Update README.md
This commit is contained in:
BlackSnufkin
@@ -1,15 +1,60 @@
|
||||
# LitterBox
|
||||
|
||||
LitterBox streamlines malware analysis by providing an automated web interface for testing payloads and analyzing process behavior. Built for red team operators and malware developers, it integrates industry-standard analysis tools to validate your tradecraft.
|
||||
LitterBox provides automated analysis of payloads and malware through an intuitive web interface. The platform streamlines pre-deployment testing by validating evasion techniques, monitoring process behavior, and generating comprehensive runtime analysis reports. Designed for validating tradecraft, it enables rapid testing of payloads against common detection mechanisms before execution in target environments.
|
||||
|
||||
## Features
|
||||
## Core Features
|
||||
|
||||
### Static Analysis
|
||||
### Initial Analysis
|
||||
Upon file upload, LitterBox automatically performs:
|
||||
- File identification and hashing (MD5, SHA256)
|
||||
- Shannon entropy calculation
|
||||
- File type detection and MIME analysis
|
||||
- Original filename preservation
|
||||
- Upload timestamp recording
|
||||
|
||||
- Identify Indicators of Compromise (IOCs) with **YARA** and **ThreatCheck**.
|
||||
- Extract metadata and entropy, and analyze Portable Executables (PEs) and Office documents.
|
||||
### Analysis Options
|
||||
|
||||
### Dynamic Analysis
|
||||
#### PE File Analysis
|
||||
For executables (.exe, .dll, .sys):
|
||||
- File type detection (PE32/PE32+)
|
||||
- Machine type identification
|
||||
- Compilation timestamp extraction
|
||||
- Subsystem identification
|
||||
- Entry point location
|
||||
- Section enumeration
|
||||
- Import DLL listing
|
||||
|
||||
- Monitor runtime behavior of executables and processes using tools like **PE-Sieve**, **Moneta**, **Patriot** and **Hunt-Sleeping-Beacons**.
|
||||
- Evaluate behavior to refine evasion techniques and identify detection triggers.
|
||||
#### Office Document Analysis
|
||||
For Office files (.docx, .xlsx, .doc, .xls, .xlsm, .docm):
|
||||
- Macro detection
|
||||
- VBA code analysis (if macros present)
|
||||
|
||||
#### Static Analysis
|
||||
# Static Analysis
|
||||
- Scanning binaries against known detection signatures and rulesets
|
||||
- Analyzing file characteristics and entropy levels for suspicious indicators
|
||||
- Extracting and validating metadata from executables and documents
|
||||
- Evaluating PE headers and structures for signs of manipulation
|
||||
|
||||
|
||||
#### Dynamic Analysis
|
||||
Supports two modes:
|
||||
- Scanning executable files and processes to identify suspicious behavioral characteristics
|
||||
- Inspecting memory regions to detect anomalous content and hidden payloads
|
||||
- Analyzing process hollowing and injection techniques for detection artifacts
|
||||
- Monitoring sleep patterns and network behavior of beacon processes
|
||||
- Validating integrity of PE files and detecting runtime modifications
|
||||
|
||||
|
||||
## API Endpoints
|
||||
|
||||
### File Operations
|
||||
- `POST /upload` - Upload files for analysis
|
||||
- `GET /analyze/static/<hash>` - Static file analysis
|
||||
- `POST /analyze/dynamic/<hash>` - Dynamic file analysis
|
||||
- `POST /analyze/dynamic/<pid>` - Process analysis
|
||||
|
||||
### System Management
|
||||
- `GET /health` - System health and tool status check
|
||||
- `POST /cleanup` - Clean analysis artifacts and uploads
|
||||
- `POST /validate/<pid>` - Validate process accessibility
|
||||
|
||||
Reference in New Issue
Block a user