S.M.A.T

Standardized Malware Analysis Toolkit

Capabilities

Unpac.me

• sample submission
• download results
• check if already submitted

MWDB

• query for config entries of samples
• file upload
• file download
• config upload

Triage

• get all JA3s and JA3 for a family
• get config details for a sample
• get pcaps from a malware family (meant to use in conjunction with PCAP processing tools)
• submit samples to the Tria.ge platform

Malware Bazaar

• check if samples exist in the respository
• get medata for all samples in a family over the last 24 hours
• upload samples to the platform

URLHaus

• upload URLs to the platform
• check if the URL exists in the dataset

ThreatFox

• pull all C2s over the last seven days

Setup

All the routing and auth is controlled via environment variables. To use all of the platforms, the following environment varialbes will have to be set

export TRIAGE_KEY=""
export BAZA_KEY=""
export URLHAUS=""
export MWDB_KEY=""
export MWDB_HOST="mwdb.cert.pl"
export MWDB_PROTO="<https://><http://>"

Examples

SMAT allows for anaylysts to quickly extract information about malware families, download samples, upload samples, download pcaps and extract config details from common malware families.

Usage:
  smat [command]

Available Commands:
  bazaar      all subcommands relating to the malware bazaar platform
  fox         all subcommands relating to the threatfox platform
  help        Help about any command
  mwdb        all subcommands relating to CERT.PLs MWDB platform
  triage      all subcommands relating to the triage platform
  urlhaus     all subcommands relating to the urlhaus platform

Flags:
  -h, --help   help for smat

Use "smat [command] --help" for more information about a command.

all subcommands relating to the malware bazaar platform

Usage:
  smat bazaar [command]

Available Commands:
  check       checks if a sample exists within malware bazaar
  get_family  returns metadata for all samples uploaded for a family within the last 24 hours
  upload      uploads a sample or samples to malware bazaar

Flags:
  -h, --help          help for bazaar
  -t, --tags string   comma split list of tags to apply

Use "smat bazaar [command] --help" for more information about a command.

all subcommands relating to the triage platform

Usage:
  smat triage [command]

Available Commands:
  get_JA3s    returns all ja3 and ja3s signatures for specific malware family
  get_config  returns all config details for the malware if it exists
  get_pcaps   returns all pcap ng files for a specific family
  submit      submits a file to the Hatching triage platform

Flags:
  -h, --help   help for triage

Use "smat triage [command] --help" for more information about a command.

all subcommands relating to the urlhaus platform

Usage:
  smat urlhaus [command]

Available Commands:
  check       checks if a url or set of urls exists within urlhaus
  submit      uploads the list of URLs to urlhaus

Flags:
  -h, --help   help for urlhaus

Use "smat urlhaus [command] --help" for more information about a command.