Identifies and extracts information from bots and other malware. Information is returned in a readable json format. bamfdetect works by reading files into RAM, applying any applicable preprocessors, then applying Yara signatures from modules to determine which module it matches. After a match is located, the module can then extract the configuration from the file.
Currently, only a preprocess for UPX files is supported. This preprocessor writes the file data to a temporary file, then calls upx -d on the temporary file, and rereads the data from that temporary file.
- Alina
- Andromeda
- Backoff
- BlackShades
- Dendroid
- Dexter
- Herpesnet
- Maazben
- MadnessPro
- pBot
- Pony
- ProjectHook
Until I have time to write a guide for writing modules, please use existing modules as a means of writing your own.
cloud@strife:~/git/BAMF$ ./bamfdetect.py -h usage: ./bamfdetect.py [-h] [-v] [-d] [-r] [-l] [-m MODULE] [path [path ...]] Identifies and extracts information from bots and other malware positional arguments: path Paths to files or directories to scan optional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit -d, --detect Only detect files -r, --recursive Scan paths recursively -l, --list List available modules -m MODULE, --module MODULE Modules to use, if not definedall modules are used ./bamfdetect.py v1.4.1 by Brian Wallace (@botnet_hunter)
- pefile (python module)
- yara (python module)
- rarfile
- upx (binary)
PE files will be checked if they are UPX compressed before being scanned. If they are, they will be written to a temporary file, then decompressed with the UPX utility. Yara rules and extraction will then be applied to the resulting data.
This project has been moved from https://github.com/bwall/bamf