Earlier this week, I published a post on my employer’s blog about a project that I’ve started working on. The project, called Malformity, is a local transform package for Maltego that can be used to assist in conducting malware and malicious infrastructure research. Since this post won’t rehash all the basics introduced in that one, I highly recommend you read it first, if you haven’t done so already. This post will just lay out a few more notes related to the project.
First, if the project helps you out, awesome. I’m adding transforms right now that I think will be the most useful and the ones that help me out when I’m doing my analysis. If there’s a query or source that would be helpful for you, please feel free to submit a request for a new transform or transform set! I’d love to see this project grow to meet the needs of as wide a range of people as possible (within the scope of malz/infra of course…).
In the near term, I plan on creating a Virustotal account and distributing an API key with Malformity so that people don’t have to create their own accounts. The option to specify your own key will remain. Additionally, I plan on expanding the number of Virustotal transforms in the package. My colleague, @KyleMaxwell, wrote the first couple of Virustotal transforms and is also working on a transform for the Collective Intelligence Framework. Once these are done, I plan on beginning to expand the base of transforms available. I’ve also submitted a CFP to BsidesBOS, so if all goes well, I’ll be presenting there. If not, I hope to find another con this year that may work out.
I think the online transforms provide a wide range of immediate benefit. However, I think there is some real potential power in beginning to build transforms similar to Sploitego, which also uses local tools to produce data for the graphs. Using transforms to pull data from local malware analysis tools as well could open up another aspect of graphing capabilities. This is particularly useful for analyzing samples that aren’t publicly available. For instance, we could write a transform that uses pyew to pull links from binaries and graph them, or perhaps you want to graph all the function names.
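As an added illustration (my example, not code from the original post, from Malformity, or from pyew): the core of a local transform like the one described above is the part that digs URLs out of a sample on disk. The helper below does that with plain regular expressions over the raw bytes, including UTF-16LE strings that a naive ASCII pass would miss, de-duplicates the hits, and maps each URL to its host, which are the two kinds of entities you would hand back to Maltego for graphing. The sample bytes are constructed to look like a binary with embedded strings; `extract_urls` and `hosts_for_graph` are names I chose for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a malware sample read from disk: a few header-ish
# bytes, an ASCII URL (repeated once), a UTF-16LE URL, and a defanged URL that
# should NOT be picked up. This is not a real file.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00GET /update.php HTTP/1.1\x00"
    b"http://example.com/panel/gate.php\x00"
    b"\xde\xad\xbe\xef"
    + "https://example.org/dl/payload.bin".encode("utf-16le") + b"\x00\x00"
    + b"hxxp://defanged.invalid/\x00"
    + b"http://example.com/panel/gate.php\x00"  # duplicate on purpose
)

# Same URL shape, once for raw bytes and once for decoded text.
_URL_CHARS = r"[A-Za-z0-9.\-_~:/?#\[\]@!$&'()*+,;=%]+"
URL_BYTES_RE = re.compile((r"(?:https?|ftp)://" + _URL_CHARS).encode("ascii"))
URL_TEXT_RE = re.compile(r"(?:https?|ftp)://" + _URL_CHARS)

# A run of printable ASCII characters each followed by a NUL byte is how a
# UTF-16LE string looks in the raw file; six or more pairs is the threshold.
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_urls(blob):
    """Return the distinct URLs embedded in blob, in order of first appearance.

    Narrow (ASCII) strings are matched directly; wide (UTF-16LE) runs are
    decoded first and then matched with the text pattern.
    """
    found = []
    for m in URL_BYTES_RE.finditer(blob):
        found.append(m.group().decode("ascii"))
    for run in WIDE_RUN_RE.finditer(blob):
        text = run.group().decode("utf-16le")
        found.extend(m.group() for m in URL_TEXT_RE.finditer(text))
    seen = set()
    unique = []
    for url in found:
        if url not in seen:
            seen.add(url)
            unique.append(url)
    return unique


def hosts_for_graph(blob):
    """Pair each extracted URL with its host, the (URL, Domain) entities a
    transform would emit so the graph links sample -> URL -> host."""
    pairs = []
    for url in extract_urls(blob):
        host = urlsplit(url).hostname or ""
        pairs.append((url, host))
    return pairs


if __name__ == "__main__":
    for url, host in hosts_for_graph(SAMPLE_BINARY):
        print(f"{host:20s} {url}")
```

On a real sample you would read the file bytes in place of `SAMPLE_BINARY` and wrap the result in the transform framework's entity objects; the extraction logic itself does not change. Note that defanged URLs (hxxp) are deliberately skipped by the scheme pattern, and that a binary which packs or encrypts its strings will yield nothing here until it has been unpacked, which is exactly the case where a local tool running against an unpacked memory dump earns its keep.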
Thanks again to Nadeem Douba for canari, Paterva for Maltego, and ohdae for his malware entities!
Again, I hope this proves useful for people and please don’t hesitate to submit transform requests or contribute via github. Thanks!