dEEpEst
AMIRA: Automated Malware Incident Response & Analysis
AMIRA is a service for automatically running the analysis on the
Prerequisites
tox
The following steps assume you have
If this is not the case, please run:
$ sudo pip install tox
OSXCollector Output Filters configuration file
AMIRA uses OSXCollector Output Filters to do the actual analysis, so you will need to have a valid osxcollector.yaml configuration file in the working directory. The example configuration file can be found in the
The configuration file mentions the location of the file hash and the domain blacklists. Make sure that the blacklist locations mentioned in the configuration file are also available when running AMIRA.
AWS credentials
AMIRA uses boto to interface with AWS. You can supply the credentials using either of the possible
The credentials should allow reading and deleting SQS messages from the SQS queue specified in the AMIRA config, as well as read access to the objects in the S3 bucket where the OSXCollector output files are stored. To be able to upload the analysis results back to the S3 bucket specified in the AMIRA configuration file, the credentials should also allow write access to that bucket.
AMIRA Architecture
The service uses the
The Analyze Filter runs all the filters contained in the OSXCollector Output Filters package sequentially. Some of them communicate with external resources, like domain and hash blacklists (or whitelists) and threat intel APIs, e.g.
An overview of the whole process and the system components involved in it is depicted below:
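The event-notification path the architecture section describes, as an added example that is not AMIRA's own code: a parser for the S3 event notification bodies that land in the SQS queue, skipping the s3:TestEvent message S3 sends once when notifications are first configured, ignoring non-creation events, and URL-decoding the object key before it is used against S3. The bucket and key names in the sample messages are constructed.

```python
"""Parse S3 event notifications the way a consumer of the AMIRA SQS queue must.

The record layout follows the documented S3 event notification JSON format;
the sample message bodies below are constructed, not real queue contents.
"""
import json
from urllib.parse import unquote_plus


def parse_s3_event(body):
    """Return (bucket, key) pairs for every ObjectCreated record in one SQS
    message body. Returns [] for the s3:TestEvent message and for bodies
    that carry no creation records."""
    message = json.loads(body)
    # S3 sends {"Service": "Amazon S3", "Event": "s3:TestEvent", ...} once
    # when the queue is wired up; it carries no Records and must be dropped
    # (and deleted from the queue) rather than treated as an output file.
    if message.get("Event") == "s3:TestEvent":
        return []
    created = []
    for record in message.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue  # deletions, restores etc. announce no new output file
        s3 = record["s3"]
        # Object keys in notifications are URL-encoded ("+" for spaces), so
        # decode before fetching the object or naming the results upload.
        key = unquote_plus(s3["object"]["key"])
        created.append((s3["bucket"]["name"], key))
    return created


# Constructed sample bodies (bucket and key names are made up).
TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                         "Bucket": "osxcollector-output"})
PUT_EVENT = json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "osxcollector-output"},
            "object": {"key": "host-1/mac+laptop.tar.gz", "size": 12345}}},
    {"eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "osxcollector-output"},
            "object": {"key": "old.tar.gz"}}},
]})

if __name__ == "__main__":
    print(parse_s3_event(TEST_EVENT))  # []
    print(parse_s3_event(PUT_EVENT))   # [('osxcollector-output', 'host-1/mac laptop.tar.gz')]
```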
Using AMIRA
The main entry point to AMIRA is in the amira/amira.py module. You will first need to create an instance of AMIRA class by providing the AWS region name, where the SQS queue with the event notifications for the OSXCollector output bucket is, and the SQS queue name:
from amira.amira import AMIRA
amira = AMIRA('us-west-1', 'AmiraS3EventNotifications')
Then you can register the analysis results uploader, e.g. the S3 results uploader:
from amira.s3 import S3ResultsUploader
s3_results_uploader = S3ResultsUploader('amira-results-bucket')
amira.register_results_uploader(s3_results_uploader)
Finally, run AMIRA:
amira.run()
Go get some coffee, sit back, relax and wait till the analysis results pop up in the S3 bucket!