Saturday, March 19, 2016

Update - Hook Analyser Project


On this post I'd like to share some of the updates on the next release of Hook Analyser project v3.4.

In the current state i.e. v3.3, Hook Analyser has got the two (2) key capabilities: Malware Analysis (static and dynamic) and (Open Source) Threat Intelligence (collection, correlation and visualisation).

I'd like to announce that one of my other projects - Incident Analyser will be ported into Hook Analyser as a module called "Probe Engine".

The Probe Engine performs AD enumeration to extract information about registered machines, privileged accounts-related details etc. Once the list of the machines is extracted, or a user-specified network range is provided, Probe engine will connect to each of the machine (credential will be required) and extract information such as external IPs where machines are connected with, processes hashes related information etc. This information will subsequently flow through the intelligence and malware analysis module for further analysis and investigation.

As you'd imagine, this is a major step in terms of the project maturity - and it may take some time. I'll try my best to release a working version as soon as possible.

At a high-level, the project will address following key use cases -
  • Breach detection through information collection and co-relation with open source intelligence
  • Basic and Advanced Malware Analysis
  • Security controls enrichment through collection and sharing of Indicators of Compromise (IOCs) 

Interested to see how community is utilising Hook Analyser? Following are some noteworthy mentions -

Tuesday, March 8, 2016

Hook Analyser 3.3 Release and A Great News!


2015 was an incredible year for Hook Analyser for several reasons e.g. new functionalities introduced, several critical bugs were fixed and of course "the new baby - ThreatIntel module" was added as well. The ThreatIntel module was introduced as a value-add to the malware analysis module/engine. However, I admit that I underestimated its value : The ThreatIntel module has become bigger than ever with over 200 commits in the last 12 months. This is attributed to the requests of Hook Analyser users.

I'd like to announce that Hook Analyser was awarded as "Toolsmith Tool of the Year 2015". This wouldn't have been accomplished without the support of loyal Hook Analyser users and admirers. Thanks all for your vote of confidence on this project. As a chief-developer and architect of this project, this recognition does provide me a lot of energy to continue to build cool things. If you have any new idea or would like to partner with the solution, please feel free to reach out to me. The project is becoming bigger each day and if you'd like to contribute to it then give me a shout.

On this occasion, I'd also like to release the new version of Hook Analyser v3.3. Several improvements have been made on this release as following -

  • ThreatIntel module can now parse pdf files as well (along with text and pcap files) for extracting IOCs, and can then perform keyboard-based intelligence on it
  • Several bug-fixes and improved stability

You may download the tool from here.

There is one more thing to add - 

In the current state i.e. v3.3, Hook Analyser has got the two (2) key capabilities: Malware Analysis (static and dynamic) and (Open Source) Threat Intelligence (collection, correlation and visualisation).

I'd like to announce that one of my other projects - Incident Analyser will be ported into Hook Analyser as a module called "Probe Engine" in the version 3.4.  Click here to get information about the next release.

Sunday, July 19, 2015

Hook Analyser 3.2 - Major Release


UPDATE (4/11/2015) - Have made few changes on ThreatIntel module UI and fixed few bugs. Download links have been updated.

On this post, I'd like to announce the release of Hook Analyser v3.2. On this releases, significant improvements and capabilities have been added to the Threat Intelligence module.

Following are the key improvements and enhanced features -

  • The malware analysis module has been improved - and new signatures have been added
  • Cyber Threat Intelligence module -
    • IP Intelligence module (Analyse multiple IP addresses instead of just 1!). Sample output -
    • Keyword Intelligence module (Analyse keywords e.g. Internet Explorer 11, IP address, Hash etc). Sample output - 
    • Network file (PCAP) analysis - Analyse user-provided .PCAP file and performs analysis on external IP addresses. Example -

    • Social Intelligence (Pulls data from Twitter- for user-defined keywords and performs network analysis). Example -

Let's look at "HOW-TO-USE" of this releases (Cyber Threat Intelligence) -

The tool can perform analysis via 2 methods - auto mode and manual mode.

In the auto mode, the tool will use the following files for analysis -

  1. Channels.txt (Path: feeds->channels.txt): Specify the list of the twitter related channels or keywords for monitoring. In the Auto mode, the monitoring is performed for 2 minutes only, however if you'd like to monitor indefinitely, please select the manual mode. 
    • Example - 
  2. intelligence-ipdb.txt (Path: feeds->intelligence-ipdb.txt): Specify the list of IP addresses you'd like to analyse. Yes, you can provide as many IPs you'd like to.
    • Example - 
  3. Keywords.txt (Path: feeds->Keywords.txt): Specify the list of keywords you'd like to analyse. Yes, you can provide as many keywords you'd like to.
    • Example - 
  4. rssurl.txt (Path: feeds->rssurl.txt): Specify the RSS feeds to fetch vulnerability-related information.
    • Example -
  5. url.txt (Path: feeds->url.txt): Specify the list of the URLs from where tool will pull malicious IP addresses information.
    • Example - 

Threat Intel module can be executed from HookAnalyser3.2.exe (option #6) file or can be executed directly through ThreatIntel.exe file. Refer to the following screenshots -

In manual mode, you'd need to provide filename as an argument. Example below -

Important note - The software shall only be used for "NON-COMMERCIAL" purposes. For commercial usage, written permission from the Author must be obtained prior to use.

Download the software here

Sunday, September 21, 2014

Preview 1 : Hook Analyser 3.2


It's been a while since I posted any news about the next version (v 3.2) of Hook Analyser, so decided to give some update on this front.

New (Sub) Module : I am happy to announce that the next release will have a capability to pull information (near real-time) from social media website (Twitter), and you'd be able to analyse the results efficiently, including your brand promoter etc. This module will be a part of overarching Cyber Threat Intelligence module.

Thoughts - The module is not only useful for pulling and analysing information related to Cyber security, it can be used for other purposes e.g. brand monitoring, data breach monitoring or 'any' news / feeds etc. There are several use-cases which can be made out of this.

I have prepared a short video of the above however, this is still in development stage (so things may look different in release).

Image -

Tweets categorised by Date

Brand Monitoring


  • Cyber Threat Intelligence : You'd be able to analyse analyse and co-related information of 1  3 IP addresses. 
    • As you're aware, there is a restricted (or commercial) version of the tool which would allow you to do the following - 
      • Analyse and co-relate information related to unlimited IP addresses, and / or , for "any" keyword (e.g. CryptoLocker)
      • Parse PCAP file format and perform analysis on external IP addresses (with Visualisation)
      • Parse forward proxy logs and perform analysis over external IP addresses and domains (with Visualisation)
  • Hook Analyser : Signatures updated. Ability to export results into XML format.

Sunday, May 18, 2014

Hook Analyser 3.1 : Major release


I'm glad to announce major release (community version)  of Hook Analyser 3.1. In this build, significant changes have been made to static malware analysis (option #3) and Cyber threat intelligence (option #6) modules, along with addition of a new module - batch analysis (option #7).

Following are key changes made - 
  1. (Major Improvements) Cyber threat intelligence module -
    1. (Added) : New dashboard - which includes 
      1. Global threat-landscape  
      2. Keyword based malware intelligence 
      3. IP based intelligence.
    2. (Added) : IP based intelligence output in XML format
    3. (Reference) : Videos - 

  2. (Moderate Improvements) Static malware analysis module - 
    1. (Added) : Signed file/malware detection and certificate extraction
    2. (Modified) :  Deep detection signatures improved
    3. (Added) : Output in XML format
  3. (Moderate Improvements) Other bug fixes
  4. (Minor Addition) Batch analysis module - Perform static analysis on all files in a directory.
As you'd noticed from above, there is an "exclusive" version of the software- with additional features on Cyber threat intelligence module, which includes -

  1. Keyword based search analysis
  2. "Unlimited" IP addresses and keywords analysis (instead of 1 - in community version) - through additional sources on the Internet 
  3. Keywords based search intelligence module (in concert with above item #2)  - Demo 1 and Demo 2
Important note - The software shall only be used for "NON-COMMERCIAL" purposes. For commercial usage, written permission from the Author must be obtained prior to use.

If you're interested, feel free to write back on - 

Download the software here

For quick guide or how-to document, click here

Thank you.

Saturday, May 3, 2014

Internet Explorer , Adobe Flash Player, MS-Office and Java Vulnerabilities - Used/Leveraged on Malware Attacks / Exploits


You might be aware, I'm working on the Hook Analyser v3.1. As part of the development, I put / test certain test use cases. On this instance, I was interested to understand (and visualise) which (and how many) vulnerabilities have been exploited (by malware) for various client side applications - MS Internet Explorer, Adobe Flash Player, MS Office and Oracle Java.

Observations -

  1. MS Internet Explorer outstands as being most exploited or targeted software. This can be attributed to large market share, which makes it an attractive target.
  2. MS applications (Internet Explorer and MS Office) have been exploited more compared to Adobe Flash Player and Oracle Java.

Saturday, March 22, 2014

Preview - 3 - Hook Analyser 3.1 :Cyber Threat Intelligence


Here is an update on the Hook Analyser 3.1, specifically on Cyber Threat Intelligence module -

The IP intelligence component (within the Cyber Threat Intelligence module) has come up well, and it can collect, normalise and visualise data sets collected from Open sources to provide actionable information sets.

Following is the short video (or preview) of the tool -