simple analysis script - now with less CPU grinding.
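#!/bin/bash
# Static triage script for a directory of samples.
#
# Goal: for each regular file in the current directory whose name does not
# end in .sh, .bat, .rar, .tar, .gz, .txt or .reg:
#   make a <name>_analysis directory, copy the sample into it, cd into it and
#   record `file` output, md5/sha1/sha256/sha512 sums and an ssdeep fuzzy hash
#   in <name>_analysis.txt, plus a `strings` dump in <name>_strings.txt (kept
#   separate because strings output is obnoxiously long in most cases), then
#   go back to the parent directory and repeat until done.
# Each hash type is also appended to one master file in the parent directory
# (all_md5s.txt, all_sha1.txt, all_sha256.txt, all_sha512.txt, all_ssdeep.txt).
#
# Everything here is static (file, *sum, ssdeep, strings); the sample is never
# executed. Sample filenames are untrusted input: they are always quoted and
# passed after `--` (or as ./name) so a name starting with '-' cannot be
# consumed as an option by any of the tools.
#
# Requires: coreutils (md5sum, sha1sum, sha256sum, sha512sum), file, strings
# (binutils) and ssdeep on PATH.

set -u

# Absolute path of the sample directory, so every iteration returns to the
# same place even if an earlier cd failed or a name is odd.
root=$(pwd) || exit 1

for i in *; do
  # Skip directories (including the *_analysis dirs this script creates on
  # earlier runs) and anything else that is not a regular file.
  [[ -f "$i" ]] || continue

  # Skip by extension only. The previous `egrep -v "sh|bat|..."` matched the
  # pattern anywhere in the name and silently skipped e.g. "flash.exe".
  case "$i" in
    *.sh|*.bat|*.rar|*.tar|*.gz|*.txt|*.reg) continue ;;
  esac

  filedir="${i}_analysis"
  filetxt="${i}_analysis.txt"
  filestr="${i}_strings.txt"

  mkdir -p -- "$filedir" || { printf 'skip %s: mkdir failed\n' "$i" >&2; continue; }
  cp -- "$i" "$filedir/$i" || { printf 'skip %s: copy failed\n' "$i" >&2; continue; }
  # If the cd fails, do not run the tools (and `cd ..`) from the wrong directory.
  cd -- "$filedir" || { printf 'skip %s: cd failed\n' "$i" >&2; continue; }

  {
    printf 'file output:\n'
    file -- "$i"
    printf '\n'
    printf 'sums (md5, sha1, sha256, sha512):\n'
  } >> "$filetxt"

  filemd5=$(md5sum -- "$i")
  filesha1=$(sha1sum -- "$i")
  filesha256=$(sha256sum -- "$i")
  filesha512=$(sha512sum -- "$i")
  # `ssdeep -b` prints only the bare file name, so the ./ prefix does not leak
  # into the output; it only stops the name from being parsed as an option.
  filessdeep=$(ssdeep -b ./"$i")

  # Quoted printf keeps the tools' own line structure: the two-space separator
  # `md5sum -c` expects (so the master files stay usable as checksum lists) and
  # ssdeep's header + hash lines, which an unquoted echo folded onto one line.
  printf '%s\n' "$filemd5" >> "$filetxt"
  printf '%s\n' "$filemd5" >> "$root/all_md5s.txt"
  printf '%s\n' "$filesha1" >> "$filetxt"
  printf '%s\n' "$filesha1" >> "$root/all_sha1.txt"
  printf '%s\n' "$filesha256" >> "$filetxt"
  # Was missing before: every other hash type had a master file except sha256.
  printf '%s\n' "$filesha256" >> "$root/all_sha256.txt"
  printf '%s\n' "$filesha512" >> "$filetxt"
  printf '%s\n' "$filesha512" >> "$root/all_sha512.txt"
  printf '\n' >> "$filetxt"
  printf 'ssdeep:\n' >> "$filetxt"
  printf '%s\n' "$filessdeep" >> "$filetxt"
  printf '%s\n' "$filessdeep" >> "$root/all_ssdeep.txt"
  printf '\n' >> "$filetxt"

  strings -a -n3 -- "$i" >> "$filestr"

  cd -- "$root" || exit 1
done
exit 0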