YarHunt is a project created during an 8hr hackathon.
It is designed to be used as a collection / hunting system for malware samples.
YarHunt will download samples from Malware Bazaar and Malshare, then run Yara rules on the samples, and save all matches.
Discord is used as an easy front end, which allows a small set of commands to be used:
- Upload new Yara rule
- Remove Yara rule
- See active rules
- See active "jobs" (threads downloading new samples)
The malware samples of interest are saved locally, and sent to an MWDB instance.
YarHunt per default uploads samples to the MWDB instance run by CERT PL (https://mwdb.cert.pl).
A config file placed next to the "bot.py" file is needed.
This config file should contain the following constants:
# Path constants
rule_directory = "<Path to yara rules directory>"
compiled_rules_directory = "<Path to directory to store compiled yara rules in>"
malware_cage = "<Directory malware should be saved in>"
rule_match_folder = "<Directory samples should be stored in>"
bazaar_zip_name = "hourlybzr"
bazaar_unzip_name = "unzipped_hourlybzr"
malshare_folder = "malshare/"
# Discord stuff
bot_token = "<Discord bot token>"
webhook_url = "<Webhook URL>"
# APIs
bazaar_hourly_endpoint = "https://datalake.abuse.ch/malware-bazaar/hourly/"
malshare_key_two = "<Malshare API key #1>"
malshare_key_one = "<Malshare API key #2>"
malshare_api_endpoint = "https://malshare.com/api.php"
# MWDB
mwdb_username = "<MWDB username>"
mwdb_password = "<MWDB password>"
mwdb_url = "https://mwdb.cert.pl/api/" # Or your own MWDB URL
Prefix for the bot is "!".
List of commands are available with "!help".
CmdHandlerCog:
delete
jobs
rules
upload
No Category:
help Shows this message
The help menu is the builtin menu provided by the Discord.Py library
To upload a rule, add it as an attachment to the message, with the "!upload" command.
Same goes for deleting rules.