UPDATE (4/11/2015) - I have made a few changes to the ThreatIntel module UI and fixed a few bugs. Download links have been updated.
In this post, I'd like to announce the release of Hook Analyser v3.2. In this release, significant improvements and capabilities have been added to the Threat Intelligence module.
Following are the key improvements and enhanced features -
- The malware analysis module has been improved - and new signatures have been added
- Cyber Threat Intelligence module -
- IP Intelligence module (Analyse multiple IP addresses instead of just 1!). Sample output -
- Keyword Intelligence module (Analyse keywords e.g. Internet Explorer 11, IP address, Hash etc). Sample output -
- Network file (PCAP) analysis - Analyses a user-provided .PCAP file and performs analysis on the external IP addresses it contains. Example -
- Social Intelligence (Pulls data from Twitter for user-defined keywords and performs network analysis). Example -
Let's look at the "HOW-TO-USE" of this release (Cyber Threat Intelligence) -
The tool can perform analysis via 2 methods - auto mode and manual mode.
In the auto mode, the tool will use the following files for analysis -
- Channels.txt (Path: feeds->channels.txt): Specify the list of Twitter-related channels or keywords to monitor. In the auto mode, monitoring is performed for 2 minutes only; if you'd like to monitor indefinitely, please select the manual mode.
- Example -
- intelligence-ipdb.txt (Path: feeds->intelligence-ipdb.txt): Specify the list of IP addresses you'd like to analyse. Yes, you can provide as many IPs as you'd like.
- Example -
- Keywords.txt (Path: feeds->Keywords.txt): Specify the list of keywords you'd like to analyse. Yes, you can provide as many keywords as you'd like.
- Example -
- rssurl.txt (Path: feeds->rssurl.txt): Specify the RSS feeds to fetch vulnerability-related information.
- Example -
- url.txt (Path: feeds->url.txt): Specify the list of URLs from which the tool will pull malicious IP address information.
- Example -
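The PCAP analysis feature above works on the external IP addresses in a capture, and the intelligence-ipdb.txt feed takes a list of IPs to analyse. The following is an added example, not code from Hook Analyser itself, that shows the defender-side pre-processing step between the two: read a classic libpcap file, collect the IPv4 addresses, drop everything that is private, loopback, link-local, multicast or reserved so that internal hosts are never submitted to external intelligence sources, and render the rest one address per line. The one-IP-per-line layout for intelligence-ipdb.txt is an assumption (the sample file is only shown as a screenshot in the post), as is the sample traffic, which is constructed in memory so the script runs offline.

```python
import ipaddress
import struct

# Pure-Python reader for the classic libpcap format (not pcapng):
# 24-byte global header, then a 16-byte record header before each frame.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic read in the other byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800

# Constructed sample flows (src, dst); not taken from any real capture.
SAMPLE_FLOWS = [
    ("192.168.1.10", "8.8.8.8"),
    ("192.168.1.10", "1.1.1.1"),
    ("10.0.0.5", "8.8.8.8"),          # repeats an external address: must be de-duplicated
    ("192.168.1.10", "224.0.0.251"),  # mDNS multicast: must be dropped
    ("127.0.0.1", "127.0.0.1"),       # loopback: must be dropped
]


def build_sample_pcap(flows):
    """Build a minimal libpcap capture in memory from (src, dst) pairs.

    Each pair becomes one Ethernet/IPv4 frame with an empty payload; only the
    fields the parser below reads are filled in (checksum is left at zero).
    """
    out = bytearray()
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out += struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for src, dst in flows:
        eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
        # 20-byte IPv4 header: ver/IHL, TOS, total length, id, flags/frag,
        # TTL, protocol (6 = TCP), checksum, source, destination
        ip_hdr = struct.pack(
            "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
        )
        frame = eth + ip_hdr
        # Record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_ipv4_pairs(pcap_bytes):
    """Yield (src, dst) IPv4Address pairs from the Ethernet frames in a libpcap blob."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not supported)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimum IPv4 header
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        if (frame[14] & 0x0F) * 4 < 20:  # malformed IHL
            continue
        yield ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])


def is_external(addr):
    """True only for addresses that can belong to a host outside the monitored network."""
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def external_ips_from_pcap(pcap_bytes):
    """Sorted, de-duplicated external IPv4 addresses seen as source or destination."""
    seen = {a for pair in iter_ipv4_pairs(pcap_bytes) for a in pair if is_external(a)}
    return [str(a) for a in sorted(seen)]


def to_ipdb_feed(ips):
    """Render one address per line (assumed intelligence-ipdb.txt layout)."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    print(to_ipdb_feed(external_ips_from_pcap(build_sample_pcap(SAMPLE_FLOWS))), end="")
```

The filtering step is the part worth keeping even if you use a full packet library instead of the hand-written reader: a capture taken inside a corporate network is mostly internal-to-internal traffic, and feeding those addresses to third-party lookups leaks your address plan for no intelligence gain.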
The Threat Intel module can be executed from the HookAnalyser3.2.exe file (option #6) or directly through the ThreatIntel.exe file. Refer to the following screenshots -
In manual mode, you'd need to provide the filename as an argument. Example below -
Important note - The software shall only be used for "NON-COMMERCIAL" purposes. For commercial usage, written permission from the Author must be obtained prior to use.
If you're interested in a conversation or would like to share your success story with the tool, please feel free to write back to beenudel1986@gmail.com
Some of the noteworthy use cases are below -
- toolsmith: There Is No Privacy - Hook Analyser vs. Hacking Team
- https://isc.sans.edu/diary/Keeping+the+RATs+out%3A+the+trap+is+sprung+-+Part+3/18415
- https://www.youtube.com/watch?v=35teUHnZNGU (@59:00)
- https://digital-forensics.sans.org/summit-archives/DFIR_Summit/7-Sins-of-Malware-Analysis-Dominique-Kilman.pdf
- http://binaryhax0r.blogspot.com.au/2013/01/cve-2012-4792-hook-analyser.html
- http://www.darknet.org.uk/2014/05/hook-analyser-3-1-malware-analysis-tool/
Download the software here