMINGO

Install

NOTE: The following instructions are for Python3.

If you need to install FLASHMINGO on Python2.7 you can checkout the release 1.0 under the releases tab. The installation steps are essentially the same.

Install the Python3 packages listed in requirements.txt.

You can use the following command: pip3 install -r requirements.txt

If you want to use the decompilation functionality you need to install Jython. Ubuntu/Debian users can issue apt install jython

Clone the project or download the zip file.

What

FLASHMINGO is an analysis framework for SWF files. The tool automatically triages suspicious Flash files and guides the further analysis process, freeing precious resources in your team. You can easily incorporate FLASHMINGO’s analysis modules into your workflow.

Why

To this day forensic investigators and malware analysts must deal with suspicious SWF files. If history repeats itself the security threat may even become bigger beyond Flash’s end of life in 2020. Systems will continue to support a legacy file format that is not going to be updated with security patches anymore. Automation is the best way to deal with this issue and this is where FLASHMINGO can help you. FLASHMINGO is an analysis framework to automatically process SWF files that enables you to flag suspicious Flash samples and analyze them with minimal effort. It integrates into various analysis workflows as a stand-alone application or a powerful library. Users can easily extend the tool’s functionality via custom Python plugins.

How

Architecture

FLASHMINGO is designed with simplicity in mind. It reads a SWF file and creates an object (SWFObject) representing its contents and structure. Afterwards FLASHMINGO runs a series of plugins acting on this SWFObject and returning their values to the main program.

Below a mandatory ASCII art flow diagram:

                                                 +----------+
                                                 |          |
                       +------------+----------->+ PLUGIN 1 +------------+
                       |            |            |          |            |
                       |            |            +----------+            |
                       |            |                                    |
                       |            |            +----------+            |
                       |            |            |          |            |
+---------+            |            +----------->+ PLUGIN 2 +--------+   |
|SWF FILE +----------->+ FLASHMINGO |            |          |        |   |
+---------+            |            |            +----------+        |   |
                       |            |                                |   |
                       |            |                                |   |
                       |            |                                |   |
                       |            |                          +-----v---v-+
                       |            |                          |           |
                       |            |                          |           |
                       +-----+------+------------------------->+ SWFOBJECT |
                             ^                                 |           |
                             |                                 |           |
                             |                                 +-----+-----+
                             |                                       |
                             |                                       |
                             |                                       |
                             +---------------------------------------+

When using FLASHMINGO as a library in your own projects, you only need to take care of two kind of objects:

  • one or many SWFObject(s), representing the sample(s)
  • a Flashmingo object. This acts essentially as a harness connecting plugins and SWFObject(s).

Plugins!

FLASHMINGO plugins are stored in their own directories under... you guessed it: plugins When a Flashmingo object is instantiated, it goes through this directory and process all plugins' manifests. Should this indicate that the plugin is active, this is registered for later use. At the code level, this means that a small plugin_info dictionary is added to the plugins list.

Plugins are invoked via the run_plugin API with two arguments:

  • the plugin's name
  • the SWFObject instance

Optionally, most of the plugins allow you to pass your own user data. This is plugin dependent (read the documentation) and it can be more easily be explained with an example. The default plugin SuspiciousNames will search all constant pools for strings containing suspicious substrings (for example: 'overflow', 'spray', 'shell', etc.) There is a list of common substrings already hard-coded in the plugin so that it can be used as-is. However, you may pass a list of your own defined substrings, in this case via the names parameter.

Code example:

fm = Flashmingo()
print fm.run_plugin('DangerousAPIs', swf=swf)
print fm.run_plugin('SuspiciousNames', swf=swf, names=['spooky'])

Default plugins

FLASHMINGO ships with some useful plugins out of the box:

  • binary_data
  • dangerous_apis
  • decompiler
  • suspicious_constants
  • suspicious_loops
  • suspicious_names
  • template :)

Extending FLASHMINGO

A template plugin is provided for easy development. Extending FLASHMINGO is rather straightforward. Follow these simple steps:

  • Copy the template
  • Edit the manifest
  • Override the run method
  • Add your custom code

You are ready to go :)

FLASHMINGO as a library

API

  • See the docs directory for autogenerated documentation
  • See FireEye's blog post for an example

Front-ends

  • Console

Create Documentation

$ pip install sphinxcontrib-napoleon

After setting up Sphinx to build your docs, enable napoleon in the Sphinx conf.py file:

In conf.py, add napoleon to the extensions list

extensions = ['sphinxcontrib.napoleon']

Use sphinx-apidoc to build your API documentation:

$ sphinx-apidoc -f -o docs/source projectdir

This creates .rst files for Sphinx to process

$ make html

That's it! :)

More Repositories

1

commando-vm

Complete Mandiant Offensive VM (Commando VM), a fully customizable Windows-based pentesting virtual machine distribution. [email protected]
PowerShell
6,897
star
2

flare-vm

A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.
PowerShell
6,334
star
3

capa

The FLARE team's open-source tool to identify capabilities in executable files.
Python
4,775
star
4

flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Python
3,155
star
5

red_team_tool_countermeasures

YARA
2,639
star
6

flare-ida

IDA Pro utilities from FLARE team
Python
2,031
star
7

flare-fakenet-ng

FakeNet-NG - Next Generation Dynamic Network Analysis Tool
Python
1,677
star
8

speakeasy

Windows kernel and user mode emulation.
Python
1,290
star
9

SharPersist

C#
1,213
star
10

ThreatPursuit-VM

Threat Pursuit Virtual Machine (VM): A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.
PowerShell
1,204
star
11

gocrack

GoCrack is a management frontend for password cracking tools written in Go
Go
1,101
star
12

flare-emu

Python
735
star
13

stringsifter

A machine learning tool that ranks strings based on their relevance for malware analysis.
Python
672
star
14

SilkETW

C#
641
star
15

Mandiant-Azure-AD-Investigator

PowerShell
614
star
16

Azure_Workshop

HCL
572
star
17

sunburst_countermeasures

YARA
561
star
18

Ghidrathon

The FLARE team's open-source extension to add Python 3 scripting to Ghidra.
Java
556
star
19

capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
528
star
20

ReelPhish

Python
493
star
21

iocs

FireEye Publicly Shared Indicators of Compromise (IOCs)
458
star
22

DueDLLigence

C#
450
star
23

FIDL

A sane API for IDA Pro's decompiler. Useful for malware RE and vulnerability research
Python
431
star
24

flare-wmi

C++
412
star
25

GoReSym

Go symbol recovery tool
Go
379
star
26

rvmi

rVMI - A New Paradigm For Full System Analysis
C
352
star
27

PwnAuth

Python
347
star
28

idawasm

IDA Pro loader and processor modules for WebAssembly
Python
332
star
29

ADFSpoof

Python
318
star
30

SimplifyGraph

IDA Pro plugin to assist with complex graphs
C++
303
star
31

STrace

A DTrace on Windows Reimplementation
C++
299
star
32

ShimCacheParser

Python
258
star
33

OfficePurge

C#
256
star
34

msi-search

C
215
star
35

macos-UnifiedLogs

Rust
200
star
36

ioc_writer

Python
195
star
37

GeoLogonalyzer

GeoLogonalyzer is a utility to analyze remote access logs for anomalies such as travel feasibility and data center sources.
Python
194
star
38

Vulnerability-Disclosures

C++
183
star
39

flare-kscldr

FLARE Kernel Shellcode Loader
C
175
star
40

flare-qdb

Command-line and Python debugger for instrumenting and modifying native software behavior on Windows and Linux.
Python
161
star
41

flare-dbg

flare-dbg is a project meant to aid malware reverse engineers in rapidly developing debugger scripts.
Python
149
star
42

thiri-notebook

The Threat Hunting In Rapid Iterations (THIRI) Jupyter notebook is designed as a research aide to let you rapidly prototype threat hunting rules.
Python
146
star
43

route-sixty-sink

Link sources to sinks in C# applications.
C#
137
star
44

VM-Packages

Chocolatey packages supporting the analysis environment projects FLARE-VM & Commando VM.
PowerShell
135
star
45

heyserial

Programmatically create hunting rules for deserialization exploitation with multiple keywords, gadget chains, object types, encodings, and rule types
YARA
130
star
46

dncil

The FLARE team's open-source library to disassemble Common Intermediate Language (CIL) instructions.
Python
124
star
47

Reversing

111
star
48

ioc-scanner-CVE-2019-19781

Indicator of Compromise Scanner for CVE-2019-19781
Shell
91
star
49

flare-bytecode_graph

Python
82
star
50

gocrack-ui

The User Interface for GoCrack
Vue
81
star
51

Volatility-Plugins

Python
80
star
52

unicorn-libemu-shim

libemu shim layer and win32 environment for Unicorn Engine
C++
70
star
53

citrix-ioc-scanner-cve-2023-3519

Shell
61
star
54

AuditParser

AuditParser
Python
56
star
55

remote_lookup

Resolves DLL API entrypoints for a process w/ remote query capabilities.
Visual Basic
54
star
56

synfulknock

Lua
48
star
57

SSSDKCMExtractor

Python
46
star
58

jitm

JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample.
C++
43
star
59

goauditparser

Go
39
star
60

capa-testfiles

Data to test capa's code and rules.
Max
39
star
61

tf_rl_tutorial

Tutorial: Statistical Relational Learning with Google TensorFlow
Jupyter Notebook
39
star
62

macOS-tools

Python
38
star
63

apooxml

Generate YARA rules for OOXML documents.
Python
38
star
64

gootloader

Collection of scripts used to deobfuscate GOOTLOADER malware samples.
Python
36
star
65

pycommands

PyCommand Scripts for Immunity Debugger
Python
35
star
66

vocab_scraper

Vocabulary Scraper script used in FLARE's analysis of Russian-language Carbanak source code
Python
35
star
67

ARDvark

ARDvark parses the Apple Remote Desktop (ARD) files to pull out application usage, user activity, and filesystem listings.
Python
34
star
68

rvmi-rekall

Rekall Forensics and Incident Response Framework with rVMI extensions
Python
32
star
69

gocat

Provides access to libhashcat
Go
29
star
70

ics_mem_collect

Python
26
star
71

rvmi-qemu

QEMU with rVMI extensions
C
26
star
72

IDA_Pro_VoiceAttack_profile

Python
25
star
73

win10_auto

Python
23
star
74

pulsesecure_exploitation_countermeasures

YARA
23
star
75

rvmi-kvm

Linux-KVM with rVMI extensions
C
23
star
76

pivy-report

Poison Ivy Appendix/Extras
17
star
77

siglib

Python
15
star
78

DFUR-Splunk-App

The "DFUR" Splunk application and data that was presented at the 2020 SANS DFIR Summit.
13
star
79

vbScript_deobfuscator

Help deobfuscate VBScript
VBA
13
star
80

flare-gsoc-2023

Supporting resources and documentation for FLARE @ Google Summer of Code 2023
13
star
81

rpdebug_qnx

Python
11
star
82

mandiant_managed_hunting

Azure Deployment Templates for Mandiant Managed Huning
9
star
83

flare-floss-testfiles

Resources for testing FLOSS by the FLARE team.
C
6
star
84

shelidate

Go
2
star