TUM's Malware Zoo



Functional Components Description

Malware Zoo offers services for the static and dynamic analysis of malware. It is built from the Holmes Processing components Holmes-Totem Planner, Holmes-Storage, Holmes-Gateway, Holmes-Analytics and Holmes-Totem-Dynamic.

Holmes-Totem Planner: The Holmes-Totem Planner turns data into information by performing feature extraction against submitted objects. When tasked, Holmes-Totem schedules the execution of its services, which perform static and dynamic analysis and gather data from third parties. The Holmes-Totem Investigation Planner is optimized for extraction services that complete within a few seconds, i.e. static analysis and third-party queries. For services that take longer to complete, we recommend pairing the Holmes-Totem Planner with Holmes-Totem-Dynamic.

Holmes-Storage: Holmes-Storage manages the interaction of Holmes Processing with its database backends. At its core, Holmes-Storage organizes the information held in Holmes Processing and provides RESTful and AMQP interfaces for accessing the data. It also provides an abstraction layer over the specific database types, which allows a Holmes Processing deployment to switch database types or combine different databases for optimization.

Holmes-Gateway: Holmes-Gateway orchestrates the submission of objects and tasks to Holmes Processing. Foremost, this greatly simplifies tasking and makes it possible to route tasks automatically to Holmes-Totem or Holmes-Totem-Dynamic on a per-service basis. In addition, Holmes-Gateway provides validation and authentication. Finally, Holmes-Gateway provides the technical foundation for collaboration between organizations. Holmes-Gateway is meant to prevent users from connecting directly to Holmes-Storage or RabbitMQ: tasking requests and object uploads instead pass through Holmes-Gateway, which checks their validity, enforces ACLs and forwards the requests.

Holmes-Analytics: The goal of this project is to implement a semi-generic interface that enables Holmes Processing to manage the execution of advanced statistical and machine learning analysis operations.

Holmes-Totem-Dynamic: Like Holmes-Totem, the “Dynamic” Planner turns data into information by performing feature extraction against submitted objects. When tasked, Holmes-Totem-Dynamic schedules the execution of its services, which focus on dynamic analysis and other long-running or indefinitely running analysis tasks.
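The per-service routing and ACL enforcement described for Holmes-Gateway and Holmes-Totem-Dynamic above, as an added Go example that is not part of Holmes Processing's own code: the service catalog, the users, the API tokens and the function and type names are assumptions made for illustration. A request is authenticated, its SHA256 is checked against the expected format, each requested service is looked up in the catalog and checked against the user's ACL, and the whole request is rejected if any check fails, so nothing is ever partially forwarded to a planner.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Planner names the planner a service is dispatched to.
type Planner string

const (
	PlannerTotem   Planner = "Holmes-Totem"         // short-running static analysis, third-party lookups
	PlannerDynamic Planner = "Holmes-Totem-Dynamic" // long-running dynamic analysis
)

// serviceCatalog maps a service name to the planner that runs it. The grouping
// follows the component descriptions on this page; the table itself is an
// assumption for this example, not the project's configuration.
var serviceCatalog = map[string]Planner{
	"yara":       PlannerTotem,
	"objdump":    PlannerTotem,
	"gadgets":    PlannerTotem,
	"richheader": PlannerTotem,
	"cuckoo":     PlannerDynamic,
}

// apiTokens maps a bearer token to a user (hypothetical values). A real gateway
// would store token hashes and compare them in constant time.
var apiTokens = map[string]string{
	"tok-analyst-1": "analyst",
	"tok-guest-1":   "guest",
}

// acl lists, per user, the services that user may task (hypothetical values).
var acl = map[string]map[string]bool{
	"analyst": {"yara": true, "objdump": true, "gadgets": true, "richheader": true, "cuckoo": true},
	"guest":   {"yara": true, "richheader": true},
}

// Objects are referenced by SHA256, so only a 64-digit hex string is accepted.
var sha256Re = regexp.MustCompile(`^[0-9a-f]{64}$`)

// TaskRequest is what a client sends to the gateway instead of talking to
// Holmes-Storage or RabbitMQ directly.
type TaskRequest struct {
	Token    string
	SHA256   string
	Services []string
}

// RoutedTask groups the validated service names by target planner.
type RoutedTask struct {
	User      string
	SHA256    string
	ByPlanner map[Planner][]string
}

// RouteTask authenticates, validates and authorizes req and returns the
// per-planner routing. Any failure rejects the whole request (fail closed).
func RouteTask(req TaskRequest) (*RoutedTask, error) {
	user, ok := apiTokens[req.Token]
	if !ok {
		return nil, errors.New("authentication failed")
	}
	hash := strings.ToLower(req.SHA256)
	if !sha256Re.MatchString(hash) {
		return nil, fmt.Errorf("invalid sha256 %q", req.SHA256)
	}
	if len(req.Services) == 0 {
		return nil, errors.New("no services requested")
	}
	out := &RoutedTask{User: user, SHA256: hash, ByPlanner: map[Planner][]string{}}
	seen := map[string]bool{}
	for _, s := range req.Services {
		name := strings.ToLower(strings.TrimSpace(s))
		planner, known := serviceCatalog[name]
		if !known {
			return nil, fmt.Errorf("unknown service %q", s)
		}
		if !acl[user][name] {
			return nil, fmt.Errorf("user %q is not permitted to task %q", user, name)
		}
		if seen[name] { // a service listed twice is tasked once
			continue
		}
		seen[name] = true
		out.ByPlanner[planner] = append(out.ByPlanner[planner], name)
	}
	return out, nil
}

func main() {
	// Constructed request: an analyst asks for static and dynamic analysis of one sample.
	req := TaskRequest{
		Token:    "tok-analyst-1",
		SHA256:   "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
		Services: []string{"yara", "Cuckoo", "richheader", "yara"},
	}
	routed, err := RouteTask(req)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for planner, services := range routed.ByPlanner {
		fmt.Printf("%s <- %s %v\n", planner, routed.SHA256, services)
	}
}
```

The point of rejecting the whole request rather than silently dropping the services a user may not run is that the client never gets a partial result that looks like a successful submission; the same fail-closed rule should apply to the object upload path.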


Services provided

  • Analysis results for malware

  • Static and dynamic analysis of submitted samples or hashes

  • Analysis services including Yara, Cuckoo, Objdump, Gadgets and Rich Header


Keywords

Large-Scale Malware Analysis


Technical equipment

  • Openstack:

    • Compute Server: Quantity 1

      • 2x AMD EPYC 7501

      • 512 GB RAM

      • 1x 250 GB SSD

      • 10 GBit Ethernet (2x RJ45)

    • Storage Server: Quantity 1

      • AMD Ryzen 5 1600

      • 64 GB RAM

      • 8x 10 TB HDD, RAID 6

      • 10 GBit Ethernet (2x RJ45)

  • Cassandra:

    • DB Server: Quantity 6

      • AMD Ryzen 7 1700

      • 2x 2 TB Samsung SSD

      • 32 GB RAM

      • 10 GBit Ethernet (2x RJ45)

  • S3:

    • Storage Server: Quantity 4

      • AMD Ryzen 5 1600

      • 2x 6 TB HDD

      • 32 GB RAM

      • 10 GBit Ethernet (2x RJ45)


Use request

Non-profit