Py-Detux

Python library for interaction with Detux sandbox instances


Brief

Detux is a malware sandbox that uses the QEMU hypervisor to emulate a Linux system and perform both static and dynamic analysis of suspect Linux executables or scripts. The author has made a free hosted version available at detux.org and also offers the sandbox itself as an open source project on GitHub.

The Py-Detux project is a Python library for interacting with a Detux instance's API, whether that is the library default (detux.org's API) or a private instance built from source. Using the library is as simple as running python setup.py install after cloning the GitHub repo, importing the library, and instantiating it with your Detux API key.

Requirements

  • Python 2.7 or higher
  • Detux API key obtained from a detux.org account or a private instance
  • Python requests library
  • Python boto3 library, for optional AWS report storage
  • Some Linux malware you want to research! :)

Features

  • Submit a single file or an entire directory for analysis
  • Submissions can be marked private and can carry user comments and filenames
  • Search by individual hash
  • Search by a text file listing hashes
  • Search by the hashes of the files in a directory
  • Retrieve sandbox analysis reports
  • View formatted reports from the command line
  • Store JSON reports locally or upload them to an AWS S3 bucket
  • Multi-threading is available for bulk tasks such as uploading multiple files

Submit a file if it hasn't been analyzed and save the report

from pydetux import Detux
                                    
# instantiate the main class with your key
detux = Detux('your API key')

# provide a file and obtain its sha256 hash
sample_path = '/home/adam/malware/mips.sh'
sample_hash = detux.Utils.get_sha256(sample_path)

# check if the sample already has been analyzed
if not detux.search(sample_hash):
    submission = detux.submit_file(sample_path)

    # store the report in the current directory as $sha256.json
    report = '%s.json' % sample_hash
    detux.report(submission.sha256, save='json', output=report)
                                

Save a report to an S3 Bucket

# print details of the storage process to stdout
detux.verbose = True

# credentials are passed inline here for illustration only;
# never commit real access keys to source control
h = '7d9291fbd5ba96ede386e688584a6f873615a141a5363d4431499de5415c02c4'
detux.report(h,
    save='s3',
    output_file='linux/zeroaccess-01.json',
    s3_bucket='samples',
    aws_key='access key',
    aws_secret='secret key')
                                

Submit entire directory of samples

# list the samples first so the batch size can be reported, then submit the same directory
sample_dir = '/home/adam/malware/captured'
samples = detux.Utils.list_directory(sample_dir)
print('submitting %d samples ...' % len(samples))
detux.submit_directory(sample_dir, threads=5)
                                
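The two workflows above (check a hash before submitting, and submit a whole directory) are usually combined in practice: hash everything locally, drop what a local hash list already covers, ask the sandbox about the rest, and only then submit. The following is an added example and not Py-Detux's own code. It stays offline: the `search` argument is any callable that takes a sha256 and returns a truthy value when the sandbox already has a report, which is how the README uses detux.search; the sample files, the hash list and the stand-in search function are constructed inside the block.

```python
"""Offline pre-flight for a Detux submission batch (added example, not
pydetux's own code). Hashes every sample in a directory, drops anything
already listed in a text file of known sha256 hashes, and asks a search
callable about the rest, so only genuinely unanalysed samples get submitted.
"""
import hashlib
import os
import re
import tempfile

SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}$')


def sha256_file(path):
    """Stream a file through SHA-256 so large samples are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def hash_directory(directory):
    """Map sha256 -> path for the regular files directly under `directory`."""
    hashes = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            hashes[sha256_file(path)] = path  # identical content collapses to one entry
    return hashes


def load_hash_list(path):
    """Parse a text file of hashes, one per line; ignore blanks, comments and junk."""
    known = set()
    with open(path) as f:
        for line in f:
            token = line.split('#', 1)[0].strip().lower()
            if SHA256_RE.match(token):
                known.add(token)
    return known


def select_unanalyzed(sample_hashes, known, search):
    """Return {sha256: path} for samples neither in `known` nor found by `search`.

    `search` is assumed to behave like Detux.search in the README's
    `if not detux.search(sample_hash)` check: truthy when a report exists.
    Hashes the local list already knows are never looked up, saving API calls.
    """
    todo = {}
    for digest, path in sample_hashes.items():
        if digest in known:
            continue
        if search(digest):
            known.add(digest)  # remember it so a later batch skips the lookup
            continue
        todo[digest] = path
    return todo


def demo():
    """Constructed sample set: three files, one duplicate, one already known."""
    workdir = tempfile.mkdtemp()
    samples = {
        'a.sh': b'#!/bin/sh\nwget http://example.invalid/x\n',
        'b.elf': b'\x7fELF' + b'\x00' * 60,
        'c.sh': b'#!/bin/sh\nwget http://example.invalid/x\n',  # same content as a.sh
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), 'wb') as f:
            f.write(data)
    hashes = hash_directory(workdir)

    # constructed hash list: b.elf is already known, plus a comment and a junk line
    known_file = os.path.join(workdir, 'known.txt')
    with open(known_file, 'w') as f:
        f.write('# hashes we already hold reports for\n')
        f.write(hashlib.sha256(samples['b.elf']).hexdigest() + '\n')
        f.write('not-a-hash\n')
    known = load_hash_list(known_file)

    looked_up = set()

    def fake_search(digest):
        """Stand-in for Detux.search: pretends the sandbox has seen nothing."""
        looked_up.add(digest)
        return False

    todo = select_unanalyzed(hashes, known, fake_search)
    return hashes, known, todo, looked_up


if __name__ == '__main__':
    hashes, known, todo, looked_up = demo()
    print('%d unique samples, %d known, %d to submit' % (len(hashes), len(known), len(todo)))
```

With the real library, `fake_search` is replaced by `detux.search` and each path left in `todo` goes to `detux.submit_file`; the duplicate-content collapse and the local hash list keep the number of API calls and uploads to the minimum.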

Key Features

  • Submit Single or Bulk Files for Analysis
  • Search Detux for All Supported IOCs
  • Easy Retrieval of Sandbox Reports
  • Save Reports in AWS S3
  • Multi-threading for fast searching and uploads