Building an API to Query for C2 Domains

GitHub Repository

A common use case in malware analysis, when network tools are used to inspect a sample's traffic, is to enrich the analysis by identifying the C2 domains and IPs it contacts and researching what is known about them. This tool was my attempt to build something for that: it sanitizes an IP and, from a clipboard lookup, returns the information held about it.

Although this tool didn't end up quite as sophisticated as I wanted it to be, I believe it's in a spot where it can be improved upon, either by using a better dataset or by adding some external tools. Mostly, it was an academic exercise in trying to understand how tools like VirusTotal serve up information when you plug in domains and IP addresses.

A lot of it is explained in the GitHub README, but the essentials of how it works are:

  1. A cron job is scheduled to pull data, at a customizable interval, from a large dataset of over 600 million malicious IP addresses.
  2. This refresh updates an SQLite database.
  3. The API, built with Python FastAPI, plugs into that database and can be queried to match IPs and obtain more information about them.
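
The refresh-and-lookup core of those three steps, as an added example that is not the project's own code: it parses a constructed FireHOL-style netset (comments, CIDR ranges and bare IPs), loads it into SQLite as integer ranges, and answers lookups only for IPs that pass validation and only through parameterized queries. The netset content and the `blocklist` table schema are assumptions for this example.

```python
import ipaddress
import sqlite3

# Constructed sample in FireHOL netset format (comment lines, CIDRs, bare IPs).
# These are documentation-reserved ranges, not real indicator data.
SAMPLE_NETSET = """\
#
# firehol_level1 (constructed sample for this example)
#
203.0.113.0/24
198.51.100.7
192.0.2.128/25
"""

def parse_netset(text):
    """Yield (network, first_int, last_int) for each non-comment IPv4 entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # bare IPs become /32
        if net.version != 4:
            continue  # assumption: this example stores IPv4 only
        yield (str(net), int(net.network_address), int(net.broadcast_address))

def build_db(text, path=":memory:"):
    """Load a netset into SQLite; the cron job would call this on every refresh."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS blocklist "
                 "(network TEXT PRIMARY KEY, first INTEGER, last INTEGER)")
    conn.execute("DELETE FROM blocklist")  # replace the previous snapshot whole
    conn.executemany("INSERT INTO blocklist VALUES (?, ?, ?)", parse_netset(text))
    conn.commit()
    return conn

def sanitize_ip(raw):
    """Return a canonical IPv4 string, or None if the input is not a plain address."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    return str(addr) if addr.version == 4 else None

def lookup(conn, raw):
    """Return the stored networks containing the IP; [] if clean or invalid."""
    ip = sanitize_ip(raw)
    if ip is None:
        return []
    n = int(ipaddress.ip_address(ip))
    rows = conn.execute("SELECT network FROM blocklist WHERE first <= ? AND last >= ? "
                        "ORDER BY network", (n, n))   # bound parameters, never string-built
    return [r[0] for r in rows]
```

Range matching on integer bounds is what lets a single stored /24 answer a query for any host inside it, which a plain string equality on the IP column would miss.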

I also provided a Dockerfile that installs the necessary tools, namely FireHOL, and starts the FastAPI backend. It can be deployed with Amazon ECS or a similar container service, so you can get up and running very fast.