Fast Static File Analysis Framework

Overview

Florentino; Fast Static File Analysis Framework

Florentino

Story

Florentino is named after a fiction warrior.

Flarentino: "I'd wear a fedora but they haven't invented them yet"

As the sole heir to the House of Perfume, Florentino's romantic adventures were as well-known as his lavish balls ....

Florentino: "Ah... relationships are such a bother"

Introduction

Florentino is a cross-platform file analysis framework. useful for extracting static resources from malwares and unknown file analysis.

He can help malware analysts and security researchers to quickly get a glance at an unknown file. He can't win a big war alone, though; that's why he calls for his friends to help fighting bad guys. so he calls these friends (credits):

Without them, it was a lost war from beginning.

Motivation

Anytime we want to analyze an unknown file, there are a couple of steps which are almost identical Florentino aims to automate some of these boring steps so an analyst can move faster with manual and dynamic analysis.

Florentino: "Flowers, women – I desire all that is beautiful."

Features

Florentino is written in go, and it's fast!. You can run it before any other tool in your chain to gain a good grasp of your target file. Most of the time, it's all you need to determine if a file is malicious or not!

1- File detection engine

Thanks to D.I.E, Florentino can detect hundreds of file types.

Number of com signatures: 200
Number of Text signatures: 14
Number of com signatures: 3
Number of MSDOS signatures: 306
Number of PE/PE+ signatures: 525
Number of DS signatures: 19
Number of EP signatures: 3
Number of ELF/ELF64 signatures: 16
Number of MACH/MACH64 signatures: 8
Total signatures: 1117 

Beside file detection, entropy and packer detection also performed.

2- Scan engine

Florentino can work various sources to analyze the file.

  • VirusTotal: we check it for an existing report
  • Strings and IOC scan: Florentino takes it; further it will extract, scan and possibly deobfuscate strings from binary files
  • Binary scan: Florentino can work with PE x86/x64, Macho x86/x64, ELF x86/x64 files it will obtain imported symbol and libraries

3- Packer detection and unpacking

  • Currently only support PE x86 Files
  • unpack engine : unpac.me

4- Report

  • All reports are stored as a text file in /data directory

Please note Florentino is not a reversing suite and its only aim is only to fasten the first analysis Florentino is modular and easy to extend with your own tools.

Flarentino: Fairest ladies, my lips are like whatever I finish this later ...

Version

1.0.1-alpha

Installation and Usage

Flarentino : "You have bad form my friend."

check out documentation at /docs/README.md

Action time: Florentino VS Ryuk Ransomware

Let's run Florentino against the trending millions dollar ransomware called Ryuk.

asciicast

Florentino -f 8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd7.exe

After one minutes or so we check /data folder

{
    "detects": [
        {
            "filetype": "PE+(64)",
            "name": "Microsoft Visual C/C++(2015 v.14.0)[-]",
            "type": "compiler"
        },
        {
            "filetype": "PE+(64)",
            "name": "Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE64]",
            "type": "linker"
        }
    ],
    "entropy": "6.07306",
    "filename": "/malwares/8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd7.exe"
}
/C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d " 
Gentlemen!
Your business is at serious risk. BLAH BLAH BLAH
15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
.....
  • Now in less than 3 minutes, we already know its ransomware, it's not packed, we decrypted the first layer of obfuscated strings, and we already even extracted the persistence method.
  • Please consider this is NOT ready for production, the main point of releasing this is to show you how you can achieve similar results. the code can greatly improve.

How to contribute

Florentino : "HaHa, A wonderful day for a duel among gentlemen."

  • Add a module or fix something and then pull request.
  • The endless possibility of improvements:
    • Add a web UI
    • Connect it to a Relational/NoSQL database
    • Parse each binary to its deepest details
    • Integrate r2 as provide disassembles
    • ...
  • Share it with whomever you believe can use it.
  • Do the extra work and share your findings with community
  • ko-fi

Learn More

Malware fight back the tale of agent tesla

Awesome Malware Analysis

Awsome Reversing

License

The project is licensed under the wtfpl license.

Owner
security researcher, software developer, infosec entrepreneur, SciTech student.
null
Bodyclose: a static analysis tool which checks whether res.Body is correctly closed

bodyclose bodyclose is a static analysis tool which checks whether res.Body is correctly closed. Install You can get bodyclose by go get command. $ go

Seiji Takahashi 210 Dec 9, 2021
`kawipiko` -- blazingly fast static HTTP server -- focused on low latency and high concurrency, by leveraging Go, `fasthttp` and the CDB embedded database

kawipiko -- blazingly fast static HTTP server kawipiko is a lightweight static HTTP server written in Go; focused on serving static content as fast an

Volution 13 Jun 12, 2022
Simple, secure and modern Go HTTP server to serve static sites, single-page applications or a file with ease

srv srv is a simple, secure and modern HTTP server, written in Go, to serve static sites, single-page applications or a file with ease. You can use it

Kevin Pollet 55 May 23, 2022
Reverse Proxying + Static File Serving + Let's Encrypt + multiple hosts

Slashing This is a HTTPS server, which aims to replace my personal nginx usages. Currently, it serves Reverse Proxying (e.g. to a Python-Flask,Java,PH

Abby 3 Jul 29, 2021
Static file server that service content required by dan's services

Static file server that service content required by dan's services.

Danang Galuh Tegar Prasetyo 0 Jan 20, 2022
All-in-one Network Gateway for Malware analysis

aio-gw [EXPERIMENTAL]: All-in-one Network Gateway for Malware analysis. currently at Alpha stage. HELP NEEDED: if you're keen to contribute to aio-gw,

Ali Mosajjal 2 Jan 30, 2022
This is a Go port of the phase vocoding analysis/resynthesis routines from Tom Erbe's program "SoundHack".

Overview This is a Go port of the phase vocoding analysis/resynthesis routines from Tom Erbe's program "SoundHack". Unlike the original SoundHack, thi

Jon Moniaci 4 Apr 24, 2022
JSON assets that are almost static like house_id mappings for the API.

TibiaData API assets JSON assets that are almost static like house_id mappings for the API. This repo contains tooling that generates the assets json

TibiaData 2 Jun 1, 2022
Http-recorder - Application for record http response as static files

http-recorder This is a application for record http response as static files. Th

null 1 Mar 21, 2022
serve a static website as a .onion hidden service

hidden service server A CLI that will host a static website as a .onion hidden service. Comes with an additional binary that can be used to generate v

null 9 Apr 27, 2022
llb - It's a very simple but quick backend for proxy servers. Can be useful for fast redirection to predefined domain with zero memory allocation and fast response.

llb What the f--k it is? It's a very simple but quick backend for proxy servers. You can setup redirect to your main domain or just show HTTP/1.1 404

Kirill Danshin 12 Jan 23, 2022
DeepCopy a portable app that allows you to copy all forms of specified file types from your entire file system of the computer

DeepCopy a portable app that allows you to copy all forms of specified file types from your entire file system of the computer

subrahmanya  s hegade 1 Dec 20, 2021
Generates file.key file for IPFS Private Network.

ipfs-keygen Generates file.key file for IPFS Private Network. Installation go get -u github.com/reixmor/ipfs-keygen/ipfs-keygen Usage ipfs-keygen > ~/

Camilo Abel Monreal Aguero 0 Jan 18, 2022
A modern, fast and scalable websocket framework with elegant API written in Go

About neffos Neffos is a cross-platform real-time framework with expressive, elegant API written in Go. Neffos takes the pain out of development by ea

Gerasimos (Makis) Maropoulos 385 Jun 1, 2022
Fast and Scalable RPC Framework

Rony (Fast and Scalable RPC Framework) About Rony lets you create a clustered aware service easily. Checkout Wiki Performance Rony is very fast and wi

Ronak Software Group 40 Jun 13, 2022
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH.

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

Jaime Pillora 7.4k Jun 29, 2022
Fast IP to CIDR lookup in Golang

cidranger Fast IP to CIDR block(s) lookup using trie in Golang, inspired by IPv4 route lookup linux. Possible use cases include detecting if a IP addr

Yulin Chen 721 Jun 15, 2022
Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http

fasthttp Fast HTTP implementation for Go. Currently fasthttp is successfully used by VertaMedia in a production serving up to 200K rps from more than

Aliaksandr Valialkin 17.9k Jun 23, 2022
🚀Gev is a lightweight, fast non-blocking TCP network library based on Reactor mode. Support custom protocols to quickly and easily build high-performance servers.

gev 中文 | English gev is a lightweight, fast non-blocking TCP network library based on Reactor mode. Support custom protocols to quickly and easily bui

徐旭 1.4k Jun 26, 2022