
Application Architecture

BlackSnufkin edited this page Sep 5, 2025 · 3 revisions
graph LR
    %% LitterBox application architecture, read left to right.
    %% Solid edges (-->) are the processing pipeline; dotted edges (-.->) are
    %% side references to storage, optional post-processing and management,
    %% as the section headers below label them.

    %% === Entry ===
    subgraph ENTRY["User Interface"]
      direction TB
      LITTERBOX_INTERFACE[LitterBox Interface] --> TARGETED_PAYLOAD{Targeted Payload}
    end

    %% === Ingestion ===
    %% Two entry paths: an uploaded file, or a process id of something already running.
    %% The file path hashes, type-detects and extracts metadata before any routing;
    %% the PID path is validated separately and never enters the file/type pipeline.
    subgraph INGEST["Ingestion & Context"]
      direction TB
      TARGETED_PAYLOAD --> FILE_UPLOAD[File Upload]
      TARGETED_PAYLOAD --> PID_INPUT[Process ID]

      FILE_UPLOAD --> FILE_HANDLER[File Processing<br/>Hash Calculation<br/>Type Detection<br/>Metadata Extraction]
      PID_INPUT --> PID_VALIDATOR[Process Validation<br/>PID Verification<br/>Access Check]
    end

    %% === Routing ===
    %% Dispatch on detected file type; four families are shown.
    subgraph ROUTE["Type Routing"]
      direction LR
      FILE_HANDLER --> TYPE_ROUTER{File Type}
      TYPE_ROUTER --> PE_EXT[.exe .dll]
      TYPE_ROUTER --> SYS_EXT[.sys]
      TYPE_ROUTER --> OFFICE_EXT[.docx .xlsx]
      TYPE_ROUTER --> LNK_EXT[.lnk]
    end

    %% === Analysis ===
    %% Only the PE family goes through the Analysis Manager and its static/dynamic tool
    %% sets; the driver, Office and LNK analyzers hand their results straight to the
    %% risk engine (see the Scoring section).
    subgraph ANALYSIS["Analysis Engines"]
      direction TB
      PE_EXT --> PE_ANALYSIS[PE Analysis<br/>Section Parsing<br/>Import Analysis<br/>Runtime Detection Go/Rust<br/>Entropy Calculation]
      SYS_EXT --> DRIVER_ANALYSIS[HolyGrail BYOVD<br/>Policy Validation<br/>Vulnerability Check]
      OFFICE_EXT --> OFFICE_ANALYSIS[Office Macro Analysis<br/>VBA Parsing<br/>Threat Patterns]
      LNK_EXT --> LNK_ANALYSIS[LNK Forensics<br/>Target Extraction<br/>Metadata Analysis]

      PE_ANALYSIS --> ANALYSIS_ENGINE[Analysis Manager<br/>Tool Orchestration<br/>Result Aggregation]
      %% PID input feeds the dynamic tools directly, bypassing the Analysis Manager and
      %% the static tools. DYNAMIC_ANALYZERS is referenced here before its bracketed
      %% declaration below; the label comes from that later declaration.
      PID_VALIDATOR --> DYNAMIC_ANALYZERS

      %% YARA Scanner is listed under both the static and the dynamic tool set.
      ANALYSIS_ENGINE --> STATIC_ANALYZERS[**Static Analysis Tools**<br/>• YARA Scanner<br/>• CheckPLZ<br/>• Stringnalyzer]
      ANALYSIS_ENGINE --> DYNAMIC_ANALYZERS[**Dynamic Analysis Tools**<br/>• YARA Scanner<br/>• PE-Sieve<br/>• Moneta<br/>• Patriot<br/>• Hunt Sleeping Beacons<br/>• RedEDR]
    end

    %% === Scoring ===
    %% Every analysis path converges on the single risk engine.
    subgraph SCORING["Risk & Correlation"]
      direction TB
      STATIC_ANALYZERS --> RISK_ENGINE[Risk Calculator<br/>Multi-factor Scoring<br/>Threat Classification<br/>Runtime-aware Assessment]
      DYNAMIC_ANALYZERS --> RISK_ENGINE
      DRIVER_ANALYSIS --> RISK_ENGINE
      OFFICE_ANALYSIS --> RISK_ENGINE
      LNK_ANALYSIS --> RISK_ENGINE
    end

    %% === Reporting / Outputs ===
    %% One result handler fans out to the dashboard, the JSON API and file export.
    subgraph REPORTING["Reporting & Outputs"]
      direction LR
      RISK_ENGINE --> RESULT_PROCESSOR[Result Handler<br/>Data Formatting<br/>Report Generation<br/>Template Rendering]
      RESULT_PROCESSOR --> WEB_DISPLAY[Web Dashboard<br/>Interactive Results<br/>HTML Templates]
      RESULT_PROCESSOR --> OUTPUT{Output Format}
      OUTPUT -->|API| JSON_API[JSON API<br/>Structured Data<br/>REST Endpoints]
      OUTPUT -->|Export| FILE_EXPORT[Report Export<br/>HTML Reports<br/>Downloadable Files]
    end

    %% === Storage (side-channel refs) ===
    %% Cylinder nodes are data stores; none of them sits on the solid pipeline,
    %% they are only reached through the dotted references that follow.
    subgraph STORAGE[Data Storage]
      direction TB
      FILE_STORE[(Upload Folder<br/>Original Samples)]
      RESULT_STORE[(Results Folder<br/>Analysis JSON)]
      CONFIG_STORE[(Configuration<br/>YAML Settings)]
      SIGNATURE_STORE[(MalAPI Database<br/>YARA Rules)]
      HOLYGRAIL_POLICIES[(HolyGrail Policies<br/>Driver Policy Files)]
      FUZZY_DB[(FuzzyHash DB<br/>Similarity Index)]
    end

    %% Which component touches which store. The upload folder holds the original
    %% samples as received by the file handler.
    FILE_HANDLER -.-> FILE_STORE
    RESULT_PROCESSOR -.-> RESULT_STORE
    ANALYSIS_ENGINE -.-> CONFIG_STORE
    STATIC_ANALYZERS -.-> SIGNATURE_STORE
    DRIVER_ANALYSIS -.-> HOLYGRAIL_POLICIES

    %% === Advanced (optional post-processing) ===
    %% Entered from the result handler as a whole subgraph; only the FuzzyHash
    %% analyzer has its own store reference. BASELINE has no edges of its own here.
    subgraph ADVANCED[Specialized Analysis]
      direction TB
      SIMILARITY[FuzzyHash Analyzer<br/>Similarity Comparison<br/>Variant Detection]
      BASELINE[Blender Analyzer<br/>System Comparison<br/>IOC Correlation]
    end

    RESULT_PROCESSOR -.-> ADVANCED
    SIMILARITY -.-> FUZZY_DB

    %% === Management (ops side-rail) ===
    %% Reached from the interface only. NOTE(review): the diagram draws no edge from
    %% CLEANUP to FILE_STORE or RESULT_STORE, so which stores the cleanup service
    %% maintains is not shown here — confirm against the code.
    subgraph MANAGEMENT[System Management]
      direction TB
      HEALTH[Health Monitor<br/>Tool Validation<br/>System Status]
      CLEANUP[Cleanup Service<br/>File Management<br/>Storage Maintenance]
    end

    LITTERBOX_INTERFACE -.-> MANAGEMENT

    %% === Styling ===
    %% One classDef per architectural role; fill/stroke/text colours only.
    classDef interface fill:#1e40af,stroke:#1d4ed8,stroke-width:2px,color:#fff
    classDef processing fill:#059669,stroke:#047857,stroke-width:2px,color:#fff
    classDef analysis fill:#eab308,stroke:#ca8a04,stroke-width:2px,color:#000
    classDef orchestration fill:#7c3aed,stroke:#6d28d9,stroke-width:2px,color:#fff
    classDef outputs fill:#dc2626,stroke:#b91c1c,stroke-width:2px,color:#fff
    classDef storage fill:#92400e,stroke:#78350f,stroke-width:2px,color:#fff
    classDef specialized fill:#ec4899,stroke:#be185d,stroke-width:2px,color:#fff
    classDef management fill:#6b7280,stroke:#374151,stroke-width:2px,color:#fff

    %% The storage, specialized and management lists include the subgraph ids
    %% (STORAGE, ADVANCED, MANAGEMENT) alongside their member nodes.
    class LITTERBOX_INTERFACE,TARGETED_PAYLOAD,WEB_DISPLAY interface
    class FILE_UPLOAD,PID_INPUT,FILE_HANDLER,PID_VALIDATOR,TYPE_ROUTER,PE_EXT,SYS_EXT,OFFICE_EXT,LNK_EXT processing
    class PE_ANALYSIS,DRIVER_ANALYSIS,OFFICE_ANALYSIS,LNK_ANALYSIS,STATIC_ANALYZERS,DYNAMIC_ANALYZERS analysis
    class ANALYSIS_ENGINE,RISK_ENGINE,RESULT_PROCESSOR,OUTPUT orchestration
    class JSON_API,FILE_EXPORT outputs
    class STORAGE,FILE_STORE,RESULT_STORE,CONFIG_STORE,SIGNATURE_STORE,HOLYGRAIL_POLICIES,FUZZY_DB storage
    class ADVANCED,SIMILARITY,BASELINE specialized
    class MANAGEMENT,HEALTH,CLEANUP management

