Malware Simple
The Malware-Simple module attempts to connect to a remote server and identify malware by sending various payloads and analysing how the server responds. It works similarly to the service-simple module, except that it is focused entirely on identifying malware (for example a RAT controller listening on the port) rather than general service/product information.
Malware Simple Request Example

```shell
curl -v -L https://api.binaryedge.io/v1/tasks -d '{"type":"scan", "options":[{"targets":["X.X.X.X"], "ports":[{"port":80, "protocol":"tcp", "modules":["malware-simple"]}]}]}' -H "X-Token:<Token>"
```
Schema
Malware Simple Event Schema
```json
{
  ...
  "result": {
    "data": {
      "state": {
        "state": "string"
      },
      "service": {
        "name": "string",
        "product": "string",
        "version": "string",
        "device": "string",
        "ostype": "string",
        "hostname": "string",
        "extrainfo": "string",
        "cpe": ["string"],
        "banner": "string",
        "method": "string"
      }
    }
  }
}
```
Contents of the fields
This module provides the following data (if available):
- state: Information regarding the state of the connection to the target
  - state: State of the connection to the target. Possible values for this field are:
    - open: The connection was established, data was sent and the target returned a response
    - open|filtered: The connection was established, data was sent, but the target did not respond
    - closed: The connection was not established.
- service: Information regarding the service that is likely to be running on the target
  - name: Type of service that is running
  - product: Product designation (and vendor)
  - version: Application version number
  - device: Type of device running the service
  - ostype: Operating system running the service
  - hostname: Hostname (if any) offered by the service
  - extrainfo: Extra information extracted; can be an OS, the version of a framework, etc.
  - cpe: List of Common Platform Enumeration tags, if available
  - banner: Server response from which the information was extracted
  - method: Method used to match or extract information from server responses. Possible values for this field are:
    - probe_matching: Server responses matched one of the expected responses for the probes that were sent
    - probe_extraction: Customized information extraction, used when server responses do not match expected responses but still contain relevant information
    - probe_matching/probe_extraction: A mix of the previous two methods, used when simple matching with expected responses does not return sufficient information
Malware Simple Event Example

```json
{
  ...
  "result": {
    "data": {
      "state": {
        "state": "open"
      },
      "service": {
        "product": "NanoCore_1.2.2.0",
        "name": "rat",
        "banner": " \\x00\\x00\\x00\\xbd\\xa2\\xc2\\x87S\\x02\\xe0\\xfd\\x94\\x94\\x83mn\\xf8hp\\xfaB\\x95\\xc6\\x02:ge\\x7f\\xf2&K\\x19U%\\xda",
        "method": "probe_matching"
      }
    }
  }
}
```
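The request body from the example above and the event schema it produces, worked through in a short Python helper. This is an added example, not BinaryEdge code: it builds the task body for the malware-simple module and reduces a returned event to the fields a triage queue needs, treating the three connection states differently. The sample events and the target 192.0.2.10 are constructed here; only the field names come from the schema on this page.

```python
import json

# Constructed sample events, modelled on the event example and schema above.
SAMPLE_OPEN = json.dumps({"result": {"data": {
    "state": {"state": "open"},
    "service": {"product": "NanoCore_1.2.2.0", "name": "rat",
                "banner": " \\x00\\x00\\x00\\xbd...", "method": "probe_matching"},
}}})
SAMPLE_FILTERED = json.dumps({"result": {"data": {"state": {"state": "open|filtered"}}}})
SAMPLE_CLOSED = json.dumps({"result": {"data": {"state": {"state": "closed"}}}})


def build_scan_task(target: str, port: int = 80, protocol: str = "tcp") -> dict:
    """Return the JSON body of the request example, with the malware-simple module selected."""
    return {
        "type": "scan",
        "options": [{
            "targets": [target],
            "ports": [{"port": port, "protocol": protocol, "modules": ["malware-simple"]}],
        }],
    }


def summarize_event(raw: str) -> dict:
    """Reduce one Malware Simple event to a triage record.

    Only an 'open' state with a populated service block means the module identified
    something; 'open|filtered' (no reply) and 'closed' (no connection) carry no
    service data, so every service field is optional and read defensively.
    """
    data = json.loads(raw).get("result", {}).get("data", {})
    state = data.get("state", {}).get("state", "unknown")
    service = data.get("service") or {}
    category = service.get("name")          # e.g. "rat"
    return {
        "state": state,
        "identified": state == "open" and bool(category),
        "category": category,
        "family": service.get("product"),   # e.g. "NanoCore_1.2.2.0"
        "method": service.get("method"),    # how the match was made, if any
        "banner_len": len(service.get("banner", "")),
    }


def hits(raw_events) -> list:
    """Keep only the events in which malware was actually identified."""
    return [s for s in map(summarize_event, raw_events) if s["identified"]]
```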