Skip to content

Malware Simple

The Malware-Simple module attempts to connect to a remote server and identify malware by sending various payloads and analysing how the server responds. It works similarly to the service-simple module except it is entirely focused at identifying malware instead of general service/product information.

Malware Simple Request Example

curl -v -L -d '{"type":"scan", "options":[{"targets":["X.X.X.X"], "ports":[{"port":80, "protocol":"tcp", "modules":["malware-simple"]}]}]}' -H "X-Token:<Token>"


Malware Simple Event Schema

    "result": {
        "data": {
          "state": {
            "state": "string"
          "service": {
              "name": "string",
              "product": "string",
              "version": "string",
              "device": "string",
              "ostype": "string",
              "hostname": "string",
              "extrainfo": "string",
              "cpe": ["string"],
              "banner": "string",
              "method": "string"

Contents of the fields

This module provides the following data (if available):

  • state: Information regarding the state of the connection to the target

    • state: State of the connection to the target. Possible values for this field are:
      • open: The connection was established, data was sent and the target returned any response
      • open|filtered: The connection was established, data was sent, but the target did not respond
      • closed: The connection was not established.
  • service: Information regarding the service that is likely to be running on the target

    • name: Type of service that is running
    • product: Product designation (and Vendor)
    • version: Application version number
    • device: Type of device running the service
    • ostype: Operating system running the service
    • hostname: Hostname (if any) offered by the service
    • extrainfo: Extra information extracted, can be an OS, version of a framework, etc
    • cpe: List of Common Platform Enumeration tags, if available
    • banner: Server response from which information was extracted
    • method: Method used to match or extract information from server responses. Possible values for this field are:
      • probe_matching: Server responses matched one of the expected responses for the probes that were sent
      • probe_extraction: Customized information extraction, used when server responses do not match expected responses, but have relevant information
      • probe_matching/probe_extraction: It's a mix of the previous methods, used when simple matching with expected responses does not return sufficient information

Malware Simple Event Example

        "banner":" \\x00\\x00\\x00\\xbd\\xa2\\xc2\\x87S\\x02\\xe0\\xfd\\x94\\x94\\x83mn\\xf8hp\\xfaB\\x95\\xc6\\x02:ge\\x7f\\xf2&K\\x19U%\\xda",